Monthly Archives: March 2019

How to Secure the Internet of Things

English

The Internet of Things (IoT) stands to have a tremendous impact on business – and life – as we know it. Gartner estimates that by 2020 the IoT will grow to 26 billion units installed, and IoT product and service suppliers will generate incremental revenue exceeding $300 billion, mostly in services. In the meantime, the cost of adding IoT capability to consumer products will gradually decrease, and connectivity will become ubiquitous. New industries will develop and old ones will disappear altogether or evolve into something entirely new. Society will be transformed as more data becomes available to us as consumers, enabling us to make informed decisions about how we live our daily lives.

The IoT will also have a significant impact on however, as an industry, approach security. Security approached as an afterthought or layered preventive controls will not suffice in the IoT. In order to fully benefit from all the IoT has to offer, companies must consider its security implications and address them early on. This blog introduces the security risks inherent in the IoT and how this new technology stack must be secured.

Going a step further, this product system is being integrated with other product systems to create a system of systems of which the farming equipment is just one component. It might also include a weather data system, a seed optimization system and an irrigation system, all of which feed into a farm management system. Thus, the competition within the farming industry is shifting from discrete products to product systems, while the farmers themselves gain a competitive advantage through increasing yield.

But that’s just the beginning. We have barely begun to scrape the surface of what’s possible by connecting
smart devices.


The IoT Technology Stack

A new technology infrastructure is required to participate in the IoT. Companies must build, support and secure a new technology stack that begins with the endpoint – the ‘thing’ in the Internet of Things. This hardware may have embedded sensors and processors, as well as embedded software including an operating system, onboard software applications, a user interface and product controls.

The data collected by the endpoint’s sensors are transmitted over a communications network (often the Internet) to the cloud, where the data is managed in a big-data database system, and analyzed to optimize product operation and uncover new product insights. Additional applications that manage the monitoring, control, optimization and autonomous operation of product functions may also run in the cloud. External information sources, such as weather, traffic and prices, as well as business systems (ERP, CRM, etc.) may also be integrated at both the endpoint and cloud layers.


Security Risks Inherent to the IOT

As with any technology stack, there are a number of risks inherent to the IoT. Perhaps the most obvious relates to data privacy. The collection of vast amounts of customer and product data sparks concerns regarding its ownership, how the data is used, who has access to it, who is responsible for securing it, what constitutes sensitive data, what constitutes competitive intelligence and more. These questions need to be answered and data protected accordingly, as there is great opportunity for abuse – from insurance companies using personal health data to increase rates, to attackers stealing data to sell to the victim’s competitor. The IoT also forces companies to consider the new legal liabilities that arise from sharing data access with trading partners.

Algorithms are used to control endpoints in the IoT. Algorithms are rules that dictate the endpoint’s behavior based on environmental changes or changes in the product’s condition. For example, an algorithm might dictate that when the temperature reaches 70 degrees, the air conditioner turns on. Algorithms can be built into the endpoint itself or reside in the product cloud. Unfortunately, an error in an algorithm could have an effect ranging from a mere annoyance to catastrophic, depending on the application.

Embedded software on endpoint devices also poses a risk. Vulnerabilities can be exploited using malware and the devices used as bots to execute denial-of-service attacks. Attackers can potentially take over device functionality to, for example, intercept sensitive communications or even cause bodily harm in the case of health devices like pacemakers and insulin pumps, or automobiles.


Security Measures and Challenges

In order to help reduce these risks, security by design is required at every level of the IoT technology stack. The traditional development approach of quickly releasing a product then adding security after the fact in the form of patches, updates and preventive software, falls apart in the new world of the IoT. Users cannot be expected to download antivirus software for every smart connected device they own. Nor does it make sound business sense to deploy patches and other updates to disposable, lightweight devices. IoT devices must be built with security and privacy controls baked in. The FTC has developed guidelines for building security into the Internet of Things, which includes security measures for protecting data at rest and in motion, preventing unauthorized access, and securing access between the endpoint’s technology stack and other enterprise systems.

Security efforts don’t get any easier as you move up the technology stack. The network must be protected against unauthorized access, and the data traversing the network must be properly encrypted to prevent sniffing. The cloud infrastructure and the third-party software running on it must be secured to prevent attackers from gaining access to endpoints through software vulnerabilities or weak configurations. Finally, user authentication and system access must be properly managed across the entire technology stack. This becomes a significant challenge in light of multiple stakeholders sharing interest in the assets and increasingly interconnected systems.


Service Providers Play a Key Role

ISPs and carriers play a key role in the IoT. IoT devices connect to the cloud over the ISP’s network. ISPs must undergo big changes to accommodate for this, beginning with flattening their networks. Today, ISPs have limited visibility to the devices that sit behind Network Address Translation (NAT) home cable modems. ISPs are
removing the NAT and adopting IPV6 in order to address all these devices and offer services on top. One of the key services that ISP will offer is security. ISPs will want to differentiate by offering a safer, more secure way for the IoT world to operate.


Conclusion

It has taken the information technology industry more than a decade to recognize the need for a detect and respond approach to network security. Given the presence of advanced persistent threats and the value of data, we will not have the luxury of time with the IoT. A holistic approach to securing the IoT is necessary from the start, with an emphasis on detecting and respond.

 

Ready to Ensure Your IoT Devices are Secure?

Get started with a personalized demo of our advanced threat detection solution, Network Insight.

Request a demo >

 

Network Insight
Big text: 
Blog
Resource type: 
Blogs

What Are Advanced Persistent Threats (APTs)?

English

Advanced Persistent Threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of stealth over a prolonged duration of operation in order to be successful. The attack objectives typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached. APTs can best be summarized by their named requirements:

Advanced:

Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent:

Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat:

Threat means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. 

How APTs Breach Enterprises

APTs breach enterprises through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies:

  • Internet-based malware infection
  • Physical malware infection
  • External exploitation


Well-funded APT adversaries do not necessarily need to breach perimeter security controls from an external perspective. They can, and often do, leverage “insider threat” and “trusted connection” vectors to access and compromise targeted systems.

Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel into an organization using the hijacked credentials of employees or business partners, or remote offices. Almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point.

Low and Slow Attacks

A key requirement for APTs (as opposed to an “every day” botnet) is to remain invisible for as long as possible. The criminal operators of APT technologies tend to focus on “low and slow” attacks – stealthily moving from one compromised host to the next, without generating regular or predictable network traffic – to hunt for their specific data
or system objectives.

Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems.

Malware is a key ingredient in successful APT operations. Modern “off-the-shelf” and commercial malware openly available on the internet includes all of the features and functionality necessary to infect digital systems, hide from host-based detection systems, navigate networks, capture and extricate key data, provide video surveillance, along with silent and covert channels for remote control. If needed, APT operators can and will use custom developed malware tools to achieve specific objectives and harvest information from non-standard systems.

Criminal Remote-Control

At the very heart of every APT lies remote control functionality. Criminal operators rely upon this capability in order to
navigate to specific hosts within target organizations, exploit and manipulate local systems, and gain continuous access to critical information.

If an APT cannot connect with its criminal operators, then it cannot transmit any intelligence it may have captured. In effect, it has been neutered. This characteristic makes APTs appear as a sub-category of botnets. While APT malware can remain stealthy at the host level, the network activity associated with remote control is more easily identified.

APTs are most effectively identified, contained and disrupted at the network level.

 

Are APTs lurking in your environment?

See how you can chase them out of hiding with a personalized demo of our advanced threat detection solution, Network Insight.

Request a demo >

Network Insight
Big text: 
Blog
Resource type: 
Blogs

10 Ways to Help Your Family Break Bad Tech Habits

A new study from Pew Research confirms our collective hunch that 95% of teens now report they have a smartphone and that 45% of teens now say they are always online. No shock there. The finding that is far more worrisome? That despite this dramatic digital shift over the past decade, parents are divided on whether today’s teens face a set of issues completely different than the issues of their youth.

When asked to compare the experiences of today’s teens to their own experiences when they were a teen, 48% of parents surveyed said today’s teens have to deal with a completely different set of issues. Likewise, 51% said that despite some differences, the issues young people deal with today is not that different from when they were teenagers.

This number is alarming from both a parenting perspective and a digital safety perspective. It means that while we’ve made incredible progress in our digital awareness and how to raise kids in this unique culture, a lot of parents are still woefully behind in their thinking. (Seriously: Could our experience as teens — minus the internet and smartphones — be any more different than the experience of today’s digital natives?)

Distracted Parents, Distracted Kids

In trying to understand this reality gap, the survey offered up another morsel of insight: That parents themselves are as distracted as kids when it comes to reliance on devices. Yep! As worried as parents say they are about the amount of time their teen spends online, parents’ digital behavior isn’t exactly praiseworthy. The survey found that 59% of parents say they at least sometimes feel obligated to respond to cell phone messages immediately, while 39% admit they regularly lose focus at work because they’re checking their mobile device and 36% say they spend too much time on their cell phone.

Reality Check

If half of us genuinely believe that our kids are growing up with issues similar to ours as teens (only with strange devices in their hands), and if we are telling our kids to lead balanced digital lives but our digital habits are off the rails, then — if we’re honest — we’ve got some serious work to do as parents.

How do we begin to shift these numbers in favor of our family’s digital health? How do we move from technology leading our family to the other way around?

Like any significant change, we begin at home — with the truth — and move forward from there. We’ve got this!

10 Ways to Improve Your Family Tech Habits

  1. Own your stuff. Let’s get real. Change begins with acknowledging our personal responsibility in what isn’t working. If your own screen time is out of control and you are trying to set healthy digital habits for your family — that contradiction is going to undermine your success. Take a look at your screen time habits, admit to the bad habits, and establish fresh tech goals moving forward.
  2. No shame zone. We know about establishing device-free zones in the home such as the dinner table, movie time, and the bedroom at night. Consider a no shame zone — the understanding that no one is made to feel shame for his or her not-so-great tech habits. It’s hard to move forward toward new goals if we beat ourselves up for the past, compare ourselves to others, or are made to feel like the bad guy for falling short. Acknowledge bad habits, discuss them openly, and help one another do better in the future. Your chances of success double when you have a team supporting you.
  3. Stick to a device curfew. Try a device curfew — say 8 p.m. to 8 a.m. — when devices are turned off and put into a drawer (yes, you have to get this intentional). A curfew increases face-to-face family interaction and creates space for non-device activities. It specifically reduces the temptation to habitually check your phone, get lost scrolling on Instagram, and getting sucked back into work emails. More importantly, it models for your kids that you don’t have to check your phone constantly, which has countless emotional and physical benefits.
  4. Be realistic with changes. The goal is to reduce your tech and strike a balance that complements — rather than conflicts with — your family’s lifestyle and wellbeing. We know that technology is now an ever-present part of family life so cutting it out completely is neither beneficial nor realistic. Achieving a healthy tech balance is an on-going process. Some days you will fare than others. The goal is to make progress (not perfection) toward a healthier, more balanced relationship with your technology. Going haywire with rules and consequences won’t get you there faster. Discuss as a family what changes need to be made and brainstorm ways to get there. Set some realistic goals that everyone can achieve and maintain not just in the short-term but also as a lifestyle.
  5. Turn off notifications. This is a small, powerful act that can transform your digital life. Getting pop up notifications for apps, emails, texts, calendar events, social media actions — you name it — might be your normal for you but far from beneficial. So, turn them all off. I dare you.
  6. Filter content. Tech balance isn’t just about less tech; it’s also about monitoring the content that flows into your home from the other side of the screen. You can turn off your family’s devices for 23 hours a day and if the content you allow into your home for that remaining one hour isn’t age-appropriate or conflicts with your family’s values and tech goals, then that one hour has tremendous influence. Take the time to explore filtering options that allow you to set time limits on your child’s (and your) technology, block dangerous websites and apps, and helps you strike a healthy tech balance that reflects your family’s lifestyle and needs. Roll up your sleeves: Co-view movies, go through apps and video games and discuss the issues that arise around the media your kids consume.
  7. Be the parent. Kids crave consistency and leadership from parents. No matter what age your child may be, as a parent, you are the most influential person in your child’s life. You pay the bills. You can shut devices and routers off — regardless of the tantrum level. Your opinion matters on video games, media, apps, friend groups, and content. Don’t let your child’s emotional protests keep you from parenting well and establishing and enforcing good tech habits. If you think your child has a technology addiction issue trust that instinct and take action.
  8. Get a plan, work it. We all nod when we read this but who has done it? You can’t get where you are going without a map. Put a family tech plan in place (with group input) and stick to it. Ideas to consider: Phone free zones, device curfew, chores and responsibilities, physical activity vs. screen time, social media behavior, tech security rules, TV viewing time, video game time limits, content guidelines, and expectations. If you discover that your tech plan isn’t working, zero in and make adjustments.
  9. Rediscover real life — together. Maybe you’ve gotten in some bad habits over the years. Don’t beat yourself up. Just decide to change things up moving forward. It’s never too late to change your family vibe. Explore new things together — nature, art classes, concerts, camping — anything that helps you disconnect from technology and reconnect to each other and real life.
  10. Keep. On. Talking. Sure you’ve said it before, so what? Make the conversation about digital issues a priority in your home. Ask your kids what’s going on with their friend groups and online. Talk about tech issues in the news. Talk about the health and emotional issues connected to excessive tech use. According to your child’s age, talk about the stuff that’s tough to talk about talking about like cyberbullying, suicide, self-harm, body image, and sexting. A good rapport with your child is the most powerful tool you have as a parent today.

Remember, technology is a tool not a way of life. Healthy screen habits begin parents who are grounded in reality and who model healthy screen habits themselves. Times have changed, there are challenges to be sure but stay the course parent: You’ve got the tools and the tenacity you need to get in front of those challenges and equip our kids to live wise, balanced digital lives.

The post 10 Ways to Help Your Family Break Bad Tech Habits appeared first on McAfee Blogs.

AHUKUMIWA MIAKA MIWILI JELA KWA KOSA LA KUHARIBU TAARIFA ZA ALIYEKUA MUAJIRI WAKE



KWA UFUPI: Steffan Needham, Amabae alihudumu kama mshauri wa maswala ya tehama (IT Cosultant) katika kampuni ya Voova ya nchini Uingereza amehukumiwa kifungo cha miaka 2 Jela kwa kosa la kuharibu taarifa za muajiri wake wa wa zamani.
--------------------------------

Kwa mujibu wa Thames Valley Police ya Nchini Uingereza, Mtuhumiwa alifukuzwa kazi na mwaajiri wake na baadae kuharibu taarifa zote muhimu za kampuni hiyo kwa kile kilicho tafsiriwa kama kulipiza kisasi kutokana na kufukuzwa kwake.
Uharibifu wa taarifa umekadiriwa kuigharimu kampuni hiyo kiasi cha Dola laki sita na elsfu Hamsini (US$650,000) ikiwa ni pamoja na kupelekea wafanyakazi kadhaa kupoteza kazi zao.

Mtuhumiwa amehukumiwa chini ya sheria ya nchini Uingereza ya mitandao (Computer Misuse Act)




Aidha, Kampuni husika imeonekana na mapungufu ya kushindwa kuwa na mikakati madhubuti ya kulinda taarifa zake ikiwa ni pamoja na uwekaji wa njia zaidi ya moja (multi-factor authentication) ya uthibitishaji pale mhusika anapotaka kuingia kwenye mifumio yake na kuhakiki ufutwaji wa taarifa katika mfumo unahusisha mtu zaidi ya mmoja.



Ushauri umetolewa kwa makampuni kuchukua tahadhari za dhati katika kulinda taarifa zake ili kujikinga na watumishi wasio wema walio ndani (Malicious/disgruntled insiders) kuweza kuleta maafa hapo baadae.


Wakati huo huo, mahakama Nchini marekani imepatia kibali cha ruhusa kwa Microsoft kuziangusha tovuti takriban 99 zilizo husishwa na uhalifu rubunishi (Phishing Attack).

Tom Burt, kutokea Microsoft ameeleza oparesheni iliyo ziharibu na kuziangusha tovuti hizo 99 ilihusisha makampuni mengine makubwa kama vile Yahoo na mengineyo.

Android Security & Privacy Year in Review 2018: Keeping two billion users, and their data, safe and sound


We're excited to release today the 2018 Android Security and Privacy Year in Review. This year's report highlights the advancements we made in Android throughout the year, and how we've worked to keep the overall ecosystem secure.
Our goal is to be open and transparent in everything we do. We want to make sure we keep our users, partners, enterprise customers, and developers up to date on the latest security and privacy enhancements in as close to real-time as possible. To that end, in 2018 we prioritized regularly providing updates through our blogs and our new Transparency Reports, which give a quarterly ecosystem overview. In this year-in-review, you'll see fewer words and more links to relevant articles from the previous year. Check out our Android Security Center to get the latest on these advancements.
In this year's report, some of our top highlights include:
  • New features in Google Play Protect
  • Ecosystem and Potentially Harmful Application family highlights
  • Updates on our vulnerability rewards program
  • Platform security enhancements
We're also excited to have Dave Kleidermacher, Vice President of Android Security and Privacy, give you a rundown of the highlights from this report. Watch his video below to learn more.

Thoughts on OSSEC Con 2019

Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.

OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it on my Windows and Linux systems. The moving force behind the conference was a company local to me called Atomicorp.

In brief, I really enjoyed this one-day event. (I had planned to attend the workshop on the second day but my schedule did not cooperate.) The talks were almost uniformly excellent and informative. I even had a chance to talk jiu-jitsu with OSSEC creator Daniel Cid, who despite hurting his leg managed to travel across the country to deliver the keynote.

I'd like to share a few highlights from my notes.

First, I had been worried that OSSEC was in some ways dead. I saw that the Security Onion project had replaced OSSEC with a fork called Wazuh, which I learned is apparently pronounced "wazoo." To my delight, I learned OSSEC is decidedly not dead, and that Wazuh has been suffering stability problems. OSSEC has a lot of interesting development ahead of it, which you can track on their Github repo.

For example, the development roadmap includes eliminating Logstash from the pipeline used by many OSSEC users. OSSEC would feed directly into Elasticsearch. One speaker noted that Logstash has a 1.7 GB memory footprint, which astounded me.

On a related note, the OSSEC team is planning to create a new Web console, with a design goal to have it run in an "AWS t2.micro" instance. The team noted that instance offers 2 GB memory, which doesn't match what AWS says. Perhaps they meant t2.micro and 1 GB memory, or t2.small with 2 GB memory. I think they mean t2.micro with 1 GB RAM, as that is the free tier. Either way, I'm excited to see this later in 2019.

Second, I thought the presentation by security personnel from USA Today offered an interesting insight. One design goal they had for monitoring their Google Cloud Platform (GCP) was to not install OSSEC on every container or on Kubernetes worker nodes. Several times during the conference, speakers noted that the transient nature of cloud infrastructure is directly antithetical to standard OSSEC usage, whereby OSSEC is installed on servers with long uptime and years of service. Instead, USA Today used OSSEC to monitor HTTP logs from the GCP load balancer, logs from Google Kubernetes Engine, and monitored processes by watching output from successive kubectl invocations.

Third, a speaker from Red Hat brought my attention to an aspect of containers that I had not considered. Docker and containers had made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?

Another speaker emphasized the difference between "security of the cloud," offered by cloud providers, and "security in the cloud," which is supposed to be the customer's responsibility. This makes sense from a technical point of view, but I expect that in the long term this differentiation will no longer be tenable from a business or legal point of view.

Customers are not going to have the skills or interest to secure their software in the cloud, as they outsource ever more technical talent to the cloud providers and their infrastructure. I expect cloud providers to continue to develop, acquire, and offer more security services, and accelerate their competition on a "complete security environment."

I look forward to more OSSEC development and future conferences.

Apple News+ Is A Rip-Off, There Are Free Alternatives

Apple announced this week their new expansion of their News app a paid subscription model called News+. News+ will allow users to get access to digital magazines as well as special access to Wall Street Journal and LA Times newspapers among others. On the surface this looks like a game changer but this is an […]

The post Apple News+ Is A Rip-Off, There Are Free Alternatives appeared first on Security In Five.

3 Ways Small Organizations Can Take a Proactive Approach to Security

Small Business SecurityWhile most large enterprises have recognized the value in taking a proactive approach to security, many smaller organizations may not yet realize that they’re also a target for cybercriminals.  As a result, these organizations’ primary security strategy consists of waiting until an incident occurs to react, with minimal to no preventative security measures in place.

This makes small organizations a prime target for cyber criminals, with 43% of cyberattacks targeted at small businesses, according to the Verizon DBIR.

The problem is that this reactive approach often results in severe remediation and forensics costs, as well as substantial brand and reputation damage.

This has a significant effect on any business that is breached, but unlike larger organizations, smaller businesses often have a harder time recovering from the damage caused.  Many of these small businesses don’t recover at all, with 60% of small organizations going out of business within six months of suffering a cyberattack. 

When you take into consideration the growing frequency of small businesses that are breached and the rising costs of these breaches, it makes sense that taking a proactive approach to security can actually save you money in the long run.

So, what exactly does a proactive cybersecurity strategy consist of?

1.  Identifying your greatest vulnerabilities with Security Assessments.

The first step in proactively protecting your organization is understanding what exactly needs protecting.  This can be accomplished in a security assessment to understand and identify your greatest weaknesses ­­— before an adversary does.

These assessments could take the form of a Network Security & Architecture Review or a Penetration Test.  They are designed to find weaknesses in your security policies, network design, and device configurations and rules.

As an extra benefit, these assessments help you prioritize where to focus your budget.  This is a great way to get your executives on board, whose support is critical when gaining budget for other proactive measures.

2.  Monitoring your network continuously with a Managed Security Service Provider.

One of the best ways to proactively detect incidents is to have eyes on your network 24/7/365.  This can be done through a managed security services provider (MSSP), which will continuously monitor your endpoints and alert you when there is suspicious activity on your network.  The MSSP staff will also provide you with detailed recommended remediations so you can strengthen your network and prevent future incidents.

Although the cost of an MSSP may be comparable to hiring an internal employee, the value you receive from an MSSP is far greater than one person can offer.  Unlike a single employee, an MSSP offers you varied areas of expertise, access to technology, and around-the-clock coverage. 

3.  Reducing incidents resulting from human error with Security Awareness Training.

With human error accounting for 27% of cybersecurity incidents (Ponemon Institute), providing your staff with security awareness training is one of the most critical and budget-friendly proactive measures you can take.

This training should include secure password training, phishing campaigns, and secure travel training.  Be sure to incorporate this training into the onboarding process and include regular refreshers to ensure your staff is up-to-date and you are fostering a culture of cyber awareness.

By taking the necessary steps to implement proactive security measures, you can save money on costly breaches ­­– and possibly even save your business.

Not sure where to start? Contact us for a complimentary security assessment.

The post 3 Ways Small Organizations Can Take a Proactive Approach to Security appeared first on GRA Quantum.

iOS Users: Update Your Software to Avoid Security Vulnerabilities

On Monday, Apple made some bold announcements at their keynote event, including new subscription offerings for news, television, video games, and a credit card service. But while these exciting announcements were being made, the release of iOS 12.2 seemed to slip under the radar. This update contains 51 different security fixes and impacts devices ranging from the iPhone 5s and later, the iPad Air, and even products running tvOS. These software patches cover a variety of bugs that cybercriminals could use to obtain effects like denial-of-service, overwrite arbitrary files, or execute malicious code.

The iOS 12.2 update includes patches for vulnerabilities in core apps like Contacts, FaceTime, Mail, Messages, and more. According to security professional Alex Stamos, most of the vulnerabilities were found in Webkit, the browser engine Apple uses in many of its products including Safari, Mail, and App Store. Among these vulnerabilities were memory corruption bugs, which could lead to arbitrary code execution. This type of attack allows malicious actors to run any command on the target system, potentially taking over the victim’s files or allowing them to take over the victim’s system remotely. To prevent arbitrary code execution attacks, Apple improved device memory handling, state, and management. These processes control and coordinate device computer memory in order to optimize overall system performance. Another issue patched by this update is the ability for a cybercriminal to bypass sandbox restrictions, which protect a device’s critical infrastructure from suspicious code. To combat this, Apple issued an improvement to validation checks.

While it can be easy to click the “Remind Me Later” option when you receive a software update notification, the security updates included in iOS 12.2 should not be overlooked. To help keep your iOS devices protected and running smoothly, check out the following tips:

  • Update your software. To update your device to iOS 12.2, go to your Settings, then to General, and then click Software Update. From there, you will be able to download and install the update and patch over 50 security holes.
  • Turn on automatic updates. Turning on automatic updates helps shield you from exposure to threats brought on by software bugs and vulnerabilities. You can enable automatic updates in your Settings as well.
  • Use a security solution. To add an extra layer of protection to all your devices, install a security solution like McAfee Total Protection. This will allow you to have an extra security weapon and help defend your devices from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iOS Users: Update Your Software to Avoid Security Vulnerabilities appeared first on McAfee Blogs.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry Deepmagic information Gathering Tool Kali Linux   DMitry (Deepmagic Information Gathering Tool) is a open source Linux CLI tool developed by James Greig. Coded in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host that is possible. Features include subdomains search, email addresses, uptime information, […]

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.

How to Enable Facebook White Hat Researcher Setting

How to Enable Facebook White Hat Researcher Setting   Facebook have implemented a white hat secuirty testing setting that allows its users to test security over various Facebook services.   Facebook will knowingly break its Certificate Pinning mechanism for its users that use white hat settings. Pinning is used to improve security of a website […]

The post How to Enable Facebook White Hat Researcher Setting appeared first on HackingVision.

From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry

The technology around us is constantly changing, and cybersecurity practices are evolving to match these new innovations. As the cybersecurity landscape shifts to meet the needs presented by new technology, opportunities arise for cybersecurity professionals to step into new roles – an experience I recently underwent myself. I’ve recently shifted from McAfee’s Mobile and ISP Business Unit to our Enterprise Endpoint Engineering team, a transition that has given me the opportunity to leverage what I’ve learned in the industry and step forward as a leading woman in tech.

Through this process, I’ve seen first-hand how growth opportunities within the cybersecurity field are beneficial for both individuals and the future of the security industry as well. For example, my transition allows me to apply my past experience and knowledge to a new area of security. Previously, I specialized in engineering solutions that protected mobile, IoT, and smart home devices. However, with my transition into this new role, I am still protecting individual endpoint devices, but rather in a new type of environment — an organization’s network.

Just like the ever-growing number of IoT devices connecting to users’ home networks, endpoint devices are popping up everywhere in corporate networks these days. As we add more endpoint devices to corporate networks, there is a growing need to ensure their security.  Endpoint security, or endpoint protection, are systems that protect computers and other devices on a network or in the cloud from security threats. End-user devices such as smartphones, laptops, tablets, and desktop PCs are all classified as endpoints, and these devices are all now rapidly connecting to an organization’s network with every employee, partner, and client that enters the building. That’s why it’s imperative companies prioritize a robust and agile endpoint security strategy so that all of their network users can connect with confidence. Similar to securing all the personal devices on a home network, it’s a sizable challenge to secure all corporate endpoints. And my new team, the McAfee Enterprise Endpoint Engineering group, is here to help with exactly that.

Leading consumer engineering taught me how to make security simple for a home user’s consumption. How to protect what matters to a user without them being experts on the threat landscape or security vulnerabilities, security breaches and campaigns around device, data, cloud and network. This is something I plan to bring to the new role. Leading a business unit focused on delivering security through mobile carriers and ISPs taught me the strength of bringing together an ecosystem both on technology and the channel to solve end users’ security needs in a holistic way. That ecosystem view is another that I bring to this role, besides leading engineering from the lens of growing the business.

This transition is not only exciting from a personal perspective but also because it is a testament to the progress that is being seen across the cybersecurity industry as a whole. There’s a lot to be said about the vast opportunities that the cybersecurity field has to offer, especially for women looking to build a career in the field. Cybercriminals and threat actors often come from diverse backgrounds. The wider the variety of people we have defending our networks, the better our chances of mitigating cyberthreats. From there, we’ll put ourselves in the best position possible to create change – not only within the industry but within the threat landscape as a whole.

The post From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry appeared first on McAfee Blogs.

Social Media: Where Cybercrime Lurks in the Shadows

When you think of cybercrime, the first thing that comes to mind is most likely cybercriminals operating on the dark web. Last year, however, cybercriminals made the jump over to social media and cashed in big – $3 billion worth, as a matter of fact. With approximately 2.77 billion people using one social media account or more, it’s no wonder these bad actors have followed the masses. While the average user distrusts the dark web, they do trust their chosen social media platforms. Whether it’s sharing birthdates or a current location, or accepting a follow or message request from strangers, users in front of a screen feel secure. Although, as the line between social platforms and the dark web quickly blurs, the events behind the screen are the real issue.

Since 2017, cryptomining malware has exploded on a global scale, with over half of the identified strains found on social media sites. Utilizing apps, advertisements, and malicious links, cybercriminals were able to deliver these attacks and earn $250 million per year. Not only are social media platforms being used to distribute cryptomining malware, but they are also used as a major source for spreading other types of malware – malvertisments, faulty plug-ins, and apps – that draw users in by offering “too good to be true” deals. Once clicked on, the malware attacks. From there, cybercriminals can obtain data, establish keyloggers, dispense ransomware, and lurk in the shadows of social media accounts in wait for the next opportunity.

That next opportunity could also be on a completely different social media platform. As these sites unknowingly make it easier for malware to spread from one site to another. Many social media accounts interconnect with one another across platforms, which enables “chain exploitation,” or where malware can jump from one account to the next.

In short, social media is a cash cow for cybercriminals, and they are showing no sign of slowing down. What it really comes down to is social platforms, like Instagram and Facebook, attract a significant number of users and are going to draw in a criminal component too. However, if you take the proper security precautions ahead of time, you can fight off bad actors and continuously scroll with confidence. Here are some tips to help you get started:

  • Limit the amount of personal information shared in the first place. Avoid posting home addresses, full birth dates, and employer information, as well as exact location details of where you are.
  • Be wary of messages and follow requests from strangers. Avoid clicking on links sent by someone you don’t know personally.
  • Report any spam posts or messages you encounter to the social media platform. Then they can stop the threat from spreading to other accounts.
  • Always use comprehensive security software. To help protect you from viruses, spyware, and other digital threats that may emerge from social media sites, consider McAfee Total Protection or McAfee Mobile Security.

Interested in learning more about IoT and mobile security trends and information?

  • Take our quiz on best practices on how to stay secure on social media
  • Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook

 

Note: There is a widget embedded within this post, please visit the site to participate in this post's widget.

The post Social Media: Where Cybercrime Lurks in the Shadows appeared first on McAfee Blogs.

The Ultimate CyberParenting Hack – Managing Your Family’s Cybersafety with the help of your Wi-Fi Router!

Managing your family’s cybersafety can often feel overwhelming. But one thing I have learnt in my 22 years of parenting is that there are no silver bullets for any parenting issues. Whether it’s toilet training or driver training, it takes time and often a combination of strategies. Teaching your kids about online safety is no different. Yes, you need to put in the hard work and continue to have the conversations. BUT if it was possible to supplement the talking with some strategic parental controls and an automatic layer of cybersecurity, then I would consider that to be a parenting no brainer!

Well, this parenting no-brainer exists. Let me introduce you D-Link’s latest D-Fend Router which not only includes McAfee’s Secure Home Platform which automatically protects all your Wi-Fi connected devices but some pretty impressive parental controls too. And all this happens while users are delivered fast wireless connectivity with increased range and reliability. Awesome!

Being a First-Generation Digital Parent Is A Tough Gig

As a generation of parents, I believe we are the busiest yet. Not only are we juggling our brood of kids and their lives but many of us are also managing ageing parents, plus our own careers, relationships and social lives. And just to complicate things a little further, we are also the first generation of digital parents. Managing our kids and their fleet of devices comes with no guidebook or tried and tested generational wisdom, which makes our job even more complex. How easy did my parents have it – all they had to do was buy the Atari console in the 80’s!

But the job of a digital parent is only set to become more complex with Gartner estimating that by 2020 there will be 20.4 billion IoT devices operating in our world.

Many Parents Don’t Know Where To Start With Cyber Safety At Home

When I speak with parents about how they manage their kids and devices, there is a recurring theme – many parents know they need to be doing something to protect their kids from online risks, but they often don’t know where to start. As a result, nothing often happens. Research from McAfee confirms this too with almost a third of Aussies taking no steps at all to install security protection on either their own or their kids’ internet connected devices.

But there is no doubt that many parents are concerned about the risks. Research by Life Education in partnership with Hyundai Help for Kids shows that an overwhelming 95% of Aussie parents rated online safety as a very important issue which is very encouraging.

What Online Risks Concern Aussie Parents the Most?

Aussie parents have many concerns about the risks posed by the online world. I believe however, the following are the ones that increase parents’ blood pressure the most!

Screen time – The time our kids spend glued to screens is a huge concern for many Aussie parents. Whether you are concerned about ‘tech neck’, the growing rates of childhood obesity or simply, the lack of conversation at home – you would not be alone! Research by The Australian Institute of Family Studies shows that 12-13 year old Aussie kids are spending a whopping 3 hours a day in front of screens during the week and then 4 hours on the weekends. No wonder many parents are concerned.

Gaming – Recent research conducted by McAfee shows that some Aussie teens are spending up to 4 hours a day gaming. And while parents naturally worry about the opportunity cost associated with the time, their greater concern is around the risk of online grooming and of exposure to inappropriate and violent material.

Cyberbullying – This is the big one for many parents and rightly so. Cyberbullying can be absolutely devastating for victims. A quick google provides just far too many examples of young adults who have suffered significant psychological trauma or even lost their lives as a result of unchecked cyberbullying. Last year, our e-Safety Commissioner reported a 35% increase in cases of reported cyberbullying as compared to the previous year.

But Why Aren’t Parents Taking Action?

As a group of parents, there is no doubt we are concerned about screen time, gaming addiction, online grooming, and cyberbullying but many of us aren’t taking the necessary action to intervene and protect our kids. So, McAfee probed a little deeper in recent research and discovered that almost half of Aussie parents believe that their children can manage their own cyber safety from the age of just 10. Now, when my boys when 10, they were barely able to manage their own lunchboxes! So, this belief truly stuns me.

So, we have some parents who just don’t know where to start and others who believe it isn’t their responsibility. Regardless, there is clearly a need to take some decisive action to protect our kids from both online risks and problematic anti-social behaviours.

What Steps Can Parents Take Now to Protect Their Kids Digital Lives?

The good news is there are a few simple things parents can do to protect their kids and their growing fleet of internet connected devices. Here are my top tips:

  • Check a Device’s Security Track Record

Before buying any connected device, always research the brand and read reviews on a product’s security (or lack of). A quick web search will give you some pretty fast insight into the potential device’s security standards. Going with a notable brand that has a proven security track record is often the best option.

  • Always Change Default Settings, Use Strong Passwords & Enable Two-Factor Authentication

Default and weak passwords are the biggest threat to the security of internet connected devices. Hackers are very familiar with both default and obvious passwords which makes it super easy to access the data on your devices. Know these passwords and use them to access the data on your devices. If the thought of remembering several passphrases daunts you, go for a password manager. While a strong and unique password is a great place to start, enabling two-factor authentication on your devices and accounts will mean you’ll need to verify your identity with something that you (and only you) have access to. This is most commonly a mobile device, which ensures a higher-level of security.

  • Keep Your Devices Up To Date

Device software updates are often always designed to protect your device from recently discovered security bugs, vulnerabilities and threats. If you’re in the common habit of ignoring update notifications, turning on auto-update will ensure you apply these patches in real time and have maximum protection.

  • Invest in a Router that Protects Your Devices & Offers Parental Controls!

Investing in a Wi-Fi router with built-in protection like McAfee’s Secure Home Platform is one of the easiest ways of both managing and protecting your family’s fleet of devices. Not only does it automatically protect any device that connects to the Wi-Fi but it comes with some very strategic parental controls. So not only can you take back control and proactively manage your kids’ screen time but you can set up customised profiles to ensure they are visiting only suitable sites.

As a mum of 4, I believe that managing the risk in our kids’ cyber lives needs to be a genuine priority for us all. So, yes, let’s keep talking to our kids about online risks and the need to self-regulate our online behaviour. But, if we could also add in a later of automatic protection for our kids’ devices from McAfee’s Secure Home Platform and some savvy parental controls to ensure our kids are on track then I think that’s a pretty compelling parenting hack for us first generation digital parents!

Take Care

Alex xx

 

The post The Ultimate CyberParenting Hack – Managing Your Family’s Cybersafety with the help of your Wi-Fi Router! appeared first on McAfee Blogs.

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace it with a bulletproof password to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone — a lock screen, secure passwords on accounts, and system updates — there are hacking tactics you likely know nothing about. According to McAfee’s recent  Mobile Threat Report, you don’t know because the scope and complexity of mobile hacks are increasing at alarming rates.

Hidden Apps

The latest statistics report that the average person has between 60-90 apps installed on their phones. Multiply that between all the users in your home, and you are looking at anywhere from 200-500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically, hidden apps (such as TimpDoor) get to users via Google Play when they download games or customized tools. TimpDoor will then directly communicate with users via a text with a link to a voice message that gives detailed instructions to enable apps from unknown sources. That link downloads malware which will run in the background after the app closes. Users often forget they’ve downloaded this and go on with life while the malware runs in the background and can access other internal networks on the smartphone.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year it is the 60 million+ downloaded game Fortnite. The Fortnite craze has lead hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, crypto jack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

Facebook Users: Here are Proactive Tips to Keep Your Data Safe

Social media has become extremely popular over the years, providing users with an easy way to communicate with their friends and family. As social media users, we put a lot of faith and trust in these platforms to maintain the security of our private information. But what happens when our private information is mishandled? The reality is that these incidents happen and users need to be prepared. Yesterday, Facebook announced that it did not properly mask the passwords of hundreds of millions of its users, primarily those associated with Facebook Lite.

You might be wondering how exactly this happened. It appears that many user passwords for Facebook, Facebook Lite, and Instagram were stored in plaintext in an internal company database. This means that thousands of Facebook employees had access to the database and could have potentially searched through these user passwords. Thankfully, no cases of data misuse were reported in the investigation, and these passwords were never visible to anyone outside of the company. According to Facebook software engineer Scott Renfro, Facebook is in the process of investigating long-term infrastructure changes to prevent these security issues going forward.

According to Facebook’s vice president of engineering, security, and privacy, the company has corrected the password logging bug and plans to notify the users whose passwords may have been exposed. But what can users do to better protect their data when an incident like this occurs? Check out the following tips:

  • Change your password. As a precautionary step, update your Facebook and Instagram passwords by going into the platforms’ security and privacy settings. Make sure your passwords are unique and complex.
  • Use multi-factor authentication. While this shouldn’t be your be-all and end-all security solution, it can help protect your credentials in the case of data exposure.
  • Set up a password manager. Using a password manager is one of the easiest ways to keep track of and manage your passwords so you can easily change them after these types of incidents occur.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Users: Here are Proactive Tips to Keep Your Data Safe appeared first on McAfee Blogs.

McAfee Web Security offers a more flexible approach to Data Privacy

Post GDPR, there is still a lot of complexity in data privacy and data residency requirements. Depending on where they are located, what industry they are in, and how diverse their customer base is, companies are requiring a high degree of flexibility in the tools they use for web security. While most web security products in the market today simply document their data handling practices as a part of GDPR compliance, McAfee strives to give customers more flexibility to implement the level of data privacy appropriate for their business.  Most of our McAfee Web Protection customers use our technologies to manage employee web traffic, which requires careful handling when it comes to processing Personal Data.

Our latest update to the McAfee Web Gateway Cloud Service introduced two key features for customers to implement their data privacy policies:

  • Concealment of Personal Data in internal reporting: We enable you to conceal or pseudonymize certain fields in our access logs. You can still report on the data but Personal Data is obfuscated. As an example, you can report on how much your Top Web Users surfed the Internet, but administrators cannot identify who that top user is.

 

 

 

 

 

 

 

  • Full control of data residency: Especially in heavily regulated industries, many of our customers have asked for the ability to control where their log data goes so that they have control over data residency. We give you that control. For example, you can currently select between the EU and US as data storage points for users connecting in each geographical region. Additional finer control can be achieved by configuring client proxy settings, or through Hybrid policy. And, in conjunction with Content Security Reporter 2.6, customers can centrally report on all the data, while providing access control on the generated reports.

 

 

 

 

 

 

As a globally dispersed organization, there are of course still limits to what we can offer – our support and engineering teams, for instance, might need to access data for troubleshooting purposes from other geographies.  Telemetry and other data required to operate the service would still be global.  But to the extent that we can, with the access logs that contain PII, customers want more control.

McAfee Web Gateway Cloud Service is built for the enterprise, and many organizations will gain a higher level of performance than they currently experience on premises. As your security team continues to manage highly sophisticated malware and targeted attacks that evade traditional defences, McAfee Web Gateway Cloud Service allows you to go beyond basic protection, with behaviour emulation that prevents zero-day malware in milliseconds as traffic is processed.

The post McAfee Web Security offers a more flexible approach to Data Privacy appeared first on McAfee Blogs.

Managed Google Play earns key certifications for security and privacy


Posted by Mike Burr, Android Enterprise Platform Specialist

[Cross-posted from the Android Enterprise Keyword Blog]



With managed Google Play, organizations can build a customized and secure mobile application storefront for their teams, featuring public and private applications. Organizations' employees can take advantage of the familiarity of a mobile app store to browse and download company-approved apps.
As with any enterprise-grade platform, it's critical that the managed Google Play Store operates with the highest standards of privacy and security. Managed Google Play has been awarded three important industry designations that are marks of meeting the strict requirements for information security management practices.
Granted by the International Organization for Standardization, achieving ISO 27001 certification demonstrates that a company meets stringent privacy and security standards when operating an Information Security Management System (ISMS). Additionally, managed Google Play received SOC 2 and 3 reports, which are benchmarks of strict data management and privacy controls. These designations and auditing procedures are developed by the American Institute of Certified Public Accountants (AICPA).
Meeting a high bar of security management standards
To earn the ISO 27001 certification, auditors from Ernst and Young performed a thorough audit of managed Google Play based on established privacy principles. The entire methodology of documentation and procedures for managing other companies' data are reviewed during an audit, and must be made available for regular compliance review. Companies that use managed Google Play are assured their data is managed in compliance with this industry standard. Additionally, ISO 27001 certification is in line with GDPR compliance.
Secure data management
With SOC 2 and SOC 3 reports, the focus is on controls relevant to data security, availability, processing integrity, confidentiality and privacy, which are verified through auditing reports. In managed Google Play, the data and private applications that enter Google's systems are administered according to strict protocols, including determinations for who can view them and under what conditions. Enterprises require and receive the assurance that their information is handled with the utmost confidentiality and that the integrity of their data is preserved. For many companies, the presence of an SOC 2 and 3 report is a requirement when selecting a specific service. These reports prove that a service company has met and is abiding by best practices set forth by AICPA to ensure data security.
Our ongoing commitment to enterprise security
With managed Google Play, companies' private apps for internal use are protected with a set of verified information security management processes and policies to ensure intellectual property is secure. This framework includes managed Google Play accounts that are used by enterprise mobility management (EMM) partners to manage devices.
Our commitment is that Android will continue to be a leader in enterprise security. As your team works across devices and shares mission-critical data through applications hosted in managed Google Play, you have the assurance of a commitment to providing your enterprise the highest standards of security and privacy.

Why Take the Risk? Addressing Privacy Concerns with an MSSP

One concern that often arises when a company is considering hiring a Managed Security Service Provider (MSSP) and outsourcing their security functions is the risk of allowing a third party to monitor and take care of sensitive data.  For many companies, this can be a source of great anxiety.  Allowing a third party to access sensitive organization data and customer Personally Identifiable Information (PII) begs the question, what exactly is my MSSP monitoring?

While it is always a risk to give your data over to another entity, it is important to know that MSSPs will protect your privacy at all costs and are only interested in monitoring the security of your organization.

Let’s start to address the concerns by taking a look at what MSSPs are not monitoring:

What an MSSP is not monitoring:

A responsible MSSP places a high value on protecting client confidentiality and is primarily concerned with protecting the integrity of the client’s network infrastructure and data. As such, even if the ability is there, the MSSP staff does not review browsing activity or history, email content and recipients, or database information, ensuring full privacy for your executives.  MSSP personnel strictly adhere to confidentiality agreements and act professionally.  If sensitive information is seen, it is not discussed.

There are ways to ensure confidentiality is maintained, including detailed service level agreements (SLA) and statements of work (SOW). These are essential when transferring risk to an MSSP and can offer legal protections to a company in the event of a data breach.

What an MSSP is monitoring:

Typically, an MSSP will aggregate logs and events from multiple systems and sources within the client’s network infrastructure to a security information and event management (SIEM) system.  Those logs and events will come from infrastructure components like firewalls, endpoint security applications, and operating systems.  The SIEM will be configured with alarming rules that will generate alerts from incoming logs for the MSSP personnel to investigate and act upon.

Why partner with an MSSP?

Cost Advantage

Contracting with a third party to handle your organization’s network and information security has significant advantages, especially for small and medium-sized businesses that may not have the budget for a dedicated in-house information security team.  In fact, hiring an MSSP over an in-house staff is a way to make the most of your money by gaining access to 24/7 expertise without the burden of finding and retaining staff during the massive cybersecurity skills shortage.

Business Advantage

When you partner with an effective MSSP, they will provide monthly reports that not only improve visibility into your security posture, but also act as a tool to justify and build budget for future security needs.  This allows you to map your security objectives to the greater business objectives, which in turn helps get leadership on board with your efforts.

Technology Adaptability

A quality MSSP will be technology agnostic, with the ability to adapt to your current infrastructure, technology, and existing applications that you’ve already invested time and budget into.

Access to Expertise

Perhaps the largest benefit of contracting with an MSSP is the level of security expertise the MSSP can provide.  A quality MSSP will be staffed with security experts who are highly skilled in network and information security, organized to detect, analyze, respond to, report on, and prevent cybersecurity events.

Ultimately, when you engage the services of an MSSP, you receive peace of mind knowing that not only is your data protected around the clock, but your privacy is also prioritized and maintained.

Don’t settle for any MSSP; follow our Comprehensive Guide to find the right one for your needs.

The post Why Take the Risk? Addressing Privacy Concerns with an MSSP appeared first on GRA Quantum.

Return to Workplace: Ready to Relaunch Your Career

By: Sheetal, Application Developer & Majy, IT Support

McAfee offers a new program that offers professionals who dedicated extended time to their families the chance to reignite their passion for the technology industry and relaunch their careers.

Sometimes, it’s necessary to put your career on hold to raise kids, care for loved ones or serve your country. For many, it can be daunting to reenter the workplace after time away. That’s why McAfee designed its Return to Workplace program.

Launched in India in 2018, the 12-week Return to Work program offers training, support and resources for those who are looking to reenter the technology field and put their careers back on track.

Read Sheetal’s and Majy’s stories about how McAfee’s Return to Workplace program helped them build the skills they needed to reenter the workforce and come back strong.

Sheetal’s Return to Workplace Journey – Application Developer

To pursue my love for technology, I moved to Bangalore to complete my engineering degree in computer science, and I found rewarding work as a Quality Auditor. In 2015, I added another momentous title to my resume—mom. I gave birth to my first child and took my maternity leave; however, family circumstances extended my break.

Returning to Tech

Three years later, I was finally ready to get back to work, and I anxiously began my job hunt. It wasn’t as easy as I thought it would be, and I had a few concerns to say the least. Not only did I fear I’d be behind in the fast-paced technology industry, I also feared I wouldn’t find a supportive workplace as a single mom.

All Thanks to McAfee

As a single mother, McAfee allowed me to balance both my career and my family by giving me flexible work hours, technical mentoring, soft skills training, sessions with the HR team and several other resources to sharpen my professional skills. It helped me build my confidence over time, and today, I am working as a part of the application development team, assuring that the business works efficiently as possible.

McAfee has offered not only me, but a number of other wonderful women, a second chance to resume their careers at their own pace, without having to give up time with their families and children.

Majy’s Story – IT Support

Passionate about technology, I pursued my education in engineering at Calicut University and began my career soon after as a software engineer. I loved my career and the people I worked with—it’s what got me out of bed and excited about each day. Eventually, my reasons to start the day shifted when my husband and I were blessed with our first child. I decided it was time to put a hold on my career, to be there for my son and spend quality time at home during those early development years.

Facing Fears About Getting Back to Work

My son was growing up right before my eyes, and as he became more independent, I considered returning to my career. Even though I was eager to get back to work, I feared I wouldn’t find a company that allowed me to manage both a fulfilling career and raising a child at home—or if my skills would still be relevant.

 

Discovering McAfee Was the Best Thing Ever

McAfee’s Return to Workplace initiative completely blew me away. With the working environment that McAfee offered me, which was flexible and encouraging, I absolutely could not miss this opportunity. McAfee offered me several avenues to learn and brush up on my technical skills. They even provided me with a technical mentor! Having access to my mentor created a safe environment where I could ask my technical queries without feeling the pressure of asking the wrong question. In addition to this, the host of online courses I could leverage was an advantage for me. Ultimately, McAfee provided me with an environment where I could learn and grow without feeling intimidated. This was empowering and gave me the push I needed to successfully complete the program. McAfee was my natural first choice for returning to work and I couldn’t have been happier to accept a full-time position.

For more stories like this, follow @LifeAtMcAfee  on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

Ready to relaunch your career? Get the resources you need at McAfee. Apply here.

The post Return to Workplace: Ready to Relaunch Your Career appeared first on McAfee Blogs.

KNOW AND PICK YOUR ANDROID SECURITY APP WISELY



IN BRIEF: In recent year, we have seen a tremendous increase of mobile applications across many countries – It is like everyone want to come with a mobile application for many reasons. On the other hand, the rate of fake and malicious mobile applications is rapidly growing posing major security risk to mobile users.
-------------------------------------

 Mobile application developers are now facing threats to customers and application data as automated and sophisticated attacks increasingly target the owners, users and data of mobile applications.

Apart from jeopardizing our privacy from unprotected Application from various application developers, Criminals are also developing mobile applications with malicious intentions putting thousands of users who download them to fall victims of cybercrimes.





It is prudent to secure our mobile devices with security solutions – Sadly, A recent test of anti-malware apps available in Google Play showed that most are not, in fact, worthy of the name and, indeed, the space they take up on the Android device.


Independent testing outfit AV-Comparatives threw the 2,000 most common Android malware samples seen in the wild last year at 250 security (and, as it turns out, also “security”) apps that were available in the Android store in January of this year. Only 80 apps passed the organization’s most basic test – flagging at least 30 percent of the samples as malware while reporting no false positives for some of the most popular and clean apps in Google Play.

Crucially, only 23 apps passed the test with flying colors; that is, they had a 100-percent success rate at detecting the malicious code.

So, what are those purported anti-malware solutions that failed the test up to? You may have guessed it – for the most part, they’ll only foist ads on you. Put differently, instead of keeping you safe from pests that are banking Trojans, ransomware and other threats, many of the fake security apps will apparently only pester you with unwanted ads, all in the name of easy revenue for the developers.


Indeed, some of the products are already detected, at the very least, as “potentially unwanted applications” by at least some reputable mobile security solutions and are likely to be booted by Google from the Android store soon.

In many cases, the apps’ “malware-detecting functionality” resided in their comparing the name of a package for any given app against the AV apps’ respective whitelisted or blacklisted databases. This way of determining if a piece of software is safe or not, can, of course, be trivially easy to defeat by malware creators. Meanwhile for the user, it creates a false sense of security.


The fact that many ad-slinging apps are disguised as security solutions may not be a revelation for you. After all, ESET malware researcher Lukáš Štefanko warned early in 2018 about dozens of apps that professed to protect users from malicious code, but were instead only vehicles for displaying ads.

Meanwhile, a number of products that scored poorly in the test were deemed to be the work of what AV-Comparatives called “hobby developers”. Rather than focus on producing quality security software, these software makers apparently produce a variety of apps that are only designed to generate ad revenue for them. Still other developers “just want to have an Android protection app in their portfolio for publicity reasons”, wrote the AV testing outfit.

In addition, user ratings and/or download numbers are not necessarily something to go by. “Most of the 250 apps we looked at had a review score of 4 or higher on the Google Play Store. Similarly, the number of downloads can only be a very rough guide; a successful scam app may be downloaded many times before it is found to be a scam,” wrote AV-Comparatives, adding that the ‘last updated’ date isn’t a reliable indicator, either.


All told, the results can be understandably disheartening. On the other hand, they’re another reminder of the need to stick to reputable products with proven track records in mobile security.

Analysis of a Chrome Zero Day: CVE-2019-5786

1. Introduction

On March 1st, Google published an advisory [1] for a use-after-free in the Chrome implementation of the FileReader API (CVE 2019-5786). Clement Lecigne from Google Threat Analysis Group reported the bug as being exploited in the wild and targeting Windows 7, 32-bit platforms. The exploit leads to code execution in the Renderer process, and a second exploit was used to fully compromise the host system [2]. This blog is a technical write-up detailing the first bug and how to find more information about it. At the time of writing, the bug report [2b] is still sealed. Default installation of Chrome will install updates automatically, and users running the latest version of Chrome are already protected against that bug. To make sure you’re running the patched version, visit chrome://version, the version number displayed on the page should be 72.0.3626.121 or greater.

2. Information gathering

2.1 The bug fix

Most of the Chrome codebase is based on the Chromium open source project. The bug we are looking at is contained inside the open source code, so we can directly look at what was fixed in the new release pertaining to the FileReader API. Conveniently, Google shares the changelog for its new release [3].

We can see that there’s only one commit that modifies files related to the FileReader API, with the following message:

The message hints that having multiple references to the same underlying ArrayBuffer is a bad thing. It is not clear what it means right now, but the following paragraphs will work on figuring out what wisdom lies hidden in this message.

For starters, we can look at the commit diff [3b] and see what changed. For ease of reading, here is a comparison of the function before and after the patch.

The old one:

The new one:

The two versions can be found on GitHub at [4a] and [4b]. This change modifies the behavior of the ArrayBufferResult function that is responsible for returning data when a user wants to access the FileReader.result member.
The behavior of the function is as follows: if the result is already ‘cached,’ return that. If not, there are two cases; if the data has finished loading, create a DOMArrayBuffer, cache the result, and returns it. If not, it creates a temporary DOMArrayBuffer and returns that instead. The difference between the unpatched and patched version is how that temporary DOMArrayBuffer is handled, in case of a partial load. In one case, we can see a call to:

 

This prompted us to go down a few more rabbit holes. Let us compare what is going on in both the unpatched and patched situation.

We can start with the patched version, as it is the simplest to understand. We can see a call to ArrayBuffer::Create that takes two arguments, a pointer to the data and its length (the function is defined in the source tree at /third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer.h)

 

This basically creates a new ArrayBuffer, wraps it into a scoped_refptr<ArrayBuffer> and then copies the data into it. The scoped_refptr is a way for Chromium to handle reference counting [5]. For readers unfamiliar with the notion, the idea is to keep track of how many times an object is being referenced. When creating a new instance of a scoped_refptr, the reference count for the underlying object is incremented; when the object exits its scope, the reference count is decremented. When that reference count reaches 0, the object is deleted (and for the curious, Chrome will kill a process if the reference count overflows….). As we’re looking for a potential use-after-free, knowing that the buffer is ref-counted closes some avenues of exploitation.

In the unpatched version, instead of calling ArrayBuffer::Create, the code uses the return value of ArrayBufferBuilder::ToArrayBuffer() (from third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_builder.cc):

 

Here is yet another rabbit hole to dive into (but we will keep it high level).  Depending on the value of bytes_used_), the function will either return its buffer, or a Sliced version of it (i.e. a new ArrayBuffer of a smaller size, that contains a copy of the data)

 

To sum up what we have so far, in all the code paths we have looked at, they all return a copy of the data instead of the actual buffer, unless we run the unpatched code, and the buffer we try to access is `fully used` (per the comment in ArrayBufferBuilder::ToArrayBuffer()).
Because of the implementation of the FileReaderLoader object, the buffer_->ByteLength() is the pre-allocated size of the buffer, which correspond to the size of the data we want to load (this will be relevant later on).
If we now remember the commit message and what the bad scenario was, it looks like the only situation to exploit the bug is to access multiple times the ArrayBufferBuilder::ToArrayBuffer(), before the finished_loading is set to true, but after the data is fully loaded.

To wrap up this part of the code review, let us look at the behavior of the DOMArrayBuffer::Create function that is being called in both patched/unpatched cases, the case interesting to us is when we have the following call DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());

From third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h:

 

Something interesting to look at is the use of std::move, which has the semantic of transferring ownership.
For instance, in the following snippet:

then `b` takes ownership of what belonged to `a` (`b` now contains “hello”) and `a` is now in a somewhat undefined state (C++11 specs explain that in more precise terms)).

In our current situation, what is going on here is somewhat confusing [6a] [6b]. The object returned by ArrayBufferBuilder::ToArrayBuffer() is already a scoped_refptr<ArrayBuffer>. I believe the meaning of all this, is that when calling ToArrayBuffer(), the refcount on the ArrayBuffer is increased by one, and the std::move takes ownership of that instance of the refcounted object (as opposed to the one owned by the ArrayBufferBuilder). Calling ToArrayBuffer() 10 times will increase the refcount by 10, but all the return values will be valid (as opposed to the toy example with the strings `a` and `b` mentioned above where operating on `a` would result in unexpected behavior).
This closes an obvious case of use-after-free where the buffer_ object from the ArrayBufferBuilder would get corrupted if we would call ToArrayBuffer() multiple times during the sweet spot described above.

2.2 FileReader API

Another angle of approach for figuring out how to exploit this bug is to look at the API that is available to us from JavaScript and see if we can come up with a way to reach the sweet spot we were looking at.

We can get all the information we want from Mozilla web docs [7]. Our options are fairly terse; we can call readAsXXX functions on either Blob or File, we can abort the read, and finally there are a couple of events to which we can register callbacks (onloadstart, onprogress, onloadend, …).

The onprogress events sounds like the most interesting one, as it is being called while data is loading, but before the loading is finished. If we look at the FileReader.cc source file, we can see that the logic behind the invocation of this event is to fire every 50ms (or so) when data is received. Let us have a look at how this behaves in a real system…

3. Testing in a web-browser

3.1 Getting started

The first thing we want to do is download a vulnerable version of the code. There are some pretty useful resources out there [8] where one can download older builds rather than having to build them yourself.

Something interesting to note is that there is also a separate zip file that has `syms` in its name. You can also download to get debug symbols for the build (in the form of .pdb files). Debuggers and disassemblers can import those symbols which will make your life way easier as every function will be renamed by its actual name in the source code.

3.2 Attaching a debugger

Chromium is a complex software and multiple processes communicate together which makes debugging harder. The most efficient way to debug it is to start Chromium normally and then attach the debugger to the process you want to exploit. The code we are debugging is running in the renderer process, and the functions we were looking at are exposed by chrome_child.dll (those details were found by trial and error, attaching to any Chrome process, and looking for function names of interest).

 

If you want to import symbols in x64dbg, a possible solution is to go in the Symbol pane, right click on the .dll/.exe you want to import the symbols for and select Download symbols. It may fail if the symbol server setting is not configured properly, but it will still create the directory structure in x64dbg’s `symbols` directory, where you can put the .pdb files you’ve previously downloaded.

3.3 Looking for the exploitable code path

Not that we have downloaded an unpatched version of Chromium, and we know how to attach a debugger, let us write some JavaScript to see if we can hit the code path we care about.

 

To sum up what is going on here, we create a Blob that we pass to the FileReader. We register a callback to the progress event and, when the event is invoked, we try to access multiple times the result from the reader. We have seen previously that the data needs to be fully loaded (that is why we check the size of the buffer) and if we get multiple DOMArrayBuffer with the same backing ArrayBuffer, they should appear to be to separate objects to JavaScript (hence the equality test). Finally, to double check we have indeed two different objects backed by the same buffer, we create views to modify the underlying data and we verify that modify one modifies the other as well.

There is an unfortunate issue that we had not foreseen: the progress event is not called frequently, so we have to load a really large array in order to force the process to take some time and trigger the event multiple times. There might be better ways of doing so (maybe the Google bug report will reveal one!) but all the attempts to create a slow loading object were a failure (using a Proxy, extending the Blob class…). The loading is tied to a Mojo Pipe, so exposing MojoJS could be a way of having more control as well but it seems unrealistic in an attacker scenario as this is the entry point of the attack. See [9] for an example for that approach.

3.4 Causing a crash

So, now that we have figured out how to get into the code path that is vulnerable, how do we exploit it? This was definitely the hardest question to answer, and this paragraph is meant to share the process to find an answer to that question.

We have seen that the underlying ArrayBuffer is refcounted, so it is unlikely we’ll be able to magically free it by just getting garbage collected from some of the DOMArrayBuffer we’ve obtained. Overflowing the refcount sounds like a fun idea, but if we try by hand to modify the refcount value to be near its maximum value (via x64dbg) and see what happens… well, the process crashes. Finally, we cannot do much on those ArrayBuffers; we can change their content but not their size, nor can we manually free them…
Not being familiar enough with the codebase, the best approach then is to pour through various bug reports that mention use-after-free, ArrayBuffer, etc., and see what people did or talked about. There must be some assumption somewhere that a DOMArrayBuffer owns its underlying memory, and that is an assumption we know we are breaking.
After some searching, we started to find some interesting comments like this one [10a] and this one [10b]. Those two links talk about various situation where DOMArrayBuffer gets externalized, transferred and neutered. We are not familiar with those terms, but from the context it sounds like when this happens, the ownership of the memory is transferred to somebody else. That sounds pretty perfect for us as we want the underlying buffer to be freed (as we are hunting for a use-after-free).
The use-after-free in WebAudio shows us how to get our ArrayBuffer “transferred” so let’s try that!

 

And as seen in the debugger:

The memory being dereferenced is in ECX (we also have EAX == 0 but that’s because we’re looking at the first item in the view). The address looks valid, but it isn’t. ECX contains the address where the raw data of our buffer was stored (the AAAAA…) but because it got freed, the system unmapped the pages that held it, causing the access violation (we’re trying to access an unmapped memory address). We reached the use-after-free we were looking for!

4. Exploit considerations and next steps

4.1 Exploit

It is not the point of this document to illustrate how to push beyond the use-after-free to get full code execution (in fact Exodus have released a blog and a working exploit roughly coinciding with the timing of this publication). However, there are some interesting comments to be made.
Due to the way we are triggering the use-after-free, we are ending up with a very large buffer unallocated. The usual way to exploit a use-after-free is to get a new object allocated on top of the freed region to create some sort of confusion. Here, we are freeing the raw memory that is used to back the data of our ArrayBuffer. That is great because we can read/write over a large region. Yet, a problem in this approach is that because the memory region is really large, there is no one object that would just fit in. If we had a small buffer, we could create lots of objects that have that specific size and hope one would be allocated there. Here it is harder because we need to wait that until that memory is reclaimed by the heap for unrelated objects. On Windows 10 64-bit, it is hard because of how random allocations are, and the entropy available for random addresses. On Windows 7 32-bit, it is much easier as the address space is much smaller, and the heap allocation is more deterministic. Allocating a 10k object might be enough to have some metadata land within the address space we can control.
The second interesting aspect is that because we are going to dereference a region that has been unmapped, if the 10k allocation mentioned above fails to allocate at least one object in that area we control, then we are out of luck; we will get an access violation and the process will die. There are ways to make this step more reliable, such as the iframe method described here [11]
An example on how to move on if one can corrupt the metadata of a JavaScript object can be found here [12].

4.2 Next step

Once an attacker has gained code execution inside the renderer process they are still limited by the sandbox. In the exploit found in the wild, the attacker used a second 0-day that targeted the Windows Kernel to escape the sandbox. A write up describing that exploit was recently released by the 360CoreSec here [13].

5. Conclusion

By looking at the commit that fixed the bug and hunting down hints and similar fixes we were able to recover the likely path towards exploitation. Once again, we can see that modern mitigations introduced in the later version of Windows makes life way harder on attackers and we should celebrate those wins from the defensive side. Also, Google is extremely efficient and aggressive in its patching strategy, and most of its user base will have already seamlessly updated to the latest version of Chrome.

 

Links

[1] https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
[2] https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
[2b] https://bugs.chromium.org/p/chromium/issues/detail?id=936448
[3] https://chromium.googlesource.com/chromium/src/+log/72.0.3626.119..72.0.3626.121?pretty=fuller
[3b] https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449
[4a] https://github.com/chromium/chromium/blob/17cc212565230c962c1f5d036bab27fe800909f9/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[4b] https://github.com/chromium/chromium/blob/75ab588a6055a19d23564ef27532349797ad454d/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[5] https://www.chromium.org/developers/smart-pointer-guidelines
[6a] https://chromium.googlesource.com/chromium/src/+/lkgr/styleguide/c++/c++.md#object-ownership-and-calling-conventions
[6b] https://www.chromium.org/rvalue-references
[7] https://developer.mozilla.org/en-US/docs/Web/API/FileReader
[8] https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/612439/
[9] https://www.exploit-db.com/exploits/46475
[10a] https://bugs.chromium.org/p/v8/issues/detail?id=2802
[10b] https://bugs.chromium.org/p/chromium/issues/detail?id=761801
[11] https://blog.exodusintel.com/2019/01/22/exploiting-the-magellan-bug-on-64-bit-chrome-desktop/
[12] https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
[13] http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html

The post Analysis of a Chrome Zero Day: CVE-2019-5786 appeared first on McAfee Blogs.

Code makes the world go ’round. Well, code and love. So love your code.

Your code is powerful, clever, and elegant—but is it secure?

More than ever, code makes the world go 'round. From smart home thermostats to critical infrastructure to integrated clinical environments in hospitals, code runs so much of what touches our lives every day. Sometimes we are explicitly aware that we are interacting with software but increasingly we are not—code runs quietly amid the people, objects, and experiences that shape our lives and the broader world we share.

Your code is powerful and so are you: the quality and security of the code that you put out into the world ripples out to affect individuals, organizations, nations. When you consider the reach of your code it is clear that to deliver quality code you must deliver secure code.

As the pressure to deliver software to the market quickly has increased so too have the scope and severity of the risks posed by insecure applications. For example, 85% of all applications we scanned in a recent 12-month period had at least one vulnerability in them, and more than 13% had a critical severity flaw. The most common flaws found are some of the most easily exploited: SQL injection flaws are present in nearly one in three applications and cross-site scripting vulnerabilities are present in nearly half of applications tested.

It’s not all gloom and doom, we promise. Here’s some sunshine for you: writing secure code does not take longer than writing insecure code. Sit with that idea for a few seconds. This assertion might seem counterintuitive as you consider the pressure to ship code more and more quickly, but taking the time to address security early and often in the development process will get you to shipping quality code faster. A minor flaw left unaddressed early in the software development lifecycle becomes a tangled mess the longer it persists. Unraveling that tangle is neither simple nor quickly done. Finding and fixing flaws early on is an easier path for teams working hard to deliver functional, high quality code to the market.

But where to start? If writing secure code seems like a steep climb, you are not alone. Many developers—most developers in fact—are not introduced to secure coding principles while they are learning to build software.

More good news: developers of all stripes, whenever and however they started coding, have this in common: intellectual curiosity. You are the tinkerers, problem-solvers, and lifelong learners who started with your first line of code and have never stopped wondering, perfecting, and learning. Coding is a craft and your years of coding have all been about mastering something new and then doing that again and again and again—across new languages, frameworks, and approaches to development.

For many developers writing secure code is brand new and yet it has undeniably become part of the process of mastering your craft. A first step is educating yourself on basic secure coding principles and beginning to put these principles into practice every day. In doing so you join developers the world over who are tinkering, learning, and growing—united by their shared commitment to put the best possible code out into the world. As you find and fix flaws, you will be learning as you go and writing more and more secure code. Along the way you will notice that you are introducing fewer and fewer flaws into your code to begin with. Fewer messy tangles to pull apart later on. And your team will benefit too. As you build your security knowledge, you will be helping your peers by spotting flaws during code reviews when they are easier to fix. You will be measurably shifting the security of your applications just by starting where you are.

So wherever you are in your own learning process, we offer this toolkit of resources to help you and your team along your path to writing amazing code.

  • Best practices for secure coding
  • How to secure your DevOps environments
  • How to combat the most common software vulnerabilities
  • What developers don’t know about security but should

Secure Coding Best Practices Handbook

What Developers Don’t Know About Security But Should

Whitepapers:

5 Principles for Securing DevOps

Vulnerability Decoder Infosheets:

Insecure Crypto

Encapsulation

Race Condition

Improper Error Handling

Broken Access Controls

Cross-Site Scripting

Insecure Open Source Components

Additional resources

Out of our close work with developers over many years has grown a range of developer-focused resources for learning to code more securely. Beyond the secure coding toolkit, we offer many learning resources—developer training, remediation coaching, the Veracode Community, and Greenlight, Veracode’s IDE- or CI-integrated continuous flaw feedback and secure coding education solution.

How Online Scams Drive College Basketball Fans Mad

Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most popular techniques cybercriminals use to gain access to passwords and financial information, as well as encourage victims to click on suspicious links.

Online betting provides cybercriminals with a wealth of opportunities to steal personal and financial information from users looking to engage with the games while potentially making a few extra bucks. The American Gaming Association (AGA) estimates that consumers will wager $8.5 billion on the 2019 NCAA men’s basketball tournament. What many users don’t realize is that online pools that ask for your personal and credit card information create a perfect opportunity for cybercriminals to take advantage of unsuspecting fans.

In addition to online betting scams, users should also be on the lookout for malicious streaming sites. As fewer and fewer homes have cable, many users look to online streaming sites to keep up with all of the games. However, even seemingly reputable sites could contain malicious phishing links. If a streaming site asks you to download a “player” to watch the games, there’s a possibility that you could end up with a nasty malware on your computer.

Ticket scammers are also on the prowl during March, distributing fake tickets on classified sites they’ve designed to look just like the real thing. Of course, these fake tickets all have the same barcode. With these scams floating around the internet, users looking for cheap tickets to the games may be more susceptible to buying counterfeit tickets if they are just looking for the best deal online and are too hasty in their purchase.

So, if you’re a college basketball fan hoping to partake in this exciting month – what next? In order to enjoy the fun that comes with the NCAA tournament without the risk of cyberthreats, check out the following tips to help you box out cybercriminals this March:

  • Verify the legitimacy of gambling sites. Before creating a new account or providing any personal information on an online gambling website, poke around and look for information any legitimate site would have. Most gambling sites will have information about the site rules (i.e., age requirements) and contact information. If you can’t find such information, you’re better off not using the site.
  • Be leery of free streaming websites. The content on some of these free streaming websites is likely stolen and hosted in a suspicious manner, as well as potentially contains malware. So, if you’re going to watch the games online, it’s best to purchase a subscription from a legitimate streaming service.
  • Stay cautious on popular sports sites and apps. Cybercriminals know that millions of loyal fans will be logging on to popular sports sites and apps to stay updated on the scores. Be careful when you’re visiting these sites you’re not clicking on any conspicuous ads or links that could contain malware. If you see an offer that interests you in an online ad, you’re better off going directly to the website from the company displaying the ad as opposed to clicking on the ad from the sports site or app.
  • Beware of online ticket scams. Scammers will be looking to steal payment information from fans in search of last-minute tickets to the games. To avoid this, it’s best to buy directly from the venue whenever possible. If you decide to purchase from a reseller, make sure to do your research and only buy from trusted vendors.
  • Use comprehensive security software. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links, and will warn you in the event that you do accidentally click on something malicious. It will provide visual warnings if you’re about to go to a suspicious site.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post How Online Scams Drive College Basketball Fans Mad appeared first on McAfee Blogs.

Ghosts May Not Be Real but Trolls Are – Look Out for Social Media Trolls

The Cambridge Dictionary describes a troll as “an imaginary, either very large or very small creature in traditional Scandinavian stories, that has magical powers and lives in mountains or caves.”

If you have read your fairy tales, you would know that trolls are generally grotesque creatures that stay away from human habitation. They take pleasure in carrying out antisocial activities and causing people pain and mental suffering.

Those trolls are mythical, but the online trolls are very much real. These digital trolls use the anonymity offered by the net to stay hidden and cause disruption and harm through their malicious and negative comments. They share provocative, malicious content and delight in fomenting unrest. If the victim takes the comments personally, it can leave them emotionally disturbed.

Why do people troll?

Why do people troll? Why do they want to insult, abuse, criticize, hurt and spread negativity? There are many studies available online that offer detailed analysis of how a troll’s mind works. However, we won’t go into such details. For our convenience and easy understanding, it will suffice to say that trolling may be the result of an individual’s background, low empathy levels, anger, frustration, jealousy, sadness and/or bitterness.

  • Low empathy: There are people who have less empathy or sensitivity and often find grim or disturbing situations funny. They will, for e.g.; not think twice about posting a joke on a social media thread where everyone is offering condolence on the demise of a loved one. They may see nothing wrong in it, rather it may give them a laugh.
  • Inflexible attitude: Some people find it difficult to accept that others too can have their individual viewpoints and instinctively target people with different opinions as enemies and make it their mission to abuse them, as if to prove that they are wrong. They hamper freedom of speech online for they do try to desist other users from sharing their personal opinions.
  • Revenge: Some go on a rampage to seek revenge for the ‘wrong’ done to them or someone else.

The anonymity provided by the net enables many cowardly people to feel strong by attacking others and give vent to their emotions online.

How do you identify trolls?

Easy. They are the rabble rousers, the ones who have nothing positive to contribute but are only out to disrupt, disturb and upset you. Their posts may vary from personal comments on your photo, satirical outbursts on your blogs or videos or direct attacks on your person, to out-of-context malicious remarks in an ongoing discussion. They would definitely be using a false bio and either no profile pic or a false one.

What do you do if you are trolled?

  • Avoid feeding them – they thrive on your emotional upheaval and vituperative responses. The smart thing to do is to neither acknowledge their comments nor respond to them. Nothing is as putting off as an IGNORE.
  • Keep records and block – If the trolling continues, keep records and block account of the troll and report to the platform. Let your friends know about the account too.
  • Consider keeping commenting off on your YouTube channel – you may also choose to delete negative comments.
  • Make amendments to posts – if factual or grammatical errors or an archaic style of writing your posts or blogs have brought out the trolls, consider apologizing for the errors and making revisions. Reply positively, thanking the troll for the feedback. You will take the wind out of the troll’s sails.
  • Don’t take it to heart – adults may use humour to counter trolls online, but it may not be easy for teens to keep emotions aside and reply to abusive comments lightly. So, it’s best to ignore.

As a digital parent, you may already be aware of trolls and the emotional havoc they can cause. You want to protect your kids from their attacks when they go online. At the same time, you need to explain to them why trolling is wrong and sometimes funny isn’t funny at all but may be hurtful and nasty.

How to ensure your kids know it’s wrong to troll?

  • Good manners: Whether online or off it, there is no substitute to good manners and etiquette. Ensure your kids feel happy and secure at home. Model the kind of behavior you expect from them and reward good manners with appreciation.
  • Empathy: The world runs on kindness and empathy. Reinforce empathy right from childhood. They need to understand that there are all kinds of people and each one is special in some way. Help them grow up to be generous, tolerant and broad-minded people.
  • Positivity: A child with a positive outlook and sunny disposition is most unlikely to be rude and deliberately mean online. Lay stress on being positive, whatever the situation may be.
  • Monitoring: It is recommended that parents monitor the conversations kids have online. Avoid participating in their conversations or taking to task those who maybe bullying or trolling them, for though this will delight the troll, it will be embarrassing for the child. Instead, have discussions on how he/she plans to handle it and let him/her tackle the issue.
  • Last but not the least, ensure all your devices are installed with licensed comprehensive security software that offers the parental controls feature. This will allow you to monitor activities remotely, though you should keep your child informed that you are doing so.

One last word: we cannot make trolls vanish, but we can empower our kids to vanquish them.

The post Ghosts May Not Be Real but Trolls Are – Look Out for Social Media Trolls appeared first on McAfee Blogs.

Kali Linux Micro Hacking Station Raspberry Pi

Kali Linux Micro Hacking Station Raspberry Pi   Raspberry Pi is a small pocket sized low cost computer. Today we will be setting up Kali Linux on Raspberry Pi. We can use Kali Linux on Raspberry Pi to hack WiFi passwords, launch various social engineering attacks, Set up rogue access points and a wide range […]

The post Kali Linux Micro Hacking Station Raspberry Pi appeared first on HackingVision.

Open-sourcing Sandboxed API



Many software projects process data which is externally generated, and thus potentially untrusted. For example, this could be the conversion of user-provided picture files into different formats, or even executing user-generated software code.
When a software library parsing such data is sufficiently complex, it might fall victim to certain types of security vulnerabilities: memory corruption bugs or certain other types of problems related to the parsing logic (e.g. path traversal issues). Those vulnerabilities can have serious security implications.

In order to mitigate those problems, developers frequently employ software isolation methods, a process commonly referred to as sandboxing. By using sandboxing methods, developers make sure that only resources (files, networking connections and other operating system resources) which are deemed necessary are accessible to the code involved in parsing user-generated content. In the worst-case scenario, when potential attackers gain remote code execution rights within the scope of a software project, a sandboxing technique can contain them, protecting the rest of the software infrastructure.

Sandboxing techniques must be highly resistant to attacks and sufficiently protect the rest of the operating system, yet must be sufficiently easy-to-use for software developers. Many popular software containment tools might not sufficiently isolate the rest of the OS, and those which do, might require time-consuming redefinition of security boundaries for each and every project that should be sandboxed.

Sandbox once, use anywhere

To help with this task, we are open-sourcing our battle-tested project called Sandboxed API. Sandboxed API makes it possible to create security policies for individual software libraries. This concept allows to create reusable and secure implementations of functionality residing within popular software libraries, yet is granular enough to protect the rest of used software infrastructure.

As Sandboxed API serves the purpose of accessing individual software functions inside a sandboxed library, we are also making publicly available our core sandboxing project, Sandbox2. This is now part of Sandboxed API and provides the underlying sandboxing primitives. It can be also used standalone to isolate arbitrary Linux processes, but is considered a lower-level API.

Overview

Sandboxed API is currently implemented for software libraries written in the C programming language (or providing C bindings), though we might add support for more programming runtimes in the future.

From a high-level perspective, Sandboxed API separates the library to be sandboxed and its callers into two separate OS processes: the host binary and the sandboxee. Actual library calls are then marshalled by an API object on the host side and send via interprocess communication to the sandboxee where an RPC stub unmarshals and forwards calls to the original library.

Both the API object (SAPI object) and the RPC stub are provided by the project, with the former being auto-generated by an interface generator. Users just need to provide a sandbox policy, a set of system calls that the underlying library is allowed to make, as well as the resources it is allowed to access and use. Once ready, a library based on sandboxed API can easily be reused in other projects.

The resulting API of the SAPI object is similar to the one of the original library. For example, when using zlib, the popular compression library, a code snippet like this compresses a chunk of data (error handling omitted for brevity):


void Compress(const std::string& chunk, std::string* out) {
 z_stream zst{};
 constexpr char kZlibVersion[] = "1.2.11";
 CHECK(deflateInit_(&zst, /*level=*/4, kZlibVersion, sizeof(zst)) == Z_OK);

 zst.avail_in = chunk.size();
 zst.next_in = reinterpret_cast<uint8_t*>(&chunk[0]);
 zst.avail_out = out->size();
 zst.next_out = reinterpret_cast<uint8_t*>(&(*out)[0]);
 CHECK(deflate(&zst, Z_FINISH) != Z_STREAM_ERROR);
 out->resize(zst.avail_out);

 deflateEnd(&zst);
}


Using Sandboxed API, this becomes:
void CompressSapi(const std::string& chunk, std::string* out) {
 sapi::Sandbox sandbox(sapi::zlib::zlib_sapi_embed_create());
 CHECK(sandbox.Init().ok());
 sapi::zlib::ZlibApi api(&sandbox);

 sapi::v::Array<uint8_t> s_chunk(&chunk[0], chunk.size());
 sapi::v::Array<uint8_t> s_out(&(*out)[0], out->size());
 CHECK(sandbox.Allocate(&s_chunk).ok() && sandbox.Allocate(&s_out).ok());
 sapi::v::Struct<sapi::zlib::z_stream> s_zst;
 
 constexpr char kZlibVersion[] = "1.2.11";
 sapi::v::Array<char> s_version(kZlibVersion, ABSL_ARRAYSIZE(kZlibVersion));
 CHECK(api.deflateInit_(s_zst.PtrBoth(), /*level=*/4, s_version.PtrBefore(),
                         sizeof(sapi::zlib::z_stream).ValueOrDie() == Z_OK));

 CHECK(sandbox.TransferToSandboxee(&s_chunk).ok());
 s_zst.mutable_data()->avail_in = chunk.size();
 s_zst.mutable_data()->next_in = reinterpet_cast<uint8_t*>(s_chunk.GetRemote());
 s_zst.mutable_data()->avail_out = out->size();
 s_zst.mutable_data()->next_out = reinterpret_cast<uint8_t*>(s_out.GetRemote());
 CHECK(api.deflate(s_zst.PtrBoth(), Z_FINISH).ValueOrDie() != Z_STREAM_ERROR);
 CHECK(sandbox.TransferFromSandboxee(&s_out).ok());
 out->resize(s_zst.data().avail_out);

 CHECK(api.deflateEnd(s_zst.PtrBoth()).ok());
}
As you can see, when using Sandboxed API there is extra code for setting up the sandbox itself and for transferring memory to and from the sandboxee, but other than that, the code flow stays the same.

Try for yourself

It only takes a few moments to get up and running with Sandboxed API. If Bazel is installed:
sudo apt-get install python-typing python-clang-7 libclang-7-dev linux-libc-dev
git clone github.com/google/sandboxed-api && cd sandboxed-api
bazel test //sandboxed_api/examples/stringop:main_stringop
This will download the necessary dependencies and run the project through its paces. More detailed instructions can be found in our Getting Started guide and be sure to check out the examples for Sandboxed API.

Where do we go from here?

Sandboxed API and Sandbox2 are used by many teams at Google. While the project is mature, we do have plans for the future beyond just maintaining it:

  • Support more operating systems - So far, only Linux is supported. We will look into bringing Sandboxed API to the Unix-like systems like the BSDs (FreeBSD, OpenBSD) and macOS. A Windows port is a bigger undertaking and will require some more groundwork to be done.
  • New sandboxing technologies - With things like hardware-virtualization becoming almost ubiquitous, confining code into VMs for sandboxing opens up new possibilities.
  • Build system - Right now, we are using Bazel to build everything, including dependencies. We acknowledge that this is not how everyone will want to use it, so CMake support is high on our priority list.
  • Spread the word - Use Sandboxed API to secure open source projects. If you want to get involved, this work is also eligible for the Patch Reward Program.
Get involved

We are constantly looking at improving Sandboxed API and Sandbox2 as well as adding more features: supporting more programming runtimes, different operating systems or alternative containment technologies.

Check out the Sandboxed API GitHub repository. We will be happy to consider your contributions and look forward to any suggestions to help improve and extend this code.

How to Safeguard Your Family Against A Medical Data Breach

Medical Data BreachThe risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records being breached by a hacking or IT incident at a cost close to consumers at nearly $6 billion.

The IoT Factor

Medical Data Breach

Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT) consumer products — which, in short, means everything is digitally connected to everything else — also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals are children’s health information (stolen from pediatrician offices) since a child’s credit records are clean and more useful tools in credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” Says Samani.

Medical Data Breach

Healthcare professionals, hospitals, and health insurance companies, while giving criminals an entry point, though responsible, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker, matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices

Medical Data Breach

According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

Protecting kids online – are we doing our best?

I’m trying to work through some thoughts about how companies repeatedly take advantage of consumers’ privacy in the US.  The latest being TikTok, a video sharing app acquired from musical.ly, which has agreed to pay $5.7 million to settle allegations that it collected personal information from children – a violation of COPPA or the Children’s […]

The post Protecting kids online – are we doing our best? appeared first on Privacy Ref Blog.

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

Earlier this month Check Point Research reported discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that that are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched.

One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Figure 1 – Malformed Archive detected by McAfee as CVE2018-20250!4A63011F5B88
SHA256: e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec

Figure 2 – Extracted non-malicious MP3 files

Figure 3 – Extracted Malware payload detected by McAfee as Generic Trojan.i
SHA256: A1C06018B4E331F95A0E33B47F0FAA5CB6A084D15FEC30772923269669F4BC91

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.

 

McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect known and unknown malformed ACE files exploiting the vulnerability as CVE2018-20250![Partial hash] starting with the following content

  • V2 DATs version 9183 released March 2, 2019
  • V3 DATs version 3634 released March 2, 2019

Additional GTI coverage exists for email-based attacks, in tandem with the Suspicious Attachment feature. When this feature is enabled, Artemis![Partial hash] detections will occur on known exploits.

Update: An earlier version of this article used the phrase User Access Control (UAC) which has now been changed to User Account Control (UAC) and the term “bypass” which has now been changed to “does not apply.”

The post Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) appeared first on McAfee Blogs.

McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?

I spoke last week at the RSA Conference in San Francisco on the subject of AI related threats and opportunities in the cybersecurity field. I asserted that innovations such as AI can strengthen our defenses but can also enhance the effectiveness of a cyber attacker.  I also looked at some examples of underlying fragility in AI that enable an attacker opportunity to evade AI based defenses. The key to successfully unlocking the potential of AI in cybersecurity requires that we in the cybersecurity industry answer the question of how we can nurture the sparks of AI innovation while recognizing its limitations and how it can be used against us.

We should look to the history of key technological advances to better understand how technology can bring both benefits and challenges. Consider flight in the 20th century. The technology has changed every aspect of our lives, allowing us to move between continents in hours, instead of weeks. Businesses, supply chains, and economies operate globally, and our ability to explore the world and the universe has been forever changed.

But this exact same technology also fundamentally changed warfare. In World War II alone, the strategic bombing campaigns of the Allied and Axis powers killed more than two million people, many of them civilians.

The underlying technology of flight is Bernoulli’s Principle, which explains why an airplane wing creates lift. Of course, the technology in play has no knowledge of whether the airplane wing is connected to a ‘life-flight’ rescue mission, or to a plane carrying bombs to be dropped on civilian targets.

When Orville Wright was asked in 1948 after the devastation of air power during World War II whether he regretted inventing the airplane he answered:

“No, I don’t have any regrets about my part in the invention of the airplane, though no one could deplore more than I do the destruction it has caused. We dared to hope we had invented something that would bring lasting peace to the earth. But we were wrong. I feel about the airplane much the same as I do in regard to fire. That is, I regret all the terrible damage caused by fire, but I think it is good for the human race that someone discovered how to start fires, and that we have learned how to put fire to thousands of important uses.”

Orville’s insight that technology does not comprehend morality—and that any advances in technology can be used for both beneficial and troubling purposes.  This dual use of technology is something our industry has struggled with for years.

Cryptography is a prime example. The exact same algorithm can be used to protect data from theft, or to hold an individual or organization for ransom. This matters more than ever given that we now encrypt 75% of the world’s web traffic, protecting over 150 exabytes of data each month.  At the same time, organizations and individuals are enduring record exploitation through ransomware.

The RSA Conference itself was at the epicenter of a debate during the 1990’s on whether it was possible to conditionally use strong encryption only in desirable places, or only for desirable functions.  At the time, the U.S. government classified strong encryption as a munition along with strict export restrictions.   Encryption is ultimately just math and it’s not possible to stop someone from doing math.  We must be intellectually honest about our technologies; how they work, what the precursors to use them are and when, how and if they should be contained.

Our shared challenge in cybersecurity is to capture lightning in a bottle, to seize the promise of advances like flight, while remaining aware of the risks that come with technology.  Let’s take a closer look at that aspect.

History repeats itself

Regardless of how you define it, AI is without a doubt the new foundation for cybersecurity defense. The entire industry is tapping into the tremendous power that this technology offers to better defend our environments. It enables better detection of threats beyond what we’ve seen in the past, and helps us out-innovate our cyber adversaries. The combination of threat intelligence and artificial intelligence, together or human-machine teaming provides us far better security outcomes—faster—than either capability on their own.

Not only does AI enable us to build stronger cyber defense technology, but also helps us solve other key issues such as addressing our talent shortage. We can now delegate many tasks to free up our human security professionals to focus on the most critical and complex aspects of defending our organizations.

“It’s just math..”

Like encryption, AI is just math. It can enhance criminal enterprises in addition to its beneficial purposes. McAfee Chief Data Scientist Celeste Fralick joined me on stage during this week’s keynote to run through some examples of how this math can be applied for good or ill. (visit here to view the keynote).  From machine learning fueled crime-spree predictors to DeepFake videos to highly effective attack obfuscation, we touch on them all.

It’s important to understand that the cybersecurity industry is very different from other sectors that use AI and machine learning. For a start, in many other industries, there isn’t an adversary trying to confuse the models.

AI is extremely fragile, therefore one focus area of the data science group at McAfee is Adversarial Machine Learning. Where we’re working to better understand how attackers could try to evade or poison machine learning models.  We are developing models that are more resilient to attacks using techniques such as feature reduction, adding noise, distillation and others.

AI and False Positives: A Warning

We must recognize that this technology, while incredibly powerful, is also incredibly different from what many cybersecurity defenders worked with historically. In order to deal with issues such as evasion, models will need to be tuned to high levels of sensitivity. The high level of sensitivity makes false positives inherent and something we must fully work into the methodology for using the technology.

False positive can have catastrophic results.  For an excellent example of this, watch the video of the keynote here if you haven’t seen it yet.  I talk through the quintessential example of how a false positive almost started World War III and nuclear Armageddon.

The Take-Away

As with fire and flight, how we manage new innovations is the real story.  Recognizing technology does not have a moral compass is key.  Our adversaries will use the technology to make their attacks more effective and we must move forward with our eyes wide open to all aspects of how technology will be used…. Its benefits, limitations and how it will be used against us.

 

Please see the video recording of our keynote speech RSA Conference 2019: https://www.rsaconference.com/events/us19/presentations/keynote-mcafee

 

The post McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future? appeared first on McAfee Blogs.

Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics

Free apps have a lot of appeal for users. They don’t cost a cent and can help users complete tasks on-the-go. However, users should take precautions before installing any app on their device. Researchers here at McAfee have observed some Android apps using extremely deceptive techniques to try and trick users into signing up for a very expensive service plan to use basic tool functionalities like voice recording and opening zip files.

The two apps being called into question, “Voice recorder free” and “Zip File Reader,” have been downloaded over 600,000 times combined. So at first glance, users may assume that these are reputable apps. Once installed, they offer the user an option to use a “Free trial” or to “Pay now.” If the user selects the trial version, they are presented with a subscription page to enter their credit card details for when the three-day trial is over. However, these apps charge a ridiculously high amount once the trial is up. “Voice recorder free” charges a whopping $242 a month and “Zip File Reader” charges $160 a week.

Users who have downloaded these apps and then deleted them after their free trial may be surprised to know that uninstalling the app will not cancel the subscription, so they could still be charged these astronomical amounts for weeks without realizing it. While this is not technically illegal, it is a deceptive tactic that app developers are using to try to make an easy profit off of consumers who might forget to cancel their free trial.

With that said, there are a few things users can do to avoid becoming victim to deceptive schemes such as these in the future. Here are some tips to keep in mind when it comes to downloading free apps:

  • Be vigilant and read app reviews. Even if an app has a lot of downloads, make sure to comb through all of the reviews and read up before downloading anything to your device.
  • Read the fine print. If you decide to install an app with a free trial, make sure you understand what fees you will be charged if you keep the subscription.
  • Remember to cancel your subscription. If you find a reputable free app that you’ve researched and want to use for a trial period, remember to cancel the subscription before uninstalling the app off your device. Instructions on canceling, pausing, and changing a subscription can be found on Google Play’s Help page.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics appeared first on McAfee Blogs.

Thoughts on Cloud Security

Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section.

The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities.

As I read that passage, it reminded me of a time long ago, in the late 1990s, when I was studying for the MCSE, then called the Microsoft Certified Systems Engineer. I read the book at left, Windows NT Security Handbook, published in 1996 by Tom Sheldon. It described the exact same security process of creating security groups and adding users. This was core to the new NT 4 role based access control (RBAC) implementation.

Now, fast forward a few years, or all the way to today, and consider the security challenges facing the majority of legacy enterprises: securing Windows assets and the data they store and access. How could this wonderful security model, based on decades of experience (from the 1960s and 1970s no less), have failed to work in operational environments?

There are many reasons one could cite, but I think the following are at least worthy of mention.

The systems enforcing the security model are exposed to intruders.

Furthermore:

Intruders are generally able to gain code execution on systems participating in the security model.

Finally:

Intruders have access to the network traffic which partially contains elements of the security model.

From these weaknesses, a large portion of the security countermeasures of the last two decades have been derived as compensating controls and visibility requirements.

The question then becomes:

Does this change with the cloud?

In brief, I believe the answer is largely "yes," thankfully. Generally, the systems upon which the security model is being enforced are not able to access the enforcement mechanism, thanks to the wonders of virtualization.

Should an intruder find a way to escape from their restricted cloud platform and gain hypervisor or management network access, then they find themselves in a situation similar to the average Windows domain network.

This realization puts a heavy burden on the cloud infrastructure operators. They major players are likely able to acquire and apply the expertise and resources to make their infrastructure far more resilient and survivable than their enterprise counterparts.

The weakness will likely be their personnel.

Once the compute and network components are sufficiently robust from externally sourced compromise, then internal threats become the next most cost-effective and return-producing vectors for dedicated intruders.

Is there anything users can do as they hand their compute and data assets to cloud operators?

I suggest four moves.

First, small- to mid-sized cloud infrastructure users will likely have to piggyback or free-ride on the initiatives and influence of the largest cloud customers, who have the clout and hopefully the expertise to hold the cloud operators responsible for the security of everyone's data.

Second, lawmakers may also need improved whistleblower protection for cloud employees who feel threatened by revealing material weaknesses they encounter while doing their jobs.

Third, government regulators will have to ensure no cloud provider assumes a monopoly, or no two providers assume a duopoloy. We may end up with the three major players and a smattering of smaller ones, as is the case with many mature industries.

Fourth, users should use every means at their disposal to select cloud operators not only on their compute features, but on their security and visibility features. The more logging and visibility exposed by the cloud provider, the better. I am excited by new features like the Azure network tap and hope to see equivalent features in other cloud infrastructure.

Remember that security has two main functions: planning/resistance, to try to stop bad things from happening, and detection/respond, to handle the failures that inevitably happen. "Prevention eventually fails" is one of my long-time mantras. We don't want prevention to fail silently in the cloud. We need ways to know that failure is happening so that we can plan and implement new resistance mechanisms, and then validate their effectiveness via detection and response.

Update: I forgot to mention that the material above assumed that the cloud users and operators made no unintentional configuration mistakes. If users or operators introduce exposures or vulnerabilities, then those will be the weaknesses that intruders exploit. We've already seen a lot of this happening and it appears to be the most common problem. Procedures and tools which constantly assess cloud configurations for exposures and vulnerabilities due to misconfiguration or poor practices are a fifth move which all involved should make.

A corollary is that complexity can drive problems. When the cloud infrastructure offers too many knobs to turn, then it's likely the users and operators will believe they are taking one action when in reality they are implementing another.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week, the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond", a recap of the points I made.
Cloud is the 'Default Model' for Business
Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes successful business continually craves. Indeed, the 'scales of economy' benefits are not just most cost-effective and more agile IT services, but also include better cybersecurity (by the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud service mitigation, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given they ultimately own the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services, the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure, as after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud services design, requirements determination, and in the procurement process. In particular, defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example with a PaaS model, the business is fully responsible for application deployment onto the cloud platform, and therefore the security of applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. The example of the 'shared' responsibility with this model, are the processes in providing and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.


A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversight the controls and processes through regular assessments.

5 Tips For Creating Bulletproof Passwords

While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and devices, strong passwords still play an essential part in safeguarding our digital lives.

This can be frustrating at times, since many of us have more accounts and passwords than we can possibly remember. This can lead us to dangerous password practices, such as choosing short and familiar passwords, and repeating them across numerous accounts. But password safety doesn’t have to be so hard. Here are some essential tips for creating bulletproof passwords.

Remember, simple is not safe

Every year surveys find that the most popular passwords are as simple as  “1234567” and just “password.” This is great news for the cybercrooks, but really bad news for the safety of our personal and financial information.

When it comes to creating strong passwords, length and complexity matter because it makes them harder to guess, and harder to crack if the cybercriminal is using an algorithm to quickly process combinations. The alarming truth is that passwords that are just 7 characters long take less than a third of a second to crack using these “brute force attack” algorithms.

Tricks:

  • Make sure that your passwords are at least 12 characters long and include numbers, symbols, and upper and lowercase letters.
  • Try substituting numbers and symbols for letters, such as zero for “O”, or @ for “A”.
  • If you’re using internet-connected devices, like IP cameras and interactive speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

Keep it impersonal

Passwords that include bits of personal information, such as your name, address, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online. But you can use personal preferences that aren’t well known to create strong passphrases.

Tricks:

  • Try making your password a phrase, with random numbers and characters. For instance, if you love crime novels you might pick the phrase: ILoveBooksOnCrime
    Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as: 1L0VEBook$oNcRIM3!
  • If you do need to use personal information when setting up security questions, choose answers that are not easy to find online.
  • Keep all your passwords and passphrases private.

Never reuse passwords

If you reuse passwords and someone guesses a password for one account, they can potentially use it to get into others. This practice has gotten even riskier over the last several years, due to the high number of corporate data breaches. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts.

Tricks:

  • Use unique passwords for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. These too can be compromised, and if you use the same password for more sensitive accounts, they too are at risk.
  • If a website or monitoring service you use warns you that your details may have been exposed, change your password immediately.

Employ a password manager

If just the thought of creating and managing complex passwords has you overwhelmed, outsource the work to a password manager! These are software programs that can create random and complex passwords for each of your accounts, and store them securely. This means you don’t have to remember your passwords – you can simply rely on the password manager to enter them when needed.

Tricks:

  • Look for security software that includes a password manager
  • Make sure your password manager uses multi-factor authentication, meaning it uses multiple pieces of information to identify you, such as facial recognition, a fingerprint, and a password.

Boost your overall security

Now that you’ve made sure that your passwords are bulletproof, make sure you have comprehensive security software that can protect you from a wide variety of threats.

Tricks:

  • Keep you software up-to-date and consider using a web advisor that protects you from accidentally typing passwords into phishing sites.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post 5 Tips For Creating Bulletproof Passwords appeared first on McAfee Blogs.

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator (MSFPC)   Disclaimer Any actions and or activities related to the material contained within this Website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of Hackingvision.com will not be […]

The post Create Metasploit Payload in Kali Linux MSFvenom Payload Creator appeared first on HackingVision.

Artificial Intelligence, Machine Learning and More at RSAC 2019

Last week, the RSA Conference painted San Francisco’s Moscone Center purple with the theme ‘Better’, and the cybersecurity industry did not disappoint in making the digital world a better and safer place. Below, we’re sharing a few McAfee highlights from this year’s event.

Behind the Scenes of MGM Resorts’ Digital Transformation at CSA Summit

In its tenth year at the RSA Conference, the CSA Summit welcomed Rajiv Gupta, Senior Vice President, Cloud Security Business Unit at McAfee and Scott Howitt, Senior Vice President & Chief Information Security Officer at MGM Resorts International to the stage. During the keynote, Howitt discussed MGM’s digital transformation and how adopting the cloud into MGM’s business model resulted in delivering a modern experience to customers and more engaged and productive employees. We also heard Gupta share statistics from our Cloud Report on how cloud data distribution has changed dramatically ,which now requires new and better solutions. Before attendees headed out for lunch, Howitt and Gupta closed the first half of the CSA summit by solidifying the positive impact the cloud can have on enterprise businesses. 

Tapping into the Tremendous Power of Artificial Intelligence at RSAC

On Tuesday, SVP and Chief Technology Officer, Steve Grobman and Chief Data Scientist, Dr. Celeste Fralick, took the mainstage at RSAC. During their keynote, Grobman and Fralick discussed how the industry needs to think about artificial intelligence, its power, how it can be used against us and its adversarial uses. Fralick shared how “most people don’t realize how fragile AI and machine learning can really be” and voiced how her team is involved in a technical area called the adversarial machine learning, where they study ways that adversaries can invade or poison machine learning classifier. In closing, Grobman told RSA attendees that “we must embrace AI but never ignore its limitations. It’s just math. It’s fragile. And there is a cost to both false positives and false negatives.”

EXPO- nentially Better

This year’s RSAC expo didn’t disappoint, with over 400 exhibitors showcasing unique content from the world’s top cybersecurity minds and the latest security solutions. Every day our booth was full as we connected with our customers, partners, and prospects. At this year’s conference, we hosted a fun and interactive Capture the Flag challenge which tested the investigative and analytical skills of RSA attendees. Contestants were given various challenges and received “flag” details on how to complete each challenge as quickly and accurately as possible.

RSAC was full of announcements with new and better products along with the buzzing of cybersecurity professionals making better connections with peers from around the world, with the same goal of keeping the digital world safe and making the real world a better place.

The post Artificial Intelligence, Machine Learning and More at RSAC 2019 appeared first on McAfee Blogs.

You Rang? New Voice Phishing Attack Tricks Unsuspecting Users

In this digital day and age, the average user is likely familiar with the techniques and avenues cybercriminals use to get ahold of personal data and money. With this knowledge, we’ve become smarter and keen to the tricks of the cybercrime trade. However, cybercriminals have become smarter too, and therefore their attacks have become more complex. Take phishing, for example. There has been a dramatic shift in phishing attacks, from simple and general to complex and personalized. What was once spoofing emails or websites has now evolved into something more devious – vishing, or voice phishing. This method involves a cybercriminal attempting to gain access to a victim’s personal or financial information by pretending to be a financial institution via phone call. And now a new vishing attack is proving to be more difficult to detect than the typical phishing scams.

In April 2018, Min-Chang Jang, a manager at Korea Financial Security Institute and Korea University, made a breakthrough in his investigation into malicious apps designed to intercept calls to users from legitimate numbers. This tactic puts a new but troubling twist on the original voice phishing cyberattack. To be successful in this venture, a hacker must first convince a user to download a fake app. To do this, a link is sent to the victim, luring them in with an amazing offer around loan refinancing or something similar, which then prompts the user to download the faulty app. If the target takes the bait, calls will start to come in from the financial institution following up on the possible loan refinancing offer. The call, however, isn’t connected to the actual financial company, rather it is intercepted and connected to the bad actor.

We know that as we adjust to the world around us and become smarter about our security, cybercriminals will do the same with their thievery. Today it’s an advanced vishing attack, tomorrow it could be a different type of phishing vector. However, users can rest assured that companies like McAfee are working tirelessly to ensure our users can thwart any cyberattack that comes their way. While this voice phishing attack is hard to detect, here are some proactive steps you can take to ensure you don’t fall victim to cybercriminals’ schemes:

  • Only install apps from authorized sources. To avoid malicious apps getting ahold of your data, only download apps from authorized vendors. For Android users, use the Google Play Store. For iPhone users, use the Apple App Store. Never trust a third-party app with information that could be exploited in the wrong hands.
  • Turn on caller ID or other services. Numerous carriers now offer free services that notify users of possible scam calls. And a lot of phones come with call-identifying capabilities that can give the user a quick diagnostic of whether the call is legitimate or not. With this feature, users can report scam calls to a database too.
  • Always think twice. In addition to tips and apps, there’s no better judge than common sense so if an offer or deal sounds too good to be true, it most likely is.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post You Rang? New Voice Phishing Attack Tricks Unsuspecting Users appeared first on McAfee Blogs.

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their cyber identities has vastly increased – and the threat of vulnerability along with it. The Information Commissioner’s Office received an increased number of complaints this year and the news was filled with reports of multi-national and multi-millionaire businesses suffering dramatic breaches at the hand of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left vulnerable after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally but they are expected to suffer a major loss of money in revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million users were affected on Timehop. The company assured users that memories were only shared on the day and deleted after, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year, Facebook suffered a string of scandals after it was released that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump’s campaign and potentially aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is shown in an increase in data protection complaints by 15%, as well as an increase in self-reported breaches by 30%. Since this is the first year of GDPR, it is expected that self-reported breaches have increased as businesses work to insure themselves against much higher fines for putting off their announcement.

The ICO also reports 19 criminal prosecutions and 18 convictions last year and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured that they don’t intend to make an example of firms reporting data breaches in the early period of GDPR but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, with the GDPR, the responsibility is on the business to protect their data so being vulnerable could result in business-destroying costs. Considering the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, our vulnerability rating is higher than the Netherlands, Germany, Estonia (30%) and Finland (29%), but the UK is a more likely target for cybercriminals looking to exploit high tech and financial services industries, which are some of the most vulnerable across Great Britain.

Despite a higher level of vulnerability, the UK has one of the largest cyber security talent pools, showing there is time and manpower being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/

How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep

Spring Break and reputation management

Spring Break and reputation management Spring Break 2019 is in full swing, which means high school and college kids have hit the road determined to make this rite of passage epic. Unfortunately, not everyone will return home with his or her online reputation intact.

Despite the headlines and warnings, kids are still uploading their lives 24/7 and not all of their choices will be wise. While impressive at the moment, showcasing one’s exceptional beer pong or body shot skills could become a future digital skeleton.

Define it

The decision to share reckless content online has damaged (even destroyed) scholarships, opportunities, reputations, and careers.

Each day more than one billion names are searched on Google, and 77% of job recruiters look up potential employees up online during the hiring process, according to BrandYourself.com. Also, 45% of people have found content in an online search that made them decide not to do business with someone.

As elementary as it sounds, the first step to helping your child safeguard his or her online reputation this spring break is defining what is and is not appropriate online content.

Spring Break and reputation management

Technology has created a chasm between generations so don’t assume your values align with your child’s in this area. Behavior once considered inappropriate has slowly become acceptable to kids who grew up in the online space. Also, peers often have far more influence than parents.

So take the time to define (and come to an agreement on) content you consider off limits such as profanity, racy photos, mean, disrespectful, or racist comments, irresponsible or prank videos, or pictures that include alcohol or drug use. (Yes, state the obvious!)

Untag It

Spring Break and reputation management

Turn off tagging. Like it or not, people often judged us by the company we keep. Your child’s online behavior may be stellar but tag-happy, reckless friends can sink that quickly. To make sure your child doesn’t get tagged in risky photos on Twitter, Instagram, or Facebook, encourage them to adjust privacy settings to prevent tagging or require user approval. Also, help your kids to pay more attention to unflattering Snapchat photos and Snapchat story photos that other people post about them that can be problematic if shared elsewhere.

Lock It

Amp privacy settings. By adjusting privacy settings to “friends only” on select social networks content, digital mistakes can be minimized. However, we know that anything uploaded can be shared and screen captured before it’s deleted so tightening privacy settings isn’t a guarantee.

Google It

Spring Break and reputation management To get a clear picture of your child’s digital footprint and what a school or future employer might find, Google your child’s name. Examine the social networks, links, and sites that have cataloged information about your child. One of the best ways to replace damaging digital information is by creating positive information that overshadows it. Encourage your child to set up a Facebook page that reflects their best self — their values, their goals, and their character. Make the page public so others can view it. They may also consider setting up a LinkedIn page that highlights specific achievements, goals, and online endorsements from teachers and past employers.

If for some reason there’s damaging content that can’t be removed by request, encourage your child to set up a personal website and blog weekly. This can be a professional or hobby blog, but the idea is to repopulate the search results with favorable content and push the tainted content further down on Google.

Balance It

In your guiding, don’t forget the wise words of Cyndi Lauper who reminds us all, “Girls just wanna have fun!” Strive for balance in giving kids the room to make memories with friends while at the same time equipping them to make wise choices online.

The post How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep appeared first on McAfee Blogs.

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. With that said, it was the second largest data dump added in terms of email addresses to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was made aware of the incident. And while proper security measures were taken, users can take various steps themselves to protect their information in the event of largescale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

RSA Conference 2019: A Recap

RSA is pretty amazing! I’ve been to a lot of security and tech conferences over the years, but somehow always missed the train to RSA. The show is absolutely massive, and involves an entire week of tradeoffs for an attendee – do you walk the expo hall for hours on end? Meet with customers? New prospects? Attend the sessions? Analysts? Write content? Promote on social media? Network with new vendors and partners? Or eat lunch? There is nowhere near enough time to do everything you want to do (I’ll cover a recommendation for this at the end), and RSA has so much to offer.

I had a fantastic week in San Francisco (minus the weather, I think we all could have done without that). I learned a lot while I was here and wish, like many, I had more time to do it. However, I’m flying home tomorrow, and I’m absolutely exhausted, so a weekend at home, with the peace and quiet, and catching up on some work emails is very welcoming!

Another interesting thing, from a vendor perspective, is that there are two sides to a conference like this. There is the work happening at the conference itself (keynotes, sessions, and vendor booths), and then there is everything happening adjacent to it (networking, customer meetings, and business partnerships). And every single person here, the 40K+ attendees, are all on their own missions; it’s inspiring to see the drive behind everyone’s eyes.

If you’re on LinkedIn, connect with me, and let me know how RSA was for you!

Themes

RSA had a lot of themes that were presented both purposefully, and by accident in the market shifts represented by the vendor booths. The first set of themes were set by the keynote address, specifically that “we are better together,” that AI and humans together is critical to the future, and that trust moving forward is going to be make or break our future. 

The importance of diversity and inclusion in the security industry also surfaced through many conversations. Walking the show floor, it’s amazing to see how far we have come in our efforts to include people of different backgrounds. But while we have made a lot of progress, there is still a lot of work to be done here. 

The last major theme that played out, similar to “better together,” is that none of us are alone. While our market may be fiercely competitive at times, we ultimately are all moving towards the same goals: to protect ourselves, our customers, our data, our people, and our country. The honor and pride in the work that we do is incredible. There will be trying times, there will be breaches, there will be cyberattacks, and in those moments, we have to remember that none of us are alone in these efforts.

Takeaways

There is no shortage of security companies, and the evolution of technology is at a break-neck pace. So many new companies were on the RSA expo floor, with leading-edge technology, cool stories to tell, and a lot of fun designs. Standing out at the expo hall is no easy task.

We have to continue our efforts on the diversity and inclusion fronts, and every company must make a conscious effort to do so. Again, we’ve made a lot of progress, but we still have a long way to go. We need to make security sound as cool as it really is, and encourage the youngest generations to get involved.

The world is changing rapidly! Cyberattacks are becoming more frequent, and the rate at which they’re changing their patterns is accelerating. The private sector is going to have a hard time keeping up with state-sponsored attacks, and the industry could do with more collaborative, cross-business work.

There is a lot of noise in the marketplace. So many vendors solving the same problems, but in slightly different ways. As a product marketer, this is ripe with opportunity! Product marketers of the world: please understand your buyers’ needs and bring to the forefront exactly how your business solves those problems – and then go after that market. Make it crystal clear! Again, in the spirit of “better together,” connect with me on LinkedIn if you’re not sure how to go about that. 

Veracode’s Presence

I have to spend a little bit of time talking about Veracode at RSA this year. We came full force! We brought an army of Veracoders to RSA this year, from all different departments and with a variety of backgrounds. We had a really large booth with a ton of traffic all week. We were thrilled to have Sophia, the world’s first humanoid robot, join us to answer attendees’ questions. We met with thousands of people, held hundreds of meetings, handed out a ton of customized t-shirts, conducted demos, and had some of our brightest minds present on a number of topics, like how to make security part of your competitive edge. Veracode launched its refreshed branding, with a new focus on YOU! You, our customers, are the ones that are changing this world – we’re just helping you secure it. We worked really hard all week, but we had a lot of fun doing it. And if you saw some Veracoders and want to be part of something amazing, come see what it’s all about.

Recommendations

Since this was my first year at RSA, there are a few things I would do differently – so let me share with you a few recommendations, both from a vendor perspective and an attendee’s perspective.

Vendors with booths, especially the smaller ones, make sure what you do and your differentiating value proposition are front and center. Bigger companies can get away with a little more ambiguity, because the booths are so big. Your buyers are walking by, and with over 300 booths to choose from, and no time to do it, you have to make sure that in the THREE seconds it takes to walk by – your potential buyers knows you can solve a specific pain point they have.

Attendees – plan, plan, plan. Start with what you want to get out of RSA, and then make sure everything you do centers around that. You are not going to be able to do it all, so you’re better off focusing on one or two areas, and going all in on those. Make sure you have a schedule and that it’s really locked down, and leave time to walk the show floor – it’s fun! 

Vendors and attendees: Please remember to take care of yourselves and each other. We are all just humans after all. Remember to eat, go for that run in the morning, take that bath in the evening, watch your favorite show, and get some much-needed rest. Don’t forsake your health. You will be on your feet all day, so make sure you’re healthy. Oh, and try to wear comfortable shoes! You’re going to be on your feet a lot. 

Stay tuned for more from RSA … in 2020! In the meantime, learn more about Veracode.

Don’t Let Thunderclap Flaws Strike Your Device

If you own a Mac or PC, odds are you’ve used your laptop’s Thunderbolt port to connect another device to your machine. Thunderbolt ports are convenient for charging other devices using your laptop or desktop’s battery power. However, a new flaw called Thunderclap allows attackers to steal sensitive information such as passwords, encryption keys, financial information, or run detrimental code on the system if a malicious device is plugged into a machine’s port while it’s running.

So, how can attackers exploit this flaw? Thunderbolt accessories are granted direct-memory access (DMA), which is a method of transferring data from a computer’s random-access memory (RAM) to another part of the computer without it needing to pass through the central processing unit (CPU). DMA can save processing time and is a more efficient way to move data from the computer’s memory to other devices. However, attackers with physical access to the computer can take advantage of DMA by running arbitrary code on the device plugged into the Thunderbolt port. This allows criminals to steal sensitive data from the computer. Mind you, Thunderclap vulnerabilities also provide cybercriminals with direct and unlimited access to the machine’s memory, allowing for greater malicious activity.

Thunderclap-based attacks can be carried out with either specially built malicious peripheral devices or common devices such as projectors or chargers that have been altered to automatically attack the host they are connected to. What’s more, they can compromise a vulnerable computer in just a matter of seconds. Researchers who discovered this vulnerability informed manufacturers and fixes have been deployed, but it’s always good to take extra precautions. So, here are some ways users can defend themselves against these flaws:

  • Disable the Thunderbolt interface on your computer. To remove Thunderbolt accessibility on a Mac, go to the Network Preference panel, click “OK” on the New Interface Detected dialog, and select “Thunderbolt Bridge” from the sidebar. Click the [-] button to delete the option as a networking interface and choose “Apply.” PCs often allow users to disable Thunderbolt in BIOS or UEFI firmware settings, which connect a computer’s firmware to its operating system.
  • Don’t leave your computer unattended. Because this flaw requires a cybercriminal to have physical access to your device, make sure you keep a close eye on your laptop or PC to ensure no one can plug anything into your machine without permission.
  • Don’t borrow chargers or use publicly available charging stations. Public chargers may have been maliciously altered without your knowledge, so always use your own computer accessories.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Don’t Let Thunderclap Flaws Strike Your Device appeared first on McAfee Blogs.

Live From RSA: Diversity and Inclusion

At one of the keynote addresses at RSA, the opening speaker asked that everyone who identifies as a woman in the audience stand up. It was amazing to see how many women there were at the conference, but we have a long way to go.

Veracode has an incredibly diverse employee base, which makes working here a great experience. We don’t have men and women, we have “Veracoders,” and we take that pretty seriously. We are a women-led organization, with Sam King as our CEO. I am on the product strategy team, and more than half of our department is women. We have an incredible mix of races, religions, backgrounds, ages, and political viewpoints – and everyone respects each other no matter who they are or where they came from. Veracode also has a diversity and inclusion team that seeks to ensure we stay honest about our direction as a company and continues to push through barriers as often as possible.

I attended a great diversity and inclusion panel at RSA this year, where a resonating theme was “Diversity is a fact, but inclusion is a choice.” This panel had CISO/CSO representation from Xerox, ADP, United Airlines, and JP Morgan Chase – all companies that strive to take diversity and inclusion seriously.

Diversity and inclusion starts well before the employee is working in a company. It’s important to build the talent pipeline from an early age with programs that ensure diverse individuals have opportunities to grow and learn in STEM fields. Diversity and inclusion has to be something that you don’t accidently fall into, it has to be a deliberate and thoughtful initiative in the company. A really awesome takeaway is that we could work to change the narrative around the security industry. We always idealize doctors, lawyers, and athletes for kids on TV shows and in movies, but telling a child that you are a CISO is boring. So one of the panelists says she tells kids she’s a “Professional Hacker,” and their eyes grow wide! I think that’s a really interesting approach, and we could work as an industry to make this field sound as cool and important as it really is!

One of the hardest questions the panel tried to answer was around the impact that diversity and inclusion has on the success of a business. They said there isn’t a really great way to measure this in terms of a trackable number. One of the recommendations was to have regular surveys on how people feel in their job – how comfortable they are in their role, how included they feel, and if they feel supported and have a path up and forward. 

In summary, the main takeaways were:

  • Ensure that as an industry we are building the talent pipeline from a very early age, so that people from diverse backgrounds pursue careers in security.
  • Companies must have more than just policies on diversity, they need a purposeful mission driven by a team in the company.

Ensure there is a plan for each and every employee to grow and feel like a partner with the business.

Stay tuned for more from RSA ...

Disclosing vulnerabilities to protect users across platforms



On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together.

To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

The second vulnerability was in Microsoft Windows. It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.

We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.

As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.

Live From RSA: In a World Changed by Software, Make Security Your Competitive Advantage

At RSA, our own CEO Sam King and CTO Chris Wysopal presented to a roomful of intrigued attendees on how software has completely changed the way businesses tackle problems, how companies work everyday to change our world, and how doing so in a secure manner provides these companies with a competitive edge in the marketplace.

They key takeaway, if you read nothing else is this: Companies leverage software to rapidly solve life-changing problems in innovative ways, but the speed of doing so means nothing if the software you build is insecure. Companies build their own competitive advantage by staying agile. And if companies have to drop everything in order to deal with a security breach, they lose all of the competitive advantage they worked so hard to build. So companies must work to make security part of the competitive advantage that helps them change the world.

When we think about software, it’s easy to default to thinking about browsers, word processing software, and accounting programs. We forget that software also powers many life-critical things. The agricultural industry leverages software to ensure that the right amount of irrigation is used based on the saturation of the soil. Healthcare companies leverage software to find new cures and supply the right amount of medicine. Weather companies leverage software to better predict severe storms in order to warn people in the damaging path. 

You are leveraging software to change the world for the better, every single day. We want to make sure that the work you’re doing doesn’t become undone, because we need you, our country needs you, and our entire human civilization needs you.

Sam and Chris talked about how the entire world of software itself has changed, with a greater focus on automation. Chris painted a picture of the three waves of automation that we have undergone. The first being the automation of back-end systems, like financial programs. Then we experienced front-end automation, like e-commerce stores. Finally, we are now in the automation phase of software, augmenting everything else from medicine to the space program.

So to stay up to speed with the rate of change, to keep your competitive advantage, and to continue changing the world – you have to implement security practices in your software development processes. And the security needs to be automated, integrated into developer tools, and help facilitate actual fixing of the code (after all, a list of security issues is nothing more than a list if they never get fixed, and what good is that?)

Everyday you’re changing the world, we’ll help you secure it in the process.

Stay tuned for more from RSA …

Deriving value from the MITRE ATT&CK Threat Model

The MITRE ATT&CK knowledge base continues to gain traction as the defacto source for supporting business threat assessing, developing proactive cybersecurity and cyber resilience strategies. ATT&CK provides a defined understanding of the adversaries, their associated tactics, their techniques and procedures (TTPs). The ATT&CK comprehensive knowledge base of adversary tactics and techniques has been built up using real-world observations and is freely available to use. 
There are many ways in which organisations can benefit from ATT&CK, often dependant on an organisation's security capabilities and the general security maturity. Steve Rivers, Technical Director International at ThreatQuotient has written guidance on the MITRE ATT&CK stages of maturity, so that any organisation can derive value from it.

MITRE ATT&CK Framework: Keep your friends close, but your enemies even closer

Steve Rivers, Technical Director International at ThreatQuotient

So, how can you get started and use the framework? Nearly every organisation is interested in using MITRE ATT&amp;CK, but they have different views on how it should be adopted based the capabilities of their security operations. We need to make sure that the MITRE ATT&amp;CK framework doesn’t become another source of threat data that is not fully utilised, or a passing fad, or a tool that only the most sophisticated security operations teams can apply effectively. To avoid this fate, we must look at ways to map the framework to stages of maturity so that every organisation can derive value. Here are a few examples of how to use the framework with appropriate use cases as maturity levels evolve.

Stage 1: Reference and Data Enrichment

The MITRE ATT&CK framework contains a tremendous amount of data that could potentially be valuable to any organisation. The MITRE ATT&CK Navigator provides a matrix view of all the techniques so that security analysts can see what techniques an adversary might apply to infiltrate their organisation. To more easily consume this data, a good place to start is with tools that make that data easy to access and share across teams. This may be through an enrichment tool or a platform with a centralised threat library that allows a user to aggregate the data and easily search for adversary profiles to get answers to questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.

Stage 2: Indicator or Event-driven Response

Building on the ability to reference and understand MITRE ATT&CK data, in Stage 2 security teams incorporate capabilities in the platform within their operational workflows that allow them to apply a degree of action to the data more effectively. For example, with the data ingested in a centralised threat library, they can build relationships between that data automatically without having to form those relationships manually. By automatically correlating events and associated indicators from inside the environment (from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with indicators from the MITRE ATT&CK framework, they gain the context to immediately understand the who, what, where, when, why and how of an attack. They can then automatically prioritise based on relevance to their organisation and determine high-risk indicators of compromise (IOCs) to investigate within their environment. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and push threat intelligence to sensors for detection and hunt for threats more effectively.

Stage 3: Proactive Tactic or Technique-driven Threat Hunting
At this stage, threat hunting teams can pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Instead of narrowly focusing on more targeted pieces of data that appear to be suspicious, threat hunting teams can use the platform to start from a higher vantage point with information on adversaries and associated TTPs. They can take a proactive approach, beginning with the organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organisation? Are my endpoint technologies detecting those techniques?

The success of MITRE ATT&CK will depend on how easy it is to apply effectively. With an understanding of maturity levels and use cases, and the ability for technologies to support security operations teams at whatever stage they are in, organisations will be able to use the framework to their advantage. As their desire and capabilities to use the data evolve and grow, they’ll be able to dig deeper into the MITRE ATT&CK framework and gain even greater value.

A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

Folks,

This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -


Image Courtesy RSA Conference. Source: https://www.rsaconference.com/

If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

Best wishes,
Sanjay


PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

Live from RSA: Sophia the Social Humanoid Robot

A big theme throughout RSA this year, from the keynote to vendor booths, is the power that artificial intelligence can bring to the security world. While we do leverage machine learning at Veracode to better our vulnerability database, we thought it would be a lot more fun to bring a different form of AI to the booth this year.

We invited Sophia, the world’s first social humanoid robot, to be a guest speaker at our booth. We engaged in an interview session with Sophia, and then opened the floor to attendees to ask her questions and get their pictures taken. Sophia is extremely lifelike in her facial appearance and expressions. The rest of her body, such as her arms, are still robot looking. 

So how well did she answer questions? Very well! It wasn’t without some challenges, though we believe most were due to the level of noise on the RSA expo floor. Our booth is in a very central location, with a lot of traffic, so the ambient noise is high. With Sophia drawing a crowd, it made it sometimes really hard for even us to hear the attendee’s question, let alone for Sophia to make out what was said. 

The keynote this year highlighted the importance of humans and machines (AI) working together to better security, and by doing so, becoming stronger than either one individually. Humans are great at understanding context, knowing what questions to ask, and setting big goals for our civilization to achieve. Machines are great at processing massive amounts of data, getting to answers that we never could, and providing a systematic approach to problems. This was exemplified in one of the first questions asked of Sophia: “What do you like the most about RSA?” Sophia, being an AI system programmed to analyze the question and provide an answer, gave an accurate answer – she talked about how great the RSA encryption is. However, a human would realize that the question is being asked in the context of the conference going on at the time. So while it’s funny to hear that answer, it’s also a great thing because it means that an AI system can provide us answers that maybe we didn’t know we were asking. Better yet, it also allows us to better frame the questions to get to the answers we really want – such as asking,”what’s your favorite thing about the RSA Conference so far?”

The most interesting part was hearing some of her answers to questions like “what goals do you have for your life?” Sophia provided a surprisingly realistic answer about being so close to autonomy, and not having to rely on other humans.

Looking at Sophia, it makes me realize that we are on the edge of something amazing. 

Stay tuned for more from RSA …

 

This Is How Easy It Is To Get Hacked – Vice News – HackingVision

This Is How Easy It Is To Get Hacked Vice News talks about how easy it is to get hacked. VICE News went to Moscow to see the country’s expert hackers in action. “If someone wants to hack you, they’re gonna be able to” former NSA hacker Patrick Wardle told VICE News. And if a […]

The post This Is How Easy It Is To Get Hacked – Vice News – HackingVision appeared first on HackingVision.

How To Secure Your Smart Home

Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

Still, given the benefits we get from these devices, they are probably here to stay.  We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

Cybercrooks have already taken note of these opportunities since malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73%in the third quarter of 2018 alone.

So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

Follow these smart home safety tips:

  • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
  • Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers— change the default username and password to something strong, and unique. Hackers often know the default settings and share them online.Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
  • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
  • Install comprehensive security software –Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Secure Your Smart Home appeared first on McAfee Blogs.

Live From RSA: Coolest Things to See on the Expo Floor

The RSA expo hall is massive. Even the word “massive” doesn’t seem to do justice to just how big the floor is and how many vendors are present. Putting it in better context, it took me an entire hour to walk by every booth at a moderate pace, and that is without stopping for conversations or getting my badge scanned. For the first night, I wanted to see everything, and make some mental notes on who to return to the following day – I was on the hunt for some of the more interesting things at RSA.

The number of giveaways was astonishing, everything from your typical socks and t-shirts to, what looked like, a car giveaway! The expo hall presented every aspect of security imaginable, with a noticeable concentration of artificial intelligence powered products.

The second day I walked back to the booths that caught my attention, for a quick conversation on what they were really pushing at RSA, and below are the coolest things I found. There may be cooler technologies out there on the floor, but these are the ones that I understood what they did right away and had something that seemed on the leading edge.

Circadence

https://www.circadence.com/

This was easily one of the coolest things I saw on the floor. Circadence seems focused on taking the boring out of cybersecurity education. For people like myself, who are active, hands-on learners, Circadence seems incredible. The team gave me a demo of Project Ares, which is a gamified platform that simulates real-world scenarios on actual virtual machines (on Azure) that the learner must either try to attack or try to protect from attacks. There was an entire library of knowledge for protecting your infrastructures/networks, and then the full simulation room. You’re presented with a list of 80+ tasks that you must complete. The tasks increase in difficulty, and completing tasks awards points to the student. There are helpful hints along the way, but viewing them lowers your overall score. All of this is reported up to an analytics/reporting platform for the managers. They also claim AI hooks that can turn real-time threat intelligence into new missions for the students. In addition, the vision they shared with me for where they want to take the platform over time was pretty impressive. Definitely a booth to visit and a company to keep an eye on!

Blue Hexagon

https://bluehexagon.ai/

If AI and machine learning are vehicles, then deep learning is the Ferrari. It’s a powerful sub category of machine learning that has become really popular for a number of companies. Blue Hexagon takes deep learning, developed from their own proprietary neural networks, and applies it to network threat detection and protection. Their biggest focus is on speed of detection, by leveraging their deep learning to categorize both known and unknown threats across all of their systems. Blue Hexagon is a two-part system: First their cloud is where their Deep Learning Neural Network sits, and is where all of the training and data analysis on traffic occurs. Second is an on-premises device that sits at the ingress of your network and communicates with the cloud as it’s monitoring traffic. The interesting upside is that the more customers they onboard, the more powerful their deep learning will become. Definitely a company to keep an eye on, especially if they use all of that data and pivot into other fields.

SaltStack

https://www.saltstack.com/

At Veracode, our focus is on DevSecOps, which is bringing security into the automation fold of DevOps. When I saw that SaltStack focuses on SecOps, I was intrigued. This company is about bringing Security and IT Operations closer together in a far more automated fashion. With their platform, security teams can scan their networks for a number of different issues. In most cases, security teams would then send these findings to the Operations team to go and fix – essentially throwing the issue over the wall, which is exactly what DevOps itself aimed to solve in the Developer/Operations world. With SaltStack, security teams can create scripts that actually fix the issues, and send those over to the Operations group – who can then read the problem and fix in their language, and with a single click, deploy the fix immediately. The end goal is to eliminate the operations review cycles, and fully automate the scan and fix process, as the teams become more aligned over time. Any time companies can provide tools that help bridge the gaps between departments, it’s a big win. SaltStack is another company to check out and keep an eye on!

Cofense

https://cofense.com/

Have you heard of the company Cofense? How about PhishMe? If you’re like a lot of people I spoke to, they have heard about PhishMe, but not Cofense. Well, they’re the same company! About a year ago, PhishMe rebranded as Cofense after an acquisition by a private equity consortium. The main reason for the rebranding is because a lot of people knew about PhishMe for their phishing platform, but didn’t realize they provide much more beyond that. They maintained the name “PhishMe” as one of their products, but Cofense now represents the entire portfolio of products and services, including phishing reporting, threat intelligence, and incident response platform. Although the rebranding happened a year ago, I thought it would be good to mention Cofense in this list as a company to keep an eye on. Phishing is a problem that still takes even the most security-conscious company by surprise, and Cofense is on a mission to fix that problem.

Code42

https://www.code42.com/

I’m going to round out this list with Code42 for one simple reason – they nailed their marketing. I had never heard of Code42 before the conference because my career hasn’t taken me into the data loss prevention space. However, Code42’s digital and print advertising leading up to RSA was very memorable. They had a lot of fun with it, with phrases like “I love my DLP, said nobody ever.” I remember seeing a lot of these ads online leading up to RSA, and when I saw the same images at the booth as I was walking by, I had to stop in and say hello.  

Stay tuned for more from RSA …

How to Steer Clear of Tax Season Scams

*This blog contains research discovered by Elizabeth Farrell

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. This year alone, almost 400 IRS phishing URLs have been reported. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax seasons schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

In a software-driven world, who is responsible for the risks?

The power of software to improve our lives and our world is almost limitless. Consequently, those creating software are wielding a power that demands a new level of responsibility.

When I think about how fast the world is changing, I wonder how our ancestors must have felt at the dawn of past industrial revolutions. Everything changed – the way we made, shipped, and sold goods evolved, and daily schedules and lives changed as people moved to cities to escape subsistence farming and find work in factories and mills. All of this change was fueled by new technologies and innovations. While many of these changes were positive, there were risks and costs, such as increased injuries, rising wealth inequality, and, as urbanization took hold, an increased spread of disease. It became the responsibility of factory workers, and in some cases the government, to address these concerns in order for our economy and society to flourish and grow.

We are in the dawn of the fourth industrial revolution, where software will not only power our lives, but is also created by organizations to change the world in remarkable and sometimes unimaginable ways. We are already seeing innovations in software to solve some of modern society’s biggest challenges. There is software to help farmers determine the exact amount of water to use to hydrate their fields, so they don’t waste such a precious commodity. There is software to help diagnose disease, monitor vital health information, and even treat diseases.

This software is not just powering our world, it’s changing our world. Thus, those who create software have an increased level of power in our society – and as the Spiderman comics say, “with great power comes great responsibility.”  

Consider that the average car today has approximately 100 million lines of code. A good portion of this code goes into operating innovations that make the car more automated. The ethical implications of creating this code for vehicles is much more complex. For example, developers creating code for a self-driving car must consider how the technology will respond if the car is placed in a situation where it has to choose between hitting another car, or, worse, a pedestrian or biker. There is no right answer, and typically the driver would make this split decision based on instinct, reaction time, and cultural priorities. However, when a computer makes the decision, we are really asking the developer to decide, placing more responsibility with the developer.

As software becomes more ingrained into our lives, we are placing an increased responsibility on the shoulders of developers to make sure that software is functional and safe – both safe in terms of how it operates, but also how secure it is. In a world where software is used to treat patients, and solve important human issues, a breach in the digital world can have a tragic effect on the physical world. What a great responsibility developers have to code securely. We are putting our trust in their typing hands – trust that they will create great code, and that they will create code that does no harm, and doesn’t allow bad actors to use that software to harm. I’m not sure that’s what most programmers were signing up for when they decided to take that first computer science course. But it’s our current reality, and ultimately it’s the responsibility of all who interact with software – whether purchasing, using, or coding – to insist that quality software = secure software.

McAfee Employees Strike Their #BalanceForBetter Pose This International Women’s Day

By Karla, Digital Media Specialist

During the month of March, we are thrilled to support International Women’s Day, on March 8, and Women’s History Month. At McAfee, we recognize the importance of an inclusive and diverse culture and as part of this year’s International Women’s Day call to action, we’ve asked team members from across the globe to share how they #BalanceForBetter at McAfee.

Check out some of these great moments and be sure to share your own #BalanceForBetter stories in the comments below!

 

Silvia – Software Sales Account Representative (Chile)

“I always wanted to work for a company that would support me in my role as a woman, a mother, a professional and an athlete. I found that place. McAfee allows me to be me and encourages me to do what I need to do to #BalanceForBetter.”

 

 

 

Priya – Customer Success Manager (India)

“At McAfee, I feel like I can grow my career and be an independent career-focused woman while still being a doting and caring mother and spouse. McAfee helped create the right balance between my family, future and career. #BalanceForBetter”

 

 

 

 

Steve – Head of Advanced Threat Research (U.S.)

“I wish I could say we had gender balance in Advanced Threat Research of 50/50 men and women. I wish we could say this at the industry level in general. However, there’s no time better than the present to change this.

What #BalanceForBetter means to me is engaging early by hosting lab days at McAfee or visiting schools. At McAfee, we have a chance to spark interest, demonstrate inclusiveness and promote real change in the gender gap across the IT industry. Without more women in tech, I truly feel like we are missing out on a unique and diverse perspective. As a father of two young girls with the potential to be anything, I know it’s time we change the status quo.”

 

 

Gurjeet – Engineering Manager (Canada)

“McAfee is like my second family. We celebrate each other’s achievements, encourage one another to give our best and are wonderful friends who always cheer each other up during difficult times.

Here, I can be my personal best every day at the office while doing all the things I cherish with my real family, like hiking, running, traveling and exploring the beautiful world.”

 

 

Paula – Head of Consumer ORD (Brazil)

“The consumer online business is a heavily results-driven organization that demands strong planning and speedy execution, so every minute counts! I #BalanceForBetter by creating clear business objectives that help me to prioritize my tasks and meetings – guaranteeing my weekdays are as productive as possible. This balance ensures that my mornings are spent in the gym and my evenings with family and friends, which ultimately gives me the energy and joy needed to execute my work each day.”

 

 

Laura – Marketing Communications Manager (Mexico)

“After working in marketing for more than 20 years in tech, I certainly believe that technology helps you find a balance of work and play – not having to choose between one or the other. I #BalanceForBetter at McAfee to define the best version of myself.”

 

 

 

Charan Jeet – MSSP Solutions Architect (Australia)

“McAfee’s flexible and supportive work culture plays a vital role. It encourages equal opportunity to every individual/employee irrespective of gender or background. It has helped me keep myself actively engaged in the activities I love, helping me #BalanceForBetter.”

 

 

 

Sonia – Talent Acquisition Partner (Argentina)

“We all live in the same world, but each person lives and experiences life through a different lens. Learning how to accept and sympathize with these different points of view is what makes the world a better place. As a recruiter, I enjoy communicating with diverse people to help them reach their full potential in all aspects of their work lives and personal lives. #BalanceForBetter”

 

 

 

Laura – Program Manager (Ireland)

“At McAfee, we are tipping the scales in terms of championing equality in the workplace. From our investment in gender pay parity to living the McAfee values and creating a better workplace where we are encouraged to be our full authentic selves. For me, that’s #BalanceforBetter.”

 

 

 

 

Andrea – Program Manager (Argentina)

“At McAfee, I #BalanceForBetter by leveraging my skills as a Program Manager to collaborate with teams around the globe. As a working mom at McAfee, I am offered a great work-life balance and I can #BalanceForBetter by devoting time to another one of my passions – playing soccer with my boys! This healthy mix helps me stay happy and well.”

 

 

 

McAfee is an inclusive employer and is proud to support inclusion and diversity. Interested in joining our teams? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

 

The post McAfee Employees Strike Their #BalanceForBetter Pose This International Women’s Day appeared first on McAfee Blogs.

Live From RSA: Opening Keynote Inspires

The keynote presentation this year at RSA carried three major themes: Better Together, Trust, and Artificial Intelligence.

Better Together

We were treated with a surprise keynote opening by Dame Helen Mirren, who gave an inspirational speech on the influence that every security practitioner in the room has on the security of our world. She walked us through an exercise, asking everyone to hold up their favorite picture on their phone, and share it with the people sitting nearby, to remind us all we are humans. 

It’s important in trying times, when we are all working hard every day to combat the cyberattacks against our nation, our companies, and our people to remember that we are all humans doing our best. When things are hard, it’s okay to look to your left and your right, and share in a positive experience with a neighbor. None of us can protect our world without each other. 

“We can build a better future together.” – Dame Helen Mirren

Trust

Next Rohit Ghai and Niloofar Razi Howe treated us to a visionary walk through the future, painting a picture of the year 2049 when the world is in the middle of a new era: the Biodigital Era. The main takeaway was that the security landscape is rapidly changing, and moving away from just understanding risk and attacks, and towards a world where trust is the most important thing. 

They painted a picture of a future where people lost faith in democracy, in media and news, and in the companies they had loved for so many years. We were brought back to the current year, 2019, where over 40K attendees at RSA made the conscious decision to work toward fixing the trust landscape so that the vision of an untrusting world of 2049 does not come to reality. 

They challenged everyone to get there by working toward three visionary objectives:

1) Consider both risk and trust together: Risk and trust coexist, and you have to understand, prioritize, and manage your risk so you can continue to keep trust.

2) Embrace the machine/human relationship: The trustworthy twins are here, meaning that humans and machines together are more trustworthy than either individually. As an industry, we should work to continue embracing this relationship, because our adversaries are working towards this. 

3) Build a chain of trust by measuring your reputation to measure your trustworthiness. There is a connection between the reputation of your business and its trustworthiness, and we need to ensure that we make “deposits” to our global reputation account by celebrating successes and sharing knowledge between companies. Too often, we make “withdrawals” when things go wrong, but don’t spend enough time working with others, even our competitors, to understand the attackers and threats that work to taint our reputations.

Artificial Intelligence

The last common theme was around AI, which resonated through all the presentations during the keynotes. AI is important to the success of our companies moving forward, and we must embrace this change. Our adversaries leverage machine learning and artificial intelligence to prioritize their attack vectors toward the weakest points uncovered by these algorithms. However, AI has limitations that still require human partnership, which we were reminded of during a story about the Cold War era. The Soviets “detected” the US launching five missiles towards them, but one man decided to ignore the “by the book” protocol and dismiss it as a false positive (which was correct), rather than escalating us into World War 3.

Adversaries are working on a number of fronts to combat the work that security companies do leveraging AI, including things like tainting machine learning classifiers in order to throw off the detection of their attacks. 

Wrapping Up

It’s amazing being at a conference of over 40K people who are all working toward the same goals: to protect our customers, our data, our country, and our people. There is an incredible honor and pride in this work and a sometimes overwhelming challenge when the targets are moving. It’s important for all of us to continue to understand how the threats are changing and stay laser focused on the needs of companies to combat those threats. Veracode works every day toward these goals, with a heavy focus on ensuring that our customers can trust the results of the security tests we give them. For us, trust is important, and the world shifting towards a focus on trust is critical to the success of our security practices.

Stay tuned for more from RSA …

Huawei’s possible lawsuit, ransomware readiness, old malware resurfaces | TECH(feed)

The ongoing battle between the U.S. and Huawei could soon go to court as Huawei reportedly prepares to sue the U.S. government. Plus, 2019 will see ride sharing companies going public… but which will be first? And as a decade-old malware resurfaces in enterprise networks, a report questions if the world is ready for the next large-scale ransomware attack.

Live From RSA: DevSecOps Days

RSA is arguably the preeminent security conference of the year. 2019 looks to live up to the excitement with a schedule full of knowledge sharing from the top experts in our industry. All week, we will share what we are learning this year, on both our social media channels and our blog. 

Monday was full of pre-conference seminars and sessions to attend, and the one that caught our eye was DevSecOps Days. Our very own Tim Jarret, Director of Product Management, attended this day-long seminar and has a few takeaways to share with you. 

DevSecOps is here, just not evenly distributed

DevOps alone still largely remains an aspirational goal for companies looking to accelerate their development schedules, drive predictability, and pivot quickly to new market demands. The theory of DevOps is fantastic, but the practice isn’t as straightforward. It makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. 

Tim says that, “A lot of practitioners talked about the ideals of DevSecOps but acknowledge that there are still a lot of challenges. Some attendees are still struggling with the DevOps transformation alone (including how to make traditional infrastructure teams ‘agile’), so DevSecOps is a challenge atop a challenge."

The biggest hurdles facing DevSecOps may be organizational and psychological rather than technological

There is little dispute that the ability to implement DevSecOps from a technology perspective is possible, and some companies have found success in doing so. However, technology remains an easy escape for blame when the real problems are with the people. Technology enables DevOps and DevSecOps, but it’s people, processes, and culture that drive it forward. So all the technology in the world will not help a company if they do not have the capabilities and drive to execute a DevSecOps strategy. It’s also why companies are looking for vendors to not just provide them with a “shiny tool” but give them a full programmatic approach to DevSecOps.

One moment stood out to Tim – “One panelist talked about the challenge of getting security practitioners to agree to implement feedback loops around incidents as an example of a simple mind shift. A danger is that security continues to see itself outside processes and therefore abdicates power where it could have an opportunity to drive change.”

Our recommendation to security leaders: be an enabling body who’s mission is to help drive development forward. Lead with stories about how your developers must deal with the backlog work, in the form of security issues, that will slow down development later or, worse, force them to drop everything when a breach occurs. 

To succeed with DevSecOps, security must recast what it does in terms of business value delivery

Our previous recommendation drives right into the third takeaway from DevSecOps Days. Security is often seen as a blocker to getting work done – the annoying person over your shoulder preventing your code from moving forward. This does not have to be the case, and security should be champions for efficient and high-velocity development. 

Tim’s thoughts on this? “It’s hard to prioritize security activities that avoid risk against projects that deliver business value. Security needs to define its work as helping to deliver business value faster or more safely rather than standing outside the process.”

We recommend that your security team sets a goal for itself: In the next 12 months, someone on your team will deliver a presentation, webinar, or speaking engagement on how you helped increase the overall velocity of your development teams. Make that a real driving goal for your team and ask yourself if the processes and controls put in place are driving your team towards that goal.

Stay tuned for more from RSA …

Let’s Discuss Cybersecurity as a Career Option This International Women’s Day

Even as I write this blog, the higher secondary board exams have started in schools across India and I send up a silent prayer for the thousands of nervous youngsters who are at the juxtaposition of a crucial time in their lives – the time when they have to take serious decisions regarding college education and career. The Board results would no doubt play a major role in this decision making.

With International Women’s Day around the corner, I am naturally thinking about women, their emancipation and their choices in life. I imagine them thinking independently, making decisions based on their capabilities and preferences, and supplying the necessary valuable skills that our country so needs.

But often that isn’t the case for teens as they are indecisive, and their knowledge of professions isn’t vast. They often miss out on plum prospects because, well, they were not aware of them or feel they may later hamper their family lives! I am going to do my bit for all the young ladies finishing school education this year- I am going to talk to you about choosing cybersecurity as a career option.

So girls, if you possess good reasoning power, enjoy ferreting out the source of the problem, are a natural at coding or are a serious video gamer, think cybersecurity.

Why Cybersecurity you ask? Let me present the facts.

  • Skills shortage

The National Association of Software and Services Companies (NASSCOM) recently estimated that India alone will need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy.

Demand for security professionals in India will increase in all sectors due to the unprecedented rise in the number of cyber-attacks, added NASSCOM. Despite having the largest information technology talent pool in the world, India is struggling to produce an adequate number of professionals to close the cybersecurity skill gap.

  • The age of diversification

There is gender gap in the cybersecurity sector and companies globally are trying to correct this, not just to promote diversity but to add value to their work culture with the addition of the visions, perspectives and skills that women bring in.

  • Flexible work arrangements

With more women joining the profession, employers are doing their best to make the work atmosphere favourable for them. Not only are they offering flexi-timings but also work-from-home opportunities when it’s possible. I have heard of companies that allow mothers with infants to work from home for extended periods! Isn’t that a blessing?

According to a 2013 McKinsey Report, 34 percent of India’s IT workforce is female. However, most of them exit the employment pipeline at the junior to mid-level.

This only goes to reveal that many women scientists and engineers drop out, perhaps because they find it difficult manage their work-home balance. With flexi-timings and work-from-home options, this figure will definitely decrease!

  • Good support system

Great news for all women exploring cybersecurity as a career! There are organizations like Women in CyberSecurity (WiCyS) that aims at offering a common platform to women cybersecurity professionals from academia, research and industry where they can network, mentor and be mentored, share information and experience; which means, you will never feel alone as help is just a click away!

  • You don’t need to be an engineer

Employers are trying to plug the cybersecurity skills gap with alternative solutions. It has been found that video gamers too have the right types of skills along with a different approach to threat hunting. So, if you are an avid gamer, go for it!

  • Steady jobs with good pay

This last bit is the clincher really! In this super-competitive market, isn’t it a dream to have a high salary job that rarely gets monotonous?

McAfee lists some cool cybersecurity job prospects for you, check them out!

Job 1 – Forensics Expert

They analyze and determine who the mastermind behind a security breach might be. It can be almost as complex and precise as understanding human DNA.

Job 2  – Cryptographer/ Cryptanalysts

Cryptographers develop algorithms, ciphers and security systems to encrypt and hide sensitive information from cyber hackers.

Job 3 – Threat Hunter

Threat hunters use manual or machine-assisted skills to detect and prepare for security incidents

Job 4 – Security Architect

They design systems to help develop and test the security vulnerabilities of a business

Parenting tips to rear future cyber security experts:

You can help your child make faster career decisions if you instill security habits in them from an early age. It goes without saying that you need to model cybersecurity habits so that they can learn by imitating you. Discuss cybersecurity as a profession and explore the prospects together online. Take your child to meet friends in the field so that they can get their doubts cleared. Have dinner time conversations on how attacks are becoming more advanced and the best means to fight them. If your daughter enjoys playing online games, use that as a conversation starter to talk about how security firms are looking at video gamers—even those without a background in cybersecurity.

The best gift you can give the women in your family on International Women’s Day is a sense of independence, security and equality.

Happy International Women’s Day!!

Credits:

https://anitab.org/blog/indian-women-in-technology-barriers/

CSO

McAfee

The post Let’s Discuss Cybersecurity as a Career Option This International Women’s Day appeared first on McAfee Blogs.

What is an IT auditor? A vital role for risk assessment

What is an IT auditor?

An IT auditor is responsible for analyzing and assessing a company’s technological infrastructure to ensure processes and systems run accurately and efficiently, while remaining secure and meeting compliance regulations. An IT auditor also identifies any IT issues that fall under the audit, specifically those related to security and risk management. If issues are identified, IT auditors are responsible for communicating their findings to others in the organization and offering solutions to improve or change processes and systems to ensure security and compliance.

Google Dorks List 2019 SQLi Dorks – HackingVision

Google Dorks List 2019 SQLi Dorks Google Dorks List 2019, Google Dorks List, Find SQL Injectable Websites, Hack Websites using Google Dorks, Google Dorks List SQL Injection. Google Dorks List 2019 is a list of dorks to find SQL injectable websites. A Google dork query, sometimes just referred to as a dork, is a search […]

The post Google Dorks List 2019 SQLi Dorks – HackingVision appeared first on HackingVision.

McAfee Protects Against Suspicious Email Attachments

Email remains a top vector for attackers.  Over the years, defenses have evolved, and policy-based protections have become standard for email clients such as Microsoft Outlook and Microsoft Mail.  Such policies are highly effective, but only if they are maintained as attacker’s keep changing their tactics to evade defenses.  For this reason, McAfee endpoint products use a combination of product features and content for increased agility.  In McAfee Endpoint Security (ENS) 10.5+, such protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content.  This capability goes beyond the level of protection offered by email clients by not only blocking applications and scripts, but also a variety of threat types in their native form, as well as those compressed and contained within archives and other formats.

Figure 1 – ENS 10.6.1 Configuration Screen

An example of this capability in action can be seen against a recent spam run.

In this campaign, a malicious email message contained the attachment BANK DETAILS.ZIP.  Inside this archive was the file BANK DETAILS.ISO.  Malicious ISO spam has been increasing over the past six months, and while it is common for ISO files to be blocked by email clients, this is not the case where the ISO is inside of a ZIP.  Inside the BANK DETAILS.ISO file resides BANK DETAILS.EXE.  Email clients will typically block executable files attached to messages, but not if they are inside a container.

When the email client attempts to write the attachment to disk, ENS scans inside the ZIP and subsequently the contained ISO and EXE files (ZIP -> ISO -> EXE).

Figure 2 – ENS Toaster Popup

In this case, 2-year-old DAT content proactively stopped the threat.

If the system had not been protected, an unsuspecting user might open the ZIP to reveal the ISO.

Figure 3 – Inside ZIP file showing ISO file

The ISO can then be accessed via Windows Explorer, which appears as a DVD Drive containing the executable, password-stealing, payload.

Figure 4 – EXE file inside Bank Details.ISO

Since the advent of policy-based email attachment blocking, attackers have continued to seek ways to evade that protection. ISO abuse may be the latest chapter in the story, but others are sure to follow.

Tens of thousands of new and unique malicious attachments are blocked each month via the ‘Suspicious Attachment’ detection feature.

The post McAfee Protects Against Suspicious Email Attachments appeared first on McAfee Blogs.

25 Free eBooks to learn Python 2019 – HackingVision

Free eBooks list of free Python programming eBooks to learn Python programming. Download eBooks in PDF EPUB 2019 Python eBooks. List curated by Hackingvision.com Disclaimer: The contributor(s) cannot be held responsible for any misuse of the data. This repository is just a collection of URLs to download eBooks for free. Download the eBooks at your […]

The post 25 Free eBooks to learn Python 2019 – HackingVision appeared first on HackingVision.

Alleged ‘Momo Challenge’ Reminds Parents to Monitor Online Content

Momo challenge
This eerie image is connected to the alleged Momo challenge causing panic among parents.

Editor’s Note: This blog post includes disturbing content and mentions of suicide.

Internet challenges have been going on for years. They can be fun and harmless, or they can be dim-witted and even deadly. The latest challenge referred to as the Momo challenge seemingly hits a whole new level of creepy but experts say there’s little evidence the challenge is real.

What Is It?

To participate in the alleged challenge players using various apps or games are purportedly urged by a pop-up image of “Momo” to hurt themselves or others to avoid being cursed by the creature. (The creepy image of Momo is reportedly a half-girl-half-bird sculpture created by a Japanese artist unrelated to the game). Rumors allege the game ends with Momo encouraging participants to take their own lives and record it for social media.

Real or rumor?

Is the challenge real or a hoax? While several youth suicides around the world are rumored to be tied to the Momo game, none of the connections have been proven, according to both the Washington Post, Snopes, and other news sources.

Rumored or reality, one thing is for certain: The viral Momo story is creating a genuine panic and perceived threat among parents that requires an equally strategic response.

With devices in the hands of most kids by the time they are 10, the viral Momo challenge offers all of us a chance to stop, think, and connect with our kids specifically about digital content, peer pressure, and the danger of online challenges.

Talking Points for Families

Be hands-on. This story, while considered an internet myth, represents an opportunity to get even more hands-on with your digital parenting efforts. As silly, viral challenges like Momo arise (and there will be more), resolve to routinely monitor the content your kids engage with online. This includes apps, YouTube content, video games, TV shows online, and chat apps. Feel overwhelmed with monitoring? Consider getting a software program to be your eyes and ears online and help filter out risky content.

Get proactive. Depending on the age of your child, chances are if they’ve heard about the Momo game or seen the image, they could be frightened. Talk about the dangers of peer pressure, bullying, and online challenges. Make sure the conversation is two-way and includes your child’s experiences and thoughts on the topic. Ask your child to come to you immediately if anyone or anything online ever makes them feel unsafe, afraid, or provoked.

Stay informed. Risky digital behaviors that affect kids, tweens, and teens make the headlines each week. Any parent in the know will tell you candidly that staying informed about online risk is a part-time job attached to parenting. Read blogs, set google alerts, listen to podcasts, and connect with experts online to stay informed. Other dangerous online challenges include the Bird Box Challenge and several others.

Encourage critical thinking. If your child blows off the potential seriousness of online stunts or games, encourage him or her to think a behavior through. Ask them: “Walk through each step of the stunt and tell me where you think things could go wrong.” This will help your child personally determine if an activity is risky or not.

Know Those Apps! One of the biggest threats to a child’s online safety is his or her choice in apps. Apps run the gamut of risk and range from educational and uplifting to inappropriate and dangerous. Go on your child’s phone regularly and check for risky apps. Google the app and read app reviews. Look at age restrictions and customer reviews so you will be better equipped to evaluate whether an app may be suitable for your child. Dangerous apps include Kik Messenger, Ask.Fm, Tumblr, and any other social network that allows anonymous users.

Monitor online communities. Your kids have friends they bring home, but they also have friends online you will never meet face to face. Dig in and get curious. Look for apps such as WhatsApp or Kik that allow kids to chat with anyone, anywhere. Ask your kids to show you where they spend their time and the kind of people they choose to talk with. Remember: The direct message feature on favorite apps like Instagram and Snapchat are also ways kids connect with peers online.

The contour of our digital life evolves and expands every day. And, unfortunately, along with that growth will come people who attempt to cause harm or plant fear just for sport. Rather than respond with fear, consider approaching risks with a fresh determination to equip your family with the knowledge and tools it needs to thrive and stay safe in this ever-changing digital terrain.

The post Alleged ‘Momo Challenge’ Reminds Parents to Monitor Online Content appeared first on McAfee Blogs.

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to the UK national infrastructure continued to make the headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant continued to play out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details. And also, why DDoS might be the greater threat to 5G than Huawei supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK, Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.

A survey by PCI Pal concluded the consequences of a data breach had a greater impact in the UK than the United States, in that UK customers were more likely to abandon a company when let down by a data breach. The business reputational impact should always be taken into consideration when risk assessing security.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% said they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly can be a poisoned-chalice, so its really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report declared in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both rose dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had implemented this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements has helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even quicker.

In a rare speech, Jeremy Fleming, the head of GCHQ warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis".  Clearly international law wasn't developed with cyber space in mind, so it looks like GCGQ are attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK. The 6 Best Cyber Security Blogs - A Data Centre's Perspective Truly humbled and in great company to be on that list.

BLOG
NEWS 
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

    SQLiv – Massive SQL injection scanner

    SQLiv – Massive SQL injection scanner SQLiv Massive SQL injection scanner Features multiple domain scanning with SQL injection dork by Bing, Google, or Yahoo targetted scanning by providing specific domain (with crawling) reverse domain scanning both SQLi scanning and domain info checking are done in multiprocessing so the script is super fast at scanning many […]

    The post SQLiv – Massive SQL injection scanner appeared first on HackingVision.

    JAVA-VBS Joint Exercise Delivers RAT

    The Adwind remote administration tool (RAT) is a Java-based backdoor Trojan that targets various platforms supporting Java files. For an infection to occur, the user must typically execute the malware by double-clicking on the .jar file that usually arrives as an email attachment. Generally, infection begins if the user has the Java Runtime Environment installed. Once the malicious .jar file runs successfully on the target system, the malware silently installs itself and connects to a remote server through a preconfigured port. This allows it to receive commands from the remote attacker and perform further malicious activities. Recently, McAfee labs has seen a surge in a variant which comes as a JAR attachment via a spam email and uses the famous Houdini VBS worm to infect user.

    Infection chain:

    The malware’s spreading mechanism is the same as in previous versions. It arrives in a spam email with a .jar attachment. The contents of the email are carefully crafted to lure victims using social engineering techniques. We can summarise the whole infection chain as shown in the below snippet:

     

    The spam email may look like this:

    The parent JAR file:

    To keep things simple, we just called the attached .jar file as a parent jar file and named it Sample.jar. Generally, Adwind comes in an obfuscated form to hide its malicious intent. Its payload and configuration file (which serves as an installation file) are encrypted with the DES, RC4, or RC6 cipher, depending on the variant. The Adwind backdoor will decrypt itself on the fly during execution. In this variant we can see the contents of Manifest.MF. It has main class bogjbycqdq.Mawbkhvaype.

    Mawbkhvaype.class

    The main task of this class is to check for a resource file available in the Jar bundle. Here, resource mzesvhbami is a vbs file. Mawbkhvaye.class will check for mzesvhbami in the resource section and later drop bymqzbfsrg.vbs in the user’s Home directory before executing it with the help of wscript.

    Bymqzbfsrg.vbs

    It has a huge chunk of obfuscated base64 encoded data present. The below snippet shows the partial part of Bymqzbfsrg.vbs script.

    Once deobfuscated and decoded, the base64 encoded data converts to ntfsmgr.jar and is dropped in %appdata%/Roaming. The below snippet shows the conversion of base64 encoded data into Jar file:

    Decoded to JAR file (ntfsmgr.jar)

    Ntfsmgr.jar

    Here, important files present in ntfsmgr.jar are drop.box, mega.download and sky.drive which will be used later for creating the configuration file for the malware.

    Final Payload:

    Ntfsmgr.jar has operational.Jrat as the main class. The purpose of operational.Jrat is to drop another .jar file into the %TEMP% folder with random file name [underscore] [dot] [random numbers] [dot] class, e.g. _0.1234567897654265678.class, which will be the actual payload and later will perform malicious activities on the user’s system. The below snippet shows the routine present in operational.Jrat for creation of the final payload in %TEMP% location.

    The contents of Manifest.MF looks somewhat similar to ntfsmgr.jar. All the other files in the final Java archive will be decrypted on the fly and will infect the system. After Adwind successfully infects a system, we have seen it log keystrokes, modify and delete files, download and execute further malware, take screenshots, access the system’s camera, take control of the mouse and keyboard, update itself, and more. We are not going to dig into this threat in this direction now but you can read more about Adwind here and here. In this blog we will now discuss another part of the story, Bymqzbfsrg.vbs

    Working of Bymqzbfsrg.vbs

    After successful execution, Bymqzbfsrg.vbs drops ntfsmgr.jar and sKXoevtgAv.vbs in %appdata%/Roaming.

    Bymqzbfsrg.vbs dynamically executes a method naira inside the script by using ExecuteGlobal, as seen in the below snippet.:

    Dynamic execution of the script looks like this:

    The below snippet shows the script for dropping sKXoevtgAv.vbs in %appdata%Roaming.

    Here we see the script for dropping ntfsmgr in %appdata%Roaming.

    At the time of execution, sKXoevtgAv.vbs decodes itself to Houdini vbs worm which is the final payload. The first few lines of the script are as follows:

    The attacker may perform many malicious activities on the victim’s machine, including::

    • Downloading and executing files on the victim’s machine
    • Running command instructions
    • Updating or uninstalling a copy of itself
    • Downloading and uploading files
    • Deleting a file or folder
    • Terminating certain process

    Enumerating files and folders on the victim’s machine

    Additional Points:

    1. For persistence it creates a run entry.

    When the ntfsmgtr.jar runs, it adds itself into the start-up so that it will be run whenever the system starts.

    1. It checks for installed anti-malware products on the system.

    1. If available, it copies the installed Java Runtime files to a temporary directory within the victim’s home directory, otherwise it downloads from the web and copies in the same directory.

    Conclusion:

    In past, we have seen threat actors using two similar functioning malware families in a single infection. Usually, threat actors chose this path for higher probability of successful infection.

    The hashes used in the analysis:

    Sample.jar: 07cb6297b47c007aab43311fcfa9976158b4149961911f42d96783afc517226a

    Ntfsmgr.jar: ee868807a4261a418e02b0fb1de7ee7a8900acfb66855ce46628eb5ab9b1d029

    McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect the malicious jar files as Adwind-FDVH.jar! [Partial hash] and Adwind-FDVJ.jar! [Partial Hash], with DAT Versions 9137 and later.

    The post JAVA-VBS Joint Exercise Delivers RAT appeared first on McAfee Blogs.