Monthly Archives: June 2019

#Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account

If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.

So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms on the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. If the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam also targets the user’s associated email login, the attackers would be able to reset the password and verify ownership of the victim’s account.

Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:

  • Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually affiliated with Instagram.com. Additionally, it doesn’t use the secure HTTPS protocol, indicating that it is a risky link. Always inspect a URL before you click on it. And if you can’t tell whether a link is malicious or not, it’s best to avoid interacting with it altogether.
  • Don’t fall for phony pages. If you or a family member is in search of a verified badge for their Instagram profile, make sure they are familiar with the process. Instagram users should go into their own account settings and click on “Request on verification” if they are looking to become verified. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
  • Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.
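The first two tips above come down to looking at the link itself. The helper below, added here as an illustration and not part of the original post, checks the two signals the post calls out for the scam domain: whether the host is really an Instagram-owned domain and whether the link uses HTTPS. The official-domain set, the brand keywords and the simple two-label domain extraction are assumptions for the example.

```python
"""Link triage for Instagram-themed phishing (added example, not McAfee's code)."""
from urllib.parse import urlsplit

# Assumed for the example: domains Instagram itself controls. A real tool would
# use a maintained allowlist and a public-suffix library for registrable domains.
OFFICIAL_DOMAINS = {"instagram.com"}
BRAND_KEYWORDS = ("instagram", "insta")


def refang(url: str) -> str:
    """Turn a defanged indicator such as Instagramforbusiness[.]info into a real URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url  # bare hostname with no scheme: treat as plain HTTP
    return url


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url: str) -> dict:
    """Flag the two signals from the post: unaffiliated brand lookalike, no HTTPS."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    official = domain in OFFICIAL_DOMAINS
    findings = []
    # Brand name appearing anywhere in a host that is not Instagram's own domain
    # (covers both lookalike registrations and brand-as-subdomain tricks).
    if not official and any(k in host for k in BRAND_KEYWORDS):
        findings.append("brand name in unaffiliated domain " + domain)
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    return {
        "host": host,
        "domain": domain,
        "official": official,
        "findings": findings,
        "risky": bool(findings),
    }


if __name__ == "__main__":
    for link in ("Instagramforbusiness[.]info", "https://www.instagram.com/accounts/login/"):
        print(link, "->", assess_link(link))
```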

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.

Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals?

Several times lately, CIOs and CISOs have asked me why the security toolset they get for “free” from their cloud service providers isn’t enough. Sure, it might not be the best … but isn’t it good enough for the program’s success?

It’s true that we don’t often need the Cadillac. But cloud programs are failing at high rates, and the number-one listed reason is security challenges. Teams are trying to use that SaaS or IaaS/PaaS cloud service provider-native security and finding after initial designs that it’s full of holes, or that it’s very difficult to operate across the enterprise. And trying to bolt on additional security to highly automated cloud deployments is not nearly as easy as it was in steadier-state traditional data center configurations. We as solution engineers are failing our development, business and security teams by not addressing the number-one factor in cloud transformation failure with tools that will better support their success in delivering secure cloud implementations.

Figure 1: Percent of respondents with major cloud programs reporting they have “fully achieved” their expected cloud outcomes

Figure 2: Top concerns perceived to impact that lack of full program goal attainment

The CSPs and enterprise software providers just aren’t considering full architectural requirements for security, at a time when architecture overall—and security architecture in particular—is more important than ever. And they don’t have that perspective: Operating a complete end-to-end security architecture and program isn’t the perspective of these software companies’ product teams. Enterprise security is still needed, but new perspectives, more flexibility and support for automated architectures are also needed. Cloud deployments move so fast that we get to the point of “hard to add budget and redesign for efficiency” faster than ever before. We’re asking our development teams to walk a high wire, creating new technologies that enable business using new cloud technologies … but we’re assuming that those new cloud technologies are coming with their own security safety nets. And the market experience is that they don’t.

A better approach is to ENSURE a practical, agile security architecture starting with Cloud Access Security Broker (CASB) basics in place as a foundation of any major cloud transformation program. This gives us detective—and quickly available preventative—controls to ensure that while valuable risks are taken by our development and business teams who build fast in SaaS or IaaS/PaaS cloud, we are protecting them and the enterprise from egregious configuration errors and other easy mistakes up on that high wire.

When I’m developing services, I want to work with market-proven tools—they create an environment for my success.  

What do you think? Are SaaS or IaaS/PaaS “built-in” security controls sufficient, or is a considered enterprise security architecture still necessary? Should we design that security architecture as base to programs or after giving CSPs’ own controls a chance to fail? Always interested in your feedback.

Next month, we’ll look at the highest-priority components of a complete cloud security architecture.

The post Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals? appeared first on McAfee Blogs.

Business-Focused Approach to Security Assurance Is More Evolution Than Revolution


According to a new research report from Information Security Forum (ISF), only 32 percent of its membership is satisfied with their security assurance program – though 80 percent say that they want to take a more business-focused approach to security. Given the ever-evolving threat landscape, security leaders understand that they always need their finger on the pulse of how secure their organization’s information is. This can prove to be challenging if the right processes and controls are not in place across development, IT, and security in your organization.

Oftentimes, communicating the security of your organization – and communicating it well – comes down to asking the right people the right questions, and taking smaller steps to achieve the desired outcome. In the report, Establishing a Business-Focused Security Assurance Program, ISF proposes that organizations build on existing compliance-based approaches instead of reinventing the wheel. To map out where the program needs to go and begin evolving it with the business in mind, ISF notes that security leaders should:

  • Identify what business stakeholders want from security assurance
  • Break down the requirements into manageable tasks to move from current to future approaches
  • Apply repeatable security assurance processes across multiple target environments (i.e. business processes, projects and supporting assets, where appropriate in your organization)

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are,” said Steve Durbin, Managing Director, ISF. “A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

Including Secure Coding in the Security Control Discussion

According to the 2019 Verizon Data Breach Investigations Report, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting personal data to turn a profit.

An often-overlooked way to tighten security in your organization is to provide developers with the tools they need to code securely, and to continue learning about different vulnerabilities as they work. When development teams are able to scan for vulnerabilities in their code while they work, those flaws are less likely to surface in the QA and production stages. The State of Software Security Report Volume 9 shows that organizations that are conducting application security scanning more than 300 times per year are able to shorten flaw persistence by 11.5 percent.

This means that development leaders must be included in security control discussions. Their team may work in a different way than others across your organization, so understanding how to support them to make security a seamless priority in their day-to-day processes is a necessary step for security assurance. Once the DevSecOps approach to application development has been adopted, it’s even easier to verify for your executives – as well as customers and prospects – that you really do take security seriously.

The Right Analytics to Tell the Right Story

Analytics are useful for determining exactly what the right metrics are for AppSec managers to share with executives and their board. Given that policy compliance is often the number one priority for this audience, AppSec managers need to set their threshold for what they’re willing to accept and what they’re unwilling to accept when it comes to the appropriate level of risk and the type of data involved.

The Veracode Platform includes Veracode Analytics, which empowers our customers to set up custom analytics once they’ve determined their risk threshold and application criticality. With an easy-to-use dashboard view, AppSec managers can review their AppSec program to make sure that development and security teams alike are scanning all of their applications – and fixing what they find.

The Veracode Platform and Veracode Analytics can be a game-changer for your business, as it helps you to stay focused, motivate your teams, ensure better resource allocation, and help you more strategically communicate your security posture to the executive team.

For more on getting executive support for application security, see Everything You Need to Know About Getting AppSec Buy-In.

For more on measuring your application security program, see Everything You Need to Know About Measuring Your AppSec Program.

How Google adopted BeyondCorp


It's been almost five years since we released the first of multiple BeyondCorp papers, describing the motivation and design principles that eliminated network-based trust from our internal networks. With that anniversary looming and many organizations actively working to adopt models like BeyondCorp (which has also become known as Zero Trust in the industry), we thought it would be a good time to revisit topics we have previously explored in those papers, share the lessons that we have learned over the years, and describe where BeyondCorp is going as businesses move to the cloud.

This is the first post in a series that will focus on Google’s internal implementation of BeyondCorp, providing necessary context for how Google adopted BeyondCorp.

Why did we adopt BeyondCorp?

With a traditional enterprise perimeter security model, access to services and resources is provided by a device being connected to a privileged network. If an employee is in a corporate office, on the right network, services are directly accessible. If they're outside the office, at home or in a coffee shop, they frequently use a VPN to get access to services behind the enterprise firewall. This is the way most organizations protect themselves.

By 2011, it became clear to Google that this model was problematic, and we needed to rethink how enterprise services are accessed and protected for the following reasons:

Improving productivity
  • A growing number of employees were not in the office at all times. They were working from home, a coffee shop, a hotel or even on a bus or airplane. When they were outside the office, they needed to connect via a VPN, creating friction and extending the network perimeter.
  • The user experience of a VPN client may be acceptable, even if suboptimal, from a laptop. Use of a VPN is less acceptable, from both the employees’ and the admins’ perspectives, when considering the growing use of devices such as smartphones and tablets to perform work.
  • A number of users were contractors or other partners who only needed selective access to some of our internal resources, even though they were working in the office.
Keeping Google secure
  • The expanded use of public clouds and software-as-a-service (SaaS) apps meant that some of our corporate services were no longer deployed on-premises, further blurring the traditional perimeter and trust domain. This introduced new attack vectors that needed to be protected against.
  • There was ongoing concern about relying solely on perimeter defense, especially when the perimeter was growing consistently. With the proliferation of laptops and mobile devices, vulnerable and compromised devices were regularly brought within the perimeter.
  • Finally, if a vulnerability was observed or an attack did happen, we wanted the ability to respond as quickly and automatically as possible.

How did we do it?

In order to address these challenges, we implemented a new approach that we called BeyondCorp. Our mission was to have every Google employee work successfully from untrusted networks on a variety of devices without using a client-side VPN. BeyondCorp has three core principles:
  • Connecting from a particular network does not determine which service you can access.
  • Access to services is granted based on what the infrastructure knows about you and your device.
  • All access to services must be authenticated, authorized and encrypted for every request (not just the initial access).


High level architecture for BeyondCorp

BeyondCorp gave us the security that we were looking for along with the user experience that made our employees more productive inside and outside the office.

What lessons did we learn?

Given this was uncharted territory at the time, we had to learn quickly and adapt when we encountered surprises. Here are some key lessons we learned.

Obtain executive support early on and keep it

Moving to BeyondCorp is not a quick, painless exercise. It took us several years just to get most of the basics in place, and to this day we are still continuing to improve and refine our implementation. Before embarking on this journey to implement BeyondCorp, we got buy-in from leadership very early in the project. With a mandate, you can ask for support from lots of different groups along the way.

We make a point to re-validate this buy-in on an ongoing basis, ensuring that the business still understands and values this important shift.

Recognize data quality challenges from the very beginning

Access decisions depend on the quality of your input data. More specifically, it depends on trust analysis, which requires a combination of employee and device data.

If this data is unreliable, the result will be incorrect access decisions, suboptimal user experiences and, in the worst case, an increase in system vulnerability, so the stakes are definitely high.

We put in a lot of work to make sure our data is clean and reliable before making any impactful changes, and we have both workflows and technical measures in place to ensure data quality remains high going forward.
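The three core principles listed under “How did we do it?” and the data quality lesson just above can be shown together in one small access decision. The code below is an illustration written for this page, not Google’s implementation: the source network is recorded for audit but never consulted, the decision combines what is known about the user and the device, every request is evaluated, and a device with no inventory record or a stale one earns no trust. The tier names, policy table, patch threshold, users and devices are all constructed for the example.

```python
"""BeyondCorp-style per-request access decision (added example, not Google's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NOW = datetime(2019, 6, 30, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
MAX_INVENTORY_AGE = timedelta(days=2)  # older device data is treated as unknown
MIN_PATCH_LEVEL = 42                   # constructed patch counter threshold


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                  # enrolled in the corporate device inventory
    disk_encrypted: bool
    patch_level: int
    last_inventory_sync: datetime


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool             # strong second factor presented this session


@dataclass(frozen=True)
class Request:
    user: Optional[User]
    device: Optional[Device]
    service: str
    encrypted: bool                # request arrived over TLS
    source_network: str            # logged for audit only; never an input


TIER_RANK = {"untrusted": 0, "basic": 1, "fully_trusted": 2}

# Per-service policy: required group membership and minimum device tier.
POLICY = {
    "wiki":        {"group": "employees",   "min_tier": "basic"},
    "source-repo": {"group": "engineering", "min_tier": "fully_trusted"},
}


def device_tier(device: Optional[Device]) -> str:
    """Derive a trust tier from inventory data; unknown or stale data gets none."""
    if device is None:
        return "untrusted"
    if NOW - device.last_inventory_sync > MAX_INVENTORY_AGE:
        return "untrusted"         # stale record is not evidence of current state
    if not (device.managed and device.disk_encrypted):
        return "untrusted"
    return "fully_trusted" if device.patch_level >= MIN_PATCH_LEVEL else "basic"


def authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate one request; run for every request, not just the first."""
    if not req.encrypted:
        return False, "request not encrypted"
    if req.user is None or not req.user.mfa_verified:
        return False, "user not strongly authenticated"
    policy = POLICY.get(req.service)
    if policy is None:
        return False, "unknown service, default deny"
    if policy["group"] not in req.user.groups:
        return False, "user not in group " + policy["group"]
    tier = device_tier(req.device)
    if TIER_RANK[tier] < TIER_RANK[policy["min_tier"]]:
        return False, "device tier %s below required %s" % (tier, policy["min_tier"])
    return True, "allowed"


def demo() -> dict:
    """Constructed requests: location never matters, data quality always does."""
    engineer = User("alice", frozenset({"employees", "engineering"}), mfa_verified=True)
    contractor = User("bob", frozenset({"contractors"}), mfa_verified=True)
    fresh = Device("lt-1", True, True, 42, NOW - timedelta(hours=3))
    stale = Device("lt-2", True, True, 42, NOW - timedelta(days=9))
    old_patch = Device("lt-3", True, True, 40, NOW - timedelta(hours=1))
    cases = {
        "engineer_cafe_fresh_laptop":      Request(engineer, fresh, "source-repo", True, "cafe-wifi"),
        "engineer_office_stale_laptop":    Request(engineer, stale, "source-repo", True, "corp-office"),
        "engineer_office_old_patch_wiki":  Request(engineer, old_patch, "wiki", True, "corp-office"),
        "contractor_office_fresh_laptop":  Request(contractor, fresh, "wiki", True, "corp-office"),
        "engineer_plaintext_request":      Request(engineer, fresh, "wiki", False, "corp-office"),
    }
    return {name: authorize(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-32s %s (%s)" % (name, "ALLOW" if allowed else "DENY", reason))
```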

Enable painless migration and usage

The migration should be a zero-touch or invisible experience for your employees, making it easy for them to continue working without interruptions or added steps. If you make it difficult for your employees to migrate or maintain productivity, they might feel frustrated by the process. Complex environments are difficult to fully migrate with initial solutions, so be prepared to review, grant and manage exceptions at least in the early stages. With this in mind, start small, migrate a small number of resources, apps, users and devices, and only increase coverage after confirming the solution is reliable.

Assign employee and helpdesk advocates

We also had employee and helpdesk advocates on the team who represented the user experience from those perspectives. This helped us architect our implementation in a way that avoided putting excess burden on employees or technical support staff.

Clear employee communications

Communicating clearly with employees so that they know what is happening is very important. We sent our employees, partners, and company leaders regular communications whenever we made important changes, ensuring motivations were well understood and there was a window for feedback and iteration prior to enforcement changes.

Run highly reliable systems

Since every request goes through the core BeyondCorp infrastructure, we needed a global, highly reliable and resilient set of services. If these services are degraded, employee productivity suffers.

We used Site Reliability Engineering (SRE) principles to run our BeyondCorp services.

Next time

In the next post in this series, we will go deeper into when you should trust a device, what data you should use to determine whether or not a device should be trusted, and what we have learned by going through that process.

In the meantime, if you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers.

This post was updated on July 3 to include Justin McWilliams as an author.

Top 3 Challenges with Securing the Cloud

By 2020, it’s predicted that 83% of company workload will be stored in the cloud (Forbes). This rise in usage and popularity comes as no surprise given how cost-effective and easy it is to manage systems in the cloud.

As more critical applications migrate to the cloud, data privacy and software security are becoming a greater concern. With 60% of web application compromises involving cloud-based email servers (Verizon 2019 DBIR), it’s time to take these concerns seriously.

The cloud has had its share of attacks over the years, from DDoS to data loss attacks and even data breaches. Whether the cause is malicious tampering or accidental deletion, these incidents can lead to a loss of sensitive data and often a loss of revenue.

How exactly do we secure data and protect against these attacks in the cloud?

The one way to truly secure your data in the cloud is through continual monitoring of your cloud systems. However, this is a challenging process for several reasons:

1. Lack of Visibility

Cloud technology solutions often make the job of security providers more difficult because they don’t provide a single-pane-of-glass to view all endpoints and data. For this reason, you need a vast number of tools to monitor your cloud systems. For example, most cloud solutions send email notifications that provide some visibility into your environment.  However, these notifications don’t always provide enough insight into what exactly happened. You may receive an email alert about a suspicious login, but many of these alerts don’t give information about where the login attempt happened and what user was affected.

These vague alerts mean you have to investigate further; however, many of these cloud systems don’t have very useful investigative tools. If you want to find out more about the alert, you may be able to view the reports and read the logs associated with the activity, but that requires practice in knowing what to look for and how to interpret the information. This leads to another challenge in cloud security: lack of expertise.

2. Lack of Expertise

It takes practice to be able to look at security logs and interpret what the activity means. Different cloud providers may produce different types of logs and it can be difficult to translate the many varying log types.

If you want to secure your cloud environment properly, you will need a team dedicated to configuring, monitoring and managing these tools. Through 2022, it’s predicted that 95% of cloud security failures will result from customer error (Gartner). This reinforces the need to configure your cloud environment properly. Interpreting logs and configuring cloud systems requires skills that are developed over time. Many security professionals lack this particular expertise or the time required to properly develop these skills.

Those that do possess these skills and knowledge are in high demand, and there simply aren’t enough people to fill these positions.

3. Lack of Resources

Implementing all the right tools and staffing appropriately to monitor these tools around-the-clock is not an inexpensive endeavor.  Luckily, there are services you can leverage to augment your staff and monitor your environment, such as a managed security services provider (MSSP).

MSSPs have the tools and resources to pull information from all of your different cloud systems and monitor them in one place.  With a full staff of experts on-hand at all hours, an MSSP is fully prepared to monitor and respond to incidents. They can help provide the expertise and visibility into your cloud environment required to properly secure your cloud systems.

The post Top 3 Challenges with Securing the Cloud appeared first on GRA Quantum.

Live from AWS re:Inforce: Learnings from Security Enablement for DevOps at AT&T


This week, AWS ran its inaugural security conference, AWS re:Inforce, in Boston. There were several interesting talks at the conference, and I found that John Maski’s presentation, “Integrating AppSec in your DevSecOps on AWS,” contained great practical advice. Maski worked for AT&T for 32 years, most recently as Director, Production Resiliency & DevSecOps Enablement. He recently joined Veracode to advise customers on how to best integrate Veracode into their security pipeline, and we’re lucky to have him on the team.

Support from Executive Leadership is Crucial

Starting out, and as expected for any large organization, Maski found a huge variety of skill levels and a lot of variation in how people ran their development pipelines outside of the central DevOps initiative.  Software development was optimized for speed – aka “quantity” – and security was an afterthought. 

On the upside, Maski saw pockets of advanced knowledge and CI/CD implementations. A significant CI/CD platform was already in the works. Most importantly, there was a huge appetite among executives for making quick and extensive progress.

“In an organization the size of AT&T, you can’t make meaningful progress without the support of executive leadership,” Maski said. “It is absolutely critical to drive the necessary cultural changes.”

With this backing, he set out to connect with partner organizations, working collectively towards the seemingly impossible goal to secure AT&T’s entire application landscape. Spoiler alert: When Maski recently left AT&T, they were very close to completing this goal.

Integrating Security into the CI/CD Pipeline

If you are coming from the security side of the house and are in charge of application security, it really pays off to truly understand your organization’s development tools and how pipelines are set up. Not only will you be able to speak your engineering team’s language, you will be better suited to advise them on how to integrate security testing solutions.

Most of application security can and should be automated, with the exception of what’s at the very beginning and the very end of the process. Threat modeling is still a manual process that relies on human understanding of the architecture, even if there are tools that help visualize and document this process. Likewise, penetration testing is a final litmus test at the end of the development process that should be carried out on any critical application before it is deployed into production.

In the middle are various automated testing solutions that should be run automatically to regularly provide feedback on security defects. Static analysis tests the application code for a broad range of security flaws, and it can be fully automated into both the IDE and the CI process. In the IDE, it provides early security guidance and education to software engineers while they are coding by highlighting potential vulnerabilities and suggesting best practices. Veracode has found that integrating SAST in this early stage in the process has helped organizations to reduce newly introduced flaws by 60 percent.

However, guidance at this stage is not mandatory and is mostly suitable to removing flaws in newly written code. To ensure a more structured feedback and compliance process, static analysis should be integrated into the SDLC. Typically, development teams would scan as part of their CI process, either on a code commit or a pull request, and get security defects flagged through the ticketing system. They will do this scan in a “sandbox,” so that results do not get escalated to the security team. Finally, for high security applications, we recommend doing a scan on the full scope of the application before each deployment to ensure that no security defects escape to production.

Software composition analysis looks at known vulnerabilities in open source libraries that are being used in the code. If you find such a vulnerability, the fix is usually upgrading to a different library version rather than fixing the open source code yourself. SCA often integrates with the SDLC in the same places as static analysis.

Dynamic analysis is a third way of looking for vulnerabilities in software and is typically applied to web applications. Unlike static analysis, which looks at the application code, dynamic analysis interacts with the application via an instrumented browser that crawls and audits the application. While findings with other testing solutions overlap, there are several security issues that only dynamic analysis can detect, including server configuration errors. Dynamic analysis is typically run in the QA stage against a staging server and against the production server.

Five Tips for Getting Traction with Your DevSecOps Initiative

With many lessons learned during his DevSecOps initiative at AT&T, Maski shared his five recommendations for getting traction with your own program:

  1. Partner with stakeholders: Identify, collaborate, and align with your partners, especially in software development. You have to understand their world and respect their point of view for your program to be successful.
  2. Pick the right metrics: Know your metrics before you jumpstart the program. Talk upfront with your sponsors and partners on what success means to them and agree on metrics.
  3. Don’t boil the ocean: Go “Agile.” Pick pilot applications to secure, so that you can learn from the process and expand to the next group of applications. Keep note of what you learn along the way to improve the program over time.
  4. Run an internal campaign: Communicate effectively to raise awareness about the importance of AppSec to the business. Tie AppSec to the mission of the company. Use your communication to educate DevOps team members about AppSec to help strengthen their expertise.
  5. Demonstrate progress: To ensure continued executive support for your program, regularly report your program’s progress through the metrics you picked. Tailor your progress reports to the audience; for example, your senior leadership will want to see different metrics than your engineering partners.

Key Learnings from AT&T’s DevSecOps Program

Maski left the audience with three key learnings from running his program:

  • Strong Executive Leadership is key to driving the necessary cultural changes – and to secure the required budget.
  • If getting your program started quickly is a requirement, use services built on a robust platform. That way you can focus on onboarding applications rather than building and maintaining scanning infrastructure.
  • Build a strong team and have a flexible plan. Map out and communicate your plan with confidence. That doesn’t mean that your plan has to be perfect – learn and adjust as you go along. Set bold goals to drive progress.

Veracode was and is a cornerstone of AT&T’s AppSec strategy. If you’d like to learn how to build an AppSec program in your organization, download The Ultimate Guide to Getting Started With Application Security.

Klaytn Will Onboard Cloudbric Following Mainnet Launch

The internet giant KakaoTalk launched its blockchain platform, Klaytn, on June 27, 2019. The mainnet launch was orchestrated by KakaoTalk’s blockchain arm, Ground X.

This marks a big occasion for both Klaytn and Cloudbric, which is a technology ISP (Initial Service Partner).

Klaytn has emphasized the importance of ISPs who provide substantial and tangible service use-cases for the blockchain ecosystem. Because the main focus of the company is on the Dapps (decentralized apps) that run on the blockchain, Cloudbric will launch a crypto security app within Q3.

The app will focus on protecting users when they use crypto apps or exchanges to transfer cryptocurrency. 

After its initial release, Cloudbric plans to add upgraded features and functions.

Please look forward to more details soon as we disrupt the crypto security market!

----

Cloudbric is already working to provide web security services to numerous cryptocurrency exchanges and blockchain projects. Known for our distinguished WAF, Cloudbric also recently released Threat DB, our free database of threat intelligence, this past May. The platform currently includes blacklisted (malicious) IPs, known hacker wallet addresses, and phishing URLs.

The data collected on the platform will be available via an API which allows businesses and developers to create their own security technologies. 

Crypto exchanges can also leverage the hacker wallet addresses to prevent unauthorized transactions on their platform.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Klaytn Will Onboard Cloudbric Following Mainnet Launch appeared first on Cloudbric.

How To Verify and Claim Your CLBK Token Bonuses

Hello Cloudbric CLB community,

The following guide is meant to help you claim your additional CLBK bonuses that you acquired during our Super Holders Event.

Klaytn’s wallet app is expected to be released in late August/early September following the launch of Klaytn’s main net (opened June 27) and will be available to all users. The Klaytn Wallet allows you to check the balance of KLAY and KLAY compatible tokens like CLBK.

Thus, prior to the wallet’s release, and in time for our upcoming token swap with Klaytn, Cloudbric will distribute CLBK through Cloudbric Labs, our online hub of free web security resources and tools for the cybersecurity community.


Step 1: Sign up for membership on Cloudbric Labs using the same email you used to participate in the Super Holder Event

Check for your email here.

Step 2: Go to your dashboard and check the quantity of your CLBK tokens. 

Those who participated in the event using multiple wallet addresses but used the same email will be able to see their accumulated CLBK. 

Dashboard

Step 3: Following the release of Klaytn’s wallet, you will be able to enter a Klaytn wallet address into the Cloudbric Labs withdrawal feature to claim your CLBK.

More details about the token swap will soon be announced!


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post How To Verify and Claim Your CLBK Token Bonuses appeared first on Cloudbric.

Google Public DNS over HTTPS (DoH) supports RFC 8484 standard



Ever since we launched Google Public DNS in 2009, our priority has been the security of DNS resolution. In 2016, we launched a unique and innovative experimental service -- DNS over HTTPS, now known as DoH. Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 8.8.8.8) as regular DNS service, with lower latency from our edge PoPs throughout the world.

General availability of DoH includes full RFC 8484 support at a new URL path, and continued support for the JSON API launched in 2016. The new endpoints are:

  • https://dns.google/dns-query (RFC 8484 – GET and POST)
  • https://dns.google/resolve (JSON API – GET)
We are deprecating internet-draft DoH support on the /experimental URL path and DoH service from dns.google.com, and will turn down support for them in a few months.

With Google Public DNS, we’re committed to providing fast, private, and secure DNS resolution through both DoH and DNS over TLS (DoT). We plan to support the JSON API until there is a comparable standard for webapp-friendly DoH.


What the new DoH service means for developers

To use our DoH service, developers should configure their applications to use the new DoH endpoints and properly handle HTTP 4xx error and 3xx redirection status codes.
  • Applications should use dns.google instead of dns.google.com. Applications can query dns.google at well-known Google Public DNS addresses, without needing an extra DNS lookup.
  • Developers using the older /experimental internet-draft DoH API need to switch to the new /dns-query URL path and confirm full RFC 8484 compliance. The older API accepts queries using features from early drafts of the DoH standard that are rejected by the new API.
  • Developers using the JSON API can use two new GET parameters that can be used for DNS/DoH proxies or DNSSEC-aware applications.
Redirection of /experimental and dns.google.com

The /experimental API will be turned down in 30 days and HTTP requests for it will get an HTTP redirect to an equivalent https://dns.google/dns-query URI. Developers should make sure DoH applications handle HTTP redirects by retrying at the URI specified in the Location header.

Turning down the dns.google.com domain will take place in three stages.
  1. The first stage (in 45 days) will update the dns.google.com domain name to return 8.8.8.8 and other Google Public DNS anycast addresses, but continue to return DNS responses to queries sent to former addresses of dns.google.com. This will provide a transparent transition for most clients.
  2. The second stage (in 90 days) will return HTTP redirects to dns.google for queries sent to former addresses of dns.google.com.
  3. The final stage (in 12 months) will send HTTP redirects to dns.google for any queries sent to the anycast addresses using the dns.google.com domain.
We will post timelines for redirections on the public-dns-announce forum and on the DoH migration page. You can find further technical details in our DoH documentation, and if you have a question or problem with our DoH service, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!
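The three things the post asks DoH developers to get right (the RFC 8484 GET encoding at https://dns.google/dns-query, parsing the application/dns-message reply, and retrying at the Location header on a 3xx instead of treating a 4xx body as DNS data), as an added example that is not Google's code: the sample reply, the name example.com and the helper names are constructed for illustration, and the type table and timeout are my own choices.

```python
"""RFC 8484 DoH client pieces for the dns.google endpoints.

Added example, not Google's code. Builds the DNS wire-format query,
base64url-encodes it (padding stripped) for the GET form, and parses an
application/dns-message reply. SAMPLE_RESPONSE is a constructed reply so
the parser runs offline; doh_query() is the optional live request."""
import base64
import struct
import urllib.error
import urllib.request

DOH_ENDPOINT = "https://dns.google/dns-query"  # the new RFC 8484 path
DNS_MESSAGE = "application/dns-message"
QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}  # assumed subset for this example


def build_query(name: str, qtype: str = "A") -> bytes:
    """DNS query in RFC 1035 wire format: ID 0 (RFC 8484 recommends it so
    identical queries share HTTP caches), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(name: str, qtype: str = "A") -> str:
    """GET form: ?dns=<base64url of the wire query> with '=' padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{DOH_ENDPOINT}?dns={dns.decode('ascii')}"


def decode_dns_param(value: str) -> bytes:
    """Inverse of the GET encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata_as_text)]) from a wire reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


# Constructed reply: example.com A -> 192.0.2.1 (TEST-NET-1), TTL 300, RCODE 0.
SAMPLE_RESPONSE = (bytes.fromhex("000081800001000100000000")
                   + build_query("example.com")[12:]
                   + bytes.fromhex("c00c000100010000012c0004c0000201"))


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx to the caller so the retry is explicit


def doh_query(name: str, qtype: str = "A", max_redirects: int = 3):
    """Live GET against dns.google: retry at the Location header on 3xx (the
    /experimental and dns.google.com turndown redirects), raise on 4xx."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    url = doh_get_url(name, qtype)
    for _ in range(max_redirects + 1):
        req = urllib.request.Request(url, headers={"Accept": DNS_MESSAGE})
        try:
            with opener.open(req, timeout=5) as resp:
                ctype = resp.headers.get("Content-Type", "").split(";")[0]
                if ctype != DNS_MESSAGE:
                    raise ValueError(f"unexpected Content-Type {ctype!r}")
                return parse_response(resp.read())
        except urllib.error.HTTPError as err:
            if 300 <= err.code < 400 and err.headers.get("Location"):
                url = err.headers["Location"]
                continue
            raise  # 4xx/5xx: surface the real error rather than parsing the body
    raise RuntimeError("too many redirects")
```

Calling `doh_query("example.com")` performs the live lookup; `parse_response(SAMPLE_RESPONSE)` exercises the parser without network access.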

How McAfee’s Paternity Leave Helped My New Family

By: Guillaume, EMEA Retail Marketing Manager, Slough, U.K.

Becoming a parent is a daunting experience for anyone. The sheer amount of responsibilities can feel overwhelming and all consuming. For my husband and me, we spent an emotional and tiring 18 months working through the adoption process before becoming parents to two fully formed little humans seemingly overnight. Most parents get to know their children over a few years; we only had two weeks’ worth of introduction. In an instant, these two children and their care, happiness, security, dreams and hopes now rest firmly with us.

I feel incredibly grateful to work for a company that understands the value of family. Whether it was my colleagues checking in and celebrating our new arrivals, or the eight weeks of bonding leave that McAfee offers any new parent – including adoptive and same-sex couples. The paternity leave from McAfee really made a difference in getting to know our children and for them to get to know us. I can’t fathom how different the experience and early months would have been if I had to go back to work after two weeks. The extra time allowed us to get settled and establish good routines.

Overcoming Obstacles

That’s not to say the adoption process was easy. My husband and I knew we wanted to adopt in 2014 but didn’t officially start the process until 2017. After a grueling amount of paperwork came the emotional and time-consuming interview with the social worker. The questions challenged me and forced me to confront some of my own anxieties to ready myself for parenthood. We learned how important it is to be ready and open to re-shape who you are to bring forward the best version of yourself for your children.

And as a natural worrier, you can imagine how after having children, my anxieties skyrocketed — in addition to the concerns of any new parent, we have to think about protecting our children from homophobic attacks and prejudices. Our boys already had a tough start; I don’t want to make it tougher.

As an LGBTQ+ family, we get unspoken scrutiny from the world that already puts more pressure on us than on conventional families. We know how society says an LGBTQ+ family should celebrate Mother’s Day or Father’s Day. We notice the side looks from other parents. We know how we must conduct ourselves in public to be safe. We know we can’t go on holiday in certain countries.

As a gay man, I’ve had to work hard to create the family I have today. Growing up, gay marriage and adoption weren’t allowed, so I had come to terms with possibly never having a family of my own. Now, I’m able to play football in the park with my kids, tuck them into bed, or help with their homework – just like any other parent. This makes me feel that together, we can make a difference. We can advance equality and make the impossible, possible.

Feeling Included and Supported

I’ve worked for a number of technology companies, but McAfee is the first one that I can say, hand on heart, delivers on its commitment to inclusion. Upon my return, my colleagues have been great at giving me advice and asking how I’m doing. As an employee and a new father, I couldn’t feel more supported. It’s reassuring to have your company’s backing and I feel lucky to live in an era and country where I could get married and adopt children without discrimination or prejudice.

Allies Can Make a Difference

For me, it’s often the little things that make a big difference toward inclusion and acceptance. Three things I always encourage from allies to help us in our quest for equality, include:

  • Treat people with respect and as your equal (the golden rule – it’s simple and effective!)
  • Have an open mind and don’t be afraid of our differences – we have more in common than you think
  • Call out offensive or disrespectful talk – a simple “hey, that’s not cool” shows those ‘off the cuff’ comments aren’t tolerated

My family is no less different from any other. The worries and hopes for my children are the same as any parent. My struggles and questioning are the same as any father. And the love I feel for my children is the same as everybody else.

Interested in joining our team? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post How McAfee’s Paternity Leave Helped My New Family appeared first on McAfee Blogs.

Catch a Ride Via Wearable

More often than not, commuters and travelers alike want to get to their destination quickly and easily. The advent of wearable payments helps make this a reality, as passengers don’t have to pull out a wallet or phone to pay for entry. Adding to that, users are quickly adopting wearable technology that has this payment technology embedded, causing transportation systems to take notice and adopt corresponding technology as a result. Unfortunately, there’s a chance this rapid adoption may catch the eye of cybercriminals as well.

Just last month, the New York City Subway system introduced turnstiles that open with a simple wave of a wearable, like an Apple Watch or Fitbit. Wearables may provide convenience and ease, but they also provide an open door to cybercriminals. With more connections to secure, there are more vectors for vulnerabilities and potential cyberthreats. This is especially the case with wearables, which often don’t have security built-in from the start.

App developers and manufacturers are hard-pressed to keep up with innovation, so security isn’t always top of mind, which puts user data at risk. As one of the most valuable things cybercriminals can get ahold of, the data stored on wearables can be used for a variety of purposes. These threats include phishing, gaining access to online accounts, or transferring money illegally. While the possibility of these threats looms, the adoption of wearables shows no sign of slowing down, with an estimated 1.1 billion in use by 2022. This means developers, manufacturers, and users need to work together in order to keep these handy gadgets secure and cybercriminals out.

Both consumers and transport systems need to be cautious of how wearables can be used to help, or hinder, us in the near future. Rest assured, even if cybercriminals utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape. In the meantime, consider these tips to stay secure while traveling to your destination:

  • Always keep your software and apps up-to-date. It’s a best practice to update software and apps when prompted to help fix vulnerabilities when they’re found.
  • Add an extra layer of security. Since wearables connect to smartphones, if a wearable becomes infected, there is a good chance the connected smartphone will be impacted as well. Invest in comprehensive mobile security for your mobile devices to stay secure while on-the-go.
  • Clear your data cache. As previously mentioned, wearables hold a lot of data. Be sure to clear your cache every so often to ensure it doesn’t fall into the wrong hands.
  • Avoid storing critical information. Social Security Numbers (SSN), bank account numbers, and addresses do not need to be stored on your wearable. And if you’re making an online purchase, do so on a laptop with a secure connection.
  • Connect to public Wi-Fi with caution. Cybercriminals can use unsecured public Wi-Fi as a foothold into a wearable. If you need to connect to public Wi-Fi, use a virtual private network, or VPN, to stay secure.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Catch a Ride Via Wearable appeared first on McAfee Blogs.

The $1.5 Million Email

Ransomware has been around since the late 1980s, but in recent years, it has emerged as one of the largest financial threats facing the public and private sector alike. According to the U.S. Department of Homeland Security, ransomware is the fastest-growing malware threat—and according to a report by Recorded Future in May, more than 170 state and local governments have been the victims of ransomware attacks since 2013.

In addition to improved ransomware capabilities, such as military-grade encryption algorithms, two key factors have emboldened cybercriminals to launch such attacks: the rise of hard-to-trace cryptocurrency such as Bitcoin, and the tendency of unprepared targets to continue meeting scammers’ demands, even as these demands become increasingly audacious.

One such target was the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach, which recently paid a near-record 65 Bitcoins to a gang of hackers after a ransomware attack brought the city to a halt.

On May 29, a city employee opened an email containing a piece of malware, which quickly infected nearly every city computer network. With the municipal computer system held hostage, all operations were hobbled—everything from the city’s website, email server and VoIP phones to the water utility pump stations. 911 dispatchers were forced to take down caller information on paper, employees and vendors had to be paid with paper checks, utility payments could only be accepted by snail mail or in person, and police officers had to resort to digging through closets at headquarters to find paper traffic citation pads.

City leaders were told they could make all of these problems go away—if they simply complied with the ransomers’ demand to remit 65 bitcoin (roughly $600,000) in exchange for the decryption key.

While the city had originally decided not to pay the ransom—opting instead to invest $914,000 into purchasing hundreds of new desktop and laptop computers and other hardware in an attempt to circumvent the issue—these measures ultimately failed. Three weeks after the original attack, based on the advice of an outside security consulting firm, the city council met to discuss next steps—and unanimously decided, after just two minutes of discussion, to acquiesce. The total cost, including the unbudgeted-for hardware, the consultation, and of course, the ransom itself, amounted to more than $1.5 million. For a city of just 35,000 residents, the cost was staggering, even after insurance paid its percentage.

While Riviera Beach was among the latest targets, it certainly won’t be the last, or the largest—according to a 2018 Deloitte-NASCIO survey, nearly half of states lack a separate cybersecurity budget, and a majority allocate under 3% of IT budgets to cyberthreat prevention.

But with ransomware attacks continuing to unleash a post-internet world on any unsuspecting target at any time, many targets are finding that, as much as they thought they lacked the resources to prevent such attacks, they’re even less prepared for the aftermath. Once infected, they’re left with two unsavory options: Pay the ransom, knowing that there’s no guarantee the hackers will decrypt the systems or that they’ll be decrypted perfectly. And even if they are, there are still the moral implications: When governments pay such ransoms, they’re not only putting taxpayer dollars directly into the hands of criminals, they’re also encouraging future ransomware attacks. The alternative, of course, is to try to rebuild…often from the ground up.

While cyberinsurance policies can give the illusion of protection, this solution will likely become less viable as the frequency of attacks continues to rise and the amount demanded continues to skyrocket. The goal, then, becomes for companies, government entities and individuals to prepare for and prevent these attacks before they’re targeted. While large-scale legislative solutions, such as outlawing the payment of ransomware demands, may eventually offer some relief, here are some steps that companies, individuals and government entities can take right now to prevent being victims:

  1. Learn: Resources such as NoMoreRansom.org—an initiative created by the National High Tech Crime Unit of Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.
  2. Educate: When it comes to ransomware, knowing isn’t half the battle—it’s the entire battle. When millions of dollars hinge on your employees’ decision whether or not to open an email, organization-wide training on how to spot malicious emails and social engineering schemes may pay for itself many, many times over.
  3. Backup: There’s no reason to pay criminals to decrypt your data if you have access to a copy. Frequently back up essential data, ideally storing it both locally and on the cloud.
  4. Update: Always downloading the newest version of your operating system or apps helps you stay ahead of threats.
  5. Defend: Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected.

The post The $1.5 Million Email appeared first on McAfee Blogs.

Key Components to Consider When Kicking Off Your Veracode AppSec Program

I’ve been working as a Veracode security program manager since 2013, and have adopted AppSec best practices in those six years that contribute to successful AppSec programs. I started my journey here as a program manager and was fortunate enough to manage and lead some of Veracode’s largest and most complex customer programs. Today, I’m managing a team of program managers.

In this blog, I will walk through four key components to consider when kicking off your program with Veracode. These are all components I’ve implemented when managing large programs, and which have led to AppSec success by helping organizations understand what’s needed in order to have a successful, well-functioning application security program.  

Customer Engagement

The first component is Veracode customer engagement. You might be thinking, “of course, this is a given,” but in some cases I’ve seen (more so in the past), it’s not. The No. 1 roadblock with the customers I’ve seen struggle has been lack of engagement. An established security team (on the client side) who can act as the liaison between the development organization and Veracode is very important. In some cases, increasingly so with the DevSecOps push, dev management is involved as well.

When I first began my journey with Veracode, security didn’t exist at many organizations, so an engaged team also didn’t exist. Today, when I go on-site and meet with my customers, I frequently thank them. I thank them for their dedication and engagement level, because without the primary, day-to-day contacts, it would be more difficult to get the necessary traction. At Veracode, we say it’s a team effort. Customers identifying teams that are willing and eager to work with their Veracode contacts is the No. 1 step toward success. This is also a team or individual who can act as a Veracode advocate, work with the Veracode SPM to tackle Veracode initiatives, and be an internal presence that helps drive and motivate, making security No. 1 so that our clients’ customers are confident they’re using secure products and applications.

Cross-Functional Communication

My second on the list is cross-functional communication. It is imperative for a program to have cross-functional communication between the security team and main teams involved, including executives and the development organization. Communicating policy mandates, remediation plans, and automation plans across all functions, including developers and DevOps teams, early on in the program, is going to put a program ahead. Understanding what the best communication method is in order to circulate important plans across teams, whether it’s through email or a newsletter, and who should be delivering it, should be well thought out. Veracode Program Management acts as an extension of our customers’ teams and, therefore, can help with messaging and delivery.  

Ultimately, communication will prevent confusion and promote awareness, which is important to the health of a program. When a developer is introduced to security scanning requirements or remediation plans later in the development lifecycle, it can affect release dates. The team will be in a much better position if they know early on what they’re responsible for and when, and any consequences if they do not incorporate security into their SDLC.

Application Inventory

Next is application inventory, which is another major component. This is a list of your organization’s high-risk applications that are most critical to the business and could impact company brand or reputation if breached, OR application inventory could be all applications in the organization. If you do not know this information early on, it could cause delays when kicking off a program.

We recommend companies scan all their applications. However, many organizations start their programs with a baseline of only their high-risk applications. If you fall into this category, having that list ready and sharing it with your Veracode Security Program Manager will keep everyone in alignment. Your SPM will provide a list of the important information needed when gathering application inventory information, and prior to setting up application profiles in the Veracode platform.

Program Strategy

Finally, once you’ve identified your team, have a communication plan in place, and have created an application inventory, the next step is to map out program strategy. This is where your Veracode SPM will have a discovery session with you and your team to discuss the future of the program, and obtain key information to ensure success. He or she will also review the critical activities that need to take place in the security program to keep it on track. Additionally, the SPM will review measurable metrics with you and discuss what the key metrics are to the organization/teams in order to track program success down the road. The SPM will handle the operational effort to get you there and report back regularly to ensure that you are achieving your organizational goals through those metrics.

The SPM will ask several questions to help develop and kick off your program, including:

  • Details about your SDLC environment, development tools, and systems the development teams are using. This is imperative as the push to shift left and toward DevSecOps is a major focus for many organizations today. The end goal is to fully automate your application security program, because automating and integrating security into your CI/CD pipeline will make for a seamless program that will save you and your developers time and money.
  • Identifying development teams and setting onboarding schedules. Training users on how to use the Veracode platform will help immensely with developer adoption and awareness. Veracode provides training and always offers flexible schedules to accommodate developers globally.
  • Establishing a remediation process and workflow. The end goal is to bring down those very high and high flaws to get you closer to being compliant with your organization’s policies and standards.

Lastly, we will have discussions around automation and integration into your CI/CD pipeline. As mentioned, this will save time for developers by streamlining the scanning process through automation and having them consume Veracode scan results in their environment, rather than manually running scans and reviewing results in the UI.

Whether you’re an existing customer or potential customer, if all of these items are checked off at the beginning, then you will be on the right path to kick-starting a robust application security program that everyone at your organization will be on board with.

Learn More

Get more details on maturing your application security program in our guide, Everything You Need to Know About Maturing Your Application Security Program.

And you can always get valuable tips and advice on managing AppSec from other Veracode customers in our Community.

Endpoint’s Role in Enterprise Data Protection

Data is a big deal. As the foundation of a modern-day business, data drives organizations’ everyday operations. It provides insights, indicates trends, and informs business decisions. This means securing an organization’s data is of the utmost importance, especially when it comes to defending against attacks emerging out of today’s threat landscape. And though standards have been published to protect customer data and data context, these rules are still incomplete and imperfect, given that any published best practice that works for organizations also gives an attacker a known target to bypass. Let’s examine some key threats that compromise enterprise data, and the role endpoint security plays in safeguarding that information.

Means to an End

For many cybercriminals, data is the end goal and endpoint devices are the avenue for getting there. Whether it’s through a compromised app, credential theft, malware, ransomware, or a phishing attack – cyberattacks are consistently testing enterprises in an attempt to find a weakness. That’s because the endpoint acts as the ultimate gateway to critical enterprise data. If compromised, it could cause ripple effects on an organization’s day-to-day functions, causing downtime or a longer attack dwell time, permitting cybercriminals to harvest more sensitive data.

The good news? Doors work both ways. Just as endpoints can create gateways to important data, they can also stop cybercrime in its tracks, if properly secured.

Keeping the Door Locked

The best option for safeguarding your data is securing it at the start – the endpoint. By implementing agile and adaptive endpoint security on every device in your organization, enterprises can ensure data stays locked down. The key is leveraging endpoint solutions that go beyond traditional deterministic security features such as anti-malware and include predictive technology like artificial intelligence (AI) and machine learning (ML). This type of technology can quickly sift through security incidents in order to identify the real threats posed to endpoint devices, which helps security teams automatically reduce the time required to address threats. Security teams should also ensure they leverage endpoint security solutions that provide increased, centralized visibility into all of their organization’s devices. This kind of visibility is crucial not only for rapid detection, but also to ensure user behavior is being tracked and policies are being enforced.

Security teams aiming to stop modern-day cyberthreats at the start should adopt security solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint, which have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices. To add to that, teams should also leverage solutions such as McAfee DLP Endpoint, which empowers IT staff with increased visibility, giving them knowledge of what all their users are doing at all times. With this kind of technology in play, enterprise data won’t be anyone else’s business other than the organization it belongs to.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Endpoint’s Role in Enterprise Data Protection appeared first on McAfee Blogs.

Veracode to showcase DevSecOps solutions at inaugural AWS re:Inforce

Developers and security professionals from around the world are descending on Boston this week to attend the first AWS security conference, re:Inforce, for what promises to be one of the most exciting events in recent memory in the industry.

As a pioneer of application security that is helping educate both security and dev teams in building more secure code, Veracode is proud to be a platinum sponsor of AWS re:Inforce here in Boston, a world-renowned hub of cybersecurity innovation.

With so many security conferences taking place throughout the year around the world, and with more companies entering the market and crowding niches, it can have a dizzying effect for companies buying security solutions.

What makes AWS re:Inforce different?

Companies seeking to change the world are using software to push entire industries forward with new advancements, better insights and greater efficiencies. At the same time, new threat vectors appear, and new languages and frameworks change how we create software, causing cyberattacks to evolve and become more sophisticated. The security of software is just as critical as the function of the software itself. But, if the software you are developing or buying is insecure, you can’t achieve your vision – no matter how important or innovative it is.

Two movements that are allowing innovation and security to evolve in harmony – the shift to cloud-native solutions and the evolution of DevSecOps – will be on full display at AWS re:Inforce. That’s because we’ve moved from a world where applications were only run in the cloud to one where they are written and live in the cloud throughout their lifecycle. As a result, we are experiencing a dramatic increase in scan frequency and our customers are adopting application security practices earlier in their continuous integration pipeline. More frequent, incremental scans in the SDLC – a pillar of DevSecOps – allow companies to fix flaws more than 11 times more quickly than the typical organization. Fundamentally, when a company’s applications are more secure and their development teams are not slowed down by security, they achieve a competitive advantage.

Veracode is evolving its SaaS architecture by leveraging the power of AWS to better meet increased demand for DevSecOps practices from customers. Development teams are looking for fast, accurate application security tools integrated directly into their CI/CD work cycles. Veracode processes an average of more than 400,000 scans per month for customers around the world, and companies expect fast scan times and the ability to rapidly scale their volume of scanning given that developers scan at every code check-in. Veracode’s combination of technology, expertise, and services backed by AWS cloud services helps organizations more effectively find and fix the vulnerabilities in their software.

Veracode has also achieved Advanced Technology Partner Status in the AWS Partner Network (APN). This achievement is the highest tier within the AWS Partner Network. It recognizes a rigorous qualification process that includes AWS technical certification and validation with a wide range of customer references. The technical certification included an extensive review of the Veracode architecture leveraging AWS services against AWS published best practices and benchmarks for security, scalability and availability.

At AWS re:Inforce, attendees can visit the Veracode booth (#813) to learn more about the company’s application security testing platform, get a Veracode t-shirt and participate in an interactive experience designed to test developers’ secure programming knowledge.

On the evening of Tuesday, June 25, Veracode is hosting a “Conquer the Cloud” afterparty at City Tap House in Boston. Securing the cloud takes a tribe of AppSec heroes, and we’d love your tribe to meet ours over beers, games, and live music during AWS re:Inforce. Take a moment to register here.

Finally, don’t miss a presentation at re:Inforce by John Maski, Veracode Application Security Consultant and former director of DevSecOps at AT&T, titled “Integrating AppSec Into Your DevSecOps on AWS.” John will describe securing CI/CD pipelines in enterprise environments and “shifting left” with security. This talk is taking place at 10:15 am, Wed., June 26 in the Solutions Theater.

RDP Security Explained

RDP on the Radar

Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “BlueKeep.” The blog highlights a particular vulnerability in RDP which Microsoft deemed critical because it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’: it can easily be coded to spread itself by reaching out to other accessible networked hosts, similar to the famous EternalBlue exploit of 2017. This seems particularly relevant when (at the time of writing) 3,865,098 instances of port 3389 are showing as open on Shodan.

Prior to this, RDP was already on our radar. Last July, McAfee ATR did a deep dive on Remote Desktop Protocol (RDP) marketplaces and described the sheer ease with which cybercriminals can obtain access to a large variety of computer systems, some of which are very sensitive. One of the methods of RDP misuse that we discussed was how it could aid deploying a targeted ransomware campaign. At that time one of the most prolific targeted ransomware groups was SamSam. To gain an initial foothold on its victims’ networks, SamSam would often rely on weakly protected RDP access. From its RDP launchpad, it would proceed to move laterally through a victim’s network, successfully exploiting and discovering additional weaknesses, for instance in a company’s Active Directory (AD).

In November 2018, the FBI and the Justice department indicted two Iranian men for developing and spreading the SamSam ransomware extorting hospitals, municipalities and public institutions, causing over $30 million in losses. Unfortunately, this did not stop other cybercriminals from using similar tactics, techniques and procedures (TTPs).

The sheer number of vulnerable systems in the wild makes it a target-rich environment for cybercriminals.

In the beginning of 2019 we dedicated several blogs to the Ryuk ransomware family that has been using RDP as an initial entry vector. Even though RDP misuse has been around for many years, it does seem to have gained an increased popularity amongst criminals focused on targeted ransomware.

Recent statistics showed that RDP is the most dominant attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.

Source: Coveware Q1 statistics

Securing RDP

Given the dire circumstances highlighted above it is wise to question if externally accessible RDP is an absolute necessity for any organization. It is also wise to consider how to better secure RDP if you are absolutely reliant on it. The good news is there are several easy steps that help an organization to better secure RDP access.

That is why, in this blog, we will use the adversarial knowledge from the McAfee ATR red team to explain what easy measures can be undertaken to harden RDP access.

These recommendations are additional to standard system hygiene, which should be carried out for all systems (and becomes more important for Internet-connected hosts), such as keeping all software up to date. We intentionally avoid ‘security through obscurity’ items such as changing the RDP port number.

Do not allow RDP connections over the open Internet

To be very clear… RDP should never be open to the Internet. The internet is continuously being scanned for open port 3389 (the default RDP port). Even with a complex password policy and multi-factor authentication you can be vulnerable to denial of service and user account lockout. A much safer alternative is to use a Virtual Private Network (VPN). A VPN will allow a remote user to securely access their corporate network without exposing their computer to the entire Internet. The connection is mutually encrypted, providing authentication for both client and server, preferably using a dual factor, while creating a secure tunnel to the corporate network. As you only have access to the network you will still need to RDP to the computer but can do so more securely without exposing it to the internet.

Use Complex Passwords

An often-used alternative expansion of RDP is “Really Dumb Passwords.” That short phrase encapsulates the number one vulnerability of RDP systems: attackers simply scan the internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as ForcerX, NLBrute, Hydra or RDP Forcer to gain access.

Using complex passwords will make brute-force RDP attacks harder to succeed.

Below are the top 15 passwords used on vulnerable RDP systems. We built this list from information on weak passwords shared by a friendly Law Enforcement Agency from taken-down RDP shops. What is most shocking is that such a large number of vulnerable RDP systems did not even have a password.

The top 15 passwords used on vulnerable RDP systems

[no password]
123456
P@ssw0rd
123
Password1
1234
password
1
12345
Password123
admin
test
test123
Welcome1
scan

Use Multi-Factor Authentication

In addition to a complex password, it is best practice to use multi-factor authentication. Even with great care and diligence, a username and password can still be compromised. If legitimate credentials have been compromised, multi-factor authentication adds a further layer of protection by requiring the user to provide a security token, e.g. a code received by notification, or a biometric verification. Better yet, a FIDO-based authentication device can provide an extra factor which is not vulnerable to spoofing attacks in the way that other one-time-password (OTP) mechanisms are. This increases the difficulty for an unauthorized person to gain access to the computing device.

Use an RDP Gateway

Recent versions of Windows Server provide an RDP gateway server. This provides one external interface to many internal RDP endpoints, thus simplifying management, including many of the items outlined in the following recommendations: logging, TLS certificates, authentication to the end device without actually exposing it to the Internet, authorization to internal hosts, user restrictions, etc.

Microsoft provides detailed instructions for configuring a Remote Desktop Gateway server, using Windows Server 2008 R2 as an example, here.

Lock out users and block or timeout IPs that have too many failed logon attempts

A high number of failed logon attempts is a strong indication of a brute force attack. Limiting the number of logon attempts per user can prevent such attacks. A failed logon attempt is logged under Windows Event ID 4625. An RDP logon falls under logon type 10, RemoteInteractive. The account lockout threshold can be specified in the local group policy under security settings: Account Policies.

For logging purposes, it is best to log both failed and successful logons. Additionally, it is important to note that the “specific security layer for RDP connections” setting needs to be enabled. Otherwise, you will be unable to tell that the logon attempt came over RDP, or to see the source IP address. A comparison is shown below.

Event log, network logon (type 3): note that no source network address is shown.

Event log, RDP logon (type 10): note that the source network address is present.
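The two recommendations above (count failed RDP logons per source, and make sure the source address is actually recorded) can be checked mechanically once the Security log is exported as XML. The following script is an added example and not McAfee's code. It parses constructed, trimmed-down Event ID 4625/4624 records (the real XML shape, but only the fields the check needs), flags any source IP that produces a burst of failed type-10 (RemoteInteractive) logons, notes whether a successful RDP logon followed the burst, and counts the type-3 failures whose source address is blank, which is exactly what you are left with when the RDP security layer is not enforced. The threshold and window values are assumptions; align them with your account lockout policy.

```python
"""Flag RDP brute-force activity in exported Windows Security events.

Added example (not McAfee's code). The events below are constructed and
trimmed to the handful of Event ID 4624/4625 fields this check needs;
real events carry many more, but the XML shape (namespace, System and
EventData sections) is the real one.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = "10"      # RemoteInteractive: carries the client's source address
NETWORK_LOGON_TYPE = "3"   # what RDP failures look like without the TLS security layer


def make_event(event_id, when, user, logon_type, ip):
    """Build a constructed, trimmed-down 4624/4625 event in Windows event XML."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Constructed sample: a password-spray burst from one address that ends in a
# successful logon, one isolated failure, and two type-3 failures whose source
# address is missing ("-") because the RDP security layer was not enforced.
SAMPLE_EVENTS = [
    make_event(4625, "2019-06-10T08:00:01Z", "administrator", "10", "203.0.113.7"),
    make_event(4625, "2019-06-10T08:00:09Z", "admin", "10", "203.0.113.7"),
    make_event(4625, "2019-06-10T08:00:17Z", "test", "10", "203.0.113.7"),
    make_event(4625, "2019-06-10T08:00:25Z", "scan", "10", "203.0.113.7"),
    make_event(4625, "2019-06-10T08:00:33Z", "administrator", "10", "203.0.113.7"),
    make_event(4624, "2019-06-10T08:00:41Z", "administrator", "10", "203.0.113.7"),
    make_event(4625, "2019-06-10T09:12:00Z", "jsmith", "10", "198.51.100.22"),
    make_event(4625, "2019-06-10T09:13:00Z", "jsmith", "3", "-"),
    make_event(4625, "2019-06-10T09:13:30Z", "jsmith", "3", "-"),
]


def parse_event(xml_text):
    """Return the fields this check uses as a flat dict."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]      # strip the XML namespace
        if name == "EventID":
            fields["event_id"] = int(el.text)
        elif name == "TimeCreated":
            fields["time"] = datetime.strptime(el.get("SystemTime"), "%Y-%m-%dT%H:%M:%SZ")
        elif name == "Data":
            fields[el.get("Name")] = el.text
    return fields


def find_rdp_bruteforce(xml_events, threshold=5, window=timedelta(minutes=10)):
    """Return (alerts, unattributed).

    alerts maps a source IP to details when it produced `threshold` or more
    failed RDP (type 10) logons inside `window`; unattributed counts failures
    that could not be tied to a source address (type 3 with IpAddress "-").
    """
    events = sorted((parse_event(e) for e in xml_events), key=lambda e: e["time"])
    failures = defaultdict(list)   # ip -> failed RDP logons, in time order
    successes = defaultdict(list)  # ip -> times of successful RDP logons
    unattributed = 0
    for ev in events:
        if ev["event_id"] == FAILED_LOGON:
            if ev["LogonType"] == RDP_LOGON_TYPE and ev["IpAddress"] != "-":
                failures[ev["IpAddress"]].append(ev)
            elif ev["LogonType"] == NETWORK_LOGON_TYPE:
                unattributed += 1
        elif ev["event_id"] == SUCCESSFUL_LOGON and ev["LogonType"] == RDP_LOGON_TYPE:
            successes[ev["IpAddress"]].append(ev["time"])

    alerts = {}
    for ip, evs in failures.items():
        # Sliding window: any run of `threshold` consecutive failures within `window`?
        for i in range(len(evs) - threshold + 1):
            first, last = evs[i]["time"], evs[i + threshold - 1]["time"]
            if last - first <= window:
                alerts[ip] = {
                    "failures": len(evs),
                    "users": sorted({e["TargetUserName"] for e in evs}),
                    # a success after the burst means the guessing likely worked
                    "success_after": any(t > last for t in successes[ip]),
                }
                break
    return alerts, unattributed


if __name__ == "__main__":
    found, blind = find_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failed RDP logons against {info['users']}, "
              f"success afterwards: {info['success_after']}")
    print(f"{blind} failures had no source address (type 3 logon)")
```

On the sample data the burst from 203.0.113.7 is flagged, together with the fact that it was followed by a successful logon, while the two type-3 failures are counted as unattributable: those are the events you cannot act on, and the reason the security layer setting matters for logging as much as for transport.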

Use a Firewall to restrict access

Firewall rules can be created to restrict Remote Desktop access so that only a specific IP address or range of IP addresses can reach a given device. This can be achieved by opening “Windows Firewall with Advanced Security,” clicking on Inbound Rules and scrolling down to the RDP rule. A screenshot can be seen below.

Firewall settings for inbound RDP connections 

Enable Restricted Admin Mode

When connecting to a remote machine via RDP, credentials are stored on that machine and may be retrievable by other users of the system (e.g. malicious attackers). Microsoft has added Restricted Admin mode, which instructs the RDP server not to store the credentials of users who log in. Behind the scenes, the server then uses a ‘network’ logon rather than an ‘interactive’ one, and therefore authenticates with hashes or Kerberos tickets rather than passwords. Assessing the pros and cons of this option is recommended before enabling it in your environment. On the negative side, the use of network logon exposes the possibility of credential reuse (pass-the-hash) attacks against the RDP server. Pass the hash is likely possible anyway internally, via other exposed ports, so it may not significantly increase exposure there; but when this option is enabled on Internet-facing servers, where other ports are likely (and should be!) restricted, pass the hash is then extended to the Internet. Given the pros and cons, avoiding internal escalation of privilege is often prioritized and therefore Restricted Admin mode is enabled.

Microsoft TechNet describes configuration and usage of Restricted Admin mode here.

Encryption

There are four levels of encryption supported by standard RDP: Low, Client Compatible, High, and FIPS Compliant. This is configured on the Remote Desktop server. This can be further improved upon by using Enhanced RDP Security. When Enhanced RDP security is used, encryption and server authentication are implemented by external security protocols, e.g. TLS or CredSSP. One of the key benefits of Enhanced RDP Security is that it enables the use of Network Level Authentication (NLA) when using CredSSP as the external security protocol.

Certificate management always adds complexity, but Microsoft provides for it through Active Directory Certificate Services (ADCS). Certificates can be pushed using Group Policy Objects (GPO) where this is available. Incompatible operating system environments must import certificates via the web interface exposed at https://<server>/Certsrv.

Enable Network Level Authentication (NLA)

To reduce the server resources required before a user is authenticated, and thereby mitigate denial of service attacks, Network Level Authentication (NLA) can be used. In this mode, strong authentication takes place before the remote desktop session is established, using the Credential Security Support Provider (CredSSP) over either TLS or Kerberos. NLA can also help protect against man-in-the-middle attacks in which credentials are intercepted. However, be aware that NLA over NTLM does not provide strong authentication and should be disabled in favor of NLA over TLS (with valid certificates).

Microsoft TechNet describes configuration and usage of NLA in Windows Server 2008 R2 here.

Interestingly, BlueKeep, mentioned above, is partially mitigated by having NLA enabled. As reported by Microsoft in the associated advisory “With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.”

Restrict users who can logon using RDP

All administrators can use RDP by default. Remote access should be limited to only the accounts that require it. If not all administrators need remote access, consider removing the Administrator account from the RDP access group. You can then add the specific users who require access to the “Remote Desktop Users” group. See here for more information on managing users in your RDS collection.

Minimize the Number of Local Administrator Accounts

Local administrator accounts provide an attack vector for attackers who gain access to a system. Credentials can be cracked offline, and more accounts mean a higher likelihood of a successful crack. Therefore, aim for at most one local administrator account, secured appropriately.

Ensure that Local Administrator Accounts are Unique

If the local administrator accounts match those assigned to their counterparts on other systems within the server’s internal network, the attacker can potentially re-use credentials to move laterally. This issue occurs quite frequently, so Microsoft provided Local Administrator Password Solution (LAPS) as a means to avoid this scenario across the organization with central management of unique local administrator credentials. This is particularly relevant for externally exposed systems.

Microsoft provides a download and usage information for LAPS here.

Limit Domain Administrator Account Access

Accounts within the Domain Admins group have full control of the domain by default, by virtue of being part of the Administrators group on all domain controllers, domain workstations and domain member servers. If a credential for a domain admin account is retrieved from the RDP server, the attacker now holds the ‘keys to the kingdom’ and is in full control of the entire domain. You should reduce the number of domain administrators within the organization in general, and avoid accessing the RDP server or other externally exposed systems with these accounts, so as not to inadvertently make their credentials accessible.

In general, ‘least privilege’ administration models should be used. Microsoft provides guidance in this area, including how best to use domain admin accounts, here.

Consider Placement Within the Network

Where possible, RDP servers should be placed within a DMZ or other restricted area of the network. The idea is that if an attack is successful, its scope is reduced and confined to the RDP server alone. RDP is often exposed specifically to allow external users onto the network, so this may not be feasible; it should nonetheless be considered, and the number of services reachable within the internal network should be minimized.

Consider using an account-naming convention that does not reveal organizational information

There are many options for account naming conventions, ranging from firstname.lastname to usernames not derived from name data at all, each with its pros and cons. However, some of the more commonly used conventions, such as firstname.lastname, make it very easy to guess usernames and email addresses. This is a security concern, as spammers and hackers will readily use this information.

Conclusion

When trying to run an efficient IT organization, having remote access to certain computer systems might be essential. Unfortunately, when not implemented correctly, the tools that make remote access possible also open your systems up to unwanted guests. In the last few years there have been far too many examples of where vulnerable RDP access gave way to a full-scale network compromise.

In this article we have shown that RDP access can be hardened with some easy steps. Please take the time to review your RDP security posture.

The post RDP Security Explained appeared first on McAfee Blogs.

How can UK Financial Services Organisations Combat the Cyber Threat?

Guest article by Genevra Champion, Sector Marketing Manager at IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information so clearly, a data breach could be disastrous for an industry that is built on trust with its customers.

The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face?

Mitigating the Cyber Threat
Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security.

Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cybercrime.

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared - scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate Defence Strategy
The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cybercrime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive. As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy.

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.

Conclusion
With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats.

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process.

Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer

If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?

Types of screen time

The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.

Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.

Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.

According to a Common Sense Media study, children ages 8 to 12, spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.

Here are a few ways to balance screen time and boost safety on YouTube this summer.

YouTube: 5 Family Talking Points

  • Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow — after all, these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
  • Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason because the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
  • Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
  • Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
  • Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:

  • Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
  • Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
  • Do you understand why we need to balance screen time this summer (mental and physical health)?
  • Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?

As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.

The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.

How organisations can effectively manage, detect and respond to a data breach?

Guest article by Andy Pearch, Head of IA Services at CORVID

78% of businesses cite cyber security as a high priority for their organisation’s senior management. Whilst it is encouraging that this figure has risen year on year, generating awareness of cyber security is only one part of the issue. The next step for organisations to take is not only understanding, but intelligently acting on the risks presented. Despite the heightened awareness, many organisations are still focusing on mitigating assumed risks, rather than real risks, without a robust security strategy in place.

Whilst perimeter security is a key part of any organisation’s security posture, the fact is that it cannot work in isolation. Data breaches are now commonplace and largely regarded as inevitable, and the rise of new technologies means that today’s threats have increased in sophistication. As Andy Pearch, Head of IA Services at CORVID, explains, safeguarding data integrity, confidentiality and availability should be fundamental to all cyber security strategies. After all, it is the speed with which a breach is detected and the effectiveness with which it is remediated that will provide the most value – this can be achieved with a strategic Managed Detection and Response solution.

Unidentified attacks
The Government’s Cyber Security Breaches Survey 2019 revealed that in the last 12 months alone, almost one third of UK businesses identified cyber security breaches or attacks. What’s more, the research also showed that just under half of these companies identified at least one breach or attack per month. While these figures should be enough to make a business refocus its strategic security thinking, it is the use of the word ‘identified’ that is significant: many more attacks could have occurred, but not yet been discovered.

Indeed, global figures reveal that the median dwell time – the time a criminal can be on a company’s network undetected – is over 100 days. And in many cases, the breach is not revealed by the security team itself; it is a call from a supplier, a customer or business partner that brings the problem to light, typically following the receipt of a diversion fraud email requesting, for example, that future payments should be sent to a different bank account.

These breaches not only have the ability to undermine business relationships, but in some cases, can also incur significant financial liability. These frauds usually follow one of two forms: either impersonation, where a criminal masquerades as the business using a very similar domain name and email address, or following a successful compromise, the email comes from the company’s own system. It is the latter case that raises the issue of liability for any financial losses a business partner may have suffered.

Asking the tough questions
Alongside phishing attacks, this approach to cyber attacks completely bypasses the traditional cyber security methods, such as anti-virus (AV) software and firewalls, upon which so many companies still rely. Indeed, while 80% of businesses cite phishing attacks as the cause of breach, 28% confirm the cause was the impersonation of an organisation in emails or online. Only 27% cite viruses, spyware or malware, including ransomware attacks, as the root cause of the breach.

Many companies still depend on perimeter security, and for those that do, it is time to ask some serious questions. Firstly, can you be 100% confident that your business has not been compromised? How would you know if the attacker has not used malware or a virus that would be picked up by the perimeter defences? Secondly, even when a compromise is identified, many companies aren’t sure what the next steps should be. If a supplier makes the call to reveal the business has been compromised, can you confidently identify where that occurred? What part of the business has been affected? What is the primary goal of the attack? Is the attacker only leveraging a compromised email system to defraud customers, or aiming to gain intellectual property or personal data?

The GDPR has demonstrated that the risk associated with a cyber attack is not only financial, as hackers are also actively seeking to access personal information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential for organisations to accept that protection is not a viable option given today’s threat landscape: a fundamental shift in security thinking is required. When hackers are using the same tactics and tools as genuine users, preventing these attacks is impossible. Rapid detection and remediation must be the priority.

Removing the burden
Managed Detection and Response (MDR) enables an organisation to spot the unusual activity that indicates a potential breach. For example, if a user is accessing files they would never usually open or view, sending unexpected emails or reaching out to a new domain, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to detect this activity but also the time and skills to analyse whether it is a breach or actually a false positive.
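The triage rule described above (a user touching files they never open, mailing unexpected recipients, or contacting a new domain) comes down to comparing recent activity with a per-user baseline and then asking whether the activity is new only for that user or new to the whole organisation. The following script is an added example and not CORVID's code or product; the telemetry records are constructed, and the (user, action, target) shape, the priority labels and the idea of using other users' history as an organisation-wide check are assumptions made for illustration.

```python
"""First-seen activity review, in the spirit of the MDR triage described above.

Added example, not CORVID's code. The records are constructed telemetry of
the form (user, action, target); a real deployment would draw them from
file-access, DNS and mail logs over a quiet baseline period.
"""
from collections import defaultdict

# Constructed baseline: what each user has been seen doing over a quiet period.
BASELINE = [
    ("alice", "file", r"\\fs01\finance\budget.xlsx"),
    ("alice", "dns", "mail.example.com"),
    ("alice", "mail_to", "accounts@partner.example"),
    ("bob", "file", r"\\fs01\hr\salaries.xlsx"),
    ("bob", "dns", "git.example.com"),
    ("carol", "dns", "git.example.com"),
]

# Constructed recent activity to triage.
RECENT = [
    ("alice", "file", r"\\fs01\hr\salaries.xlsx"),   # new for alice, but bob does this
    ("alice", "dns", "updates-cdn.invalid"),         # no user has ever contacted this host
    ("alice", "mail_to", "all-staff@example.com"),   # unexpected mass mail
    ("bob", "dns", "git.example.com"),               # routine, should not be reported
]


def build_baseline(records):
    """Map each user to the set of (action, target) pairs seen for them."""
    seen = defaultdict(set)
    for user, action, target in records:
        seen[user].add((action, target))
    return seen


def review_candidates(baseline, recent):
    """Return recent activity never seen for that user, with a review priority.

    'high' when no user in the baseline has done it either (novel to the
    organisation); 'medium' when it is merely new for this user.
    """
    findings = []
    for user, action, target in recent:
        if (action, target) in baseline.get(user, set()):
            continue  # within this user's normal behaviour
        seen_elsewhere = any((action, target) in pairs
                             for other, pairs in baseline.items() if other != user)
        findings.append({
            "user": user, "action": action, "target": target,
            "priority": "medium" if seen_elsewhere else "high",
        })
    return findings


if __name__ == "__main__":
    for f in review_candidates(build_baseline(BASELINE), RECENT):
        print(f"[{f['priority']}] {f['user']}: {f['action']} -> {f['target']}")
```

Run against the sample, the routine git lookup is silently accepted, alice's access to the HR spreadsheet is queued for review at medium priority because a colleague legitimately works with it, and the unknown host plus the mass mail are raised at high priority because nobody in the baseline has ever done either. The point is the second lookup: comparing against the whole organisation's history is what separates a job change from a compromised account worth a closer look.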

A managed approach not only takes the burden away from the business, but also enables every company to benefit from the pool of knowledge gathered by detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised assets – this can then either be remediated in-house, if preferred, or as part of the MDR service.

Information relating to the mode of attack is also collected. This timely, actionable intelligence is immediately applied to the MDR service, creating either a prevention or detection technique to minimise the chance of this approach succeeding again. Because of this, the speed with which attacks can now be detected is compelling: whilst the average dwell time has continued to decrease in recent years, it is now entirely possible for unknown malware to be detected and nullified within the hour.

Reflect and act
The threat landscape is continuously evolving – it’s important for organisations to recognise this and match security strategies to the true level of risk. What’s more, whilst the increased commitment to security at a Board level is encouraged, organisations cannot equate expenditure with effectiveness.

Organisations must reflect and consider not only the consequences of data loss, but of integrity and availability too. Security strategies can no longer rely on users not making mistakes; when a breach occurs, an organisation must know what happened.

Security strategies cannot afford to stand still. With the rise in phishing and diversion fraud, it is not enough for organisations to simply lock down the perimeter. Companies cannot prevent all attacks, but when a compromise occurs, it is essential to understand how, when and why the attack succeeded so the appropriate response can be determined, and learnings can be applied for the future. It is only with this process in place that organisations can safeguard their business, data and reputation.

Live From Gartner Security & Risk Mgmt Summit: Starting an AppSec Program, Part 2

This is part two of a two-part blog series on a presentation by Hooper Kincannon, Cyber Security Engineer at Unum Group, on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. In this presentation, Hooper provided a great blueprint for starting a DevSecOps program. In part one, I summarized how Hooper got buy-in for his program and his overall plan for the initiative. In this blog, we delve into the details.

Using Different Assessment Types for the Right Purpose

Hooper kindly shared his slides with us. Here is his helpful comparison of different assessment types, focusing on static analysis, dynamic analysis and manual penetration testing:

You have to make a choice which route you’d like to take. In Hooper’s case, he decided to build static and dynamic application security into the SDLC.

Dynamic and Static Analysis Workflow

For dynamic analysis testing, Hooper recommends the following workflow:

To make your DAST assessments successful, he recommended using a consistent scan duration, considering the various authentication mechanisms, and using the testing credentials only for testing.

For static analysis testing, he recommended the following workflow:

His recommendations for static analysis testing included being conscious of how you define applications, being aware of compilation instructions, and consistency of the process.

Understanding Remediation vs. Mitigation

After you have identified a vulnerability, you can address it in two different ways:

  • Remediation: Fixing the security defect by changing the code that contains the defect or making a configuration change. This eliminates the risk.
  • Mitigation: Implementing controls to make it less likely that the vulnerability is exploited. This reduces the risk but does not eliminate it because the vulnerability is still present in the code.

Working With Scanning Results

How you use your scan results can make or break your program. If you’re fortunate, you’ll scan your application and get back a low volume of flaws. If you’re unlucky, it may be the opposite.

Hooper’s biggest recommendation is not to panic: The overall goal is to reduce risk, and that won’t happen overnight. Take your time to digest the results and discuss how to best prioritize them. For example, consider fixing dynamic results first because they are easier to discover by an attacker. Decide what you accept as trusted sources, especially in the case of input validation, and have a process for handling exceptions, such as acceptable risk, mitigations, and false positives. Hooper recommends that you do a readout of the results with the stakeholders.

Picking the Right Metrics to Report On

Metrics are probably the most important deliverable coming out of your program. Security is a difficult metric to measure; reduction in risk is a bit easier.

Metrics that worked for Hooper are:

  • Flaw density
  • Risk reduced (vulnerability severity reduced)
  • Most common flaw types (use to guide education efforts)
  • Compliance over time
  • Onboarding time + other operation metrics

When presenting to the different stakeholders of the program, be aware of what each constituency is interested in – because it varies:

  • CISO + senior management: Profitability of the investment
  • Business leaders: Resource allocation
  • Development: Staying on top of flaws

Keeping a regular cadence is vital. Hooper has made these activities part of his program:

  • Monthly scorecards
  • Monthly executive dashboards
  • Annual reviews
  • Real-time dashboards for developers

Optimizing the Program in Year Two

One year after starting the program, Hooper had reached success with external high-risk applications. Next, he moved on to internal high-risk applications. In addition, he started to automate more and more of the program to make it repeatable and easier to manage. For most organizations, he recommends starting out with automation from day one, but even if you start out manually, you’re taking a step in the right direction.

Here is a picture of how Unum Group integrates Veracode into their SDLC:

For More Information

If you’re interested in starting your own application security program, read our take on Everything You Need To Know About Getting Application Security Buy-In.

Live From Gartner Security & Risk Mgmt Summit: Starting a Web Application Security Program

Bootstrapping an application security program is hard. Technology is only one part of the equation. You need to inventory your applications, get stakeholders on board, and then execute on the holy trinity of people, process, and technology. That’s why I was excited to see Hooper Kincannon, Cyber Security Engineer at Unum Group, present on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. Hooper provided a great blueprint for starting a DevSecOps program.

Sixty Vulnerabilities Are Reported Every Day, 27 Percent Are Never Fixed

Hooper began his presentation by outlining the current state of both software and software security. He points out that while software is changing the world, it is also fundamentally flawed from a security perspective.

He points to some highlights from a study by Risk Based Security:

  • More than 22,000 vulnerabilities were disclosed in 2018 – that’s about 60 per day.
  • Almost a third of these (27%) were never fixed, so security professionals can’t just deploy a patch to improve their security posture.
  • Web-related vulnerabilities accounted for nearly half of all reported security flaws, and more than two thirds were related to insufficient or improper validation of input.
  • 33% received a severity rating of seven or above.
  • OWASP Top 10 still account for two-thirds of the reported vulnerabilities.

What can we do about it? We can develop a secure software development lifecycle and try to stem the flow of the vulnerabilities being published in the first place. This is becoming increasingly difficult because more lines of code are being written than ever before (111 billion lines of code in 2016, trending up).

Software Is Becoming Mission Critical: Making the Case for AppSec

So what if Alexa won’t work or my app crashes? Both would probably only be minor annoyances, but software is also impacting us on a much larger scale. Not too long ago, people would be lucky if they had only a two-minute warning that a tornado was coming. Today, weather monitoring and modeling software can predict the formation and path of a tornado with stunning accuracy. And better still they can send text messages to those in danger – providing precious minutes to find shelter.

Farming is being transformed by software as well. Software monitors the moisture levels in soil, and irrigation systems connected to these sensors release the optimal amount of water into the soil. This way, the crops have what they need to grow, and not a drop of water is wasted. There are technologies that monitor crop growth and health and even harvest crops. In other words, software is tackling world hunger. That’s something worth protecting.

When you want to demonstrate to your stakeholders why application security is important to your organization, go back to your company’s mission and ladder up your argument to this ultimate goal. Unum offers disability, life and financial protection to its customers. If your mission is to help people at their most vulnerable moments in life, you need to ensure that they don’t have to worry about their identity being stolen as the result of a data breach in addition to having to figure out medical payments. Making this connection with the core mission can really help tell a story of why application security is crucial to the business.

Starting Out With the Right Questions

Before you can dive head first into your DevSecOps program, you need to ask yourself the right questions:

  • Do you know your application portfolio?
  • Do you have web application security policies defined?
  • Who is responsible for the web application security program?
  • Who is going to fund the program?
  • What is your goal?

Only once you have answered these questions will you be able to find the right formula for your organization. Hooper laid out his program in the rest of the talk, but your organization may differ, so make sure that you ask these questions at the outset.

Building a DevSecOps Program from Scratch

Hooper started at Unum about three years ago as a member of their threat and vulnerability management team. At that point in time, they didn’t have a true web application security program, but they had a relationship with Veracode to assess their top-tier applications, and they were doing basic dynamic analysis with another vendor. At that point, Hooper was fortunate enough to get funding to help expand and mature the program. 

Unum’s primary goal was to reduce risk, so he set out to discover and rate the risk of all of their applications. He helped define security policies for all web applications, including expectations and remediation SLAs. They also decided that security should be responsible for the administration of the AppSec program, and development would cover remediation. 

Hooper chose to expand his relationship with Veracode, covering SAST, DAST, SCA, and eLearning. He also partnered with Veracode to provide live trainings for developers, and signed up for their program management and application security consulting services, which help onboard scrum teams and help developers fix security defects if they get stuck.

In a follow-up blog, we will delve into the details of Hooper’s AppSec program and his path to AppSec maturity.

Blocking DDoS Attacks Using Automation

Guest article by Adrian Taylor, Regional Vice President at A10 Networks

DDoS attacks can be catastrophic, but the right knowledge and tactics can drastically improve your chances of successfully mitigating attacks. In this article, we’ll explore the five ways, listed below, that automation can significantly improve response times during a DDoS attack while assessing the means to block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime, and downtime means money lost. The longer your systems are down, the more your profits will sink.

Let’s take a closer look at all the ways that automation can put time on your side during a DDoS attack. But first, let’s clarify just how much time an automated defence system can save.

Automated vs. Manual Response Time
Sure, automated DDoS defence is faster than manual DDoS defence, but by how much?

Founder and CEO of NimbusDDoS Andy Shoemaker recently conducted a study to find out. The results spoke volumes: automated DDoS defence improves attack response time five-fold.

The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes, a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

  • Instantly detect incoming attacks: Using the data it has collected during peace time, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers.
  • Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing center – no more manual BGP routing announcements of suspicious traffic.
  • Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic.
  • Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks.
  • Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone.
An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports you and your stakeholders can use for forensic analysis and for communicating with other stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems.

By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors can launch them.

Three key strategies to block DDoS attacks
While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asynchronous in nature: You can’t prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while protecting your users.

Each of the three methods listed below is known as a source-based DDoS mitigation strategy. Source-based strategies implement cause as a basis for choosing what traffic to block. The alternative of destination-based mitigation relies on traffic shaping to prevent the system from falling over.

While destination traffic shaping is effective in preserving system health from being overwhelmed during an attack, it is equally fraught with indiscriminate collateral damage to legitimate users.

Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.
  • Specifically, a defence system can analyse data rate or query rate across multiple characteristics (e.g. BPS, PPS, SYN-FIN ratio, session rate) to determine which traffic is legitimate and which is malicious, or it may identify bots or spoofed traffic by their inability to answer challenge questions.
Pattern recognition: A pattern recognition strategy uses machine learning to parse unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks in real time.
  • For example, DDoS attacks are initiated by a motivated attacker that leverages an orchestration platform providing the distributed weapons with instructions on how to flood the victim with unwanted traffic. The common command and control (C&C) and distributed attack exhibit patterns that can be leveraged as a causal blocking strategy.
Reputation: To utilise reputation as a source-based blocking strategy, a DDoS defence system will use threat intelligence provided by researchers of DDoS botnet IP addresses, in addition to tens of millions of exposed servers used in reflected amplification attacks.
  • The system will then use that intelligence to block any matching IP addresses during an attack.
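As an added illustration (not A10 Networks code), the tracking-deviation and reputation strategies above can be sketched as per-source triage: learn the mean and standard deviation of BPS, PPS and SYN-FIN ratio in peace time, then flag any source that deviates by more than three standard deviations or appears on a threat-intelligence blocklist. All traffic counters and the blocklist are constructed values.

```python
"""Source-based DDoS triage: 'tracking deviation' plus 'reputation'.

Constructed illustration, not A10 Networks code. All traffic counters and
the blocklist are made up (RFC 5737 documentation address ranges).
"""
from dataclasses import dataclass
from statistics import mean, pstdev

METRICS = ("bps", "pps", "syn_fin")


@dataclass(frozen=True)
class Sample:
    """Per-source counters for one measurement interval (constructed)."""
    src: str
    bps: float  # bits per second from this source
    pps: float  # packets per second from this source
    syn: int    # TCP SYNs seen in the interval
    fin: int    # TCP FINs seen in the interval

    def metric(self, name):
        if name == "syn_fin":
            # Completed connections send roughly one FIN per SYN; a SYN flood
            # sends many SYNs and almost no FINs. Guard the zero-FIN case.
            return self.syn / max(self.fin, 1)
        return float(getattr(self, name))


class Baseline:
    """Per-metric mean and standard deviation learned during peace time."""

    def __init__(self, peacetime):
        self.stats = {}
        for name in METRICS:
            values = [s.metric(name) for s in peacetime]
            self.stats[name] = (mean(values), pstdev(values))

    def zscore(self, sample, name):
        mu, sigma = self.stats[name]
        value = sample.metric(name)
        if sigma == 0.0:  # no variance observed: any change is a deviation
            return 0.0 if value == mu else float("inf")
        return (value - mu) / sigma


def classify(sample, baseline, blocklist, threshold=3.0):
    """Decide per *source* whether to block, returning (verdict, reasons).

    Reputation is checked first, then each metric gets a z-score test.
    Deciding per source keeps legitimate users flowing, unlike destination
    rate shaping, which throttles everyone alike.
    """
    reasons = []
    if sample.src in blocklist:
        reasons.append("reputation: source on threat-intel blocklist")
    for name in METRICS:
        z = baseline.zscore(sample, name)
        if z > threshold:
            reasons.append(f"deviation: {name} z={z:.1f}")
    return ("block" if reasons else "allow"), reasons


# Peace-time learning window: ordinary clients (constructed values).
PEACETIME = [
    Sample("192.0.2.1", 1000, 10, 10, 10),
    Sample("192.0.2.2", 1200, 12, 12, 10),
    Sample("192.0.2.3", 1100, 11, 8, 10),
    Sample("192.0.2.4", 900, 9, 10, 10),
    Sample("192.0.2.5", 1000, 10, 11, 10),
    Sample("192.0.2.6", 800, 8, 9, 10),
]

# Constructed threat-intel feed with one known botnet address.
BLOCKLIST = {"192.0.2.66"}

# Attack-time window (constructed): a legitimate client, a SYN flood whose
# volume is only mildly elevated, a volumetric flood, and a listed bot.
ATTACK_WINDOW = [
    Sample("192.0.2.10", 1150, 11, 11, 10),
    Sample("203.0.113.7", 1300, 13, 400, 2),
    Sample("198.51.100.9", 9000, 90, 90, 90),
    Sample("192.0.2.66", 1000, 10, 10, 10),
]


def triage(window, baseline, blocklist):
    """Classify every source in a window: returns src -> (verdict, reasons)."""
    return {s.src: classify(s, baseline, blocklist) for s in window}


def run_demo():
    return triage(ATTACK_WINDOW, Baseline(PEACETIME), BLOCKLIST)


if __name__ == "__main__":
    for src, (verdict, reasons) in run_demo().items():
        print(f"{src:14} {verdict:5} {'; '.join(reasons)}")
```

The SYN flood source is caught only by the SYN-FIN ratio, since its bit and packet rates sit within three standard deviations of the baseline; that is the point of tracking several characteristics rather than volume alone.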
Any of these three source-based DDoS mitigation strategies requires more computing capabilities than indiscriminate destination protection.

They do, however, have the significant advantage of being able to prevent legitimate users from being blocked, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.

Adrian Taylor, Regional Vice President at A10 Networks

Process Reimaging: A Cybercrook’s New Disguise for Malware

As of early 2019, Windows 10 is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging. Similar to process doppelganging and process hollowing, this technique evades security measures, but with greater ease since it doesn’t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.

Let’s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API, dubbed K32GetProcessImageFileName, allows endpoint security solutions, like Windows Defender, to verify whether an EXE file associated with a process contains malicious code. However, with process reimaging, a cybercriminal could subvert the security solution’s trust in the Windows operating system APIs to display inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misunderstands which file name or path it is looking at and can no longer tell if a process is trustworthy or not. By using this technique, cybercriminals can persist malicious processes executing on a user’s device without them even knowing it.

So, the next question is — what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:

  • Update your software. Microsoft has issued a partial fix that stops cybercriminals from exploiting file names to disguise malicious code, which helps address at least part of the issue for Windows Defender only. And while file paths are still viable for exploitation, it’s worth updating your software regularly to ensure you always have the latest security patches, as this is a solid practice to work into your cybersecurity routine.
  • Work with your endpoint security vendor. To help ensure you’re protected from this threat, contact your endpoint security provider to see if they protect against process reimaging.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Process Reimaging: A Cybercrook’s New Disguise for Malware appeared first on McAfee Blogs.

3 Tips Venmo Users Should Follow to Keep Their Transactions Secure

You’ve probably heard of Venmo, the quick and convenient peer-to-peer mobile payments app. From splitting the check when eating out with friends to dividing the cost of bills, Venmo is an incredibly easy way to share money. However, users’ comfort with the app can sometimes result in a few negligent security practices. In fact, computer science student Dan Salmon recently scraped seven million Venmo transactions to prove that users’ public activity can be easily obtained if they don’t have the right security settings flipped on. Let’s explore his findings.

By scraping the company’s developer API, Salmon was able to download millions of transactions across a six-month span. That means he was able to see who sent money to who, when they sent it, and why – just as long as the transaction was set to “public.” Mind you, Salmon’s download comes just a year after that of a German researcher, who downloaded over 200 million transactions from the public-by-default app last year.

These data scrapes, if anything, act as a demonstration. They prove to users just how crucial it is to set up online mobile payment apps with caution and care. Therefore, if you’re a Venmo or other mobile payment app user, make sure to follow these tips in order to keep your information secure:

  • Set your settings to “private” immediately. Only the sender and receiver should know about a monetary transaction in the works. So, whenever you go to send money on Venmo or any other mobile payment app, make sure the transaction is set to “private.” For Venmo users specifically, you can flip from “public” to “private” by just toggling the setting at the bottom right corner of main “Pay or Request” page.
  • Limit the amount of data you share. Just because something is designed to be social doesn’t mean it should become a treasure trove of personal data. No matter the type of transaction you’re making, always try to limit the amount of personal information you include in the corresponding message. That way, any potential cybercriminals out there won’t be able to learn about your spending habits.
  • Add on extra layers of security. Beyond flipping on the right in-app security settings, it’s important to take any extra precautions you can when it comes to protecting your financial data. Create complex logins to your mobile payment apps, participate in biometric options if available, and ensure your mobile device itself has a passcode as well. This will all help ensure no one has access to your money but you.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 3 Tips Venmo Users Should Follow to Keep Their Transactions Secure appeared first on McAfee Blogs.

Why Process Reimaging Matters

As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging. Admittedly, this technique probably lacks a catchy name, but be under no illusion the technique is significant and is worth paying very close attention to.

Plain and simple, the objective of malicious threat actors is to bypass endpoint security. It is this exact game of cat and mouse that the security industry has been playing with malware writers for years, and one that, quite frankly, will continue. This ongoing battle will shape the future of cyber, and drive innovation in attack techniques and the ways in which we defend against them. As part of this process it is crucial that we, the McAfee ATR team, continually identify techniques that could be used by malicious actors successfully. It is this work that has led to the identification of a technique we call Process Reimaging, which was successful in bypassing endpoint security solutions (ESSs). To be clear, our objective is to stay ahead of malicious actors in identifying evasion techniques, with the broader goal of providing a safer computing environment for all organizations.

This technique is detailed by Eoin in a comprehensive technical blog titled In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass. The following is a summary of the findings.

Process Reimaging targets non-EDR ESSs. It’s a post-exploitation technique, meaning it targets users who have already fallen victim, for example to a phishing or a drive-by-download attack, so that the process can execute undetected and dwell on an endpoint for a significant period of time. The Windows kernel exports functionality to support the user-mode components of ESSs, which they depend on for protection and detection capabilities. There are numerous APIs, such as K32GetProcessImageFileName, that allow the ESSs “to verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure.” Our research focused on this functionality: because the APIs return stale and inconsistent FILE_OBJECT paths, a malicious actor can potentially bypass the process attribute verification undertaken by the Windows Operating System. To be more precise, this allowed McAfee ATR to develop a proof-of-concept that was not detected by Windows Defender and will not be detected until a signature is created to block the file on disk before the process itself is created or a full scan is executed.

This technique succeeds because the ESS relies on the Windows operating system to verify the process attributes: the ESS naturally trusts a process whose file on disk is non-malicious, since it assumes the OS has identified the correct file on disk associated with that process for the ESS to scan.

Releasing details of the technique

With the public release of security research, there is always a significant risk that any released information can be utilized by adversaries for nefarious activities. The balance of security research versus irresponsible disclosure is an issue we continually wrestle with, and these findings are no different. In the process of conducting due diligence, we were able to identify the use of Process Doppelganging with Process Hollowing as its fallback defense evasion technique within the SynAck ransomware in 2018. Since the Process Doppelganging technique was weaponized within SynAck ransomware less than five months after its disclosure at Black Hat Europe in 2017, we can only assume that the Process Reimaging technique itself is, or rather will be, close to usage by threat actors to bypass detection.

The post Why Process Reimaging Matters appeared first on McAfee Blogs.

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

Process Reimaging Overview

The Windows Operating System has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts the ability of non-EDR (Endpoint Detection and Response) Endpoint Security Solutions (such as Microsoft Defender Realtime Protection) to detect the correct binaries loaded in malicious processes. This inconsistency has led McAfee’s Advanced Threat Research to develop a new post-exploitation evasion technique we call “Process Reimaging”. This technique is equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre ATT&CK Defense Evasion category; however, it is much easier to execute as it requires no code injection. While this bypass has been successfully tested against current versions of Microsoft Windows and Defender, it is highly likely that the bypass will work on any endpoint security vendor or product implementing the APIs discussed below.

The Windows Kernel, ntoskrnl.exe, exposes functionality through NTDLL.dll APIs to support User-mode components such as Endpoint Security Solution (ESS) services and processes. One such API is K32GetProcessImageFileName, which allows ESSs to verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure. The Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows operating system process attribute verification. We have developed a proof-of-concept which exploits this FILE_OBJECT location inconsistency by hiding the physical location of a process EXE.

The PoC allowed us to persist a malicious process (post exploitation) which does not get detected by Windows Defender.

The Process Reimaging technique cannot be detected by Windows Defender until it has a signature for the malicious file and blocks it on disk before process creation, or performs a full scan on the suspect machine post-compromise to detect the file on disk. In addition to Process Reimaging weaponization and protection recommendations, this blog includes a technical deep dive on reversing the Windows Kernel APIs for process attribute verification and Process Reimaging attack vectors. We use the SynAck ransomware as a case study to illustrate Process Reimaging’s impact relative to Process Hollowing and Doppelganging; this illustration does not relate to Windows Defender’s ability to detect Process Hollowing or Doppelganging but to the subverting of trust for process attribute verification.

Antivirus Scanner Detection Points

When an Antivirus scanner is active on a system, it will protect against infection by detecting running code which contains malicious content, and by detecting a malicious file at write time or load time.

The actual sequence for loading an image is as follows:

  1. FileCreate – the file is opened to be able to be mapped into memory.
  2. Section Create – the file is mapped into memory.
  3. Cleanup – the file handle is closed, leaving a kernel object which is used for PAGING_IO.
  4. ImageLoad – the file is loaded.
  5. CloseFile – the file is closed.

If the Antivirus scanner is active at the point of load, it can use any one of the above steps (1, 2 and 4) to protect the operating system against malicious code. If the virus scanner is not active when the image is loaded, or it does not contain definitions for the loaded file, it can query the operating system for information about which files make up the process and scan those files. Process Reimaging is a mechanism which circumvents virus scanning at step 4, or when the virus scanner either misses the launch of a process or has inadequate virus definitions at the point of loading.

There is currently no documented method to securely identify the underlying file associated with a running process on Windows.

This is due to Windows’ inability to retrieve the correct image file path from the NTDLL APIs. This can be shown to evade Defender (MsMpEng.exe/MpEngine.dll) where the file being executed is a “Potentially Unwanted Program” such as mimikatz.exe. If Defender is enabled during the launch of mimikatz, it detects at phase 1 or 2 correctly. If Defender is not enabled, or if the launched program is not recognized by its current signature files, then the file is allowed to launch. Once Defender is enabled, or the signatures are updated to include detection, Defender uses K32GetProcessImageFileName to identify the underlying file. If the process has been created using our Process Reimaging technique, then the running malware is no longer detected. Therefore, any security service auditing running programs will fail to identify the files associated with the running process.

Subverting Trust

The Mitre ATT&CK model specifies post-exploitation tactics and techniques used by adversaries, based on real-world observations for Windows, Linux and macOS Endpoints per figure 1 below.

Figure 1 – Mitre Enterprise ATT&CK

Once an adversary gains code execution on an endpoint, before lateral movement, they will seek to gain persistence, privilege escalation and defense evasion capabilities. They can achieve defense evasion using process manipulation techniques to get code executing in a trusted process. Process manipulation techniques have existed for a long time and evolved from Process Injection to Hollowing and Doppelganging with the objective of impersonating trusted processes. There are other Process manipulation techniques as documented by Mitre ATT&CK and Unprotect Project, but we will focus on Process Hollowing and Process Doppelganging. Process manipulation techniques exploit legitimate features of the Windows Operating System to impersonate trusted process executable binaries and generally require code injection.

ESSs place inherent trust in the Windows Operating System for capabilities such as digital signature validation and process attribute verification. As demonstrated by SpecterOps, ESSs’ trust in the Windows Operating System could be subverted for digital signature validation.

Similarly, Process Reimaging subverts an ESS’s trust in the Windows Operating System for process attribute verification.

When a process is trusted by an ESS, it is perceived to contain no malicious code and may also be trusted to call into the ESS trusted infrastructure.

McAfee ATR uses the Mitre ATT&CK framework to map adversarial techniques, such as defense evasion, with associated campaigns. This insight helps organizations understand adversaries’ behavior and evolution so that they can assess their security posture and respond appropriately to contain and eradicate attacks. McAfee ATR creates and shares Yara rules based on threat analysis to be consumed for protect and detect capabilities.

Process Manipulation Techniques (SynAck Ransomware)

McAfee Advanced Threat Research analyzed SynAck ransomware in 2018 and discovered it used Process Doppelganging with Process Hollowing as its fallback defense evasion technique. We use this malware to explain the Process Hollowing and Process Doppelganging techniques, so that they can be compared to Process Reimaging based on a real-world observation.

Process Manipulation defense evasion techniques continue to evolve. Process Doppelganging was publicly announced in 2017, requiring advancements in ESSs for protection and detection capabilities. Because process manipulation techniques generally exploit legitimate features of the Windows Operating system they can be difficult to defend against if the Antivirus scanner does not block prior to process launch.

Process Hollowing

“Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis.” (see figure 2 below)

Figure 2 – SynAck Ransomware Defense Evasion with Process Hollowing

Process Doppelganging

“Process Doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process Doppelgänging’s use of Windows Transactional NTFS (TxF) also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.” (see figure 3 below)

Figure 3 – SynAck Ransomware Defense Evasion with Doppelganging

Process Reimaging Weaponization

The Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows Operating System process attribute verification. This allows an adversary to persist a malicious process (post exploitation) by hiding the physical location of the process EXE (see figure 4 below).

Figure 4 – SynAck Ransomware Defense Evasion with Process Reimaging

Process Reimaging Technical Deep Dive

NtQueryInformationProcess retrieves all process information from fields of the EPROCESS structure in the kernel, and NtQueryVirtualMemory retrieves information from the Virtual Address Descriptors (VADs) field of the same EPROCESS structure.

The EPROCESS structure contains filename and path information at the following fields/offsets (see figure 5 below):

  • +0x3b8 SectionObject (filename and path)
  • +0x448 ImageFilePointer* (filename and path)
  • +0x450 ImageFileName (filename)
  • +0x468 SeAuditProcessCreationInfo (filename and path)

* this field is only present in Windows 10

Figure 5 – Code Complexity IDA Graph Displaying NtQueryInformationProcess Filename APIs within NTDLL

Kernel API NtQueryInformationProcess is consumed by the following kernelbase/NTDLL APIs:

  • K32GetModuleFileNameEx
  • K32GetProcessImageFileName
  • QueryFullProcessImageName

The VADs hold a pointer to FILE_OBJECT for all mapped images in the process, which contains the filename and filepath (see figure 6 below).

Kernel API NtQueryVirtualMemory is consumed by the following kernelbase/NTDLL API:

  • GetMappedFileName

Figure 6 – Code Complexity IDA Graph Displaying NtQueryVirtualMemory Filename API within NTDLL

Windows fails to update any of the above kernel structure fields when a FILE_OBJECT filepath is modified post-process creation. Windows does propagate FILE_OBJECT filename changes, but only to some of the above fields.

The VADs reflect any filename change for a loaded image after process creation, but they don’t reflect any rename of the filepath.

The EPROCESS fields also fail to reflect any renaming of the process filepath and only the ImageFilePointer field reflects a filename change.

As a result, the kernelbase/NTDLL APIs built on NtQueryInformationProcess and NtQueryVirtualMemory return incorrect process image file information when called by ESSs or other applications (see Table 1 below).

Table 1 – OS/Kernel version and API Matrix

Prerequisites for all Attack Vectors

Process Reimaging targets the post-exploitation phase, whereby a threat actor has already gained access to the target system. This is the same prerequisite of Process Hollowing or Doppelganging techniques within the Defense Evasion category of the Mitre ATT&CK framework.

Process Reimaging Attack Vectors

FILE_OBJECT Filepath Changes

Simply renaming the filepath of an executing process results in the Windows OS returning incorrect image location information for all APIs (see figure 7 below). This impacts all Windows OS versions at the time of testing.

Figure 7 FILE_OBJECT Filepath Changes – Filepath Changes Impact all Windows OS versions

FILE_OBJECT Filename Changes

Filename Change >= Windows 10

Simply renaming the filename of an executing process results in the Windows OS returning incorrect image information for the K32GetProcessImageFileName API (see figure 8.1.1 below). This has been confirmed to impact Windows 10 only.

Figure 8.1.1 FILE_OBJECT Filename Changes – Filename Changes impact Windows >= Windows 10

Per figure 8.1.2 below, GetModuleFileNameEx and QueryFullProcessImageName will get the correct filename changes due to a new EPROCESS field, ImageFilePointer, at offset 0x448. The instruction there (mov r12, [rbx+448h]) reads the ImageFilePointer from offset 0x448 into the EPROCESS structure.

Figure 8.1.2 NtQueryInformationProcess (Windows 10) – Windows 10 RS1 x64 ntoskrnl version 10.0.14393.0

Filename Change < Windows 10

Simply renaming the filename of an executing process results in the Windows OS returning incorrect image information for the K32GetProcessImageFileName, GetModuleFileNameEx and QueryFullProcessImageName APIs (see figure 8.2.1 below). This has been confirmed to impact Windows 7 and Windows 8.

Figure 8.2.1 FILE_OBJECT Filename Changes – Filename Changes Impact Windows < Windows 10

Per figure 8.2.2 below, GetModuleFileNameEx and QueryFullProcessImageName will get the incorrect filename (PsReferenceProcessFilePointer references EPROCESS offset 0x3b8, SectionObject).

Figure 8.2.2 NtQueryInformationProcess (Windows 7 and 8) – Windows 7 SP1 x64 ntoskrnl version 6.1.7601.17514

LoadLibrary FILE_OBJECT reuse

LoadLibrary FILE_OBJECT reuse leverages the fact that when LoadLibrary or CreateProcess is called on an EXE or DLL after a prior LoadLibrary and FreeLibrary of that same file, the process reuses the existing image FILE_OBJECT still in memory from the prior LoadLibrary.

Exact Sequence is:

  1. LoadLibrary (path\filename)
  2. FreeLibrary (path\filename)
  3. LoadLibrary (renamed path\filename) or CreateProcess (renamed path\filename)

This results in Windows creating a VAD entry in the process at step 3 above which reuses the same FILE_OBJECT, still in process memory, that was created at step 1. The VAD now holds incorrect filepath information for the file on disk, and therefore the GetMappedFileName API returns the incorrect location on disk for the image in question.

The following prerequisites are required to evade detection successfully:

  • The LoadLibrary or CreateProcess must use the exact same file on disk as the initial LoadLibrary
  • Filepath must be renamed (dropping the same file into a newly created path will not work)

The Process Reimaging technique can be used in two ways with the LoadLibrary FILE_OBJECT reuse attack vector:

  1. LoadLibrary (see figure 9 below)
    1. When an ESS or Application calls the GetMappedFileName API to retrieve a memory-mapped image file, Process Reimaging will cause the Windows OS to return the incorrect path. This impacts all Windows OS versions at the time of testing.

Figure 9 LoadLibrary FILE_OBJECT Reuse (LoadLibrary) – Process Reimaging Technique Using LoadLibrary Impacts all Windows OS Versions

  2. CreateProcess (see figure 10 below)
    1. When an ESS or Application calls the GetMappedFileName API to retrieve the process image file, Process Reimaging will cause the Windows OS to return the incorrect path. This impacts all Windows OS versions at the time of testing.

Figure 10 LoadLibrary FILE_OBJECT Reuse (CreateProcess) – Process Reimaging Technique using CreateProcess Impacts all Windows OS Versions

Process Manipulation Techniques Comparison

Windows Defender Process Reimaging Filepath Bypass Demo

This video simulates zero-day malware (a Mimikatz PUP sample) being dropped to disk and executed as the malicious process “phase1.exe”. Using the Process Reimaging filepath attack vector we demonstrate that even if Defender is updated with a signature for the malware on disk, it will not detect the running malicious process. Therefore, for non-EDR ESSs such as Defender Real-time Protection (used by consumers and also enterprises), the malicious process can dwell on a Windows machine until a reboot or until the machine receives a full scan after the signature update.

CVSS and Protection Recommendations

CVSS

If a product uses any of the APIs listed in Table 1 for the following use cases, then it is likely vulnerable:

  1. Process reputation of a remote process – any product using the APIs to determine if executing code is from a malicious file on disk

     CVSS score 5.0 (Medium) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N (same score as Doppelganging)

  2. Trust verification of a remote process – any product using the APIs to verify trust of a calling process

     CVSS score will be higher than 5.0; scoring specific to Endpoint Security Solution architecture

Protection Recommendations

McAfee Advanced Threat Research submitted Process Reimaging technique to Microsoft on June 5th, 2018. Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only. This update was only for Windows 10 and does not address the vulnerable APIs in Table 1 at the OS level; therefore, ESSs are still vulnerable to Process Reimaging. Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions.

New and existing process manipulation techniques which abuse legitimate Operating System features for defense evasion are difficult to prevent dynamically by monitoring specific API calls, as doing so can lead to false positives such as preventing legitimate processes from executing.

A process which has been manipulated by Process Reimaging will be trusted by the ESS unless it has been traced by EDR or a memory scan, which may provide deeper insight.

Mitigations recommended to Microsoft

  1. File System Synchronization (EPROCESS structures out of sync with the filesystem or File Control Block (FCB) structure)
    1. Allow the EPROCESS structure fields to reflect filepath changes, as is currently implemented for the filename in the VADs and the EPROCESS ImageFilePointer field.
    2. There are other EPROCESS fields which do not reflect changes to filenames and need to be updated, such as the field behind K32GetModuleFileNameEx on Windows 10 (served through the ImageFilePointer).
  2. API Usage (most APIs return file information as of process creation time)
    1. Defender (MpEngine.dll) currently uses K32GetProcessImageFileName to get the process image filename and path when it should be using K32GetModuleFileNameEx.
    2. Consolidate the duplicate APIs exposed on top of NtQueryInformationProcess to provide easier management and guidance to consumers that need to retrieve process filename information. For example, clearly state that GetMappedFileName should only be used for DLLs and not for the EXE backing a process.
    3. Differentiate in the API description whether the API is limited to retrieving the filename and path at process creation, or returns them in real time at the moment of the request.
  3. Filepath Locking
    1. Lock the filepath and filename, similar to the existing lock on file modification, while a process is executing to prevent modification.
    2. A standard user, at a minimum, should not be able to rename the binary path of its own executing process.
  4. Reuse of existing FILE_OBJECT with the LoadLibrary API (prevent Process Reimaging)
    1. LoadLibrary should verify that any existing FILE_OBJECT it reuses has the most up-to-date filepath at load time.
  5. Short-term mitigation: Defender should at least flag that it found malicious process activity but couldn’t find the associated malicious file on disk (right now it fails open, providing no notification of any potential threat found in memory or on disk).
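Mitigation item 5 above, and the API matrix in Table 1, both rest on the same observable: after reimaging, the image path Windows reports for a process is stale, so it either no longer exists on disk or disagrees with what another query path returns. The PowerShell audit below is an added example for defenders and administrators; it is not code from McAfee ATR or from the original post. It assumes that `Get-Process` (.NET `Process.MainModule`) and WMI `Win32_Process.ExecutablePath` both ultimately resolve through the kernelbase/NTDLL APIs listed in Table 1, so either can be stale, and that a "reported path missing from disk" or "two sources disagree" condition is worth escalating to a memory scan or EDR lookup rather than trusting the path. The function name `Get-StaleProcessImage` is this example's own.

```powershell
# Added illustration (not McAfee's code): audit running processes for reported image
# paths that no longer exist on disk, or that disagree between two query sources.
# A process whose on-disk path was renamed after launch (Process Reimaging, filepath
# attack vector) shows up here because the path Windows reports is stale.
function Get-StaleProcessImage {
    [CmdletBinding()]
    param(
        # Process IDs to audit; defaults to every process the caller can enumerate.
        [int[]] $Id = (Get-Process | Select-Object -ExpandProperty Id)
    )

    # Source 1: WMI Win32_Process.ExecutablePath, keyed by PID.
    # Source 2: Get-Process .Path (.NET Process.MainModule.FileName).
    # Assumption: both are backed by the Table 1 API family and can go stale,
    # but not necessarily together, which is why we compare them.
    $wmiPaths = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $wmiPaths[[int]$_.ProcessId] = $_.ExecutablePath }

    foreach ($procId in $Id) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        # MainModule access throws for protected/system processes and, from a
        # 32-bit host, for 64-bit targets; treat those as "no .NET path".
        $netPath = $null
        try { $netPath = $proc.Path } catch { }
        $wmiPath = $wmiPaths[$procId]

        # Nothing to check when neither source yields a path (System, Idle, etc.).
        if (-not $netPath -and -not $wmiPath) { continue }

        $findings = @()

        # Check 1: every reported path must still exist as a file on disk.
        foreach ($p in @($netPath, $wmiPath) | Where-Object { $_ }) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                $findings += "reported image '$p' does not exist on disk"
            }
        }

        # Check 2: the two sources must agree (case-insensitive compare, as paths are).
        if ($netPath -and $wmiPath -and ($netPath -ne $wmiPath)) {
            $findings += "sources disagree: '$netPath' vs '$wmiPath'"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                ProcessId  = $procId
                Name       = $proc.ProcessName
                DotNetPath = $netPath
                WmiPath    = $wmiPath
                Finding    = ($findings -join '; ')
            }
        }
    }
}

# Usage: run elevated so protected processes can be opened, then review each hit.
# A hit is a process whose image Windows cannot point at; hand it to a memory scan
# or EDR telemetry instead of treating the missing file as "nothing found".
Get-StaleProcessImage | Format-Table -AutoSize
```

The check is deliberately conservative: it never deletes or terminates anything, and a hit only means the reported path cannot be trusted. Legitimate cases produce hits too (an installer that replaces its own binary while running, a process started from removable media that was since ejected), so the output is triage input, not a verdict. The point it makes is the one in item 5: a running process with no locatable file on disk should fail closed into a notification, not silently pass.
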

Mitigation recommended to Endpoint Security Vendors

The FILE_OBJECT ID must be tracked from FileCreate, because the process has already closed its handle to the file by the time the image is loaded at ImageLoad.

This ID must be managed by the Endpoint Security Vendor so that it can be used to determine whether a process has been reimaged when performing process attribute verification.

The post In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass appeared first on McAfee Blogs.

Welcoming Cloudbric’s New CSO for Strategic Planning and Investor Relations

We’re excited to announce that Yujin (Gin) Hyeon has joined Cloudbric as Chief Strategic Officer (CSO).

As Cloudbric’s new CSO, Gin will be driving corporate strategy and investor relations to take the next big step forward. As a veteran of the tech industry, Gin’s experience with early stage companies from growth stage to IPOs will be pivotal for Cloudbric’s continued development. Given his track record, we are very excited to have him join our roster.

To give some background, Gin was a Co-Founder of Com2uS, one of the world’s first mobile gaming companies, which was established in 1996 and known for games like Summoners War: Sky Arena, Ace Fishing, Golf Star, and Tiny Farm.

His role was twofold, with one hand on the business side and the other on product development. On the business side, Gin was focused on acquiring funding for the team and expanding business overseas, including the opening of regional offices in London, Bangalore, Los Angeles and Singapore.

On the product development end, he helped the company achieve its strategic goals and advanced product development by co-developing the product lineup.

Some highlights while working with Com2uS include developing and negotiating contractual agreements with license holders, mobile telecommunications carriers, and other strategic partners, successfully completing agreements with 64 mobile telecommunications operators in 32 countries.

Notably, he also developed strategic partnerships with Samsung Electronics, Nokia, Motorola, Sony Ericsson, Siemens, Sun Microsystems, Qualcomm, and YAHOO.

It doesn’t end with just Com2uS!

Gin worked for INKA ENTWORKS, which specializes in security solutions and is known worldwide as one of the leading DRM (Digital Rights Management) technology companies.

With the launch of AppSealing, a software that prevents hacking for mobile applications, Gin, as Senior VP, oversaw the strategic and business plans for the solution all while implementing a China strategy before launching it into an incubation program.

He also worked for a company called ASCAN, a document management and record archiving company based in Korea that uses AI, serving as COO.

In between balancing both operating and strategic planning, Gin also helped acquire overseas funding for the company.

Beyond his experience in the tech industry, Gin has also accumulated over 15 years of experience in consulting and grant writing.

He has worked in consulting for companies like Fairways Consulting Services (a company focused on preparing businesses to enter the Indian market) and Brilliant Rise, a Hong Kong based company composed of former executives in the various fields of technology and internet to provide consulting services, project management, and merger & acquisition services.

Most recently, as the previous CSO of the Korean product design and development startup PiQuant, he oversaw the investor relations management aspect of the business and its strategic partnerships.

With his extensive experience in building company strategies across various industries and his huge investor network, we are excited to bring in Gin to the team as someone who can help us continue to grow.

Gin is joining the team at a time in which Cloudbric is seeing a 50% increase in the company’s workforce.

Welcome

환영합니다

स्वागत

Bienvenue Gin!

(Though a Korean national, Gin spent a total of 32 years in India. He speaks a total of five languages! English, Korean, Hindi, French, and Spanish).

Furthermore, as a company, we’re excited to continue growing into various industries as well.

Recently, Cloudbric began providing security services to cryptocurrency exchanges and blockchain businesses, and has now delved into the operation of blockchain wallet nodes, utilizing its know-how in cloud computing services like AWS and others.

We aim to build blockchain nodes in our existing data centers and servers around the world to grow this business.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Welcoming Cloudbric’s New CSO for Strategic Planning and Investor Relations appeared first on Cloudbric.

Live From Gartner Security & Risk Mgmt Summit: How to Approach Container Security

Container security is a topic most security practitioners still find confusing. It’s a new technology that’s spreading fast because of its numerous benefits, and its security implications and solutions are evolving just as fast.

That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about container security that I would like to share with you.

Divide and Conquer: Images, Orchestration, Runtime

After introducing the audience to all of the security challenges and attack vectors for containers, she broke down a container security program into three sections:

  • Securing container images
  • Securing the orchestration plane
  • Securing containers at runtime

Today, there’s no security vendor that helps with all three of these areas. Because Veracode focuses on application development security, we focus on securing container images, not the operational parts.

Inside the Sausage Factory: How the Docker Image is Made

A Docker container image is a lightweight, standalone, executable package of software that includes everything you need to run an application: code, runtime, system tools, system libraries and settings. Docker’s run command is what actually launches a container. Each container is an instance of an image, and multiple container instances of the same image can be run simultaneously. Docker containers are ephemeral: container deployments are in constant flux, and the average lifetime of a container is 30 minutes.

The Docker Hub registry is a repository for sharing container images from open source projects and from software vendors. These images are leveraged by developers – often introducing additional risk to the organization.

In her talk, Anna referenced a study of 3,802 official images on the Docker Hub that found a median of 127 vulnerabilities per image. Even more shocking: There were zero images that did not have any vulnerabilities.

Gartner’s Top Recommendations on Container Security

The talk closed with three recommendations:

  • Secure containers holistically by integrating controls at key steps in the CI/CD pipeline. Focusing solely on runtime controls – as you would for software installed on VMs – will leave you vulnerable at many points.
  • Use secrets management and software component analysis as primary container protection strategies. Add Layer 7 network segmentation for operational containers that require defense in depth.
  • Select vendors that can integrate with the container offerings of leading cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Veracode can help you with the first recommendation: Veracode Software Composition Analysis scans container images for vulnerabilities as part of your CI/CD pipeline to help you find vulnerabilities in the production image. If you’re interested in more information, read our blog post How Veracode Scans Docker Containers for Open Source Vulnerabilities.

Embracing the “Sec” in DevSecOps: How Veracode and AWS Work Together to Help You Build Secure Apps

Developers, like most builders, are creative critical thinkers who take pride in their work. Let’s focus on the word “builder” for a moment. During the industrial revolution, we saw a shift in manufacturing where time-consuming processes were made more efficient through automation. With that, we also saw the concept of an assembly line and interchangeable parts transform businesses. The idea was to build as quickly as possible for less cost. Transpose this to software engineering and we see a similar trend: building software as quickly as possible, using components, and decreasing costs. Implicit in this is the direct correlation between the quality of the components and the quality of the final product. This begs the question: why then are developers selecting poor or insecure components to build their applications? I would argue that the intention to build stable and secure software has always existed, but there is a general lack of awareness and overall confusion about the best approach. We need only look at the latest headlines and read about Fortune 500 companies that have been victims of vulnerabilities despite their best efforts to ship software they thought to be secure. So, how does intent go beyond a mere idea and get put into design and practice to mitigate these concerns in the most comprehensive and reliable way possible?

Before we are able to answer that, it is important that we consider a few facts:

  1. Modern applications are complex and made up of various components.
  2. Open source has grown and has found its way into millions of applications across various industries spanning private, public, and even government sectors.
  3. Application security has traditionally been reactive and found later in the development life cycle.

Cloud adoption has made it easier for developers to be empowered to not only build their application, but also provision its supporting infrastructure. Take for example a fully-managed CI/CD pipeline on AWS comprised of AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild with container deployments to AWS Fargate. If you find yourself in a similar scenario or aspire to migrate to AWS to use these services, then which tools do you use, and how do you leverage those correctly to ensure that you are building secure applications? If you are using open source components, then how do you ensure that you are using the right versions of components, or find out where those are being downloaded from? These questions extend to your container images as well. Container images are often opaque in that they typically contain various layers, but it is not immediately clear what security vulnerabilities may be contained within each of those respectively. Are you including inspection of these into your automated workflows?

One of the more prominent blockers to applying security is the perception that doing so will undoubtedly hurt time to market. Developers are often under time constraints and are focused on building applications and releasing features as expeditiously as possible. Coupled with the complexity of modern architectures, the use of external components and the lack of prescriptive guidance on leveraging the right tools at the appropriate stage of the development life cycle, this exacerbates frustration, and the expected reaction is avoidance. In other words, we acknowledge the problem and vaguely understand there may be a way to resolve it, but we are not clear on how to accomplish that and decide it’s not worth the effort today; after all, there’s always tomorrow.

The truth is that this need not be as daunting as it may seem on the surface. The journey begins with understanding your process and gaining insights into your environment. If you don’t know where your vulnerabilities exist today, then how can you effectively solve them? Second, it’s about applying security at every stage of the process. There are several tools that address specific concerns and were built for specific audiences: Security teams, AppSec teams, Dev teams. Use them accordingly. For example, there is a place for static analysis (SAST), software composition analysis (SCA), dynamic analysis (DAST) testing and monitoring tools designed for finding security defects and completing the feedback loop. It’s critical to understand that you may build a secure application today, but can you quickly iterate and resolve for those vulnerabilities that have yet to be discovered before they negatively impact your business or your customers? These are considerations that are necessary for any business to survive in today’s competitive landscape. Sure, you need to ship features as quickly as possible, but you need to do so without compromising security.

This is where solutions such as those available today from Veracode are integral for any business. Veracode is a full-spectrum application security testing solution that begins with Veracode Greenlight in the developers’ IDE and spans the development lifecycle through to Veracode Manual Penetration Testing. Along the way, you are covered throughout the entire software development life cycle. From the moment developers begin writing code and pushing commits, Veracode Software Composition Analysis (SCA) identifies any open source vulnerability and provides crisp remediation guidance. Integrate Veracode Static Analysis (SAST) into your build and test tools and processes to quickly identify security flaws in your code. Lastly, Veracode Dynamic Analysis (DAST) in your release, deployment and operations process reduces your risk of a breach once your application goes live. These are easily integrated with AWS CodePipeline and CodeBuild to secure your fully managed CI/CD pipelines running in the AWS cloud.

As the complexity of modern applications continues to increase over the years, so too does introducing security into every stage of your development life cycle become a necessity. We live in a highly competitive world with a voracious appetite for innovation. It is critical for businesses to deliver quickly and satisfy customer demand, but equally critical to ensure and preserve customer trust. It is possible to do both without compromising one for the other, and the solutions exist today.

Learn more at AWS re:Inforce this month in Boston – Veracode will be at Booth 813, and speaking on Wednesday the 26th on “Integrating AppSec Into Your DevSecOps on AWS.”

Expanding Our Vision to Expand the Cybersecurity Workforce

I recently had the opportunity to testify before Congress on how the United States can grow and diversify the cyber talent pipeline. It’s great that members of Congress have this issue on their radar, but at the same time, it’s concerning that we’re still having these discussions. A recent (ISC)² study puts the global cybersecurity workforce shortage at 2.93 million. Solving this problem is challenging, but I offered some recommendations to the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.

Increase the NSF CyberCorps Scholarships for Service Program

The National Science Foundation (NSF) together with the Department of Homeland Security (DHS) designed a program to attract more college students to cybersecurity, and it’s working. Ten to 12 juniors and seniors at each of the approximately 70 participating institutions across the country receive free tuition for up to two years plus annual stipends. Once they’ve completed their cybersecurity coursework and an internship, they go to work for the federal government for the same amount of time they’ve been in the program. Afterwards, they’re free to remain federal employees or move elsewhere, yet fortunately, a good number of them choose to stay.

Congress needs to increase the funding for this program (which has been flat since 2017) from $55 million to at least $200 million. Today the scholarships are available at 70 land grant colleges. The program needs to be opened up to more universities and colleges across the country.

Expand CyberCorps Scholarships to Community Colleges

Community colleges attract a wide array of students – a fact that is good for the cybersecurity profession. Some community college attendees are recent high school graduates, but many are more mature, working adults or returning students looking for a career change or skills training. A strong security operation requires differing levels of skills, so having a flexible scholarship program at a community college could not only benefit graduates but also provide the profession with necessary skills.

Furthermore, not everyone in cybersecurity needs a four-year degree. In fact, they don’t need to have a traditional degree at all. Certificate programs provide valuable training, and as employers, we should change our hiring requirements to reflect that reality.

Foster Diversity of Thinking, Recruiting and Hiring

Cybersecurity is one of the greatest technical challenges of our time, and we need to be as creative as possible to meet it. In addition to continually advancing technology, we need to identify people from diverse backgrounds – and not just in the standard sense of the term. We need to diversify the talent pool in terms of race, ethnicity, gender and age, all of which lead to creating an inclusive team that will deliver better results. However, we also should seek out gamers, veterans, people working on technical certificates, and retirees from computing and other fields such as psychology, liberal arts as well as engineering. There is no one background required to be a cybersecurity professional. We absolutely need people with deep technical skills, but we also need teams with diverse perspectives, capabilities and levels of professional maturity.

Public-Private Sector Cross Pollination

We also must develop creative approaches to enabling the public and private sectors to share talent, particularly during significant cybersecurity events. We should design a mechanism for cyber professionals – particularly analysts or those who are training to become analysts – to move back and forth between the public and private sector so that government organizations would have a continual refresh of expertise. This type of cross-pollination would help everyone share best practices on technology, business processes and people management.

One way to accomplish this would be for DHS to partner with companies and other organizations such as universities to staff a cadre of cybersecurity professionals – operators, analysts and researchers – who are credentialed to move freely between public and private sector service. These professionals, particularly those in the private sector, could be on call to help an impacted entity and the government respond to a major attack in a timely way. Much like the National Guard, a flexible staffing approach to closing the skills gap could become a model of excellence.

We’re Walking the Talk

McAfee is proud to support the community to establish programs that provide skills to help build the STEM pipeline, fill related job openings, and close gender and diversity gaps. These programs include an Online Safety Program, onsite training programs and internships for high school students. Our employees also volunteer in schools to help educate students on both cybersecurity risks and opportunities. Through volunteer-run programs across the globe, McAfee has educated more than 500,000 children to date.

As part of McAfee’s new pilot Achievement & Excellence in STEM Scholarship program, we’ll make three awards of $10,000 for the 2019-2020 school year. Twelve students from each of the three partner schools will be invited to apply, in coordination with each partner institution’s respective college advisor. Target students are college-bound high school seniors with a demonstrated passion for STEM fields, who are seeking a future in a STEM-related path. This type of program can easily be replicated by other companies and used to support the growth and expansion of the workforce.

We’re Supporting Diversity

While we recognize there is still more to do in fostering diversity, we’re proud to describe the strides we’re making at McAfee. We believe we have a responsibility to our employees, customers and communities to ensure our workplace reflects the world in which we live. Having a diverse, inclusive workforce is the right thing to do, and after we became an independent, standalone cybersecurity company in 2017, we made and have kept this a priority.

The steps we’re taking include:

  • Achieving pay parity between women and men employees in April 2019, making us the first pureplay cybersecurity company to do so.
  • In 2018, 27.1% of all global hires were female and 13% of all U.S. hires were underrepresented minorities.
  • In June 2018, we launched our “Return to Workplace” program for men and women who have paused their career to raise children, care for loved ones or serve their country. The 12-week program offers the opportunity to reenter the tech space with the support and resources needed to successfully relaunch careers.
  • Last year, we established the Diversity & Culture Council, a volunteer-led global initiative focused on creating an infrastructure for the development and maintenance of an integrated strategy for diversity and workplace culture.
  • McAfee CEO Chris Young joined CEO Action for Diversity Inclusion, the largest group of CEOs and presidents committed to act on driving an inclusive workforce. By taking part in CEO Action, Young personally commits to advancing diversity and inclusion with the coalition’s three-pronged approach of fostering safe workplaces.

Looking to the Future

While I’d love to see a future where fewer cybersecurity professionals were needed, I know that for the foreseeable future, we’ll not only need great technology but also talented people. With that reality, we in the industry need to expand our vision and definition of what constitutes cybersecurity talent. The workforce shortage is such that we have to expand our concepts and hiring requirements. In addition, the discipline itself will benefit from a population that brings more experiences, skills and diversity to bear on a field that is constantly changing.

The post Expanding Our Vision to Expand the Cybersecurity Workforce appeared first on McAfee Blogs.

Helping organizations do more without collecting more data



We continually invest in new research to advance innovations that preserve individual privacy while enabling valuable insights from data. Earlier this year, we launched Password Checkup, a Chrome extension that helps users detect if a username and password they enter on a website has been compromised. It relies on a cryptographic protocol known as private set intersection (PSI) to match your login’s credentials against an encrypted database of over 4 billion credentials Google knows to be unsafe. At the same time, it ensures that no one – including Google – ever learns your actual credentials.

Today, we’re rolling out the open-source availability of Private Join and Compute, a new type of secure multi-party computation (MPC) that augments the core PSI protocol to help organizations work together with confidential data sets while raising the bar for privacy.


Collaborating with data in privacy-safe ways

Many important research, business, and social questions can be answered by combining data sets from independent parties where each party holds their own information about a set of shared identifiers (e.g. email addresses), some of which are common. But when you’re working with sensitive data, how can one party gain aggregated insights about the other party’s data without either of them learning any information about individuals in the datasets? That’s the exact challenge that Private Join and Compute helps solve.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate. All inputs (identifiers and their associated data) remain fully encrypted and unreadable throughout the process. Neither party ever reveals their raw data, but they can still answer the questions at hand using the output of the computation. This end result is the only thing that’s decrypted and shared in the form of aggregated statistics. For example, this could be a count, sum, or average of the data in both sets.


A deeper look at the technology 


Private Join and Compute combines two fundamental cryptographic techniques to protect individual data:

  • Private set intersection allows two parties to privately join their sets and discover the identifiers they have in common. We use an oblivious variant which only marks encrypted identifiers without learning any of the identifiers.
  • Homomorphic encryption allows certain types of computation to be performed directly on encrypted data without having to decrypt it first, which preserves the privacy of raw data. Throughout the process, individual identifiers and values remain concealed. For example, you can count how many identifiers are in the common set or compute the sum of values associated with marked encrypted identifiers – without learning anything about individuals. 

This combination of techniques ensures that nothing but the size of the joined set and the statistics (e.g. sum) of its associated values is revealed. Individual items are strongly encrypted with random keys throughout and are not available in raw form to the other party or anyone else.
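As an added illustration (not Google’s open-source code), the following Python sketch wires the two building blocks above into a three-round exchange: a commutative blinding step for the oblivious join, and an additively homomorphic (Paillier) sum over the marked ciphertexts. It assumes a toy group (exponentiation modulo 2^255-19 in place of the library’s elliptic curve), toy Paillier primes, and a split in which party B holds the decryption key while party A performs the join, so A sees only the count and B only the decrypted aggregate.

```python
"""Simplified Private Join and Compute: oblivious PSI + additively homomorphic sum.

Added teaching reconstruction of the two building blocks the post names, not
Google's implementation. Assumed simplifications: exponentiation modulo the
prime 2^255-19 stands in for an elliptic-curve group, and two small hard-coded
primes give a toy Paillier key. Neither choice is production-grade.
"""
import hashlib
import random
from math import gcd

P = (1 << 255) - 19   # prime modulus for the commutative blinding (toy group)


def hash_to_group(identifier: str) -> int:
    """Map an identifier such as an e-mail address to a non-zero group element."""
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_exponent() -> int:
    """Each party's secret blinding key."""
    return random.randrange(2, P - 1)


def blind(element: int, exponent: int) -> int:
    """Blinding commutes: blind(blind(h, a), b) == blind(blind(h, b), a)."""
    return pow(element, exponent, P)


def paillier_keygen(p: int = 1_000_000_007, q: int = 998_244_353):
    """Toy Paillier key from two known small primes; returns (n, (lam, mu))."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # valid because g = n + 1
    return n, (lam, mu)


def paillier_encrypt(n: int, m: int) -> int:
    """Enc(m) = (1+n)^m * r^n mod n^2; a fresh r makes every ciphertext distinct."""
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (1 + m * n) * pow(r, n, n * n) % (n * n)


def paillier_add(n: int, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts, with no decryption needed."""
    return c1 * c2 % (n * n)


def paillier_decrypt(n: int, sk, c: int) -> int:
    lam, mu = sk
    x = pow(c, lam, n * n)
    return ((x - 1) // n) * mu % n


def private_join_and_compute(client_ids, server_records):
    """Return (intersection size, sum of the server's values over it).

    Party A holds client_ids; party B holds server_records {identifier: value}.
    Everything that crosses the wire is blinded or Paillier-encrypted; only the
    count (seen by A) and the decrypted aggregate (seen by B) come out in clear.
    """
    a_key, b_key = new_exponent(), new_exponent()
    pk, sk = paillier_keygen()          # B generates the key; A gets only pk

    # Round 1 (A -> B): A's identifiers blinded under A's key, shuffled.
    a_blinded = [blind(hash_to_group(i), a_key) for i in client_ids]
    random.shuffle(a_blinded)

    # Round 2 (B -> A): B re-blinds A's items under its own key, and sends its
    # own identifiers blinded under B's key, each paired with its encrypted value.
    doubly_blinded = {blind(x, b_key) for x in a_blinded}
    b_items = [(blind(hash_to_group(i), b_key), paillier_encrypt(pk, v))
               for i, v in server_records.items()]
    random.shuffle(b_items)

    # Round 3 (A -> B): A finishes the double blinding of B's items, marks the
    # ones that collide with its own doubly-blinded set, and multiplies the
    # matching ciphertexts together. A holds no secret key, so it learns
    # nothing about any individual value.
    total = paillier_encrypt(pk, 0)     # Enc(0) also re-randomizes the result
    count = 0
    for blinded_id, enc_value in b_items:
        if blind(blinded_id, a_key) in doubly_blinded:
            total = paillier_add(pk, total, enc_value)
            count += 1

    # Output: B decrypts the single aggregate ciphertext.
    return count, paillier_decrypt(pk, sk, total)


if __name__ == "__main__":
    # Constructed sample data: A knows who saw an ad, B knows who bought what.
    ad_viewers = ["alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@example.com"]
    purchases = {"bob@example.com": 120, "carol@example.com": 80,
                 "erin@example.com": 500, "frank@example.com": 9}
    print(private_join_and_compute(ad_viewers, purchases))   # (2, 200)
```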

Watch this video or click to view the full infographic below on how Private Join and Compute works:

[Video/infographic: Private Join and Compute]

Using multi-party computation to solve real-world problems


Multi-party computation (MPC) is a field with a long history, but it has typically faced many hurdles to widespread adoption beyond academic communities. Common challenges include finding effective and efficient ways to tailor encryption techniques and tools to solve practical problems.

We’re committed to applying MPC and encryption technologies to more concrete, real-world issues at Google and beyond by making privacy technology more widely available. We are exploring a number of potential use cases at Google across collaborative machine learning, user security, and aggregated ads measurement.

And this is just the beginning of what’s possible. This technology can help advance valuable research in a wide array of fields that require organizations to work together without revealing anything about individuals represented in the data. For example:

  • Public policy - if a government implements new wellness initiatives in public schools (e.g. better lunch options and physical education curriculums), what are the long-term health outcomes for impacted students?
  • Diversity and inclusion - when industries create new programs to close gender and racial pay gaps, how does this impact compensation across companies by demographic?
  • Healthcare - when a new preventative drug is prescribed to patients across the country, does it reduce the incidence of disease? 
  • Car safety standards - when auto manufacturers add more advanced safety features to vehicles, does it coincide with a decrease in reported car accidents?

Private Join and Compute keeps individual information safe while allowing organizations to accurately compute and draw useful insights from aggregate statistics. By sharing the technology more widely, we hope this expands the use cases for secure computing. To learn more about the research and methodology behind Private Join and Compute, read the full paper and access the open source code and documentation. We’re excited to see how other organizations will advance MPC and cryptography to answer important questions while upholding individual privacy.


Acknowledgements


Product Manager - Nirdhar Khazanie
Software Engineers - Mihaela Ion, Benjamin Kreuter, Erhan Nergiz, Quan Nguyen, and Karn Seth
Research Scientist - Mariana Raykova


Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area.

20 percent of users will never change behavior, no matter how well you train

Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words, the problem with trainings is that “awareness” does not automatically result in secure behavior: About 20 percent of learners are never going to do the right thing, no matter how much you train them.

Let’s think this through for a moment: 80 percent of your audience will follow your advice to some extent, so you will get an improvement, but 20 percent will not change their behavior. Most security professionals aim to reward users who follow security process but are reluctant to punish the ones who don’t because they don’t want to be the bad guys. Even if they are prepared to go through with punitive actions, it may be counter to corporate culture (and generally not a good teaching practice).

Education is good, but it must be coupled with technical controls

This means that while security awareness does improve your security posture, you still need technical controls in place to mitigate the rest. In the case of DevSecOps, this translates into a combination of secure coding trainings and automated application security testing. The training will reduce vulnerabilities being introduced into the code, which reduces the cost of your DevSecOps program because security defects that never enter the code are understandably much cheaper than those found in production. The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.

At Veracode, we offer courses to teach the fundamentals of secure coding, both as eLearning and live sessions. With Veracode Greenlight, we provide instant feedback on code security as developers are typing code in their IDE. And we provide feedback via ticketing systems and a security gate as part of Veracode Static Analysis. If developers get stuck fixing a vulnerability, they can book our application security consultants for a coaching session to help fix their security defect.

Learn more about Veracode’s Developer Training.

Application Security Beyond Static Analysis

There is no application security “silver bullet” – it takes a combination of testing types to effectively reduce your risk. Each testing method has a different role to play and works best when used in harmony with others.

For instance, our research showed that there are significant differences in the types of vulnerabilities you discover dynamically at runtime compared to those you’ll find when doing static testing in a non-runtime environment. In fact, two of the top five vulnerability categories we found during dynamic testing weren’t even among the top five found by static, with one not found by static at all.

Add to this the fact that applications are increasingly “assembled” from open source components, rather than developed from scratch, which means software composition analysis is an important part of your testing mix. Neglecting to assess and keep track of the open source components you are using would leave a large portion of your code exposed and leave you open to attack. 

And finally, automation alone is not enough to ensure an application is thoroughly tested from a security perspective. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human to be in the loop to exploit and verify the vulnerability. Only manual penetration testing can provide positive identification and manual validation of these vulnerabilities.

Here's an overview of the different types of vulnerabilities found by different testing types:

Capability                                             | Static analysis  | Software composition analysis | Dynamic analysis | Manual penetration testing
-------------------------------------------------------|------------------|-------------------------------|------------------|---------------------------
Flaws in custom web apps (CWEs)                        | X                |                               | X                | X
Flaws in custom non-web apps (CWEs)                    | X                |                               |                  | X
Flaws in custom mobile apps (CWEs)                     | X                |                               |                  | X
Known vulnerabilities in open source components (CVEs) |                  | X                             |                  | X (1)
Behavioral issues (CWEs)                               | X (2)            |                               |                  | X
Configuration errors (CWEs)                            |                  |                               | X                | X
Business logic flaws (CWEs)                            |                  |                               |                  | X
Repeatable process for automation                      | X                | X                             | X                |
Scalable to all corporate applications                 | X                | X                             | X                |
Scan speed                                             | Seconds to hours | Seconds to minutes            | Hours            | Days to weeks
Cost per scan                                          | $                | $                             | $                | $$

(1) Penetration testing can find known vulnerabilities in open source components, but this may not be as rigorous as Veracode Software Composition Analysis, which not only systematically flags CVEs but also crawls commit histories and bug tracking tickets in open source projects to identify silent fixes of security issues.

(2) This is not true for all static analyzers. Veracode can exercise the code and manipulate the UI for behavioral analysis in mobile applications.

Here’s a summary of when to use each testing type:

Static analysis (with entire application in scope)

Advantages:
  • Very broad coverage of flaw types (CWEs)
  • Looks at the flaws in the context of the entire application, analyzing all the data paths
  • Can scan any type of application, including web, mobile, desktop, or microservices
  • Scanning frequency should be in line with how often developers can review scan results
  • Use static analysis as part of the Continuous Delivery pipeline and file security issues in the bug tracking system
  • Can track flaw history (new, open, fixed), which is important for trending reports on mean time to remediation
  • Suitable for compliance purposes

Limitations:
  • Does not provide instant feedback to developers as they’re coding
  • Cannot find CWEs related to server configurations
  • Limited to code that developers can remediate
  • Does not report vulnerabilities in third-party components (see SCA)

Static analysis (on file level, e.g., Greenlight)

Advantages:
  • Recommended for development teams who want to shift left in application security testing by scanning early and often; scans usually complete in seconds
  • Best suited when scanning multiple times per day
  • Recommended for use by developers working on new code, for continuous flaw feedback and remediation guidance
  • Developer friendliness: enhances learning and allows developers to find and address issues without exposing flaws in reports

Limitations:
  • Scans individual files, so can only detect vulnerabilities where source and sink are in the same file
  • Typically not suited for compliance scanning because scope limitations may cause false negatives
  • Does not report vulnerabilities in third-party components

Dynamic analysis

Advantages:
  • Scans web applications without having to integrate with the SDLC
  • Ability to scan in pre-production and production
  • Suitable for compliance purposes

Limitations:
  • Scan times are often between 12 and 24 hours for complex applications, so recommended for overnight or asynchronous scanning

Software composition analysis

Advantages:
  • Finds vulnerabilities in third-party components
  • Scans take seconds or minutes
  • Can scan any type of application, including web, mobile, desktop, or microservices
  • Suitable for compliance purposes

Limitations:
  • Does not find flaws in first-party code

For more details, check out our new guide, Application Security Best Practices.

New Chrome Protections from Deception


Chrome was built with security in mind from the very beginning. Today we’re launching two new features to help protect users from deceptive websites. The Suspicious Site Reporter Extension will improve security for Chrome users by giving power users an easy way to report suspicious sites to Google Safe Browsing. We’re also launching a new warning to protect users from sites with deceptive URLs.

We designed Chrome to be secure by default, and easy to use by everyone. Google Safe Browsing has helped protect Chrome users from phishing attacks for over 10 years, and now helps protect more than 4 billion devices every day across multiple browsers and apps by showing warnings to people before they visit dangerous sites or download dangerous files. We’re constantly improving Safe Browsing, and now you can help.

Safe Browsing works by automatically analyzing the websites that we know about through Google Search’s web crawlers, and creating lists of sites that are dangerous or deceptive. With the Suspicious Site Reporter extension, you can help Safe Browsing protect web users by reporting suspicious sites. You can install the extension to start seeing an icon when you’re on a potentially suspicious site, and more information about why the site might be suspicious. By clicking the icon, you’re now able to report unsafe sites to Safe Browsing for further evaluation. If the site is added to Safe Browsing’s lists, you’ll not only protect Chrome users, but users of other browsers and across the entire web.


Help us protect web users by reporting dangerous or deceptive sites to Google Safe Browsing through the Suspicious Site Reporter extension.

One way that deceptive sites might try to trick you is by using a confusing URL. For example, it’s easy to confuse “go0gle.com” with “google.com”. In Chrome 75, we’re launching a new warning to direct users away from sites that have confusing URLs.


Starting in the current version of Chrome (75), you’ll see a warning when the page URL might be confused for URLs of sites you’ve visited recently.

This new warning works by comparing the URL of the page you’re currently on to URLs of pages you’ve recently visited. If the URL looks similar, and might cause you to be confused or deceived, we’ll show a warning that helps you get back to safety.
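As an added illustration of the comparison described above (a toy heuristic written for this page, not Chrome’s implementation), the Python check below normalizes commonly confused characters and then allows a single-character typo when comparing the current site against sites visited recently. The confusable table, the last-two-labels approximation of a registrable domain, and the MIN_LABEL_LEN threshold are assumptions of the demo.

```python
"""Lookalike-URL check in the spirit of the Chrome 75 warning.

Added illustrative heuristic, not Chrome's algorithm. Assumptions: the
CONFUSABLES table, the last-two-labels approximation of a registrable domain
(no public suffix list), and the MIN_LABEL_LEN threshold are all constructed
for this demo.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed table of look-alike substitutions seen in deceptive hostnames.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}
MIN_LABEL_LEN = 5   # skip typo matching for very short names to limit false alarms


def registrable(host: str) -> str:
    """Toy eTLD+1: keep only the last two labels (www.google.com -> google.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Normalize confusable characters so go0gle.com and google.com collide."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_warning(current_url: str, recent_urls: Iterable[str]) -> Optional[str]:
    """Return the recently visited site the current one imitates, or None."""
    current = registrable(urlsplit(current_url).hostname or "")
    recent = {registrable(urlsplit(u).hostname or "") for u in recent_urls}
    if not current or current in recent:
        return None                      # same site as one already visited
    current_skel = skeleton(current)
    for target in sorted(recent):
        target_skel = skeleton(target)
        if current_skel == target_skel:
            return target                # differs only by confusable characters
        if (len(target.split(".")[0]) >= MIN_LABEL_LEN
                and edit_distance(current_skel, target_skel) == 1):
            return target                # one typo away from a site visited recently
    return None


if __name__ == "__main__":
    # Constructed browsing history for the demo.
    history = ["https://www.google.com/search?q=x", "https://mail.google.com/",
               "https://github.com/login"]
    for url in ["https://go0gle.com/signin", "https://githuh.com/", "https://example.org/"]:
        print(url, "->", lookalike_warning(url, history))
```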

We believe that you shouldn't have to be a security expert to feel safe on the web, and that many Chrome power-users share our mission to make the web more secure for everyone. We’ll continue improving Chrome Security to help make Chrome easy to use safely, and are looking forward to collaborating with the community to further that goal. If you'd like to help out, install the new extension and start helping protect the web!

Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight

The heyday of fax technology may have been in the 80s, but all-in-one printers found throughout homes and offices often still include a fax machine. And telephonic transmission has resisted the rise of email and other internet-connected messaging tools in a variety of fields, including healthcare and law enforcement.

On the latest episode of “Hackable?” we learn if this dated, but still used, technology puts entire networks at risk. Geoff invites two Israeli cybersecurity researchers to test the seldom-used fax machine and printer sitting in the corner of his home office. Listen and learn what they are able to do with only a $5 modem, Geoff’s fax number, and a Python script.

The post Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight appeared first on McAfee Blogs.

Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.

57 Percent of Midsize Enterprises Don’t Have a CISO

Gartner defines midsize enterprises as companies with less than $20 million in IT security budget. At that size, they have up to 30 people in IT, which means that 57 percent of this group do not have enough security staff to warrant a CISO. This means the CIO is accountable for cybersecurity in most midsize enterprises.

According to Gartner, midsize enterprises spend an average of $1,089 on IT security per employee. About 6 percent of the IT headcount is dedicated to security, so you have to have at least 17 people in IT before you start dedicating a full headcount to security. Below that watermark, it’s only partial headcounts. That’s a lot of security areas to cover for very little headcount, and you can completely forget about 24/7 coverage for security operations. To make things worse, the midsize enterprise is hit even harder by the InfoSec skills gap because they often cannot compete with Fortune 500 salaries and benefits.

How Can Midsize Enterprises Address These Challenges?

Paul Furtado, Sr. Director Analyst at Gartner, recommends the following guidelines for addressing these challenges:

  • Create a baseline: What are you doing today?
  • Know what to protect: You won’t know what to protect if you don’t know what’s critical to the business. Identify your most critical data: PII, IP, partner/customer lists, business-critical applications. If you don't know that, you're spending money in the wrong areas.
  • Know your risk appetite: Categorize all risks by business impact and risk scenario likelihood, then prioritize and decide what’s a level of acceptable risk for the organization.
  • It’s a combined effort: Security is a combination of people, process, and technology.
  • Apply best practices: You are not the first one to set up a security program – learn from others.  

Framing Security Spending With Executive Leadership

Before Paul joined Gartner, he spent decades working in the trenches in midsize enterprises. Most executive leaders ask why they should be spending dollars on security. I loved his response: “I’m not taking a dollar from you, I’m protecting the dollars for you.” This is a great mind shift that I can absolutely see working with executives.

I also liked how he boiled down the basics of what a security program must do:

  • Keep bad guys out 
  • Let good guys in
  • Keep the wheels on

I often see security professionals over-rotate on the first item, which is most important to them. However, let’s not forget, items two and three are more important to everyone else in the business!

Be Pragmatic and Don’t Do Everything In-House

With very limited resources, you cannot do everything in-house. You need to outsource some of the work to be successful. Use cloud solutions and vendors that can supply you with specialized knowledge and round-the-clock coverage. As Paul summed it up: “We could do this ourselves, but it’s not a good use of our people.”

A Recipe for a Successful Security Program in Midsize Enterprise

Paul summed up his recommendations as follows:

  • Do the simple things well. This means the more difficult things in IT security become easier. Complexity is the enemy of security. 
  • Start to seriously examine how to leverage your security spending with multiplication platforms.
  • Demand a secure development life cycle and “built-in” security for IT components.
  • Constantly re-evaluate your risk tolerance and your good-enough security comfort level.
  • Investigate emerging security services.

Of course, working in application security, number three resonated most with me, so I’d like to dig into this one a little and tie it back to all of his recommendations.

How to Do DevSecOps in Midsize Enterprises

Key takeaways from Paul’s talk are that you cannot do everything in-house because of lack of headcount and skills shortage in InfoSec. Veracode can help you address both of these challenges.

Let’s get to lack of headcount first. Veracode is the only SaaS-native Leader in the Gartner 2019 Magic Quadrant for Application Security Testing, and we have been a Leader six times in a row. As a midsize enterprise, you don’t have the time to set up and maintain an application security scanning infrastructure, especially if you have to support multiple geographic sites as well as high availability and scalability for critical DevOps teams. Using Veracode is like having DevSecOps on tap: You don’t have to set up any infrastructure, so your developers can start scanning on day one.

Now let’s discuss skills shortage. If you only have a couple of InfoSec people on your team, you will struggle to offer specialized knowledge for developers who need help remediating specific vulnerabilities in their code, especially if your team covers a broad set of languages. At Veracode, we have a dedicated team of application security consultants that your developers can tap into to get help with their code. In addition, our security program managers can onboard your scrum teams onto our platform and help them automate the security scanning.

Security as a Competitive Advantage

As a midsize enterprise, you are often subject to security scrutiny when selling to the Fortune 500, especially when the value you deliver to your customers involves software, either directly or indirectly. Veracode is the only application security testing vendor to offer the Veracode Verified Program, which helps you show your customers that you take security seriously. Many of our midsize enterprise customers even use their Veracode Verified logo as a competitive advantage. Check out some of these companies in the Veracode Verified Directory.

“You may not have the need today, but it’s well worth doing the research today.”

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Veracode Kuppinger Cole Report

Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base.

For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service.

But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought.

With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications.

Veracode pioneered static binary analysis to address the security of modern applications, which are often composed of code from different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits.

Yet the Veracode Platform offers so much more than its signature static binary analysis.

“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.”

To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.

The 2019 Job Seeker & The Cybersecurity Skills Shortage

In today’s ever-changing job market, job seekers and employers alike are under a great deal of pressure. Those looking for their next career move are focusing on what’s required to land a great role with competitive compensation and room for growth in an exciting field. And employers are seeking a rising star that will be a good culture fit and have values that match those of their company.

A Letter to Jobseekers

Whether you just graduated college, left your previous role, or are seeking a different career path, you’re probably thinking, “Now what?” No matter where your path leads you, stay positive. Try to find a company that invests in you, truly wants you to succeed, fosters both personal and professional growth, and makes a big difference in your career progression.

If you’re a problem solver and love to learn, cybersecurity is the path for you. A career in cybersecurity can be very fulfilling. As cybercrime continues to rise, so will the demand for qualified cybersecurity professionals, offering both dynamic growth opportunities and job security. Furthermore, cybersecurity professionals are generally among the most highly compensated technology workers, and as the need for security professionals further outpaces the supply, salaries will continue to climb as companies compete for top talent. Lastly, a career in cybersecurity offers the sense of purpose that comes with making the world a better place by helping protect innocent people from cybercriminals.

Whether you are just out of the gate or further along in your career, check out McAfee CHRO Chatelle Lynch’s five powerful career tips: stay hungry, celebrate others’ success, work hard, own your brand, and take pride in everything you do.

Good luck!

A Sustainable Model for Cybersecurity Talent

The term “skills shortage” is all too familiar to those in the cybersecurity industry. A Cybersecurity Ventures report estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. And as cloud platforms demand an increasingly complex set of cloud SecOps skills, the skills gap will continue to grow at an increasing clip.

Success requires fresh thinking and fresh perspectives. It’s time for the cybersecurity industry to redefine the minimum credentials for entry-level cybersecurity jobs and accept non-traditional sources of education. Instead of expecting to hire an experienced cybersecurity professional, more companies should consider accepting job applicants that will require upfront investment and training. According to our Winning the Game report, 92% of cybersecurity managers say gamers possess skills that make them suited to a career in cybersecurity—and 75% would consider hiring a gamer even if that person had no cybersecurity training or experience.

In order to grow security talent and close the skills gap, companies should also consider developing apprenticeship programs, investing and supporting cybersecurity and threat intelligence programs at universities, and other avenues. According to Lynch, “We won’t close our skills gap overnight, but by working together to collectively promote and advocate for a career in cybersecurity, the closer we will get.” We look forward to solving the cyber skills shortage together and driving innovation with diversity and inclusion.

Looking for a career in cybersecurity? Join our team.

The post The 2019 Job Seeker & The Cybersecurity Skills Shortage appeared first on McAfee Blogs.

[Results] CLB Super Holder Event

Greetings Cloudbric community!

Thank you for your interest in our CLB Super Holder event which has now come to an end.

On exactly June 17, at 4pm KST, the price of CLB sat at 10.4 KRW (approx. $0.0088 USD).

As mentioned, all eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

Please check the airdrop list and look to see if your email was accepted in alignment with the guidelines.

Airdrop list

Please note that users that had already transferred CLB tokens prior to June 11th, 2019 at 2pm KST will receive an additional 200 CLB bonus airdrop to help mitigate any issues or confusion regarding wallet addresses and transfers.

The winners of the CLB Super Holder event will be issued their CLB tokens by June 24 and will receive their CLBK tokens after Klaytn’s main net launch. More details soon to come.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Results] CLB Super Holder Event appeared first on Cloudbric.

How to Book Your Next Holiday Online and NOT Get Scammed

Taking our tribe on an annual family holiday has always been a top priority for my husband and me. But with 4 sons – who all eat ridiculous amounts – this can be an expensive exercise. So, like most people, I am always on the lookout for deals and ways to save money on trips to our favourite holiday destinations.

But according to research from McAfee, our need to secure a great deal to a hot destination may mean we are cutting corners and taking risks online. Over one-third of us (32%) report that we are likely to use a website we have never heard of before just because it offers great deals!

And cybercriminals are fully aware of this, so they spend a lot of time and effort creating malicious travel websites and fraudulent links to lure us ‘travel nuts’ away from the reputable online travel players. Their goal is to get us to their fraudulent site, install malware on our devices so they can steal our personal information, passwords and, ideally, our money!

How Many Aussies Have Been Scammed?

McAfee’s research also shows that 1 in 5 of us have either been scammed or nearly scammed when booking a holiday online, with many of us (32%) signing up for a deal that turned out to be fake. And horrifyingly, 28% of holiday scam victims only realised that they had been scammed when checking in to their holiday accommodation!! Can you imagine breaking the news to the kids? Or worse still, having to pay twice for the one holiday?

Cybercriminals Also Have Favourite Holiday Hot Spots

Not only are cybercriminals capitalising on our need for a deal when booking a holiday, but they are also targeting our favourite destinations. The findings from McAfee’s research show holiday hot spots such as Thailand, India, the Philippines and the UK generate the riskiest search results when people are on the hunt for holidays online.

The top holiday destinations for Aussies that hackers are targeting via potentially malicious sites:

  1. New Delhi, India
  2. Bangkok, Thailand
  3. London, England
  4. Phuket, Thailand
  5. Manila, Philippines

Cybercriminals take advantage of the high search volumes for accommodation and deals in these popular destinations and drive unsuspecting users to their malicious websites often using professional looking links, pop-up ads and even text messages.

What You Can Do to Avoid Being Scammed

With Aussie school holidays just a few weeks away, do not despair! There are definitely steps you can take to protect yourself when booking your Winter getaway. Here are my top tips:

  1. Think Before You Click

With 25% of holiday bookings occurring through email promotions and pop-up ads, it’s essential to properly research the company behind the ads before you proceed with payment. Check out reviews and travel forums to ensure it is a legitimate online travel store. And it’s always best to use a trusted online retailer with a solid reputation even if it costs a little more.

  2. Use Wi-Fi With Caution

Using unsecured Wi-Fi is a risky business when you are travelling. If you absolutely must, ensure it is secured BUT never conduct any financial or sensitive transactions when connected. Investing in a virtual private network (VPN) such as McAfee Safe Connect is the best way to ensure that your connection is secure and your data remains private.

  3. Protect Yourself

Ensuring your device has current comprehensive security protection, like McAfee Total Protection, will ensure any malicious websites will be identified when you are browsing. It will also protect your device against malware – which could come in handy if you are tricked into visiting a fraudulent site.

So, next time you come across an amazing, bargain-basement deal to Thailand, PLEASE take the time to do your homework. Is the retailer legitimate? What do the reviews say? What are the terms and conditions? And, if it isn’t looking rosy, remember, if it looks too good to be true, it probably is!

‘till next time

Alex xx

 

The post How to Book Your Next Holiday Online and NOT Get Scammed appeared first on McAfee Blogs.

[Exchange Listing] CLB Token to be listed on Bitsdaq Exchange


The Cloudbric team is excited to announce that we will be adding a new exchange listing for our CLB token!

Bitsdaq exchange is an official partner of Bittrex, which is one of the premier cryptocurrency exchanges based out of the US.

Based on Bittrex’s unique exchange technology, Bitsdaq will help provide safe and reliable cryptocurrency trading activities for users based in the APAC region.

Users can also find Cloudbric’s CLB token listed on both Korea-based Bitsonic exchange, as well as BitForex which is targeted for global users.

Bitsdaq listing details:

  • Token: CLB
  • Exchange: Bitsdaq
  • Date: June (exact date will be announced on our Telegram)

For more information regarding our CLB token and new exchange listing announcements, please join our official Telegram community channel at https://t.me/cloudbric.

_____________________________

What is Bitsdaq?

Bitsdaq is a Hong Kong based cryptocurrency exchange based on the unique technology of its official partner, Bittrex exchange. Bitsdaq officially launched its exchange on January 29th, 2019 and currently boasts more than 2 million users with both mobile and web access for its exchange.

As an official partner of Bittrex exchange, one of the most globally recognized cryptocurrency exchanges, Bitsdaq helps expand Bittrex’s reach towards the APAC region through its unique and cutting edge technology.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Exchange Listing] CLB Token to be listed on Bitsdaq Exchange appeared first on Cloudbric.

5 Digital Risks to Help Your Teen Navigate this Summer

S’mores.
Sparklers.
Snow cones.
Sunburns.
Fireflies.

Remember when summer was simple? Before smartphones and social networks, there was less uploading and more unwinding; less commenting and more savoring. 

There’s a new summer now. It’s the social summer, and tweens and teens know it well. It’s those few months away from school where the pressure (and compulsion) to show up and show off online can double. On Instagram and Snapchat, it’s a 24/7 stream of bikinis, vacations, friend groups, and summer abs. On gaming platforms, there’s more connecting and competing. 

With more of summer playing out on social, there’s also more risk. And that’s where parents come in. 

While it’s unlikely you can get kids to ditch their devices for weeks or even days at a time this summer, it is possible to coach kids through the risks to restore some of the simplicity and safety to summer.

5 summer risks to coach kids through:

  1. Body image. Every day your child — male or female — faces a non-stop, digital tidal wave of pressure to be ‘as beautiful’ or ‘as perfect’ as their peers online. Summer can magnify body image issues for kids.
    What you can do: Talk with your kids about social media’s power to subtly distort body image. Help kids decipher the visual world around them — what’s real, what’s imagined, and what’s relevant. Keep an eye on your child’s moods, eating habits, and digital behaviors. Are comments or captions focused only on looks? If so, help your child expand his or her focus. Get serious about screen limits if you suspect too much scrolling is negatively impacting your child’s physical or emotional health.
  2. Gaming addiction. The risks connected with gaming can multiply in the summer months. Many gaming platforms serve as social networks that allow kids to talk, play, and connect with friends all day, every day, without ever leaving their rooms. With more summer gaming comes the risk of addiction as well as gaming scams, inappropriate content, and bullying.
    What you can do: Don’t ignore the signs of excessive gaming, which include preoccupation with gaming, anger, irritation, lying to cover playing time, withdrawal and isolation, exchanging sleep for gaming. Be swift and take action. Set gaming ground rules specific to summer. Consider parental control software to help with time limits. Remember: Kids love to circumvent time limits at home by going to a friend’s house to play video games. Also, plan summer activities out of the house and away from devices.
  3. Cyberbullying. Making fun of others, threatening, name-calling, exclusion, and racial or gender discrimination are all serious issues online. With more time on their hands in the summer months, some kids can find new ways to torment others.
    What you can do: Listen in on (monitor) your child’s social media accounts (without commenting or liking). What is the tone of your child’s comments or the comments of others? Pay attention to your child’s moods, behaviors, and online friend groups. Note: Your child could be the target of cyberbullying or the cyberbully, so keep your digital eyes open and objective.
  4. Smartphone anxiety. Anxiety is a growing issue for teens that can compound in the summer months if left unchecked. A 2018 survey from the Pew Research Center reveals that 56 percent of teens feel anxious, lonely, or upset when they don’t have their cell phones.
    What you can do: Pay attention to your child’s physical and emotional health. Signs of anxiety include extreme apprehension or worry, self-doubt, sleeplessness, stomach or headache complaints, isolation, panic attacks, and excessive fear. Establish screen limits and plan phone-free outings with your child. Set aside daily one-on-one time with your child to re-connect and seek out professional help if needed.
  5. Social Conflict. More hours in the day + more social media = potential for more conflict. Digital conflict in group chats or social networks can quickly get out of hand. Being excluded, misunderstood, or criticized hurts even more when it plays out on a public, digital stage.
    What you can do: While conflict is a normal part of life and healthy friendships, it can spiral in the online space where fingers are quick to fire off responses. Offer your child your ears before your advice. Just listen. Hear them out and (if asked) help them brainstorm ways to work through the conflict. Offer options like responding well, not engaging, and handling a situation face-to-face. Avoid the temptation to jump in and referee or solve.

Summer doesn’t have to be stressful for kids, and the smartphone doesn’t have to win the majority of your child’s attention. With listening, monitoring, and timely coaching, parents can help kids avoid common digital risks and enjoy the ease and fun of summer. 

The post 5 Digital Risks to Help Your Teen Navigate this Summer appeared first on McAfee Blogs.

Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity

“Aunty, do you happen to have any waste paper at home? I need them for my Environment Day project,” chirped a bright little thing standing at my door early Sunday morning.

“I am sure I have. What is your project this year?”

“Oh! I want to emphasize ‘Reduce. Reuse. Recycle.’ by making durable paper bags that people can pack their gifts in. It will also reduce the use of plastic.”

We need more such efforts on the part of all producers, consumers and recyclers to restore the balance on earth, which we have sadly turned into a dump yard of toxic waste that is polluting our land, water and air. The matter is serious and calls for judicious purchase and use of goods.

This Environment day, why not pledge to reduce e-waste, digital citizens?

What is e-waste?

Electronic waste or e-waste describes discarded electrical or electronic devices. Used electronics which are destined for refurbishment, reuse, resale, salvage, recycling through material recovery, or disposal are also considered e-waste.

This means that all your obsolete devices and electronic goods that are lying around at home or have been thrown away in bins make up e-waste.

Why is there a rise in e-waste?

The volume of annual e-waste is on the rise, thanks to the desire for latest models fueled by the rise in disposable income, technological progress and cheap data rates. Gone are those thrifty days when we purchased goods to last; now we want only the smartest and latest.

Consider this: The Global E-Waste Monitor, 2017 published by the United Nations University estimated that India generates about 2 million metric tons of e-waste annually, of which almost 82% consists of personal devices!

Why are we worried about e-waste?

We want the Earth to continue being the clean, green and beautiful planet that it is, right? But the increasing amount of e-waste is a threat to the environment. If not processed properly, it can have negative effects on pollution levels and consequently on the health of all life forms. Toxicity in soil will affect soil fertility, and hence crop production. We have already witnessed the effect of plastics and toxic fumes from incinerators on birds and animal life.

How is e-waste connected to cybersecurity?

Improper disposal of devices can also pose a security risk. If you have not taken the trouble to delete all the content and reset the device to factory settings, then your data, including photos, may fall into the wrong hands and could be misused. Before you give away or throw away old devices, take care to thoroughly erase their content and unsync them from your other devices and accounts.

How to reduce e-waste?

This is your Environment Day Mantra: Reduce. Recycle. Refurbish. Reuse.

Every time you desire to replace an electronic item, ask yourself, ‘Is it really necessary to purchase it now or can it be postponed? Am I doing it to keep up with or ahead of the Joneses? What will I do with the old product?’ Such soul-searching often leads to sane decisions that you will not regret later.

With that in mind, and the following tips handy, you can become a positive contributor to keeping the environment clean.

  1. Keep your devices in top condition: The two most common devices to be found in homes across India are the computer (or laptop) and smartphone. Replace slow batteries and keep them secured. Carry out regular scans and clean-ups and install all software updates.
  2. Protect your phone from damage: Use a screen guard and phone cases to reduce chances of breakage. Your kids can choose trendy cases that will serve two purposes: protect their phones as well as encourage them to use the devices for a longer period.
  3. Battery life: Avoid overcharging the battery to extend battery life.
  4. Secure your products: Use licensed security tools to remove malware and optimize performance.

Some countries offer financial incentives to return old devices at designated collection centres. Perhaps we should start something like this to encourage people to recycle?

Things You Can Do This Environment Day:

Still not found a suitable project for Environment Day? Why not go on a collection drive of gaming devices and mobile phones that your neighbours have lying around at home? You can then clean them and get in touch with a reputable NGO to channel these gaming devices to children’s homes, domestic help and others. Think about it.

 

Credit

https://www.greenchildmagazine.com/reduce-ewaste/

https://tcocertified.com/news/global-e-waste-reaches-record-high-says-new-un-report/

https://www.downtoearth.org.in/blog/waste/e-waste-day-82-of-india-s-e-waste-is-personal-devices-61880

The post Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity appeared first on McAfee Blogs.

Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR).

43% of breaches in 2018 involved small businesses. Hackers know you’re vulnerable and they’re acting on it.

We’re big fans of the DBIR over here, not just because we’re contributing partners and want to see our name in lights. Yes, we’re certainly guilty of initially jumping into the contributor section and searching for our logo, but after that, we devour the data. The report in itself is an easy read, and there is also a DBIR executive summary available for those that want a short overview.

At GRA Quantum, we’re experts at developing tailored security solutions for small organizations facing big threats —and the data in this year’s DBIR show that the threats facing these orgs are only growing. 43% of breaches in 2018 involved small businesses. And that makes sense, when you take the threat actors’ POV into account. Nefarious attackers know that small and mid-size businesses don’t have the cyber hygiene that’s expected of enterprise organizations. Yet, the personally identifiable information (PII) and the intellectual property of smaller organizations is just as valuable.

It’s not all bad news.

As more organizations, especially in the small and mid-size range, move to the cloud, hackers shift their focus to the cloud too. The DBIR showed an increase in hackers’ focus to cloud-based servers. Where’s the good news in this? Much of this hacking stems from stolen credentials AND can be prevented with better education amongst staff, paired with anti-phishing technology and managed security services. All affordable options for companies that don’t have hundreds or thousands of endpoints.

More good news: you can start protecting your small org today by implementing some cybersecurity best practices. We’ve developed a checklist to strengthen your cybersecurity program that can get you started. It’s more straightforward than you may anticipate, and you don’t have to be technical or in a security role to kick-off the initiative. In fact, the list was created for management in Human Resources and Finance departments. Items in the list that are easiest to implement include:

  • Enforcing a policy to require multi-factor authentication (MFA) to access all company systems
  • Creating an onboarding and offboarding policy, integrating HR and IT activities
  • Developing a third-party vendor risk management program

Start taking this proactive approach to get ahead of the threats and strengthen your security stance today.

 

The post Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR). appeared first on GRA Quantum.

Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware

Customers often ask us how to implement the suggestions provided in our blogs and threat advisories to better protect their environments. The goal of this blog is to do just that.

By showing you how to better use our products, you’ll be able to protect against Emotet and other malware. Emotet is a Trojan downloader spread by malicious spam campaigns using JavaScript, VBScript, and Microsoft Office macro functions. It downloads additional malware and persists on the machine as a service. Emotet has been observed to download ransomware, mass-mailing worms, W32/Pinkslipbot, W32/Expiro, W32/Dridex, and banking Trojans.

NOTE: Always test changes prior to implementing them in your environment.

1. DATs and product updates

One of the most common issues seen while in Support was an outdated DAT.

2. Make sure you have at least one scheduled product update task in McAfee ePO to run daily.

3. On-Access Scan (OAS) configuration for McAfee Endpoint Security and McAfee VirusScan Enterprise

Ensure that On-Access Scan (OAS) is enabled and set to scan on read and write and that entire drives aren’t excluded from being scanned. McAfee Endpoint Security and McAfee VirusScan Enterprise allow you to configure different scan settings based on the process. You can enable “Configure different settings for High-Risk and Low-Risk processes” to improve performance and reduce the need for file/folder exclusions. See KB88205 for more information.

Be sure that Artemis/GTI is enabled and that the first scanner action is “Clean” and the second action is “Delete”.

NOTE: Setting Artemis/GTI to High or Very High should be done gradually and with testing to reduce the risk of false positives. See KB53735 for more information.

4. On-Demand Scan (ODS)

A weekly On-Demand Scan (ODS) is suggested to ensure that your systems don’t have malware or PUPs. Do not run an ODS during peak business hours, as users may complain about system performance.

5. Access Protection (AP)

While the default Access Protection (AP) rules provide decent coverage, both McAfee Endpoint Security and McAfee VirusScan Enterprise allow for the creation of user-defined rules to prevent infection and the spread of worms or viruses. Below are some pre-created ones that should be tested and enabled in your environment to provide additional protection.

Pre-Defined Rule:

  • Disabling Registry Editor and Task Manager — Certain malware may attempt to disable the Task Manager to prevent the user from terminating the malicious process. Enable this AP rule to prevent the Task Manager from being disabled.

6. Access Protection (AP) rules for virus and worm outbreaks

These rules should only be enabled during a virus outbreak and for workstations only. Implementing the last two shown below may cause issues with file servers running McAfee VirusScan Enterprise or McAfee Endpoint Security. Always test these rules before you enable them:

  • Remotely Creating Autorun Files
  • Remotely Creating or Modifying Files or Folders
  • Remotely Accessing Local Files or Folders

NOTE: Only create a separate AP policy for workstations if you wish to continue using the AP rules below. Remotely creating files between workstations is unusual behavior.

7. User-defined AP file/folder patch locations

The user-defined rule below is one common location for malware.

8. Microsoft Office malware

Most threats come through email and are often downloaders for other malware. The AP rule below is intended to prevent Microsoft Office applications from executing PowerShell. You can include CScript.exe and WScript.exe as well.
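To see what a parent/child rule of this kind would block before enabling it, here is an added example that is not McAfee's Access Protection rule or any McAfee code: it applies the same "Office application launching a script interpreter" logic to constructed process-creation records. The record format, field names and host names are assumptions; the script flags events whose parent is an Office application and whose child is PowerShell, CScript or WScript, which is the behaviour the AP rule described above is meant to stop.

```python
"""Flag Office applications that spawn script interpreters.

Added example (not McAfee's Access Protection rule or McAfee code). It applies
the same parent/child logic to constructed process-creation records so a
defender can review what such a rule would block. The record layout, field
names and host names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed layout, not a product log)."""
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class ParentChildRule:
    """A parent/child process rule: block `children` when launched by `parents`."""
    name: str
    parents: Set[str]
    children: Set[str]

    def matches(self, event: ProcessEvent) -> bool:
        """True when the event's parent and child both fall inside the rule."""
        return (basename(event.parent_image) in self.parents
                and basename(event.image) in self.children)


def basename(path: str) -> str:
    """Lower-case file name from a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# The rule the text describes: Office applications must not launch PowerShell;
# CScript and WScript are included as the text suggests.
OFFICE_TO_SCRIPT_HOST = ParentChildRule(
    name="Block Office applications launching script interpreters",
    parents={"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"},
    children={"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"},
)


def find_matches(events: List[ProcessEvent], rule: ParentChildRule) -> List[ProcessEvent]:
    """Return the events the rule would block, in their original order."""
    return [e for e in events if rule.matches(e)]


def count_by_host(events: List[ProcessEvent], rule: ParentChildRule) -> Dict[str, int]:
    """Number of matching events per host, useful for spotting an outbreak."""
    counts: Dict[str, int] = {}
    for e in find_matches(events, rule):
        counts[e.host] = counts.get(e.host, 0) + 1
    return counts


def sample_events() -> List[ProcessEvent]:
    """Constructed sample records: four benign launches and two rule matches."""
    office = r"C:\Program Files\Microsoft Office\root\Office16"
    return [
        ProcessEvent("2019-06-03T09:12:01Z", "WS-0412", r"C:\Windows\explorer.exe",
                     office + r"\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
        ProcessEvent("2019-06-03T09:12:04Z", "WS-0412", office + r"\WINWORD.EXE",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "powershell.exe -NoProfile -File C:\\Users\\Public\\tmp.ps1"),
        ProcessEvent("2019-06-03T09:15:30Z", "WS-0077", office + r"\OUTLOOK.EXE",
                     office + r"\WINWORD.EXE", "WINWORD.EXE /n agenda.docx"),
        ProcessEvent("2019-06-03T09:16:02Z", "WS-0077", office + r"\EXCEL.EXE",
                     r"C:\Windows\System32\wscript.exe", "wscript.exe helper.vbs"),
        ProcessEvent("2019-06-03T10:01:00Z", "WS-0900", r"C:\Windows\explorer.exe",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "powershell.exe"),  # an administrator's interactive shell
        ProcessEvent("2019-06-03T10:01:05Z", "WS-0900", r"C:\Windows\System32\services.exe",
                     r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ]


if __name__ == "__main__":
    for e in find_matches(sample_events(), OFFICE_TO_SCRIPT_HOST):
        print(f"{e.timestamp} {e.host}: {basename(e.parent_image)} -> {basename(e.image)}")
    print(count_by_host(sample_events(), OFFICE_TO_SCRIPT_HOST))
```

Running the script over the constructed records lists the two Office-launched interpreters and leaves the administrator's own PowerShell session alone, which is the distinction an Access Protection rule keyed on the parent process makes and a plain "block powershell.exe" rule would not.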

9. McAfee Endpoint Security firewall

Almost all organizations have a firewall at the perimeter level. Some may opt to disable the built-in firewall on workstations and servers. The McAfee Endpoint Security Firewall is more comprehensive than the Windows firewall and can be used to prevent communication to malicious IPs and domains.

10. Blocking malicious traffic with the firewall

Blocking malicious network traffic prevents new variants from being downloaded and can minimize the impact on the environment. Environments that don’t block malicious traffic as one of the first steps often take longer to clean up.

The post Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware appeared first on McAfee Blogs.

How to Manage Identities for Contractors, Consultants, and Other Non-Employees


For years, organizations have recognized the need to pay close attention to and manage the access that their employees have with the help of identity governance and administration solutions. More recently, organizations are also being faced with the reality that they need to apply the same level of governance to non-employees as well. According to a 2018 Opus-sponsored Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. Many of these breaches go undetected. With most organizations agreeing that third-party cybersecurity incidents are on the rise, non-employee access management is more important than ever.

Access by non-employees like contractors, vendors, students, or consultants faces additional challenges when it comes to entitlements. How does an organization ensure that a non-employee can get into the systems they need to do their job, while still enforcing enough limitations to avoid becoming a security risk? Read on to learn more about why non-employees present a unique challenge to identity and access management programs, how industries like healthcare handle managing their privileges, and best practices to find the balance between granting permissions and reducing risk.

What makes access for non-employees so challenging?

Non-employees often need to be onboarded quickly, since they may only be temporary members of the organization. Contractors or consultants, for example, need to quickly be able to log on and get to work. Organizations with no identity governance and administration (IGA) solution, or a very limited identity and access management (IAM) program, likely do not have a way to easily limit access or keep track of those with non-employee status. Oftentimes there is no “non-employee” designation in the system, or security teams lack a centralized inventory of users, allowing atypical IDs to slip through the cracks.

Even businesses with IGA solutions may end up quickly classifying consultants as employees as far as IT is concerned. Since these roles are typically not vetted as thoroughly as a full-fledged employee would be, giving them standard access may open the door to serious security issues. Providing a contractor with full employee access defies the principle of least privilege, since contractors don’t require access to nearly as many systems and applications but will be able to log into them anyway.

Additionally, non-employees may not be working in your specific infrastructure as often, which makes them more prone to mistakes and makes full access to sensitive information or data particularly risky. Some of the largest breaches have come from stolen non-employee credentials that allowed a hacker to get in through the front door.

Finally, non-employees tend to come and go far more frequently than employees, leaving behind an unused, but still active account. These orphaned accounts are key targets for threat actors looking for a way to get inside a system without setting off any alarms. Since the owner of the account isn’t using it, it may be too late before it’s noticed that it’s being utilized for malicious purposes.

Best practices for non-employee access

Luckily, there are a few tangible ways to solve the potential challenges related to non-employee access. An organization with a solid IGA program can safeguard its infrastructure by following a few important guidelines:

  1. Have a way to identify and manage non-employees.

There are many ways to manage non-employees. For example, you could add non-employees to your HR system, segment them appropriately, and manage their contract status. If this is not possible within an organization, the right IGA solution can be configured to be the central repository for non-employee identities and have convenient methods for inputting relevant information about them as well as enforce appropriate controls to manage them more closely.

Whatever approach an organization chooses, the most important part is to regularly ensure these non-employee user accounts are correct and up to date. The work of a contract employee can often vary depending on the project. Without regular check-ins, entitlement creep and orphaned accounts may begin to occur. That is, a contractor simply gains additional access without removing privileges they no longer need, or the account is left active after the contractor has left the organization.

  2. Follow the principle of least privilege.

All identity governance and administration (IGA) programs should begin with the principle of least privilege. That is, no employee or non-employee should have more access than needed to get their job done. This is best achieved through role-based access, which provides permissions based on roles, instead of individual entitlements. Roles can easily be applied to well-managed non-employees as well as employees.

  3. Have processes in place for efficient, but accurate onboarding and offboarding.

Manual provisioning can be labor intensive and take weeks before a new employee has access to every area they’ll need. This can lead to a frustrating experience for both employees and non-employees and will cost the organization time and money. However, sloppy onboarding for the sake of speed can lead to security risks. While offboarding does not seem as time sensitive, since no one is waiting on access, it is even more important from a security perspective.
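The three guidelines above (a non-employee designation with a contract end date, role-based least privilege, and timely offboarding) can be checked mechanically. The following is an added example, not code from any IGA product or from the author: it keeps a small constructed identity inventory, onboards non-employees with exactly their role's entitlements, and runs an access review that reports orphaned accounts (active past the contract end date), entitlement creep (access outside the role), and non-employee records with no end date at all. Role names, entitlement names and the people in it are assumptions.

```python
"""Non-employee identity checks: designation, least privilege, offboarding.

Added example (not any IGA vendor's code). It models an identity inventory
with a non-employee designation, contract end dates and role-based
entitlements, then reports orphaned accounts, entitlement creep and
non-employee records with no end date. Roles, systems and people are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Role-based access: each role maps to the entitlements it needs, nothing more.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "contractor-dev": {"vcs", "ci", "ticketing"},
    "consultant-finance": {"erp-read", "ticketing"},
    "staff-engineer": {"vcs", "ci", "ticketing", "prod-deploy", "hr-portal"},
}


@dataclass
class Identity:
    user_id: str
    display_name: str
    employee_type: str            # "employee" or "non-employee"
    role: str
    active: bool
    entitlements: Set[str]
    contract_end: Optional[date] = None   # required for non-employees


def onboard(user_id: str, display_name: str, employee_type: str,
            role: str, contract_end: Optional[date] = None) -> Identity:
    """Create an account with only its role's entitlements; non-employees need an end date."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {role!r}")
    if employee_type == "non-employee" and contract_end is None:
        raise ValueError("non-employees must be onboarded with a contract end date")
    return Identity(user_id, display_name, employee_type, role, True,
                    set(ROLE_ENTITLEMENTS[role]), contract_end)


def orphaned_accounts(identities: List[Identity], today: date) -> List[str]:
    """Accounts still active after their contract end date."""
    return sorted(i.user_id for i in identities
                  if i.active and i.contract_end is not None and i.contract_end < today)


def entitlement_creep(identities: List[Identity]) -> Dict[str, Set[str]]:
    """Entitlements each account holds beyond what its role grants."""
    creep: Dict[str, Set[str]] = {}
    for i in identities:
        excess = i.entitlements - ROLE_ENTITLEMENTS.get(i.role, set())
        if excess:
            creep[i.user_id] = excess
    return creep


def missing_end_date(identities: List[Identity]) -> List[str]:
    """Non-employee records that nothing will ever expire."""
    return sorted(i.user_id for i in identities
                  if i.employee_type == "non-employee" and i.contract_end is None)


def deprovision_expired(identities: List[Identity], today: date) -> List[str]:
    """Automated offboarding: disable expired accounts and strip their access."""
    removed = []
    for i in identities:
        if i.active and i.contract_end is not None and i.contract_end < today:
            i.active = False
            i.entitlements.clear()
            removed.append(i.user_id)
    return sorted(removed)


def access_review(identities: List[Identity], today: date) -> Dict[str, object]:
    """One report covering the three checks the guidelines call for."""
    return {
        "orphaned": orphaned_accounts(identities, today),
        "creep": entitlement_creep(identities),
        "no_end_date": missing_end_date(identities),
    }


def sample_directory() -> List[Identity]:
    """Constructed inventory: one clean record and one example of each problem."""
    alice = onboard("c-alice", "Alice (contractor)", "non-employee", "contractor-dev", date(2019, 12, 31))
    alice.entitlements.add("prod-deploy")      # granted by an ad hoc request: creep
    bob = onboard("c-bob", "Bob (consultant)", "non-employee", "consultant-finance", date(2019, 5, 31))
    carol = onboard("e-carol", "Carol (staff)", "employee", "staff-engineer")
    dan = Identity("c-dan", "Dan (legacy contractor)", "non-employee", "contractor-dev",
                   True, {"vcs", "ticketing"}, None)   # legacy record, no end date
    return [alice, bob, carol, dan]


REVIEW_DATE = date(2019, 6, 24)   # constructed review date

if __name__ == "__main__":
    directory = sample_directory()
    print(access_review(directory, REVIEW_DATE))
    print("deprovisioned:", deprovision_expired(directory, REVIEW_DATE))
```

With the constructed inventory the review reports Bob as orphaned (contract ended 31 May, account still active on 24 June), Alice's extra prod-deploy entitlement as creep, and Dan as a non-employee nothing will ever expire. Running the deprovisioning step afterwards disables Bob and clears his entitlements, so a second review finds no orphaned accounts; the same loop run on a schedule is what the text calls automated deprovisioning.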

 

Use Case: Non-Employees in Healthcare

Healthcare is a perfect example of an industry that needs to have a comprehensive yet flexible way of managing non-employees. It is a highly regulated industry with a significant number of non-employees. Potentially challenging use cases include the following:

Providers

Many doctors and clinicians that work in hospital systems are not actually employed by the hospitals themselves. They may be employed by a clinic or medical group that has established a partnership allowing them privileges at the hospital.

While they may not be official employees, this group needs access to many of the systems within the hospital network. Not having access to scheduling software, communication applications, alerting systems, and of course, electronic health records (EHR) can put lives at risk. It is also important to make certain that the status of a physician’s relationship with the hospital is up to date and that access is removed when it is appropriate.

However, these doctors do not require access to employee portals that provide benefit and payment information or other human resources related applications. Granularity and visibility into the access via roles is important.

Physicians are perfect examples of a non-employee who will require longer term access, but do not require full access. Best practices and role-based access would ensure that regular entitlement reviews would renew this access as needed, verifying compliance without disrupting patient care.

Volunteers

Whether it be as part of a program to interact with and assist patients, or as part of an emergency response plan, hospitals often have a need to allow volunteers to have access to their resources and patient data. Some may be long-term; others may only last a week. Some come in large groups, others volunteer on their own. Regardless, volunteers still require a certain amount of access. It may be very minimal, perhaps to sign in to track hours and verify that they’re in the building.

With volunteers, it is imperative that their access be managed to a level corresponding with the significance of data they require. Most will not have any medical certifications and should not have any access to health records. It is important to consider the definition of roles for volunteers as well as a repository that can be used to understand their precise needs in relationship with the healthcare systems. Removing even minimal access for volunteers is important when it is no longer needed.

Medical Students

Medical students provide a unique middle ground between physicians and volunteers when it comes to access. While they need access to the EHR system, they may not require the privileges that nurses and doctors are entitled to. For example, a medical student may not need to be able to put through an order for a test or send a prescription to a pharmacy.

Administrators face additional challenges because large groups of students typically start on the same day. Since the window in which they will be working at the hospital is so short, it is important for them to have all of their access needs sorted by day one. Similarly, most students have a shared end date, so offboarding must also be well organized and efficient. Automated deprovisioning is ideal in this scenario, so that orphaned accounts don’t linger for longer than necessary. Continuous review is also still necessary in case a student drops out or transfers.

Managing Everyone with Core Access Assurance Suite

The best way to manage non-employees is with a robust IGA solution that can manage non-employees in addition to standard full-time employees. Core Access Assurance Suite provides the complete context of relationships between users, access rights, resources, user activity, and compliance policies so that you can efficiently use access provisioning to manage a user appropriately from the beginning, using roles as necessary.

Automate the process of creating and managing non-employee accounts and identities as well as their associated access rights across the enterprise. Core Access Assurance Suite also ensures immediate disablement of access rights upon termination for increased security and regulatory compliance.

From long-term employees to short term contractors, our IGA solution will streamline access control and manage risk to provide a secure environment for your organization.

Core Access Assurance Suite provides complete identity, access risk, and compliance management, easily identifying, quantifying and managing the risks associated with information access.


How to Manage Identities for Contractors, Consultants, and Other Non-Employees
Want to learn more about identity governance?

Find out how to manage identities for everyone in your organization with the Identity Governance Toolkit.

Improving Security and Privacy for Extensions Users

No, Chrome isn’t killing ad blockers -- we’re making them safer

The Chrome Extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago. Extensions are a great way for users to customize their experience in Chrome and on the web. As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project.
In October, we announced a number of changes to improve the security, privacy, and performance of Chrome extensions. These changes include increased user options to control extension permissions, changes to the review process and readability requirements, and requiring two-step verification for developers. In addition, we’ve helped curb abuse through restricting inline installation on websites, preventing the use of deceptive installation practices, and limiting the data collected by extensions. We’ve also made changes to the teams themselves — over the last year, we’ve increased the size of the engineering teams that work on extension abuse by over 300% and the number of reviewers by over 400%.
These and other changes have driven down the rate of malicious installations by 89% since early 2018. Today, we block approximately 1,800 malicious uploads a month, preventing them from ever reaching the store. While the Chrome team is proud of these improvements, the review process alone can't catch all abuse. In order to provide better protection to our users, we need to make changes to the platform as well. This is the suite of changes we’re calling Manifest V3.
This effort is motivated by a desire to keep users safe and to give them more visibility and control over the data they’re sharing with extensions. One way we are doing this is by helping users be deliberate in granting access to sensitive data - such as emails, photos, and access to social media accounts. As we make these changes we want to continue to support extensions in empowering users and enhancing their browsing experience.
To help with this balance, we’re reimagining the way a number of powerful APIs work. Instead of a user granting each extension access to all of their sensitive data, we are creating ways for developers to request access to only the data they need to accomplish the same functionality. One example of this is the introduction of the Declarative Net Request API, which is replacing parts of the Web Request API.
At a high level, this change means that an extension does not need access to all a user’s sensitive data in order to block content. With the current Web Request API, users grant permission for Chrome to pass all information about a network request - which can include things like emails, photos, or other private information - to the extension. In contrast, the Declarative Net Request API allows extensions to block content without requiring the user to grant access to any sensitive information. Additionally, because we are able to cut substantial overhead in the browser, the Declarative Net Request API can have significant, system-level performance benefits over Web Request.
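To make the difference concrete, here is an added example (not Chromium's code) that models the two APIs side by side: a reduced declarativeNetRequest rule evaluator that needs only the URL and resource type, beside a Web Request style blocking listener that is handed the whole request. The rule shape follows the public declarativeNetRequest format; the `urlFilter` matcher is a deliberately simplified re-implementation (only `||`, `|`, `*` and `^`), and the request and rule values are constructed.

```javascript
// Added example (not Chromium's code): a reduced model of the two APIs the
// post compares. Rule shape follows declarativeNetRequest; the urlFilter
// matcher is a simplified re-implementation (supports "||", "|", "*", "^").

// Constructed rule set: block scripts/images from a tracking host, except one script.
const RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example.net^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||ads.example.net/consent.js", resourceTypes: ["script"] } },
];

// Translate the reduced urlFilter syntax into a RegExp.
function urlFilterToRegExp(filter) {
  let re = "";
  let i = 0;
  if (filter.startsWith("||")) {          // domain anchor: any scheme, optional subdomains
    re += "^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?";
    i = 2;
  } else if (filter.startsWith("|")) {    // start anchor
    re += "^";
    i = 1;
  }
  for (; i < filter.length; i++) {
    const c = filter[i];
    if (c === "*") re += ".*";
    else if (c === "^") re += "(?:[^a-zA-Z0-9_.%-]|$)";          // separator
    else if (c === "|" && i === filter.length - 1) re += "$";    // end anchor
    else re += c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re, "i");
}

// Declarative side: the browser evaluates the rules itself and only needs the
// URL and resource type. No headers, cookies or body ever reach the extension.
// Simplification: highest priority wins; ties are not resolved as Chrome does.
function evaluateDeclarativeRules(rules, request) {
  let best = null;
  for (const rule of rules) {
    const { urlFilter, resourceTypes } = rule.condition;
    if (resourceTypes && !resourceTypes.includes(request.type)) continue;
    if (!urlFilterToRegExp(urlFilter).test(request.url)) continue;
    if (best === null || rule.priority > best.priority) best = rule;
  }
  return best ? best.action.type : "allow";
}

// Web Request side: a blocking onBeforeRequest listener receives the whole
// `details` object (with "requestBody" in extraInfoSpec, even form data), so a
// simple tracker blocker observes far more than it needs. The argument shape is
// modelled here; the real chrome.webRequest API is not called.
function webRequestListener(details) {
  const host = new URL(details.url).hostname;
  const cancel = /(^|\.)ads\.example\.net$/i.test(host);
  return { cancel, observedFields: Object.keys(details) };
}

// Constructed request carrying data the blocker has no business seeing.
const SAMPLE_REQUEST = {
  url: "https://ads.example.net/track.js", method: "POST", type: "script",
  requestHeaders: [{ name: "Cookie", value: "session=constructed" }],
  requestBody: { formData: { email: ["user@example.test"] } },
};
```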


This has been a controversial change since the Web Request API is used by many popular extensions, including ad blockers. We are not preventing the development of ad blockers or stopping users from blocking ads. Instead, we want to help developers, including content blockers, write extensions in a way that protects users’ privacy.
You can read more about the Declarative Net Request API and how it compares to the Web Request API here.
We understand that these changes will require developers to update the way in which their extensions operate. However, we think it is the right choice to enable users to limit the sensitive data they share with third-parties while giving them the ability to curate their own browsing experience. We are continuing to iterate on many aspects of the Manifest V3 design, and are working with the developer community to find solutions that both solve the use cases extensions have today and keep our users safe and in control.

Use your Android phone’s built-in security key to verify sign-in on iOS devices


Compromised credentials are one of the most common causes of security breaches. While Google automatically blocks the majority of unauthorized sign-in attempts, adding 2-Step Verification (2SV) considerably improves account security. At Cloud Next ‘19, we introduced a new 2SV method, enabling more than a billion users worldwide to better protect their accounts with a security key built into their Android phones.
This technology can be used to verify your sign-in to Google and Google Cloud services on Bluetooth-enabled Chrome OS, macOS, and Windows 10 devices. Starting today, you can use your Android phone to verify your sign-in on Apple iPads and iPhones as well.
Security keys
FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can’t access your account even if you are tricked into providing your username and password. Learn more by watching our presentation from Cloud Next ‘19.


On Chrome OS, macOS, and Windows 10 devices, we leverage the Chrome browser to communicate with your Android phone’s built-in security key over Bluetooth using FIDO’s CTAP2 protocol. On iOS devices, Google’s Smart Lock app is leveraged in place of the browser.


User experience on an iPad with Pixel 3


Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that’s always in your pocket at no additional cost.
It’s easy to get started
Follow these simple steps to protect your Google Account today:
Step 1: Add the security key to your Google Account
  • Add your personal or work Google Account to your Android 7.0+ (Nougat) phone.
  • Make sure you’re enrolled in 2-Step Verification (2SV).
  • On your computer, visit the 2SV settings and click "Add security key".
  • Choose your Android phone from the list of available devices.
Step 2: Use your Android phone's built-in security key
You can find more detailed instructions here. Within enterprise organizations, admins can require the use of security keys for their users in G Suite and Google Cloud Platform (GCP), letting them choose between using a physical security key, an Android phone, or both.
We also recommend that you register a backup hardware security key (from Google or a number of other vendors) for your account and keep it in a safe place, so that you can gain access to your account if you lose your Android phone.

Improving Cyber Resilience with Threat Intelligence

According to the SANS CTI 2019 survey results, 72% of organizations either consume or produce Threat Intelligence. Although most organizations have Intelligence data, they struggle with defining requirements and managing Cyber Threat Intelligence (CTI) as a program with measurable output. This likely results from threat data and intelligence being perceived as a technical function unrelated to business objectives.

We need to change this perception.

In my opinion, the key business objectives most closely related to threat intelligence are Risk Management and Cyber Resilience. Threat Intelligence can influence the outcomes of both.

Cyber Resilience itself requires risk management and adaptability. The need for businesses to become more resilient is driving the demand for an adaptable security architecture—one that not only effectively leverages threat intelligence to improve Security Operations, especially Incident Response, but also adapts cyber defenses such as endpoint and network controls to prevent the latest threats.

Meanwhile, regulations focused on improving cyber security are driving a continuous risk management approach. For example, in 2016, the European Union released the NIS (Network and Information Systems) Directive, which provides a legal framework to boost the overall level of cybersecurity in critical industries and calls specifically for threat intelligence and incident sharing among organizations and national authorities. With these drivers in mind, we now need to design a managed process with the goal of creating an efficient way to increase the business value of CTI. We can define this process as follows:

  • Discovering the most valuable data sources
  • Using automation to collect, investigate, respond and share
  • Integrating CTI into cyber defense processes
  • Measuring to prove the value of Threat Intelligence

1. Collection, Deduplication and Aggregation

The first step in the CTI Management Process is the collection, deduplication and aggregation of the data or feeds. One of the main gaps at the enterprise level is the collection of locally produced Threat Intelligence. Local Threat Intelligence includes data generated from analytics solutions like sandboxes and from incidents. Sandboxes usually produce intelligence data in the form of Indicators of Compromise (IOCs). These local sources could expose targeted attacks, and therefore are potentially the most valuable threat data source.

McAfee’s Open Architecture allows for the production, consumption and sharing of threat intelligence in various ways. Here is an example of how our architecture automates aggregation of various CTI sources with an open-source tool, MISP. The MISP platform subscribes to the McAfee Data Exchange Layer messaging fabric to consume IoCs from McAfee’s Advanced Threat Defense sandbox in real time. Additionally, MISP consumes and manages feeds from open or paid sources, providing an entry-level tool to manage the threat intel process.

Here is another example of how our architecture supports the aggregation process, this time by working with a commercial vendor, ThreatQ.

2. Investigation and Hunting

The second step in the CTI management process is investigation and hunting. Here, the biggest task is figuring out how to make Threat Intelligence actionable, which can be done by answering questions like:

  • Have we seen any related artifacts (IP address connections, Hash/File executions) in my enterprise in the past?
  • Do we have, right now, any devices that have related artifacts?

Before answering these questions, the right data must be collected from the enterprise sensors. Fundamental information should include IP address connections, file hashes on endpoints, web proxy, DNS and Active Directory logs. These logs provide the necessary data for correlation and historical analysis. The following example demonstrates how the architecture can automate some of the key triage steps.

MISP can push Threat Intelligence into McAfee’s SIEM solution, ESM (Enterprise Security Manager), to automate historical analysis. There, it can query McAfee’s Threat Intelligence Exchange server to identify which systems executed related artifacts, and where and when they did so. Furthermore, MISP can run real-time queries against McAfee-protected endpoints with McAfee Active Response to identify any persistent artifacts that are currently in the enterprise network.

Here is another example working with ThreatQ. This time, ThreatQ interacts with McAfee ESM, Active Response and McAfee TIE to identify systems that have or had artifacts related to Threat Intelligence indicators. These various integrations support manual enrichment tasks and investigations.

The screenshot below highlights the various McAfee integrations as part of an investigation.

3. Response

The third step in the CTI Management Process is response. Cyber Threat Intelligence is essential to prevent the latest threats and should be integrated into key cyberdefense countermeasures. The following example demonstrates an automated update process using McAfee’s Open Architecture, with the Data Exchange Layer (DXL) fabric as the key component.

ThreatQ can communicate via the DXL fabric with McAfee technologies. During this process ThreatQ is able to update key cyber defense countermeasure tools with Threat Intelligence to protect against the latest threats.

Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This includes TLP, STIX, TAXII and DXL. These protocols support the automated exchange and governance of the shared data.

4. Measurement

Finally, the value of Threat Intelligence can be proven by measuring a variety of outcomes. The following are some of the metrics commonly quantified and reported on:

  1. Number of duplicate Threat Intelligence Artifacts removed
  2. Impact on Mean-Time-To-Respond
  3. Number of IOCs generated from Threat Intelligence
  4. Number of incidents identified based on Threat Intelligence
  5. Number of attacks blocked via Threat Intelligence

Summary

The creation and implementation of the right process is critical to the success of Cyber Threat Intelligence within the enterprise. In this blog, we defined a CTI management process of Collection, Investigation, Response and Measurement. McAfee’s research, management platform and open architecture enable you to implement this process and get the best value out of Cyber Threat Intelligence, promoting resilience and enabling better risk management.

The post Improving Cyber Resilience with Threat Intelligence appeared first on McAfee Blogs.

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Oftentimes, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


1.1M Emuparadise Accounts Exposed in Data Breach

If you’re an avid gamer or know someone who is, you might be familiar with the retro gaming site Emuparadise. This website boasts a large community, a vast collection of gaming music, game-related videos, game guides, magazines, comics, video game translations, and more. Unfortunately, news just broke that Emuparadise recently suffered a data breach in April 2018, exposing the data of about 1.1 million of their forum members.

The operators of the hacked-database search engine, DeHashed, shared this compromised data with the data breach reference site Have I Been Pwned. According to the site’s owner Troy Hunt, the breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes. Password salting is the practice of adding unique, random data to each user’s password before it is hashed, so that identical passwords do not produce identical hashes. However, the MD5 algorithm is fast enough to be brute-forced and is no longer considered sufficient for protecting passwords, creating cause for cybersecurity concern.

Emuparadise forced a credential reset after the breach occurred in April 2018. It’s important that users of Emuparadise games take steps to help protect their private information. If you know someone who’s an avid gamer, pass along the following tips to help safeguard their security:

  • Change up your password. If you have an Emuparadise account, you should change up your account password and email password immediately. Make sure the next one you create is strong and unique so it’s more difficult for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the better!
  • Keep an eye out for sketchy emails and messages. Cybercriminals can leverage stolen information for phishing emails and social engineering scams. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided.
  • Check to see if you’ve been affected. If you or someone you know has made an Emuparadise account, use this tool to check if you could have been potentially affected.


Say So Long to Robocalls

For as long as you’ve had a phone, you’ve probably experienced in one form or another a robocall. These days it seems like they are only becoming more prevalent too. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. While these scams vary by country, the most common type features the impersonation of legitimate organizations — like global tech companies, big banks, or the IRS — with the goal of acquiring user data and money. When a robocall hits, users need to be careful to ensure their personal information is protected.

It’s almost impossible not to feel anxious when receiving a robocall. Whether the calls are just annoying, or a cybercriminal uses the call to scam consumers out of cash or information, this scheme is a big headache for all. To combat robocalls, there has been an uptick in apps and government intervention dedicated to fighting this ever-present annoyance. Unfortunately, things don’t seem to be getting better — while some savvy users are successful at avoiding these schemes, there are still plenty of other vulnerable targets.

Falling into a cybercriminal’s robocall trap can happen for a few reasons. First off, many users don’t know that if they answer a robocall, they may trigger more as a result. That’s because, once a user answers, hackers know there is someone on the other end of the phone line and they have an incentive to keep calling. Cybercriminals also have the ability to spoof numbers, mimic voices, and provide “concrete” background information that makes them sound legitimate. Lastly, it might surprise you to learn that robocalls are actually perfectly legal. It starts to become a grey area, however, when calls come through from predatory callers who are operating on a not-so-legal basis.

While government agencies, like the Federal Communications Commission and Federal Trade Commission, do their part to curb robocalls, the fight to stop robocalls is far from over, and more can always be done. Here are some proactive ways you can say so long to pesky scammers calling your phone.

  1. There’s an app for that. Consider downloading the app Robokiller that will stop robocalls before you even pick up. The app’s block list is constantly updating, so you’re protected.
  2. Let unknown calls go to voicemail. Unless you recognize the number, don’t answer your phone.
  3. Never share personal details over the phone. Unfortunately, there’s a chance that cybercriminals may have previously obtained some of your personal information from other sources to bolster their scheme. However, do not provide any further personal or financial information over the phone, like SSNs or credit card information.
  4. Register for the FCC’s “Do Not Call” list. This can help keep you protected from cybercriminals and telemarketers alike by keeping your number off of their lists.
  5. Consider a comprehensive mobile security platform. Utilize the call blocker capability feature from McAfee Mobile Security. This tool can help reduce the number of calls that come through.


Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes!

The school year has come to an end, and with it comes the start of summer! For many, this time of year brings excitement and anticipation to jet-set off to their favorite destinations and spend some quality time with family. But while many are soaking up the sun or sharing fun photos online, cybercriminals are also trying to target those not taking the proper precautions to protect their data.

In fact, according to recent research by McAfee, only 40% of people are concerned about their personal photos being hacked, and people are 3x more concerned about their Social Security number being hacked than their photos. Whether booking travel deals or sharing photos on social media, device security should be top of mind to keep information secure this summer.

Whether you’re laying by the pool or dipping your toes in the sand, we want to help you leave your cybersecurity woes behind with our Summer Safety #RT2Win sweepstakes! Two [2] lucky winners of the sweepstakes drawing will receive a $500 Amazon gift card. The best part? Entering is a breeze! Follow the instructions below to enter and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, follow @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, June 10, 2019, at 12:00pm PST. This tweet will include the hashtags: #ProtectWhatMatters, #RT2Win AND #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #ProtectWhatMatters, #RT2Win AND #Sweepstakes hashtags must be included in order to be entered.
  • Make sure you’re following @McAfee_Home on Twitter! You must follow for your entry to count.
  • Sweepstakes will end on Sunday, June 23, 2019 at 11:59pm PST. All entries must be made before that date and time.
  • Winners will be notified on Tuesday, June 25, 2019 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#ProtectWhatMatters, #RT2Win, AND #Sweepstakes” for a chance to win a $500 Amazon gift card (for full prize details please see “Prizes” section below). Two [2] total winners will be selected and announced on June 25, 2019. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

#RT2Win Sweepstakes Terms and Conditions

2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Summer Safety #RT2Win Sweepstakes will be conducted from June 10, 2019 through June 23, 2019. All entries for each day of the McAfee Summer Safety Cybersecurity #RT2Win Sweepstakes must be received during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Summer Safety Shopping #RT2Win Sweepstakes; the duration is as follows:

  • Begins: Monday, June 10, 2019 at 12:00pm PST
  • Ends: Sunday, June 23, 2019 at 11:59pm PST
  • Two [2] winners will be announced: Tuesday, June 25, 2019

For the McAfee Summer Safety #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes:

  1. Follow @McAfee_Home on Twitter.
  2. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #ProtectWhatMatters, #RT2Win and #Sweepstakes.
  3. Retweet the sweepstakes tweet of the day and make sure it includes the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags.
  4. Note: Tweets that do not contain the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
  5. Limit one entry per person.

Two [2] winners will be chosen for the McAfee Summer Safety #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #ProtectWhatMatters, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Tuesday, June 25, 2019 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.

3. Eligibility: 

McAfee Summer Safety #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Summer Safety #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and McAfee Summer Safety #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Summer Safety #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Summer Safety #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by June 25, 2019. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes: 

The prize for the McAfee Summer Safety #RT2Win Sweepstakes is a $500 Amazon gift card for each of the two [2] entrants/winners. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered. The McAfee Summer Safety #RT2Win Sweepstakes has no affiliation with Amazon.

7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Summer Safety #RT2Win Sweepstakes, or by any technical or human error which may occur in the processing of McAfee Summer Safety #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Summer Safety #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Summer Safety #RT2Win Sweepstakes-related activity, or participation in the McAfee Summer Safety #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list).  As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the McAfee Summer Safety #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entries for each McAfee Summer Safety #RT2Win Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of the State of New York, U.S.A.

12. Privacy Policy: 

Personal information obtained in connection with this McAfee Summer Safety #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after June 10, 2019 and before June 23, 2019 to the address listed below, Attn: #RT2Win at Summer Safety Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2019 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
  4. Administrator: LEWIS Pulse, 111 Sutter St., Suite 850, San Francisco, CA 94104

The post Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes! appeared first on McAfee Blogs.

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.

However, the recent American Medical Collection Agency (AMCA) data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. According to the 8-Ks that both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed with the Securities and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.

Earlier this year, Moody’s Investor Service ranked hospitals as one of the sectors most vulnerable to cyberattacks. In a press release, Moody's Managing Director Derek Vadala said, “We view cyber risk as event risk that can have material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects.”

Ensuring the security of patient data

Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, NewYork-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).

That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.

Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.

Where is the gap in the modern healthcare supply chain?

Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.

SOSS Vol. 9 shows that the financial industry, while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.

In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.

Awareness begets progress

In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.

Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:

“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there ought to be accountability at a senior level.”

As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities, because it will be demanded by the board in an effort to protect their brand and bottom line.

Give your customers confidence that your software is secure

Given that perfect security isn’t possible, organizations should consider reviewing their software development processes to ensure that security is embedded in each stage. One of the reasons that we created Veracode Verified, which helps your organization prove at a glance that you’ve made security a priority, is to help organizations stay ahead of customer and prospect security concerns and speed up sales cycles – without straining limited security resources. The program provides you with a proven roadmap for maturing your application security program, as well as an attestation letter you can share with customers and prospects.

Curious to learn more about how your organization may benefit from Veracode Verified? Have a look at this infographic to get the details.

Don’t Hesitate When Transforming Your Business

Transformation is a popular buzzword in the tech industry. The market is full of companies promising to be the change your business needs to help it transform into the best player in its category. Many companies that have been around for a decade or more believe they’ve already transformed their business numerous times to keep up with the latest technology trends, while newer companies tend to practice business transformation daily to stay competitive. But is business transformation really needed? The answer is yes. However, transformation is an evolutionary process and won’t happen overnight. Organizations need to think about the future and embrace the fact that they need to constantly change and move forward.

Transformation is Continuous

A disruptive and groundbreaking company will continually transform alongside its customers, adopting new applications and policies around the cloud, BYOD and more. As these items evolve, companies are confronted with the challenges and risks of change, including securing new endpoints on devices or in the cloud.

As companies evolve and transform to keep up with the latest IT trends, overlooking the security of company data is a common misstep. A recent study by the IT analyst firm Frost & Sullivan revealed that 83% of APAC organizations don’t think about cybersecurity while embarking on digital transformation projects. Although 72% of the organizations conduct regular breach assessments to protect themselves against cyberattacks, 55% of them were still at risk.

A Plan of Action

Companies are predicted to spend $1.7 trillion on digital transformation by the end of 2019, a 42% increase from 2017, according to IDC. With IT budgets at nearly their highest point, it’s time to rethink your transformation strategy and make security a priority.

The cloud is transforming the enterprise, and as a market leader, McAfee is transforming the way businesses secure data in the cloud. We transform the nature of security itself with SaaS (security-as-a-service) consumption models. By partnering with us, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogeneous device environments. McAfee cloud security solutions extend your security from device to cloud with data visibility, data loss prevention, and advanced threat protection on a platform that supports an open ecosystem. Our goal is to make the most secure environment for your business from device to cloud.

As you start your transformation journey, consider the following questions:

  • How is your organization aligned? What are your organization’s goals?
  • What are the biggest/most important strategic initiatives your company has over the next two to four years?
  • What are your current major IT initiatives? Security initiatives? Cloud initiatives?

Looking to transform your business with McAfee? We’re here to help. Use the resources below for more information.

The post Don’t Hesitate When Transforming Your Business appeared first on McAfee Blogs.

Study: Fortnite Game Becoming the Preferred Social Network for Kids

According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.

The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”

The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, cites NRG adding that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”

Summer gaming 

With school break now upon us, the NRG study is especially useful since screentime tends to jump during summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.

Fortnite safety tips 

Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time through the Settings of each device, the related account website, or the app. Another monitoring option for PCs, tablets, and mobile devices is monitoring software.

Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.

Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real-time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers so the risk of inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings and should be considered for younger tween users.

Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.

Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.

The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.

UK Security BSides, Mark Your Calendar & Don’t Miss Out

BSides conferences are fantastic events for budding cyber and information security novices through to seasoned security professionals to learn, discuss the latest security challenges, network with peers and to make new contacts from across the UK cyber security scene. 
Some BSides conferences are run in tandem with nearby popular mainstream security conferences, but unlike most mainstream security conferences, BSides agendas are more participation-driven and more collaboratively focused. Any group of security-passionate individuals can organise a BSides event in a city not already covered, under the official Security BSides direction. In recent years, following on from the multi-year success of BSides London, there has been a steady stream of new BSides conferences popping up in the various regions throughout the UK.

Mark Your Calendar & Don't Miss Out
UK BSides events are incredibly popular; they tend to be ticket-only events, with tickets often selling out weeks and sometimes months prior to the event. Below is the current UK Security BSides scene (as of 7th June 2019), so mark your calendar and avoid missing out on these excellent and highly rewarding events.

BSides London
Website: https://www.securitybsides.org.uk/
Twitter: @BSidesLondon
Last Event: 5th June 2019
Next Event: TBC (expected June 2020)

Notes: Annually held since April 2011

BSidesMCR (Manchester)
Website: https://www.bsidesmcr.org.uk/
Twitter: @BSidesMCR
Last Event: 16th August 2018
Next Event: 29th August 2019 (tickets on sale soon)
Notes: Annually held in August since 2014

BSides Liverpool
Twitter: @bsideslivrpool
Next Event: Saturday 29th June 2019 (Sold Out)
Notes: Inaugural event (June 2019)

BSides Bristol
Twitter: @bsidesbristol
Next Event: 20th June 2019 (Sold Out)
Notes: Inaugural event (June 2019)

BSides Cymru (Wales)
Twitter: @BSidesCymru
Next Event: In Cardiff on 28th September 2019
Notes: Inaugural event (September 2019)

BSides Scotland
Twitter: @BSidesScot
Next Event: Expected April 2020
Past Event: at Edinburgh on 23rd April 2019
Notes: Annually held since 2017

BSides Belfast
Twitter: @bsidesbelfast
Next Event: TBC
Past Event: 27th September 2018

BSides Leeds
Twitter: @bsidesleeds
Next Event: TBC
Past Event: 25th January 2019 

PHA Family Highlights: Triada



We continue our PHA family highlights series with the Triada family, which was first discovered early in 2016. The main purpose of Triada apps was to install spam apps that display ads on the device. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor. However, thanks to OEM cooperation and our outreach efforts, OEMs prepared system images with security updates that removed the Triada infection.

History of Triada

Triada was first described in a blog post on the Kaspersky Lab website in March 2016 and in a follow-up blog post in June 2016. Back then, it was a rooting trojan that tried to exploit the device and after getting elevated privileges, it performed a host of different actions. To hide these actions from analysts, Triada used a combination of dynamic code loading and additional app installs. The Kaspersky posts detail the code injection technique used by Triada and provide some statistics on infected devices at the time. In this post, we’ll focus on the peculiar encryption routine and the unusual binary files used by Triada.
Triada’s first action was to install a type of superuser (su) binary file. This su binary allowed other apps on the device to use root permissions. Unlike the regular su binaries found on other Linux systems, the su binary used by Triada required a password.
The binary accepted two passwords, od2gf04pd9 and ac32dorbdq. This is illustrated in the IDA screenshot below. Depending on which one was provided, the binary either 1) ran the single command given as an argument as root, or 2) concatenated all of its arguments, prefixed the result with sh, and ran that as root. Either way, the calling app had to know the correct password to run a command as root.
This Triada rooting trojan was mainly used to install apps and display ads. This trojan targeted older devices because the rooting exploits didn’t work on newer ones. Therefore, the trojan implemented a weight watching feature to decide if old apps needed to be deleted to make space for new installs.
Weight watching included several steps and attempted to free up space on the device’s user partition and system partition. Using a blacklist and a whitelist of apps, it first removed every app on its blacklist. If more free space was required, it removed all other apps, leaving only the apps on the whitelist. This process freed space while ensuring the apps needed for the phone to function properly were not removed.
Every app on the system partition had a number, or weight, associated with it. The weight was a sum of the number of apps installed on the same date as the app in question and the number of apps signed with the same certificate. The apps with the lowest weight were installed in isolation (that is, not on a day that the device system image was created) and weren’t signed by the OEM or weren’t part of a developer bundle. In the weight watching process, these apps were removed first, until enough space was made for the new app.
[Figure: su binary accepts two passwords]
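The weight-watching routine described above, modelled as an added Python example written for this page rather than Triada's own code. The inventory (package names, install dates, signer labels and sizes), the whitelist and the blacklist are constructed; two details the post does not specify are assumed and marked in the code: weights are computed against the full inventory before any removal starts, and an app is not counted against itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str
    install_date: str   # YYYY-MM-DD; system-image apps all share the image build date
    signer: str         # label standing in for the signing certificate
    size: int           # bytes the app occupies on the partition


IMAGE_DAY = "2016-03-01"

# Constructed system partition: OEM apps from the image build, a two-app
# vendor bundle, a later OEM-signed add-on, and one app installed in isolation.
SYSTEM_APPS = [
    InstalledApp("com.android.systemui", IMAGE_DAY, "oem", 4_000_000),
    InstalledApp("com.android.phone", IMAGE_DAY, "oem", 3_000_000),
    InstalledApp("com.android.settings", IMAGE_DAY, "oem", 5_000_000),
    InstalledApp("com.example.bundle.a", IMAGE_DAY, "vendorX", 2_000_000),
    InstalledApp("com.example.bundle.b", IMAGE_DAY, "vendorX", 2_000_000),
    InstalledApp("com.example.bloat", "2016-03-02", "oem", 6_000_000),
    InstalledApp("com.example.lonely", "2016-05-20", "devZ", 1_500_000),
]
WHITELIST = {"com.android.systemui", "com.android.phone", "com.android.settings"}
BLACKLIST = {"com.example.bloat"}


def app_weight(app, inventory):
    """Weight = number of other apps installed the same day + number of other
    apps signed with the same certificate. Assumption: the app itself is not
    counted (a constant offset that does not change the ordering)."""
    same_day = sum(1 for a in inventory if a is not app and a.install_date == app.install_date)
    same_signer = sum(1 for a in inventory if a is not app and a.signer == app.signer)
    return same_day + same_signer


def plan_removals(inventory, blacklist, whitelist, needed_bytes):
    """Return, in order, the packages the routine would delete to free needed_bytes:
    blacklisted apps first, then non-whitelisted apps from lowest weight upward."""
    removals, freed, remaining = [], 0, []
    for a in inventory:
        if a.package in blacklist:
            removals.append(a.package)
            freed += a.size
        else:
            remaining.append(a)
    if freed >= needed_bytes:
        return removals
    # Assumption: weights are taken against the original inventory, not recomputed
    # after each removal. Package name breaks ties deterministically.
    candidates = [a for a in remaining if a.package not in whitelist]
    candidates.sort(key=lambda a: (app_weight(a, inventory), a.package))
    for a in candidates:
        if freed >= needed_bytes:
            break
        removals.append(a.package)
        freed += a.size
    return removals


if __name__ == "__main__":
    for a in SYSTEM_APPS:
        print(f"{a.package:28} weight={app_weight(a, SYSTEM_APPS)}")
    print(plan_removals(SYSTEM_APPS, BLACKLIST, WHITELIST, 7_000_000))
```

The isolated app (installed on its own day, signed by nobody else) has weight 0 and is the first non-blacklisted victim, while the OEM-signed apps that share the image build date carry the highest weights and, even without the whitelist, would go last. That ordering is exactly the property the post describes: apps that look like part of the shipped image survive, stray installs do not.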
In addition to installing apps that display ads, Triada injected code into four web browsers: AOSP (com.android.browser), 360 Secure (com.qihoo.browser), Cheetah (com.ijinshan.browser_fast), and Oupeng (com.oupeng.browser). The code was injected using the same technique described in our blog post about the Zen PHA family and in previously mentioned Kaspersky blog posts.
The web browser injection was done to overwrite the URLs and substitute ad banners on websites with ads benefiting the Triada authors.
Triada also used a peculiar and complex communication encryption routine. Whenever it had to send a request to the Command and Control (C&C) server, it encrypted the request using two XOR loops with different passwords. Because XOR is its own inverse, wherever the two passwords had the same byte in the same position the two passes cancelled out and that plaintext byte was sent unchanged. The encrypted request was saved to a file whose name was its own size in bytes. Finally, the file was zipped and sent to the C&C server in the POST request body.
The example below shows the tail of one such request. 50 4B 01 02 is the signature of the zip central directory file header; the little-endian bytes 52 09 00 00 are the uncompressed file size, 0x0952 = 2386; 04 00 is the file name length (4) and 32 33 38 36 is the file name itself, "2386", the decimal form of 0x0952. The flags word 08 00 has bit 3 set, meaning the sizes and CRC are also written in a data descriptor after the compressed data, and the leading 09 00 00 are the last three bytes of that descriptor. 50 4B 05 06 begins the end-of-central-directory record.
  09 00 00 50 4B 01 02 14 00 14 00 08 00 08 00 4F ...PK..........O
  91 F3 48 AE CF 91 D5 B1 04 00 00 52 09 00 00 04 ..H........R....
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00 32 33 38 36 50 4B 05 06 00 00 00 00 01 00 01 .2386PK.........
  00 32 00 00 00 E3 04 00 00 00 00 .2.........
The underlying data protocol changed periodically. It was either a simple JSON, a list of key-value pairs similar to the properties file, or a proprietary format as shown below.
[collect_Head]device=Nexus 5X
[collect_Space]xadevicekey=xxxxx

[collect_Space]collentmod=opappresultmode
[collect_Space]registerUser=true
[collect_End]
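An added Python example, written for this page and not code from the post or from Triada, that puts the pieces of the C&C request together: the double-XOR loop and the positions where it leaks plaintext, a parser for the [section]key=value format shown above, a hand-rolled read of the zip central directory header that is checked against the captured bytes reproduced above, and a detection heuristic for the "file name equals file size" quirk. The two XOR keys are placeholders (the post does not disclose Triada's), and the plaintext request is constructed from the format the post shows.

```python
import io
import struct
import zipfile

# Assumed keys: the post does not disclose Triada's XOR passwords. These are
# placeholders chosen to expose the weakness (nine shared bytes out of twelve).
KEY1 = b"p4ssw0rd_one"
KEY2 = b"p4ssw0rd_two"

# Constructed request in the proprietary layout shown in the post.
SAMPLE_PLAINTEXT = (
    b"[collect_Head]device=Nexus 5X\n"
    b"[collect_Space]xadevicekey=xxxxx\n"
    b"\n"
    b"[collect_Space]collentmod=opappresultmode\n"
    b"[collect_Space]registerUser=true\n"
    b"[collect_End]\n"
)

# Tail of the captured request from the post: last bytes of the data
# descriptor, central directory header, file name, end-of-central-directory.
CAPTURED_TAIL = bytes.fromhex(
    "09 00 00 50 4B 01 02 14 00 14 00 08 00 08 00 4F"
    "91 F3 48 AE CF 91 D5 B1 04 00 00 52 09 00 00 04"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 32 33 38 36 50 4B 05 06 00 00 00 00 01 00 01"
    "00 32 00 00 00 E3 04 00 00 00 00"
)


def double_xor(data, key1=KEY1, key2=KEY2):
    """Two successive repeating-key XOR passes; the same call decrypts."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key1[i % len(key1)]
    for i in range(len(out)):
        out[i] ^= key2[i % len(key2)]
    return bytes(out)


def leaked_positions(key1=KEY1, key2=KEY2):
    """Offsets (mod key length) where both passes cancel and plaintext leaks.
    Assumes equal-length keys, which is the case the post describes."""
    if len(key1) != len(key2):
        raise ValueError("leak analysis assumes equal-length keys")
    return [i for i in range(len(key1)) if key1[i] == key2[i]]


def parse_collect_format(text):
    """Parse '[section]key=value' lines into {section: {key: value}}; stop at [collect_End]."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("[") or "]" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        section, _, rest = line[1:].partition("]")
        if section == "collect_End":
            break
        key, sep, value = rest.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {line!r}")
        result.setdefault(section, {})[key] = value
    return result


def build_cnc_request(plaintext=SAMPLE_PLAINTEXT):
    """Encrypt, name the file after its byte length, zip it: the POST body."""
    enc = double_xor(plaintext)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(str(len(enc)), enc)
    return buf.getvalue()


def parse_central_directory(blob):
    """Read the first central directory header by hand (46-byte fixed part
    followed by the name). Locates it via the EOCD record, falling back to a
    signature scan for partial captures such as CAPTURED_TAIL."""
    idx = -1
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd >= 0 and eocd + 22 <= len(blob):
        cd_off = struct.unpack_from("<I", blob, eocd + 16)[0]
        if blob[cd_off:cd_off + 4] == b"PK\x01\x02":
            idx = cd_off
    if idx < 0:
        idx = blob.find(b"PK\x01\x02")
    if idx < 0:
        raise ValueError("no central directory header")
    (_sig, _made, _need, flags, method, _mtime, _mdate, crc, csize, usize,
     nlen, _xlen, _clen, _disk, _iattr, _eattr, _off) = struct.unpack_from(
        "<4sHHHHHHIIIHHHHHII", blob, idx)
    name = blob[idx + 46: idx + 46 + nlen].decode("ascii")
    return {"name": name, "uncompressed_size": usize, "compressed_size": csize,
            "method": method, "flags": flags, "crc32": crc,
            "name_is_size": name == str(usize)}


def looks_like_triada_upload(body):
    """Heuristic: a zip with exactly one member named after its own decimal size."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return len(infos) == 1 and infos[0].filename == str(infos[0].file_size)


def decode_cnc_request(body):
    """Unzip, undo the double XOR, and parse the request fields."""
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        enc = zf.read(zf.infolist()[0])
    return parse_collect_format(double_xor(enc).decode("utf-8"))
```

Run against the captured bytes, parse_central_directory confirms the quirk on a real sample (name "2386", uncompressed size 2386, deflate, flag bit 3 set); run against a body produced by build_cnc_request, looks_like_triada_upload fires and decode_cnc_request recovers the fields. The detector is deliberately narrow: legitimate zip uploads almost never name a member after its byte count, so the rule is cheap to deploy on a proxy without a high false-positive rate, while the leaked_positions output shows why "encrypting twice" with two related passwords adds nothing.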
When Triada was discovered, we implemented detection that removed Triada samples from all devices with Google Play Protect. This implementation, combined with the increased security on newer Android devices, made it significantly harder for Triada to infect devices.

When rooting doesn’t work…

During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevated privileges, Triada evolved to become a pre-installed Android framework backdoor. The changes to Triada included an additional call in the Android framework log function, shown in the decompiled excerpt below with the configuration string "cf89450001" passed as its last argument.
  LABEL_13:
    v18 = -1;
  LABEL_18:
    j___config_log_println(v7, v6, v10, v11, "cf89450001");
    if ( v10 )
This backdoored log function version of Triada was first described by Dr.Web in July 2017. The blog post includes a description of Triada code injection methods.
By backdooring the log function, the additional code executes every time the log method is called (that is, every time any app on the phone tries to log something). These log attempts happen many times per second, so the additional code is running non-stop. The additional code also executes in the context of the app logging a message, so Triada can execute code in any app context. The code injection framework in early versions of Triada worked on Android releases prior to Marshmallow.
The main purpose of the backdoor function was to execute code in another app’s context. The backdoor attempts to execute additional code every time the app needs to log something. Triada developers created a new file format, which we called MMD, based on the file header.
The MMD format was an encrypted version of a DEX file, which was then executed in the app context. The encryption algorithm was a double XOR loop with two different passwords. The format is illustrated below.
Each MMD file had a specific file name of the format <MD5 of the process name>36.jmd. By using the MD5 of the process name, the Triada authors tried to obscure the injection target. However, the pool of all available process names is fairly small, so this hash was easily reversible.
We identified two code injection targets: com.android.systemui (the System UI app) and com.android.vending (the Google Play app). The first target was injected to get the REAL_GET_TASKS permission. This is a signature-level permission, which means that it can’t be held by ordinary Android apps.
Starting with Android Lollipop, the getRecentTasks() method is deprecated to protect users’ privacy. However, apps holding the REAL_GET_TASKS permission can still get the result of this method call. To hold the REAL_GET_TASKS permission, an app has to be signed with a specific certificate, the device’s platform cert, which is held by the OEM. Triada didn’t have access to this cert. Instead it executed additional code in the System UI app, which has the REAL_GET_TASKS permission.
The injected code returned the app running on top (the activity running in the foreground and being actively used by the device user) to other apps on the device. This app was exposed using two methods: an intent or a socket created for this purpose. When an app on the device sent the intent or wrote to a socket created by Triada’s code injection, it received the package name of the app running on top. Triada used the package name to determine if an ad was displayed. The assumption was that if the app running on top was a browser, the user would expect to see some ads, so Triada displayed ads from the background.
The second injection target was the Google Play app. This injection supported five commands and the responses to them. The supported commands are shown below in Chinese, the language used throughout the Triada app and injection, with an English translation beside each.
  1. 下载请求 (download request)
  2. 下载结果 (download result)
  3. 安装请求 (install request)
  4. 安装结果 (installation result)
  5. 激活请求 (activation request)
  6. 激活结果 (activation result)
  7. 拉活请求 (pull request)
  8. 拉活结果 (pull result)
  9. 卸载请求 (uninstall request)
  10. 卸载结果 (uninstall result)
The commands trigger the heartbeat (pull request), download, installation, uninstallation (in the Google Play app context), and activation (the first execution) of the apps. In the Google Play app context, installation meant that Triada didn’t have to turn on installation from unknown sources and all app installs looked like they were from Google Play.
The apps were downloaded from the C&C server and the communication with the C&C was encrypted using the same custom encryption routine using double XOR and zip. The downloaded and installed apps used the package names of unpopular apps available on Google Play. They didn’t have any relation to the apps on Google Play apart from the same package name.
The last piece of the puzzle was the way the backdoor in the log function communicated with the installed apps. This communication prompted the investigation: the change in Triada behavior mentioned at the beginning of this section made it appear that there was another component on the system image. The apps could communicate with the Triada backdoor by logging a line with a specific predefined tag and message.
The reverse communication was more complicated. The backdoor used Java properties to relay a message to the app. These properties were key-value pairs similar to Android system properties, but they were scoped to a specific process. Setting one of these properties in one app context ensures that other apps won’t see this property. Despite that, some versions of Triada indiscriminately created the properties in every single app process.
The diagram below illustrates the communication mechanisms of the Triada backdoor.
Communication mechanisms of Triada

Reverse engineering countermeasures and development

The Triada backdoor was hidden to make the analysis harder. The strings in the Android framework library that related to Triada activities were encrypted, as shown below.
Android framework strings
The strings were encrypted using the algorithm of two XOR loops. However, the first highlighted string, 36.jmd, wasn’t encrypted. This is the MMD file name string mentioned before.
Another anti-analysis measure implemented by the Triada authors was function padding, including additional exported functions that don't serve any purpose apart from making the file size bigger and the function layout more random with every compilation. Four types of these functions are shown in the screenshots below.
Example of function padding
One final interesting feature of Triada worth mentioning is the development cycle. By analyzing subsequent versions of the Triada backdoor (up to 1.5.1) we saw the changes in the code. In the newest version, they substituted MD5 with SHA1. This is used to hash the filenames, which come from a restricted pool of values. The newest version also encrypted the 36.jmd string and introduced changes to the code for compatibility with Android Nougat.
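The file-name obfuscation described above (MD5 of the target process name plus 36.jmd, SHA1 in version 1.5.1) is weak precisely because the pool of plausible process names is small. The following added example, which is not code from the blog post or from Triada, shows the defender-side reversal: it precomputes both hashes for a list of candidate process names and matches file names from a system-image listing against that table. The two confirmed targets come from the analysis; the other candidate names and the directory paths are constructed for illustration.

```python
"""Recover Triada MMD injection targets from their hashed file names.

Added example, not code from the Google blog post or from Triada itself.
Triada named each MMD payload <hash of target process name>36.jmd, using
MD5 in early versions and SHA1 in version 1.5.1. Because the set of
plausible Android process names is small, the hash is reversed by
precomputing it for every candidate and looking file names up in that table.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

MMD_SUFFIX = "36.jmd"          # fixed suffix reported in the analysis
HASH_ALGOS = ("md5", "sha1")   # MD5 in early builds, SHA1 in version 1.5.1

# Candidate injection targets. The first two are the confirmed targets from
# the analysis; the rest are common Android package names added here as a
# constructed illustration of how small the search space is.
CANDIDATE_PROCESSES = [
    "com.android.systemui",
    "com.android.vending",
    "com.android.phone",
    "com.android.settings",
    "com.android.chrome",
    "com.google.android.gms",
    "com.google.android.gsf",
    "android",
]


def mmd_filename(process_name: str, algo: str = "md5") -> str:
    """Build the MMD file name Triada would use for a given target process."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    digest = hashlib.new(algo, process_name.encode("utf-8")).hexdigest()
    return digest + MMD_SUFFIX


def build_lookup(candidates: List[str]) -> Dict[str, Tuple[str, str]]:
    """Precompute file name -> (process name, hash algorithm) for all candidates."""
    table: Dict[str, Tuple[str, str]] = {}
    for name in candidates:
        for algo in HASH_ALGOS:
            table[mmd_filename(name, algo)] = (name, algo)
    return table


def resolve_mmd_filename(
    filename: str, candidates: List[str] = CANDIDATE_PROCESSES
) -> Optional[Tuple[str, str]]:
    """Return (target process, hash algorithm) if the file name is an MMD name
    derived from one of the candidates, otherwise None."""
    name = filename.rsplit("/", 1)[-1].lower()
    if not name.endswith(MMD_SUFFIX):
        return None
    return build_lookup(candidates).get(name)


def scan_filenames(
    filenames: List[str], candidates: List[str] = CANDIDATE_PROCESSES
) -> List[Tuple[str, str, str]]:
    """Scan a list of paths (for example a system-image file listing) and
    report every MMD file name that resolves to a known injection target."""
    lookup = build_lookup(candidates)
    hits = []
    for path in filenames:
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(MMD_SUFFIX) and name in lookup:
            target, algo = lookup[name]
            hits.append((path, target, algo))
    return hits


if __name__ == "__main__":
    # Constructed listing: one MD5-named and one SHA1-named MMD file among
    # noise. The directory is an assumption, not a path from the analysis.
    listing = [
        "/data/local/tmp/" + mmd_filename("com.android.systemui", "md5"),
        "/data/local/tmp/" + mmd_filename("com.android.vending", "sha1"),
        "/data/local/tmp/" + "0" * 32 + MMD_SUFFIX,  # hash of an unknown name
        "/system/framework/framework.jar",
    ]
    for path, target, algo in scan_filenames(listing):
        print(f"{path} -> injects into {target} ({algo})")
```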
There are also code stubs pointing at the modification of the SystemUI and WebView Android framework elements. We couldn’t find the code that was executed by these modifications, just code stubs suggesting more development in the future.

OEM outreach

Triada infects device system images through a third party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development.
Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.
Production process with malicious party
We coordinated with the affected OEMs to provide system updates and remove traces of Triada. We also scan for Triada and similar threats on all Android devices.
OEMs should ensure that all third-party code is reviewed and can be tracked to its source. Additionally, any functionality added to the system image should only support requested features. It’s a good practice to perform a security review of a system image after adding third-party code.

Summary

Triada was inconspicuously included in the system image as third-party code for additional features requested by the OEMs. This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air (OTA).
By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates.
The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.
We are also performing a security review of system images through the Build Test Suite. You can read more about this program in the Android Security 2018 Year in Review report. Triada indicators of compromise are one of many signatures included in the system image scan. Additionally, Google Play Protect continues to track and remove any known versions of Triada and Triada-related apps it detects from user devices.

4 Tips to Protect Your Information During Medical Data Breaches

As the companies we trust with our data become more digital, it’s important for users to realize how this affects their own cybersecurity. Take your medical care provider, for instance. You walk into a doctor’s office and fill out a form on a clipboard. This information is then transferred to a computer where a patient Electronic Health Record is created or added to. We trust that our healthcare provider has taken the proper precautions to safely store this data. Unfortunately, medical data breaches are on the rise with a 70% increase over the past seven years. In fact, medical testing company LabCorp just announced that it experienced a breach affecting approximately 7.7 million customers.

How exactly did this breach occur? The information was exposed as a result of an issue with a third-party billing collections vendor, American Medical Collection Agency (AMCA). The information exposed includes names, addresses, birth dates, balance information, and credit card or bank account information provided by customers to AMCA. This breach comes just a few days after Quest Diagnostics, another company who worked with AMCA, announced that they too experienced a breach affecting 11.9 million users.

Luckily, LabCorp stated that they do not store or maintain Social Security numbers and insurance information for their customers. Additionally, the company provided no ordered test, lab results, or diagnostic information to AMCA. LabCorp stated that they intend to provide 200,000 affected users with more specific information regarding the breach and offer them identity protection and credit monitoring services for two years. And after receiving information on the possible security compromise, AMCA took down its web payments page and hired an external forensics firm to investigate the situation.

Medical data is essentially nonperishable in nature, making it extremely valuable to cybercrooks. It turns out that quite a few security vulnerabilities exist in the healthcare industry, such as unencrypted traffic between servers, the ability to create admin accounts remotely, and disclosure of private information. These types of vulnerabilities could allow cybercriminals to access healthcare systems, as our McAfee Labs researchers discovered. If someone with malicious intent did access the system, they would have the ability to permanently alter medical images, use medical research data for extortion, and more.

Cybercriminals are constantly pivoting their tactics and changing their targets in order to best complete their schemes. As it turns out, medical data has become a hot commodity for cybercrooks. According to the McAfee Labs Threats Report from March 2018, the healthcare sector has experienced a 210% increase in publicly disclosed security incidents from 2016 to 2017. The McAfee Advanced Threat Research Team concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

While medical care providers should do all that they can to ensure the security of their patients, there are steps users can take to help maintain their privacy. If you think your personal or financial information might be affected by the recent breaches, check out the following tips to help keep your personal data secure:

  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blogs.

A Robust Federal Cybersecurity Workforce Is Key To Our National Security

The Federal government has long struggled to close the cybersecurity workforce gap. The problem has continued to get worse as the number of threats against our networks, critical infrastructure, intellectual property, and the millions of IoT devices we use in our homes, offices and on our infrastructure increase. Without a robust cyber workforce, federal agencies will continue to struggle to develop and execute the policies needed to combat these ongoing issues.

The recent executive order on developing the nation’s cybersecurity workforce was a key step to closing that gap and shoring up the nation’s cyber posture. The widespread adoption of the cybersecurity workforce framework by NIST, the development of a rotational program for Federal employees to expand their cybersecurity expertise and the “president’s cup” competition are all crucial to retaining and growing the federal cyber workforce. If we are to get serious about closing the federal workforce gap, we have to encourage our current professionals to stay in the federal service and grow their expertise to defend against the threats of today and prepare for the threats of tomorrow.

Further, we must do more to bring individuals into the field by eliminating barriers to entry and increasing the educational opportunities available to people so that there can be a strong, diverse and growing cybersecurity workforce in both the federal government and the private sector. Expanding scholarship programs through the National Science Foundation (NSF) and Department of Homeland Security (DHS) for students who agree to work for federal and state agencies will go a long way to bringing new, diverse individuals into the industry. Additionally, these programs should be expanded to include many types of educational institutions, including community colleges. Community colleges attract a different type of student than a 4-year institution, increasing diversity within the federal workforce while also tapping into a currently unused pipeline for cyber talent.

The administration’s prioritization of this issue is a positive step forward, and there has been progress made on closing the cyber skills gap in the U.S., but there is still work to be done. If we want to create a robust, diverse cyber workforce, the private sector, lawmakers and the administration must work together to come up with innovative solutions that build upon the recent executive order.

The post A Robust Federal Cybersecurity Workforce Is Key To Our National Security appeared first on McAfee Blogs.

What You Can Do to Reduce Your E-Waste This World Environment Day

Our love of technology and often biological need for new devices has created one of the biggest environmental issues of our time – e-waste. Today is World Environment Day – a great opportunity to ensure we are doing all we can to minimise landfill and protect our precious environment.

Over the last 12 months, BYO shopping bags, paper straws and ‘truly recyclable’ takeaway coffee cups have dominated our national environmental dialogue as essential ways to minimise future landfill. But with the average Aussie family generating a whopping 73 kg per year of e-waste, it’s critical that we turn our attention to our growing e-waste crisis this World Environment Day.

What is e-Waste?

E-Waste refers to old technology that you are no longer using. It includes microwaves, computers, TVs, batteries, screens, chargers, printer cartridges and even kitchen appliances.

High amounts of non-renewable resources such as plastic and precious metals (gold, silver, platinum, nickel, zinc, copper and aluminium) are found in e-waste. So, recycling these materials to make new electronics not only makes good financial sense but it also prevents products from winding up in a landfill.

According to experts, the average Aussie household owns a startling 17 devices, with predictions that this will increase to 27 by 2022. So, it’s clear that our e-waste problem needs to be tackled head-on.

How Much e-Waste Is Generated Annually?

In January, the United Nations and World Economic Forum reported that the world produces 50 million tonnes of e-waste a year – around the same mass as 125,000 jumbo jets which is more than all the commercial aircraft ever built!

But interestingly, e-waste isn’t all bad news. In 2017, the UN University estimated the value of raw materials in e-waste to be worth $US62.5 billion annually, which exceeds the GDP (gross domestic product) of 123 countries. So, the opportunities contained in effective e-waste management are not only environmental but financial, as economies could be bolstered and jobs could be created.

What Can We Do to Minimise It?

There are definitely steps we can all take to reduce our e-waste. While the obvious (less popular) strategy is to STOP purchasing new electronics, focusing on recycling and repurposing will go a long way to reducing our e-waste footprint. Here are my top tips:

  1. Repair or Refresh Your Current Devices

While we all love the idea of a shiny, new device, it’s often possible to repair or rejuvenate devices to avoid spending big bucks on a new one. Most devices can be repaired and even enhanced with a little expert ‘know-how’. I have spent a large chunk of my parenting career repairing and rescuing smartphones that were dropped, ‘washed’ or just deemed not ‘cool enough’. But the good news is that it doesn’t take much to fix these issues: screens can be replaced, faults can be rectified, and new covers can be purchased to re-energise ‘the look’. And don’t forget the power of a software upgrade to ensure your phone is operating at its peak performance. If you are an Apple user, why not book a visit to their Genius Bar and let their staff show you how to get your device working at its optimum level?

  2. Sell or Give Away Your Unwanted Electronics

One of the easiest ways to manage your unwanted electronic devices is to rehome them. Gumtree and eBay are great online marketplaces to make a bit of extra cash by selling your obsolete devices. I know my boys have taken great delight in making a few extra bucks selling old phones and iPads over the years. Many charities also welcome donations of pre-loved smartphones or laptops so they can rehome them to people in Australia and overseas who just can’t afford to purchase their own. But don’t forget to wipe the data from your devices, remove your SIM cards and ideally do a factory reset of the phone to protect your privacy.

  3. Repurpose Your Old Smartphone

Instead of throwing out your old phone, why not repurpose it? Consider using it as a standalone GPS device in your car, or perhaps dedicate it to your family’s music collection. Or why not turn it into a stand-alone home security camera? Or even a baby monitor or a Google Home speaker? The possibilities are endless.

  4. Turn Your Smartphone into a Child-Friendly Entertainment Device

If your little ones are after their ‘own phone’ then why not turn your old one into a custom child-friendly device? It’s super easy to set a passcode and turn age-appropriate restrictions on. Within minutes, you can lock down the device and turn off access to anything you don’t want your child to get involved with. This includes the camera, web browser and permission to install apps. Genius!

  5. Organise Your Current Fleet Before You Buy Anything New

Before you invest in new devices, organise what you already own to make sure you really need to make that purchase. A clean-up of desks, cupboards and kitchen drawers may yield a stash of chargers, USB sticks, hard drives and even old smartphones you had forgotten about. And consider sharing gadgets and chargers between family members to avoid buying new items.

  6. Recycle, Recycle, Recycle

But if you decide it’s time to say farewell to your old devices, PLEASE recycle them properly. Many e-waste experts, including Craig Reucassel, environmental champion from the ABC’s ‘War on Waste’, believe the biggest challenge to reducing e-waste is getting devices out of people’s drawers and garages and into designated recycling stations.

But the good news is that there are a number of user-friendly recycling options available:

  1. TechCollect is a free Australia-wide e-waste recycling initiative which is funded by some of the leading tech brands with the aim of avoiding landfill. Check out their website for the closest recycling centre to you.
  2. Mobile Muster provides mobile phone recycling facilities in Australia with over 3000 drop locations. Check out your closest drop-off point on their website.
  3. Many local councils also offer recycling options for e-waste. Why not contact yours to find out your options?
  4. Consider recycling your smartphone to support your favourite charity. It is now possible to recycle your phone and benefit your favourite charity at the same time. For no cost to the consumer, the Aussie Recycling Program (ARP) will recycle your phone and donate the profits to your nominated charity. They will either sell it on, recycle it or break it down into small parts that can be sold to manufacturers.

With e-waste set to become one of the biggest environmental issues of our generation, it’s time we all took responsibility for our unloved tech goods. If you are a closet hoarder, it’s time to workshop these issues quickly. Because our failure to take action could mean our discarded devices with their toxic by-products end up in landfill potentially polluting our waterways and food supply. So, let’s make this a priority!

Alex xx

The post What You Can Do to Reduce Your E-Waste This World Environment Day appeared first on McAfee Blogs.

Is Trouble Brewing for Owners of Smart Coffee Makers and Kettles?

There’s an undeniable appeal to a smart coffee maker that knows when you wake up so you’re never left without a freshly brewed pot. Or a smart tea kettle that heats water to the perfect temperature for brewing your favorite varietal. But does the convenience of automation put your personal data up for grabs? Could smart coffee makers and kettles actually leave you vulnerable to cybercrime?

On the latest episode of “Hackable?” we answer these important questions about the proliferation of smart home devices — and settle the coffee vs tea debate once and for all with a hacking competition between two teams of white-hats. Listen and learn if there’s more trouble brewing for owners of smart coffee makers or tea kettles.

Listen now to the award-winning podcast “Hackable?”

The post Is Trouble Brewing for Owners of Smart Coffee Makers and Kettles? appeared first on McAfee Blogs.

IDG Contributor Network: Security and the boardroom: From advantage to imperative

Over the past year, all around the world, corporate IT teams watched in horror as one expensive and damaging corporate security breach after another popped up in the headlines. But the flashy ones that made the news are only a fraction of the ones that actually occurred. The use of digital technology expands every day, and so does the number of cyber criminals lurking on the Darknet who are ready and willing to take advantage of any weaknesses in the tech they can spot. As a result, as highlighted in CSO’s 2018 US State of Cybercrime Survey, organizations of all shapes and sizes have borne an onslaught of cyber-attacks and incurred billions in financial losses.

Australian National University hit by huge data breach

Vice-chancellor says hack involved personal and payroll details going back 19 years

The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.

The university has confirmed an estimated 200,000 people have been affected by the hack, based on student numbers each year and staff turnover.


Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online?

Take it down, please. 

The above is a typical text message parents send to kids when they discover their child has posted something questionable online. More and more, however, it’s kids who are sending this text to parents who habitually post about them online.

Tipping Point

Sadly — and often unknowingly — parents have become some of the biggest violators of their children’s privacy. And there’s a collective protest among kids that’s expressing itself in different ways. Headlines reflect kids reining in their parents’ posting habits and parents choosing to pull all photos of their kids offline. There’s also a younger generation of voices realizing the effect social media has had on youth, which could be signaling a tipping point in social sharing.

Ninety-two percent of American children have an online presence before the age of 2, and parents post nearly 1,000 images of their children online before their fifth birthday, according to Time. Likewise, in a 2017 UNICEF report, the children’s advocacy group called the practice of “sharenting” – parents sharing information online about their children – harmful to a child’s reputation and safety.

Digital Footprint

This sharenting culture has fast-tracked our children’s digital footprints, which often begin in the womb. Kids now have a digital birth date — the date of the first upload, usually a sonogram photo — in addition to their actual birth date. Sharing the details of life has become a daily routine, with many parents not thinking twice before sharing birthdays, awards, trips, and even more private moments such as bath time or potty training mishaps.

Too often, what a parent views as a harmless post, a child might see as humiliating, especially during the more sensitive teen years. Oversharing can impact a child’s emotional health as well as the parent-child relationship, according to a University of Michigan study.

Diminishing Privacy 

So how far is too far when it comes to the boundaries between public and private life? And, what are the emotional, safety, and privacy ramifications to a child when parents overshare? The sharenting culture has forced us all to consider these questions more closely.

Children’s diminishing privacy is on advocacy agendas worldwide. Recently, the UK Children’s Commissioner released a report called “Who Knows About Me?” that put a spotlight on how we collect and share children’s data and how this puts them at risk.

5 safe sharing tips for families

  1. Stop and think. Be intentional about protecting your child’s privacy. Before you upload a photo or write a post, ask yourself, “Do I really need to share this?” or “Could this content compromise my child’s privacy (or feelings) today or in the future?”
  2. Ask permission. Before publicly posting anything about your child, ask for his or her permission. This practice models respect and digital responsibility. If posting a group photo that includes other children, ask both the child’s consent and his or her parent’s.
  3. Keep family business private. Resist sharing too much about your family dynamic — good or bad — online. Sharing your parenting struggles or posting details about what’s going on with you and your child could cause embarrassment and shame and irreparably harm your relationship.
  4. Consider a photo purge. With your child’s wellbeing, safety, and privacy in mind — present and future — consider going through your social networks and deleting any photos or posts that don’t need to be public.
  5. Talk to kids about the freedom of expression. Every person who logs on to the internet can expect fundamental freedoms, even kids. These include the right to privacy, how our data is shared, and the freedom of expression online. Discuss these points with your children in addition to our collective digital responsibilities such as respect for others, wise posting, downloading legally, citing works properly, and reporting risky behavior or content.

When it comes to parenting, many of us are building our wings on the way down, especially when it comes to understanding all the safety implications around data privacy for children. However, slowing down to consider your child’s wellbeing and privacy with every post is a huge step toward creating a better, safer internet for everyone.

The post Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online? appeared first on McAfee Blogs.

Quest Diagnostics Breached Through Third-Party Billing Collections Vendor

Quest Diagnostics has reported that nearly 12 million patients may have been impacted by a breach of American Medical Collection Agency (AMCA), the medical testing company’s third-party billing provider. According to a data breach filing with the Securities and Exchange Commission, as many as 11.9 million patients may have had their credit card, banking, medical information, and other personal details stolen.

Quest has confirmed that because AMCA does not handle lab results, this information was not affected by the breach. It has also stopped sending collections requests through AMCA while the breach is under investigation, and has hired outside security experts to get a better sense of the damage.

On May 14, AMCA alerted Quest to the potential breach of its web payments page. The data breach filing indicates that between August 1, 2018 and March 30, 2019, an unauthorized party had access to AMCA’s system, which allowed them to inject malicious code into the payments pages. They were then able to skim and collect the information users entered.

According to TechCrunch, this is the second breach affecting Quest customers in three years. In 2016, the company announced the breach of its MyQuest patient portal, which allowed access to the test results and personal information of 34,000 patients.

Your company takes the security of its software seriously. If you want to prove to your customers that you make it a priority, you have to check out Veracode Verified.

The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.

Cyber Security Roundup for May 2019

May 2019 was the busiest month of the year for critical security vulnerabilities and patch announcements. The standout was a Microsoft critical security update for Windows, rated with a CVSS score of 9.8 out of 10. This update fixes CVE-2019-0708, aka 'BlueKeep', which if exploited could allow the rapid propagation of malware (i.e. a worm) across networked devices, similar to the devastating WannaCry ransomware attacks of 2017. Such is the concern at Microsoft that they have released BlueKeep patches for their unsupported versions of Windows (i.e. XP, Vista, Server 2003), a very rare occurrence. Researchers at Errata Security said they have found almost one million internet-connected systems which are vulnerable to the BlueKeep bug.

A zero-day Microsoft vulnerability was also reported by an individual called 'SandboxEscaper', which I expect Microsoft will patch as part of their monthly patch cycle in June. And a past Microsoft vulnerability, CVE-2019-0604, which has a security update available, has been reported as being actively exploited by hackers.

There were also critical security vulnerabilities and patch releases for Adobe, Drupal, Cisco devices, WhatsApp and Intel processors. The WhatsApp vulnerability (CVE-2019-3568) grabbed the mainstream news headlines. Impacting both iPhone and Android versions of the encrypted mobile messaging app, the flaw was exploited by a toolkit that an Israeli firm called NSO coded and sold to various government agencies. The NSO toolkit, called Pegasus, granted access to a smartphone's call logs and text messages, and could covertly enable and record the camera and microphone. New and fixed versions of WhatsApp are available on the App Store, so update.

Political and UK media controversy surrounding the Huawei security risk went into overdrive in May after Google announced it would be placing restrictions on the Chinese telecoms giant's access to its Android operating system. For further details see my separate post, The UK Government Huawei Dilemma and the Brexit Factor, and the Huawei section towards the end of this post.

May was a 'fairly quiet' month for data breach disclosures. There were no media reports about UK pub chain Greene King after it emailed customers of its gift card website to tell them the website had been hacked and their personal data compromised; I covered this breach in a blog post after being contacted by concerned Greene King voucher customers. It seems that TalkTalk did not inform at least 4,500 customers that their personal information was stolen as part of the 2015 TalkTalk data breach: BBC consumer show Watchdog investigated and found the personal details of approximately 4,500 customers available online after a Google search. The Equifax data breach recovery has surpassed $1 billion in costs after it lost 148 million customer records in a 2017 security breach.

The UK army is to get a new UK-based Cyber Operations Centre to help it conduct offensive cyber operations against 'enemies', following a £22 million investment announced by the defence secretary Penny Mordaunt. She said: "it is time to pay more than lip service to cyber. We know all about the dangers. Whether the attacks come from Russia, China or North Korea. Whether they come from hacktivists, criminals or extremists. Whether it's malware or fake news. Cyber can bring down our national infrastructure and undermine our democracy." The army's cyber operations centre will be up and running next year and should help to plug a 'grey area' between the British security intelligence services and the military.

Action Fraud and the Financial Conduct Authority (FCA) said UK victims lost £27 million to cryptocurrency and foreign exchange investment scams last year, triple the losses of the previous year.

The 2019 Verizon Data Breach Investigations Report was released, a key report for understanding what cyber threat actors have been up to and what they are likely to target next.

BLOG

NEWS
VULNERABILITIES AND SECURITY UPDATES
HUAWEI NEWS AND THREAT INTELLIGENCE
AWARENESS, EDUCATION AND THREAT INTELLIGENCE