Monthly Archives: June 2020

How Entertaining Ourselves at Home Has Become a Risky Business

Online entertainment is certainly having a moment. While we all stayed home and socially distanced, many of us filled our time binge-watching movies and TV series, and wasn’t it fabulous! But did you know that researching your next binge-watching project could actually be putting you at risk?

Aussies Love TV

There is no doubt that us Aussies love our TV and the statistics confirm this. With over three-quarters of Aussies watching TV and over two-thirds browsing the internet to pass the time during lockdown, we are clearly a country of screen-time professionals. And with just under a million new Aussies gaining access to a streaming service in their household, it seems everyone is doing their bit to support the entertainment industry!

But streaming isn’t cheap and can add up fast (particularly when you have multiple accounts) prompting many of us to look for free alternatives. And our desire to save a buck or two when trying to find our next binge-watching project hasn’t escaped the attention of cybercriminals who have a knack for crafting convincing scam strategies that are in sync with consumer trends.

What’s the Most Targeted Show to Search For?

McAfee analysed over 100 of the top ‘talked about’ entertainment titles available across the leading streaming providers here in Australia and identified the 10 most targeted shows (both TV and film) to search for.

The series Unorthodox and the movie Ace Ventura took top place in their respective categories as having the highest ‘web search risk’, which means cybercriminals have put a lot of effort into developing scams around these titles. Scams could include websites offering free downloads of these titles that require you to enter your personal information, or pirated videos that contain malware which could access the private data on your device.

Here are the top 10 riskiest shows in both categories:

Series – Australian Top 10 Most Targeted

  1. Unorthodox
  2. You
  3. Family Guy
  4. Big Mouth
  5. Homeland
  6. The Vampire Diaries
  7. Dynasty
  8. Lost
  9. Brooklyn Nine-Nine
  10. Stranger Things

Movies – Australian Top 10 Most Targeted

  1. Ace Ventura
  2. Green Book
  3. John Wick
  4. Machinist
  5. Annihilation
  6. Ex Machina
  7. A Star Is Born
  8. Fyre
  9. Lady Macbeth
  10. Bird Box

Horror and Thriller Films seem to be the trend!

It appears as though our love for horror and thriller films may be putting us in danger, with five of the top ten films most targeted by cybercriminals falling into these genres. With social distancing restrictions in place, Aussies are clearly seeking to add some thrill back into their lives which has opened up new opportunities for cybercriminals. Consumers need to be careful when it comes to searching for stimulating content to escape reality to ensure it doesn’t translate to real-life malware horror.

How You Can Stay Safe While Binge-Watching At Home

Now, I want to make it very clear – this news doesn’t mean you need to give up nights on the couch. Not at all! Instead, just follow a few simple steps and you can continue binge-watching to your heart’s content!

Here are my top tips for staying safe:

  1. Be Careful What You Click – if you are looking to catch up on the latest season of You or A Star Is Born, please only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from sources like iTunes or Amazon, instead of downloading a “free” version from a website that could contain malware.
  2. Do NOT use Illegal Streaming Sites – this is not negotiable! Many illegal streaming sites are riddled with malware disguised as pirated video files. Malware could cause you a world of pain. Not only could it cause your device to freeze or crash, it could steal sensitive information and give cybercrims unauthorized access to system resources. So, do your device a favor and stream your favourite show from a reputable source.
  3. Protect your Online Life with a Cybersecurity Solution – why not send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users to malicious websites.

So, when you are looking for your next binge-watching project, please take a moment before you download. Ensure the site you are accessing content from is legit (have you heard of it before? is it offering something for free when every other streaming service has a fee?) and if you are even a little unsure that it doesn’t look professional then DON’T click! The last thing you want is a bonus virus to interrupt your night in on the couch!

Happy Watching!!

Alex xx
The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

Why Should You Pay for a Security Solution?

Do you ever go a single day without using a digital device? The answer is probably not. According to the Digital 2019 report by Hootsuite and We Are Social, users spend almost 7 hours a day online. And due to the recent stay-at-home orders, that number has only increased (internet hits recently surged by between 50% and 70%). What’s more, U.S. households are now estimated to have an average of 11 connected devices – that’s almost 3 devices per person in my family!

As the use of devices, apps, and online services increases daily, so does the number of online threats consumers face. That’s why it is important that users consider what the best method is for securing their digital life.

My advice? Use a comprehensive security solution (and I’m not only saying this because I work for McAfee). Here’s why. 

The Limitations of Free Security Tools

Let’s be real – we all love free stuff (Costco samples anyone?). However, when it comes to my family’s security, am I willing to risk their safety due to the limitations of free solutions?  

Free tools simply don’t offer the level of advanced protection that modern technology users need. Today’s users require solutions that are as sophisticated as the threats they face, including everything from new strains of malware to hacking-based attacks. Free solutions also quite literally limit consumers’ online activity, as many impose limits on which browser or email program the user can use, which is inconvenient for the many people who already have a preferred browser or email platform (I know I do).

Free security solutions also carry in-app advertising for premium products or, more worryingly, may try to sell user data. And by advertising premium products, the vendor indirectly admits that a free solution doesn’t provide enough security. These tools also offer little to no customer support, leaving users to handle any technical difficulties on their own. What’s more, most free security solutions are meant for use on only one device, whereas the average consumer owns over three connected devices.

Security should provide a forcefield that covers users in every sense of the word – the devices they use, where they go online, how they manage and store information, and their personal data itself.

Connected Consumers Need Comprehensive Solutions

Today’s users need more than just free tools to live their desired digital life. To truly protect consumers from the evolving threat landscape, a security solution must be comprehensive. This means covering not only the user’s computers and devices, but also their connections and online behaviors. Because today’s users are so reliant on their devices and connections to bridge the gap between themselves and the outside world, security solutions must work seamlessly to shield their online activity – so seamlessly that they almost forget the solution is there. This provides the user with the protection they need without the added distractions of in-app advertising or the constant worry that their subpar solution might not secure them from common online threats.  

Why McAfee Matters

Free security products might provide the basics, but a comprehensive solution can protect the user from a host of other risks that could get in the way of living their life to the fullest. McAfee knows that users want to live their digital lives free from worry. That’s why we’ve created a line of products to help consumers do just that. With McAfee® Total Protection, users can enjoy robust security software with a comprehensive, yet holistic approach to protection.  

First, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats – specifically protecting the device and web browsing. The software’s detection capabilities are constantly being updated and enhanced, without compromising the performance of users’ devices.  

McAfee also provides users with protection while surfing the web, where they can face a minefield of malicious ads or fraudulent websites. These pesky threats are designed to download malware and steal private information. That’s why McAfee® LiveSafe and McAfee® Total Protection include McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. They also include McAfee® Identity Theft Protection, which helps users stay ahead of fraud with Dark Web monitoring and SSN Trace to see if personal information has been put at risk.

Finally, we can’t forget about the importance of mobile threat detection, given that consumers spend nearly half of their online time via their mobile devices. Hackers are fully aware that we live in a mobile world, and coincidentally they’ve stepped up mobile attacks. That’s why McAfee solutions provide multi-device protection so you can safely connect while on the go.  

With robust, comprehensive security in place, your family’s devices will be consistently protected from the latest threats in the ever-evolving security landscape. With all these devices safe, everyone’s online life is free from worry.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Why Should You Pay for a Security Solution? appeared first on McAfee Blogs.

System hardening in Android 11

In Android 11 we continue to increase the security of the Android platform. We have moved to safer default settings, migrated to a hardened memory allocator, and expanded the use of compiler mitigations that defend against classes of vulnerabilities and frustrate exploitation techniques.

Initializing memory

We’ve enabled forms of automatic memory initialization in both Android 11’s userspace and the Linux kernel. Uninitialized memory bugs occur in C/C++ when memory is used without having first been initialized to a known safe value. These types of bugs can be confusing, and even the term “uninitialized” is misleading. Uninitialized may seem to imply that a variable has a random value. In reality it isn’t random. It has whatever value was previously placed there. This value may be predictable or even attacker controlled. Unfortunately this behavior can result in a serious vulnerability such as information disclosure bugs like ASLR bypasses, or control flow hijacking via a stack or heap spray. Another possible side effect of using uninitialized values is advanced compiler optimizations may transform the code unpredictably, as this is considered undefined behavior by the relevant C standards.

In practice, uses of uninitialized memory are difficult to detect. Such errors may sit in the codebase unnoticed for years if the memory happens to be initialized with some "safe" value most of the time. When uninitialized memory results in a bug, it is often challenging to identify the source of the error, particularly if it is rarely triggered.

Eliminating an entire class of such bugs is a lot more effective than hunting them down individually. Automatic stack variable initialization relies on a feature in the Clang compiler (the -ftrivial-auto-var-init flag) which allows local variables to be initialized with either zeros or a pattern.

Initializing to zero provides safer defaults for strings, pointers, indexes, and sizes. The downsides of zero init are less-safe defaults for return values, and exposing fewer bugs where the underlying code relies on zero initialization. Pattern initialization tends to expose more bugs and is generally safer for return values and less safe for strings, pointers, indexes, and sizes.

Initializing Userspace:

Automatic stack variable initialization is enabled throughout the entire Android userspace. During the development of Android 11, we initially selected pattern in order to uncover bugs relying on zero init and then moved to zero-init after a few months for increased safety. Platform OS developers can build with `AUTO_PATTERN_INITIALIZE=true m` if they want help uncovering bugs relying on zero init.

Initializing the Kernel:

Automatic stack and heap initialization were recently merged into the upstream Linux kernel. We have made these features available on earlier versions of Android’s kernel, including 4.14, 4.19, and 5.4. These features enforce initialization of local variables and heap allocations with known values that cannot be controlled by attackers and are useless when leaked. Both features carry a performance overhead, but they also prevent undefined behavior, improving both stability and security.

For kernel stack initialization we adopted the CONFIG_INIT_STACK_ALL option from upstream Linux. It currently relies on Clang pattern initialization for stack variables, although this is subject to change in the future.

Heap initialization is controlled by two boot-time flags, init_on_alloc and init_on_free, with the former wiping freshly allocated heap objects with zeroes (think s/kmalloc/kzalloc in the whole kernel) and the latter doing the same before the objects are freed (this helps to reduce the lifetime of security-sensitive data). init_on_alloc is a lot more cache-friendly and has smaller performance impact (within 2%), therefore it has been chosen to protect Android kernels.

Scudo is now Android's default native allocator

In Android 11, Scudo replaces jemalloc as the default native allocator for Android. Scudo is a hardened memory allocator designed to help detect and mitigate memory corruption bugs in the heap, such as double frees, arbitrary frees, heap-based buffer overflows and use-after-free.

Scudo does not fully prevent exploitation but it does add a number of sanity checks which are effective at strengthening the heap against some memory corruption bugs.

It also proactively organizes the heap in a way that makes exploitation of memory corruption more difficult, by reducing the predictability of the allocation patterns, and separating allocations by sizes.

In our internal testing, Scudo has already proven its worth by surfacing security and stability bugs that were previously undetected.
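To make the two mechanisms above concrete, here is a small toy heap in C. It is an added example written for this page, not kernel or Scudo code: the pool, header format, checksum function and scenario functions are all constructed here. It models init_on_alloc / init_on_free from the kernel section as two switches on the allocator (wipe on hand-out, wipe on free), and the Scudo-style header check as a checksum verified when a chunk is freed, so an overflow from one chunk into its neighbour’s header, or a double free, is caught at free time instead of silently corrupting the heap.

```c
#include <stdint.h>
#include <string.h>

/* Toy heap constructed for this example (not Scudo or kernel code). It has
 * init_on_alloc / init_on_free as two switches, and a Scudo-style chunk
 * header whose checksum is verified when the chunk is freed. */

enum { POOL_SIZE = 4096, ALIGN = 16, MAX_FREE = 32 };

struct chunk_hdr {
    uint32_t size;     /* usable bytes the caller asked for */
    uint32_t state;    /* 1 = allocated, 0 = free */
    uint64_t checksum; /* covers size, state and the chunk's address */
};

struct toy_heap {
    unsigned char pool[POOL_SIZE];
    size_t top, nfree;                   /* bump pointer, free-list length */
    struct chunk_hdr *free_list[MAX_FREE];
    int init_on_alloc;                   /* zero user data when handed out */
    int init_on_free;                    /* zero user data when freed */
};

static uint32_t round_up(uint32_t n) { return (n + ALIGN - 1) & ~(uint32_t)(ALIGN - 1); }

/* Scudo uses a CRC32 of the header mixed with a per-process cookie; this
 * hash is a simplified stand-in for the example. */
static uint64_t hdr_checksum(const struct chunk_hdr *c) {
    uint64_t v = (uint64_t)(uintptr_t)c * 0x9E3779B97F4A7C15ULL;
    v ^= c->size ^ ((uint64_t)c->state << 32);
    return v ^ (v >> 29);
}

static void hdr_seal(struct chunk_hdr *c, uint32_t size, uint32_t state) {
    c->size = size; c->state = state; c->checksum = hdr_checksum(c);
}

void toy_heap_init(struct toy_heap *h, int init_on_alloc, int init_on_free) {
    memset(h, 0, sizeof *h);
    h->init_on_alloc = init_on_alloc; h->init_on_free = init_on_free;
}

void *toy_malloc(struct toy_heap *h, uint32_t size) {
    struct chunk_hdr *c = NULL;
    uint32_t need = round_up(size);
    /* Reuse the most recently freed chunk of the same rounded size; that
     * LIFO reuse is how stale data comes back when nothing wipes it. */
    for (size_t i = h->nfree; i > 0 && c == NULL; i--) {
        if (round_up(h->free_list[i - 1]->size) == need) {
            c = h->free_list[i - 1];
            h->free_list[i - 1] = h->free_list[--h->nfree];
        }
    }
    if (c == NULL) {
        if (h->top + sizeof *c + need > POOL_SIZE) return NULL;
        c = (struct chunk_hdr *)(h->pool + h->top);
        h->top += sizeof *c + need;
    }
    hdr_seal(c, size, 1);
    if (h->init_on_alloc) memset(c + 1, 0, need); /* "s/kmalloc/kzalloc/" */
    return c + 1;
}

/* Returns 0 on success, -1 when the header check fails (Scudo would abort).
 * A header overwritten by an overflow and a double free (state already 0)
 * both fail here. */
int toy_free(struct toy_heap *h, void *p) {
    if (p == NULL || h->nfree == MAX_FREE) return -1;
    struct chunk_hdr *c = (struct chunk_hdr *)p - 1;
    if (c->checksum != hdr_checksum(c) || c->state != 1) return -1;
    if (h->init_on_free) memset(p, 0, round_up(c->size)); /* shorten the secret's lifetime */
    hdr_seal(c, c->size, 0);
    h->free_list[h->nfree++] = c;
    return 0;
}

/* Write a secret, free it, allocate the same size again. Returns 1 if the
 * reused chunk still holds the secret, 0 if it was wiped. */
int stale_data_survives(int init_on_alloc, int init_on_free) {
    static struct toy_heap h;
    toy_heap_init(&h, init_on_alloc, init_on_free);
    char *a = toy_malloc(&h, 16);
    memcpy(a, "hunter2", 8);
    toy_free(&h, a);
    char *b = toy_malloc(&h, 16);
    return memcmp(b, "hunter2", 8) == 0;
}

/* Overflow one chunk into its neighbour's header; freeing the neighbour
 * trips the checksum. Returns 1 if the corruption was detected. */
int overflow_is_detected(void) {
    static struct toy_heap h;
    toy_heap_init(&h, 0, 0);
    char *a = toy_malloc(&h, 16);
    char *b = toy_malloc(&h, 16);
    memset(a, 'A', 24); /* 8 bytes past the end of a, into b's header */
    return toy_free(&h, b) == -1;
}
```

Calling stale_data_survives(0, 0) returns 1 (the secret comes back on reuse), while stale_data_survives(1, 0) and stale_data_survives(0, 1) both return 0; overflow_is_detected() returns 1. Note the trade-off the text describes: init_on_alloc wipes once per allocation and leaves the freed secret in memory until the chunk is reused, whereas init_on_free removes it immediately but touches memory that is about to go cold, which is why the kernel team found init_on_alloc cheaper.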

Finding Heap Memory Safety Bugs in the Wild (GWP-ASan)

Android 11 introduces GWP-ASan, an in-production heap memory safety bug detection tool that's integrated directly into the native allocator Scudo. GWP-ASan probabilistically detects and provides actionable reports for heap memory safety bugs when they occur, works on 32-bit and 64-bit processes, and is enabled by default for system processes and system apps.

GWP-ASan is also available for developer applications via a one-line opt-in in an app’s AndroidManifest.xml (the android:gwpAsanMode attribute on the application element), with no complicated build support or recompilation of prebuilt libraries necessary.

Software Tag-Based KASAN

Continuing work on adopting the Arm Memory Tagging Extension (MTE) in Android, Android 11 includes support for kernel HWASAN, also known as Software Tag-Based KASAN. Userspace HWASAN is supported since Android 10.

KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to find out-of-bounds and use-after-free bugs in the Linux kernel. Its Software Tag-Based mode is a software implementation of the memory tagging concept for the kernel. Software Tag-Based KASAN is available in 4.14, 4.19 and 5.4 Android kernels, and can be enabled with the CONFIG_KASAN_SW_TAGS kernel configuration option. Currently Tag-Based KASAN only supports tagging of slab memory; support for other types of memory (such as stack and globals) will be added in the future.

Compared to Generic KASAN, Tag-Based KASAN has significantly lower memory requirements (see this kernel commit for details), which makes it usable on dogfood testing devices. Another use case for Software Tag-Based KASAN is checking existing kernel code for compatibility with memory tagging. As Tag-Based KASAN is based on the same concepts as the future in-kernel MTE support, making sure that kernel code works with Tag-Based KASAN will ease in-kernel MTE integration later.
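As an added example (written for this page, not the kernel’s KASAN or MTE code), here is a userspace model in C of the scheme Software Tag-Based KASAN implements: memory is split into 16-byte granules, each granule has a tag in a shadow array, every pointer carries the tag of its allocation in its top byte (which arm64 hardware ignores when dereferencing, so real pointers can do the same), and each load or store compares the two. The heap, shadow array, deterministic tag rotation and the checked_load/checked_store functions are all constructed here; real KASAN picks tags randomly and has the compiler instrument every memory access. The three scenarios show why this mode catches both out-of-bounds access (the neighbouring granule carries a different tag) and use-after-free (freeing retags the memory).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of software tag-based checking, constructed for this example
 * (not the kernel's KASAN code). 16-byte granules, one 4-bit tag per granule
 * in a shadow array, and "pointers" that carry their allocation's tag in the
 * top byte. checked_load()/checked_store() stand in for compiler
 * instrumentation of every load and store. */

enum { GRANULE = 16, NGRANULES = 64, TAG_SHIFT = 56 };

typedef uint64_t tagged_ptr;             /* (tag << 56) | offset into heap */

static unsigned char heap[NGRANULES * GRANULE];
static uint8_t shadow[NGRANULES];        /* tag of each granule */
static size_t top_granule;
static uint8_t next_tag;

static uint8_t ptr_tag(tagged_ptr p) { return (uint8_t)(p >> TAG_SHIFT); }
static size_t ptr_addr(tagged_ptr p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }
static size_t granules_for(size_t size) { return (size + GRANULE - 1) / GRANULE; }

/* KASAN picks tags randomly; rotating through 1..15 keeps this deterministic. */
static uint8_t fresh_tag(void) { next_tag = (uint8_t)(next_tag % 15 + 1); return next_tag; }

void tag_heap_reset(void) { memset(shadow, 0, sizeof shadow); top_granule = 0; next_tag = 0; }

/* Allocate: every granule of the new object gets the same fresh tag. */
tagged_ptr tag_alloc(size_t size) {
    size_t ng = granules_for(size);
    if (top_granule + ng > NGRANULES) return 0;
    uint8_t t = fresh_tag();
    memset(shadow + top_granule, t, ng);
    tagged_ptr p = ((tagged_ptr)t << TAG_SHIFT) | (top_granule * GRANULE);
    top_granule += ng;
    return p;
}

/* Free: retag the granules, so any pointer still holding the old tag
 * (a use-after-free) mismatches from now on. */
void tag_free(tagged_ptr p, size_t size) {
    uint8_t t;
    do t = fresh_tag(); while (t == ptr_tag(p));
    memset(shadow + ptr_addr(p) / GRANULE, t, granules_for(size));
}

/* The check the instrumentation performs: the pointer tag must equal the
 * tag of every granule touched. Returns 1 if OK, 0 on a mismatch. */
static int tag_check(tagged_ptr p, size_t len, const char *what) {
    if (len == 0) return 1;
    size_t first = ptr_addr(p) / GRANULE, last = (ptr_addr(p) + len - 1) / GRANULE;
    for (size_t g = first; g <= last; g++) {
        if (g >= NGRANULES || shadow[g] != ptr_tag(p)) {
            fprintf(stderr, "tag mismatch on %s of %zu bytes at +%zu: pointer tag %x, memory tag %x\n",
                    what, len, ptr_addr(p), (unsigned)ptr_tag(p), g < NGRANULES ? (unsigned)shadow[g] : 0u);
            return 0;
        }
    }
    return 1;
}

int checked_store(tagged_ptr p, const void *src, size_t len) {
    if (!tag_check(p, len, "store")) return 0;
    memcpy(heap + ptr_addr(p), src, len); return 1;
}

int checked_load(tagged_ptr p, void *dst, size_t len) {
    if (!tag_check(p, len, "load")) return 0;
    memcpy(dst, heap + ptr_addr(p), len); return 1;
}

/* In-bounds accesses, including into the object's second granule, pass. */
int scenario_in_bounds(void) {
    char buf[8] = {0};
    tag_heap_reset();
    tagged_ptr p = tag_alloc(20);
    return checked_store(p, "hello", 6) && checked_load(p + 16, buf, 4);
}

/* Reading 16 bytes past a 16-byte object lands in the neighbour's granule,
 * which carries a different tag: out-of-bounds is detected. */
int scenario_oob_detected(void) {
    char buf[4];
    tag_heap_reset();
    tagged_ptr a = tag_alloc(16), b = tag_alloc(16);
    (void)b;
    return !checked_load(a + 16, buf, 4);
}

/* A store through a freed pointer: free retagged the memory, so detected. */
int scenario_uaf_detected(void) {
    tag_heap_reset();
    tagged_ptr p = tag_alloc(32);
    tag_free(p, 32);
    return !checked_store(p, "AAAA", 4);
}
```

All three scenario functions return 1. The limitation the text hints at is visible here too: with 4-bit tags a neighbour has a 1-in-15 chance of sharing a tag, and an access that stays inside the same 16-byte granule (an overflow of a few bytes within a 20-byte object’s last granule) is not caught, which is why the granularity and tag width matter when reading a report.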

Expanding existing compiler mitigations

We’ve continued to expand the compiler mitigations that were rolled out in prior releases as well. This includes adding both integer and bounds sanitizers to some core libraries that were lacking them. For example, the libminikin fonts library and the libui rendering library are now bounds sanitized. We’ve hardened the NFC stack by enabling both the integer overflow sanitizer and the bounds sanitizer in those components.

In addition to the hard mitigations like sanitizers, we also continue to expand our use of CFI as an exploit mitigation. CFI has been enabled in Android’s networking daemon, DNS resolver, and more of our core javascript libraries like libv8 and the PacProcessor.

The effectiveness of our software codec sandbox

Prior to the release of Android 10 we announced a new constrained sandbox for software codecs. We’re really pleased with the results: Android 10 is the first Android release since the infamous Stagefright vulnerabilities in Android 5.0 with zero critical-severity vulnerabilities in the media frameworks.

Thank you to Jeff Vander Stoep, Alexander Potapenko, Stephen Hines, Andrey Konovalov, Mitch Phillips, Ivan Lozano, Kostya Kortchinsky, Christopher Ferris, Cindy Zhou, Evgenii Stepanov, Kevin Deus, Peter Collingbourne, Elliott Hughes, Kees Cook and Ken Chen for their contributions to this post.

Foundational Cybersecurity Guidance for IoT Device Manufacturers: NISTIR 8259 Overview

Video Recording from the Event

On June 30, NIST will host a virtual-only event, Foundational Cybersecurity Guidance for IoT Device Manufacturers: NISTIR 8259 Overview. On May 29, NIST released final NISTIRs 8259 and 8259A, representing a major milestone in IoT cybersecurity. The publications present six foundational activities and a core baseline of IoT device cybersecurity capabilities for manufacturers as a starting point towards building more securable devices. NIST is now adapting NISTIRs 8259 and 8259A to formulate a federal profile that defines the cybersecurity device capabilities

McAfee XDR: Taking Threat Detection and Response to a New Level

In the battle to protect digital data, the stakes have never been higher, and the outcome has never been more uncertain.

Enterprises face ever-changing threats to their digital assets both inside and outside the traditional network perimeter from sophisticated threat actors, who use a changing assortment of techniques to find ways to skirt traditional security controls.

It’s also increasingly difficult for SOC teams to stay ahead of the attackers. Too often, they rely on an assortment of disconnected security tools and data sets supplied by different vendors. This is a flawed approach that requires multiple tools and consoles, driving up cost and the resources to make sense of the sea of data, leaving organizations with less visibility and manageability.

Many organizations still rely on EDR systems to get information about attacks against their endpoints that may be undetected or unclassified by traditional EPP solutions. However, enterprises nowadays require an extended protective umbrella that can defend not just legacy endpoints but also mobile and cloud workloads – all without overburdening in-house staff or requiring even more resources. Detecting today’s advanced threats requires more than a collection of point solutions. SOCs need a platform that intelligently reveals advanced adversaries, leading to better, faster security outcomes.

The Rise of XDR

Companies simply can’t afford not to have full visibility into who’s trying to attack them. Here is where the deployment of Extended Detection and Response (XDR) can have a powerful security impact. XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform.

Gartner defines XDR as a SaaS-based security threat detection and incident response tool that natively integrates different security products into a cohesive security operations system. That’s a mouthful, but in practice, XDR makes the job of defenders easier by delivering a full complement of security capabilities – everything from asset discovery and threat detection to vulnerability assessment, investigation and response. We see how detection efficacy drops when multiple platforms and consoles are required to identify and remediate threats. But with XDR, defenders have a single-pane view into their environment across different platforms, both on-prem and in the cloud.

It also changes the nature of threat hunting. Consider an organization that’s using a SIEM. While the system collects information in batches – typically from non-endpoint data sources and security countermeasures – that isn’t the same as delivering real-time results. Even if SOC teams try to get faster answers by stitching together custom tools to correlate data, they still lag behind the attackers.

By contrast, an XDR platform will offer access in real time to all necessary telemetry to conduct a hunt and retrieve results in seconds. That helps defenders streamline the process of triage and investigation and unlock insights that were previously unimaginable using previous security tools.

Making a Difference

XDR is not a bullet-point discussion. We’re talking about different needs, delivered in different ways, and for different customers and leveraging a unique set of multi-vendor sensors and countermeasures for each.

This is where a trusted partner with a broad portfolio makes all the difference in that customer journey. As cybercriminals and groups acting on behalf of nation-states step up their nefarious activities, the outcome of this struggle against bad actors turns on speed, reliability, and predictable security outcomes.

An innovator in this field, McAfee is particularly suited to help customers to meet that challenge with a sophisticated intelligence-driven security platform. As Gartner noted earlier this year in a wide-ranging report on XDR, McAfee’s approach leverages a deep technological understanding of the relationships in the underlying data to help speed rapid out-of-the box integration.

McAfee’s XDR also benefits from a rich security legacy and a deep product portfolio. We’re also uniquely equipped to provide actionable intelligence on security threats because we can access over one billion global sensors across devices, networks and in the cloud.

The mobilization of that full complement of security capabilities delivers more complete threat detection, investigation, and response than any other security provider. For instance, when enterprises implement the security products that comprise McAfee’s XDR solution, they also benefit from the following:

  • AI and Expert System Security Analytics
  • A single interface for detections at the endpoint, sandbox, network, Internet perimeter/edge/gateway, and cloud
  • Accurate threat prioritization that helps predict potential impact as well as any countermeasures to foil an attack – the only solution that does this in a concurrent manner
  • Combined threat and detection data from your environment for richer, more meaningful alerts as well as prescriptive configuration suggestions to improve protection efficiency
  • More context and intelligent correlation leading to faster detection and higher fidelity alerts

The upshot is that McAfee XDR dramatically reduces the time defenders need to detect, contain, and respond to threats. Our AI and Big Data analytics capabilities supply SOCs with threat and campaign insights before an attack changes course, so they avoid wasting time chasing false positives. Defenders get fewer and more meaningful alerts, making it easier to prioritize their response based on the severity and potential impact of a threat.

In a nutshell: McAfee XDR delivers a complete platform that gives SOCs visibility into how threats are impacting your key business processes, prioritization of response, and a fully integrated platform of security technologies.

While it may still not be ready for prime time,  XDR is poised to become an important part of the unfolding security story this year and beyond as more enterprises move their information to the cloud. It’s also why having an experienced partner by your side to help unlock the full benefits of a cohesive, unified security incident detection and response platform has never been more important.

For more information visit: mcafee.com/XDR

The post McAfee XDR: Taking Threat Detection and Response to a New Level appeared first on McAfee Blogs.

Meaningful Context for Your Endpoint Threat Investigations

Threat intelligence (TI), the art of distilling everything that is happening globally in the adversarial threatscape down to the context your company and your security team need in order to take mitigating action, is hard. Yet many companies continue to try to build a threat intelligence capability from the ground up, and find that their TI programs are not what they really want them to be. No wonder, then, that while 64% of companies say they have threat-intelligence programs, only 36% believe they would catch a sophisticated attacker, according to an Ernst & Young report on cyber threat intelligence. What is causing this gap in the effectiveness of TI programs?

A significant portion of the problem with TI is that human analysts must absorb the global TI, prioritize it for their organization, and then operationalize locally any intelligence relevant to their company – and that’s not easy! Having access to TI is only the first step on the road to adding context to the events that your team is seeing inside the network. Turning external threat feeds or data from a Threat Intelligence Program (TIP) into useful context for security teams, and then connecting that context to individual actions and projects, takes time and resources to produce results. The process is often slow and resource-intensive, further delaying detection. Less than 20% of breaches are stopped in a timely fashion (e.g. in a matter of hours), according to Verizon. Worse than that, knowing about a threat before you encounter it (e.g. a campaign) and then being breached while you’re still working on proactively tuning your countermeasures against that threat would be disastrous. A lack of timely, actionable context from TI is therefore a main contributor to NOT being proactively prepared for an attack. Is there any way to produce actionable context, appropriate for your organization, in a timely and resource-efficient manner? Is there any way to expand that context to threats that are NOT in your environment but are headed your way?

Threat Intelligence Context: Leverage EDR or not? 

As companies continue to deploy endpoint detection and response (EDR) on users’ machines, security teams are recognizing that the technology can detect anomalous behavior on the endpoint. But determining the degree to which those activities constitute a real threat that matters to you requires more context. Without the context to interpret whether an activity on the system is malicious or benign, companies are limited in their ability to do threat hunting. (Threat hunting is the practice of proactively searching for cyber threats that are hidden, undetected, in an organization’s environment.)

Without context-sensitive threat intelligence integrated with EDR, SOC teams are reduced to endlessly searching endpoint events for known IOCs associated with adversaries and then manually cross-correlating them with external TI. They have no way to automatically cross-correlate these events with known adversarial activities or known adversarial TTPs (e.g. knowing the C&C IP address), and they end up with a very low signal-to-noise (SN) ratio, wasting lots of time investigating things that turn out to be nothing because they miss the TI correlations. Having a way to incorporate TI in a contextual manner would really improve the signal-to-noise ratio and make the SOC team much more effective.

That’s where effective TI integration comes into play and separates effective TI programs from ineffective ones. With properly integrated TI, you should have easy access to things like crowdsourced attack data that identifies Tactics, Techniques and Procedures (TTPs). Once new TTPs have been identified by the cyber intelligence community, this gives threat hunters an easy, high-fidelity way to look for specific attack behaviors in the organization’s environment, knowing what attacks those TTPs are related to. With this kind of TI integration, the Security Operations Center (SOC) can more quickly identify threats and dramatically improve the signal-to-noise ratio for accurately prioritized investigations. However, I would argue that this is just table stakes. How can we take TI integration to the next level?

A truly superior TI integration would additionally provide prioritization of known threats based on things like whether the threat is targeting your industry sector and geography and, most importantly, predict the risk of your environment being impacted by the threat. This actionable TI would offer countermeasures and prescribe what you need to do if the countermeasures are predicted to be ineffective. With this next level of TI integration, the Security Operations Center (SOC) can actually become more proactive, by automating the analysis of threats that haven’t even been encountered by the organization. The organization is now prepared for attacks that EDR hasn’t even seen yet!

Reality check here, how many organizations have this level of context and integration on threats? Not many.  

The ones I am aware of today, are the current McAfee customers who participated in our Joint Development Program for MVISION Insights this past quarter.  

McAfee has created its MVISION Insights service to provide superior, integrated TI so that security teams can prioritize and predict threats by cross-correlating known campaigns, using industry and geographical threat activity, with their own security posture derived from their security telemetry, and prescribe the most effective way of dealing with the threat. This kind of solution empowers the SOC to move beyond manual TI cross-correlation to much more easily prioritizing the threats that matter, and from being reactive to being a lot more proactive.

MVISION Insights empowers McAfee MVISION EDR for the SOC analyst on many fronts by offering more actionable context so the SOC can be more proactive.

This kind of TI integration can reduce the unnecessary investigations that a SOC does and can also improve the speed and accuracy of the investigations that have resources assigned. By having the context of a threat (e.g. organized, curated TTPs for campaigns, the attack operation and objective, a list of IOCs, etc.), the SOC analyst can apply this context to a current investigation and really reduce the time and effort needed to complete it. Additional context like this can both eliminate unnecessary investigations and accelerate the remaining ones to decisive resolution.

TI Context is King But… 

We have seen that as EDR capabilities are adopted more widely, it is becoming increasingly clear that knowing what is happening on the endpoint and ‘looking for clues’ is not enough. Without meaningful and automated context from a properly integrated TI capability, companies are slower to identify malicious events, may not prioritize investigations of threats headed their way, and could take the wrong steps to remediate threats. The problem is that time is critical: an attacker can use a couple of days to do really bad things in your network. Effective, automated signal-to-noise improvement through a properly integrated TI program can help you quickly detect and hunt down attackers and be proactive against threats that are headed your way but are not yet in your environment.

Context is not just a brief write-up from a TIP or an external threat intelligence feed. Typically, a human must read, interpret and analyze that feed, which often leads to a significant delay in incorporating the information into the SOC response. In most cases, TI products do not offer enough remediation guidance; they just provide the threat profile.

A properly integrated TI program can solve these problems, and a superior TI integration can move the SOC to being proactive. McAfee’s MVISION Insights delivers actionable intelligence and context in an automated way that can augment and speed investigations and make the SOC proactive with respect to threats that haven’t even been detected in the organization. By freeing analysts from manual analysis of intelligence feeds, companies can catch more attacks more quickly and be proactive against threats targeting them.

Moreover, the insight does not come from a few instances or open-source feeds, but from the entire McAfee customer base across the globe, from over 1B sensors.

Many companies are delivering machine learning and artificial intelligence applications to security orchestration, automation and response. Very few possess the data and context from a customer base as large as ours.

Having the right TI context from a well-respected source with statistical reach, together with threat analysis that is actionable, gives organizations the confidence to address a sophisticated attacker before the attack lands, and shifts cyber security toward being more proactive.

For more on McAfee Insights, check out our webinar.  


The post Meaningful Context for Your Endpoint Threat Investigations appeared first on McAfee Blogs.

11 Weeks of Android: Privacy and Security

This blog post is part of a weekly series for #11WeeksOfAndroid. For each #11WeeksOfAndroid, we’re diving into a key area so you don’t miss anything. This week, we spotlighted Privacy and Security; here’s a look at what you should know.


Privacy and security are core to how we design Android, and with every new release we increase our investment in this space. Android 11 continues to make important strides in these areas, and this week we’ll be sharing a series of updates and resources about Android privacy and security. But first, let’s take a quick look at some of the most important changes we’ve made in Android 11 to protect user privacy and make the platform more secure.

As shared in the “All things privacy in Android 11” video, we’re giving users even more control over sensitive permissions. Throughout the development of this release, we have engaged deeply and frequently with our developer community to design these features in a balanced way - amplifying user privacy while minimizing developer impact. Let’s go over some of these features:

One-time permission: In Android 10, we introduced a granular location permission that allows users to limit access to location only when an app is in use (aka foreground only). When presented with the new runtime permissions options, users choose foreground only location more than 50% of the time. This demonstrated to us that users really wanted finer controls for permissions. So in Android 11, we’ve introduced one time permissions that let users give an app access to the device microphone, camera, or location, just that one time. As an app developer, there are no changes that you need to make to your app for it to work with one time permissions, and the app can request permissions again the next time the app is used. Learn more about building privacy-friendly apps with these new changes in this video.

Background location: In Android 10 we added a background location usage reminder so users can see how apps are using this sensitive data on a regular basis. Users who interacted with the reminder either downgraded or denied the location permission over 75% of the time. In addition, we have done extensive research and believe that there are very few legitimate use cases for apps to require access to location in the background.

In Android 11, background location will no longer be a permission that a user can grant via a runtime prompt; it will require a more deliberate action. If your app needs background location, the system will ensure that the app first asks for foreground location. The app can then broaden its access to background location through a separate permission request, which will cause the system to take the user to Settings in order to complete the permission grant.

In February, we announced that Google Play developers will need to get approval to access background location in their app to prevent misuse. We're giving developers more time to make changes and won't be enforcing the policy for existing apps until 2021. Check out this helpful video to find possible background location usage in your code.

Permissions auto-reset: Most users tend to download and install over 60 apps on their device but interact with only a third of these apps on a regular basis. If users haven’t used an app that targets Android 11 for an extended period of time, the system will “auto-reset” all of the granted runtime permissions associated with the app and notify the user. The app can request the permissions again the next time the app is used. If you have an app that has a legitimate need to retain permissions, you can prompt users to turn this feature OFF for your app in Settings.

Data access auditing APIs: Android encourages developers to limit their access to sensitive data, even if they have been granted permission to do so. In Android 11, developers will have access to new APIs that will give them more transparency into their app’s usage of private and protected data. The APIs will enable apps to track when the system records the app’s access to private user data.

Scoped Storage: In Android 10, we introduced scoped storage which provides a filtered view into external storage, giving access to app-specific files and media collections. This change protects user privacy by limiting broad access to shared storage in many ways including changing the storage permission to only give read access to photos, videos and music and improving app storage attribution. Since Android 10, we’ve incorporated developer feedback and made many improvements to help developers adopt scoped storage, including: updated permission UI to enhance user experience, direct file path access to media to improve compatibility with existing libraries, updated APIs for modifying media, Manage External Storage permission to enable select use cases that need broad files access, and protected external app directories. In Android 11, scoped storage will be mandatory for all apps that target API level 30. Learn more in this video and check out the developer documentation for further details.

Google Play system updates: Google Play system updates were introduced with Android 10 as part of Project Mainline. Their main benefit is to increase the modularity and granularity of platform subsystems within Android so we can update core OS components without needing a full OTA update from your phone manufacturer. Earlier this year, thanks to Project Mainline, we were able to quickly fix a critical vulnerability in the media decoding subsystem. Android 11 adds new modules, and maintains the security properties of existing ones. For example, Conscrypt, which provides cryptographic primitives, maintained its FIPS validation in Android 11 as well.

BiometricPrompt API: Developers can now use the BiometricPrompt API to specify the biometric authenticator strength required by their app to unlock or access sensitive parts of the app. We are planning to add this to the Jetpack Biometric library to allow for backward compatibility and will share further updates on this work as it progresses.

Identity Credential API: This will unlock new use cases such as mobile driver’s licences, National ID, and Digital ID. It’s being built by our security team to ensure this information is stored safely, using security hardware to secure and control access to the data, in a way that enhances user privacy as compared to traditional physical documents. We’re working with various government agencies and industry partners to make sure that Android 11 is ready for such digital-first identity experiences.

Thank you for your flexibility and feedback as we continue to build an increasingly private and secure platform. You can learn about more features on the Android 11 Beta developer site. You can also learn about general best practices related to privacy and security.

Please follow Android Developers on Twitter and YouTube to catch helpful content and materials in this area all this week.

Resources

You can find the entire playlist of #11WeeksOfAndroid video content here, and learn more about each week here. We’ll continue to spotlight new areas each week, so keep an eye out and follow us on Twitter and YouTube. Thanks so much for letting us be a part of this experience with you!

Industry Experts Weigh in on McAfee’s Proactive Cybersecurity

Recently Forbes shared an accurate depiction of McAfee in its article “McAfee Finally On The Right Path”. Let me extend their innovation story and share with you the leadership path McAfee continues to blaze in cybersecurity.

Imagine if organizations knew of high-severity threats targeting their industry sector and geographies before they encountered such threats, with precise knowledge of whether their countermeasures could stop the threat. Also imagine that, if the countermeasures could not stop the threats, they knew what they should do to improve those countermeasures so that the threat would be stopped. Doing all of this before an attack impacts you is referred to as “shifting left on the attack lifecycle”. Gartner and many other analyst firms have openly expressed that shifting left is something a lot of vendors are trying to achieve. I am excited to announce that McAfee has found a way to do it.

So, how did we do it? Enter McAfee MVISION Insights. We previewed this innovation at MPOWER in October 2019 as a unique solution that helps organizations become more proactive. MVISION Insights is a cloud-native solution that provides highly predictive security analytics. These analytics enable proactive management and remediation against advanced attacks.

News of MVISION Insights created quite a buzz among industry influencers when we briefed them. The resounding point of view was that McAfee MVISION Insights is in a class of its own and “ahead of the market”.

A highly reputed analyst cast MVISION Insights at the same level of high esteem as McAfee’s highly acclaimed unified management solution, ePolicy Orchestrator.

“In the same way ePO is the gold standard for management consoles, Insights can be the same for the threat/analytics platform” 

– Top Tier Analyst Firm  

Other analysts called out the lack of immediate competition.

“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” 

– Omdia Research

‘You are forward leaning and a differentiator in this space.  And it is even more impressive you did this organically while your competitors are trying to piece together with partnerships’ 

– Top Tier Analyst Firm 

Many vendors are making big claims about all the data they have access to and their rich telemetry, but they don’t weave the pieces together to explain why it is relevant to an organization’s environment. MVISION Insights not only prioritizes threats based on their prevalence in the organization’s geography and industry sector, but also takes the prioritized threat analysis and assesses your local security posture to see how it will stack up against the threat. This value of the local security posture assessment against the threat was also called out: “…a key value point here is the local security posture assessment with the vast threat intelligence and analytics.”

ESG recognized: “With the exposure of any new security attack, CISOs, CEOs, and corporate boards immediately ask whether they are at risk. MVISION Insights from McAfee can help automate answers to this question. This gives organizations the ability to think globally, act locally, and respond quickly to cyber-attacks.”

It’s not just threat analysis paralysis but prioritized actionable insights. 

With MVISION Insights, organizations can answer critical questions quickly: Are they at risk? What is their priority? Will their protections hold? What do they need to do to be protected? Take a closer look at MVISION Insights, coming soon. Soon I plan to share the customer feedback we are receiving from organizations accessing the early solution. You don’t want to miss it.

The post Industry Experts Weigh in on McAfee’s Proactive Cybersecurity appeared first on McAfee Blogs.

SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE


Introduction

Previous SMBleedingGhost write-ups: 

In the previous part of the series, SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE, we described two techniques that allow us to read uninitialized memory from the pool buffers allocated by the SrvNetAllocateBuffer function of the srvnet.sys module. The first technique accomplishes that by crafting a special SMB packet and deducing information from the server’s response. The second technique, which has fewer limitations, does that by sending specially crafted compressed data and deducing information depending on whether the server drops the connection.

The next thing we had to understand was: what can be done with this reading ability? As a reminder, we began this research with a write-what-where primitive that we demonstrated in our previous research about achieving local privilege escalation. Since most of the memory layout in modern Windows versions is randomized, we need at least one pointer to be able to do something useful with the write-what-where primitive. Unfortunately, memory allocated with the SrvNetAllocateBuffer function is mostly used for network data such as SMB packets and doesn’t contain system pointers. We could try to read uninitialized memory left by a previous allocation that wasn’t done with SrvNetAllocateBuffer, but it would be difficult to predict where to look for a pointer in this case, especially since we can’t run code on the target computer that could help us groom the pool (unlike in the case of a local privilege escalation, for example). So we started looking for something more reliable.


SrvNetAllocateBuffer and the allocated buffer layout

As we already mentioned in our local privilege escalation research, the SrvNetAllocateBuffer function doesn’t just return a buffer with the requested size. Instead, it returns a pointer to a struct that is located at the bottom of the pool-allocated memory block, containing information about the allocated buffer. The layout of the pool-allocated memory block is the following:

While our reading technique can only read bytes from the “User buffer” region, we can use the integer overflow bug to copy parts of the SRVNET_BUFFER_HDR struct to the “User buffer” region of another buffer, which we can then read. We can do that by setting the Offset field to point at the SRVNET_BUFFER_HDR struct beyond the data we want to read. We just need to make sure that the data that is located there can be interpreted as valid compressed data, otherwise the copying won’t happen.

Hunting for pointers

Let’s take a look at the fields of the SRVNET_BUFFER_HDR struct and see whether there’s something worth reading:

#pragma pack(push, 1)
struct SRVNET_BUFFER_HDR {
/*00*/  LIST_ENTRY ConnectionBufferList;        // pointers (orange)
/*10*/  WORD BufferFlags;                       // 0x01 - no transport header, 0x02 - part of a lookaside list
/*12*/  WORD LookasideListIndex;                // 0 to 8
/*14*/  WORD LookasideListLogicalProcessor;
/*16*/  WORD TracingDataCount;                  // 0, 1 or 2, for TracingPtr1/2, TracingUnknown1/2
/*18*/  PBYTE UserBufferPtr;                    // pointer (blue)
/*20*/  DWORD UserBufferSizeAllocated;
/*24*/  DWORD UserBufferSizeUsed;
/*28*/  DWORD PoolAllocationSize;
/*2C*/  BYTE unknown1[4];
/*30*/  PBYTE PoolAllocationPtr;                // pointer (blue)
/*38*/  PMDL pMdl1;                             // pointer (blue)
/*40*/  DWORD BytesProcessed;
/*44*/  BYTE unknown2[4];
/*48*/  SIZE_T BytesReceived;
/*50*/  PMDL pMdl2;                             // pointer (blue)
/*58*/  PVOID pSrvNetWskStruct;                 // pointer (orange)
/*60*/  DWORD SmbFlags;
/*64*/  PVOID TracingPtr1;                      // pointer (orange)
/*6C*/  SIZE_T TracingUnknown1;
/*74*/  PVOID TracingPtr2;                      // pointer (orange)
/*7C*/  SIZE_T TracingUnknown2;
/*84*/  BYTE unknown3[12];
};
#pragma pack(pop)

The variables marked blue or orange are pointers. The pointers marked blue all point inside the pool-allocated memory block, at offsets which can be calculated in advance, so it’s enough to read one of them. Having an absolute pointer to the pool-allocated memory block will surely be helpful. Regarding the pointers marked orange:

  • ConnectionBufferList – A linked list of all of the received, unhandled buffers of a connection. The list head is a part of the connection object created by the SrvNetAllocateConnection function in srvnet.sys. A buffer is added to the list by the SrvNetWskReceiveComplete function. In our case, there will be only one buffer in the list, so both pointers (Flink and Blink of the LIST_ENTRY struct) will point to the list head inside the connection object.
  • pSrvNetWskStruct – Initially, a pointer to the connection object mentioned above. The pointer is set by the SrvNetWskReceiveEvent function, but is overridden by the SrvNetWskReceiveComplete function with the pointer to the SRVNET_BUFFER_HDR struct. Thus, reading it is no more useful than reading one of the blue-colored pointers. By the way, if you search for “pSrvNetWskStruct” you’ll find out that it played a role in exploiting EternalBlue.
  • TracingPtr1/2 – These pointers are only used when tracing is enabled, it seems.

As you can see, the only other useful pointer for us to read is one of the pointers from the ConnectionBufferList struct. Both pointers (Blink and Flink of the LIST_ENTRY struct) point to the connection object. The object struct has been named SRVNET_RECV by EternalBlue researchers, so we’ll use this name as well.

Getting a module base address

Now that we know how to get the two pointers – a pointer to a pool-allocated memory block and a pointer to an SRVNET_RECV struct – we can freely modify the two buffers using the write-what-where primitive. There are probably several ways from this point to achieve RCE, but we had a feeling that getting the base address of a module would be the most straightforward option, since there are so many things we can modify in a data section of a module. As we’ve seen, none of the pointers in a memory block allocated by SrvNetAllocateBuffer point to a module. We had hopes for the SRVNET_RECV struct, but we didn’t find pointers that point to a module there either. On the bright side, there are several pointers to modules one additional dereference away:

At this point, we noticed that since we can overwrite those pointers in SRVNET_RECV, we can call an arbitrary function by replacing the HandlerFunctions pointer and triggering one of the events, e.g. closing the connection so that Srv2DisconnectHandler is called. This will come in handy later, but we didn’t have any function pointers to call yet, so we continued with our attempt to get a module base address.

Unlike writing, reading those pointers is not as easy since our technique allows us to read only from the “User buffer” region. So close, yet so far. Since we can get and modify a pool-allocated memory block and an SRVNET_RECV struct, we hoped to find code that we can trigger that does a double-dereference-read followed by a double-dereference-write with two variables that we control, similar to the following:

ptr1 = *(pSrvNetRecv + offset1)
value = *ptr1
ptr2 = *(pSrvNetRecv + offset2)
*ptr2 = value

If we could find such a snippet, we would trigger it to copy the first pointer (e.g. HandlerFunctions) to the “User buffer” region, read it, then copy the second pointer (e.g. the Srv2ConnectHandler function pointer) to the “User buffer” region and read it as well, deducing the module base address from it. We searched for such a snippet for a long time, but didn’t find a good match. Finally, we settled for a sub-optimal option which nevertheless worked. Let’s take a look at the relevant part of the SrvNetFreeBuffer function (simplified):

void SrvNetFreeBuffer(PSRVNET_BUFFER_HDR Buffer)
{
    PMDL pMdl1 = Buffer->pMdl1;
    PMDL pMdl2 = Buffer->pMdl2;

    if (pMdl2->MdlFlags & 0x0020) {
        // MDL_PARTIAL_HAS_BEEN_MAPPED flag is set.
        MmUnmapLockedPages(pMdl2->MappedSystemVa, pMdl2);
    }

    if (Buffer->BufferFlags & 0x02) {
        if (Buffer->BufferFlags & 0x01) {
            pMdl1->MappedSystemVa = (BYTE*)pMdl1->MappedSystemVa + 0x50;
            pMdl1->ByteCount -= 0x50;
            pMdl1->ByteOffset += 0x50;
            pMdl1->MdlFlags |= 0x1000; // MDL_NETWORK_HEADER

            pMdl2->StartVa = (PVOID)((ULONG_PTR)pMdl1->MappedSystemVa & ~0xFFF);
            pMdl2->ByteCount = pMdl1->ByteCount;
            pMdl2->ByteOffset = (ULONG_PTR)pMdl1->MappedSystemVa & 0xFFF;
            pMdl2->Size = /* some calculation */;
            pMdl2->MdlFlags = 0x0004; // MDL_SOURCE_IS_NONPAGED_POOL
        }

        Buffer->BufferFlags = 0;

        // ...

        pMdl1->Next = NULL;
        pMdl2->Next = NULL;

        // Return the buffer to the lookaside list.
    } else {
        SrvNetUpdateMemStatistics(NonPagedPoolNx, Buffer->PoolAllocationSize, FALSE);
        ExFreePoolWithTag(Buffer->PoolAllocationPtr, '00SL');
    }
}

Upon freeing the buffer, if buffer flags 0x02 (the buffer is part of a lookaside list) and 0x01 (the buffer has no transport header) are both set, some operations are performed on the two MDL objects to add the transport header before resetting the flags to zero and returning the buffer to the lookaside list. If we set aside the meaning of the operations on the MDL objects for a moment and look at them purely in terms of memory manipulation, we can notice that the code does a double-dereference-read followed by a double-dereference-write with two variables that we control (the two MDL pointers), which is exactly what we were looking for. The downside is that the content we want to read from is also modified (lines 13-16 and 29 of the listing above), a side effect we had hoped to avoid.

Given the above, here’s how we managed to read the AcceptSocket pointer:

1. Prepare buffer A from a lookaside list such that the “User buffer” region is filled with zeros. This buffer will end up holding the pointer that we’ll eventually read.

2. Prepare buffer B from a different lookaside list such that:

  • The pMdl1 pointer points at the address of the HandlerFunctions pointer minus 0x18, the offset of MappedSystemVa in the MDL struct.
  • The pMdl2 pointer points at the “User buffer” region of Buffer A.
  • The BufferFlags field is set to 0x03.

We can override the SRVNET_BUFFER_HDR struct fields by decompressing them from a larger buffer using the technique described in the Observation #2 section of the previous part of the writeup.

3. When buffer B is freed, the following operations will take place:

  • The MDL flags will be read from the second MDL at buffer A. If the MDL_PARTIAL_HAS_BEEN_MAPPED flag is set, MmUnmapLockedPages will be called and the system will likely crash. That’s why we filled the buffer with zeros in step 1.
  • The HandlerFunctions pointer and the memory around it will be modified as depicted here:
+00 |  00 00 00 00 00 00 00 00
+08 |  __ __ __|10 __ __ __ __
+10 |  __ __ __ __ __ __ __ __
+18 |  [+50..................]  <--  HandlerFunctions
+20 |  __ __ __ __ __ __ __ __
+28 |  [-50......] [+50......]
  • The HandlerFunctions pointer and the memory around it will be read as depicted here:
+00 |  __ __ __ __ __ __ __ __
+08 |  __ __ __ __ __ __ __ __
+10 |  __ __ __ __ __ __ __ __
+18 |  ab cd ef gh ij kl mn op  <--  HandlerFunctions
+20 |  __ __ __ __ __ __ __ __
+28 |  qr st uv wx __ __ __ __
  • The “User buffer” region of buffer A will be modified as depicted here (the bytes in braces contain the pointer we want to read; we just need to order them properly):
+00 |  00 00 00 00 00 00 00 00
+08 |  ?? ?? 04 00 __ __ __ __
+10 |  __ __ __ __ __ __ __ __
+18 |  __ __ __ __ __ __ __ __
+20 |  00 {c}0 {ef gh ij kl mn op}
+28 |  qr st uv wx {ab} 0{d} 00 00

4. Read the AcceptSocket pointer from the “User buffer” region of buffer A.

The good news: we managed to read the pointer. The bad news: we corrupted some data in the SRVNET_RECV struct. Luckily for us, the corruption doesn’t affect the system as long as nothing happens with the relevant connection. When something does happen, e.g. the connection closes, the system crashes. That’s not a problem since we’ll get RCE soon, and we can fix the corruption if we want to. We didn’t implement such a fix in our POC; it is left as an exercise for the reader.

After reading the AcceptSocket pointer, we used the same technique to read the srvnet!SrvNetWskConnDispatch pointer. We read the AcceptSocket pointer rather than the HandlerFunctions pointer because the array of handler functions is shared between all connections, while the buffer pointed to by AcceptSocket is not shared with other connections. Therefore, we can corrupt the latter and affect the stability of only a single connection.

If we have a copy of the srvnet.sys file used on the target computer, we can just compute the offset of the SrvNetWskConnDispatch pointer in the module locally and subtract the offset from the pointer we read, getting the srvnet.sys module base address as a result. That’s what we did in our POC to keep things simple. One can improve it to be more general. One option that comes to mind is keeping several versions of srvnet.sys locally, and deducing the correct one by the least significant bytes of the read pointer.
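As an added example (not ZecOps’ code), the SRVNET_BUFFER_HDR definition from the “Hunting for pointers” section compiled with stand-in Windows typedefs: it checks that the annotated offsets are reproduced (the layout is only correct with pack(1), since TracingPtr1/2 sit at unaligned offsets), and adds a hypothetical integrity check on the in-block pointers, the same pMdl1/pMdl2 fields that the SrvNetFreeBuffer path above trusts. The 4 KiB block, its in-block offsets and the “other object” are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the Windows types the struct uses, so it compiles with any
 * 64-bit C toolchain (constructed for this example, not Windows headers). */
typedef uint16_t WORD;  typedef uint32_t DWORD;
typedef uint8_t  BYTE, *PBYTE;
typedef void    *PVOID;
typedef size_t   SIZE_T;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _MDL *PMDL;  /* opaque here; only the pointer width matters */

/* The header as annotated in the write-up. pack(1) is essential: TracingPtr1/2
 * sit at 0x64 and 0x74, offsets a naturally aligned layout would never give. */
#pragma pack(push, 1)
struct SRVNET_BUFFER_HDR {
    LIST_ENTRY ConnectionBufferList;                        /* 0x00 */
    WORD   BufferFlags, LookasideListIndex;                 /* 0x10, 0x12 */
    WORD   LookasideListLogicalProcessor, TracingDataCount; /* 0x14, 0x16 */
    PBYTE  UserBufferPtr;                                   /* 0x18  in-block pointer */
    DWORD  UserBufferSizeAllocated, UserBufferSizeUsed;     /* 0x20, 0x24 */
    DWORD  PoolAllocationSize;                              /* 0x28 */
    BYTE   unknown1[4];                                     /* 0x2C */
    PBYTE  PoolAllocationPtr;                               /* 0x30  in-block pointer */
    PMDL   pMdl1;                                           /* 0x38  in-block pointer */
    DWORD  BytesProcessed;                                  /* 0x40 */
    BYTE   unknown2[4];                                     /* 0x44 */
    SIZE_T BytesReceived;                                   /* 0x48 */
    PMDL   pMdl2;                                           /* 0x50  in-block pointer */
    PVOID  pSrvNetWskStruct;                                /* 0x58 */
    DWORD  SmbFlags;                                        /* 0x60 */
    PVOID  TracingPtr1;                                     /* 0x64 */
    SIZE_T TracingUnknown1;                                 /* 0x6C */
    PVOID  TracingPtr2;                                     /* 0x74 */
    SIZE_T TracingUnknown2;                                 /* 0x7C */
    BYTE   unknown3[12];                                    /* 0x84 */
};
#pragma pack(pop)

/* Annotated offset next to the offset this toolchain actually produced. */
struct field_check { const char *name; size_t expected, actual; };
#define F(f, off) { #f, (off), offsetof(struct SRVNET_BUFFER_HDR, f) }
static const struct field_check kLayout[] = {
    F(ConnectionBufferList, 0x00), F(BufferFlags, 0x10), F(LookasideListIndex, 0x12),
    F(LookasideListLogicalProcessor, 0x14), F(TracingDataCount, 0x16),
    F(UserBufferPtr, 0x18), F(UserBufferSizeAllocated, 0x20), F(UserBufferSizeUsed, 0x24),
    F(PoolAllocationSize, 0x28), F(unknown1, 0x2C), F(PoolAllocationPtr, 0x30),
    F(pMdl1, 0x38), F(BytesProcessed, 0x40), F(unknown2, 0x44), F(BytesReceived, 0x48),
    F(pMdl2, 0x50), F(pSrvNetWskStruct, 0x58), F(SmbFlags, 0x60), F(TracingPtr1, 0x64),
    F(TracingUnknown1, 0x6C), F(TracingPtr2, 0x74), F(TracingUnknown2, 0x7C),
    F(unknown3, 0x84),
};

/* How many fields landed at a different offset than annotated (0 = exact match). */
int srvnet_hdr_layout_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof kLayout / sizeof kLayout[0]; i++)
        bad += kLayout[i].actual != kLayout[i].expected;
    return bad;
}

size_t srvnet_hdr_size(void) { return sizeof(struct SRVNET_BUFFER_HDR); }  /* 0x90 */

/* Hypothetical integrity check, not something srvnet.sys does: in an intact
 * header every in-block pointer lies inside [PoolAllocationPtr,
 * PoolAllocationPtr + PoolAllocationSize). A pMdl1 or pMdl2 pointing elsewhere
 * is the shape the overwrite above leaves behind, so a memory-forensics pass
 * over lookaside buffers could flag it before SrvNetFreeBuffer trusts it. */
int srvnet_hdr_in_block_pointers_ok(const struct SRVNET_BUFFER_HDR *h)
{
    uintptr_t lo = (uintptr_t)h->PoolAllocationPtr;
    uintptr_t hi = lo + h->PoolAllocationSize;
    const void *ptrs[] = { h->UserBufferPtr, h->pMdl1, h->pMdl2 };
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++) {
        uintptr_t p = (uintptr_t)ptrs[i];
        if (p < lo || p >= hi)
            return 0;
    }
    return 1;
}

/* Constructed 4 KiB block with the header at its bottom, as the write-up
 * describes SrvNetAllocateBuffer's layout (in-block offsets are illustrative).
 * With corrupt_pmdl1 set, pMdl1 is redirected into a separate object. */
int srvnet_hdr_example(int corrupt_pmdl1)
{
    static unsigned char block[0x1000], other_object[0x100];
    struct SRVNET_BUFFER_HDR *h =
        (struct SRVNET_BUFFER_HDR *)(block + sizeof block - sizeof(struct SRVNET_BUFFER_HDR));
    h->PoolAllocationPtr  = block;
    h->PoolAllocationSize = sizeof block;
    h->UserBufferPtr      = block + 0x50;
    h->pMdl1 = (PMDL)(block + 0x100);
    h->pMdl2 = (PMDL)(block + 0x180);
    if (corrupt_pmdl1)
        h->pMdl1 = (PMDL)(other_object + 0x18);
    return srvnet_hdr_in_block_pointers_ok(h);
}
```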

Implementing arbitrary read

From the beginning of this research we had a convenient write-what-where (arbitrary write) primitive, but had nothing that allowed us to read memory. We worked hard until now to gain some memory reading abilities, and at this point we felt that we had enough tools to make our life easier and implement a convenient arbitrary read primitive. We began by exploring the possibilities of calling an arbitrary function.

Given that we have the base address of the srvnet.sys module, we can call any of the module’s functions. But what about the function’s arguments? The srv2!Srv2ReceiveHandler function is called by SrvNetCommonReceiveHandler, and the call looks like this:

HandlerFunctions = *(pSrvNetRecv + 0x118);
Arg1 = *(ULONG_PTR *)(pSrvNetRecv + 0x128);
Arg2 = *(ULONG_PTR *)(pSrvNetRecv + 0x130);
(HandlerFunctions[1])(Arg1, Arg2, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8);

The first two arguments are read from the SRVNET_RECV struct, so we can control them. We don’t have as much control over the other arguments. The x86-64 calling convention specifies that it’s the caller’s responsibility to allocate and free the stack space for the arguments, so even though an 8-argument function is intended to be called, we can replace the pointer with a function that expects any other number of arguments, and it will work.

Here are the steps we used to trigger the function call:

  1. Send a specially crafted message so that the connection’s SRVNET_RECV struct pointer will be copied to a buffer we can read.
  2. Send another, valid message, which will reuse the same SRVNET_RECV struct, but don’t close the connection yet. Note that when a connection is closed, the SRVNET_RECV struct is not freed. The SrvNetPrepareConnectionForReuse function is called to reset the struct so that it can be reused for the next connection.
  3. Read the SRVNET_RECV struct pointer that we copied in step 1.
  4. Replace the HandlerFunctions pointer and the arguments using the write-what-where primitive.
  5. Send an additional message over the connection from step 2 so that the function that took the place of srv2!Srv2ReceiveHandler is called.

Now all we had to do was find a convenient function to copy memory from one location to another, so that we can copy arbitrary memory to the pool buffer we can read from. memcpy comes to mind, and srvnet.sys does have such a function (memmove, to be precise), but this function requires a third argument, the number of bytes to be copied, which we don’t control. Failing to find a convenient function that requires one or two arguments, we realized that we’re not limited to functions implemented in srvnet.sys: we can also call functions from srvnet’s import table by pointing HandlerFunctions at the right offset. There, we found the perfect function: RtlCopyUnicodeString.

The RtlCopyUnicodeString function gets two UNICODE_STRING pointers as arguments, and copies the content of the source string to the destination string. Unlike C strings which are NULL-terminated, strings in the kernel are defined by the UNICODE_STRING struct which holds a pointer to the string, and the string’s length in bytes. The string buffer can hold any binary data. If you peek at the implementation of RtlCopyUnicodeString, you can see that the copying is done with the memmove function, i.e. plain binary data copying. All we have to do is prepare our two UNICODE_STRING structs and call RtlCopyUnicodeString, then read the copied data:

Executing shellcode

After achieving a convenient arbitrary read primitive, we moved on to the next challenge towards our goal of remote code execution: running a shellcode. We used the technique that Morten Schenk presented in his Black Hat USA 2017 talk (pages 47-51).

The idea is to write a shellcode below the KUSER_SHARED_DATA structure which is located at a constant address, the only address that is not randomized in the kernel memory layout of the recent Windows versions. Then modify the relevant page table entry, making the page executable. The base address of the page table entries in the kernel is randomized, but can be retrieved from the MiGetPteAddress function in ntoskrnl.exe. Here are the steps we used to execute our shellcode:

  1. Use our arbitrary read primitive to get the base address of ntoskrnl.exe from srvnet’s import table.
  2. Read the base address of the page table entries from the MiGetPteAddress function, as described in Morten’s slides.
  3. Write the shellcode at address KUSER_SHARED_DATA + 0x800 (0xFFFFF78000000800). Note that we could also use one of the pool buffers, using KUSER_SHARED_DATA is just more convenient.
  4. Calculate the relevant page table entry address and clear the NX bit to allow execution, as described in Morten’s slides.
  5. Call the shellcode using our ability to call an arbitrary function.

Launching a reverse shell

Technically, we achieved remote code execution, so we could stop here. But if we’re not popping calc or launching a reverse shell, the POC is not complete, so we went on to fill that gap. Since our shellcode runs in kernel mode, we can’t just run cmd.exe or calc.exe and call it a day. We needed to find a way to get our code to run in user mode. While searching for prior work on the topic we found sleepya’s shellcode, written originally for EternalBlue exploits, which is designed to do just that. 

In short, here’s what the shellcode does:

  1. Hook IA32_LSTAR MSR to lower the IRQL (Interrupt Request Level) from DISPATCH_LEVEL to PASSIVE_LEVEL. The shellcode begins execution at the DISPATCH_LEVEL IRQL which imposes several limitations. For more information see the great explanation of zerosum0x0.
  2. Find a privileged user mode process (lsass.exe or spoolsv.exe) and queue a user mode APC in one of the alertable threads that is in waiting state.
  3. In the APC kernel routine, allocate EXECUTE_READWRITE memory and point the APC normal (user mode) routine there. Then copy the user mode shellcode to the newly allocated memory, prepended with a stub to create a new thread.
  4. In the APC normal routine a new thread is created, executing the user mode shellcode.

Published about three years ago, the shellcode didn’t work right away on recent Windows versions, so we had to make a couple of adjustments:

  1. Incompatibility with the KVA Shadow mitigation. In the blog post Fixing Remote Windows Kernel Payloads to Bypass Meltdown KVA Shadow zerosum0x0 explains why the first part of the shellcode, IA32_LSTAR MSR hooking, isn’t supported when the KVA Shadow mitigation is enabled, and proposes a fix. We tried the proposed fix, but it didn’t work on newer Windows versions – zerosum0x0 targeted Windows 10 version 1809 while we were targeting versions 1903 and 1909. The right thing to do is to improve the fix or find another solution, but we just removed the IRQL lowering part. As a result, the POC can sometimes crash the system while trying to access paged memory (bug check IRQL_NOT_LESS_OR_EQUAL), but it doesn’t happen often, so we left it as is since it’s good enough for a POC.
  2. Fixed finding the base address of ntoskrnl.exe. At first, we tried using zerosum0x0’s method – get an address of the first ISR (Interrupt Service Routine), which is located in ntoskrnl.exe, and search for a nearby PE header. The method didn’t work for us since the ISR pointer points to ntoskrnl’s INITKDBG section which is not mapped. Since we already found the ntoskrnl.exe base address, we fixed it by just passing it as an argument to the shellcode.
  3. Fixed a problem with finding the offset of ETHREAD.ThreadListEntry. The original code looked for the current thread in the thread list of the current process. The thread won’t be found if the current thread is attached to a different process than the one it was originally created in (see KeStackAttachProcess).
  4. Fixed the UserApcPending check in the KAPC_STATE struct for Windows 10 version R5 and newer, where UserApcPending shares a byte with the newly added bit value SpecialUserApcPending.

With the above fixed, we finally managed to make the shellcode work; we just needed to fill in the user mode part of the code to run. We used MSFvenom, the Metasploit payload generator, to generate a user mode shellcode that spawns a reverse shell.

Targets with more than one logical processor

In the Observation #1 section of the previous part of the writeup we assumed that our target has only one logical processor. With this assumption, we could rely on lookaside list buffer reuse, knowing that we get the same buffer every time as long as the allocation size is the same. As a reminder, the lookaside lists are created upon initialization, one list for each size and logical processor, as depicted in the following table:

                     → Allocation size
Logical Processor    0x1100  0x2100  0x4100  0x8100  0x10100  0x20100  0x40100  0x80100  0x100100
Processor 1          📝      📝      📝      📝      📝       📝       📝       📝       📝
Processor 2          📝      📝      📝      📝      📝       📝       📝       📝       📝
Processor n          📝      📝      📝      📝      📝       📝       📝       📝       📝

Each cell with the “📝” symbol is a separate lookaside list.

With more than one logical processor, things are a bit more complicated – we get the same buffer only as long as the allocation is made on the same logical processor. Our first attempt at overcoming this limitation was redundancy. When writing to one of the lookaside list buffers, write multiple times. When reading from one of the lookaside list buffers, read multiple times and choose the most common value. This approach would work if the logical processor usage was distributed evenly, but we found that it’s not the case. We tested our POC in VirtualBox, and from our observations, some logical processors are preferred over others. For a setup of 4 logical cores, here’s the distribution of handling the incoming packet in a test execution:

Logical processor      Incoming packets handled
Logical processor 1    0.2%
Logical processor 2    0.8%
Logical processor 3    7.9%
Logical processor 4    91.1%

Here’s the distribution of handling the decompression:

Logical processor      Decompressions executed
Logical processor 1    13.3%
Logical processor 2    5.1%
Logical processor 3    6.8%
Logical processor 4    74.8%

As you can see, in this specific case logical processor 4 did most of the work. Logical processor 1 handled only 1 out of every 500 incoming packets!

We tweaked the POC so that it sends several packets simultaneously from multiple threads to improve the logical processor usage distribution. We also added error detection, so that if the data that is read doesn’t make sense, another read attempt is made instead of proceeding and most likely crashing the system. The changes we made were enough to make the POC work with VirtualBox targets with multiple logical processors, but from a quick test the POC doesn’t work with VMware targets or (at least some) physical computers with multiple logical processors. We didn’t try to improve the POC further to support all targets, which we believe can be achieved with a better strategy for the order of reads and writes.

Our POC with the improvements can be found in the GitHub repository.

If you’d like to study the code, we suggest starting with the initial, less noisy version which was designed for a single logical processor. It can be found in a previous commit here.

ZecOps Detection

ZecOps classifies forensics logs related to this issue as #SMBGhost and #SMBleed. You can find more information on how to use ZecOps solutions for Endpoints & Servers, Mobile devices, or applications. Besides SMBleed / SMBGhost, ZecOps Crash Forensics solutions can find other, previously unknown vulnerabilities that are exploited in the wild. If you care about persistent threats – we’ll be happy to assist.

Remediation

You can remediate both issues by doing one of the following:

  • Apply the latest security updates (recommended)
  • Block port 445 / enforce host isolation
  • Disable SMBv3.1.1 compression
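The two workarounds above, as an added example that is not part of the ZecOps writeup or its POC: a script that reports and applies the SMBv3 compression setting and the port 445 block on a single host. It assumes an elevated PowerShell session, the LanmanServer DisableCompression registry value from Microsoft’s advisory for this bug, and the built-in NetSecurity cmdlets; the firewall rule name is a constructed placeholder.

```powershell
# Added example (not from the ZecOps writeup). Run elevated on the host being hardened.
# Assumptions: DisableCompression under LanmanServer\Parameters is the documented
# workaround value; the firewall rule name below is a constructed placeholder.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName     = 'Workaround - block inbound SMB (TCP 445)'

function Get-SmbCompressionState {
    # Returns 'disabled' when the workaround is in place, 'enabled' otherwise.
    # An absent value means the default, i.e. compression is allowed.
    $prop = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.DisableCompression -eq 1) { return 'disabled' }
    return 'enabled'
}

function Disable-SmbCompression {
    # Sets the documented workaround value; no reboot is needed for new SMB sessions.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Test-InboundSmbBlocked {
    # True when our block rule exists and is enabled.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True')
}

function Block-InboundSmb {
    # Drops inbound TCP 445 on all profiles; the writeup's attack is unauthenticated and remote.
    if (-not (Test-InboundSmbBlocked)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# ReleaseId identifies the Windows 10 feature release; the writeup targets 1903 and 1909.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Windows release: $release"
Write-Host "SMBv3 compression before: $(Get-SmbCompressionState)"

if ($release -in @('1903', '1909')) {
    Disable-SmbCompression
    Block-InboundSmb
}

Write-Host "SMBv3 compression after:  $(Get-SmbCompressionState)"
Write-Host "Inbound 445 blocked:      $(Test-InboundSmbBlocked)"
```

The registry change only hardens the SMB server side; applying the security update remains the complete fix.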

Summary

This is the third and final part of the writeup, in which we used the findings from the previous parts to achieve RCE using SMBGhost and SMBleed. We hope you enjoyed the read. Here’s a recap of the milestones during our research on the SMB bugs:

  1. A write-what-where primitive, demonstrated in our previous research about achieving local privilege escalation.
  2. The discovery of the SMBleed bug, described in the first part of the writeup.
  3. An ability to read memory from the pool buffers allocated by the SrvNetAllocateBuffer function, demonstrated in Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE.
  4. An ability to get the base address of the srvnet.sys module.
  5. An ability to call an arbitrary function.
  6. Arbitrary memory read.
  7. Shellcode execution.


McAfee Vision for SASE: Making Cloud Adoption Fast, Easy and Secure

While cloud services deliver on promised savings and convenience, keeping everything secure remains a moving target for many organizations.

That’s because the enterprise perimeter has not only expanded, it has pushed the service edge to anywhere business takes you—or employees choose to go. Consequently, many organizations must uplevel how they protect cloud-based apps, data and services. Achieving success will be difficult with walled-garden style defenses found in legacy environments.

Gartner suggests an Adaptive Zero Trust approach (CARTA) to secure use of cloud applications, and it recommends a Secure Access Service Edge (SASE) framework to deliver connectivity and security for cloud applications.

A lot of SASE vendors have focused on convergence of networking and security, but the key business goal of SASE is to protect applications and data in the cloud by building a pervasive edge that spans all manners of accessing these applications and data.

McAfee’s MVISION Unified Cloud Edge (UCE) delivers this pervasive edge and enables organizations to apply consistent data protection and threat prevention policies across their entire estate, including users, devices, locations and applications. Under the covers, MVISION UCE is a convergence of Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG), and data loss protection (DLP) technologies delivered via a single global cloud fabric, with consistent policy and incident management. Each of the MVISION UCE components provides coverage over distinct control points that together deliver the pervasive edge:

  • McAfee CASB provides direct visibility and control over cloud-native interactions that are impossible to broker via a network/man-in-the-middle approach. This not only includes real time data and threat protection for data being stored/created in the cloud, it also includes on-demand scanning over existing data to identify both sensitive data and malware. The data objects could include files, messages and field data such as structured data objects in business applications like Salesforce.com, ServiceNow, Workday, etc.
  • McAfee’s next-gen SWG establishes proxy-based visibility and control over web traffic with deep awareness of cloud activity and data interactions. This keeps users safe from accidental data loss or malware, and it delivers the most advanced threat protection against ransomware, phishing attempts and other advanced attacks by integrating Remote Browser Isolation (RBI), a recommended part of a SASE architecture in our next-gen SWG.
  • A common DLP engine that provides device-to-cloud visibility and control over sensitive data on personal or managed devices, data resident and transacted in the cloud and data transiting over the network. McAfee MVISION UCE shares data classifications with all enforcement points for device, network, and the cloud with a single incident management console and API.

The convergence of cloud-native SWG and CASB also enables use cases that can extend network-delivered SASE controls with deep context of cloud applications in a single fabric. Many cloud-application-centric use cases that are critical in a post-COVID work from home scenario cannot be delivered by pure-play cloud SWGs, including:

  • The ability to apply contextual access control to users connecting to sanctioned Cloud applications directly over the internet, without a VPN. MVISION UCE ensures a user with a corporate device has full access to Microsoft 365, whereas a user with an unmanaged device has read-only access, which can be delivered by an app-proxy or remote browser isolation.
  • The ability to control unsanctioned Cloud applications at different levels of granularity including tenancy, activity and data. McAfee provides consistent policies that specifically identify and grant permissions to unsanctioned or personal services like OneDrive where the cloud user can be blocked from synching any data to personal OneDrive, or can be blocked from synching only “classified or sensitive” data to personal OneDrive.
  • The ability to protect against day-zero threats from the cloud in real time without any friction to the user experience. McAfee helps prevent end users from synching or downloading malware delivered from a trusted cloud storage provider such as OneDrive, Google Drive or Dropbox.

In addition, most SASE vendors today focus on user to cloud security – otherwise known as front door controls, but that is not sufficient. Data and threats also need to be protected across side doors in the cloud. Protection also needs to be extended to backdoors within the cloud. McAfee’s MVISION UCE delivers side- and back-door controls that are not offered by any other SASE

  • Connected Application Control

Enables your architecture to discover SaaS applications or home-grown applications connected to each other via API channels. It can then authorize these API connections based on policies, risk and behavior of the connected application. For instance, a Sales VP connecting Clari, a sales forecasting mobile application, to the corporate Salesforce.com instance and pulling all the Salesforce.com data into Clari. The SASE architecture needs to be able to discover all such app-to-app connections and have granular policies around what scope of access should be allowed.

  • SaaS Cloud Security Posture Management (CSPM)

Allows your SASE architecture to assess and manage the security posture of your SaaS provider’s control and management planes. Specifically, Microsoft 365 has more than 200 individual configuration settings that need to be evaluated for an appropriate security posture of 365. For example, the default sharing permissions on Sharepoint that make shared links available to anyone in the world and never expire.

  • Sharing and Collaboration Control

Enables your architecture to control the transaction flow of sensitive data being shared inappropriately between users within the organization or across organizations via popular collaboration platforms such as Microsoft OneDrive, Microsoft Teams, Slack, Zoom, etc. For example, McAfee helps ensure sensitive data is not posted to external (guest) users in Microsoft Teams.

Cloud-native

Long promised, cloud transformation is catching on at a time when enterprises increasingly rely upon cloud services to support their expanding digital activities. It can support large parts of the workforce who are working remotely and from home. Data and threat controls must work in real time as data moves to and from cloud applications. Accordingly, organizations need a cloud-native security architecture that is frictionless and ensures cloud applications function without latency or application breakage, and with security delivered in real time. Real-time capabilities are not just necessary for network controls delivered by the SWG service; they are equally essential for cloud-native controls delivered via API and email gateways. Gartner describes the use of Points of Presence (POP) for global distribution and scale for SASE architectures. Most vendors offering SASE describe their footprint in terms of their network POPs. McAfee MVISION UCE has more than 50 globally distributed network POPs, but it also has similar scale and capacity for API and email POPs to ensure pervasive real-time control.

By our estimate, load increases on cloud security services in the last three months have soared by between 200% and 700%. While this surge has caused many other SASE providers to buckle, McAfee has logged an amazing 99.999% uptime! This is largely driven by our cloud-native architecture, which does not rely on racking and stacking network appliances in public cloud, or on purely relying on colocation POPs that might have longer lead times to build out and support burst capacity. McAfee MVISION UCE is not only built in a cloud-native (i.e. software-defined) manner deployed in POPs around the world, it also has the ability to leverage public cloud providers such as AWS, Azure and GCP for burst POP capacity in order to deliver surge capacity without delay.

MVISION UCE, with its focus on protecting data and preventing threats in the cloud, along with its approach to both network-based and cloud-native controls, marks a key milestone on the path to implementing Gartner’s SASE framework.

Click here to learn more about McAfee MVISION UCE.

The post McAfee Vision for SASE: Making Cloud Adoption Fast, Easy and Secure appeared first on McAfee Blogs.

How McAfee Makes an Impact: 2019 CSR Report Launch

At McAfee, we defend the world from cyber threats. We live our values daily. But most importantly, we recognize the power of inclusion and diversity in helping to create a better world inside and outside of McAfee.

Recently, we launched our 2019 corporate social responsibility report—our Impact Report. Last year, just our second year as the new McAfee, we published our collective actions and 2018 workforce demographics as part of McAfee’s first-ever Inclusion & Diversity Report.

This year, we’re providing greater insights on the progress we’re making to positively impact our people, our community, and our planet, together. As a company, we believe in proactively publishing this report with greater transparency, driving greater accountability and progress—not just for McAfee, but the industry as a whole.

We’ve made progress in our second year as the new McAfee and continue to reach major milestones. We achieved global pay parity. Our evolving hiring and retention practices brought us to the attainment of our 30% diversity goal and we made significant strides in our community outreach and sustainability practices.

We know genuine change requires continuous commitment and we’re up to the challenge. We look forward to working towards a more inclusive, sustainable world, and commit to refining our diversity hiring practices, ensuring equal career progression opportunities, actively developing cybersecurity interest in future generations, mobilizing our employees in their communities, and doing our part to protect our planet.

To understand the reach of McAfee’s impact, you can browse the report or read the highlights below.


The post How McAfee Makes an Impact: 2019 CSR Report Launch appeared first on McAfee Blogs.

Back to Basics: Simple Moves to Keep You Secure at Home

Guest Post by Susan Doktor

Staying at home, something we’ve all been doing a lot more of, can be relaxing. But as our attention has been focused elsewhere, particularly on our health and the economic crisis brought on by the global pandemic, some of us may have also relaxed our safety standards. We are witnessing a serious spike in cybercrime since the coronavirus took the world hostage. Even those institutions that are working diligently to vanquish the virus have not been immune to attack. And that means we have to be more diligent about our privacy and cyber safety.

As mentioned in a recent post, the technology we’re relying on to stay connected while adhering to social distancing guidelines may be contributing to our vulnerability. But whether you’re chatting on a video conferencing app or charging airline tickets to your travel credit card, there are built-in security weaknesses inherent to our online lives. I’m talking about passwords. They’re necessary, of course. And they’re ubiquitous. A 2017 study estimated that the average business user has nearly 200 of them. That’s why it’s a good idea to refresh our understanding of safe password hygiene.

A few simple rules to follow:
  • Choose passwords that are difficult to guess and have nothing to do with your personal information. Don’t use your birthday or house number or any information that’s easy to gather to make up your passwords.
  • Never share your passwords. Beyond matters of basic trust, you don’t know how the person you shared them with is protecting them. Does your shared password reside on a mobile phone or a slip of paper kept in a wallet? Both of those things can be lost or stolen.
  • Don’t re-use passwords. If one of your accounts is hacked, that leaves more of them vulnerable.
  • Change your passwords often. If you don’t, that computer that was stolen six months ago can come back to haunt you. And you’re more at risk from security breaches that online retailers, credit card companies, and even hospitals are experiencing with greater frequency. That risk multiplies any time one of the companies you do business with sells your personal information to one of its marketing partners. So make it a habit to check the privacy policy on any site where you enter your personal data.
  • Enable two-factor authentication whenever you have the option to do so on a website or device. It takes a moment more to complete a log-in but it can save you years of headaches if your identity is stolen.
If all that sounds like too much work, I have another tip for you. And it’s a real time-saver. Get yourself a password manager. The best password managers perform all of those tasks for you automatically. You need only create and remember a single master password to gain a tremendous amount of protection when you install a password manager app on your various devices. There are some excellent free open-source password manager apps out there and quite a few paid ones that offer advanced features like secure file sharing and automatic synching of all of your devices.

Another layer of safety you might want to consider is a Virtual Private Network (VPN). VPNs allow you to surf the web anonymously and encrypt any data you send across it. That means you can use public wi-fi networks, like the one at your favourite Costa, more securely. They can boost your download speed, increase your bandwidth, and let you take advantage of peer-to-peer sharing of films and other entertainment media.

Protecting your personal data through the use of password managers and a secure VPN are great first steps towards increased cybersecurity. But there's no such thing as absolute safety online. Identity thieves have long memories--which means they may have access to your old passwords. And thanks to all the data breaches that have occurred over the last decade, they also have your name, address, phone, email, date of birth, and other personal information. So they spoof your phone number, call your bank, and pretend to be you. They give all the correct identity information and then say that they've lost the device that had their current account password on it—but they remember their old password. And they persuade the customer service rep to change your password again. Now you are effectively locked out of your own account while the thieves vacuum out your money.

Does this mean that password managers, VPNs, and the like are a waste of time? Hardly. The above scenario requires a lot of work on the criminals' part. They'll be much more likely to go after a bank account that's secured with the same password you used back when you were on GeoCities and MySpace. Beefing up your cybersecurity practices now will tilt the odds of staying safe back in your favour.

Author Bio: Susan Doktor is a journalist and business strategist who hails from New York City. She writes, guest- and ghost-blogs on a wide range of topics including finance, technology, and government affairs.

Is the Upatre downloader coming back?

Hi Folks, today I want to share a quantitative analysis of a weird return match by Upatre. According to Unit42, Upatre is an ancient downloader first spotted in 2013, used to deliver banking trojans and active up to 2016.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From PaloAlto Unit42

From 2016 until today I have never experienced a new Upatre campaign, or anything like that, but something seems to have changed. Analyzing the Cyber Threats Trends findings (for an upcoming post) I spotted an interesting revival of the Upatre downloader starting from April 2020. The following image shows what I mean: zero Upatre findings until April 21 2020 and almost 50 single detections per day since that date. Those statistics were so strange to me that I had to doubt them. So let’s take a closer look and see if there is some misclassification around.

Upatre Time Distribution

Digging a little bit into those samples by asking VirusTotal for a second opinion, it looks like the matches are genuine. In order to verify that “revival”, I first took some random samples (with the Upatre classification tag) and then verified the malware classification and the first submission date on VirusTotal. The following is an example of the checks performed. As you can see from the picture, 9 AV engines classified that sample as Upatre, so we might consider it neither a “false positive” nor a “misclassified” sample.

Upatre Correct Classification

The following image shows the “First Submission Date”, which is aligned with what I’ve seen on Cyber Threats Trends. If you take some more samples from the following list (IoC Section) you will probably see many more cases similar to this one. I did many checks and I wasn’t able to find any mismatches at all, so I decided to write up this post about it.

Upatre First Submission

Conclusion

It’s very interesting, at least to my understanding, to see an ancient downloader resumed in such a specific period. Many people, from April up to today, have been stuck at home under what has been called “quarantine” due to the COVID pandemic. Curiously, during the same time, while people are working from home and potentially have much more free time (since they can’t leave home), this older downloader reappears. Maybe somebody took advantage of this bad situation to resurrect some old tools stored on a dusty external hard drive?

IoC (3384)

For the complete IoC list check it out: HERE

Medical Care #FromHome: Telemedicine and Seniors


Medical Care From Home: Telemedicine and Seniors

For weeks and even months now, millions of us have relied on the internet in ways we haven’t before. We’ve worked remotely on it, our children have schooled from home on it, and we’ve pushed the limits of our household bandwidth as families have streamed, gamed, and conferenced all at the same time. Something else is new—more and more of us have paid visits to our doctors and healthcare professionals  on the internet. Needless to say, this is an entirely new experience for many. And with that, I got to thinking about seniors. What’s been their experience with telemedicine? What concerns have they had? And how can we help?

For starters, an online doctor’s visit is known as telemedicine—a way of getting a medical issue diagnosed and treated remotely. With telemedicine, care comes by way of your smartphone or computer via a video conference or a healthcare provider’s portal.

Telemedicine is not new at all. It’s been in use for some time now, such as in rural communities that have little access to local healthcare professionals, in cases of ongoing treatment like heart health monitoring and diabetes care, and situations where a visit to the doctor’s office simply isn’t practical. What is new is this: the use of telemedicine has made a significant leap in recent months.

Telemedicine for seniors (and everyone else) is on the rise

A recent global consumer survey by Dynata took a closer look at this trend. The research spanned age groups and nations across North America and Europe, and found that 39% of its respondents consulted a physician or healthcare professional online in the past few months. Of them, two-thirds said they used telemedicine as part of their care. Yet more telling, 84% of those who recently had a telemedicine appointment said this was the first time they used telemedicine.

The study also looked at their attitudes and experiences with telemedicine based on age and reported that members of the Baby Boomer generation found the experience to be satisfactory—just over 55%. Interestingly, this was quite consistent across other age groups as well, with all of them hovering just above or below that same level of satisfaction.

Have seniors changed their feelings about telemedicine?

One other study gives us some insight into how the opinions seniors hold about telemedicine may have changed in the past year. We can contrast the findings above with a University of Michigan study that polled American adults aged 50 to 80 in the middle of 2019. On the topic of telemedicine, the research found that:

  • 64% would consider using telemedicine if they had an unexpected illness while traveling
  • 58% saw it as an option for a return visit or follow-up
  • 34% would use it to address a new health concern

The study also asked how older Americans felt about telemedicine visits. At that time in 2019, only 14% said that their provider offered telemedicine visits, while 55% didn’t know if they had the option available to them at all. Just a small number, 4%, said they’d had a telemedicine visit within the year. Needless to say, it’ll be interesting to see what 2020’s results would have to say should the university run this poll again.

In terms of their experience with telemedicine, among those who had at least one telemedicine visit, 58% felt that in-person office visits provided an overall better level of care, and about 55% felt that in-person visits were better for communicating with their health care professional and feeling better cared for overall.

Older adults and seniors express concerns about telemedicine

Citing the same University of Michigan study from last year, some of the concerns older adults shared are what you might expect, even regardless of age. The lack of a physical exam (71%), worries that the care might not be as good as a face-to-face visit (68%), and losing the feeling of a personal connection with their health care professional (49%) all ranked high.

Of note, three other concerns around technology also topped the responses:

  • Privacy (49%)
  • Issues using the technology needed to connect (47%)
  • Difficulty seeing or hearing their care provider (39%)

Once again, you can make a strong case that plenty of people might share these same concerns—not just seniors.

Your first telemedicine visit

On the subject of the actual telemedicine visit, let’s turn to some expert advice on the topic. The AARP (American Association of Retired Persons) offers a step-by-step guide on how to prepare for your first telemedicine visit. Their first piece of advice is “make sure you are tech-ready” for your appointment. And that’s one place I can help. Let’s take a look at some of those top concerns about technology.

Some of my advice here mirrors what I shared a few weeks ago about getting ready for an online job interview, and you can keep the following in mind:

Pick your device of choice and get it set up for telemedicine

You’ll need a device for your visit, so choose the one you know and that you’re comfortable with. That’s probably your computer or laptop. And just like with any video conferencing you do, spend some time getting familiar with how to set the microphone levels, speaker volume, and the camera. For audio, you can use a set of smartphone earbuds, which can help prevent audio feedback loops and simply make it easier to hear your caregiver.

As for cameras, many laptops have them built in as a standard feature. If that’s not the case for you, or if you have a desktop computer without a camera, there are several inexpensive options. If you’re shopping around, do a little research. There are plenty of reputable sites that provide mini-reviews, pricing overviews, and give you a sense for where you can make your purchase right now.  As with any connected device, be sure to change any default passwords to a strong, unique password.

And if you can, do a dry run before your appointment. Reach out to a friend or relative and set up a quick video call with your computer or laptop. That way, you can get a feel for the experience and fine tune your settings as you like.

In some cases, the care provider will have an app that you’ll need to download or an online portal that you’ll need to access. If this is the case, don’t worry. You can still practice using your camera and your audio ahead of time with a trusted video conferencing application like Apple’s FaceTime or Microsoft’s Skype.

Make sure your technology is secure

If you don’t already have a comprehensive security solution in place, get one. This will protect you against malware, viruses, and phishing attacks. You’ll also benefit from other features that help you manage your passwords, protect your identity, safeguard your privacy, and more.

As for privacy in general, medical information is among the most sensitive information you have. For example, here in the U.S., we have HIPAA privacy standards to protect our medical records and conversations. Yet there’s also the issue of eavesdropping, which is a risk in practically any online communication. Here, you’ll want to do some research. A reputable health care provider will have a comprehensive set of Frequently Asked Questions (FAQ) available as part of their telemedicine service, which should include a section on your personal privacy and the technology they use. (Here’s a good example of a telemedicine FAQ from University of Washington Medicine.) Consult that FAQ, and if you have further questions, feel free to call the healthcare provider and speak with them.

If you find yourself searching online for a telemedicine provider, look out for bad links and phishing scams. It’s a sad state of affairs, yet hackers are capitalizing on today’s healthcare climate just as they’ve taken advantage of innocent people in times of need before. Use a web advisor with your browser that will alert you of malicious links and never click any link or open any email that you’re unsure of. Again, your security software should help you steer clear of trouble.

The best telemedicine choice is the one that is right for you

We’ve welcomed the internet into so many aspects of our lives, right on down to purchasing connected refrigerators and washing machines. Yet inviting the internet into other aspects of our lives, like our health and that of our loved ones, may not come so quickly. To put it bluntly, getting comfortable with the idea of online doctor’s visits may take some time. However, with research and conversation with your healthcare provider, you may find that a telemedicine visit will work just as well, or well enough, as an in-person visit in some cases. As you make those very personal decisions for yourself, I hope this article and the resources cited within it helps you make a choice that’s absolutely right for you.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Medical Care #FromHome: Telemedicine and Seniors appeared first on McAfee Blogs.

Information Security and Privacy Advisory Board (ISPAB) June 2020 Meeting

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including thorough review of proposed standards and guidelines developed by NIST. The Federal Register Notice will be added closer to the event date. Contact jeffrey.brewer@nist.gov with any questions. NIST is closely

Federal Cybersecurity Workforce Summit (Virtual)

This half-day Summit kicked off the Federal Cybersecurity Workforce Summit and Webinar Series to support collaboration and information sharing among agencies focused on building and maintaining a robust cybersecurity workforce. The PowerPoint slides used during the webinar can be downloaded here.

Objectives:

  • Create a sense of community among individuals in Federal agencies with similar responsibilities for building a superior cybersecurity workforce
  • Provide strategic and program updates from key agencies that influence cybersecurity workforce legislation, policy, guidance, and standards

Making a Case for the Cloud: Customers Give Their Honest Feedback of SaaS-Based AppSec

Before the pandemic, 70 percent of companies were in the early stages of a digital transformation. But given the current circumstances, companies are being forced to speed up those efforts. This statistic, coupled with the FBI’s findings that cyberattacks have increased by 400 percent over the last few months, supports the need for increased application security (AppSec) and the shift toward software-as-a-service (SaaS) models.

Veracode offers the application security industry’s only cloud-native SaaS solution, combined with over a decade of experience helping customers develop effective AppSec programs. This means your program is up and running on day one, and you don’t purchase or maintain servers, which can lead to savings of up to $650,000 a year*.

Most organizations are starting to realize the benefits of this delivery model. Gartner’s 2018 report on Market Trends: The Transformative Impact of SaaS on the Software Market, found that SaaS models are definitely trending. In fact, SaaS revenue grew a whopping 135 percent between 2015 and 2018.

We recently compiled some of our customers’ thoughts on the advantages of SaaS-based AppSec. You can see the video here. Combined with data from a recent Forrester Total Economic Impact report*, we found that the following are the biggest benefits:

No deployment

On-premises solutions take more than 33 hours* to configure; that’s almost an entire workweek! But, since SaaS-based solutions don’t require physical servers, you can start scanning immediately. This means there is zero downtime for your organization.

No maintenance

With SaaS-based AppSec solutions, the customer doesn’t take care of maintenance, the vendor does. This saves you time and money that can be dedicated to other efforts, like integrations. As our customer, Wallace Dalrymple, Chief Information Security Officer at Advantasure, said about our solution in a recent interview, “We could rely on our strategic partner to maintain it for us. We could really just focus on integrating the product and its features and functionalities.”

Ease of scaling

What’s great about a SaaS-based AppSec solution is that you don’t need to plan for scan spikes or take any action. The solution is elastic and will auto-scale to meet demand. This means no more paying for a sudden scan increase or worrying about adding additional scan engines. For customers like Gautum Roy, Head of Product Marketing and Security at Automation Anywhere, Veracode’s ability to “scale on-demand in the cloud” was a major selling point.

Cost savings

The total cost of ownership for a SaaS-based AppSec program is significantly lower than that of an on-premises solution. Not only is it 20 percent less a year to operate, the increased productivity time can save you millions*. You will also avoid unexpected expenses like scan spikes, enabling your organization to budget better.

More accurate results

With SaaS-based AppSec, developers and security professionals can easily mark a finding as a false positive, meaning low false-positive rates, without self-tuning. On-premises vendors are limited to testing their false-positive rate with a small number of test apps in a lab. You would need to file support tickets for false positives, which is a time-consuming step most developers are unlikely to take. This is why on-premises applications have a higher false-positive rate, and why on-premises users need to tune the scanner for each application to reduce the false-positive rate.

Watch our customers talk about SaaS advantages

For more details, check out our video, Veracode Customers Talk About the Advantages of SaaS-Based AppSec.


*Data is based on a Veracode-commissioned study and published in Forrester’s report, SaaS vs. On-premises: The Total Economic Impact™ of Veracode’s SaaS-based Application Security Platform.


Veracode Achieves AWS DevOps Competency Status

We are pleased to announce that we have earned the AWS DevOps Competency status, which recognizes that Veracode provides proven technical proficiency and customer success helping organizations implement continuous integration and delivery practices on AWS. To receive the designation, APN Partners must possess deep expertise and deliver solutions seamlessly on AWS.

Why does this matter? Because your software development is changing, and this AWS competency indicates our work to make sure security can keep up. In fact, a recent GitLab survey found that 59 percent of companies now deploy multiple times a day, once a day, or once every few days. At the same time, security risk has largely shifted to the application layer (the 2020 Verizon Data Breach Investigations Report found that web applications are the most popular attack vector), leaving modern developers on the security front lines. Developers need to produce more code, on more frequent release cycles, and find and fix security flaws without missing a beat.

We’re focused on helping modern developers face these new challenges. Nearly 200,000 developers are using Veracode solutions to identify and fix flaws, and Veracode customers have fixed more than 51 million security flaws to date. Our most recent State of Software Security report found that in a recent 12-month period, our customers addressed 76 percent of the high-severity flaws found in their code.

As a leading cloud-native application security provider, we inherently understand modern software development and our unique platform provides the integrations, flexibility, and analytics to make security a core component of the development process.

Speed, automation, and the right technology support are critical to making developers of secure cloud applications successful. Our deep AWS support includes integration with AWS CodeStar, allowing developers to initiate application security scans from AWS CodeBuild and AWS CodePipeline. In addition, our support for AWS Lambda, as well as AWS Software Development Kits for Python, JavaScript, and Node.js (with more coming soon) will further help developers deliver highly secure, cloud-native applications.

We’re continuing to deliver on these needs through evolution of our core software. For instance, developers are using our fast and accurate IDE Scan to find and fix flaws in their code as they’re writing it. They’re using our Software Composition Analysis to get insight into which open source libraries in their code are vulnerable, and which ones are truly increasing risk and should be updated. And they’re building AppSec skills through hands-on-keyboard experience with our Veracode Security Labs.

One of our customers recently noted of working with Veracode, “The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.”

We’re also delivering on these modern development needs by leveraging secure, highly available, and scalable services provided by AWS. We’ve architected some of our newer offerings from the ground up using AWS services like Lambda and KMS, and have also done extensive refactoring across our full platform to use AWS services in a secure manner.

Our AWS DevOps Competency differentiates us as an AWS Partner Network (APN) member, and it is a key step in our strategy to support developer tools and platforms.

Veracode’s mission is to help you confidently and efficiently create secure software that moves your business forward. To achieve that mission, we’re constantly evolving our technology to address changes in software development and anticipate future needs for software security.

Learn more about our AWS partnership here.

iKeepSafe has announced a change to a virtual format for 2020 NICE K12 Cybersecurity Education Conference

6th Annual NICE K12 Cybersecurity Education Conference Call for Presentations: Open April 1 – June 30, 2020 In an effort to be mindful of health concerns, travel restrictions, budget impacts, and based on the conference's continued commitment to equity and inclusion, the National Initiative for Cybersecurity Education (NICE) K12 Cybersecurity Education Conference will be reimagined to bring the community spirit and networking energy to an inspiring and engaging online space. The Conference, previously slated to take place on December 7-8, 2020 in St. Louis, Missouri, will now be a virtual

Read Before You Binge-Watch: Here are the TV Shows & Movies to Look Out For

If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time. In fact, according to Nielsen, U.S. streaming rates rose 85% in the first three weeks of March this year compared with March 2019.

But having multiple streaming subscriptions can quickly add up. Consequently, users who are hesitant to pay more for online streaming subscriptions often look for free options to stream their favorite TV show or movie.

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of movies and TV shows. Some of these movies and shows are riskier than others, however: McAfee WebAdvisor data has revealed that certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure. 

Top 10 U.S. TV and Movie Titles That Could Lead You to a Dangerous Download:

Top 10 U.S. TV Titles    | Top 10 U.S. Movie Titles
“Brooklyn Nine-Nine”     | “Warrior”
“Elite”                  | “Zombieland”
“Harlots”                | “The Incredibles”
“Letterkenny”            | “Step Brothers”
“Poldark”                | “Bad Boys”
“Lost”                   | “Aladdin” (2019)
“You”                    | “The Lion King” (1994)
“Gentefied”              | “Swingers”
“PEN15”                  | “Frozen 2”
“Skins”                  | “The Invitation”

Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there are still ways users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe:

Watch what you click

Users looking to catch up on Season 2 of “You” or watch “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content, or download the movie from a credible website, instead of downloading a “free” version from a website that could contain malware.

Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source. 

Use a comprehensive security solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.  

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

*Methodology: McAfee pulled the most popular TV and movie titles available on U.S. streaming sites according to “best of” articles by a range of U.S. publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.  

The post Read Before You Binge-Watch: Here are the TV Shows & Movies to Look Out For appeared first on McAfee Blogs.

Ripple20 Vulnerability Mitigation Best Practices

On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors. This set of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck has been dubbed “Ripple20” by researchers from JSOF.

A networking stack is a software component that provides network connectivity over the standard internet protocols. In this specific case these protocols include ARP, IP (versions 4 and 6), ICMPv4, UDP and TCP communications protocols, as well as the DNS and DHCP application protocols. The Treck networking stack is used across a broad range of industries (medical, government, academia, utilities, etc.), from a broad range of device manufacturers – a fact which enhances their impact and scope, as each manufacturer needs to push an update for their devices independently of all others. In other words, the impact ripples out across the industry due to complexities in the supply and design chains.

Identifying vulnerable devices on your network is a crucial step in assessing the risk of Ripple20 to your organization. While a simple Shodan search for “treck” shows approximately 1000 devices, which are highly likely to be internet-facing vulnerable devices, this represents only a fraction of the impacted devices. Identification of the Treck networking stack vs. other networking stacks (such as the native Linux or Windows stacks) requires detailed analysis and fingerprinting techniques based on the results of network scans of the devices in question.

The impact of these vulnerabilities ranges from denial of service to full remote code exploitation over the internet, with at least one case not requiring any authentication (CVE-2020-11901). JSOF researchers identified that these vulnerabilities impact a combination of traditional and IoT devices. Customers should review advisories from vendors such as Intel and HP because non-IoT devices may be running firmware that makes use of the Treck networking stack.

Ripple20’s most significant impact is on devices whose network stack is directly exposed to the network (in general, IoT devices incorporating the Treck stack), as opposed to devices in which the stack is only used for communication local to the device itself. We recommend that you audit all network-enabled devices to determine whether they are susceptible to these vulnerabilities.

There are potentially tens of millions of devices that are vulnerable to at least one of the Ripple20 flaws. Mitigating impact requires attention from both device owners and device vendors.

Mitigations for users of vulnerable devices per CISA recommendations (where possible): 

  • Patch any device for which a vendor has released an update.
  • Practice the principle of least privilege for all users and devices (devices and users should only have access to the set of capabilities needed to accomplish their job). In this case, minimize network exposure and internet-accessibility for all control system devices.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices. VPN solutions should use multi-factor authentication.
  • Use caching DNS servers in your organization, prohibiting direct DNS queries to the internet. Ideally, caching DNS servers should utilize DNS-over-HTTPS for lookups.
  • Block anomalous IP traffic by utilizing a combination of firewalls and intrusion prevention systems.

Where Can I Go to Get More Information?

Please review KB93020 for more information and subscribe for updates.

The post Ripple20 Vulnerability Mitigation Best Practices appeared first on McAfee Blogs.

What to Expect from the Next Generation of Secure Web Gateways

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While secure web gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud- and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution and enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “secure web gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, and with the right technology like pixel mapping, it can deliver real-time, zero-day protection against ransomware, phishing attacks and other advanced malware while not hindering the browsing experience.

Another issue revolves around the encrypted nature of the internet. The majority of web traffic and virtually all cloud applications use SSL or TLS to protect communications and data. Without the ability to decrypt, inspect and re-encrypt traffic in a compliant, privacy-preserving manner, a traditional SWG is simply not able to cope with today’s world.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud.

 

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote work force with a direct-to-cloud architecture that delivers 99.999% availability – As countries and states slowly came out of the shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity from wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.

 

  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than eighty percent of traffic is destined for the internet. Backhauling internet traffic through a traditional “hub and spoke” architecture, which requires expensive MPLS links, can be very costly. Networks slow to a crawl as traffic spikes, and VPNs for remote workers have proven ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers total operating costs by reducing the need for MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure, reducing hardware and operating costs. Per Gartner’s SASE report, organizations can “reduce complexity now on the network security side by moving to ideally one vendor for secure web gateway (SWG), cloud access security broker (CASB)…” By unifying CASB and SWG, organizations can benefit from unified policy and incident management, shared insights on business risk and a shared threat database, and reduced administrative complexity.

 

  • Defend against known and unknown threats – As the web continues to grow and evolve, web-borne malware attacks grow and evolve as well. Ransomware, phishing and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should provide real-time zero-day malware and advanced phishing protection via a layered approach that integrates dynamic threat intelligence for URLs, IPs and file hashes with real-time protection against unknown threats using machine learning and emulation-based sandboxing. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints. Furthermore, a next-gen SWG should provide the capability to decrypt, inspect and re-encrypt SSL/TLS traffic so threats and sensitive data cannot hide in encrypted traffic. Lastly, a next-gen SWG should be XDR-integrated to improve SOC efficiency. SOC teams have too much to deal with already, and they shouldn’t settle for siloed security tools.

 

  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce data loss prevention (DLP) rules in the cloud at all. A next-gen SWG should offer a more effective way to enforce protection with built-in Data Loss Prevention templates and in-line data protection workflows to help organizations comply with regulations. A device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. When incidents do happen, administrators should be able to manage investigations, workflows, and reporting from a single console. Next-gen SWGs should also integrate user and entity behavior analytics (UEBA) to further protect business sensitive data by detecting and separating normal users from the malicious or compromised ones.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.

 

The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.

Working from Home in 2020: Threat Actors Target the Cloud

Like any enterprise, cybercrime focuses its resources where it can derive value, which is data. In the case of ransomware, data is held hostage for a direct monetary exchange, whereas many other data breaches seek to steal data and monetize it on dark web markets. These two methods are even starting to merge, with some cybercrime organizations now offering Data-Leaking-as-a-Service. For most of the history of cybercrime, resources and infrastructure used to steal data targeted endpoint devices and network stores, using malware to land an attack, find data, and exfiltrate. That’s where the data was.   

Now, we have a dramatic shift of data moving to cloud service providers, held not within the confines of a customer’s managed network but instead a third party. The shift to working from home in early 2020 accelerated cloud use, just as it accelerated other trends like food delivery and telehealth. Read more about the increase in cloud use in our first post on this topic, here.  

With the acceleration of cloud adoption comes more data in the cloud and, in lockstep, threat actors shifting their attack resources to the cloud. Through the first months of 2020, as this shift occurred, we monitored attack attempts from external threat actors on our customers’ cloud accounts, which increased 630%:

  

In this chart, we’ve plotted all threats across 30 million cloud end users, along with the two primary categories of external threat events targeted at cloud accounts. They are: 

  • Excessive Usage from Anomalous Location. This begins with a login from a location that has not been previously detected and is anomalous to the user’s organization. The threat actor then initiates high-volume data access and/or privileged access activity.  
  • Suspicious Superhuman. This is a login attempt from more than one geographically distant location, impossible to travel to within a given period of time. We track this across multiple cloud services, for example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later.  
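The two event categories above, as an added example (not McAfee's detection logic) run over constructed cloud login and activity events. The event fields, the 1000 km/h plausible-travel ceiling, the 50-download bulk threshold and the one-hour window are all assumptions.

```javascript
// Added example: flag "Suspicious Superhuman" (impossible travel across services)
// and "Excessive Usage from Anomalous Location" over constructed events.
const MAX_PLAUSIBLE_KMH = 1000;          // assumed ceiling: faster than airline travel
const BULK_DOWNLOAD_THRESHOLD = 50;      // assumed: downloads per window that count as high volume
const USAGE_WINDOW_MS = 60 * 60 * 1000;  // look one hour past an anomalous login

// Constructed sample events. Logins carry a geolocation; later downloads and
// privileged actions are attributed to the same user on the same service.
const SAMPLE_EVENTS = [
  { user: 'alice@example.com', service: 'Microsoft 365', action: 'login',
    country: 'SG', city: 'Singapore', lat: 1.35, lon: 103.82, ts: '2020-03-10T08:00:00Z' },
  { user: 'alice@example.com', service: 'Slack', action: 'login',
    country: 'US', city: 'San Jose', lat: 37.34, lon: -121.89, ts: '2020-03-10T08:05:00Z' },
  { user: 'bob@example.com', service: 'Box', action: 'login',
    country: 'BR', city: 'Sao Paulo', lat: -23.55, lon: -46.63, ts: '2020-03-10T09:00:00Z' },
  // 60 downloads in the 20 minutes after bob's login (constructed bulk access)
  ...Array.from({ length: 60 }, (_, i) => ({
    user: 'bob@example.com', service: 'Box', action: 'download',
    country: 'BR', city: 'Sao Paulo', lat: -23.55, lon: -46.63,
    ts: new Date(Date.parse('2020-03-10T09:01:00Z') + i * 20000).toISOString(),
  })),
  { user: 'carol@example.com', service: 'Box', action: 'login',
    country: 'AU', city: 'Sydney', lat: -33.87, lon: 151.21, ts: '2020-03-10T09:00:00Z' },
  { user: 'carol@example.com', service: 'Box', action: 'download',
    country: 'AU', city: 'Sydney', lat: -33.87, lon: 151.21, ts: '2020-03-10T09:10:00Z' },
];

// Countries the (hypothetical) organization's users normally log in from.
const KNOWN_COUNTRIES = new Set(['AU', 'US', 'SG']);

// Great-circle distance in km between two {lat, lon} points.
function haversineKm(a, b) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Compare each user's consecutive logins across ALL services, not per service.
function detectSuperhuman(events, maxKmh = MAX_PLAUSIBLE_KMH) {
  const loginsByUser = new Map();
  for (const e of events) {
    if (e.action !== 'login') continue;
    if (!loginsByUser.has(e.user)) loginsByUser.set(e.user, []);
    loginsByUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, logins] of loginsByUser) {
    logins.sort((x, y) => Date.parse(x.ts) - Date.parse(y.ts));
    for (let i = 1; i < logins.length; i++) {
      const prev = logins[i - 1];
      const cur = logins[i];
      const km = haversineKm(prev, cur);
      const hours = (Date.parse(cur.ts) - Date.parse(prev.ts)) / 3.6e6;
      // Two distant logins at the same instant are impossible too: treat as infinite speed.
      const kmh = hours > 0 ? km / hours : (km > 0 ? Infinity : 0);
      if (kmh > maxKmh) {
        alerts.push({ type: 'Suspicious Superhuman', user,
          from: `${prev.city} (${prev.service})`, to: `${cur.city} (${cur.service})`,
          km: Math.round(km), minutes: Math.round(hours * 60) });
      }
    }
  }
  return alerts;
}

// A login from a country the organization has not been seen in, followed by
// high-volume data access or any privileged action within the window.
function detectAnomalousUsage(events, knownCountries, threshold = BULK_DOWNLOAD_THRESHOLD) {
  const sorted = [...events].sort((x, y) => Date.parse(x.ts) - Date.parse(y.ts));
  const alerts = [];
  sorted.forEach((login, i) => {
    if (login.action !== 'login' || knownCountries.has(login.country)) return;
    let downloads = 0;
    let privileged = 0;
    for (let j = i + 1; j < sorted.length; j++) {
      const e = sorted[j];
      if (Date.parse(e.ts) - Date.parse(login.ts) > USAGE_WINDOW_MS) break;
      if (e.user !== login.user || e.service !== login.service) continue;
      if (e.action === 'download') downloads += 1;
      if (e.action === 'privileged') privileged += 1;
    }
    if (downloads >= threshold || privileged > 0) {
      alerts.push({ type: 'Excessive Usage from Anomalous Location', user: login.user,
        service: login.service, country: login.country, downloads, privileged });
    }
  });
  return alerts;
}

function runDetections(events, knownCountries = KNOWN_COUNTRIES) {
  return { superhuman: detectSuperhuman(events),
           anomalous: detectAnomalousUsage(events, knownCountries) };
}

console.log(JSON.stringify(runDetections(SAMPLE_EVENTS), null, 2));
```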

The increase in threat events impacted some verticals more than others, with companies in Transportation/Logistics, Education, and Government agencies hit the hardest:  

Head over to the report below for more analysis on how specific verticals were targeted, where these attacks came from, and recommendations for how to protect your organization.  

The post Working from Home in 2020: Threat Actors Target the Cloud appeared first on McAfee Blogs.

25 Amazing Quotes To Inspire You This Father's Day

Today’s blog post is going to take a little detour off the main road. We’re going to pause from gulping down information and slaying cyber dragons and simply refuel our parenting tanks. So often the best wisdom comes from lands far beyond our well-traveled parenting peripheral. The best ideas and most brilliant connections often sneak up on us to challenge our thinking and our parenting norms, which can be a very, very good thing.

So here are some great (and hopefully new) thoughts on parenting to inject some fresh vision and levity into your perspective. If you’re anything like this parent, you much prefer a good cup of coffee, a quiet house, and a double dose of higher thinking over just about any life perk. Oh, and if you need a great laugh, listen to Author Andy Andrews’ 50 Famous Parental Sayings in this video!

25 Amazing Parenting Quotes:

  1. “Hugs can do great amounts of good, especially for children.” – Princess Diana
  2. “Trust yourself. You know more than you think you do.” – Dr. Benjamin Spock
  3. “Even in our increasingly toxic culture, parents can still have the inside track in their children’s development because parents are their children’s first and most important moral teachers.” – Dr. Michele Borba
  4. “The most beautiful sight in the world is a little child going confidently down the road of life after you have shown him the way.” – Confucius
  5. “I’ve learned that you can tell a lot about a person by the way he or she handles these three things: a rainy day, lost luggage, and tangled Christmas tree lights.” – Maya Angelou
  6. “What it’s like to be a parent: It’s one of the hardest things you’ll ever do but in exchange it teaches you the meaning of unconditional love.” – Nicholas Sparks
  7. “To be in your children’s memories tomorrow, you have to be in their lives today.” – Barbara Johnson
  8. “Children have never been very good at listening to their elders, but they have never failed to imitate them.” – James Baldwin
  9. “Don’t let the sun go down without saying thank you to someone, and without admitting to yourself that absolutely no one gets this far alone.” – Stephen King
  10. “Work at our responsibility as parents as if everything in life counted on it.” – Gordon B. Hinckley
  11. “But let me tell you something, ladies. There will come a day when you look back on these [toddler] years with something that feels like wistfulness. A longing even. Because that pea-soup-spewing, head spinning, chicken-nugget-clutching abomination in the car seat behind you is going to be a teenager some day. And then things get really fun.” – Jennifer Ball, blogger
  12. “Vulnerability sounds like truth and feels like courage. Truth and courage aren’t always comfortable, but they’re never weakness.” – Brené Brown
  13. “Sometimes we’re so concerned about giving our children what we never had growing up, we neglect to give them what we did have growing up.” – Dr. James Dobson
  14. “Live life in such a way that when your children think of fairness and integrity, they think of you.” – H. Jackson Brown, Jr.
  15. “If you are a parent, open doors to unknown directions to the child so he can explore. Don’t make him afraid of the unknown, give him support.” – Osho
  16. “When you’re feeling insecure and just plain not-good-enough as a parent, remember most parents feel the same way.” – Anon.
  17. “The way we talk to our children becomes their inner voice.” – Peggy O’Mara
  18. “Always kiss your children good night even if they’re already asleep.” – H. Jackson Brown, Jr.
  19. “Never let the things you want make you forget the things you have.” – Anon.
  20. “Children need love the most when they least deserve it.” – Harold Hulbert
  21. “A father’s words are like a thermostat that sets the temperature in the house.” – Paul Lewis
  22. “Children spell ‘love’. . . T-I-M-E.” – Dr. A. Witham
  23. “The school will teach children how to read, but the environment of the home must teach them what to read. The school can teach them how to think, but the home must teach them what to believe.” – Charles A. Wells
  24. “Don’t feel entitled to anything you didn’t sweat and struggle for.” – Marian Wright Edelman
  25. “If you want your children to improve, let them overhear the nice things you say about them to others.” – Haim Ginott

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @SafeEyes

The post 25 Amazing Quotes To Inspire You This Father's Day appeared first on McAfee Blogs.

State of Software Security: Open Source Edition – Key Takeaways for Developers

The popularity of open source libraries isn't dwindling anytime soon. They're critical for developer functionality, allowing teams of developers like yours to work faster so they can meet the tight deadlines they face on a regular basis.

But some developers may not fully understand the risks that come from using open source libraries, such as the risks we found in State of Software Security: Open Source Edition. We looked at open source libraries by studying reports from 85,000 applications, which included 351,000 unique external libraries. The guide, which delves into how prevalent open source libraries are and how vulnerable they are, sheds light on just how much risk is carried in open source code. Here are some key takeaways.

PHP is a problem

When we broke down the data, we found that the languages with the most open source risk include JavaScript, Ruby, and PHP, with PHP taking the cake in most instances. In fact, the numbers highlighted a glaring problem with this programming language: when you include any given PHP library, the chance of introducing a security flaw along with that library is greater than 50 percent.

PHP Flaw Rates

And when it comes to the most worrisome vulnerabilities, PHP still stands out. We found that nearly half (more than 40 percent) of PHP libraries had Cross-Site Scripting (XSS) flaws, and that Authentication and Broken Access Control vulnerabilities trailed closely behind.

We also examined how organizations prioritize the remediation of their flaws based on the availability of public proof-of-concept (PoC) exploits, and we found that over one-fifth of open source libraries have such an exploit. PHP once again stole the spotlight as the top offender, with 27 percent of flawed PHP libraries having published exploit code. While we can't say for sure why these numbers are higher, this may be due to the use of PHP in web server applications, which are a focus for cyberattackers.

Most flaws are from transitive dependencies

It was important to peel back the layers and look at the risk-laden facets of open source libraries that are not always obvious to the developers on your team. Enter transitive dependencies. While not explicitly introduced during the coding process, these dependencies are pulled in by components within open source libraries and can come with hidden debt that increases workload, as well as costs, down the road.

Our data showed that 71 percent of applications have a vulnerability in an open source library upon initial scan, with 47 percent of the flaws being transitive. PHP and Ruby are top offenders within applications that have transitive dependencies, though JavaScript takes the lead at 87 percent. The numbers are concerning, especially considering that flawed libraries are used more often than unflawed libraries, and transitive dependencies are common.

This presents a problem: the further removed a dependency is from the code your team wrote, the harder it is to manage it and to know how to fix its flaws quickly. Additionally, because of the hidden nature of transitive dependencies, large attack surfaces on applications can catch you off guard.
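One way to surface the direct-versus-transitive distinction described above, as an added example that is not Veracode's analysis code: walk a constructed lockfile-style dependency graph, report the path that pulled each flawed library in, and check whether a published fix exists. Every library name, version and advisory below is made up.

```javascript
// Added example: classify flawed libraries as direct or transitive, with fix status.

// Constructed graph: package -> the packages it depends on (as a lockfile would list).
const DEPENDENCY_GRAPH = {
  'my-app': ['web-framework', 'logger'],
  'web-framework': ['template-engine', 'http-utils'],
  'http-utils': ['query-parser'],
  'template-engine': ['html-escaper'],
  'logger': [],
  'query-parser': [],
  'html-escaper': [],
};

// Constructed installed versions for the graph above.
const INSTALLED_VERSIONS = {
  'web-framework': '2.1.0', 'logger': '1.2.0', 'template-engine': '3.0.1',
  'http-utils': '0.8.4', 'query-parser': '0.9.2', 'html-escaper': '2.0.0',
};

// Constructed advisories: every version below fixedIn is affected;
// fixedIn null means no fix has been published yet.
const ADVISORIES = [
  { library: 'logger', category: 'Information Exposure', fixedIn: '1.3.0', hasPoc: false },
  { library: 'query-parser', category: 'Broken Access Control', fixedIn: '1.0.0', hasPoc: true },
  { library: 'template-engine', category: 'Cross-Site Scripting', fixedIn: null, hasPoc: true },
  { library: 'html-escaper', category: 'Cross-Site Scripting', fixedIn: '1.5.0', hasPoc: false },
];

// Compare dotted numeric versions (x.y.z); returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Breadth-first walk from the root, so each library records its shortest path in.
function resolvePaths(root, graph) {
  const paths = new Map([[root, [root]]]);
  const queue = [root];
  while (queue.length) {
    const name = queue.shift();
    for (const dep of graph[name] || []) {
      if (!paths.has(dep)) {
        paths.set(dep, [...paths.get(name), dep]);
        queue.push(dep);
      }
    }
  }
  return paths;
}

function findExposures(root, graph, installed, advisories) {
  const paths = resolvePaths(root, graph);
  const exposures = [];
  for (const adv of advisories) {
    const path = paths.get(adv.library);
    const version = installed[adv.library];
    if (!path || !version) continue;            // library is not part of this application
    const affected = adv.fixedIn === null || compareVersions(version, adv.fixedIn) < 0;
    if (!affected) continue;                     // already on a fixed release
    exposures.push({
      library: adv.library, version, category: adv.category, hasPoc: adv.hasPoc,
      direct: path.length === 2,                 // root -> library with nothing in between
      path: path.join(' > '),
      fixAvailable: adv.fixedIn !== null, fixedIn: adv.fixedIn,
    });
  }
  // Remediation order: public PoC first, then flaws that already have a published fix.
  exposures.sort((x, y) => (y.hasPoc - x.hasPoc) || (y.fixAvailable - x.fixAvailable));
  return exposures;
}

function summarize(exposures) {
  const transitive = exposures.filter((e) => !e.direct).length;
  const fixable = exposures.filter((e) => e.fixAvailable).length;
  return { total: exposures.length, transitive, fixable };
}

const found = findExposures('my-app', DEPENDENCY_GRAPH, INSTALLED_VERSIONS, ADVISORIES);
console.log(found, summarize(found));
```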

Most flaws can be fixed with a simple update

There's good news, too. When it comes to reducing the security risks of open source libraries, our data shows that almost 75 percent of known flaws are fixable. Even better, they're usually fixable by updating to a minor revision or patch release, which won't disrupt a developer's busy schedule too much.

Percent of Flaws with Available Fixes

Languages in top OWASP categories delivered reassuring results too: almost 90 percent of Broken Access Control vulnerabilities (the second most common flaw in applications with PoC exploits) are fixable with a published update. We found the same for Cross-Site Scripting at nearly 90 percent, and Broken Authentication came out on top with 96 percent of flaws having fixes available for you and your team to implement.

Renowned computer programmer and sci-fi writer Daniel Keys Moran said it well: "You can have data without information, but you cannot have information without data." There's a silver lining to the risk that comes with open source libraries: the more information you arm yourself with, the more efficiently you can shape your DevSecOps program and improve the health of your applications.

The bottom line is that there are fixes for these issues, and most are minor, suggesting that this problem is one of discovery and tracking, not of huge code refactoring. Work with your security team to make sure you are equipped with the tools you need to identify and remediate open source vulnerabilities.

Read the full State of Software Security: Open Source Edition report here for a full analytical picture of what we uncovered in our latest round of research.

How One College Professor Is Trying to Address the Cybersecurity Skills Gap

Software development is ever-evolving, and with that demand for innovation and scale comes the need to ensure software is secure. Many enterprise organizations have invested in AppSec to help them identify security flaws throughout the development process. However, within higher education, secure coding skills are often not part of computer science or software engineering curriculums.

At Tufts University outside of Boston, Ming Chow, Associate Teaching Professor in the Department of Computer Science, recognizes this need and has incorporated secure coding into his courses. I recently connected with Professor Chow to chat about the role application security plays in his classroom, expanding his students' horizons with secure software development, and how his courses have opened students' eyes to new opportunities within the field.

Chris Eng: Good to talk with you, Ming. These are very surreal times. Tell me how things have been with you and how your teaching responsibilities have changed.

Ming Chow: Very little. Here's why. I've been teaching online courses during the summers since 2016. On March 3rd 2020, a full week before Tufts made the announcement that it would move to online learning, I sent an announcement to my Introduction to Security class: "Should Tufts decide to end the semester early, I got a plan in place..." Some people thought I was crazy. Because I have taught Introduction to Security online since the summer of 2017, it was seamless to transition from in-class to online learning after spring break. The first activity we did after spring break was Capture the Flags (CTF).

Overall, I've been a lot busier since we moved to online learning. I'm checking in on students and alumni to see if they are okay, I rolled out our new co-op program, I'm preparing for our first inaugural Online Master's class, and I'm assisting in a program for Tufts Computer Science students who lost internships and opportunities because of the pandemic.

CE: One of the things we hear about often is the cyber skills gap, or more broadly, having enough IT or IT security personnel both in the U.S. and abroad. What is your sense of the interest in technology degrees at Tufts? Do you think there are more students who want to start a career in tech?

MC: Yes, because that's where the money and opportunities are -- full stop. Computer Science is now the largest undergraduate major at many colleges and universities because of that reason. When college is so expensive and you have lots of student loans, what options do students really have? Still, there are lots of students who are really passionate about Computer Science, and I am very grateful to have many of them. Even for those who are "in it for the money," do I blame them?

CE: Another reality is that a lot of higher education institutions may offer programming courses, but they are very far behind in teaching security skills. For example, most students who earn a relevant degree may graduate without taking a single security course. What are your thoughts on the reasons behind this?

MC: This is very true, and there are a few reasons. First, many faculty just don't know. They don't know about the security field. They don't know what the needs are in industry. There's a reason why there is always talk of the gaps between academia and industry, and it's gotten wider thanks to constant changes and a growing toolchain. If an instructor is following the textbooks, namely introductory CS textbooks, most textbooks still don't cover security -- so that doesn't help. Second, as I said before, Computer Science is now the largest undergraduate major at many universities. In my opinion, many schools are struggling with over-enrollment, so most days consist of putting out fires (of enrollment issues), and everything else such as curriculum comes secondary.

CE: In your courses, you use Veracode as a teaching tool so that your students can learn about application security testing, and how to find and fix flaws. When did you start using AppSec technology in your classes, and why?

MC: Veracode Static Analysis is used right after the Capture the Flags game in my Introduction to Security class. The topic after the CTF game is Static and Dynamic Analysis. The lab after the CTF game is a Technical Risk Analysis where students have to manually review the source code of the CTF game and create a technical risk table for a technical manager. Students also learn to use the Veracode Static Analysis tool, where the process is automated. Results are then compared to the manual results, and students have consistently noted in their README that Veracode found a lot more issues than they could have ever imagined.

In the spring semester of Senior Capstone, which I also run, teams have to provide a Defects and Vulnerabilities Report, including Static Analysis results. Students who have taken my Security class opt to use Veracode for the deliverable as well. I have used Veracode Static Analysis in my Introduction to Security class from fall 2013 to the present.

As for why I started using AppSec technology in my classes, the primary reason is exposure to real tools and hands-on skills early on. Look, cybersecurity is a largely hands-on field; it can't be all theory. Don't tell me the toolchain is not important as part of your education. It's disheartening to hear many Computer Science students have never used tools like Git before, let alone a static analysis tool.

CE: What are your students' reactions when they find flaws in the code they've written? Is there anything that has stood out to you as surprising over the years as you've taught security skills to students?

MC: A real comment from a former student after running a Veracode scan: "[Without Veracode], I did not find the hard-coded password, many instances of the lack of HTML script sanitation, cryptographic issues, information exposure through an error message, and deserialization of untrusted data."

With regard to using Veracode Static Analysis, the biggest surprise and most gratifying comments I have received were on how to incorporate static analysis tools like Veracode in student organizations that are doing software projects. For example, we have JumboCode, an organization dedicated to helping non-profits in the greater Boston area by providing them free, custom technology to aid their services. The lead, who was a former student, asked me how to incorporate such tools into the program (after he did the lab in my class).

Overall, the most surprising thing is the consistent comment of how the course opened up students' eyes. When the course is consistently noted to have opened up students' eyes on a part of Computer Science they never knew of, or have opened up opportunities other than software development, or even have spurred their interest in Computer Science, you know you did something right.

CE: Do you have any advice for university students taking computer science or programming classes with regard to security?

MC: To quote your very own words: "Understand how things work. Never mind security, some of them have no idea how the web (or the Internet) works. So much is abstracted from developers in a typical CS curriculum that they are often unprepared to understand how things actually work, which is core for security..." It is arguably my biggest dissatisfaction with many new engineering grads: not just the lack of preparation, but the seeming disinterest to chase down that very understanding. Knowing how to code or understanding a few programming languages doesn't make you well rounded as a developer or programmer.

CE: What are some of the things they should know, or seek out to improve their knowledge base with secure coding?

MC: Knowing how to ask for help is important, and there's absolutely no shame in doing so. Build intellectual curiosity by building and breaking things. Understanding how things work and debugging skills go in tandem.

CE: Do you think that having a better sense of secure coding can help individuals stand out from the crowd when looking for a job or entering the workforce?

MC: Anyone can code. Anyone can learn how to code, so much so that there are too many resources and references available now. Hence, it's not that special. There are lots of developers out there, but the issue, and this is the real workforce shortage problem, is the dearth of good software developers and engineers. I still hear stories of Senior Software Engineers who don't know what Cross Site Scripting and SQL injection are.

CE: For other professors who might be looking to work secure coding into their curriculums, what advice would you offer them?

MC: Make, not just encourage, students think about "what could possibly go wrong." Institute that adversarial thinking in their programming assignments. That alone will be significantly better than no emphasis on security.

How to Secure Single-Page Applications

Let's face it; consumers' attention spans are getting shorter by the day. Gone are the days of people willing to wait several minutes for a clunky website with a poor user experience to load. In fact, 47 percent of users expect the average page to load in less than 2 seconds before they leave, resulting in billions in missed potential revenue. With the increased competition for consumer attention, companies have turned to single-page applications (SPAs) to overcome the technical challenge of providing a better experience with fewer development efforts. The widespread use of this technology provides a unique challenge for security teams looking to mitigate their risk of breach, as traditional scanning methods may not provide the necessary coverage. This is alarming because, according to the 2020 Verizon Data Breach Investigations Report, web applications were involved in 43 percent of all breaches.

How SPAs work

SPAs work well because a single HTML page is loaded in the browser and the content is dynamically updated without needing to refresh the entire page. This decreases the chance of users bouncing off the page because of load delays caused by rendering HTML files on uncertain networks. The page can load in as little as 0.2 seconds, which can lead to longer and more meaningful interactions.

In addition to a more engaging experience, SPAs are easy for developers to build and deploy. SPAs are developed using frameworks like React and Angular, making it easy to debug with Chrome. Apps built with these frameworks typically interact with a back end implemented as a RESTful API, typically through the fetch() JavaScript call. Since all the data sits in a single location on the client's side, developers only have to deal with one HTML file, making things much faster and simpler.

Security challenges with SPAs

Although SPAs provide a better experience for developers and consumers, they come with their own set of security challenges. The inability to adequately scan them, coupled with the large number of SPAs deployed by organizations, gives cyberattackers a wide attack surface. Traditionally, multi-page applications have a number of URLs for a scanner to crawl through in order to consider a scan complete. When a scanner does not support single-page applications, it is unable to scan much at all and returns quickly with few CWEs, resulting in a false sense of security.

SPAs are especially vulnerable to Cross-Site Scripting (XSS) attacks, since users are making server requests in JavaScript that result in outputs in HTML. As developers are moving logic and features from the server and to the client, it becomes easy to accidentally allow improper access to confidential data. This can lead to lawsuits, hefty fines, a bad PR storm, and reduced sales due to lack of public trust.
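The XSS pattern described above, as an added example (not code from the original post): a SPA render path that drops a fetch() response straight into markup, beside the hardened version. The reviews endpoint, its JSON shape and the payload in the second record are all constructed for illustration.

```javascript
// Added example: client-side rendering of API data, vulnerable vs. hardened.

// Constructed JSON, shaped like what a fetch() call to a reviews endpoint returns.
// The second author value is a constructed stored-XSS style string; it is here
// only to show that output encoding neutralises it.
const API_RESPONSE = {
  reviews: [
    { author: 'Dana', body: 'Parcel arrived safe & sound.' },
    { author: '<img src=x onerror="alert(1)">', body: 'x' },
  ],
};

// Encode the five characters that can change HTML structure or break out of attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: server data interpolated into an HTML string (what typically ends up
// in element.innerHTML). Kept deliberately flawed for comparison.
function renderReviewsUnsafe(data) {
  return data.reviews.map((r) => `<li><b>${r.author}</b>: ${r.body}</li>`).join('');
}

// Hardened: every dynamic value is escaped before it enters the markup.
function renderReviewsSafe(data) {
  return data.reviews
    .map((r) => `<li><b>${escapeHtml(r.author)}</b>: ${escapeHtml(r.body)}</li>`)
    .join('');
}

// Better still in the browser: build nodes and assign text, so no markup is parsed.
// Returns null outside a browser (e.g. under Node), where there is no document.
function mountReviews(container, data) {
  if (typeof document === 'undefined') return null;
  const list = document.createElement('ul');
  for (const r of data.reviews) {
    const li = document.createElement('li');
    const author = document.createElement('b');
    author.textContent = r.author;        // text, never parsed as HTML
    li.append(author, `: ${r.body}`);     // strings passed to append() become text nodes
    list.appendChild(li);
  }
  container.replaceChildren(list);
  return list;
}

// Rough check: does the rendered markup still carry a tag the template never emits?
function hasInjectedTag(html) {
  return /<(img|script|svg|iframe|object)\b/i.test(html);
}

console.log('unsafe:', renderReviewsUnsafe(API_RESPONSE));
console.log('safe:  ', renderReviewsSafe(API_RESPONSE));
```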

How to prevent your SPAs from getting breached

There are two ways to ensure that SPAs are properly tested for security.

The first is to have an expert penetration tester attack the application manually. Pen testers can find all levels of vulnerabilities, but many organizations like to focus their tests on the areas where automation is difficult, such as business logic. The downside of solely using pen testing is the lack of scalability across the application portfolio, which prevents frequent testing. Without frequent testing, mitigating the risk of attack would be nearly impossible.

The second solution is to use automated security scanning technologies. Organizations need to use a Dynamic Analysis solution that has the ability to automatically and effectively scan SPAs. Veracode Dynamic Analysis has a unique approach to this problem. Our scanning engine uses an embedded browser in order to record and replay a series of actions that users are likely to take as they browse a single-page application. Because the scanner mimics real-world user actions inside a browser instead of simply observing network traffic, it can navigate through the SPA, despite it only consisting of a single URL. This process is then followed until the application has been successfully scanned. Without an embedded browser, which is the case with traditional dynamic scanning, it is extremely difficult to achieve this same level of coverage.

Learn more

Securing your web applications can seem like a daunting task, but it doesn't have to be. To learn more, please download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis, or to schedule a demo now, click here.

My Adventures Hacking the iParcelBox

In 2019, McAfee Advanced Threat Research (ATR) disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their products to test. While this isn’t the typical M.O. for our research we applaud the company for being proactive in their security efforts and so, as the team over at iParcelBox were kind enough to get everything shipped over to us, we decided to take a look.

The iParcelBox is a large steel box that package couriers, neighbors, etc. can access to retrieve or deliver items securely without needing to enter your home. The iParcelBox has a single button on it that when pushed will notify the owner that someone wants to place an object inside. The owner will get an “open” request push notification on their mobile device, which they can either accept or deny.

The iParcelBox (Photo Credit: iparcelbox.com)

Recon

The first thing we noticed about this device is the simplicity of it. In the mindset of an attacker, we are always looking at a wide variety of attack vectors. This device only has three external vectors: remote cloud APIs, WiFi, and a single physical button.

iParcelBox Delivery Button (Photo Credit: iparcelbox.com)

During setup the iParcelBox creates a WiFi access point for the mobile application to connect with and send setup information. Each iParcelBox has a unique, randomly generated 16-character WiFi password that makes brute forcing the WPA2 key out of the question; additionally, this access point is only available when the iParcelBox is in setup mode. The iParcelBox can be placed into setup mode by holding the button down, but it will warn the owner via a notification and will only remain in setup mode for a few minutes before returning to normal operation.

iParcelBox Random WiFi Access Point Password (16 Characters)

Since we have the WiFi password for the iParcelBox in our lab, we connected to the device to see what we could glean from the webserver. The device was only listening on port 443, meaning that the traffic between the application and iParcelBox was most likely encrypted, which we later verified. This pointed us to the Android app to try to decipher what type of messages were being sent to the iParcelBox during setup.

iParcelBox Port Scan

Using dex2jar we were able to disassemble the APK file and look at the code within the app. We noticed quickly that the iParcelBox was using MQTT (MQ Telemetry Transport) for passing messages back and forth between the iParcelBox and the cloud. MQTT is a publish/subscribe message protocol where devices can subscribe to “topics” and receive messages. A simple description can be found here: (https://youtu.be/EIxdz-2rhLs)

Dex2Jar Command

A typical next step is to retrieve the firmware for the device, so we started to look through the disassembled APK code for interesting URLs. While we didn’t find any direct firmware links, we were able to find some useful information.

Disassembled Code pulled from APK

The code snippet above shows a few interesting points, including the string “config.iparcelbox.com” as well as the line with “app” and “TBpwkjoU68M”. We thought that these could be credentials for an app user passed to the iParcelBox during setup; however, we’ll come back to this later. The URL didn’t resolve on the internet, but when connecting to the iParcelBox access point and running a dig query we were able to see that it resolves to the iParcelBox.

DNS Lookup of config.iparcelbox.com

Nothing from the Android app or the webserver on the device popped out to us, so we decided to look deeper. One of the most common ways that information about targets can be gathered is by looking through user forums and seeing if there are others trying to tweak and modify the device. Often with IoT devices, home automation forums have numerous examples of API usage as well as user scripts to interact with such devices. We wanted to see if there was anything like this for the iParcelBox. Our initial search for iParcelBox came up empty, other than some marketing content, but when the search was changed to iParcelBox API, we noticed a few interesting posts.

Google Search for “iparcelbox api”

We could see that even on the first page there are a few bug reports and a couple of user forums for “Mongoose-OS”. After going to the Mongoose-OS forums we could clearly see that one user was a part of the iParcelBox development team. This gave us some insight that the device was running Mongoose-OS on an ESP32 Development board, which is important since an ESP32 device can be flashed with many other types of code. We started to track the user’s posts and were able to discover extensive information about the device and the development decisions throughout the building process. Most importantly this served as a shortcut to many of the remaining analysis techniques.

As mentioned earlier, a high priority is to try to gain access to the device’s firmware by either pulling it from the device directly or by downloading it from the vendor’s site. Pulling firmware is slightly more tedious since you must often solder wires to the flash chip or remove the chip altogether to interface with the flash. Before we began to attempt to pull the firmware from the ESP32, we noticed another post within the forums that mentioned that the flash memory on the device was encrypted.

Post describing flash encryption

With this knowledge, we skipped soldering wires to the ESP32 and didn’t even try to pull the firmware manually since it would have proven difficult to get anything off it. This also gave us insight into the provisioning process and how each device is set up. With this knowledge we started to look for how the OTA updates are downloaded.

Searching around a little longer we were able to find a file upload of a large log file containing what seemed like the iParcelBox boot procedure. Searching through the log we found some highly sensitive data.

Admin Credentials and gh-token from boot log

In the snippet above you can see that the admin credentials are passed as well as the GitHub token. Needless to say, this isn’t good practice; we will see if we can use that later. But in this log we also found a firmware URL.

Firmware URL from boot log

However, the URL required a username and password.

Firmware.iparcelbox.com .htaccess

We found this forum post where “.htaccess” is set up to prevent unintended access to the firmware download.

.htaccess post

The admin password found earlier didn’t authenticate, so we wanted to get the logs off the device to see if these were old credentials and if we could print the new credentials out to UART.

The internals of the iParcelBox (TX and RX highlighted in red)

The ESP32 RX and TX pins are mapped to the USB-C connection, but if you look at the circuit there is no FTDI (Future Technology Devices International) chip to do processing, so this is just raw serial. We decided to just solder to the vias (Vertical Interconnect Access) highlighted in red above, but still no data was transferred.

Then we started to search those overly helpful forum postings again, and quickly found the reason.

Disable UART

This at least verified that it wasn’t something that we set up incorrectly, but rather that logging was simply disabled over UART.

Method #1 – RPC

From our recon work we pretty much settled on the fact that we were not going to get into the iParcelBox easily from a physical standpoint and decided to switch to a network approach. We knew that during setup the iParcelBox creates a wireless AP and that we can connect to it. Armed with our knowledge from the forums we decided to revisit the web server on the iParcelBox. We began by sending some “MOS” (Mongoose-OS) control commands to see what stuck.

Setup instructions for Mongoose-OS can be found here. Instead of installing directly to the OS we did it in Docker for portability.

Docker file used to create mos

Referencing the forums provided several examples of how to use the mos command.

Docker mos commands

The first command returned a promising message that we just need to supply credentials. Remember when we found the boot log earlier? Yep, the admin credentials were posted online, and they actually work!

At this point we had full effective root access to the iParcelBox including access to all the files, JavaScript code, and even more importantly, the AWS certificate and private key.

With the files extracted from the device we noticed that the developers at iParcelBox implemented an Access Control List (ACL). For an IOT device this is uncommon but a good practice.

ACL showing users permissions

The credentials we found earlier in the disassembled Android APK with the username “app” were RPC credentials but with limited permissions to only run Sys.GetInfo, Wifi.Scan, Wifi.PortalSave and Sys.Reboot. Nothing too interesting can be done with those credentials, so for the rest of this method we will stick with the “admin” credentials.

Now that we have the credentials, certificates, and private keys we wanted to try to pivot to other devices. During setup we noticed that the MAC address was labeled “TopicID.”

Setup process linking MAC Address to the TopicID

As we determined earlier, the iParcelBox uses MQTT for brokering the communication between the device, cloud, and mobile application. We were interested to find out if there were any authentication barriers in place, or if all you need is the MAC address of the device to initiate commands remotely.

Since we essentially had root access, enabling logging was a logical next step so we could see what was happening on the device. From one of the Mongoose-OS forums posts we saw that you can enable UDP logging to a local device by changing the configuration on the iParcelBox.

How to enable UDP logging post

We provisioned the iParcelBox, then held the button down until we entered setup mode (where the AP was available), thus reenabling RPC calls. Then we set the “udp_log_addr” to our local machine.

Reenabling Logging on iParcelBox

Now we had logs and much more information. We wanted to test whether we could access the MQTT broker and modify other iParcelBoxes. In the logs we were able to confirm that the MQTT broker was hosted on AWS IoT and was using the certificate and keys we pulled earlier. We found some Python examples of connecting to the AWS MQTT broker (https://github.com/aws/aws-iot-device-sdk-python), but they assume the full topic path (e.g. topic_id/command/unlock) is already known.

UDP Log file

Parsing through the extracted logs from UDP, we were able to find the format for the “shadow/update” MQTT topic. However, when trying to subscribe to it with the Python script, it seemed to connect to the MQTT broker, but we couldn’t ever get any messages to send or receive. Our best guess is that it was limited to one subscribe per topic or that our code was broken.

We went searching for another way to control devices. This brought us back to the Mongoose-OS forum (seeing a pattern here?). We found this post explaining that the devices can run RPC commands over MQTT.

RPC over MQTT

This would be better for an attacker than only MQTT access, since this gives full access to the device including certificates, keys, user configuration files, WIFI passwords, and more. We could also use RPC to write custom code or custom firmware at this point.  We found the official Mongoose-OS support for this here (https://github.com/mongoose-os-libs/rpc-mqtt), to which they even included an example with AWS IOT.

After plugging that into the “mos” command we were able to run all administrative RPC commands on the device that we pulled the keys from, but also any other device that we knew the MAC address of.

Running RPC commands on multiple ATR lab devices

Looking at the two iParcelBoxes that were sent to us, the MAC addresses differ only slightly, which strongly suggests they are assigned sequentially.

  • 30AEA4C59D30
  • 30AEA4C59D6C

Given that the MAC addresses are sequential, in theory we could have written a simple script to iterate through the iParcelBox MAC address range, find any iParcelBox connected to the internet, and control or modify it any way we wanted. The more likely attack, however, would be a targeted one, where the attacker wants to steal a package or even the victim’s home Wi-Fi credentials. An attacker could do a simple wireless scan with a tool like “airodump-ng” to find the MAC address of the target iParcelBox. Knowing the target MAC address, they could then use the admin credentials to issue a “mos” command over MQTT and execute a “GPIO.Toggle” on the GPIO (General Purpose Input/Output) pin that controls the locking mechanism. A toggle inverts the pin state, so if the iParcelBox is locked, a GPIO toggle unlocks it. If the attacker had other motives, they could also request a config dump to obtain the credentials of the Wi-Fi network the iParcelBox is connected to.

Scanning for iParcelBoxes and Controlling them with RPC
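The cross-device control described above comes down to one question: does the certificate a single box holds let it publish to other boxes’ RPC topics? The following is an added example, not code from McAfee ATR, iParcelBox or Mongoose-OS. It builds the request frame an RPC-over-MQTT call would use and then evaluates two constructed AWS IoT policies against it: a wildcard policy that lets any device publish anywhere (the situation the post describes) and one scoped with the ${iot:Connection.Thing.ThingName} variable so a certificate can only reach its own topics (one standard way to get the property iParcelBox asked for). Assumptions: the topic layout “<device_id>/rpc” for requests and “<src>/rpc” for replies follows the rpc-mqtt library documentation, the thing name registered for each certificate equals the device’s MAC/TopicID, the region and account in the ARNs are placeholders, and the policy evaluator is a simplified model of AWS IoT policy matching, not the real one.

```python
import json
import re

# Placeholders; a real policy carries the account's own region and account id.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"


def rpc_frame(device_id, method, args, src, frame_id=1):
    """Topic and JSON frame for a Mongoose-OS RPC call carried over MQTT
    (assumed layout: request on '<device_id>/rpc', reply on '<src>/rpc')."""
    topic = f"{device_id}/rpc"
    payload = json.dumps({"id": frame_id, "src": src, "method": method, "args": args})
    return topic, payload


# Constructed policy matching the situation in the post: any holder of a device
# certificate may connect, publish and subscribe to every topic in the account.
WEAK_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
    "Resource": "*",
}]}

# Constructed scoped policy: the certificate must be attached to a thing whose
# name is the device id, and the variable expands to that name at connect time,
# so the device can only use its own client id and its own topic subtree.
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": f"{ARN_PREFIX}:client/{THING_VAR}"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": f"{ARN_PREFIX}:topic/{THING_VAR}/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": f"{ARN_PREFIX}:topicfilter/{THING_VAR}/*"},
]}


def _glob_match(pattern, value):
    """IoT policy actions and resources accept '*' and '?' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def policy_allows(policy, thing_name, action, resource):
    """Simplified evaluation: expand the thing-name variable, an explicit Deny
    wins, otherwise any matching Allow grants. Not a full IAM evaluator."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        resources = [r.replace(THING_VAR, thing_name) for r in resources]
        if not any(_glob_match(a, action) for a in actions):
            continue
        if not any(_glob_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_publish_rpc(policy, own_thing, target_device):
    """Could a device connected with its own certificate publish an RPC request
    into another device's topic? Sys.GetInfo is used as a harmless method."""
    topic, _ = rpc_frame(target_device, "Sys.GetInfo", {}, src=own_thing)
    return policy_allows(policy, own_thing, "iot:Publish", f"{ARN_PREFIX}:topic/{topic}")


if __name__ == "__main__":
    own, other = "30AEA4C59D30", "30AEA4C59D6C"  # the two lab box MACs from the post
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name:6} own box: {can_publish_rpc(pol, own, own)}  "
              f"other box: {can_publish_rpc(pol, own, other)}")
```

With the wildcard policy the first box can publish to 30AEA4C59D6C/rpc; with the scoped policy the same call is denied while its own topic stays usable, which is exactly the boundary the fix needs. The scoped form only works if every certificate is attached to a correctly named thing; an unattached certificate expands the variable to nothing and is denied everything.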

Method #2 – AWS Misconfiguration

While writing this blog we wanted to double-check that SSL pinning was done properly. After seeing this post during our recon, we assumed the app was pinning a certificate. We set up an Android device with a certificate unpinner using Frida. With the unpinner installed and working we were able to decrypt traffic between the application and the AWS servers, but it failed to decrypt the traffic between the application and the iParcelBox. Follow this technique if you’d like to learn how to unpin certificates on Android devices.

Next, we reran the iParcelBox application without the Frida SSL Unpinner, which returned the same AWS server transactions, meaning that pinning wasn’t enabled. We browsed through some of the captures and found some interesting requests.

Cognito Credential SSL Network Capture

The “credentials” in the capture immediately piqued our interest. They are returned by a service called “Cognito”, which is an AWS service allowing apps and users to access resources within the AWS ecosystem for short periods of time and with limited access to private resources.

AWS Cognito example (Photo Credit: Amazon.com)

When an application wants to access an AWS service, it can ask for temporary credentials for the specific task. If the permissions are configured correctly, the credentials issued by Cognito allow the application or user to complete that one task and nothing else. It is the role attached to the identity, not the fact that the credentials are temporary, that limits the damage if they leak.

To use these credentials we needed the AWS CLI. Thankfully, Amazon provides a Docker image for the AWS CLI, which made things much easier. We saved the credentials returned by the Cognito service in the “~/.aws” credentials folder and then checked which role they had been issued under (aws sts get-caller-identity reports this).

AWS-CLI docker command

The credentials captured from the Android application were given the “AppAuth_Role”. To find out what the “AppAuth_Role” had access to we then ran a cloud service enumeration using the credentials; the scripts can be found here (https://github.com/NotSoSecure/cloud-service-enum) and are provided by the NotSoSecure team. The AWS script didn’t find any significant security holes and showed that the credentials were properly secured. However, looking at the next few network captures we noticed that these credentials were being used to access the DynamoDB database.

Checking if the user is subscribed to the Premium service

Getting the owner’s devices

After reading through some of the DynamoDB documentation we were able to craft database queries.

DynamoDB Query

Because the table’s primary key is the “DeviceID”, which we know is just the MAC address of the iParcelBox, and the role’s permissions are not scoped to the caller’s own devices, we can modify this query and read any other device’s database entries. While we didn’t test this for ethical reasons, we suspect that we could have used this information to gain access to the MQTT services. We also did not attempt to write to the database since this was a live production database and we didn’t want to corrupt any data.

We investigated the Android application attempting to trigger some more database interactions to see what other queries were being sent, but were limited to the following:

  • Accounts – Shows premium subscription info
  • Owners – Shows devices and guests of each iParcelBox
  • Users – Used to save owners of each iParcelBox (only during setup)

With our self-imposed database write restrictions, none of these tables really helped us anyway. That is when we began looking at the disassembled code of the Android app for more clues. Since we now knew the table names, we searched for “ClientID”, which turned up the Java file “DBConstants.class.”

Constants file from APK

This constants file gave us information that there are more database tables and fields, even though we never saw them in the network traffic. The “TABLE_DEVICES_PASSWORD” caught our eyes from the “iParcelBox_devices” table.

We tested the “AppAuth_Role” credentials on this table as well, which was accepted.

Requesting information from the iParcelBox_devices table

We were able to get the device password and serial number all from the MAC address. Recall the “iParcelBox Setup Information” image at the beginning of the blog and how it mentions that you should keep this information safe. The reason that this information should be kept safe is that you can become the owner of the iParcelBox if you know the MAC address, serial number, and password even without the QR code thanks to the “Add Manually” button.

“Add manually” option during setup

With this information an attacker could register for a new iParcelBox account, login to the application, capture the Cognito credentials, begin the “setup” process, click “Add Manually” and then enter all the required information returned from the database to gain full control over any iParcelBox. This could all take place from simply knowing the MAC address since the “AppAuth_Role” can read any database entry.

Required Information to set up the iParcelBox

Lessons Learned

This project took a turn from a classic hardware/IOT device research project to an OSINT research topic very early on. It really goes to show that even simple mistakes with online data hygiene could expose key details to attackers allowing them to narrow down attack vectors or expose sensitive information like credentials.

Since this was a sponsored project from iParcelBox, we reported this to the company immediately. They promptly changed the admin password for every iParcelBox and asked the developers at Mongoose-OS to implement a change so that one device’s AWS certificate and private key cannot control any other device. This was patched within 12 hours of our vendor disclosure, which is among the fastest patch turnarounds we have ever seen. We have tested the patch and can no longer control other devices or use the old admin password to access the devices from within setup mode.

iParcelBox also fixed the Android application not pinning certificates properly and removed all direct calls to the DynamoDB. We were still able to decrypt some traffic using the Frida SSL unpinner, but the application would freeze, which we believe is due to the MQTT broker not accepting a custom certificate. The DynamoDB queries are now wrapped in API calls which also check against the customer ID. This prevents someone from using their extracted Cognito credentials to obtain information from any device other than their own. Wrapping the database queries within API calls is an effective security fix as well, as the data can be parsed, verified, and sanitized all before committing to the database.
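The DynamoDB finding and its fix are a textbook insecure direct object reference: the query was keyed on a guessable DeviceID and nothing tied the caller to the row. The following is an added example, not iParcelBox’s code or McAfee ATR’s, showing the difference between the direct GetItem the AppAuth_Role permitted and an API wrapper that checks ownership against the caller’s verified identity before querying, plus a server-side version of the “Add Manually” claim that verifies serial and password in constant time. The tables, serials, passwords and identity ids are constructed stand-ins for the iParcelBox_devices and Owners tables named above, not real data, and the wrapper’s behaviour is an illustration of the approach described, not the vendor’s implementation.

```python
import hmac


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested device."""


# Constructed stand-ins for the tables named in the post (values are made up).
DEVICES = {  # iParcelBox_devices, partition key DeviceID (the MAC address)
    "30AEA4C59D30": {"serial": "SN-000001", "password": "box-secret-1"},
    "30AEA4C59D6C": {"serial": "SN-000002", "password": "box-secret-2"},
}
OWNERS = {  # Owners: verified identity id -> set of DeviceIDs it owns
    "cognito-sub-alice": {"30AEA4C59D30"},
    "cognito-sub-bob": {"30AEA4C59D6C"},
}


def direct_get_item(device_id):
    """What the over-broad AppAuth_Role permitted: a GetItem keyed only on
    DeviceID, so any caller who can guess a MAC reads that row, password included."""
    return DEVICES.get(device_id)


def api_get_device(caller_identity, device_id):
    """Server-side wrapper: caller_identity comes from the verified Cognito
    token, and the lookup only proceeds if that identity owns the device."""
    if device_id not in OWNERS.get(caller_identity, set()):
        raise Forbidden(f"{caller_identity} does not own {device_id}")
    item = DEVICES[device_id]
    # The device password is only needed to claim a box; never echo it to the app.
    return {"DeviceID": device_id, "serial": item["serial"]}


def api_claim_device(caller_identity, device_id, serial, password):
    """'Add Manually' done server-side: ownership is granted only if the caller
    presents the serial and password printed on the box. Both comparisons run
    in constant time and a failure reveals nothing about the stored values."""
    item = DEVICES.get(device_id)
    if item is None:
        raise Forbidden("unknown device or bad credentials")
    serial_ok = hmac.compare_digest(item["serial"].encode(), serial.encode())
    password_ok = hmac.compare_digest(item["password"].encode(), password.encode())
    if not (serial_ok and password_ok):
        raise Forbidden("unknown device or bad credentials")
    OWNERS.setdefault(caller_identity, set()).add(device_id)
    return api_get_device(caller_identity, device_id)


if __name__ == "__main__":
    print("direct read of someone else's box:", direct_get_item("30AEA4C59D6C"))
    print("alice via API, own box:", api_get_device("cognito-sub-alice", "30AEA4C59D30"))
    try:
        api_get_device("cognito-sub-alice", "30AEA4C59D6C")
    except Forbidden as exc:
        print("alice via API, bob's box:", exc)
```

The point is where the authorization decision lives: with the direct query it is the IAM role, which cannot express “only rows this customer owns” for a table keyed on DeviceID, whereas the wrapper derives the caller from a token the app cannot forge and checks the relationship before any data leaves the database.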

We want to give props to the team at iParcelBox for their focus on security throughout the development of this product. It is easy to see from the device and the forum posts that the developers have tried to make this device secure from the start and have largely succeeded. All non-essential features like UART and Bluetooth are turned off by default, and the focus on data protection is evident from the use of SSL and the encryption of the flash memory. There are not many attack surfaces an attacker could leverage from the device itself, and it is refreshing to see IoT devices heading in this direction.

The post My Adventures Hacking the iParcelBox appeared first on McAfee Blogs.

What’s in the Box? Part II: Hacking the iParcelBox

Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of consumer buying habits.

In 2019, McAfee Advanced Threat Research (ATR) conducted a vulnerability research project on a secure home package delivery product, known as BoxLock. The corresponding blog can be found here and highlights a vulnerability we found in the Bluetooth Low Energy (BLE) configuration used by the device. Ultimately, the flaw allowed us to unlock any BoxLock in Bluetooth range with a standard app from the Apple or Google store.

Shortly after we released this blog, a similar product company based in the UK reached out to the primary researcher (Sam Quinn) here at McAfee ATR, requesting that the team perform research analysis on his product, called the iParcelBox. This device is comprised of a secure steel container with a push-button on the outside, allowing for package couriers to request access to the delivery container with a simple button press, notifying the homeowner via the app and allowing remote open/close functions.

iParcelBox – Secure Package Delivery & iParcelBox App

The researcher was able to take a unique spin on this project by performing OSINT (Open Source Intelligence), which is the practice of using publicly available information, often unintentionally publicized, to compromise a device, system or user. In this case, the primary developer for the product wasn’t practicing secure data hygiene for his online posts, which allowed the researcher to discover information that dramatically shortened what would have been a much more complicated project. He discovered administrative credentials and corresponding internal design and configurations, effectively providing the team access to any and all iParcelBox devices worldwide, including the ability to unlock any device at a whim. All test cases were executed on lab devices owned by the team or approved by iParcelBox. Further details of the entire research process can be found in the full technical version of the research blog here.

The actual internals of the system were well-designed from a security perspective, utilizing concepts like SSL for encryption, disabling hardware debugging, and performing proper authentication checks. Unfortunately, this level of design and security were all undermined by the simple fact that credentials were not properly protected online. Armed with these credentials the researcher was able to extract sensitive certificates, keys, device passwords, and WIFI passwords off any iParcelBox.

Secondly, as the researcher prepared the writeup on the OSINT techniques used for this, he made a further discovery. When analyzing the configuration used by the Android app to interact with the cloud-based IOT framework (AWS-IOT), he found that even without an administrative password, he could leak plaintext temporary credentials to query the AWS database. These credentials had a permission misconfiguration which allowed the researcher to query all the information about any iParcelBox device and to become the primary owner.

In both cases, to target a device, an attacker would need to know the MAC address of the victim’s iParcelBox; however, the iParcelBox MAC addresses appeared to be generated non-randomly and were simple to guess.

A typical research effort for McAfee ATR involves complex hardware analysis, reverse engineering, exploit development and much more. While the developer made some high-level mistakes regarding configuration and data hygiene, we want to take a moment to recognize the level of effort put into both physical and digital security. iParcelBox implemented numerous security concepts that are uncommon for IOT devices and significantly raise the bar for attackers. It’s much easier to fix issues like leaked passwords or basic configuration issues than to rebuild hardware or reprogram software to bolt on security after the fact. This may be why the company was able to fix both issues almost immediately after we informed them in March of 2020. We’re thrilled to see more and more companies of all sizes embracing the security research community and collaborating quickly to improve their products, even from the beginning of the development cycle.

What can be done?

For consumers:

Even developers are subject to the same issues we all have; choosing secure and complex passwords, protecting important credentials, practicing security hygiene, and choosing secure configurations when implementing controls for a device. As always, we encourage you to evaluate the vendor’s approach to security. Do they embrace and encourage vulnerability research on their products? How quick are they to implement fixes and are they done correctly? Nearly every product on the market will have security flaws if you look hard enough, but the way they are handled is arguably more important than the flaws themselves.

For developers and vendors:

This case study should provide a valuable testament to the power of community. Don’t be afraid to engage security researchers and embrace the discovery of vulnerabilities. The more critical the finding, the better! Work with researchers or research companies that practice responsible disclosure, such as McAfee ATR. Additionally, it can be easy to overlook the simple things such as the unintentional leak of critical data found during this project. A security checklist should include both complex and simple steps to ensure the product maintains proper security controls and essential data is protected and periodically audited.

The post What’s in the Box? Part II: Hacking the iParcelBox appeared first on McAfee Blogs.

NICE Webinar: The Challenge of That First Job in Cybersecurity – Entry Level Roles and How to Qualify

The PowerPoint slides used during the webinar can be downloaded here.

Speakers:
  • Casey O'Brien, Executive Director and Principal Investigator, National CyberWatch Center
  • Susan Chiang, Head of Security Program Management and Business Operations, Cloudflare
  • Jennifer Bate, Associate Consulting Engineer, CDW

Synopsis: Despite the incredible shortage of talent in cybersecurity, it can be enormously challenging for career entrants to find their first role. What can candidates do to prepare where their lack of experience holds them back? What roles are considered entry-level from the employer perspective?

Internet Privacy: Tips & Tricks for Staying Secure Online

Working from home

How much value do you place on your personal privacy? You would never leave your wallet on a public park bench and expect it to be safe and untouched. It is possible that no one would take your valuable belongings, but you’d never intentionally take the risk – so why would you risk your personal data online?

The Power of Privacy

No matter who you are, you need to protect what’s yours. The fact is that your online data can’t be replaced the same way that your tangible possessions can be, and privacy has an intrinsic value that can be easily compromised on the web.

So how can you keep yourself and your sensitive information safe online? To learn more about safety while browsing the web, read on.

What is a Virtual Private Network?

A VPN, or virtual private network, routes your internet traffic through an encrypted tunnel to the VPN provider’s server. This hides your web activity from anyone on the local network or at your ISP, and it hides your real IP address and approximate location from the sites you visit, which is particularly valuable on public Wi-Fi hotspots. The VPN provider itself can still see your traffic, so choose one you trust.

What Can A VPN Do For You?

In this fast-paced, high-tech world, a VPN is a valuable asset. While your internet service provider (ISP) can’t read the contents of encrypted (HTTPS) connections, it can still see which hosts you connect to. For example, it can trace the connections from your computer to sensitive web addresses like your bank or brokerage firm. An unscrupulous ISP, or anyone else on the path, could collect that metadata and use it for their own benefit.

If you’re not using public internet services or doing your computing from home, you might be wondering if you need a VPN at all. Not necessarily, but at McAfee, we believe it always pays to take precautions.

Are Your Passwords Protecting You?

We often feel secure relying on passwords to protect our privacy. The unfortunate truth is that a password alone may not be enough to deter a hacker. If you notice unusual behavior on your computer, it could mean that a hacker already knows your password.

We need passwords to get almost anywhere on the internet, but the familiarity of this practice may result in complacency. After a while, a password may seem unimportant or even burdensome. Instead of trying to remember countless complicated passwords, you might feel overly comfortable in resorting to simpler passwords that are easily breakable with even the smallest effort.

How To Strengthen Your Passwords

A secure password should have at least 14 characters and mix upper and lower case letters, numbers, and symbols.

If your password consists of readily available public knowledge like your birthdate, street address, or your dog’s name, chances are it’s not very strong. Likewise, predictable sequences of numbers or letters, like 123456789 or abcdefg, are risky.
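A password policy is only useful if it is actually enforced, and the rules above are easy to check automatically. The following is an added example, not part of the original post or any McAfee product: a small checker that applies the length and character-class rules, detects ascending, descending or repeated runs like 123456789 and abcdefg, and rejects passwords containing personal details the caller supplies (pet name, birth year and so on). The sample passwords and personal-info strings are constructed for the example.

```python
import re

MIN_LENGTH = 14
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def has_predictable_run(password, min_run=4):
    """True if the password contains min_run or more consecutive characters that
    ascend ('1234', 'abcd'), descend ('9876') or repeat ('aaaa') in code-point order."""
    s = password.lower()
    for step in (1, -1, 0):
        run = 1
        for prev, cur in zip(s, s[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= min_run:
                return True
    return False


def check_password(password, personal_info=()):
    """Return a list of problems; an empty list means the password passes.
    personal_info holds strings that should never appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, rx in CHARACTER_CLASSES.items() if not re.search(rx, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if has_predictable_run(password):
        problems.append("contains a predictable sequence or repeated run")
    lowered = password.lower()
    for item in personal_info:
        # Very short items ('a', 'jo') would match almost anything; skip them.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    # Constructed samples: a pure sequence, one built from personal details, one good.
    for pw in ("123456789", "Rex1985Birthday!!", "Correct-Horse-Battery-7"):
        print(repr(pw), "->", check_password(pw, personal_info=["Rex", "1985"]) or "OK")
```

Length and character mix are the cheap checks; the sequence and personal-information checks are what catch the passwords that look complex on paper but are the first thing a guessing attack tries. A real deployment would add a check against lists of previously breached passwords.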

Should You Protect Yourself From Viruses?

You wouldn’t cross the street without looking both ways. Installing antivirus software is the virtual equivalent of double-checking on a busy street. Protect your computer’s health and safety with antivirus software that prevents attacks from malicious programs that can infect your computer and the computers of others.

The Antivirus Safety Net

Every time you access the internet, you risk infection from a vast array of malware, including trojan horses, worms, and spyware, to name just a few. Luckily, antivirus software can detect these intruders, and its removal tools help eliminate malicious programs from your computer. Most security suites also include a firewall, which blocks unsolicited inbound connections before they reach vulnerable services.

A firewall and a VPN each prevent a different kind of unauthorized access: the firewall filters connections to your computer, while the VPN encrypts the traffic you send. McAfee offers both antivirus software that removes malware, spyware, and adware through scheduled and real-time scans, and a VPN, Safe Connect, that encrypts your connection.

Should You Update Your Software?

You’re likely already familiar with many of the best privacy practices. These include using secure passwords, rejecting unknown emails, ignoring suspicious-looking links, and never distributing your personal information. When you pair these practices with free updates to your security software, you’re in an excellent position to preserve your privacy on the web.

Software updates can rectify security issues, replace outdated features, enhance compatibility with your apps, and even increase running speed. These patches can protect your computer from viruses, and prevent spread to other systems.

How To Update

Ready to update? Click ‘yes’ when the software’s own updater, or your operating system’s update mechanism, tells you a new version is available. Be wary of “update now” popups that appear while browsing; fake update prompts are a common way to deliver malware, so get updates only from the application itself or the vendor’s site.

Most manufacturers offer free updates, while others require a technical support contract. Each software manufacturers’ website should provide specific details to help you download their security updates.

What are Cookies? Should I remove them?

Whether to remove cookies is really up to preference. Cookies let a website you’ve visited remember your information, like your login session, so you get a more convenient experience. Tracking cookies, however, do pose a privacy risk: a cookie set by a third-party advertiser is sent back to that advertiser every time you visit any site that embeds it, letting it follow you across the web.

Many cookies are relatively harmless and do nothing more than keep you logged in or remember your preferences. Others, however, carry a unique identifier that a tracking host can link to your name and address, allowing advertisers to target you with bullseye-like precision.

Every browser has an option that lets you delete cookies. For example, in Internet Explorer click the gear icon in the upper right-hand corner of the browser window, select “Internet Options” from the menu, and on the General tab tick “Delete browsing history on exit”; most other browsers offer the same setting under their privacy options.

Connecting Securely Online

Yes, it is possible. Plain Hypertext Transfer Protocol (HTTP) lets you view web pages but provides no security: the lack of encryption lets third parties easily intercept data you may prefer to keep private, or alter the page before it reaches you. With Hypertext Transfer Protocol Secure (HTTPS), the connection is encrypted and the site’s identity is verified by its certificate, although the name of the site you are visiting remains visible to the network. Not all websites support HTTPS, but it provides far more privacy on the sites that do.

Steps To Protect

So how can you use this information to keep your sensitive data from becoming vulnerable? Here are the main takeaways:
• Get a VPN. Use VPN software to encrypt your traffic on home and travel networks, especially on public Wi-Fi.
• Use a password manager. This is a great tool for creating and storing hard-to-break passwords. You can find free password managers online, coupled with antivirus software.
• Install antivirus and firewall software with a low false-positive rate.
• Accept free security updates from your software manufacturer.
• Remove cookies from your browser.
• Use HTTPS for encrypted security on sites that support it.

With a little security know-how and the right tools for the job, you’ll be well-equipped to protect even your most sensitive and valuable data. Don’t live in fear of hackers and malware. Let your software manufacturer be your safety net, and browse with peace of mind!

The post Internet Privacy: Tips & Tricks for Staying Secure Online appeared first on McAfee Blogs.

Beware When You Search for These TV Shows and Movies

If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time.

But having multiple streaming subscriptions can quickly add up. Consequently, users who are hesitant to pay more for online streaming subscriptions

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of popular movies and TV shows. Some of these movies and shows are riskier than others, however, as McAfee WebAdvisor data has revealed* that certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure.

Top 10 Australian TV and Movie Titles With Risky Results

Rank  TV Titles                 Movie Titles
1.    Unorthodox                Ace Ventura
2.    You                       Green Book
3.    Family Guy                John Wick
4.    Big Mouth                 The Machinist
5.    Homeland                  Annihilation
6.    The Vampire Diaries       Ex Machina
7.    Dynasty                   A Star Is Born
8.    Lost                      Fyre
9.    Brooklyn Nine-Nine        Lady Macbeth
10.   Stranger Things           Bird Box

 Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there’s still a way users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe:

 Watch what you click

Users looking to catch up on Season 2 of “You” or watch “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from a credible website, instead of downloading a “free” version from a website that could contain malware.

 Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.

Use a comprehensive security solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

*Methodology: McAfee pulled the most popular TV and movie titles available on Australian streaming sites according to “best of” articles by a range of Australian publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.

The post Beware When You Search for These TV Shows and Movies appeared first on McAfee Blogs.

SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE

Introduction

In our previous blog post, we demonstrated how the SMBGhost bug (CVE-2020-0796) can be exploited for local privilege escalation. A brief reminder: CVE-2020-0796, also known as “SMBGhost”, is a bug in the compression mechanism of SMBv3.1.1. The bug affects Windows 10 versions 1903 and 1909, and it was announced and patched by Microsoft about 3 months ago. In the previous blog post we mentioned that although the Microsoft Security Advisory describes the bug as a Remote Code Execution (RCE) vulnerability, there is no public POC that demonstrates RCE through this bug. This was true until chompie1337 released the first public RCE POC, based on the writeup of Ricerca Security. Our POC uses a different method, and doesn’t involve physical memory access. Instead, we use the SMBleed (CVE-2020-1206) bug to help with the exploitation.

Aiming for RCE

Our previous research led to the local privilege escalation attack shown in our previous writeup. SMBGhost can also be used for an RCE attack, and in this series of blog posts we aim to demonstrate how we achieved it. As we showed in the previous writeup, we were able to implement a remote write-what-where primitive. However, for RCE we need to know where to write the arbitrary data. Since most of the memory layout in modern Windows versions is randomized, the ability to write arbitrary data to any location is still very limiting on its own. While searching for another capability to assist with the attack, we discovered a new bug in Microsoft’s SMB implementation. For technical details and a POC, check out our recent publication. We named it SMBleed since it allows an attacker to leak parts of memory remotely, similar to Heartbleed, just via SMB. While the concept is similar, and an authenticated user can read large blocks of uninitialized data, the attack surface without authentication is more limited. Since we aimed for unauthenticated RCE, the first thing we looked for was a way to read memory without authenticating.

Diving into SMB

Note: The following sections describe in detail a technique we were able to use for exploitation, but dumped in favor of a different approach which worked better in our case. Still, it’s an approach that we felt is worth sharing. If you prefer to stick to what ended up in our final POC, you can just read Observation #1 and Observation #2, and then skip to the A different approach – decompression section.

The SMBleed bug allows an attacker to send a message such that its beginning is controlled by the attacker, while the rest of the message contains uninitialized data which is treated as a part of the message. For an authenticated user, there’s an easy way to exploit this using the SMB2 WRITE message to write uninitialized data to a file, and then read it with the SMB2 READ command. We started by looking for a similar technique for an unauthenticated user – a way to send a message such that a part of it can be retrieved later.

After skimming over the protocol specification and debugging a couple of sessions, we saw that a regular flow begins with the following commands that are sent by the client:

SMB2 NEGOTIATE → SMB2 SESSION_SETUP → SMB2 SESSION_SETUP

If incorrect credentials are used, the session is aborted after the second SMB2 SESSION_SETUP request.

We assume that we don’t have valid credentials, so we checked whether other commands can be sent without authentication. We found the following after some experimentation:

  • The first command to be sent must be SMB2 NEGOTIATE. It also must be the only SMB2 NEGOTIATE command during the session.
  • The subsequent commands, until authentication completes successfully, must be SMB2 SESSION_SETUP. The exception is when anonymous access to named pipes or shares is not restricted; by default it is restricted.

Since the SMB2 NEGOTIATE message is not compressed (the compression algorithm, if any, is decided during the negotiation), all that’s left is SMB2 SESSION_SETUP. So we took a closer look at the format of the SMB2 SESSION_SETUP message, hoping to find a way to get some of the data that is being sent back.

A closer look at SMB2 SESSION_SETUP

As we’ve already mentioned, a regular session that we observed sends two SMB2 SESSION_SETUP commands. At first, we checked whether one of the replies to these messages sends back some of the data. If that was the case, we could try to craft a message such that the data is left uninitialized. Unfortunately, we didn’t find such data. We couldn’t find a way to affect the first response, and the second response had an empty body and the 0xC000006D (STATUS_LOGON_FAILURE) status in the packet header (remember, we assume we don’t have valid credentials). The first SMB2 SESSION_SETUP request contains an NTLM Negotiate message, and the second SMB2 SESSION_SETUP request contains an NTLM Authenticate message. The former is rather simple, and we weren’t able to use it for something interesting, so we focused on the latter.

The NTLM Authenticate message

After studying the NTLM Authenticate message we came to the conclusion that the message’s most complex part, and the best fit for misuse, is the NTLMv2 Response structure. It’s a variable-length byte array, mostly consisting of the NTLMv2_CLIENT_CHALLENGE structure. We noticed that if the structure doesn’t pass some of the initial checks, the 0xC000000D (STATUS_INVALID_PARAMETER) status is returned instead of 0xC000006D (STATUS_LOGON_FAILURE). Some of these checks verify the AvPairs field.

The AvPairs field is a variable-length byte array that contains a sequence of AV_PAIR structures. Each AV_PAIR structure defines an attribute/value pair. The attribute is defined by the AvId field, the AvLen field defines the value’s length in bytes, and the Value field is a variable-length byte-array that contains the value itself. An item with the attribute MsvAvEOL and a zero length marks the end of the array.

AvPairs inside the SMB2 packet.

The authentication message is handled by the SsprHandleAuthenticateMessage function in the msv1_0.dll module. Among the initial checks, the function makes sure that the AvPairs array contains the following attributes: 0x0001 (MsvAvNbComputerName) and 0x0002 (MsvAvNbDomainName). The values themselves are not checked. The check is done by traversing the array and checking whether the requested attribute exists, and whether its length fits within the struct. If the length is too large, the traversal is stopped. So practically, the MsvAvEOL item is not required for the NTLM Authenticate message to be valid.
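As an added illustration (not ZecOps’ code and not the msv1_0.dll implementation), here is a small Python model of the AvPairs walk just described: each AV_PAIR is AvId/AvLen/Value, the walk stops at MsvAvEOL or as soon as a pair’s AvLen runs past the buffer, and the presence check only needs both attributes to be reached. The computer and domain sample values are constructed.

```python
import struct

# AvId values from the NTLM AV_PAIR definition; the check described above
# requires MsvAvNbComputerName and MsvAvNbDomainName to be present.
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002


def av_pair(av_id, value):
    """Encode one AV_PAIR: AvId (uint16 LE), AvLen (uint16 LE), then Value."""
    return struct.pack("<HH", av_id, len(value)) + value


def parse_av_pairs(buf):
    """Walk an AvPairs byte array and return a list of (AvId, Value) tuples.

    The walk stops at MsvAvEOL, at the end of the buffer, or as soon as a
    pair's AvLen would run past the end of the buffer (that pair is dropped).
    MsvAvEOL is therefore optional for the walk to finish cleanly.
    """
    pairs = []
    pos = 0
    while pos + 4 <= len(buf):
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        if av_id == MSV_AV_EOL:
            break
        if pos + 4 + av_len > len(buf):
            break  # length too large for the buffer: discard the pair and stop
        pairs.append((av_id, buf[pos + 4:pos + 4 + av_len]))
        pos += 4 + av_len
    return pairs


def has_required_av_pairs(buf):
    """Model of the presence check: both attributes must be reached by the walk.

    Values are not inspected. This is a constructed model of the behaviour
    described in the post, not the code in msv1_0.dll.
    """
    found = {av_id for av_id, _ in parse_av_pairs(buf)}
    return MSV_AV_NB_COMPUTER_NAME in found and MSV_AV_NB_DOMAIN_NAME in found


# Constructed sample values (NTLM strings are UTF-16LE).
COMPUTER = "WORKSTATION".encode("utf-16-le")
DOMAIN = "EXAMPLE".encode("utf-16-le")

# Well-formed array with the MsvAvEOL terminator.
AV_GOOD = (av_pair(MSV_AV_NB_COMPUTER_NAME, COMPUTER)
           + av_pair(MSV_AV_NB_DOMAIN_NAME, DOMAIN)
           + av_pair(MSV_AV_EOL, b""))

# The same two pairs without a terminator: still passes the check.
AV_NO_EOL = (av_pair(MSV_AV_NB_COMPUTER_NAME, COMPUTER)
             + av_pair(MSV_AV_NB_DOMAIN_NAME, DOMAIN))

# The second pair claims 0x7000 bytes but only len(DOMAIN) follow: the walk
# stops, the domain pair is discarded and the check fails.
AV_OVERLONG = (av_pair(MSV_AV_NB_COMPUTER_NAME, COMPUTER)
               + struct.pack("<HH", MSV_AV_NB_DOMAIN_NAME, 0x7000) + DOMAIN)

if __name__ == "__main__":
    for name, blob in (("good", AV_GOOD), ("no_eol", AV_NO_EOL), ("overlong", AV_OVERLONG)):
        ids = [hex(av_id) for av_id, _ in parse_av_pairs(blob)]
        print(name, ids, has_required_av_pairs(blob))
```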

At this point we figured that we can craft a request that can provide an answer to the following question: Given two bytes at offset x, interpreted as uint16, is the value larger than y? x and y are controlled by us. Consider the following packet:

The content of value 0x0001 (MsvAvNbComputerName) doesn’t matter, so we can use it to adjust the offset of the second value. For the second value, we only set the attribute as 0x0002 (MsvAvNbDomainName), leaving the length and the value uninitialized. We also set the size of the whole packet so that there are y bytes that follow the length field. There are two possible outcomes depending on the uninitialized value of the length field of the second value:

  • length <= y: In this case the check passes, since a valid 0x0002 (MsvAvNbDomainName) value is found. The server returns 0xC000006D (STATUS_LOGON_FAILURE) since the credentials are incorrect.
  • length > y: In this case the check fails, since the second value has an invalid length and is discarded. The server returns 0xC000000D (STATUS_INVALID_PARAMETER) for this case.

According to the server response we can deduce the answer to our question.

So, now we can get this small piece of information, right? Not so fast. Unfortunately, the NTLM Authenticate message is limited to 0xB48 bytes, and is discarded if it’s larger than that. The check is done by the SspContextGetMessage function in the msv1_0.dll module. Can we solve this problem by leaving only one of the two length bytes uninitialized? Unfortunately not, since the uint16 value is encoded as little endian, and to the best of our knowledge at this point, we can only leave the second, most significant byte uninitialized, which doesn’t help much. Unable to achieve anything better within a single SMB session, we looked at what else could be done.

Observation #1: Lookaside lists

As we already mentioned in our previous research, the modules that handle SMB in the kernel (srv2.sys and srvnet.sys) use a custom allocation function, SrvNetAllocateBuffer, exported by srvnet.sys. This function uses lookaside lists for small allocations as an optimization. Lookaside lists are used for effectively reserving a set of reusable, fixed-size buffers for the driver.

The lookaside lists are created upon initialization, a list for each size and logical processor, as depicted in the following table:

                    Allocation size →
Logical processor   0x1100  0x2100  0x4100  0x8100  0x10100  0x20100  0x40100  0x80100  0x100100
Processor 1         📝      📝      📝      📝      📝       📝       📝       📝       📝
Processor 2         📝      📝      📝      📝      📝       📝       📝       📝       📝
...
Processor n         📝      📝      📝      📝      📝       📝       📝       📝       📝

Each cell with the “📝” symbol is a separate lookaside list. To simplify our analysis, we’ll assume our target has only one logical processor (we’ll cover targets with more than one logical processor in the third part of the writeup). In this case, as long as the same amount of bytes is allocated, the same lookaside list is used, and the same allocated buffer is reused again and again. We can use this implementation detail to have some control over the uninitialized data, as we’ll see soon.

Observation #2: Failing the decompression

Let’s revisit what happens when a compressed packet is decompressed (refer to our previous research for more details and pseudocode):

In case CompressedData is invalid, the decompression stage fails, the copy stage is not executed, and the connection is dropped. But the decompression might fail only after extracting a part of CompressedData which is valid. This allows us to craft a request such that data of our choice will be written at an offset of our choice, like this:

Back to the NTLM Authenticate message

We can use the above observations to make our technique work by using two steps:

  1. Send a message with invalid compressed data such that only a single zero byte is extracted. That byte will be the most significant byte of the length of the second value in the AvPairs array.
  2. Send a message just as before, but make sure that the same lookaside list is used for the allocation, so that the zero byte will be there.

This time, this technique can answer the following question: Given a byte at offset x, is the value larger than y? As before, x and y are controlled by us.

Since we can re-use the buffer again and again by making sure the same lookaside list is used, we can repeat the steps several times while changing y, and finally deduce the byte value at a given offset.

Unfortunately, this technique has a limitation – the offset of the byte we can read is limited to 0xADB bytes from the beginning of the packet buffer. That’s because the offset of the NTLM Authenticate message (AUTHENTICATE_MESSAGE) is limited to 0x40 bytes after the end of the SMB2 SESSION_SETUP headers (enforced by the Smb2ValidateSessionSetup function in srv2.sys), and the size of the NTLM Authenticate message (AUTHENTICATE_MESSAGE) is limited to 0xB48 bytes, as we already mentioned.

Overcoming the offset limitation

Let’s say that we want to read a byte at offset 0x1100 (we’ll see why we want to go that far in the third part of the writeup). We can’t do it directly with our technique, but we found the following solution: since the buffers get reused from the lookaside lists, we can “lift up” the target byte via the decompression function by setting the Offset field to point beyond that byte. We just need to make sure that the data that is located there can be interpreted as valid compressed data, otherwise the copying won’t happen.

The incoming packet buffer contains extra 16 header bytes which aren’t copied over when the decompression takes place. As a result, the copied data, including the target byte, is copied to a location 16 bytes closer to the beginning of the allocated buffer. We can repeat that several times, until the target byte offset is low enough.

Address leak POC

You can find a script that demonstrates the above technique here. Remember that we assumed that the target computer has only one logical processor, so you’ll have to configure your VM properly to get the script working. If all goes well, the script will read and print an address from the NonPagedPoolNx pool. In fact, that would be the address of one of the buffers residing in one of the lookaside lists.

A different approach – decompression

While advancing with our research, we realized that the decompressed SMB packet is not the only complex structure that can be invalid in various ways. Even before handling all of the SMB-related structures, the compressed buffer can be invalid as well. If the decompression fails, the connection is dropped, which can be detected.

Microsoft’s SMB implementation offers three compression algorithms to choose from: LZNT1, Plain LZ77 and LZ77+Huffman. We looked at LZNT1 since it’s the first in the list, and it’s rather simple – about 80 Python lines for a decompression function. Without diving too much into details, the compressed data consists of a sequence of compressed blocks, each beginning with a uint16 variable marking its length. When a length of zero is encountered, the decompression completes (similar to a NULL-terminated string, but it’s optional). Also, conveniently, a range of zero bytes represents valid compressed data. With the above, we managed to answer the same question as we did with the previous approach: Given a byte at offset x, is the value larger than y? Here, too, x and y are controlled by us.
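An added example, not code from the post: a strict LZNT1 decompressor in Python for the format just described (each chunk is headed by a uint16 whose low 12 bits hold the chunk size minus one and whose bit 15 marks a compressed chunk; a zero header ends the stream), with hand-constructed test vectors including an all-zero stream and a chunk of 0xFF bytes that references data before the start of the output and therefore fails.

```python
import struct


class Lznt1Error(ValueError):
    """Raised when the compressed stream is malformed."""


def _decompress_chunk(chunk):
    """Decode one compressed chunk.

    A chunk is a sequence of groups: one flag byte followed by up to eight
    tokens. Flag bit i clear means token i is a literal byte; set means it is a
    2-byte little-endian back-reference (displacement, length) into the output
    produced so far for this chunk.
    """
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            if pos + 2 > len(chunk):
                raise Lznt1Error("truncated back-reference token")
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The displacement/length split moves as the output grows: four
            # displacement bits for the first 16 output bytes, one more bit
            # each time the output position doubles.
            p = len(out) - 1
            len_mask, disp_shift = 0xFFF, 12
            while p >= 0x10:
                len_mask >>= 1
                disp_shift -= 1
                p >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out):
                raise Lznt1Error("back-reference points before the start of the output")
            start = len(out) - disp
            for i in range(length):  # byte-wise copy so overlapping runs repeat
                out.append(out[start + i])
    return bytes(out)


def lznt1_decompress(buf):
    """Decompress an LZNT1 stream.

    The stream is a sequence of chunks, each headed by a uint16 whose low 12
    bits hold (chunk size - 1), bits 12-14 a signature, and bit 15 a flag
    saying whether the chunk body is compressed or stored as-is. A zero header
    ends the stream early, which makes a run of zero bytes a valid stream.
    """
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:
            break  # optional terminator
        size = (header & 0x0FFF) + 1
        body = buf[pos:pos + size]
        if len(body) < size:
            raise Lznt1Error("chunk runs past the end of the input")
        pos += size
        if header & 0x8000:
            out += _decompress_chunk(body)
        else:
            out += body  # stored (uncompressed) chunk
    return bytes(out)


def lznt1_is_valid(buf):
    """True if the stream decompresses without error, i.e. the outcome that
    separates 'server responds' from 'connection dropped' in the text above."""
    try:
        lznt1_decompress(buf)
        return True
    except Lznt1Error:
        return False


# Constructed test vectors (hand-encoded, not captured traffic).
# "ABC" as literals, then a back-reference of displacement 3 and length 9,
# followed by a zero terminator.
LZ_SAMPLE = bytes.fromhex("05b0 08 41 42 43 06 20 0000")
# 17 literals, then a back-reference that needs 5 displacement bits.
LZ_LONG = bytes.fromhex("15b0") + b"\x00abcdefgh" + b"\x00ijklmnop" + b"\x02q\x00\x80"
# A stored (uncompressed) chunk.
LZ_STORED = bytes.fromhex("0430") + b"hello"
# Only zero bytes: the terminator is hit immediately, empty output, no error.
LZ_ZEROS = bytes(8)
# A compressed chunk of 0xFF bytes: the first token references 16 bytes back
# while nothing has been output yet, so decompression fails.
LZ_BAD = bytes.fromhex("02b0 ff ff ff")

if __name__ == "__main__":
    print(lznt1_decompress(LZ_SAMPLE))  # b'ABCABCABCABC'
    print(lznt1_decompress(LZ_LONG))  # b'abcdefghijklmnopqabc'
    print(lznt1_is_valid(LZ_ZEROS), lznt1_is_valid(LZ_BAD))  # True False
```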

We accomplished that by sending a valid packet which is followed by a range of bytes similar to the following (note that it’s a simplification, the actual byte values are a bit different):

There are two possible outcomes depending on the uninitialized value of the least significant byte of the length field:

  • length <= y: In this case the whole compressed block will consist of zero bytes, which is completely valid, and the next block’s length will be zero, completing the decompression successfully. The server will return a response.
  • length > y: In this case, either the first or the second compression block will contain 0xFF bytes, which will fail the decompression. The server will drop the connection.

Just like with the previous technique, we can use observations #1 and #2 to craft a message with an uninitialized byte in the middle of the message by using two steps:

  1. Send a message with invalid compressed data such that only the part we need is extracted. The bytes that will be extracted are the bytes in the image above.
  2. Send a second message, but make sure that the same lookaside list is used for the allocation, so that the bytes from step 1 will be there.

Note that the Offset value in the SMB packet header will point to the compressed data, which can be valid or not depending on the value of the uninitialized byte. The valid SMB packet will be sent uncompressed. Note also that since the Offset value is larger than the message itself, there’s an overflow in the calculation of the compressed data size, which ends up being a huge number. Usually that’s not an issue since the decompression ends quickly, either successfully or not. But sometimes the system crashes due to an out-of-bounds read. We didn’t try to solve this since it happens rarely, and the POC is complex enough.

The most notable advantage of this technique compared to the previous one is that there’s no offset limitation anymore. Even though we managed to overcome the limitation, it required sending a large number of packets, hurting performance and stability.

ZecOps Detection

ZecOps classifies forensic logs related to this issue with the following tags: #SMBGhost and #SMBleed. You can find more information on how to use ZecOps solutions for Endpoints & Servers, Mobile devices, or applications.

Remediation

You can remediate the impact of both issues by doing one of the following:

  • Applying the latest security updates (recommended)
  • Blocking port 445 / enforcing host isolation
  • Disabling SMBv3.1.1 compression

Part II – Summary

In this part, we described how we managed to read uninitialized data from the kernel pool, remotely and without authentication, by exploiting SMBGhost and SMBleed. In the third part we’ll show how it helped us achieve RCE.

McAfee Team Members Give Back During Pandemic by 3D Printing PPE

Behind the scenes, McAfee secures critical information to protect what matters most. But a visible side of the company is making just as big of an impact by protecting essential workers during the pandemic.

A small army of McAfee volunteers have joined the worldwide effort to protect doctors, hospital workers and other medical professionals by making personal protective equipment (PPE). Team members are spending their downtime creating masks, visors and plastic face shields on their 3D printing machines. PPE is being generously donated, with McAfee’s support, to healthcare workers and others on the front lines of COVID-19.

Through McAfee’s corporate social responsibility response to COVID-19, global team members who are part of the 3D mask printing program have produced nearly 5,000 pieces of PPE and have used 250 volunteer hours to make a difference in our communities. Several team members have gone above and beyond the call of duty.

Many McAfee team members have joined the initiative since Advanced Threat Researcher Thomas Roccia began giving back during COVID-19 by printing masks.

McAfee has embraced this charitable spirit and display of innovation by funding the plastic filament and other materials for team members who have the hardware to produce face masks and shields. Time spent producing PPE qualifies for the company’s Volunteer Time Off program, a benefit that encourages team members to give back to the cause of their choice.

Making PPE to Protect in the Pandemic

3D printing technology has advanced significantly in recent years. On a large scale, it’s reducing production costs, increasing supply chain efficiency and providing low-cost manufacturing for unique items. Small 3D printing systems are easy to come by and getting started requires only a few hundred dollars.

For the past couple of years, Thomas has dabbled in 3D printing technology to aid his research at McAfee by building prototypes for projects.  His machine also comes in handy for fixing things that get broken at his home in France.

Thomas began producing masks and shields in March 2020 as the pandemic gained traction and has since delivered more than 1,000 within his community. Steve, who heads the Advanced Threat Research group, was so moved that he and team members Sam and Kevin crafted a plan and joined the effort.

Steve reached out to at least a dozen medical facilities in the Portland area to gauge interest, and many were on board. The group settled on a local healthcare organization in fast need of 100 masks.

McAfee donated materials for the group and production began. Averaging about a dozen masks per day, the trio soon had nearly 50 masks ready to ship. Another half dozen went to a healthcare facility in San Diego at the request of a McAfee team member.

PPE was produced with an Ender 3 Printer using a Face Shield 3D Printer Design, transparent face shield material, elastic bands, a hole punch and scissors. Getting into production, however, was the hard part, Steve said.

“We ran into some significant challenges procuring materials,” he said. “But in the end, we were able to build a pretty high-quality mask at a low cost.”

The group continues to produce PPE based on the needs of healthcare providers.

Getting the Job Done for Everyone

Another McAfee team member, Moe comes from a family of health care providers. His dad is a doctor in Palestine and mother is a retired personal support worker.

Moe has seen firsthand the risk, care and compassion that healthcare workers put into their career, so he began making visors and ear pieces for providers on the front lines. In one weekend, he donated about 100 visors and a plethora of ear guards to Michael Garron Hospital in Toronto.

“While I may not be in the medical field myself, it does not mean I cannot practice my talent and hobby to help our healthcare workers and my fellow Canadians during this time of need,” Moe said.

Will, a program manager at McAfee and U.S. Army veteran, also fired up his 3D printer and began making plastic masks with filtered breathing holes to protect workers on the front lines. He has gladly traded some leisure time so he can contribute to this unified giving effort.

“I wanted to help, and I have the ability to make sure essential personnel is protected and staying safe by providing PPE to them for free,” he said. “We can’t do our jobs unless they can do theirs.”

At McAfee, we encourage and support the efforts of our team members to make a difference in their communities. If you’re interested in joining the McAfee team, explore our careers.

The post McAfee Team Members Give Back During Pandemic by 3D Printing PPE appeared first on McAfee Blogs.

Reports of Online Predators on the Rise. How to Keep Your Kids Safe. 

June is Internet Safety Month. And, with kids spending more time online, stepping up the public conversation about digital risks couldn’t come at a better time.

The past few months have created what some experts call the perfect storm for online predators. Schools are closed, kids are on devices more, and social distancing is creating new levels of isolation and boredom.

Guards are down, and predators know it. In fact, according to The National Center for Missing & Exploited Children (NCMEC), reports to their CyberTipline spiked 106% during the first months of the pandemic. A recent CNN story claims the dark web has seen a similar increase in activity within predator communities that has spilled over to the mainstream web since the pandemic began.

While specific data doesn’t exist (yet) to connect increased complaints directly to the ongoing health crisis, NCMEC, the FBI, and UNICEF continue to issue strong warnings to parents to step up digital safety as predators step up their efforts to connect with kids online.

What You Should Know

Predators reach out to minors through social networks, gaming platforms, or apps. They often pose as a peer, use fake photos, and create fake profiles to lure minors to chat. Predators build trust with children through devious tactics such as grooming, mirroring, and fishing, which you can read more about in our post specific to predator behavior.

Predators have been known to (although not exclusively) target socially awkward or shy kids and convince them to keep the online relationship secret. The predator may ask for a risqué or explicit photo that they may later use to bully or manipulate the child or share within predator circles on the dark web. If the child refuses to send more photos when asked, a predator may threaten to share photos they already have with the child’s family and friends. Often the predator may ask the child to meet in person. These relationships can be brief or ongoing. Regardless of duration, each encounter can have a harmful psychological impact on a child. Of course, the worst-case predator situations can result in trafficking or death.

What You Can Do

No parent wants to think about their child in this chilling situation. However, a quick Google search regarding actual predator cases may likely inspire you to adopt targeted safety practices. Here are some focused things you can do to minimize your child’s exposure to predators.

  • Have frequent and honest conversations with your child about the specific ways predators may try to befriend them online.
  • Be a safe haven. Discuss with your kids why it’s important for them to tell you right away if they feel uncomfortable with a conversation or if they are asked to engage in any inappropriate activity online.
  • Review your child’s online profiles often. This includes the content they post, who they follow, and the “friends” who comment or message them.
  • Inventory social networks and apps to ensure privacy settings are set to the most restrictive levels possible.
  • Discuss the consequences of sharing inappropriate photos with anyone online.
  • Check-in with your child frequently throughout the day. If you work at home and get easily engrossed with work, consider setting a timer to remind you to monitor your child’s digital activity.
  • Ask simple, critical questions: What apps do you use? What are you watching? Who are you talking to?
  • Teach kids how to safely search the web using tools such as McAfee Web Advisor. Consider parental controls designed to block risky sites, filter inappropriate content, and help parents set screen limits. And, don’t be shy about physically checking your child’s home screen or PC several times a week.
  • Create screen limits and a phone curfew to prevent late-night online conversations.
  • Be aware of your child isolating more or insisting on more privacy to talk with friends.
  • If your child is attending class online, don’t assume they are safe. Monitor their web surfing activity through browser history and monitoring. Connect with teachers to inquire about safety protocols.
  • Seek out help and report it if your child encounters a threatening situation online. You can also contact your local FBI field office.

There’s no way to avoid online risk 100%. Darker elements will always infiltrate the endless opportunity and good stuff the internet offers. As parents, rather than live in fear, we can be proactive. We can understand the risks, take action to minimize them, and make every effort to equip our kids to deal with any threats they encounter online.

The post Reports of Online Predators on the Rise. How to Keep Your Kids Safe. appeared first on McAfee Blogs.

Time to Move from Reactive to Proactive Endpoint Security

One of the most useful new ideas in software development (especially in DevOps) is the concept of “shift-left.” Its meaning is simple: The earlier you are able to tackle an issue, the less trouble you will have later by preventing defects early in the software delivery process. But shift-left is also particularly relevant to Endpoint security. By acquiring knowledge of external threats as they relate to an organization’s own security posture, it is possible to accurately anticipate what might happen and establish a more effective defense.

As most of us are aware, digital transformation through big data analytics, online transactions, the Internet of Things (IoT) and cloud-based applications has dramatically changed businesses of all kinds. At the same time, workers have become mobile on a global scale, requiring access to ever larger amounts of data. And during a pandemic outbreak, large numbers of employees must work from home.

Meanwhile, cybersecurity adversaries have increased in number and their threats have increased in sophistication, making life difficult for often overwhelmed cybersecurity staff who must contend with a confusing array of manual tools. Traditional Endpoint defenses are not effective anymore. It’s no longer good enough to sit back, wait for an attack and then try to recover from it.

Because we can always count on adversaries to be persistent and increasingly sophisticated, cyber defense cannot stand still. Fortunately, new technology is giving us better defensive weapons, including the vital tool of intelligence — information about what adversaries are doing – or are likely to do – and about our own defenses.

Shift-left Endpoint security means gathering this information and putting it to use by being better informed and better prepared. Shift-left means being able to anticipate and stop breaches before they happen, and should an attack get through, to run more effective mitigation procedures because you know ahead of time what’s coming. That sounds good, but how does it work in the real world?

There’s a lot of data out there, more than humans can grasp, so it’s important to put automation to work for us. Sensors that are strategically placed across worldwide networks monitor hacker activity to identify what’s going on. But automated data-gathering and analysis is not enough. Human intelligence is needed to fully understand and interpret the correlations revealed by machine intelligence.

For example, a few weeks ago, RagnarLocker ransomware was targeting the energy sector. If you’re not in the energy sector, you might have thought you could breathe easy. But just what is Ragnar doing now? Is it moving to another target industry? If so, which one?

Applying big data analytics to a data lake containing customer telemetry can show a data scientist that, let’s say, healthcare companies are next on the list of Ragnar victims. Unfortunately, most organizations do not have the resources or time to perform this type of analysis.

That’s why you need to take the next step – applying Attack Surface Management to understand your organization’s own susceptibilities to a potential attack. What if you could automatically run a scan to discover your own weaknesses and match the results against the intelligence data from the outside, then receive a high-priority alert with guidance as to next steps? Knowing what attacks are in the offing and how they might be effective against your organization arms you with the critical intelligence you need to take preventive action.

Innovating on Endpoint Security

By shifting left – pulling together security information and responding immediately – you won’t have to spend your time on the “right” side of things later, dealing with breaches after they occur. This need is all the more urgent when you consider that 279 days is the average time it takes to detect and contain a breach, according to a 2019 Ponemon Institute study on behalf of IBM.

McAfee’s MVISION Insights, an unparalleled innovation of the MVISION Endpoint Security platform, gives you the intelligence you need to implement a shift-left cybersecurity strategy by uniquely combining three key steps:

  1. Prioritize threats that matter to your customer according to industry, region and security posture—derived from one billion sensors, AI and human analytics.
  2. Predict whether or not a security posture can counter a given threat.
  3. Prescribe guidance for what to change and how to counter the threat before it enters your organization—hardening and transforming the security posture dynamically.

By drawing on insights revealed by automation, augmented by the understanding of threat researchers and data scientists, MVISION Insights enables you to look across vectors, industries and regions to drill down on what needs attention. It tells you who is targeted, what endpoints could be impacted and what actions you should take. Based on feedback from initial customers, MVISION Insights takes weeks away from a typical red team to find a campaign and offers campaigns that matter in minutes.

This is, in short, the next endpoint security paradigm, designed to help you move from reactive to proactive defense, and to alleviate the constant struggle to find and keep cybersecurity experts on staff. Shift-left: It’s what happens before the attack that matters. MVISION Insights is here to shift your endpoint security to be proactive!

The post Time to Move from Reactive to Proactive Endpoint Security appeared first on McAfee Blogs.

New Insights From McAfee’s Survey Around Remote Work

The last few months have brought about a lot of change for all of us. Due to social distancing, companies across the world saw a huge increase in the number of people working remotely. So as countries now start to relax social distancing and organizations consider shifting back to previous in-office work environments, McAfee took a look into how this change affects the number of remote workers. Will people return to work quickly, or will remote working continue on? Let’s take a look at how remote work trends have evolved in the U.S. over the past few months.

The Evolution of Remote Work   

As lockdown began in March, the U.S. saw a huge increase as people moved to work from home, with a 9% increase in the number of remote connections to our apps compared to the previous month. Now, as parts of the U.S. start to reopen, we’re tracking these remote connections to see if people are returning to work. So far, it looks like people aren’t rushing back to the office from home, with just a 0.3% decrease in remote connections this week compared to last week. What’s the big deal if more people work from home, anyway?

One answer: many organizations see employees returning to corporate offices as a necessity, especially from a security standpoint. Nearly half of employees say that their company isn’t currently responsible for securing their devices while they’re at home. This is likely correlated to the increase in the number of online attacks employees have reported over the past three months. In fact, a recent McAfee report shows that threats to enterprises increased by 630% over the same period, with most attacks targeting collaboration services that enable remote work. 

Security Implications Around Remote Work

While many employers are anxious to have their team return to the office, a new study from McAfee revealed that 47% of employees do not want to go back to working how they were previously. Additionally, 21% stated that they intend to remain at home for as long as possible.

While it’s clear that consumers are doing their best to embrace their current work environment, both the employee and employer must take the various security implications around remote work into account. Companies must ensure that tools are set up so that they can keep all employees’ applications and systems up to date, patched, and monitored for any issues that may arise. By doing more to protect their employees remotely, businesses will be able to reap the benefits of a happier workforce and greater business continuity.  

Although many users may be unsure of whether they will continue to commute to the kitchen table or their corporate office, there are several security tips to keep in mind in the interim to help enable remote work. Check out the following tips to safeguard your work from home environment: 

Be cautious of correspondence asking you to act

You must stay vigilant if you receive an email or text asking you to take a certain action or download software. Avoid clicking on anything within the message. Instead, go straight to the organization’s website to prevent malicious content from phishing links.  

Keep infrastructure up to date

With an ongoing trend of vulnerabilities in consumer devices like home routers or smart home products, you should be regularly reminded to update such devices. 

Browse with security protection

Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post New Insights From McAfee’s Survey Around Remote Work appeared first on McAfee Blogs.

The Future of Work: How Technology & the WFH Landscape Are Making an Impact

Over the past few months, the American job market has seen a lot of change. Employees made the transition from commuting into an office every day to working from home. Some people lost work or experienced reduced hours, and the unemployment rate in the U.S. has jumped to 13.3% as of May 2020. However, new challenges breed new opportunities, and there are some jobs that are flourishing amid these uncertain times. What’s more, these challenges are paving a new path for the future of work and how prospective employees look for new job opportunities. Let’s take a look.

Jobs on the Rise

While some industries have experienced a downturn due to the pandemic, others have experienced a huge increase in demand as a result. All of them have one thing in common: they directly impact consumers’ key needs during this time.

Essential Industries

Of course, healthcare is top of mind for us all right now, so it’s not surprising that the demand for healthcare workers and pharmacy workers has steadily increased. For example, CVS is hiring 50,000 employees and Walgreens is looking to fill 25,000 permanent and temporary positions. 

To keep up with the increase in demand for eating at home, major grocery chains are hiring in-store shelf stockers and delivery staff. Additionally, Instacart is looking to hire 300,000 contract workers over the next three months.

Tech

Beyond physical needs, humanity’s need to remain connected – both socially and professionally – has driven demand within the tech industry. With more users working from home than ever before, the need for dependable telecommunications software has never been greater. While telecommunication has already experienced a 44% increase over the past 5 years, the current need for video conferencing platforms, online meetings, chat, and mobile collaboration services will only further facilitate this growth. With the increase in remote work, many employees found themselves helplessly fumbling with laptops and other equipment. So, it’s unsurprising that tech support jobs are on the rise as well. With physical call centers and operation centers shut down, companies still need agents to take customer and technical support calls.

Security

As more employees telecommute, unprecedented stress has been placed on virtual private networks (VPNs) and other systems securing remote work arrangements. As a result, some security jobs have seen a 20% surge in demand. As businesses begin to emerge from the global lockdown, it’s likely that the need for security talent will become even more apparent as businesses look for the safest way to resume business operations. 

As the demand for security jobs has recently increased, so has the security skills gap. To guarantee that an organization’s business can continue, organizations must ensure that VPNs, network devices, and other devices being used in the remote environment are updated with the latest software patches and security configurations. Additionally, networks must be constantly monitored to prevent hackers from accessing the organization’s VPN connection. To do this, however, requires a skilled security workforce that can be hard to come by due to the ever-increasing demand. If organizations wish to close the skills gap, they will need to look beyond the typical graduate talent pool and see the value in other forms of security education such as internships. 

How to Stay Secure While Job Hunting

Hackers know that everyone is spending more time online. They also know that many Americans have recently been laid off and are looking for new jobs, leading to a surge of fake job scams. According to Forbes, the Better Business Bureau has reported more than 13,000 job listing scams in North America alone since December. Users searching for jobs online must proceed with caution and look out for suspicious job postings disguised as real businesses to protect their personal data. 

So, if you’re looking to change career paths during this time or are on the hunt for a new job, follow these tips to protect your security and personal data.  

Go directly to the source

If you come across a job posting that seems suspicious, go directly to the business’ career page to verify that the listing is real. Likewise, beware of any so-called recruiters who reach out offering you a job that seems too good to be true. Be skeptical of emails, phone calls, or text messages claiming to be from organizations with peculiar asks as well.  

Hover over links to see and verify the URL

If someone claiming to be from an organization sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Beware of what you share

If you get what appears to be a suspicious request from a recruiter, an HR representative, a friend, or family member, verify the message with that person directly before opening or responding. Remember that an employer will never request sensitive information such as social security numbers or bank routing numbers over email or text. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 


The post The Future of Work: How Technology & the WFH Landscape Are Making an Impact appeared first on McAfee Blogs.

What Does it Take to Be an Effective Developer Manager?

If you’re a software engineer you’ve probably seen one or two of your colleagues graduate from Senior Developer to Developer Manager – some with the sobering realization that managing a team of developers requires significant cross-functional skillsets.

Foundationally, to be a successful Developer Manager you must know your stuff when it comes to software development, be passionate about the importance of security, and come equipped with communication skills that will enable you to bring siloed teams together. More often than not, these skills will come naturally as you move through your career in software engineering, but it’s never too early to start honing in on what will make you a great Developer Manager down the road.

We asked a handful of Veracoders to talk about what they think are the most important qualities for Developer Managers to have in their back pocket and ways that managers can effectively lead their teams in the right direction.

Become a supportive advocate. Doug Wilcox, Principal Software Engineer at Veracode, says it’s all about how a good manager supports their team. “Always be the team's advocate, protect the team from the often-changing priorities and occasional unreasonable demands from higher up,” Doug says. Those unreasonable demands can cause panic and unnecessary stress that derails an entire project, so it’s important to understand the difference between a five-alarm fire and a fire drill.

Doug elaborates that being supportive includes providing opportunities for professional growth, especially in areas of team leadership. Becoming that anchor for your team will help to keep frustrations down and spirits high, especially if you act as a communication bridge between security and development – two teams that are often siloed.

Be a tank for the team (when it’s right). Dan Murphy, Principal Software Engineer at Veracode, also stresses the importance of managers protecting their teams: “Act as a ‘tank’ to shield developers from organization overhead. Push back to give developers the time to do things right,” he explains. “But ensure that ‘right’ is always aligned with business interests. Security usually is!” Any team can buckle under the pressure coming from various departments, especially those directly above.

Good Developer Managers can shield their teams while keeping projects on track to meet tight deadlines. Establish boundaries with other team leaders and make sure everyone involved understands how your team functions, which tools they use, and how they prefer to communicate.

Set realistic timeline goals. Kayla Firestack, Associate Software Engineer at Veracode, underscores the importance of timelines and deadlines when racing to produce code. She says, “Understand that it's very difficult to actually figure out how much time something will take if things are done properly. And ignoring tech debt makes working conditions worse.” While projects can and do morph on the fly, setting expectations on a sudden change of direction or added steps that slow things down is critical to maintaining a happy (and sane) team of developers.

As Kayla points out, overlooking security debt can also compound these issues and place even more pressure on teams of developers to write quality code under tight deadlines. Work with the security team to set priorities for remediating vulnerabilities so that you know what your developers need to tackle first when new flaws are discovered.

Provide mentorship resources for success. Zachary Estrella, a DevOps Engineer at Veracode, knows firsthand the importance of a manager who also acts as a resource center for growth. “I think Developer Managers should provide any resource the developer needs for success. A Developer Manager also needs to offer some type of mentorship program to younger developers,” he says. Becoming a mentor can be as simple as providing opportunities for developers with an interest in security so that they can use their leadership and security skills efficiently.

Consider standing up a security champions program to empower a member of your team who keeps security at top of mind and cares about the quality of the code they produce. The security champion you choose can then help you encourage the team to shift security left in the software development lifecycle (SDLC), reducing the number of flaws potentially discovered later in the development process and saving the organization money. That’s a win-win.

Offer engaging training solutions. Tim Jarrett, Veracode’s Director of Product Management and Strategy, offers concise words of wisdom: “Support training initiatives.” These may range from eLearning tutorials and courses on various languages to workshops and webinars that cover professional growth, ideally with content tailored to how your developers work every day. Developer training is essential to the growth of your team, as well as to their impact on the business. As the development process speeds up and security shifts left, developers must be well-equipped to spot and fix vulnerabilities before they become a problem for the organization.

Now, more than ever, this means developers need skills, tools, and ongoing training they may not have had in school or early on in their careers. Look for solutions like Veracode’s self-paced eLearning and instructor-led remote education, secure programming workshops, and hands-on training with Veracode Security Labs that teaches developers how to exploit and fix real-world vulnerabilities. Lead by example and take the initiative to use these training tools as well, showing your developers that they should never stop learning if they want to be successful.

Projects move quickly in modern software development, and the health of your code is more important than ever. Possessing these qualities and skills as a Developer Manager will not only make your team more successful, it will also help your developers set off on the right career path for their skills and goals.

Read our whitepaper to learn more about developer training, including how to boost security knowledge for your team of developers.

Quantifying Cloud Security Effectiveness

Let’s start with the good news. Agencies are adopting cloud services at an increased rate. Adoption has only increased in times of coronavirus quarantine lockdowns, with most federal, state and municipal workforces working from home. What’s even better news is that we also see increased adoption of cloud security tools, like CASB, which is commensurate with the expanding cloud footprint of US Public Sector agencies.

So now we have security tools in place to secure our cloud assets in SaaS, PaaS and IaaS. The next step is to determine what security controls need to be implemented. What DLP policies should the agency adopt? What capabilities of a cloud service should be enabled or disabled to maintain a robust security posture? How does an agency actually go about measuring the effectiveness of the security controls that were implemented? How do we find out how we stack up against our peer organizations?

To answer these questions, McAfee developed MVISION Cloud Security Advisor (CSA). Cloud Security Advisor is a portal that is provided “out-of-the-box” with your organization’s MVISION Cloud CASB tenant. CSA provides a comprehensive set of recommendations for organizations to prioritize efforts in implementing their cloud security controls. The recommendations are broken down into Visibility and Control metrics. There is also a section that provides quarterly reports on various parameters, which we will discuss in a little bit.

When you first access the Cloud Security Advisor dashboard you are presented with a “magic quadrant” that shows your organization’s security posture relative to other peer organizations on the scales of Control and Visibility and provides a maturity score for both.

There is even an option to select a vertical market to see how your organization stacks up to organizations in other business sectors.

On the right of the main dashboard are checklist items that provide a short description and current progress in following Cloud Security Advisor’s recommendations. CSA scans the organization’s MVISION Cloud environment once every 24 hours. Any changes to MVISION Cloud will be reflected in the next scan. In the screenshot below, for example, we see an environment that is not enforcing controls on publicly shared links in Collaboration SaaS apps.

From here, a security admin can simply click on the checklist item and then on Enable Policy. This will automatically take the user to the DLP Policy Templates page to select the appropriate policy for enforcement.

Another powerful capability of MVISION Cloud Security Advisor is providing quarterly Cloud Security Reports. These are accessible from the main CSA dashboard by going to View Reports and then selecting a quarter for which you would like to see the report.

From there we can start examining our organization’s cloud footprint to identify the total number of Shadow IT services discovered that quarter, as well as some additional Shadow IT statistics.

Next we can look at IaaS resources in all our AWS, Azure and GCP environments.

We then proceed to look at summary statistics for DLP and access policy violations. Incidents show policy violations of each type detected across all of the organization’s cloud environments secured by MVISION Cloud CASB.

The next screen shows user behavioral anomalies and threats uncovered by the MVISION Cloud UBA machine-learning engine.

The Malware section of the report provides insights into malware uncovered in SaaS and IaaS environments connected to MVISION Cloud.

The Data at Risk report is probably the most pertinent to gauging the effectiveness of the MVISION Cloud CASB solution. This report shows how much of the organization’s data was at risk and how it was secured using MVISION Cloud CASB. As seen from the image, there is a downward trend, indicating progress is being made to secure the organization’s data.

The Sensitive Data report shows how the organization’s sensitive data is distributed across all cloud services in use by the organization. This report also provides insights into cloud adoption trends for your organization.

The “Users” report is a pivot table of the Sensitive Data report that organizes incidents and policy violations by individual users. Ultimately, the report shows how much of a risk an organization’s users pose to the organization’s data.

The Mobile Devices report shows incidents for each type of detected mobile device.

The next three pages of the CSA report provide a deeper dive into the data on the front page of the CSA portal we saw at the beginning of this blog. On the Scores page we see the “magic quadrant” with Control and Visibility axes, together with progress relative to previous quarters. The Visibility score and Control score, both on a scale of 100, gauge your organization’s maturity in securing its cloud footprint.

Next, the Visibility metrics page. Visibility metrics measure how well an organization has been doing in gaining visibility into what is out there in their cloud environment and how secure it is.

Finally, the Control metrics page shows how well an organization has performed in placing controls and mitigating security risks for its cloud environment.

And that, in a nutshell, is it. By reviewing the screenshots from the Cloud Security Advisor dashboard you should now have a good idea of the metrics at your disposal to quantify cloud security effectiveness for your organization.

To see MVISION Cloud Security Advisor in action, please check out the video below:

The post Quantifying Cloud Security Effectiveness appeared first on McAfee Blogs.

SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost


TL;DR

  • While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206).
  • SMBleed allows an attacker to leak kernel memory remotely.
  • Combined with SMBGhost, which was patched three months ago, SMBleed allows an attacker to achieve pre-auth Remote Code Execution (RCE).
  • POC #1: SMBleed remote kernel memory read: POC #1 Link
  • POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost: POC #2 Link

Introduction

The SMBGhost (CVE-2020-0796) bug in the compression mechanism of SMBv3.1.1 was fixed about three months ago. In our previous writeup we explained the bug, and demonstrated a way to exploit it for local privilege escalation. As we found during our research, it’s not the only bug in the SMB decompression functionality. SMBleed happens in the same function as SMBGhost. The bug allows an attacker to read uninitialized kernel memory, as we illustrate in detail in this writeup.


An observation

The bug happens in the same function as SMBGhost, the Srv2DecompressData function in the srv2.sys SMB server driver. Below is a simplified version of the function, with the irrelevant details omitted:

typedef struct _COMPRESSION_TRANSFORM_HEADER
{
    ULONG ProtocolId;
    ULONG OriginalCompressedSegmentSize;
    USHORT CompressionAlgorithm;
    USHORT Flags;
    ULONG Offset;
} COMPRESSION_TRANSFORM_HEADER, *PCOMPRESSION_TRANSFORM_HEADER;

typedef struct _ALLOCATION_HEADER
{
    // ...
    PVOID UserBuffer;
    // ...
} ALLOCATION_HEADER, *PALLOCATION_HEADER;

NTSTATUS Srv2DecompressData(PCOMPRESSION_TRANSFORM_HEADER Header, SIZE_T TotalSize)
{
    // The allocation size is computed from two client-controlled header fields.
    PALLOCATION_HEADER Alloc = SrvNetAllocateBuffer(
        (ULONG)(Header->OriginalCompressedSegmentSize + Header->Offset),
        NULL);
    if (!Alloc) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    ULONG FinalCompressedSize = 0;

    // Decompress the compressed part of the message into the buffer, past the first Offset bytes.
    NTSTATUS Status = SmbCompressionDecompress(
        Header->CompressionAlgorithm,
        (PUCHAR)Header + sizeof(COMPRESSION_TRANSFORM_HEADER) + Header->Offset,
        (ULONG)(TotalSize - sizeof(COMPRESSION_TRANSFORM_HEADER) - Header->Offset),
        (PUCHAR)Alloc->UserBuffer + Header->Offset,
        Header->OriginalCompressedSegmentSize,
        &FinalCompressedSize);
    // The only check on the decompressed size: it must equal the size the client claimed.
    if (Status < 0 || FinalCompressedSize != Header->OriginalCompressedSegmentSize) {
        SrvNetFreeBuffer(Alloc);
        return STATUS_BAD_DATA;
    }

    // Copy the uncompressed prefix (Offset bytes) to the start of the buffer as is.
    if (Header->Offset > 0) {
        memcpy(
            Alloc->UserBuffer,
            (PUCHAR)Header + sizeof(COMPRESSION_TRANSFORM_HEADER),
            Header->Offset);
    }

    Srv2ReplaceReceiveBuffer(some_session_handle, Alloc);
    return STATUS_SUCCESS;
}

The Srv2DecompressData function receives the compressed message which is sent by the client, allocates the required amount of memory, and decompresses the data. Then, if the Offset field is not zero, it copies the data that is placed before the compressed data as is to the beginning of the allocated buffer.

The SMBGhost bug happened due to lack of integer overflow checks. It was fixed by Microsoft and even though we didn’t add it to our function to keep it simple, this time we will assume that the function checks for integer overflows and discards the message in these cases. Even with these checks in place, there’s still a serious bug. Can you spot it?

Faking OriginalCompressedSegmentSize again

Previously, we exploited SMBGhost by setting the OriginalCompressedSegmentSize field to be a huge number, causing an integer overflow followed by an out of bounds write. What if we set it to be a number which is just a little bit larger than the actual decompressed data we send? For example, if the size of our compressed data is x after decompression, and we set OriginalCompressedSegmentSize to be x + 0x1000, we’ll get the following:

The uninitialized kernel data is going to be treated as a part of our message.

If you didn’t read our previous writeup, you might think that the Srv2DecompressData function call should fail due to the check that follows the SmbCompressionDecompress call:

if (Status < 0 || FinalCompressedSize != Header->OriginalCompressedSegmentSize) {
    SrvNetFreeBuffer(Alloc);
    return STATUS_BAD_DATA;
}

Specifically, in our example, you might assume that while the value of the OriginalCompressedSegmentSize field is x + 0x1000, FinalCompressedSize will be set to x in this case. In fact, FinalCompressedSize will be set to x + 0x1000 as well due to the implementation of the SmbCompressionDecompress function:

NTSTATUS SmbCompressionDecompress(
    USHORT CompressionAlgorithm,
    PUCHAR UncompressedBuffer,
    ULONG  UncompressedBufferSize,
    PUCHAR CompressedBuffer,
    ULONG  CompressedBufferSize,
    PULONG FinalCompressedSize)
{
    // ...

    NTSTATUS Status = RtlDecompressBufferEx2(
        ...,
        FinalUncompressedSize,
        ...);
    if (Status >= 0) {
        // Reports the size of the destination buffer, not the number of bytes actually produced.
        *FinalCompressedSize = CompressedBufferSize;
    }

    // ...

    return Status;
}

In case of a successful decompression, FinalCompressedSize is updated to hold the value of CompressedBufferSize, which is the size of the buffer. Not only did this seemingly unnecessary, deliberate update of the FinalCompressedSize value make the exploitation of SMBGhost easier, it also allowed the SMBleed bug to exist.
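To see why the size check passes, here is an added model of the acceptance logic described above. It is our own constructed C, not srv2.sys code or the ZecOps POC: a toy run-length format stands in for the real compression, a sentinel byte stands in for stale pool memory, and a hardened variant shows what comparing against the bytes actually produced would change.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the SMBleed acceptance logic (not srv2.sys code).
 * The toy "compressed" format is run-length pairs (count, byte), chosen only
 * so that the number of bytes a decompression really produces is observable. */

typedef struct {
    uint32_t OriginalCompressedSegmentSize;  /* client-claimed decompressed size */
    uint32_t Offset;                         /* raw bytes placed before the compressed part */
} model_header_t;

#define SENTINEL 0xCC  /* stands in for whatever the allocation previously held */

/* Toy decompressor: returns bytes written, or -1 if the output would not fit. */
static long toy_decompress(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (written + count > out_cap)
            return -1;
        memset(out + written, in[i + 1], count);
        written += count;
    }
    return (long)written;
}

/* Models SmbCompressionDecompress as the writeup describes it: on success the
 * reported size is the destination buffer size, not the bytes produced.
 * With hardened != 0 it instead reports what the decompressor actually wrote. */
static int model_decompress(const uint8_t *in, size_t in_len,
                            uint8_t *out, uint32_t out_cap,
                            uint32_t *final_size, int hardened)
{
    long n = toy_decompress(in, in_len, out, out_cap);
    if (n < 0)
        return -1;
    *final_size = hardened ? (uint32_t)n : out_cap;
    return 0;
}

/* Models the Srv2DecompressData decision. Returns 1 if the message would be
 * accepted, 0 if rejected. On acceptance, *unwritten receives the number of
 * bytes in the decompressed region that decompression never touched, i.e. the
 * amount of stale allocation content that would travel on as message data. */
int model_srv2_decompress(const model_header_t *hdr,
                          const uint8_t *payload, size_t payload_len,
                          int hardened, size_t *unwritten)
{
    /* The SMBGhost fix: reject sizes whose sum would wrap. */
    if (hdr->OriginalCompressedSegmentSize > UINT32_MAX - hdr->Offset)
        return 0;
    uint32_t total = hdr->OriginalCompressedSegmentSize + hdr->Offset;

    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return 0;
    memset(buf, SENTINEL, total);  /* "uninitialized" content, made visible */

    uint32_t final_size = 0;
    int rc = model_decompress(payload, payload_len,
                              buf + hdr->Offset, hdr->OriginalCompressedSegmentSize,
                              &final_size, hardened);
    if (rc < 0 || final_size != hdr->OriginalCompressedSegmentSize) {
        free(buf);
        return 0;  /* STATUS_BAD_DATA in the real code */
    }

    size_t stale = 0;
    for (uint32_t i = 0; i < hdr->OriginalCompressedSegmentSize; i++)
        if (buf[hdr->Offset + i] == SENTINEL)
            stale++;
    *unwritten = stale;
    free(buf);
    return 1;
}

int main(void)
{
    /* Constructed payload: expands to "AAAABBB", 7 bytes. */
    const uint8_t payload[] = { 4, 'A', 3, 'B' };
    model_header_t honest = { 7, 0 };
    model_header_t inflated = { 7 + 0x1000, 0 };
    size_t stale = 0;
    int ok;

    ok = model_srv2_decompress(&honest, payload, sizeof payload, 0, &stale);
    printf("honest header, original check:   accepted=%d stale=%zu\n", ok, stale);
    ok = model_srv2_decompress(&inflated, payload, sizeof payload, 0, &stale);
    printf("inflated header, original check: accepted=%d stale=%zu\n", ok, stale);
    ok = model_srv2_decompress(&inflated, payload, sizeof payload, 1, &stale);
    printf("inflated header, hardened check: accepted=%d\n", ok);
    return 0;
}
```

With the original check the inflated header is accepted and 0x1000 bytes of the buffer were never written; the hardened check rejects it because only 7 bytes were produced.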

Basic exploitation

The SMB message we used to demonstrate the vulnerability is the SMB2 WRITE message. The message structure contains fields such as the amount of bytes to write and flags, followed by a variable length buffer. That’s perfect for exploiting the bug, since we can craft a message such that we specify the header, but the variable length buffer contains uninitialized data. We based our POC on Microsoft’s WindowsProtocolTestSuites repository (that we also used for the first SMBGhost reproduction), introducing this small addition to the compression function:

// HACK: fake size
// Claim 0x1000 more bytes than the WRITE payload really decompresses to.
if (((Smb2SinglePacket)packet).Header.Command == Smb2Command.WRITE)
{
    ((Smb2WriteRequestPacket)packet).PayLoad.Length += 0x1000;
    compressedPacket.Header.OriginalCompressedSegmentSize += 0x1000;
}

Note that our POC requires credentials and a writable share, which are available in many scenarios, but the bug applies to every message, so it can potentially be exploited without authentication. Also note that the leaked memory is from previous allocations in the NonPagedPoolNx pool, and since we control the allocation size, we might be able to control the data that is being leaked to some degree.

SMBleed POC Source Code

Affected Windows versions

Windows 10 versions 1903, 1909 and 2004 are affected. During testing, our POC crashed one of our Windows 10 1903 machines. After analyzing the crash with Neutrino we saw that the earliest, unpatched versions of Windows 10 1903 have a null pointer dereference bug while handling valid, compressed SMB packets. Please note, we didn’t investigate further to find whether it’s possible to bypass the null pointer dereference bug and exploit the system.

[Figure: an unpatched system, where the null pointer dereference happens.]
[Figure: a patched system, showing the added null pointer check.]

Here’s a summary of the affected Windows versions with the relevant updates installed:

Windows 10 Version 2004

| Update            | SMBGhost       | SMBleed        |
|-------------------|----------------|----------------|
| KB4557957         | Not Vulnerable | Not Vulnerable |
| Before KB4557957  | Not Vulnerable | Vulnerable     |

Windows 10 Version 1909

| Update            | SMBGhost       | SMBleed        |
|-------------------|----------------|----------------|
| KB4560960         | Not Vulnerable | Not Vulnerable |
| KB4551762         | Not Vulnerable | Vulnerable     |
| Before KB4551762  | Vulnerable     | Vulnerable     |

Windows 10 Version 1903

| Update            | Null Dereference Bug | SMBGhost       | SMBleed                 |
|-------------------|----------------------|----------------|-------------------------|
| KB4560960         | Fixed                | Not Vulnerable | Not Vulnerable          |
| KB4551762         | Fixed                | Not Vulnerable | Vulnerable              |
| KB4512941         | Fixed                | Vulnerable     | Vulnerable              |
| None of the above | Not Fixed            | Vulnerable     | Potentially vulnerable* |

* We haven’t tried to bypass the null dereference bug, but it may be possible through another method (for example, using SMBGhost Write-What-Where primitive)

SMBleedingGhost? Chaining SMBleed with SMBGhost for pre-auth RCE

Exploiting the SMBleed bug without authentication is less straightforward, but also possible. We were able to use it together with the SMBGhost bug to achieve RCE (Remote Code Execution). A writeup with the technical details will be published soon. For now, please see below a POC demonstrating the exploitation. This POC is released only for educational and research purposes, as well as for evaluation of security defenses. Use at your own risk. ZecOps takes no responsibility for any misuse of this POC.

SMBGhost + SMBleed RCE POC Source Code

Detection

ZecOps Neutrino customers detect exploitation of SMBleed & SMBGhost – no further action is required. SMBleed & SMBGhost can be detected in multiple ways, including crash dump analysis and network traffic analysis. Signatures are available to ZecOps Threat Intelligence subscribers. Feel free to reach out to us at threat_intel@zecops.com for more information.

Remediation

You can remediate both SMBleed and SMBGhost by doing one or more of the following things:

  1. Windows update will solve the issues completely (recommended)
  2. Blocking port 445 will stop lateral movements using these vulnerabilities
  3. Enforcing host isolation
  4. Disabling SMB 3.1.1 compression (not a recommended solution)

Shout out to Chompie that exploited this bug with a different technique. Chompie’s POC is available here.


RagnarLocker Ransomware Threatens to Release Confidential Information

EXECUTIVE SUMMARY

The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators.

The ransomware code is small (only 48kb after the protection in its custom packer is removed) and written in a high-level programming language (C/C++). Like all ransomware, the goal of this malware is to encrypt all files that it can and request a ransom for decrypting them.

RagnarLocker’s operators, as we have seen with other bad actors recently, threaten to publish the information they get from compromised machines if ransoms are not paid.

After conducting reconnaissance, the ransomware operators enter the victim’s network and, in some pre-deployment stages, steal information before finally dropping the ransomware that will encrypt all files in the victim’s machines.

The most notable RagnarLocker attack to date saw this malware deployed in a large company where the malware operators then requested a ransom of close to $11 million USD in return for not leaking information stolen from the company. In this report we will talk about the sample used in this attack.

At the time of writing there are no free decryptors for RagnarLocker.

However, certain McAfee products, including personal antivirus, endpoint, and gateway can protect our customers against the threats that we talk about in this report.

RAGNARLOCKER OVERVIEW

The unpacked malware is a 32-bit binary that can be found as an EXE file.

FIGURE 1. INFORMATION ABOUT THE MALWARE

As can be seen in the previous screenshot, this sample was compiled on the 6th of April 2020. The attack mentioned earlier took place some days later, but this sample was prepared for the victim, as we will explain later.

| Field        | Value                                                                  |
|--------------|------------------------------------------------------------------------|
| Name         | malware.exe                                                            |
| Size         | 48,460 bytes unpacked (can change between samples), packed can be variable |
| File-Type    | EXE 32 bits (can change between samples)                               |
| SHA 256      | 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929       |
| SHA 1        | 60747604d54a18c4e4dc1a2c209e77a793e64dde                               |
| Compile time | 06-04-2020 (can change between samples)                                |

TECHNICAL DETAILS

As we often see with ransomware, RagnarLocker starts preparing some strings of languages for the CIS countries that are embedded within its own code (in Unicode).

FIGURE 2. THE LANGUAGE STRINGS EMBEDDED INTO THE CODE IN THE STACK

The languages that are hardcoded are:

  • Georgian
  • Russian
  • Ukrainian
  • Moldavian
  • Belorussian
  • Azerbaijani
  • Turkmen
  • Kyrgyz
  • Kazakh
  • Uzbek
  • Tajik

After preparing these strings, the malware uses the function “GetLocaleInfoW” to get the LOCALE_SYSTEM_DEFAULT language as a string. Once obtained, it will check the system language against the blacklisted languages and, if any of them match, it will terminate itself with the function “TerminateProcess” with an error result code of 0x29A (as we have seen before with many different malware samples).

FIGURE 3. CHECK OF THE LANGUAGE AGAINST THE BLACKLIST

The check against the LOCALE_SYSTEM_DEFAULT is to prevent a user from installing a language they would not otherwise use as a means of avoiding infection. The check is made against the language selected in Windows. Of course, not everyone in these countries will be using a CIS language in Windows so English is also ok to use. As with other ransomware families, there is no guarantee that infection will be avoided if other languages are selected as the default.

After this the malware will get the name of the infected computer with the function “GetComputerNameW” and the username of whoever is actively using the machine at that time with the function “GetUserNameW”.

FIGURE 4. GET THE COMPUTER NAME AND THE USERNAME

After this the malware will read two registry keys:

  • HKLM\SOFTWARE\Microsoft\Cryptography and the subkey MachineGuid to get the GUID of the victim machine.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and the subkey “ProductName” to get the name of the operating system.

For this the malware uses the functions “RegOpenKeyExW”, “RegQueryValueExW” and “RegCloseKey” in the hive HKEY_LOCAL_MACHINE. This hive can be read without admin rights.

FIGURE 5. READ FROM THE REGISTRY THE NAME OF OPERATING SYSTEM AND GUID

Next, RagnarLocker will prepare the first string in the stack with the function “lstrcpyW” and later will start joining the strings with the function “lstrcatW”.

The sequence is first the GUID of the machine, then the Windows operating system name, the user logged into the machine and, finally, the name of the victim machine.

FIGURE 6. GET INFORMATION OF THE USER AND MACHINE AND JOIN ALL STRINGS

In the screenshot some values were modified to protect my virtual machine. After getting this information and preparing the string, the malware computes a custom hash of each one.

For this, the malware will reserve some memory with “VirtualAlloc”, get the size of the string and compute the hash in a very small loop. After this it will format the hash with the function “wsprintfW” to have it as a Unicode string.

FIGURE 7. MAKE THE CUSTOM HASH AND FORMAT AS UNICODE STRING

The hashes are made in the following order:

  • Machine name (e.g. 0xf843256f*)
  • Name of the user logged into the machine (e.g. 0x56ef3218*)
  • GUID of the infected machine (e.g. 0x78ef216f*)
  • Name of the operating system (e.g. 0x91fffe45*)
  • Finally, the full string with all strings joined (e.g. 0xe35d68fe*)

*The above values have been changed to protect my machine.

After this it will use the function “wsprintfW”, with the template string “%s-%s-%s-%s-%s”, to format the custom hashes together with hyphens between them, but in this case the hashes are in this order:

  • GUID
  • Operating System Name
  • Name of the logged in user
  • Name of the infected machine
  • Full string with all other strings joined together

FIGURE 8. CREATE CUSTOM HASH OF THE STRINGS AND FORMAT THE FINAL STRING IN A SPECIAL ORDER

The malware gets the command line of its own process with the function “GetCommandLineW”, which returns the full command line including any arguments, splits it with “CommandLineToArgvW” to obtain the arguments if they exist, and checks whether there is more than one argument (the first argument is always the program path, as is usual in C/C++).

If there is more than one argument the malware skips the next procedure. To keep the normal flow in the technical details section we describe what happens if only one argument exists. In this case the malware will try to create a Windows Event with the name of the formatted string with all hashes, as explained earlier (in our example case above, 78ef216f-91fffe45-56ef3218-f843256f-e35d68fe).

After trying to create the event the malware will check the last error with the function “GetLastError” and compare it with ERROR_ALREADY_EXISTS (0xB7). If the event already exists the malware will check a counter against the value 0x8000 (32768) and, if it is not this value, it will increase the counter by one and try again to make the event, check the last error, and so on, until it can finally make the event, reach the counter value, or it reaches the maximum value in the counter (64233). If the event cannot be created the malware will get the pseudohandle to its own process with the function “GetCurrentProcess” and terminate it with the function “TerminateProcess” with the exit code 0x29A.

FIGURE 9. CREATE EVENT LOOP AFTER CHECKING THERE IS ONLY ONE ARGUMENT IN THE COMMAND LINE

This is done for several reasons:

  • The event is created to avoid relaunching another instance of the malware at the same time.
  • The check of the counter is made if another instance of the malware is launched, to wait for the previous one to finish before continuing the process (this avoids some issues with the malware checking for encrypted files).
  • The check of the argument, as we will explain later, can be used to avoid the event behavior so the malware will always try to encrypt files. It is one of the reasons why a vaccine against this malware is useless if the malware operator executes the malware with an argument as simple as “1”.

After this, the malware will try to open in raw mode all physical drives attached to the victim machine, preparing the string “\\.\PHYSICALDRIVE%d”. This string is formatted with the function “wsprintfW” in a loop, starting with drive 0 and going up to a maximum of 16. After formatting, the malware uses “CreateFileW” and checks that it does not return the error “ERROR_INVALID_HANDLE” (which means the drive cannot be accessed or does not exist). If this error is returned it increases the counter and formats the string with the new value. If it can open a raw handle to the drive it sends two commands using the function “DeviceIoControl”.

The commands are:

  • 0x7C0F4 -> IOCTL_DISK_SET_DISK_ATTRIBUTES with the attributes of: DISK_ATTRIBUTE_READ_ONLY and DISK_ATTRIBUTE_OFFLINE.
  • 0x70140 -> IOCTL_DISK_UPDATE_PROPERTIES, which makes the drive update its partition table. Once the attributes are updated the malware can access the disk in sharing mode.

FIGURE 10. CONTROL THE PHYSICAL DISK TO HAVE ACCESS TO IT

The ransomware’s next action is to check which volumes exist and can be accessed. This can be done in two ways, the first of which is using the functions “FindFirstVolumeA”, “FindNextVolumeA” and “FindVolumeClose”.

FIGURE 11. GET VOLUME LETTER AND INFORMATION TO CHECK IT EXISTS AND CAN BE ACCESSED

The first two functions return the volume name as an internal identifier assigned by Windows, so the malware needs to translate it to the drive letter associated with that volume. This is done with the function “GetVolumePathNamesForVolumeNameA”, which returns the drive letter associated with the inspected volume.

With this letter the function “GetVolumeInformationA” is then used to get information about the volume if it exists and is enabled. If the volume does not exist or cannot be checked, the function fails, the volume is ignored and the process moves on to the next volume on the machine.

Another check is made using the function “GetLogicalDrives”, which returns a bitmask of the existing drives; by checking one bit per drive, the malware knows whether the drive exists or not.

After this, the malware will prepare the keys that later will be needed to encrypt the files. To make them it will get a crypto context with the function “CryptAcquireContextW”, generate random data with “CryptGenRandom” and then run this value through the SHA-512 algorithm. The resulting values are the key and nonce of the Salsa20 algorithm that will be used later to encrypt files.

FIGURE 12. ACQUIRE CRYPTO CONTEXT, GENERATE SOME DATA AND PREPARE IT WITH SHA-512

The malware continues by decrypting some strings in two steps: a large function handles the first layer, and a second routine, used later, produces the second layer and the final service-name string. The services stopped are:

vss
sql
memtas -> associated with MailEnable
mepocs -> associated with MailEnable
Sophos -> associated with Sophos Antivirus
Veeam -> associated with a program to make backups and save in the cloud
Backup -> associated with Asus WebStorage
Pulseway -> associated with remote control software for IT departments
Logme -> associated with remote control software
Logmein -> associated with a remote control software
Conectwise -> associated with a remote control software
Splastop -> associated with a remote control software
Mysql -> associated with a program of databases
Dfs -> associated with the Distributed File System (Microsoft)

Please note: The services list can change between samples.

After decrypting the strings, the malware accesses the SCManager with the function “OpenSCManagerA”. If it cannot get access it will ignore all services and continue to the next step.

If it can open a handle to it, it will get the status of each service with the function “EnumServicesStatusA” and, if the service is already stopped, will pass to the next one. The malware calls this function twice, first to get the buffer size needed, checking the last error with “GetLastError” against the value 0xEA (ERROR_MORE_DATA), which means the function needs more memory than it was given to return all the information.

FIGURE 13. OPEN THE SERVICE MANAGER AND ENUMSERVICESTATUS

This memory is reserved and the function called again later, in this case to get the real status and, if not stopped, the malware will open the service with the function “OpenServiceA” and query the status of the service with the function “QueryServiceStatusEx”. If the service is not stopped, it will get all dependencies of the service with “EnumDependentServicesA” and finally it will control the service to stop it with the function “ControlService”.

FIGURE 14. OPEN THE SERVICES AND CONTROL THEM

After this, the malware decrypts a list of the processes that it will try to terminate if it finds them on the infected machine. For this decryption, the malware converts a string into an integer and uses this integer as the key value to decrypt the list.

For this task, the malware will create a snapshot of all processes in the system and compare them against this blacklist:

sql
mysql
veeam
oracle
ocssd
dbsnmp
synctime
agntsvc
isqlpussvc
xfssvccon
mydesktopqos
ocomm
dbeng50
sqbcoreservice
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thunderbird
visio
wordpad
winword
EduLink2SIMS
bengine
benetns
beserver
pvlsvr
beremote
VxLockdownServer
postgres
fdhost
WSSADMIN
wsstracing
OWSTIMER
dfssvc.exe
swc_service.exe
sophos
SAVAdminService
SavService.exe

 

Please note: The processes list can change between samples.

After making the snapshot it will enumerate all processes with the functions “Process32FirstW” and “Process32NextW” and, for each process found, will call the function “WideCharToMultiByte” to get the size needed to convert the process name returned in Unicode into ASCII. Later it reserves memory for the name and calls the same function again to perform the conversion.

FIGURE 15. GET ALL SYSTEM PROCESSES

If the malware, after comparison with the function “StrStrIA”, detects one of the blacklisted processes it will open the process with the function “OpenProcess” and terminate it with the function “TerminateProcess” with the exit code 0x29A.

FIGURE 16. OPEN THE PROCESS AND TERMINATE IT IF IT IS BLACKLISTED

The malware checks all processes against the blacklist using part of the string rather than the exact name. Omitting the extension makes the list less readable (greater obfuscation) but carries the risk that some unrelated processes could be closed by accident if their names contain the same substring.

After this the malware checks whether the operating system is 64-bit with the function “GetNativeSystemInfo”, comparing the processor architecture against the value 9 (PROCESSOR_ARCHITECTURE_AMD64, meaning the OS is 64-bit).

If the operating system is 64-bit it will get, using “LoadLibraryW” and “GetProcAddress”, the function “Wow64EnableWow64FsRedirection” to disable the file system redirection that 64-bit operating systems apply by default. This call is done dynamically, but the malware does not check that the function was retrieved successfully; usually it will be, but it is not 100% certain and a crash from calling a null pointer could ensue.

FIGURE 17. CHECK THE OPERATING SYSTEM AND DISABLE REDIRECTION IF NEEDED

After this, the malware will prepare a string in Unicode embedded in the code with the string “wmic.exe shadowcopy delete” and will call it with the function “CreateProcessW”. After the call it will wait for up to an infinite amount of time using the function “WaitForSingleObject” so that the “wmic.exe” process can finish, irrespective of the size and number of shadow volumes, available machine resources, etc.

Of course, the malware will also use the typical program of “vssadmin” to delete the shadow volumes with the command “vssadmin delete shadows /all /quiet”, as well as with the function “CreateProcessW”. After that it will wait again with “WaitForSingleObject” for the end of the new process.

When it finishes, the malware will check again if the operating system is 64-bit and, if it is, will use “LoadLibraryW” and “GetProcAddress” to get the function “Wow64EnableWow64FsRedirection” and restore the redirection as it was before. Again, the malware does not check that the function was resolved successfully and calls it directly in a dynamic way.

FIGURE 18. DESTROY THE SHADOW VOLUMES AND RE-ENABLE THE REDIRECTION

While it seems like a mistake to destroy the shadow volumes again, it is not, as RagnarLocker has support for Windows XP and the WMIC classes do not exist in that operating system, hence the need to use the old program “vssadmin” that exists in both new and old operating systems.

The malware continues with the decryption of one PEM block encoded in base64 and the ransom note is prepared for the target in memory.

FIGURE 19. DECRYPTION OF THE PEM BLOCK AND THE RANSOM NOTE

An example of the ransom note, with confidential information removed, can be seen below:

FIGURE 20. EXAMPLE REDACTED RANSOM NOTE

After preparing both things the malware decodes the PEM block from base64 as an object, obtaining an RSA key that will be used to protect the keys used in the crypto process (of course this procedure may change in future samples as the malware evolves). It is important to note here that this RSA key changes per sample.

FIGURE 21. DECODE FROM BASE64 AND DECODE THE OBJECT AND IMPORT IT TO USE LATER

With this key it will encrypt the two random keys previously generated to protect them in memory. After that, it releases the memory used by the crypto operation.

Later, it will get the name of the infected machine again, get the size of the name and will calculate the custom hash with the same algorithm as before.

FIGURE 22. CRYPT THE PREVIOUSLY GENERATED VALUES AND GET THE COMPUTER NAME

With this hash it will prepare a string with this structure:

  • RGNR_
  • hash from the name of the victim machine
  • the extension .txt
  • a backslash character at the start of the string

The string is built with the function “lstrcatW”.

FIGURE 23. CREATION OF THE RANSOM NOTE NAME

With this string it will get the folder of “My Documents” for all users with the function “SHGetSpecialFolderPathW” (this function, based on the operating system, will get different paths for the documents). This string with the path of the folders will join with the string of the ransom note name and later make the final path to create the file.

FIGURE 24. GET THE DOCUMENTS FOLDER TO LATER WRITE THE RANSOM NOTE

After this it will encode in base64 the critical information needed to decrypt the files with the function “CryptBinaryToStringA”. The malware calls the function a first time to get the size needed and reserve memory, and then again to encode the data. After encoding the data, it creates the ransom note file in the documents path, using the name previously joined with the path, with the function “CreateFileW” and writes the contents of the ransom note prepared in memory. Later, it will format a special string with the hardcoded characters “---RAGNAR SECRET---” as the start and end of a block, with the base64-encoded string between them, and write it into the ransom note.

FIGURE 25. CREATION OF THE RANSOM NOTE AND PUT THE RAGNAR SECRET AT THE END OF IT

Later, the malware will create a new string with the strings:

  • .ragnar_
  • hash of the name of the victim machine

This string will be used later as the new extension of the encrypted files. After this the malware will enumerate again the logical drives of the system with the function “GetLogicalDrivesW” and, to check that the drive is valid, will use the function “GetVolumeInformationW” and check the drive type, skipping CD-ROM drives. For each logical drive it will enumerate all files and folders and start the crypto process.

FIGURE 26. GET ALL LOGIC UNITS AND CHECK THEM

Before starting the crypto process, the malware will try to write the ransom note in the root of each unit that is found as a target.

The malware will ignore folders with these names:

Windows
Windows.old
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users

 

The ransom note will be written in all folders that are affected and, as with other ransomware, it will use the functions “FindFirstFileW” and “FindNextFileW” to enumerate all contents in each folder.

FIGURE 27. CHECK OF THE BLACKLISTED FOLDER NAMES

RagnarLocker also avoids crypting certain files:

autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
botmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
RGNR_<hash>.txt

 

 

FIGURE 28. CHECK OF BLACKLISTED FILE NAMES

If a file has one of these names it will be ignored and, if it has another name, the malware will avoid any file that has these extensions:

.db
.sys
.dll
.lnk
.msi
.drv
.exe

 

 

FIGURE 29. CHECK OF BLACKLISTED EXTENSIONS

These checks are in place to prevent the ransomware from destroying the operating system as the victim needs to have access to the machine to pay the ransom.

For each file that passes all controls a thread will be created that will encrypt it. After creating all threads, the malware will wait for up to an infinite amount of time with the function “WaitForMultipleObjects”.

In the crypto process, in the threads, the malware will check if the file has the mark “_RAGNAR_” at the end with the function “SetFilePointerEx” and by reading 9 bytes and checking if they are this string. If it has this mark the file will be ignored in the crypto process and will be renamed again (with an extension name based on the current machine name).

FIGURE 30. CHECK OF THE MARK OF CRYPTO IN THE FILE

In other cases the malware will encrypt the file and, at the end of it, will write the encrypted key in a block of 256 bytes, the encrypted nonce in another block of 256 bytes and, finally, the mark “_RAGNAR_” followed by one NULL byte to end the string (9 bytes in total). The key and nonce used in the Salsa20 algorithm are encrypted with the RSA public key embedded in the malware. This ensures that only the malware developers, who hold the RSA private key matching that public key, can decrypt the key and nonce and, thus, decrypt the files in the system.

Before writing this information, the malware will use the function “LockFile” and, when the write is finished, “UnlockFile” to release the encrypted file. This is done to prevent the file being changed or deleted during the encryption process.

FIGURE 31. WRITE THE NEW CONTENTS AT THE END OF THE FILE

After the crypto, or if the file is already crypted, the malware will change the extension to a new one, such as “.ragnar_45EF5632”.

FIGURE 32. CHANGE OF THE EXTENSION OF THE CRYPTED FILE
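The ransom note block described above (base64 between two ---RAGNAR SECRET--- delimiters) and the per-file trailer (a 256-byte encrypted key, a 256-byte encrypted nonce and the 9-byte _RAGNAR_ mark) are the artefacts an incident responder should preserve, since the RSA-encrypted Salsa20 material is what any later private-key release would unlock. The Python helpers below are an added example, not McAfee's or the malware's code; the 8-hex-digit hash width in the extension and note name, and the exact trailer layout, are assumptions taken from the description above, and the sample inputs are constructed.

```python
"""Triage helpers for files and ransom notes left by RagnarLocker.

Added example (not McAfee's code). Layouts follow the blog's description:
  encrypted file = ciphertext | enc_key (256 B) | enc_nonce (256 B) | "_RAGNAR_\0"
  ransom note    = text ... ---RAGNAR SECRET--- <base64> ---RAGNAR SECRET---
The 8-hex-digit hash width is assumed from the examples in the post.
"""
import base64
import binascii
import ntpath
import os
import re
from dataclasses import dataclass
from typing import List, Optional

MARKER = b"_RAGNAR_\x00"                # 8 characters plus the NUL terminator = 9 bytes
BLOCK = 256                             # size of each RSA-encrypted block (key, then nonce)
TRAILER_LEN = 2 * BLOCK + len(MARKER)   # 521 bytes appended to every encrypted file
SECRET_DELIM = "---RAGNAR SECRET---"
EXT_RE = re.compile(r"\.ragnar_[0-9A-Fa-f]{8}$")            # e.g. report.docx.ragnar_45EF5632
NOTE_RE = re.compile(r"^RGNR_[0-9A-Fa-f]{8}\.txt$", re.I)   # e.g. RGNR_45EF5632.txt


@dataclass
class RagnarTrailer:
    enc_key: bytes     # Salsa20 key, RSA-encrypted with the per-sample public key
    enc_nonce: bytes   # Salsa20 nonce, encrypted the same way
    payload_len: int   # number of ciphertext bytes preceding the trailer


def parse_trailer(data: bytes) -> Optional[RagnarTrailer]:
    """Return the trailer if `data` ends with the RagnarLocker mark, else None.

    Mirrors the malware's own 'already encrypted?' test (seek to the end,
    read 9 bytes, compare) and then slices out the two encrypted blocks.
    """
    if len(data) < TRAILER_LEN or not data.endswith(MARKER):
        return None
    body = len(data) - TRAILER_LEN
    return RagnarTrailer(
        enc_key=data[body:body + BLOCK],
        enc_nonce=data[body + BLOCK:body + 2 * BLOCK],
        payload_len=body,
    )


def is_ragnar_name(path: str) -> bool:
    """True if the file name carries the .ragnar_<hash> extension (Windows or POSIX path)."""
    return EXT_RE.search(ntpath.basename(path)) is not None


def is_ransom_note_name(path: str) -> bool:
    """True if the file name matches RGNR_<hash>.txt."""
    return NOTE_RE.match(ntpath.basename(path)) is not None


def extract_secret(note_text: str) -> Optional[bytes]:
    """Decode the base64 blob between the two ---RAGNAR SECRET--- delimiters.

    CryptBinaryToStringA wraps base64 output with line breaks, so whitespace
    inside the block is stripped before decoding. Returns None when the note
    has no complete block or the blob is not valid base64.
    """
    parts = note_text.split(SECRET_DELIM)
    if len(parts) < 3:
        return None
    blob = "".join(parts[1].split())
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(path: str, data: bytes) -> List[str]:
    """Summarise what a file looks like: note, encrypted file, mismatch or clean."""
    findings: List[str] = []
    if is_ransom_note_name(path):
        findings.append("ransom-note-name")
    trailer = parse_trailer(data)
    if is_ragnar_name(path):
        findings.append("ragnar-extension")
    if trailer is not None:
        findings.append("ragnar-trailer")
    # Extension without trailer (or the reverse) deserves a second look: the
    # post notes that the malware renames files it finds already marked.
    if is_ragnar_name(path) != (trailer is not None):
        findings.append("extension-trailer-mismatch")
    return findings


def build_sample_file(payload_len: int = 1000) -> bytes:
    """Constructed stand-in for an encrypted file: random filler, not real key material."""
    return os.urandom(payload_len) + os.urandom(BLOCK) + os.urandom(BLOCK) + MARKER


if __name__ == "__main__":
    print(triage(r"C:\Users\alice\report.docx.ragnar_45EF5632", build_sample_file()))
    note = "Hello\n" + SECRET_DELIM + "\nAAAA\n" + SECRET_DELIM + "\n"   # constructed note
    print(extract_secret(note))
```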

After all the crypto threads finish, the malware tries to get the session of the Terminal Services or of the user logged into the local machine with the function “WTSGetActiveConsoleSessionId”. With this session it gets the current process of the malware with the function “GetCurrentProcess” and the token of this process with the function “OpenProcessToken”. With the session obtained previously it tries to duplicate the token with the function “DuplicateTokenEx” and sets the session on this token with the function “SetTokenInformation”. After this it will get the system directory with the function “GetSystemDirectoryW” and append the string “\notepad.exe” to this path.

FIGURE 33. GET THE SESSION OF THE LOCAL USER OR TERMINAL SERVICES AND MANAGE THE TOKENS

With this prepared, the malware executes Notepad and, as an argument, the ransom note to show to the user what happened in the machine. The function used in this case is “CreateProcessAsUserW” to impersonate the user that had the session previously. Of course, this function is called with the desktop as “WinSta0\Default”.

FIGURE 34. CREATE A PROCESS OF THE NOTEPAD TO SHOW THE RANSOM NOTE

After this the malware finishes itself with the function “ExitProcess” and a code of exit of 0.
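The chain described in this section (wmic.exe shadowcopy delete, then vssadmin delete shadows /all /quiet, then Notepad opened on the RGNR_<hash>.txt note, all spawned by the same parent) is what a detection can key on instead of a hash the operators can change at will. The following Python is an added example, not McAfee's code, that runs that logic over constructed process-creation events; the field names ProcessId, ParentProcessId and CommandLine are assumptions about the log format.

```python
"""Detect the RagnarLocker post-encryption sequence in process-creation logs.

Added example, not McAfee's code. Events are constructed below and only
imitate the fields of a process-creation log (Sysmon-style names assumed).
"""
import re
from typing import Dict, List

# Behaviours attributed to RagnarLocker in the write-up. Patterns match the
# verb and arguments rather than a full string, so a full image path or
# quoting (e.g. C:\Windows\System32\wbem\WMIC.exe) does not evade them.
PATTERNS = [
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("notepad_opens_ransom_note",
     re.compile(r"\bnotepad(\.exe)?\b.*\bRGNR_[0-9A-Fa-f]{8}\.txt\b", re.I)),
]
Event = Dict[str, str]


def classify(event: Event) -> List[str]:
    """Names of the behaviours a single process-creation event exhibits."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in PATTERNS if pat.search(cmd)]


def hunt(events: List[Event]) -> Dict[str, List[str]]:
    """Group behaviour hits by the parent process that spawned them.

    The malware launches each helper with CreateProcessW and waits for it,
    so all three children share one parent. Grouping by parent separates
    that chain from an administrator running a single vssadmin command.
    """
    by_parent: Dict[str, List[str]] = {}
    for ev in events:
        for name in classify(ev):
            by_parent.setdefault(ev.get("ParentProcessId", "?"), []).append(name)
    return by_parent


def suspicious_parents(events: List[Event], min_hits: int = 2) -> List[str]:
    """Parents that show at least `min_hits` distinct behaviours from the chain."""
    return [pid for pid, names in hunt(events).items() if len(set(names)) >= min_hits]


# Constructed sample telemetry: one benign admin command and one chain of
# three children spawned by the same (hypothetical) parent PID 4242.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "100", "ParentProcessId": "5",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": "101", "ParentProcessId": "4242",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"ProcessId": "102", "ParentProcessId": "4242",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": "103", "ParentProcessId": "4242",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" '
                    r"C:\Users\Public\Documents\RGNR_45EF5632.txt"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessId"], classify(ev))
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

On real telemetry the same grouping can be keyed on the parent's image hash or command line as well, so that a single vssadmin run by an administrator does not page anyone.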

VACCINE

RagnarLocker can be vaccinated by a program that creates the event explained in the technical part of this blog. If this event exists, the malware does nothing on the system, but this type of vaccine is not likely to offer a long-term solution for several reasons:

  • The way that the event is done, the malware developers can change the algorithm, or the order of the name of the event, or make a mutex instead of an event and the vaccine will stop working.
  • The algorithm has a hardcoded value. If this value is changed the final hash will be different and the vaccine becomes useless.
  • The malware is developed in such a way that if it has at least two arguments the event is not created so, if the operators want to run it regardless of a vaccine, they need only execute it with an argument, for example “<malware.exe> 1”.
  • The malware may evolve over time so the vaccine can be very fragile and limited.

For these reasons we think that a vaccine using this system is not helpful in the longer-term.

CONCLUSION

RagnarLocker is a simple ransomware, much like others that exist in the criminal market. Due to its small size, its operator’s aggressive behavior and the knowledge they seem to have that allows them to enter the networks of enterprises, as well as the threat to leak information if the ransom is not paid, RagnarLocker could potentially become a big threat in the future. Time will tell if RagnarLocker becomes a serious threat or disappears against a backdrop of other ransomware with more resources. The code is medium in quality.

COVERAGE

McAfee can protect against this threat in all its products, including personal antivirus, endpoint and gateway.

The names that it can have are:

  • Ransom-ragnar

Also, learn how Enhanced Remediation, a new capability in ENS 10.7, can automatically rollback changes made by processes that exhibit malicious behavior.

MITRE ATT&CK COVERAGE

  • Command and Control : Standard Application Layer Protocol
  • Defense Evasion : Disabling Security Tools
  • Discovery : Security Software Discovery
  • Discovery : Software Discovery
  • Discovery : System Information Discovery
  • Discovery : System Service Discovery
  • Discovery : System Time Discovery
  • Discovery : Query registry
  • Execution : Command-Line Interface
  • Execution : Execution through API
  • Exfiltration : Data Encrypted
  • Impact : Data Encrypted for Impact
  • Impact : Service Stop

YARA RULES

import "pe"

rule RagnarLocker
{
    /*
      This YARA rule detects the ransomware RagnarLocker in memory or unpacked in disk for the sample with hash SHA1 97f45184770693a91054075f8a45290d4d1fc06f and perhaps other samples
    */
    meta:
        author      = "McAfee ATR Team"
        description = "Rule to detect unpacked sample of RagnarLocker"
        version     = "1.0"
    strings:
        $a = { 42 81 F1 3C FF 01 AB 03 F1 8B C6 C1 C0 0D 2B F0 3B D7 }
    condition:
        $a
}

rule ragnarlocker_ransomware
{
   meta:
      description = "Rule to detect RagnarLocker samples"
      author = "Christiaan Beek | Marc Rivero | McAfee ATR Team"
      reference = "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/"
      date = "2020-04-15"
      hash1 = "63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059"
      hash2 = "9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376"
      hash3 = "ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597"
      hash4 = "9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c"
   strings:
      // ---RAGNAR SECRET---
      $s1 = {2D 2D 2D 52 41 47 4E 41 52 20 53 45 43 52 45 54 2D 2D 2D}
      $s2 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 }
      $s3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 85 ?? 0F 84 }
      $s4 = { FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
      $s5 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }

      $op1 = { 0f 11 85 70 ff ff ff 8b b5 74 ff ff ff 0f 10 41 }

      $p0 = { 72 eb fe ff 55 8b ec 81 ec 00 01 00 00 53 56 57 }
      $p1 = { 60 be 00 00 41 00 8d be 00 10 ff ff 57 eb 0b 90 }

      $bp0 = { e8 b7 d2 ff ff ff ff b6 84 }
      $bp1 = { c7 85 7c ff ff ff 24 d2 00 00 8b 8d 7c ff ff ff }
      $bp2 = { 8d 85 7c ff ff ff 89 85 64 ff ff ff 8d 4d 84 89 }
   condition:
      // the MZ header and size checks apply to all three alternatives
      uint16(0) == 0x5a4d and
      filesize < 100KB and
      (
         (4 of ($s*) and $op1) or
         (all of ($p*) and pe.imphash() == "9f611945f0fe0109fe728f39aad47024") or
         (all of ($bp*) and pe.imphash() == "489a2424d7a14a26bfcfb006de3cd226")
      )
}

 

IOCs


USING MVISION EDR TO DETECT RAGNARLOCKER

With thanks to Mo Cashman and Filippo Sitzia

We downloaded a RagnarLocker sample from Virus Total to test detection capability by MVISION Endpoint Detection and Response (EDR). We tested first with the original sample which was known to most detection engines by this time. We then changed file hashes to test detection with an unknown sample. In both cases, MVISION EDR identified the suspicious behaviors and raised alerts. The original sample was detected as a HIGH Risk because the file had a known malicious reputation in McAfee Global Threat Intelligence which is integrated with MVISION EDR. The unknown samples were detected as Medium Risk and most likely would have triggered further inspection by a security analyst.

Sample VT submission

2020-05-30 13:30:55, File size: 48.50 KB, File type Win32 EXE, File name: omniga.exe, VT detections: 51/73

Test Environment

OS Win10, ENS 10.7 Threat Protection off, Adaptive Threat Protection off, MVISION EDR

Execution with original HASH – 3bc8ce79ee7043c9ad70698e3fc2013806244dc5112c8c8d465e96757b57b1e1

To further test MVISION EDR effectiveness, we modified the hash file slightly:

Execution with HASH changed – 63F5B6ED99C559341CF1AD081BAF55B4EACAD8E46D056764531BD316BF3C3EE3

Alerting Results for both samples

The post RagnarLocker Ransomware Threatens to Release Confidential Information appeared first on McAfee Blogs.

Your CEO Just Asked If We Are Protected from This Threat? Now What?

For years, CISOs have grappled with a fundamental challenge – understanding how protected they truly are against the latest threats and campaigns facing them. Never really knowing what threats and campaigns matter most to their specific organization, security teams have typically had to wait until vulnerabilities were weaponized, and threats were materialized before taking action. And even then, it has often been a scramble with no prescriptive guideline for ensuring protection. This has made the simple question – “are we protected?” – a nightmare for CISOs to deal with.

But what if the tables were turned and the SOC team could preempt a new threat before it attacks your organization?

Here is where MVISION Insights, the latest innovation in the McAfee Endpoint security platform, breaks the old paradigm and allows security defenders to get ahead of threats by solving three critical use cases for the SOC:

  • Proactive Prioritization of Threats: MVISION Insights proactively advises of attacks that matter based on a particular industry vertical or specific geography by leveraging real-time, high-quality intelligence from over 1 billion sensors, prioritized by AI and curated by McAfee ATR threat researchers. This advanced intelligence helps organizations quickly understand the nature of the approaching threats and enables them to prioritize and commit resources to proactively prevent these threats. For example, if MVISION Insights detects an uptick in attacks against US-based healthcare providers, then the CISO at your hospital is going to find that information very useful. Being informed is halfway to being prepared.

  • Predictive Assessment of Security Posture: MVISION Insights offers a security score based on the prevalence and severity of the campaign and the organization’s own preparedness for blocking those threats, based on the security configuration of its McAfee endpoint security products. You know exactly how you would perform under an attack scenario and how this posture would compare to others.

  • Preemptive Prescription of Security Actions: If your security posture isn’t optimized for protecting against the attack, MVISION Insights offers specific actions to ramp up defenses against the threat or campaign before it hits. This becomes the prescriptive guide and takes the guessing out of the picture for the SOC at a time when they are under duress.

Fig 1: MVISION Insights prioritizes threats, predicts if your countermeasures will work and prescribes security actions to stay ahead of the attack

It typically takes weeks – with up to dozens of people – to complete a proactive investigation on one campaign. That’s untenable in today’s fast-moving threat landscape. Security challenges were already multiplying even before COVID-19. But with companies adopting work-from-home policies in response to the pandemic, cyber criminals seeking to exploit the health emergency have stepped up their efforts to find new ways to compromise defenses.

That doesn’t mean organizations are destined to suffer breaches. With MVISION Insights, SOCs will be able to glean proactive insights on many campaigns in minutes without requiring any other personnel to perform the investigation. This will allow security managers to redirect valuable security personnel to more strategic assignments. Not only does this fortify their organizations’ security and resilience posture, but it also saves time otherwise wasted on hunting down and investigating myriad threats.

And when there’s a new headline about an active APT group, CISOs won’t need to waste time on rounds of consultations with IT admins and security analysts hunting down definitive answers for senior management. With the advent of MVISION Insights, threat automation is about to take a leap forward that returns the advantage to the defenders. MVISION Insights is here!

 

The post Your CEO Just Asked If We Are Protected from This Threat? Now What? appeared first on McAfee Blogs.

Simplify Secure Cloud Adoption with Your Next-Gen Secure Web Gateway

Today, with increased cloud adoption, more than eighty percent of corporate network traffic is destined for the internet. Backhauling that traffic through a traditional Web Gateway’s hub-and-spoke architecture is costly: the network slows to a halt as traffic spikes, and VPNs for remote workers proved slow and ineffective at scale in a situation like COVID.

Figure 1. Legacy Secure Web Gateway architecture in a cloud world.

Performance aside, as you adopt new cloud services and move more data to the cloud, you’re probably thinking: how do I protect business critical data, and how can I prevent threats coming in from the internet and cloud applications?

Many organizations are either adopting cloud services faster than they can secure them, or applying on-premises Web Gateway tools and architectures that were not designed to meet the challenges of cloud traffic. This can lead to attacks, malware, data leaks, and an unproductive workforce.

IT departments need a secure yet flexible direct-to-cloud Web Gateway solution that ensures availability, maintains employee productivity and defends against threats.

Here are some of the capabilities of a Next-gen Cloud Secure Web Gateway to consider:

Real-time Zero-day Malware Prevention: Today’s threats are frequently customized and targeted. Zero-day protection is essential, and traditional gateways handle this by offloading to an out of band sandbox. The key to a next generation gateway is to provide that protection in real time – not forensically after the fact.

Unification with CASB: Gartner recommends reducing complexity on the network security side by moving, ideally, to a single vendor for secure web gateway (SWG) and cloud access security broker (CASB). The Next-gen Cloud Secure Web Gateway should be a cloud-managed solution unified with CASB, with shared risk databases, closed-loop remediation and a unified workflow.

Scalability and Availability: A cloud-native architecture that can offer the cloud scale required as your remote workforce mushrooms, as opposed to a SWG that is simply hosted in the cloud. True cloud-grade service availability means five nines (99.999%) uptime, consistently, which allows just over five minutes of downtime a year; a four-nines (99.99%) service allows more than 50 minutes. Ask yourself, can you afford 50+ minutes of downtime?

Figure 2. Downtime Calculation Example.

McAfee’s Next-gen Cloud Secure Web Gateway (offered via MVISION Unified Cloud Edge) is unified with MVISION Cloud (CASB) to offer cloud-delivered web security to protect web traffic, provide visibility into data flowing to cloud applications, and safely enable both on-prem and remote workers. Furthermore, it is a direct to cloud solution that helps drive down cost and increase scalability and performance.

To find out more, listen to our latest podcast.

 

The post Simplify Secure Cloud Adoption with Your Next-Gen Secure Web Gateway appeared first on McAfee Blogs.

Open Source Libraries: Uncovering the Risks That Lurk Beneath the Surface

The use of open source libraries to assemble applications is accelerating. Not only are more people using open source libraries, but more individual developers, and even companies, are also on a mission to contribute to more open source projects. For Veracode, we’re seeing more than 70 percent of our customer base leveraging one or more open source libraries in their applications.

And that could just be the tip of the open source iceberg in your application. Beyond the third-party code explicitly introduced by a developer lies code, and vulnerabilities, introduced indirectly. Transitive dependencies happen when an open source library employed by your organization is dependent on code from other libraries. In other words, the open source library that is visible to your organization is pulling from a library that is “invisible” to your organization.

In our recent report, State of Software Security: Open Source Edition, we analyzed the security of open source libraries found in over 85,000 applications. We found that 70.5 percent of the applications had an open source flaw, and of those applications, 46.6 percent of the flaws were transitive, and 41.9 percent were direct (11.5 percent were both). Bottom line: most flaws are reaching your code indirectly.

For our report, we also uncovered the dependency breakdown by language. As you will notice in the figure below, JavaScript, Ruby, PHP, and Java have the most transitive inclusions.

Figure: transitive dependency breakdown by language.

Making the data work for you

The bottom line is that using open source libraries isn’t a security threat to the business. The threat lies in a lack of awareness. The real problem is not knowing that what you’re using contains vulnerabilities and that they’re exploitable in your application.

Veracode helps you quickly and effectively address open source risk by accurately highlighting where you have open source vulnerabilities, and whether they are in your application’s execution path. In this way, you focus only on the vulnerabilities truly increasing your risk.

This image is a visualization within our solution of a dependency graph. The empty circle in the middle is your application, and all of the sections around it are different direct and indirect libraries. In this specific example, all of the colored sections are libraries containing vulnerabilities that affect the application either directly or indirectly. Our scanner identifies all of these, the versions being used, and any vulnerabilities that they contain.

Figure: dependency graph visualization, with the application at the centre and direct and indirect libraries around it.

And for supported languages, it identifies the call stacks and traces the vulnerabilities through your application to identify those that actually impact your application and leave it open to exploits.
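The direct/transitive/both split described above is a reachability question over the dependency graph. The following is an added illustration of that walk, not Veracode’s scanner or its data: the graph and the advisory feed are constructed (hypothetical package names and advisory ids), shaped like a resolved lock file in which each package maps to the packages it requires, and “app” stands for the application under scan.

```python
"""Classify the vulnerable libraries an application pulls in as direct,
transitive, or both, by walking a resolved dependency graph.

Added example, not Veracode tooling. Graph and advisory list are constructed
(hypothetical names); "app" is the application under scan.
"""

# Constructed dependency graph: package -> packages it requires.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-helper", "logging-lib", "string-utils"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["string-utils"],
    "http-parser": ["string-utils"],
    "logging-lib": ["string-utils"],
    "json-helper": [],
    "string-utils": [],
}

# Constructed advisory feed: package -> advisory id (hypothetical).
# "xml-lib" is listed to show that advisories for packages the app never
# pulls in are left out of the report.
VULNERABLE = {
    "string-utils": "ADV-0001",
    "json-helper": "ADV-0002",
    "http-parser": "ADV-0003",
    "xml-lib": "ADV-0004",
}


def find_paths(graph, root, target):
    """Return every dependency path from root to target, root first.

    Depth-first walk; a package already on the current path is not revisited,
    so cyclic dependency graphs still terminate."""
    paths = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        for child in graph.get(node, []):
            if child in path:
                continue
            new_path = path + [child]
            if child == target:
                paths.append(new_path)
            else:
                stack.append((child, new_path))
    return paths


def classify(graph, root, vulnerable):
    """Map each vulnerable package reachable from root to how it gets in.

    A path of length 2 (root -> package) is a direct inclusion; anything
    longer is transitive. A package reached both ways is "both"."""
    report = {}
    for package, advisory in vulnerable.items():
        paths = find_paths(graph, root, package)
        if not paths:
            continue  # advisory does not apply: not in this application's tree
        direct = any(len(p) == 2 for p in paths)
        transitive = any(len(p) > 2 for p in paths)
        kind = "both" if direct and transitive else "direct" if direct else "transitive"
        report[package] = {
            "advisory": advisory,
            "kind": kind,
            # The shortest route is the one a developer sees first when fixing.
            "shortest_path": min(paths, key=len),
            "path_count": len(paths),
        }
    return report


def summarize(report):
    """Count reachable vulnerable packages by inclusion kind."""
    counts = {"direct": 0, "transitive": 0, "both": 0}
    for entry in report.values():
        counts[entry["kind"]] += 1
    return counts


if __name__ == "__main__":
    result = classify(DEPENDENCY_GRAPH, "app", VULNERABLE)
    for package, entry in sorted(result.items()):
        print(f"{package}: {entry['advisory']} ({entry['kind']}), "
              f"via {' -> '.join(entry['shortest_path'])}")
    print(summarize(result))
```

Note what this does and does not tell you: the walk proves that a library with a known flaw is present in the tree and shows the shortest route by which it arrived, which is enough to prioritise an upgrade. It does not say whether the vulnerable function is ever called from your code; that is the call-stack tracing the paragraph above describes, and it needs the application’s source, not just its lock file.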

To get all our data and analysis on the security of open source libraries, download our full State of Software Security: Open Source Edition report.


OneDrive Phishing Awareness

There are a number of ways scammers target personal information. Currently, one example is that they are taking advantage of the fear around the virus pandemic, sending phishing and scam emails to Microsoft OneDrive users in an attempt to profit from Coronavirus/COVID-19. They pretend to be emailing from government, consulting, or charitable organizations in order to steal victims’ OneDrive details, namely sensitive account information such as usernames and passwords. We would like to educate McAfee users and the public about the potential risks of these scams.

Nefarious Groups Attempt to Harvest Users’ Credentials

Below we will take you through three examples of this kind of attack, purporting to come from a government organization, a consulting firm and a charitable organization, with the lure hosted in OneDrive to make it appear more genuine to users. As the screenshots below illustrate, the goal is to steal the user’s OneDrive credentials.

Fake Government Email Baits Victims

Scammers pretend to be from government offices and deliver documents that purport to contain the latest live questionnaire regarding COVID-19. Remember: governments do not generally email the masses with unrequested documents, so a user can verify by examining the sender’s email address and the origin recorded in the email headers, and can visit the legitimate government site to see whether the COVID-19 information is published there instead.

When the folder in the above image is clicked on, it redirects to the screenshot shown below.

A warning saying “Hmm… looks like this file doesn’t have a preview we can show you” baits the visitor into clicking on the Open button. When clicked, it takes them to the below OneDrive screenshot prompting them to enter their personal information.

Notice that the link points users to a vulnerable WordPress site that hosts a credential-phishing landing page. A legitimate OneDrive login page will never be hosted on a non-Microsoft domain: the sign-in flow stays on Microsoft-owned hosts such as login.microsoftonline.com, login.live.com and onedrive.live.com, so any other domain in the address bar should be a red flag to the user that this is a scam or phishing attack.

 

As intended by the scammers, the user cannot access the OneDrive document to view the updated government questionnaire and, instead, will receive an error message to try again later.

By this stage, the scammers would have already stolen the user’s OneDrive personal information.

Fake Consulting Firm Attempts to Trick Users with Secured Document

Scammers pretend to be a consulting firm sharing a secured document with the customer regarding the COVID-19 pandemic. An unsolicited document from a consulting firm you have never dealt with should be regarded as suspicious.

 

 

If a recipient clicks on the Download PDF link, it will take them to the page shown above where they are prompted to login. If they do so, it brings them to the below Microsoft login page where they enter their email address and password.

After attempting to sign in, the victim is presented with an error message, as seen in the screenshot below: “Sorry, but we’re having trouble signing you in”. By this point, however, the scammers have already stolen the user’s OneDrive information.

Fake Charitable Organization Tries to Trick Volunteers

Some emails appear to be from charitable organizations looking for volunteers to help the community.

 

If someone clicks on the open PDF link, it will take them to the below OneDrive login page.

Scammers are trying to harvest company and individual OneDrive credentials by pretending to appear as a non-profit organization looking for volunteers.

 

The user is then presented with a login screen requesting their credentials.

However, they should notice that the URL hosting the OneDrive login page is not a Microsoft domain, and should regard it as suspicious.
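All three lures fail the same check: the page asking for the password is not on a Microsoft domain. The script below is an added example (not McAfee code) of applying that check to the links in a message. The email body and every domain in it are constructed to mirror the three scenarios above, including the tricks a careful reader still has to watch for: a Microsoft hostname pasted in front of an “@”, a Microsoft name embedded in a longer lookalike host, and an internationalized (xn--) label. The allow-list of Microsoft sign-in and OneDrive domains is this example’s own assumption.

```python
"""Check whether a "sign in to OneDrive" link actually leads to Microsoft.

Added example, not McAfee code. SAMPLE_EMAIL and every domain in it are
constructed; MICROSOFT_DOMAINS is this example's assumption about where
Microsoft hosts account sign-in and OneDrive content.
"""
import re
from urllib.parse import urlsplit

# Registrable domains used for Microsoft sign-in and OneDrive. A host must be
# exactly one of these or a subdomain of one to be trusted.
MICROSOFT_DOMAINS = (
    "microsoftonline.com",   # login.microsoftonline.com (work/school accounts)
    "live.com",              # login.live.com, onedrive.live.com (personal)
    "sharepoint.com",        # <tenant>-my.sharepoint.com (OneDrive for Business)
    "microsoft.com",
    "office.com",
)

# Constructed email body in the shape of the lures above.
SAMPLE_EMAIL = """
<a href="https://login.microsoftonline.com/common/oauth2/authorize">Open questionnaire</a>
<a href="http://example-blog.test/wp-content/uploads/onedrive/index.php">Open</a>
<a href="https://onedrive.live.com.example-charity.test/login">Download PDF</a>
<a href="https://login.live.com@example-consulting.test/auth">Sign in</a>
<a href="https://login.xn--microsftonline-tjb.com/secure">Review document</a>
"""

HREF_RE = re.compile(r'href="([^"]+)"')


def extract_links(html):
    """Pull every href value out of an HTML email body."""
    return HREF_RE.findall(html)


def check_signin_link(url, allowed=MICROSOFT_DOMAINS):
    """Return a verdict plus the reasons a sign-in link looks wrong.

    urlsplit().hostname lowercases the host and discards any user:pass@
    prefix and port, which is what defeats the "login.live.com@evil" trick."""
    parts = urlsplit(url)
    host = parts.hostname
    reasons = []
    if host is None:
        return {"verdict": "block", "host": None, "reasons": ["no host in URL"]}
    if parts.scheme != "https":
        reasons.append("not served over https")
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname (possible lookalike)")
    trusted = any(host == d or host.endswith("." + d) for d in allowed)
    if not trusted:
        reasons.append(f"host {host!r} is not a Microsoft domain")
        if any(d in host for d in allowed):
            reasons.append("Microsoft domain name embedded in a lookalike host")
    return {"verdict": "allow" if trusted and not reasons else "block",
            "host": host, "reasons": reasons}


def triage_email(html):
    """Check every link in an email body; returns {url: result}."""
    return {url: check_signin_link(url) for url in extract_links(html)}


if __name__ == "__main__":
    for url, result in triage_email(SAMPLE_EMAIL).items():
        print(result["verdict"].upper(), url)
        for reason in result["reasons"]:
            print("   -", reason)
```

Only the first link passes. The suffix match is deliberate: “onedrive.live.com.example-charity.test” ends with “.test”, not “.live.com”, so no amount of Microsoft branding earlier in the host helps the attacker. A mail gateway would run this over the rewritten, final destination of each link rather than the displayed text, since the lures above hide the WordPress host behind an “Open” or “Download PDF” button.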

Advice to Consumers

Consumers should be aware of scammers trying to harvest OneDrive details and should follow these best practices:

  • Be careful of any charity or business requesting your OneDrive user information. Stick with organizations known to be reputable.
  • Never share financial or personal information over the phone, via email or with untrusted sites.
  • Remember that legitimate organizations will almost never send an email asking for personal information.
  • Never click on suspicious links or download attachments from unknown sources.
  • Never log in to a web page reached through a link from an email.
  • Remember email addresses can be spoofed so if a message looks suspicious, contact the sender via a known telephone number taken from their official website.

Advice to Organizations

  • Organizations should enable multi-factor authentication so that stolen credentials alone cannot be used to access OneDrive or Office 365 accounts.
  • Ensure all employees are aware of the threat posed by OneDrive and Office 365 phishing scams and consider security awareness training where appropriate.

 

If you find suspected scam sites, please submit them to McAfee for review at https://trustedsource.org as well as reporting them to your local law enforcement.

The post OneDrive Phishing Awareness appeared first on McAfee Blogs.

Entertainment #FromHome: How to start your own podcast


Start your own podcast? Why not? Instead of streaming someone else’s show, maybe it’s time to create one of your own. And a fine time to start a podcast it is. Podcasting once took a bit of effort to get into. The recording software, the hosting, and the equipment could end up costing a reasonable amount of money and took a certain degree of technical savvy to use. Yet like so many things on today’s internet, those barriers have dropped, particularly for folks who simply want to dive in and give it a try. With a pair of headsets, a built-in microphone, and some free software, you can start podcasting now with your computer or even your phone. So, if you’re ready to give it a shot, let’s take a look at some of the resources available to you.

Coming up with an idea for your podcast

More so than choosing this software or that, the process really starts with a basic concept for your podcast. You’ll have a topic that you want to cover, a format such as a one-person show or a talk format where you have multiple hosts or guests, and a target length for your show. 

For example, let’s assume that you’re trying out podcasting as part of a little family project. Maybe you and your daughter want to talk about going on adventures like hiking, canoeing on lakes, and fishing. A great concept for you could be a 20-minute show about adventures kids and parents can take together. You can talk about how you decide on your adventures, plan for them, and tell some stories about your triumphs and pitfalls along the way. What does it feel like to catch your first bass, or how does it feel to set up your tent in a sudden downpour? People love hearing stories that’ll inspire them or make them laugh or, better yet, both. 

Another idea is to approach it as a learning opportunity for your kids. Recently, I posted an article on project-based learning for kids at home. One of the suggestions was for kids to make a short podcast of their own to show what they’ve learned after researching a topic that they’re interested in. What you learn here in this article could point the way for them to create their own show, whether with your help or independently. 

Those are just a few examples. And really, coming up with an idea for a podcast is a topic in and of itself. For more on that, check out this article on creating a podcast from National Public Radio. While written for students, it’s packed with plenty of solid advice for anyone who wants to get started in podcasting, plus several pro tips for making your show sound great.

What about podcasting equipment?

Chances are you already have the basics. If you have a set of headphones with a built-in microphone and a computer or phone you can attach them to, that’s a great start. Of course, people who invest more time and money into their podcasting pursuit will have things like a podcasting microphone mounted on a miniature boom arm, a “pop filter” that prevents you from popping your “P’s” in the microphone, and maybe even a small mixing board. But, for just getting started or just having some fun as a family, you really don’t need those things. 

Free podcasting software and hosting

What you will need is some software that lets you record your show and even do some basic editing too. Here are a few free options that’ll cover your recording and editing while giving you a place to post your shows too:

Anchor FM

Anchor gives you standard recording features, plus extra bells and whistles like importing voice messages from your phone, group chat, and transitions. As Anchor is part of streaming music provider Spotify, you can also import music into your podcast from there. And when you’re done recording, Anchor offers free hosting for creators. If you’re creating a multiple-host podcast, your co-host or guests can use the Anchor app on their phone and join in.

Spreaker

It may look like a typo, yet Spreaker is the name for this offering. Much akin to Anchor, it offers a combination of recording software and hosting capabilities so that you can add things like music and sound effects to your podcast. The app also supports Google Hangouts and Skype so that you can bring on a co-host or guest.

Podbean

A third popular option is Podbean. It also allows you to record and publish your podcast for free as part of a basic plan that offers 500 MB of storage space and 100 GB of bandwidth per month (meaning a 500 MB show could be downloaded 200 times at no cost, where 500 MB is roughly 5 hours of audio at typical podcast bit rates).

Free options for editing your podcast

If you already have a way of recording your podcast, such as with a simple audio recorder on your phone, computer, or laptop, you can drop those audio files into free audio editing software to edit your show together. 

These are more formally known as Digital Audio Workstations (DAWs). Depending on which one you select, these apps offer functionality similar to what the pros use to record and edit their audio. You’ll see things like multiple tracks where you can place people, music, and sound effects on their own timeline that you can mix together, different options for exporting your show to different file types, settings to sweeten sound quality, and much more. As you might imagine, audio editing and mixing is a pursuit unto itself, and you can really dive deep here if the podcasting bug bites you. Here’s a rundown of what’s out there:

GarageBand

Apple users will probably know this app. GarageBand is available only on macOS and iOS devices (iPad and iPhone). It has all the hallmarks of an Apple application: it looks good and simplifies an otherwise complicated process. Above, we mentioned multi-track recording. If you’re new to that, it can feel a little overwhelming at first, yet GarageBand color-codes its tracks and leans heavily on drag-and-drop editing. That lends itself to ease of use, exploration, and even a fair share of trial and error as you get comfortable with it. Plus, as its name would imply, GarageBand features a library of musical instruments, so when you get tired of podcasting, you can play around with it and drop some beats.

Audacity

Slightly further along the audio editing learning curve is Audacity, which is a free download for multiple platforms. Visually, it’s a contrast to GarageBand yet its functionality goes much deeper. One appealing aspect of Audacity is that it’s celebrating a 20-year run as open source software—meaning that it’s a community-supported effort. So if you’re dedicated to learning audio editing, there are numerous resources out there that can help you learn the Audacity interface and feel confident that you’re learning an audio app that’ll be around for some time.

Reaper Digital Audio Workstation

Of our three options, Reaper is the most fully featured editor, and while it is a paid product, you can download it for a free 60-day trial. If you’re completely new to audio editing, you may want to start with one of the other options just to get familiar with the basics. Otherwise, if you’ve used some simpler platforms before and feel ready to move up, Reaper is a fine choice. 

Your podcast and your privacy

Here’s the thing with dipping your toe into the world of podcasting: you don’t have to post your podcast for others to hear. As we talked about at the start of this article, this could just be an entertaining project or exploration for you and your family. You can hang on to your podcast and just share it with family at home, or you could send it to some friends and family for them to listen to it too. Regardless of what you decide to do with your podcast once you’ve recorded it, you’ll want to think about your privacy.

Online privacy isn’t a topic that’s discussed much in many “how-to start your own podcast” articles. Yet it’s a vital topic. (In fact, we discuss privacy all the time on our own Hackable? podcast.) Keep privacy in mind when you podcast. Just like anything else you post online, a picture, a status update, a blog, or what have you, you’re exposing yourself to the entire online world. When it comes to anything digital, what you say and what you share is forever. It can be copied, shared, disseminated, and even reconstructed in umpteen different ways. 

So the general rule with podcasting is much the same as everything else you do online: think before you post. 

Before you post, consider …

Just as you go back and look at what you’ve typed in that email or that status update, go back and review your show before you post or share it with others. Listen for things like:

  1. Have you overtly or inadvertently shared some information about yourself and your family, like birthdays, when you typically go on vacation, or other details that uniquely identify you in some way? Hackers and crooks could find this useful when it comes to online identity theft or physical theft on your property.
  2. Are you keeping your family business and friendships private? “Sharenting” details about your children, good or bad, or talking about your relationships with others could lead to embarrassment or hurt feelings amongst family and friends.
  3. Can anything you’ve said be construed as hurtful, casting someone in a bad light, or simply mocking? Remove it from your podcast or simply don’t post it. You could be held legally responsible. Laws will vary across countries and locales, so make a point of understanding what they are with regards to defamation, libel, and slander in your area.

Again, stop and think before you post. Could this compromise you, your family, your friends, or someone else now or in the future? If so, and even if you’re uncertain of the answer, don’t post. 

Start your podcast!

These are just a few of the numerous, and often free, options that allow practically anyone to get started in podcasting, and there are plenty more. Just be sure as you’re surfing around for software, tutorials, and resources, use comprehensive security software to protect you from threats—particularly a browser advisor app that will steer you clear of malware, bad downloads, and suspicious links. Also, caveat emptor, buyer beware. When researching apps, always look at the reviews so that you can spot any issues before you download or use an app.

With that, I hope this inspires an interesting side project, or even a new pastime for you and your family. Get out there and have some fun!

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

 

 

The post Entertainment #FromHome: How to start your own podcast appeared first on McAfee Blogs.

Entertainment #FromHome: Photo Backups, Digital Picture Frames, and More!


One thing many of us have is a bunch of photos on our phone. And something tells me that’s an understatement.

Estimates show that worldwide we took somewhere around 1.2 trillion photos in 2018. Chances are, you have your share of them sitting on your phone, which is great! All those memories, those people, those times, and those travels. But what to do with them? They may just be sitting there, taking up storage space on your phone, instead of becoming something special like an album, greeting cards, a wall hanging, or a rotation in a digital picture frame for your kitchen or living room. Let’s take a look at how you can organize your photos, back them up, and create something with them too.

Back up your photos in the cloud

Backing up your photos in the cloud is an important first step for so many reasons. The first is that it ensures that you won’t lose any of your precious snapshots in the event of a device failure or in the really unfortunate event of your phone getting stolen or lost. Additionally, when it comes time to buy a new phone, storing your photos in the cloud means that your new phone can automatically access those photos once you log into your cloud account. Lastly, backing up your photos in the cloud puts them all in one place, where you can access them from other devices, like your computer or your laptop. Once there, you can use free apps like Photos for macOS or Photos for Windows to organize your pictures, create slideshows, videos, and more.

What cloud service should I use for backing up my photos?

That’s an excellent question. There are many available, and the answer most typically depends on which brand of device you own. iPhone owners have iCloud, Apple’s cloud service, available to them as part of their device. Android owners can back up their device (including photos) using Google Drive, and some brands have partnered with cloud providers like Dropbox. Using the service specific to your device is typically a quick route for backing up your photos—for example:

  • For Android owners, check out this excellent article from Androidcentral, which they keep updated to reflect the latest features and apps they recommend. They take you through the process step-by-step and give you a number of cloud storage options such as Google Photos, Google Drive and Google One, plus Dropbox.
  • For iPhone (and iPad) owners, give this article a click to see how you can transfer your photos using Apple’s iCloud. Likewise, Apple breaks it down into steps and shows how you can transfer photos to your PC or Mac and then make your photos available on all your devices with iCloud Photos.

The other consideration here is to make sure that the devices you use can all access the cloud service you select for your photos. The good news is that many services work across different platforms and brands, as you’ll see in our quick overview below. Thus, you can use iCloud on a PC, just as you can use Google Drive on a PC or Mac. If you’re relatively new to cloud services like these, know that many of them back up much more than just photos. They back up and store documents and other files too. Here are a few options:

iCloud: Provided by Apple, this offers 5GB of free storage, plus you can buy more storage as you need it, such as 50GB for $0.99 a month. iCloud has an app for Macs and PCs as well so that you can access the photos and files you store in it from those devices too.

Google Drive: This cloud storage service comes with every Google account. It offers 15 GB of space, which includes all of the data you store in it, such as the email in your Gmail account, documents you create in Google Docs, and so forth. It’s available for Android and iOS devices, as well as Macs and PCs.

OneDrive: This is Microsoft’s cloud offering for documents, files, and photos, which has options for both iOS and Android users and works on both PCs and Macs alike. It starts with 5 GB of free cloud storage, rising to 1 TB if you have or sign up for a Microsoft 365 subscription.

Dropbox: Their free offering includes 2 GB of storage for accessing and sharing photos, documents, and other files from any device. You’ll find options for using it on Android, iOS, Mac, and PC devices.

If you’re looking for a cloud service that’s specific to photos, you have options there as well.

Google Photos: This is a cloud storage service that’s specifically designed for photos and videos. What’s nice is that it offers free unlimited storage for photos that are up to 16 megapixels in size and HD videos. Works on Android and iOS devices, plus Macs and PCs.

Amazon Photos: Among the many perks of an Amazon Prime membership, you get Amazon Photos, which provides unlimited photo storage across desktop computers plus Android and iOS devices. In addition to storing and sharing photos, you can also print photos into several formats, including prints on metal and acrylic, wall décor, and photo books.

Whichever cloud service you choose, you’ll want strong passwords and password protection as part of your overall digital security for any cloud account you keep, and you should turn on two-factor authentication wherever the provider offers it, so that a stolen password alone does not unlock your photos. Go with a reputable cloud provider. Do your research. Make sure their track record is clean. Use strong passwords, always.

Transfer your photos to your computer without the cloud

This is another option as well; however, it’s still strongly suggested that you back up your photos in the cloud too, for all of the reasons we outlined above, most significantly that you wouldn’t want to lose them due to device damage or theft!

Back up your photos locally too

This advice may feel a little “old school” because there’s so much emphasis placed on the cloud and its benefits these days. Yet a local backup provides yet another layer of protection in the event of data loss, theft of your device, or even a ransomware attack where your data (which could include your photos) is held hostage. Put simply, it keeps your data in your hands. One caveat: ransomware encrypts every drive it can reach, so keep the external drive unplugged except while you are actually copying to it. Also, by copying your photos and files onto an external hard drive you can access them if your internet is down or running a little spotty.

Delete some photos and save some space on your phone

Once you have your photos on your PC or Mac and backed up, now you can get to work. This is the point where you can delete photos from your phone with confidence. Photos take up plenty of storage space on your phone, so an occasional cleanout is a good thing. Depending on the method you used to transfer your photos, the transfer process may ask you whether you’d like to delete some or all of the photos on your phone. Likewise, you may just want to do that on a photo-by-photo basis yourself. Yes, this can be time-consuming, but the benefit is that you’ll free up space on your phone.

Start organizing your photos

Here’s the really fun part: the Photos app on macOS and the Photos app on Windows come standard on Macs and PCs respectively. You’ll see that they both have tools for creating albums, folders, and for searching. They each have a facial recognition feature as well, which will automatically tag photos based on the people who are in them so you can quickly create albums featuring a specific person or people. Likewise, these apps allow you to search based on keywords, like activities, places, and dates so that you can quickly gather related photos and make albums based upon them. Note that the search isn’t always perfect. Much depends on the metadata associated with your photos, which is information that your phone or camera attaches to your photo, such as when the picture was taken, where it was taken, and so forth.

The Photos app on macOS has an additional feature to help you organize your photos. Select a picture and then hit the “i” icon at the top of the screen. A window will show you the metadata associated with that picture, which is information about your photo. You can add to this metadata with your own keywords and tags that help describe the picture, like “Mom on the Metro” or “Dad’s Birthday 2015.” This will aid in future searching and organizing as well. Unfortunately Photos on Windows doesn’t have a similar feature at this time; however, you can change the metadata of a photo by right-clicking on the photo file in File Explorer, selecting “Properties” and then choosing the “Details” tab.

Another word about metadata: you’ll want to take a look at the metadata of the pictures you post online. Your photos can reveal details about you that you may not want to share or have end up in the hands of hackers and crooks; the Exif data a phone writes into a JPEG can include the exact GPS location and time the picture was taken, and the device that took it. Check out this episode from our Hackable? podcast to avoid some of the common risks associated with sharing photos.
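To make the metadata point concrete, here is an added example (not part of the original post) of what removing it involves: a JPEG is a sequence of marker segments, and the Exif, XMP and IPTC data live in their own segments ahead of the image scan, so a tool can drop those segments and copy the rest untouched. The sample file below is constructed by hand from marker segments so the script runs offline; it is structurally valid for walking but not a decodable picture, and the Exif payload is a fake TIFF header followed by a made-up GPS tag string.

```python
"""Strip Exif/XMP/IPTC metadata segments from a JPEG before sharing it.

Added example, not part of the original post. SAMPLE_JPEG is constructed
from hand-built marker segments (walkable, not a real picture) with a fake
Exif payload. JFIF (APP0) and ICC colour profiles (APP2) are kept so a real
image still displays correctly.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry metadata worth removing: APP1 (Exif and XMP) and
# APP13 (Photoshop IRB / IPTC). Both can hold location and device details.
STRIP_MARKERS = {0xE1, 0xED}


def segment(marker, payload):
    """Encode one JPEG marker segment: FF <marker> <2-byte length> <payload>.
    The length field counts itself (2 bytes) plus the payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample file: SOI, JFIF APP0, Exif APP1, a quantisation table,
# SOS with a few bytes of fake entropy-coded data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"GPSLatitude=51.5N")
    + segment(0xDB, b"\x00" + bytes(range(64)))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)


def strip_metadata(data):
    """Return (clean_bytes, removed), where removed lists (marker, payload
    size) for every dropped segment. Segments are walked until SOS; from
    there the entropy-coded scan is copied verbatim, because metadata only
    appears in the header section of a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    removed = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker; skip it
            pos += 1
            continue
        if marker == EOI:             # header-only file, nothing more to copy
            out += data[pos:pos + 2]
            return bytes(out), removed
        if marker == SOS:             # scan data follows; keep all of it
            out += data[pos:]
            return bytes(out), removed
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone markers
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        if marker in STRIP_MARKERS:
            removed.append((marker, length - 2))
        else:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no SOS or EOI marker found: file is truncated")


def contains_exif(data):
    """Quick sanity check: is an APP1 Exif segment still present?"""
    return b"\xff\xe1" in data and b"Exif\x00\x00" in data


if __name__ == "__main__":
    clean, removed = strip_metadata(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(clean)} bytes; removed {removed}")
```

The scan data is left alone on purpose: the pixels are not the problem, the header is. After stripping, reopen the file and confirm the location and device fields are gone, and do the same check on anything a sharing service claims to have “cleaned” for you, since not every service removes every segment.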

Create!

Now that you have your photos backed up in the cloud and on your laptop or computer, it’s time to start making things. There are plenty of free, paid, and subscription services out there for making prints, posters, and albums. You can also look into well-reviewed digital picture frames that you can load up with hundreds of rotating photos via a USB connection, an app, or even email.

Another option is to start exploring the world of photo editing. If you don’t own or have a subscription to the popular Photoshop app, there’s an excellent free option for multiple operating systems (which includes Mac and PC). The long-form name is the GNU Image Manipulation Program, or GIMP for short. Don’t let the fact that it’s free fool you. It’s a powerful program with full functionality that’s been around for more than 20 years. You’ll find a built-in help system, full documentation, and tutorials, all free. Give it a look and see if it’s right for you.

How about my old prints and photo slides?

On a similar side note, my husband recently transferred my parents’ old photo slides (remember those?) into digital format. What a treasure trove from decades ago! If you have some old slides, you can do the same with a digital slide scanner (typically available around the $100 mark here in the U.S.), although that’s a manual process and can take some time. Likewise, you can scan old photo prints on your flatbed scanner to digitize them or use a phone app like Photomyne or Photoscan. Another option is to have a service do the work for you, which you can easily find online or available through a local retailer.

Worth the effort

Up until this point, I’ve resisted making a Marie Kondo reference, yet organizing your photos can spark oodles of joy. Along the way, you can count on rediscovering tucked-away memories that you’ll want to relive and share. I hope that’s your experience and that these feelings propel you along as you set out on this task. While organizing takes some effort, the rewards await. Have fun!

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Entertainment #FromHome: Photo Backups, Digital Picture Frames, and More! appeared first on McAfee Blogs.

Does PC Cleaning Improve Performance?

PC, tablet and device performance

If you would like to maintain or restore the performance of your PC, cleaning it is a task you don’t want to overlook. In addition to boosting the speed of your PC, cleaning it on a regular basis also helps protect your personal information and identity from criminals.

Cleaning your PC frees up storage space so that you can install more programs or save pictures, sound files and movies. Clean your computer at least once per month for the best possible results. If you have not cleaned your PC in a while, you will be surprised to notice how much faster it runs. This guide explains the basics and points you in the right direction.

What Is PC cleaning?

Over time, the files you store on your computer begin taking up space. Your C drive in particular may gradually fill up with backup files, hidden files and temporary files. You should consider PC cleaning even on a new computer, because new PCs often come with pre-installed programs you don’t need. In simple terms, PC cleaning involves removing unneeded files from your computer when you want extra storage space and increased performance.

Are you using all programs on your PC?

Remove unwanted programs by going to the Programs and Features section of your Control Panel. Go through the list and make a note of the programs you don’t use. For the programs you don’t recognize, do a quick search online to decide whether you really want to delete them. Once you have your list, the uninstall prompt will walk you through everything you need to do. Removing the programs should not take too long, depending on their size. In addition to removing unneeded programs, you can also use the Disk Cleanup utility to remove temporary files.

Cleaning up temporary files

Temporary files include internet cookies and partially downloaded programs that you never installed on your machine. Internet cookies contain information you enter on websites and images from sites you visit. The main purpose of these cookies is to identify users and, possibly, to prepare customized pages or to save information. The benefit for you is that you don’t need to enter your login information each time you visit a website. Web pages and online media you have visited are also stored in your browser’s cache, which speeds up browsing the next time you visit the same site. Likewise, applications that handle large amounts of data, such as Microsoft Word, create temporary files to store and save information as you go along.

The Importance of PC cleaning

Your PC saves files from the websites you visit and stores them on your hard drive. Unless you remove those files, they add up over time and begin taking a lot of space on your computer. Lots of people install programs on their PCs and never remove the programs after they stop using them, and they lose a lot more space than they might think. Cleaning your PC often is a good way to protect yourself from that pitfall.

Does Deleting Stuff From Your Computer Make It Faster?

Although many people assume deleting files from their hard drive is enough to increase the speed of their computers, it does not have the impact they expect. In fact, your temporary internet files can increase the speed at which websites load. Since temporary internet files contain images and other media files from the websites you visit, your computer won’t have to download them each time you visit the websites. You should still delete your temporary files on occasion to free disk space.

Remove Startup Items

Some programs you download onto your PC start automatically when you turn it on. Automatic startup works well for programs your computer needs to run at its best, but having too many startup items slows your computer down. To change which apps run automatically at startup, select the Start button, then open Task Manager and go to the Startup tab. Select the app you want to change, then select Disable so it doesn’t run the next time you restart your computer.

Factors to Keep in Mind When Cleaning Your PC

While you don’t face much risk when you delete temporary internet files, deleting the wrong programs or removing certain startup items can harm your PC. Therefore, start by removing temporary files and reducing the number of startup items to see if that improves the performance of the PC. If you are deleting programs, make sure you know what you are deleting so that you don’t run into problems along the way.

Clean up sensitive files

When you delete files from the recycle bin, they are not really deleted. Your computer keeps a pointer to the part of your hard drive that stores each file, and your hard drive retrieves the file from that location when you open it.

Deleting a file only removes the pointer, so the file’s contents remain on your system for a while. Use a file shredder to erase data by overwriting the space with a pattern of 1s and 0s. This won’t improve performance, but file shredding does help keep you in compliance with the law and prevent identity theft. A PC cleaner can then remove these files from your hard drive.
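
The pointer-versus-contents distinction above, as an added example that is not McAfee's shredder and not code from the post: a short Python routine that overwrites a regular file in place (random bytes, then a final pass of zeros), forces each pass to disk with fsync, reads the zero pass back to confirm it landed, and only then unlinks the file. The "sensitive" file it shreds is a constructed temp file. One caveat a practitioner should keep in mind: on SSDs with wear levelling, on copy-on-write or journaling file systems, and anywhere snapshots or backups exist, an in-place overwrite is not guaranteed to reach every copy of the old blocks, so full-disk encryption is the more reliable safeguard for data you never want recovered.

```python
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB blocks


def shred_file(path, passes=2):
    """Overwrite a regular file in place, sync it to disk and unlink it.

    Passes 1..n-1 write random bytes; the final pass writes zeros and is read
    back before unlinking so the caller can see it was applied. Returns a
    small report dict.
    """
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"{path!r} is not a regular file")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(CHUNK, remaining)
                last_pass = n == passes - 1
                fh.write(bytes(chunk) if last_pass else os.urandom(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())     # push this pass out of the page cache
        fh.seek(0)
        verified = fh.read() == bytes(size)   # did the zero pass land?
    os.unlink(path)                  # remove the directory entry last
    return {
        "bytes": size,
        "passes": passes,
        "zero_pass_verified": verified,
        "exists": os.path.exists(path),
    }


def shred_demo():
    """Create a throwaway file with constructed 'sensitive' content and shred it."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"ACCOUNT=1234-5678 PIN=0000 (constructed sample)\n" * 2000)
    return shred_file(path, passes=2)


if __name__ == "__main__":
    print(shred_demo())
```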

Use a PC cleaner

You can save time and avoid problems by using a proven PC cleaner to remove unwanted and temporary files from your PC. With an effective PC cleaner, you can reach your goals in no time and never have to worry about deleting the wrong file. McAfee Total Protection is antivirus software that comes with a PC cleaner and a file shredder. The PC cleaner deletes temporary internet files and broken shortcuts, and it removes registry keys you no longer need.

Final Thoughts

Your computer’s performance depends on regular maintenance to stay at its best. Failing to maintain your PC results in slower performance and other issues you want to avoid. Use the steps from this guide to clean your computer and boost performance, or you can save time by using a PC cleaner to keep your PC safe and running well for as long as possible, and you will be thrilled with the results.

The post Does PC Cleaning Improve Performance? appeared first on McAfee Blogs.

Internet Safety Begins with All of Us

Now’s the time to pause for a moment and consider just how important the internet is to us. Not just any internet. A safer internet.

June marks Internet Safety Month. Why June? The original thought was that the onset of summer sees more kids online, making it an ideal time for a fresh look at internet safety in our homes. Now, with millions of us worldwide finding ourselves online more than before due to stay-at-home guidance from our localities or employers, Internet Safety Month 2020 is much more important to observe. We’re working more online, playing more online, and schooling more online, and making all kinds of changes in our routines that make the internet the cornerstone of our day.

Indeed, we’re counting more and more on the internet, now more so than ever. A safer internet isn’t a nice thing to have. It’s a necessity. And there’s plenty we can do to make it happen.

Each of us has a hand in a safer internet

While a safer internet may seem like it’s somewhat out of our hands as individuals, the truth is that each of us plays a major role in making it so. As members, contributors, and participants who hop on the internet daily, our actions can make the internet a safer place.

So, specifically what can we do? Take a few moments this month to ponder these three categories and the questions that follow. Using them can help frame your thinking about internet safety and how you can make yourself, and others, safer.

  1. Internet Security – How am I keeping my devices safe?
  2. Internet Safety – How am I keeping myself and my family safe?
  3. Internet Ethics – How am I treating other people online?

Internet Security

How am I keeping my devices safe? Device safety is relatively straightforward, provided you take the steps to ensure it. You can protect your things with comprehensive security software, use an internet router that protects all the connected devices in your home, update your software, and use strong passwords with the help of a password manager.

Put another way, internet security is another aspect of home maintenance. Just as you mow your lawn, swap out the batteries in your smoke alarm, or change the filters in your heating system, much goes the same for the way you should look after computers, tablets, phones, and connected devices in your home. They need your regular care and maintenance as well. Again, good security software can handle so much of this automatically or with relatively easy effort on your part.

If you’re wondering where to start with looking after the security of your devices, check out our article on how to become an IT pro in your home—it makes the process easy by breaking down the basics into steps that build your confidence along the way.

Internet Safety

How am I keeping myself and my family safe? This entails topics like identity theft, personal data privacy, cyberbullying, screen time, when to get a smartphone for your child, and learning how to spot scams online. Certainly you have tools to assist with these concerns, such as identity theft protection services and virtual private networks (VPNs) that encrypt your personal information, plus apps that make going online safer for kids like parental control software and built-in browser advisors that help you search and surf safely.

However, internet safety goes beyond devices. It’s a mindset. A savvy. As with driving a car, so much of our online safety relies on our behaviors and good judgment. For example, one piece of research found that ninety-one percent of all cyberattacks start with a phishing email, where people click on links they should have thought twice about and end up the victims of an attack. Research bears this out. Tomas Holt, professor of criminal justice at Michigan State University, states, “An individual’s characteristics are critical in studying how cybercrime perseveres, particularly the person’s impulsiveness and the activities that they engage in while online that have the greatest impact on their risk.” Put another way, scammers bank on an itchy clicker-finger—where a quick click opens the door for an attack.

With that, here’s some general guidance on behaviors that can keep you safer:

  • Look out for phishing red flags. If you notice that the “from” address in an email looks like a slightly altered brand name or if it is an unknown source altogether, don’t interact with the message.
  • Be skeptical of emails claiming to come from legitimate companies. If you receive an email asking to confirm your login credentials, go directly to the company’s website or app. You should be able to check the status of your account there to determine the legitimacy of the request.
  • When searching, give the results a good look before clicking. Ask yourself if the website you want to click is legitimate—are there any red flags, like a strange URL, an unfamiliar name, a familiar brand name with an unusual addition to it, or a description that simply doesn’t feel right when you read it. If so, don’t click. Better yet, use a built-in browser advisor that helps you search and surf safely like we mentioned earlier. It’ll call out any known or suspected bad links clearly before you click.
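
The first two red flags above (a "from" address that imitates a brand, or a display name claiming a company the address does not belong to) can be checked mechanically. Here is an added example, not McAfee's code or from the post, showing the kind of sender-domain check a mail filter or a cautious reader can apply: it accepts the brand's real domain and its subdomains, flags brand names (including common digit-for-letter and "rn"-for-"m" lookalikes) used as a label inside some other domain, and flags display names that claim a brand the sending domain does not match. The brand list and the sample headers are constructed, and the lookalike domains use the reserved `.example` suffix so none of them is real.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: brand name -> the domain it really sends from.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "apple": "apple.com",
    "microsoft": "microsoft.com",
    "mcafee": "mcafee.com",
}

# Substitutions that make a lookalike label read like the brand at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(token):
    """Undo the common visual substitutions before comparing to a brand."""
    for fake, real in HOMOGLYPHS:
        token = token.replace(fake, real)
    return token


def levenshtein(a, b):
    """Edit distance; one edit away from a brand name is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Classify a From: header as ok / suspicious / unknown, with a reason."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable sender address"
    host = addr.rsplit("@", 1)[1].lower()

    # 1. The brand's own domain, or a subdomain of it.
    for brand, legit in KNOWN_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return "ok", f"sender domain is {legit}"

    # 2. A brand name, or a lookalike of one, used as a label in another domain
    #    (paypa1-login.example, apple.com.verify.example, rnicrosoft.example).
    labels = re.split(r"[.-]", host)[:-1]      # drop the top-level domain
    for token in labels:
        norm = normalize(token)
        for brand in KNOWN_BRANDS:
            if norm == brand or levenshtein(norm, brand) == 1:
                return "suspicious", f"'{token}' imitates {brand} but the domain is {host}"

    # 3. The display name claims a brand the domain does not belong to.
    for brand in KNOWN_BRANDS:
        if brand in display.lower():
            return "suspicious", f"display name claims {brand} but mail comes from {host}"

    return "unknown", f"{host} is not a known brand domain; verify before acting"


if __name__ == "__main__":
    # Constructed sample headers, none of them real senders.
    for header in [
        "PayPal <service@paypal.com>",
        "PayPal Billing <alert@paypa1-login.example>",
        "Apple Support <no-reply@apple.com.verify.example>",
        "Account Team <billing@rnicrosoft.example>",
        "McAfee <renewals@random-shop.example>",
        "Alice <alice@example.org>",
    ]:
        print(f"{header:55} -> {assess_sender(header)}")
```

A "suspicious" verdict is a reason to go to the company's site or app directly, as the next bullet says, rather than to interact with the message; an "unknown" verdict just means the domain is not on the list, not that it is safe.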

These are just a few examples, yet hopefully they convey the idea: we all need to be sharp when we’re online. That goes for our children and for our parents, who may be older, too, as these behaviors may be new to them. Moreover, the reasons why these behaviors are so important may be new to them as well. They simply may not be aware of the risks and scams that are out there. In that case, the best protection starts with a conversation. Shine a light on the risks that are out there and help them develop a critical eye for the suspicious links and emails they’re bound to come across in their travels. That, in addition to comprehensive security software, will help keep them safe.

Internet Ethics

How am I treating other people online? A big part of a safer internet is us. Specifically, how we treat each other—and how we project ourselves to friends, family, and the wider internet. With so much of our communication happening online through the written word or posted pictures, together they create a climate around each of us, which can take on an uplifting air or mire you in a cloud of negativity. What’s more, it’s largely out there for all to see. Especially on social media.

Internet Safety Month is a fine time to pause and reflect on your climate. A good place to start is with basic etiquette. Verywell Family put together an article on internet etiquette for kids, yet when you give it a close read you’ll see that it provides good advice for everyone. In summary, their advice focuses on five key points:

  1. Treat others how you want to be treated – this is the “Golden Rule,” which applies online just as it does in every other aspect of our lives.
  2. Keep messages and posts positive and truthful – steering clear of rudeness, hurtful sarcasm, and rumor-mongering is the way to go here.
  3. Double-check messages before hitting send – ask yourself if what you’ve written can be misinterpreted, especially when people can’t see your facial expression or hear tone of voice.
  4. Don’t violate a friend’s confidence – think about that picture or post … will it embarrass someone you know or share something not meant to be shared?
  5. Avoid digital drama – learn when to respectfully exit a conversation that’s getting mean, rude, or otherwise hurtful.

Of course, the flip side to all of this is what to do when someone targets you with their bad behavior—such as an online troll who hurls hurtful or malicious comments your way. That’s a topic in and of itself. Check out our article on internet trolls and how to handle them. Once again, the advice there is great for everyone in the family.

Being safer … take it in steps

We’ve shared quite a bit of information in this article and loaded it up with plenty of helpful links too. Don’t feel like you have to address everything at once in one sitting. See what you have in place and make notes about where you’d like to make improvements. Then, start working down the list. A few minutes each week dedicated to your security can greatly increase your security, safety, and savvy.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Internet Safety Begins with All of Us appeared first on McAfee Blogs.

Making the Advanced Protection Program and Titan Security Keys easier to use on Apple iOS devices

Starting today, we’re rolling out a change that enables native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above. This capability, available for both personal and work Google Accounts, simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the Advanced Protection Program.

Using an NFC security key on iPhone

More security key choices for users
  • Both the USB-A and Bluetooth Titan Security Keys have NFC functionality built-in. This allows you to tap your key to the back of your iPhone when prompted at sign-in.
  • You can use a Lightning security key like the YubiKey 5Ci or any USB security key if you have an Apple Lightning to USB Camera Adapter.
  • You can plug a USB-C security key directly into an iOS device that has a USB-C port (such as an iPad Pro).
  • We suggest installing the Smart Lock app in order to use Bluetooth security keys and your phone’s built-in security key, which allows you to use your iPhone as an additional security key for your Google Account.
In order to add your Google Account to your iOS device, navigate to “Settings > Passwords & Accounts” on your iOS device or install the Google app and sign in.
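
What makes the security keys described above phishing-resistant is the set of checks the site (the relying party) performs on each WebAuthn assertion before it even verifies the signature. As an added example, not Google's code and not from this announcement, here is a Python walk-through of those checks on a constructed assertion: the browser-supplied `clientDataJSON` must name our origin and our challenge, the authenticator's `authenticatorData` must carry the SHA-256 of our RP ID and the user-presence flag, and its signature counter must move forward. The RP ID, origin, challenge and flag values are constructed; the 37-byte `authenticatorData` layout and the flag bits follow the WebAuthn specification. Signature verification with the credential's public key (an ECDSA check over the returned `signed_bytes`) is the last step and needs a crypto library, so it is not shown.

```python
import base64
import hashlib
import json
import struct

# Bits of the authenticatorData flags byte (WebAuthn Level 1, section 6.1).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data):
    """Split the fixed 37-byte prefix every assertion carries."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(rp_id, origin, challenge, stored_count,
                    client_data_json, auth_data, require_uv=False):
    """Run the relying-party checks that precede signature verification.

    Returns a dict with ok/reason and, on success, the bytes the authenticator
    signed (authData || SHA-256(clientDataJSON)) plus the counter to store.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return {"ok": False, "reason": "clientData.type is not webauthn.get"}
    if b64url_decode(client.get("challenge", "")) != challenge:
        return {"ok": False, "reason": "challenge mismatch (replayed or foreign assertion)"}
    if client.get("origin") != origin:
        # The browser fills in the real origin; a lookalike site cannot claim ours.
        return {"ok": False, "reason": f"origin mismatch: {client.get('origin')}"}
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash does not match our RP ID"}
    if not parsed["user_present"]:
        return {"ok": False, "reason": "user presence (the tap) not asserted"}
    if require_uv and not parsed["user_verified"]:
        return {"ok": False, "reason": "user verification required but not asserted"}
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_count:
        return {"ok": False, "reason": "signature counter did not increase: possible cloned key"}
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "reason": "pre-signature checks passed",
            "signed_bytes": signed, "new_count": parsed["sign_count"]}


# Constructed sample exchange: no real credential or signature is involved.
RP_ID = "accounts.example"
ORIGIN = "https://accounts.example"
CHALLENGE = b"constructed-challenge-32-bytes!!"


def make_client_data(origin, challenge, kind="webauthn.get"):
    """What the browser would hand back as clientDataJSON (constructed)."""
    return json.dumps({"type": kind, "challenge": b64url(challenge), "origin": origin}).encode()


def make_auth_data(rp_id, flags, count):
    """What the security key would hand back as authenticatorData (constructed)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    good = check_assertion(RP_ID, ORIGIN, CHALLENGE, 10,
                           make_client_data(ORIGIN, CHALLENGE),
                           make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 11))
    print(good["ok"], good["reason"], "-> store counter", good["new_count"])
    phish = check_assertion(RP_ID, ORIGIN, CHALLENGE, 10,
                            make_client_data("https://accounts-login.example", CHALLENGE),
                            make_auth_data(RP_ID, FLAG_UP, 11))
    print(phish["ok"], phish["reason"])
```

The second call shows why a lookalike login page gets nothing useful from a security key: the browser records the page's real origin in `clientDataJSON`, and the key's `rpIdHash` is bound to the genuine site, so the assertion fails the relying party's checks regardless of what the user typed.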

Account security best practices

We highly recommend that users at a higher risk of targeted attacks get security keys (such as a Titan Security Key or their Android or iOS phone) and enroll in the Advanced Protection Program. If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through Defending Digital Campaigns to get help enrolling in Advanced Protection.

You can also use security keys for any site where FIDO security keys are supported for 2FA, including your personal or work Google Account, 1Password, Bitbucket, Bitfinex, Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.

When Less is More – MVISION EDR Leads Detection Efficiency & Alert Quality

If you are an incident responder, a SOC analyst or a threat hunter, you know how a well-designed EDR solution can augment your visibility, detection, and reaction capabilities. However, in many organizations a single blue teamer, or, as we like to call them, an “all-around defender,” may wear all these hats. Even when all these roles are performed by the same person, each of these security operations workflows calls for a different approach. While an incident responder spends most of their time containing impact, scoping, and collecting and analyzing new artifacts, threat hunters look for the needle in the haystack, finding the presence of advanced adversaries through proactive queries, analytics and hypothesis-driven investigations that often end up in the declaration of an incident.

Compare that work with the role of a security analyst, whether it’s an analyst working in an internal SOC, an analyst working for an MSSP or MDR service, or simply somebody reacting to security alerts that show up on the EDR monitoring screen, in a SIEM or in an orchestration tool.

How is that different? First, neither the incident responder nor the threat hunter is concerned with false positives, the so-called ‘noise’. For an incident responder or a threat hunter the priority is a low rate of false negatives; in other words, not missing anything. For them, visibility is the priority, even if that means dealing with a lot of data. For that purpose, a well-designed EDR solution must have a powerful real-time query language as well as the ability to react quickly to newly discovered threats.

A security analyst, on the other hand, works primarily off the monitoring screen, reacting to alarms that may result in the declaration of an incident. In this role, having a low rate of false positives is critical. Traditionally, poorly configured detection tools have overwhelmed analysts with alerts to the point where the analyst can’t trust the product anymore.  

But having a low rate of false positives is not enough. The quality of those alarms is paramount too. How do we define quality in this context? Using Forrester’s definition, “from a detection perspective, an ideal solution would alert once and correlate all other detections to that initial alert. […] The more alerts you’re generating, the less efficient you are at helping a SOC surface true adversarial behavior.” 

Notice how this is aligned with the Time-Based Security model described in our previous blog post. To be successful as a defender, it is essential to react in the fastest possible way, raising an alarm as early as possible in the attack chain, while correlating, aggregating and summarizing all subsequent activity to preserve actionability.

To illustrate: imagine that you have installed a security camera that not only provides you continuous visibility through 24×7 video recording, but is also equipped with a motion sensor to alert you when somebody approaches your front door. If an intruder approaches your home in the middle of the night, you not only want a full recording of the event to share with law enforcement in an investigation, you also want to be alerted. But having an alert is not enough. You don’t want to be alerted when the thief is out of the door with your TV, but as early as possible, ideally before he can cause any harm. And think about the quality of the alerts. Do you want your phone to be flooded with several messages per second coming from the same sensor, for the same event? Or would you rather have one single alarm with enough actionable context, like a single screenshot of the intruder, leaving your device available so you can respond appropriately, for example by calling 911 as soon as possible?

At McAfee, we know how security operations work, and that’s why we have designed MVISION EDR with ‘Human Machine Teaming’ in mind. In this paradigm, our expert system monitors, tracks, detects, summarizes, and aggregates individual alerts, which are presented to the analysts as correlated Threats. The analyst is presented with all of this context, which allows them to triage, validate and determine whether the activity represents an incident according to their organizational policies. If it does, the analyst creates an investigation to assess the scope and severity of the incident across the organization while the threat is contained. Furthermore, investigations are expanded automatically using expert investigation guides.

Consider the example of MITRE’s APT29 evaluation. During the Day 1 attack, MVISION EDR generated 61 detections throughout the attack chain. Imagine you are the analyst sitting in front of the console. Do you really need to see 61 individual alarms? Clearly not. In fact, MVISION EDR correlated, aggregated and summarized these detections while continuing to track the attacker’s activities, presenting only 4 correlated ‘Threats’ in the UI.

These correlated Threats were ranked automatically according to their severity, as seen in the figures below.

As shown in Figure 4, this aggregation doesn’t mean losing context. In fact, these correlated Threats provide high actionability, allowing the analyst to get a quick overview of the behavior of the threat, mapped to MITRE ATT&CK, as well as a plethora of response actions that empower the analyst to choose the most appropriate response for their environment within seconds.

In conclusion, MVISION EDR was able to aggregate and summarize MITRE’s APT29 attack emulation into 4 threats. At the same time, rich and contextualized telemetry allows security operations teams to implement and optimize additional key security operations workflows, such as incident response, investigations and threat hunting.  
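
The "alert once and correlate all other detections to that initial alert" idea quoted above can be shown on a small scale. The following is an added example, not MVISION EDR's correlation logic (which the post does not describe) and not McAfee's code: a toy correlator that folds individual detections into Threats by process lineage on a host, so that a macro document, the PowerShell it spawns and the injected process that beacons out all land in one Threat, ranked by its highest severity. The process table, the detections and their ATT&CK technique IDs are all constructed; the counts (7 detections into 3 Threats) are those of the sample, not the 61-into-4 figure from the APT29 evaluation.

```python
# Constructed process table: (host, pid) -> (parent pid, image name).
PROCESSES = {
    ("WS01", 100): (1, "outlook.exe"),
    ("WS01", 200): (100, "winword.exe"),
    ("WS01", 300): (200, "powershell.exe"),
    ("WS01", 400): (300, "rundll32.exe"),
    ("WS01", 900): (1, "updater.exe"),
    ("WS02", 500): (1, "chrome.exe"),
    ("WS02", 510): (500, "installer.exe"),
}

# Constructed individual detections, in the shape a detector would emit them.
DETECTIONS = [
    {"ts": 1, "host": "WS02", "pid": 510, "technique": "T1204.002", "severity": 2,
     "desc": "browser spawned unsigned installer"},
    {"ts": 2, "host": "WS01", "pid": 200, "technique": "T1566.001", "severity": 3,
     "desc": "Office document with macro opened from mail"},
    {"ts": 3, "host": "WS01", "pid": 300, "technique": "T1059.001", "severity": 4,
     "desc": "encoded PowerShell command line"},
    {"ts": 4, "host": "WS01", "pid": 300, "technique": "T1059.001", "severity": 4,
     "desc": "PowerShell download cradle"},
    {"ts": 5, "host": "WS01", "pid": 400, "technique": "T1055", "severity": 5,
     "desc": "rundll32 injected into another process"},
    {"ts": 6, "host": "WS01", "pid": 400, "technique": "T1071.001", "severity": 3,
     "desc": "beaconing to uncategorised domain"},
    {"ts": 7, "host": "WS01", "pid": 900, "technique": "T1547.001", "severity": 2,
     "desc": "new Run key persistence"},
]


def ancestry(host, pid, processes):
    """Yield pid, then each parent up the process tree (stops on cycles/unknowns)."""
    seen = set()
    while (host, pid) in processes and pid not in seen:
        seen.add(pid)
        yield pid
        pid = processes[(host, pid)][0]


def correlate(detections, processes):
    """Fold raw detections into Threats keyed by process lineage on a host.

    A detection joins an existing Threat when its process, or any ancestor,
    already carries a detection; otherwise it opens a new Threat. The result
    is ranked by highest severity, then by first sighting.
    """
    owner = {}      # (host, pid) that carries a detection -> index into threats
    threats = []
    for d in sorted(detections, key=lambda x: x["ts"]):
        key = (d["host"], d["pid"])
        chain = list(ancestry(d["host"], d["pid"], processes))
        idx = next((owner[(d["host"], p)] for p in chain if (d["host"], p) in owner), None)
        if idx is None:
            threats.append({
                "host": d["host"],
                "first_process": processes.get(key, (None, f"pid {d['pid']}"))[1],
                "first_seen": d["ts"],
                "detections": [],
                "techniques": set(),
                "max_severity": 0,
            })
            idx = len(threats) - 1
        t = threats[idx]
        t["detections"].append(d)
        t["techniques"].add(d["technique"])
        t["max_severity"] = max(t["max_severity"], d["severity"])
        owner.setdefault(key, idx)
    return sorted(threats, key=lambda t: (-t["max_severity"], t["first_seen"]))


def summarize(threats):
    """One actionable line per Threat, in the order an analyst should work them."""
    return [
        f"[sev {t['max_severity']}] {t['host']} {t['first_process']}: "
        f"{len(t['detections'])} detections, techniques {', '.join(sorted(t['techniques']))}"
        for t in threats
    ]


if __name__ == "__main__":
    for line in summarize(correlate(DETECTIONS, PROCESSES)):
        print(line)
```

The lineage walk is what keeps the early alarm actionable: the Threat is opened at the first detection (the macro document), and everything the attacker does afterwards in that process tree attaches to it instead of competing with it on the monitoring screen.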

The post When Less is More – MVISION EDR Leads Detection Efficiency & Alert Quality appeared first on McAfee Blogs.

Why Fast Feedback Is Critical For Developer Success

In their book Agile Testing: A Practical Guide for Testers and Agile Teams (2008), Lisa Crispin and Janet Gregory wrote that one of the most important factors for success in software development is feedback. “Feedback is a core agile value. The short iterations of agile are designed to provide constant feedback to keep the team on track.” The message still rings true: constant feedback is critical to successful deployments. The faster the better.

agile

[aj-uhl] adjective - quick and well-coordinated in movement; lithe: an agile leap.

The word “agile” has been a part of software development for years, and today it’s more important than ever. Contemporary programming is all about speed and security: can you deploy your software faster than the competition, and will it be secure enough to protect valuable customer data in the face of modern threats? It comes down to how agile you are as a team and just how efficient those feedback loops can be.

Why is it critical for feedback to be fast and efficient? Today’s developers must often work so quickly to provide code that slowing down for even a day can have a delaying domino effect. In a software-soaked world that relies on websites and their companion applications for many everyday activities, release delays can quickly add up to monetary losses for organizations, as finding the same flaws after each build is like watching money (and time) circle the drain. That’s a problem for the whole company, not just your team of developers.

The power of instant feedback

Instant feedback with clear results shows developers what’s working and what’s not so that they can pivot quickly, fix flaws, squash bugs, and reduce overall risk earlier in the software development lifecycle (SDLC). And psychologically, instant feedback is gratifying. There’s less room for impatience and more room for action when feedback rolls in as developers are working hard to write successful code. Learning what common flaws look like and how to avoid introducing them while working away is the epitome of efficient and agile for developers.

In previous years, “pair programming” solved some of these feedback issues, but not all. With pair programming, one programmer (the driver) writes code while another programmer (the observer/navigator) reviews the code line by line as it is typed. Even though the two switch roles from time to time, this process is dated and resource-heavy.

Tools like Veracode Static Analysis come equipped with automated security feedback right in the IDE and the Pipeline, taking on the role of observer/navigator so that the driver can do what he or she does best. And it’s quick; the IDE scan returns feedback instantly, while the Pipeline scan takes about 90 seconds on average, and the Policy scan about 8 minutes at the production stage.

This quick feedback helps developers improve their code while they work by providing guidance that prevents the introduction of new flaws down the road and conducting a full policy scan before deployment to help developers understand which flaws and vulnerabilities they should be focusing on most.

Less time researching, more time writing secure code

Packed schedules leave little room for patience. Of the respondents to Stack Overflow’s 2020 Developer Survey, 54.5 percent said they simply walk away when they hit a wall with coding problems and work on something else for the time being. Developers are just too busy to wait for feedback. Veracode Static Analysis, which integrates with existing tooling, takes out the middleman and provides that fast, guiding feedback so that developers don’t need to shift gears to another project or scramble if a vulnerability is discovered closer to deployment.

When paired with training tools like Veracode Security Labs, which uses real-world applications to teach developers about exploiting and patching code, scanning platforms with automated security feedback are even more impactful. Solutions that are built to accommodate busy developer schedules go a long way for helping the entire team succeed, especially if they integrate seamlessly as SaaS-based cloud services that do not disrupt workflow.

It isn’t enough to practice pair programming or wait to see what went wrong at different points in the build process. In order to get to market quickly with secure applications, fast feedback is just as critical as good feedback. Good feedback that shows developers what the issue is and how to remediate it is a training tool in itself that removes risk from your software development processes, and thus removes unnecessary risk from your customers’ shoulders.

Ready to learn more? Check out our eBook on securing your software development pipeline with Veracode Static Analysis.

NIST to Digital Forensics Experts: Show Us What You Got

Digital forensics experts often extract data from computers and mobile phones that may contain evidence of a crime. Now, researchers at the National Institute of Standards and Technology (NIST) will conduct the first large-scale study to measure how well those experts do their job. But rather than testing the proficiency of individual experts, the study aims to measure the performance of the digital forensics community overall. In this study, to be conducted online, participants will examine simulated digital evidence, then answer questions that might arise in a real criminal investigation.

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.

Using terms like "highly sophisticated" without providing any actual details of the cyberattack brings to mind TalkTalk CEO Dido Harding describing a 2015 cyber-attack as a "significant and sustained cyber-attack". In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked whether the affected customer data was encrypted, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK government's Track, Test and Trace application, which will no doubt ring privacy alarm bells with some.

Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regard to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can bring a class-action lawsuit. So it can be no real surprise to see law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released; it is the most valuable annual report in the cybersecurity industry, in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors across 81 countries.
  • 86% of data breaches were for financial gain, up from 71% in 2019.
  • 43% of breaches involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services.
  • 67% of data breaches resulted from credential theft, human error or social attacks.
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime.
  • Ongoing patching is working: fewer than 1 in 20 breaches exploited vulnerabilities.
The vast majority of breaches continue to be caused by external actors.
  • 70% were caused by external actors, with organised crime accounting for 55% of these.
  • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials.
    • 25% involved phishing.
    • Human error accounted for 22%.
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware saw a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting having blocked at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails, and contract details were taken, relating to clients including Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Password Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.


    The Advanced Protection Program comes to Google Nest

    The Advanced Protection Program is our strongest level of Google Account security for people at high risk of targeted online attacks, such as journalists, activists, business leaders, and people working on elections. Anyone can sign up to automatically receive extra safeguards against phishing, malware, and fraudulent access to their data.

    Since we launched, one of our goals has been to bring Advanced Protection’s features to other Google products. Over the years, we’ve incorporated many of them into GSuite, Google Cloud Platform, Chrome, and most recently, Android. We want as many users as possible to benefit from the additional levels of security that the Program provides.

    Today we’re announcing one of the top requests we’ve received: to bring the Advanced Protection Program to Nest.  Now people can seamlessly use their Google Accounts with both Advanced Protection and Google Nest devices -- previously, a user could use their Google Account on only one of these at a time.

    Feeling safe at home has never been more important and Nest has announced a variety of new security features this year, including using reCAPTCHA Enterprise, to significantly lower the likelihood of automated attacks. Today’s improvement adds yet another layer of protection for people with Nest devices.

    For more information about using Advanced Protection with Google Nest devices, check out this article in our help center.