Neutralize Threats – McAfee Blogs https://securingtomorrow.mcafee.com Securing Tomorrow. Today. Thu, 22 Jun 2017 04:05:58 +0000

Grocery Industry’s Cybersecurity Challenges: Harbinger Of Threats To Corporate America https://securingtomorrow.mcafee.com/business/neutralize-threats/grocery-industrys-cybersecurity-challenges-harbinger-of-threats-to-corporate-america/ Fri, 16 Jun 2017 17:44:54 +0000

The post Grocery Industry’s Cybersecurity Challenges: Harbinger Of Threats To Corporate America appeared first on McAfee Blogs.

Button up your overcoat; it’s about to rain cyberthreats  

Few businesspeople have as much on the line every moment of every day as grocers. When disquieting events happen at a grocery store, customers can be more than just inconvenienced. In extreme circumstances, grocery products can be the cause of illness, even death.

What makes the grocery industry so susceptible to calamities is that food is a necessity, not a luxury. Threats to food safety have the potential to create panic. If a company is the sole retailer affected, there’s a sobering chance it could lose customers – but perhaps only temporarily. The length of customers’ disaffection all depends on the effectiveness of the company’s response.

What constitutes an effective response? When it comes to cybersecurity, it’s not always easy to say. Unsettling as it is, the handling of data breaches, ransomware, malware, phishing and other cybersecurity incidents is still in its infancy. There are no widely accepted industry standards for incident response, which leaves “reasonable” action in the eye of the beholder. One thing is for sure: the miracle of the Internet is being weaponized by a myriad of bad actors.

The specter of malicious product tampering or computer hacks that prevent items from being properly refrigerated are among the risks that keep grocers awake at night. In many ways, they’re a microcosm of the pressures faced these days by corporate CEOs, communications executives, and their legal counsel. Fears surrounding cybersecurity and attendant liability nightmares have become Corporate America’s #1 risk management concern. For the past decade, the threat of hacking was largely limited to information. Now, life, health, and safety are becoming the real exposure, and few companies are ready, though all will face attacks. If a company thinks its prophylaxis is sufficient, it is wrong. If it thinks free credit reporting is still a satisfactory response, it is more unprepared than it realizes.

In early June, I was among the crisis response specialists invited to participate in a crisis management conference organized by Pillsbury Winthrop Shaw Pittman LLP. The panel was given a cybersecurity scenario that involved a ransomware breach disrupting customer transactions in dozens of stores across a nationwide chain.

The scenario cut right to the heart of the grocery industry’s biggest fear: the reputational impact of a liability or injury lawsuit stemming from a single incident, an episode whose repercussions could overwhelm decades of conscientious customer and community service.

Here’s the strategic premise I shared with grocery industry executives caught in the klieg lights: from the moment the crisis hits, their brand reputation hinges on empathetic communications that keep their customers front and center. Yes, regulatory and legal liability will set a threshold for them to respond, but their efforts to go above and beyond mere compliance will be what customers remember. As cybercrime gets more sophisticated, audiences from customers to shareholders expect a fuller response. “Hey, we are a victim, too,” will only get you so far, and less and less each day.

A company should frame its response through the prism of its customers – a young mom trying to get food for her children, a son who needs to pick up medicine for his sick father, or a family living paycheck to paycheck.

Always act out of an abundance of compassion and caution, I counseled. Anticipate the health-and-safety questions customers are likely to have and develop emotionally resonant answers. Identify resourceful ways to make their lives easier. A response that surmounts basic regulatory requirements will cultivate good will and could win over lifelong customers.

With that in mind, I advised industry executives to use all channels available to communicate with consumers – from signage at store shelves to social media and online postings. They should also consider having employees outside each affected retail location to talk with customers as they arrive. Employees who are the face of the company are often best equipped to explain facts, answer questions, and collect insight about customer concerns.

Not only do grocery stores face the same cyberthreats that other retailers face, but they also have tremendous financial capital at risk if a significant event disturbs refrigeration or inventory systems. These additional operational systems must be considered in a company’s Incident Response Plan, just as they would be in Business Continuity planning for bad weather power outages.

It is imperative companies establish Business Continuity Plans, Incident Response Plans, and Crisis Communications Plans. Those plans should be examined against detailed risk assessments and help guide employee training. Plans should be validated through simulated exercises. This builds a culture where cybersecurity is a priority and employees understand their role in protecting the brand.

Tom Campbell, the head of Pillsbury’s crisis management practice and the host of the conference, warns that, “Failing to prevent a cyber breach will injure a company but failing to rapidly respond to the crisis that follows can kill it.”

Brian Finch, co-chair of Pillsbury’s Privacy, Data Protection, and Cybersecurity team, adds that, “Businesses of all stripes have to understand that today’s cyberthreats go well beyond simple ‘smash and grab’ data thefts. Their preparation, and by extension their legal exposure, must be attuned to stopping or minimizing the impact of cyberattacks that could slow or stop their revenue intake.”

Cyberattacks, data breaches, and information security issues have become so pervasive that people may generally forgive companies for a breach – but not for slipshod communications about it. And not for failing to take proactive measures to protect information and assets in the first place, whether it’s installing the latest patches or conducting security penetration tests.

Cybersecurity is not just a technology issue. It’s a risk management issue. Everyone in the company should understand the company’s objectives when it comes to cybersecurity and incident response. Employees are a critical first audience for security messaging and communications; it is inevitable that they will receive questions when an incident occurs.

When it comes to messaging to external stakeholders – from investors to industry analysts to consumers – the critical component is quick and consistent messaging. Telling key audiences what happened, what the company is doing to fix it, and what it is doing to prevent the episode from happening again is paramount.

The fact is that a company’s risk will never be zero. When it comes to cybersecurity and data breaches, the old axiom “Not if, but when” has never been more true.

Richard Levick, Esq., @richardlevick, is Chairman and CEO of LEVICK. He is a frequent television, radio, online, and print commentator.

This article was written by Richard Levick from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


Beware the next wave of cyber threats: IoT ransomware https://securingtomorrow.mcafee.com/business/neutralize-threats/beware-the-next-wave-of-cyber-threats-iot-ransomware/ Thu, 15 Jun 2017 19:56:42 +0000

The post Beware the next wave of cyber threats: IoT ransomware appeared first on McAfee Blogs.

Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us – from home users to corporations and government organizations – are trying to protect ourselves from file-encrypting malware.

But we are ignoring the beginning of the next wave of ransomware attacks – aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things.

Quite simply, there are some differences that make IoT ransomware more dangerous than the already widespread extortion viruses for desktops and smartphones.

IoT ransomware does not encrypt your data

The well-known and most active crypto-ransomware families, such as Locky and Cerber, encrypt important files on infected machines. Their main strength is irreversibility: the victims are forced either to pay for the decryption key or to say goodbye to their files if there are no backups. It is usually assumed that files and important data have a value expressed in money, and that is what attracts cyber extortionists.

IoT devices often hold no data at all, which might suggest that ransomware authors have no interest in them. In fact they do.

Instead of locking some files, IoT ransomware can lock up, and take complete control of, many devices and even whole networks. IoT malware may stop vehicles, cut the electricity and even halt production lines. Such programs can do far more harm, so the attackers can demand far larger ransoms, which makes this new underground market all the more attractive.

One could argue that IoT hacking can be stopped with a simple reboot. However, the incentive to pay extortionists does not result from irreversibility but rather from the volume and character of potential losses which may occur during the time you lose control over the system.

While the Internet of Things expands the possibilities of life-supporting devices like pacemakers or industrial systems such as pumping stations, the financial benefits of blocking IoT infrastructure and the damage from belated response will grow exponentially. Organizations that use the Internet of Things in industrial control systems are the most vulnerable. These include power plants, big automated production lines, etc.

Consumer IoT devices

Attacks on consumer IoT devices, including smart homes and connected cars, are already real. Researchers have shown how they can gain control of a connected thermostat through the use of malicious code and set the device to increase the temperature to the maximum, causing the owner to pay a ransom.

Imagine you got into a connected car this morning and a message appeared on the screen: “If you pay $500, I’ll let you get to work today.” That was impossible several years ago, but given the pace of technological progress, such a scenario no longer looks far-fetched.

Furthermore, IoT ransomware may steal important data and personal information, for example, from surveillance cameras connected to the network or from fitness gadgets and then blackmail people, threatening to publish their sensitive information.

Despite the fact that IoT devices often have serious security weaknesses, it is still premature to talk about the imminent ransomware threat for smart homes and connected cars. The wide variety of apps and devices created by thousands of manufacturers complicates extensive malware usage.

The IoT industry is highly fragmented these days. It lacks standardized approaches, common platforms and communication systems. It is tough to carry out mass attacks. Every time a compromise occurs, the attackers target only a specific type of device, which limits the number of potential victims.

We can conclude that hackers’ benefits from attacking consumer IoT devices are currently small. But the situation is likely to change as the Internet of Things penetrates deeper into our homes and offices.

Industrial segment already facing high risks

We see an entirely different picture in the industrial segment of the Internet of Things. Industrial systems are already very attractive to cyber extortionists: any system that affects the lives of thousands or millions of people and is extremely expensive to operate qualifies.

For example, several US hospitals have recently suffered a series of ransomware attacks. The normal workflow of Hollywood Presbyterian Medical Center was disrupted by ransomware. Some patients had to be moved to other clinics, and doctors went back to keeping records the old-fashioned way, on paper.

If a hospital system is compromised, it puts the health of patients at risk. The likelihood is very high that the hospital will pay upon demand. An attack against critical infrastructure can be carried out successfully based on similar factors – if lives of people might be put in danger and time is pressing, the owners would often agree to pay up.

Power grids and power stations can be another important target for IoT malware. Their important role in the modern world was perfectly illustrated as far back as the Northeast blackout of 2003. It caused $6 billion in losses within several hours, affecting 55 million people. It wasn’t a cyber attack but a software failure. Today, hackers constantly scan the Internet for important and vulnerable networks, so energy companies should be prepared.

How to protect IoT systems from ransomware

Although there is no universal solution, many experts believe that the observance of certain guidelines and methodologies can help organizations and manufacturers better protect their IoT systems from ransomware.

One important point is the ability to upgrade the firmware of smart devices remotely. Security is a journey, not a destination, and no connected device can stay secure forever. A firmware update should therefore be a very simple, effective and safe process.

The last point matters most, because an insecure update channel is itself an entry point for malware. Time-tested measures close that entry point: locking down the processor and firmware so that only authorized images can be installed, and encrypting the communication channels between devices.
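As an added example (not code from the article or from any device vendor), here is the device-side check that turns a firmware update channel from an entry point into a gate. It assumes a hypothetical package layout, a 4-byte version followed by the image and an Ed25519 signature over both, and a device that holds the vendor's public key in protected storage. The device verifies the signature before it trusts any field and refuses any version that is not newer than the one it runs, so an attacker who has captured a genuinely signed but vulnerable old build cannot push it back onto the device. Go's standard library supplies Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container used only by this example (not any vendor's
// real format): 4-byte big-endian version, the raw image, then a 64-byte
// Ed25519 signature the vendor computed over version||image.
const sigLen = ed25519.SignatureSize

var (
	ErrMalformed = errors.New("update: malformed package")
	ErrSignature = errors.New("update: signature verification failed")
	ErrRollback  = errors.New("update: version is not newer than installed firmware")
)

// Device models the state a constrained device keeps in protected storage:
// the vendor's public key (provisioned at manufacture) and the running version.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint32
}

// Sign is the vendor's build-pipeline step: it packages an image with its
// version and signs both, so neither can be changed without the private key.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	pkg := make([]byte, 4, 4+len(image)+sigLen)
	binary.BigEndian.PutUint32(pkg, version)
	pkg = append(pkg, image...)
	sig := ed25519.Sign(priv, pkg) // covers version||image
	return append(pkg, sig...)
}

// Apply is the device-side check. The signature is verified before any field
// is trusted, and a version that is not strictly newer is refused so that an
// attacker cannot re-flash a genuinely signed but vulnerable older build.
func (d *Device) Apply(pkg []byte) ([]byte, error) {
	if len(pkg) < 4+sigLen {
		return nil, ErrMalformed
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(d.VendorKey, body, sig) {
		return nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version <= d.Version {
		return nil, ErrRollback
	}
	d.Version = version
	return body[4:], nil // the image is now safe to write to flash
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Version: 7}
	image := []byte("firmware v8 (constructed sample image)")

	if _, err := dev.Apply(Sign(priv, 8, image)); err != nil {
		panic(err)
	}
	fmt.Println("installed version", dev.Version)

	tampered := Sign(priv, 9, image)
	tampered[10] ^= 0xff // one flipped byte in the image
	_, err = dev.Apply(tampered)
	fmt.Println("tampered package:", err)

	_, err = dev.Apply(Sign(priv, 5, image)) // validly signed, but older
	fmt.Println("downgrade attempt:", err)
}
```

Two design points carry over to real devices: the version is inside the signed bytes, so an attacker cannot relabel an old image as new, and the device's version is only advanced after a package has passed every check.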

A reliable authentication mechanism poses another important protection measure. You may encounter situations these days when devices are connected to the Internet without any authentication at all.

This paves the way for spoofing. If lack of authentication becomes a mass phenomenon, it will be possible to disable millions of devices at once. Spoofing is particularly dangerous when a server with millions of connected machines is compromised.

To make intruders’ lives much harder, it is necessary to introduce reliable certificate life-cycle management and to standardize the code base of security systems. This will help reduce the number of attack vectors.

Of course, securing the Internet of Things remains an arduous task while the industry is still finding its way. Online criminals are only beginning to weigh the risks and assess the opportunities and potential profitability of this new market.

Meanwhile, manufacturers and users are not too concerned about the possible threat. That will probably change quickly after the first successful incidents of criminal monetization of IoT vulnerabilities. Hopefully, we will have time to prepare.

This article was written by David Balaban from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


Public-private partnership critical to thwarting cyber threats https://securingtomorrow.mcafee.com/business/neutralize-threats/public-private-partnership-critical-to-thwarting-cyber-threats/ Mon, 12 Jun 2017 23:02:25 +0000

The post Public-private partnership critical to thwarting cyber threats appeared first on McAfee Blogs.

While a set of more than 100 recommendations to help increase cybersecurity across the healthcare industry might seem like overkill, the co-chair of a task force that developed them believes the challenges are urgent and wide-ranging, requiring immediate and aggressive action.

“There are so many areas that need to be addressed, quite frankly, given the complexity of healthcare,” says Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force, which was created by Congress through the Cybersecurity Act of 2015 to examine the sector’s vulnerabilities.

Specifically, the task force’s June 2 report, which was sent to several congressional committees, calls for a unified effort by both the public and private sectors to counter the growing cyber threats that are putting patient information and safety at risk.

“Real cases of identity theft, ransomware and targeted nation-state hacking prove that our healthcare data is vulnerable,” states the report, which was finalized prior to last month’s WannaCry ransomware attack that compromised more than 300,000 computers worldwide in at least 150 countries, including the National Health Service in the United Kingdom.

“A breach is not a matter of if, but when,” warns Meadows. “Everybody is going to experience some level of this type of issue. One of the most important takeaways from the task force report is knowing your plan of action when a situation occurs so you can mitigate and recover from such an event.”

Meadows, who is also senior vice president and chief information officer at Cook Children’s Health Care System, contends that the panel’s intention was to provide actionable recommendations designed to increase security across the industry – each recommendation has one or more action items for implementing them.

The task force’s 100-plus recommendations are organized into six high-level imperatives, including increasing the security and resilience of medical devices and health IT. In particular, Meadows observes that medical devices are a “tough nut to crack because most institutions have medical devices for many years,” adding that, on average, it’s a 10- to 15-year investment timeframe.

“Our security posture has really changed over those 15 years, and those devices were not designed to have all of those mitigation factors in place, nor were they designed to be fully integrated to electronic health records,” she notes. “Some of the mandates around Meaningful Use have really driven up the risk around medical devices because they weren’t initially designed that way. The key is beginning to replace those legacy devices so we can have them on the most current software and security without it being cost-prohibitive.”

According to Meadows, another high-level healthcare cybersecurity imperative is improving information sharing of industry threats, weaknesses and mitigations. “Some organizations wouldn’t want to report a security incident because of how it might affect them from a consumer standpoint, but there are a lot of good mechanisms to share critical information to fix and prevent issues without identifying the institutions that reported it,” she says.

Meadows believes that one of the strongest recommendations made by the task force is for the Department of Health and Human Services to create a cybersecurity leader role within HHS to align industry-facing efforts for healthcare cybersecurity. She makes the case that many different programs and agencies within and outside of HHS are responsible for cybersecurity, but it’s critical to have a single person who is responsible for coordinating these activities.

Overall, the successful implementation of these recommendations “will require adequate resources and coordination across the public and private sector,” finds the task force’s report.

However, the task force points out that healthcare organizations “often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

It’s a serious problem for healthcare organizations, which have a responsibility to secure their systems, medical devices and patient data from these kinds of cyber attacks with razor-thin operating margins, and, as a result, “cannot afford to retain in-house information security personnel, or designate an information technology staff member with cybersecurity as a collateral duty,” according to the task force.

Meadows acknowledges that security is a “harder sell” for C-level healthcare executives “because it’s really an insurance policy and there’s no perceived ROI to having good security posture and hygiene,” particularly in smaller organizations facing resource constraints.

However, organizations making the decision to “prioritize cybersecurity within the healthcare industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment,” concludes the task force report.

“People are beginning to see that it’s more of a priority,” adds Meadows. “It’s going to take all of us working together to really make some headway on these issues on how to improve security in healthcare. I hope organizations will really take to heart some of the recommendations that have been made and begin to put implementation plans in place.”

This article was written by Greg Slabodkin from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


Denial Of Service Is A Growing Threat: How Can You Better Protect Your Business? https://securingtomorrow.mcafee.com/business/neutralize-threats/denial-of-service-is-a-growing-threat-how-can-you-better-protect-your-business/ Fri, 02 Jun 2017 19:46:29 +0000

The post Denial Of Service Is A Growing Threat: How Can You Better Protect Your Business? appeared first on McAfee Blogs.

Earlier this month, I wrote on the changing face of cybersecurity, and last week I wrote a blog on recent high-profile security attacks, and what lessons we can take away from them. Today, as part of our ongoing series on security, I wanted to take a deeper dive into the different kinds of Denial of Service attacks (DoS), and what enterprises need to do in order to better secure themselves from this growing threat. We’ve touched on the topic a few times in the last several blogs, but there’s a fair amount more to chew on here.

Three kinds of DoS – classic, DDoS, PDoS

First off, there are three main variations on DoS attacks, all of which are distinct from traditional data theft or information loss (though those may happen as a result of a DoS). While the industry disagrees a bit about the proper acronyms, the underlying concepts are widely agreed upon; here’s the rundown, using the nomenclature we typically use at Moor Insights & Strategy. First, the classic Denial of Service attack, referred to simply as DoS. This is when a server is made inaccessible, either by overloading it with traffic or by compromising its firmware. A slight twist is that a server with compromised firmware can technically remain available while simultaneously being used by a baddie for criminal purposes. This is a particularly sinister threat, because users might not immediately realize that they’ve been compromised.

Next up, we’ve got the Distributed Denial of Service, or DDoS. This form of DoS occurs when a server is attacked from many different locations at once, making it incredibly difficult to pinpoint where exactly the attack is coming from. You’ve probably been hearing a lot about this one: the recent gigantic Mirai-Dyn attack falls under this category. In that case, experts believe that the Mirai bot targeted unsecured IoT devices running default credentials and out-of-date firmware, and transformed them into a huge botnet that flooded Dyn with traffic. This was one of those attacks that we in the industry see as a harbinger of things to come: with the proliferation of IoT and edge devices, the threat surface is growing and becoming increasingly vulnerable to attacks of this nature.

The third, and final form of DoS is what we call Permanent Denial of Service, or PDoS. This occurs when a server or device is compromised (often at the firmware level), to the extent that it becomes impossible to recover. No way to revive it back into operation, just plain dead. Referred to colloquially as a “brick,” these sorts of serious attacks are on the rise. In an interesting twist, there’s a new malware strain that’s popped up that seems to be intentionally “bricking” unsecured IoT devices – seemingly to take them off the table to prevent the spread of Mirai-like malware. It may be the work of a well-intentioned vigilante, but it’s still PDoS and a huge headache for those who are being permanently iced out from their devices.
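The first two categories differ in where the load comes from, and that difference is visible in an ordinary web-server access log. The following is an added example, not code from the original article or from Moor Insights & Strategy: it reads common-log-format lines, counts requests per client over the window they span and, when the overall rate is abnormal, reports whether the load is dominated by one client (the classic single-source flood) or spread thinly across many (the distributed pattern that makes the origin hard to pin down). The thresholds, the log format and the three sample logs are assumptions constructed for the example. A permanent denial of service leaves no such traffic signature; it shows up as a device that no longer boots.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"strings"
	"time"
)

// Verdict summarizes the traffic in one log window.
type Verdict struct {
	Total, Sources, TopCount  int    // requests, distinct clients, busiest client's requests
	TopSource                 string // busiest client address
	SingleSource, Distributed bool   // classic single-source DoS vs. DDoS pattern
}

// Thresholds are assumptions for this example, not figures from the article.
const (
	floodRate     = 100.0 // requests per second above which the window is abnormal
	dominantShare = 0.5   // one client above this share of requests => single source
	minSources    = 50    // distinct clients needed before calling it distributed
	clfTime       = "[02/Jan/2006:15:04:05 -0700]" // common-log-format timestamp
)

// Analyze reads common-log-format lines such as
// 203.0.113.7 - - [02/Jun/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 612
// and classifies an abnormal load by how concentrated it is across clients.
func Analyze(log string) Verdict {
	counts := map[string]int{}
	var first, last time.Time
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // unparsable line: skip it rather than abort the window
		}
		ts, err := time.Parse(clfTime, f[3]+" "+f[4])
		if err != nil {
			continue
		}
		if first.IsZero() || ts.Before(first) {
			first = ts
		}
		if ts.After(last) {
			last = ts
		}
		counts[f[0]]++
	}
	v := Verdict{Sources: len(counts)}
	for ip, n := range counts {
		v.Total += n
		if n > v.TopCount {
			v.TopSource, v.TopCount = ip, n
		}
	}
	secs := math.Max(last.Sub(first).Seconds(), 1) // a sub-second burst counts as one second
	switch {
	case float64(v.Total)/secs < floodRate: // ordinary traffic: neither flag set
	case float64(v.TopCount) >= dominantShare*float64(v.Total):
		v.SingleSource = true
	case v.Sources >= minSources:
		v.Distributed = true
	}
	return v
}

// makeLog builds a constructed access log: n requests over span seconds.
func makeLog(n, span int, ipFor func(i int) string) string {
	base := time.Date(2017, time.June, 2, 10, 0, 0, 0, time.UTC)
	var b strings.Builder
	for i := 0; i < n; i++ {
		ts := base.Add(time.Duration(i%(span+1)) * time.Second)
		fmt.Fprintf(&b, "%s - - %s \"GET / HTTP/1.1\" 200 612\n", ipFor(i), ts.Format(clfTime))
	}
	return b.String()
}

// Constructed samples using documentation address ranges, not real clients.
func SingleSourceLog() string { // 300 requests from one client, 20 from bystanders
	return makeLog(320, 2, func(i int) string {
		if i < 300 {
			return "203.0.113.7"
		}
		return fmt.Sprintf("198.51.100.%d", i-299)
	})
}
func DistributedLog() string { // 300 requests, three each from 100 clients
	return makeLog(300, 2, func(i int) string { return fmt.Sprintf("192.0.2.%d", i%100+1) })
}
func NormalLog() string { // 20 requests spread over ten seconds
	return makeLog(20, 10, func(i int) string { return fmt.Sprintf("198.51.100.%d", i+1) })
}

func main() {
	for _, s := range []struct{ name, log string }{{"single", SingleSourceLog()}, {"distributed", DistributedLog()}, {"normal", NormalLog()}} {
		fmt.Printf("%-11s %+v\n", s.name, Analyze(s.log))
	}
}
```

The single-source case is the one a firewall rule or a per-client rate limit can absorb; the distributed case is why upstream scrubbing or anycast capacity is needed, since no one address stands out enough to block.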

What can you do to better protect yourself?

As we’ve discussed before, security is a constantly moving target and the players, techniques and remedies change over and over. Compute clients and networks were the soft spot five years ago but now it’s the server. Hackers go after the soft spots.

First the obvious – businesses need to make sure their firmware is up to date, and make sure all the default passwords on their devices have been changed. These common blind spots are known to cyber-criminals, and they will be taken advantage of. But as I’ve written before, security measures must go deeper than that – they have to be incorporated into the blueprint of their products, down to the hardware and firmware. For an enterprise to truly be secure, it needs to beef up measures on all fronts – hardware must be strengthened, AI should be leveraged to quickly and more effectively detect anomalies, and encryption must be extended to the component level. If an enterprise’s security strategy is not holistic, it’s not a matter of if a cybercriminal will breach its defenses, but when. These measures will do much to protect enterprises from DoS attacks, as well as more traditional threats. 

Last but not least, security must be extended to partners and the supply chain. This area is often overlooked from a security standpoint, and it is vulnerable. Access to firmware must be strictly controlled every step of the way. Enterprises have to properly vet and verify the companies they do business with to make sure that they are not exposed to malware and counterfeit materials at any juncture. Even Apple reportedly, according to Ars Technica, fell victim to an attacker at the supply-chain level: a fake firmware patch made its way in via Supermicro, a server supplier. Even the biggest, most secure companies are struggling with this blind spot, and that has to change.

Wrapping up

DoS attacks are ramping up, and it’s important to know what they are and how they could potentially affect your enterprise. They can kill productivity and cause massive downtime, such as the Mirai-Dyn incident, or they can open the door to data theft and information loss and even ruin your hardware. Right now it’s a hacker’s playground out there, with unsecured devices popping up left and right and most enterprises still struggling to devise effective, holistic security strategies to address the expanding threat surface and changing characteristics. This is a problem that’s only going to get worse unless the right measures are taken, and soon.

Disclosure: My firm, Moor Insights & Strategy, like all research and analyst firms, provides or has provided research, analysis, advising, and/or consulting to many high-tech companies in the industry, which may be cited in this article. I do not hold any equity positions with any companies cited in this column.

Note: Moor Insights & Strategy technical writer Walker Pickens contributed to this article.

This article was written by Patrick Moorhead from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


Chipotle removes malware after breach strikes payment systems https://securingtomorrow.mcafee.com/business/neutralize-threats/chipotle-removes-malware-after-breach-strikes-payment-systems/ Thu, 01 Jun 2017 22:39:15 +0000

The post Chipotle removes malware after breach strikes payment systems appeared first on McAfee Blogs.

(Bloomberg) – Chipotle Mexican Grill Inc., which warned investors and customers last month that it had suffered a data breach, gave the all-clear on Friday, saying it had removed malicious software from its systems.

The company identified the so-called malware during a probe that included law enforcement, payment-card networks and cybersecurity firms, the burrito chain said. Hackers installed the software in order to grab customer data from point-of-sale devices, striking between March 24 and April 18.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”
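The statement above describes a point-of-sale RAM scraper: it hunts process memory for the sentinel characters that frame track 1 and track 2 data on a magnetic stripe. As an added example, not part of the Bloomberg report or of Chipotle's statement, the code below applies the same patterns from the defender's side, scanning a buffer for track data and keeping only records whose PAN passes the Luhn check, which is what separates a card number from any other run of digits. The memory buffer is constructed for the example and uses the industry's published test card numbers; the field layout follows the ISO/IEC 7813 track formats.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hit is one card record located in a buffer, with the PAN already masked so
// the scanner itself never logs a full card number.
type Hit struct {
	Track     int
	MaskedPAN string
	Expiry    string // YYMM as encoded on the stripe
}

// Track 1 (ISO/IEC 7813 format B) starts with "%B", then PAN, "^", name, "^",
// YYMM, service code and discretionary data, ending in "?".
// Track 2 starts with ";", then PAN, "=", YYMM, service code, discretionary
// data, ending in "?". These sentinels are what a RAM scraper hunts for.
var (
	track1 = regexp.MustCompile(`%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]*\?`)
	track2 = regexp.MustCompile(`;(\d{13,19})=(\d{4})[^?]*\?`)
)

// luhnOK rejects digit runs that merely look like a PAN: real card numbers
// carry a Luhn check digit, so this filter removes most false positives.
func luhnOK(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps the issuer prefix and last four digits, the usual PCI display form.
func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanTrackData returns every Luhn-valid track 1 and track 2 record in buf.
func ScanTrackData(buf []byte) []Hit {
	var hits []Hit
	for _, m := range track1.FindAllSubmatch(buf, -1) {
		if pan := string(m[1]); luhnOK(pan) {
			hits = append(hits, Hit{Track: 1, MaskedPAN: mask(pan), Expiry: string(m[3])})
		}
	}
	for _, m := range track2.FindAllSubmatch(buf, -1) {
		if pan := string(m[1]); luhnOK(pan) {
			hits = append(hits, Hit{Track: 2, MaskedPAN: mask(pan), Expiry: string(m[2])})
		}
	}
	return hits
}

// sampleMemory is a constructed stand-in for a POS process's heap. The card
// numbers are published test numbers, not real accounts; the third record is
// a digit run that fails the Luhn check and must not be reported.
var sampleMemory = []byte("POS ready\x00junk" +
	"%B5555555555554444^DOE/JOHN^25121011000000000000?" +
	"\x00\x00more heap noise" +
	";4111111111111111=25121011000012345678?" +
	";1234567890123456=2512101?" +
	"\x00end")

func main() {
	for _, h := range ScanTrackData(sampleMemory) {
		fmt.Printf("track %d  PAN %s  expires %s\n", h.Track, h.MaskedPAN, h.Expiry)
	}
}
```

Run against a process memory dump or a network capture, the same scanner answers the question Chipotle's investigators had to answer: whether track data was present in clear text where it should not have been.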

The data breach was the latest setback for a company that has struggled to revive growth. An E. coli scare in late 2015 sent its sales and stock price plunging. To win back customers, the Denver-based chain has rolled out a new ad campaign and free-food offers. The company also shook up its board after being targeted by activist investor Bill Ackman.

Same-store sales began to recover last quarter after declining for five straight periods, raising hope that a turnaround is underway.

On Friday, Chipotle warned customers to check their credit-card statements for unauthorized charges and “remain vigilant to the possibility of fraud.”

This article was written by Nick Turner from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The modern guide to staying safe online
https://securingtomorrow.mcafee.com/business/neutralize-threats/the-modern-guide-to-staying-safe-online/ (Wed, 24 May 2017 22:15:17 +0000)

The internet can be a scary place. Threats come in many forms, lurking in practically any corner. Worse, yesterday’s prevailing advice for staying safe online – avoid dodgy websites, don’t traffic in stolen or illegal goods, interact only with people you know – no longer holds. Phishing emails from supposed family members, spyware piggybacking on legitimate apps, well-known sites hijacked with malicious code – digital safety clearly needs new rules to meet today’s evolving threatscape.

Considering how much of our digital lives occurs online – communications, financial transactions, entertainment, work, education, to name a few – adopting even a few safe browsing practices can lead to broad benefits. And this includes how we deal with email messages as well, given how popular email is as a delivery mechanism for online attacks using exploit kits and malware.

Here, we provide a strategic guide for staying safe online, outlining what you can do to protect your data and privacy on the web, while remaining productive.

Understand your threat profile

With so many threats looming, it’s tempting to take the strictest approach by locking everything down, but the challenge is to balance precautions in a way that keeps you productive. For example, to avoid malicious JavaScript, you could just turn off JavaScript in your browser preferences – except half the Internet would become nearly impossible to use. Have you tried using Gmail without JavaScript turned on? It isn’t pleasant.

We all use the web differently, and our risks vary drastically, depending on where we are, what we are doing, even what day it is. How security researchers stay safe online is dramatically different from a consumer who emails, uses Facebook, and watches Netflix. That in turn is different from a developer downloading new tools and frequenting forums for advice.

At a base level, you should regularly update all your applications – not just the OS, but every application, especially your web browser. You should also switch your browser preferences to click-to-play for Flash if your browser hasn’t proactively done that for you. You should also deactivate ActiveX and uninstall the Java client on your machine. Unless you are using Java-hungry client applications, such as games or certain educational offerings, you likely don’t need Java anymore. Even major videoconferencing applications are shifting to pure HTML5.

You should also consider the combination of venue and activity. For example, performing sensitive transactions on public wireless networks can get you in trouble. The public Wi-Fi at your favorite coffee shop is not the place for online banking. Not even if you’re using an SSL connection; a man-in-the-middle attack is still possible over SSL.

Once you’ve got those basics down, you’ll need to consider what dangers you are most worried about, what assets you want to protect, who you interact with regularly, and where your data is stored. In the following sections, we break down these concerns to help you match your secure browsing practices to your threat tolerance – the level of threat you’re willing to live with online.

Threat level 1: No malware, please

Most folks, especially businesses, want to avoid malware at all costs. Two of the most common vectors are links that download malware and drive-by downloads, in which malware is downloaded automatically just by loading a web page. Dangerous links can be found on webpages, in email, or on IM. Scammers often use social networks and URL shorteners to spread malicious links in disguise, in hopes that someone will click.

First action: Stop clicking on links. This requires social training, and it can be hard to stick to, especially given all the links we are sent all the time both professionally and personally. Ask people you communicate with regularly to send you a heads-up notification if they are planning to send a link – and to send the link only after getting positive confirmation. Or, ask people to confirm that they in fact sent the link by using a different channel. For example, text your brother to ask if the link sent from his account is really from him. This may sound paranoid, but the recent fake Google Docs scam succeeded because people thought the malicious file was from someone they trusted. Always type in your own links, and if someone sends you a link to what looks like a cool whitepaper, go to the source directly and seek out the whitepaper on the website yourself.

Pro tip: Set your browser to ask where a document should be saved so that you are always aware when something is being downloaded. Drive-by downloads rely on stealth so that users don’t even realize what is happening. Configure your security software to scan all files as they are downloaded.

Threat level 2: I don’t like spyware, either

An attacker who manages to compromise your browser can uncover all kinds of information. Here, browser add-ons are not necessarily your friend. Use them sparingly, as they can become an unforeseen delivery mechanism for malware. Periodically check your list of extensions (chrome://extensions in Chrome, about:addons in Firefox) to see whether anything unfamiliar or inexplicable is there. You can rarely go wrong by disabling something that looks suspicious. Also be mindful of web pages that try to trick you into installing browser extensions – for example, “Click ‘add’ to speed up this website” or some other deceptive prompt.

First action: Be extra cautious with browser add-ons created by individuals, as they may access sites without HTTPS. Even the pros struggle: LastPass, creator of the widely used password manager, has had to fix a number of serious vulnerabilities in its browser extension recently. Ask yourself if the convenience provided by an add-on outweighs the potential risk, especially if it’s something you may not find worthwhile in a month.

Pro tip: Always consider the source. If you need to download Flash or Adobe Reader, get it from Adobe’s website. Don’t download tools like these from unaffiliated websites, because it’s easy for spyware, adware, and other malicious files to piggyback onto the download. Don’t search for “free PDF converter” and download whatever comes up first. (Do you even need one? Chrome automatically turns pages into PDF, and Office has good PDF support nowadays.) Projects like PortableApps.com and Ninite provide convenient ways to automatically obtain and update common open source and free-to-use applications from trusted sources.

Threat level 3: No tracking at any time

It’s happened to all of us: After browsing for floor tiles on HomeDepot.com, ads for home improvement pop up everywhere on the internet. Advertisers rely on cookies to follow you online and serve up ads based on your activity. But it’s not just advertising. Websites use cookies to remember your accounts, passwords, and browsing history, and to track your activity on their site. When you disable and clear cookies you cut down on the personal data cybercriminals can obtain.

First action: Use private browsing or incognito mode when online. Here, cookies and browsing history aren’t retained when your session ends. You can fire up incognito mode and paste in a URL (that you are sure isn’t going to give malware) and navigate to the page fully sure you aren’t tracked. If you want to always be incognito on Chrome, add --incognito at the end of the target command in Chrome’s shortcut properties, and you’ll be in incognito mode whenever you launch Chrome. You can do the same for Firefox via about:config.

Pro tip: If you want to use Facebook, Twitter, or other social account but don’t want that login following you persistently, create a separate user profile in Chrome, Firefox, or Safari, one reserved exclusively for that social network. Log into it there, and only there, and use it there and only there. This confines the amount of data associated with that login to only those things you absolutely need it for. This technique is also useful for minimizing tracking from sites that use social networks as single-sign-on providers, like Spotify.

If you are concerned about tracking, you should enable Do Not Track on every browser you use. DNT isn’t enforced – it just tells websites that you’ve asked not to be tracked. It’s up to the websites you visit to respect that request. Many websites aren’t scrupulous and there is no guarantee the site you are visiting will honor the request, but it doesn’t hurt to at least make your preferences clear upfront.

Threat level 4: Hands off my information

Cookies are prime targets for cybercriminals because of the information they contain, especially those with emails, account names, and passwords. Even when obscured, this information can be used nefariously. Cross-site scripting attacks use JavaScript on a webpage to extract user details and session information from cookies and impersonate them online, and cross-site request forgery attacks use session cookies to forge requests for other sites.

First action: Block cookies whenever you can. While it would be nice to block both first-party and third-party cookies, and to disable session cookies, it makes basic web browsing such as email and social networking nearly impossible. You should at least block third-party cookies, and you should consider deleting your browser history on a regular basis.

Also, don’t let browsers store passwords. It’s convenient, but it’s hard to guarantee the security of the stored passwords. Use a separate password manager such as 1Password or KeePass.

Pro tip: For searches, use a secure search engine such as DuckDuckGo, which doesn’t store information automatically transmitted by the computer, such as your IP address and other pieces of digital identity. DuckDuckGo cannot auto-complete search queries based on previous searches or location, but that’s a small price to pay given that it also cannot link search history to you.

If you want to keep your information to yourself, private browsing is your friend. If no cookies are saved, there’s nothing to steal. It’s a good idea to delete all cookies after every browser session. You will have to log in to websites with each new session because they won’t know who you are. This is another use case for establishing distinct user sessions, in which you create sessions for specific logins and confine cookies for that login to that user session only.

While some add-ons can be dangerous, others are good – for example, Disconnect, which blocks third-party tracking cookies. The extension blocks social media accounts from tracking browsing history and gives users the ability to control the scripts on the site. Another extension worth having, Ghostery, blocks common tracking scripts but lets you whitelist sites that depend on them if need be.

Threat level 5: Don’t phish me

Phishing sites are fraudulent websites designed to steal personal information. This isn’t limited to login credentials for email or banking sites. Phishing sites can masquerade as contests and ask for your SSN. Phishing attacks can also redirect victims to a bogus site where malicious code is downloaded and the malware collects sensitive information. We see potential phishing attacks everywhere, so our natural inclination is to not click on any links.

First action: Don’t click on links received in email or open attachments, let alone fill out sensitive information in forms that come your way. That FedEx claim form may just be a fake. Pick up the phone and call FedEx to verify what is going on. Don’t click the link in an email that looks like it’s from HR warning you about your vacation balance. Go to the HR website directly to see what is wrong. Typing out URLs helps catch tricks such as using a 0 (zero) instead of an O (the letter) or nn instead of m, or the fact that the address is something like paypal.com.someothersite.com. Type a trusted URL for a company’s site into the address bar of your browser to bypass links in an email or instant message.

Pro tip: Provide personal information only on sites that use HTTPS. Remember that with Let’s Encrypt and other sources of free SSL certificates, just a padlock icon is no longer enough. Look for an EV cert – the name of the entity should show up in the browser bar. The HTTPS Everywhere extension from the Electronic Frontier Foundation is also a good option as it forces sites to put traffic over HTTPS.

If you receive emails from merchants – for instance, for specials or discounts – see if there’s an option to send emails as text instead of HTML. This makes it easier to see what the content of a given link is.

It’s difficult to detect all phishing attempts – some are extremely good. Make sure you don’t use the same password for your accounts so that a stolen one doesn’t mean all others are compromised. Use a password manager to generate distinct passwords for each site account. Try to keep personal Internet separate from work Internet, and never register for sites using your work address. If that account gets compromised, you don’t want it to lead to phishing attacks against your work address. Turn on two-factor authentication, when a site supports it, to make it harder for attackers to use stolen credentials – especially if that site is a financial institution.

Threat level 6: Nuclear protection

If you’re going for maximum protection, you’ll need to set up a system of multiple browsers and operating systems to keep activities separate. And you might want to consider a series of virtual machines to isolate the threats.

First action: Use different web browsers for different activities: Have a browser for financial transactions, another for communications, another for just browsing. That way, if an attacker compromises a web forum you frequent, he or she can’t use cross-site scripting to get access to online banking because the attack can’t jump across browsers. A Facebook scam can’t escape to gain access to Amazon.

For a very sensitive website – the crown jewel of your accounts – have a dedicated web browser for that site and be restrictive in its configurations. For example, having a dedicated browser used only to access your Amazon Web Services control panel means there is no way to “accidentally” browse to some other site (whitelist only AWS, block others) and potentially expose your organization’s entire cloud infrastructure. Turn on all security options to lock down the browser.

Pro Tip: For extremely risky – potentially dangerous – or incredibly sensitive sites, consider splitting up the activity across multiple virtual machines. Do all your banking in a dedicated virtual machine using a locked-down (yet up-to-date) browser. This eliminates all banking-focused web attacks, and the attacker would have to do a lot more work to get your banking information.

Linux Live CDs are a great alternative to running VMs – you can even run a Live CD in a VM for maximum security. Tails is a very stripped-down Linux variant that runs off a USB drive and can be used to hide digital footprints, since it keeps nothing persistent.

Got an email attachment that looks hinky? Open it in a VM. If it’s malware, it has infected just an empty VM. Of course, don’t assume that everything is okay just because nothing happens in the VM: Malware can be designed to not execute within a VM. Keep that file always in the VM and away from your main desktop.

If you want to hide your activities online, consider Tor, which conceals your identity by using encryption to scramble data transmissions and routes traffic between multiple Tor nodes to obscure the origin. Since your traffic passes through random servers with Tor, the data is no longer tied to your personal IP address.

Use NoScript to disable Java, JavaScript, Flash, and other dynamic content. This option will break a lot of websites, but it lets you authorize content manually, so it requires careful attention to ensure malicious code doesn’t get approved by accident. Adblock Plus blocks pop-ups and other content from known advertising and spyware sites. There are concerns with how Adblock Plus creates blocklists, because advertisers can pay to be whitelisted on the platform, but it gets the job done if the goal is to shut down pop-up ads and block potential attacks.

An alternative is to disable JavaScript and block pop-ups from the browser itself. Most browsers automatically block pop-ups by default, but JavaScript is enabled by default, again because it’s so widely used.

Keep safe

Being safe online is a combination of technology, awareness, and willingness to jump through hoops. Today’s browsers offer lots of protections, including the ability to disable plugins and turn on anti-phishing mechanisms. Just turning those on and completing basic security hygiene, such as updating all software, will address much of the low-hanging fruit.

But it is easier than ever to be infected with malware or get hit by a phishing attack. Sometimes it’s just a matter of being in the wrong place at the wrong time. But once you know what you are most worried about and what your appetite for risk is, you can set a sensible security regimen to fit your needs, keeping you safe and productive online.

This article was written by Fahmida Y. Rashid, Serdar Yegulalp from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Sixth-grader weaponizes smart teddy bear, hacks security audience’s Bluetooth
https://securingtomorrow.mcafee.com/business/neutralize-threats/sixth-grader-weaponizes-smart-teddy-bear-hacks-security-audiences-bluetooth/ (Mon, 22 May 2017 17:10:57 +0000)

If yet another cybersecurity expert wanted to warn the general public about the risks associated with the Internet of Things (IoT), it is likely the warning would go in one ear and out the other. But when a sixth-grader hacks an audience of security experts and “weaponizes” his smart teddy bear, it might just snag the attention of parents who have disregarded warnings about the dangers and bought internet-connected toys for their kids anyway.

At the International One Conference in the Netherlands on May 16, 11-year-old Reuben Paul set out to ensure that “the Internet of Things does not end up becoming the Internet of Threats.” Judging by security experts’ awed reactions on Twitter, Paul made a lasting impression.

“From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the Internet of Things (IoT),” Paul said during his keynote, Mutually Symb-IoT-ic Security. On stage at the World Forum in The Hague, he added, “From terminators to teddy bears, anything or any toy can be weaponized.”

He then used his smart teddy bear, Bob, to prove his point. Paul plugged a Raspberry Pi into the bear, which is connected to the cloud via Wi-Fi and Bluetooth, to send and receive messages. He scanned for Bluetooth devices. AFP reported that “to everyone’s amazement, including his own,” he “suddenly downloaded dozens of numbers including some of the top officials.”

Using Python, he “hacked into this bear via one of the numbers to turn on one of its (LED) lights and record a message from the audience.”

Live demos are great when they work as intended, but it surely is nerve-wracking for the speaker.

Young Paul, aka @RAPst4r, tweeted that his “heart was going boom boom before the bear’s heart went blink blink.”

“Most internet-connected things have a Bluetooth functionality. … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” Paul told AFP.

“IoT home appliances, things that can be used in our everyday lives, our cars, lights, refrigerators, everything like this that is connected in our homes, could be used and weaponized to spy on us, or even harm us,” he added.

Internet-connected devices can be weaponized to steal passwords or other sensitive information, used as remote surveillance or to determine a person’s location. A smart toy could be abused to tell a kid, “Meet me at this location and I will pick you up.”

His Kung Fu is strong and not just the digital kind. Paul was the youngest person in America to have received the Shaolin Do Kung Fu Black Belt.

This Austin, Texas, sixth-grade “cyber ninja” is also founder and CEO of CyberShaolin, a non-profit organization with a mission “to educate, equip and empower kids with the knowledge of cybersecurity dangers and defenses, using videos and games.” These are videos and games that Paul “develops when he is done with his homework or his sports training.”

Paul has shown an aptitude in IT since he was six. He “shocked” his dad, IT expert Mano Paul, by first hacking a toy car before moving on to exploit vulnerabilities in more complex toys. His father said, “It means that my kids are playing with time-bombs that over time somebody who is bad or malicious can exploit.”

This isn’t the first time his son has presented at security conferences. In 2014, at age 8, Paul delivered a talk at DerbyCon. And when he was only a third-grader, Paul gave a closing keynote at the 2014 Houston Security Conference and spoke at the (ISC)2 Congress. Back then, he reportedly wanted to become a cyber spy and had already become founder and CEO of Prudent Games. At age 9, he was dubbed the next generation of security at the RSA conference and a child prodigy.

It’s exciting to think what he might do next after live-hacking his smart teddy bear. Be it his age or hacking a toy, Paul hopes people won’t miss the message:

This article was written by Ms. Smith from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Your data has been kidnapped… now what?
https://securingtomorrow.mcafee.com/business/neutralize-threats/your-data-has-been-kidnapped-now-what/ (Tue, 16 May 2017 17:34:29 +0000)

What’s it like to be held hostage? I never want to find out and I’ll bet you don’t either. But given today’s environment executives might find themselves held hostage in a way they never expected. Ransomware, as it is known because it holds your entire computer system hostage, is quickly becoming the hacker’s method of choice because it’s simple, fast and virtually untraceable.

For the most part, companies that are victims have little choice (unless they’re properly prepared – more on that later) but to pay the ransom, whatever it is, to alleviate the attack. In fact, up until very recently even the FBI has recommended to victims that they pay up.

Ransomware attacks are different from what most people perceive as a cyberattack. There’s no theft of data or interest in stealing personal identification. Hackers don’t care if your company stores credit card information, medical records, login credentials or Social Security numbers. Instead, ransomware attacks leverage the importance of your business operation and access to your data, or what your computers control, to force you to pay up. And it happens. A lot.

In fact, it’s becoming so ubiquitous that the CyberThreat Alliance estimates that they’ve seen 406,887 instances of just one type of “infection” and that the damage last year alone was $325 million. And that’s a soft number because it doesn’t calculate the damage from lost time, productivity and reputation. $325 million is just what you can put your finger on.

So how does this work and why is it so effective? Simple: An email containing a link, attachment or embedded virus is sent to someone – anyone – in your organization. It might appear to come from the CEO, or from a large bank or credit card company. Using standard “phishing” techniques they’re bound to get at least one sucker to open the attachment and that’s all it takes. Once they open the email and click the link your entire organization could be held hostage for a ransom. What happens is that by clicking the link or downloading the file they’ve installed a piece of nefarious code that hackers will then use to encrypt your entire system with a key that only they have. But maybe not right away.

Imagine that your entire company and everything in it that is connected to the Internet – payment processing, manufacturing machinery, logistics control, physical security systems – essentially everything – grinds to a very loud screeching halt. Because the hackers were patient, they planted the seed for this weeks ago when an email contained a link to a file labeled “Account receipt.doc” or “Financial records.pdf” or some other tempting name. Nothing happened at the time (because the hackers planned it that way) and the code just waited. And waited. And waited some more until you receive a frightening and threatening email telling you that you need to pay up or you’ll lose access to every record your company maintains.

Worse, you’ll be completely locked out of every control, machine, logistics management software, sensor, camera, temperature regulator, voltage regulator and whatever else is on your network.

And your personnel records, inventory information, customer data and everything else that’s stored anywhere on your network? As the old-style thieves used to say, fuhgeddaboudit. You’re toast. And as the clock keeps ticking and the business losses pile up the board of directors and the executives are left with a simple choice: Pay the ransom to get the key to unlock your world or take the high road and refuse to pay but watch your business crumble.

There’s no right choice … but there’s no good choice, either. Ethics and principle demand that you stand your ground and not negotiate with criminals. Reality, however, is that your phone system doesn’t work, your factory is completely shut down, your ledgers, ordering system and everything else is eerily quiet. So you grind your teeth, bang your fist on the desk … and pay.

Or not. Maybe you don’t have to pay because you took the appropriate precautions. They’re relatively simple but the number of companies that don’t follow these simple guidelines would shock you.

  • Backup backup backup backup backup. That’s right – do it daily, weekly, monthly, quarterly and annually. Move the backups offline to another, totally separate network with completely different credentials and operations. That’s what cloud systems are great for – use them. Take snapshots of different types of data in different ways. Be absolutely totally obsessively compulsively fanatic about it. And then do it some more. If you have an unencrypted backup and are the victim of a ransomware attack you can laugh at the criminals while you restore a perfectly preserved snapshot of your system from the day, week or month before. It may not be up to the minute but it’ll be enough and you’ll thank yourself for doing it.
  • Educate your employees until they’re sick of hearing it. Tell them not to click links, insert USB thumb drives, open emails from anyone not in their address book and a dozen other things that can expose the entire company. Then do it again. And again – until it is seared into their memory to the point where they are all mildly paranoid. In today’s cybercrime world that’s a healthy state of mind.
  • Conduct a fire drill. Pick a day – preferably over a weekend or some other time when your normal business will not be heavily impacted – and tell your IT department that you just got the worst scareware letter you’ve ever seen, or have the IT department call you and tell you that every single aspect of your system is locked up. Then create a checklist of what to do, who is responsible for doing it and what can be done while you are bringing your backup online. Do you need to call customers, put up a message on your web page, make a public announcement or tell your employees? Figure it out now, because when this happens you won’t be able to think about anything other than getting your operation restored.

Ransomware is nothing more than an old-fashioned kidnapping. But there isn’t just one person being held hostage, there’s an entire organization, your customers, your employees and, probably most dangerous of all … your reputation. Remember this: It takes years to build up a great reputation and just a moment to destroy it. Don’t let this happen to you. Don’t be a victim. Be diligent. Be prepared. Be cyber aware!

This article was written by Scott Goldman from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Further Analysis of WannaCry Ransomware
https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/ (Sun, 14 May 2017 21:25:15 +0000)

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s network propagation, Bitcoin activity, and differences in observed variants.

Malware network behavior

WannaCry uses the MS17-010 exploit to spread to other machines through NetBIOS. The malware contains exploits in its body that are used during the exploitation phase. These are related to CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148, all covered by the MS17-010 security bulletin.

In many reports we read that the malware generates a list of internal IPs. We found that the malware generates random IP addresses, not limited to the local network. The following is an example attempt at propagation:

With this, the malware can spread not only to other machines in the same network, but also across the Internet if sites allow NetBIOS packets from outside networks. This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware.

Another interesting characteristic of the malware is that once a machine with an open NetBIOS port is found, the malware will send three NetBIOS session setup packets to it. One has the proper IP of the machine being exploited, and the other two contain two IP addresses hardcoded in the malware body:

The preceding packet contains the IP of the machine being exploited. It uses the test network 192.168.0.0/24. The other two packets, below, contain different IPs that the malware has in its code:

This activity and the presence of two hardcoded IP addresses (192.168.56.20, 172.16.99.5) could be used to detect the exploit using network intrusion prevention systems.
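As an added illustration (not code from the McAfee Labs post), the Python sketch below shows how a network sensor could act on that observation: it looks for the two hardcoded addresses in SMB session setup payloads and flags a flow only when a hardcoded address differs from the flow’s real destination, so a host that genuinely is 192.168.56.20 does not trip the rule. It assumes the addresses are embedded as ASCII or UTF-16LE strings in the payload; the flows and payload bytes are constructed for the demonstration, not captured traffic.

```python
"""Detection helper for the WannaCry SMB propagation pattern described above.

Added example, not code from the McAfee Labs post. It assumes the two
hardcoded addresses appear as text (ASCII or UTF-16LE) inside the SMB
session setup / tree connect payload; the sample flows below are
constructed for the demonstration.
"""
from __future__ import annotations

# The two addresses the post reports as hardcoded in the malware body.
HARDCODED_IPS = ("192.168.56.20", "172.16.99.5")


def find_hardcoded_ips(payload: bytes) -> list[str]:
    """Return the hardcoded addresses present in one SMB payload.

    Both encodings are checked because SMB1 strings may be carried as
    plain ASCII or as UTF-16LE depending on the negotiated Unicode flag
    (assumption: the addresses are embedded as such strings).
    """
    hits = []
    for ip in HARDCODED_IPS:
        if ip.encode("ascii") in payload or ip.encode("utf-16-le") in payload:
            hits.append(ip)
    return hits


def scan_flows(flows: list[dict]) -> list[dict]:
    """Flag flows that match the three-packet pattern.

    Each flow is {"dst": str, "dport": int, "payloads": [bytes, ...]}.
    A flow is flagged when it targets port 445 (or 139) and at least one
    of its payloads references a hardcoded address that differs from the
    flow's real destination.
    """
    alerts = []
    for flow in flows:
        if flow["dport"] not in (139, 445):
            continue
        foreign = set()
        for p in flow["payloads"]:
            for ip in find_hardcoded_ips(p):
                if ip != flow["dst"]:
                    foreign.add(ip)
        if foreign:
            alerts.append({"dst": flow["dst"], "hardcoded": sorted(foreign)})
    return alerts


def _setup_payload(ip: str) -> bytes:
    # Constructed stand-in for a session setup / tree connect payload
    # carrying a UNC path; not a byte-accurate SMB packet.
    return b"\xffSMB" + f"\\\\{ip}\\IPC$".encode("utf-16-le")


SAMPLE_FLOWS = [
    # Matches the described pattern: one packet with the real target, two
    # with the hardcoded addresses.
    {"dst": "192.168.0.23", "dport": 445,
     "payloads": [_setup_payload("192.168.0.23"),
                  _setup_payload("192.168.56.20"),
                  _setup_payload("172.16.99.5")]},
    # Benign: a normal client referencing only the host it talks to.
    {"dst": "192.168.0.50", "dport": 445,
     "payloads": [_setup_payload("192.168.0.50")]},
    # A host that really is 192.168.56.20 must not be flagged by itself.
    {"dst": "192.168.56.20", "dport": 445,
     "payloads": [_setup_payload("192.168.56.20")]},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"possible MS17-010 propagation toward {alert['dst']}: "
              f"hardcoded {', '.join(alert['hardcoded'])}")
```

The "differs from the real destination" condition is what keeps the rule useful: matching the bare strings alone would also fire on legitimate traffic to a host that happens to use one of those private addresses.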

Server Message Block (SMB) packets also carry the encrypted payload, which consists of exploit shellcode and the file launcher.dll. During our analysis, we found the payload is encrypted using a 4-byte XOR key, 0x45BF6313.

Encrypted payload with the key 0x45BF6313.

Decrypted launcher.dll payload.
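The XOR layer is easy to strip once the key is known. The Python below is an added example, not the analysis tooling behind the post: it XORs the stream DWORD by DWORD with 0x45BF6313, tries both byte orders for the key because the post does not state which one is used, and checks for a DOS/PE header to confirm which attempt recovered a real payload. The encrypted sample is constructed inline from a fake PE header rather than taken from a real launcher.dll.

```python
"""XOR payload recovery for the SMB-carried launcher.dll described above.

Added example, not the McAfee Labs analysis code. It assumes the 4-byte
key 0x45BF6313 is applied DWORD by DWORD; the byte order of the key in
the stream (little-endian versus big-endian) is not stated in the post,
so the helper tries both and reports which one yields a PE image. The
payload below is constructed for the demonstration.
"""
from __future__ import annotations
import struct

KEY = 0x45BF6313


def xor_with_key(data: bytes, key: int = KEY, byteorder: str = "little") -> bytes:
    """XOR every 4-byte block of data with the key (trailing bytes use the
    leading key bytes). XOR is its own inverse, so this both encrypts and
    decrypts."""
    key_bytes = key.to_bytes(4, byteorder)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: DOS 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(encrypted: bytes, key: int = KEY) -> tuple[str, bytes] | None:
    """Try both key byte orders; return (byteorder, plaintext) for the one
    that produces a PE image, or None if neither does (wrong key or offset)."""
    for order in ("little", "big"):
        plain = xor_with_key(encrypted, key, order)
        if looks_like_pe(plain):
            return order, plain
    return None


def build_fake_pe() -> bytes:
    """Construct a minimal stand-in for launcher.dll: DOS header with
    e_lfanew = 0x40, then a PE signature and padding (80 bytes in all)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 12


if __name__ == "__main__":
    # Constructed sample: encrypt a fake PE with the key as a little-endian DWORD.
    sample = xor_with_key(build_fake_pe(), KEY, "little")
    print(sample[:4].hex())            # 5e39bf45: the 'MZ' signature is hidden
    result = recover_payload(sample)
    assert result is not None
    order, dll = result
    print(order, dll[:2])              # little b'MZ'
```

On a real capture the same routine is applied to the SMB data after the exploit packets; if neither byte order yields a header, the most common reasons are a wrong start offset into the stream or a sample that uses a different key.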

We also found the following x64 shellcode being transferred during network communication over SMB.

EternalBlue code.

DoublePulsar code.

Worm behavior

Machine A at left, Machine B at right. 

The infection flow to the vulnerable host (Machine B).

Kernel mode at left, user mode at right.

Infection using kernel exploit

In our analysis, we found that on infected machines the kernel-mode SMB driver srv2.sys is vulnerable and is exploited by the malware to spread using SMB communication.

A compromised srv2.sys will inject launcher.dll into the user-mode process lsass.exe, which acts as the loader for mssecsvc.exe. This DLL contains only one export, PlayGame:

The code simply extracts the ransomware dropper from the resource shown previously, and starts it using the function CreateProcess:

Injected launcher.dll in the lsass.exe address space.

Malware variants in the wild

As reported by several sources, the malware dropper contains code to check two specific domains before executing its ransomware or network exploit code.

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

While looking for more samples in our malware database, we came across several other droppers (MD5: 509C41EC97BB81B0567B059AA2F50FE8) that did not exhibit this same behavior. These other droppers did not have the code to exploit machines through NetBIOS or to check for the kill-switch domain. With these samples, the ransomware code would be executed in all cases.

These samples were found in the wild, which means they are capable of infecting and spreading, but in a much less aggressive way. Once the ransomware infects a machine, it also tries to infect any network shares mounted as local disks. Anyone accessing these shares could execute the malware sample by mistake and infect themselves. This infection vector is not as effective as the network exploit but could nonetheless wreak havoc in a corporate environment.

We also examined the droppers (for example, MD5: DB349B97C37D22F5EA1D1841E3C89EB4) that had the exploit code to compare with the other samples. We found that this exploit-aware dropper is a wrapper around the other droppers.

Looking at the exploit-aware sample, we found that one of the resources contains a 3.4MB .exe file that is the same as the other type of droppers:

After the remote host is exploited, this resource is extracted, sent to the victim, and installed as a service. This event starts the infection on the remote machine.

File decryption

WannaCry offers free decryption for a random selection of files, listed in C:\Intel\<random folder name>\f.wnry. We have seen 10 files decrypted for free.

In the first step, the malware checks the header of each encrypted file. Once successful, it calls the decryption routine and decrypts all the files listed in C:\Intel\<random folder name>\f.wnry.

A code snippet of the header check:

The format of the encrypted file:

To decrypt all the files on an infected machine we need the file 00000000.dky, which contains the decryption keys. The decryption routine for the key and original file follows:

Bitcoin activity

WannaCry uses three Bitcoin wallets to receive payments from its victims. Looking at the payment activity for these wallets gives us an idea of how much money the attackers have made.

The current statistics as of May 13 show that not many people have paid to recover their files:

  • Wallet 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • Wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • Wallet 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The attackers appear to have earned a little over BTC 15.44 (US$27,724.22). That is not much considering the number of infected machines, but these numbers are increasing and might become much higher in the next few days. It’s possible that the sinkholing of two sites may have helped slow things down:

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Multiple organizations across more than 90 countries have been impacted, according to reports.

We will update this blog as we learn more.

The post Further Analysis of WannaCry Ransomware appeared first on McAfee Blogs.

WannaCry: The Old Worms and the New
https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-old-worms-new/
Sat, 13 May 2017 05:42:14 +0000
The morning of Friday, May 12 multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry.

Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers.

By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers.

McAfee urges all its customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use. For more information, read this Knowledge Center article.

This week’s attacks leveraging the WannaCry ransomware were the first time we’ve seen an attack combine worm tactics along with the business model of ransomware. The weaponization of the Eternal Blue exploit made public weeks ago, and unpatched MS-17-010 Windows OS vulnerabilities by the thousands enabled WannaCry to infect hundreds of thousands of computers, across industries, across continents, and within just a day. Furthermore, these attacks accomplished all this with little or no human involvement, as is typically the case in other ransomware campaigns.

A hybrid of the proven, less the human

WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network. The impact of the attack is much greater than what we’ve seen from traditional data ransomware attacks.

Almost all of the ransomware we see in the wild today attacks individual users, typically through spear-phishing: victims receive an email that appears to come from a legitimate source, and it lures them into clicking on a link or opening an attachment that downloads or executes malicious code on their system. But it impacts only that victim’s one computer.

If you think back to the late 90s and early 2000s, when we had Code Red, NIMDA and SQL Slammer, those worms spread really rapidly because they didn’t require a human to take any action in order to activate the malware on the machine. This week’s attacks did something very similar.

We’re still working to determine how a “patient zero” machine became infected, but, once it was, if other machines hadn’t received the MS-17-010 vulnerability patch, they were infected over their network.

Instead of stealing data or damaging other machines, the malware executed a classic ransomware attack, encrypting files and demanding a ransom payment. The attack essentially combined two techniques to produce something that was highly impactful.

With WannaCry, if the configuration of machines within an organization possessed the Microsoft vulnerability (addressed by Microsoft in March), the ransomware could infect one machine and then move very rapidly to spread and impact many other machines that still had not been patched.

What we’ve typically seen with cybercrime is that when any technique is shown to be effective, there are almost always copycats. Given that this appears to have been quite an effective attack, it would be very reasonable for other attackers to look for other opportunities. One of the things that makes that difficult is you need to have a vulnerability in software that has characteristics that enable worm-like behavior.

What’s unique here is that there is a critical vulnerability that Microsoft has patched, and an active exploit that ended up in the public domain, both of which created the opportunity and blueprint for the attacker to be able to create this type of malicious ransomware worm capability.

Open for exploit

In the late 90s, it was common practice to leave all sorts of software running on machines even if it wasn’t used. For instance, one of the worms in the 90s took advantage of a vulnerability in a print server that was included by default on all servers, even if no printer was attached. That let a worm connect to that printer port on all of the servers on a network, creating a worm propagation scenario that infected system after system.

A common practice for addressing this since those days is a best practice known as “least privilege,” which allows an application or service to run only the things on a machine or network that the entity needs to complete a task or function specific to its particular role. Least privilege has reduced the chances of the traditional worm scenario, but unpatched vulnerabilities mimic this “open” element available for exploit, particularly if such vulnerabilities enable things such as file transfer or sharing across systems.

It would be difficult to orchestrate attacks such as the WannaCry campaign, without all the unpatched vulnerabilities, the publicly released exploit, and a set of proven ransomware technologies and tactics at the attacker’s disposal.

To patch or not to patch

WannaCry should remind IT of how critical it is to apply patches quickly. Part of the reason IT organizations hesitate to patch, or run an internal quality assurance process first, is to ensure that there aren’t software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying the patch, and a risk to not applying it. Part of what IT managers need to understand and assess is what those two risks mean to their organizations.

By delaying deployment of a patch, they can mitigate risk related to application compatibility; but by delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability. IT teams need to understand, for each patch, what those levels of risk are, and then make a decision that minimizes risk for the organization.

Events such as WannaCry have the potential to shift the calculus of this analysis. One of the problems we often see in security is that the lack of an attack is sometimes interpreted as having a good defense. Companies that have become lax in applying patches may not have experienced any attacks that take advantage of those vulnerabilities. This can reinforce the behavior that it’s okay to delay patching.

This episode should remind organizations that they really do need an aggressive patching plan in order to mitigate the vulnerabilities in their environment.

Why the hospitals?

Hospitals fall into a category I think of as “soft targets,” meaning hospitals generally focus on patient care as their top priority, as opposed to having the best cyber defenders on staff and best cyber defense technologies in place.

The reason for this is that, traditionally, there was very little incentive for cybercriminals to attack a hospital. They could potentially steal patient records or other data, but the total value of data from a hospital would typically be less than that of the bulk data stolen from other industries such as financial services.

What ransomware has done as a criminal business model is provide an incentive to attack any organization. Given that criminals are demanding a ransom, it’s far easier to exploit an organization with weaker cyber defenses than an organization with stronger cyber defenses, which is why we’ve seen hospitals, schools, municipal police departments, and universities become victims of ransomware over the last year. While we’re now starting to see the targeting of “harder” organizations as well, at least for now, there are a lot of opportunities for criminals to continue to target these soft target organizations.

What next?

Although this attack is something new, and something we need to be thoughtful about, when we see such a vulnerability occur in the wild, and an exploit published that could be used by cybercriminals, we should always expect and be prepared for this kind of attack, and for many more copycat attacks following soon after.

The post WannaCry: The Old Worms and the New appeared first on McAfee Blogs.

“WannaCry” Ransomware Spreads Like Wildfire, Attacks Over 150 Countries
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/wannacry-ransomware-attacks/
Sat, 13 May 2017 00:32:14 +0000
Update: The McAfee team has developed a tool that can be used in an effort to recover files that have been attacked by WannaCry ransomware. Learn about it here.

Recently, a ransomware attack emerged that is worthy of tears. WannaCry ransomware hit the scene, spreading like wildfire across 150 countries and infecting more than 250,000 machines, which includes a massive takedown of 16 UK NHS medical centers in just one day. Other major countries impacted include Spain, Russia, Ukraine, India, China, Italy, and Egypt.

Now, how is this massive attack possible? Our experts say the ransomware attack exploits the Server Message Block (SMB) critical vulnerability, also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago. Basically, the attacker can use just one exploit to gain remote access into a system. Once access is gained, the cybercriminal then encrypts data with the file extension “.WCRY.” Not to mention, the decryptor tool used can hit users in multiple countries at once, and translate its ransom note to the appropriate language for that country. The ransom is said to demand $300 to decrypt the files.

The good news is, consumers don’t have to worry about this attack affecting their personal data, as it leverages a flaw within the way organizations’ networks allow devices to talk to each other.

Furthermore, by Friday afternoon, McAfee delivered detection updates to its products to ensure customers would be protected from all the known versions of the WannaCry ransomware.

However, this attack does act as a reminder for consumers to prepare for personal ransomware attacks. In order to stay prepared and keep your personal data secure, follow these tips:

- Be careful what you click on. This malware was distributed by phishing emails. You should only click on emails that you are sure came from a trusted source. Click here to learn more about phishing emails.

- Back up your files. Always make sure your files are backed up. That way, if they become compromised in a ransomware attack, you can wipe your disk drive clean and restore the data from the backup.

- Update your devices. There are a few lessons to take away from WannaCry, but making sure your operating system is up-to-date needs to be near the top of the list. The reason is simple: nearly every software update contains security improvements that help secure your computer and remove the means for ransomware variants to infect a device.

- Schedule automatic updates. It’s always a good practice to set your home systems to apply critical Windows Security Updates automatically. That way, whenever there is a vulnerability, you receive the patch immediately.

- Apply any Windows security patches that Microsoft has sent you. If you are using an older version of Microsoft’s operating systems, such as Windows XP or Windows 8, click here to download emergency security patches from Microsoft.

- Keep security solutions up-to-date. Many security products are automatically updated. Take McAfee for example: our customers will be protected from this ransomware as soon as they connect to the Internet and update their security software. Plus, as new variants of this ransomware arise, we will continuously update our software to keep them protected.

If you are not currently a McAfee customer, you can get protection here. And stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post “WannaCry” Ransomware Spreads Like Wildfire, Attacks Over 150 Countries appeared first on McAfee Blogs.

An Analysis of the WannaCry Ransomware Outbreak
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
Fri, 12 May 2017 22:07:01 +0000
Charles McFarland was a coauthor of this blog.

Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals being victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers. But the wave of attacks ranks as one of the more notable cyber events in history.

Once infected, the encrypted files contain the file extension .WNCRYT. Victims’ computers then proceed to display the following message with a demand for $300 to decrypt the files.

Observations

Exploit MS17-010:

The malware is using the MS17-010 exploit to distribute itself. This is an SMB vulnerability with remote code execution options. Details at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Exploit code is available on multiple sites, including this example: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb.

This exploit is also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago.

With MS17-010, the attacker can use just one exploit to get remote access with system privileges, meaning both steps (remote code execution and local privilege escalation combined) use just one bug in the SMB protocol. Analyzing the exploit code in Metasploit, a popular hacking tool, we see the exploit uses KI_USER_SHARED_DATA, which has a fixed memory address (0xffdff000 on 32-bit Windows), to copy the payload and transfer control to it later.

By remotely gaining control over a victim’s PC with system privileges, without any user action, an attacker who controls one system inside a local network can spray this malware across that network, gaining control over every system that is affected by this vulnerability and not yet fixed; that one system will then spread the ransomware to all vulnerable Windows systems not patched for MS17-010.

Behavior

Using the following command line, the malware removes the Volume Shadow Copies and backups:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The file size of the ransomware is 3.4MB (3514368 bytes).

The authors called the ransomware WANNACRY, the string hardcoded in the samples.

The ransomware writes itself into a folder with a random name under ProgramData with the filename tasksche.exe, or into the C:\Windows\ folder with the filenames mssecsvc.exe and tasksche.exe.

Examples:

  • C:\ProgramData\lygekvkj256\tasksche.exe
  • C:\ProgramData\pepauehfflzjjtl340\tasksche.exe
  • C:\ProgramData\utehtftufqpkr106\tasksche.exe
  • c:\programdata\yeznwdibwunjq522\tasksche.exe
  • C:\ProgramData\uvlozcijuhd698\tasksche.exe
  • C:\ProgramData\pjnkzipwuf715\tasksche.exe
  • C:\ProgramData\qjrtialad472\tasksche.exe
  • c:\programdata\cpmliyxlejnh908\tasksche.exe

The ransomware grants full access to all files by using the command:

Icacls . /grant Everyone:F /T /C /Q
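The shadow-copy deletion chain and the recursive Everyone:F grant are strong host-side indicators. The Python below is an added example (not part of the McAfee post) of triaging process-creation command lines for those stages: it splits chained cmd /c commands, matches each stage against the commands quoted above, and rates a record higher when several destructive stages appear together, because administrators run vssadmin on its own far more often than the whole chain. The records are constructed for the demonstration, and collection of the events themselves (Sysmon event ID 1 or Windows 4688) is assumed to happen elsewhere.

```python
"""Process-creation triage for the backup-destruction and ACL commands
described above.

Added example, not part of the McAfee post. It assumes process-creation
events (for instance Sysmon event ID 1 or Windows 4688) have already been
reduced to one command line per record; the records below are constructed
for the demonstration.
"""
from __future__ import annotations
import re

# Each pattern is paired with the behaviour it indicates. The commands come
# from the command lines quoted in the post; the regexes tolerate case and
# spacing differences and the two bcdedit forms seen in the same chain.
PATTERNS = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot recovery disabled (bcdedit)",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup catalog deletion (wbadmin)",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Everyone:F granted recursively (icacls)",
     re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b.*\s/T\b", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Return the behaviours a single command line exhibits. A chained
    'cmd /c a & b & c' line is split on '&' so every stage is inspected."""
    found: list[str] = []
    for stage in re.split(r"\s*&+\s*", cmdline):
        for label, rx in PATTERNS:
            if rx.search(stage) and label not in found:
                found.append(label)
    return found


def triage(records: list[dict]) -> list[dict]:
    """Score each record: two or more distinct destructive stages is high,
    a single stage is medium (admins do run vssadmin on its own, but rarely
    the whole chain)."""
    report = []
    for rec in records:
        labels = classify(rec["cmdline"])
        if not labels:
            continue
        severity = "high" if len(labels) >= 2 else "medium"
        report.append({"host": rec["host"], "image": rec["image"],
                       "severity": severity, "behaviours": labels})
    return report


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"host": "ws-17", "image": r"C:\ProgramData\lygekvkj256\tasksche.exe",
     "cmdline": ("cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                 " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                 " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"host": "ws-17", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "srv-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "srv-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(f"{row['severity']:6} {row['host']} {row['image']}: "
              f"{', '.join(row['behaviours'])}")
```

In a real pipeline the parent image and the process image (a tasksche.exe under a random ProgramData folder, as listed above) would be added to the score; the command-line stages alone already separate the full chain from routine administrative use.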

 

The ransomware uses a batch script for these operations:

176641494574290.bat

Content of the batch file (fefe6b30d0819f1a1775e14730a10e0e):

echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0

Content of m.vbs:

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\@WanaDecryptor@.exe"
om.Save

Indicators of compromise

Hashes

dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56

21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd

2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32

9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13

78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf

fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2

57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4

ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494

3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9

9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640

5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b

85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186

3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301

IP Addresses

  • 197.231.221.221:9001
  • 128.31.0.39:9191
  • 149.202.160.69:9001
  • 46.101.166.19:9090
  • 91.121.65.179:9001
  • 2.3.69.209:9001
  • 146.0.32.144:9001
  • 50.7.161.218:9001
  • 217.79.179.177:9001
  • 213.61.66.116:9003
  • 212.47.232.237:9001
  • 81.30.158.223:9001
  • 79.172.193.32:443
  • 38.229.72.16:443

Domains

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (sinkholed)
  • Rphjmrpwmfv6v2e[dot]onion
  • Gx7ekbenv2riucmf[dot]onion
  • 57g7spgrzlojinas[dot]onion
  • xxlvbrloxvriy2c5[dot]onion
  • 76jdd2ir2embyv47[dot]onion
  • cwwnhwhlz52maqm7[dot]onion

Filenames

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe

Bitcoin Wallets

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other Snort rules from Emerging Threats (http://docs.emergingthreats.net/bin/view/Main/2024218):

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

Yara:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}

McAfee urges all its customers to ensure McAfee’s DAT updates have been applied for the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.

For more information on McAfee’s response to WannaCry, please read this Knowledge Center article.

The post An Analysis of the WannaCry Ransomware Outbreak appeared first on McAfee Blogs.

WannaCry – On Old and New Worms
https://securingtomorrow.mcafee.com/languages/german/wannacry-uber-alte-und-neue-wurmer/
Fri, 12 May 2017 16:05:19 +0000
On the morning of Friday 12 May, several sources in Spain reported an outbreak of a ransomware variant that has since been identified as "WannaCry".

As soon as this information came in, McAfee began analysing the ransomware samples, drafting remediation guidance and developing detection updates for our customers.

By Friday afternoon the McAfee Global Threat Intelligence system had been updated and was able to detect all known WannaCry samples, and all customers had received the corresponding DAT signature updates.

McAfee urges all its customers to apply these DAT updates and, in addition, to make sure that all available security updates are installed for every other software product they use. Further information is available in this Knowledge Center article.

The WannaCry ransomware attacks observed this week were the first to combine worm and ransomware tactics. The potential for abuse of the EternalBlue exploit had been known for several weeks. Because the patch for the Windows vulnerability addressed by MS17-010 had not been applied on thousands of systems, WannaCry was able to infect hundreds of thousands of computers across all industries worldwide within a single day. As with many other ransomware campaigns, these attacks were so successful partly because they required little or no user interaction.

A mix of proven techniques, with the human taken out of the loop

WannaCry's success comes down to the fact that one attack could be amplified through the vulnerabilities present on many systems in the network. The consequences were therefore considerably greater than those of conventional ransomware attacks.

Almost all ransomware variants currently in circulation attack individual users, often by spear phishing: the victim receives an email that appears to come from a legitimate sender and entices the recipient to click a link or open an attachment that downloads or executes malicious code on the victim's system. In each case only the victim's own computer is affected.

Remember the late 1990s and early 2000s? Back then, worms such as Code Red, Nimda and SQL Slammer spread at breakneck speed because they could activate the malware on a system without any user involvement. The WannaCry attacks behaved very similarly.

We are still trying to determine how the "patient zero" system was infected. In any case, that first infection was able to spread to every system on the network that did not have the MS17-010 patch installed.

The malware's aim was not to steal data or damage other systems; it carried out a classic ransomware attack, encrypting files and demanding a ransom. In essence, the attack combined two techniques to achieve an unusually large impact.

The WannaCry problem: wherever corporate systems carried the Microsoft vulnerability, the ransomware could spread very quickly after infecting one system and compromise many more systems that were likewise not yet protected by the patch Microsoft had released in March.

We typically see cybercriminals copy techniques that have already proven effective. Since the WannaCry attack was clearly extremely effective, we must expect other attackers to look for similar opportunities. What makes this harder for them is that it requires a software vulnerability that permits worm-like behaviour.

What sets this attack apart is that Microsoft had already released a patch for this critical vulnerability and a working exploit had entered circulation. Together, these two factors gave the attackers both the opportunity and the template to build ransomware with worm functionality.

Open to exploitation

In the late 1990s, systems typically ran all kinds of software, some of which was never used. For example, one 1990s worm exploited a vulnerability in a print server that was included by default on every server, including systems with no printer attached. The worm could therefore connect to every server on the network through this printer port and infect one system after another.

This tactic has since typically been defeated by the principle of least privilege, which ensures that an application or service may perform only those actions on the system or network that its tasks or functions require. The principle reduced the odds of success for conventional worms, but unpatched vulnerabilities recreate the same "open" element and can be exploited in the same way. This is especially true of vulnerabilities that enable file transfers or file sharing with other systems.

Campaigns such as WannaCry are made considerably easier to coordinate by all the unpatched vulnerabilities, the published exploit and the many proven ransomware technologies and tactics available to attackers.

To patch or not to patch?

WannaCry should remind IT leaders of the urgency of rapid patch deployment. One reason IT leaders hesitate to patch, or run internal quality checks first, is the question of whether software incompatibilities will cause problems. In my view the question should be framed differently: whenever a patch is released there is a risk in applying it and a risk in not applying it. IT leaders must understand and be able to assess the consequences of each for their organisation.

By delaying a patch deployment they can minimise the risk of an application incompatibility. At the same time, they increase the risk of compromise by a threat that exploits precisely that vulnerability. For every patch, IT leaders must understand how likely and how severe each of these risks is, and then decide how to minimise the risk to the organisation.

Events such as WannaCry have the potential to change this mindset. One problem we frequently observe in security is the belief that the absence of attacks is the same as a working defence. Organisations that take a relaxed approach to patching today may simply not yet have experienced attacks that exploit those particular vulnerabilities, which can reinforce the attitude that postponing patch deployments is acceptable.

This incident should remind organisations that they need a strict patch deployment plan in order to reduce the vulnerabilities in their environment.

Why were hospitals attacked?

Hospitals fall into a category I call "soft targets": they usually focus first and foremost on patient care rather than on the best possible cyber-defence staff and the best possible technologies for protecting against cyber attacks.

That is because, in the past, attacks on hospitals were considered unattractive to cybercriminals. They might steal patient records or other data, but the total value of the data in a hospital is normally lower than that of the data stolen in bulk from other industries, such as financial services.

Ransomware has made it worthwhile for criminals to attack any organisation. Since the criminals care only about the ransom payment, it is far easier to attack an organisation with weak cyber defences than one with strong protections. That is why hospitals, schools, municipal police departments and universities fell victim to ransomware attacks over the past year. While we are now also seeing some attacks on "harder targets", criminals still have plenty of opportunity to keep attacking these soft targets.

What happens next?

Although this attack is new and should prompt some reflection, we must not forget the following: when a vulnerability is known to exist and an exploit has been published that cybercriminals could use, we must always expect attacks of this kind and be prepared for numerous copycat attacks to follow shortly afterwards.

WannaCry : les vers d’hier font peau neuve (WannaCry: yesterday's worms get a makeover) https://securingtomorrow.mcafee.com/languages/francais/wannacry-les-vers-dhier-font-peau-neuve/ Fri, 12 May 2017 15:44:17 +0000

The post WannaCry : les vers d’hier font peau neuve appeared first on McAfee Blogs.

On the morning of Friday 12 May, numerous sources in Spain were the first to report a wave of attacks carried out with the ransomware now identified as WannaCry.

As soon as McAfee was informed of these incidents, our team immediately set to work analysing samples of the ransomware. We developed detection updates as well as prevention guidance for our customers.

By Friday afternoon the McAfee Global Threat Intelligence system had been updated to identify all known WannaCry samples. We also supplied signature updates (DAT files) to all our customers.

We strongly advise them not only to make sure that these DAT updates have been applied, but also to deploy the required security updates for all the software they use. For more information, see this Knowledge Center article.

The WannaCry offensive is unprecedented: it was the first time a modus operandi combining typical worm tactics with the ransomware business model had been observed. Turning the EternalBlue exploit, made public several weeks earlier, into an attack tool and taking advantage of the thousands of Windows systems still unpatched despite the release of MS17-010 allowed WannaCry to infect hundreds of thousands of computers. Every industry and the entire planet were hit in barely a day. Moreover, these attacks required little or no human intervention, as is generally the case in ransomware campaigns.

A cross between proven methods, without the human factor

WannaCry's success is due to its ability to amplify each attack by exploiting the vulnerabilities of many machines connected to the network. Its impact is therefore far greater than that of the classic ransomware campaigns observed until now.

Practically all ransomware currently in the wild targets individual users, often through spear phishing. Targets typically receive an email that appears to come from a legitimate sender and urges them to click a link or open an attachment that downloads or executes malicious code on their system. This type of attack, however, affects only the victim's computer.

In the 1990s and early 2000s, the era of Code Red, Nimda and SQL Slammer, worms spread rapidly because they did not need human help to activate the malware on computers. The attacks that raged in mid-May behaved similarly.

We are still trying to determine how a "patient zero" machine was infected, but we know that from this first infection, other systems lacking the MS17-010 patch were contaminated over the network.

Rather than stealing data or damaging other machines, the malware carried out a classic ransomware attack, encrypting files and demanding a ransom. Two techniques were combined for maximum impact.

Where company systems had the vulnerability in question (for which Microsoft had released a security update in March), WannaCry could infect a first computer and then spread very quickly to many other machines lacking the relevant patch.

In cybercrime we know that once a technique proves effective, it is almost always copied. Given the impressive success of this attack, it is reasonable to expect it to inspire other attackers. It will be hard to reproduce, however, because this approach requires a software vulnerability whose characteristics permit worm-like behaviour.

The WannaCry attack is unique in that it took advantage of both a critical vulnerability for which Microsoft had already released a patch and an active exploit that ended up on the Internet, accessible to anyone: these two factors gave its author the opportunity and the operating model to create this very particular ransomware worm.

A breach open to exploits

In the late 1990s it was common to leave all sorts of software running on computers even when it was not in use. One worm active at the time exploited a vulnerability in print server software that was included by default on every server, even when the configuration had no printer at all. Every server on the network was therefore exposed to the risk of a worm connecting to its printer port, creating a propagation scenario in which the worm could infect one system after another.

To counter this type of attack, a best practice called the "principle of least privilege" was adopted. Under it, an application or service runs on a machine or network only the elements strictly necessary to carry out the tasks or functions of its particular role. Applying this principle has limited the risk of attacks by traditional worms, but unpatched vulnerabilities also leave a door open through which exploits can rush, particularly when they permit file transfers, sharing between systems and the like.

It would be very complicated to orchestrate attacks such as the WannaCry campaign without unpatched vulnerabilities, a public exploit and a set of ransomware technologies and tactics of proven effectiveness.

To patch or not to patch, that is the question

WannaCry should remind IT teams how essential it is to apply required patches quickly. One reason they hesitate to patch their systems or run internal quality control is to make sure there are no software compatibility problems. I see the question from a different angle: when a patch is available, both applying it and not applying it carry a certain risk. One of the IT leader's roles is to weigh those respective risks and evaluate what they mean for the business.

In some cases, delaying deployment of a patch limits the risk of incompatibility. In others, it increases the risk of compromise by a threat that exploits an existing vulnerability. For each patch, the IT team must determine the level of risk associated with each scenario and then make the right decision, the one that puts the business in the least danger.

Major incidents such as WannaCry are likely to weigh in the balance during this analysis. Security teams often interpret the absence of attacks as proof that their defences are effective. It is nothing of the kind. It is entirely possible that companies negligent about patching have simply not suffered attacks exploiting the vulnerabilities in question, which can reinforce the idea that deferred deployment is not a problem.

This massive attack in May should remind companies that they absolutely must adopt a rigorous strategy for remediating the vulnerabilities in their environment.

Why hospitals?

Hospitals are vulnerable targets because their first concern is, naturally, patient care, not deploying the best cyber-defence technologies or recruiting qualified cybersecurity staff.

Indeed, until now cybercriminals had very little to gain from these institutions. It was always possible to steal medical records or other kinds of data, but in terms of total value, data from a hospital was generally less attractive than data taken from companies in sectors such as financial services.

With the criminal business model of ransomware, every sector becomes a potentially attractive target. Since the attacker's objective is the ransom, it is easier to go after an organisation with weak cyber defences than one with effective protection. That is why hospitals, police departments, schools and universities were hit by ransomware last year. We are also beginning to see increased interest in less vulnerable companies, but for now at least, attackers still have plenty of opportunities to target these easier prey.

And tomorrow?

Even if the WannaCry attack has unprecedented characteristics that will need to be taken into account in future, when a vulnerability is publicly reported and an exploit is released that cybercriminals could use, we must expect an attack of this kind and prepare for it. And, very soon, for many others inspired by it.
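The amplification argument made in the two WannaCry posts above (this French version and the German one before it) can be made concrete with a small model. The following is an added example, not McAfee's code: the hosts, network segments, patch states and the per-segment "SMB allowed" policy are constructed stand-ins for a real inventory and firewall rule set, and the breadth-first spread is a deliberately simple stand-in for exploitation of one unpatched network service.

```python
"""Toy model of the amplification effect described in the WannaCry posts above
(German and French versions of the same article): phishing-delivered
ransomware encrypts the one host whose user clicked, while a worm that
exploits an unpatched service reaches every vulnerable host it can talk to.

Added example, not McAfee's code. Hosts, segments, patch states and the
"port 445 reachable between segments" policy are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    patched: bool  # True if the fix for the wormable bug (MS17-010 in the article) is installed


# (source segment, destination segment) pairs on which SMB is reachable.
Policy = FrozenSet[Tuple[str, str]]


def flat_policy(hosts: Iterable[Host]) -> Policy:
    """No segmentation: every segment can reach every other segment on SMB."""
    segs = {h.segment for h in hosts}
    return frozenset((a, b) for a in segs for b in segs)


def phishing_blast_radius(patient_zero: str) -> Set[str]:
    """Conventional ransomware: only the host whose user opened the lure."""
    return {patient_zero}


def worm_blast_radius(hosts: Iterable[Host], patient_zero: str, policy: Policy) -> Set[str]:
    """Breadth-first spread: each infected host compromises every unpatched
    host in a segment its own segment may reach. Patient zero is infected
    however it was delivered; patched hosts stop the worm from spreading to
    them but do not shield anything behind them."""
    by_name: Dict[str, Host] = {h.name: h for h in hosts}
    if patient_zero not in by_name:
        raise KeyError(patient_zero)
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        for dst in by_name.values():
            if dst.name in infected or dst.patched:
                continue
            if (src.segment, dst.segment) in policy:
                infected.add(dst.name)
                queue.append(dst.name)
    return infected


def compare(hosts: List[Host], patient_zero: str, policies: Dict[str, Policy]) -> Dict[str, int]:
    """Size of the compromised set under each scenario."""
    out = {"phishing-only": len(phishing_blast_radius(patient_zero))}
    for label, pol in policies.items():
        out[f"worm/{label}"] = len(worm_blast_radius(hosts, patient_zero, pol))
    return out


# Constructed inventory: a small hospital-style network, partially patched.
HOSTS = [
    Host("ws-01", "workstations", patched=False),
    Host("ws-02", "workstations", patched=False),
    Host("ws-03", "workstations", patched=True),
    Host("ws-04", "workstations", patched=False),
    Host("srv-file", "servers", patched=False),
    Host("srv-db", "servers", patched=True),
    Host("srv-print", "servers", patched=False),
    Host("mri-01", "medical", patched=False),
    Host("mri-02", "medical", patched=False),
]

# Segmented policy: workstations reach each other and the servers; medical
# devices reach each other and the servers; nothing reaches the medical
# segment from the workstation or server side.
SEGMENTED: Policy = frozenset({
    ("workstations", "workstations"), ("workstations", "servers"),
    ("servers", "servers"),
    ("medical", "medical"), ("medical", "servers"),
})

if __name__ == "__main__":
    scenarios = {"flat": flat_policy(HOSTS), "segmented": SEGMENTED}
    for label, count in compare(HOSTS, "ws-01", scenarios).items():
        print(f"{label:16} {count} host(s) compromised")
```

Patching removes nodes from the worm's reach and segmentation removes edges; both shrink the worm's compromised set, and neither changes the single-host outcome of the phishing-only case, which is the contrast the article draws. The model ignores retries, credential reuse and the worm's own scanning of external addresses, so treat the counts as illustrating the mechanism rather than predicting an incident.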
Phishing Scams Cost American Businesses Half A Billion Dollars A Year https://securingtomorrow.mcafee.com/business/neutralize-threats/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/ Tue, 09 May 2017 21:09:34 +0000

The post Phishing Scams Cost American Businesses Half A Billion Dollars A Year appeared first on McAfee Blogs.

These days, the FBI devotes a lot of time and effort to cybercrimes, particularly those they refer to as business email compromise scams. BECs are a type of phishing attack in which criminals target businesses that frequently send international wire transfers, and they can involve huge sums of money. A report issued this week by the Bureau reveals just how huge.

From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses, with total losses approaching $1.6 billion. That is roughly $500 million scammed every year, and the dollar figures involved have climbed sharply: up 2,370% between January 2015 and last December.

No business is immune from BECs, it seems. There have been victims in all 50 states, and for the most part no one segment is targeted more frequently than another. Attackers are, however, giving more attention to parties involved in real estate transactions. Lawyers and realtors remain in the crosshairs, and the Internet Crime Complaint Center received almost five times as many reports from title companies last year as it had the year before.

It’s easy enough to see why real estate phishing is on the rise: large sums of money change hands and there are several potential weak links in the transaction process. Compromising any one of those with a successful phish of account details can give an attacker access to a trusted email address from which to launch the second stage of the attack. The fraudster can lie in wait skimming emails for information about a transaction and then send off fraudulent wire instructions to a buyer, seller, or escrow agent when the time is right.

The closing section of the FBI bulletin offers several tips for avoiding BECs, and they’re worth studying whether or not you own or operate a business. Among them: being more cautious when requests are urgent or secrecy is requested, closely scrutinizing any communications (sender’s email address, writing style, etc.) involving financial details, and implementing two-factor authentication to minimize the potential for account breaches.
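The bulletin's tips translate into checks that a mail gateway or an analyst triaging a reported message can run. The following is an added example, not from the FBI bulletin or the article: the trusted counterparty domains, the cue-word list and both sample messages are constructed, and a real deployment would populate the counterparty list from the organisation's own vendor records.

```python
"""Header and content checks for the BEC pattern described above: a payment
request whose sender, Reply-To or display name does not line up with a known
counterparty, plus the urgency, secrecy and changed-payment-details cues the
FBI bulletin warns about.

Added example, not from the FBI bulletin or the article. The trusted
counterparty list and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# Hypothetical counterparties a title company actually works with.
TRUSTED_DOMAINS: Set[str] = {"example-title.com", "example-law.com"}

# Cues from the bulletin's advice: urgency, secrecy, changed payment details.
CUES = re.compile(
    r"\b(urgent|immediately|asap|confidential|do not (call|discuss)|"
    r"wire|new (banking|account|wiring) (details|instructions))\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (tit1e vs title)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted: Set[str], max_distance: int = 2) -> Optional[str]:
    """Trusted domain that ``domain`` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    dist, best = min((edit_distance(domain, t), t) for t in trusted)
    return best if dist <= max_distance else None


def bec_indicators(raw_message: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return indicator tags for one RFC 822 message; empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    found: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain

    if reply_domain != from_domain:
        found.append(f"reply-to-domain-mismatch:{from_domain}->{reply_domain}")
    if "@" in display_name:  # display name forged to read like a legitimate address
        found.append(f"display-name-is-address:{display_name}")
    for dom in {from_domain, reply_domain}:
        target = lookalike_of(dom, trusted)
        if target:
            found.append(f"lookalike-domain:{dom}~{target}")

    body = "" if msg.is_multipart() else str(msg.get_payload())
    if CUES.search(msg.get("Subject", "") + "\n" + body):
        found.append("urgency-or-payment-language")
    return found


# Constructed samples, not real mail. The first is a routine message from a
# trusted counterparty; the second imitates it with a lookalike domain and a
# Reply-To pointing at an address the attacker controls.
LEGIT_MESSAGE = """\
From: Jane Escrow <jane@example-title.com>
To: buyer@example.org
Subject: Signed closing disclosure

Hi, the signed closing disclosure is attached for your records. Thanks, Jane
"""

BEC_MESSAGE = """\
From: Jane Escrow <jane@example-tit1e.com>
Reply-To: jane.escrow@mail-example.net
To: buyer@example.org
Subject: URGENT: updated wire instructions

Please wire the closing funds today to the new account details below and keep
this confidential until the deal records.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("bec", BEC_MESSAGE)):
        print(label, bec_indicators(raw) or "no indicators")
```

These are header-level checks: they catch the lookalike and Reply-To tricks the article describes but not a message sent from a genuinely compromised counterparty mailbox, which is why the bulletin's advice to verify changed wire instructions out of band (a phone call to a number already on file) still applies even when no indicator fires.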
This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Cyberattacks involving extortion are on the up, Verizon says https://securingtomorrow.mcafee.com/business/neutralize-threats/cyberattacks-involving-extortion-are-on-the-up-verizon-says/ Tue, 02 May 2017 22:27:59 +0000

The post Cyberattacks involving extortion are on the up, Verizon says appeared first on McAfee Blogs.

(Bloomberg) – Cyberattacks involving ransomware – in which criminals use malicious software to encrypt a user’s data and then extort money to unencrypt it – increased 50 percent in 2016, according to a report from Verizon Communications Inc.

And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday.

Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency in which cybercriminals most commonly demand ransoms be paid because of the anonymity it offers them.

While overall most malware was delivered through infected websites, increasingly criminals were turning to phishing – using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware – to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

“These emails are often targeted at specific job functions, such as HR and accounting – whose employees are most likely to open attachments or click on links – or even specific individuals,” the report said.

Verizon is currently in the process of acquiring Yahoo! Inc.’s internet properties at a $350 million discount after revelations of security breaches at the web company. Yahoo said in December that thieves in 2013 stole information from 500 million customer accounts, from email addresses to scrambled account passwords. Such a data cache may allow criminals to go after more sensitive personal information elsewhere online.

Whereas in the past most ransomware simply encrypted the data on the device where it was first opened, Marc Spitler, a Verizon security researcher, said criminal gangs were increasingly using more sophisticated hacking techniques, seeking out business critical systems and encrypting entire data servers. “There is increased sophisticated surveillance and targeting of organizations to maximize profit,” he said in an interview.

Criminal gangs were behind the majority of all cybersecurity breaches, Verizon said, with financial services firms the most common victims, accounting for about a quarter of all attacks.

But espionage – whether that was by foreign governments or unknown entities – was on the rise, Verizon said, accounting for 21 percent of all breaches in 2016 up from less than 10 percent in 2010. Besides governments, manufacturing firms were the most likely to be targeted in espionage-motivated attacks, the report said. There has also been a surge in espionage-related breaches targeting universities and other educational institutions, spiking from almost none in 2012 to more than 20 percent last year, it said.

The Verizon report, which is published annually, draws on the company's own data from breaches its security consultants have responded to and on data contributed by 65 partner organizations, including the U.S. Secret Service. NTT Security, a unit of Japan's Nippon Telegraph and Telephone Corp., released a report earlier this week that showed results similar to Verizon's findings.

This article was written by Jeremy Kahn from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The IoT of bricks: Someone is bricking insecure IoT devices https://securingtomorrow.mcafee.com/business/neutralize-threats/the-iot-of-bricks-someone-is-bricking-insecure-iot-devices/ Thu, 27 Apr 2017 01:19:12 +0000

The post The IoT of bricks: Someone is bricking insecure IoT devices appeared first on McAfee Blogs.

I can't justify the vigilantism, but someone is bricking vulnerable IoT devices, and I ponder the morality of it all. It's called BrickerBot. It finds IoT devices with dubious security and simply bricks (disables) them.

Insecure dishwashers, teapots, refrigerators, security cameras: all become part of vast botnets. The botnets can do many things, and we've seen them become the armies behind the largest internet attacks in history. How to clean up these devices has been the subject of many appeals, including numerous ones in this space.

No one has gone to jail for building the devices, but then no one has gone to jail for building the botnets from these devices either. Why? We have no vendor liability. Instead, organizations can design and ship the crappiest software on the planet and are highly unlikely to be punished. And so it continues.

Can bricking unsafe IoT devices work? Yes. It disables them and forces a firmware update, if an update exists and the device can be updated at all. Civilians who purchased IoT-enabled devices have no clue how to do this. Perhaps one in 100 might be able to follow useful instructions, or even be motivated to update the firmware on their IoT devices.

Most people with infected devices don’t even know it. Hey, Marge, did you know the refrigerator’s been assaulting Level 3 again?

The danger of vigilante bricking of IoT-enabled devices

But I want to run a chill down your spine, and it’s the motivation for writing this.

We can start with BMW and Volkswagen AG, and then cite Jeep, Ford, and more. Imagine driving down the road and having your car's computer bricked. Maybe you were doing 70. Or maybe someone drives through the maze of a parking garage, merrily bricking cars.

Your vehicle is vulnerable! We must brick it!

Similar attacks on radio key fobs have given hackers access to Mercedes, BMWs and even Toyota Priuses. Do you honestly think your key fob has a PKI certificate that it broadcasts to the door lock of your car?

Automotive IoT risks being equally vulnerable. Worse, the privacy components will rat you out.

  • You were speeding.
  • You drive in seedy neighborhoods.
  • You follow too closely.
  • You put makeup on in your car.
  • You fibbed to the insurance company about how many miles you drive per year.
  • Here’s a list of all the text messages you transcribed while driving.
  • You logged 17,215 left turns without using a turn signal. Upload?
  • Your warranty is now void due to excessively late oil changes.
  • This is JeEp RaNsOmEwArEz!!! Insert Apple Pay now, or in 60 seconds we stop your ignition!!

My great fear is for the unsuspecting public. Now their refrigerator’s acting wonky. It was the teapot yesterday. The vacuum cleaner has been trying to break into the garage again. Why?

Bricking bots are not the way to go. They will cause damage. At some point lives will be lost and people maimed. An uncontrolled botnet seeking to protect us all from badly designed devices will brick the wrong one, or dozens of them.

This is why we can’t have nice things. Oh, and some of the makers, such as Garadget, are just plain grouchy.
This article was written by Tom Henderson from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Smartphone sensors pose a serious security risk https://securingtomorrow.mcafee.com/business/neutralize-threats/smartphone-sensors-pose-a-serious-security-risk/ Fri, 21 Apr 2017 22:24:25 +0000

The post Smartphone sensors pose a serious security risk appeared first on McAfee Blogs.

As more people look for ways to protect their smartphones from hackers and criminals, we look for additional means beyond typing in a PIN. A popular method now is fingerprint analysis, where users can place a finger on their phone to unlock it or to make a purchase. And as crime shows and police officers have told us for decades, every fingerprint is completely unique and is an absolutely certain method to identify different people.

However, researchers at the NYU Tandon School of Engineering announced via a press release in April that they have essentially created a fingerprint hack called MasterPrint: a print, real or synthetic, that can match “between 26 and 65 percent” of users’ fingerprints. The researchers took advantage of weaknesses in how phone fingerprint security works, particularly the small size of the sensors, and exploited the differences between partial and full fingerprints.

There are aspects of this test that would make it difficult to apply to a real-life attempt to break into someone’s phone, and users may note that the hack still fails more than half the time and conclude there is nothing to worry about. But this test, along with other attempts to exploit phone sensors, shows that technology is not a substitute for taking a proactive approach to security.

Partial and full fingerprints

Those of you who watch too much CSI may be aware of full fingerprints, which use all the ridges and grooves of a print to identify a person, versus partial fingerprints, which use fewer data points. Fingerprint sensors on a phone rely on partial scans: the sensor is too small to capture the whole finger at once, and matching against a full print would fail whenever the finger lands at a different angle or is smudged or wet. To cope, phones typically enroll several partial images of each finger and accept a match against any one of them.

The NYU researchers thus first looked for human fingerprints with enough common attributes to serve as a MasterPrint that could unlock other people’s phones. They found on average almost one MasterPrint for every eight partial prints, compared to one for every 800 full prints. After that, the researchers constructed the aforementioned synthetic MasterPrint, which had a higher success rate still against partial prints, showing the security problem behind relying on partials.
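As an added illustration, not part of the original article, here is why partial matching compounds the risk. Suppose a single comparison between a candidate partial print and one stored template has false match rate $p$, the phone enrolls $k$ partial templates per finger, and the lockout allows $n$ attempts. A MasterPrint is accepted if any of the $kn$ comparisons matches, so

$$P_{\text{accept}} = 1 - (1-p)^{kn} \approx p\,k\,n \qquad (p \ll 1).$$

With assumed values of $p = 0.001$, $k = 5$ and $n = 5$ this gives $P_{\text{accept}} = 1 - 0.999^{25} \approx 0.025$, roughly one phone in forty, and that is before accounting for the fact that a MasterPrint is chosen precisely to resemble many templates at once, which pushes the effective $p$ well above the sensor’s nominal rate.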

While these results show that fingerprint sensors are not foolproof, security expert Andy Adler stated to the New York Times that “it’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad.” For one thing, criminals would have to construct a working MasterPrint and would then have to get physical access to a smartphone. Even under those circumstances, the MasterPrint would fail much more often than not.

But over the long run, a criminal who could repeatedly try phones would eventually get in with a MasterPrint. And as the NYU researchers stressed, the important thing to take away from their findings is that phone makers cannot become complacent about their fingerprint sensors. Research team leader Nasir Memon said: “As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features.”

Other sensors are dangerous

The fact that fingerprint scanners are fallible should encourage users to rely on more traditional measures such as a PIN. But even a PIN can be leaked by other sensors: an attacker can infer your PIN just from how you tilt your phone while typing it.

These dangerous sensors include ones most people are not aware of, such as the phone’s gyroscope and rotation sensors. Researchers from Newcastle University found that if an attacker can read those sensors, they can detect small differences in how you tilt the phone to enter each digit and guess the correct PIN. They identified the PIN from sensor data 70 percent of the time on the first attempt and 100 percent of the time by the fifth attempt.

Worse, malicious programs often do not need to ask permission to use these sensors. A malicious web page or app can read them as soon as it is loaded and exfiltrate what it learns.
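To show what the Newcastle result actually involves, here is an added example (my own illustration, not code from the article or from the Newcastle team) of the inference step: turning motion-sensor readings into digit guesses. In 2017-era browsers a page could subscribe to devicemotion and deviceorientation events with no permission prompt; here the readings, the keypad tilt signatures and the user’s PIN are all constructed so the logic runs offline.

```javascript
// Added example, not code from the article: how a page that can read motion
// sensors infers PIN digits from the tilt of the phone during each key press.
// In 2017-era browsers window.addEventListener('devicemotion', ...) and
// 'deviceorientation' delivered these readings without any permission prompt;
// here the readings are CONSTRUCTED so the logic runs offline.

// Assumed "training" data: mean tilt (beta = pitch, gamma = roll, in degrees)
// observed while the thumb presses each key of a 3x4 keypad. Lower rows pitch
// the phone further forward, right-hand columns roll it to the right.
function keypadTiltCentroids() {
  const layout = [['1', '2', '3'], ['4', '5', '6'], ['7', '8', '9'], ['*', '0', '#']];
  const centroids = {};
  layout.forEach((row, r) => row.forEach((key, c) => {
    centroids[key] = { beta: 10 + 4 * r, gamma: -6 + 6 * c };
  }));
  return centroids;
}

function distance(a, b) {
  return Math.hypot(a.beta - b.beta, a.gamma - b.gamma);
}

// A key press shows up as a burst of vertical acceleration (az). Average the
// orientation over each burst to get one tilt sample per press.
function segmentPresses(trace, azThreshold = 1.5) {
  const presses = [];
  let burst = null;
  const flush = () => {
    if (burst) presses.push({ beta: burst.beta / burst.n, gamma: burst.gamma / burst.n });
    burst = null;
  };
  for (const s of trace) {
    if (Math.abs(s.az) > azThreshold) {
      burst = burst || { beta: 0, gamma: 0, n: 0 };
      burst.beta += s.beta;
      burst.gamma += s.gamma;
      burst.n += 1;
    } else {
      flush();
    }
  }
  flush();
  return presses;
}

// Candidate keys for one press, nearest centroid first. Returning a ranking
// rather than a single guess is what lets an attacker reach the right PIN in a
// handful of attempts even when the first guess is wrong.
function rankKeys(press, centroids) {
  return Object.keys(centroids)
    .map(key => ({ key, d: distance(press, centroids[key]) }))
    .sort((x, y) => x.d - y.d)
    .map(e => e.key);
}

function inferPin(trace, centroids = keypadTiltCentroids()) {
  return segmentPresses(trace).map(p => rankKeys(p, centroids)[0]).join('');
}

// Constructed trace of a user typing 2580: three samples per press with a
// little deterministic jitter, and a resting sample between presses.
function sampleTrace() {
  const c = keypadTiltCentroids();
  const jitter = [0.6, -0.4, 0.2];
  const trace = [];
  for (const digit of '2580') {
    for (const j of jitter) {
      trace.push({ az: 2.4, beta: c[digit].beta + j, gamma: c[digit].gamma - j });
    }
    trace.push({ az: 0.1, beta: 0, gamma: 0 }); // finger lifted, phone at rest
  }
  return trace;
}
```

A real attack replaces the hand-made centroids with signatures learned from a few seconds of the victim typing, and the jittered samples with live sensor events; the segmentation and nearest-centroid logic stay the same. The defensive lesson is the one the article draws: nothing in this code needed a permission, so treat any page or app that is open while you type a PIN as a potential observer.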

Good security measures

Far too many users are uncertain about what their sensors do or are convinced that said sensors will provide them with absolute security. But there is no shortcut for implementing basic security measures. While 100 percent security can never be guaranteed, even implementing basic measures like locking your phone (which a shockingly high numbers of users do not do) will often persuade hackers to move on to easier prey.

Be careful about which apps you install and which web pages you open, do not grant permissions recklessly, change your PIN regularly and install updates promptly. Technology like fingerprint sensors can be useful and, despite NYU’s findings, is still better than no protection at all. But the best protection is caution and common sense.

 

This article was written by Gary Eastwood from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Smartphone sensors pose a serious security risk appeared first on McAfee Blogs.

How to protect against cross-site request forgery attacks
https://securingtomorrow.mcafee.com/business/neutralize-threats/how-to-protect-against-cross-site-request-forgery-attacks/
Thu, 20 Apr 2017 21:35:47 +0000

Cross-site request forgery (CSRF) attacks are becoming a more common attack method used by hackers. These attacks take advantage of the trust a website places in a user’s browser. The victim is tricked into performing an action they did not intend on a legitimate website to which they are authenticated.

CSRF attacks borrow the identity and privileges the victim holds on the target site to perform transactions in their name. They work against any site that treats a request as authenticated purely because the browser attached a session cookie, which is how most e-commerce and banking sites track logged-in users.

An example of a CSRF attack: a victim logs in to their banking website and, while the session is still active, receives an email asking them to click a link. The page behind the link quietly submits a request to the banking site (a hidden form, an image tag or a script can all do it) to transfer funds from the victim’s account into one the attacker has designated. The browser attaches the victim’s session cookie automatically, so the bank sees a legitimate-looking request coming from the victim’s own computer and IP address.

The attacker does not need email at all. The forged request can be planted in any page the victim is likely to load while logged in, such as a forum post, an advertisement or content injected into a vulnerable site; merely viewing that page triggers the transaction.

It can be hard for the victim to show that someone else performed the malicious transaction, because their own login session and IP address were used for it. That can mean a longer and more detailed investigation by the financial institution before it allows a credit or reversal.

How to prevent CSRF attacks

On the server side, banks and merchants should stop accepting a session cookie alone as proof that the user meant to send a request. The standard fix is an anti-CSRF (synchronizer) token: an unpredictable value tied to the session, embedded in every form or state-changing request and verified on submission. A page on the attacker’s site cannot read that token, so the forged request fails the check. Verifying the Origin or Referer header and marking the session cookie SameSite add further layers.

Don’t trust that the site you’re visiting has measures in place to prevent CSRF attacks. Many sites do have controls in place to protect against it, but it is not a good practice to assume this. Some sites could have controls in place today but after an upgrade or change in the code, may remove them later.

For users, the important thing to understand is that you must already be authenticated to a site to be vulnerable. Banking sites, and any site that performs financial transactions and has a high usage rate, are the primary targets of these attacks.

6 actions you can take to prevent a CSRF attack

  • Keep your anti-virus software up to date. It will not see a forged request, but it can block and quarantine many of the malicious pages and scripts used to deliver one.
  • Do not read email, browse other sites or use social networks in the same browser while you are logged in to your bank or any site that performs financial transactions. A forged request only works while the browser still holds a valid session for the target site.
  • When you finish a banking or financial transaction, log off immediately. Minimizing the window, or even closing the browser, does not necessarily end the session on the server; the logout link does.
  • Be wary of saving banking logins or passwords in your browser. Saved credentials are a separate risk (anyone with access to the machine can use them); CSRF itself rides on the session cookie the browser attaches automatically, which is why logging off matters more.
  • Disable scripting in your browser for untrusted sites; Firefox has plugins, such as NoScript, that block scripts by default. This removes only the script-driven variants: a forged request can also be carried by an image tag or an auto-submitted form, so treat it as one layer, not a cure.
  • Use one browser for financial transactions and a different one for everything else. Each browser keeps its own cookie jar, so a page in the general-purpose browser cannot make requests that carry the banking browser’s session.

As more financial transactions process on the internet, CSRF attacks will continue to grow. Also, the rise in using social network sites will contribute to the delivery of scripts that trigger these attacks. Following the preventive actions I have listed will reduce the possibility of you becoming a victim of a CSRF attack.

 

This article was written by Mark Dargin from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post How to protect against cross-site request forgery attacks appeared first on McAfee Blogs.

Chrome And Firefox Adding Protection Against This Nasty Phishing Trick
https://securingtomorrow.mcafee.com/business/neutralize-threats/chrome-and-firefox-adding-protection-against-this-nasty-phishing-trick/
Wed, 19 Apr 2017 22:53:55 +0000

If you click on a link to Forbes.com you expect to be taken to the Forbes website. But fraudsters that want to steal your passwords or credit cards info have an incredibly sneaky way of showing you a link that looks like a site you trust but sends you to a very convincing phishing site instead.

A website address that starts with xn-- tells your browser that the domain name is encoded using Punycode, which allows characters like ü or ñ to be displayed. It’s important that browsers be able to do that, because a very large percentage of Internet users don’t speak English (or it’s not their first language).

It also lets cybercriminals execute what’s called a homograph attack. The attacker registers a domain built from characters in another script that look like the Latin letters of a trusted name; its Punycode form is a jumble of letters, symbols and numbers. For example, if an attacker wanted to spoof the Forbes domain, they might register the domain name xn--0xa0vo267doa5di.com.

Chrome and Firefox will display that mess of characters as forbes.com. A scammer could even apply for — and would likely be granted — an SSL certificate for the Punycode name. That means you’d not only see forbes.com in the address bar if you clicked this kind of phishing link but you’d also see the green lock icon. The lock only means the connection is encrypted; it says nothing about whether the site is the one you think it is. Security provider Wordfence offered the following example in a recent blog post discussing these attacks:

 

Wordfence's example homoglyph attack domain

 


To be clear, Forbes isn’t the kind of site that scammers would generally spoof using a homograph attack. They’re much more interested in getting victims to cough up credentials for Paypal, Facebook and email accounts, or credit card numbers.

This clever phishing technique isn’t new. Homograph attacks have been around for more than a decade. It’s proven to be a difficult technique to thwart because of the legitimate uses of Punycode in domain names. Fortunately, both Chrome and Firefox users may soon be protected.

Google has already introduced a change in Chrome Canary, an experimental version of its browser. Changes in Canary that make the cut are usually pushed to all Chrome users within a few months. When this one rolls out, Chrome users will be protected automatically.

 

The Punycode setting in Firefox

 


Firefox users can enable protection right now. Enter about:config in the address bar and accept the warning Firefox displays. In the search box that appears, type punycode; a line reading network.IDN_show_punycode will appear. By default it is set to false. Double-clicking it changes it to true, which makes Firefox show the raw xn-- form in the address bar instead of the deceptive decoded characters.

 

This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Chrome And Firefox Adding Protection Against This Nasty Phishing Trick appeared first on McAfee Blogs.

When phone systems attack
https://securingtomorrow.mcafee.com/business/neutralize-threats/when-phone-systems-attack/
Tue, 18 Apr 2017 20:07:13 +0000

A telephony denial of service (TDoS) attack is a form of DDoS attack that originates from or is directed at a telephone system with the intent of taking the targeted system down. These attacks commonly focus on commercial businesses and are often accompanied by a ransom demand. In reality, they can affect anyone, including our nation’s 911 infrastructure, because even it is not isolated from or immune to these types of attacks. And given its mission, in many ways it is more fragile.

Unintentional TDoS attack

Just last year, 911 centers across the country, including a site in Phoenix, Arizona, were the targets of allegedly unintentional 911 TDoS attacks when some malicious JavaScript code was published on a web page. The code, once loaded on a smartphone browser, would cause some devices to automatically dial 911 repeatedly without user intervention and without the user’s knowledge.

The bug, found in iOS, was corrected in Apple’s recent 10.3 release. Now, user confirmation is required before the phone will automatically place a call. While this fix should blunt this specific method of attack, embedding code on a web page, there remains the possibility, if not the likelihood, that other TDoS attacks with more nefarious intentions could trigger similar events, ultimately preventing citizens from reaching 911 centers in dire times.

911 lines go down in Amarillo, Texas

Amarillo, Texas, also experienced an outage with its 911 system.

Just after 7 a.m. on Thursday, April 6, public safety dispatchers at the Amarillo, Texas, Police Department were forced to turn to social media to notify the public that their 911 lines were not working. In some ways similar to the recent outages in Dallas, the root cause of this outage was an overload of inbound 911 calls, spanning a short period of time.

Amarillo Police Sgt. Brent Barbee told reporters that while he was familiar with what are termed as “mass call events,” he had never witnessed them coming in “from one source” as was being experienced that morning. Typically, these events occur during weather events or if there’s a major accident on the highway and a large number of citizens with cell phones call in simultaneously to 911, creating a spike in call volume that is difficult to manage.

The subsequent investigation by Amarillo Police revealed that the source of these calls was from a multi-line telephone system at a local business. Once the company was contacted and made aware of the problem, officials disconnected the system and the problem was successfully cleared.

Unfortunately, the damage had already been done. It was reported that during this unintentional attack, the Amarillo Emergency Communication Center received about 470 calls over a 90-minute span, more than five calls per minute from a single source. It was not known how many calls may have been missed; however, police officials reported they were not aware of any issues left unresolved. In this instance the traffic was accidental, but it would not be difficult for anyone with malicious intent to replicate: overloading the inbound call-taking capacity of a center and its staff effectively takes them out of service.

Just how vulnerable are we?

Although no official industry statistics exist, most industry experts agree that approximately 80 percent or more of the nation’s estimated 6,000-plus Public Safety Answering Points (PSAPs) operate with six positions or fewer.

Around the country, many agencies in metropolitan areas are moving or considering moving to consolidated, regionalized models for their public safety centers. In addition to this model providing financial benefits from physical and virtual consolidation, technology advantages are more realistically deployed, and centers can interwork with each other, effectively providing a meshed Next Generation 911 (NG911) safety net for citizens.

Using the NENA i3 framework, NG911 offers a modern approach to network security and protection based on an IP architecture and its capabilities. Even so, cybersecurity remains the greatest concern. With new multimedia, multimodal methods of communication that will receive not only voice traffic but also text messages, pictures and video from public sources, network design and implementation must address segmentation, detection and isolation of potential threats in addition to resiliency and reliability.

Interim solutions may be possible

While next-generation 911 networks are being built and deployed, can something be done to protect us from these attacks? Fortunately, the answer is a simple one, yet complex at the same time.

An initial response that would have solved the problem in Amarillo would be for the local exchange carrier to provide the PSAP with the ability to selectively block traffic from a specific source number for a predetermined period of time. To ensure this isn’t abused, checks and balances could be put into place that control who and when blockages can be applied, as well as what call routing is applied to blocked numbers. Likely, a happy medium could be reached that would still protect individuals while not denying other legitimate callers access to critical emergency services.
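As an added example (mine, not from the article or any carrier product), here is the selective blocking idea above expressed as a per-source rate guard run over constructed call records: calls per calling number are counted in a sliding window, a source that floods the lines gets a time-limited block, and every block is written to an audit list so the checks and balances the paragraph asks for have something to review. The thresholds, record format and numbers are assumptions for the demo.

```javascript
// Added example, not from the article: a per-source rate guard of the kind the
// paragraph above describes, run over constructed call records. Thresholds and
// the record format are assumptions for the demo.

const RATE_WINDOW_MS = 60 * 1000;           // look at the last minute per source
const MAX_CALLS_PER_WINDOW = 10;            // far above what one genuine caller redialling produces
const BLOCK_DURATION_MS = 15 * 60 * 1000;   // temporary: a citizen is not locked out for good

class SourceRateGuard {
  constructor() {
    this.recent = new Map();  // source -> timestamps (ms) of recent calls
    this.blocks = new Map();  // source -> block expiry (ms)
    this.audit = [];          // who was blocked, when, until when, by whom
  }

  // Returns 'accept', 'blocked' (call dropped by an existing block) or
  // 'block' (this call pushed the source over the limit and started a block).
  inbound(source, atMs, operator = 'auto') {
    const until = this.blocks.get(source);
    if (until !== undefined) {
      if (atMs < until) return 'blocked';
      this.blocks.delete(source);             // block has expired
    }
    const times = (this.recent.get(source) || []).filter(t => atMs - t < RATE_WINDOW_MS);
    times.push(atMs);
    this.recent.set(source, times);
    if (times.length > MAX_CALLS_PER_WINDOW) {
      const expiry = atMs + BLOCK_DURATION_MS;
      this.blocks.set(source, expiry);
      this.audit.push({ source, blockedAt: atMs, until: expiry, by: operator });
      return 'block';
    }
    return 'accept';
  }
}

// Constructed record format: "<epoch-ms> <calling-number>"
function parseRecord(line) {
  const [ts, source] = line.trim().split(/\s+/);
  return { atMs: Number(ts), source };
}

function runFeed(lines) {
  const guard = new SourceRateGuard();
  const outcomes = { accept: 0, block: 0, blocked: 0 };
  for (const line of lines) {
    const { atMs, source } = parseRecord(line);
    outcomes[guard.inbound(source, atMs)] += 1;
  }
  return { outcomes, audit: guard.audit, guard };
}

// Constructed feed: a misbehaving PBX dialling every two seconds for a minute,
// plus two genuine callers, one of whom calls back.
function sampleFeed() {
  const t0 = 1491480000000; // assumed start time (ms since epoch)
  const lines = [];
  for (let i = 0; i < 30; i++) lines.push(`${t0 + i * 2000} +18065550100`);
  lines.push(`${t0 + 5000} +18065550123`);
  lines.push(`${t0 + 9000} +18065550123`);
  lines.push(`${t0 + 20000} +18065550177`);
  return lines.sort((a, b) => parseRecord(a).atMs - parseRecord(b).atMs);
}
```

The block expires on its own, so a legitimate line that was briefly misconfigured regains service without anyone remembering to unblock it, and the audit list records who applied each block, which is where the routing policy for blocked numbers (voicemail, an announcement, a secondary queue) would hook in.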

One thing to remember is that these problems have mostly been solved in the commercial space. These lessons learned need to be examined and then reshaped for the public safety use cases as we start deploying modern emergency service networks.

What will it all cost? Can we afford it?

At this point, it probably costs more to keep the legacy system running. An upgrade or replacement is likely to have an overall lower TCO, and, as with most upgrades to technology, the payback may be faster than you think. If the problem is about shoveling money out the window, don’t worry so much about the size of the shovel, just close the window!

 

This article was written by Mark J. Fletcher from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post When phone systems attack appeared first on McAfee Blogs.

Mac OS malware saw a 744% increase in 2016
https://securingtomorrow.mcafee.com/business/neutralize-threats/mac-os-malware-saw-a-744-increase-in-2016/
Wed, 12 Apr 2017 20:44:24 +0000

Many organizations fail to properly interpret IT security threat data or to share threat intelligence, and are unable to turn that data into actionable insights. The result is that many cyber defense systems are ill-prepared to handle the growing number of threats they experience.

Those are among the findings of a new cyber security study from McAfee Inc., “McAfee Labs Threat Report: April 2017,” which noted a huge increase in the number and variety of cyber threats experienced by organizations today.

“The security industry faces critical challenges in our efforts to share threat intelligence between entities, among vendor solutions, and even within vendor portfolios,” notes Vincent Weafer, vice president of McAfee Labs. “Working together is power. Addressing those challenges will determine the effectiveness of cybersecurity teams to automate detection and orchestrate responses, and ultimately tip the cybersecurity balance in favor of defenders.”

The McAfee Labs report contains a number of dramatic statistics:

  • Total Mac OS malware grew 744 percent in 2016
  • While still a minute fraction compared to Windows threats, new Mac OS malware samples grew 245 percent in Q4 2016 alone
  • 176 new cyber threats were detected every minute, almost three every second, in Q4 2016
  • Ransomware grew 88 percent in 2016
  • Mobile malware grew 99 percent in 2016
  • Overall malware grew 24 percent in 2016

The report cites a number of challenges to threat intelligence sharing and the effective use of IT security data. The first challenge is the obvious sheer volume of cyber security threats now happening. Beyond that, threat assessment tools need to capture richer data on threat patterns and do so more quickly.

Attackers may file false threat reports to mislead or overwhelm threat intelligence systems, the report says, and data from legitimate sources can be tampered with.

Most importantly, the failure to identify threat patterns and key data points in threat data makes it impossible to turn threat data into intelligence to inform cyber security defense teams, the report concludes.

 

This article was written by David Weldon from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Mac OS malware saw a 744% increase in 2016 appeared first on McAfee Blogs.

McAfee: Trend indicates 2017 will be bumper year for new malware
https://securingtomorrow.mcafee.com/business/neutralize-threats/mcafee-trend-indicates-2017-will-be-bumper-year-for-new-malware/
Tue, 11 Apr 2017 23:19:37 +0000

A cycle of increasing new malware is well underway and could last the rest of this year if a trend established over the past two years continues.

Defenders enjoyed a nine-month dip in malware innovation last year, but that’s over with, according to a cycle identified by McAfee Labs.

Its latest McAfee Labs Threats Report says that starting at the beginning of 2015, the volume of new threats has fluctuated in a regular pattern, with two to three quarters of growth followed by three quarters of decline. The last three quarters of 2016 showed decline, so the next uptick should have started last quarter.

McAfee’s report on the first quarter of 2017, which should confirm or refute the trend, won’t be published until summer. The latest decline saw the volume of new malware samples dip from about 37 million in the second quarter of 2016 to about 23 million in the fourth quarter of 2016, the report says.

Data for the report was gathered from public sources, and from McAfee’s incident response and threat research teams.

Meanwhile the total number of malware samples, new or otherwise, that McAfee detected has been on a steady rise for the past two years, from just over 400 million per quarter to just over 600 million in the last quarter of 2016.

While it’s at a lower volume, the total number of mobile malware samples is also steadily increasing, up from just under 4 million at the start of 2015 to more than 14 million in the fourth quarter of 2016.

McAfee includes adware in the malware count, which accounts for a dramatic leap in new malware found on Mac OS devices, where adware was bundled with other software during the fourth quarter of 2016.

Ransomware, on the other hand, took a dramatic dip in the fourth quarter, due largely to the decline of Locky and Cryptowall as well as generic ransomware. Generic ransomware is malware that behaves like ransomware but doesn’t fit into any particular family as determined by McAfee’s automated methodologies.

The volume of ransomware as a whole has more than tripled from the start of 2015 through 2016 from just under 3 million samples to about 9 million.

 

This article was written by Tim Greene from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post McAfee: Trend indicates 2017 will be bumper year for new malware appeared first on McAfee Blogs.

You Can Remove This New Ransomware By Playing An Old Video Game
https://securingtomorrow.mcafee.com/business/neutralize-threats/you-can-remove-this-new-ransomware-by-playing-an-old-video-game/
Mon, 10 Apr 2017 19:13:16 +0000

Malware authors have never been afraid to try new things. When flooding users with pop-up ads and hijacking search results didn’t prove lucrative enough, they cooked up ransomware. It’s now a billion-dollar “business,” but not everyone is in it for the money.

Take a piece of ransomware that was discovered recently called Rensenware. Once it’s infected your system and encrypted your files, there’s only one way to get them back: You have to become really good at a video game called Undefined Fantastic Object. The sailor girl in the warning image is a character from the game, Minamitsu Murasa. She’ll encrypt your documents, music, pictures, and “some kinda project files” and will only let you see them again if you can rack up 200 million points playing her game.

 

Game screenshot

 


The catch: the game isn’t all that easy to find, at least not through traditional channels, which is not surprising given that it was released in 2009. Amazon.com does, however, have two copies left in stock. Secure one, blast your way through wave after wave of attackers, and your files will be decrypted.

That was the plan, at least, when the joker who cooked up Rensenware started working on it. It seems this particular hacker saw the error of his ways shortly after unleashing this still-quite-dangerous “prank” on unsuspecting web surfers. An apology was posted, along with a tool that can be run to trick the ransomware into thinking the game is being played and the minimum score has been achieved.

 

While Rensenware may never have been intended as a serious threat, it underscores just how big a problem ransomware (and malware in general) is these days. In addition to the hackers who are actually out to do you harm you’ve got to watch out for hobbyists and tinkerers that are “just messing around” and “doing it for the lulz.”

 

This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post You Can Remove This New Ransomware By Playing An Old Video Game appeared first on McAfee Blogs.

Android version of iOS malware used in targeted attacks discovered
https://securingtomorrow.mcafee.com/business/neutralize-threats/android-version-of-ios-malware-used-in-targeted-attacks-discovered/
Fri, 07 Apr 2017 21:56:42 +0000

Researchers at Lookout and Google have identified an Android variant of custom malware originally detected in targeted attacks against iOS last year. Called Pegasus, the malware is used against dissidents in multiple countries, and has full intercept capabilities.

Pegasus was developed for both iOS and Android by NSO Group Technologies. Founded in 2010, NSO Group is an Israeli company specializing in the development and sale of software designed for government surveillance.

Earlier this year, the company was linked to targeted attacks against proponents of Mexico’s 2014 soda tax, which the soda industry viewed as a threat to its commercial interests in the country. In 2016, when Pegasus was first detected on iOS, the target was Ahmed Mansoor, a human rights activist in the UAE. Mansoor spotted the attack himself and informed researchers at Citizen Lab, who worked with Lookout to investigate the malware.

The Pegasus infection on iOS started with a malicious text message, and leveraged three zero-day vulnerabilities in order to compromise the phone. Once compromised, the malware targets everything on the target’s iPhone, including iMessage, calendar, passwords, Gmail, Mail.ru, Viber, Facebook, VK, WhatsApp, Telegram and Skype.

The Android version of the malware doesn’t need zero-day exploits, and performs the same data collection and offers the same function controls as previously observed with iOS including, keylogging, screen captures, and remote control via SMS. Pegasus will also self-destruct if the software senses there is a risk, or if a kill command is issued.

“Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot,” Lookout explained.

“In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails.”

Google’s name for Pegasus is Chrysaor, and the search giant labels it a PHA, or Potentially Harmful Application. The Android maker stated that after some research, and with the help of Lookout and Citizen Lab, each of the potentially affected users has been contacted.

Google says it has detected fewer than three dozen (36) installs on victim devices, in Israel, Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan.

“It is extremely unlikely you or someone you know was affected by Chrysaor malware,” Google said.

“Through our investigation, we identified less than 3 dozen devices affected by Chrysaor, we have disabled Chrysaor on those devices, and we have notified users of all known affected devices. Additionally, the improvements we made to our protections have been enabled for all users of our security services.”


This article was written by Steve Ragan from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Here Are Google’s Best Tips For Avoiding Android Ransomware https://securingtomorrow.mcafee.com/business/neutralize-threats/here-are-googles-best-tips-for-avoiding-android-ransomware/ Wed, 05 Apr 2017 16:16:26 +0000 https://securingtomorrow.mcafee.com/?p=71149

The post Here Are Google’s Best Tips For Avoiding Android Ransomware appeared first on McAfee Blogs.

Reports of ransomware infecting Android devices are often sensational, yet according to Google, fewer than 0.00001% of app installs from Google Play have ever contained ransomware. You’re more likely to be struck by lightning twice, the company notes.

[Image: Two common Android ransomware screens]

That’s not to say ransomware isn’t a serious issue, or that you needn’t give it a second thought while using your Android device. It never hurts to exercise caution, especially with a device that holds as much sensitive information as your phone or tablet.

The good news is that Google has already done a lot of the work for you. It has built numerous protections into Android to keep ransomware – and all kinds of other threats – from infiltrating your device.

If you’re among the roughly 3% of users running Android 7 Nougat, you’re in the best shape. Google implemented several new features that can fend off ransomware, like “safety blinders,” which keeps apps from finding out what other apps are running. Nougat also introduced protections against clickjacking, a technique attackers use to trick you into clicking buttons you can’t see to kickstart malware.

Google has made it impossible for a malicious app to change your PIN, too. That’s a common way ransomware apps have locked users out of their devices, and it reinforces just how important it is to set up a PIN or other lock.

Android apps are also sandboxed for safety. They run inside isolated virtual containers so that they can’t poke around where they’re not supposed to. It’s not impossible to break out of a sandbox, but it is very, very difficult.

There’s also the Verify Apps feature, which has been around for years. Verify Apps scans apps for suspicious behavior, blocks the ones it flags, and in very serious cases will even remove them from your device, all without you lifting a finger.

How You Can Help

So what can you do to avoid getting a ransomware infection on your Android device? The first step is one that I’ve mentioned before: don’t mess with the “untrusted sources” switch in your settings. Google carefully screens apps in Google Play. Other places you can find Android apps – like third-party app stores and filesharing sites – aren’t necessarily doing that.

Even if you only download apps from Google Play, Google recommends that you do a little investigation before clicking the install button. Google is good at keeping threats out of its store, but the odd one can still slip through. Have a look at the app’s reviews. See what permissions it will request. If things aren’t adding up, skip the install.

Another super-simple way to protect your device: keep the software on it up-to-date. Making sure you have the latest Android patches and current updates for all your apps goes a long way to keeping malware at bay.


This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

A data breach can put the reputation of enterprises at stake https://securingtomorrow.mcafee.com/business/neutralize-threats/a-data-breach-can-put-the-reputation-of-enterprises-at-stake/ Mon, 03 Apr 2017 16:31:51 +0000 https://securingtomorrow.mcafee.com/?p=71035

The post A data breach can put the reputation of enterprises at stake appeared first on McAfee Blogs.

Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think. While many organizations worry about the technical issues posed by a cybercrime attack, such as ransomware locking up entire swaths of servers and bringing business operations to their knees, most are even more concerned about their public perception and loss of clientele.

In fact, while an attack or exploitation by a cybercriminal may be technically damaging to an organization, the fallout over the attack’s handling may be even worse, revealing some of the companies’ true fears.

Understanding the technical implications of an attack is incredibly important, which is why many organizations employ incident response teams. Analyzing an attack and restoring business operations are key to ensuring that an organization does not fall prey to the same attack or, ideally, the same attacker. However, with a proper incident response and disaster recovery capability, technically recovering from an attack simply becomes a matter of restoring services and implementing the appropriate cybersecurity controls to protect the exploited organization.

What takes much longer to restore is public brand perception and customer retention. Companies have shown their fear of customer loss in the past by implementing rather dramatic controls in an effort to keep their customers. For example, after Yahoo revealed its most recent breach in 2016, it immediately disabled the automatic email forwarding feature.

While this was a small change on Yahoo’s part, it was a huge change for its customers, some of whom may have wanted to move to another email provider while making sure they did not miss anything important sent to their old address. Users thus had a much harder time switching to another provider, out of fear of missing an important email. It goes without saying that users, and the media, reacted adversely.

By comparison, the University of Maryland, which suffered the theft of students’ personally identifiable information (PII) in 2013, pivoted dramatically by announcing the attack and its response in the same week. Each student whose information was compromised was provided five years of credit monitoring. Additionally, public presentations explained the attack as well as the controls put in place to deter future attacks. The incident was thus quickly relegated to memory and barely discussed beyond the following weeks.

The Yahoo and University of Maryland examples illustrate the real damage that cybercrime attacks can cause: reputational harm and loss of consumer confidence. Those working in cyber security should keep this in mind during incident response or disaster recovery; though the technical impact on an organization may be damaging, the reputational damage can be leagues worse.

(About the author: Frank Downs is senior manager of cyber/information security at the ISACA. This post originally appeared on his ISACA blog, which can be viewed here).


This article was written by Frank Downs from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

How to keep ransomware from human resources https://securingtomorrow.mcafee.com/business/neutralize-threats/how-to-keep-ransomware-from-human-resources/ Wed, 29 Mar 2017 21:42:44 +0000 https://securingtomorrow.mcafee.com/?p=70878

The post How to keep ransomware from human resources appeared first on McAfee Blogs.

Ransomware is not your friend. It’s lurking out there to take over your computer and business systems to extort money from you. Keeping this wolf from your door takes some doing.

The sneak attacks come attached to emails. When opened, these attachments infect your computer and lock it up until you pay the ransom demanded. According to Infosec Institute, “Small businesses usually lack sophisticated computer defenses thus making them very vulnerable. An overwhelming majority, some reports by Intel say as much as 80%, of these small and medium-scale businesses don’t employ data protection or email security.”

Impact of ransomware

In a 2016 Osterman Research survey of 540 CIOs in four countries, 40% of the respondents said that their businesses had been attacked. A total of 47% of those were in the United States. Ransoms demanded ranged from $1,000 to more than $150,000, and 40% of the hostage companies paid.


While 60% of the respondents said they spent nine hours or more fixing the problem, 19% said they had to stop business altogether. And the attacks endangered lives in 3.5% of the cases. A main concern is the fact that most intrusions occur on desktop computers inside the business’s existing security setup.

Research International surveyed IT experts across 22 industries and found that “43% had customers fall victim to ransomware.” Some 41% of the victims were small businesses, which lost access to their data for three days.

Some 71% of those infected paid ransoms, typically under $500, but “while 71% of ransom pirates restore the customers’ files after being paid off, 1 in 5 customers who paid the ransom failed to recover their files.” While relatively little was paid in ransom money by the companies surveyed, the financial impact of lost time and recovery is significant and foreshadows future losses.

Reuters, on the other hand, quotes FBI reports of business losses of $209 million in the first quarter of 2016. Pirates have hit large users like Hollywood Presbyterian Hospital, Michigan’s Board of Power & Light and the Texas North East Independent School District, among others.

“The loss and exposure of confidential data from a cyber attack is costly to both the people victimized and the businesses whose data was compromised. The goals and methods of cyber attackers are evolving and will continue to evolve. Proper visibility of devices entering and leaving the network, education and training for staff, data encryption, and real-time scanning can minimize the risks if combined with proper backup and disaster recovery planning,” warns Dave Philistin, CEO of Omnificent Systems.

How it works

Criminals infect computers in three ways:

  • Botnets, rootkits and malware installation infect a computer with malicious software that spreads to other computers and can be managed by the criminal initiator.
  • Spam and social engineering schemes target individual users, enticing them to open messages or offering them some opportunity for clicking through to something seemingly desirable and then releasing a virus to infect and spread.
  • Drive-by download and malvertising offer a double threat. The drive-by downloads malicious software without even asking you, and malvertising attaches poison to ads that attract users.

“It only takes one PC getting compromised to lead to a widespread attack. One machine can encrypt network file servers and begin attacking other PCs on the network,” explains Don Pezet, super host of ITProTV.

In any business, the human resources (HR) department receives more email than other offices. HR staffers are forever getting emails from job applicants. Moreover, HR data is a priceless pirate trove of personal identity information that thieves can use to expand their enterprise.

How to safeguard HR

Writing for The Society of Human Resource Management, Aliah D. Wright reports on studies that show, “81 percent of IT professionals said laptops – both company-owned and personal ones employees use for work – are most vulnerable to a breach. That’s followed by desktops (73 percent), smartphones (70 percent) and tablets (62 percent).”

Pierluigi Paganini analyzed a study by Intel Security with alarming results. Participants were given a list of emails and asked to identify those that were phishing. Paganini says that “only 3% got all answers right” and adds that “80% of the surveyed people got at least one wrong answer.” If users only recognize one in four phishing emails, you get some sense of the vulnerability. So if HR is an easy and lucrative target, the business must defend itself forcefully. It’s no longer a question of if the company will be attacked but when.

Everything depends on intensive education, because most malware gets in through employee error. HR staffers must learn not to open attached files with .doc, .pdf or .txt extensions. New and current staffers need training and reminders, and corporate trainers should prepare materials and schedule instruction and refresher sessions.

IT must give them what they need in the form of strong web filters and spam management. The CIO must have systems in place to evade, quarantine and shut down invasive ransomware. Just as important, IT must have a working backup plan distinct from the business network. “It’s extremely important that companies secure their backups offline to prevent them from becoming infected as well,” says Pezet.

IT must implement businesswide and department-specific strategies to detect and remediate invasive software. And management and staff must know the response mechanism.

IT can segment databases and restrict access to authorized users. Segmentation can contain an infection and prevent network-wide damage.

HR can confine incoming job applications to a dedicated workstation, with staff working as a unit or as trained individuals to keep such traffic on that one system.

The future of ransomware attacks

There’s good news and bad news when looking into the future. The good news is that small businesses are small pickings for cybercriminals – though ransomware is a troublesome nuisance when you consider the price of defense and remediation.

The bad news is that the people behind ransomware-as-a-service (RaaS) schemes apparently see the financial promise in broader and deeper infections. That they are criminally willing and able to serve and support other criminals makes it something to fear now and into the future. The ability to field rapidly varying infections concerns CIOs, who race to get ahead of the curve.


This article was written by Andre Bourque from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Acoustic attack lets hackers control smartphone sensor https://securingtomorrow.mcafee.com/business/neutralize-threats/acoustic-attack-lets-hackers-control-smartphone-sensor/ Tue, 28 Mar 2017 23:01:22 +0000 https://securingtomorrow.mcafee.com/?p=70830

The post Acoustic attack lets hackers control smartphone sensor appeared first on McAfee Blogs.

A newfound vulnerability in smartphones could let hackers remotely control the devices.

With the acoustic injection attack, “attackers that deliver high intensity acoustic interference in close proximity” can interfere with a device’s accelerometer and get the sensor to send “attacker-chosen” data to the smartphone’s processor, say researchers from the University of Michigan and the University of South Carolina in a paper.

Accelerometers measure acceleration, that is, changes in a device’s speed; industrially they are used to sense vibration for monitoring machinery health. In a smartphone, the accelerometer can be used to detect screen orientation, for example.

The tiny microelectromechanical system (MEMS) component works by measuring analog physical movement along its axes. That analog signal is converted to digital and sent on to be processed by the device.

This new audio injection hack creates sound, itself a form of vibration, and fools the accelerometer into registering it as motion. The attacker can then use those forged readings to issue commands.

The hijack also works on Internet of Things MEMS, medical equipment and other devices that use the now-common accelerometer gizmos from major manufacturers, the researchers say. Those vendors include Bosch and STMicroelectronics.

The problem is that “hardware components are not protected by traditional software means,” says Timothy Trippel, one of the students working on a solution, in a video on the school’s website. Device software usually trusts data sent from attached hardware sensors. That leaves sensors wide open to trickery if they can be infiltrated.

“No one really thought about the hardware layers that sit below the software layers,” he says. Adversaries can spoof those sensors and in this case, get in through the audio injection.

“With proper knowledge of the algorithms that [use] the polluted sensor data, adversaries may be able to control the behavior of a system that relies on the sensor data to make automated decisions,” the researchers say.

Hacking a Samsung Galaxy S5

The researchers were able to introduce special tones in a YouTube video that fool a Samsung Galaxy S5’s accelerometer into outputting certain signals. The acoustic interference woven throughout the YouTube video could also be delivered through Twitter, email attachments and other websites, they claim.

In another experiment, the group used audio to hack a smartphone app that was being used to pilot a radio-controlled model car. An app on a handheld phone, in that case, would use real-time gesture sensing delivered by the accelerometer to steer the car. The performed attack allowed the car to be piloted without moving the phone. A third experiment introduced fake steps into a wearable fitness band.

Accelerometers are used extensively in all drone flight controllers, in airplanes for navigation and in laptops to protect hard drives. They will also be used in self-driving cars and will be a ubiquitous element in future-tech robotics – a robot needs to know where it is.

“Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the un-validated integrity of sensor outputs,” the researchers explain in the paper.

To prevent attack, the researchers say sensors must be limited in their exposure to acoustic interference and must be enclosed in dampening foam. Plus, algorithms need to be introduced to reject signals that are obviously abnormal.
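As an added example (not the researchers’ code), the block below implements the second of those mitigations in software: a plausibility gate that drops accelerometer windows whose magnitude is impossible for ordinary handling, or whose oscillation rate is far above anything a human gesture produces, before the data reaches orientation, gesture or step-counting logic. The sample rate and every threshold are assumptions for a handheld device, and both input windows are constructed.

```python
"""Plausibility gate for accelerometer samples (added example, not the
researchers' code).  SAMPLE_HZ and all thresholds are assumptions for a
handheld device and would need tuning per product.

Each window of (x, y, z) samples, in units of g, passes two checks:
1. Magnitude: ordinary handling stays well under MAX_G.
2. Oscillation rate: acoustic injection drives the MEMS proof mass at its
   resonant frequency, so the output swings around its mean far faster than
   any hand gesture.  The zero-crossing rate of the mean-removed signal is a
   cheap frequency estimate that needs no FFT.
"""
import math

SAMPLE_HZ = 100.0        # assumption: sensor read at 100 samples/s
MAX_G = 4.0              # assumption: upper bound for normal handheld use
MAX_PLAUSIBLE_HZ = 15.0  # assumption: faster oscillation is not a human gesture


def magnitude(sample):
    x, y, z = sample
    return math.sqrt(x * x + y * y + z * z)


def zero_crossing_rate(values, sample_hz=SAMPLE_HZ):
    """Estimated dominant frequency in Hz: a sinusoid crosses zero twice per cycle."""
    if len(values) < 2:
        return 0.0
    mean = sum(values) / len(values)
    centred = [v - mean for v in values]
    crossings = sum(1 for a, b in zip(centred, centred[1:]) if (a < 0) != (b < 0))
    duration = (len(values) - 1) / sample_hz
    return crossings / 2.0 / duration


def validate_window(samples, sample_hz=SAMPLE_HZ):
    """Return (ok, reason).  A rejected window must not reach the consumers
    of accelerometer data."""
    for i, s in enumerate(samples):
        m = magnitude(s)
        if m > MAX_G:
            return False, f"sample {i}: |a| = {m:.1f} g exceeds {MAX_G} g"
    for axis, name in enumerate("xyz"):
        f = zero_crossing_rate([s[axis] for s in samples], sample_hz)
        if f > MAX_PLAUSIBLE_HZ:
            return False, f"{name}-axis oscillates at about {f:.0f} Hz, above {MAX_PLAUSIBLE_HZ} Hz"
    return True, "plausible"


# Constructed windows of 100 samples (one second at SAMPLE_HZ).
def benign_tilt_window(n=100):
    """Phone slowly tilted from flat to about 45 degrees; |a| stays at 1 g."""
    out = []
    for i in range(n):
        x = 0.7 * i / (n - 1)
        out.append((x, 0.0, math.sqrt(1.0 - x * x)))
    return out


def injected_tone_window(n=100, tone_hz=37.0, amplitude=0.3):
    """Phone at rest with a resonant tone riding on the y axis (constructed)."""
    return [(0.0, amplitude * math.sin(2 * math.pi * tone_hz * i / SAMPLE_HZ), 1.0)
            for i in range(n)]


if __name__ == "__main__":
    print(validate_window(benign_tilt_window()))
    print(validate_window(injected_tone_window()))
```

A production filter would use a proper spectral estimate and noise-robust thresholds, and would sit alongside the mechanical damping the researchers recommend rather than replace it; the point here is that sensor output is untrusted input and deserves the same validation as anything else that crosses a trust boundary.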


This article was written by Patrick Nelson from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

A New Way to Spot Malicious Apps https://securingtomorrow.mcafee.com/business/neutralize-threats/a-new-way-to-spot-malicious-apps/ Mon, 20 Mar 2017 16:33:01 +0000 https://securingtomorrow.mcafee.com/?p=70568

The post A New Way to Spot Malicious Apps appeared first on McAfee Blogs.

By targeting fraudulent reviews to identify malware in the Google Play store, researchers uncovered an insidious technique: some of these apps harass innocent users until they leave positive ratings of their own.

Malware is a constant threat for Android users downloading apps from the Google Play store. There are 2.7 million apps for people to choose from, and to its credit, Google has a system called Bouncer that looks for and removes malicious apps. But numerous malicious apps have slipped through this safety net.

Which is why Mahmudur Rahman and pals at Florida International University in Miami have developed a system called FairPlay, which searches for malicious behavior in the Google Play store in an entirely different way.

Instead of scanning the code for malicious software, FairPlay follows the trails that malicious users leave behind when fraudulently boosting their ratings. By following these trails, FairPlay can spot malicious activity that otherwise slips through Google’s security system.

Rahman and co. base their new approach on a curious observation: Users who post fraudulent reviews to boost the rankings of malicious apps tend to use the same account for lots of different apps. So once they are identified, they are easy to follow.

It’s easy to see why malicious users behave this way. To leave a review or rating on Google Play, users must have a Google account, register a mobile device to that account, and then install the app on that device.

That makes it hard to create lots of different accounts, so to keep their lives easy, malicious users tend to use just one. Rahman and co’s approach is to first identify malicious accounts and then map their activity.

They began by downloading the reviews and ratings associated with all the newly uploaded apps to Google Play between October 2014 and May 2015. That’s nearly 90,000 apps and 3 million reviews.

They then used traditional antivirus tools, along with human experts in app fraud, to manually identify over 200 apps containing malware. This forms their “gold standard” data set of malicious apps. They also asked the experts to identify Google accounts responsible for generating fraudulent reviews, finding 15 accounts that had written reviews for over 200 fraudulent apps.

These 200 apps received a further 53,000 reviews. They data-mined these reviews to find a further 188 accounts that had each reviewed at least 10 of the fraudulent apps. “We call these guilt by association accounts,” say Rahman and co.

From all this fraudulent activity, they selected a set of 400 fraudulent reviews to train a machine-learning algorithm to spot others like them.

They also designed FairPlay to look at other potential indicators of malicious behavior, such as the number of permissions an app asks for and the way in which ratings appear over time, looking in particular for suspicious spikes in rating activity.

Finally, they let the algorithm loose on the entire set of 90,000 newly released apps on Google Play.
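To make two of those signals concrete, here is an added example that runs the guilt-by-association expansion and a simple review-spike check over a constructed set of reviews. It is not the FairPlay authors’ code: the account and app names are made up, and the thresholds (MIN_SHARED, the spike factor and the minimum review count) are assumptions scaled to the tiny sample, not the paper’s parameters.

```python
"""Two FairPlay-style review-fraud signals (added example, not the FairPlay
authors' code; thresholds are assumptions, not the paper's).

1. Guilt by association: starting from seed accounts that experts identified
   as fraudulent, find other accounts that reviewed at least MIN_SHARED of
   the same apps.
2. Review spikes: days on which an app receives far more reviews than on its
   other days, which is what a bought or coerced review campaign looks like.

Every review below is constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import date

MIN_SHARED = 3   # assumption; the paper's experts used 10 shared apps on far more data


def _day(d):
    return date(2015, 3, d)


# (app_id, account_id, review_date, stars), all constructed
REVIEWS = [
    # seed account fraud01 reviewed the four apps experts labelled fraudulent
    ("app.f1", "fraud01", _day(1), 5), ("app.f2", "fraud01", _day(1), 5),
    ("app.f3", "fraud01", _day(2), 5), ("app.f4", "fraud01", _day(2), 5),
    # shadow7 shares three of those apps with the seed -> guilt by association
    ("app.f1", "shadow7", _day(3), 5), ("app.f2", "shadow7", _day(3), 5),
    ("app.f3", "shadow7", _day(4), 5),
    # shadow8 shares only two, plus a legitimate app -> below the threshold
    ("app.f2", "shadow8", _day(3), 5), ("app.f4", "shadow8", _day(5), 5),
    ("app.legit", "shadow8", _day(5), 4),
    # ordinary users of app.f2 during a quiet week ...
    ("app.f2", "user_a", _day(4), 3), ("app.f2", "user_b", _day(5), 4),
    ("app.f2", "user_c", _day(6), 2), ("app.f2", "user_d", _day(7), 4),
    ("app.f2", "user_e", _day(8), 3), ("app.f2", "user_f", _day(9), 4),
    # ... followed by a burst of eight 5-star reviews on a single day
] + [("app.f2", f"burst{i}", _day(10), 5) for i in range(8)]


def guilt_by_association(reviews, seed_accounts, min_shared=MIN_SHARED):
    """Accounts outside the seed that reviewed at least min_shared of the apps
    the seed accounts reviewed."""
    suspect_apps = {app for app, acct, _, _ in reviews if acct in seed_accounts}
    shared = defaultdict(set)
    for app, acct, _, _ in reviews:
        if app in suspect_apps and acct not in seed_accounts:
            shared[acct].add(app)
    return {acct for acct, apps in shared.items() if len(apps) >= min_shared}


def rating_spikes(reviews, app_id, factor=4.0, min_reviews=5):
    """Days on which app_id got at least min_reviews reviews and more than
    factor times its median daily count over the other days."""
    daily = Counter(day for app, _, day, _ in reviews if app == app_id)
    if len(daily) < 2:
        return []
    spikes = []
    for day, n in daily.items():
        others = sorted(c for d, c in daily.items() if d != day)
        median = others[len(others) // 2]
        if n >= min_reviews and n > factor * median:
            spikes.append(day)
    return sorted(spikes)


def flag_apps(reviews, seed_accounts, min_shared=MIN_SHARED, min_suspect_reviews=2):
    """Map each flagged app to the reasons it was flagged."""
    suspects = set(seed_accounts) | guilt_by_association(reviews, seed_accounts, min_shared)
    flagged = {}
    for app in sorted({app for app, _, _, _ in reviews}):
        reasons = []
        n_suspect = sum(1 for a, acct, _, _ in reviews if a == app and acct in suspects)
        if n_suspect >= min_suspect_reviews:
            reasons.append(f"{n_suspect} reviews from suspect accounts")
        spikes = rating_spikes(reviews, app)
        if spikes:
            reasons.append("review spike on " + ", ".join(d.isoformat() for d in spikes))
        if reasons:
            flagged[app] = reasons
    return flagged


if __name__ == "__main__":
    print("guilt-by-association accounts:", guilt_by_association(REVIEWS, {"fraud01"}))
    for app, reasons in flag_apps(REVIEWS, {"fraud01"}).items():
        print(app, "->", "; ".join(reasons))
```

On this data the expansion picks up `shadow7` but not `shadow8`, `app.f2` is flagged both for its suspect reviewers and for the single-day burst, and the legitimate app is left alone. FairPlay itself feeds signals like these, together with permission counts and the text of the reviews, into a trained classifier rather than fixed thresholds.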

The results make for interesting reading. “FairPlay discovers hundreds of fraudulent apps that currently evade Google Bouncer’s detection technology,” say Rahman and co.

More significant, the algorithm uncovered an entirely new form of coercive attack that forces ordinary users to write positive reviews for malicious apps. “FairPlay enabled us to discover a novel, coercive campaign attack type, where app users are harassed into writing a positive review for the app, and install and review other apps,” say the team.

The campaign works by bombarding users with ads or otherwise making games difficult to play. However, the campaign lets users remove the ads, unlock another level in a game, or get additional features by writing positive reviews.

Rahman and co uncovered this behavior by data-mining the reviews. In a subset of 3,000 reviews, they found 118 that reported some level of coercion. For example, users wrote “I only rated it because I didn’t want it to pop up while I am playing,” or “Could not even play one level before I had to rate it [ … ] they actually are telling me to rate the app 5 stars.”

That reveals an entirely new kind of coercive fraud attack that Google’s Bouncer does not spot.

The question now is: what next? Identifying this kind of behavior makes it easier to crack down on. But in this cat-and-mouse game, it’s surely only a matter of time before malicious users dream up some other ingenious way to cheat.

Ref: FairPlay: Fraud and Malware Detection in Google Play, arxiv.org/abs/1703.02002


This article was written by Emerging Technology from the arXiv from MIT Technology Review and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Phishing: Draining the corporate bottom line https://securingtomorrow.mcafee.com/business/neutralize-threats/phishing-draining-the-corporate-bottom-line/ Mon, 13 Mar 2017 21:49:46 +0000 https://securingtomorrow.mcafee.com/?p=70394

The post Phishing: Draining the corporate bottom line appeared first on McAfee Blogs.

Quick quiz – how many of you have not experienced a phishing attack on your organization in the last month?

I suspect that there are not many hands up. As you likely know, phishing is a pervasive problem for the corporate world, and the problem is growing. One organization I work with has seen a 400% increase in phishing attacks in just the last year.

I think most people with some knowledge of the information security world understand the gravity of phishing attacks. The results of a recent study indicated that approximately 93% of phishing messages carry ransomware. On top of that, many seek to collect personal information for later use, a practice known as social engineering.

What many may not realize is the drain phishing attacks place on the information technology team, particularly the information security organization. For organizations with an operational security function, this involves pulling the message out of mailboxes before most users see it, conducting forensic analysis to understand what each message does, reviewing logs to understand what, if any, impact the message had on the organization, blocking links or attachments, and keeping leadership informed. These efforts can leave a major dent in the bottom line.

If someone acted on a link or attachment, the time spent can rise exponentially. This usually involves a full incident response process, focused on cleaning up any damage, restoring corrupted files, and investigating the possibility of a data breach. Given that HIPAA requires any such attack be considered a breach until proven otherwise, medical organizations must approach the investigation process even more completely.

Phishing is also a drain on overall organizational workload. Many larger organizations now require annual phishing training. Employees must read outside messages with greater care and must learn to contact IT when they have a suspected message. The hours all employees of an organization spend on activities related to phishing can add up fast.

To further complicate the impact on the organization as a whole, the constant fear of being a victim of a phishing attack can slow down normal operations. This fear often leads to employees being reluctant to act on a message that is legitimate. I encountered one such situation this week, with employees who received a message confirming their access to a new system they requested. Multiple users thought it might be phishing. This delayed their accessing the system they needed and required the operational security team to investigate to confirm its legitimacy.

According to a study by the Ponemon Institute, the average yearly cost to a 10,000-person company for phishing-related activities is a staggering $3.7 million. This includes an average of 4.16 hours per year wasted by each individual employee dealing with phishing. In my experience, that number is low.

One of my favorite movie quotes was made by the WOPR computer from the movie WarGames: “The only winning move is not to play.” Applied to phishing, this underscores the importance of keeping as many phishing attacks out of an organization as possible, and limiting the damage from those that do get through. Here are some suggestions:

Prevent spam

Using anti-spam software on your email system is a strong defense against phishing attacks. Many phishing attacks are readily recognized and blocked by spam filters.

Training and reporting

Train your employees to spot phishing attacks, and make it easy for them to report suspected incidents. This becomes a valuable part of your early warning system, allowing you to investigate, and where necessary, act on an incident quickly. Services such as PhishMe include a button for Outlook that facilitates easy reporting.

Have a plan

Have a written plan outlining the steps your team will take in responding to phishing attacks. Logging and documentation are a critical part of this, in case an attack later becomes a legal or compliance issue.

Kill the messages

When an attack is confirmed, the highest priority should be to pull the message out of the mailboxes of anyone that received it before they have a chance to respond.

Analyze and remediate

Once you have removed all possible messages from other users, you need to understand whether any recipients clicked on the link or opened an attachment. Use available logs; if none are available, contact the recipients and ask for details. It helps to have an isolated environment from which you can open the link or an attachment, to determine what, if any, negative consequences occur. Tools such as Wireshark can help you to determine what actions result from responding to the message.

Be cautious, however, to only test a message in a completely isolated environment. Obviously, if you find that a user interacted with a phishing message, you will need to take whatever steps are necessary to clean up any damage.

Block actions

If you determine from the analysis that the message attempts to contact addresses or websites, block access to those destinations from your firewall or web filtering system.

Use threat intelligence

A good way to prevent phishing attacks before they happen is to stay plugged in to threat intelligence feeds. If you can get other organizations to tell you about their phishing attacks before they hit your network, you have a chance to block them before they happen.

The best threat intelligence feeds usually come from an organization focused on your industry. If you cannot find one, check this list of available feeds. Don’t forget to return the favor by informing other organizations about the attacks you get.

Maintain metrics

Since phishing prevention and response is time-consuming and expensive, you will likely need to justify the costs to your company’s management. Keep careful statistics about your phishing attacks, and the time and effort spent responding, and report those numbers to management on a regular basis.
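The analyze, block and metrics steps above, worked as an added Python example that is not part of the original article: it takes the indicators from a hypothetical confirmed phishing message, pulls from a constructed web-proxy log the recipients who reached the lure host after delivery, emits deny-list entries for the web filter, and tallies the numbers to report to management. All log lines, user names and the `.invalid` host names are constructed for illustration.

```python
"""Phishing incident-response helper (added example, not the article's code).

Given indicators from a confirmed phishing message it
  1. finds which recipients visited a lure host after the message arrived,
  2. produces deny-list lines for the firewall / web filter, and
  3. records the metrics the playbook says to keep.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed indicators from a hypothetical confirmed phishing message.
PHISH = {
    "received": datetime(2017, 6, 12, 9, 14),
    "sender": "it-helpdesk@example-lure.invalid",
    "urls": [
        "http://login.example-lure.invalid/owa/auth.php?u=",
        "https://cdn.example-lure.invalid/invoice.zip",
    ],
    "recipients": {"alice", "bob", "carol", "dave"},
}

# Constructed proxy log lines: "<ISO timestamp> <user> <method> <url> <status>".
# carol's hit predates delivery and alice never touched a lure host, so
# neither should be counted as a response to this message.
PROXY_LOG = """\
2017-06-12T09:20:31 bob GET http://login.example-lure.invalid/owa/auth.php?u=bob 200
2017-06-12T09:21:02 bob POST http://login.example-lure.invalid/owa/auth.php 302
2017-06-12T09:05:44 carol GET http://login.example-lure.invalid/owa/auth.php 200
2017-06-12T10:02:10 dave GET https://cdn.example-lure.invalid/invoice.zip 200
2017-06-12T10:30:00 alice GET https://www.example.com/ 200
"""


def indicator_hosts(urls):
    """Host names to block, derived from the lure URLs (deduplicated, in order)."""
    hosts = []
    for u in urls:
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


def parse_proxy_line(line):
    ts, user, method, url, status = line.split()
    return datetime.fromisoformat(ts), user, method, url, int(status)


def find_responders(log_text, phish):
    """Map each recipient who reached a lure host after delivery to their hits.

    Each hit keeps the HTTP method so the responder can tell a credential
    POST apart from merely opening the link.
    """
    hosts = set(indicator_hosts(phish["urls"]))
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, _status = parse_proxy_line(line)
        if ts < phish["received"]:
            continue  # traffic before delivery cannot be a response to this message
        if user in phish["recipients"] and urlparse(url).hostname in hosts:
            hits.setdefault(user, []).append((ts, method, url))
    return hits


def block_rules(phish):
    """Deny-list lines for the web filter plus a mail rule for the sender domain."""
    rules = [f"deny host {h}" for h in indicator_hosts(phish["urls"])]
    sender_domain = phish["sender"].split("@", 1)[1]
    rules.append(f"deny mail-from *@{sender_domain}")
    return rules


@dataclass
class IncidentMetrics:
    recipients: int
    responders: int
    credential_posts: int
    analyst_hours: float


def metrics(phish, hits, analyst_hours):
    """Numbers worth reporting: exposure, how many responded, and the effort spent."""
    posts = sum(1 for events in hits.values() for _, m, _ in events if m == "POST")
    return IncidentMetrics(len(phish["recipients"]), len(hits), posts, analyst_hours)


if __name__ == "__main__":
    responders = find_responders(PROXY_LOG, PHISH)
    for user, events in responders.items():
        for ts, method, url in events:
            print(f"{user}: {method} {url} at {ts:%H:%M}")
    print("\n".join(block_rules(PHISH)))
    print(metrics(PHISH, responders, analyst_hours=2.5))
```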

Bottom line: Preventing and responding to phishing attacks is a costly endeavor, but the consequences of one of your users responding to such an attack will be far worse. Do everything you can to prevent or limit attacks, and respond quickly to any attacks you discover.


This article was written by Robert C. Covington from Computerworld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Phishing: Draining the corporate bottom line appeared first on McAfee Blogs.

One Of The Biggest Senders Of Spam Leaked A Database With 1.4 Billion Emails
https://securingtomorrow.mcafee.com/business/neutralize-threats/one-of-the-biggest-senders-of-spam-leaked-a-database-with-1-4-billion-emails/
Wed, 08 Mar 2017 20:47:48 +0000

Many of the massive data breaches you’ve read about over the past few years are the result of incredibly sophisticated hacking — the infamous Yahoo! incidents, for example. There are other ways data leaks out that are incredibly unsophisticated. Sometimes all it takes is someone careless when setting up a backup.

That’s what led to security researchers Chris Vickery and Steve Ragan stumbling onto a database that contained 1.4 billion records. The data was left completely exposed to anyone who happened to be poking around. It wasn’t even secured by a username or password.

The data, Vickery says, was served up on a platter by “a group calling themselves River City Media.” RCM, he continues, was ”responsible for up to a billion daily email sends” every day. In addition to spilling over a billion email addresses (and, in some cases, physical addresses), the leak exposed numerous documents that revealed the inner workings of RCM’s spam operation.

Some of those documents show just how profitable spamming can be. One leaked text references a single day of activity that targeted Gmail users with 18 million emails and AOL users with another 15 million. The total take: around $36,000.

Image: Chris Vickery/MacKeeper

How does a group that’s reportedly made up of about 12 individuals amass a mailing list with 1.4 billion addresses and send tens of millions of emails in a single day? Through “automation, years of research, and fair bit of illegal hacking techniques,” Vickery states. It’s also not uncommon for spammers to share their databases or harvest email addresses when hackers dump them online.

That might explain how you end up on mailing lists that try to sell you everything from generic drugs to car loans. Even if you’re extremely careful about giving out your primary email address, all it takes is one legitimate service you registered for being hacked and you’re sunk.

The Silver Lining

While it’s incredibly unnerving to read about leaks of personal information on this scale, there’s some good news here. Also among the data that RCM leaked: numerous IP addresses that helped Vickery, Ragan, and Spamhaus – an international organization that maintains and distributes anti-spam lists to email providers – to identify key components of the spammers’ infrastructure.

Their exposure allowed Spamhaus to blacklist RCM’s extensive network. In the short term, you may notice a drop in the number of spam emails you see in your inbox.

It may be an incredibly short break, however. Given that the good guys discovered RCM’s data, it’s reasonable to assume that some very bad guys found it, too.


This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post One Of The Biggest Senders Of Spam Leaked A Database With 1.4 Billion Emails appeared first on McAfee Blogs.

Ransomware ‘customer support’ chat reveals criminals’ ruthlessness
https://securingtomorrow.mcafee.com/business/neutralize-threats/ransomware-customer-support-chat-reveals-criminals-ruthlessness/
Tue, 28 Feb 2017 17:10:09 +0000

Ransomware criminals chatting up victims, offering to delay deadlines, showing how to obtain Bitcoin, dispensing the kind of customer support that consumers lust for from their cable and mobile plan providers, PC and software makers?

What’s not to love?

Finnish security vendor F-Secure yesterday released 34 pages of transcripts from the group chat used by the crafters of the Spora ransomware family. The back-and-forth not only put a spotlight on the gang’s customer support chops, but, said a company security advisor, illustrated the intertwining of Bitcoin and extortion malware.

“We should be thankful that there are at least some practical barriers to purchase Bitcoins,” wrote Sean Sullivan of F-Secure in a Wednesday post to the firm’s blog. “If it were any easier to do so, very little else would check the growth of crypto-ransomware’s business model.”

Sullivan originally penned that conclusion last month, in a short section of the “State of Cyber Security” report that F-Secure published then. Yesterday, F-Secure posted the transcripts, 20,000 words or more, and dubbed the collection a “new supplemental appendix” to the original report.

“[A] fascinating read,” Sullivan said.

He wasn’t kidding.

In one exchange, a Spora victim said he or she had paid the extortion fee, but had gotten nothing in return. “I already sent you 98USD worth of bitcoin,” the victim reported.

In response, the “customer support rep” blamed the victim for entering an incorrect Bitcoin destination address. “But do you agree, that it is you mistake, that you entered incorrect address?” asked the Spora rep.

“I literally copied the address that was given at the refill page. How could I be mistaken?” the victim replied.

In one of many similar threads — the transcripts identified each victim by the first character of the ID created by the ransomware — someone pleaded for mercy.

“Hello crooks. I agree to pay,” said “0” in a lead-off message. “But 570 dollars for a lot of photos of my grandmother. Can I expect a discount if I leave good feedback on the forum about you?”

No go. “We do not provide any discount. Also, we cannot be sure, that you have only photos,” retorted “support.”

At times, the messages were pitiful. “Hello, I am 82 and my family pikture [sic] go away — bad, very bad,” reported another victim identified as “0.”

“Is anyone there?” asked another during a stretch when Spora’s support didn’t respond to scores of messages, apparently borrowing another tactic from legitimate technical support desks.

Others played the anger card, the profanity card, the sympathy card. “Am I the one you should hack? No. I am just a salary man who tries to make ends meet and bring foods to his kids,” said “E,” who also identified himself as “Mustapha from Morocco.”

But as F-Secure’s Sullivan noted, many of the questions posed to the hackers involved Bitcoin. “Hello, I am from Greece and we have capitol [sic] controls, is there any chance of a discount? Am having trouble buy bitcoins from here,” remarked one.

“I’m going to pay for bitcoin. But I’m not sure that it works in weekend. Can you remove deadline please? If not works I will pay it on Monday,” pleaded another.

The answer from Spora was always the same: No discount. The “rep” often extended deadlines, however, sometimes in response to victims pleading poverty, telling them that when they had the full amount, come back and pay.

“The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid,” Sullivan pointed out. “In the past, cyber-crime schemes (such as scareware) have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin.”

The complete Spora transcripts can be found here.


This article was written by Gregg Keizer from Computerworld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Ransomware ‘customer support’ chat reveals criminals’ ruthlessness appeared first on McAfee Blogs.

Skills of the sophisticated hacker
https://securingtomorrow.mcafee.com/business/neutralize-threats/skills-of-the-sophisticated-hacker/
Mon, 27 Feb 2017 20:27:26 +0000

Sure, the industrialization of attack exploits has made it really easy for virtually anyone to enter into the cybercrime world, but buying any as-a-service attack doesn’t necessarily guarantee success.

Those who excel in the cybercrime world may not be engineers or technicians, but they do know how to run a business, and that’s the new skill that allows these attackers to make a lot of money.

Matthew Gardiner, Mimecast’s cybersecurity strategist, said that the sophisticated hacker of today isn’t so much a hacker by trade but more entrepreneurial.

“They are leaders on the bad side of the economy, but they have the same skills that happen in the good side. They can assemble the people and processes needed to run a business,” Gardiner said.

Cybercrime is now the equivalent of industrial corporations led by start-up entrepreneurs who assemble the technology, infrastructure, hosting services, payoffs, and everything else needed for the business to run smoothly and efficiently.

“These are money oriented cybercriminals, not hacktivists or nation states. The vast majority of attacks are money oriented. They are technically savvy, mostly men, often from central Europe (though they are all over), and they have some background in technology,” Gardiner said.

These cybercriminal entrepreneurs design a network of technologists from hosting providers to operations, assembling those with similar interest that are loosely related into a financially oriented organization.

“A botnet runner becomes acquainted with someone who wants to run a ransomware campaign. He might say let’s get together and we’ll split the money. They work together to determine the payment processing, support, negotiating the ransom, promotion, and the distribution of the attack,” Gardiner said.

Because ransomware has so many varieties, the exploits need to change pretty regularly, which requires the cybercriminals to get more sophisticated. These entrepreneurs are involved in everything from, “Product development to knowing where it is, how many machines have been hit, the types of machines hit, the kind of data collected, and who the victim was,” Gardiner said.

In terms of ransomware, all of those details are important to figure out in order to determine whether they have a good victim as well as how much to charge them for the ransom.

Because defenders are identifying signatures more quickly, “Exploits need to get more sophisticated in order for the criminals to get more ROI, but defenders are acting right behind them,” Gardiner said.

Starting a technology company 30 years ago was a lot harder than it is now, which is why today’s cybercriminals are more the entrepreneur of the operation than they are highly skilled hackers.

“There’s so many more resources they can draw on in the dark open market to get up and running, and the rise of cybercurrency means they can be paid and safely paid,” Gardiner said.

The good news for security teams is that the average company doesn’t need to know too much about the attackers in order to have strong defenses. “They are exploiting known vulnerabilities, and they are only going to be as creative as they need to be,” Gardiner said.

What will also help to strengthen defense is the ability to have early detection and response. “The attackers share information with each other for money, but defenders are not as good at sharing across industries, vendors, and geography,” said Gardiner.

If victims knew of an exploit milliseconds after an attack, that could force the attackers to move faster, which would lessen their profit. Because these are profit-motivated criminals, the best way to defeat them is to significantly minimize their potential to make money.


This article was written by Kacy Zurkus from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Skills of the sophisticated hacker appeared first on McAfee Blogs.

Sneaky Hack Steals Data By Watching Computer LEDs Blink
https://securingtomorrow.mcafee.com/business/neutralize-threats/sneaky-hack-steals-data-by-watching-computer-leds-blink/
Fri, 24 Feb 2017 17:09:00 +0000

When an organization needs to make sure that a computer is as secure as possible, they will often “air-gap” it. An air-gapped computer isn’t connected to the Internet. It’s not even networked to other computers that are connected to the Internet.

While air-gapping significantly increases the degree of difficulty for cyberattacks, it doesn’t make a system impenetrable. Numerous clever ways have been devised to steal data from isolated systems like these, too. Researchers have done it by listening to the sound produced by a computer’s cooling fan, by watching it for temperature changes, and by broadcasting inaudible sound through a system’s integrated speakers.

Now researchers at Ben-Gurion University in Israel have been able to do it just by watching a computer’s hard drive LED blink. What makes their demonstration particularly jaw-dropping, however, is that they watched for those blinks from the parking lot outside the office building where the infected computer was located. The picture below will give you some idea how subtle their method is. That tiny white speck is the LED their drone is watching:

Image: Lee Mathews/Forbes

How much data can you transmit using what’s essentially Morse code? Somewhere in the neighborhood of 4,000 bits per second, which the research team says is 10 times faster than any previously demonstrated technique that uses a camera to siphon data from an air-gapped computer.

No special equipment is required, either. Just about every computer ever made has a hard drive LED, and any camera — whether it’s embedded in a smartphone, attached to a drone, or sitting on a tripod on the roof of a building across the street — can be used to capture data.

Like other air-gap attacks, one of the biggest hurdles that has to be overcome is getting malware onto the target computer. How do you install malware on a system that has no Internet connection? USB sticks and SD cards are the most common method, though both require a willing accomplice. That’s not necessarily hard to find… if the job pays well enough.


This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network.

The post Sneaky Hack Steals Data By Watching Computer LEDs Blink appeared first on McAfee Blogs.

Cyber security predictions for 2017: Increased awareness, new threats
https://securingtomorrow.mcafee.com/business/neutralize-threats/cyber-security-predictions-for-2017-increased-awareness-new-threats/
Thu, 09 Feb 2017 23:23:52 +0000

In the world of cyber security, 2016 was a banner year––and not in a good way. From the Bank of Bangladesh/SWIFT heist in February to the Dyn DDoS attack a few weeks ago, the year’s wild attacks have one thing in common: they were proof that hacker innovation is on a growth trajectory.

That’s the bad news. The good news is that businesses and consumers are also much more aware of cyber threats than they were 12 months ago, and that’s the jumping off point of my cyber security predictions for 2017.

Prediction: Consumers will care a lot more about the security of the companies they do business with.

With hackers hitting organizations from the Internal Revenue Service to the University of California, Berkeley in 2016, consumers are more anxious than ever about the downstream financial crime that follows data breaches. In 2017, consumer demand will emerge around wanting to understand more about the security of the organizations they do business with.

Just as companies promote “seals of approval” for accomplishments like being “green,” (environmentally friendly), promoting gender equality or having accident-free workplaces, customers of all kinds of businesses will look for some sort of seal of assurance that the companies they do business with have a strong cyber security posture.

Prediction: Consumers will care a lot more about their own cyber security.

The great doorbell hack of 2016 kicked off the year with a loud “ding-dong.” Hackers figured out that smart home devices such as doorbells and refrigerators are gateways to home WiFi networks and Gmail logins, respectively––and surely that is just the beginning. As consumers embrace more Internet of Things (IoT) devices within the home, and more and more of their daily affairs (like banking and shopping) are conducted online, the security of their home technology environment will become extremely important. I predict that in 2017, new services will emerge that allow consumers to evaluate their own cyber security.

Prediction: Businesses will care a lot more about the cyber security of the companies they do business with.

Led by the Office of the Comptroller of the Currency (OCC) directive requiring banks to manage risks, including cyber security risk, in their third-party relationships, companies in all industries will start paying a lot more attention to their business partners’ cyber security posture in 2017. The web of risk is incredibly wide; I recently spoke with executives at a national communications company about the FICO® Enterprise Security Score and how it can help them reduce their risk exposure through partner networks. This particular company is connected with more than 32,000 business partners, and reckons that ESS will help it keep a close watch on its 4,000 most critical partner connections.

Prediction: Consumers and businesses will finally recognize the threat potential of IoT devices.

Beyond hacked doorbells and refrigerators, IoT devices like self-driving cars can present serious security threats that are very real. While I hope no tragedy will precipitate my prediction being realized, in 2017 I predict that people and businesses will make security considerations a priority in their decisions to use IoT devices, not an afterthought.

Prediction: Biometric security data may become the biggest security vulnerability of all.

Starting with Apple TouchID, biometric identification has now gone mainstream. (Even three year old kids’ fingerprints are being captured when they visit Disney World.) Hailed as being safer than digit-based passwords, biometric security data presents explosive potential in hackers’ hands. In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

(About the author: Doug Clare is a vice president at FICO, leading the cybersecurity initiative and FICO Analytic Cloud. He has been with FICO for more than 25 years, and has deep expertise in helping banks and other businesses manage fraud, risk and the customer experience.)


This article was written by Doug Clare from Information Management and was legally licensed through the NewsCred publisher network.

The post Cyber security predictions for 2017: Increased awareness, new threats appeared first on McAfee Blogs.

Following Ransomware’s Path to Extortion
https://securingtomorrow.mcafee.com/business/dynamic-endpoint/ransomwares-path-to-extortion/
Fri, 03 Feb 2017 17:20:59 +0000


It comes as no surprise that ransomware is the fastest growing form of criminal malware, accelerating in quantity 128% year over year.

This plethora of ransomware is, however, primarily acting across one type of playing field: the web. In fact, 80% of the methods used to deliver criminal malware are web-based, such as a drive-by download, an email link, or a download by malware itself. Ransomware is no exception.

In an effort to fight web-based ransomware attacks, most security teams run web-filtering technology in either a secure web gateway or firewall. This typically involves utilizing signatures that security vendors issue after seeing the malware for the first time, or technologies like network sandboxing and next-generation endpoint security, both of which identify threats without the use of signatures.

But network sandboxing is rarely implemented in a “blocking” mode, since ineffective pre-filtering allows a large volume of files to queue up at the sandbox, which takes time to process and ends up disrupting productivity for the user. Adding new endpoint technologies in isolation can further fragment security operations, resulting in additional time spent on integration, training, and management instead of improving security posture. In fact, 62% of security professionals admit that this “technology sprawl” actually reduces their security efficacy.

Clearly, this doesn’t get the job done, especially as code-changing, zero-day attacks render many web-filtering technologies ineffective.

So, what now? How do you defeat polymorphic attacks, or, essentially, defeat the unknown? How can businesses keep up with an ever-evolving, dangerous threat like ransomware? First and foremost, it’s time to get a better understanding of how this threat actually works so you can improve your ability to stop it.

To do just that, follow along ransomware’s path to extortion to dive deep into this threat and learn how to adapt your protection. 

To join in on the ransomware conversation, follow us on Twitter @IntelSec_Biz.

The post Following Ransomware’s Path to Extortion appeared first on McAfee Blogs.

ESG Lab Spotlight on SIEM
https://securingtomorrow.mcafee.com/business/neutralize-threats/esg-lab-spotlight-on-siem/
Tue, 02 Jun 2015 16:05:55 +0000

It’s no secret that today’s attack surface is growing. Everywhere you turn there’s news of a new breach or targeted attack. Look around you – is your mobile device nearby? The answer is most likely yes. In a world of connected devices and people on the go, our affinity for multi-tasking is in turn causing an increase in potential attack surfaces.

The bigger truth here is that 2014 was a record year in the number – and severity – of security breaches. For this reason, it comes as no surprise that IT managers are finding network security to be a larger task than it was two years ago.

It boils down to the simple fact that businesses need tools that can filter and analyze the influx of security data they are collecting. This analytics component is key, as what’s really important is the tools’ ability to prioritize the millions of events and alerts coming in.

Furthermore, as malware continues to morph and get more sophisticated, where do we stand in terms of defenses? No longer are perimeter defenses, SIEM and a multi-layered “defense in depth” approach simply a ‘nice to have’, rather, they have become necessities to combat and navigate today’s threat landscape.

In their recent testing, ESG Lab focused in on McAfee Enterprise Security Manager (ESM), the core product of McAfee’s SIEM solution. Here’s a recap of what they found:

  • Testing explored how the solution accurately detects advanced threats, offers actionable intelligence and provides an efficient integrated solution.
  • During their research, ESG Lab was able to discover, investigate, and manage responses quickly, and from a single interface.
  • The findings? By quickly and decisively prioritizing events for investigation and remediation, McAfee ESM allows organizations to filter out the noise and focus on what’s important.

Ultimately, ESG Lab believes this type of end-to-end solution may indeed be most effective for protecting enterprises against today’s increasingly dangerous threats.

So next time you’re discussing a battle plan for before, during, or after a breach, remember that you want SIEM on your side.

Want to learn more about ESG’s analysis of McAfee ESM? Take a look at the full report or get up to speed by watching the on-demand webinar.

To learn more about McAfee SIEM solutions and get information on the latest security techniques, explore our SIEM community and follow along with @IntelSec_Biz on Twitter.

The post ESG Lab Spotlight on SIEM appeared first on McAfee Blogs.
