McAfee Blogs: Securing Tomorrow. Today. (https://securingtomorrow.mcafee.com/blogs), feed generated Thu, 05 Dec 2019 21:35:42 -0800

Cloud Security and Artificial Intelligence in the Financial Sector
https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/cloud-security-and-artificial-intelligence-in-the-financial-sector/
Published Thu, 05 Dec 2019 16:00:13 +0000

The post Cloud Security and Artificial Intelligence in the Financial Sector appeared first on McAfee Blogs.

I recently had the honor of testifying before the House Financial Services Committee’s Taskforce on Artificial Intelligence about two critical emerging issues in the financial services sector – cloud and artificial intelligence (AI). Both have incredible potential for energizing the financial sector, but they also raise important security concerns.

Financial services organizations are migrating to the cloud to reduce complexity, cut costs, and focus their capabilities on delivering financial services to their customers. Leveraging the cloud, both large and small institutions benefit from advanced technology that is normally only available to those who can substantially invest in a highly technical workforce.

While cloud providers generally practice strong cyber hygiene, enabling quick responses to vulnerabilities and security incidents, there are also major security challenges in moving to the cloud.

Because cloud providers service many clients, a single breach can place multiple organizations’ data at risk. Today, almost all organizations, including financial services, use multiple cloud providers, a trend that is making visibility into operations more challenging. To remediate this situation, organizations need solutions to manage visibility and monitor security between cloud service consumers and providers. Services like McAfee’s MVISION Cloud, a Cloud Access Security Broker (CASB), represent a critical new class of applications that are rapidly being adopted to manage and secure diverse cloud environments.

As with cloud, we must also understand the capabilities, limitations, and risks of AI. Financial services organizations are using AI and machine learning to enable advanced analytics that allows them to better serve and protect customers, while better managing overall cost.

As the new foundation for cyber defense, AI is enabling us to better detect threats and find the so-called “needle in a haystack of needles.” Additionally, AI-based automation is helping alleviate the cybersecurity talent shortage, enabling us to free up human security professionals to focus on the most critical aspects of cyber defense.

Unfortunately, AI can be used by our adversaries. Bad actors can use AI to identify the most vulnerable victims, automate phishing, and evade detection. AI improves their ability to execute attacks and enables content creation for use in social engineering and information warfare, such as deepfake videos. These and many other adversarial uses of AI can and will occur, putting our financial services sector as well as our democracy and civil society at risk.

To properly secure cloud and AI technology in the financial services sector, I recommended the Taskforce consider voluntary collaboration and the use of industry-supported standards and best practices such as the NIST Cybersecurity Framework. When appropriate, existing cybersecurity rules for highly regulated critical infrastructure industries should be updated to reflect the rapid speed of innovation.

While innovations in both cloud and artificial intelligence are and will continue to enhance the cybersecurity of the financial services and cloud sectors, these same innovations will progressively enable cyber hackers.

At McAfee, we look forward to working with Congress to help provide cybersecurity advice as the industry moves towards the adoption of cloud and artificial intelligence technologies.

A transcript of my testimony on the U.S. House Financial Services Committee’s Taskforce on Artificial Intelligence can be found here.


Analysis of LooCipher, a New Ransomware Family Observed This Year
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-loocipher-a-new-ransomware-family-observed-this-year/
Published Thu, 05 Dec 2019 15:00:19 +0000

The post Analysis of LooCipher, a New Ransomware Family Observed This Year appeared first on McAfee Blogs.

Initial Discovery

This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.

The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher shows how a new actor at an early stage of development used the same distribution techniques as other players in the ransomware landscape. The design of the ransom note reminded us of the old days of Cerber ransomware, a very effective design intended to pressure the user into paying the ransom.

Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.

McAfee Telemetry

Based on the data we manage, we detected LooCipher infections in the following regions:

Campaign Analysis:

Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.

The document is set up to download LooCipher from a remote server as soon as it is opened. We can see the Sub AutoOpen function as a macro in the document:

LooCipher starts its encryption routine by building a 16-byte block from a predefined set of characters and the local system hour:

The ransomware encrypts with AES in ECB mode, and the same key is used for every file, which makes file recovery easier. Other ransomware families use a different key for each file to avoid the possibility of a brute force attack discovering the single key used during the infection.
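To make the recovery point concrete, here is an added illustration, not code from the post or from McAfee, of why one AES-ECB key shared across every file is both easy to spot and easy to undo: ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, and once the single key is known (for example from a network capture, as the post notes later) every file decrypts with the same short routine. The key value and the plaintext below are constructed for the demo; the post does not publish the real key-generation details beyond what is stated above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// pkcs7Pad pads data to a whole number of AES blocks.
func pkcs7Pad(data []byte) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed trailers.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(data), blockSize)
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, fmt.Errorf("invalid padding byte %d", n)
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// ecbEncrypt applies AES to each block independently (ECB mode). It exists
// here only to build the sample ciphertext the functions below operate on.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	in := pkcs7Pad(plaintext)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blockSize {
		c.Encrypt(out[i:i+blockSize], in[i:i+blockSize])
	}
	return out, nil
}

// ecbDecrypt is the whole of a recovery tool once the single campaign key is
// known: the same key and the same loop restore every file.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%blockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(ciphertext), blockSize)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += blockSize {
		c.Decrypt(out[i:i+blockSize], ciphertext[i:i+blockSize])
	}
	return pkcs7Unpad(out)
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block. Under ECB identical plaintext blocks always yield identical
// ciphertext, so a non-zero count on structured input is a strong ECB tell;
// a chained or counter mode gives zero here except by chance.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]int)
	dup := 0
	for i := 0; i+blockSize <= len(ciphertext); i += blockSize {
		k := string(ciphertext[i : i+blockSize])
		if seen[k] > 0 {
			dup++
		}
		seen[k]++
	}
	return dup
}

func main() {
	// Constructed demo key: 16 printable characters, matching the 16-byte
	// block the post describes. Not the real campaign key.
	key := []byte("0123456789ABCDEF")
	// Constructed "document" with repeated content, like a sheet of zeros.
	plain := bytes.Repeat([]byte("AAAAAAAAAAAAAAAA"), 4)

	ct, _ := ecbEncrypt(key, plain)
	fmt.Printf("%d ciphertext blocks, %d repeated\n", len(ct)/blockSize, repeatedBlocks(ct))
	back, err := ecbDecrypt(key, ct)
	fmt.Println("recovered with captured key:", err == nil && bytes.Equal(back, plain))
}
```

Running it reports 5 ciphertext blocks with 3 repeats, which is the pattern an analyst looks for in an encrypted sample before even knowing the key; a per-file key (or any chaining mode) would remove both the repeat pattern and the one-key-restores-everything property.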

During the encryption process, the ransomware skips three special folders on the system so as not to break its functionality.

Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware completely broke the functionality of the system. Some of the binaries we found encrypted the whole system, including the LockerGoga binary itself.

Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:

It is quite interesting to see how LooCipher searches for extensions that are not used on Windows systems, such as “.dmg”. This suggests that the authors may simply be pulling extension lists from code-sharing sites.

In the analysis we found a PDB reference:

\\Users\\Usuario\\Documents\\Proyectos\\sher.lock\\Debug\\LooCipher.pdb

It is interesting to note that the reference contains Spanish words, as if the user were working with folders named in Spanish, even though the system is configured in English. We currently have no idea why this is so, but it is curious.
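The PDB path comes from the CodeView debug record embedded in the PE. As an added example that is not from the post, the following Go code scans a raw file image for an RSDS record, reads its GUID, age and path, and pulls out the user name and project folder that gave the analysts the Spanish-language hint. The byte image it scans is constructed inline around the path quoted above, with a decoy record to show the printable-path filter; the GUID and age values are placeholders.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// PDBInfo holds the fields of an RSDS CodeView debug record: the 4-byte
// "RSDS" signature is followed by a 16-byte GUID, a 4-byte little-endian age
// and a NUL-terminated path to the .pdb file.
type PDBInfo struct {
	GUID [16]byte
	Age  uint32
	Path string
}

// printable reports whether a candidate path is printable ASCII only, which
// filters out accidental "RSDS" byte sequences in code or data.
func printable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// findRSDS scans a raw image for RSDS records. A byte scan is used instead of
// walking the PE debug directory so it also works on dumps and damaged headers.
func findRSDS(image []byte) []PDBInfo {
	var found []PDBInfo
	sig := []byte("RSDS")
	off := 0
	for {
		i := bytes.Index(image[off:], sig)
		if i < 0 {
			return found
		}
		start := off + i
		off = start + len(sig)
		if start+24 > len(image) {
			return found
		}
		rest := image[start+24:]
		end := bytes.IndexByte(rest, 0)
		if end <= 0 || !printable(rest[:end]) {
			continue
		}
		var info PDBInfo
		copy(info.GUID[:], image[start+4:start+20])
		info.Age = binary.LittleEndian.Uint32(image[start+20 : start+24])
		info.Path = string(rest[:end])
		found = append(found, info)
	}
}

// pathHints pulls the Windows user name, the Visual Studio project folder
// (the directory above Debug/Release) and the file name out of a PDB path.
func pathHints(p string) (user, project, file string) {
	parts := strings.Split(p, "\\")
	file = parts[len(parts)-1]
	for i, part := range parts {
		if strings.EqualFold(part, "Users") && i+1 < len(parts) {
			user = parts[i+1]
		}
		if (strings.EqualFold(part, "Debug") || strings.EqualFold(part, "Release")) && i > 0 {
			project = parts[i-1]
		}
	}
	return user, project, file
}

// samplePDBPath is the path quoted in the post.
const samplePDBPath = "\\Users\\Usuario\\Documents\\Proyectos\\sher.lock\\Debug\\LooCipher.pdb"

// sampleImage builds a constructed blob: a decoy "RSDS" whose path bytes are
// not printable, then one valid record. GUID and age are placeholder values.
func sampleImage() []byte {
	var b bytes.Buffer
	b.WriteString("RSDS")
	b.Write(bytes.Repeat([]byte{0x01}, 20))
	b.Write([]byte{0xFF, 0xFE, 0}) // decoy path: non-printable, skipped
	b.WriteString("MZ filler bytes before the real record RSD")
	b.WriteString("RSDS")
	b.Write(bytes.Repeat([]byte{0xAB}, 16)) // placeholder GUID
	b.Write([]byte{1, 0, 0, 0})              // age = 1, little-endian
	b.WriteString(samplePDBPath)
	b.WriteByte(0)
	b.WriteString("filler after the record")
	return b.Bytes()
}

func main() {
	for _, info := range findRSDS(sampleImage()) {
		user, project, file := pathHints(info.Path)
		fmt.Printf("pdb=%s age=%d user=%s project=%s file=%s\n", info.Path, info.Age, user, project, file)
	}
}
```

On a real sample the same scan would be run over the mapped binary; the user and project names it returns are exactly the kind of build-environment artifacts (here a Spanish user folder under an English system) that feed into attribution notes.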

BTC payment is the method chosen by the LooCipher authors to collect money from victims. So, at the end of the file encryption, the ransomware shows a ransom note to the user:

The LooCipher decryptor will also pop up on the system, with a specific countdown:

In the ransom note LooCipher claims the BTC address is generated specifically for the victim, but that is not true; all the BTC addresses we have seen are hardcoded in the binary:

This is another distinctive characteristic of this ransomware. Normally the workflow provides an email address for contacting the authors, so that they can send instructions to the victim, or at least a BTC address for payment (if a unique BTC address is not provided to every victim); this is the main difference between RaaS and one-shot campaigns.

Static analysis of the binaries we have shows the same bundle of BTC addresses included in most of the samples we spotted in the wild:

None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.

LooCipher and Network Traffic:

In the encryption process, LooCipher will contact the C2 server and send information about the victim:

The data sent to the server is:

Here, a capture of the network traffic could help the victim learn the encryption key that was used.
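The indicators in the IOCs section at the end of this post are published defanged (hxxp, [.]). As an added example that is not part of the post, this Go snippet refangs a subset of those hosts and URLs and runs them over a few constructed proxy-log lines, distinguishing an exact URL match from a match on the indicator host alone, which is how a defender would confirm whether a victim machine reached the distribution or C2 infrastructure. The log format, timestamps and client addresses are invented for the demo.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// refang reverses the usual defanging so the indicator can be compared
// with real log data.
func refang(ioc string) string {
	s := strings.ReplaceAll(ioc, "[.]", ".")
	if strings.HasPrefix(s, "hxxp") {
		s = "http" + s[len("hxxp"):]
	}
	return s
}

// A subset of the indicators published (defanged) in the IOCs section.
var loocipherIOCs = []string{
	"hcwyo5rfapkytajg[.]darknet[.]to",
	"hcwyo5rfapkytajg[.]onion[.]sh",
	"hcwyo5rfapkytajg[.]onion[.]ws",
	"hcwyo5rfapkytajg[.]tor2web[.]xyz",
	"hxxps://hcwyo5rfapkytajg[.]onion[.]sh/k[.]php",
	"hxxps://hcwyo5rfapkytajg[.]onion[.]sh/d[.]php",
	"hxxp://hcwyo5rfapkytajg[.]onion[.]pet/k[.]php",
	"hxxps://hcwyo5rfapkytajg[.]onion[.]sh/3agpke31mk[.]exe",
	"hxxps://hcwyo5rfapkytajg[.]onion[.]sh/info_bsv_2019[.]docm",
}

// indicatorSet keeps exact URLs and bare hosts separately; hosts are also
// harvested from the URL indicators.
type indicatorSet struct {
	urls  map[string]bool
	hosts map[string]bool
}

func buildIndicators(defanged []string) indicatorSet {
	set := indicatorSet{urls: map[string]bool{}, hosts: map[string]bool{}}
	for _, d := range defanged {
		s := strings.ToLower(refang(d))
		if strings.Contains(s, "://") {
			set.urls[s] = true
			if u, err := url.Parse(s); err == nil {
				set.hosts[u.Hostname()] = true
			}
		} else {
			set.hosts[s] = true
		}
	}
	return set
}

// Match records one log line that touched an indicator.
type Match struct {
	Line   int
	URL    string
	Reason string
}

var urlRe = regexp.MustCompile(`https?://[^\s"]+`)

// scanLogs checks every URL found in the log lines against the indicators.
// An exact URL hit is reported separately from a host-only hit, because the
// latter also catches paths that were never published.
func scanLogs(lines []string, set indicatorSet) []Match {
	var out []Match
	for n, line := range lines {
		for _, raw := range urlRe.FindAllString(line, -1) {
			s := strings.ToLower(raw)
			u, err := url.Parse(s)
			if err != nil {
				continue
			}
			switch {
			case set.urls[s]:
				out = append(out, Match{n + 1, raw, "exact URL indicator"})
			case set.hosts[u.Hostname()]:
				out = append(out, Match{n + 1, raw, "indicator host, unlisted path"})
			}
		}
	}
	return out
}

// Constructed proxy-log lines (timestamp, client, method, URL, status).
var sampleLog = []string{
	"1575558123.456 10.0.0.21 GET https://hcwyo5rfapkytajg.onion.sh/info_bsv_2019.docm 200",
	"1575558130.001 10.0.0.21 GET https://hcwyo5rfapkytajg.onion.sh/3agpke31mk.exe 200",
	"1575558190.777 10.0.0.21 POST https://hcwyo5rfapkytajg.onion.sh/k.php 200",
	"1575558201.300 10.0.0.21 GET https://hcwyo5rfapkytajg.darknet.to/other.php 404",
	"1575558250.000 10.0.0.42 GET https://www.example.com/index.html 200",
}

func main() {
	set := buildIndicators(loocipherIOCs)
	for _, m := range scanLogs(sampleLog, set) {
		fmt.Printf("line %d: %s (%s)\n", m.Line, m.URL, m.Reason)
	}
}
```

In the constructed log the first three lines hit published URLs exactly, the fourth only shares a host with the indicators, and the fifth is benign; retaining the host-level matches is what lets a responder pull the POST bodies from a full capture and recover the key material the post says is sent to the server.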

Decryptor Fallback Mechanism Implemented by LooCipher

The LooCipher authors provide a fallback mechanism so that victims can get back to the instructions and the decryptor in case they close the LooCipher window that appears after the files are encrypted:

The mechanism relies on the LooCipher binary being uploaded to the Mega platform. If the victim wants to retrieve the BTC address or decrypt the files after paying, they can download this binary and run it. According to the ransomware’s authors, files previously encrypted by LooCipher will not be encrypted again.

I’m Infected by LooCipher. How Can I Get my Files Back?

McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:

So, if you are infected with LooCipher, it is possible to get your files back.

Conclusions:

The LooCipher authors are not a sophisticated actor compared to those behind families like Ryuk, LockerGoga or REvil. They tried to spread their ransomware by combining the infection with an Office file containing a simple macro.

It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.

The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:

  • Saving a copy of your encrypted files – sometimes in the future a decryptor may be released
  • Having a solid backup workflow in the company
  • Implementing best practices in terms of Cybersecurity

YARA Rule

We uploaded a YARA rule to detect almost all the samples observed in the wild.

MITRE ATT&CK Coverage:

  • Hooking
  • Defense Evasion
  • Network Service Scanning
  • System Information Discovery
  • Data Compressed

McAfee Coverage:

  • Artemis!02ACC0BC1446
  • Artemis!12AA5517CB7C
  • Artemis!1B1335F20CD0
  • Artemis!362AB3B56F40
  • Artemis!64FCC1942288
  • Artemis!8F421FE340E7
  • Artemis!983EF1609696
  • Artemis!A11724DBE1D6
  • Artemis!A7ABF760411F
  • Artemis!B9246AA9B474
  • Artemis!F0D98A6809C1
  • McAfee-Ransom-O
  • Ransomware-GNY!3B9A8D299B2A
  • Ransomware-GNY!66571E3C8036
  • Ransomware-GNY!9CF3C9E4A9B5
  • Ransomware-GNY!A0609D7AD404
  • Ransomware-GNY!A77FDEFE40BE
  • Ransomware-GNY!A9B6521FF980
  • Ransomware-GNY!D3CE02AD4D75
  • Ransomware-GNY!DC645F572D1F
  • RDN/Generic Downloader.x
  • RDN/Generic.ole

IOCs

7720aa6eb206e589493e440fec8690ceef9e70b5e6712a9fec9208c03cac7ff0

35456dc5fdaf2281aad4d8f0441dcd0c715164e9d2ca6412380c2215ed2eab9c

3e8660f0d2b5b4c1c7dfb0d92f1198b65f263d36cd9964505f3a69150a729f6f

2ca214c271920c7261fc0009971961fa6d2ee4bd23820899f4d6e0679739bf2e

2ef92ced4c009fc20645c5602f0b1f2ddca464365b73b62eb0b7217f422590d5

77766f7f78e13dce382aeb4f89c13b9de12a2fa85f0a7550f4239dfe385a6fb5

8834001d7420d8caaa20cd429130249db30c81f0c5da92a2cb2da4dee6669c87

242f9a9cb23c87b6a5913731bce3f4e565f0393d95f2f9a78d675ef481578a61

7db9491697847dd0a65b719b0d836aeb28dec22a9deed57aa601f23a5b32214a

1f5d310da6f3f3a89e22fc86acb71741db56cbe85fbacc43822bec344cbe4058

893c4f7e3d8e9dc6757becbf2f20e81ec09557fc8e6ea72353c7b8984068f145

242198732eecc9c2d07d1db612b6084ece3a8d1d1b337554a7bef4216cbebccf

e209d7003a5d3674ab90fd1d082266a4aaa1bee144b04371abba0c358e95fd03

2a4ce9877a743865d6c11c13aa45da3683af223c196086984f57f3eff07cd3ea

0d72eab82635df496d20a8fb3921e33ed3aac597496cf006322eed48deb2c068

a6d23f11692e23a6c2307b9f5dd660bca3423f2f0202aa398325345f906b07b5

079d555a4935a6748d92e8bd9856ae11ecf4fd5293ed41cf318a407f9aaa6b2d

387be2e56804ed02ed6d4611d82c6f4b88953761d3961a33017adfb274e6cbfa

3e1d8a5faaa35e7f72ecad5f91644efd5bf0d92fdb0341c48a236c843c697196

0c42641fcc805c049883b9617082a8ac6d538fd87cfa371e3fef6114aff71c2a

b31d3de8ffd2b2dce2b570c0172f87a6719f01d4424a7a375bbb249cd15c1157

23b949ed81925ea3c10fa6c74b0d066172409e6a38023bd24672cc4efb47dd64

6987933482f12f0e1301bb0509a46f5889802fe481be160da9a29985acbabbd9

77d5586bc259e944634cff99912779fabfb356f6f840ea5afd6514f52562879d

177e91b5ac698542b5488a95a60816347fcba118f0ad43473aa7d2d5c9223847

0ffeb5639da6e77dfb241f1648fa8f9bac305335f7176def2b17e1b08706d49a

ad7eebdf328c7fd273b278b0ec95cb93bb3428d52f5ff3b69522f1f0b7e3e9a1

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/d[.]php

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/k[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/k[.]php

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/k[.]php

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/k[.]php

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/k[.]php

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/d[.]php

924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d

e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486

hcwyo5rfapkytajg[.]darknet[.]to

hcwyo5rfapkytajg[.]onion[.]sh

hcwyo5rfapkytajg[.]onion[.]ws

hcwyo5rfapkytajg[.]tor2web[.]xyz

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/3agpke31mk[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/2hq68vxr3f[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_project_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/2hq68vxr3f[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_bsv_2019[.]docm

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/3agpke31mk[.]exe

43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49

ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd

Here’s What You Need to Know About Your Data Privacy in 2020
https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/data-privacy-predictions-2020/
Published Thu, 05 Dec 2019 05:01:51 +0000

The post Here’s What You Need to Know About Your Data Privacy in 2020 appeared first on McAfee Blogs.

The end of 2019 is rapidly approaching, and with the coming of a new year comes the perfect opportunity to reflect on the past and plan for the months ahead. What will 2020 bring when it comes to cybersecurity and what can users do to ensure that they’re protected in the upcoming year? From new data privacy laws to how organizations collect and store user data, the new year will certainly bring plenty of security implications for users. Let’s take a look at a few predictions we have for the year to come.

More Awareness, More Regulations

After a security breach is disclosed, users often learn what can go wrong with their data and may start to wonder what will happen if their information gets into the wrong hands. That’s why new privacy laws will likely be implemented to empower users to better protect and control their data. For example, the new California privacy law set to go into effect January 2020 will allow consumers to instruct companies to delete their personal information and to opt-out of having their private data shared. These new regulations will allow users to better control their data and who has access to it. However, more regulations also create a more complicated landscape for individuals to navigate. Consumers will likely see more “consent” requests attached to any online data collection. That said, it is important to pay close attention to what consumers are agreeing to when they click “consent.”

With these new privacy laws, the method and level of transparency that organizations use to collect and store user data will likely come under scrutiny, particularly as data breaches become public. For example, companies make billions of dollars annually by buying and selling personal information that isn’t theirs to sell. The more data a company has on a user, the more insight cybercriminals have to infiltrate their digital life and trick them into sharing more information. 

New Tricks for the New Year

As more data is collected from various breaches, cybercriminals will look to leverage this information as a way to better understand which users to target and how exactly to target them. With the help of social engineering and artificial intelligence, these crooks will up the ante and turn old cyber tricks into sophisticated, unfamiliar threats. Take call spoofing, for example. By taking advantage of a user’s private data and new technology, cybercriminals could implement a fake call that appears to be coming from the user’s friend or family member. Because users are more likely to pick up a call from someone they know or a number that shares their same area code, cybercriminals increase the chances that their malicious attacks will be successful.

Dark Web Draws in More Data

With the number of breached records growing every day, users need to be aware of how crooks are leveraging this information in the cybercriminal underground and on the Dark Web. According to the McAfee Advanced Threat Research (ATR) team, more than 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone. This growing trend of personal online accounts being brokered on the Dark Web and the increasingly sophisticated threats that have recently emerged means that the 2019 holiday season could be the most dangerous yet.

With these predictions for the cybersecurity landscape in 2020, what resolutions can users make to help ensure that their data is protected? Follow these security tips to help safeguard your personal information:

  • Never reuse passwords. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. Ensure that all of your passwords are complex and unique.
  • Go directly to the source. Instead of clicking on a link in an email, it’s always best to check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.
  • Use a tool to help protect your personal information. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

McAfee Labs 2020 Threats Predictions Report
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2020-threats-predictions-report/
Published Thu, 05 Dec 2019 05:01:14 +0000

The post McAfee Labs 2020 Threats Predictions Report appeared first on McAfee Blogs.

With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against us.

Continuing advancements in artificial intelligence and machine learning have led to invaluable technological gains, but threat actors are also learning to leverage AI and ML in increasingly sinister ways. AI technology has extended the capabilities of producing convincing deepfake video to a less-skilled class of threat actor attempting to manipulate individual and public opinion. AI-driven facial recognition, a growing security asset, is also being used to produce deepfake media capable of fooling humans and machines.

Our researchers also foresee more threat actors targeting corporate networks to exfiltrate corporate information in two-stage ransomware campaigns.

With more and more enterprises adopting cloud services to accelerate their business and promote collaboration, the need for cloud security is greater than ever. As a result, the number of organizations prioritizing the adoption of container technologies will likely continue to increase in 2020. Which products will they rely on to help reduce container-related risk and accelerate DevSecOps?

The increased adoption of robotic process automation, and the growing importance of securing the system accounts used for automation, raises security concerns tied to Application Programming Interfaces (APIs) and the wealth of personal data behind them.

The threatscape of 2020 and beyond promises to be interesting for the cybersecurity community.

–Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani

Predictions

  • Broader Deepfakes Capabilities for Less-Skilled Threat Actors
  • Adversaries to Generate Deepfakes to Bypass Facial Recognition
  • Ransomware Attacks to Morph into Two-Stage Extortion Campaigns
  • Application Programming Interfaces (API) Will be Exposed as The Weakest Link Leading to Cloud-Native Threats
  • DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

Broader Deepfakes Capabilities for Less-skilled Threat Actors

By Steve Grobman

The ability to create manipulated content is not new. Manipulated images were used as far back as World War II in campaigns designed to make people believe things that weren’t true. What has changed with the advances in artificial intelligence is that you can now build a very convincing deepfake without being an expert in technology. There are websites set up where you can upload a video and receive a deepfake video in return. There are very compelling capabilities in the public domain that can deliver both deepfake audio and video abilities to hundreds of thousands of potential threat actors with the skills to create persuasive phony content.

Deepfake video or text can be weaponized to enhance information warfare. Freely available video of public comments can be used to train a machine-learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or group falls for a campaign. In this way, AI and machine learning can be combined to create massive chaos.

In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense. Adversaries will try to create wedges and divides in society. Or a cybercriminal could have a CEO appear to make a compelling statement that the company missed earnings or that there is a fatal flaw in a product that will require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.

We predict that the ability of an untrained class of actors to create deepfakes will drive an increase in the quantity of misinformation.

Adversaries to Generate Deepfakes to Bypass Facial Recognition

By Steve Povolny

Computer-based facial recognition, in its earliest forms, has been around since the mid-1960s. While dramatic changes have since taken place, the underlying concept remains: it provides a means for a computer to identify or verify a face. There are many use cases for the technology, most related to authentication and to answer a single question: is this person who they claim to be?

As time moves onwards, the pace of technology has brought increased processing power, memory and storage to facial recognition technology. New products have leveraged facial recognition in innovative ways to simplify everyday life, from unlocking smart phones, to passport ID verification in airports, and even as a law enforcement aid to identify criminals on the street.

One of the most prevalent enhancements to facial recognition is the advancement of artificial intelligence (AI). A recent manifestation of this is deepfakes, an AI-driven technique producing extremely realistic text, images, and videos that are difficult for humans to discern real from fake. Primarily used for the spread of misinformation, the technology leverages Generative Adversarial Networks (GANs), a recent analytic technique that, on the downside, can create fake but incredibly realistic images, text, and videos. Enhanced computers can rapidly process numerous biometrics of a face, and mathematically build or classify human features, among many other applications. While the technical benefits are impressive, underlying flaws inherent in all types of models represent a rapidly growing threat, which cyber criminals will look to exploit.

As these technologies are adopted over the coming years, a very viable threat vector will emerge, and we predict adversaries will begin to generate deepfakes to bypass facial recognition. It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems, and to invest in educating themselves on those risks as well as hardening critical systems.

Ransomware Attacks to Morph into Two-Stage Extortion Campaigns

By John Fokker

In McAfee’s 2019 threat predictions report, we predicted cyber criminals would partner more closely to boost threats; over the course of the year, we observed exactly that. Ransomware groups used pre-infected machines from other malware campaigns, or used remote desktop protocol (RDP) as an initial launch point for their campaign. These types of attacks required collaboration between groups. This partnership drove efficient, targeted attacks which increased profitability and caused more economic damage. In fact, Europol’s Internet Organised Crime Threat Assessment (IOCTA) named ransomware the top threat that companies, consumers, and the public sector faced in 2019.

Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims even more moving forward. The rise of targeted ransomware created a growing demand for compromised corporate networks. This demand is met by criminals who specialize in penetrating corporate networks and sell complete network access in one go.

Here are examples of underground ads offering access to businesses:

Figure 1 RDP access to a Canadian factory is being offered

Figure 2 Access to an Asian Food, Consumer and Industrial company being offered

For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.

During our research on Sodinokibi we observed two-stage attacks, with cryptocurrency miners installed before the actual ransomware attack took place. For 2020, we predict that cybercriminals will increasingly exfiltrate sensitive corporate information prior to a targeted ransomware attack, to sell the stolen data online or to extort the victim and increase monetization.

Application Programming Interfaces (API) Will Be Exposed as The Weakest Link Leading to Cloud-Native Threats

By Sekhar Sarukkai

A recent study showed that more than three in four organizations treat API security differently than web app security, indicating API security readiness lags behind other aspects of application security. The study also showed that more than two-thirds of organizations expose APIs to the public to enable partners and external developers to tap into their software platforms and app ecosystems.

APIs are an essential tool in today’s app ecosystem including cloud environments, IoT, microservices, mobile, and Web-based customer-client communications. Dependence on APIs will further accelerate with a growing ecosystem of cloud applications built as reusable components for back-office automation (such as with Robotic Process Automation) and growth in the ecosystem of applications that leverage APIs of cloud services such as Office 365 and Salesforce.

Threat actors are following the growing number of organizations using API-enabled apps because APIs continue to be an easy – and vulnerable – means to access a treasure trove of sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often still reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorization and authentication functions, excessive data exposure, and a failure to focus on rate limiting and resource limiting attacks. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.

Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer, messaging, financial processes, and others, adding to the hundreds of millions of transactions and user profiles that have been scraped in the past two years. The increasing need and hurried pace of organizations adopting APIs for their applications in 2020 will expose API security as the weakest link leading to cloud-native threats, putting user privacy and data at risk until security strategies mature.

Organizations seeking improvement in their API security strategy should pursue a more complete understanding of their Cloud Service APIs through comprehensive discovery across SaaS, PaaS and IaaS environments, implement policy-based authorization, and explore User and Entity Behavior Analytics (UEBA) technology to detect anomalous access patterns.
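The three weaknesses named above (broken object-level authorization, excessive data exposure, missing rate limits) and the anomalous-access detection recommended here, shown in one added Python example that is not code from the post or from McAfee; the accounts, records, policy table, limiter thresholds and access log are all constructed for illustration:

```python
"""Hardened handling for a /profiles/{id} endpoint, added here to illustrate the three API
weaknesses named above; everything (accounts, records, policy, thresholds) is constructed."""
import time
from collections import defaultdict, deque

# Constructed accounts and the records behind /profiles/{id} (not data from the post).
ACCOUNTS = {
    "alice": {"id": 1, "role": "user"},
    "bob": {"id": 2, "role": "user"},
    "helpdesk": {"id": 99, "role": "support"},
}
PROFILES = {
    1: {"id": 1, "email": "alice@example.test", "ssn": "000-00-0001", "password_hash": "<hash>"},
    2: {"id": 2, "email": "bob@example.test", "ssn": "000-00-0002", "password_hash": "<hash>"},
}

# Response allowlist: only these fields ever leave the API (counters excessive data exposure).
PROFILE_PUBLIC_FIELDS = ("id", "email")

# Policy-based authorization: action -> predicate(actor, record). Hypothetical policy table.
POLICY = {
    "profile:read": lambda actor, rec: actor["id"] == rec["id"] or actor["role"] == "support",
}


class SlidingWindowLimiter:
    """Per-client sliding-window limiter: at most `limit` calls per `window` seconds."""

    def __init__(self, limit=30, window=60.0):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, client, now):
        q = self.calls[client]
        while q and now - q[0] >= self.window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def get_profile_vulnerable(actor, profile_id):
    """The weak shape: any authenticated caller reads any record, every field, unthrottled."""
    if actor not in ACCOUNTS:
        return 401, {"error": "unauthenticated"}
    rec = PROFILES.get(profile_id)
    return (200, dict(rec)) if rec else (404, {"error": "not found"})


def get_profile(actor, profile_id, limiter, now=None):
    """Hardened handler: authenticate, rate-limit, authorize per record, then filter fields."""
    now = time.time() if now is None else now
    if actor not in ACCOUNTS:
        return 401, {"error": "unauthenticated"}
    if not limiter.allow(actor, now):
        return 429, {"error": "rate limited"}
    rec = PROFILES.get(profile_id)
    if rec is None:
        return 404, {"error": "not found"}
    if not POLICY["profile:read"](ACCOUNTS[actor], rec):  # object-level authorization
        return 403, {"error": "forbidden"}
    return 200, {k: rec[k] for k in PROFILE_PUBLIC_FIELDS}


def flag_enumeration(log, max_distinct=20, window=60.0):
    """UEBA-style check over an access log of (timestamp, client, profile_id, status) tuples:
    a client touching more than `max_distinct` distinct ids within `window` seconds is
    flagged as enumerating/scraping, which normal per-user traffic does not do."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, client, pid, _status in sorted(log):
        q = recent[client]
        while q and ts - q[0][0] >= window:
            q.popleft()
        q.append((ts, pid))
        if len({p for _, p in q}) > max_distinct:
            flagged.add(client)
    return flagged


# Constructed access log: one scraper walking 25 ids, one user re-reading her own record.
SAMPLE_LOG = [(1000.0 + i, "scraper", 100 + i, 403) for i in range(25)] + \
             [(1000.0 + i, "alice", 1, 200) for i in range(40)]

if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    print(get_profile_vulnerable("alice", 2))        # leaks bob's ssn and password hash
    print(get_profile("alice", 2, lim, now=1000.0))  # (403, {'error': 'forbidden'})
    print(get_profile("alice", 1, lim, now=1000.0))  # (200, {'id': 1, 'email': ...})
    print(flag_enumeration(SAMPLE_LOG))              # {'scraper'}
```

Note that the scraper is flagged even though every one of its requests was refused with 403: the access pattern, not the response code, is the signal.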


DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

 By Sekhar Sarukkai

DevOps teams can continuously roll out micro-services and interacting, reusable components as applications. As a result, the number of organizations prioritizing the adoption of container technologies will continue to increase in 2020. Gartner predicts that “by 2022, more than 75 percent of global organizations will be running containerized applications in production – a significant increase from fewer than 30 percent today.”[1] Container technologies will help organizations modernize legacy applications and create new cloud-native applications that are scalable and agile.

Containerized applications are built by assembling reusable components on software defined Infrastructure-as-Code (IaC) which is deployed into Cloud environments. Continuous Integration / Continuous Deployment (CI/CD) tools automate the build and deploy process of these applications and IaC, creating a challenge for pre-emptive and continuous detection of application vulnerabilities and IaC configuration errors. To adjust to the rise in containerized applications operating in a CI/CD model, security teams will need to conduct their risk assessment at the time of code build, before deployment. This effectively shifts security “left” in the deployment lifecycle and integrates security into the DevOps process, a model frequently referred to as DevSecOps.

Additionally, threats to containerized applications are introduced not only by IaC misconfigurations or application vulnerabilities, but also by abused network privileges which allow lateral movement in an attack. To address these run-time threats, organizations are increasingly turning to cloud-native security tools developed specifically for container environments. Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) work as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This approach to application identity-based enforcement will push organizations away from the five-tuple approach to network security, which is increasingly irrelevant in the context of ephemeral container deployments.

When CASB and CWPP solutions integrate with CI/CD tools, security teams can meet the speed of DevOps, shifting security “left” and creating a DevSecOps practice within their organization. Governance, compliance, and overall security of cloud environments will improve as organizations accelerate their transition to DevSecOps with these cloud-native security tools.
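A build-time IaC check of the kind the two preceding paragraphs describe, as an added example that is not McAfee's or any vendor's tool: it scans Kubernetes workload manifests (read as JSON so only the standard library is needed) for host-namespace sharing, privileged containers and dangerous capabilities, the settings that hand an attacker the network privileges used for lateral movement, and fails the pipeline on HIGH findings. The manifests, severities and thresholds are constructed.

```python
"""Build-time scan of Kubernetes workload manifests for the run-time risks discussed above,
added as an illustration (not McAfee's or any vendor's tool). Manifests are read as JSON so the
check needs nothing beyond the standard library; severities and thresholds are constructed."""
import json
import sys

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"
# Capabilities that hand a container node-level network or system control.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE"}


def _pod_spec(manifest):
    """Return the pod spec for a bare Pod or for a templated workload (Deployment, Job, ...)."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_manifest(manifest):
    """Return a list of (severity, message) findings for one manifest; empty means clean."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = _pod_spec(manifest)
    findings = []
    # Host namespaces: a foothold in the container becomes a foothold on the node's network,
    # which is exactly the lateral-movement path micro-segmentation is meant to close.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(key):
            findings.append((HIGH, f"{name}: {key} is enabled"))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        # Container-level securityContext overrides pod-level keys of the same name.
        sc = {**pod.get("securityContext", {}), **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((HIGH, f"{cname}: privileged container"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append((HIGH, f"{cname}: adds capability {cap}"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append((MEDIUM, f"{cname}: allowPrivilegeEscalation not disabled"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((MEDIUM, f"{cname}: may run as root"))
        if not c.get("resources", {}).get("limits"):
            findings.append((LOW, f"{cname}: no resource limits"))
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append((LOW, f"{cname}: image '{image}' is not pinned"))
    return findings


def ci_gate(manifests, fail_on=(HIGH,)):
    """Scan all manifests; return 1 (fail the pipeline) if any finding reaches `fail_on`."""
    all_findings = [f for m in manifests for f in check_manifest(m)]
    for sev, msg in all_findings:
        print(f"[{sev}] {msg}")
    return 1 if any(sev in fail_on for sev, _ in all_findings) else 0


# Constructed manifests: a throwaway debug pod nobody should ship, and a hardened service.
RISKY = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {"hostNetwork": True, "hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["NET_ADMIN"]}}}]},
}
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "registry.example.test/billing-api:1.4.2",
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}

if __name__ == "__main__":
    # CI usage: python iac_check.py manifest1.json manifest2.json ... (JSON manifests, e.g.
    # produced with `kubectl ... --dry-run=client -o json`); with no arguments, scan the samples.
    if len(sys.argv) > 1:
        docs = [json.load(open(p)) for p in sys.argv[1:]]
    else:
        docs = [RISKY, HARDENED]
    sys.exit(ci_gate(docs))
```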


[1] Gartner, “Best Practices for Running Containers and Kubernetes in Production,” Arun Chandrasekaran, 25 February 2019

The post McAfee Labs 2020 Threats Predictions Report appeared first on McAfee Blogs.

Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/endpoint-security-301-what-to-do-when-products-policies-and-people-break-down-the-lines-of-communication/ https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/endpoint-security-301-what-to-do-when-products-policies-and-people-break-down-the-lines-of-communication/#respond Wed, 04 Dec 2019 16:00:05 +0000 /blogs/?p=97654


Security architecture is like the ocean: no one owns it, and it is constantly affected by change. New technologies are introduced, staff changes occur, and as a result, communication suffers. I often see environments where ownership is placed into silos across teams in the enterprise, meaning IT administrators preventing threats may not get the insights uncovered by security operations teams. On the other hand, SecOps may not receive details on why a policy or configuration change has occurred. What’s more, in environments without effective integration between security tools, this lack of communication means the insights and visibilities that might benefit other stakeholders rarely travel or surface outside the immediate security team.

Add into the mix a pool of security tools that can’t co-exist — or that co-exist poorly, in a way that creates conflicts between them — and the situation is complicated even further. Clearly, implementing an effective, comprehensive endpoint strategy is one challenge, but maintaining that strategy is usually where the real battle begins.

A crucial part of winning this battle is ensuring that IT security administrators and SecOps work together effectively. Let’s examine how these two can do so to ensure all bases and endpoints are covered.

A Lack of Alignment Exacerbates the Skills Gap

A quick reminder: IT security teams are responsible for the health of the network and IT infrastructure, requiring them to focus on access controls, endpoint protection, and vulnerability management. SecOps teams, meanwhile, establish the rules their organization must follow to secure their environment.

Logically, these teams should work hand-in-hand, but in most enterprises, they are siloed due to functional or technical limits. Each has little visibility into what the other side is doing on a day-to-day basis, plus a complete lack of insight into longer-term strategic security initiatives. This can lead to a breakdown in rules, configurations, and escalations that has a detrimental impact on an enterprises’ infrastructure.

Lack of communication can also make it hard for IT security admins to know how to escalate and prioritize issues, and it prevents SecOps from upskilling. For example, junior analysts can only address about 30% of alerts today. The remainder of alerts require a higher skill set to remediate, a problem that’s only compounded by the lack of qualified cybersecurity talent. In fact, some estimates expect the number of unfilled cybersecurity jobs to rise to 3.5 million by 2021, and because many SecOps tools today require significant experience to operate, communication and education will only become more critical.

Establishing Shared Visibility Between Teams

Now that we know the issues that can arise when SecOps and IT admins don’t communicate, let’s address some of the solutions and outcomes. It all starts with better, shared visibility. When each team has insight into what the other is working on, teams are no longer siloed, and less time is spent on alerts and false positives that frontline IT can handle rather than SecOps. This means that if an eventual hack or breach does occur, more time and effort can be spent on threat remediation in order to strengthen an enterprise’s endpoint environment.

Shared visibility extends into joint policy creation as well. When forming policies, if IT admins and SecOps provide their respective input, there is less of a chance of miscommunication or misconfiguration. Policy changes can be understood from the get-go by forming a holistic approach, with the necessary expertise and insights from both teams coming together to create an overarching endpoint security strategy that’s more secure.

SecOps and IT must also find a way to extend that visibility to new team members. In my experience, solving security architecture issues requires a two-pronged approach. First, the security industry should take more responsibility for designing products usable by both the most advanced security professionals and operational staff and analysts. But second, organizations must ensure that continuity at customer sites is maintained through staff rotations by documenting the policies that support product configurations. In other words, organizations must ensure the appropriate processes are in place to support the security tools they deploy. This historical knowledge matters because, anecdotally, I find that a significant number of escalations are addressable simply by reverting a customer environment back to default settings. New employees are unaware of this quick fix and therefore waste precious time and resources on unnecessary efforts.

Collaborating for True Endpoint Security

With these challenges in mind, we recommend the following steps.

  • Create visible, documented policies for all products and scenarios. This helps overcome a lack of communication, staff turnover, and the inability of products to integrate.
  • Conversely, seek integration and automation. And in fact, organizations are doing so, with over 70% pursuing increased automation in endpoint security, including automated detection and response.
  • Establish cross-functional collaboration in other ways. For example, require IT admins to flag threats to SecOps.
  • Review your policy book and guidelines quarterly so that the latest technology and processes can be effectively integrated into guidelines.

IT security admins and SecOps teams don’t have to — and shouldn’t — do their jobs alone. To cover all bases, they can leverage a multitude of endpoint security solutions with proactive, collaborative, and integrated technology built in. These solutions allow IT security admins and SecOps teams to focus their efforts elsewhere, such as on strategic projects, policies, and insights.

McAfee MVISION Endpoint and MVISION Mobile, for example, build machine learning (ML) algorithms and analysis into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Detection & Response combines real-time endpoint monitoring and data collection with rules-based automated response and analysis capabilities so that both IT security and SecOps can be involved in the process of fostering effective enterprise endpoint security in a way that makes both of their jobs easier.

With the proper visibility between IT security and SecOps teams, advanced security solutions not only bring an endpoint security strategy full circle but also allow for more time to be spent on collaboration and teamwork. An endpoint security strategy is only as strong as its weakest link – human, solution, or otherwise. Enterprises should ensure that their weakest link isn’t a vulnerable missing link between IT admins and SecOps.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.


The post Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication appeared first on McAfee Blogs.

McAfee Up Levels Insights for Customers https://securingtomorrow.mcafee.com/blogs/enterprise/mcafee-up-levels-insights-for-customers/ https://securingtomorrow.mcafee.com/blogs/enterprise/mcafee-up-levels-insights-for-customers/#respond Tue, 03 Dec 2019 17:16:54 +0000 /blogs/?p=97690


Authored by Anand Ramanathan

McAfee recently announced MVISION Insights designed to help customers proactively detect, rank and respond quickly and accurately to threats.

On top of having to respond to threats that persistently target their companies, security professionals also face another huge challenge – prioritizing what threat information is relevant from the huge volume of data being presented to them. At McAfee we know how critical time optimization has become to security. So, we are focusing as a team on helping customers not only identify and report on the threats that pose a risk to businesses at large, but also have intelligent insights so they can prioritize information and take action to allocate resources when and where it really matters.

To deliver these insights, we are continually innovating our products and services, and part of that innovation means looking outside of McAfee to bring in the best technologies for our products. For this initiative, this meant adding a leader in security analytics and graph theory, Uplevel, to the McAfee family. Uplevel’s graph analysis platform will allow our customers to more quickly understand the threats that they’re facing and effectively select the right course of action. Combined with McAfee’s world-class data lake, we’re aiming to help our customers have the most comprehensive review of threats and their risk.

In addition to the technology, the Uplevel team led by Liz Maida brings a wealth of experience to McAfee, and specifically the Enterprise Security Business Unit. Liz’s ability to identify pain points for companies and develop solutions that address these will be instrumental in the future development of McAfee technologies and services.

Bringing Uplevel into the McAfee family – along with other recent acquisitions – demonstrates McAfee’s commitment to innovation that will allow us to be the best device-to-cloud cybersecurity company for our customers and partners.

The post McAfee Up Levels Insights for Customers appeared first on McAfee Blogs.

Are All Phishing Scams Easy to Spot? https://securingtomorrow.mcafee.com/blogs/consumer/hackable/are-all-phishing-scams-easy-to-spot/ https://securingtomorrow.mcafee.com/blogs/consumer/hackable/are-all-phishing-scams-easy-to-spot/#respond Tue, 03 Dec 2019 17:09:24 +0000 /blogs/?p=97684


The number of phishing scams that hide malware or malicious links is on the rise for a simple reason: they still work because people are the weakest link of any cybersecurity system. Some schemes are a numbers game — a hacker sends out thousands of emails to random people with the hope of getting a few to click. Others are highly targeted spear-phishing attacks that involve gathering information about a single person so that the hacker can exploit a very specific vulnerability.

On the latest episode of “Hackable?” we find out just how hackers go spear-phishing when our cybersecurity expert Bruce Snell creates his own scheme. His target? Who else but producer Pedro Mendes. Listen and learn whether or not Pedro clicks, and how you can help protect your data and devices.

Listen to “Hackable?” today.

The post Are All Phishing Scams Easy to Spot? appeared first on McAfee Blogs.

Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part I https://securingtomorrow.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-i/ https://securingtomorrow.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-i/#respond Mon, 02 Dec 2019 17:50:12 +0000 /blogs/?p=97656


Much has been said about the power of AI and how tomorrow’s CISO won’t be able to provide efficient cybersecurity without it.

The hype surrounding AI is based on both the quickening pace of natural language capability development and the current deficiency of capable and competent cybersecurity professionals.

A quick clarification of what AI is and to what extent it exists today may be useful before explaining the legal recognition it has today, including in the world of cybersecurity.

What is AI? Does it exist yet?

The term “artificial intelligence” is rather vague from a legal standpoint—and in the legal world, words tend to have a strong impact. For French people (and for most people around the world), the official definition of AI is as follows: “A theoretical and practical interdisciplinary field whose purpose is to understand the mechanisms of cognition and reflection, and their imitation by a material and software device, for purposes of assistance or substitution to human activities”.

AI now has full recognition of the EU Parliament as a result of the 2018/2088(INI) Motion on Comprehensive European Industrial Policy on Artificial Intelligence and Robotics, also known as the Ashley Fox Resolution, dated 12 February 2019 (Motion). Interestingly, this resolution specifically mentions the implications of AI for cybersecurity:

“Notes that cybersecurity is an important aspect of AI, especially given the challenges for transparency in high level AI; considers that the technological perspective, including auditing of the source code, and requirements for transparency and accountability should be complemented by an institutional approach dealing with the challenges of introducing AI developed in other countries into the EU single market”

So, with such official recognition, why do we read everywhere that real AI does not exist yet?

The argument made is that, although the goal is to replace the human being, AI may only provide augmented intelligence which assists the human being.

In fact, as far back as the 1956 Dartmouth Artificial Intelligence Conference, J. McCarthy said the conference was “to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it.”

More than 60 years later, machine learning is still not autonomous. But it does exist to a certain degree, and the capability of machine learning combined with the accumulation of today’s databases makes it possible to create algorithms capable of performing tasks that have never been automated before. AI, or at least a certain form of AI, is today part of our daily lives, and understanding this technology is essential so that it can be accepted and integrated into our societies.

In Part II of this blog, we’ll examine the economic, political and ethical challenges in the development of AI, particularly as they pertain to cybersecurity. 

The post Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part I appeared first on McAfee Blogs.

How to Ensure You Don’t Fall Victim to a Holiday Scam this Festive Season https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-ensure-you-dont-fall-victim-to-a-holiday-scam-this-festive-season/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-ensure-you-dont-fall-victim-to-a-holiday-scam-this-festive-season/#respond Mon, 02 Dec 2019 01:56:15 +0000 /blogs/?p=97649


If Benjamin Franklin were alive today, I have no doubt that he’d revise his famous quote: ‘Nothing can be said to be certain except death and taxes’ to include online holiday scams! For there is no question that online scammers and cybercriminals love the festive season! The bulk of us are time-poor, stressed, and sporting to-do lists as long as our arms – so cybercrims know it’s inevitable that some of us are going to take short cuts with our online safety and fall into their webs!

And McAfee research shows just that with over a third of Aussies having either fallen victim to or know someone who has been affected by a phishing scam in 2019. A phishing scam is when a scammer poses as a trustworthy entity (for example, a bank or government department) usually via email with the sole purpose of trying to extract sensitive information such as passwords, usernames and credit card details. And clearly, phishing is a very lucrative online trick as it was named as the worst scam of 2019!

Top Scams of 2019

Although phishing scams have taken out the top place for 2019, robocalling scams and shipping notification scams have also caused Aussies great pain this calendar year.

If you receive a phone call with a pre-recorded message that presents a grim scenario if you don’t take action then you’ve been robocalled! My family’s ‘favourite’ one from 2019 was the scam which delivered a pre-recorded message advising us that our phone line would be cut unless we spoke immediately to their technician. The Australian Telecommunications Ombudsman was overrun with complaints about this particular heist which backs up McAfee’s research that shows 32% of Aussies either fell victim to this scam, or knew someone who did.

Shipping notification scams have also caused Aussies grief this year with more than a 1/4 of us (26%) affected or in touch with someone who was. The meteoric rise of online shopping has meant that when many of us are notified about an impending delivery, we probably don’t stop to question its authenticity.

How Much Are Scams Costing Aussies?

In Australia, 1 in 10 scam victims (11%) have lost money as a result of being targeted by a scam. And a quarter of those affected have lost more than $500! Now, that’s a sizeable chunk of cash!

But in addition to an initial monetary sting, having your personal details ‘stolen’ via a scam may come back to haunt you later down the track. According to McAfee’s Advanced Threat Research (ATR), more than 2.2 billion stolen account credentials were made available on the criminal underground in just the first 3 months of 2019!

Cybercriminals Love the Holidays!

The holiday season is particularly stressful for consumers, and cybercriminals plan accordingly. Many of us ramp up our online shopping in the lead-up to the holiday period and, as our ‘to-do’ lists get longer, some of us will inevitably let our guard down online. And cybercriminals know this too well so consequently spend a lot of effort devising cunning schemes to take advantage of our corner-cutting.

Cybercriminals put a lot of effort into devising fake accounts and sites to target consumers around key holiday shopping periods however some Aussies aren’t aware of these ploys with 21% of the Aussies interviewed not aware scams like these existed.

How Can Consumers Stay Safe This Holiday Period?

I highly recommend that you (and your family members) take a little time this holiday period to shore up your online safety. Here are a few simple steps that consumers can take to protect themselves and avoid getting scammed this festive period:

  1. Think Before Clicking on Links

With phishing scams revealed to be the worst scam of the year, it is more important than ever to think before clicking on links. Instead of clicking on a link in an email, it is always best to check directly with the source to verify an offer or shipment.

  2. Passwords, Passwords, Passwords

With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. By using a different password for each shopping, media streaming or social media account, you can dramatically reduce this risk.

  3. Invest in Security Protection Software

Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

  4. Consider a Virtual Private Network (VPN)

A solution like McAfee Safe Connect with bank-grade encryption, private browsing services, and internet security will keep your information safe from cybercriminals – even when checking emails or online shopping on public Wi-Fi or open networks.

And finally beware bogus gift card scams! One new trend that is set to hit unsavvy consumers hard this holiday season is phoney gift cards, with McAfee’s ATR team seeing fake gift cards sold on the cybercriminal underground. Yet, despite the rise in this scam, 17 per cent of the survey respondents have never heard of bogus gift cards and over a quarter (26%) reported that they are not concerned about the threat. So, please spread the word and do your homework before buying gift cards!

Here’s to a Happy, Scam-Free Holiday Season!

The post How to Ensure You Don’t Fall Victim to a Holiday Scam this Festive Season appeared first on McAfee Blogs.

7 Ways to Wreck a Cybercrook’s Holidays https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/7-ways-to-wreck-a-cybercrooks-holidays/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/7-ways-to-wreck-a-cybercrooks-holidays/#respond Sat, 30 Nov 2019 15:00:44 +0000 /blogs/?p=97635


’Tis the season for giving and who better to give a giant headache to than the digital scammers working overtime to wreck our holidays? Can we spot and unravel every scam out there? Probably not. But, by taking a few minutes to get equipped to click, we can dodge common traps laid by cybercrooks and wreck their holidays before they get a chance to wreck ours.

Rock ‘Em Sock ‘Em Robo Calls

As informed as most of us may profess to be, American consumers continue to step into cyber traps every day. In fact, according to a recent McAfee survey, in 2019, 74% of those surveyed admitted to losing more than $100 in scams and almost a third (30%) losing more than $500. The survey also revealed that 48% of Americans have been or know someone who has been a victim of robocalling in 2019, making it the most prevalent scam of the year. Email phishing (41%) and text phishing (35%) are also tricks we fell for in 2019.

Cybercrooks call those stats a very happy holiday.

Are you equipped to click?

We can do our part to reduce these statistics. Before we all get distracted with shopping sprees or fall into sugar comas, call a family huddle. Discuss ways to avoid the digital traps and send cybercrooks into a maze of locked doors and dead ends. Here are a few ideas to get you started.

7 ways to wreck a cybercrook’s holidays

  1. Get real about cybercrime. Don’t sugar coat cybercrime for your kids. Here’s the truth: Over 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone, which puts a priceless amount of user data at risk. Crooks are targeting us. They are shopping the black web for stolen data to use in a variety of illegal ways. If we fail to lock our digital doors, the consequences can be emotionally and financially devastating and may last years.
  2. Shake up your passwords. Never use the same password. By uncovering one of your passwords, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. So change passwords often and use a variety, especially around the holidays when online shopping spikes.
  3. Verify emails. Slow down to examine emails. Instead of clicking on an email link, check directly with the source to verify an offer or shipment. Cybercriminals are getting very sophisticated. They are creating full websites that closely mimic brand retailers. Also, they are posing as friends, family, and colleagues in an attempt to get you to click a link that will download malicious malware onto your computer.
  4. Browse securely. Use a comprehensive security solution to help protect devices against malware, phishing attacks, and malicious websites.
  5. Use a tool to help protect your personal information. Take a proactive approach to help protect identities with personal and financial monitoring and recovery tools that help keep your identity secure.
  6. Verify shipments. Cybercrooks understand consumer habits. They know you’ve likely ordered from several online retailers, so they will exploit that and try to confuse you by sending bogus shipment notifications or reward you with “added offers.” The email will look legitimate. It will likely have a legitimate-looking email address and branding of the retailer or shipping company. Check directly with the source before clicking any link in an offer or shipment notification.
  7. Protect your identity. Criminals are on the prowl to find weak links anywhere personal data is kept — this includes credit card companies and banks. Get proactive in protecting your identity and the identities of your family members with personal and financial monitoring and recovery tools.

Even with the threats that exist around us, keep your sights fixed on the bigger picture. The holiday season is still merry and bright. People are still good. And, peace on earth — and in your home — is still possible this year. With a little foresight and a few cool tools, you are more than able to protect the things that matter most.

To stay informed on the latest digital news, trends, and family safety insights, subscribe to this and other McAfee blogs. Follow @McAfee_Family on Twitter to join the digital parenting conversation.

The post 7 Ways to Wreck a Cybercrook’s Holidays appeared first on McAfee Blogs.

Beat Black Friday Scammers: Secure Your Online Purchases From Fake Payment Processors | https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/fake-payment-processors-scam/ | Wed, 27 Nov 2019 16:52:19 +0000

They see you when you’re shopping, they know when you click “pay” – cybercriminals, that is. With Black Friday and Cyber Monday deals flooding the internet, malicious actors have many opportunities to exploit users rushing to purchase gifts for family and friends. And according to Ars Technica, thieves have devised a new way to steal payment-card data from online shoppers, just in time for the holiday shopping season.

So, what makes this particular scam different from other credit and debit card scams? Many e-commerce sites choose to offload payment card charges to third-party payment service platforms, or PSPs. However, cybercriminals have developed fake payment service platforms that closely resemble legitimate PSPs. Rather than infecting a merchant’s checkout page with malware that skims the information after the user has entered it, cybercriminals infect the merchant site by adding a line or two of code, which redirects the user to a fake PSP at the time of purchase.

Image provided by Ars Technica.

What makes this scam so stealthy? Apart from swapping legitimate payment processing sites with fraudulent ones, cybercriminals closely mimic the traits of real e-banking pages to further trick the user into believing that their purchase is secure. For example, the fake payment processing page validates each field as the user completes it and flags invalid entries, just as a real one would. Once the fake PSP collects the data, it redirects the unsuspecting user to the legitimate PSP, purchase amount included, having already stolen the victim’s information.

Payment-service platforms are common in the world of e-commerce, particularly for smaller websites that don’t have the resources to harden their servers against sophisticated attacks. As a result, users need to be on high alert for these malicious schemes. Check out the following tips to help prevent your data from being swiped by cybercriminals.

  • Be on the lookout for suspicious activity. This particular scam redirects users from the fake PSP back to the legitimate payment site after their information has already been accepted. If you’re being asked for personal or financial data more than once, the site has likely been infected with malicious code.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Use a comprehensive security solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection, which can help protect you from malware, phishing, and other threats.
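As an added example (not code from the McAfee post or from Ars Technica), here is a merchant-side audit for the injected-redirect technique described above: it parses a checkout page, flags any form action, script source or inline-script navigation whose host is neither the merchant nor its contracted PSP, and emits the matching Content-Security-Policy form-action directive. The allowlist, hostnames and sample page are all constructed for the example.

```python
"""Audit a checkout page for payment targets outside an allowlist.

Added example, not code from the post. Detects the technique the post
describes: a line or two of injected code that diverts the shopper from
the contracted payment service platform (PSP) to a look-alike one.
All hostnames and HTML below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the merchant's own host plus its contracted PSP.
ALLOWED_HOSTS = {"shop.example", "pay.example-psp.example"}

# Inline-script navigations: location.href = "...", location.replace("..."),
# location.assign("..."), window.location = "..."
_REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href|\.assign|\.replace)?\s*(?:=|\()\s*["']([^"']+)["']"""
)


class _CheckoutParser(HTMLParser):
    """Collect every place the page can send the shopper or load code from."""

    def __init__(self):
        super().__init__()
        self.targets = []          # (kind, url) in document order
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "script":
            if a.get("src"):
                self.targets.append(("script-src", a["src"]))
            else:
                self._in_script = True     # inline script: inspect its text

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            js = "".join(self._script_buf)
            self._script_buf = []
            for m in _REDIRECT_RE.finditer(js):
                self.targets.append(("js-redirect", m.group(1)))


def audit_checkout(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the targets whose host is not on the allowlist.

    Relative URLs stay on the merchant's origin and are accepted; anything
    with its own host (including scheme-relative //host/... URLs) must be
    on the allowlist.
    """
    parser = _CheckoutParser()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, url in parser.targets:
        parsed = urlparse(url.strip())
        if not parsed.scheme and not parsed.netloc:
            continue                       # relative: same origin
        host = (parsed.hostname or "").lower()
        if host not in allowed_hosts:
            findings.append({"kind": kind, "url": url, "host": host})
    return findings


def csp_form_action(allowed_hosts=ALLOWED_HOSTS):
    """Build a Content-Security-Policy form-action directive for the allowlist.

    form-action limits where form submissions may go; it does not stop a
    script that rewrites location, so keep auditing inline scripts as well.
    """
    sources = " ".join("https://" + h for h in sorted(allowed_hosts))
    return "form-action 'self' " + sources


# Constructed checkout page: a legitimate form plus a stand-in for the injected
# submit handler the post describes, which diverts the shopper elsewhere.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout" action="https://pay.example-psp.example/charge" method="post">
  <input name="card"><button>Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function (e) {
    e.preventDefault();
    location.href = "https://secure-payment-gateway.example/pay";
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_checkout(SAMPLE_CHECKOUT_HTML):
        print("OFF-ALLOWLIST {kind}: {url}".format(**f))
    print(csp_form_action())
```

Run against a live checkout page, the same check works as a periodic integrity monitor: any new off-allowlist target is the signal that the page has been altered.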

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Response Required: Why Identifying Threats With Your EDR Isn’t Enough | https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/response-required-why-identifying-threats-with-your-edr-isnt-enough/ | Mon, 25 Nov 2019 16:00:00 +0000

The perpetrator was a master of disguise, outfitting himself as an employee to bypass the extensive preventive security controls and flee with the contents of the vault. Fortunately, the building was equipped with strong detection security measures, and the burglar—unaware of the location of a laser tripwire—soon set off a silent alarm. A handful of the best-equipped and most experienced officers swarmed the building just minutes later, tracing the subject to a large storage area where they found him frantically digging through the large box of documents and cramming a few in his backpack.

While the other officers stood in the hallway at the ready, one began walking toward the perp, shouting “It’s all over, buddy. This is the end of the road.” The criminal, fear-stricken, turned to run. As he began to make his way toward a freight entrance, he was dumbfounded to hear only his own footsteps reverberating off the walls. He chanced a look back at the officer, who had not moved. “You thought you could run, but we found you! You’re under arrest!” the officer shouted, still not moving a muscle. Knowing something had to be going on, the criminal took this opportunity to hurriedly backtrack to the box and grab his ill-gotten loot. He looked back at the officer, who was still frozen in place.

The criminal looked incredulously at the officer, laughed and shook his head. Feeling no threat, he slowly shuffled out with his giant box of classified documents into the night.


The “R” Is There For A Reason

What is true in the world of police is also true in the world of cybersecurity: Detection means nothing without response. And not any response, but the right response.

EDR marketing materials focus heavily on their ability to detect the largest number of the newest threats in the least amount of time. But without a broad and well-developed set of response mechanisms in place, even the best detection abilities are of little use. Unlike, say, a legacy anti-virus product, EDR isn’t a “set it and forget it” technology—you can’t just put it on your network and call it a day. Your ability to adequately respond to threats depends on two factors: the analysts and their tools. Having capable analysts at the helm is vital, and not limiting them with inadequate tools is an equally important part of safeguarding your enterprise.


Response Options Must Be Extensive

What if our officer instead had access to a full range of response capabilities? Criminals are unpredictable, and it’s impossible to know ahead of time whether “Put your hands up!” will be sufficient, or whether you’ll need to call for backup, use a stun gun or give chase. The ability to determine the best response isn’t enough if you don’t have access to that response method.

So it goes in cybersecurity. The EDR market is sharply divided in terms of response capabilities, and the ability—or inability—to adequately respond should be a purchasing consideration. Any decent EDR will yield the necessary context and present it in a way that allows you to easily and quickly assess the situation. A good EDR will put a panoply of response capabilities at your fingertips. Should you kill the process? Restart the machine? Quarantine the box? The amount of flexibility offered can affect how quickly you’re able to handle the threat.

Ideally, according to a SANS Institute report, your EDR should have at least the following response options:
– Terminate running processes
– Prevent processes from executing based on name, path, argument, parent, publisher or hash
– Block specific processes from communicating on the network
– Block processes from communicating with specific host names or IP addresses
– Uninstall services
– Edit registry keys and values
– Shut down or reboot an endpoint
– Log users off an endpoint
– Delete files and directories

But what do you do when the specific response you need isn’t available out of the box? In this case, you need to be able to program your own script to perform a custom action or response. Many EDRs lack the technology to make this possible, but it’s an important thing to look for—just because your business needs don’t require it now, doesn’t mean it won’t in the future.

EDR: Excessively Delayed Reaction?

What if our officer can chase a suspect, but only in baby steps? What if he or she can call for backup, but it takes them 45 minutes to arrive?

Having every response ever conceived still isn’t enough if they cannot contain threats in time.

With attackers moving from initial compromise to action on objectives with increasing quickness, the old way of “reassign the ticket to IT” no longer cuts it—by the time IT notices the ticket, the attacker may already have gone.

It’s important to have at your disposal the best response. But when you don’t yet know what something is, your best response may not be your first response. In other words, sometimes you’re going to want to be able to quarantine the affected device(s) while you investigate and scope in order to limit the threat’s impact.

The ability for the EDR to integrate with existing workflows, rather than dictating those workflows, can also make a big difference. A lot of people look at MTTD (Mean Time To Detection)—but that’s only part of the story. A better indicator of an EDR’s effectiveness is MTTR (Mean Time To Response). According to SANS Institute analyst Jake Williams, enterprises that have orchestrated actions between detection and response have MTTR metrics that are both more favorable and more reliable.

There’s no shortage of EDR solutions on the market, at all levels of speed and capability. It’s worth making sure that yours offers as much in terms of response as it does in detection—remember, when you choose an EDR, you’re partnering with the technology that will serve and protect your enterprise. When the chips are down, are you going to have an EDR that can identify, track and eliminate a threat in time to prevent massive devastation?

In a future blog, we’ll explain how detection and response should work in parallel with prevention to safeguard your enterprise.

Want to learn more about what to look for—and watch out for—in an EDR? Click here to read “Why Traditional EDR Is Not Working—and What To Do About It.”

Could Your Child be Sexting? Signs to Look for and Ways to Respond | https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/could-your-child-be-sexting-signs-to-look-for-and-ways-to-respond/ | Sat, 23 Nov 2019 15:00:04 +0000

Oh, what we wouldn’t do to travel back in time to the days before smartphones kid-jacked our families, right? But here we are. Our kids are forever connected. And, it’s up to parents to help them navigate the risks — one of which is sexting.

Ouch. Even reading the word may make any parent want to click off this post and run. But don’t. Stay here. Keep reading. Yes, it’s a difficult thing to imagine that your child could be like those “other kids.” (You know, the unruly ones; the wild ones, the ones who must lack parental input and digital monitoring, right?)

But it happens. Good kids — great kids even — may bend the rules and eventually engage in sexting.

As one parent recently reminded us in this Direct Message on Twitter:

“I recently discovered my daughter has been sexting with her boyfriend. I’m still shaking over what I found. This is not like her at all. The worst part is she blew it off like it was no big deal! She says everyone does it, and I’m overreacting. Am I the crazy one here? Do a lot of kids do this? Please help. No clue what to do next.” ~ Minnesota Mom

Sexting stats

For Minnesota Mom, and others, here’s what we know.

Some, but not all, kids sext.

One of the latest and most comprehensive studies reveals that while adolescent sexting isn’t an epidemic, it’s still happening despite public campaigns to reduce it. In the study, published in the journal Archives of Sexual Behavior, Justin Patchin and Sameer Hinduja surveyed 5,593 American middle and high school students ages 12 to 17.

In summary, the study found:

  • 14% of middle and high school students had received a sexually explicit image from a boyfriend or girlfriend.
  • 6% said they received such an image from someone who was not a current romantic partner.
  • 11% reported sending a sext to a boyfriend or girlfriend.
  • 9% of the students who were asked by a current boyfriend or girlfriend to send a sext complied.
  • 43% of students asked to send a sext by someone who was not a current romantic partner complied.

No, mom, you aren’t crazy.

If you’ve discovered your child is sexting, don’t buy into the flippant (and erroneous) response that “everyone’s doing it.” For those kids who are engaged in sexting, your concerns are more than legitimate.

Sexting can carry enormous emotional, physical, social, and even legal risks. Also, if a situation gets out of hand (not often but it happens), those involved may never fully recover emotionally.

Some signs of sexting

  • Increased secrecy. If your daughter (or son) is sexting, they may become overly protective of their cell phone and hide their screen from public view. They may sleep with their phones under their pillows to safeguard their contents.
  • Grade changes. Grades may drop as risky behaviors edge out day to day responsibilities.
  • Friend changes. If you check your child’s social accounts and notice an increase in flirty photos and language or friends who do the same, it could be a sign of risky digital behavior.
  • Spike in screen time. You may notice your tween or teen on the phone more, leave the room to talk or text, and insist on using their phone from a private place.
  • Anger, defensiveness. While kids may try to rationalize or normalize sexting, your child knows sending a racy photo on a device is risky. Hiding that behavior can cause anger and defensiveness. Your child also likely knows about the specific risks associated with sexting — things like sextortion (pressuring, threatening), revenge porn (sharing to humiliate), bullying, a wrecked reputation, anxiety, and depression. However, she may be in denial that the consequences apply to her personally.

How to respond

Don’t lose your cool or shame your child. Today’s digital teen culture is something parents haven’t experienced. Peer pressure plays a significant role in sexting. Girls may sext to compete for and win someone’s approval, to prove loyalty or love, or as relational insurance. Boys can be bullied or shamed by male peers if they don’t have girls sexting them.

Keep in mind: What the teenage brain believes to be a good idea at 15 isn’t likely to align with that of a parent. Coming-of-age behaviors in the digital era do not look like they did decades ago. So getting angry, shaming, or getting extreme with restrictions, may not be as useful as working together to figure out why your child is sexting, why it isn’t wise, and how to avoid doing it in the future.

Act quickly. If you discover your child is sexting, immediately remove all suggestive images from your child’s phone and be aggressive about getting them deleted from anyone else’s devices. Sexting will often end between the participants without incident. Other situations can escalate. Every situation will be different. Gather all the facts and carefully consider bringing other people into the situation. State laws vary, and sexting allegations can have profound consequences. Some options may be to 1) talk to the other kids or parents involved, 2) speak to the school (if relevant), 3) contact the police (if a situation evolves to conflict or threats), 4) pursue legal action (if applicable), or 5) seek counseling if a situation causes anxiety or depression for your child.

Teach responsibility; consider filtering. Teaching digital responsibility is one of the top tasks of parents today. And, a healthy parent-child relationship is the best way to equip your child to deal with and avoid sexting. In addition to discussing the risks, put time limits and phone curfews in place, and consider protecting your family devices with parental controls.

Be proactive. Sexting is a tough but necessary conversation. Start talking to your kids at a young age about the importance of protecting their privacy — information, images, reputation — online. Get specific about what kind of content is okay and not okay to share. Have age-appropriate conversations on how to avoid the temptation of sexting and possible consequences. This handbook from Common Sense Media is an excellent resource as you approach the sexting discussion.

Make the consequences clear. Work together to create ground rules for responsible phone use that include clear consequences. Be prepared to enforce those consequences. If you say you will take away a phone for a week that isn’t used responsibly, be prepared to do that (even if you have to endure not being able to communicate with your child throughout the school day).

Parenting in the digital age certainly isn’t for the faint of heart. Kids are always one poor choice away from an emotional avalanche. Find different ways to let your kids know you are there for them — without condition — to listen, to counsel, and to help them work through any difficult situation.

2.2 Million Users Affected By Latest Data Exposure: 4 Tips to Stay Secure | https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/gatehub-epicbot-data-exposure/ | Fri, 22 Nov 2019 17:11:56 +0000

The digitalization of data allows it to move effortlessly and be accessed from devices and places around the world within a matter of seconds. This also makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a variety of reasons. However, not all of these purposes are well-intentioned. More often than not, cybercriminals use the abundance of digital data to their advantage. According to Ars Technica and security researcher Troy Hunt, password data and other personal information belonging to as many as 2.2 million users of two websites – a cryptocurrency wallet service and a gaming bot provider — has been posted on the Dark Web.

What information is included in these databases? The first data haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The cybercriminal who posted this 3.72GB database stated that it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes. The second haul contains data for about 800,000 accounts on RuneScape’s bot provider EpicBot, including usernames and IP addresses. Both databases include registered email addresses and hashed passwords.

So, what lessons can we learn from this data dump and what can we do to help secure our information? Check out the following security tips to help protect your digital data.

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data.
  • Watch out for other cyberattacks. Be on high alert for other malicious attacks where cybercriminals could use stolen credentials to exploit users, such as spear phishing.
  • Check to see if you’ve been affected. If you or someone you know has a GateHub or EpicBot account, use this tool to check if you could have been potentially affected.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The AI (R)evolution: Why Humans Will Always Have a Place in the SOC | https://securingtomorrow.mcafee.com/blogs/enterprise/the-ai-revolution-why-humans-will-always-have-a-place-in-the-soc/ | Wed, 20 Nov 2019 16:00:30 +0000

In cybersecurity, the combination of men, women and machines can do what neither can do alone — form a complementary team capable of upholding order and fighting the forces of evil.

The 20th century was uniquely fascinated with the idea of artificial intelligence (AI). From friendly and helpful humanoid machines — think Rosie the Robot maid or C-3PO — to monolithic and menacing machines like HAL 9000 and the infrastructure of the Matrix, AI was a standard fixture in science fiction. Today, as we’ve entered the AI era in earnest, it’s become clear that our visions of AI were far more fantasy than prophecy. But what we did get right was AI’s potential to revolutionize the world around us — in the service of both good actors and bad.

Artificial intelligence has revolutionized just about every industry in which it’s been adopted, including healthcare, the stock markets, and, increasingly, cybersecurity, where it’s being used to both supplement human labor and strengthen defenses. Because of recent developments in machine learning, the tedious work that was once done by humans — sifting through seemingly endless amounts of data looking for threat indicators and anomalies — can now be automated. Modern AI’s ability to “understand” threats, risks, and relationships gives it the ability to filter out a substantial amount of the noise burdening cybersecurity departments and surface only the indicators most likely to be legitimate.

The benefits of this are twofold: Threats no longer slip through the cracks because of fatigue or boredom, and cybersecurity professionals are freed to do more mission-critical tasks, such as remediation. AI can also be used to increase visibility across the network. It can scan for phishing by simulating clicks on email links and analyzing word choice and grammar. It can monitor network communications for attempted installation of malware, command and control communications, and the presence of suspicious packets. And it’s helped transform virus detection from a solely signature-based system — which was complicated by issues with reaction time, efficiency, and storage requirements — to the era of behavioral analysis, which can detect signatureless malware, zero-day exploits, and previously unidentified threats.

But while the possibilities with AI seem endless, the idea that it could eliminate the role of humans in cybersecurity departments is about as far-fetched as the idea of a phalanx of Baymaxes replacing the country’s doctors. While the end goal of AI is to simulate human functions such as problem-solving, learning, planning, and intuition, there will always be things that AI cannot handle (yet), as well as things AI should not handle. The first category includes things like creativity, which cannot be effectively taught or programmed, and thus will require the guiding hand of a human. Expecting AI to effectively and reliably determine the context of an attack may also be an insurmountable ask, at least in the short term, as is the idea that AI could create new solutions to security problems. In other words, while AI can certainly add speed and accuracy to tasks traditionally handled by humans, it is very poor at expanding the scope of such tasks.

There are also tasks that humans currently excel at and that AI could potentially perform someday. But these are tasks in which humans will always have a sizable edge, or that AI shouldn’t be trusted with. This list includes compliance, independently forming policy, analyzing risks, and responding to cyberattacks. These are areas where we will always need people to serve as a check on AI systems’ judgment, verify their work, and help guide their training.

There’s another reason humans will always have a place in the SOC: to stay ahead of cybercriminals who have begun using AI for their own nefarious ends. Unfortunately, any AI technology that can be used to help can also be used to harm, and over time AI will be every bit as big a boon for cybercriminals as it is for legitimate businesses.

Brute-force attacks, once on the wane due to more sophisticated password requirements, have received a giant boost in the form of AI. The technology combines databases of previously leaked passwords with publicly available social media information. So instead of trying to guess every conceivable password starting with, say, 111111, only educated guesses are made, with a startling degree of success.

Are Smart Padlocks Secure Enough to Protect Your Packages? | https://securingtomorrow.mcafee.com/blogs/consumer/hackable/are-smart-padlocks-secure-enough-to-protect-your-packages/ | Tue, 19 Nov 2019 18:40:34 +0000

“Hackable?” host Geoff Siskind likes to shop online. A lot. What he doesn’t like is how often his packages are stolen from his front porch. Desperate for a solution, he’s intrigued by smart padlocks that promise to protect packages. But after five seasons of hosting “Hackable?” Geoff is skeptical that anything smart is also secure.

On the latest episode, he joins McAfee’s Advanced Threat Research team to learn if what looks like a foolproof way to secure your packages may, in fact, turn out to be anything but. Is a smart lockbox enough to deter digital porch piracy? Or is this episode’s white-hat hacker able to pick the lock without breaking a sweat?

This Holiday Season, Watch Out for These Cyber-Grinch Tricks | https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-season-tricks-survey-us/ | Tue, 19 Nov 2019 05:01:38 +0000

Whether it be that their shoes are too tight, their heads aren’t screwed on just right, or they’re expressing a little bit of “Bah Humbug,” cyber-grinches and cyber-scrooges everywhere view the holiday season as a perfect opportunity to exploit users. In fact, McAfee recently conducted a survey of over 1,000 adults over the age of 18 in the U.S. from October 10-20, 2019 to shed light on the types of scams they encountered this year. Let’s take a look at how criminals are attempting to steal the fun of the holiday season with various scams.

Ribbons, Wrappings, and Robocalls

The survey revealed that 48% of Americans have been a victim of or know someone who has been a victim of robocalling in 2019, making it the most prevalent scam of the year. Respondents also reported that they had been targeted with email phishing (41%) and text phishing (35%) in 2019. Another popular trend this year among these crooks? What’s old is new again. While cybercriminal activity has become increasingly sophisticated over the years, survey results showed that these less sophisticated scams of Christmas are still a popular avenue for cybercriminals to exploit.

Combined, all these scams have left quite a financial impact. 74% of respondents admitted to losing more than $100 to these scams, while 30% lost more than $500. What’s more, over 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone, posing an even greater threat to users’ data.

Between all the threats stemming from these cyber-grinches and cyber-scrooges, scams have the potential to haunt users’ digital past, present, and future. Which begs the question – what should users do? They can start by first reading McAfee’s own Christmas Carol:

Be on the Lookout for These Cyber-Grinch Tricks

While most users believe that cyber-scams become more prevalent during the holidays, a third don’t actually take any steps to change their online behavior. In fact, by cutting some corners to pave the way for holiday fun, users may be putting themselves at more risk than they realize. While using devices and apps for tasks like holiday shopping, streaming TV shows, and food delivery services, users are sharing more personal information than ever before. By targeting these popular apps, cybercriminals can collect and store key data, including home addresses, credit card information, and account passwords that they can use for future attacks.

Another trend that’s set to hit unsavvy users this holiday season is phony gift cards, with McAfee’s Advanced Threat Research team discovering phony gift cards sold on the cybercriminal underground. However, the survey found that only 43% of respondents are aware of fake gift cards as a threat. What’s more, users are also failing to check shopping websites, with over one-third (37%) of respondents admitting that they don’t check an email sender or retailer’s website for authenticity. By not being mindful of these grinchy tricks, users open themselves up to many avenues of exploitation.

Securing Your Holiday Season

We must stop these Christmas scams from coming, but how? To help ensure a cyber-grinch doesn’t put a damper on your holiday season, check out the following security tips.

  • Never reuse passwords. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. Ensure that all of your passwords are complex and unique.
  • Go directly to the source. Instead of clicking on a link in an email, it’s always best to check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.
  • Use a tool to help protect your personal information. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post This Holiday Season, Watch Out for These Cyber-Grinch Tricks appeared first on McAfee Blogs.

‘Tis the Season for Cybersecurity: Stay Protected This Holiday Season https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-scam-cybersecurity-survey/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-scam-cybersecurity-survey/#respond Tue, 19 Nov 2019 05:01:05 +0000 https://securingtomorrow.mcafee.com/?p=97393

It’s beginning to look a lot like the holiday season – and with the holidays comes various opportunities for cyber-scrooges to exploit. While users prepare for the festivities, cybercriminals look for opportunities to scam holiday shoppers with various tricks. To shed more light on how these crooks are putting a damper on users’ holiday season, McAfee surveyed over 8,000 adults over the age of 18 across multiple countries from October 10-20, 2019 on the types of scams they’ve encountered this year.

The Scams of Christmas Past

Cyber-scrooges have upped the ante over the years, using more sophisticated measures to adapt to consumers’ evolving digital lifestyles. However, scams of Christmas Past are still haunting users today, as global findings indicate that email and text phishing are still prevalent. For example, the percentage of respondents stating that they still experience email phishing ranges from 25% in India to a whopping 42% in France. Respondents stating that they still experience text phishing ranged from 21% in India to 35% in Australia.

Additionally, robocalling has seen an increase in popularity in 2019. Fifty-one percent of respondents in France stated that they still receive robocalls, as did 48% of respondents in the U.S. and 32% of Australians, while 34% of respondents in Spain and 33% in Germany claimed that they have fallen victim to robocalls.

The Scams of Christmas Present

During the holidays, cyber-scrooges are likely to further exploit scams of Christmas Present to take advantage of users’ generosity. For example, several survey respondents in the U.K., France, Germany, Spain, Australia, India, and Singapore stated that they had fallen victim to fake charity scams in 2019. Knowing that many people enjoy making donations during this time of year, cybercriminals will likely pose as a charity online as a ploy to collect financial data and money from unsuspecting users.

Since many people do a lot of their holiday shopping online, users should also beware of shipping notification scams, as respondents in the U.K., Spain, Australia, India, and Singapore have fallen victim to these scams throughout this year. This scam, along with all those of Christmas Past and Present, proves that as people continue to adopt technology into their everyday lives, they are in turn giving cybercriminals more opportunities to exploit during the holiday season.

The Scams of Christmas Future

Whether it be email phishing or fake charity scams, users must stay updated on common cyber-scrooge practices to help protect their personal and financial data. As more data and user credentials are gathered from breaches, cybercriminals are looking to take their business to the next level and leverage more advanced techniques. For example, the cybercriminal underground poses a threat to users with more than 2.2 billion stolen account credentials made available for purchase in Q1 2019. These crooks will likely continue to sell and share user data across the Dark Web for the possibility of more profit.

Cybercriminals will also leverage data collected from breaches to better understand which users to target and how they can easily target them with social engineering and AI (artificial intelligence). Most users will probably ignore a call from an unknown number, but what about a call from a family member? Cybercriminals will create more sophisticated scams by including a family member’s caller ID in the hopes of exploiting users through more personal engagement.

Attacks will not only likely grow in sophistication but in volume in the future as well. From interactive speakers to IP cameras to other internet-connected devices like thermostats and appliances — IoT devices have greatly increased the attack surface. As we see an increase in the volume of devices going into homes with a lack of security controls built-in, cybercriminals will likely focus on exploiting consumers through these gadgets. The good news? As we look ahead towards the scams of Christmas Future, we can also work to better prepare our networks and devices before we fall into cybercriminals’ traps.

Even though users believe that cyber-scams become more prevalent during the holiday season, a third don’t actually take steps to change their online behavior. To help ensure your holiday season goes off without a hitch, follow these tips to help stay secure:

  • Say so long to robocalls. Consider downloading the app Robokiller that will stop robocalls before you even pick up. The app’s block list is constantly updating, so you’re protected. Let all other unknown calls go to voicemail and never share personal details over the phone.
  • Go directly to the source. Be skeptical of emails or texts claiming to be from companies or charities with peculiar asks or messages. Instead of clicking on a link within the email or text message, it’s best to go straight to the company’s website or contact customer service.
  • Hover over links to verify the URL. If someone sends you an email with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection can help your holiday shopping spree go smoothly by providing safe web browsing, virus protection, and more.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post ‘Tis the Season for Cybersecurity: Stay Protected This Holiday Season appeared first on McAfee Blogs.

Threat Hunting or Efficiency: Pick Your EDR Path? https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/threat-hunting-or-efficiency-pick-your-edr-path/ https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/threat-hunting-or-efficiency-pick-your-edr-path/#comments Tue, 12 Nov 2019 15:00:53 +0000 https://securingtomorrow.mcafee.com/?p=97369

“Do You Want It Done Fast, Or Do You Want It Done Right?” “Yes.”

“Help out more with our business objectives.” “Cover an increasing number of endpoints.” “Cut budgets.” “Make it all work without adding staff.”

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Unfortunately, traditional EDR solutions have made accomplishing both of these goals (and in some cases, even one or the other!) difficult, if not impossible. According to the study, gaps in EDR capabilities have created pain points for 83% of enterprises. For instance, while 40% of enterprises consider threat hunting a critical requirement, only 29% feel their current EDR solutions fully meet that need. On an even more basic level, 36% worry their EDR solution doesn’t surface every threat that breaks through—while an equal number of respondents say the alerts that are surfaced by their EDR are frequently not relevant or worth investigating.

These numbers clearly show there’s a lot of room for improvement, but at the same time, these two goals seem to be less than complementary. How would you choose to try and meet them?

Scenario 1: The Status Quo

Your team continues utilizing their traditional EDR solution on its own.

You lose points in efficiency out of the gate—according to Forrester, 31% of companies say that the systems are so complex, their junior staff lack the skillset to triage and investigate alerts without senior staff.

The number of alerts output by traditional EDR solutions will cost you efficiency in another way: another 31% of respondents say their teams struggle to keep up with the volume of alerts generated by their EDRs.

On the threat detection side, you’re not starting out with a perfect score, either: Again, keep in mind that more than a third of respondents believe that, even with this large volume of alerts, not everything is being caught.

As a baseline, let’s assume you’re starting out with a 7 in Threat Detection, and a 3.5 in Efficiency.
You’re still a long way from meeting your goals. Let’s look at our options.

Do you want to:

  • Add more staff members
  • Bolt on more software
  • Hire an MDR

Scenario 2: Add more staff members

With efficiency seeming such a far-off goal, your team decides to focus its efforts on threat detection. To help manage the number of alerts, you hire two new employees. You still have every bit as much noise coming from your EDR, and it still isn’t catching everything, but your team has marginally more ability to triage and respond to threats. You gain a point for threat detection, but a look at your department budget sheet shows your efficiency score is basically shot.

Final Score: 8 in Threat Detection, and a 2 in Efficiency.

Scenario 3: Bolting On More Software

Other businesses are taking a different tack. They’re keeping their traditional EDR solution, but they’re also bolting on more point solutions to help catch things that fall through the cracks. If you choose to go this route, your threat detection capabilities go up … but between all the duplicate alerts, separate interfaces, and near complete lack of integration, your team is critically bogged down. With junior staff able to triage just 31 percent of alerts on traditional EDR systems, senior analysts are having to manage all the alerts on all the interfaces on their own.

All this software isn’t cheap, and you’re losing time in both training in all of it, and in switching back and forth. Meanwhile, the solutions that were supposed to improve your threat detection capabilities are doing so … somewhat … but with things falling through the cracks amidst the chaos and analyst fatigue setting in, you wouldn’t know it.

Final Score: 7.5 in Threat Detection, 1.5 in Efficiency.

Scenario 4: Partnering with an MDR

You don’t want to hire any more staff—and even if you did, there aren’t many to hire. So instead you hire a Managed Detection and Response (MDR) provider to do what your EDR should be doing, but isn’t. You partner with the most reputable MDR you can find, and you’re confident that between what you’re doing and what they’re doing, there isn’t much getting past you. But you’re also paying twice to get a single set of capabilities.

Final Score: 9 in Threat Detection, 1 in Efficiency

Clearly, it’s time to try something new

  • I want to improve my efficiency with my current EDR!
  • I want to try something better.

Scenario 5: Improving efficiency with current EDR

How do you make a first-gen EDR more efficient? You don’t. In other words, if you want to get more out of an EDR that doesn’t utilize the latest technologies, the only adjustments you can make here have to come from your team. If you could get more threat detection mileage out of the same number of team members, your efficiency level would naturally rise.

Initial Score: 8 in Threat Detection, 4 in Efficiency

But as you soon find out, the mandatory late nights and your “you’d better step it up or else!” attitude aren’t exactly doing wonders for morale. With cybersecurity professionals in high demand everywhere, it isn’t long before you’re down at least one team member. Now you have 4 team members doing the work of 5. Which sounds decent …

Intermediate Score: 6 in Threat Detection, 6 in Efficiency

… until an enterprising hacker takes note of your shorthandedness and targets you, hoping to use your situation to their advantage. Unfortunately, not only do you have a highly imperfect traditional EDR system and four employees trying to do the work of five … you have four disgruntled employees trying to do the work of five. According to IDC, in organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours). Guess which camp your team falls into?

Before long, your company is brought to its knees by a major attack. The press is all over it, and confidence in your company plummets. Your company’s reputation might recover … eventually … but things aren’t looking so good for you.

Final Score: Game Over.

Scenario 6: I want to try something better.

You’ve heard from your friends and colleagues about what doesn’t work. And, of course, you’ve read the horror stories. But you’re still left with two disparate goals. What if there was a way to increase threat detection capabilities without hiring more personnel, outsourcing what your EDR should be able to handle but isn’t, or creating a system with more bolts than Frankenstein’s monster?

According to Forrester, there is a way to bridge the goals of greater efficiency and better threat detection. With AI-guided investigation, your junior analysts will be able to triage threats like your more seasoned analysts, freeing your senior analysts to focus on mission-critical tasks. And with less noise, your team will be free to focus on more of the right alerts.

Survey respondents backed this up: 35 percent believe AI-guided investigations will lead to fewer breaches, and 52 percent think they’ll lead to improved efficiency. Mission accomplished.

Final Score: You=1, Hackers=0.

To read more about how AI-guided investigation can help revolutionize your SOC, click here.

The post Threat Hunting or Efficiency: Pick Your EDR Path? appeared first on McAfee Blogs.

It’s Beginning to Look a Lot Like Holiday Shopping: Secure Your Black Friday & Cyber Monday Purchases https://securingtomorrow.mcafee.com/blogs/consumer/black-friday-cyber-monday-safe-online-shopping/ https://securingtomorrow.mcafee.com/blogs/consumer/black-friday-cyber-monday-safe-online-shopping/#respond Mon, 11 Nov 2019 14:00:57 +0000 https://securingtomorrow.mcafee.com/?p=97282

As we gear up to feast with family and friends this Thanksgiving, we also get our wallets ready for Black Friday and Cyber Monday. Black Friday and Cyber Monday have practically become holidays themselves, as each year they immediately shift our attention from turkey and pumpkin pie to holiday shopping. Let’s take a look at these two holidays, and how their popularity can impact users’ online security.

The Origins of the Holiday Shopping Phenomenon

You might be surprised to find out that the term “Black Friday” was first associated with a financial crisis, not sales shopping. According to The Telegraph, the U.S. gold market crashed on Friday, September 24, 1869, leaving Wall Street bankrupt. It wasn’t until the 1950s that Black Friday was used in association with holiday shopping when large crowds of tourists and shoppers flocked to Philadelphia for a big football game. Because of all the chaos, traffic jams, and shoplifting opportunities that arose, police officers were unable to take the day off, coining it Black Friday. It wasn’t until over 50 years later that Cyber Monday came to fruition when Shop.org coined the term as a way for online retailers to participate in the Black Friday shopping frenzy.

Growth Over the Years

Since the origination of these two massive shopping holidays, both have seen incredible growth. Global interest in Black Friday has risen year-over-year, with 117% average growth across the last five years. According to Forbes, last year’s Black Friday brought in $6.2 billion in online sales alone, while Cyber Monday brought in a record $7.9 billion.

While foot traffic seemed to decrease at brick-and-mortar stores during Cyber Week 2018, more shoppers turned their attention to the internet to participate in holiday bargain hunting. Throughout this week, sales derived from desktop devices came in at 47%, while mobile purchases made up 45% of revenue and tablet purchases made up 8% of revenue.


So, what does this mean for Black Friday and Cyber Monday shopping this holiday season? Adobe Analytics projects that Thanksgiving and Black Friday will bring in $12.3 billion in online sales and Cyber Monday will bring in $9.48 billion. If one thing’s for sure, this year’s Black Friday and Cyber Monday sales are shaping up to be the biggest ones yet for shoppers looking to snag some seasonal bargains. However, the uptick in online shopping activity provides cybercriminals with the perfect opportunity to wreak havoc on users’ holiday fun.

Holiday Bargain or Shopping Scam?

Inherently, Black Friday and Cyber Monday are pretty similar, with the main difference being where users choose to shop. While Black Friday sees a mix of online and in-store shoppers, most consumers will participate in Cyber Monday sales from their mobile phones or desktops at work. Plus, with mobile Cyber Week sales increasing year over year, it’s clear that users are gravitating towards the convenience of shopping on the go. However, the increase in mobile online shopping also creates an opportunity for cybercriminals to exploit. The latest McAfee Mobile Threat Report revealed a huge increase in device backdoors, fake apps, and banking trojans. With more and more users turning to their smartphones this holiday shopping season, they are in turn potentially subject to a wide variety of mobile cyberattacks.

Another threat to users’ holiday shopping sprees? Rushed purchases. Thanks to a later Thanksgiving, Cyber Monday falls on December 2nd, leaving users with one less shopping week between Turkey Day and Christmas. Because of this time crunch, many users are feeling pressured to get their holiday shopping done in time and might forego some basic cybersecurity practices to speed up the online shopping process. This includes not checking online retailer authenticity, falling for fake Black Friday deals, and hastily giving up more personal information than necessary, all in the interest of jumping on a sale before it’s too late.

How to Stay Secure This Holiday Season

In the blur of the holiday shopping frenzy, how can you help protect your personal information online? Before whipping out your credit card this Black Friday and Cyber Monday, check out these cybersecurity tips to ensure your holiday shopping spree goes off without a hitch:

  • Look for the lock icon. Secure websites will start with “https,” not just “http.” Double-check that you see the padlock icon right next to the web address in your browser. If you don’t, it’s best to avoid making purchases on that website.
  • If you can help it, shop on your desktop. Although shopping on a smartphone allows you to make purchases on the go, this opens you up to threats like mobile malware and fake shopping apps. Additionally, URLs are often shortened on mobile devices, making it easier for scammers to trick you with clone websites.
  • Ask the critics. Cybercriminals will often create fake websites to try and exploit users looking to get in on the Black Friday and Cyber Monday action. If you’re unsure about a product or retailer, read lots of reviews from trusted websites to help see if it’s legitimate.
  • Be on the lookout for suspicious websites. Misspellings and grammatical errors are often a sign that it’s a rip off of a legitimate site. If the site’s content looks a little rough around the edges, this is probably a sign that it was created by a cybercriminal.
  • Don’t be too optimistic. Beware of bogus Black Friday and Cyber Monday deals with fake “free” offers. If you spot an ad online that seems too good to be true, chances are it probably is.
  • Use a comprehensive security solution. Using a solution like McAfee LiveSafe can help your holiday shopping spree go smoothly by providing safe web browsing, virus protection, and more. Check out our own special Cyber Week Offer here.

Looking for more security tips and trends? Be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post It’s Beginning to Look a Lot Like Holiday Shopping: Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blogs.

Sadfishing, Deepfakes & TikTok: Headlines You May Have Missed https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/sadfishing-deepfakes-tiktok-headlines-you-may-have-missed/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/sadfishing-deepfakes-tiktok-headlines-you-may-have-missed/#respond Sat, 09 Nov 2019 15:00:32 +0000 https://securingtomorrow.mcafee.com/?p=97330

Technology trends move fast and the digital newsfeeds run non-stop. No worries, we’ve got your backs, parents. Here are three important headlines you may have missed about some of the ways kids are using their devices and how you can coach them around the risks.

What’s Sadfishing and is Your Child Doing it Online?

Sadfishing is the act of someone making exaggerated claims about their emotional problems to generate sympathy from other people online. The concept of sadfishing surfaced when some alleged that celebrity influencers Justin Bieber and Kendall Jenner were engaging fans in a form of sadfishing, which then sparked others to follow suit. The practice is growing to the extent that a recent Digital Awareness UK report, based on interviews with 50,000 schoolchildren, says sadfishing could be damaging teenagers’ self-esteem and leading to bullying.

The risks: Young people who post emotionally-heavy content could be bullied by peers who see a vulnerable post as an empty bid for attention. But here’s where things get murky. Is a person sadfishing for attention or could that person truly be in crisis? Unless you are a professional, there’s no definite way to know since online interactions tend to lack context. For that reason, professionals say that alarming posts should be taken seriously, and everyone should become familiar with how to help someone in an emotional crisis online.

Talking points: Browsing posts and comments on your child’s social feeds is one way to see if your child is sadfishing. Coach your kids on how to express themselves online and to carefully consider the deeper intent of a confessional post before sharing. Encourage your child to consider these questions themselves before posting:

  • What am I hoping to achieve with this post?
  • Could I work out this issue more effectively if I confided it to a friend or family member face-to-face?
  • Should I journal my feelings privately before sharing them online?

Deepfakes: What Your Family Needs to Know

A deepfake is a video created using artificial intelligence to show real people doing and saying things they never did. Deepfakes can be humorous (like the political deep fakes circulating) or harmful. Deepfakes are on the rise because free apps such as FakeApp and DeepFaceLab allow any amateur to manipulate videos.

The risks: It’s getting tougher to discern real from fake videos, which means that misinformation spreads quickly, as does the fallout. Deepfakes can destroy a person’s reputation, spread fake pornography videos, alter election outcomes, or even impact the stock market. Stay tuned for updates; the topic of AI and deepfakes is getting more complex and risky every day.

Talking points: Digital literacy is now a pillar of modern parenting. Teaching kids how to evaluate online information is critical, especially with the rapid growth of AI. Discuss deepfake technology with your kids. Use this Deep Fake overview video to help them understand how the technology works. Explore the topic of personal responsibility online and the ethics of creating misleading content. To spot deepfakes, look for things in a video such as a lack of eye blinking, shadows or borders that seem wrong, mismatched skin tones, and lip movement that is slightly out of sync with the person’s words.

TikTok App Obsession (and Safety Concerns) on the Rise

TikTok, the looping short-form video app owned by Chinese company ByteDance and wildly popular with teens, is back in the news for several reasons. Recently U.S. Senators asked the Intelligence Committee to look into whether the Chinese-owned app poses a security risk to the United States. Also, a BBC investigation found that TikTok failed to remove cyber predators from the app who were sending sexually explicit messages to children. And, lastly, reports in the Wall Street Journal claim that Islamic State militants have been posting short propaganda videos to TikTok as part of a recruitment effort.

Risks: In addition to online predators, TikTok app users can share inappropriate content such as talk about sex, alcohol, drugs, and girls wearing suggestive clothing. There’s also the risk of posting regrettable content, data mining (an issue in the past for TikTok), and, as with any app, there’s the very real (and reported) issue of cyberbullying.

Talking points: Anyone over the age of 13 can open a TikTok account, but it’s widely known that elementary-aged kids have accounts. If your child wants a TikTok account, consider downloading the app and looking around. After you’ve explored, discuss why age controls are in place, and consider putting comprehensive parental controls on your family devices. Review the most current device and app safety practices. The National Society for the Prevention of Cruelty to Children (NSPCC) has a great online safety acronym to guide family discussions called TEAM:

  • Talk about staying safe online
  • Explore the online world together
  • Agree on rules about what’s OK and what’s not
  • Manage your family’s settings and controls.

Keeping up with the online trends your kids gravitate to is one of the most important things you can do to keep your family conversations relevant and keep your kids safe online. To stay updated on all of the latest family and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and get even more family safety insights on Facebook.

The post Sadfishing, Deepfakes & TikTok: Headlines You May Have Missed appeared first on McAfee Blogs.

Spanish MSSP Targeted by BitPaymer Ransomware https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/#respond Fri, 08 Nov 2019 12:00:53 +0000 https://securingtomorrow.mcafee.com/?p=97348

The post Spanish MSSP Targeted by BitPaymer Ransomware appeared first on McAfee Blogs.

Initial Discovery

This week the news broke that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new but, by interacting with one of the cases in Spain, we want to highlight in this blog how well prepared and targeted an attack can be and how it appears to be customized specifically against its victims.

In general, ransomware attacks are mass-spread attacks where adversaries try to infect many victims at the same time and cash out quickly. However, this has changed significantly over the past two years, with more and more ransomware attacks going after high-value targets in all kinds of sectors.

Victims are infected with a different type of malware before the actual ransomware attack takes place. It looks like adversaries use this infection base to select or purchase the most promising victims for further exploitation and ransomware, similar to how the sale of Remote Desktop access on underground forums or private Telegram channels is used to select victims for ransomware attacks.

In the following paragraphs, we will take you step by step through the modus operandi of the attack stages and the most important techniques used, mapped against the MITRE ATT&CK Framework.

The overall techniques observed in the campaign and flow visualization:

Technical Analysis

The overall campaign is well known in the industry and the crew behind it has come back to the scene, reusing some of the TTPs observed one year ago and adding new ones: privilege escalation, lateral movement and internal reconnaissance.

Patient 0 – T1189 Drive-by Compromise

The entry point for these types of campaigns is a URL that leads the user to a fake website (if the website is compromised) or a legitimate page (if the actors decided to use a pay-per-install service), combined with social engineering techniques. The user is tricked into downloading the desired application, which uses frameworks like Empire or similar software to download and install the next-stage malware which, in this case, is Dridex.

First infection – T1090 Connection Proxy

These types of attacks are not limited to one type of malware; we have observed them being used by:

  • Azorult
  • Chthonic
  • Dridex

It is currently unclear why one would select one malware family above the other, but these tools allow for remote access into a victim’s network. This access can then be used by the actor as a launchpad to further exploit the victim’s network with additional malware, post-exploitation frameworks or the access can be sold online.

For quite some time now, Dridex’s behavior has changed from its original form. Fewer Dridex installs are linked to stealing banking information and more Dridex infections are becoming a precursor to a targeted ransomware attack.

This change or adaptation is something we have observed with other malware families as well.

For this campaign, the Dridex botnet used was 199:

Information Harvesting – T1003 Credential Dumping

From the initial infection, one or multiple machines are compromised, and the next step is to collect as many credentials as possible to perform lateral movement. We observed the use of Mimikatz to collect (highly privileged) credentials and re-use them internally to execute additional software on the Active Directory servers or other machines inside the network.

The use of Mimikatz is quite popular, having been observed in the modus operandi of more than 20 different threat actors.

Lateral Movement – T1086 PowerShell

The use of PowerShell helps attackers automate certain tasks once they are in a network. In this case, we observed how Empire was used to run different SOCKS proxy PowerShell scripts to pivot inside the network:

Extracting information about the IP found in the investigation, we observed that the infrastructure for the Dridex C2 panels and this SOCKS proxy was shared.

PowerShell was also used to find specific folders inside the infected systems:

A reason for an attacker to use a PowerShell-based framework like Empire is its different modules, like invoke-psexec or invoke-mimikatz, that can execute remote processes on other systems or get credentials from any system where Mimikatz can run. When deployed right, these modules can significantly increase the speed of exploitation.

Once the attackers had collected enough highly privileged accounts and gained complete control over the Active Directory, they distributed and executed ransomware on the complete network as the next step of their attack, in this case BitPaymer.

Ransomware Detonation – T1486 Data Encrypted for Impact

BitPaymer seemed to be the final objective of this attack. The actors behind BitPaymer invest time to get to know their victims and build a custom binary for each, which includes the leet-speak name of the victim as the file extension for the encrypted files, e.g. “financials.<name_of_victim>”.

In the ransomware note, we observed the use of the company name too:

Observations

  • One of the remote proxy servers used in the operation shares the same infrastructure as one of the C2 panels used by Dridex.
  • We observed how a Dridex infection served as a launch point for an extensive compromise and BitPaymer ransomware infection.
  • Each binary of Bitpaymer is specially prepared for every single target, including the extension name and using the company name in the ransomware note.
  • Certain Dridex botnet IDs are seen in combination with targeted BitPaymer infections.
  • Companies must not ignore indicators of activity from malware like Dridex, Azorult or NetSupport; they could be a first indicator of other malicious activity to follow.
  • It is still unclear how the fake update link arrived at the users but in similar operations, SPAM campaigns were most likely used to deliver the first stage.
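The observations above argue that a Dridex, Azorult or NetSupport hit should not be closed as a routine infection when credential dumping or Empire activity follows it. This added example (not McAfee's code) correlates per-host alerts along the ATT&CK stages the post maps; the alert line format, hostnames, timestamps and the 30-day window are assumptions.

```python
# Added example, not McAfee's code: escalate a commodity-malware detection when
# the later stages of the chain described in the post follow it on the same host.
from collections import defaultdict
from datetime import datetime, timedelta

# Precursor families named in the post and the ATT&CK techniques it maps.
PRECURSOR_FAMILIES = ("dridex", "azorult", "netsupport", "chthonic")
STAGE = {
    "T1189": 0,  # drive-by compromise: fake update page
    "T1090": 1,  # connection proxy: first-stage loader / Dridex
    "T1003": 2,  # credential dumping: Mimikatz
    "T1086": 3,  # PowerShell: Empire SOCKS proxy, invoke-psexec
    "T1486": 4,  # data encrypted for impact: BitPaymer
}
ESCALATION_WINDOW = timedelta(days=30)  # assumption: tune per environment


def parse_alert(line):
    """Parse one constructed alert line: '<ISO time>|<host>|<technique>|<detail>'."""
    ts, host, technique, detail = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "technique": technique, "detail": detail}


def verdict_for_host(alerts):
    """Walk a host's alerts in time order and decide how far the chain got."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    precursor_at = None   # first time a precursor family was seen on this host
    chain = []            # later-stage techniques seen inside the window
    for a in alerts:
        if any(f in a["detail"].lower() for f in PRECURSOR_FAMILIES):
            precursor_at = precursor_at or a["ts"]
        stage = STAGE.get(a["technique"], -1)
        within = precursor_at is not None and a["ts"] - precursor_at <= ESCALATION_WINDOW
        if stage >= 2 and within:
            chain.append(a["technique"])
    if "T1486" in chain:
        return "ransomware-detonation", chain
    if chain:
        return "escalate-targeted-intrusion", chain
    if precursor_at is not None:
        return "precursor-do-not-close", chain
    return "no-precursor", chain


def correlate(lines):
    """Group alert lines by host and return {host: (verdict, chain)}."""
    per_host = defaultdict(list)
    for line in lines:
        if line.strip():
            a = parse_alert(line)
            per_host[a["host"]].append(a)
    return {host: verdict_for_host(alerts) for host, alerts in per_host.items()}


# Constructed sample alerts (hostnames and times are made up), modelled on the
# chain in the post: Dridex botnet 199, then Mimikatz, then an Empire SOCKS proxy.
SAMPLE_ALERTS = """
2019-10-20T09:12:00|ws-fin-07|T1090|Trojan Dridex botnet 199 beacon
2019-10-22T14:03:00|ws-fin-07|T1003|Mimikatz sekurlsa in process memory
2019-10-23T02:41:00|ws-fin-07|T1086|PowerShell Empire socks proxy script
2019-10-21T11:00:00|ws-hr-02|T1090|Trojan Azorult stealer
2019-10-24T08:30:00|srv-dc-01|T1003|lsass memory read by unknown binary
2019-10-25T03:05:00|srv-file-01|T1090|Trojan Dridex botnet 199 beacon
2019-10-27T01:10:00|srv-file-01|T1486|BitPaymer encryption, custom extension per victim
""".strip().splitlines()

if __name__ == "__main__":
    for host, (verdict, chain) in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: {verdict} {chain}")
```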

McAfee Coverage

Based on the indicators of compromise found, we successfully detect them with the following signatures:

  • RDN/Generic.hbg
  • Trojan-FRGC!7618CB3013C3
  • RDN/Generic.dx

The C2 IPs are tagged as malicious in our GTI.

McAfee ATD Sandbox Detonation

Advanced Threat Detection (ATD) is a specialized appliance that identifies sophisticated and difficult-to-detect threats by executing suspicious malware in an isolated space, analyzing its behavior and assessing the impact it can have on an endpoint and on a network.

For this specific case, the ATD sandbox showcases the activity of Bitpaymer in a system:

We observe the use of icacls and takeown to change permissions inside the system; such living-off-the-land techniques are commonly used by different types of malware.

Behavior signatures extracted by the ATD sandbox while observing the BitPaymer detonation in the isolated environment:

Having the opportunity to detonate malware in this environment gives indicators about the threat type and its capabilities.

McAfee Real Protect

The samples garnered from this campaign would have been detected by Real Protect. Real Protect is designed to detect zero-day malware in near real time by classifying it based on behavior and static analysis. Real Protect uses machine learning to automate classification, is signature-less with a small client footprint, and supports both offline and online modes of classification. Real Protect improves detection by up to 30% on top of .DAT and McAfee Global Threat Intelligence detections, while producing actionable threat intelligence.

YARA RULE

We have a YARA rule available on our ATR GitHub repository to detect some of the versions of BitPaymer ransomware.

IOCs

 

A special thanks to John Fokker and Christiaan Beek for their assistance with this blog.

Veterans Day U.S. – A McAfee MoM’s Reflection https://securingtomorrow.mcafee.com/blogs/other-blogs/life-at-mcafee/veterans-day-u-s-a-mcafee-moms-reflection/ https://securingtomorrow.mcafee.com/blogs/other-blogs/life-at-mcafee/veterans-day-u-s-a-mcafee-moms-reflection/#respond Thu, 07 Nov 2019 15:33:59 +0000 https://securingtomorrow.mcafee.com/?p=97332

The post Veterans Day U.S. – A McAfee MoM’s Reflection appeared first on McAfee Blogs.

By: Deb, Executive Assistant, Plano TX

On Monday, November 11, the U.S. celebrates Veterans Day. We at McAfee U.S. are able to spend this holiday paying tribute to coworkers, friends and family members who have served our country in the various branches of military service. Being able to honor, celebrate and remember our nation’s heroes on Veterans Day every year is one of the things that I hold near and dear to my heart.

Wearing RED for a Reason

Anyone who knows me or sees me on Fridays at our Plano headquarters location, knows that I wear red EVERY Friday. I wear RED as a reminder to “Remember Everyone Deployed.”  I’ve recently noticed that many of my peers have also begun to wear red on Fridays. Regardless of whether it’s McAfee red or acknowledging our veterans with RED, I make it a point to acknowledge and thank them for showing their support!  We have such a great team at McAfee-Plano, and I always encourage my colleagues to wear RED. It’s an easy, yet powerful, way to make a statement of support for our veterans!

I am passionate about our military and veterans because I come from a long line of military servants. My dad and brother-in-law both served in the U.S. Air Force. Three of my grandfathers served in the military—two in the U.S. Army and one in the U.S. Army Air Corps. I also have an uncle/Godfather who served as a Navy Seabee. But my most powerful connection to the military is as a MoM (Mother of a Marine). My 19-year-old son, Austin, is a Lance Corporal in the U.S. Marine Corps. I call Austin my tough, awesome, and brave hero. He not only has my back, but he has the backs of all Americans. As his family, we are fortunate that he is currently stationed stateside. Of course, that can change in the blink of an eye.

Making the Sacrifice

Very recently, it has sunk in that my family is living our lives based on someone else’s calendar and the decisions of the U.S. Marine Corps. They have full control over Austin’s schedule and our ability to see him. As easy as a flight can be booked and other plans finalized, a leave can be taken away. In fact, my son’s leave for Thanksgiving this year was recently cancelled. This would have been his first time home since his graduation from boot camp at the end of June 2018. Yes, as a mama, I cried for an entire day when I heard that he would not be able to come home. But then I remembered that his calling is so much bigger than that of a son, a brother, a nephew, or grandson coming home for the holiday. When I remembered that his obligation and commitment is so much greater, my tears had to stop. My pride in him swelled, as did my love for my country. He and his military brothers and sisters, in all branches of service, are out there protecting us and fighting for our freedom. I cannot be selfish with my wishes for him to be home. What I can do is pray for his safety, and the safety of all those serving. And I will continue to be thankful for the sacrifices of all military personnel, past and present, and their families.

Feeling Support at McAfee

One of the reasons I love working here at McAfee is the knowledge that our company is so supportive of those who are actively serving in the military as well as our honored veterans and their family members. As a MoM, it makes me proud when I come to work each Friday and see more and more of my coworkers dressed in red; or I get the opportunity to participate in Veterans events and celebrations. I am grateful for my colleagues’ gestures of support that bring a big smile to my face. McAfee’s strong commitment to Veterans through our Veterans Community and active recruiting of veterans are other reasons I am proud to be a McAfee team member.

 

Buran Ransomware; the Evolution of VegaLocker https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/#respond Tue, 05 Nov 2019 17:37:32 +0000 https://securingtomorrow.mcafee.com/?p=97285

The post Buran Ransomware; the Evolution of VegaLocker appeared first on McAfee Blogs.

McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works on a RaaS model like other ransomware families such as REvil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30%–40% taken by notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. They announced in their ads that all affiliates will have a personal arrangement with them.

For the analysis we present here, we will focus on one of the Buran hashes:

We will highlight the most important observations when researching the malware and will share protection rules for the endpoint, IOCs and a YARA rule to detect this malware.

Buran Ransomware Advertisement

This ransomware was announced in a well-known Russian forum with the following message:

 

Buran is a stable offline cryptolocker, with flexible functionality and support 24/7.

Functional:

Reliable cryptographic algorithm using global and session keys + random file keys;
Scan all local drives and all available network paths;
High speed: a separate stream works for each disk and network path;
Skipping Windows system directories and browser directories;
Decryptor generation based on an encrypted file;
Correct work on all OSs from Windows XP, Server 2003 to the latest;
The locker has no dependencies, does not use third-party libraries, only mathematics and WinAPI;

The completion of some processes to free open files (optional, negotiated);
The ability to encrypt files without changing extensions (optional);
Removing recovery points + cleaning logs on a dedicated server (optional);
Standard options: tapping, startup, self-deletion (optional);
Installed protection against launch in the CIS segment.

Conditions:

They are negotiated individually for each advert depending on volumes and material.

Start earning with us!

 

The announcement says that Buran is compatible with all versions of the Windows OS (but during our analysis we found that, on old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment. Note: The CIS segment comprises ten former Soviet republics: Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Rig Exploit Kit as an Entry Vector

Based upon the investigation we performed, as well as research by “nao_sec” highlighted in June 2019, we discovered that Buran ransomware was delivered through the Rig Exploit Kit. It is important to note that the Rig Exploit Kit is the preferred EK used to deliver the latest ransomware campaigns.

FIGURE 1. EXPLOIT KIT

The Rig Exploit Kit was using CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine, Arbitrary Code Execution) to exploit the client side. After successful exploitation, this vulnerability is used to deliver Buran ransomware to the system.

Static Analysis

The main packer and the malware were written in Delphi to make analysis of the sample more complicated. The malware sample is a 32-bit binary.

FIGURE 2. BURAN STATIC INFORMATION

In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.

FIGURE 3. BURAN STATIC INFORMATION

The goal of the packer is to decrypt the malware and use a RunPE technique to run it from memory. To obtain a cleaner version of the sample we dumped the malware from memory, obtaining an unpacked version.

Country Protection

Checking locales has become quite popular in RaaS ransomware, as authors want to ensure they do not encrypt data in certain countries. Normally we would expect to see more CIS countries but, in this case, only three are verified.

FIGURE 4. GETTING THE COUNTRY OF THE VICTIM SYSTEM

This function gets the system country and compares it with 3 possible values (the countries’ international dialing codes):

  • 0x7 -> RUSSIAN FEDERATION
  • 0x177 -> BELARUS
  • 0x17C -> UKRAINE

It is important to note here that the advertising of the malware in the forums said it does not affect CIS countries but, with there being 10 nations in the region, that is obviously not entirely accurate.

If the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish with an “ExitProcess”.

The next action is to calculate a hash based on its own path and name on the machine. It concatenates the 32-bit hash value with the extension “.buran” and immediately creates a file with that name in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution; the check is done by extracting the date of the file.

FIGURE 5. BURAN CHECKS IN THE TEMP FOLDER

If the file exists after the check performed by the malware, the temporary file is erased through the API “DeleteFileW”.

FIGURE 6. CHECK WHETHER A TEMP FILE CAN BE CREATED

This function can be used as a kill switch to avoid infection by Buran.

Buran ransomware can accept special arguments at execution. If it is executed without any special argument, it creates a copy of itself with the name “ctfmon.exe” in the Microsoft APPDATA folder and launches it using ShellExecute with the verb “runas”. This verb is not in the official Microsoft SDK but, if we follow the MSDN documentation to learn how it works, we can deduce that the program will ignore its own manifest and trigger a UAC prompt for the user if the protection is enabled.

This behavior could change depending on the compilation options chosen by the authors and delivered to the affiliates.

According to the documentation, the function “CreateProcess” checks the manifest; Buran, however, avoids this by launching through ShellExecute with the “runas” verb:

FIGURE 7. LAUNCH OF THE NEW INSTANCE OF ITSELF

When running, Buran creates a registry entry in the Run subkey pointing to the new instance of the ransomware, with a suffix of ‘*’. This suffix means that Buran will run in safe mode too:

FIGURE 8. PERSISTENCE IN THE RUN SUBKEY IN THE REGISTRY

The write to the registry is done using the “reg” utility, as a one-liner concatenating different options with the “&” symbol. Going through “reg.exe” avoids a breakpoint in the main binary.

FIGURE 9. WRITE OF PERSISTENCE IN THE REGISTRY

Buran implements this technique to complicate the work of malware analysts reverse engineering the sample. After these operations, the old instance of the ransomware exits using “ExitProcess”.

Analysis of the Delphi code shows that the 2nd version of Buran identifies the victim using random values.

FIGURE 10. GENERATE RANDOM VALUES

After that it decrypts a registry subkey name, “Software\Buran\Knock”, in the HKEY_CURRENT_USER hive. It checks the current data of that key and, if the key does not exist, adds the value 0x29A (666) to it. Interestingly, we discovered that GandCrab used the same value to generate the ransom id of the victim. If the value and subkey exist, the malware continues in the normal flow; if not, it decrypts a URL, “iplogger.ru”, and connects to this domain using a special user agent:

FIGURE 11. SPECIAL USER AGENT BURAN

The referrer is the identifier of the victim infected with Buran.

The result of this operation is the writing of the previously checked subkey with the value 0x29A, to avoid repeating the same operation.

After this action the malware enumerates all network shares with the functions:

  • WNetOpenEnumA
  • WNetEnumResourceA
  • WNetCloseEnum

This call is made recursively, to discover and save all network shares in a list. This process is necessary if Buran wants to encrypt all the network shares in addition to the logical drives. Buran avoids enumerating optical drives and other non-mounted volumes. The result of these operations is saved for Buran to use later in the encryption process.

The ransom note is encrypted inside the binary and is dumped to the victim’s machine during execution. Inside this ransom note, the user will find their victim identifier, generated with the random Delphi function mentioned earlier. This identifier is necessary for affiliates to track their infected users and deliver the decryptor after payment is made.

In the analysis of Buran, we found that this ransomware blacklists certain files and folders. This is usually a mechanism to ensure that the ransomware does not break its functionality or performance.

Blacklisted folders in Buran:

Blacklisted files in Buran:

The encryption process starts with special folders in the system, like the Desktop folder. Buran can use threads to encrypt files and, during the process, encrypts the drive letters and folders gathered earlier in the reconnaissance process.

The ransom note will be written to disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!” with the following content:

FIGURE 12. AN EXAMPLE RANSOM NOTE

Each encrypted file keeps its original name and gets a new extension made up of the random values as well.

For example: “rsa.bin.4C516831-800A-6ED2-260F-2EAEDC4A8C45”.

All the files encrypted by Buran contain a specific file marker:

FIGURE 13. CRYPTED FILE

In terms of encryption performance, we found Buran slower compared to other RaaS families. According to the authors’ advertisement in the underground forums, they are continually improving their piece of ransomware.

Buran Version 1 vs Buran Version 2

In our research we identified two different versions of Buran. The main differences between them are:

Shadow copies delete process:

In the 2nd version of Buran, one of the main additions is the deletion of the shadow copies using WMI.

Backup catalog deletion:

Another feature added in the new version is the backup catalog deletion. It is possible to use the Catalog Recovery Wizard to recover a local backup catalog.

System state backup deletion:

In the same line of system destruction, we observed how Buran deletes the system state backup during execution:

Ping used as a sleep method:

As a crude evasion technique, Buran uses ping inside a ‘for loop’ as a sleep, to give the file deletion time to complete.
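The host artifacts described in the two sections above (the victim-id extension, the ransom note name, the Run entry with the ‘*’ suffix, the Software\Buran\Knock marker, the ctfmon.exe copy in APPDATA, the iplogger.ru beacon, and the version 2 shadow copy and backup deletion) are what an endpoint rule would key on. This added example (not McAfee’s or the Buran authors’ code) matches constructed endpoint events against them; the event schema, the wmic/wbadmin command-line forms and the rename threshold are assumptions.

```python
# Added example, not McAfee's code: flag the Buran host artifacts described in the post.
import re
from collections import Counter

# Renamed files keep their name and gain the random victim id as an extension,
# e.g. rsa.bin.4C516831-800A-6ED2-260F-2EAEDC4A8C45 (format from the post).
VICTIM_ID_EXT = re.compile(
    r"\.[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
RANSOM_NOTE = "!!! YOUR FILES ARE ENCRYPTED !!!"
KNOCK_SUBKEY = r"software\buran\knock"
KNOCK_VALUE = 0x29A            # 666, written once the iplogger.ru beacon is done
RUN_SUBKEY = r"\currentversion\run"
MASS_RENAME_THRESHOLD = 20     # assumption: tune per environment


def classify(event):
    """Return the Buran indicator names that one event matches."""
    hits = []
    kind = event["type"]
    if kind == "file_rename":
        if VICTIM_ID_EXT.search(event["new_name"].upper()):
            hits.append("victim_id_extension")
    elif kind == "file_create":
        if event["name"] == RANSOM_NOTE:
            hits.append("ransom_note")
    elif kind == "reg_set":
        key = event["key"].lower()
        name, data = str(event.get("name", "")), event.get("data", "")
        if key.endswith(KNOCK_SUBKEY) and data == KNOCK_VALUE:
            hits.append("knock_marker")
        # '*' on the Run entry means it also runs in safe mode (post: a suffix)
        if RUN_SUBKEY in key and (name.endswith("*") or str(data).rstrip().endswith("*")):
            hits.append("run_key_safe_mode")
    elif kind == "process":
        image = event["image"].lower()
        cmd = event.get("cmdline", "").lower()
        # The genuine ctfmon.exe lives under System32, not under a user profile
        if image.endswith("\\ctfmon.exe") and "\\appdata\\" in image:
            hits.append("ctfmon_masquerade")
        # Assumed command forms for the version 2 destruction steps
        if "wmic" in image and "shadowcopy" in cmd and "delete" in cmd:
            hits.append("shadow_copy_delete")
        if "wbadmin" in image and "delete catalog" in cmd:
            hits.append("backup_catalog_delete")
        if "wbadmin" in image and "systemstatebackup" in cmd:
            hits.append("system_state_backup_delete")
    elif kind == "dns":
        if event["query"].lower().endswith("iplogger.ru"):
            hits.append("iplogger_beacon")
    return hits


def assess(events):
    """Count indicators over an event stream and return (counter, verdict)."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    if counts["victim_id_extension"] >= MASS_RENAME_THRESHOLD or counts["ransom_note"]:
        verdict = "buran_encryption_in_progress"
    elif counts["knock_marker"] or counts["run_key_safe_mode"] or counts["ctfmon_masquerade"]:
        verdict = "buran_staging"
    elif counts:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return counts, verdict


# Constructed sample events (paths, user name and victim id are made up).
VICTIM_ID = "4C516831-800A-6ED2-260F-2EAEDC4A8C45"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\ctfmon.exe",
     "cmdline": "ctfmon.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon", "data": r"C:\Users\alice\AppData\Roaming\ctfmon.exe *"},
    {"type": "dns", "query": "iplogger.ru"},
    {"type": "reg_set", "key": r"HKCU\Software\Buran\Knock", "name": "", "data": 0x29A},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "file_create", "name": RANSOM_NOTE},
] + [{"type": "file_rename", "old_name": f"doc{i}.docx",
      "new_name": f"doc{i}.docx.{VICTIM_ID}"} for i in range(25)]

if __name__ == "__main__":
    counts, verdict = assess(SAMPLE_EVENTS)
    print(verdict, dict(counts))
```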

The ransom note changed between versions:

VegaLocker, Jumper and Now Buran Ransomware

Despite the file marker used, based on the behavior, TTPs and artifacts in the system we identified that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin of this malware family.

Malware authors evolve their code to improve it and make it more professional. Trying to be stealthy and confuse security researchers and AV companies could be one reason for changing its name between revisions.

This is the timeline of this malware family:

Similarities in Behavior:

Files stored in the temp folder:

VegaLocker:

Jumper:

Buran:

Registry changes:

VegaLocker:

Buran:

Extension overlapping:

In one of the variants (Jumper) it is possible to spot some samples using both extensions:

  • .vega
  • .jamper

Shadow copies, backup catalog and systembackup:

In the analyzed samples we saw how VegaLocker used the same methods to delete the shadow copies, backup catalog and the system state backup.

Coverage

  • RDN/Ransom
  • Ransomware-GOS!E60E767E33AC
  • Ransom
  • RDN/Ransom
  • RDN/Generic.cf
  • Ransom-Buran!

Expert Rule:

Indicators of Compromise

MITRE

The sample uses the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

YARA Rule

We created a YARA rule to detect Buran ransomware samples; the rule is available in our GitHub repository.

Conclusion

Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions. We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them. We are observing an increase in ransomware families in 2019, as well as old players in the market releasing new versions based on their own creations.

All of the binaries appeared with a custom packer and already came with interesting features to avoid detection or to ensure the user must pay due to the difficulty of retrieving the files. Buran mimics some features from the big players and we expect the inclusion of more features in future developments.

Buran is slower than other ransomware families we observed, and samples are coded in Delphi which makes reverse engineering difficult.

Are Some Phone Charging Cables Dangerous to Plug in? https://securingtomorrow.mcafee.com/blogs/consumer/hackable/are-some-phone-charging-cables-dangerous-to-plug-in/ https://securingtomorrow.mcafee.com/blogs/consumer/hackable/are-some-phone-charging-cables-dangerous-to-plug-in/#respond Tue, 05 Nov 2019 17:20:39 +0000 https://securingtomorrow.mcafee.com/?p=97322

The post Are Some Phone Charging Cables Dangerous to Plug in? appeared first on McAfee Blogs.

We’ve all felt helpless as our phone’s battery dwindles in a moment of dire need. 25%…15%… 5%. The panic sets in, and suddenly, any port in the proverbial storm will do. You start outlet hunting and maybe even ask strangers if you can borrow their cable. But have you ever wondered whether every charging station and cable is safe?

On the latest episode of “Hackable?” we wanted to find out just how dangerous it is to charge your phone with a hacker-modified cable. White-hat Craig Young ships our producer Pedro a secretly-sinister cable and together they launch an attack on host Geoff’s phone and computer. Listen and learn just how much low battery anxiety could put you at risk if you end up charging with the wrong cable!

 

Helping Kids Think Critically About Influencers They Follow Online https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/helping-kids-think-critically-about-influencers-they-follow-online/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/helping-kids-think-critically-about-influencers-they-follow-online/#respond Sun, 03 Nov 2019 15:29:09 +0000 https://securingtomorrow.mcafee.com/?p=97262

The post Helping Kids Think Critically About Influencers They Follow Online appeared first on McAfee Blogs.

When I was a teenager, my role model was Olympic gymnast Mary Lou Retton. I admired everything about her. I cut my hair like hers and brushed my teeth three times a day, determined to get my smile to sparkle like hers. I even started eating Wheaties when she endorsed them, thinking it would help me land my back handspring (spoiler alert: it didn’t).

It’s natural and healthy to seek out role models. Who doesn’t want to excel at a skill or possess admirable qualities? Teens today are no different. They look to others to figure out how to attain their goals. But while kids today may have the same emotional desire for role models, the online culture has confused the meaning of influence.

Algorithm vs. Character

We no longer bestow titles like role model and influencer on the few, but the many. And the requirements? Not too steep. Today, influencers win the public’s affections based on the number of likes, follows, shares, or sponsors a person accumulates. When it comes to emulating others, kids turn to famous Instagrammers and YouTubers whose fame is determined by algorithm strength rather than character strength.

For parents, this force field of influence can feel impossible to penetrate. Many (this mom included) constantly feel torn. As our kids mature, we want to give them space to explore and form opinions and preferences of their own apart from our commentary. On the flip side, technology brings more risk to the choices kids make today. Those risks can be severe and include online scams connected to celebrities, data breaches, and mental health issues linked to social influence.

Equipping vs. Condemning

So, what practical steps can we take to help our kids think more critically about the role models, celebrities, or influencers they choose to follow and even emulate? One way to move the needle is to thoughtfully and consistently increase the dialogue about values, beliefs, and goals.

Keeping the conversation focused can be tricky. The goal of guiding your child should aim to equip, not condemn. Hint: The goal isn’t to debate the questionable things a celebrity or influencer chooses to say or do. The goal is to explore and build the values that inform the things your child chooses to say and do.

Here are a few conversation starters to challenge your child to look a little more closely at the influencers and celebrities he or she esteems.

Family Talking Points

Highlight common ground. I instantly connected with Mary Lou Retton because we were about the same age and were both half-pints. She was 4’9”, and at that time, I was barely an inch taller and struggling with that. But Mary Lou was fierce, unstoppable, and had a positive attitude that was contagious. Suddenly, short was cool. In talking to your child about the people they admire, point to the common ground he or she might share with that person. Questions: What kind of character or personal traits do you think you might share with this person? How do you think the two of you are similar or different? If you could have lunch with this person, what do you think you could teach them? What could they teach you?

Find the friction. Encourage your child to look beyond the social surface and find influencers who have overcome real-life struggles. The discussion might turn to issues such as depression, grief, addiction, bullying, or dealing with a disability. Questions: What influencers or celebrities do you admire who have conquered a difficult situation? What have you learned from watching how he or she responded to that situation? How do you think you might respond if you were in that situation?

Learn the back story. If your child admires a person and you can’t figure out the reason, challenge her thinking. If the reasoning is that someone is “so pretty” or “goes to Coachella,” challenge your child to dig deeper and learn as much as she can about her favorite person. Questions: What specific qualities or achievements do you think make this person famous? Do you agree with that? Did you discover events in this person’s life that may have shaped who they are? What did you learn about this person that makes you admire them more? What did you learn that makes you admire them less? How does this person help others? If you were in this person’s shoes, how would you use your influence differently?

Get personal. Sometimes we can strengthen a perspective by looking close to home. Challenge your child to think about the people in his or her family or community. Who do you know that stands up for what’s right? Who makes time to help others? Point out someone who has conquered an addiction or made a courageous comeback of some kind. Questions: What do you think are the three most important traits a person can have? Who do you know who has these traits? If you overheard people talking about you in the future, what words would you hope they would use to describe you?

Asking great questions can improve the quality of family conversations. While technology has changed our vocabulary in dramatic ways, the meaning we apply to our words can survive any cultural shift if we’re intentional. Take the time this week to ask your kids great questions. And stick with it, parents — you have more influence than you think.

The post Helping Kids Think Critically About Influencers They Follow Online appeared first on McAfee Blogs.

What You Need to Know About the Google Chrome Vulnerabilities https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/google-chrome-vulnerabilities/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/google-chrome-vulnerabilities/#respond Fri, 01 Nov 2019 23:05:03 +0000 https://securingtomorrow.mcafee.com/?p=97259


While you might have been preoccupied with ghosts and goblins on Halloween night, a different kind of spook began haunting Google Chrome browsers. On October 31st, Google Chrome engineers issued an urgent announcement for the browser across platforms due to two zero-day security vulnerabilities, one of which is being actively exploited in the wild (CVE-2019-13720).

So, what is the Google Chrome zero-day exploit? While few specific details are known at this time, researchers did uncover that the bug is a use-after-free flaw, a memory corruption bug in which a program keeps accessing a region of memory after it has been freed. If this occurs, it can cause a variety of issues, including program crashes, execution of malicious code, or even allowing an attacker to gain full remote access to the device.

The second of the two vulnerabilities (CVE-2019-13721) affects PDFium, an open-source software library developed by Foxit and Google that gives developers the capability to view and search PDF documents. Like the first bug, this flaw is also a use-after-free vulnerability. However, there have been no reports of it being exploited by cybercriminals for malicious purposes yet.

Luckily, Google has quickly acknowledged the vulnerabilities and is rolling out a patch for these bugs over the coming days. Meanwhile, follow these security tips to help safeguard your data and devices:

  • Update, update, update. Be sure to install the latest Chrome browser update immediately to help mitigate any risk of falling victim to these exploits.
  • Turn on automatic updates. Practice good security hygiene by turning on automatic updates. Cybercriminals rely on unpatched software to exploit vulnerabilities, so ensure that your device software is updated as soon as patches are available.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post What You Need to Know About the Google Chrome Vulnerabilities appeared first on McAfee Blogs.
ST12: IoT in Energy & Manufacturing https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st12-iot-in-energy-manufacturing/ https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st12-iot-in-energy-manufacturing/#respond Fri, 01 Nov 2019 14:00:34 +0000 https://securingtomorrow.mcafee.com/?p=97253


In this episode, security operations solutions strategists Andrew Lancashire and Kate Scarcella discuss the world of Internet of Things inside the Energy and Manufacturing industries.

The post ST12: IoT in Energy & Manufacturing appeared first on McAfee Blogs.

Ransomware: The Digital Plague that Still Persists https://securingtomorrow.mcafee.com/blogs/enterprise/ransomware-the-digital-plague-that-still-persists/ https://securingtomorrow.mcafee.com/blogs/enterprise/ransomware-the-digital-plague-that-still-persists/#respond Thu, 31 Oct 2019 14:30:27 +0000 https://securingtomorrow.mcafee.com/?p=97251


Ransomware began its reign of cyber terror in 1989 and remains a serious and dangerous threat today. In layman’s terms, ransomware is malware that employs encryption to lock users out of their devices or block access to critical data or files. A sum of money, or ransom, is then demanded in return for access to the information. Some effects of ransomware include downtime, data loss, possible intellectual property theft, major financial consequences and more.

The Rise of Ransomware

Ransomware and its variants are rapidly evolving. McAfee Labs found that ransomware grew by 118% in the first quarter of 2019, and discovered new ransomware families using innovative techniques to target and infect enterprises. Based on volume, the top three ransomware families that were most active in Q1 were Dharma, GandCrab and Ryuk.

Many variations of ransomware exist. Often we’ve seen ransomware and other malware being distributed using email spam campaigns or through targeted attacks. But in Q1, our researchers found an increasing number of attacks are gaining access to companies that have open and exposed remote access points, such as RDP and virtual network computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets. To note, the ransomware Dharma used the RDP attack method, while GandCrab and Ryuk used mostly spear-phishing as a distribution mechanism.

The Impact of Ransomware

Earlier this year, cybercriminals targeted the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach. After major disruptions in municipal services resulting from the ransomware, city leaders complied with the hacker gang’s demand of 65 bitcoin (roughly $600,000) in exchange for the decryption key. Although we do not recommend it, we’ve seen a number of victims give in to the extortion demands of attackers, often paying the ransom demand of hundreds or thousands of dollars in order to restore their systems. In the end, you may reduce downtime by paying the ransom, but it’s never a guarantee that you will receive a decryption key, plus you will be funding criminal activity.

The impact of ransomware is more than merely a nuisance. Companies tend to experience temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

How to Defend Against Ransomware

We must not forget that with every cyberattack, there is always a human cost, whether it’s a business dealing with an outage or a consumer dealing with a major fraud. It’s important to develop a proactive disaster recovery plan to increase your chances of withstanding ransomware. To help steer clear of ransomware, below are a few tips to follow:

  • Defend – Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected. Always downloading the newest version of your operating system or apps helps you stay ahead of threats.
  • Back up your data – Frequently back up essential data, ideally storing it both locally and on the cloud.
  • Stay informed – Resources such as nomoreransom.org—an initiative created by the National High Tech Crime Unit of the Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.

The post Ransomware: The Digital Plague that Still Persists appeared first on McAfee Blogs.

Chapter Preview: Ages 11 to 17 – From Tweens to Teens https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/from-tweens-to-teens/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/from-tweens-to-teens/#respond Thu, 31 Oct 2019 10:00:43 +0000 https://securingtomorrow.mcafee.com/?p=96534


For anyone who asks what happens during the tween through teen years, the best answer is probably, “What doesn’t happen?!”

Just so you know, I’ve been there, done that, and got the T-shirt. And I survived. My kids were the first generation to grow up on social media. Like most teens in the mid-2000s, they got their first taste with MySpace and then switched to Facebook as the masses shifted there around 2009. They also got into other platforms, like Instagram, and stuck with them while others came and went. And yes, sharing almost every facet of their lives presented many challenges. I won’t get into details here as it might embarrass my kids, but suffice it to say that mistakes were made.

Being a security and privacy practitioner, I made sure there were lots of discussions on how to use these platforms safely. The early discussions centered on privacy and the permanence of data, but eventually led to security talks as the platforms were inundated with scams and other malicious activities. As you can imagine, when my kids were tweens and teens, the internet was a different place than it is today, and I’m sure it will be very different 10 to 15 years from now.

This chapter of “Is Your Digital Front Door Unlocked?” steps you through what your tween and teen face as they spend an increasing amount of time online and using connected things. It expands upon some of the topics discussed earlier in the book with more of an eye towards how those topics impact this age group, while offering advice and insights on topics that often surface at this age. We tackle some big topics too, such as when to get your child a smartphone, how many children will make friends that they will only know online, cyberstalking, and the secret digital life of teens that every parent should know. This chapter packs a big punch—as it should, because these are some big years for parents and kids alike.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Chapter Preview: Ages 11 to 17 – From Tweens to Teens appeared first on McAfee Blogs.

3 Tips to Protect Yourself From the Office 365 Phishing Scams https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/office-365-phishing/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/office-365-phishing/#respond Thu, 31 Oct 2019 04:01:15 +0000 https://securingtomorrow.mcafee.com/?p=97244


Cybercriminals seem to get more and more sophisticated with their attacks, and phishing scams are no different. The McAfee Labs team has observed a new phishing campaign using a fake voicemail message to trick victims into giving up their Office 365 email credentials. During the investigation, the team has found three different phishing kits being used to exploit targets.

How exactly does this sneaky phishing scam work? It all begins when a victim receives an email stating that they’ve missed a phone call, along with a request to log into their account to access the voice message. The email also contains an attached HTML file that redirects the victim to a phishing website. This website prepopulates the victim’s email address and asks them to enter their Office 365 credentials. What’s more, the stealthy attachment contains an audio recording of someone talking, leading the victim to believe that they are listening to a legitimate voicemail.

Once the victim enters their password, they are presented with a page stating that their login was successful. The victim is then redirected to the office.com login page, leading them to believe that everything is perfectly normal. Little do they know that their credentials have just been harvested by a cybercriminal.

While this sneaky scheme has been primarily used to target organizations, there is much to be taken away from this incident, as cybercriminals often disguise themselves as businesses to phish for user data. To protect yourself from these stealthy scams, check out the following tips:

  • Go directly to the source. Be skeptical of emails claiming to be from companies with peculiar asks or messages. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Be cautious of emails asking you to take action. If you receive an email asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.
  • Hover over links to see and verify the URL. If someone sends you an email with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 3 Tips to Protect Yourself From the Office 365 Phishing Scams appeared first on McAfee Blogs.

Office 365 Users Targeted by Voicemail Scam Pages https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/#respond Thu, 31 Oct 2019 04:01:09 +0000 https://securingtomorrow.mcafee.com/?p=97170


Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted. McAfee customers using VSE, ENS, Livesafe, WebAdvisor and MGW are protected against this phishing campaign.

The attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to log in to their account to access their voicemail.

An example of the malicious email is shown below:

The phishing email contains an HTML file as an attachment which, when loaded, will redirect the user to the phishing website. There are slight variations in the attachment, but the most recent ones contain an audio recording of someone talking which will lead the victim to believe they are listening to the beginning of a legitimate voicemail.

The HTML code which plays the recording is shown below:

Once redirected, the victim is shown the phishing page which asks them to log into their account. The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate.

When the password is entered, the user is presented with the following successful login page and redirected to the office.com login page.

We observed the following filenames being used for the attachments:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice-DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

Phishing Sites

As explained in the introduction, we were surprised to observe three different phishing kits being used to generate the malicious websites. All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.

Voicemail Scmpage 2019 (Not a typo)

The first kit is being sold on an ICQ channel and the creator advertises it on social media. The kit goes by the name of ‘Voicemail Scmpage 2019’ and operates on a license key basis, where the license key is checked prior to the phishing site being loaded.

A snippet of the generated HTML code is shown below:

A file, data.txt, is created on the compromised website and it contains a list of visitors, including their IP address, web browsers and the date.

The following data is harvested from the victims and emailed to the owner of the phishing site:

  • Email
  • Password
  • IP Address
  • Region (Location)

Office 365 Information Hollar

The second phishing kit we discovered is called ‘Office 365 Information Hollar’. This kit is very similar to ‘Voicemail Scmpage 2019’ and gathers the same data, as shown in the image below:

Third “Unnamed” Kit

The final phishing kit is unbranded, and we could not find any attribution to it. This kit makes use of code from a previous malicious kit targeting Adobe users back in 2017. It is possible that the original author from 2017 has modified this kit, or perhaps more likely the old code has been re-used by a new group.

This kit also harvests the same data as the previous two. The ‘Unnamed Kit’ is the most prevalent malicious page we have observed while tracking these voicemail phishing campaigns.

Targeted Industries

During our investigation we observed the following industries being targeted with these types of phishing emails:

[Services includes tourism, entertainment, real estate and others which are too small to group]

A wide range of employees were targeted, from middle management to executive level staff. We believe that this is a ‘Phishing’ and ‘Whaling’ campaign.

Conclusion

The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider range of targeted attacks.

What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.

We urge all our readers to be vigilant when opening emails and to never open attachments from unknown senders. We also strongly advise against using the same password for different services and, if a user believes that his/her password is compromised, it is recommended to change it as soon as possible.

It is highly recommended to use Two-Factor Authentication (2FA) since it provides a higher level of assurance than authentication methods based on Single-Factor Authentication (SFA), like the one that many users utilise for their Office 365 accounts.

When possible for enterprise customers, we recommend blocking .html and .htm attachments at the email gateway level so this kind of attack will not reach the final user.
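The attachment filename formats listed earlier in this post and the recommendation to block .html and .htm attachments at the email gateway can be expressed as a simple gateway check. The following Python is an added example written for this page, not code from McAfee Labs or from any of the phishing kits; the messages it builds are constructed placeholders (example.invalid addresses, an inert HTML body with no redirect), and the regexes are a transcription of the four filename formats given above.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# The four attachment filename formats reported in the post, transcribed as regexes.
MONTH = r"(?:January|February|March|April|May|June|July|August|September|October|November|December)"
VOICEMAIL_NAME_PATTERNS = [
    re.compile(rf"^\d{{2}}-{MONTH}-\d{{4}}\.wav\.html?$", re.I),        # DD-Month-YYYY.wav.html
    re.compile(rf"^\d{{2}}-{MONTH}-\d{{4}}\.html?$", re.I),             # DD-Month-YYYY.html
    re.compile(rf"^Voice-\d{{2}}-{MONTH}\d{{4}}wav\.html?$", re.I),     # Voice-DD-MonthYYYYwav.htm
    re.compile(rf"^Audio_Telephone_Message\d{{2}}-{MONTH}-\d{{4}}\.wav\.html?$", re.I),
]

# Gateway policy from the post: HTML attachments never reach the end user.
BLOCKED_EXTENSIONS = (".html", ".htm")


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one attachment filename."""
    name = filename.strip()
    for pattern in VOICEMAIL_NAME_PATTERNS:
        if pattern.match(name):
            return "block", f"matches voicemail-lure filename pattern: {name}"
    # The double-extension trick (.wav.html) still ends in .html, so the
    # extension policy catches variants the name patterns do not know yet.
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", f"HTML attachment blocked by gateway policy: {name}"
    return "allow", "no policy match"


def attachments_of(raw_message: str) -> List[str]:
    """Filenames of every MIME part that carries one (Content-Disposition or Content-Type name)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def gateway_verdict(raw_message: str) -> Tuple[str, List[str]]:
    """Block the whole message if any attachment violates policy; return the reasons."""
    reasons = [r for v, r in map(classify_attachment, attachments_of(raw_message)) if v == "block"]
    return ("block" if reasons else "allow"), reasons


def build_sample_lure() -> str:
    """Constructed message shaped like the lure in the post. Addresses are placeholders and
    the HTML body is inert text, not the campaign's redirect code."""
    msg = EmailMessage()
    msg["From"] = "voicemail-service@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "New voicemail message"
    msg.set_content("You missed a call. Open the attachment to listen to the message.")
    msg.add_attachment("<html><body>placeholder</body></html>", subtype="html",
                       filename="10-August-2019.wav.html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_string()


def build_benign_message() -> str:
    """Constructed ordinary message carrying only a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Agenda"
    msg.set_content("Agenda attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_benign_message()):
        print(gateway_verdict(raw))
```

The name patterns give a precise reason for analysts triaging the quarantine, while the extension rule is the durable control: renaming the lure defeats the regexes but not the policy that no .html or .htm attachment is delivered.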

Also, be sure to read our companion blog which details how you can stay safe from such phishing campaigns.

Indicators of Compromise

Email attachments with the following filenames:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice-DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

McAfee Detections

  • HTML/Phishing.g V2 DAT = 9349, V3 DAT = 3800
  • HTML/Phishing.av V2 DAT = 9371, V3 DAT = 3821
  • HTML/Phishing.aw V2 DAT = 9371, V3 DAT = 3821

The hashes of the attachments will not be provided as this would reveal information on the potential targets.

Domains (all blocked by McAfee WebAdvisor):

  • h**ps://aws.oficce.cloudns.asia/live/?email=
  • h**ps://katiorpea.com/?email=
  • h**ps://soiuurea.com/?email=
  • h**ps://afaheab.com/?email=
  • h**ps://aheahpincpea.com/?email=


The post Office 365 Users Targeted by Voicemail Scam Pages appeared first on McAfee Blogs.

A Cybersecurity Horror Story: October’s Creepiest Threats and How to Stay Secure https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/creepiest-threats/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/creepiest-threats/#respond Mon, 28 Oct 2019 18:10:37 +0000 https://securingtomorrow.mcafee.com/?p=97228


Halloween time is among us and ghosts and goblins aren’t the only things lurking in the shadows. This past month has brought a variety of spooky cyberthreats that haunt our networks and devices. From malicious malware to restricting ransomware, October has had its fair share of cyber-scares. Let’s take a look at what ghoulish threats have been leading to some tricks (and no treats) around the cybersphere this month.

Ghostcat Malware

One ghost that recently caused some hocus pocus across the Web is Ghostcat-3PC. According to SC Magazine, the malware’s goal is to hijack users’ mobile browsing sessions.

The infection begins when a user visits a particular website and is served a malicious advertisement. Ghostcat fingerprints the browser to collect device information and determines if the ad is running on a genuine webpage. Ghostcat also checks if the ad is running on an online publishers’ page that has been specifically targeted by this campaign. If these conditions are met, then the malware serves a malicious URL linked to the ad.

From there, this URL delivers obfuscated JavaScript, that is, code deliberately rewritten so that its source is hard to read. The attackers behind Ghostcat use this to trick the publishers’ ad blockers, preventing them from detecting malicious content. The code also checks for additional conditions necessary for the attack, like ensuring that the malware is being run on a mobile device and a mobile-specific browser, for example. If the malware concludes that the browsing environment fits the descriptions of their target, it will serve a fraudulent pop-up, leading the user to malicious content.

Bewitched WAV Files

Ghostcat isn’t the only way malware is being spread lately, as, according to ZDNet, attackers have manipulated WAV audio files to spread malware and cryptominers. By using a technique called steganography, malware authors can hide malicious code inside a file that appears normal, which allows hackers to bypass security software and firewalls.

Previously, cybercriminals have used steganography with image file formats like PNG or JPEG. However, these crooks have now upped the ante by using WAV audio files to hide different types of malware. Most recently, researchers found that this technique is used to hide DLLs, or dynamic link libraries that contain code and data that can be used by more than one program at the same time. If malware was already present on an infected host device, it would download and read the WAV file, extract the DLL, and install a cryptocurrency miner called XMRig. Cryptocurrency miners compile all transactions into blocks to solve complicated mathematical problems and compete with other miners for bitcoins. To do this, miners need a ton of computer resources. As a result, miners tend to drain the victim’s device of its computer processor’s resources, creating a real cybersecurity headache.

MedusaLocker Ransomware

Finally, we have the mysterious MedusaLocker ransomware. According to BleepingComputer, this threat is slithering its way onto users’ devices, encrypting files until the victim purchases a decryptor.

This strain will perform various startup routines to prep the victim’s device for encryption. Additionally, it will ensure that Windows networking is running and mapped network drives (shortcuts to a shared folder on a remote computer or server) are accessible. Then, it will shut down security programs, clear data duplicates so they can’t be used to restore files, remove backups made with Windows backup, and disable the Windows automatic startup repair.

For each folder that contains an encrypted file, MedusaLocker creates a ransom note with two email addresses to contact for payment. However, it is currently unknown how much the attackers are demanding for the victim to have their files released or if they actually provide a decryptor once they receive a payment.

With all of these threats attempting to haunt networks and devices, what can users do to help themselves have a safe and secure spooky season? Follow these tips to keep cybersecurity tricks at bay:

  • Watch what you click. Avoid clicking on unknown links or suspicious pop-ups, especially those coming from someone you don’t know.
  • Be selective about which sites you visit. Only use well-known and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site.
  • If your computer slows down, be cautious. One way you can identify a cryptojacking attack – poor performance. If your device is slow or acting strange, start investigating and see if your device may be infected with malware.
  • Surf the web safely. You can use a tool like McAfee WebAdvisor, which will flag any sites that may be malicious without your knowing.
  • Use a comprehensive security solution. To secure your device and help keep your system running smoothly and safely, use a program like McAfee Total Protection.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post A Cybersecurity Horror Story: October’s Creepiest Threats and How to Stay Secure appeared first on McAfee Blogs.

Did You Check Your Quarantine?! https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/did-you-check-your-quarantine/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/did-you-check-your-quarantine/#respond Mon, 28 Oct 2019 16:02:38 +0000 https://securingtomorrow.mcafee.com/?p=97203


The post Did You Check Your Quarantine?! appeared first on McAfee Blogs.


A cost-effective way to detect targeted attacks in your enterprise

While it is easy to get caught up in the many waves of new and exciting protection strategies, we have recently found an interesting approach to detecting a targeted attack and the actor(s) behind it. Quite surprisingly, a big part of the solution already exists in most enterprises: the tried-and-tested endpoint security platform. In this case we used our own McAfee Endpoint Security (ENS), together with GetQuarantine, a freeware tool from McAfee, and a third-party threat analytics service.

The Problem

We will begin with a working definition of a targeted attack:

A targeted attack is a threat in which a threat actor actively pursues and compromises a specific target. To achieve the goal, the adversary may adapt and improve their attack(s) to counter the victim’s defenses and persist at it for a long period of time.

What does this say? First, the adversary’s objective is to compromise a specific target, not just an arbitrary target. Second, the adversary is skilled enough to know how defenses work and is resourceful enough to actively adapt and improve their attack to beat defenses. Third, the adversary is determined enough to pursue the objective for perhaps an indefinite period of time.

Taken together, the above characteristics challenge most defense technologies. Why so? Because these characteristics run counter to the assumptions on which these technologies are based.

At the heart of it, most defense technologies are signature-based, where the signatures are created either by a human analyst, by a machine, or by using instances of known malicious behavior. The cost of constructing signatures is high and is amortized by using the same signature to defend against the same attack elsewhere.

Twenty years ago, when there were just a few thousand examples of malicious software around, it was relatively easy to find the origin, perpetrators, and the reason for the creation and release of a malicious file or application. Security researchers would manually analyze each sample, carefully identify similarities with previously known samples through sheer memory and label each sample with a unique name. This method worked well because the attacks then were opportunistic and aimed at spreading as wide as possible. This meant that anti-virus companies could discover an attack in one place, extract relevant detection signatures, and send the signature updates to its install base.

Now, security threat intelligence companies receive hundreds of thousands of new malware samples every day. There is simply not enough time or manpower to analyze each sample to answer who, what, when and why. The best any anti-virus engine can do at that volume is to sort a file into one of two bins: good or bad. Researchers cannot look at every sample by hand and process it in the detail they once did. To make matters worse, attacks today are targeted: attackers create one-off variants aimed at a specific enterprise, which makes it very hard to connect attacks across enterprises and build a picture of the attacker.

And therein lies an important problem. As the number and sophistication of attacks have grown exponentially, the goals of tracking who is behind an attack, linking different malware samples to each other and to their authors, and understanding the intent behind an attack have fallen by the wayside.

Why should it matter? In the absence of information about who is attempting to breach an organization, defenders are left operating in the dark. They make security decisions based on breaches that happen elsewhere using threat intelligence that is most often irrelevant, and when relevant, is most likely outdated.

The Solution

Analysis of targeted campaigns shows that the programs used in an attack usually share two characteristics. First, the malware or attack mechanism is focused on one enterprise or, at most, one sector. Second, the malware shows evolutionary traits: the actor repeatedly releases different variants of it. Our proposed solution builds on these characteristics and tries to uncover targeted campaigns by measuring semantic similarity between binaries found in customer environments and binaries from known targeted campaigns.

Our solution strategy is:

Endpoint-security detects a malware sample. It is compared with a sample from a known targeted attack. If the similarity is high, it is a strong indication that the ENS detected sample is a part of that targeted attack and the threat actor is the same.

The strategy is implemented in three building blocks: sample collector, sample storage and targeted attack analysis using third-party threat analytics application.

Sample Collector (GetQuarantine)

Sample collection is performed using GetQuarantine, McAfee proprietary licensed freeware. GetQuarantine is a McAfee ePolicy Orchestrator (ePO) deployable tool that can run on all endpoints protected by McAfee ENS, as an ePO scheduled product deployment task. ENS cleans or deletes items that it detects as threats and saves copies, in a non-executable format, to the Quarantine folder. On each scheduled run, GetQuarantine checks the Quarantine folder and uploads to the McAfee backend any items that were not already uploaded during a previous run.

Sample Storage (McAfee Workflow & AWS)

The McAfee workflow backend receives sample submissions from GetQuarantine and stores them in an S3 bucket. Samples are segregated per enterprise and made available for further analysis. Third-party analytics applications like MAGIC can be run on samples to extract targeted attack insights. Analytics services are available to McAfee customers participating in a third-party analytics program. For customers that do not participate in a third-party analytics program, sample processing ends at the McAfee backend layer and the sample eventually gets deleted without further analysis.

Targeted Attack Analysis

For our pilot implementation we used Cythereal MAGIC services. The McAfee backend submits samples to MAGIC for binary similarity analysis. Customers can check analysis reports using Cythereal website. Cythereal is McAfee’s Security Innovation Alliance (SIA) partner.

Cythereal MAGIC™ (malware genomic correlation) is a web service touted as “BinDiff on Steroids”. It carries out semantic similarity analysis of programs using advanced program analysis techniques at the assembly-instruction level. Program semantics give more meaningful insights than structural or behavioral characteristics alone. MAGIC can find similarity between samples submitted through GetQuarantine and can also find variants of those samples in MAGIC’s own database. It can raise alerts for campaign detections and generate YARA rules that can be used to search other services, such as VirusTotal.

We first tried human-driven in-house analysis using open source tools such as SSDEEP, SDHASH and TLSH to prove the concept of identifying targeted attacks through the binary similarity of samples found in quarantine. Though we succeeded in proving the concept with these tools, they were not very effective, especially against polymorphic variants, so we explored third-party options and identified Cythereal MAGIC™.
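The comparison step laid out under The Solution, and the limitation just noted, written out as an added example (not McAfee or Cythereal code): it scores each quarantined item against reference samples of a known campaign and links it when the score clears a threshold. It stands in for the fuzzy-hash tools with a plain byte 4-gram Jaccard score so that it runs with only the standard library, and the “samples” are constructed random blobs rather than real malware; the campaign name, threshold and item names are assumptions. The XOR-encoded variant shows why byte-level similarity fails on re-packed or re-encoded variants, which is the gap semantic similarity was brought in to fill.

```python
"""Link quarantined samples to a known campaign by binary similarity.

Added example, not McAfee's or Cythereal's code. Byte n-gram Jaccard stands
in for ssdeep/sdhash/TLSH; the samples are constructed, not real malware."""
import hashlib
import random

NGRAM = 4          # byte n-gram length
THRESHOLD = 0.80   # score at or above which a sample is linked to a campaign (assumed)


def ngrams(data: bytes, n: int = NGRAM) -> set:
    """Set of all byte n-grams; position-independent, so small patches cost little."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two n-gram sets: 0.0 (disjoint) to 1.0 (identical)."""
    ga, gb = ngrams(a), ngrams(b)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def exact_match(sample: bytes, references: list) -> bool:
    """What hash-based threat intelligence can do: exact SHA-256 equality only."""
    digest = hashlib.sha256(sample).hexdigest()
    return any(hashlib.sha256(r).hexdigest() == digest for r in references)


def link_quarantine(quarantine: dict, campaigns: dict, threshold: float = THRESHOLD) -> dict:
    """Score every quarantined item against every known-campaign sample.

    quarantine: {item_name: bytes}        (what GetQuarantine would have uploaded)
    campaigns:  {campaign: [bytes, ...]}  (reference samples of known targeted attacks)
    Returns {item_name: (campaign, best_score)} for items scoring >= threshold.
    """
    links = {}
    for name, blob in quarantine.items():
        best_campaign, best_score = None, 0.0
        for campaign, refs in campaigns.items():
            for ref in refs:
                score = similarity(blob, ref)
                if score > best_score:
                    best_campaign, best_score = campaign, score
        if best_campaign is not None and best_score >= threshold:
            links[name] = (best_campaign, round(best_score, 3))
    return links


def constructed_sample(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random blob standing in for a PE file (constructed, not real)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


# Constructed test data: one "known" campaign sample and three quarantined items.
KNOWN = constructed_sample(1)
PATCHED = KNOWN[:1000] + b"\x90" * 16 + KNOWN[1016:]   # variant: small in-place patch, new hash
XORED = bytes(b ^ 0x5A for b in KNOWN)                 # re-encoded variant: every byte differs
UNRELATED = constructed_sample(2)                      # noise from another family

if __name__ == "__main__":
    links = link_quarantine({"q1": PATCHED, "q2": XORED, "q3": UNRELATED},
                            {"campaign-A": [KNOWN]})
    print("exact hash match for q1:", exact_match(PATCHED, [KNOWN]))
    print("links:", links)
```

The patched variant has a brand-new hash, so hash-based intel misses it, yet it scores above 0.99 and is linked; the XOR-encoded copy of the very same code scores near zero, exactly the polymorphic case where byte-level tools gave up. Real quarantine items would first have to be restored to their original bytes, since ENS stores them in its own non-executable format.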

Architecture

Figure 1 shows the overall architecture of our system:

[Figure 1: McAfee ENS detects a suspicious sample by studying its behavior or other means and then moves the sample file to the quarantine folder. The scheduled execution of the GetQuarantine Tool configured in ePO as a scheduled task submits the sample to the McAfee backend. The third-party analytics app, periodically receives samples from McAfee backend for further analysis.]

Case Study

For a case study, we used samples from a McAfee discovered campaign, Oceansalt. We tested the solution’s ability to group samples using semantic similarity and also tested the solution’s ability to identify new variants of Oceansalt samples.

Illustration of the Solution’s Ability to Group Malware From Quarantine

McAfee Endpoint Security (ENS) detected two samples of Oceansalt (as listed in Table 1). GetQuarantine submitted these samples to the McAfee backend. Targeted attack analysis of these files showed a semantic similarity of 95.1%. The comparison of their control-flow graphs in Figure 2 justifies the high semantic similarity score.

[Table 1: Oceansalt samples reported by McAfee™ security operation center in June-July 2018.]

[Figure 2: Control-flow graph of Oceansalt samples from Table 1]

Illustration of the Solution’s Ability to Link New Variants From the Wild to a Known Targeted Attack

Finally, we come to the use case that motivated this study. Malware belonging to a targeted attack is usually identified by file hashes. Attackers, however, use polymorphism and other obfuscation to create new variants with new hashes. McAfee ENS may still block such a variant, but it will not link it to the original attack. Targeted attack analytics can fill this gap.

To test the solution’s ability to locate such targeted attacks, we uploaded an Oceansalt sample (MD5: 531DEE019792A089A4589C2CCE3DAC95 [VT]) to MAGIC and labelled it as a known targeted campaign. We then uploaded a large number (thousands) of malware samples via GetQuarantine. As expected, targeted attack analytics sent an alert that it had detected variants of Oceansalt (Figure 3).

[Figure 3: Alert about detecting an Oceansalt variant in the quarantine]

MAGIC’s alert was triggered because it found two Oceansalt variants from the wild which were not previously reported by the McAfee SOC or any other global threat intelligence.

[Table 2: Two new variants of Oceansalt samples found using semantic similarity]

Try Your Quarantine

We tested the GetQuarantine-based solution in our lab and found encouraging results. If you would like to try out this solution use the following steps, along with McAfee Endpoint Security (ENS):

  • Download the beta version of GetQuarantine, a proprietary licensed freeware.
  • Deploy it using the ePO ecosystem.
  • On successful sample submission to the McAfee backend, receive an acknowledgment email.

To obtain analysis results from the third-party analytics app, follow these steps:

  • Visit Cythereal MAGIC™.
  • The MAGIC dashboard contains plots with details about various ongoing campaigns.
  • Upon selecting a campaign in the plot, a table with all the associated malware is displayed where the customer can download samples and YARA rules.
  • Whenever MAGIC detects a targeted attack, it sends an alert email to the registered email address of the customer, along with additional threat intelligence, such as information on the threat group, third-party research on the group, and associated IoCs. Customers can also see the list of alerts on the MAGIC website.

Summary

As you can see from this exercise, traditional AV still has a lot to offer and can play an important role in an overall security strategy against targeted attacks. We can amplify the signals coming out of AV detections using tools like GetQuarantine and by running analytics on quarantine artifacts to uncover targeted attacks. This lets us take an incremental approach to the targeted attack problem.

7 Ways to Help Girls Pursue Their Passion for Tech https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/7-ways-to-help-girls-pursue-their-passion-for-tech/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/7-ways-to-help-girls-pursue-their-passion-for-tech/#respond Sat, 26 Oct 2019 14:00:19 +0000 https://securingtomorrow.mcafee.com/?p=97218


The post 7 Ways to Help Girls Pursue Their Passion for Tech appeared first on McAfee Blogs.


One of my favorite binges of late is the Netflix series Halt and Catch Fire. It’s a story about the personal computer revolution of the 1980s. The lead character, Cameron Howe, is a brilliant, self-assured young woman who runs circles around her, mostly male, co-workers, with her mad coding skills.

I remember being influenced by a similar female lead. It was Jane Craig (played by Holly Hunter) in the movie Broadcast News. As the credits rolled, I knew I wanted to be a journalist. Likewise, Cameron Howe (played by Mackenzie Davis) possesses just the right mix of courage and intellect required to spark the tech fire in girls today.

STEM and beyond

What better way to close out our National Cybersecurity Awareness Month (NCSAM) series than to encourage the next generation of cybersecurity superheroes to grow their STEM (Science, Technology, Engineering, Math) skills and consider a future in cybersecurity?

Cybersecurity is a rewarding career, boasting an average salary of $96,000, and yet few women pursue the field. According to The U.S. Department of Labor, employment opportunities for Information Security Analysts will grow by 28% between 2016 and 2026. It’s also predicted that 3.5 million jobs in cybersecurity will remain unfilled by 2021.

Why focus on girls? Because while the numbers are improving, in the tech field or otherwise, in 2019, women are still paid 80 cents for every dollar their male counterparts earn, and 93.4 percent of Fortune 500 CEOs are men.

If your daughter shows a talent for tech, here are a few ways to nurture that passion.

  1. Challenge stereotypes. Girls get steeped in pink from the moment they arrive in the delivery room. Experts argue that this “pinkification” is one factor distracting girls from pursuing tech. Consider the conscious and even unconscious ways you may be deterring your daughter from traditionally male subjects such as computers, engineering, robotics, or programming. Challenge perceptions such as the one a 2012 Girl Scouts study found: a common belief that girls are not high achievers in math and science. A study by the American Association of University Women found that high school girls and boys perform equally in those subjects.
  2. Expose her to the rock stars. Women like YouTube CEO Susan Wojcicki, Facebook’s Sheryl Sandberg, HP’s Meg Whitman, and Google coder Marissa Mayer are great role models for girls today. Also, choose media (check ratings before viewing to stay age-appropriate) with strong female leads who excel in tough career fields.
  3. Ask her. How many times do we make assumptions and skip this crucial step in parenting? Ask your daughter what camps appeal most to her, what activities she enjoys, what qualities she admires most in others, and what she dreams of achieving.
  4. Don’t overdo it. If your daughter has a natural ability in STEM subjects, don’t push too hard. She will find her path. Suggest adjacent activities to complement her strengths. Is she good at math? Encourage a musical instrument as a hobby. Good at science? Suggest cooking or gardening to complement her love for creative problem-solving. Integrate creative activities such as art, writing, or theatre.
  5. Seek out tech opportunities. Few kids will pursue experiences on their own, so consider giving them a nudge. Encourage age-appropriate camps, clubs, and activities that play to her strengths. The choices in quality camps — rocketry, science, coding, physics — are endless. Be your daughter’s tech companion. Take her to a women’s tech conference so she can begin to visualize her future and meet women who work in the field. Encourage an internship or even a job shadowing opportunity during high school or college, like this one that changed Gwendolyn’s career path.
  6. Model, teach resilience. The tech field tends to be a male-dominated culture of “brogrammers,” which can be intimidating for women. For this reason, your daughter may need to develop a tough skin and learn to push through obstacles with ease.
  7. Help her find her people. Organizations like Girls Go CyberStart, Girls Who Code, Code.org, and uscyberpatriot.org can be game-changers for a tech-minded girl and help grow her passion among peers.

Cybersecurity is one of the fastest-growing, in-demand professions out there. With the rise in security breaches of all kinds, it’s also a field experts say is “future proof.” If your daughter shows a desire to fight the bad guys and make her mark safeguarding the digital realm, then cybersecurity may be the best place for her to start blazing her trails.

McAfee Reveals the Most Dangerous Celebrities Across the Globe https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/global-most-dangerous-celebrities-2019/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/global-most-dangerous-celebrities-2019/#respond Fri, 25 Oct 2019 16:02:21 +0000 https://securingtomorrow.mcafee.com/?p=97200


The post McAfee Reveals the Most Dangerous Celebrities Across the Globe appeared first on McAfee Blogs.


Earlier this week, we revealed McAfee’s Most Dangerous Celebrity of 2019 in the U.S., Alexis Bledel. Growing from a young actress in “Gilmore Girls” to Ofglen in “A Handmaid’s Tale,” Bledel’s rising stardom helps to explain why she topped this year’s list. But, is that the case in other parts of the world as well? It’s time to take a trip around the globe and see which celebrities are considered risky in different regions.

In McAfee’s 13th annual study of the riskiest celebrities to search for online, the star at the top of each list varied from country to country. While Bledel sits at the top of the U.S. list, singer Camila Cabello is ranked No. 1 in Spain. In Germany, model and TV personality Heidi Klum and actress Emilia Clarke tied for the country’s riskiest celebrity. Caroline Flack, host of the reality dating show “Love Island,” came in at No. 1 in the U.K. In France, actor and producer Jamel Debbouze topped the country’s list. At the top of India’s tally is international cricketer M.S. Dhoni. And, finally, rounding out the list of the riskiest celebrities around the world are comedian, actor and TV host John Oliver in Australia and Malaysian actress Michelle Yeoh in Singapore.

Many users don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice users to click on dangerous links. And while this year’s list of riskiest celebrities might vary from country to country, cybercriminals’ use of trending celebrities and pop culture icons continues to be an avenue used to exploit users’ security. It’s for these reasons that users must understand the importance of taking precautions when it comes to searching for the latest news on their favorite celebrities.

So, whether you’re checking out what Alexis Bledel has been up to since “Gilmore Girls” or looking for the latest drama on “Love Island” with Caroline Flack, be a proactive fan and follow these security tips when browsing the internet:

  • Be careful what you click. Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.
  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.
  • Protect your online safety with a cybersecurity solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.
  • Use a website reputation tool. Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.
  • Use parental control software. Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Using Expert Rules in ENS to Prevent Malicious Exploits https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/#respond Fri, 25 Oct 2019 15:41:38 +0000 https://securingtomorrow.mcafee.com/?p=97184


The post Using Expert Rules in ENS to Prevent Malicious Exploits appeared first on McAfee Blogs.


Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3 and later. They provide additional parameters and much more flexibility than the custom rules that can be created in the Access Protection policy, and allow system administrators to control and monitor an endpoint at a very granular level. Expert Rules do not rely on user-mode hooking, so they have very little impact on system performance. This blog is a basic guide showing customers how to create them and which threats they can help block; links to the detailed reference material are in the conclusion.

How Expert Rules work

The following sections show how to add Expert Rules via ePO and directly on an ENS client.

Adding an Expert Rule from ePO

1. Select System Tree | Subgroup (e.g. ens_10.6.0) | Assigned Policies | Product (Endpoint Security Threat Prevention) | Exploit Prevention (My Default).

2. Navigate to Signatures and click Add Expert Rule.

3. In the Rules section, complete the fields.

a. Select the severity and action for the rule. The severity is informational only; it has no effect on the rule action.

b. Select the type of rule to create. The Rule content field is populated with the template for the selected type.

c. Change the template code to specify the behavior of the rule.

When you select a new class type, the code in the Rule content field is replaced with the corresponding template code. Endpoint Security assigns the ID number automatically, starting with 20000. Endpoint Security does not limit the number of Expert Rules you can create.

4. Save the rule, then save the settings.

5. Enforce the policy to a client system.

6. Validate the new Expert Rule on the client system.

Adding an Expert Rule directly at the Endpoint:

A rule added in ePO is pushed to every endpoint in the group the policy is assigned to. Sometimes a rule is needed on only one or two systems, or on ENS installations that are not managed by ePO at all (for example a standalone install outside a corporate environment); in those cases the rule must be added directly on the endpoint, through the McAfee Endpoint Security client UI. The steps are:

1. Open McAfee Endpoint Security. Go to Settings.

2. Go to Threat Prevention | Show Advanced.

3. Scroll Down to Expert Rule Section and then click on Add Expert Rule.

4. The expert rule compiler should pop up where an end user can directly write and compile expert rules and, upon compilation, enforce the rules to the system.

If the rule has no syntax errors it can be applied to the system by clicking the Enforce button. If there is a syntax error, the details are written to the log file %ProgramData%\McAfee\Endpoint Security\Logs\ExploitPrevention_Debug.log.

Testing the Rules

When new rules are created, they should first be tested in ‘Report’ mode so that the detections can be observed. When enough confidence in the rule has been gained, it can be turned to ‘Block’ mode.

Expert Rule Examples:

Basic Rule:

The following rule detects an instance of cmd.exe creating any file under c:\temp. Note that only the image name is specified, so the rule matches cmd.exe regardless of which user runs it or where on the system it is launched from.

Rule {
    Process {
        Include OBJECT_NAME { -v "cmd.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "c:\\temp\\**" }
            Include -access "CREATE"
        }
    }
}

Rules which target specific malicious behavior:

The following rules help block specific malicious activity performed by various malware families and attack techniques.

Expert Rule to Block Remote Process Injection [MITRE Technique Process Injection T1055]:

The rule matches any process that requests write access to a thread, the primitive that thread-hijacking and similar injection techniques rely on. The excluded processes (SYSTEM, WmiPrvSE, csrss, WerFault, services.exe and Chrome) need that access for legitimate reasons, and the excluded MemCompression target is the Windows memory-compression process.

Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
        Exclude OBJECT_NAME { -v "SYSTEM" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\WBEM\\WMIPRVSE.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\CSRSS.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\SERVICES.EXE" }
        Exclude OBJECT_NAME { -v "*\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
    }
    Target {
        Match THREAD {
            Include OBJECT_NAME { -v "**" }
            Exclude OBJECT_NAME { -v "**\\MEMCOMPRESSION" }
            Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
            Include -access "WRITE"
        }
    }
}

Expert Rule which prevents powershell.exe and powershell_ise.exe from dumping credentials by accessing lsass.exe memory [MITRE Technique Credential Dumping T1003]:

The access masks are the standard Windows process rights: the Include/Exclude pair distinguishes a request for PROCESS_VM_READ (0x10), which a credential dumper needs in order to read LSASS memory, from a plain PROCESS_QUERY_INFORMATION (0x400) request of the kind ordinary tooling makes just to enumerate the process.

Rule {
    Process {
        Include OBJECT_NAME { -v "powershell.exe" }
        Include OBJECT_NAME { -v "powershell_ise.exe" }
        Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "lsass.exe" }
            Include -nt_access "!0x10"
            Exclude -nt_access "!0x400"
        }
    }
}

Expert Rule which prevents creation of a suspicious scheduled task (one that runs a PowerShell script or batch file) with the SchTasks.exe utility [MITRE Technique Scheduled Task T1053]:

Rule {
    Process {
        Include OBJECT_NAME { -v "SchTasks.exe" }
        Include PROCESS_CMD_LINE { -v "*/Create*" }
    }
    Target {
        Match PROCESS {
            Include PROCESS_CMD_LINE { -v "**.bat**" }
        }
        Match PROCESS {
            Include PROCESS_CMD_LINE { -v "**.ps1**" }
        }
    }
}

Expert Rule to prevent Start Up Entry Creation [MITRE Technique Persistence T1060]:

Adversaries use several techniques to maintain persistence across reboots, and one of the most popular is dropping an entry in the Startup folder. The following rule prevents any process from creating or writing files in the current user’s Startup folder. Recently a full-fledged exploit of a decade-old WinRAR vulnerability in its ACE archive handling (CVE-2018-20251) appeared in the wild; it plants files in the Startup directory, and this rule blocks that attempt too. Note that the path matches only the per-user folder under AppData\Roaming; the all-users Startup folder under %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp needs a second OBJECT_NAME entry if you want it covered as well.

Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**" }
            Include -access "CREATE WRITE"
        }
    }
}

Expert Rule which blocks JavaScript execution within Adobe Reader:

Exploiting a client-side software vulnerability to gain an initial foothold in a network is not new [MITRE Technique T1203]. Adobe Reader is a popular target because, like a browser, it embeds a JavaScript engine, which makes exploitation much easier. Reader loads that engine from the EScript.api plug-in, so the following rule, which stops AcroRd32.exe from mapping EScript.api, prevents Reader from executing any JavaScript at all. It can be deployed in any network that does not depend on PDF scripting (some forms and workflows do).

Rule {
    Process {
        Include OBJECT_NAME { -v "AcroRd32.exe" }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "EScript.api" }
        }
    }
}

The table below shows how the above four Expert Rules line up in the Mitre Att&ck matrix.
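A way to exercise the rules above in Report mode, as an added example; this is not a McAfee tool, and the task name, file names and the c:\temp location are assumptions. It performs three of the rules’ trigger actions from the processes the rules name (cmd.exe creating a file under c:\temp, SchTasks.exe /Create naming a .ps1, powershell.exe opening lsass.exe), drops a harmless file in the per-user Startup folder, and then cleans up; the process-injection and Adobe Reader rules have no safe benign trigger and are left out. The lsass step assumes that .NET’s Process.Modules requests PROCESS_VM_READ (0x10) when PowerShell enumerates the modules of lsass.

```python
"""Exercise the example Expert Rules in Report mode, then clean up.

Added illustration, not a McAfee tool. Windows only; elsewhere it just lists
the actions it would take. Task name and file paths are assumptions."""
import os
import platform
import subprocess
from pathlib import Path

TASK_NAME = "ENS_ExpertRule_ReportModeTest"   # assumed; any unused task name works
TEMP_DIR = Path(r"C:\temp")                   # the directory the Basic Rule watches
TEMP_FILE = TEMP_DIR / "ens_rule_test.txt"
FAKE_SCRIPT = TEMP_DIR / "ens_rule_test.ps1"  # never created, only named on a command line


def startup_folder() -> Path:
    """Per-user Startup folder: the path the Start Up Entry rule matches."""
    appdata = os.environ.get("APPDATA", r"C:\Users\testuser\AppData\Roaming")  # fallback off Windows
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def trigger_commands() -> dict:
    """One command line per rule; each should produce exactly one detection."""
    return {
        # Basic Rule: cmd.exe creates a file under c:\temp (the redirection creates it)
        "cmd_file_create": ["cmd.exe", "/c", f"echo test > {TEMP_FILE}"],
        # Scheduled Task rule: SchTasks.exe /Create with a .ps1 on the command line
        "schtasks_ps1": ["schtasks.exe", "/Create", "/F", "/TN", TASK_NAME,
                         "/TR", f"powershell.exe -File {FAKE_SCRIPT}",
                         "/SC", "ONCE", "/ST", "23:59"],
        # Credential Dumping rule: powershell.exe opens lsass.exe. Assumption:
        # .NET's Process.Modules requests PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
        "powershell_lsass": ["powershell.exe", "-NoProfile", "-Command",
                             "(Get-Process lsass).Modules.Count"],
    }


def cleanup_commands() -> list:
    """Undo the scheduled-task trigger."""
    return [["schtasks.exe", "/Delete", "/F", "/TN", TASK_NAME]]


def run_report_mode_test(dry_run: bool = platform.system() != "Windows") -> list:
    """Run every trigger, drop a file in the Startup folder, undo it all; return the actions."""
    actions = list(trigger_commands()) + ["startup_file_create"]
    if dry_run:
        return actions
    TEMP_DIR.mkdir(exist_ok=True)
    for cmd in trigger_commands().values():
        # With the rules switched to Block these fail; that failure is the confirmation you want.
        subprocess.run(cmd, check=False, capture_output=True)
    marker = startup_folder() / "ens_rule_test.txt"
    marker.write_text("expert rule test")      # Start Up Entry rule: CREATE WRITE under Startup
    for cmd in cleanup_commands():
        subprocess.run(cmd, check=False, capture_output=True)
    for path in (marker, TEMP_FILE):
        if path.exists():
            path.unlink()
    return actions


if __name__ == "__main__":
    for action in run_report_mode_test():
        print("triggered:", action)
```

Run it on a test endpoint with the rules in Report mode and expect one event per action in the ENS client’s Event Log (or ePO’s Threat Event Log); compile errors, if any, land in the ExploitPrevention log path named earlier. Once the rules are switched to Block, the same commands should fail, which is the check worth doing before rolling the rules out more widely.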

Conclusion

There are many more rules which can be created within Exploit Prevention (part of McAfee’s ENS Threat Prevention) and they can be customized depending on the customer’s environment and requirements. For example, the Expert Rule which blocks JavaScript Execution within Adobe Reader will be of no use if an organization does not use “Adobe Reader” software. To fully utilize this feature, we recommend our customers read the following guides:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/ens_1053_rg_ExpertRules_0-00_en-us.pdf

https://kc.mcafee.com/corporate/index?page=content&id=KB89677

Disclaimer: The expert rules used here as examples can cause a significant number of false positives in some environments, hence we recommend applying those rules only in an environment where better visibility of the above (or similar) events at a granular level is required.

Acknowledgement:

The author would like to thank the following colleagues for their help and input in authoring this blog.

  • Oliver Devane
  • Abhishek Karnik
  • Cedric Cochin

The post Using Expert Rules in ENS to Prevent Malicious Exploits appeared first on McAfee Blogs.

It’s About Time: Cybersecurity Insights, Visibility, and Prioritization https://securingtomorrow.mcafee.com/blogs/enterprise/its-about-time-cybersecurity-insights-visibility-and-prioritization/ https://securingtomorrow.mcafee.com/blogs/enterprise/its-about-time-cybersecurity-insights-visibility-and-prioritization/#respond Thu, 24 Oct 2019 20:23:23 +0000 https://securingtomorrow.mcafee.com/?p=97164


As McAfee Chief Executive Officer Chris Young said in his 2019 MPOWER Cybersecurity Summit keynote address, time is the most valuable resource that we all share. But time isn’t always on our side – especially when it comes to cybersecurity.

“Time is the one constant that we cannot change. It’s the one constraint that we cannot ignore. Every second counts,” Young said. “… Our adversaries are using time to their advantage. It’s the single greatest weapon they have. It’s taken over the language of our industry. Persistence. Dwell time. Used to describe the time the work that our adversaries do as they run up the clock until they try to exfiltrate our most sensitive information. Versus ransomware, which applies time pressure to run down the clock. If you don’t pay the ransom you’ll lose your data forever. Zero-day attacks. Mean time to detect. Mean time to respond. These are just a few of the many, many examples of the way time is woven into the fabric of our industry.”

Time is a major challenge for organizations attempting to keep pace with cyber threats that are rapidly increasing in volume and complexity. Elevated efficiency is cybersecurity’s counterpunch against agile and elusive adversaries weaponizing time. Organizations that constantly find themselves in reactive mode struggle to maintain staff efficiency—but time and resources can be saved by using improved visibility and prioritization to get ahead of the threat curve.

The findings of an ESG paper commissioned by McAfee concurred: “Organizations want more visibility into cyber-risks so they can tailor and prioritize their threat response and risk remediation actions in alignment with threats that may hit them,” said Jon Oltsik, ESG fellow. “Many firms want to be more proactive but do not have the resources and talent to execute.”

Better cybersecurity intelligence and insights can enable organizations to assume a more proactive cybersecurity program without dramatically upgrading resources and talent.

Better Visibility Through Next Generation Open Architecture

Modern adversaries are using next-generation tools, tactics and techniques to evade traditional reactive security systems. The next generation of open cyberthreat identification, investigation, and response capabilities paired with human and artificial intelligence can enable organizations to answer key questions about how to respond to threats. Open architecture can enable security teams to add their own expertise and analytics, empowering insight into the high-impact threats that matter. Security analysts will need the right technology to do the analysis, a combination of human expertise and the most advanced artificial intelligence and machine-learning capabilities that provide insight as to which actions to take.

The diversity of the raw materials an organization uses matters. If you only have one type of sensor, such as endpoint, you’re limited in what you can see. Gaining insight requires the ability to look at a wide range of capabilities from traditional on-premise environments to the cloud. Sensors should cover on-premise, perimeter, network, endpoint, and cloud environments. From the data gathered by these sensors, security teams can then extract context, detecting the characteristics, structure, and behavior of suspicious activity. Efficiencies are empowered through diverse telemetry at scale.

Prioritization: Decoding the DNA of Cyber Threats

“We and the rest of the cybersecurity industry have to move beyond the hash,“ said Steve Grobman, senior vice president and chief technology officer. “Features are a lot like markers in DNA and biology. By understanding the markers and characteristics, we can understand the structure, the behavior. We can understand what a threat is even if we’ve never seen it before. We can basically see the characteristics of a threat we’ve never seen before and have a very good understanding of what it actually is.”

Most security teams are constrained by the available data and traditional indicators of compromise such as hashes and IP addresses. An open architecture consisting of a variety of sensors provides the capability to gather more and richer information on a threat’s DNA.

The goal goes beyond a simple patch or remedy. It’s about being better able to understand the unknown through improved data and intelligence. To enhance efficiency in dealing with the things that matter. The threats that are inherently difficult to detect. The threats that are engineered to target you.

By gaining this understanding, you’ll be more able to answer strategic questions such as:

  • Am I protected from this threat?
  • What do I need on my platform in order to defend against this threat?
  • What is the technology?
  • What is the content?
  • What is the configuration I need to defend myself?
  • Was I protected when this threat impacted my environment on that very first day or the day that threat emerged?
  • What did I need to have zero-day protection?
  • Did I have the right real-protect model?

Intelligence that helps answer these questions can provide insight into not only how a threat fared against one organization’s security but how a security plan can proactively prepare for next-generation threats.

Anticipating Next-Generation Threats

Understanding threats is not just about protection but also anticipation, both of threats in your environment and on a global scale. Improved insights can leave organizations with a complete view of how a threat is impacting their environment.

Decoding the DNA of threats through an expanded variety of sensors can help organizations recognize and anticipate the next generation of threats:

  • Using a machine-learning algorithm that recognizes potentially malicious activity, extracts its characteristics and recognizes its similarities to threats we’ve seen before.
  • Finding outliers, that is, things that have uncommon characteristics.
  • Finding things that appear to be engineered for things in your environment. The fact that this appears only in your environment and has characteristics that look really different from anything we’ve ever seen before tells us you need to pop this to the top of your stack of investigation priorities, because it could be targeting you.
  • Identifying targeted attacks by mapping threats tied to specific industrial sectors and being able to cluster the highest level of intensity by sector.
  • Separating the noise from the signal.
  • Triaging the priority and raising the urgency on threats critical to your organization.

Gaining cybersecurity efficiency via visibility and prioritization isn’t only about gathering richer data. It’s also about having the right technology to do the analysis. It’s not just about being able to identify the things that matter, it’s about being able to take action with your current security staff. It’s about saving time against an adversary using time as a weapon.

Read more on how the McAfee MVISION Insights platform’s integration into the McAfee architecture provides better intelligence capable of empowering better insights.

The post It’s About Time: Cybersecurity Insights, Visibility, and Prioritization appeared first on McAfee Blogs.

TLS 1.3 and McAfee Web Gateway https://securingtomorrow.mcafee.com/blogs/enterprise/tls-1-3-and-mcafee-web-gateway/ https://securingtomorrow.mcafee.com/blogs/enterprise/tls-1-3-and-mcafee-web-gateway/#respond Wed, 23 Oct 2019 14:00:08 +0000 https://securingtomorrow.mcafee.com/?p=97159


With the introduction of TLS 1.3 in 2018, IETF’s goal was (and is) to make the Internet a safer and more secure place.

Legacy technologies such as the RSA key exchange have now been phased out. Replacing them is the much safer Diffie-Hellman key exchange. There are two main benefits to this method: not only is perfect forward secrecy achieved, but decryption after the fact is no longer possible, since the session key cannot be recomputed later. The use of elliptic-curve ciphers brings greater efficiency: the same strength can be reached with a smaller key, so the encryption uses fewer resources.

To support a safer Internet, adoption of TLS 1.3 is key. TLS 1.3 offers better security posture than its previous versions.

It is important that a web gateway supports TLS 1.3 to ensure a secure connection. McAfee Web Gateway version 8.2.0 supports TLS 1.3 in a bi-directional fashion. This helps organizations ensure that the connection from the internal client side has the same level of security as the connection on the outbound side (towards the server).

In the reverse proxy scenario, McAfee Web Gateway with TLS 1.3 helps secure Internet traffic for cloud infrastructures such as Azure and AWS, even when they don’t support TLS 1.3 themselves.

The timely adoption of TLS 1.3, as previously seen with HTTP/2, will enable customers to act at the speed of cloud and make cloud usage as safe and secure as possible. To find out more, please view this whitepaper.

The post TLS 1.3 and McAfee Web Gateway appeared first on McAfee Blogs.

Could a Streaming Device Help Hackers Hijack Your TV? https://securingtomorrow.mcafee.com/blogs/consumer/hackable/could-a-streaming-device-help-hackers-hijack-your-tv/ https://securingtomorrow.mcafee.com/blogs/consumer/hackable/could-a-streaming-device-help-hackers-hijack-your-tv/#respond Tue, 22 Oct 2019 17:43:36 +0000 https://securingtomorrow.mcafee.com/?p=97154


Streaming devices make dumb TVs smart and smart TVs, well, smarter. But as loyal “Hackable?” listeners know, the smarter something is, the more likely it is that it can be hacked. So does that mean that a hacker can interrupt your binge-watching? Or do something worse?

On the latest “Hackable?” Geoff sets up his smart TV and streaming devices in the studio and learns just how much damage hacker Craig Young can do from thousands of miles away. Listen and find out how surprisingly vulnerable smart TVs and streaming devices are!
Listen now to the award-winning podcast “Hackable?”.

 

The post Could a Streaming Device Help Hackers Hijack Your TV? appeared first on McAfee Blogs.

Increasing Value with Security Integration https://securingtomorrow.mcafee.com/blogs/enterprise/increasing-value-with-security-integration/ https://securingtomorrow.mcafee.com/blogs/enterprise/increasing-value-with-security-integration/#respond Tue, 22 Oct 2019 15:00:35 +0000 https://securingtomorrow.mcafee.com/?p=97140


What would your security team do with an extra 62 days?

According to a recent study by IDC, that’s the amount of time the average-sized security team can expect to regain by addressing a lack of security management integration. With just 12 percent of respondents currently using an end-to-end management suite—and with 14 percent completely reliant on ad hoc “solutions”—there’s plenty of room for improvement.

The study, “Security Integration and Automation: The Keys to Unlocking Security Value,” found that businesses who addressed lack of integration saw three main business benefits: Efficiency, Cost Reduction and Improved Staff Retention. If your business chose to do the same, which goal would your team spend its 62 days working toward?

Increasing Efficiency

When asked what concerns limited their ability to improve IT security capabilities, 44% reported security was too busy with routine operations, and 37 percent cited high levels of demand for new business services.

If these teams had an extra 62 days, it could afford them the free time needed to improve their security posture—and one place that a lot of companies currently fall short is in the cloud, where a majority of new business services live.

According to IDC, enterprises are expected to spend $1.7 trillion on digital transformation by the end of this year. And our 2019 Cloud Adoption and Risk Report found that 83% of respondents worldwide stored sensitive data in the cloud. The number of files in the cloud that are eventually shared has risen to nearly half, but unfortunately, there isn’t always a lot of visibility or control over where that data winds up. 14% of those files go to personal email addresses, removing them from the oversight of corporate cybersecurity. Even worse, another 12% of the files shared are accessible to “anyone with a link.”

These numbers are only rising—over the past two years, they’ve gone up 12% and 23% respectively. A recent report by Gartner puts a fine point on it: “Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data”—a figure which could risk your company’s compliance status, reputation, or even overall well-being. Clearly, any portion of that 62 days dedicated to preventing such data loss would be time well spent.

Decreasing Costs

According to a Cybersecurity Ventures report, there will be an estimated 3.5 million unfilled cybersecurity jobs by 2021. Odds are, your own cybersecurity team is feeling this crunch. In our “Hacking the Skills Shortage” report, we found that businesses are having to respond to in-house talent shortages by expanding their outsourcing of cybersecurity.

More than 60% of survey respondents work at organizations that outsource at least some cybersecurity work. With an extra 62 days a year, some of these capabilities could be brought back in-house, which would help meet cost-cutting goals or free up resources that could be reallocated elsewhere. For a team struggling to meet demands that outpace its current bandwidth, having these 62 days would be like receiving an extra 9.5 man-hours of work a week. This “free” higher production reduces your company’s labor cost—and could make a substantial difference during cybersecurity labor shortages, when extra manpower can be basically unavailable at any price.

Employee Retention

What else could your team do with 62 extra days a year? Nothing at all.

More specifically, this time could be allocated across your team as a way to ease burnout, incentivize hard work, and help increase retention.

According to our “Winning the Game” report, only 35% of survey respondents say they’re “extremely satisfied” in their current cybersecurity job, and a full 89% would consider leaving their roles if offered the right type of incentive.

What are the “right types of incentives?” 32% said that shorter/flexible hours would make them consider leaving. Another 28% said lower workload would lure them away, and an additional 18 percent said an easier, more predictable workload could make them switch.

Assuming an average security staff of between 5 and 6 team members, 62 days would allow you to give each employee several extra days off a year. Alternately, by distributing existing workload through this allotted time, your team could work at a pace other than “breakneck.”

While the extra time you’d gain could certainly allow for less work, it could also allow for more interesting work. In the same survey, 30% of employees mentioned that an opportunity to work with exciting technologies like AI/automation could lead them to consider working elsewhere. If your team falls into this camp, an extra 62 days could allow the time necessary to explore these options (which, in turn, could have business benefits of their own).

Once these benefits are realized, what are the ultimate outcomes expected to be? According to IDC, 36% said faster response times, 35% said more effective response, and 29% said better threat intel sharing. Given these findings, it’s no wonder that the share of end-to-end suite users who feel their security is ahead of their peers outnumber their ad-hoc equivalents 4:1. Where does your business stand?

To read the full “Security Integration and Automation: The Keys to Unlocking Security Value” study, click here.

The post Increasing Value with Security Integration appeared first on McAfee Blogs.

How Googling Our Favourite Celebrities Is A Risky Business https://securingtomorrow.mcafee.com/blogs/consumer/how-googling-our-favourite-celebrities-is-a-risky-business/ https://securingtomorrow.mcafee.com/blogs/consumer/how-googling-our-favourite-celebrities-is-a-risky-business/#respond Tue, 22 Oct 2019 05:17:18 +0000 https://securingtomorrow.mcafee.com/?p=97148


Did you know that searching for your favourite celebrities online may very well increase your chance of running into trouble?

For the thirteenth year running, McAfee has put together its Most Dangerous Celebrities List which includes the celebrities who generate the riskiest search results that could potentially expose their fans to malicious websites and viruses. And, as usual, Aussies feature!!

Who Are the Riskiest Aussie Celebrities?

After a tumultuous year in and out of love, Liam Hemsworth – Aussie actor and ex-husband of popstar Miley Cyrus – has taken out top honours as the most dangerous Australian born celebrity coming in at 19th place on the list. Rose Byrne, Cate Blanchett and Kylie Minogue also feature on the list coming in at 37th, 41st and 52nd place respectively.

Talk Show Hosts Top the List

While previous years have seen reality TV stars, such as the Kardashians, top the list, in 2019 it’s all about talk show hosts. In fact, there are 4 talk show hosts in the top 10. John Oliver takes out 1st place, followed by James Corden in 4th place, Jimmy Kimmel in 6th place and Jimmy Fallon in 10th place.

Whether it’s their karaoke singing or their viral views on politics, our fascination with charismatic talk show hosts is clearly very strong. McAfee’s research also shows that the names of these 4 hosts are strongly associated with the search term ‘torrent’. This indicates people may be trying to avoid paying expensive subscriptions to view these cult shows and are pursuing free yet riskier alternatives.

Singers Are Also Proving Risky!

English singer Dua Lipa came in at No. 2 on the list, followed by Scottish singer/DJ Calvin Harris in 5th place and teen favourite Billie Eilish at No. 7. Our quest for immediate or free content about our favourite singers could mean that we visit sites purposefully designed by cybercriminals to extract our personal information or, even better for them, our credit card details!

And then there’s Game of Thrones

The world’s love affair with Game of Thrones saw Emilia Clarke take out the 9th spot in this year’s list of risky celebs to search for online. Clarke, who played Daenerys Targaryen in the HBO fantasy series, was joined by Hollywood royalty Morgan Freeman in the top 10 list.

Cybercriminals Capitalise on Our Love for Celebrities

Our love of ‘all things celebrity’ has clearly not escaped the attention of cybercriminals, with many spending a lot of time and energy creating malicious websites designed to trick consumers into visiting. Whether it’s the promise of a ‘sneak-peek’ of the latest Star Wars movie, or free access to full episodes of a favourite American talk show, consumers will often drop their guard in favour of speed or convenience and quickly enter their personal details to gain access to a site without thinking about the consequences.

How to Avoid Getting Stung!

The good news is that you don’t need to give up your obsession with your favourite celebrity to stay safe online. Instead, develop some patience and trust your gut. Here are my top tips to help you stay ahead of the cybercriminals:

  1. Be Careful What You Click

Only stream and download movies and TV shows from reliable sources. While it may feel boring, the safest thing to do is wait for the official release of a movie instead of visiting a 3rd party site that could contain malware.

  2. Avoid Using Illegal Streaming Sites – No Exceptions!

Many illegal streaming sites are riddled with malware or adware disguised as pirated videos. Do yourself a favour and stream the show from a reputable source.

  3. Use a Web Reputation Tool

A web reputation tool such as McAfee’s freely available WebAdvisor will alert users if they are about to visit a malicious website. Very handy!

  4. Consider Parental Control Software

Kids love celebrities too! Ensure you set limits on device usage with your kids and use parental control software to help minimise exposure to potentially malicious or inappropriate websites.

But if you aren’t convinced your kids are going to take your advice on board then why not invest in some comprehensive security software like McAfee’s Total Protection for the whole family? This Rolls Royce cybersecurity software will protect you (and your kids) against malware and phishing attacks. A complete no-brainer!!

Alex xx

 

The post How Googling Our Favourite Celebrities Is A Risky Business appeared first on McAfee Blogs.

“Gilmore Girls” Actress Alexis Bledel Is McAfee’s Most Dangerous Celebrity 2019 https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/most-dangerous-celebrities-2019/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/most-dangerous-celebrities-2019/#respond Tue, 22 Oct 2019 04:01:30 +0000 https://securingtomorrow.mcafee.com/?p=97052


You probably know Alexis Bledel from her role as the innocent bookworm Rory Gilmore in network television’s “Gilmore Girls” or as shy, quiet Lena Kaligaris in the “Sisterhood of the Travelling Pants” movies. But her most recent role as Ofglen in Hulu’s acclaimed “The Handmaid’s Tale” took a bit of a darker turn. And while Bledel made this dramatic on-screen transition, her rising stardom has in turn made her a prime target for malicious search results online, leading to her coming in at the top of McAfee’s 2019 Most Dangerous Celebrities list.

For the thirteenth year in a row, McAfee researched famous individuals to reveal the riskiest celebrity to search for online or whose search results could expose fans to malicious content. Bledel is joined in the top ten most dangerous celebrities by fellow actresses Sophie Turner (No. 3), Anna Kendrick (No. 4), Lupita Nyong’o (No. 5), and Tessa Thompson (No. 10). Also included in the top ten list are late night talk show hosts James Corden (No. 2) and Jimmy Fallon (No. 6). Rounding out the rest of the top ten are martial arts master Jackie Chan (No. 7) and rap artists Lil Wayne (No. 8) and Nicki Minaj (No. 9).

Many users don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice users to click on dangerous links. This year’s study emphasizes that today’s streaming culture doesn’t exactly protect users from cybercriminals. For example, Alexis Bledel and Sophie Turner are strongly associated with searches including the term “torrent,” indicating that many fans of “The Handmaid’s Tale” and “Game of Thrones” have been pursuing free options to avoid subscription fees. However, users must understand that torrent or pirated downloads can open them up to an abundance of cyberthreats.

So, whether you’re checking out what Alexis Bledel has been up to since “Gilmore Girls” or searching for the latest production of James Corden’s “Crosswalk the Musical,” be a proactive fan and follow these security tips when browsing the internet:

  • Be careful what you click. Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.
  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.
  • Protect your online safety with a cybersecurity solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.
  • Use a website reputation tool. Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.
  • Use parental control software. Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post “Gilmore Girls” Actress Alexis Bledel Is McAfee’s Most Dangerous Celebrity 2019 appeared first on McAfee Blogs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/#respond Mon, 21 Oct 2019 04:01:24 +0000 https://securingtomorrow.mcafee.com/?p=96926


Episode 4: Crescendo

This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019.

In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate groups spreading Sodinokibi ransomware.

Since May we have observed several different modus operandi by different affiliates, for example:

  • Distributing the ransomware using spear-phishing and weaponized documents
  • Bat-files downloading payloads from Pastebin and injecting them into a process on the operating system
  • Compromising RDP and usage of script files and password cracking tools to distribute over the victim’s network
  • Compromise of Managed Service Providers and usage of their distribution software to spread the ransomware

To understand more about how this enemy operates, we in McAfee Advanced Threat Research (ATR) decided to operate a global network of honeypots. We were aware of the lively underground trade market of RDP credentials and were curious about what someone would do with a compromised machine. Would they distribute the Sodinokibi ransomware? Would they execute the DejaBlue or BlueKeep exploits? Our specially designed and built RDP honeypots would give us those insights.

Like Moths to a Flame

From June until September 2019, we observed several groups compromise our honeypots and conduct activities related to Sodinokibi; we were able to fully monitor the attackers and their actions without their knowledge.

It is important to note the golden rule we operated under: the moment criminal actions were prepared or about to be executed, the actor was disconnected and the machine was restored to its original state with a new IP address.

We noticed that some of our RDP honeypots were attacked by Persian-speaking actors who were actively harvesting credentials. Our analysis of these attacks led us to various Persian-language underground channels offering the same tools we observed in Sodinokibi intrusions. Some of these tools are closed-source and custom-made and, in our analysis, originate from within those channels.

In this blog we will highlight a few of the intrusions we observed.

Group 1 – Unknown Affiliate ID

McAfee ATR observed initial activity against our South American honeypot beginning in late May 2019. We had full visibility as the actor loaded a number of tools, including Sodinokibi, during the initial intrusion period.

A ransom note (uax291-readme.txt) was dropped onto the system on June 10th, 2019. The actor used Masscan and NLBrute to scan for and target other assets over RDP, which fits the behavior we have seen in all other Sodinokibi intrusions tracked by McAfee ATR. The actor then created a user account 'backup' and proceeded to connect consistently from an IP address range in Belgrade, Serbia.

Group 2 – Affiliate ID 34

Campaign 295 (based on the sub-ID in the malware configuration)

The following Sodinokibi variant appeared in our South American honeypot with the original file name H.a.n.n.a.exe:

  • 58C390FE5845E2BB88D1D22610B0CA61 (June 8th, 2019)

Extracting the configuration from the ransomware sample, as we did during our affiliate research, gives affiliate ID 34.

Upon initial intrusion, the actor created several user accounts on the target system between June 10th and June 11th. Sodinokibi and the credential-harvesting tool Mimikatz were executed under the user account "ibm", which the actor created as part of the entry into the system.

Further information revealed that the actor was connecting from two IP addresses, in Poland and Finland, via the 'ibm' account. These logins occurred within a 24-hour period between July 10th and 11th, from two machines named WIN-S5N2M6EGS5J and TS11. The machine name WIN-S5N2M6EGS5J was also used by another actor who created the account "asp" and connected from the same Polish IP address.

The actor deployed a variant of the Mimikatz credential harvester during the intrusion, driven by a custom BAT file (shown in the original post as an image).

We have seen consistent use of custom wrapper files like this to drive hacking tools that are shared among the underground communities.

Another tool, Everything.exe, was also executed during the same period. It indexes the entire file system, giving the actor a picture of what was on the target. The tool is not malicious in itself and was developed by a legitimate company, but it can be used for profiling. The use of reconnaissance tools to profile the machine is interesting, as it suggests the actor was preparing manual lateral movement from the target system.

July 20th to 30th Intrusion

Activity observed during this period used tools similar to those in other intrusions we have observed across multiple regions, including those by Affiliate ID 34.

In this activity McAfee ATR identified NLBrute being executed again to target victims over RDP, a pattern we have seen over and over in intrusions involving Sodinokibi. A series of logins from Iran was observed between July 25th and July 30th, 2019.

We have also seen cryptocurrency-mining applications deployed in most of the intrusions involving Sodinokibi, which may point to an interesting side activity for these groups. In this incident we discovered a MinerGate configuration file containing a Gmail address.

Using Open-Source Intelligence (OSINT) techniques, we identified an individual most likely tied to the discovered Gmail address. Based on our analysis, this individual is likely part of a Persian-speaking credential-cracking crew harvesting RDP credentials and other data. The individual shares Masscan and Kport-scan results for specific countries that can be used for brute-force operations.

Figure: Actor profile

Further, we observed this actor on a Telegram channel discussing operations that align with the behavior we saw during intrusions on our honeypots. The data shared appears to be results from tools such as Masscan or Kport-scan that would be used to compromise further assets.

Figure: Discussion of scanning, in Farsi, on a private channel

Other tools executed on the same day as the documented activity include:

  • Mimikatz, executed manually from the command line with the following parameters:

    mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"

  • Slayer Leecher
  • MinerGate

Group 3 – Affiliate ID 19

We observed the following Sodinokibi ransomware variants, attributed to this affiliate, appearing in our honeypot in the Middle East. The attacker downloaded a file, ابزار کرک.zip ("cracking tool"), which is mostly found on Farsi-language private channels. The tool is advertised on those underground channels as a VPS Checker, but is really an RDP cracker.

Campaign 36

Activity from June 3rd to 26th indicates that the attacker present on the system was conducting operations involving the Sodinokibi ransomware. Linking this activity back, we observed one notable tool the actor used during the operation.

'Hidden-User.bat' was designed to create hidden user accounts on the target system. The tool links back to distribution on Farsi-speaking private channels.

The file being shared is identical to the one we found in active use in Sodinokibi cases at different times in June 2019 and in different cities in the Middle East. We found the following Farsi-speaking users sharing and discussing this tool specifically (Cryptor007 and MR Amir), along with others active in these groups. McAfee ATR observed the tool being used on June 13th, 2019 and June 26th, 2019 by the same actors in different regions.

Figure: Hidden-User.bat, and a posted image of the tool in use

In our observations, these Sodinokibi variants appeared only in Israel:

  • 009666D97065E97FFDE7B1584DB802EB (June 3rd, 2019)
  • 3746F1823A47B4AA4B520264D1CF4606 (June 11th, 2019)

We observed the actor dropping one of the above-mentioned variants of Sodinokibi. In this case the login came from an IP address in Iran and from a machine whose hostname was a female Persian name.

The attackers connecting are most likely Farsi-speaking, as is evident from the browsing history uncovered by McAfee ATR, which shows where a number of the tools originated: Farsi-language file-sharing sites, such as Picofile.com and Soft98.ir, that host malicious tools such as NLBrute.

Figure: Farsi-language site found in browsing history

We observed the actor attempting an RDP brute-force attack using NLBrute downloaded from the Iranian site Picofile.com. The targets were several network blocks in Oman and the United Arab Emirates.

In our analysis we discovered an offer, posted in Farsi on August 19th, to install ransomware on servers. This posting date corresponds with the timing of attacks observed in the Middle East. The services mentioned specifically target servers obtained through RDP credential-theft campaigns. According to actor chatter, it is possible that these actors come in after the fact and install ransomware on behalf of the main organizer. One specific Farsi-language message advertises these services for a list of countries in which they could install ransomware for a potential client.

Figure: Farsi-language message from a Persian-language channel

Tools and Methods of Group 1

The operators responsible for intrusions involving Sodinokibi variants with an unknown affiliate ID use the following methods:

  • Initial intrusion over RDP
  • Masscan to identify potential victims
  • NLBrute with custom password lists

Tools and Methods of Group 2

The operators responsible for intrusions involving Sodinokibi variants with affiliate ID (PID) 34 use the following methods:

  • Intrusion over RDP
  • Manual execution of the subsequent stages of the operation
  • Deployment of Sodinokibi
  • Deployment of Mimikatz
  • Cryptocurrency mining
  • Deployment of other brute-force and checker tools
  • Mass port scans and other reconnaissance to identify potential targets
  • NLBrute with custom password lists
  • Some of the operators appear to write in Farsi and connect to observed targets from Iranian IP address space

Tools and Methods of Group 3

The operators responsible for intrusions involving Sodinokibi variants with affiliate ID (PID) 19 use the following methods:

  • Intrusion over RDP
  • Manual execution of the subsequent stages of the operation
  • Likely a cracking crew working on behalf of an affiliate
  • Deployment of Sodinokibi
  • Custom scripts to erase logs and create hidden users
  • Use of Neshta to scan internal network shares within an organization in an effort to spread Sodinokibi
  • Mass port scans and other reconnaissance to identify potential targets
  • Limited use of local exploits to gain administrative access
  • NLBrute with custom password lists
  • Some of the operators appear to write in Farsi and connect to observed targets from Iranian IP address space
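The tradecraft summarized in the three lists above (a new local account followed by an RDP logon from outside the network, Mimikatz run from the command line, hidden-user scripts, and ransom notes such as the uax291-readme.txt seen in the Group 1 intrusion) is all visible in Windows host telemetry. The Python rules below are an added example written for this article, not code from McAfee ATR or from the actors; they run over a constructed set of Windows Security events (4720, 4624, 4688) and Sysmon events (11, 13) in JSON-lines form. The event records, their field names, and the registry path used by the hidden-user rule (the Winlogon SpecialAccounts\UserList key, a common way such scripts hide an account from the logon screen; the post does not show the contents of Hidden-User.bat) are assumptions.

```python
"""Detection rules for the RDP-intrusion tradecraft described above.

Constructed example: the events below are hand-written JSON records in the
shape of Windows Security (4720, 4624, 4688) and Sysmon (11, 13) events, not
telemetry captured from the honeypots. Field names follow the usual JSON
export convention (EventID, TimeCreated, ...) and are an assumption.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: a new local account, an RDP logon with it from
# a remote address, Mimikatz run from the command line, a hidden-user registry
# edit, a REvil-style ransom note drop, and one benign LAN logon as a control.
SAMPLE_EVENTS = r"""
{"TimeCreated": "2019-06-10T21:02:11", "EventID": 4720, "TargetUserName": "ibm", "SubjectUserName": "Administrator"}
{"TimeCreated": "2019-06-10T21:05:40", "EventID": 4624, "TargetUserName": "ibm", "LogonType": 10, "IpAddress": "203.0.113.45", "WorkstationName": "TS11"}
{"TimeCreated": "2019-06-10T21:09:03", "EventID": 4688, "SubjectUserName": "ibm", "CommandLine": "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonPasswords full\" \"exit\""}
{"TimeCreated": "2019-06-10T21:11:30", "EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\backup", "Details": "DWORD (0x00000000)"}
{"TimeCreated": "2019-06-10T21:20:00", "EventID": 11, "TargetFilename": "C:\\Users\\Public\\uax291-readme.txt"}
{"TimeCreated": "2019-06-10T08:00:00", "EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.0.5", "WorkstationName": "CORP-LT01"}
"""

# Command-line fragments of the tools seen in these intrusions.
TOOL_PATTERNS = {
    "mimikatz_lsass_dump": re.compile(r"sekurlsa::logonpasswords", re.I),
    "rdp_bruteforce_tool": re.compile(r"\bnlbrute\b", re.I),
    "mass_port_scanner": re.compile(r"\bmasscan\b", re.I),
}
# Sodinokibi ransom note: a random extension followed by -readme.txt.
RANSOM_NOTE = re.compile(r"(^|[\\/])[a-z0-9]{4,10}-readme\.txt$", re.I)
# Assumed hidden-user technique: a per-account DWORD 0 under this Winlogon key
# removes the account from the logon screen.
HIDDEN_USER_KEY = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\[^\\]+$", re.I)
# An RDP logon this soon after account creation, from outside, is the
# "create a backdoor user, then log in with it" pattern seen on the honeypots.
NEW_ACCOUNT_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse newline-delimited JSON into dicts carrying a real timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_private(ip):
    """RFC 1918 / loopback check, enough to separate LAN logons from remote ones."""
    if ip in ("", "-", "::1") or ip.startswith("127."):
        return True
    if ip.startswith(("10.", "192.168.")):
        return True
    return ip.startswith("172.") and 16 <= int(ip.split(".")[1]) <= 31


def detect(text):
    """Return a list of (rule_name, detail) findings over the event stream."""
    findings = []
    created = {}  # account name -> creation time, for the new-account + RDP rule
    for ev in parse_events(text):
        eid = ev["EventID"]
        if eid == 4720:
            created[ev["TargetUserName"]] = ev["ts"]
        elif eid == 4624 and ev.get("LogonType") == 10:  # RemoteInteractive (RDP)
            user, ip = ev["TargetUserName"], ev.get("IpAddress", "")
            born = created.get(user)
            if born and ev["ts"] - born <= NEW_ACCOUNT_WINDOW and not is_private(ip):
                findings.append(("new_account_rdp_logon",
                                 f"{user} from {ip} ({ev.get('WorkstationName')})"))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            for name, pattern in TOOL_PATTERNS.items():
                if pattern.search(cmd):
                    findings.append((name, cmd))
        elif eid == 13 and HIDDEN_USER_KEY.search(ev.get("TargetObject", "")):
            findings.append(("hidden_user_registry", ev["TargetObject"]))
        elif eid == 11 and RANSOM_NOTE.search(ev.get("TargetFilename", "")):
            findings.append(("ransom_note_dropped", ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

Run against the constructed sample, the control logon (jdoe, from a LAN address, with no preceding 4720) produces nothing, while the ibm chain yields four findings in time order: the remote RDP logon with a freshly created account, the Mimikatz command line, the hidden-user registry write, and the ransom note. The first rule is the one worth tuning in production: legitimate provisioning also creates accounts that log in over RDP soon afterwards, so the private-range exclusion and the 24-hour window are where false positives are controlled.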

Conclusion

We began this blog series by analyzing the code and asking ourselves, "Why Persian?" The information retrieved from our honeypot investigations supports a hypothesis that the Persian language is present because Persian-speaking affiliates are involved. Time and evidence will tell.

We observed many affiliates using different sets of tools and skills to gain profit and, across the series, we highlighted different aspects of this massive ongoing operation.

To protect your organization against Sodinokibi, make sure your defense is layered. As demonstrated, the actors we are facing either buy, brute-force or spear-phish their way into your company, or use a trusted third party that has access to your network. Some guidelines for organizations to protect themselves include employing sandboxing, backing up data, educating their users, and restricting access. Given that every intrusion described here began over RDP, that last point means not exposing RDP directly to the internet, and enforcing strong, unique credentials and lockout policies on any remote-access path that remains.

As long as we support the ransomware model, ransomware will exist as it has for the last four years. We cannot fight ransomware alone and have to unite as public and private parties. McAfee is one of the founding partners of NoMoreRansom.org and supports law enforcement agencies around the globe in fighting ransomware.

We hope you enjoyed reading this series of blogs about Sodinokibi.

Want Your Kids to Care More About Online Safety? Try These 7 Tips https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/want-your-kids-to-care-more-about-online-safety-try-these-7-tips/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/want-your-kids-to-care-more-about-online-safety-try-these-7-tips/#respond Sun, 20 Oct 2019 01:04:29 +0000 https://securingtomorrow.mcafee.com/?p=97127

The topics parents need to discuss with kids today can be tough compared to even a few years ago. The digital scams are getting more sophisticated, and the social culture poses new, more inherent risks. Weekly, we have to broach very adult conversations with our kids. Significant conversations about sexting, bullying, online scams, identity fraud, hate speech, exclusion, and sextortion all have to be covered, but we have to do it in ways that matter to kids.

With 95% of teens now having access to a smartphone and 45% online "almost constantly," it's clear we can't monitor conversations, communities, and secret apps around the clock. So the task for parents is to move from a mindset of "protect" to one of "prepare" if we hope to get kids to take charge of their privacy and safety online.

Here are a few ideas on how to get these conversations to stick.

  1. Bring the headlines home. A quick search of your local or regional headlines should turn up examples of kids who have risked and lost a lot more than they imagined online. Bringing the headlines closer to home, on issues like reputation management, sex trafficking, kidnapping, sextortion, and bullying, can help your child personalize digital issues. Discussing these issues with honesty and openness can bring home the reality that these issues are real and not just things that happen to other people.
  2. Netflix and discuss. Hollywood has come a long way in the last decade in making films for tweens and teens that spotlight important digital issues. Watching movies together is an excellent opportunity to deepen understanding and spark conversation about critical issues such as cyberbullying, teen suicide, sextortion, catfishing, stalking, and examples of personal courage and empathy for others. Just a few of the movies include Cyberbully, 13 Reasons Why (watch with a parent), Eighth Grade, Searching, Bully, and Disconnect. Character-building movies: Dumplin', Tall Girl, Wonder, Girl Rising, The Hate U Give, Mean Girls, and The Fat Boy Chronicles, among many others.
  3. Remove phones. Sometimes absence makes the heart grow appreciative, right? Owning a phone (or any device) isn't a right. Phone ownership and internet access are a privilege and a responsibility. So removing a child's phone for a few days can be especially effective if your child isn't listening or exercising wise habits online. One study drives this phone dependency home: last year researchers polled millennials, who said they'd rather give up a finger than their smartphones. So this tactic may prove to be quite effective.
  4. Define community. Getting kids to be self-motivated about digital safety and privacy may require a more in-depth discussion of what "community" means. The word is often used to describe social networks, but do we really know and trust the people in our online "communities?" No. Ask your child what qualities he or she values in a friend and who they might include in a trusted community. By defining this, kids may become more aware of who they are letting in and of how risk grows as our digital circles expand beyond trusted friends.
  5. Assume they are swiping right. Dating has changed dramatically for tweens and teens. Sure, there are apps like MeetMe and Tinder that kids explore, but even more popular ways to meet a significant other are everyday social networks like Snapchat, WhatsApp, and Instagram, where kids can easily meet "friends of friends" and start "talking." Study the pros and cons of these apps. Talk to your kids about them and stress the firm rule of never meeting with strangers.
  6. Stay curious. Stay interested. If you, as a parent, show little interest in online risks, then why should your child? By staying curious and current about social media, apps, video games, your kids will see that you care about — and can discuss — the digital pressures that surround them every day. Subscribe to useful family safety and parenting blogs and consider setting up Google Alerts around safety topics such as new apps, teens online, and online scams.
  7. Ask awesome questions. We know that lectures and micromanaging don’t work in the long run, so making the most of family conversations is critical. One way to do this is to ask open-ended questions such as “What did you learn from this?” “What do you like or dislike about this app?” “Have you ever felt unsafe online?” and “How do you handle uncomfortable or creepy encounters online?” You might be surprised at where the conversations can go and the insight you will gain.

Make adjustments to your digital parenting approach as needed. Some things will work, and others may fall flat. The important thing is to keep conversation a priority and find a rhythm that works for your family. And don’t stress: No one has all the answers, no one is a perfect parent. We are all learning a little more each day and doing the best we can to keep our families safe online.

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/briansclub-hack/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/briansclub-hack/#respond Thu, 17 Oct 2019 23:46:24 +0000 https://securingtomorrow.mcafee.com/?p=97113

There’s something ironic about cybercriminals getting “hacked back.” BriansClub, one of the largest underground stores for buying stolen credit card data, has itself been hacked. According to researcher Brian Krebs, the data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

Most of the records offered for sale on BriansClub are "dumps": the data read from a payment card's magnetic stripe. Once encoded onto any card-sized blank with a magnetic stripe, a dump lets a criminal buy resellable goods such as electronics and gift cards. According to Krebs on Security, between 2015 and 2019 BriansClub sold approximately 9.1 million stolen cards, generating $126 million in sales.

Back in September, Krebs was contacted by a source who shared a plain text file with what they claimed to be the full database of cards for sale through BriansClub. The database was reviewed by multiple people who confirmed that the same credit card records could also be found in a simplified form by searching the BriansClub website with a valid account.

So, what happens when a cybercriminal, or in this case a well-intentioned hacker, takes control of these credit card records? When one of these online fraud marketplaces sells a stolen card record, that record is removed from its inventory. So when BriansClub lost its 26 million card records to a benign hacker, it also lost the opportunity to make $500 per card sold.

What good comes from "hacking back" instances like this? Besides putting the stolen records out of reach of other cybercriminals, the data taken from BriansClub was shared with multiple sources who work closely with financial institutions. These institutions can identify and monitor, or reissue, cards that show up for sale in the cybercrime underground. And while "hacking back" helps cut off potential credit card fraud, what steps can users take to protect their information from being stolen in the first place? Follow these security tips to help protect your financial and personal data:

  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to obtain extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and 'Like' us on Facebook.

Chapter Preview: Ages 2 to 10 – The Formative Years https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/the-formative-years/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/the-formative-years/#respond Thu, 17 Oct 2019 10:00:03 +0000 https://securingtomorrow.mcafee.com/?p=96530

As our children venture into toddlerhood, they start to test us a bit. They tug at the tethers we create for them to see just how far they can push us. As they grow and learn, they begin to carve out a vision of the world for themselves—with your guidance, of course, so that they can learn how to live a safe and happy life both now and as they get older.

This is true in the digital world as well.

Typically, at around age two, our kids get their first taste of playing on mommy’s or daddy’s smartphone or tablet and discover an awesome new world of devices and online activities. It’s slow at first—a couple minutes here and there—but, over time, they spend more and more of their day online. You have an opportunity when your child has their first experience with a connected device to set the tone for what’s expected. This is a deliberate teaching moment, the first of many, where you explain how to go safely online and continue to reinforce these behaviors as they grow.

Just as at home and in school, these are children’s formative years in the digital world because there’s a significant increase in their access to devices and online engagement—whether it means watching videos, playing games, interacting with educational software, or many other activities. Keeping them safe in this environment needs to be top of mind, and that includes awareness of how their initial data puddle will rapidly become a data pond during these years. We need to be aware that this pond has direct ties to our privacy, their privacy, and, ultimately, to their life in general.

This chapter of "Is Your Digital Front Door Unlocked?" lays out several topics that, if handled in a healthy and constructive way, will make your child's digital journey much more enjoyable. Topics such as the importance of rules, online etiquette, and the notion of "the talk" as it relates to going online safely are discussed in detail, in the hope of providing a framework that will grow as your child grows.

It also looks at challenges that every parent should be aware of, such as cyberbullying and the impact of screen time on your child. It also introduces the risks associated with online gaming for those just getting started.

I can’t express strongly enough the importance of engagement with your child during the formative years. This chapter will give you plenty of ideas of how to go about it in a way that both you and your child will enjoy.

Gary Davis' book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.
Investing in our Future Cybersecurity Workforce Through JROTC https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/investing-in-our-future-cybersecurity-workforce-through-jrotc/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/investing-in-our-future-cybersecurity-workforce-through-jrotc/#respond Wed, 16 Oct 2019 15:00:38 +0000 https://securingtomorrow.mcafee.com/?p=97065

We all know that filling the pipeline for IT jobs is one of our nation’s biggest challenges. The Department of Labor projects there will be 3.5 million computing-related jobs available by 2026, but our current education pipeline will only fill 19% of those openings, threatening our security and global leadership.

Congress recently proposed a plan to grow the talent pipeline and diversify the computer science and cybersecurity workforce in the federal government. The Junior Reserve Officers' Training Corps (JROTC) Cyber Training Act (H.R.3266/S.2154), sponsored by Representatives Lizzie Fletcher (D-TX), Rob Bishop (R-UT), Jackie Speier (D-CA), Conor Lamb (D-PA) and Michael Waltz (R-FL) in the House, and Senators Jacky Rosen (D-NV), Marsha Blackburn (R-TN), Gary Peters (D-MI) and John Cornyn (R-TX) in the Senate, would direct the Secretary of Defense to develop a program to prepare JROTC high school students for military and civilian careers in computer science and cybersecurity.

If enacted, the bill would create targeted internships, cooperative research opportunities and funding for training with an emphasis on computer science and cybersecurity education. This important legislation has the potential to bring evidence-based computer science and cybersecurity education to 500,000 students at 3,400 JROTC high schools across the United States, greatly improving the number of professionals ready to take on the cyber challenges of tomorrow.

The Department of Defense reports that 30% of JROTC cadets join the military after high school or college. The remaining 70% of cadets represent a large pool of talent that could enter into civilian roles in the defense and cybersecurity sectors if given the proper training while in the JROTC program. The JROTC Cyber Training Act is an important opportunity to fill those job openings with innovative thinkers from the JROTC program, while simultaneously growing and diversifying the future workforce.

Cybersecurity is one of the greatest technical challenges of our time, and we need to be creative to meet it. McAfee is proud to support initiatives to establish programs, such as the JROTC Cyber Training Act, that provide skills to help build the STEM pipeline, fill related job openings, and close gender and diversity gaps.

Top 5 Highlights from MPOWER 2019 https://securingtomorrow.mcafee.com/blogs/enterprise/top-5-highlights-from-mpower-2019/ https://securingtomorrow.mcafee.com/blogs/enterprise/top-5-highlights-from-mpower-2019/#respond Tue, 15 Oct 2019 14:30:00 +0000 https://securingtomorrow.mcafee.com/?p=97094

Fellow security experts gathered at MPOWER 2019 to strategize, network, and learn about the newest and most innovative ways to ward off advanced cyberattacks. This year’s attendees had a special opportunity to hear from cybersecurity thought leaders as they shared their insights on our ever-changing industry. The latest applications, workload and infrastructure designed to protect your data from the device to the cloud were also spotlighted, giving attendees a first look at McAfee’s newest innovations.

Here are the top five highlights gleaned from three jam-packed days of MPOWER at the Aria in Las Vegas.

1. The most valuable resource we all share—Time

This year’s MPOWER had an overarching theme of time. According to our recent research, threats are multiplying at unprecedented rates—as fast as five per second, resulting in customers feeling the mounting pressure of time in the never-ending race to do more, secure more, defend more and save more.

In the opening keynote for MPOWER 2019, CEO Chris Young pledged to make every second count at MPOWER and emphasized that, at McAfee, “… time is the underpinning factor in our investment strategy—in protecting the digital experience, from the device to the cloud.” Young went on to say that time is the one constant we can’t change and the one constraint we can’t ignore. Time, he reiterated, “remains our one resource that can burden or empower.” In closing, he stated, “I, for one, choose empowerment. I choose to seize our collective destiny today—a safe, secure future. Our pace is fueled by a passion and a commitment I share with nearly 7,000 McAfee employees each day—we are pledged to create the future that you and we deserve. It’s about time.”

2. Announcing Unified Cloud Edge, MVISION Insights and Advancements to the MVISION Portfolio

During MPOWER, Young and Senior Vice President of the Cloud Security Business Unit Rajiv Gupta introduced Unified Cloud Edge, an industry-first initiative, to address the security concerns of the cloud. By converging the capabilities of its award-winning McAfee MVISION Cloud, McAfee® Web Gateway, and McAfee® Data Loss Prevention offerings—all to be available through the MVISION ePolicy Orchestrator (ePO) platform—Unified Cloud Edge will offer a borderless IT environment. This frictionless environment will enable security professionals to reduce risk and increase productivity for organizations as they move to secure cloud adoption.

During Day Three of MPOWER, Young and CTO Steve Grobman offered a sneak preview into the MVISION Insights platform. Geared to help organizations move to an action-oriented, proactive security posture, the MVISION Insights platform will pinpoint threats that matter, offer insights into the effectiveness of their defenses and provide the ability to respond quickly and accurately to these threats. Security teams will soon be able to coordinate the data gathered by McAfee’s one-billion-plus sensors worldwide with their own threat data to provide the information needed to battle threats targeting their systems and data, while also preparing defenses against threats that have yet to be seen in their environments.

Lastly, Young announced the latest enhancements to the MVISION portfolio—a first-of-its-kind, cloud-based product family that allows organizations to deploy security on their terms as they move to the cloud. The new features and functionality lie within McAfee MVISION Cloud, McAfee MVISION Endpoint, McAfee MVISION EDR and McAfee MVISION ePO, and have been purpose-built to help organizations protect data and stop threats across devices, networks and the cloud. Also announced at MPOWER, the latest version of McAfee Endpoint Security—10.7—now features a visualization tool to help security pros trace the root cause of attacks, and rollback remediation to enable customers to easily and quickly reverse the effects of malware and return a device to its former healthy state.

3. New Ransomware

McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi (or REvil), at the end of April 2019. During MPOWER, the ATR team posted the first and second episodes detailing the Sodinokibi ransomware. In the first installment, they share their extensive malware and post-infection analysis and visualize exactly how big the Sodinokibi campaign is. The second installment shares an analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019. (Check back on Securing Tomorrow to see Episode 3: Follow the Money and Episode 4: Crescendo.)

4. SIA DEV CON

Tuesday afternoon, our ATR and SecOps Engineering team hosted our first ever interactive game, “Defend The Flag,” in which 65 customers competed to win a brand-new challenge coin. The game consisted of defending an organization against a real-world adversary like APT29. Through simulated attacks and scenarios based on the MITRE ATT&CK framework, the participants leveraged a combination of McAfee solutions and best-of-breed open source tools to prevent, detect, triage, investigate and hunt for the presence of the adversary. Players practiced their security skills through a series of questions and challenges ranging from basic to advanced, and earned prize points, unique swag and bragging rights.

5. Building a Culture of Security

Throughout the morning keynotes, guest speakers and McAfee leadership enthusiastically supported the notion of creating a culture of security. Throughout the presentations, several essential elements emerged: getting young people excited about the work McAfee and other companies are doing; opening up immigration policies to welcome new talent; increasing government investment in technology initiatives and infrastructure; and reaching out to allies across the globe rather than taking an isolationist stance. When CMO Allison Cerra addressed MPOWER attendees, she discussed her contribution to building a culture of security. Her goal is to use her communications expertise to start a conversation on how organizations can build a stronger cybersecurity culture in the face of relentless attackers. This led to her writing a playbook for every employee, every functional manager and every leader in organizations big and small, private and public. The book, titled The Cybersecurity Playbook: How Every Leader Can Contribute to a Culture of Security, was published in September, and every MPOWER attendee received a copy.

The post Top 5 Highlights from MPOWER 2019 appeared first on McAfee Blogs.

Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/defining-cloud-security-is-it-the-endpoint-your-data-or-the-environment/ https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/defining-cloud-security-is-it-the-endpoint-your-data-or-the-environment/#respond Mon, 14 Oct 2019 14:30:30 +0000 https://securingtomorrow.mcafee.com/?p=97037

You’ve heard it once; you’ve heard it a hundred times – “secure the cloud.” But what does that phrase mean? On the surface, it’s easy to assume this phrase means using cloud-enabled security products. However, it’s much more than that. Cloud security is about securing the cloud itself through a combination of procedures, policies, and technologies that work together to protect the cloud—from the endpoint to the data to the environment itself. A cloud security strategy must be all-encompassing, based on how data is monitored and managed across the environment. So, let’s examine how IT security teams can address common cloud challenges head-on, while at the same time establishing the right internal processes and adopting the necessary solutions in order to properly secure the cloud.

Cloud Security’s Top Challenges

As we enter a post-shadow IT world, security teams are now tasked with understanding and addressing a new set of challenges—those that can stem from a complex, modern-day cloud architecture. As the use of cloud services grows, it is critical to understand how much data now lives in the cloud. In fact, the amount of sensitive data stored in cloud-based files is only growing, currently standing at 21% after having increased 17% over the past two years. So it’s no wonder that threats targeting the cloud are growing, too: The average organization experiences 31.3 cloud-related security incidents each month, a 27.7% increase over the same period last year.

Frequently impacted by data breaches and DDoS attacks, cloud technology is no stranger to cyberthreats. However, the technology is also impacted by challenges unique to its makeup—such as system vulnerabilities and insecure user interfaces (UIs) and application programming interfaces (APIs), which can all lead to data loss. Insecure UIs and APIs are top challenges for the cloud, as the security and availability of general cloud services depends on the security of these UIs and APIs. If they’re insecure, functionalities such as provisioning, management, and monitoring can be impacted as a result. There are also bugs within cloud programs that can be used to infiltrate and take control of the system, disrupt service operations, and steal data. A further challenge we see as data and workloads move to the cloud is developers’ insufficient knowledge of how cloud capabilities have evolved. We are also finding misconfigurations to be one of the major contributors to data leaks and data breaches, meaning cloud configuration assessment is another best practice that IT should own. Another major source of cloud data loss? Improper identity, credential, and access management, which can enable unauthorized access to information via unprotected default installations.

The good news? To combat these threats, there are a few standard best practices IT teams can focus on to secure the modern-day cloud. First and foremost, IT should focus on controls and data management.

Security Starts with Process: Controls and Data Management

To start a cloud security strategy off on the right foot, the right controls for cloud architecture need to be in place. Cloud security controls provide protection against vulnerabilities and alleviate the impact of a malicious attack. By implementing the right set of controls, IT teams can establish a necessary baseline of measures, practices, and guidelines for an environment. These controls can range from deterrent and corrective to preventative and protective.

In tandem with controls, IT teams need to establish a process or system for continually monitoring the flow of data, since insight into data and how it is managed is vital to the success of any cloud security strategy. A solution such as McAfee Data Loss Prevention (DLP) can help organizations monitor data through the use of a management console or dashboard. This tool can help secure data by extending on-premises data loss prevention policies to the cloud for consistent DLP, protecting sensitive data wherever it lives, tracking user behavior, and more.

Solving for Visibility, Compliance, and Data Protection

When it comes to securing data in the cloud, visibility and compliance must be top of mind for IT teams as well. Teams need to gain visibility into the entirety of applications and services in use, as well as have proper insight into user activity to have a holistic view of an organization’s existing security posture. They also need to be able to identify sensitive data in the cloud in order to ensure data residency and compliance requirements are met.

That’s precisely why IT teams need to adopt an effective cloud access security broker (CASB) solution that can help address visibility and compliance issues head-on. What’s more, this type of solution will also help with data security and threat protection by enforcing encryption, tokenization, and access control, as well as detecting and responding to all types of cyberthreats impacting the cloud.

Bringing It All Together

By combining the right controls and data management processes with a CASB solution, security teams can protect the cloud on all levels. A CASB solution like McAfee MVISION Cloud protects data where it lives today, in the cloud. This CASB solution is cloud-hosted software that sits between cloud service customers and cloud service providers to enforce security, compliance, and policies uniformly across all cloud assets, from SaaS to IaaS/PaaS. Plus, McAfee MVISION Cloud can help organizations extend security controls of their on-premises infrastructure to the cloud and beyond. To extend these controls, this solution detects, protects, and corrects. During detection, IT security teams gain complete visibility into data, context, and user behavior across all cloud services, users, and devices. When data leaves the cloud, McAfee MVISION Cloud applies persistent protection wherever it goes: in or outside the cloud. And when an error does occur, the solution takes real-time action deep within cloud services to correct policy violations due to human error and stops security threats. While McAfee MVISION Cloud protects the cloud itself, it’s also important to protect access to the cloud at the start, or the endpoint. An endpoint security solution, such as McAfee Endpoint Security, is also integral for safeguarding the cloud, since endpoints are a target for credential theft that leads to greater risk in the cloud environment.

In an ever-changing threat landscape, implementing the proper controls and data management, together with effective cloud security solutions, is the key to a strong cloud security strategy. By taking into account and working to proactively protect the multitude of endpoints connected to the cloud, the amount of data stored in the cloud, and the cloud environment itself, IT security teams can help ensure the cloud is secure.

To learn more about cloud security and other enterprise cybersecurity topics, be sure to follow us @McAfee and @McAfee_Business.

The post Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? appeared first on McAfee Blogs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money/#respond Mon, 14 Oct 2019 13:33:20 +0000 https://securingtomorrow.mcafee.com/?p=96913

Episode 3: Follow the Money

This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019.

The Talking Heads once sang “We’re on a road to nowhere.” That line captures how challenging it can be to investigate the financial trails behind a RaaS scheme with many affiliates.

However, we persisted, and we prevailed. By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and associated revenue; even getting detailed insights into what the affiliates do with their earnings following a successful attack.

With the Sodinokibi ransomware a unique BTC wallet is generated for each victim. As long as no payment is made, no trace of the BTC wallet will be available on the blockchain. The blockchain operates as a public ledger of all bitcoin transactions that have happened. When no currencies are exchanged, no transactions are recorded. Although many victims hit the news, we understand that if they paid, sharing that with the research community is maybe a bridge too far. On one of the underground forums we discovered the following post:

In this post the actors are expanding their successful activity and offering a 60 percent cut as a start and, after three successful payments by the affiliate (read successful ransomware infections and payments received from the victims), the cut increases to 70 percent of the payments received. This is very common as we saw in the past with RaaS schemes like GandCrab and Cryptowall.

Responding to this post is an actor with the moniker ‘Lalartu’, and his comments are quite interesting, hinting he was involved with GandCrab. As a side note: ‘Lalartu’ means ‘ghost/phantom’. Its origins are in the Sumerian civilization, where Lalartu was seen as a vampiric demon.

Researching the moniker of ‘Lalartu’ through our data, we went back in time a month or so and discovered a posting from the actor on June 4th of 2019, again referencing GandCrab.

We observe here a couple of transaction IDs (TXID) on the bitcoin ledger, however they are incomplete. More than a week later, on June 17th, 2019, “Lalartu” posted another one with an attachment to it:

In this posting we see a screenshot with partial TXIDs and the amounts. With the help of the Chainalysis software and team, we were able to retrieve the full TXIDs. With that list we were able to investigate the transactions and start mapping them out with their software:

From the various samples we have researched, the amounts asked for payment are between 0.44 and 0.45 BTC, an average of 4,000 USD.

In the above screenshot we see the transactions where some of these amounts are transferred from a wallet, or bitcoins are bought at an exchange and transferred to the wallets associated with the affiliate(s).

Based on the list shared by Lalartu in his post, and the average value of bitcoin around the dates, within 72 hours a value of 287,499.00 USD of ransom had been transferred.

Taking the list of transactions as a starting point in our graph-analysis, we colored the lines red and started from there to investigate the wallets involved and interesting transactions:

Although it might look like spaghetti, once you dive in, very interesting patterns can be discovered. We see victims paying to their assigned wallets; from there it takes an average of two to three transactions before it goes to an ‘affiliate’ or ‘distribution’ wallet. From that wallet we see the split happening as the moniker ‘UNKN’ mentioned in his forum post we started this article with. The 60 or 70 percent stays with the affiliate and the remaining 40/30 percent is forwarded in multiple transactions towards the actors behind Sodinokibi.

Once we identified a couple of these transactions, we started to dig in both directions. What is the affiliate doing with the money and where is the money going for the Sodinokibi actors?

We picked one promising affiliate wallet and started to dig deeper down and followed the transactions. As described above, the affiliate mostly gets money transferred through an exchange (since this is what the actors advise in the ransom note). This is what we see in the example below: incoming ransomware payments are received via Coinbase.com. The affiliate seems to pay some fee to a service but also sends BTC into Bitmix.biz, a popular underground bitcoin mixer that obfuscates the subsequent transactions to make it difficult to link them back to the ‘final’ wallet or to a cash-out in a (crypto) currency.

We also observed examples where the affiliates were paying for services they bought on Hydra Market, a Russian underground marketplace where many services and illegal products are offered with payment in BTC.

Tracing down the route of splits, we started to search for the 30 or 40 percent cuts of the ransom payments of 0.27359811 BTC or, if the price was doubled, 0.54719622 BTC.

Using the list of amounts and querying the transactions and transfers discovered, we observed a wallet that was receiving a lot of these smaller payments. Due to ongoing research we will not publish the wallet but here is a graph representation of a subset of transactions:

It seems like a spider, but many incoming ‘split’ transfers, and only a few outgoing ones with larger amounts of bitcoins, were observed.

If we take the average of $2,500 – $5,000 USD as a ransom ask, and the mentioned split of 30/40 percent for the actor maintaining the Sodinokibi ransomware and affiliate infrastructure, they make $700 – $1,500 USD per paid infection.

We already saw in the beginning of this article that the affiliate Lalartu claimed to have made 287k USD in 72 hours, which is an 86k USD profit for the actor from one affiliate only.
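The hop-and-split pattern described above (a victim wallet, a few pass-through hops, an affiliate wallet that forwards the operators’ 30 or 40 percent, and a collector wallet with many small inflows and only a few large outflows) can be expressed as a small graph walk over a transaction list. The Python below is an added illustration written for this article and is not McAfee ATR’s or Chainalysis’s tooling; the ledger is constructed for the example, and every wallet name, transaction id and amount in it is a placeholder rather than a real address or on-chain value.

```python
from collections import defaultdict
from statistics import mean

# Constructed ledger for this example (not real blockchain data); each row is
# (txid, sender, receiver, amount_btc). Wallet names and txids are placeholders.
# Victims pay a per-victim wallet; funds move through one or two pass-through
# hops to an affiliate wallet; the affiliate keeps its cut and forwards the
# rest to a collector wallet that the ransomware operators drain in bulk.
LEDGER = [
    ("tx01", "exchange_A", "victim_1", 0.44),
    ("tx02", "victim_1", "hop_1", 0.44),
    ("tx03", "hop_1", "affiliate_X", 0.44),
    ("tx04", "exchange_B", "victim_2", 0.45),
    ("tx05", "victim_2", "hop_2a", 0.45),
    ("tx06", "hop_2a", "hop_2b", 0.45),
    ("tx07", "hop_2b", "affiliate_X", 0.45),
    # affiliate_X holds 0.89 BTC: keeps 60 %, forwards 40 % (starter tier)
    ("tx08", "affiliate_X", "mixer_deposit", 0.534),
    ("tx09", "affiliate_X", "collector", 0.356),
    ("tx10", "exchange_C", "victim_3", 0.44),
    ("tx11", "victim_3", "hop_3", 0.44),
    ("tx12", "hop_3", "affiliate_Y", 0.44),
    # affiliate_Y is on the 70/30 tier
    ("tx13", "affiliate_Y", "affiliate_Y_cashout", 0.308),
    ("tx14", "affiliate_Y", "collector", 0.132),
    ("tx15", "exchange_D", "victim_4", 0.44),
    ("tx16", "victim_4", "affiliate_Z", 0.44),
    ("tx17", "affiliate_Z", "affiliate_Z_cashout", 0.264),
    ("tx18", "affiliate_Z", "collector", 0.176),
    # the collector consolidates many small inflows into one large outflow
    ("tx19", "collector", "operator_cold", 0.664),
]

# Advertised affiliate tiers from the forum post: operators' share -> label
TIERS = {0.40: "60/40 (starter)", 0.30: "70/30 (after three payments)"}


def build_graph(ledger):
    """Index the ledger by sender and by receiver."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for txid, sender, receiver, amount in ledger:
        outgoing[sender].append((txid, receiver, amount))
        incoming[receiver].append((txid, sender, amount))
    return incoming, outgoing


def follow_payment(ledger, victim_wallet, max_hops=20):
    """Walk forward from a victim wallet through pass-through hops (wallets with
    exactly one outgoing transfer) until a wallet that fans out or holds funds.
    Returns (distribution_wallet, hops_taken)."""
    _, outgoing = build_graph(ledger)
    wallet, hops = victim_wallet, 0
    while len(outgoing.get(wallet, [])) == 1 and hops < max_hops:
        wallet = outgoing[wallet][0][1]
        hops += 1
    return wallet, hops


def split_ratios(ledger, wallet):
    """Share of the wallet's total inflow carried by each outgoing transfer,
    keyed by receiving wallet and rounded to two decimals."""
    incoming, outgoing = build_graph(ledger)
    total_in = sum(amount for _, _, amount in incoming[wallet])
    if total_in == 0:
        return {}
    return {receiver: round(amount / total_in, 2)
            for _, receiver, amount in outgoing.get(wallet, [])}


def classify_tier(operator_share):
    """Map the share forwarded to the collector onto an advertised tier."""
    return TIERS.get(round(operator_share, 2))


def collector_candidates(ledger, min_inflows=3):
    """Wallets that look like the 'spider': many incoming split transfers and
    few (or no) outgoing transfers, each larger than the average inflow."""
    incoming, outgoing = build_graph(ledger)
    found = []
    for wallet, inflows in incoming.items():
        outflows = outgoing.get(wallet, [])
        if len(inflows) < min_inflows or len(outflows) >= len(inflows):
            continue
        avg_in = mean(amount for _, _, amount in inflows)
        if all(amount > avg_in for _, _, amount in outflows):
            found.append(wallet)
    return found


def wallet_inflow_btc(ledger, wallet):
    """Total BTC received by a wallet (the operators' take, for the collector)."""
    incoming, _ = build_graph(ledger)
    return round(sum(amount for _, _, amount in incoming[wallet]), 8)


if __name__ == "__main__":
    for victim in ("victim_1", "victim_2", "victim_3", "victim_4"):
        dist, hops = follow_payment(LEDGER, victim)
        shares = split_ratios(LEDGER, dist)
        tier = classify_tier(shares.get("collector", 0.0))
        print(f"{victim}: {hops} hop(s) to {dist}, split {shares}, tier {tier}")
    for wallet in collector_candidates(LEDGER):
        print(f"collector-like wallet {wallet} received {wallet_inflow_btc(LEDGER, wallet)} BTC")
```

On the constructed ledger, victim_2 reaches affiliate_X after three hops, affiliate_X splits 60/40 and affiliate_Y splits 70/30, and only the collector wallet matches the many-small-in, few-large-out shape. On real data the same walk needs the full transaction ids that the partial screenshots lack, and mixer deposits (like the Bitmix.biz transfer mentioned above) end the trail rather than passing it through.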

In episode 2, The All-Stars, we explained how the structure is setup and how each affiliate has its own id.

As far as we tracked the samples and extracted the id-numbers, we counted over 41 affiliates being active. The data showed that, in a relatively short amount of time, the velocity and number of infections were high. Taking this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune.

Following the traces of one particular affiliate, we ended up seeing large amounts of bitcoins being transferred into a wallet which had a total value of 443 BTC, around 4.5 million USD at the average bitcoin price.

We do understand that there are situations in which executives decide to pay the ransom but, by doing that, we keep this business model alive and also fund other criminal markets.

Conclusion

In this blog we focused on insights into the financial streams behind ransomware. By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and associated revenue. In some cases, we were able even to get detailed insights into what the affiliates do with their earnings following a “successful” attack. It shows that paying ransomware is not only keeping the ‘ransom-model’ alive but is also supporting other forms of crime.

In the next and final episode, “Crescendo”, McAfee ATR reveals insights gleaned from a global network of honeypots.

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money appeared first on McAfee Blogs.

15 Easy, Effective Ways to Start Winning Back Your Online Privacy https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/15-easy-effective-ways-to-start-winning-back-your-online-privacy/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/15-easy-effective-ways-to-start-winning-back-your-online-privacy/#respond Sat, 12 Oct 2019 14:00:46 +0000 https://securingtomorrow.mcafee.com/?p=97063

Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to rein in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private b) regularly editing friends lists c) deleting personal information on social profiles d) limiting app and browser extension permissions e) being careful not to overshare.
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy, it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and follow up to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your password, and these best practices matter.
  9. Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to protect against rogue attacks.
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.

~~~

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

Digital Innovation Thrives in Open Pastures https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/digital-innovation-thrives-in-open-pastures/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/digital-innovation-thrives-in-open-pastures/#respond Fri, 11 Oct 2019 15:35:24 +0000 https://securingtomorrow.mcafee.com/?p=97084

Openness and interoperability are long-standing buzzwords in the digital ecosystem, but it is not always clear what they mean and why they are important. For McAfee, embracing these notions is critical to our success, and here’s why. Openness means that we share information, and interoperability means that this information is shared with our ecosystem partners, be they public or private entities, all with the aim of fostering innovative solutions and services of benefit to all. We all have a natural instinct to defend ourselves against free-loaders, but in the digital world, however counterintuitive it may seem at first glance, this mindset is harmful to both digital business and our capacity to innovate.

Put another way, the more we collaborate and share, the more our customers trust that we are at the top of our game. By being a cog in a vast and interdependent digital machine, McAfee’s services become more valuable. Conversely, locking ourselves out of this process has real risk.  This is because openness and interoperability cuts both ways. By giving others access to our expertise, we also gain access to theirs. This lets us focus on what we are good at, and we can leave it to others to create amazing new services that build on our innovation.

Of course, there is a bigger picture. An open and interoperable digital ecosystem is a cornerstone of competition. And ultimately, it is competition that drives innovation. Equally, devices or services that cannot interoperate will over time become less valuable.

That’s why we think the principles of openness and interoperability merit inclusion in the new European Commission’s technology and security policies, a point not lost on the Finnish Presidency, the current chair of EU ministerial meetings, who have made interoperability a priority objective for the next five years.

Openness has its drawbacks, of course. If we don’t excel and keep our products and services at the highest standard, someone else with a more robust solution could easily claim our place in the market. But being open and interoperable also acts as a rapid-alert system to let us know where we are falling short. Whether it is a bug in the code we produce, or a glitch in our interfaces, the community that we work with will let us know far sooner than if we were closed off to this scrutiny.

In relation to cyber security, a lack of interoperability and cyber intelligence sharing across information systems can have serious consequences, including, for example, the limitation of response capability against cyber (or even larger-scale) terrorist attacks. Today’s threats are no longer confined to a particular country, company or group of people, and their impact is felt by the whole of society.

The best way to keep people safe today is to share and receive cyber threat intelligence within and beyond a company’s boundaries, to have cybersecurity experts detect imminent attacks fast, and to collaborate on threat analysis, automated threat exchange, and detection and response. If we do not prioritise openness and interoperability in our policies, real people could suffer as a result.

The benefits of open and interoperable cloud security architectures to digital transformation should also not be overlooked.  Open and interoperable cloud security architectures provide a quick and comprehensive way of achieving higher security standards across governments and enterprises.

So, there is no question that openness and interoperability are the right way to go, and we’re proud of the fact that McAfee and others use these as foundational principles.

As a case in point, on October 8th, McAfee and IBM Security kick-started an initiative to bring real interoperability and data sharing across the cybersecurity product landscape. The Open Cybersecurity Alliance (OCA) project is comprised of like-minded global cybersecurity vendors, end users, thought leaders, and individuals interested in fostering an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated response, via commonly developed code and tooling, using mutually agreed upon technologies, standards, and procedures.

The Alliance’s founders, McAfee and IBM Security, are joined in the initiative by Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.

Formed under the auspices of OASIS, a respected consortium driving the development, convergence and adoption of open standards for the global information society, the Alliance was launched as an OASIS Open Project on October 8, 2019.

Its goal is to develop and promote sets of open source common content, code, tooling, patterns, and practices for operational interoperability and data sharing among cybersecurity tools. The Alliance aims to create an environment where cybersecurity vendors do not compete on plumbing; rather, the plumbing is the foundation, the common platform, upon which cybersecurity tools are built. Cybersecurity vendors have a real adversary they are trying to defeat, and they should not be distracted by each having to replicate different ways to provide product plumbing. (See the OCA announcement blog.)

Finally, if you are interested in learning more about why this agenda is important to European policy makers as the new European Commission is confirmed, I would encourage you to look at the work of the European Committee for Interoperable Systems (ECIS) and its recent white paper on how interoperability and openness work in theory and practice, particularly in the field of cybersecurity and cloud services.

The post Digital Innovation Thrives in Open Pastures appeared first on McAfee Blogs.

]]>
CDM and the 2019 Billington Cybersecurity Summit https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/cdm-and-the-2019-billington-cybersecurity-summit/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/cdm-and-the-2019-billington-cybersecurity-summit/#respond Fri, 11 Oct 2019 15:30:04 +0000 https://securingtomorrow.mcafee.com/?p=97023


]]>

Recently, Billington hosted their 10th annual Cybersecurity Summit, one of the premier cybersecurity conferences where industry leaders and government officials join together to discuss the current state of cybersecurity. Several key themes presented themselves throughout the two-day summit, including cloud, cybersecurity legislation, and DHS’s Continuous Diagnostics and Mitigation program (CDM). Kevin Cox, the program manager of CDM at CISA, and private sector experts involved in the program discussed new developments and some of the benefits of CDM.

While updating the audience on CDM, Cox teased several important updates to the program expected soon, including a new dashboard system and an algorithm that will show agencies how they’re doing with basic cybersecurity measures — the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm. Cox said that 50 federal agencies are reporting data to the federal dashboard, 74 smaller agencies are using the CDM shared services dashboard, and 31 agencies are reporting AWARE scores.

CDM has largely been a success throughout the federal government. According to a recent MeriTalk report, 85% of federal and industry stakeholders said that CDM has improved federal cybersecurity, with its most helpful capability being the increased visibility into the federal government’s cybersecurity posture. Now the program should move ahead on a cloud initiative, as federal agencies and organizations have been moving to cloud for some time, and many are in multi- or hybrid-cloud environments.

Cox noted that the program office would begin to address cloud security, specifically, “work[ing] with the DHS team, agencies, system integrators, and DHS Cybersecurity Division partners to determine the right approach and scope for a cloud security proof of concept.”

Another speaker at Billington, McAfee SVP and CTO Steve Grobman, took part in a panel devoted to cloud security. The conversation focused on the differences between traditional computing and cloud computing, current cybersecurity issues, and how policy can change that landscape.

“Cloud has given us the ability to redefine the security architecture,” said Grobman. “Although we can secure our environment using a lot of new capabilities, we need to recognize that the scale that cloud operates and that the issues are going to be bigger.”

Moving applications and infrastructure to the cloud securely is something government agencies need to prioritize, and programs like CDM should give the workforce and federal agencies the tools they need to make this important transition. McAfee is working with federal, state and local governments to adopt cloud capabilities to better detect threats and establish procedures to work through how to recover.

Supporting CDM has been one of McAfee’s highest priorities for the past 10 years. We designed several products specifically to meet CDM requirements, and we remain committed to making the aims of CDM a reality both today and well into the future. We also appreciate that organizations such as Billington continue to advance the conversation on important topics like CDM and cloud security, and we look forward to assisting our federal partners on both.

The post CDM and the 2019 Billington Cybersecurity Summit appeared first on McAfee Blogs.

]]>
Watch Your Step: Insights on the TOMS Shoes Mailing Hack https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/toms-shoes-hack/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/toms-shoes-hack/#respond Thu, 10 Oct 2019 16:15:04 +0000 https://securingtomorrow.mcafee.com/?p=97057


]]>

You’re familiar with the cybercriminals that go after users’ credit card information and look to spread malicious links, but recently, one hacker decided to send a different message. According to Vice’s Motherboard, a hacker accessed TOMS Shoes’ mailing list and sent an email encouraging users to log off and go enjoy the outdoors.

The email specifically stated, “hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on.” The hacker claimed to have compromised TOMS a while back but never had any malicious intent and felt it had been too long to disclose the breach to the authorities. Although the hacker didn’t tell Motherboard how he or she specifically gained access to the TOMS account, they did voice their frustrations with hackers who steal data from large companies and innocent civilians.

Representatives from TOMS stated that they are actively looking into the breach and warned users to not interact with the message. And while this particular hacker had no malicious intent, users could have a potential phishing scam on their hands if these email addresses had ended up in the wrong hands.

So, whether you’re a TOMS shoe wearer or not, it’s important to stay updated on potential cyberthreats so you can recognize them immediately. Here are some tips to help you avoid accidentally treading on potential phishing emails:

  • Go directly to the source. Be skeptical of emails claiming to be from companies with peculiar asks or messages. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Be cautious of emails asking you to take action. If you receive an email asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.
  • Hover over links to see and verify the URL. If someone sends you an email with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Watch Your Step: Insights on the TOMS Shoes Mailing Hack appeared first on McAfee Blogs.

]]>
Securing the Unsecured: State of Cybersecurity 2019 – Part II https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/securing-the-unsecured-state-of-cybersecurity-2019-part-ii/ https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/securing-the-unsecured-state-of-cybersecurity-2019-part-ii/#respond Thu, 10 Oct 2019 16:00:16 +0000 https://securingtomorrow.mcafee.com/?p=97030


]]>

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

In Part I of the series, we explored IT security trends for 2019 and ways companies can protect themselves from IoT device vulnerability. Today, we’re continuing the discussion by exploring the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

Q3: How great is the threat to companies of “crypto crime”?

The thing about ransomware is that it’s no longer the province of specific groups. At the RSA Conference this year, McAfee’s own Raj Samani shared the advent of the franchise model in crypto crime. As a result, we are seeing greater reach, but fewer unique systems applying ransomware. Still, we see enterprises failing in the same ways year after year and falling victim to these families of ransomware at scale.

As you work to make incident response an effective part of mitigating phishing and initial ransomware infections, I’d ask: how does your incident response change in the cloud? Do you have incident response resources and provisions for SaaS vs. IaaS? How do you get the logs and resources that you need from cloud providers to effectively investigate and ensure you have identified all affected nodes, or the initial attack vector? The time to figure out that question isn’t during time-compressed investigation stages when everyone is under stress from an active threat.

With the recent third anniversary of No More Ransom, security leaders like Raj Samani and the companies that make up partnerships like that of the No More Ransom website can help offer basic protection for some forms of ransomware. In this joint project with Europol and AWS, it’s been an amazing journey to watch and even invest in helping protect businesses against ransomware.

Q4: How can small businesses with limited resources protect the privacy of their customers?

The dwell time of threats in small and medium businesses is 45 to 800 days, with the averages moving more towards the latter. Cloud based information security SaaS (Software as a Service) is helping to level the playing field. To make continued progress, venture capital backing small firms, and the public buying from these companies, need to assert an expectation of security as part of doing business.

Many restaurants and retail establishments are still small businesses today, run by families and individuals. In many of these stores, there is a certain level of distrust of cloud and connected platforms, versus point-of-sale systems they can put their hands on and feel like they have control over. How do we gain the trust and attention of these small stakeholders, and help them either more strongly secure things in-house or make the move to cloud security services? We can’t just have an answer that demands $4,000 or $40,000 to make the fix. Instead we have to find every possible opportunity to go serverless and make more and more walled-garden capability for things like point of sale, or a small engineering platform.

When it comes to small businesses interconnecting systems and moving into cloud services for consumers, having these small companies hold identities is a challenge from a trust perspective. Forums and programs like the OpenID technologies, which provide standards and enable identity without spreading the authorization infrastructure unnecessarily, have been instrumental in constraining the size of this problem.

Security spans everything. There are basic exercises that you can do as business customers to check your readiness. I am a huge fan of SOAPA from ESG as a method of mapping what assets you have at different levels of the organization. Ask yourself a basic question: can you keep control integrity when you go from one “tower” of connected capability (like on-premise) to the other silos or major cloud environments of your hybrid company? I’d also add that it costs nothing to follow some of your favorite security personalities. I follow people like Cisco’s Wendy Nather and Katie Moussouris, the CEO of Luta Security, who is helping even small companies understand the market of bug bounties and vulnerability disclosure.

Here, too, public policy potentially has a natural role. Government requires health training, for example in a restaurant, but does not necessarily require information security training at small- and medium-sized businesses. Actually, the natural consequences and motivations of insurance companies can be an ally here: requiring training in basic computer hygiene, security, and privacy as part of issuing liability policies for businesses.

Q5: What are some new cybersecurity threats that we can expect to see in the next year?

I expect to see the rise of more significant exploitation of the “seams” in cloud integrations. The recent Capital One breach was relatively benign in the scheme of things. The actor was a braggart hacktivist, but the media coverage emphasized the weakness of cloud integrations to many who might have more capability. We’ve seen spikes in discussion in the dark web around this, so the profile of the cloud vulnerability is higher, and now we will have to see how the cat-and-mouse game between offense and defense proceeds.

I think it’s worth adding that the next threat isn’t as much the challenge to me as the enterprise reaching the next rung of maturity in the digital environment. Asset management, vulnerability reduction, and preparing the protection of cloud operations and visibility are all critical disciplines for the enterprise, no matter what the threat is.

Protect your devices. Protect your cloud—not in silos, but with an integrated strategy. Demand from your vendors the ability to integrate to maintain a cohesive threat picture which you can use to easily react.

To read Part I of this two-part series, click here.

The post Securing the Unsecured: State of Cybersecurity 2019 – Part II appeared first on McAfee Blogs.

]]>
Are Cybersecurity Robots Coming For Your Job? https://securingtomorrow.mcafee.com/blogs/enterprise/are-cybersecurity-robots-coming-for-your-job/ https://securingtomorrow.mcafee.com/blogs/enterprise/are-cybersecurity-robots-coming-for-your-job/#respond Wed, 09 Oct 2019 15:30:56 +0000 https://securingtomorrow.mcafee.com/?p=97035


]]>

“14 Jobs That Will Soon Be Obsolete.” “Can A Robot Do Your Job?” “These Seven Careers Will Fall Victim to Automation.” For each incremental advance in automation technology, it seems there’s an accompanying piece of alarmist clickbait, warning of a future in which robots will be able to do everything we can, only better, cheaper, and for longer. Proponents of AI and automation view this as the harbinger of a golden age, ushering in a future free from all the paper-pushing, the drudgery, the mundane and repetitive things we have to do in our lives. We will work shorter hours, focus on more meaningful work, and actually spend our leisure time on, well, leisure.

But while it’s one thing to enjoy having a robot zipping across the floor picking up your 3-year-old’s wayward Cheerios, it’s quite another to imagine automation coming to our workplace. For those of us in cybersecurity, however, it has become a foregone conclusion: Now that criminals have begun adopting automation and AI as part of their attack strategies, it’s become something of an arms race, with businesses and individuals racing to stay one step ahead of increasingly sophisticated bad actors that human analysts will no longer be able to fend off on their own.

Spurred by growth in both the number of companies deploying automation and the sophistication of threats, automated processes are closing in on and even surpassing human analysts in some tasks—which is making some cybersecurity professionals uneasy. “When robots are better threat hunters, will there still be a place for me? What if someday, they can do everything I can do, and more?”

According to the “2019 SANS Automation and Integration Survey,” however, human-powered SecOps aren’t going away anytime soon. “Automation doesn’t appear to negatively affect staffing,” the authors concluded, after surveying more than 200 cybersecurity professionals from companies of all sizes over a wide cross-section of industries. What they found, in fact, suggested the opposite: Companies with medium or greater levels of automation actually have higher staffing levels than companies with little automation. When asked directly about whether they anticipated job elimination due to automation, most of those surveyed said they felt there would be no change in staffing levels. “Respondents do not appear concerned about automation taking away jobs,” the paper concludes.

There are many reasons for this, but perhaps the most basic is that, in order to see any sort of loss in the number of cybersecurity jobs, we’d first need to get to parity—and we’re currently about 3 million short of that.

Phrased another way, automation could theoretically eliminate three million jobs before a single analyst had to contemplate a career change. That’s an oversimplification, to be sure, but it’s also one that presupposes AI and automation will live up to all of its promises—and as we’ve seen with a number of “revolutionary” cybersecurity technologies, many fall short of the hype, at least in the early days.

Automation currently faces some fundamental shortcomings. First, it cannot deploy itself: experts are needed to tailor the solution to the business’s needs and ensure it is set up and functioning correctly. And once they’re in place, the systems cannot reliably cover all the security needs of an enterprise. Lacking human judgment, automated systems surface a great many false positives, and failing to put an analyst in charge of filtering and investigating these would create a huge burden on the IT staff responsible for remediation.

There’s also the issue of false negatives. AI is great at spotting what it’s programmed to spot; it is vastly more unreliable at catching threats it hasn’t been specifically instructed to look for. Machine learning is beginning to overcome this hurdle, but the operative word here is still “machine”—when significant threats are surfaced, the AI has no way of knowing what this means for the business it’s working for, as it lacks both the context to fully realize what a threat means to its parent company, and the ability to take into consideration everything a person would. Humans will still be needed at the helm to analyze risks and potential breaches, and make intuition-driven, business-critical decisions.

As effective as these automated systems are, once they’ve been programmed, their education begins to become obsolete almost immediately as new types of attack are created and deployed. Automated systems cannot continue to learn and evolve effectively without the guiding hand of humans. Humans are also needed as a check on this learning, to test and attempt to penetrate the defenses the system has developed.

Then there are the things that can never be automated: hiring and training people; selecting vendors; any task that requires creativity or “thinking outside the box”; making presentations and eliciting buy-in from the board of directors and upper management—and, of course, compliance. No automated system, no matter how sophisticated, is going to know when new laws, company regulations, and rules are passed, and no system will be able to adjust to such changes without human intervention. Even if the work of compliance could be completely automated, the responsibility for compliance cannot be outsourced, and rare would be the individual who could sleep easy letting a machine handle such tasks singlehandedly.

But for the sake of argument, let’s assume for a moment we could fully automate the SOC. While the loss of jobs is certainly a serious matter, we’d soon find the stakes to be much higher than even that. Hackers have already demonstrated an ability to hack into automated systems. If they were able to retrain your AI to ignore critical threats, and there was no human present to realize what was happening and respond swiftly and appropriately, sensitive data could be compromised enterprise-wide—or worse.

In short, automation won’t eliminate the demand for human cybersecurity expertise, at least in the short- to medium-term. But it will certainly redefine roles. According to SANS, implementation of effective automation often requires an initial surge in staff to get the kinks worked out—but it is almost invariably accompanied by a redirection, not reduction, of the existing workforce. Once in place, the automated systems will have two functions. By allowing analysts to shift their focus to more critical cybersecurity functions, improving efficiency, reducing incident response time, and reducing fatigue, they function as a tool for cybersecurity professionals to increase their effectiveness.

But their most valuable role may be as a partner. Automation may be powerful, but automation closely directed and honed by humans is more powerful. Rather than taking the place of humans, robots will take their place alongside humans. Automation, then, should be thought of as a way not to replace SecOps teams, but rather to complement and complete them in a way that will allow them to handle both the monotonous and mundane (yet necessary) tasks in the SOC, and also attend to the true mission-critical tasks rapidly and without distraction.

For more on misconceptions surrounding automation, read the 2019 SANS Automation Survey.

The post Are Cybersecurity Robots Coming For Your Job? appeared first on McAfee Blogs.

]]>
The Open Cybersecurity Alliance – Building for the Future https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/the-open-cybersecurity-alliance-building-for-the-future/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/the-open-cybersecurity-alliance-building-for-the-future/#respond Tue, 08 Oct 2019 16:00:24 +0000 https://securingtomorrow.mcafee.com/?p=97045


]]>

Today, the rapidly evolving cybersecurity threat landscape has driven an explosion of security products, generating an ever-increasing mountain of potentially valuable data and insights. But with that comes the increased complexity needed to make sense of it all and extract the real value. According to the industry analyst firm Enterprise Strategy Group, organizations use on average 25 to 49 different security tools from up to 10 vendors, each of which generates large amounts of siloed data. Today, integrating security products into an established operational environment can be extremely resource intensive, time-consuming, and costly, all at the expense of hours that could be better spent hunting and responding to threats.

For too long, many cybersecurity vendors have made life harder for customers by ensuring their “secret sauce” was theirs and theirs alone. Organizations were not able to get the full value from the tools they purchased because of the lack of interoperability, the expense of integration and the potentially valuable data locked away from sight in proprietary silos. This situation provides us with a real opportunity, and we intend to take advantage of it.

We have seen this play out before. Prior to the beginning of the Industrial Revolution, tools were mostly handcrafted and not precise or consistent enough to support manufacturing needs. It was widespread standardization that changed the landscape and led to the Industrial Revolution. Interchangeable parts allowed for the easy assembly of new and innovative products, cheap repairs and fewer skills and time required of workers. Best of all, it led to dramatically reduced costs across the board, for producers and consumers.

We need to foster a similar revolution in cybersecurity today.

McAfee and IBM Security have kick-started an initiative to bring real interoperability and data sharing across the cybersecurity product landscape. The Open Cybersecurity Alliance (OCA) project comprises like-minded global cybersecurity vendors, end users, thought leaders and individuals interested in fostering an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated response, via commonly developed code and tooling, using mutually agreed upon technologies, standards, and procedures.

The Alliance’s founders, McAfee and IBM Security, are joined in the initiative by Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.

The OCA was formed under the auspices of OASIS, a respected consortium driving the development, convergence and adoption of open standards for the global information society. The Alliance was launched as an OASIS Open Project on October 8, 2019. Participation from additional organizations and individual contributors is welcomed.

OCA’s goal is to develop and promote sets of open source common content, code, tooling, patterns, and practices for operational interoperability and data sharing among cybersecurity tools. The Alliance aims to create an environment where cybersecurity vendors do not compete on plumbing; rather, the plumbing is the foundation, the common platform, upon which cybersecurity tools are built. Cybersecurity vendors have a real adversary they are trying to defeat, and they should not be distracted by each having to replicate different ways to provide product plumbing.

For enterprise users, OCA means:

  • Improving security visibility, providing the ability to discover new insights and findings that might otherwise have been missed
  • Extracting real value from existing products while reducing vendor lock-in
  • Connecting data and sharing insights across products
  • Enabling vendors who make use of OCA code, tooling, and patterns to seamlessly interoperate, making plug-and-play integration of cybersecurity products a reality
  • Facilitating a variety of security use cases, including threat hunting and detection, analytics, operations, response, and more

In short, the goal is: integrate once, reuse everywhere.

For security vendors, the benefits of supporting the OCA in products are tangible. They include:

  • Reduced integration costs, improving vendors’ ability to focus on higher-value features and integrations
  • Improved robustness of data integrations, allowing customers to extract more value from their products and tools
  • Ease of integration for customers, allowing products to be more useful directly out of the box
  • No duplication of the messaging and data exchange aspects of products

Security practitioners benefit from OCA-integrated tools through:

  • Increased visibility and the ability to discover new critical insights and findings that would have otherwise been missed
  • Reduced procurement of unnecessary new tools
  • Reduced vendor lock-in
  • More rapid deployment and integration into security processes
  • Overall reduction of costs for product integration

Like the beginning of the Industrial Revolution, where interchangeable parts provided the economic incentives and the foundation for true innovation, we believe that an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated responses, will lead to real advancements in cybersecurity. The OCA strives to provide that foundation for cybersecurity innovation to flourish.

Join the Open Cybersecurity Alliance today and help us start a revolution.

The post The Open Cybersecurity Alliance – Building for the Future appeared first on McAfee Blogs.

]]>
Securing the Unsecured: State of Cybersecurity 2019 – Part I https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/securing-the-unsecured-state-of-cybersecurity-2019-part-i/ https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/securing-the-unsecured-state-of-cybersecurity-2019-part-i/#respond Tue, 08 Oct 2019 16:00:16 +0000 https://securingtomorrow.mcafee.com/?p=97025


]]>

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

Alongside some fantastic leaders and technology strategists from HCL, Oracle, Clarify360, Duo Security, and TCDI, we explored the challenges of today’s hyper-connected and stretched security team.

Over the last few years, more than 85% of business leaders surveyed by Dell and Dimensional Research have said that security teams could better enable digital transformation initiatives if they were included early, and 90% say security could better enable the business if given more resources. Yet most of these same leaders assert that security is being brought in too late to enable digital transformation initiatives. These digital transformation trends (cloud, data, analytics, devices) are critical to the next generation of customer and employee experiences, and for the clear majority of companies the transition of value chains is already in progress.

We collate the insights from the course of the discussion …

Q1: What are some of the IT security trends for 2019? Are there particular cybersecurity challenges related to digital trends?

Digital isn’t one trend, it’s many. Plus, we can’t stop running the business today. This forces a split of the skill investment available to companies, part of which MSSPs and system integrators can cover. The biggest challenge is extending information security into a multi-cloud world. Every large enterprise is multi-cloud and hybrid, yet few security operations teams are prepared for that.

Part of solving that challenge is adopting newer ways of identifying anomalies at scale, for example graph-based analysis, which is well suited to finding the small traces on which defensive capability depends. Machine learning will soon be present throughout the information security technology stack. This shift must happen, because the challenge is more than new environments: cloud log volumes are material (and you pay for them, by the way), the formats are different, the collection mechanisms are different, and visibility is fragmented.

The harder thing here is that information security teams must adjust to ALL of this at ONCE. Great, you have AWS CloudTrail. Let me ask you a question: which parts of your security stack can see it, are tuned for it, and can unify the risk identified there with the visibility derived on-premises? And if you can answer that positively, what about when I ask the same thing for Azure? Are you starting to think about the shift to resilience, or are you still thinking exclusively about defense and control?
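One concrete form of that unification, as an added example that is not part of the original post: the Python below maps a CloudTrail ConsoleLogin record and a Linux sshd auth-log line onto one event schema and then runs a single failed-login detection across both. The CloudTrail record and the syslog line are constructed samples; the schema field names are an assumption of this example, and the sshd parser assumes the host logs in UTC and covers only the `Failed`/`Accepted` `password`/`publickey` message forms.

```python
"""Normalize an AWS CloudTrail record and a Linux sshd log line into one
event schema, then run a single failed-login detection over both.

Added example, not code from the original post. The CloudTrail record and
the syslog line are constructed samples. The field mapping follows the
documented CloudTrail record format and the standard sshd message text, but
the target schema (source, time, principal, action, outcome, src_ip) is an
assumption made for this example.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: a failed AWS console login as CloudTrail records it.
CLOUDTRAIL_SAMPLE = json.dumps({
    "eventVersion": "1.05",
    "eventTime": "2019-10-08T16:00:16Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.5",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
    "errorMessage": "Failed authentication",
})

# Constructed sample: a failed SSH login from a Linux host's auth log.
SYSLOG_SAMPLE = ("Oct  8 16:00:20 bastion01 sshd[2231]: Failed password for alice "
                 "from 203.0.113.5 port 50412 ssh2")

# Covers only the "Failed/Accepted password|publickey for ..." sshd forms.
SSHD_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_cloudtrail(raw: str) -> Dict[str, object]:
    """Map one CloudTrail JSON record onto the common schema."""
    rec = json.loads(raw)
    ident = rec.get("userIdentity", {})
    # ConsoleLogin reports Success/Failure in responseElements, not in errorCode.
    result = rec.get("responseElements", {}).get("ConsoleLogin", "")
    return {
        "source": "aws:cloudtrail",
        "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": ident.get("userName") or ident.get("arn", "unknown"),
        "action": rec["eventName"],
        "outcome": "failure" if result == "Failure" else "success",
        "src_ip": rec.get("sourceIPAddress"),
    }


def normalize_sshd(line: str, year: int = 2019) -> Optional[Dict[str, object]]:
    """Map one sshd auth-log line onto the common schema; None if it is not a
    login outcome line. Syslog lines carry no year or zone, so both are assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "source": f"host:{m['host']}",
        "time": ts.replace(tzinfo=timezone.utc),  # assumes the host logs in UTC
        "principal": m["user"],
        "action": "sshd.login",
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "src_ip": m["ip"],
    }


def failed_logins_by_principal(events: List[Optional[Dict[str, object]]]) -> Dict[str, List[str]]:
    """One detection over both sources: which principals failed to log in, and
    where. Events the parsers did not understand (None) are skipped."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        if ev is not None and ev["outcome"] == "failure":
            hits.setdefault(str(ev["principal"]), []).append(str(ev["source"]))
    return hits


if __name__ == "__main__":
    events = [normalize_cloudtrail(CLOUDTRAIL_SAMPLE), normalize_sshd(SYSLOG_SAMPLE)]
    for principal, sources in failed_logins_by_principal(events).items():
        print(f"{principal}: failed logins seen in {', '.join(sources)}")
```

The point of the common schema is that the detection at the bottom never asks where an event came from; adding Azure sign-in logs means writing one more `normalize_*` function, not a second detection. Unparsed lines are returned as `None` rather than guessed at, so gaps in coverage stay visible instead of silently becoming "success".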

I’d ask, though: as your team invests in cloud, are they also investing in the understanding and readiness to protect data science? Is your security team’s project cycle becoming iterative as well, so that it can deliver these services at all? Identity and access management is part of the solution and a critical foundation. Effective governance and strategy can help you figure out which platforms hold security-relevant data. While it’s easy to say “see and save everything,” you quickly find out how expensive that is, and how much trash is in there. At that point, you can start thinking about automation.

Focusing on data storage and data in motion has led us to consider more zero-trust to cut down on the amount of interstitial security complexity. To realize that vision, tokenization and indexing and many other technologies must continue to expand. We face an odd duality between the confidentiality and accessibility of making data useful in digital employee experience and customer experience.

It’s about more than adding automation to conquer the complexity. The automation must have intelligence, and it must operate in a way that is more than “I bought tech with buzzwords.” So many platforms and products say they do these things—but as you buy and implement, you need to focus on how, and how hard they are to build and link together. Plus, how are you going to maintain them? Be careful as we adjust to keep the pace of digital transformation that we aren’t trading one problem for another.

Finally, I’d note that at every level of the information security organization, not just the CISO, people need a sense of purpose. What value do you add as a security professional to the customer experience? Why do you exist? We need to remember that, because customer journeys are where digital transformation shows up. We have to think end-to-end.

Q2: What can companies do to protect themselves against vulnerabilities created by IoT devices?

Start with procurement. Look, I’d love to tell you that IoT security is a software problem, but that’s only part of it. It really starts with buying technology that is well designed, and both the customer and the upstream vendor must enforce a Secure Development Life Cycle (SDLC) internally.

To a certain degree, we need to treat IoT as completely untrusted. Google’s BeyondCorp is a good goal for an entire organization’s high-level vision of zero trust. Data and device behaviour then need to be inspected closely rather than assumed to be well-behaved. We are fortunate that on today’s hardware the overhead of encryption is almost negligible, thanks to cryptographic acceleration in CPU instruction sets and offload on network interface hardware. With encryption that cheap in latency and performance, the organization can think differently about data protection.

When I think about IoT security, I continue to go back to an example that really made an impression on me a couple years back: If the team at IKEA can sell an IoT lightbar for cheap that has basic randomization, locked services, and minimal platform build … I have to think that certainly we can do better in health technology, industrial control systems, and manufacturing technologies.

When it comes to governance, IoT has the potential to turn asset management issues up to “11” on a 10-point scale of concern. How do you define an authorized device? Do you authorize an untrusted device to send data into the system? What do you recognize as a managed device? How will your organization make conditional access decisions to use, aggregate, and modify data? Enterprise Architecture (EA) needs to be part of the plan for effective governance. In some ways, as an industry, EA got swept up in the boom and bust of specific analyst models of architecture that failed to prove out their value cases at many organizations. In today’s iterative digital world, architecture and simplicity have to be part of the IoT project’s Minimum Viable Product in order to realize the scale needed later.

We can’t manage IoT like laptops; these devices have fewer capabilities. Instead we need more affirmative approaches that integrate the components of the ecosystem in a predictable and defined way, like trusted cloud. The default expectation for a device intended for a reduced-management environment should be that it ships with strong encryption, PKI-based identity validation, and locked-down, application-controlled execution built in out of the box.

When you take a step back and look at the problem as societal instead of the microcosm of a specific company’s product or implementation, public policy must enter into the intersection of law and devices at scale. We have to solve difficult questions like the role of liability and commercial incentives to build and deploy device platforms in a responsible way. As one example, when machine learning-led IoT decisions create a catastrophe, who is responsible? The owning company? The software vendor? The system integrator? All the above? In critical spaces like utilities and healthcare, we need the focus of meeting some level of criteria for devices to have minimum reasonable security.

Even at this scale, this too could be a great place for graph theory and machine learning-led approaches to secure societal-level device challenges like elections: the problem is readily expressed as math, and anomalies show up as deviations from a baseline. We need investment, however, from government or non-traditional sources, because state and local government and education have very long buying cycles, and the available budget for this problem hasn’t yet justified the extended R&D costs of these kinds of technological changes.

Even while these public policy shifts are emerging, the growing body of localized privacy law has created operational hurdles for enterprises. As a microcosm, the privacy safeguards in India’s data localization law represent many different interests being balanced in one approach. This has raised costs for multinationals, which must create duplicative storage, and has even slowed digital transformation and dragged on growth for India’s consulting and business process outsourcing sectors. You could make the same analysis for CCPA or GDPR, though these same measures have, potentially, helped citizens’ privacy.

To help companies navigate these challenges, we are seeing organizations like ENISA and the NCSC providing advisory guidance. This leads to the definition of a state of reasonable practice. When we add that practical dimension to ISO standards like the 27000 series, the CIS Controls (the Top 20 from the Center for Internet Security), and others, we help organizations see what the basics look like for practical security in IoT and in security generally.

In Part II of this series, we’ll explore the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

“Hackable?” Tests Whether Car Key Fobs Are Secure
Tue, 08 Oct 2019 15:55:44 +0000
https://securingtomorrow.mcafee.com/blogs/consumer/hackable/hackable-tests-whether-car-key-fobs-are-secure/

Smart key fobs make it easy to open your car, pop the trunk, and start driving without fumbling around for your keys. But is the signal sent through the air secure? Does every click give hackers a chance to capture your code?

During the second season of “Hackable?” white-hat hacker Tim Martin gained keyless entry to Geoff’s rental car by intercepting the key fob’s signal. On the latest episode, Tim’s back, and this time we learn if he can also start the car and drive away. Listen and learn if your car’s key fob could help a hacker steal your car in under 60 seconds!

Listen now to the award-winning podcast “Hackable?”.

Stay Smart Online Week 2019
Tue, 08 Oct 2019 00:28:59 +0000
https://securingtomorrow.mcafee.com/blogs/consumer/identity-protection/stay-smart-online-week-2019/

Let’s Reverse the Threat of Identity Theft!!

Our online identities are critical. In fact, you could argue that they are our single most unique asset. Whether we are applying for a job, a mortgage or even starting a new relationship, keeping our online identity protected, secure and authentic is essential.

This week is Stay Smart Online Week in Australia, an initiative by the Australian Government to encourage us all to take a moment and rethink our online safety practices. This year the theme is ‘Reverse the Threat’, which is all about encouraging Aussies to take proactive steps to control their online identity and stop the threat of cybercrime.

What Actually Is My Online Identity?

On a simple level, your online identity is the reputation you have generated for yourself online, intentionally or unintentionally. So, an accumulation of the pics you have posted, the pages you have liked and the comments you have shared. Some refer to this as your personal brand. Proactively managing it is critical for employment prospects and possibly even potential relationship opportunities.

However, there is another layer to your online identity that affects more than just your job or potential career opportunities. And that’s the transactional component. Your online identity also encompasses all your online movements since the day you ‘joined’ the internet. So, every time you have registered for an online account; given your email address to gain access or log in; joined a social media platform; undertaken a web search; or made a transaction, you have contributed to your digital identity.

What Are Aussies Doing to Protect Their Online Identities?

New research from McAfee shows Aussies have quite a relaxed attitude to managing their online identities. In fact, a whopping two thirds (67%) of Aussies admit to being embarrassed by the content that appears on their social media profiles. And just to make the picture even more complicated, 34% of Aussies admit to never increasing the privacy on their accounts from the default privacy settings despite knowing how to.

Why Does My Online Identity Really Matter?

As well as potentially hurting career or relationship prospects, a relaxed attitude to managing our online identities could be leaving the door open for cybercriminals. If you are posting about recent purchases and upcoming holidays and ‘checking in’ at your current location, you are making it very easy for cybercriminals to build a picture of you and possibly steal your identity. And leaving your privacy settings at the defaults, or not setting any at all, effectively means you are handing this information to cybercrims on a platter!!

Is Identity Theft Really a Big Problem?

As at the end of June, the Australian Competition and Consumer Commission claims that Aussies have lost at least $16 million so far this year through banking scams and identity theft. And many experts believe that this statistic could represent the ‘tip of the iceberg’ as it often takes victims some time to realise that their details are being used by someone else.

Whether it’s phishing scams; texts impersonating banks; fake online quizzes; phoney job ads, or information skimmed from social media, cybercriminals have become very savvy at developing novel ways of stealing online identities.

What Can You Do to ‘Reverse the Threat’ and Protect Your Online Identity?

With so much at stake, securing your online identity is more important than ever. Here are my top tips on what you can do to give yourself every chance of securing your digital credentials:

  1. Passwords, Passwords, Passwords

As the average consumer manages a whopping 11 online accounts – social media, shopping, banking, entertainment, the list goes on – updating our passwords is an important ‘cyber hygiene’ practice that is often neglected.

Creating long, unique passwords using a mix of upper- and lowercase letters, numbers and symbols is an essential way of protecting yourself and your digital assets online. And if that all feels too complicated, why not consider a password management solution? Password managers help you create, manage and organise your passwords. Some security software solutions, such as McAfee Total Protection, include a password manager.

  2. Turn on Two-Factor Authentication Wherever Possible!

Enabling two-factor authentication for your accounts will add an extra layer of defence against cybercriminals. Two-factor authentication is simply a security process in which the user provides 2 different authentication factors to verify themselves before gaining access to an online account. As one of the verification methods is usually an extra password or one-off code delivered through a separate personal device like a smartphone, it makes it much harder for cybercriminals to gain access to a person’s device or online accounts.

  3. Lock Down Privacy and Security Settings

Leaving your social media profiles on ‘public’ setting means anyone who has access to the internet can view your posts and photos whether you want them to or not. While you should treat everything you post online as public, turning your profiles to private will give you more control over who can see your content and what people can tag you in.

  4. Use Public Wi-Fi With Caution

If you are serious about managing your online identity, then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business: anything you send in the clear could easily find its way into the hands of cybercriminals. So, avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly or spend the bulk of your time on the road, consider investing in a VPN such as McAfee Safe Connect. A VPN (Virtual Private Network) encrypts the traffic between your device and the VPN provider’s server, so your login details and other sensitive information are protected from anyone else on the same network. A great insurance policy!

Thinking it all sounds a little too hard? Don’t! Identity theft happens to Aussies every day with those affected experiencing real distress and financial damage. So, do your homework and take every step possible to protect yourself, for as Benjamin Franklin said: ‘An ounce of prevention is worth a pound of cure’.

Alex xx

Device & App Safety Guide for Families
Sun, 06 Oct 2019 06:34:31 +0000
https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/device-app-safety-guide-for-families/

While we talk about online safety each week on this blog, October is National Cybersecurity Awareness Month (NCSAM), a time to come together and turn up the volume on the digital safety and security conversation worldwide.

To kick off that effort, here’s a comprehensive Device and App Safety Guide to give your family quick ways to boost safety and security.

Device Safety Tips

  • Update devices. Updates play a critical role in protecting family devices from hackers and malware, so check for updates and install promptly.
  • Disable geotagging. To keep photo data private, turn off geotagging, which embeds the location where a photo was taken in the photo file’s metadata.
  • Turn off location services. To safeguard personal activity from apps, turn off location services on all devices and within the app. 
  • Review phone records. Monitor your child’s cell phone records for unknown numbers or excessive late-night texting or calls.
  • Lock devices. Most every phone comes with a passcode, facial, or fingerprint lock. Make locking devices a habit and don’t share passcodes with friends. 
  • Add ICE to contacts. Make sure to put a parent’s name followed by ICE (in case of emergency) into each child’s contact list.
  • Back up data. To secure family photos and prevent data loss due to malware, viruses, or theft, regularly back up family data. 
  • Use strong passwords. Passwords should be more than eight characters in length and contain a mix of capital and lower case letters and at least one numeric or non-alphabetical character. Also, use two-factor authentication whenever possible.  
  • Stop spying. Adopting healthy online habits takes a full-court family press, so choose to equip over spying. Talk candidly about online risks, solutions, family ground rules, and consequences. If you monitor devices, make sure your child understands why. 
  • Share wisely. Discuss the risks of sharing photos online with your kids and the effect it has on reputation now and in the future. 
  • Protect your devices. Add an extra layer of protection to family devices with anti-virus and malware protection, and consider content filtering.
  • Secure IoT devices. IoT devices such as smart TVs, toys, smart speakers, and wearables are also part of the devices families need to safeguard. Configure privacy settings, read product reviews, secure your router, use a firewall, and use strong passwords at all connection points. 

App Safety Tips

  • Evaluate apps. Apps have been known to put malware on devices, spy, grab data illegally, and track location and purchasing data without permission. Check app reviews for potential dangers and respect app age requirements.
  • Max privacy settings. Always choose the least amount of data-sharing possible within every app and make app profiles private.
  • Explore apps together. Learn about your child’s favorite apps, what the risks are, and how to adjust app settings to make them as safe as possible. Look at the apps on your child’s phone. Also, ask your child questions about his or her favorite apps and download and explore the app yourself. 
  • Understand app cultures. Some of the most popular social networking apps can also contain inappropriate content that promotes pornography, hate, racism, violence, cruelty, self-harm, or even terrorism.
  • Monitor gaming. Many games allow real-time in-game messaging. Players can chat using text, audio, and video, which presents the same potential safety concerns as other social and messaging apps.
  • Discuss app risks. New, popular apps come out every week. Discuss risks such as anonymous bullying, inappropriate content, sexting, fake profiles, and data stealing. 
  • Avoid anonymous apps. Dozens of apps allow users to create anonymous profiles. Avoid these apps and the inherent cyberbullying risks they pose.
  • Limit your digital circle. Only accept friend requests from people you know. And remember, “friends” aren’t always who they say they are. Review and reduce your friend list regularly.
  • Monitor in-app purchases. It’s easy for kids to go overboard with in-app purchases, especially on gaming apps.

Our biggest tip? Keep on talking. Talk about the risks inherent to the internet. Talk about personal situations that arise. Talk about mistakes. Nurturing honest, ongoing family dialogue takes time and effort but the payoff is knowing your kids can handle any situation they encounter online.

Stay tuned throughout October for more NCSAM highlights and information designed to help you keep your family safe and secure in the online world.

Is Your Browser Haunted With Ghostcat Malware?
Fri, 04 Oct 2019 20:02:32 +0000
https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/ghostcat-malware/

October is finally among us, and things are spookier than usual. One ghost causing some hocus pocus across the World Wide Web is Ghostcat-3PC, a browser-hijacking malware that has launched at least 18 different malvertising campaigns in the last three months. According to SC Magazine, Ghostcat’s goal is to hijack users’ mobile browsing sessions and is specifically targeting website visitors in the U.S. and Europe.

How exactly does this ghost begin its haunting? The infection begins when a user visits a particular website and is served a malicious advertisement. Ghostcat then fingerprints the browser (collects information about the browser and device in order to identify it) to determine whether the ad is running on a genuine webpage. It also checks whether the ad is running on one of the more than 100 online publishers’ pages specifically targeted by this campaign. If both conditions are met, the malware serves a malicious URL linked to the ad.

From there, the malicious URL delivers obfuscated JavaScript, that is, code deliberately rewritten so that its source is hard to read. The attackers behind Ghostcat use this technique to evade the publishers’ ad scanners and blockers, preventing them from detecting the malicious content. The code also checks for additional conditions necessary for the attack: that it is running on a mobile device in a mobile-specific browser, that the device is located in a targeted country, and that it is running on a genuine website rather than a testing environment. If the browsing environment fits the target profile, the code serves a fraudulent pop-up that leads the user to malicious content.
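A defender-side view of those two traits (obfuscation plus environment gating), as an added example that is not part of the original post and not derived from Ghostcat’s actual payload: the Python below scans ad creative scripts for generic indicators of hidden code execution and of checks on the user agent, time zone and hostname, and flags a creative that combines both. The indicator regexes, the verdict labels and the two script samples are constructed for this example.

```python
"""Heuristic scan of ad creative scripts for two traits: obfuscation that
hides what the code runs, and environment gating that checks where it runs.

Added example, not code from the original post and not derived from
Ghostcat's payload. The indicator regexes, the verdict labels and the two
script samples are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample: an unremarkable creative that just loads an image.
BENIGN_AD = """
var img = document.createElement('img');
img.src = 'https://cdn.example.net/creative/1234.png';
img.width = 300; img.height = 250;
document.getElementById('ad-slot').appendChild(img);
"""

# Constructed sample: gates on a mobile user agent, a non-test hostname and a
# US/EU time zone, then decodes and evaluates a hidden payload (here a
# harmless alert, encoded only to show the pattern).
GATED_AD = r"""
var ua = navigator.userAgent;
if (/iPhone|Android/i.test(ua) && window.location.hostname !== 'localhost') {
  var tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
  if (/^(America|Europe)\//.test(tz)) {
    eval(String.fromCharCode(97,108,101,114,116,40,49,41));
  }
}
"""

# Indicators of code that hides what it executes.
OBFUSCATION = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "char_code_decoding": re.compile(r"String\.fromCharCode|\\x[0-9a-fA-F]{2}|\bunescape\s*\("),
}
# Indicators of code that checks its environment before acting.
GATING = {
    "ua_sniffing": re.compile(r"navigator\.userAgent|\biPhone\b|\bAndroid\b"),
    "locale_gating": re.compile(r"resolvedOptions\(\)\.timeZone|navigator\.language"),
    "sandbox_check": re.compile(r"location\.hostname|['\"]localhost['\"]|document\.referrer"),
}


def scan_script(src: str) -> Dict[str, object]:
    """Return the indicators found and a verdict: 'clean', 'obfuscated',
    'gated', or 'gated_payload' when gating and obfuscation occur together."""
    obf: List[str] = [name for name, rx in OBFUSCATION.items() if rx.search(src)]
    gate: List[str] = [name for name, rx in GATING.items() if rx.search(src)]
    if obf and gate:
        verdict = "gated_payload"
    elif obf:
        verdict = "obfuscated"
    elif gate:
        verdict = "gated"
    else:
        verdict = "clean"
    return {"obfuscation": obf, "gating": gate, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_AD), ("gated", GATED_AD)):
        print(label, scan_script(src))
```

The combination is what matters: legitimate creatives sometimes sniff the user agent to pick an image size, and minified libraries sometimes trip a decoding pattern, but a script that both hides its payload and refuses to run outside a narrow set of real mobile browsers is behaving exactly as the campaign described above does, and deserves a manual look rather than an automatic pass.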

So, what are some proactive steps users can take to avoid being haunted by Ghostcat? Follow these tips to avoid the malware’s hocus pocus:

  • Watch what you click. Avoid clicking on unknown links or suspicious pop-ups, especially those that come from someone you don’t know.
  • Be selective about which sites you visit. Only use well-known and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site altogether.
  • Surf the web safely. You can use a tool like McAfee WebAdvisor, which will flag sites that may be malicious even when nothing on the page looks wrong to you.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

ST11: MVISION Insights
Thu, 03 Oct 2019 19:41:46 +0000
https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st11-mvision-insights/

McAfee’s Senior Director of Security Intelligence Bill Woods and McAfee’s Director of Product Management Robert Leong discuss the importance of intelligence and insights.

ST10: Unified Cloud Edge with Sadik AlAbdulla and Tom Bryant
Thu, 03 Oct 2019 16:11:43 +0000
https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st10-unified-cloud-edge-with-sadik-alabdulla-and-tom-bryant/

One of McAfee’s Vice Presidents of Product Management Sadik AlAbdulla and Global Technical Director of Web & DLP Tom Bryant are at MPOWER 2019 discussing the newly announced Unified Cloud Edge.

Chapter Preview: Birth to Age 2 – First Footprints
Thu, 03 Oct 2019 10:00:01 +0000
https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/first-footprints/

When your baby is on the way, their privacy and digital security is probably the last thing you have on your mind. At least it’s way down there on the list—of course it is! You’re preparing for a bright, joyous addition to your family and home. Everything you’re doing is intended to create an environment that is safe and comfortable, so your baby knows a warm and loving world right from the start. Not to mention, you and your family are anticipating how much you’ll enjoy these milestones.

Part of the enjoyment includes sharing these moments, which is mainly done online these days. (When’s the last time you took a picture on film and had it printed?) From digital invitations, to baby showers, and ultrasound pictures posted on social media—the weeks and months leading up to birth are a celebration as well. And that’s where your baby’s data lake gets its initial drops. Your posts on social media make up the first little digital streams feeding their data lake, along with anything else you share about them online.

When my children were babies we spent a lot of time “baby proofing” the house. You know, putting special locks on the kitchen cabinets, plastic covers on electrical outlets, baby gates, and more. Today that behavior needs to extend online. We need to be the guardians of our baby’s privacy, identity, and security until they get to the age where they understand what’s at risk and can protect themselves.

No doubt you will want to share all those precious moments as your bundle of joy fills your life with happiness, despite the possible risks. With that in mind, there’s an entire chapter in “Is Your Digital Front Door Unlocked?” dedicated to your baby’s first steps online, offering suggestions on what constitutes a healthy balance of what should and should not be shared. It also looks at other important considerations that you may not have thought of, such as getting your baby a Web address and monitoring their identity to make sure an identity thief hasn’t hijacked it—plenty of things many parents wouldn’t think of, but should, given the way our world works today.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

MITRE ATT&CK™ APT3 Assessment https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/mitre-attck-apt3-assessment/ https://securingtomorrow.mcafee.com/blogs/enterprise/endpoint-security/mitre-attck-apt3-assessment/#respond Wed, 02 Oct 2019 17:32:16 +0000 https://securingtomorrow.mcafee.com/?p=96985

The post MITRE ATT&CK™ APT3 Assessment appeared first on McAfee Blogs.

Making a case for the importance of real-time reporting is a simple exercise when considering almost every major campaign. Take the case of Shamoon, where analysis of the Disttrack wiper revealed a future date on which destruction would happen. Similarly, cases where actors use different techniques in their attacks show that, once mapped out, a story becomes visible. The question is: do you have visibility into and early warnings of these threats, and how timely are they presented to you so that there is time to respond?

MITRE’s ATT&CK for Enterprise, produced by the Cyber Security division of MITRE, is an adversarial behavior model of possible attacker actions. The ATT&CK matrix is a visualization tool in the form of a large table, intended to provide a framework for talking about attacks in a unified way. It is coupled with detailed descriptions of the different tactics and techniques and how they differ from attacker to attacker.

When you participate in the assessment, MITRE is the red team simulating the techniques, used by APT3 in this case, and we as McAfee are the blue team using our products to detect their actions and report them. When the red team attacks us with a variant of a technique, as a blue team, we need to prove we detected it. 

McAfee went through a MITRE ATT&CK assessment early this summer and we are excited to announce that MITRE has published the results of the APT3 assessment today on their website. In today’s cyber-threat landscape, it’s all about time: time to detect, time to respond, time to remediate, etc. When it comes to advanced attacks such as those represented in APT3, real-time detections offer incident responders a significant advantage in rapidly containing threats.

As the results show, McAfee provided the most real-time alerts while detecting the attacks. When real-time alerts and the simple efficacy score, as calculated using criteria published by Josh Zelonis of Forrester, are considered together, McAfee occupies a leadership position in the upper right quadrant of the chart:

During MITRE’s APT3 evaluation, McAfee was the only vendor to display real-time alerts for certain attacks, including T1088: Bypass User Account Control, one of the techniques used by Shamoon. 

While MITRE’s evaluation focused on MVISION EDR’s detection capabilities, there are several aspects that defenders need to consider in order to properly triage, scope, contain and close an incident. During the APT3 attack we generated 200+ alerts and telemetry data points, which were the core of MITRE’s evaluation. Yet we don’t expect analysts to review them individually. In MVISION EDR those 200+ data points were clustered into 14 threats, which added context to paint a more complete picture of what happened and so speed triage.

Furthermore, analysts could trigger an automated investigation from a threat and thereby involve our AI-driven investigation guides to bring in more context from other products (e.g. ePO, SIEM), endpoint forensics, analytics and threat intelligence.

Investigation case collecting 4000+ pieces of evidence, linking it, showing expert findings and uncovering potential lateral movement between two devices

Thanks to our automated investigation guides, in the case of APT3, MVISION EDR was able to gather passive DNS information and link the evidence to further expose potential lateral movement and C2.

Although it was not exercised by MITRE, the next step for the analyst would have been to use MVISION EDR’s real-time search to further scope the affected devices and take containment actions (e.g. quarantine, kill processes, etc.).

McAfee has been engaged with MITRE in expanding the ATT&CK Matrix and helping to evolve future ATT&CK Evaluations. We are a proud sponsor of ATT&CKcon and will be exhibiting at ATT&CKcon 2.0 later this month. Come learn more about how automated AI-driven investigations can reduce the time to detect and respond to threats using McAfee MVISION EDR.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-the-all-stars/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-the-all-stars/#respond Wed, 02 Oct 2019 16:05:54 +0000 https://securingtomorrow.mcafee.com/?p=96897

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars appeared first on McAfee Blogs.

Episode 2: The All-Stars

Analyzing Affiliate Structures in Ransomware-as-a-Service Campaigns

This is the second installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019.

GandCrab announced its retirement at the end of May. Since then, a new RaaS family called Sodinokibi, aka REvil, took its place as one of the most prolific ransomware campaigns.

In episode one of our analysis on the Sodinokibi RaaS campaign we shared our extensive malware and post-infection analysis, which included code comparisons to GandCrab, and insight on exactly how massive the new Sodinokibi campaign is.

The Sodinokibi campaigns are still ongoing and differ in execution because different affiliates spread the ransomware. This raises more questions: how do the affiliates operate? Is the affiliate model working? What can we learn about the campaign, and its possible connections to GandCrab, by investigating the affiliates?

It turns out that, through large-scale sample analysis and aggregation of hardcoded values, we were able to determine which affiliates played a crucial role in the success of GandCrab’s criminal enterprise, and we found a lot of similarity between the RaaS enterprise of GandCrab and that of Sodinokibi.

Before we begin with the Sodinokibi analysis and comparison we will briefly explain the methodology that we used for GandCrab.

GandCrab RaaS System

GandCrab was a prime example of a Ransomware-as-a-Service. RaaS follows a structure where the developers are offering their product to affiliates, partners or advertisers who are responsible for spreading the ransomware and generating infections. The developers take a percentage of the earned income and provide the other portion to the affiliates.

FIGURE 1. HIGH LEVEL OVERVIEW OF THE GANDCRAB RAAS MODEL

Operating a RaaS model can be lucrative for both parties involved:

  • Developer’s perspective: The malware author/s request a percentage per payment for use of the ransomware product. This way the developers have less risk than the affiliates spreading the malware. The developers can set certain targets for their affiliates regarding the amount of infections they need to produce. In a way, this is very similar to a modern sales organization in the corporate world.

Additionally, a RaaS model offers malware authors a safe haven when they operate from a country that does not regard developing malware as a crime. If their own nation’s citizens are not victimized, the developers are not going to be prosecuted.

  • Affiliate perspective: As an affiliate you do not have to write the ransomware code yourself; less technical skill is involved. RaaS makes ransomware more accessible to a greater number of users. An affiliate just needs to be accepted in the criminal network and reach the targets set by the developers. As a service model it also offers a level of decentralization where each party sticks to their own area of expertise.

Getting a Piece of the Pie

Affiliates want to get paid proportionate to the infections they made; they expose themselves to a large amount of risk by spreading ransomware and they want to reap the benefits. Mutual trust between the developer and the affiliate plays a huge role in joining a RaaS system. It is very much like the expression: “Trust, hard to build, and easy to lose” and this largely explains the general skepticism that cybercriminal forum members display when a new RaaS system is announced.

For the RaaS service to grow and maintain their trust, proper administration of infections/earnings per affiliate plays an important part. Through this, the developers can ensure that everyone gets an honest piece of the proverbial “pie”. So how can this administration be achieved? One way is having hardcoded values in the ransomware.

Linking the Ransomware to Affiliates

Through our technical malware analysis, we established that, starting from version 4, GandCrab included certain hardcoded values in the ransomware source code:

  • id – The affiliate id number.
  • sub_id – A sub-identifier under the affiliate ID; it tracks either a party to whom the affiliate sub-rents infections or one of the affiliate’s own campaigns, each identifiable via its sub_id number.
  • version – The internal version number of the malware.

Version 4 had significant changes overall and we believe that these changes were partly done by the authors to improve administration and make GandCrab more scalable to cope with its increased popularity.

Based on the hardcoded values it was possible for us, to a certain extent, to extract the administration information and create our own overview. We hunted for as many different GandCrab samples as we could find, using Yara rules, industry contacts and customer submissions. The sample list we gathered is quite extensive but not exhaustive. From the collected samples we extracted the hardcoded values and compile times automatically, using a custom-built tool. We aggregated all these values together in one giant timeline from GandCrab version 4 all the way up to version 5.2.

FIGURE 2. SMALL PORTION OF THE TIMELINE OF COLLECTED SAMPLES (NOTE THE FIRST FOUR POSSIBLY TIME STOMPED)

ID and SUB_ID Characteristics Observed

Parent-Child Relationship
The extracted IDs and SUB_IDs showed a parent-child relationship, meaning every ID could have more than one SUB_ID (child) but every SUB_ID had only one ID (parent).

FIGURE 3. THE ACTIVITY OF ID NUMBER 41 (PARENT) AND ITS CORRESPONDING SUB_IDs (CHILDREN)

ID Increments
Overall, we observed a gradual increment in the ID number over time. The earlier versions generally had lower ID numbers and higher ID numbers appeared with the later versions.

However, there were relatively lower ID numbers that appeared in many versions, as shown in figure 3.

This observation aligned with our theory that the ID number corresponds with a particular affiliate. Certain affiliates remained partners for a long period of time, spreading different versions of GandCrab; this explains the ID number appearing over a longer period and in different versions. This theory has also been acknowledged by several (anonymous) sources.

Determining Top ID’s/Affiliates
When we applied the theory that the ID corresponded with an affiliate, we observed different levels of activity amongst the affiliates. Some affiliates/IDs were linked to only a single sample that we found. One explanation for an affiliate appearing only briefly is failure to perform: the GandCrab developers had a strict policy of expelling affiliates that underperformed, and expelling an affiliate would open a new slot that received a new, incremented ID number.

On the other hand, we observed several very active affiliates, “The All-Stars”, of which ID number 99 was by far the most active. We first observed ID 99 in six different samples of version 4.1.1, growing to 35 different samples in version 5.04. Based on our dataset we observed 71 unique unpacked samples linked to ID 99.

Being involved with several versions (consistency over time), in combination with the number of unique samples (volume) and the number of infections (based on industry malware detections) can effectively show which affiliate was the most aggressive and possibly the most important to the RaaS network.

Affiliate vs. Salesperson & Disruption

An active affiliate can be compared to a top salesperson in any normal commercial organization. Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, identifying and disrupting a top affiliate’s activity can have a crippling effect on the income of the RaaS network, internal morale and overall RaaS performance. This can be achieved through arrests of an affiliate and/or co-conspirators.

Another way is disrupting the business model and lowering the ransomware’s profits through offering free decryption tools or building vaccines that prevent encryption. The disruption will increase the operational costs for the criminals, making the RaaS of less interest.

Lastly, for any future proceedings (suspect apprehension and legal) it is important to maintain a chain of custody linking victims, samples and affiliates together. Security providers as gatherers and owners of this data play a huge role in safeguarding this for the future.

Overview Versions and ID Numbers

Using an online tool from RAWGraphs we created a graphic display of the entire dataset showing the relationship between the versions and the ID numbers. Below is an overview, a more detailed overview can be found on the McAfee ATR Github.

FIGURE 4. OVERVIEW OF GANDCRAB VERSIONS AND IDs

Top performing affiliates immediately stood out from the rest as their lines were thicker and more spread out. According to our data, the most active ID numbers were 15, 41, 99 and 170. Determining the key players in a RaaS family can help law enforcement prioritize its valuable resources.

Where are the All-Stars? Top Affiliates Missing in 5.2

At the time we did not fully realize it but, looking back at the overview, it stands out that none of the top affiliates/ID numbers were present in the final version 5.2 of GandCrab, which was released in February. We believe that this was an early indicator that the end of GandCrab was imminent.

This discovery might indicate that some kind of event had taken place that resulted in the most active affiliates not being present. The cause could have been internal or external.

But what puzzles us is why would a high performing affiliate leave? Maybe we will never hear the exact reason. Perhaps it is quite similar to why people leave regular jobs… feeling unhappy, a dispute or leaving for a better offer.

With the absence of the top affiliates the question remains: where did these affiliates go?

FIGURE 5. ID AND SUB_ID NUMBER LINKED TO VERSION 5.2

Please note that the active ID numbers 15, 41, 99 and 170 from the complete overview are not present in any GandCrab version 5.2 infections. The most active affiliate in version 5.2 was number 287.
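To make the methodology concrete, the following is an added example (not McAfee ATR’s extraction tool and not its data): it takes hardcoded (version, id, sub_id) values of the kind pulled from unpacked samples, checks the parent-child property, ranks affiliates by consistency across versions and by sample volume, and reports which IDs active in earlier versions are absent from the final one. The dataset inside it is constructed, with sample names standing in for hashes; the `record_from_config` helper also accepts the pid/sub field names of the Sodinokibi config discussed later in the post.

```python
"""Affiliate-administration analysis over hardcoded build values.

Added example, not McAfee ATR's own tooling. It reproduces the methodology
the post describes: take the (version, id, sub_id) values extracted from
unpacked samples, check the parent-child invariant (every SUB_ID has exactly
one ID), rank affiliates by consistency across versions and by sample volume,
and list affiliates that were active earlier but absent from the final version.
The dataset below is constructed for illustration and is not McAfee's data;
the ID and version numbers echo the ones the post mentions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    version: str  # internal version string hardcoded in the sample
    aff_id: int   # GandCrab "id" / Sodinokibi "pid"
    sub_id: int   # GandCrab "sub_id" / Sodinokibi "sub"
    sample: str   # identifier of the unpacked sample (placeholder, not a hash)


def record_from_config(cfg: dict, version: str, sample: str) -> Record:
    """Normalise a decrypted config: GandCrab used id/sub_id, REvil uses pid/sub."""
    aff = cfg["id"] if "id" in cfg else cfg["pid"]
    sub = cfg["sub_id"] if "sub_id" in cfg else cfg["sub"]
    return Record(version, int(aff), int(sub), sample)


def version_key(version: str) -> Tuple[int, ...]:
    """Sort '5.0.4' after '4.1.1' numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def parent_child_violations(records: Iterable[Record]) -> Dict[int, Set[int]]:
    """SUB_IDs that appear under more than one ID; per the post this is empty."""
    parents: Dict[int, Set[int]] = defaultdict(set)
    for r in records:
        parents[r.sub_id].add(r.aff_id)
    return {sub: ids for sub, ids in parents.items() if len(ids) > 1}


def affiliate_tree(records: Iterable[Record]) -> Dict[int, Dict[int, Set[str]]]:
    """ID -> SUB_ID -> samples: the tree shape of figures 3, 7 and 8."""
    tree: Dict[int, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in records:
        tree[r.aff_id][r.sub_id].add(r.sample)
    return tree


def rank_affiliates(records: Iterable[Record]) -> List[Tuple[int, int, int]]:
    """(id, versions seen, unique samples), most consistent and voluminous first."""
    versions: Dict[int, Set[str]] = defaultdict(set)
    samples: Dict[int, Set[str]] = defaultdict(set)
    for r in records:
        versions[r.aff_id].add(r.version)
        samples[r.aff_id].add(r.sample)
    rows = [(a, len(versions[a]), len(samples[a])) for a in samples]
    return sorted(rows, key=lambda t: (-t[1], -t[2], t[0]))


def affiliate_turnover(records: Iterable[Record],
                       final_version: str) -> Tuple[Set[int], Set[int]]:
    """(departed, newcomers): IDs seen before final_version but not in it,
    and IDs first seen in final_version."""
    final_key = version_key(final_version)
    earlier: Set[int] = set()
    final: Set[int] = set()
    for r in records:
        key = version_key(r.version)
        if key == final_key:
            final.add(r.aff_id)
        elif key < final_key:
            earlier.add(r.aff_id)
    return earlier - final, final - earlier


# Constructed dataset (not McAfee's): version, id, sub_id, sample placeholder.
SAMPLES = [
    Record("4.1.1", 99, 1, "s01"), Record("4.1.1", 99, 1, "s02"),
    Record("4.1.1", 15, 3, "s03"), Record("4.3", 99, 2, "s04"),
    Record("4.3", 41, 5, "s05"), Record("5.0.4", 99, 1, "s06"),
    Record("5.0.4", 99, 2, "s07"), Record("5.0.4", 170, 7, "s08"),
    Record("5.0.4", 41, 6, "s09"), Record("5.1", 99, 2, "s10"),
    Record("5.1", 170, 7, "s11"), Record("5.2", 287, 9, "s12"),
    Record("5.2", 287, 10, "s13"), Record("5.2", 300, 11, "s14"),
]


if __name__ == "__main__":
    print("sub_ids with more than one parent:", parent_child_violations(SAMPLES))
    for aff, nver, nsam in rank_affiliates(SAMPLES):
        print(f"id {aff:>4}: {nver} versions, {nsam} unique samples")
    departed, newcomers = affiliate_turnover(SAMPLES, "5.2")
    print("active before 5.2 but absent from it:", sorted(departed))
    print("first seen in 5.2:", sorted(newcomers))
```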

Goodbye GandCrab, Hello Sodinokibi/REvil

In our opening episode we described the technical similarities we have seen between GandCrab and REvil. We are not the only ones that noticed these similarities – security reporter Brian Krebs published an article where he highlights the similarities between GandCrab and a new ransomware named Sodinokibi or REvil, and certain postings that were made on several underground forums.

Affiliates Switching RaaS Families….

On two popular underground forums a user named UNKN, aka unknown, placed an advertisement on the 4th of July 2019 for a private ransomware-as-a-service (RaaS) he had been running for some time. Below is a screenshot of the posting. The response from a user with the nickname Lalartu is interesting. In a reply to the advertisement, Lalartu mentions that he is working with UNKN and his team, and that they had been a former GandCrab affiliate, something that was noticed by Bleepingcomputer too. Lalartu’s post supports our earlier observation that some top GandCrab affiliates suddenly disappeared and might have moved to a different RaaS family. This is something that was suspected but never confirmed with technical evidence.

We suspect that Lalartu is not the only GandCrab affiliate that has moved to Sodinokibi. If top affiliates have a solid and very profitable infection method available, then it does not make sense to retire with the developers.

Around February 2019, there was a noticeable change in some of GandCrab’s infection behavior. Managed Service Providers (MSPs) were now targeted through vulnerable systems and their customers got infected with GandCrab on a large scale, something we had not seen performed before by any of the affiliates. Interestingly, shortly after the retirement of GandCrab, the MSP modus operandi was quickly adopted by Sodinokibi, another indication that a former GandCrab affiliate had moved to Sodinokibi.

This makes us suspect that Sodinokibi is actively recruiting the top performing affiliates from other successful RaaS families, creating a sort of all-star team.

At the same time, the RaaS market is such where less proficient affiliates can hone their skills, improve their spreading capabilities and pivot to the more successful RaaS families. Combined with a climate where relatively few ransomware arrests are taking place, it allows for an alarming cybercriminal career path with dire consequences.

Gathering “administration” from Sodinokibi/REvil Samples

Another similarity Sodinokibi shares with GandCrab is the administration of infections, one of the indicators of a RaaS’s growth potential. In our earlier blog we discussed that Sodinokibi generates a JSON config file for each sample containing certain values such as a PID number and a value labeled sub. So, we decided to use our GandCrab affiliate methodology on the Sodinokibi config files we were able to collect.

With GandCrab we had to write our own tool to pull the hardcoded indicators but, with Sodinokibi, we were lucky enough that Carbon Black had developed a tool that did much of the heavy lifting for us. In the end there were still some samples from which we had to pull the configs manually. The JSON file contains different values and fields; for a comparison to GandCrab we focused on the PID and SUB field of each sample as these values appeared to have a similar characteristic as the ID and SUB_ID field in the GandCrab samples.

FIGURE 6. REVIL JSON CONFIG VALUES

Interpreting the Data Structures

With the data we gathered, we used the same analysis methodology on Sodinokibi as we did on GandCrab. We discovered that Sodinokibi has a RaaS structure very similar to GandCrab, with the Parent-Child relationship structure being nearly identical. Below we compared the activity of GandCrab affiliate number 99 with the activity of Sodinokibi affiliate number 19.

FIGURE 7. THE ACTIVITY OF GANDCRAB ID NO 99 (PARENT) AND ITS CORRESPONDING SUB (CHILDREN)

FIGURE 8. THE ACTIVITY OF SODINOKIBI PID NO 19 (PARENT) AND ITS CORRESPONDING SUB (CHILDREN)

It needs to be said that the GandCrab overview was generated over a longer period of time and from a larger total of samples than the Sodinokibi overview.

Nevertheless, the similarity is quite striking.

The activity of both ID numbers displays a tree-shaped structure with the parent ID number at the root and branching out to the respective SUB numbers linked to multiple samples.

We believe that the activity above might be linked to a tiered affiliate group that is specialized in RDP brute forcing and infecting systems with Sodinokibi after each successful compromise.

Both RaaS family structures are too large to effectively publish within the space of this blog. Our complete overview of the Sodinokibi RaaS structure can be found on our McAfee GitHub.

Conclusion

When we started our journey with GandCrab we did not expect it would take us so far down the rabbit hole. Mass sample analysis and searching for administration indicators provided a way to get more insight in a multi-million-dollar criminal enterprise, determine key players and foresee future events through changes in the business structure. We believe that the retirement of GandCrab was not an overnight decision and, based on the data on the affiliates, it was clear that something was going to happen.

With the emergence of Sodinokibi and the few forum postings by a high profile former GandCrab affiliate, everything fell into place. We have strong indications that some of the top affiliates have found a new home with Sodinokibi to further their criminal business.

Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, and it is run like a normal business, we (the security industry) should not only research the products the criminals develop, but also identify possible ways to successfully disrupt the criminal business.

In our next episode we dive deeper into the financial streams involved in the affiliate program and provide an estimate of how much money these actors are earning with the ransomware-as-a-service business model.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/#respond Wed, 02 Oct 2019 16:05:20 +0000 https://securingtomorrow.mcafee.com/?p=96864

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us appeared first on McAfee Blogs.

Episode 1: What the Code Tells Us

McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi (or REvil), at the end of April 2019. Around this same time, the GandCrab ransomware crew announced they would shut down their operations. Coincidence? Or is there more to the story?

In this series of blogs, we share fresh analysis of Sodinokibi and its connections to GandCrab, with new insights gleaned exclusively from McAfee ATR’s in-depth and extensive research.

In this first instalment we share our extensive malware and post-infection analysis and visualize exactly how big the Sodinokibi campaign is.

Background

Since its arrival in April 2019, it has become very clear that the new kid in town, “Sodinokibi” or “REvil” is a serious threat. The name Sodinokibi was discovered in the hash ccfde149220e87e97198c23fb8115d5a where ‘Sodinokibi.exe’ was mentioned as the internal file name; it is also known by the name of REvil.

At first, Sodinokibi ransomware was observed propagating itself by exploiting a vulnerability in Oracle’s WebLogic server. However, similar to some other ransomware families, Sodinokibi is what we call a Ransomware-as-a-Service (RaaS), where a group of people maintain the code and another group, known as affiliates, spread the ransomware.

This model allows affiliates to distribute the ransomware any way they like. Some affiliates prefer mass-spread attacks using phishing campaigns and exploit kits, while other affiliates adopt a more targeted approach by brute-forcing RDP access and uploading tools and scripts to gain more rights and execute the ransomware in the internal network of a victim. We have investigated several campaigns spreading Sodinokibi, most of which had a different modus operandi, but we did notice that many started with a breach of an RDP server.

Who and Where is Sodinokibi Hitting?

Based on visibility from MVISION Insights we were able to generate the below picture of infections observed from May through August 23rd, 2019:

Who is the target? Mostly organizations, though it really depends on the skills and expertise from the different affiliate groups on who, and in which geo, they operate.

Reversing the Code

In this first episode, we will dig into the code and explain the inner workings of the ransomware once it has executed on the victim’s machine.

Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article.

Based on the code comparison analysis we conducted between GandCrab and Sodinokibi we consider it a likely hypothesis that the people behind the Sodinokibi ransomware may have some type of relationship with the GandCrab crew.

FIGURE 1.1. OVERVIEW OF SODINOKIBI’S EXECUTION FLOW

Inside the Code

Sodinokibi Overview

For this article we researched the sample with the following hash (packed):

The main goal of this malware, as other ransomware families, is to encrypt your files and then request a payment in return for a decryption tool from the authors or affiliates to decrypt them.

The malware sample we researched is a 32-bit binary, with an icon in the packed file and without one in the unpacked file. The packer is programmed in Visual C++ and the malware itself is written in pure assembly.

Technical Details

The goal of the packer is to decrypt the true malware part and use a RunPE technique to run it from memory. To obtain the malware, we waited until the decryption had finished and the payload was loaded into memory, then dumped it to obtain an unpacked version.

The first action of the malware is to resolve all functions needed at runtime and build a dynamic IAT, which hides the Windows API calls from static analysis.

FIGURE 2. THE MALWARE GETS ALL FUNCTIONS NEEDED IN RUNTIME

The next action of the malware is to try to create a mutex with a hardcoded name. It is important to know that the malware has 95% of its strings encrypted. Each sample of the malware has different strings in a lot of places; values such as keys or seeds change all the time, to frustrate what we as an industry do, namely making vaccines or creating one decryptor that works without taking the values from the specific malware sample to decrypt the strings.

FIGURE 3. CREATION OF A MUTEX AND CHECK TO SEE IF IT ALREADY EXISTS

If the mutex exists, the malware finishes with a call to “ExitProcess.” This is done to avoid re-launching of the ransomware.

After this mutex operation the malware calculates a CRC32 hash of a part of its data using a special seed that changes per sample too. This CRC32 operation is based on a CRC32 polynomial operation instead of tables to make it faster and the code-size smaller.

The next step is decrypting this block of data if the CRC32 check passes with success. If the check is a failure, the malware will ignore this flow of code and try to use an exploit as will be explained later in the report.

FIGURE 4. CALCULATION OF THE CRC32 HASH OF THE CRYPTED CONFIG AND DECRYPTION IF IT PASSES THE CHECK

If the malware passes the CRC32 check and decrypts correctly, with a key that changes per sample, the block of data yields a JSON document in memory that is then parsed. This config has fields used later to prepare the keys that encrypt the victim’s key, and more information that alters the behavior of the malware.

The CRC32 check prevents somebody from swapping another config into the crypted data without also updating the CRC32 value in the malware.

After decrypting the JSON, the malware parses it with an embedded full JSON parser, extracts all fields and saves their values in memory.

FIGURE 5. PARTIAL EXAMPLE OF THE CONFIG DECRYPTED AND CLEANED

Let us explain all the fields in the config and their meanings:

  • pk -> This value, encoded in base64, is important later for the crypto process; it is the public key of the attacker.
  • pid -> The affiliate number that the sample belongs to.
  • sub -> The subaccount or campaign id for this sample, which the affiliate uses to keep track of its payments.
  • dbg -> Debug option. In the final version this is used to check whether some things have been done or not; it is a development option that can be true or false. In the samples in the wild it is false. If it is set, the keyboard check later will not happen. It is useful for the malware developers to prove that the malware works correctly in the critical part without excluding their own machines based on the language.
  • fast -> If this option is enabled (and by default a lot of samples have it enabled), the malware will crypt only the first 1 megabyte of each target file, or the whole file if it is smaller than that size. If this field is false, it will crypt the files in full.
  • wipe -> If this option is ‘true’, the malware will destroy the target files in the folders listed in the json field “wfld”. This destruction happens in every folder with one of the names in this field of the config, on logical units and network shares alike. The files are overwritten with trash data or null data, depending on the sample.
  • wht -> This field has some subfields: fld -> folders that should not be crypted; they are whitelisted to avoid destroying critical files of the system and programs. fls -> a whitelist of files by name; these files will never be crypted, which is useful to avoid destroying critical files of the system. ext -> a list of extensions to avoid encrypting, matched by extension.
  • wfld -> A list of folders where the files will be destroyed if the wipe option is enabled.
  • prc -> A list of processes to kill in order to unlock files that are locked by those programs, for example “mysql.exe”.
  • dmn -> A list of domains that the malware will use to send information about the victim if the net option is enabled; this list can change per sample.
  • net -> This value can be false or true. By default it is usually true, meaning that the malware will send information about the victim, if it has Internet access, to the domains listed in the config field “dmn”.
  • nbody -> A big string encoded in base64 that is the template for the ransom note, which will appear in each folder where the malware can create it.
  • nname -> The string with the name of the ransom note file. It is a template with a part that is randomized at execution time.
  • exp -> This field is very important in the config. By default it will usually be ‘false’, but if it is ‘true’, or if the check of the hash of the config fails, the malware will use the exploit for CVE-2018-8453. This value is false by default because the exploit does not always work and can cause a Blue Screen of Death, which would defeat the malware’s goal of encrypting the files and requesting the ransom. If the exploit works, it elevates the process to the SYSTEM user.
  • img -> A string encoded in base64. It is the template for the image that the malware will create at runtime to change the desktop wallpaper with this text.
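As an added example that is not McAfee’s code and not the malware’s own parser, the following Python triage helper walks a decrypted config using the field names documented above and reports the options that decide a sample’s behaviour. The config object embedded in the script is constructed for illustration, and the earlier decryption step is assumed to have happened already.

```python
"""Triage helper for a decrypted Sodinokibi/REvil configuration blob.

Added example, not McAfee's code. It assumes the config has already been
decrypted and is a JSON object whose field names match the ones documented
in the article (pk, pid, sub, dbg, fast, wipe, wht, wfld, prc, dmn, net,
nbody, nname, exp, img). SAMPLE_CONFIG below is constructed for
illustration; none of its values come from a real sample.
"""
import base64
import json

# Documented fields and the JSON type each one is expected to carry.
EXPECTED_FIELDS = {
    "pk": str, "pid": str, "sub": str, "dbg": bool, "fast": bool,
    "wipe": bool, "wht": dict, "wfld": list, "prc": list, "dmn": list,
    "net": bool, "nbody": str, "nname": str, "exp": bool, "img": str,
}

SAMPLE_CONFIG = json.dumps({  # constructed sample, not a real config
    "pk": base64.b64encode(b"\x01" * 32).decode(),
    "pid": "12",
    "sub": "345",
    "dbg": False,
    "fast": True,
    "wipe": True,
    "wht": {"fld": ["windows", "program files"],
            "fls": ["ntldr", "boot.ini"],
            "ext": ["exe", "dll", "sys"]},
    "wfld": ["backup"],
    "prc": ["mysql.exe", "sql.exe"],
    "dmn": ["example.invalid", "example.test"],
    "net": True,
    "nbody": base64.b64encode(b"Constructed ransom note text").decode(),
    "nname": "{EXT}-readme.txt",
    "exp": False,
    "img": base64.b64encode(b"Constructed wallpaper text").decode(),
})


def validate_fields(cfg):
    """Return names of documented fields that are missing or mistyped."""
    problems = []
    for name, typ in EXPECTED_FIELDS.items():
        if name not in cfg:
            problems.append(f"missing:{name}")
        elif not isinstance(cfg[name], typ):
            problems.append(f"type:{name}")
    return problems


def decode_b64_field(cfg, name):
    """Decode a base64 text field (nbody, img) to text; '' if absent/invalid."""
    raw = cfg.get(name, "")
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return ""


def triage(config_json):
    """Summarise the behaviour-controlling fields of a decrypted config.

    The keys mirror the article's description of each field: whether the
    exploit path and the language-check bypass are on, whether encryption is
    partial, what gets wiped, which processes are killed and which domains
    would receive the victim POST (only meaningful when 'net' is true).
    """
    cfg = json.loads(config_json)
    return {
        "problems": validate_fields(cfg),
        "affiliate": f"{cfg.get('pid')}/{cfg.get('sub')}",
        "uses_exploit": bool(cfg.get("exp", False)),
        "debug_skips_language_check": bool(cfg.get("dbg", False)),
        "partial_encryption_1mb": bool(cfg.get("fast", False)),
        "wipe_folders": list(cfg.get("wfld", [])) if cfg.get("wipe") else [],
        "kill_processes": list(cfg.get("prc", [])),
        "beacons": bool(cfg.get("net", False)),
        "c2_domains": list(cfg.get("dmn", [])),
        "whitelisted_ext": list(cfg.get("wht", {}).get("ext", [])),
        "note_name_template": cfg.get("nname", ""),
        "note_preview": decode_b64_field(cfg, "nbody")[:40],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG).items():
        print(f"{key:28} {value}")
```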

After decrypting and parsing the config, the malware checks the “exp” field and, if the value is ‘true’, it detects the operating system version using the PEB fields that report the major and minor version of the OS.

FIGURE 6. CHECK OF THE VERSION OF THE OPERATING SYSTEM

Usually only one OS can be found, but that is enough for the malware. The malware checks the file time to verify whether the date is before or after the patch that fixes the exploit was installed. If the file time is before the file time of the patch, it checks whether the OS is 64-bit or 32-bit using the function “GetSystemNativeInfoW”. On a 32-bit OS it uses a shellcode embedded in the malware that is the exploit; on a 64-bit OS it uses another shellcode that can use a “Heaven’s Gate” to execute 64-bit code from a 32-bit process.

FIGURE 7. CHECK IF OS IS 32- OR 64-BIT

If the field was false, or the exploit is patched, the malware checks the OS version again using the PEB. If the OS is at least Windows Vista, it reads the execution privilege level from its own process token. When the discovered level is less than 0x3000 (0x3000 meaning that the process is running as a real administrator of the system or as SYSTEM), it relaunches the process using the ‘runas’ command to elevate from the 0x2000 or 0x1000 execution level to 0x3000. After relaunching itself with ‘runas’, the original malware instance finishes.

FIGURE 8. CHECK IF OS IS WINDOWS VISTA MINIMAL AND CHECK OF EXECUTION LEVEL

The malware’s next action is to check whether the execution privilege is SYSTEM. If it is, the malware finds the process “Explorer.exe”, gets the token of the user that launched it and impersonates that user. This is a downgrade from SYSTEM to a user with fewer privileges, to avoid affecting the desktop of the SYSTEM user later.

After this it parses the config again and gathers information about the victim’s machine: the user of the machine, the name of the machine, etc. The malware prepares a victim id, to know who is affected, from two 32-bit values concatenated into one hexadecimal string.

The first of these two values is the serial number of the hard disk of the main Windows logical unit, and the second is the CRC32 hash of that serial number, computed with a hardcoded seed that changes per sample.

FIGURE 9. GET DISK SERIAL NUMBER TO MAKE CRC32 HASH

After this, the result is used as the seed to make the CRC32 hash of the name of the machine’s processor. This name is not extracted using the Windows API as GandCrab does; in this case the malware authors use the CPUID opcode to make it more obfuscated.

FIGURE 10. GET THE PROCESSOR NAME USING CPUID OPCODE

Finally, it converts these values into a hexadecimal string and saves it.

Later, during the execution, the malware writes the following entries in the Windows registry under the subkey “SOFTWARE\recfg” (this subkey can change in some samples but usually does not).

The key entries are:

  • 0_key -> Type binary; this is the master key (it includes the victim’s generated random key, used later for encryption, together with the key of the malware authors).
  • sk_key -> As with the 0_key entry, it is the victim’s private key, crypted, but with the affiliate public key hardcoded in the sample. It is the key used by the affiliate’s decryptor, but the malware authors can always decrypt any file crypted with any sample, as a secondary resource to decrypt the files.
  • pk_key -> Victim public key derived from the private key.
  • subkey -> Affiliate public key to use.
  • stat -> The information gathered from the victim machine, crypted and placed both in the ransom note and in the POST sent to the domains.
  • rnd_ext -> The random extension for the encrypted files (can be from 5 to 10 alphanumeric characters).

The malware first tries to write the subkey and the entries in the HKEY_LOCAL_MACHINE hive and, if that fails, it writes them in the HKEY_CURRENT_USER hive.

FIGURE 11. EXAMPLE OF REGISTRY ENTRIES AND SUBKEY IN THE HKLM HIVE

The information that the malware gets from the victim machine can be the user name, the machine name, the domain where the machine belongs or, if not, the workgroup, the product name (operating system name), etc.

After this step is completed, the malware checks the “dbg” option gathered from the config. If that value is ‘true’, it skips checking the language of the machine; if the value is ‘false’ (the default), it checks the machine language and compares it with a list of hardcoded values.

FIGURE 12. GET THE KEYBOARD LANGUAGE OF THE SYSTEM

The malware checks against the following list of blacklisted languages (they can change per sample in some cases):

  • 0x818 – Romanian (Moldova)
  • 0x419 – Russian
  • 0x819 – Russian (Moldova)
  • 0x422 – Ukrainian
  • 0x423 – Belarusian
  • 0x425 – Estonian
  • 0x426 – Latvian
  • 0x427 – Lithuanian
  • 0x428 – Tajik
  • 0x429 – Persian
  • 0x42B – Armenian
  • 0x42C – Azeri
  • 0x437 – Georgian
  • 0x43F – Kazakh
  • 0x440 – Kyrgyz
  • 0x442 – Turkmen
  • 0x443 – Uzbek
  • 0x444 – Tatar
  • 0x45A – Syrian
  • 0x2801 – Arabic (Syria)

We observed that Sodinokibi, like GandCrab and Anatova, blacklists the regular Syrian language and also the Syrian language in Arabic. If the system contains one of these languages, it exits without performing any action. If a different language is detected, it continues in the normal flow.

This is interesting and may hint at an affiliate being involved who has mastery of one of these languages. This insight became especially interesting later in our investigation.

If the malware continues, it searches for all the processes listed in the config field “prc” and terminates them in a loop, to unlock the files locked by those processes.

FIGURE 13. SEARCH FOR TARGET PROCESSES AND TERMINATE THEM

After this it destroys all shadow volumes of the victim machine and disables the recovery boot protection with this command:

  • exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

It is executed with the Windows function “ShellExecuteW”.
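As an added example that is not part of the original post, the following Python detection logic looks for two of the host traces described above, the shadow-copy/boot-recovery command line and the “SOFTWARE\recfg” subkey with the value names listed earlier, over constructed Sysmon-style log lines. The key=value log layout, the sample records and the rule names are assumptions made for the example.

```python
"""Detection logic for two host-side traces the article attributes to
Sodinokibi: the vssadmin/bcdedit one-liner and the SOFTWARE\\recfg
registry values.

Added example, not McAfee's code. The log lines below are constructed
Sysmon-style records (EventID 1 = process create, EventID 13 = registry
value set) flattened to 'key=value' pairs; a real export needs its own
parser, and the rule names are made up for this example.
"""
import re

# Constructed sample log lines: two benign, three that match the article's description.
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir C:\\Users",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c "
    "vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No "
    "& bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "EventID=13 TargetObject=HKLM\\SOFTWARE\\recfg\\0_key Details=Binary Data",
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\recfg\\rnd_ext Details=ab12cde",
    "EventID=13 TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync Details=x",
]

# Value names the article lists under the recfg subkey.
RECFG_VALUES = {"0_key", "sk_key", "pk_key", "subkey", "stat", "rnd_ext"}

# Each fragment of the quoted one-liner is matched on its own, so a sample that
# drops or reorders part of the command still fires at least one rule.
SHADOW_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# The subkey is the same whether it lands in HKLM or in a user hive.
RECFG_RE = re.compile(r"\\SOFTWARE\\recfg\\([^\\\s]+)$", re.I)


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; a value runs until the next ' key='."""
    fields = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line):
        fields[m.group(1)] = m.group(2)
    return fields


def match_line(line):
    """Return the rule names this log line triggers (empty list if none)."""
    f = parse_line(line)
    hits = []
    if f.get("EventID") == "1":
        cmd = f.get("CommandLine", "")
        hits += [name for name, rx in SHADOW_PATTERNS if rx.search(cmd)]
    elif f.get("EventID") == "13":
        m = RECFG_RE.search(f.get("TargetObject", ""))
        if m and m.group(1).lower() in RECFG_VALUES:
            hits.append("recfg_registry_value")
    return hits


def scan(lines):
    """Map line index -> hits for every line that fired at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
```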

FIGURE 14. LAUNCH COMMAND TO DESTROY SHADOW VOLUMES AND DESTROY SECURITY IN THE BOOT

Next it checks the config field “wipe” and, if it is true, destroys and deletes all target files with random trash or with NULL values. When wiping, it enumerates all logical units and finally the network shares, looking for the folders whose names appear in the config field “wfld”.

FIGURE 15. WIPE FILES IN THE TARGET FOLDERS

In the case where an affiliate creates a sample that has defined a lot of folders in this field, the ransomware can be a solid wiper of the full machine.

The next action of the malware is its main function: encrypting the files in all logical units and network shares, skipping the whitelisted folders, file names and extensions, and dropping the ransom note prepared from the template in each folder.

FIGURE 16. CRYPT FILES IN THE LOGIC UNITS AND NETWORK SHARES

After finishing this step, it creates the desktop image at runtime with the text that comes in the config file, prepared with the random extension that affects the machine.

The next step is checking the config field “net” and, if it is true, sending a POST message to the list of domains in the config field “dmn”.

FIGURE 17. PREPARE THE FINAL URL RANDOMLY PER DOMAIN TO MAKE THE POST COMMAND

This part of the code has similarities to the code of GandCrab, which we will highlight later in this article.

After this step the malware cleans its own memory of vars and strings. It does not remove the malware code, but it does remove the critical contents, to avoid dumps or forensic tools gathering information from RAM.

FIGURE 18. CLEAN MEMORY OF VARS

If the malware was running as SYSTEM after the exploit, it will revert its rights and finally finish its execution.

FIGURE 19. REVERT THE SYSTEM PRIVILEGE EXECUTION LEVEL

Code Comparison with GandCrab

Using the unpacked Sodinokibi sample and a v5.03 version of GandCrab, we started to use IDA and BinDiff to observe any similarities. Based on the Call-Graph it seems that there is an overall 40 percent code overlap between the two:

FIGURE 20. CALL-GRAPH COMPARISON

The most overlap seems to be in the functions of both families. Although values change, going through the code reveals similar patterns and flows:

Although there are some differences here and there, the structure is similar:

We already mentioned that the code part responsible for the random URL generation has similarities with regards to how it is generated in the GandCrab malware. Sodinokibi is using one function to execute this part where GandCrab is using three functions to generate the random URL. Where we do see some similar structure is in the parts for the to-be-generated URL in both malware codes. We created a visual to explain the comparison better:

FIGURE 21. URL GENERATION COMPARISON

We observe that, even though the way the two ransomware families generate the URL differs, the URL directories and file extensions used have a similarity that seems to be more than coincidence. This observation was also made by Tesorion in one of its blogs.

Overall, looking at the structure and the coincidences, either the developers of the GandCrab code used it as a base for creating a new family or, as another hypothesis, people got hold of the leaked GandCrab source code and started the new RaaS Sodinokibi.

Conclusion

Sodinokibi is a serious new ransomware threat that is hitting many victims all over the world.

We executed an in-depth analysis comparing GandCrab and Sodinokibi and discovered a lot of similarities, indicating the developer of Sodinokibi had access to GandCrab source-code and improvements. The Sodinokibi campaigns are ongoing and differ in skills and tools due to the different affiliates operating these campaigns, which begs more questions to be answered. How do they operate? And is the affiliate model working? McAfee ATR has the answers in episode 2, “The All Stars.”

Coverage

McAfee is detecting this family by the following signatures:

  • “Ransom-Sodinokibi”
  • “Ransom-REvil!”

MITRE ATT&CK Techniques

The malware sample uses the following MITRE ATT&CK™ techniques:

  • File and Directory Discovery
  • File Deletion
  • Modify Registry
  • Query Registry
  • Registry modification
  • Query information of the user
  • Crypt Files
  • Destroy Files
  • Make C2 connections to send information of the victim
  • Modify system configuration
  • Elevate privileges

YARA Rule

rule Sodinokobi
{
    /*
    This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future.
    */
    meta:
        author      = "McAfee ATR team"
        version     = "1.0"
        description = "This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future."
    strings:
        $a = { 40 0F B6 C8 89 4D FC 8A 94 0D FC FE FF FF 0F B6 C2 03 C6 0F B6 F0 8A 84 35 FC FE FF FF 88 84 0D FC FE FF FF 88 94 35 FC FE FF FF 0F B6 8C 0D FC FE FF FF }
        $b = { 0F B6 C2 03 C8 8B 45 14 0F B6 C9 8A 8C 0D FC FE FF FF 32 0C 07 88 08 40 89 45 14 8B 45 FC 83 EB 01 75 AA }
    condition:
        all of them
}

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us appeared first on McAfee Blogs.

Security is Shifting to a Unified Cloud Edge https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/security-is-shifting-to-a-unified-cloud-edge/ https://securingtomorrow.mcafee.com/blogs/enterprise/cloud-security/security-is-shifting-to-a-unified-cloud-edge/#respond Wed, 02 Oct 2019 16:00:10 +0000 https://securingtomorrow.mcafee.com/?p=96967

The post Security is Shifting to a Unified Cloud Edge appeared first on McAfee Blogs.

More than 95% of companies today use cloud services, and 83% store sensitive data in the cloud. This data is traveling via a larger and more diverse group of devices than ever before, to and from an ever-growing list of cloud services. More importantly, it is moving in ways you may not be able to see, may have no control over, and may not have even authorized.

Even today, many businesses don’t realize the extent of their cloud usage—the average organization thinks they use about 30 cloud services, but in reality, they use nearly 2,000. And those cloud services are hosting an ever-increasing amount of sensitive data—according to our 2019 Cloud Adoption and Risk Report, the number of files with sensitive data shared in the cloud has increased 53% year over year.

In an attempt to regain visibility and control, cybersecurity teams have attempted to stitch together a variety of data protection solutions, each with their own proprietary engine, policies and management platform. As a result, only 30 percent of companies can protect data with the same policies on their devices, network and cloud—and only 36% can enforce data loss prevention rules in the cloud at all. The fact that more than 80% of organizations have separate management controls for DLP and CASB deployments further increases complexity and lowers security efficacy.

With the cloud increasingly the epicenter of business operations, our security strategies must be able to secure not just our network, but every place our employees and our data go—whether it’s a corporate device at headquarters, an unmanaged smartphone on a foreign telecommunications network, or even an authorized user at home working from a personal laptop. And they must be able to do so simply.

To meet this challenge head on, McAfee has introduced Unified Cloud Edge, an industry-first initiative converging the capabilities of its award-winning McAfee MVISION Cloud, McAfee Web Gateway and McAfee Data Loss Prevention offerings within the MVISION ePO platform for a truly frictionless IT environment.

Figure 1: Simplified architecture for Unified Cloud Edge

“The convergence of security solutions that traditionally have functioned independently will improve an organization’s security posture by creating security defenses that work cohesively to defend against attacks,” Rob Westervelt, research director at IDC, said. “But even more importantly, this convergence will help ease the burden of managing security and compliance across hybrid and multi-cloud environments, which is one of the most significant challenges enterprises face today.”

Converging these technologies into a cloud-native platform offers simplicity in policy management, centralized incident management and reporting, and a combined set of application programming interface (API) and proxy-based controls to secure users, devices and data everywhere. Instead of replicating the work of implementing DLP across multiple environments, admins can use one set of content rules across endpoints, networks and cloud services. They can investigate security events, run reports from a single repository and enable a consistent user experience.

The result? Complete visibility and consistent controls over data from device to cloud, and an unrivaled level of simplicity and security.

To learn more about McAfee’s vision for a frictionless IT environment, check out the McAfee Unified Cloud Edge Tech Preview.

Aussies Fear Snakes, Spiders and Getting Hacked https://securingtomorrow.mcafee.com/blogs/consumer/aussies-fear-snakes-spiders-and-getting-hacked/ https://securingtomorrow.mcafee.com/blogs/consumer/aussies-fear-snakes-spiders-and-getting-hacked/#respond Wed, 02 Oct 2019 04:08:56 +0000 https://securingtomorrow.mcafee.com/?p=96974

The post Aussies Fear Snakes, Spiders and Getting Hacked appeared first on McAfee Blogs.

Fears and phobias. We all have them. But what are your biggest ones? I absolutely detest snakes but spiders don’t worry me at all. Well, new research by McAfee shows that cybercriminals and the fear of being hacked are now the 5th greatest fear among Aussies.

With news of data breaches and hacking crusades filling our news feeds on a regular basis, many of us are becoming more aware of and concerned about the threats we face in our increasingly digital world. And McAfee’s latest research confirms this, with hackers making their way into Australia’s Top 10 Fears.

According to research conducted by McAfee, snakes are the top phobia for Aussies, followed by spiders, heights and sharks. Cybercriminals and the fear of being hacked come in 5th place, beating the dentist, bees, ghosts, aeroplane travel and clowns!

Aussie Top 10 Fears and Phobias

  1. Snakes
  2. Spiders
  3. Heights
  4. Sharks
  5. Hackers/Cybercriminals
  6. The dentist
  7. Bees or wasps
  8. Ghosts
  9. Aeroplane travel
  10. Clowns

Why Do We Have Phobias?

Fears and phobias develop when we perceive that we are at risk of pain or, worse still, death. And while almost a third of respondents nominated snakes as their number one fear, there is less than a one-in-fifty-thousand chance of being bitten badly enough by a snake to warrant going to hospital in Australia, according to research from the Internal Medicine Journal.

In contrast, McAfee’s analysis of more than 108 billion potential online threats between October and December 2018, identified 202 million of these threats as genuine risks. With a global population of 7.5 billion, that means there is approximately a one in 37 chance of being targeted by cybercrime. Now while this is not a life-threatening situation, these statistics show that chance of us being affected by an online threat is very real.

What Are Our Biggest Cyber Fears?

According to the research, 82% of Aussies believe that being hacked is a growing or high concern. And when you look at the sheer number of reported data breaches so far this year, these statistics make complete sense. Data breaches have affected Bunnings staff, Federal Parliament staff, Marriott guests, Victorian Government staff, QLD Fisheries members, Skoolbag app users and Big W customers plus many more.

Almost 1 in 5 (19%) of those interviewed said their top fear at work is doing something that will result in a data security breach, leak sensitive information or infect their corporate IT systems.

The fear that we are in the midst of a cyberwar is another big concern for many Aussies. Cyberwar can be explained as a computer or network-based conflict where parties try to disrupt or take ownership of the activities of other parties, often for strategic, military or cyberespionage purposes. 55% of Aussies believe that a cyberwar is happening right now but we just don’t know about it. And a fifth believe cyber warfare is the biggest threat to our nation.

What Can We Do to Address Our Fear of Being Hacked?

Being proactive about protecting your online life is the absolute best way of reducing the chances of being hacked or being affected by a data breach. Here are my top tips on what you can do now to protect yourself:

  1. Be Savvy with Your Passwords

Using a password manager to create unique and complex passwords for each of your online accounts will definitely improve your online safety. If each of your online accounts has a unique password and you are involved in a breach, the hacker won’t be able to use the stolen password details to log into any of your other accounts.

  2. Stop AutoFill on Chrome

Storing your financial data within your browser and being able to populate online forms within seconds makes the autofill function very attractive; however, it is risky. Autofill will automatically fill out all forms on a page regardless of whether you can see all the boxes. You may think you are only entering your email address into an online form, but a savvy hacker could easily design an online form with hidden boxes designed to capture your financial information. So remove all your financial information from Autofill. I know this means you will have to manually enter information each time you purchase, but your personal data will be better protected.

  3. Think Before You Click

One of the easiest ways for a cybercriminal to compromise their victim is by using phishing emails to lure consumers into clicking links for products or services that could lead to malware, or a phoney website designed to steal personal information. If the deal seems too good to be true, or the email was not expected, always check directly with the source.

  4. Stay Protected While You Browse

It’s important to put the right security solutions in place in order to surf the web safely. Add an extra layer of security to your browser with McAfee WebAdvisor.

  5. Always Connect with Caution

I know public Wi-Fi might seem like a good idea, but if consumers are not careful, they could be unknowingly exposing personal information or credit card details to cybercriminals who are snooping on the network. If you are a regular Wi-Fi user, I recommend investing in a virtual private network (VPN) such as McAfee’s Safe Connect, which will ensure your connection is completely secure and that your data remains safe.

While it is tempting, putting our head in the sand and pretending hackers and cybercrime don’t exist puts ourselves and our families at even more risk! Facing our fears and making an action plan is the best way of reducing our worry and stress. So, please commit to being proactive about your family’s online security. Draw up a list of what you can do today to protect your tribe. And if you want to receive regular updates about additional ways you can keep your family safe online, check out my blog.

‘till next time.

Alex x

McAfee Receives the 2019 Security Excellence Award From IoT Evolution https://securingtomorrow.mcafee.com/blogs/consumer/2019-security-excellence-award/ https://securingtomorrow.mcafee.com/blogs/consumer/2019-security-excellence-award/#respond Mon, 30 Sep 2019 16:00:48 +0000 https://securingtomorrow.mcafee.com/?p=96949

The post McAfee Receives the 2019 Security Excellence Award From IoT Evolution appeared first on McAfee Blogs.

If you’re like most users, you’ve probably adopted several smart devices into your home over the last few years. Whether it be voice assistants, smart TVs, thermostats, or gaming systems, IoT devices help make our lives easier. But with greater connectivity also comes greater exposure to online threats. However, that doesn’t mean users should avoid using IoT technology altogether. With the help of smart security, users can feel safe and protected as they bring new gadgets into their lives. Solutions like McAfee Secure Home Platform, which is now the winner of the IoT Security Excellence Award, can help users connect with confidence.

Here at McAfee, we know smart security is more important now than ever before. That’s why we work tirelessly to ensure that our solutions provide consumers with the best protection possible. For example, McAfee Secure Home Platform provides automatic protection for the entire home network by automatically securing connected devices through a router with McAfee protection. It’s through the proactive evolution of our products that McAfee Secure Home Platform has received this 2019 IoT Security Excellence Award from IoT Evolution World, the leading publication covering IoT technologies.

The IoT Security Excellence Award celebrates the most innovative products and solutions in the world of IoT. It honors technology empowered by the new availability of information being deduced, inferred, and directly gathered from sensors, systems, and anything else that is supporting better business and personal decisions. Winners of this award are recognized for their innovation in gathering and managing information from connected devices that often are not associated with IoT.

“We are thrilled that McAfee Secure Home Platform has been recognized by IoT Evolution World as a recipient of the 2019 IoT Evolution Security Excellence Award. We continue to prioritize creating solutions that lead with ease of use and first-class protection, in order for consumers to best protect every connected device in their homes.” – Gary Davis, Chief Consumer Security Evangelist at McAfee.

As long as technology continues to evolve, so will the threat landscape. This is what drives us to keep developing leading solutions that help you and your loved ones connect with confidence. Solutions like McAfee Secure Home Platform are leading the charge in providing top home network security while still empowering users to enjoy their smart devices.

To stay updated on the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Opening up Europe’s Cyber Future https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/opening-up-europes-cyber-future/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/opening-up-europes-cyber-future/#respond Mon, 30 Sep 2019 13:00:21 +0000 https://securingtomorrow.mcafee.com/?p=96850

The post Opening up Europe’s Cyber Future appeared first on McAfee Blogs.

Europe will face a complex cocktail of cyber challenges in the coming five years, from safeguarding our critical infrastructure to protecting itself from election interference and disinformation whilst safeguarding citizen data privacy rights. A new set of leaders is preparing to take office in the European Commission’s headquarters in Brussels to take on these challenges. McAfee, at the cutting edge of cyber defence and mitigation, stands ready to help them embed the principles of open information exchange and interoperability that form the basis of a robust cybersecurity policy.

The principles of openness and interoperability have long been key to the growth of the digital economy. But in the field of cybersecurity, these principles take on an even greater importance. Openness and interoperability are a precondition for vibrant competition and rapid innovation, and competition authorities should remain vigilant to ensure they remain in place even as the digital ecosystem begins to gravitate around the giants that best harness the network effects digital technologies can enable.

But openness and interoperability are not just about innovation. They have become cornerstones for keeping citizens safe as they go about their lives. This is because no single actor has all the information needed to prevent, mitigate or remedy a cyber incident. McAfee has a proud history of precisely such partnerships, sharing emerging threat information in real-time with authorities, and helping them keep the critical infrastructure that we all rely on up and running even as they become prime targets for cyberattacks. Hospitals, transport networks and energy grids are the lifeblood of our society, and we need to keep them safe. Hence, we think it’s right that this Commission focus on their needs and develop new rules to safeguard these vital assets.

When it comes to privacy, Europe has made enormous leaps to improve the trust of citizens in digital services through more robust privacy rules and cybersecurity regulations, and we hope that EU lawmakers continue to keep the safety of their constituents as a top priority. At McAfee, we believe you cannot have privacy without security, and that companies must proactively consider privacy and security on the drawing board and throughout the development process for products and services going to market.

But cybersecurity is also about preparing for the future. In some cases the best cyber-defences take a long time to develop, and nowhere is this more apparent than in the election interference and disinformation practices that sought to bring the recent EU elections, and our democratic foundations, to their knees.

The May 2019 elections may still be fresh in our memory, but Europe should not lose a second in starting to build its resilience for the next ones. At McAfee, we believe tackling disinformation requires robust cyber hygiene by all. But the best way to address it is using cyber intelligence and tradecraft to understand the adversary, so citizens can better understand the scale of the problem and our politicians can make the most informed decisions on how best to combat it.

McAfee has observed the growing prominence of cybersecurity on the political agenda. This is a welcome and necessary development to ensure Europe is not caught off guard by a cyber incident. Of course, Europe’s policymakers in the Commission, Parliament and Council will pay attention to cyber threats when a crisis hits, but as John F. Kennedy put it, they would also do well to repair the roof when the sun is shining. Whatever the cyber weather, McAfee will be a trusted partner in making Europe more cyber secure.

The post Opening up Europe’s Cyber Future appeared first on McAfee Blogs.

5 Digitally-Rich Terms to Define, Discuss with Your Kids https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/5-digitally-rich-terms-to-define-and-discuss-with-your-kids/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/5-digitally-rich-terms-to-define-and-discuss-with-your-kids/#respond Sat, 28 Sep 2019 19:19:24 +0000 https://securingtomorrow.mcafee.com/?p=96834 online privacy

Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.

Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.

The problem: I assumed they knew.

Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.

But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?

With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.

5 digital terms that matter

Internet Privacy

Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet. 

Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use privacy settings on all apps, turn off cookies in search engines, review privacy policies of apps, and create bullet-proof passwords.

Digital Wellbeing

Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.

Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making choices, and choosing behaviors that help us build a healthy relationship with technology. Improving one’s digital wellbeing is an ongoing process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act: Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time to green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.

Media Literacy

Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.

Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this? How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.

Empathy

Empathy is stepping into the shoes of another person to better understand and feel what they are going through.

Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: There are also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act: Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word, an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling.)

Cyberbullying

Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.

Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.

We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.

The post 5 Digitally-Rich Terms to Define, Discuss with Your Kids appeared first on McAfee Blogs.

Attention YouTubers: Protect Your Account From Being Hacked https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/youtube-phishing-scam/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/youtube-phishing-scam/#respond Thu, 26 Sep 2019 00:24:39 +0000 https://securingtomorrow.mcafee.com/?p=96831

Did you know that YouTube has 23 million content creators worldwide? Well, it turns out that many of these video gurus found themselves in the middle of a cybersecurity calamity this past weekend. According to Forbes, reporter Catalin Cimpanu discovered a massive spear phishing campaign targeting YouTube content creators, tricking them into giving up their login credentials.

How are cybercriminals using this sneaky tactic to scoop up victims’ logins? Cimpanu discovered that hackers leveraged a substantial database to send emails to a targeted list of YouTube influencers. These emails contained phishing links luring the victims to fake Google login pages. Once the YouTuber filled out their login credentials, the attacker gained full access to the victim’s YouTube account, allowing them to change the vanity URL. This leaves the actual owner of the channel and their subscribers believing that the account has been deleted. Additionally, some of the accounts that were successfully hacked used two-factor authentication (2FA) via SMS, suggesting that the cybercriminals used a reverse proxy. A reverse proxy of this kind sits between the victim and the real login service and relays the victim’s input to the genuine site, so when the victim types in the SMS code on the fake page, the attacker captures it and uses it in real time.

Those targeted in this phishing scheme include mostly influencers covering a variety of genres, especially technology, music, gaming, and Disney. But with millions of content creators using YouTube as a platform to share their insights with the world, it’s critical that all users follow proper cybersecurity precautions to protect their credentials. So, what are some proactive steps YouTubers can take to ensure that their accounts are kept safe and secure? Check out the following tips:

  • Be on the lookout for phishing emails. If you receive an email from a company or business asking you to confirm your credentials, be skeptical. Phishers often forge messages from legitimate companies hoping to trick users into entering their login details.
  • Think before you click. Before clicking on a link, especially one in a suspicious email, hover over it to see if the URL address looks legitimate. If the URL contains misspellings, grammatical errors, or strange characters, it’s best to avoid interacting with the link.
  • Use two-factor authentication apps. While two-factor authentication is by no means an end-all, be-all security tactic, it does provide a good first line of defense if a hacker attempts to hijack your account. For this particular scheme, cybercriminals were able to bypass 2FA via SMS and intercept security codes. Therefore, users need to look into authenticator app options rather than simply relying on a code sent over SMS. Bear in mind that a live relay of this kind can forward app-generated codes too, so a phishing-resistant method such as a hardware security key is the stronger defense.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention YouTubers: Protect Your Account From Being Hacked appeared first on McAfee Blogs.

The Seven Main Phishing Lures of Cybercriminals https://securingtomorrow.mcafee.com/blogs/consumer/mobile-and-iot-security/the-seven-main-phishing-lures-of-cybercriminals/ https://securingtomorrow.mcafee.com/blogs/consumer/mobile-and-iot-security/the-seven-main-phishing-lures-of-cybercriminals/#respond Tue, 24 Sep 2019 23:16:05 +0000 https://securingtomorrow.mcafee.com/?p=96823

One of the oldest tricks in the cybercrime playbook is phishing. It first hit the digital scene in 1995, at a time when millions flocked to America Online (AOL) every day. And if we know one thing about cybercriminals, it’s that they tend to follow the masses. In earlier iterations, phishing attempts were easy to spot due to link misspellings, odd link redirects, and other giveaways. However, today’s phishing tricks have become personalized, advanced, and shrouded in new disguises. So, let’s take a look at some of the different types, real-world examples and how you can recognize a phishing lure.

Be Wary of Suspicious Emails

Every day, users get sent thousands of emails. Some are important, but most are just plain junk. These emails often get filtered to a spam folder, where phishing emails are often trapped. But sometimes they slip through the digital cracks, into a main inbox. These messages typically have urgent requests that require the user to input sensitive information or fill out a form through an external link. These phishing emails can take on many personas, such as banking institutions, popular services, and universities. As such, always remember to stay vigilant and double-check the source before giving away any information.

Link Look-A-Likes

A sort of sibling to email phishing, link manipulation is when a cybercriminal sends users a link to a malicious website under the ruse of an urgent request or deadline. After clicking on the deceptive link, the user is brought to the cybercriminal’s fake website rather than the real or verified one and asked to input or verify personal details. This exact scenario happened last year when several universities and businesses fell for a campaign disguised as a package delivery issue from FedEx. This scheme is a reminder that anyone can fall for a cybercriminal’s trap, which is why users always have to be careful when clicking, as well as ensure the validity of the claim and the source of the link. To check the validity, it’s always a good idea to contact the source directly to see if the notice or request is legitimate.

Gone Whaling

Corporate executives have always been high-level targets for cybercriminals. That’s why C-suite members have a special name for when cybercriminals try to phish them – whaling. What sounds like a silly name is anything but. In this sophisticated, as well as personalized attack, a cybercriminal attempts to manipulate the target to obtain money, trade secrets, or employee information. In recent years, organizations have become smarter and in turn, whaling has slowed down. Before the slowdown, however, many companies were hit with data breaches due to cybercriminals impersonating C-suite members and asking lower-level employees for company information. To avoid this pesky phishing attempt, train C-suite members to be able to identify phishing, as well as encourage unique, strong passwords on all devices and accounts.

Spear Target Acquired

Just as email spam and link manipulation are phishing siblings, so too are whaling and spear-phishing. While whaling attacks target the C-suite of a specific organization, spear-phishing targets its lower-level employees instead. Just as selective and sophisticated as whaling, spear-phishing targets members of a specific organization to gain access to critical information, like staff credentials, intellectual property, customer data, and more. Spear-phishing attacks tend to be more lucrative than a run-of-the-mill phishing attack, which is why cybercriminals will often spend more time crafting and obtaining personal information from these specific targets. To avoid falling for this phishing scheme, employees must have proper security training so they know how to spot a phishing lure when they see one.

Spoofed Content

With so many things to click on a website, it’s easy to see why cybercriminals would take advantage of that fact. Content spoofing is based on exactly that notion – a cybercriminal alters a section of content on a page of a reliable website to redirect an unsuspecting user to an illegitimate website where they are then asked to enter personal details. The best way to steer clear of this phishing scheme is to check that the URL matches the primary domain name.

Phishing in a Search Engine Pond

When users search for something online, they expect reliable resources. But sometimes, phishing sites can sneak their way into legitimate results. This tactic is called search engine phishing and involves search engines being manipulated into showing malicious results. Users are attracted to these sites by discount offers for products or services. However, when the user goes to buy said product or service, their personal details are collected by the deceptive site. To stay secure, watch out for potentially sketchy ads in particular, and when in doubt always navigate to the official site first.

Who’s That Caller?

With new technologies come new avenues for cybercriminals to try to obtain personal data. Vishing, or voice phishing, is one of those avenues. In a vishing attempt, cybercriminals call users, often using a fake caller ID so the call appears to come from a bank or other trusted business, and ask them to dial a number or confirm bank account or personal information over the phone. For example, just last year, a security researcher received a call from his financial institution saying that his card had been compromised. Instead of offering a replacement card, the caller suggested simply blocking any future geographic-specific transactions. Sensing something was up, the researcher hung up and dialed his bank directly; they had no record of the call or the fraudulent card transactions. This scenario, as sophisticated as it sounds, reminds users to always double-check directly with businesses before sharing any personal information.

As you can see, phishing comes in all shapes and sizes. This blog only scratches the surface of all the ways cybercriminals lure unsuspecting users into phishing traps. The best way to stay protected is to invest in comprehensive security and stay updated on new phishing scams.

Looking for more security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The Seven Main Phishing Lures of Cybercriminals appeared first on McAfee Blogs.

“Hackable?” Puts Wireless Mice to the Test https://securingtomorrow.mcafee.com/blogs/consumer/hackable/hackable-puts-wireless-mice-to-the-test/ https://securingtomorrow.mcafee.com/blogs/consumer/hackable/hackable-puts-wireless-mice-to-the-test/#respond Tue, 24 Sep 2019 16:37:37 +0000 https://securingtomorrow.mcafee.com/?p=96810

Wireless mice have become the preferred peripheral to scroll and click, and for most users, all they are really worried about is running out of battery at the wrong moment. But do these devices actually have a critical vulnerability? Could cutting the cord allow a hacker to take control of your computer?
On the latest episode of “Hackable?” we investigate whether Geoff’s wireless mouse is susceptible and just what kind of damage penetration tester Tim Martin can do with something called a MouseJack keystroke injection attack. Listen and learn if your most sensitive data is at risk!
Listen now to the award-winning podcast “Hackable?”.

The post “Hackable?” Puts Wireless Mice to the Test appeared first on McAfee Blogs.

ST09: Strategic Intelligence vs. Tactical Threat Intelligence https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st09-strategic-intelligence-vs-tactical-threat-intelligence/ https://securingtomorrow.mcafee.com/blogs/other-blogs/podcast/st09-strategic-intelligence-vs-tactical-threat-intelligence/#respond Mon, 23 Sep 2019 17:05:25 +0000 https://securingtomorrow.mcafee.com/?p=96804

McAfee’s Director of Product Management Robert Leong and Security Operations Solutions Strategist Andrew Lancashire unpack the differences between strategic intelligence and tactical threat intelligence.

 

The post ST09: Strategic Intelligence vs. Tactical Threat Intelligence appeared first on McAfee Blogs.

5 Hidden Hashtag Risks Every Parent Needs Know https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/5-hidden-hashtag-risks-every-parent-needs-know/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/5-hidden-hashtag-risks-every-parent-needs-know/#respond Sat, 21 Sep 2019 14:00:34 +0000 https://securingtomorrow.mcafee.com/?p=96763

Adding hashtags to a social post has become second nature. In fact, it’s so common, few of us stop to consider that as fun and useful as hashtags can be, they can also have consequences if we misuse them.

But hashtags are more than add-ons to a post; they are power tools. When we put the pound (#) sign in front of a word, we turn that word into a piece of metadata: a tag that allows a search engine to index and categorize the attached content so anyone can search for it. Looking for advice on parenting an autistic child? Then hashtags like #autism, #spectrum, or #autismspeaks will connect you with endless content tagged the same way.

Hashtags have become part of our lexicon and are used by individuals, businesses, and celebrities to extend digital influence. Social movements — such as #bekind and #icebucketchallenge — also use hashtags to educate and rally people around a cause. However, the power hashtags possess also means it’s critical to use them with care. Here are several ways people are using hashtags in harmful ways.

5 hidden hashtag risks

  1. Hashtags can put children at risk. Unfortunately, innocent hashtags commonly used by proud parents such as #BackToSchool, #DaddysGirl, or #BabyGirl can be magnets for a pedophile. According to the Child Rescue Coalition, predators troll social media looking for hashtags like #bathtimefun, #cleanbaby, and #pottytrain, to collect images of children. CRC has compiled a list of hashtags parents should avoid using.
  2. Hashtags can compromise privacy. Connecting a hashtag to personal information such as your hometown, your child’s name, or even #HappyBirthdayToMe can give away valuable pieces of your family’s info to a cybercriminal on the hunt to steal identities.
  3. Hashtags can be used in scams. Scammers can use popular hashtags they know people will search to execute several scams. According to NBC News, one popular scam on Instagram is scammers who use luxury brand hashtags like #Gucci or #Dior or coded hashtags such as #mirrorquality #replica and #replicashoes to sell counterfeit goods. Cybercriminals will also search hashtags such as #WaitingToAdopt to target and run scams on hopeful parents.
  4. Hashtags can have hidden meanings. Teens use code or abbreviation hashtags to reference drugs, suicide, mental health, and eating disorders. By searching the hashtag, teens band together with others on the same topic. Some coded hashtags include: #anas (anorexics) #mias (bulimics) #sue (suicide), #cuts (self-harm), #kush and #420 (marijuana).
  5. Hashtags can be used to cyberbully. Posting a picture on a social network and adding mean hashtags is a common way for kids to bully one another. They use hashtags such as #whatnottowear, #losr, #yousuck, #extra, #getalife, #tbh (to be honest) and #peoplewhoshouldoffthemselves on photo captions to bully or harass peers. Kids also cyberbully by making up hashtags like #jackieisacow and asking others to use them too. Another hashtag is #roastme, in which kids post a photo of themselves and invite others to respond with funny comments, but the humor can turn mean very quickly.

When it comes to understanding the online culture, taking the time to stay informed, pausing before you post, and trusting your instincts are critical. Also, being intentional to monitor your child’s social media (including reviewing hashtags) can help you spot potential issues such as bullying, mental health problems, or drug abuse.

The post 5 Hidden Hashtag Risks Every Parent Needs Know appeared first on McAfee Blogs.

Cybersecurity Platforms: 8 Must-Have Attributes https://securingtomorrow.mcafee.com/blogs/enterprise/cybersecurity-platforms-8-must-have-attributes/ https://securingtomorrow.mcafee.com/blogs/enterprise/cybersecurity-platforms-8-must-have-attributes/#respond Fri, 20 Sep 2019 16:17:24 +0000 https://securingtomorrow.mcafee.com/?p=96759

Defending enterprises against the growing frequency and complexity of cyberattacks is becoming an ever-increasing burden to cybersecurity budgets and manpower. An ESG enterprise-class cybersecurity technology platform white paper commissioned by McAfee shows CISOs have “reached a tipping point where the current cybersecurity point tools are no longer acceptable.” Current high-cost, complex strategies using disconnected point tools aren’t working and CISOs are abandoning their collection of cybersecurity point tools in favor of a consolidated, integrated approach.

ESG reports that consolidation is widespread and growing – 22% of organizations are actively consolidating the number of cybersecurity vendors they do business with on a large scale, while 44% of respondents are consolidating the number of cybersecurity vendors they do business with on a limited basis. ESG expects this trend to gain momentum over the next 12 to 24 months.

In response to this consolidation trend, more service providers are attempting to market their disparate tools as a platform. According to the ESG white paper, “Industry hyperbole has led to user confusion about what qualifies as a cybersecurity technology platform.”

Based on ESG’s survey findings, the following eight key attributes should be included in all RFIs/RFPs and become part of every cybersecurity technology platform:

  1. Prevention, detection, and response capabilities. CISOs expect cybersecurity platforms to provide strong defensive capabilities (i.e., rules, heuristics, machine learning models, behavioral algorithms, threat intelligence integration, etc.) capable of blocking and detecting threats with close to 100% efficacy. When threats are detected, cybersecurity platforms should average low false positive rates and provide concise forensic evidence that enables analysts to track events that led to an alert. Cybersecurity platforms should also include simple mitigation techniques such as quarantining a system, halting a process, or terminating a network connection. Users should have the ability to automate these remediation measures when desired.
  2. Coverage that spans endpoints, networks, servers, and cloud-based workloads and API-driven services. Cybersecurity platforms should be able to prevent, detect, and respond to threats across an enterprise IT infrastructure composed of endpoints, networks, servers, or cloud-based workloads and API-driven services. Prevention, detection, and response capabilities should be united so that security and IT operations teams can monitor activities and take actions across any security technology controls and any location.
  3. Central management and reporting across all products and services. All security controls should report to a central management plane delivering configuration management, policy management, monitoring, and remediation capabilities. Central management must be built for scale, support role-based access control, and offer the ability to customize multiple UIs and functions for different security and IT operations profiles.
  4. An “open” design. Security platforms must be built for integration by supporting common messaging buses and open APIs. Best-in-class cybersecurity platforms will also feature an open design capable of supporting third-party developers and security vendors with developer support resources, partner ecosystems, technical support services, and go-to market programs.
  5. Tightly coupled plug-and-play products and managed services. The transition from point tools to cybersecurity platforms may be an arduous journey requiring a phased implementation. As a result, cybersecurity platforms must play the role of force multiplier, providing incremental value through the integration of additional products and services. Adding any security product or managed service should increase the security efficacy and operational efficiency of the entire platform.
  6. Security coverage that includes major threat vectors including email security and web security. Most malware attacks emanate through compromised systems using techniques such as phishing, malicious attachments/links, and drive-by downloads. Cybersecurity platforms must include strong prevention/detection filters that work inline and service the entire IT infrastructure. Filters can be provided by the platform vendor or through third-party integrations.
  7. Cloud-based services. Cybersecurity platforms should be capable of utilizing cloud-based resources for processes such as file analysis, threat intelligence integration, behavioral analytics, and reputation list maintenance. Cloud-based services should be applied to all cybersecurity platform users in real time. When a malicious file is detected at one site, all other platform customers should be updated with prevention and detection rules to safeguard them from that threat.
  8. Multiple deployment options and form factors. The components of cybersecurity platforms should be accessible as on-premises software/devices, cloud-based server implementation, SaaS, or some combination. ESG gives the example of a large global enterprise that may deploy on-premises software/devices at corporate headquarters, cloud-based server implementation for large regional offices, and SaaS for remote workers. All form factor options should be anchored by central configuration management, policy management, and global monitoring.

ESG’s white paper advises CISOs to approach cybersecurity platforms with a long-term strategy and project plan that spans a 24-to-36-month timeframe.

ESG also identifies McAfee as “one of a few vendors” whose product fits the description of a cybersecurity technology platform. Because McAfee’s ePO-based cybersecurity technology platform aligns well with ESG’s eight key cybersecurity technology platform attributes and high-priority enterprise customer requirements, ESG states, “CISOs would be well served to explore McAfee’s ePO-based cybersecurity technology platform as it aligns well with current and future cybersecurity requirements for improving security efficacy, increasing operations efficiency, and enabling the business.”

Read more on how McAfee’s ePO can consolidate and improve your enterprise’s cybersecurity defenses.

The post Cybersecurity Platforms: 8 Must-Have Attributes appeared first on McAfee Blogs.

Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/medical-data-exposure/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/medical-data-exposure/#respond Thu, 19 Sep 2019 15:47:30 +0000 https://securingtomorrow.mcafee.com/?p=96765

Have you ever needed to get an X-ray or an MRI for an injury? It turns out that these images, as well as the health data of millions of Americans, have been sitting unprotected on the internet and available to anyone with basic computer expertise. According to ProPublica, these exposed records affect more than 5 million patients in the U.S. and millions more across the globe, equating to 16 million scans worldwide that are publicly available online.

This exposure affects data used in doctor’s offices, medical imaging centers, and mobile X-ray services. What’s more, the exposed data also contained other personal information such as dates of birth, details on personal physicians, and procedures received by patients, bringing the potential threat of identity theft closer to reality. And while researchers found no evidence of patient data being copied from these systems and published elsewhere, the implications of this much personal data exposed to the masses could be substantial.

To help users lock down their data and protect themselves from fraud and other cyberattacks, we’ve provided the following security tips:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open appeared first on McAfee Blogs.

Important Updates to DHS’s CDM Program Help Ensure Programs Effectiveness https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/important-updates-to-dhss-cdm-program-help-ensure-programs-effectiveness/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/important-updates-to-dhss-cdm-program-help-ensure-programs-effectiveness/#respond Thu, 19 Sep 2019 15:00:31 +0000 https://securingtomorrow.mcafee.com/?p=96757

The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program is a key component of the federal government’s cybersecurity posture. This important program provides real-time, continuous monitoring of federal networks while also auditing networks for unauthorized changes.

While the CDM program has been a boon to the security of many civilian agencies, there are opportunities to make it even stronger, and recent legislation introduced in both the House and Senate is vital to the continued success of the program. Just this month, Reps. John Ratcliffe (R-TX) and Ro Khanna (D-CA) introduced the Advanced Cybersecurity Diagnostics and Mitigation Act, which codifies the CDM program and encourages further innovation that will improve the federal government’s cyber readiness for years to come, helping prevent cyberattacks and intrusions by bad actors.

In addition to officially codifying the program, this bill includes other important requirements that will keep CDM up to date and effective, including:

  • The deployment of new CDM technologies
  • The availability of CDM capabilities for civilian departments and agencies, as well as state and local governments
  • A mandate that DHS develop a strategy to ensure CDM is constantly preparing for the changing cyber threat landscape

Perhaps most importantly, this bill puts a new focus on continuous monitoring as a capability that the tools federal agencies use every day should have. This focus is critical to enabling the federal government to better handle and respond to cyberattacks and other intrusions. While preventing these types of attacks is always the priority, Congress must also equip the federal government with the tools it needs to properly handle the worst-case scenario: an attack that impacts the government’s ability to function or one that puts sensitive information at risk.

At McAfee, we’re working every day to help federal, state and local governments better prepare for the threats of today and tomorrow, both on-premises and in cloud and multi-cloud environments. CDM is an ideal vehicle for agencies to use cloud to secure and protect citizen data, provide modernized services and more. Indeed, moving applications and infrastructure to the cloud is one of the innovations CDM should encourage.

Reps. Ratcliffe and Khanna’s bill is identical to its Senate counterpart (S.2318), introduced earlier this summer by Senators John Cornyn (R-TX) and Maggie Hassan (D-NH). These two bills go a long way toward building on CDM, adding important new language that focuses on the kind of innovation companies like McAfee invest in every day to strengthen the nation’s cybersecurity posture against the onslaught of cyber threats we face. We look forward to continuing to work with leaders in Congress to tackle these important issues and to constantly improve CDM.

The post Important Updates to DHS’s CDM Program Help Ensure Programs Effectiveness appeared first on McAfee Blogs.

Chapter Preview: It All Starts with Your Personal Data Lake https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/personal-data-lake/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/personal-data-lake/#respond Thu, 19 Sep 2019 10:00:42 +0000 https://securingtomorrow.mcafee.com/?p=96521

Once, not long ago, data was nestled in paper files or stored on isolated computer networks, housed in glassed-off, air-conditioned rooms. Now, data is digital, moves effortlessly, and gets accessed from devices and places around the world at breakneck speeds. This makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a whole host of purposes, such as advertising, insurance proposals, and scientific research, to name but a few. The data they are collecting and accessing about you is part of your personal data lake.

Data lake is a term that technologists typically use, but for us, using the term paints a strong visual for an important concept—how we create an extraordinary amount of data simply by going online and using connected devices. Your online interactions create drops of data that collect into streams, and pool together to form an ever-deepening lake of data over time. It stands to reason that the more time you spend online, connecting devices in your home and accessing a growing number of applications on your smartphone, the more quickly your personal data lake grows.

As you can imagine, your privacy and security are what’s at stake as you go about your digital life. Ultimately, the more data you share, either knowingly or unknowingly, the more that data potentially puts you at risk. This is true for you and your family members. The stakes get even higher because some of our own behavior can put us at risk. The internet is a platform with a global reach and a forever memory. What you say, do, and post can have a lifetime of implications. As a family, each member has a personal responsibility to look after themselves and each other. This unwritten contract extends to the internet because our actions there can impact our personal and professional lives, not to mention the lives of others. This book is laden with examples of how people get passed over for jobs, ruin romantic relationships, and end up doing actual physical harm to others because of what they say, do, or post online, ranging from sharing a picture of someone passed out at a party because it seemed funny at the time, to something calculated and intentionally injurious, like cyberbullying.

With people admitting that they spend an increasing amount of time online while connecting more and more devices in their homes, it’s time to understand the permanence of those behaviors and how they can impact all aspects of your life. As you go through the book, you’ll better understand how your personal data lake is constantly growing, and you’ll find useful tips you can use to better manage your information.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Chapter Preview: It All Starts with Your Personal Data Lake appeared first on McAfee Blogs.

Solving the Gamer’s Dilemma: Security vs. Performance https://securingtomorrow.mcafee.com/blogs/consumer/solving-the-gamers-dilemma/ https://securingtomorrow.mcafee.com/blogs/consumer/solving-the-gamers-dilemma/#respond Tue, 17 Sep 2019 17:30:59 +0000 https://securingtomorrow.mcafee.com/?p=96748

As of last year, 2.2 billion[1] people consider themselves gamers across the globe. Of that 2.2 billion, over 50% – 1.22 billion[2] – play their game of choice on a PC. The sheer number of PC gamers throughout the world, however, has sparked the interest of cybercriminals, and cyberthreats targeting gamers have spiked. Threats including malware, potentially unwanted programs (PUPs), phishing, account takeovers (ATO), and more have slowly started to permeate gamers’ domains at an alarming level.

PC gamers often settle for weaker security measures because they’re concerned about the potential negative impact on in-game performance. At the same time, they are the most connected online users, meaning their exposure to threats is generally higher. While they recognize and understand the importance of cybersecurity, they do not want to sacrifice performance for it. The gamer’s dilemma – security versus performance – is the crux of why gamers put security second, even though the average gamer has experienced almost five cyberattacks.

There’s good news though – McAfee Gamer Security is here to counter the notion that antivirus slows gamers down. This brand-new security solution from McAfee provides gamers with the security they need without sacrificing performance or creating in-game slowdowns, such as drops in frames per second (FPS) and lag. Built from the ground up, this solution delivers performance optimization by monitoring key system metrics coupled with the ability to manually kill resource hogs on-the-fly, while automatically prioritizing resources and pausing background services. McAfee Gamer Security also features cloud-based MicroAV, which offloads detection from the system to the cloud for all the protection gamers could want or need, without the “bloat” that usually accompanies security software.

While McAfee Gamer Security is now available for purchase, in spring 2019 McAfee surveyed users that participated in beta testing. Here’s how they responded to a few questions we asked:

Overall, what impact, if any, did you feel in your gaming experience?

“I believe I had [experienced] a positive impact of the software during my overall use of the program because it increased the speed of my game as well as gave me peace of mind that I…[stayed] protected during my gameplay.”

What one benefit would make you talk about McAfee Gamer Security to your friends? What is the primary reason for your choice? 

“Good security which doesn’t slow down my system; Normally, antiviruses…hog background resources [and] you trade performance for security. McAfee Gamer Security offers the best of both worlds, without contradicting each other.”

Overall, how useful or not useful has Gamer Security been?

“Every couple [of] hours or so while gaming, I…used the software to check up on my RAM/GPU/CPU performance and make sure my system isn’t bottlenecking, there aren’t any irregularities, etc. I also really like that I can experience a boost in my gameplay without having to take the risk of overclocking my components.”

In addition to using a security solution like McAfee Gamer Security, here are some other general tips to help you stay secure while playing your favorite video game:

  1. Ensure all applications, hardware and software are up-to-date. Cybercriminals can take advantage of software, hardware, and application vulnerabilities to spread cyberthreats, such as malware. Keep your devices and applications updated with the latest security patches and fixes to help combat this threat.
  2. Periodically visit your device to add/remove programs. Some apps on your device may be vampirically siphoning in-game performance. Remove apps that you do not need or no longer use.
  3. Create strong, unique passwords. Over 55% of gamers re-use the same password across accounts for online gaming services. And while it might be easier to remember the same password, reusing credentials across multiple accounts could put the hundreds, or even thousands, of invested hours in leveling up characters and gathering rare items at risk in the event one account is breached. Be sure to construct a complex password that is difficult to guess.

And, as always, stay on top of the latest consumer and gaming security threats with @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Footnotes

  1. Number of active video gamers worldwide from 2014 to 2021 (in millions), Statista, 2019
  2. Number of active PC gamers worldwide from 2014 to 2021 (in millions), Statista, 2019

The post Solving the Gamer’s Dilemma: Security vs. Performance appeared first on McAfee Blogs.

Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/are-cash-transfer-apps-safe-to-use-heres-what-your-family-needs-to-know/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/are-cash-transfer-apps-safe-to-use-heres-what-your-family-needs-to-know/#respond Sat, 14 Sep 2019 16:00:17 +0000 https://securingtomorrow.mcafee.com/?p=96722

I can’t recall the last time I gave my teenage daughter cash for anything. If she needs money for gas, I Venmo it. A Taco Bell study break with the roommates? No problem. With one click, I transfer money from my Venmo account to hers. She uses a Venmo credit card to make her purchase. To this mom, cash apps may be the best thing to happen to parenting since location tracking became possible. But as convenient as these apps may be, are they safe for your family to use?

How do they work?

The research company, eMarketer, estimates that 96.0 million people used Peer-to-Peer (P2P) payment services this year (that’s 40.4% of all mobile phone users), up from an estimated 82.5 million last year.

P2P technology allows you to create a profile on a transfer app and link your bank account or credit card to it. Once your banking information is set up, you can locate another person’s account on the app (or invite someone to the app) and transfer funds instantly into their P2P account (without the hassle of getting a bank account number, email, or phone number). That person can leave the money in their app account, move it into his or her bank account, or use a debit card issued by the P2P app to use the funds immediately. If the app offers a credit card (like Venmo does), the recipient can use the Venmo card like a credit card at retailers most anywhere. 

Some of the more popular P2P apps include Venmo, Cash App, Zelle, Apple Pay, Google Wallet, PayPal.me, Facebook Messenger, and Snapcash, among others. Because of the P2P platform’s rapid growth, more and more investors are entering the market each day to introduce new cash apps, which is causing many analysts to speculate on the need for paper check transactions in the future.

Are they safe?

While sending your hard-earned money back and forth through cyberspace on an app doesn’t sound safe, in general, it is. Are there some exceptions? Always. 

Online scam trends often follow consumer purchasing trends and, right now, the hot transaction spot is P2P platforms. Because P2P money is transferred instantly (and irreversibly), scammers exploit this and are figuring out how to take people’s money. After getting a P2P payment, scammers then delete their accounts and disappear, instantly.

In 2018 Consumer Reports (CR) compared the potential financial and privacy risks of five mobile P2P services with a focus on payment authentication and data privacy. CR found all the apps had acceptable encryption but some were dinged for not clearly explaining how they protected user data. The consumer advocacy group ranked app safety strength in this order: Apple Pay, Venmo, Cash App, Facebook Messenger, and Zelle. CR also noted they “found nothing to suggest that using these products would threaten the security of your financial and personal data.”

While any app’s architecture may be deemed safe, no app user is immune from scams, which is where app safety can make every difference. If your family uses P2P apps regularly, confirm each user understands the potential risks. Here are just a few of the schemes that have been connected to P2P apps.


Potential scams

Fraudulent sellers. This scam targets an unassuming buyer who sends money through a P2P app to purchase an item from someone they met online. The friendly seller casually suggests the buyer “just Venmo or Cash App me.” The buyer sends the money, but the item is never received, and the seller vanishes. This scam has been known to happen in online marketplaces and other trading sites and apps.

Malicious emails. Another scam is sending people an email telling them that someone has deposited money in their P2P account. They are prompted to click a link to go directly to the app, but instead, the malicious link downloads malware onto the person’s phone or computer. The scammer can then glean personal information from the person’s devices. To avoid a malware attack, consider installing comprehensive security software on your family’s computers and devices.

Ticket scams. Beware of anyone selling concert or sporting event tickets online. Buyers can get caught up in the excitement of scoring tickets for their favorite events, send the money via a P2P app, but the seller leaves them empty-handed.

Puppy and romance scams. In this cruel scam, a pet lover falls in love with a photo of a puppy online, uses a P2P app to pay for it, and the seller deletes his or her account and disappears. Likewise, catfish scammers gain someone’s trust. As the romantic relationship grows, the fraudulent person eventually asks to borrow money. The victim sends money using a P2P app only to have their love interest end all communication and vanish.  

P2P safety: Talking points for families

Only connect with family and friends. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario. P2P apps hold users 100% responsible for transfers. 

Verify details of each transfer. The sender is responsible for funds, even in the case of an accidental transfer. So, if you are paying Joe Smith your half of the rent, be sure you select the correct Joe Smith (not Joe Smith_1 or Joe Smithe) before you hit send. There could be dozens of name variations to choose from in an app’s directory. Also, verify with your bank that each P2P transaction registers.

Avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable financial and personal information. For this reason, only use a secure, private Wi-Fi network when using a P2P payment app. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN).


Don’t use P2P apps for business. P2P apps are designed to be used between friends and include no-commercial-use clauses in their policies. For larger business transactions such as buying and selling goods or services use apps like PayPal. 

Lock your app. When you have a P2P app on your phone, it’s like carrying cash. If someone steals your phone, they can go into an unlocked P2P app and send themselves money from your bank account. Set up extra security on your app. Most apps offer PINs, fingerprint IDs, and two-factor authentication. Also, always lock your device home screen.

Adjust privacy settings. Venmo includes a feed that auto-shares when users exchange funds, much like a social media feed. To avoid a stranger seeing that you paid a friend for Ed Sheeran tickets (and won’t be home that night), be sure to adjust your privacy settings.

Read disclosures. One way to assess an app’s safety is to read its disclosures. How does the app protect your privacy and security? How does the app use your data? What is the app’s error-resolution policy? Feel secure with the app you choose.

We’ve learned that the most significant factor in determining an app’s safety comes back to the person using it. If your family loves using P2P apps, be sure to take the time to discuss the responsibility that comes with exchanging cash through apps. 

The post Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know appeared first on McAfee Blogs.

Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/dealer-leads-data-breach/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/dealer-leads-data-breach/#respond Thu, 12 Sep 2019 18:54:34 +0000 https://securingtomorrow.mcafee.com/?p=96718

Buying a car can be quite a process and requires a lot of time, energy, and research. What most potential car buyers don’t expect is to have their data exposed for all to see. But according to Threatpost, this story rings true for many prospective buyers. Over 198 million records containing personal, loan, and financial information on prospective car buyers were recently leaked due to a database that was left without password protection.

The database belonged to Dealer Leads, a company that gathers information on prospective buyers through a network of targeted websites. These targeted websites provide car-buying research information and classified ads for visitors, allowing Dealer Leads to collect this information and send it to franchise and independent car dealerships to be used as sales leads. The information collected included records with names, email addresses, phone numbers, physical addresses, IP addresses, and other sensitive or personally identifiable information – 413GB worth of this data, to be exact. What’s more, the exposed database contained ports, pathways, and storage info that cybercriminals could exploit to access Dealer Leads’ deeper digital network.

Although the database has been closed off to the public, it is unclear how long it was left exposed. And while it’s crucial for organizations to hold data privacy to the utmost importance, there are plenty of things users can do to help safeguard their data. Check out the following tips to help you stay secure:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your accounts for unusual activity. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt appeared first on McAfee Blogs.

Countdown to MPOWER 2019: Survival Guide https://securingtomorrow.mcafee.com/blogs/enterprise/countdown-to-mpower-2019-survival-guide/ https://securingtomorrow.mcafee.com/blogs/enterprise/countdown-to-mpower-2019-survival-guide/#respond Wed, 11 Sep 2019 18:53:14 +0000 https://securingtomorrow.mcafee.com/?p=96704

This year, we’re excited to host the 12th annual MPOWER Cybersecurity Summit at the ARIA in Las Vegas, where fellow security experts will strategize, network, and learn about the newest and most innovative ways to ward off advanced cyberattacks. With the show nearly upon us, I’m sharing a “survival guide” for first-time attendees and anyone who might want a refresher of what’s to come. Here are a few tips and tricks to help make your MPOWER experience even more successful and enjoyable.

Travel, Transportation and Accommodations

MPOWER is the best place to leverage your existing McAfee investment, engage with our ecosystem of security experts, connect with other McAfee customers and much more.

If you haven’t yet booked your travel arrangements, be sure to do so as soon as possible to take advantage of the special rates offered by the ARIA Resort & Casino. When you arrive at Las Vegas McCarran International Airport, it is a quick 20-minute Uber or Lyft ride to the ARIA. For more information on ground transportation from the airport to the hotel, click here.

TIP: Need some help convincing your company or manager? Click here for our email template (and modify as appropriate) to help justify your attendance at MPOWER 2019.

Innovative Keynote Speakers

We have a great lineup of keynote speakers this year. You’ll hear from Secretary of State Madeleine K. Albright, General Colin L. Powell, and tech venture capitalist Roger McNamee. We’ll also have McAfee leadership on the keynote stage, including CEO Chris Young, EVP & Chief Product Officer Ashutosh Kulkarni, SVP of Cloud Rajiv Gupta, SVP & Chief Technology Officer Steve Grobman, and CMO Allison Cerra.

TIP: Be sure to get to the keynote stage early, as spots fill up fast.

Breakout Sessions

The sessions offered at MPOWER 19 will give you a better understanding of how to maintain the highest standards of security while reducing company costs, streamlining processes, and driving efficiencies in the daily administration of your systems. You’ll also have an exclusive opportunity to hear actual McAfee customers discuss how they solved real-world business challenges.

TIP: Once you’ve registered, enter your registration information at the MPOWER 19 My Event site to create a personalized agenda of the sessions and events you most want to attend. Then use your convenient schedule to make sure you don’t miss a thing!

MVISION Training Classes

New at MPOWER this year, MVISION training classes will be available free to customers and can be added to your schedule during registration. Classes will run October 1-3, and each attendee will receive a Certificate of Completion that can be submitted as a Continuing Education Unit (CEU/CPE) to ISC2, CompTIA, and other certification vendors. Seating is limited and available on a first-come, first-served basis—so add a course to your registration today!

TIP: Be sure to get your badge scanned at the door for each session to get credit.

Customer Spotlight

Stop by the Customer Spotlight, located on Level 1, to have some fun. This is a place where you can kick back and relax, challenge your peers to a game (Jenga, Connect 4, Cornhole, and many more) or just take a few minutes to catch up on email or recharge your phone. The Customer Spotlight will be open Tuesday through Thursday, 8:00 AM – 5:00 PM.

TIP: The list of the activities is lengthy—there’s something for everyone! For your participation, we offer an incentive program that will earn you points—redeem anytime for McAfee gear and much more.

Expo Hall & Innovation Fair

The Sponsor Expo will feature an impressive lineup of McAfee partners, including some of the world’s most successful businesses. This is your chance to meet with the key players of the security industry—all in one location. Also, stop by the Innovation Fair booth and see what product innovations McAfee has planned in the areas of threat defense, data protection, intelligent security operations, and cloud defense. During the Innovation Fair hours, you will be able to join in on short innovation talks with technical leaders from McAfee.

TIP: Navigating the conference and expo hall will involve a lot of walking. Bring comfortable shoes—your feet will thank you later.

Stay Connected with Twitter

Twitter is one of the best ways to “stay connected” whether you are at the event or attending virtually. You can learn a lot about what’s going on at MPOWER by following the #MPOWER19 hashtag—McAfee will be live tweeting keynotes, favorite session updates, valuable insights, freebies, party details and more. Be sure to tweet your own findings, happenings, etc. using the hashtag.  

TIP: Follow @McAfee, @McAfee_Business for conference updates, company announcements and more!

The MPOWER Mobile App

The MPOWER 19 Mobile App puts a full guide to the conference in the palm of your hand. Just download and enter your MPOWER registration info to access the daily schedule of events, session details, speaker info, and more! Available for iOS & Android, the MPOWER 19 Mobile App will help you maximize the value of the conference and keep you updated on everything that’s happening.

TIP: When onsite at MPOWER 19, visit the Mobile App Help Desk near registration to get all your questions answered. 

MPOWER Special Evening Event

On October 3rd, we’ll be hosting Fall Out Boy for a special performance. Get ready to dance the night away starting at 8 p.m. PT.

See You Soon!

We are committed to bringing together the best of the security industry to unite for a cause that’s bigger than all of us—the digital safety of our customers, organizations, and future generations. We invite you to join us in Las Vegas.

The post Countdown to MPOWER 2019: Survival Guide appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/blogs/enterprise/countdown-to-mpower-2019-survival-guide/feed/ 0
How To Practise Good Social Media Hygiene https://securingtomorrow.mcafee.com/blogs/consumer/how-to-practise-good-social-media-hygiene/ https://securingtomorrow.mcafee.com/blogs/consumer/how-to-practise-good-social-media-hygiene/#respond Wed, 11 Sep 2019 05:58:33 +0000 https://securingtomorrow.mcafee.com/?p=96695

Fact – your social media posts may affect your career, or worst case, your identity! New research from the world’s largest dedicated cybersecurity firm, McAfee, has revealed that two thirds (67%) of Aussies are embarrassed by the content that appears on their social media profiles. Yikes! And just to make the picture even more complicated, […]

The post How To Practise Good Social Media Hygiene appeared first on McAfee Blogs.

]]>

Fact – your social media posts may affect your career, or worst case, your identity!

New research from the world’s largest dedicated cybersecurity firm, McAfee, has revealed that two thirds (67%) of Aussies are embarrassed by the content that appears on their social media profiles. Yikes! And just to make the picture even more complicated, 34% of Aussies admit to never increasing the privacy on their accounts from the default privacy settings despite knowing how to.

So, next time these Aussies apply for a job and the Human Resources Manager decides to ‘check them out online’, you can guess what the likely outcome will be…

Proactively Managing Social Media Accounts Is Critical For Professional Reputation

For many Aussies, social media accounts operate as a memory timeline of their social lives. Whether they are celebrating a birthday, attending a party or just ‘letting their hair down’, many people will document their activities for all to see through a collection of sometimes ‘colourful’ photos and videos. But sharing ‘good times’ can become a very big problem when social media accounts are not proactively managed. Ensuring your accounts are set to the tightest privacy settings possible and curating them regularly for relevance and suitability is essential if you want to keep your digital reputation intact. However, it appears that a large proportion of Aussies are not taking these simple steps.

McAfee’s research shows that 28% of Aussies admit they have either never checked their social media timeline or cannot recall when they last did. 66% acknowledge that they have at least one inactive social media account. 40% admit that they’ve not even thought about deleting inactive accounts or giving them a clear-out and, concerningly, 11% don’t know how to adjust their privacy settings! So, I have no doubt that some of the Aussies that fall into these groups would NOT have come up trumps when they were ‘checked out online’ by either their current or future Human Resources Managers!!

What Social Media Posts Are Aussies Most Embarrassed By?

As part of the research study, Aussies were asked to nominate the social media posts that they have been most embarrassed by. Here are the top 10:

  1. Drunken behaviour
  2. Comment that can be perceived as offensive
  3. Wearing an embarrassing outfit
  4. Wardrobe malfunction
  5. In their underwear
  6. Throwing up
  7. Swearing
  8. Kissing someone they shouldn’t have been
  9. Sleeping somewhere they shouldn’t
  10. Exposing themselves on purpose

Cybercriminals Love Online Sharers

As well as the potential to hurt career prospects, relaxed attitudes to social media could be leaving the door open for cybercriminals. If you are posting about recent purchases, your upcoming holidays and ‘checking-in’ at your current location then you are making it very easy for cybercriminals to put together a picture of you and possibly steal your identity. And having none or even default privacy settings in place effectively means you are handing this information to cybercriminals on a platter!!

Considering how much personal information and images most social media accounts hold, it’s concerning that 16 per cent of Aussies interviewed admitted that they don’t know how to close down their inactive social media accounts and a third (34%) don’t know the passwords or no longer have access to the email addresses they used to set them up – effectively locking them out!

What Can We Do To Protect Ourselves?

The good news is that there are things we can do TODAY to improve our social media hygiene and reduce the risk of our online information getting into the wrong hands. Here are my top tips:

  1. Clean up your digital past. Sift through your old and neglected social media accounts. If you are not using them, delete the account. Then take some time to audit your active accounts. Delete any unwanted tags, photos, comments and posts so they don’t come back to haunt your personal or professional life.
  2. Lock down privacy and security settings. Leaving your social media profiles on the ‘public’ setting means anyone who has access to the internet can view your posts and photos whether you want them to or not. While you should treat anything you post online as public, turning your profiles to private will give you more control over who can see your content and what people can tag you in.
  3. Never reuse passwords. Use unique passwords with a combination of lower and upper case letters, numbers and symbols for each one of your accounts, even if you don’t think the account holds a lot of personal information. If managing all your passwords seems like a daunting task, look for security software that includes a password manager.
  4. Avoid sharing VERY personal information online. The ever-growing body of information you share online could possibly be used by cybercriminals to steal your identity. The more you share, the greater the risk. Avoid posting your full name, date of birth, current employer, names of your family members, your home address, even the names of your pets online, as you could be playing straight into the hands of identity thieves and hackers.
  5. Think before you post. Think twice about each post you make. Will it have a negative impact on you or someone you know now or possibly in the future? Does it give away personal information that someone could use against you? Taking a moment to think through the potential consequences BEFORE you post is the best way to avoid serious regrets in the future.
  6. Employ extra protection across all your devices. Threats such as viruses, identity theft, privacy breaches, and malware can all reach you through your social media. Install comprehensive security software to protect you from these nasties.


If you think you (or one of your kids) might just identify with the above ‘relaxed yet risky’ approach to managing your social media, then it’s time to act. Finding a job is hard enough in our crowded job market without being limited by photos of your latest social gathering! And no-one wants to be the victim of identity theft which could possibly affect your financial reputation for the rest of your life! So, make yourself a cuppa and get to work cleaning up your digital life! It’s so worth it!!

Alex xx

 

 

The post How To Practise Good Social Media Hygiene appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/blogs/consumer/how-to-practise-good-social-media-hygiene/feed/ 0
Iron Man’s Instagram Hacked: Snap Away Cybercriminals With These Social Media Tips https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/iron-man-instagram-hacked-social-media-tips/ https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/iron-man-instagram-hacked-social-media-tips/#respond Tue, 10 Sep 2019 22:41:34 +0000 https://securingtomorrow.mcafee.com/?p=96690

Celebrities: they’re just like us! Well, at least in the sense that they still face common cyberthreats. This week, “Avengers: Endgame” actor Robert Downey Jr. was added to the list of celebrities whose social media accounts have been compromised. According to Bleeping Computer, a hacker group managed to take control of the actor’s Instagram account, sharing […]

The post Iron Man’s Instagram Hacked: Snap Away Cybercriminals With These Social Media Tips appeared first on McAfee Blogs.

]]>

Celebrities: they’re just like us! Well, at least in the sense that they still face common cyberthreats. This week, “Avengers: Endgame” actor Robert Downey Jr. was added to the list of celebrities whose social media accounts have been compromised. According to Bleeping Computer, a hacker group managed to take control of the actor’s Instagram account, sharing enticing but phony giveaway announcements.

The offers posted by the hackers included 2,000 iPhone XS devices, MacBook Pro laptops, Tesla cars, and more. In addition to the giveaways added to the actor’s story page, the hackers also changed the link in his account bio, pointing followers to a survey page designed to collect personal information that could be used for other scams. The tricky part? The hackers posted the link through the URL shortening service Bitly, which hides the real destination, so followers had no visible clue as to whether the link was malicious or not.

This incident serves as a reminder that anyone with an online account can be vulnerable to a cyberattack, whether you have superpowers or not. In fact, over 22% of internet users reported that their online accounts have been hacked at least once, and more than 14% said that they were hacked more than once. Luckily, there are some best practices you can follow to help keep your accounts safe and sound:

  • Don’t interact with suspicious messages, links, or posts. If you come across posts with offers that seem too good to be true, they probably are. Use your best judgment and don’t click on suspicious messages or links, even if they appear to be posted by a friend.
  • Alert the platform. Flag any scam posts or messages you encounter on social media to the platform so they can stop the threat from spreading.
  • Use good password hygiene. Make sure all of your passwords are strong and unique.
  • Don’t post personal information. Posting personally identifiable information on social media could potentially allow a hacker to guess answers to your security questions or make you an easier target for a cyberattack. Keep your personal information under wraps and turn your account to private.

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Iron Man’s Instagram Hacked: Snap Away Cybercriminals With These Social Media Tips appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/blogs/consumer/consumer-threat-notices/iron-man-instagram-hacked-social-media-tips/feed/ 0
How Visiting a Trusted Site Could Infect Your Employees https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/how-visiting-a-trusted-site-could-infect-your-employees/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/how-visiting-a-trusted-site-could-infect-your-employees/#respond Tue, 10 Sep 2019 19:27:32 +0000 https://securingtomorrow.mcafee.com/?p=96681

The Artful and Dangerous Dynamics of Watering Hole Attacks A group of researchers recently published findings of an exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole […]

The post How Visiting a Trusted Site Could Infect Your Employees appeared first on McAfee Blogs.

]]>

The Artful and Dangerous Dynamics of Watering Hole Attacks

A group of researchers recently published findings on the exploitation of multiple iPhone vulnerabilities through compromised websites that infected visitors. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others; it is known as a watering hole attack.

How Does it Work?

Your organization is an impenetrable fortress that has implemented every single cybersecurity measure. Bad actors are having a hard time trying to compromise your systems. But what if the weakest link is not your organization, but a third party? That is where an “island hopping” attack can take apart your fortress.

“Island hopping” was a military strategy that concentrated efforts on strategically positioned (and weaker) islands in order to gain access to the final mainland target.

One relevant instance of “island hopping” is a watering hole attack. A watering hole attack is motivated by an attacker’s frustration: if they cannot get to a target directly, maybe they can compromise a weaker secondary one to gain access to the intended one. Employees in an organization interact with third-party websites and services all the time. It could be with a provider, an entity in the supply chain, or even a publicly available website. Even though your organization may have cutting-edge perimeter protection, the third parties you interact with may not.

In this type of attack, bad actors start profiling employees to find out what websites/services they usually consume. What is the most frequented news blog? Which flight company do they prefer? Which service provider do they use to check pay stubs? What type of industry is the target organization in and what are the professional interests of its employees, etc.?

Based on this profiling, they analyze which of the many websites visited by employees is weak and vulnerable. When they find one, the next step is compromising this third-party website by injecting malicious code, hosting malware, infecting existing trusted downloads, or redirecting the employee to a phishing site to steal credentials. Once the site has been compromised, they wait for an employee of the target organization to visit the site and get infected, sometimes nudging the visit along with a phishing email sent to the employees. Sometimes this requires some interaction from the victim, such as using a file upload form, downloading a previously trusted PDF report, or attempting to log in on a phishing site after a redirection from the legitimate one. Finally, bad actors move laterally from the infected employee device to the desired final target(s).

Figure 1: Watering Hole Attack Dynamics

Victims of a watering hole attack are not only the final targets but also the strategic organizations that are abused along the attack chain. As an example, a watering hole attack made public in 2019 (the compromise itself dates back to 2016) targeted member states of the United Nations by compromising the International Civil Aviation Organization (ICAO) as the intermediate target[1]. Because the ICAO website was frequented by the intended targets, it was compromised by exploiting vulnerable servers. Another example from last year is a group of more than 20 news and media websites that were compromised as intermediate targets to reach specific targets in Vietnam and Cambodia[2].

Risk analysis

Because this kind of attack relies on vulnerable but trusted third-party sites, it usually goes unnoticed and is not easily linked to further data breaches. To make sure this potential threat is being considered in your risk analysis, here are some of the questions you need to ask:

  • How secure are the websites and services of the entities I interact with?
  • Are the security interests of third parties aligned with mine? (Hint: probably not! You may be rushing to patch your web server but that does not mean a third-party site is doing the same).
  • What would be the impact of a watering hole attack for my organization?

As with every threat, it is important to analyze both the probability of this threat as well as how difficult it would be for attackers to implement it. This will vary from organization to organization, but one generic approach is to analyze the most popular websites. When checking the top one million websites around the world, it is interesting to note that around 60%[3] of these are using Content Management Systems (CMSs) such as WordPress, Joomla or Drupal.

This creates an extra challenge, as these popular CMSs are statistically more likely to show up in an organization’s network traffic and, therefore, are more likely to be the platform a watering hole attack lands on. It is not surprising, then, that dozens of vulnerabilities in CMSs are discovered and exploited every month (around 1000 vulnerabilities were disclosed in the last two years for just the top 4 CMSs[4]). What is more concerning is that CMSs are designed to be integrated with other services and extended using plugins (more than 55,000 plugins are available as of today). This further expands the attack surface, as it creates the opportunity to compromise the small libraries and plugins used by these frameworks rather than the core product itself.

Consequently, CMSs are frequently targeted by watering hole attacks by exploiting vulnerabilities that enable bad actors to gain control of the server/site, modifying its content to serve a malicious purpose. In some advanced scenarios, they will also add fingerprinting scripts to check the IP address, time zone and other useful details about the victim. Based on this data, bad actors can automatically decide to let go when the victim is not an employee of the desired company or move further in the attack chain when they have hit the jackpot.

Defending against watering hole attacks

As organizations harden their security posture, bad actors are being pushed to new boundaries. Watering hole attacks are therefore gaining traction, as they allow bad actors to compromise intermediate (more vulnerable) targets in order to later reach the intended final target. To help keep your organization secure against watering hole attacks, make sure you include web protection. McAfee Web Gateway can provide additional defense against certain classes of attacks even when the user is visiting a site that has been compromised in a watering hole attack, with behavior emulation that aims to prevent zero-day malware in milliseconds as traffic is processed. You may also want to:

  • Build a Zero Trust model, especially around employees visiting publicly available websites, to make sure that even if a watering hole attack is targeting your organization, you can stop it from moving forward.
  • Regularly check your organization’s network traffic to identify vulnerable third-party websites that your employees might be exposed to.
  • Check the websites and services exposed by your organization’s providers. Are these secure enough and properly patched? If not, consider the possibility that these may become intermediate targets and apply policies to limit the exposure to these sites (e.g. do not allow downloads if that is an option).
  • When possible, alert providers about unpatched web servers, CMS frameworks or libraries, so they can promptly mitigate the risk.

Dealing with watering hole attacks requires us to be more attentive and to carefully review the websites we visit, even if these are cataloged as trusted sites. By doing so, we will not only mitigate the risk of watering hole attacks, but also steer away from one possible pathway to data breaches.

[1] https://securityaffairs.co/wordpress/81790/apt/icao-hack-2016.html

[2] https://www.scmagazine.com/home/security-news/for-the-last-few-months-the-threat-group-oceanlotus-also-known-as-apt32-and-apt-c-00-has-been-carrying-out-a-watering-hole-campaign-targeting-several-websites-in-southeast-asia/

[3] “Usage of content management systems”, https://w3techs.com/technologies/overview/content_management/all

[4] “The state of web application vulnerabilities in 2018”, https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/

The post How Visiting a Trusted Site Could Infect Your Employees appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/how-visiting-a-trusted-site-could-infect-your-employees/feed/ 0
Modernizing FedRAMP is Essential to Enhanced Cloud Security https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/modernizing-fedramp-is-essential-to-enhanced-cloud-security/ https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/modernizing-fedramp-is-essential-to-enhanced-cloud-security/#respond Tue, 10 Sep 2019 15:07:01 +0000 https://securingtomorrow.mcafee.com/?p=96605

According to an analysis by McAfee’s cloud division, log data tracking the activities of some 200,000 government workers in the United States and Canada, show that the average agency uses 742 cloud services, on the order of 10 to 20 times more than the IT department manages. The use of unauthorized applications creates severe security […]

The post Modernizing FedRAMP is Essential to Enhanced Cloud Security appeared first on McAfee Blogs.

]]>

According to an analysis by McAfee’s cloud division, log data tracking the activities of some 200,000 government workers in the United States and Canada shows that the average agency uses 742 cloud services, on the order of 10 to 20 times more than the IT department manages. The use of unauthorized applications creates severe security risks, often resulting simply from employees trying to do their work more efficiently.

By category, collaboration tools like Office 365 or Gmail are the most commonly used cloud applications, according to McAfee’s analysis, with the average organization running 120 such services. Cloud-based software development services such as GitHub and SourceForge are a distant second, followed by content-sharing services. The average government employee runs 16.8 cloud services, according to the 2019 Cloud Adoption and Risk Report. This lack of visibility creates a Shadow IT problem that needs to be addressed. One of the challenges is that not all storage or collaboration services are created equal, and users, without guidance from the CIO, might opt for an application that has comparatively lax security controls, claims ownership of users’ data, or is hosted in a country on which the government has placed trade sanctions.

To help address the growing challenge of security gaps in IT cloud environments, Congressmen Gerry Connolly (D-VA), Chairman of the House Oversight and Reform Committee’s Government Operations Subcommittee, and Mark Meadows (R-NC), Ranking Member of the Government Operations Subcommittee, recently introduced the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act (H.R. 3941). The legislation would codify FedRAMP – the program that governs how cloud security solutions are deployed within the federal government, address agency compliance issues, provide funding for the FedRAMP Project Management Office (PMO) and more. The FedRAMP Authorization Act would help protect single clouds as well as the spaces between and among clouds. Since cloud services are becoming easier targets for hackers, McAfee commends these legislators for taking this important step to modernize the FedRAMP program.

FedRAMP provides a standardized approach to security assessment and monitoring for cloud products and services that agency officials use to make critical risk-based decisions. Cloud solutions act as gatekeepers, allowing agencies to extend the reach of their cloud policies beyond their current network infrastructure. To monitor data authentication and protection within the cloud, cloud access security brokers, or CASBs, allow organizations deeper visibility into their cloud security solutions. In today’s cybersecurity market, there are many cloud security vendors, and organizations therefore have many solutions from which to choose to enable them to secure their cloud environments.  McAfee’s CASB, MVISION Cloud, helps ensure that broad technology acquisitions maintain or exceed the levels of security outlined in the FedRAMP baselines.

McAfee supports the FedRAMP Authorization Act, which would bring FedRAMP back to its original purpose by providing funding for federal migration and mandating the reuse of authorizations. FedRAMP must be modernized to best serve government agencies and IT companies. We look forward to working with our partners in Congress to move this legislation forward. Additionally, we have seen that agencies overuse waivers to green light technology that sacrifices security for expediency.  We must find a better way to thread this needle and ensure that broad technology acquisitions maintain or exceed the levels of security outlined in the FedRAMP baselines as this bill works its way through the legislative process and finds its way to the President’s desk for signature into law.

The post Modernizing FedRAMP is Essential to Enhanced Cloud Security appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/blogs/other-blogs/executive-perspectives/modernizing-fedramp-is-essential-to-enhanced-cloud-security/feed/ 0
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/#respond Mon, 09 Sep 2019 19:05:58 +0000 https://securingtomorrow.mcafee.com/?p=96648

Executive Summary Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. Many companies use these kinds of systems to detonate malicious […]

The post Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study appeared first on McAfee Blogs.

]]>

Executive Summary

Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes have become the fastest and easiest way to get an overview of a threat. Many companies use these systems to detonate the malicious files and URLs they find, in order to obtain more indicators of compromise, extend their defenses and block related malicious activity. Nowadays we understand security as a global process, and sandbox systems are part of this ecosystem; that is why we must pay attention to the methods malware uses against them and how we can defeat those methods.

Historically, sandboxes have allowed researchers to visualize the behavior of malware accurately within a short period of time. As the technology evolved over the past few years, malware authors started producing malicious code that probes much deeper into the system to detect the sandboxing environment.

As sandboxes became more sophisticated and evolved to defeat the evasion techniques, we observed multiple strains of malware that dramatically changed their tactics to remain a step ahead. In the following sections, we look back on some of the most prevalent sandbox evasion techniques used by malware authors over the past few years and show that malware families extended their code in parallel, introducing ever stealthier techniques.

The following diagram shows some of the most prevalent sandbox evasion tricks discussed in this blog, although many others exist.

Delaying Execution

Initially, several strains of malware were observed using timing-based evasion techniques (latent execution), which primarily boiled down to delaying execution of the malicious code for a period using well-known Windows APIs such as NtDelayExecution, CreateWaitableTimer, SetTimer and others. These techniques remained popular until sandboxes started identifying and mitigating them, typically by hooking the sleep APIs so that the delay is skipped.

GetTickCount

As sandboxes identified these delays and attempted to defeat them by accelerating code execution, malware resorted to acceleration checks using multiple methods. One of those methods, used by several malware families including Win32/Kovter, was to call the Windows API GetTickCount, which returns the milliseconds since boot, and then check whether the expected amount of time had really elapsed; a freshly booted analysis VM, or one whose sleeps are being skipped, reports a value that is too small. We observed several variations of this method across malware families.

This evasion technique could be easily bypassed by sandbox vendors: simply taking the VM snapshot after the machine had been running for more than 20 minutes makes the reported uptime look like that of a real machine.

API Flooding

Another approach that subsequently became more prevalent, observed in Win32/Cutwail malware, is calling harmless ("garbage") APIs in a loop to introduce a delay, a technique dubbed API flooding. Below is the code from the malware that shows this method.

Inline Code

We observed how this code resulted in a denial-of-service condition, since sandboxes could not handle the flood of calls well enough. On the other hand, this sort of behavior is not too difficult for more involved sandboxes to detect. As they became more capable of handling API-based stalling code, yet another strategy for the same objective was to introduce inline assembly code that spun for more than five minutes before executing the hostile code, without calling any API a hook could intercept. We found this technique in use as well.

Sandboxes are now much more capable, armed with code instrumentation and full-system emulation to identify and report stalling code. Even so, this simplistic inline approach could sidestep most of the advanced sandboxes at the time. In our observation, the following depicts the growth of the popular timing-based evasion techniques used by malware over the past few years.
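To make the timing checks concrete, here is an added example in Python; it is not code from the McAfee post or from any of the families named. It implements the two decisions behind the GetTickCount/Sleep pattern: did the requested delay really elapse, and has the machine been up long enough to be someone's workstation. The sleep and clock functions are injectable so that the two sandbox responses can be shown side by side: a hook that skips Sleep but leaves the clock alone is caught, while a sandbox that advances a virtual clock together with the skipped sleep passes. The 20-minute uptime threshold and the 50% tolerance are assumptions, not values taken from the post.

```python
"""Timing-based sandbox checks with an injectable clock and sleep (added example)."""
import time
from typing import Callable

# Assumed: a machine up for less than 20 minutes is treated as a fresh analysis VM.
MIN_UPTIME_MS = 20 * 60 * 1000
# Assumed: accept a sleep that ran for at least 50% of the requested time (scheduler jitter).
TOLERANCE = 0.5


def sleep_was_skipped(requested_s: float,
                      sleep: Callable[[float], None] = time.sleep,
                      clock: Callable[[], float] = time.monotonic) -> bool:
    """Return True if the clock advanced far less than the requested sleep.

    This is the malware's view: Sleep() returned "too fast", so something is
    accelerating execution. Both functions are parameters so the sandbox-side
    counter-measure can be demonstrated without hooking any real API.
    """
    before = clock()
    sleep(requested_s)
    elapsed = clock() - before
    return elapsed < requested_s * TOLERANCE


def uptime_looks_fresh(uptime_ms: int, minimum_ms: int = MIN_UPTIME_MS) -> bool:
    """Return True if the system booted too recently to be a user's workstation."""
    return uptime_ms < minimum_ms


def read_uptime_ms() -> int:
    """Best-effort uptime in milliseconds for the host this runs on.

    Linux reads /proc/uptime; Windows uses GetTickCount64 via ctypes; any other
    platform falls back to the process-relative monotonic clock.
    """
    try:
        with open("/proc/uptime") as fh:
            return int(float(fh.read().split()[0]) * 1000)
    except OSError:
        pass
    try:
        import ctypes
        return int(ctypes.windll.kernel32.GetTickCount64())
    except (AttributeError, OSError):
        return int(time.monotonic() * 1000)


class FakeSandboxClock:
    """Models a sandbox that hooks Sleep and advances a virtual clock in step.

    Because sleep and clock are patched together, the check above cannot tell
    that no wall-clock time actually passed.
    """

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds          # pretend the time elapsed

    def clock(self) -> float:
        return self.now


def demo() -> tuple:
    """Three scenarios: real sleep, naive hook (caught), consistent hook (evaded)."""
    real = sleep_was_skipped(0.05)                                  # genuine 50 ms sleep
    naive = sleep_was_skipped(5.0, sleep=lambda s: None)            # Sleep returns at once
    fake = FakeSandboxClock()
    consistent = sleep_was_skipped(5.0, sleep=fake.sleep, clock=fake.clock)
    return real, naive, consistent


if __name__ == "__main__":
    print(demo())                                                   # (False, True, False)
    print("uptime looks fresh:", uptime_looks_fresh(read_uptime_ms()))
```

The practical point for sandbox builders is in the third scenario: skipping a sleep is only safe if every clock the sample can read (GetTickCount, QueryPerformanceCounter, RDTSC, NTP) is advanced by the same amount, which is why the post's inline-assembly stalling loops, which consume real CPU time rather than calling Sleep, were harder to neutralize.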

Hardware Detection

Another category of evasion tactic widely adopted by malware was fingerprinting the hardware, specifically checking the total physical memory size, the available hard disk size and type, and the number of CPU cores. Analysis VMs are typically provisioned with far less of each than a real workstation.

These methods became prominent in malware families like Win32/Phorpiex, Win32/Comrerop, Win32/Simda and multiple other prevalent ones. Based on our tracking of their variants, we noticed the Windows API DeviceIoControl() was primarily used with specific control codes to retrieve the storage type and storage size.

Ransomware and cryptocurrency mining malware were found checking the total physical memory using the well-known GlobalMemoryStatusEx() trick. A similar check is shown below.

Storage Size check:

Illustrated below is example API interception code, implemented in the sandbox, that manipulates the returned storage size so that the check passes.

Subsequently, a Windows Management Instrumentation (WMI) based approach became more favored, since WMI queries are answered by a separate service process and could not be easily intercepted by the user-mode API hooks of the existing sandboxes.

Here is our observed growth path in the tracked malware families with respect to the Storage type and size checks.

CPU Temperature Check

Malware authors are always adding new and interesting methods to bypass sandbox systems. Another interesting check involves reading the temperature of the processor the sample is executing on.

A code sample where we saw this in the wild is:

The check is executed through a WMI query (typically of the MSAcpi_ThermalZoneTemperature class in the root\WMI namespace). This is interesting because virtual machines expose no ACPI thermal zone, so on a VM the query returns no result at all.

CPU Count

Popular malware families like Win32/Dyreza were seen using the CPU core count as an evasion strategy. Several malware families were initially found using a trivial API-based route, such as GetSystemInfo(), which a sandbox can hook in the same way as the hardware checks above. However, most malware families later resorted to WMI and stealthier PEB access-based methods.

Any evasion code in the malware that does not rely on APIs is challenging to identify in the sandboxing environment and malware authors look to use it more often. Below is a similar check introduced in the earlier strains of malware.

There are a number of ways to get the CPU core count, though the stealthiest was to read the NumberOfProcessors field directly from the Process Environment Block (PEB), which can be done with inline assembly or compiler intrinsics without calling any API.

One of the relatively newer techniques to get the CPU core count has been outlined in a separate blog post. However, in our observations of malware using the CPU core count to evade automated analysis systems, the techniques were adopted in the sequence outlined below.
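The memory, disk and core-count checks from the hardware detection and CPU count sections above, as an added example in Python (not code from the post, from the families it names, or from McAfee ATD). The post's samples used DeviceIoControl, GlobalMemoryStatusEx, WMI and the PEB; here the same three measurements are taken with the standard library (GlobalMemoryStatusEx through ctypes on Windows, sysconf elsewhere, shutil.disk_usage for the system volume, os.cpu_count standing in for the PEB read, which has no portable equivalent) so the code runs on both Linux and Windows. Collection is separated from the decision so the decision can be exercised on a constructed profile, and spoofed() shows the effect of the interception code the post describes: the values a hook would hand back. The thresholds and the constructed profile are assumptions.

```python
"""Hardware fingerprinting of the kind evasive malware performs (added example)."""
import os
import shutil
import sys
from dataclasses import dataclass
from typing import List

GIB = 1024 ** 3

# Assumed "too small to be a real workstation" thresholds.
MIN_RAM = 4 * GIB
MIN_DISK = 80 * GIB
MIN_CORES = 2


@dataclass
class HardwareProfile:
    ram_bytes: int
    disk_bytes: int       # total size of the volume holding the system root
    cpu_cores: int


def _physical_ram() -> int:
    """Total RAM: GlobalMemoryStatusEx on Windows, sysconf on POSIX, 0 if unknown."""
    if sys.platform == "win32":
        import ctypes
        import ctypes.wintypes as wt

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", wt.DWORD), ("dwMemoryLoad", wt.DWORD),
                        ("ullTotalPhys", ctypes.c_ulonglong),
                        ("ullAvailPhys", ctypes.c_ulonglong),
                        ("ullTotalPageFile", ctypes.c_ulonglong),
                        ("ullAvailPageFile", ctypes.c_ulonglong),
                        ("ullTotalVirtual", ctypes.c_ulonglong),
                        ("ullAvailVirtual", ctypes.c_ulonglong),
                        ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

        stat = MEMORYSTATUSEX()
        stat.dwLength = ctypes.sizeof(stat)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat))
        return int(stat.ullTotalPhys)
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (ValueError, OSError):
        return 0


def collect_profile() -> HardwareProfile:
    """Measure the host this process runs on."""
    root = os.environ.get("SystemDrive", "C:") + "\\" if sys.platform == "win32" else "/"
    return HardwareProfile(ram_bytes=_physical_ram(),
                           disk_bytes=shutil.disk_usage(root).total,
                           cpu_cores=os.cpu_count() or 1)


def fingerprint(p: HardwareProfile) -> List[str]:
    """Reasons a sample of this kind would refuse to run; an empty list means 'looks real'."""
    reasons = []
    if p.ram_bytes < MIN_RAM:
        reasons.append(f"ram {p.ram_bytes // GIB} GiB < {MIN_RAM // GIB} GiB")
    if p.disk_bytes < MIN_DISK:
        reasons.append(f"disk {p.disk_bytes // GIB} GiB < {MIN_DISK // GIB} GiB")
    if p.cpu_cores < MIN_CORES:
        reasons.append(f"cores {p.cpu_cores} < {MIN_CORES}")
    return reasons


def spoofed(p: HardwareProfile, ram: int = 16 * GIB, disk: int = 500 * GIB,
            cores: int = 4) -> HardwareProfile:
    """Sandbox-side counter-measure: the profile an API hook would report instead.

    A real sandbox patches the API results in place; WMI-based checks bypass
    such hooks and need the WMI provider itself to be faked.
    """
    return HardwareProfile(max(p.ram_bytes, ram), max(p.disk_bytes, disk),
                           max(p.cpu_cores, cores))


# Constructed profile of a typically under-provisioned analysis VM.
SANDBOX_LIKE = HardwareProfile(ram_bytes=1 * GIB, disk_bytes=40 * GIB, cpu_cores=1)

if __name__ == "__main__":
    print("constructed VM:", fingerprint(SANDBOX_LIKE))
    print("after hooking:", fingerprint(spoofed(SANDBOX_LIKE)))
    print("this host:", fingerprint(collect_profile()))
```

Note that shutil.disk_usage reports the volume, not the physical disk, so a thin-provisioned virtual disk that presents a large capacity already passes the size test; this is exactly why the post's samples moved to querying storage type and vendor strings as well.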

User Interaction

Another class of infamous techniques malware authors used extensively to circumvent sandboxes exploits the fact that automated analysis systems are not operated by humans. Conventional sandboxes were never designed to emulate user behavior, and malware was coded to detect the discrepancy between an automated system and a real one. Initially, multiple malware families were found monitoring for Windows events and halting execution until they occurred.

Below is a snapshot from a Win32/Gataka variant using GetForegroundWindow and checking whether a later call to the same API returns a different window handle, i.e., whether the user has switched windows. The same technique was found in Locky ransomware variants.

Below is another snapshot from the Win32/Sazoora malware, checking for mouse movements, which became a technique widely used by several other families.

Malware campaigns were also found deploying a range of techniques to check for historical interaction with the infected system. One such campaign, delivering the Dridex malware, extensively used an auto-execution macro (Word's AutoClose event) that triggered only when the document was closed, something an automated system that merely opens the file never does. Below is a snapshot of the VBA code from one such campaign.

The same malware campaign was also found introducing Registry key checks in the code for MRU (Most Recently Used) files to validate historical interactions with the infected machine. Variations in this approach were found doing the same check programmatically as well.

MRU check using the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\User MRU:

Programmatic version of the above check:

Here is our depiction of how these approaches gained adoption among evasive malware.
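The two interaction checks above, as an added example in Python (not code from the McAfee post or from the Gataka, Sazoora or Dridex samples). The first waits for the foreground window or the cursor position to change between polls, the GetForegroundWindow/GetCursorPos pattern; the second judges whether the machine has a history of use from the Word "User MRU" registry key the Dridex campaign read. The sampler is injectable so the polling logic runs and is testable on a headless system; win32_sample() is the real sampler and only works on Windows. The MRU threshold of three documents, and the assumption that current Office builds keep the list under a per-account subkey whose File MRU values are the recent documents, are mine.

```python
"""User-interaction checks of the kind evasive malware performs (added example)."""
import sys
from typing import Callable, Iterable, List, Tuple

Sample = Tuple[int, int, int]   # (foreground window handle, cursor x, cursor y)


def win32_sample() -> Sample:
    """Real sampler for Windows: GetForegroundWindow plus GetCursorPos via ctypes."""
    import ctypes
    import ctypes.wintypes as wt
    user32 = ctypes.windll.user32
    pt = wt.POINT()
    user32.GetCursorPos(ctypes.byref(pt))
    return (int(user32.GetForegroundWindow()), int(pt.x), int(pt.y))


def saw_interaction(sample: Callable[[], Sample], sleep: Callable[[float], None],
                    polls: int = 10, interval: float = 1.0) -> bool:
    """True as soon as two consecutive samples differ; False if nothing ever changed.

    Malware gates its payload on True. A sandbox that jiggles the cursor once
    and then leaves it alone still passes, because only one change is needed;
    one that never touches the desktop fails every poll.
    """
    previous = sample()
    for _ in range(polls):
        sleep(interval)
        current = sample()
        if current != previous:
            return True
        previous = current
    return False


def mru_looks_fresh(entries: Iterable[str], minimum: int = 3) -> bool:
    """True if fewer than `minimum` recently used documents exist (assumed threshold)."""
    return sum(1 for _ in entries) < minimum


def word_mru_entries(version: str = "16.0") -> List[str]:
    """Value names under HKCU\\Software\\Microsoft\\Office\\<version>\\Word\\User MRU.

    Windows only; elsewhere, or if the key is absent, returns [] so the caller
    sees a 'fresh' machine. Assumed layout: one subkey per signed-in account,
    each holding a File MRU key whose values ('Item 1', ...) are the documents.
    """
    if sys.platform != "win32":
        return []
    import winreg
    path = rf"Software\Microsoft\Office\{version}\Word\User MRU"
    names: List[str] = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            accounts = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    except OSError:
        return names
    for account in accounts:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path + "\\" + account + r"\File MRU") as mru:
                names += [winreg.EnumValue(mru, i)[0] for i in range(winreg.QueryInfoKey(mru)[1])]
        except OSError:
            continue
    return names


def demo() -> tuple:
    """Constructed sample streams: an idle desktop and one where the user switches windows."""
    idle = iter([(1, 10, 10)] * 20)
    busy = iter([(1, 10, 10), (1, 10, 10), (7, 40, 12)] + [(7, 40, 12)] * 20)
    no_sleep = lambda s: None                     # poll without real delay for the demo
    return (saw_interaction(lambda: next(idle), no_sleep, polls=5),
            saw_interaction(lambda: next(busy), no_sleep, polls=5),
            mru_looks_fresh([]),
            mru_looks_fresh(["Item 1", "Item 2", "Item 3"]))


if __name__ == "__main__":
    print(demo())                                 # (False, True, True, False)
    print("recent Word documents on this host:", len(word_mru_entries()))
```

Sandboxes that replay a fixed cursor script satisfy saw_interaction but not the MRU check, which is why the post treats the two as separate stages of evasion: emulated input defeats the first, and only a populated, used-looking image defeats the second.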

Environment Detection

Another technique used by malware is to fingerprint the target environment, exploiting misconfigurations of the sandbox. In the beginning, tricks such as the Red Pill technique (inspecting the interrupt descriptor table base returned by SIDT) were enough to detect a virtual environment, until sandboxes started hardening their architecture. Malware authors then moved to new techniques: checking the hostname against common sandbox names, or checking the registry to count the programs installed, since a very small number of programs suggests a fake machine. Other checks include inspecting the sample's own filename for a hash or a keyword such as "malware" (sandboxes commonly rename submitted samples), enumerating running processes to spot monitoring tools, and checking the public network address against blacklisted ranges, such as those belonging to AV vendors.

Locky and Dridex, for example, used network-based checks of this kind.

Using Evasion Techniques in the Delivery Process

In the past few years we have observed the use of sandbox detection and evasion techniques increasingly implemented in the delivery mechanism itself, to make detection and analysis harder. Attackers are increasingly likely to add a layer of protection to their infection vectors to avoid burning their payloads. Thus, it is common to find evasion techniques in malicious Word and other weaponized documents, before the final payload is ever dropped.

McAfee Advanced Threat Defense

McAfee Advanced Threat Defense (ATD) is a sandboxing solution that detonates the sample under analysis in a controlled environment, performing malware detection through advanced static and dynamic behavioral analysis. As a sandboxing solution it defeats the evasion techniques seen in many adversaries' code. McAfee's sandboxing technology is armed with multiple advanced capabilities that complement each other to counter the evasion techniques that check for the presence of virtualized infrastructure, and it mimics a real physical machine. The evasion techniques described in this paper, which adversaries widely employ in code or behavior to evade detection, are handled by the McAfee Advanced Threat Defense sandbox, including:

  • Use of Windows APIs to delay execution of the sample, and queries for hard disk size, CPU core count and other environment information.
  • Methods to identify human interaction through mouse clicks, keyboard strokes and interactive message boxes.
  • Retrieval of hardware information such as hard disk size, CPU count and hardware vendor through registry artifacts.
  • System uptime checks to determine how long the machine has been running.
  • Checks of Windows color depth and screen resolution.
  • Recent documents and files used.

In addition, McAfee Advanced Threat Defense is equipped with smart static analysis engines as well as machine-learning based algorithms that play a significant detection role when samples detect the virtualized environment and exit without exhibiting malicious behavior. One of McAfee's flagship capabilities, the Family Classification Engine, works at the assembly level and provides significant traces once a sample is loaded in memory, even when the sandbox detonation does not complete, resulting in enhanced detection for our customers.

Conclusion

Traditional sandboxing environments were built by running virtual machines on one of the available virtualization solutions (VMware, VirtualBox, KVM, Xen), which leaves large gaps for evasive malware to exploit: the hypervisor's virtual devices, drivers and timing behave observably differently from physical hardware.

Malware authors continue to improve their creations by adding new techniques to bypass security solutions, and evasion techniques remain a powerful means of detecting a sandbox. As the technology improves, so do the malware techniques.

Sandboxing systems are now equipped with advanced instrumentation and emulation capabilities that can detect most of these techniques. However, we believe the next step in sandboxing technology is the bare-metal analysis environment, which removes the virtualization artifacts evasive code looks for, although its remaining common weaknesses (uptime, missing user interaction, an unused-looking image) will still be easy for malware to detect.

3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/3-things-you-probably-do-online-every-day-that-jeopardize-your-familys-privacy/ https://securingtomorrow.mcafee.com/blogs/consumer/family-safety/3-things-you-probably-do-online-every-day-that-jeopardize-your-familys-privacy/#respond Sat, 07 Sep 2019 14:00:58 +0000 https://securingtomorrow.mcafee.com/?p=96602


The post 3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy appeared first on McAfee Blogs.

Even though most of us are aware of the potential risks, we continue to journal and archive our daily lives online publicly. It’s as if we just can’t help it. Our kids are just so darn cute, right? And, everyone else is doing it, so why not join the fun?

One example of this has become the digital tradition of parents sharing first-day back-to-school photos. The photos feature fresh-faced, excited kids holding signs to commemorate the big day. The signs often include the child’s name, age, grade, and school. Some back-to-school photos go as far as to include the child’s best friend’s name, favorite TV show, favorite food, their height, weight, and what they want to be when they grow up.

Are these kinds of photos adorable and share-worthy? Absolutely. Could they also be putting your child’s safety and your family’s privacy at risk? Absolutely.

1. Posting identifying family photos

Think about it. If you are a hacker combing social profiles to steal personal information, all those extra details hidden in photos can be quite helpful. For instance, a seemingly harmless back-to-school photo can expose a home address or a street sign in the background. Cyber thieves can zoom in on a photo to see the name on a pet collar, which could be a password clue, or grab details from a piece of mail or a sticky note on the refrigerator to add to your identity-theft file. On the safety side, a school uniform, team jersey, or backpack emblem could give away a child’s daily location to a predator.

Family Safety Tips
  • Share selectively. Facebook has a private sharing option that allows you to share a photo with specific friends. Instagram has a similar feature.
  • Private groups. Start a private Family & Friends Facebook group, phone text, or start a family chat on an app like GroupMe. This way, grandma and Aunt June feel included in important events, and your family’s personal life remains intact.
  • Photo albums. Go old school. Print and store photos in a family photo album at home away from the public spotlight.
  • Scrutinize your content. Think before you post. Ask yourself if the likes and comments are worth the privacy risk. Pay attention to what’s in the foreground or background of a photo.
  • Use children’s initials. Instead of using your child’s name online, use his or her initials or even a digital nickname when posting. Ask family members to do the same.

2. Using trendy apps, quizzes & challenges