Wednesday, December 21, 2011

The Squabble Over Single File Systems

Many of you are endlessly entertained by the back-and-forth bickering between us storage vendors over things like benchmarks.  



Sometimes the disagreement is over how the test was conducted, or the use of "lab queen" configurations that would never be found in a customer environment.


And, occasionally, there's very strong disagreement around comparing two very unlike things using a common standard.   That's what this post is about.

Why should you care?

In a world of exploding data growth, massive scale and limited resources, how you do things may end up being more important than what you do.  

I believe many IT architects will want to take note of this particular debate, because you'll be seeing ever-more variations of this same theme in the near future.

How This Came About

Nothing brings out the competitive nature of IT vendors more than benchmarks. 

While I'm a general skeptic of many benchmarks, the SPEC tests (specifically the SPECsfs2008 NFS and CIFS workloads) are notable in that the SPEC organization has an ongoing process to ensure the workloads match those of the member organizations. 

Put differently, you can't seriously claim the SPEC isn't "real world".

The testing methodology is difficult to game, although if you scrutinize some of the submissions you can see obvious signs of creativity here and there.   For example, you'll sometimes see some vendors export only a small amount of the total capacity configured in an effort to goose the numbers.  Or occasionally turn down the flush rate from write cache to persistent storage. 

You know, stuff real users wouldn't do.

And, unlike most other benchmarks, most of us bigger vendors routinely make submissions.

There is no cost element defined for the equipment used in submitting SPEC tests, however.  Another form of vendor creativity can result from assigning inflated prices to the other guy's gear, and then showing various per-unit comparisons in an effort to put their own results in a favorable light.

However, this sort of comparison is neither sanctioned nor condoned by the SPEC organization.  The SPECsfs test is sheer performance, plain and simple.

The Core Of The Current Debate

Simply put, there are two approaches to getting really good numbers from the SPEC tests.

One approach is to architect a single, scalable file system that goes really fast and scales linearly.  Not many of these submissions, as you'll find.

A more common method is to aggregate multiple, independent file systems (using a global name space) to appear -- at least in some aspects -- as a single entity, although it clearly doesn't behave as one, as we'll see in a moment.

My point of view (as well as EMC's) is simple: since these two approaches are radically different in terms of user experience and administrative effort, they shouldn't be directly compared.  Apples and oranges.  At a very minimum, their inherent differences should be well understood by all.

I'll make my arguments here; you can draw your own conclusions.

Let's Start With A Traditional Single File System

Imagine, say, a single 16TB file system, sitting on a filer. 

People start to use it, and -- eventually -- it either fills up, gets slow, or both.  Before long, it's time for more performance and/or more capacity.  That usually means another controller or NAS head, in addition to more capacity.

You then acquire a separate device (array, NAS head, etc.) and add it to the configuration.
But you've got a new problem -- you now have to allocate the new capacity and/or performance amongst the people who need it.  How many users and their data go to the first NAS device, and how many to the second?

You sit down, and do a static rationalization of what might go where in an ideal world.  You copy a bunch of data around, and set up new mappings.  Hopefully, you can do all of  this without disrupting users.

But you're working with imprecise information; and of course there's absolutely no guarantee that all your users will continue to be nicely behaved in the future.  For example, one set of users might grow faster in terms of capacity or performance than expected.

In a dynamic environment that's growing fast, that means you'll find yourself sitting down to perform this "analyze, recommend, migrate" loop more often.  Fast forward: more independent filers get added over time.  More capacity needs to be shoveled around from place to place, and it's now taking days instead of hours.  

Users now start to notice that they can't use their data predictably.  Storage admins find themselves pulling late nights and weekends to keep up with the growth.  Over-provisioning performance and capacity quickly becomes a defense mechanism against having to move things around so often.  Overall utilization of resources goes way down as a result.


What might have made sense at 10TB becomes painful at 100TB and downright unworkable at 1000TB.

To give users a simplified logical view, the filers will often aggregate their name spaces (a global name space) so the combination of multiple, independent file systems appears as one.  But this ends up being nothing more than a layer of shrink-wrap film over a pallet of multiple containers.  

You can call it one container, but it's patently obvious to all it's just an aggregation of much smaller containers.



Administrators still have to continually juggle what's in each file system container -- both from a performance and capacity perspective.  And power users will often get involved in where their data physically resides -- simply because these capacity, performance and availability issues start to impact them as well.

Not a pretty sight.  But it doesn't have to happen that way ...

Let's Start Again With A Scalable Single File System


Now let's go through this same scenario, but using a scalable single file system approach vs. valiantly attempting to aggregate multiple, independent file systems.

Our first 16TB file system goes in like before.  But when the second one is needed for either capacity or performance reasons, the story changes considerably.


The additional unit is quickly configured, and the scalable file system software does any required balancing and/or data migration: transparently and in the background.
The administrator can stick around and watch this magic happen if they like; but once you've seen it, it's about as exciting as watching a washing machine go through its cycles.

A third unit gets added, and a fourth, and so on up to potentially very large numbers indeed.

Each time, the new resources are automatically integrated -- and all available performance and capacity is auto balanced with each new resource added.  Data protection (locating portions on multiple nodes) is also adapted as well to the new resources.

Users see a single giant file system that's essentially "flat" in terms of performance and capacity.  Administrators get to see one giant pool of self-administering, self-balancing and self-protecting resources.  

No downtime, no drama.  

And no need to over-provision as a defensive mechanism.

The level of effort -- and usability -- remains largely constant whether we're talking 10TB, 100TB, 1000TB or more.  Capacity and performance scale; hassle doesn't.

You'll have to admit -- there is a meaningful difference between the two approaches. 
This glaring and obvious difference has been validated in customer forums that I've been at.  On one side of the room, large environments who use a single scalable file system approach.  On the other, those using a more traditional approach of aggregating many, many smaller file systems.

Their worlds are very different indeed :)

In All Fairness

Competitors who only offer the traditional approach of aggregating smaller file systems using a global name space will claim that there are multiple ways of solving customer problems, and that every customer is different.

While it's hard to disagree with that sort of platitude, it's hard to imagine a scenario where the aggregated separate file systems approach would have any sort of decided advantage.  I mean, how many use cases are there where user demands precisely orient around the capacity and performance of a traditional file system?

And, in all fairness, EMC's higher-end VNX products (such as the VG8) have long used this aggregated independent file system approach. 

But, as many of you know, EMC's Isilon is different -- it creates a single, scalable file system over many nodes.

For those of us who are now familiar with both, the differences couldn't be more stark -- especially at scale.

The Magic Of Scale-Out

Compared to our competitors, I think EMC is quite fortunate to now have multiple scale-out technologies in our portfolio.  


In addition to Isilon for scale-out file systems (NAS and CIFS), Greenplum (now augmented with Hadoop!) uses the same architectural style to achieve blazing performance coupled with cost-efficiency and administrative ease.

If you're into distributed object storage (e.g. cloud storage), Atmos uses a scale-out design to achieve the same results.  And, if you're familiar with enterprise block storage at scale, well, that's a VMAX.

And, of course, VMware's products create scale-out clusters using cool technologies such as VMotion. 

As just about any server admin will tell you, a shared pool of server resources that auto-balance is vastly preferable to isolated ones that don't :)

Many years back, we recognized that riding Intel's curve and building products that scaled out as well as up was going to be the architecture of the future: storage, database, servers and so on.

We've invested literally many billions of dollars in this one concept, and will continue to invest many more.  

By this standard, many of our traditional competitors have some very serious work ahead of them.

All Is Fair In Benchmarks, Or Is It?



Perusing the various SPECsfs2008 NFS and CIFS submissions, you have to look carefully to determine whether the competing product simply aggregates multiple, independent file systems to achieve their results -- or creates a single, scalable file system to get the job done.

You won't see it in the inventory of the parts list.  Nor can you spot it from configuration diagrams.   Nor will the submitting vendors likely come forward at the outset and clearly state "hey, we achieved this result by aggregating 24 smaller file systems".  

Your only clue is the subtle entry "file system type" which is intended to be only descriptive in nature.

Many will say "global name space".  A few may say "single scalable file system".



Trust me, there is a difference.


By: Chuck Hollis

Tuesday, December 20, 2011

SMS Fraud on the Android Market

Thanks to Masaki Suenaga and Andy Xies for their analysis.

Following the tweet from our @threatintel Twitter account last night about malicious applications targeting users in European countries, Symantec Security Response has identified another group of fraudulent apps on the Android Market, this time under a different publisher ID. From our analysis, the 11 newly discovered apps are published under the name “Miriada Production” and are identical to the apps published under the name “Logastrod”. These apps capitalize on popular game titles and masquerade as those games, but in fact they just send two texts to premium-rate, local SMS numbers in the country where the SIM card is registered. The app also prevents notifications from being displayed if the incoming text is from certain numbers.

Once notified of these apps by Symantec, Google acted promptly and removed them from the Android Market.

The malicious content in all the apps appears to be identical. This suggests both publishers took the malicious code from the same template, or, they are the same publisher using two different names.

Note, as with all Android applications, users must choose to allow the permissions requested by applications before they can be installed. Permissions are displayed by the Android operating system under broad headings that summarize the implications of the permissions requested. For example, the permission to allow an application to send SMS or MMS messages is organized under the easy-to-understand heading of “Services that cost you money”.  Understanding these permissions can help users avoid applications which make unnecessary requests. In this particular instance, the applications ask for the permission to send SMS messages – a service that will cost you money (something users should think twice about before accepting and proceeding with the install).

Symantec customers are protected, since the apps are detected as Android.Rufraud.

By: Symantec Security Response

Monday, December 19, 2011

Raising Kids In The Information Age

As adults, most of us are hard-wired to take parenting very seriously indeed.


Although the mission of raising kids hasn't really changed over the generations, the context certainly has.

The world is now a very different place than when I was growing up.  I'd like to be able to reach back into my own childhood experiences as source material for modern challenges; unfortunately, though, way too much has changed.

I find myself having to think hard and long about where the world is going, and how best to prepare my children to thrive in it.

Since many of you reading this are faced with similar tasks (or will be soon!) I thought I'd share a few aspects of how I'm trying to raise my kids in this new world.

Take this unsolicited advice with a grain of salt: every situation is different.  And while there is no guarantee on how my kids will eventually turn out, I am rather pleased as to where they are in their journeys.

Early Access
I've always had computers around me, and I've always had computers around my kids.  Online connectivity was always seen as a basic necessity, even when it was 9600 baud through the house phone line.

I clearly remember my first child climbing up on my lap, banging on the keyboard, and squealing with glee when the computer beeped.  That gave way to the inevitable kids games (Putt-Putt was a favorite back then), with progressively richer computer experiences as they grew up.

I now have a young niece, age 6.  I recently splurged and bought her a basic iPad, loaded with fun games and semi-educational software.  It is by far her most cherished possession.  I'd like to think I'm giving her a leg up in the new world.

Competing With The Online World
If you're growing up in the modern era, it's all happening online.

That's where the cool content is, that's where your friends are, that's where your homework gets done, and so on.  Much like Alice in Through The Looking Glass, the small screen is a portal into an endlessly fascinating and engaging world.

As a parent, I don't want to discourage that engagement, but I do know there are downsides as well.

First, I care about balance. I want them to have engaging and fascinating real-world experiences to balance their online ones.

Trying to limit their consumption of online experiences in hopes that they will seek out real-world ones wasn't as successful as I had hoped; I now realize I have to actively put interesting experiences in front of them that will tempt them away from the soft glow of their screens.

Second, I care about hygiene.  There are corners of the digital world that are unsavory -- as there are parts of the physical world.

Rather than try and hide reality, my wife and I have spent serious time educating them about what's out there, how to recognize it, and what to do about it.  From porn to perverts to malware -- it's all out there -- so our goal is to create kids who are digitally aware.

And, of course, their computers were always in a public place in our house; never in their rooms.

Third, I care about conduct.  Of course, I want their online conduct to mirror real-world standards: be polite, watch your language, etc.  It only took a few examples of us coming back to them with something they said or posted online to realize the internet was a very open place indeed :)

But it goes farther than that.  My personal online experience has taught me that there are many people who tend to use their keyboards instead of their therapists; I want my kids to spot these same behaviors, recognize them for what they are, and respond appropriately -- usually by ignoring them; or occasionally escalating if the abuse becomes serious.

Learning To Form Independent Opinions
Completing classwork was relatively straightforward in my day.

You went to the library, there were authoritative books, and your task was to assemble and regurgitate the content from those publications into your classwork.  People largely believed what they were told by the mass media, the government, the church, etc.

But that's not the game anymore, is it?

As my children progressed in their classwork, they'd often encounter multiple perspectives online around the same topic or question.  For me, that's when the real learning begins: learning to assess the context and perspective of various authors, assemble your own perspective, and be prepared to defend it.

Life rarely presents you with simple and obviously correct answers.  Authority is a subjective concept in the modern world.

Of course, you sometimes have to defend your approach when their teachers occasionally disagree with their conclusions, and grade accordingly :)

This behavior has carried over into watching mass media.  We'll be watching a "news" program, and they'll often spot the inherent bias.  Or they'll be watching one of the many reality TV shows that seems to feature people who live their lives as train wrecks (Jersey Shore comes to mind), and roundly criticize the cast for their behavior.

I may not agree with all their opinions, but I do appreciate the fact that they have a brain, and aren't afraid to use it.

Education Matters
As parents, my wife and I assume responsibility for our kids' educations.  The school does their part, we do ours.  The local public schools were more than adequate at the outset, but as the kids got older the divergence between what the schools thought important and what we thought important tended to increase.

Over time, our kids ended up at a relatively modest Catholic school; not because we are Catholic, but we saw that the implicit moral code and sense of community made a big difference in their educational experience.

My wife and I also invested substantial time to stay current with their classwork and their social lives; problems inevitably will crop up, and they're always best addressed gently at the outset if humanly possible.

Don't worry if you feel you weren't paying attention in high school; you'll get a second chance at all those classes :)

Thinking about colleges and universities presents a new set of issues; there are clear choices to be made, they can be expensive choices, and the choices tend to matter over time.  In my day, you selected a major (and a school) that tended to point you in a specific career direction: engineer, doctor, lawyer, business person, artist, etc.  While that model can still work for some people, I believe that the really interesting careers are more likely when you attempt to blend multiple traditional disciplines.

Unfortunately, many higher educational institutions haven't fully embraced this notion yet, meaning that -- as parents -- we have to collaborate with our children to maximize their educational experience in this newer paradigm, working within the constructs of the university, while at the same time acknowledging their individual preferences and inclinations.

It's a delicate and expensive balancing act, and I'm not sure we've quite mastered it yet, but we're certainly trying :)

In my ideal world, my kids would be certifiably "good" at one or two core disciplines, and then spend the rest of their time broadening their perspective: literature, political science, photography, languages, economics, archaeology ... whatever it might be, as long as it is clearly outside their core.

Occasionally, we're fortunate to take them outside of the US to get an up-close view of what goes on outside of this vast country -- and how Americans are often perceived from the outside.

The reason is simple, the world is a diverse place; and I want them to be exceedingly comfortable with all forms of diversity: cultural, intellectual, religious, political, etc.

Social Brand Matters
As part of my work at EMC, I have built a professional social brand.  I have explained to my kids why I've done that, and why I think it will be more important to them in the future.

One promising development: my eldest daughter is in her final undergraduate year at the university; she continues to invest in her professional social brand, and she's seeing the powerful benefits result as she transitions from academia to the workforce.

My youngest daughter (the artist in the family) routinely posts her work in various online forums where she receives feedback from kids like her -- and gets to see what they're all doing.  Peer review in the modern world :)

This, in particular, is a major departure from how things worked in my day.  Yes, networking and being visible was important back then, but we now have access to tools and platforms that are orders-of-magnitude more powerful than before.

My message?  Learn to use them -- they matter -- no matter your choice of profession.

Lifelong Learning Matters
Back in the day, the widely-held perspective was that you got your education, and you went off to work.

Clearly, that approach isn't going to work in the modern economy -- most of the jobs my kids will be applying for might not exist yet.  And as our politicians struggle with "creating jobs", I have to wonder -- how much of the onus rests on us as individuals to keep our marketable portfolio of skills current and relevant?

As a society, we are awash in educational opportunities: both formal and informal.  For example, I can easily keep up not only with topics relevant in my official role here at EMC, but with topics clearly out of the box: current economic thinking, cosmology, physics, biology, music, etc. -- anything that attracts my interest is out there for easy consumption -- if I want to consume.

The behavior I struggle to instill in my children is curiosity -- because it's that natural inquisitiveness that ultimately motivates us to seek out these conversations and dialogues, and thus continually enrich ourselves in the process.

Raise inherently curious kids -- and the rest will likely take care of itself.  At least, I hope so :)

Relationships Matter
One of the incredible benefits of our information age is just how easy it is to stay in close contact with the people you care about.

Email, Skype, texting, Twitter, Facebook ... the mechanisms are simple to use and ubiquitously available.  Yes, writing long letters is becoming a lost art, but the richness of communications can be exceptional.

From my younger kids simply texting "we got here OK" to my eldest daughter continually sharing links she finds interesting -- I never had this sort of close, intimate and constant communication with my family when I was younger.  It was mostly extended (and expensive) phone calls back then :)

We are inherently social beings, and are at our happiest when we feel connected to others in a meaningful way.

Sure, raising your kids in the information age presents new challenges where there might not be the clearest guidance forward.

But it's pretty clear that we all now have the opportunity to stay connected with them and their lives in a way that wasn't possible before.

I'll take it.


By: Chuck Hollis

Friday, December 16, 2011

The 6th Scam of Xmas – Mac Scams

For the sixth scam of Christmas, the criminals gave to me, Mac scams!
 
Many Mac users (I think) still do not think this affects them. However, Mac Malware increases by 10% every month. As I have said many times before, where the people go – criminals follow. Apple’s increase in market share has made them a target for scams and malware.

As with all scams, just a bit of education goes a long way to help spot these scams and not become the next victim. If you use a Mac, here is what you need to know:

Tips to Avoid Becoming a Victim:
1. Download Mac updates as soon as they’re available, so you’re protected from these latest threats.
2. Never download or click on anything from an unknown source.
3. When searching the web, use a safe search tool like McAfee SiteAdvisor®, which tells you if a site is safe to click on or not right in your search results.
4. Keep your computer safe by installing security software such as McAfee® Internet Security for Mac.

Tips on What to Do If You Have Become a Victim:
You’re a victim, now what?
1. Disconnect your computer from the Internet and run a full security scan.
2. Install the Mac update that locates and removes rogue antivirus programs as soon as it’s available.
3. If you have revealed your credit card or other banking information, immediately contact your financial institutions to notify them of the situation.
4. Contact the Cybercrime Response Unit at www.mcafee.com/cru, an online help center for advice and technical assistance, if you think you’ve been a victim of a cybercrime.

Here are a few posts I have written this year that go into more detail about the scams that target Mac users:

http://blogs.mcafee.com/consumer/cyber-security-mom/fourth-scam-of-xmas-fake-anti-virus-scareware

http://blogs.mcafee.com/consumer/fbi-warns-about-scareware-targets-distributors

http://blogs.mcafee.com/consumer/fake-antivirus-pop-ups-mac-edition

This holiday season, why not share the gift of knowledge and share these tips with your friends who use a Mac? Stay safe out there!

By: Tracy Mooney

Thursday, December 15, 2011

All You Need To Know About Managed Services - Elements Magazine - Issue 004

The other day my son came to me and told me that I had to listen to a musician’s music because they were “sick.” Immediately, I thought how unfortunate it was that such a young and talented person be afflicted with an illness. Of course, my son corrected me, while making fun of my age, by explaining that “sick” meant they were really good and not dying of a horrible disease as I had first thought.

This made me think back to my childhood. The terms we used confused the adults; they were disconnected from our youth culture as well. Then I realized that youth culture, and culture in general, continually takes over words and phrases so that their meaning evolves.

The IT world is not unlike any other “scene” in the modern day. For example, we now speak of Cloud in passing conversation knowing exactly what it is and what its implications are. However, our parents’ generation may have visions of us taking paper files and somehow launching them into the stratosphere, thus creating “storage in the cloud.”

My question is, how does one differentiate terms and their meanings if they evolve at such a fast rate? Look at the term “Hosted Services.” Can anyone in this day and age place a true meaning on the term? Or is this a term like “sick” that we all have to decipher? At Nitro, we obviously offer Hosted Services; some people might refer to it as Professional Services, and some people might not know what either term means.

Further, although we speak of “Hosted,” some people think of “Cloud” as we can store our files remotely.

In all, this issue outlines multiple aspects and meanings of the term Hosted Services. I encourage you to read these articles and determine their meaning for yourself. I also invite you to read about Nitro’s Hosted Services as a comparative. At some point, perhaps we can all come to a conclusion as to what these terms mean to all of us.

Now, I must return to my youth-to-adult language dictionary to translate what my kids want for dinner.

Sincerely,
Larry Poirier
Chief Executive Officer
Nitro IT Business Solutions


False Epidemic Alerts Spread Malicious Content

Spammers have used scare tactics in the past, notably during the swine flu outbreak in 2009. A similar spam campaign using scare tactics was observed during the weeks leading up to April 1, 2010, built around an expansion of the Conficker worm and the possibility of a major threat launch. Overall, scare attacks are meant to cause panic reactions among recipients who may, out of fear, click malicious links or download and install malicious code. Similar approaches have been observed recently, this time with a false epidemic alert. In this spam campaign trumpeting false epidemic news, spammers try to instill fear in users and encourage them to read instructions to remain safe from infection.

Sample email subjects suggest there is an epidemic in nearly all countries in the world. However, each individual message mentions only a single country. The list of countries found in sample messages includes countries from Afghanistan to Iceland, Philippines to United States. Sample emails also list individual US states, such as Kansas, Colorado, Mississippi, New Jersey, Virginia, and Washington.

Subject:  Fwd: Epidemic in Afghanistan
Subject:  Fwd: Epidemic in Alaska
Subject:  Fwd: Epidemic in Algeria
Subject:  Fwd: Epidemic in Andorra
Subject:  Fwd: Epidemic in Anguilla
Subject:  Fwd: Epidemic in Australia
Subject:  Re: Epidemic in Portugal
Subject:  Re: Epidemic in Saint Barthélemy
Subject:  Re: Epidemic in Saint Helena, Ascension and Tristan da Cunha
Subject:  Re: Epidemic in South Sudan
Subject:  Re: Epidemic in Sweden
Subject:  Re: Epidemic in Syria
Subject:  Re: Epidemic in Taiwan
Subject:  Re: Epidemic in Tennessee
Subject:  Re: Epidemic in Togo
Subject:  Re: Epidemic in Tonga
Subject:  Re: Epidemic in Trinidad and Tobago
Subject:  Re: Epidemic in Turkey
Subject:  Re: Epidemic in Tuvalu
Subject:  Re: Epidemic in United Arab Emirates
Subject:  Re: Epidemic in Venezuela
Subject:  Re: Epidemic in Vermont
Subject:  Re: Epidemic in Washington
Subject:  Re: Epidemic in Wisconsin
Subject:  Fwd: Re: Epidemic in United States

The email body informs users that the government is hiding the epidemic news. If users want to benefit from instructions on how not to get infected, they need to click the link provided in the email. This link leads users to a malware site.

The malicious file downloaded is detected as Trojan.Malscript. These files exploit vulnerabilities and may perform heap spraying.

Email users need to be aware of such scare tactics and avoid panic. Do not believe email from unfamiliar senders. We also recommend users not click links in any message without first verifying the source of the email and, importantly, do not install software downloaded from the internet unless it has been scanned for viruses. Please make sure your virus definitions are updated regularly.

By: Mayur Kulkarni

Wednesday, December 14, 2011

Public Sector Experts Weigh In on Virtual Desktops and the New Virtual Workspace

Have you ever sat in on a TelePresence meeting?  It really makes you think about how technology can make distance disappear, and bring together people across a wide geography for the purpose of collaborating and sharing ideas.  Such is the case with the National Townhall on Desktop Virtualization I participated in recently, along with VMware.  Seven industry experts from seven US cities, discussing the impact or key learnings of implementing desktop virtualization in government, healthcare and education.  I was joined by my colleague Chris Westphal of VMware, and our panelists, bringing firsthand experiences of their journey to desktop virtualization.  If you want to attend the interactive webcast of this event, please click here – I think you’ll find it incrementally valuable if you’re on the verge of a pilot, proof of concept or just researching your options.

This experience reminded me of something important regarding the transformation of the user desktop as we know it.  Immersive business video is increasingly becoming a modality of enterprise collaboration that workers will depend on to be productive.  Consider the fact that ten people had meaningful discourse in this session, without any of them having to board a plane.  IP telephony is the same – we can’t imagine a day without access to our phone.  So when we talk about using virtual desktops making people more productive, and making business more agile, it makes total sense that we expect by extension of that premise, voice, video and virtual desktops to converge in a single workspace that’s accessible on any device, anywhere.  We depend on all of these modalities to be effective, not just one.

Now back to the townhall itself… I won’t spoil it for you, since I really hope you’ll actually attend it and hear first-hand, but some consistent themes came up throughout the meeting that we can all learn from:

Our education sector panelists are striving to achieve a “borderless classroom” for not only K-12, but also higher ed, as well as students pursuing continuing professional education (ex: exec MBA programs).  Being able to deliver an educational, media-rich workspace that’s accessible on any device, while un-tethering students from traditional PC lab environments is key to improving learning, while also attracting the best students at the higher ed and lucrative professional levels where students want to be able to place-shift their learning environment.

Our panelists from the Federal sector have been driving this technology for years… in the DoD, they face unique challenges in terms of coordinating resources across theaters, so providing universally accessible, secure workspaces for employees and contractors is key.  Telework mandates and specific executive orders related to cost-efficient use of technology, coupled with the current budget crisis are all driving accelerated adoption of virtual workspaces.  Additionally, many defense-related departments face increasing base closures and consolidation, that would normally have resulted in relocating employees, or extending commutes, or simply losing experienced talent altogether.  Telework options built on workspace virtualization are providing a more attractive option.

State and local agencies with mobile field service personnel are reaping the benefits of being able to walk into any office or home with the device that best suits them, and get persistent access to their files and applications.  They’re spending more time interviewing or delivering services to communities and constituents, and less time traveling to and from their physical brick-and-mortar office to update case files.

Doing more with what you got is also a consistent theme as our panelists shared their experiences of driving higher ratios of supported users, in some cases doubling the number of constituent users after having made the transition to virtual workspaces.  Eliminating the “sneakernet” in K-12 environments also seemed to be a home-run, along with reaping considerable utility savings associated with lower power thin-clients in the classroom.


Security!  This is implied just by nature of moving to virtual desktops right?  In many respects yes, but in others, you may need to take a closer look.  With the proliferation of BYOD and the myriad of possible user endpoints seeking to access network resources (not just virtual desktop services), our panelists felt there was a heightened need for being able to apply centralized management of device access/policy in this consumer-led movement that circumvents traditional IT control.

Even if you’re not in Public Sector, you might find the experiences shared valuable in shaping your own journey to implement virtual workspaces.  Plan to join us on December 15th for an interactive, informative session!  After attending, please weigh-in and share your thoughts here!

By: Tony Palikeday

Tuesday, December 13, 2011

Securing New Digital Devices

Laptops, desktops, Macs, mobiles, and tablets are on many people’s wish lists this holiday season. Once these shiny new devices are connected to the Internet, they will be under siege by malware created by criminals in order to steal identities.

According to a recent McAfee survey, 60% of consumers now own at least three digital devices, and 25% own at least five. Cybercriminals are taking advantage of these new opportunities by widening their nets to target a variety of devices and platforms. McAfee Labs is reporting an increase in Mac and mobile malware, while PC threats also continue to escalate.

Mobiles: Mobile malware is on the rise, and Android is now the most targeted platform.  Attacks aimed at the Android platform increased 76% from the first to second quarters of 2011. Malicious applications are a main threat area, so be careful of third party applications, and only download from a reputable app store. Read other users’ reviews and make sure you are aware of the access permissions being granted to each app.

Macs, iPads, and iPhones: Unfortunately, the popularity of Apple computers and devices has led to escalated threats. As of late 2010, there were 5,000 pieces of malware targeting the Mac platform, and they have been increasing at a rate of about 10% each month.

Since more threats are being aimed at this platform, consider installing security software for your Mac as a proactive measure. Check out Apple’s new iCloud service, which provides several tools for syncing, backing up, and securing data, and consider a product that offers remote locate, wipe, and restore features in case of loss.

Laptops and desktops: Your security software should include, at a minimum, antivirus software with cloud computing, a two-way firewall, anti-spyware, anti-phishing, and safe search capabilities. Additional levels of protection include anti-spam, parental controls, wireless network protection, and anti-theft protection to encrypt sensitive financial documents.

Gaming and entertainment devices: Remember that the Nintendo Wii and 3DS, PlayStation 3, and Xbox 360 are now Internet-connected, making them vulnerable to many of the same threats as PCs. To protect your investment, make reliable backup copies of your games. Take advantage of built-in parental controls that can help shield kids from violent games or limit when the device can be used.
Some multiplayer games allow kids to play with strangers over the Internet, so if you are a parent, consider employing monitoring tools. Connect your device to secure Wi-Fi networks only, and don’t store personal information on your device.

Removable storage devices: Flash drives and portable hard drives require technologies to protect your data. Consider using a secure, encrypted USB stick, which scrambles your information to make it unreadable if your device is lost or stolen. Install security software that protects portable hard drives, and set a password.  Since removable storage devices are small and easily stolen, you should not leave them unattended.

By: Robert Siciliano 

Learn more tips from McAfee here: http://blogs.mcafee.com/consumer/securing-new-devices

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Monday, December 12, 2011

Six Ways To Protect Your Enterprise From Scams This Holiday Season

Holiday season is like any other time of year for IT security except more so. Users shop, hunt for bargains, book travel, and check and manipulate their bank accounts a lot more than they do the rest of the year. They’re also often stressed and strapped for cash, so they’re more susceptible to phishing, fake promotions and discounts, and other tricks that grab personal financial information and inject malware into devices and networks. Check out McAfee’s 12 Scams of Christmas blog to learn about some of the more prevalent threats that emerge big time before and during the holiday season.

This is not only a threat to the online consumer, but, thanks to the consumerization of IT, to the enterprise as well. Users hunting for bargains and hitting social networks and personal email at the office or home put the network in danger of malware infection and data theft. Their devices can get infected at home and spread that infection across the enterprise the next time they connect. Those who tend to use the same password for everything can give hackers a way in to your company network to steal your company’s intellectual property.

Holiday season, or shortly before, is a good time to reassess your corporate policy and security architectures and re-educate your staff about all the dangers out there. Some of the things to consider and reconsider are:

Passwords: In addition to the usual password policies, users should know they should not use the same passwords for shopping, Web sites, and social networks that they use for work applications.

Smart Phones: If your company embraces multiple smart phone platforms it’s time to reeducate users to their device theft, data theft, and malware hazards. This is particularly true for Google Android, which has seen a huge increase in malware in the past year. Users should know what and from where they’re permitted to download and should be trained to recognize signs of possible hazards, such as software that seeks permissions it doesn’t really need. Corporate data should be encrypted in transit and at rest. And consider implementing or updating a centralized mobile management solution.

Virtualization: An effective way to bring in home laptops safely is to separate home and work applications, data, and other items into separate virtual machines so users can do what they want at home without worrying about affecting the work environment.

Endpoint and Gateway Protection: Make sure they are installed, managed, and up to date to guard against the latest threats. An effective network access control (NAC) implementation will ensure that anything that connects to your network is up to date with the latest security patches and software.

Acceptable Use Policy and Enforcement: Examine your company’s acceptable use policy to make sure it is up to date with the latest uses and threats and make sure you have the systems in place at the gateway and endpoint to enforce it.

Education: Educate users to the latest scams, including phony bargain sites, e-cards, friend requests, charity solicitations, delivery service invoices, online job postings, auction sites, Christmas Carol lyrics, banking emails, mobile applications, antivirus scareware, holiday screensavers, etc. Start with the 12 Scams of Christmas and keep them up to date with the new scams that appear monthly or weekly so they know how to look out for them. Users should report any scams they discover and others should be alerted.

The moral: If it sounds too good to be true, it probably is.

By: Leon Erlanger

Friday, December 9, 2011

Fifth Scam Of Christmas, “Santa in 3-D”!

For the 5th Scam of Christmas, the criminals gave to me “SANTA IN 3-D”!

During the holidays, friends of mine are always willing to share the latest holiday cuteness via a forwarded email. I have to remain vigilant to be super careful what emails I open up this time of year. Holiday-themed ringtones, e-cards and screensavers can contain malicious code.

If you see email that seems to be from a friend, but it has misspelled words, or the message doesn’t seem like something your friend would say, be cautious. Often scammers keep the messages short and include a link in the hope that you will click on it. That click can either download the malicious file to your computer or trick you into giving up your password so they can spam your friends with more of the same sneaky links.
  
Tips for avoiding this scam:

– Your first line of defense is a comprehensive security suite. Make sure it is set to update automatically so your computer remains protected from the very latest threats.

– Hover your mouse over links in emails and check the lower left corner of the screen for the actual link address. Avoid clicking on links that contain misspelled words or suspicious URLs.

– When searching for holiday freebies, use SiteAdvisor, McAfee’s free add-on that tells you the websites that are safe to visit.

Check out more tips at: http://mcaf.ee/6bh53

Stay safe out there!

By: Tracy Mooney

Thursday, December 8, 2011

Cybersecurity Is Material To The Business Says The SEC – Finally

The Securities and Exchange Commission’s Disclosure Guidance on Cybersecurity, issued on October 13, is another big step towards the widespread realization that for many organizations, IT and the business are one. More and more critical business processes are dependent on hardware and software and today a company’s worth is just as likely to be based on its intellectual property as its physical assets. Much of that intellectual property is under the trust of IT and can be stolen in a cyberattack.

Take a glance and the disclosure guidance may not seem that important at first, since it contains no new rules or regulations. Read it carefully and you’ll see that the SEC is sending a clear message that publicly traded companies can no longer pretend cyber attacks and vulnerabilities are immaterial to the business.

The guidance spells out several existing business disclosure requirements that should take cybersecurity into account:

Risk Factors: Companies should disclose the risk of cybersecurity incidents if they are “among the most significant factors that make an investment in the company speculative or risky.” Disclosures may include the frequency and nature of prior incidents, the probability of future cyber incidents, all the potential costs and other consequences resulting from attacks, and even the adequacy of business’s current preventive actions. The guidance is pretty thorough, even spelling out less tangible financial costs of an attack that should be taken into account, such as lost revenue from unauthorized use of proprietary information, reputational damage, litigation, and failure to retain or attract customers.

Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A): Companies should address cybersecurity risks and incidents if the cost or other consequences are likely to have a material effect on results of operations, liquidity or financial condition. Companies may be expected to describe the effects of an actual attack and the actual property that was stolen, as well as whether the impact changes the validity of already reported financial information.

Description of the Business: Cybersecurity incidents should be reported if they materially affect a company’s products, services, customer or supplier relationships, or competitive position.

Legal Proceedings: Companies should disclose the details of litigation resulting from cyber attacks, such as that resulting from theft of customer information.

Financial Statement Disclosures: Companies should carefully consider whether cyber risks and incidents have a broad impact on their financial statements. Some things to take into account include the costs of preventing attacks, customer incentives after attacks, and losses from warranties, breaches of contract, and product recalls or replacement.

Disclosure Controls and Procedures: Companies should disclose the impact of incidents on their ability to record, process, summarize, and report information required in SEC filings, if it’s significant, and consider whether existing disclosure controls and procedures have been rendered ineffective.

If you work for a public company you should take this guidance seriously. It’s likely that publicly traded companies will be expected to start reevaluating their cybersecurity practices and audits and become more proactive about disclosing cybersecurity vulnerabilities and attacks. If you haven’t yet incorporated IT security experts in your Risk Management teams, it’s probably time to start thinking about doing so. Even if there are no new regulations here, it’s likely that after a damaging cyber attack, questions will come up about adherence to the SEC’s guidance. You can also bet this is just the beginning of a progression of new legislation and regulatory action addressing the issue of cybersecurity’s impact on the business.

By: Leon Erlanger

Wednesday, December 7, 2011

Phishers Piggyback on Indian Websites

Contributors: Avdhoot Patil, Ayub Khan, and Dinesh Singh

Have Indian websites become a safe haven for phishers? To better understand, let’s explore how phishers create a phishing site. There are several strategies phishers frequently use: hosting their phishing site on a newly registered domain name, compromising a legitimate website and placing their phishing pages in them, or hosting their phishing site using a web hosting service.

Let’s now focus on the second method which involves the use of compromised legitimate websites.
From April, 2011, to October, 2011, about 0.4% of all phishing sites were hosted on compromised Indian websites. These compromised websites belonged to a wide range of categories but the most targeted was the education category which included websites of Indian schools, colleges, and other educational institutions. Symantec has previously reported on the websites of Indian educational institutions compromised by phishers. The education category consisted of 13% of compromised Indian websites. Some of the other top categories were information technology (11%), sales (9%), Web services (8%), and e-commerce (6%).

The existence of Indian phishing sites in the education category may not be alarming but phishers have exploited Indian websites owned by individuals and organizations across many disciplines:

The phishing sites hosted on these Indian websites spoofed a multitude of brands. The majority of these brands belonged to the banking sector (comprising about 68%). The e-commerce sector comprised about 22%, and information services 3%.

Internet users are advised to follow best practices to avoid phishing attacks:
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.
By: Mathew Maniyara

Tuesday, December 6, 2011

Fourth Scam of Xmas, Fake Anti-virus & Scareware

For the fourth scam of Christmas, the criminals gave to me… fake antivirus pop-ups scaring my family! I have had this scam hit my family twice. The last time, my husband accidentally clicked on what looked like a message that the computer had a virus and Bam! We got the scary blue screen.

These scams even target Mac users, so if you have any kind of computer, you need to keep a watchful eye out for this scam.

Scareware now makes up 25% of all malware. This scam has been used for a few years on PC users. A user is surfing the web when they get a pop-up message that says something like “you may have a virus”. You have no choice but to click on the pop-up when mayhem erupts! … in actuality, you just allowed a malicious program to download and run on your computer.

In the Mac version, cyberscammers are placing links to fake antivirus software in online search results. They advertise programs with names like “Mac Defender,” “Mac Security” or “Mac Protector,” offering to safeguard your computer from online threats. But once you click on the link, it downloads malicious software onto your machine.

In the background, the program may open up pop-up windows, asking you to upgrade the software for a fee to remove non-existent threats. If you agree to “upgrade,” the cybercrooks get your money—often $50—and you get nothing in return. Or, it may open up pornography, or other undesirable websites.

To avoid this scam, follow these tips:
-  Always have a legitimate copy of a comprehensive security software installed on your device
-  Make sure that software is updated automatically
-  Exercise caution when you click on links. Using software such as SiteAdvisor (www.siteadvisor.com) can help because it distinguishes between safe and risky websites
-  ALWAYS exercise caution while clicking links in emails that look suspicious, even if they appear to come from a known contact
-  Hover your mouse over links without clicking and look in lower left hand corner of the window to see the actual link address – avoid suspicious web addresses that contain misspelled words
-  Hit alt + F4 to close the pop ups.
-  If you think you clicked on a bad link, update your security software and run a scan.

For more information about this type of scam, see this post.

Stay tuned for the next Scam of Christmas and as always, stay safe out there!

By: Tracy Mooney

Monday, December 5, 2011

Secure Mobile Shopping This Holiday Season

Mobile shopping isn’t something I ever thought I’d do. I mean, come on! Why in the world would I use a tiny screen to make big purchases that often require lots of research? But I have found that as I become more dependent on my mobile phone whenever I’m away from my home/office wireless connection, I also accomplish more menial tasks while waiting at a doctor’s office or airport, for example. Tools like the eBay app, Craigslist Pro, and savvy online retailers like Amazon have made mobile shopping simple and easy.

I’m not alone. The National Cyber Security Alliance and McAfee released a study showing that in the last six months, 50% of Americans have used smartphones to research potential purchases, 27% have used them to shop, 12% have used them to shop at auction websites, specifically, and 18% have used their phones to make online payments.

While using a PC to shop online has risks, so does mobile shopping. Caution must be taken. Of those polled, 72% admit to having no security software at all. McAfee researchers found that new examples of mobile malware increased 46% from 2009 to 2010, and within the next one to two years, mobile malware is expected to affect more than one in 20 devices.

To stay safe while mobile shopping this holiday season:

1. Keep security software current. The latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.

2. Automate software updates. Many software programs can update automatically to defend against known risks. If this is an available option, be sure to turn it on.

3. Protect all devices that connect to the Internet. In addition to computers, smartphones, gaming systems, and other web-enabled devices also require virus and malware protection.

4. Plug USB drives and other external devices into your computer and scan them with your security software.

5. Know the seller before making a purchase. If a seller is unfamiliar, do research to see how they have been rated and reviewed before making your first purchase. This is a good idea even if you are a return customer, as reputations can change.

By: Robert Siciliano

Friday, December 2, 2011

Chinese Phish Tastes Bitter With Prizes

Co-Author: Avdhoot Patil

Symantec is familiar with baits commonly used in Chinese phishing sites. A grand prize, for instance, is often used as phishing bait. This November, 2011, phishers continue with the same strategy by including a brand new iPad 2 for a prize. The phishing sites were hosted on a free webhosting site.

The phishing page spoofs the Chinese version of a social networking gaming application. What is most interesting about the phishing page is that it displays a warning for an incorrect password (in red) even before any user credentials are entered. The phishing site announces to users that all fields are required to be filled before proceeding to the lucky draw. Users are prompted to enter their email address, password, email password, and birth date. The phishing site then states the winning email addresses will be drawn and winners would receive an iPad 2 and prize money of 50 million dollars. Ironically, the phishing page wishes good luck to the user towards the bottom of the page. After a user enters their credentials, the phishing page redirects to a legitimate application page of the social networking site.

A similar phishing attack was observed later during the same month only this time the phishing site was in English. The difference in this particular phishing site from the previous example is that it declares the user as a winner in advance. An amount of 124 million dollars in poker chips is claimed as the prize money and the user is prompted to login to attain the prize. The same set of credentials were asked in this phishing site as well. At the bottom of the page, an iPad 2 is stated as a bonus gift in addition to the prize money. After the credentials are entered, the phishing page gives an error of incorrect password. Upon entering the credentials for the second time, the phishing page redirects to the legitimate application page. If users fell victim to these phishing sites, phishers would have successfully stolen their information for identity theft purposes.

Internet users are advised to follow best practices to avoid phishing attacks:
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.
By: Mathew Maniyara

Thursday, December 1, 2011

Beware of Your Holiday Travel E-Ticket Confirmation

How does Symantec know it's the week of Thanksgiving? Because as the busiest travel day of the year, the day just before Thanksgiving, quickly approaches, there is a surge in fake email ticket confirmations that lead to viruses.

Here is what a fake airline message looks like:


If you inspect the HTML coding for this message carefully, you will notice a malicious link in the anchor tag:





This link redirects to a known malware-hosting site in Russia which previously hosted Trojan.Maljava. Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that exploit one or more vulnerabilities, one of many threats awaiting an unsuspecting user.

So before you click through emails during the holiday rush, here are some best practices to protect yourself from these types of malicious email attacks:
  • Be selective about websites you give your email address to.
  • Before entering personal or financial details online, ensure the website has SSL encryption (look for things like HTTPS, a padlock, or a green address bar).
  • Avoid clicking on suspicious links in email or instant messages as these may be links to spoofed websites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
  • Do not open spam messages.
  • Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
  • Do not open unknown email attachments. These attachments could compromise your computer.
  • Always be sure that your operating system is up-to-date with the latest updates and use a comprehensive security suite. For details on Symantec’s offerings, visit http://www.symantec.com.
By: Sammy Chu
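
The check described in the e-ticket post above (reading the anchor tag rather than trusting the link text), which is also the "hover over the link" tip from the scam posts, can be automated when triaging reported messages. The following Python is an added example, not code from the original posts or from Symantec; the sample message, the host names (all reserved example names and documentation addresses) and the function names are constructed for illustration, and the "same site" test is a simple suffix comparison rather than a full public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not taken from the original post).
# All hosts use reserved example names and documentation addresses.
SAMPLE_HTML = """\
<p>Dear customer, your e-ticket is confirmed.</p>
<p>Download it here:
  <a href="http://203.0.113.7/ticket.php?id=1">http://www.airline.example/e-ticket</a></p>
<p><a href="https://www.airline.example/help"><b>Help</b> centre</a></p>
<p><a href="http://airline.example.tracker.invalid/t">www.airline.example</a></p>
<p><a href="https://booking.airline.example/manage">airline.example/manage</a></p>
"""

# Heuristic: something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None      # href of the anchor currently open, if any
        self._chunks = []      # text pieces seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._chunks = []

    def handle_data(self, data):
        if self._href is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._chunks).split())
            self.anchors.append((self._href, text))
            self._href = None


def link_target(href):
    """Return (scheme, host) of an href, or ("", "") if it cannot be parsed."""
    try:
        parts = urlsplit(href.strip())
        return parts.scheme.lower(), (parts.hostname or "").lower()
    except ValueError:
        return "", ""


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(link_host, shown_host):
    """True if the link goes to the shown host or to a subdomain of it."""
    link_host, shown_host = strip_www(link_host), strip_www(shown_host)
    return link_host == shown_host or link_host.endswith("." + shown_host)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return one finding per web link whose destination deserves a second look."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        scheme, host = link_target(href)
        if scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        reasons = []
        shown = HOST_IN_TEXT.search(text)
        # The text displays one host while the href points somewhere else.
        if shown and not same_site(host, shown.group(1).lower()):
            reasons.append("text-host-mismatch")
        # Legitimate bulk mail rarely links to a bare IP address.
        if is_ip_literal(host):
            reasons.append("ip-literal-host")
        if reasons:
            findings.append({"href_host": host, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

A finding is a prompt for review, not a verdict: link-tracking services used by legitimate senders also produce text and href mismatches, so the output is best combined with sender verification.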

Wednesday, November 30, 2011

DNSChanger Fraud Ring Busted

Here’s a money making idea: find some advertisers and tell them you can put their ads on billboards at half the going rate. You don't own any billboards? No problem, just go paste the ads over the ones on someone else's billboards.

This idea has not really caught on in the real world—it's impractical to run around town, climbing up poles, and plastering ads on someone else's billboard. You’re also limited to the billboards you can physically reach. Plus it's illegal.

The Internet is another story. There are no physical limitations, no climbing, and some people don't have an issue with doing illegal things, especially when they don't think they'll get caught. The good news is they do get caught, but we'll come back to that.

So what is the equivalent of a billboard on the Internet? A website. Getting people to visit a website and view ads on it is big business. This attracts cyber criminals who try to figure out how they can manipulate this aspect of the Internet for their own gain, and they can. They do it with something called DNSChanger.

What's DNSChanger? The FBI has information on it on their website. It's really nice to see a clear description of such a complicated fraud. Even nicer, the FBI just caught an international fraud ring responsible for compromising millions of computers with malware and defrauding Internet advertisers.
How much could a bad guy possibly make doing this? The ones the FBI just took down made at least 14 million dollars—big money. It took a large number of compromised computers to get all this money: four million computers in more than 100 countries. My bet is that most of those computers didn't have good security software, or didn't keep it up-to-date. That's pretty sad, because this makes life easy for the bad guys. The cyber criminals use malware like Zlob or Tidserv to get DNSChanger on a computer. We have multiple protection technologies that detect these threats, but you have to use the technology in order to be protected.

The FBI has provided some great information to help potential victims identify if their computer has been subjected to the attack. Symantec can help too. If you feel you may have been compromised, even if you're not one of our customers, you can make use of Norton Power Eraser to further analyze and remove any malware on your computer. We can't rely solely on the FBI, we all need to do our part to stop these criminals.

By:  Kevin Haley

Tuesday, November 29, 2011

For The Third Scam of Christmas, Beware of Phony Facebook Prizes

For the third scam of Christmas, the criminals may give to me…multiple phony Facebook promotions that may steal my identity!

When I first started working with McAfee, during The SPAM Experiment, one of my objectives was to go in search of the free laptop, iPod, etc. You know – those enticing ads that offer an amazing “Free” item in exchange for simply filling out “this form” or for taking advantage of some other attractive offer, that is, purchase this great item and “get a free iPod!”

Well, after a month of clicking on offers and filling out forms all I got was a big, fat goose egg, nada, zilch! I am however, still getting junk mail addressed to the alias “Penelope Retch” that I had created more than two years ago.

So when I see those Facebook promotions that promise some free prize, I know to avoid them. A recent scam advertised two free airline tickets, but required participants to fill out multiple surveys requesting personal information.

If you have spent any time at all on Facebook, you have heard the horror stories from folks who clicked on a bad link and gave away a cell phone number or credit card information only to find a bogus charge on their statement a few weeks later.

So as the holidays gear up and you get busier and busier, please keep these simple tips in mind:

1. Be wary of clicking on an ad on Facebook if you are unclear who the source is.
2. Always read all permissions on a page before accepting the terms and going to the page.
3. If you click on a link and it asks you to log in to Facebook, do not do it! Criminals make it look like an official log-in page so they can steal your password and spam your friends.
4. Be careful giving out any personal information such as cell phone and credit card information online.

As with any offer, if it seems too good to be true, it probably is. For more information about online fraud, see www.lookstoogoodtobetrue.com. To see all of the 2011 12 Scams of Christmas, please click here. Stay tuned for my tips for staying safe the remaining “9 days” of the holidays!

Keep your head this holiday season and stay safe out there!

By: Tracy Mooney

Monday, November 28, 2011

Social Security Number: All-Purpose Identifier

Your Social Security number was never meant to serve the various functions it is used for today. Over the past 70 years, the Social Security number has become our de facto national ID. The numbers were originally issued in the 1930s, to track income for Social Security benefits. But “functionality creep,” which occurs when an item, process, or procedure ends up serving a purpose it was never intended to perform, soon took effect.

Banks, motor vehicle registries, doctors’ offices, insurance companies, and even utilities often require a Social Security number to do business. Why do they need it? Sometimes it’s because your Social Security number is attached to government records like taxes or criminal records, but most often it’s because the number is attached to your credit file.

The IRS adopted our Social Security numbers as identifiers for our tax files about 50 years or so ago. Around the same time, banks began using Social Security numbers to report interest payments, and so on.

All the while, Social Security numbers were required for all workers, so their Social Security benefits could be paid. Most people were assigned a number when they applied, sometime around the age of 16. This was until the 1980s, when the IRS began issuing Social Security numbers to track children and babies who were claimed as dependents. By the late ‘90s, it was standard for most hospitals to provide a Social Security number application to new moms.

A federal law enacted in 1996 determined that Social Security numbers should be used for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” The number can be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

All this leads up to the unfortunate realization that your Social Security number is out there in hundreds, or even thousands of places. It is most definitely not private, nor can it be adequately protected. It’s just like a credit card number. You give it out, you hope the person or company is responsible with it, you hope it’s not breached, but all you can do is monitor your identity’s health and, if your identity is ever stolen, take the appropriate steps in response.

Be sure you have active, comprehensive protection for all of your devices. McAfee All Access is the only product that lets individuals and families protect a wide variety of Internet-enabled devices, including PCs, Macs, smartphones, tablets, and netbooks, for one low price.

Robert Siciliano is an Online Security Evangelist for McAfee.   See him discuss the use of Social Security numbers as national identification on Fox News. (Disclosures)

By: Robert Siciliano

Friday, November 25, 2011

For The Second Scam of Christmas, The Criminals Gave To Me… Malicious Mobile Apps!

…and Malicious codes ruining my mobile shopping spree!

Back in March of this year I posted a blog entitled The Google Kill Switch and Smartphone tips. At the time there were 21 apps on Google Marketplace that were infected with Malware that Google yanked from the market faster than I could blog the warning call.

McAfee has seen mobile apps designed to steal information from smartphones and apps that send out expensive text messages without a user’s consent, and last year 4.6 million Android smartphone users downloaded a suspicious wallpaper app that collected and transmitted user data to a site in China.

These dangerous apps are usually offered for free, and masquerade as fun applications, such as games. Here are a few tips to keep your phone from spoiling your jolly holiday!

1. Read reviews of the app before you download. People are very vocal with criticism; here is where it comes in handy! This is where you will find out if the app doesn’t work on your particular phone, doesn’t do what it promises, or if it is great and users love it.

2. Read the permissions before you download. Is it requesting permission to access your call history, send SMS texts or track GPS location? If it shouldn’t need that information to work (such as ringtones or wallpaper), think twice before you install.

3. Download only from a trusted source.  Stick to apps from well known developers with good reviews.

4. Take advantage of additional security software. Use McAfee Mobile Security or if you have McAfee All-Access, your phone is already covered!

Stay safe out there!

By: Tracy Mooney

Thursday, November 24, 2011

What Is On Your PC/Laptop/Smartphone?

The other day I was watching a rerun of “Up in the Air,” in which the character of George Clooney makes a presentation titled, “What’s in your Backpack?” This simple question set me thinking and I started wondering, what was there in MY backpack, which happens to be my life and soul, the computer. I kept thinking about it whilst I switched on the PC.

“What is there in you that I value?” I asked the PC, as I opened My Documents. And there they were: family albums, my favourite songs, our resumes, the kids’ project work, my husband’s painstakingly prepared business reports, client data, scanned documents, bank details, and so on and so forth. Further investigations revealed that our smartphones, laptops and iPads also contained a lot of our important personal data, movies and music. Never realized how digitally documented our lives have slowly become!

With this realization came the obvious fear and WHAT IFs. What if the gadgets were misplaced, lost, or stolen? What if the data fell into unsavoury hands? I can approximately calculate the loss of the gadget but how do I put a price to what they hold in store? More importantly, how do I retrieve lost data?

The new McAfee “Digital Assets” survey reveals that “consumers place an average value of $37,438 on the “digital assets” they own across multiple digital devices, yet more than a third lack protection across all of those devices!”

Further, “60% of the over 3,000 global respondents own at least three digital devices per household, while 25% own at least five. (Digital devices are mainly desktop or laptop computers, tablets, and smartphones.) As many as 41% of those surveyed spend more than 20 hours per week using a digital device for personal use.”

The study pointed out:

–In 2010, malware cost consumers $2.3 billion and caused them to replace 1.3 million PCs
–32% of the consumers who don’t use security protection on all of their devices still don’t think they need it.
–31% cited cost as another reason why they are reluctant to purchase security protection for all of their gadgets
–86% agreed that purchasing security protection was money well spent

Most of us consciously try to safeguard our desktops and laptops by installing at least a basic antivirus. But we leave the protection of our smartphones, tablets, and Macs in God’s hands. Cybercriminals have started focusing on these devices now, as they are easier to hack.

The need of the hour is therefore a multi-device security strategy at a competitive price, something that McAfee understood.

McAfee All Access (www.mcafee.com/allaccess) is the first full security offering for Internet-connected devices. It secures all Internet-enabled gadgets, from smartphones and tablets to PCs and netbooks. This means you need only one license to secure all your devices. Say goodbye to sleepless nights and lost data. Get All Access.

Stay safe online!

By: Anindita Mishra

Wednesday, November 23, 2011

Maximizing Telepresence’s Value for Federal Agencies

Wanting to treat himself, my friend recently upgraded to the ultimate cable service in his area. He now has thousands of channels from which to choose, access to any movie on demand, and is the proud owner of a remote control with more buttons than the control panel of the Death Star.

You may wonder: Has he expanded his viewing preferences since acquiring the new system? Hmm … no. For one, he’s afraid of his remote—it’s way too complex. He also often struggles to turn the system on.

Those who invest in telepresence need not suffer this technological befuddlement. Nor would they want to miss out on the technology’s benefits, especially after making such a large investment. Yet, as Cisco’s Tim Markey pointed out at our Federal TelePresence Users Forum, several telepresence customers have struggled to maximize the potential of their systems. They had trouble transforming their workplace cultures to communities that embrace video as the paramount means of communication.

Markey talked about some of the ways federal agencies can sidestep the obstacles some companies have faced and create thriving telepresence networks within their offices. His list touched on the following:

1)      Train and support: Provide all potential agency users with the tools they need for success, such as comprehensive system knowledge and demonstrated familiarity with technological functions. Implement support systems and announce their availability to eliminate any user intimidation.
2)      Reward early adopters: Encourage telepresence use throughout the agency by acknowledging and publicizing the positive results experienced by the first employees to successfully use the technology.
3)      Create a telepresence-dependent environment: Reduce travel budgets. Implement HR policies requiring some telepresence use.
4)      Monitor, measure, and report: Evaluate the technology’s performance and communicate successes and opportunities.
5)      Stay flexible: Make changes when needed, and seek support from technology providers. Don’t let the system stop working for you when there might be an easy solution to the problem.

What do you think of this advice? How do you (or how would you) maximize the return on your telepresence investment?

By: Janet Lyons

Tuesday, November 22, 2011

The First Scam of Christmas, Criminals Gave To Me…Malicious Codes Ruining My Mobile Shopping Spree!

The National Retail Federation did a survey that found that more than half of consumers will be using their smartphones to shop this holiday season. I know I use mine all the time, from scanning items to find the best price and get reviews to using coupons on my phone. Having a smartphone helps me make the best shopping choices for my family. The stores are all trying to allow us to use our phones to make purchases and make the shopping experience easier and more fun.

As with any popular new topic or device – where the consumers go, the criminals are sure to follow. Unfortunately, my Droid is one of the most at risk with a 76% increase in malware targeting the Android platform in the 2nd quarter of 2011 according to McAfee.

How are criminals targeting smartphones? The most recent swindle involves QR codes. “Quick Response” codes are those digital barcodes that look like this.



You can find them in magazines and in store windows. When you scan them with your phone, a good code will direct you to a website, which tells you more about a product, pops up a video or directs you to enter a contest. Expect lots of them on Black Friday and Cyber Monday to point you to some great deals!

If you come across a code that is not from a legitimate source such as a magazine, the code will trigger a download that sends SMS texts to a premium site, and you will get a very unpleasant holiday surprise from your cell phone provider in the form of an expensive bill.

This particular scam requires your permission to run the code. To avoid it, use a QR code scanner that previews the URL. I use QR Droid or Google Goggles for my scanning fun. These scanners show me the destination URL and don’t “autorun” or “auto load” anything on my phone without telling me what it is. If you have an iPhone, use Red Laser or Bar-Code for your holiday scanning pleasure. :D


For more specifics about QR codes and how this type of threat works see these posts by Arun Sabapathy and Jimmy Shah. You can also learn about the 12 Scams of Christmas here.

Stay safe out there!

Tracy

By: Tracy Mooney

Monday, November 21, 2011

DLP For SAP: Protecting ERP Data Across The Organization

Many global organizations operate in highly competitive markets, including countries known to aggressively target intellectual property. A significant amount of sensitive information, including intellectual property (IP) resides in enterprise resource planning (ERP) systems such as SAP and Oracle. Traditionally, the security around this information has been limited to the capabilities of the ERP system through access control, segregation of duties, and monitoring within the ERP system.

However, an authorized user can extract this information – and into many different formats. Once extracted, this information is constantly accessed and modified and so it becomes difficult to protect this information from data loss once it leaves the ERP system. How can you create policies for a DLP solution if you do not know what to look for?

It is also very challenging to identify what data in an ERP needs protection.  A lot has to do with the complexity of ERP databases and the fact that sensitive data can typically be spread out across many tables in the database. Making it easy to focus protection on ERP data elements that are sensitive would be appealing to organizations.

Until recently, there were no effective solutions in the market to allow an organization to easily identify sensitive data in ERP systems and track this sensitive data once it has been extracted from the ERP. Worse, there was no easy way to prevent this potentially sensitive information from leaving the organization.

With a goal of reducing the risk of losing this valuable ERP data, organizations have been looking for ways to correlate what a user is doing inside of the ERP system with what that user is doing outside of the ERP system.

This is one of today’s more pressing DLP challenges – and it is being solved for a leading chemicals company with an innovative solution using McAfee Data Loss Prevention and Saviynt Access Manager.  With this joint solution, an organization can identify sensitive information as it leaves the ERP system, dynamically create DLP policies to protect that information, and analyze user activities to detect high risk behaviors. Organizations will now be able to track ERP data seamlessly from the ERP to the various data loss points in the organization’s network.

We’ve got this solution working at a leading chemicals company. You can get more details about this implementation in our December 7 webcast.

By: Nikfar Khaleeli

Friday, November 18, 2011

Security 101: Attack Vectors, Part 1

In the first part of this series, we discussed the entry points that an intruder could use to attack our “building,” our metaphor for network security. In the next few posts, we shall focus on the next level: attack vectors.

If vulnerabilities are the entry points, then attack vectors are the ways attackers can launch their assaults or try to infiltrate the building.

In the broadest sense, the purpose of the attack vectors is to implant a piece of code that makes use of a vulnerability. This code is called the payload, and attack vectors vary in how a payload is implanted.

Although there’s no official classification for attack vectors, we often catalog them according to how much interaction with the victim is needed to make them work. For example, if the attack vector is a malicious file, then the victim needs to download and open it for the attack to work. On the other hand, a SQL-injection attack needs little or no interaction with its victims.

These criteria help to determine how massive an attack can be. An attack that requires little interaction will probably be less massive than one that requires a high level of interaction. In the first case, the attacker can target only a certain number of “buildings” at the same time; that number is usually small, and all the work is done by the attacker. In contrast, an attack that depends on a high level of interaction can target many buildings in parallel because the attacker leaves the malicious code somewhere, disguised as a file or a website, and its victims retrieve it on their own. So even though the attack requires a lot of work beforehand, at the moment of infection the work of the attack is done by the victims, not the attacker.

Most known attack vectors can be classified in one of three categories of interaction: low, medium, or high. Today we’ll focus on low-interaction vectors, leaving the rest for next time.

Low Interaction
These are vectors that require attackers to do much of the work ahead of time. Most of the effort is simply reconnaissance, figuring out the where and how of the attack. Victims need to do little for these attacks to be successful. Many of the vectors in this category require Internet applications. Here are three common vectors of this type:
  • SQL Injection: As the name implies, this vector works only on websites or applications that have direct contact with a database. Typically an attacker finds a legitimate website with some design flaws such that after a user inputs data, the information is not cleaned. (By cleaned we mean that all input is checked for special characters; if found they’re deleted with everything that follows them.) The lack of cleaning allows an attacker to send to the database SQL commands that will be executed–because the website doesn’t check whether the input is valid. As a result, the attacker can execute any SQL code without having the necessary permissions.
  • Buffer Overflows (BO): When any application requires user data, it is usually stored in a memory buffer until it is needed. As with SQL injection, sometimes the application does not check that the input fits in the buffer. Enter too much data and it overflows the buffer. When this happens the data that falls outside the buffer is interpreted as memory addresses, and whatever is at that memory address is executed. An overflow could allow an attacker to at least crash the application, but if it is done correctly an overflow can execute any command the attacker wants, as long as the attacker knows at which memory address the command is stored.
  • Cross-Site Scripting (XSS): This is a special kind of injection, similar to SQL injection. XSS works only on websites that allow the execution of scripting code (such as JavaScript). In this case, when a website asks for user input, the attacker enters scripting code between the <script> and </script> tags. The site reads the input, recognizes it as scripting code, and executes it without restrictions. This can be a one-time attack or a persistent attack if the input is stored in some part of the website (such as a Facebook wall message, or a user’s profile page). This attack is mostly silent because the tags make the scripting code invisible to any visitors.

These basic vectors have a lot of variations, depending on the platform, application under attack, and other criteria. Basically all low-interaction vectors work in a similar manner.

Until next time!

By: Francisca Moreno

Thursday, November 17, 2011

Securing Mobile Data Communications

Wireless communication is inherently insecure.  My consulting experience has confirmed that some organizations understand this fact when connecting to wireless networks with their laptops.  However, their awareness falters when connecting their mobile devices to the same networks.  According to an Echoworx study, 44% of the surveyed audience at London’s Infosecurity Europe 2011 conference transmitted sensitive information unencrypted to the Internet via their mobile devices.

OWASP cites spoofing attacks and surveillance as significant when using wireless communications with a mobile device.  Wi-Fi, 3G, GSM, CDMA and Bluetooth: these are but a few transport protocols targeted to affect the confidentiality and integrity of the transmitted data.  The controls discussed in this installment are designed to make successful exploits more difficult and to obfuscate the data to the point that successful exploits will result in no return for the attacker.

SSL vs. TLS

SSL and TLS provide an end-to-end secure communication channel, but they support different encryption algorithms.  For example, SSL does not support 3DES or AES encryption, algorithms required by applications that handle sensitive data such as user credentials, as well as personal or business-critical information.  Data classification and organizational requirements will influence which one is implemented on a device.  All Federal information systems that transmit sensitive information, for example, require the use of TLS.

Encryption Algorithms

The selection of encryption algorithms to support a mobile device will be determined by data classification considerations and business requirements.  Several vendors in the defense industry, for example, are developing FIPS 140-2 validated devices to support applications used by the DoD and NSA.  Some private industry applications may require similar encryption levels, but most use cases can be accommodated with SSL or TLS.

OWASP recommends that strong encryption algorithms and key lengths be used to protect data in motion.  It also recommends that only signed certificates be allowed and that they are associated with reputable certificate authorities.  Signed certificates allow you to verify the source and validity of an encryption certificate, countering unsigned certificates often employed by attackers to gain access to information.  Additionally, it is imperative that chain validation is implemented when chained SSL certificates are used.  The encryption management system on the device should make it possible for the user to determine the validity of a certificate via the user interface.

Lastly, the device should employ mechanisms that mitigate the threat of man-in-the-middle attacks such as SSL strip. These attacks take advantage of SSL connections that do not verify the identity of the remote server.  This allows an attacker to intercept communications, determine the encryption key and decrypt the data in transit.  Countermeasures employ various techniques to verify the communicating devices and the integrity of the encryption information.
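The certificate recommendations above (signed certificates from trusted authorities, chain validation, verification of the remote server's identity) map directly onto client TLS settings. This added example, which is not from the original post, uses Python's standard `ssl` module to put a client configuration that skips those checks beside one that enforces them; the `audit` helper and its finding strings are assumptions made for the illustration.

```python
import ssl


def weak_context():
    """Anti-pattern: the channel is encrypted, but the client never
    checks who is on the other end, so an interceptor's certificate
    is accepted like any other."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_context():
    """Recommended client settings: validate the chain against the
    system trust store, verify the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return a list of findings for a client SSLContext
    (hypothetical helper; the wording of findings is ours)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("server identity (hostname) is not verified")
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the library allows", which can
    # include protocol versions older than TLS 1.2.
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        problems = audit(ctx)
        print(label, "->", problems if problems else "no findings")
```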

The next installment of this series will explore user authentication/authorization and session management.  McAfee’s solutions to this problem space will be detailed and mapped to OWASP recommendations. Until then, be sure to follow us on @McAfeeBusiness for regular updates on McAfee happenings and news.

By: Steven Fox

Wednesday, November 16, 2011

McAfee Releases Top Five Tips to Avoid Bad Apps

While most apps on the market are legitimate, mobile devices have become a targeted platform for malware. It’s becoming more and more common for cybercriminals to corrupt a legitimate app with hidden malicious functionality. These illegitimate and compromised mobile apps are designed to steal information from smartphones, or to send out expensive text messages without a user’s consent. Dangerous apps are usually offered for free and masquerade as fun applications such as games, calendar and comedy apps. Another nasty trick is to pull a legitimate app off of one marketplace, insert malware into it and then re-publish it on other marketplaces or sites with a similar name.

Today, McAfee released some common-sense practices that anyone can take to help protect their smartphones and tablets from the growing threat of malware and the persistent threat of unsecured devices.

For the moment, the amount of detected smartphone malware is relatively low compared to malware that targets desktop or laptop PCs; but being aware that it exists is the first step toward protecting yourself and your data.

Research apps and their publishers thoroughly and check the ratings – better to install apps that are broadly used in the market or are recommended by your circle of friends and colleagues.

It is wise to purchase from a well-known, reputable app marketplace, such as Google’s Android Market or Apple’s App Store. One way for Android users to avoid installation of non-market applications is to de-select the “Unknown sources” option in the Applications Settings menu on their device. If the option is not listed, it means your mobile service provider has already done this for you.

When you install an app, you’ll see a list of permissions for services that are granted access to the hardware and software components on your device, like contacts, camera and location. If something in the permissions screen doesn’t look right, don’t install that app! For example, a game or alarm clock app probably doesn’t need to access your contacts or have the ability to transmit that data from your device.

Install antivirus software on your phone. It is a good idea to install an antivirus program when you get a new mobile device before you add any other apps.

One way to find out if your device has been infected by a bad app is to keep an eye on your wireless bill. Some rogue apps do things like make expensive calls to foreign numbers to fatten the bank account of various intermediary sites at your expense. Often the calls happen in the background or at times when you don’t realize your phone is doing something. Even if you haven’t been infected, you may have unwittingly subscribed to one of those annoying services that automatically bill you every month for things like ring tones, so check the bill every month; it only takes a few minutes.

McAfee can help users protect their mobile device and the mobile apps that reside on the device with McAfee Mobile Security and McAfee App Alert (beta). To learn more about these solutions, visit http://www.mcafee.com/mobilesecurity/.

By: John Dasher