Wednesday, November 30, 2011

DNSChanger Fraud Ring Busted

Here’s a money making idea: find some advertisers and tell them you can put their ads on billboards at half the going rate. You don't own any billboards? No problem, just go paste the ads over the ones on someone else's billboards.

This idea has not really caught on in the real world—it's impractical to run around town, climbing up poles, and plastering ads on someone else's billboard. You’re also limited to the billboards you can physically reach. Plus it's illegal.

The Internet is another story. There are no physical limitations, no climbing, and some people don't have an issue with doing illegal things, especially when they don't think they'll get caught. The good news is they do get caught, but we'll come back to that.

So what is the equivalent of a billboard on the Internet? A website. Getting people to visit a website and view ads on it is big business. This attracts cyber criminals who try to figure out how they can manipulate this aspect of the Internet for their own gain, and they can. They do it with something called DNSChanger.

What's DNSChanger? The FBI has information on it on their website. It's really nice to see a clear description of such a complicated fraud. Even nicer, the FBI just caught an international fraud ring responsible for compromising millions of computers with malware and defrauding Internet advertisers.

How much could a bad guy possibly make doing this? The ones the FBI just took down made at least 14 million dollars—big money. It took a large number of compromised computers to get all this money: four million computers in more than 100 countries. My bet is that most of those computers didn't have good security software, or didn't keep it up-to-date. That's pretty sad, because this makes life easy for the bad guys. The cyber criminals use malware like Zlob or Tidserv to get DNSChanger on a computer. We have multiple protection technologies that detect these threats, but you have to use the technology in order to be protected.

The FBI has provided some great information to help potential victims identify if their computer has been subjected to the attack. Symantec can help too. If you feel you may have been compromised, even if you're not one of our customers, you can make use of Norton Power Eraser to further analyze and remove any malware on your computer. We can't rely solely on the FBI, we all need to do our part to stop these criminals.

By: Kevin Haley

Tuesday, November 29, 2011

For The Third Scam of Christmas, Beware of Phony Facebook Prizes

For the third scam of Christmas, the criminals may give to me…multiple phony Facebook promotions that may steal my identity!

When I first started working with McAfee, during The SPAM Experiment, one of my objectives was to go in search of the free laptop, iPod, etc. You know – those enticing ads that offer an amazing “Free” item in exchange for simply filling out “this form” or for taking advantage of some other attractive offer, that is, purchase this great item and “get a free iPod!”

Well, after a month of clicking on offers and filling out forms all I got was a big, fat goose egg, nada, zilch! I am however, still getting junk mail addressed to the alias “Penelope Retch” that I had created more than two years ago.

So when I see those Facebook promotions that promise some free prize, I know to avoid them. A recent scam advertised two free airline tickets, but required participants to fill out multiple surveys requesting personal information.

If you have spent any time at all on Facebook, you have heard the horror stories from folks who clicked on a bad link and gave away a cell phone number or credit card information only to find a bogus charge on their statement a few weeks later.

So as the holidays gear up and you get busier and busier, please keep these simple tips in mind:

1. Be wary of clicking on an ad on Facebook if you are unclear who the source is.
2. Always read all permissions on a page before accepting the terms and going to the page.
3. If you click on a link and it asks you to log in to Facebook, do not do it! Criminals make it look like an official log-in page so they can steal your password and spam your friends.
4. Be careful giving out any personal information such as cell phone and credit card information online.

As with any offer, if it seems too good to be true, it probably is. For more information about online fraud, see www.lookstoogoodtobetrue.com. To see all of the 2011 12 Scams of Christmas, please click here. Stay tuned for my tips for staying safe the remaining “9 days” of the holidays!

Keep your head this holiday season and stay safe out there!

By: Tracy Mooney

Monday, November 28, 2011

Social Security Number: All-Purpose Identifier

Your Social Security number was never meant to serve the various functions it is used for today. Over the past 70 years, the Social Security number has become our de facto national ID. The numbers were originally issued in the 1930s, to track income for Social Security benefits. But “functionality creep,” which occurs when an item, process, or procedure ends up serving a purpose it was never intended to perform, soon took effect.

Banks, motor vehicle registries, doctors’ offices, insurance companies, and even utilities often require a Social Security number to do business. Why do they need it? Sometimes it’s because your Social Security number is attached to government records like taxes or criminal records, but most often it’s because the number is attached to your credit file.

The IRS adopted our Social Security numbers as identifiers for our tax files about 50 years ago. Around the same time, banks began using Social Security numbers to report interest payments, and so on.

All the while, Social Security numbers were required for all workers, so their Social Security benefits could be paid. Most people were assigned a number when they applied, sometime around the age of 16. This was until the 1980s, when the IRS began issuing Social Security numbers to track children and babies who were claimed as dependents. By the late ‘90s, it was standard for most hospitals to provide Social Security number applications to new moms.

A federal law enacted in 1996 determined that Social Security numbers should be used for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” The number can be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

All this leads up to the unfortunate realization that your Social Security number is out there in hundreds, or even thousands of places. It is most definitely not private, nor can it be adequately protected. It’s just like a credit card number. You give it out, you hope the person or company is responsible with it, you hope it’s not breached, but all you can do is monitor your identity’s health and, if your identity is ever stolen, take the appropriate steps in response.

Be sure you have active, comprehensive protection for all of your devices. McAfee All Access is the only product that lets individuals and families protect a wide variety of Internet-enabled devices, including PCs, Macs, smartphones, tablets, and netbooks, for one low price.

Robert Siciliano is an Online Security Evangelist for McAfee. See him discuss the use of Social Security numbers as national identification on Fox News. (Disclosures)

By: Robert Siciliano

Friday, November 25, 2011

For The Second Scam of Christmas, The Criminals Gave To Me… Malicious Mobile Apps!

…and Malicious codes ruining my mobile shopping spree!

Back in March of this year I posted a blog entitled The Google Kill Switch and Smartphone tips. At the time there were 21 apps on Google Marketplace that were infected with Malware that Google yanked from the market faster than I could blog the warning call.

McAfee has seen mobile apps designed to steal information from smartphones, apps that send out expensive text messages without a user’s consent, and, last year, 4.6 million Android smartphone users downloaded a suspicious wallpaper app that collected and transmitted user data to a site in China.

These dangerous apps are usually offered for free, and masquerade as fun applications, such as games. Here are a few tips to keep your phone from spoiling your jolly holiday!

1. Read reviews of the app before you download. People are very vocal with criticism; here is where it comes in handy! This is where you will find out if the app doesn’t work on your particular phone, doesn’t do what it promises, or if it is great and users love it.

2. Read the permissions before you download. Is it requesting permission to access your call history, send SMS texts or track GPS location? If it shouldn’t need that information to work (such as ringtones or wallpaper), think twice before you install.

3. Download only from a trusted source. Stick to apps from well-known developers with good reviews.

4. Take advantage of additional security software. Use McAfee Mobile Security or if you have McAfee All-Access, your phone is already covered!

Stay safe out there!

By: Tracy Mooney

Thursday, November 24, 2011

What Is On Your PC/Laptop/Smartphone?

The other day I was watching a rerun of “Up in the Air,” in which the character of George Clooney makes a presentation titled, “What’s in your Backpack?” This simple question set me thinking and I started wondering, what was there in MY backpack, which happens to be my life and soul, the computer. I kept thinking about it whilst I switched on the PC.

“What is there in you that I value?” I asked the PC, as I opened My Documents. And there they were: family albums, my favourite songs, our resumes, the kids’ project work, my husband’s painstakingly prepared business reports, client data, scanned documents, bank details, and so on and so forth. Further investigation revealed that our smartphones, laptops and iPads also contained a lot of our important personal data, movies and music. I never realized how digitally documented our lives have slowly become!

With this realization came the obvious fear and WHAT IFs. What if the gadgets were misplaced, lost, or stolen? What if the data fell into unsavoury hands? I can approximately calculate the loss of the gadget but how do I put a price to what they hold in store? More importantly, how do I retrieve lost data?

The new McAfee “Digital Assets” survey reveals that “consumers place an average value of $37,438 on the “digital assets” they own across multiple digital devices, yet more than a third lack protection across all of those devices!”

Further, “60% of the over 3,000 global respondents own at least three digital devices per household, while 25% own at least five. (Digital devices are mainly desktop or laptop computers, tablets, and smartphones.) As many as 41% of those surveyed spend more than 20 hours per week using a digital device for personal use.”

The study pointed out:

–In 2010, malware cost consumers $2.3 billion and caused them to replace 1.3 million PCs
–32% of the consumers who don’t use security protection on all of their devices still don’t think they need it.
–31% cited cost as another reason why they are reluctant to purchase security protection for all of their gadgets
–86% agreed that purchasing security protection was money well spent

Most of us consciously try to safeguard our desktops and laptops by installing at least a basic antivirus. But we leave the protection of our smartphones, tablets, and Macs in God’s hands. Cybercriminals have started focusing on these devices now, as they are easier to hack.

The need of the hour is therefore a multi-device security strategy at a competitive price, something that McAfee understood.

McAfee All Access (www.mcafee.com/allaccess) is the first full security offering for Internet-connected devices. It secures all internet-enabled gadgets, from smartphones and tablets to PCs and netbooks. This means you need only one license to secure all your devices. Say goodbye to sleepless nights and lost data. Get All Access.

Stay safe online!

By: Anindita Mishra

Wednesday, November 23, 2011

Maximizing Telepresence’s Value for Federal Agencies

Wanting to treat himself, my friend recently upgraded to the ultimate cable service in his area. He now has thousands of channels from which to choose, access to any movie on demand, and is the proud owner of a remote control with more buttons than the control panel of the Death Star.

You may wonder: Has he expanded his viewing preferences since acquiring the new system? Hmm … no. For one, he’s afraid of his remote—it’s way too complex. He also often struggles to turn the system on.

Those who invest in telepresence need not suffer this technological befuddlement. Nor would they want to miss out on the technology’s benefits, especially after making such a large investment. Yet, as Cisco’s Tim Markey pointed out at our Federal TelePresence Users Forum, several telepresence customers have struggled to maximize the potential of their systems. They had trouble transforming their workplace cultures to communities that embrace video as the paramount means of communication.

Markey talked about some of the ways federal agencies can sidestep the obstacles some companies have faced and create thriving telepresence networks within their offices. His list touched on the following:

1) Train and support: Provide all potential agency users with the tools they need for success, such as comprehensive system knowledge and demonstrated familiarity with technological functions. Implement support systems and announce their availability to eliminate any user intimidation.
2) Reward early adopters: Encourage telepresence use throughout the agency by acknowledging and publicizing the positive results experienced by the first employees to successfully use the technology.
3) Create a telepresence-dependent environment: Reduce travel budgets. Implement HR policies requiring some telepresence use.
4) Monitor, measure, and report: Evaluate the technology’s performance and communicate successes and opportunities.
5) Stay flexible: Make changes when needed, and seek support from technology providers. Don’t let the system stop working for you when there might be an easy solution to the problem.

What do you think of this advice? How do you (or how would you) maximize the return on your telepresence investment?

By: Janet Lyons

Tuesday, November 22, 2011

The First Scam of Christmas, Criminals Gave To Me…Malicious Codes Ruining My Mobile Shopping Spree!

The National Retail Federation did a survey that found that more than half of consumers will be using their smartphones to shop this holiday season. I know I use mine all the time, from scanning items to find the best price and get reviews to using coupons on my phone. Having a smartphone helps me make the best shopping choices for my family. The stores are all trying to allow us to use our phones to make purchases and make the shopping experience easier and more fun.

As with any popular new topic or device – where the consumers go, the criminals are sure to follow. Unfortunately, my Droid is one of the most at risk with a 76% increase in malware targeting the Android platform in the 2nd quarter of 2011 according to McAfee.

How are criminals targeting smartphones? The most recent swindle involves QR codes. “Quick Response” codes are those digital barcodes that look like this.



You can find them in magazines and in store windows. When you scan them with your phone, a good code will direct you to a website, which tells you more about a product, pops up a video or directs you to enter a contest. Expect lots of them on Black Friday and Cyber Monday to point you to some great deals!

If you come across a code that is not from a legitimate source, such as a magazine, the code may download something that sends SMS texts to a premium service, and you will get a very unpleasant holiday surprise from your cell phone provider in the form of an expensive bill.

With this particular scam, it requires your permission to run the code. To avoid this scam, use a QR code scanner that previews the URL. I use QR Droid or Google Goggles for my scanning fun. These scanners show me the destination URL and don’t “autorun” or “auto load” anything on my phone without telling me what it is. If you have an iPhone, use Red Laser or Bar-Code for your holiday scanning pleasure. :D


For more specifics about QR codes and how this type of threat works see these posts by Arun Sabapathy and Jimmy Shah. You can also learn about the 12 Scams of Christmas here.

Stay safe out there!

Tracy

By: Tracy Mooney

Monday, November 21, 2011

DLP For SAP: Protecting ERP Data Across The Organization

Many global organizations operate in highly competitive markets, including countries known to aggressively target intellectual property. A significant amount of sensitive information, including intellectual property (IP) resides in enterprise resource planning (ERP) systems such as SAP and Oracle. Traditionally, the security around this information has been limited to the capabilities of the ERP system through access control, segregation of duties, and monitoring within the ERP system.

However, an authorized user can extract this information into many different formats. Once extracted, this information is constantly accessed and modified, so it becomes difficult to protect from data loss once it leaves the ERP system. How can you create policies for a DLP solution if you do not know what to look for?

It is also very challenging to identify what data in an ERP needs protection. A lot has to do with the complexity of ERP databases and the fact that sensitive data can typically be spread out across many tables in the database. Making it easy to focus protection on ERP data elements that are sensitive would be appealing to organizations.

Until recently, there were no effective solutions in the market to allow an organization to easily identify sensitive data in ERP systems and track this sensitive data once it has been extracted from the ERP. Worse, there was no easy way to prevent this potentially sensitive information from leaving the organization.

With a goal of reducing the risk of losing this valuable ERP data, organizations have been looking for ways to correlate what a user is doing inside of the ERP system with what that user is doing outside of the ERP system.

This is one of today’s more pressing DLP challenges – and it is being solved for a leading chemicals company with an innovative solution using McAfee Data Loss Prevention and Saviynt Access Manager. With this joint solution, an organization can identify sensitive information as it leaves the ERP system, dynamically create DLP policies to protect that information, and analyze user activities to detect high risk behaviors. Organizations will now be able to track ERP data seamlessly from the ERP to the various data loss points in the organization’s network.

We’ve got this solution working at a leading chemicals company. You can get more details about this implementation in our December 7 webcast.

By: Nikfar Khaleeli

Friday, November 18, 2011

Security 101: Attack Vectors, Part 1

In the first part of this series, we discussed the entry points that an intruder could use to attack our “building,” our metaphor for network security. In the next few posts, we shall focus on the next level: attack vectors.

If vulnerabilities are the entry points, then attack vectors are the ways attackers can launch their assaults or try to infiltrate the building.

In the broadest sense, the purpose of the attack vectors is to implant a piece of code that makes use of a vulnerability. This code is called the payload, and attack vectors vary in how a payload is implanted.

Although there’s no official classification for attack vectors, we often catalog them according to how much interaction with the victim is needed to make them work. For example, if the attack vector is a malicious file, then the victim needs to download and open it for the attack to work. On the other hand, a SQL-injection attack needs little or no interaction with its victims.

These criteria help to determine how massive an attack can be. An attack that requires little interaction will probably be less massive than one that requires a high level of interaction. In the first case, the attacker can target only a certain number of “buildings” at the same time, that number is usually small, and all the work is done by the attacker. In contrast, an attack that depends on a high level of interaction can target many buildings in parallel because the attacker leaves the malicious code somewhere, disguised as a file or a website, and its victims retrieve it on their own. So even though the attack requires a lot of work beforehand, at the moment of infection the work of the attack is done by the victims, not the attacker.

Most known attack vectors can be classified in one of three categories of interaction: low, medium, or high. Today we’ll focus on low-interaction vectors, leaving the rest for next time.

Low Interaction
These are vectors that require attackers to do much of the work ahead of time. Most of the effort is simply reconnaissance, figuring out the where and how of the attack. Victims need to do little for these attacks to be successful. Many of the vectors in this category require Internet applications. Here are three common vectors of this type:
  • SQL Injection: As the name implies, this vector works only on websites or applications that have direct contact with a database. Typically an attacker finds a legitimate website with some design flaws such that after a user inputs data, the information is not cleaned. (By cleaned we mean that all input is checked for special characters; if found they’re deleted with everything that follows them.) The lack of cleaning allows an attacker to send the database SQL commands that will be executed, because the website doesn’t check whether the input is valid. As a result, the attacker can execute any SQL code without having the necessary permissions.
  • Buffer Overflows (BO): When any application requires user data, it is usually stored in a memory buffer until it is needed. As with SQL injection, sometimes the application does not check that the input fits in the buffer. Enter too much data and it overflows the buffer. When this happens the data that falls outside the buffer is interpreted as memory addresses, and whatever is at those addresses is executed. An overflow could allow an attacker to at least crash the application, but if it is done correctly an overflow can execute any command the attacker wants, as long as the attacker knows at which memory address the command is stored.
  • Cross-Site Scripting (XSS): This is a special kind of injection, similar to SQL injection. XSS works only on websites that allow the execution of scripting code (such as JavaScript). In this case, when a website asks for user input, the attacker enters scripting code between the <script> and </script> tags. The site reads the input, recognizes it as scripting code, and executes it without restrictions. This can be a one-time attack or a persistent attack if the input is stored in some part of the website (such as a Facebook wall message, or a user’s profile page). This attack is mostly silent because the tags make the scripting code invisible to any visitors.
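To make the SQL injection and XSS bullets above concrete from the defender's side, here is an added example (not code from the original post or from McAfee) that puts the "uncleaned input" version of each next to its hardened form. It uses an in-memory SQLite table with constructed rows; the function names and the sample inputs are this example's own.

```python
"""Vulnerable vs. hardened handling of user input for two of the low-
interaction vectors above: SQL injection and cross-site scripting.
Constructed example with an in-memory SQLite database."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string concatenation: the 'uncleaned' input the
    post describes. A quote character in `name` changes the SQL itself."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter, so it is only ever
    compared as a value and never parsed as part of the SQL statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment_vulnerable(text: str) -> str:
    """Reflects user input into HTML unchanged; a <script> tag in `text`
    would be executed by the visitor's browser (the XSS case above)."""
    return "<p>" + text + "</p>"


def render_comment_escaped(text: str) -> str:
    """Hardened form: HTML-escape the input so '<', '>' and quotes become
    entities and the browser renders them as text instead of markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to contrast the two renderers: does the output
    still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    db = make_db()
    # A benign lookup behaves the same either way.
    print(lookup_vulnerable(db, "bob"))
    print(lookup_parameterized(db, "bob"))
    # Input containing a quote: concatenation lets it alter the WHERE clause
    # (every row comes back); the parameterized query simply matches nothing.
    crafted = "x' OR 'a'='a"
    print(len(lookup_vulnerable(db, crafted)))     # 3
    print(len(lookup_parameterized(db, crafted)))  # 0
    # Script tags in a comment field: reflected as-is vs. escaped.
    note = "<script>alert(1)</script>"
    print(render_comment_vulnerable(note))
    print(render_comment_escaped(note))
```

The point of the pairing is that neither hardened function "cleans" the input by deleting characters, as the post's definition suggests; parameter binding and output encoding keep the data intact and instead stop the database and the browser from treating it as code.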

These basic vectors have a lot of variations, depending on the platform, the application under attack, and other criteria. Basically all low-interaction vectors work in a similar manner.

Until next time!

By: Francisca Moreno

Thursday, November 17, 2011

Securing Mobile Data Communications

Wireless communication is inherently insecure. My consulting experience has confirmed that some organizations understand this fact when connecting to wireless networks with their laptops. However, their awareness falters when connecting their mobile devices to the same networks. According to an Echoworx study, 44% of the surveyed audience at London’s Infosecurity Europe 2011 conference transmitted sensitive information unencrypted to the Internet via their mobile devices.

OWASP cites spoofing attacks and surveillance as significant when using wireless communications with a mobile device. Wi-Fi, 3G, GSM, CDMA and Bluetooth are but a few of the transport protocols targeted to affect the confidentiality and integrity of the transmitted data. The controls discussed in this installment are designed to make successful exploits more difficult and to obfuscate the data to the point that successful exploits will result in no return for the attacker.

SSL vs. TLS

SSL and TLS provide an end-to-end secure communication channel, but they support different encryption algorithms. For example, SSL does not support 3DES or AES encryption; algorithms required by applications that handle sensitive data such as user credentials, as well as personal or business-critical information. Data classification and organizational requirements will influence which one is implemented on a device. All Federal information systems that transmit sensitive information, for example, require the use of TLS.

Encryption Algorithms

The selection of encryption algorithms to support a mobile device will be determined by data classification considerations and business requirements. Several vendors in the defense industry, for example, are developing FIPS 140-2 validated devices to support applications used by the DoD and NSA. Some private industry applications may require similar encryption levels, but most use cases can be accommodated with SSL or TLS.

OWASP recommends that strong encryption algorithms and key lengths be used to protect data in motion. It also recommends that only signed certificates be allowed and that they are associated with reputable certificate authorities. Signed certificates allow you to verify the source and validity of an encryption certificate, countering unsigned certificates often employed by attackers to gain access to information. Additionally, it is imperative that chain validation is implemented when chained SSL certificates are used. The encryption management system on the device should make it possible for the user to determine the validity of a certificate via the user interface.

Lastly, the device should employ mechanisms that mitigate the threat of man-in-the-middle attacks such as SSL strip. These attacks take advantage of SSL connections that do not verify the identity of the remote server. This allows an attacker to intercept communications, determine the encryption key and decrypt the data in transit. Countermeasures employ various techniques to verify the communicating devices and the integrity of the encryption information.
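The three recommendations above (verify the certificate and its chain against a reputable authority, prefer TLS, and refuse connections that skip server identity checks) map directly onto a client's TLS settings. The following is an added example, not McAfee's or OWASP's code, showing a hardened Python client context beside a deliberately weakened one, a small audit routine that flags the settings a man-in-the-middle would rely on, and a scheme guard for the SSL-strip case. The function names are this example's own; it relies only on the standard library and needs no network access.

```python
"""Client-side TLS configuration: hardened vs. weakened context, an audit of
the settings the post calls for, and a downgrade guard. Constructed example."""
import ssl
from urllib.parse import urlparse


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system trust store, validate
    the full chain and the hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The kind of context found in apps that 'make the certificate warning go
    away': no certificate or hostname verification at all. Built here only so
    the audit below has something to flag; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for settings that would let an
    interceptor with a self-signed or mismatched certificate succeed.
    An empty list means every check passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def is_acceptable_url(url: str) -> bool:
    """Downgrade guard for the SSL-strip case: the attack works by steering the
    client onto plain http://. Refuse to send data to anything but https://."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weakened:", audit_context(weakened_client_context()))
    for candidate in ("https://example.com/login", "http://example.com/login"):
        print(candidate, "->", "allowed" if is_acceptable_url(candidate) else "refused")
```

In a real client the audit would run once at startup against the context the app actually hands to its HTTP library, and the scheme check would be applied to every redirect target as well as the initial URL, since a redirect is exactly where a strip attack inserts the downgrade.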

The next installment of this series will explore user authentication/authorization and session management.  McAfee’s solutions to this problem space will be detailed and mapped to OWASP recommendations. Until then, be sure to follow us on @McAfeeBusiness for regular updates on McAfee happenings and news.

By: Steven Fox

Wednesday, November 16, 2011

McAfee Releases Top Five Tips to Avoid Bad Apps

While most apps on the market are legitimate, mobile devices have become a targeted platform for malware. It’s becoming more and more common for cybercriminals to corrupt a legitimate app with hidden malicious functionality. These illegitimate and compromised mobile apps are designed to steal information from smartphones, or to send out expensive text messages without a user’s consent. Dangerous apps are usually offered for free and masquerade as fun applications such as games, calendar and comedy apps. Another nasty trick is to pull a legitimate app off of one marketplace, insert malware into it and then re-publish it on other marketplaces or sites with a similar name.

Today, McAfee released some common-sense practices that anyone can take to help protect their smartphones and tablets from the growing threat of malware and the persistent threat of unsecured devices.

For the moment, the amount of detected smartphone malware is relatively low compared to malware that targets desktop or laptop PCs; but being aware that it exists is the first step toward protecting yourself and your data.

Research apps and their publishers thoroughly and check the ratings – better to install apps that are broadly used in the market or are recommended by your circle of friends and colleagues.

It is wise to purchase from a well-known, reputable app marketplace, such as Google’s Android Market or Apple’s App Store. One way for Android users to avoid installation of non-market applications is to de-select the “Unknown sources” option in the Applications Settings menu on their device. If the option is not listed, it means your mobile service provider has already done this for you.

When you install an app, you’ll see a list of permissions for services that are granted access to the hardware and software components on your device, like contacts, camera and location. If something in the permissions screen doesn’t look right, don’t install that app! For example, a game or alarm clock app probably doesn’t need to access your contacts or have the ability to transmit that data from your device.

Install antivirus software on your phone. It is a good idea to install an antivirus program when you get a new mobile device before you add any other apps.

One way to find out if your device has been infected by a bad app is to keep an eye on your wireless bill. Some rogue apps do things like make expensive calls to foreign numbers to fatten the bank account of various intermediary sites at your expense. Often the calls happen in the background or at times when you don’t realize your phone is doing something. Even if you haven’t been infected, you may have unwittingly subscribed to one of those annoying services that automatically bill you every month for things like ring tones, so check the bill every month; it only takes a few minutes.

McAfee can help users protect their mobile device and the mobile apps that reside on the device with McAfee Mobile Security and McAfee App Alert (beta). To learn more about these solutions, visit http://www.mcafee.com/mobilesecurity/.

By: John Dasher

Tuesday, November 15, 2011

Top 15 Cloud Security Best Practices

Cloud security is a huge, ever-evolving subject that is difficult to cover in a short space, especially with so many different cloud service types and architectures (SaaS, IaaS, PaaS, external, internal, and hybrid). However, there are a few cloud security practices that just about any organization should apply when working with the cloud.

1. Don’t think you can just hand a function over to a cloud provider and forget about it. Like any other IT component, cloud services must be managed and secured using policy, monitoring, and security tools and services.

2. Before contracting with a cloud service, make sure your internal security is up to date first. Don’t let your corporate network become the weakest link in the chain.

3. If you don’t use cloud services, your employees most likely do or will. IT should evaluate corporate applications, business processes, and data according to their value to the organization and the risk when deployed wholly or partially in the cloud, then create a cloud use policy that spells out what may be allowed in the cloud and what isn’t. For applications that can be deployed in the cloud, spell out the precautions and tools that must be employed to use the cloud securely.

4. Create a list of cloud services that IT has investigated and deemed acceptable in terms of security.

5. Start cloud use with low-risk, non-core functions until your organization gets a grip on the security landscape.

6. Make it clear that internal developers cannot test software in the cloud using live or sensitive corporate or customer information.

7. Investigate cloud provider contracts and SLAs carefully. Does the provider take responsibility for your data and provide security guarantees? Does the service offer visibility into security events and responses? Is it willing to provide monitoring tools or hooks into your corporate monitoring tools? Does it provide monthly reports on security events and responses? What happens to your data if you terminate the service?

8. Don’t accept the provider’s standard contracts and SLAs. Evaluate your own compliance and security needs carefully and employ tech- and compliance-savvy lawyers to negotiate service contracts and SLAs that fulfill those needs. Get guarantees on data location or use a hybrid model with data stored internally.

9. Examine the provider’s data protection strategies and multitenant architecture, if relevant.

10. Look for standard audits and certifications such as SAS 70 Type II or ISO 27001, then examine the audits carefully to understand potential security gaps. Look for ways to fill those gaps. If the provider uses third-party providers, examine their certifications and audits as well.

11. Make sure the provider allows your organization to audit its security periodically as well.

12. Look for software services that comply with SAML, OpenID or other federation standards that make it possible to extend your corporate identity management tools into the cloud. Consider employing two-factor authentication for very sensitive data.

13. Encrypt all data BEFORE it goes to the cloud, in transit and at rest. Make sure the provider has sufficient strategies for wiping released data from both memory and storage.

14. Negotiate specific procedures and roles for incident response. Make sure the provider includes you and considers you a partner.

15. In most cases users access the cloud through their client Web browsers. Make sure you employ strong client security tools and that your browsers are properly updated and protected from browser exploits.

The list is endless and the cloud is still an evolving learning experience, but this is a good start. With the right strategies your cloud deployment can be reasonably secure.

To find out what McAfee’s doing in the cloud space, visit our SaaS solution page, and be sure to follow @McAfeeBusiness on Twitter for future updates.
By: Leon Erlanger

Monday, November 14, 2011

Recipe For Spoiling Holiday Cheer: Top Holiday Viruses & Scams

Somehow, it is that time again. The holiday season is upon us and I have no idea where the year went! If you have been following my blog or anyone else on the McAfee team, you know what that means… the 12 Scams of Christmas!

This year we truly have some new threats out there so I decided that I would highlight each of the scams individually this year over the next few blogs. That way I can break each one down clearly. I want you all to know exactly what these scams look like so you can spot them a mile away!
The 2011 list of scams looks like this:

1. Mobile Malware – Malware targeted specifically at smart phones
2. Malicious Mobile Applications – Apps for your smartphone containing malware
3. Phony Facebook Promotions and Contests – “Get two free airline tickets!” but give up your personal info first!
4. Scareware and Fake Antivirus – A window pops up on your computer telling you that you have a virus, and you will if you click on it!
5. Holiday Screensavers – Free holiday-themed screensavers aren’t so jolly when they contain malicious code! Steer clear of “Fly with Santa in 3-D”!
6. Mac Malware – A new and growing threat
7. Holiday Phishing Scams – Phony notices from UPS, banking phishing scams and smishing (SMS phishing) are all tricks criminals use hoping that you are too busy to be careful
8. Online Coupon Scams – Get a coupon or a “free iPad” but give up your banking or credit card info first!
9. Mystery Shopper Scams – Get paid $50 per hour to shop, but give up that credit card number
10. Hotel “Wrong Transaction” Malware Emails – Email scam looks like it comes from a real hotel and they want to issue a “refund”… after you fill out this form.
11. “It” Gift Scams – Criminals try to cash in on whatever the hot gift of the year is
12. “I’m Away From Home” Scammers – Updating social networks with “I am out of town” could lead to break-ins at your home

I will be going into detail over the next three weeks about each of these scams. In the meanwhile follow these tips from McAfee to stay safe this holiday season.

1. Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
2. Be extra vigilant when reviewing and responding to emails.
3. Watch out for too-good-to-be-true offers on social networks (like free airline tickets). Never agree to reveal your personal information just to participate in a promotion.
4. Don’t accept requests on social networks from people you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.

From November 9 – 15, McAfee will be offering a complimentary PDF copy of a just-released book on www.facebook.com/mcafee called 99 Things You Wish You Knew Before®… Your Identity Was Stolen, authored by identity theft expert Robert Siciliano. After this time, the book will be available in print, ePub, and PDF and can be found on Amazon, Amazon Kindle, the Sony eBook Store and http://www.99-series.com/store.html from $5.99-$14.97.

Post your questions below and I will be sure to answer them over the next few posts. Stay safe out there!

By: Tracey Mooney

Friday, November 11, 2011

The Mobile Ecosystem In The US

It’s no surprise that smartphones and tablets are changing the way people interact not only online, but also in everyday life. New ways of shopping, reading books, watching TV, communicating with colleagues, family and friends, banking, and even managing one’s health are all made possible by these powerful mobile devices. Ubiquitous computing with 24/7 connectivity is here, and all in the palm of your hand. This interesting infographic provides a snapshot of mobile usage in the U.S. According to venture capital firm Kleiner, Perkins, Caufield and Byers, 60% of time spent on smartphones is considered to be an entirely new class of activity for mobile users and includes social networking, application usage, gaming and mapping. Who knew that interacting with an electronic device would be considered socializing? Yet the average U.S. mobile device user spends about 2.7 hours per day doing just that. Some researchers claim that, by 2015, half of online sales will take place from a mobile device. Check it out and let us know where you stand. Are you a power user?

Infographic provided courtesy of LEVEL Studios. For a larger view or to download, go to www.mcafee.com/mobilesecurity

By: Lianne Caetano

Thursday, November 10, 2011

Securing User Credentials On Mobile Devices

Your mobile device is an interface into systems that can store potentially sensitive information about you, your company or your employer. Given its ease of use and portability, one would expect to find unique, strong credentials guarding against unauthorized access to these resources. In practice, however, credentials tend to be reused – increasing the odds of account compromise. According to a University of Cambridge survey, more than 45% of the users surveyed chose to use the same password for multiple web sites.

OWASP cites credential harvesting as a major threat to web application users, including those with mobile interfaces. Spyware, malware and user-interface impersonation attacks are among the tools miscreants use to gather user names and passwords. According to a Trusteer study, nearly 50% of phishing victims revealed their credentials to one site within an hour of receiving the attacker’s email. Of the passwords gathered, over 75% were used on more than one web site.

The controls discussed in this article reduce the risk of credential harvesting via application reverse engineering and signal sniffing. However, they do nothing to enforce proper password composition, frequency of change, and distribution of use. OWASP recommends that unique, complex passwords be used for each resource being accessed with a mobile device.

Authorization Tokens
OWASP recommends the use of authorization tokens as an alternative to passwords. These tokens are associated with a user and eliminate the need for credentials to be transmitted when authenticating to a server. Encryption of these tokens is recommended both at rest and in transit, minimizing the risk of meaningful information retrieval if the tokens are intercepted.

Token implementation will vary depending on the requirements of the service or the mobile connectivity management solution. For example, a service could issue an authorization token after verifying the user’s credentials. The token and service could also be bound for a specific period of time, preventing a persistent connection from which session information may be sniffed.

Regardless of implementation strategy, OWASP recommends that the latest version of an authorization standard such as OAuth be used. Additionally, tokens should not remain active after a session is terminated, since such sessions may be targets for harvesting. All tokens should be set to expire after a delay appropriate to the classification of the service or application. For example, the expiration delay may be longer for Facebook than for a financial application.
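As an added illustration (not code from this post, from OWASP or from any McAfee product), the Python sketch below shows the token pattern just described: the server issues a signed token once the password has been checked, the token's lifetime depends on the classification of the service, and logout revokes it so it does not stay usable after the session ends. The HMAC-signed format, the classification names and the lifetimes are assumptions chosen for the example.

```python
"""Classification-aware authorization tokens (added example).

Assumptions: a server-side signing key, two hypothetical service classes
("social" and "financial") and an in-memory revocation store.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Token lifetime per service classification; constructed values for illustration.
TOKEN_TTL_SECONDS = {
    "social": 7 * 24 * 3600,   # a longer lifetime is tolerable for a social app
    "financial": 15 * 60,      # a banking app should expire tokens quickly
}

# Ids of tokens invalidated by logout (hypothetical store; a real service would
# keep this in a shared cache or database).
REVOKED_TOKEN_IDS = set()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    # Restore the padding stripped by _b64encode before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64encode(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(key: bytes, user: str, classification: str,
                now: Optional[float] = None) -> str:
    """Issue a token after the caller has already verified the user's credentials.

    The token carries the subject, a classification-dependent expiry and a random
    id that lets the server revoke it on logout. Because it is signed, the server
    can accept it later without the password ever being resent."""
    if classification not in TOKEN_TTL_SECONDS:
        raise ValueError(f"unknown classification: {classification}")
    issued = int(now if now is not None else time.time())
    claims = {
        "sub": user,
        "cls": classification,
        "iat": issued,
        "exp": issued + TOKEN_TTL_SECONDS[classification],
        "jti": secrets.token_hex(8),
    }
    body = _b64encode(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(key, body)}"


def revoke_token(token: str) -> None:
    """Called on logout: the session is over, so the token must stop working."""
    body = token.split(".", 1)[0]
    claims = json.loads(_b64decode(body))
    REVOKED_TOKEN_IDS.add(claims["jti"])


def verify_token(key: bytes, token: str,
                 now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") for a genuine, unexpired, unrevoked token,
    otherwise (None, reason). The signature is checked first, in constant time,
    so nothing inside an untrusted token is parsed before it is authenticated."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(key, body)):
        return None, "bad signature"
    try:
        claims = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None, "expired"
    if claims["jti"] in REVOKED_TOKEN_IDS:
        return None, "revoked"
    return claims, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000
    bank = issue_token(key, "alice", "financial", now=t0)
    print(verify_token(key, bank, now=t0)[1])             # ok
    print(verify_token(key, bank, now=t0 + 16 * 60)[1])   # expired
    revoke_token(bank)
    print(verify_token(key, bank, now=t0)[1])             # revoked
```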

Password Encryption
There are valid business use cases wherein authorization tokens are not ideal. In those cases, strong encryption such as AES should be used to ensure the confidentiality of user credentials. OWASP also recommends that long-term session IDs be encrypted if they are to be stored on a mobile device. Cryptographic hashes should also be used to detect unauthorized changes to user credentials.

Keep credentials and application binaries separate
From a purely developmental standpoint, it seems expedient to hard-code credentials into application binaries. However, few programmers are aware of how the password policy will affect their development requirements. This policy requires that passwords be changed regularly, requiring the recompilation of all applications with hard-coded credentials. Additionally, Change Management procedures would impact the speed at which the updated applications could be pushed to staff members.

OWASP recommends that encrypted credentials be passed to an application securely. This eliminates the need to redeploy applications whenever a password is changed. This practice also prevents attackers from extracting hard-coded credentials via reverse engineering.

Secure Element Chips
Some mobile devices implement tamper-proof smart cards that contain chips called Secure Elements to store credentials securely. These chips are accessible only by applications possessing specific cryptographic signatures. Google Wallet is an example of this solution, allowing a person to use their mobile device to make payments at specially configured Point of Service devices. OWASP expects this technology to be implemented increasingly due to the security services it offers.

The next installment of this series will explore controls designed to secure data in transit. The discussion will include the selection of SSL vs. TLS, the use of SSL proxy and SSL-strip solutions to mitigate man-in-the-middle attacks, and the use of forged certificates to gain access to data. Until then, be sure to follow us on @McAfeeBusiness for regular updates on McAfee happenings and news.

By: Steven Fox

Wednesday, November 9, 2011

12 Scams of the Holidays: Do Not Let Cybercriminals Steal Your Holiday Spirit

Tis the season to be wary, fa la la la la la la la la.

The holidays are just around the corner and as we prepare for the excitement and mayhem of holiday planning and shopping, we must not forget that we are not alone. Cybercriminals, too, are looking forward to the hubbub of holiday cheer, readying themselves to take advantage of various aspects of our lives: our desire to spend time with our families, our socially connected lifestyles, our penchant for owning mobile devices, and our collective good spirit.

Listed below are 12 of the most popular holiday cyber scams. Take a look, spread awareness amongst your family and friends, and keep everyone Internet-safe and happy.

Taking advantage of your family

Hotel “wrong transaction” malware emails
Many of us travel over the holidays to unwind, recharge and refresh ourselves. Whether we’re travelling to see friends and family or vacationing with loved ones, all we want to do is spend some time alone with the people we care about. One of the last things on our minds is to worry about scams, but cybercriminals have created a way to take advantage of our desire for some family time. It has come to McAfee’s attention that scammers have taken to sending out emails that appear to be from a hotel, notifying recipients of a “wrong transaction” that has been charged to their credit cards. Of course, this type of notice is alarming to anyone who receives it, and generally, their first instinct is to download the attached refund form to get their money back. And with a click of a button, victims download malware onto their machines, and there’s no telling what sorts of mischievous activities will follow.

Tip: Play it safe and remember to never open an email from an unfamiliar sender. When in doubt, always call the establishment from which the email seems to have been delivered.

Mystery shopper scams
The holidays would not be complete without holiday shopping for your loved ones, and we could all use a little extra cash to get the perfect gift for that special someone. Some of us pick up seasonal jobs to help finance the gift-giving season, and one of the most popular jobs is that of the mystery shopper, hired to go undercover at a store and report back about the customer service they received. Taking advantage of our generous and hardworking spirit, cybercriminals have taken to sending out text messages to “recruit” mystery shoppers, instructing them to call a number to inquire about the position. Once they call, criminals request their personal information, including credit card and bank account numbers.

Tip: Always remember that legitimate companies would never ask for this information or recruit employees with text messages.

Taking advantage of your connected lifestyle

“I’m away from home” scams
Are you connected to people you don’t know on social networks like Facebook? And do you openly broadcast your travel plans and whereabouts? You can probably see where this is going – there is an inherent risk with letting people know that you will be away from home. Burglars can be pretty tech savvy, and in this day and age, online searches can easily turn up anyone’s home address, and publicizing that your home will be vacant is almost akin to inviting someone to rob you.

Tip: Don’t connect with people you don’t know, and don’t publicize that your home will be empty and open for burglary.

Phony Facebook promotions and contests
It’s not uncommon for companies to advertise great deals and contests on Facebook, and generally, when we see promotions and prizes that look interesting, our first reaction is to sign up. After all, who doesn’t love getting free stuff and saving money? Cybercriminals know this, and will create phony promotions and contests to lure participants, request them to fill out multiple surveys with their personal information, and then pass on this information to spam and telemarketing companies.

Tip: If something sounds too good to be true, it probably is. There is no such thing as a free lunch, and your personal information is much more valuable than anything that any company could offer.

Scareware, or fake antivirus software
Scareware is fake antivirus software that tricks users into believing that their computer is at risk of infection, or is already infected, so they agree to download and pay for phony software. With an estimated one million victims worldwide falling for this scam every day, this is one of the most common and dangerous Internet threats.[1] In October 2010, McAfee reported that scareware represented 23 per cent of all dangerous Internet links.[2] Since many consumers typically receive new computers for the holidays, we expect an increase in scareware scams.

Tip: The safest way to go about purchasing security software is by going directly to the website of legitimate vendors or well-established retail outlets.

Malicious content and websites
We tend to spend more time online during the holiday season searching for gifts and other holiday ideas, and will often run into holiday-themed content like ringtones and e-cards that we may want to download. It’s important to remember that there’s a possibility that a good percentage of the content available on the Internet is malicious. In fact, McAfee has found that within the top 100 results of daily top search terms, nearly 50 per cent lead to malicious sites.[3]

Tip: Always use a safe search tool such as McAfee® SiteAdvisor® software, which tells you right in the search results page if a site is safe to click on.

Taking advantage of your mobile devices

Malicious mobile apps
According to a recent McAfee-commissioned global study to assess the attitudes of Internet users all over the world when it comes to such topics as Web security and data protection, 60 per cent of average home Internet users now own at least three digital devices, like PCs, Macs, smartphones and tablets, per household, with 25 per cent of users now owning at least five devices.[4] The growing popularity of mobile devices has proved irresistible to cybercriminals and they’re now increasingly targeting mobile users with malicious applications often disguised as fun downloads like games. These are designed to steal personal information from smartphones or send out expensive text messages.

Tip: Remember to only download apps from official app stores, such as iTunes and the Android Market. It’s also useful to read users’ reviews before downloading them.

Mac malware
The percentage of consumers who own Apple Mac and iOS devices is growing rapidly, and cybercriminals are taking advantage of this by designing a new wave of malware directed at these operating systems. While Apple machines and devices were once seen as insulated from Internet security threats, malware targeting the Mac platform has recently increased by 10 per cent a month,[5] and McAfee predicts that iPhones and iPads are next.

Tip: Always be sure to download Mac updates and install security software such as McAfee® Internet Security onto all iOS devices.

Taking advantage of the holiday spirit

Zombie infections
Computer zombies are just as scary as the walking-dead kind. They are infected computers that are being remotely controlled by a hacker without the owner’s knowledge, and they send out spam and try to infect other unsuspecting systems. Getting infected by a zombie is as easy as clicking on an attachment in a holiday-themed spam email.

Tip: Practice safe surfing and always use antivirus protection.

Holiday phishing scams
There are many seasonal traditions and activities that consumers engage in, including the sending of packages and greetings and participating in and donating to charities. Knowing this, cybercriminals tailor their emails and messages with holiday themes in the hopes of phishing recipients into revealing personal information. Phishing is the act of tricking consumers into revealing information or performing actions they wouldn’t normally do online.

A common holiday phishing scam is a phony notice from a local courier service stating that you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer.

Fake charity requests are another popular scam this time of the year. Be suspicious of any unsolicited emails and never respond with sensitive information. If you would like to donate to a charity, pick a well-established organization and contact them directly through their website.

Tip: Always be careful where you click and be sure to scope out the situation before providing your personal information.

Online coupon scams
Couponing has become wildly popular and there’s nothing better than a deal during the holidays. Scammers know that by offering irresistible online coupons, they can convince people to hand over some of their personal information. For example, they could require consumers to provide financial information such as their credit card number to redeem the coupon. And in some cases, scammers are circulating fake coupons that consumers cannot redeem.

Tip: Use reputable coupon sites and always remember that if an offer seems too good to be true, it probably is.

“It” gift scams
Every year there are hot holiday gifts, such as toys and gadgets, that sell out early in the season. Gift-givers sometimes become desperate to obtain the “it” gift and they search high and low for it online. When a gift is hot, scammers will advertise these gifts on rogue websites and social networks, even if they don’t have them. The result is that consumers end up paying for an item and giving away their credit card details, only to receive nothing in return. Once the scammers have their personal financial details, there is little recourse.

Tip: Be wary of those sellers you’ve never had purchasing experiences with, and only purchase items from reputable establishments.

By: Brenda Moretto

Tuesday, November 8, 2011

Security Can Help You Move To The Cloud

If you’re reading this, you probably know a good deal about cloud computing because it’s probably part of your business. Or, you’re reading this because you’ve heard about the cloud and about the business benefits you can recognize by moving to the cloud. Regardless of your background, if you’re like the majority of business leaders, IT specialists, consultants, and consumers, you likely have security concerns and questions around this technology.

At the McAfee FOCUS 11 Security Conference in October, I had the privilege to meet many IT experts and influencers who shared similar concerns. My message during the conference was that I believe we’re all in this together. It may take some time for the Cloud to garner a solid reputation, but until then, technology partners are becoming more experienced with cloud computing, and technology companies are developing solutions to make moving to the cloud easier.

Take, for example, the McAfee Cloud Security Platform, which offers comprehensive security capabilities from both Intel and McAfee. Our Cloud Security Platform is a new way of thinking about cloud security. It lets you build a secure bridge to the cloud while further developing your existing IT technologies and management processes. The platform includes modules that address security concerns around identity and authentication management, and it helps mitigate the concerns many organizations have about securing the proliferation of web-based applications that are finding their way across the cloud and into the business organization.

Sometimes, confidence just comes from knowledge. So, I encourage you to keep an open mind about moving to the cloud and use McAfee as a resource to learn more about cloud security. We continue to listen to our clients and industry professionals and work to improve cloud security. In fact, today, we announced the latest evolution of our Cloud Security Platform. I’m excited to find out what you think about it.

By: Marc Olesen

Monday, November 7, 2011

Human Security Weaker Than IT Security

Information technologies have evolved to a level at which the developers, programmers, and security specialists all know what they’re doing, and are able to produce products and services that work and are reasonably secure. Of course, there’s always room for improvement.

Despite the amount of criminal hacking that goes on, users who effectively implement the appropriate measures and refrain from risky behaviors enjoy relative security.

The Wall Street Journal reported on a study by Dartmouth’s Tuck School of Business, quoting professor Eric Johnson:

“Criminal hackers are increasingly turning to digital versions of old-fashioned con games, literally gaining the confidence of employees through innocuous-seeming phone calls purporting to be from fellow workers, or even through regular mail, in order to entice them into downloading malicious code or revealing a password. The threat of data leakage is thus highest where a human is put in a position to decide whether to click on a link or divulge important information. The [phishing] techniques have become more hybrid.”

If you are reading this, chances are you do a pretty good job with information security to prevent identity theft, at least on the consumer level. But you also need to start thinking about avoiding Jedi mind tricks. Within the security world, these cons are known as “social engineering.”

Whether you receive a phone call, an email, or a visitor at your home or office, always question those who present themselves in positions of authority.

You should never automatically place your trust in a stranger.

Within your own home or business, set clear guidelines regarding what information should or should not be shared.

Keep in mind that when you lock a door it can be unlocked, either with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face-to-face, with a cynical eye for a potential agenda.

In the end, if a bad guy has pulled the wool over your eyes, they will often want to infect your Mac or PC. Keep your computers’ operating systems up to date with critical security patches and install a total protection product.

Robert Siciliano is an Online Security and Safety Evangelist to McAfee and Identity Theft Expert.

By: Robert Siciliano

Friday, November 4, 2011

Share Pics Safely Online

For all of us, the true satisfaction from any event is derived when we share the anecdotes and pictures with friends and families. Whether it be a foreign trip, a wedding, a family get-together or a friends’ reunion, we post these pics on our social networking sites like Facebook or Google+ so that others can see and comment on them. This definitely adds to our happiness quotient. Up to this point, online photo sharing has been great and keeps ties intact.

But issues arise when all and sundry get to view the pictures. You may not want mere acquaintances to see your cosy family pics or your boss to see your embarrassing college pics or your school friends to see your silly baby pics. This you can prevent by customising your settings to allow only select people to view photos. But what you can’t do is to prevent people from downloading your pics and storing them for future use in any way they see fit.

I don’t want to create panic but there are threats attached to the very common practice of sharing pics online. Here are some of them:

- Some people love to download pics of strangers and/or friends to use later for some unsavoury purpose, like creating false IDs
- Jilted lovers and ex-friends sometimes morph photos to avenge their hurt
- Some unscrupulous firms use photos for product promotion without permission
- Cyber bullies and other aggressive friends might use embarrassing pics to ridicule a child in public

And then I discovered Picasa, a simple tool that allows you to store and share photos with only those you want. So you can share the link to your family vacation album with only a chosen few you can trust. That way, you can be sure your kids are safe online. Of course, the caveat is that you need to have a Google account.

You can find out how to download and use Picasa here.

There are many other photo-sharing sites, like Snapfish, Kodak Easy Share and AOL, that allow you to share photos safely. However, it is recommended that you read the terms and conditions and safety features before opting for the one you prefer. I also chanced upon a site that shares information on how to digitally watermark your pics to protect your copyright over them.

There are also some rules that parents must adhere to if they want their kids to be safe on Facebook. For example, if kids are prohibited from posting their pics online, parents should also not post them on their personal sites. Further, it is recommended that you do not post any snap of your children taken at a swimming pool or seaside. You should also refrain from publicly posting your own pics that flout social norms, like smoking and drinking in a gang or riding bikes without helmets, or breach civil laws, like posing in places where it is forbidden to click pictures.

Such simple precautions can make your photo-sharing experience a safe and joyous one. If you know of any other safe ways of sharing pics, do share it with me.

Till then stay safe online everyone!

By: Anindita Mishra

Thursday, November 3, 2011

Cyber Security: A New and Growing Threat for Supply Chains

Before Sept. 11, 2001, most supply chain professionals focused their security measures on preventing the theft of valuable goods in their manufacturing and transportation operations. After 9/11, greater emphasis was placed on preventing weapons of mass destruction – or disruption – from being placed in cargo containers or other conveyances headed to the United States.

Today, there’s an even more potentially destructive threat to the supply chain community that’s often overlooked. The volume and sophistication of cyber threats from totalitarian governments or nefarious individuals are increasing exponentially. This 21st-century threat jeopardizes not only our information infrastructure, including in the supply chain community, but also all levels of high-tech software and hardware products that connect with local or enterprise-wide networks, either hardwired or wirelessly.

Concerns continue to rise about the “injection of viruses” into high-tech hardware products during their journey from manufacturing sources to customer delivery, especially to government agencies. More than natural disasters, financial instability or political upheavals, what keeps me up at night is the fear that bad guys are injecting bad stuff into products that can disrupt, bring down or steal confidential information from networks.

For example, McAfee reviews about 100,000 potential malware samples per day, identifies over 55,000 new, unique pieces of malware per day and identifies about 2,000,000 new malicious web sites per month. In the past two years, persistent and highly organized cyber attacks such as STUXNET, AURORA, WIKILEAKS, ShadyRAT and NIGHT DRAGON point out how cleverly the bad guys can worm their way into the world’s most protected networks and either sabotage them, steal intellectual property or compromise government trade or military secrets.

Given these examples, how safe are our networked products – from software to computers and servers — and how can we protect their security from component sourcing to the factory to assembly and delivery to the customer?

First, supply chain professionals charged with manufacturing and delivery processes should look beyond traditional threats such as tsunamis, demand volatility or financial degradation and take extra precautions to ensure that technology products in particular are safeguarded from viral attacks.
At McAfee, the largest dedicated information security company, a number of strict measures have been put into place to protect and prevent the infection of products, especially hardware-assisted security systems such as firewalls, mail and web security network appliances, risk and compliance, cloud-based networks  and intrusion detection and prevention.

For example, all of McAfee’s suppliers must have an information security policy in place for data loss prevention and system control that provides complete protection against both network and host data leakage. Today, the adulteration of data or the loss of Intellectual Property should be central to every company’s core risk program, and that includes the supply chain community.

Compromising a company’s IP can jeopardize an entity’s competitive advantage, cut into market share and even endanger our customers’ reputations, not to mention the vulnerabilities to top secret government information.  The sharing of data from McAfee to our suppliers is important for new product development, continuous improvement of our product, elimination of customer issues and the ongoing growth of product lines.

In addition to strict qualifying standards for its suppliers, we have architected a global supply chain operation where component parts are secured via distribution partners from multiple locations and then assembled, converted into finished products and shipped by trusted sources chosen by customer preference.  Any of our products can be made or assembled from any of our strategic locations in Europe, North America or Asia and also shipped to any other locations, almost at a moment’s notice.

The final assembly and hardware conversion, whether it’s software, adaptor cards or some type of interface card, and final shipment can be done very quickly – we aim for 20 minutes from the time an un-forecasted order comes in (aim for 30-day lead time on predictable orders).  With this type of Sense and Respond network, we’re able to obfuscate the trail of the quickly assembled final product so that it’s nearly impossible to know beforehand where it’s headed, whether it’s an energy grid, nuclear power plant or government agency.

Further, it’s critical to keep as low an inventory and backlog as possible – as the saying goes, “Inventory at rest is inventory at risk”.  This not only makes good security sense, but also good business sense.

By having a geographically dispersed supply chain and trusted partners that can operate as a single unit, professionals can satisfy the unique requirements of customers in various regions. For example, “Assembled in the USA” verification helps meet stringent U.S. government (and some European government) requirements, but similar in-nation rules and incentives are imposed in other parts of the world, which underscores the need for highly flexible supply chains.

These different security requirements can be met with what Dr. Hau Lee at Stanford University calls “multi-polar, differentiated supply chains.”  In other words, complete regionalized supply chains working either independently or as a unified operation can meet localized and globalized customer demands while also creating an operation that protects products from being sabotaged with the latest cyber virus somewhere along the way.

By: Dennis Omanoff

Wednesday, November 2, 2011

Survey: The Best Practices In Data Protection

Sponsored by McAfee, the Best Practices in Data Protection survey is our latest effort to find out what separates the best organizations from the rest. We believe this study is important because it provides insights on how organizations can be more successful when investing in and building a data protection program. The study’s findings reveal that the following are the five key success factors in a data protection program:

• A formal data protection strategy for the organization and metrics to determine if the strategy is effective.
• Key metrics from a management console and observation and regular testing of data protection solutions.
• Data protection technology features that focus on privileged users, restriction of access and outbound communications are considered critical.
• Centralized management of the data protection program with such features as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
• Automated policies for detection and prevention of end-user misuse of information assets.

I hope you will join me in a webinar on Wednesday, November 2 at 11am PT to learn what your peers are doing to build a successful data protection program. Also, you can get both the Executive Summary and full research report from the McAfee website.

By: Larry Ponemon

Tuesday, November 1, 2011

Kernel Vulnerabilities and Zero Days: a Duqu Update

We discussed much of the unfolding Duqu attack in our previous post. New information has recently filled in some of the missing pieces of this interesting attack.

Researchers at CrySys Labs in Hungary have disclosed information about a Word document that is purported to be the installer file for the Duqu attacks. The document loads a kernel driver after exploiting what may be a new zero-day vulnerability; the driver then loads a DLL into Services.exe to start the Duqu installation. This driver appears to have been compiled on Thu Feb 21 06:14:47 2008, according to the time stamp in its PE header. The driver is not signed, since it is loaded via the zero-day exploit, which results in kernel memory access and so bypasses driver signature checks.
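Both header observations above (the COFF time stamp and the absence of a signature) can be read straight from the PE header. The following is an added example, not McAfee's or CrySys's tooling; the image it parses is a constructed minimal PE32 header carrying the quoted time stamp, not the real driver.

```python
"""Read the COFF TimeDateStamp and check for an Authenticode signature directory in a
PE image. Added example (not McAfee's or CrySys's tooling); sample headers are constructed."""
import struct
from datetime import datetime, timezone

DOS_E_LFANEW = 0x3C        # offset of the PE header pointer in the DOS stub
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_info(data: bytes) -> dict:
    """Return machine type, build time (UTC, asctime style) and signature-directory presence."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, _nsec, ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    signed = False
    if ndirs > SECURITY_DIR_INDEX and dirs_off + 8 * (SECURITY_DIR_INDEX + 1) <= opt + opt_size:
        _rva, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
        signed = size != 0        # entry present only; validating the chain is a separate step
    # The stamp is attacker-controlled: treat it as a clue, never as proof of build date.
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return {"machine": machine, "compiled": compiled, "signed": signed}

def build_sample(ts: int, signed_size: int = 0) -> bytes:
    """Constructed minimal PE32 header: DOS stub, PE signature, COFF and optional header."""
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000 if signed_size else 0, signed_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Timestamp quoted in the post for the Duqu driver; the image itself is constructed.
DUQU_DRIVER_TS = int(datetime(2008, 2, 21, 6, 14, 47, tzinfo=timezone.utc).timestamp())
SAMPLE_UNSIGNED = build_sample(DUQU_DRIVER_TS)
SAMPLE_SIGNED = build_sample(DUQU_DRIVER_TS, signed_size=0x800)
```

Run `pe_info(SAMPLE_UNSIGNED)` to see the quoted date and `signed: False`; on a real file, pass the raw bytes and follow a non-zero security entry with proper Authenticode chain validation before trusting it.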

We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. The 2008 timeframe for the driver code in question gives us yet another clue, besides the zero-day exploit, that this code likely shares a common code base with Stuxnet, which reused old driver code in several cases while creating new exploits.

Detection has been added for this new malware to our existing Duqu coverage: PWS-Duqu, PWS-Duqu!rootkit, and PWS-Duqu!dat.

More to come as this tale unfolds!

By: Peter Szor and Guilherme Venere