Stay Connected and Protected During Work, School, and Play

By Pravat Lall

Stay Connected and Protected During Work, School, and Play

These days, work and home mean practically the same thing. Our house is now an office space or a classroom, so that means a lot of our day-to-day happens online. We check emails, attend virtual meetings, help our children distance learn, use social media platforms to check in on our friends and family – our entire lives are digital! This increase in connectivity could mean more exposure to threats – but it doesn’t have to. That’s why this National Cybersecurity Awareness Month (NCSAM) you should learn what it means to be cyber smart.

In our third blog for this NCSAM this year, we examine what that entails. Let’s dive in.

Stay Secure While Working Remote

According to Stanford research, almost twice as many employees work from home than at the office in the U.S. in response to the COVID-19 pandemic. And this new work-from-home economy is probably only going to expand in the future. Your pets and children will continue to make surprise guest appearances on work calls, or you may continue your new job hunt from the kitchen table. But as you work on juggling your work life and personal life at home base, this doesn’t mean that you should have to juggle security threats too.

The new WFH landscape has also brought about increased risk from . Unlike corporate offices – which usually have IT staff responsible for making any necessary network security updates and patches – users’ home network security is in their own hands. This means users must ensure that their Wi-Fi connections are private and locked with a complex password or employ the help of a VPN to prevent hackers from infiltrating your work.

Be Cybersmart While Distance Learning

Work isn’t the only element of consumers’ lives that’s recently changed – school is also being conducted out of many students’ homes as they adapt to distance learning. As a result, parents are now both professionals and teachers, coaching students through new online learning obstacles. But as more students continue their curriculum from home and online activity increases, so does the possibility of exposure to inappropriate content or other threats.

For instance, the transition to distance learning has led to an increase in online students to lose valuable time meant to be spent on their education.

To help ensure that learning from home goes as smoothly as possible, parents must stay updated on the threats that could be lurking around the corner of their children’s online classrooms. Take the time to secure all the devices that power your kids’ learning with a comprehensive security solution.

Enhance Your Streaming Security

Of course, everyone needs to find a balance between work, school, and play! These days, that means scavenging the internet for new content to help keep entertained at home. In fact, according to Nielson, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. However, causing users to turn to other less secure alternatives such as illegal downloads and links to “free” content riddled with malware. This could open consumers up to a whole host of threats.

Users looking to stream the latest TV show or movie should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

If You Connect It, Protect It

We all need to be cybersmart and aware of the threats that come with our lifestyle changes. By following these pointers, you can block threats from impacting your new day-to-day and ensure security is one less thing to worry about. When looking ahead to the future, incorporate the aforementioned pointers into your digital life so that you are prepared to take on whatever the evolving security landscape brings – now that’s being cybersmart!

Stay Updated

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, look out for our other National Cybersecurity Awareness Month blogs, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and 'Like' us on Facebook.


#BeCyberSmart: Equipping Kids to Stay Safe on New Video Apps

By Toni Birdsong
protecting kids online

These days, spending time with friends face-to-face still isn’t always an option for teens. So, finding a fun, new app can be a little like discovering your own private beach where you can chill out, connect with friends, and be thoroughly entertained. Keeping them safe on that digital beach? That’s where parents can make a difference.

With all the popular, increasingly sophisticated video apps available, it’s easy to understand why safety ends up being the last thing on our kids’ minds. I get it. My daughter and I recently sat for hours watching Tik Tok videos and laughing until we cried.

However, October is National Cybersecurity Month and the perfect time to hit pause and talk about how to stay safe on all the apps vying for our attention.

Popular Apps to Monitor

Triller. The Triller app is a video-based platform, much like Tik Tok, that has been around since 2015. Triller has a variety of filters, and music kids can use with the videos they create.

What to monitor: Triller’s content may not always be appropriate, and because viewers can leave comments on videos, there’s a risk of cyberbullying. Also, Triller has some privacy loopholes such as data collection, location tracking, and a public account default — all of which can be modified in Settings.

HouseParty is a group video chat platform nicknamed the “Quarantine App” since its popularity increased by an additional 10 million users during the COVID lockdown. Houseparty allows users to invite friends and “friends of friends” into group video-chat sessions — much like a party. The app displays up to eight live streams on the screen at a time, creating an instant sense of community.

What to monitor. Because the app allows “friends of friends” to livestream in a group, that unknown element opens the door to a number of safety issues. Encourage kids to deny join requests from unknown people. While some users leave rooms unlocked while live streaming their party, encourage your child to use the padlock function to limit conversations to people who know each other.

Yubo. The Yubo app (formerly Yellow) is also called the “Tinder for Teens.” Kids can connect and live stream with people they know — and easily connect with people they don’t. If two users swipe right, Yubo will match them, and they can share Snapchat or Instagram names. Another app very similar to Yubo is the Hoop app.

What to monitor. Content on Yubo can be explicit and cyberbullying can arise more often since fake accounts are common. Yubo’s swipe format promotes a appearance driven match standard may not be healthy for some teens.

Byte. Another app similar to Tik Tok, Byte, features short-form videos. Byte, created by the Founders of the now defunct Vine app, lacks the filters and music of other video apps, but that’s okay; the simplicity is a plus for Byte fans.

What to monitor: Be aware of inappropriate content, cyberbullying in comments, and unknown “friends” who may be part of your child’s Byte community. Online predators have been known to reach out to kids on this app. While unwanted followers can be blocked, surprisingly, Byte doesn’t give you the ability to make your account private.

App Safety Basics

Practice personal responsibility. The theme for Cybersecurity Month 2020 is Do Your Part #BeCyberSmart. With this in mind, discuss the responsibility that comes with owning technology, be it a smartphone, a game system, a smartwatch, or any other connected device. The goal, says The National Cyber Security Alliance,

“If you connect it, protect it.”

Privacy settings. To protect privacy and keep unknown people from connecting with minors, maximize privacy Settings on each new app.

Increase safeguards. Apps can be addictive and siphon family time, study time, and sleep. A comprehensive security solution can help parents limit device time, monitor activity, and block risky content and apps.

Share wisely. Even a 15-second video shared with “close friends only” can end up in the public stream. Advise your child to only share videos or photos they’d feel good sharing with the world.

Protect personal information. Remind your child not to share private details about themselves or their family members with anyone online. This includes emails, full names, phone numbers, pet names, school names, or location.

Block and report. Talk with your child about what you consider appropriate versus inappropriate content, how to block strangers, and how to report cyberbullying and scams.

Finally, keep talking with your kids — about everything. Ultimately, it will be your consistency in having honest, ongoing dialogue with your child that will be your most valuable tool in keeping them safe online.


ST24: Proaktive Absicherung zur Minimierung von Endgeräterisiken (German)

By McAfee

Vor dem Hintergrund des IT-Fachkräftemangels gestaltet es sich für Unternehmen immer schwieriger, mit der wachsenden Zahl sowie Raffinesse von Cyber-Angriffen Schritt zu halten und drängt Sicherheitsteams dazu, oft nur noch reaktiv agieren zu können. Wie Sie mithilfe einer umfassenden Bedrohungsdatenbank sowie proaktiver Reaktionsmaßnahmen Ihre Endgerätesicherheit verbessern und Reaktionszeiten von Monaten auf Stunden verkürzen können, diskutieren wir in diesem Podcast. Hierfür zusammengekommen sind Heiko Brückle, McAfee Senior Security Engineer, sowie Chris Trynoga, McAfee Regional Solution Architect.



Election 2020 – Keep Misinformation from Undermining the Vote

By Judith Bitterli
Protect Your Vote

Election 2020 – Keep Misinformation from Undermining the Vote

On September 22nd, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the potential threat from foreign actors and cybercriminals attempting to spread false information. Their joint public service announcement makes a direct statement regarding how this could affect our election:

“Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.”

Their call to action is clear—critically evaluate the content you consume and to seek out reliable and verified information from trusted sources, such as state and local election officials. Not just leading up to Election Day, but during and after as well.

Here’s why: it’s estimated that roughly 75% of American voters will be eligible to vote by mail, potentially leading to some 80 million mail-in ballots being cast. That’s twice the number from the 2016 presidential election, which could prolong the normal certification process. Election results will likely take days, even weeks, to ensure every legally cast ballot is counted accurately so that the election results can ultimately get certified.

That extended stretch of time is where the concerns come in. Per the FBI and CISA:

“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”

In short, bad actors may attempt to undermine people’s confidence in our election as the results come in.

Our moment to act as smart consumers, and sharers, of online news has never been more immediate.

Misinformation flies quicker, and farther, than the truth

Before we look at how we can combat the spread of false information this election, let’s see how it cascades across the internet.

It’s been found that false political news traveled deeper and more broadly, reached more people, and was more viral than any other category of false information, according to a Massachusetts Institute of Technology study on the spread of true and false news online, which was published by Science in 2018.

Why’s that so? In a word: people. According to the research findings,

“We found that false news was more novel than true news, which suggests that people were more likely to share novel information … Contrary to conventional wisdom, robots accelerated the spread of true and false news at the same rate, implying that false news spreads more than the truth because humans, not robots, are more likely to spread it.”

Thus, bad actors pick their topics, pumps false information about them into social media channels, and then lets people spread it by way of shares, retweets, and the like—thanks to “novel” and click-baity headlines for content people may not even read or watch, let alone fact check.

Done on a large scale, false information thus can hit millions of feeds, which is what the FBI and CISA is warning us about.

Five ways you can combat the spread of false information this election

The FBI and CISA recommend the following:

  1. Seek out information from trustworthy sources, such as state and local election officials; verify who produced the content; and consider their intent.
  2. Verify through multiple reliable sources any reports about problems in voting or election results and consider searching for other reliable sources before sharing such information via social media or other avenues.
  3. For information about final election results, rely on state and local government election officials.
  4. Report potential election crimes—such as disinformation about the manner, time, or place of voting—to the FBI.
  5. If appropriate, make use of in-platform tools offered by social media companies for reporting suspicious posts that appear to be spreading false or inconsistent information about election-related problems or results.

Stick to trustworthy sources

If there’s a common theme across our election blogs so far, it’s trustworthiness.

Knowing which sources are deserving of our trust and being able to spot the ones that are not takes effort—such as fact-checking from reputable sources like, the Associated Press, and Reuters or researching the publisher of the content in question to review their credentials. Yet that effort it worthwhile, even necessary today. The resources listed in my recent blogs can help:

Stay Updated 

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and 'Like' us on Facebook.


Spot Fake News and Misinformation in Your Social Media Feed

By Judith Bitterli
fake news

Spot Fake News and Misinformation in Your Social Media Feed

Where do you get your news? There’s a good chance much of it comes from social media.

In 2019, Pew Research found that 55% of American adults said they get their news from social media either “often” or “sometimes,” which is an 8% rise over the previous year. We can visualize what that mix might look like. Some of their news on social media may come from information sources they’ve subscribed to and yet more news may appear via articles reposted or retweeted by friends.

So, as we scroll through our feeds and quickly find ourselves awash in a cascade of news and comments on the news, we also find ourselves wondering: what’s true and false here?

And that’s the right question to ask. With the advent of the internet, anyone can become a publisher. That’s one of the internet’s greatest strengths—we can all have a voice. Publishing is no longer limited to newspaper, TV, and radio ownership bodies. Yet it’s one of the internet’s greatest challenges as well—with millions of publishers out there, not everyone is posting the truth. And sometimes, people aren’t doing the posting at all.

For example, last May, researchers at Carnegie Melon University studied more than 200 million tweets about the current virus. Of the top 50 most influential retweeters, 82% of them were bots. Some 62% of the top 1,000 retweeters were bots as well. What were they retweeting? Researchers said the tweets revolved around more than 100 types of inaccurate stories that included unfounded conspiracy theories and phony cures. Researchers cited two reasons for this surge: “First, more individuals have time on their hands to create do-it-yourself bots. But the number of sophisticated groups that hire firms to run bot accounts also has increased.”

With the sheer volume of news and information we wade through each day, you can be assured that degrees of false and misleading information make their way into people’s social media mix. And that calls for all of us to build up our media literacy—which is our ability to critically analyze the media we consume for bias and accuracy.

What follows are a few basics of media literacy that can help you to discern what’s fact and what’s fiction as you scroll through your social media feed for news.

The difference between misinformation and disinformation

When talking about spotting truth from falsehood on social media, it helps to first define two types of falsehood: unintentional and the deliberate.

First off, there’s unintentional misinformation. We’re only human, and sometimes that means we get things wrong. We forget details, recall things incorrectly, or we pass along unverified accounts that we mistakenly take for fact. Thus, misinformation is wrong information that you don’t know is wrong. An innocent everyday example of this is when someone on your neighborhood Facebook group posts that the drug store closes at 8pm on weeknights when in fact it really closes at 7pm. They believe it closes at 8pm, but they’re simply mistaken.

That differs entirely from deliberate disinformation. This is intentionally misleading information or facts that have been manipulated to create a false narrative—typically with an ulterior motive in mind. The readiest example of this is propaganda, yet other examples also extend to deliberate untruths engineered to discredit a person, group, or institution. In other words, disinformation can take forms both large and small. It can apply to a person just as easily as it can to a major news story.

Now, let’s take a look at some habits and tactics designed to help you get a better grasp on the truth in your social media feed.

Consider the source

Some of the oldest advice is the best advice, and that holds true here: consider the source. Take time to examine the information you come across. Look at its source. Does that source have a track record of honesty and dealing plainly with the facts? Likewise, that source has sources too. Consider them in the same way as well.

Now, what’s the best way to go about that? For one, social media platforms are starting to embed information about publications into posts where their content is shared. For example, if a friend shares an article from The Economist, Facebook now includes a small link in the form of an “i” in a circle. Clicking on this presents information about the publication, which can give you a quick overview of its ownership, when it was founded, and so forth.

Another fact-finding trick comes by way of Michael Caufield, the Director of Blended and Networked Learning at Washington State University. He calls it: “Just Add Wikipedia.” It entails doing a search for a Wikipedia page by using the URL of an information source. For example, if you saw an article published on, you’d simply search “Wikipedia” The Wikipedia entry will give you an overview of the information source, its track record, its ownership, and if it has fired reporters or staff for false reporting. Of course, be aware that Wikipedia entries are written by public editors and contributors. These articles will only be as accurate as the source material that they are drawn from, so be sure to reference the footnotes that are cited in the entry. Reading those will let you know if the entry is informed by facts from reputable sources as well. They may open up other avenues of fact-finding as well!

Expand your media diet

A single information source or story won’t provide a complete picture. It may only cover a topic from a certain angle or narrow focus. Likewise, information sources are helmed by editors and stories are written by people—all of which have their biases, whether overt or subtle. It’s for this reason that expanding your media diet to include a broader range information sources is so important.

So, see what other information sources have to say on the same topic. Consuming news across a spectrum will expose you to thoughts and coverage you might not otherwise get if you keep your consumption to a handful of sources. The result is that you’re more broadly informed and have the ability to compare and contrast different sources and points of view. Using the tips above, you can find other reputable sources to round out your media diet.

Additionally, for a list of reputable information sources, along with the reasons why they’re reputable, check out “10 Journalism Brands Where You Find Real Facts Rather Than Alternative Facts” published by Forbes and authored by an associate professor at The King’s College in New York City. It certainly isn’t the end all, be all of lists, yet it should provide you with a good starting point.

Let your emotions be your guide

Has a news story you’ve read or watched ever made you shake your fist at the screen or want to clap and cheer? How about something that made you fearful or simply laugh? Bits of content that evoke strong emotional responses tend to spread quickly, whether they’re articles, a post, or even a tweet. That’s a ready sign that a quick fact check could be in order.

There’s a good reason for that. Bad actors who wish to foment unrest, unease, or simply spread disinformation use emotionally driven content to plant a seed. Whether or not their original story gets picked up and viewed firsthand doesn’t matter to these bad actors. Their aim is to actually get some manner of disinformation out into the ecosystem. They rely on others who will re-post, re-tweet, or otherwise pass it along on their behalf—to the point where the original source of the information is completely lost. This is one instance where people readily begin to accept certain information as fact, even if it’s not factual at all.

Certainly, some legitimate articles will generate a response as well, yet it’s a good habit to do a quick fact check and confirm what you’ve read. This leads us right back to our earlier points about considering the source and cross-checking against other sources of information as well.

Keep an eye out for “sponsored content”

You’ve probably seen headlines similar to this before: THIS FAT-BURNING TRICK HAS DOCTORS BAFFLED! You’ll usually spot them in big blocks laden with catchy photos and illustrations, almost to the point that they look like they’re links to other news stories. They’re not. They’re ads, which often strike a sensationalistic tone.

The next time you spot one of these, look around the area of the web page where they’re placed. You should find a little graphic or snippet of text that says “Advertisement,” “Paid Sponsor,” or something similar. And there you go. You spotted some sponsored content. These so-called articles aren’t intentionally developed to misinform you. They are likely trying to bait you into buying something.

However, in some less reputable corners of the web ads like these can take you to malicious sites that install malware or expose you to other threats. Always surf with web browser protection. Good browser protection will either identify such links as malicious right away or prevent your browser from proceeding to the malicious site if you click on such a link.

Be helpful, not right

So, let’s say you’ve been following these practices of media literacy for a while. What do you do when you see a friend posting what appears to be misinformation on their social media account? If you’re inclined to step in and comment, try to be helpful, not right.

We can only imagine how many spoiled relationships and “unfriendings” have occurred thanks to moments where one person comments on a post with the best intentions of “setting the record straight,” only to see tempers flare. We’ve all seen it happen. The original poster, instead of being open to the new information, digs in their heels and becomes that much more convinced of being right on the topic.

One way to keep your friendships and good feelings intact is this: instead of entering the conversation with the intention of being “right,” help people discover the facts for themselves. You can present your information as part of a discussion on the topic. So while you shouldn’t expect this to act like a magic wand that whisks away misinformation, what you can do is provide a path toward a reputable source of information that the original poster, and their friends, can follow if they wish.

Be safe out there

Wherever your online travels take you as you read and research the news, be sure to go out there with a complete security suite. In addition to providing virus protection, it will also help protect your identity and privacy as you do anything online. Also look for an option that will protect your mobile devices too, as we spend plenty of time scrolling through our social media feeds on our smartphones.

If you’re interested in learning more about savvy media consumption, pop open a tab and give these articles a read—they’ll give you a great start:

Bots in the Twittersphere: Pew Research
How to Spot Fake News:

Likewise, keep an eye on your own habits. We forward news in our social media feeds too—so follow these same good habits when you feel like it’s time to post. Make sure that what you share is truthful too.

Be safe, be well-read, and be helpful!

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Celebrating multi-national cultures this Hispanic Heritage Month

By Life at McAfee

Do you know the difference between Hispanic and Latino? What about the traditions that are important parts of the Hispanic culture? Or beloved Spanish or Portuguese phrases that don’t come across in English?

McAfee’s team spans 45 countries, making us a team rich in cultural diversity. We are always learning more about each other and celebrate Latin culture year-round. To commemorate Hispanic Heritage Month, which runs from September 15 – October 15, we’ve asked members of our McAfee Latino Community for their unique perspective on what being Latino means to them and to share more of the distinctive elements of their country of origin and traditions.

Check out some of the wonderful responses we received:

What Being Latino Means to Me:

Favorite Things About Being Latino:

We couldn’t be more proud to celebrate Hispanic Heritage Month by elevating the voices of our team members and celebrating the diverse backgrounds and cultures that make up McAfee.

Simply put, a welcoming work culture where every team member feels accepted and celebrated is part of our DNA. We value all voices which make up McAfee and appreciate how they further enrich our culture.

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to job alerts. 


Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program

By Philippe Laulheret

From June to August, part of the McAfee Advanced Threat Research (ATR) team participated in Microsoft’s Azure Sphere Research Challenge.  Our research resulted in reporting multiple vulnerabilities classified by Microsoft as “important” or “critical” in the platform that, to date, have qualified for over $160,000 USD in bounty awards scheduled to be contributed to the ACLU ($100,000), St. Jude’s Children’s Research Hospital ($50,000) and PDX Hackerspace (approximately $20,000). With these contributions, we hope to support and give back both to our local hacker community that has really stepped up to help during the COVID crisis, and also recognize, at a larger scale, the importance to protect and further civil liberties and the wellbeing of those most in need.  

This blog post is a highlevel overview of the program, why we choose to take part in it, and a brief description of our findings. A detailed technical walkthrough of our findings can be found here 

Additionally, Microsoft has released two summary blogs detailing the Azure Sphere Bounty Program as a whole, including McAfee’s efforts and findings. They can be found here:


Azure Sphere Core Team Blog

What is Azure Sphere and the Azure Sphere Research Challenge? 

In late May Microsoft started a new bug bounty program for its Azure Sphere platform. Azure Sphere is a hardened IoT device with a secure communication link to the cloud that has been in development for the last few years and reached general availability in early 2020. Microsoft designed and built it from scratch to ensure every aspect of it is as secure as possibleper their security model. To put the theory to test, Microsoft invited a few select partners and hackers to try their best to defeat its security measures.  

The Azure sphere team came up with multiple scenarios that would test the security model of the device and qualify for an increased payout from the regular Azure Bug Bounty program. These scenarios range from the ability to bypascertain security measures, to executing code in the hardware enabled secure core of the device.  

Research scenarios specific to the Azure Sphere Research Challenge 

Why did ATR get involved with the program? 

There are multiple reasons why we were keen to participate in this program. First, as security researchers, the Azure Sphere platform is an exciting new research target that has been built from the ground up with security in mind. It showcases what might become of the IoT space in the next few years as legacy platforms are slowly phased out. Being at the forefront of what is being done in the IoT space ensures our research remains current and we are ready to tackle future new challenges. Second, by finding critical bugs in this new platform we help make it more secure and offer our support to make the IoT space increasingly resistant to cyber threats. Finally, as this is a bug bounty program, we decided from the start that we would donate any award we received to charity, thus using our skills to contribute to the social good of our local communities and support causes that transcend the technology sector.   


We’ve reported multiple bugs to Microsoft as a result of our research that were rated Important or Critical: 

  • Important – Security Feature bypass ($3,300): The inclusion of symlink in application package allows for referencing files outside of the application package mount point. 
  • Critical – RCE ($48,000): The inclusion of character device in an application package allows for direct interaction with a part of the flash memory, eventually leading to the modification of critical system files and further exploitation. 
  • Important – EoP ($11,000): Multiple bugs in how uid_map files are processed, allowing for elevation of privilege to the sys user.  
  • Important – Eop ($11,000): A user with sys privileges can trick Application Manager into unmounting “azcore” and mount a rogue binary in its stead. Triggering a core dump of a running process will then execute the rogue binary with full capabilities & root privileges due to improper handling of permissions in the LSM. 
  • Critical – EoP ($48,000): Further problems in the privilege dropping of azcore leads to the complete bypass of Azure Sphere capability restrictions 
  • Critical – EoP ($48,000): Due to improper certificate management, it is possible to re-claim a device on the Azure Sphere pre-prod server and obtain a valid capability file that works in the prod environment. This capability file can be used to re-enable application development mode on a finalized device (claimed by a third party). The deployment of the capability file requires physical access to a device.  


This research was an exciting opportunity to look at new platform with very little prior research, while still being in the familiar territory of an ARM device running a hardened Linux operating-system 

Through the bugs we found we were able to get a full chain exploit from a locked device to having root access. However, the Azure Sphere platform has many more security features such as remote attestation, and a hardware enabled secure core that is still holding strong.  

Finally, we want to thank Microsoft for the opportunity of participating in this exciting program, and the bounty awards 

How Searching For Your Favourite Celebrity May Not End Well

By Cyber Safety Ambassador: Alex Merton-McCann
Most Dangerous Celebrity

How Searching For Your Favourite Celebrity May Not End Well

2020 has certainly been the year for online entertainment. With many Aussies staying home to stay well, the internet and all its offerings have provided the perfect way for us all to pass time. From free movies and TV shows to the latest celebrity news, many of us have devoured digital content to entertain ourselves. But our love affair with online entertainment certainly hasn’t gone unnoticed by cybercriminals who have ‘pivoted’ in response and cleverly adapted their scams to adjust to our insatiable desire for content.

Searching For Our Favourite Celebrities Can Be A Risky Business

Cybercriminals are fully aware that we love searching for online entertainment and celebrity news and so devise their plans accordingly. Many create fake websites that promise users free content from a celebrity of the moment to lure unsuspecting Aussies in. But these malicious websites are purpose-built to trick consumers into sharing their personal information in exchange for the promised free content – and this is where many come unstuck!

Who Are The Most Dangerous Celebrities of 2020?

McAfee, the world’s leading cybersecurity company, has researched which famous names generate the riskiest search results that could potentially trigger consumers to unknowingly install malware on their devices or unwillingly share their private information with cybercriminals.

And in 2020, English singer-songwriter Adele takes out the top honours as her name generates the most harmful links online. Adele is best known for smashing the music charts since 2008 with hit songs including ‘Rolling in the Deep’ and ‘Someone Like You’. In addition to her award-winning music, Adele is also loved for her funny and relatable personality, as seen on her talk show appearances (such as her viral ‘Carpool Karaoke’ segment) and concert footage. Most recently, her weight-loss and fitness journey have received mass media attention, with many trying to get to the bottom of her ‘weight-loss’ secrets.

Trailing Adele as the second most dangerous celebrity is actress and star of the 2020 hit show Stan ‘Love Life’ Anna Kendrick, followed by rapper Drake (no. 3), model and actress Cara Delevingne (no. 4), US TikTok star Charli D’Amelio (no. 5) and singer-songwriter Alicia Keys (no. 6). Rounding out the top ten are ‘Sk8r Boi’ singer Avril Lavigne (No. 7), New Zealand rising music star, Benee (no. 8), songstress Camila Cabello (no. 9), and global superstar, singer and actress Beyonce (no. 10).

Most Dangerous Celebrity

Aussies Love Celebrity Gossip

Whether it was boredom or the fact that we just love a stickybeak, our love of celebrity news reached new heights this year with our many of us ‘needing’ to stay up to date with the latest gossip from our favourite public figures. Adele’s weight-loss journey (no.1), Drake’s first photos of ‘secret son’ Adonis (no. 4), and Cara Delevingne’s breakup with US actress Ashley Benson (no. 5), all had us Aussie fans flocking to the internet to search for the latest developments on these celebrity stories.

We’ve Loved New Releases in 2020

With many of us burning through catalogues of available movies and TV shows amid advice to stay at home, new release titles have definitely been the hottest ticket in town to stay entertained.

Rising to fame following her roles in ‘Twilight’ and musical comedy ‘Pitch Perfect’, Anna Kendrick (no. 2) starred in HBO Max series ‘Love Life’ which was released during the peak of COVID-19 in Australia, as well as the 2020 children’s film ‘Trolls World Tour’. R&B and pop megastar Beyonce (no. 10) starred in the 2019 remake of Disney cult classic ‘The Lion King’ and released a visual album ‘Black Is King’ in 2020.

Music Has Soothed Our Souls This Year 

While live concerts and festivals came to a halt earlier this year, many of us are still seeking music – both old and new – to help us navigate these unprecedented times. In fact, musicians make up 50% of the top 10 most dangerous celebrities – hailing from all genres, backgrounds and generations.

Canadian rapper Drake (No. 2) sparked fan interest by dropping his ‘Dark Lanes Demo Tapes’ album including hit songs ‘Chicago Freestyle’ and ‘Tootsie Slide’ that went massively viral on TikTok. New Zealand singer Benee also came out of the woodwork with viral sensations Supalonely and Glitter topping charts and reaching global popularity on TikTok.

Known for her enormously successful R&B/Soul music in the early 2000s, Alicia Keys (no. 6) released a string of new singles in 2020. Camila Cabello’s ‘Senorita’ duet with Canadian singer and now boyfriend Shawn Mendes, was Spotify’s most streamed song of 2019. The couple continued to attract copious attention as fans followed stories reporting on the lovebirds self-isolating together in Miami earlier this year.

How to Avoid Getting Caught In An Online Celebrity Scam

Please don’t feel that getting caught by an ill-intentioned cybercrime is inevitable. If you follow these few simple tips, you can absolutely continue your love of online entertainment and all things celebrity:

  1. Be Careful What You Click

If you are looking for new release music, movies or TV shows or even an update on your favourite celebrity then ALWAYS be cautious and only click on links to reliable sources. Avoid ‘dodgy’ looking websites that promise free content – I guarantee these sites will gift you a big dose of malware. The safest thing is to wait for official releases, use only legitimate streaming sites and visit reputable news sites.

  1. Say NO to Illegal Streaming and Downloading Suspicious Files

Yes, illegal downloads are free but they are usually riddled with malware or adware disguised as mp3 files. Be safe and use only legitimate music streaming platforms – even if it costs a few bucks! Imagine how devastating it would be to lose access to everything on your computer thanks to a nasty piece of malware?

  1. Protect Your Online Safety With A CyberSecurity Solution

One of the best ways of safeguarding yourself (and your family) from cybercriminals is by investing in an  comprehensive cybersecurity solution like McAfee’s Total Protection. This Rolls Royce cybersecurity package will protect you from malware, spyware, ransomware and phishing attacks. An absolute no brainer!

  1. Get Parental Controls Working For You

Kids love celebrities too! Parental control software allows you to introduce limits to your kids’ viewing which will help minimise their exposure to potentially malicious or inappropriate websites when they are searching for the latest new on TikTok star Charlie D’Amelio or go to download the latest Benee track.

I don’t know how my family of 6 would have survived this year without online entertainment. We’ve devoured the content from three different streaming services, listened to a record number of hours on Spotify and filled our heads with news courtesy of online news sites. And while things are looking up, it will be a while before life returns to normal. So, please take a little time to educate your family on the importance of ‘thinking before you click’ and the perils of illegal downloading. Let’s not make 2020 any more complicated!!

Stay safe everyone!


Alex x

Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

By Baker Nanduru
Most Dangerous Celebrity

Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyber threats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information. Owing to his international popularity and fan following that well resonates in India, Cristiano Ronaldo takes the top spot on the India edition of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

Ronaldo is popular not only for his football skills, but also for his lifestyle, brand endorsements, yearly earnings, and large social media following, with fans devotedly tracking his every movement. This year, Ronaldo’s transfer to Juventus from Real Madrid for a reported £105M created quite a buzz, grabbing attention from football enthusiasts worldwide. Within the Top 10 list, Ronaldo is closely followed by veteran actress Tabu (No. 2) and leading Bollywood actresses, Taapsee Pannu, (No. 3) Anushka Sharma at (No. 4) and Sonakshi Sinha (No. 5). Also making the top ten is Indian singer Armaan Malik (No. 6), and young and bubbly actor Sara Ali Khan (No. 7). Rounding out the rest of the top ten are Indian actress Kangana Ranaut (No. 8), followed by popular TV soap actress Divyanka Tripathi (No. 9) and lastly, the King of Bollywood, Shah Rukh Khan (No. 10).


Most Dangerous Celebrity

Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows, sports, and movies to watch. For example, Ronaldo is strongly associated with malicious search terms, as fans are constantly seeking news on his personal life, as well as searching for news on his latest deals with football clubs. In addition, users may be streaming live football matches through illegal streaming platforms to avoid subscription fees. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity related news, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

Use parental control software

Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

 Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

By Baker Nanduru
Most Dangerous Celebrity

Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

Thanks to her recent starring roles, American actress Anna Kendrick has found herself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

You probably know Anna Kendrick from her popular roles in films like “Twilight,” Pitch Perfect,” and “A Simple Favor.” She also recently starred in the HBO Max series “Love Life,” as well as the 2020 children’s film “Trolls World Tour.” Kendrick is joined in the top ten list by fellow actresses Blake Lively (No. 3), Julia Roberts (No. 8), and Jason Derulo (No. 10). Also included in the top ten list are American singers Mariah Carey (No. 4), Justin Timberlake (No. 5), and Taylor Swift (No. 6). Rounding out the rest of the top ten are American rapper Sean (Diddy) Combs (No. 2), Kate McKinnon (No. 9), and late-night talk show host Jimmy Kimmel (No. 7).

Most Dangerous Celebrity

Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows and movies to watch. However, people must understand that torrent or pirated downloads can lead to an abundance of cyberthreats. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

 Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

 Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

 Use parental control software

 Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



Check Out the McAfee Most Dangerous Celebrity 2020

By Baker Nanduru
Most Dangerous Celebrity

Attention Streamers: Check Out the McAfee Most Dangerous Celebrity 2020 List

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

Known for his BAFTA-winning celebrity chat show and BBC radio show, the UK’s national treasure, Graham Norton, has found himself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

Graham Norton is a household name thanks to his hugely popular talk show, The Graham Norton Show, which has seen him interview A-listers including Nicole Kidman, Hugh Grant and Helen Mirren. He is also known for his BBC radio show, as well as his inimitable Eurovision commentary. Not shy of celebrity friends, Norton is joined in the top ten list by fellow national treasures such as Ricky Gervais (No.2), and Idris Elba (No.7) and Mary Berry (no.10). Also included in the top ten list are British actor Tom Hardy (No.3) and Gavin and Stacey star, Ruth Jones (No.4). Rounding out the rest of the top ten are UK’s very own Mick Jagger (No.5), Aussie actress Margot Robbie (No.6) and models Kate Moss (No.8) and Bella Hadid (No.9).


Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for celebrity gossip and new shows or movies to watch. For example, given Graham is strongly associated with malicious search terms, indicates that online criminals are using Britain’s love for celebrity gossip and the Eurovision for personal gain. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

Use parental control software

Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Cybersecurity Awareness Month: If You Connect It, Protect It

By McAfee

Cybersecurity Awareness Month: If You Connect It, Protect It

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

We live in a day and age when even lightbulbs can be hacked.

Perhaps you’ve caught the stories in the news: various devices like home cameras, smart appliances, and other Internet of Things (IoT) devices falling prey to hackers and attacks, such as when the Mirai botnet took out large swathes of the internet in 2016. As posted by Statista, estimates project that the world will have nearly 40 billion IoT devices in the next five years and upwards of 50 billion by 2030. That’s in homes and businesses alike, ranging anywhere from digital assistants, smart watches, medical devices, thermostats, vehicle fleet management devices, smart locks, and yes, even the humble lightbulb—and like our computers, laptops, smartphones, and tablets, they all need to be protected.

The reason is simple: your network is only as safe as the weakest device that’s on it. And we’re putting so much more on our networks than ever before. In effect, that means our homes have more targets for hackers than ever before as well. In the hands of a dedicated crook, one poorly protected device can open the door to your entire network—much like a thief stealing a bike by prying open the weak link in a chain lock. Therefore, so goes the saying, “If You Connect It, Protect It.”

The Eight-Point List for Protecting Your IoT Devices

What’s challenging is that our IoT devices don’t always lend themselves to the same sort of protections like our computers, laptops, and phones do. For example, you can’t actually install security software directly on them. However, there are things you can do to protect those devices, and the network they’re on too.

1) Do your IoT homework

Just because that new smart device that’s caught your eye can connect to the internet doesn’t mean that it’s secure. Before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some IoT device manufacturers are much better at baking security protocols into their devices than others, so look into their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice.

2) Don’t use the default—Set a strong, unique password

One issue with many IoT devices is that they often come with a default username and password. This could mean that your device, and thousands of others just like it, all share the same credentials, which makes it painfully easy for a hacker to gain access to them as those default usernames and passwords are often published online.

When you purchase an IoT device, set a fresh password using a strong method of password creation.  And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. As always, don’t store them in an unprotected file on your computer, which can be subject to a hack or data loss.

3) Use two-factor authentication

Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to make sure that we’re logging in we really are who we say we are. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own, like your mobile phone. Thus when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security.

4) Secure your internet router

Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all of your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. If you’re renting your router or you’ve purchased it through your internet provider, they should have help documentation that can guide you through this the process. Likewise, if you purchased your own, your manual should provide the guidance you need.

As we mentioned above, the first thing to do is change the default password and name of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which will keep your signal secure. If you’re unsure, reach out to your internet provider or check the documentation that came with your router.

5) Set up a guest network specifically for your IoT devices

Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Another line of defense that can hamper hackers is using a VPN, which allows you to send and receive data while encrypting your information so others can’t read it. When your data traffic is scrambled that way, it’s shielded from prying eyes, which helps protect your network and the devices you have connected to it.

7) Update!

As with our computers, laptops, phones, tablets, and apps, make sure you have the latest software updates for your IoT devices. The reasons here are the same: one, they’ll make sure you’re getting the latest functionality from your device; and two, updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest.

8) Protect your phone

You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” our smartphones—so protecting our phones has become yet more important. Whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well.

And protect your other things too

And of course, let’s not forget our computers and laptops. While we’ve been primarily talking about IoT devices here, it’s a good reminder that computers and laptops need protection too. Using a strong suite of security software like McAfee® Total Protection, can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too.

If you connect it, protect it

We’re connecting our homes and ourselves with IoT devices at an tremendous rate—now at an average of 10 connected devices in our homes in the U.S. Gone by are the days when all we had was a computer or phone or two to look after. Now, even when we’re not in front of a laptop or have a smartphone in our hand, we’re still online, nearly all the time. Take this week to make sure that what you’ve connected is protected. Even that little lightbulb.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Convenience vs. Online Security: Have Your Cake and Eat It Too

By Baker Nanduru
online safety

Convenience vs. Online Security: Have Your Cake and Eat It Too

We live in a world where convenience is king. Personally, I don’t know what I would do without my calendar alerts popping up on my smartphone, ensuring that I don’t miss any important meetings (or birthdays).  I can also use a variety of apps to make appointments with my family’s doctor and check up on my kids’ educational progress while they are at home distance learning. While this technology is great and convenient, it has led to increased connectivity which tends to cause security implications. At what point do we draw the line between convenience and online security, and is there a way to ultimately have both? Let’s take a look.

Are Consumers Confident in Their Online Safety?

Consumers want to live their lives fast. They are constantly on the go, prioritizing speedy technology and convenience – sometimes more than safety. As a result, basic security hygiene, like updating passwords, has fallen by the wayside. In fact, a recent survey conducted by YouGov in April of 2020 revealed that consumers are overconfident in the level of protection that their credentials provide. 77% believe that their banking credentials are the most secure, followed by online shopping (74%), and work network logins (71%). Due to consumers’ overconfidence in the strength of their credentials, over half of online shoppers admitted that they have no plans to update their login details – and even more admitted to not updating bank and work passwords. As someone who just recently wrote a blog on common password habits and how they can affect our online safety,

Finding a Balance Between Convenience and Security

As today’s users are trying to grasp what the “new normal” means for them and how they live their lives, many are branching out from the typical ways they used to order food, take workout classes, and more. Consumers are using food delivery sites that they’ve never used before and signing up for online fitness classes on new platforms to  stay healthy while social distancing. But by using these unfamiliar websites to establish a sense of normalcy, users might forget to take basic security precautions like making sure these websites have the standard https:// security clearance or using a VPN. Paying attention to these security measures while exploring new platforms will allow users to enjoy the convenience of these tools without putting their online safety at risk.

According to McAfee Labs, more than 113,000 websites have been published that used COVID-19 to lure internet users into giving up their personal details. But despite the risks associated with poor security hygiene, consumers appear to be pretty indifferent. When asked if COVID-19 and increased fraud influenced them to use alternative banking or shopping apps/websites with more secure options, over three-quarters of U.S. consumers stated no, or that they didn’t know. At the onset of the pandemic when consumers were under pressure to buy scarce, staple items, 26% of consumers in the U.S. admitted to overlooking online security concerns by using third-party merchants to buy things like toilet paper and disinfecting products.

Today’s users already have so much to worry about – I can’t blame them if their online security is falling by the wayside to allow physical health and wellness to take precedent. It’s times like these when people need to prioritize their health and basic survival above all else that consumers benefit most from intrinsic security that is constantly working in the background, so they can have peace of mind.

Let Them Have Security (and Convenience!)

The good news: convenience and security don’t have to be mutually exclusive. I can still use my healthcare provider’s app to schedule appointments and check in on my kids as they distance learn without risking our family’s privacy. When it comes to balancing convenience and online security, you and your family should use trusted solutions that will allow you to enjoy all that the internet has to offer  by providing security that is easy, convenient, and empowers you to enjoy a safe and private digital live.

Users can enjoy a comprehensive, yet holistic approach to protection by employing the help of a security solution like McAfee® Total Protection. Consumers are safeguarded from malware  so they can continue to use their devices and web browsing to stream live workout classes, catch up with family over video conference, and more. The software’s detection capabilities are constantly being updated and enhanced without compromising users’ device performance.

McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. McAfee WebAdvisor allows consumers to online shop or order food from their favorite restaurant while giving them the peace of mind that they’re on a safe website.

McAfee Total Protection also includes our secure VPN to ensure your family is prepared for potential threats that could be lurking around the corner. By enabling a VPN on your device, you can feel confident that the next time you bank or pay bills online, your connection is secure. With solutions like McAfee Total Protection and McAfee WebAdvisor in place, consumers can strike a balance between convenience and security, without sacrificing either.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


ST23: Moderner Datenschutz für Microsoft Teams (German)

By McAfee

Für viele ist das Arbeiten im Home Office zur Normalität geworden. Microsoft Teams stellt dabei den Ankerpunkt der effektiven Zusammenarbeit und dem Austausch von Inhalten in Microsoft 365 dar. Welche Auswirkung das jedoch auf die Sicherheit hat, diskutieren wir in diesem Podcast. Hierfür zusammengekommen sind Alexander Haug, unser Security Engineer mit Fokus auf Data Protection, sowie Chris Trynoga, unser Solution Architect und Experte für ganzheitliche Sicherheitsansätze.

Securing Space 4.0 – One Small Step or a Giant Leap? Part 2

By Eoin Carroll

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center in Cork, Ireland

In the first of this two-part blog series we introduced Space 4.0, its data value and how it looks set to become the next battleground in the defense against cybercriminals. In part two we discuss the architectural components of Space 4.0 to threat model the ecosystem from a cybersecurity perspective and understand what we must do to secure Space 4.0 moving forward.

Nanosats: Remote Computers in Space

A satellite is composed of a payload and a bus. The payload is the hardware and software required for the mission or satellite’s specific function, such as imaging equipment for surveillance. The bus consists of the infrastructure or platform that houses the payload, such as thermal regulation and command and control. Small satellites are space craft typically weighing less than 180 kilograms and, within that class of satellites, is what we call nanosatellites or nanosats which typically weigh between 1-10 kilograms. Cubesats are a class of nanosat so you will often hear the term used interchangeably, and for the context of Space 4.0 security, we can assume they are the same device. Nanosats significantly reduce launch costs due to their small size and the fact that many of these devices can be mounted on board a larger single satellite for launch.

Commercial off-the-shelf (COTS) Cubesats typically use free open source software such as FreeRTOS or KubOS for the on-board operating system. However, other systems are possible, with drivers available for most of the hardware on Linux and Windows OS. KubOS is an open source flight software framework for satellites and has cloud-based mission control software, Major Tom, to operate nanosats or a constellation. We mention KubOS here as it is a good example of what the current Space 4.0 operating model looks like today. While we have not reviewed KubOS from a security perspective, developing a secure framework for satellites is the right path forward, allowing mission developers to focus on the payload.

Some of the use cases available with Cubesats are:

  1. File transfers
  2. Remote communication via uplink/downlink
  3. Intra-satellite and inter-satellite communications
  4. Payload services such as camera and sensors telemetry
  5. Software Updates

KubOS is “creating a world where you can operate your small satellite from your web browser or iPhone”. KubOSobjective is to allow customers to send bits and not rockets to space and it is defining a new era of software-designed satellites. The satellite model is changing from relay type devices to remote computers in space using COTS components and leveraging TCP/IP routing capabilities. This model shift also means that there is more software executing on these satellites and more complex payload processing or interaction with the software stack and hence more attack surface.

To date, attacks on satellite systems from a cybersecurity perspective have typically been in the context of VSAT terminals, eavesdropping and hijacking. While there have been vulnerabilities found in the VSAT terminal software and its higher-level custom protocols, there seems to have been no focus and vulnerabilities discovered within the network software stack of the satellite itself. This may be since satellites are very expensive, as well as closed source, so not accessible to security researchers or cybercriminals, but this security by obscurity will not provide protection with the new era of nanosats. Nanosats use COTS components which will be accessible to cybercriminals.

Due to the closed nature of satellites there has not been much published on their system hardware and software stack. However, the Consultative Committee for Space Data Systems (CCSDS), which develops standards and specifications including protocols for satellite communications, does give some insight. The CCSDS technical domains are:

  1. Space Internetworking Services
  2. Mission Ops. And Information Management Services
  3. Spacecraft Onboard Interface Services
  4. System Engineering
  5. Cross Support Services
  6. Space Link Services

The CCSDS standards are divided into color codes to represent recommended standards and practices versus informational and experimental. This is a very large source of data communications for satellite designers to aid them in a reference for implementation. However, as we have observed over the cyber threat landscape of the past few decades, secure standards and specifications for hardware, software and protocols do not always translate to secure implementation. The CCSDS defines a TCP/IP stack suitable for transmission over space datalinks as per figure 1 below. Satellites that become more connected, just like any other device on the internet, their network and protocol software stack will become more accessible and targeted. As we discussed in part 1 <insert link> of our Space 4.0 blog series, there have been many TCP/IP and remote protocol related vulnerabilities in both embedded devices and even state of the art operating systems such as Windows 10. The TCP/IP stack and remote protocol implementations are a common source of vulnerabilities due to the complexities of parsing in unsafe memory languages such as C and C++. There does not appear to be any open source implementations of the CCSDS TCP/IP protocol stack.

Figure 1 – CCSDS Space communications protocols reference model

The CubeSat Protocol (CSP) is a free open source TCP/IP stack implementation for communication over space datalinks, similar to the CCSDS TCP/IP stack. The CSP protocol library is implemented in C, open source and implemented in many Cubesats that have been deployed to space. The protocol can be used for communication from ground station to satellite, inter-satellite and the intra-satellite communication bus. There have been 3 vulnerabilities to date reported in this protocol.

Figure 2 below shows what a Cubesat architecture looks like from a trust boundary perspective relative to the satellite and other satellites within the constellation and the earth.

Figure 2 – Space LEO Cubesat architecture trust boundaries

No hardware, software, operating system or protocol is completely free of vulnerabilities. What is important from a security perspective is:

  1. The accessibility of the attack surface
  2. The motives and capabilities of the adversary to exploit an exposed vulnerability if present in the attack surface

As these low-cost satellites get launched in our LEO and become more connected, any exposed technology stack will become increasingly targeted by cybercriminals.

Space 4.0 Threat Modeling

This Space 4.0 threat model focuses on the cybercriminal and how they can exploit Space 4.0 data for monetization. The following Space 4.0 factors will make it more accessible to cybercriminals:

  1. Mass deployment of small satellites to LEO
  2. Cheaper satellites with COTS components and increased satellite on board software processing (no longer relay devices)
  3. Satellite service models, Ground Station-as-a-Service (GSaaS) and Satellite-as-a-Service (SataaS) and shared infrastructure across government, commercial and academic
  4. Satellite connectivity and networks in space (ISL – inter-satellite links)
  5. Space 4.0 data value

Space security has typically been analyzed from the perspective of ground segment, communications or datalink and space segment. Additionally, the attack classes have been categorized as electronic (jamming), eavesdropping, hijacking and control. Per figure 3 below, we need to think about Space 4.0 with a cybersecurity approach due to the increased connectivity and data, as opposed to the traditional approach of ground, communication and space segments. Cybercriminals will target the data and systems as opposed to the RF transmission layer.

Figure 3 – Space 4.0 threat modeling architecture

It is important to consider the whole interconnectivity of the Space 4.0 ecosystem as cybercriminals will exploit any means possible, whether that be direct or indirect access (another trusted component). Open source networked ground stations such as SatNOGs and the emerging NyanSat are great initiatives for space research but we should consider these in our overall threat model as they provide mass connectivity to the internet and space.

The traditional space security model has been built on a foundation of cost as a barrier to entry and perimeter-based security due to lack of physical access and limited remote access to satellites. However, once a device is connected to the internet the threat model changes and we need to think about a satellite as any other device which can be accessed either directly or indirectly over the internet.

In addition, if a device can be compromised in space remotely or through the supply chain, then that opens a new attack class of space to cloud/ground attacks.

Users and trusted insiders will always remain a big threat from a ground station perspective, just like enterprise security today, as they can potentially get direct access to the satellite control.

The movement of ground services to the cloud is a good business model if designed and implemented securely, however a compromise would impact many devices in space being controlled from the GSaaS. It is not quite clear where the shared responsibility starts and ends for the new SataaS and GSaaS Space 4.0 service models but the satellite key management system (KMS), data, GSaaS credentials and analytics intellectual property (this may reside in the user’s environment, the cloud or potentially the satellite but for the purposes of this threat model we assume the cloud) will be much valued assets and targeted.

From the Cyber and Space Threat Landscape review in part 1 <insert link>, combined with our understanding of the Space 4.0 architecture and attack surfaces, we can start to model the threats in Table 1 below.

Table 1 – Space 4.0 threats, attack classes and layers, and attack vectors

Based on the above threat model, let’s discuss a real credible threat and attack scenario. From our Space cyber threat landscape review in part 1 of this blog series, there were attacks on ground stations in 2008 at the Johnson Space Center and for a Nasa research satellite. In a Space 4.0 scenario, the cybercriminal attacks the ground station through phishing to get access to satellite communications (could also be a supply chain attack to get a known vulnerable satellite system into space). The cybercriminal uses an exploit being sold on the underground to exploit a remote wormable vulnerability within the space TCP/IP stack or operating system of the satellite in space, just like we saw EternalBlue being weaponized by WannaCry. Once the satellite has been compromised the malware can spread between satellite vendors using their ISL communication protocol to propagate throughout the constellation. Once the constellation has been compromised the satellite vendor can be held to ransom, causing major disruption to Space 4.0 data and/or critical infrastructure.

Moving Forward Securely for a Trustworthy Space 4.0 Ecosystem

Establishing a trustworthy Space 4.0 ecosystem is going to require strong collaboration between cyber threat research teams, government, commercial and academia in the following areas:

  1. Governance and regulation of security standards implementation and certification/validation of satellite device security capabilities prior to launch
  2. Modeling the evolving threat landscape against the Space 4.0 technology advancements
  3. Secure reference architectures for end to end Space 4.0 ecosystem and data protection
  4. Security analysis of the CCSDS protocols
  5. Design of trustworthy platform primitives to thwart current and future threats must start with a security capable bill of materials (BOM) for both hardware and software starting with the processor then the operating system, frameworks, libraries and languages. Hardware enabled security to achieve confidentiality, integrity, availability and identity so that satellite devices may be resilient when under attack
  6. Visibility, detection and response capabilities within each layer defined in our Space 4.0 architecture threat model above
  7. Development of a MITRE ATT&CK specifically for Space 4.0 as we observe real world incidents so that it can be used to strengthen the overall defensive security architecture using TTPs and threat emulation

Space 4.0 is moving very fast with GSaaS, SataaS and talk of space data centers and high-speed laser ISL; security should not be an inhibitor for time to market but a contributor to ensure that we have a strong security foundation to innovate and build future technology on with respect to the evolving threat landscape. Space communication predates the Internet so we must make sure any legacy limitations which would restrict this secure foundation are addressed. As software complexity for on board processing and connectivity/routing capability increases by moving to the edge (space device) we will see vulnerabilities within the Space 4.0 TCP/IP stack implementation.

This is a pivotal time for the secure advancement of Space 4.0 and we must learn from the mistakes of the past with IoT where the rush to adopt new and faster technology resulted in large scale deployment of insecure hardware and software. It has taken much effort and collaboration between Microsoft and the security research community since Bill Gates announced the Trustworthy Computing initiative in 2002 to arrive at the state-of-the-art Windows 10 OS with hardware enabled security. Likewise, we have seen great advancements on the IoT side with ARM Platform Security Architecture and Azure Sphere. Many security working groups and bodies have evolved since 2002, such as the Trust Computing Group, Confidential Computing Consortium, Trusted Connectivity Alliance and Zero Trust concept to name a few. There are many trustworthy building block primitives today to help secure Space 4.0, but we must leverage at the concept phase of innovation and not once a device has been launched into space; the time is now to secure our next generation infrastructure and data source. Space security has not been a priority for governments to date but that seems all set to change with the “Memorandum on Space Policy Directive-5—Cybersecurity Principles for Space Systems”.

We should pause here for a moment and recognize the recent efforts from the cybersecurity community to secure space, such as the Orbital Security Alliance, S-ISAC, Mantech and Defcon Hack-a-Sat.

KubOS is being branded as the Android of space systems and we are likely to see a myriad of new software and hardware emerge for Space 4.0. We must work together to ensure Space 4.0 connectivity does not open our global connectivity and infrastructure dependency to the next Mirai botnet or WannaCry worm on LEO.

McAfee would like to thank Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland for their collaboration in our mission to secure Space 4.0.

Securing Space 4.0 – One Small Step or a Giant Leap? Part 1

By Eoin Carroll

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland

The essence of Space 4.0 is the introduction of smaller, cheaper, faster-to-the-market satellites in low-earth-orbit into the value chain and the exploitation of the data they provide. Space research and communication prior to Space 4.0 was primarily focused on astronomy and limited to that of governments and large space agencies. As technology and society evolves to consume the “New Big Data” from space, Space 4.0 looks set to become the next battleground in the defense against cybercriminals. Space 4.0 data can range from earth observation sensing to location tracking information and applied across many vertical uses cases discussed later in this blog. In the era of Space 4.0 the evolution of the space sector is rapidly changing with a lower cost of launching, combined with public and private partnerships that open a whole new dimension of connectivity. We are already struggling to secure our data on earth, we must now understand and secure how our data will travel through space constellations and be stored in cloud data centers on earth and in space.

Low Earth Orbit (LEO) satellites are popular for scientific usage but how secure are they? The Internet of Things (IoT) introduced a myriad of insecure devices onto the Internet due to the low cost of processors and high-speed connectivity, but the speed in its adoption resulted in a large fragmentation of insecure hardware and software across business verticals.

Space 4.0 is now on course for a similar rapid adoption with nanosats as we prepare to see a mass deployment of cheap satellites into LEO. These small satellites are being used across government, academic and commercial sectors for different use cases that require complex payloads and processing. Many nanosats can coexist on a single satellite. This means that the same satellite backbone circuit infrastructure can be shared, reducing build and launch costs and making space data more accessible.

To date, satellites have typically been relay type devices repeating signals to and from different locations on earth in regions with poor internet connectivity, but that is all set to change with a mass deployment of smarter satellite devices using inter-satellite links (ISL) in  constellations like Starlink which aim to provide full high speed broadband global coverage. As the Space 4.0 sector is moving from private and government sectors to general availability, this makes satellites more accessible from a cost perspective, which will attract threat actors other than nation states, such as cyber criminals. Space 4.0 also brings with it new service delivery models such as Ground Station as a Service (GSaaS) with AWS and Azure Orbital and Satellite as a Service (SataaS). With the introduction of these, the satellite will become another device connecting to the cloud.

In our research we analyze the ecosystem to understand the latest developments and threats in relation to cybersecurity in space and whether we are ready to embrace Space 4.0 securely.

Space 4.0 Evolution

What is the Industrial 4th Revolution? The original industrial revolution started with the invention of steam engines then electricity, computers and communication technology. Industry 4.0 is about creating a diverse, safe, healthy, just world with clean air, water, soil and energy, as well as finding a way to pave the path for the innovations of tomorrow.

The first space era, or Space 1.0, was the study of astronomy, followed by the Apollo moon landings and then the inception of the International Space Station (ISS). Space 4.0  is analogous to Industry 4.0, which is considered as the unfolding fourth industrial revolution of manufacturing and services. Traditionally, access to space has been the domain of governments and large space agencies (such as NASA or the European Space Agency) due to the large costs involved in the development, deployment and operation of satellites. In recent years, a new approach to using space for commercial, economic and societal good has been driven by private enterprises in what is termed New Space. When combined with the more traditional approach to space activity, the term “Space 4.0” is used. Space 4.0 is applicable across a wide range of vertical domains, including but not limited to:

  • Ubiquitous broadband
  • Autonomous vehicles
  • Earth observation
  • Disaster mitigation/relief
  • Human spaceflight
  • Exploration

Cyber Threat Landscape Review

The Cyber Threat Landscape has evolved greatly over the past 20 years with the convergence of Information Technology (IT), Operational Technology (OT) and IoT. Protecting consumers, enterprises and critical infrastructure with the rapid parallel innovation of technology and cybercriminals is a constant challenge. While technology and attacks evolve rapidly the cybercriminal motive remains a constant; make money and maximize profit by exploiting a combination of users and technology.

Cybercriminals have much more capabilities now than they did 10 years ago due to the rise of Cybercrime as a Service (CaaS). Once an exploit for a vulnerability has been developed, it can then be weaponized into an exploit kit or ransomware worm, such as WannaCry. Cybercriminals will follow the path of least resistance to achieve their goal of making money.

Nearly every device class across the business verticals, ranging from medical devices to space Very-small-aperture terminals (VSAT), have been hacked by security researchers, as evident from Blackhat and Defcon trends.

From a technology stack perspective (hardware and software) there have been vulnerabilities discovered and exploits developed across all layers where we seek to establish some form of trustworthiness when connected to the internet; browsers, operating systems, protocols, hypervisors, enclaves, cryptographic implementations, system on chips (SoC) and processors.

Not all these vulnerabilities and exploits become weaponized by cybercriminals, but it does highlight the fact that the potential exists. Some notable weaponized exploits are:

  1. Stuxnet worm
  2. WannaCry ransomware worm
  3. Triton malware
  4. Mirai Botnet

Some recent major industry vulnerabilities were: BlueKeep (Windows RDP Protocol), SMBGhost (Windows SMB Protocol), Ripple20 (Treck embedded TCP/IP library), Urgent 11 (VxWorks TCP/IP library), Heartbleed (OpenSSL library), Cloudbleed (Cloudflare), Curveball (Microsoft Crypto API), Meltdown and Spectre (Processor side channels).

Cybercriminals will adapt quickly to maximize their profit as we saw with the COVID-19 pandemic and the mass remote workforce. They will quickly understand the operating environment changes and how they can reach their goals by exploiting users and technology, whichever is the weakest link. The easiest entry point into an organization will be through identity theft or weak passwords being used in remote access protocols such as RDP.

Cybercriminals moved to the Dark Web to hide identity and physical location of servers or using bullet-proof providers to host their infrastructure. What if these services are hosted in space? Who is the legal entity and who is responsible?

McAfee Enterprise Supernova Cloud analysis reports that:

  • Nearly one in 10 files shared in the cloud with sensitive data have public access, an increase of 111% year over year
  • One in four companies have had their sensitive data downloaded from the cloud to an unmanaged personal device, where they cannot see or control what happens to the data
  • 91% of cloud services do not encrypt data at rest
  • Less than 1% of cloud services allow encryption with customer-managed keys

The transition to the cloud, when done securely, is the right business decision. However, when not done securely it can leave your services and data/data lakes accessible to the public through misconfigurations (shared responsibility model), insecure APIs, and identity and access management issues. Attackers will always go for the low hanging fruit such as open AWS buckets and credentials through vendors in the supply chain.

One of the key initiatives, and now industry benchmark, is the MITRE ATT&CK framework which enumerates the TTPs from real word incidents across Enterprise (Endpoint and Cloud), Mobile and ICS. This framework has proved to be very valuable in enabling organizations to understand adversary TTPs and the corresponding protect, detect and response controls required in their overall defense security architecture. We may well see a version of MITRE ATT&CK evolve for Space 4.0.

Space Cyber Threat Landscape Review

Threat actors know no boundaries as we have seen criminals move from traditional crime to cybercrime using whatever means necessary to make money. Likewise, technology communication traverses many boundaries across land, air, sea and space. With the reduced costs to entry and the commercial opportunities with Space 4.0 big data, we expect to see cybercriminals innovating within this huge growth area. The Cyber Threat Landscape can be divided into vulnerabilities discovered by security researchers and actual attacks reported in the wild. This allows us to understand the technologies within the space ecosystem that are known to contain vulnerabilities and what capabilities threat actors have and are using in the wild.

Vulnerabilities discovered to date have been within VSAT terminal systems and intercepting communications. There have been no vulnerabilities disclosed on actual satellites from figure 1 below.

Figure 1 – Security Researcher space vulnerability disclosures

To date, satellites have mostly been controlled by governments and the military so little information is available as to whether an actual satellite has been hacked. We do expect to see that change with Space 4.0 as these satellites will be more accessible from a hardware and software perspective to do security analysis. Figure 2 below highlights reported attacks in the wild

Figure 2 – Reported Attacks in the Wild

In McAfee’s recent threat research, “Operation North Star”, we observed an increase in malicious cyber activity targeting the Aerospace and Defense industry. The objective of these campaigns was to gather information on specific programs and technologies.

Since the introduction of the cloud, it appears everything has become a device that interacts with a service. Even cybercriminals have been adapting to the service model. Space 4.0 is no different as we start to see the adoption of the Ground Station as a Service (GSaaS) and Satellite as a Service (SataaS) models per figure 3 below. These services are opening in the space sector due to the acceleration of vendors into Space 4.0 to help keep their costs down. Like any new ecosystem this will bring new attack surfaces and challenges which we will discuss in the Threat Modelling section.

Figure 3 – New Devices and Services for Space 4.0

So, with the introduction of cheap satellites using commercial off-the-shelf (COTS) components and new cloud services is it just a matter of time before we see mass satellite attacks and compromise?

Space 4.0 Data Value

The global space industry grew at an average rate of 6.7% per year between 2005 and 2017 and is projected to rise from its current value of $350 billion to $1.3 trillion per annum by 2030. This rise is driven by new technologies and business models which have increased the number of stakeholders and the application domains which they service in a cost-effective way. The associated increase in data volume and complexity has, among other developments, resulted in increasing concerns over the security and integrity of data transfer and storage between satellites, and between ground stations and satellites.

The McAfee Supernova report shows that data is exploding out of enterprises and into the cloud. We are now going to see the same explosion from Space 4.0 to the cloud as vendors race to innovate and monetize data from low cost satellites in LEO.

According to Microsoft the processing of data collected from space at cloud-scale to observe the Earth will be “instrumental in helping address global challenges such as climate change and furthering of scientific discovery and innovation”. The value of data from space must be viewed from the perspective of the public and private vendors who produce and consume such data. Now that satellite launch costs have reduced, producing this data becomes more accessible to commercial markets, so we are going to see much innovation in data analytics to improve our lives, safety and preservation of the earth. This data can be used to improve emergency response times to save lives, monitoring illegal trafficking, aviation tracking blind spots, government scientific research, academic research, improving supply chains and monitoring the earth’s evolution, such as climate change effects. Depending on the use case, this data may need to be confidential, may have privacy implications when tracking and may have substantial value in the context of new markets, innovation and state level research. It is very clear that data from space will have much value as new markets evolve, and cybercriminals will most certainly target that data with the intent to hold organizations to ransom or sell data/analytics innovation to competitors to avoid launch costs. Whatever the use case and value of the data traveling through space may be, we need to ensure that it moves securely by providing a trustworthy end to end ecosystem.

As we progress towards the sixth digital era, our society, lives and connectivity will become very dependent on off-planet data and technology in space, starting with SataaS.

In Part 2 we will discuss remote computers in Space, the Space 4.0 threat model and what we must do to secure Space 4.0 moving forward.

McAfee would like to thank Cork Institute of Technology (CIT) and their Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland for their collaboration in our mission to securing Space 4.0.

Election 2020 – Five Tips to Secure a Mail-In Ballot That Counts

By Judith Bitterli
Elections 2020

Election 2020 – Five Tips to Secure a Mail-In Ballot That Counts

Forecasts predict that roughly 80 million votes will get cast by mail-in ballots—double the number cast by mail in the 2016 election. Here are a couple tips to make sure your vote counts for the 2020 election.

Smart use of the internet will help you cast a mail-in ballot that counts.

Projections abound, yet forecasts predict that roughly 80 million votes will get cast by mail-in ballots—double the number cast by mail in the 2016 election. While we’ll only know the final tally of mail-in voters sometime after election day, what we know right now is that nearly 75% of U.S. voters will be able to vote by mail in the 2020 election

If you’re one of those voters, or know someone who is, this quick five-point primer of online resources should help.

Fake ballots, the pandemic and other election concerns

Pew Research found that Americans are split 50/50 as to whether voting in the 2020 election will be “easy” or “hard.” Compare that to the 2018 figures where 85% said that voting would be “easy” in that election. We can chalk that up to several factors this year, most notably the effect of the pandemic on voting, which I touched on in my blog last week.

However, there are other concerns at play. We’ve seen concerns about mail-in ballot fraud, along with confusion about how to get a mail-in ballot, and yet further confusion as to who is eligible to get a mail-in ballot in the first place… just to name a few.

These concerns all share a common remedy: the facts.

Good information, direct from your state election officials, will point the way. Skip social media altogether. It is not a trusted resource. In all, it’s a mistake to get any election information on social media, according to F.B.I. Director, Christopher Wray. Instead, let’s point ourselves in the right direction.

Cast your mail-in ballot securely with these five tips:

  1. Refer to your state and local officials for guidance: Visiting your state’s election website and resources they offer is your best bet for clearing up any questions about your eligibility to vote by mail or to report any difficulties you may have.
  2. Follow the directions closely: Mail-in ballots, and the rules for filling them out, also vary from state to state. Get to know yours with a visit to your state’s election website. Common errors like failing to get a witness signature (or signatures), failing to slip your ballot into a second security envelope, or using the wrong colored pen are all examples of ways ballots can get disqualified in some states. And when you get your ballot, read it closely before you start—including the mailing or drop off instructions.
  3. Know your election timeline: Deadlines are everything—such as when you can apply for an absentee or mail-in ballot, when they need to be returned or postmarked, and if you have other drop off options other than the mail. Again, your state or local election website will clearly call all that out.
  4. Give the mail extra time: Don’t leave your vote to chance. Request your mail-in ballot, as needed, right away. Once you’ve filled it out, get it in the mail early. The U.S. Postal Service has an entire site dedicated to election mail that’s loaded with plenty of good advice for mail-in voters, whether you’re stateside, overseas, or deployed elsewhere with the military.
  5. Track your ballot: The ability and means to track your ballot will of course vary from state to state. However, checking in with your state’s election website will show you what your options are.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


Cybersecurity Awareness Month Helps Us All be #BeCyberSmart

By McAfee
Cybersecurity Awareness Month

Cybersecurity Awareness Month Helps Us All be #BeCyberSmart

October is Cybersecurity Awareness Month, which is led by the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness in conjunction with the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). McAfee is pleased to announce that we’re a proud participant.

Cybersecurity Awareness Month

If there’s ever a year to observe Cybersecurity Awareness Month, this is it.

As millions worked, schooled, and simply entertained themselves at home (and continue to do so) this year, internet usage increased by up to 70%. Not surprisingly, cybercriminals followed. Looking at our threat dashboard statistics for the year so far, you’ll see:

  • 113,000+ new malicious websites and URLS referencing COVID-19
  • 5+ Million threats that exploit COVID-19
  • A large spike in trojan-based attacks in April followed by a higher spike in July and August

And that doesn’t account for the millions of other online scams, ransomware, malicious sites, and malware out there in general—of which COVID-19-themed attacks are just a small percentage.

With such a high reliance on the internet right now, 2020 is an excellent year to observe Cybersecurity Awareness Month, along with its focus on what we can do collectively to stay safer together in light of today’s threats.


Unified under the hashtag #BeCyberSmart, Cybersecurity Awareness Month calls on individuals and organizations alike to take charge of protecting their slice of cyberspace. The aim, above making ourselves safer, is to make everyone safer by having us do our part to make the internet safer for all. In the words of the organizers, “If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees, our interconnected world will be safer and more resilient for everyone.”

Throughout October, we’re participating as well. Here in our blogs and across our broad and ongoing efforts to boost everyone’s awareness and expertise in cybersecurity and simply staying safe online, we’ll be supporting one key theme each week:

Week of October 5: If You Connect It, Protect It

If you’ve kept up with our blogs, this is a theme you’ll know well. The idea behind “If you connect it, protect it” is that the line between our lives online and offline gets blurrier every day. For starters, the average person worldwide spends nearly 7 hours a day online thanks in large part to mobile devices and the time we spend actively connected on our computers. However, we’re also connecting our homes with Internet of Things (IoT) devices—all for an average of 10 connected devices in our homes in the U.S. So even when we don’t have a device in our hand, we’re still connected.

With this increasing number of connections comes an increasing number of opportunities—and challenges. During this weel, we’ll take a look at how internet-connected devices have impacted our lives and how you can take steps that reduce your risk.

Week of October 12 (Week 2): Securing Devices at Home and Work

As we shared at the open of this article, this year saw a major disruption in the way we work, learn, and socialize online. There’s no question that our reliance on the internet, a safe internet, is greater than before. And that calls for a fresh look at the way people and businesses look at security.

This week of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet connected devices for both personal and professional use, all in light of a whole new set of potential vulnerabilities that are taking root.

Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare

Earlier this year, one of our articles on telemedicine reported that 39% of North Americans and Europeans consulted a doctor or health care provider online for the first time in 2020.   stand as just one example of the many ways that the healthcare industry has embraced connected care. Another noteworthy example comes in the form of internet-connected medical devices, which are found inside care facilities and even worn by patients as they go about their day.

As this trend in medicine has introduced numerous benefits, such as digital health records, patient wellness apps, and more timely care, it’s also exposed the industry to vulnerabilities that cyber criminals regularly attempt to exploit. Here we’ll explore this topic and share what steps both can take do their part and #BeCyberSmart.

Week of October 26 (Week 4): The Future of Connected Devices

The growing trend of homeowners and businesses alike connecting all manner of things across the Internet of Things (IoT) continues. In our homes, we have smart assistants, smart security systems, smart door locks, and numerous other home IoT devices that all need to be protected. Businesses manage their fleets, optimize their supply chain, and run their HVAC systems with IoT devices, which also beg protection too as hackers employ new avenues of attack, such as GPS spoofing. And these are just a fraction of the applications that we can mention as the world races toward a predicted 50 billion IoT devices by 2030.

As part of Cybersecurity Awareness Month, we’ll look at the future of connected devices and how both people and businesses can protect themselves, their operations, and others.

Give yourself a security checkup

As Cybersecurity Awareness Month ramps up, it presents an opportunity for each of us to take a look at our habits and to get a refresher on things we can do right now to keep ourselves, and our internet, a safer place. This brief list should give you a great start, along with a catalog of articles on identity theft, family safety, mobile & IoT security, and our regularly updated consumer threat notices.

Use strong, unique passwords

Given the dozens of accounts you need to protect—from your social media accounts to your financial accounts—coming up with strong passwords can take both time and effort. Rather than keeping them on scraps of paper or in a notebook (and absolutely not on an unprotected file on your computer), consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. With just a single password, you can access all the tools your password manager offers.

Beware of messages from unknown users

Phishing scams like these are an old standard. If you receive an email or text from an unknown person or party that asks you to download software, share personal information, or take some kind of action, don’t click on anything. This will steer you clear of any scams or malicious content.

However, more sophisticated phishing attacks can look like they’re actually coming from a legitimate organization. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. Also, you can hover over the link and get a link preview. If the URL looks suspicious, delete the message and move on.

Use a VPN and a comprehensive security solution

Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting – or scrambling – your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from accessing other devices (work or personal) connected to your Wi-Fi.

In addition, use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.

Check your credit

At a time where data breaches occur and our identity is at risk of being stolen, checking your credit is a habit to get into. Aside from checking your existing accounts for false charges, checking your credit can spot if a fraudulent account has been opened in your name.

It’s a relatively straightforward process. In the U.S., the Fair Credit Reporting Act (FCRA) requires credit reporting agencies to provide you with a free credit check at least once every 12 months. Get your free credit report here from the U.S. Federal Trade Commission (FTC). Other nations provide similar services, such as the free credit reports for UK customers.

Be aware of the latest threats

To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


8 Ways to Help Senior Adults Stay Safe Online These Days

By Toni Birdsong
senior looking at smartphone

8 Ways to Help Senior Adults Stay Safe Online These Days

Technology has come in handy for most of us during these days of pandemic distancing. But for the -at-risk, homebound senior population, technology has been a lifeline connecting them to family members, online services, and healthcare. Still, this unprecedented shift to virtual life has also come with potential risks that seniors and their families should keep in mind.

According to a Pew study, senior adults continue to become more digitally connected, but adoption rates continue to trail younger users, and digital divides remain. The study also revealed that 77% of older adults needed assistance when it came to learning how to use technology.

If you are a senior or someone helping a senior become more tech-savvy, online safety should be a priority. Here are just some of the risks seniors may encounter and some helpful ways to stay safe.

Secure home routers and devices. Be sure to change your router’s default username and password to something strong and unique. Also, change the default passwords of any connected device before connecting to your home network. IoT (Internet of Things) devices are all the technologies under your roof that can connect such as security systems, healthcare monitors, hearing aids, and smart TVs.  These technologies are embedded with sensors or software that can connect and exchange data with other household devices — and each must be secured to close privacy gaps. There are also routers with embedded security, to help secure the home from threats, no matter what devices is connected to the home network.

Use strong passwords. Strong passwords are essential for in-home devices, personal devices, social media sites, and any healthcare or banking portal. Creating a strong password is also a front-line defense against identity theft and fraud.  For seniors, keeping passwords in one place is important, but can be hard to remember them all.  comprehensive security software  includes password management functionality, which makes it easer, to create and safely archive your passwords. -.

Avoid scams. There are a number of scams that target seniors. Phishing scams are emails that look legitimate that end up taking millions from seniors every year. For this reason, never click on suspicious links from government agencies, banks, hospitals, brokerages, charities, or bill collectors unless you are certain they are legitimate. Scammers use these malicious links to con people out of giving away cash or personal data that can be used to create a number of fraudulent accounts. Consider protecting all personal devices with a comprehensive security solution.

Use a personal VPN. A Virtual Private Network (VPN) encrypts (or scrambles) your data when you connect to the Internet and enables you to browse or bank with your credentials and history protected. To learn about VPNs, watch this video.

Beware of dating scams. People aren’t always who they appear to be online. And while dating scams can happen to any age group, they can be especially harmful to a vulnerable senior who may be lonely and living on a limited income. Love scam red flags: Beware of people who claim to be from the U.S. but often travel or work overseas. Also, avoid people who profess their love too quickly, share personal struggles too soon, and never meet face-to-face.

Take a closer look. Fraudulent websites look very real these days. A secure website will have an “https” in the browser’s address bar. The “s” stands for “secure.” If the web address or URL is just http, it’s not a secure site. Still unsure? Read reviews of the site from other users before making a purchase. Never send cash, cashier’s check, or a personal check to any online vendor. If purchasing, always use a credit card in case there is a dispute.

Never share personal data. Be wary of emails or websites that require you to give personal information, such as your social security number, phone number, account, or family information.  This includes those fun social media quizzes, which are also ways that cybercriminals can find out your personal details, such as a pets name, year you were born, your home town. All those pieces of personal data can be used to commit identity theft.

Monitor financial accounts. Nowadays, it’s essential to review all financial statements for fraudulent activity. If suspicious activity is found, report it to your bank or credit card account immediately. It’s also a good idea to put a credit alert on your accounts to detect potential fraud.

This unique time has issued unique challenges to every age group. However, if you know a senior, keep their potential technology needs in mind. Check in from time to time and offer your help. If you are a tech-savvy senior (and I know many), consider reaching out to peers who may be struggling and afraid to ask. In addition, YouTube has a number of easy-to-understand videos on any tech question. In addition, both Apple and Microsoft stores offer free advice on their products and may also help. Just be sure to visit their official websites to reach legitimate tech support channels.

Stay Connected & Protected: Weaving Security Into Our Social Media Habits

By Baker Nanduru
Social Media Habits

Stay Connected & Protected: Weaving Security Into Our Social Media Habits

Today, there are so many different avenues where we receive information.

Personally, I prefer finding out what’s going on in the world by scanning my favorite news channels’ websites and by receiving personalized feeds and notifications to my phone. My wife, however, scans social media platforms – from Facebook to Twitter to Instagram – to discover the latest happenings. My teenage daughter spends 2+ hrs a day on social media platforms engaging with her friends.

While were initially meant to help us stay connected, they come with their own handful of security implications. Let’s explore what these threats are and how to stay protected.

Sketchy Links Get Social

Users rely on social media to feel connected. So while the world was social distancing, social media grew more popular than ever before – as of March 2020, people are on social media 44% more worldwide. However, with these platforms being so popular, they’ve become a hotspot for cybercriminal schemes.

There’s a variety of potential threats on social platforms, including misinformation, account takeovers, and phishing scams. The latter threat is all too common, as these platforms have become a popular avenue for cybercriminals to spread troublesome links and websites.

To lure unsuspecting users into clicking on these links, hackers often tap into what consumers care about. These topics have ranged from fake tech support scams to getting verified on Instagram.

Scan Social Safely with McAfee® WebAdvisor

At McAfee, we want users to enjoy a safe online social life. That’s why we created a new McAfee® WebAdvisor feature that scans for dangerous links across six major social media sites – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn – so users can scroll their feeds with confidence. To do this, McAfee WebAdvisor now color codes links across these social platforms, as it has always done for online searches, to show which ones are safe to visit.

It’s important to take advantage of new technologies that help us adapt and grow into security superstars. My family and I are excited to see this new feature roll out across our existing McAfee® Total Protection subscription. That way we can keep up with the latest news and trends, as well as stay connected with family and friends without worrying about any potential threats. I can sleep much better at night knowing that my whole family will be both connected and protected.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Career change? Cybersecurity companies are hiring.

By Judith Bitterli
apps that track

Career change? Cybersecurity companies are hiring.

If you’re thinking career change or career shift, there’s a field that has an estimated 4 million jobs open. Cybersecurity.

According to survey and research data from the International Cybersecurity Organization (ICS)2, there’s a cybersecurity workforce gap—a terrifically high volume of jobs left unfilled. Published in 2019, the gap they identified looked like this:

  • Nearly 500,000 jobs unfilled in the U.S.
  • Globally, a gap of 4 million jobs was reported.
  • 65% of the respondents say they’re short on cybersecurity staff.

Needless to say, there’s opportunity in the field for both technical and non-technical roles.

Here’s an important thing to keep in mind about cybersecurity:, it’s not solely about understanding technology. It’s about understanding people too and how people and technology interact.

The moment you see cybersecurity through that broader lens, you can see how the field opens widely to encompass a range of roles. Of course, there are analysts and engineers, yet it also includes other roles like digital forensics and cyber investigation, healthcare information security, cryptography, and even cyber law. Additionally, there’s needed expertise in the realms of privacy, governance, ethics, and even digital ethics. And if you take a role with a security company such as ours, the opportunity further extends to positions in account management, marketing, and operations. (In fact, you can drop by our careers page for a look at our current openings and what workday life is like around here.)

Why now’s a great time to consider a cybersecurity career

There are plenty of reasons. Above that data published in 2019, our unprecedented reliance on the internet to work, learn, and stay connected in 2020, demand for cybersecurity jobs is yet more so on the rise. As so many of us turned increasingly to the internet to get through our day, the same is true for hackers and crooks.

With that, let’s take a quick look at several of the factors working in your favor as you consider a change.

There’s demand for cybersecurity jobs.

We’ve all seen the news stories of major breaches at big retailers, credit reporting agencies, hotels, and even healthcare providers. It’s not just the private sector that’s been grappling with cybersecurity concerns, there’s need in the public sector as well—like municipalities. In all, every organization needs cybersecurity (just as we all need cybersecurity for our homes), and thus there’s plenty of opportunity out there. Using just one of the many possible cybersecurity roles as an example, the U.S. Bureau of Labor Statistics predicts a 32% increase in demand for information security analysts through 2028—which is far higher than the average of other professions.

You don’t need a specific degree in cybersecurity to get a job.

In fact, the same (ICS)2 survey discovered that only 42% of current cybersecurity pros said that their first job after higher education was in the field of cybersecurity. In other words, the majority of cybersecurity pros ended up that way by some means of career shift or change. And they got there through certifications and training rather than by way of a degree from a college or university.

Transferrable skills absolutely apply.

Our own Chief Human Resources Officer, Chatelle Lynch, put it quite well in an interview with Business Insider just a few weeks ago: “It’s no secret that the demand for cybersecurity staff has steadily grown over the past decade,” she says. “This means opportunity, so if you don’t have a degree, don’t let that slow you down. You may have unique work experience or relevant certifications, alternative learning, or transferable skills that you need to make sure you highlight when applying and interviewing.”

For example, she goes on to say that prior military service, IT experience, and volunteer or hobbyist activities (even online gaming) are a good foundation for cybersecurity roles.

Cybersecurity employers seek candidates with non-technical soft skills.

These skills absolutely apply, and they’re sought after skills as well. The ability to work independently, lead projects, write and document well, and particularly strong people skills are vital for a role where you’ll be interfacing with numerous individuals, departments, and business units. Likewise, as called out above, certain roles focus more on the non-technical side of security solutions.

Getting trained in cybersecurity

The beauty of making a career change to cybersecurity is that there are plenty of ways you can get it done at home and on your time.

If you’re just getting started, you can test the waters for free or at relatively low cost with a Massively Open Online Course (MOOC) that gives you the basics on cybersecurity. Future Learn’s “Introduction to Cybersecurity”  from The Open University is one example of an intro program, as is the University of Michigan’s “Securing Digital Democracy” class that’s offered through Coursera.

If you’re already an IT pro or have a strong technical background, there are similar MOOC courses available that cater to your current level of knowledge and skill. The University of Maryland’s “Cybersecurity Specialization” and “Usable Security” are geared accordingly.

For a list of cybersecurity programs available online, drop by Their listing is one of many good places to start.

Other free and low-cost avenues out there include subscribing to some security bloggers, grabbing some hands-on work with coding and IT networking fundamentals from online learning companies like Udemy, Codecademy, and Khan Academy, or joining some online cybersecurity groups for a little professional networking. In all, there’s plenty of opportunity to learn from others, both in structured class settings and in more unstructured peer and mentorship relationships.

Prepare for that online interview

When you’re ready to start your job search, there’s a good chance that your interview will be conducted online. Online interviews have been part of the job-hunting landscape for a few years now, yet with many employers enacting work from home measures, it’s the way hiring gets done right now. I expect this to continue, as employers have embraced its many benefits, particularly in the early stages of interviews. If the prospect of an online interview is new to you, I put together a pair of articles this spring that can help.

Your cybersecurity career

As you make the jump, here’s the most important thing you’ll need: a love of technology and a desire to protect the people who use it. If you can combine a drive to understand both technology and people better with the further drive to see it all through, you’ll be well on your way. Like any career shift or change, there’s work ahead, yet it’s my impression that our field is a welcoming and supportive one—and very much on a keen lookout for new talent.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

ST22: Attivo Networks with Greg Vinson & Tushar Kothari

By McAfee

McAfee’s Global Business Development Manager, Greg Vinson and CEO of Attivo Networks, Tushar Kothari discuss the solutions to Threat Deception.

U.S. Election 2020 – Don’t Let COVID-19 Misinformation Suppress Your Vote

By Judith Bitterli
Elections 2020

U.S. Election 2020 – Don’t Let COVID-19 Misinformation Suppress Your Vote  

In the early days of the COVID-19 pandemic, another pandemic of sorts took root—this one an “infodemic.” Whether designed to mislead, instill fear, capitalize on crank remedies, or push phony cures that caused harm or worse, millions of outright false stories about COVID-19 proliferated across the internet. And continue to do so.

Now, with our upcoming election in the U.S., there’s concern that this infodemic of misinformation about COVID-19 will keep people away from the polls or from working at them. Particularly elders.

With this blog, my aim is to point you toward trustworthy resources online that can help you get your vote cast and counted safely.

COVID-19 misinformation is on the rise

First, a word about COVID-19 misinformation in general.

Since the initial outbreak, we’ve monitored online threats and scams related to COVID-19. As shown in our July 2020 Threat Report, the first three months saw the number of malicious and scam websites related to COVID-19 jump from 1,600 to more than 39,000, along with a wave of spam emails and posts that peddled bogus sites for protective gear, masks, and cures. Now, in mid-September, our threat detection team has uncovered three million online threats related to COVID-19 and counting. (See the daily tally here for the latest figures.)

Elsewhere, global and national public health officials have worked diligently to counter these waves of misinformation, such as the World Health Organization’s COVID-19 “mythbuster” site, in addition to further mythbusting from major news outlets around the world and yet more mythbusting from respected science publications. However, instances of misinformation, both big and small, persist and can lead to negative health consequences for those who buy into such misinformation.

Resources for voting safely 

Whether you’ll vote in person or by mail, these links provide a mix of trustworthy information about voting and the latest verified information about the virus:

  • COVID-19 Page: This is a one-stop site that provides voting resources and information on a state-by-state basis. Here you’ll find the official voter information for your state, links to your state’s election website, and the means to request an absentee or mail-in ballot (as allowed) by your state.
  • The U.S. Center for Disease Control and Prevention’s COVID-19 Site: The focus of this site is how to protect yourself and others and includes the latest information on how COVID-19 spreads, how to select and use a mask, how to practice effective social distancing, and more. The site also covers activities and going out, which are applicable to voters heading to the polls.
  • The World Health Organization COVID-19 Site: This site offers further advice and resources for preventing the spread of COVID-19, along with staying well both physically and mentally.
  • Verified by the United Nations: Verified is a daily or weekly briefing that you can sign up for through the U.N., which contains “content you can trust: life-saving information, fact-based advice, and stories from the best of humanity.”

Be aware that our collective understanding of COVID-19 continues to evolve. The pandemic isn’t even a year old at this time, and new research continues to reveal more about its nature. Be sure to check with these resources along with your local public health resources for the latest on the virus and how to stay safe.

How to Vote by Mail in All 50 States

If you’re considering voting by mail, the following is for you. Published by U.S. News and World Report, this article breaks down how you can vote by mail in your state. While all 50 states allow for mail-in voting in some form or fashion, specifics vary, and some states make it easier to do than others. (For example, a handful of states like Texas, Indiana, and Louisiana currently do not allow COVID-19 concerns as a valid reason for requesting a mail-in ballot.)

Note that this article was published at the end of August, so be sure to follow the links for your state as published in the article for the absolute latest information. Yet don’t wait to look into your absentee or mail-in options. As noted above, each state has its terms and deadlines, so it’s best to review your options now.

Meanwhile, five states— Colorado, Hawaii, Oregon, Washington state, and Utah already conduct their elections entirely by mail. Such practices have proven to be successful alternatives to voting in person, they have slightly increased voter turnout while minimizing the risks of voter fraud.

Follow trusted resources and vote safely this year

Get your vote out safely. Whether it’s by visiting the polls following the safety guidelines or by way of mail as also allowed by your state, it can be done—particularly when you have trusted information sources at hand.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Special Delivery: Don’t Fall for the USPS SMiShing Scam

By Pravat Lall

Special Delivery: Don’t Fall for the USPS SMiShing Scam

According to Statista, 3.5 billion people worldwide are forecasted to own a smartphone by the end of 2020. These connected devices allow us to have a wealth of apps and information constantly at our fingertips – empowering us to remain in constant contact with loved ones, make quick purchases, track our fitness progress, you name it. Hackers are all too familiar with our reliance on our smartphones – and are eager to exploit them with stealthy tricks as a result.

One recent example of these tricks? Suspicious text messages claiming to be from USPS. According to Gizmodo, a recent SMS phishing scam is using the USPS name and fraudulent tracking codes to trick users into clicking on malicious links.

Let’s dive into the details of this scheme, what it means for users, and what you can do to protect yourself from SMS phishing.

Special Delivery: Suspicious Text Messages

To orchestrate this phishing scheme, hackers send out text messages from random numbers claiming that a user’s delivery from USPS, FedEx, or another delivery service is experiencing a transit issue that requires urgent attention. If the user clicks on the link in the text, the link will direct them to a form fill page asking them to fill in their personal and financial information to “verify their purchase delivery.” If the form is completed, the hacker could exploit that information for financial gain.

However, scammers also use this phishing scheme to infect users’ devices with malware. For example, some users received links claiming to provide access to a supposed USPS shipment. Instead, they were led to a domain that did nothing but infect their browser or phone with malware. Regardless of what route the hacker takes, these scams leave the user in a situation that compromises their smartphone and personal data.

USPS Phishing Scam

Don’t Fall for Delivery Scams

While delivery alerts are a convenient way to track packages, it’s important to familiarize yourself with the signs of phishing scams – especially as we approach the holiday shopping season. Doing so will help you safeguard your online security without sacrificing the convenience of your smartphone. To do just that, follow these actionable steps to help secure your devices and data from SMiShing schemes:

Go directly to the source

Be skeptical of text messages claiming to be from companies with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check on your delivery status or contact customer service.

Enable the feature on your mobile device that blocks certain texts

Many spammers send texts from an internet service in an attempt to hide their identities. Combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device by navigating to Settings, clicking on Spam protection, and turning on the Enable spam protection switch. Learn more about how you can block robotexts and spam messages on your device.

Use mobile security software

Prepare your mobile devices for any threat coming their way. To do just that, cover these devices with an extra layer of protection via a mobile security solution, such as McAfee Mobile Security.

Stay updated

Stay updated

To stay updated on all things McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and 'Like' us on Facebook.

Evolving Security Products for the new Realities of Living Life From Home

By McAfee
Strong Passwords

Announcing McAfee’s Enhanced Consumer Security for New Consumer Realities

With millions of people continuing to work and study remotely, scammers have followed them home—generating an average of 375 new threats per minute so far this year. In response, our enhanced consumer portfolio directly addresses the new needs and new threats people face.

McAfee Labs found that these new threats via malicious apps, phishing campaigns malware, and more, according to its McAfee COVID-19 Threat Report: July 2020, which amounted to an estimated $130 million in total losses in the U.S. alone.

To help people stay safer and combat these threats, today we announced our latest consumer security portfolio. Our enriched products come with better user experiences such as a native Virtual Private Network (VPN), along with new features, including integrated Social Media and Tech Scam Protection—all of which are pressing security essentials today.

Specifically, our product lineup has been updated to include:

Boosts to security and privacy

Scams involving tech support and product activation have continued to sneak into people’s inboxes and search results, which require a critical eye to spot. Here are some tips on how to identify these scams. We’re making it easier for people to stay safer with new features such as:

  • Tech Scam Protection: McAfee® WebAdvisor now provides a warning when visiting websites that can be used by cybercriminals to gain remote access to your PC, helping combat the  $55 million total fraud loss in the U.S. due to tech scams.
  • Advanced Malware Detection: McAfee enhanced its machine learning capabilities to improve overall time to detect emerging threats across devices as well as added protection against file-less threats.

Improvements make it easier for you to stay safer

With jobs and things that simply need to get done “right now,” security can be an afterthought. Sometimes that desire for convenience has consequences, leading to situations where people’s devices, data, and personal information get compromised. In response, we’re doing our part to make security more intuitive so that people can get things done quickly and safely:

  • A Better User Experience: An improved PC and app experience with easier navigation and readable alerts, and clear calls to action for faster understanding of potential issues.
  • Native VPN: Easier access to VPN and anti-malware device protection via one central place and log-in.
  • Updated Password Protection: Access iOS applications even faster with automatically filled in user account information and passwords in both apps and browsers on iOS devices.

Further security enhancements for today’s needs and tomorrow’s threats

With people’s newfound reliance on the internet, we’ve made new advances that help them live their increasingly connected lives—looking after security and privacy even more comprehensively than before on security and the apps they use:

  • Optimized Product Alerts: Redesigned product alerts, so consumers are better informed about possible security risks, with a single-click call to action for immediate protection.
  • Social Media Protection: To help prevent users from accidentally visiting malicious websites, McAfee now annotates social media feeds across six major platforms – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn.
  • Enhanced App Privacy Check: Consumers can now easily see when mobile apps request personal information, with app privacy now integrated into the main scan of Android devices.

McAfee is on a journey to ensure security allows users to be as carefree as possible online, now that more time is spent on devices as consumers navigate a new normal of life from home. For more information on our consumer product lineup, visit

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


Phishing Email Examples: How to Recognize a Phishing Email

By McAfee
email phishing scams

Phishing Email Examples: How to Recognize a Phishing Email

You get an email from claiming that they have found suspicious activity on your credit card statement and are requesting that you verify your financial information. What do you do? While you may be tempted to click on a link to immediately resolve the issue, this is likely the work of a cybercriminal. Phishing is a scam that tricks you into voluntarily providing important personal information. Protect yourself from phishing by reviewing some examples of phishing emails and learning more about this common online scam.

What is phishing?

 Phishing is a cybercrime that aims to steal your sensitive information. Scammers disguise themselves as major corporations or other trustworthy entities to trick you into willingly providing information like website login credentials or, even worse, your credit card number.

What is a phishing email/text message?

A phishing email or text (also known as SMiShing) is a fraudulent message made to look legitimate, and typically asks you to provide sensitive personal information in various ways. If you don’t look carefully at the emails or texts, however, you might not be able to tell the difference between a regular message and a phishing message. Scammers work hard to make phishing messages closely resemble emails and texts sent by trusted companies, which is why you need to be cautious when you open these messages and click the links they contain.

How do you spot a phishing message?

 Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. Check for the following signs of phishing every time you open an email or text:

It’s poorly written

 Even the biggest companies sometimes make minor errors in their communications. Phishing messages often contain grammatical errors, spelling mistakes, and other blatant errors that major corporations wouldn’t make. If you see multiple, glaring grammatical errors in an email or text that asks for your personal information, you might be a target of a phishing scam.

The logo doesn’t look right

To enhance their edibility, phishing scammers often steal the logos of who they’re impersonating. In many cases, however, they don’t steal corporate logos correctly. The logo in a phishing email or text might have the wrong aspect ratio or low-resolution. If you have to squint to make out the logo in a message, the chances are that it’s phishing.

The URL doesn’t match

Phishing always centers around links that you’re supposed to click. Here are a few ways to check whether a link someone sent you is legitimate:

  • Hover over the link in the email to display its URL. Oftentimes, phishing URLs contain misspellings, which is a common sign of phishing. Hovering over the link will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.
  • Right-click the link, copy it, and paste the URL into a word processor. This will allow you to examine the link thoroughly for grammatical or spelling errors without being directed to the potentially malicious webpage.
  • Check the URL of a link on mobile devices by pressing and holding it with your finger.


If the URL you discover doesn’t match up with the entity that supposedly sent you the message, you probably received a phishing email.

Types of phishing emails and texts

Phishing messages come in all shapes and sizes, but there are a few types of phishing emails and texts that are more common than others. Let’s review some examples of the most frequently sent phishing scams:

Account suspended scam

Some phishing emails appear to notify you that your bank temporarily suspended your account due to unusual activity. If you receive an account suspension email from a bank that you haven’t opened an account with, delete it immediately, and don’t look back. Suspended account phishing emails from banks you do business with, however, are harder to spot. Use the methods we listed above to check the email’s integrity, and if all else fails, contact your bank directly instead of opening any links within the email you received.

Two-factor authentication scam

Two-factor authentication (2FA) has become common, so you’re probably used to receiving emails that ask you to confirm your login information with six-digit numerical codes. Phishing scammers also know how standard 2FA has become, and they could take advantage of this service that’s supposed to protect your identity. If you receive an email asking you to log in to an account to confirm your identity, use the criteria we listed above to verify the message’s authenticity. Be especially wary if someone asks you to provide 2FA for an account you haven’t accessed for a while.

Tax refund scam

We all know how important tax season is. That’s what phishing scammers are counting on when they send you phony IRS refund emails. Be careful when an email informs you that you’ve received a windfall of cash and be especially dubious of emails that the IRS supposedly sent since this government agency only contacts taxpayers via snail mail. Tax refund phishing scams can do serious harm since they usually ask for your social security number as well as your bank account information.

Order confirmation scam

Sometimes, cybercriminals will try to tick you by sending emails with fake order confirmations. These messages often contain “receipts” attached to the email or links claiming to contain more information on your order. However, criminals often use these attachments and links to spread malware to the victim’s device.

Phishing at work

You need to be wary of phishing when you’re using your work email as well. One popular phishing scam involves emails designed to look like someone in the C-suite of your company sent them. They ask workers to wire funds to supposed clients, but this cash actually goes to scammers. Use the tips we listed above to spot these phony emails.

When phishing flies under the radar

Often, hackers look for ways to update old schemes so that they go undetected by users already aware of certain cyberthreats. Such is the case with the latest phishing evasion technique, which detects virtual machines to fly under the radar. Cybersecurity firms often use headless devices or virtual machines (a computer file that behaves like an actual computer) to determine if a website is actually a phishing page. But now, some phishing kits contain JavaScript — a programming language that allows you to implement complex features on web pages — that checks whether a virtual machine is analyzing the page. If it detects any analysis attempts, the phishing kit will show a blank page instead of the phishing page, allowing the scam to evade detection. To help ensure that you don’t fall for the latest phishing scams, stay updated on the most recent phishing techniques so you can stay one step ahead of cybercriminals.

What happens if you click a link in a phishing email?

Never click links in suspicious emails. If you click a link you suspect a phishing scammer sent, the link will take you to a web page with a form where you can enter sensitive data such as your Social Security number, credit card information, or login credentials. Do not enter any data on this page.

What do you do if you suspect you’ve been phished?

If you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it’s important to change all the passwords you use online in the wake of a suspected phishing attack.

How to recognize a phishing email: simple tips

Let’s wrap things up with some summarized tips on how to avoid phishing emails:

  • When in doubt, directly contact the organization that supposedly emailed you instead of opening links included in suspicious emails.
  • Examine suspicious emails carefully to check for telltale signs of phishing, such as poor grammar, grainy logos, or bogus links.
  • If you accidentally click a phishing link, don’t enter any data, and close the page.
  • If you think phishing scammers are targeting you, run a virus scan, backup your files, and change all your passwords.

 Stay protected

 Phishing emails only work on the unaware. Now that you know how to spot phishing emails and what to do if you suspect scammers are targeting you, you’re far less likely to fall for these schemes. Remember to be careful with your personal information when you use the internet and err on the side of caution whenever anybody asks you to divulge sensitive details about your identity, finances, or login information.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, subscribe to our email, listen to our podcast Hackable?, and 'Like' us on Facebook.


Can You Decode Your Teen’s Texting Language?

By Toni Birdsong
texting slang

It’s hard to believe, right, parents? In just a blink or two, you went from being the teenager dropping cool phrases like “rad” and “gnarly” to monitoring a teenager texting words like “lowkey,” “IRL” and “CD9” into her smartphone non-stop.*

For generations, teens have been crafting terms to differentiate themselves from other age groups. The difference today is that smartphone texting has multiplied the scope of that code to include words, emojis, numbers, and hashtags.

The times have changed, fo’ sho.’

Digital Deciphering

You don’t have to speak your child’s language (please don’t). However, with new terms and risks emerging online each day, it’s a good idea to at least understand what they are saying.

Since kids have been spending more time online due to the pandemic, we thought we might discover a few new and interesting terms. We were right. We found stories of teens referring to the Coronavirus as “Miss Rona” and “Rona,” and abbreviating quarantine to “Quar.” A “Corona Bae” is the person you would only plan to date during a lockdown.

Much of the coded language kids use is meant to be funny, sarcastic, or a quick abbreviation. However, there are times when a text exchange can slip into risky territory. Seemingly harmless, text exchanges can spark consequences such as bullying, sextortion, privacy violations, and emotional or physical harm.

Stay Connected

To help kids avoid dangerous digital situations, we recommend three things: 1) Talk early and often with your kids about digital risk and behavior expectations, 2) Explore and use parental monitoring software, and 3) Know your child’s friends and communities online and in real life.

Note: Context is everything. Many of these terms are used in jest or as casual banter. Be sure to understand the context in which a word is used.

A Few Terms You May See **

Flex. This term means showing off. For example, “Look at her trying to flex with her new car.”

Crashy. Description of a person who is thought to be both crazy and trashy.

Clap back. A comeback filled with attitude.

Cringey. Another word for embarrassing.

Hop off. Mind your own business.

Spill tea or Kiki. Dishing gossip.

Sip tea. Listening to gossip.

Salty. Mad, angry, jealous, bitter, upset, or irritated.

“She gave me a salty look in class.”

Extra. Over the top or unnecessarily dramatic.

Left on read. Not replying to someone’s message.

Ghosting. Ending a friendship or relationship online with no explanation.

Neglext. Abandon someone in the middle of a text conversation.

Ok, Boomer. Dismissing someone who is not up to date enough.

(Throw) shade. Insult or trash talk discreetly.

Receipts. Getting digital proof, usually in the form of screenshots.

THOT. Acronym for That H__ Over There.

Thirsty. A term describing a person as desperate or needy. “Look at her staring at him — she’s so thirsty.”

Thirst trap. A sexy photograph or message posted on social media.

Dis. Short for showing blatant disrespect.

Preeing. A word that describes stalking or being stalked on Facebook.

Basic. Referring to a person as mainstream, nothing special. Usually used in a negative connotation.

Chasing Clout. A negative term describing someone trying too hard to get followers on social media.

9, CD9, or Code9, PAW, POS. Parents are around, over the shoulder.

99. All clear, the parents are gone. Safe to resume texting or planning.

KPC. Keeping parents clueless.

Cheddar, Cheese, or Bread. These are all terms that mean money.

Cap. Means to lie as in “she’s capping.” Sending the baseball cap emoji expresses the same feeling. No capping means “I’m not lying.”

Hundo P. Term that is short for “hundred percent;” absolutely, for sure.

Woke. Aware of and outspoken on current on political and social issues.

And I oop. Lighthearted term to describe a silly mistake.

Big oof. A slightly bigger mistake.

Yeet. An expression of excitement. For example, “He kissed me. Yeeeet!”

Retweet. Instead of saying, “yes, I agree,” you say, “retweet.”

Canceled. Absurd or foolish behavior is “canceled.” For example, “He was too negative on our date, so I canceled him.”

Slap or Snatched. Terms that mean fashionable or on point. For instance, “Those shoes are slap” or “You look snatched.”

And just for fun, here's a laugh out loud video from comedian Seth Meyer's on teen Coronavirus slang you'll enjoy on YouTube.

* lowkey (a feeling you want to keep secret), IRL (In Real Life), CD9 also Code9 (Adult Alert used to hide secretive activity). ** Terms collected from various sources, including,,, and from tweets and posts from teens online.

Telehealth, Distance Learning, & Online Banking: Securing Digital Frontiers

By Baker Nanduru

2020 has propelled us into a new digital reality – one where we are reliant on technology to help us maintain our way of life. This forced all age groups, from 8-80, to learn how to conduct their day-to-day online. I personally had my mother asking a million questions about how to video conference!

But while we’re all looking to remain connectedwe need to also focus on staying protected. For those of us a little more tech-savvy, that means helping our family and friends learn how this new digital reality impacts online security.  

Let’s examine what that entails.

Keeping Personal Health Private

Digital healthcare’s rise was predicted back in January when Bain & Company reported that 40% of U.S. physicians expect to start using telemedicine over the next two years. Then came COVID-19, which drove healthcare providers to turn toward digital options to deliver socially distanced patient care. Many PCPs moved almost entirely to telehealth, with half of those surveyed using telemedicine in over 75% of their patient care.

While telehealth significantly increases patient care availability, there are also intrinsic privacy and security risks that go along with it. For example, telehealth requires that patients submit their health information through online platforms – some of which lack the proper data safeguards and don’t meet HIPAA requirements. Like all data transferred over the internet, private health information used for telemedicine could be intercepted by hackers if users don’t take proper security precautions. This means ensuring you and your loved one employ best practices – locking your platform account with a strong password, ensuring you only give your personal information to your doctor or verified resource, etc. These simple steps from McAfee experts are more important than ever before, as the healthcare industry is a preferred target for criminals.

Supporting Students Distance Learning

School may be back in session, but it looks pretty different than previous years. For parents, this means navigating the unknown terrain that is a virtual classroom – and how the new environment affects your family’s online security 

Distance learning has led to a substantial spike in online video conferencing  tools to conduct virtual lectures – which is only compounded by the fact that kids are already constantly on devices to play and socializeHowever, some of the tools  they use have proven to lack necessary security measures, which could jeopardize your students’ academic success and online security. Beyond video platform concernsthe combination of increased personal device usage on not-as-secure home networks poses a threat of its own 

Parents must ensure their students succeed – at both school and security. While they’re helping kids adjust to distance learning, parents can help keep them safe online by conducting router firmware updates, changing any default passwords on home networks, and leveraging a VPN. Additionally, parents must teach kids good security hygiene, such as always updating an app or device when an update is available. With parents juggling so much right now, they can also look for some extra support in the form of a comprehensive security solution that covers all their family’s devices with an extra layer of protection. 

Bank Online Without Prying Eyes

Many consumers have adopted digital financial services to make contactless payments or participate in online banking – some for convenienceothers to help minimize contact in light of recent events. However, as this tech grows, so does the need for up-to-date security.  

As users incorporate digital financial services into their everyday lives, they may fall victim to the risks commonly associated with making online payments. My mother, for example, is new to mobile banking and doesn’t know to look out for targeted phishing attacks from hackers who are trying to trick her out of money. Even the most tech-savvy online banking users can fall victim to more sophisticated phishing schemes out there. 

To ensure cybercriminals don’t trick my mom into sharing sensitive information by impersonating her bank, we’ve discussed some ways she can identify an attack. Now, she knows to always hover over suspicious links, avoid interacting with messages from unknown senders, and to go directly to her bank’s official website.  

Securing Our New Digital Frontiers

We can use technology to adapt and grow during this time, just as long as we all employ security best practices. So, whether it be telehealth, distance learning, or digital finances, your family should always keep the aforementioned tips top of mind 

And remember – you’re not in this alone. You’ve got the support you need during this new digital reality in the form of a comprehensive security solution, McAfee® Total Protection. With this solution, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats. It includes comprehensive internet security, multi-faceted privacy protection, and our secure VPN to ensure your family is prepared for any potential threat. 

With robust, comprehensive security in place, your family’s devices will be consistently protected from the latest threats that came from our digital reality. With all these devices safe, everyone’s online life is free from worry.    

How Piyush’s remarkable efforts ignited a larger impact of giving back

By Life at McAfee

At McAfee, we support team members who are passionate about giving back. You are encouraged and empowered to make a substantial impact in improving our community and volunteering to help others. 

Piyusha Software architect in our Bangalore office, is a team member particularly passionate about his community and has dedicated countless hours volunteering at the Sheila Kothavala Institute for the Deaf (SKID).  

Two years ago, his impact was multiplied when he shared his volunteer story during McAfee’s Social Initiative Contest (SIC)a program that contributes resources to the causes important to select employees who volunteer for non-governmental organizations (NGO). 

Moved by Piyush’s story, the judges funded his program for two years in a row! Funding enhanced infrastructure of a special school for hearing impaired kids and provided a tactile library that helps visually impaired students see the world through touch. 

We asked Piyusfour questions to learn more. 

How did you get involved? 

I’m a son of educators. My father was a principal and my mother was a university senior lecturer. The importance of educational success runs deep for me. Seven years ago, I found my own educational calling when I was introduced to theSheila Kothavala Institute for the Deaf  (SKID), an organization that supports the education of differently-abled students and equips them to successfully graduate high school. 

How often do you volunteer? 

What started as weekend volunteer endeavor soon grew into an every-morning commitment. Before going into work at McAfee, dedicate an hour each morning teaching math and volunteering with students at SKID.  

What has helped you the most in your volunteer journey? 

Figuring out how to communicate with hearingimpaired kids was a challenge for me. However, the immense support I received from the kids helped to relieve a lot of the pressure. I started to learn sign language along with them and became more effective at teaching. Spending time every day with these kids has motivated me in unexpected ways. Not only do I want to do as much as I can for them, but I also find myself more engaged at work. I’m thankful McAfee supports our passions in and out of the office.

Describe how your involvement evolved with SKID. What do you hope to accomplish in the future? 

First, want to thank McAfee for their encouragement as I can take my volunteer activities to greater heights and accomplish even more through their supportWith the funds McAfee awarded, I was able to establish a complete science lab and build an interactive curriculum that complements day-to-day learning, procure games catered towards kids with special needs, and build a tactile library for visually impaired students. 

After volunteering seven years with hearing-impaired students, this year, I’ve taken it upon myself to work more with the visually impaired. The joy on the faces of these kids continues to motivate me to do even more! 

Piyush is a stunning example of how one person’s selfless contributions have the power to inspire others and spark change on a large scale. He continues to inspire, not just through his unrelenting dedication to helping others, but through his words by encouraging others to take simple steps in giving back.

The post How Piyush’s remarkable efforts ignited a larger impact of giving back appeared first on McAfee Blogs.

Together, We Block and Tackle to Give You Peace of Mind

By Baker Nanduru

As a leader in cybersecurity, we at McAfee understand that every aspect of your digital life has potential weak spots that could make you vulnerable to threats and attacks. By incorporating security into everything you do online, you’re better protected from potential threats. To mount your offense, we’ve enlisted a team of partners that puts your security needs first, seamlessly blending our security with their services so you can live a confident life online. We bring our McAfee security teams together with industry players like PC & smartphone manufacturers, software & operating system developers, and more to make sure we can keep scoring security wins for you.

PC Partners Sweat the Security So You Don’t Have To

When was the last time you worried about security while you were shopping for a new PC? You were probably checking out the specs, price, and making sure it had all the capabilities you needed for working remotely, distance learning, and maybe a little gaming. And that’s all in addition to the day-to-day productivity, banking, and browsing you do. Like a strong defensive line, HP, Dell, Lenovo, and ASUS work closely with us to make sure that your personal data and devices are secure, especially as you spend more time online than ever before. That’s why so many new PCs are preloaded with a free McAfee® LiveSafe trial to provide integrated protection from malware, viruses, and spyware from day 1 with minimal impact on performance.

McAfee protection goes beyond just antivirus. We help you keep apps and Windows up to date and patched against vulnerabilities, block intruders with our firewall, and help you clean up cookies and temporary files to minimize the digital footprint on your PC.

We build our security directly into the devices consumers rely on for everything from remote yoga to distance learning, so that they know they’ll be safer online, regardless of what their new normal looks like.

Our Defense Is More Mobile Than Ever

Part of a good defense is understanding how the game has changed. We recognize that our customers are using multiple devices to connect online these days. In fact, their primary device may not even be a computer. That’s why we work with mobile providers to ensure customers like you have access to our comprehensive multidevice security options. Devices like mobile phones and tablets allow users to access social media, stream content, and even bank on their terms. For that reason, our mobile protection includes features like VPN, so that you can connect any time, any place safely and use your apps securely.

Retail Partners Make Plug and Play Even Easier

Our online and brick & mortar retail partners are also irreplaceable on the field. We understand that shopping for security can be complicated – even intimidating – when faced with a wall of choices. Whether you’re in-store or browsing online, we’ll work together to address your security needs so that your devices and personal data are protected with the solution that works best for you. Many of our retailers offer additional installation and upgrade support so you can have one less thing to worry about.

Software Partners Help Us Mount a Better Defense

Your web browser is more than a shortcut to the best chocolate chip cookie recipe; it connects you to endless content, information, and communication. Equally important is your operating system, the backbone that powers every app you install, every preference you save, and every vacation destination wallpaper that cycles through. We partner closely with web browsers, operating systems, and other software developers to ensure that our opponents can’t find holes in our defense. Everything that seamlessly works in the background stays that way, helping stop threats and intruders dead in their tracks. Whether it’s routine software updates or color-coded icons that help differentiate safe websites from phishing scams, we’re calling safety plays that keep our customers in the game.

Our Security Sets Teams Up for Success

At McAfee, we work tirelessly to do what we do best: blocking the threats you see, and even the ones you don’t. These days your “digital life” blurs the lines between security, identity, and privacy. So, we go into the dark web to hunt down leaked personal info stolen by identity thieves. We include Secure VPN in all our suites to give you privacy online. It’s these capabilities that strengthen both the offense and defense in our starting lineup of security suites like McAfee® Total Protection and McAfee® LiveSafe.

In short, your protection goes from a few reminders to scan your device to a team of experts helping you stay primed for the playoffs. It’s a roster that includes technology and humans solely devoted to staying ahead of the bad guys, from McAfee Advanced Threat Research (ATR) investigating and reporting like to artificial intelligence and machine learning that strengthens with every threat from every device. In fact, in just the first three months of this year, our labs detected over six threats per second!

Cybercriminals may be taking advantage of this current moment, but together, we can ensure our defense holds strong. After all, defense wins championships.

Vulnerability Discovery in Open Source Libraries: Analyzing CVE-2020-11863

By Chintan Shah

Open Source projects are the building blocks of any software development process. As we indicated in our previous blog, as more and more products use open source code, the increase in the overall attack surface is inevitable, especially when open source code is not audited before use. Hence it is recommended to thoroughly test it for potential vulnerabilities and collaborate with developers to fix them, eventually mitigating the attacks. We also indicated that we were researching graphics libraries in Windows and Linux, reporting multiple vulnerabilities in Windows GDI as well as Linux vector graphics library libEMF. We are still auditing many other Linux graphics libraries since these are legacy code and have not been strictly tested before.

In part 1 of this blog series, we described in detail the significance of open source research, by outlining the vulnerabilities we reported in the libEMF library. We also highlighted the importance of compiling the code with memory sanitizers and how it can help detect a variety of memory corruption bugs. In summary, the Address Sanitizer (ASAN) intercepts the memory allocation / deallocation functions like malloc () / free() and fills out the memory with the respective fill bytes (malloc_fill_byte / free_fill_byte). It also monitors the read and write to these memory locations, helping detect erroneous access during run time.

In this blog, we provide a more detailed analysis for one of the reported vulnerabilities, CVE-2020-11863, which was due to the use of uninitialized memory. This vulnerability is related to CVE-2020-11865, a global object vector out of bounds memory access in the GlobalObject::Find() function in libEMF. However, the crash call stack turned out to be different, which is why we decided to examine this further and produce this deep dive blog.

The information provided by the ASAN was sufficient to reproduce the vulnerability crash outside of the fuzzer. From the ASAN information, the vulnerability appeared to be a null pointer dereference, but this was not the actual root cause, as we will discuss below.

Looking at the call stack, it appears that the application crashed while dynamically casting the object, for which there could be multiple reasons. Out of those possible reasons that seem likely, either the application attempted to access the non-existent virtual table pointer, or the object address returned from the function was a wild address accessed when the application crashed. Getting more context about this crash, we came across an interesting register value while debugging. Below shows the crash point in the disassembly indicating the non-existent memory access.

If we look at the state of the registers at the crash point, it is particularly interesting to note that the register rdi has an unusual value of 0xbebebebebebebebe. We wanted to dig a little deeper to check out how this value got into the register, resulting in the wild memory access. Since we had the source of the library, we could check right away what this register meant in terms of accessing the objects in memory.

Referring to the Address Sanitizer documentation, it turns out that the ASAN writes 0xbe to the newly allocated memory by default, essentially meaning this 64-bit value was written but the memory was not initialized. The ASAN calls this as the malloc_fill_byte. It also does the same by filling the memory with the free_fill_byte when it is freed. This eventually helps identify memory access errors.

This nature of the ASAN can also be verified in the libsanitizer source here. Below is an excerpt from the source file.

Looking at the stack trace at the crash point as shown below, the crash occurred in the SelectObject() function. This part of the code is responsible for processing the EMR_SELECTOBJECT record structure of the Enhanced Meta File (EMF) file and the graphics object handle passed to the function is 0x80000018. We want to investigate the flow of the code to check if this is something which comes directly from the input EMF file and can be controlled by an attacker.

In the SelectObject() function, while processing the EMR_SELECTOBJECT record structure, the handle to the GDI object is passed to GlobalObjects.find() as shown in the above code snippet, which in turn accesses the global stock object vector by masking the higher order bit from the GDI object handle and converting it into the index, eventually returning the stock object reference from the object vector using the converted index number. Stock object enumeration specifies the indexes of predefined logical graphics objects that can be used in graphics operations documented in the MS documentation. For instance, if the object handle is 0x8000018, this will be ANDed with 0x7FFFFFFF, resulting in 0x18, which will be used as the index to the global stock object vector. This stock object reference is then dynamically cast into the graphics object, following which EMF::GRAPHICSOBJECT member function getType ( ) is called to determine the type of the graphics object and then, later in this function, it is again cast into an appropriate graphics object (BRUSH, PEN, FONT, PALETTE, EXTPEN), as shown in the below code snippet.

EMF::GRAPHICSOBJECT is the class derived from EMF::OBJECT and the inheritance diagram of the EMF::OBJECT class is as shown below.

However, as mentioned earlier, we were interested in knowing if the object handle, passed as an argument to the SelectObject function, can controlled by an attacker. To be able to get context on this, let us look at the format of the EMR_SELECTOBJECT record as shown below.

As we notice here, ihObject is the 4-byte unsigned integer specifying the index to the stock object enumeration. In this case the stock object references are maintained in the global objects vector. Here, the object handle of 0x80000018 implies that index 0x18 will be used to access the global stock object vector. If, during this time, the length of the object vector is less then 0x18 and the length check is not done prior to accessing the object vector, it will result in out of bounds memory access.

Below is the visual representation of processing the EMR_SELECTOBJECT metafile record.

While debugging this issue, we enable a break point at GlobalObjects.find () and continue until we have object handle 0x80000018; essentially, we reach the point where the above highlighted EMR_SELECTOBJECT record is being processed. As shown below, the object handle is converted into the index (0x18 = 24) to access the object vector of size (0x16 = 22), resulting into out of bounds access, which we reported as CVE-2020-11865.

Further stepping into the code, it enters the STL vector library stl_vector.h which implements the dynamic expansion of the std::vectors. Since the objects vector at this point of time has only 22 elements, the STL vector will expand the vector to the size indicated by the parameter highlighted, accessing the vector by passed index, and will return the value at that object reference, as shown in the below code snippet, which comes out to be 0xbebebebebebebebe as filled by the ASAN.


The code uses the std:allocator to manage the vector memory primarily used for memory allocation and deallocation. On further analysis, it turns out that the value returned, 0xbebebebebebebebe in this case, is the virtual pointer of the non-existent stock object, which is dereferenced during dynamic casting, resulting in a crash.

As mentioned in our earlier blog, the fixes to the library have been released in a subsequent version, available here.


While using third party code in products certainly saves time and increases development speed, it potentially comes with an increase in the volume of vulnerabilities, especially when the code remains unaudited and integrated into products without any testing. It is extremely critical to perform fuzz testing of the open source libraries used, which can help in discovering vulnerabilities earlier in the development cycle and provides an opportunity to fix them before the product is shipped, consequently mitigating attacks. However, as we emphasized in our previous blog, it is critical to strengthen the collaboration between vulnerability researchers and the open source community to continue responsible disclosures, allowing the maintainers of the code to address them in a timely fashion.

The First Smartphone for Free-Ranging Kids

By Judith Bitterli
Teaching Kids Internet Safety

The First Smartphone for Free-Ranging Kids

In an earlier article, we took a look at smartphone alternatives for free-ranging kids. Next up is the follow-on conversation … the time you give them their first, fully functional smartphone—and how to manage having it in your lives.

For children, learning to use a first smartphone is just like learning to ride a bike. And that’s just as true for you just as it is for them.
When a child learns to ride a bike, they take it in steps and stages. Maybe they start tooling around on little kick-bikes, a tricycle, scooter, or so on, just to get their feet under them so to speak. Next, it’s that first bike with training wheels, and then the big day that they come off (complete with a few scrapes and bruises too). They’re on two wheels, and a whole new world has opened up for them—one that you have to monitor and parent as you give them increasing freedom to roam—from the block, to the neighborhood, to your town—as they grow older and more responsible.

Your Child’s First Smartphone

Now, apply that same progression to the day your child finally gets their first smartphone. Plenty has led up to that moment: the times when they first tapped around your phone as a toddler, when as a preschooler they watched cartoons on a tablet, and maybe when they got a little older they had some other device, like a smartphone alternative designed just for kids.

Then comes along that first smartphone. And for parents it’s a game-changer, because it opens up yet another new world to them. The entire internet.

As you can see, your child doesn’t enter the world of smartphones entirely cold. They’ve already been on the internet and had the chance to experience selective slices of it under your supervision. But a smartphone—well, that’s another story entirely. A smartphone, out of the box, is a key to the broader internet. And just as you likely wouldn’t let your brand-new cyclist ride five miles to go and buy ice cream in town, there are plenty of places you wouldn’t let your new internet user go.

What follows here are a few words of advice that can ease your child into that new world, and ease you into it as well, so that you can all get the tremendous benefits of smartphone ownership with more confidence and care.

Start with the Basics: Smartphone Protection and Parental Controls

Whether you go with an Android device or iPhone, make sure you protect it. You can get mobile security for Android phones and mobile security for iPhones that’ll give you basic protection, like system scans, along with further protection that steers your child clear of suspicious websites and links. While I recommend protection for both types of phones, I strongly recommend it for Android phones given the differences in the way Apple and Android handle the code that runs their operating systems.

Apple is a “closed platform,” meaning that they do not release their source code to the public and partners. Meanwhile, Android is “open-source” code, which makes it easier for people to modify the code—hackers included. So while Apple phones have been historically less prone to attacks than Android phones, any device you own is inherently a potential target, simply because its connected to the internet. Protect it. (Also, for more on the differences between the security on Android phones and iPhones, check out this article from How-To Geek. It’s worth the quick read.)

Next up on your list is to establish a set of parental controls for the smartphone. You’ll absolutely want these as well. After all, you won’t be able to look over their shoulder while they’re using their phone like you could when they were little. Think of it as the next line of protection you can provide as a parent. A good set of parental controls will allow you to:

• Monitor their activity on their phone—what they’re doing and how much they’re doing it.
• Limit their screen time—allowing you to restrict access during school hours or select times at home.
• Block apps and filter websites—a must for keeping your children away from distractions or inappropriate content.

The great thing about parental controls is that they’re not set in stone. They give you the flexibility to parent as you need to parent, whether that’s putting the phone in a temporary time out to encourage time away from the screen or expanding access to more apps and sites as they get older and show you that they’re ready for the responsibility. Again, think about that first bike and the day you eventually allowed your child ride beyond the block. They’ll grow and become more independent on their phone too.

You need more than technology to keep kids safe on their smartphones.

Unlike those rotisserie ovens sold on late-night infomercials, a smartphone isn’t a “set it and forget it” proposition. Moreover, you won’t find the best monitoring, safety, and guidance software in an app store. That’s because it’s you.

As a parent, you already have a strong sense of what does and does not work for your household. Those rules, those expectations, need to make the jump from your household to your child’s smartphone and your child’s behavior on that smartphone. Obviously, there’s no software for that. Here’s the thing, though: they’ve established some of those behaviors already, simply by looking at you. Over the years, your child has seen your behavior with the phone. And let’s face it, none of us have been perfect here. We’ll sneak a peek at our phones while waiting for the food to show up to the table at a restaurant or cracked open our phones right as we’ve cracked open our eyes at the start of the day.

So, for starters, establishing the rules you want your child to follow may mean making some fresh rules for yourself and the entire household. For example, you may establish that the dinner table is a phone-free zone or set a time in the evening when phones are away before bedtime. (On a side note, research shows that even dim light from a smartphone can impact a person’s sleep patterns and their health overall, so you’ll want to consider that for your kids—and yourself!)

Whatever the rules you set in place end up being, make them as part of a conversation. Children of smartphone age will benefit from knowing not only what the rules are but why they’re important. Aside from wanting them to be safe and well, part of the goal here is to prepare them for the online world. Understanding “the why” is vital to that.

“The (Internet) Talk”

And that leads us to “The Internet Talk.”. In a recent McAfee blog on “What Security Means to Families,” we referred to the internet as a city, the biggest one there is. And if we think about letting our children head into town on their bikes, the following excerpt from that blog extends that idea to the internet:

For all its libraries, playgrounds, movie theaters, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.

There are multiple facets to “The Talk,” ranging anywhere from “stranger danger” to cyberbullying, and just general internet etiquette—not to mention the basics of keeping safe from things like malware, bad links, and scams. That’s a lot! Right? It sure is.

The challenge is this: while we’ve grown up with or grown into the internet over the course of our lives, the majority of children are amongst the first waves of children who were “born into” the internet. As parents, that means we’re learning much, if not all, of what we know about digital parenting from scratch.

The good news is that you’re far from alone. Indeed, a good portion of our blog is dedicated entirely to family safety. And with that, I’ve pulled out a few select articles below that can give you some information and inspiration for when it’s time to have “The Internet Talk.”

Stranger Danger
Keeping Your Kids Safe from Predators Online
Building Digital Literacy
Screen Time and Sleep Deprivation in Kids
Lessons Learned: A Decade of Digital Parenting
Social Influencers and Your Kids
Getting Kids to Care About Their Safety Online

And those are just a few for starters. We have plenty more, and a quick search will keep them coming. Meanwhile, know that once you have The Internet Talk, keep talking. Making sure your child is safe and happy on the internet is an ongoing process—and conversation, which will cover more in a moment.

Keeping tabs on their activity

One reason parents often cite for giving their child a smartphone is its location tracking capabilities that allow parents to see where their children are ranging about with a quick glance. And whether or not you choose to use such tracking features, that’s a decision you’ll have to make. However, consider your child’s privacy when you do. That’s not to say that you’re not in charge or that you shouldn’t track your child. Rather, it’s a reminder that your child is in fact getting older. Their sense of space and privacy is growing. Thus, if you choose to monitor their location, let them know you’re doing it. Be above the board with the intent that if you don’t hide anything from them, they’ll be less inclined to hide anything from you.

The same applies to parental controls software. Many of them will issue a report of app usage and time spent using the app, along with surfing habits too. Go ahead, monitor those early on and then adjust as them as it feels right to you. Let your child know that you’re doing it and why.

Another thing I’ve seen many of the parents I know do is share the credentials to any social media account their child sets up. Doing this openly lets your child take those first steps into social media (when you feel they’re ready) while giving you the opportunity to monitor, correct, and even cheer on certain behaviors you see. Granted, it’s not unusual for kids to work around this by setting up alternate accounts that they hide from their parents. With parental controls in place, you can mitigate some of that behavior, yet vigilance and openness on your part will be the greatest tool you have in that instance.

While you’re at it, go ahead and have conversations with your kid about what they’re doing online. Next time you’re in the car, ask what’s the latest app their friends are using. Take a peek at what games they’re playing. Download that game yourself, give it a try, and play it online with them if you can. This kind of engagement makes it normal to talk about the internet and what’s happening on it. Should the time come to discuss more serious topics or pressing matters (like a cyberbullying event, for instance), you have a conversational foundation already built.

The common denominator is you.

So, as we’ve discussed, technology is only part of the answer when managing that first smartphone in your child’s life. The other part is you. No solution works without your engagement, care, consistent application of rules, and clear expectations for behavior.

So, as you once looked on proudly as those training wheels came off your child’s first bike, you’ll want to consider doing the digital equivalent in those first months of that first smartphone. Keep your eyes and ears open as they use it. Have conversations about where their digital travels have taken them—the games they’re playing, the friends they’re chatting with. While you do, keep a sharp eye on their moods and feelings. Any changes could be a sign that you need to step in and catch them before they fall or pick them up right after they’ve fallen.
In all, your child’s first smartphone is a wonderful moment for any family, as it represents another big step in growing up. Celebrate it, have fun with it, and play your role in making sure your child gets the very best out of it.

Information Protection for the Domain Name System: Encryption and Minimization

By Burt Kaliski

This is the final in a multi-part series on cryptography and the Domain Name System (DNS).

In previous posts in this series, I’ve discussed a number of applications of cryptography to the DNS, many of them related to the Domain Name System Security Extensions (DNSSEC).

In this final blog post, I’ll turn attention to another application that may appear at first to be the most natural, though as it turns out, may not always be the most necessary: DNS encryption. (I’ve also written about DNS encryption as well as minimization in a separate post on DNS information protection.)

DNS Encryption

In 2014, the Internet Engineering Task Force (IETF) chartered the DNS PRIVate Exchange (dprive) working group to start work on encrypting DNS queries and responses exchanged between clients and resolvers.

That work resulted in RFC 7858, published in 2016, which describes how to run the DNS protocol over the Transport Layer Security (TLS) protocol, also known as DNS over TLS, or DoT.

DNS encryption between clients and resolvers has since gained further momentum, with multiple browsers and resolvers supporting DNS over Hypertext Transport Protocol Security (HTTPS), or DoH, with the formation of the Encrypted DNS Deployment Initiative, and with further enhancements such as oblivious DoH.

The dprive working group turned its attention to the resolver-to-authoritative exchange during its rechartering in 2018. And in October of last year, ICANN’s Office of the CTO published its strategy recommendations for the ICANN-managed Root Server (IMRS, i.e., the L-Root Server), an effort motivated in part by concern about potential “confidentiality attacks” on the resolver-to-root connection.

From a cryptographer’s perspective the prospect of adding encryption to the DNS protocol is naturally quite interesting. But this perspective isn’t the only one that matters, as I’ve observed numerous times in previous posts.

Balancing Cryptographic and Operational Considerations

A common theme in this series on cryptography and the DNS has been the question of whether the benefits of a technology are sufficient to justify its cost and complexity.

This question came up not only in my review of two newer cryptographic advances, but also in my remarks on the motivation for two established tools for providing evidence that a domain name doesn’t exist.

Recall that the two tools — the Next Secure (NSEC) and Next Secure 3 (NSEC3) records — were developed because a simpler approach didn’t have an acceptable risk / benefit tradeoff. In the simpler approach, to provide a relying party assurance that a domain name doesn’t exist, a name server would return a response, signed with its private key, “<name> doesn’t exist.”

From a cryptographic perspective, the simpler approach would meet its goal: a relying party could then validate the response with the corresponding public key. However, the approach would introduce new operational risks, because the name server would now have to perform online cryptographic operations.

The name server would not only have to protect its private key from compromise, but would also have to protect the cryptographic operations from overuse by attackers. That could open another avenue for denial-of-service attacks that could prevent the name server from responding to legitimate requests.

The designers of DNSSEC mitigated these operational risks by developing NSEC and NSEC3, which gave the option of moving the private key and the cryptographic operations offline, into the name server’s provisioning system. Cryptography and operations were balanced by this better solution. The theme is now returning to view through the recent efforts around DNS encryption.

Like the simpler initial approach for authentication, DNS encryption may meet its goal from a cryptographic perspective. But the operational perspective is important as well. As designers again consider where and how to deploy private keys and cryptographic operations across the DNS ecosystem, alternatives with a better balance are a desirable goal.

Minimization Techniques

In addition to encryption, there has been research into other, possibly lower-risk alternatives that can be used in place of or in addition to encryption at various levels of the DNS.

We call these techniques collectively minimization techniques.

Qname Minimization

In “textbook” DNS resolution, a resolver sends the same full domain name to a root server, a top-level domain (TLD) server, a second-level domain (SLD) server, and any other server in the chain of referrals, until it ultimately receives an authoritative answer to a DNS query.

This is the way that DNS resolution has been practiced for decades, and it’s also one of the reasons for the recent interest in protecting information on the resolver-to-authoritative exchange: The full domain name is more information than all but the last name server needs to know.

One such minimization technique, known as qname minimization, was identified by Verisign researchers in 2011 and documented in RFC 7816 in 2016. (In 2015, Verisign announced a royalty-free license to its qname minimization patents.)

With qname minimization, instead of sending the full domain name to each name server, the resolver sends only as much as the name server needs either to answer the query or to refer the resolver to a name server at the next level. This follows the principle of minimum disclosure: the resolver sends only as much information as the name server needs to “do its job.” As Matt Thomas described in his recent blog post on the topic, nearly half of all .com and .net queries received by Verisign’s .com TLD servers were in a minimized form as of August 2020.

Additional Minimization Techniques

Other techniques that are part of this new chapter in DNS protocol evolution include NXDOMAIN cut processing [RFC 8020] and aggressive DNSSEC caching [RFC 8198]. Both leverage information present in the DNS to reduce the amount and sensitivity of DNS information exchanged with authoritative name servers. In aggressive DNSSEC caching, for example, the resolver analyzes NSEC and NSEC3 range proofs obtained in response to previous queries to determine on its own whether a domain name doesn’t exist. This means that the resolver doesn’t always have to ask the authoritative server system about a domain name it hasn’t seen before.

All of these techniques, as well as additional minimization alternatives I haven’t mentioned, have one important common characteristic: they only change how the resolver operates during the resolver-authoritative exchange. They have no impact on the authoritative name server or on other parties during the exchange itself. They thereby mitigate disclosure risk while also minimizing operational risk.

The resolver’s exchanges with authoritative name servers, prior to minimization, were already relatively less sensitive because they represented aggregate interests of the resolver’s many clients1. Minimization techniques lower the sensitivity even further at the root and TLD levels: the resolver sends only its aggregate interests in TLDs to root servers, and only its interests in SLDs to TLD servers. The resolver still sends the aggregate interests in full domain names at the SLD level and below2, and may also include certain client-related information at these levels, such as the client-subnet extension. The lower levels therefore may have different protection objectives than the upper levels.


Minimization techniques and encryption together give DNS designers additional tools for protecting DNS information — tools that when deployed carefully can balance between cryptographic and operational perspectives.

These tools complement those I’ve described in previous posts in this series. Some have already been deployed at scale, such as a DNSSEC with its NSEC and NSEC3 non-existence proofs. Others are at various earlier stages, like NSEC5 and tokenized queries, and still others contemplate “post-quantum” scenarios and how to address them. (And there are yet other tools that I haven’t covered in this series, such as authenticated resolution and adaptive resolution.)

Modern cryptography is just about as old as the DNS. Both have matured since their introduction in the late 1970s and early 1980s respectively. Both bring fundamental capabilities to our connected world. Both continue to evolve to support new applications and to meet new security objectives. While they’ve often moved forward separately, as this blog series has shown, there are also opportunities for them to advance together. I look forward to sharing more insights from Verisign’s research in future blog posts.

Read the complete six blog series:

  1. The Domain Name System: A Cryptographer’s Perspective
  2. Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3
  3. Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries
  4. Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon
  5. Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys
  6. Information Protection for the Domain Name System: Encryption and Minimization

1. This argument obviously holds more weight for large resolvers than for small ones — and doesn’t apply for the less common case of individual clients running their own resolvers. However, small resolvers and individual clients seeking additional protection retain the option of sending sensitive queries through a large, trusted resolver, or through a privacy-enhancing proxy. The focus in our discussion is primarily on large resolvers.

2. In namespaces where domain names are registered at the SLD level, i.e., under an effective TLD, the statements in this note about “root and TLD” and “SLD level and below” should be “root through effective TLD” and “below effective TLD level.” For simplicity, I’ve placed the “zone cut” between TLD and SLD in this note.

Minimization et al. techniques and encryption together give DNS designers additional tools for protecting DNS information — tools that when deployed carefully can balance between cryptographic and operational perspectives.

Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys

By Burt Kaliski

This is the fifth in a multi-part series on cryptography and the Domain Name System (DNS).

In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC).

In this post, I’ll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability.

I’ll also describe Verisign Labs research into a new concept called synthesized zone signing keys that could mitigate the impact of the large signature size for hash-based signatures, while still maintaining this family’s protections against quantum computing.

(Caveat: The concepts reviewed in this post are part of Verisign’s long-term research program and do not necessarily represent Verisign’s plans or positions on new products or services. Concepts developed in our research program may be subject to U.S. and/or international patents and/or patent applications.)

A Stable Algorithm Rollover

The DNS community’s root key signing key (KSK) rollover illustrates how complicated a change to DNSSEC infrastructure can be. Although successfully accomplished, this change was delayed by ICANN to ensure that enough resolvers had the public key required to validate signatures generated with the new root KSK private key.

Now imagine the complications if the DNS community also had to ensure that enough resolvers not only had a new key but also had a brand-new algorithm.

Imagine further what might happen if a weakness in this new algorithm were to be found after it was deployed. While there are procedures for emergency key rollovers, emergency algorithm rollovers would be more complicated, and perhaps controversial as well if a clear successor algorithm were not available.

I’m not suggesting that any of the post-quantum algorithms that might be standardized by NIST will be found to have a weakness. But confidence in cryptographic algorithms can be gained and lost over many years, sometimes decades.

From the perspective of infrastructure stability, therefore, it may make sense for DNSSEC to have a backup post-quantum algorithm built in from the start — one for which cryptographers already have significant confidence and experience. This algorithm might not be as efficient as other candidates, but there is less of a chance that it would ever need to be changed. This means that the more efficient candidates could be deployed in DNSSEC with the confidence that they have a stable fallback. It’s also important to keep in mind that the prospect of quantum computing is not the only reason system developers need to be considering new algorithms from time to time. As public-key cryptography pioneer Martin Hellman wisely cautioned, new classical (non-quantum) attacks could also emerge, whether or not a quantum computer is realized.

Hash-Based Signatures

The 1970s were a foundational time for public-key cryptography, producing not only the RSA algorithm and the Diffie-Hellman algorithm (which also provided the basic model for elliptic curve cryptography), but also hash-based signatures, invented in 1979 by another public-key cryptography founder, Ralph Merkle.

Hash-based signatures are interesting because their security depends only on the security of an underlying hash function.

It turns out that hash functions, as a concept, hold up very well against quantum computing advances — much better than currently established public-key algorithms do.

This means that Merkle’s hash-based signatures, now more than 40 years old, can rightly be considered the oldest post-quantum digital signature algorithm.

If it turns out that an individual hash function doesn’t hold up — whether against a quantum computer or a classical computer — then the hash function itself can be replaced, as cryptographers have been doing for years. That will likely be easier than changing to an entirely different post-quantum algorithm, especially one that involves very different concepts.

The conceptual stability of hash-based signatures is a reason that interoperable specifications are already being developed for variants of Merkle’s original algorithm. Two approaches are described in RFC 8391, “XMSS: eXtended Merkle Signature Scheme” and RFC 8554, “Leighton-Micali Hash-Based Signatures.” Another approach, SPHINCS+, is an alternate in NIST’s post-quantum project.

Figure 1. Conventional DNSSEC signatures. DNS records are signed with the ZSK private key, and are thereby “chained” to the ZSK public key. The digital signatures may be hash-based signatures.
Figure 1. Conventional DNSSEC signatures. DNS records are signed with the ZSK private key, and are thereby “chained” to the ZSK public key. The digital signatures may be hash-based signatures.

Hash-based signatures can potentially be applied to any part of the DNSSEC trust chain. For example, in Figure 1, the DNS record sets can be signed with a zone signing key (ZSK) that employs a hash-based signature algorithm.

The main challenge with hash-based signatures is that the signature size is large, on the order of tens or even hundreds of thousands of bits. This is perhaps why they haven’t seen significant adoption in security protocols over the past four decades.

Synthesizing ZSKs with Merkle Trees

Verisign Labs has been exploring how to mitigate the size impact of hash-based signatures on DNSSEC, while still basing security on hash functions only in the interest of stable post-quantum protections.

One of the ideas we’ve come up with uses another of Merkle’s foundational contributions: Merkle trees.

Merkle trees authenticate multiple records by hashing them together in a tree structure. The records are the “leaves” of the tree. Pairs of leaves are hashed together to form a branch, then pairs of branches are hashed together to form a larger branch, and so on. The hash of the largest branches is the tree’s “root.” (This is a data-structure root, unrelated to the DNS root.)

Each individual leaf of a Merkle tree can be authenticated by retracing the “path” from the leaf to the root. The path consists of the hashes of each of the adjacent branches encountered along the way.

Authentication paths can be much shorter than typical hash-based signatures. For instance, with a tree depth of 20 and a 256-bit hash value, the authentication path for a leaf would only be 5,120 bits long, yet a single tree could authenticate more than a million leaves.

Figure 2. DNSSEC signatures following the synthesized ZSK approach proposed here. DNS records are hashed together into a Merkle tree. The root of the Merkle tree is published as the ZSK, and the authentication path through the Merkle tree is the record’s signature.
Figure 2. DNSSEC signatures following the synthesized ZSK approach proposed here. DNS records are hashed together into a Merkle tree. The root of the Merkle tree is published as the ZSK, and the authentication path through the Merkle tree is the record’s signature.

Returning to the example above, suppose that instead of signing each DNS record set with a hash-based signature, each record set were considered a leaf of a Merkle tree. Suppose further that the root of this tree were to be published as the ZSK public key (see Figure 2). The authentication path to the leaf could then serve as the record set’s signature.

The validation logic at a resolver would be the same as in ordinary DNSSEC:

  • The resolver would obtain the ZSK public key from a DNSKEY record set signed by the KSK.
  • The resolver would then validate the signature on the record set of interest with the ZSK public key.

The only difference on the resolver’s side would be that signature validation would involve retracing the authentication path to the ZSK public key, rather than a conventional signature validation operation.

The ZSK public key produced by the Merkle tree approach would be a “synthesized” public key, in that it is obtained from the records being signed. This is noteworthy from a cryptographer’s perspective, because the public key wouldn’t have a corresponding private key, yet the DNS records would still, in effect, be “signed by the ZSK!”

Additional Design Considerations

In this type of DNSSEC implementation, the Merkle tree approach only applies to the ZSK level. Hash-based signatures would still be applied at the KSK level, although their overhead would now be “amortized” across all records in the zone.

In addition, each new ZSK would need to be signed “on demand,” rather than in advance, as in current operational practice.

This leads to tradeoffs, such as how many changes to accumulate before constructing and publishing a new tree. Fewer changes and the tree will be available sooner. More changes and the tree will be larger, so the per-record overhead of the signatures at the KSK level will be lower.


My last few posts have discussed cryptographic techniques that could potentially be applied to the DNS in the long term — or that might not even be applied at all. In my next post, I’ll return to more conventional subjects, and explain how Verisign sees cryptography fitting into the DNS today, as well as some important non-cryptographic techniques that are part of our vision for a secure, stable and resilient DNS.

Read the complete six blog series:

  1. The Domain Name System: A Cryptographer’s Perspective
  2. Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3
  3. Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries
  4. Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon
  5. Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys
  6. Information Protection for the Domain Name System: Encryption and Minimization
Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon

By Burt Kaliski

This is the fourth in a multi-part series on cryptography and the Domain Name System (DNS).

One of the “key” questions cryptographers have been asking for the past decade or more is what to do about the potential future development of a large-scale quantum computer.

If theory holds, a quantum computer could break established public-key algorithms including RSA and elliptic curve cryptography (ECC), building on Peter Shor’s groundbreaking result from 1994.

This prospect has motivated research into new so-called “post-quantum” algorithms that are less vulnerable to quantum computing advances. These algorithms, once standardized, may well be added into the Domain Name System Security Extensions (DNSSEC) — thus also adding another dimension to a cryptographer’s perspective on the DNS.

(Caveat: Once again, the concepts I’m discussing in this post are topics we’re studying in our long-term research program as we evaluate potential future applications of technology. They do not necessarily represent Verisign’s plans or position on possible new products or services.)

Post-Quantum Algorithms

The National Institute of Standards and Technology (NIST) started a Post-Quantum Cryptography project in 2016 to “specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.”

Security protocols that NIST is targeting for these algorithms, according to its 2019 status report (Section 2.2.1), include: “Transport Layer Security (TLS), Secure Shell (SSH), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), and Domain Name System Security Extensions (DNSSEC).”

The project is now in its third round, with seven finalists, including three digital signature algorithms, and eight alternates.

NIST’s project timeline anticipates that the draft standards for the new post-quantum algorithms will be available between 2022 and 2024.

It will likely take several additional years for standards bodies such as the Internet Engineering Task (IETF) to incorporate the new algorithms into security protocols. Broad deployments of the upgraded protocols will likely take several years more.

Post-quantum algorithms can therefore be considered a long-term issue, not a near-term one. However, as with other long-term research, it’s appropriate to draw attention to factors that need to be taken into account well ahead of time.

DNSSEC Operational Considerations

The three candidate digital signature algorithms in NIST’s third round have one common characteristic: all of them have a key size or signature size (or both) that is much larger than for current algorithms.

Key and signature sizes are important operational considerations for DNSSEC because most of the DNS traffic exchanged with authoritative data servers is sent and received via the User Datagram Protocol (UDP), which has a limited response size.

Response size concerns were evident during the expansion of the root zone signing key (ZSK) from 1024-bit to 2048-bit RSA in 2016, and in the rollover of the root key signing key (KSK) in 2018. In the latter case, although the signature and key sizes didn’t change, total response size was still an issue because responses during the rollover sometimes carried as many as four keys rather than the usual two.

Thanks to careful design and implementation, response sizes during these transitions generally stayed within typical UDP limits. Equally important, response sizes also appeared to have stayed within the Maximum Transmission Unit (MTU) of most networks involved, thereby also avoiding the risk of packet fragmentation. (You can check how well your network handles various DNSSEC response sizes with this tool developed by Verisign Labs.)

Modeling Assumptions

The larger sizes associated with certain post-quantum algorithms do not appear to be a significant issue either for TLS, according to one benchmarking study, or for public-key infrastructures, according to another report. However, a recently published study of post-quantum algorithms and DNSSEC observes that “DNSSEC is particularly challenging to transition” to the new algorithms.

Verisign Labs offers the following observations about DNSSEC-related queries that may help researchers to model DNSSEC impact:

A typical resolver that implements both DNSSEC validation and qname minimization will send a combination of queries to Verisign’s root and top-level domain (TLD) servers.

Because the resolver is a validating resolver, these queries will all have the “DNSSEC OK” bit set, indicating that the resolver wants the DNSSEC signatures on the records.

The content of typical responses by Verisign’s root and TLD servers to these queries are given in Table 1 below. (In the table, <SLD>.<TLD> are the final two labels of a domain name of interest, including the TLD and the second-level domain (SLD); record types involved include A, Name Server (NS), and DNSKEY.)

Name Server Resolver Query Scenario Typical Response Content from Verisign’s Servers
Root DNSKEY record set for root zone • DNSKEY record set including root KSK RSA-2048 public key and root ZSK RSA-2048 public key
• Root KSK RSA-2048 signature on DNSKEY record set
A or NS record set for <TLD> — when <TLD> exists • NS referral to <TLD> name server
• DS record set for <TLD> zone
• Root ZSK RSA-2048 signature on DS record set
A or NS record set for <TLD> — when <TLD> doesn’t exist • Up to two NSEC records for non-existence of <TLD>
• Root ZSK RSA-2048 signatures on NSEC records
.com / .net DNSKEY record set for <TLD> zone • DNSKEY record set including <TLD> KSK RSA-2048 public key and <TLD> ZSK RSA-1280 public key
• <TLD> KSK RSA-2048 signature on DNSKEY record set
A or NS record set for <SLD>.<TLD> — when <SLD>.<TLD> exists • NS referral to <SLD>.<TLD> name server
• DS record set for <SLD>.<TLD> zone (if <SLD>.<TLD> supports DNSSEC)
• <TLD> ZSK RSA-1280 signature on DS record set (if present)
A or NS record set for <SLD>.<TLD> — when <SLD>.<TLD> doesn’t exist • Up to three NSEC3 records for non-existence of <SLD>.<TLD>
• <TLD> ZSK RSA-1280 signatures on NSEC3 records
Table 1. Combination of queries that may be sent to Verisign’s root and TLD servers by a typical resolver that implements both DNSSEC validation and qname minimization, and content of associated responses.

For an A or NS query, the typical response, when the domain of interest exists, includes a referral to another name server. If the domain supports DNSSEC, the response also includes a set of Delegation Signer (DS) records providing the hashes of each of the referred zone’s KSKs — the next link in the DNSSEC trust chain. When the domain of interest doesn’t exist, the response includes one or more Next Secure (NSEC) or Next Secure 3 (NSEC3) records.

Researchers can estimate the effect of post-quantum algorithms on response size by replacing the sizes of the various RSA keys and signatures with those for their post-quantum counterparts. As discussed above, it is important to keep in mind that the number of keys returned may be larger during key rollovers.

Most of the queries from qname-minimizing, validating resolvers to the root and TLD name servers will be for A or NS records (the choice depends on the implementation of qname minimization, and has recently trended toward A). The signature size for a post-quantum algorithm, which affects all DNSSEC-related responses, will therefore generally have a much larger impact on average response size than will the key size, which affects only the DNSKEY responses.


Post-quantum algorithms are among the newest developments in cryptography. They add another dimension to a cryptographer’s perspective on the DNS because of the possibility that these algorithms, or other variants, may be added to DNSSEC in the long term.

In my next post, I’ll make the case for why the oldest post-quantum algorithm, hash-based signatures, could be a particularly good match for DNSSEC. I’ll also share the results of some research at Verisign Labs into how the large signature sizes of hash-based signatures could potentially be overcome.

Verisign Outreach Program Remediates Billions of Name Collision Queries

By Matt Thomas

A name collision occurs when a user attempts to resolve a domain in one namespace, but it unexpectedly resolves in a different namespace. Name collision issues in the public global Domain Name System (DNS) cause billions of unnecessary and potentially unsafe DNS queries every day. A targeted outreach program that Verisign started in March 2020 has remediated one billion queries per day to the A and J root name servers, via 46 collision strings. After contacting several national internet service providers (ISPs), the outreach effort grew to include large search engines, social media companies, networking equipment manufacturers, national CERTs, security trust groups, commercial DNS providers, and financial institutions.

While this unilateral outreach effort resulted in significant and successful name collision remediation, it is broader DNS community engagement, education, and participation that offers the potential to address many of the remaining name collision problems. Verisign hopes its successes will encourage participation by other organizations in similar positions in the DNS community.

Verisign is proud to be the operator for two of the world’s 13 authoritative root servers. Being a root server operator carries with it many operational responsibilities. Ensuring the security, stability and resiliency of the DNS requires proactive efforts so that attacks against the root name servers do not disrupt DNS resolution, as well as the monitoring of DNS resolution patterns for misconfigurations, signaling telemetry, and unexpected or unintended uses that, without closer collaboration, could have unforeseen consequences (e.g. Chromium’s impact on root DNS traffic).

Monitoring may require various forms of responsible disclosure or notification to the underlying parties. Further, monitoring the root server system poses logistical challenges because any outreach and remediation programs must work at internet scale, and because root operators have no direct relationship with many of the involved entities.

Despite these challenges, Verisign has conducted several successful internet-scale outreach efforts to address various issues we have observed in the DNS.

In response to the Internet Corporation for Assigned Names and Number (ICANN) proposal to mitigate name collision risks in 2013, Verisign conducted a focused study on the collision string .CBA. Our measurement study revealed evidence of a substantial internet-connected infrastructure in Japan that relied on the non-resolution of names that end in .CBA. Verisign informed the network operator, who subsequently reconfigured some of its internal systems, resulting in an immediate decline of queries for .CBA observed at A and J root servers.

Prior to the 2018 KSK rollover, several operators of DNSSEC-validating name servers appeared to be sending out-of-date RFC 8145 signals to root name servers. To ensure the KSK rollover did not disrupt internet name resolution functions for billions of end users, Verisign augmented ICANN’s outreach effort and conducted a multi-faceted technical outreach program by contacting and working with The United States Computer Emergency Readiness Team (US-CERT) and other national CERTs, industry partners, various DNS operator groups and performing direct outreach to out-of-date signalers. The ultimate success of the KSK rollover was due in large part to outreach efforts by ICANN and Verisign.

In response to the ICANN Board’s request in resolutions 2017.11.02.29 – 2017.11.02.31, the ICANN Security and Stability Advisory Committee (SSAC) was asked to conduct studies, and to present data and points of view on collision strings, including specific advice on three higher risk strings: .CORP, .HOME and .MAIL. While Verisign is actively engaged in this Name Collision Analysis Project (NCAP) developed by SSAC, we are also reviving and expanding our 2012 name collision outreach efforts.

Verisign’s name collision outreach program is based on the guidance we provided in several recent peer-reviewed name collision publications, which highlighted various name collision vulnerabilities and examined the root causes of leaked queries and made remediation recommendations. Verisign’s program uses A and J root name server traffic data to identify high-affinity strings related to particular networks, as well as high query volume strings that are contextually associated with device manufacturers, software, or platforms. We then attempt to contact the underlying parties and assist with remediation as appropriate.

While we partially rely on direct communication channel contact information, the key enabler of our outreach efforts has been Verisign’s relationships with the broader collective DNS community. Verisign’s active participation in various industry organizations within the ICANN and DNS communities, such as M3AAWG, FIRST, DNS-OARC, APWG, NANOG, RIPE NCC, APNIC, and IETF1, enables us to identify and communicate with a broad and diverse set of constituents. In many cases, participants operate infrastructure involved in name collisions. In others, they are able to put us in direct contact with the appropriate parties.

Through a combination of DNS traffic analysis and publicly accessible data, as well as the rolodexes of various industry partnerships, across 2020 we were able to achieve effective outreach to the anonymized entities listed in Table 1.

Organization Queries per Day to A & J Status Number of Collision Strings (TLDs) Notes / Root Cause Analysis
Search Engine 650M Fixed 1 string Application not using FQDNs
Telecommunications Provider 250M Fixed N/A Prefetching bug
eCommerce Provider 150M Fixed 25 strings Application not using FQDNs
Networking Manufacturer 70M Pending 3 strings Suffix search list
Cloud Provider 64M Fixed 15 strings Suffix search list
Telecommunications Provider 60M Fixed 2 strings Remediated through device vendor
Networking Manufacturer 45M Pending 2 strings Suffix search list problem in router/modem device
Financial Corporation 35M Fixed 2 strings Typo / misconfiguration
Social Media Company 30M Pending 9 strings Application not using FQDNs
ISP 20M Fixed 1 string Suffix search list problem in router/modem device
Software Provider 20M Pending 50+ strings Acknowledged but still investigating
ISP 5M Pending 1 string At time of writing, still investigating but confirmed it is a router/modem device
Table 1. Sample of outreach efforts performed by Verisign.

Many of the name collision problems encountered are the result of misconfigurations and not using fully qualified domain names. After operators deploy patches to their environments, as shown in Figure 1 below, Verisign often observes an immediate and dramatic traffic decrease at A and J root name servers. Although several networking equipment vendors and ISPs acknowledge their name collision problems, the development and deployment of firmware to a large userbase will take time.

Figure 1. Daily queries for two collision strings to A and J root servers during a nine month period of time.
Figure 1. Daily queries for two collision strings to A and J root servers during a nine month period of time.

Cumulatively, the operators who have deployed patches constitute a reduction of one billion queries per day to A and J root servers (roughly 3% of total traffic). Although root traffic is not evenly distributed among the 13 authoritative servers, we expect a similar impact at the other 11, resulting in a system-wide reduction of approximately 6.5 billion queries per day.

As the ICANN community prepares for Subsequent Procedures (the introduction of additional new TLDs) and the SSAC NCAP continues to work to answer the ICANN Board’s questions, we encourage the community to participate in our efforts to address name collisions through active outreach efforts. We believe our efforts show how outreach can have significant impact to both parties and the broader community. Verisign is committed to addressing name collision problems and will continue executing the outreach program to help minimize the attack surface exposed by name collisions and to be a responsible and hygienic root operator.

For additional information about name collisions and how to properly manage private-use TLDs, please see visit ICANN’s Name Collision Resource & Information website.

1. The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), Forum of Incident Response and Security Teams (FIRST), DNS Operations, Analysis, and Research Center (DNS-OARC), Anti-Phishing Working Group (APWG), North American Network Operators’ Group (NANOG), Réseaux IP Européens Network Coordination Centre (RIPE NCC), Asia Pacific Network Information Centre (APNIC), Internet Engineering Task Force (IETF)

Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries

By Burt Kaliski

This is the third in a multi-part blog series on cryptography and the Domain Name System (DNS).

In my last post, I looked at what happens when a DNS query renders a “negative” response – i.e., when a domain name doesn’t exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries.

The concepts I discuss below are topics we’ve studied in our long-term research program as we evaluate new technologies. They do not necessarily represent Verisign’s plans or position on a new product or service. Concepts developed in our research program may be subject to U.S. and international patents and patent applications.


NSEC5 is a result of research by cryptographers at Boston University and the Weizmann Institute. In this approach, which is still in an experimental stage, the endpoints are the outputs of a verifiable random function (VRF), a cryptographic primitive that has been gaining interest in recent years. NSEC5 is documented in an Internet Draft (currently expired) and in several research papers.

A VRF is like a hash function but with two important differences:

  1. In addition to a message input, a VRF has a second input, a private key. (As in public-key cryptography, there’s also a corresponding public key.) No one can compute the outputs without the private key, hence the “random.”
  2. A VRF has two outputs: a token and a proof. (I’ve adopted the term “token” for alignment with the research that I describe next. NSEC5 itself simply uses “hash.”) Anyone can check that the token is correct given the proof and the public key, hence the “verifiable.”

So, it’s not only hard for an adversary to reverse the VRF – which is also a property the hash function has – but it’s also hard for the adversary to compute the VRF in the forward direction, thus preventing dictionary attacks. And yet a relying party can still confirm that the VRF output for a given input is correct, because of the proof.

How does this work in practice? As in NSEC and NSEC3, range statements are prepared in advance and signed with the zone signing key (ZSK). With NSEC5, however, the range endpoints are two consecutive tokens.

When a domain name doesn’t exist, the name server applies the VRF to the domain name to obtain a token and a proof. The name sever then returns a range statement where the token falls within the range, as well as the proof, as shown in the figure below. Note that the token values are for illustration only.

Figure 1. An example of a NSEC5 proof of non-existence based on a verifiable random function.
Figure 1. An example of a NSEC5 proof of non-existence based on a verifiable random function.

Because the range statement reveals only tokenized versions of other domain names in a zone, an adversary who doesn’t know the private key doesn’t learn any new existing domain names from the response. Indeed, to find out which domain name corresponds to one of the tokenized endpoints, the adversary would need access to the VRF itself to see if a candidate domain name has a matching hash value, which would involve an online dictionary attack. This significantly reduces disclosure risk.

The name server needs a copy of the zone’s NSEC5 private key so that it can generate proofs for non-existent domain names. The ZSK itself can stay in the provisioning system. As the designers of NSEC5 have pointed out, if the NSEC5 private key does happen to be compromised, this only makes it possible to do a dictionary attack offline— not to generate signatures on new range statements, or on new positive responses.

NSEC5 is interesting from a cryptographer’s perspective because it uses a less common cryptographic technique, a VRF, to achieve a design goal that was at best partially met by previous approaches. As with other new technologies, DNS operators will need to consider whether NSEC5’s benefits are sufficient to justify its cost and complexity. Verisign doesn’t have any plans to implement NSEC5, as we consider NSEC and NSEC3 adequate for the name servers we currently operate. However, we will continue to track NSEC5 and related developments as part of our long-term research program.

Tokenized Queries

A few years before NSEC5 was published, Verisign Labs had started some research on an opposite application of tokenization to the DNS, to protect a client’s information from disclosure.

In our approach, instead of asking the resolver “What is <name>’s IP address,” the client would ask “What is token 3141…’s IP address,” where 3141… is the tokenization of <name>.

(More precisely, the client would specify both the token and the parent zone that the token relates to, e.g., the TLD of the domain name. Only the portion of the domain name below the parent would be obscured, just as in NSEC5. I’ve omitted the zone information for simplicity in this discussion.)

Suppose now that the domain name corresponding to token 3141… does exist. Then the resolver would respond with the domain name’s IP address as usual, as shown in the next figure.

Figure 2. Tokenized queries
Figure 2. Tokenized queries.

In this case, the resolver would know that the domain name associated with the token does exist, because it would have a mapping between the token and the DNS record, i.e., the IP address. Thus, the resolver would effectively “know” the domain name as well for practical purposes. (We’ve developed another approach that can protect both the domain name and the DNS record from disclosure to the resolver in this case, but that’s perhaps a topic for another post.)

Now, consider a domain name that doesn’t exist and suppose that its token is 2718… .

In this case, the resolver would respond that the domain name doesn’t exist, as usual, as shown below.

Figure 3. Non-existence with tokenized queries
Figure 3. Non-existence with tokenized queries.

But because the domain name is tokenized and no other information about the domain name is returned, the resolver would only learn the token 2718… (and the parent zone), not the actual domain name that the client is interested in.

The resolver could potentially know that the name doesn’t exist via a range statement from the parent zone, as in NSEC5.

How does the client tokenize the domain name, if it doesn’t have the private key for the VRF? The name server would offer a public interface to the tokenization function. This can be done in what cryptographers call an “oblivious” VRF protocol, where the name server doesn’t see the actual domain name during the protocol, yet the client still gets the token.

To keep the resolver itself from using this interface to do an online dictionary attack that matches candidate domain names with tokens, the name server could rate-limit access, or restrict it only to authorized requesters.

Additional details on this technology may be found in U.S. Patent 9,202,079B2, entitled “Privacy preserving data querying,” and related patents.

It’s interesting from a cryptographer’s perspective that there’s a way for a client to find out whether a DNS record exists, without necessarily revealing the domain name of interest. However, as before, the benefits of this new technology will be weighed against its operational cost and complexity and compared to other approaches. Because this technique focuses on client-to-resolver interactions, it’s already one step removed from the name servers that Verisign currently operates, so it is not as relevant to our business today in a way it might have been when we started the research. This one will stay under our long-term tracking as well.


The examples I’ve shared in these last two blog posts make it clear that cryptography has the potential to bring interesting new capabilities to the DNS. While the particular examples I’ve shared here do not meet the criteria for our product roadmap, researching advances in cryptography and other techniques remains important because new events can sometimes change the calculus. That point will become even more evident in my next post, where I’ll consider the kinds of cryptography that may be needed in the event that one or more of today’s algorithms is compromised, possibly through the introduction of a quantum computer.

Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3

By Burt Kaliski

This is the second in a multi-part blog series on cryptography and the Domain Name System (DNS).

In my previous post, I described the first broad scale deployment of cryptography in the DNS, known as the Domain Name System Security Extensions (DNSSEC). I described how a name server can enable a requester to validate the correctness of a “positive” response to a query — when a queried domain name exists — by adding a digital signature to the DNS response returned.

The designers of DNSSEC, as well as academic researchers, have separately considered the answer of “negative” responses – when the domain name doesn’t exist. In this case, as I’ll explain, responding with a signed “does not exist” is not the best design. This makes the non-existence case interesting from a cryptographer’s perspective as well.

Initial Attempts

Consider a domain name like that doesn’t exist.

If it did exist, then as I described in my previous post, the second-level domain (SLD) server for would return a response signed by’s zone signing key (ZSK).

So a first try for the case that the domain name doesn’t exist is for the SLD server to return the response “ doesn’t exist,” signed by’s ZSK.

However, if doesn’t exist, then won’t have either an SLD server or a ZSK to sign with. So, this approach won’t work.

A second try is for the parent name server — the .arpa top-level domain (TLD) server in the example — to return the response “ doesn’t exist,” signed by the parent’s ZSK.

This could work if the .arpa DNS server knows the ZSK for .arpa. However, for security and performance reasons, the design preference for DNSSEC has been to keep private keys offline, within the zone’s provisioning system.

The provisioning system can precompute statements about domain names that do exist — but not about every possible individual domain name that doesn’t exist. So, this won’t work either, at least not for the servers that keep their private keys offline.

The third try is the design that DNSSEC settled on. The parent name server returns a “range statement,” previously signed with the ZSK, that states that there are no domain names in an ordered sequence between two “endpoints” where the endpoints depend on domain names that do exist. The range statements can therefore be signed offline, and yet the name server can still choose an appropriate signed response to return, based on the (non-existent) domain name in the query.

The DNS community has considered several approaches to constructing range statements, and they have varying cryptographic properties. Below I’ve described two such approaches. For simplicity, I’ve focused just on the basics in the discussion that follows. The astute reader will recognize that there are many more details involved both in the specification and the implementation of these techniques.


The first approach, called NSEC, involved no additional cryptography beyond the DNSSEC signature on the range statement. In NSEC, the endpoints are actual domain names that exist. NSEC stands for “Next Secure,” referring to the fact that the second endpoint in the range is the “next” existing domain name following the first endpoint.

The NSEC resource record is documented in one of the original DNSSEC specifications, RFC4033, which was co-authored by Verisign.

The .arpa zone implements NSEC. When the .arpa server receives the request “What is the IP address of,” it returns the response “There are no names between and” This exchange is shown in the figure below and is analyzed in the associated DNSviz graph. (The response is accurate as of the writing of this post; it could be different in the future if names were added to or removed from the .arpa zone.)

NSEC has a side effect: responses immediately reveal unqueried domain names in the zone. Depending on the sensitivity of the zone, this may be undesirable from the perspective of the minimum disclosure principle.

Figure 1. An example of a NSEC proof of non-existence (as of the writing of this post)
Figure 1. An example of a NSEC proof of non-existence (as of the writing of this post).


A second approach, called NSEC3 reduces the disclosure risk somewhat by defining the endpoints as hashes of existing domain names. (NSEC3 is documented in RFC 5155, which was also co-authored by Verisign.)

An example of NSEC3 can be seen with, another domain that doesn’t exist. Here, the .name TLD server returns a range statement that “There are no domain names with hashes between 5SU9… and 5T48…”. Because the hash of is “5SVV…” the response implies that “” doesn’t exist.

This statement is shown in the figure below and in another DNSviz graph. (As above, the actual response could change if the .name zone changes.)

Figure 2. An example of a NSEC3 proof of non-existence based on a hash function (as of the writing of this post)
Figure 2. An example of a NSEC3 proof of non-existence based on a hash function (as of the writing of this post).

To find out which domain name corresponds to one of the hashed endpoints, an adversary would have to do a trial-and-error or “dictionary” attack across multiple guesses of domain names, to see if any has a matching hash value. Such a search could be performed “offline,” i.e., without further interaction with the name server, which is why the disclosure risk is only somewhat reduced.

NSEC and NSEC3 are mutually exclusive. Nearly all TLDs, including all TLDs operated by Verisign, implement NSEC3. In addition to .arpa, the root zone also implements NSEC.

In my next post, I’ll describe NSEC5, an approach still in the experimental stage, that replaces the hash function in NSEC3 with a verifiable random function (VRF) to protect against offline dictionary attacks. I’ll also share some research Verisign Labs has done on a complementary approach that helps protect a client’s queries for non-existent domain names from disclosure.

The Domain Name System: A Cryptographer’s Perspective

By Burt Kaliski
Man looking at technical imagery

This is the first in a multi-part blog series on cryptography and the Domain Name System (DNS).

As one of the earliest protocols in the internet, the DNS emerged in an era in which today’s global network was still an experiment. Security was not a primary consideration then, and the design of the DNS, like other parts of the internet of the day, did not have cryptography built in.

Today, cryptography is part of almost every protocol, including the DNS. And from a cryptographer’s perspective, as I described in my talk at last year’s International Cryptographic Module Conference (ICMC20), there’s so much more to the story than just encryption.

Where It All Began: DNSSEC

The first broad-scale deployment of cryptography in the DNS was not for confidentiality but for data integrity, through the Domain Name System Security Extensions (DNSSEC), introduced in 2005.

The story begins with the usual occurrence that happens millions of times a second around the world: a client asks a DNS resolver a query like “What is’s Internet Protocol (IP) address?” The resolver in this case answers: “’s IP address is”. (This is the correct answer.)

If the resolver doesn’t already know the answer to the request, then the process to find the answer goes something like this:

  • With qname minimization, when the resolver receives this request, it starts by asking a related question to one of the DNS’s 13 root servers, such as the A and J root servers operated by Verisign: “Where is the name server for the .com top-level domain (TLD)?”
  • The root server refers the resolver to the .com TLD server.
  • The resolver asks the TLD server, “Where is the name server for the second-level domain (SLD)?”
  • The TLD server then refers the resolver to the server.
  • Finally, the resolver asks the SLD server, “What is’s IP address?” and receives an answer: “”.

Digital Signatures

But how does the resolver know that the answer it ultimately receives is correct? The process defined by DNSSEC follows the same “delegation” model from root to TLD to SLD as I’ve described above.

Indeed, DNSSEC provides a way for the resolver to check that the answer is correct by validating a chain of digital signatures, by examining digital signatures at each level of the DNS hierarchy (or technically, at each “zone” in the delegation process). These digital signatures are generated using public key cryptography, a well-understood process that involves encryption using key pairs, one public and one private.

In a typical DNSSEC deployment, there are two active public keys per zone: a Key Signing Key (KSK) public key and a Zone Signing Key (ZSK) public key. (The reason for having two keys is so that one key can be changed locally, without the other key being changed.)

The responses returned to the resolver include digital signatures generated by either the corresponding KSK private key or the corresponding ZSK private key.

Using mathematical operations, the resolver checks all the digital signatures it receives in association with a given query. If they are valid, the resolver returns the “Digital Signature Validated” indicator to the client that initiated the query.

Trust Chains

Figure 1 A Simplified View of the DNSSEC Chain.
Figure 1: A Simplified View of the DNSSEC Chain.

A convenient way to visualize the collection of digital signatures is as a “trust chain” from a “trust anchor” to the DNS record of interest, as shown in the figure above. The chain includes “chain links” at each level of the DNS hierarchy. Here’s how the “chain links” work:

The root KSK public key is the “trust anchor.” This key is widely distributed in resolvers so that they can independently authenticate digital signatures on records in the root zone, and thus authenticate everything else in the chain.

The root zone chain links consist of three parts:

  1. The root KSK public key is published as a DNS record in the root zone. It must match the trust anchor.
  2. The root ZSK public key is also published as a DNS record. It is signed by the root KSK private key, thus linking the two keys together.
  3. The hash of the TLD KSK public key is published as a DNS record. It is signed by the root ZSK private key, further extending the chain.

The TLD zone chain links also consist of three parts:

  1. The TLD KSK public key is published as a DNS record; its hash must match the hash published in the root zone.
  2. The TLD ZSK public key is published as a DNS record, which is signed by the TLD KSK private key.
  3. The hash of the SLD KSK public key is published as a DNS record. It is signed by the TLD ZSK private key.

The SLD zone chain links once more consist of three parts:

  1. The SLD KSK public key is published as a DNS record. Its hash, as expected, must match the hash published in the TLD zone.
  2. The SLD ZSK public key is published as a DNS record signed by the SLD KSK private key.
  3. A set of DNS records – the ultimate response to the query – is signed by the SLD ZSK private key.

A resolver (or anyone else) can thereby verify the signature on any set of DNS records given the chain of public keys leading up to the trust anchor.

Note that this is a simplified view, and there are other details in practice. For instance, the various KSK public keys are also signed by their own private KSK, but I’ve omitted these signatures for brevity. The DNSViz tool provides a very nice interactive interface for browsing DNSSEC trust chains in detail, including the trust chain for discussed here.

Updating the Root KSK Public Key

The effort to update the root KSK public key, the aforementioned “trust anchor” was one of the challenging and successful projects by the DNS community over the past couple of years. This initiative – the so-called “root KSK rollover” – was challenging because there was no easy way to determine whether resolvers actually had been updated to use the latest root KSK — remember that cryptography and security was added on rather than built into the DNS. There are many resolvers that needed to be updated, each independently managed.

The research paper “Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover” details the process of updating the root KSK. The paper, co-authored by Verisign researchers and external colleagues, received the distinguished paper award at the 2019 Internet Measurement Conference.

Final Thoughts

I’ve focused here on how a resolver validates correctness when the response to a query has a “positive” answer — i.e., when the DNS record exists. Checking correctness when the answer doesn’t exist gets even more interesting from a cryptographer’s perspective. I’ll cover this topic in my next post.

Chromium’s Reduction of Root DNS Traffic

By Verisign
Search Bar

As we begin a new year, it is important to look back and reflect on our accomplishments and how we can continue to improve. A significant positive the DNS community could appreciate from 2020 is the receptiveness and responsiveness of the Chromium team to address the large amount of DNS queries being sent to the root server system.

In a previous blog post, we quantified that upwards of 45.80% of total DNS traffic to the root servers was, at the time, the result of Chromium intranet redirection detection tests. Since then, the Chromium team has redesigned its code to disable the redirection test on Android systems and introduced a multi-state DNS interception policy that supports disabling the redirection test for desktop browsers. This functionality was released mid-November of 2020 for Android systems in Chromium 87 and, quickly thereafter, the root servers experienced a rapid decline of DNS queries.

The figure below highlights the significant decline of query volume to the root server system immediately after the Chromium 87 release. Prior to the software release, the root server system saw peaks of ~143 billion queries per day. Traffic volumes have since decreased to ~84 billion queries a day. This represents more than a 41% reduction of total query volume.

Note: Some data from root operators was not available at the time of this publication.

This type of broad root system measurement is facilitated by ICANN’s Root Server System Advisory Committee standards document RSSAC002, which establishes a set of baseline metrics for the root server system. These root server metrics are readily available to the public for analysis, monitoring, and research. These metrics represent another milestone the DNS community could appreciate and continue to support and refine going forward.

Rightly noted in ICANN’s Root Name Service Strategy and Implementation publication, the root server system currently “faces growing volumes of traffic” from legitimate users but also from misconfigurations, misuse, and malicious actors and that “the costs incurred by the operators of the root server system continue to climb to mitigate these attacks using the traditional approach”.

As we reflect on how Chromium’s large impact to root server traffic was identified and then resolved, we as a DNS community could consider how outreach and engagement should be incorporated into a traditional approach of addressing DNS security, stability, and resiliency. All too often, technologists solve problems by introducing additional layers of technology abstractions and disregarding simpler solutions, such as outreach and engagement.

We believe our efforts show how such outreach and community engagement can have significant impact both to the parties directly involved, and to the broader community. Chromium’s actions will directly aide and ease the operational costs to mitigate attacks at the root. Reducing the root server system load by 41%, with potential further reduction depending on future Chromium deployment decisions, will lighten operational costs incurred to mitigate attacks by relinquishing their computing and network resources.

In pursuit of maintaining a responsible and common-sense root hygiene regimen, Verisign will continue to analyze root telemetry data and engage with entities such as Chromium to highlight operational concerns, just as Verisign has done in the past to address name collisions problems. We’ll be sharing more information on this shortly.

This piece was co-authored by Matt Thomas and Duane Wessels, Distinguished Engineers at Verisign.

Meeting the Evolving Challenges of COVID-19

By Verisign
Verisign Logo

The COVID-19 pandemic, when it struck earlier this year, ushered in an immediate period of adjustment for all of us. And just as the challenges posed by COVID-19 in 2020 have been truly unprecedented, Verisign’s mission – enabling the world to connect online with reliability and confidence, anytime, anywhere – has never been more relevant. We are grateful for the continued dedication of our workforce, which enables us to provide the building blocks people need for remote working and learning, and simply for keeping in contact with each other.

At Verisign we took early action to adopt a COVID-19 work posture to protect our people, their families, and our operations. This involved the majority of our employees working from home, and implementing new cleaning and health safety protocols to protect those employees and contractors for whom on-site presence was essential to maintain key functions.

Our steps to address the pandemic did not stop there. On March 25 we announced a series of measures to help the communities where we live and work, and the broader DNS community in which we operate. This included, under our Verisign Cares program, making contributions to organizations supporting key workers, first responders and medical personnel, and doubling the company’s matching program for employee giving so that employee donations to support the COVID-19 response could have a greater impact.

Today, while vaccines may offer signs of long term hope, the pandemic has plunged many families into economic hardship and has had a dramatic effect on food insecurity in the U.S., with an estimated 50 million people affected. With this hardship in mind, we have this week made contributions totaling $275,000 to food banks in the areas where we have our most substantial footprint: the Washington DC-Maryland-Virginia region; Delaware; and the canton of Fribourg, in Switzerland. This will help local families put food on their tables during what will be a difficult winter for many.

The pandemic has also had a disproportionate, and potentially permanent, impact on certain sectors of the economy. So today Verisign is embarking on a partnership with Virginia Ready, which helps people affected by COVID-19 access training and certification for in-demand jobs in sectors such as technology. We are making an initial contribution of $250,000 to Virginia Ready, and will look to establish further partnerships of this kind across the country in 2021.

As people around the world gather online to address the global challenges posed by COVID-19, we want to share some of the steps we have taken so far to support the communities we serve, while keeping our critical internet infrastructure running smoothly.

A Balanced DNS Information Protection Strategy: Minimize at Root and TLD, Encrypt When Needed Elsewhere

By Burt Kaliski
Lock image and DNS

Over the past several years, questions about how to protect information exchanged in the Domain Name System (DNS) have come to the forefront.

One of these questions was posed first to DNS resolver operators in the middle of the last decade, and is now being brought to authoritative name server operators: “to encrypt or not to encrypt?” It’s a question that Verisign has been considering for some time as part of our commitment to security, stability and resiliency of our DNS operations and the surrounding DNS ecosystem.

Because authoritative name servers operate at different levels of the DNS hierarchy, the answer is not a simple “yes” or “no.” As I will discuss in the sections that follow, different information protection techniques fit the different levels, based on a balance between cryptographic and operational considerations.

How to Protect, Not Whether to Encrypt

Rather than asking whether to deploy encryption for a particular exchange, we believe it is more important to ask how best to address the information protection objectives for that exchange — whether by encryption, alternative techniques or some combination thereof.

Information protection must balance three objectives:

  • Confidentiality: protecting information from disclosure;
  • Integrity: protecting information from modification; and
  • Availability: protecting information from disruption.

The importance of balancing these objectives is well-illustrated in the case of encryption. Encryption can improve confidentiality and integrity by making it harder for an adversary to view or change data, but encryption can also impair availability, by making it easier for an adversary to cause other participants to expend unnecessary resources. This is especially the case in DNS encryption protocols where the resource burden for setting up an encrypted session rests primarily on the server, not the client.

The Internet-Draft “Authoritative DNS-Over-TLS Operational Considerations,” co-authored by Verisign, expands on this point:

Initial deployments of [Authoritative DNS over TLS] may offer an immediate expansion of the attack surface (additional port, transport protocol, and computationally expensive crypto operations for an attacker to exploit) while, in some cases, providing limited protection to end users.

Complexity is also a concern because DNS encryption requires changes on both sides of an exchange. The long-installed base of DNS implementations, as Bert Hubert has parabolically observed, can only sustain so many more changes before one becomes the “straw that breaks the back” of the DNS camel.

The flowchart in Figure 1 describes a two-stage process for factoring in operational risk when determining how to mitigate the risk of disclosure of sensitive information in a DNS exchange. The process involves two questions.

Figure 1  Two-stage process for factoring in operational risk when determining how to address information protection objectives for a DNS exchange.
Figure 1 Two-stage process for factoring in operational risk when determining how to address information protection objectives for a DNS exchange.

This process can readily be applied to develop guidance for each exchange in the DNS resolution ecosystem.

Applying Guidance

Three main exchanges in the DNS resolution ecosystem are considered here, as shown in Figure 2: resolver-to-authoritative at the root and TLD level; resolver-to-authoritative below these levels; and client-to-resolver.

Figure 2 Three DNS resolution exchanges: (1) resolver-to-authoritative at the root and TLD levels; (2) resolver-to-authoritative at the SLD level (and below); (3) client-to-resolver. Different information protection guidance applies for each exchange. The exchanges are shown with qname minimization implemented at the root and TLD levels.

1. Resolver-to-Root and Resolver-to-TLD

The resolver-to-authoritative exchange at the root level enables DNS resolution for all underlying domain names; the exchange at the TLD level does the same for all names under a TLD. These exchanges provide global navigation for all names, benefiting all resolvers and therefore all clients, and making the availability objective paramount.

As a resolver generally services many clients, information exchanged at these levels represents aggregate interests in domain names, not the direct interests of specific clients. The sensitivity of this aggregated information is therefore relatively low to start with, as it does not contain client-specific details beyond the queried names and record types. However, the full domain name of interest to a client has conventionally been sent to servers at the root and TLD levels, even though this is more information than they need to know to refer the resolver to authoritative name servers at lower levels of the DNS hierarchy. The additional detail in the full domain name may be considered sensitive in some cases. Therefore, this data exchange merits consideration for protection.

The decision flow (as generally described in Figure 1) for this exchange is as follows:

  1. Are there alternatives with lower operational risk that can mitigate the disclosure risk? Yes. Techniques such as qname minimization, NXDOMAIN cut processing and aggressive DNSSEC caching — which we collectively refer to as minimization techniques — can reduce the information exchanged to just the resolver’s aggregate interests in TLDs and SLDs, removing the further detail of the full domain names and meeting the principle of minimum disclosure.
  2. Does the benefit of encryption in mitigating any residual disclosure risk justify its operational risk? No. The information exchanged is just the resolver’s aggregate interests in TLDs and SLDs after minimization techniques are applied, and any further protection offered by encryption wouldn’t justify the operational risk of a protocol change affecting both sides of the exchange. While some resolvers and name servers may be open to the operational risk, it shouldn’t be required of others.

Interestingly, while minimization itself is sufficient to address the disclosure risk at the root and TLD levels, encryption alone isn’t. Encryption protects against disclosure to outside observers but not against disclosure to (or by) the name server itself. Even though the sensitivity of the information is relatively low for reasons noted above, without minimization, it’s still more than the name server needs to know.

Summary: Resolvers should apply minimization techniques at the root and TLD levels. Resolvers and root and TLD servers should not be required to implement DNS encryption on these exchanges.

Note that at this time, Verisign has no plans to implement DNS encryption at the root or TLD servers that the company operates. Given the availability of qname minimization, which we are encouraging resolver operators to implement, and other minimization techniques, we do not currently see DNS encryption at these levels as offering an appropriate risk / benefit tradeoff.

2. Resolver-to-SLD and Below

The resolver-to-authoritative exchanges at the SLD level and below enable DNS resolution within specific namespaces. These exchanges provide local optimization, benefiting all resolvers and all clients interacting with the included namespaces.

The information exchanged at these levels also represents the resolver’s aggregate interests, but in some cases, it may also include client-related information such as the client’s subnet. The full domain names and the client-related information, if any, are the most sensitive parts.

The decision flow for this exchange is as follows:

  1. Are there alternatives with lower operational risk that can mitigate the disclosure risk? Partially. Minimization techniques may apply to some exchanges at the SLD level and below if the full domain names have more than three labels. However, they don’t help as much with the lowest-level authoritative name server involved, because that name server needs the full domain name.
  2. Does the benefit of encryption in mitigating any residual disclosure risk justify its operational risk? In some cases. If the exchange includes client-specific information, then the risk may be justified. If full domain names include labels beyond the TLD and SLD that are considered more sensitive, this might be another justification. Otherwise, the benefit of encryption generally wouldn’t justify the operational risk, and for this reason, as in the previous case, encryption shouldn’t be required, except in the specific purposes noted.

Summary: Resolvers and SLD servers (and below) should implement DNS encryption on their exchanges if they are sending sensitive full domain names or client-specific information. Otherwise, they should not be required to implement DNS encryption.

3. Client-to-Resolver

The client-to-resolver exchange enables navigation to all domain names for all clients of the resolver.

The information exchanged here represents the interests of each specific client. The sensitivity of this information is therefore relatively high, making confidentiality vital.

The decision process in this case traverses the first and second steps:

  1. Are there alternatives with lower operational risk that can mitigate the disclosure risk? Not really. Minimization techniques don’t apply here because the resolver needs the full domain name and the client-specific information included in the request, namely the client’s IP address. Other alternatives, such as oblivious DNS, have been proposed, but are more complex and arguably increase operational risk. Note that some clients use security and confidentiality solutions at different layers of the protocol stack (e.g. a virtual private network (VPN), etc.) to protect DNS exchanges.
  2. Does the benefit of encryption in mitigating any residual disclosure risk justify its operational risk? Yes.

Summary: Clients and resolvers should implement DNS encryption on this exchange, unless the exchange is otherwise adequately protected, for instance as part of the network connection provided by an enterprise or internet service provider.

Summary of Guidance

The following table summarizes the guidance for how to protect the various exchanges in the DNS resolution ecosystem.

In short, the guidance is “minimize at root and TLD, encrypt when needed elsewhere.”

DNS Exchange Purpose Guidance
Resolver-to-Root and TLD Global navigational availability • Resolvers should apply minimization techniques
• Resolvers and root and TLD servers should not be required to implement DNS encryption on these exchanges
Resolver-to-SLD and Below Local performance optimization • Resolvers and SLD servers (and below) should implement DNS encryption on their exchanges if they are sending sensitive full domain names, or client-specific information
• Resolvers and SLD servers (and below) should not be required to implement DNS encryption otherwise
Client-to-Resolver General DNS resolution • Clients and resolvers should implement DNS encryption on this exchange, unless adequate protection is otherwise provided, e.g., as part of a network connection


If the guidance suggested here were followed, we could expect to see more deployment of minimization techniques on resolver-to-authoritative exchanges at the root and TLD levels; more deployment of DNS encryption, when needed, at the SLD levels and lower; and more deployment of DNS encryption on client-to-resolver exchanges.

In all these deployments, the DNS will serve the same purpose as it already does in today’s unencrypted exchanges: enabling general-purpose navigation to information and resources on the internet.

DNS encryption also brings two new capabilities that make it possible for the DNS to serve two new purposes. Both are based on concepts developed in Verisign’s research program.

  1. The client can authenticate itself to a resolver or name server that supports DNS encryption, and the resolver or name server can limit its DNS responses based on client identity. This capability enables a new set of security controls for restricting access to network resources and information. We call this approach authenticated resolution.
  2. The client can confidentially send client-related information to the resolver or name server, and the resolver or name server can optimize its DNS responses based on client characteristics. This capability enables a new set of performance features for speeding access to those same resources and information. We call this approach adaptive resolution.

You can read more about these two applications in my recent blog post on this topic, Authenticated Resolution and Adaptive Resolution: Security and Navigational Enhancements to the Domain Name System.

Verisign CTO Burt Kaliski explains why minimization techniques at the root and TLD levels of the DNS are a key component of a balanced DNS information protection strategy.

Cybersecurity Considerations in the Work-From-Home Era

By Yong Kim
Cyberthreat keywords

Note: This article originally appeared in Verisign’s Q3 2020 Domain Name Industry Brief.

Verisign is deeply committed to protecting our critical internet infrastructure from potential cybersecurity threats, and to keeping up to date on the changing cyber landscape. 

Over the years, cybercriminals have grown more sophisticated, adapting to changing business practices and diversifying their approaches in non-traditional ways. We have seen security threats continue to evolve in 2020, as many businesses have shifted to a work from home posture due to the COVID-19 pandemic. For example, the phenomenon of “Zoom-bombing” video meetings and online learning sessions had not been a widespread issue until, suddenly, it became one. 

As more people began accessing company applications and files over their home networks, IT departments implemented new tools and set new policies to find the right balance between protecting company assets and sensitive information, and enabling employees to be just as productive at home as they would be in the office. Even the exponential jump in the use of home-networked printers that might or might not be properly secured represented a new security consideration for some corporate IT teams. 

An increase in phishing scams accompanied this shift in working patterns. About a month after much of the global workforce began working from home in greater numbers, the Federal Bureau of Investigation (FBI) reported about a 300 percent to 400 percent spike in cybersecurity complaints received by its Internet Crime Complaint Center (IC3) each day. According to the International Criminal Police Organization (Interpol), “[o]f global cyber-scams, 59% are coming in the form of spear phishing.” These phishing campaigns targeted an array of sectors, such as healthcare and government agencies, by imitating health experts or COVID-related charities.

Proactive steps can help businesses improve their cybersecurity hygiene and guard against phishing scams. One of these steps is for companies to focus part of their efforts on educating employees on how to detect and avoid malicious websites in phishing emails. Companies can start by building employee understanding of how to identify the destination domain of a URL (Uniform Resource Locator – commonly referring to as “links”) embedded in an email that may be malicious. URLs can be complex and confusing and cybercriminals, who are well aware of that complexity, often use deceptive tactics within the URLs to mask the malicious destination domain. Companies can take proactive steps to inform their employees of these deceptive tactics and help them avoid malicious websites. Some of the most common tactics are described in Table 1 below.

Tactic What is it?
Combosquatting Adding words such as “secure,” “login” or “account” to a familiar domain name to trick users into thinking it is affiliated with the known domain name.
Typosquatting Using domain names that resemble a familiar name but incorporate common typographical mistakes, such as reversing letters or leaving out or adding a character.
Levelsquatting Using familiar names/domain names as part of a subdomain within a URL, making it difficult to discover the real destination domain.
Homograph attacks Using homograph, or lookalike, domain names, such as substituting the uppercase “I” or number “1” where a lowercase “L” should have been used, or using “é” instead of an “e.”
Misplaced domain Planting familiar domain names within the URL as a way of adding a familiar domain name into a complex-looking URL. The familiar domain name could be found in a path (after a “/”), as part of the additional parameters (after a “?”), as an anchor/fragment identifier (after a “#”) or in the HTTP credentials (before “@”).
URL-encoded characters Placing URL-encoded characters (%[code]), which are sometimes used in URL parameters, into the domain name itself.
Table 1. Common tactics used by cybercriminals to mask the destination domain.

Teaching users to find and understand the domain portion of the URL can have lasting and positive effects on an organization’s ability to avoid phishing links. By providing employees (and their families) with this basic information, companies can better protect themselves against cybersecurity issues such as compromised networks, financial losses and data breaches.

To learn more about what you can do to protect yourself and your business against possible cyber threats, check out the STOP. THINK. CONNECT. campaign online at STOP. THINK. CONNECT. is a global online safety awareness campaign led by the National Cyber Security Alliance and in partnership with the Anti-Phishing Working Group to help all digital citizens stay safer and more secure online.

Typo 1: VulnHub CTF walkthrough (part 2)

By LetsPen Test

Introduction In the previous article, Part 1 of this CTF, we were able to complete the following steps on the victim machine: Getting the target machine IP address by running the VM Getting open port details by using the Nmap tool Enumerating HTTP port 80 service with Dirb utility Enumerating HTTP port 8000 and 8080 […]

Reactive vs. proactive security: Three benefits of a proactive cybersecurity strategy

By Susan Morrow

Introduction  I’ve been writing cybersecurity articles for many years, and in that time, I have only seen increasingly complex security threats. Cybercriminals take their craft seriously. They treat cybercrime as a business, looking for ways to maximize profit while seeking innovative methods to circumvent our efforts to protect our businesses. The figures speak for themselves. […]

The post Reactive vs. proactive security: Three benefits of a proactive cybersecurity strategy appeared first on Infosec Resources.

Brand impersonation attacks targeting SMB organizations

By Susan Morrow

Introduction Building and maintaining a brand is an important part of a successful business. Having a recognized brand confers recognition, and if done well, provides a way of developing trust between customers and company. Brand trust and loyalty go hand-in-hand. Research has shown that 80% of US customers look at the trustworthiness of a brand […]

The post Brand impersonation attacks targeting SMB organizations appeared first on Infosec Resources.

How to use the NICE Cybersecurity Workforce Framework to plan career progression: A practitioners’ guide

By Daniel Brecht

Introduction: An overview of the NICE Cybersecurity Workforce Framework In 2017, the National Institute of Standards and Technology (NIST) published Special Publication 800-181, the NICE Cybersecurity Workforce Framework (or NICE Framework); the document categorizes and describes cybersecurity work as well as the knowledge, skills and abilities (KSAs) needed by professionals to complete tasks in the […]

The post How to use the NICE Cybersecurity Workforce Framework to plan career progression: A practitioners’ guide appeared first on Infosec Resources.

2020 Verizon Data Breach Investigations Report: Summary and key findings for security professionals

By Greg Belding

Introduction The Verizon Data Breach Investigations Report, or the Verizon Data Breach Report, is an annual report intended for information security professionals. It summarizes 3,950 confirmed data breaches and is a collection of work from 81 contributors spanning 81 countries and has grown more than a little bit since last year’s twelfth edition.  Navigating this […]

The post 2020 Verizon Data Breach Investigations Report: Summary and key findings for security professionals appeared first on Infosec Resources.

Microsoft Azure job outlook

By Greg Belding

Introduction The business world is relocating to the cloud and the trend is strong. It has been predicted that by the end of 2020, 83% of all businesses will be in the cloud and by 2021, the percentage of workloads processed in cloud data centers will reach 94%. By 2022, cloud services will be three […]

The post Microsoft Azure job outlook appeared first on Infosec Resources.

Cost of non-compliance: 8 largest data breach fines and penalties

By Greg Belding

Introduction Different regulations and laws will slap organizations with fines and penalties for data breaches. This is because the organization did not take the privacy of their data seriously. However, the authorities take this responsibility very seriously and will not hesitate to punish with fines and penalties that are sometimes in the hundreds of millions […]

The post Cost of non-compliance: 8 largest data breach fines and penalties appeared first on Infosec Resources.

Implementing a zero-trust model: The key to securing microservices

By David Bisson

Introduction Organizations are increasingly integrating microservices into their software development processes. As noted by DZone, microservices break down software into multiple component services, thereby enabling organizations to deploy parts of an application without compromising the integrity of the entire program.  This property also allows developers to address a microservice that starts acting up. The other […]

The post Implementing a zero-trust model: The key to securing microservices appeared first on Infosec Resources.

Typo 1: VulnHub CTF walkthrough (part 1)

By LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named Akanksha Sachin Verma. As per the description given by the author, it is an intermediate-level challenge. The goal is to get root access of the machine and read the root flag. You […]

The post Typo 1: VulnHub CTF walkthrough (part 1) appeared first on Infosec Resources.

Open-source application security flaws: What you should know and how to spot them

By Graeme Messina

Introduction Open-source software helped to revolutionize the way that applications are built by professionals and enthusiasts alike. Being able to borrow a non-proprietary library to quickly prototype and build an application not only accelerates progress in projects, but also makes things easier to work with. Open-source libraries when creating applications is not the only positive […]

The post Open-source application security flaws: What you should know and how to spot them appeared first on Infosec Resources.

How to avoid getting locked out of your own account with multi-factor authentication

By Greg Belding

Multi-factor authentication (MFA) is one of the most popular authentication security solutions available to organizations today. It really comes as no surprise, as the multi-factor authentication benefits of enhanced security go beyond the basic password security measures by forcing the user to authenticate with another method that (presumably) only the legitimate user has access to.  […]

The post How to avoid getting locked out of your own account with multi-factor authentication appeared first on Infosec Resources.

Source 1: VulnHub CTF walkthrough

By LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named darkstar7471. Per the description given by the author, this is an entry-level CTF. The target of this CTF is to get to the root of the machine and read the flag file. […]

The post Source 1: VulnHub CTF walkthrough appeared first on Infosec Resources.

Japan’s IoT scanning project looks for vulnerable IoT devices

By Rodika Tollefson

The growing world of IoT — and security concerns The Internet of Things (IoT) is still a baby compared to other computing technologies, but the market has already exploded and continues to expand at a healthy pace. Telecommunications giant Ericsson estimates the number of IoT connections to grow from 10.8 billion in 2019 to 24.9 […]

The post Japan’s IoT scanning project looks for vulnerable IoT devices appeared first on Infosec Resources.

Troystealer malware: What it is, how it works and how to prevent it | Malware spotlight

By Pedro Tavares

We are living in an era where malware is part of our daily lives. Emergent campaigns are increasing, each more sophisticated and harder to detect than the last. Malware can reveal itself through different abnormal behaviors, including a giant wave of annoying ads flooding your screen, your system crashing, blocks or repeatedly showing a BSOD […]

The post Troystealer malware: What it is, how it works and how to prevent it | Malware spotlight appeared first on Infosec Resources.

