Login
Cybercriminals are often seen as having the upper hand over the “white hat” community. After all, they’re anonymous, can launch attacks from virtually anywhere in the world, and usually have the element of surprise. But there’s one secret weapon the good guys have: Collaboration. That’s why Trend Micro has always prioritized its partnerships with law enforcement, academia, governments and other cybersecurity businesses.
We’re proud to have contributed to yet another successful collaborative operation with INTERPOL Global Complex for Innovation (IGCI) in Singapore that’s helped to reduce the number of users infected by cryptomining malware by 78%.
Cryptomining On The Rise
Also known as cryptojacking, these attacks have become an increasingly popular way for cybercriminals to make money.
Why?
Because victims don’t know they’ve been infected. The malware sits on their machine in the background mining for digital currency 24/7/365. Increasingly, hackers have taken to launching sophisticated attacks against enterprise IT systems and cloud servers to increase their mining and earning potential. But many still target home computer systems like routers, as these are often left relatively unprotected. Stitch enough of these devices together in a botnet and they have a ready-made cash cow.
That’s why cryptojacking remained the most detected threat in the first half of 2019 in terms of file-based threat components, according to our data.
Unlike serious data breaches, phishing attacks, ransomware and banking Trojans, cryptojacking doesn’t have major impact on the victim. They don’t lose sensitive personal data, there’s no risk of follow-on identity fraud and they’re not extorted for funds by being locked out of their PC.
However, it’s not without consequences: Cryptomining malware can slow your home network to a crawl while running up serious energy bills. It may even bring your home computers to a premature end. Also, there’s always the risk with any kind of malware infection that hackers may switch tactics and use their footprint on your home machines to launch other attacks in the future.
Enter Operation Goldfish Alpha
That’s why we were keen to offer our assistance to INTERPOL during this year’s Operation Goldfish Alpha. Thanks to our broad global visibility into attack trends and infection rates, we were able to articulate the scale of the cryptojacking threat and key mitigation steps, at a pre-operation meeting with ASEAN law enforcement officers in June.
A few months later, we developed and disseminated a key Cryptojacking Mitigation and Prevention guidance document. It details how a vulnerability in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware. The document explains how to scan for this flaw using Trend Micro HouseCall for Home Networks, and how HouseCall can be used to detect and delete the Coinhive JavaScript that hackers were using to mine for digital currency on infected PCs.
Spectacular Success
Over the five months of Operation Goldfish Alpha, experts from national Computer Emergency Response Teams (CERTs) and police across 10 countries in the region worked to locate the infected routers, notify the victims and use our guidance document to patch the bugs and kick out the hackers.
Having helped to identify over 20,000 routers in the region that were hacked in this way, we’re delighted to say that by November, the number had reduced by at least 78%.
That’s the value of partnerships between law enforcement and private cybersecurity companies: They combine the power of investigative policing with the detailed subject matter expertise, visibility and resources of industry experts like us. We’ll continue to lend a hand wherever we can to make our connected, digital world a safer place.
The post INTERPOL Collaboration Reduces Cryptojacking by 78% appeared first on .
Tax season has always been a pretty nerve-wracking time for hard-working Americans. But over the years, technology advances have arrived to gradually make the process a bit easier. The bad news is that they can also introduce new cyber risks and even more stress.
There are two things that cybercriminals are always on the hunt for: people’s identity data from their accounts, and their money. And during the tax-filing season both can be unwittingly exposed. Over the years, cybercriminals have adapted multiple tools and techniques to part taxpayers with their personal information and funds.
Let’s take look at some of the main threats out there and what you can do to stay safe.
What do they want?
Cybercrime is a highly efficient money-making business. Some reports suggest this underground economy generates as much as $1.5 trillion each year. (See Into the Web of Profit, April 2018, McGuire, Bromium.) And tax-related scams are an increasingly popular way for the bad guys to drive-up profits. The Internal Revenue Service (IRS) claims that “thousands of people have lost millions of dollars and their personal information” to such attacks.
The bottom line is that they’re after one of two things: to trick you into wiring funds to them, and/or to get hold of your personally identifiable information (PII), including bank account and Social Security Numbers (SSNs). This personal data can subsequently be used to defraud you or the IRS, or may be deployed in follow-on identity fraud schemes to capture illicit funds from you.
There are various ways cyber-criminals can achieve these goals. The most common is by using social engineering tactics to trick taxpayers into sending money or personal information. But they might also use malware, either delivered to you personally or targeted at your tax preparer. This means you not only have to look after your own cybersecurity but also demand that the third-party businesses you work with store and transmit your sensitive information securely.
Look out for these scams
Here’s a round-up of the most popular tactics used by tax scammers today:
Impersonation: The fraudster gets in touch pretending to be an IRS representative. This could be via email, phone, social media or even SMS. They usually claim you owe the IRS money in unpaid taxes or fines and demand a wire transfer, or funds from a prepaid debit card. Sometimes they may ask for personal and financial details—for example, by claiming you’re entitled to a large tax refund and they just need you to supply your bank account info.
These interactions are usually pushy. The scammer knows the best way of making you pay up is by creating a sense of urgency and, sometimes, shaming the individual into believing they’ve been withholding tax payments. Phishing emails may look highly convincing, right down to the logo and sender domain, while phone callers will use fake names and badge numbers. Sometimes the scammers use personal data they may have stolen previously or bought on the Dark Web to make their communications seem more convincing.
In some impersonation scams, the fraudsters may even pretend to work for charities and ask for personal details to help disaster victims with tax refund claims.
Spoofing, phishing, and malware: In some cases, a text, email or social media message spoofed to appear as if sent from the IRS or your tax preparer actually contains malware. The scammers use the same tactics as above but trick the recipient into clicking on a malicious link or opening an attachment laden with malware. The covert download that follows could result in: theft of your personal information; your computer being completely hijacked by hackers via remote control software; or a ransomware download that locks your computer until you pay a fee.
Fake tax returns: Another trick the scammers employ is to use stolen SSNs and other personal information to file tax returns on your behalf. They can then try to claim a large payment in tax refunds from the IRS. The PII they use to file in your name may have been taken from a third-party source without your knowledge, and the first you might hear of it is when you go to file a legitimate tax return. It can take months to resolve the problem.
Attacks targeting tax preparers: Over half of Americans use third-party tax preparation companies to help them with their returns. However, this offers another opportunity for scammers to get hold of your sensitive information. In one recently discovered campaign, malware deployed on tax preparers’ websites was designed to download to the visitor’s computer as soon as they loaded the page. The IRS warns that businesses large and small are potentially at risk, as scammers are keen to get hold of tax information which enables them to file highly convincing fake returns in your name.
What to do
The good news is that by taking a few simple steps you can insulate yourself from the worst of these scams. Remember: the IRS does not contact taxpayers by email, text messages or social media to request personal/financial information— so if you receive communications that do, they are definitely a scam. It’s also important to remember that scams happen all year round, not just in the run-up to the tax filing deadline. That means, unfortunately, that you need to be on your guard all the time.
Here are a few other recommendations:
|
|
It also pays to demand that your tax preparer take their own precautions to keep your data secure. They should not be sending sensitive data or documents unencrypted in emails and must take steps on their own to combat phishing emails that target employees, since these can cascade to you during your tax preparation process. Whether hosted in the cloud or running on-premises, the servers that hold your data should also have adequate protection—and you have a right (and a duty to yourself) to ask ahead of time what they’re doing to protect it.
According to the IRS tax preparers should put the following internal controls in place:
|
|
How Trend Micro can help
Trend Micro offers a range of security tools to help taxpayers keep their personal and financial information safe from fraudsters.
Our flagship consumer solution Trend Micro Security (TMS) provides the following protections:
|
|
To find out more, go to our Trend Micro Security website.
The post Tax Scams – Everything you need to know to keep your money and data safe appeared first on .
We’re all getting a little more worldly wise to the dangers that lurk around every corner of our digital lives. We know that the flipside of being able to shop, chat, bank and share online at the push of a button is the risk of data theft, ransomware and identity fraud. That’s why we protect our families’ PCs and mobile devices with security solutions from proven providers like Trend Micro, and take extra care each time we fire up the internet.
But what about the firms that we entrust to handle our data securely?
Unfortunately, many of these organizations still aren’t doing enough to protect our personal and financial information. It could be data we enter online to pay for an item or open an account. Or it could be payment card details that we’ve used at a local outlet which are subsequently stored online. These companies are big targets for the bad guys, who only have to get lucky once to crack open an Aladdin’s Cave of lucrative customer data.
What does this mean? That data breaches are the new normal. Last year in the US there were a reported 1,473 of these incidents, exposing nearly 165 million customer records. The latest affected customers of convenience store and gas station chain Wawa — and it could be one of the biggest ever, affecting 30 million cards.
Let’s take a look at what happened, and what consumers can do to steal a march on the bad guys.
What happened this time?
Wawa first notified its customers of a payment card breach in December 2019. But although the firm discovered malware on its payment processing servers that month, it had actually been sitting there since March, potentially siphoning card data silently from every single Wawa location. That’s more than 850 stores, across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington DC.
The company itself has so far declined to put a number on how many customers have been affected. However, while cardholders were still wondering whether they’ve been impacted or not, something else happened. At the end of January, a hacker began to upload the stolen cards to a notorious dark web marketplace, known as Joker’s Stash.
They are claiming to have 30 million stolen cards in total, which if accurate could make this one of the biggest card breaches of its kind, placing it alongside other incidents at Home Depot (2014) and Target (2013).
How does it affect me?
Once the data goes on sale on a dark web market like this, it is usually bought by scammers, who use it in follow-on identity fraud attacks. In this case, the stolen data includes debit and credit card numbers, expiration dates and cardholder names, but not PINs or CVV records. That means they can’t be used at ATMs and fraudsters will find it hard to use the cards online, as most merchants require the CVV number.
However, if the cards are of the old magstripe type, they could be cloned for use in face-to-face transactions.
Although Wawa said it has informed the relevant card issuers and brands, the cardholders themselves must monitor their cards for unusual transactions and then report to their issuer “in a timely manner” if they want to be reimbursed for any fraudulent usage. This can be a distressing, time-consuming process.
What should I do next?
This is by no means the first and it won’t be the last breach of this kind. In the past, data stolen from customers of Hilton Hotels, supermarket chain Hy-Vee, retailer Bebe Stores, and restaurant chains including Krystal, Moe’s and Schlotzsky’s has turned up for sale on Joker’s Stash. It can be dispiriting for consumers to see their personal data time and again compromised in this way by cyber-criminals.
Too often in the aftermath of such incidents, the customers themselves are left in the dark. There is no information on whether they’ve definitively had their personal or card data stolen, just an ominous sense that something bad may be about to happen. If the company itself doesn’t even know how many cards have been affected, how can you act decisively?
Credit monitoring is often provided by breached firms, but this is a less-than-perfect solution. For one thing, such services only alert the user if a new line of credit is being opened in their name — not if a stolen card is being used. And second, they only raise the alarm after the incident, by which time the fraudsters may already have made a serious dent in your finances.
Monitoring your bank account for fraudulent transactions is arguably more useful in cases like the Wawa breach, but it’s still too reactive. Here’s a handy 2-step plan which could provide better results:
Step 1: Dark web monitoring works
To get more proactive, consumers need Dark Web monitoring. These tools typically scour dark web sites like Joker’s Stash to look for your personal information. The beauty of this approach is that it can raise the alarm after a breach has occurred, when the data is posted to the Dark Web, but before a fraudster has had time to monetize your stolen details. With this information, you can proactively request that your lender block a particular card and issue a new one.
This approach works for all personal data you may want to keep protected, including email addresses, driver’s license, passport numbers and passwords.
Step 2: Password protection
Once you’ve determined that your data has been part of a breach and is being sold on the dark web, one of the most important things you can do is to change your passwords to any stolen accounts, in order to minimize the potential damage that fraudsters can do.
This is where password manager tools can come in very handy. They allow users to store and recall long, strong and unique credentials for each of the websites and apps they use. This means that if one password is compromised, as in a breach scenario, your other accounts will remain secure. It also makes passwords harder for hackers to guess, which they may try to do with automated tools if they already have your email address.
Following a breach, it also makes sense to look out for follow-on phishing attacks which may try to trick you into handing over more information to the fraudsters. Here are a few tips:
|
|
How Trend Micro can help
Fortunately, Trend Micro has several products that can help you, as a potential or actual victim of a data breach, to proactively mitigate the fallout from a serious security incident, or to foil the fraudsters:
Trend Micro ID Security: checks if your personal information has been uploaded to Dark Web sites by hackers. This highly secure service, available in apps for Android and iOS mobile devices, uses data hashing and an encrypted connected to keep your details safe, alerting when it has found a match on the Dark Web so you can take action. Use it to protect your emails, credit card numbers, passwords, bank accounts, passport details and more.
Trend Micro Password Manager: provides a secure place to store, manage and update your passwords. It remembers your log-ins, so you can create secure and unique credentials for each website/app you need to sign-in to. This means if one site is breached, hackers will not be able to use that password to open your other accounts. Password Manager is available for Windows, Mac, iOS, and Android, synchronizing your passwords across all four platforms.
Trend Micro Fraud Buster: is a free online service you can use to check suspicious emails It uses advanced machine learning technology to identify scam emails that don’t contain malicious URLs or attachments but still pose a risk to the user, because the email (which may be extortionist) reflects the fact that the fraudster probably got your email address from the Dark Web in the first place. Users can then decide to report the scam, get more details, or proceed as before.
Fraud Buster is also now integrated into Trend Micro Security for Windows, protecting Gmail and Outlook webmail in Internet Explorer, Chrome, and Firefox. It’s also integrated in Trend Micro Antivirus for Mac, where it does the same for Gmail webmail in Safari, Chrome and Firefox on the Mac.
In the end, only you can guard your identity credentials with vigilance.
The post The Wawa Breach: 30 Million Reasons to Try Dark Web Monitoring appeared first on .
The Mac has always been pretty easy to use, but even the most ardent Mac supporters know there comes a time when their Mac is no longer new and they notice slowdowns in its performance, particularly after intensive use. They’d like a handy one-stop tool to help them optimize memory and CPU performance, free up disk space, and generally speed up their Mac, since they don’t want to dig around in the MacOS for buried utilities they don’t know how to use. Fortunately, Trend Micro has a solution for that.
Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac’s performance. Cleaner One Pro includes a number of Mac housecleaning tools such as a Memory Optimizer, a Junk Files cleaner, a Big Files scanner, a Duplicate Files finder, an App Manager, a File Shredder, and a Disk Map. These functions are all rolled into an easy-to-use interface that helps you visualize your Mac’s usage, while freeing up memory and storage on your Mac.
In this two-part blog, we will show you how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, we focus on Quick Optimizer, the Main Console, and the Cleaning Tools. In Part 2, we’ll focus on System and Application Management, Privacy Protection, and some Other Options.
Once you’ve installed Cleaner One Pro, its Quick Optimizer appears in the Apple Menu, with handy tools to speed up your Mac. Click the icon and it displays a Console that monitors your Memory, Junk Files, CPU, and Network Usage, while letting you Optimize your Memory Usage and Clean your Junk Files with just one click. System Optimizer opens a Window onto the contents of your Mac for more detailed management.
Memory Optimizer
There are applications running in the background of your Mac that take up physical memory and affect its performance. The Memory Optimizer gives you control over how your computer consumes its memory resources—and you can free up your Mac’s memory in seconds with just one click on the Optimize button. If you want to see which apps are taking up significant memory, you can click the three-dot icon next to Memory Usage. It will show your Mac’s memory usage by app, in descending order. Click the Information (i) icon in the Memory Usage window for a breakdown of the types of memory being used.
Junk files, temporary files, system files and other non-essential items will accumulate on your Mac over time. These files take up a lot of space on your hard drive and may degrade the performance of your Mac as you reach higher disk usage. Click the Clean button and the Junk Files cleaner quickly removes application cache, system log files, update files, temporary files and hidden leftover files. You can also see the details of the identified Junk Files by clicking the three-dot icon next to Junk Files.
When your computer starts to run slowly it’s helpful to have a snapshot of its CPU usage. With this feature, you can see which apps are using significant CPU resources and how much percentage they’re using. It also let you know how long your computer has been up and running, since system reliability can degrade if it’s been awhile since you restarted your Mac.
If you want to keep an eye on your bandwidth consumption and avoid exceeding data caps, it’s useful to know the real-time download and upload speeds on your Mac. The Network Usage Monitor also provides a view of other network related information such as your Wi-Fi signal quality.
The Main Console is the core workplace in Trend Micro Cleaner One Pro and provides the following features, which are presented here grouped by purpose:
|
|
To access the Main Console, click System Optimizer in the Cleaner One Pro Apple Menu. The first time you do, you’ll need to authorize full access to your disk, so Cleaner One Pro can access more junk files. Simply click Grant Access in the System Optimizer window and watch the video or follow the written instructions. Complete the steps by closing Cleaner One Pro, then reload it. You’re now ready to begin optimizing.
The hard drive on your Mac holds the entire Mac operating system and important files including your data. As you use your Mac, over time its hard drive will accumulate junk files. These junk files are generated by the system and other programs. Cleaner One Pro is equipped with advanced and efficient algorithms that scan and remove junk files within seconds. Click Scan to scan for Junk Files and when the scan is done, either check a whole category or individual items in the category, then click Remove.
You may have a lot of clutter on your Mac in the form of big or old files that you probably no longer need and may have just forgotten about. Removing big unused files can recover a lot of disk space, but it could be time-consuming to delete them if done manually. Also, it is hard to select files for deletion if you don’t know the proper context— where the files are stored or how important they may be.
Big Files scanner provides a big file collector where you can easily spot and remove these files if you don’t need them anymore. Additionally, if you hover your mouse on a file, you’ll see a magnifier and a lock icon. Once you click the magnifier icon, you’ll locate the actual file. If you click the lock icon, the file will be added to the Ignore List, which will be locked.
Disk Map is a significant tool that helps you analyze the usage of your storage in a visual and interactive map. It quickly scans your drive and builds a visualization of files on the target folder of your Mac, allowing you to easily navigate the system. With Disk Map, you can find out the date when the file/folder was created, modified, and last opened. Furthermore, hovering your mouse on a folder then clicking the magnifier icon will direct you to the file’s location.
Another practice that you are probably comfortable doing is backing-up important files, photos, program installation files and apps on your hard drive. While this is a good practice, it creates duplicate files on your Mac that eventually add clutter and consume disk space. It’s also hard to find files in name searches when you have too many of them.
The Duplicate Files function lets you select a source folder where it will inspect and identify duplicate files on your Mac. In the scan results, an option called “Auto Select” helps you automatically select duplicate files. The information provided by “Auto Select” is listed below:
|
|
You can choose Remove to Trash or Delete Permanently on the confirmation page.
Often, you organize pictures of travels and life events, and also keep a copy to ensure you don’t lose those captured moments. But as digital photos pile up, often similar to others on your drive, they take up a lot of space. To assist you cleaning these up, use Similar Photos, and then choose your photo library to scan the photos on your Mac.
The result will display similar photos and you can choose the ones you don’t need, and the files will be added in the selected list. Click the Remove button to completely delete them from your hard drive.
That’s it for now! The second part of this blog will take up the remaining toolsets of Trend Micro Cleaner One Pro.
Go to Cleaner One Mac for more information or to purchase the app.
The post Cleaner One Pro Speeds Up Your Mac: Part 1 appeared first on .
In Part 1 of this blog, we introduced Trend Micro Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the Quick Optimizer, the Main Console, and the Cleaning Tools. In Part 2, we resume the discussion of how to make your Mac run faster with the remaining Cleaner One Pro features: System and Application Management, Privacy Protection, and Other Options.
Your Mac may get sluggish after a year or two of usage and you may find that booting up takes a lot longer. Doing a Startup Manager scan can help you reduce slowdown due to unwanted startup programs and services, to help your Mac boot faster.
Upon completing the scan, Startup Manager will identify apps under two categories: Login Items and Launch Agents.
Login Items are apps that run automatically upon login. You can manage these apps by enabling them to run automatically or disabling them to make your Mac more efficient. If you don’t need autorun, you can remove the apps from the list.
Launch Agents are background services that run automatically on System startup for the extension features of apps. You can manage these services by letting them run automatically or by disabling them to make your Mac boot faster. Similarly, you can remove these agents if you don’t need them or they’re broken.
When a user installs an app that doesn’t meet their expectations, they’ll never use it again. In many cases, they remove the app by simply dragging it into the trash, assuming the action completely removes the app, but this is not always true. When you uninstall an app, there are often associated files left on your Mac, even after you have emptied the Trash. They’re known as leftovers.
Leftovers are an app’s associated files and folders that can include different languages, log files, agents, or processes that might try to start an application. App Manager aims to resolve this and helps you clean up your Mac by completely removing app leftovers. App Manager detects all app leftovers automatically so you can remove them with just one click.
Data security and privacy are especially important and managing these applies to anyone collecting and keeping data. Data that has reached its retention limit needs to be permanently removed from your file system and to be sure it can’t be recovered you need to overwrite the file with random series of binary data multiple times. This process is often referred to as shredding. With File Shredder, you can remove sensitive files from your hard disk without worrying that they can be recovered.
Preferences allows you to manage how the Cleaner One Pro app performs. In Preferences, you’ll see General, Notifications, Memory, Duplicates, Whitelists and Auto Select.
On the General tab, you can choose Auto start at login and other options according to how you would like Cleaner One Pro to behave during startup.
On the Notifications tab, you can disable the notification about smart memory optimization.
Cleaner One Pro is also equipped with a Smart Memory Optimization feature on the Memory tab. This feature uses artificial intelligence. You can set auto clean when your available memory is low or when an app is closed.
The Duplicates, Whitelists and Auto Select tabs work when you use the Duplicate Files feature on the main console. When there are too many duplicate files on your Mac, you can set the rules on the minimum file size, as well as which files to exempt or prioritize during deletion.
If you need technical assistance about Cleaner One Pro, click the robot icon either in the Apple Menu window or on the Main Console.
A chat support person will attend to your concerns or suggestions when using Cleaner One Pro. In case there is no available support engineer, you can send an email by clicking Send Email. Make sure to provide the correct email address.
Aside from Cleaner One Pro for Mac, we offer Antivirus One for Mac—as well as Cleaner One for iPhone, which you can download by scanning the QR Code. You can also submit your ideas for Other Tools by clicking the panel.
As you use your Mac over time, you need to maintain it to keep it running smoothly. Trend Micro Cleaner One Pro can clean up your disk space, help boost performance, and solve other Mac issues you might encounter during your daily work. As you consider it for your Mac, you may have remaining questions:
What’s the difference between the Free version and the Paid version? The Free version of Cleaner One Pro includes the Memory Optimizer, basic CPU and Network Monitoring, a Junk Files Cleaner, a Big Files Scanner, a Disk Map, and the Startup Manager. The Paid upgrade of Cleaner One Pro unlocks more features, including more Advanced CPU/Network Monitoring, a Duplicate Finder, a Similar Photos Scanner, an App Manager, and a File Shredder.
Is it safe to use Cleaner One Pro? Cleaner One Pro is notarized by Apple, which assures its users both security and privacy.
How can I download Cleaner One Pro? Cleaner One Pro is distributed via the official Trend Micro website and other authorized channels. Note that Cleaner One Pro is also available for Windows. To make it easy for the readers of this blog series, we’ve provided the download links here: Download Mac Version – Download Windows Version
Go to Cleaner One Windows or to Cleaner One Mac for more information or to purchase the apps.
The post Cleaner One Pro Speeds Up Your Mac: Part 2 appeared first on .
“We’re here to serve” is Benny Yazdanpanahi’s motto as CIO for City of Tyler located in Texas. Supporting a population of approximately 107,000, Yazdanpanahi’s vision for his city relies on the use of data to deliver exceptional services to citizens, today and into the future.
Since joining the city nearly 19 years ago, Yazdanpanahi has continually challenged himself and his small IT team to stay agile and to keep the needs of the city’s citizens at the forefront. Today, Yazdanpanahi and his team use IT systems to make more informed decisions, enhance community services, and improve public safety.
“Our citizens, and especially the younger generation, want immediate access to information and online services,” said Yazdanpanahi. “We want to keep pace with the latest technologies, not only for citizens but also to make our city employees more effective and efficient.”
But Yazdanpanahi knows that a highly secure IT environment is essential to their continued success. “Many US cities have been hacked, so security is on top of everyone’s mind. As a city, we want to provide great services, but we have to provide them in a highly secure manner.”
To accomplish those security goals with limited resources and staff, Tyler’s leaders have been collaborating with Trend Micro for several years. The cybersecurity giant has brought a hands-on approach and an ability to stay ahead of the threats. Their adaptability to the threat landscape strengthens the city’s security posture and empowers the IT team to focus on serving the community.
The city has been able to stay secure without additional staff and resources. City employees don’t spend time resolving IT issues and improve their productivity to focus on things that mater for the city.
“If you don’t collaborate with a partner that’s highly experienced in the security field, you can easily get blindsided,” said Yazdanpanahi. “We need someone there, day in and out, focused on security. Trend Micro knows how to protect cities like us. They provide the kind of north, south, east, and west protection that makes my job easier and allows us to use our data to accomplish new, exciting things for our city.”
Read more about Benny’s journey to securing the city:
https://www.trendmicro.com/en_ca/about/customer-stories/city-of-tyler.html
The post Connected Security Solutions Helps City of Tyler’s CIO to Reduce Costs While Enabling Delivery of Enhanced Community & Public Safety Services appeared first on .
Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. Today we released the second in this three-part series of reports which detail the what, how, and why of cybercriminal hosting (see the first part here).
As part of this report, we dive into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals. It’s also important to note that regardless of whether a company’s server is on-premise or cloud-based, criminals don’t care what kind of server they compromise.
To a criminal, any server that is exposed or vulnerable is fair game.
Cloud vs. On-Premise Servers
Cybercriminals don’t care where servers are located. They can leverage the storage space, computation resources, or steal data no matter what type of server they access. Whatever is most exposed will most likely be abused.
As digital transformation continues and potentially picks up to allow for continued remote working, cloud servers are more likely to be exposed. Many enterprise IT teams, unfortunately, are not arranged to provide the same protection for cloud as on-premise servers.
As a side note, we want to emphasize that this scenario applies only to cloud instances replicating the storage or processing power of an on-premise server. Containers or serverless functions won’t fall victim to this same type of compromise. Additionally, if the attacker compromises the cloud account, as opposed to a single running instance, then there is an entirely different attack life cycle as they can spin up computing resources at will. Although this is possible, however, it is not our focus here.
Attack Red Flags
Many IT and security teams might not look for earlier stages of abuse. Before getting hit by ransomware, however, there are other red flags that could alert teams to the breach.
If a server is compromised and used for cryptocurrency mining (also known as cryptomining), this can be one of the biggest red flags for a security team. The discovery of cryptomining malware running on any server should result in the company taking immediate action and initiating an incident response to lock down that server.
This indicator of compromise (IOC) is significant because while cryptomining malware is often seen as less serious compared to other malware types, it is also used as a monetization tactic that can run in the background while server access is being sold for further malicious activity. For example, access could be sold for use as a server for underground hosting. Meanwhile, the data could be exfiltrated and sold as personally identifiable information (PII) or for industrial espionage, or it could be sold for a targeted ransomware attack. It’s possible to think of the presence of cryptomining malware as the proverbial canary in a coal mine: This is the case, at least, for several access-as-a-service (AaaS) criminals who use this as part of their business model.
Attack Life Cycle
Attacks on compromised servers follow a common path:
|
|
The monetization lifecycle of a compromised server
Often, targeted ransomware is the final stage. In most cases, asset categorization reveals data that is valuable to the business but not necessarily valuable for espionage.
A deep understanding of the servers and network allows criminals behind a targeted ransomware attack to hit the company where it hurts the most. These criminals would know the dataset, where they live, whether there are backups of the data, and more. With such a detailed blueprint of the organization in their hands, cybercriminals can lock down critical systems and demand higher ransom, as we saw in our 2020 midyear security roundup report.
In addition, while a ransomware attack would be the visible urgent issue for the defender to solve in such an incident, the same attack could also indicate that something far more serious has likely already taken place: the theft of company data, which should be factored into the company’s response planning. More importantly, it should be noted that once a company finds an IOC for cryptocurrency, stopping the attacker right then and there could save them considerable time and money in the future.
Ultimately, no matter where a company’s data is stored, hybrid cloud security is critical to preventing this life cycle.
The post The Life Cycle of a Compromised (Cloud) Server appeared first on .
How public-key cryptography works Public-key or asymmetric cryptography is one of the two main types of encryption algorithms. Its names come from the fact that it uses two different encryption keys: a public one and a private one. Public and private keys The private key used in public-key cryptography is a random number with certain […]
The post Public-Key Cryptography in Blockchain appeared first on Infosec Resources.
Introduction: This article provides an overview of various techniques that can be used to mitigate Format String vulnerabilities. In addition to the mitigations that are offered by the compilers & operating systems, we will also discuss preventive measures that can be used while writing programs in languages susceptible to Format String vulnerabilities. Techniques to prevent […]
The post How to mitigate Format String Vulnerabilities appeared first on Infosec Resources.
We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.
The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.
It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.
How identity theft works
First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.
Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.
At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.
There are various ways for attackers to get your data. The main ones are:
|
|
The COVID-19 challenge
As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.
Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.
What do cybercriminals do with my identity data?
Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:
|
|
How do I protect my identity online?
The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:
|
|
How Trend Micro can help
Trend Micro offers solutions that can help to protect your digital identity.
Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features
|
|
Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.
Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.
In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.
The post Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis appeared first on .
Introduction In the previous articles, we discussed printing functions, format strings and format string vulnerabilities. This article provides an overview of how Format String vulnerabilities can be exploited. In this article, we will begin by solving a simple challenge to leak a secret from memory. In the next article, we will discuss another example, where […]
The post How to exploit Format String Vulnerabilities appeared first on Infosec Resources.
Introduction This article provides an overview of how printing functions work and how format strings are used to format the data being printed. Developers often use print functions for a variety of reasons such as displaying data to the users and printing debug messages. While these print functions appear to be innocent, they can cause […]
The post Introduction to Printing and Format Strings appeared first on Infosec Resources.
Introduction In cryptography, a key is a very important piece of information used to combine with an algorithm (a cipher) to transform plaintext into ciphertext (encryption). The first step of preventive security is not encryption; however, the proper management of a cryptographic key is essential. Key management includes the generating, using, storing, archiving and deleting […]
The post The ultimate guide to encryption key management appeared first on Infosec Resources.
Introduction: An overview of the NICE Cybersecurity Workforce Framework In 2017, the National Institute of Standards and Technology (NIST) published Special Publication 800-181, the NICE Cybersecurity Workforce Framework (or NICE Framework); the document categorizes and describes cybersecurity work as well as the knowledge, skills and abilities (KSAs) needed by professionals to complete tasks in the […]
The post How to use the NICE Cybersecurity Workforce Framework to plan career progression: A practitioners’ guide appeared first on Infosec Resources.
This is the first in a multi-part blog series on cryptography and the Domain Name System (DNS).
As one of the earliest protocols in the internet, the DNS emerged in an era in which today’s global network was still an experiment. Security was not a primary consideration then, and the design of the DNS, like other parts of the internet of the day, did not have cryptography built in.
Today, cryptography is part of almost every protocol, including the DNS. And from a cryptographer’s perspective, as I described in my talk at last year’s International Cryptographic Module Conference (ICMC20), there’s so much more to the story than just encryption.
The first broad-scale deployment of cryptography in the DNS was not for confidentiality but for data integrity, through the Domain Name System Security Extensions (DNSSEC), introduced in 2005.
The story begins with the usual occurrence that happens millions of times a second around the world: a client asks a DNS resolver a query like “What is example.com’s Internet Protocol (IP) address?” The resolver in this case answers: “example.com’s IP address is 93.184.216.34”. (This is the correct answer.)
If the resolver doesn’t already know the answer to the request, then the process to find the answer goes something like this:
But how does the resolver know that the answer it ultimately receives is correct? The process defined by DNSSEC follows the same “delegation” model from root to TLD to SLD as I’ve described above.
Indeed, DNSSEC provides a way for the resolver to check that the answer is correct by validating a chain of digital signatures, by examining digital signatures at each level of the DNS hierarchy (or technically, at each “zone” in the delegation process). These digital signatures are generated using public key cryptography, a well-understood process that involves encryption using key pairs, one public and one private.
In a typical DNSSEC deployment, there are two active public keys per zone: a Key Signing Key (KSK) public key and a Zone Signing Key (ZSK) public key. (The reason for having two keys is so that one key can be changed locally, without the other key being changed.)
The responses returned to the resolver include digital signatures generated by either the corresponding KSK private key or the corresponding ZSK private key.
Using mathematical operations, the resolver checks all the digital signatures it receives in association with a given query. If they are valid, the resolver returns the “Digital Signature Validated” indicator to the client that initiated the query.
A convenient way to visualize the collection of digital signatures is as a “trust chain” from a “trust anchor” to the DNS record of interest, as shown in the figure above. The chain includes “chain links” at each level of the DNS hierarchy. Here’s how the “chain links” work:
The root KSK public key is the “trust anchor.” This key is widely distributed in resolvers so that they can independently authenticate digital signatures on records in the root zone, and thus authenticate everything else in the chain.
The root zone chain links consist of three parts:
The TLD zone chain links also consist of three parts:
The SLD zone chain links once more consist of three parts:
A resolver (or anyone else) can thereby verify the signature on any set of DNS records given the chain of public keys leading up to the trust anchor.
Note that this is a simplified view, and there are other details in practice. For instance, the various KSK public keys are also signed by their own private KSK, but I’ve omitted these signatures for brevity. The DNSViz tool provides a very nice interactive interface for browsing DNSSEC trust chains in detail, including the trust chain for example.com discussed here.
The effort to update the root KSK public key, the aforementioned “trust anchor” was one of the challenging and successful projects by the DNS community over the past couple of years. This initiative – the so-called “root KSK rollover” – was challenging because there was no easy way to determine whether resolvers actually had been updated to use the latest root KSK — remember that cryptography and security was added on rather than built into the DNS. There are many resolvers that needed to be updated, each independently managed.
The research paper “Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover” details the process of updating the root KSK. The paper, co-authored by Verisign researchers and external colleagues, received the distinguished paper award at the 2019 Internet Measurement Conference.
I’ve focused here on how a resolver validates correctness when the response to a query has a “positive” answer — i.e., when the DNS record exists. Checking correctness when the answer doesn’t exist gets even more interesting from a cryptographer’s perspective. I’ll cover this topic in my next post.
Read the complete six blog series:
The post The Domain Name System: A Cryptographer’s Perspective appeared first on Verisign Blog.
This is the second in a multi-part blog series on cryptography and the Domain Name System (DNS).
In my previous post, I described the first broad scale deployment of cryptography in the DNS, known as the Domain Name System Security Extensions (DNSSEC). I described how a name server can enable a requester to validate the correctness of a “positive” response to a query — when a queried domain name exists — by adding a digital signature to the DNS response returned.
The designers of DNSSEC, as well as academic researchers, have separately considered the answer of “negative” responses – when the domain name doesn’t exist. In this case, as I’ll explain, responding with a signed “does not exist” is not the best design. This makes the non-existence case interesting from a cryptographer’s perspective as well.
Consider a domain name like example.arpa that doesn’t exist.
If it did exist, then as I described in my previous post, the second-level domain (SLD) server for example.arpa would return a response signed by example.arpa’s zone signing key (ZSK).
So a first try for the case that the domain name doesn’t exist is for the SLD server to return the response “example.arpa doesn’t exist,” signed by example.arpa’s ZSK.
However, if example.arpa doesn’t exist, then example.arpa won’t have either an SLD server or a ZSK to sign with. So, this approach won’t work.
A second try is for the parent name server — the .arpa top-level domain (TLD) server in the example — to return the response “example.arpa doesn’t exist,” signed by the parent’s ZSK.
This could work if the .arpa DNS server knows the ZSK for .arpa. However, for security and performance reasons, the design preference for DNSSEC has been to keep private keys offline, within the zone’s provisioning system.
The provisioning system can precompute statements about domain names that do exist — but not about every possible individual domain name that doesn’t exist. So, this won’t work either, at least not for the servers that keep their private keys offline.
The third try is the design that DNSSEC settled on. The parent name server returns a “range statement,” previously signed with the ZSK, that states that there are no domain names in an ordered sequence between two “endpoints” where the endpoints depend on domain names that do exist. The range statements can therefore be signed offline, and yet the name server can still choose an appropriate signed response to return, based on the (non-existent) domain name in the query.
The DNS community has considered several approaches to constructing range statements, and they have varying cryptographic properties. Below I’ve described two such approaches. For simplicity, I’ve focused just on the basics in the discussion that follows. The astute reader will recognize that there are many more details involved both in the specification and the implementation of these techniques.
The first approach, called NSEC, involved no additional cryptography beyond the DNSSEC signature on the range statement. In NSEC, the endpoints are actual domain names that exist. NSEC stands for “Next Secure,” referring to the fact that the second endpoint in the range is the “next” existing domain name following the first endpoint.
The NSEC resource record is documented in one of the original DNSSEC specifications, RFC4033, which was co-authored by Verisign.
The .arpa zone implements NSEC. When the .arpa server receives the request “What is the IP address of example.arpa,” it returns the response “There are no names between e164.arpa and home.arpa.” This exchange is shown in the figure below and is analyzed in the associated DNSviz graph. (The response is accurate as of the writing of this post; it could be different in the future if names were added to or removed from the .arpa zone.)
NSEC has a side effect: responses immediately reveal unqueried domain names in the zone. Depending on the sensitivity of the zone, this may be undesirable from the perspective of the minimum disclosure principle.
A second approach, called NSEC3 reduces the disclosure risk somewhat by defining the endpoints as hashes of existing domain names. (NSEC3 is documented in RFC 5155, which was also co-authored by Verisign.)
An example of NSEC3 can be seen with example.name, another domain that doesn’t exist. Here, the .name TLD server returns a range statement that “There are no domain names with hashes between 5SU9… and 5T48…”. Because the hash of example.name is “5SVV…” the response implies that “example.name” doesn’t exist.
This statement is shown in the figure below and in another DNSviz graph. (As above, the actual response could change if the .name zone changes.)
To find out which domain name corresponds to one of the hashed endpoints, an adversary would have to do a trial-and-error or “dictionary” attack across multiple guesses of domain names, to see if any has a matching hash value. Such a search could be performed “offline,” i.e., without further interaction with the name server, which is why the disclosure risk is only somewhat reduced.
NSEC and NSEC3 are mutually exclusive. Nearly all TLDs, including all TLDs operated by Verisign, implement NSEC3. In addition to .arpa, the root zone also implements NSEC.
In my next post, I’ll describe NSEC5, an approach still in the experimental stage, that replaces the hash function in NSEC3 with a verifiable random function (VRF) to protect against offline dictionary attacks. I’ll also share some research Verisign Labs has done on a complementary approach that helps protect a client’s queries for non-existent domain names from disclosure.
Read the complete six blog series:
The post Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3 appeared first on Verisign Blog.
This is the third in a multi-part blog series on cryptography and the Domain Name System (DNS).
In my last post, I looked at what happens when a DNS query renders a “negative” response – i.e., when a domain name doesn’t exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries.
The concepts I discuss below are topics we’ve studied in our long-term research program as we evaluate new technologies. They do not necessarily represent Verisign’s plans or position on a new product or service. Concepts developed in our research program may be subject to U.S. and international patents and patent applications.
NSEC5 is a result of research by cryptographers at Boston University and the Weizmann Institute. In this approach, which is still in an experimental stage, the endpoints are the outputs of a verifiable random function (VRF), a cryptographic primitive that has been gaining interest in recent years. NSEC5 is documented in an Internet Draft (currently expired) and in several research papers.
A VRF is like a hash function but with two important differences:
So, it’s not only hard for an adversary to reverse the VRF – which is also a property the hash function has – but it’s also hard for the adversary to compute the VRF in the forward direction, thus preventing dictionary attacks. And yet a relying party can still confirm that the VRF output for a given input is correct, because of the proof.
How does this work in practice? As in NSEC and NSEC3, range statements are prepared in advance and signed with the zone signing key (ZSK). With NSEC5, however, the range endpoints are two consecutive tokens.
When a domain name doesn’t exist, the name server applies the VRF to the domain name to obtain a token and a proof. The name sever then returns a range statement where the token falls within the range, as well as the proof, as shown in the figure below. Note that the token values are for illustration only.
Because the range statement reveals only tokenized versions of other domain names in a zone, an adversary who doesn’t know the private key doesn’t learn any new existing domain names from the response. Indeed, to find out which domain name corresponds to one of the tokenized endpoints, the adversary would need access to the VRF itself to see if a candidate domain name has a matching hash value, which would involve an online dictionary attack. This significantly reduces disclosure risk.
The name server needs a copy of the zone’s NSEC5 private key so that it can generate proofs for non-existent domain names. The ZSK itself can stay in the provisioning system. As the designers of NSEC5 have pointed out, if the NSEC5 private key does happen to be compromised, this only makes it possible to do a dictionary attack offline— not to generate signatures on new range statements, or on new positive responses.
NSEC5 is interesting from a cryptographer’s perspective because it uses a less common cryptographic technique, a VRF, to achieve a design goal that was at best partially met by previous approaches. As with other new technologies, DNS operators will need to consider whether NSEC5’s benefits are sufficient to justify its cost and complexity. Verisign doesn’t have any plans to implement NSEC5, as we consider NSEC and NSEC3 adequate for the name servers we currently operate. However, we will continue to track NSEC5 and related developments as part of our long-term research program.
A few years before NSEC5 was published, Verisign Labs had started some research on an opposite application of tokenization to the DNS, to protect a client’s information from disclosure.
In our approach, instead of asking the resolver “What is <name>’s IP address,” the client would ask “What is token 3141…’s IP address,” where 3141… is the tokenization of <name>.
(More precisely, the client would specify both the token and the parent zone that the token relates to, e.g., the TLD of the domain name. Only the portion of the domain name below the parent would be obscured, just as in NSEC5. I’ve omitted the zone information for simplicity in this discussion.)
Suppose now that the domain name corresponding to token 3141… does exist. Then the resolver would respond with the domain name’s IP address as usual, as shown in the next figure.
In this case, the resolver would know that the domain name associated with the token does exist, because it would have a mapping between the token and the DNS record, i.e., the IP address. Thus, the resolver would effectively “know” the domain name as well for practical purposes. (We’ve developed another approach that can protect both the domain name and the DNS record from disclosure to the resolver in this case, but that’s perhaps a topic for another post.)
Now, consider a domain name that doesn’t exist and suppose that its token is 2718… .
In this case, the resolver would respond that the domain name doesn’t exist, as usual, as shown below.
But because the domain name is tokenized and no other information about the domain name is returned, the resolver would only learn the token 2718… (and the parent zone), not the actual domain name that the client is interested in.
The resolver could potentially know that the name doesn’t exist via a range statement from the parent zone, as in NSEC5.
How does the client tokenize the domain name, if it doesn’t have the private key for the VRF? The name server would offer a public interface to the tokenization function. This can be done in what cryptographers call an “oblivious” VRF protocol, where the name server doesn’t see the actual domain name during the protocol, yet the client still gets the token.
To keep the resolver itself from using this interface to do an online dictionary attack that matches candidate domain names with tokens, the name server could rate-limit access, or restrict it only to authorized requesters.
Additional details on this technology may be found in U.S. Patent 9,202,079B2, entitled “Privacy preserving data querying,” and related patents.
It’s interesting from a cryptographer’s perspective that there’s a way for a client to find out whether a DNS record exists, without necessarily revealing the domain name of interest. However, as before, the benefits of this new technology will be weighed against its operational cost and complexity and compared to other approaches. Because this technique focuses on client-to-resolver interactions, it’s already one step removed from the name servers that Verisign currently operates, so it is not as relevant to our business today in a way it might have been when we started the research. This one will stay under our long-term tracking as well.
The examples I’ve shared in these last two blog posts make it clear that cryptography has the potential to bring interesting new capabilities to the DNS. While the particular examples I’ve shared here do not meet the criteria for our product roadmap, researching advances in cryptography and other techniques remains important because new events can sometimes change the calculus. That point will become even more evident in my next post, where I’ll consider the kinds of cryptography that may be needed in the event that one or more of today’s algorithms is compromised, possibly through the introduction of a quantum computer.
Read the complete six blog series:
The post Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries appeared first on Verisign Blog.
This is the fourth in a multi-part series on cryptography and the Domain Name System (DNS).
One of the “key” questions cryptographers have been asking for the past decade or more is what to do about the potential future development of a large-scale quantum computer.
If theory holds, a quantum computer could break established public-key algorithms including RSA and elliptic curve cryptography (ECC), building on Peter Shor’s groundbreaking result from 1994.
This prospect has motivated research into new so-called “post-quantum” algorithms that are less vulnerable to quantum computing advances. These algorithms, once standardized, may well be added into the Domain Name System Security Extensions (DNSSEC) — thus also adding another dimension to a cryptographer’s perspective on the DNS.
(Caveat: Once again, the concepts I’m discussing in this post are topics we’re studying in our long-term research program as we evaluate potential future applications of technology. They do not necessarily represent Verisign’s plans or position on possible new products or services.)
The National Institute of Standards and Technology (NIST) started a Post-Quantum Cryptography project in 2016 to “specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.”
Security protocols that NIST is targeting for these algorithms, according to its 2019 status report (Section 2.2.1), include: “Transport Layer Security (TLS), Secure Shell (SSH), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), and Domain Name System Security Extensions (DNSSEC).”
The project is now in its third round, with seven finalists, including three digital signature algorithms, and eight alternates.
NIST’s project timeline anticipates that the draft standards for the new post-quantum algorithms will be available between 2022 and 2024.
It will likely take several additional years for standards bodies such as the Internet Engineering Task (IETF) to incorporate the new algorithms into security protocols. Broad deployments of the upgraded protocols will likely take several years more.
Post-quantum algorithms can therefore be considered a long-term issue, not a near-term one. However, as with other long-term research, it’s appropriate to draw attention to factors that need to be taken into account well ahead of time.
The three candidate digital signature algorithms in NIST’s third round have one common characteristic: all of them have a key size or signature size (or both) that is much larger than for current algorithms.
Key and signature sizes are important operational considerations for DNSSEC because most of the DNS traffic exchanged with authoritative data servers is sent and received via the User Datagram Protocol (UDP), which has a limited response size.
Response size concerns were evident during the expansion of the root zone signing key (ZSK) from 1024-bit to 2048-bit RSA in 2016, and in the rollover of the root key signing key (KSK) in 2018. In the latter case, although the signature and key sizes didn’t change, total response size was still an issue because responses during the rollover sometimes carried as many as four keys rather than the usual two.
Thanks to careful design and implementation, response sizes during these transitions generally stayed within typical UDP limits. Equally important, response sizes also appeared to have stayed within the Maximum Transmission Unit (MTU) of most networks involved, thereby also avoiding the risk of packet fragmentation. (You can check how well your network handles various DNSSEC response sizes with this tool developed by Verisign Labs.)
The larger sizes associated with certain post-quantum algorithms do not appear to be a significant issue either for TLS, according to one benchmarking study, or for public-key infrastructures, according to another report. However, a recently published study of post-quantum algorithms and DNSSEC observes that “DNSSEC is particularly challenging to transition” to the new algorithms.
Verisign Labs offers the following observations about DNSSEC-related queries that may help researchers to model DNSSEC impact:
A typical resolver that implements both DNSSEC validation and qname minimization will send a combination of queries to Verisign’s root and top-level domain (TLD) servers.
Because the resolver is a validating resolver, these queries will all have the “DNSSEC OK” bit set, indicating that the resolver wants the DNSSEC signatures on the records.
The content of typical responses by Verisign’s root and TLD servers to these queries are given in Table 1 below. (In the table, <SLD>.<TLD> are the final two labels of a domain name of interest, including the TLD and the second-level domain (SLD); record types involved include A, Name Server (NS), and DNSKEY.)
| Name Server | Resolver Query Scenario | Typical Response Content from Verisign’s Servers |
| Root | DNSKEY record set for root zone | • DNSKEY record set including root KSK RSA-2048 public key and root ZSK RSA-2048 public key • Root KSK RSA-2048 signature on DNSKEY record set |
| A or NS record set for <TLD> — when <TLD> exists | • NS referral to <TLD> name server • DS record set for <TLD> zone • Root ZSK RSA-2048 signature on DS record set |
|
| A or NS record set for <TLD> — when <TLD> doesn’t exist | • Up to two NSEC records for non-existence of <TLD> • Root ZSK RSA-2048 signatures on NSEC records |
|
| .com / .net | DNSKEY record set for <TLD> zone | • DNSKEY record set including <TLD> KSK RSA-2048 public key and <TLD> ZSK RSA-1280 public key • <TLD> KSK RSA-2048 signature on DNSKEY record set |
| A or NS record set for <SLD>.<TLD> — when <SLD>.<TLD> exists | • NS referral to <SLD>.<TLD> name server • DS record set for <SLD>.<TLD> zone (if <SLD>.<TLD> supports DNSSEC) • <TLD> ZSK RSA-1280 signature on DS record set (if present) |
|
| A or NS record set for <SLD>.<TLD> — when <SLD>.<TLD> doesn’t exist | • Up to three NSEC3 records for non-existence of <SLD>.<TLD> • <TLD> ZSK RSA-1280 signatures on NSEC3 records |
For an A or NS query, the typical response, when the domain of interest exists, includes a referral to another name server. If the domain supports DNSSEC, the response also includes a set of Delegation Signer (DS) records providing the hashes of each of the referred zone’s KSKs — the next link in the DNSSEC trust chain. When the domain of interest doesn’t exist, the response includes one or more Next Secure (NSEC) or Next Secure 3 (NSEC3) records.
Researchers can estimate the effect of post-quantum algorithms on response size by replacing the sizes of the various RSA keys and signatures with those for their post-quantum counterparts. As discussed above, it is important to keep in mind that the number of keys returned may be larger during key rollovers.
Most of the queries from qname-minimizing, validating resolvers to the root and TLD name servers will be for A or NS records (the choice depends on the implementation of qname minimization, and has recently trended toward A). The signature size for a post-quantum algorithm, which affects all DNSSEC-related responses, will therefore generally have a much larger impact on average response size than will the key size, which affects only the DNSKEY responses.
Post-quantum algorithms are among the newest developments in cryptography. They add another dimension to a cryptographer’s perspective on the DNS because of the possibility that these algorithms, or other variants, may be added to DNSSEC in the long term.
In my next post, I’ll make the case for why the oldest post-quantum algorithm, hash-based signatures, could be a particularly good match for DNSSEC. I’ll also share the results of some research at Verisign Labs into how the large signature sizes of hash-based signatures could potentially be overcome.
Read the complete six blog series:
The post Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon appeared first on Verisign Blog.
This is the fifth in a multi-part series on cryptography and the Domain Name System (DNS).
In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC).
In this post, I’ll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability.
I’ll also describe Verisign Labs research into a new concept called synthesized zone signing keys that could mitigate the impact of the large signature size for hash-based signatures, while still maintaining this family’s protections against quantum computing.
(Caveat: The concepts reviewed in this post are part of Verisign’s long-term research program and do not necessarily represent Verisign’s plans or positions on new products or services. Concepts developed in our research program may be subject to U.S. and/or international patents and/or patent applications.)
The DNS community’s root key signing key (KSK) rollover illustrates how complicated a change to DNSSEC infrastructure can be. Although successfully accomplished, this change was delayed by ICANN to ensure that enough resolvers had the public key required to validate signatures generated with the new root KSK private key.
Now imagine the complications if the DNS community also had to ensure that enough resolvers not only had a new key but also had a brand-new algorithm.
Imagine further what might happen if a weakness in this new algorithm were to be found after it was deployed. While there are procedures for emergency key rollovers, emergency algorithm rollovers would be more complicated, and perhaps controversial as well if a clear successor algorithm were not available.
I’m not suggesting that any of the post-quantum algorithms that might be standardized by NIST will be found to have a weakness. But confidence in cryptographic algorithms can be gained and lost over many years, sometimes decades.
From the perspective of infrastructure stability, therefore, it may make sense for DNSSEC to have a backup post-quantum algorithm built in from the start — one for which cryptographers already have significant confidence and experience. This algorithm might not be as efficient as other candidates, but there is less of a chance that it would ever need to be changed. This means that the more efficient candidates could be deployed in DNSSEC with the confidence that they have a stable fallback. It’s also important to keep in mind that the prospect of quantum computing is not the only reason system developers need to be considering new algorithms from time to time. As public-key cryptography pioneer Martin Hellman wisely cautioned, new classical (non-quantum) attacks could also emerge, whether or not a quantum computer is realized.
The 1970s were a foundational time for public-key cryptography, producing not only the RSA algorithm and the Diffie-Hellman algorithm (which also provided the basic model for elliptic curve cryptography), but also hash-based signatures, invented in 1979 by another public-key cryptography founder, Ralph Merkle.
Hash-based signatures are interesting because their security depends only on the security of an underlying hash function.
It turns out that hash functions, as a concept, hold up very well against quantum computing advances — much better than currently established public-key algorithms do.
This means that Merkle’s hash-based signatures, now more than 40 years old, can rightly be considered the oldest post-quantum digital signature algorithm.
If it turns out that an individual hash function doesn’t hold up — whether against a quantum computer or a classical computer — then the hash function itself can be replaced, as cryptographers have been doing for years. That will likely be easier than changing to an entirely different post-quantum algorithm, especially one that involves very different concepts.
The conceptual stability of hash-based signatures is a reason that interoperable specifications are already being developed for variants of Merkle’s original algorithm. Two approaches are described in RFC 8391, “XMSS: eXtended Merkle Signature Scheme” and RFC 8554, “Leighton-Micali Hash-Based Signatures.” Another approach, SPHINCS+, is an alternate in NIST’s post-quantum project.
Hash-based signatures can potentially be applied to any part of the DNSSEC trust chain. For example, in Figure 1, the DNS record sets can be signed with a zone signing key (ZSK) that employs a hash-based signature algorithm.
The main challenge with hash-based signatures is that the signature size is large, on the order of tens or even hundreds of thousands of bits. This is perhaps why they haven’t seen significant adoption in security protocols over the past four decades.
Verisign Labs has been exploring how to mitigate the size impact of hash-based signatures on DNSSEC, while still basing security on hash functions only in the interest of stable post-quantum protections.
One of the ideas we’ve come up with uses another of Merkle’s foundational contributions: Merkle trees.
Merkle trees authenticate multiple records by hashing them together in a tree structure. The records are the “leaves” of the tree. Pairs of leaves are hashed together to form a branch, then pairs of branches are hashed together to form a larger branch, and so on. The hash of the largest branches is the tree’s “root.” (This is a data-structure root, unrelated to the DNS root.)
Each individual leaf of a Merkle tree can be authenticated by retracing the “path” from the leaf to the root. The path consists of the hashes of each of the adjacent branches encountered along the way.
Authentication paths can be much shorter than typical hash-based signatures. For instance, with a tree depth of 20 and a 256-bit hash value, the authentication path for a leaf would only be 5,120 bits long, yet a single tree could authenticate more than a million leaves.
Returning to the example above, suppose that instead of signing each DNS record set with a hash-based signature, each record set were considered a leaf of a Merkle tree. Suppose further that the root of this tree were to be published as the ZSK public key (see Figure 2). The authentication path to the leaf could then serve as the record set’s signature.
The validation logic at a resolver would be the same as in ordinary DNSSEC:
The only difference on the resolver’s side would be that signature validation would involve retracing the authentication path to the ZSK public key, rather than a conventional signature validation operation.
The ZSK public key produced by the Merkle tree approach would be a “synthesized” public key, in that it is obtained from the records being signed. This is noteworthy from a cryptographer’s perspective, because the public key wouldn’t have a corresponding private key, yet the DNS records would still, in effect, be “signed by the ZSK!”
In this type of DNSSEC implementation, the Merkle tree approach only applies to the ZSK level. Hash-based signatures would still be applied at the KSK level, although their overhead would now be “amortized” across all records in the zone.
In addition, each new ZSK would need to be signed “on demand,” rather than in advance, as in current operational practice.
This leads to tradeoffs, such as how many changes to accumulate before constructing and publishing a new tree. Fewer changes and the tree will be available sooner. More changes and the tree will be larger, so the per-record overhead of the signatures at the KSK level will be lower.
My last few posts have discussed cryptographic techniques that could potentially be applied to the DNS in the long term — or that might not even be applied at all. In my next post, I’ll return to more conventional subjects, and explain how Verisign sees cryptography fitting into the DNS today, as well as some important non-cryptographic techniques that are part of our vision for a secure, stable and resilient DNS.
Read the complete six blog series:
The post Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys appeared first on Verisign Blog.
This is the final in a multi-part series on cryptography and the Domain Name System (DNS).
In previous posts in this series, I’ve discussed a number of applications of cryptography to the DNS, many of them related to the Domain Name System Security Extensions (DNSSEC).
In this final blog post, I’ll turn attention to another application that may appear at first to be the most natural, though as it turns out, may not always be the most necessary: DNS encryption. (I’ve also written about DNS encryption as well as minimization in a separate post on DNS information protection.)
In 2014, the Internet Engineering Task Force (IETF) chartered the DNS PRIVate Exchange (dprive) working group to start work on encrypting DNS queries and responses exchanged between clients and resolvers.
That work resulted in RFC 7858, published in 2016, which describes how to run the DNS protocol over the Transport Layer Security (TLS) protocol, also known as DNS over TLS, or DoT.
DNS encryption between clients and resolvers has since gained further momentum, with multiple browsers and resolvers supporting DNS over Hypertext Transport Protocol Security (HTTPS), or DoH, with the formation of the Encrypted DNS Deployment Initiative, and with further enhancements such as oblivious DoH.
The dprive working group turned its attention to the resolver-to-authoritative exchange during its rechartering in 2018. And in October of last year, ICANN’s Office of the CTO published its strategy recommendations for the ICANN-managed Root Server (IMRS, i.e., the L-Root Server), an effort motivated in part by concern about potential “confidentiality attacks” on the resolver-to-root connection.
From a cryptographer’s perspective the prospect of adding encryption to the DNS protocol is naturally quite interesting. But this perspective isn’t the only one that matters, as I’ve observed numerous times in previous posts.
A common theme in this series on cryptography and the DNS has been the question of whether the benefits of a technology are sufficient to justify its cost and complexity.
This question came up not only in my review of two newer cryptographic advances, but also in my remarks on the motivation for two established tools for providing evidence that a domain name doesn’t exist.
Recall that the two tools — the Next Secure (NSEC) and Next Secure 3 (NSEC3) records — were developed because a simpler approach didn’t have an acceptable risk / benefit tradeoff. In the simpler approach, to provide a relying party assurance that a domain name doesn’t exist, a name server would return a response, signed with its private key, “<name> doesn’t exist.”
From a cryptographic perspective, the simpler approach would meet its goal: a relying party could then validate the response with the corresponding public key. However, the approach would introduce new operational risks, because the name server would now have to perform online cryptographic operations.
The name server would not only have to protect its private key from compromise, but would also have to protect the cryptographic operations from overuse by attackers. That could open another avenue for denial-of-service attacks that could prevent the name server from responding to legitimate requests.
The designers of DNSSEC mitigated these operational risks by developing NSEC and NSEC3, which gave the option of moving the private key and the cryptographic operations offline, into the name server’s provisioning system. Cryptography and operations were balanced by this better solution. The theme is now returning to view through the recent efforts around DNS encryption.
Like the simpler initial approach for authentication, DNS encryption may meet its goal from a cryptographic perspective. But the operational perspective is important as well. As designers again consider where and how to deploy private keys and cryptographic operations across the DNS ecosystem, alternatives with a better balance are a desirable goal.
In addition to encryption, there has been research into other, possibly lower-risk alternatives that can be used in place of or in addition to encryption at various levels of the DNS.
We call these techniques collectively minimization techniques.
In “textbook” DNS resolution, a resolver sends the same full domain name to a root server, a top-level domain (TLD) server, a second-level domain (SLD) server, and any other server in the chain of referrals, until it ultimately receives an authoritative answer to a DNS query.
This is the way that DNS resolution has been practiced for decades, and it’s also one of the reasons for the recent interest in protecting information on the resolver-to-authoritative exchange: The full domain name is more information than all but the last name server needs to know.
One such minimization technique, known as qname minimization, was identified by Verisign researchers in 2011 and documented in RFC 7816 in 2016. (In 2015, Verisign announced a royalty-free license to its qname minimization patents.)
With qname minimization, instead of sending the full domain name to each name server, the resolver sends only as much as the name server needs either to answer the query or to refer the resolver to a name server at the next level. This follows the principle of minimum disclosure: the resolver sends only as much information as the name server needs to “do its job.” As Matt Thomas described in his recent blog post on the topic, nearly half of all .com and .net queries received by Verisign’s .com TLD servers were in a minimized form as of August 2020.
Other techniques that are part of this new chapter in DNS protocol evolution include NXDOMAIN cut processing [RFC 8020] and aggressive DNSSEC caching [RFC 8198]. Both leverage information present in the DNS to reduce the amount and sensitivity of DNS information exchanged with authoritative name servers. In aggressive DNSSEC caching, for example, the resolver analyzes NSEC and NSEC3 range proofs obtained in response to previous queries to determine on its own whether a domain name doesn’t exist. This means that the resolver doesn’t always have to ask the authoritative server system about a domain name it hasn’t seen before.
All of these techniques, as well as additional minimization alternatives I haven’t mentioned, have one important common characteristic: they only change how the resolver operates during the resolver-authoritative exchange. They have no impact on the authoritative name server or on other parties during the exchange itself. They thereby mitigate disclosure risk while also minimizing operational risk.
The resolver’s exchanges with authoritative name servers, prior to minimization, were already relatively less sensitive because they represented aggregate interests of the resolver’s many clients1. Minimization techniques lower the sensitivity even further at the root and TLD levels: the resolver sends only its aggregate interests in TLDs to root servers, and only its interests in SLDs to TLD servers. The resolver still sends the aggregate interests in full domain names at the SLD level and below2, and may also include certain client-related information at these levels, such as the client-subnet extension. The lower levels therefore may have different protection objectives than the upper levels.
Minimization techniques and encryption together give DNS designers additional tools for protecting DNS information — tools that when deployed carefully can balance between cryptographic and operational perspectives.
These tools complement those I’ve described in previous posts in this series. Some have already been deployed at scale, such as a DNSSEC with its NSEC and NSEC3 non-existence proofs. Others are at various earlier stages, like NSEC5 and tokenized queries, and still others contemplate “post-quantum” scenarios and how to address them. (And there are yet other tools that I haven’t covered in this series, such as authenticated resolution and adaptive resolution.)
Modern cryptography is just about as old as the DNS. Both have matured since their introduction in the late 1970s and early 1980s respectively. Both bring fundamental capabilities to our connected world. Both continue to evolve to support new applications and to meet new security objectives. While they’ve often moved forward separately, as this blog series has shown, there are also opportunities for them to advance together. I look forward to sharing more insights from Verisign’s research in future blog posts.
Read the complete six blog series:
1. This argument obviously holds more weight for large resolvers than for small ones — and doesn’t apply for the less common case of individual clients running their own resolvers. However, small resolvers and individual clients seeking additional protection retain the option of sending sensitive queries through a large, trusted resolver, or through a privacy-enhancing proxy. The focus in our discussion is primarily on large resolvers.
2. In namespaces where domain names are registered at the SLD level, i.e., under an effective TLD, the statements in this note about “root and TLD” and “SLD level and below” should be “root through effective TLD” and “below effective TLD level.” For simplicity, I’ve placed the “zone cut” between TLD and SLD in this note.
The post Information Protection for the Domain Name System: Encryption and Minimization appeared first on Verisign Blog.
As Congress prepares to return to Washington in the coming weeks, finalizing the FY2021 National Defense Authorization Act (NDAA) will be a top priority. The massive defense bill features several important cybersecurity provisions, from strengthening CISA and promoting interoperability to creating a National Cyber Director position in the White House and codifying FedRAMP.
These are vital components of the legislation that conferees should work together to include in the final version of the bill, including:
One of the main recommendations of the Cyberspace Solarium Commission’s report this spring was to further strengthen CISA, an agency that has already made great strides in protecting our country from cyberattacks. An amendment to the House version of the NDAA would do just that, by giving CISA additional authority it needs to effectively hunt for threats and vulnerabilities on the federal network.
Bad actors, criminal organizations and even nation-states are continually looking to launch opportunistic attacks. Giving CISA additional tools, resources and funding needed to secure the nation’s digital infrastructure and secure our intelligence and information is a no-brainer and Congress should ensure the agency gets the resources it needs in the final version of the NDAA.
Perhaps now more than ever before, interoperability is key to a robust security program. As telework among the federal workforce continues and expands, an increased variety of communication tools, devices and networks put federal networks at risk. Security tools that work together and are interoperable better provide a full range of protection across these environments.
The House version of the NDAA includes several provisions to promote interoperability within the National Guard, military and across the Federal government. The Senate NDAA likewise includes language that requires the DoD craft regulations to facilitate DoD’s access to and utilization of system, major subsystem, and major component software-defined interfaces to advance DoD’s efforts to generate diverse and effective kill chains. The regulations and guidance would also apply to purely software systems, including business systems and cybersecurity systems. These regulations would also require acquisition plans and solicitations to incorporate mandates for the delivery of system, major subsystem, and major component software defined interfaces.
For too long, agencies have leveraged a grab bag of tools that each served a specific purpose, but didn’t offer broad, effective coverage. Congress has a valuable opportunity to change that and encourage more interoperable solutions that provide the security needed in today’s constantly evolving threat landscape.
The House version of the NDAA would establish a Senate-confirmed National Cyber Director within the White House, in charge of overseeing digital operations across the federal government. This role, a recommendation of the Cyberspace Solarium Commission, would give the federal government a single point person for all things cyber.
As former Rep. Mike Rodgers argued in an op-ed published in The Hill last month, “the cyber challenge that we face as a country is daunting and complex.” We face new threats every day. Coordinating cyber strategy across the federal government, rather than the agency by agency approach we have today, is critical to ensuring we stay on top of threats and effectively protect the nation’s critical infrastructure, intellectual property and data from an attack.
The FedRAMP Authorization Act, included in the House version of the NDAA, would codify the FedRAMP program and give it a formal standing for Congressional review, a critical step towards making the program more efficient and useful for agencies across the government. Providing this program more oversight will further validate the FedRAMP approved products from across the industry as safe and secure for federal use. The FedRAMP authorization bill also includes language that will help focus the Administration’s attention on the need to secure the vulnerable spaces between and among cloud services and applications. Agencies need to focus on securing these vulnerabilities between and among clouds since sophisticated hackers target these seams that too often are left unprotected.
Additionally, the Pentagon has already committed to FedRAMP reciprocity. FedRAMP works – and codifying it to bring the rest of the Federal government into the program would offer an excellent opportunity for wide-scale cloud adoption, something the federal government would benefit greatly from.
We hope that NDAA conferees will consider these important cyber provisions and include them in the final version of the bill and look forward to continuing our work with government partners on important cyber issues like these.
The post NDAA Conference: Opportunity to Improve the Nation’s Cybersecurity Posture appeared first on McAfee Blogs.
You get an email from bank0famerica@acc0unt.com claiming that they have found suspicious activity on your credit card statement and are requesting that you verify your financial information. What do you do? While you may be tempted to click on a link to immediately resolve the issue, this is likely the work of a cybercriminal. Phishing is a scam that tricks you into voluntarily providing important personal information. Protect yourself from phishing by reviewing some examples of phishing emails and learning more about this common online scam.
Phishing is a cybercrime that aims to steal your sensitive information. Scammers disguise themselves as major corporations or other trustworthy entities to trick you into willingly providing information like website login credentials or, even worse, your credit card number.
A phishing email or text (also known as SMiShing) is a fraudulent message made to look legitimate, and typically asks you to provide sensitive personal information in various ways. If you don’t look carefully at the emails or texts, however, you might not be able to tell the difference between a regular message and a phishing message. Scammers work hard to make phishing messages closely resemble emails and texts sent by trusted companies, which is why you need to be cautious when you open these messages and click the links they contain.
Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. Check for the following signs of phishing every time you open an email or text:
Even the biggest companies sometimes make minor errors in their communications. Phishing messages often contain grammatical errors, spelling mistakes, and other blatant errors that major corporations wouldn’t make. If you see multiple, glaring grammatical errors in an email or text that asks for your personal information, you might be a target of a phishing scam.
To enhance their edibility, phishing scammers often steal the logos of who they’re impersonating. In many cases, however, they don’t steal corporate logos correctly. The logo in a phishing email or text might have the wrong aspect ratio or low-resolution. If you have to squint to make out the logo in a message, the chances are that it’s phishing.
Phishing always centers around links that you’re supposed to click. Here are a few ways to check whether a link someone sent you is legitimate:
If the URL you discover doesn’t match up with the entity that supposedly sent you the message, you probably received a phishing email.
Phishing messages come in all shapes and sizes, but there are a few types of phishing emails and texts that are more common than others. Let’s review some examples of the most frequently sent phishing scams:
Some phishing emails appear to notify you that your bank temporarily suspended your account due to unusual activity. If you receive an account suspension email from a bank that you haven’t opened an account with, delete it immediately, and don’t look back. Suspended account phishing emails from banks you do business with, however, are harder to spot. Use the methods we listed above to check the email’s integrity, and if all else fails, contact your bank directly instead of opening any links within the email you received.
Two-factor authentication scam
Two-factor authentication (2FA) has become common, so you’re probably used to receiving emails that ask you to confirm your login information with six-digit numerical codes. Phishing scammers also know how standard 2FA has become, and they could take advantage of this service that’s supposed to protect your identity. If you receive an email asking you to log in to an account to confirm your identity, use the criteria we listed above to verify the message’s authenticity. Be especially wary if someone asks you to provide 2FA for an account you haven’t accessed for a while.
We all know how important tax season is. That’s what phishing scammers are counting on when they send you phony IRS refund emails. Be careful when an email informs you that you’ve received a windfall of cash and be especially dubious of emails that the IRS supposedly sent since this government agency only contacts taxpayers via snail mail. Tax refund phishing scams can do serious harm since they usually ask for your social security number as well as your bank account information.
Sometimes, cybercriminals will try to tick you by sending emails with fake order confirmations. These messages often contain “receipts” attached to the email or links claiming to contain more information on your order. However, criminals often use these attachments and links to spread malware to the victim’s device.
You need to be wary of phishing when you’re using your work email as well. One popular phishing scam involves emails designed to look like someone in the C-suite of your company sent them. They ask workers to wire funds to supposed clients, but this cash actually goes to scammers. Use the tips we listed above to spot these phony emails.
Often, hackers look for ways to update old schemes so that they go undetected by users already aware of certain cyberthreats. Such is the case with the latest phishing evasion technique, which detects virtual machines to fly under the radar. Cybersecurity firms often use headless devices or virtual machines (a computer file that behaves like an actual computer) to determine if a website is actually a phishing page. But now, some phishing kits contain JavaScript — a programming language that allows you to implement complex features on web pages — that checks whether a virtual machine is analyzing the page. If it detects any analysis attempts, the phishing kit will show a blank page instead of the phishing page, allowing the scam to evade detection. To help ensure that you don’t fall for the latest phishing scams, stay updated on the most recent phishing techniques so you can stay one step ahead of cybercriminals.
Never click links in suspicious emails. If you click a link you suspect a phishing scammer sent, the link will take you to a web page with a form where you can enter sensitive data such as your Social Security number, credit card information, or login credentials. Do not enter any data on this page.
If you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it’s important to change all the passwords you use online in the wake of a suspected phishing attack.
Let’s wrap things up with some summarized tips on how to avoid phishing emails:
Phishing emails only work on the unaware. Now that you know how to spot phishing emails and what to do if you suspect scammers are targeting you, you’re far less likely to fall for these schemes. Remember to be careful with your personal information when you use the internet and err on the side of caution whenever anybody asks you to divulge sensitive details about your identity, finances, or login information.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Phishing Email Examples: How to Recognize a Phishing Email appeared first on McAfee Blogs.
If you are someone who works for a cloud service provider in the business of federal contracting, you probably already have a good understanding of FedRAMP. It is also likely that our regular blog readers know the ins and outs of this program.
For those who are not involved in these areas, however, this acronym may be more unfamiliar. Perhaps you have only heard of it in passing conversation with a few of your expert cybersecurity colleagues, or you are just curious to learn what all of the hype is about. If you fall into this category – read on! This blog is for you.
At first glance, FedRAMP may seem like a type of onramp to an interstate headed for the federal government – and in a way, it is.
FedRAMP stands for the Federal Risk and Authorization Management Program, which provides a standard security assessment, authorization and continuous monitoring for cloud products and services to be used by federal agencies. The program’s overall mission is to protect the data of U.S. citizens in the cloud and promote the adoption of secure cloud services across the government with a standardized approach.
Once a cloud service has successfully made it onto the interstate – or achieved FedRAMP authorization – it’s allowed to be used by an agency and listed in the FedRAMP Marketplace. The FedRAMP Marketplace is a one-stop-shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements.
In the fourth year of the program, FedRAMP had 20 authorized cloud service offerings. Now, eight years into the program, FedRAMP has over 200 authorized offerings, reflecting its commitment to help the government shift to the cloud and leverage new technologies.
Any cloud service provider that has a contract with a federal agency or wants to work with an agency in the future must have FedRAMP authorization. Compliance with FedRAMP can also benefit providers who don’t have plans to partner with government, as it signals to the private sector they are committed to cloud security.
Using a cloud service that complies with FedRAMP standards is mandatory for federal agencies. It has also become popular with organizations in the private industry, which are more often looking to FedRAMP standards as a security benchmark for the cloud services they use.
There are two ways for a cloud service to obtain FedRAMP authorization. One is with a Joint Authorization Board (JAB) provisional authorization (P-ATO) and the other is through an individual agency Authority to Operate (ATO).
A P-ATO is an initial approval of the cloud service provider by the JAB, which is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS) and General Services Administration (GSA). This designation means that the JAB has provided a provisional approval for agencies to leverage when granting an ATO to a cloud system.
The head of an agency grants an ATO as part of the agency authorization process. An ATO may be granted after an agency sponsor reviews the cloud service offering and completes a security assessment.
Achieving FedRAMP authorization for a cloud service is a very long and rigorous process, but it has received high praise from security officials and industry experts alike for its standardized approach to evaluate whether a cloud service offering meets some of the strongest cybersecurity requirements.
There are several benefits for cloud providers who authorize their service with FedRAMP. The program allows an authorized cloud service to be reused continuously across the federal government – saving time, money and effort for both cloud service providers and agencies. Authorization of a cloud service also gives service providers increased visibility of their product across government with a listing in the FedRAMP Marketplace.
By electing to comply with FedRAMP, cloud providers can demonstrate dedication to the highest data security standards. Though the process for achieving FedRAMP approval is complex, it is worthwhile for providers, as it signals a commitment to security to government and non-government customers.
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards. We are proud that McAfee’s MVISION Cloud is the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB).
Currently, MVISION Cloud is in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
MVISION Cloud allows federal organizations to have total visibility and control of their infrastructure to protect their data and applications in the cloud. The FedRAMP High JAB P-ATO designation is the highest compliance level available under FedRAMP, meaning that MVISION Cloud is authorized to manage highly sensitive government data.
We look forward to continuing to work closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post FedRAMP – What’s the Big Deal? appeared first on McAfee Blogs.
Over the last few months, Zero Trust Architecture (ZTA) conversations have been top-of-mind across the DoD. We have been hearing the chatter during industry events all while sharing conflicting interpretations and using various definitions. In a sense, there is an uncertainty around how the security model can and should work. From the chatter, one thing is clear – we need more time. Time to settle in on just how quickly mission owners can classify a comprehensive and all-inclusive, acceptable definition of Zero Trust Architecture.
Today, most entities utilize a multi-phased security approach. Most commonly, the foundation (or first step) in the approach is to implement secure access to confidential resources. Coupled with the shift to remote and distance work, the question arises, “are my resources and data safe, and are they safe in the cloud?”
Thankfully, the DoD is in the process of developing a long-term strategy for ZTA. Industry partners, like McAfee, have been briefed along the way. It has been refreshing to see the DoD take the initial steps to clearly define what ZTA is, what security objectives it must meet, and the best approach for implementation in the real-world. A recent DoD briefing states “ZTA is a data-centric security model that eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to a multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privilege access”.
What stands out to me is the data-centric approach to ZTA. Let us explore this concept a bit further. Conditional access to resources (such as network and data) is a well-recognized challenge. In fact, there are several approaches to solving it, whether the end goal is to limit access or simply segment access. The tougher question we need to ask (and ultimately answer) is how to do we limit contextual access to cloud assets? What data security models should we consider when our traditional security tools and methods do not provide adequate monitoring? And is securing data, or at least watching user behavior, enough when the data stays within multiple cloud infrastructures or transfers from one cloud environment to another?
Increased usage of collaboration tools like Microsoft 365 and Teams, SLACK and WebEx are easily relatable examples of data moving from one cloud environment to another. The challenge with this type of data exchange is that the data flows stay within the cloud using an East-West traffic model. Similarly, would you know if sensitive information created directly in Office 365 is uploaded to a different cloud service? Collaboration tools by design encourage sharing data in real-time between trusted internal users and more recently with telework, even external or guest users. Take for example a supply chain partner collaborating with an end user. Trust and conditional access potentially create a risk to both parties, inside and outside of their respective organizational boundaries. A data breach whether intentional or not can easily occur because of the pre-established trust and access. There are few to no limited default protection capabilities preventing this situation from occurring without intentional design. Data loss protection, activity monitoring and rights management all come into question. Clearly new data governance models, tools and policy enforcement capabilities for this simple collaboration example are required to meet the full objectives of ZTA.
So, as the communities of interest continue to refine the definitions of Zero Trust Architecture based upon deployment, usage, and experience, I believe we will find ourselves shifting from a Zero Trust model to an Advanced Adaptive Trust model. Our experience with multi-attribute-based confidence levels will evolve and so will our thinking around trust and data-centric security models in the cloud.
The post Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust? appeared first on McAfee Blogs.
Malicious actors are increasingly taking advantage of the burgeoning at-home workforce and expanding use of cloud services to deliver malware and gain access to sensitive data. According to an Analysis Report (AR20-268A) from the Cybersecurity and Infrastructure Security Agency (CISA), this new normal work environment has put federal agencies at risk of falling victim to cyber-attacks that exploit their use of Microsoft Office 365 (O365) and misuse their VPN remote access services.
McAfee’s global network of over a billion threat sensors affords its threat researchers the unique advantage of being able to thoroughly analyze dozens of cyber-attacks of this kind. Based on this analysis, McAfee supports CISA’s recommendations to help prevent adversaries from successfully establishing persistence in agencies’ networks, executing malware, and exfiltrating data. However, McAfee also asserts that the nature of this environment demands that additional countermeasures be implemented to quickly detect, block and respond to exploits originating from authorized cloud services.
Read on to learn from McAfee’s analysis of these attacks and understand how federal agencies can use cloud access security broker (CASB) and endpoint threat detection and response (EDR) solutions to detect and mitigate such attacks before they have a chance to inflict serious damage upon their organizations.
McAfee’s analysis supports CISA’s findings that adversaries frequently attempt to gain access to organizations’ networks by obtaining valid access credentials for multiple users’ O365 accounts and domain administrator accounts, often via vulnerabilities in unpatched VPN servers. The threat actor will then use the credentials to log into a user’s O365 account from an anomalous IP address, browse pages on SharePoint sites, and then attempt to download content. Next, the cyberthreat actor would connect multiple times from a different IP address to the agency’s Virtual Private Network (VPN) server, and eventually connect successfully.
Once inside the network, the attacker could:
McAfee’s comprehensive analysis of these attacks supports CISA’s proposed best practices to prevent or mitigate such cyber-attacks. These recommendations include:
While these recommendations provide a solid foundation for a strong cybersecurity program, these controls by themselves may not go far enough to prevent more sophisticated adversaries from exploiting and weaponizing cloud services to gain a foothold within an enterprise.
Organizations will gain a running start to identifying and thwarting the attacks in question by implementing a full-featured CASB such as McAfee MVISION Cloud, and an advanced EDR solution, such as McAfee MVISION Endpoint Threat Detection and Response.
Deploying MVISION Cloud for Office 365 enables agencies’ SOC analysts to assert greater control over their data and user activity in Office 365—control that can hasten identification of compromised accounts and resolution of threats. MVISION Cloud takes note of all user and administrative activity occurring within cloud services and compares it to a threshold based either on the user’s specific behavior or the norm for the entire organization. If an activity exceeds the threshold, it generates an anomaly notification. For instance, using geo-location analytics to visualize global access patterns, MVISION Cloud can immediately alert agency analysts to anomalies such as instances of Office 365 access originating from IP addresses located in atypical geographic areas.
When specific anomalies appear concurrently—e.g., a Brute Force anomaly and an unusual Data Access event—MVISION Cloud automatically generates a Threat. In the attacks McAfee analyzed, Threats would have been generated early on since the CASB’s user behavior analytics would have identified the cyber actor’s various activities as suspicious. Using MVISION Cloud’s activity monitoring dashboard and built-in audit trail of all user and administrator activities, SOC analysts can detect and analyze anomalous behaviors across multiple dimensions to more rapidly understand what exactly is occurring when and to what systems—and whether an incident concerns a compromised account, insider threat, privileged user threat, and/or malware—to shrink the gap to remediation.
In addition, with MVISION Cloud, an agency security analyst can clearly see how each cloud security incident maps to MITRE ATT&CK tactics and techniques, which not only accelerates the entire forensics process but also allows security managers to defend against similar attacks with greater precision in the future.
Furthermore, using MVISION Cloud for Office 365, agencies can create and enforce policies that prevent the uploading of sensitive data to Office 365 or downloading of sensitive data to unmanaged devices. With such policies in place, an attacker’s attempt to exfiltrate sensitive data will be mitigated.
In addition to deploying a CASB, implementing an EDR solution like McAfee MVISION EDR to monitor endpoints centrally and continuously—including remote devices—helps organizations defend themselves from such attacks. With MVISION EDR, agency SOC analysts have at their fingertips advanced analytics and visualizations that broaden detection of unusual behavior and anomalies on the endpoint. They are also able to grasp the implications of alerts more quickly since the information is presented in a format that reduces noise and simplifies investigation—so much so that even novice analysts can analyze at a higher level. AI-guided investigations within the solution can also provide further insights into attacks.
With a threat landscape that is constantly evolving and attack surfaces that continue to expand with increased use of the cloud, it is now more important than ever to embrace CASB and EDR solutions. They have become critical tools to actively defend today’s government agencies and other large enterprises.
Learn more about the cloud-native, unified McAfee MVISION product family. Get your questions answered by tweeting @McAfee
The post How CASB and EDR Protect Federal Agencies in the Age of Work from Home appeared first on McAfee Blogs.
Today’s U.S. government is in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape. To support these efforts, McAfee has pursued and received a Federal Risk and Authorization Management Program (FedRAMP) Authorization designation for McAfee MVISION for Endpoint at the moderate security impact level.
This FedRAMP Moderate designation is equivalent to DoD Impact Level 2 (IL2) and certifies that the McAfee solution has passed rigorous security requirements for the increasingly complex and expanding cloud environments of the U.S. government. The FedRAMP Moderate authorization validates the McAfee solution’s implementation of the baseline 325 NIST 800-53 controls, allowing users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
By achieving FedRAMP Moderate Authorization for MVISION for Endpoint, McAfee can provide the command and control cyber defense capabilities government environments need to enable on-premise and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
McAfee MVISION for Endpoint consists of three primary components: McAfee MVISION Endpoint Detection and Response (EDR), McAfee MVISION ePolicy Orchestrator (ePO) and McAfee Endpoint Security Adaptive Threat Protection with Real Protect (ENS ATP):
Together, these solutions provide today’s U.S. government agencies the AI-guided endpoint threat detection, investigation and response capabilities they need to confront today’s ever evolving threats across a wide variety of devices. This important FedRAMP milestone is the latest affirmation of McAfee’s long-standing commitment to providing U.S. government agencies advanced, cloud-based cyber defenses to help them meet whatever mission they may confront today and in the future.
Other recent McAfee public sector achievements include:
Please see the following for more information on McAfee’s efforts in the FedRAMP mission:
The post McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements appeared first on McAfee Blogs.
Government and Private Sector organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container technologies across on-premises, cloud, and hybrid environments. Container adoption is becoming mainstream to drive digital transformation and business growth and to accelerate product and feature velocity. Companies have moved quickly to embrace cloud native applications and infrastructure to take advantage of cloud provider systems and to align their design decisions with cloud properties of scalability, resilience, and security first architectures. The declarative nature of these systems enables numerous advantages in application development and deployment, like faster development and deployment cycles, quicker bug fixes and patches, and consistent build and monitoring workflows. These streamlined and well controlled design principles in automation pipelines lead to faster feature delivery and drive competitive differentiation.
As more enterprises adapt to cloud-native architectures and embark on multi-cloud strategies, demands are changing usage patterns, processes, and organizational structures. However, the unique methods by which application containers are created, deployed, networked, and operated present unique challenges when designing, implementing, and operating security systems for these environments. They are ephemeral, often too numerous to count, talk to each other across nodes and clusters more than they communicate with the outside endpoints, and they are typically part of fast-moving continuous integration/continuous deployment (CI/CD) pipelines. Additionally, development toolchains and operations ecosystems continue to present new ways to develop and package code, secrets, and environment variables. Unfortunately, this also compounds supply chain risks and presents an ever-increasing attack surface.
Lack of a comprehensive container security strategy or often not knowing where to start can be a challenge to effectively address risks presented in these unique ecosystems. While teams have recognized the need to evolve their security toolchains and processes to embrace automation, it is imperative for them to integrate specific security and compliance checks early into their respective DevOps processes. There are legitimate concerns that persist about misconfigurations and runtime risks in cloud native applications, and still too few organizations have a robust security plan in place.
These complex problem definitions have led to the development of a special publication from National Institute of Standards and Technology (NIST) – NIST SP 800-190 Application Security Container Guide. It provides guidelines for securing container applications and infrastructure components, including sectional review of the fundamentals of containers, key risks presented by core components of application container technologies, countermeasures, threat scenario examples, and actionable information for planning, implementing, operating, and maintaining container technologies.
MVISION Cloud Native Application Protection Platform (CNAPP) is a comprehensive device-to-cloud security platform for visibility and control across SaaS, PaaS, & IaaS platforms. It provides deep coverage on cloud native security controls that can be implemented throughout the entire application lifecycle. By mapping all the applicable risk elements and countermeasures from Sections 3 and 4 of NIST SP 800-190 to capabilities within the platform, we want to provide an architectural point of reference to help customers and industry partners automate compliance and implement security best practices for containerized application workloads. This mapping and a detailed review of platform capabilities aligned with key countermeasures can be referenced here.
As outlined in one of the supporting charts in the whitepaper, CNAPP has capabilities that effectively address all the risk elements described in the NIST special publication guidance.
While the breadth of coverage is critical, it is worth noting that the most effective way to secure containerized applications requires embedding security controls into each phase of the container lifecycle. If we leverage Department of Defense’s Enterprise DevSecOps Reference Design guidance as a point of reference, it describes the DevSecOps lifecycle in terms of nine transition stages comprising of plan, develop, build, test, release, deliver, deploy, operate, and monitor.
The foundational principle of DevSecOps implementations is that the software development lifecycle is not a monolithic linear process. The “big bang” style delivery of the Waterfall SDLC process is replaced with small but more frequent deliveries, so that it is easier to change course as necessary. Each small delivery is accomplished through a fully automated process or semi-automated process with minimal human intervention to accelerate continuous integration and delivery. The DevSecOps lifecycle is adaptable and has many feedback loops for continuous improvement.
Specific to containerized applications and workloads, a more abstract view of a container’s lifecycle spans across three high-level phases of Build, Deploy, and Run.
The “Build” phase centers on what ends up inside the container images in terms of the components and layers that make up an application. Usually created by the developers, security efforts are typically focused on reducing business risk later in the container lifecycle by applying best practices and identifying and eliminating known vulnerabilities early. These assessments can be conducted in an “inner” loop iteratively as developers perform incremental builds and add security linting and automated tests or can be driven via an “outer” feedback loop that’s driven by operational security reviews and penetration testing efforts.
In the “Deploy” phase, developers configure containerized applications for deployment into production. Context grows beyond information about images to include details about configuration options available for orchestrated services. Security efforts in this phase often center around complying with operational best practices, applying least-privilege principles, and identifying misconfigurations to reduce the likelihood and impact of potential compromises.
“Runtime” is broadly classified as a separate phase wherein containers go into production with live data, live users, and exposure to networks that could be internal or external in nature. The primary purpose of implementing security during the runtime phase is to protect running applications as well as the underlying container infrastructure by finding and stopping malicious actors in real time.
By applying this understanding of container lifecycle stages to respective countermeasures that can be implemented and audited upon within MVISION Cloud, CNAPP customers can establish an optimal security posture and achieve synergies of shift left and runtime security models. Security assessments are critically important early in planning and design, where important decisions are made about architecture approach, development tooling and technology platforms and where mistakes or misunderstandings can be dangerous and expensive. As DevOps teams move their workloads into the cloud, security teams will need to implement best practices that apply operations, monitoring and runtime security controls across public, private, and hybrid cloud consumption models.
CNAPP first discovers all the cloud-native components mapped to an application, including hosts, IaaS/PaaS services, containers, and the orchestration context that a container operates within. With the use of native tagging and network flow log analysis, customers can visualize cloud infrastructure interactions including across compute, network, and storage components. Additionally, the platform scans cloud native object and file stores to assess presence of any sensitive data or malware. Depending on the configuration compliance of the underlying resources and data sensitivity, an aggregate risk score is computed per application which provides detailed context for an application owner to understand risks and prioritize mitigation efforts.
As a cloud security posture management platform, CNAPP provides a set of capabilities that ensure that assets comply with industry regulations, best practices, and security policies. This includes proactive scanning for vulnerabilities in container images and VMs and ensuring secure container runtime configurations to prevent non-compliant builds from being pushed to production. The same principles apply to orchestrator configurations to help secure how containers get deployed using CI/CD tools. These baseline checks can be augmented with other policy types to ensure file integrity monitoring and configuration hardening of hosts (e.g., no insecure ports or unnecessary services), which help apply defense-in-depth by minimizing the overall attack surface.
Finally, the platform enforces policy-based immutability on running container instances (and hosts) to help identify process-, service-, and application-level whitelists. By leveraging the declarative nature of containerized workloads, threats can be detected during the runtime phase, including any exposure created as a result of misconfigurations, application package vulnerabilities, and runtime anomalies such as execution of reverse shell or other remote access tools. While segmentation of workloads can be achieved in the build and deploy phases of a workload using posture checks for constructs like namespaces, network policies, and container runtime configurations to limit system calls, the same should also be enforced in the runtime phase to detect and respond to malicious activity in an automated and scalable way. The platform defines baselines and behavioral models that can specially be effective to investigate attempts at network reconnaissance, remote code execution due to zero-day application library and package vulnerabilities, and malware callbacks. Additionally, by mapping these threats and incidents to the MITRE ATT&CK tactics and techniques, it provides a common taxonomy to cloud security teams regardless of the underlying cloud application or an individual component. This helps them extend their processes and security incident runbooks to the cloud, including their ability to remediate security misconfigurations and preemptively address all the container risk categories outlined in NIST 800-190.
The post Securing Containers with NIST 800-190 and MVISION CNAPP appeared first on McAfee Blogs.
Organizations across the country – from the private sector to the federal government – have become more digital, especially following the shift to remote work this year. It’s no surprise that cybercriminals around the world have taken notice. According to a new report by McAfee and the Center for Strategic and International Studies (CSIS), cybercrime is now a nearly trillion-dollar industry, and the government sector is not immune.
Across the board, the issue continues to rise – increasing the cost of cybercrime by nearly 50% since our last report in 2018. The threats to the government from cybercriminals are even greater, leading to potential national security risks as dark actors look to steal U.S. secrets and intellectual property.
All levels of government – from state and local to the federal government here in Washington – are taking steps to mitigate the issues, but they must do so differently than their private sector counterparts. Government respondents to the survey reported the highest number of malicious attacks, highlighting the high-stakes environment in which governments operate.
Unfortunately, the report also found that while government organizations face more attacks than their private-sector counterparts, they also take longer to remediate them, leaving our government services, infrastructure, and other critical aspects of society at risk for longer than they need.
Earlier this week, McAfee’s CTO Steve Grobman joined CSIS for a conversation on the report and how we can continue to prepare for and mitigate the risk of cybercrime and its hidden costs with CSIS’ Jim Lewis and Zhanna Malekos Smith, former Federal CISO Grant Schneider and the FBI’s Jonathan Holmes.
Kicking off the discussion, Schneider highlighted the importance of the workforce and the need to take care of them so organizations can quickly rebound from an incident. Schneider noted that if an office were robbed, no one would blame the team, but with cybercrime, victims are often seen as the issue – leading to reduced employee morale and more issues later down the line.
Instead, Schneider argued on the importance of preparing the workforce and that preparation can take several forms, including risk management through NIST’s risk management framework. He also called for organizations to develop a recovery plan, engaging different departments, leadership and the public to be ready for when an incident occurs.
In his discussion of the report’s findings, McAfee CTO Steve Grobman noted they weren’t shocking. Grobman said that as we adopt new technologies, adversaries will continue to find new attack vectors.
This year was particularly notable as much of the federal government transitioned to a remote work environment overnight. As the workforce went remote – critical government information was accessed from home internet routers that lacked the same level of security as government office networks, increasing adversaries’ ability to successfully launch attacks.
Luckily, as Grobman noted, there are ways lawmakers can mitigate the threat of ransomware against government and the private sector.
Across the country, governments are facing ransomware attacks at an alarming rate, and every one of them – at every level – needs to have a plan in place. There needs to be a data-based discussion with leadership to decide how to balance the daily blocking and tackling of threats with limited complication to the continuation of operations and preparation for big intrusions like we’ve seen happen this year.
There are also policy solutions – many of these criminal groups operate in countries that allow them to do so. When negotiating trade deals with countries, the level of cybercrime and the government’s cooperation with or against those groups must be considered.
The cost of cybercrime is now nearly 1% of the global GDP, and it will only continue to rise, impacting companies and governments around the world unless we come together to stop it through basic cyber hygiene, preparation and policy solutions.
The post The Hidden Costs of Cybercrime on Government appeared first on McAfee Blogs.
Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.
But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.
And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.
The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.
MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.
Seems like the internet follows us wherever we go nowadays, whether it tags along via a smartphone, laptop, tablet, a wearable, or some combination of them all. Yet there’s something else that follows us around as well—our PII, a growing body of “personally identifiable information” that we create while banking, shopping, and simply browsing the internet. And no doubt about it, our PII is terrifically valuable.
What makes it so valuable? It’s no exaggeration to say that your PII is the key to your digital life, along with your financial and civic life as well. Aside from using it to create accounts and logins, it’s further tied to everything from your bank accounts and credit cards to your driver’s license and your tax refund.
Needless to say, your PII is something that needs protecting, so let’s take a look at several ways you can do just that.
What is PII? It’s information about you that others can use to identify you either directly or indirectly. Thus, that info could identify you on its own, or it could identify you when it’s linked to other identifiers, like the ones associated with the devices, apps, tools, and protocols you use.
A prime example of direct PII is your tax ID number because it’s unique and directly associated with your name. Further instances include your facial image to unlock your smartphone, your medical records, your finances, and your phone number because each of these can be easily linked back to you.
Then there are those indirect pieces of PII that act as helpers. While they may not identify you on their own, a few of them can when they’re added together. These helpers include things like internet protocol addresses, the unique device ID of your smartphone, or other identifiers such as radio frequency identification tags.
You can also find pieces of your PII in the accounts you use, like your Google to Apple IDs, which can be linked to your name, your email address, and the apps you have. You’ll also find it in the apps you use. For example, there’s PII in the app you use to map your walks and runs, because the combination of your smartphone’s unique device ID and GPS tracking can be used in conjunction with other information to identify who you are, not to mention where you typically like to do your 5k hill days. The same goes for messenger apps, which can collect how you interact with others, how often you use the app and your location information based on your IP address, GPS information, or both.
In all, there’s a cloud of PII that follows us around as we go about our day online. Some wisps of that cloud are more personally identifying than others. Yet gather enough of it and PII can create a high-resolution snapshot of you—who you are, what you’re doing when you’re doing it, and even where you’re doing it too—particularly if it gets into the wrong hands.
Remember Pig-Pen, the character straight from the old funny pages of Charles Schultz’s Charlie Brown? He’s hard to forget with that ever-present cloud of dust following him around. Charlie Brown once said, “He may be carrying the soil that trod upon by Solomon or Nebuchadnezzar or Genghis Khan!” It’s the same with us and our PII, except the cloud surrounding us, isn’t the dust of kings and conquerors, they’re motes of digital information that are of tremendously high value to crooks and bad actors—whether for purposes of identity theft or invasion of privacy.
With all PII we create and share on the internet, that calls for protecting it. Otherwise, our PII could fall into the hands of a hacker or identity thief and end up getting abused, in potentially painful and costly ways.
Here are several things you can do to help ensure that what’s private stays that way:
Square One is to protect your devices with comprehensive online protection software. This will defend you against the latest virus, malware, spyware, and ransomware attacks plus further protect your privacy and identity. In addition to this, it can also provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts.
Further, security software can also include a firewall that blocks unwanted traffic from entering your home network, such as an attacker poking around for network vulnerabilities so that they can “break-in” to your computer and steal information.
Also known as a virtual private network, a VPN helps protect your vital PII and other data with bank-grade encryption. The VPN encrypts your internet connection to keep your online activity private on any network, even public networks. Using a public network without a VPN can increase your cybersecurity risk because others on the network can potentially spy on your browsing and activity.
If you’re new to the notion of using a VPN, check out this article on VPNs and how to choose one so that you can get the best protection and privacy possible.
In the U.S., the Social Security Number (SSN) is one of the most prized pieces of PII as it unlocks the door to employment, finances, and much more. First up, keep a close grip on it. Literally. Store your card in a secure location. Not your purse or wallet.
Certain businesses and medical practices may ask you for your SSN for billing purposes and the like. You don’t have to provide it (although some businesses could refuse service if you don’t), and you can always ask if they will accept some alternative form of information. However, there are a handful of instances where an SSN is a requirement. These include:
Be aware that hackers often get a hold of SSNs because the organization holding that information gets hacked or compromised itself. Minimizing how often you provide your SSN can offer an extra degree of protection.
Protecting your files with encryption is a core concept in data and information security, and thus it’s a powerful way to protect your PII. It involves transforming data or information into code that requires a digital key to access it in its original, unencrypted format. For example, McAfee Total Protection includes File Lock, which is our file encryption feature that lets you lock important files in secure digital vaults on your device.
Additionally, you can also delete sensitive files with an application such as McAfee Shredder, which securely deletes files so that thieves can’t access them. (Quick fact: deleting files in your trash doesn’t actually delete them in the truest sense. They’re still there until they’re “shredded” or otherwise overwritten such that they can’t be restored.)
Which Marvel Universe superhero are you? Does it really matter? After all, such quizzes and social media posts are often grifting pieces of your PII in a seemingly playful way. While you’re not giving up your SSN, you may be giving up things like your birthday, your pet’s name, your first car … things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites. The one way to pass this kind of quiz is not to take it!
A far more direct form of separating you from your PII are phishing attacks. Posing as emails from known or trusted brands, financial institutions, or even a friend or family member a cybercrook’s phishing attack will attempt to trick you into sharing important information like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service.
How do you spot such emails? Well, it’s getting a little tougher nowadays because scammers are getting more sophisticated and can make their phishing emails look nearly legitimate. However, there are several ways you can spot a phishing email and phony web pages as outlined here.
Comprehensive security offers another layer of prevention, in this case by offering browser protection like our own Web Advisor, which will alert you in the event you come across suspicious links and downloads that can steal your PII or otherwise expose you to attacks.
With social engineering attacks that deceive victims by posing as people the victim knows and the way we can sometimes overshare a little too much about our lives, you can see why a social media profile is a potential goldmine for cybercriminals.
Two things you can do to help protect your PII from being at risk via social media: one, think twice about what PII you might be sharing in that post or photo—like the location of your child’s school or the license plate on your car; two, set your profile to private so that only friends can see it. Review your privacy settings regularly to keep your profile information out of the public eye. And remember, nothing is 100% private on the internet. Never post anything you wouldn’t want to see shared.
The “S” stands for secure. Any time you are shopping, banking, or sharing any kind of PII, look for “https” at the start of the web address. Some browsers will also indicate HTTP by showing a small “lock” icon. Doing otherwise on plain HTTP sites exposes your PII for anyone who cares to monitor that site for unsecured connections.
By locking your devices, you protect yourself that much better from PII and data theft in the event your device is lost, stolen, or even left unattended for a short stretch. Use your password, PIN, facial recognition, thumbprint ID, what have you. Just lock your stuff. In the case of your smartphones, read up on how you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.
Theft of your PII can of course lead to credit cards and other accounts being opened falsely in your name. What’s more, it can sometimes be some time before you even become aware of it, until perhaps your credit score takes a hit or a bill collector comes calling. By checking your credit, you can address any issues that come up, as companies typically have a clear-cut process for contesting any fraud. You can get a free credit report in the U.S. via the Federal Trade Commission (FTC) and likewise, other nations like the UK have similar free offerings as well.
Consider identity theft protection as well. A strong identity theft protection package pairs well with keeping track of your credit and offers cyber monitoring that scans the dark web to detect for misuse of your PII. With our identity protection service, we help relieve the burden of identity theft if the unfortunate happens to you with $1M coverage for lawyer fees, travel expenses, lost wages, and more.
The post Take It Personally: Ten Tips for Protecting Your Personally Identifiable Information (PII) appeared first on McAfee Blog.
Quantum computing is the next frontier in computer science. It can bring untold benefits, allowing the development of new materials, tackling pandemics and making the world a greener, safer place. But it also threatens to break the encryption that keeps our data safe from prying eyes. France’s recent announcement to invest €1.8b into Europe’s quantum computing effort – on top of Germany’s two billion euros and the EU’s one billion euro quantum strategy – will help ensure Europe doesn’t miss the boat on what is set to become the cornerstone of innovation in the coming decades.
In short, quantum computing is an entirely new paradigm for making calculations on computers. Today, all computing relies on sequences of ones and zeroes to make increasingly complex calculations, culminating in the smartphones, cloud services and the supercomputers that exist today.
Quantum computing uses peculiar characteristics of physics to allow machines to perform complex algebra calculations in one fell swoop: “It would take ten thousand years to factor something on the fastest computer today, that could be minutes or seconds given a sufficiently powerful quantum computer,” said McAfee’s chief technology officer Steve Grobman on a recent podcast. “Think about it more as waves than binary,” added John King, a McAfee research fellow also on the podcast. “You reinforce the ones that you want, and dampen the ones that you don’t want,” he said.
To achieve these quirks of physics requires machines operating at temperatures colder than outer space, so it is unlikely that every person will have a quantum computer in their basement anytime soon. However, with the Internet and cloud computing, we will have the ability to harness the power of quantum computing remotely, just like data centres can be used from hundreds of kilometers away at the tap of a few buttons in a web browser today.
Nor is quantum computing always going to be superior to the well-developed binary technologies in place today, which are handsomely suited to making precise calculations. “Quantum computing is not well suited for general purpose computing, but for solving very specific math problems that are well suited to the quantum model,” said Grobman.
But the pattern-recognising abilities of quantum algorithms are uniquely well suited to complex problem. Think how to best distribute COVID-19 vaccines across populations, or even the world, or optimising global shipping networks leading to lower emissions from boats and planes.
On the flipside quantum is also, unfortunately, much better at breaking encryption algorithms than tradiditional computing power . Data that is considered secure today could be rendered public knowledge in the coming decade’s advances in quantum technology, with massive implications for company secrets and national security.
In the US and China, private and public actors are already pouring huge investments into quantum, and without considerable efforts, Europe exposes itself to gaping security holes, and missing out on harnessing the power of quantum to solve pressing problems such as climate change.
This is why France’s recent announcement is not just timely, but necessary, for Europe to continue charting a path of global success in the future. Today, the theory of quantum computers is way ahead of their actual capability. But in 10 years, it will be a different story, and given the scale of the challenge, acting now is of essence.
Making the most of quantum is not just about building the computers themselves. The entire paradigm of computer science is being upended. Europe is already facing a shortage of computer scientists, and its future computer science graduates must have the tools and knowledge needed to harness this new technology. This is why France is right to focusing funding not only on research and equipment, but also talent and skills to power this computer science revolution.
For McAfee, making the digital world safe is a top priority, and naturally our attention gravitates toward the opportunities and threats quantum computing poses to keeping data secure and safe.
But making the world a safer place isn’t just about preventing cyberattacks and encrypting valuable data. It’s equally about making the world greener and using the power of technology to solve our pressing societal and economic challenges. Quantum computing will play a key role in all these goals, provided the technology is in the right hands. Bad actors see the same opportunities in quantum to disrupt and bring chaos as we see in making the world a better place, and the only way to stymie their efforts is ensuring that Europe, along with the US and others determined to make the world a better place, stay one step ahead.
The post Europe’s Quantum Story is Accelerating, and the World Will be Better for it appeared first on McAfee Blogs.
Only 57% of women in the U.S. are working or looking for work right now—the lowest rate since 1988.
That telling data point is just one of several that illustrate a stark contrast in these stark times: of the millions who’ve seen their employment affected by the pandemic, women have been hardest hit.
According to the U.S. Bureau of Labor Statistics (BLS), some 2.3 million women left the workforce between the start of the pandemic and January 2021. Meanwhile, the BLS statistic for the number of men who left the U.S. workforce in that same period was 1.8 million. With International Women’s Day here, it’s time we ask ourselves how we can stem this inordinately sized tide of hard-working and talented women from leaving the workforce.
A broader BLS statistic provides a further perspective: a total of 4,637,000 payroll jobs for women have been lost in total since the pandemic began in the U.S. alone. That ranges from executive roles, jobs in retail, and educators, to work in public service and more. Of those jobs lost, about one third of women aged 25-44 cited that childcare was the reason for that unemployment.
Combine that with the fact that globally women carry out at least two and a half times more unpaid household and care work than men, and a global gender pay gap of 23%, it’s easy to see why millions of women have simply dropped out of the workforce to manage children and home schooling—even in the instances where employment is available.
Not that this should surprise us. For example, just a few years before the pandemic, research showed that few Americans wanted to revert to the traditional roles of women at home and men in the workplace. However, when push came to shove, the Pew Research showed that women most often made compromises when needs at home conflicted with work. And now we’ve seen that sentiment come home to roost. On a massive scale.
Put plainly, when the pandemic pushed, women’s working lives predominantly went over the edge.
Within these facts and figures, I’d like to focus on the women who are working remotely while caring for their families, whether that’s their children, elders in their lives, or even a mix of both. What can we do, as employers, leaders, and co-workers in our businesses to better support them?
As early as June, Forbes reported that women were reducing their working hours at a rate four to five times greater than men, ostensibly to manage a household where everything from daycare, school, elder care, and work all take place under the same roof. The article went on to cite ripple-effect concerns in the wake of such reductions like the tendency to pursue less-demanding work, greater vulnerability to layoffs, and reduced likelihood for promotion. In fact, one study conducted in the U.S. last summer found that 34% of men with children at home say they’ve received a promotion while working remotely, while only 9% of women with children at home say the same.
In an interview with the BBC, Melinda Gates, the Co-Chair of the Bill and Melinda Gates Foundation, stated her views on the situation succinctly: “I hope Covid-19 forces us to confront how unsustainable the current arrangement is—and how much we all miss out on when women’s responsibilities at home limit their ability to contribute beyond it. The solutions lie with governments, employers, and families committed to doing things more equitably.” I agree. This is a problem for us to solve together.
As for the role of employers and leaders in the solution, some thinking presented in The Harvard Business Review caught my eye. The article, “3 Ways Companies Can Retain Working Moms Right Now” focuses on what employers can do to better support the women in their workforce. The three ingredients the authors propose are:
If we think about the stressors we all face, this simple recipe actually reveals some depth. It takes knowing, and engaging with, employees perhaps more greatly than before. One sentence in the conclusion struck me in particular:
“It is no longer an option for managers to pretend that their employees do not have lives outside of their jobs, as these evaporated boundaries between home and work are not going away anytime soon.”
I see this every practically every day when I meet with my team. I’m sure you’ve seen it as well. With our laptop cameras on for sometimes hours a day, we’ve all caught glimpses into our coworker’s lives outside the office, seen that 7am meeting rescheduled for 8am to accommodate a busy breakfast rush with the family, or even kiddos pop into the frame during a call to say “hi.” What we may not see is just how much of a struggle that could be for some in the long haul.
Enter again those notions of providing certainty and clarity, rightsizing job expectations, and showing empathy. While not the end-all-be-all answers, they provide a starting point. As employers and leaders, if we can minimize the x-factors, adapt the workloads, and show compassion as we navigate the road to recovery, we can retain employees—and at least mitigate some of the stressors that are pushing women out of their jobs and careers during this pandemic. Exceptional employers and leaders have always done this. And now, in exceptional times, I believe it must become the norm.
Likewise, for co-workers, it’s absolutely okay to check in with people on your team, your vendors, your clients, and other people in your network and simply ask how they’re doing. I’ve had many meetings where we informally go around the horn and talk about what’s going on outside of work. The shared experience of working remotely has a way of creating new norms, and perhaps starting a meeting with an informal check-in way on occasion is one of them.
This is an opportunity to listen, simply so someone can feel better by being heard, and so that we can pinpoint places where we can come in and offer some support.
Some challenges women are facing are beyond our capacity to help firsthand, yet we can identify them when we see them. If you or someone you know is struggling, here are a few resources in the U.S. that can help:
The Office on Women’s Health, part of the U.S. Department of Health & Human services, offers a wealth of resources on its website, along with a help line that can provide further resources as well.
The National Institute of Mental Health has an extended list of articles, resources, and links to services that can provide immediate help for people who are struggling to cope or who are in crisis.
A Better Balance is a nonprofit legal advocacy group that “uses the power of the law to advance justice for workers, so they can care for themselves and their loved ones without jeopardizing their economic security.” They offer a confidential help line that can provide people with information about their workplace rights.
The National Women’s Law Center offers complementary legal consultations and with questions about accessing paid sick leave and paid leave to care for a child whose school or childcare provider is closed because of COVID-19.
As women leave the workforce worldwide, we’ve seen organizations lose precious talent, and we’ve seen women sacrifice their livelihoods and career paths. As such, the pandemic has exacted hard and human costs, ones that have fallen on women in outsized ways.
A problem of this scope is one for us to solve collectively. Apart from the bigger, broader solutions that may be forthcoming, as the employers and co-workers of women, there’s something we can do right now: reach out, listen, and act. These days call for more empathy and adaptation than ever before, particularly for the hard-working women who are doing it all—and then some.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Supporting the Women Most Affected by the Pandemic appeared first on McAfee Blogs.
How our new identity & privacy app can help
By this point in the year you may have already broken some of your New Year’s resolutions, but here’s one to keep: better protecting your online privacy.
After all, we are likely to continue to spend more time online in 2021, whether it be for working, learning, or shopping. This makes taking some preventative steps to shield our identity information more important than ever.
That’s why McAfee has been working on a new identity and privacy app for safeguarding your personal information, and we’d love for you to try it if you’re in the U.S.
Here’s a little bit about our approach. We looked at some of the key areas where users’ private information can be vulnerable, and designed a tool that offers easy-to-use, proactive protection for Windows, Android, and iOS devices, with consistent, familiar experiences regardless of the platform.
We know, for instance, that users are vulnerable when using unsecured networks, like public Wi-Fi. This is where a cybercriminal can potentially capture your login credentials and other personal information as it flows over the network, from your laptop to your bank’s website, for example.
So, we made sure to include a Virtual Private Network (VPN) to keep your information protected from prying eyes. It does this easily, and even automatically, by detecting when you’re on a public network and prompting you to turn on your VPN. The VPN then scrambles, or encrypts, your data as it flows over the network. Unlike some VPNs that require advanced settings to shield your data, our app offers seamless security.
Another area of high risk that we want to address is data breaches. Whether one of your personal accounts is hacked–or worse–another website somehow gets ahold of your data and subsequently gets breached, your data may end up on the dark web. This is where cybercriminals buy and sell information.
To detect these dangerous leaks, we included dark web monitoring, which alerts you if your login credentials have been exposed. It can even provide you with a link to the site that uses those credentials when the information is available. This allows you to swiftly reset your passwords, mitigating the risk.
Given that we saw a spike in corporate data breaches in 2020, where 58% of victims had their personal data compromised, I believe this kind of always-on monitoring of your private information is key.
Most importantly, we wanted to make this personal protection app easy to use and available across all your compatible devices. So, whether you’re out with just your phone, or home working at your PC, you have access to your protection, and can even pick up where you left off on a different device.
I know that organizing my digital life gives me one less thing to worry about, and I hope it’s the same for you. Give the app a try, and please let us know what you think since we are always open to your feedback.
Here’s to a happy and secure year!
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Let’s Commit To Protect Our Privacy This Year appeared first on McAfee Blogs.
It’s popular. It’s uplifting. It’s creative. It’s entertaining. It can also be risky.
All these words equally describe TikTok, the wildly popular social network that allows teens to create and share videos and find critical connections during isolating times. So what makes TikTok both amazing and potentially risky at the same time? It isn’t the app itself but, rather, the way some kids choose to use it.
Several of those risky behaviors making headlines lately include the all-too-familiar topic of viral challenges. The secondary risk? Underage users’ common practice of bypassing TikTok’s age restrictions, which can put them in harm’s way. In 2020, TikTok classified more than a third of its 49 million daily users in the U.S. as being 14 years old or younger.
A recent webinar hosted by Cyberwise featuring Rick Andreoli, Editor-in-Chief at Parentology, and Pamela Rutledge, director of the Media Psychology Research Center, highlighted the risks of some of the latest challenges. (Listen to the full discussion here). Here are just a few of the many challenges parents should know about.
The blackout challenge. The draw to this challenge is somewhat new to TikTok but familiar in the online challenge realm. It involves users live-streaming themselves as they cut off their air supply to the point of losing consciousness. Sadly, this challenge recently had deadly consequences for a 10-year-old TikTok user, according to Newsweek reports. The incident prompted an outcry for the platform to ban users with unconfirmed ages.
Skullbreaker/trip jump challenge. TikTok users carry out this challenge in various ways, but one of the most common includes three friends side-by-side. As the video begins, everyone jumps or dances as pre-planned, only one kid is targeted to go down as the other two swipe the legs out from under them, causing either a face plant or a backward fall. This popular challenge has resulted in several medical emergencies.
The outlet or penny challenge. Fire officials have issued public cautions around this challenge, which involves sliding a penny into a partially plugged-in phone charger or cord. The goal? See who can record and post the biggest sparks or, yes, flames.
Coronavirus challenge. Here’s a challenge that thankfully didn’t gain too much traction before TikTok banned it. It was created by several “influencers” and encouraged TikTok users to post videos of themselves defying the Coronavirus by licking public objects — such as toilets and grocery store items.
A final reminder for parents is this: Challenge yourself to let go of the assumption that your child won’t try foolish things online. Smart kids also make unwise choices — a possibility that’s easily provoked in an environment where influencers, likes, and peer comments can disguise danger. It’s easy to forget that during the teen years, reason and evolving identity are at constant odds, which means emotion can suddenly commandeer logic. For parents, this means that by getting involved in your child’s digital world, you have the chance influence and guide them when they need it most.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post TikTok Update: Dangerous Viral Challenges & Age Restrictions appeared first on McAfee Blogs.
Cryptocurrency enthusiasts are flocking to the Wild West of Bitcoin and Monero to cash in on the recent gold rush. Bitcoin’s meteoric rise in value is making coin mining an appealing hobby or even a whole new career. Coin mining software is the main tool in a prospector’s belt.
Some coin miners, also known as cryptocurrency miners, are tempted by the dark side of the industry and resort to nefarious means to harness the immense computing power needed for cryptocurrency profits. Greedy cryptocurrency criminals employ a practice called cryptojacking, stealing the computer power of unsuspecting devices to help them mine faster. Your device could be at risk at being recruited to their efforts.
Let’s dig into how coin mining programs work, why they turn malicious, and how you can stay safe from cryptojackers.
Mining cryptocurrency takes a lot of time and computer processing power. A coin mining home setup requires a graphics processing unit (GPU) or an application-specific integrated circuit (ASIC). Coin mining software then runs off the GPU or ASIC. Each central processing unit (CPU), or the brain of the computer, plus the GPU or ASIC is referred to as a mining rig.
Once the software is installed, the rig is ready to mine, running mathematical calculations to verify and collect new cryptocurrency transactions. Each calculation is known as a hash, and hash rates are the number of calculations that can be run per second.
From there, casual miners may choose to join a mining pool, which is a club of miners who agree to consolidate their computing power and split the profits based on how much work each miner contributed to the output.
Bitcoin rewards miners every 10 minutes for their efforts. Each time miners solve a string of mathematical puzzles, they validate a chain of transactions, thus helping make the entire Bitcoin system more secure. Miners are paid in bitcoin and they also receive a transactional fee.
While coin mining typically starts off as a casual hobby, coin mining programs can turn malicious when cryptocurrency miners want to earn more without investing in boosting their own computing power. Instead, they reroute their targets’ computing power without asking. This is called cryptojacking.
Mining requires incredible amounts of electricity and the more rigs involved; the more cryptocurrency can be mined. Usually, the utility bills and the cost of running coin mining software negates any profit. For example, a casual miner may have one rig devoted to mining. An average rig processes approximately 500 hashes per second on the Monero network (a type of cryptocurrency). However, 500 hashes per second translates to less than a dollar per week in traditional, or fiat, currency.
Greedy cryptocurrency criminals recruit CPU soldiers to their mining army to improve their hash rate. To do so, criminals download coin mining software to a device and then program it to report back to their server. The device’s thinking power is diverted from the owner and funneled straight to the criminal’s server that now controls it. Compromised devices run considerably slower and can overheat, and the strain on the device can eventually destroy it.
Cryptojackers are not your everyday thieves. Their target is your CPU power, and they employ devious methods to funnel it for their own use. Luckily, there are a few easy ways to thwart their efforts:
Personal devices are often infected through phishing within emails and texts. There are many tell-tale signs of a phishing message. For example, they are often poorly written and use language that indicates that the sender wants a hasty response. Also, phishing attempts often charade as official organizations, like banks and credit card companies. If you are ever suspicious of an email or text, do not open any of the links and do not reply. Instead, contact the organization’s customer support to verify the legitimacy of the message.
Another way miners gain access to personal devices is by camouflaging malicious code in pop-up ads. An easy way to avoid being cryptojacked is to simply never click on these ads. Or even better, install an ad blocker to help eliminate the risk.
Public wi-fi and poorly protected networks present a vulnerable entry point for cybercriminals to hack into your devices. Cybercriminals often attempt to download software remotely to your laptop, desktop, or mobile device to reroute its computing power for their own selfish gains. Always connect to a VPN like McAfee Safe Connect VPN to safely surf unsecure networks.
Cryptojacking code is inconspicuous and generally hidden in legitimate code. Antivirus software, such as McAfee Total Protection, is a recommended way to proactively scan for malware and even identify fraudulent websites. McAfee WebAdvisor has a Chrome extension that specifically blocks cryptojackers.
Be aware of the signs your devices have been cryptojacked. For example, monitor any changes in the speed of your devices and check out your utility bills for dramatic spikes. By remaining vigilant with these tips, you will keep your devices safe from cryptocurrency miners gone rogue.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Why Coin Miners Go Bad & How to Protect Your Tech When They Do appeared first on McAfee Blogs.
In a year where people relied on their digital lives more than ever before and a dramatic uptick in attacks quickly followed, McAfee’s protection stood strong.
We’re proud to announce several awards from independent third-party labs, which recognized our products, protection, and the people behind them over the course of last year.
The Cybersecurity Excellence Awards is an annual competition honoring individuals and companies that demonstrate excellence, innovation, and leadership in information security. We were honored with four awards:
Further recognition came by way of three independent labs known for their testing and evaluation of security products. Once more, this garnered several honors:
As the threat landscape continues to evolve, our products do as well. We’re continually updating them with new features and enhancements, which our subscribers receive as part of automatic product updates. So, if you bought your product one or two years ago, know that you’re still getting the latest award-winning protection with your subscription.
We’d like to acknowledge your part in these awards as well. None of this is possible without the trust you place in us and our products. With the changes in our work, lifestyles, and learning that beset millions of us this past year, your protection and your feeling of security remain our top priority.
With that, as always, thank you for selecting us.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post McAfee Awarded “Cybersecurity Excellence Awards” appeared first on McAfee Blogs.
Something you’ll want to know about all those movies, mp3s, eBooks, air miles, and hotel points you’ve accrued over the years: they’re digital assets that can factor into a divorce settlement.
Understandably, several factors determine the distribution of assets in a divorce. However, when it comes to dividing digital assets, divorce settlements and proceedings are charting new territory. The rate of digital innovation and adoption in recent years has filled our phones, tablets, and computers with all manner of digital assets. What’s more, there are also the funds sitting in our payment apps or possibly further monies kept in the form of cryptocurrencies like bitcoin. Put plainly, the law is catching up with regards to the distribution of these and other digital assets like them.
Yet one thing that the law recognizes is that digital assets can have value and thus can be considered property subject to distribution in a divorce.
In light of this, the following is a checklist of considerations that can help prepare you or someone you know for the distribution of digital assets in a fair and just way.
Nothing offered in this article is legal advice, nor should it be construed as such. For legal advice, you can and should turn to your legal professional for counsel on the best approach for you and the laws in your area.
For starters, let’s get an understanding as to what actually constitutes a digital asset.
Because laws regarding digital assets vary (and continue to evolve), the best answer you can get to this question will come from your legal counsel. However, for purposes of discussion, a digital asset is any text or media in digital form that has value and offers the bearer the right to use it.
To put that in practical terms, let’s look at some real-world examples of what could constitute a digital asset. That list includes, but is not limited to:
However, digital assets can readily expand to further include:
And like any other asset in the case of a divorce, a value will be ascribed to each digital asset and then distributed per the conditions or orders of the settlement.
Arriving at the value of specific digital assets begins with an inventory—listing all the digital assets and accounts you own, just as you would with any other monetary or physical assets like bank accounts, properties, and cars. When you go through this process, chances are you’ll quickly find that you have hundreds if not thousands of dollars of digital assets.
For example, we can look at the research we conducted in 2011 which found that people placed an average value of $37,438 on the digital assets they owned at the time. Now, with the growth of streaming services, digital currency, cloud storage, and more in the past ten years, that figure feels conservative.
Above and beyond preparing for a divorce settlement, taking such an inventory of your digital assets is a wise move. One, it provides you with a clearer vision of the things you own and their worth; two, maintaining such a list gives you a basis for estate planning and determining who you would like to see receive those assets. Likewise, maintain that list on a regular basis and keep it safe. It’s good digital hygiene to do so.
With this inventory, each asset can then have an assessed value ascribed to it. In some instances, a value will easily present itself, such as the cost of a subscription or how much money is sitting in a PayPal account. In other cases, the value will be sentimental, such as the case is with digital photos and videos. Ideally, you and your spouse will simply be able to duplicate and share those photos and videos amicably, yet it is important that you articulate any such agreement to do so. This way, a settlement can call out what is to be shared, how it will be shared, and when.
Not all digital assets are transferrable. Certain digital assets are owned solely in your name. In other words, you may have access to certain digital assets that cannot transfer to someone else because you do not have the rights to do so per your user agreement. This can be the case with things such as digital books, digital music, and digital shows and movies.
In such circumstances, there may be grounds for negotiation and a “limited transfer” in the settlement, where one party exchanges one asset for another rather than splitting it equally. A case in point might be a sizeable eBook library on a device that’s in the name of one spouse. While that library can’t be split or transferred, one spouse may keep the eBook library while another spouse keeps a similarly valued asset or group of assets in return—like say a collection of physical books.
Streaming services will need to be addressed too. Be prepared to either terminate your accounts or simply have them assigned to the person in whose name they are kept. In the case of family accounts, the settlement should determine how that is handled, whether it gets terminated or similarly turned over to one spouse or the other. In all, your settlement will want to specify who takes over what streaming service and when that must occur.
Like dividing up investment accounts where the value of the account can vary daily, digital currencies can present challenges when spouses look to divide the holdings. Cryptocurrency valuation can be quite volatile, thus it can be a challenging asset to settle from a strict dollar standpoint.
What’s more, given the nature of digital currencies, there are instances where an unscrupulous spouse may seek to hide worth in such currency—which is an evolving issue in of itself. This recent article, “Cryptocurrency: What to Know Before and During Divorce,” covers the additional challenges of cryptocurrency in detail, along with an excellent primer on what cryptocurrency is and how it works.
Ultimately, cryptocurrency is indeed an asset, one that your attorney and settlement process will need to address, specifically so that there are no complications later with the transfer or valuation of the awarded currency.
With accounts changing hands, now’s the time to start fresh with a new set of passwords. What’s more, we have a tendency to reuse the same passwords over and over again, which may be known to an ex-spouse and is an inherent security risk in of itself. Change them. Even better, take this opportunity to use a password manager. A password manager can create and securely store strong, unique passwords for you, thus saving you the headache of maintaining dozens of them yourself—not to mention making you far more secure than before.
Again, keep in mind that nothing here is legal advice. Yet, do keep these things in mind when consulting with an attorney. The reality is that we likely have thousands of dollars of what could be considered digital assets. Inventorying them and ascribing a fair market value to them along with your legal professional is the first step in a fair and just settlement.
The post Digital Divorce: Who Gets the Airline Miles and Music Files? appeared first on McAfee Blogs.
World Password Day isn’t the most popular day on the calendar, but it’s an important reminder that good password hygiene is essential to staying safe online. This World Password Day, we’d like to talk about improving your password hygiene, how you can help your friends and family improve theirs, and what the future of authentication holds.
The SolarWinds hack in 2020 is one of the most devastating hacks in the history of the internet. Close to 20,000 company’s systems were compromised, losing billions of pieces of data in the process. If you’re one of the 37% of Americans that go long periods of time without updating passwords*, large-scale attacks like SolarWinds can be devastating. By stealing so many login credentials simultaneously, attackers can potentially access exponentially more accounts by reusing leaked credentials on different sites. Unfortunately this is not an isolated event, data breaches from websites and services we frequently use continue to happen through 2021 as well.
According to a recent survey we conducted, 34% of Americans have reused the same, or similar, password more than once. By using the same password for multiple accounts, attackers only need to find one password, creating a domino effect that makes it easier to access more accounts. If that password is weak, it becomes even easier to tip over that first domino.
Our guidance is to create strong, hard-to-guess passwords to protect your accounts. We recommend creating a unique password for every online account, using more than 16 characters, with upper and lower case letters, some numbers, and special symbols, to make a stronger than average password. How are you supposed to remember all of those strong passwords, though?
Well, password managers, especially those included in comprehensive security suites like McAfee® Total Protection, do much of the heavy lifting for you. For instance, McAfee’s integrated password manager not only helps you create stronger passwords and store them, but will also autofill your credentials and log you into websites as well. These convenient features extend beyond just your computer and can be used on other devices like your phone and tablet. Best of all, password managers that are an integrated part of a security suite can be monitored, so you’ll be alerted if your passwords get exposed in a data breach.
You’ve already taken a step towards improving your password hygiene by reading this blog post. But the next step is, have an honest look at your passwords. Do you write them down, use the same for many accounts, or use weak ones? Then it may be time for a change to better protect your accounts and the personal info in those accounts.
If you’re like a certain member of my family—that will remain nameless, Mom—who kept their passwords written down in a notepad, making the change to a password manager (McAfee’s, naturally) was a life-changing moment. Not only did it help her see just how often she was using the same login credentials, she now has an easy way to store, auto-fill, and even generate strong passwords across all her accounts and devices. An intended bonus was that she also realized how many accounts she was no longer using!
Now that you know more about what makes a strong password and how to protect them, let’s talk about why strong passwords are just the start of keeping your accounts safe. You’re probably already using Two-Factor Authentication for apps and services, but you may not have heard the term before. Two-Factor Authentication, or 2FA, is the second layer of protection to authenticate or prove you are the owner of this account. If you’ve received a text message or an email to confirm a new account signup, that’s a type of 2FA.
Text messages and email aren’t the only types of 2FA. There are USB keys, apps, and even systems built-in to your phone, like facial recognition to open phone apps, for example. Some popular 2FA options are USB keys and Google Authenticator.
The great thing about 2FA is that it helps make your strong passwords even more effective by stopping an attacker from using stolen credentials. If you fell victim to a phishing attack that looked like your bank’s website, the attacker would have your email and password combination. Without 2FA, they could log into your account and pretend they’re you. With 2FA in place, it becomes much harder for an attacker to access your account because they’re missing that last important piece of information.
Humans are almost always the weakest link when it comes to securing information. But by committing ourselves to better password practices, with help from the latest technology, we can make sure passwords are a strong link in our security chain; one that will only get stronger in the future.
For instance, using a device like a key-fob, new passwordless systems can authenticate a user without entering their login details. Not only does this make logging into your accounts lightning fast, you also never have to remember a complicated password again.
Biometric locks, like FaceID, are another example of passwordless entry. Using your face, or a fingerprint to authenticate yourself makes it much harder for attackers to break into your accounts.
We hope this Password Day post has helped answer some questions about password hygiene and how to take better care of your online accounts. Online security changes from day to day, so staying aware of new technologies and building safe new habits is essential. Perhaps one day this day will no longer need to exist on our calendars, as we look to a future where we might not need passwords at all. While we collectively make strikes towards this future, let’s celebrate this day while it lasts.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post World Password Day: Make Passwords the Strongest Link in Your Online Security appeared first on McAfee Blogs.
To enjoy online life to the fullest these days, we often have to give out a certain amount of personal information. That also means the moment you go online you’re giving personal data away. Whether it’s your phone, a game console, or a connected speaker, someone, somewhere, is monitoring your connection. Knowing what data your device sends, and who has access to that information, is an important part of maintaining your online privacy. However, without the right tools, you’re probably giving away a lot more information than you realize. Many believe that one effective way to maintain online privacy is by using a private mode on a browser.
However, it’s a common misconception that “private browsing” modes–like Google’s Incognito–protect your online privacy. It makes sense, they’re called “private browsing”, what else would they do? Well, if you’ve read the news lately, you may have seen that Google is in a $5 billion lawsuit specifically because of their private browsing mode.
The thing is, incognito mode is often misunderstood. When you open an incognito window, you’re told that “You’ve gone incognito.” The explanation underneath says that your browsing history, website visits, cookies, and information you put in forms, won’t be saved. This is where the confusion starts. What the incognito explanation doesn’t tell you is that your browsing information isn’t blocked or hidden from advertisers while in incognito mode. So even though your browsing information “won’t be saved” on your device or available after you close the window, that doesn’t stop the internet from seeing everything you’ve been up to while in that session.
For these reasons, more people use virtual private networks, or VPNs, to protect their browsing history from prying eyes. If you’re new to VPN, this might be the perfect time to learn about what they are, how they work and why you might choose a VPN over private browsing.
VPN protects your devices by wrapping your internet connection in a secure tunnel that only you can access. This stops people —like those nosey advertisers—from seeing what sites you visit. With a secure connection to the Internet, every search request, every website you browse, is hidden from sight. It’s important to point out that VPN doesn’t make you anonymous; they make it so only you can see what you’re doing online. You can learn even more about VPN in this blog.
Without private browsing, your browser tells websites–and their owners–all kinds of things about you like what device you’re using, where you are, what sites you’ve visited, and when. Websites use this information to serve you relevant ads, but it can also be used to track your location and browsing habits.
With private browsing, your browser window is isolated from the rest of your operating system. Isolating the browser is supposed to help block websites from seeing who you are, block cookies and prevent access to your browsing history, but even when using private browsing, tests like EFF’s Panopticlick privacy test can see what device you’re on, where you’re connecting, if you can accept cookies, your OS, and many other types personally-identifying information.
We wouldn’t recommend using incognito mode instead of a VPN, ever. However, Incognito mode has its place in your online security toolkit, as long as you don’t think of it as a replacement for other types of protection. For instance, if you share a device with other people, like family members, then you might want to use incognito mode to make sure your partner doesn’t accidentally find out how much you spent on their surprise birthday gift. But, if you’re concerned with advertisers tracking you and watching what you do online, then you should consider also using a VPN to protect your privacy.
If you’re already a McAfee Total Protection subscriber, you have access to unlimited VPN usage. Protect your personal information, like your banking information and credit cards, from prying eyes with McAfee Total Protection’s Secure VPN. If you haven’t already signed up, now’s the perfect time. McAfee Total Protection provides security for all your devices, giving you peace of mind while you shop, bank, and browse online.
The post Private browsing vs VPN – Which one is more private? appeared first on McAfee Blog.
With so many of us relying on the internet in ways we simply haven’t before, it follows that a safer internet is more important than ever before too.
June marks Internet Safety Month, a time where we can look back at the past year and realize that the internet was more than just a coping mechanism during the pandemic, it evolved into a survival tool.
Our research published earlier this year showed how. It found that we relied heavily on the internet for our banking, personal finance, shopping, and even healthcare—not to mention the ways we worked, studied, and kept in touch with each other online during the pandemic. For millions of families globally, the internet was their connection to the rest of the world.
None of that would have been possible without a safer internet that we can trust. The truth is, part of creating a safer internet rests with us—the people who use it. When we take steps to protect ourselves and our families, we end up helping protect others as well. How we act online, how we secure our data and devices, how we take responsibility for our children, all of it affects others.
Here are just a few ways you can indeed make a safer internet for your family, and by extension, safer for others too:
Start with the basics: get strong protection for your computers and laptops. And that means more than basic antivirus. Using a comprehensive suite of security software like McAfee® Total Protection can help defend your entire family from the latest threats and malware, make it safer to browse, help steer you clear of potential fraud, and look out for your privacy too.
Protecting your smartphones and tablets is a must nowadays as well. We’re using them to send money with payment apps. We’re doing our banking on them. And we’re using them as a “universal remote control” to do things like set the alarm, turn our lights on and off and even see who’s at the front door. Whether you’re an Android owner or iOS owner, get security software installed on your smartphones and tablets so you can protect all the things they access and control.
Another thing that comprehensive security software can do is create and store unique passwords for all your accounts and automatically use them as you surf, shop, and bank. Further, it can keep those passwords safe—unlike when they’re stored in an unprotected file on your computer, which can be subject to a hack or data loss—or sticky notes that can simply get lost.
With stories of data breaches and identity theft making the news on a regular basis, there’s plenty of focus on the things we can do to protect ourselves from identity theft. However, children can be targets of identity theft as well. The reason is, they’re high-value targets for hackers. Their credit reports are clean, and it’s often years before parents become aware that their child’s identity was stolen, such as when the child enters adulthood and rents an apartment or applies for their first credit card.
One way you can spot and even prevent identity theft is by checking your child’s credit report. Doing so will uncover any inconsistencies or outright instances of fraud and put you on the path to set them straight. In the U.S., you can do this for free once a year. Just drop by the FTC website for details on your free credit report. And while you’re at it, you can go and do the same for yourself.
You can take your protection a step further by freezing your child’s credit. A freeze will prevent access to your child’s report and thus prevent any illicit activity. In the U.S., you’ll need to create a separate freeze with each of the three major credit reporting agencies (Equifax, Experian, and TransUnion). It’s free to do so, yet you’ll have to do a little legwork to prove that you’re indeed the child’s parent or guardian.
Smartphone safety for kids is a blog topic in itself. Several topics, actually—such as when it’s the “right” time to get a child their first smartphone, how they can stay safe while using them, placing limits on their screen time, and so on.
Taking it from square one, make sure that all your smartphones are protected like we called out above—whether it’s yours or your child’s. From there, there are eight easy steps you can take to hack-proof your family’s smartphones, such as juicing up your passwords, making sure the apps on them are safe and setting your smartphone to automatic updates.
If you’re on the fence about getting your child their first smartphone, you’re certainly not alone. So many parents are drawn to the idea of being able to get in touch with their children easily, and even track their whereabouts, yet they’re concerned that a smartphone is indeed too much phone for younger children. They simply don’t want to expose their children to the broader internet just yet.
The good news is that there are plenty of smartphone alternatives for kids. Streamlined flip phones are still a fine option for parents and kids, as are cellular walkie-talkies and new lines of devices designed specifically with kids in mind.
And if you’re ready to make the jump, check out our tips for keeping your child safe when you purchase their first smartphone. From basic security and parental controls to keeping tabs on your child’s activity and your role in keeping them safe, this primer makes for good reading, and good sharing with other parents too, when you get serious about making that purchase.
Cyberbullying is another broad and in-depth topic that we cover in our blogs quite often, and for good reason. Data from the Cyberbullying Research Center shows that an average of more than 27% of kids have experienced cyberbullying over the past 13 years. In 2019, that figure was as high as 36.5%. Without question, it’s a problem.
What exactly is cyberbullying? Stopbullying.gov defines it as:
“Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation.”
Part of the solution is knowing how to spot cyberbullying and likewise taking steps to minimize its impact if you see it happening to your child or someone else’s. The important thing is to act before serious damage sets in or even a criminal act can occur.
The painful truth is that someone’s child is doing the bullying, and what could be more painful than finding out your child is doing the bullying? If you suspect this is happening, or have seen evidence that it’s indeed happening, act right away. Our article “Could Your Child (Glup) be the One Cyberbullying,” outlines ten steps you can take right away.
If you’ve taken steps to solve a situation involving cyberbullying and nothing has worked, know there are cyberbullying resources that can help. Likewise, don’t hesitate to contact your child’s school for assistance. Many schools have policies in place that address cyberbullying amongst their students, whether the activity occurred on campus or off.
With all the emphasis on technology, it’s easy to forget that behind every attack on the internet, there’s a person. A safer internet relies on how we treat each other and how we carry ourselves on the internet (which can be quite different from how we carry ourselves in face-to-face interactions).
With that, National Internet Safety Month presents a fine opportunity to pause and consider how we’re acting online. Very Well Family put together an article on internet etiquette for kids, which covers everything from the online version of “The Golden Rule” to ways you can steer clear of rudeness and drama.
Granted, we can’t control the behavior of others. Despite your best efforts, you or your children may find themselves targeted by poor or hurtful behavior online. For guidance on how to handle those situations, check out our article on internet trolls and how to handle them. There’s great advice in there for everyone in the family.
If we didn’t know it already, the past year proved that a safer internet isn’t a “nice to have.” It’s vital—a trusted resource we can’t do without. Take time this month to consider your part in that, what you can do to make your corner of the internet safer and a thriving place that everyone can enjoy.
The post A Safer Internet for You, Your Family, and Others Too appeared first on McAfee Blogs.
Over the past year, you may have seen the term ransomware popping up frequently. There’s good reason for that as ransomware is responsible for 21% of all cyberattacks, according to a new report. For enterprising hackers, this tactic has become standard operating procedure because it’s effective and organizations are willing to pay. But what does that mean for you and living a confident life online? Fortunately, there are a number of things individuals can do to avoid ransomware. But first, let’s start with the basics.
Ransomware is malware that employs encryption to hold a victim’s information at ransom. The hacker uses it to encrypt a user or organization’s critical data so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organizations.
McAfee Labs counted a 60% increase in attacks from Q4 2019 to Q1 2020 in the United States alone. Unfortunately, the attacks targeting organizations also impact the consumers who buy from them, as the company’s data consists of its customers’ personal and financial information. That means your data if you’ve done business with the affected company. Fortunately, there are many ways you can protect yourself from ransomware attacks.
When a company is hit with a ransomware attack, they typically are quick to report the incident, even though a full analysis of what was affected and how extensive the breach may have been may take much longer. Once they have the necessary details they may reach out to their customers via email, through updates on their site, social media, or even the press to report what customer data may be at risk. Paying attention to official communications through these various channels is the best way to know if you’ve been affected by a ransomware attack.
The top ransomware infection vectors – a fancy term for the way you get ransomware on your device – are phishing and vulnerability exploits. Of these two, phishing is responsible for a full 41% of ransomware infections. Ironically, this is good news, because phishing is something we can learn to spot and avoid by educating ourselves about how scammers work. Before we get into specific tips, know that phishing can take the form of many types of communications including emails, texts, and voicemails. Also know that scammers are convincingly imitating some of the biggest brands in the world to get you to surrender your credentials or install malware on your device. With that in mind, here are several tips to avoid getting phished.
If you receive an email, call, or text asking you to download software or pay a certain amount of money, don’t click on anything or take any direct action from the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily.
If someone sends you a message with a link, hover over the link without clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.
Instead of clicking on a link in an email or text message, it’s always best to check directly with the source to verify an offer, request, or link.
McAfee offers the free McAfee WebAdvisor, which can help identify malicious websites and suspect links that may be associated with phishing schemes.
If you do get ransomware, the story isn’t over. Below are 8 remediation tips that can help get your data back, along with your peace of mind.
If you get ransomware, you’ll want to immediately disconnect any infected devices from your networks to prevent the spread of it. This means you’ll be locked out of your files by ransomware and be unable to move the infected files. Therefore, it’s crucial that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device free and reinstall your files from backup. Backups protect your data, and you won’t be tempted to reward the malware authors by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.
If you discover that a data leak or a ransomware attack has compromised a company you’ve interacted with, act immediately and change your passwords for all your accounts. And while you’re at it, go the extra mile and create passwords that are seriously hard to crack with this next tip.
When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials and generate secure login keys.
Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. For instance, you’ll be asked to verify your identity through another device, such as a phone. This reduces the risk of successful impersonation by hackers.
Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to get you to install dangerous files. Using a security extension on your web browser is one way to browse more safely.
Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.
While it is often large organizations that fall prey to ransomware attacks, you can also be targeted by a ransomware campaign. If this happens, don’t pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments. Thankfully there are free resources devoted to helping you like McAfee’s No More Ransomware initiative McAfee, along with other organizations, created www.nomoreransom.org/ to educate the public about ransomware and, more importantly, to provide decryption tools to help people recover files that have been locked by ransomware. On the site you’ll find decryption tools for many types of ransomware, including the Shade ransomware.
Adding an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, can help protect your devices from these cyber threats. In addition, make sure you update your devices’ software (including security software!) early and often, as patches for flaws are typically included in each update. Comprehensive security solutions also include many of the tools we mentioned above and are simply the easiest way to ensure digital wellness online.
The post 8 Tips for Staying Safe from Ransomware Attacks appeared first on McAfee Blog.
[Disclaimer: The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021.]
Picture this: A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with. With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files, or set up remote backdoor access over the internet. They add malicious apps disguised as Netflix and Spotify to the bike in the hopes that unsuspecting users will enter their login credentials for them to harvest for other cyberattacks. They can enable the bike’s camera and microphone to spy on the device and whoever is using it. To make matters worse, they can also decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive information. As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched.
That’s a potential risk that you no longer have to worry about thanks to McAfee’s Advanced Threat Research (ATR) team. The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet. Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+.
As a result of COVID-19, many consumers have looked for in-home exercise solutions, sending the demand for Peloton products soaring. The number of Peloton users grew 22% between September and the end of December 2020, with over 4.4 million members on the platform at year’s end. By combining luxury exercise equipment with high-end technology, Peloton presents an appealing solution to those looking to stay in shape with a variety of classes, all from a few taps of a tablet. Even though in-home fitness products such as Peloton promise unprecedented convenience, many consumers do not realize the risks that IoT fitness devices pose to their online security.
IoT fitness devices such as the Peloton Bike+ are just like any other laptop or mobile phone that can connect to the internet. They have embedded systems complete with firmware, software, and operating systems. As a result, they are susceptible to the same kind of vulnerabilities, and their security should be approached with a similar level of scrutiny.
Following the consumer trend in increasing IoT fitness devices, McAfee ATR began poring over the Peloton’s various systems with a critical eye, looking for potential risks consumers might not be thinking about. It was during this exploratory process that the team discovered that the Bike’s system was not verifying that the device’s bootloader was unlocked before attempting to boot a custom image. This means that the bike allowed researchers to load a file that wasn’t meant for the Peloton hardware — a command that should normally be denied on a locked device such as this one. Their first attempt only loaded a blank screen, so the team continued to search for ways to install a valid, but customized boot image, which would start the bike successfully with increased privileges.
After some digging, researchers were able to download an update package directly from Peloton, containing a boot image that they could modify. With the ability to modify a boot image from Peloton, the researchers were granted root access. Root access means that the ATR team had the highest level of permissions on the device, allowing them to perform functions as an end-user that were not intended by Peloton developers. The Verified Boot process on the Bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file. To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, ATR had gained complete control of the Bike’s Android operating system.
The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021. The discovery serves as an important reminder to practice caution when using fitness IoT devices, and it is important that consumers keep these tips in mind to stay secure while staying fit:
Stay on top of software updates from your device manufacturer, especially since they will not always advertise their availability. Visit their website regularly to ensure you do not miss news that may affect you. Additionally, make sure to update mobile apps that pair with your IoT device. Adjust your settings to turn on automatic software updates, so you do not have to update manually and always have the latest security patches.
Do your research before making a significant investment in an IoT device. Ask yourself if these devices are from a reputable vendor. Have they had previous data breaches in the past, or do they have an excellent reputation for providing secure products? Also, take note of the information your IoT device collects, how vendors use this information and what they release to other users or third parties.
Above all, understand what control you have over your privacy and information usage. It is a good sign if an IoT device allows you to opt-out of having your information collected or lets you access and delete the data it does collect.
Protect your data from being compromised by stealthy cybercriminals by using an identity theft solution such as the one included in McAfee Total Protection. This software allows users to take a proactive approach to protecting their identities with personal and financial monitoring, as well as recovery tools.
If you are one of the 4.4 million Peloton members or use other IoT fitness devices, it is important to keep in mind that these gadgets could pose a potential security risk just like any other connected device. To elevate your fitness game while protecting your privacy and data, incorporate cybersecurity best practices into your everyday life so you can confidently enjoy your IoT devices.
As stated, McAfee and Peloton worked together closely to address this issue. Adrian Stone, Peloton’s Head of Global Information Security, shared that “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
Peloton is always looking for ways to improve products and features, including making new features available to Members through software updates that are pushed to Peloton devices. For a step-by-step guide on how to check for updated software, Peloton Members can visit the Peloton support site.
The post Is Your Peloton Spinning Up Malware? appeared first on McAfee Blogs.
The gig economy has become more prevalent in today’s world with the appeal and necessity of flexible work opportunities. Many take advantage of short-term contracts, side jobs, and freelance work to retain more control over how they spend their day and earn their income. However, the proliferation of these flexible work opportunities has transcended into the dark web, allowing individuals to conduct nefarious activities. Rather than contracting handyman or moving services on the dark web, you can find hackers contracting their website hacking services or buyers placing ads looking for a hacker to hire. These acts pose significant risks to online users, given the amount of stolen personal information on dark websites. Take a look at the activities you can expect to find on the dark web and the steps you can take to safeguard your online privacy.
The dark web is part of the public internet that search engines do not index. In other words, what happens on the dark web, stays on the dark web with no traceable records. Most people don’t realize that the dark web is not illegal despite its association with criminal activities. However, the dark web has retained a criminal reputation since it is challenging to track what goes on. As a result, criminals will often frequent the dark web to conduct a variety of illegal transactions, including hacking services.
Researchers are discovering an uptick in activity on dark web forums that includes buying and selling black hat hacking services. 90% of the activity on these forums is from people looking to hire hackers to infiltrate websites and steal databases. Additionally, 4% of the people frequenting dark web forums requested hacking services related to website hacking and malicious code injection.
Another 7% of people on the dark web are hackers contracting out their services and tools. These services and tools include web shells, a file uploaded to a server that an attacker can use to execute operating system commands, as well as access to administrative website interfaces and ready-made exploits. Many of the services offered on these forums range in specialties such as site infiltration to data extraction. As a result, they often attract a variety of customers with numerous requests.
Further, many of the ads seeking hacking services are aimed at database hacking. Those targeting databases are often financially incentivized hackers and companies out to steal their competitor’s information. Databases remain a popular target for hackers since they contain a significant amount of personal information ranging from first and last names to credit card numbers. Cybercriminals can then use this information to commit numerous crimes such as monetary theft, unemployment and tax relief fraud, and identity theft.
For example, the Canada Revenue Agency (CRA) had to suspend approximately 800,000 accounts after discovering matching credentials for sale on the dark web. In a previous data breach, hackers used login credentials to access taxpayer accounts, apply for COVID-19 relief funds, and reroute the funds into their bank accounts. Taxpayers could not log in to their accounts without first taking the necessary steps to regain safe access.
Users must protect their online presence and information as these criminal activities continue to escalate in demand. Here are the five must-dos after discovering a data breach to retain your online security.
Be one of the first to know about a data breach by leveraging security software such as McAfee Total Protection. A comprehensive security solution that includes dark web monitoring actively monitors the dark web for data breaches and exposed information. This information includes but is not limited to your date of birth, email addresses, credit card numbers, and personal identification numbers. Robust security software also provides steps for remediation after a data breach to guide the user to regain control and integrity of their data and privacy.
Companies are required to notify their customers of a data breach under the PIPEDA legislature. Be on the lookout for breach notices from relevant companies since they are often the first to know about a data breach impacting their online customers.
Create news alerts for companies that have access to your information to stay notified of the latest events. Additionally, create notifications for your bank and other financial accounts to monitor for suspicious activity such as unauthorized transactions or a drop in credit score. You will be better prepared to mitigate any cybersecurity threats with the right security software and knowledge of the latest risks.
Looking back to the 800,00 taxpayers whose accounts were suspended, they could not regain access without first changing their login credentials. Changing your login credentials such as your usernames, passwords, and security questions is a critical first step to take after any data breach.
Changing your credentials prevents hackers from accessing your personal information and ensures that you regain control over your account security. The chances of a hacker accessing your data are exceptionally high if you use the same credentials across different accounts. Thus, it’s essential to change your usernames and passwords regularly to ensure your information remains secure.
Just as important as changing your password regularly is changing your password following best practices. Create stronger passwords by using a combination of the following:
Long passwords with a minimum of 12 characters are also more effective than shorter passwords since it makes it more difficult for a hacker to guess. In sum, ensure all passwords are long, complex, and only used once. Use a password manager with a built-in generator like the one included in McAfee’s Total Protection solution to make it easier to access and manage passwords.
If your credentials are exposed in a data breach, using multifactor authentication will ensure hackers cannot access your information using only your login credentials. So even if your username and password are exposed, there is still a layer of security that hackers will not be able to bypass. Block out unauthorized login attempts by enabling multifactor authentication wherever applicable.
The dark web continues to be a primary destination for cybercrime. Online users must remain cautious about the information they retain in their online accounts and the websites with access to their personal information. Your data security and privacy are not always a guarantee, but the more precautions you take with your online safety, the better protected you will be.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post The Rise of the Dark Web Gig Economy appeared first on McAfee Blogs.
What do Burger King and the popular “Doge” meme have in common? They both have cryptocurrencies named after their likeliness. WhopperCoin and Dogecoin are just two examples of the thousands of types of cryptocurrencies that have caught users’ attention over the past few years. Cryptocurrencies are digital tokens generated by a computer after solving complex mathematical functions. These functions are used to verify the authenticity of a ledger, or blockchain.
Bitcoin is the most popular cryptocurrency today, increasing its value by almost 300% in 2020. Today, almost 46 million Americans own at least one share of Bitcoin, illustrating how these cryptocurrencies are the future of tomorrow’s digital payment system — or are they? The same benefits that make them a popular choice with online users have also made them popular amongst online thieves, sparking a wave of ransomware attacks and other cyberattacks more recently. This begs the question: do the benefits of Bitcoin outweigh the risks?
Every rose has its thorn, and several Bitcoin benefits seem to be hitched to online security risks. Here are some cryptocurrency characteristics that may seem appealing to users, but also provide cybercriminals with an opportunity to exploit:
As previously mentioned, cryptocurrency exchanges take place on an online public ledger, or blockchain, to secure online transactions. This means that anybody can observe the exchange online. However, the parties making the transactions are anonymous, disguised with a random number. Bitcoin users can make purchases that are never associated with their identity, similar to a cash transaction.
While the purchase discretion provided by Bitcoin may be appealing to users who want to remain private, this characteristic could also aid cybercriminals in malicious activity. Due to the anonymity of Bitcoin transactions, there is no way for someone to associate a person with a certain cryptocurrency wallet. Furthermore, a user could have multiple wallets, allowing them to spread their currency from one address to another.
For a cybercriminal looking to target an individual with ransomware, the purchase discretion and anonymity of Bitcoin provide a favorable solution. In fact, Bitcoin accounts for approximately 98% of ransomware payments today. Say a hacker carries out a ransomware attack and demands that the user pay a large sum in Bitcoin. If the user completes the payment, the hacker can keep moving the currency from one anonymous account to another. That makes it very difficult — though not impossible — to trace if the individual decides to investigate the case and tries to get their money back.
Another characteristic that Bitcoin users find appealing is the autonomy offered by digital currencies. In theory, they allow users more autonomy over their own money than government-regulated currencies do. With Bitcoin, users can control how they spend their money without dealing with an intermediary authority like a bank or government.
This lack of intermediary authority also opens a door for hackers to exploit. Say a user decides that they want to manage their finances using Bitcoin to bypass banking fees and send money to friends and family in different parts of the world. As previously mentioned, a Bitcoin user is assigned an anonymous private key that acts as their security credential. This key is generated and maintained by the user instead of a third-party agency. But what happens if the key isn’t random enough? An attacker could steal the user’s private key, and they will not be able to recover it since the Bitcoin blockchain is not dependent on any centralized third-party institutions. Therefore, it will be very difficult to track the attacker’s behaviors and recover lost funds.
It is safe to say that Bitcoin has caused a lot of buzz. But do the benefits outweigh the risks? Due to the nature of Bitcoin and most other public blockchains, anyone in the world can perform transactions or cryptographic computations — including cybercriminals. That’s why it is crucial for current cryptocurrency users and those considering cryptocurrency investment to do their research and know what vulnerabilities lie within the world of Bitcoin.
Follow these tips to help protect yourself from common threats that leverage cryptocurrency:
With blockchain, cryptocurrency, and any new and emerging technology, make sure you always remain a bit skeptical. Do your homework before you embrace the technology — research your options and make note of any known security issues and what you can do to mitigate known risks.
If a hacker does target you with ransomware demanding Bitcoin payment, it’s best not to pay the ransom. Although you may feel in the moment that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it is best to hold off on making any payments. Furthermore, a recent study found that 80% of businesses that choose to pay a ransom experience a subsequent ransomware attack. While it may feel like your only option in the moment, paying a ransom could show attackers that you’re willing to make the payment, therefore positioning you as an ideal target for yet another attack.
If you are targeted with ransomware, it’s crucial that you always have backup copies of your files, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device and reinstall your files from the backup. Backups protect your data, and you won’t be tempted to reward the hackers by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.
Large organizations often fall prey to ransomware attacks, so take necessary precautions if a company you’ve interacted with becomes compromised from a data leak or a ransomware attack. Immediately change your passwords for all your accounts, ensuring they are strong and unique. You can also employ a password manager to keep track of your credentials and generate secure login keys.
Add an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, to help protect your devices from these cyberthreats and ensure your digital wellness online.
The emergence of Bitcoin has indeed facilitated a wave of cybercrime that was previously difficult to perceive. In this new age of digital payments, blockchain, and cryptocurrencies, make sure that you do your research and stay vigilant when it comes to protecting your online safety. Remember: Bitcoin worth will continue to fluctuate, but your personal security will always remain invaluable.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Do the Benefits of Bitcoin Outweigh the Risks? appeared first on McAfee Blogs.
The COVID-19 pandemic forced many of us to quickly adjust to the new normal — case and point, admitted that they switched to digital activities like online banking, social networking, and online shopping in 2020 out of convenience. Research now shows that consumers’ reliance on this technology is here to stay. PwC found that 44% of global consumers now shop more using their smartphones compared to when COVID-19 began. While having the world at your fingertips is convenient, how does this digital lifestyle change expose users to cyber threats, especially attacks on mobile devices?
It’s no secret that cybercriminals tend to manipulate their attacks based on the current trends set by technology users. As you reflect on how increased connectivity affected your everyday life, it’s important to ask yourself what could be lurking in the shadows while using your mobile devices. With more of us relying on our devices there’s plenty of opportunities for hackers. This begs the question, what does mobile security look like in a post-pandemic world?
In addition to the increased adoption of digital devices, we had to figure out how to live our best lives online – from working from home to distance learning to digitally connecting with loved ones. And according to McAfee’s 2021 Consumer Security Mindset Report, these online activities will remain a key part of consumers’ post-pandemic routines. But more time spent online interacting with various apps and services simultaneously increases your chance of exposure to cybersecurity risks and threats. Unsurprisingly, cybercriminals were quick to take advantage of this increase in connectivity. McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminals exploiting the pandemic through COVID-19 themed phishing campaigns, malicious apps, malware, and more. New mobile malware also increased by 71%, with total malware growing nearly 12% from July 2019 to July 2020. As consumers continue to rely on their mobile devices to complete various tasks, they will also need to adapt their security habits to accommodate for more time spent online.
Here at McAfee, we recognize that the way you and your family live your digital lives has changed. We want to help empower you to protect your online security in your hyper-connected lifestyle. To help provide greater peace of mind while using your mobile devices, follow these tips to help safeguard your security.
When setting up a new device or online account, always change the default credentials to a password or passphrase that is strong and unique. Using different passwords or passphrases for each of your online accounts helps protect the majority of your data if one of your accounts becomes vulnerable. If you are worried about forgetting your passwords, subscribe to a password management tool that will remember them for you.
Remember to physically lock your mobile devices with a security code or using facial recognition as well. This prevents a criminal from unlocking your device and uncovering your personally identifiable information in the event that your phone or laptop is stolen.
Multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by hackers who may have uncovered your credentials.
Hackers tend to lurk in the shadows on public Wi-Fi networks to catch unsuspecting users looking for free internet access on their mobile devices. If you have to conduct transactions on a public Wi-Fi network, use a virtual private network (VPN) like McAfee® Safe Connect to help keep you safe while you’re online.
Be skeptical of text messages claiming to be from companies with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check your account status or contact customer service.
Some cybercriminals send texts from internet services to hide their identities. Combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device by navigating to Settings, clicking on “Spam protection,” and turning on the “Enable spam protection” switch. Learn more about how you can block robotexts and spam messages on your device.
Prepare your mobile devices for any threat coming their way. To do just that, cover these devices with an extra layer of protection via a mobile security solution, such as McAfee Mobile Security.
COVID-19 changed our relationships with our digital devices, but that does not mean we have to compromise our online security for convenience. Incorporating these tips into your everyday life can help ward off mobile cyber threats and stay a step ahead of hackers.
The post The Future of Mobile in a Post-COVID World & How to Stay Secure appeared first on McAfee Blogs.
Equipping and guiding your digitally connected child is one of the toughest challenges you will face as a parent. As your child grows and changes, so too will their online activities. Friend groups, favorite apps, and online interests can shift from one month to the next, which is why parental controls can be a parent’s best friend.
According to a report from Common Sense Media, teens spend an average of seven hours and 22 minutes on their phones a day. Tweens (ages 8 to 12) spend four hours and 44 minutes daily. This is time outside of schoolwork.
That is a lot of time to stroll the streets of cyberspace for entertainment purposes, and it’s only increased since the pandemic.
Striking a balance between screen time and healthy device use is an always-evolving challenge. On the one hand, your child’s device is an essential channel connecting them to their self-identity, peer acceptance, and emotional well-being. On the other hand, that same device is also the door that can bring issues such as cyberbullying, predators, risky behavior, and self-image struggles into your child’s life.
Parental controls are tools that allow parents to set controls on their children’s internet use. Controls include content filters (inappropriate content), usage limits (time controls), and monitoring (tracking activity).
Many of the technology your family already owns or sites your kids visit have basic parental controls (i.e., built-in controls for android and iPhone and social networks such as YouTube). However, another level of parental control comes in software specifically engineered to filter, limit, and track digital activity. These consumer-designed parental controls offer families a higher, more powerful form of protection.
If you are like many parents who land on this blog, you’ve hit a rough patch. You have concerns about your child’s online activity but aren’t sure how to begin restoring balance. Rightly, you want to find the best parental control software and put digital safeguards in place.
Every family dynamic is different, as is every family’s approach to online monitoring. However, most parents can agree that when a negative influence begins to impact the family’s emotional and physical health, exploring new solutions can help get you back on track.
Depending on your child’s age, you may need to consider parental controls if:
1. They don’t respond when you talk to them
If your child is increasingly engrossed in their phone and it’s causing communication issues in your family, you may want to consider software that includes time limits. Connecting with your child during device-free time can improve communication.
2. They’ve started ignoring homework and family responsibilities
There are a lot of reasons grades can plummet, or interests can fade. However, if your child is spending more and more time online, limiting or monitoring what goes on in that time can help restore emotional balance and self-discipline to meet responsibilities.
3. Their browser history shows access to risky content
Innocent online searches can lead to not so innocent results or children may go looking for content simply because they’re curious. Parental controls automatically block age-inappropriate sites and filter websites, apps, and web searches.
4. They won’t give you their device without a fight
If the phone has become the center of your child’s world at the cost of parental respect and family rules, they may be engaged in inappropriate behavior online, connecting with the wrong friends, or struggling with tech balance. With the proper parental controls, a parent can block risky content, view daily activity, and set healthy time limits.
5. They’re losing interest in family outings and other non-digital activities
Poor habits form quietly over time. If your child has dramatically changed their focus in the past three to six months, consider zooming in on why. It may not be technology use, but you may consider an additional layer of protection if it is.
6. They go into another room to respond to a text
While everyone deserves privacy, if constantly sneaking away to communicate with a friend is your child’s new norm, you may consider making some screen time adjustments.
7. They are exhausted
Unbeknownst to parents, kids might be exchanging sleep for screen time. Parental controls can help you nip this unhealthy habit. Setting time limits can help kids experience deeper sleep, better moods, more focus, and more energy.
8. They overshare online
If you browse through your child’s social media and notice their profiles are public instead of private, or if your child tends to overshare personal information, parental controls can help you monitor future activity.
Ideally, we’d all prefer to live in a world where we didn’t need parental controls at all. Unfortunately, that is neither a present nor future reality. So, we recalibrate, keep learning, and keep adding to our parenting skills. As always, we believe the first go-to digital safety tool is investing in consistent open and honest conversation with your child. And the second tool? Yup, reach for the parental controls. While you may hear some hemming and hawing from your kids at first, the peace of mind you gain from having parental controls in place will be worth it.
The post 8 Signs It May Be Time for Parental Controls appeared first on McAfee Blog.
FreshRSS 