<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; CTO</title>
	<atom:link href="http://blogs.mcafee.com/corporate/cto/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 22:07:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Are You Technically Fit to Parent in the Digital Age?</title>
		<link>http://blogs.mcafee.com/cto/are-you-technically-fit-to-parent-in-the-digital-age</link>
		<comments>http://blogs.mcafee.com/cto/are-you-technically-fit-to-parent-in-the-digital-age#comments</comments>
		<pubDate>Mon, 13 May 2013 17:20:05 +0000</pubDate>
		<dc:creator>Mike Fey</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[cybereducation]]></category>
		<category><![CDATA[parenting]]></category>
		<category><![CDATA[TED]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24668</guid>
		<description><![CDATA[Like many of you, I’m a parent. And as a parent, I know there’s nothing more challenging, or more important, than figuring out how to protect our children from danger. While we might wish we could just tell them what they can and can’t do, we know that’s a losing strategy. Instead, we need to <a href="http://blogs.mcafee.com/cto/are-you-technically-fit-to-parent-in-the-digital-age">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Like many of you, I’m a parent. And as a parent, I know there’s nothing more challenging, or more important, than figuring out how to protect our children from danger. While we might wish we could just tell them what they can and can’t do, we know that’s a losing strategy. Instead, we need to figure out how to integrate ourselves into their lives so we can help guide, mentor and enable them for the future. It’s a constant challenge, and one that’s only amplified in the new digital world.</p>
<p>I recently gave a speech at TED@Intel on the challenges of parenting in the Digital Age. I asserted that we live in a world in which parents are digital <i>tourists</i> and our children are digital <i>natives</i>.</p>
<p>We came of age in an era when technology complemented how we worked, played, interacted and related to the world around us. Our children are coming of age in a world where technology goes beyond complementing, to profoundly changing how they live their lives, understand the world, and relate to each other.</p>
<p>Given this digital generation gap, I asked the question: <b><i>Are we truly technically fit to parent in this day and age?</i></b></p>
<p>I related the story of a friend who struggled with whether to regulate or forbid his daughter’s use of Twitter. Just as a tourist might decide not to visit a foreign country because it appeared unsafe, my friend’s reaction was to deny his daughter access to her account.</p>
<p>Natives don’t have that choice. They must develop skills to ensure their safety in a potentially dangerous world. In the same way, we need to figure out how to ensure the safe passage of the digital natives &#8212; our children &#8212; through social media, rather than denying them access altogether.</p>
<p>Our ability to have any real impact on our children’s safety in this digital world will depend on how technically fit we are to parent. And by “technically fit,” I don’t mean “technically savvy.” By immersing ourselves in the digital world, I believe we can equip ourselves with the tools we need to govern and protect our children online.</p>
<p>For more, I invite you to watch the full speech <a title="TED talk" href="http://www.ted.com/pages/intel_michael_fey" target="_blank"><strong>here.</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/are-you-technically-fit-to-parent-in-the-digital-age/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NCCDC 2013 &#8211; Red Team Recap</title>
		<link>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap</link>
		<comments>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap#comments</comments>
		<pubDate>Wed, 08 May 2013 03:34:22 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[labs]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[NCCDC]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Risk and Compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24545</guid>
<description><![CDATA[This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9th NCCDC competition. It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual <a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/nccdc" rel="attachment wp-att-24552"><br />
<img class="size-full wp-image-24552 alignright" alt="nccdc" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/nccdc.gif" width="300" height="133" /></a></p>
<p>This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9<sup>th</sup> <a title="http://www.nationalccdc.org/" href="http://www.nationalccdc.org/" target="_blank">NCCDC competition</a>. It was actually my 2<sup>nd</sup> year on the Red Team and 4<sup>th</sup> year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual sponsor of this event. That being said, I have my own selfish agenda when I attend.</p>
<p>Joining in as part of the Red Team is, by far, one of the most educational experiences I could possibly put myself in. Not only are you tossed into a room w/ folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule, and from the time that the competition starts it’s heated and non-stop.</p>
<p>The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.</p>
<div id="attachment_24547" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_darkcomet_console1" rel="attachment wp-att-24547"><img class="size-medium wp-image-24547" alt="DarkComet Client Console" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_DarkComet_Console1-300x183.png" width="300" height="183" /></a><p class="wp-caption-text">DarkComet Client Console</p></div>
<p><strong>And . . . .. . It worked!</strong></p>
<p>Different individuals on the Red Team had their unique tools and methods to gain and retain access and upset the teams’ activities. As the McAfee guy, I chose to rely on some old, tried and true (and very accessible) RATs. Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.</p>
<div id="attachment_24550" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_remote_view_1" rel="attachment wp-att-24550"><img class="size-medium wp-image-24550" alt="RAT Remote Process View" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_remote_view_1-300x195.png" width="300" height="195" /></a><p class="wp-caption-text">RAT Remote Process View</p></div>
<p>My philosophy was driven by two primary goals. First, I know these things work realllllllllly well. And with these RATs on the box, I can control and own everything. Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions. This is especially intriguing because, as a sponsor, McAfee provided the competition with our software. I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated. I know that McAfee (and just about all other) vendors DID detect these things. Yet I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike, btw).</p>
<p>When the competition was over, I chatted with a few competitors, and mentioned this fact.  I immediately saw the gears start turning.  I could tell they had a real “Ahhhh we should have done that” moment.  Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs.  Those could have been curtailed as well.</p>
<p>Each year, the teams have to set up, maintain, and safeguard an environment for a faux company/entity. This year the teams were tasked with the environment of a Correctional Institute. This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more. From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams. For example, if you kill/mangle/destroy the database for tracking prisoners and personnel, that’s one of the high point items. After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc. Other hot items include public web site defacement and acquisition of PII (personally identifiable information). For added fun, many of us defaced the web sites by posting the company’s PII for all to see.</p>
<div id="attachment_24548" class="wp-caption alignleft" style="width: 727px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_defaced_team_9_1" rel="attachment wp-att-24548"><img class="wp-image-24548" alt="Defaced with PII" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_defaced_team_9_1-1024x608.png" width="717" height="426" /></a><p class="wp-caption-text">Defaced with PII</p></div>
<p>All in all, it was a fantastic experience. I look forward to future activities with this competition.</p>
<p>UTSA shot a documentary this year. I’ll post details on that once it’s released. However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event. It features great interviews and ‘behind the scenes’ Red Team action. I’m not interviewed, but you can see the top of my head in a couple of shots!!</p>
<div id="attachment_24551" class="wp-caption alignleft" style="width: 1034px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jimhead" rel="attachment wp-att-24551"><img class="size-large wp-image-24551" alt="Hak5 Doc - Jim's Head" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/jimhead-1024x632.jpg" width="1024" height="632" /></a><p class="wp-caption-text">Hak5 Doc &#8211; Jim&#8217;s Head</p></div>
<p><a title="Hak5 NCCDC Documentary" href="http://hak5.org/episodes/hak5-1118" target="_blank">2012 Hak5 Documentary</a></p>
<p>Additional Blogs on NCCDC 2013</p>
<ul>
<li>David Cowen - <a href="http://mcaf.ee/wid10" target="_blank">http://mcaf.ee/wid10</a></li>
<li>Raphael Mudge - <a href="http://mcaf.ee/ageor">http://mcaf.ee/ageor</a></li>
<li>Alex Levinson - <a href="http://mcaf.ee/limh1">http://mcaf.ee/limh1</a></li>
</ul>
<p>NCCDC 2013 Red Team Brief - <a href="http://mcaf.ee/uodvk">http://mcaf.ee/uodvk</a></p>
<p><b>Bonus</b>: We recently did our 2<sup>nd</sup> AudioParasitics episode with the great Raphael Mudge. This time we have a full and glorious video demo of Cobalt Strike in action. We actually walk through scenarios and give you details on how some of these Red Team activities actually occur.</p>
<p>AudioParasitics Episode 141 (video) - <a href="http://mcaf.ee/gep69">http://mcaf.ee/gep69</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Internet of Things: the indispensable question of security</title>
		<link>http://blogs.mcafee.com/cto/internet-des-objets-lindispensable-question-de-la-securite</link>
		<comments>http://blogs.mcafee.com/cto/internet-des-objets-lindispensable-question-de-la-securite#comments</comments>
		<pubDate>Tue, 16 Apr 2013 21:02:56 +0000</pubDate>
		<dc:creator>David Grout</dc:creator>
				<category><![CDATA[CTO]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=23981</guid>
<description><![CDATA[Increasingly intelligent devices can now communicate with each other in unprecedented ways. The possibilities offered by this ‘Internet of Things’ are endless, but are we ready for this connected future? We live in a world of sophisticated modern conveniences. Computing, now embedded in every aspect of our daily lives, has made it possible <a href="http://blogs.mcafee.com/cto/internet-des-objets-lindispensable-question-de-la-securite">Read more...</a>]]></description>
<content:encoded><![CDATA[<p><strong>Increasingly intelligent devices can now communicate with each other in unprecedented ways. The possibilities offered by this ‘Internet of Things’ are endless, but are we ready for this connected future?</strong></p>
<p>We live in a world of sophisticated modern conveniences. Computing, now embedded in every aspect of our daily lives, has given us access to all kinds of information wherever and whenever we need it. Increasingly intelligent devices can now communicate with each other in unprecedented ways. <strong>Ericsson predicts that by 2020 there will be 50 billion devices connected to the Internet</strong>. The possibilities offered by this ‘Internet of Things’ are endless. But are we ready for this connected future? Far from being limited to PCs, phones and tablets, other devices (televisions, cars, medical devices, vending machines, etc.) are now becoming capable of communicating.</p>
<p><strong>Smart car, high cost</strong></p>
<p>If we picture a world with 50 billion connected devices in 2020 (compared with about 1 billion a year ago), the concept of the connected car no longer surprises. <strong>Nevada has just launched a program to define the rules that self-driving cars must follow</strong>. Imagine, for example, one day taking a taxi with no driver, just a computer behind the wheel. But the era of the connected car is also the era of threats spreading to these new targets.</p>
<p><strong>Caution: malware ahead</strong></p>
<p>The highway code will always be there to tell us when to turn left, stop or yield. Unfortunately, there are no signs to guide users as they manoeuvre along the virtual, connected highway. Wireless devices, such as web-controlled vehicle immobilisation systems that can remotely disable a car, could also be misused to disable the vehicles of unsuspecting owners. They will not know what is happening until the malware strikes. <strong>In Texas, more than 100 vehicles were recorded as having been disabled through a remote disabling system</strong>. The system had been installed by the car dealership, but was maliciously manipulated by a disgruntled former employee to remotely disable the cars and cause a commotion by setting off their horns.</p>
<p><strong>Hacking hurts</strong></p>
<p>It is not only cars that can cause security problems. Imagine if something you depend on to stay healthy were hacked by ill-intentioned people. The threat is very real. As more and more digital technology is introduced into vehicles, transport systems and medical equipment, the threat of malware attacks grows. <strong>In 2008, academic researchers had already demonstrated an attack that allowed them to intercept medical information from implantable cardiac devices and pacemakers, going as far as switching them off or causing potentially lethal electric shocks</strong>.</p>
<p><strong>Virtual and physical</strong></p>
<p>As our devices hold more and more of our personal data and preferences, the opportunity for hackers to use this information for malicious purposes is very tempting. <strong>Not only could our physical safety be compromised, but our virtual identities will be as well</strong>. And that is an enormous risk when we know that the average time needed to repair the damage caused by identity theft is estimated at 330 hours.</p>
<p><strong>Secure innovation</strong></p>
<p>Because we are spending more and more of our lives on the Internet, it is not surprising that malicious actors have moved their attacks online. The Internet is a goldmine of money and information that has proved irresistible to cyber-crooks. <strong>We must get better at personal protection if we want to slow down, or even stem, the success of cybercriminals</strong>. We live in a modern world of incredible comfort, but as technology outstrips our wildest dreams, manufacturers and consumers alike must be aware of the consequences of linking our identities to one another, in order to try to preserve our privacy and our personal safety.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/internet-des-objets-lindispensable-question-de-la-securite/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Fundamentals of Security</title>
		<link>http://blogs.mcafee.com/corporate/the-new-fundamentals-of-security</link>
		<comments>http://blogs.mcafee.com/corporate/the-new-fundamentals-of-security#comments</comments>
		<pubDate>Thu, 28 Feb 2013 01:14:54 +0000</pubDate>
		<dc:creator>Mike Fey</dc:creator>
				<category><![CDATA[Corporate]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[RSA]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=22512</guid>
		<description><![CDATA[My role at McAfee takes me around the globe to speak with customers and partners, assess different security strategies, and survey current and emerging threats facing the different regions and industries. To those ends, my team and I recently conducted an informal poll of security industry practitioners and found that while there was a positive <a href="http://blogs.mcafee.com/corporate/the-new-fundamentals-of-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>My role at McAfee takes me around the globe to speak with customers and partners, assess different security strategies, and survey current and emerging threats facing the different regions and industries. To those ends, my team and I recently conducted an informal poll of security industry practitioners and found that while there was a positive consensus around the current state of security infrastructure, respondents unanimously agreed that most organizations are not fully prepared for future cyber-attacks.</p>
<p>As I contemplate the emerging threat landscape, I can’t avoid reaching the conclusion that the current model of playing catch-up and clean-up to attacks has us on a trajectory for industry failure. But failure doesn’t have to be our ultimate destination. We can prepare for whatever is over the horizon by enhancing our security architectures to prioritize our most important assets and learn from and react to the attacks, as they happen.</p>
<p>During my keynote at RSA, “The New Fundamentals of Security,” I went into detail on how the security industry must apply a new set of approaches to protect the always-on, always-connected enterprise of the present and future. A replay of the keynote can be found <a href="http://media.rsaconference.com/rsaconference/2013/us/webcasts/keynotes/webcast_player.html?cast=2-4&amp;654321">here.</a></p>
<p>Here’s a quick recap of these new fundamentals:</p>
<p><b>The 3 R’s: Riches, Ruin &amp; Regulation</b></p>
<p>Organizations need to rethink the way they engage in the strategic planning process for security. A simple exercise called “The 3 R’s: Riches, Ruin and Regulation” helps the security team engage with executives to identify where a thief would attempt to steal the company’s riches; what information would ruin the company if it were leaked; and which regulatory frameworks the business must navigate to remain in compliance. Based on the results of this exercise, the security team can develop a holistic security strategy based on priorities central to the business.</p>
<p><b>Evolution of an Orchestrated Defense </b></p>
<p>As we look to the future, it is clear that our defenses must evolve and adapt at a more rapid pace than that of our adversary’s threats. Unfortunately, many of today’s solutions are siloed and thus lack the ability to share threat intelligence with the rest of the security infrastructure. This inability to learn, share and apply information between silos undermines the enterprise’s ability to evolve and adapt. We need to build orchestrated defenses, composed of solutions that share what they have learned from each attack to better fend off and ultimately lock the attacker out of the organization.</p>
<p><b>Interactive vs. Historical Approaches</b></p>
<p>The traditional approach to security has always been based on historical information. To be more effective in countering threats, companies need to adapt to a real-time, as-it-happens threat environment with an informed, interactive security posture. While most security practitioners have the historical approach firmly engrained in their brains, the always-on, always-connected paradigm demands a mental shift to where our technology is already headed: the interactive.</p>
<p>Interactive security will bring a wealth of timely information right to our fingertips, allow us to act faster, and fundamentally change how we manage risk.</p>
<p>The <b>3 R’s</b>, the <b>orchestrated defense</b> and the <b>interactive approach</b> are the new fundamentals of security for the always-on, always-connected age. They are absolutely imperative to mitigating the threats facing us moving forward. If we take a detour off our current trajectory and make real change in their direction, we will be able to set ourselves on the right course to defeating these cyber threats.</p>
<p>This post was adapted from a recent article in SC Magazine. For the full article, click <a href="http://www.scmagazine.com/the-new-fundamentals-of-security/article/281991/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/corporate/the-new-fundamentals-of-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dear Customer &#8211; Turn on the protection features you bought please?</title>
		<link>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please</link>
		<comments>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please#comments</comments>
		<pubDate>Fri, 01 Feb 2013 20:28:50 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[Corporate]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Security Perspectives]]></category>
		<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[NY Times]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21776</guid>
<description><![CDATA[The recent press activity around the New York Times Cyberattack, and the response from their vendor are causing quite a stir in the malware protection community – so much in fact that some journalists have gone as far as claiming that “antivirus protection alone barely represents a speed bump to determined hackers” Andy Greenberg, Forbes Surprisingly, <a href="http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The recent press activity around the <a title="NYTimes Cyberattack" href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?ref=technology&amp;_r=0" target="_blank">New York Times Cyberattack</a>, and the <a title="Response" href="http://www.marketwire.com/press-release/symantec-statement-regarding-new-york-times-cyber-attack-nasdaq-symc-1751586.htm" target="_blank">response </a>from their vendor are causing quite a stir in the malware protection community – so much in fact that some journalists have gone as far as claiming that</p>
<blockquote><p> “antivirus protection alone barely represents a speed bump to determined hackers”</p></blockquote>
<p style="padding-left: 60px;"><a href="http://www.forbes.com/sites/andygreenberg/2013/01/31/symantec-gets-a-black-eye-in-chinese-hack-of-new-york-times/" target="_blank">Andy Greenberg, Forbes</a></p>
<p><strong><em>Surprisingly, I actually wholeheartedly agree.</em></strong></p>
<p>“Antivirus” as Andy calls it, or blacklisting as it’s commonly known in malware protection circles is a pretty simple technique – and fundamentally flawed unfortunately. I’ll break it down to show you why.</p>
<ol>
<li>Someone gets an infected email, or visits a compromised web site.</li>
<li>The malware is new, and thus not identified by their blacklisting technology, so it installs and they get infected.</li>
<li>Somehow, some time later, this comes to the attention of their blacklisting software vendor.</li>
<li>The infection gets broken down and analyzed – a unique “fingerprint” or “signature” is created.</li>
<li>This signature gets distributed out to all the other customers of the blacklisting vendor, and also the blacklisting community.</li>
<li>Now, everyone else is protected from this particular threat.</li>
</ol>
<p>Do you see the problems? Firstly of course, it requires a sacrificial sheep – yes, no blacklisting software will detect things it does not know about, so all you have to do to be a successful hacker, is <strong><em>create something new</em></strong>.</p>
<p>Secondly, even when your malware gets detected, there’s a significant delay before the world catches on – much like a new strain of Flu, it can affect thousands of people before anyone realizes, and then it can take days for an appropriate remedy to be put in place. Blacklisting is the same – there’s a lead time between companies like McAfee getting a sample, and us distributing the detection and cure back to our customers. It can take days after the first infection using this old method.</p>
<p>Thirdly, the most damning problem is that your blacklisting software is <strong><em>always on the defense</em></strong>; it’s always <strong><em>reacting</em></strong> to things that happened in the past. Modern programming techniques mean that creating dynamic, or “<a title="Polymorphic Code" href="http://en.wikipedia.org/wiki/Polymorphic_code" target="_blank">Polymorphic</a>” code is trivial, so everyone who gets infected might be infected by a different version of the malware – can you imagine what trouble that causes a blacklisting system? Not only does everyone get what seems to be a new piece of malware, but even when you&#8217;ve analyzed it, there’s little point telling the rest of the world about it, as each malware sample will probably only be seen once.</p>
<p>Maybe that explains why there’s a differing opinion on how much malware exists – anything between 70 million and 150 million examples depending on who you ask.</p>
<p>Blacklisting is valuable as it catches the common, repeat offender malware. The stuff that’s been circulating around for months, if not years, the old examples which keep getting recycled into the field – but as a mechanism to protect you from novel, bleeding edge threats? Not a chance.</p>
<p>So with that said I expect you’re waiting for me to say that there’s no point renewing your subscriptions and you might as well give in now? Thankfully not – nothing could be further from the truth.</p>
<p>Going back to the vendors press release, there’s a key paragraph I want to point out:</p>
<blockquote><p>Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.&#8221;</p></blockquote>
<p>There you have all my advice summed up. Blacklisting, or signature based detection is not enough – and luckily, It&#8217;s only <strong>one</strong> of the many techniques leading edge anti-malware products use to protect you.</p>
<p>One of the alternates, which many vendors use (though I am proud to say McAfee lead the market with) is cloud based reputation detection. We call it “<a title="McAfee GTI" href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx" target="_blank">File Reputation</a>” though you may have heard it called Artemis which was our code name for the project – This is a technique where, rather than basing decisions on whether the file you downloaded in an email, or got from the web, is “known to be bad” by virtue of it being on a blacklist, we look at attributes of the file, where it came from, whether it’s signed etc, in fact around 80 different things to work out how “suspicious” we think it is, and based on that our products reach out to the McAfee cloud and start asking questions. Very quickly, in fact pretty much instantly as far as you could tell, we can determine the likelihood of anything being malicious or not, whether we&#8217;ve seen it before or not.</p>
<p>Better still, that “reputation” can be bolstered by looking at who else is asking questions about the same file. Malware distribution often follows predictable patterns: distribution from known-bad domains, geographic peculiarities and so on. All this information can be combined to judge whether the latest financial-results spreadsheet that “appears” to have arrived in an email from your boss is genuine or not.</p>
<p><strong><em>This reputation data, or &#8220;<a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx" target="_blank">Global Threat Intelligence</a>&#8221; as we call it, is absolutely critical and baked into pretty much every product we offer. Without GTI, you&#8217;re really not protected from novel threats. Not by half. </em></strong></p>
<p>My colleague Rees Johnson <a title="Rees Johnson on GTI" href="http://www.youtube.com/watch?v=Izh6VXkunwY" target="_blank">posted a video</a> about McAfee’s GTI reputation engine a while ago. He gave a great example of one of our larger customers, who reported 12,000 potential virus samples to McAfee in 2011 – 7200 of which were not detected by the McAfee blacklisting engine.</p>
<p>We already had our cloud reputation engine in place, but that customer had not turned it on – much like it seems the NY Times were not using cloud based reputation technology from their vendor (supposition on my part of course).</p>
<p>As an academic exercise we turned our reputation system on, set it to the least aggressive level, and re-ran the samples.</p>
<p>The reputation engine, even at this most basic level, immediately detected 50% more malware. Turning the reputation system up to its highest level, it caught it all: 100% of the samples our customer had were correctly identified.</p>
<p>On average the reputation engines offer protection around 127 hours in advance of the blacklists, or, looking at it the other way around, a window of 5+ days in which you can get infected without it.</p>
<p>If our customer had had McAfee File Reputation enabled, not one of those 12,000 samples would have got through to infect their machines; they would have been 100% protected. Generally, enabling the McAfee cloud-based reputation services improves the effectiveness of our products by an additional 10-30% when it comes to novel threats. Even if every advanced feature of the product is enabled, there&#8217;s ALWAYS more protection.</p>
<p>You can imagine our customer was pretty surprised to have such power on hand, and was pretty fast to click the few buttons to enable it on all their 100,000+ machines.</p>
<p>“What about false positives?” Well, I must confess there’s always the possibility. We average 0.001%, or 1 in 100,000 pieces of software misidentified. Can you live with a 1:100,000 chance of your malware protection product blocking something new? I know I can.</p>
<p>Let’s re-run the scenario I started with.</p>
<p style="padding-left: 30px;">1. Someone gets an infected email, or visits a compromised web site.</p>
<p style="padding-left: 30px;">2. The malware is new, and thus not identified by their blacklisting technology, so it gets checked out by the cloud reputation system.</p>
<p style="padding-left: 30px;">3. It’s bad, so it gets blocked.</p>
<p>Game over, everyone happy, everyone safe.</p>
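<p>To make those three steps concrete, here is a small Python model of that decision pipeline. It is an added example written for this post, not McAfee code and not how GTI is actually implemented: the blacklist, the domain reputation table, the prevalence data, the point weights and the sensitivity thresholds are all constructed stand-ins. What it shows is the shape of the decision: an exact hash lookup first, then a score built from where the file came from, whether it is signed and how many other endpoints have seen it, compared against a threshold that moves with the sensitivity level.</p>

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class FileEvent:
    """A file that just arrived on an endpoint (every field is constructed for the example)."""
    content: bytes        # the file bytes themselves
    source_domain: str    # where it was downloaded from, or the sender's mail domain
    signed: bool          # carries a valid code signature
    trusted_signer: bool  # ...from a publisher on our trusted list

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature-based layer: hashes of malware that has already been analysed (constructed).
BLACKLIST = {_h(b"OLD-RECYCLED-MALWARE-V1")}

# Stand-in for the cloud reputation service (constructed). A real service knows far
# more, but the shape is the same: facts about sources and facts about hashes.
DOMAIN_REPUTATION = {          # 0 = known bad ... 100 = known good; unknown domain -> 50
    "updates.example-vendor.test": 90,
    "cdn.example-bad.test": 5,
}
HASH_PREVALENCE = {            # sha256 -> (endpoints that asked about it, hours since first query)
    _h(b"VENDOR-UPDATE-V7.2"): (12000, 300),
}

# Sensitivity level -> minimum suspicion score that triggers a block (constructed values).
THRESHOLDS = {"low": 90, "medium": 70, "high": 50}


def suspicion_score(ev: FileEvent,
                    domain_rep=DOMAIN_REPUTATION,
                    prevalence=HASH_PREVALENCE) -> int:
    """Combine file attributes with what the 'cloud' knows into a 0..100 score."""
    score = 0
    rep = domain_rep.get(ev.source_domain, 50)       # unknown source: neutral
    score += (100 - rep) // 2                         # up to 50 points for a bad source
    if not ev.signed:
        score += 25                                   # unsigned code is a strong signal
    elif not ev.trusted_signer:
        score += 10                                   # signed, but by whom?
    seen_by, age_hours = prevalence.get(ev.sha256, (0, 0))
    if seen_by < 5:
        score += 20                                   # almost nobody else has this file
    if age_hours < 24:
        score += 10                                   # and it only just appeared
    return min(score, 100)


def classify(ev: FileEvent, level: str,
             blacklist=BLACKLIST,
             domain_rep=DOMAIN_REPUTATION,
             prevalence=HASH_PREVALENCE) -> tuple:
    """Blacklist first (cheap, exact); fall through to reputation for anything novel."""
    if ev.sha256 in blacklist:
        return Verdict.BLOCK, "blacklist"
    score = suspicion_score(ev, domain_rep, prevalence)
    if score >= THRESHOLDS[level]:
        return Verdict.BLOCK, f"reputation score {score}"
    return Verdict.ALLOW, f"reputation score {score}"


# Constructed samples: an old recycled sample, a brand-new variant, a freshly built
# in-house tool nobody else has seen, and a widely deployed signed vendor update.
OLD_MALWARE = FileEvent(b"OLD-RECYCLED-MALWARE-V1", "cdn.example-bad.test", False, False)
NOVEL_MALWARE = FileEvent(b"NOVEL-VARIANT-0x42", "mail.example-unknown.test", False, False)
INTERNAL_TOOL = FileEvent(b"IN-HOUSE-TOOL-BUILD-17", "build.corp.example", True, True)
VENDOR_UPDATE = FileEvent(b"VENDOR-UPDATE-V7.2", "updates.example-vendor.test", True, True)

if __name__ == "__main__":
    samples = [("old malware", OLD_MALWARE), ("novel malware", NOVEL_MALWARE),
               ("internal tool", INTERNAL_TOOL), ("vendor update", VENDOR_UPDATE)]
    for name, ev in samples:
        for level in ("low", "medium", "high"):
            verdict, why = classify(ev, level)
            print(f"{name:14s} @ {level:6s}: {verdict.value:5s} ({why})")
```

<p>Run it and the trade-off from the false-positive paragraph falls out of the numbers: the novel sample scores 80, so it slips past the least aggressive level and is caught at the other two, while the freshly built, properly signed in-house tool scores 55 and is blocked only at the highest level. That is the knob you are turning when you raise the sensitivity.</p>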
<p>And after all, “<a title="Safe Never Sleeps" href="http://www.mcafee.com/careers/safe-never-sleeps-video.html" target="_blank">Safe Never Sleeps</a>” is our motto.</p>
<p>I want to leave it here, as I want to compare apples with apples, but blacklisting and cloud reputation are not the end of the story. They are both valuable techniques for protecting against threats, but still not (in my mind) the most sophisticated, nor the ones we will be using for years to come.</p>
<p>Alongside simplistic blacklisting, current products have technologies that are more behavioral. At McAfee we call it &#8220;<a title="McAfee HIPS" href="http://www.mcafee.com/us/products/host-ips-for-desktop.aspx" target="_blank">Host Intrusion Prevention</a>&#8221;, or HIPS for short. It couples a dynamic firewall (again with global reputation knowledge), vulnerability shielding that makes sure malware can&#8217;t take advantage of known software flaws, and behavioral protection against commonly used attack strategies. Turning on HIPS stops malware from making changes to your systems, so again it&#8217;s absolutely essential in preventing the novel attacks that blacklisting is unaware of. Unfortunately, like reputation, lots of people buy this feature but never turn it on, so they miss out on the advanced protection it offers.</p>
<p>Finally, I am tremendously excited by advances in whitelisting techniques. Instead of trying to know about all the bad stuff and making judgment calls on unknown things, we turn that on its head and strive to <strong><em>know about the good stuff</em></strong>, treating everything else as bad or suspicious. You can imagine how disruptive that will be to cyber criminals, who survive only because they can create new malware faster than we can identify it: all of a sudden anything new is closely watched, blocked, constrained.</p>
<p>Polymorphic malware would no longer be effective, “Advanced Persistent Threats” disappear, and we can ignore 30 years of cumulative malware because it’s all ineffective overnight. McAfee calls this “<a title="McAfee Application Control" href="http://www.mcafee.com/us/products/application-control.aspx" target="_blank">Application Control</a>”, and I fully believe it’s where, as an industry, we should be moving.</p>
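<p>As an added illustration (example code written for this post, not McAfee Application Control or any other product), here is what a hash-based whitelist looks like next to a blacklist, in Python. The golden image, the two malware variants and the vendor update are all constructed; the point is that the allowlist never needs to know the second variant exists.</p>

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ApplicationControl:
    """Default-deny execution policy: only binaries whose hash was learned from a
    known-good image (or explicitly approved since) may run."""

    def __init__(self, mode: str = "observe"):
        if mode not in ("observe", "enforce"):
            raise ValueError(mode)
        self.mode = mode      # observe: log unknowns but let them run; enforce: block them
        self.allowed = {}     # sha256 -> path of the approved binary
        self.audit = []       # (path, sha256, decision) for every execution attempt

    def learn(self, golden_image: dict) -> None:
        """Solidify: hash every executable on a clean build and allow exactly those."""
        for path, content in golden_image.items():
            self.allowed[sha256(content)] = path

    def approve(self, path: str, content: bytes) -> None:
        """Change control: a new or updated binary must be approved before it runs."""
        self.allowed[sha256(content)] = path

    def check(self, path: str, content: bytes) -> str:
        """Decide an execution attempt ('allow', 'allow-unknown' or 'block') and record it."""
        digest = sha256(content)
        if digest in self.allowed:
            decision = "allow"
        elif self.mode == "observe":
            decision = "allow-unknown"   # would have been blocked in enforce mode
        else:
            decision = "block"
        self.audit.append((path, digest, decision))
        return decision


# Constructed golden image: the executables a clean workstation build contains.
GOLDEN_IMAGE = {
    "/usr/bin/editor": b"ELF\x02editor-build-1.0",
    "/opt/corp/payroll": b"ELF\x02payroll-3.4",
}
# Constructed malware: one family, two byte-different variants (what a packer produces).
MALWARE_V1 = b"MZ\x90dropper" + bytes(range(32))
MALWARE_V2 = b"MZ\x90dropper" + bytes(range(31, -1, -1))
# A signature-based blacklist only knows the variant that has already been analysed.
BLACKLIST = {sha256(MALWARE_V1)}
# A legitimate vendor update that nobody has approved yet (constructed).
EDITOR_V2 = b"ELF\x02editor-build-2.0"


def blacklist_blocks(content: bytes) -> bool:
    return sha256(content) in BLACKLIST


def demo() -> dict:
    """Run both models over the same files; returns {file: (blacklist, allowlist)} decisions."""
    ac = ApplicationControl(mode="enforce")
    ac.learn(GOLDEN_IMAGE)
    results = {}
    for name, content in [("payroll", GOLDEN_IMAGE["/opt/corp/payroll"]),
                          ("malware-v1", MALWARE_V1), ("malware-v2", MALWARE_V2),
                          ("editor-v2", EDITOR_V2)]:
        results[name] = ("block" if blacklist_blocks(content) else "allow",
                         ac.check(f"/tmp/{name}", content))
    ac.approve("/usr/bin/editor", EDITOR_V2)      # change control catches up with the update
    results["editor-v2-approved"] = ("allow", ac.check("/usr/bin/editor", EDITOR_V2))
    return results


if __name__ == "__main__":
    for name, (bl, wl) in demo().items():
        print(f"{name:20s} blacklist={bl:5s} allowlist={wl}")
```

<p>The demo also shows the price of default-deny: the second malware variant is blocked without anyone having analysed it, but so is the legitimate editor update until someone approves it, so application control only works where change control is real. The observe mode is how you find out, before enforcing, what an estate actually runs.</p>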
<p>But in the meantime, at least turn on the advanced features of the products you bought and get the best protection you can.</p>
<p>Simon.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous Releases &#8216;Warhead&#8217; via #OpLastResort</title>
		<link>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort</link>
		<comments>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort#comments</comments>
		<pubDate>Sun, 27 Jan 2013 21:34:21 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Barrett Brown]]></category>
		<category><![CDATA[Last Resort]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[OpLastResort]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Swartz]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[USSC]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21543</guid>
		<description><![CDATA[This post was updated on January 27. See end of file for update.  There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort). The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if <a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><strong>This post was updated on January 27. See end of file for update. </strong></p>
<p>There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort).</p>
<p style="text-align: left;"><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/header" rel="attachment wp-att-21545"><img class="wp-image-21545 aligncenter" style="margin-top: 2px; margin-bottom: 2px;" alt="header" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/header-300x166.png" width="270" height="149" /></a></p>
<p>The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if you don&#8217;t catch it, you will end up wiping your disk).</p>
<p><strong>Background</strong></p>
<p>In typical fashion with these events, some data suggests that the whole thing (or at least the leak) is a hoax. Regardless of what data resides in the leaked files, it is apparent that someone is having fun, via the embedded scripts in the USSC site. (See the Update section, below, for details on the Konami scripts.)</p>
<p>Anonymous has infiltrated specific US government systems in response to the &#8220;killing&#8221; of Aaron Swartz, who committed suicide on January 11. According to various posts and other communication channels, the operation is also tied to Barrett Brown and the law-enforcement actions against him. Ussc.gov (the U.S. Sentencing Commission) and others have reportedly been compromised, and various caches of sensitive data have been exfiltrated. The first round is a .rar file (composed of multiple raw downloads). Details on how the compromise or breach took place are not clear or reliable. It is likely (though unconfirmed) that part of the initial intrusion was via SQL injection. Based on phrases in the official videos, RATs or other temporary &#8220;leakware&#8221; may have existed on compromised systems and have subsequently been removed by the attackers. Reports suggest that the contents of this leak pertain to various U.S. Supreme Court Justices.</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/list_files" rel="attachment wp-att-21544"><img class="alignnone size-medium wp-image-21544" alt="list_files" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/list_files-300x165.png" width="300" height="165" /></a></p>
<p>The file set includes an official promo video for the operation, as well as a statement:</p>
<pre>"<em>Still there is nothing quite as educational as a well-conducted demonstration...</em></pre>
<pre><em>Through this websites and various others that will remain unnamed, we have been 
conducting our own infiltration. We did not restrict ourselves like the FBI to one 
high-profile compromise. We are far more ambitious, and far more capable. Over the last 
two weeks we have wound down this operation, removed all traces of leakware from the 
compromised systems, and taken down the injection apparatus used to detect and exploit 
vulnerable machines.</em></pre>
<pre><em>We have enough fissile material for multiple warheads. Today we are launching the 
first of these. Operation Last Resort has begun... Warhead-US-DOJ-LEA-2013.AEE256 
is primed and armed. It has been quietly distributed to numerous mirrors 
over the last few days and is available for download from this website now. 
We encourage all Anonymous to syndicate this file as widely as possible.</em></pre>
<pre><em>The contents are various and we won't ruin the speculation by revealing them. Suffice 
it to say, everyone has secrets, and some things are not meant to be public. At a 
regular interval commencing today, we will choose one media outlet and supply them 
with heavily redacted partial contents of the file. Any media outlets wishing to be 
eligible for this program must include within their reporting a means of secure 
communications.</em></pre>
<pre><em>We have not taken this action lightly, nor without consideration of the possible 
consequences. Should we be forced to reveal the trigger-key to this warhead, we 
understand that there will be collateral damage. We appreciate that many who work 
within the justice system believe in those principles that it has lost, corrupted, 
or abandoned, that they do not bear the full responsibility for the damages caused 
by their occupation.</em></pre>
<pre><em>It is our hope that this warhead need never be detonated."</em></pre>
<p>This release is the referred-to &#8220;warhead&#8221;&#8211;specifically &#8220;Warhead-US-DOJ-LEA-2013.AEE256.&#8221; The &#8220;trigger key&#8221; referred to in the video is the decryption key for the content. Anonymous also indicated that they will, at some interval, release heavily redacted previews of the decrypted content. As of this writing, these have not emerged. We have, however, seen some fake decryption keys making the rounds.</p>
<p>Now, back to the &#8220;humor&#8221; that I alluded to earlier in this post. Some of the releases around this operation contain the following handy instructions:</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/cat_rm" rel="attachment wp-att-21547"><img class="alignnone size-full wp-image-21547" style="border: 2px solid black;" alt="cat_rm" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/cat_rm.png" width="946" height="38" /></a></p>
<p><span style="color: #ff0000;"><strong>If you did not catch it, at the end that&#8217;s an &#8220;rm&#8221; with force and recursion starting at the root. <img src='http://blogs.mcafee.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </strong></span></p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/rm_man" rel="attachment wp-att-21548"><img class="alignnone  wp-image-21548" style="border: 2px solid black;" alt="rm_man" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/rm_man.png" /></a></p>
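<p>The lesson for anyone handed a recipe like that is to read the whole line before running it. The following Python script is an added example (not part of the original post, and not from any Anonymous release) that does the reading for you: it splits a pasted shell recipe into its simple commands and flags any rm that is recursive against the filesystem root, including the combined-flag spellings, a leading sudo, and /*, which GNU rm&#8217;s default preserve-root protection does not stop. The sample recipe is constructed for the example.</p>

```python
import os
import re
import shlex

# Shell separators that start a new simple command. Order matters: "&&" before "&", "||" before "|".
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\||&|\n)\s*")
# Prefixes that run another command and so must be skipped to find the real argv[0].
_WRAPPERS = {"sudo", "doas", "env", "nohup", "nice", "time", "exec"}


def split_commands(script: str) -> list:
    """Break a pasted recipe into simple commands, each as an argv list."""
    commands = []
    for piece in _SEPARATORS.split(script):
        piece = piece.strip()
        if not piece:
            continue
        try:
            argv = shlex.split(piece, comments=True)
        except ValueError:          # unbalanced quotes: keep the raw words so they are still reviewed
            argv = piece.split()
        if argv:
            commands.append(argv)
    return commands


def analyse_rm(argv: list):
    """Return a reason string if this argv is an rm that would wipe the filesystem root, else None."""
    while argv and argv[0] in _WRAPPERS:
        argv = argv[1:]
    if not argv or os.path.basename(argv[0]) != "rm":
        return None
    recursive = force = no_preserve_root = False
    targets = []
    args = argv[1:]
    for i, tok in enumerate(args):
        if tok == "--":                              # everything after "--" is a path
            targets.extend(args[i + 1:])
            break
        if tok.startswith("--"):
            recursive |= tok == "--recursive"
            force |= tok == "--force"
            no_preserve_root |= tok == "--no-preserve-root"
        elif tok.startswith("-") and len(tok) > 1:
            recursive |= any(c in tok for c in "rR")  # combined short flags: -rf, -fr, -Rf ...
            force |= "f" in tok
        else:
            targets.append(tok)
    # "/" or "/*": the glob form is expanded by the shell, so preserve-root never sees "/".
    root_targets = [t for t in targets if re.fullmatch(r"/+\*?", t)]
    if recursive and root_targets:
        flags = "-r" + ("f" if force else "") + (" --no-preserve-root" if no_preserve_root else "")
        return f"recursive rm {flags} of {', '.join(root_targets)} (wipes the whole filesystem)"
    if no_preserve_root:
        return "rm invoked with --no-preserve-root"
    return None


def find_destructive_commands(script: str) -> list:
    """(command text, reason) for every simple command in the recipe that would destroy the system."""
    findings = []
    for argv in split_commands(script):
        reason = analyse_rm(argv)
        if reason:
            findings.append((" ".join(argv), reason))
    return findings


# Constructed recipe in the style of the "helpful instructions" shown above: a long,
# plausible pipeline with the destructive command tucked onto the end of the line.
RECIPE = """
# decrypt and unpack the archive (constructed example)
cat warhead.bin | openssl enc -d -aes-256-cbc -k "$KEY" > warhead.tar; tar xf warhead.tar && rm -rf /
rm -rf ./build          # harmless: relative path, not flagged
sudo rm -fr /*          # flagged: the shell expands /* so preserve-root cannot help
"""

if __name__ == "__main__":
    for cmd, why in find_destructive_commands(RECIPE):
        print(f"DANGER: {cmd!r}: {why}")
```

<p>It is a review aid, not a sandbox: it only understands rm, so a recipe that reaches the same result through dd, mkfs or a script it downloads still needs a human to read it.</p>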
<p>What else does this operation entail? It is said that a Twitter-Storm campaign will commence on January 25.</p>
<pre><em>"BEGIN THE MESSAGE OF ATTACK on January 25th at 11:59 PM EST"</em></pre>
<p>Full details on this part of the operation are in some of the group&#8217;s pads. This will be an interesting operation to pay attention to during the next few days.</p>
<p>What will the next warheads be? When will we start to see decrypted content from any of the warheads circulating? How will various governments react?</p>
<p>Stay tuned.</p>
<p>&nbsp;</p>
<p><strong>Update, January 27</strong></p>
<p>The USSC.gov site is still compromised. A special surprise (via embedded JavaScript) awaits those who recall some of the old Nintendo/Konami codes. Through a series of keystrokes, a script will let you fly various objects around the page, view fireworks, and more.</p>
<p>&nbsp;</p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/konami_script_src.png" /></p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/nintendo_script.png" /></p>
<p>Upon execution, the script provides some on-screen controls, and you can even control the various objects (including Nyan Cat) via the arrow keys.</p>
<p><iframe src="http://www.youtube.com/embed/6fYotjFVsq8" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 3 R’s: Riches, Ruins &amp; Regulations</title>
		<link>http://blogs.mcafee.com/cto/the-3-rs-riches-ruins-regulations</link>
		<comments>http://blogs.mcafee.com/cto/the-3-rs-riches-ruins-regulations#comments</comments>
		<pubDate>Fri, 11 Jan 2013 19:17:58 +0000</pubDate>
		<dc:creator>Mike Fey</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[3Rs]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[riches]]></category>
		<category><![CDATA[ruins]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21211</guid>
		<description><![CDATA[We previously wrote about what it means to be a security-obligated executive – how to identify threat warning signs and prep against cyber-attacks. Historically either the C-suite and the security teams haven’t spoken at all, or security teams haven’t spoken to execs in a simple enough language to be understood. At McAfee, we often educate <a href="http://blogs.mcafee.com/cto/the-3-rs-riches-ruins-regulations">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>We previously wrote about what it means to be a security-obligated executive – how to identify threat warning signs and prep against cyber-attacks. Historically either the C-suite and the security teams haven’t spoken at all, or security teams haven’t spoken to execs in a simple enough language to be understood. At McAfee, we often educate our customers on the ways they can impact the security of an organization by simply opening the lines of communication.</p>
<p>There are major disconnects we often see when auditing the security of an organization. A typical security team will assess the ability to defend against generic threats or attacks and will develop a plan to fill in those holes. More often than not, the resulting roll-out plan is missing a key ingredient: an explicit understanding of the company’s assets that need to be protected.</p>
<p>To ensure that the security strategy is aligned with the business objectives, we created an exercise to uncover business risks in a non-technical way, so that the business risk and the security plan dovetail seamlessly. What we call the <i>3 R’s: Riches, Ruins and Regulations</i> helps executives and security professionals speak a common language. The exercise is designed to uncover critical and valuable assets that are core to the line of business. Oftentimes only the line-of-business employees are aware of the presence and relevance of these assets, and they sit outside the purview of the security team. Because of this disconnect, the security controls deployed on these systems are often inappropriate in relation to the risk those assets pose to the organization.</p>
<p>How it works is simple: the first step is to identify the 3 R’s; then, based on the results, the security team uses the analysis to keep the company secure:</p>
<p>Riches</p>
<ul>
<li>What assets can be targeted that would be valuable to a thief?</li>
<li>What are the ways assets can be stolen?</li>
<li>Who would be most likely to steal this asset?</li>
<li>How would a thief go about stealing this asset?</li>
</ul>
<p>Ruins</p>
<ul>
<li>What could you target specifically to ruin our reputation?</li>
<li>What direct costs or liabilities would our company incur if the asset is stolen?</li>
<li>What indirect costs, such as harm to reputation, would our company incur if the asset is stolen?</li>
</ul>
<p>Regulations</p>
<ul>
<li>What compliance rules does our company abide by?</li>
<li>Who is responsible for compliance?</li>
<li>Who audits our company’s compliance with these different regulations?</li>
<li>Do we have any contracts with penalties for non-compliance?</li>
</ul>
<p>The primary purpose of the exercise is to uncover assets of significant value if stolen, potential attacks that might cause great damage, and finally the costs associated with failure to meet regulatory requirements. Identifying the 3 R’s will help the security-obligated executives have a clear vision of security as it relates to their company, which is the first step against cyber-threats and attacks.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/the-3-rs-riches-ruins-regulations/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2013 Threat Predictions: A Closer Look</title>
		<link>http://blogs.mcafee.com/cto/2013-threat-predictions-a-closer-look</link>
		<comments>http://blogs.mcafee.com/cto/2013-threat-predictions-a-closer-look#comments</comments>
		<pubDate>Thu, 27 Dec 2012 17:40:24 +0000</pubDate>
		<dc:creator>Mike Fey</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[2013 threat predictions]]></category>
		<category><![CDATA[HTML5]]></category>
		<category><![CDATA[near field communication]]></category>
		<category><![CDATA[Rootkits]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=20932</guid>
		<description><![CDATA[Today at McAfee we released our annual predictions on the top threats for 2013. Each year we take a critical look at the online risks that have grown in both depth and breadth and make solid predictions on what trends we anticipate will pick up in the New Year. Here are a few highlights on <a href="http://blogs.mcafee.com/cto/2013-threat-predictions-a-closer-look">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Today at McAfee we released our annual predictions on the top threats for 2013. Each year we take a critical look at the online risks that have grown in both depth and breadth and make solid predictions on what trends we anticipate will pick up in the New Year.</p>
<p>Here are a few highlights on what we found:</p>
<p><strong>Rootkits Diversify</strong></p>
<p>Our Labs team has found a trend in rootkits over the last few quarters: rootkits are diversifying how they attack. As noted in the <em>2013 Threats Prediction Report</em>, by driving threats into different areas of the operating system stack, the frequency of advanced attacks that occur outside of the OS is increasing. In addition to the increase in volume, the nature of the attacks is also considerably more devastating. As we expect to see threats in this area intensify in 2013, McAfee is equipping consumers with the security solutions they need, such as DeepSafe, to prevent these attacks from occurring in the first place.</p>
<p><strong>HTML5</strong></p>
<p>HTML5 opens the door to myriad potential attacks. The update is designed to provide language improvements, capabilities that remove the need for plug-ins, new layout rendering options and much more. While it will enhance the user experience, it also gives web content, and therefore attackers, much closer access to the device’s hardware and resources, quickly increasing the attack surface. This is something we will be keeping a close eye on in 2013; we feel it will be heavily exploited in the future.</p>
<p><strong>Near Field Communication (NFC)</strong></p>
<p>Our Labs team has uncovered a rising trend in mobile theft via NFC-enabled smartphones. With NFC prevalent in new models of smartphones such as the Samsung Galaxy, the use of “digital wallets” is also growing in popularity with consumers. In 2013 we expect attackers to create mobile worms that steal money via the “bump and infect” method in crowded places such as airports and malls.</p>
<p>As both mobile- and cyber-attacks evolve and grow in 2013, we’ll be working to keep driving solutions to protect our customers. With McAfee’s solutions such as Global Threat Intelligence and hardware-enhanced security, we are continuously evolving our security platform, with even more enhancements to come in 2013. At McAfee, we remain dedicated to being responsible cyber citizens: educating consumers and teaching our users how to be safe and secure in the New Year.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/2013-threat-predictions-a-closer-look/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Decrypt Full Disk Encryption products for $299 – Well, it got cheaper at least</title>
		<link>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least</link>
		<comments>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least#comments</comments>
		<pubDate>Fri, 21 Dec 2012 17:04:32 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[cold boot]]></category>
		<category><![CDATA[elcomsoft]]></category>
		<category><![CDATA[passware]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=20823</guid>
		<description><![CDATA[Many people have contacted my team and I over the last few days about the recent announcement by ElcomSoft, that they offer a tool to decrypt Bitlocker, PGP and Truecrypt volumes. This $299 tool is advertised as getting you access to this encrypted data quickly and easily… Now, this may sound exciting, but as they <a href="http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Many people have contacted my team and I over the last few days about the recent announcement by <a href="http://www.elcomsoft.com/" target="_blank">ElcomSoft</a>, that they offer a tool to decrypt Bitlocker, PGP and Truecrypt volumes.</p>
<p>This $299 tool is advertised as getting you access to this encrypted data quickly and easily…</p>
<p>Now, this may sound exciting, but as they say, there’s always a catch: you need a memory dump from the machine from <strong><em>when it was authenticated</em></strong> to use this tool. Yes, there is no recovery if you find a cold machine. You have to get access to it while it’s on and the user has logged in, to capture that memory; with the dump in hand you can then recover the data after they switch it off.</p>
<p>Sounds familiar? Well it should, it’s <em><strong>exactly</strong> </em>the same idea Passware.com released to the world back in 2010 – I even <a title="Passware release tool to crack Bitlocker" href="http://blogs.mcafee.com/data-protection/bitlockertruecrypt-decryption-tool" target="_blank">blogged</a> about it then.</p>
<p>The difference is, Passware (currently) charge you just shy of $750 for their <a href="http://www.lostpassword.com/kit-enterprise.htm" target="_blank">Enterprise Passware Kit</a>.</p>
<p>So, exactly the same idea, just cheaper. Wow.</p>
<p>Let’s revisit the attack one more time just so you can be sure to explain to your worried CISO why this is as much of a non-event as it was 32 months ago.</p>
<ol>
<li>The machine needs to be on, and authenticated for the attack to work</li>
<li>If the machine is off, and needs authentication to boot, the attack does not work</li>
</ol>
<p>Point 2 is of course the important one. If you are using encryption software which does not require user authentication, say BitLocker without a password (TPM-only mode), or you implemented something like EEPC with pre-boot authentication disabled, you should already know that you <em>left the encryption key in the front door</em> and your machines are totally insecure.</p>
<p>If you’re using “volume” encryption, the attack only works if you leave the machine unattended with the volume mounted.</p>
<p>Most McAfee customers are using full disk encryption with pre-boot authentication on, so if you just shut your machine down or hibernate it before leaving it unattended, you’ll be fine. Note that sleep (suspend to RAM) is not the same thing: memory stays powered and the keys stay in it.</p>
<p>No one can recover keys from memory on a machine which is off. The one caveat is the well-known cold boot attack, which relies on DRAM keeping its contents for a short time after power loss (longer if the chips are chilled); a machine that has been off for more than a few minutes has nothing left to recover&#8230;</p>
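<p>To see why the dump has to come from an authenticated session, here is an added Python example (written for this post; it is not ElcomSoft&#8217;s or Passware&#8217;s code, nor anything from the McAfee products) that does what such tools do at their core: scan a memory image for an AES-128 key schedule. A software AES implementation keeps the expanded round keys in RAM while the volume is mounted, and the expansion is deterministic, so any 16 bytes that are followed by their own correct expansion are almost certainly a live key. The example assumes AES-128 with the 176-byte schedule laid out contiguously in FIPS-197 order, which is the common case for software implementations (AES-256 has a 240-byte schedule and the same approach applies). The memory image is constructed: pseudo-random filler with one schedule planted in it, using the FIPS-197 example key.</p>

```python
import random


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map.
    p walks the field multiplying by 3 while q walks it dividing by 3, so p*q == 1 throughout."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF       # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                   # q /= 3 (three steps)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                                  # 0 has no inverse
    return sbox


SBOX = build_sbox()
SCHEDULE_LEN = 176          # 11 round keys * 16 bytes for AES-128


def aes128_expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte round-key schedule."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                        # RotWord
            t = bytearray(SBOX[b] for b in t)        # SubWord
            t[0] ^= rcon                             # Rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for every AES-128 key schedule found in a memory image.
    Cheap filter first: the word right after the key must equal w[4] derived from it;
    only then expand fully and compare all 176 bytes."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        w3 = key[12:16]
        # w[4] = w[0] ^ SubWord(RotWord(w[3])) ^ Rcon[1]
        w4 = bytes(key[j] ^ SBOX[w3[(j + 1) % 4]] ^ (0x01 if j == 0 else 0) for j in range(4))
        if image[off + 16:off + 20] != w4:
            continue
        if image[off:off + SCHEDULE_LEN] == aes128_expand_key(key):
            hits.append((off, key))
    return hits


def build_memory_image(key: bytes, size: int = 16384, seed: int = 7) -> tuple:
    """Constructed stand-in for a RAM dump: seeded pseudo-random filler with one expanded
    key schedule dropped at a fixed offset, as a running disk-encryption driver would leave it."""
    rnd = random.Random(seed)
    filler = bytearray(rnd.getrandbits(8) for _ in range(size))
    offset = 0x1A30
    filler[offset:offset + SCHEDULE_LEN] = aes128_expand_key(key)
    return bytes(filler), offset


FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key

if __name__ == "__main__":
    image, planted_at = build_memory_image(FIPS197_KEY)
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at 0x{off:05x} (planted at 0x{planted_at:05x}): key = {key.hex()}")
```

<p>The scanner has no idea which product owns the key or what the disk format is; it only needs the schedule to be in memory, which it is exactly as long as the volume is mounted. Once the memory contents are gone there is nothing for it to find, and that is the whole of the defence described above.</p>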
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Security-Obligated Executive</title>
		<link>http://blogs.mcafee.com/cto/the-security-obligated-executive</link>
		<comments>http://blogs.mcafee.com/cto/the-security-obligated-executive#comments</comments>
		<pubDate>Fri, 14 Dec 2012 01:28:13 +0000</pubDate>
		<dc:creator>Mike Fey</dc:creator>
				<category><![CDATA[CTO]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=20690</guid>
		<description><![CDATA[Whether they realize it or not, C-suite executives now have ownership over keeping their organizations secure. According to Gartner predictions, by 2015 as much as 25 percent of all organizations will add a new “C” to the C-suite: Chief Digital Officers. Living in the digital age, the CEOs, CFOs, CTOs, COOs  and soon to come <a href="http://blogs.mcafee.com/cto/the-security-obligated-executive">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Whether they realize it or not, C-suite executives now have ownership over keeping their organizations secure. According to Gartner predictions, by 2015 as much as 25 percent of all organizations will add a new “C” to the C-suite: Chief Digital Officers. Living in the digital age, the CEOs, CFOs, CTOs, COOs  and soon to come CDOs, of the world are now responsible for all material threats to their companies, and that includes information security.</p>
<p>The opening subject in <em>Security Battleground</em> delves into this new class of business leaders: the security-obligated executives. It discusses how, on any given day, a company can suffer a cyber-attack, whether malware, ransomware or crimeware, that can cripple an organization and could have potentially irreversible ramifications.</p>
<p>While the C-suite is ultimately responsible for their organizations, many are untrained on what it means to be a security-obligated executive. These executives should know how to identify threats and what warning signs to monitor for to circumvent cyber-attacks before they happen. Below is a field manual the C-suite should use to prepare for the battle against cyber-attacks:</p>
<ul>
<li><strong>Pay attention to the types of security threats that exist</strong>
<ul>
<li>The types of cyber-warfare and attacks are both growing in number and diversifying. With BYOD heavily on the rise, devices such as smartphones and wireless tablets accessing cloud-based applications provide even more opportunities for attackers.</li>
</ul>
</li>
<li><strong>Don’t isolate “business” from IT and security operations</strong>
<ul>
<li>Encourage the security team to have a strong understanding of the business. It is too often the case that security teams work in isolation. Security teams should know what business leaders value in order to properly match the levels of protection with the risk.</li>
</ul>
</li>
<li><strong>Perform threat analyses and plan accordingly</strong>
<ul>
<li>The security team should be able to identify risk and threats, while the security-obligated executive should be aware of what those vulnerabilities are and how to mitigate them.</li>
</ul>
</li>
<li><strong>Prepare a strategic plan</strong>
<ul>
<li>Identify what the most important security improvements are, with an explicit understanding of the company’s assets that need to be protected. By creating an alignment between specific business risks and security controls, teams will be able to fit the building blocks together to create a strategic plan of action.</li>
</ul>
</li>
</ul>
<p>As the security gatekeepers of our organizations, which are constantly evolving and becoming more digital, we need to remember we are responsible for all material threats to our enterprises and networks, including information security.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/the-security-obligated-executive/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
