An ode to McAfee.. Purveyors of the finest scamware

So I was getting ready to post about various things that have been keeping me busy recently and some upcoming plans, but a recent interaction with McAfee prompted me to write about their excellent service first..

Last week my father-in-law’s computer became infected with a trojan.  Not the biggest issue you’d think, and a fairly common occurrence.  However, he was running fully up-to-date McAfee protection that he actually pays the princely sum of about £55 per year for.

This is failure one: a pensioner who only uses the internet for running a motorcycle club, booking holidays and general browsing becomes infected with a trojan despite having fully up-to-date, paid-for anti-malware installed.

Then we go through the process of this exceptional anti-malware software trying to remove the trojan, which goes something like this:

– McAfee needs to reboot your computer to remove the malware

– Reboot

– McAfee needs to reboot your computer to remove the malware

.. and so on

This failure is issue two.

The next is perhaps the worst failure of all.  As a paying customer, my father-in-law then decided to contact McAfee customer support.  After a long-winded conversation with someone who could barely understand him, he was finally put through to technical support.  At last, someone who could help.  Well, they did understand the problem and were able to tell him that the software he subscribes to from them was likely disabled by the trojan, and that his firewall was also likely turned off.  Their next statement was that they would require a further £56 in order to provide any assistance.

So – pay a yearly subscription for McAfee anti-malware, and it doesn’t work..  Then when you call them for assistance they want more money to help resolve the issue caused by their solution not working!

When asked point blank what the subscription fee gets you over and above using a free anti-malware solution, the response was ‘well, erm, nothing sir’.

So my advice to you, and to anyone you know who may ask you for advice on which anti-malware solution to use, is:

– Don’t use McAfee

– Don’t pay for it if you are comfortable using one of the many excellent free products such as AVG Free

– If you do pay for it, make sure you have a clear understanding of just what your investment will get you

– Oh and don’t use McAfee.

I have no idea if the other paid-for solutions offer a service this bad, but it seems to put them on a par with the scamware-type vendors – here, install this, and when it doesn’t work pay us more to help.  The only difference is McAfee put a legal and friendly face on their scam, which probably makes them worse.

And to top it off, guess who is probably going to have to go and clean the infected machine now..

Apologies for the slightly ranty post, but this was massively poor on McAfee’s part.

A more balanced post about general IT stuff, my Masters and some upcoming plans will follow shortly 🙂

K

Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10-year anniversary in 2012.  It encompasses security, privacy, reliability and business practices.

Managing risk at all layers..

Thoughts –

– If I move to a CSP and they have the same level of security as me, and I am saving money, then I am being efficient

– If I move to a CSP and they have better security than me, I am mitigating risk

Help adopters understand why!

– Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption:

– Consult guidance from organisations such as the CSA

– Require that the provider has obtained third-party certifications and audits such as ISO/IEC 27001:2005

– Ensure a clear understanding of security and compliance roles and responsibilities for delivered services

– Know the value of your data and the security and compliance obligations you need to meet

– Ensure as much transparency as possible, e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft are already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats:

– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

– A new piece of malware is created every second

– Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain:

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced malware examples include:

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations’ networks to control other systems.

– Jacksbot – bot malware that is multi-platform, running across multiple OSs including mobile. (check)

We need to conduct more tests and assessments of our environments, using tools such as Zeus, the BlackHole exploit kit, Metasploit, SpyEye etc.

Tactical trends in hacking:

– Professionalism and commoditisation of exploit kits

– Man in the Browser attacks becoming more common

– Android framework for exploitation (BYOD = BYOM, Bring Your Own Malware)

– Proximity attacks realised (microphones turned on in laptops / phones / tablets, Bluetooth attacks)

– Mobile malware proliferation

– Application attacks

– Botnets migrating from IRC to HTTP

– Attacks against Macs

Cloud security issues / considerations:

– Server and VM integrity (virtualisation attacks, inter-VM attacks, instant-on gaps)

– Network and intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012:

– Has the cyber security posture of all third parties been audited?

– Is access to all sensitive systems governed by 2-factor authentication?

– Does a log inspection program exist?  How frequently are the logs reviewed?

– Does file integrity monitoring exist?

– Can vulnerabilities be virtually patched?

– Is MDM and mobile management software utilised?

– Do you utilise DLP?

– Can you migrate layered security into the cloud environment?

– Do you maintain multi-level, rule-based event correlation?

– Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly sophisticated and we need to work hard not just to keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012’ are well worth bearing in mind when thinking about your risk management process / strategy.

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered, as the points around creating business cases and defining value in business rather than IT terms are worthwhile:

Implementing data-centric security in the cloud:

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe:

  1. Define the business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – this must be business driven, not IT driven
  3. Inventory data – technical and consultative.  They mentioned that DLP is one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (you can also group by other attributes such as geography)
  6. Associate data access with business processes, users and roles
  7. Determine standard control requirements for each data set
  8. Determine feasible controls for each cloud environment, e.g. you can implement far fewer of your own controls in a SaaS environment than in IaaS
  9. For each data set, identify an acceptable platform based on the required controls and the security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation:

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

K


RSA Conference Europe 2012 – The Science Lab: Live RAT Dissection

Great talk and demo from Uri Fleyder and Uri Rivner on a VNC-based Man In The Browser (MITB) attack.  The talk started with some general observations on the current state of the malware market, then went into the demo.

Why RATs are spreading in the underground – we are moving to a much more advanced underground supply chain.  This follows neatly on from the keynote talks around the ever-increasing availability of advanced tools.

A great example is the Citadel Trojan kit.  Developed from Zeus, which was sold and then had its source code leaked..  Citadel is a live, ongoing project, with many add-ons from GUI-based Trojan development and deployment.  Citadel only costs $2399 + modules, and yearly membership of the Citadel online ‘app store’ costs as little as $125 per year.  Modules can be bought for low amounts of money, such as:

Log parser for $295

Automatic iFramer of FTP accounts from logs for $1000

Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.

This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.

The demonstration of the Man In The Browser (MITB) attack showed a user accessing a compromised site.  The browser appeared to crash, then the user re-opened it and carried on working.  The user then accessed their bank and received a security warning saying that some checks were being performed to update their machine’s security, that these may take a few minutes, and please do not close or refresh the browser window.

At the same time the criminal received a text telling him a new machine had been compromised.  He then logged into his Zeus control account to see what the machine was and which bot had infected it.

The next step is that the bank site asks the customer to input their credentials, including PIN + key code, to access their account.  This is achieved by inserting JavaScript into the banking page in the user’s browser.

From their own machine the criminal has used VNC to log into the user’s machine, and from there into the user’s bank account.  The user inputting their PIN and code details will enable the criminal to perform a transaction on their account, such as a funds transfer.  The criminal does this in the background while the user is waiting for the initial ‘security checks’; once the criminal gets to the point where they are stuck and need the user’s 2-factor credentials, they update the message to request these details, as mentioned in the last paragraph.

The criminal is sent the username and password from the initial login:

https://twitter.com/ufleyder/status/255643717027913729/photo/1

Then the 2-factor code from the second message:

https://twitter.com/ufleyder/status/255646235078307840/photo/1

The criminal then sends a ‘sorry, site down for maintenance’ screen to the user, again by injecting it via JavaScript into the bank page the user thinks they are accessing.  This is to try and allay any fears or concerns so the user (victim) does not immediately suspect something malicious has occurred.

This works because the user has gone to the banking page they trust, and as they typed the URL or went to their saved favourite rather than clicking a link somewhere, they assume all is well.

Another advantage for the attacker of this type of attack is that they appear to come from the user’s machine, as they are going through a VNC (remote administration) connection to the user’s machine.  This circumvents any checks the bank (or whatever site) has in place to be more concerned about connections or transactions initiated from unknown devices.

According to European banks, something like 30% of all fraud now comes from same-device attacks like this.

Summary:

– VNC embedded in Zeus clones is a dramatic escalation of the threat level.  Make sure your defences are ready!

– Continuous monitoring is more resilient – e.g. user behaviour analysis: how fast is the user clicking and entering data, what is their pattern of clicks, etc.

– Don’t rely on identifying the device

– Consider randomising and encrypting the DOM space

– Zeus and other clones are polymorphic, so normal scans are not effective

– Make sure your machines are getting all relevant patches

– We used to rely on something you know; this is broken.  Now we rely on something you have; this is crumbling.. What next, something you are, linked with behavioural analysis?
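As an added illustration of the ‘user behaviour analysis’ and ‘don’t rely on identifying the device’ points above (my own example, not code from the talk or the speakers), here is a toy server-side session scorer run over constructed session events. It flags the same-device pattern from the demo: a money-moving action arriving implausibly soon after login while the victim is parked on a fake ‘security checks’ page, and a typing cadence that changes mid-session. The event names, cadence metric and thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Events a bank's web tier can observe without identifying the device:
# what happened, when, and (for typed forms) the mean inter-keystroke gap
# reported by the page's own JavaScript. All names here are hypothetical.
@dataclass
class Event:
    t: float                            # seconds since the session started
    kind: str                           # "login", "view_balance", "add_payee", "transfer", ...
    typing_ms: Optional[float] = None   # mean inter-keystroke gap on that form, if typed

MONEY_MOVING = {"add_payee", "transfer"}
MIN_SECONDS_TO_MONEY = 60.0   # assumed threshold: humans rarely reach a transfer this fast
CADENCE_TOLERANCE = 0.5       # assumed threshold: >50% change from the login cadence


def score_session(events: List[Event]) -> List[str]:
    """Return sorted reasons a session looks like same-device fraud (empty = clean)."""
    reasons = set()
    login = next((e for e in events if e.kind == "login"), None)
    if login is None:
        return ["no_login_event"]
    for e in events:
        # Signal 1: money moved before a real customer would normally get there.
        if e.kind in MONEY_MOVING and e.t - login.t < MIN_SECONDS_TO_MONEY:
            reasons.add("money_movement_too_soon_after_login")
        # Signal 2: the hands on the keyboard changed (victim typed the login,
        # someone else over VNC typed the payee / transfer forms).
        if e.typing_ms and login.typing_ms:
            if abs(e.typing_ms - login.typing_ms) / login.typing_ms > CADENCE_TOLERANCE:
                reasons.add("typing_cadence_changed_mid_session")
    return sorted(reasons)


# Constructed sample sessions (not real data).
NORMAL_SESSION = [
    Event(0.0, "login", typing_ms=130),
    Event(18.0, "view_balance"),
    Event(45.0, "view_statement"),
    Event(200.0, "transfer", typing_ms=120),
]
FRAUD_SESSION = [
    Event(0.0, "login", typing_ms=140),
    Event(25.0, "add_payee", typing_ms=40),
    Event(40.0, "transfer", typing_ms=45),
]

if __name__ == "__main__":
    print("normal:", score_session(NORMAL_SESSION))
    print("fraud: ", score_session(FRAUD_SESSION))
```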

A lot to think about here..

K

USAF Predator control systems compromised by malware

Following on from the very high profile targeted attacks such as the Stuxnet worm, which was used to target Siemens supervisory control and data acquisition (SCADA) systems such as those used in Iranian nuclear facilities:

http://www.google.co.uk/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=stuxnet


and the RSA security breach that impacted many businesses earlier this year:

http://blogs.rsa.com/rivner/anatomy-of-an-attack/

It has emerged that some USAF (United States Air Force) computer systems have been infected by malware.

While the reports of this state that it is likely to be just a keylogger and not something that is co-opting control of armed military drones, this should be seen as yet another wake-up call – any network-attached systems, or any systems that allow storage devices (e.g. USB drives) to be connected, are vulnerable to attack by malware.  I am sure from reading the previous section you have realised that this means pretty much every computer system..

Details can be found here:

http://nakedsecurity.sophos.com/2011/10/10/malware-compromises-usaf-predator-drone-computer-systems/

One particularly worrying comment from the story is around the fact that they are not sure if the malware has been wiped from the systems properly and that it keeps coming back.  Best practice is always to do a clean rebuild of any infected machines, especially something as critical as this!

In short, if high profile security vendors and supposedly secure military computers can be successfully attacked and gaps exploited, this should be a wake-up call to anyone who does not yet take the security of their systems and data seriously.

Oh, and if in any doubt – reinstall, don’t keep trying to clean the malware from the system!

K