Category: McAfee

May 27th, 2009

The Web's most dangerous keywords to search for

Posted by Dancho Danchev @ 4:50 pm

Categories: Browsers, Hackers, Malware, McAfee, Research

Tags: Search Engine Optimization, Web, Cybercriminal, Keyword, Search, Marketing Research, Marketing, Dancho Danchev

Which is the most dangerous keyword to search for using public search engines these days? It’s “screensavers” with a maximum risk of 59.1 percent, according to McAfee’s recently released report “The Web’s Most Dangerous Search Terms”.

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes “free” have the highest risk percentage of exposing users to malware and fraudulent web sites. The research further states that the category with the safest risk profile is health-related search terms.

Here are more findings:

Read the rest of this entry »

March 29th, 2009

CBS 60 Minutes covers Conficker, malware epidemic

Posted by Ryan Naraine @ 6:40 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Hackers, Malware, McAfee, Microsoft, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms, Zero-day attacks

Tags: Malware, CBS Corp., Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Internet, Security, Ryan Naraine

CBS 60 Minutes correspondent Lesley Stahl reports on computer viruses that propagate on the Internet and infect PCs, which enable their creators — often called “cyber gangs” — to learn the information they need to electronically rob bank accounts. Watch the episode (transcript):

October 14th, 2008

Secunia: popular security suites failing to block exploits

Posted by Dancho Danchev @ 5:24 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Java, Kernel-level Exploits, Malware, McAfee, Microsoft, Passwords, Patch Watch, Pen testing, Research, Symantec, Vulnerability research

Tags: Secunia, Internet Security Suite, Comparative Review, Dancho Danchev

In a recently conducted comparative review, Danish security company Secunia tested the detection rate of 12 different Internet Security Suites against 300 exploits (144 malicious files and 156 malicious web pages) affecting popular end user applications, to find that even the top performer in the test is in fact performing poorly in general. Their conclusion:

“These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities.

While we did expect a fairly poor performance in this field, we were quite surprised to learn that this area is more or less completely ignored by most security vendors. Some of the vendors have taken other measures to try to combat this problem. One is Kaspersky who has implemented a feature very similar to the Secunia PSI, which can scan a computer for installed programs and notify the user about missing security updates. BitDefender also offers a similar system, albeit this is more limited in scope than the one offered by Kaspersky and Secunia. We do, however, still consider it to be the responsibility of the security vendors to be able to identify threats exploiting vulnerabilities, since this is the only way the end user can learn about where, when, and how they are attacked when surfing the Internet.”

And while it’s boring to scroll through the empty tables of the study, is Secunia’s report a frontal attack against the security software vendors’ inability to block exploits, or are they trying to emphasize the fact that the end user should make better informed purchasing decisions when relying on All-in-One Security products?

Read the rest of this entry »

September 22nd, 2008

McAfee buys CipherTr-- err, Secure Computing

Posted by Adam O'Donnell @ 8:08 am

Categories: Hirings and firings, McAfee

Tags: McAfee Inc., Secure Computing Corp., Mergers & Acquisitions, Corporate Law, Spam, Financial Accounting, Viruses And Worms, Investment, Finance, Business Operations

Like every other red-blooded American I take a quick peek at my collapsing retirement and savings portfolios in the morning just to give me that extra kick to head into the office. So I pull up Google Finance to see Secure Computing (SCUR) is up some 23%, one of the big movers for the day. There are very few things that could cause a tech company to jump so much in such a short period of time.
Read the rest of this entry »

August 6th, 2008

Talking Firefox security with Mozilla's Window Snyder

Posted by Ryan Naraine @ 4:57 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Black Hat, Browsers, Exploit code, Firefox, Flash, Google, Hackers, Malware, McAfee, Mozilla, Open source, Patch Watch, Pen testing, Phishing, Vulnerability research

Tags: mozilla firefox, window, training, web browser, mozilla corp., window snyder, web browsers, security, internet, ryan naraine

LAS VEGAS — Mozilla security chief Window Snyder wants to open-source much more than the Firefox browser.

During a sit-down chat at the Black Hat security conference here, Snyder announced plans to launch three new initiatives around threat modeling, training and vulnerability metrics that push the envelope around sharing and collaborating with the rest of the industry.

The most interesting of the three centers around a formal threat modeling process for Firefox Next, the next major browser makeover coming from Mozilla.

Read the rest of this entry »

July 21st, 2008

2008 Pwnie Award nominees announced

Posted by Nathan McFeters @ 9:12 am

Categories: Adobe, Arbitrary Code Execution, Black Hat, Black Hat Las Vegas, Complex Attacks, Data theft, Exploit code, Firefox, Flash, Hackers, Kernel-level Exploits, McAfee, Microsoft, Research, ToorCon Seattle 2008, Vulnerability research, Web Applications, Windows Vista, Zero-day attacks, ~Special Series~

Tags: Nominee, Vulnerability, XSS, Attack, Flaw, Dan, XSS Flaw, Lifelock, Security, Nathan McFeters

Well, after getting 134 nominations, and spending countless hours pulling out nominees, the judges for the 2008 Pwnie Awards have announced the final nominees to be voted on. From the site:

The final list of nominees for the nine Pwnie Award categories is finally published. We’ve received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we’ve done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.

I’m especially excited about this, since Rob Carter, Billy Rios, and I were nominated for the Best Client-Side Bug for our URL and protocol handling flaws research; which just seems to never end by the way (and keeps continuing… see a future talk we will put on at some Black Hat down the road).  We’re up against some stiff competition though, including my fellow Ernst & Young Advanced Security Center co-worker Nitesh Dhanjani, which makes it a great year for EY with three current (myself, Rob Carter, and Nitesh Dhanjani) and one former member (Billy Rios) involved in the pwnies.

For more, read-on!

Read the rest of this entry »

July 2nd, 2008

PCI-DSS 1.1 points to outdated OWASP Top 10

Posted by Nathan McFeters @ 10:12 am

Categories: McAfee, PCI

Tags: XSS, PCI, Security, Storage, Hardware, Nathan McFeters

OK, I’m not going to freak out about this too bad… I’ve already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman (pictured at right) blogged today about the PCI-DSS 1.1 section 6.5, which covers “prevention of common coding vulnerabilities in software development processes”, and noted that it actually is identical to the OWASP Top Ten from 2004. Argh… the latest version is from 2007.

Here’s the PCI-DSS list (which is actually OWASP Top 10 from 2004):

Read the rest of this entry »

July 1st, 2008

McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

Posted by Nathan McFeters @ 10:40 pm

Categories: McAfee, PCI

Tags: McAfee Inc., Organize-It, PCI, Phishing, Cyberthreats, Marketing Research, Storage, Hardware, Security, Spam And Phishing

Stay with me here readers, I’m stringing two stories about McAfee together here, a little out of the ordinary, so I hope it makes sense. If you aren’t interested in the tech details (of which there are very few), please do read for a good laugh.

Network World reported that McAfee conducted an experiment into what would happen if computer users really did respond to all those spam emails and click all those free virus scan popups.  The experiment, called S.P.A.M. (Spam Persistently All Month) took 50 volunteers, both male and female, from numerous countries and tried to determine what would really happen.  Of course, the end result will be exactly what you’d expect, but hey, I’m game for an experiment, and the volunteers get free computers, so let’s read on!

Read the rest of this entry »

May 20th, 2008

McAfee partner isn't McAfee secure

Posted by Nathan McFeters @ 11:16 pm

Categories: McAfee, PCI, Punditocracy

Tags: McAfee Inc., Video, Russ McRee, Corporate Communications, Marketing, Nathan McFeters

I was over reading Russ McRee’s blog today, and I’ve got to say, if McAfee’s HackerSafe (or whatever they’re calling it now) doesn’t die off soon, then he’ll be able to write a novel about their trials and tribulations.

Apparently, McAfee authorized distributor Winferno.com is not HackerSafe… not that it would’ve mattered, as that wouldn’t have helped them prevent the XSS issues that McRee exposed on his blog.  McRee says:

Shouldn’t a McAfee Partner be McAfee Secure?
Apparently not, and being one wouldn’t have cured the XSS blues anyway.
Next in our video series, a supposedly secure shopping cart that is far from.

Here’s an IFRAME.
Here’s the cookie.
As well we know, coughing up the cookie counts as a really bad thing for any shopping cart, let alone an SSL protected shopping cart that happens to be a McAfee Partner and authorized distributor of McAfee Software. But lest we forget, McAfee doesn’t count XSS as concerning.
Here’s the video

Read the rest of this entry »

May 16th, 2008

McAfee's HackerSafe: "Um... we go in like a super hacker"

Posted by Nathan McFeters @ 10:45 am

Categories: McAfee, PCI, Punditocracy

Tags: McAfee Inc., Logo, XSS, Hacker, God, Security, Nathan McFeters

Updated 05/16/2008 2:00 p.m. CST: I officially have my first customer for the “Nate McFeters Safe” certification and Jeremiah Grossman and I have signed up another member for Scanless PCI, as noted security researcher Russ McRee has purchased our certifications, see http://holisticinfosec.blogspot.com

God is good and created YouTube for laughs and giggles on Friday, and I couldn’t help myself at taking a good chuckle at this. I saw this YouTube video posting which is an episode of “Web Marketing Watch” with Sage Lewis, who interviews Cresta Pillsbury of ScanAlert, which has since been purchased by McAfee. At about 1:19 in the shit literally hits the fan (sorry for my language but I’m still mortified by this video). Here’s the exchange:

Sage Lewis: And when you are talking about security, what exactly are you referring to?

Cresta Pillsbury: Um… we go in like a super hacker…

If you could’ve been a fly on the wall there, you wouldn’t have believed she said that, but there it is, live like Memorex.  ScanAlert… goes in… like a super hacker.  Like a SUPER HACKER?!

Yes, that’s right… their tool that scans for XSS and SQL Injection, as well as common configuration/patching issues, then THROWS OUT THE XSS FLAWS OR MISSES THEM ENTIRELY, goes in like a SUPER HACKER, and “hacks” your network/application.  Then you get a sweet badge to put on your site for marketing purposes.

Forget all of that, I’ve got a better solution to all of this, it’s called the “Nate McFeters Safe” certification, and it’s a badge that you can put on your site for just $1.95 per site per day, a pittance compared to the cost of Hacker Safe, and I will do absolutely nothing to secure your site EXCEPT:

1.) Promise not to hack your site

You get all the PR bonus of getting to put this sexy logo on your site (image courtesy of Russ McRee and Holistic InfoSec Enterprises, Ltd.):

Nate McFeters Certified

Plus, you will be just as secure from cross-site scripting attacks as you would if you spent way more for the HackerSafe logo! Best of all, I’ll never revoke my logo for anything, because even if you do get hacked, that logo ensures that it wasn’t by me!

-Nate

P.S., look out in first quarter of 2009, Jeremiah Grossman and I will be teaming up to create the “Nate/JG Scanless PCI Certification” and the “Jeremiah Grossman Safe From Brazilian Jiu-Jitsu Attack Certification”.  Sexy logos are in development.

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
