McAfee Labs – McAfee 2016-10-03 03:08:11

Over the last several days, we’ve seen headlines on potential cyber-attacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts.

Intel Security CTO Steve Grobman fielded a number of questions on these events and revelations:

What do you make of the FBI and DHS announcements that the agencies have detected cyber-attacks on voter registration websites in more than a dozen states?

“These announcements certainly raise concerns. Elections are meant to be anonymous and not traceable back to the individual voter. Thirty-one states and DC offer the kind of online voter registration that the FBI says was targeted. The perpetrators are hacktivists. They probably seek to shake voter confidence in the American electoral system, and they only have to have one high-profile attack to achieve this goal.”

What do you make of reports that cybercriminals are behind the theft of 500 million Yahoo! users’ accounts, not government-backed hackers, and these actors sold the data to a state actor?

“Some nation-states have the same cyber gap in their offensive operations as the rest of the world has in defensive operations. Moreover, they face the threat of kinetic repercussions resulting from the digital attribution of a cyber-attack. Therefore, it’s conceivable that these state actors could use a wide range of tactics to mitigate these issues. This could indeed include partnering with criminal or private organizations to achieve their strategic objectives.

Because of this, we need to be careful not to interpret what little we see as definitive proof of a conclusion.

For example, the fact that stolen data can be leaked through criminal underground networks could simply indicate that a nation-state is attempting to mask a cyber espionage operation as a standard cybercriminal breach. It may also be a side effect of a criminal actor acting on a nation-state’s behalf. A similar deception can occur in reverse, where a criminal or terrorist group can use tactics to falsely implicate a nation-state.”

What should we make of the possibility of a nation-state potentially hacking a U.S. corporation for user emails as an act of espionage?

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles.

Consider the recent compromise and disclosure of Former Secretary of State Colin Powell’s personal email messages. While probably more tame than the average citizen’s messages, the public disclosure of his communications revealed statements that proved controversial in political and other government circles.

The emails of the less tame or even reckless candidate, three-letter agency chair, general, or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions.”

Regarding Verizon’s planned acquisition of Yahoo!, is an analysis of a company’s computer security expected as part of the due diligence in a purchase?

“It is common practice for technology companies conducting due diligence of a potential acquisition to evaluate the cybersecurity posture of that target. This due diligence often includes requesting a list of IT breaches, reviewing the results of any security audits or certifications, evaluating the company’s policies and procedures for IT security, reviewing the company’s privacy policies, and assessing the nature of personal information held by the business, among others.”

Who generally performs such an analysis? Are they paid by the buyer or the seller?

“Security-related diligence is often conducted through a combination of internal teams employed by the acquirer, and, if needed, third-party specialists. The cost of any third-party evaluation is typically borne by the acquirer.”

Would such an analysis have picked up this breach?

“The due diligence process generally requires disclosure of known IT breaches. Security audits or other evaluations conducted during the course of diligence would attempt to assess the likelihood of future breaches or potentially undiscovered IT breaches.”

What was your reaction to the prominent mention of cybersecurity in the presidential debate between Hillary Clinton and Donald Trump?

“It’s refreshing to see cybersecurity at the forefront of the national security conversation during tonight’s debate. In just a few years, we’ve seen cybersecurity go from a function of the IT back office, to the nation’s Oval Office.

While events have tended to drive government into action, more and more of our nation’s top leaders understand the cyber battlefield is as critical as land, sea, air, and space. The prominence of cybersecurity in this week’s debate is tremendous progress, with the promise of further progress to come in the coming months and years.”



The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee.

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

Despite headlines, hype, and hysteria, U.S. Government rightly chooses cybersecurity guidance over regulation

The Obama Administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course with regard to cybersecurity.

The U.S. Department of Transportation and National Highway Traffic and Safety Administration (NHTSA) opted to work with industry to drive AV innovation, rather than propose regulations that could restrict such innovation, and even potentially undermine the cybersecurity of such vehicles.

DoT’s four-point policy seeks to lay “a path for the safe testing and deployment of new auto technologies” with life-preserving and resource-conserving potential for the American people. Specifically, the policy presents a model for Federal and State regulatory responsibilities, outlines NHTSA’s AV regulatory tools, and proposes new regulatory tools and statutory authorities.

In the area of safety, however, the government presents a 15-Point Safety Assessment Guidance, covering everything from consumer education, to data recording and privacy, to human-machine interfaces, to crashworthiness, to our primary concern: vehicle cybersecurity.

Following is an excerpt from the policy document’s guidance:

“While [cybersecurity] is an evolving area and more research is necessary before proposing a regulatory standard, entities are encouraged to design their HAV systems following established best practices for cyber physical vehicle systems. In particular, entities should consider and incorporate guidance, best practices, and design principles published by National Institute for Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (Auto-ISAC) and other relevant organizations.

As with safety data, industry sharing on cybersecurity is important. Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them. That is the purpose of the Auto-ISAC, to promote group learning. To that end entities should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research to the Auto-ISAC as soon as possible, regardless of membership. Entities involved with HAVs should consider adopting a vulnerability disclosure policy.”


This afternoon, Intel Security CTO Steve Grobman commented that the choice of cybersecurity guidance reveals an Obama Administration “highly-supportive” of AV technology and the cybersecurity innovation required to protect it:

“In choosing guidance over regulation, the Administration showed itself to be both industry supportive and tech savvy. They’ve focused on best practices and the Auto-ISAC threat analysis and vulnerability sharing between automakers and component manufacturers.

They clearly understand that the critical cybersecurity challenge in self-driving vehicles will be tackling the threats of today and tomorrow—versus the threats of five years ago.

There’s always a concern that government regulations may stifle the ability of innovators to innovate, whereas guidance tends to create an ongoing, constructive, even progressive dialogue between stakeholders.

But one of the greatest challenges of cybersecurity is that a regulation-based approach to protection never keeps up with the rapid pace of a changing cyber-threat landscape. New threats and vulnerabilities come to light each month.

Well-meaning regulatory regimes can force an opportunity cost upon manufacturers, as limited resources best applied to address today’s most critical threats can be spent wrestling with restrictions meant to address older issues long after they are critical security concerns.”


For more on Intel Security’s perspectives on and technology commitments to vehicle cybersecurity, please see our recent whitepaper and announcements around the Automotive Security Review Board (ASRB).

To learn what ordinary everyday people should know about the cybersecurity of connected cars and driverless vehicles, please see Gary Davis’ blog entitled From the Ground Up: How the Cars of the Future Will Be Secured.


Members of the press interested in speaking to Mr. Grobman on this topic may do so by contacting [email protected].


The post Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars appeared first on McAfee.

Product Coverage and Mitigation for CVE-2013-3893

Microsoft Security Advisory (2887505)

On September 17th, 2013, Microsoft published Security Advisory 2887505, which covers a remote code execution vulnerability in all supported versions of Microsoft Internet Explorer. The flaw resides in the handling of objects in memory that have been deleted or improperly allocated. Specifically, the vulnerable state is reached through a use-after-free flaw in the HTML rendering engine (mshtml.dll).

This flaw is currently being exploited in limited and targeted attacks. Functional exploitation and malware artifacts have been identified in the wild.


Remediation / Mitigation

McAfee Labs

The following McAfee products / content provide coverage:

  • McAfee Vulnerability Manager
    • McAfee MVM / FSL Content Release of 9/18/2013
  • McAfee Antivirus
    • Coverage is provided in the 7204 DATs, released on 9/20/2013
    • Name: Exploit-IE!heur
  • McAfee Network Intrusion Prevention Systems (NIPS)
    • UDS Emergency Release of 9/17/2013
    • UDS signature attack ID 0x4510ef00
    • Name: “UDS-HTTP: Microsoft Internet Explorer onlosecapture Use After Free Vulnerability”

As new details emerge, or product coverage is updated, McAfee Labs will keep you posted.

Operation Troy: OpenIOC Release

In conjunction with our investigation into Operation Troy, we will be releasing IOC data in the open and highly flexible OpenIOC Framework format.

The McAfee Operation Troy IOC can be downloaded here.
In addition to various open/free tools, OpenIOC data can be consumed by:

  • McAfee Network Security Platform
  • McAfee HIPS
  • McAfee GTI Proxy
  • McAfee Web Gateway
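To show what a consumer of OpenIOC data like the products above has to do with such a file, here is an added example (not McAfee's code, and not the logic of any of the listed products) that walks an OpenIOC 1.0 definition and evaluates its nested AND/OR indicator tree against the artifacts observed on one host. The IOC document, its indicator ids, the hash, the file name and the registry path are all constructed placeholders, not the actual Operation Troy indicators.

```python
import xml.etree.ElementTree as ET
# Constructed OpenIOC 1.0 sample: the hash, file name and registry path are
# placeholders for illustration, not real Operation Troy indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0001">
  <definition>
    <Indicator operator="OR" id="ind-root">
      <IndicatorItem id="item-md5" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-host">
        <IndicatorItem id="item-name" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">example_dropper</Content>
        </IndicatorItem>
        <IndicatorItem id="item-reg" condition="is">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">HKLM\\Software\\ExampleKey</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, observed):
    # observed maps a search path such as "FileItem/Md5sum" to the values seen on the host
    search = item.find("{*}Context").get("search")
    content = (item.find("{*}Content").text or "").lower()
    values = [v.lower() for v in observed.get(search, [])]
    cond = item.get("condition", "is")
    if cond not in ("is", "contains"):
        raise ValueError(f"unsupported OpenIOC condition: {cond}")
    return content in values if cond == "is" else any(content in v for v in values)

def _indicator_matches(node, observed):
    # Combine child results with this node's AND/OR operator, recursing into nested Indicators
    results = []
    for child in node:
        if child.tag.endswith("}IndicatorItem"):
            results.append(_item_matches(child, observed))
        elif child.tag.endswith("}Indicator"):
            results.append(_indicator_matches(child, observed))
    if node.get("operator", "OR").upper() == "AND":
        return bool(results) and all(results)
    return any(results)

def evaluate_ioc(ioc_xml, observed):
    # True when the host's observed artifacts satisfy the IOC's top-level Indicator
    top = ET.fromstring(ioc_xml).find("{*}definition/{*}Indicator")
    return _indicator_matches(top, observed)
```

Matching is case-insensitive, as hashes and Windows paths are compared in practice; a condition the evaluator does not implement raises rather than silently producing a false negative.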


For more information about the OpenIOC Framework, please visit: