mcafee - ReadWriteWeb (http://www.readwriteweb.com/feeds/tag/mcafee), Copyright 2012 Richard MacManus, readwriteweb@gmail.com, Mon, 13 Feb 2012 19:17:22 -0800

McAfee to Security Industry: "Are We Really Protecting Users and Companies?"

Security company McAfee released its second quarter threat report today and the language in it is quite frank: "The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?'" With malware at its highest levels ever, the escapades of LulzSec and Anonymous continuing unhindered and new varieties of spam being created almost every minute, it is a pertinent question.

Android is now far and away the leader in mobile malware. For-profit mobile malware has also grown significantly, with SMS-sending Trojans and other complex Trojans compromising smartphones. Rootkit malware that takes over the operating system kernel of a computer or a smartphone is also becoming popular among malicious programmers. As McAfee notes, "The second quarter of the year was clearly a period of chaos, changes and new challenges."

[Image: McAfee_Q211_Threat Report Mobile.jpg]

Android mobile malware has become a persistent threat. Earlier in the year the press covered every new iteration of Android malware, starting with DroidDream and jumping every time a smartphone sneezed. Now, just as with PC malware, Android malware is a usual occurrence. Some of the top Android malware Trojans and viruses out there are derivatives of DroidDream. That makes a lot of sense, as malware is known to morph significantly once it is out in the wild and new programmers get their hands on it and change it to their specific needs (or just enough to slip past security applications). Security programmers should look out for Android malware in the DroidKungFu family, the DrdDreamLite family and Tcent, which sends text messages to premium services.

As for traditional email spam, the price of a block of email addresses is relatively cheap. In Russia, the United States, Germany and Australia, 1 million email addresses will run you $25; upwards of 8 million addresses will cost about $200. As with legitimate software companies, malware programmers license their tools. Eleonore, a long-standing tool for malicious programming, now goes for $2,000 for the latest version.

For the first half of 2011, malware is at its highest rate ever, though if you take only the second quarter into account, it is a touch behind the pace of 2010. Overall this year malware is up 22%. McAfee's library of malware will reach 75 million entries by the end of the year.

[Image: McAfee_Q211_Malware by Month.jpg]

One of the most common targets has been Adobe, which now outpaces Microsoft in attracting exploits. That is another knock to Adobe, which has been struggling in the market to create new products that actually run effectively on computers and mobile devices.

McAfee's report covers a sprawl of different types of malware, spam, phishing and social engineering, mobile viruses and malware, and botnets. Reading through the report, it is no wonder that security companies are beginning to question whether they can keep up with the flood of malicious activity on the Internet. On one hand, the popular refrain is always "exercise common sense and you will be secure", but motivated hackers have almost no trouble isolating people and companies if they really want to get their information.

The question has to be asked: Is the security industry failing us?

http://www.readwriteweb.com/archives/mcafee_to_security_industry_are_we_really_protecti.php | Security | Tue, 23 Aug 2011 06:36:00 -0800 | Dan Rowinski
Savvy Consumers Experiment With More Security Products, Forrester Reports

A new study from research firm Forrester shows that consumer attitudes towards Internet security are significantly changing. Consumers are now more aware of cyber security and are taking more steps to protect themselves on the Web. At the same time, consumers are gravitating to a select group of security vendors, with freeware products dominating the industry.

Forrester used data from its Technographics survey across 16 major world markets to show that users are indeed more savvy about the threats to their computers and what they can do about them. The beneficiaries are the major players in security, most of which have been operating since the mid-1990s, when the first criminal hacker scares and spam started to work their way into the mind share of the Internet populace. Norton, AVG and McAfee were the leaders then and are the leaders now. Yet the vendors are seeing a lot more churn, with consumers dividing brand loyalty among several different products and suites from the major vendors. Have you become more cognizant of Web security in the last couple of years? What kind of products are you using to protect yourself on the Internet?

Forrester finds that more users are acquiring their security software from the Internet. The days of security products (or any software, really) coming in the form of CD-ROMs (which make terrific coasters, ask AOL) or flash drives are coming to a close. This trend is a direct advantage to the freeware security vendors and the Internet Service Providers that host security products in the cloud.

[Image: Forrester_Security_Downloads.jpg]

With users experimenting with more free security products and acquiring security via downloads, the security industry is likely to see consolidation of its top vendors in a battle for user retention. This has already started to happen as can be seen when Symantec bought Norton and rolled it into its consumer (as opposed to enterprise) security division. Symantec's retention rates are some of the best in the industry, which means that Norton has good upside.

Forrester notes that users are not only adopting a variety of security products but are also more aware of security best practices on the Web. Between 300 million and 350 million PCs run freeware.

What is not mentioned by Forrester is which of these products works the best. All of the top security vendors are experimenting with new products and new ways to trap malware, from server logging and tracking to virus signatures, white lists, honey pots and more. What Forrester's research does show is that the security vendors are becoming more creative in the ways they roll out their products to avoid churn and improve retention rates. The "who is best" argument is as subjective when it comes to security as consumers are about Coke vs. Pepsi.

According to the research, Norton is the No. 1 global security suite with AVG and McAfee the consensus No. 2 in the ecosystem.

http://www.readwriteweb.com/archives/savvy_consumers_experiment_with_more_security_prod.php | Security | Wed, 17 Aug 2011 08:00:00 -0800 | Dan Rowinski
Operation Shady RAT May Be the Biggest Hack in History, But It is No Surprise

Anybody involved in the IT and cybersecurity industry knows that every major industry and government agency around the world is under threat of intrusion through Advanced Persistent Threats (APT). Security company McAfee is reporting one of the largest cases of intrusion ever in a campaign the company calls Operation Shady RAT (PDF) that has infiltrated 72 known (and many other unknown) governments and corporations over the last five years.

A RAT (Remote Access Tool) is a technique hackers use to gain access to computers and servers so they can siphon off data. In Operation Shady RAT, that data could include military and industrial secrets, emails from industries and more. If it could be stolen, it probably was. Victims range from the U.S. government, real estate agencies and the International Olympic Committee to small governments such as that of Taiwan. While many media organizations will call this "the biggest hack ever," it really should come as no surprise to anyone in the security field.

McAfee's white paper detailing the exploits of Shady RAT does not mention who might have been perpetrating this particular APT. McAfee released the report to Vanity Fair, which has asserted that the campaign probably originates in China. While that may be true, McAfee itself does not make that assertion. The reasoning behind blaming China is fairly simple: the data shows that almost every major country around China was hacked except for China itself. There is also the fact that the IOC (and the Olympic committees of various countries) were hacked just ahead of the Beijing summer games in 2008. In that regard, the World Anti-Doping Agency (WADA) was also hacked.

McAfee says that 13 defense contractors were also breached, which brings up recent memories of Anonymous hacking Booz Allen Hamilton in July and leaking 90,000 military related emails.

[Image: Shady_Rat_Intrusions_610.jpg]

McAfee was able to track the malware signatures (the RAT, more or less) and trace them back to a single command-and-control server "in a Western country," which allowed it to identify the IP addresses of the victims. What McAfee does not report is exactly what information was actually stolen or how high the intrusions go within each particular organization. As Graham Cluley of Sophos points out, it is one thing to breach the intern's computer; it is quite another to breach Joe the CEO. McAfee does not report how many computers were hacked, who they belonged to or what was stolen.

"Without those details, it is sort of same old, same old," said Cluley over the phone to ReadWriteWeb. "The juicy bit never arrived."

If Shady RAT has been in effect for five years and McAfee has known about it and been tracking it for a while, the company could have reported it at any time. Yet the news comes out today (in Vanity Fair, no less), which is the first day of the Black Hat security conference in Las Vegas, the biggest hacker/security conference of the year.

"McAfee's PR team are skilled operators in this regard (there was similar coincidental timing when they issued their "NightDragon" investigation as the RSA Conference opened in February this year)," Cluley wrote in a blog post at Sophos's Naked Security blog.

NightDragon was a similar campaign against corporations, reported by McAfee in February this year. Other grandiosely named campaigns of note in the recent past include Operation Aurora, the alleged APT against Google, industries, and the U.S. and foreign governments, reported earlier this year.

Cluley does not think that any more specific information will be coming from McAfee about the nature of the attacks.

"If their PR people found something more interesting, they would have reported it," Cluley said.

http://www.readwriteweb.com/archives/operation_shady_rat_may_be_the_biggest_hack_in_his.php | Security | Wed, 03 Aug 2011 07:49:00 -0800 | Dan Rowinski
ONI Report Details Western Complicity in Mideast Online Tyranny

Today, the OpenNet Initiative has released a report on the roles Western tech companies have played in enabling repressive Arab regimes to filter and control the use of the Web by their citizens.

In the report, authors Helmi Noman and Jillian C. York "find that nine countries in the region utilize Western-made tools for the purpose of blocking social and political content, effectively blocking a total of over 20 million Internet users from accessing such websites."

Key Findings

Among the key findings by the investigation team of Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, are nine Middle Eastern countries with ISPs who use Western tech to muzzle the Internet: Bahrain, UAE, Qatar, Oman, Saudi Arabia, Kuwait, Yemen, Sudan and Tunisia.

They use these services to block sites based on a host of content criteria, including gay, lesbian, bisexual and transgender material; proxies and anonymization; sites skeptical of Islam as well as those with a secular or atheistic focus; and dating services.

Among the products used are U.S. tools including Intel's McAfee SmartFilter and Websense, as well as Canadian-made Netsweeper.

The massive blocking lists (the lists of content, specifically sites, that a given piece of software can block) are maintained by the filtering software company in partnership with its national clients. So the companies themselves are engaging in actions that make blocking a specific non-profit or tool possible. They are hardly neutral tools, the screwdrivers or wrenches of the Internet. They are purpose-built, dynamic systems.

To co-author Jillian York, the most important discovery in the report is "how the US throws so much money into circumvention technology to get around filtering that its own companies produce." And the most surprising is how easy it is for a site to get misclassified by the filtering producers as porn. Famously these sites have, in the past, included those devoted to breast cancer prevention and treatment.

Why Should We Care?

In addition to the fact that a misled country is easier to control and its citizens have less information to use when facing an increasingly global reality, there is also the fact that Western communications companies have grown up in societies that, to a greater or lesser degree, value free speech. It is far from coincidental that the largest tech communications companies are American. An atmosphere where free inquiry is an ideal encourages the development of such tools.

By abandoning these ideals when abroad (usually under the cover of "local laws"), the companies that collaborate are implicitly stating, "These are not the sort of people who should have free speech, who could handle free speech if they had it." If there is such a thing as institutionalized economic racism, you could hardly do better at finding an example of it.

As an American it also feels to me that, given free speech is a bear to manage, why should these companies be thriving under my good graces, then throwing it out the window because of a fictional "responsibility" to their shareholders to not make $12 billion when they could make $13 billion?

Of course there's also that little issue of whether we actually believe in democracy. Democracy without access to information is mob rule. As a society, what do we believe? Should we hold companies to the standards we try to achieve as a country? I think we probably should.

Unfortunately, according to ONI, only one company, Websense, has ever made a statement objecting to the use of its tools in the service of strangling speech, but its products, ONI finds, are used for just that thing.

As ONI itself concludes:

"Despite documentation by the ONI and other research and advocacy organizations, little discussion has taken place in the public sphere on the use of Western technologies for government-level filtering."

The photo of the gas canister with the U.S. markings during the Egyptian uprisings was big news. The complicity of Western countries in the stifling of the basic human right of free speech is even more damning and much less talked about.

Tear gas photo by James Buck | Mediterranean map by OttomanPictures

http://www.readwriteweb.com/archives/oni_report_details_western_complicity_in_mideast_o.php | International | Mon, 28 Mar 2011 14:00:00 -0800 | Curt Hopkins
Mobile Devices, Internet TV, & Geolocation Services Top Targets for Cyber Attacks in 2011

As 2010 wraps up with a month full of leaked documents, DDoS attacks and spam and database breaches, it's hardly surprising that security experts are predicting a rise in cybercrime in 2011. According to McAfee Labs, the top targets in the coming year will be some of the most popular technologies, services and platforms, including mobile devices, Internet TV and geolocation services.

"We've seen significant advancements in device and social network adoption, placing a bulls-eye on the platforms and services users are embracing the most," says Vincent Weafer, senior VP of McAfee Labs. "These platforms and services have become very popular in a short amount of time, and we're already seeing a significant increase in vulnerabilities, attacks and data loss."

Exploiting social media tops the McAfee list of threat predictions, and of the sites that will be "most riddled with cybercriminal activity," McAfee points to those with URL-shortening services at the forefront. According to McAfee, there are more than 3,000 shortened URLs generated per minute, and these are easy for cybercriminals to utilize for spamming and scamming and to direct users to malicious websites. McAfee also warns of geolocation services, with real-time tracking of where people are and what they're doing, as providing new opportunities for criminals.

Personal Data, Corporate Data

It's not just personal data that will be threatened by these sorts of attacks. As mobile devices become more ubiquitous in the workplace, attacks will follow, says McAfee, noting that the "historically fragile cellular infrastructure and slow strides toward encryption" will make mobile devices a target, putting both personal and corporate data at risk.

McAfee also points to Internet TV as a new target, criticizing a "'rush to market' thinking by developers." McAfee says that "suspicious and malicious apps" will expose privacy and identity data. Furthermore, the move to connect more physical devices will also raise the effectiveness of botnets.

Apple's Vulnerability

Apple users, long blasé about viruses and malware, would be wise to pay attention to security, says McAfee. As with all the areas that the security company has identified here, the increasing popularity of the Mac OS platform, along with a "lack of user understanding of proper security for these devices" in McAfee's words, makes Apple a clear target for future attacks.

While most of the predictions focus on "cybercrime," McAfee Labs also suggests that "hacktivism" will become the "new way to demonstrate political positions in 2011 and beyond." Look for more WikiLeaks-like events, with increasing sophistication.

http://www.readwriteweb.com/archives/mobile_devices_internet_tv_geolocation_services_to.php | Security | Tue, 28 Dec 2010 07:01:13 -0800 | Audrey Watters
McAfee Buys Trust Digital Mobile Security

McAfee, the computer security firm, announced that it is buying Trust Digital, a smartphone management and security software company.

McAfee, which has nearly $2 billion per year in sales, is hoping the acquisition of Trust Digital will allow it to present a total security loop, from endpoint, McAfee's speciality, through a company's smartphones, and back again.

Trust Digital helps "secure and manage corporate smartphones and PDAs" worldwide. It is a global leader, though it has only about 40 employees to McAfee's 6,000.

Trust Digital's offerings support iPhone OS, Android, Web OS, Windows Mobile, and Symbian mobile operating systems. McAfee expects to mesh these with its ePolicy Orchestrator, its "enterprise-class, open platform to centrally manage security for systems, networks, data, and compliance solutions."

The companies expect the deal to close by June 30.

McAfee's shares fell 11% last month, as its Q1 revenues and forecast came in under Wall Street estimates. That was in part due to the faulty signature it released that misidentified a Microsoft XP system file as a threat, along with foreign currency changes and a stock buyback.

The negotiations on the company's purchase of Trust Digital would have begun long before that, but the hope no doubt is that this move will contribute toward reconciling future earnings with shareholder and analyst expectations.

http://www.readwriteweb.com/archives/mcafee_buys_trust_digital_mobile_security.php | Security | Tue, 25 May 2010 18:03:00 -0800 | Curt Hopkins
McAfee: Enabling Malware Distribution and Fraud

McAfee, widely recognized as one of the leading providers of online security software for both home and business, appears to be struggling to secure its own Web sites, which, at the time of writing this post, allow anyone with enough tech savvy to covertly do whatever they want on, and with, the site.

During tests this weekend, we discovered that the company, which claims to "keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams," has several cross-site scripting (XSS) vulnerabilities and provides the bad guys with a brilliant, albeit ironic, launching pad from which to unleash their attacks.

Why a Vulnerability on a McAfee Site is of Consequence

It can't get much worse than this. This is not "yet another embarrassing incident on the Web;" not by a long shot.

Lance James, co-founder of Secure Science Corporation and author of Phishing Exposed, noted that when a criminal locates an XSS vulnerability within a well-known anti-virus site, it only makes the attack more effective. "It generates misplaced trust (being that computer users trust AV companies) and is paradise for miscreants involved in Scareware (Rogue Anti-Virus) distribution, as they can infect a legit copy of McAfee's product and distribute it under their name," James said. "A win for the bad guys through the power of branding; a major loss of trust for McAfee," he added.

Not only do security vulnerabilities harm a company's brand, they can also ultimately harm its bottom line, particularly when the company in question has made millions from the software it produces to protect you online; this will surely injure the McAfee brand.

It all began when we came across a post that described some of the issues facing McAfee. Very quickly, we realized the potential for phishing on one of McAfee's sites, the McAfee Rebate Center, which allows you to inject HTML code into one of the fields it provides on its site.

If you've never seen an HTML injection in action, try this out; it's an interesting experiment.

How To: HTML Injection

[Image: rebate_may_09.jpg]

  1. Go to the McAfee Rebate Center
  2. Click on Get Rebate
  3. Include this line of code into the 'Date Purchased' field:
    code_may_09.jpg
  4. Click on continue

This is a very basic redirect that will take you to ReadWriteWeb.

And voila - you've just effected your first HTML injection.

Although our example is extremely simple, a no-brainer for clever coders, it illustrates a significant and more sinister point: McAfee is clearly vulnerable to XSS attacks. Much like the recent Mikeyy worm on Twitter, this XSS issue is a result of poor output filtering. And while Twitter can be forgiven for not laying down the correct foundation in the beginning, the same cannot be said of McAfee, which has built its entire business around its knowledge and expertise in the field of information security.
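The root cause named above is poor output filtering: a form field is written back into the page verbatim, so any markup in it becomes part of the document. The following is an added illustration written for this article, not code from ReadWriteWeb, McAfee or the rebate site; the field name and the sample submissions are constructed. It shows the reflected-field defect next to the two defences a developer would apply to a field like 'Date Purchased': strict input validation (the field only ever needs a date) and HTML entity encoding of anything that is echoed back, so a tag-bearing value is displayed as text rather than interpreted by the browser.

```python
import html
import re
from datetime import datetime
from typing import Optional

# Constructed sample submissions for a hypothetical 'Date Purchased' field.
# The tag-bearing value is an illustration of the class of input involved;
# the article shows its own payload only as an image, which is not reproduced.
SAMPLE_INPUTS = {
    "benign": "04/28/2009",
    "hostile": '<meta http-equiv="refresh" content="0;url=http://example.invalid/">',
}

PREFIX = "<p>Date purchased: "
SUFFIX = "</p>"


def render_unsafe(date_purchased: str) -> str:
    """The defect the article describes: the field is reflected verbatim,
    so markup in the value becomes live markup in the page."""
    return f"{PREFIX}{date_purchased}{SUFFIX}"


def render_escaped(date_purchased: str) -> str:
    """Output encoding: <, >, &, \" and ' become entities, so the browser
    renders the submitted value as text rather than interpreting it."""
    return f"{PREFIX}{html.escape(date_purchased, quote=True)}{SUFFIX}"


def validate_date(date_purchased: str) -> Optional[str]:
    """Input validation for this particular field: a purchase date can only
    ever be a date, so anything that does not parse as MM/DD/YYYY is rejected
    and the value is re-serialised in canonical form."""
    try:
        parsed = datetime.strptime(date_purchased.strip(), "%m/%d/%Y")
    except ValueError:
        return None
    return parsed.strftime("%m/%d/%Y")


def reflected_markup(rendered: str) -> bool:
    """True if the part of the page that came from the user contains a tag
    opener (the fixed <p> wrapper is excluded from the check)."""
    body = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return re.search(r"<[a-zA-Z!/]", body) is not None


def handle_submission(date_purchased: str) -> str:
    """Hardened handler: validate first, then encode on output. Even the
    error path runs the value through html.escape, so an invalid submission
    cannot inject markup via the error message either."""
    canonical = validate_date(date_purchased)
    if canonical is None:
        return "<p>Please enter a purchase date as MM/DD/YYYY.</p>"
    return render_escaped(canonical)


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        print(f"{label:8} unsafe  : {render_unsafe(value)}  markup={reflected_markup(render_unsafe(value))}")
        print(f"{label:8} escaped : {render_escaped(value)}  markup={reflected_markup(render_escaped(value))}")
        print(f"{label:8} handled : {handle_submission(value)}")
```

Both defences are needed: validation limits what the field can carry at all, and output encoding protects every other place the stored value is later displayed (confirmation pages, support consoles, e-mail templates) where someone may forget that the data originally came from a user.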

McAfee Secure May Be Providing Incorrect Information to Users

And it gets worse. McAfee has a product called McAfee Secure which helps corporations determine whether their sites are open to malicious attack. The way it works is that sites participating in the McAfee Secure program are checked daily, and if they pass muster, they receive a McAfee Secure badge which is branded with the day of testing.

Unfortunately, it appears McAfee either doesn't run McAfee Secure across all of its sites, or if it does, the product is missing the bleeding obvious.

[Image: phish_may_09.jpg]

From the https to the McAfee domain, this phishing site that James created even includes a valid and dated McAfee Secure certificate.

To demonstrate how easily the exploit can be used, James created a phishing site to give ReadWriteWeb readers a real-time example. Go ahead, follow this link, and click on the "add to cart" button (we promise it won't hurt you).

What you are seeing is a cross-site scripting exploit in action. "Imagine," James said, "just how easy it would be to exploit home computers with Trojans that cause harm or steal information." A phishing site, like the one he created, could easily ask you to click a link for more information. "Or," he said, "imagine the e-mail: 'you're eligible for a McAfee rebate on your products, just click here!'" "Basically, the main use I see it for is to spread malware as McAfee."

What he's describing is ominous. The bad guys can create a modified version of a McAfee product or a bogus McAfee update that installs a Trojan, or whatever they like, and it arrives on your home machine, special delivery. You'd never know.

In creating the fake site, James points out that he didn't need to spoof the McAfee Secure logo. "We're using their certificate to validate our attack," he said.

Go ahead. Look up at the URL on the phishing site. See that https://?

Secure right?

Note: We've created a screencast (embedded below) of the redirection exploit for when McAfee fixes this; we hope it's soon.

Update May 5, 2009

It appears the vulnerability on McAfee's rebate site has been fixed; however, the test phishing site is still going strong. James gave us an update: "My assumption is that remote referrers are blocking it based on firewall rules but a refresh locally shows it's still vulnerable. An attacker can simply do a meta refresh to redirect to it since that scrubs referrers."

http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php | Security | Sun, 03 May 2009 22:47:43 -0800 | Lidija Davis