This week Intel's McAfee security division posted a blog penned by McAfee Director of Security Research David Marcus, who admitted that McAfee's hosted anti-malware service, SaaS for Total Protection, had been compromised and that its peering feature was being abused to turn the PCs of customers using the cloud-based service into drones that spew out spam.
There are two bugs in the single McAfee service. The first results in an unknown number of IP addresses that use SaaS for Total Protection being blocked from sending e-mail: the owners of those IP addresses end up blacklisted by anti-spam services, and their e-mail communication is crippled.
The second bug involves an ActiveX control, which can execute program code, malicious or otherwise, on the machine of a SaaS for Total Protection customer.
In his blog, Marcus downplayed the threat of the breach of the cloud security service by focusing on the fact that user data should remain safe, even though the computers running SaaS for Total Protection had effectively been turned into bots and, for some time, were not fully under their owners' control.
He added that a patch was being tested and would be pushed automatically through the cloud service to all users by Jan. 19 (Jan. 20 for users in the United Kingdom).
But the problem has been around for much longer than Marcus let on in his blog.
One security watchdog organization noticed as early as Jan. 2, 2012, that it was appearing on the Spamhaus CBL list as infected with a trojan spambot. This early indicator was confirmed on Jan. 4, when an e-mail sent from one of its computers running the McAfee product bounced back with the message: "Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked."
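The CBL listing described above is the kind of signal an administrator can check for directly. The following is an added example, not code from the article or from McAfee: it builds a Spamhaus DNSBL lookup for an IPv4 address and decodes the returned codes (the CBL data is served through the XBL component of the ZEN zone; the code table and the 127.255.255.x refusal codes follow Spamhaus's published documentation, and the IP 192.0.2.10 is a constructed documentation address).

```python
import ipaddress
import socket

# Spamhaus ZEN return codes (A records in 127.0.0.0/8). XBL carries the
# CBL "exploited host" data: spambots, open proxies, trojaned machines.
ZEN_CODES = {
    "127.0.0.2": "SBL",       # verified spam source
    "127.0.0.3": "SBL-CSS",   # snowshoe / compromised sender
    "127.0.0.4": "XBL",       # CBL: infected or hijacked host
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",      # policy block: end-user range (ISP data)
    "127.0.0.11": "PBL",      # policy block: end-user range (Spamhaus data)
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL name: octets reversed, then the zone. Rejects bad IPs."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_codes(answers):
    """Map returned A records to listing labels, flagging refused queries."""
    labels = []
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus answers this way for open resolvers / over-quota
            # clients; it is an error, not evidence of a listing.
            labels.append("QUERY-REFUSED")
        else:
            labels.append(ZEN_CODES.get(a, f"UNKNOWN:{a}"))
    return labels


def check_listing(ip: str, zone: str = "zen.spamhaus.org"):
    """Resolve the lookup name; NXDOMAIN (gaierror) means 'not listed'."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []
    return interpret_codes(answers)


if __name__ == "__main__":
    print(check_listing("192.0.2.10"))  # documentation address, expect []
```

An XBL result for one of your own egress addresses means a machine behind it is emitting spam, which is exactly what the bounce message quoted above was reporting.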
This is the threat scenario that users of cloud-based, remotely managed software face: if the same service can be delivered to multiple customers, the same threats can be delivered to all of them, too.
Those who do not want to wait for the McAfee patch, or who do not trust it, can find out how to disable the peering capabilities of the McAfee product here.