Tag Archive for Phishing

Don’t Know Much Security

Don’t Know Much SecurityWith apologies to Otis Redding, Americans don’t know much about security. They don’t know much privacy, or the SPAM they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.

questions about cybersecurityThe Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20% answered eight questions correctly. A relatively large percentage of respondents answered “not sure” to questions rather than providing the wrong answer.

Most Americans don’t know how to protect themselves. Only 10% were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Most Americans still unknowingly allow themselves to be tracked across the web. 61% of those surveyed were not aware that Internet Service Providers can still see the websites their customer visit even when they’re using “private browsing” on their search engines.

Internet securityA slight majority (52%) of people recognized that just turning off the GPS function on smartphones does not prevent all tracking of the phone’s location. Mobile phones can be tracked via cell towers or Wi-Fi networks.

Only 54% of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.

phishing attackComputer security software does a good job of blocking most phishing schemes, Stephen Cobb, security researcher for anti-virus software firm ESET told told Phys.org, including many advanced spear phishing attacks targeting people with personalized information.

Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry told KnowB4.

It is probably our No. 1 concern and No. 1 vulnerability … These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.

cybersecurity2/3’s of Americans tested, could not identify what the what the ‘s’ in ‘https‘ meant. The article explains that the ‘s’ stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users check the website addresses – known as the URL – as a first step before they click on a link. ESET’s Cobb said, “You wonder if people know what a URL is … Do they know how to read a URL? So there is plenty of work to be done.”

In the most puzzling finding to me, 75% of participants identified the most secure password from a list of four options. And yet followers of Bach Seat know that year after year passwords suck. Could it be that Americans just don’t care about the online security?

Insecure passwordsFortunately some Americans also recognize that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce. The mixed security results highlights that staying secure online is not a priority for Americans at work or at home.

The Wall Street Journal also covered the Pew findings and quoted Forrester: “The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010.”

In the enterprise,Heidi Shey, a senior analyst at Forrester, told CIO Journal that security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link. Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.

rb-

The data from Pew says that enterprise and home users need to be more security aware. Technology can’t solve stupid so users have to be the last line of defense.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Reducing Your LinkedIn Risks

Reducing Your LinkedIn RisksMicrosoft’s recent purchase of LinkedIn has pushed the struggling ersatz professional networking site back into the limelight. There is plenty of speculation why Microsoft (MSFT) purchased the site for over $2.6 billion but undoubtedly it has to do with LinkedIn’s (LNKD) cache of over 430 million online users. Whatever Redmond’s designs are, now is probably a good time to check LinkedIn security.

Attackers use social networking as part of their reconnaissance activitiesAttackers have long used social networking as part of their reconnaissance activities. They cull personal information posted on the site to craft targeted attacks that have a higher chance of succeeding. The cyber-criminals rely on the fact that people tend to trust people within their personal network and would be more likely to fall for a spear phishing email if it appeared to come from a fellow member. The victims would also be more likely to visit a website if a member of their network suggested it.

The fake LinkedIn profiles “significantly increase” the likelihood that these social engineering attacks will work according to research by Dell SecureWorks. The SecureWorks article describes how attackers use fake LinkedIn profiles. Most of these fake accounts follow a specific pattern:

  1. Attackers bill themselves as recruiters for fake firmsThey bill themselves as recruiters for fake firms or are supposedly self-employed. Under the guise of a recruiter, the attackers have an easy entry point into the networks of real business professionals. Real recruiters already use the service as a way to find potential candidates. LinkedIn users expect to be contacted by recruiters, so this ruse works out in the scammers’ favor.
  2. They primarily use photos of women pulled from stock image sites or of real professionals. Many of these fake LinkedIn accounts use unoriginal photographs. Their profile photos were found on stock image sites, other LinkedIn profiles, or other social networking sites.
  3. LinkedIn securityThey copy text from profiles of real professionals and paste it into their own. The text used in the Summary and Experience sections were usually lifted verbatim, though were sometimes modified, from real professionals on LinkedIn.
  4. They keyword-stuff their profile for visibility in search results. Fake LinkedIn accounts stuff their profiles with keywords to gain visibility in to specific industries or firms Northrup Grumman and Airbus Group through the site’s built-in search functionality.

Attackers target victims via social engineeringThe primary goal of these fake LinkedIn accounts is to map out the networks of business professionals. Using these fake LinkedIn accounts, scammers can establish a sense of credibility among professionals to initiate further connections. The fake network was created to help attackers target victims via social engineering.

In addition to mapping connections, scammers can also scrape contact information from their connections, including personal and professional email addresses as well as phone numbers. This information could be used to send spear-phishing emails.

LinkedIn cyber-thieves use malware disguised as a résumé applicationLinkedIn cyber-thieves use TinyZbotmalware (a password stealer, keystroke logger, multifunctional Trojan) and disguise it as a résumé application. The Dell researchers advise organizations to educate their users of the specific and general risks in their report:

  • Avoid contact with known fake personas.
  • Only connect with people you know and trust.
  • Use caution when engaging with members of colleagues’ or friends’ networks that they have not verified outside of LinkedIn.
  • When evaluating employment offers, confirm the person is legitimate by directly contacting the purported employer.

There are a few ways users can identify fake LinkedIn accounts:

  • TinEye reverse image searchDo a reverse-image search. Tineye.com offers a browser plugin or use Google’s Search by Image to confirm the in picture is legit.
  • Copy and paste profile information into a search engine to locate real profiles.
  • If someone you know is already connected with one of these fake accounts, reach out to them and find out how they know them.
  • If you suspect that you’ve identified a fake LinkedIn account, you should report it. LinkedIn told Panda Security:

We investigate suspected violations of our Terms of Service, including the creation of false profiles, and take immediate action when violations are uncovered. We have a number of measures in place to confirm authenticity of profiles and remove those that are fake. We encourage members to utilize our Help Center to report inaccurate profiles and specific profile content to LinkedIn.

Update LinkedIn Privacy SettingsAs always, it pays to be careful with information that you share online as it can save you many potential problems in the future.

Here are some tips to keep your LinkedIn experience as secure as possible. Update Privacy Settings to understand how you’re sharing information. Smart options include:

  • Turn your activity broadcasts on or off. If you don’t want your connections to see when you change your profile, follow companies or recommend connections, uncheck this option.
  • Select what others can see when you’ve viewed their profile. When you visit other profiles on LinkedIn, those people can then see your name, photo, and headline. If you want more privacy, display anonymous profile information or show up as an anonymous member.
  • Select who can see your connections. You can share your connections’ names with your other first-degree connections, or you can make your connections list visible only to you.
  • Change your profile photo and visibility. You can choose to have your photo displayed only to your first-degree connections, only to your network, or to everyone who views your profile.

Opt into Two-Step Verification to prevent other people from accessing your account. LinkedIn lets members turn on two-step verification for their accounts. This will require an account password and a numeric code sent to your phone whenever you attempt to sign in from a device your account doesn’t recognize.

Opt into Secure Browsing for extra protection against unauthorized access to your Internet activity and to ensure you’re connected to the real LinkedIn website. While LinkedIn automatically secures a connection when you’re on certain pages that require sensitive information, you also have the option to turn on this protected connection when viewing any page.

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Shadiest neighborhoods on the Web

Shadiest neighborhoods on the WebThe Internet is organized into domains. Readers of Bach Seat are familiar with the .net domain since you got here. You are also probably familiar with other web neighborhoods like .com where Facebook and Google live. The people in charge of the Intertubes have decided to add more neighborhoods or technically Top Level Domains (TLD), and today we have over 1,000 TLDs, many of which have only been around for the past two years.

Blue CoatThis rapid growth raises questions about how well those in charge these new TLD’s secure their neighborhood against malware and other threats. CSO Online explains that just like any city, the Web has neighborhoods where dubious activities often take place: spam, scams, the distribution of potentially unwanted software (PUS), malware, botnets, phishing and other suspicious activity.

Web security and WAN optimization firm Blue Coat Systems (BCSI) regularly analyzes hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to track “shady activity” on the Web. In September, it released Do Not Enter: Blue Coat Research Maps the Web’s Shadiest Neighborhoods (PDF), with a list of the 10 top-level domains (TLDs) on the Web that are home to shady sites.

Blocking traffic to the riskiest TLDsBlue Coat recommends that organizations take steps to protect themselves, including blocking traffic to the riskiest TLDs and cautioning users to be careful clicking on any links that contain these TLDs. It further suggests that users who unsure of a source hover their mouse over a link to help verify that it leads to the address displayed in the text of the link, or “press and hold” links on a mobile device to do the same verification

Blue Coat’s list of TLDs most associated with shady sites is constantly in flux but here is their September list.

  • .review – The .review TLD is shady mostly due to scam sites, Blue Coat’s Larsen says. “Just looking at the list of domain names, I would say all of the top 15 are scam sites,” he adds, “.review does not seem to be making any effort whatsoever to keep the bad guys out.”

TLD

  • .country – The security firm says the .country TLD appears to have been colonized by scam network that likes to use a game/survey “reward” or “prize” as bait . Blue Coat’s Larsen told CSO there is a strong connection between some of the supporting ad networks on and known PUS networks (adware and spyware). Mr. Larson says, “So if you’d like to block that entire TLD on your Web gateway, I wouldn’t blame you’.
  • Kim Kardashian.kim – The .kim TLD hosts some legitimate domains, most notably a Korean tech blog and several Turkish sites. According to Blue Coat the TLD earned its shady online reputation due to the presence of scam networks linked to PUS, malware and at least one domain that hosts a domain generation algorithm (DGA) used to pump out domain names that can be used with malware according to the blog.
  • .cricket – Named for the world’s second-most popular sport, the .cricket TLD is another shady neighborhood on the Web. The author notes that while home to some legitimate sites, researcher Larsen points to many instances of search engine poisoning. For instance, StarWarsMovie.cricket pulls lots of random Star Wars items into one place to get traffic — including images clearly lifted from other places.
  • .science – The .science TLD may be .science TLDa victim of its own marketing. In trying to raise the TLD’s profile, the registry gave away free .science domains and became one of the shadiest TLD’s on the web. Blue Coat’s Larsen described their downfall in the CSO article. “Generally they tend to run into trouble when they run promotions for bulk registrations for really low prices … If you can register a domain for a buck, generally there will be bad guys there registering domains.” He says the .science domains seem to be largely associated with spam, and scam sites. The shady activity included a sizable network of ebook sites, which led to a download network that’s been associated with PUS activity in the past.
  • .work – The .work TLD seems to be more about spam and scams than malware, though Larsen’s team did find a few tentative connections to PUS networks. There were some legitimate sites, though Larsen notes that they might be worth blocking as well. Examples include a Turkish porn site. 
  • .party – Mr, Larson told CSO that a number .Party TLDof the sites on the .party TLD may seem legitimate . However he warns, “There are some yellow flags.” of search engine poisoning. The TLD also hosts a number of MP3 sites — probably piracy or something malicious. There’s also a site that hosts what appears to be a shady tracker.
  • .gq – The .gq TLD is the country code for Equitorial Guinea which Blue Coat’s Larson notes that it is in many ways a lifetime achievement award winner. He says, “If we look at all of the .gq sites … nearly 99 percent are shady”. Most of the abuse of .gq noted by Blue Coat has been in the form of search engine poisoning and many cookie-cutter “shady video” sites associated with PUS. It also features some “shocking video” spam/scam sites that spread via social media and a smattering of malware, phishing and porn sites.
  • Barrel full of monkeys.link – The .link TLD is rife with porn content delivery networks and piracy sites, neither of which is counted as “shady” by Blue Coat. There are apparently a handful of legit sites in .link but beyond these legitimate domains are a host of survey scam sites. “Historically, it’s been a place for spammers to live,” Larsen says.

Of course there are well run TLD’s. The best according to Blue Coat are:

Safe web neighborhoods

rb-

These TLD’s are why companies like BluseCoat, Websense and OpenDNS are in business. (OK- Websense and OpenDNS are no longer stand alone companies anymore. Websense has been gobbled by defense contractor Raytheon and then spit out as ForcePoint and OpenDNS has been assimilated into Cisco (CSCO).

You can use these tools to just block most anybody from going to these shady parts of the of web for the reasons explained above.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

You Can Stop Cyber Attacks

You Can Stop Cyber AttacksSeems like every week another major cyber attack is reported. Cyber attacks expose the personal details of millions of users worldwide. Companies are spending over $70 billion to fight off cyber attacks. But even with the best systems in place, hackers can still easily breach the company’s defenses if staff aren’t also being security conscious.

TIntel Security Grouphe Business Insider spoke with Christopher Young, general manager of Intel‘s (INTC) Security Group (aka McAfee) about cyber security. He told BI that employees can prevent data theft. The Intel GM says there are two things that every employee should be doing to help keep their company safe from cyber criminals.

Think before you click. That is the number one thing that every average employee in an organization can do,” Intel’s Young said.  He cites a recent Intel survey of security professionals (PDF), which found that humans are still the weakest link when it comes to an organization’s security. According to the report, successful attacks against companies most often stem from three things:

  1. humans are still the weakest linkUser errors caused by lack of awareness,
  2. Unofficial use of online services, and
  3. Using social media sites at work.

Basically, employees are clicking links they shouldn’t be, which can give attackers a way in. One way attackers get in is through the inbox. Mr. Young told BI

Emails are the number one way that attackers are getting in … They [cyber criminals] are crafting emails and attaching malicious files to those emails and their entry points into these organizations is often through tricking the average user or click on an email attachment and launch a malicious file.

I recently wrote how attackers have honed their spear-phishing skills, making dangerous emails less obvious. BI says employees need to be vigilant and ask questions about all the email they receive that raises even the slightest suspicion. Intel’s Young warns staff to question every email.

You should ask why am I getting the email? Why is there a file attached to it? Why am I being asked to click on it? And you should ask all of this before clicking.

suspicious emailsThe second big thing which Business Insider recommends that employees should do to help keep their company safe is to report any suspicious emails or attachments. And if someone does click on a link or download a file that raises eyebrows, report it as soon as possible so that the company’s security team can investigate quickly. Mr Young explains that an early alert can help contain an attack. “So if the average employee smells something they should report it.”

rb-

The IT industry needs to develop a mascot like Smokey the Bear who reminds every body that “Only You Can Prevent Forest Fires.”

Maybe we could put Clippy back to work to pop a little reminder every time you click on email to open it.

 

Related articles

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Spear Phishing

Spear PhishingAs long as there have been people, there have been scammers of some kind. Today, cyber-criminals use the same technology that helps everyone else in their daily lives – the only difference is that they use it for wrongdoing.

PhishingThe outcome of the JPMorgan Chase & Co., hack is that over 76 million user accounts were compromised. It is also very likely that other banks were breached by the same attackers. The breach of JPMorgan Chase should serve as a reminder that even large, sophisticated businesses can be breached by today’s phishing expeditions.

Attackers were able to penetrate JPMorgan Chase’s defenses and roam their networks undetected for months most likely due to one worker who fell victim to a spear phishing attack. Corporate security and hackers are engaged in an asymmetric fight right now. The good guys have to protect the entire enterprise while the bad guys only need a single point of failure to gain access, just one user to fall victim to a spear phishing attack and they are in.

Nigerian princeThe bad guys have the advantage. Anyone can claim to be a Nigerian prince from behind their computer screen and bilk unsuspecting targets for their financial information over email. All it takes is a valid email account – personal or otherwise. With the hackers advantage in mind, here are some tips to help avoid spear phishing attacks and prevent the attackers access to your firm.

Know your enemy – Today’s phishing attacks are not the crude, typo filled emails from Nigeria of yesteryear. Spear-phishers carefully research their targets. They will know your manager’s name, names of your co-workers, and perhaps the projects you’re assigned to. This knowledge and detail makes spear-phishing very effective.

No matter what the nature of an email account is, it is susceptible to all the dangers of the Internet. This is bad news for businesses that use email, and  a lot of organizations out there fit that bill to a T. The more that a company uses email, the greater the chance that they will experience a data breach of some kind.

SPAMThere is really nothing stopping a well-crafted phishing scam from appearing in a corporate inbox and fooling an unwitting employee. Here is a look at three of the email-based scams that could be threatening your business right now:

1) Vendor identity fraud – According to a report from Virginia TV station WHSV, the Better Business Bureau is warning businesses of a recent scam that targets this daily operation as a way to siphon money from corporate bank accounts. The BBB describes the attack:

As part of your job, you pay invoices for several of your business’s vendors … One day, you receive an urgent email from an executive in your company telling you to change how you pay invoices from a vendor. Instead of sending a check, you now need to wire the money straight to a bank account.

This phishing attack is made possible by malicious hacking. Cybercriminals break into company emails and gain enough information to impersonate one of the organization’s suppliers. Next the send off the false email that tells some poor admin to wire the payment to the hackers instead of the supplier and leave businesses out hundreds of thousands of dollars depending on the nature of the vendor.

2) Hackers impersonate branch of FBI.  Nobody likes being accused of crimes that they didn’t commit. This is especially true when the FBI is involved. But a new scheme involving the
Internet Crime Complaint Center has many people thinking their arrest is imminent if they do not fork over a hefty fine via online transaction – something that is unheard of in real law enforcement agencies and that the FBI has been forced to address. DailyFinance contributor Mitch Lipka wrote:

The emails claim that the victim is the subject of a criminal report and that charges are forthcoming … They are then told that they have one or two days to respond or risk arrest, IC3 said. Those who respond are told they have to send money via prepaid cards if they want to avoid prosecution.

3) New Zealand law firms fooled by “clients” – Lawyers are trained to always read between the lines and examine the fine print in legal documents, but what about in their supposedly secure communications?

This is one concept that has been inadvertently brought up in New Zealand thanks to a scam targeting law firms and their clients. There are plenty of things that can be done over email, but that doesn’t mean that they should be. Client and lawyer communications are one of these tasks. According to The National Business Review, criminals will pose as either a law professional or someone they currently represent, asking the opposite party to make a payment or carry out a transaction. This not only puts funds in danger, but also sensitive information. This may land a law firm in serious legal trouble.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.