How to blunt spear phishing attacks

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren’t supposed to.

For example, Chinese hackers successfully broke into computers at The New York Times through spear phishing. So, what are the steps that IT execs can take to protect enterprise networks from spear phishing?

Most spear phishing attacks take one of two tacks – they appeal either to human greed or to fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true, or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or they present some other scenario in which you are required to enter personal information… or else.

While regular phishing typically involves unsophisticated mass mailings, spear phishes can appear to come from your own IT department, from your own payroll department, from a friend or colleague.

Here are some tips on how to teach employees to avoid getting spear phished.

  1. Read the return URL backwards, from right to left. The URL might start out with “www.bankofamerica” but when it ends with 120 characters of gibberish, you might start to get suspicious. You can also place your cursor over a link in an email to see the actual URL it will take you to – DO NOT CLICK ON IT; just hover over it to see if it matches.
  2. Don’t fall for what’s being called the “double-barreled phish,” in which you respond to the email with a question, such as “Is this really my buddy Jim.” Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, “Yes, it’s me, Jim.” Of course, it isn’t Jim.
  3. Never open a PDF from someone you don’t know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.
  4. Never give out your password or other personal/sensitive information in response to an unsolicited query.
  5. IT managers should consider training classes targeted specifically at spear phishing.
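As an added example (not from the original article, and not PhishMe's code), the following Python script applies the first tip to the links in an email body: it parses each anchor, reads the hostname the link really points to from the right, and flags a hostname that merely starts with a trusted brand, as well as a link whose visible text shows one address while its href goes to another (the mismatch that hovering over the link would reveal). The sample email body is constructed, the trusted-domain list is an assumption of the example, and the registered-domain helper is deliberately simplified: it keeps the last two labels, so country-code suffixes such as co.uk would need a real public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): one lookalike link that
# starts with the bank's name but ends elsewhere, one legitimate link, and one
# link whose visible text and real destination disagree.
SAMPLE_EMAIL_HTML = """
<p>Your checking account has been frozen. Re-enter your credentials here:</p>
<a href="http://www.bankofamerica.com.verify-login.example.net/x9k2q7z1m4v8">www.bankofamerica.com</a>
<a href="https://www.bankofamerica.com/">Sign in</a>
<a href="http://account-update.example.org/reset">https://www.bankofamerica.com/reset</a>
"""

# Assumed list of domains the organisation actually trusts (example input).
TRUSTED_DOMAINS = ["bankofamerica.com"]


def registered_domain(host):
    """Return the registrable part of a hostname, read from the right as the tip says.

    Simplified on purpose: it keeps the last two labels, so 'login.example.net'
    becomes 'example.net'. Suffixes such as 'co.uk' would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, visible_text, trusted_domains):
    """Return the warnings for one link; an empty list means nothing suspicious was found."""
    warnings = []
    host = urlparse(href).hostname or ""
    actual = registered_domain(host)

    # Sign 1: the hostname contains a trusted brand but, read from the right,
    # the registered domain is something else entirely.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in host and actual != trusted:
            warnings.append(f"host {host!r} mentions {brand!r} but belongs to {actual!r}")

    # Sign 2: the visible text looks like a URL, but the href leads somewhere else
    # (this is what hovering over the link would reveal).
    if visible_text.startswith(("http://", "https://", "www.")):
        shown = visible_text if "://" in visible_text else "http://" + visible_text
        shown_host = urlparse(shown).hostname or ""
        if registered_domain(shown_host) != actual:
            warnings.append(f"text shows {shown_host!r} but href goes to {host!r}")
    return warnings


def scan_email(html, trusted_domains):
    """Map every href in the body to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, trusted_domains) for href, text in collector.links}


if __name__ == "__main__":
    for href, problems in scan_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS).items():
        status = "OK  " if not problems else "WARN"
        print(status, href)
        for problem in problems:
            print("     -", problem)
```

Run against the sample, the legitimate link comes back with no warnings, the lookalike link trips both checks, and the third link is caught only by the text-versus-href comparison, which is why the hover check matters even when the hostname itself contains no brand name.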

PhishMe is one of several companies that offer a SaaS-based program whereby IT groups can send fake spear phishing emails to employees and then measure the failure rate.

PhishMe customers are often stunned to find failure rates – in other words, the percentage of end users who click on a spear phish and enter a password – in the 80% range.

The way PhishMe works, when an end user falls for a phish, a giant flash card appears on their screen announcing that they’ve been phished and detailing what they did wrong. The company offers pre-built phishing templates, and customers can also customize their spear phishing emails.

Customers receive reports on the success of the spear phishing training program down to the individual end user. He says some companies might take punitive action against an employee who repeatedly clicks on fake phishes, while other companies are using gamification to reward good behavior and to keep people on their toes.

They also noticed when companies stop the training programs, employees revert back to their old behavior, so it makes sense for companies to make anti-spear phishing programs a way of life.



Internet Providers Launching Copyright Alert System Today to Warn Customers About Downloading Content

Five of the United States’ largest Internet service providers are launching today what they call a new system that will “educate” customers about downloading copyrighted content by issuing warnings instead of lawsuits. The program, called the Copyright Alert System, is a creation of the Internet providers and the trade associations representing the film and music industries, and is designed to reduce the amount of content obtained via file-sharing services such as BitTorrent.

Comcast, Verizon, AT&T, Cablevision, and Time Warner are all participating in the program, meaning that the so-called “six strikes” system will apply to most U.S. households with a broadband Internet connection. The trade groups involved include the Recording Industry Association of America and the Motion Picture Association of America, along with their member corporations.

Under the system’s rules, customers found to have downloaded copyrighted content without paying will be issued a series of warnings, along with an increasing chance that their Internet service will be throttled. Customers who receive those warnings may also find themselves suddenly redirected to a website scolding them for their downloads.

Users who receive these warnings may also find themselves blocked from certain “frequently visited” websites, according to documents about the plan obtained last year by Torrent Freak, a website that reports on news about file-sharing. The Copyright Alert System was originally supposed to launch last November, but was delayed until today.

The documents also state that content owners and ISPs could pursue legal action after the fifth warning, though for the most part, the Copyright Alert System is designed to be an extrajudicial program set up by Internet and entertainment companies.

Warnings, the system’s website advises, are issued when content owners find which Internet Protocol addresses are sharing copyrighted materials, then turn those addresses over to the service providers, who in turn identify the associated customer. The warnings can be challenged via the American Arbitration Association, which charges a filing fee.

Security Update Bulletin – Information on latest threats

Here’s a quick round-up of information we think you should know about –

  • New Ransomware and Phishing Variants Detected (January 31, 2013) Ransomware known as Police Virus carries more strength than previous versions of the malware, as it actually has the capacity to encrypt all data on infected machines. This variant disables regedit, task manager, and msconfig to further confound users. The malware tells users that because of a criminal offense, they must pay money or their computers will be encrypted. It spreads through malicious links, infected files, or drive-by downloads.
  • There has also been a surge in phishing emails that appear to come from FedEx. The messages tell recipients that because FedEx was unable to deliver a package, they must click a provided link to print a receipt to bring to their local FedEx office to retrieve the package. The link instead leads to a malicious site that infects their computers with a Trojan horse program. FedEx has posted a statement online warning of the scam and reminding people that the company “does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords, or personal information.”
  • A new nasty turn in the psychology the criminals are using in this campaign in Germany is to accuse the victim of having a system containing pictures of child pornography and then subsequently displaying such material on the victim’s computer.
  • Mozilla says it will automatically disable all Firefox plug-ins with the exception of the most current version of Adobe Flash. Mozilla says the decision was prompted by security and stability concerns, particularly the risk of drive-by attacks. Blocked plug-ins will include up-to-date versions of Silverlight and Java. Currently, Firefox turns on click-to-play only for those plug-ins that are deemed unsafe or seriously out-of-date. Chrome and Opera offer click-to-play, but users must enable the feature themselves. [We think this is a gutsy move by Mozilla, hopefully the user base will not rebel. Users need some help with the silliness of allow-everything by default: Average people are their own system administrators and the complexity of updating even legitimate third-party apps (insecure by negligence, not malice) is ridiculous.]
  • PayPal has fixed a SQL injection vulnerability in its e-commerce website application that could have been exploited to compromise company databases and steal sensitive information. PayPal awarded a US $3,000 bounty to the organization that discovered the flaw and alerted the company to its existence in August 2012. (January 30, 2013)
  • Universal Plug-and-Play Security Vulnerabilities Prompt Recommendation to Disable the Technology (January 29, 2013) Researchers have found three sets of vulnerabilities in the universal plug-and-play (UPnP) component that allows devices to detect and communicate with each other over networks. The flaws could be exploited to steal passwords and documents and to hijack webcams, printers, and other Internet-connected devices. The US Department of Homeland Security’s (DHS) US-CERT has issued an advisory on the matter. UPnP is most used in SOHO configurations. While it may be used internally by enterprises, it is rarely exposed to the Internet by enterprises. This feature is a hole in firewalls and has been associated with vulnerabilities for a long time. While the vulnerability is pervasive, the threat and risk have been low.
  • More Headaches for Java (January 30, 31, & February 1, 2013)
    Apple has blocked Java completely in OS X 10.6 and above. Other companies are taking steps to protect their users from Java as well; virtually all plug-ins will be blocked in Firefox (see above).
    Oracle admits that there are serious problems with Java, but says that those problems lie with the Java browser plug-ins and that server-side, desktop, and embedded Java are not vulnerable to the same attacks.

Finally, some good news:

The FBI has arrested a California man in connection with numerous instances of cyberextortion in which he threatened to post compromising pictures of women whose social networking accounts he had hijacked. Investigators believe that Karen “Gary” Kazaryan had more than 350 victims between 2009 and 2011. A recently unsealed indictment charges Kazaryan with 15 counts of computer intrusion and 15 counts of aggravated identity theft.

BlueToad Was Source of Leaked Apple Data, not FBI Laptop

The little-known app company that lost at least a million Apple Inc. iPhone and iPad identification numbers gathered the data from devices without protecting it and was still sending the data as of Monday.

The information was sent by the company, BlueToad Inc., in “cleartext”—without encryption to hide it—violating widely accepted computer-security practices. The identification numbers, device names and other information were then stored in a database that the company said was recently stolen by hackers.

The BlueToad breach is the latest in a series of events that have raised questions about the security and privacy of the fast-growing app economy. Many apps have been found taking data that users didn’t know about. In 2010, the Journal tested 100 iPhone and Android apps and found that more than half were transmitting identifying details without the user’s knowledge, and some were sending more personal information such as contact lists and location information. Since then, several other apps have been caught transmitting details about users without their knowledge.

The device ID number can allow a hacker to gain access to a user’s social networking accounts and other apps. As a result, Apple has long told developers that “for user security and privacy” they “must not publicly associate a device’s unique identifier with a user account.” And Apple last year began telling developers that it was going to phase out the use of UDIDs, in part because of these concerns.

21 Million Medical Records Exposed Since 2009

The U.S. Office of Civil Rights (OCR) has revamped its health information security breach data and now is reporting that there have been more than 21 million medical records exposed over the past three years.

The OCR, a part of the U.S. Department of Health and Human Services, collects breach data under the Health Information Technology for Economic and Clinical Health (HITECH) Act, an extension of the Health Insurance Portability and Accountability Act, which protects the privacy of patient medical records.

The OCR’s revised report of HITECH data breaches involving 500 or more individuals offers details on all of the breaches reported to it since Sept. 2009. In total, the report shows 477 breaches of 500 patients or more, affecting 20,970,222 medical records.

The OCR said it has also received about 55,000 breach reports involving fewer than 500 records during this time period, bringing the total lost data to more than 21 million records.

Theft accounted for 54 percent of the breaches. Twenty percent were unauthorized access or disclosure; 11 percent were lost records and devices; 6 percent were hacking; 5 percent were improper disposal of records; and the remaining 4 percent were other/unknown.

The data contains information on six breaches that each involved the compromise of more than a million records. The largest breach was TRICARE Management Activity, the Department of Defense’s health care program, which reported the loss of 4.9 million records when it lost several backup tapes.

Wow. Backup tapes lost. That should have been easy to avoid.


Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command and control protocol and grown to infect more computers while connecting to over one million computers globally. The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to circumvent click-fraud detection by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac, and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app.

The app has since been taken down from the Apple Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac, during the month of April 2012.

Skype – Changes to improve service could alter privacy

Skype, the online phone service long favored by users to bypass traditional phone companies and ensure private conversations, is undergoing changes. One of the features, to be able to communicate beyond the reach of governments, has made this an important tool for political dissidents.

Unfortunately, it has also attracted the attention of criminals. If you are a Skype user, you may have noticed some outages over the past year, as the network has grown to become one of the largest communications companies. To solve those problems, Skype is now going to direct all communications through centralized servers. In the past, communications had been direct, from computer to computer but this has created quality and service issues. Now that they are using centralized servers, the online chats and possibly voice and video calls may be available to governments, depending on the laws in place for each country.

It should be pointed out that surveillance of the audio and video feeds remains impractical — even when courts issue warrants, according to industry officials with direct knowledge of the matter. But that barrier could eventually vanish.

The changes to online chats, which are written messages conveyed almost instantaneously between users, result in part from technical upgrades to Skype that were instituted to address outages and other stability issues since Microsoft bought the company last year. Officials of the United States and other countries have long pushed to expand their access to newer forms of communications to resolve an issue that the FBI calls the “going dark” problem.

Hacker groups and privacy experts have been speculating for months that Skype had changed its architecture to make it easier for governments to monitor, and many blamed Microsoft, which has an elaborate operation for complying with legal government requests in countries around the world.

Microsoft has approached the issue with tremendous sensitivity and a canny awareness of what the issues would be. The company has a long track record of working successfully with law enforcement here and internationally.

Authorities had for years complained that Skype’s encryption and other features made tracking drug lords, pedophiles and terrorists more difficult. Jihadis recommended the service on online forums. Police listening to traditional wiretaps occasionally would hear wary suspects say to one another, “Hey, let’s talk on Skype.”

Skype was slow to clarify the situation, issuing a statement recently that said, “As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible.” Changes allowing police surveillance of online chats had been made since late last year. In the United States, such requests require a court order, though in other nations rules vary. Skype has more than 600 million users, with some in nearly every nation in the world. Political dissidents relied on it extensively during the Arab Spring to communicate with journalists, human rights workers and each other, in part because of its reputation for security.

Skype’s resistance to government monitoring, part of the company ethos when European engineers founded it in 2003, resulted from both uncommonly strong encryption and a key technical feature: Skype calls connected computers directly rather than routing data through central servers, as many other Internet-based communication systems do. That makes it more difficult for law enforcement to intercept the call. The authorities long have been able to wiretap Skype calls to traditional phones.

The company created a law-enforcement compliance team not long after eBay bought the company in 2005, putting it squarely under the auspices of U.S. law. The company was later sold to private investors before Microsoft bought it in May 2011 for $8.5 billion.

Industry officials said the resulting push for the creation of so-called “supernodes,” which routed some data through centralized servers, made greater cooperation with law enforcement authorities possible. The access to personal information and online chats, which are kept in Skype’s systems for 30 days, remains short of what some law enforcement officials have requested.

Hackers in recent years have demonstrated that it was possible to penetrate Skype, but it’s not clear how often this happened. Microsoft won a patent in June 2011 for “legal intercept” of Skype and similar Internet-based voice and video systems. It is also possible, experts say, to monitor Skype chats as well as voice and video by hacking into a user’s computer, doing an end run around the encryption. If someone wants to compromise a Skype communication, all they have to do is hack the endpoint — the person’s computer or tablet or mobile phone, which is very easy to do.

Some industry officials, however, say Skype loses some competitive edge in the increasingly crowded world of Internet-based communications systems if users no longer see it as more private than rival services.