Network Solutions blog: How to Recognize and Prevent Homograph Attacks

I have written a few times about ways to prevent brandjacking. In this blog post for Network Solutions, I discuss the use of homoglyph or homograph attacks by cybercriminals. These attacks involve exploiting international domain names and the idea is simple to explain once you know a bit of Internet history.

When the Internet was first created, it was based on using Roman alphabet characters in domain names. This is the character set that is used by many of the world’s languages, but not all of them. As the Internet expanded across the globe, it connected countries where other alphabets were in use, such as Arabic or Mandarin. 

Several years ago, researchers discovered the homograph ploy, and since then all modern browsers have been updated to recognize the homograph attack methods of using “xn–80ak6aa92e.com” instead of “apple.com.” I go into the details in my blog post and you can see an example of how a browser responds above.

There is an important lesson here for IT professionals: watch out for injection-style attacks across your web infrastructure. Every element of your web pages can be compromised, even rarely-used tiny icon files. By paying attention to all possible threats today, you’ll save yourself and your organization a lot of trouble tomorrow.

Avast blog: Trying to take down Trickbot

TrickBot is a malware network that is often described as one of the world’s largest with at least a million PCs. It is once again in the news. Earlier this month, the botnet was the focus of two independent efforts to take it down: from an industry group led by Microsoft and from the US Cyber Command. The TrickBot attempted takedown is just a sign of things to come. What is interesting is how the private and public sector has worked in tandem, using new strategies such as copyright violations and military-grade operations. I go into the details in

 

 

Live blogging at the Avast CyberSecAI conference

Last year I was fortunate enough to attend in person the CyberSecAI conference in Prague, a unique blend of academic and business researchers and practitioners involved in both cybersecurity and AI fields. This year the conference went completely virtual. I covered most of the sessions through live Tweets and wrote two blog posts that are now up on Avast’s website:

  1. Creating and weaponizing deep fakes. Dr. Hany Farid of UC Berkeley spoke about their evolution, the four different types of fakes, and ways that we can try to solve their challenges. I found his analysis intriguing, and his use of popular figures that were deliberately fakes brought home how sophisticated AI algorithms is needed to flag them definitively.
  2. Understanding bias in AI algorithms. A blue-ribbon panel of experts discussed how to reduce AI algorithmic bias. Should we hold machines at higher standards than we do of ourselves? It was moderated by venture capitalist Samir Kumar, who is the managing director of Microsoft’s internal venture fund M12 and included:
    • Noel Sharkey, a retired professor at the University of Sheffield (UK) who is actively involved in various AI ventures,
    • Celeste Fralick, the Chief Data Scientist at McAfee and an AI researcher,
    • Sandra Wachter, an associate professor at the University of Oxford (UK) and a legal scholar, and
    • Rajarshi Gupta, a VP at Avast and head of their AI and Network Security practice areas.

Part of the problem with defining bias is in separating correlation from causation, which was brought up several times during the discussion.

CSOonline: Homomorphic encryption tools find their niche

Organizations are starting to take an interest in homomorphic encryption, which allows computation to be performed directly on encrypted data without requiring access to a secret key. While the technology isn’t new (it has been around for more than a decade), many of its implementations are, and most of the vendors are either startups or have only had products sold within the past few years. While it’s difficult to obtain precise pricing, most of these tools aren’t going to be cheap: Expect to spend at least six figures and sign multi-year contracts to get started.

I review the early products in this market for CSOonline, describe some of the typical use cases, and provide some suggestions on how to evaluate them for enterprise uses.

Network Solutions blog: How to Counter Darkweb Threats With Proactive Security

Most of us tend to think about the web as a single destination, available through our browsers on our laptops and phones. But over the years there is a much more sinister portion of the web, called the dark web that isn’t easily discoverable by traditional search engines and could contains threats to your business operations and harm your reputation. I describe this shady underbelly and what kinds of information is available there, along with suggestions of tools that you can use to be more proactive about your security such as EchoSec Beacon,  Dark Owl ScannerSixGill’s DarkfeedRecorded FutureZeroFox and Digital Shadows’ Searchlight. These tools can help to provide near real-time access to threat data that is being shared on the darkweb on a variety of discussion forums and other places, again as a way to learn about the early stages of an attack.

Read my post on Network Solutions blog here.

Avast blog: Zerologon is a Nasty Windows Server Domain bug: Patch now!

A new vulnerability in Windows domain controllers has been discovered by security researchers at Secura. In a published paper in September, they found the cryptographic flaw and called it Zerologon. It takes advantage of the Netlogon Remote Protocol that is used in the authentication process. All that is to exploit this flaw – and compromise a wide variety of Active Directory identity services — is a TCP-level connection to the domain controller itself. Secura published a test tool on Github that can tell you whether a domain controller is vulnerable or not. Researchers have seen evidence of its use in the wild already, which is why you want to patch your servers asap.

You can read more about this scourge on my Avast blog post.

Avast blog: When not to accept cookies

Nearly any website you visit asks you to accept cookies, and most of us don’t even think about this choice — we just click “yes” to rid ourselves from the pain of the pop-up. But what are we really agreeing to? What is a cookie, anyway? These small text files were first used in browsers back in 1994 and soon became ubiquitous. Cookies can be used for both productive and evil reasons, and I try to sort them out and show you how to avoid them.

You can read more in my blog post for Avast here.

Network Solutions blog: How to protect your organization from ransomware attacks

Ransomware attacks are still very much a threat, and the ease of perpetuating them is a big reason why. All it takes for a ransom attack to begin is for a single employee to click on a phishing email. Sadly, these attacks aren’t going away anytime soon. Your organization doesn’t have to be such a tempting target for ransomware attacks. There are a few simple ways to minimize your exposure and make it more difficult for attackers to gain a foothold.

You can read my post for Network Solutions blog here and review several practical suggestions on how to prepare your network for the eventual attack.

 

Congradulations: you have been phished!

Phishing scams abound, if my own personal situation is any indication. This past weekend, I received two text messages — technically this is smishing or SMS phishing, but still. One looked like this (don’t worry, it is just a screencap):

You’ll notice a couple of tells. First is that it is addressed to me by name Usually, when my close friends and family send me texts, they don’t include my name. And the fact that a phisher knew my name is a bit concerning. The other is that it contains an active link, just waiting to be clicked on.

I got another text that was slightly less salacious, as you can see to the left. Again, my name is mentioned. Because of the subject, it is more insidious — now that we are ordering almost everything online the packages are coming to our doors in droves. But note this one tell — the package was mailed back in April. Granted, things are slowing down somewhat over at the USPS, but still.

The FCC has issued this warning about smishing with several illustrations. And the crooks are getting more clever, with this case described by Brain Krebs on how one criminal combined smishing with using a cardless ATM transaction (meaning just using a mobile phone for withdrawals) to steal funds from victims’ accounts.

Corporate security folks are trying to get ahead of the attackers, and many regularly conduct phishing simulation or training exercises. Sometimes these misfire. The WaPost reported on a recent phishing training exercise that was completely misguided. The Tribune Co. sent around a message with “Congradulations, executives!!” in the subject line (hence my usage in today’s essay title). The email promises bonuses to come, if only the staffer would click on the enclosed link. Yes, the deliberate mistakes (spelling and duplicate exclamations) and the embedded link should be the tells that something is amiss. Whether you think this insensitive (given the number of layoffs in this industry) or just plain dumb, it still was a poor choice to demonstrate and train users. While it is true that potential phishing messages do use this particular lure, the Trib IT department should have known better.

Smishing isn’t the only lure used by hackers of course. Ironscales has compiled a collection of fake login pages that try to fool people into thinking they are authenticating their AT&T, Apple, Bank of America and more than a dozen other accounts. Their research has shown there are thousands of these fake login pages circulating around online.  Ironically, the email from their PR department announcing this research was flagged by Google as risky, warning me not to click.

So here are a few pointers on how to prevent these types of attacks.

Don’t respond to any calls to action you get via texts or emails. Think before you click on the links or call the phone number listed. Better yet, don’t respond or click or call. This includes sending back a “Stop” text message. Just hit the delete key.

If you feel you have to respond, do it out of band. Go to the Fedex website directly and track your package that way. Call your bank directly to see if you have a fraud alert. Here is a Tweet stream that shows the lengths that one person went through to research and vet one text. My wife got a phishing email recently and did exactly that to find out it wasn’t genuine. 

Finally, is something out of character? Is this a text or email out of the blue from some long-lost correspondent? Or does it contain (one or more) simple grammatical errors?  Or is an offer of money too good to be true? That is because it isn’t. Do you really think the IRS or Social Security Administration sends you texts? News flash: they don’t.

Avast blog: Election hacking updates

As we approach the November general U.S. elections, things are heating up, with both candidates now making actual campaign appearances. We have also seen an increase in cyberattacks and other threats to our elections. This includes efforts to hack into campaign staff’s accounts by foreign governments, physical threats during these campaign stops, and changes to how votes will be recorded.

You can read my full post on Avast’s blog here,where I review the latest in election interference news.