iBoss blog: Why Grammar Counts in Decoding Phished Emails

When it comes to crafting the “best” phishing email scam letter, over the years it has been assumed that the less polished a letter, the better. Having something that is poorly worded, or purposely uses bad syntax and grammar tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users will end up getting snared. The use of bad grammar makes the emails seem more authentic, as it would appear to be a personal letter written from a foreigner who isn’t completely fluent rather than from a criminal trying to steal your identity or bank account information.

As Wired magazine wrote about this topic more than a decade ago: “this language evokes someone who is ‘educated, upper-class, out of touch with the common people.’” The Wired piece goes on to describe the nature of how these email scams are constructed and how they use long, complex sentences to draw in their marks.

Another post on Quora said: “The goal of the emails is to get you to write back and reveal some information about yourself. They don’t expect you to believe the letter at first. They only expect you to be curious and to start communicating. Once they get a conversation going, the scam is on.”

Microsoft Research published an academic paper on this subject three years ago that also takes this analysis a step further. “By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select.”

However, the tide may be turning, and finally grammarians might be gaining the upper hand. A new theory is that correct grammar gets better results these days. Leave it to the French to lead the way here. Some criminals are advertising on the dark web for editors to clean up their copy. A blog post from Trend Micro says, “This is the first time we have seen a direct advertisement for a job in the underground” that is called a “cleaner.” The want ad asks for people who can help edit copy and correct spelling and other mistakes. Oh, and by the way: you will be paid in stolen credit card numbers or other stolen goods, just in case you have any doubt that you are working for cyber criminals. As they say in the advertisement, “Ecrivez-vous français parfaitement?”

One possible cause for having an editor is the complexity of the written French language: its numerous tenses and verb conjugations are legion. (I studied the language myself for many years in primary school and can attest to this issue personally.) Another reason could be a way to differentiate your phishing from others, in hopes of gaining market share from your fellow criminals.

Or, it could all be a hoax: hard to tell. The Trend Micro blog says, “The French sometimes conduct business differently and have unique solutions to their cybercriminal business challenges.” Still, this ad stands out as unique in their research. In any event, phishing certainly has gotten more sophisticated since that first Wired article, and chalk up the grammar cleaners as yet another development.

Speaking gigs as part of cybersecurity awareness month

October is cybersecurity awareness month and I am giving a speech at several locations around town to do my part. The speech draws on several blog posts that I have written recently about the debate between security and privacy, and covers the following topics:

[Image: list of topics covered in the talk]

The speech will be given this week at St. Louis’ America’s Center SecureWorld conference and as part of a special month-long series of activities at Fontbonne University, including this St. Louis chapter meeting of ISACA. You can download my presentation here.

Network World review: Check Point Sandblast technology

Check Point has long been known as a firewall company but it is reaching beyond its roots with a new series of protective technologies under its SandBlast line. SandBlast has been around for several years, but received several significant updates over the past year to make it a truly effective endpoint protection product that can handle a wide variety of zero-day exploits across your entire enterprise, such as this backdoor exploit that we detected from China moments after we installed our product.

[Screenshot: China-based backdoor attack detected by SandBlast]

You can read my full review here (registration required).

The view from a non-profit CIO.

Being the CIO of a non-profit gives you an entirely different perspective in terms of managing people, resources, and technologies.

David Goodman would know. He has been involved with managing IT operations for different non-profits for most of his professional career. He used to be the CIO of International Rescue Committee, and currently is the CIO-in-Residence at NetHope, an umbrella organization that is a resource for some of the world’s largest non-profit aid organizations.

“The biggest challenge for non-profits about IT is that few people understand it in that context. We usually don’t have any roadmap or a sizable staff for how we are going to implement any new technology. Many organizations don’t have any dedicated infosec staff, or if they do they only have one person for this task.”

Often, IT takes a hit due to unplanned consequences that have more to do with where the non-profit is located than with the technology itself. For example, he tells the story of a nonprofit that opened an office in a very insecure country. “We opened an office there to help benefit refugees, which is our mission. We made connections with the local militia to make sure that we were permitted to do this and didn’t have any issues until one day our office was overrun by the militia and our people were taken hostage. They didn’t like what we were doing. While that doesn’t happen too often, it was pretty scary for our staff and volunteers. They took all of our computing equipment. Eventually, we were able to get them to release everyone, although two Americans were held in a hotel for a few extra weeks.”

Planning for this situation is a challenge, as you might expect. But the office had no incident response frameworks, no security policies. “There were passwords written on whiteboards. There were staffers using personal Skype accounts to communicate with headquarters. Because all the laptops were stolen, the rebels were using the staff’s personal Skype accounts that were set to autologin and were sending messages impersonating the staff. They couldn’t easily shut down these personal accounts.” Eventually all personnel returned safely and everyone was accounted for. But they lost all their equipment: “that was never seen again.”

Few IT managers or CIOs have to deal with this kind of situation. “It is pretty nasty stuff, and it is because of the nature of how many international nonprofits operate and the places they have their offices are often in conflict areas. This means we don’t just worry about IT security, but the safety of the staff too.”

Here is another example. At one international nonprofit, he wanted to improve the organization’s password policies. The issue was that many of the staffers are scattered around the world and don’t regularly log in to their enterprise Active Directory domain controller, which meant that staff didn’t get regular notifications of expiring passwords. “So for the field staff, we set their domain passwords not to expire. As you might imagine, this wasn’t great infosec policy, so I tried to implement a better one that had complexity and change management built in. I got buy-in from senior management and approval from the CEO. We were ready to implement it, and I sent a reminder email to some of the affected parties, including the CEO.”

The CEO then scuttled the whole idea: “He told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So the very straightforward and approved password policy was shelved, and there are probably still hundreds of people using non-expiring passwords around the organization.” Goodman couldn’t get him to understand why a better password policy matters.

All is not gloom and doom, however. At NetHope, he is working with a number of major donors, including the Gates Foundation and MasterCard International, to create non-profit-specific security controls that can be used for guiding IT auditing and compliance. “We will have a set of best practices on how to appropriately secure critical data, all based on existing standards like ISO, NIST, and PCI. We will also provide implementation guidance so that nonprofits without dedicated infosec staff — which is nearly all of them — will know how to implement these controls.”

Like what you are reading?

Subscribe to Inside Security!



The view from a small college CIO: Infosec is getting harder to do.

Ravi Ravishanker is the CIO and Associate Provost at Wellesley College in Massachusetts. He has been in IT for many years, and supports an organization with more than 1400 faculty and staff. I spoke to him in September 2016. “Information security has continued to be one of the highest priorities for every one of the IT organizations I have worked for. The only difference is that it has become harder and its relative importance compared to the other things we have to do has gotten higher, which results in much higher resource allocation to security across the entire institution.”

He recalls back in 1986, when he began his IT career. He was writing code in assembler for VAX/VMS. This was done to make it faster to execute. “However, we made a programming error to have one user send a file to another using TCP/IP. Because of an internal security lapse, the students found out they could send someone else’s files using our program. It didn’t take long to fix the problem, fortunately.” Coming into the modern day, he finds that vulnerability scanners are one of his most important security tools. “This is because they expose vulnerabilities about network ports that shouldn’t be open. Similarly, scanners that test our web apps for a range of vulnerabilities are also essential.”

“We realize that given our limited resources, we have to be very diligent. First and foremost, data and network security needs to be a priority for everyone in the IT organization, not just a select group of security administrators. Also, security is a joint partnership between IT and our users; it is a shared responsibility of the entire enterprise. If our users aren’t following best practices, they can expose our enterprise to data security issues. Security is a critical part of everything that we do.”

To date, he hasn’t seen much in the way of insider threats at the college. “People in higher education have a sense of loyalty to the institution, and we place a lot of trust in our employees. While insider threats are always a potential issue, we are in a space where it is minimal.”

The college has moved into the cloud and continues to increase its cloud footprint. “We try to do as much due diligence when we sign up with a new provider and make sure that they are giving us the security that we need. We thoroughly review the contracts and agreements from security and compliance perspectives before signing up with a provider.”

“We are a fairly small IT organization and currently our user services, which manages desktop support, and the systems and network groups are all under one director. This works really well in terms of information exchange between the groups and easy access to the systems and network engineers. However, we recently decided to reorganize this group and we hope that this relationship will be preserved, because this relationship is critical from an information security perspective.”


iBoss blog: How to Communicate to Your Customers After a Breach

There have been numerous breaches at major consumer retail companies over the past year. Most of these are followed with some kind of “apology letter,” laying out what customers can do to protect their credit and what information was stolen from the retailer’s databases. Sadly, there aren’t any shining examples in this collection of correspondence, and the cases that I’ll cite here are what to avoid rather than what to mimic. But there are some important lessons to be learned, from designing the best apology letters to improving IT practices post-breach.

You can read the article on the iBoss blog here.

Inside the Jihadist’s Tech Toolkit

A July report entitled Tech For Jihad: Dissecting Jihadists’ Digital Toolbox details and analyzes how 36 specific tools are used by various jihadist groups. While the news media has focused on how these groups leverage particular social media accounts, and these are well documented (that last link has some solid suggestions on improving your social media posture too), there is actually a wide array of other tools that are used to spread propaganda, recruit new members, and launch cyberattacks. Indeed, the jihadists rely a great deal on the Internet, and as they increase their digital footprint they require the same kinds of security protection that any careful enterprise would employ these days.

Two security researchers from Flashpoint wrote the report: their company is a security vendor that analyzes the dark web and provides other intelligence reports about malicious actors.

At the heart of their toolkit is the Tor browser, which enables anonymous surfing and connecting to the dark web for various illegal activities. According to the report, Tor has been in use since May 2007 by the jihadi groups. A year later saw the creation of a custom encryption tool called Asrar Al-Mujahideen. After the Snowden revelations, a new tool was released called Amn Al-Mujahid. A full timeline, from the RecordedFuture blog, can be seen here:

[Image: timeline of jihadist tool adoption, from the RecordedFuture blog]

The preferred access method seems to be the Opera browser, because it can connect to a free VPN service, and mostly from Android devices. Speaking of VPNs, they were first used in 2012, and the authors found early posts on dark web forums comparing the various VPN technologies and their advantages and disadvantages, just as any solid IT researcher would go about doing. This included an analysis of what kinds of logs the VPN software keeps and how these logs can be erased. The VPN chosen was the CyberGhost VPN (there are free and paid versions, and of course payments in bitcoin are accepted).

Another tool mentioned in the report is the HardDiskSerialNumberChanger, which can further obfuscate the originating device identifying information coming from the local hard drive. Another tool is called FakeGPS, which provides a false physical location to various social media clients such as Facebook and Twitter. This enables users to pick some fake location when they post social updates.

Then there are various encrypted email services, including HushMail, ProtonMail, GhostMail and Tutanota, among others. The authors document the use of these products by jihadists beginning in February 2013. This was followed by encrypted text messaging chat services, such as WhatsApp and Telegram. Telegram in particular is used to disseminate official statements from jihadi leadership to the general public. Because it offers end-to-end encryption, messages are difficult to read while in motion, which is why the app is becoming more popular among jihadists. Taken together, what is clear is that jihadists are doing a great deal to carefully hide their locations and digital tracks.

These are just a few of the tools that are employed by these organizations. There are others, including home-grown mobile apps that are used to spread propaganda (including their own podcasts and other media streams) in both English and Arabic to supporters. These media streams have proven so popular that “culture jammers” have released their own apps that purport to be the “real” ISIS podcasts to confuse their audience. This is what Google’s Project Jigsaw has been working on over the past year to target aspiring ISIS recruits and dissuade them from signing up. By using search algorithms, the program places ads alongside common search terms and keywords that link to anti-ISIS English and Arabic YouTube channels. Jigsaw hopes these links to testimonials can debunk the jihadi narratives, and so far it seems to be working. Click-through rates on Jigsaw’s curated videos were three times those of the pro-ISIS links, according to Wired magazine.

Clearly, this increasingly comprehensive outlook shows how seriously jihadists handle their operational cyber security and other online activities. But it could also be a useful example for ordinary enterprise IT workers, who travel abroad or who wish to maintain a higher level of security themselves.

There is much that can be learned from the jihadist infosec toolkit and how they make use of the Internet for recruitment.

As the authors conclude, “While jihadists incessantly adapt their behaviors to evade surveillance, we must adapt our surveillance tactics to keep up. The more we understand about how jihadists leverage digital technologies to engage in nefarious activities, the better equipped we will be to defend ourselves and mitigate risk as effectively as possible.”

SecurityIntelligence: No Business Is Too Small for SMB Cybersecurity

Smaller businesses, like the HVAC company that caused the Target penetration in 2013, often think they are too small to be security targets, but SMB cybersecurity can have big implications. Size doesn’t matter as long as your firm has something of value that someone thinks is worth stealing, or a connection that someone thinks is worth exploiting.

However, the more vertical the SMB market, the more likely it is to sustain attacks. I explain why in this post for IBM’s SecurityIntelligence.com blog.

The death of the SMS OTP

As mentioned in Andrew Showstead’s blog post last month, the National Institute of Standards and Technology (NIST) has come out with a ruling on its digital authentication guidelines. It states that many types of SMS messaging as a second authentication factor (2FA) should now be considered insecure. This is actually not news. There have been numerous insecurities, hacks and other SMS 2FA compromises, starting with this 2012 hack of Wired author Mat Honan. Since then, Wired has put everyone on notice about insecure SMS 2FA, and there is this FireEye blog post about combining SMS and phishing attacks. And one well-known digerati got his phone hacked by having the attacker just call his cell provider to change his SIM number.

In any case, the NIST document and the implied underlying decisions both require further explanation.

First off, the NIST ruling isn’t set in stone. It is a ‘preview,’ which means they are still collecting comments, and their document and their recommendations may undergo revision. Interestingly, you can submit your comments on GitHub here. That represents a big change for NIST, and they should be applauded for trying to use the open source community natively. As they posted, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”

Second, if you are going to comment, you should probably start with reading this blog post from Paul Grassi, a senior standards and technology advisor at NIST. The original document linked above is a difficult read, even for the most technical among us. For example, one of the NIST terms used is that SMS as an authentication factor is “deprecated.” What is that? Grassi says “you can use this puppy for now, but it’s on its way out.” Meaning that federal agencies should start exploring other 2FA options, or puppies in his parlance.

Speaking of federal agencies, while this NIST work is going on, the Social Security Administration didn’t quite get the right memo. It announced in late July that, beginning immediately, anyone using its website to track their retirement benefits or communicate with the agency will be required to enter a cellphone number and use an SMS message as an additional authentication factor when logging into their account.

Ironically, the agency claims it is doing this to adhere to federal standards just at the same time that NIST is trying to raise the bar on those same standards. As you might imagine, security analysts have already weighed in. Brian Krebs says the move by SSA “does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are. The new measure does little to prevent fraud.” Krebs does give the agency props for using other authentication methods at the time a retiree sets up an account, but still there are weaknesses.

Third, Grassi makes some other good points, one being that not all SMS services are created or operate equally, and not all of them are tied to actual physical cell phones. There are some virtual VOIP numbers (think Google Voice) that can forward texts anywhere and to anyone. Or text messages can show up on the locked cellphone screen, so that the user doesn’t even have to have possession of his or her phone to enter the appropriate code sequence. That is part of the issue around sending an SMS one-time password (OTP) as an additional authentication factor: it is no longer “something you have” but is just “something else that you know.”

Finally, with all the hue and cry about the NIST document, we tend to lose sight that sending an SMS for OTP is still better than having no additional authentication factors. “For normal people, 2FA is still going to limit the ability of an attacker to intercept or alter both your password and your SMS code,” says Violet Blue writing in Engadget recently.

Does this mean that SMS OTP is dead? Not quite. Certainly, as several security experts quoted in a recent SearchSecurity article say, the move by NIST is long overdue. SMS authentication shouldn’t be the sole second factor. There are better authentication methods, such as the Vasco Digipass Go and Crontosign products mentioned in Showstead’s blog post, and numerous other efforts using selfies and photos too. The key takeaway? You need multiple authentication factors now more than ever, and SMS should be one of them, but not the only one.

Security Intelligence: Use a Malware Simulator to Better Defend Against Ransomware

If you are looking for ways to run a malware simulator to test ransomware and other forms of malware in your environment, but don’t want to deal with the actual materials to infect your systems, look no further than the Shinosec ShinoLocker suite. This is a malware simulator and target attacking suite for penetration testers and other researchers. I talk more about this innovative product in my post today for SecurityIntelligence blog.