Why you should be afraid of phishing attacks

I have known Dave Piscitello for several decades; he and I served together in a group that included some of the original inventors of the Internet, and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.

He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.

We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, using the same fonts and page layouts to mimic the real sites (such as your bank), so that you will log in to their page and hand your password to them.

Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing, where a criminal targets a specific person or corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.
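The typographically similar domains mentioned above are one of the few phishing signals a mail filter can check mechanically, before a user ever sees the message. The Python below is an added example written for this page; it is not code from the original post, from Inky, or from any other product named here. The protected brand list, the homoglyph substitution table and the sample From: headers are all constructed for the demonstration, and the registrable-domain helper is deliberately naive (it takes the last two labels rather than consulting the public suffix list).

```python
"""Flag sender domains that look like a protected brand after homoglyph normalisation.

Added example for illustration; brand list, homoglyph map and sample headers are constructed.
"""
from email.utils import parseaddr

# Hypothetical brands the organisation wants to protect (constructed list).
PROTECTED_DOMAINS = ["paypal.com", "microsoft.com", "examplebank.com"]

# Visual look-alike substitutions commonly used in lookalike registrations.
# Multi-character entries ("rn" -> "m", "vv" -> "w") are applied as well as digit swaps.
# This is a heuristic: it can also rewrite legitimate labels, so treat hits as suspicious, not proven.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Lower-case a domain label and collapse common homoglyphs to their plain letters."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels. Real filters should use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_score(domain: str, protected=PROTECTED_DOMAINS):
    """Return (closest_brand, distance) comparing the normalised second-level label to each brand."""
    label = registrable_domain(domain).split(".")[0]
    best = None
    for brand in protected:
        dist = levenshtein(normalize(label), brand.split(".")[0])
        if best is None or dist < best[1]:
            best = (brand, dist)
    return best


def classify_sender(from_header: str, protected=PROTECTED_DOMAINS, max_distance: int = 1) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'unrelated'.

    A distance of 0 after normalisation means a pure homoglyph swap (paypa1.com) or a
    TLD swap (paypal.co); distances up to max_distance catch single-character typos.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not domain:
        return "unrelated"
    if registrable_domain(domain) in protected:
        return "trusted"
    _, dist = lookalike_score(domain, protected)
    return "lookalike" if dist <= max_distance else "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["PayPal <service@paypal.com>", "PayPal <service@paypa1.com>",
                "<alerts@rnicrosoft.com>", "<hr@examplebnk.com>", "<news@github.com>"]:
        print(f"{hdr:35s} -> {classify_sender(hdr)}")
```

Because the check keys on the registrable domain, a message from `paypal.com.evil.example` is scored on `evil.example` and comes out as unrelated; display-name spoofing (a trusted brand name in front of an unrelated address) is likewise outside this check and needs its own rule.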

Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.

There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.

There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.

The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.

I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.

CSO Online: As malware grows more complex, protection strategies need to evolve

The days of simple anti-malware protection are mostly over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potentially harmful infections. This is because malware has become sneakier and more defensive and complex.

In this post for CSO Online sponsored by PC Pitstop, I dive into some of the ways that malware can hide from detection, including polymorphic methods, avoiding dropping files on a target machine, detecting VMs and sandboxes, or using various scripting techniques. I also make the case for using application whitelisting (which is where PC Pitstop comes into play), something more prevention vendors are paying attention to as it gets harder to detect the sneakier types of malware.

White paper: Invisible mobile banking security

As more banking customers make use of mobile devices and apps, the opportunities for fraud increase. Mobile apps are also harder to secure than desktop apps because they are often written without any built-in security measures. Plus, most users are used to just downloading an app from the major app stores without checking to see if they are downloading legitimate versions.

Besides security, mobile apps have a second challenge: to be as usable as possible. Part of the issue is that the usability bar is continuously being raised, as consumers expect more from their banking apps.

In this white paper for VASCO, I show a different path. Mobile banking apps can be successful at satisfying the twin goals of usability and security. Usability doesn’t have to come at the expense of a more secure app, and security doesn’t have to come at the cost of making an app more complex to use. Criminals and other attackers can be neutralized with the right choices that are both usable and secure.

Why runtime application self-protection is critical for next gen security

Today most of us go about implementing security from the outside in. The common practice of defining and then defending a perimeter isn’t viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this white paper I wrote for VASCO, I describe a method that is gaining traction by defending the actual apps themselves using runtime self-protection. RASP, as it is called, comes from a Gartner 2012 report, but is catching on with several vendors, including Arxan Technologies, HPE App Defender, Immun.io, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.


The death of the SMS OTP

As mentioned in Andrew Showstead’s blog post last month, the National Institute of Standards (NIST) has come out with a ruling on its digital authentication guidelines. They state that many types of SMS messaging as a second authentication factor (2FA) should now be considered insecure. This is actually not news. There have been numerous insecurities and hacks and other SMS 2FA compromises, starting with this 2012 hack of Wired author Mat Honan. Since then, Wired has put everyone on notice about insecure SMS 2FA and there is this FireEye blog post about combining SMS and phishing attacks. And one well-known digerati got his phone hacked by having the attacker just call his cell provider to change his SIM number.

In any case, the NIST document and the implied underlying decisions both require further explanation.

First off, the NIST ruling isn’t set in stone. It is a ‘preview,’ which means they are still collecting comments, and their document and their recommendations may undergo revision. Interestingly, you can submit your comments on GitHub here. That represents a big change for NIST, and they should be applauded for trying to use the open source community natively. As they posted, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”

Second, if you are going to comment, you should probably start with reading this blog post from Paul Grassi, a senior standards and technology advisor at NIST. The original document linked above is a difficult read, even for the most technical among us. For example, one of the NIST terms used is that SMS as an authentication factor is “deprecated.” What is that? Grassi says “you can use this puppy for now, but it’s on its way out.” Meaning that federal agencies should start exploring other 2FA options, or puppies in his parlance.

Speaking of federal agencies, while this NIST stuff is going on, the Social Security Administration didn’t quite get the right memo. They announced in late July that beginning immediately, anyone using their website to track their retirement benefits or communicate with the agency will be required to enter a cellphone number and use an SMS message as an additional authentication factor when logging into their account.

Ironically, the agency claims it is doing this to adhere to federal standards just at the same time that NIST is trying to raise the bar on those same standards. As you might imagine, security analysts have already weighed in. Brian Krebs says the move by SSA “does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are. The new measure does little to prevent fraud.” Krebs does give the agency props for using other authentication methods at the time a retiree sets up an account, but still there are weaknesses.

Third, Grassi makes some other good points, one of which is that not all SMS services are created or operate equally, and not all of them are tied to actual physical cell phones. There are virtual VOIP numbers (think Google Voice) that can forward texts anywhere and to anyone. And text messages can show up on the locked cellphone screen, so that the user doesn’t even have to have possession of his or her phone to enter the appropriate code sequence. That is part of the issue around sending an SMS one-time password (OTP) as an additional authentication factor. It is no longer “something you have” but just “something else that you know.”

Finally, with all the hue and cry about the NIST document, we tend to lose sight that sending an SMS for OTP is still better than having no additional authentication factors. “For normal people, 2FA is still going to limit the ability of an attacker to intercept or alter both your password and your SMS code,” says Violet Blue writing in Engadget recently.

Does this mean that SMS OTP is dead? Not quite. Certainly, as several security experts quoted in a recent SearchSecurity article say, the move by NIST is long overdue. SMS authentication shouldn’t be the sole second factor. There are better authentication methods, such as the Vasco Digipass Go and Crontosign products mentioned in Showstead’s blog post, and numerous other efforts using selfies and photos too. The key takeaway? You need multiple authentication factors now more than ever, and SMS can be one of them, but not the only one.

Authentic8 whitepaper: Why a virtual browser is important for your enterprise

The web browser has become the de facto universal user application interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, it puts a burden on browsers to handle security more carefully.

Because more malware enters via the browser than any other place across the typical network, enterprises are looking for alternatives to the standard browsers. In this white paper that I wrote for Authentic8, makers of the Silo browser (their console is shown here), I talk about some of the issues involved and the benefits of using virtual browsers. These tools offer some kind of sandboxing protection to keep malware and infections from spreading across the endpoint computer. This means web content can’t easily reach the actual endpoint device that is being used to surf the web, so even if the browser session is infected, the infection can be more readily contained.

Authentication for the next generation

The new “my way” work style and the demand for on-the-go access to any service from any device and virtually any location requires that you bring your best encryption game with you when you’re on the move. This is especially true for the group of people often labeled Gen Y, or 20-somethings. Why? Because they are so digitally native and so used to living their lives with instant access to their money, their friends, really anything that they do. As they are so steeped in technology, they tend to forget that there are lots of folks online who want to steal their identities, empty their bank accounts, and cause other havoc with their digital lives. But Gen Y is also more likely to use mobile banking than their elders, and more likely to go elsewhere if banks do not offer the mobile services they desire.

For a white paper for Vasco, I wrote about the challenges around providing better and more native authentication technologies for Gen Y and indeed, all users.

ITworld: A get-up-to-speed guide on hyper-converged infrastructure

The market for hyper-converged systems is quickly evolving. Traditional storage infrastructure vendors remain the largest installed base, but software-defined and hyper-converged storage providers represent the fastest growing market segment, with some of the latter vendors rapidly increasing their market share.

ITworld: A get-up-to-speed guide on VDI

Virtual desktop infrastructure, better known as VDI, is undergoing a new life. A few years ago, it was plagued by lackluster user experiences and cost overruns. Now, thanks to an injection of new technology and better implementations, there’s a lot to like. Faster, cheaper technology has made it an interesting option for companies seeking a way to support flexible, work-from-anywhere environments.

How does this transformation happen? This get-up-to-speed guide posted on ITworld explores how VDI can help organizations navigate shifts in business and user needs.

ITworld: A get-up-to-speed guide on moving legacy apps to the cloud

Making a case for moving legacy apps to the cloud is becoming easier, with the biggest driver being the ability to shift costs from capital to operating expenses, which can save money. Also, renting capacity rather than owning servers and network infrastructure allows more flexibility in how computing resources are provisioned, enabling workloads to be matched to demand. Quick provisioning is key: New servers can be brought up in the cloud in just minutes, not only making it easier to improve availability but also enabling more flexible disaster recovery mechanisms.

This get-up-to-speed guide explores the key approaches to migrating legacy apps to the cloud, and the value each can bring to your business. You can download my guide here.