Congradulations: you have been phished!

Phishing scams abound, if my own personal situation is any indication. This past weekend, I received two text messages — technically this is smishing or SMS phishing, but still. One looked like this (don’t worry, it is just a screencap):

You’ll notice a couple of tells. First is that it is addressed to me by name. Usually, when my close friends and family send me texts, they don’t include my name. And the fact that a phisher knew my name is a bit concerning. The other is that it contains an active link, just waiting to be clicked on.

I got another text that was slightly less salacious, as you can see to the left. Again, my name is mentioned. Because of the subject, it is more insidious — now that we are ordering almost everything online the packages are coming to our doors in droves. But note this one tell — the package was mailed back in April. Granted, things are slowing down somewhat over at the USPS, but still.

The FCC has issued this warning about smishing with several illustrations. And the crooks are getting more clever, as in this case described by Brian Krebs, in which one criminal combined smishing with cardless ATM transactions (withdrawals made with just a mobile phone) to steal funds from victims’ accounts.

Corporate security folks are trying to get ahead of the attackers, and many regularly conduct phishing simulation or training exercises. Sometimes these misfire. The WaPost reported on a recent phishing training exercise that was completely misguided. The Tribune Co. sent around a message with “Congradulations, executives!!” in the subject line (hence my usage in today’s essay title). The email promised bonuses to come, if only the staffer would click on the enclosed link. Yes, the deliberate mistakes (spelling and duplicate exclamations) and the embedded link should be the tells that something is amiss. Whether you think this insensitive (given the number of layoffs in this industry) or just plain dumb, it was still a poor choice of exercise for demonstrating the threat and training users. While it is true that real phishing messages do use this particular lure, the Trib IT department should have known better.

Smishing isn’t the only lure used by hackers of course. Ironscales has compiled a collection of fake login pages that try to fool people into thinking they are authenticating their AT&T, Apple, Bank of America and more than a dozen other accounts. Their research has shown there are thousands of these fake login pages circulating around online. Ironically, the email from their PR department announcing this research was flagged by Google as risky, warning me not to click.

So here are a few pointers on how to prevent these types of attacks.

Don’t respond to any calls to action you get via texts or emails. Think before you click on the links or call the phone number listed. Better yet, don’t respond or click or call. This includes sending back a “Stop” text message. Just hit the delete key.

If you feel you have to respond, do it out of band. Go to the Fedex website directly and track your package that way. Call your bank directly to see if you have a fraud alert. Here is a Tweet stream that shows the lengths that one person went through to research and vet one text. My wife got a phishing email recently and did exactly that to find out it wasn’t genuine. 

Finally, is something out of character? Is this a text or email out of the blue from some long-lost correspondent? Or does it contain (one or more) simple grammatical errors? Or is an offer of money too good to be true? That is because it isn’t. Do you really think the IRS or Social Security Administration sends you texts? News flash: they don’t.

Avast blog: Election hacking updates

As we approach the November general U.S. elections, things are heating up, with both candidates now making actual campaign appearances. We have also seen an increase in cyberattacks and other threats to our elections. This includes efforts to hack into campaign staff’s accounts by foreign governments, physical threats during these campaign stops, and changes to how votes will be recorded.

You can read my full post on Avast’s blog here, where I review the latest in election interference news.

Avast blog: Back to campus means understanding your data security

As college students try to return to campus, some are being asked to allow the college unprecedented access to their whereabouts and health information, as we posted last week. Many are learning about the personal implications of their data security for the first time, let alone dealing with being quarantined. I’ve previously explored the wide ranging methods colleges are using to try to bring students back to campus safely and how they are planning to track their students (and staff). In this post, I talk about some of the infosec issues with tracking the college crowd. It all comes down to having solid IT leadership and necessary skills on staff to do proper security vetting.

You can read more on my blog for Avast today.

RSA blog: Security Is No Longer A Binary Decision

IT security has evolved from being a completely binary operation to taking a more nuanced approach. Back in the days when R, S, and A first got together, it was sufficient to do security on this pass/fail basis – meaning a large part of security was letting someone in or not to your network. Or allowing them to use a particular application or not or allowing them access to a particular network resource (printer, server) or not. In some of my other blog posts, I have mentioned this nonbinary approach in passing, particularly when I have talked about adaptive authentication. This is the core reason that the authentication “adapts” to particular conditions – for example, if someone is attempting a second login with “impossible travel” conditions. Or if you are trying to authenticate not just the user but their device as well.

But the nonbinary issue is bigger than authentications. And it is a product of our times: First, because of the pandemic and more remote working conditions, IT shops have had to make drastic changes in their infosec policies, procedures, and products. But more importantly, a nuanced approach is needed more than ever because everyone has somewhat different security circumstances. “It isn’t just one size doesn’t fit everyone; it is that one size doesn’t fit many circumstances,” said Erik Jost, the Chief Technologist for NTT Data in a recent conference session. Everyone’s network infrastructure is different and has changed greatly since the beginning of the pandemic. Let me give you a few examples:

– Figuring out attribution to the source of an attack. Sometimes there are shades of grey that could indicate a variety of outcomes, or even that an attack wasn’t from an adversary at all but came from an employee’s badly configured laptop. Or an attacker may deliberately confuse things by planting false flags in their code so that they can slip inside your network undetected, such as by disguising their malware as a normal piece of code that is part and parcel of the underlying operating system. Blocking these sneakier methods calls for a nuanced approach, so you can link the various steps in a malware’s kill chain and make it harder for an attacker to move around your network before more damage is done.

– Password rules that are too complex. Many IT shops put in place requirements for password construction that are too onerous: 20-character passwords that must be changed every month, for example. This makes employees more motivated to come up with more predictable passwords that they can remember and manage, which defeats the whole purpose of having complex passwords to begin with.

– Over-protective endpoint security. While it is great to plug as many holes as possible across your endpoint collection, if you lock down your endpoints too much, employees will shift their work to the cloud and to their personal devices that aren’t locked down. That is also self-defeating.

– Finding “missing” network segments. It is just human nature: we can be forgetful, and in some cases as a result of misconfiguration, we can forget about an entire network segment or collection of servers. Your endpoint/intrusion detection tools tend to be more pass/fail on this and can give you false results. If these tools offered a more nuanced approach, you might recognize that the forgotten equipment is legitimate and that you need to modify your system asset tables to properly account for it, rather than collect a bunch of false warning messages.

– URL shorteners. Remember how they were all the rage not too long ago? Now they are less favored, because they can hide malware or take you to places that will compromise your endpoint’s browsing session. Again, nuance please. This is what happened at the email provider SendGrid, which is now owned by Twilio. Many of their customers give the shortened URLs generated by their software an automatic pass. That turned out to be one way that attackers could compromise their customers’ accounts.

– Detecting impossible travel. The impossible travel situation once was absolute: after all, no one can travel across the globe very quickly, especially these days. But as more of us work remotely and make use of VPNs, calculating what is possible is a lot harder to do just by computing the raw distance between the implied geolocations. If I change my VPN endpoint from one continent to another, does that mean my account has been compromised, or is it because I am trying to obtain a better or faster Internet connection? Nuance once again.

– Sloppy outboarding of former staff. Did your recently fired employee access your network? We don’t always outboard former staff completely and can sometimes leave residue of access rights scattered around the network. Detecting these mistakes will require a finer, and more thorough, touch.
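The impossible-travel check described in the list above, as an added example that is not the author’s code: it computes the speed implied by two consecutive logins of the same user and, rather than returning a pass/fail verdict, treats a jump that involves one of the organisation’s own known VPN exit ranges as something to review instead of as proof of compromise. The egress ranges, IP addresses, coordinates and timestamps are all constructed placeholders.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed placeholders (RFC 5737 test ranges): egress ranges of the organisation's own VPN exits.
KNOWN_VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; no traveller moves faster than this
Login = namedtuple("Login", "user ts ip lat lon")

def make_login(user, iso_ts, ip, lat, lon):
    """Build a Login from an ISO-8601 timestamp string such as '2020-09-01T08:00:00+00:00'."""
    return Login(user, datetime.fromisoformat(iso_ts), ip, lat, lon)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def from_known_egress(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_EGRESS)

def assess(prev, cur):
    """Compare two consecutive logins of one user; return (verdict, implied speed in km/h)."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        speed = float("inf") if km > 0 else 0.0
    else:
        speed = km / hours
    if speed <= MAX_PLAUSIBLE_KMH:
        return "ok", speed
    # The nuance: a jump involving the organisation's own VPN exits is for a human to review, not proof of compromise.
    if from_known_egress(prev.ip) or from_known_egress(cur.ip):
        return "review", speed
    return "impossible", speed

def scan(logins):
    """Walk logins per user in time order; return (user, ip, verdict, km/h) for each consecutive pair."""
    findings, last = [], {}
    for login in sorted(logins, key=lambda l: l.ts):
        if login.user in last:
            verdict, speed = assess(last[login.user], login)
            findings.append((login.user, login.ip, verdict, round(speed)))
        last[login.user] = login
    return findings

def demo():
    """Constructed sample: three users log in from St. Louis, then from somewhere else."""
    return scan([
        make_login("alice", "2020-09-01T08:00:00+00:00", "192.0.2.10", 38.63, -90.20),  # St. Louis
        make_login("alice", "2020-09-01T09:00:00+00:00", "203.0.113.7", 51.51, -0.13),  # London, via known VPN exit
        make_login("bob", "2020-09-01T08:00:00+00:00", "192.0.2.20", 38.63, -90.20),    # St. Louis
        make_login("bob", "2020-09-01T09:00:00+00:00", "192.0.2.99", 51.51, -0.13),     # London, unknown address
        make_login("carol", "2020-09-01T08:00:00+00:00", "192.0.2.30", 38.63, -90.20),  # St. Louis
        make_login("carol", "2020-09-01T12:00:00+00:00", "192.0.2.31", 41.88, -87.63),  # Chicago, four hours later
    ])
```

Running `demo()` yields “review” for alice, “impossible” for bob and “ok” for carol; the speed threshold and the egress list are the two knobs an organisation would tune to its own VPN layout.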

As one article written back in 2017 stated, “Cybersecurity requires a more nuanced approach than rushing headlong into the cyber-security marketplace to snap up the shiniest solutions, sanctioning wholesale Internet separation, or locking out USB devices entirely. Senior management of large organizations should also be wary of blanket cybersecurity policies that conflict with local operational needs.” I couldn’t agree more.

I remember c|net: a look back on computing in the mid-1990s

The news this week is that c|net (and ZDnet) have been sold to a private equity firm. I remember when c|net was just starting out, because I wrote one of the first hands-on reviews of web server software back in 1996. To test these products, I worked with a new company at the time called Keylabs. They were the team that built one of the first huge, 1000-PC testing labs at Novell and were spun out as a separate company, eventually spinning off their own endpoint automation software company called Altiris that was acquired by Symantec and now is part of Broadcom. They were eager to show their bona fides and worked with me to run multiple PC tests involving hundreds of computers trying to bang away on each web server product. “1996 was an exciting time for computing,” said Jan Newman who is now a partner at the VC firm SageCreek and was one of the Keylabs founders. “The internet was gathering steam and focus was changing from file and print servers to the web. I believe this project with David was the very first of its kind in the industry. It was exciting to watch new platforms rise to prominence.” Now we have virtual machines and other ways to stress test products. The review shows how the web was won back in the early days.

Here are some observations from re-reading that piece.

  1. The demise of NetWare as a server platform. Back in the mid 1990s, NetWare — and its associated IPX protocol — was everywhere, until Microsoft and the Internet happened. Now it is about as hard to find as a COBOL developer. One advantage that NetWare had was it was efficient: you could run a web server on a 486 box at about the same performance as any of the Windows servers running on a faster Pentium CPU.
  2. Remember Windows NT? That was the main Microsoft server platform at the time. It came in four different versions: running on Intel, DEC Alpha, MIPS and PowerPC processors. Those latter two were RISC processors that have mostly disappeared, although Apple Macs and Microsoft Xboxes ran on PowerPCs for years.
  3. Remember Netscape? In addition to their web browser that made Marc Andreessen rich, they also had their own web server, called FastTrack, that was in beta at the time of my review. Despite being a solid performer, it never caught on. It did support both Java and JavaScript, something that the NT-only web servers didn’t initially offer.
  4. The web wasn’t the only data server game. Back in the mid-1990s, we had FTP and Gopher as popular precursors. While you can still find FTP (I mainly use it to transfer files to my web server and to get content to cloud images), Gopher (which got its name from the University of Minnesota team mascot) has gone into a deep, dark hole.
  5. Microsoft’s web server, IIS, was underwhelming when it was first released. It didn’t support Java, didn’t do server-side includes (an early way to use dynamic content), didn’t have a web-based management tool, didn’t support hosting multiple domains unless you used separate network adapters, didn’t have any proxy server support and made use of unsecured user accounts. Of course, now it is one of the top web server platforms along with Apache.
  6. You think your computer is slow? How about a 200 MHz Pentium. That was about as fast as you could expect back then. And installing 16 MB of RAM and using 10/100 Ethernet networks were the norm.

Network Solutions blog: How Passwordless Authentication Works and How to Deploy It

Passwords are known as the bane of every IT security manager, but often it’s the way they’re used that creates the most problems. Passwords are shared and reused across numerous logins and can frequently be easily guessed by using pet and children’s names. In other cases, passwords are compromised by users who stick with the default manufacturer settings years after their hardware is installed. This has given rise to a number of solutions that are labeled ‘passwordless,’ even though they technically still use some form of authentication.

You can read more with my post for Network Solutions blog here.

CSOonline: 10 common cloud security mistakes that put your data at risk

The news is filled regularly with attacks on misconfigured cloud servers and the leaked data that criminals obtain from them. The errors happen because we are all human. We might set up a cloud server with loose (or no) credentials and forget to tighten them when the server is placed into production. Or we fail to keep software up to date when exploits are discovered or get IT involved to audit the finished production app to ensure that it is as secure as possible.

You can read my post for CSOonline here on the 10 most common cloud configuration mistakes.

Getting my kicks on the old Route 66

Like many of you this past Labor Day weekend, my wife and I took a drive to get out of our pandemic bubble. And as the NY Times ran this piece, we also got our kicks on Route 66. Their photographer went to the portion through Arizona and New Mexico; we stayed a lot closer to home, about an hour’s drive from St. Louis. This wasn’t our first time visiting this area, but we wanted to see a few sights from a safe distance, and also for my wife to visit an ancestral home not far off the Mother Road, as it is called.

St. Louis has a complicated relationship with Route 66: there are many different paths that the road took through the city to cross the Mississippi River at various bridges over the years the road was active. And for those of you that want to discover the road in other parts of the country, you will quickly find that patience is perhaps the biggest skill you’ll need. Different parts were decommissioned or rerouted after the freeways were constructed that brought about its demise. In our part of the country, that is I-44, which goes between St. Louis and Oklahoma City, where it connects up with I-40.

My favorite Route 66 memory spot within city limits has to be the old Chain of Rocks Bridge, which was opened in the 1930s and was featured in that now classic film “Escape From New York.” The bridge is now a bike/pedestrian path and it is one of the few bridges that is deliberately bent in the middle. It lies on the riverfront bike trail that I have been on often.

Once you leave the city and head west you need to be a determined tracker. Many parts of it are on the map as the I-44 service road, but that doesn’t tell the entire story about the actual original roadbed, which in many cases no longer exists. Speaking of which, one of the places that you might have heard of is Times Beach. The beach refers to the Meramec River, and the town is remembered because it became contaminated with dioxin. Now the streets remain but not much else, and the state has turned it into a state park. The visitor center is a former roadhouse that was built in 1936. Speaking of other bygone inns, in a few miles you’ll pass the Gardenway Motel near Gray’s Summit. The motel had 40 rooms and was built in 1945 and eventually closed in 2014. It was owned by the same family during its entire run. A separate advertising sign still stands down the road.

There are a lot of other classic signs nearby too, but like I said you have to spend some time exploring to find them. If you are looking to stay in one of the period motels that is still operating, you might try the Wagon Wheel in Cuba, a few miles further west.

Another example of the bygone era that Route 66 spanned was captured by this National Park Service webpage on the Green Book. This was a guide for Black motorists who couldn’t stay at the then-segregated lodgings mentioned above. Mrs. Hilliard’s Motel in St. Clair, which is in the area, operated briefly in the 1960s. The guide (which was published annually from 1936 to 1964 by Victor Green) had other recommended and safe places for Black travelers such as dining and gas stations. Our history museum has an excellent explanation of its use and some sample pages here, which you can contrast with what was portrayed in the 2018 film.

One of the things that I learned when traveling in Poland is that history is often what you don’t see, sometimes painfully removed, other times left to rot and decay. That will require some investigation. Route 66 is a real time capsule to be sure.

CSOonline: Securing Microsoft Teams

As more remote work from home happens, your collaboration tools need more scrutiny. A popular choice for instant messaging and video conferencing is Microsoft’s Teams, and securing this application will be a challenge. There have been Teams-specific exploits observed, for example. And even if Teams isn’t targeted, it could fall victim to general DDoS or ransomware attacks, which would be an issue if you depend on Teams for internal communications post-attack. And while Microsoft has published numerous suggestions on how to better secure Teams, the process is vexing and error-prone.

You can read my published analysis for CSOonline here. I also compare how Teams security stacks up with Slack. Avanan, pictured above, has versions for both.

Avast blog: Everything you should know about social media scraping

Last month, a massive data leak exposed more than 300 million different accounts from social media platforms. The collection included 192 million records scraped from two different Instagram collections, along with 42 million records scraped from TikTok and an additional 4 million records scraped from YouTube.

The records include usernames, profile photos, emails, phone numbers, age and gender along with specifics about followers and other engagement for each account. The leak involved a set of three open data shares from the company Social Data: a few hours after being notified, the shares were properly secured.

There are several things that are interesting about this leak: its source, how the data was obtained, and what this means for your own social media consumption. You can read more on the Avast blog.