Friday, February 19, 2016


You arrive at work and find a USB flash drive (“memory stick”) lying in the parking lot…

What should you do?

1. In order to determine if someone in my department lost this, I’d plug it into my computer and view contents of the files on it, which might help me find its owner.
2. I’ll hand this off to my IT support person. I won’t plug it into my computer, since I don’t know where it came from and what is on it.

The Answer: #2. “Baiting” is a common method for an attacker to gain access to a computer or a network. They use physical media and rely on the curiosity or greed of the victim. When the files on the device are opened, malware is executed and attempts to take control of the victim’s computer.

What to do: Have unclaimed found media inspected by your IT support personnel. Like unexpected emails, don’t trust media found in unexpected places.

Wireless access dilemma...

You are waiting in an airport and need to connect to a wireless network. You see the following “Free Public WiFi” wireless network available:

The airport is charging $10 an hour for wireless and this one is free!
The question: Do you connect or not?

The answer: Don’t do it. “Free Public Wi-Fi” is both a hacker’s dream and a security glitch: instead of connecting you to a hot spot, it forms a rogue connection directly to someone else’s computer. The network originally appeared because of a software glitch, but hackers now use it deliberately, knowing that many people can’t resist connecting to a free network. If you connect through one controlled by a hacker, your activities can be watched and your connections hijacked.

What to do: ALWAYS know what wireless access points you are connecting to.  Establishments providing legitimate wireless access normally provide the name of their access points.  Don’t connect unless you are sure.

Continue or stop?

You are using a wireless access point at a local Starbucks. Upon connecting to your email, you see this:

The question: Continue or stop?
“Just this one time won’t hurt anything.”
“I’ve seen this before, sometimes a certificate expires, so it’s ok.”
“I really need to look at that email!”

The answer: Don’t continue, close the webpage. If you see this, an attacker may be “proxying” your connection, capturing your passwords, seeing everything you do, and hijacking your connection.

What to do: DON’T trust a secured connection if there is a problem with the website’s security certificate.

Sensitive Information Theft, A Real Life Example...

October 29, 2012 — COLUMBIA, SOUTH CAROLINA -- The South Carolina Department of Revenue announced that a cyber attack exposed tax returns, credit cards and personal information for over 3 million people.

What happened?

Hackers obtained a user name and password for one employee…

They used it to connect to the department’s network, log onto as many computers as possible and install password capturing software.
Using this one user’s account, they ultimately got a different user’s login and password that gave them access to critical databases, and then proceeded to steal the information.
This cost the South Carolina Department of Revenue millions of dollars to resolve…

How did this happen?

A link in a malicious phishing email was clicked on by a single user. This act apparently caused the installation of the password stealing malware, which is how the hackers got the user’s password. And things just got worse from there.

· Don’t click on links in emails unless you are absolutely sure of their content
· Surf the Internet very carefully!

Physical theft of sensitive information...

One of the most common means of sensitive information theft is physical. This often happens when an employee takes sensitive information offsite on a portable computer or device without following proper precautions.

Stolen portable computers (laptops, tablets, smart phones) containing sensitive/protected information…

Stolen or lost memory sticks or portable hard drives that are unencrypted…

Even paperwork containing sensitive information that is stored in a briefcase or laptop case…

Remember that just one instance of stolen sensitive information can result in unfavorable press coverage and financial loss. California Breach Notice laws require that all those affected be personally notified and sometimes compensated in order to protect their identities.

What can we do to lower the chances of physical theft?
  • Do not store your password with your portable computer
    • You should secure your portable computer with a strong password, but never keep the password in the laptop/portable computer case or on a piece of paper or label attached to it.
  • Encrypt your laptop and any portable media containing sensitive data
    • Just one stolen laptop with sensitive information on it can result in unfavorable press coverage and require that all those affected be personally notified. Don’t store anything unencrypted on a portable device that you wouldn’t be comfortable with the general public viewing. Encrypt external hard drives, memory sticks and other storage as well.
  • Secure your portable computer when unattended
    • Attach a laptop with a security cable to something immovable or to a heavy piece of furniture when it is unattended. Devices are available that sound an alarm when there is unexpected motion or when the computer is moved outside a specified range around you.
  • Do not leave your portable computer in your car
    • Don’t leave your portable computer on the seat or even locked in the trunk. Locked cars are often the target of thieves.
  • Do not store your portable computer in checked luggage
    • Always carry it with you.
  • Keep track of your portable computer when you go through airport screening
    • Portable computers are frequently stolen at airport screening areas. Hold onto your device until the person in front of you has gone through the metal detector. Watch for your device to emerge from the screening equipment.
  • Keep it off the floor
    • No matter where you are in public – at a conference, a coffee shop, or a registration desk – avoid putting your laptop on the floor. If you must put it down, place it between your feet or up against your leg, so that you are aware of where it is located at all times.
  • Secure your laptop when in the office
    • Secure your laptop by locking it in a docking station, if available, using a security cable, a locked office or a locked cabinet.
  • Record identifying information and mark your equipment
    • Record the make, model and serial number of the equipment and keep it in a separate location. Consider having the outside of the case labeled with your department’s contact information and logo.
  • Back up your files
    • Make an encrypted backup of your files before every trip. In the event that your laptop is lost or stolen, you will still have a copy of your data.

Panic clicking...

There have been a number of reports of some very well done Verizon Wireless phishing attempts. Clicking on the links causes the attempted install of a new variant of the Zeus bot, a nasty data stealer.

See if you can spot the fake one:


Answer: the top one is fake. The only giveaway is that the fake e-mail doesn't include the partial account number, and it typically indicates a large bill > $1,000 (at least large for me :). The large amount is presumably intended to cause panic clicking.

Legitimate phone call or not?

You receive a phone call from someone claiming to be from Microsoft support. He informs you that your computer is sending them error messages, and it appears to be infected with a password-stealing virus.

He tells you how to look at the event logs on your computer, and informs you that the event logs with warning signs show that your computer is infected.

The support person then directs you to an official Microsoft website where he asks you to download and install a special remote access tool so that Microsoft support can fix your computer for you.

What should you do?
· Continue, as the support page appears legitimate.
· Hang up.

Answer: Hang up. This kind of phone phishing, in its many variants, is a real and ongoing organized crime activity.

It has been estimated that thousands of people have fallen for this scam.

The scam: the caller does not work for Microsoft, and the website is scarily real looking, but it is not. If you take the suggested actions, you give a stranger access to your computer.

On its website, Microsoft explicitly says it never places unsolicited calls for tech support, security updates, software validation, or the so-called “Microsoft Lottery.” More information on Microsoft-related scams can be found here:

What to do: If you truly believe that someone cold calling you may be from legitimate computer support, verify by hanging up, looking up their phone number and calling the company yourself.

Password cracking in the news...

We hear a lot these days about passwords being cracked after they are stolen from online sites.

What is stolen from those sites is usually not the password itself but a scrambled, one-way version of it called a hash, which looks something like this:


When the above hash is run through password cracking software, it easily yields the password:


Password hashes are also sometimes stolen when your computer becomes infected with malware.

Do you know which password, of the 2 below, is more secure against password cracking attempts?


If a bad guy stole the hashes for these two passwords and tried to brute force them, here’s how long it might take to crack them (assuming the bad guy had no hints):

Between 8 and 18 hours, faster if multiple computers were available

1.29 hundred trillion centuries

So, the correct answer is the LONG passphrase.
Fourteen characters or more is considered best.

Obviously, this example is a known song lyric, so someday it and others like it might ultimately be added as part of a cracking table. This has already happened to common phrases such as “Beam me up Scottie”. That’s why we changed one word’s spelling to add a little entropy. A better approach is to personalize your passphrase. An example: Welcome2BarbM’sHotelCalifornia

Other passphrase examples:

I really need a vacation and want to go 2 Barstow
My cat Max hates it 2 when I give him a bath

PS: These are examples only; be sure not to use the exact passwords above. ;)

Your friend probably didn't just get robbed in a foreign country

It happens often.  Imagine that you receive an email from a friend or colleague claiming that he or she is stranded in a foreign country and desperately needs your help to get home. The email originates from the friend's real email account and may even include the same email signature that your friend uses when emailing you. Thus, you might be inclined to believe that the email was legitimate, at least at first glance. However, the emails are a clever scheme by Internet criminals designed to trick people into sending them money.

Many different versions of these scam attempts have been seen. Names and other details differ depending on whose email account the scammers have hijacked, as do the countries where the "friend" is supposedly stranded. The amounts of money requested in the messages may also differ. But, in spite of such superficial differences, all such messages are versions of the same basic scam. Sadly, many people have become victims of this scam and lost money to these criminals.

If you get an email from a friend who needs you to send them money quickly while they are on vacation, be very suspicious. If they really are on vacation, find a different way to contact your friend and find out whether this email really came from them. But you can rest assured that your friend probably didn’t just get robbed in a foreign country. :)

Call Back Scams...

Employees continue to be targets of call back scams…

In some call back scams, the scammer calls its target person or company from a certain phone number and then hangs up before the phone is answered (before it goes to voicemail). Sometimes the scammer will text its phone number to its target person. The goal with this type of scam is to arouse curiosity, to get the target person to wonder “hmmm…who was that?” and call the number back. When the person calls the number back, sometimes it ends up being a premium service number and their phone bill is charged accordingly.

In the most recent scam attempt, an employee at work was targeted by a Capital One fraud phone scam. The caller left a voicemail requesting a call back, and this call wasn’t expected at all. These scams try to make you unnecessarily concerned about your account and its status so that you return the call using the phone number given. The scammer will then try to socially engineer you into giving up your account information.

Be very careful about phone numbers that call your telephone and hang up, or leave a message that you definitely aren’t expecting. Always verify who called before returning the call. In the case of scams such as the Capital One attempt, calling the legitimate telephone number on your card or statement is always the best way to verify.

Of course, I prefer Grumpy Cat’s approach… ;)

Thursday, February 18, 2016

A quick analysis of a suspicious email...

The other day, I received the email below, which is a good example of a potential “phish”. It was suspicious to me because I didn’t expect it, and it has the big “Activate your account” button on it, which always makes me nervous.

I hovered my mouse over the “Activate your account” button, and it showed this URL:

Hmmm… doesn’t match. Not sure about this one. However, I noticed that the email spells out the actual website, so I could manually enter

Before doing so, however, I entered it into one of my favorite URL checking sites. It reported no reputation concerns with the website (0 out of 29 is good :).

I then manually entered it in my browser, and the site appears legit. To be double-sure, I searched for “Calpers Compare” on the website, and it checks out.

Hope you enjoyed this example of investigating a suspicious email as much as I did!  ;)
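The check described above (hover over the button, compare the link’s real target with the website the email spells out) can be automated for a whole HTML message. The following is an added example written for this post, not code from the original post or from any tool it mentions. It assumes a constructed sample email and a simple “last two labels” notion of a registered domain (no public-suffix list, so country-code domains such as .co.uk would need extra handling).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample HTML email (not the message from the post): the body spells out
# the real site, but the "Activate your account" button points somewhere else.
SAMPLE_EMAIL = """
<html><body>
<p>Your account at <b>www.example.com</b> is ready.</p>
<p><a href="http://example.com.account-verify.example.net/activate">Activate your account</a></p>
<p>Or compare plans at <a href="https://www.example.com/compare">www.example.com/compare</a>.</p>
<p><a href="mailto:help@example.com">Contact support</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs: what hovering over a link would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host: str) -> str:
    """Registered-looking domain: the last two labels of the hostname.
    Assumption: no public-suffix list, so 'example.co.uk' would reduce to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Anything that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def suspicious_links(html: str, spelled_out_site: str) -> list:
    """Flag links whose real destination is not the site the email names in plain
    text, or whose visible text shows a different domain than the href."""
    expected = base_domain(spelled_out_site)
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are not web destinations
        target = base_domain(parsed.hostname or "")
        reasons = []
        if target != expected:
            reasons.append(f"destination {target!r} is not the site named in the email ({expected!r})")
        shown = {base_domain(m) for m in DOMAIN_RE.findall(text)}
        if shown and target not in shown:
            reasons.append(f"link text shows {sorted(shown)} but points to {target!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "www.example.com"):
        print(f"{finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the constructed sample, the “Activate your account” button is the only link flagged: its host ends in example.net even though it starts with the real site’s name, which is exactly the kind of mismatch the hover check catches.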

Password Reuse...

Password reuse—using the same password for multiple sites or services—is both rampant and dangerous.

Sites that have either leaked user passwords and/or had attempted account hacking using reused passwords include:

LinkedIn, Dropbox, Hotmail, Gmail, Yahoo!, Amazon

The worst part: Many users whose passwords were leaked had used the same password for all of their site accounts. This meant that one password loss at one site could have granted access to many or all of their accounts.

An Example
Suppose you use the same password on Sony’s PlayStation Network as you use when shopping with Best Buy. Now, suppose that your PlayStation username and password were among the 77 million leaked in April 2011. An attacker could, in principle, use that information to take a good guess at your password for Best Buy.

From a report by John Fontana at ZDNet:
“After months of Best Buy customers reporting compromised accounts, the company has finally confirmed hackers are attacking its online retail site using credentials stolen from other sites. It’s a worst-case scenario, where credentials stolen from one site are used to access other sites, most notably retail or banking sites where hackers can extract some value.”

Now just imagine an employee doing the same thing, using their employee account password on an outside site.

What should we do?
  • As you should with your personal accounts, don’t use the same passwords for employee accounts, especially for work accounts where the password is stored by a 3rd party outside of your organization. And don’t use your employee account passwords on any personal site.
  • Use a secure password management tool to manage and store all of the passwords for your accounts.
  • Use 2-factor authentication. Read more about 2-factor authentication here:

Macro malware continues...

We continue to see an uptick in the number of phishing emails with attachments that have macros in them. Here’s an example of an interesting one:

If you have the default macro setting in Office, you would see the following message if you opened the file:

By enabling content (running the macro), your system would become seriously infected.

Here’s the checklist for avoiding these dangerous files:

  • Don’t immediately open attachments that you aren’t expecting. Make sure first that they are from a legitimate source.
  • IF the file asks to enable macros, be sure to verify the file with the sender before doing so.
  • NEVER configure Office to allow all macros to automatically run.

Stay suspicious…

A password quiz..

Here’s a quick password quiz:

Which password below is the hardest to crack but the easiest to remember?

  1. Jasmine1
  2. H&1#5dy<?72Rvlt
  3. It’s been a hard days night 4 SueM

If you chose #3, you are a winner.  And you probably use easy-to-remember, hard to crack passphrases (see below for why).

Remember, password managers make remembering a lot of passwords unnecessary.  

Password: Jasmine1
Time to crack: < 1 second
Why it is bad: In a password cracking wordlist

Password: H&1#5dy<?72Rvlt
Time to crack: 4 trillion years
Why it is bad unless you use a password manager: Complex but hard to remember and type

Password: It’s been a hard days night 4 SueM
Time to crack: 7 quattuordecillion years (however long that is ;)
Why it is good: A personalized remember-able passphrase that’s 34 characters long!
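To show where numbers like the ones in this quiz and in the “Password cracking in the news” section come from, here is an added example (not code from the original post, and not the cracking-time tool the author used). It sizes the brute-force search space from the character classes a password uses and divides by an assumed guess rate of 10 billion guesses per second; that rate, and the tiny wordlist, are constructed assumptions, so the absolute times differ from the post’s figures, but the ordering and the “in a wordlist, so instant” case come out the same.

```python
import string

# Character classes used to size the search space (conventional choice, an assumption).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = {"jasmine", "password", "welcome", "letmein"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10  # assumed attacker speed; real rates depend on hash type and hardware


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))
    # Characters outside the four classes (e.g. a curly apostrophe) widen the pool further.
    extra = {c for c in pw if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def keyspace(pw: str) -> int:
    """Worst-case number of guesses for a brute-force search of this length and alphabet."""
    return charset_size(pw) ** len(pw)


def in_wordlist(pw: str) -> bool:
    """The 'dictionary word plus digits' pattern that rule-based cracking finds instantly."""
    stem = pw.lower().rstrip(string.digits + string.punctuation)
    return stem in WORDLIST


def seconds_to_crack(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time at the assumed guess rate; zero if a wordlist would find it outright."""
    if in_wordlist(pw):
        return 0.0
    return keyspace(pw) / rate


def human_time(seconds: float) -> str:
    """Readable duration, loosely in the style of online crack-time estimators."""
    if seconds < 1:
        return "< 1 second"
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years >= 1e27:
        return f"{years:.2e} years"
    for scale, name in ((1e24, "septillion"), (1e21, "sextillion"), (1e18, "quintillion"),
                        (1e15, "quadrillion"), (1e12, "trillion"), (1e9, "billion"),
                        (1e6, "million")):
        if years >= scale:
            return f"{years / scale:.3g} {name} years"
    return f"{years:,.0f} years"


def assess(pw: str) -> dict:
    """Summary a reader can compare against the quiz answers."""
    secs = seconds_to_crack(pw)
    return {
        "password": pw,
        "length": len(pw),
        "alphabet": charset_size(pw),
        "keyspace": keyspace(pw),
        "seconds": secs,
        "time": human_time(secs),
        "note": "in a cracking wordlist" if in_wordlist(pw) else "brute force only",
    }


if __name__ == "__main__":
    for candidate in ("Jasmine1", "H&1#5dy<?72Rvlt", "It’s been a hard days night 4 SueM"):
        r = assess(candidate)
        print(f"{r['password']!r}: {r['length']} chars, alphabet {r['alphabet']}, "
              f"{r['time']} ({r['note']})")
```

Two things the arithmetic makes visible: “Jasmine1” would take a few hours by brute force at this rate, but it never gets that far because a wordlist with “append digits” rules finds it immediately; and the 34-character passphrase wins by length alone, even though its alphabet is only marginally larger than the 15-character complex password’s.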

Data Stealers and the Drive-By Download

Most of you are already aware of “phishing” attempts and “Trojan horses” that deliver malware that can infect your computer. Today I want to introduce you to the “drive-by download”…

What you see on your screen is not always all you are getting when you browse the Internet…

It’s not uncommon to get what you didn’t bargain for. “Drive-by downloads” happen during Internet browsing when your computer downloads, without your knowledge, something that infects your system, usually with the intent to steal your information and your credentials. Many websites are often used as part of a multi-step attack, as seen in the example graphic below:

The most common means of infection are search engine poisoning, malicious forum posts, and malicious advertisements. The vulnerabilities these exploits target are most commonly in Windows, Java, Flash, and Acrobat.

If successful, often a data stealer such as “Zeus” or one of the ever-popular “Exploit Kits” is installed. These tools allow information and credentials to be captured on your computer and sent to an unknown 3rd party.

What can we do to lower the chances of this kind of data theft?

Keep the software on your computer up-to-date
Don’t run vulnerable versions of applications, especially Windows, Java, Flash and Acrobat software. If your computer is up-to-date, these exploits are less effective.

Browse carefully
While not a guarantee, staying on known, good sites and avoiding lesser known sites can lower the risk, and is especially important if you are browsing on a computer that houses or processes sensitive information. In that case, it is better yet to use a different computer to browse the Internet. If possible, limit your browsing at work to sites related to business.

Use a web filter
A web filter blocks known compromised websites. While it can’t catch everything, it does lower the risk significantly. Consider using a web filter at home; free options include K9 and OpenDNS.

Use updated browsers and operating systems

The latest versions of operating systems and Internet browsers have features for and are designed to better resist these types of attacks.

Don’t surf the web as an “administrator” on your computer
Remember that malware will almost always do as much damage to your computer as your account has permission to do. For your home computer, consider browsing the Internet with an account that has lesser privileges. Advanced users should consider browsing from a virtual machine, and using ad blockers and NoScript, which can block script execution on new or unknown sites.

And don’t forget… Back up your files!
Sooner or later, something bad does happen. Always be sure that you can continue working even if your computer can’t.

Wednesday, February 17, 2016

A very interesting spam email...

As you probably can guess, as a security team we see LOTS of spam email.  And we always encourage avoiding any interaction with them. :)  The email below is no different, and has the obvious markings of being SPAM.  But it has something else very interesting too…

In the orange bar, there is some text.  That text and the contents of the message contain what seems to be a rather good recipe for a salad: 
* tablespoons olive oil
* 1 1/2 tablespoons fresh lemon juice
* 1 tablespoon red wine vinegar
* 2 garlic cloves, minced
* 1 teaspoon dried oregano (Mediterranean is best)
* Salad
* 1 head lettuce, torn into bite-size pieces (I use Romaine)
* 3 large plum tomatoes, seeded and coarsely chopped
* 1 English cucumber, peeled and coarsely chopped (the long, thin, almost seedless ones)
* 1 medium red onion, cut into thin rings and soaked for 10 minutes in a small bowl of ice water to make it less sharp
* 1 small green pepper, cut into thin rings
* 3/4 cup kalamata olives
* 3/4 cup crumbled feta cheese

We think that you will enjoy this.

1. Seed the bell peppers and cut them into 1-inch chunks. Stem the cherry tomatoes and halve one-half of them, leaving the others whole.
2. Peel and thickly slice the cucumbers, and thinly slice the red onions. Cut the feta cheese into 1-inch cubes. Crush and mince the garlic clove.
3. In a large bowl, combine the bell peppers, tomatoes, cucumbers, onions, feta cheese, olives, anchovies and capers and toss together.
4. In a small bowl, whisk together the vinegar, garlic, dill, oregano, salt and pepper. While whisking, slowly drizzle in the olive oil to make a thick dressing.
5. Pour the dressing over the salad, toss and serve now. This is the most delicious salad - fresh and wonderful-tasting. FYI, lettuce can very much be a part of any greek salad - if you want it to. We like lettuce in my family and I often add it. It would not be 'authentic' in a Horiatiki (village) salad, but who cares?

Why, you ask???  It’s because spammers often fill the content of their emails with unrelated text that will increase the chances of their email getting past anti-spam filters.  Normally, they hide the text in the source of the email, so you can’t see it.  In this case, they must have forgotten to do that…

Remember to think before you click! :)

Those online security questions...

I’ve had a few people ask me about how to best handle online security questions.  You know, the ones they ask so that you can verify your identity if you forget your password, etc.  Security questions are one of the age-old institutions of digital authentication. Their flaws are well documented -- answers are often easy to guess or look up, and companies themselves seem not to take them seriously -- and yet, they're still used everywhere.


The most important thing to remember is that when you answer the questions, make sure that the answers can’t be easily discovered by someone else who might want to impersonate you.

As an option, here’s how I handle it:  I’ve created a fictional scenario in my mind about how I grew up -- where I lived (or would have liked to), who my best friend was, what my first car was, you get the idea.  And I’ve memorized it (it’s not hard to remember).  Whenever I come across online security questions, I answer the questions using the fake scenario!  None of that info is available to anyone, so they are super secure answers (like my mother’s fake maiden name, etc.).  And no, it has nothing to do with Breaking Bad. ;)

Be safe!

Remember to setup alerts on your bank accounts...

Remember, during security awareness training, when we talked about setting up alerts on our credit card and bank accounts?

Um, ok, good. Well, it paid off (once again). Last week I suddenly received 3 of these alerts:

Yikes!  Not me!  I immediately got on the phone to Capital One, where I informed them of the unlawful use.  Someone got my credit card # and made some purchases in Louisiana.  Ultimately Capital One recognized the transactions as suspicious, but I saw it first.  :))   As in any computing activity, alerting and monitoring for the win!!

Total charges they made were around $300, which I’m not responsible for.  That’s why it’s important not to use a debit card for purchases whenever possible.  A bad guy can empty your debit card checking account and the bank isn’t necessarily liable in that instance.  Save your debit card for getting cash at your bank’s ATM.

So be sure to turn alerts on for your credit card and bank accounts!  And enable 2-factor authentication for your online accounts where it is available (see where at

By the way, 300 dollars at a DOLLAR general store???  Wow, that’s some serious stockpiling…