Friday, March 2, 2018

Bad Boys, Bad Boys, whatcha gonna do when they come for you?

By David Pitts

March, 2018

Phishing, spear phishing, whaling, pharming, viruses, spam, rootkits – it’s as if computer people have their own dictionary! And, they do!

Back in the fall of 2017, Deloitte, one of the world’s “big four” accounting firms, disclosed a breach of its internal email system. Reports circulating online say the intrusion had been going on for about a year and involved a compromise of all administrator accounts and the entire email system (cf. https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ (1) for more on this). Breaches are not uncommon: Deloitte, Uber, Equifax, Sony, FedEx, Pizza Hut, Yahoo and a long list of other companies reported breaches in just the past year.

Many of these breaches occurred in conjunction with, or even through, email systems. Current estimates put the number of new malware (malicious software) samples discovered at over 100,000 every day(2). Perhaps it is time to rethink how we think about, react to, and compose email.

Hackers look for the path of least resistance. To most of them an organization’s size makes no difference: they look for a vulnerability and they exploit it. Brute-forcing a password is usually a waste of their time, because there are easier paths (a phishing email, a reused password, an unpatched program) that are quicker and succeed far more often. Once a system is breached, nothing on it can be trusted. Email systems are a favorite target because a single mailbox holds contacts, password-reset messages and the trust of everyone who knows the sender, so gaining access to one account often leads to many more, both inside and outside the organization.

Security looks at three facets of data. The first is confidentiality: is the data limited to the people, systems and services that need access, and no further? The second is integrity: is the data what it is supposed to be, or has it been altered? Can it be trusted? The third is availability: is the data there when and where those authorized to use it need it? In security terms this is known as the CIA triad(3). Are your data and your systems confidential, trustworthy and available? Will they be tomorrow?

Recommendations concerning emails:

  • Always read emails you compose as though they might be read by someone other than the intended recipient. Don’t include personal information, ID numbers, phone numbers, email addresses, etc. that are not absolutely needed. Maybe that information, criticism, or whatever would be better shared in a phone conversation? Ask yourself what would happen if someone like Anonymous, a foreign government, a customer or a competitor saw the email. What if it were released to the press or put on social media? What would be the ramifications for you, your co-workers, your organization, your clients, vendors, and partners?
  • If you are including company or personal confidential information, make sure it is protected according to your organization’s data classification standards.
  • Make sure your email is addressed to the correct people before you hit send. Attackers register look-alike domains (common misspellings of a real domain) precisely so that mail sent to them by mistake lands in their hands.
  • Use passwords that are long and complex, and use a different one for each site and purpose.
  • Keep your operating system and software up to date. Even if you think software updates automatically, check manually on a regular schedule. Adobe products, Java, Office, web browsers and security software all update frequently, and so do browser add-ons.
  • Is your firewall on? A software firewall should be running on every end-user system.
  • Scrutinize emails carefully, and attachments most of all. Never open or download an attachment if you can avoid it. If you must open one, be sure you know where it came from and that your anti-virus is actively scanning email attachments. Even email from people you believe are legitimate can carry malware, because their account may be the one that was compromised.
  • Do not trust email, particularly unsolicited email.
  • Don’t click on links in email messages; type the address yourself or use a bookmark.
  • Back up your important data. If your computer locked up right now for any reason (hardware failure, malware, ransomware, etc.), do you have a storage device separate from your system where your important files are kept? If you back up to an external hard drive, do you detach it when you are not backing up?
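As an added illustration of the look-alike domain and link warnings above (this is example code written for this page, not part of the original post or of any product), the following Python script flags outgoing recipients whose domain is a near miss of a trusted one, and links whose visible text names a different host than the one the href really goes to. The trusted-domain list, the glyph table and the sample addresses are constructed assumptions for the demonstration.

```python
"""Check outgoing recipients for look-alike domains and links whose visible
text points somewhere other than their real target.

Added illustration for the recommendations above; it is not code from the
original post. The trusted-domain list, the glyph table and the sample
recipients are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: domains this organisation legitimately mails to.
TRUSTED_DOMAINS = {"example.com", "example-partners.com"}

# Characters attackers swap in because they look alike on screen.
# Assumption: a small hand-picked table; real deployments use the Unicode
# confusables data. It is applied to trusted and untrusted names alike, so
# folding a legitimate "cl" to "d" cannot by itself create a mismatch.
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
              "8": "b", "rn": "m", "vv": "w", "cl": "d"}

ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
URL_LIKE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold look-alike glyphs."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one mail domain.

    'lookalike' means: not on the list, but after glyph folding it is within
    max_distance edits of a listed domain (typosquat, transposition, dropped
    character). 'unknown' is merely unlisted and needs no special alarm.
    """
    if domain.lower().rstrip(".") in trusted:
        return "trusted"
    folded = normalize(domain)
    for good in trusted:
        if edit_distance(folded, normalize(good)) <= max_distance:
            return "lookalike"
    return "unknown"


def check_recipients(addresses):
    """Classify the domain of every address; malformed entries are 'invalid'."""
    verdicts = {}
    for addr in addresses:
        m = ADDRESS_RE.match(addr.strip())
        verdicts[addr] = classify_domain(m.group(1)) if m else "invalid"
    return verdicts


def link_text_mismatch(href: str, visible_text: str) -> bool:
    """True when a link's visible text looks like a URL whose host differs
    from the host the href really goes to (the classic phishing link)."""
    shown = visible_text.strip()
    if not URL_LIKE_RE.match(shown):
        return False  # plain words such as "click here": nothing to compare
    shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname
    return shown_host != urlsplit(href).hostname


# Constructed outgoing recipient list for the demonstration.
SAMPLE_RECIPIENTS = [
    "alice@example.com",           # on the list
    "bob@examp1e.com",             # digit one in place of the letter l
    "carol@exmaple.com",           # transposed letters
    "dave@example-partner.com",    # trailing s dropped
    "erin@gmail.com",              # unrelated, merely unlisted
    "not-an-address",
]

if __name__ == "__main__":
    for addr, verdict in check_recipients(SAMPLE_RECIPIENTS).items():
        print(f"{verdict:9} {addr}")
    print(link_text_mismatch("http://examp1e.com/login", "https://example.com/login"))
```

Run it as-is to see a verdict for each constructed address; in practice the same check belongs in a send-time hook or a mail gateway, with the glyph table taken from Unicode’s confusables data rather than a hand-picked dictionary. Edit distance alone is crude (very short domains produce false positives at distance 2), so treat a “lookalike” verdict as a prompt to look twice before sending, not as an automatic block.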

The graphic posted on KrebsOnSecurity(4) in 2013 shows the many ways a hacked email account can be turned into money. It could use an update, but its essence is spot on.

You may ask yourself what an email credential is worth. According to the same KrebsOnSecurity article, “One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.”

There is a lot of good literature on recognizing and avoiding email scams, including guidance from US-CERT(5) and others. At least once a year, read through one or two of these, take note of what is going on, and be smart about it. Above all, use common sense. Remember, just about everybody is a victim; some simply have not been victimized yet. We are all human: we make mistakes, we click on things we shouldn’t, and we expose ourselves and our organization to risk. Add the number of usernames and passwords already compromised and in the hands of criminals, and the problem only gets worse. A security researcher in Paris unearthed an open web server hosted in the Netherlands holding as many as 711 million usernames and passwords(6). The bottom line is that we are past the point of thinking about breaches as something that happens to other people. Assume your PII is no longer private and that some of your usernames and passwords are already compromised. Use 2-step verification where available, add recovery email addresses, harden your hardware, use strong passwords, don’t rely on your router’s default DNS servers, keep software up to date, and remember that even the best defenses fail.

If you do fall victim to an attack, know now that it is no fun. It is frustrating and time-consuming, and cleaning up can be very difficult; sometimes it means completely wiping many computers’ hard drives and reinstalling fresh operating systems (you do have that disconnected backup, right?). Get assistance quickly. Communicating with your organization’s security team is key, and so is taking the affected systems off the network. For personal equipment, tools like Malwarebytes(7) and SUPERAntiSpyware(8) are useful to have on hand before the breach, not after.

Oh, and one final note... Microsoft doesn’t call you at home about problems with your computer. Anyone who does is running a scam. Just don’t accept that!


1. Krebs Deloitte Breach: https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
2. Cybersecurity Threats and Basic Cyber Hygiene: https://www.brookings.edu/on-the-record/cybersecurity-threats-and-basic-cyber-hygiene/
3. CIA Triad: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
4. The value of a hacked email account: https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
5. US CERT Recognizing and Avoiding Email Scams: https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf
6. 32 of the most infamous data breaches: https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
7. Malwarebytes: https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
8. SUPERAntiSpyware: http://www.superantispyware.com/
