DISTRIBUTED DENIAL OF service attacks, in which hackers use a targeted hose of junk traffic to overwhelm a service or take a server offline, have been a digital menace for decades. But in just the last 18 months, the public picture of DDoS defense has evolved rapidly. In fall 2016, a rash of then-unprecedented attacks caused internet outages and other service disruptions at a series of internet infrastructure and telecom companies around the world. Those attacks walloped their victims with floods of malicious data measured up to 1.2 Tbps. And they gave the impression that massive, “volumetric” DDoS attacks can be nearly impossible to defend against.
The past couple of weeks have presented a very different view of the situation, though. On March 1, Akamai defended developer platform GitHub against a 1.3 Tbps attack. And early last week, a DDoS campaign against an unidentified service in the United States topped out at a staggering 1.7 Tbps, according to the network security firm Arbor Networks. Which means that for the first time, the web sits squarely in the “terabit attack era,” as Arbor Networks put it. And yet, the internet hasn’t collapsed.
One might even get the impression from recent high-profile successes that DDoS is a solved problem. Unfortunately, network defenders and internet infrastructure experts emphasize that despite the positive outcomes, DDoS continues to pose a serious threat. And sheer volume isn’t the only danger. Ultimately, anything that causes disruption and affects service availability by diverting a digital system’s resources or overloading its capacity can be seen as a DDoS attack. Under that conceptual umbrella, attackers can generate a diverse array of lethal campaigns.
“DDoS will never be over as a threat, sadly,” says Roland Dobbins, a principal engineer at Arbor Networks. “We see thousands of DDoS attacks per day—millions per year. There are major concerns.”
One example of a creative interpretation of a DDoS is the attack Netflix researchers tried out against the streaming service itself in 2016. It works by targeting Netflix’s application programming interface with carefully tailored requests. These queries are built to start a cascade within the middle and backend application layers the streaming service is built on—demanding more and more system resources as they echo through the infrastructure. That type of DDoS only requires attackers to send out a small amount of malicious data, so mounting the offensive would be cheap and efficient, but clever execution could cause internal disruptions or a total meltdown.
“What creates the nightmare situations are the smaller attacks that overwork applications, firewalls, and load balancers,” says Barrett Lyon, head of research and development at Neustar Security Solutions. “The big attacks are sensational, but it’s the well-crafted connection floods that have the most success.”
These types of attacks target specific protocols or defenses as a way of efficiently undermining broader services. Overwhelming the server that manages firewall connections, for example, can allow attackers to access a private network. Similarly, deluging a system’s load balancers—devices that manage a network’s computing resources to improve speed and efficiency—can cause backups and overloads. These types of attacks are “as common as breathing,” as Dobbins puts it, because they take advantage of small disruptions that can have a big impact on an organization’s defenses.
Similarly, an attacker looking to disrupt connectivity on the internet in general can target the exposed protocols that coordinate and manage data flow around the web, rather than trying to take on more robust components.
That’s what happened last fall to Dyn, an internet infrastructure company that offers Domain Name System services (essentially the address book routing structure of the internet). By DDoSing Dyn and destabilizing the company’s DNS servers, attackers caused outages by disrupting the mechanism browsers use to look up websites. “The most frequently attacked targets for denial of service is web servers and DNS servers,” says Dan Massey, chief scientist at the DNS security firm Secure64 who formerly worked on DDoS defense research at the Department of Homeland Security. “But there are also so many variations on and so many components of denial of service attacks. There’s no such thing as one-size-fits-all defense.”
Memcached and Beyond
The type of DDoS attack hackers have been using recently to mount enormous attacks is somewhat similar. Known as memcached DDoS, these attacks take advantage of unprotected network management servers that aren’t meant to be exposed on the internet. And they capitalize on the fact that they can send a tiny customized packet to a memcached server, and elicit a much larger response in return. So a hacker can query thousands of vulnerable memcached servers multiple times per second each, and direct the much larger responses toward a target.
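The amplification described above leaves a measurable signature in flow records: UDP responses from memcached's default port (11211) that are many times larger than any request, or that arrive at a host which never sent a request at all (the victim's view of a reflection attack, where the request carried a spoofed source). The following detector is an added example, not code from the article or from Arbor Networks or Akamai; the flow records are constructed from documentation address ranges, and the 50x threshold is an assumed tuning value.

```python
"""Flag memcached amplification traffic in flow records (constructed sample data)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

MEMCACHED_PORT = 11211  # memcached's default port; UDP exposed here is what the attacks abuse


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Constructed flow records, not captured traffic. Addresses come from the
# documentation ranges (TEST-NET-2/3) and the 10.0.0.0/8 private range.
SAMPLE_FLOWS: List[Flow] = [
    # Legitimate cache traffic: an app server queries its own memcached and gets a reply.
    Flow("203.0.113.20", 40111, "10.0.0.5", MEMCACHED_PORT, "udp", 60, 1),
    Flow("10.0.0.5", MEMCACHED_PORT, "203.0.113.20", 40111, "udp", 1200, 1),
    # Reflected responses hitting 203.0.113.10, which never sent a request (spoofed source).
    Flow("198.51.100.7", MEMCACHED_PORT, "203.0.113.10", 80, "udp", 2_800_000, 2000),
    Flow("198.51.100.9", MEMCACHED_PORT, "203.0.113.10", 80, "udp", 2_100_000, 1500),
    # A tiny request answered by a response tens of thousands of times larger.
    Flow("203.0.113.30", 40222, "198.51.100.11", MEMCACHED_PORT, "udp", 15, 1),
    Flow("198.51.100.11", MEMCACHED_PORT, "203.0.113.30", 40222, "udp", 750_000, 600),
    # Unrelated TCP session, ignored by the detector.
    Flow("203.0.113.10", 51000, "192.0.2.1", 443, "tcp", 5000, 10),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent: the quantity an amplification attack exploits."""
    if request_bytes <= 0:
        return float("inf")
    return response_bytes / request_bytes


def detect_amplification(flows: List[Flow], threshold: float = 50.0) -> List[dict]:
    """Return one alert per (memcached server, host) pair that looks like amplification.

    Two signals are used:
      * 'unsolicited': UDP responses from port 11211 reach a host that sent no request
        to that server (what a reflection victim sees);
      * 'amplified': a request exists but the response is `threshold` times larger.
    """
    inbound: Dict[Tuple[str, str], int] = defaultdict(int)   # (server, host) -> response bytes
    outbound: Dict[Tuple[str, str], int] = defaultdict(int)  # (server, host) -> request bytes
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == MEMCACHED_PORT:
            inbound[(f.src_ip, f.dst_ip)] += f.bytes
        elif f.dst_port == MEMCACHED_PORT:
            outbound[(f.dst_ip, f.src_ip)] += f.bytes

    alerts = []
    for (server, host), resp_bytes in sorted(inbound.items()):
        req_bytes = outbound.get((server, host), 0)
        factor = amplification_factor(req_bytes, resp_bytes)
        if req_bytes == 0:
            reason = "unsolicited"
        elif factor >= threshold:
            reason = "amplified"
        else:
            continue  # ordinary cache traffic: request and reply of comparable size
        alerts.append({"reflector": server, "target": host, "response_bytes": resp_bytes,
                       "factor": factor, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_amplification(SAMPLE_FLOWS):
        print(f"{a['reason']:11} {a['reflector']} -> {a['target']} "
              f"{a['response_bytes']} bytes, x{a['factor']:.0f}")
```

The legitimate request/reply pair (60 bytes out, 1200 bytes back) stays below the threshold and produces no alert, while the two reflectors hitting 203.0.113.10 are reported as unsolicited because no outbound request to them exists in the records. The same per-pair ratio works from the other side of the exchange, so a network operator can also use it to learn that one of its own memcached servers is being used as a reflector.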
This approach is easier and cheaper for attackers than generating the traffic needed for large-scale volumetric attacks using a botnet—the platforms typically used to power DDoS assaults. The memorable 2016 attacks were famously driven by the so-called “Mirai” botnet. Mirai infected 600,000 unassuming Internet of Things products, like webcams and routers, with malware that hackers could use to control the devices and coordinate them to produce massive attacks. And though attackers continued to refine and advance the malware—and still use Mirai-variant botnets in attacks to this day—it was difficult to maintain the power of the original attacks as more hackers jockeyed for control of the infected device population, and it splintered into numerous smaller botnets.
While effective, building and maintaining botnets requires resources and effort, whereas exploiting memcached servers is easy and almost free. But the tradeoff for attackers is that memcached DDoS is more straightforward to defend against if security and infrastructure firms have enough bandwidth. So far, the high-profile memcached targets have all been defended by services with adequate resources. In the wake of the 2016 attacks, foreseeing that volumetric assaults would likely continue to grow, defenders seriously expanded their available capacity.
As an added twist, DDoS attacks have also increasingly incorporated ransom requests as part of hackers’ strategies. This has especially been the case with memcached DDoS. “It’s an attack of opportunity,” says Chad Seaman, a senior engineer on the security intelligence response team at Akamai. “Why not try and extort and maybe trick someone into paying it?”
The DDoS defense and internet infrastructure industries have made significant progress on DDoS mitigation, partly through increased collaboration and information-sharing. But with so much going on, the crucial point is that DDoS defense is still an active challenge for defenders every day. “When sites continue to work, it doesn’t mean it’s easy or the problem is gone,” Neustar’s Lyon says. “It’s been a long week.”
How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.
For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:
Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google Chrome, Apple’s Safari, or some recent version of Microsoft’s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” and it allows browsers to render domains with non-Latin alphabets like Cyrillic and Ukrainian.
Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way. Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain):
IE, Edge, Chrome and Safari all will convert https://www.са.com/ into its punycode output (xn--80a7a.com), in part to warn visitors about any confusion over look-alike domains registered in other languages. But if you load that domain in Mozilla Firefox and look at the address bar, you’ll notice there’s no warning of possible danger ahead. It just looks like it’s loading the real ca.com:
The domain “xn--80a7a.com” pictured in the first screenshot above is punycode for the Ukrainian letters for “s” (which is represented by the character “c” in Russian and Ukrainian), as well as an identical Ukrainian “a”.
It was registered by Alex Holden, founder of Milwaukee, Wis.-based Hold Security Inc. Holden’s been experimenting with how the different browsers handle punycodes in the browser and via email. Holden grew up in what was then the Soviet Union and speaks both Russian and Ukrainian, and he’s been playing with Cyrillic letters to spell English words in domain names.
Letters like A and O look exactly the same and the only difference is their Unicode value. There are more than 136,000 Unicode characters used to represent letters and symbols in 139 modern and historic scripts, so there’s a ton of room for look-alike or malicious/fake domains.
For example, “a” in Latin is the Unicode value “0061” and in Cyrillic is “0430.” To a human, the graphical representation for both looks the same, but for a computer there is a huge difference. Internationalized domain names (IDNs) allow domain names to be registered in non-Latin letters (RFC 3492), provided the domain is all in the same language; trying to mix two different IDNs in the same name causes the domain registries to reject the registration attempt.
So, in the Cyrillic alphabet (Russian/Ukrainian), we can spell АТТ, УАНОО, ХВОХ, and so on. As you can imagine, the potential opportunity for impersonation and abuse are great with IDNs. Here’s a snippet from a larger chart Holden put together showing some of the more common ways that IDNs can be made to look like established, recognizable domains:
Holden also was able to register a valid SSL encryption certificate for https://www.са.com from Comodo.com, which would only add legitimacy to the domain were it to be used in phishing attacks against CA customers by bad guys, for example.
A SOLUTION TO VISUAL CONFUSION
To be clear, the potential threat highlighted by Holden’s experiment is not new. Security researchers have long warned about the use of look-alike domains that abuse special IDN/Unicode characters. Most of the major browser makers have responded in some way by making their browsers warn users about potential punycode look-alikes.
With the exception of Mozilla, which by most accounts is the third most-popular Web browser. And I wanted to know why. I’d read the Mozilla Wiki’s IDN Display Algorithm FAQ, so I had an idea of what Mozilla was driving at in their decision not to warn Firefox users about punycode domains: Nobody wanted it to look like Mozilla was somehow treating the non-Western world as second-class citizens.
I wondered why Mozilla doesn’t just have Firefox alert users about punycode domains unless the user has already specified that he or she wants a non-English language keyboard installed. So I asked that in some questions I sent to their media team. They sent the following short statement in reply:
“Visual confusion attacks are not new and are difficult to address while still ensuring that we render everyone’s domain name correctly. We have solved almost all IDN spoofing problems by implementing script mixing restrictions, and we also make use of Safe Browsing technology to protect against phishing attacks. While we continue to investigate better ways to protect our users, we ultimately believe domain name registries are in the best position to address this problem because they have all the necessary information to identify these potential spoofing attacks.”
If you’re a Firefox user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type “about:config” without the quotes into a Firefox address bar. Then in the “search:” box type “punycode,” and you should see one or two options there. The one you want is called “network.IDN_show_punycode.” By default, it is set to “false”; double-clicking that entry should change that setting to “true.”
Incidentally, anyone using the Tor Browser to anonymize their surfing online is exposed to IDN spoofing because Tor by default uses Mozilla as well. I could definitely see spoofed IDNs being used in targeting phishing attacks aimed at Tor users, many of whom have significant assets tied up in virtual currencies. Fortunately, the same “about:config” instructions work just as well on Tor to display punycode in lieu of IDNs.
Holden said he’s still in the process of testing how various email clients and Web services handle look-alike IDNs. For example, it’s clear that Twitter sees nothing wrong with sending the look-alike CA.com domain in messages to other users without any context or notice. Skype, on the other hand, seems to truncate the IDN link, sending clickers to a non-existent page.
“I’d say that most email services and clients are either vulnerable or not fully protected,” Holden said.
For a look at how phishers or other scammers might use IDNs to abuse your domain name, check out this domain checker that Hold Security developed. Here’s the first page of results for krebsonsecurity.com, which indicate that someone at one point registered krebsoṇsecurity[dot]com (that domain includes a lowercase “n” with a tiny dot below it, a character used by several dozen scripts). The results in yellow are just possible (unregistered) domains based on common look-alike IDN characters.
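To make the Unicode point above concrete (Latin “a” is U+0061, Cyrillic “а” is U+0430, and the look-alike “са.com” becomes “xn--80a7a.com”), and to show the kind of check a domain checker like Holden’s performs, here is an added example in Python. It is not the post’s own code nor Hold Security’s tool, and it is not any browser’s actual display algorithm: it uses Python’s built-in IDNA codec for the punycode conversion, approximates a character’s script from its Unicode name, and works from a small look-alike table constructed from the Cyrillic/Latin pairs discussed in the text. It flags labels that mix scripts, all-Cyrillic labels that read as an English word, and Latin labels carrying decorated letters such as the dotted “ṇ”, while leaving an ordinary all-Cyrillic name alone.

```python
"""Punycode rendering and look-alike (homograph) checks for domain names."""
import unicodedata
from typing import Dict, List

# Cyrillic lowercase letters whose glyphs are near-identical to Latin ones. Constructed
# from the pairs discussed in the text (с/c, а/a and friends); not an exhaustive table.
CYRILLIC_LOOKALIKES: Dict[str, str] = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}


def to_punycode(domain: str) -> str:
    """Render a domain the way Chrome, Edge and Safari display it: ASCII labels are
    left alone, non-ASCII labels become xn-- punycode (Python's built-in IDNA codec)."""
    return domain.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name: 'LATIN', 'CYRILLIC', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze_label(label: str) -> dict:
    """Per-label facts a homograph checker needs: scripts used, mixing, confusability."""
    letters = [ch for ch in label if ch.isalpha()]
    scripts = sorted({script_of(ch) for ch in letters})
    # Whole-script confusable: every letter is a Cyrillic look-alike, so the label
    # reads as an English word (the СА / АТТ / ХВОХ cases from the text).
    confusable = bool(letters) and all(ch in CYRILLIC_LOOKALIKES for ch in letters)
    return {
        "label": label,
        "ascii": label.isascii(),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "whole_script_confusable": confusable,
        "latin_lookalike": "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
        if confusable else None,
    }


def analyze_domain(domain: str) -> dict:
    """Flag the IDN patterns that fool a human eye. An all-Cyrillic name that spells
    a Cyrillic word passes; decorated Latin letters are flagged for review."""
    reasons: List[str] = []
    for lab in (analyze_label(part) for part in domain.lower().split(".")):
        if lab["mixed_script"]:
            reasons.append(f"{lab['label']!r} mixes scripts {lab['scripts']}")
        if lab["whole_script_confusable"]:
            reasons.append(f"{lab['label']!r} is Cyrillic but reads as Latin "
                           f"{lab['latin_lookalike']!r}")
        elif not lab["ascii"] and lab["scripts"] == ["LATIN"]:
            reasons.append(f"{lab['label']!r} uses decorated Latin letters (e.g. a dot below)")
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name in ("ca.com", "\u0441\u0430.com", "p\u0430ypal.com",
                 "krebso\u1e47security.com",
                 "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444"):
        result = analyze_domain(name)
        print(f"{name:26} -> {result['punycode']:34} suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("    ", reason)
```

Running it shows “са.com” converting to “xn--80a7a.com” and being flagged as reading like “ca”, the dotted “krebsoṇsecurity.com” flagged for its decorated Latin letter, and a genuine Cyrillic name passing untouched, which is the balance Mozilla’s statement below is trying to strike.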
I wrote this post mainly because I wanted to learn more about the potential phishing and malware threat from look-alike domains, and I hope the information here has been interesting if not also useful. I don’t think this kind of phishing is a terribly pressing threat (especially given how far less complex phishing attacks seem to succeed just fine for now). But it sure can’t hurt Firefox users to change the default “visual confusion” behavior of the browser so that it always displays punycode in the address bar (see the solution mentioned above).
Cloud cryptomining as a service is a security risk to users. Expert Frank Siemons discusses cloud mining service providers and what to look out for if you use one.
One of the more interesting news stories over the last year has been the rise, and currently the fall, of cryptocurrencies.
Bitcoin is the best-known variety, but other cryptocurrencies, such as Litecoin, Ripple and Ethereum, also saw dramatic increases in their worth during 2017. While some of this value dropped off in the first few weeks of 2018, there exists significant value in these currencies.
These virtual coins or their transactions can be mined for a fee, though some coin varieties are more profitable than others. Bitcoin, for instance, has passed the stage where mining at home returns a profit. The complexity and the mining workload have increased so much that the generated electricity costs far outweigh the value of the mined coins.
To avoid individual initial setup costs and to benefit from some of the efficiency increases that large specialized clusters bring, prospective miners can sign up with a cloud mining service provider.
Cloud mining service providers
The main benefit cloud cryptomining providers offer is their economy of scale. Primarily, these providers operate large data centers filled with specialized mining rigs. Everything from purpose-built hardware and software to power consumption is built around gaining maximum efficiency for cryptomining operations.
This significant investment has already been made, and the customer rents a small part of the processing power — expressed in mega or giga hashes per second — based on their expectancy that the currency will be at a certain price point during the rental period.
Security concerns for cloud cryptomining
The mined virtual coins need to be stored in a digital wallet eventually. Home miners are advised to store this wallet on an encrypted offline medium, such as a detachable USB drive, or to use a secure online digital wallet service.
However, both options carry the risk of losing the stored cryptocurrency. This could be due to the theft or loss of the USB drive, a compromised computer, or a hack or bug within a digital wallet service, for instance.
A cloud cryptomining provider is not bound by the same regulations as a traditional bank. This lack of regulation brings with it significant risk. The providers potentially hold a significant amount of value in the form of virtual money, which makes them an attractive target for cybercriminals.
Some research into where data centers are located and under which jurisdiction they fall is fundamental. After all, technically these data centers could hold a significant investment in their virtual vault. Even physical security is an essential factor to consider.
Because cloud cryptomining services depend on distributed networks and require access to the internet, fully air-gapped storage is not possible in a cloud system. This opens up an entry point for external attackers, which is what the NiceHash hackers exploited when they stole an estimated $64 million worth of bitcoin in 2017.
The attackers gained access to a corporate machine through an engineer’s VPN account and started making transactions via NiceHash’s payment system. This simply could not have happened if an offline wallet was used, as is often the case in smaller, individual setups.
Of course, attacks do not need to come from the outside. When relying on a company that is located in another country, the risk of internal fraud is high because it is handling a large amount of money without the protection of banking regulations. Several cases have been reported where either a staff member ran off with a significant amount of virtual currency or the entire cloud mining company was based on a scam.
Several provider comparison sites exist that discuss the reputations of cloud cryptomining companies. It is also advised to check online forums and social media channels before committing to any investment. Research is critical.
Where there is money, there is crime. The substantial increase in cryptocurrency investments and their meteoric rise in value over the recent months have paved the way for many scams and breaches that are traditionally linked to banks and investment schemes.
Does this mean cloud cryptomining is always unsafe? It does not, but it is essential to look at the providers with at least the same amount of scrutiny as one would use when looking at a more traditional investment firm.
Probably even more scrutiny should be applied because of the lack of proper regulation at this point. As always, technology has outpaced policy.
Google has decided to follow in Facebook’s footsteps and ban cryptocurrency-related advertising. The ban will enter into effect in June 2018, the company said today in a help page.
In June 2018, Google will update the Financial services policy to restrict the advertisement of Contracts for Difference, rolling spot forex, and financial spread betting. In addition, ads for the following will no longer be allowed to serve:
‧ Binary options and synonymous products
‧ Cryptocurrencies and related content (including but not limited to initial coin offerings, cryptocurrency exchanges, cryptocurrency wallets, and cryptocurrency trading advice)
The ban will enter into effect across all of Google’s advertising network, including ads shown in search results, on third-party websites, and YouTube.
Some ads will be allowed, but not many
But the ban is not total. Google said that certain entities will be able to advertise a limited set of the banned services, including “cryptocurrencies and related content.”
These advertisers will need to apply for certification with Google. The downside is that the “Google certification process” will only be available for advertisers located in “certain countries.”
Google did not provide a list of countries, but said the advertisers will have to be licensed by relevant financial services and “comply with relevant legal requirements, including those related to complex speculative financial products.”
Prices for almost all cryptocurrencies fell across the board today after Google’s announcement, and most coins continued to lose value.
Scams and phishing sites to blame
While Google did not spell out its reasons for banning cryptocurrency ads, they are likely the same as the ones cited by Facebook: misleading ads being abused to drive traffic to financial scams and phishing sites.
There’s been a surge in malware and phishing campaigns targeting cryptocurrency owners ever since Bitcoin’s price surged in December 2016 [1, 2]. Just last month, Cisco Talos and Ukrainian police disrupted a cybercriminal operation that made over $50 million by using Google ads to drive traffic to phishing sites.
A report published by “Big Four” accounting firm Ernst & Young in December 2017 reveals that 10% of all ICO (Initial Coin Offering) funds were lost to hackers and scams, and cryptocurrency phishing sites made around $1.5 million per month. The company says that cryptocurrency hacks and scams are a big business, and estimates that crooks made over $2 billion by targeting cryptocoin fans in the past years.
The recent trend of using the overhyped cryptocurrency market and ICOs for financial scams is also the reason why the US Securities and Exchange Commission (SEC) has started investigating and charging people involved in these practices.
This constant abuse of the cryptocurrency theme was the main reason why Facebook banned such ads on its platform, and is, most likely, the reason why Google is getting ready to implement a similar ban in June.
An increase in fileless malware, including PowerShell malware, was reported in McAfee Labs’ December 2017 Threat Report. Discover how enterprises can defend against fileless attacks.
It can be easy to dispute or question industry reports from top security vendors because the data is often collected from those vendors’ customers, and it is frequently used to show how the vendors’ products can better protect enterprises.
However, these reports can often help enterprises improve their information security programs. Antimalware companies often use this data-driven tactic to dig into specific examples of threats so enterprises can determine if they are adequately protected from those threats.
In this tip, we’ll discuss PowerShell malware, the specific example of the Emotet Trojan and enterprise defenses for these threats.
PowerShell malware and the Emotet Trojan
McAfee reported a surge in fileless attacks in 2017’s Q3 in which malicious code in macros used PowerShell to execute malware. One notable piece of fileless malware was the Emotet Trojan.
Before getting into the details of the threat, it’s important to note that when a vendor report states that the highest number of incidents for a specific malware type was observed, that doesn’t necessarily mean that the number is all that meaningful. The amount of malware detected only matters to an antimalware company in terms of how many resources they need to analyze the malware, report on it and ensure that their customers are adequately protected.
When a report references fileless attacks, it also doesn’t necessarily mean that no files were used in the attack. Fileless usually means that no files were left behind on a system for persistence, but files were used in the attack.
The fileless aspect could also mean that PowerShell, cmd or WMIC were used as part of the attack to execute code on the endpoint. This could include downloading a file or writing data to the registry to create a persistence mechanism on the endpoint.
Emotet is a type of banking Trojan that is distributed by botnets; it spams recipients to socially engineer them into opening a malicious attachment — usually a Word document that has a malicious macro. When the macro runs, it calls a PowerShell, cmd or WMIC command to download malware onto the endpoint for persistence.
While files are used in several different parts of the attack, the fileless aspect occurs when PowerShell or cmd is used to download the next step in the attack. Unlike using a downloader to download a piece of malware to the endpoint, the fileless approach can help to avoid potential detection.
Enterprise defenses against PowerShell malware
Since responding to malware threats is absolutely critical, ensuring your enterprise is prepared is important. We’ve discussed fileless malware at length, but malware is constantly evolving and, thus, security tools must do the same.
Some tools have incorporated functionality to address fileless attacks, while other new endpoint security tools have emerged to address these threats and current attacks. However, attacks continue to use known vulnerabilities or insecure functionality, as well as legitimate tools and functions like PowerShell, to take over endpoints.
While the Emotet Trojan contains new functionalities, some of them can still be blocked using basic endpoint security hygiene to prevent known vulnerabilities or insecure functionalities, such as limiting admin privilege, reducing the attack surface of an endpoint by removing or restricting unnecessary applications or tools, whitelisting, and keeping a system up to date with patches.
Your next step should be to check how your existing security tool vendors address Emotet because many different endpoint security vendors have different methods and advice on how to protect your enterprise. One common method among these tools is blocking executables or changes to the system via signatures, behavioral monitoring, or a combination of both detecting and monitoring common methods for persistence, such as preventing the Run registry keys from being modified.
Some of the tools specifically block Microsoft Word from calling out to PowerShell, which can block a malicious PowerShell command from executing on the system.
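The two controls just named, blocking or alerting when an Office application calls out to PowerShell, cmd or WMIC, and watching the Run registry keys for persistence, can be expressed as detection rules over endpoint telemetry. The script below is an added example and not McAfee’s or any endpoint vendor’s logic; the event records are constructed in the general shape of process-creation and registry events from an EDR or Sysmon-style sensor, command lines are placeholders the rules never read, and treating msiexec.exe as the only installer allowed to write Run keys is an assumption for the example. The second rule is raised to high severity when the process writing the key is one that Office spawned, which is the full chain the text describes.

```python
"""Detection rules for the macro -> PowerShell/cmd/WMIC chain and Run-key persistence."""
from typing import Dict, List, Set, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wmic.exe"}   # the legitimate tools the text names
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
TRUSTED_INSTALLERS = {"msiexec.exe"}                 # assumption: allowed to write Run keys

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed telemetry shaped like EDR/Sysmon process-creation and registry events.
# Nothing here comes from a real incident; command lines are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "WS-01", "user": "alice", "pid": "4120",
     "parent_image": r"C:\Windows\explorer.exe", "image": WORD, "command_line": "[constructed]"},
    {"type": "process", "host": "WS-01", "user": "alice", "pid": "4188",
     "parent_image": WORD, "image": PS, "command_line": "[constructed]"},
    {"type": "registry", "host": "WS-01", "user": "alice", "pid": "4188", "image": PS,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "host": "WS-02", "user": "bob", "pid": "2210",
     "parent_image": r"C:\Windows\explorer.exe", "image": PS, "command_line": "[constructed]"},
    {"type": "registry", "host": "WS-02", "user": "SYSTEM", "pid": "900",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_shell(ev: Dict[str, str]) -> bool:
    """Rule 1: an Office application is the parent of PowerShell, cmd or WMIC."""
    return (ev["type"] == "process"
            and basename(ev["parent_image"]) in OFFICE_APPS
            and basename(ev["image"]) in SHELLS)


def run_key_write(ev: Dict[str, str]) -> bool:
    """Rule 2: something other than a trusted installer writes a Run/RunOnce key."""
    return (ev["type"] == "registry"
            and any(k in ev["key"].lower() for k in RUN_KEYS)
            and basename(ev["image"]) not in TRUSTED_INSTALLERS)


def detect(events: List[Dict[str, str]]) -> List[dict]:
    """Apply both rules; a Run-key write by a process that Office spawned is the
    complete macro -> shell -> persistence chain and is rated high."""
    suspicious_pids: Set[Tuple[str, str]] = {
        (ev["host"], ev["pid"]) for ev in events if office_spawned_shell(ev)}
    alerts = []
    for ev in events:
        if office_spawned_shell(ev):
            alerts.append({"rule": "office-spawns-shell", "host": ev["host"], "pid": ev["pid"],
                           "severity": "high",
                           "detail": f"{basename(ev['parent_image'])} -> {basename(ev['image'])}"})
        elif run_key_write(ev):
            linked = (ev["host"], ev["pid"]) in suspicious_pids
            alerts.append({"rule": "run-key-persistence", "host": ev["host"], "pid": ev["pid"],
                           "severity": "high" if linked else "medium",
                           "detail": f"{basename(ev['image'])} wrote {ev['key']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} pid {a['pid']} {a['rule']}: {a['detail']}")
```

On the sample data, the PowerShell launched from Explorer on WS-02 is not flagged (an administrator opening a shell is normal), the installer writing a Run key is allowed, and only the Word-spawned PowerShell and its Run-key write on WS-01 produce alerts. Matching on the parent/child relationship rather than on the command line is what makes the rule hold up against obfuscated or encoded arguments.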
Examining infected systems on your network to determine how they were infected can identify which security controls need to be updated to properly protect your endpoints.
While the world is changing faster than anyone may realize or want to admit, some of the basics have stayed the same. Ensuring that you are regularly updating your information security program to identify which security controls are properly working is necessary to manage information security risk and protect your enterprise from the Emotet Trojan.
With recent events, like the WannaCry and NotPetya ransomware outbreaks, most organizations are fully alert to the threat of ransomware. They may have invested significant time and energy in response to those events, or they may have spent equal time bolstering their own preparedness. There is a potential attack surface that may have received comparatively less attention, but that is nevertheless equally important: the cloud.
Cloud environments are no less susceptible to ransomware than other environments. However, they have properties that can make response and preparedness different. For example, they might employ different notification and communications channels, they might involve different personnel, and there may be a different control set in use. It can behoove organizations to think through ransomware in the cloud the same way they prepare for ransomware for internal systems and applications.
Ransomware in the cloud
Using an infrastructure as a service (IaaS) platform gives the cloud customer more visibility into the underlying OS than other cloud models, but this, in turn, means that issues, like patching — particularly in the case of legacy or special purpose systems — are just as complex as in other environments, and therefore may take longer than one might like.
The issue is that an IaaS environment might be susceptible to ransomware. What is different with IaaS, though, is how the organization discovers the ransomware, how it responds and how it protects against the threat. As a practical matter, different personnel are often responsible for direct oversight of IaaS workloads compared to other technology.
For example, cloud is conducive to shadow IT. It can be hard for enterprise security teams to identify and manage shadow cloud applications used by employees and lines of business across an organization. Will a development team, business team or other non-IT organization plan for — and be ready to remediate — ransomware in the cloud to the same extent as the technology organization?
Even if shadow IT isn’t a factor for an organization, initial notification of a ransomware event might come through a different channel than expected. For example, notifications could come from a relationship manager for larger deployments; a defined escalation channel with the service provider, which might be a business team; or through a provider-maintained service portal.
Also, keep in mind that both the resolution and implementation of specific countermeasures might need to be done through different channels. As an example, if a key activity in response to a rapidly proliferating ransomware, like WannaCry, is to proactively patch, the manner in which you effect this might vary for the cloud — an enterprise might need to schedule a maintenance window with its provider, for instance.
Aside from IaaS, other cloud models can be impacted, as well. Even SaaS isn’t immune — consider storage such as Dropbox, Google Drive, etc. Typically, these services work by syncing local files to the cloud; for a small organization, this might constitute its primary storage, backup or data sharing mechanism. What happens when the local files are encrypted, deleted, overwritten with garbage or otherwise compromised by ransomware? Those changes will be synced to the cloud.
Mitigation strategies for cloud ransomware
What can organizations do to prepare for ransomware in a cloud environment? There are a few things that can make response significantly easier. Probably the most effective thing organizations can do — for both cloud environments and for any other environment — is to specifically exercise response and escalation procedures.
For example, a tabletop exercise can be very helpful in this regard. A tabletop exercise defuses the primary question: will you pay the ransom? Invariably, someone will suggest paying it regardless of law enforcement and others arguing against it — discussing this specifically ahead of time helps clarify pros and cons when adrenaline levels aren’t off the charts.
Secondly, working through alert and response scenarios ahead of time means you get answers to key questions: how will you be notified of an event? Who will be notified, and what notification pathways correspond to specific cloud relationships? Also, what is required to take responsive action in each of those channels?
It’s also a useful idea to undertake a systematic risk assessment specifically for ransomware. You might, for example, look at backup and response processes to ensure that, should data be specifically targeted by ransomware that seeks to render it inaccessible, the organization has thought through protection and recovery strategies at the technical level.
For an IaaS relationship, think through and test backup and response services that service providers might offer, technical controls that they offer and the countermeasures the organization already employs. This level of risk analysis is probably already done for the enterprise as a whole, but you should take measures to specifically extend that to cloud relationships. This can be somewhat time-consuming for organizations that have numerous service provider relationships in place, but this effort can be folded into a broader activity that has value beyond just ransomware — for example, malware mitigation more generally, data gathering about cloud relationships, threat modeling, cloud governance or other activities that involve the systematic analysis of cloud relationships.
The arguably harder situation in the event of ransomware in the cloud is the intersection of SaaS and smaller organizations — specifically, the possibility of corrupting cloud storage by synchronizing ransomware-impacted files to a remote storage repository. Specific measures to prevent this are available, such as keeping a manually synced or time-initiated mirror of the data at another repository, assuming that the volume in question isn’t such that this is prohibitively expensive.
Alternatively, backup solutions that keep prior iterations of data can provide a means of recovery even if the primary storage location is compromised. Regardless of what method an organization employs, though, the most important thing is to think through it in advance and view protection measures critically.
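The sync-corruption scenario above, as an added example that is not code from the article: a time-initiated, versioned mirror that never overwrites earlier versions, with a guard that holds the sync when an abnormal share of files changed at once. The directory layout, the 50% threshold and the simulated incident are assumptions constructed for the demo.

```python
"""Versioned mirror with a mass-change guard (added example, not from the article).

Each sync copies the shared folder into a fresh version directory and records a
manifest of file hashes. Because old versions are never overwritten, data that a
sync client has already pushed in a scrambled state can still be recovered from
the last good version. All paths and thresholds below are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Assumption for the demo: if more than half the files change between two syncs,
# hold the sync for a human to review rather than mirroring the change.
MAX_CHANGED_FRACTION = 0.5


def inventory(root: Path) -> dict:
    """Map each file's path relative to root to the SHA-256 of its content."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def changed_fraction(previous: dict, current: dict) -> float:
    """Share of all known files whose content differs between two inventories."""
    names = set(previous) | set(current)
    if not names:
        return 0.0
    changed = sum(1 for n in names if previous.get(n) != current.get(n))
    return changed / len(names)


def snapshot(source: Path, store: Path, label: str) -> Path:
    """Copy source into a new version directory; earlier versions stay untouched."""
    dest = store / label
    shutil.copytree(source, dest)
    (store / f"{label}.manifest.json").write_text(json.dumps(inventory(source)))
    return dest


def latest_manifest(store: Path) -> Optional[dict]:
    """Manifest of the most recent version (labels such as v001 sort lexicographically)."""
    manifests = sorted(store.glob("*.manifest.json"))
    return json.loads(manifests[-1].read_text()) if manifests else None


def guarded_sync(source: Path, store: Path, label: str) -> Optional[Path]:
    """Mirror source as a new version unless the change volume looks like mass encryption."""
    previous = latest_manifest(store)
    if previous is not None and changed_fraction(previous, inventory(source)) > MAX_CHANGED_FRACTION:
        return None  # held for review; the last good version is preserved
    return snapshot(source, store, label)


def restore(store: Path, label: str, target: Path) -> dict:
    """Rebuild a directory from a stored version and return its inventory."""
    shutil.copytree(store / label, target, dirs_exist_ok=True)
    return inventory(target)


def run_demo() -> dict:
    """Routine edit, simulated ransomware event, and recovery from the last good version."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, store, recovered = base / "shared", base / "mirror", base / "recovered"
        source.mkdir()
        for i in range(4):
            (source / f"report{i}.txt").write_text(f"quarterly figures {i}\n")
        snapshot(source, store, "v001")

        # A routine edit to one of four files (25% changed) is mirrored normally.
        (source / "report0.txt").write_text("quarterly figures 0, revised\n")
        routine = guarded_sync(source, store, "v002")
        last_good = inventory(source)

        # Simulated incident: every file's content replaced with random bytes and the
        # file renamed, which is exactly what a sync client would then push upstream.
        for p in list(source.iterdir()):
            p.write_bytes(os.urandom(64))
            p.rename(p.with_suffix(".locked"))
        held = guarded_sync(source, store, "v003")

        # The held sync left v002 intact, so the pre-incident data is recoverable.
        restored = restore(store, "v002", recovered)
        return {
            "routine_sync_accepted": routine is not None,
            "mass_change_held": held is None,
            "restored_matches_last_good": restored == last_good,
            "versions_kept": sorted(p.name for p in store.iterdir() if p.is_dir()),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```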
Chime in and let us know what you are doing to stay proactive.
As seen on TechTarget, by John Sammons and Michael Cross.
In this excerpt from chapter four of The Basics of Cyber Safety, authors John Sammons and Michael Cross discuss basic email security.
The following is an excerpt from The Basics of Cyber Safety by authors John Sammons and Michael Cross and published by Syngress. This section from chapter four explores the basics of email and email security.
Email is a term that’s short for electronic mail, and a common method of exchanging messages over the Internet. You’ll use an email client, like Google mail or Outlook, installed on a computer, an app on your mobile phone, or a website to create and read the messages. The email is sent to a mail server, which is a computer that’s used to store and forward messages.
To demonstrate how this works, let’s say that you’re going to send me an email. If you have an email client installed on your computer, you’ll write a message to me and click the send button. That message is sent to a mail server, which may be one provided by your Internet Service Provider (ISP). If I had an email account with another ISP, or a free email service like Gmail, the mail server would forward that email onto the mail server that I use. It would be stored in a mailbox, which would be an area on the mail server that’s designated for mail going to my account. When I retrieve the mail online, I would be accessing that mailbox, and see your email in an area for mail I’ve received called an Inbox.
As we’ll see in the sections that follow, there are a lot of potential problems with using email, but there are settings and decisions you can make to protect yourself. You may have information of some kind included with the email called an attachment, which could be virus infected. It could have links in the email that may take you to a site to fool you into providing sensitive information or automatically download and infect your system with malware. By knowing what to look out for, and configuring your email client properly, you can safeguard yourself and minimize these and other threats.
Depending on what you plan to do on the Internet, it’s advisable to set up separate email accounts for different types of online activities. By this, we’re not saying that you should have a different email address for each of the sites you commonly visit. The kind of email accounts you have will be based on what they’ll be used for and your need for privacy. Some of the ones you might have include:
A generic account, which is often the first one you have when you sign up for Internet service. This will be the one you commonly give to friends, family, and others you want to stay in contact with.
Work email, which is used for business purposes. This may be one created for you by your employer, and should only be used for work-related purposes.
Social media email, used for sites like Facebook, Twitter, and so on.
Email account(s) for chat, instant messaging, shopping, promotional sites, or other sites where you want additional privacy.
There are many reasons why you’d want separate accounts. One is that you should never use work email for personal reasons. Many companies have policies dealing with proper use of technology, and using corporate email to sign up on sites, chat, or simply sending personal messages could result in disciplinary actions or even termination of employment. As we saw in Chapter 1, What is cyber safety?, companies own any email account issued to you, meaning that they can access your mail, and you should have zero expectations of privacy.
Generally, when you sign up with an ISP, you’re issued an email address that includes your name in it or your first initial and last name. For example, my email address might be firstname.lastname@example.org or email@example.com. In looking at it, you can see that all or part of my name is included in the address. As we’ll see throughout this book, these little tidbits of information can be used with other information gathered about you, and reveal more than you want to know.
Before setting up any accounts on social media sites, chat rooms, and so on, you should seriously consider setting up one or more email accounts with less revealing information. In doing so, the name used for the email account should include nonidentifying information. For example, using an email address like firstname.lastname@example.org may indicate you’re a happy person, but it doesn’t reveal who you actually are.
UNDERSTANDING THE IMPORTANCE OF NONIDENTIFYING EMAIL
Keep in mind that your family and friends already know your full name, but many of the online “friends” or connections you make are actually strangers. You never want to reveal more to a complete stranger than necessary, and one of the biggest identifiers of a person is their name. To illustrate a problem with revealing email addresses, let’s say you used a chat site, discussion board, or instant messaging (which we discuss in chapter: Beyond technology — dealing with people) to meet new people and have online discussions. When you set up an account to use any of these, you’re probably given the option of creating a username or alias, so that when you’re chatting other people would see you as “Big Bob” or some other name you came up with. Now, consider that one of these people decided to check your account profile, and saw your email address. If it included your real name, the stranger now knows who you are, and the anonymity and protection provided by an alias or username is lost.
Depending on your needs for the account, you should also limit any information included in a signature in messages. For work email, you might include your work number, extension, company website, business address, and so on. However, you do not want to include this in other emails being sent, unless there is a specific and exceptional reason to do so. Even if you send personal information in an email to someone you trust, there is no guarantee that they won’t forward it, or include others in the reply that would show the original information you sent.
CHOOSING AN EMAIL CLIENT
There are a number of good email clients available, but the one you choose will often depend on the operating system you’re using, and the amount of money you’re willing to pay. The email client you use may be one that’s installed on your computer, or an online version that you access through a browser. Some of the email clients that can be installed on a computer include:
Microsoft Outlook, which runs on Windows and Apple and is commonly used by businesses. It’s included with Microsoft Office or Microsoft Office 365.
Apple Mail, which is Apple’s email client.
Thunderbird, which is available for Apple, Linux, and Windows machines.
In this section we’ll go through a number of common settings found in email clients that are installed on your computer, using Thunderbird as an example. Thunderbird is a popular, free email client from Mozilla that can be installed on Windows, Apple, and Linux machines, and has a number of features that can be configured to improve your
features should be available under the client’s settings. To configure Thunderbird’s Privacy and Security settings:
After opening Thunderbird, click on the Tools menu, and then click Options.
When the Options dialog appears, click on the Privacy icon at the top to display a screen similar to that shown in Fig. 4.1.
Click on the Allow remote content in messages so it appears unchecked. This will prevent any images or other content from being automatically viewed in the email. We’ll explain more about why it’s important not to allow this in a section that follows.
Click on the Tell sites that I do not want to be tracked checkbox so that it’s checked. This will send a request not to track your activities, opting you out of any tracking systems on a site you’re accessing, so that tracking cookies aren’t sent to your computer.
To modify the security settings in Thunderbird, you would click on the Security icon at the top of the Options dialog. Upon doing so, you’ll be presented with several tabs of options, where you can make the following modifications:
On the Junk tab, you can configure settings to train Thunderbird to detect junk mail or SPAM, and specify what happens to such email. You can flag an email as junk mail in Thunderbird by right-clicking on a message, selecting Mark, and then clicking As Junk. On this tab, you should do the following:
Click on When I mark a message as junk so the checkbox appears checked, and then select the option to move it to the Junk folder. This will automatically move any junk messages to the account’s “Junk” folder. Alternatively, you can click on the Delete them option, so that your junk mail is automatically deleted.
Click on the Mark messages determined to be junk as read checkbox so it appears checked. In doing so, the message won’t appear as unread, meaning there’s less chance of you accidentally opening it.
Click on the Enable adaptive junk filter logging so the checkbox appears checked.
On the Email Scams tab, click on the Tell me if the message I’m reading is a suspected email scam so the checkbox appears checked. If the email has known elements of being a scam, you’ll be presented with a warning.
On the Anti-Virus tab, click on the Allow antivirus clients to quarantine individual incoming messages so it appears checked. This will allow your antivirus software to remove any infected messages before you read them.
On the Passwords tab, click the Use a master password checkbox so it appears checked. After checking this, you’ll be prompted to provide and confirm a password. The next time you open Thunderbird, you’ll need to enter the password, preventing anyone else from opening Thunderbird and reading your email. To change the password afterwards, click on the Change Master Password button on this tab.
WHY IS IT IMPORTANT TO BLOCK REMOTE CONTENT?
When an email is opened, or viewed in the message pane of an email client, it’s possible for content from a server to appear in the message. If the email is in HTML format, then you’re viewing a message that’s written in the same language as a web page. Any external content can be displayed in the message as if you’d visited the sender’s website. Your email client will load any images, including ones that have an executable (malware) embedded in them, and other content from an external server. While allowing remote content lets you view any graphic content automatically, it isn’t a secure option.
Another problem with allowing remote content is that it can be used to verify your email address. If I send you a SPAM message, when you load the remote content, your client is contacting my server and requesting that the content be sent. I can now see that you made that request, and can see that it’s a legitimate email account that’s still in use. In verifying that email, I know to contact you further with either additional email, or (as we’ll see in chapter: Cybercrime) attempts to phish additional information out of you.
Also, additional information about you is sent with the request to a Web server for images and other content. The browser or email client will identify the application being used and the operating system it’s running on, which could be used by a hacker to identify possible vulnerabilities or target distribution of malware. The request will also include your IP address, which can be used to get a rough idea of your location.
When you block remote content and open the email, images and other external content don’t appear in the message. If I want to view the blocked content, I can click on a link at the top of the message to display images and other content, or, if I trust the sender, choose to always allow remote content from that sender.
HIDING THE MESSAGE PANE
A common feature in email clients is the Message Pane, which allows you to view the contents of any emails that you select in your inbox. It is a little deceptive in making you think that you haven’t opened the email, as you haven’t double-clicked on it so it opens in a new window. However, the Message Pane does open and display the contents of your email, and (depending on your settings) will display any of the images or external content used. As we mentioned, because emails can be written in HTML, the email client is acting like a browser, and you’re loading the equivalent of a web page with all the potential threats one can provide.
Hiding the message pane allows you to review the subject, sender, and other information listed in your inbox, but won’t show its contents when you click on it. This allows you to select different emails that seem suspicious or appear to be SPAM, and delete them as needed without opening them. To remove the message pane from Thunderbird, click on the View menu, select Layout, and then click Message Pane.
THE DANGERS OF AN ATTACHMENT
The message in an email is only one of the potential threats to your system. Files can also be attached to a message, and these carry the same potential risks as files that you download from sites. Documents may be virus infected, and executable files (such as those with an .exe extension) may be attached to install malicious software on your computer. Even though the attachment arrives with the message, it only poses a threat if it’s activated.
Never open any attachment if you don’t know the sender, or the email seems suspicious. Even if you know the sender, it’s possible that the message and attachment were sent automatically by malware, and the actual person the email says it’s from doesn’t know that the email was sent. To avoid many of the known problems with attachments, ensure that the settings that allow your antivirus program to scan and quarantine email are enabled. If your antivirus can catch and remove infected messages, there’s less chance you’ll open a file that will infect your system.
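The remote-content and attachment points from the sections above, as an added example that is not code from the book: a pre-view check of a raw message that lists the external resources the client would fetch while rendering the HTML part (and whether the URL carries a per-recipient identifier that confirms the address is live) and flags attachments by executable extension, double extension, or a Windows executable header behind a document-looking name. The sample message, its .example domains, the extension list and the heuristics are assumptions constructed for the demo.

```python
"""Pre-view email check (added example, not from the book).

The sample message below is constructed for the demo; the extension list and
the heuristics are assumptions and should be tuned for your environment."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# File types that run directly when opened (assumption; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                         ".vbs", ".ps1", ".msi", ".jar"}
# Leading bytes of a Windows executable, regardless of what the filename claims.
PE_MAGIC = b"MZ"
# Resources a client fetches automatically while rendering HTML: src= attributes
# and CSS url(...) references. Plain href links are only followed on a click.
AUTO_FETCHED = re.compile(
    r"""(?:\bsrc\s*=\s*["']?|url\(\s*["']?)\s*(https?://[^"'\s)>]+)""", re.I)


def sample_message() -> bytes:
    """Constructed test message: HTML body with a tracking pixel plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "you@recipient.example"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        "<html><body><p>Please see the attached invoice.</p>\n"
        '<img src="http://tracker.example/pixel.gif?id=abc123" width="1" height="1">\n'
        '<p><a href="https://portal.example/account">Review your account</a></p>\n'
        "</body></html>\n",
        subtype="html",
    )
    # Executable hiding behind a document-looking double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Windows executable header behind a harmless-looking name and MIME type.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="pdf", filename="scan.pdf")
    msg.add_attachment("Meeting notes\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def remote_requests(msg: EmailMessage) -> list:
    """External resources the client would request when rendering the HTML part.

    A query string on the URL is the usual way a sender ties the fetch to one
    recipient, which is what confirms the address is live."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for url in AUTO_FETCHED.findall(part.get_content()):
            parsed = urlparse(url)
            found.append({"host": parsed.hostname, "url": url,
                          "tracks_recipient": bool(parsed.query)})
    return found


def attachment_findings(msg: EmailMessage) -> list:
    """Flag attachments by extension, double extension, and content/name mismatch."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        root, ext = os.path.splitext(name.lower())
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
            if "." in root:
                reasons.append("double extension mimicking a document")
        elif data.startswith(PE_MAGIC):
            reasons.append("Windows executable header under a non-executable name")
        findings.append({"name": name, "size": len(data), "reasons": reasons})
    return findings


def assess(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and summarise what viewing it would expose."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    remote = remote_requests(msg)
    attachments = attachment_findings(msg)
    return {
        "remote": remote,
        "attachments": attachments,
        "flagged_attachments": [a["name"] for a in attachments if a["reasons"]],
        "preview_leaks_nothing": not remote,
    }


if __name__ == "__main__":
    report = assess(sample_message())
    for r in report["remote"]:
        print(f"would fetch {r['url']} (per-recipient id: {r['tracks_recipient']})")
    for a in report["attachments"]:
        print(f"{a['name']}: {', '.join(a['reasons']) or 'no findings'}")
```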
FREE EMAIL SITES
You could contact your ISP to have additional email accounts setup for various purposes, or you could set them up yourself through an online service. There are a number of sites available for setting up additional email accounts that are free, including:
Gmail (www.gmail.com), which is a free email service from Google.
Outlook (www.outlook.com), which is Microsoft’s email service, formerly called Hotmail.
mail.com (www.mail.com), which provides the ability to choose different domain names in the email address.
These free email services allow you to store and access your email online, using a web-based interface to read and compose messages. Some of these have almost unlimited storage, while others require you to pay for premium accounts that allow you to store mail and attachments over a certain limit. These sites may provide additional features and services that may be useful, such as online calendars and file storage.
When looking at the features of free online email, you want to ensure that the service provides virus checks and good SPAM filtering. As we have seen in Chapter 10, Protecting your kids, antivirus protection will prevent unwanted code from corrupting your data or system, while SPAM filtering will keep unwanted advertisements, scams, and other inappropriate, dangerous, and/or unwanted email from getting into your inbox. Even if you have antivirus software installed on your computer, it’s important to realize that it will not scan and protect email and attachments stored on one of these sites. The email is stored on the email service’s server, so you need to ensure that they provide adequate protection before you download or open anything that’s been sent to you.
SECURITY SETTINGS ON EMAIL SITES
The security settings on free email sites vary. All of them will allow you to change your password, which as we saw in Chapter 2, Before connecting to the Internet, should be done on a recurring basis and use strong passwords. Beyond this, the features you encounter will vary.
While it would be impossible to cover the settings in every online email service, looking at a couple of popular sites will give you a good idea of what’s offered, and how to configure it properly. In the following sections, we’ll look at Mail.com and Gmail. For any email service, you’ll generally find the security and privacy settings for your email under your account settings.
If you’re using mail.com as a free email service, you would login and see a link in the left pane of the screen called Settings (as shown in Fig. 4.2). Clicking this, you would then click on the Mail Security link under Security. Doing so provides you with a number of options, which when checked will activate the related feature:
Spam protection activated, which will prevent SPAM emails from being added to your inbox.
Contacts, which will prevent emails from people in your contact list from being flagged as SPAM. Generally, you can turn this off to prevent junk email that may have been automatically forwarded by people you know from appearing in your inbox. We saw how bots can do this without a person realizing it in Chapter 10, Protecting your kids.
POP3 options, which includes a checkbox indicating that you’d like to be sent a daily report about SPAM that may have been received. This allows you to release or delete any mail that may have incorrectly been flagged as SPAM.
Virus protection activated, which checks your incoming and outgoing mail for viruses.
Other options in the security section of your mail.com account include:
Whitelist, which allows you to add email accounts and domains that should always be trusted, and never marked as SPAM.
Blacklist, which allows you to add email accounts and domains that should never be trusted, and you never want to receive mail from. This is especially useful if you are being harassed by a person, getting unwanted email from a company, or know that a particular site is a problem.
External content, which after being clicked, shows a page with a checkbox that allows you to prevent any content hosted on an external site (such as images) from appearing in your email. If this is activated, a link will appear in your email that allows you to show the images, and does not apply to any emails in your SPAM folder (which already keeps external content from being displayed).
Gmail offers a number of features designed to protect your privacy and enhance the security of using email. After logging into Gmail, you can access your settings by clicking on the gear shaped icon in the upper right-hand corner, and then clicking settings. After doing so, you’re presented with a screen with tabs along the top of the screen. Clicking Accounts and Import will provide you with a variety of options to maintain your account, including a section called Change account settings. In this section, you can click on any of the following links:
Change password, where you can enter a new password, and which will tell you the strength of that password.
Change password recovery options, which provides the ability to set recovery options if someone hijacks your account, or your password is forgotten. We’ll discuss more about this shortly.
Other Google Account settings, which presents a screen of additional options to control your account preferences, and options and tools related to your privacy and security settings. Again, we’ll delve deeper into this in the paragraphs that follow.
The password recovery features in Gmail allow you to set what happens when you forget your password or it appears an unauthorized person is trying to get into your account. The options on this page allow you to set the following:
Mobile phone, which (after providing your phone number) will be used to send a text message. Because an unauthorized person probably wouldn’t have your mobile phone, this ensures that you’re the person who the account belongs to.
Recovery email address, which can be used to challenge someone attempting to logon, and allows you to reset your password if you’re locked out.
Alternate email address, which allows you to specify a secondary way to log onto your account. This would be a different email address than your gmail.com account.
Security question, which allows you to set a question and answer that will be used to establish that you’re the person who should be logging in.
The Other Google Account settings link takes you to the My Account page at https://myaccount.google.com, where you can access settings that control your account preferences, personal information and privacy (which we’ll discuss further in chapter: Protecting yourself on social media), and sign-in and security options. The My Account page also provides tools for doing a checkup on your security and privacy settings, and will take you step-by-step through setting many of the options we’re about to discuss.
If you click on the Signing in to Google link, you’re given a number of options we’ve already discussed, including the ability to change your password, provide a recovery email address, provide a phone number to recover your account, and set a secret question. You’re also given an option in the Password and sign-in method section to use 2-Step Verification.
When 2-Step Verification is used, you log onto Gmail as you normally would, but after entering your password, a code is sent via text, voice call, or the Google mobile app. You must then enter this code to access your mail. This feature becomes especially important if you use untrusted computers or devices to access your mail, such as public computers. To set up Google’s 2-Step Verification, follow these steps:
When the Set up your phone page appears, enter your phone number.
If you want Google to send you a text message with a code, click the Text message (SMS) option. If you want a voice call, then click the Voice Call option.
Click Send code.
When you receive the code, enter it in the box on the Verify your phone page, and then click Verify.
When the Verification codes on this computer screen appears, check the Trust this computer checkbox if you’re using a trusted computer (such as your home computer). In doing so, you might still be able to access your account without a code.
When the Turn on 2-step verification screen appears, click Confirm.
The next link on the My Account page is the Device activity & notifications link, which provides important information about how your account is being accessed. Here, you’ll find information on security events (such as password changes, modifications to your account, and so on), and devices that have recently been used to access the account. It shows the current device you’re using to access your account, as well as any other computers or mobile devices that were previously used. You should regularly review this section to determine if someone else is accessing your account. If something seems amiss, you can click the Secure your account link to change your password, review settings, and add or change recovery information that we discussed earlier. If you don’t think you’ll regularly visit the page to monitor this (as is the case with most people), you should click the Manage Settings link under Security alerts settings. In doing so, you can set whether you’ll receive an email and/or text message when there is a security risk (such as someone trying to access your account) or other account activity (such as when security settings are changed).
The final link is Connected apps & sites. As we saw in Chapter 1, What is cyber safety?, various apps on your mobile device or sites may connect to your Gmail account. By clicking the Manage Apps link on this page, you’ll be able to view which apps have access, and what they have access to (including such things as your mail, calendar, contacts, or basic account info). If there’s an app you no longer use, you would click on the Remove button beside the app’s name to completely revoke its access. The page also provides a Saved Passwords section, where you can manage passwords saved with Google Smart Lock, which we discussed in Chapter 2, Before connecting to the Internet.
At the bottom of this section, you’ll see an option to Allow less secure apps, which should be turned off. If an app uses less secure technology to sign-on, it can leave your Google account vulnerable, so by default this option is turned off.
There may be times when you need to send an email that’s secure, ensuring that no one other than the person it’s intended for reads it. There are a number of options available for encrypting messages, some of which require installing software like add-ons or extensions to your browser, while others are simple and straightforward.
Infoencrypt (www.infoencrypt.com) is an easy-to-use site, in which you type a message in a box on the web page, and provide and confirm a password. After clicking the Encrypt button, the page reloads and the message in the box is encrypted. For example, if you were to enter a phrase like “This is encrypted” and used the password test, it would return something like what follows:
The message itself is meaningless, unless the recipient uses the correct password to decrypt it. You would copy and paste the contents of the box and email it to the intended recipient, secure in the knowledge that no one else can read it.
When the recipient receives it, they would click a link that takes them to Infoencrypt’s website, where he or she copies and pastes the email message into the box, and enters and confirms the password you provided separately. After clicking Decrypt, the message is then revealed.
Once the tool is installed, you can then log on to Gmail (www.gmail.com) and you’ll see a new red button with a padlock icon beside the Compose button. Clicking the padlock icon will open a new message dialog. After composing the email, you’d then click the Send Encrypted button.
After you click the button to send your encrypted email, a new message will appear asking you to enter a password and provide a secret hint. The hint should be something that only the recipient would know the answer to, thereby revealing what to enter as a password. After filling this out, click the Encrypt and Send button.
The message that the recipient receives will be encrypted. If they receive it on a standard email client, it will include a link to install the Secure Streak Gmail Extension. If they already have the extension, they will see a link to decrypt the email, and when clicking it they will be asked to enter a password and will see your hint. After providing the password, the message is decrypted.
About the author:
John Sammons is an Associate Professor and Director of the undergraduate program in Digital Forensics and Information Assurance at Marshall University in Huntington, West Virginia. He teaches digital forensics, electronic discovery, information security and technology in the School of Forensic and Criminal Justices Sciences. Mr. Sammons is also adjunct faculty with the Marshall University graduate forensic science program where he teaches the advanced digital forensics course. A former police officer, he is also an Investigator with the Cabell County Prosecuting Attorney’s Office and a member of the West Virginia Internet Crimes Against Children Task Force. Mr. Sammons is a Member of the American Academy of Forensic Sciences, the High Technology Crime Investigation Association, and Infragard. He is the founder and President of the Appalachian Institute of Digital Evidence, a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement and information security practitioners in the private sector.
Michael Cross is a SharePoint Administrator and Developer, and has worked in the areas of software development, Web design, hardware installation/repairs, database administration, graphic design, and network administration. He is also a former Computer Forensic Examiner with Police Services in the Niagara Region of Ontario, Canada. Working for law enforcement, Mr. Cross was part of an Information Technology team that provided support to more than 1,000 civilian and uniformed users. He performed digital forensic examinations on computers involved in criminal investigations. Over five years, Mr. Cross recovered and examined evidence involved in a wide range of crimes, including homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. Mr. Cross has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. In 2007, he was awarded a Police Commendation for work he did in developing a system to track local high-risk offenders and sexual offenders. With extensive experience in Web design and Internet-related technologies, Mr. Cross has also created and maintained numerous Web sites and implementations of Microsoft SharePoint. This has included public Web sites, private ones on corporate intranets, and solutions that integrate them. In doing so, he has incorporated and promoted social networking features, created software to publish press releases online, and developed a wide variety of solutions that make it easier to get work done.
ITG remains committed to their clients day in and day out. Whenever you need someone, you know who to call. Mike and the ITG team care so much about the clients that they want to spread the word. Although it may be strange if Mike stood on a rooftop yelling about all the ways they can help someone, we figured the clients could tell you best. We recently interviewed Linda from NYACP, New York Chapter American College of Physicians, to get her take on ITG and to find out more about what she does!
NYACP is a not-for-profit professional service organization providing education, advocacy and quality improvement/practice management for 12,000 internal medicine physicians in New York state. Linda loves that her work focuses on improving healthcare and helping members achieve success in the ever-changing practice environment.
In a world of such uncertainty and change, wouldn’t you want to feel that passion? Every business will suffer from technological issues, updates and threats to operations by viruses and other intrusions. Lucky for Linda, her limited IT experience was in hiring the right consultant. She has better peace of mind within the company since working with ITG. She has been able to learn more about technology as her business grew and came to better understand the impact of technology and interoperability. This allows her to feel more comfortable with her entire IT infrastructure allowing her to focus more on management and operations.
She was first introduced to ITG by word of mouth from colleagues. After interviewing others and assessing the best choice, Linda chose ITG because of their experience and local reach. She has not been disappointed, and it’s been years working together! When asked what the process is like to work with ITG she said: “They are a sound, reliable partner, they respond to our needs expeditiously and completely.” She considers the ability to ask questions and get “helpful, meaningful information in easy to understand language (and Diagrams!!!)” to be the best value for a busy executive.
Her favorite part of working with ITG is “the staff, the reliability of their recommendations and their service”!
You too can have peace of mind in your day-to-day life by partnering with a company that cares about your business, answers questions and immediately responds to concerns. Reach out to ITG today and speak with the team about how they can help!
Did you know?
There are laws and regulations in place that require companies to take measures to prevent data breaches and other attacks.
89.1 percent of all information security leaders are concerned about the rise of digital threats they are experiencing across web, social and mobile channels, according to the 2018 CISO Survey by RiskIQ.
Some 1,691 U.S. and U.K. information security leaders across multiple verticals, including enterprise, consulting, government and education, provided insights into their cyber risk concerns and plans for 2018.
Overall, the survey revealed a coming “perfect storm,” where the problem of staff shortages collides with escalating cybercrime, leaving organizations ill-equipped to manage and respond to cyber risks and threats that are accelerating in an era of digital transformation, pervasive connections and increasingly sophisticated attack strategies sponsored by nation-states and rogue actors.
As the Spectre and Meltdown security flaws in Intel chips dominated the news in early 2018, and after a year of major security breach announcements and settlements involving Equifax, Yahoo and Anthem, the following findings are hardly surprising:
67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive
60 percent expect digital threats to grow as their organizations increase online engagement with customers
The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches
The top risk organizations face today is a lack of experienced staff to monitor and help protect networks from cybercrime
“The RiskIQ 2018 CISO Survey illuminates a growing industry-wide problem, which is that cybercrime is growing at scale, and enterprises are already experiencing critical staff shortages. That’s one reason 1 in 3 organizations have engaged with an MSSP to combat cyber risks and threats, and we expect that number to grow as the competition for top security talent gets far more intense,” said Lou Manousos, CEO at RiskIQ.