5 Tips For Combating Phishing

Phishing attacks are on the rise, but there are steps you can take to combat the threat.

The number of phishing websites increased by 250% between the last quarter of 2015 and the first quarter of this year, according to new Anti-Phishing Working Group data.

That may be an eye-popping increase in activity, but Dylan Sachs, director of identity theft for threat intelligence and remediation company BrandProtect, says it should come as no surprise.

“Email is an attractive target,” he says. “Plus, for the past several years, data leakage has been a major focus. So while companies have focused on large data breaches, the hackers have turned to phishing; they are much quieter attacks.”

According to the APWG report, the retail sector remained the most-targeted industry sector during the first quarter of 2016 at 42.7%, followed by the financial industry at 18.7%, and the payment services industry at 14.7%.  

The vast majority of the phishing sites are hosted in the US. For example, in March 75.6% of the phishing sites were hosted in the US, followed by China at 4.2%.

Given the ubiquity of the threat, what can security teams do about it? Sachs offers five tips for protecting the organization from phishing:

Check new domain registrations. Security managers need to consistently check whether new domains similar to the company’s own domain have been registered. For example, the owner of acmetools.com should be suspicious on finding that acme-tools.com or acme-tools.net has been registered. There are two warning signs security managers should look for. First, any such domain registered by someone outside the company should be considered suspicious. Second, if the domain is registered from outside the company and it has mail exchange (MX) records, the odds are it is a malicious site and it should be blocked.
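The monitoring described in this tip, as an added example (not code from the article or from BrandProtect): it generates the common lookalike variants of a company domain, then applies the two warning signs above, treating an outsider registration as suspicious and an outsider registration with MX records as likely malicious. The WHOIS and MX lookups are injected as callables, and the answers below are constructed so that it runs offline; in production you would inject real resolvers. The company name, registrants and mail hosts are assumed, not taken from the article.

```python
"""Lookalike-domain monitoring (added example; not from the article or BrandProtect).

Generates common lookalike variants of a company domain (hyphen insertion,
TLD swaps, dropped or doubled characters, digit-for-letter homoglyphs) and
applies the two warning signs from the tip: a variant registered by someone
outside the company is "suspicious"; one that is also publishing MX records
is "likely-malicious" and a candidate for blocking. WHOIS and MX lookups are
passed in as callables so the logic runs offline against the constructed
data at the bottom; in production, inject real resolvers (e.g. dnspython).
"""
from dataclasses import dataclass

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
TLDS = ("com", "net", "org", "co", "info")


def lookalike_variants(domain):
    """Return the set of lookalike domains to monitor for `domain`."""
    label, _, _tld = domain.lower().partition(".")
    labels = {label}
    for i in range(1, len(label)):            # acme-tools
        labels.add(label[:i] + "-" + label[i:])
    for i in range(len(label)):               # acmetols / acmetoools
        labels.add(label[:i] + label[i + 1:])
        labels.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):            # acmet0ols
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    variants = {f"{name}.{tld}" for name in labels for tld in TLDS}
    variants.discard(domain.lower())          # the real domain is not a lookalike
    return variants


@dataclass
class Finding:
    domain: str
    registrant: str
    has_mx: bool
    verdict: str   # "ok" | "suspicious" | "likely-malicious"


def assess(domain, registrant_of, mx_of, company_registrants):
    """Look up each variant and classify the registered ones."""
    findings = []
    for name in sorted(lookalike_variants(domain)):
        registrant = registrant_of(name)
        if registrant is None:          # unregistered: nothing to act on yet
            continue
        has_mx = bool(mx_of(name))
        if registrant in company_registrants:
            verdict = "ok"              # the company's own defensive registration
        elif has_mx:
            verdict = "likely-malicious"   # outsider AND ready to send/receive mail
        else:
            verdict = "suspicious"         # outsider, no mail infrastructure yet
        findings.append(Finding(name, registrant, has_mx, verdict))
    return findings


# --- constructed sample data standing in for WHOIS and DNS answers ---
CONSTRUCTED_WHOIS = {
    "acmetools.net": "Acme Tools Inc",        # company's own defensive registration
    "acme-tools.com": "Privacy Proxy LLC",    # outsider, and it has MX records
    "acme-tools.net": "Privacy Proxy LLC",    # outsider, no mail yet
    "acmetool.com": "Some Hobbyist",          # outsider, no mail
}
CONSTRUCTED_MX = {
    "acme-tools.com": ["mx1.mail-host.example"],
}


def run_example():
    """Classify the constructed lookalikes of acmetools.com; returns {domain: verdict}."""
    return {
        f.domain: f.verdict
        for f in assess("acmetools.com",
                        CONSTRUCTED_WHOIS.get,
                        lambda d: CONSTRUCTED_MX.get(d, []),
                        {"Acme Tools Inc"})
    }


if __name__ == "__main__":
    for domain, verdict in run_example().items():
        print(f"{domain:20} {verdict}")
```

The variant generator is deliberately broad; a real deployment would feed the list into a scheduled WHOIS/DNS check and alert on any change of verdict, since a "suspicious" domain that later gains MX records is exactly the transition the tip says to watch for.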

Flag external emails. Make it a practice to put a flag or icon clearly stating that the email was sent by an outside source. Employees will know who they are communicating with outside the company, but flagging external emails will make the employee look twice before clicking, giving an added layer of protection.

Employ some controls on money transfers. Use some kind of two-factor authentication on money transfers above a certain financial limit deemed appropriate by the company. The two-factor authentication should not be just a dongle, and someone higher up in the organization like the chief financial officer should sign off on more expensive transactions.

Educate the staff. Lower-level HR staff and midlevel managers in the accounting department are most at risk. Many companies run mock phishing exercises to identify the people who need more training. Run an exercise to give the staff experience checking for phishing attacks, then run another mock exercise six months later and see whether the staff has improved. Over a period of months and years, employees will adjust and their awareness will become another layer of defense.

Set up blacklists. This includes blacklists of websites as well as attachment types. Set it up so all .zip, .doc, and .pdf files are scanned for malicious content before they are delivered to end users.
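The attachment part of this tip, as an added example (not code from the article): every .zip, .doc and .pdf attachment is routed to a scanner before delivery, and the check also catches a case the extension rule alone misses, an attachment whose file name says .pdf but whose leading bytes are a ZIP archive. The sample message, its addresses and its attachment bytes are constructed inline.

```python
"""Attachment triage before delivery (added example; not from the article).

Implements the attachment part of the tip: every .zip, .doc and .pdf
attachment is routed to a malware scanner before the message reaches the
user. It also catches a case the extension rule alone misses: an attachment
whose file name says one thing but whose bytes say another (for example a
ZIP archive named invoice.pdf). The sample message is constructed inline.
"""
import email
import os
from email import policy
from email.message import EmailMessage

SCAN_EXTENSIONS = {".zip", ".doc", ".pdf"}     # the types named in the tip
MAGIC = {                                      # leading bytes -> real type
    b"PK\x03\x04": ".zip",
    b"%PDF": ".pdf",
    b"\xd0\xcf\x11\xe0": ".doc",               # OLE2 container used by legacy .doc
}


def sniff_type(data):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def attachments_to_scan(raw_message):
    """Return [(filename, [reasons])] for attachments that must be scanned."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        data = part.get_payload(decode=True) or b""
        actual = sniff_type(data)
        reasons = []
        if ext in SCAN_EXTENSIONS:
            reasons.append("policy-extension")          # named type: always scan
        if actual in SCAN_EXTENSIONS and actual != ext:
            reasons.append("content-mismatch:" + actual)  # bytes disagree with name
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_sample_message():
    """Constructed message: a ZIP disguised as a PDF, a real PDF, and a text note."""
    msg = EmailMessage()
    msg["From"] = "vendor@supplier.example"
    msg["To"] = "ap@acmetools.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"PK\x03\x04constructed-zip-bytes",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed-pdf-bytes",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in attachments_to_scan(build_sample_message()):
        print(name, "->", ", ".join(reasons))
```

In a mail gateway the flagged list would be handed to the scanning engine; the content-mismatch reason is worth logging separately, because a renamed archive is a stronger signal than a plain policy hit.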

But even with these phishing protection practices, there are no guarantees that a company won’t still get successfully phished or spoofed by fraudsters, Sachs notes. There is no magic bullet. Rather, take a series of small steps that hedge the company’s bets and reduce the chance it will be infected.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.


Pre-Loaded Laptop Software Comes With Security Risks

Laptops from Dell, HP, Asus, Acer and Lenovo all had at least one vulnerability that could result in complete compromise of system, Duo Security report says.

Pre-loaded software update tools installed on laptops from five major OEM PC vendors can lead to a full system compromise in less than 10 minutes, according to an investigation conducted by Duo Security.

Acer, Asus, Dell, Hewlett-Packard, and Lenovo all had at least one vulnerability that could result in a man-in-the-middle attack, allowing for a complete compromise of the affected machine, say researchers at Duo Labs, the company’s research arm.

“The Original Equipment Manufacturer software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware (or bloatware). Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” according to the Duo Labs report “Out-of-Box Exploitation: A Security Analysis of OEM Updaters.”

Pre-loaded OEM software has serious implications for system security. For example, in early 2015 adware called Superfish pre-installed on Lenovo laptops tampered with the Windows Platform Binary Table, allowing attackers to eavesdrop on unwitting users’ web browser traffic. Later in the year, some Dell computers became vulnerable to man-in-the-middle attacks because of an issue with the eDellRoot certificate authority.

“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed,” the report states.

“The thing about software updaters is that they are inherently privileged. They have to run with full system permission in order to change and modify anything,” says Darren Kemp, an analyst and author of the Duo Labs report. “A lot of the vulnerabilities we found were easy to find and easy to exploit; it is a real enticing target for attackers.”

All vendors had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, which would allow a complete compromise of a system.  In total, Duo Labs identified and reported twelve different vulnerabilities across all of the vendors.

Key findings included:

  • Dell: one high-risk vulnerability involving lack of certificate best practices, known as eDellRoot.
  • Hewlett Packard: two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium- to low-risk vulnerabilities were also identified.
  • Asus: one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege escalation.
  • Acer: two high-risk vulnerabilities that allow for arbitrary code execution.
  • Lenovo: one high-risk vulnerability that allows for arbitrary code execution.

“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities,” the report states.

Duo Security recommends that OEMs should consider hardening their updaters through the consistent use of Transport Layer Security (TLS) for the transmission of manifests and packages/executable files. TLS would have made exploitation of the flaws discovered highly improbable, with the exception of those like the eDellRoot issue, the researchers say.
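The client-side half of that recommendation, as an added example (not Duo’s or any OEM’s code): an updater that refuses any non-TLS manifest or package URL, fetches with the default SSL context so the certificate chain and host name are verified, and checks each downloaded package against the SHA-256 listed in the manifest. The manifest, package bytes and vendor host name are constructed; the fetch function is real urllib code but the offline demo does not call it. Pinning the vendor’s own CA, which the eDellRoot case shows also matters, is outside this example.

```python
"""Updater client checks (added example; not Duo's or any OEM's code).

Shows the two checks the article's recommendation implies for an OEM
updater: every manifest and package URL must be HTTPS, fetched with the
default SSL context so the certificate chain and host name are verified,
and every downloaded package must match the SHA-256 the manifest lists.
The manifest and package bytes are constructed; fetch() is real urllib
code but is not exercised by the offline demo.
"""
import hashlib
import json
import ssl
import urllib.request
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised whenever an update must not be applied."""


def require_tls(url):
    """Accept only https:// URLs with a host; anything else is rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected("refusing non-TLS update URL: " + url)
    return url


def is_acceptable_url(url):
    try:
        require_tls(url)
        return True
    except UpdateRejected:
        return False


def fetch(url, timeout=30):
    """Download over TLS with certificate and hostname verification on."""
    require_tls(url)
    context = ssl.create_default_context()  # verifies chain + hostname
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        return resp.read()


def parse_manifest(raw):
    """Validate a JSON manifest: TLS URLs and well-formed SHA-256 per package."""
    manifest = json.loads(raw)
    for entry in manifest["packages"]:
        require_tls(entry["url"])
        digest = entry["sha256"].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise UpdateRejected("malformed sha256 for " + entry["name"])
    return manifest


def verify_package(entry, data):
    """Compare the downloaded bytes against the manifest's SHA-256."""
    actual = hashlib.sha256(data).hexdigest()
    if actual != entry["sha256"].lower():
        raise UpdateRejected(f"hash mismatch for {entry['name']}: {actual}")
    return True


# --- constructed manifest and package (hypothetical vendor host) ---
CONSTRUCTED_PACKAGE = b"constructed package bytes, not a real installer"
CONSTRUCTED_MANIFEST = json.dumps({
    "packages": [{
        "name": "support-tool",
        "url": "https://updates.vendor.example/support-tool.exe",
        "sha256": hashlib.sha256(CONSTRUCTED_PACKAGE).hexdigest(),
    }]
})


def check_constructed_update(package_bytes):
    """Return True if the bytes pass the manifest check, False if rejected."""
    entry = parse_manifest(CONSTRUCTED_MANIFEST)["packages"][0]
    try:
        return verify_package(entry, package_bytes)
    except UpdateRejected:
        return False


if __name__ == "__main__":
    print("genuine package accepted:", check_constructed_update(CONSTRUCTED_PACKAGE))
    print("tampered package accepted:", check_constructed_update(CONSTRUCTED_PACKAGE + b"x"))
```

The hash check only helps if the manifest itself arrived intact, which is why the manifest URL goes through the same TLS requirement as the packages; a manifest fetched over plain HTTP could simply be rewritten to list the attacker’s hash.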

Hewlett-Packard and Lenovo responded and moved quickly to fix high-risk vulnerabilities, says Steve Manzuik, director of security research with Duo Security. However, Duo Security found it “difficult to get a response” from Acer and Asus. “When we did get a response from them, just getting a follow-up or confirmation that ‘Yes we released a patch and are fixing it,’ proved to be very difficult. It required a lot of communication on our end to ensure that they are on the right track,” Manzuik says.

Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. However, Duo Security did provide users with some advice:

  • Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Failing that, reducing the attack surface should be the first step in any system-hardening process.
  • Identify unwanted, unnecessary software and disable or uninstall it — less complexity generally results in fewer security flaws.
  • Purchasing Microsoft Signature Edition systems may be beneficial, but it is not guaranteed to protect end users from flaws in OEM software altogether.
  • Dell, HP, and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus. 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.


Russian facial recognition program beats Google, but big privacy questions linger


In November 2015, the Russian company NTechLab’s facial recognition software beat Google and more than 90 other teams from all around the world in the University of Washington’s MegaFace competition. Using deep-learning software, the company had developed an algorithm that correctly identified a celebrity face among billions of photos on a computer.

Winning the contest was “an important benchmark,” said Erik Learned-Miller, Associate Professor of Computer Science at the University of Massachusetts, Amherst. “There are an awful lot of algorithms out there. NTechLabs is doing better than Google, better than Facebook.”

And, indeed, the Russian startup has been wildly popular, just passing 600,000 registrations, and 3 million searches on its FindFace app.

By scanning just a single photo, FindFace, NTechLab’s “dating service app,” can accurately identify a person in the Russian social network database of more than 250 million photos, in less than half a second, co-founders Artem Kukharenko and Alexander Kabakov said. FindFace can help people find friends online, even using older photos, and can also be a tool to prevent catfishing.

The NTechLab founders said they see many applications for the FindFace app, including:

  • Security: ID checks at e-gates, real-time criminal searches using video surveillance
  • Retail solutions: displaying targeted advertising to in-store customers and identifying repeat customers
  • Dating services: search-by-photo offers people the chance to find someone to date that matches the appearance of a photo

Beyond these applications, the company also sees an opportunity to work with the government. “The Moscow government was really impressed by the current capabilities of NTechLab’s face recognition algorithms,” said Kukharenko. The startup founders said they plan to use their technology to help the government “discover and identify people who commit crimes in sight of the city’s 150,000 CCTV cameras.”

NTechLab also plans to unveil a cloud-based face recognition platform this summer, which will allow companies to use NTechLab’s facial recognition algorithm.


But despite NTechLab’s victory, there are reasons to be cautious about overhyping the company’s win. Finding celebrity images, said Learned-Miller, is easier than finding normal people in photos. Also, “the speed is not that interesting,” he said. “The algorithm does a lot of the work ahead of time. It grabs a face, runs it through a neural network, gets features, makes measurements, and pulls the result.”

Still, Learned-Miller is impressed with NTechLab’s performance. He has run his own face recognition test for the last eight years, which he said was, until recently, considered one of the best platforms. “Everybody who thought they had a great face recognizer sent it to me,” he said.

And while NTechLab claims to have developed “the world’s best” facial recognition platform, not all AI experts are convinced that the tech giants lack the capability to be at the top.

“Both Facebook and Google have considered adding similar functionality to their social networks,” said Roman Yampolskiy, director of the Cybersecurity lab at the University of Louisville. “But they decided against it because of obvious disastrous implications for user privacy.”


For example, a Russian artist drew a lot of attention for shooting photos of people on a subway and using the FindFace app to identify the people. “That’s exactly the scenario people don’t want to happen,” said Learned-Miller.

NTechLab founders said they are “working on a solution to make sure that our technology is used only for good purposes.”

Still, Learned-Miller said, “There’s definitely a creepy factor.”

Indeed, Facebook is “more worried about perceptions at the moment. They’re thinking about the implications of these things, whereas a startup doesn’t have much to lose,” he said. “As long as they don’t do something illegal, NTechLab has nothing to lose.”

Still, despite worries about how the tool is used, “it is only a question of time before such tracking of users becomes commonplace,” said Yampolskiy.


US court says cops don’t need a warrant for cell location data


Police do not need a warrant to determine a suspect’s location based off cell-site information, an appeals court has ruled.

In a 12-3 vote, the Fourth Circuit appeals court overturned a notable decision last year, arguing that the government can get the information from a third-party, which doesn’t violate a person’s Fourth Amendment right to protection against unwarranted searches and seizures.

The case will be a bump in the road for privacy advocates, who have for the past few years tried to clarify the use of location-based data collected from cell phones and GPS devices. The Supreme Court has yet to take up a case that would definitively rule on the matter.

In Tuesday’s ruling, Judge Diana Motz said obtaining cell-site location data doesn’t violate those protections because the data was already being shared with a person’s cell service provider, a requirement that helps the phone to function.

“Anyone who has stepped outside to ‘get a signal,’ or has warned a caller of a potential loss of service before entering an elevator, understands, on some level, that location matters,” Motz wrote.

“Whenever he expects his phone to work, he is permitting — indeed, requesting — his service provider to establish a connection between his phone and a nearby cell tower,” she said.

Not all the justices on the court agreed.

Judge James Wynn, who voted in the minority, said in his dissent that even if a suspect has some “vague awareness that their location affects the number of ‘bars’ on their phone,” that person cannot know that such data is being collected and stored by the carrier.

(via Reuters)

Microsoft believes blockchain tech could help fight human trafficking, child exploitation

On Wednesday, Microsoft announced that it was joining forces with Blockstack Labs and ConsenSys to develop an open source, blockchain-based identity system that could help better protect people who don’t have access to legal identification.

According to Microsoft’s blog post announcing the project, the announcement was made in light of the ID2020 Summit on Identity, and as part of the UN’s Sustainable Development Goals (SDG). They are hoping to rally developers around the world to contribute and to spark a conversation on the potential impact of a blockchain-based identity.


The ID2020 forum brings together top thinkers in the tech community to work on tackling major social issues with the power of technology. To shed some light on the magnitude of the issue of legal identification, Microsoft provided the following data points:

  • 5B people are without proper identification, that’s one-fifth of the world’s population.
  • One in three children under the age of five does not officially exist because their birth has not been recorded.
  • Cumulatively, 230M children under the age of five have no birth certificate; this number is growing.
  • 50M children, roughly the population of the UK, are born without legal identity each year.

The issue of legal identification is often taken for granted in countries such as the US and the UK, but it isn’t always easy to obtain in every country. People without proper identification are more vulnerable to crimes such as human trafficking, prostitution, and child abuse.

According to the blog post, one of the key goals of the UN SDGs is to provide legal identity to all by the year 2030, including registration of birth. The idea is that a blockchain-based identity could help toward this goal. According to Microsoft, the system would allow “people, products, apps, and services to interoperate across blockchains, cloud providers, and organizations.”



Blockstack Labs and ConsenSys bring their Bitcoin- and Ethereum-based identity solutions, Blockstack and uPort, to the mix. The open source nature of the collaboration among the companies means that the system produced will be able to work on future blockchain or other decentralized systems that may come about. Being platform or system agnostic seems like a core feature needed for this solution to be successful.

Individually, Microsoft has been making many strides in the blockchain space lately. In late 2015, it released the Ethereum Blockchain as a Service (EBaaS) on Azure, and it partnered with the R3 banking consortium in April 2016 to further its blockchain prowess. Working on a project like this identity system shows that Microsoft is interested in all aspects of blockchain technology, not just the ones that make good business sense.

Microsoft said that an open source framework will be available on Azure “in the coming weeks,” and developers will begin to be able to experiment with an identity layer in their applications.

The 3 big takeaways for TechRepublic readers

  1. Microsoft is partnering with ConsenSys and Blockstack Labs to build an open source, blockchain-based identity system that could help alleviate some of the human rights abuses suffered by people with no legal identification.
  2. The proposed system would be self-sovereign and could also help people interoperate across blockchains and cloud providers.
  3. This partnership is the latest investment in blockchain that Microsoft has made, showing that the company considers the technology important to the future of the digital world.
