Basic Email and Web Security, September 2015. Daniel Hegglin, Security Officer, [email protected]
TRANSCRIPT
Agenda
- “The Internet is a bad neighborhood.”
- How did I get here?
- Why people are so easily tricked
- Characteristics of scam emails – things to look for and tools to help
- Can I open this attachment?
- Can I click on this link?
- Q&A
How did I get here?
- Lakewood High School – Math focus
- Cal Poly SLO University – Computer Science
- Internship at IBM
- Permanent positions with IBM, Cisco, YAGO, Cabletron, and a few more
- Software Engineer in Networking
- Director of Service and Support
- Back to Engineering!
How did I get here?
Day of a software security engineer:
- Lots of coordination
- Planning and validating
- Meetings
- Coding
- Metrics and presentations
Security is a continuously evolving field. Today’s latest hacks are common tomorrow.
For security software engineers, software engineering is the first step. Make sure they do at least one internship – they will learn amazing amounts and understand what it’s like.
Real K-State Federal Credit Union web site
Fake K-State Federal Credit Union web site used in spear phishing scam
Spear phishing scam received by K-Staters in January 2010. “Phishing” scams try to trick you into providing private information, like a password or bank account info. “Spear phishing” targets a specific population – in this case, K-State email users.
The malicious link in the email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which will steal your eID and password if you enter them and click “Sign in”. Note the URL highlighted in red – “flushandfloose.nl”, which is obviously not k-state.edu.
Real SSO web page
Fake SSO web page
Real SSO web page – note “https”
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – use the eID verification badge to validate
Fake SSO web page
Result of clicking on eID verification badge on a legitimate K-State web site that uses the eID and password for authentication
Most Effective Spear Phishing Scam
How to identify a scam
General principles:
- Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
- Use common sense and logic – if it’s too good to be true, it probably is.
- Think before you click – many have fallen victim due to a hasty reply
- Be paranoid
- Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
Characteristics of scam email:
- Poor grammar and spelling
- The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
- Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
- It asks for private information like a password or account number
- The message contains a link where the displayed address differs from the actual web address
- It is unexpected (you weren’t expecting Joe to send you an attachment)
- Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed only “Webmail administrator”
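The characteristics above can be checked mechanically. This is an added example, not code from the talk: it parses a raw message and reports the sender-domain, private-information and displayed-vs-actual-link indicators. The trusted domains come from the slide; the sample message is constructed here, modelled on the January 2010 scam, and the regex anchor matcher is an assumed simplification that only handles plain HTML bodies.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = ("ksu.edu", "k-state.edu")   # senders the talk treats as familiar
SUSPECT_PHRASES = ("password", "account information", "mail control unit")
# Crude anchor matcher: good enough for the simple HTML bodies phishing mail tends to carry.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def address_domain(header_value):
    """Lowercase domain of an address header such as From: or Reply-To:, '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def scam_indicators(raw_message):
    """Return the scam characteristics found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for hdr in ("From", "Reply-To"):
        dom = address_domain(msg[hdr])
        if dom and not is_trusted(dom):
            found.append(f"{hdr} domain {dom} is not a campus domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for phrase in SUSPECT_PHRASES:
        if phrase in text.lower():
            found.append(f"asks for private information ({phrase!r})")
    for href, shown in ANCHOR_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", shown).strip()   # drop tags nested inside the anchor
        # The address the reader sees differs from the real destination behind the link.
        if re.match(r"https?://", shown) and shown.rstrip("/") != href.rstrip("/"):
            found.append(f"link shows {shown} but points to {href}")
    return found

# Constructed sample modelled on the January 2010 K-State spear phish; not a real message.
SAMPLE = """\
From: Webmail administrator <admin@flushandfloose.nl>
Reply-To: helpdesk@mailer.example
To: user@k-state.edu
Subject: Verify your eID
Content-Type: text/html; charset=utf-8

<p>Send your password to the MAIL CONTROL UNIT or sign in at
<a href="http://flushandfloose.nl/sso/">https://signin.k-state.edu/</a></p>
"""
```

Run `scam_indicators(SAMPLE)` to see all five indicators fire; a plain note from a ksu.edu address with no links returns an empty list.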
How to identify a scam
- Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
- Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
- They take advantage of epidemics or health scares, like the H1N1 scam last year
- Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
- If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
- Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious
- Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
Useful sources of information
- Google – search for a unique phrase in the suspected scam to see what others are reporting about it
- Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
- Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
- Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
- K-State’s IT security web site, updated regularly: SecureIT.k-state.edu
- Current threats and spear phishing scams posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/
Evaluating attachments
Don’t open email attachments you were not expecting:
- From someone you do not know
- From someone you know, but weren’t expecting them to send you a file (infected computers can send malicious emails from the owner of the computer to everyone in their email address book)
- This is especially true if the content of the email message is brief, vague, and/or unusual
Evaluating attachments
- Ignore or delete it if it’s not expected or important; it is not worth the risk of opening it and infecting your computer
- Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
- If there’s any reason to believe it might be legitimate, validate the attachment before opening it:
  - Contact the sender and ask if it is legit
  - Ask your IT support person or the IT Help Desk
  - Test it with antivirus software to see if it is a known malicious program
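The “.exe inside a .zip” trick can be checked without extracting anything. This is an added example, not code from the talk: it lists archive members that are executables, by name and, more usefully, by the “MZ” signature every Windows executable starts with, which catches a program renamed to look like a picture. The sample archive is constructed in the code, and the extensions beyond .exe are assumed additions.

```python
import io
import zipfile

# .exe comes from the talk; the other suffixes are assumed additions covering other
# Windows executable types that email systems also tend to block outside an archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

def executable_entries(zip_bytes):
    """Return archive members that are executables, judged by extension or by content."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            # The name check catches the obvious case; the "MZ" header (the Windows
            # PE/DOS executable signature) catches a program renamed to look harmless.
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or head == b"MZ":
                found.append(info.filename)
    return found

def build_sample_zip():
    """Constructed attachment for the demo: one text file plus two executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "just a note")
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 14)   # header bytes only, not a real program
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 14)     # executable disguised by its extension
    return buf.getvalue()

if __name__ == "__main__":
    print("executables inside attachment:", executable_entries(build_sample_zip()))
```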
What can we do?
- Remember – Hallmark, amazon.com, Twitter, etc. do not send information or instructions in attachments
- Don’t open an attachment unless you are expecting it and have verified with the sender
- Analyze attachments before opening them
- Think before you click
- Be paranoid!

Malicious links/sites – to click or not to click, that is the question.
- Malicious advertisements
- Drive-by download (you don’t even have to click!)
- Search engines tricked into presenting a malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning)
Web Browsing Threats
Can I click on this?
- Watch for a displayed URL (web address) that does not match the actual one:
  displayed: http://update.microsoft.com/microsoftupdate
  actual: http://64.208.28.197/ldr.exe
- Beware of a link that executes a program (like ldr.exe above)
- Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
- Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
Can I click on this?
- Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
  From: Capital One bank <[email protected]>
  URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
- IE8 highlights the actual domain name to help you identify the true source. Here’s a web address from an IRS scam email that’s actually hosted in Pakistan:
Can I click on this?
- Beware of domains from unexpected foreign countries:
  Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
  Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
  Lithuania: http://kateka.lt/~galaxy/card.exe
  Hungary: http://mail.grosz.hu/walmart/survey/
  Romania: http://www.hostinglinux.ro/
  Russia: http://mpo3do.chat.ru/thanks.html
- MANY scams originate in China (country code = .cn)
- Country code definitions available at: www.iana.org/domains/root/db/index.html
Can I click on this?
- Watch for malicious URLs cloaked by URL shortening services like TinyURL.com, Bit.ly, and CloakedLink.com
Can I click on this?
- TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
- Bit.ly has a Firefox add-on to preview shortened links: addons.mozilla.org/en-US/firefox/addon/10297 It also warns you if the site appears to be malicious:
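The “Can I click on this?” rules above reduce to a few lexical checks on the actual link target. This is an added example, not code from the talk: it applies the numeric-IP, executable, unexpected-country-code, embedded-brand and URL-shortener checks to one URL and returns the matching red flags. The brand, shortener and country lists are taken from the slides’ examples (a simplification: no public-suffix list, no DNS or reputation lookup), so the lists are assumptions to extend for real use.

```python
import ipaddress
from urllib.parse import urlsplit

# Brand domains that appeared embedded in unrelated URLs in the talk's examples.
BRAND_DOMAINS = ("capitalone.com", "capitalonebank.com", "microsoft.com", "irs.gov")
# Shortening services named in the talk; they hide the real destination.
SHORTENERS = ("tinyurl.com", "bit.ly", "cloakedlink.com")
# Country codes the talk called out; .cn is from the "MANY scams originate in China" slide.
UNEXPECTED_CC = {"kg": "Kyrgyzstan", "pk": "Pakistan", "lt": "Lithuania", "hu": "Hungary",
                 "ro": "Romania", "ru": "Russia", "nl": "Netherlands", "cn": "China"}
EXECUTABLE_SUFFIXES = (".exe",)   # the talk's ldr.exe / card.exe examples

def host_is_ip(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_warnings(url):
    """Return the talk's red flags that apply to one actual link target (empty list = none found)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    warnings = []
    if host_is_ip(host):
        warnings.append(f"host is a numeric IP address ({host})")
    if path.endswith(EXECUTABLE_SUFFIXES):
        warnings.append(f"link downloads a program ({path.rsplit('/', 1)[-1]})")
    tld = host.rsplit(".", 1)[-1]
    if tld in UNEXPECTED_CC:
        warnings.append(f"hosted under country code .{tld} ({UNEXPECTED_CC[tld]})")
    for brand in BRAND_DOMAINS:
        owned = host == brand or host.endswith("." + brand)
        # A brand name in the host or path of a site the brand does not own is the
        # "legitimate domain embedded in an illegitimate one" pattern.
        if not owned and (brand in host or brand in path):
            warnings.append(f"legitimate domain {brand} embedded in an unrelated URL")
    if host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS):
        warnings.append("shortened link: preview the real destination before visiting")
    return warnings

if __name__ == "__main__":
    for link in ("http://64.208.28.197/ldr.exe",
                 "http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/",
                 "https://signin.k-state.edu/"):
        print(link, "->", url_warnings(link) or ["no red flags"])
```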
Malicious Advertisements
It isn’t just the NY Times…
ratemyprofessors.com (!!), msnbc.msn.com, health.msn.com, music.msn.com, astrology.msn.com, realestate.msn.com, usatoday.com, cnbc.com, digg.com, mail.live.com, addictinggames.com, foxsports.com, hollywoodreporter.com
These legitimate sites are not in cahoots with the criminals; they’re just not careful enough in screening ads from third-party ad networks.
Drive-by Downloads
- The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without you knowing it.
- Symantec claims every one of the top 100 websites in the world has served up malicious code at some point
- JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF Reader, Java, or Flash… or all three; this is why a tool like NoScript, or something that blocks ads, is effective
Drive-by Downloads
- Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – they make you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100, and they steal your credit card information as well
- Can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …
- Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at virustotal.com before launching
- Prevent this by keeping Adobe Reader, Flash, and Java updated with the latest security patches
What’s a feller to do?
If you’re not scared by now, then I’m worried about you and I pity your IT support person
Conclusion
- There’s no way to be 100% secure surfing the web these days
- Use a multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate yourself)
- These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate
- Think before you click!
What’s on your mind?