<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hacker4Lease - IT Security Services &#187; White Papers</title>
	<atom:link href="http://www.hacker4lease.com/category/white-papers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hacker4lease.com</link>
	<description>The IT and Security Source</description>
	<lastBuildDate>Mon, 06 Feb 2012 21:11:43 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>IT Security for Spear Phishing</title>
		<link>http://www.hacker4lease.com/2012/02/370/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2012/02/370/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 21:07:15 +0000</pubDate>
		<dc:creator>Karen</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=370</guid>
		<description><![CDATA[IT Security Services Focus on Spear Phishing
Phishing.  It’s been a hot topic and the focus of IT security services companies for a long time.  What is it?  Phishing is a way of acquiring information, including usernames, passwords, and credit card details, as well as other personal information, through methods that masquerade as trustworthy entities. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong>IT Security Services Focus on Spear Phishing</strong></p>
<p>Phishing.  It’s been a hot topic and the focus of IT security services companies for a long time.  What is it?  Phishing is a way of acquiring information, including usernames, passwords, and credit card details, as well as other personal information, through methods that masquerade as trustworthy entities.  For example, emails meant to look like official emails from a bank or other official business are intended to make the recipient “log on” to the phisher’s website and provide user names and passwords.</p>
<p>A more advanced type of phishing is what is termed spear phishing.  This type of phishing has led to a lot of concern from the IT security services market.  With spear phishing, the phishing emails target specific organizations in an attempt to gain unauthorized access to confidential data.  With traditional phishing, the emails typically appear to come from large, well-known companies such as eBay or Paypal; conversely, spear phishing emails appear to come from an individual within the recipient’s company and often from persons holding authority.</p>
<p>IT security assessment services and IT security watchdogs have discovered yet another highly targeted email attack using phony conference invitations to garner information from recipients.  These spear phishing attempts are targeting government related organizations around the world, specifically those related to the defense industry.  The focus of the attacks is to try to use existing security flaws in various Adobe programs to place a Trojan on vulnerable computers, thus providing backdoor access for hackers to hijack the system.</p>
<p>The malware, once placed, becomes undetectable by disguising itself as a Windows Update utility.  Security researchers from IT security services companies, Seculert and Zscaler ThreatlabZ, uncovered this particular spear phishing method.  After joining forces to analyze the incidents involving the malware, they issued a joint warning.  Similar spear phishing attacks were tracked back to 2009.   The most recent targets of these attacks are companies (foreign and domestic) that own intellectual property related to geospace, aerospace, and defense industries.  Of particular concern is the level of sophistication of the malware.  Malware that infiltrates into virtual machine environments will simply exit the machine.  In suitable environments, the malware is implanted and the infected machine connects with the command-and-control (C&amp;C) server then transmits system information such as the type of operating system and identifiers that allow the zombie to authenticate with the server.  After the initial connection is successfully completed, the infected system gains the potential to download and upload files, as well as executing commands.</p>
<p>With this latest method of spear phishing, recipients receive emails that contain PDF attachments from phony companies, inviting recipients to various conferences.  The PDF files contain malware that, once opened, exploits zero-day vulnerabilities in Adobe Reader, allowing for installation of the RAT (Remote Access Trojan) malware.  Because the malware disguises itself as a Windows Updater, the Trojan is named the MSUpdater Trojan.</p>
<p>At this time the people responsible for these attacks are unknown.  Given that the targets are all specific government related organizations, there is suspicion that the attackers are high-profile entities, and could possibly even be a country.</p>
<p>IT security service integrators have long believed and warned that attackers responsible for spear phishing attacks start by researching their victims through professional networking sites.  This way, the attacks can be customized in ways that gain the interest of the target recipient.  For example, conference invitations include invitations to industry conferences relevant to the recipient and his or her job or interests.</p>
<p>IT security services consulting personnel advise that targeted victims should understand that the attacks are advanced threats and tend to be persistent.  Not only have the attacks continued undetected for quite a length of time, but they will continue on in the future.</p>
<p>Spear phishing takes many forms.  A recent example is the Sony PlayStation Network hack.  While it is unknown how much personal information was hijacked through this attack, it is believed it was much worse than the Epsilon and PSN breaches.    It is possible that the attackers may have gained credit card information.  Whether this is actually the case or not, it is of major concern because any information gained can subsequently be used to personalize future spear phishing attacks.  Spear phishing attempts are much more convincing when they contain personalized information and whether or not the original attacks garner the desired information, with personalization, the odds of gaining further information go up when more personal information is available to include in future spear phishing efforts.</p>
<p>What is known at the present time is that the attackers appear to be very patient and take the time to thoroughly research their targets.  Tending to target organizations whose intellectual property and assets have high value, the malware campaigns constantly evolve with frequent changes in binaries, which serves to allow the malware to continue to fly under the radar.</p>
<p>Law enforcement agencies such as the FBI take spear phishing seriously.  Organizations such as the US Secret Service and the investigative agencies related to the various Departments of Defense actively work to uncover and contain it.  In the meantime, people and organizations must be wary.  The keys for combatting spear phishing attempts are vigilance, IT security risk assessment services and, where necessary, outsourcing IT security services.  Education is vital and includes methods to determine whether URLs are legit, not clicking on email links, and keeping security tools active – and current!  It is money well spent to employ IT security services consulting companies to perform risk assessment and education, and to consider managed IT security services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2012/02/370/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Application Penetration Test</title>
		<link>http://www.hacker4lease.com/2009/12/web-application-penetration-test/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/web-application-penetration-test/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 00:46:49 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=19</guid>
		<description><![CDATA[A web application penetration test is concerned with evaluating the security of various web applications. A malicious user called Black Hat Hacker or Cracker is used for bringing about a false attack on the system. This helps in determining the possible threats to the computer system, thus facilitating the penetration test. It is a comprehensive process that analyzes the system for any potential vulnerability. The vulnerabilities may be caused due to a number of reasons;]]></description>
			<content:encoded><![CDATA[<h2 class='blueHead'>Platinum Web Application vulnerability assessment and penetration test</h2>
<p class="bodyMat">The combination of a manual and tools vulnerability assessment and a penetration test will provide you with the most accurate results possible. The main difference between the Platinum test and the other tests is that you will not only get a list of the vulnerabilities found, which can be false positives, you will also be able to see which vulnerabilities I was able to exploit. This will show you the most up to date security status of your network, server and application.</p>
<div class="serviceBlock">
<h4 class='questionHead'><span class="number">1</span><span class="txt">Web Application Penetration Testing by Hacker4lease</span><br class="spacer" /></h4>
<p class="services_content"><strong>A  Web application penetration test</strong> involves the work of  an IT security expert who has the requisite skills in the sector of web  application security solutions and who is conversant with the varied methods of  hacking.</p>
<p class="services_content">Web applications in today’s world perform a  number of crucial tasks, and these applications have the ability to gather,  process and circulate information through the World Wide Web. However, the  ability to address such task exposes the application to varied security risks.  At times, traditional security solutions such as firewalls and anti-virus  protection fail to offer the necessary security the application requires, as  the vulnerabilities go beyond what those applications can secure. It is here  where the application can fall prey to the business of hacking, and significant  information from the system is stolen or the application itself is damaged. So,  what can a website owner possibly do to prevent such mishaps?</p>
<p class="services_content">A website owner is not always aware of all of the weaknesses present in an application, even though he may have done an excellent job of securing his applications. Thus, a penetration test by an expert can reassure the website owner about the strength of his security. Experts at Hacker4lease are well equipped with the requisite skills and knowledge necessary for conducting a comprehensive <strong>Web Application Penetration Testing</strong>.</p>
<p class="services_content">A <strong>Software Penetration Testing</strong> conducted by Hacker4lease is executed in a phased manner. The steps are designed to detect flaws or the possible exploits in the system. The first step involves accumulating information about the application and the related infrastructure. Following this, a penetration test is conducted on the infrastructure to examine the security system and locate the vulnerabilities. As the existing vulnerabilities are revealed, it offers more power and resources to exploit the web application as well. Consequently, the existing loopholes and the possible entry points in the web application are exposed. Experts at Hacker4lease master the task of eliciting the weaknesses by conducting a <strong>web application penetration test</strong> and also provide recommendations for combating the existing vulnerabilities.</p>
</p></div>
<div class="serviceBlock">
<h4 class='questionHead'><span class="number">2</span><span class="txt">Software Penetration Testing </span><br class="spacer" /><br />
						</h4>
<p class="services_content"><strong>Software Penetration Testing</strong> involves the  evaluation of the security system of your network by posing an attack in the  disguise of a malicious user. The test carried out is an effective tool, which  can evaluate the ability of your application to withstand a hacker attack.  After the tests are completed, any loophole in the application is detected and  reported. Thus, you can get the latest security position of your server,  network and applications. However, the tests must be carefully and correctly  executed, since a poorly executed test can possibly cause significant damage,  including system outages. Moreover, if the wrong tests are applied or the right  tests are incorrectly executed, it will reveal very little about the existing  faults in the system and the erroneous results might even create a false <a name="OLE_LINK2" id="OLE_LINK2"></a><a name="OLE_LINK1" id="OLE_LINK1">sense  of security</a>.</p>
<p class="services_content">Web applications are increasingly turning more  sophisticated with time, and thus, they are becoming more critical for every  online business. Even though the requisite sophistication is embedded in these  web applications, their constant utilization and public accessibility expose  them to hacker attacks. The traditional anti-virus and firewall protection, at  times, fail to protect the web applications from such attacks, resulting in  mass damage. The <strong>web application  penetration test</strong> ‘penetrates’ into your security system just the way a  hacker will enter and thus, revealing the weak sections of the application.</p>
<p class="services_content">The entire process of the <strong>Web Application Penetration Testing</strong> incorporates examining a running  application with the most up-to-date tools. The testing is usually done  remotely without any knowledge of the intrinsic details of the application.  However, the best possible time to carry out the test is when the application  is not busy or no maintenance work is going on. To get the most accurate  results, the testing must be done with concrete planning and by adopting a  series of systematic and repeatable tests.</p>
<p class="services_content">The <strong>web application penetration test </strong>is a  pretty elaborate one, since the penetration process incorporates a number of  tests and repeated tests to spot the existing faults and any  vulnerability that can be exploited.</p>
<p class="services_content">A <strong>web application  penetration test</strong> is concerned with evaluating the security of  various web applications. A malicious user called Black Hat Hacker or Cracker  is used for bringing about a false attack on the system. This helps in  determining the possible threats to the computer system, thus facilitating the  penetration test. It is a comprehensive process that analyzes the system for  any potential vulnerability. The vulnerabilities may be caused due to a number  of reasons;</p>
<p class="services_content">Improper or poor system configuration, various  types of known or unknown hardware or software flaws may cause the  vulnerabilities. Technical countermeasures or operational weaknesses may also  lead to various threats to the computer network or system. A <strong>Software Penetration Testing</strong> is carried out from  the position of a potential attacker. This might result in active exploitation  of the existing security vulnerabilities. The security issues discovered  through this process are presented to the system owner. This analysis also  consists of a thorough assessment of its impacts and a proposal or technical  solution for mitigation or elimination of the problem.</p>
<p class="services_content">A <strong>web application  penetration test</strong> is mainly concerned with detecting the security  threats posed to the web applications. Companies and enterprises all over the  world are increasingly using the internet for carrying out their operations.  But, professional testing, on a regular basis, for vulnerabilities or possible  threats, is carried out on a meager percentage of websites. This increases the  chance of website attacks, eventually affecting the web applications to a large  extent.</p>
<p class="services_content"><strong>Web application penetration tests</strong> help in identifying various security issues. The threats and risks in the web applications, known as well as unknown, can be detected, allowing effective combating of the risks. Various technical vulnerabilities like SQL injection exploit, session hijacking, URL manipulation, web server configuration etc. are also identified through the test. The business risks involved in day to day internet usage are also detected by this process. Risks such as unauthorized logins, pricelist modification, unauthorized transfer of funds, modification of personal information etc. can be checked by penetration tests. Therefore, penetration tests help in safeguarding the computer system as well as the network, ensuring safety of an enterprise.</p>
</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/web-application-penetration-test/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Software Life Cycle</title>
		<link>http://www.hacker4lease.com/2009/12/software-life-cycle/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/software-life-cycle/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 01:32:54 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=35</guid>
		<description><![CDATA[A critical phase in the software development cycle. During this phase, the project is defined, everyone involved gets the proposal document for review and a risk analysis is performed on the project to address any threats during the Design and Development phase.]]></description>
			<content:encoded><![CDATA[<p class="bodyMat">The Software Life Cycle is a six-stage process by which new software is built and maintained.</p>
<ol class="identity">
<li>Initiation &#8211; project is defined.</li>
<li>Analysis – functional and physical characteristics are defined.</li>
<li>System Specification – hardware specifications defined.</li>
<li>Design and Development – code is being created.</li>
<li>Implementation – product being implemented.</li>
<li>Maintenance – application is being maintained and/or disposal.</li>
</ol>
<h2 class='blueHead'>Phase 1 &#8211; Initiation</h2>
<p class="bodyMat">A critical phase in the software development cycle. During this phase, the project is defined, everyone involved gets the proposal document for review and a risk analysis is performed on the project to address any threats during the Design and Development phase.</p>
<h2 class='blueHead'>Phase 2 – Analysis</h2>
<p class="bodyMat">A document is being generated  and outlines the functional characteristics of the project. A project  plan and a design document are being developed to define the project  requirements, such as number of employees involved in the project,  employees skill set, schedules, etc. Policies are being developed to  outline the software baselines, guidelines, standards and procedures.  The security and performance requirements are being determined in this  phase as well.</p>
<h2 class='blueHead'>Phase 3 – System Specification</h2>
<p class="bodyMat">This phase addresses the hardware and physical layers of the project. What kind of hardware is required to run the application, how the software is going to access the hardware, which servers are going to be used, which networks are going to be used by the software (Internet, Intranet, etc), and more.</p>
<h2 class='blueHead'>Phase 4 &#8211; Design and Development</h2>
<p class="bodyMat">Most companies skip phases 1-3 and jump straight to phase 4 (Design and Development) which is wrong, irresponsible and expensive. </p>
<p>The Design and Development is a technical phase that is supposed to meet the requirements defined during the analysis phase. The software needs to be tested and verified so that it meets the design specifications (Verification process) and fulfills the business needs (Validation process).</p>
<h2 class='blueHead'>Phase 5 – Implementation</h2>
<p class="bodyMat">The software is now ready and functioning as it is supposed to. Now is the time to install the application on the computers/servers and run further testing and inspections.</p>
<p>Accreditation and certification (confirmation of the software characteristics defined in phases 1-3) are initiated and completed.</p>
<h2 class='blueHead'>Phase 6 – Maintenance</h2>
<p class="bodyMat">The last phase of the software life cycle includes software updates and bug fixes. Customer requests are integrated during this phase and not the previous phases, which minimizes customer interruptions during software development (a project management dream).</p>
<p>Another important aspect of phase 6 is that software auditing and constant security tests are performed to ensure that the software performs as designed and specified.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/software-life-cycle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Undefeatable Password</title>
		<link>http://www.hacker4lease.com/2009/12/undefeatable-password/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/undefeatable-password/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 01:47:18 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=43</guid>
		<description><![CDATA[You might have heard the term “Strong Password” and may have wondered what it meant. Strong implies that it is more difficult to compromise and making it a stronger password is fairly easy to do. First we would like to lay out a few background facts and then we will show you an easy way to create a strong password.]]></description>
			<content:encoded><![CDATA[<h2 class='blueHead'>You and Your Password</h2>
<p class="bodyMat">You might have heard the term “Strong Password” and may have wondered what it meant. Strong implies that it is more difficult to compromise and making it a stronger password is fairly easy to do. First we would like to lay out a few background facts and then we will show you an easy way to create a strong password.<br />
                      <br />
                  Facts:</p>
<ul class="identity1">
<li>People are the weakest link in the security chain, and the easiest way to get a user&#8217;s login details is by asking him/her for it (see our related article on Social Engineering techniques to see how this is done).</li>
<li>Breaking Alpha Numeric (numbers and letters only) passwords will only take a few minutes for a skilled hacker, even if it is up to 14 characters long.</li>
<li>Most passwords are a combination of a name plus a few numbers and 8 characters long (jack1234).</li>
<li>Most people will write down their passwords and store them in an obvious place like under the keyboard or pasted to the monitor.</li>
</ul>
<h2 class='blueHead'>Strong Passwords</h2>
<p class="bodyMat">The real goal here is to make a password that is not only strong but  one that is easy enough for you to remember without writing it down.<br />
                    We  recommend creating a password with two distinct parts: part one is the  password’s first 3 characters combined with the last 3 characters, and  part two is the characters between those two sections.<br />
                    Part one can be a constant and part 2 will need to change every time you change your password. We recommend changing your password every 30-60 days – I know this sounds tedious but reassembling your credit ratings and trying to recover your stolen house are far more troublesome!
                  </p>
<h2 class='blueHead'>Part One</h2>
<p class="bodyMat">Part one contains the first and the last characters of the password and we recommend that it contain symbols and/or special characters and/or numbers. By using the special characters you are making a Brute Force attack a much more challenging exercise for a hacker. A Brute Force attack is when someone uses software to attempt every possible combination until one works. For every character you add to the sample set the job gets much larger for the attacker. Eventually if enough different characters/symbols are used it becomes impossible to use Brute Force unless they have a few months to wait for the password.</p>
<p class="bodyMat">A key concept of part one is to build it in a way that you will remember it.<br />
                    For example: !@# )(* seems rather random but it's actually (looking at the keyboard) 123 and 098. You can now see that you can leverage extra symbols in a way that is meaningful only to you.
                  </p>
<h2 class='blueHead'>Part Two</h2>
<p class="bodyMat">Part two needs to have at least 8 characters using lower and uppercase letters and also numbers (same rules as you typically use now when renewing your passwords).<br />
                    <br />
                    For example: Lior1234</p>
<p class="bodyMat">So my Strong Password could be: !@#Lior1234)(*</p>
<p class="bodyMat">Remember the goal of using as broad a symbol set as possible and still making it easy for you to remember. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/undefeatable-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SQL injection exploits – The full story</title>
		<link>http://www.hacker4lease.com/2009/12/sql-injection-php-asp-net-java-etc/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/sql-injection-php-asp-net-java-etc/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 01:49:01 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=46</guid>
		<description><![CDATA[SQL injection exploit is a well known threat. Typically either the URL or a screen input form can be used to deliver the unwelcome SQL commands. This is an attack that is easy to execute and does not require significant technical skills to perform. The approach is essentially to use a valid input method where the application is expecting some legitimate SQL commands, and to instead substitute your own malicious SQL commands. These commands can be used to steal data, destroy data or just to disrupt database operations.]]></description>
			<content:encoded><![CDATA[<p class="services_content">ASP SQL Injection attacks pose a direct threat to the database layer in an application. They enable hackers to steal vital information from organizations. In the case of ASP SQL injection, due to inefficient or lax application of security within the web application, the hacker is allowed to inject an SQL command in order to achieve access to the information stored in the database.</p>
<p class="services_content">How does the entire process unfold? Databases maintain the critical information used within a website. They allow visitors to the website to collect and submit information from the database through a web browser. In this hacking technique, an SQL command is sent through a web application for implementation by being tacked on to normal data entry. In case the commands are not filtered properly, web applications are likely to face hacker attacks through <strong>SQL injection PHP</strong>. Since databases are the core point of a website, they store information related to the customers, employees, suppliers and other stakeholders related to the website. A database may store vital information about company statistics, payment information and other user credentials. Therefore, an SQL injection attack allows a hacker to extract vital information from the database of a website. Parts of a website that may give the scope to a hacker to execute an attack are support request forms, login pages, product request forms, search pages, feedback forms and shopping carts. For instance, when visitors log into a website from a login page entering their username and password, they submit their details and queries through a form. The SQL query is then sent to the database for confirmation where the user gains access to various sections of the website. At this point, an SQL injection attack can enable a hacker to access information stored in the database by adding SQL commands to the data entry in the form.</p>
<p class="services_content">A hacker making use of <strong>SQL injection PHP</strong>, ASP, .NET, JAVA can gain complete access to the database of a website and get empowered through any kind of information that is gathered in the process.</p>
<p class="services_content">More&#8230;</p>
<div class="vulnerability">
<ul>
<li><a class="lessheight" href="http://www.hacker4lease.com/backdoor.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Backdoor and debug options</a></li>
<li><a href="http://www.hacker4lease.com/buffer-overflow.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Buffer overflow</a></li>
<li><a href="http://www.hacker4lease.com/cookie-poisoning.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Cookie poisoning</a></li>
<li><a href="http://www.hacker4lease.com/cross-site-scripting.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Cross site scripting</a></li>
<li><a href="http://www.hacker4lease.com/forceful-browsing.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Forceful browsing</a></li>
<li><a href="http://www.hacker4lease.com/hidden-manipulation.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Hidden manipulation</a></li>
<li><a href="http://www.hacker4lease.com/sophisticated-attacks.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Sophisticated HTTP attacks</a></li>
<li><a href="http://www.hacker4lease.com/sleath-commanding.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Stealth commanding</a></li>
<li><a href="http://www.hacker4lease.com/suspicious-content.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Suspicious content</a></li>
<li><a href="http://www.hacker4lease.com/xml-soap.html#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">XML soap vulnerabilities</a></li>
</ul>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/sql-injection-php-asp-net-java-etc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>File Intrusion</title>
		<link>http://www.hacker4lease.com/2009/12/file-intrusion/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/file-intrusion/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 02:00:02 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=48</guid>
		<description><![CDATA[An intruder file is introduced into the hosted web site through an invasive file submission. This threat can be executed very simply through a short HTML form (3 lines!). This is a less common but highly impactful attack. Any file of any type can be introduced in this fashion, and unless you have taken specific measures to prevent this specific type of an attack, your web site can be easily breached.]]></description>
			<content:encoded><![CDATA[<p class="mainHead">&nbsp;</p>
<h2 class='blueHead'>Threat description</h2>
<p class="bodyMat">An intruder file is introduced into the hosted web site through an  invasive file submission. This threat can be executed very simply  through a short HTML form (3 lines!). This is a less common but highly  impactful attack. Any file of any type can be introduced in this  fashion, and unless you have taken specific measures to prevent this  specific type of an attack, your web site can be easily breached.</p>
<p class="bodyMat">This threat is a multistage attack, with each subsequent step driving the attack further into the web site.</p>
<p>                      Stage 1: upload the intruder file via the short form</p>
<p>                      Stage 2: activate the file</p>
<p>                    Stage 3: retrieve any stolen data (password, client files etc…)</p>
<h2 class='blueHead'>Threat impact if not remedied</h2>
<p class="bodyMat">Depending on the file type uploaded different impacts can be felt. The  file types can range from executables delivering viruses or destroying  data through to simple text files with scripts that can further  compromise security through password discovery. The damages of this  type of an intrusion are limited only by the intentions and creativity  of the attacker.
                  </p>
<h2 class='blueHead'>Countermeasure approach</h2>
<p class="bodyMat">The countermeasures for this type of attack cannot be effectively  deployed at the network or host layer. Firewalls and host intrusion  detection tools cannot detect this type of an attack as the channel for  the attack is a legitimate channel for data flow into the application.  The file would flow right through the open ports on the firewall and  would march right past host intrusion detection software. The only way  to use these tools to protect you would be the blunt approach of  screening out all uploaded data and/or files. This would likely  constrain the application in question. However if the below described  approach is taken, then these tools can play a small part in the  ongoing remediation.</p>
<p>                    Instead, the countermeasure must be deployed at the application level. This threat is remedied by building a filter on uploaded data. Many websites have pages that allow for data to be legitimately uploaded, so files must be screened. The filter has a predefined sequence of steps it takes to assess the data. The filter will vary by the application and environment it is protecting. It can assess a variety of things, from the file source (legitimate server?) through to the content.</p>
<p>                  As expressed, the filters will vary greatly by application, but a simple example of the sequence could be:</p>
<h2 class='blueHead'>File acceptance steps</h2>
<p class="bodyMat">Step 1) Server source of file inspected – valid server? yes/no</p>
<p>                    Step 2) Page source is inspected – valid page for file upload? – yes/no</p>
<p>                    Etc…</p>
<p>                    Once the file itself is accepted a secondary validation phase can be executed to validate the file type and content;</p>
<p>                    Content acceptance steps</p>
<p>                    Step 8) File type acceptable – valid file type? Yes/no</p>
<p>                    Step 9) File content check – safe content? Yes/no</p>
<p>                    Etc…</p>
<p>                  This  sequence is one designed to look for reasons to reject the data. Each  step is logged and capable of an alert so that immediate, severe  threats can be addressed, and the logs can later be inspected to ensure  no legitimate data is being rejected. The logs are also a useful data  source to learn about any ongoing or continued attacks. Tip: If you see  a repeated attack from a consistent IP then the firewall can be made  more useful by adding the IP address to the blocked traffic list that  can be enforced by the firewall.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/file-intrusion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Security – Past, Present and Future</title>
		<link>http://www.hacker4lease.com/2009/12/cyber-security/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/cyber-security/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 02:01:31 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=50</guid>
		<description><![CDATA[When one takes a penetrating look at the components of computer crime it reveals itself to be the same as any other crime. There's an attacker and a victim, and the attacker requires the same three components to be successful – Motive, Opportunity and Means (MOM).]]></description>
			<content:encoded><![CDATA[<p class="mainHead">&nbsp;</p>
<h2 class='blueHead'>Threat description</h2>
<p class="services_content">When one takes a penetrating look at the components of computer crime it reveals itself to be the same as any other crime.  There&#8217;s  an attacker and a victim, and the attacker requires the same three  components to be successful – Motive, Opportunity and Means (MOM).</p>
<p class="services_content">In recent history computer crime was less prevalent as the elements of MOM were few.  Naturally  the ever-present profit has always been around, but punitive revenge  attacks such as denial of service, and malicious random attacks such as  viruses created out of ego, are relatively new Motives. </p>
<p class="services_content">Means and Opportunity have also greatly increased as both computer knowledge and computer access have increased.</p>
<p class="services_content">Years ago, few enough people knew how to operate a computer and even if they did there was little value in attacking them.  Most companies that might have been the target of an attack were not even connected to the internet.  Now that the internet is all but ubiquitous the Means and Opportunity are vastly increased.</p>
<p class="services_content">As we have evolved, computers have become more user-friendly, and many  more people have started to use them which added more MOM&#8217;s (easier  access using the internet, money transactions all over the web, on line  gaming sites, web-based banking etc…)</p>
<p class="services_content">Looking at IT security history, the bad guys were always far more sophisticated than the people who tried to stop them, if they were even aware of the threat, and the term security was only applicable in the physical world. Even if companies could conceive of IT security it was almost impossible to achieve it because of the lack of security professionals and the lack of security protection tools in the marketplace.</p>
<p class="services_content">Today it&#8217;s a different story.  MOM is more powerful than ever. Even the uninitiated can download powerful intrusion tools and can find free written guides to penetrating systems.  Millions of pages of instruction are available to anyone interested in reading them – massively accessible Means.  In a few minutes you can hack a bank account and steal someone&#8217;s life savings because there are still many financial institutions that are not protecting their clients and their systems with any sophistication – for some this presents irresistible Opportunity!  So we see the stage is set today &#8211; powerful Motive, perfect Opportunity and the best Means.</p>
<p class="services_content">Today the vulnerability in the electronic space can be reduced.  There are many products and strategies that can be deployed.  There  are many robust tools out there that log attacks and prevent them in  real-time. These tools and strategies can provide security for a  committed company.  As long as the defense is treated as an ongoing process and not an end-state the battle can be well-waged.</p>
<p class="services_content">Another new aspect is that as our laws regarding cyber crime evolve, more and more computer crimes are being sent to court and attackers are being sent to prison.  Computer crime is being prosecuted just like physical crime, so that when attackers try to attack a virtual target they will have the same chances of being caught and punished as criminals committing crimes in the physical world. Eventually only the most skilled attackers will escape prosecution, the same as in the physical world.</p>
<p class="services_content">Having had a brief look at yesterday and at today, let&#8217;s now examine what we expect for tomorrow.</p>
<p class="services_content">So can we conclude that if companies can apply their focus and attention to providing ongoing modern IT security then most of the attackers can be easily kept unemployed? Unfortunately we cannot.  As attackers are blocked from attacking one way they will seek another.  In the past, attackers attacked networks and hosts until that became too difficult, so they switched their focus to attacking applications, which were more vulnerable than hosts.</p>
<p class="services_content">Being blocked at the application level, attackers are now preying on the end users directly.  This can easily bypass most of the company&#8217;s IT security protocols and processes.  In the last few years we have seen new attack patterns like XSS, Phishing and other client side attacks which take advantage of the fact that most users know nothing about IT security or their role in keeping things secure.</p>
<p class="services_content">It was noted above that a bank with weak protection could be compromised in a few minutes.  A bank where IT security is current and advanced, can be much more difficult to compromise through a direct system attack.  A  much easier way to attack a bank account in a protected institution  would be to trick a user into providing all of their login and other  access details.  This is the goal of most Phishing emails we see on a daily basis.  These emails often ask for some sort of verification – in fact most of these emails are dressed up as security checks!  In reality the user is redirected to a cloned website where the login data is captured and later used to compromise the account.</p>
<p class="services_content">The same technique can be used for stealing security data details from employees. Phishing emails, phony phone inquiries and other social engineering techniques can be easily used to get confidential data that can later be used to penetrate corporate systems for any nefarious purpose.  Shockingly, the best way to get someone&#8217;s security details such as a login ID and password combination is to just ask them for it!</p>
<p class="services_content">So while the electronic battle is being waged in the corporate world and the defense of systems is getting better every day, individuals are still very much at risk.  Root causes are older operating systems at home (most users are still running Windows 95/98), no anti-virus protection, and the general view of the computer as a home appliance.  Unlike a refrigerator, which might run 10 or even 20 years, a computer cannot be used for the same length of time, and also you don&#8217;t store your life savings in the refrigerator (except in movies and some crazy people).</p>
<p class="services_content">People need to increase their security education and awareness and to  form new habits while breaking old ones (e.g. stop writing passwords on  post-its and sticking them to the monitor).   The more we know the more we can protect ourselves from the bad guys.<br class="spacer" />
			        </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fighting Identity Theft and Social Engineering Techniques</title>
		<link>http://www.hacker4lease.com/2009/12/fighting-identity-theft-and-social-engineering-techniques/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/fighting-identity-theft-and-social-engineering-techniques/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 02:03:27 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=52</guid>
		<description><![CDATA[Identity theft occurs when someone represents themselves as you and then enters into one or more transactions on your behalf. They can open a bank account, apply for a credit card, apply for a passport or other government ID, and they can even steal your house – selling it while you live there. The consequences of identity theft to someone’s life can be enormous and very arduous to undo.]]></description>
			<content:encoded><![CDATA[<p class="bodyMat">Identity theft occurs when someone represents themselves as you and then enters into one or more transactions on your behalf. They can open a bank account, apply for a credit card, apply for a passport or other government ID, and they can even steal your house – selling it while you live there. The consequences of identity theft to someone’s life can be enormous and very arduous to undo.</p>
<p class="bodyMat">Identity thieves rely on basic values that are part of the fabric of society – honesty, common sense and the desire to help one another.</p>
<p class="bodyMat"> Different Social Engineering techniques (synonymous with manipulation) work differently with different people. Chinese philosophy identifies 5 different types of personalities, and each type makes decisions based on different criteria. For example there are some people that are very cold and sharp and make fact based decisions. Social Engineering techniques for these people will involve explicit deals that they can&#8217;t refuse. Another example is the compassionate personality, people who love to help others. Social Engineering techniques for these people will involve a heart-breaking story which will make them give the thief what they seek.</p>
<p class="bodyMat">Each personality is susceptible to different approaches. You can develop a custom Social Engineering technique for each type of personality.</p>
<h3 class='serviceBlueHead'>Tools</h3>
<p class="bodyMat">Thieves will use Phone, Email, SMS (text messages), paper Mail and even direct contact to accomplish their task, which is getting critical information from you. All types of Social Engineering tactics are directed to the same goal and that is manipulating you into sharing sensitive information with the thief. The most common way of running a Social Engineering attack is by phone or email.</p>
<h3 class='serviceBlueHead'>Common attack scenario</h3>
<p class="bodyMat">Someone contacts you by phone in order to get some data from you. They  may introduce themselves as “Rob, calling from the Visa security  department”. They will alert you to a $2500 transaction on your account  from a location in Thailand and will ask you if you initiated this  transaction. This immediately alarms you and puts you off balance,  wanting to make the problem go away and to assure your good standing  with Visa. So when “Rob” asks you to confirm a few details such as your  Visa account Number and expiry date so he can cancel the transaction,  you will be only too happy to oblige.</p>
<p class="bodyMat">Now you have equipped the thief with all the information he needs to  run up real charges on your card, or worse, he can use that information  as leverage to commit an even bigger crime such as emptying your bank  account or stealing your house. The people committing these crimes have  no conscience and will gladly take anything and everything they can  from <strong>anyone</strong>.</p>
<p class="bodyMat">The same types of information gathering ploys are at work over other communication mediums such as Email and SMS.</p>
<h3 class='serviceBlueHead'>Dumpster Diving</h3>
<p class="bodyMat">Dumpster diving is a term used to describe when a thief takes a less obvious approach and literally digs through your garbage looking to gather data that way. Pre-approved credit applications from your bank are a great example of something valuable for an identity thief to take from your garbage. They can accumulate a fair amount of information from a few pieces of discarded mail.</p>
<h3 class='serviceBlueHead'>Prevention</h3>
<ol class="identity">
<li>Everyone should own a shredder and should use it with any discarded mail, especially anything of a financial nature.
                  </li>
<li>Be wary! There is no free lunch. No one will give you anything for free. No one can profit by giving anything away. When you receive email, paper mail or a phone call with a free offer, delete, shred or terminate the conversation as appropriate.
                  </li>
<li>If you own property, call the lawyer that worked on the transaction for you and ask him if you have Identity Theft Insurance for your property. It is also commonly referred to as Title Insurance. If you have it, ask him to send you a copy and verify its content. If you do not have Title Insurance then by all means get it immediately. It is not comparatively expensive and should only be a one-time fee. In the event that someone steals title to your house and sells it without your knowledge or consent, you can get your money back. It is common today for a lawyer working on the purchase of a house to require the buyer purchasing the house to get Title Insurance as a condition of the deal.
                  </li>
<li>Treat Email as the most unreliable communication possible! You can get Emails from a thief that appear to be from someone you know. Email is very easily altered. Banks and other financial institutions will never ask you to send them sensitive information using Email. If you get Email that asks you to send your information or click on a link to login to your account, this is likely fraud.
                  </li>
<li>In the event that a Bank, a government agency or any other service provider calls you regarding a problem and asks you to identify yourself, stop the conversation. Ask the person for his name and department and tell them that you are going to call the company and ask for them. Use the phone number that is being published on their website or printed directly on your credit card. Do not trust the phone number that they may offer to provide you.
                  </li>
<li>Your system administrator (either at work or your provider at home) will never ask you to divulge your password. Usually when a thief contacts you and asks you to change your password, he will try to put pressure on you so you will not think and will oblige him. Once you offer your password, they can obviously do damage.
                  </li>
<li>In North America people tend to trust each other unless they are alerted to something amiss. Be more suspicious of information requests and don&#8217;t be afraid to ask questions and challenge people (politely, of course). If you see someone that you don&#8217;t know working in your office (electrician, cable guy, etc.) ask your office manager who he is, or if you are the manager try to find out who he is and who gave him the permission to work in the office.
                  </li>
<li>Free software and hardware are common ways for thieves to gain your identity details. They will perhaps send you a CD with free software or provide you a free USB key with great options on it. Once you use it a spy program (Trojan horse) will likely be installed on your machine and it will:
<ul class="identity">
<li>Send the thief all your passwords, personal files, browser history and all the information you would like to be protected.
                  </li>
<li>Install a key logger that will send the thief everything you type on your keyboard, which is another avenue to trap passwords
                  </li>
<li>He can also then use your computer as a penetration point to more computers on your network or anywhere on the web
                  </li>
<li>He could also remotely install software on your machine that will make your computer a “zombie”. A zombie is a totally controlled soldier unit that acts as part of a big army, which when commanded by the attacker, can participate in attacks on targets inside or outside your company (which is a criminal offense that you now have been an unwitting part of). </li>
</ul>
</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/fighting-identity-theft-and-social-engineering-techniques/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Home use Wireless Routers – Are they safe?</title>
		<link>http://www.hacker4lease.com/2009/12/home-use-wireless-routers-%e2%80%93-are-they-safe/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed</link>
		<comments>http://www.hacker4lease.com/2009/12/home-use-wireless-routers-%e2%80%93-are-they-safe/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 02:05:25 +0000</pubDate>
		<dc:creator>lior</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.hacker4lease.com/?p=54</guid>
		<description><![CDATA[One of the most common questions I am asked regarding home use wireless routers is "What is the risk if someone uses my Internet connection?" The answer below highlights the concerns, some of which are critical. Is it just free internet they are after or is something else at work here?]]></description>
			<content:encoded><![CDATA[<p class="mainHead">&nbsp;</p>
<h2 class='blueHead'>Threat description</h2>
<p class="bodyMat">One of the most common questions I am asked regarding home use wireless routers is &#8220;What is the risk if someone uses my Internet connection?&#8221; The answer below highlights the concerns, some of which are critical. Is it just free internet they are after or is something else at work here?</p>
<p class="bodyMat">It’s not just free internet they are after. There are many other goals to using someone else’s connection. They are:</p>
<p class="bodyMat">1) Hijacked connection<br />
				    Someone using your internet connection can  use that connection to attack another computer. A hacker who tries to  attack a target, particularly a secure target, will never use his own  Internet connection because secure targets always log all activities.  While it is true that a hacker can spoof his connection details and  mask his location, it’s easier and less risky to use someone else&#8217;s  connection. That way, the hijacked connection will be logged and will  potentially get the blame for the attack, keeping the true attacker  anonymous.</p>
<p>				    2) Attack the host computer or another computer on the same network<br />
				    Despite the ever decreasing cost of buying a new computer, most computers being used in homes these days are still on old versions of operating systems such as Windows 95/98, and moreover they have no active anti-virus protection (some even have anti-virus software installed but it is not active because the trial version has expired and/or it was never even activated by the user). This is mildly surprising given the date of this writing being October 2007. This is significant due to the fact that the older operating systems are very easy to penetrate.</p>
<p>				    Once  penetrated via the wireless connection, the hacker can install simple  software, known as a Trojan horse, that will automatically transmit to  the hacker personal information such as passwords, internet history  etc… This information would allow the hacker to log in to your bank  account or even connect to your office using your VPN and do an  incredible amount of damage. </p>
<p>			      This is a common approach as it provides good results for hackers with minimal risk.</p>
<p class="bodyMat">
				    3) Hijacked computer &#8211; the Zombie<br />
				    This  differs from #1 above in that a hijacked connection can be used at that  specific time for an attack. A computer that has been compromised and  turned into a Zombie can be used repeatedly at the will of the hacker.  This is accomplished in the same way as above, through the installation  of software through the wireless connection. The software allows the  hacker to remotely activate a coordinated attack from an army of  Zombies. This then involves your computer in a criminal offense  (alarmed yet?)</p>
<p>				    4) Data Stash or Data Store<br />
				    There are many hackers who have lots of stolen (or otherwise illegal) data that they need to hide. They can easily use a victim&#8217;s machine to store the information. The techniques that they use are masked so well that only forensic computer tools can detect what has happened. The files will not be visible to the user and the disk space will also not show as used – it’s very hard to know when this has happened.</p>
<p>				    5) Bandwidth<br />
				    There are some hackers who will use your connection to download or upload very large amounts of data. These files can be many Gigabytes in size and can cause additional billing for someone’s internet connection.</p>
<p class="bodyMat">
				    6) Privacy Violations<br />
				    Imagine  a hacker activating your microphone and just listening in on  conversations in your house. They can access the camera in the same way  if your computer has one. If a corporate attack is underway, a  home-based privacy attack can provide good inputs to support a  corporate attack. A CEO or CIO might be good targets for a home based  privacy attack.</p>
<h2 class='blueHead'>How can we protect ourselves?</h2>
<p class="bodyMat">1) Configure your Operating System Firewall (most operating systems  have one included) to have some level of protection. There are also  many commercially available options that can replace or supplement the  one built into the Operating System. They are not overly complex to  configure and there are many manuals and step by step guides available  either with the software or free over the Internet.</p>
<p>                      2) Install  up-to-date anti-virus software, ideally one that also provides  anti-hacking protection. It is advisable that one also learn how to use  the software effectively as most anti-viruses have many protections  that you need to know how to work with. There are many good tools out  there, but as of this writing I use Kaspersky on my computers.</p>
<p>                      3) When your computer is not in use, shut-down your router or internet connection.</p>
<p>                      4)  If you need to store any critical information such as bank account  details, private keys or something similar, store it on secure media  such as a secure USB drive that keeps the information encrypted, and  can&#8217;t be retrieved by a hacker.</p>
<p>                    5) Use the encryption and other security features provided within the Router itself. The hardware units that provide the wireless service come complete with documentation that outlines how to configure the security features. It may take a little while to understand how to set it up and then how to configure the legitimate computers to have access, but it’s a worthwhile exercise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hacker4lease.com/2009/12/home-use-wireless-routers-%e2%80%93-are-they-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

