The Security Pub

Random Thoughts About Security

Beware of password-protected documents carrying malware

“Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware,” say the researchers. “It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.”

Check out Help Net Security for the full article

Fake Facebook Application that Steals Login Information

Yet another fake application that is stealing Facebook users’ login credentials has recently been discovered by Symantec researchers.

This application lures in users with videos titled “Tornado Randomly Appears During Soccer Game” or “Video: This is the best April Fools’ prank ever!”. When the user clicks on the message, a script is automatically downloaded that logs the user out of Facebook and then displays an error message inviting them to log in again in order to continue.

For more information regarding this “Fake” Facebook application click here.

Phishing Scams are on the Rise

“Phishing” is where fraudsters send spam or pop-up messages to lure unsuspecting recipients into volunteering personal, financial or credential-related information. That information can then be used to commit identity theft, or to enter password-protected sites using your account. As phishing schemes become more sophisticated, it becomes increasingly important to be vigilant.

Learn more about how to spot a bogus phishing message, the important steps you can take to avoid getting “hooked,” and what to do if you’ve mistakenly responded to a phishing email with your personal information.

The “Dos, Don’ts and Nevers” of Phishing

  1. DO Delete suspicious messages immediately.
  2. DON’T click on any links in the message.
  3. Instead, DO copy and paste the URL into a new browser window.
  4. NEVER respond to an unsolicited email, or supply personal information as requested by an email, even if the message looks real.
  5. NEVER supply your passwords or other sensitive information via an email message. No legitimate organization should request your password or other types of sensitive information via an email message.

What to do if you’re compromised

If you believe you might have inadvertently revealed sensitive information such as your password, you should change your password immediately.

If you provided personal financial account information that could be used for identity theft or fraud in response to a fraudulent e-mail claiming to be sent by an outside agency, you should immediately contact the company being spoofed.

Form Based Phishing Attacks are on the RISE

As always, spammers are keeping abreast of the season’s important events, and know that January is when the public usually submits tax returns and starts getting refunds. Websense is reporting that the form-based approach is being used more frequently than the usual direct links to phishing sites.

What are form-based email attacks?

Form-based attacks are just another type of phishing attack. Instead of using a link to take the user to a phishing site, the attacker includes a form in the email itself that the user is asked to complete. When the user completes the form and submits it, the details are sent directly to the attacker. Here is a short video that shows an example.
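As an added illustration (not part of the original post), here is a small Python detector for the form-based technique just described: it parses an HTML email body and flags any form that posts to a host other than the claimed sender’s domain, or that collects credential-like fields. The sample message, the sender domain taxagency.example and the list of sensitive field keywords are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keywords for credential-like field names (not from the original post).
SENSITIVE_FIELDS = ("password", "passwd", "pin", "ssn", "card", "account", "routing")


class FormFinder(HTMLParser):
    """Collect every <form> in an HTML body with its action URL and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def flag_form_phish(html_body, sender_domain):
    """Return findings for forms posting outside the sender's domain or collecting
    credential-like fields; an empty list means nothing suspicious was found."""
    parser = FormFinder()
    parser.feed(html_body)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"form posts to '{form['action'] or '<unset>'}', not to {sender_domain}")
        sensitive = [n for n, t in form["fields"]
                     if t == "password" or any(k in n.lower() for k in SENSITIVE_FIELDS)]
        if sensitive:
            findings.append("form collects sensitive fields: " + ", ".join(sensitive))
    return findings


# Constructed sample of a tax-refund themed, form-based phishing message.
SAMPLE = """<html><body><p>Your refund is ready. Confirm your details below.</p>
<form action="http://refund-check.example/collect.php" method="post">
Name <input name="fullname"> SSN <input name="ssn"> Card <input name="cardnumber">
PIN <input name="pin" type="password"> <input type="submit" value="Claim refund">
</form></body></html>"""
```

Running `flag_form_phish(SAMPLE, "taxagency.example")` reports both the foreign form target and the SSN, card and PIN fields; a form on a subdomain of the sender that only asks for an email address produces no findings.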

Security Awareness: Social Engineering Part Two

This is the last article in this two-part series on Social Engineering. The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of this article, social engineering refers to an approach to gaining access to information, primarily through misrepresentation, that often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. There are other ways that a perpetrator may prey on trusting human nature to gain access to information or systems.

Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else (e.g., a senior official or someone from the help desk). The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation, prompting you to react before you’ve fully thought through the consequences.

Remember to be cautious when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim that’s the only way they can assist.

PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or the building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. This is referred to as “piggybacking” or “tailgating.”

Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing”, and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

BAITING

This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. Topics of conversation can also be introduced based upon the replies received. Small facts are interjected at the right time into the conversation to make requests for information sound legitimate. Information you know could be valuable to an attacker, whether it concerns your work environment, fellow employees, projects, or personal details, must be handled with extreme care. Be mindful of what you say to whom.

SURVEYS

Many of us have no doubt been recipients of requests to participate in surveys—whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your company, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.

DUMPSTER DIVING

Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy these items appropriately.

Putting It All Together

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information.

  1. Before releasing any information to anyone, it is essential to at least establish: the sensitivity of the information; your authority to exchange or release the information; the real identity of the third party (positive identification); and the purpose of the exchange.
  2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
  3. Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
  4. If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.

Security Awareness Topic 2 – Social Engineering (1 of 2)

What is Social Engineering?

Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. - Wikipedia

Background

Like fraudsters generally, social engineers take advantage of human gullibility.

Social engineers manipulate people into revealing or allowing access to information assets by taking advantage of psychological traits (e.g., trust). Social engineering attacks play directly on the most vulnerable part of our information security framework: you and me. We are the weakest link in information security’s chain.

In a corporate context, social engineering is a factor in many information security incidents, including (perhaps especially) those perpetrated by insiders. Associates have plenty of opportunities to use social engineering on each other, whether under the guise of casual inquiries or even jokes. An example might be: “Oh go on – I bet your password is something easy to guess like your cat’s name…”. They have the perfect cover story and plenty of opportunities to exploit their co-workers if desired.

Social Engineering Impacts

Social engineering techniques give unauthorized access to information.

“Pretext calls” [1] by internal users can be particularly convincing, as they already have access to vast amounts of internal information to build their credibility. They can browse the email address book for telephone numbers and job titles to pick out suitable targets. Picking up the names of sensitive systems and projects is a breeze for insiders as well.

Finally, we come to the personal impacts of social engineering. Identity theft, for instance, is a fact of modern life. Some identity thieves use social engineering methods such as pretexting as part of their repertoire, and phishing [2] methods to actively exploit our gullibility through social engineering.

1. Pretext — An effort or strategy to conceal something.

2. Phishing — An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used.

The Security Pub’s Security Awareness Series will continue talking about “Social Engineering” by discussing the risks, threats, and what we can do to help detect and avoid social engineering. So be on the lookout next month.

Security Awareness Topic 1 – Password Best Practices

I am going to start a Security Awareness Series.  On a monthly basis I am going to post a Security Awareness topic based on Best Practices & Industry Standards.  The first topic of the series is going to cover Password Best Practices.

Create a strong password

Use strong passwords to protect your computing resources. Here are some rules to create strong passwords:

  • Use two numbers in the first eight characters.
  • Pick long passwords, at least 8 characters in length if the system allows it.
  • Don’t use a common dictionary word, a name, a string of numbers, or your User ID.
  • One of the easiest to remember and hardest to crack password methods is the pseudo-random password. The actual password is generated from an easy to remember phrase that is important to the user. This phrase can be the words from a book that you particularly like, words from a song that you always remember with ease, a statement that some powerful figure made that you will never forget. The key to a successful password is to create a phrase that is easy for you to remember, but no one else will ever think about attributing it to you.
    • personal phrase: “My first dogs name was the best…”
      password: my1donawa…
      method: Chose first two letters from each word until a total of eight characters resulted.
    • personal phrase: “I love to drink Landshark Lager…”.
      password : iltdll22
      method: Chose first letter from each word, followed by your age.
    • personal phrase: My Brother’s Birthday Is april(4) Twenty Two Nineteen Sixty three(3)
      password : mbbi4tt19s3
      method: Chose the first letter from most words, and substituted numbers for letters.
  • Certain special characters may be used. However, note that some applications may not accept special characters. If this problem is encountered, changing your password to a combination of letters and numbers should solve the problem. Examples of permitted special characters are shown below:

$     .     ,     !     %     ^     *

Avoid a weak password

When creating passwords, avoid the following:

  • Easy to guess passwords such as a blank or “password”
  • Your name, spouse’s name, or partner’s name
  • Your pet’s name or your child’s name
  • Names of close friends or coworkers
  • Names of your favorite fantasy characters
  • Your boss’s name
  • Anybody’s name
  • The name of the operating system you’re using
  • String of numbers or letters, like 1234, abcde
  • The hostname of your computer
  • Your phone number or your license plate number
  • Any part of your social security number
  • Anybody’s birth date
  • Other information easily obtained about you (e.g., address, town, alma mater)
  • Words such as wizard, guru, password, nimda, and so on
  • A username in any form (as is, capitalized, doubled, etc.)
  • A word in the English dictionary or in a foreign dictionary
  • Place names or any proper nouns
  • Passwords of all the same letter
  • Simple patterns of letters on the keyboard, like asdfg
  • Any of the above spelled backwards
  • Any of the above followed or preceded by a single digit
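As an added example (not from the original post), the following Python function turns the rules above into a check: the length and two-digit rules from “Create a strong password”, plus the “avoid” list, including the “spelled backwards” and “followed or preceded by a single digit” variants. The tiny word list, the sample usernames and the personal-information values are constructed stand-ins for a real dictionary and a real user record.

```python
import re

# Constructed stand-in for a real dictionary; includes the words the post names.
WORDLIST = {"password", "wizard", "guru", "nimda", "secret", "windows", "linux"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789")


def base_forms(pw):
    """Strings to test: the password, the password with a single leading or
    trailing digit removed, and each of those spelled backwards (covering the
    'spelled backwards' and 'followed or preceded by a single digit' rules)."""
    forms = {pw, re.sub(r"^\d", "", pw), re.sub(r"\d$", "", pw)}
    forms |= {f[::-1] for f in forms}
    return {f.lower() for f in forms}


def is_weak_form(s, username, personal):
    """Apply the 'avoid' list to one lower-cased candidate string."""
    if s == "" or s in WORDLIST:                          # blank, dictionary words
        return True
    u = username.lower()
    if s in (u, u + u):                                   # username as is, capitalized, doubled
        return True
    if s in {p.lower() for p in personal}:               # names, birth dates, phone, hostname...
        return True
    if len(set(s)) == 1:                                  # all the same letter
        return True
    if len(s) >= 4 and any(s in row for row in KEYBOARD_ROWS + SEQUENCES):
        return True                                       # asdfg, abcde, 1234
    return False


def check_password(pw, username, personal=()):
    """Return the list of rule violations; an empty list means the password passes."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if sum(c.isdigit() for c in pw[:8]) < 2:
        reasons.append("fewer than two digits in the first eight characters")
    if any(is_weak_form(f, username, personal) for f in base_forms(pw)):
        reasons.append("matches the 'avoid' list (directly, reversed, or with one digit added)")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the post's own 'iltdll22' passes, the others do not.
    for pw in ("iltdll22", "password", "drowssap9", "Jsmith1", "aaaaaaaa"):
        print(pw, check_password(pw, "jsmith", personal=("Fluffy", "555-0100")))
```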


Protect your password from misuse

  • Do not let anyone else know or use your password.
  • For optimum security, don’t write your password down.
  • Be aware of whether a password is sent securely across the Internet. URLs (Web addresses) that begin with “https://” rather than “http://” are secure for use of your password. The “s” in “https” means that the connection to the Web site is encrypted and cannot easily be read by other people.
  • If you suspect that someone else may know your current password, change your password immediately.
  • Change your password periodically, even if it hasn’t been compromised.
  • Don’t type your password while anyone is watching.

Be on the lookout for the next topic, Social Engineering, in The Security Pub’s Security Awareness Series.