Compromise Monday – Now What?

Last week saw an inauspicious beginning to Cybersecurity Awareness Month with user data compromises announced at:

The American Banker Association, number undisclosed
T-Mobile, 15 million, over 2 years ending Sept. 16, 2015
Scottrade, 4.6 million during late 2013 and early 2014
Patreon, the crowdsourcing website, 2.3 million users

scottrade

Now you are aware of Cybersecurity. What next? You can’t fix your vendors. You can have some more free credit monitoring to augment the free monitoring you got when Anthem lost your records, or Target, or Neiman Marcus, or The Office of Personnel Management, or

[fill in the blank].

Let’s look at how credit monitoring protects you. There are several steps:

The bad guy steals your data
The bad guy does something to hurt you
The monitoring company captures the bad activity
The bad activity appears on a monitoring report
You recognize the bad thing on the report
You initiate remediation

A key step in this process is you must sustain damage. Monitoring kicks in after you are damaged.

For a few bucks, you can actually do something to protect yourself. You can put a step between stealing your data and identity theft. As Brian Krebs describes in How I Learned to Stop Worrying and Embrace the Security Freeze, you can put a freeze on your credit that does a lot to prevent identity theft. In addition to monitoring services, consider the value of the Security Freeze.

Chinese Hacking Secrets Revealed

The secret behind Chinese hacking has been revealed by ThreatConnect. CNN Money reports:

The hackers’ techniques don’t sound very sophisticated: They send innocent-looking emails to unsuspecting recipients, whose computers then get infected with malware that trawls for sensitive information.

This graphic from ThreatConnect shows the key role played by spearphishing.

threatconnect

Source: ThreatConnect

This simple technique is devastatingly effective because it is easy to create an email that deceives users into taking the actions desired by the attackers. In its September 24, 2015 first page story, “Sleuths Link Hacker to China’s Military,” the Wall Street Journal describes how a spearphishing email works. The Wall Street Journal writes,

The email attachment would tempt anyone following the diplomatic standoff between China and other countries in the South China Sea.

How can you help your users fight being deceived? Use SP Guard from Iconix. SP Guard lets IT quickly and easily tell users which senders are trusted.

Iconix Issued Seventh U.S. Patent For Email

ICONIX, Inc., the industry leader in visual email solutions, announced on September 15, 2015, that the United States Patent and Trademark Office has issued Iconix’s seventh patent titled “User interface for email inbox to call attention differently to different classes of email.” The abstract for U.S. Patent 9,137,048, dated September 15, 2015, states: “Sender emails have their Truemarks (icons) displayed in the sender column of a list view” and “fraudulent emails have a fraud icon displayed with a warning in the sender column.”

Technology from this patent is used in all of the Iconix^® offerings, including the Iconix Truemark^® service, which helps protect consumer users from phishing attacks, and Iconix SP Guard^TM, which helps protect enterprises from spear-phishing attacks. The Iconix services utilize the two main forms of email authentication – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – to verify the source of a message, and then highlight legitimate email messages with an icon in the inbox and open messages. This gives users an intuitive “visual ID” for email messages, thus allowing them to quickly assess the legitimacy of messages. The result is increased trust and confidence in email and increased safety for users and businesses.

You can read the full press release here.

NSA Director Warns — Don’t Underestimate Impact of Users on Security

On September 8, 2015, Admiral Mike Rogers, NSA Director and Commanding Office of US Cybercommand, conducted a briefing at the Wilson Center. During that briefing he was asked about the recent breach of the Joint Staff by a spearphishing attack.

You can view the entire event at the Wilson Center website.

Sun Tzu Explains Cyberwar 2,500 Years Ago

The US Government does a very good job of technically securing its systems. There is rarely a report of attackers compromising US Government computers through technical exploits. So, how do attackers do it?

A recent report in The Hill describes how Chinese and Russian cyberwarriors are using the same tactics to cyberattack the United States Government. What are these common tactics? Spearphishing emails. Why would two adversaries adopt identical tactics?

art-of-war

About 2,500 years ago Sun Tzu, the Chinese general, strategist and tactician, wrote what is considered by many to be the definitive work on military strategy and tactics — the Art of War. Among the principles he set forth are these:

All warfare is based on deception.
So in war, the way is to avoid what is strong, and strike at what is weak.

In a spearphishing attack, the attackers use deception to target the weakest element in every computer network — the users.

Attackers know how to get small volumes of email delivered. Email delivery is not a secret because email is a standards-based system open to everyone. Attackers know that users, not IT, will decide what emails to open — at the peril of the enterprise. SP Guard strengthens defenses by allowing IT to give real time intelligence to the real decision-makers — users.

Phishers Steal $100 Million

Federal authorities have shut down a ring of hackers who used techniques such as phishing to infiltrate newswire services to gain access to corporate press releases.

Sec Johnson

Homeland Security Secretary Jeh Johnson briefs the press, flanked by U.S. Attorney Paul Fishman and SEC Chair Mary Jo White.

The indictment alleges how the hackers users used phishing to infiltrate the newswire services and how they used anti-forensics to evade detection for five years. Using these press releases, the criminals were able to quickly place trades before the public had access to the information. For example, the SEC alleges:

At times, the hackers and traders had a very narrow window of opportunity to extract and use the allegedly hacked information. In one particularly dramatic instance on May 1, 2013, the hackers and traders allegedly moved in the 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward. According to the SEC’s complaint, 10 minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs, realizing $511,000 in profits when the company’s stock price fell following the announcement.

Remediation is nice and catching bad guys is good. But that takes a long time during which a lot of harm can occur. The need to protect against phishing is clear.

Pentagon Spearphished

The Pentagon has been infiltrated by a spearphishing attack that targeted the Joint Chiefs.

pentagon

CNN is reporting that the unclassified email system used by 4,000 users on the Defense Department network has been down for more than 10 days following a sophisticated cyber attack that used spearphishing to compromise the system. Sources suspect that the attack came from China or Russia and are pointing the finger at Russia because of details of the attack that differ from typical Chinese attacks. Quoting CNN:

All of the required cyber protection and patches were in place, but the attack still was able to find a way into the network that the U.S. government had not seen before, according to the preliminary analysis, the senior Defense official said.

Spearphishing? Deciding Isn’t Easy

Part of the fallout from the Office of Personnel Management (OPM) data breach is the need to provide identify protection services to the millions of compromised government employees. In its efforts to provide these services to compromised federal workers, the OPM contracted with a private company. That contractor, CSID, sent an email with a link to enroll in identity protection services.

ArmyTimes reports that acting upon warnings from the Army Threat Integration Center, Fort Meade’s Cyber Security Network Defense Team identified a message from CSID as a spearphishing attempt. The Fort Meade Cyber Security Network Defense Team warned Army personnel to “close the message immediately and report it as spam to the Cyber Security Network Defense Team,” according to a warning posted on the Fort Meade Facebook page.

The message has lots of spearphishing red flags to trigger a warning. For example:

The from is a spoof — claiming to be from the OPM CIO, yet the email domain is not the “opm.gov” it is “csid.com”.
The salutation is poorly personalized, “Dear Recipient”.
This is a well-crafted message with a strong call to action designed for the recipient.
There is a deadline that warns of undesired consequences.
There are questionable links to csid.com, not opm.gov.
Active links contravene OPM’s cybersecurity webpage that warns against clicking links.
The email has an “enroll now” button which is a phishing red flag.

Despite these red flags, this is a real email that is the gateway to cyber protection!

These must be a better way! There is — SP Guard from Iconix.

Fake State Department Email Attacks Reporter

Yesterday, Aaron Boyd, a reporter at the Federal Times, wrote that someone tried to plant malware on his system through the use of a fake State Department email. Mr. Boyd reports:

Among the many emails waiting in my inbox this morning was one that seemed to come through a State Department .gov domain address. It purported to be a fax from a State Department machine, containing a PDF file…Getting an unsolicited email or document isn’t that unusual in the day-to-day of a reporter. However, the link to download the document went to a .org site (not the actual State Department site) and the file itself was a ZIP, not PDF. Seeing the red flags of a potential spear-phishing attempt, I contacted our IT department and we opened the file in the safety of a sandboxed environment.

Fake Email Fax

What is unusual about this incident wasn’t the attack — it was the response of the intended victim. Mr. Boyd’s very careful approach to email is laudable — but it is also unusual. Also yesterday, Ilia Kolochenko, writing in CSO, wrote about email attacks:

Unfortunately, human psychology cannot be altered by security training and awareness alone, so people will always have their basic instincts dominating over acquired skills. We were recently assisting a medium-size insurance company that decided to outsource cybersecurity management to a third-party provider, cutting the majority of internal security jobs. Security people received a very well prepared
[fake] email from the management about their future placement and dismissal compensations. Everyone, including senior security experts who have been in the industry for dozen of years, clicked on the included link.

How can more people overcome their basic instincts and be like Mr. Boyd? IT could help them by highlighting trusted email using SP Guard. Users will decide which emails to trust. That decision can be guesswork or it can be guided by IT.

OPM- OMG! Update 2

OPM Director Katherine Archuleta resigned last week in the wake of the loss of millions of personnel records.

Here’s the latest tally of lost records according to the Washington Post:

Of those whose data was in the OPM background-check system, 19.7 million had applied for a security clearance. An additional 1.8 million were spouses, family members and other non-applicants, officials said.

Also exposed were 1.1 million sets of fingerprints, detailed financial and health records, and computer usernames and passwords that applicants used to fill out their security-clearance forms online.

Meeting with reporters last Thursday, FBI Director Comey said,

It is a very big deal from a national security perspective and from a counterintelligence perspective. It’s a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government.

No one is saying how the hack was pulled off. In a speech last week, Jeh Johnson, Secretary of Homeland Security, observed,

What amazes me when I look into a lot of intrusions, including some really big ones by multiple different types of actors, it often starts with the most basic active spear-phishing where somebody is allowed in the gate and penetrates a network simply because an employee clicked on something he or she shouldn’t have.

Secretary Johnson

How do you keep people from clicking on something he or she shouldn’t have? That is where SP Guard from Iconix comes into help defend against spearphishing by providing employees with visual trust indicators, helping them tell real emails from clever attacks.