NSA Used In Spearphishing Scam

July 27, 2011

Cyveillance reports on a new spear-phishing scam that masquerades as the National Security Agency. The malicious email claims to be from the NSA and exploits the recent compromise of RSA's SecurID two-factor authentication tokens to deceive the recipient. This is an image of the scam email:

NSA Scam Email

Cyveillance elaborates on the power of this scam:

The sender name is spoofed to appear to come from “protection@nsa.security.gov” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users.  It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack.  This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

Cyveillance provides this advice to users:

Here are some of the tips that can help you spot scams like this one:

  1. Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.
  2. Treat ANY email that tells you to download something as malicious until proven otherwise.  Again, contact your IT team before installing anything on your system.
  3. Hover (but do NOT click)  your mouse over all links in the email.  The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious.  Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.
  4. Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.

This advice does not address scams that use malicious attachments, a common spear-phishing method. A malicious attachment, a spreadsheet carrying a zero-day exploit, was the method used to compromise RSA itself.
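Tips 3 and 4 above can be checked mechanically before a user ever hovers. The following Python is an added example (not Cyveillance's or Iconix's code) that pulls every link out of an HTML message, compares each link's domain with the sender's, detects the bait-and-switch case where the visible text shows one URL and the href points to another, and flags archive or executable downloads. The message it runs on is constructed here to mirror the scam described above (a spoofed nsa.security.gov sender, links to national-security-agency.com); the registrable-domain helper is a two-label approximation, not a public-suffix lookup.

```python
"""Mechanize the hover-over-the-link checks (tips 3 and 4 above) on an HTML email.
Added example; the message below is constructed for it, not the real scam email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a URL or bare hostname, e.g. "www.nsa.gov/update".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
DANGEROUS_EXTS = (".zip", ".exe")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels, e.g. 'nsa.security.gov' -> 'security.gov'. Approximation:
    a production check would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname of URL-like visible link text, or None for ordinary words ('notice')."""
    s = text.strip()
    if not URL_LIKE.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname


def analyze(raw_message):
    """Return one finding per link: its href, visible text and the tips it trips."""
    msg = message_from_string(raw_message)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            break
    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.hostname is None:  # mailto:, relative links, etc.
            continue
        flags = []
        # Tip 3: the link's domain should match the sender's domain.
        if registrable_domain(parts.hostname) != sender_domain:
            flags.append("sender-domain mismatch")
        # Tip 3: visible URL text that points somewhere else is a bait-and-switch.
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(parts.hostname):
            flags.append("bait-and-switch")
        # Tip 4: a direct download of an archive or executable.
        if parts.path.lower().endswith(DANGEROUS_EXTS):
            flags.append("executable download")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


# Constructed stand-in for the scam: spoofed sender, look-alike domain registered
# for the attack, and visible text showing a different URL than the real target.
SAMPLE_EMAIL = """From: "NSA Protection" <protection@nsa.security.gov>
To: employee@example.com
Subject: RSA token compromise: patch required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your RSA token is affected by the recent breach. Install the patch now:</p>
<p><a href="http://national-security-agency.com/update/rsa-patch.exe">http://www.nsa.gov/security/update</a></p>
<p>Full details: <a href="http://national-security-agency.com/notice">notice</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["flags"]) or "no flags")
```

Run against the constructed message, the patch link trips all three checks and the notice link trips the sender-domain check. A mail gateway would apply the same logic on every inbound message; like the tips themselves, it says nothing about attachments.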

Traditional security methods can’t detect and stop low-volume, highly targeted spear-phishing email, and social engineering turns the users themselves into the criminals’ agents. What can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext. 3, or use our online form.


Iconix Goes Dutch

July 21, 2011

Maarten Oelering, an IT consultant and email delivery expert in Holland, noted in a tweet today that Marktplaats (NL) is now signing its outbound mail with DKIM and supporting the Iconix trust icon. Marktplaats is the Dutch affiliate of eBay.

You can check out our Marktplaats experience at http://www.iconix.com/locale/nl/marktplaats/
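DKIM, which the tweet refers to, is what lets a receiving mail server confirm that a message claiming to come from marktplaats.nl was signed under that domain and that its body has not been altered in transit. The following Python is an added example (not Iconix or Marktplaats code) of the body-hash half of that check, as specified in RFC 6376: a constructed sender-side message computes the bh= tag over its canonicalized body, and a receiver-side check recomputes it from the raw bytes and reports a mismatch when the body has been tampered with. The sender address, selector and message text are invented, and the signature tag b= is left empty because verifying it requires the public key published under the selector in DNS, which this offline example does not fetch.

```python
"""DKIM body hash (the bh= tag): how a sender computes it and how a receiver
re-computes it to detect a tampered body (RFC 6376, sections 3.4.3, 3.4.4 and 3.7).
Added example, not Iconix or Marktplaats code; b= is left empty because checking
it needs the selector's DNS-published key. The message is constructed."""
import base64
import hashlib
import re
from email import message_from_bytes


def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """DKIM body canonicalization. 'relaxed' first collapses runs of whitespace
    to one space and strips trailing whitespace on each line; both methods then
    drop all trailing empty lines and terminate the body with exactly one CRLF."""
    if method == "relaxed":
        lines = body.split(b"\r\n")
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
        body = b"\r\n".join(lines)
    return body.rstrip(b"\r\n") + b"\r\n"


def body_hash(body: bytes, method: str = "simple", algo: str = "sha256") -> str:
    """Base64 digest of the canonical body: the value carried in bh=."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, ignoring folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_body_hash(raw: bytes):
    """Receiver side: recompute bh= over the wire-format body and compare it
    with the header. Returns (matches, bh_from_header, bh_computed)."""
    msg = message_from_bytes(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    # c=header/body; if the body method is omitted it defaults to 'simple'.
    body_method = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    body = raw.partition(b"\r\n\r\n")[2]  # hash the raw body, never a decoded copy
    computed = body_hash(body, body_method, algo)
    return computed == tags.get("bh"), tags.get("bh", ""), computed


def sign_sample(body: bytes) -> bytes:
    """Sender side of a constructed message. Address, selector and text are invented;
    b= stays empty because the real signature over the headers is out of scope."""
    bh = body_hash(body, "relaxed").encode("ascii")
    headers = (
        b"From: Marktplaats <noreply@marktplaats.nl>\r\n"
        b"To: koper@example.com\r\n"
        b"Subject: Nieuw bericht over je advertentie\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marktplaats.nl;\r\n"
        b"\ts=sel1; h=from:to:subject; bh=" + bh + b"; b=\r\n"
    )
    return headers + b"\r\n" + body


if __name__ == "__main__":
    good = sign_sample(b"Hallo,\r\nje hebt een nieuw bericht ontvangen.\r\n")
    print("intact body matches bh=:", check_body_hash(good)[0])
    print("tampered body matches bh=:", check_body_hash(good.replace(b"nieuw", b"NIEUW"))[0])
```

A bh= match on its own proves nothing about who sent the message; it is the b= signature over the listed headers (bh= among them) that binds the body to the signing domain, and that is the step an Iconix-style trust icon ultimately rests on. Relaxed canonicalization is what lets the hash survive the whitespace changes that mailing lists and relays introduce.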


How 24,000 Pentagon Files Were Stolen

July 21, 2011

On July 14,  2011, during a speech introducing the Pentagon’s new cybersecurity strategy, Deputy Defense Secretary William J. Lynn, III disclosed that 24,000 files had been lost to “foreign intruders.”  Lynn said the files contained some of the U.S.’s “most sensitive systems, including aircraft avionics, surveillance technologies.”

How could this happen? Fast Company reports that the attackers used a spear-phishing email to deliver a payload carrying a zero-day exploit. The malicious email was sent to a defense contractor rather than to the Department of Defense itself. The key to a successful spear-phishing attack is a highly personalized email that deceives the recipient into acting on its call to action. Employees of defense contractors were targeted because it is easier to mine the internet for the personal data needed to craft such an email about contractor employees than about government employees.

The spear-phishing email delivered a zero-day exploit. A zero-day exploit attacks a vulnerability that is unknown to the software vendor, so no patch exists and signature-based defenses have nothing to match against. For example, an email purporting to be from HR or a colleague contains an attachment that appears highly relevant. When the attachment is opened, the exploit runs and installs malware on the recipient’s computer.

Traditional security methods can’t detect and stop low-volume, highly targeted spear-phishing email, and training isn’t effective, so what can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact our sales team at 408-727-6342, ext. 3, or use our online form.


U.S. Dept. of Defense Cybersecurity Strategy

July 15, 2011

Yesterday the U.S. Department of Defense released its cybersecurity strategy.  The DoD summarized the importance of cybersecurity:

Along with the rest of the U.S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.

The report stresses the role of people as the first line of defense. 

People are the Department’s first line of defense in sustaining good cyber hygiene and reducing insider threats. To mitigate the insider threat and prevent dangerous disclosures of sensitive and classified information from occurring, DoD will strengthen and go beyond the current information assurance paradigm, including the exploration of new operating concepts to reduce vulnerabilities. DoD’s efforts will focus on communication, personnel training, and new technologies and processes.

Iconix recently released a whitepaper on the effectiveness of training against spear-phishing attacks. In that paper, we questioned the effectiveness of training to fight this problem. Our concerns were confirmed by research from the Department of Homeland Security, which found that before training, spear phishing fooled 22% of employees; after training, 21% were still fooled, a change of one percentage point. Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of an email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.

 


Are Spear Phishing Victims Idiots?

July 13, 2011

In a June 27, 2011 article entitled “Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy,” Bloomberg reports that people whose systems are compromised in spear-phishing scams are idiots. Spear phishing is a scam in which the miscreant sends personalized emails to deceive the recipient into compromising data.

The article cites the alarming statistic that in Department of Homeland Security experiments, 60% of people who found USB drives in the parking lot plugged the devices into their computers. The article continues that such human errors negate all the time and investment in firewalls and other technical defenses. It cites the advice of Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. and former head of the Justice Department computer crime unit:

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

When the criminals use suspicious emails with suspicious links, for example links to webpages that request credentials, human stupidity is the cause and suspicion is a good response.

But times are changing. Criminals are getting smarter. The recent study “Email Attacks: This Time It’s Personal,” released by Cisco, reports that suspicious emails with suspicious links are being replaced by highly targeted emails that do not rely on obvious ploys to steal credentials. Criminals are moving from high volumes of ineffective emails to small numbers of well-crafted, highly personalized messages that are indistinguishable from legitimate email. The problem is no longer stupidity, but the inability to tell good emails from bad emails.

Traditional security methods can’t detect and stop low-volume, highly targeted spear-phishing email, and training isn’t effective, so what can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact our sales team at 408-727-6342, ext. 3, or use our online form.


10 Biggest Data Breaches Of 2011 (So Far)

July 8, 2011

Yesterday, CRN published its list of the 10 Biggest Data Breaches of 2011.

This is the summary:

Top 10 Security Breaches

In the battle against spear phishing, one solution stands out — SP Guard from Iconix.


Jefferson Lab Identified as Cyber-victim

July 8, 2011

Yesterday, we wrote about the compromise of three U.S. national laboratories.

VentureBeat has now identified the third facility: Jefferson Lab in Newport News, Virginia.

On July 6, 2011, General Michael Hayden, USAF (Ret.), spoke before The Potomac Institute for Policy Studies on cybersecurity. General Hayden is a former director of the CIA and the NSA. Discussing cyber-attacks such as these, General Hayden said, “If we don’t act boldly, something really bad is going to happen.” Michael Tiffany, Chief Architect at Recursion Ventures, also spoke. He observed, “Today the people who are succeeding at these types of attacks are the ones who try the hardest. It’s actually not very difficult.”

We see how easy it is to launch a spear-phishing attack. Data to customize the email content is readily available on the internet, and social networking sites make personal information very accessible. Differentiating real email from fake email is almost impossible. Lt. Col. Gregory Conti, a computer security expert at West Point, observed:

What’s ‘wrong’ with these e-mails is very, very subtle. They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of an email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.


Three US National Labs Compromised by Spear Phishing

July 7, 2011

Digital Dao reports that on July 1, the networks of

Battelle Memorial Institute
Pacific Northwest National Laboratory and
An undisclosed national laboratory

suffered sophisticated attacks.  As of today, July 7, Pacific Northwest National Laboratory (www.pnnl.gov) was still off-line.

Battelle manages several Department of Energy labs including:

  • Brookhaven National Laboratory
  • Idaho National Laboratory
  • National Renewable Energy Laboratory
  • Oak Ridge National Laboratory
  • Pacific Northwest National Laboratory
  • Lawrence Livermore National Laboratory

Computerworld reports that although the specifics of the attacks have not been disclosed, they were probably perpetrated by spear-phishing email, in the manner of the attack on Oak Ridge National Laboratory earlier this year.

Traditional security methods can’t detect and stop low-volume, highly targeted spear-phishing email, and training isn’t effective, so what can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact our sales team at 408-727-6342, ext. 3, or use our online form.


Homeland Security Proves — People Are Security Risk

July 6, 2011

Bloomberg reported on data security studies conducted by the U.S. Department of Homeland Security (DHS). The article discussed how easy it is to mislead people into taking actions that compromise systems. The Bloomberg article was widely quoted for its finding that 60% of employees who found a thumb drive in the parking lot plugged it into their computers. Bloomberg reported the figure rose to 90% if the thumb drive was stamped with a government logo.

DHS has now refuted the story. DHS reports that the actual rate at which employees plugged in the thumb drives was only 20%, not 60%. DHS also reported on two other methods used to fool employees into compromising systems: spear phishing and IT support imposters. Finally, DHS reported on the effectiveness of training against these schemes. These are the results of training, as the percentage of employees fooled:

                        Fooled before training    Fooled after training
Found thumb drive               20%                        2%
Spear phishing                  22%                       21%
IT imposter                     40%                       43%

Iconix does not find these results surprising. Training people not to plug in something they find in the parking lot is pretty straightforward. Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of an email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.