President Obama On Cybersecurity

July 23, 2012

In the July 19, 2012 edition of The Wall Street Journal, President Obama wrote about cybersecurity. The President wrote:

… foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day. Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility’s internal controls. More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines. Computer systems in critical sectors of our economy—including the nuclear and chemical industries—are being increasingly targeted.

He observed:

Nuclear power plants must have fences and defenses to thwart a terrorist attack. Water treatment plants must test their water regularly for contaminants. Airplanes must have secure cockpit doors. We all understand the need for these kinds of physical security measures. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries.

What is the most common digital backdoor that is wide open to our cyber adversaries? As the Administration recently demonstrated for the U.S. Senate, that backdoor is spearphishing. Spearphishing is a cyberattack in which the adversary sends a highly targeted email to the intended victim in order to deceive the victim into an action (e.g., visit a website, click a link, open an attachment) that compromises the security of the victim's systems. Note that in spearphishing the point of attack is not the security technology but the people. Why are the people targeted instead of the systems? Because targeting people is the easiest and most effective way to enter a secure network. How effective is spearphishing? In testing, spearphishing has been shown to fool up to 75% of recipients.

How can a spearphishing attack be prevented?  What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders. At Iconix we identify trusted senders. Our identification system makes it easy for users to distinguish trusted senders from attackers masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.


75% Of Employees Are Tricked By Spearphishing Emails

July 20, 2012

In research reported last year in Kaspersky’s threatpost, Aaron Higbee, the Chief Technology Officer at Intrepidus Group, stated that 70% to 80% of employees are fooled into taking compromising actions when they receive test spearphishing emails.

Spearphishing is a scheme in which targeted emails are sent to individuals to deceive the recipient into taking compromising actions, such as visiting a malicious website, disclosing sensitive information or installing malware.  You can see a demonstration of spearphishing at Spearphishing – The Movie.

The Kaspersky posting contains two specific suggestions.  First, train your employees to spot and avoid spearphishing emails.  Second, use email authentication.  At Iconix, we support both of these suggestions.  However, it is important to note that neither of these suggestions is a silver bullet.

Training. While it is possible to train people to detect suspicious emails, training relies on three key assumptions:

1. People pay attention to subtle clues about email authenticity.

2. People do not engage in automated responses driven by habit.

3. Spear-phishing emails contain clues that betray their nefarious purpose.

The first two assumptions were demonstrated to be problematic by the research of Arun Vishwanath, PhD, “Why Do People Get Phished?” The third assumption fails in the case of the most pernicious emails.  The most effective spearphishing messages are carefully crafted and highly targeted by smart bad guys who target their messages using intelligence gleaned from social networking tools. The examples of well-crafted spearphishing emails are too numerous to count. Lt. Col. Greg Conti of West Point summed it up in the New York Times –  [emails] come in error-free, often using the appropriate jargon or acronyms for a given office or organization. You can read more about training in our whitepaper, Phishing Training – A Losing Cyberwar Strategy.

Email Authentication. At Iconix we strongly support email authentication. Email authentication (SPF, DKIM and DMARC) is an important step in providing integrity to email: it lets the receiving mail server verify that a message really was sent by the domain named in its headers. However, email authentication is subject to technical limitations which make it ineffective on its own against technically astute hackers. Authentication confirms a domain, not a relationship: an attacker who registers a look-alike domain and publishes valid SPF, DKIM and DMARC records for it passes every check, and a message from a free webmail account with a trusted-sounding display name authenticates perfectly as well. You can explore the technical limitations of email authentication in our whitepaper, Defending Against Spoofed Domain Spearphishing Attacks.
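To make the limitation concrete, here is an added example (our own illustration, not part of the original post or of SP Guard) showing why an authentication verdict has to be combined with a trusted-sender check. It parses the Authentication-Results header that a receiving mail server writes, extracts the From domain, and then applies three additional tests: is the domain on a trusted list, is it a look-alike of a trusted domain, and does the display name claim a trusted domain while the address lives elsewhere. The trusted domain, the messages and the domains freemail.test and examp1e.com are all constructed for the example.

```python
"""Added example: why SPF/DKIM/DMARC alone do not stop spearphishing.

Authentication only proves that a message really came from the domain in
its From header. It says nothing about whether that domain is one the
recipient should trust, so an attacker who registers a look-alike domain
and publishes valid SPF/DKIM/DMARC records passes every check. This
classifier combines the authentication verdict with a trusted-sender list
and a look-alike test. All messages and domains below are constructed.
"""
import email
import re
from email.utils import parseaddr

# Assumption: the domains whose mail we treat as coming from trusted senders.
TRUSTED_DOMAINS = {"example.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Digits commonly swapped for letters in cousin domains (examp1e, g00gle, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def auth_results(msg):
    """Parse the Authentication-Results header written by our own MTA.
    Assumption: the header is trustworthy because the MTA strips any copy
    an outside sender tried to inject."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "").lower()))


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    folded = domain.translate(CONFUSABLES).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(folded, trusted) <= 2:
            return trusted
    return None


def classify(raw_message):
    """Combine the authentication verdict with sender identity checks."""
    msg = email.message_from_string(raw_message)
    results = auth_results(msg)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    if results.get("dmarc") == "fail":
        return "reject: DMARC failed for " + domain
    if domain in TRUSTED_DOMAINS:
        # A trusted domain must be positively authenticated, not merely unchecked.
        if results.get("dmarc") == "pass":
            return "trusted"
        return "reject: unauthenticated claim to " + domain
    imitated = lookalike_of(domain)
    if imitated:
        # Authentication usually says "pass" here: the attacker owns this domain.
        return "suspicious: %s imitates trusted domain %s" % (domain, imitated)
    for trusted in TRUSTED_DOMAINS:
        if trusted in display.lower():
            return "suspicious: display name claims %s, address is %s" % (trusted, domain)
    return "unknown sender: authenticated but not trusted"


# Constructed messages: the Authentication-Results header as our MTA adds it, then From.
LEGIT = """Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
Subject: Q3 numbers

See attached.
"""
# Classic spoof of the real domain: authentication does its job and fails it.
SPOOFED = (LEGIT.replace("spf=pass", "spf=fail")
                .replace("dkim=pass", "dkim=fail")
                .replace("dmarc=pass", "dmarc=fail"))
# Attacker-registered cousin domain with its own valid SPF/DKIM/DMARC: everything passes.
COUSIN = """Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Subject: Q3 numbers

See attached.
"""
# Free webmail account, fully authenticated, with a display name that claims the trusted domain.
DISPLAY_NAME = """Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.test; dkim=pass header.d=freemail.test; dmarc=pass header.from=freemail.test
From: "Jane Doe (example.com)" <jane.doe.2012@freemail.test>
Subject: Urgent wire

Please process today.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("cousin", COUSIN), ("display", DISPLAY_NAME)):
        print("%-8s %s" % (name, classify(raw)))
```

The SPOOFED message is the only one that authentication rejects by itself; COUSIN and DISPLAY_NAME both carry dmarc=pass and are caught only by the identity checks, which is exactly the gap a sender-identification layer has to cover. In production the look-alike test would also normalise IDN homoglyphs and consult the organisation's full partner list rather than a one-entry set.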



Spearphishing – Cybercriminals New and Improved Attacks Using Metadata

July 16, 2012

The International Business Times recently reported on the ways cybercriminals are defeating corporate IT security.

First, the new malware being used by attackers is harder to detect. Citing IDC research, the article states, “traditional forms of computer security, including antivirus software and firewalls, are only effective against 30 to 50 percent of the malware found today.”

Second, attackers are becoming far more effective at delivering malware into the enterprise through the use of spearphishing. Instead of using crudely crafted messages sent to large numbers of people in the hope that a few will be deceived, in spearphishing the attacker gathers information about the victim and then crafts a personalized email that has a strong call to action for the particular recipient. The article reports that KPMG, as part of its upcoming Forbes 2000 survey, downloaded around 2.5 terabytes of freely available information from the websites of the companies covered by the report. KPMG found that the metadata in those files provided an incredible amount of personal and sensitive information. Martin Jordan, Director of Information Protection at KPMG, said:

Within the metadata we are taking out usernames, IP addresses, email addresses. This is all the stuff that Russian criminal gangs use when they are spear phishing your CEOs, your head of technology.

While such metadata can be shielded from legitimate search engines by using a robots.txt file that instructs honest crawlers not to index it, robots.txt is only a request: the documents remain publicly downloadable, and hackers are not bound by this convention. The metadata disclosed who authored a particular document or press release, giving attackers the username of the head of public relations, for example. Using this information, the attackers are able to target that person directly, seeking sensitive information which they can then sell on to interested parties. The hackers send the targeted person an email with a strong call to action. When the recipient "takes the bait," malware is installed on the victim's machine that gives the attackers the ability to install command and control software that can be used to steal data. You can see how this is done by watching the movie posted at Spearphishing – The Movie.
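The metadata KPMG describes lives in well-known places. For Office documents (.docx, .xlsx, .pptx) the file is a zip archive, and docProps/core.xml and docProps/app.xml carry the author, the last editor, the company and the software used. The following added example (our own illustration, not KPMG's tooling or code from the original post) builds a minimal document package in memory, harvests those fields the way an attacker doing reconnaissance would, and then scrubs them so the file can be published safely. The document contents, the user jsmith and the company name are constructed for the example.

```python
"""Added example: what OOXML document metadata leaks, and how to scrub it.

A .docx/.xlsx/.pptx file is a zip archive; docProps/core.xml and
docProps/app.xml carry the author, last editor, company and software
version. Attackers download published documents and read these fields
to learn usernames and naming conventions. The document below is
constructed in memory; the names and company are invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():  # keep the familiar prefixes when re-serialising
    ET.register_namespace(prefix, uri)

# Fields worth harvesting (attacker view) and therefore worth clearing (defender view).
PART_FIELDS = {
    "docProps/core.xml": {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company", "application": "ep:Application"},
}

# Constructed sample parts, shaped like what Word writes.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:title>Q3 press release</dc:title>"
    "<dc:creator>jsmith</dc:creator>"
    "<cp:lastModifiedBy>John Smith</cp:lastModifiedBy>"
    "</cp:coreProperties>"
).format(**NS).encode()
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}">'
    "<Application>Microsoft Office Word</Application>"
    "<Company>Example Holdings plc</Company>"
    "</Properties>"
).format(**NS).encode()


def make_docx(core_xml=CORE_XML, app_xml=APP_XML):
    """Build a minimal document package: just enough structure for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", b'<?xml version="1.0"?><document/>')
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


def harvest(docx_bytes):
    """Return the identifying metadata an attacker would read from the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in PART_FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text
    return found


def scrub(docx_bytes):
    """Rewrite the package with the identifying fields emptied; all other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            fields = PART_FIELDS.get(info.filename)
            if fields:
                root = ET.fromstring(data)
                for path in fields.values():
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = None  # element stays, value is gone
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


SAMPLE_DOCX = make_docx()

if __name__ == "__main__":
    print("before:", harvest(SAMPLE_DOCX))
    print("after: ", harvest(scrub(SAMPLE_DOCX)))
```

Run against a real file by replacing SAMPLE_DOCX with the bytes of a published .docx; the same two parts exist in .xlsx and .pptx packages. The scrub should be a step in the publishing workflow, not a one-off clean-up, because robots.txt does nothing to stop a crawler that ignores it.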



Court of Appeal Rules Against Bank in Cybertheft

July 6, 2012

Yesterday (July 5, 2012), the United States Court of Appeals for the First Circuit issued its much anticipated ruling in Patco Construction Company v. People's United Bank d.b.a. Ocean Bank. The court summarized the facts as follows:

Over seven days in May 2009, Ocean Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco’s customized answers to security questions. Although the bank’s security system flagged each of these transactions as unusually “high-risk” because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders, the bank’s security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.

The trial court judge had ruled that the bank had met its obligation to act in a commercially reasonable fashion because it had met the security standards of the Federal Financial Institutions Examination Council (FFIEC). The Court of Appeals reversed the trial court, finding that meeting the FFIEC standards did not by itself establish that the bank had acted in a commercially reasonable manner. The court elaborated on security measures that the bank could have implemented beyond the FFIEC guidelines to protect its customers, and noted that the reasonableness of security measures had to be determined in light of the threat environment:

This failure to implement additional procedures was especially unreasonable in light of the bank’s knowledge of ongoing fraud. As early as 2008, Ocean Bank had received notification of substantial increases in internet fraud involving keylogging malware. By May 2009, Ocean Bank had itself experienced at least two incidents of fraud on the bank’s system which it attributed to either keylogging malware or internal fraud. In both instances, the perpetrators had acquired and successfully applied the customer’s passwords, IDs, and answers to challenge questions.

The keylogger used to attack Patco was Zeus. Zeus is delivered by spearphishing, a scheme in which highly targeted emails are sent to victims in order to deceive them into installing malware or otherwise compromising their systems. SP Guard from Iconix defends against spearphishing attacks.

The case was sent back to the trial court for further proceedings consistent with the opinion of the Court of Appeals.