I got this email from Apple Support about my Apple ID. That’s not surprising since their developer site may (or may not) have been breached last Thursday (see here for details).
It was a little more surprising since I’m not an Apple developer and don’t have an Apple ID – but hell, I’m not going to argue; they might sue me.
But, despite the fear of being sued, I would suggest that Apple spends a little time on its grammar and style checker. The spelling’s not bad, but it doesn’t seem to understand the relationship between full-stops (or American periods) and spaces.
Oh, and that sentence. “We need your help in order to not be frozen your account,” is decidedly not Anglo-Saxon in structure.
So, Apple, until you can improve things, I don’t think I’m going to bother with you. But one last thing. Although you’ve got the link “update Now >” looking quite reasonable, I do suggest you change the name of your support site hidden beneath it. http:// e-kosmetyczka.waw . pl/404.html could almost look like a scam site.
Last month Bruce Schneier made an interesting comment:
I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere… If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.
On Security Awareness Training
My favourite riposte comes from Ira Winkler:
That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have and will fail.
Arguments Against Security Awareness Are Shortsighted
But Schneier has a point – training clearly isn’t working since (according to Trend Micro) more than 90% of successful APT attacks start from a spear-phishing success. But Winkler also has a point – all [technical and human] countermeasures have and will fail. Does that mean we should just give up on security in general and awareness training in particular?
Clearly not. Surely the solution is not to abandon what isn’t good enough, but to improve it until it is good enough. The question then becomes: how do we make security training more efficient? Since the majority of breaches start from a phishing or spear-phishing attack, phishing is where we should start. But if traditional awareness training isn’t working, perhaps we need to think of something new.
Wombat Security Technologies thinks it has the answer: simulated attack training. In a nutshell, this involves phishing your own staff. This has two huge advantages: it teaches through experience rather than through lectures (and practical always sticks better than theoretical), and it is measurable. If somebody falls for a phish and is sent to a benign destination with a company ‘gotcha’ message, he or she won’t want it to happen again. And because every result is recorded, the company can measure the success of its training scheme.
If 20% (it will likely be more than 80% to start with) fall to the first phish, and then 25% fall to the next one, then clearly there is something wrong with the overall training package, and it needs to be re-evaluated. More likely, however, the number of victims will steadily decrease over time. Repetitive victims can then be pulled out for more targeted training; and super-repetitive victims can be assigned the gardening detail.
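The measurement side of this is simple to automate. The following Python is an added example, not Wombat’s code or the author’s: given constructed results from three simulated campaigns, it computes each campaign’s fall rate, checks that the rate is actually falling from one campaign to the next, and picks out the repeat victims who need more targeted training.

```python
"""Score a series of simulated phishing campaigns (constructed example data)."""
from collections import Counter, OrderedDict

# Constructed sample results: (campaign, recipient, fell_for_the_phish).
# Five staff, three campaigns; 'alice' falls every time, 'bob' twice.
RESULTS = [
    ("q1", "alice", True), ("q1", "bob", True), ("q1", "carol", True),
    ("q1", "dave", True), ("q1", "erin", False),
    ("q2", "alice", True), ("q2", "bob", True), ("q2", "carol", False),
    ("q2", "dave", False), ("q2", "erin", False),
    ("q3", "alice", True), ("q3", "bob", False), ("q3", "carol", False),
    ("q3", "dave", False), ("q3", "erin", False),
]


def fall_rates(results):
    """Percentage of recipients who fell for each campaign, in campaign order."""
    sent = Counter()
    fell = Counter()
    order = OrderedDict()  # preserves the order campaigns were run in
    for campaign, _user, hit in results:
        order.setdefault(campaign, None)
        sent[campaign] += 1
        if hit:
            fell[campaign] += 1
    return {c: round(100.0 * fell[c] / sent[c], 1) for c in order}


def trend_ok(rates):
    """True when every campaign did strictly better than the one before it.

    A rate that rises (the post's 20% then 25% case) means the training
    package needs re-evaluating, so this returns False for it.
    """
    values = list(rates.values())
    return all(later < earlier for earlier, later in zip(values, values[1:]))


def repeat_victims(results, threshold=2):
    """Recipients who fell for at least `threshold` campaigns, with their counts.

    threshold=2 gives the repeat victims for targeted training; a higher
    threshold isolates the super-repetitive ones.
    """
    counts = Counter(user for _c, user, hit in results if hit)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rates = fall_rates(RESULTS)
    print("fall rate per campaign:", rates)
    print("rate falling every time:", trend_ok(rates))
    print("repeat victims:", repeat_victims(RESULTS))
    print("super-repetitive victims:", repeat_victims(RESULTS, threshold=3))
```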
Wombat has published a new report based on the practical experience of several CSOs from major companies: A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training? It is well worth reading to see how simulated attack training works in practice; and what steps you need to take to get it started.
PS. Note that these are CSOs. Schneier is a CTO.
A few of my recent stories on Infosecurity Magazine over the last couple of days…
Peter the Great beats Sun Tzu in cybercrime
Despite the hoohaa about the ‘Chinese cyberthreat’ (in reality, read east Asia), Russia’s Peter the Great (in reality, read east Europe) is beating Sun Tzu in modern cyber wargames. Eastern Europe has better cybercriminals than eastern Asia.
Beware of iPhone delivery phishes
iPhone pre-orders are now showing a 3-4 week shipping estimate. Since Apple announced that 2 million pre-orders were sold for the iPhone 5 in just 24 hours, delivery delays are not likely to disappear quickly.
NullCrew: the principled hacker group?
In a wide-ranging interview broadcast over online Spreaker radio but conducted probably via IRC, UK Anon Winston Smith has been talking to Null, the leader of the NullCrew hacking group.
Quantum Key Distribution takes to the air
An aircraft in flight has successfully transmitted quantum encryption keys to a ground station, bringing closer the time when satellites can be used to provide a theoretically (allegedly) secure communications network.
YouTube declines to remove Mohammad video clip
Asked by the White House to reconsider whether the infamous Mohammad video clip is in violation of its terms of service, Google has replied that it is not. Although it is blocking the clip in Egypt, Libya, Indonesia and India, this, says Google, is in keeping with local laws.
AlienVault doxes the man behind the PlugX RAT
AlienVault has been tracking the PlugX remote access trojan for some months, and following extensive detective work has now uncovered enough information to name the person behind it.
My recent news stories…
You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012
A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012
New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012
UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMware suggests such targets will likely be missed by the public sector.
21 May 2012
New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012
TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012
Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012
Who attacked WikiLeaks and The Pirate Bay?
This week both The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and WikiLeaks for 72. What isn’t known is who is behind the attacks.
18 May 2012
BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett Packard.
18 May 2012
25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012
Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012
Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
WEF suggests a holistic view of resilience to risk rather than an isolated view of prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
Over the last few days there have been at least three major security reports:
- the IBM X-Force 2010 Trend and Risk Report (IBM)
- The Holistic Portfolio: Decision Making in the Mobile Ecosystem (TNS)
- Underground Economies (McAfee/SAIC)
All three are worth reading – but I’m going to cherry-pick from them in order to justify my own preconceptions about the future of mobile security. But first I must ask you to accept a personal observation: the majority of mobile phone users do not recognise a need for security, and currently have little or no security.
We’ll start with the future direction of threat suggested by McAfee/SAIC:
The targets for the underground economy have shifted significantly in the last couple of years. While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.
We don’t really know how long this has been going on, but it came to the fore in early 2010 with Google’s revelation of what became known as Operation Aurora and the advanced persistent threat (APT). IBM concurs with this view: “The single most common threat vector used over the past few years as observed by ERS [IBM's Emergency Response Services] is spear phishing where an object contains a link to a web page that contains malware.” Spear phishing is the targeting of an individual or small group of people for a specific purpose – such as the theft of intellectual property.
How is this relevant to the mobile market? Well, it isn’t; at least, not yet. However, the IBM report shows the increase in mobile vulnerabilities, with these two graphs showing how matters have escalated over the last year:
Nevertheless, IBM says these figures should be seen in context. It points out that
First, most of what is considered best practice around securing mobile devices is still not nearly as well defined as it is in the corresponding personal computing space. Second, the underlying platforms themselves are substantially untested and likely contain years of vulnerability discovery ahead of them.
And it further comments that
We aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today, because mobile devices likely do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who create large Internet botnets. As e-commerce involving mobile phones increases in the future, it may bring with it a greater financial motivation to target phones, and an associated increase in malware attacks. However, mobile devices do represent opportunities for sophisticated, targeted attackers today.
Our conclusion so far, then, is that mobile phones are not yet heavily targeted; but that the potential already exists.
Let’s now apply IBM’s comments to the threats defined by McAfee/SAIC: stolen credit cards (that is, mass identity theft typically delivered as malware and phishing spam via botnets); and intellectual property theft via spear phishing. Neither of these appears to be happening to any great extent in the mobile market; but IBM points to the increasing use of mobile e-commerce as a spur for the former, while the potential for the latter already exists. This is where we turn to the TNS survey, which shows, in particular, that the use of mobile phones for mobile banking (including the e-wallet) and social networking is the main driver behind the future use of mobile phones.
Mobile banking and mobile payments will mean an increasing likelihood of account details and passwords being stored on mobile phones. That will attract the criminals seeking to steal credit card details. Social networks are an ideal source of the personal information that can be used for the individual social engineering that lies at the heart of spear phishing. And that will attract the criminals seeking to penetrate corporate networks in order to steal intellectual property. An increasing use of mobile phones for social networking is a given; the only question is how quickly, and to what extent, banking and payments will migrate to the mobile platform. Well, one technology (not new, but only now taking off) that has the potential to change things very quickly is near field communications (NFC).
NFC is already in use, although not yet widespread in phones, in Barclaycard’s contactless payments. “This allows people who have a Barclaycard to swipe their card across a payment terminal (if the retailer has an appropriate terminal, such as at Prêt a Manger), without entering a pin for purchases of up to £15,” explained Amali de Alwis, a senior research consultant at TNS. “It is a similar line of technology that will be incorporated into mobile phones to allow people to make payments using their mobile instead of a card.” In other words, the migration of bank cards onto mobile phones is technologically easy via NFC, and already well in hand (as seen by Barclaycard’s presentation at the Barcelona Mobile World Congress last year).
“According to recent press, Apple are looking to incorporate this technology into their iPhones, and additionally Google have teamed up with Citigroup and MasterCard to facilitate these types of services on Google Android phones – buzz is saying within the coming year,” continued Amali.
“From our Mobile Life study we also have consumers telling us directly that there is a demand for these types of services to be available, and that consumers are already willing to consider the use of their mobiles as an e-wallet/payment device (and in some cases, such as with the use of M-Pesa in Kenya, are already doing so), and we see growth potential here not only as a device for paying for goods in store, but also for services such as bill payments.”
If we put all of these elements together we have a new platform that is not yet fully exploited by the bad guys, but one that offers a mass target that will increasingly hold financial details ripe for identity theft, and personal details ripe for socially engineered intellectual property theft – and yet it remains a platform where security is hardly considered by the user. Unless the security industry and/or the phone manufacturers can rapidly explain the need for, and implement, adequate security, that is one hell of a window of opportunity for the bad guys over the next few years. My suspicion is that IBM’s current observation that “we aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today” will change dramatically, very quickly.
Amit Klein, CTO at Trusteer, has an interesting blog on the incidence of successful phishing:
We recently conducted research into the attack potency and time-to-infection of email phishing attacks. One of our findings was eye-popping, namely, that 50 per cent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received. Given that a typical phishing campaign takes at least one hour to be identified by IT security vendors, which doesn’t include the time required to take down the phishing Web site, we have dubbed the first 60 minutes of a phishing site’s existence [as] the critical ‘golden hour’.
Trusteer’s solution is for the security industry to recognise and react to phishing campaigns with greater speed:
As an industry, our goal should be to reduce the time it takes for institutions to detect they are being targeted by a phishing attack from hours to within minutes of the first customer attempting to access a rogue phishing page. We also need to establish really quick feeds into browsers and other security tools, so that phishing filters can be updated much more quickly than they are today. This is the only way to swiftly takedown phishing websites, protect customers, and eliminate the golden hour.
But as users, we cannot simply rely on the industry to protect us. That is a dereliction of responsibility when we need to accept more, not less, personal responsibility for our behaviour online. Amit Klein is right – the industry needs to be as effective as possible. But just as the industry needs to block phishers, we as users need to ignore phishers.
There are two primary actions we can take. The first is increased security awareness; and that means continuous staff training. The second is to make it more difficult to be phished, by preventing the automatic running of scripts by our browsers. For example, Firefox users can install the NoScript add-on (see here for an interview with its developer, Giorgio Maone). Non-Firefox users should become Firefox users.
Psychology is strange. A threat from a master is far more acceptable than a threat from a novice – even though the danger is greater. Being phished by a novice is insulting: is that all they think of me?
Here’s one. Look at the grammar. Look at the spelling. Look at the punctuation. Surely I’m worth a bit more effort than that!
The site hidden under the link is ‘admemex dot com’. I thought I’d have a look – but Firefox tried to stop me. That was reassuring.
But I persisted – I wanted to see how good (or bad, considering the text grammar) a site forgery might be. This is where I landed; and as far as I went.
But compare the site forgery to the genuine page:
Not bad, eh? If the email author had spent as much effort in his (or her) text as was spent on the website forgery, then we might not be as safe as we are.
But remember this: curiosity compromised the cat. Don’t click on dubious links at home – go play in the road where it’s safer.