Posts Tagged ‘phishing’

Apple Customer Support needs to try harder with its emails

July 23, 2013 1 comment

I got this email from Apple Support about my Apple ID. That’s not surprising since their developer site may (or may not) have been breached last Thursday (see here for details).

It was a little more surprising since I’m not an Apple developer and don’t have an Apple ID – but hell, I’m not going to argue; they might sue me.

But, despite the fear of being sued, I would suggest that Apple spend a little time on its grammar and style checker. The spelling’s not bad, but it doesn’t seem to understand the relationship between full stops (or American periods) and spaces.

Oh, and that sentence. “We need your help in order to not be frozen your account,” is decidedly not Anglo-Saxon in structure.

So, Apple, until you can improve things, I don’t think I’m going to bother with you. But one last thing. Although you’ve got the link “update Now >” looking quite reasonable, I do suggest you change the name of your support site hidden beneath it. http:// e-kosmetyczka.waw . pl/404.html could almost look like a scam site.

Categories: All, Security Issues

If you want to beat the phishers, start with your users

April 17, 2013 1 comment

Last month Bruce Schneier made an interesting comment:

I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere… If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.
On Security Awareness Training

My favourite riposte comes from Ira Winkler:

That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have and will fail.
Arguments Against Security Awareness Are Shortsighted

But Schneier has a point – training as currently delivered clearly isn’t working well enough, since (according to Trend Micro) more than 90% of successful APT attacks start from a spear-phishing success. But Winkler also has a point – all [technical and human] countermeasures have and will fail. Does that mean we should just give up on security in general and awareness training in particular?

Clearly not. Surely the solution is not to abandon what isn’t good enough, but to improve it until it is good enough. The question then becomes how do we make security training more efficient? Since the majority of breaches start from a phishing or spear-phishing attack, then phishing is where we should start. But if traditional awareness training isn’t working, perhaps we need to think of something new.

a discussion about simulated attack training

a discussion about simulated attack training

Wombat Security Technologies thinks it has the answer: simulated attack training. In a nutshell, this involves phishing your own staff. This has two huge advantages. First, it is teaching through experience rather than teaching through lectures (and practical always sticks better than theoretical): if somebody falls for a phish and is sent to a benign landing page carrying a company ‘gotcha’ message, he or she won’t want it to happen again. Second, because every click is recorded, it is measurable: the company can track the success of its training scheme from one campaign to the next.

If 20% of staff fall for the first phish (in practice the first figure is likely to be well above 80%) and then 25% fall for the next one, something is clearly wrong with the overall training package and it needs to be re-evaluated. More likely, however, the number of victims will steadily decrease over time. Repeat victims can then be pulled out for more targeted training; and serial victims can be assigned to the gardening detail.
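To show what “measurable” looks like in practice, here is an added example (not code from the original post, nor from Wombat) that turns raw campaign results into the three numbers the paragraph above cares about: the click rate per campaign, campaigns where the rate went up instead of down, and the recipients who keep clicking. The campaign records are constructed for illustration; a real deployment would export them from the simulation platform.

```python
"""Click-rate trend and repeat-victim report for simulated phishing campaigns.

Added example, not code from the original post or from Wombat Security.
The campaign records are constructed for illustration; in practice they
would come from the simulation platform's export (campaign, recipient,
whether the recipient clicked the link or opened the attachment).
"""
from collections import defaultdict

# Constructed sample data: (campaign_id, recipient, clicked)
SAMPLE_RESULTS = [
    ("2013-01", "alice", True), ("2013-01", "bob", True),
    ("2013-01", "carol", True), ("2013-01", "dave", False),
    ("2013-01", "erin", True),
    ("2013-02", "alice", True), ("2013-02", "bob", False),
    ("2013-02", "carol", True), ("2013-02", "dave", False),
    ("2013-02", "erin", False),
    ("2013-03", "alice", True), ("2013-03", "bob", False),
    ("2013-03", "carol", True), ("2013-03", "dave", False),
    ("2013-03", "erin", True),
    ("2013-04", "alice", True), ("2013-04", "bob", False),
    ("2013-04", "carol", False), ("2013-04", "dave", False),
    ("2013-04", "erin", False),
]


def click_rates(results):
    """Map each campaign to the fraction of recipients who clicked, in campaign order."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for campaign, _recipient, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {campaign: clicked[campaign] / sent[campaign] for campaign in sorted(sent)}


def regressions(rates):
    """Campaigns whose click rate rose compared with the previous campaign.

    A rising rate after a round of training is the signal the post describes:
    the training package itself, not just individual users, needs re-evaluating.
    """
    ordered = list(rates.items())
    return [
        campaign
        for (_prev, prev_rate), (campaign, rate) in zip(ordered, ordered[1:])
        if rate > prev_rate
    ]


def repeat_victims(results, threshold=2):
    """Recipients who clicked in at least `threshold` campaigns, with their counts.

    These are the people to pull out for targeted training; raise the threshold
    to find the serial offenders.
    """
    counts = defaultdict(int)
    for _campaign, recipient, did_click in results:
        if did_click:
            counts[recipient] += 1
    return {recipient: n for recipient, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rates = click_rates(SAMPLE_RESULTS)
    for campaign, rate in rates.items():
        print(f"{campaign}: {rate:.0%} clicked")
    print("campaigns with a rising click rate:", regressions(rates))
    print("repeat victims:", repeat_victims(SAMPLE_RESULTS))
    print("serial victims:", repeat_victims(SAMPLE_RESULTS, threshold=4))
```

With the constructed data the rates run 80%, 40%, 60%, 20%: the third campaign is flagged as a regression even though the overall trend is downward, which is exactly the case where you want to look at what changed in that campaign (a more convincing lure, a new joiner cohort) before blaming the training.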

Wombat has published a new report based on the practical experience of several CSOs from major companies: A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training? It is well worth reading to see how simulated attack training works in practice, and what steps you need to take to get it started.

PS. Note that these are CSOs. Schneier is a CTO.


see also: Joe User is the weakest link – a presentation at the Infosecurity Virtual Conference

Categories: All, Security Issues

Spear-phishing is the single biggest threat to cyber security today

December 7, 2012 Leave a comment

Arguably, there is no security incident without end-user involvement; either the user actively does something he shouldn’t, or passively fails to do something he should. The criminals’ usual route is to socially engineer the target into doing something he shouldn’t (see The art of social engineering), like clicking a dubious link or opening a malicious attachment. This is basic phishing. The original mass phishing campaigns, sending the same email to hundreds of thousands of targets, deliver an ever lower return for the criminals: users have become adept at spotting them. So today criminals are choosing higher value targets and sending personalized emails to an individual or a small group of individuals. This is spear-phishing.

Spear-phishing malicious attachments: source Trend Micro

Criminals – whether individuals, organized criminal gangs or state-sponsored groups – are all selecting spear-phishing as the attack method of choice. A recent study by Trend Micro has shown that 91% of all successful APT attacks start via a spear-phishing attack; and 94% of those are emails carrying a malicious attachment. To put this into perspective, many (not all) security experts believe that any organization targeted by an APT will fall to the APT. The corollary, and one that I accept, is that anybody targeted by a well-crafted and researched spear attack will succumb to that attack, or the next one, or the one after that.

This is because there is no guaranteed defence against spear-phishing. It is man versus man; technology alone won’t stop it. You can filter incoming emails, but you might miss one. You can filter the target URLs, provided you know about all of them, but that does nothing against a disguised malicious attachment.
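The checks a gateway can make are still worth having, and they are the same ones that would have caught the ‘Apple Support’ mail in the first post on this page (reassuring link text, a hidden href pointing somewhere else entirely). The following is an added example, not code from the original posts: it parses a constructed message and flags a Reply-To on a different domain from the From, link text that claims one host while the href points at another, links that leave the sender’s domain, and attachments with executable or double extensions. All the domains ending in .example are invented, and registered_domain() is a deliberately crude last-two-labels heuristic; production code would use a public suffix list.

```python
"""Heuristic phishing checks on a raw inbound email.

Added example, not code from the original posts. SAMPLE_EMAIL is constructed
to resemble the 'Apple Support' mail described above: reassuring link text,
a hidden href to an unrelated host, a Reply-To on a third domain and a
double-extension attachment. All domains ending in .example are invented.
registered_domain() is a crude last-two-labels heuristic; production code
would use a public suffix list.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = b"""\
From: Apple Support <support@apple.com>
Reply-To: verify@apple-id-check.example
To: victim@example.org
Subject: Your Apple ID
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We need your help in order to not be frozen your account.</p>
<p><a href="http://update-now.example/404.html">update Now &gt;</a></p>
<p>Or sign in at <a href="https://appleid.apple.com/">appleid.apple.com</a></p>
<p>Also: <a href="http://update-now.example/login">https://appleid.apple.com/</a></p>

--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".com", ".pif", ".jar"}
DOMAIN_LIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (heuristic eTLD+1; see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a From/Reply-To header, or ''."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return match.group(1).lower() if match else ""


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    sender = address_domain(msg["From"])
    reply_to = address_domain(msg["Reply-To"])
    if reply_to and registered_domain(reply_to) != registered_domain(sender):
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = (urlparse(href).hostname or "").lower()
                # If the visible text looks like a host or URL, it must match the real target.
                text_host = re.sub(r"^https?://", "", text.lower()).split("/")[0]
                if DOMAIN_LIKE.match(text_host) and registered_domain(text_host) != registered_domain(href_host):
                    findings.append(f"link text {text!r} points to {href_host}")
                elif href_host and registered_domain(href_host) != registered_domain(sender):
                    findings.append(f"link {href} leaves the sender's domain {sender}")
        filename = part.get_filename()
        if filename:
            labels = filename.lower().split(".")
            if len(labels) > 1 and "." + labels[-1] in EXECUTABLE_EXT:
                findings.append(f"attachment {filename} has executable extension .{labels[-1]}")
            if len(labels) > 2:
                findings.append(f"attachment {filename} has a double extension")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed message this produces five findings; the genuine-looking appleid.apple.com link produces none, which is the point: the text-versus-href comparison only fires when the visible text makes a claim the href contradicts. None of these checks would catch a well-crafted spear-phish whose link and attachment are both on an attacker-controlled domain that the user has no reason to distrust, which is the gap the paragraph above describes.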

This all raises the question of why spear-phishing is so successful; and it’s because the criminals do their homework. They treat the internet as their own big data playground, and harvest little snippets of information from different places to combine into a remarkably detailed profile of potential targets. There are huge criminal databases of stolen data. Just this week it emerged that the Nationwide insurance group in the US had personal details of 1.1 million Americans stolen, including “Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer.” A couple of months ago, 3.6 million South Carolina taxpayers had details stolen (itself via a spear-phishing attack) from the Department of Revenue.

What they don’t already have they get from the social networks and indeed the target’s company website. Email, personal interests, friends, position in company, age and location can all be found. From this profile it becomes relatively easy to compile a compelling email that looks 100% genuine and irresistible.

Indeed, the very way in which we do computing makes phishing very effective. A fascinating PhD thesis by Michele Daryanani (Desensitizing the User: A Study of the Efficacy of Warning Messages), made available this summer, draws a connection between hyperactive operating-system warnings and the desensitizing of users, including to phishing attacks.

So what can we do? The main defence is user education. There are specialist training companies; and PhishMe in particular specialises in teaching how to avoid being phished.



Yesterday, Rapid7 announced that Metasploit is joining the battle with a new release, Metasploit Pro 4.5, introducing ‘advanced capabilities to simulate social engineering attacks’. HD Moore, the originator of Metasploit and chief security officer at Rapid7, describes it thus: “Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things. Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.” In other words, it allows you to test your users and see which of them fall to phishing under what circumstances – spear-training against spear-phishing, as it were.

But I’d like to add my own recommendation: that governments should understand that more often than not, education is better than legislation. If government would spend a fraction of its security budget, and a fraction of their energy, on educating users rather than legislating against choice, then we would all be a lot safer. And happier.

Categories: All, Security Issues

Recent stories on Infosecurity, featuring Trend Micro, phishing for Apples, NullCrew and more…

September 19, 2012 Leave a comment

A few of my recent stories on Infosecurity Magazine over the last couple of days…

Peter the Great beats Sun Tzu in cybercrime
Despite the hoo-ha about the ‘Chinese cyberthreat’ (in reality, read east Asia), Russia’s Peter the Great (in reality, read east Europe) is beating Sun Tzu in modern cyber wargames. Eastern Europe has better cybercriminals than eastern Asia.

Beware of iPhone delivery phishes
iPhone pre-orders are now showing a 3-4 week shipping estimate. Since Apple announced that 2 million pre-orders were sold for the iPhone 5 in just 24 hours, delivery delays are not likely to disappear quickly.

NullCrew: the principled hacker group?
In a wide-ranging interview broadcast over online Spreaker radio but conducted probably via IRC, UK Anon Winston Smith has been talking to Null, the leader of the NullCrew hacking group.

Quantum Key Distribution takes to the air
An aircraft in flight has successfully transmitted quantum encryption keys to a ground station, bringing closer the time when satellites can be used to provide a theoretically (allegedly) secure communications network.

YouTube declines to remove Mohammad video clip
Asked by the White House to reconsider whether the infamous Mohammad video clip is in violation of its terms of service, Google has replied that it is not. Although it is blocking the clip in Egypt, Libya, Indonesia and India, this, says Google, is in keeping with local laws.

AlienVault doxes the man behind the PlugX RAT
AlienVault has been tracking the PlugX remote access trojan for some months, and following extensive detective work has now uncovered enough information to name the person behind it.

News stories on Infosecurity Magazine: 17, 18, 21 and 22 May, 2012

May 22, 2012 Leave a comment

My recent news stories…

You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012

A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012

New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012

UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMware suggests such targets will likely be missed by the public sector.
21 May 2012

New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012

TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012

Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012

Who attacked WikiLeaks and The Pirate Bay?
This week both The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and WikiLeaks for 72. What isn’t known is who is behind the attacks.
18 May 2012

BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett Packard.
18 May 2012

25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012

Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012

Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012

Categories: All, Security News

My news stories on Infosecurity Magazine

February 5, 2012 Leave a comment

Last week’s news stories (Jan 30 to Feb 3):

Security researchers break satellite phone encryption
German researchers have cracked two satellite phone encryption codes – huge implications.

EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.

VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.

Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.

New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.

Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.

Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by

New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.

Resilience is the key to security says World Economic Forum
WEF suggests a holistic view of resilience to risk rather than an isolated view of prevention.

A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.

IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.

75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.

Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.

CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.

Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.

I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.

Categories: All, Vendor News

The mobile phone, its (lack of) security, and the future

April 3, 2011 2 comments

Over the last few days there have been at least three major security reports: one from McAfee/SAIC, one from IBM, and the TNS Mobile Life study.

All three are worth reading – but I’m going to cherry-pick from them in order to justify my own preconceptions about the future of mobile security. But first I must ask you to accept a personal observation: the majority of mobile phone users do not recognise a need for security, and currently have little or no security.

We’ll start with the future direction of threat suggested by McAfee/SAIC:

The targets for the underground economy have shifted significantly in the last couple of years. While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.

We don’t really know how long this has been going on, but it came to the fore in early 2010 with Google’s revelation of what became known as Operation Aurora and the advanced persistent threat (APT). IBM concurs with this view: “The single most common threat vector used over the past few years as observed by ERS [IBM’s Emergency Response Services] is spear phishing where an object contains a link to a web page that contains malware.” Spear phishing is the targeting of an individual or small group of people for a specific purpose – such as the theft of intellectual property.

How is this relevant to the mobile market? Well, it isn’t; at least, not yet. However, the IBM report shows the increase in mobile vulnerabilities, with these two graphs showing how matters have escalated over the last year:

IBM fig 76: Total Mobile Vulnerabilities

IBM fig 77: Total Mobile Exploits

Nevertheless, IBM says these figures should be seen in context. It points out that

First, most of what is considered best practice around securing mobile devices is still not nearly as well defined as it is in the corresponding personal computing space. Second, the underlying platforms themselves are substantially untested and likely contain years of vulnerability discovery ahead of them.

And it further comments that

We aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today, because mobile devices likely do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who create large Internet botnets. As e-commerce involving mobile phones increases in the future, it may bring with it a greater financial motivation to target phones, and an associated increase in malware attacks. However, mobile devices do represent opportunities for sophisticated, targeted attackers today.

Our conclusion so far, then, is that mobile phones are not yet heavily targeted; but that the potential already exists.

Let’s now apply IBM’s comments to the threats defined by McAfee/SAIC: stolen credit cards (that is, mass identity theft, typically delivered as malware and phishing spam via botnets); and intellectual property theft via spear phishing. Neither appears to be happening to any great extent in the mobile market yet; but IBM points to the increasing use of mobile e-commerce as a spur for the former, while the potential for the latter already exists. This is where we turn to the TNS survey, which shows in particular that mobile banking (including the e-wallet) and social networking are the main drivers behind the future use of mobile phones.


Strong growth in social networking and mobile banking

Mobile banking and mobile payments will mean an increasing likelihood of account details and passwords being stored on mobile phones. That will attract the criminals seeking to steal credit card details. Social networks are an ideal source of the personal information that feeds the individual social engineering at the heart of spear phishing; and that will attract the criminals seeking to penetrate corporate networks in order to steal intellectual property. An increasing use of mobile phones for social networking is a given; the only question is how quickly, and to what extent, banking and payments will migrate to the mobile platform. Well, one technology (not new, but only now taking off) that has the potential to change things very quickly is near field communications (NFC).

NFC is already in use, although not yet widespread in phones, in Barclaycard’s contactless payments. “This allows people who have a Barclaycard to swipe their card across a payment terminal (if the retailer has an appropriate terminal, such as at Pret A Manger), without entering a PIN for purchases of up to £15,” explained Amali de Alwis, a senior research consultant at TNS. “It is a similar line of technology that will be incorporated into mobile phones to allow people to make payments using their mobile instead of a card.” In other words, the migration of bank cards onto mobile phones is technologically easy via NFC, and already well in hand (as seen by Barclaycard’s presentation at the Barcelona Mobile World Congress last year).


Contactless payment will migrate to the mobile phone

“According to recent press, Apple are looking to incorporate this technology into their iPhones, and additionally Google have teamed up with Citigroup and MasterCard to facilitate these types of services on Google Android phones – buzz is saying within the coming year,” continued Amali.


Amali de Alwis, TNS

“From our Mobile Life study we also have consumers telling us directly that there is a demand for these types of services to be available, and that consumers are already willing to consider the use of their mobiles as an e-wallet/payment device (and in some cases, such as with the use of M-Pesa in Kenya, are already doing so), and we see growth potential here not only as a device for paying for goods in store, but also for services such as bill payments.”

If we put all of these elements together we have a new platform that is not yet fully exploited by the bad guys, but one that offers a mass target that will increasingly hold financial details ripe for identity theft, and personal details ripe for socially engineered intellectual property theft – and yet it remains a platform where security is hardly considered by the user. Unless the security industry and/or the phone manufacturers can rapidly explain the need for, and implement adequate security – that is one hell of a window of opportunity for the bad guys over the next few years. My suspicion is that IBM’s current observation that “we aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today” will change dramatically, very quickly.

Categories: All, Security Issues