Cybersecurity: Russian Hackers, Privacy, and You

WordCamp

I was invited to give a presentation about Cybersecurity at WordCamp Orange County 2017; I chose to discuss privacy aimed toward the average user. It was my first WordCamp presentation.

WordCamp is a conference that focuses on everything WordPress. WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participates, shares ideas, and gets to know each other.


Here is the video of my presentation:

References

Recognizing Computer Threats: Email

By Chris Williams

Promotional email

Chances are, if you see an unsolicited email that appears to originate from a company that you don’t recall signing up for, it’s probably spam or phishing. Since many retailers require double opt-ins now, it’s more difficult to get “accidentally” registered for an email subscription than it was a decade ago. Regardless, we recommend doing a follow-up with the company in question just to be sure; our goal is to rule out the possibility that your email account was hacked (see previous posts on compromised email accounts for a primer on this topic).

When dealing with a potential phishing email do not use the URL, email address, or phone number provided within the suspicious communication; instead look up the company’s information via your preferred search engine, making sure you are on the company’s direct website (not a competitor, affiliate, or knock-off). If the message is a scam the contact info provided won’t usually point to the real entity—it will more likely take you to a fake site that will attempt to capture your credentials or trick you into installing malware.

Scenario: fake offer with malicious “unsubscribe” link

Tom signs into his Gmail account and reads the contents of his inbox. He sees a bunch of ads for games and T-shirts he’d like to have, along with an advertisement from a company he doesn’t remember doing business with: “wigits.com”. Maybe someone registered his email address on their mailing list due to a typo? No problem: Tom simply clicks the Unsubscribe link at the bottom of the email message, expecting it to take him to a website where he can manage his “subscription”. Only one problem: the email was actually a phishing scam, and the moment his browser navigated to the malicious URL (disguised as the Unsubscribe link, of course) it triggered a drive-by download that infected his system with malware. Antivirus warnings start flashing and the threat is neutralized—or is it?

What could Tom have done differently? For starters, he could have done a Google search on this company to make sure it’s even real. Sometimes phishing emails are convincing, sophisticated messages with official-looking logos (stolen from PayPal, Amazon, etc.); sometimes they are terrible hacks with bad grammar and poor punctuation. In the latter case, the companies being represented may or may not even exist.

Let’s discuss our hypothetical in a bit more detail:

If wigits.com came up as a search result via a reliable search engine such as Google, at least Tom would know that the company isn’t totally fictitious. However, that doesn’t mean the communication itself is legit, so we must dig a bit deeper.

Both the web address and phone number for wigits.com should be published online. Tom can simply navigate to their site (again, using a reliable search engine to locate it) and find whatever contact info he needs to verify his “subscription”. He can call, email, or see if they offer a way to manage email opt-outs directly on the site.

Let’s assume there is no email address or subscription management feature on the site. No problem! A phone call to customer service will suffice. We expect one of two scenarios to occur:

  • Tom calls and speaks to an agent, provides his information, and is told that his email address is not on file with wigits.com.

OR

  • Tom calls and speaks to an agent, provides his information, and learns that he was in fact signed up for wigits.com promo emails. He then unsubscribes, assuming at this point that it was due to a mistake (maybe his address is similar to another user’s—it’s pretty commonplace for that to occur).
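A mail filter’s version of the check Tom should have made (does the link really go where the message claims?), written here as an added example rather than code from ParadoxPrime; the sample message is constructed, with the sender domain wigits.com taken from the scenario and example.net standing in for the attacker’s host:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host: str) -> str:
    """Crude 'last two labels' domain; assumption: no public-suffix list is consulted."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(sender_addr: str, html_body: str) -> list:
    """Return (link text, target host) for http(s) links outside the sender's domain."""
    sender_domain = registrable(sender_addr.rsplit("@", 1)[-1])
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        if registrable(target.hostname or "") != sender_domain:
            findings.append((text, target.hostname))
    return findings

# Constructed sample modelled on the wigits.com scenario: the offer link is on the
# sender's own domain, the "Unsubscribe" link is not.
SAMPLE_FROM = "promo@wigits.com"
SAMPLE_BODY = """<p>Great deals this week!</p>
<a href="https://www.wigits.com/deals">See offers</a>
<a href="http://wigits-mail.example.net/u?id=42">Unsubscribe</a>"""
```

Legitimate mailing providers often send links through their own tracking domains, so treat a finding as a prompt to verify through the company’s published contact details, exactly as the scenario recommends, rather than as proof of phishing.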

Malicious attachments

“What if there’s no URL in the body of the message? Perhaps the email just has a harmless little .zip file attached… no way that can be bad, right?”

Malicious attachments are one of the most insidious vectors used to infect victims with malware; within this category of threat, there are perhaps two major methodologies in widespread use: disguising the attachment’s file extension, and hiding the payload inside “real” data. An example of the former would be a malicious file masquerading as a .pdf file or Word document; an example of the latter would be a Macro-enabled Excel workbook that runs a malicious script when opened.

Fortunately, many email filtering systems can be configured to block any attachments with mismatched file extensions (the file extension shown in the document name doesn’t match its actual file type), and most systems can simply blacklist certain “high-risk” file extensions altogether. For instance, files with .zip extensions are often blocked entirely by anti-spam platforms; this is because they are so prevalent in phishing campaigns and very effective. As long as the file containing the payload is still zipped it will typically appear clean to antivirus software. While there may be a window of time to scan the file and prevent infection, this isn’t always the case.
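The two filtering rules just described (block attachments whose extension does not match their real content, and blacklist high-risk extensions), plus a check for the macro-enabled Office case from the previous paragraph, as an added example that is not ParadoxPrime’s code; the magic-byte table and the blacklist are assumptions for this illustration, and the sample document is constructed in-memory:

```python
import io
import zipfile

# Leading bytes -> real container type (constructed table for this example, not exhaustive)
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also .docx/.xlsx/.pptx and macro-enabled .docm/.xlsm/.pptm
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls/.ppt
    b"MZ": "exe",  # Windows executable
}
# Declared extensions acceptable for each container; "exe" has no entry, so it never passes
ALLOWED = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm"},
    "ole": {"doc", "xls", "ppt"},
}
HIGH_RISK_EXT = {"zip", "exe", "js", "vbs", "scr", "hta"}  # assumed blacklist policy

def sniff(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def has_vba_macro(data: bytes) -> bool:
    """OOXML files are ZIPs; a vbaProject.bin member means macro-enabled content."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def screen_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to block this attachment; an empty list means it passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if ext in HIGH_RISK_EXT:
        reasons.append(f"high-risk extension .{ext}")
    if kind != "unknown" and ext not in ALLOWED.get(kind, set()):
        reasons.append(f"extension .{ext} does not match content type {kind}")
    if kind == "zip" and has_vba_macro(data):
        reasons.append("macro-enabled Office document")
    return reasons

def sample_macro_doc() -> bytes:  # constructed stand-in for a .docm: a ZIP holding vbaProject.bin
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Note that the macro check only sees inside the container it is handed; as the paragraph above says, a payload nested inside a .zip is not inspected here, which is exactly why many platforms block that extension outright.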

The takeaway

Spam and phishing emails are increasing in frequency and complexity as scammers become savvier. Unfortunately, a contributing factor in this increase is the fact that these scams successfully fool a lot of people; users that open links and attachments they should have avoided are a major vector for the spread of malware. Similarly, unsuspecting users can be led to bogus versions of real sites and voluntarily give up their personal and account info.

Some file extensions are more suspect than others, but all attached files should be treated as suspect unless you have reasonable assurances of their legitimacy.

For the sake of repetition: never click a link provided in an email message if you aren’t sure of the authenticity of the message and/or its sender. Contact the company using a known-good phone number or email address.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Current Events – Top 5 Cybersecurity Developments of 2016

By Chris Williams

To kick off the new year, we’ll take a look back at 5 of the most important cybersecurity events and trends from 2016, along with the circumstances that made each noteworthy.

5 – IoT-fueled DDoS attacks result in highest throughput events in Internet history

The threat posed by distributed denial of service (DDoS) attacks has increased significantly over the past year; as attack techniques including reflection and amplification become more sophisticated, the amount of traffic that can be directed at a target now measures in hundreds of Gbps and will likely break the 1 Tbps threshold (if it hasn’t already) in a single attack before long.

We examine some of the causes and implications of this trend in greater detail, in an earlier article: https://paradoxprimeia.com/2016/12/06/mirai-ddos-iot-security/

4 – Among the first publicized instances of a nation state employing cyber warfare to influence the democratic process of another nation state

No voting machines were breached, and no tallies were altered—one cannot say that the election was “hacked” in a strict sense. Instead, information was obtained illegally by a team of hackers and then disseminated for use in a large-scale information campaign designed to influence the outcome of the election by shifting public opinion; a much more roundabout method that creates a measure of “plausible deniability” for all those involved, to be sure.

According to what has been released, the team that breached the Democratic National Committee’s network and obtained incriminating emails from key DNC personnel was not working directly for Russia. This is hardly a surprise. According to those same reports, however, investigators have been able to determine the origin of the hackers as well as their financial ties to Russian stakeholders; this, combined with various intelligence that demonstrates Russian officials had some knowledge of the campaign, paints a fairly compelling albeit circumstantial case.

However, the “who/what/when/where/why/how” isn’t necessarily the most pressing issue we face—our follow-up question should be, “what comes next?” Since the floodgates of political interventionism have apparently been opened, and the United States still has yet to address a multitude of issues with its critical infrastructure (among many other targets), there is ample cause for concern. Could a more direct election hack be next? Could we face a Stuxnet-style attack on our nuclear plants, or an attack similar to the one which took down power stations in the Ukraine? With the latest attacks in Kiev also being linked to Russia, it’s definitely a question worth asking.

3 – Ransomware continues to increase in prevalence, cybersecurity experts talk preparedness

Although ransomware has existed in some form for the better part of this decade, 2015 and 2016 both saw significant leaps in the complexity and ubiquity of this unique strain of malware. By the end of 2016, losses to consumers and businesses skyrocketed to an estimated $1B; that figure puts this rapidly expanding form of cybercrime in a position to potentially replace credit card fraud as the top fiscal threat to organizations and consumers. It’s of course too early to see what 2017 holds, but we can only hope that increased awareness of the risks (as well as mitigating strategies such as appropriate backup procedures for critical data) causes this trend to reverse itself.

In the meantime, hospitals, retailers, law enforcement agencies, and even private users should all be wary of suspicious files, unsolicited emails, and other potential vectors that we’ve discussed in previous posts. Like many attacks, ransomware must exploit a human element in order to be successful; cybersecurity experts continually point to users as the most easily exploitable target, but training methods have not kept pace with threats.

2 – Apple sets a precedent by favoring consumer privacy over the demands of intelligence agencies

The terrorist attacks which occurred in San Bernardino in late 2015 had consequences which will almost certainly influence consumer privacy and data security for many years—due not to the nature of the attacks themselves, but rather the course of subsequent investigation and legal maneuverings which continued well into 2016.

At issue was one of the iPhones used by the attackers, which was locked using Apple’s built-in device encryption feature; the FBI asked Apple to provide a means of bypassing that encryption, but the request was refused on the grounds of privacy protection. (There were other factors; however, the premise “If we give you a backdoor then anyone can potentially have the same backdoor” is a fair argument which summarizes Apple’s position.) Even after the conflict had escalated to a lawsuit, Apple stayed the course, declining to provide a workaround to investigating agencies; however, since the FBI eventually found another way of cracking the phone’s security measures, the suit was dropped and the whole affair essentially fizzled out.

Apple’s refusal to cooperate is a polarizing topic, with their stance drawing both praise and criticism from cybersecurity professionals. Regardless of how that debate plays out, the important thing to note is that private companies cannot be compelled to provide consumer information to government agencies without due process—at least not yet. Additionally, Apple was among the first companies of its size to publicly decline putting a backdoor into their systems; technology and telecom companies have historically complied with even the most invasive of federal programs in the interests of national security.

1 – Data breaches result in billions of compromised consumer records throughout organizations worldwide

The following is a “short list” of data breaches which were publicized (not necessarily occurred) in 2016:

  • Yahoo – 1 billion user accounts
  • Yahoo (again) – 500 million user accounts
  • MySpace – 360 million user accounts
  • LinkedIn – 167 million user accounts
  • Office of Child Support Enforcement – 5 million records
  • 21st Century Oncology – 2.2 million patient records
  • Verizon – 1.5 million enterprise clients
  • Centene – 950,000 patient records
  • IRS – 700,000 taxpayer records
  • FBI – 20,000 employee records
  • DHS – 9,000 employee records

Over the past few weeks we’ve examined data breach trends and discussed some potential safeguards which consumers should be cognizant of. You can check out these articles at:

https://paradoxprimeia.com/2016/12/23/recognizing-computer-threats-data-breach-awareness-1/

The takeaway

If 2016 was any indication, the cybersecurity landscape for 2017 will consist of a vast array of threats; consumers, businesses, and governments are all susceptible in part because of the common (human) element. User training & awareness programs should be considered by all organizations, regardless of size.