Encrypt That Drive

Promise me you’ll return to this blog piece, but go ahead and open a new tab and search for “stolen laptop.” Filter the search results for a specific year. Or refine the search within an industry, eg. healthcare or financial. Too many results. Too many incidents. The U.S. Department of Health and Human Services, Office for Civil Rights, has a breach portal – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf – only incidents involving more than 500 PHI records are in the database. Search for theft of laptop.

Stolen laptops from a car, home or office. Lost, misplaced, theft or burglary. All industries have been affected – healthcare systems, clinics and labs, state and city agencies, universities and schools, accounting firms, financial and insurance firms, energy and gas companies, the largest soda company in the world…

After a laptop is reported stolen, one of the first defensive action is to disable access of the laptop and the employee into the corporate domain. Removing user access from the corporate domain does not disable local access to the stolen laptop hard drive. Bypassing the desktop logon can be as easy as a Google search. Or mounting the hard drive to another operating system. Files and data can then be accessed, in clear text.

Access to the desktop can lead to access to the laptop owner’s personal email or other saved logins. Logins to a 3rd party vendor that may have sensitive information on clients and patients. Or the vendor site may have programmatic or API access for the thief to pivot to another site for additional information and access.

Laptops can contain local databases containing PII or PHI. Or downloaded lab reports for a patient. Or email attachments of tax documents for a mortgage refinancing application. Or credentials to other database portals.

More companies are encrypting the mobile devices they provide their employees, but many still do not. Furthermore, too many employees are accessing work email or downloading client documents on their own personal devices.

An enterprise security program should include the encryption of its hard drives, particularly in laptop drives. The policy should include encryption of its data-at-rest. This is the additional layer of security where ALL the data, the entire physical hard drive, is encrypted.

All the files in the drive remain encrypted when the laptop is powered off. Upon powering on, the user is prompted for a password to decrypt the drive, which will then continue to boot up to the logon into the operating system desktop. Without the first (encryption) password, the drive and all its data – system and data files – remain encrypted.

The requirement for encrypted hard drives may vary by industry, whether the vendor is under a military or government contract, or operating under PCI- or HIPAA- compliance. But if one of your corporate laptops gets stolen and the first thought that crosses your mind is, “I hope it doesn’t contain any of **MY** sensitive information?,” then that laptop needs to be encrypted.

It should be company policy to encrypt all company-issued laptop drives. Even if the drive does not have any PII or PHI, work documents, e-mail and browser history access alone through the stolen laptop can be used to obtain further access into sensitive corporate, staff, customer or client information. Whole volume encryption will secure the data-at-rest. Well, it’s a start.

Cartoon courtesy https://xkcd.com/

Resources:

https://www.dataev.com/it-experts-blog/why-laptop-encryption-is-a-must-for-all-businesses-not-just-big-ones

https://www.businessnewsdaily.com/9391-computer-encryption-guide.html

They Price It Right! Come on down…

Healthcare from United States, come on down! Welcome to “They Price It Right!” There goes the industry, high-fiving all the other industries in the studio as it rushes towards Drew Carrey and the stage. And pays the ransom.

In 2017, healthcare organizations accounted for 15% of all security incidents and data breaches, second only to financial institutions (from Verizon’s 2017 DBIR). 66% of malware was installed through either email links or attachments. The healthcare industry has also been hard hit with ransomware in recent years.

* The above images captured from Verizon’s 2017 Data Breach Investigations Report

The last several years have seen a dramatic increase in ransomware within healthcare. To quote the CEO of an organization that DID pay out the ransom demand, “These folks have an interesting business model. They make it just easy enough. They price it right.” Symantec’s ISTR on Ransomware 2017 reports the average ransom demand “appears to have stabilized at US$544 indicating attackers may have found their sweet spot.” Ahhh…can just picture the blackmailer getting a notification that their target had succumbed and paid up…that hit the sweet spot.

However, a reminder; a $500 ransom may not seem much to an organization with millions or billions in revenue, but that’s per infection (sorry, pun not intended as we’re discussing the healthcare industry). Dozens or hundreds of infection can easily tally up the ransom to total in the tens or hundreds of thousands.

Furthermore, paying the sweet spot ransom does not guarantee even a bittersweet outcome. SentinelOne’s 2018 Ransomware Study shows 42% of ransom payments did not result in data recovery. 58% demanded a second payment.

* The above image captured from SentinelOne’s Global Ransomware Study 2018

Most ransomware is delivered through email. Phishing. Spearphishing. Targeted targets. Email addresses for an organization can easily be harvested using readily available open source tools. 15 minutes to create a phishing campaign with the newly found targets with a link or malicious attachment. The context of the email can be social media related, user needs to reset their password, they have a package that was undelivered, the CEO has attached a memo addressed to all staff. The recent Russian indictments – regardless of the reader’s political leanings – are proof that PHISHING WORKS! (Also blogged here in stateofsecurity.com)

Technology has come a long way – email filters, domain verification, Sender Policy Framework, malware and link scanners – plus many more help in filtering out the 50-70% of the email traffic that is spam. But they still get through. I know for one my Inbox is not spam-free or devoid of any phishing messages.

Since technology is not at the point where it’s able to stop all phishing email, it is up to the user to NOT click on that link or attachment. Sure, there are technologies that prevent bad things from happening if a user DOES click on a phishing link or malicious attachment. But then again, technology is not at the point where they are 100% effective.

Businesses with big budgets buy all kinds of hardware and software solutions to try to counter phishing. But they ignore a big piece of the phishing attack model, and that is the end user. And here, education and training is imperative.

Repeating phishing exercises should be conducted on all or selected groups of employees. These campaigns should be at not-too-regular intervals, so as not to evoke an anticipation from the employees – alright, here come some vaguely suspicious email on the first day of each quarter; I’ll just delete them. Then the rest of the year, they blatantly open, view and click on any and all email links. The simulated campaigns should be randomized and as unexpected as possible.

These campaigns should also be followed up with some education, either some static web pages, training video or live in person session. Phishers are always coming up with new tricks and methods. As a result, end users should be brought up to speed with their new tricks. A couple academic research papers on the efficacy of phishing training demonstrate that EDUCATION WORKS! (links under Resources below)

Then there needs to be a culture of non-retribution. Phishing exercises should be conducted with learning as the objective. Employees should come away with a heightened awareness of phishing and the social engineering tricks used by phishers that make you just want to click that link/attachment.

Employees should be encouraged to report any suspicious email so that word gets around. Homeland Security’s “See something, say something” campaign applies here too; someone is perhaps targeting your firm, alert your fellow colleagues.

Resources:

https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf

https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

https://www.healthcaredive.com/news/must-know-healthcare-cybersecurity-statistics/435983/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf

https://blog.barkly.com/phishing-statistics-2016

http://www.cs.cmu.edu/~jasonh/publications/apwg-ecrime2007-johnny.pdf

https://www.usenix.org/system/files/conference/soups2017/soups2017-lastdrager.pdf

https://www.dhs.gov/see-something-say-something/about-campaign

Prescription pharmacy bags – do you just trash them?

When you get your prescription filled at a pharmacy, the medication is usually dispensed in amber colored pill bottles packaged in a pharmacy paper or plastic bag. Once the medication has been consumed, many discard or recycle the bottles.

There have been several articles on how to remove the sensitive information contained in the medication labels on the bottles. The information include the patient’s name and address, name of doctor and medication details. Recommended methods of removing the information include striking them out with a marker pen or removing the label. Some locations will accept the bottles and remove the labels and information for you, and recycle the bottles.

However, nothing is said of the pharmacy paper or plastic bag that the pill bottles come in when you get them from the pharmacist. When I get my meds from the pharmacist – from a big name national grocery store – I am asked for identification to receive them. I am asked of my name and phone or birthdate, and they verify with the information printed on the bag.

Most people are not aware of or don’t consider the information on the front of these bags. The information can be much more sensitive than what’s on the pill bottle labels. These bags are thrown in with the trash, never shredded. That leaves the information vulnerable to dumpster divers and identity theft.

The pharmacy bags the big grocery store dispenses the prescriptions in are sealed plastic bags. I can’t shred them so I stretch and tear the plastic to destroy the information. Most people will not take the trouble to do that. I have spoken with the pharmacist at the location I pick up my medications at with my concerns. Their process is obviously not up to him but perhaps he could pass on the concerns.

Take note of the label information your medications come in, not just the pill bottles but the pharmacy bag. Your private information is not only on the pill bottles but on the bag when they hand you your meds. Dispose of these packaging appropriately.

 

Resources:

http://rxoutreach.org/education-understanding-prescription-medication-labels/

https://www.popsci.com/old-medications-prescriptions-disposal

It’s OK to save all my passwords in Word, no?

In a follow up to my last blog on password managers, many of my family members and friends have still not picked up on the habit of using them – mostly because of the refused acceptance that there is a small price to pay for increased security; the price being a couple clicks to bring up the password manager app to look up the password for a web site login.

Password managers are still what is recommended to store unique and complex passwords for each authentication/login credentials you may have each domain, computer, web site. But for those family members and friends who have refused to adopt a password manager, I recommend the following.

Instead of saving your passwords in a Word document, save your password hints. We’ll get to how to write these hints later. Save the Word document encrypted, and make the filename something less obvious than passwords.docx – maybe “Favorite Movies.docx.” Depending on PC/Mac version, the encryption feature is found in the Save process under Tools or Options, Security. This is one password you need to remember – make it a good and memorable one.

You may think, Word encryption is not the greatest. True. But this layer of security – encrypting the document with a non-enticing file name – at least keeps the nosey, non-hacker person who might come across your file.

As to what information to keep in the file, you don’t want to store your passwords as-is (in plaintext) in a Word document, even though the file may be encrypted. You should only store information that can help you remember the password. For example, if your passwords are famous movie quotes, to remember the credentials for 2 sites could be saved as:

ebay.com = Clint Eastwood

amazon.com = Jack Nicholson

Each of the above actors has a famous, iconic movie line, and using a consistent transformation method on those quotes, the actual passwords for the sites would be:

ebay.com = gOaheaDmakEmYdaY

amazon.com = yoUcanThandlEthEtrutH

In the above example, the actual passwords are formed by capitalizing the last character of each word in the password hint, and eliminating all spaces and special characters. This transformation process should be memorized and be consistent for all the passwords saved in the Word document.

You can choose whichever transformation process, as long as it’s consistent so you can remember and don’t have to write it down somewhere, eg. capitalize the last 2 characters of each word or capitalize the second character of each word or substitute every first character with a number.

This way, if someone gets a hold of your Word document, and manages to decrypt its password, they will only have a list of password hints, that only you can transform into the actual passwords.

Some other examples of passwords and password hints that you could use:

  • Names of friends and family members, with their birth years as passwords, and the city where they live as password hints, eg.
  • Save in the Word document your password hints:
  • ebay.com = Denver, CO
  • amazon.com = Chicago, IL
  • And from the above password hints, you know your best friend lives in Denver and your aunt in Chicago.
  • Password for ebay.com = JimmyJones1989
  • Password for amazon.com = GertrudeSmith1955

You could even do this:

  • Save in the Word document the following password hints:
  • ebay.com = Go ahead. Make my day.
  • amazon.com = You can't handle the truth!
  • And from the above password hints, use your memorized transformational process, eg capitalize the 2nd character of each word.
  • Password for ebay.com = gOaHeadmAkemYdAy
  • Password for amazon.com = yOucAnthAndletHetRuth

This is “security through obscurity” – much of the information is available but in order for the information to be effective (for the passwords to work), they need to be manipulated using an algorithm that only the user knows but has committed to memory.

You can then email yourself this document. And when you need to look up the password for some site, look up the email, enter the document password to decrypt it, get the info, and use your memorized transformational process to re-construct your password for that site.

This is better than nothing. Better than the alternative of using easy to remember (and crack), simple and the same passwords for all logins. Best to use a password manager, though.

Be safe…

Resources:

https://www.cnet.com/how-to/the-safe-way-to-write-down-your-passwords/

https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices

I’m running out of Post-Its to write down my passwords

We all know to use non-dictionary, complex passwords for our email or online banking or online shopping accounts; whether we put that into practice is another issue. Even less in practice is, using a different password for each of our accounts; that is, never use the same password twice.

Why? The online gaming site that you logon to crush candy may not be as prudent in its security as the financial advisor site that is managing your 401K. The gaming site may store your password in cleartext in their database, or use a weak encryption algorithm. They may not be subject to regulations and policies that require them to have a regular vulnerability assessment. Using the same password for both sites will place either of your accounts vulnerable and at risk.

If a breach occurs and a site’s user data and passwords are unscrambled – as with 3.3 million users of a popular gaming site (article here) – then the hacker can try the discovered password on the user’s other accounts – email, bank, company site logon. And if the user uses the same password across the board, bingo.

You might think unlikely, improbable – how will the hacker know which website to try the discovered credentials? If the email harvested from the gaming site is myemailaddress@gmail.com, they could try the credentials to log into gmail. If the email is @mycompany.com, the hacker would look for a login portal into mycompany.com. The attacker could look for social media accounts registered with that email address. Or any other website that may have an account registered with that email address. The last estimate in 2017 is that there are over 300 million Amazon.com users. The attacker could try the discovered credentials on this popular site; if your favorite password is your birthdate – 12250000 – and you use it for all your logons, the attacker would be on an Amazon shopping spree as you read this blog.

This cross-site password use is not a security issue only through an online data breach; you may have misplaced your trust and shared your password, or entered your credentials on someone else’s computer that had a key logger or you accidentally saved your logon, or browsed the internet using an open wireless hotspot where someone was sniffing the traffic, or through any other instance that your password finds its way to the wrong eyes.

OK, so I need a different password for each different account that I have. I’m gonna need a bigger keyboard to stick all the Post-It notes with the passwords to every account I have underneath it. Or, maybe I could use a password manager.

A password manager is a database program that you can use to store information for each of your online accounts, website, username, password, security questions, etc. They are encrypted, requiring one master password to unlock its contents, all your saved passwords; “Ash nazg durbatulûk” – one ring to rule them all.

Remembering one long, strong, complex, impossible-to-brute-force-or-guess password, you can then gain access to all your other impossible to guess passwords. Almost all password managers also have a feature to generate random, complex passwords that you can use for each of your accounts.

There are many password managers out there, some commercial paid-for programs, some free open-source, with varying features. Some store your data in the cloud, some fill-in the login form automatically in the browser with your account credentials, some you can copy and paste the credentials from the program and the data in the clipboard is erased after a specified time period… You should choose a password manager that is both secure and usable.

Secure in that the encryption used to store the saved credentials and data is impossible to crack. Research what level of encryption your organization requires data to be stored with. When using the password manager, is the data self contained or is it exposed or available for use to other programs, and how. Does the password manager program run in secure memory space or written to a pagefile or swap memory that can be dumped by an attacker.

The password manager should be usable so that the user will be more likely to use it on a daily basis. If it slows down the user too much, it will be ignored and old habits die hard, the user will revert to poor password use behaviors.

An example real-world use of a password manager: Desktop and mobile versions of an open-source password manager can be installed on the Mac, Windows, Linux, Android and iOS operating systems with the one database file containing the credentials data saved in a cloud service. The user can access, view and edit the credentials from any of the devices with the installed program.

Password managers can be an an essential tool in securing your credentials. Do your research; research specifications, read reviews, compare functionality and usability. Also look up which managers have had bugs or vulnerabilities, how quick were the patches released, how was the vendor’s response to the flaws.

Using the same password for even only 2 websites should be a no-no. And forget trying to remember unique passwords to over 20 online accounts (recent research found the average US user has 130 online accounts). Plus, many sites force you to change passwords (rightfully so) on a regular basis. What is my current password to xyz.com that I last logged on 18 months ago?

Password managers can help you use a unique, strong password for each account. A data breach at one website (which seems to be reported on a weekly basis now) should not force you to change your password for any other websites. But protect that ONE master password. It is the one ring that rules them all.

Resources:
https://expandedramblings.com/index.php/amazon-statistics/
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

The hotel wifi is encrypted, it’s all good…No?

One of the modern amenities we always look for when booking a hotel room is that it has wifi. However, there are considerations and issues.

When using the hotel wireless network, you are a part of a network with many hundreds of other hotel guests. Innocent and anonymous, family, corporate, hotel guests. And possibly hackers and generally anyone up to no good. They could potentially snoop and view your unencrypted browsing activity. They could scan your laptop and leverage an existing vulnerability.

Traveling from one hotel to another, it can be tedious to enter the hotel wifi passcode to your 10 wireless devices to get connected each time you book into a new hotel (your devices, your spouse’s, your kids’).

You may think the hotel wifi is encrypted because you had to enter a passcode to get connected, but that is not necessarily true. The wireless network may simply require you to login using your room number and last name in order to be authorized to get connected, but that does not necessarily mean the connection is encrypted.

You could use a VPN to encrypt all your internet activity, but you still have to set up all your devices to connect to the hotel wifi first. And you need to have a VPN subscription/setup.

So, how can we secure our wireless connectivity to the hotel wireless network a little bit more?

One of the easiest solutions is to use a travel router. They range in cost from $30 to several hundred. They could be as small as a matchbox or a pack of cards. They could have all the features of a home router, and more. They can be setup as a router, a bridge, a wireless repeater, an access point, a firewall; some even have a SIM card slot so that you can connect to a cellular network and have multiple devices share the internet connection. Others can be setup as a file server or even have a battery, so it can be a free-standing device with no cable attachments.

On a recent multi city trip, I brought along one of these – a RAVPower FileHub Plus, reviewed in this article. I’d set it up before traveling into bridge mode, with my own non-broadcasting SSID with WPA2 encryption. I connected my laptop, phone and tablet to it, and saved the wireless connection details on each device.

After checking into each hotel, I’d connect my laptop or tablet to the router device, and setup its WAN connection – if I connect the device to the hotel room Ethernet, then there’s no need for this step. Otherwise, I would setup the device to connect its WAN to the hotel wireless. Then immediately, all my other devices would have internet connectivity, through my own router, encrypted.

If the hotel wireless network requires a login first, like you have to enter your room number and name, you would do that once, from a browser on any of the devices, then all the other devices would immediately have internet access. Easy. Secured. (Well, as secure as WPA2 can be.)

Connecting to a hotel wireless connection has some considerations – it may not be encrypted and you are connecting to a network where your device is easily visible to all several hundred others. Take some simple precautionary steps to create an additional layer of security around your devices.

Be safe…

Phishing URLs

How many of us inspect a link before we actually click on it? Be honest now, how many hover your mouse over the link and identify the destination in the status bar or popup, before you actually click? If the link is from a trusted site, say in the middle of a CNN article, very likely you don’t. If it’s a link in an email from your colleague, maybe. And even then, how closely do you look?

In many of MicroSolved’s social engineering exercises, alright, authorized phishing campaigns, creating fake links that appear valid is a tried and true method. To make an email look like it’s from John Glenn, a very familiar name recognized as an American hero, it takes 2 minutes to create an email address JohnGlemn@gmail.com. Or BilllyCrystal@gmail.com. Alright, how many of you actually caught the 3 lower case L’s in Billly? And the misspelling of Glemn in the email address?

Same thing with domains. Not to pick on this domain but why is MICRPSOFT.COM registered? Don’t browse to that domain, it gets forwarded to a suspicious link – which proves the point. An internet search for the string “MICRPSOFT” comes up with nothing for that string, all results are for “MICROSOFT.”

It’s a common technique referred to as URL hijacking or Typosquatting. It counts on the user not paying attention to what they’re typing into the browser address bar. Or it counts on the user not noticing the misspelling even if they were hovering the mouse over a link before they clicked.

Many of you have heard of the Equifax breach earlier this year. They registered and set up a domain for the public – equifaxsecurity2017.com. At this site, you could get more information, as well as enter your SSN (last few digits) to find out if your personal data had been part of the breach. However, a security professional registered securityequifax2017.com – and many legitimate sites actually directed traffic to this fake domain instead. Fortunately, it wasn’t anyone malicious, but someone who wanted to prove the point – and did – that these domain names can easily be abused. Equifax itself tweeted the fake domain, thinking it was their own.

So what are we to do? It’s easy to say, just be vigilant, be cautious, be on the lookout. There are tools, browser plugins, background running processes that can check links or clicks. But here’s an anecdote on relying on an “automated” tool that does things for us. I was pulled over at dusk couple weeks ago (wasn’t night yet, could still see the setting sun), driving my wife’s car that did NOT have daytime running lights. My car does. I have so heavily relied on this automated feature that when I was in a different environment that did not have it, I forgot to check the basics – it’s getting dark, are my lights on? Incidentally, the officer just gave me a warning.

Recommendation is, be vigilant, be cautious, be on the lookout. Check those links or email addresses. Check the spelling. Type in the link instead of clicking on it. Copy the link and paste it into the browser address bar, and verify before pressing Enter to navigate to it.

It’s a jungle out there. Be safe…

Have ISP-provided WiFi but don’t think you use it? You could be wrong – and on the open Internet

As with many home networks, you may have an all-in-one cable modem/router/wireless access point provided by the ISP, as well as your own personal router/wireless access point. To prevent a double NAT issue, the ISP router is bridged and the personal router is performing NAT and firewall functions. This setup for a friend’s home network is diagrammed as below:

All wireless devices connect to the Personal-WIFi SSID, with the wireless key saved for automatic reconnection to this access point, and behind the router’s firewall. The ISP-Modem-WiFi SSID was not disabled for the occasional connectivity and bandwidth test. However, whenever he switches to the ISP-Modem-WiFi SSID, he manually enters the wireless key and none of his wireless devices has this wireless key saved. Or so he thought.

About a month ago, he had set his laptop down close to the ISP’s modem in the basement. The laptop was on but was not being used. Later that day, he got on the laptop and noticed he couldn’t connect to any internal sources in his home network but there was internet connectivity. He moved the laptop to the den, and was then able to connect to his media server and file shares. He didn’t think anything of it.

The next day, he discovered for several hours in the previous day, the laptop had had many connection attempts from the internet, several over ftp, telnet, mssql ports. This was alarming because the attempts were coming from the public internet – how were these attempts going through the firewall?

On the laptop runs a HoneyPoint agent – MicroSolved’s proprietary honey pot application – that listens for and responds to connection attempts to specific ports. The agent will then send an alert to the HoneyPoint console for report, alerts or analyses. The laptop HoneyPoint agent had detected these connection attempts. No real service connections were established; no actual breaches occurred. The HoneyPoint agent records the source IP, port being probed, and what data was sent. The attacks indicated discovery probing with a vector towards IoT devices.

But the lingering question was, how could the connection attempts go past the firewall?

It was only serendipitous that he stumbled on the answer. About a week ago, he couldn’t RDP to a Windows box in his internal network, but still had internet. Turns out, the home wifi (Personal-WIFi SSID) was having a hiccup but the laptop had automatically switched to the ISP-Modem-WiFi SSID – outside the firewall. He had inadvertently saved the wireless key to this SSID and was not aware of it. The laptop was now bridged and getting an IP from the ISP, with no firewall or router in between. Also, almost immediately, he noticed the HoneyPoint alerts – connection attempts on the same ftp, telnet, mssql ports were coming in from the public internet.

Lesson learned = if you’re going to keep your wireless access point enabled without a firewall – as in the bridged ISP modem/router – then DO NOT save the wireless key for it on any of your devices (either intentionally or accidentally) or you may be connecting to it without being aware. Best is to disable the wireless, but if you need it, set a strong WPA2 password and do not save the key on any device.

Another lesson learned = In the ensuing troubleshoots, he discovered the router’s uPnP setting had been left enabled, its default setting. That was immediately disabled. Additionally, HoneyPoint agent is a light-on-resources, quick-alerting IDS that does its intended job.

Note of explanation: One could argue the point to bridge the personal router instead of the ISP modem/router, and you would not have this issue. However, if you have many DHCP reservations in your internal network and have ever changed ISP’s, you understand the pain of re-entering those client reservations on a new modem/router. With this setup, you can easily switch ISP’s, slide in a new modem/router and bridge it, and all internal network resources are not interrupted.

Resources: Is UPnP a Security Risk?; Disable This Buggy Feature…

Verifying links before you get phished

Your Mom sends a funny cat video link on YouTube. Your department head sends a link for the training schedule. There’s an email in your Inbox from Amazon for a laptop sale.

Always think twice before clicking on any of those links. Is that email really from Mom or the department head or Amazon? Even if it was really from Mom’s account, is that link really for a cat video on YouTube? Her account, could have been compromised, and the email sent with an obfuscated link.

Phishing works

Phishing campaigns are effective; estimates range from 60 to 90% of all email is a phishing message. MicroSolved’s social engineering exercises have yielded from 11 to 43% success – success meaning recipients have clicked on the benign links in our phishing exercises for clients with their employees. Estimates average 30% of phishing links are clicked.

Obfuscated URL in an Email

So, never click on a link in an email. OK, that may be a little absolute. Only be certain that the link is what you expect it to be. Hover over the link and either a popup or in the status bar of your email client/browser will display the URL. Verify the domain in the link is valid. Simple link obfuscation techniques such as registering a domain named yuotube.com (note the spelling) is an easy phishing and effective trick.

Another trick is hiding the URL behind friendly text, for example, click here. This technique could easily have been used to create a link = stateofsecurity.com – but the the link actually browses to MicroSolved’s home page.

Image links are not immune. That Amazon logo in the email – does that really link to amazon.com? Hover over the link to verify the URL before you click on it. Or better yet, open your browser, type amazon.com in the address bar, then search for and browse to the laptop sale. By the way, don’t browse to yuotube.com, just take my word for it.

Similarly, while browsing or surfing the web, it is always good practice to verify links before you actually click on them. Hover and verify.

Check that browser address bar

So, now that you’ve clicked on that link and landed on the destination web page, are you sure that’s chase.com’s login page? Before you enter your bank account login credentials, check out the URL in the address bar. Make sure it’s https. Any URL that requires you to enter some identification should be over the encrypted protocol, https.

Next, just because the URL has chase.com within it, does not make it a valid chase.com page. Check out the two images below; phishers often trick their victims by obfuscating a URL with a string of an expected valid domain name in the URL:

Note that chase.com is part of the URL, but the login.html page is actually in the badbaddomain.com. The attackers are counting on users to notice the “chase.com” in the URL and click on their link. Once clicked, the user is to taken to a rogue web server with a login page that mimics the real login page for the bank. If the user continues with typing in their authentication credentials, the trap  has sprung – the rogue server has saved the user’s credentials, and the bank account will soon be drained of its funds. Often, after the user enters the credentials, they may be redirected to a valid 404 error page in the user’s bank server, and the user imay be a little confused but unaware that they’ve just given away their credentials.

Current browsers have a feature to help users pick out the actual domain name from the URL – in the top image, the Firefox address bar displays the domain name part of the URL in black font, and everything else in a gray colored font. This is the default behavior; the setting can be changed for the entire URL be the same color format.

Not all browsers display the URL in such a way, Chrome displays the same obfuscated URL as below; the domain and subdomains part of the URL are in black font and the sub-directories and page resource are in grey font:

Shortened URLs

Shortened URLs have become much more popular because of Twitter – it’s a method of reducing a long (regular) URL into a shortened version of usually 10-20 characters. However, because of the condensed URL, it’s not possible to determine the actual address of the link. In this case, it would be wise to copy the shortened URL and validate it with a URL expander website, such as checkshorturl.com or unfurlr.com or unshorten.it.

It’s a minefield out there. Attackers are constantly phishing for their next victim. Be vigilant, beware of what you click, surf safe.

Sources:

https://blog.barkly.com/phishing-statistics-2016