Basic Email and Web Security - Center for Excellence in ...
Agenda
“The Internet is a bad neighborhood.”
How did I get here?
Why people are so easily tricked
Characteristics of scam emails – things to look for and tools to help
Can I open this attachment?
Can I click on this link?
Q&A
How did I get here?
- Lakewood High School – Math focus
- Cal Poly SLO University – Computer Science
- Internship at IBM
- Permanent positions with IBM, Cisco, YAGO, Cabletron, and a few more
- Software Engineer in Networking
- Director of Service and Support
- Back to Engineering!
Day of a software security engineer:
- Lots of coordination
- Planning and validating
- Meetings
- Coding
- Metrics and presentations
Security is a continuously evolving field: today’s latest hacks are common tomorrow. For security software engineers, software engineering is the first step. Make sure they do at least one internship – they will learn an amazing amount and understand what the work is like.
Real K-State Federal Credit Union web site
Fake K-State Federal Credit Union web site used in spear phishing scam
Spear phishing scam received by K-Staters in January 2010
“Phishing” scams try to trick you into providing private information, like a password or bank account info. “Spear phishing” targets a specific population – in this case, K-State email users.
The malicious link in the email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which will steal your eID and password if you enter them and “Sign in”. Note the URL highlighted in red – “flushandfloose.nl”, which is obviously not k-state.edu.
Real SSO web page
Fake SSO web page
Real SSO web page – note “https”
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – use the eID verification badge to validate
Fake SSO web page
Result of clicking on the eID verification badge on a legitimate K-State web site that uses the eID and password for authentication
Most Effective Spear Phishing Scam
How to identify a scam
General principles:
Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
Use common sense and logic – if it’s too good to be true, it probably is.
Think before you click – many have fallen victim due to a hasty reply
Be paranoid
Don’t be timid about asking for help from your IT support person or the IT Help Desk
Characteristics of scam email:
Poor grammar and spelling
The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
It asks for private information like a password or account number
The message contains a link where the displayed address differs from the actual web address
It is unexpected (you weren’t expecting Joe to send you an attachment)
Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed only “Webmail administrator”
Beware of scams following major news events or natural disasters (e.g., requests for donations after Hurricane Katrina that mimicked a Red Cross web site)
Seasonal scams, like special Christmas offers or IRS scams in the spring during tax season
Scams take advantage of epidemics or health scares, like the H1N1 scam last year
They often pose as a legitimate entity – PayPal, banks, the FBI, the IRS, Wal*Mart, Microsoft, etc.
If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious
Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
Useful sources of information
Google – search for unique phrase in the suspected scam to see what others are reporting about it
Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
K-State’s IT security web site updated regularly SecureIT.k-state.edu
Current threats and spear phishing scams posted on K-State’s IT threats blog threats.itsecurity.k-state.edu/
Evaluating attachments
Don’t open email attachments you were not expecting:
- From someone you do not know
- From someone you know, but weren’t expecting them to send you a file (infected computers can send malicious emails from the owner of the computer to everyone in their email address book)
This is especially true if the content of the email message is brief, vague, and/or unusual
Ignore or delete it if it’s not expected or important; it is not worth the risk of opening it and infecting your computer
Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
If there’s any reason to believe it might be legitimate, validate the attachment before opening it:
- Contact the sender and ask if it is legit
- Ask your IT support person or the IT Help Desk
- Test it with antivirus software to see if it is a known malicious program
What can we do?
Remember - Hallmark, amazon.com, Twitter, etc. do not send information or instructions in attachments
Don’t open an attachment unless you are expecting it and have verified it with the sender
Analyze attachments before opening them
Think before you click
Be paranoid!
Malicious links/sites – to click or not to click, that is the question.
Malicious advertisements
Drive-by Download (don’t even have to click!)
Search engines tricked to present malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning)
Web Browsing Threats
Can I click on this?
Watch for a displayed URL (web address) that does not match the actual one:
- displayed: http://update.microsoft.com/microsoftupdate
- actual: http://64.208.28.197/ldr.exe
Beware of a link that executes a program (like ldr.exe above)
Avoid numeric IP addresses in the URL, e.g. http://168.234.153.90/include/index.html
Watch for legitimate domain names embedded in an illegitimate one, e.g. http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below):
- From: Capital One bank <[email protected]>
- URL in message body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
IE8 highlights the actual domain name to help you identify the true source. Here’s a web address from an IRS scam email that’s actually hosted in Pakistan:
Beware of domains from unexpected foreign countries:
- Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
- Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
- Lithuania: http://kateka.lt/~galaxy/card.exe
- Hungary: http://mail.grosz.hu/walmart/survey/
- Romania: http://www.hostinglinux.ro/
- Russia: http://mpo3do.chat.ru/thanks.html
MANY scams originate in China (country code = .cn)
Country code definitions available at: www.iana.org/domains/root/db/index.html
Watch for malicious URLs cloaked by URL shortening services like:
- TinyURL.com
- Bit.ly
- CloakedLink.com
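The link checks on the preceding slides (displayed vs. actual address, links to programs, numeric IP hosts, a real brand buried inside another domain, unexpected country codes, and shorteners) can be applied mechanically to a link before anyone clicks it. The checker below is an added example, not a tool from the presentation or from K-State; the brand list, the set of "expected" top-level domains and the executable extensions are assumptions chosen for the demo.

```python
import re
from urllib.parse import urlparse

# Assumed lists for this demo (not from the presentation): trusted brand domains,
# the shorteners named on the slides, TLDs a US reader would normally expect,
# and file extensions that run as programs when opened.
BRANDS = {"microsoft.com", "capitalone.com", "capitalonebank.com", "irs.gov",
          "k-state.edu", "ksu.edu"}
SHORTENERS = {"tinyurl.com", "bit.ly", "cloakedlink.com"}
HOME_TLDS = {"com", "net", "org", "edu", "gov"}
EXEC_EXT = (".exe", ".scr", ".bat", ".pif")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def registered_domain(host: str) -> str:
    """Crude 'name.tld' extraction from a host (no public-suffix list used)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def assess_link(displayed: str, actual: str) -> list[str]:
    """Return the slide-deck warning signs that apply to one link; [] means none found."""
    flags = []
    real = urlparse(actual)
    host = (real.hostname or "").lower()
    # 1. The text shown to the reader names a different site than the real href.
    if re.search(r"[\w-]\.[a-z]", displayed, re.I):     # displayed text looks like an address
        shown = urlparse(displayed if "://" in displayed else "http://" + displayed)
        if (shown.hostname or "") != host:
            flags.append("displayed address differs from actual address")
    # 2. The link fetches a program rather than a page.
    if real.path.lower().endswith(EXEC_EXT):
        flags.append("link downloads/executes a program")
    # 3. A raw IP address instead of a domain name.
    if IPV4.fullmatch(host):
        flags.append("numeric IP address instead of a domain name")
    # 4. A trusted brand appears as a subdomain or path of some other registered domain.
    reg = registered_domain(host)
    if reg not in BRANDS and any(b in host + real.path.lower() for b in BRANDS):
        flags.append("legitimate domain name embedded in an illegitimate one")
    # 5. Top-level domain is a country code the reader has no reason to expect.
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld and not tld.isdigit() and tld not in HOME_TLDS:
        flags.append(f"unexpected country-code domain .{tld}")
    # 6. A shortener hides the real destination; preview it before visiting.
    if reg in SHORTENERS:
        flags.append("URL shortener hides the real destination")
    return flags
```

Running it on the Microsoft Update example from the slides returns three flags at once (mismatch, program download, numeric IP), which is the kind of link that should be reported rather than clicked.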
TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See tinyurl.com/preview.php to enable it in your browser (it sets a cookie).
Bit.ly has a Firefox add-on to preview shortened links: addons.mozilla.org/en-US/firefox/addon/10297
It also warns you if the site appears to be malicious:
Malicious Advertisements
It isn’t just the NY Times… also ratemyprofessors.com (!!), and:
- msnbc.msn.com
- health.msn.com
- music.msn.com
- astrology.msn.com
- realestate.msn.com
- usatoday.com
- cnbc.com
- digg.com
- mail.live.com
- addictinggames.com
- foxsports.com
- hollywoodreporter.com
These legitimate sites are not in cahoots with the criminals; they’re just not careful enough in screening ads from third-party ad networks
Drive-by Downloads
The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without your knowing it.
Symantec claims every one of the top 100 websites in the world has served up malicious code at some point
JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF Reader, Java, or Flash… or all three; this is why a tool like NoScript or something that blocks ads is effective
Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – they make you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100, and they steal your credit card information as well
Drive-by downloads can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …
Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at virustotal.com before launching
Prevention: keep Adobe Reader, Flash, and Java updated with the latest security patches
What’s a feller to do?
If you’re not scared by now, then I’m worried about you and I pity your IT support person
Conclusion
There’s no way to be 100% secure surfing the web these days
Use multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate yourself)
These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate
Think before you click!
What’s on your mind?