posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then making not life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.


  • (Score: 5, Insightful) by DannyB on Tuesday August 20 2019, @06:18PM (16 children)

    by DannyB (5839) Subscriber Badge on Tuesday August 20 2019, @06:18PM (#882708) Journal

    Don't allow directly executable attachments. Warn users of them. Sandbox them. Scan them first.

    It seems a neverending war, but make file formats, or rather the programs that parse them, more secure. It should not be possible to cause Word or some video player to execute code by manipulating the data file. If someone opens a PDF, it should not cause their system to become infected.

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    Try to educate users. People need to be less gullible. And not just around computers. In all areas of life. Voting. Classrooms. When opening paper snail mail. (see Sharknado 6! [youtube.com] Based on the Incredible True Story! Tornadoes pick up sharks, bring them inland and drop them where they can attack people! Sharks move incredibly fast along the ground! These sharks even attacked the T-Rex! I know because I saw it by clicking the link to the trailer for the movie!)

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 4, Insightful) by AthanasiusKircher on Tuesday August 20 2019, @06:31PM (7 children)

    by AthanasiusKircher (5291) on Tuesday August 20 2019, @06:31PM (#882715) Journal

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    Indeed. This is the most significant thing. I worked for an institution a few years back where someone in the finance office received emails that appeared to come from one of the top administrative officers at the institution, ultimately requesting a wire. Luckily someone there said, "Huh -- we don't usually wire money this way" and asked questions before executing the order. Point is that the email address was spoofed, but the server it came from was wrong, which should have led to a red flag. But no one would know that unless they look at the email headers, or have something to flag such emails.

    To respond to one other thing in TFS:

    This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.

    Uh, why not just say, "I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first."

    I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above.

    • (Score: 2) by vux984 on Tuesday August 20 2019, @07:42PM (6 children)

      by vux984 (5045) on Tuesday August 20 2019, @07:42PM (#882747)

      You should always be able to accept / reject mail claiming to be from your own domain. This is what DKIM and SPF are good for. It doesn't help you if it's an "almost spoof" though...

      if you are john@fishco.com and someone sends a fully and properly SPF And DKIM secured message from john@FlSHCO.com you'll never catch it automatically. If you want to stop wire-fraud scams, you need clear and well communicated policy on authorizing wire transfers.

      "Uh, why not just say, "I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first."

      It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

      "I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above."

      It's happened to me several times; I wouldn't say it's common, but it definitely happens. I think on the whole companies are getting better but even if they never did it the scammers would keep on because people would still fall for it.

      • (Score: 2) by vux984 on Wednesday August 21 2019, @12:04AM (1 child)

        by vux984 (5045) on Wednesday August 21 2019, @12:04AM (#882866)

        Today I got hit with another microsoft tech support scam call... with a new angle. This one was claiming I was owed a refund for the microsoft technical support services because the government ordered them to shut it down. ... blah blah blah going to creditcard/bank information whatever.

        Nobody savvy is going to fall for this, but the uninformed will. I'm kind of impressed really that they've taken negative news coverage of their own scam tactics and are leveraging that to bolster the credibility of this new scam.

        Some poor sap who isn't really following along is still going to have seen talking heads on the news and headlines in the paper or whatever about microsoft tech support scams and that they are illegal etc, and without a finer appreciation for the details could well believe that the last computer they bought had a microsoft technical support surcharge on it that microsoft now has to refund them or something... 'they even heard something about that in the news' right? so it must be true!

        • (Score: 2) by DannyB on Wednesday August 21 2019, @03:05PM

          by DannyB (5839) Subscriber Badge on Wednesday August 21 2019, @03:05PM (#883159) Journal

          Nobody savvy is going to fall for this, but the uninformed will.

          The greedy will fall for it. Even if they are savvy. Their greed will override their logic and any ability to be skeptical.

          --
          The lower I set my standards the more accomplishments I have.
      • (Score: 2) by AthanasiusKircher on Wednesday August 21 2019, @12:18AM (1 child)

        by AthanasiusKircher (5291) on Wednesday August 21 2019, @12:18AM (#882871) Journal

        It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

        What's your solution then? It's fine to complain about imperfect ones, but do you have something better?

        Because I don't think there is really one if people are freely allowed to make phone calls in a society. Sure, there are efforts to cut down on spam calls now (and we should try that), but that will never stop all scammers. I remember my grandmother getting scam calls 30 years ago. I also remember a scamming salesman coming to her door even longer ago than that. Scams are nothing new, and if you get rid of one form of it, scammers will try a different one.

        I don't really know why anyone would give ANYONE personal information upon request, unless they had a specific need for it. I've been to stores in the past decade that will ring my purchases up at the register and say, "Can I get your phone number?" I simply say, "No." Usually it causes them to look up in slight surprise, because I'm not impolite about it, but I'm also quite blunt. "Well, can I get an email?" "No." "Can I have your ZIP code?" "No." "Sir, our system just requires me to enter..." At that point, if I'm buying an item I can easily get elsewhere, I often just say, "Nevermind. I'll go somewhere that doesn't need my complete biography in order to sell me a lightbulb. Thank you," and leave. If I really just want to make the purchase, I'll just say, "Well, I'll give you a fake ZIP code." And usually the clerk is just happy to accept it.

        Similarly, many websites ask for all sorts of personal info for no apparent reason to sign up or register or whatever. I'm not giving them any personal information. If I'm making a purchase and they need to verify my payment address and phone number, I'll enter it then, but short of that, nobody gets my personal data. You want a birthday? I'll give you a fake one. You want my address? I'll give you a fake one. I have a few I use regularly for these situations, so if I'm ever asked again, I can guess what it was. You want an email? I'll give you a fake one, unless you need a confirmation to let me use your page, in which case I'll give you my spam email account that I never check except to establish those sorts of accounts.

        So, some random person calls you on the phone and starts asking you for personal information? Why the hell would you give it to them? I don't give it to ANYONE unless it's really necessary. (E.g., I have an established business relationship, and *I* made the contact. Or I am trying to establish an ongoing business relationship that requires such information.)

        Honestly, kids should be taught this from an early age. Elderly people likely have encountered scammers at some point in their lives, but if they've become gullible or unfamiliar with novel types of scams, they just need to be told not to give out any information to anyone who asks unless they made the contact themselves. If they can't do that, they need to have limited telephone access (keeping outgoing calls for emergencies, but screening incoming), or perhaps even live-in help. Just like children who aren't aware enough of scams, the elderly need assistance and watching. If you have another solution, we're all ears.

        • (Score: 2) by vux984 on Wednesday August 21 2019, @03:42AM

          by vux984 (5045) on Wednesday August 21 2019, @03:42AM (#882942)

          "What's your solution then?"

          I agree there isn't a solution. You can't fix stupid.

          But I do think fixing caller id properly would go a long way.
          - Don't let people generate numbers at will en masse, that have no bearing to reality, and spoof numbers that don't belong to them.
          - Local numbers belong to entities within the country. Telcos should know who is using what numbers, and enforce validation before letting a number through.
          - Give people the tools to block them / report them. If I get a spam call claiming to be a number from inside the US, the caller ID should be traceable back to a US entity that's responsible for knowing who is making calls with that number, and taking responsibility for what their customers do. (e.g. cut service)
          - Show true call origin information. If the connection is coming from India then that should be made known. If they are 'proxying' through a US forwarder so it looks like it's coming from the US, fine, but then see the point immediately above.

          You also had a good idea.
          - provide inexpensive call screening to all customers or even build it into basic services, or free if you are over 65. Really, how many people call my grandmother?? A handful of friends and family members who would rapidly have their numbers whitelisted, and then everything else goes to a professional reception service that screens calls, manages whitelisting, and then connects people -- even offering a short introduction/warning prior to connecting and staying on the call for a minute or two. Major utilities and services could register their registered call out numbers for whitelisting in advance. Local businesses that generate a lot of calls out -- dentist appointment reminders, carpet installers etc, could register to be whitelisted locally or whatever, etc.

          So most legit calls wouldn't need interaction. With all that in place human screeners would only need to be involved in exceptional cases -- family checking in on grandma from a hotel in Bangladesh or a payphone in Florida; and a couple bucks on your monthly bill would cover that.

          Hell... if the incoming call isn't whitelisted, the caller pays 25 cents before connecting. With all above in place, you might not even need human screeners -- simply charging suspicious callers ought to ruin the economics of mass-robodialing for victims. Worried about scammers stealing someone's phone service and using it to mass call... default to a $2/month suspicious call limit at which point you need to call customer service to authorize increasing it. So a stolen phone service is good for 8 calls.

          There isn't a single good reason this stuff can't be done.

      • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:02AM (1 child)

        by Anonymous Coward on Wednesday August 21 2019, @07:02AM (#883001)

        if you are john@fishco.com and someone sends a fully and properly SPF And DKIM secured message from john@FlSHCO.com you'll never catch it automatically

        Huh? Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside). That means e-mails from inside fishco.com should never be routed through the outside MTA unless coming from inside. You can, and should, have a spam rule in place to flag local domains coming from the outside interface.

        • (Score: 2) by vux984 on Wednesday August 21 2019, @05:14PM

          by vux984 (5045) on Wednesday August 21 2019, @05:14PM (#883231)

          "You can, and should, have a spam rule in place to flag local domains coming from the outside interface."

          john@FlSHCO.COM is not a local domain. The l is a lowercase L, so it's really john@FLSHCO.COM.

          What spam rule would you have in place to flag a message that properly passes SPF and DKIM for FLSHCO.COM, an external domain coming from the external interface??

          "Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside)."

          You also don't really need this if you have SPF and DKIM/DMARC set up. Instead of a spam rule flagging local domains from the outside interface you publish a DMARC reject policy. At that point someone trying to spoof your headers would be caught and rejected because it lacked the signatures. It's actually a better solution because someone trying to spoof email as coming from you and sending to a 3rd party also gets rejected: if the 3rd party is checking DMARC policy they'll see that it's not signed properly and that your domain policy says to reject it if it's not signed.

          There's not really much advantage to the layout you've described but there's certainly no harm in it as 2nd layer -- defense in depth is impossible to criticize.
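The two checks argued over in this thread, as an added example that is not from any of the posters: the AC's rule that mail claiming the local domain must never arrive on the outside MTA, and a look-alike ("cousin") domain check for the FlSHCO.com case that SPF and DKIM can never catch because they pass for the cousin itself. The local domain, the confusable map and the message fields are assumptions for the example.

```python
"""Inbound-mail triage for the two cases argued in the thread:
(1) mail claiming the local domain that arrives on the outside MTA, and
(2) a look-alike domain such as FlSHCO.com (lowercase L) that passes SPF
    and DKIM for itself and so is never caught by them.
Added example, not from the thread; the message record is constructed."""
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = "fishco.com"  # assumed: our own domain

# Assumed confusable map used to normalise a domain before comparison.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters: 'flshco' -> 'fishco'."""
    d = domain.lower()
    for src, dst in PAIRS:
        d = d.replace(src, dst)
    return d.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin(domain: str, local: str = LOCAL_DOMAIN) -> bool:
    """True when domain is not local but looks like it (confusables or one edit)."""
    if domain.lower() == local:
        return False
    s, t = skeleton(domain), skeleton(local)
    if s == t:
        return True
    # Compare the first label only, so fishc0.com and fishco.co both flag.
    return edit_distance(s.split(".")[0], t.split(".")[0]) <= 1


@dataclass
class Inbound:
    from_domain: str              # domain of the RFC 5322 From: header
    interface: str                # "outside" (Internet-facing MTA) or "inside"
    spf_domain: Optional[str]     # domain for which SPF returned pass, else None
    dkim_domain: Optional[str]    # d= of a valid DKIM signature, else None


def triage(msg: Inbound, local: str = LOCAL_DOMAIN) -> str:
    dom = msg.from_domain.lower()
    if dom == local:
        if msg.interface == "outside":
            # The AC's rule: our own domain never enters via the outside MTA.
            return "reject: local domain on outside interface"
        return "deliver"
    # DMARC-style strict alignment: SPF or DKIM must pass for the From: domain.
    aligned = (msg.spf_domain or "").lower() == dom or (msg.dkim_domain or "").lower() == dom
    if not aligned:
        return "quarantine: unauthenticated external sender"
    if is_cousin(dom, local):
        # Fully SPF/DKIM-valid for itself, exactly vux984's "almost spoof".
        return "quarantine: look-alike of local domain"
    return "deliver: external (flag [EXTERNAL])"


if __name__ == "__main__":
    print(triage(Inbound("FlSHCO.com", "outside", "flshco.com", "flshco.com")))
```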

  • (Score: 3, Informative) by edIII on Tuesday August 20 2019, @09:29PM (4 children)

    by edIII (791) on Tuesday August 20 2019, @09:29PM (#882793)

    Nope. There are FOUR: SPF, DKIM, DMARC, and encryption. The 5th method hasn't been implemented yet, and that is email user interfaces actually showing the provenance of the email.

    -- SPF is super fucking easy. Anybody that says otherwise is a literal IT retard. So many tools out there to assist you, and it's a simple TXT record in the DNS. It's also not used correctly. I'm guessing that 90% or higher of SPF records specify a "soft" response, or in other words, "even if it's bad let it through". That was for the early days when debugging was required, and at this point it should be retired with a "fail". Email servers and MTAs have had more than enough time to adjust to SPF usage. More than enough time. We should be using SPF to white list our approved MTAs, and if an email doesn't come from an approved source, the recipient MTA should send the fucker to /dev/null. THIS ALONE WOULD HELP IMMENSELY. If properly implemented, attacks would have to originate from approved IP addresses, which means in order to spoof somebody the attackers have to compromise a different target's DNS and/or MTAs.

    -- DKIM is also fairly painless. There are tools to set it up, and it requires a DNS TXT record like SPF. Once it is in place, it allows actual authentication of the email by using information in the headers and a public key available from DNS.

    -- DMARC is somewhat new. You could be forgiven for not having one yet. That being said, DMARC helps coordinate usage of SPF and DKIM with defined policies of what to do when DKIM fails. It's another way for a corporation to define policies that receiving entities can use to help authenticate and route emails.

    -- Encryption. This one is also stupid simple, while also being almost entirely unused in the real world. Which is a shame. Important contacts between corporations could easily be encrypted in such a way that a spoofer/phisher has exactly ZERO chance of success. End-to-End encryption, if supported in email, would allow two parties to easily prevent all kinds of mischief. Yet for various reasons this is precluded, not in the least by data retention laws and monitoring of employees. However, it's entirely possible to create a workable platform that allows key escrow within corporations.

    Lastly, provenance. The vast majority of email users never even see headers, or understand that they're the "envelope". There should be an easy to see and understand provenance of the email. From the start of the chain, to the end of the chain, with security status for SPF, DKIM, and DMARC. If the email address is different (cousin domains), or SPF fails, or any critical rule is broken, the email is NOT RENDERED. If the "envelope" fails and provenance proves to be shit, then the contents should be immediately quarantined and forwarded to the sysadmin.

    Finally, the fact that most people just give up and use the big email providers is one of the biggest problems we face in email security. Google just doesn't give a fuck. They've dragged their asses on SPF, DKIM, and DMARC. So much so, that recent attack vectors and phishing campaigns have begun using security flaws within Google and Microsoft to send emails from systems that actually can pass SPF and DKIM (signed by Google/Microsoft). Regardless of how bad the major players are, they're still impossible to blacklist. You can't just tell a user that your email server accepts no emails from Google, although as a sysadmin, that's the very first thing I would do.

    Securing email isn't impossible. We actually have the tech to do it. Beyond that, we should be moving to an entirely new system anyways. Email is horrific for data transfers (base64 conversion) and just plain outdated.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
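The two record-level weaknesses this post calls out, soft-fail SPF ("even if it's bad let it through") and a DMARC policy that only monitors, checked by a small auditor. This is an added example, not the poster's or any project's code; the records it parses are constructed samples and the mechanism names are those defined in RFC 7208 / RFC 7489.

```python
"""Audit the two DNS TXT records the post leans on: an SPF record whose
'all' qualifier is still ~all (soft fail) and a DMARC record still at p=none.
Added example, not from the thread; the sample records below are constructed."""
from typing import Dict, List

# RFC 7208 caps DNS-lookup-causing terms at 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10


def audit_spf(record: str) -> Dict[str, object]:
    terms = record.strip().split()
    findings: List[str] = []
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    qualifier = None
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier, then the argument ("include:x", "redirect=x", "a/24").
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' term: unlisted senders are neutral, record is useless")
    elif qualifier == "+":
        findings.append("+all authorises every host on the Internet")
    elif qualifier in ("~", "?"):
        findings.append(f"{qualifier}all is soft/neutral: spoofed mail still gets through; use -all")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return {"valid": True, "all": qualifier, "lookups": lookups, "findings": findings}


def audit_dmarc(record: str) -> Dict[str, object]:
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record"]}
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors: receivers will still deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing you")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


if __name__ == "__main__":
    # Constructed records for a fictional fishco.com zone.
    for rec in ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all",
                "v=DMARC1; p=none; rua=mailto:dmarc@fishco.com"):
        result = audit_spf(rec) if rec.startswith("v=spf1") else audit_dmarc(rec)
        print(rec, "->", result["findings"])
```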
    • (Score: 1) by RandomFactor on Tuesday August 20 2019, @10:19PM (3 children)

      by RandomFactor (3682) Subscriber Badge on Tuesday August 20 2019, @10:19PM (#882821) Journal

      Haven't been paying attention. There anything actually going on regarding non repudiatable provenance?

      Maybe public key signing of headers or something? Or just PKI signing of the body or whatnot?

      --
      В «Правде» нет известий, в «Известиях» нет правды
      • (Score: 2) by edIII on Wednesday August 21 2019, @01:26AM (1 child)

        by edIII (791) on Wednesday August 21 2019, @01:26AM (#882894)

        regarding non repudiatable provenance?

        Not sure I understand you correctly, but this seems like the sending MTA having final say over actions in the receiving MTA. That's not possible, AFAIK. There are useful policies right now, but actions against the policies are always voluntarily followed by the receiving MTAs.

        DKIM does sign some of the header, but not all of it. Obviously, there are lot of hops email can go through. DKIM only affects the hop/domain it can sign for.

        Between two parties you can set up encrypted email, and that is more than signing the body of the email. It's full encryption of the email content.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 1) by RandomFactor on Wednesday August 21 2019, @02:04AM

          by RandomFactor (3682) Subscriber Badge on Wednesday August 21 2019, @02:04AM (#882910) Journal

          yeah, I don't think our words are matching up. That was...orthogonal.
           
          Rather than worry about it, I suspect we can both agree there's not much new in SMTPland.

          --
          В «Правде» нет известий, в «Известиях» нет правды
      • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @05:23AM

        by Anonymous Coward on Wednesday August 21 2019, @05:23AM (#882977)

        You could require S/MIME signatures to mail. Any entity on the chain of custody could sign the mail, this would include the sender and the sending MTA.

  • (Score: 3, Insightful) by RandomFactor on Tuesday August 20 2019, @09:46PM (2 children)

    by RandomFactor (3682) Subscriber Badge on Tuesday August 20 2019, @09:46PM (#882807) Journal

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    I've implemented this in various environments over the years.
    It's great if you've got the top level backing to make it stick properly and a user base that understands (or can be taught) the difference between 'outside the company' and 'malicious'
     
    However, there can be...issues...

    For example - your company has outsourced HR and Retirement and five different helpdesks and Sales and Distribution and Marketing and Communications and random unknown other critical functions to external systems.
    Go implement these dozens and dozens of exceptions for these unsecured and easily spoofable external email senders (and more as we go along) and also for these partners (or you are fired.)

    And of course if you do remove the flag/stamp/annotation for exceptions things get even cooler as then you get it from both sides - NOW your users and random managers are pissed because WTF? This came from outside and isn't flagged! Fix this, we need to be able to rely on the stamp.
     
    Hey YOU! Department X has told their workers to NEVER open anything flagged so you need to exempt from flagging everything outside they work with (no they didn't check with you first.)
    Hey YOU! Salespeople can't scan down through their emails on handhelds because the subject has your stupid stamp in the way.
    Hey YOU! The guard shack has to scroll down in emails on their handheld device because you put your dumb annotation at the top of the text.
    Hey YOU! Can you flag emails from this (DMARC P=none) company as "TRUSTED SENDER" somehow for us?
    Hey YOU! We brilliant devs, who know more about email security than you lot, did NOT set up our dozens of shadow IT AWS systems (that are now production) in SPF/DKIM/DMARC and yes we HAVE to use the primary company domain and no we can't change it.
    Hey YOU! Can you make it a highlighted stamp for us? You can? Great, can you do it in the subject?
    Hey YOU! We need a stamp, but it needs different wording. And make sure we don't get both. OH, so does this other division. And that one too. Can you do it in different languages for Europe?
    Hey YOU! These five different divisions have contracted with their own marketing deliverability firms. Add all these entries to your DMARC records (and we don't care how many the spec says can be in there)
    Hey YOU! We need emails to this system exempted because the stamp breaks email processing and we don't want to tweak (or can't even find to tweak) a few code lines.
    Hey YOU! Can you help me to carry a stone? 

    --
    В «Правде» нет известий, в «Известиях» нет правды
    • (Score: 2) by legont on Wednesday August 21 2019, @12:05AM

      by legont (4179) on Wednesday August 21 2019, @12:05AM (#882867)

      Yep, we have all this. I am getting a real phishing email and a couple of training attacks from security per week. And a list of quarantined emails has a few corporate's every week; self-prison is a bitch. This does not count a dozen or so per day that I simply delete as opposed to reading or reporting them.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 3, Insightful) by edIII on Wednesday August 21 2019, @02:43AM

      by edIII (791) on Wednesday August 21 2019, @02:43AM (#882919)

      I read all of that as, "the fuckers deserve it" :)

      You can bring a horse to water, but sometimes all you can do is drown the son of a bitch in it.

      --
      Technically, lunchtime is at any moment. It's just a wave function.