Basic and Web Security

Size: px

Start display at page:

Download "Basic and Web Security"

Linette Greene
5 years ago
Views:

Basic Email and Web Security September, 2015

1 Basic and Web Security September, 2015 Daniel Hegglin Security Officer

2 Agenda The Internet is a bad neighborhood. How did I get here? Why people are so easily tricked Characteristics of scam s things to look for and tools to help Can I open this attachment? Can I click on this link? Q&A 2

3 How did I get here? How did I get here? -Lakewood High School Math focus -Cal Poly SLO University - Computer Science -Internship IBM -Permanent with IBM, Cisco, YAGO, Cabletron, a few more -Software Engineer in Networking -Director of Service and Support -Back to Engineering! 3

4 How did I get here? Day of a software security engineer -Lots of coordination -Planning and validating -Meetings -Coding -Metrics and Presentations Security is a continuously evolving field. Today s latest hacks are common tomorrow. For security software engineers, software engineering is the first step. Make sure they do at least one internship they will learn amazing amounts and understand what it s like. 4

5 Real K-State Federal Credit Union web site Fake K-State Federal Credit Union web site used in spear phishing scam 5

6 Spear phishing scam received by K-Staters in January 2010 Phishing scams try to trick you into providing private Information, like a password or bank acct info. Spear phishing Targets a specific population in this case, K-State users. 6

The malicious link in the email took you to an exact replica of K-State s single sign-on web page hosted on a server in the Netherlands which

7 The malicious link in the took you to an exact replica of K-State s single sign-on web page hosted on a server in the Netherlands which will steal your eid and password if you enter it and Sign in. Note the URL highlighted in red flushandfloose.nl, which is obviously not k-state.edu 7

8 Fake SSO web page Real SSO web page 8

9 Fake SSO web page site not secure (http, not https) and hosted in the Netherlands (.nl) Real SSO web page note https 9

10 Fake SSO web page Real SSO web page Use the eid verification badge to validate 10

11 Result of clicking on eid verification badge on a legitimate K-State web site that uses the eid and password for authentication 11

12 Most Effective Spear Phishing Scam 12

13 Most Effective Spear Phishing Scam 13

14 Most Effective Spear Phishing Scam 14

15 How to identify a scam General principles: Neither IT support staff nor any legitimate business will EVER ask for your password in an !!! Use common sense and logic if it s too good to be true, it probably is. Think before you click many have fallen victim due to a hasty reply Be paranoid Don t be timid about asking for help from your IT support person or the IT Help Desk 15

16 How to identify a scam Characteristics of scam Poor grammar and spelling The Reply-to: or From: address is unfamiliar, or is not a ksu.edu or k-state.edu address Uses unfamiliar or inappropriate terms (like send your account information to the MAIL CONTROL UNIT ) It asks for private information like a password or account number The message contains a link where the displayed address differs from the actual web address It is unexpected (you weren t expecting Joe to send you an attachment) Does not provide explicit contact information (name, address, phone #) for you to verify the communication. Good example is spear phishing scam that tries to steal your eid password is signed Webmail administrator 16

17 How to identify a scam Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina asking for donations and mimicking a Red Cross web site) Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season They take advantage of epidemics or health scares, like H1N1 scam last year Often pose as legitimate entity PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc. If unsure, call the company to see if they sent it (we did this with recent from Manhattan Mercury) Hackers very good at imitating legitimate will use official logos, some links in the will work properly, but one link is malicious Many make sensational claims; remember to apply the common sense filter if it sounds too good to be true, it probably is 17

Useful sources of information Google search for unique phrase in the suspected scam to see what others are reporting about it Web sites of organization targeted by scams often have information, like

18 Useful sources of information Google search for unique phrase in the suspected scam to see what others are reporting about it Web sites of organization targeted by scams often have information, like the IRS Snopes to debunk/confirm hoaxes, rumors, and other urban legends snopes.com Teach yourself with Sonicwall s Phishing and Spam IQ Quiz K-State s IT security web site updated regularly SecureIT.k-state.edu Current threats and spear phishing scams posted on K- State s IT threats blog threats.itsecurity.k-state.edu/ 18

19 Evaluating attachments Don t open attachments you were not expecting From someone you do not know From someone you know, but weren t expecting them to send you a file (infected computers can send malicious s from the owner of the computer to everyone in their addressbook) This is especially true if the content of the message is brief, vague, and/or unusual 19

Evaluating attachments Ignore or delete it if it s not expected or important; not worth the risk of opening it and infecting your computer Beware of executable files embedded in.

20 Evaluating attachments Ignore or delete it if it s not expected or important; not worth the risk of opening it and infecting your computer Beware of executable files embedded in.zip attachments is a common way for hackers to send.exe files that would normally be deleted by systems If there s any reason to believe it might be legitimate, validate the attachment before opening it Contact the sender and ask if it is legit Ask your IT support person or the IT Help Desk Test it with antivirus software to see if it is a known malicious program 20

21 What can we do? Remember - Hallmark, amazon.com, Twitter, etc. do not send information or instructions in attachments Don t open attachment unless you are expecting it and have verified with sender Analyze attachments before opening them Think before you click Be paranoid! 21

22 Web Browsing Threats Malicious links/sites to click or not to click, that is the question. Malicious advertisements Drive-by Download (don t even have to click!) Search engines tricked to present malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning) 22

23 Can I click on this? Watch for displayed URL (web address) that does not match the actual displayed: actual: Beware of link that executes a program (like ldr.exe above) Avoid numeric IP addresses in the URL Watch for legitimate domain names embedded in an illegitimate one 23

Can I click on this? Beware of email supposedly from US companies with URLs that point to a non-us domain (Kyrgyzstan in example below) From: Capital One bank <cservice@capitalone.

24 Can I click on this? Beware of supposedly from US companies with URLs that point to a non-us domain (Kyrgyzstan in example below) From: Capital One bank <cservice@capitalone.com> URL in msg body: IE8 highlights the actual domain name to help you identify the true source. Here s a web address from an IRS scam that s actually hosted in Pakistan: 24

Can I click on this? Beware of domains from unexpected foreign countries Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/ Pakistan: http://static-host202-61-52-42.link.net.pk/irs.

25 Can I click on this? Beware of domains from unexpected foreign countries Kyrgyzstan: Pakistan: Lithuania: Hungary: Romania: Russia: MANY scams originate in China (country code =.cn) Country code definitions available at: 25

26 Can I click on this? Watch for malicious URLs cloaked by URL shortening services like: TinyURL.com Bit.ly CloakedLink.com 26

27 Can I click on this? TinyURL has a nice preview feature that allows you to see the real URL before going to the site. See tinyurl.com/preview.php to enable it in your browser (it sets a cookie) Bit.ly has a Firefox add-on to preview shortened links: addons.mozilla.org/en-us/firefox/addon/10297 It also warns you if the site appears to be malicious: 27

Malicious Advertisements Isn t just NY Times ratemyprofessors.com (!!) msnbc.msn.com health.msn.com music.msn.com astrology.msn.com realestate.msn.com usatoday.com cnbc.com digg.com mail.live.

28 Malicious Advertisements Isn t just NY Times ratemyprofessors.com (!!) msnbc.msn.com health.msn.com music.msn.com astrology.msn.com realestate.msn.com usatoday.com cnbc.com digg.com mail.live.com addictinggames.com foxsports.com hollywoodreporter.com These legitimate sites are not in cahoots with the criminals, they re just not careful enough in screening ads from third party ad networks 28

29 Drive-by Downloads The scary thing is you don t even have to click on anything just visiting a site with malicious code can initiate a download that installs malware on your computer without you knowing it. Symantec claims every one of the top 100 websites in the world have served up malicious code at some point JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF reader, Java, or Flash or all three; this is why a tool like NoScript or something that blocks ads is 29 effective

Drive-by Downloads Commonly used to promote fake antivirus software (aka scareware or extortionware ) make you believe your computer is infected with lots of malware, enticing the nervous user to

30 Drive-by Downloads Commonly used to promote fake antivirus software (aka scareware or extortionware ) make you believe your computer is infected with lots of malware, enticing the nervous user to Click Here to buy fake security software for $30-$100, plus they steal your credit card information Can be used to infect your computer with any malware keyloggers, Trojans, Torpig, Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at virustotal.com before launching Prevention is by keeping Adobe Reader, Flash, and Java updated with latest security patches 30

31 What s a feller to do? If you re not scared by now, then I m worried about you and I pity your IT support person 31

Conclusion There s no way to be 100% secure surfing the web these days Use multi-faceted approach to reduce your risk (browser security features, browser addons, Trend Micro security software,

32 Conclusion There s no way to be 100% secure surfing the web these days Use multi-faceted approach to reduce your risk (browser security features, browser addons, Trend Micro security software, educate yourself) These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today s hostile online climate Think before you click! 32

33 What s on your mind? 33

Dissecting Phishing Scams

Dissecting Phishing Scams IT Security Training April 13, 2011 Harvard Townsend Chief Information Security Officer harv@ksu.edu Agenda Definitions with examples What s the big deal? The numbers Phishing