Tag Archives: security

Phishing for beginners – Image #133


This originally appeared over at http://easycyber.net and I thought it would be worth providing this beginner’s guide here.  I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics. Let’s start at the beginning though.

Phishing

Most people with email will have received a phishing email at some point. Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or to one which will download and install malware, or something like that; or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about. These types of attack are relatively simple and unsophisticated. They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.

Spear Phishing

This type of attack is a bit more sophisticated. It follows the same sort of approach as above, but focuses on specific individuals. These emails typically include your name and may also include a little bit of information about you, and will likely be more targeted around some of your likes and interests. Because they are specifically directed at you, and you are the prey, you become the fish that the bad guys try to get without looking at others around you: hence “spear phishing”.

Whaling

This is really just a version of Spear Phishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point). As these are the big fish, you can imagine that these are the biggest prize. Typically the bad guys try to get their hands on large sums of money, and the attack may involve more skilful techniques like phoning an employee in finance (a technique sometimes called voice phishing, or vishing) and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill. Who queries the boss, right? This type of attack is definitely on the increase.

So how do you protect yourself from these sorts of attack? The following tips may help:

  • If it seems too good to be true, it probably is
  • Don’t click on unknown links in email
  • Don’t reply to messages from people you don’t know
  • If at work you get an email from senior management which, e.g., doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
  • Be vigilant – phishing and related attacks are on the increase

Good Tweetment – Image #132


A while back I posted about the difficulties I had in “getting” Twitter. I also posted about having created a new account fairly recently.  Since then I think I’ve made more of a concerted effort to use it and have noticed a couple of things:

  • the more you post, the more retweets and followers you seem to get
  • the best time to post seems to be on a Sunday evening
  • people add you to groups without you asking – and I don’t know how to get out of them!
  • I’m really bad at using hashtags

Does that mean that there are loads of people gearing up for work for the week by checking the world of Twitter with their Sunday dinner?  Is it a way of easing ourselves gently in?   Is this how we’re evolving?  And why is it that I seem to need about 5 more letters in my posts than I’m allowed?  lol

New Security Blog – Image #122


As I’ve mentioned before, I will shortly be starting a new job. I’ve decided to make use of the free time before I start to set up a more professional web presence, which includes a new Twitter account and a new blog site. If you’re interested in Information Security matters and want to know more, but get confused by all the jargon being used these days, please check out https://easycyber.net and follow it.

SPOILER ALERT – I’ve copied some of the posts from this site to the new one, just to get things started lol. There will be lots more to come over time.

Certification – what does it mean? Image #75

I’ve told you I used to work in IT, right?  And now I work in security.  Across both disciplines, and in much of life, there’s a lot of pressure and in some cases kudos to be obtained by becoming certified in one thing or another.  I just heard today that I can now add another bunch of letters after my name professionally, which is great, but what does it all mean?

[image: Dilbert cartoon]

The cartoon above is one of my favourite Dilbert cartoons. (I know, Dilbert is geeky and to have a favourite must mean I’m uber-geeky, but that’s the way the bits flow.) And it brings to mind a brilliant example which might have been the root of the cartoon.

In one of our offices one day, this guy came up to me (I was in management at the time) and said “I’ve just passed both the Novell (now you know how long ago this was) and Microsoft certifications. I want a 30% pay rise or I’m leaving.” I told him I’d find out what we could do for him and sent him on his way. Fast forward a day or two, and the same guy called me up.  He wanted to know how to do something with a network card on a system he was working on. I asked him why he didn’t know, as I knew for a fact that it was something covered on both of his certifications in their basic classes – because I’d done them both.  He didn’t have an answer, didn’t get his raise and didn’t stay with the company for long.

I guess the moral of that little story is, in my experience, having a bit of paper to say you can do something is not as valuable as having spent the time doing the things the paper said you were qualified to do.  I’d choose an experienced professional ahead of a well qualified one any day.

Oh, and the certification I won today?  I had to be able to demonstrate at least 5 years experience in a number of different security related disciplines.  Qualified AND experienced? You bet!

Patching – what’s all the fuss about?

I suppose this falls under Security 101, one of the most basic things we’re all encouraged to do with our technology, but there’s always a reason to postpone it:

  • My machine slows down while it’s downloading the latest patches
  • I’m worried that things won’t work afterwards
  • I keep having to reboot my machine, sometimes several times during one set of updates
  • I’m busy just now, can I not just do it later?
  • I don’t use the Internet much, so my device can’t be infected
  • I’m not using Microsoft, so there’s no need to patch
  • …and, well, you know how it goes on…

I’m sure you’ve got your own versions of these, but the point is that these are all just excuses for something that should just be part of your normal experience – in my opinion.

Should we patch absolutely everything? I.e. should we install all updates for all products as soon as they’re available? No, I don’t think so. We should base our patching strategy on a risk assessment. If you find out about a patch for one software programme – let’s say Microsoft PowerPoint – but don’t have PowerPoint on your device, do you need to apply that patch? Not if it only addresses vulnerabilities in PowerPoint, as your device doesn’t have that vulnerability. But if the patch also covers other packages which you do have installed, e.g. Excel, then yes, you should.

Why am I picking on Microsoft? Just in order to use program names that we’re most likely to be familiar with. The same principles apply equally to other vendors and other software packages. Software has vulnerabilities; it’s inevitable. If there are none on the day it is released, someone somewhere will find some soon afterwards. And the more valuable the data you access through the software, the more likely someone is to try to create an exploit for that vulnerability.

In my opinion, you should patch regularly, i.e. keep patches up to date. Apart from anything else, this lessens the amount of time spent downloading updates, as you’re keeping on top of things (in many respects, the same goes for antivirus updates too). Patch what you have to, but if, e.g., the patch is for a Mac and you’re using Linux, why apply a Mac patch, unless the patch also applies to Linux devices?

Not using the Internet often is no protection either. The only truly secure device (from Internet attack anyway) is one which does not have any form of external interface (wifi, wired, serial cable, whatever) and which is never connected. Some well known legitimate websites have been targeted and have had malicious code embedded in them, infecting users who are only browsing (because no software is totally secure, right?). Botnets are out there looking (in an automated way) for vulnerable machines, so you only need to connect once to run the risk of infection. It’s a bit like contraception – if you don’t ever have sex, you’re unlikely to get pregnant, but do it just once without any form of protection and pregnancy is a very real risk.

If you’re only looking at your personal / home PC / laptop / tablet etc., then you’re unlikely to have a test environment. This is the best place to try out new patches, but if you’re a home user then you probably don’t have the luxury of testing things there. In any event, it’s notoriously difficult to configure your test environment to exactly match your real, live environment, down to version numbers of DLLs and other components, so you’re probably just testing in a representation of your live environment and there will still be some risk when you deploy for real. So what should you do?

This is where having a good, robust (and tested) backup regime comes in. More on that in a future post, so watch this space…