Its day twenty one of Cyber Security Awareness month and today is Understanding Online Threats.
My main function in life is the security of kit with plugs on. Application security I leave to a different bread of people. However, I have learnt one application security mantra over the years and it fits into todays theme perfectly - In the client / server model - Never Trust The Client.
In an ever increasingly hostile online world, how do you do business with what could be a hostile client, which could be your PC, or the PC of one of your customers.
In the last few days, I've read some amazing tips presented around how to perform authentication. A lot of these are targeted at preventing phishing fraud. Phishing, for those recently returned from a distant planet, is the collection and fraudulent use of credentials to make money. During my day job with a financial institution I have experienced a wide and varied methods used by organised phishing gangs. Probably the most prolific of those in wide spread use is Rock Phish, and it is a good example to gain an understanding of the scale of the problem. Check out f-secure's blog entry, they have a video (here) which shows some of the numerous online banking sites being targeted.
The principal a phisher uses is the time delay between the fraud being performed, and the fraud being detected. This attack method is made more effective by the length of time it takes to take down a phishing web site and as we've seen Rock Phish has increased the effectiveness by increasing the number of web sites being hosted at any one time. Supporting this is a huge organised crime subsystem to get the money into the hands of the bad guys. So, as a user of online banking, auction house, etc, always look for unexpected information. Does the web site show the date of last log in, does it tally with your activities? If not, contact their customer help desk and have your account checked.
Customer education is the first line of defense in the fight against phishing. Teaching your customers not to expect e-mails from your organization ever requesting your credentials is paramount. CyLab have recently released an anti phishing educational game, check it out here .
Phishing often uses URL Obfuscation techniques to make that link you click on all that more real. Ed Skoudis compiled a list of techniques often used by phishers and it is hosted here at the ISC. The page is here and the source code of the attack techniques here
To get over this threat, the use of modern browsers with built in rogue site detection or add on toolbars which alert users to potential phishing sites should be considered. But be careful about how you recommend your customer base to do this, as the phishers could jump on your "download and install now!" bandwagon to distribute trojans. Communication of this sort is only recommended once the customer has authenticated to you, and equally that you have authenticated to them. There are a few examinations of this sort of technology on the web, such as CERT's report .
However, Phishing needs the banks customer to give away their credentials, and customers are becoming more aware of the dangers. So the fraudsters are moving to trojans, and to other areas to cast their phishing nets. The area's of the Internet that phishers are covering is colossal, from Banking, to identify theft, from auction sites, to online gaming, any where a credential is used, and money can be made, phishers are targeting. There will be more on online gaming safety later in the month.
In the financial world, trojans are the 'soup de jour'. If your system has been infected with a modern banking trojan it is game over, it is often safer to format, and reinstall. The trojans are now so advanced as to render what you see through your browser as totally unbelievable.
To protect yourself against this sort of threat, have a good antivirus product installed and update signatures daily, make sure you are patched, and that you are running an effective firewall product. Check with your bank, some of them are giving away AV/Firewall products so you might not even have to buy one. Look back through the last few days to get tips on how to configure your operating system of choice.
The move from username and password authentication to two-factor authentication is underway, some banks and organisations such as e-bay . There are multiple standards in play here, and we will all - maybe in the short term - end up with multiple tokens to use to authenticate as your bank, and your auction site may use different technologies. If your financial organisation of choice uses such two factor authentication for log on, but not for marking your transactions to third parties as valid, then trojans are an active threat to any transactions you make.
How do you protect your online commerce? What steps do you take to protect yourself from the bad guys online? What do you tell you family members and friend to do to stay safe online? Send your suggestions to us here and we may put your idea up in lights.
Ray sent in the following tips:
I stress to my friends and relatives to unwaveringly adhere to the following rules:
- Never respond to unsolicited emails regardless how authentic the email appears.
- Never click on a provided url or dial a provided telephone number. Ever.
- If you think an unsolicited email may be authentic then contact that organization through a previously established communications channel. This could be from a phone number off a bill or contact information from their website (but the website access has to be made from a new browser window using a saved Favorites link that YOU previously established).