Saturday, January 9, 2016

Phishing and browser security Jan 9, 2016

Interesting morning. It is a very Voggy day on Kauai so I am off to a slow start, was working on the SANS Boston 2016 program, and got a notification I received an email from a grad student team getting ready to work on the Ransom32 problem. They pointed out, "After conducting our initial research into the Ransom32 malware, we have some questions regarding the scope of the assignment. While the published articles we have read suggest that the JavaScript source code that forms the basis of Ransom32 could easily be weaponized to run on Linux or OSX and the Javscript source code might be able to be adapted to run within a browser, the only samples thus far encountered in the wild are Windows PE files created using NW.js and mostly delivered via spearphishing emails. "

Yup. The more things change, the more they stay the same. Nifty Javascript attack, but same delivery; phishing. This actually came up on the GIAC Advisory Board mailing list [heavily sanitized]. A credit union's members were targeted.. response was as follows:
"Quick sounding board for steps taken,

-Created an alert on the companies web site regarding the phishing attempt.
-Made a post on social media (Facebook, twitter) that the Credit Union
would never ask for Username/Password etc and should also contact us
directly if you have an concerns.

- The site "harvesting" the credentials appears to have been hacked,
emailed the owners of the site (using the email in the "contact us"
section) to let them know.
- Used the abuse email address in the domain registry to also report that
the site has been hacked.
(Does gmail have a place I can submit for email abuse? its about 48 hours+
after the attack so most likely a moot point but could help someone else if
they want to use the same account)"

All wise and proportional steps. Then, a real treat, Lance Spitzner steps in: 

"First don't feel bad, you are facing a common problem shared by
most organizations.  However to answer your question we have to first ask
you a question.  Are you training your employees to report phishing
attacks, and if so how are you training them and how often?  If you are not
teaching them the indicators of a phishing attack AND how you want them to
report it, then you can't expect them to be effective sensors." 

This is an extremely important point. Until one of these phishing emails gets reported, the security folks can't get involved to take the actions the credit union took. Lance continues:

We see organizations that regularly phish their employees can get the number that
fall victim to less than 10% (sometimes less than 5%) and quite often those
that are falling victim are the new hires.  Same thing with reporting.  The
more you train people on reporting AND the easier you make reporting, the
greater your reporting %.  Warning though, you have to be prepared for
success.  We have seen organizations turn on their "Human Sensors" only to
have their SOC overwhelmed with reports.  That is why we see some
organizations tell their employees if they see an obvious phish, just
delete it. Its the trickier attacks they want reported.  It all depends on
what you want reported and the resources you can dedicate to it.


Lance Spitzner
Director, SANS Securing The Human
Mobile: +1.708.557.6006
Twitter: @lspitzner

I am going to have to ponder this for a while. I can see how to train employees to either report everything they think is suspicious. I can see telling them if you think it is a phish, delete it and move on. But it is not immediately obvious to me how to tell them how to report the trickier attacks. I can do it, (and do), you can do it, but we are security people, we think about this stuff all the time. There are some security company phishing quizzes, opendns, and mcaffe for example. Perhaps they could be incorporated into an organization's security awareness program. Now in the specific case of the credit union:

Some good news, looks like Firefox was blocking the site when the attack
took place, and Chrome started blocking it within 24 hours (and i think

that's awesome, thanks to anyone who works on those applications).

It probably makes sense for organizations to be sure their browsers are taking advantage of the protections available.

The capability is built into most browsers, for example on an El Capitan Mac:
In Safari, Preferences, Security, Warn when visiting fraudulent sites.
In Firefox, Preferences, Security, Block reported attack sites
In Chrome, Preferences, Advanced Settings, Privacy, Protect you and your device from dangerous sites

Phishing will always be with us. We have technology solutions, we have security awareness solutions, we need both and we need to adjust and remind from time to time to lower, not eliminate, the risk.

No comments:

Post a Comment