S is for …

Smishing

This is very similar in concept to phishing, but instead of email being used to deliver malicious code or links to malicious website, SMS text messages are used. The messages often look as though they’ve come from someone you know and / or trust, but they have typically been spoofed to make you think they are legitimate.

As with phishing, if you are in any doubt at all that the message has come from the person you think it has, contact them by another means eg phone them, access their website etc.

Social engineering

This is a broad term, but generally speaking it is the art of persuading someone to provide you with information, or access to something, which they shouldn’t really. It takes many forms, and just as with hacking there are people who do social engineering for good (eg red team members) and those who do it for nefarious purposes (eg con men).

Again in general terms, the good guys will only use techniques that only leave you feeling good about the experience, will not try to manipulate or coerce you into doing somehting you don’t want to. The bad guys will have no qualms about trying everything to bend you to their will.

Spam

This is the catch-all phrase used for unwanted email, much of which may contain viruses or malicious links. In many ways its the electronic version of junk mail (aka direct marketing) which most of us experience.  Over 45% of all email sent globally currently is spam, though in 2014 that figure was over 70%.

When you consider there are over 235 billion emails sent every day, it is clear this is a huge volume of spam, and it is therefore unsurprising that some of it makes it into your mailbox, irrespective of what anti-spam tools you are using.

Spear phishing

Spear phishing is a form of phishing (and whaling), and is different because the emails are directed at specific targets. Information about the target is normally found through Open Source Intelligence gathering, and an email is then crafted to take advantage of that information.

For example, if someone did some research on me and found that I was a fan of London Irish rugby and the band Coldplay, they could create an email designed specifically for me which could perhaps give me the opportunity to get 50% discount on tickets to see Coldplay or 75% off a hospitality package at the rugby. If I was a genuine fan of either I might be tempted by those offers, and might click on any link in the message or open an attachment.

Spoofing

There are software packages available which allow a person to mimic another person’s phone number, and there are also techniques which allow them to send email which looks as though it has come from someone else. This practice is called spoofing.

Imagine you have been receiving text messages from your bank, and one day you get another message (in the same message stream) which asks you to click on a link to update your details. This could be a spoofing attack. One way to check is to contact your bank by phone, in person or on their website.

Next, imagine you get an email from your boss, and it looks genuine. It may be formatted the same as your company email address, and may follow the same naming convention eg mary.brown@acme.corp, but the mail has come from outside your organisation and again it has malicious links or attachments in it. Many organisations protect against this by adding some text to the subject line of an email eg the phrase [EXT] or [external] if it has come from outside the organisation. This is a simple and obvious visual clue.

Stuxnet

Stuxnet was shrouded in secrecy but is now very well known. It was a sophisticated piece of code which targeted a specific make of industrial control system, and was used in an effort to cripple the Iranian nuclear programme. It featured a number of zero day exploits which targeted vulnerabilities in the centrifuges used in a specific power plant, causing them to spin out of control while in the control room everything looked normal. The intent was to prevent the Iranians from developing a nuclear weapons capability.

It is an infamous and ingenious piece of code. For more information, you may want to see the documentary made about it, called Zero Days.

Switch

This is a network device which helps segment a local area network into separate networks. It differs from a router in that it only knows one path from one network to another, whereas a router can search among multiple possible routes and determine the best path for network traffic to take.

 

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this is where you have bomber aircraft, the bombs they carry are referred to as the payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, or someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.

Vehicle Security

You’ve no doubt heard the stories about cars being hacked over WifI or Bluetooth, but today I want to talk about an easier security risk: second-hand, hire and courtesy cars…

I’ve recently had my car in the garage to have it serviced, and I was provided with a reasonably new courtesy car. I had to drive a fair distance so paired my mobile phone over Bluetooth so I could listen to podcasts while driving. As part of the pairing process I was asked if I wanted to replace the existing contact list for the phone in the car, and that set me thinking…

I looked at the sat nav, and guess what? Several pages of addresses were listed, none of which I’d added: these had been created by those who had the car before me.

I looked at the list of connected phones, other than mine, and there were a couple of pages of paired phones, including some which said things like “John Smith’s iPhone”.

I looked at the existing phone contacts listed on the car – none of them were mine.

What does all this mean? It’s all pretty innocent stuff, right? Wrong.

I can now try to match “John Smith” with the addresses listed. I can use the phone contact list to look for people that “John Smith” might know: for example, on social media and sites like LinkedIn. I know what kind of phone he uses, so that tells me more about him too. This is all information I could use to mount a spear phishing attack, if I was so inclined.

Of course, I’m not so inclined: I’d much rather tell you about it so you can protect yourself.

So, what can you do? Simple: if you borrow a car, whether as a hire car, courtesy car, or if you’re selling your car, make sure you delete all your details including addresses and contact information before you hand the car back.

Phishing and Whaling

I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics.  Let’s start at the beginning though.

Phishing

Most people with email will have received a phishing email at some point.  Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or which will download and install malware, or something like that, or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about.  These types of attack are relatively simple and unsophisticated.  They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.

Spear Phishing

This type of attack is a bit more sophisticated.  It follows the same sort of approach as above, but focuses on specific individuals.  These emails typically include your name and may also include a little bit of information about you, and will likely be more targeted around some of your likes and interests.  Because they are specifically directed at you, and you are they prey, you become the fish that the bad guys try to get without looking at others around you: hence “spear phishing”.

Whaling

This is really just a version of Spear Fishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point).  As these are the big fish, you can imagine that these are the biggest prize.  Typically the bad guys try to get their hands on large sums of money, and may involve more skillful techniques like phoning an employee (a technique sometimes called voice phishing, or vishing) in finance and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill.  Who queries the boss, right?  This type of attack is definitely on the increase.

So how do you protect yourself from these sorts of attack?  The following tips may help:

  • If it seems too good to be true, it probably is
  • Don’t click on unknown links in email
  • Don’t reply to messages from people you don’t know
  • If at work and you get an email from senior management which eg doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
  • Be vigilant – phishing and related attacks are on the increase