Phishing

Don't get hooked by SCAMers. Know what to look for.

Phishing is a social engineering technique that attempts to fool a user into disclosing sensitive information. Phishing is normally carried out through email or instant messaging (IM) by getting a user to provide details on a fraudulent website or in response to the original email or IM sent. Some of the sensitive information that an attacker attempts to get from trusting users are usernames, passwords, and credit card details. Phishing is one of the most successful methodologies for theft.

To counteract these phishing attempts, it is important to become aware of these techniques. A general rule to follow is to not give any sensitive information to untrusted sources. Never access a trusted source by clicking on a link in an e-mail or instant message. Trusted organizations will never generally ask for username and password information as this type of information is kept strictly confidential. These organizations will generally confirm your identity through other means short of asking for usernames and passwords.

Another technical measure that has become successful in recent years to combat phishing attempts is through programs that test sites that are visited. If a site that comes up in a browser appears to be fraudulent, these types of anti-phishing software will notify the user and prevent them from going to these sites. Although the best course of action is user awareness, these anti-phishing software programs have been successful in protecting users from being fooled into giving away sensitive information.

Pharming

Do you know if this is the REAL website?

Pharming (pronounced farming) is a term that was word played on farming and phishing. It refers to a technical attack that is aimed at redirecting a legitimate website’s traffic to a fraudulent site. This can be done by changing the hosts file on a victim’s computer or by compromising a DNS server. DNS servers are like huge phonebooks that translate common site names to real addresses. The entire Internet functions on these DNS servers and if one is compromised, the attacker can funnel traffic to any site that he/she desires. To the user, the site looks legitimate and will generally attempt to get the user to disclose sensitive information such as logon credentials or other personal information that we should know better than to submit to a vendor that we are already doing business with.

Pharming is similar to phishing in the way that it attempts to fool users into divulging sensitive information, but it goes one step further in actively getting the user to go to these sites by manipulating the DNS servers or the host files of a personal computer.

Sophisticated measures known as anti-pharming are required to be implemented to protect against these types of attacks. Antivirus and other anti-malware software provide no protection against pharming attacks. Individuals can help protect themselves by performing the following:

• Always type in the URL of the website you intend to visit instead of clicking on hyperlinks or bookmarks
• Always look at the website address to ensure it appears to be legitimate and similar to that viewed in previous site visits
• Always question why any institution that you have a relationship with would ask for your personal information (they will already have it on file!)
• Always contact the institution via telephone if you are not certain or something seems suspicious

Online Fraud

An overview of how crooks are stealing YOUR money.

There are many forms and schemes that fraudsters utilize to conduct online or Internet crime. These types of crimes have stolen millions of dollars and have become very sophisticated over the years. The following is a list of some of the common forms of Online Fraud Schemes:

• Auction Fraud – this type of crime involves the use of online auctions where sellers will defraud buyers by making claims of the products they sell that aren’t true or by not even shipping the product once it is purchased.
• Counterfeit Cashier’s Check – this type of crime may involve a buyer that sends a seller a cashier’s check in the amount greater than the amount for which the item was sold. The buyer is then supposed to send the item to the seller along with a money order or another cashier’s check for the difference. The original cashier’s check is of course a fake; however, this crime works because of the delay in which the cashier’s check gets picked up at the bank as being illegitimate.
• Credit Card Fraud – this online fraud comes in many different forms. One method is for criminals to set up a fake website that fools users into giving away sensitive information. Another is by setting up a legitimate site, but using the information it gathers to conduct fraudulent activity on the credit card.
• Debt Elimination – these types of scams promise to assist people to get out of debt or to help them repair their credit report for a price. Most of the time, you can repair your own credit report for free and make payment arrangements with your debtors without the assistance of a third party. Usually, these types of companies make outstanding claims that they never deliver on and take their victims for a ‘ride’.
• DHL/UPS – online fraudsters may utilize DHL or UPS, reputable companies, to assist them in duping victims out of money. Generally, DHL and UPS do not get involved in directly collecting payments from customers, and their fees are usually only associated with shipping costs - never for costs of any other online transactions.
• Employment/Business Opportunities – these types of crimes usually involve obtaining some form of sensitive information from the victim such as a social security number and other types of information.
• Identity Theft – identity theft has become an increasing problem on the Internet. It has become very easy to obtain sensitive information on victims and use this information to open up fraudulent accounts under their names. The act of using one’s identity for financial gain or fraud is considered a component of Identity Theft.
• Internet Extortion – this type of crime may involve a criminal taking over a website and holding it ransom until certain funds are paid.
• Investment Fraud – these types of crimes play on peoples' dream of making it rich and making it fast. These claims may come in the form of a little investment that will return large sums of money. In fact, to draw individuals in, the victim may receive some small checks to confirm the reliability; however, as the victim gives more and more money to the investment, they will eventually lose in the end.
• Lotteries – these types of crimes may come in the form of buying lottery tickets for a chance to share in the winnings or the victim may be asked to pay a fee to obtain their prize that they are claimed to have already won.
• Nigerian Letter or “419” – this fraud again plays on the dream of becoming rich. This type of scam appears to be big from individuals in Nigeria and usually starts out by saying a rich relative passed away with a lot of money and the victim is the beneficiary of such funds. Unfortunately, the funds are locked up by the Nigerian government and require payment, in advance, to release. Once the payment is made; however, the victim is guaranteed the large sum of money.
• Phishing/Spoofing – this type of crime fools victims into going to fake sites and divulging sensitive information.
• Ponzi/Pyramid – these types of pyramid scams have been around for a long time, but now they have moved into an electronic format. It basically works on the premise that the victim sends a group of individuals a small amount of money. Those individuals, in turn, send another group of individuals a small amount of money, like a pyramid. As the network grows, the individual on top is supposed to get funds from everyone below them. It looks good in theory, but schemes such as these never work.
• Spam – advertising has taken a new course in the age of computers and e-mail boxes have been flooded with all types of unsolicited ads. If promises of some miracle drugs are too good to be true, then they probably are.

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3c) that has some great resources to protect you from Online Fraud and also assist in reporting these types of crimes. Visit http://www.ic3.gov for further information and tips to protect yourself against these and other online crime.

Viruses

What are they? How do I get them? How do I get rid of them?

A virus is a self-replicating program. This means that it can propagate, by itself, through different systems throughout a network. A virus requires some sort of user interaction to initiate its payload (program) and usually attaches itself to executable files or document files so as to trick a user into activating them.

A worm is also a self-replicating program. The difference between a worm and a virus is that a worm does not require any user interaction to initiate. For this reason, a worm may be considered a little more dangerous than a virus.

Malware is a term used for any software or program that is considered malicious. This is software that causes harm to systems, uses PC resources, or track user behaviors. This is a broad grouping of programs that include viruses, worms, Trojan horses, adware, and other related software.

Spyware is a malicious program that can ‘spy’ on user actions or track user movements through the Internet. These types of programs can report back to their creators and provide them with the keystrokes that were typed, the websites that were visited, or other sensitive information that the user may have on their computers.

A common result of an infected PC is that it may seem overworked or underpowered. In other words, your computer is no longer capable of executing the programs it always has with the same responsiveness. For example, if you attempt to access the Internet by double-clicking the icon and it takes the computer 2 minutes to open the program, this may be the result of other processes running in the background, such as a virus, worm, spyware, or other malware.

One of the easiest and probably one of the most effective security controls that can be implemented on systems is Anti-Virus, Anti-Spam, and Anti-Malware protection. It is just as important; however, to keep the virus signature files or DAT files, up to date. Since new malware programs or variants of existing malware programs are designed daily, it is important that the anti-virus solution that you implement is kept up to date to these threats. It is also recommended, especially when it comes to e-mail, that users not open any email messages that contain file attachments or have been delivered from an unknown source. Spyware or adware protection should also be used in conjunction with anti-virus on all systems and should be set up to actively scan and monitor these systems.

It is important to stay current on these threats. Here are some sources that can assist you on this:

• CERT Coordination Center www.cert.org
• Internet Storm Center www.incidents.org
• Security Focus Incidents Mailing List http://www.securityfocus.com/archive/75

Vishing

Is the person calling for real? The Caller ID is good, but are they?

Vishing is another highly sophisticated form of social engineering combined with Voice over IP (Internet Protocol) to obtain sensitive information from unexpected users. This type of attack plays on the public trust in landline telephones being terminated at physical locations; however, with the advancement of Voice over IP telephone communication, telephone numbers can be directed to any location. Caller ID can be masqueraded or spoofed to look like it is arriving from a legitimate source.

An example of a vishing scheme is when a user is called by a criminal using an automated program. When a user picks up on the line, they get a recording masquerading as their financial institution advising the user that their credit card has been fraudulently used. The recording provides a telephone number and instructions for the user on how to proceed to protect them from this fraudulent use. The user then calls this number and receives another automated response requesting credit card number information and PIN number information. This system may also attempt to obtain other sensitive information. The criminal element can now utilize this information to carry out other fraudulent activity on this credit card. The user does not expect anything since the scam appears to be legitimate.

Vishing is very hard to monitor and it is advised that consumers do not follow these types of instructions, but instead, call their financial institutions directly if they have any concerns or questions about the claimed activity on their accounts.

PC Protection

How Should you protect your PC?

When we talk about protecting PCs, we need to discuss security as Defense in Depth. What we are saying here is that there are multiple layers of security that need to be implemented to properly and adequately protect your PCs. First, we need to determine how much protection we require. We usually make this type of determination by identifying what type of information is being stored on the PC and the criticality of the PC itself. If the PC is utilized to store very sensitive information than there should be more security controls implemented on this system. If the PC operates critical business functions, likewise, additional controls should be implemented accordingly.

Generally, we talk about security or protection in terms of rings. Each ring is inside the other ring and usually gets tighter and more detailed as the rings get smaller from within. On the outer ring or layer, we are looking at the physical protection surrounding the PC. We look at whether the PC is behind locked doors or open for anyone to use. Is the PC protected from the environment or electrical surges by being plugged in to surge protectors or UPS systems? One of the laws of security involve the actual physical control of the PC, if someone has physical access to your system, it is no longer your system.

The next ring or layer of security usually comes in the form of passwords. Does your PC require a strong password to log on to the system? Does your system automatically go into a password protected screensaver upon at least 15 minutes of inactivity? Do you lock your system if you leave your desk?

Along with passwords, do you have administrative rights on your local PC? Best security practices dictate that administrator accounts should be renamed and that the principle of least privileges should be in affect. This means that only the minimum amount of rights should be granted to a user to allow them to perform their job functions. Software should run in limited access modes and should not have administrator or system level authority.

If your system stores sensitive information, you may want to consider using encryption software to protect this information. There are many types of encryption solutions on the market each with their own pros and cons. You will have to decide which functionality you require and what type of protection level is reasonable for the type of information under protection.

Now that your PC has been locked down, it needs to be maintained. Your system requires to be updated for security patches and vulnerability patches depending on your operating system and software running on your PC. Vulnerabilities are discovered every day and there should be an automated system that will keep track of patches accordingly. For those of you that use Windows, be sure to set your PC to automatically download and install security updates as a measure of protection. Anti-virus software is also an essential tool on your PC and this type of software also needs to be updated regularly to maintain the best level of protection available.

Secure Passwords

What makes a password secure - and why?

Historically there are two schools of thought regarding the creation of passwords. The first is to use a password or passphrase that contains numbers, symbols, and upper and lower case characters. Commonly, the numbers and symbols are used as substitutes for letters that resemble the number or symbol. For example E = 3, i = !, a = @, o = 0, P = 9, S = $ and so on. As a result, a password of “security” may appear as “$3cur!tY”. Challenges to using this type of password is that for many users, the symbolic changes will be difficult to remember resulting in the user writing their password down (which compromises the integrity of the password) in hopes that others will not discover their password cheat sheet.

The second historic school of thought would be to use a word or name that is known to them that others may not “know”. Pet’s names, sports heroes, children’s names, month of birth date or anniversary are just a few examples of passwords used. On the up side, these are usually easier to remember, but conversely easier for anyone else to guess. With the prevalence of publicly available information on the Internet, attackers who don’t even know you could potentially discover this type of information and leverage the security of your home computers and networks.

Researching the Internet for a response may prove to be confusing. Valid and reputable sources are split on length versus complexity, so what should you do? Current and future trends dictate that both long and complex passwords/passphrases should be adopted. By nature, password cracking agents will break passwords to be cracked into 7-character subsets and crack the individual subset. In addition, the prevalence of password cracking tools freely available on the Internet provides anyone with the ability to crack ANY password up to 14 characters in length. So, even if your password is “H75r%*,1WxdN.?”, there are free password cracking programs that are able to decipher that phrase in under 24 hours.

So, choose a password that is at least 8 characters in length and create some of the symbol and numeric switches explained in the first paragraph. Also, if you want to use multiple words in a passphrase, utilize the space bar between words. Space would be considered a symbol and can be confusing to some password cracking applications. For example, people who love their computers could create such a password: ! L0v3 mY C0m9u+3r! = I love my computer! The idea is to compile passwords that are tough for others to guess but easy for you to remember. If for any reason you have to write down your passwords or “password hints”, be sure to lock them away so others do not have access to that file/paper.

Finally, be sure to change all of your critical passwords every month or two. What passwords are critical might you ask; any that protect your finances, credit cards, or the computers where you perform such financial transactions.

http://www.networkworld.com/newsletters/bug/2006/0807bug2.html?page=1 http://www.avertlabs.com/research/blog/index.php/2007/11/02/password-policy-length-vs-complexity

Secure Transactions

How to know you're safe when using websites.

Secure transactions occur when a user identifies themselves by presenting an agreed upon form of identification. This identification is then verified or authenticated to confirm that the person presenting the ID is who they say they are. Once authentication is established, an agreed upon communication standard or channel is established. This communication is generally encrypted so that the sensitive information can not be viewed by unauthorized individuals. After the transaction is complete, the channel is broken down and the session is released. You can tell you are setting up a secure on-line transaction when you go to a site that has https:// in front of it. You will also see a ‘padlock’ appear in your browser indicating that you have established a secure connection with the web server.

The process explained above seems easy enough; however, there is a lot that goes in to providing a secure transaction. In the first part of identifying and authenticating a user, secure transactions usually involve multi-factor authentication. Authentication in its simplest form is providing proof of someone’s identity. In the digital world, this is usually done by providing a username and password. Passwords are a weak form of security since these can usually be easily cracked. To increase security, multi-factor authentication is used.

There are normally three ways by which someone’s identity can be verified or authenticated. The first way that we have already touched on is by providing passwords. This is something that the authorized individual ‘knows’. Another way that someone can prove their identity is with something that they ‘have’. This is usually in the form of a security token. The last way that someone can prove their identity is with something that they ‘are’ like a fingerprint.

For multi-factor authentication to be effective, the system must have at least two of the three methods described above. A common multi-factor authentication system is with ATM cards. In this type of system, in order for an individual to access a bank account, the individual must have a card that is embedded with information pertaining to the card holder and a PIN number. This is something that you ‘have’, the card, and something that you ‘know’, the PIN.

Unfortunately in the on-line banking environment, there is a pseudo-form of multi-factor authentication that is utilized. In most of these systems, a user enters an account number, a PIN number, and provides an answer to a secret question to access their on-line account. In essence, all of these items are single factor in that they are just all something a user ‘knows’. In an attempt to prove that the system is multi-factor, the on-line service may load a ‘cookie’ or provide a security certificate to the local system. This, in essence, acts as a second factor authentication of something a user ‘has’. The fallacy or weakness in these types of systems are that it still only takes what the user ‘knows’ to prove their identity. And in some situations, the secret questions are the same question for all users such as “what is your mother’s maiden name?” or “what is your favorite pet’s name?” Unless there was another alternative method by which the ‘cookie’ or certificate was securely passed to the user or verified by other methods, this on-line banking system is not a ‘true’ multi-factor authentication system.

A secure channel is established once authentication is conducted. This secure channel utilized established through Secure Sockets Layer (SSL). You have seen this protocol being utilized when you go to a web site with an https extension. Secure Sockets Layer (SSL) was developed by Netscape to provide security over the Internet between clients and servers. This Internet Security protocol is compatible with many different encryption types such as RSA, IDEA, DES, 3DES, and MD5. It handles the client-to-server authentication and requires both server and the web browser to be compatible with each other. When SSL is utilized, it will protect the entire session created by the user request.

Special Note: Some Internet Security methods actually utilize ‘cookies’. Cookies are simple programs that are normally readily available through most programming languages and Internet browsers. They are usually used to track user activity on the Internet, but they can also be utilized in providing security. This is done by embedding session keys or other time stamping items to assist the users in maintaining a secure session while they are visiting a web page or web site. Unfortunately, users can manually disable these cookies and even transfer cookies from one computer to another. It is recommended that security mechanisms that utilize cookies not be used when sensitive information is involved.

Wireless Security

Do you know who may be "listening in" on your web traffic?

The Institute of Electrical and Electronics Engineers (IEEE) is the professional standards organization for the development of communication and network standards. With the increase in wireless technology, standards such as the IEEE 802.11b became important to provide a mechanism for authentication and encryption in wireless communication. Wireless security provides for the encryption and message security to ensure the confidentiality and integrity of broadcast transmissions. Wireless security is also concerned with securing the sending and receiving devices. One of the first network security protocols defined by the 802.11b standard is Wireless Encryption Protocol (WEP), also called Wired Equivalency Privacy. WEP is a key-phrase based network security protocol that is used to encrypt transmissions being broadcasted. Unfortunately, WEP used a weak key and can be cracked using tools that are freely available.

To strengthen wireless security, Wi-Fi Protected Access (WPA) was developed. WPA was created by the Wi-Fi Alliance and was designed to enhance the security of wireless networks. There are two flavors of WPA: enterprise and personal. The enterprise method uses an authentication server to distribute different keys to each user while the personal method is less scalable and uses ‘pre-shared key’ (PSK) where every authorized computer on the wireless network is given the same passphrase.

WPA encrypts data using the RC4 stream cipher with a 128-bit key and a 48-bit initialization vector (IV). One major improvement WPA had over WEP is the Temporal Key Integrity Protocol (TKI) which changes the keys dynamically as it is being used. This, combined with the larger initialization vector, effectively defeats the key recovery attacks that WEP faces.

Another wireless security method used by mobile devices such as PDAs and phones is the Wireless Application Protocol (WAP). WAP is a wireless security method that provides protection for mobile devices accessing the Internet. It provides session, transaction, and applications services while having low resource requirements. WAP provides security through the Wireless Transport Layer Security Protocol (WTLS) which performs through either anonymous authentication, server authentication, or client and server authentication. WTLS is a security protocol based on the industry standard Transport Layer Security (TLS) protocol that is optimized for narrow bandwidth communication channels. WTLS provides data integrity, privacy, and authentication as well as Denial of Service protection.

A Service Set Identifiers (SSID) is a 32-character unique identifier that is attached to the packets sent over a Wireless Local Area Network (WLAN). This SSID acts like a password to connect to the access points and all those devices that are trying to communicate on the WLAN must have the same SSID. By default, this SSID usually broadcasts itself to everyone in the WLAN, but it is recommended that this SSID broadcast be disabled. This will provide a little security through obscurity.

In addition, it is recommended that Wi-Fi Protected Access (WPA) be utilized over Wired Equivalency Privacy (WEP) due to the added security that WPA provides. WPA provides improved integrity through its use of cyclic redundancy check (CRC) and secure message authentication code, or message integrity code, which uses a frame counter that prevents replay type attacks.