Caught in the net

Phishing emails continue to trick people into giving away personal information, which fraudsters then use to inflict harm and financial losses on their victims. The emails can be compelling, made to look as though they come from anyone, with just enough bait on the hook to catch people easily. Fake websites that look like the real sites are easy to set up, and fake emails that appear to come from your bank are easy to send.

Using simulated phishing emails within an organisation to test employees’ security awareness showed that even experienced information security professionals were susceptible to some phishing emails.

Here are some thoughts to prevent you from becoming the next victim:

  • Never reply to emails asking for passwords, PINs or other logon credentials. No legitimate business will ever ask for these details. Never give your password to anyone, regardless of the circumstances.
  • DO NOT open attachments unless you are 100% sure about the origin of the email.
  • DO NOT click on links in emails. Always go directly to the real website and log in to your accounts in the usual way.
  • Phishing emails often have poor spelling and grammar along with non-personal greetings such as ‘Dear customer’. However, if the senders obtained your name and email address from another source, personalised phishing emails will look more authentic.
  • DO NOT reply to any spam or phishing emails.
  • Phishing emails will often create a sense of urgency. For example, an offer may be too good to be true, a deal may only be available for a short period, or the email may warn that your account will be deactivated if you don’t log in within a specific timeframe.
  • DON’T assume that because the link is HTTPS:// it is genuine. The fact is that anyone can buy a certificate or set up a certificate authority. Personal details you disclose may be encrypted when sent, but that means nothing if you send encrypted information to a fake website set up by fraudsters.
  • Report phishing emails to the imitated organisations and delete them.
  • Phishing emails will often use current events as a means to get your attention and encourage you to take action. People injured in an earthquake, for example, will likely trigger phishing emails asking for financial support and playing on people’s natural empathy for those in need. Likewise, if the deadline for tax returns is approaching, a phishing email will attempt to exploit that urgency.
  • Links in phishing emails will often be hidden behind text, so that the link appears to point to one site while the actual URL is for a different website. Hovering over the link will reveal the real destination.
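The last point above, the visible link text naming one site while the href points elsewhere, can be checked automatically before anyone needs to hover. This is an added example, not part of the original post; the email body and the domain names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text that looks like a URL or bare domain, e.g. "www.examplebank.test/login"
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host part of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return [(shown_text, real_host)] for anchors whose visible text names a
    host that is neither the real destination nor a parent domain of it."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        match = DOMAIN_RE.match(text)
        if not match:
            continue  # text such as "click here" is not checked here
        shown, real = match.group(1).lower(), _host(href)
        if real != shown and not real.endswith("." + shown):
            flagged.append((text, real))
    return flagged


# Constructed sample: one deceptive link, one genuine subdomain link, one plain-text link.
SAMPLE_EMAIL = (
    "<p>Dear customer, your account will be deactivated within 24 hours.</p>"
    '<a href="https://secure-login.examplebank-verify.test/x">https://www.examplebank.test/login</a>'
    ' or visit <a href="https://online.examplebank.test/help">examplebank.test</a>'
    ' or <a href="https://evil.test/c">click here</a>'
)
```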

In terms of the economic viability of phishing, with emails sent to millions of potential victims, it only takes a small number of catches for the operation to be profitable.

More on passwords

The strange thing about writing a password blog is that most of the topic is the same as what I wrote about 20 years ago, so the challenge is not writing about passwords, but making the subject of passwords interesting to read. The difference is that during these 20 years, the use of computing technology has increased significantly, and a new generation of people need to know more about how to take their safety and security more seriously. So, it is OK for me to repeat myself on this.

I didn’t think I would write another blog about passwords, but I was recently in a queue for a local cash machine when a teenager in front of me told her friend, ‘Mine is just 1234, so I can easily remember it’. A few laughs followed. I thought it was a joke initially until I saw her type ‘1234’. Even though I was standing 2 meters away, it was impossible not to see and hear what happened.

Had the wrong person been in the queue, they could have done her serious harm to get hold of the bank card. It also reminded me how often people use Chip and PIN in an unguarded way and how easy it is to see PINs just by standing in the queue. Simple advice here is to change your PIN frequently and be more careful when using it to make a purchase or withdraw cash from an ATM. Simple advice for banks would be to prevent commonly used and easy-to-guess PINs from being chosen.

Using weak passwords introduces many risks, and with the continually growing use of social media and the amount of personal information available online, guessing weak passwords is easier than ever. A dictionary attack on a system can take time. If your Facebook page shows that you are a Star Wars fan, an attacker could start with Jedi1 or Jedi1!, or thousands of variations on that theme, which is far more efficient than a brute-force attack with an entire dictionary. The same applies to any information available in the public domain. It gets worse with security questions, because if you answer them truthfully you are providing immutable facts for security purposes. Your place of birth is unlikely to change, for example, and it is available on a large number of Facebook profiles.

Passwords need to be extremely difficult to guess, and unrelated to anything about you that anyone else would know or be able to find out using a search engine. There are no set rules for how this should be done, and there are probably as many options as there are security consultants. A mixture of upper case, lower case, numbers and symbols is an excellent place to start, with a password of 8 characters or more. I am being intentionally vague here and not recommending a specific approach. As soon as something becomes an approach, refinement of hacking tools quickly follows, so you should think about how you will make strong passwords and take responsibility for your own safety and security.

Someone a long time ago thought it was a good idea to replace some letters with numbers or symbols, such as replacing ‘I’ with ‘1’, ‘A’ with ‘@’ and ‘E’ with ‘3’. It quickly became popular, but in practice it requires only a small change to password-cracking software. If someone is known to be a Star Wars fan, then ‘J3d1Kn1gh+’ could be tried along with variations of any other word using the same convention. Even a dictionary brute-force attack can apply these variations. Consequently, replacing letters with numbers has been insecure for a long time. To recap, decide for yourself how complicated and obscure your passwords will be.
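The point that substitutions like ‘J3d1Kn1gh+’ add almost nothing can be demonstrated from the defender’s side: a password check that undoes the substitutions before comparing against a wordlist and the person’s public profile. This is an added example, not part of the original post; the wordlist fragment and the profile words are constructed for illustration.

```python
import re

# Reverse of the letter-for-number swaps the post describes ('1' for 'I', '@' for 'A',
# '3' for 'E') plus a few other common ones; cracking tools carry the same table.
LEET_MAP = str.maketrans({"1": "i", "!": "i", "|": "i", "@": "a", "4": "a", "3": "e",
                          "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})

# Constructed fragment of a cracking wordlist (a real one has millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "knight", "dragon"}


def normalise_candidates(password):
    """Base forms a cracker would try: the whole string de-leeted, and the same
    after first removing a trailing digit/symbol suffix such as the '1!' in 'Jedi1!'."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return {password.translate(LEET_MAP).lower(), stripped.translate(LEET_MAP).lower()}


def weak_password_findings(password, profile_words=frozenset()):
    """Reasons a password is guessable: shorter than the 8 characters the post
    suggests, or built on a wordlist entry or a word from the person's public
    profile (e.g. 'jedi' for a self-declared Star Wars fan) once substitutions are undone."""
    findings = set()
    if len(password) < 8:
        findings.add("shorter than 8 characters")
    words = COMMON_WORDS | {w.lower() for w in profile_words}
    for base in normalise_candidates(password):
        for word in words:
            if len(word) >= 4 and word in base:
                findings.add(f"contains '{word}' after undoing substitutions")
    return sorted(findings)


# Constructed profile words gathered from a public social-media page.
PROFILE = {"jedi", "starwars", "skywalker", "london"}
```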

Avoid using the same password for multiple purposes. Large, established systems with an extremely security-conscious ethic may have implemented their security model in a way that not even the company’s own staff can find out customer passwords. The lengths organisations go to are relative to the value of what they are trying to protect, so other systems will still store passwords in plain text and send them out by email in plain text as password reminders.

In recent years, more and more websites require registration before allowing purchases, and far fewer sites allow one-off purchases. Consequently, people need far more user accounts now than they did a few years ago. Using the same password for high-security and low-security systems allows hackers to compromise the high-security systems with far less effort. Websites can also sell cheap widgets for the primary purpose of harvesting email addresses, passwords and other personal information, which is then used to compromise higher-security systems such as bank accounts, social media accounts and email accounts. Access to a primary email account makes it easier to compromise other sites and services.

Bring Your Own Devices

Should employees be allowed to bring their own devices into the workplace and connect them to the corporate network? There are mixed views on this, and you must carefully consider the advantages and disadvantages before defining corporate policy. Personal devices in the workplace are high risk, and the IT department has no control over the content of such devices.

  • It could result in the theft of data by an employee. As company data is likely to be needed on personal devices for employees to undertake their role within the organisation, use of that data for other purposes is a straightforward next step. Company data found on a personal device would look entirely legitimate, and if staff used it for other purposes, evidence is unlikely to be available due to the lack of monitoring.
  • It would be challenging to verify the removal of corporate data from personal devices when employees leave the organisation. Backup copies could exist in remote storage such as Dropbox, Google Drive and OneDrive. Someone could restore deleted data using recovery tools, as a file is never entirely deleted until its data has been overwritten by other files or securely erased.
  • If companies allow employees to have data on their own devices, they generally have much less control of the data than if it were on file servers within the organisation. It is not easy to maintain an inventory of sensitive information within an organisation if that inventory extends to personal devices.
  • Using personal devices within a corporate environment also introduces risks associated with malware.
  • Software compatibility could become an issue. In many cases, software versions are more recent on personal devices. If document formats have changed, saving a document from a personal device could result in it no longer being accessible to software on corporate devices. If corporate licensed software needs installing on personal devices, it may not be compatible, and if it is, it may be in breach of software licence terms and conditions.
  • With lost or stolen personal devices, it could be impossible to know what corporate data was on the device, which in turn prevents accurate reporting under data protection regulations.

A different kind of risk with personal devices in the workplace is the amount of time spent on personal activities during working hours. Businesses can control the software on corporate devices, but personal devices will carry the employees’ own software and data. Personal devices can therefore reduce productivity.

Although this blog began with a question, the case is more in favour of not allowing employees’ own devices to connect to the corporate network.