Phone-to-email Spam

Wednesday, November 26th, 2014 | Jim Cheetham | Comments Off on Phone-to-email Spam

Can I send you an email?

In the last few months there has been a rise in “pretexting” phone calls from legitimate marketing organisations, probably in response to anti-spam legislation around the world.

The usual script is an unsolicited phone call from a real live human, asking for permission to use your email address in order to send you some marketing material, usually described as a “White Paper”.

The calls are often made over a low-quality connection (i.e. cheap VoIP) and come from non-native English speakers (a kind way to suggest “offshore call centres”). However, they do generally respond well to a polite “No thanks” as an answer, and to requests to not be called again in the future. If permission is given the eventual email usually represents a legitimate trading company of some sort.

All in all, no real problem.

I have a business opportunity for you!

However, we’re beginning to hear of the same approach being used by spammers, particularly of the advance-fee fraud variety. A small amount of research (i.e. get your name and job title from a website), a hacked VoIP system (which lets them call anywhere in the world for free), and a fresh email address from one of the big free webmail providers potentially gives these criminals a much more direct line to your mailbox and your attention.

This is a particular worry because it won’t be long before these techniques are used for distributing fresh malware – you receive a difficult-to-understand phone call from someone with urgent information to send to you, and a couple of minutes later in comes the email, along with a juicy PDF attachment. Would you resist the temptation to click? How can you tell the difference between an attack, and a real foreign student or academic trying to work with the University?

(Some of you reading this might suddenly realise that you already open too many attachments without stopping to check fully the source!)

What should you do?

The best defence if you are unsure would be to check with your colleagues, see what they think; to check with your IT support; or to ask the ITS Information Security Office for an opinion.

If you don’t have an opportunity to get a second opinion, you have a few technical opportunities to reduce the risk. Firstly, wait a while … come back to the message in a couple of hours time. If the message came out of hours, just don’t open it until you are back at work. Remember that just because it seems to be urgent to someone else it is not necessarily urgent to the University!

Instead of just opening the attachment, ask your anti-virus software to scan it. This is best combined with the “wait a while” approach – if this is a new malware sample (there are tens of thousands per day automatically created), give your AV software time to get an update from the vendor.

Finally, open the attachment in an unusual program. For example, malware PDFs often only successfully attack Adobe Acrobat Reader, so if you have a different PDF reader available you could use that. Instead of opening untrusted attachments with Microsoft Word, open it with a copy of Libre Office. If your job role means that you will be receiving unsolicited attachments regularly, get your IT support to help you install these alternatives.

Finally, if you are in any doubt, leave the file alone and refer the whole thing to the Information Security Office. We can check a lot more details to find out what is going on, and we really don’t mind being asked.

TrueCrypt & file encryption

Thursday, June 26th, 2014 | Jim Cheetham | Comments Off on TrueCrypt & file encryption

TrueCrypt is dead

We used to recommend TrueCrypt as an effective file encryption solution, suitable for exchanging data sets over untrusted networks as well as for medium-term offline storage or backups.

Unfortunately, over the last few weeks it has become clear that the TrueCrypt authors have withdrawn their support for the product; and while the source code is available (and is actively being audited), it is not Open Source licensed, and should not be used in the future. TrueCrypt is effectively dead.

What should I do?

What does this mean for people who are currently using TrueCrypt? I’d recommend that you migrate your data out of TrueCrypt and into some other format; not in a rush, because there are no currently-known attacks or vulnerabilities in the product, but in a well-planned way. You should not start any new storage schemes using TrueCrypt.

What alternatives are there?

There doesn’t seem to be any useable and “free” software that does everything that TrueCrypt did, but most people we talk to don’t actually need all of those features at the same time anyway.

We are currently recommending the 7z archive format with AES encyption as a solution to :-

  • Cross-platform support
  • Protection in transit (email, dropbox, etc); sharing
  • Medium-term storage on untrusted media

Please be aware that University-owned data should always be accessible by the University itself; so if the only copy of your data is encrypted in this way, the passphrase used as the key needs to be made (securely) available to the appropriate people (usually your employment line management).

7z?

7z is the file format originally implemented by the Open Source 7-Zip file archiver, it is publicly described and there are now multiple software implementations available. It is currently regarded as the ‘best’ performing compression software available. Read more on the Wikipedia entry. Command-line users might like the p7zip implementation, packaged in Debian and the EPEL repository for RedHat.

7z applications usually do not use encryption by default; make sure that you select this option for secure storage.

 

Keep an ear out for this – vishing

Thursday, May 1st, 2014 | Mark Bedford | Comments Off on Keep an ear out for this – vishing

The security firm PhishLabs has released some interesting research on a new type of phishing attack involving Voice over Internet Protocol (VoIP). Seems the bad guys send a SMS text message to unsuspecting users advising them that their debit card has been deactivated and advising them to enter their card number and PIN to reactivate it.

So far this has only been seen in the United States and has yet to make it to our shores. It will come just as those nasty irritating hoax Microsoft support calls eventually showed up.

So knowing that this type of attack is in use means that you can have the upper hand, before you reply with your credentials consider, have you actually given you mobile number to your bank, contact your bank using the number from the phone book advising them that you have received such a message (don’t delete the message as it maybe be helpful in pursuing the offender).

Could this happen in NZ

Aside

While scanning my security news feeds I came across this article from azcentral.com which caused me to wince a little. It seems that the Maricopa County Community College District could be spending around $17.1 million, with most of it going on lawyers and services to the millions of people whose personal data was exposed.

The article cites that a breach in 2011 was never addressed properly and this lead to the more costly 2013 event. During April 2013 a server was compromised exposing Social Security numbers and banking information for 2.4 million current and former students and staff from as long as 30 years ago.