User awareness videos

Tuesday, July 12th, 2016 | Mark Borrie | Comments Off on User awareness videos

Here are a couple of videos to help people become a bit more aware of social engineering risks. It would be interesting to hear from you as to which one you think is more effective.

http://click.email.sans.org/?qs=c5f96f16ca893d8d2f0d14de6b7a75772c968cabaa38a6908445ec57e78146b3c527b9f0ea796009

 

Here is another good one from a bank

 

Malware – more than just a virus?

Thursday, March 3rd, 2016 | Mark Bedford | Comments Off on Malware – more than just a virus?

Seems that the term malware is causing confusion as the term itself covers a wide variety of malicious activity and is a contraction of the two words “malicious software”. It is generally used in the information security area to refer to software that is malicious in intent but does not cover unintentionally bad or faulty software.

There is a type of malware called spyware which is sometimes embedded in applications that appear useful but may have additional hidden functionality that gathers marketing information.

The SANS Ouch this month contains information describes it in more detail and provides some tips on ways to protect yourself.

Financial fraud phishing emails

Wednesday, February 17th, 2016 | Mark Borrie | Comments Off on Financial fraud phishing emails

The Information Security team has noted an increase in phishing emails that are targeting staff who may handle financial transactions. Initially these emails targeted senior staff and attempted to get fraudulent payments made by the University. A tertiary organisation up north fell victim to this and may be out of pocket to the tune of over $100k.

The phishing emails are now targeting departmental staff. The email will appear to come from another University staff member and attempt to establish further email communication. The email address will not be an @otago.ac.nz address. Eventually the target victim will be asked to set up a fraudulent financial payment. These emails are asking staff to work outside University financial processes by suggesting that there is some urgency in processing the request and hence bypass normal processes.

Staff who handle financial transactions are asked to be vigilant for these types of attacks. If you receive unusual requests to process payments then ensure that the following is undertaken
– Check with the apparent requester via another channel, i.e. if the request comes via email then give them a call to verify.
– At all times follow the University account processing systems. Contact FSD if you have questions.
– Report any attempts of this nature to the Information Security Office so that we can keep up to date with current attacks.

If you have any questions regarding this matter then please contact myself.

Thanks, Mark

P.S. A copy of this email has been posted on the Information Security Blog site for verification. See https://blogs.otago.ac.nz/infosec/2016/02/17/financial-fraud-phishing-emails/

-- 
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin 9054, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-8813
Email: mark.borrie@otago.ac.nz

Airline Boarding passes

Thursday, October 8th, 2015 | Mark Borrie | Comments Off on Airline Boarding passes

Ever wondered what is recorded on your airline boarding pass? Well someone has done some analysis of one and quickly turned up some interesting information. The bottom line is don’t throw them away, instead make sure you take them home and destroy them at the end of your travels.

See http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/ for an explanation.

LinkedIn Scams

Tuesday, September 1st, 2015 | Mark Borrie | Comments Off on LinkedIn Scams

In recent weeks there has been an increase in fake requests on LinkedIn for users to connect with people. These are likely to be precursors to attempted scams or fraud.

Some examples I have noticed are from people claiming to be from financial companies based overseas. After connecting with the person a message quickly follows asking for more information about yourself.

If you are unsure about these connect requests there are a few things you can do. Check out the company affiliation. If you cant find the company then there is a good chance it is fictitious.

Also check the profile picture. This is easy with Google. Open the Google search page and select the images link. Now drag the profile pic into the search bar and see if there are any matches. You might be surprised at where that profile picture originated from.

Now there is no requirement that someone will use an actual picture of themselves on LinkedIn, however you may want to think about why someone uses a picture of someone else.

So what to do with these requests. There are options on LinkedIn to report people that appear to be misrepresenting themselves. Alternatively, simply don’t connect or disconnect from people you don’t trust.

Above all else, keep safe.

Phone-to-email Spam

Wednesday, November 26th, 2014 | Jim Cheetham | Comments Off on Phone-to-email Spam

Can I send you an email?

In the last few months there has been a rise in “pretexting” phone calls from legitimate marketing organisations, probably in response to anti-spam legislation around the world.

The usual script is an unsolicited phone call from a real live human, asking for permission to use your email address in order to send you some marketing material, usually described as a “White Paper”.

The calls are often made over a low-quality connection (i.e. cheap VoIP) and come from non-native English speakers (a kind way to suggest “offshore call centres”). However, they do generally respond well to a polite “No thanks” as an answer, and to requests to not be called again in the future. If permission is given the eventual email usually represents a legitimate trading company of some sort.

All in all, no real problem.

I have a business opportunity for you!

However, we’re beginning to hear of the same approach being used by spammers, particularly of the advance-fee fraud variety. A small amount of research (i.e. get your name and job title from a website), a hacked VoIP system (which lets them call anywhere in the world for free), and a fresh email address from one of the big free webmail providers potentially gives these criminals a much more direct line to your mailbox and your attention.

This is a particular worry because it won’t be long before these techniques are used for distributing fresh malware – you receive a difficult-to-understand phone call from someone with urgent information to send to you, and a couple of minutes later in comes the email, along with a juicy PDF attachment. Would you resist the temptation to click? How can you tell the difference between an attack, and a real foreign student or academic trying to work with the University?

(Some of you reading this might suddenly realise that you already open too many attachments without stopping to check fully the source!)

What should you do?

The best defence if you are unsure would be to check with your colleagues, see what they think; to check with your IT support; or to ask the ITS Information Security Office for an opinion.

If you don’t have an opportunity to get a second opinion, you have a few technical opportunities to reduce the risk. Firstly, wait a while … come back to the message in a couple of hours time. If the message came out of hours, just don’t open it until you are back at work. Remember that just because it seems to be urgent to someone else it is not necessarily urgent to the University!

Instead of just opening the attachment, ask your anti-virus software to scan it. This is best combined with the “wait a while” approach – if this is a new malware sample (there are tens of thousands per day automatically created), give your AV software time to get an update from the vendor.

Finally, open the attachment in an unusual program. For example, malware PDFs often only successfully attack Adobe Acrobat Reader, so if you have a different PDF reader available you could use that. Instead of opening untrusted attachments with Microsoft Word, open it with a copy of Libre Office. If your job role means that you will be receiving unsolicited attachments regularly, get your IT support to help you install these alternatives.

Finally, if you are in any doubt, leave the file alone and refer the whole thing to the Information Security Office. We can check a lot more details to find out what is going on, and we really don’t mind being asked.

A primer on phishing emails

Thursday, January 31st, 2013 | Gene Teo | Comments Off on A primer on phishing emails

I’ve put up some basic information about detecting phishing emails. The outlook is not bleak, as some would expect. Based on internal data, over 98% of recipients do not respond to phishing emails.

In a few days I’ll put up some examples of actual phishing emails, and point how the features that betray their malicious intent. There will also be an article on more technical methods of analyzing suspicious emails.

The future of computer threat response

Thursday, August 23rd, 2012 | Jim Cheetham | Comments Off on The future of computer threat response

Dan Geer is a voice in the IT Security world that should be listened to, and he has co-authored a short but intense article in the IEEE S&P Cleartext column that addresses the reality of the rapidly-changing threats that we all face.

Stand Your Ground” has a few key messages, which I’ll try to summarise :-

  • Minimise the number of targets; stop adding new services without effective defences, remove old services. Use the savings to fund better security for what remains.
  • Distrust the internal network; distrust any service that is not continually verified. Defend against outbound traffic as well as inbound traffic.
  • Do not assume perfection is possible; plan for failure modes that reduce services sensibly. Reduce the time-to-repair with automation instead of extending the mean-time-between-failure.

For more reading and a less technical take on these ideas, here’s another article about Dan’s thoughts from Ben Tomhave, a GRC (Governance, Risk & Compliance) consultant.

The dangers of testing in a live environment

Monday, August 6th, 2012 | Jim Cheetham | Comments Off on The dangers of testing in a live environment

On August 1 2012, the New York Stock Exchange started to record significantly unusual levels of activity at 0930, as the markets opened. Trade rates were running at 30% above normal. By the end of the day one trader alone, Knight Capital Group Inc, had burnt over $440 million. The trades damaged market values for the whole day and almost destroyed Knight completely.

Technical analysts Nanex have posted a great analysis of the pattern of trades that enabled them to identify the likely origin of the trades, and to present a reasonable theory that seems to fix the facts: Knight seem to have released an internal trade testing application onto their production servers. It tested the live NYSE market. It lost money, because making money was not a requirement for testing.

It is hard to come up with a test environment for software that acts in a realistic manner, especially when you do not want to let the software itself be aware that it is being tested (because that will change its behaviour, and then it isn’t a proper test, is it?). It is also hard to construct tests that have to change the system state, when testing things that write to databases for example. And if you do accidentally run the test in a live environment, you can always recover from backups, right?

No, not always. Not $440 million’s worth of real-world money …