Dos and Don’ts with Document Embedded Objects

Phishing is a form of online identity theft in which fraudsters trick Internet users into submitting personal information to illegitimate web sites.

The word ‘Phishing’ is a neologism created as a homophone of fishing due to the similarity of using fake bait in an attempt to catch a victim (and hence the picture I have used in this post)

Phishing scams are usually presented in the form of spam or pop-ups and are often difficult to detect. Once the fraudsters obtain your personal information, they can use it for all types of identity theft, putting your good credit and good name at risk. One of the most widely used Phishing techniques is email spoofing, which necessarily means where the attacker sends a legitimate looking email to a victim, which can have links to websites which is malicious or is controlled by the attacker. Emails are also the most widely used Delivery mechanisms, that an attacker uses to deliver the Attack payload or the exploit itself. (I shall talk about Delivery mechanisms and the larger Cyber Kill Chain Concept in a later post).

These emails can also contain attachments like Word documents, Spreadsheets, PDF files, etc.. And embedding objects within these attachments, is one of the easiest ways of delivering the payload, because embedding objects is something that we IT Professionals also use frequently for legitimate reasons. So this is leveraged by attacker to his advantage.

As Amanda Stewart a FireEye says, in her recent post on their blog:

Phishing emails are one of the most common delivery mechanisms for malware authors. The attachments in those phishing emails have a variety of payloads. Well-known delivery methods include: exploiting vulnerabilities in the document program (e.g., doc, xls, rtf), using macros, or embedding user-clickable objects that drop payloads. Out of all these methods, embedding objects in the document is considered a “gray area” because both IT professionals and malware authors use this technique.

In the post, she also talks in detail about the Dos and Don’ts when embedding objects within documents.

Dos

If you must send someone an installation executable or even a form helper program, compress the executable in a password protected ZIP file, where the password is not easily guessable. Using a standardized strong password limits access to users or employees that need to access the program.
Educate your employees to not click on objects in documents without first confirming the source email address.
Enforce content filtering on web and email to prevent employees receiving executable files from the internet
Remove admin/local admin privileges to prevent employees installing new and unknown software onto devices.
Consider Advanced Threat Prevention technologies that can examine emails for sophisticated multi-stage droppers that evade detection of all email security gateways today.

Here is the link to her post; a must read for IT Admins, and also for Security Analysts and Incident Responders: https://www.fireeye.com/blog/threat-research/2015/04/dos_and_don_ts_with.html

Picture courtesy: http://www.cyberoam.com

Digital Intelligence – Whitepaper by GCHQ’s Former Director

David Omand was the Director of GCHQ, from 1996-1997, and the UK’s security and intelligence coordinator from 2000-2005. If you don’t know already, the Government Communications Headquarters (GCHQ) is a British intelligence and security organisation responsible for providing signals intelligence (SIGINT) and information assurance to the British government and armed forces.

He has just published this new paper “Understanding Digital Intelligence and the Norms That Might Govern It.” The paper does have government’s perspective on the whole internet governance topic, a topic which has gained a whole lot of significance & attention after Edward Snowden’s revelations. But it is definitely an interesting read.

Executive Summary:

This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency (NSA) contractor Edward Snowden. Digital intelligence is presented as enabled by the opportunities of global communications and private sector innovation and as growing in response to changing demands from government and law enforcement, in part mediated through legal, parliamentary and executive regulation. A common set of organizational and ethical norms based on human rights considerations are suggested to govern such modern intelligence activity (both domestic and external) using a three-layer model of security activity on the Internet: securing the use of the Internet for everyday economic and social life; the activity of law enforcement — both nationally and through international agreements — attempting to manage criminal threats exploiting the Internet; and the work of secret intelligence and security agencies using the Internet to gain information on their targets, including in support of law enforcement.

He suggests that the norms applicable to digital intelligence, must broadly cover the following. This is definitely reassuring:

There must be sufficient sustainable cause
All concerned must behave with integrity
The methods to be used must be proportionate
There must be right authority
There must be reasonable prospect of success
Necessity

The full paper is available here:

https://www.cigionline.org/sites/default/files/gcig_paper_no8.pdf

Picture courtesy: www.cigionline.org

DigiCert Offers Continuous Monitoring of Digital Certificates to Defeat Fraud

This is a move in the right direction, considering the rampant use of compromised Certificates by hackers to obscure their real identity/motives.

Jason Sabin, CSO of DigiCert, said in an interview that the system is designed to give customers more control of and supervision over the certificates they have in use.

“In some large organizations, you can get people who need to get something done for a certain project so they go and grab a domain and don’t have time to go through whatever process they have in place for getting a certificate,” Sabin said. “So they do it themselves, but then the organization doesn’t know it’s happened, or perhaps it wasn’t done correctly.”

The CertCentral platform that DigiCert is rolling out allows for continuous monitoring of an organization’s certificates, and it also can protect companies against phishing and other attacks that play off of variants of their legitimate domains.

“We can look for people using certificates that are close variants of your domains, like using zeroes for the letter O or things like that,” Sabin said.

Certificate Transparency (CT) is possibly the best approach one can think of today, to detect and prevent unauthorised Certificate usage. But it also has to be noted that the key player behind this initiative, is Google, a company infamous for their thoughts/acts on User Privacy.

Dennis Fisher (@dennisf) has elaborated this in much detail at ThreatPost: https://threatpost.com/digicert-offers-continuous-monitoring-of-digital-certificates-to-defeat-fraud/112227

CT’s official site is also a great read to understand the concept further:

Certificate Logs:

Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates.

Monitors:

Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates.

Auditors:

Auditors are lightweight software components that typically perform two functions. First, they can verify that logs are behaving correctly and are cryptographically consistent. If a log is not behaving properly, then the log will need to explain itself or risk being shut down. Second, they can verify that a particular certificate appears in a log

A must read: http://www.certificate-transparency.org/what-is-ct

Image courtesy: www.hotforsecurity.com

Log Monitoring for e-Commerce: Five Key Areas

e-Commerce has become the most important platform for a Retailer to sell goods. And as the number of financial transactions on e-Commerce sites dramatically increase year-on-year, the more interesting they become to fraudsters and adversaries. The key to detecting security anomalies in this communication channel, is to log every crucial piece of information.

Even from an Operational perspective, it is very important for an e-Commerce company to know exactly what they should log, so that their IT Operations team isn’t overwhelmed with the amount of information being processed and thrown at them for review.

The five key areas to focus on must be:

Checkout: Log every step in the checkout process for errors and set alerts so you know if any part of the process fails.
Shopping cart: Log all add-to-cart failures when they occur, send out an alert, and investigate the problem ASAP. There are a lot of intermittent problems that can create big headaches.
Online catalog/ product page: Look for issues with specific product lines, markets, or other logical groups of products, especially if you have old data or legacy software integrations.
Email signup: Look for both client-side and server-side issues because the business logic resides in both places.
Login & registration. In addition to form submission and validation, focus on authentication and authorization logic as a whole. Log social media login errors, authentication and authorization cookies that may be out-of-sync, and errors from additional authentication checks.

Do checkout his post here: http://apmdigest.com/5-areas-every-e-commerce-business-should-monitor-using-log-data

Image Courtesy: http://www.softprodigy.com