Basic Email and Web Security - PowerPoint PPT Presentation

Basic Email and Web Security. IT Security Training October 12, 2010 Harvard Townsend Chief Information Security Officer harv@ksu.edu. Agenda. “The Internet is a bad neighborhood.” Why people are so easily tricked Characteristics of scam emails – things to look for and tools to help



Basic Email and Web Security

IT Security Training

October 12, 2010

Harvard Townsend

Chief Information Security Officer

harv@ksu.edu



Agenda

“The Internet is a bad neighborhood.”

  • Why people are so easily tricked

  • Characteristics of scam emails – things to look for and tools to help

  • Can I open this attachment?

  • Can I click on this link?

  • Helpful security features built into web browsers

  • Tools you can add to your web browsers

  • The value and limitations of anti-virus software (Trend Micro is still your friend)

  • Misc. cautions/tips/tricks

  • Q&A


Slide 3 (screenshots)

Fake K-State Federal Credit Union web site used in a spear phishing scam, beside the real K-State Federal Credit Union web site


Slide 4 (screenshot)

Spear phishing scam received by K-Staters in January 2010

“Phishing” scams try to trick you into providing private information, like a password or bank account info. “Spear phishing” targets a specific population – in this case, K-State email users.


Slide 5 (screenshot)

The malicious link in the email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which will steal your eID and password if you enter them and click “Sign in”. Note the URL highlighted in red – “flushandfloose.nl”, which is obviously not k-state.edu.


Slide 6 (screenshots)

Fake SSO web page beside the real SSO web page


Slide 7 (screenshots)

Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)

Real SSO web page – note “https”


Slide 8 (screenshots)

Fake SSO web page

Real SSO web page – use the eID verification badge to validate


Slide 9 (screenshot)

Result of clicking on eID verification badge on a legitimate K-State web site that uses the eID and password for authentication


Slides 10 to 12 (screenshots)

Most Effective Spear Phishing Scam


Most effective spear phishing scam

  • At least 62 replied with password, 53 of which were used to send spam from K-State’s Webmail

  • Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen

  • Note characteristics that make it appear legitimate:

    • “From:” header realistic: "Help Desk" <helpdesk@k-state.edu>

    • Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”

    • Message body also references realistic terms:

      • “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”

    • Asks for “K-State eID” and password

    • Plausible story (accounts compromised by spammers!!)


Another effective spear phishing scam

This one also tricked 62 K-Staters into giving away their eID password


Another effective spear phishing scam

Actually did come from a K-State email account… one that was compromised because the user gave away her eID password in another phishing scam!



How to identify a scam

  • General principles:

    • Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!

    • Use common sense and logic – if it’s too good to be true, it probably is.

    • Think before you click – many have fallen victim due to a hasty reply

    • Be paranoid

    • Don’t be timid about asking for help from your IT support person or the IT Help Desk



How to identify a scam

  • Characteristics of scam email

    • Poor grammar and spelling

    • The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address

    • Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)

    • It asks for private information like a password or account number

    • The message contains a link where the displayed address differs from the actual web address

    • It is unexpected (you weren’t expecting Joe to send you an attachment)

    • Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example: the spear phishing scam that tries to steal your eID password is signed “Webmail administrator”
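
The header and link checks in this list can be automated. As an added example (not code from the presentation), the Python script below scores a raw message for the characteristics above: a From or Reply-To address outside the organisation’s domains, a request for a password or account number, and a link whose displayed address differs from its real target. The sample message is constructed and the TRUSTED_DOMAINS list is an assumption.

```python
"""Flag the scam-email characteristics listed above in a raw message.
Added example, not from the original presentation: the sample message is
constructed and TRUSTED_DOMAINS (the organisation's own domains) is an assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"ksu.edu", "k-state.edu"}
SECRET_REQUEST = re.compile(r"\b(password|account number|eid)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header_value):
    """Domain part of an address header such as '"Help Desk" <x@k-state.edu>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def host_of(text):
    """Host name if the text looks like a URL, otherwise an empty string."""
    m = re.match(r"https?://([^/:?#\s]+)", text.strip(), re.I)
    return m.group(1).lower() if m else ""

def scam_indicators(raw_message):
    """Return a list of warnings; an empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    if from_dom not in TRUSTED_DOMAINS:
        warnings.append(f"From: is not a trusted domain ({from_dom})")
    if reply_dom != from_dom:  # replies go somewhere other than the claimed sender
        warnings.append(f"Reply-To domain ({reply_dom}) differs from From ({from_dom})")
    body = msg.get_payload()
    if SECRET_REQUEST.search(body):
        warnings.append("message asks for private information")
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:  # displayed address vs. real target
        if host_of(shown) and host_of(shown) != host_of(href):
            warnings.append(f"displayed link {shown} really goes to {href}")
    return warnings

# Constructed sample modelled on the "KSU.EDU WEBMAIL ACCOUNT UPDATE" scam.
SCAM = """\
From: "Help Desk" <helpdesk@k-state.edu>
Reply-To: webmail.admin@example.net
Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE
Content-Type: text/html

<p>Spammers have compromised accounts. Reply with your K-State eID and password,
or sign in at <a href="http://example.net/sso">http://signin.k-state.edu</a>.</p>
<p>Webmail administrator</p>
"""

if __name__ == "__main__":
    for warning in scam_indicators(SCAM):
        print("WARNING:", warning)
```

A message that passes every check is not proven legitimate; the checks only catch the patterns on the slide, so the other advice (verify out of band) still applies.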



How to identify a scam

  • Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina asking for donations and mimicking a Red Cross web site)

  • Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season

  • They take advantage of epidemics or health scares, like the H1N1 scam last year

  • Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.

  • If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)

  • Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious

  • Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is


From the “too good to be true” class of scams

  • Three K-State students fell for this one in August. Fortunately none lost money, although two might have if alert bank tellers hadn’t caught the counterfeit checks


From the “too good to be true” class of scams (screenshot)



Useful sources of information

  • Google – search for unique phrase in the suspected scam to see what others are reporting about it

  • Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1

  • Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com

  • Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/

  • K-State’s IT security web site, updated regularly: SecureIT.k-state.edu

  • Current threats and spear phishing scams are posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/



Evaluating attachments

  • Don’t open email attachments you were not expecting

    • From someone you do not know

    • From someone you know, but weren’t expecting them to send you a file (infected computers can send malicious emails from the owner of the computer to everyone in their email address book)

    • This is especially true if the content of the email message is brief, vague, and/or unusual



Evaluating attachments

  • Should I trust this email?


Evaluating attachments

  • Should I trust this email? (annotated screenshot)

    • I don’t know the sender

    • Very brief, vague instructions

    • Unexpected attachment with unknown content

    • PDF files can carry malicious code; do not trust PDF files unless validated with the sender



Evaluating attachments

  • Ignore or delete it if it’s not expected or important; not worth the risk of opening it and infecting your computer

  • Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems

  • If there’s any reason to believe it might be legitimate, validate the attachment before opening it

    • Contact the sender and ask if it is legit

    • Ask your IT support person or the IT Help Desk

    • Test it with antivirus software to see if it is a known malicious program



Evaluating attachments

  • Saving it to your desktop without opening it or executing it is usually safe

    • If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)

    • If not detected, it is either OK or a new variant of malware

  • Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)

  • If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 43 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d


Example of malicious email attachments

  • Four different emails with the following subjects received by many K-Staters in July 2009 and again in November:

    • Shipping update for your Amazon.com order 254-78546325-658742

    • You have received A Hallmark E-Card!

    • Jessica would like to be your friend on hi5!

    • Your friend invited you to twitter!

  • Three (somewhat) different attachments:

    • Shipping documents.zip

    • Postcard.zip

    • Invitation card.zip

  • 130+ computers infected in July, 100+ in November; all had to be reformatted and reinstalled from scratch – all because users opened malicious attachments


Slide 28 (screenshot): Malicious Hallmark E-Card

Slide 29 (screenshot): Legitimate Hallmark E-Card

Slide 30 (screenshot): Malicious Amazon Shipping Notice

Slide 31 (screenshot): Legitimate Amazon Shipping Notice



Why was it so effective?

  • Used familiar services

    • Amazon.com

    • Hallmark eCard greeting

    • Twitter

  • Sensual enticement (“Jessica would like to be your friend on hi5!”)

  • Somewhat believable replicas of legitimate emails

  • Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)

  • Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces

  • New variant that spread quickly, so initial infections were missed by antivirus protection

  • It had been a long time since an attack came by email attachment, so people were caught off-guard
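
The .zip tricks on this slide and on the earlier “Evaluating attachments” slide (an executable inside a .zip, its name padded with spaces so the .exe extension scrolls out of view) can be checked before anything is opened. Added example, not from the presentation: the archive is built in memory to mimic the padded name, and the extension lists are assumptions.

```python
"""Inspect a .zip attachment for disguised executables without extracting it.
Added example, not from the original presentation: the archive is constructed in
memory to mimic the padded "Postcard.jpg        .exe" trick; EXECUTABLE_EXT and
DECOY_EXT are assumptions.
"""
import hashlib
import io
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".txt"}


def member_warnings(name):
    """Warnings for one archive member name (empty list when nothing looks off)."""
    warnings = []
    base = name.rsplit("/", 1)[-1]  # strip any directory prefix
    real_ext = "." + base.rpartition(".")[2].lower() if "." in base else ""
    if real_ext in EXECUTABLE_EXT:
        warnings.append(f"executable member ({real_ext})")
    # A long run of blanks before the real extension pushes it out of view in a
    # file-manager column, so the user only sees "Postcard.jpg".
    if re.search(r"[ \t\u00a0]{4,}\.[A-Za-z0-9]{1,4}$", base):
        warnings.append("whitespace padding before the extension")
    m = re.search(r"\.([A-Za-z0-9]{1,4})\s+\.([A-Za-z0-9]{1,4})$", base)
    if m and "." + m.group(1).lower() in DECOY_EXT:
        warnings.append(f"double extension: shown as .{m.group(1)}, really .{m.group(2)}")
    return warnings


def inspect_zip(data):
    """Map every member name of a zip (given as bytes) to its warnings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: member_warnings(info.filename) for info in zf.infolist()}


def sha256_hex(data):
    """Hash of the whole attachment, for looking it up in a multi-engine scanner."""
    return hashlib.sha256(data).hexdigest()


def build_sample():
    """Constructed archive: a harmless text file plus a padded .exe member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "just a note")
        zf.writestr("Postcard.jpg" + " " * 60 + ".exe", b"MZ" + b"\0" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("sha256:", sha256_hex(sample))
    for member, warnings in inspect_zip(sample).items():
        print(repr(member.rstrip()[:40]), warnings or ["nothing suspicious"])
```

Only the member names are examined, so the archive is never extracted; the hash is what you would paste into a multi-engine scanner such as the one mentioned on the “Evaluating attachments” slide.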



What can we do?

  • Remember - Hallmark, amazon.com, Twitter, etc. do not send information or instructions in attachments

  • Don’t open an attachment unless you are expecting it and have verified it with the sender

  • Analyze attachments before opening them

  • Think before you click

  • Be paranoid!



Web Browsing Threats

  • Malicious links/sites – to click or not to click, that is the question.

  • Malicious advertisements

  • Drive-by Download (don’t even have to click!)

  • Search engines tricked to present malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning)



Can I click on this?

  • Watch for a displayed URL (web address) that does not match the actual one:
    displayed: http://update.microsoft.com/microsoftupdate
    actual: http://64.208.28.197/ldr.exe

  • Beware of a link that executes a program (like ldr.exe above)

  • Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html

  • Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/



Can I click on this?

  • Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
    From: Capital One bank <cservice@capitalone.com>
    URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/

  • IE8 highlights the actual domain name to help you identify the true source. Here’s a web address from an IRS scam email that’s actually hosted in Pakistan: (screenshot)



Can I click on this?

  • Beware of domains from unexpected foreign countries:

    • Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/

    • Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php

    • Lithuania: http://kateka.lt/~galaxy/card.exe

    • Hungary: http://mail.grosz.hu/walmart/survey/

    • Romania: http://www.hostinglinux.ro/

    • Russia: http://mpo3do.chat.ru/thanks.html

  • MANY scams originate in China (country code = .cn)

  • Country code definitions available at: www.iana.org/domains/root/db/index.html



Can I click on this?

  • Watch for malicious URLs cloaked by URL shortening services like:

    • TinyURL.com

    • Bit.ly

    • CloakedLink.com



Can I click on this?

  • TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See tinyurl.com/preview.php to enable it in your browser (it sets a cookie)

  • Bit.ly has a Firefox add-on to preview shortened links: addons.mozilla.org/en-US/firefox/addon/10297. It also warns you if the site appears to be malicious:


Can I click on this? (screenshot)
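
The URL patterns on the “Can I click on this?” slides, as an added example that is not part of the presentation: a Python checker applied to the links quoted above. The brand list, the shortener list, the expected country codes and the naive registrable-domain rule are assumptions.

```python
"""Heuristics for the suspicious-URL patterns on the "Can I click on this?" slides.
Added example, not from the original presentation. The URLs at the bottom are the
ones quoted on the slides; BRANDS, SHORTENERS and EXPECTED_CC are assumptions, and
registrable_domain() is a naive approximation that ignores the public-suffix list.
"""
import ipaddress
from urllib.parse import urlsplit

BRANDS = ("microsoft", "capitalone", "irs.gov", "walmart", "amazon")
SHORTENERS = {"tinyurl.com", "bit.ly", "cloakedlink.com"}
EXPECTED_CC = {"us"}  # two-letter country codes this audience expects to see
EXEC_EXT = (".exe", ".scr", ".bat", ".pif")


def is_ip(host):
    """True for a bare numeric address such as 64.208.28.197."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def registrable_domain(host):
    """Last two labels, e.g. 'towernet.capitalonebank.com.mj.org.kg' -> 'org.kg'."""
    return ".".join(host.split(".")[-2:])


def _host(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def url_warnings(actual, displayed=None):
    """Warnings for a link target; `displayed` is the address shown to the user."""
    host = _host(actual)
    path = urlsplit(actual if "://" in actual else "http://" + actual).path.lower()
    reg = registrable_domain(host)
    warnings = []
    if displayed and registrable_domain(_host(displayed)) != reg:
        warnings.append(f"displayed {_host(displayed)} but really goes to {host}")
    if is_ip(host):
        warnings.append("numeric IP address instead of a domain name")
    if path.endswith(EXEC_EXT):
        warnings.append(f"link runs a program ({path.rsplit('/', 1)[-1]})")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    tld = host.rsplit(".", 1)[-1]
    if not is_ip(host) and len(tld) == 2 and tld not in EXPECTED_CC:
        warnings.append(f"unexpected country-code domain .{tld}")
    for brand in BRANDS:
        if brand in reg:
            continue  # the brand really owns this registrable domain
        if brand in host:
            warnings.append(f"'{brand}' is only a subdomain of unrelated {reg}")
        elif brand in path:
            warnings.append(f"'{brand}' appears in the path under unrelated {reg}")
    return warnings


# Links quoted on the slides above (displayed text given where the slide shows it).
SLIDE_LINKS = [
    ("http://64.208.28.197/ldr.exe", "http://update.microsoft.com/microsoftupdate"),
    ("http://168.234.153.90/include/index.html", None),
    ("http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/", None),
    ("http://towernet.capitalonebank.com.mj.org.kg/onlineform/", None),
    ("http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php", None),
    ("http://kateka.lt/~galaxy/card.exe", None),
    ("http://mail.grosz.hu/walmart/survey/", None),
]

if __name__ == "__main__":
    for actual, shown in SLIDE_LINKS:
        print(actual, "->", url_warnings(actual, shown) or ["nothing flagged"])
```

Because registrable_domain() takes only the last two labels, hosts under suffixes like co.uk are compared too coarsely; a real deployment would use the public-suffix list.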



Malicious Advertisements

  • Major ad networks (aka “ad aggregators”) affiliated with Google (e.g. Doubleclick.com), Yahoo (yieldmanager.com), Fox and others, covering more than 50% of online ads, have been infiltrated with “poisoned ads” containing malicious code (Source: Avast!)

  • Happened to the New York Times website last fall



NY Times incident

  • Ad placed via phone call from person posing as Vonage, an intl phone company and regular advertiser on NY Times web site

  • Since Vonage well known, they allowed ads to be served by remote 3rd party host (i.e., not the NY Times web server)

  • Legitimate Vonage ads displayed all week

  • During the weekend, the legitimate ad switched to a malicious one that served up fake antivirus scareware which tried to get people to buy bogus security software with a credit card



Malicious Advertisements

  • Isn’t just NY Times…

    • ratemyprofessors.com (!!)

    • msnbc.msn.com

    • health.msn.com

    • music.msn.com

    • astrology.msn.com

    • realestate.msn.com

    • usatoday.com

    • cnbc.com

    • digg.com

    • mail.live.com

    • addictinggames.com

    • foxsports.com

    • hollywoodreporter.com

  • These legitimate sites are not in cahoots with the criminals, they’re just not careful enough in screening ads from third party ad networks



Drive-by Downloads

  • The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without you knowing it.

  • Symantec claims every one of the top 100 websites in the world have served up malicious code at some point

  • JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF reader, Java, or Flash… or all three; this is why a tool like NoScript or something that blocks ads is effective



Drive-by Downloads

  • Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – make you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100, plus they steal your credit card information

  • Can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …

  • Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at virustotal.com before launching

  • Prevention is by keeping Adobe Reader, Flash, and Java updated with latest security patches


Search Engine Poisoning

  • Search engines, like Google, are tricked into presenting a malicious link in the top 10 results for popular searches

  • Known as “Blackhat Search Engine Optimization (SEO) Poisoning”

  • 13% of Google searches for popular or trendy topics yield malicious links

  • Currently used mostly for fake antivirus scams

  • Exploit current events, popular topics

    • January 2010 an all-time high with hackers capitalizing on Haitian earthquake, release of movie Avatar, and announcement of the iPad


Blackhat SEO Poisoning

Screenshot: search for “Oscars 2010 winners” – malicious pages that infect with FakeAV scareware

Source: Sophos security blog, March 8, 2010


Blackhat SEO Poisoning

  • Examples of exploited topics in 2010:

    • Tiger Woods car wreck, affairs

    • Death of Patrick Swayze

    • Affair of Sandra Bullock’s husband with Michelle “Bombshell” McGee

    • Rumored death of Bill Cosby (pretty common to make up a sensational hoax)

    • Chilean earthquake

    • Moscow subway explosions

    • Plane crashing into IRS building in Austin, TX

    • Sea World killer whale attack

    • Sentencing of TJX hacker

    • Oscars

    • Kids’ Choice Awards

    • Olympics (esp. death of Georgian luge athlete)

    • March Madness basketball tournament

    • April Fools Day (a natural…)


Blackhat SEO Poisoning

  • How do I prevent it?

    • Be paranoid – think before you click!

    • Pay attention to the link – only visit reputable sites; think before you click

    • Pay attention to warnings from anti-phishing filters, Trend Micro WRS, and other tools you might use to detect malicious links (see later slides)

    • If you click on a search result and security warnings like this pop up, do NOT click on anything – contact your IT support person


Blackhat SEO Poisoning

  • How do I prevent it?

    • Run antivirus software and keep it up-to-date (required to use Trend Micro on campus)

    • Keep ALL software patched, including the web browsers and plug-ins, Adobe products, Flash, and Java

      • VERY challenging for IT staff, let alone your average user

      • Recent study found that average home user would have to patch 75 times per year (once every 5 days!) using 22 different patching mechanisms



What’s a feller to do?

If you’re not scared by now, then I’m worried about you and I pity your IT support person



Browser features – IE8

  • Domain highlighting

  • SmartScreen filtering – block access to malicious sites and file downloads



Browser features – IE8

  • Pop-up blocker – if it causes a problem with an application, add a specific exception; don’t turn off the pop-up blocker

  • If you don’t see a malicious pop-up message, you won’t be duped by it.



Browser features – IE8

  • InPrivate Browsing – good if using a public computer in a lab or Internet Café since it leaves no trace of your browsing activity. The cache (“temporary Internet files” which are local copies of content from web sites you visited recently), cookies, and browser history (web address of sites you visited recently) are not stored.



Browser features - Firefox

  • Anti-phishing and anti-malware protection – detects and blocks access to known malicious sites and downloads



Browser features - Firefox

  • Pop-up Blocker

    • Similar to IE; add exceptions at Tools->Options->Content

  • Private browsing – cache, cookies, and history not saved, just like “InPrivate Browsing” in IE

  • Instant Website ID – provides detailed identity information, if available, about the site:



Browser add-ons

Web of Trust from www.mywot.com

  • Available for Firefox, IE, Google Chrome

  • Rates web sites on

    • Trustworthiness

    • Vendor reliability

    • Privacy

    • Child safety

  • Warns you if about to visit a poorly rated site

  • Tags ratings in Google search results, which is really helpful for detecting Blackhat SEO Poisoning

  • Also tags links in web-based email like K-State’s Zimbra Webmail and Gmail

  • Provides user comments about the site and its rating



Browser add-ons

NoScript from noscript.net

  • Extension for Firefox (not available for IE)

  • Prevents execution of JavaScript, Java, and Flash – the most common culprits for web-based attacks

  • Can selectively allow trusted sites

  • Often able to view content of interest without enabling all scripts – you don’t need to see the ads or that cute Flash animation!

  • Takes some getting used to and it takes a while to build up the exceptions for trusted sites so it’s not always getting in the way of your productive use of the web



Browser add-ons

Adblock Plus from adblockplus.org

  • Again, only for Firefox (IE is not nearly as extensible as Firefox!)

  • I haven’t used this tool but others have recommended it for blocking advertisements

  • Some have argued against blocking ads since they provide the revenue that allows so much free content on the web



Help from Trend Micro

  • Web Reputation Services (WRS)

    • Blocks access to known disreputable sites

    • Enabled in both Windows and Mac versions

    • K-State IT security team regularly reports new malicious links to Trend to add to the block list

  • Also provides traditional “antivirus” malware protection


Trend Micro WRS is your friend (screenshot)


Recognizing Fake Antivirus Alerts

Actual pop-up alert from Trend Micro OfficeScan: (screenshot)


Recognizing Fake Antivirus Alerts

Example of a Fake AV “scareware” alert that tries to trick you into buying worthless software to fix a non-existent infection: (screenshot)



Misc. Tips/Tricks

  • Use a Mac

  • Firefox vs. Internet Explorer (IE)?

    • Both have vulnerabilities

    • Both have helpful security features

    • ActiveX in IE has historically been a security concern but is less of a target these days

    • If you use IE6 or IE7, upgrade to IE8 because of significant security improvements plus application compatibility

  • Stay away from questionable sites

    • Pornography

    • Gambling

    • Some gaming sites

  • Peer-to-peer file sharing applications are dangerous since they too have been infiltrated with malware; the movie you download may also have malware attached to it that will infect your computer when you try to run the movie.



Misc. Tips/Tricks

“… because that’s where the money is.” Willie Sutton, famous 19th century bank robber on why he robs banks

  • Beware of where you do your online banking – cybercriminals are actively hunting you online and targeting your computer because “that’s where the money is”

  • 66 instances of Torpig malware at K-State thus far in 2010, 34 in 2009 – steals username/passwords and banking info

  • The American Bankers Association recommends using a dedicated computer for online banking since malware typically gets on a computer via web surfing or email

  • A low-end $500 PC or netbook is good for this, or re-purpose the old computer when you upgrade

  • Make sure your banking computer is protected with a strong password

  • At the very least, don’t do online banking on the same home computer your children (and their friends) use!

  • Create a separate regular user account for your children on your home computer(s)!!



Misc. Tips/Tricks

  • Don’t let your browser store/remember important passwords like:

    • eID

    • Financial accounts

  • 38% of bank account or username/password information stolen by Torpig malware came from the browser’s password store on the compromised computer

  • Password-protect the browser password store



Misc. Tips/Tricks

  • Don’t keep yourself logged into important accounts

  • Similar to letting the browser store username/password; the effect is the same – anyone with access to the computer has access to those accounts

  • Never do either on a public computer



Conclusion

  • There’s no way to be 100% secure surfing the web these days

  • Use multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate yourself)

  • These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate

  • Think before you click!



What’s on your mind?

