Basic Email and Web Security
IT Security Training
October 12, 2010
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
Agenda
“The Internet is a bad neighborhood.”
Why people are so easily tricked
Characteristics of scam emails – things to look for and tools to help
Can I open this attachment?
Can I click on this link?
Helpful security features built into web browsers
Tools you can add to your web browsers
The value and limitations of anti-virus software (Trend Micro is still your friend)
Misc. cautions/tips/tricks
Q&A
Real K-State Federal Credit Union web site vs. fake K-State Federal Credit Union web site used in spear phishing scam
Spear phishing scam received by K-Staters in January 2010
“Phishing” scams try to trick you into providing private information, like a password or bank acct info. “Spear phishing” targets a specific population – in this case, K-State email users.
The malicious link in the email took you to an exact replica of K-State’s single sign-on web page hosted on a server in the Netherlands which will steal your eID and password if you enter it and “Sign in”. Note the URL highlighted in red – “flushandfloose.nl”, which is obviously not k-state.edu
Fake SSO web page vs. real SSO web page
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – note “https”
Fake SSO web page
Real SSO web page – use the eID verification badge to validate
Result of clicking on eID verification badge on a legitimate K-State web site that uses the eID and password for authentication
Most Effective Spear Phishing Scam
Most effective spear phishing scam
At least 62 replied with password, 53 of which were used to send spam from K-State’s Webmail
Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen
Note characteristics that make it appear legitimate:
“From:” header realistic: "Help Desk" <helpdesk@k-state.edu>
Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”
Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
Asks for “K-State eID” and password
Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam
This one also tricked 62 K-Staters into giving away their eID password
Another effective spear phishing scam
Actually did come from a K-State email account… one that was compromised because the user gave away her eID password in another phishing scam!
How to identify a scam
General principles:
Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
Use common sense and logic – if it’s too good to be true, it probably is.
Think before you click – many have fallen victim due to a hasty reply
Be mistrustful
Don’t be shy about asking for help from your IT support person or the IT Help Desk
How to identify a scam
Characteristics of scam email
Poor grammar and spelling
The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
It asks for private information like a password or account number
The message contains a link where the displayed address differs from the actual web address
It is unexpected (you weren’t expecting Joe to send you an attachment)
Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example: the spear phishing scam that tries to steal your eID password is signed “Webmail administrator”
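The checklist above turned into a small triage script, as an added example that is not part of the training deck: it checks the reply domain, looks for requests for secrets, and compares each link’s displayed address with its real one. SAMPLE is a constructed message modelled on the “Help Desk” spear phishing scam described earlier; the .example domains in it are made up.

```python
# Added example, not from the training deck: score a message against the
# scam checklist above. SAMPLE is constructed to resemble the "KSU.EDU
# WEBMAIL ACCOUNT UPDATE" phish; domains ending in .example are made up.
import email
import re
from email import policy

TRUSTED_DOMAINS = ("ksu.edu", "k-state.edu")
# Requests that neither IT support nor a legitimate business makes by email
SECRET_REQUESTS = ("password", "account number")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

SAMPLE = """\
From: "Help Desk" <helpdesk@k-state.edu>
Reply-To: webmail-admin@mailcontrol-unit.example
Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE
Content-Type: text/html

<p>Your Webmail account was compromised by spammers. Reply with your
K-State eID and password, or sign in at
<a href="http://flushandfloose.example/sso">https://eid.k-state.edu/</a></p>
"""

def sender_domain(header) -> str:
    """Domain part of an address header such as From: or Reply-To:."""
    match = re.search(r"@([\w.-]+)", str(header or ""))
    return match.group(1).lower() if match else ""

def is_trusted(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def link_mismatches(html: str) -> list:
    """Anchors whose visible text is a URL that differs from the real href."""
    bad = []
    for href, text in HREF_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith("http") and shown.rstrip("/") != href.rstrip("/"):
            bad.append((shown, href))
    return bad

def score_message(raw: str) -> dict:
    """Apply the checklist; 'score' counts how many red flags were raised."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Reply-To is where the victim's answer actually goes, so it outranks From:
    reply_domain = sender_domain(msg["Reply-To"]) or sender_domain(msg["From"])
    flags = {
        "untrusted_reply_domain": not is_trusted(reply_domain),
        "asks_for_secret": any(p in body.lower() for p in SECRET_REQUESTS),
        "link_mismatch": bool(link_mismatches(body)),
    }
    flags["score"] = sum(flags.values())
    return flags
```

Note that the realistic-looking From: line alone raises no flag; the Reply-To, the request for a password and the disguised link are what give the message away.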
How to identify a scam
Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
They take advantage of epidemics or health scares, like the H1N1 scam last year
Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious
Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
From the “too good to be true” class of scams
Three K-State students fell for this one in August. Fortunately none lost money, although two might have if alert bank tellers hadn’t caught the counterfeit checks
Useful sources of information
Google – search for a unique phrase in the suspected scam to see what others are reporting about it
Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
K-State’s IT security web site, updated regularly – SecureIT.k-state.edu
Current threats and spear phishing scams posted on K-State’s IT threats blog – threats.itsecurity.k-state.edu/
Evaluating attachments
Don’t open email attachments you were not expecting
From someone you do not know
From someone you know, but weren’t expecting them to send you a file (infected computers can send malicious emails from the owner of the computer to everyone in their email address book)
This is especially true if the content of the email message is brief, vague, and/or unusual
Evaluating attachments
Should I trust this email?
Red flags marked on the example: I don’t know the sender; very brief, vague instructions; unexpected attachment with unknown content
PDF files can carry malicious code; do not trust PDF files unless validated with sender
Evaluating attachments
Ignore or delete it if it’s not expected or important; not worth the risk of opening it and infecting your computer
Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
If there’s any reason to believe it might be legitimate, validate the attachment before opening it
Contact the sender and ask if it is legit
Ask your IT support person or the IT Help Desk
Test it with antivirus software to see if it is a known malicious program
Evaluating attachments
Saving it to your desktop without opening it or executing it is usually safe
If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
If not detected, it is either OK or a new variant of malware
Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 43 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d
Example of malicious email attachments
Four different emails with the following subjects received by many K-Staters in July 2009 and again in November:
Shipping update for your Amazon.com order 254-78546325-658742
You have received A Hallmark E-Card!
Jessica would like to be your friend on hi5!
Your friend invited you to twitter!
Three (somewhat) different attachments:
Shipping documents.zip
Postcard.zip
Invitation card.zip
130+ computers infected in July, 100+ in November; all had to be reformatted and reinstalled from scratch – all because users opened malicious attachments
Malicious Hallmark E-Card
Legitimate Hallmark E-Card
Malicious Amazon Shipping Notice
Legitimate Amazon Shipping Notice
Why was it so effective?
Used familiar services
Amazon.com
Hallmark eCard greeting
Twitter
Sensual invitation (“Jessica would like to be your friend on hi5!”)
Somewhat believable replicas of legitimate emails
Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
New variant that spread quickly, so initial infections were missed by antivirus protection
It had been a long time since an attack came by email attachment, so people were caught off-guard
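How the padded .exe name from the list above can be caught without ever opening the attachment, as an added example that is not part of the training deck: the archive is listed, not extracted, and each entry is checked for an executable extension, a run of spaces that hides it, and a double extension. The sample zip is built in memory from harmless bytes and only imitates the Postcard.zip naming trick.

```python
# Added example, not from the training deck: inspect a .zip attachment
# without extracting it and flag entries whose real extension is hidden
# by padding, as in the Postcard.zip campaign described above. The archive
# below is constructed in memory from harmless bytes.
import io
import re
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar"}
PADDING_RE = re.compile(r"\s{2,}")  # two or more consecutive whitespace chars


def inspect_zip(data: bytes) -> list:
    """One finding dict per archive entry; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            findings.append({
                # Collapse the padding so the reader sees the whole name
                "name": PADDING_RE.sub(" ", name),
                "executable": ext in EXECUTABLE_EXT,
                "padded_name": bool(PADDING_RE.search(name)),
                "double_extension": len(re.findall(r"\.\w{2,4}", name)) > 1,
                "size": info.file_size,
            })
    return findings


def risky_entries(data: bytes) -> list:
    """Names that should stop the user from opening the attachment."""
    return [f["name"] for f in inspect_zip(data)
            if f["executable"] or f["padded_name"]]


def build_sample_zip() -> bytes:
    """Constructed stand-in for Postcard.zip: a 'picture' whose name is
    really <Postcard.jpg><60 spaces>.exe, plus an innocent text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postcard.jpg" + " " * 60 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```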
What can we do?
Remember – Hallmark, amazon.com, Twitter, etc. do not send information or instructions in attachments
Don’t open an attachment unless you are expecting it and have verified it with the sender
Analyze attachments before opening them
Think before you click
Be paranoid!
Web Browsing Threats
Can I click on this?
Beware of email evidently from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
From: Capital One bank <cservice@capitalone.com>
URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
IE8 highlights the actual domain name to help you identify the true source. Here’s a web address from an IRS scam email that’s actually hosted in Pakistan:
Can I click on this?
Beware of domains from unexpected foreign countries
Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
Lithuania: http://kateka.lt/~galaxy/card.exe
Hungary: http://mail.grosz.hu/walmart/survey/
Romania: http://www.hostinglinux.ro/
Russia: http://mpo3do.chat.ru/thanks.html
MANY scams originate in China (country code = .cn)
Country code definitions available at: www.iana.org/domains/root/db/index.html
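The domain check behind both “Can I click on this?” slides above, as an added example that is not part of the training deck: it picks out the registrable domain that IE8’s domain highlighting emphasises, looks up the country code, and flags URLs where a brand name appears only in a subdomain or path. The CCTLD and PUBLIC_SECOND_LEVEL tables are small constructed subsets; a real tool would use the IANA database linked above and the Public Suffix List.

```python
# Added example, not from the training deck: show which part of a URL IE8's
# domain highlighting would emphasise and flag look-alike hosts. CCTLD and
# PUBLIC_SECOND_LEVEL are small constructed subsets; a real tool would use
# the IANA root database linked above and the Public Suffix List.
from urllib.parse import urlsplit

CCTLD = {"kg": "Kyrgyzstan", "pk": "Pakistan", "lt": "Lithuania",
         "hu": "Hungary", "ro": "Romania", "ru": "Russia", "cn": "China",
         "nl": "Netherlands"}
# Labels that are public registries under a country code (e.g. .org.kg)
PUBLIC_SECOND_LEVEL = {"com", "org", "net", "co", "edu", "gov", "ac"}
# Brands from the deck's examples; a hit outside the registrable domain is bad
BRANDS = ("capitalone", "irs.gov", "walmart", "k-state", "ksu")


def registrable_domain(host: str) -> str:
    """The domain someone actually registered: last two labels, or three
    when the second-level label is itself a public registry."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in PUBLIC_SECOND_LEVEL):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(url: str) -> dict:
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    # Brand names placed in a subdomain or path, but not in the real domain
    lookalikes = [b for b in BRANDS if b in url.lower() and b not in domain]
    return {"host": host, "domain": domain, "country": CCTLD.get(tld),
            "https": parts.scheme == "https", "lookalikes": lookalikes}


if __name__ == "__main__":
    for u in ("http://towernet.capitalonebank.com.mj.org.kg/onlineform/",
              "http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php",
              "http://mail.grosz.hu/walmart/survey/",
              "https://eid.k-state.edu/"):
        print(analyse(u))
```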
Can I click on this?
Watch for malicious URLs masked by URL shortening services like:
TinyURL.com
Bit.ly
CloakedLink.com
Can I click on this?
TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
Bit.ly has a Firefox add-on to preview shortened links: addons.mozilla.org/en-US/firefox/addon/10297
It also warns you if the site appears to be malicious:
Malicious Advertisements
Major ad networks (aka “ad aggregators”) affiliated with Google (e.g. Doubleclick.com), Yahoo (yieldmanager.com), Fox and others, covering more than 50% of online ads, have been infiltrated with “poisoned ads” containing malicious code (Source: Avast!)
Happened to the New York Times website last fall
NY Times incident
Ad placed via phone call from a person posing as Vonage, an international phone company and regular advertiser on the NY Times web site
Since Vonage is well known, they allowed the ads to be served by a remote 3rd party host (i.e., not the NY Times web server)
Legitimate Vonage ads displayed all week
During the weekend, the legitimate ad switched to a malicious one that served up fake antivirus scareware which tried to get people to buy bogus security software with a credit card
Malicious Advertisements
Isn’t just NY Times…
ratemyprofessors.com (!!)
msnbc.msn.com
health.msn.com
music.msn.com
astrology.msn.com
realestate.msn.com
usatoday.com
cnbc.com
digg.com
mail.live.com
addictinggames.com
foxsports.com
hollywoodreporter.com
These legitimate sites are not in cahoots with the criminals; they’re just not careful enough in screening ads from third party ad networks
Drive-by Downloads
The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without you knowing it.
Symantec claims every one of the top 100 websites in the world has served up malicious code at some point
JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF reader, Java, or Flash… or all three; this is why a tool like NoScript or something that blocks ads is effective
Drive-by Downloads
Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – make you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100, plus they steal your credit card information
Can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …
Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at virustotal.com before launching
Prevention is keeping Adobe Reader, Flash, and Java updated with the latest security patches
Search Engine Poisoning
Search engines, like Google, are tricked into presenting a malicious link in the top 10 results for popular searches
Known as “Blackhat Search Engine Optimization (SEO) Poisoning”
13% of Google searches for popular or trendy topics yield malicious links
Currently used mostly for fake antivirus scams
Exploit current events, popular topics
January 2010 was an all-time high, with hackers capitalizing on the Haitian earthquake, the release of the movie Avatar, and the announcement of the iPad
Blackhat SEO Poisoning
Search for “Oscars 2010 winners” – malicious pages that infect with FakeAV scareware
Source: Sophos security blog March 8, 2010
Blackhat SEO Poisoning
Examples of exploited topics in 2010:
Tiger Woods car wreck, affairs
Death of Patrick Swayze
Affair of Sandra Bullock’s husband with Michelle “Bombshell” McGee
Rumored death of Bill Cosby (pretty common to make up a sensational hoax)
Chilean earthquake
Moscow subway explosions
Plane crashing into IRS building in Austin, TX
Sea World killer whale attack
Sentencing of TJX hacker
Oscars
Kids’ Choice Awards
Olympics (esp. death of Georgian luge athlete)
March Madness basketball tournament
Browser features – IE8
Domain highlighting
Browser features – IE8
Pop-up blocker – if it causes a problem with an application, add a specific exception; don’t turn off the pop-up blocker
If you don’t see a malicious pop-up message, you won’t be duped by it.
Browser features – IE8
InPrivate Browsing – good if using a public computer in a lab or Internet Café since it leaves no trace of your browsing activity. The cache (“temporary Internet files”, which are local copies of content from web sites you visited recently), cookies, and browser history (web addresses of sites you visited recently) are not stored.
Browser features - Firefox
Anti-phishing and anti-malware protection – detects and blocks access to known malicious sites and downloads
Browser features - Firefox
Pop-up Blocker
Similar to IE; add exceptions at Tools->Options->Content
Private browsing – cache, cookies, and history not saved, just like “InPrivate Browsing” in IE
Instant Website ID – provides detailed identity information, if available, about the site:
Browser add-ons
Web of Trust from www.mywot.com
Available for Firefox, IE, Google Chrome
Rates web sites on:
Trustworthiness
Vendor reliability
Privacy
Child safety
Warns you if you are about to visit a poorly rated site
Tags ratings in Google search results, which is really helpful for detecting Blackhat SEO Poisoning
Also tags links in web-based email like K-State’s Zimbra Webmail and Gmail
Provides user comments about the site and its rating
Browser add-ons
NoScript from noscript.net
Extension for Firefox (not available for IE)
Prevents execution of JavaScript, Java, and Flash – the most common culprits for web-based attacks
Can selectively allow trusted sites
Often able to view content of interest without enabling all scripts – you don’t need to see the ads or that cute Flash animation!
Takes some getting used to, and it takes a while to build up the exceptions for trusted sites so it’s not always getting in the way of your productive use of the web
Recognizing Fake Antivirus Alerts
Actual pop-up alert from Trend Micro OfficeScan:
Recognizing Fake Antivirus Alerts
Example of a Fake AV “scareware” alert that tries to trick you into buying worthless software to fix a non-existent infection:
Misc. Tips/Tricks
Use a Mac
Firefox vs. Internet Explorer (IE)?
Both have vulnerabilities
Both have helpful security features
ActiveX in IE has historically been a security concern but is less of a target these days
If you use IE6 or IE7, upgrade to IE8 because of significant security improvements plus application compatibility
Stay away from questionable sites
Pornography
Gambling
Some gaming sites
Peer-to-peer file sharing applications are dangerous since they too have been infiltrated with malware; the movie you download may also have malware attached to it that will infect
Misc. Tips/Tricks
Don’t keep yourself logged into important accounts
Similar to letting the browser store username/password; the effect is the same – anyone with access to the computer has access to those accounts
Never do either on a public computer
Conclusion
There’s no way to be 100% secure surfing the web these days
Use a multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate yourself)
These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate
Think before you click!
What’s on your mind?