
Are you a risk to your company?

Fri, 09/29/2017 - 14:57 -- Redpill Linpro
No aspect of a company is ever more than the sum of its parts. This means that a company's security depends heavily on the awareness and education of its employees. It is not enough that only the dedicated security manager knows all about the latest and best security measures. EVERYONE in the company must be informed on how to stay safe both on an individual and organizational level.

This is why we share tips and information on security on a weekly basis, and here is the second compilation of highly useful security tips. You can read our first compilation here.

Event-based phishing

Phishers and scammers will take advantage of certain current, often time critical, events to add validation or credibility to their scam. Furthermore, disturbing or shocking events will lower people's guards when it comes to questioning the contents of an email.

Some examples of event-based scams:

Natural disasters like hurricanes, floods, and earthquakes: targets in the vicinity of a disaster area may receive an email with an attachment claimed to be a list of survivors, and they are asked to check the list for relatives.

Personal relations: After the ILOVEYOU worm made its rounds, arriving from personal friends, family, and coworkers, people have become aware that malware may very well originate from people you would normally trust. This kind of scam still exists, though.

Famous people: Nigerian scammers will often link to publicly available news articles about some semi-famous or official person from whom you are about to receive a few hundred million dollars.

Tax returns: Timed correctly, an email claiming to include or link to a document showing how much money you will receive from taxes can be quite alluring.

Political events like elections: People can get quite emotional during or after significant political events. A well-formed notification suggesting the outcome of an election, or promising the outcome of some other cliffhanger situation, may be pretty hard to resist.

As always, be alert. If something's too good to be true, it usually is!


Use good pass phrases

A while ago, intruders guessed the password of a Redpill Linpro mail account and used it for spamming. In addition to the general annoyance of more spam for the recipients, a compromised mail account damages the reputation of the abused company. The company's IP range could be blacklisted, causing delivery problems for other legitimate email.

Since the password of the compromised account turned out to be ridiculously trivial to guess, we initiated a quality check of all email passwords. Some available hardware was used to set up a password guessing cluster running the program "John the Ripper". At its peak performance the cluster tries 5.5 million passwords per second.

A password guesser works either by testing candidates from a list of words and well-known passwords, with variations of those words ("password" can be mutated to "p4ssw0rd", "PaSsWoRd", etc.), or by pure brute-forcing (testing all combinations of all possible letters, digits and special characters). The fastest approach is using word lists, which incidentally is also how we humans make up passwords.

Some passwords were found after only a few minutes, while others took more time. The owners of the related mail accounts were contacted and their passwords were changed. The easier passwords found included '6YhnmjU7', '2wsxcde34rfv', 'qweasdzxc123', 'Redpill#2014', and 'Redpill2017'. Note the keyboard patterns of the first three!

After a few days, the password guessing cluster had found almost 8% of the email account passwords. To protect against password guessing, a fairly long passphrase is better than a short and complex password. Check it out here.
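As an added illustration of the checks above (not the article's own tooling, and not John the Ripper itself), the Python below flags the kinds of weak passwords the cluster found: keyboard walks, dictionary words with case or leet mutation, and a company name followed by a year. It also uses the article's 5.5 million guesses per second to show why a character-class estimate overrates such passwords. The word list and the keyboard layout are constructed for the example.

```python
import re

GUESS_RATE = 5.5e6  # guesses per second, as quoted for the article's cluster

# Simplified unshifted QWERTY layout, used to spot keyboard walks like '2wsxcde34rfv'.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {c: (r, i) for r, row in enumerate(_ROWS) for i, c in enumerate(row)}

# Constructed mini word list; a real check loads a full dictionary plus the
# organisation's own names, which is how 'Redpill2017' would be found.
WORDLIST = {"password", "welcome", "summer", "redpill", "linpro"}
_UNLEET = str.maketrans("4301@$5", "aeoiass")  # p4ssw0rd -> password

def _adjacent(a, b):
    """True when both keys are on the layout and touch each other."""
    if a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return max(abs(r1 - r2), abs(c1 - c2)) <= 1

def is_keyboard_walk(pw, threshold=0.66):
    """Flag a password when most consecutive keys are physical neighbours."""
    s = pw.lower()
    if len(s) < 4:
        return False
    hits = sum(_adjacent(a, b) for a, b in zip(s, s[1:]))
    return hits / (len(s) - 1) >= threshold

def dictionary_base(pw):
    """Word-list entry the password is built on, if any: strips surrounding
    digits/symbols ('Redpill#2014'), then undoes case and leet ('p4ssw0rd')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    core = re.sub(r"[^a-z]", "", core.translate(_UNLEET))
    return core if core in WORDLIST else None

def bruteforce_seconds(pw, rate=GUESS_RATE):
    """Worst case for exhaustive search over the character classes used.
    Large values mislead for pattern or dictionary passwords: '6YhnmjU7'
    scores over a year here but is a keyboard walk that rules catch quickly."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    space = sum(n for pat, n in classes if re.search(pat, pw))
    return space ** len(pw) / rate

def check_password(pw):
    """Reasons a guessing cluster would find this password quickly."""
    base = dictionary_base(pw)
    checks = (("shorter than 12 characters", len(pw) < 12),
              ("keyboard walk", is_keyboard_walk(pw)),
              (f"built on a known word: {base}", base is not None))
    return [reason for reason, hit in checks if hit]
```

Running `check_password` over the article's examples reports a keyboard walk for the first three and the company name for the last two, while a four-word passphrase passes all checks.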


SHA-1 hash function broken, and what it means to you

Google and a Dutch institute (CWI) have managed to break the SHA-1 cryptographic hash. A hash is most often used for checksumming files, strings, etc., which in turn makes it useful for verifying file integrity and identifying changes.

As a really silly example, let's say you have agreed to pay SEK123 for something, and you want to make sure no-one changes the amount. The digit sum of the number "123" is 1 + 2 + 3 = 6. If we agree to use the digit sum for verification, we can say that the digit sum 6 confirms that the number 123 has not been modified. The problem with this is that a lot of other numbers will also result in 6 as the digit sum, so you might end up having to pay SEK15000 instead, since 1 + 5 + 0 + 0 + 0 is also 6. Obviously better checksums are required for unique identification, and this is where cryptographic hashes like MD5, SHA-1, SHA-256 etc enter the scene.

What Google and CWI have done is similar to the digit sum example, only with the cryptographic hash SHA-1, where such a collision was thought to be rather improbable. By being able to craft SHA-1 collisions, attackers may make one file look like another. This allows them to do things like hide malware in a file that has been checksummed as known good ("the SHA-1 checksum says it's OK"), replace repository files without automated integrity checks noticing, forge digital certificate signatures, modify ISO images, and so on.

Breaking SHA-1 was not a simple task, and the demonstrated attack took 6,500 years of single-CPU computation, so this is not a standard script kiddie attack. However, now seems like a good time to move from SHA-1 to stronger cryptographic hashes like SHA-256 or SHA-512, or at least not to rely on SHA-1 alone. For instance, several file integrity tools use at least three hashes to keep track of file changes.

More details on the attack can be found here, including information on how web browsers have adjusted to this finding.
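An added example, not code from the article or from Google/CWI, of the multi-hash approach mentioned above: a manifest that records three digests per file, next to the digit-sum checksum from the SEK123 example. The SHA-1 collision is simulated (the helper simply makes the recorded SHA-1 match the forged file), since real colliding inputs are not reproduced here.

```python
import hashlib

def digit_sum(amount):
    """The article's toy checksum: the sum of an amount's decimal digits."""
    return sum(int(d) for d in str(amount))

# Several independent hash functions are recorded per file, as some file
# integrity tools do; a forgery then has to collide all of them at once.
ALGORITHMS = ("sha1", "sha256", "sha512")

def fingerprint(data, algorithms=ALGORITHMS):
    """Hex digest of the same bytes under every listed algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def make_manifest(files):
    """Record digests for a dict of file name -> bytes."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_manifest(files, manifest):
    """Return {file: [algorithms whose digest changed]}; a missing file counts as changed."""
    failures = {}
    for name, recorded in manifest.items():
        current = fingerprint(files.get(name, b""), recorded)
        bad = [alg for alg in recorded if current[alg] != recorded[alg]]
        if bad:
            failures[name] = bad
    return failures

def simulate_sha1_collision(manifest, name, forged):
    """Constructed stand-in for a real collision: pretend the attacker managed
    to make the forged bytes hash to the recorded SHA-1 value, while the other
    digests stay honest. Only the SHA-1 entry of a copy of the manifest changes."""
    patched = {n: dict(digests) for n, digests in manifest.items()}
    patched[name]["sha1"] = hashlib.sha1(forged).hexdigest()
    return patched

if __name__ == "__main__":
    # Constructed sample: the SEK123 invoice from the article's example.
    files = {"invoice.txt": b"Amount due: SEK123\n"}
    manifest = make_manifest(files)
    forged = {"invoice.txt": b"Amount due: SEK15000\n"}
    print(digit_sum(123) == digit_sum(15000))    # True: the toy checksum is fooled
    print(check_manifest(forged, manifest))      # all three digests differ
    patched = simulate_sha1_collision(manifest, "invoice.txt", forged["invoice.txt"])
    print(check_manifest(forged, patched))       # SHA-256 and SHA-512 still catch it
```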

Encryption explained

While most of us agree that encryption is necessary for a lot of purposes, not everyone understands how it really works. Ed Felten, whose name might ring some bells, has written a short and to-the-point primer on encryption. The document has been written with policymakers in mind, avoiding too technical terms and instead focusing on principles and mechanisms.

Even if you're pretty well versed in encryption this could be a useful read, if for no other reason than being better at explaining encryption to others in layman's terms.

The introduction spans only 4.5 pages and you can find it here.


Think before you click

Recently, a Norwegian parliament representative clicked a link in an email he received, unwittingly triggering a mass phishing email submission originating from himself. The parliament's IT department confirms that malicious code was executed on the representative's computer. Whether additional harm was done to the internal network is not known.

Full story (in Norwegian)

For such attacks and exploits, Windows is more often targeted than Linux, but everyone should think twice before following links in emails. Be extra skeptical when receiving emails that urge you to act fast, and/or ask you to provide personal information or otherwise log in somewhere. Clumsy language and unintelligible phrasing are also quite often indicators of malicious intent.

In short: Stop, think, connect!


Activate two-factor authentication whenever possible

More and more services and sites offer two-factor authentication. When you log in to a site or service, two-factor authentication ensures that you are you by requiring more than a single (and sometimes easy to guess) password. Two-factor authentication, "2FA", is based on something you know (your password) as well as something you have (a one-time code sheet, a one-time password token fob) or can obtain (a one-time password sent to your cell phone), or even something you are (retina scans, fingerprint).

The Electronic Frontier Foundation (EFF) is publishing a series of articles explaining how to enable 2FA on a selection of services and sites. Here you can find the introduction article.

Secure SMS and calls with Signal

With a cell phone app called Signal, you can send encrypted SMSes and make encrypted calls, even video calls. The app exists for Android and iOS, and has been highly praised by security professionals. Even under external code review and security audit, where weaknesses tend to be exposed, the product is considered "pretty solid"[1].

When having to communicate passwords and other sensitive info over SMS, you should consider using Signal. Just make sure the recipient uses it as well. Read more here.


Mac malware

When it comes to malware, Linux and Mac users have traditionally been much less targeted than Windows users. However, over the last few months, some new varieties of Mac malware designed for the end users have surfaced. As a recent blog article[1] explains, documents and PDF files with malware infecting Mac systems have been observed.

As usual, two things to remember that will protect you against the majority of malware: 1) keep your systems patched, and 2) think before you click. Read more here.


Stay safe during vacation

On vacation, you're generally supposed to stop thinking about your job and instead relax and recharge. However, when it comes to security you should never drop your guard completely. Here are a few reminders that will help you stay safer when away from your regular environments.

  • Be skeptical of free WiFi. Particularly outside of Europe, or for those still paying through the nose for mobile data even within the EU, it's tempting to connect to open WiFi networks. If you do, keep in mind that your traffic can easily be monitored. Use a VPN if possible, and make sure to use encrypted services for reading email and such.

  • Patch your devices, including cell phones, before leaving home. Connecting to random networks will expose your devices to unknown threats. As ransomware is now also spreading over local networks, make sure you are not a target. If you're bringing a dual-boot laptop, remember to apply security patches to both (all?) operating systems.

  • Protect your information. Some countries might confiscate your devices for inspection at customs, and you may be requested to unlock a device before it is analyzed without you present. If you normally keep confidential/sensitive information on your device, delete it before traveling.

  • Back up before leaving. If your device(s) should be stolen or lost while on holiday, at least make sure you're not losing all your precious content.

  • Encrypt your devices, enable password lock, and consider enabling remote wipe capabilities. Should your device(s) end up in less honest hands, the unit would need to be fully reset before being useful to anyone else.


Who's listening?

When discussing sensitive matters, make sure the conversation is kept private. You can never be sure who is listening in public places. Remember that both our own business plans and strategies, as well as those of our customers, should be considered "business confidential" and could be quite useful to competitors. Business matters or other topics that may be considered sensitive should not be discussed in public places, over the phone while running to catch your train, or even in a lunch room shared with other tenants.

If you're not sure whether certain information should be considered sensitive, you should ask your team leader or the customer. When handling information on behalf of customers, it's usually the customer's (specifically, the "data owner's") responsibility to classify the information's level of confidentiality. If in doubt, do not discuss it if there's a chance of someone overhearing.


E-mails can easily be forged

The protocol that's pretty much the standard for sending email on the Internet is named SMTP, the Simple Mail Transfer Protocol. And the "simple" part holds true. By manipulating email headers, many email clients can easily be tricked into showing a faked sender address without revealing the real one. That way, the recipient can be led to believe the sender is someone else.

Lately, a British individual referring to himself as the "email prankster" has succeeded in tricking multiple officials using even cruder methods. By registering accounts with different freemail providers like Hotmail and Gmail, he has duped gullible recipients, who haven't cared to check the obviously faked (even deliberately misspelled) sender addresses, into revealing embarrassing and even sensitive information. The victims of the email prankster include British banking officials and politicians, and lately White House officials.

When people who really should know better fall for this, it demonstrates how easily we humans can be manipulated. The prankster employs standard social engineering tricks, including on-topic references to current events and issues important to the recipient. That way, the recipient rushes into responding without even suspecting that they are being duped.

More about the email prankster here and his Twitter account.