Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Dark Reading Radio: The Human Side Of Online Attacks
Newest First  |  Oldest First  |  Threaded View
theb0x
theb0x,
 User Rank: Ninja
6/20/2014 | 12:46:23 AM
Phishing and Your Identity
It seems that the more features we have may bring more trouble to the table than it's worth with email and your identity on the internet.

Everyone loves to personalize their email message body in one way or another. Wheither it be their BOLD font, or company logo in their signature at the bottom. But using HTML markup and viewing embedded images from an internet based source will instantly reveal your public facing IP address to the Phisher leveraging an infinate possibility of attacks to your company network.

The Picture You Never Saw.

The concept is quite simple and highly effective in targeted phishing attacks.

A tiny 1x1 pixel embedded image in the body of the email hosted on the Phisher's webserver logs your IP when the email is viewed.


Right away this raises 3 concerns:

1) When the email is opened it instantly confirms to the Phisher that the user actually viewed it.

2) The Phisher has now identified your User Agent String (Email Client / Web Browser Version etc)

3) They have your IP Address and have already started enumerating all the ports on your Router / Firewall.

 

Because phishing is increasingly more targeted you can see how a simple HTML based email can provide a Phisher with enough intellegence to craft the most effective attack vector against that user.

 

 

 

 

 
theb0x
theb0x,
 User Rank: Ninja
6/19/2014 | 1:22:31 AM
Re: Phishing
I think there are certain departments in a company that continued training could be very useful. For example: Human Resources. They may be more targeted with emails claiming to have an attached resume in regards to an open position. In the process of hiring they may have to sort through dozens if not hundreds of responses to a job listing. How are they to quickly and safely determine wheither or not to view the attachment of the candidate? Because the HR email address is publicly facing the internet this makes it an extremely vulnerable target.

Another prime example is Shipping/Receiving. Employees using online resources to ship and track packages. The most common response I hear after a machine has been compromised is "I was expecting a package so I clicked the tracking link." Again they may have the task of proccessing/tracking hundreds of packages.

We could just take the fun out of email and strip all incoming mail of HTML code and have an improved attachment restrictions and filtering proccess.

But even using signature based and the most advanced heuristic detection teqniques some will still get through.

I also don't expect an end user to be able to analyze IP header information from an email to determine it's origins or legitimacy.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/18/2014 | 4:14:31 PM
Re: Phishing
@DarkReadingTim

It's a touchy call and highly depends upon your users.  For instance, I've supported IT for users that saw us as a reason not to learn anything at all about their computers, outside of typing and reading emails.  On the other hand, I've worked with users that were very interested in learning new things, especially about how to not be victims of malicious email.

I think you also need to ask "What if they fail?  Repeatedly?"  What is the consequence?  I know for some jobs, if you can't certify or reach a certain level of testable knowledge, you can't stay in the role.  Would failing to master the basics or recognizing phishing attempts bring a drastic response?

In general, I love the idea.  Especially if I get to write the CBT :-)  Though I've never been one for certifications or degrees, I absolutely believe a person should be able to demonstrate knowledge of what they are tasked to do.  And if you are tasked to be a responsible employee, then perhaps you should demonstrate that skill.

But, of course, as with any employee testing, you can update this test and put it in front of staff every 6 months, and there will still be victims of phishing, whether the staff pass the tests or not.
DarkReadingTim
DarkReadingTim,
 User Rank: Strategist
6/18/2014 | 2:35:45 PM
Re: Phishing
Interesting idea -- quizzing users on what they know. Our speaker today advocated the use of phishing simulations over quizzes. What do readers think?  Is there a good way to test users to see what they know or don't know about phishing attacks and how to spot them?
theb0x
theb0x,
 User Rank: Ninja
6/18/2014 | 2:32:03 PM
Phishing
There is an excellent resource worth checking out to test your ability to recognize phishing attacks.

It's called the SonicWall Phishing IQ Test. You can find it here: http://www.sonicwall.com/furl/phishing/

 

What I like is that it provides an explaination at the end for each question.  You or your employees/clients just might learn something. 

I got 100% first try but I must say some of them are quite tricky. Look closely at each example!
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/18/2014 | 8:55:17 AM
Great topic & speaker -- Be there or be square!
Some logistal suggestions for newbies to our radio show. To access the broadcast and live chat, you will need to register for the site and today's broadcast, which may require you to temporarily disable your popup blocker. 

If you can't attend today's event, the audio will be available after the fact, as well as the transcript to the text chat.

Finally, if you have specific questions or comments about the topic, you can post them in advance here and we will deliver them to our virtual radio studio for our guest to address.

 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file