
Vulnerabilities / Threats

6/18/2020
02:00 PM
Len Shneyder
Commentary

The Bigger the News, the Bigger the Cyber Threats

Criminals use disasters, wars, and now pandemics as air cover to focus collective anxiety and fear into highly targeted, malicious messaging.

Cybercriminals are the world's greatest opportunists. It's not unusual to see retailers react and respond to things in the news — holidays alone are evidence of this. However, nothing sells like an emergency, and this is even more true for criminals who use disasters, wars, and now pandemics as air cover to focus collective anxiety and fear into highly targeted, malicious messaging. 

Cybersecurity professionals have a saying: "It's easier to hack people than systems." I think it's appropriate to add that people desperate for answers, solutions, cures, and vaccines are even easier to hack than those who have the space and time to consider the consequences of clicking a link, making a purchase, or logging in to a site they're not sure is real. 

COVID-19 has created a massive opportunity for the criminal underground — COVID-related abuse skyrocketed by as much as 14,000% in a matter of weeks. Trusted sources of information like the World Health Organization, Centers for Disease Control, and others are being targeted by criminals using their names and brands to hide beneath. 

This identity and trust problem isn't new. COVID didn't create the Internet's digital messaging woes — though it exacerbated the problem. Because we are glued to our phones, laptops, and televisions, desperate for any inkling that something will change for the better in the days and weeks to come, the opportunity is rife for abuse. 

So, what can we do about this?

First, Let's Define the Problem
Phishing is a social engineering attack that is most often, but not always, conducted through email. The thrust of phishing messages can be anything from asking recipients to reconfirm their password (creating fear that their account has been limited or suspended) to any number of other lures that compel us to log in to a fake site or send personally identifiable information to some netherworld where we're fleeced for as much as fraudsters can grab. 

The rise of phishing tracks with the growth of the Internet and the growth of the Internet's first and most widely used communication mechanism: email. Email, as an open framework for people to share ideas and information (and yes, cat videos and memes) was designed more than 40 years ago when today's use cases weren't yet fathomable. It went largely unsecured over the years. However, as more people and businesses began to rely on the medium, the criminal world took notice. In the early 2000s, the problem had come to a head. As more people signed up, more abuse began to happen. 

The Solutions Have Been Around
Organizations like the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) were created to deal with problems of massive scale. Email was the first problem the organization and its members began to tackle, and they continue to work on it today as the threat landscape and countermeasures have evolved.

Over the last 15 years, the Internet Engineering Task Force (IETF) has standardized new technologies to make it harder for cybercriminals to abuse the domains that send legitimate email. Three of these technologies — each a different component of email authentication — are essential to preventing a significant amount of the fraud we see today. 

M3AAWG and its member organizations have endorsed the widespread adoption, use, and implementation of these technologies to protect wanted and crucial communications.

At its core, phishing is a social engineering attack that hijacks the trustworthiness of email. Recipients trust the From domain they see when a message arrives. Until email authentication was developed, anyone could send a message that appeared to come from any domain. With the following authentication standards in place, organizations and individuals can trust that the COVID-19 information they're sending or receiving is safe, accurate, and, in some cases, actionable. Our health and well-being should be the top priority right now, not being one click away from a digital catastrophe. 

Sender Policy Framework (SPF)
At its core, SPF is a simple list that a domain owner publishes, telling the world which services are allowed to send mail for the domain. When an email is received, a simple check can validate if it has been approved. On its own, this does not stop abuse, but it is part of a layered system of checks and balances that help mailbox providers, such as M365, Gmail, and Yahoo Mail, discern the good from the bad.

While it's conceptually simple, there's a lot of technical nuance in maintaining a proper SPF record. Here's a detailed rundown of how to manage yours.

Domain Keys Identified Mail (DKIM)
DKIM is a cryptographic method of signing email. It attaches a signature to each message using public key cryptography, which has the added benefit of revealing whether a message has been modified after it was sent, a property that is ideal for stopping malicious tampering.

It's important that all parties not only sign all outgoing mail with DKIM but also ensure the DKIM signatures are aligned with the sending domain in the from header field.
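The "modified after it was sent" property comes from the `bh=` tag of the DKIM-Signature header, which holds a hash of the canonicalized body. The following added example (not code from the article) implements the RFC 6376 body canonicalization and body-hash check with the standard library only; the message body and header are constructed, and the `b=` value is a placeholder because verifying the header signature itself needs the signer's public key from DNS, which this example does not fetch.

```python
import base64
import hashlib
import re


def canonicalize_body(body, algorithm="relaxed"):
    """Canonicalize a body as RFC 6376 section 3.4 describes.

    'simple' drops empty lines at the end of the body; 'relaxed' additionally
    strips trailing whitespace on each line and collapses runs of whitespace
    to a single space, so harmless reformatting does not break the hash.
    """
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif algorithm != "simple":
        raise ValueError("unknown body canonicalization: %s" % algorithm)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to a lone CRLF (simple) or nothing (relaxed).
        return b"\r\n" if algorithm == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algorithm="relaxed", hash_name="sha256"):
    """Compute the value a signer would place in the bh= tag."""
    digest = hashlib.new(hash_name, canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(body, dkim_signature):
    """True if the body still hashes to the bh= value the signer committed to."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    hash_name = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return tags.get("bh") == body_hash(body, body_canon, hash_name)


# Constructed sample body and DKIM-Signature header (not from the article).
# b= is a placeholder: checking it requires the public key published at
# <selector>._domainkey.<domain>, which is outside this example.
CONSTRUCTED_BODY = "Hello,\r\n\r\nPlease see the attached  guidance. \r\n\r\n\r\n"
CONSTRUCTED_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2020;"
    " h=from:to:subject:date; bh=" + body_hash(CONSTRUCTED_BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("original body matches:", body_hash_matches(CONSTRUCTED_BODY, CONSTRUCTED_SIGNATURE))
    tampered = CONSTRUCTED_BODY + "Updated link: see below\r\n"
    print("tampered body matches:", body_hash_matches(tampered, CONSTRUCTED_SIGNATURE))
```

The `d=` tag parsed here is the domain a receiver compares with the From header when it checks the alignment the paragraph above calls for; the comparison itself is a DMARC concern and is shown with the DMARC section.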

Domain-based Message Authentication, Reporting and Conformance (DMARC)
The final piece of this puzzle is DMARC. With SPF and DKIM, there's nothing that tells a receiving mail system what to do if a message fails to authenticate. DMARC lets this policy be explicitly published, telling a receiving mailbox provider what to do with messages should they fail a check of both SPF and DKIM.

As with all things, the devil is in the details, and experts strongly advise domain owners to publish this record with a reject policy, ensuring that messages that do not pass aligned SPF or DKIM will not be delivered, shutting out bad guys from the inbox. 
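The reject policy the article recommends, and the "aligned" qualifier that goes with it, can be traced through in code. The added example below (not code from the article or from DMARC.org) parses a constructed `_dmarc.example.org` record, applies the RFC 7489 defaults, checks SPF and DKIM alignment in strict and relaxed mode, and returns the disposition a receiver would apply. The organizational-domain helper is a deliberate simplification (last two labels) noted in the code; production receivers consult the Public Suffix List.

```python
# Constructed DMARC record, as it would be published in the TXT record of
# _dmarc.example.org. The domain and the reporting address are invented.
CONSTRUCTED_DMARC = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
    "rua=mailto:dmarc-reports@example.org"
)


def parse_dmarc(record):
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")     # DKIM alignment is relaxed unless adkim=s
    tags.setdefault("aspf", "r")      # SPF alignment is relaxed unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Assumption of this example: the organizational domain is the last two
    labels. Real receivers use the Public Suffix List (example.co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the authenticated domain align with the RFC5322.From domain?

    Strict ('s') needs an exact match; relaxed ('r') accepts any domain in
    the same organizational domain, e.g. bounce.example.org for example.org.
    """
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM the way a DMARC-aware receiver does.

    spf_domain is the RFC5321.MailFrom domain SPF evaluated; dkim_domain is the
    d= tag of a signature that verified (None if none did). Returns
    (dmarc_result, action) where action is none, quarantine or reject.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough
    # p= covers the policy domain itself, sp= covers its subdomains.
    action = policy["p"] if from_domain.lower() == policy_domain.lower() else policy["sp"]
    # pct= asks receivers to apply the action to only that share of failing
    # mail; the sampling step is left out here, so the action is returned in full.
    return "fail", action


if __name__ == "__main__":
    cases = [
        ("aligned SPF pass", "example.org", "pass", "bounce.example.org", "none", None),
        ("DKIM from subdomain, strict adkim", "example.org", "fail", "example.org", "pass", "mail.example.org"),
        ("third-party envelope sender", "example.org", "pass", "mailhost.example", "none", None),
        ("subdomain From, nothing passes", "news.example.org", "fail", "news.example.org", "fail", None),
    ]
    for label, frm, spf, spf_d, dkim, dkim_d in cases:
        print(label, "->", dmarc_disposition(CONSTRUCTED_DMARC, "example.org", frm, spf, spf_d, dkim, dkim_d))
```

The third case is the one that bites organizations that only publish SPF: a message can pass SPF for the vendor's envelope domain and still be rejected because that domain does not align with the From header readers actually see, which is exactly why the article insists on aligned DKIM signing.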

There are innumerable problems in the world now, and layering on a technical challenge, in addition to the obstacles we're all facing during this crisis, can be monumental. 

If your communications are integral to helping inform and coordinate COVID response, then you need to take the necessary steps to secure your messaging infrastructure. Not only are we relying on scientists to keep us safe, but we have to rely on our tech experts at organizations such as M3AAWG, DMARC.org, APWG, and other tech and policy organizations to keep the systems we treasure free of abuse so that we can all be part of each other's socially distant circles and provide what comfort and care we can during this crisis.

Len Shneyder is Co-Chair of the Election Special Interest Group at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), where industry comes together to work against botnets, malware, spam, viruses, DoS attacks, and other online exploitation to fight ...