Tuesday, March 27, 2012

Email safety

2011 saw big-time hacks on huge companies that one would think were fairly secure. Unfortunately, some of these attacks could have been prevented or slowed down by exercising a little more caution with email. The RSA breach started with somebody receiving an email and simply opening an attachment; the attachment was a spreadsheet carrying an exploit for a Flash vulnerability that was unpatched at the time, so opening it was all it took. How could something so simple cause such a problem? It’s really quite easy.

Over the last few years companies have spent the majority of their security budgets on perimeter and endpoint defenses like firewalls, intrusion detection/prevention and anti-virus tools. That kind of takes the fun out of it for most attackers since it makes them actually work to get in. So what do the bad guys do? Get into a different line of work? Ah, probably not. They look for an easier way in. And that easier way usually ends up being getting somebody who already has access to let them in.

Since most employees won’t just blindly give out their passwords (ok, this link would contradict that statement big time), attackers have to be more creative. That is where phishing and other forms of Social Engineering come in. I could probably write a ton on Social Engineering, but I’ll save that for some other time. Phishing is the term for crafting realistic-looking email that entices the recipient to either trigger malicious code or give up sensitive information. That could be anything from a link to a web site that hosts malicious code, to an infected attachment, to flat out asking the person to provide the sensitive information.

It’s not always easy to distinguish the good from the bad now. Well, except for 419 scams. Those are pretty obvious, but oddly enough you still hear about people getting taken for their life’s savings with these scams (see 419 gone bad for a recent incident). In case you haven’t heard about 419s (named for the section of the Nigerian criminal code that covers fraud), they are the strangely worded emails announcing you have the winning ticket in some foreign lottery, or that some long lost relative who happened to be the heir to the king of some obscure country just left you a gazillion dollars. The catch is you have to pay a “slight” processing fee in order to get the money. That is usually followed up by a request for more money, and more money, and so on.

Some popular scams that seem to be picking up speed are masquerading as a relative who is on a trip overseas and has lost their passport and wallet, or was rushed to the hospital and the insurance doesn’t cover it, or was involved in an accident that insurance doesn’t cover, or even, in extreme cases, needs ransom money for kidnappers. It’s not all that hard to make up a believable scenario by researching posts on social media sites like Facebook, Twitter, LinkedIn and Foursquare. People talk about where they are, where they are going and when. They also post pictures that may be geotagged, so the location information is there whether they openly say it or not. All of that information can be extremely helpful when planning a good phishing attack. SonicWall has a phishing test if you want to see some examples.

There are still the old-fashioned attacks where the user is directed to a web site that either plants malicious code like a backdoor just by being visited (a drive-by download) or asks for sensitive information. The site itself may not even be compromised; the malicious code may come from a third-party ad or graphic served on the page. Malicious attachments are still around as well. Doctored Microsoft Office documents are losing ground to doctored PDF files, since a PDF can carry embedded JavaScript, launch actions and other content that hides bad things.

So what can you do to help protect yourself from email attacks?
  • Be aware of things that just don’t look right
    • Maybe you go by your middle name and you get an email from a “friend” addressed to your first name. Maybe something in the email references an old employer or an old address. Look for things that seem out of place.
  • Don’t assume that a message is ok if it is from somebody you know
    • That person may not even know you got the message. It is not difficult at all to spoof the From address on an email to make it look like it’s coming from a known sender.
  • Banks, financial institutions and government agencies will probably never send emails asking to confirm sensitive data by responding to the email or by visiting a provided link
    • That is the general rule, but apparently enough people fall for it that it makes the news quite often.
  • Turn off the mail tool preview pane for the inbox, junk mail and deleted/trash folders
    • Although it is not very common, there are some attacks that can be triggered just by rendering an email, with no click needed. If you have the preview pane turned on, some mail clients will automatically render the top message when you start up. If that message has something bad in it, you don’t even have a chance to stop it from opening.
  • Before clicking on a link in an email, verify the link is actually what you think it is
    • Email in HTML format is notorious for tricking users into clicking on links that don’t go where they think. With HTML, the link can display one thing while the actual URL behind it is something completely different. This exists so you can display a link as “unsubscribe” or “visit web site” instead of having some nasty 200 character URL cluttering up the place, but it works just as well for hiding a bad destination behind a good-looking one. It is a good idea to get into the practice of looking at the underlying URL to see where the link is actually going. How you do this depends on what is available in your mail client. Most will have an option to view source, but that can be really nasty to pick through. An easier option might be to hover over the link and read the URL the client shows in its status bar or tooltip. Some clients offer a “save link” or “copy link” option if the link is right-clicked. If that is the case, you can paste the link into a text file to read.
  • Most businesses use links with domain names, not IP addresses
    • One way to hide an obviously bad link is to use an IP address instead of a domain name. Who would ever look up an IP address? If it’s in the message it has to be right, right? Nope. Most of the time an IP address in a link is a red flag.
  • Beware of links that are slightly different than the real name
    • A good example may be this domain name, "". Attackers could register a site named "" and send out realistic-looking mail with that link in it. Glancing at it you may not see the difference, but even one character makes it a completely different address. Misspelling the name slightly is also a popular trick: "". That is known as typosquatting, a form of cybersquatting.
  • When given the option for receiving email from a web site or company, opt for the text-only format
    • While not as flashy, it can be safer since a text-only message cannot display one URL while linking to another. Plus you can’t just click the URL, you have to copy/paste it into a browser, which gives you a chance to read it. The text versions will not have the images either; remote images can be used as tracking beacons to confirm you opened the message, and bugs in image handling have been exploited in the past.
  • If your email provider offers spam blocking, turn it on
    • This will catch the obvious junk, though not necessarily a carefully targeted message.
  • Don’t reuse passwords for multiple email accounts
    • And don’t use the same passwords for banks, work, whatever.
  • Configure the virus scanning tool on your computer to scan messages and attachments
    • While this may not catch everything, it can help.
  • When you reply to emails, make sure to check the address in the reply-to field
    • The Reply-To header can name a different address than the one the message appears to come from, so you could end up sending a reply to somebody you had no intent to send to in the first place. This is bad if the reply contains any kind of sensitive data.
  • When in doubt, contact the sender to see if they actually sent the message
    • Use a phone number or address you already have, not one taken from the suspicious message, and don’t just hit reply.
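
Several of these checks can be automated rather than eyeballed. The following is an added example in Python (not part of the original post) that parses a constructed sample message and flags a Reply-To whose domain differs from the From domain, then walks the links in the HTML body and flags targets that are IP addresses, visible link text that names a different domain than the real href, and domains within a couple of characters of a trusted one. The sample message, the made-up examplebank.com / examp1ebank.com domains, the 203.0.113.10 address and the TRUSTED_DOMAINS list are all assumptions constructed for the example.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish; all names are made up). It packs
# in the tricks described above: a Reply-To on a different domain than From,
# link text naming the bank while the href is an IP address, and a look-alike
# domain with the "l" swapped for a "1".
RAW_EMAIL = b"""From: "Example Bank" <alerts@examplebank.com>
Reply-To: collect@mail-examp1ebank.net
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.10/login">visit examplebank.com</a> to confirm.</p>
<p>Or use <a href="https://examp1ebank.com/verify">https://examplebank.com/verify</a></p>
<p><a href="https://examplebank.com/unsubscribe">unsubscribe</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # domains you actually deal with (assumed)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'example.com' from 'mail.example.com' (ignores two-label TLDs)."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def look_alike_of(host):
    """Trusted domain this host imitates (within two edits), else None."""
    reg = registrable(host)
    return next((t for t in TRUSTED_DOMAINS if reg != t and edit_distance(reg, t) <= 2), None)


def analyze(raw):
    """Return (check, detail) findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # A Reply-To on another domain sends your answer somewhere you did not pick.
    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender and reply_to and registrable(sender.domain) != registrable(reply_to.domain):
        findings.append(("reply_to_mismatch", reply_to.addr_spec))
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for href, text in extractor.links:
        target = (urlparse(href).hostname or "").lower()
        if is_ip_literal(target):
            findings.append(("ip_literal_link", href))
        imitated = look_alike_of(target)
        if imitated:
            findings.append(("look_alike_domain", f"{target} ~ {imitated}"))
        # Visible text that names a domain must agree with where the href really goes.
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(0)) != registrable(target):
            findings.append(("display_target_mismatch", f"{text!r} -> {href}"))
    return findings


if __name__ == "__main__":
    for check, detail in analyze(RAW_EMAIL):
        print(f"{check:24} {detail}")
```

Run against the sample it reports five findings: the Reply-To mismatch, the IP-address link, the look-alike domain, and two links whose visible text disagrees with their real target. The innocent "unsubscribe" link produces nothing. The registrable() helper is deliberately crude (it treats "example.co.uk" as "co.uk"), so a real tool would use a public suffix list instead.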
If anyone can think of some that I may have missed, send them my way. And as always, please get in touch with me if you have any questions or comments about any of this.