233 - Phishing


I receive a number of phishing attempts, perhaps one per day. I think I spot them, but I have been wondering whether (i) I can do better (ii) what others do (iii) what a business does and (iv) how one measures success in educating one’s staff into avoiding phishing attempts.

At the personal level, if you’re phished, you will find out about it when you appear to have spent money you’re pretty sure you didn’t. So to speak. Or your identity is ç. There is disturbing correlation between education, possibly equating to perceived competence in IT, and the likelihood of being phished. It is not (just) that these are richer marks (and so more rewarding for the phisher), but these people are somehow more susceptible to falling for scams, ruses and the like. It may be a feature of confidence; it may be one of carelessness; it may even be that the click occurs before the brain has engaged.

The most likely giveaway, whosoever the mail purports to come from, is the sender’s address. On my system that is pretty easy to see. Even then some addresses look very much like they might be real. I insert some examples nearby. The second obvious no-no is opening any attachment without thought. Don’t do that, check first that this is from who you think it is.

Recent examples I have had:
Web.Fillings@companieshousecomplaint.co.uk            Companies House?
wyceny@yoona.pl , service@online.com,                               Clearly NOT Apple
noreply@www.brandmngr.com, account-update@cpanel.com           Amazon or not?
info@4sat.eu                                                                  Clearly NOT Adobe Systems
ups@upsquantumview.com                                            UPS or not?
brenda@babyworld.co.uk                                               Clearly NOT Scotland Yard
id1-955xb8t0szh@mail.fireflyuk.net                                Clearly NOT Lloyds Bank

It is easier if you have few accounts (example, I don’t bank with Lloyds), but if you have a lot of traffic with a spoofed source, you are quite likely to open a mail out of familiarity.
The big no-no is opening an attachment, so we all need to be very clear about having checked a source before we do that. But imagine if your address book has been hacked and the phisher is simply presenting one of your own frequently used addresses? You’d fall for this, and so would I.

What do you do if you’re the IT department for a company? I searched a little to see if I could discover what has been learned. I wrote some time ago about Measures of Success Essay 84. Lo and behold, I find that phrase which I think I coined first being used more and more (good, I say).  CSO [1] describes some research done by Duo Security. Eleven thousand employees across 400 companies were sent an email inviting them to be phished (I would love to share the email sent). 31% clicked the link. 17% provided usernames and passwords. Disaster?
How do you measure success in training your staff?
Some have measured success based on clicks. As such, if the employees avoid 80-percent of the Phishing emails delivered during an assessment, they see that as a win. From there, the assessment moves to focusing on the 20-percent that did click links. [....] The measurement of clicks can also be a problem. What counts as a click? Is a click simply following a malicious URL, or does that include attachments as well? Are hybrid attacks, those that use links and attachments counted as clicks, or are they measured differently? 


Surely an 80% success at the target end is at the same time a 20% success for the  attacker – which is a win, and I’d think any value of ‘win’ is bad. Yet you can’t expect a system to be 100% secure (you can, you make it stand-alone and completely divorced from other systems, but that is not practical). Presumably at many firms it is very difficult to keep all of the staff up-to-date with the routines and, depending upon staff turnover, having as many as 90% up to speed with the intended policies might be a major effort.¹  For some companies, 80% would be deemed a success. I think that means that dealing with the missing 10-20% is a significant problem.  So the resources put aside for this might amount to restrictions on one’s access to the system without some ‘licence’ (an in-date internal qualification saying you’re safe on the system), with perhaps layers of security and access. Even, perhaps, separating types of IT transaction within the firm. 
Let’s agree that if 80% of an attack is dodged by staff, that is a win of sorts. If the staff are educated by each attack (a learning business, essay 227), then 80% may well rise further. If the 20% of any attack only succeeds partially, being caught by other routines, then maybe the phishing is reduced to what one might consider manageable proportions. How can there be an ‘acceptable level’, when a single failure could lead to catastrophe?

What is the level of this sort of crime? We are told that cybercrime is at its highest ever levels and that it is the biggest area of criminality at the moment. It is very difficult to count the ‘level’ of this sort of activity [the measures of success are a problem]. See source [3], which explains many of the problems with this. Counting attempts, measuring harm, or assessing loss – all are difficult, and to some extent they hardly help. But they would indicate the levels of resource we ought to be putting into combatting this crime. At one level, I can see that to some firms the whole IT thing becomes something you would wonder if you can do without. I would be inclined to severely restrict external access.

What should we be doing to reduce our own susceptibility? Sources [4], [5], [6].

Your confidential info.  Be very sensitive to handing out confidential information. Especially financial stuff.  [What about credit cards details, then?].   
Don’t be pressured into giving sensitive stuff out. Don’t put confidential info into forms within emails. You don’t know who can read that.
What have you agreed to?  Be aware of a website’s privacy policy (will they sell their mailing list?) How do you know which sites you have signed up to? When you do that ‘signing-up’, were you aware of that? Did you check to see if you are aware of the consequences?
Emails Watch for generic requests. Is this personalised? Does the source that this purports to come from seem to be missing some info you think they ought to know, like who you are and what your account number is?
Be very careful in opening a link from an email. Is this from a source you trust? Does the URL ‘look’ right? Does the URL start https:// or just http:// ?
Software Use security software, but don’t assume it does everything. It can’t prevent you being stupid, or gullible. 
Install software updates. Be careful what you install, what permissions you grant (and have given) to software.
Passwords    Do not re-use passwords. You do that and you are as secure as the most vulnerable target – you’re as strong as your weakest link. The trouble is that then you need a list of your passwords (mine is already 150 entries) and keeping that secure is a whole new nightmare. 
Look at having a password manager, which reduces your problem to one master password (which is then the new target, isn’t it? How often will you need it? I’d need mine several times a day. 
Use two-factor authentication when it is on offer.
Physical access  Who has  access to your phone, your ‘pad, laptop, keyboard? Can you install pass-codes? facial recognition? finger-printing? 
Can you track your device if (when) it goes missing? Will it erase itself if too many passcode attempts are made? Have you set auto-login? Don’t. 
Do you use open wifi? Is Siri available from your lock screen? Can you lock individual apps? Does one device complain when another loses connection (e.g. watch and phone)?
When you walk away from your desk, is your computer accessible to/by others? Do you leave sensitive stuff onscreen? Are you aware of the occasions when you do this? 

Can’t be bothered? Have you done any risk analysis on the consequences? Have you thought at all about what happens if you lose (even just misplace briefly) a device? Are you the sort of person who lets others ‘borrow’ your phone? [Yes, it is funny to some if your address book is replaced with other names, as it is funny to those same ‘friends’ if a salacious mail you sent to one person is copied to a parent, but I suggest this is not a friend in the sense that most people use the term]. What happens if one of your passwords is known to someone who doesn’t like you? How easy would it be to guess? If they know that one, how many other things could someone get access to with the same password? If you don’t think about this, there is a sense in which you deserve to be hacked. Are you also in the habit of leaving the house unlocked?


If you spot a phishing attempt—I’m using this descriptor for spoof mails, phishing, scams of any description coming through the internet—do you do nothing? I report every one of them. Sometimes I have a return of thanks (HMG is one such) and this is an assurance that Something is Being Done to stamp out the metaphorical fire. Out, out, damn spot. Spot of the black variety. Kill.

The approved action is to forward the offending mail with all header information made visible to that part of the business that is dedicated to dealing with this. There are similar sites for spam mail (a lesser evil but nonetheless something we could all do without). I have a number of addresses saved to which I report such stuff, and am prepared to search for these addresses. Spoof@paypal.com, phish@paypal.com, spam@icloud.com, abuse@btconnect.com, spam@intego.com:  These give you an idea of the terms in use.


I was rung by someone telling me they were my bank who then wanted to go through security information before doing some business. The person on the other end was genuine, so they were remarkably surprised at my response, along the lines that I’d tell them some info if they told me some. Surely security is a two-way thing? You want my postcode? Tell me the postcode for my previous address and I’ll do that. But then I feel exactly the same way if I’m the one initiating the call. I have had to explain this to several call-centre staff; yes, I have upset people who are so blinkered by <list> they can’t see that this is a problem; they know they are in a trusted position but they do not see that just because they know that doesn’t mean I do too. Yes, too, I’m prepared to lose access to that business if they don’t ‘get’ it. Is security not that serious?

As I wrote in a recent essay [229], many conversations are based upon trust. If we have not established some trust, which I think especially necessary with the phone, then conversation will be a distinct problem.

A recently observed tv advert for a bank, demonstrates how identity theft might be achieved easily from the sort of things we post so readily on Facebook (name, DoB, address). I wonder, each time I see that ad, just how many people completely miss the message and do exactly those actions pictured. Thinking of other recent essays [231 for example] (i.e. things I have been thinking about recently), I wonder how many people have already been thinking “This should be taught at school”. Which I also read as “They should do something about that”.

Which is not a million miles away from “This is not my problem”. Oh, yes it is.

DJS 21070629
top pic from here  

I wondered, a little later, if we can tighten up on the terminology.
Spam - unwanted mail
Phishing - attempting to persuade you to part with significant confidential information. Requires you to respond. Phishing is method of retrievalSee.
Spoofing - masquerading as another so as to cause you to harm yourself, typically phishing or spamming but possibly delivery of malware.         See. Spoofing is a method of
delivery.
Malware - software that intends harm.

I then wondered, given that much of the instruction to avoid phishing malware hinges upon you NOT opening the attachment or clicking the link, if such stuff can be delivered without an attachment. See [8] below.

File-less malware is the key label. [9, 10 ]  Short version, keep up to date with your OS upgrades. If it is fileless, the malware is in your RAM but not on your hard drive, so when you turn the computer off, the malware is killed. Lesson, then, turn the computer off more often. Mine is on for weeks at a time (and no more, having written this!!).  Search Angler exploit kit, Poweliks, malvertising, Fessleak. Result: If you’re being told your Flash or Reader (or whatever) needs updating, you do NOT click the offered box, but instead go to the recognised site and do an upgrade from there. Best of all, do the upgrade from within your own OS (Apple: bottom row of system preference icon page).   

I am wondering if there is an equivalent process on our cars: as they become steadily ‘cleverer’, telling us that the tyres are under-inflated, that the windscreen wash needs topping up and so on, do we therefore allow the old habits of actually checking the car in advance of a trip to simply fall by the wayside (so to speak)? Do we persuade ourselves that the car is looking after itself, so we will respond to its demands? I complain, to general laughter at the garage, that the car moans as much as the wife (which, to be fair, is not much at all), where it would be truer to say that it demands attention and will insist that attention be pretty prompt. I am also aware, though , that I now only check the tyres after the car has said I should have already done this, that I only check the oil level after it has complained I didn’t do that, and I fill the wash-bottle only after it has, yet again, complained that I didn’t already do that.  This is me being lazy. I see strong parallels with our attitudes to security when at the computer. Which, these days, equates to being on the internet.

What some of us are going to have to do is keep much of our private activity off-line, probably by using separate drives, though partitions may be sufficient. To go ‘live’ one engages a single drive used for temporary data. Not unlike having a public persona, perhaps; perilously close to separating doing from thinking and saying. Somehow i doubt that many of us will even attempt to discover how to do that until after an immediate brush with electronic disaster. This is the cost of convenience.

DJS

[1] http://www.csoonline.com/article/3110975/techology-business/how-do-you-measure-success-when-it-comes-to-stopping-phishing-attacks.html
[2]  https://www.cs.jhu.edu/~sdoshi/index_files/p1-garera.pdf
[3] http://www.law.leeds.ac.uk/assets/files/staff/FD18.pdf
[4]  https://uk.norton.com/7-tips-to-protect-against-phishing/article
[5] https://www.wired.com/2014/09/dont-get-hacked/
[6] https://www.theguardian.com/technology/2017/mar/26/12-ways-to-hack-proof-your-smartphone-privacy-data-thieves
[7] http://www.stmargaretward.co.uk/our-school/e-safety/how-to-avoid-phishing
[8] https://www.howtogeek.com/135546/htg-explains-why-you-cant-get-infected-just-by-opening-an-email-and-when-you-can/

1 At PMC we attempted to have all staff First Aid qualified. We discovered that achieving a 90% level was significant effort and that 95% might be the best we could achieve. Turnover was low, but qualifications must be renewed every three years and it was difficult to find the time for staff to go on courses, even with the employer being keen to pursue this and happy to spend the money. Teachers have relatively little free time, so they are not easily available for courses. You might say a 3-year cycle equates to replacing all staff in three years, which is a high staff turnover. On the other hand, in-service training is not a one-off and for IT skills it might well need to be on an annual cycle – a lot of work. In an environment where INSET is counted as 2 or 3 days per year and each such day has at best a number of possibilities, it is not at all hard to see that some people will slip through the net (and will need to be pushed hard into the re-qualification). A school might easily reach a position where all three INSET days per year are consumed by trying to keep everyone’s qualifications current. Learning business, anyone? Essay 227

  Email: David@Scoins.net      © David Scoins 2020