Aug
07
Filed Under (Uncategorized) by dw on 07-08-2017

According to the South African Banking Risk Information Centre (SABRIC), South Africans lose in excess of R2.2bn to internet fraud and phishing attacks annually!

This gives South Africa the embarrassing status of having the third highest number of cybercrime victims worldwide!

South Africa has suffered more cybercrime attacks than any other country in Africa.

Antonio Forzieri, Cyber Security Practise Lead: EMEA at Symantec, is quoted as saying that “one in 214 emails sent in South Africa during 2014 was a spear-phishing attack.”

This morning’s attack on the University of Stellenbosch was a spear-phishing attack. (“spear-phishing” is not a new water sport!)

Phishing emails target a broad group of users in hopes of catching a few victims but spear-phishing emails are far more focussed.

SPEAR-PHISHING is where the perpetrator targets a specific person or organisation – like the university. This takes the form of emails addressed to you, ostensibly from within the organisation using an internal e-mail account. It looks familar and appears legitimate!

This morning’s attack came in the form of an e-mail, disguised as being sent from a trusted source, (a known university e-mail address) and tried to fool victims into voluntarily disclosing sensitive information such as usernames and passwords, by encouraging people to open a link that took them to a site that was disguised to look like the university’s webmail login page.

Most spear phishing emails have a “call to action” as part of their tactics, which an effort to encourage the receiver into opening a link or attachment or suffer some consequence: “We have detected your mail settings are out of date…Sign in and automatically update your mailbox…”

What was concerning about this morning’s attack, was that the perpetrators had registered a South Africa domain name (which can only be done South Africa) using a name very similar to Stellenbosch, and by including the university’s network acronym, SUN in the domain name! This was not a random attack. It was focussed and judging by the amount of e-mail addresses it was sent to, was specifically engineered to compromise the university network.

What can we do?

  • Prevention always begins with educating all employees about the new reality of spearphishing attacks. By now, everyone should know about the old-style phishing emails, full of typos and promises of unearned millions – they are no longer your main worry. New spear-phishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone that your colleagues trust.
  • Always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today.
  • Report anything suspicious. If you accidentally executed anything that you later became suspicious about, you should report it as well. It is important to remove the stigma and embarrassment of being fooled. Anyone, even security experts, can be tricked today, given the sophistication of the attacks.
  • Start to aggressively test employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past.
  • Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
  • Lastly, if a spearphishing attempt is successful in your institution, then use the actual phishing email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons into focus is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.

Apr
14

wordpress-under-attack-cropSince 12 April 2013, the WordPress blog system world-wide is facing its most serious coordinated brute force attack. Some WordPress hosts have reported that they have blocked as many as 60 million requests against their hosted WordPress customers in a single hour.

This attack, which targets administrative accounts, appear to be coming from a sophisticated botnet that may have as many as 100,000 computers, based on the number of unique Internet addresses the attacks are coming from.

…And Internet security experts have estimating that the botnet has the power to test as many as 2 billion passwords in an hour.

WordPress users should always make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that’s good advice for just about any password you use, but it’s especially applicable right now.

While it’s difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. It has been suggested that the perpetrator could be trying to upgrade a botnet composed of ordinary PCs into one that is made up of servers.

Last year, a brute force attack against Joomla sites created a server-grade botnet, created with a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.

One risk is that personal bloggers that set up WordPress installations might not have thought to set up a highly secure password. However, it’s not just the blogger’s posts that are at stake, as the attacker could potentially use the login to gain access to the hosting server, a more valuable prize that could cause even more damage.

This botnet is going around all of the WordPress blogs it can find trying to login with the “admin” username and a bunch of common passwords.

If you still use “admin” as a username on your blog, change it, use a strong password, and better still change the name of the admin account to something else, which will certain block the botnet attack.

I personally run 7 WordPress blogs, excluding this GERGABlog, and a year or so ago, after a attack crippled 3 of the sites, I removed the default “Admin” account and had set very strong passwords on all of them.

On Friday evening I installed a small plugin, recommended by my hosting company, which blocks an Internet address from making further attempts after a specified limit of retries is reached. I set the plugin to log all Internet Addesses that had been locked out, and after barely 30 minutes, 3 of my 7 blogs had logged more than 5 Internet addresses that has tried to attack my blog and had been locked out. I could see that the attack was underway and was very glad that my paranoia had paid off!

May
28
Filed Under (Uncategorized) by dw on 28-05-2012

Social networking services like Facebook are dangerous. You lose your privacy and open yourself to a number of risks.

For example, two masked robbers robbed the wrong home, hours after a teenager posted a photo on Facebook of a large pile of her grandmother’s savings.

Police in New South Wales, Australia, said that the men, armed with a club and a knife, struck at the home of the 17-year-old’s mother in the country town of Bundanoon on Thursday night, but were told the daughter no longer lived there.

The bandits searched the house and took a small amount of cash as well as other property before leaving. No one was injured.

Police said that earlier in the day the girl had posted a picture on her Facebook page of a “large sum of cash” she had helped count at her 72-year-old grandmother’s home in Sydney, 75 miles north-east of Bundanoon.

No matter how “cool” or convenient Facebook is, it is always important to keep a close watch on its security implications. Each of these services comes with its own set of security concerns which can put your information
systems and/or personal data at risk. (the incident above is one such example)

For example, you have posted an update on your Facebook profile say: “Looking forward to the family holiday next week at the beach house.” Although these might seem relatively harmless, the third bullet point could raise some concern. You have just told all your friends, as well as all their friends, that you will be away from home for a full week. This is comparable to putting a sign on the main road that shouts “Empty House” for passers-by to see. Even if you have a burglar alarm or neighbors keeping an occasional eye on the home, you still don’t want to create the temptation for strangers (Friends of Friends) to consider helping themselves to the contents of your house.

This is just one of the risks you might encounter when using Facebook, and this is one to the reasons why I prefer to steer away from social networking services. You rarely know or meet your “friends”, and this exposes you to unacceptable risks to your personal safety! Optimism aside, the world is full of mean-spirited people who would want to exploit and harm you. Be careful!