
Tips for Spotting a Phishing Email

Every day, users are targeted with phishing emails from all around the world.  These emails can range from overtly “spammy” and easy to detect, to quite sophisticated and difficult to notice.  We have found that this is typically the least defended position in an organization, as well as one of the easiest to exploit.  Even organizations with millions of dollars’ worth of network security equipment can be vulnerable if a single user clicks on a malicious link.  Here are some tips and tricks for spotting phishing emails:

Do You Know the Sender?

Two parts of an email make up its ‘sender’ portion: the “From” field and the “Reply-To” address.  The “From” field identifies the name of the person who sent the email.  This field can easily be spoofed.  The “Reply-To” address is the email address that will receive an email if you reply to it.  This cannot be spoofed; therefore, what you see is who you will send the email to.  For example, the following headers show the “From” and “Reply-To” fields in this phishing email:

[image: phish-headers]

Outlook displays the following information:

[image: phish-outlook]

If an email purports to be from a well-known brand or company, but the actual email address does not appear to be one that would come from that company (USPS <info (at)>), then the email should be deleted.

Is This Something You Expected?

Let’s say you received an email from UPS stating that a package was undeliverable.  Ask yourself, were you expecting a package, or did you order anything?  More often than not, the justification for receiving a phishing email simply won’t make sense.  Another type of phishing email could claim to be from a financial institution.  Perhaps the email could appear to be from a bank, or it might request account or credit card information.  You should ask yourself, “Do I actually have an account with this bank?”  If not, it is probably a phishing scam and should be deleted.  If emails such as these contain very specific information about you, or lead you to believe that you may have inadvertently been compromised, you should check your credit report and make sure no new accounts have been opened in your name.

Did Your Systems Flag This as Suspicious?


Email clients often do a pretty good job of recognizing spam.  More often than not, you should trust the email client’s recommendation and delete these messages.  As you can see in the photo above, Outlook recognized this email as spam and moved it to the junk mail folder.  This automatically prevents images from being downloaded and blocks any links that may be in the email.

Are There Grammar Mistakes?

Emails from large corporations go through rigorous proofreading and grammar checks.  This does not mean that they will never contain mistakes; however, mistakes are unlikely and very few in number.

Our courier couldnt make the delivery of parcel to you at 20th April.

Notice in the above example that there is no apostrophe in “couldn’t” and the word “the” is missing before “parcel”.  These errors are dead giveaways.  Additionally, the US is one of the only countries in the world that uses the MM/DD/YYYY date format.  This email used the DD/MM order, which is common throughout the rest of the world.  This wouldn’t have come from the USPS.

Is a File Attached?

Many phishing emails will attempt to get the user to open malicious files.  Most email systems will block files with executable program extensions (such as .exe or .bat); however, there are many known vulnerabilities in other well-known file types, such as Adobe document formats.  Attackers could also try to mask malicious files within a ZIP file.  Flags should be raised any time an unexpected email is received with attachments, especially if the email matches any of the other signs listed in this article.

Does The Email Ask for Personal Information?

Financial institutions will never ask for personal information in an email.  They will also never ask for a password at any time, whether via email or on the phone.  Most phishing emails will attempt to glean some sort of personal information, whether it’s as simple as getting a user to respond to an email (merely to determine whether or not that address is valid), or as direct as asking for usernames, passwords or banking information.  Sometimes an attacker will ask for the information directly in the email, but most will link to a separate file or web page which will ask the user for information.  Guard this information well.  If you have to ask yourself, “Shouldn’t this organization know that information about me already?” then the email is likely a scam.

Are There Links In The Email?

Before ever clicking a link in any email from anyone, first hover over the link to see if the URL in the tooltip matches the link text you see, and to make sure the URL is something you recognize.  If it is not a .com URL, then I would be highly suspicious.  The email below says it is from USPS; however, look at the URL when we hover over the link:

[image: phish-url]


Checking URLs in an email should become second nature, otherwise, you will eventually click a malicious link.  Another item of note is that, even if you recognize the URL, any URL that ends in .php should automatically require extra scrutiny.
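The sender, link and attachment checks from the sections above, run mechanically over a constructed message, as an added example that is not code from the original article.  It assumes a small list of brand names to look for (here only USPS) and applies the article’s own heuristics: a brand in the display name but not in the address, a Reply-To domain that differs from the From domain, link text that shows one host while the href points at another, link targets outside .com or ending in .php, and any attachment.  The example.net and example.org domains in the sample are constructed.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message), written to trip every check below.
SAMPLE_EML = b"""\
From: "USPS Delivery" <info@parcel-notice.example.net>
Reply-To: claims@parcel-claims.example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Track it: <a href="http://parcel-notice.example.net/track.php?id=7">
https://www.usps.com/track</a></p>
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"

--b1--
"""

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_flags(raw_eml, brands=("usps",)):
    """Return the article's warning signs found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    sender = msg["From"].addresses[0]
    reply_to = (msg["Reply-To"] or msg["From"]).addresses[0]
    flags = []
    # Do you know the sender? A brand in the display name but not in the domain.
    for brand in brands:
        if brand in sender.display_name.lower() and brand not in sender.domain.lower():
            flags.append(f"display name says {brand.upper()} but address is {sender.addr_spec}")
    # Reply-To is where a reply actually goes; flag it when it differs from From.
    if reply_to.domain.lower() != sender.domain.lower():
        flags.append(f"replies go to {reply_to.addr_spec}, not {sender.addr_spec}")
    # Are there links? Compare the hover target (href) with the text displayed.
    body = msg.get_body(preferencelist=("html",))
    parser = _Links()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        target = _host(href)
        if "://" in text and _host(text) != target:
            flags.append(f"link text shows {_host(text)} but goes to {target}")
        if not target.endswith(".com"):
            flags.append(f"link target {target} is not a .com domain")
        if urlparse(href).path.lower().endswith(".php"):
            flags.append(f"link target {href} ends in .php")
    # Is a file attached? Any attachment is a flag; archives and executables more so.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "(unnamed)"
            risky = name.lower().endswith((".zip", ".exe", ".bat"))
            flags.append(f"{'archive/executable' if risky else 'unexpected'} attachment: {name}")
    return flags
```

This is a screening aid for a gateway or an analyst, not a verdict: a legitimate newsletter can trip the Reply-To and .com rules, so the flags are there to prompt the questions above rather than replace them.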


Once you learn what typical phishing emails are comprised of, your ability to spot one will significantly improve.  Phishers can become sophisticated when they are specifically targeting individuals or organizations, and those emails take a great deal of acumen to spot.  However, phishing typically follows the 80/20 rule: you spend 20% of your effort to spot over 80% of phishing emails.  According to Symantec, 1 in 392 emails contains a phishing attack.  They are not uncommon, and if successful, can be very dangerous.  Stay vigilant.


Internet Explorer Zero Day – Emergency Patch Released, includes XP

UPDATED 5/1/2014: Microsoft has released an emergency out-of-band update for Internet Explorer that resolves this issue.  They are including updates to IE on Windows XP as well.  We recommend deploying this update as soon as possible.

Microsoft released an advisory on April 26th:

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Mitigation Steps (Details on TechNet):

  • Install EMET.  According to FireEye, “EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.”
  • Also according to FireEye, “Enhanced Protected Mode in IE breaks the exploit in our tests”.  Keep in mind that Enhanced Protected Mode in IE can break some plugins.
  • Disable Flash.  The vulnerability is not a Flash vulnerability, but Flash is required to exploit it.


For organizations and users who have not upgraded from Windows XP, this vulnerability does affect IE6-IE8 which can run on Windows XP.  Windows XP will not be receiving updates as it is now out of support.  It is critical that organizations upgrade from Windows XP.


Verizon Breach Report 2013: What Does It Mean For Your Organization

Each year Verizon releases its Breach Report; it is a sort of state of the union with regard to last year’s breaches.  It is worthwhile research that helps identify the industry trends which can steer the budgets and focus of IT departments.  This year’s report covers 1,367 confirmed data breaches and 63,437 security incidents.

No one is immune:


According to the report, 92% of all breaches can be categorized in 9 groups.  Here is a summary of things every organization should be doing to keep from being included in next year’s report:

  • Restrict Remote Access
  • Enforce Password Policies
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity
  • Two Factor Authentication
  • AppDevs use the OWASP Top Ten
  • Information Management – Where is your data and who has access?
  • Review User Accounts
  • Encrypt Devices
  • Use mobile device management systems
  • Patch Your Stuff
  • Implement Change Management
  • Maintain Logs
  • Monitor your corporate email addresses for breaches

Let’s break down the sections for quick overview of the report:

Point-Of-Sale Intrusions

In 2013, over 99% of POS intrusions were initiated by external parties, but even worse, in 99% of the cases an external party (law enforcement, fraud detection or a customer) notified the organization of the breach.  So this begs the question, Is Compliance Enough?

What can you do?

  • Restrict Remote Access
  • Enforce Password Policies
  • Use POS systems only for POS activities
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity

Web App Attacks

Applications are vulnerable from many fronts.  The attack vector is almost always in the OWASP Top Ten, and developers need to be familiar with each item in the top ten.  60% of compromises occur within minutes of an attack.  Over 85% of attacks are discovered in days, and 50% can take months or longer to discover.  So while discovery is the area that needs the most focus, most organizations, once they discover the attack, respond within days.

What can you do?

  • Two Factor Authentication
  • Strongly Consider your CMS
  • Validate Inputs
  • Enforce Lockouts
  • Monitor Outbound Connections

Insider and Privilege Misuse

Most crimes by trusted parties are perpetrated for personal or financial gain.  In 71% of these incidents the attack began on the corporate LAN, and 28% took advantage of physical access within the corporate facility.  This means that most of these types of attacks take place at work.  72% of these attacks were perpetrated for financial gain, and in 70% of intellectual property thefts the person stole information within 30 days of announcing their resignation.

What can you do?

  • Information Management – Where is your data and who has access?
  • Review User Accounts
  • Monitor what data leaves your network
  • Publish Audit Results

Physical Theft and Loss

Corporate assets are stolen more often than vehicles or residences, and 40% of thefts involve mobile assets.  80% of these thefts allowed a user to gain access through disabled or bypassed controls.

What can you do?

  • Encrypt Devices
  • Encrypt Devices!
  • Use mobile device management systems
  • Segregate Secure Data (logically and physically)
  • Consider preventing secure data from being mobile

Miscellaneous Errors

Almost all data breaches include some element of human error.  Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure.  According to the report, “government organizations frequently deliver non-public information to the wrong recipient; so much so, in fact, that we had to remove it from [one of our figures] so that you could see the other error varieties.”

What can you do?

  • Implement a DLP Solution
  • Create better publishing policies
  • Control what is trashed and what is shredded


Zeus is still number one in malware attacks.  Statistics in this area are difficult to compile because of variables such as machines simply being wiped instead of having the virus removed.  Additionally, oftentimes the partners who report these outbreaks never know about them.

What can you do?

  • Patch Your Stuff
  • Keep Browsers up to Date
  • Disable Java in the Browser
  • Use Two-Factor Authentication
  • Implement Change Management
  • Leverage threat feeds

Payment Card Skimmers

100% of incidents involved data disclosure.  Most skimming occurred at ATMs and gas pumps.

What can you do?

Cyber Espionage

According to Verizon, “Strategic website compromises (SWCs) have proven to be an effective tactic of state-affiliated threats to infiltrate the networks of target organizations.”  Over 75% of compromises took advantage of browser based zero-day vulnerabilities.

What can you do?

  • Patch Your Stuff
  • Make Sure AV is Up to Date
  • Train Users
  • Segment Networks
  • Maintain Logs

DOS Attacks

No data was disclosed as a result of a DoS attack.  The average attack utilized a sustained 10Mbps of bandwidth.  The amount of traffic in the Spamhaus attack ranged from 85-120Gbps. Yikes!

What can you do?

  • Turn off unused ports and services
  • Segregate essential IPs from unused IPs
  • Contact your provider about anti-DDoS services
  • Have a plan in place
  • Know your servers’ limits


Windows 8.1, Server 2012 R2 no longer receiving updates

Microsoft has said that Windows 8.1 and Server 2012 R2 will no longer receive updates unless they have the April 2014 update installed.  In other words, you can wait until November to install the April update, but you will not receive any updates from May until November until the April patch is installed.

In a recent security update from Microsoft, Steve Thomas of Microsoft posted a TechNet article stating that Microsoft will no longer issue security patches for Windows 8.1 or Windows Server 2012 R2, starting in May, because “Microsoft wants to ensure that customers benefit from the best support and servicing experience.”

Since Microsoft wants to ensure that customers benefit from the best support and servicing experience and to coordinate and simplify servicing across both Windows Server 2012 R2, Windows 8.1 RT and Windows 8.1, this update will be considered a new servicing/support baseline. What this means is those users who have elected to install updates manually will have 30 days to install Windows 8.1 Update on Windows 8.1 devices; after this 30-day window – and beginning with the May Patch Tuesday, Windows 8.1 users’ devices without the update installed will no longer receive security updates.

There have been a number of issues reported regarding installing the update from failed installations to errors when installing.

According to the same article:

Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers.

You may still obtain the Windows 8.1 Update (KB 2919355) from the Windows Update Catalog or MSDN. However, we recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue.

Hopefully, Microsoft will extend support for these versions because that does not leave IT Pros much time to deploy to their networks.


Critical Oracle Update – Fixes 104 Vulnerabilities

Oracle announced a critical update for a number of products including Java.  According to Oracle, “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.”

We recommend patching Java as soon as possible.  Many organizations do not patch Java due to business application constraints.  Serious consideration should be given to the risks of Java vulnerabilities in light of these situations.  Updates can be obtained from the Java website or using the Java Control Panel.

37 of these vulnerabilities affect Java SE.  35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password, and 4 of the vulnerabilities have a CVSS rating of 10.0 (if a user is not running with administrative rights, the CVSS base score becomes 7.5).  For more information see the Java SE Risk Matrix and an explanation of the CVEs.

Fixes for the following CVEs are included in this patch:



Leave no stone un-turned when patching Heartbleed

Most people are now up to speed about the existence of Heartbleed, but new information is coming out that the focus has been only on server-side exploits.  Meldium released a blog post titled Testing for “reverse” Heartbleed.  According to Meldium, “While patching our systems for the recent Heartbleed vulnerability, we found that some sites (including huge web properties), which had patched their servers were still vulnerable to a variant of the attack that we’re calling ‘reverse heartbleed.’”  They have also released a tool to test this.

What does this mean?

Basically, it means that OpenSSL patching can’t stop at servers and infrastructure devices.  It has to go all the way down to the client level.  There are many client tools and agents that use TLS for communication.  Meldium provides a list of the types of clients that are vulnerable:

  • Traditional agents such as Dropbox or Office
  • Social networks such as Facebook, which fetch URLs of certain types and perform actions on them
  • File sharing apps, or anything that allows a user to upload an image
  • Web spiders like Googlebot
  • API consumers that allow integrations across websites
  • Identity federation protocols such as OpenID
  • Webhooks, which allow a user to register interest in a certain event happening and get a callback

This particular vulnerability does appear to be harder to exploit than the original Heartbleed.

What should you do?

The steps for remediation are the same as the original attack.  We have them outlined in our post Heartbleed: What you need to know.


Heartbleed: What You Need To Know


Heartbleed is a serious vulnerability that can allow attackers to intercept secure communications.  Email, Websites, VPNs, and other trusted security technologies are at risk – passwords and encryption keys can be breached.  You most likely have something that is affected. 

What to do

  1. Update anything using OpenSSL, see below for more information.
  2. Check to see if you are vulnerable.  (Adrian Hayter, a consultant with CNS Hut3, revealed a proof of concept showing that many of the testing tools have bugs themselves.)
    1. Check your public-facing websites for the vulnerability.  Use one of these tools*: SSLLabs
    2. Check internet-facing equipment to see if it uses OpenSSL.  This can include firewalls, VPNs, mail servers or services that utilize TLS; anything that uses SSL.
  3. Apply vendor patches.  Here is a good list of vendor notifications for fixes.  Here is a list of file transfer applications and their status.
  4. Update IPS/IDS devices with signatures to detect the vulnerability.

UPDATE 4/11/2014: Vulnerable devices do not have to be using SSL actively.  We have confirmed that a Windows Server running IIS and a file sharing application over port 21/FTP is vulnerable even though it is not using an SSL certificate.

These last two are not easy, but recommended – it is that serious.

  1. Once you have updated a website, revoke any SSL certificates for sites that were vulnerable, and reissue them.  Keep in mind any sites that share an SSL certificate with a vulnerable site, even if that site was not vulnerable.
  2. Issue password resets for network users, and notify users to reset their personal passwords for affected sites.  Here is a good list of sites that are affected: Sites affected by Heartbleed

*These tools can give false negatives.  This means that if a tool says a site is vulnerable, it is, but if it says a site is not vulnerable, it could still be, so don’t rely only on these tools to test.
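A version-string triage for the “does it use OpenSSL” step above, complementing the checkers the footnote warns about; this is an added example, not code from the post.  It assumes the affected range the later Heartbleed post on this page states (OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed), and the host names and banners are constructed.  Because distributions such as Debian and Red Hat backport fixes without changing the version string, a “vulnerable” result here means the package changelog must be checked, not that the hole is confirmed.

```python
import re

# Affected range as stated in the later post: OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed.
# Versions are compared as (major, minor, fix, patch letter) tuples.
FIRST_AFFECTED = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e'); None if unrecognised."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def heartbleed_status(banner):
    """'vulnerable', 'not affected' or 'unknown', judged by version number only.
    Distribution packages that backport the fix keep the old version string, so
    'vulnerable' means 'check the package changelog', not a confirmed hole."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if FIRST_AFFECTED <= version < FIRST_FIXED else "not affected"


def triage(inventory):
    """inventory maps host -> `openssl version` banner; returns hosts needing action."""
    statuses = {host: heartbleed_status(banner) for host, banner in inventory.items()}
    return {host: status for host, status in statuses.items() if status != "not affected"}


# Constructed inventory: example hosts and banners, not real systems.
SAMPLE_INVENTORY = {
    "vpn.example.net": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail.example.net": "OpenSSL 1.0.1g 7 Apr 2014",
    "ftp.example.net": "OpenSSL 0.9.8y 5 Feb 2013",
    "fw.example.net": "embedded build, version string not exposed",
}
```

Hosts that come back “unknown” (appliances that do not expose a version) still need the vendor notification list from step 3 rather than being written off.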

More information:

What is heartbleed?

First, it is very serious, and this is something everyone in IT needs to familiarize themselves with.  This graphic gives a very simple explanation of the bug.  Heartbleed is a vulnerability found in OpenSSL.  OpenSSL is an open-source, commercial-grade library that implements SSL v2/v3 and TLS v1.  This means that websites using SSL, VPNs and TLS services that rely on OpenSSL could be vulnerable.  For a comprehensive overview, Troy Hunt has a really good blog post.  There is also a variant, ‘reverse’ Heartbleed, that can affect client infrastructure as well.

What’s the big deal?

Heartbleed allows an attacker to view information stored in memory of a website that is vulnerable.  This could include usernames, passwords, private keys or more.

What can this affect?

This can affect the obvious: HTTPS, VPN and TLS services that run on websites, routers, firewalls and email servers, as well as the certificates that protect those servers.  The scary part is that it can also affect services such as IMAP, POP, FTP, SFTP, SSH and more.  Not only do some of these services use certificates, they can also run OpenSSL on the servers that support them, which makes them vulnerable.


The Heartbleed Bug

The Heartbleed Bug is a recently discovered critical vulnerability in OpenSSL, the widely used open-source implementation of the SSL/TLS protocols.  SSL/TLS is used to provide security and privacy in many internet applications such as email, instant messaging, VPN, and secure web pages.

The vulnerability was the result of an implementation problem (or a program mistake) in OpenSSL, which has left a large amount of private data exposed to the internet.  Most people are likely to be directly or indirectly affected by this bug, because OpenSSL is the most popular cryptographic library and transport layer security implementation currently in use on the Internet.

OpenSSL 1.0.1 through 1.0.1f are currently vulnerable to this exploit, and exploitation of this bug leaves no trace of anything abnormal happening, making an attack very hard to detect.  The latest version of OpenSSL, 1.0.1g, is not affected, and we recommend upgrading to this version as soon as possible.
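The “program mistake” behind Heartbleed that this post and the earlier one describe, simulated as an added example that is not code from the posts or from OpenSSL: the TLS heartbeat handler took the payload length from the message itself and copied that many bytes back, so a peer that declared a larger length than it actually sent received whatever followed the record in memory.  OTHER_HEAP_DATA is a constructed stand-in for that memory, and the two handlers mirror the pre-1.0.1g and 1.0.1g logic, the fix being the bounds check that 1.0.1g added.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: every heartbeat message ends with at least 16 padding bytes

# Constructed stand-in for whatever happens to sit in process memory after the
# received record: not real data, just something the peer must never be sent.
OTHER_HEAP_DATA = b"session=SECRET-COOKIE-0123456789abcdef"


def build_heartbeat(payload, claimed_length=None):
    """heartbeat_request body: type(1) | payload_length(2) | payload | padding.
    claimed_length lets a test declare a payload_length larger than the payload
    actually included, which is exactly the malformed input the bug mishandled."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def respond_vulnerable(record):
    """OpenSSL 1.0.1 through 1.0.1f: payload_length is taken from the message and
    used for the copy without comparing it against the size of the record."""
    heap = record + OTHER_HEAP_DATA                # the record and what follows it
    _type, payload_length = struct.unpack("!BH", heap[:3])
    copied = heap[3:3 + payload_length]            # runs past the record if lied to
    return struct.pack("!BH", HB_RESPONSE, payload_length) + copied + b"\x00" * PADDING


def respond_fixed(record):
    """OpenSSL 1.0.1g: silently discard the message when the declared length does
    not fit inside the record (1 + 2 + payload_length + 16 > record length).
    Neither handler logs anything, which is why exploitation left no trace."""
    if len(record) < 1 + 2 + PADDING:
        return None
    _type, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    copied = record[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + copied + b"\x00" * PADDING


def leaked(response, payload):
    """Bytes in a response that were never part of the payload the peer sent."""
    return b"" if response is None else response[3 + len(payload):-PADDING]
```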

If you publish any secure services to the internet, you can test to see if your services are affected by the Heartbleed bug by going here:  Heartbleed Test or SSL Labs

More detailed information about the Heartbleed bug can be found here:  Heartbleed Bug and Troy Hunt.

UPDATED: There are a myriad of websites right now explaining what Heartbleed is and how it works, so I won’t try to reproduce those, and have linked some of them above.  I do want to point out a couple of things.  It has been reported that many of the ‘site checkers’ are returning false negatives, so don’t rely solely on the checkers, but use other checks as well.

Second, there are two sites that I have found useful for seeing who is vulnerable: Mashable lists many of the common websites for general users, and this post on GitHub scanned the Alexa top 10,000 sites.


Data Breach?


A colleague was notified today by his bank, BBVA Compass, that his account was likely involved in a breach, that his debit card would shortly be cancelled, and that he would be issued a new one.  He went to a branch office to deposit a check and asked the teller why a recording from the bank had called the day before asking him to call back for important information (confirming that it was not a robo-call).  His point was, if it was really important, shouldn’t a person have been on the other end of the line?

It is a good sign to see the bank taking a more proactive approach to protecting their clients’ personal information in the early stages of a breach response.  The phone call leaving only a call-back number may have been an effort to reduce the chance that a slowly awakening public might think this was an elaborate Social Engineering campaign playing off their fear from the recent Target breach, or there may be some self-interest necessitating BBVA Compass’ proactive response.  However this story unfolds, it does not change the benefit of this early and decisive response for their clients.

We have been unable to substantiate or confirm any additional details about this breach.  For now, well done BBVA, for taking care of your customers.  If any additional details surface, we will update this blog post.