Although we’ve not heard of anything specific, with the demise of support for Windows 7 on 1/14/2020, don’t be surprised if nefarious scoundrels attempt to deceive users into surrendering personal data or even control of their computers with promises of cheap or free upgrades.
Especially in the consumer market, users may be reluctant or delinquent in upgrading their older equipment, and it wouldn’t be surprising for unsuspecting victims to be accosted by web-based attacks threatening dire consequences unless they “upgrade immediately!”
I wouldn’t be surprised if these attacks also come in the form of robo-calls with outlandish claims that an outdated computer has been “detected” and is “compromising other systems.” While these types of tech support scam phone calls are not new, the demise of Windows 7 support may give con artists leverage they can use to social engineer their way into users’ systems or accounts.
WRITING OUT “2020”
I recently heard of a warning regarding the new year, 2020. If you’re used to writing out a date and abbreviating the year using the final 2 digits, like 01/05/19, you might consider not abbreviating the year in 2020.
While it is less common now to write out a date by hand, this year provides a unique opportunity for documents to be forged: a date written as 1/5/20 can easily be altered by adding digits to the end, making the date earlier or later than intended.
Texas DIR and TAMU System help promote awareness through various programs. DIR recommends review of the NICCS content noted here, sponsored by the Department of Homeland Security:
With the January 3rd announcement of the side-channel MELTDOWN/SPECTRE vulnerabilities and their impact on billions of devices, it seems IT Security is 35 points behind at the start of the 4th quarter and the other team knows we are throwing long on every play. Clearly, everyone associated with technology – from the processor engineer to the student worker racing to a workstation with a browser pop-up announcing the user has “won” an Amazon gift card – now knows they have a long-term role in IT Security.
We aren’t in the 4th quarter!
IT security takes a game plan. In the frenzy of an announcement, we sometimes lose sight of the greatest risks. Take MELTDOWN. It is not in the wild. Exploiting this vulnerability, which security researchers discovered, would require intrusive software already running on the device. It has even been said that successfully mapping memory through the vulnerability and then planting an exploit is a matter of statistical probability, either over a long period of time or across many devices. Guess what? It is even harder when a user reboots 🙂 The NIST National Vulnerability Database rates these as medium-risk vulnerabilities with a low exploitability score. Contrast that with ransomware, which is high risk and has double the exploitability.
So what’s the game plan? If I were the lone IT support person for 300 end-user devices and a handful of servers, I would expect to spend 30 hours a month on IT security and compliance. Some of that time each month goes not just to patching, scanning, and fighting AV and packet-sniffing alerts, but to educating users (USERS REMAIN THE GREATEST RISK), increasing security through automation, and getting rid of legacy security “holes” (like too many local administrators and old OSes). We’re not going to lose this game! We are only at half-time, and while a little behind we have a good game plan: USER EDUCATION, vulnerability management, patch management, more security automation, and our all-SEC running back.
So what to do about MELTDOWN/SPECTRE? Intel has said that if the OS is patched, MELTDOWN does not really require a firmware update. Of the two variants of SPECTRE, both INTEL and the flip-flopping AMD have announced they still must complete firmware that addresses one of the variants, and it will be weeks before that firmware is out. Chrome is about to release a browser version that purposely slows down direct cache processing to close the timing hole that can be exploited via the Chrome browser. Part of risk management is knowing your high-value targets. That means the first things to patch are servers with lots of credentials in memory; then, in February, when there is a long-field-tested stable firmware, test the firmware on one low-impact system before applying it to the high-value targets.
There is a lot of information on these exploits, but one of the best references is Intel itself. At the link below, INTEL lists both what it and other vendors, from Acer as an OEM to Microsoft to Ubuntu, are doing. Now let’s go out there on the field and take the lead!
Email is a hacker’s best friend!
Some of us probably use a handful of different mail clients on different platforms at home, at work, and on mobile. Counting the different product versions still in use, there are almost 100 mainstream mail clients that might be in use. So it is not surprising that a security researcher recently found over 30 mail clients with a vulnerability he dubbed Mailsploit. The researcher abused the encoding extension that lets email headers carry non-ASCII text, using it instead to spoof header information, circumvent anti-spoofing software, and inject code into certain lesser-known mail clients.
This is why it is extremely important that users who prefer a particular mail client for its features or taste recognize that they can be spoofed. If they choose a value-added mail client/app, they should be aware that they are accepting risk. Outlook, Outlook Web Access, and Gmail do not carry the Mailsploit risk, but the client list shared by the researcher also points out which clients/apps can be exploited, and some of these are very mainstream clients on millions of devices. Most of us think very little about our mail client on a daily basis. As an example, many Outlook users believe they can easily recall messages via the Recall function. They have no concept of the Exchange Store dependency, or of the fact that the recipients must also be using Outlook for a recall to succeed; thus many messages thought to be recalled never really are. How could a user be expected to understand what happens when an email header is unwrapped?
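As an added example (not from the original post or the researcher’s own tooling), here is the kind of check a mail gateway or client could run before rendering a sender: decode the RFC 2047 encoded-words in a From header the way a client would, then flag a decoded display name that hides control characters or shows an address different from the real one. The headers and example.com/example.net addresses are constructed placeholders.

```python
import email.header
import re

# Constructed From headers for the check (not real messages).  The third one
# encodes a display name that, once decoded, reads "ceo@example.com" followed
# by a NUL byte; a client that stops at the NUL shows only the fake address.
SAMPLE_HEADERS = [
    "Alice Example <alice@example.org>",
    "=?utf-8?Q?Jos=C3=A9_Example?= <jose@example.org>",
    "=?utf-8?Q?ceo=40example.com=00?= <mailer@example.net>",
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_SPEC = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$", re.S)


def decode_encoded_words(text: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?Q|B?...?=) like a mail client."""
    parts = []
    for chunk, charset in email.header.decode_header(text):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def analyze_from_header(raw: str) -> dict:
    """Split a raw From header into display name and real address, decode the
    name, and report anything that could mislead the user about the sender."""
    m = ANGLE_ADDR.match(raw)
    if m:
        name_raw, real_addr = m.group("name"), m.group("addr").strip()
    else:  # bare addr-spec, no display name
        name_raw, real_addr = "", raw.strip()
    name = decode_encoded_words(name_raw)
    findings = []
    if CONTROL_CHARS.search(name):
        findings.append("control characters (NUL/CR/LF) hidden in encoded display name")
    for addr in ADDR_SPEC.findall(name):
        if addr.lower() != real_addr.lower():
            findings.append(f"display name shows {addr!r} but real address is {real_addr!r}")
    # What a client that truncates at the first NUL would render for the sender
    rendered = name.split("\x00", 1)[0] or real_addr
    return {"display_name": name, "real_address": real_addr,
            "rendered_as": rendered, "findings": findings}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = analyze_from_header(h)
        print(f"{h!r}\n  rendered as: {r['rendered_as']!r}")
        for f in r["findings"]:
            print("  FLAG:", f)
```

The benign encoded header (accented name) decodes cleanly and produces no findings, which is the point: the encoding itself is legitimate, and only control characters or a second address inside the decoded name are worth alerting on.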
Not only is email a hacker’s best friend, but at phishing time email is a very loyal companion!
Phishing has overtaken brute force as the preferred method of getting credentials. The sophistication with which some phishing attacks impersonate legitimacy is quite astonishing. As most up-to-date browsers now alert users to sites that are “Not secure” (sites that do not use https), phishers have been moving their attack servers to hosts with valid SSL certificates. PhishLabs reports that a quarter of all attacks now link to an https site with a valid certificate, which the browser will show as secure (the green lock and “Secure” label in Chrome). What compounds the problem is that the phishers also make sure the certificated site’s URL appears legitimate at a glance:
As a point of education, go to PhishTank and, if you have an hour, page through all the phishing sites reported in a single hour. It may well take you an hour to get through one hour’s worth of reports; it is staggering. Take time to click a few whose names seem of interest; PhishTank gives you a safe, framed view, so you can see how legitimate the phishers’ credential-capture entry screens appear. Many security firms have pointed out that phishing training is most effective when users are sent internal test emails that measure whether the targeted users click the link. An unanticipated pseudo-phishing email prepared by IT to identify users who need phishing training is worth a dozen abstract warnings. When it comes to changing phishing behavior, training that helps users learn by doing has been measured as far more effective than just getting a “be aware …” email.
In the 20th century folks used to worry about their snail mail being stolen, a paycheck taken or their accounts compromised; in the 21st century the worry is that you might click the email link that compromises your life!
So as we get those New Year’s emails from old acquaintances – hopefully not forgotten – or what looks like a Facebook email reminder about a holiday party photo you are tagged in, we really need to know what we’re clicking on. Or better yet, your Security Team hopes you enjoy the holidays with as little work clicking as absolutely necessary!