Phishing security email

Sent to my teachers and staff, names and addresses changed:

Welcome to the second letter in my series of information security tips!

Phishing is an attempt to get your information, including financial information, by masquerading as someone else. It most often takes the form of an email purporting to be from a trusted source. Take, for example, this recent, real message from right here at Cliff Valley.

From: Head of School [mailto:head@school.org]

Sent: Wednesday, May 06, 2015 12:08 PM

To: Finance

Subject: Request

Hi Finance,

 Hope you are having a splendid day. I want you to quickly email me the details you will need to help me  process an outgoing wire transfer to another bank.

I will appreciate a swift email response.

Thanks.

Head of School

Finance recognized this as suspicious right away. But look at all the things this phishing attempt got right. It’s a well-written email, apparently from Head of School’s actual email address, with a perfectly reasonable request. There are also a number of red flags here, such as the slightly stilted language, the vagueness, and a few formatting issues. But place this email in an environment where people don’t know each other as well, and it seems pretty convincing! If Finance weren’t so sharp, the email response would go to the phisher (the actual return address is different from the one appearing in the email, a process known as spoofing), and money would quickly disappear from Cliff Valley’s bank account to an untraceable account. A phishing attempt that is targeted at specific people, like this one, is called “spear-phishing,” and can be very effective.

Phishing attempts happen all the time! Check your spam or junk mail folder, and it will likely be filled with mail apparently from your bank, FedEx, and social media sites. These may look exactly like actual email from these sites and may have links that lead to legitimate-looking sites as well. There may not be any obvious warning signs that they’re phishing attempts.

Fortunately, there is an easy and foolproof way to protect yourself from these. NEVER follow a link from an email to a financial site. Just type the site’s name directly into the browser (do not cut and paste), and you can be sure to end up at the legitimate site. If you think you may have followed a suspicious link by mistake, you should log in to the legitimate site as soon as possible and change your password. Fortunately, most phishing attempts are easy to spot when you are looking for them. It’s important to be vigilant, however!
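For whoever administers the mail system, the spoofing sign described above (the address replies actually go to differs from the one shown as the sender) can be checked from the message headers. This is an added example, not part of the original email to staff; the sample message is constructed, and its Reply-To and Return-Path addresses and the `trusted_domains` parameter are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above. The Reply-To and
# Return-Path values are invented; the post does not give the real ones.
SAMPLE = """\
From: Head of School <head@school.org>
Reply-To: Head of School <head.school@mail.example>
Return-Path: <bounce@mail.example>
To: Finance <finance@school.org>
Subject: Request

Hope you are having a splendid day.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoofing_flags(raw_message, trusted_domains=("school.org",)):
    """List the ways a message's reply path contradicts its From line."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    flags = []
    # Reply-To decides where the answer goes; Return-Path is the envelope
    # sender. Bulk-mail services legitimately use a different Return-Path,
    # so treat that flag as weaker evidence than a Reply-To mismatch.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            flags.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # Internal-looking sender whose replies leave the organisation: the
    # spear-phishing pattern in the quoted message.
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom in trusted_domains and reply_dom and reply_dom not in trusted_domains:
        flags.append("internal sender, but replies leave the organisation")
    return flags


if __name__ == "__main__":
    for flag in spoofing_flags(SAMPLE):
        print("WARNING:", flag)
```

A message with no Reply-To header and a matching Return-Path produces no flags, so the check stays quiet on ordinary internal mail.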

Security Emails to Staff

A number of recent news items have convinced me I need to begin a series of cyber-security related emails at school. I’ll post those messages here, as well. I began with a recent news story.


Friday’s Scary Internet Attack

Last Friday, huge swaths of the internet were unavailable for much of the day. The outage was due to a Distributed Denial of Service attack, or DDoS. To over-simplify a bit, it involves sending a flood of messages to a computer to overwhelm it. This is usually a computer serving websites or email, for example. “Distributed” just means it comes from many computers at once, usually machines compromised by malicious hackers. This type of attack is well known, and has been around for a decade or more.

Two aspects of Friday’s attack make it different. First, the devices launching the DDoS were not unprotected home computers, as is typically the case. Instead, they were what is known as the Internet of Things (IoT). They were DVRs, baby monitors, and internet-connected cameras: new consumer products that connect easily to the internet. These devices frequently have poor security. In this case, tens of millions of devices were involved in the attack.

Second, the target of the attack was not a specific website, but part of the Internet’s infrastructure. The attack was aimed at a major DNS server hub. DNS is what allows you to type in a human-friendly address, such as fool.org, instead of a machine-friendly address, such as 151.101.193.143. DNS is one of the oldest parts of the internet and was built without modern security in mind, making it vulnerable to attack.

A third detail, which may be the scariest, is that the software to carry out this sort of attack was just released to the public, practically guaranteeing it will become a common occurrence. It’s now possible for just about anyone to launch this kind of attack if they have a minimal proficiency with computer hacking.

While this attack was against the central infrastructure of the internet, it was made possible by poor security of internet devices everywhere. It’s a scary reminder of the importance of keeping your online life secure, for your own safety as well as the safety of everyone else. In the coming weeks I’ll be sending some emails with ways to protect yourself and your devices. Please take a few minutes to read them. With just a little effort, we can avoid the scariest tricks this Halloween! Thanks,

Thom

Other sources:

NYTimes report

A more technical explanation, by a respected security professional.