In case you’ve missed it, the holiday season is here. And at Ping, we’ve developed something of a tradition. Last year, we shared (and very capably voice acted, if we do say so ourselves) A CyberSecurity Christmas Carol. This time, we tackle another classic tale, and it’s a bit poetic. Of course, this story has a network security bent, because that’s what we do. Gather round your phone, laptop, Alexa, or whatever podcast-listening device you favor, for ‘Twas the Hack Before Christmas.
In an anything-but-silent night of headlines, hear about the FireEye/SolarWinds/federal government cyber attack. Then we share concerns about the cybersecurity of COVID-19 vaccine distribution. Finally, we review why Google services like YouTube, Gmail, and more went down on December 14.
Oh, and Happy Holidays!!
Google gave websites a not-so-subtle prod toward security in 2018. Beginning in July, Google Chrome started visibly marking all HTTP sites as “not secure” in the address bar, signaling to visitors that anything they send to or receive from a non-HTTPS domain travels unencrypted. What does this change mean for you, and why does Google think the move is worthwhile? Keep reading to learn more about the security-focused changes rolling out this year.
Where Is the “Not Secure” Warning?
Starting with Chrome version 68, Google marks the address bar with one of two indicators. If the connection is secure, a green padlock with the word “Secure” (or, for sites using an Extended Validation certificate, the verified organization name) appears at the far left of the site URL. Sites still served over plain HTTP display a gray “i” icon accompanied by the ominous phrase “Not Secure.”
What’s the Difference Between HTTP & HTTPS?
Hypertext Transfer Protocol (HTTP) is the protocol your browser uses to talk to the website you are accessing. Plain HTTP travels as readable text, so anyone on the path between you and the server (a shared Wi-Fi hotspot, an ISP, a compromised router) can read it, and can also modify it before it reaches you; third parties do exactly that to glean visitor activity and browsing behavior. In HTTPS, the additional “S” stands for “Secure”: the same HTTP traffic is carried inside a TLS connection (the successor to SSL, though the certificates are still commonly called SSL certificates), so it is encrypted and integrity-protected in transit and unreadable to third parties. A website served over HTTPS has obtained and deployed such a certificate, and before issuing one a certificate authority verifies that the requester controls the domain. Commercial CAs charge for this, but Let’s Encrypt issues domain-validated certificates for free. Note what the padlock does and does not tell you: it confirms that you are talking privately to the domain shown in the address bar, not that the people running that domain are honest. Phishing sites can and do use HTTPS.
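To make the “readable by third parties” point concrete, here is an added example (not code from the original article) that parses a constructed capture of a login form submitted over plain HTTP, the way a passive observer on the path would see it, and pulls out the credentials and session cookie. For contrast it also parses the only part of an HTTPS exchange such an observer gets: the 5-byte TLS record header. The request bytes, host name `shop.example`, the field names and the “ciphertext” bytes are all constructed for the demonstration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a login form submitted over plain HTTP, exactly as an
# on-path observer (hotspot operator, ISP, compromised router) would see it.
CAPTURED_HTTP_POST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=7f1c2a9e4b\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 51\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=hunter2&next=%2F"
)

# Constructed sample: a GET whose secret sits in the query string.
CAPTURED_HTTP_GET = (
    b"GET /reset?token=9d8c7b6a&user=alice HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"\r\n"
)

# Constructed sample: one TLS application-data record. Only the 5-byte header is
# meaningful to an observer; the 12 payload bytes are arbitrary stand-ins for
# ciphertext, not real TLS output.
CAPTURED_TLS_RECORD = bytes.fromhex("17 03 03 00 0c") + bytes(range(12))

# Form field names that usually carry something an attacker can reuse.
FIELD_HINTS = ("password", "passwd", "pwd", "token", "card", "cvv", "ssn", "secret")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, host, path, cookies and the
    form fields carried in the query string and/or urlencoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes belonging to a following request are ignored.
    body = body[: int(headers.get("content-length", "0"))]
    target_parts = urlsplit(target)
    fields = dict(parse_qsl(target_parts.query))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(body.decode("iso-8859-1")))
    cookies = dict(
        kv.strip().split("=", 1) for kv in headers.get("cookie", "").split(";") if "=" in kv
    )
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": target_parts.path,
        "fields": fields,
        "cookies": cookies,
    }


def exposed_secrets(request: dict) -> dict:
    """What an eavesdropper can reuse: credential-looking form fields plus every
    cookie (a session cookie is as good as the password that created it)."""
    found = {
        name: value
        for name, value in request["fields"].items()
        if any(hint in name.lower() for hint in FIELD_HINTS)
    }
    for name, value in request["cookies"].items():
        found["cookie:" + name] = value
    return found


TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def describe_tls_record(raw: bytes) -> dict:
    """All the same observer learns from HTTPS: record type, the legacy version
    field and the fragment length. The fragment itself is opaque ciphertext."""
    if len(raw) < 5:
        raise ValueError("truncated TLS record header")
    return {
        "type": TLS_CONTENT_TYPES.get(raw[0], "unknown"),
        "legacy_version": f"{raw[1]}.{raw[2]}",   # 3.3 on the wire for TLS 1.2 and 1.3
        "length": int.from_bytes(raw[3:5], "big"),
        "readable_payload": None,  # nothing without the session keys
    }


if __name__ == "__main__":
    for capture in (CAPTURED_HTTP_POST, CAPTURED_HTTP_GET):
        req = parse_http_request(capture)
        print(req["method"], req["host"] + req["path"], "->", exposed_secrets(req))
    print("TLS:", describe_tls_record(CAPTURED_TLS_RECORD))
```

The HTTP parser deliberately handles both places credentials end up (the query string of a GET and the urlencoded body of a POST) and honours Content-Length, because a capture of a keep-alive connection contains several requests back to back. Over HTTPS the observer still sees the record lengths and timing, which is why TLS hides content but not the fact that you are talking to a given host.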
Securing your website with a certificate should be considered not only the “new normal” for the web, but the bare minimum security measure that vendors and site operators owe their visitors. This is especially crucial for ecommerce, banking, or financial websites where sensitive information such as credit card numbers or personally identifying data is being submitted.
Should I Avoid Non-Secured Websites?
The short answer is: in most cases, yes. If you plan to give your credit card or bank account information to a website, that site owes it to you as a customer to at least attempt to keep your data secure. Obtaining a certificate and moving a site to HTTPS takes some effort (and, historically, money, though free domain-validated certificates and automated renewal have removed most of that cost), and it is the good-faith step organizations take to signal that your data will be protected in transit. Sites that still have not deployed a certificate have usually chosen to cut corners. Your personal data should not be sacrificed for someone else’s bottom line.
If you make a purchase through an unsecured ecommerce website, understand that your card details travel to that website’s server with no encryption in transit, readable by anyone on the path. With 81 of the Internet’s top 100 websites having migrated to HTTPS and Google pushing aggressively to extend that trend, HTTPS is no longer an added benefit but a cost of doing business in the modern world.
Over the last year, Google teamed up with the University of California, Berkeley and the International Computer Science Institute to collect, analyze, and report data on the contemporary landscape of black-hat email credential theft. Between March 2016 and March 2017, Google anonymously inserted themselves into private forums, credential-trading markets, and dark web paste sites in order to learn how the bad guys looking to steal your login and password information are operating and evolving. Or, as Kurt Thomas et al., the authors of the study, put it, the work “presents the first longitudinal measurement study of the underground ecosystem fueling credential theft and assesses the risk it poses to millions of users.” So, what does that all mean for you? Let’s break down the numbers and outline three major takeaways from Google’s study to understand how miscreants are trying to compromise your email security.
The study analyzed datasets of purportedly stolen email credentials collected throughout 2016. Of these, roughly 788,000 credentials came from keyloggers, 12.4 million from phishing kits, and 1.9 billion from larger data breaches.
1. The Bad Guys Are Staying Up-To-Date. Are You?
If you’ve considered beefing up your security infrastructure but decided that it’s probably safe to lag a year or two behind the latest technology, you’re being outpaced by the attackers. Online black-hat forums distribute pre-built phishing kits and keyloggers in thousands of variants and iterations to ensure that they stay on the cutting edge of cyber crime. Google’s study identified over 4,000 different phishing kits available in 2016, and those are only the variants they DID find.
The bad guys aren’t making off with information from old, unused, or abandoned accounts only. Between 7% and 25% of the recovered credentials matched the current login credentials of the accounts they were stolen from. (Don’t worry, Google made sure to reset any compromised accounts they identified!) Phishing kits in particular showed troubling results here: a whopping 25% of the phished data that Google reviewed matched current, usable login credentials. The study concluded that victims of phishing kits are 400 times more likely to be successfully hijacked than an average user.
2. Corporate Phishing is a Cyber Gold Rush
That old prospector was right when he warned us about the dangers of social engineering in the age of communication. During the research period, Google observed 234,887 potentially valid credentials being transmitted to an exfiltration point (the attacker’s collection email address) per week. Read that again. Not 234,887 attempts: 234,887 successful transmissions of potentially valid credentials per week. The estimated success rate for a phishing kit is 9%.
Phishing kits were largely aimed at victims located in the United States, with just shy of 50% of identified victims’ geolocations based in the U.S.
83% of phishing kits collect geolocation data in addition to login credentials
40% collect financial information such as credit card data
18% collect phone numbers
16% collect User-Agent data such as the browser, device, and platform in use at the time of the attack
9% collect social security numbers
3. “Stronger Passwords” Can Only Do So Much
Increasingly, organizations are coming to terms with the fact that a simple login/password combination is the bare minimum when it comes to email security. Even hashing does not save a stolen password database when the hash is a fast one: Google’s report estimated that almost 15% of the breached credentials in the study were hashed with MD5 and 10% with SHA-1. Both are general-purpose hash functions designed to be fast, so an attacker with a consumer GPU can test billions of guesses per second against them. A salt stops precomputed tables and forces each account to be attacked individually, but it does nothing to slow down a dictionary attack. Password storage should use a deliberately slow, memory-hard function such as bcrypt, scrypt, or Argon2.
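The following added example (not from the study or the original article) shows why the hash function matters more than the salt. It builds a constructed “leaked” dump of salted MD5 hashes, recovers the passwords with a tiny wordlist in an offline dictionary attack, and then shows the corrected storage using scrypt from the Python standard library, with a timing loop that measures how many guesses per second each scheme allows on one CPU core. The user names, salts, passwords and wordlist are all invented for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample dump (not real breach data): user, salt, and the password
# we will hash; only the salted MD5 digest would appear in a real leak.
_PLAINTEXT_FOR_DEMO = [
    ("alice@example.com", "9f3a", "welcome1"),
    ("bob@example.com", "c01d", "Summer2016!"),
    ("carol@example.com", "7e2b", "correct horse battery staple"),
]

# A tiny constructed "wordlist"; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "Summer2016!", "dragon"]


def md5_salted(salt: str, password: str) -> str:
    """The weak scheme: a fast hash with the salt simply prepended."""
    return hashlib.md5((salt + password).encode()).hexdigest()


# What the attacker actually holds: {user: (salt, hexdigest)}.
LEAKED_MD5_DUMP = {user: (salt, md5_salted(salt, pw)) for user, salt, pw in _PLAINTEXT_FOR_DEMO}


def crack_md5_dump(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack. The salt is stored next to the hash, so it
    only forces one hash per guess per user; it does not slow the guessing."""
    recovered = {}
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            if md5_salted(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered


# The corrected scheme: scrypt, deliberately slow and memory-hard.
# n=2**14, r=8 needs about 16 MiB per hash; maxmem caps what OpenSSL may allocate.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024)


def scrypt_hash(password: str, salt: bytes = None) -> tuple:
    """Returns (salt, 64-byte digest); a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def scrypt_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(hash_one, seconds: float = 0.2) -> float:
    """How many guesses one CPU core can test per second with a given scheme."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_one("guess%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print("recovered from salted MD5:", crack_md5_dump(LEAKED_MD5_DUMP, WORDLIST))
    fixed_salt = b"\x00" * 16
    md5_rate = guesses_per_second(lambda p: md5_salted("9f3a", p))
    scrypt_rate = guesses_per_second(
        lambda p: hashlib.scrypt(p.encode(), salt=fixed_salt, **SCRYPT_PARAMS))
    print(f"MD5: ~{md5_rate:,.0f} guesses/s; scrypt: ~{scrypt_rate:,.1f} guesses/s")
    print("slowdown factor:", round(md5_rate / scrypt_rate))
```

Carol’s passphrase survives only because it is not in the wordlist; Alice and Bob fall instantly regardless of the salt. The slowdown factor printed at the end is what a slow KDF buys the defender: the attacker still gets to try every word, but each try costs tens of milliseconds and a large memory footprint instead of a few nanoseconds.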
To make matters worse, victims are not learning from the experience: of users whose credentials were stolen, only 3% later enabled two-factor authentication rather than continuing with a password alone.
What Can I Do About It?
These numbers may be grim, but so long as organizations are as dedicated to email security as the bad guys are to stealing data, there is hope. Growing adoption of two-factor authentication and password managers means the business world’s approach to cyber security is, begrudgingly, moving past the bare minimum. Email security subscriptions, encryption services, and anti-virus/anti-spam clients take that further. Here are a couple of recommendations for products that can help keep your login credentials from winding up on a black-market spreadsheet.
Email encryption is the process of encrypting the content of outbound messages so that third parties who intercept them cannot read them. With public-key email encryption, the readable plaintext is turned into ciphertext using the recipient’s public key, and only the matching private key, held by the recipient, can turn it back; anyone who intercepts the message in transit or on a mail server sees only the ciphertext. Email encryption services are usually subscription services that bundle additional features with message encryption, such as:
Record ID Matching: Scans outbound content for sensitive information before delivery
Attachment Scanning: Probes potentially harmful attachments to ensure safety before opening
Predefined Compliance Policies: Built-in policies designed to be easily deployable for common problems and compliance requirements such as HIPAA or PCI
Approval Boxes: Allows you to preview unverified emails before they are opened onto your network
SonicWall TotalSecure Email provides complete protection for both inbound and outbound email by providing award-winning anti-spam, anti-virus, anti-phishing, and policy and compliance management in one easy-to-use solution. For larger organizations there is simply no easier way to get complete email security. TotalSecure is a comprehensive package that protects your inbox by bundling several useful subscriptions together into a single strategy:
McAfee Anti-Virus: To keep the bugs at bay
SonicWall Time Zero: Protection from zero-day threats, focusing on the time frame between initial detection and receiving signature-based solutions
Corporate Phishing Protection: Uniquely identifies phishing attempts and enables admin to handle them independently from spam
Email Policy Management: Allows admin to quickly create and enforce corporate compliance policies
End-User Spam Management: Delegates spam management to end users, reducing false positives and easing the load on your IT staff