Tuesday, January 19, 2016

Open Season on ID Theft

It's that time of year again, tax time for the US and UK. Scammers keep track of the dates, too, and they've rolled out their 2015 tax year-themed malware and identity theft campaigns.

So how do they trick victims? The most common method is phishing. Here's an example making the rounds:

Clicking on the link takes the victim to a page that looks similar to this:

There are several hints that neither the email above nor the purported IRS page are legitimate. First and foremost, according to the IRS, they won't "initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

Next, take a closer look at the URL:

Notice the domain name, "executiva.net." It should be obvious that the IRS web pages are all hosted on irs.gov.

Another clue in the URL is something we see often in phishing pages, the presence of multiple top level domains (TLDs). In this case, we see both ".com" and ".net." Without going too far into the technical weeds, a domain's TLD is the root of its home on the Internet where browsers or other Internet-connected devices can find it. While a domain can be registered with multiple TLDs,- such domain.com, domain.net, domain.org, etc. - each will reside on separate websites in order to route properly with each root TLD serving as a guide. There can be only one at a time.

So what can you do to protect yourself this (and every) tax season?

1) As mentioned in previous posts, I'm a fan of security freezes. It can be a hassle but a one-hour investment of your time buys you a lifetime of peace of mind.

2) Never click on links in emails. Period. Too many online companies have trained us all to click but it's safer to type in the web address yourself to ensure that you land where you expect to land.

3) Hover your mouse over hyperlinks in email. In all browsers that I can think of, this reveals the full and true address associated with the link. In phishing emails, you'll notice mismatches between what you expect to see and the real address.

4) Report phishing attempts to the IRS. They have great information and guidance, along with appropriate reporting email addresses, here: https://www.irs.gov/uac/Report-Phishing

Tuesday, December 1, 2015

Keep Your Spirits Bright

The holiday season is upon us, the time of year when we defy our normal spending and travel patterns. A bicyclist in Los Angeles hops on a plane to visit friends in Omaha where they spot a great deal on a putter that they ship to their favorite uncle in Texas. A Memphis lawyer spends Cyber Monday hunting for the best deals on imported wine for pickup in an NYC shop for their former college roommate. Best friends head to Las Vegas for a break from the early Colorado winter.

Why are these activities important? Because banks and credit card processors use automated fraud detection systems that "learn" our normal spending habits and locations then raise alerts on anomalous behaviors. The bad guys look forward to this time of year as much as kids await the season's first snow day. Fraudsters can count on consumers breaking their own models which may slow down these anti-fraud detections, giving criminals more time and flexibility for identity theft.

Some banks are better at detection than others, of course. But the onus isn't completely on them. There are simple steps you can take to protect yourself.

First and foremost, everyone should have a security freeze on their credit. Sometimes called a "credit freeze," this requires your direct participation to grant explicit access to your credit report in any request for information or application against your social security number. It's a bit of a pain to implement because you need to contact all of the "big 3" credit reporting agencies - Experian, Equifax and TransUnion - but the hour or so out of your life is worth the peace of mind knowing that fraudsters can't open new accounts in your name. You can learn more about security freezes at the FTC website here: http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

There are other steps you can take to keep the criminal Grinches at bay. Check your bank and credit card activity online more closely during the holidays, at least once a week. And while you're there, enable two-factor authentication ("2FA"), sometimes called "advanced access" or "identification code." This is a huge step in preventing bad guys from brute-forcing and/or phishing your login credentials. You can read more about that topic in my previous post, "What's In a (Pass)word?" Since that post was first published, more online services offer 2FA including banks, email providers and social networks.

With these few precautions, you can spend less time worrying about identity theft, or, worse, cleaning up the aftermath of fraud, and spend more time with loved ones. Happy holidays!

Friday, September 25, 2015

One Woman's Perspective

The topic of women in technology has come up a lot this year. I have never wanted to be included in any group, team, or job simply because my gender meets some diversity quota. I have always expected (and sometimes demanded) to be recognized for my unique skills and talent. What sets me apart, and I've noticed a similar trait among the other women in cyber crime fighting circles, is that I'm not just competent but also confident. I can only speak from my own experience but that confidence started with my parents. They told me - and showed me - that I could be or do anything and I believed them.

My mother led by example, breaking barriers as the first female stadium announcer in the US; she was the voice of the Reno Silver Sox, a now-defunct minor league baseball team. When we left Reno she worked as a temp in our new home town and soon rose to the executive level at that agency. In my house, gender inequity was something we saw on TV that my parents had a heck of time explaining to me.

As a little girl I broke things to figure out how they worked then I put them back together. Sometimes I made them work better than they were before or added capabilities. I started with radios and telephones, graduated to televisions and small appliances, and, ultimately, found my way to computers and software.

So, what did my parents do during my auspicious early years? My dad gave me a corner of his workshop and some basic safety instructions then turned me loose. He took me to Radio Shack to spend my allowance on electronic components when I wanted to build things from scratch just to see if I could. He gave me old junk that hadn't worked for years so I could tinker or cannibalize the parts for other projects. I have a brother who showed similar interests. My dad treated us exactly the same.

That's where the magic happened and that's where I think the we can all effect real change - if you have a daughter, feed her curiosity, encourage her enthusiasm and give her the confidence to follow her passions. If you don't have a daughter, it's a safe bet you know someone who's a parent of a daughter, whether they're your friends, your cousins, your in-laws, whatever.

Accomplishments take perseverance and perseverance requires a "damn the torpedoes" attitude which comes from within, not from someone saying "we need more <insert your underrepresented group here>." I believe I can accomplish any goal because I don't stop until I do and I now have a track record to prove it. That's the challenge I throw down in front of each of you, and will continue to tackle myself. Mentor girls. Inspire girls. Encourage girls. Be among the people they remember who gave them the confidence to keep going.

Sunday, April 5, 2015

What's In A (Pass)Word?

Prevailing wisdom among information security practitioners is that passwords are outdated as a secure means of authentication. However, until a better way achieves wide adoption they are a fact of online life.

Password Harvesting

So how do the bad guys get your password in the first place? There are lots of ways:

  • Sites like LeakedIn and Pastebin are popular locations for "dumps," collections of usernames or email addresses and associated passwords found by good guys, disclosed by rivaling bad guys, or posted as proof of an attacker's l337ness.
  • Spammers buy or trade validated credential dumps in underground forums, lists of usernames/email addresses with passwords that they've proven to be active by running them through automated account checking programs to log into the account at least once.
  • Credential-harvesting malware, like keystroke loggers and web form injections, that collect usernames and passwords typed into browsers on victim computers and get sent to a central collection point under the attacker's control.
  • Phishing emails that entice victims to login into replica, or "spoofed," websites that look exactly like popular online banking and email sign-in pages.
  • Brute force attacks against websites built on popular free platforms, like Wordpress and Joomla, or Internet-facing databases using automated scanning and exploit tools.

All of the attack tools are incredibly easy to find and so are credential dumps.

3 Basic Rules

The best defense is a good offense. It's trite but true. Let's start with the basics. Good password hygiene consists of 3 factors: complexity, length, and uniqueness.

A complex password is one that consists of upper and lower case letters, numbers, and special characters. The purpose of complexity is to defeat password crackers, automated programs that compare encrypted or hashed passwords against word lists. This is euphemistically known as a "dictionary attack" for a good reason. Password crackers run comparisons against plain language word lists and obvious variations. The more recognizable the password, the faster it can be cracked. For example, poppy123 is revealed in milliseconds, while pO9Py!@# can take hours or days, depending on the password-cracking program.

Just as important is password length. To grossly oversimplify the description of the computational process, password crackers "recognize" each character of a password, one by one. Therefore, the longer the password, the harder you force the cracker to work. It's kind of like the joke about outrunning an angry bear - you don't need to have the longest password, you just need to have one that's longer than the next guy's. Miscreants who crack passwords are typically going for quantity. They stop cracking when they've decrypted a victim list long enough to be worth their while, financially speaking. The harder password hashes get tossed out or recycled into credential lists they'll later sell or trade themselves for someone else to have a whack at them.

The single most important hygiene factor is uniqueness. This means that every time you register for an online account or change an existing password, you create a password that you don't use anywhere else. In other words, your email password is different from your Facebook password that's different from your Twitter password, banking password, and so on. Obviously, this means we have to keep track of an awful lot of passwords. There are several schools of thought on how best to do this. There are apps called password lockers that let you store all of your passwords and associations in a single place on your computer or smart phone. There's also good, old fashioned pencil and paper - writing down this information in a notebook. Some people I know use "forgot your password" as their preferred method, using this feature on websites to change their password every time they log in, subscribing to the above concepts with zeal because they're not worried about remembering it. Each password management method has its pluses and minuses. The right way is the one that works for you.

Additional Protections

But, wait, you're saying. What about that credential-stealing malware and phishing mentioned earlier? All the clever strategies in the world won't help if you hand your password to the bad guys in these cases. And you're right. This is where two-factor authentication and keystroke scrambling come in.

Two-factor authentication, also known as 2FA, is where you not only need a password but another piece of code to prove that you are who you say you are. Examples of this are cryptographic tokens, like chip-and-pin cards or USB dongles, and SMS text codes, a unique identifier sent to your cell phone that you type into a website to complete the login process. The former can't be easily replicated by miscreants, while the latter can be captured by keystroke loggers but the data is nearly worthless because it's only good for a very limited time. If you notice my equivocation, this is intentional. No 2FA method is 100% hack proof but, again, the harder the challenge the more likely the bad guys will go after easier targets and away from you.

Keystroke scramblers are anti-keystroke loggers, programs that turn your typing into random characters when collected by malware and phishing sites, while sending the real information to the website you're logging into. Keystroke scramblers do this by encrypting each action of the keyboard at the driver or operating system kernel level and verifying the recipient website. Again, this technology isn't 100% guaranteed to keep your passwords out of the hands of the bad guys but it certainly makes your information a less desirable target by wasting their time.

Will passwords be replaced with stronger authentication mechanisms some day? A lot of smart people are working towards this very goal. Until a solution is ubiquitous, these tips should help you stay safer online.

Tuesday, March 12, 2013


I love my day job. It can be a lot of fun. I used to say that one of the reasons I enjoyed my work is that no lives were at stake. It wasn't like I worked for a hospital or the military. Then I saw a call for help in a computer security forum. Life has a funny way of making a point.

Back in the olden days of 2007 computer forensics practitioners like me were discouraged from working at the defense table in a courtroom. One of the best known industry groups at the time flat-out rejected the application of anyone who had ever worked against a plaintiff or prosecution in any jurisdiction. Thus, when I saw a plea by Alex Eckelberry, a respected name in security circles, I knew he faced an uphill battle in his quest. I jumped at the opportunity to right not only the wrong that Alex set out to fight, but also what I felt to be a breathtakingly misplaced bias among industry peers. Scratch that. I didn't "feel" it, I knew. I came to technology from a litigation background. I worked almost exclusively for defense attorneys and I knew what evil lurked in the hearts of men and hard drives. As I advanced through the digital forensics field, a few among us talked about the day when computer evidence wrongly interpreted would send an innocent person to jail. The State of Connecticut vs. Julie Amero proved us prescient.

Julie Amero was a substitute teacher who had been convicted in a 6-day trial and faced 40 years in prison for multiple counts of impairing the morals of a minor. How did she allegedly accomplish this fiendish feat? Porn-related pop-ups on a classroom computer.

In  January 2007, Alex helmed an anti-malware company and read about the case in a newspaper. That was how most people got their news back in those days. He knew, without even knowing the details, that such a porn storm was the hallmark of certain families of malicious programs. These programs almost never got onto a computer with users' knowledge much less intention. The sentencing was to take place in March so Alex put out the call. He needed people who could help him free her. Fast.

If anyone asked, I would tell them we worked on the case for at almost a year. Going back through my notes and email it turns out that it all happened in a little over two months. The team was assembled in February, the evidence analyzed, the sequence of events recreated and presented in a summary document to the Connecticut State Attorney in March. None of us were paid. That was never the point. Someone's life was at stake. Hell, one life had already been lost - Julie had been pregnant when she was arrested. The emotional strain took a physical toll and she lost the baby. Our team did our damnedest to free her from further suffering at the hands of amateurs and the uninformed.

We won. Sort of. The original conviction got vacated but the AG had political aspirations. He pushed for a new trial. Julie's health continued to be pummeled, along with her reputation throughout her ordeal. She eventually copped a misdemeanor plea to end it. You can read the forensic team's report here. Alex blogged about the case case here; this post links back to many others. You can see the Good Morning America post script here.

So, yeah, I love my job. I change lives. Once in a while, I'm honored to save one.