Category: Network Security

Stop Clickers with Stickers! Security Awareness improvement for FREE!

Let’s see now, over the last several years working in IT Security and Security Awareness a few things have become crystal clear:

  1. Technologies are super easy to patch; you just need a process and a little buy-in.  After patching, the risk is minimal.
  2. People can’t be patched, even though sometimes we really wish they could be.   After security awareness training the risk is still present, albeit hopefully minimized to a degree.
  3. People need to be aware of security at all times; it has to become part of the business culture. Worrying about end users is what keeps me up at night–our business is one click away from losing brand reputation, money, private information or even (swallow hard) the IT Security guy’s job.  Generic security awareness is not good enough.

What if we security practitioners could keep security on the minds of employees all the time?  What if there was an easy way to keep people focused and thinking about the dangers of phishing emails, malicious websites and generally being more pro-security?   Sounds great, right?  Where do I sign up?    Haha!  If it were only that easy!

Combining that need with some of the motivators I’ve experienced over the years gave me an idea: what if the ‘free stuff’ phenomenon could actually drive down my phishing click rate?  Jeez…if it worked it would solve one of my main problems with security awareness (the ‘awareness’ part, for about 10% of end users) and do it in a way that is positive all around!    Although it is still in its infancy, I’ve been experimenting with this new method of ‘security through free stuff’.  Here’s how it works:

At security and IT conferences, I collect as much schwag (free promo materials) as I can, looking especially for the nice stuff (no offense to the pen-peddlers, but you guys really gotta up your game).  You know: T-shirts, cool laptop stickers, flashlights, Rocketbooks, light sabers and other geeky stuff and gadgets.  Sign up for it all!  (Then screen your calls for the next year…)  When I get back to the office, I give that stuff away like it were Aunt June’s fruitcake–but only after sneaking in a learning experience for unknowing end users.   For example:

A recent email I sent to the IT group: ‘You can win this new cloud-shaped stress ball, laptop sticker, pair of earbuds and a multi-device charger if you answer the following question:   “According to Verizon’s 2017 Data Breach Executive Report, what percentage of breaches were caused by weak or stolen passwords?”‘

Have the target audience send you the answer and raffle the schwag: keep track of the names in a text file, then paste them into a random selector site like http://www.miniwebtool.com/random-name-picker/ and pick a winner.   In this case there are actually two answers, although they are very close to each other–probably a rounding error!   But for those who give two answers, you have to assume they read the article fairly closely.  winning…Winning…..

Another idea is to have people reply with one security issue they have noticed in their work environment, and have each offer a possible solution to mitigate it.   This could work great for an IT team, because we all know of one area or another where there is a hidden risk that others may not be aware of.  It also gives the security guy insight into the inner workings of every IT employee’s area, including the risks and potential threats in their environment.  Mmuuhhaahahah!  Now you are getting it, right?

The great thing about this is it’s fun, it’s free and it disarms those people who are already grumpy about security by giving them something of apparent value for FREE!  The psychology behind this is fascinating.  Check out Rick Paulas’s column entitled “The Strange Effects of Free Stuff: How the allure of free tricks your mind into accepting irrational options”.   In that article he talks about the ‘Zero Price Effect’:

“When people are offered something for free, they have this extreme positive reaction that clouds their judgment.”

Haha!  Clouds their judgment!  Hey, if that helps someone to NOT CLICK something, I’m all for it!


Hey y’all…If you’ve made it this far, maybe you’ve got an idea or two to share!  Share your ideas and suggestions below!  Or if you would just like to send me some schwag and help the cause, contact me privately: nerd at nerdosaur.com!


Finding personally identifiable information (PII) with PowerShell.

Good network security involves defense in depth: you implement several different defenses to keep your network, platform or computer secure. The first part of a good defense is to keep the bad guys out of your network using a firewall, but in the event that they circumvent your firewall you need a ‘plan B’.   Plan B in this example could be application whitelisting on your devices, strong passwords, anti-malware, anti-virus, PC firewalls, least-privilege network design, etc. Okay, that’s all great–but what if the bad guys are able to circumvent ‘plan B’ as well?

That’s when you need to know what is on your network that they might want. If you have a server with personnel files or credit card information, that will most likely be the first place many miscreants would attack. But did you know there could be a goldmine of private information on your PCs and you don’t even know it? How much is the data on your PC worth? Brian Krebs has an interesting article called ‘The Scrap Value of a Hacked PC’.   The data on your PC may be worth more than you realize!
There are several tools out there that can find PII on your computer, but one easy and fast way is to run a PowerShell script. You can even use this script to find PII on other computers in your network. (Yes, if a bad guy gets in he could easily run this script against you and your network using the tools you already have on your PCs.)

Simply open PowerShell and paste in the following scripts to check your computer for SSNs. When a script is finished, it writes a CSV file with the results.

Find SSNs on a remote PC
Note: your credentials must have access to the target PC’s administrative share (c$); adjust the path to suit your needs. The UNC path syntax works for all of the examples below to hit remote targets.
Change the computer name from ‘mypc’ and the user name from ‘myusername’ to your target computer and user.
Change the path to a local path to scan locally, for example c:\users\fred.

# Finds SSNs with a space or dash (-) between the number groups on a remote PC.
# The separator class is [- ]: inside [...] a pipe is a literal character, not alternation.
# -ErrorAction SilentlyContinue hides access-denied noise; -NoTypeInformation keeps the CSV clean.
Get-ChildItem -Path "\\mypc\c$\users\myusername\desktop" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx -ErrorAction SilentlyContinue | Select-String -Pattern "\b[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}\b" | Select-Object Path, Line, LineNumber | Export-Csv "c:\ssn_pii.csv" -NoTypeInformation

Now that we’ve established we can look for SSNs, let’s scan for files on your PC with the word ‘password’ in them. Select-String is case-insensitive by default, so a plain pattern also catches ‘Password’ and ‘PASSWORD’.

# Finds ‘password’ (any case) in documents and saves the hits to a CSV file
Get-ChildItem -Path "c:\users\" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx -ErrorAction SilentlyContinue | Select-String -Pattern "password" | Select-Object Path, Line, LineNumber | Export-Csv "c:\passwordPII.csv" -NoTypeInformation

Now let’s scan for credit card numbers on your PC:

# Finds 16-digit card numbers starting with 3, 4, 5 or 6, written in groups of four, and saves them to a CSV file
Get-ChildItem -Path "c:\users" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx -ErrorAction SilentlyContinue | Select-String -Pattern "\b[3456][0-9]{3}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}\b" | Select-Object Path, Line, LineNumber | Export-Csv "c:\CC_PII.csv" -NoTypeInformation

I’ve found that some of these scripts give false alarms, as there are a lot of temp files with all sorts of numeric data in them, but the goal here is to find obvious breaches in your security at little to no cost. Keep in mind that Select-String reads files as plain text: it works well on .txt files and can pick up strings inside the older binary .doc/.xls formats, but .docx, .xlsx and .pptx are ZIP archives and PDF text streams are usually compressed, so hits (or misses) inside those are unreliable. If you want a full detailed report and automatic scans, you probably should be looking at a fully supported software solution.
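As an added example (not part of the original post), here is a more careful version of the same scan for Windows PowerShell 3.0 or later. It validates credit-card candidates with the Luhn checksum and SSN candidates against the ranges the SSA never issues, and it unzips .docx/.xlsx/.pptx files to scan their XML text instead of the compressed bytes. The paths, file masks and output file name are assumptions for illustration:

```powershell
# Added example (not from the original post): a PII scan that cuts down the
# false positives the one-line regex scans above produce.
#  - credit-card candidates must pass the Luhn checksum
#  - SSN candidates must fall in a range the SSA actually issues
#  - .docx/.xlsx/.pptx are ZIP containers, so their XML parts are extracted and
#    scanned (with the markup stripped) instead of the compressed raw bytes
# Paths, file masks and the output file name are assumptions; adjust as needed.

Add-Type -AssemblyName System.IO.Compression.FileSystem

$Patterns = [ordered]@{
    SSN      = '\b\d{3}[- ]\d{2}[- ]\d{4}\b'
    CC       = '\b[3-6]\d{3}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b'
    Password = 'password'
}

function Test-Luhn {
    # Luhn mod-10 checksum over a digit string (separators already removed)
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # cast via string: [int][char] would give the code point
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Test-Ssn {
    # Rejects area 000/666/900-999, group 00 and serial 0000, which are never issued
    param([Parameter(Mandatory)][string]$Digits)
    $area   = [int]$Digits.Substring(0, 3)
    $group  = [int]$Digits.Substring(3, 2)
    $serial = [int]$Digits.Substring(5, 4)
    return -not ($area -eq 0 -or $area -eq 666 -or $area -ge 900 -or $group -eq 0 -or $serial -eq 0)
}

function Get-FileText {
    # Returns the searchable text of a file; Office Open XML files are unzipped first
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    if ($File.Extension -in @('.docx', '.xlsx', '.pptx')) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($File.FullName)
        try {
            foreach ($entry in $zip.Entries | Where-Object Name -like '*.xml') {
                $reader = New-Object System.IO.StreamReader -ArgumentList $entry.Open()
                # strip the XML tags so a number split across <w:t> runs still matches
                try { ($reader.ReadToEnd()) -replace '<[^>]+>', '' } finally { $reader.Dispose() }
            }
        } finally { $zip.Dispose() }
    } else {
        # .txt and the legacy binary .doc/.xls/.ppt formats are read as-is, like Select-String does
        Get-Content -LiteralPath $File.FullName -Raw -ErrorAction SilentlyContinue
    }
}

function Find-Pii {
    param(
        [string]$Path = $env:USERPROFILE,
        [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx')
    )
    Get-ChildItem -Path $Path -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($text in Get-FileText -File $file) {
                if (-not $text) { continue }
                foreach ($kind in $Patterns.Keys) {
                    foreach ($m in [regex]::Matches($text, $Patterns[$kind], 'IgnoreCase')) {
                        $digits = $m.Value -replace '[- ]', ''
                        if ($kind -eq 'CC'  -and -not (Test-Luhn $digits)) { continue }
                        if ($kind -eq 'SSN' -and -not (Test-Ssn  $digits)) { continue }
                        [pscustomobject]@{ Kind = $kind; Path = $file.FullName; Match = $m.Value }
                    }
                }
            }
        }
}

# Usage (paths are assumptions): scan every profile on the box and write the hits to CSV.
# For a remote PC use the same UNC form as the one-liners above, e.g. -Path '\\mypc\c$\users'.
Find-Pii -Path 'C:\Users' | Export-Csv -Path 'C:\pii_scan.csv' -NoTypeInformation
```

The Luhn and SSN-range checks are cheap and remove most of the “random number in a temp file” hits; they do not make a match proof of PII, so still open the file before you raise an alarm.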

Now that you know how easy it is to find PII on your computers, clean them up and be careful where you use and keep your private data!

Add a Report Phishing Button in Outlook

Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!


PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations.   The service also provides an easy way for end users to report messages to their IT department and to use them for statistical tracking.  Their solution for end-user reporting is an Outlook add-in that gives the end user a single button to click to report messages.   I wanted the same thing for my security program, but we didn’t contract with PhishMe,  so I needed another solution.   I didn’t want to enlist a developer to create an Outlook add-in button, so  I came up with a relatively easy solution.   If you are good at scripting or have some workstation management tools this should be no problem to implement across the enterprise.   Below are the steps you can use to reproduce a  ‘report phish’ button in Outlook that automatically sends your security or IT department a full copy of the phishing emails.   It does more than forward the email: it sends the junk mail as an attachment, preserving the message headers that will be needed for forensics.


  1. Install the Microsoft Junk E-mail Reporting add-in for Outlook 2010 or 2013. The download can be retrieved at  https://www.microsoft.com/en-us/download/details.aspx?id=18275


  2. Open Outlook and verify you now see the junk options in the ribbon.

[screenshot: Outlook phish button]

  3. Right-click a blank space in the ribbon and choose ‘Customize Ribbon’. On the right side, under “Customize the Ribbon”, select Main Tabs and expand the Home (Mail) tab.  Click the ‘New Group’ button and rename it to something useful such as “report junk” or “report phish”.

  4. Next, select the  ‘report junk’ button on the left side and add it to the ‘report phish’ group you just created by clicking the ‘add>>’ button.    Rename it and give it an icon of your choice.  Now you should have a new icon in your main mailbox view that you can use to report junk.  By default, the add-in only reports the junk to Microsoft; however, with a registry hack you can blind-copy  (bcc) an email address of your choice.  The full junk mail message is sent as an attachment, with all the header information that is missing from a forwarded message.   This works great for sending to an IT department or a security operations center (SOC).

[screenshot: outlook phish 4]

  5. Your Outlook ribbon should now look similar to this:

[screenshot: outlook phish button toolbar]


  6. How to report phishing to your IT department across the enterprise.  If you want the junk email reporter to copy your IT department, add the destination email address to the registry using the following registry key.  (Typical registry-hack warning here: don’t do this if you don’t know what you are doing…)  You can also copy the following lines into your own .reg file; I’ll leave that up to you.   Replace the email address in the code with the address that will get a copy of the message.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]
"BccEmailAddress"="phishy@yourdomainhere.com"


  7. (Optional) Open an email in Outlook.  Since Outlook uses a separate ribbon for the mail-read view, you have the option of putting the new button there too.  Repeat the ribbon-customization steps above to create a button in the mail-read view if you choose.


  8. Now that you have created the new buttons, test them to make sure they work, using an email address of your choice as the bcc target and checking that the reported message arrives as an attachment with its headers intact.


  9. If you want to apply this to multiple computers across the enterprise, there are several ways to do it: use a script, SCCM or a workstation admin tool of your choice.  Make sure the following requirements are met on your PCs and you should be good to go:
    1. Verify that the junk email reporting add-in is installed.
    2. Copy the .reg file from the registry step above to all computers, or manually edit the registry with the email address you want the junk email to be copied to.
    3. From your working test computer, find the files olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\.     These files contain the ribbon customization you just created.  Copy them into each user’s profile, overwriting the files that are currently there.   Note: this will replace any previously created custom ribbons, so it may be a good idea to rename the old files first.
    4. Restart Outlook.
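As an added example (not the post’s own script), the four rollout requirements above can be handled by one PowerShell script run elevated on each workstation, or pushed through SCCM or your admin tool. It uses the registry path and value name from the .reg file in the registry step; the uninstall-entry name it searches for to detect the add-in, the share it copies the ribbon files from and the bcc address are assumptions, so adjust them to your environment:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): push the ‘report phish’ button to a
# workstation. Writes the same BccEmailAddress value as the .reg file above.
# Assumptions (adjust): the add-in's uninstall DisplayName contains
# "Junk E-mail Reporting", the ribbon files were exported from the test PC to
# $RibbonSource, and $ReportAddress is the mailbox your SOC/IT team reads.
param(
    [string]$ReportAddress = 'phishy@yourdomainhere.com',
    [string]$RibbonSource  = '\\fileserver\deploy\outlook-ribbon',
    # path from the post: 32-bit Outlook on 64-bit Windows lives under Wow6432Node
    [string]$RegPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins'
)

# 1. Verify the Junk E-mail Reporting add-in is installed (DisplayName match is an assumption)
$uninstallKeys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$addin = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*Junk E-mail Reporting*' }
if (-not $addin) {
    Write-Warning 'Junk E-mail Reporting add-in not found; install it before enabling the button.'
}

# 2. Set the bcc address the add-in copies reported mail to (equivalent to importing the .reg file)
if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name 'BccEmailAddress' -Value $ReportAddress -Type String
$written = (Get-ItemProperty -Path $RegPath -Name 'BccEmailAddress').BccEmailAddress
if ($written -ne $ReportAddress) { throw "BccEmailAddress not written (read back '$written')" }

# 3. Copy the customised ribbon files into every user profile, keeping the old ones as .bak
$ribbonFiles = 'olkexplorer.officeUI', 'olkmailread.officeUI'
foreach ($profileDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    $dest = Join-Path -Path $profileDir.FullName -ChildPath 'AppData\Local\Microsoft\Office'
    if (-not (Test-Path -Path $dest)) { continue }      # this user has never run Office
    foreach ($name in $ribbonFiles) {
        $target = Join-Path -Path $dest -ChildPath $name
        if (Test-Path -Path $target) {
            # keep a previously customised ribbon instead of silently overwriting it
            Move-Item -Path $target -Destination "$target.bak" -Force
        }
        Copy-Item -Path (Join-Path -Path $RibbonSource -ChildPath $name) -Destination $target -Force
    }
}

# 4. Outlook only reads the ribbon files and the registry value at start-up
Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "Outlook (PID $($_.Id)) is running; restart it to load the new button."
}
```

The read-back after Set-ItemProperty is what turns a silent failure (for example a 32-bit/64-bit registry mismatch) into a visible error, so keep it in whatever tool you wrap this in.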

I’ve noticed that this does not work in 64-bit Office installs; I assume this has something to do with the junk email reporting add-in.  These instructions will work with Windows 7 and Office 2010 and 2013.    It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you some great information on how end users react to phishing emails.  It also empowers the end user.  They are now becoming part of the solution, instead of part of the problem.

I really like to hear from you!  Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phish attacks!


How to Manage Spear Phishing Threats

For the last few years, the number of spam emails seems to have gone up drastically, and the danger of those emails has increased significantly as well.  Now that most of the pharmaceutical emails are being blocked either in the cloud or at the network perimeter, most of what is left is zero-day malware and other heinous exploits that can wreak havoc in the network.  Often this malware steals passwords or other private information, or holds your files for ransom, costing you hundreds of dollars, lost productivity and employee time.

This is one of the areas of network security we are constantly watching and trying to stay ahead of.

There are two basic types of spam email:

  1. Spam: Unwanted and unsolicited email advertising for legit or not-so-legit products, often including pharmaceuticals that should not be talked about in polite company.   Spam is literally ‘spammed’ to thousands of recipients, with the hope that a few make it through the spam filters and someone buys the product.
  2. Phishing: Phishing is sent in a similar fashion, but the end motive is much different.  Phishing emails are sent to trick the recipient into clicking an embedded link or opening an attached file so that malware can be installed.   The malware can do anything from encrypting your files (ransomware) to exploiting a weakness in an application on your computer, which can lead to the bad guys completely taking over your computer or using it for illegal purposes.


Phishing can be broken down even further:

  1. Spear phishing: The bad guy does some reconnaissance and finds out some specifics about who works at a company and what their job is, then specifically targets that individual with an email that looks legit but has fraudulent intentions.  For example, a bad guy may find out you work in accounts payable and send you a fraudulent mail asking for money to be wired to a new account.  This can be especially troubling if the bad guy has done some good research and knows your clients.  They can then spoof the domain of your client and send you a legit-looking email.   It’s a good idea to keep as much information that can be used this way off the internet (specifically LinkedIn or Facebook).  Keep your information private, especially when it comes to business and partners.
  2. Whaling: Where would you go if you wanted to steal as much money as possible?  Well, to the people who have access to the money, silly!  This is called whaling for obvious reasons: they go for the big fish, maybe your company’s CEO/CFO/CIO/President/VP.  If those people don’t have good training in phishing and network security, your whole business is at risk.   I have personally seen many attempts at whaling and they look something like this:

The CFO gets an email from the CEO asking if the wire to xxx company has gone through yet; they need it done now! The CFO believes they missed the first email, so obviously the CEO is angry because they are late in acting (or so the bad guys would have you believe).   The CFO, recognizing the email as from the CEO (a spoofed sender), acts quickly and wires the money to the account in the previously attached PDF file.

Managing the fraudulent email threat

So how do you protect against this type of threat?  Well, most businesses are using some type of malware protection, spam filtering and anti-virus software.  That is a good first step, and is needed for a solid foundation in email and network security.   However, it doesn’t protect you against the latest trend in malware, which uses zero-day exploits that traditional antivirus can’t detect.  Antivirus is signature-based, and time is needed to create the signatures and get them to your PC.  Spam filtering is typically signature-based as well.  Zero-day exploits are called zero-day because they target a flaw for which the vendor has had zero days to release a fix, so no patch or signature exists yet.    Bad guys are always looking for weaknesses in your protection, and you will always have weaknesses.  The best way to stop spam from infecting your PC or network is to train your employees about the threats of phishing, spam and unsolicited email.

Emailed malware and fraud attempts fail 100% of the time when users don’t click the link, don’t open the attachment and don’t respond to the suspicious request.

100% is a pretty good number, and it can be achieved through non-technical means: training.

Fraudulent Email Security Training

A great way to train employees not to click is to send them simulated phishing messages.  Study some real phishing email examples and try to reproduce them.  Focus especially on those that are the greatest targets.   The focus here is not to humiliate your employees, but to let them know this is a significant problem and you are here to help.  It helps the company, but will also help the employees in their personal digital lives when they leave the office.   There are some great partners in the cloud to help with this, and many offer free trials to check out their services. Here are a few:


Phishme.com:   Excellent resources and education.  Easy to use, and offers a nice Outlook add-in that employees can use to report the email to IT.  (This can be done for free using Microsoft’s junk email reporter, but I digress…look for more details in a future post.)

KnowBe4.com:  Great service that includes Kevin Mitnick Security Awareness Training videos.   The videos seem more ‘real world’ than the others I’ve seen.  They really explain the threat from an end-user perspective, and are very valuable in helping employee awareness.   The simulated phishing is second to none, with many email templates so you can adjust your training based on your company’s threat levels.

Phish5.com:   One thing I can say about Phish5 is that their price is right.  When I looked at them they were very affordable and had many email templates that could be used.  The only issue I had with them was their inability to provide me with customer testimonials; they didn’t follow up when I asked.

Others:   There are many others out there, and more coming all the time.  Post below any that I missed or you have experience with.


From the IT perspective

I’ve found a few home-grown solutions to help the IT department track phishing emails with the help of employees, but I will save that more technical discussion for another post.  The key here for IT is to know your enemy.  Do you know what emails are being sent to your employees today?  Do you know how they currently respond to those emails?  Do they regard clicking on that spam as a serious problem, or are they relying on IT to fix it if something happens?   These are all good questions to ask, and I suggest you gather as much information as you can now; it will come in handy when you develop a training program.

There are several ways bad guys can get personal information; they include traditional hacking, bad passwords, unknown or forgotten ingresses to the network (think wireless or VPN), unscrupulous vendors, and even disgruntled employees.   All can be major security issues for your organization.  Review and know your network, and train employees on the basics like phishing, password complexity and other things you take for granted working in IT.  Remember, network security is becoming everyone’s job, not just IT’s.   Spread the love!