Between you, me and that dodgy-looking USB: A little bit of paranoia never hurt anyone

Arriving at a recent conference organised by one of the government's many regulatory bodies, I received my obligatory lanyard – and something else, credit-card-shaped, emblazoned with the branding for the event. "What's this?" I asked. "Oh, that's a USB key." I presume the conference organisers mistook my wild-eyed stare of …


  1. Real Ale is Best

    It'll only get worse

    Once USB-C (3.1) sticks become more common, security threats will only increase.

    As you can route PCI over USB-C, goodness knows the sorts of attacks that could then be carried out.

    1. IceC0ld

      Re: It'll only get worse

      one more, and I'll stop - PROMISE :o)

      TITSUP

      This Is The Safe USB Present .................................

    2. DuncanLarge Silver badge

      Re: It'll only get worse

      "As you can route PCI over USB-C"

      Oh f*ck

  2. Doctor Syntax Silver badge

    You're dealing with marketroids & PR.

    These are the folk who will keep sending out emails which exactly emulate phishing emails to customers and would-be customers. Emails, even, warning their customers of the dangers of phishing. They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.

    Given half a chance they'll hoard customer details contrary to GDPR until they earn their employers multi-million quid fines.

    They'll make every effort to force ads onto people who make abundantly clear by using ad blockers that ads are unwelcome and hence hugely counter-productive.

    They lobbied Bambi's govt to make exceptions for existing customers to let them bypass TPS and make those calls, despite the fact that use of TPS should send the same message as ad-blockers.

    They're the biggest single risk to their employers in terms of pissing off potential and existing customers and in attracting GDPR fines.

    You're never going to talk sense into them.

    1. oiseau
      Stop

      Hello:

      > You're dealing with marketroids & PR.

      Indeed ...

      But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...

      I'm sure you get the idea.

      To all these shitheads it's all about the money (moolah, dough, wonga, bread, etc.) and only about the money, and up to a point it makes sense: if they do not get the results expected from them, they are out of a job.

      None of these minions serving the upper echelons give a monkey's toss about what their actions mean or their consequences.

      So they just do as they are told, instead of putting spokes in the wheel, like I was once told I should and was then promptly sacked.

      Business ethics? Corporate responsibility and accountability?

      Yes, they've surely heard of all that at some time or another but these have long ago become abstract values.

      Cheers,

      O.

      1. Loyal Commenter Silver badge

        > But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...

        ...more often than not come from a background in marketing and PR.

        There's your problem, right there, and it's cultural, not technical or political in nature.

    2. Anonymous Coward

      > You're dealing with marketroids & PR.

      I've spoken to them about this - they are NOT going to give away USB sticks at the next conference, instead they will email everyone the information ... I believe it will be called README.XLS

      Happy Now?

      You really think anything will change?

      1. Snowy Silver badge
        Facepalm

        No the information should be in the email, an attachment is also a no-no!

      2. John Smith 19 Gold badge
        Unhappy

        Easier when such items were passive things that needed the intelligence in a reader

        i.e. a DVD or badge with an optical code.

        As Edward Snowden should have taught everyone you can pack a lot of hardware in a USB stick.

        Should be just some storage.

        Could be.......

    3. Anonymous Coward

      Meanwhile, at our $BIGCORP...

      1. E-mail received warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.

      2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

      You couldn't make it up, etc...

      1. imanidiot Silver badge

        @AC

        Promptly and "in good faith" report the email as attempted phishing to your corporate GDPR/data security officer. Have your coworkers do the same. Someone will get a/the message when the poor guy goes ballistic.

        1. Gene Cash Silver badge

          Re: @AC

          > report the email as attempted phishing

          Yup. This. I see stupid stuff happen all the time, and people just facepalm without telling anyone that can do anything about it.

          The amount of "WAIT. WHAT?!" faces and "well that stops now!" I've gotten when I've asked "do you know about [stupid thing]?"

        2. stevebp

          Re: @AC

          There was a saying in a bank I once worked in that, "if you want to get the monkey off your back, call in Audit or Infosec". Unsurprisingly, it works very effectively.

      2. Captain Scarlet
        Coat

        Delete the email and when asked why you didn't fill in the "anonymous" survey forward them to the first point and arrange retraining for them.

      3. Antron Argaiv Silver badge
        Facepalm

        My company was recently acquired.

        I was given a new email address and a new web-based email account <my_name>@BIGCORP.COM

        The *very first* email in my new inbox was titled "Mandatory Security Training!" and came with a link, which I stupidly clicked and entered my newly provided credentials, only to be informed that this had been a phishing email from their "IT security team" and that I had failed.

        So, like a good boy, I went to change my password.

        "Password cannot be changed because you have had this one for less than 7 days"

        1. Anonymous Coward

          click on the "I forgot my password" link instead?

        2. billdehaan

          Had a new co-worker with something similar. When he clicked the "Mandatory Training" email, he was reprimanded for clicking on a spammy link. A spammy internal link, but still, he should have forwarded it to the internal security "check link for validity" service, which no one was using.

          It turned out he actually had. Being a new employee, he'd followed the policy verbatim.

          It turned out that the suspicious link account that you were supposed to forward links to had its spam filter cranked up to maximum sensitivity. In other words, the suspicious link checker account blocked all incoming links that were suspicious from being seen by the team that was supposed to check them. Which of course explained why "no one used it". People in fact had been using it for months, but all their emails had been deleted before being read.

          Management then asked why no one noticed or commented on the fact that IT had not responded to their submissions. "We're so used to being ignored that it didn't seem worth mentioning" was the answer, much to the shock of executives.

      4. Version 1.0 Silver badge
        Unhappy

        $HOSPITALS often outsource their purchasing and payment systems these days, I just rip my hair out when they email us PAYMENT.HTML and PO#76293.HTML documents ... if you deal with China then you're used to getting New_Order.XLS files too, and of course when my customers need to send a picture of something it's always PICTURE.DOC ... these are real, not fake - they come in every week.

      5. MacroRodent
        Facepalm

        re surveys

        > 2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

        Wonder if you work in the same $BIGCORP as me. Happens here all the time...

      6. Anonymous Coward

        > 1. E-mail received warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.

        > 2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

        You must be at IBM...

      7. Anonymous Coward

        pay no attention to the hack behind the link...

        At $WORK we get the corporate (IT "InfoSec") -sponsored phishing attempts too, with dire warnings of how many employees still fall prey, and then inevitably followed by even more security theatre measures which do more harm than good.

        Status quo, right? Everybody has this now, and "InfoSec" departments push their agenda with scare tactics and bogeymen more than ever.

        And yet, they don't seem to be able to manage the obvious common sense things. E.g. $WORK uses a common SaaS IT ticket tracking system -- you've heard of them, they're awful. But the real point is that they're awful outside of $COMPANY's borders and control, meaning that any corporate intellectual property in an IT ticket is on the internet.

        Same with some of the doc/publishing suites (Engineering product plans in o365 Sharepoint, anyone?) and even source code in some cases.

        So yes, don't click those scary phishing email links from "InfoSec", but do share the company jewels with the cloud.

      8. billdehaan
        WTF?

        And in the same email, too

        Several years ago, our IT send out one of their OMG world-is-ending ALL CAPS blanket emails to the company.

        To summarize, it said:

        "A new malware attack is being spread through malformed URLs in email links. Our firewall is currently not configured to protect against these types of attacks, and we are currently waiting for a fix from the vendor. In the meantime, employees are not, under any circumstances whatsoever, to click on any external links. Disciplinary action will be taken against those who fail to comply with this mandate.

        You are required to confirm that you have read, and understood this new mandate. You must sign the electronic form at www.externalcorp.com/signatures.asp no later than Friday. Failure to comply will result in disciplinary action, including termination".

        Yes, employees were required to click an external link in order to promise not to click on internal links. With both actions being grounds for dismissal.

      9. HWwiz

        We employ an external company to actually email our employees with HoneyTrap emails.

        IF they click on links in that email, then they have to go on a security awareness course.

    4. Terry 6 Silver badge
      FAIL

      God yes. Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account. In effect training the public to open an unsafe link and type in their security details. Why's there no hands up in despair icon?

      1. Doctor Syntax Silver badge

        "Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account."

        Me for some time now. I reported a number of these to their phishing report helpline. I eventually emailed that or some similar address that, in the continued absence of any reply, I'd discontinue the email address set up specifically for said bank. No reply, so I gave them the chop. They don't seem to have noticed their emails bouncing.

      2. Anonymous Coward

        > Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account.

        I haven't seen such from Kiwibank. Westpac - some of their emails have been known to be virtually indistinguishable from known phishing attacks.

        And one bank in NZ displays 3rd party advertising (or used to), AFTER your log-in. I won't say which bank that is, but they're a bank in New Zealand. A couple of characters should be able to figure that out...

    5. Anonymous Coward

      Ugh don't remind me. It isn't just PR and marketroid people.

      Once upon a time, at a big corporate firm I worked at, we had the "report this email as phishing" button, which we were to use if a suspicious email shows up.

      Anyway, one day, I started getting emails from the "IT Security department", asking me to click on a link with their updated security policy on it.

      Thing is:

      - The email headers did not match the domain in the "to" field, nor did it match the name of the sender.

      - The email headers showed not the company domain, but some generic sounding one I had never heard of, and the company search engine did not return any results for the domain

      - The email was generically written, not even my name in it

      - The URL that I was to click on was on yet another third party domain, which was a complete unintelligible alphabet soup of a domain, with long strings of what looked like random characters, ending in ".doc"

      Knowing about doc macros, exploits, etc., there was no way I was going to click on the link while on the corporate Windows box, and the entire thing smelled like a phishing email (and who better to impersonate than the IT security staff? A lot of people would listen to them just because they are the "IT security" people).

      So I promptly clicked the "report phishing" email, and was on my way. I did this repeatedly over the course of two weeks, until my manager called me into his office.

      Apparently the head of the IT security team was livid with rage because their important IT security policy was being flagged as a phishing email (apparently if someone flags an email as "phishing", all the other people get a "this might be a phishing email" header on the email, so they don't click on it, because it can be grounds for termination if you knowingly infect the company).

      Apparently the random letters are a tracking ID for my account, so they know that (a) I am the one reporting the email, and (b) I haven't read the document yet.

      All my points about how it looks like a phishing email were accepted by my manager, then immediately overruled.

      I was told that the email is safe, and that I should stop reporting it as phishing, and more to the point that I should click on the link to view the policy.

      So I did what I was told, and the first page of the IT policy was about the risks of phishing emails, and what to look out for (which was almost the exact same criteria I reported the email for), without a hint of blasted irony from the "IT security" team.

      So now, I have to assume that no matter how dodgy an email (or its attachments) looks, I have to trust it if it says "IT security team" on it. Talk about blowing a gaping hole in a company's security policy. Seeing as all future emails I have since received from the security team still look like a phishing email, I can see my complaints fell on deaf ears, and there were no repercussions for them.

      My point is, we have a long long way to go before "best practices" can be considered in security. Companies still don't get it, if even their security teams are not able to make an email seem legitimate. Instead you get in trouble for "showing up" the security team.

      I feel that they are only doing this "IT policy" and phishing email training to "tick a box" on their cybersecurity checklist. They don't actually care about security or preventing phishing. It is a "cover your ass" ploy from legal, nothing more.

      As long as attitude like that is prevalent in companies, nothing will get better, and it may well get worse. You can't expect the PR and marketroids to be any better when the culture they work in encourages such behavior.

      1. Doctor Syntax Silver badge

        "So I did what I was told"

        It depends on what you were told. If I was told to report emails with phishing characteristics I'd have continued to do it. What's more, back in the day, they'd have known I'd have continued to do just that.

      2. hmv

        "listen to them just because they are the "IT security" people"

        ROFL

    6. Anonymous Coward

      > They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.

      You should NEVER, under any circumstances, kill a marketing or PR droid and then take their keyboards from them.

      It is far better, and far FAR more enjoyable, to take their keyboards from them while they're living and then apply said keyboard in an appropriate manner until both cease to function! (unless it's a really good keyboard, in which case find something else for said application).

  3. Semtex451
    Holmes

    Was this article crafted to be sent to our 'superiors'?

    Only I'm not sure it was intended for your typical El Reg reader

  4. Spanners Silver badge
    Holmes

    Did you accept the USB?

    Perhaps it was a test, a bit like the fake phishing emails.

    1. A.P. Veening Silver badge

      Re: Did you accept the USB?

      Accepting the USB isn't a problem, plugging it in your computer is. Unfortunately, USB sticks are just a bit light to properly work as paper weight.

      1. Adrian 4

        Re: Did you accept the USB?

        Would make for a nice point in a talk about security: get answers to the following questions and then comment on the results:

        1. Did you accept a free USB stick at the entrance?

        2. Are you going to put it in your device?

        3. Are you going to give it to another employee, or to a family member?

        4. Did you accept a free coffee?

        5. Did you accept a free brownie (cake, not human)?

        6. Did you pick up a brownie you saw on the floor and eat it?

        7. Did you accept and read the glossy literature?

        8. Did you accept the cute air freshener to hang in your car?

        9. Did you accept the promotional item modelled on a presidential seal?

        We're accustomed to dealing with most of these threat models. Mostly without errors, but occasionally we screw up.

        1. Martin Gregorie

          Re: Did you accept the USB?

          Acceptable answers to:

          1. Did you accept a free USB stick at the entrance?

          2. Are you going to put it in your device?

          are

          (a) No

          (b) Yes, and I'm going to reformat it before I mount it or give it to anybody.

          Anything else shows insufficient paranoia. But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.

          1. FrogsAndChips Silver badge

            Re: Did you accept the USB?

            Reformatting won't protect you against malware at the firmware or chip level.

            1. the_rob

              Re: Did you accept the USB?

              > Reformatting won't protect you against malware at the firmware or chip level

              I'm just going to jump in with a shameless plug for a pet project of mine - an open-source USB hardware firewall.

              https://github.com/robertfisk/USG/wiki

              It allows only known-good USB commands to pass, thus blocking BadUSB type attacks. (The filesystem may still be infected but a reformat will take care of that.) It is designed exactly for the scenario of someone handing you an untrusted USB stick and expecting you to plug it into your system.

              The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.

              1. Anonymous Coward

                Re: Did you accept the USB?

                > The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.

                The project looks great, and as someone who has had to work with untrusted USBs many times (cheap (thus disposable) laptop running Linux, later a Pi-like device), the device project looks great and has replaced one of my presents-to-self for early next year :)

                One question... Would your device manage and shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?

                1. the_rob

                  Re: Did you accept the USB?

                  > Would your device manage and shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?

                  The firewall will provide some protection against USB killers, simply because the voltage spike has to pass through 2 ESD clamps and 2 microprocessors before reaching your computer. So the firewall will be destroyed, but your computer may be saved.

            2. Doctor Syntax Silver badge

              Re: Did you accept the USB?

              "Reformatting won't protect you against malware at the firmware or chip level."

              Especially when you can't reformat it because you didn't accept it.

            3. Anonymous Coward

              Re: Did you accept the USB?

              Formatting won't protect you from the USBKiller. Perfect security device, though, permanently disables the port. https://arstechnica.com/gadgets/2016/12/usb-killer-fries-devices/

          2. Loyal Commenter Silver badge

            Re: Did you accept the USB?

            > But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.

            That's little use if it presents itself to the USB bus as something other than a file system, for example as an input device.

            1. LateAgain

              Re: Did you accept the USB?

              Better yet a network device, with drivers you know are in Windows. Become the default route and do what you want.

        2. Real Ale is Best

          Re: Did you accept the USB?

          Have a look at this hack.

          Even QR codes are dangerous.

          1. Mage Silver badge
            Alert

            Re: Even QR codes are dangerous.

            Ages ago I was tempted to put replacement QR codes at all the labels in Tesco veggie section. I noticed recently they are gone.

            You mean especially QR codes are dangerous?

            I managed to find an app that reads them (and other barcodes) and only decodes & displays, with an option to save it or create a Firefox tab. Most phones seem to open the browser directly.

            I despise people using obfuscated short codes (invented for Twitter and no longer needed there?). 1: The short code provider knows your IP, the time, your browser, OS and previous web site. 2: You have no idea what it will load.

        3. Version 1.0 Silver badge
          Joke

          Re: Did you accept the USB?

          > 5. Did you accept a free brownie (cake, not human)?

          My answer, "Yes, I ate a Brownie"

      2. Anonymous Coward

        Re: Did you accept the USB?

        Go and test it at your local library.

      3. Sureo

        Re: Did you accept the USB?

        "plugging it in your computer is"

        Find someone else's computer to plug it in to, preferably one of theirs.

    2. Anonymous Coward

      Re: Did you accept the USB?

      Why not? Use it as a training exercise for a forensic examination...

  5. Duncan Macdonald

    A paranoid mount option ?

    What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device. If the device presents as having storage then a full virus scan would be executed on the storage and the results displayed. The files (if any) on the device would not be accessible until after the virus scan and the user acceptance of the scan result.

    To allow for the possibility of a USB bricker device, all data and power lines should be protected by zener diodes (clamp data to +5.5v/-0.6v and power to +(maximum charging voltage +1 volt)/-0.6v)
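An added illustration of the whitelist idea in the USB-firewall post and the "paranoid mount option" post above (not code from this thread or from the USG project): a small Python policy check that reports what a freshly plugged device claims to be and clears only a plain storage stick for scan-then-mount. It assumes the device's interface class, subclass and protocol values are available (on Linux these are the bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol sysfs attributes), it works at descriptor level rather than filtering individual USB commands as the USG does, and the sample devices are constructed.

```python
"""Descriptor-level whitelist for untrusted USB devices (added example).

Input is a constructed list of interface descriptors per device, shaped like
the bInterfaceClass / bInterfaceSubClass / bInterfaceProtocol values Linux
exposes under /sys/bus/usb/devices; nothing here touches real hardware.
The check must be re-run on every enumeration: a BadUSB device can
re-enumerate later with a different face than the one it showed first.
"""
from dataclasses import dataclass, field

# USB-IF interface class codes.
CDC_COMM = 0x02       # communications: USB Ethernet / serial control interface
HID = 0x03            # keyboard, mouse
MASS_STORAGE = 0x08
HUB = 0x09
CDC_DATA = 0x0A       # data half of a CDC network/serial device
WIRELESS = 0xE0       # wireless controller (e.g. RNDIS-style network devices)

# The only mass-storage flavour the policy will mount: SCSI transparent
# command set over Bulk-Only Transport, i.e. an ordinary stick.
MSC_SCSI, MSC_BOT = 0x06, 0x50

NAMES = {CDC_COMM: "network/serial (CDC)", HID: "human-input device",
         MASS_STORAGE: "mass storage", HUB: "hub", CDC_DATA: "CDC data",
         WIRELESS: "wireless controller"}


@dataclass
class Interface:
    cls: int
    subcls: int = 0
    proto: int = 0


@dataclass
class Device:
    name: str
    interfaces: list


@dataclass
class Verdict:
    action: str                      # "scan_then_mount" or "block"
    reasons: list = field(default_factory=list)


def describe(iface):
    return NAMES.get(iface.cls, f"class 0x{iface.cls:02x}")


def is_plain_storage(iface):
    return iface.cls == MASS_STORAGE and (iface.subcls, iface.proto) == (MSC_SCSI, MSC_BOT)


def evaluate(dev):
    """Report what the device claims, then allow only 'storage and nothing else'."""
    v = Verdict("block")
    v.reasons.append(f"{dev.name} claims: " + (", ".join(describe(i) for i in dev.interfaces) or "nothing"))
    for i in dev.interfaces:
        if i.cls == HID:
            v.reasons.append("presents a keyboard/mouse: keystroke injection (BadUSB) risk")
        elif i.cls in (CDC_COMM, CDC_DATA, WIRELESS):
            v.reasons.append("presents a network interface: could become the default route")
        elif i.cls == MASS_STORAGE and not is_plain_storage(i):
            v.reasons.append(f"unusual storage transport subclass {i.subcls:#x} protocol {i.proto:#x}")
        elif i.cls != MASS_STORAGE:
            v.reasons.append(f"unexpected interface: {describe(i)}")
    if dev.interfaces and all(is_plain_storage(i) for i in dev.interfaces):
        v.action = "scan_then_mount"
        v.reasons.append("storage only: scan it, then mount read-only once the user accepts the result")
    return v


# Constructed sample devices (not real captures).
PLAIN_STICK = Device("conference stick", [Interface(MASS_STORAGE, MSC_SCSI, MSC_BOT)])
TYPING_STICK = Device("stick that also types", [Interface(MASS_STORAGE, MSC_SCSI, MSC_BOT), Interface(HID, 1, 1)])
NIC_STICK = Device("stick that is a NIC", [Interface(CDC_COMM, 0x06), Interface(CDC_DATA)])

if __name__ == "__main__":
    for dev in (PLAIN_STICK, TYPING_STICK, NIC_STICK):
        verdict = evaluate(dev)
        print(verdict.action.upper(), "-", "; ".join(verdict.reasons))
```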
