#146: Forensic Inspections and a Digital Sign-off
And a chat about computer forensics with Bill Oettinger!
Here's another issue of the free edition of the _secpro! Thanks for checking out our work for another week - we hope you find something useful in it! If you like it, please consider supporting our team and...
When you do, you can access podcasts, templates, events, discounts, and a variety of other benefits. Thanks from the _secpro team! On with the show!
Hello!
Welcome to another _secpro! We're branching out to our fellow cybersecurity experts to bring you the best news the internet has to offer!
Original Content from _secpro
An interview on "Learn Computer Forensics" with Bill Oettinger
Quantum Computing and Cybersecurity: A New Era Begins with IEEE P1947
This week's news:
Krebs on Security - Why CISA is Warning CISOs About a Breach at Sisense
Krebs on Security - Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers
Bruce Schneier - US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack
This week's tools:
Cheers!
Austin Miller
Editor-in-Chief
Austin talks to...
A new feature! I've been chatting with various people from the cybersecurity community and wondering how they go about their day-to-day. Leading on from last week's template for digital signatures policies (make sure to check out Substack if you haven't already!), I spoke to Paul and Roland about the importance of effective signature policies. And, if you would like to be featured here in the future, get in touch with us on our _secpro Slack channel!
So, what precisely is the point of keeping a digital signatures policy?
In my opinion, having a policy where all “internal” emails are digitally signed by default, i.e., where all emails sent by the associates of company A to other associates of company A are digitally signed, significantly improves the organisation’s security posture with respect to phishing attacks. Phishing attacks (like other social engineering techniques) are arguably one of the most dangerous attack vectors in practice. [Editor: as Cloudflare noted in their 2023 report, there were over 13,000,000,000 phishing attacks last year - so we agree completely!]
- Paul
And would you say it is effective?
It works from a psychological perspective because it allows the organization to train its associates to follow a very simple policy: only trust emails that are signed and never trust emails that are unsigned. Simplicity is key if we want people to behave in a secure manner because we are humans, not machines; anything that puts a burden on us will eventually be ignored or circumvented.
As a sad example, sticky notes with passwords when you have complicated password policies (e.g., at least 12 characters including caps, numbers and special characters + password needs to be changed every 6 months) have become part of the cybersecurity folklore. The same goes for emails: a white-collar employee easily receives somewhere between 30 and 60 emails per day. No one has the time to look into the email headers, etc., to verify whether it is trustworthy or not. As a result, if the email looks legitimate, i.e., as if it comes from another associate of company A, people will tend to, e.g., click on the link in the email.
- Paul
A policy where all internal mails have to be signed and only signed mails are to be trusted would be the most useful, as mails having an internal sender address carry the greatest inherent trust. Phishing emails spoofing an internal sender are therefore the most dangerous for an organization. [Editor: as noted by Paul above, this obviously isn't sufficient alone - cutting off "the most dangerous" threat isn't cutting off all dangerous threats!]
- Roland
What's the easiest way to implement robust digital signatures?
In order to implement this policy in the easiest and most user-friendly way, my suggestion is that at least larger organizations should run their own Certification Authorities, and that certificates should be issued to new employees in the course of the onboarding process.
- Roland
Would you say that they actually work?
Outside of people working in sales, purchase and external communications (which is a tiny fraction of all associates in a company), most associates communicate internally 99% of the time. Just think of e.g., engineering departments, accountants, controlling departments, manufacturing facilities, etc. All these people basically have nothing to do with the world outside of the company. So, receiving an email from someone external to the company is kind of an anomaly for them.
Clearly, because the sender has to have valid credentials, i.e., a public-private key pair, for which they have a valid certificate generated by the company’s trust center, outside parties cannot forge the signature - if someone goes all the way to compromise the trust center in order to steal their root signing keys then the company faces much more severe consequences than a phishing email, but we’ll ignore this scenario in our discussion [Editor: whilst definitely committing to comment on it at length in the near future]. That, in turn, means that an employee would receive 99% digitally signed emails and then the few unsigned emails immediately draw attention.
- Paul
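To make the "trust signed, never trust unsigned" rule concrete, here is an added example (not the newsletter's or the interviewees' code) of a mail-gateway check that applies the policy to incoming messages: it parses the real From address rather than the display name, detects whether the message carries an S/MIME or OpenPGP/MIME signature layout, and quarantines unsigned mail that claims an internal sender. The company domain `example.com` is a placeholder, and the cryptographic verification of the signature against the company CA is assumed to be done elsewhere by the client or gateway.

```python
# Added example (not the newsletter's or the interviewees' code): a gateway rule
# for "internal mail must be signed; unsigned internal mail is an anomaly".
# Only the signed-message *structure* is checked (S/MIME, RFC 8551; OpenPGP/MIME,
# RFC 3156); verifying the signature against the company CA is assumed to be
# done by the mail client or gateway and is not shown.
from email import message_from_bytes, policy

INTERNAL_DOMAINS = {"example.com"}  # assumed company domain (placeholder)

def from_domains(msg):
    """Domains of the parsed From addresses (never the display name)."""
    hdr = msg["from"]
    return {a.domain.lower() for a in hdr.addresses} if hdr else set()

def is_structurally_signed(msg):
    """True if the message uses a signed MIME layout (detached or opaque)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return msg.get_param("protocol", "") in ("application/pkcs7-signature",
                "application/x-pkcs7-signature", "application/pgp-signature")
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type", "") == "signed-data"
    return False

def classify(raw):
    """'trust' = signed internal, 'quarantine' = unsigned internal, else 'external'."""
    msg = message_from_bytes(raw, policy=policy.default)
    doms = from_domains(msg)
    if doms and doms <= INTERNAL_DOMAINS:
        return "trust" if is_structurally_signed(msg) else "quarantine"
    return "external"  # outside this policy; the usual external-mail controls apply

# Constructed samples; the signature blob is a dummy, only the layout matters here.
SIGNED_INTERNAL = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\n'
    b"Quarterly numbers attached.\r\n--b1\r\nContent-Type: application/pkcs7-signature;"
    b" name=smime.p7s\r\nContent-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")
UNSIGNED_INTERNAL = (b"From: ceo@example.com\r\nTo: bob@example.com\r\n"
    b"Content-Type: text/plain\r\n\r\nPlease pay this invoice today.\r\n")
DISPLAY_NAME_SPOOF = (b'From: "ceo@example.com" <mailer@evil.example>\r\n'
    b"To: bob@example.com\r\nContent-Type: text/plain\r\n\r\nClick here.\r\n")

if __name__ == "__main__":
    for raw in (SIGNED_INTERNAL, UNSIGNED_INTERNAL, DISPLAY_NAME_SPOOF):
        print(classify(raw))
```

The display-name sample shows why the rule must key on the parsed address: a mail whose display name reads like an internal address but whose real sender is external falls outside the internal-trust path entirely.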
A big thanks to Paul and Roland for getting in touch with us to share their ideas. Hopefully the rest of our readership will enjoy the expert insight from the front line and be able to make changes based on these testimonies. If you would like to share your thoughts or offer your own comments to be included here, head on over to our Slack channel and drop me or Pavan a line!
Original Content from _secpro
This week's podcast
This week, we're talking with Bill Oettinger about computer forensics and his life in law enforcement.
Miss last week's article by Dr. Keeper Sharkey? Get up to scratch here: Quantum Computing and Cybersecurity: A New Era Begins with IEEE P1947
Time for some news!
Krebs on Security - Why CISA is Warning CISOs About a Breach at Sisense: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
Krebs on Security - Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers: On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
Bruce Schneier - Backdoor in XZ Utils That Almost Happened: Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it.
Bruce Schneier - US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack: The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials. "The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."
Bruce Schneier - Security Vulnerability of HTML Emails: "The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you."
This week's tools
Another survey of some popular tools that the _secpro team has been playing with this week. Make sure to tell us all about what you think of them on the _secpro Slack channel!
katepratik/BankMalwareRemover - A useful tool for taking down over 200 types of banking malware, giving you a solid platform to bolster your security posture. Find more details here.
Zimperium/Iranian-banking-malware - A collection of IoCs for well-known banking malware linked to Iranian threat actors.
shreyashdhore/Zeus-Banking-Trojan-Malware-Analysis - A step-by-step breakdown of the Zeus malware and commentary.
ClarkFieseln/IPRadar2 - “Real-time detection and defense against malicious network activity and policy violations (exploits, port-scanners, advertising, telemetry, state surveillance, etc.)”
ClarkFieseln/IPRadar2ForLinux - Same as the above, for Linux users.
ptrandev/adblockah - “A collection of scripts that use /etc/hosts to block advertising-related, tracking, and malicious domains.”
mchara01/mobile_malicious_advertising - “Explore what a malicious advertising network can do to exploit the current model and learn as much as possible for a device user.”