Basic Security Considerations for and Web Browsing

Transcription

1 Basic Security Considerations for and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via in the last quarter of 2015, with notable success. In many cases, these campaigns appear to be specifically target personal mobile devices such as smartphones, which generally have weaker security postures when compared to business-class computing platforms with appropriate endpoint protection software installed. Some specific examples of such attacks are included in this document. While there is certainly a lot of convenience for both businesses and customers in the current bring your own device (BYOD) approach to mobile computing, the inherent lack of standardization and limited commercial offerings for effective smartphone endpoint protection, as well as a limited or non-existent mechanism in their web browsers to allow users to validate the destination of hyperlinks before opening them, are the primary reasons these attacks are successful. The results range from installation of malware, being locked out of social media and/or accounts (which are then mined for personal information, contacts and exploited to propagate further attacks), on up to identity theft, fraudulent credit card charges, and money transfers. User awareness of the risks is key to safely leveraging the convenience of mobile computing, without becoming a victim to these campaigns. This white paper provides guidance on a few simple techniques that can improve your cyber security posture. Background facts you may not know: In HTML (the base language most web pages are written in), the text displayed on a hyperlink does not need to be related in any way to the actual destination of the hyperlink. In other words, a hyperlink might say but actually point to a totally different site, such as Just because your web connection is encrypted with SSL (starts with instead of does not mean you are at the site you intended to connect to, or that it is a legitimate site. It just means the certificate is valid. Valid certificates are easy to obtain, through both legitimate and illegitimate means. Inspecting both the certificate itself, and the full URL of the site you are connecting to, are important steps to ensuring you are at your intended destination. Entire web sites, including those used for activities such as online banking, are easily duplicated, modified, and reposted on the web to create phishing sites. This is no more difficult than copying and editing a word document. The resulting sites will often redirect you back to the original site after stealing your credentials (often with a generic message that you typed your password incorrectly, to explain having to enter it a second time.) 1

2 Malware can be embedded in far more than just executable files these days. Virtually any file type, including images, sound files, videos, office documents, PDF, ZIP files, etc can be embedded with malware. Many conveniences such as autorun (which automatically performs an action such as opening a program when you insert removable media such as a CD-Rom or USB stick) often inherently involve a compromise in security. For example, computers with autorun enabled can be infected with malware by inserting such media for a few seconds and removing it, even if the desktop on the computer is locked. Many such features are enabled by default, and must be disabled on networks via Group Policy to improve the security posture. Increasingly, social engineering attacks that are designed to collect information are conducted with server-side scripting, without downloading any malware to your machine (just legitimate code that has an illegitimate purpose), thus leaving little or no opportunity for endpoint protection software to detect a problem. Once they have the desired information, these attacks may or may not be followed up with the introduction of malware or remote access tools to the machine. Large software vendors such as Microsoft, Apple, and others do not directly contact end-users proactively for support issues with individual systems. If you have been personally contacted by a support desk in regards to a problem we detected with your machine via a popup, online chat or telephone, chances are very high they are scammers. Don t allow remote access to your machine, nor give personal information to such support desks. The same can be said for personnel claiming to be from government agencies such as the Canada Revenue Service, the RCMP, etc. Be very skeptical, and ask for detailed identifying information you can validate yourself through means other than the internet. Web pages can be rendered to very closely replicate the appearance and functionality of windows from other applications or even the operating system itself, making it difficult to know that what you are looking at is in fact a web page (unless you have popup blocking enabled). The sending address displayed in an is easily spoofed (can be programmatically-set to whatever the sender wants), it is not necessarily the actual sender. The true origin of an can only be ascertained through examination of the mail header and/or the logs on the receiving server. So how can you use your computing devices and stay safe from these risks? Start with an awareness of the fact that there is a balance to be struck between security and convenience. Do you really need to make that e-transfer right now from your phone, or can you wait until you can do it more safely from your computer? Just because your buddy knows a little bit more about computers than you do and likes a third-party web browser or to download drivers off the internet, do you really need to let him/her do that on your machine without doing your own research? 2

3 Consideration of the following tips will reduce your exposure to a variety of security risks, and can improve your confidence in your online activities: Use the browser that came with your operating system (Internet Explorer or Safari), and apply updates to them as they become available. These are maintained by your operating system vendor through the native O/S update process, and have a larger market share than third-party browsers, which usually results in a shorter window between discovery of vulnerabilities and the vendor patching them. Unnecessary third-party software often introduces additional vulnerabilities and complicates support. Disable (block) popups in your web browser: Internet Explorer: Safari: Avoid opening hyperlinks (web shortcuts) received via on your smartphone if you think you have received a legitimate with links that you need to act on, forward it to an address that you can open on your computer, and validate that the destination of the hyperlinks is legitimate. Here are two example of a spear phishing s received on an iphone, and the same message as it appears in outlook. Note that: o Often the first clues that these are spear phishing s is immediatelynoticeable on the larger screen of a computer o The real destination of the hyperlinks can be seen by hovering the mouse cursor over the hyperlink on your computer: 3

4 4

5 Some spear phishing s may be more difficult to detect even on a desktop computer; be wary of attachments. With the prevalence of HTML use as the native format within many messages, it becomes easy to forget that this is language is well-suited to directing a recipient to nefarious content, such as a spoofed Tangerine online banking site (attached to the ): 5

6 Stationary Phishing is also done to capture traffic to sites by taking advantage of common typing errors users make when entering URLs (web site addresses) into their browser, utilizing spoofed login screens from the actual site. We encourage our customers to carefully create bookmarks or internet shortcuts to their commonly-used websites, and utilize only those bookmarks to reduce this risk. This can be done on all computing platforms, including ipads and smartphones. Packets are easily captured from public wifi access points; minimize use of such access points for sensitive information such as , financial transactions, or logins to unencrypted sites (sites beginning with HTTP are unencrypted; HTTPS sites are encrypted.) While Bluetooth is convenient for linking external keyboards and similar accessories for smartphones, the security mechanisms in this technology are extremely weak; use of Bluetooth for input devices, or headsets if the conversations are sensitive, is strongly-discouraged. Hardwired accessories are recommended. Cross-site scripting attacks are increasingly-common, where multiple sites are opened in the same browser window or within the same browsing session. When conducting sensitive transactions or logins online, be sure to utilize InPrivate browsing for that specific purpose, and completely close the browser when finished. If InPrivate browsing is unavailable, be sure to clear your browsing history (including cookies) before closing your browser. Install and maintain mainstream anti-virus / endpoint security and firewall software on every device that supports it. We recommend Symantec Endpoint Protection. Be very skeptical of free software that purports to do this, at best you get what you pay for, and at worst, it isn t at all uncommon for malware and back-door remote access tools to be packaged as security solutions or other freeware. Be very wary of using free hardware and media, such as jump drives or external hard drives that are either found or provided by third parties. This has been used in high-profile cyber-attacks as a delivery mechanism for malware and spyware. Do not conduct business on personal devices, or personal activities such as social networking on business devices. For personal business, such as online banking, only do this on private (and encrypted) wifi networks, using only apps provided from the institution you are dealing with (not a browser). Ensure those apps utilize HTTPS encryption (SSL), and employ a multi-tiered authentication system (such as a password combined with a PIN or answering some questions only you would know). 6

7 Don t use the same password for everything; use separate passwords for each social networking site, as well as any other systems such as corporate sign-ins or online banking. This is critical to ensuring that if one is compromised, the scope is limited to that platform. Change these passwords periodically. If you must write them down, keep these in very secure locations. If you ever share a password with anyone, be sure to change it at the earliest opportunity. If you purchase online, devote a single credit card to online purchases, and monitor the account activity carefully. Be sure to do your homework on the vendor, including searching for customer reviews and online security reports, before purchasing from them. This should include reading their relevant privacy policies. Be wary of vendors that keep your credit card information on file for future purchases (many large vendors do this), to avoid being one of thousands of victims when their systems get compromised. Avoid using your debit card for online purchases; most banks do not afford debit card users the same protections as they do to credit card users for detecting and mitigating fraudulent use, limitations of liability, etc. Your bank account could be drained long before you get a statement. NEVER use your business address in social networking or online dating! Consider setting up a dedicated address for these purposes, one that isn t used for any actual business or financial purposes, as this address is likely to become a destination for spear phishing and malware delivery. When using HTTPS (SSL) connections to conduct business online, only allow your browser to display secure content (say no if prompted as to whether or not the website can display insecure content). On legitimate sites, insecure content will be limited to ad banners and other items that are not relevant or essential to the business being conducted. Displaying insecure content on the same page can make your session vulnerable to cross-site scripting or memory-related vulnerabilities. When using HTTPS (SSL) connections to conduct business online, be sure to always inspect the certificate, especially if any errors are reported with it. To do so, click on the padlock icon to the right of the URL (address bar), as shown on the following page. Ensure that the certificate is issued by a certificate authority you trust (be wary of CA s in China, Russia and other eastern block nations, from which a considerable amount of nefarious online activity is conducted), and that the certificate is issued to the site and company you intended to visit. Be skeptical of certificates issued to sites not affiliated with the business you are connected to, certificates using small keys (less than 1024 bits), certificates issued for purposes other than authenticating websites, and certificates with expiration dates longer than 3 years. 7

8 Checking SSL Certificates in Internet Explorer: 8

9 9

10 Checking SSL Certificates in Safari 10

11 11

12 Additional Resources Government of Canada Cyber Safety for Small Businesses Canadian Anti-Fraud Centre US Computer Emergency Response Team Cyber Security Tips This document is provided for information purposes only. External links are maintained by third parties, the author assumes no responsibility for their content. Screenshots of Northern Savings Credit Union website used with permission; images 2015 Northern Savings Credit Union. All rights reserved. 12