Monthly Archives: November 2018

Email impersonation attacks: a clear & present danger

Larry Ponemon

Most companies admit that it is likely they experienced a data breach or cyberattack because of such email-based threats as phishing, spoofing or impersonation, and they are concerned about the ongoing risk of such threats. However, as shown in this research, there is a disconnect between the perceived danger of email-based threats and the resources companies are allocating to reduce these risks.

Sponsored by Valimail, Email Impersonation Attacks: A Clear & Present Danger was conducted by Ponemon Institute to understand the challenges organizations face in protecting end-users from email threats, such as impersonation attacks. Ponemon Institute surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats.

The risks that are causing IT security practitioners to lose sleep are phishing emails directed at employees, executives, customers and partners; and email as a vector for cyberattacks. When asked what measures or technologies will be deployed in the next 12 months to prevent impersonation attacks, more companies say they will be using secure email gateway technology, DMARC, DKIM and anti-phishing training for employees. In fact, more companies will be using automated solutions to improve email trust.

We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively. Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users.

The following findings illustrate the disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study. 

  • Eighty percent of respondents are very concerned about the state of their companies’ ability to reduce email-based threats, but only 29 percent of respondents are taking significant steps to prevent phishing attacks and email impersonation. 
  • Only 27 percent of respondents say they are very confident that their organization knows all of the vendors and services that are sending email using the organization’s domain name in the “From” field of the message. 
  • Companies have complex email environments. On average, companies in this research have more than 1,000 employees, six servers and 15 cloud-based services that send email on their behalf. However, only 41 percent of respondents say their organizations have created a security infrastructure or plan for email security. 
  • Despite the ineffectiveness of anti-spam and anti-phishing filters, they have been the primary solution for preventing email-based cyberattacks and impersonation. Sixty-nine percent of respondents say their organizations use anti-spam or anti-phishing filters and 63 percent of respondents say they use these technologies to prevent impersonation attacks.
  • Companies are not spending enough to prevent email-based cyberattacks and fraud. While there is a sense of urgency among respondents to address the numerous threats against their email systems, only 39 percent of respondents say their organizations are spending enough to protect email from cyberattacks and fraud.

Because the risks discussed above are not being addressed, most companies believe they had a material data breach or cyberattack during the past 12 months that involved email. Seventy-nine percent of respondents say their organizations certainly or likely experienced a serious data breach or cyberattack during the past 12 months such as phishing or business email compromise. More than 53 percent of respondents say it is very difficult to stop such attacks.

“With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail. “While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks.”

To read the full study, click here and visit Valimail’s site. 

The life-cycle of a vote, and all the ways it can be hacked

Bob Sullivan

We know every vote counts, but will your vote actually be counted? Or will it be hacked? I’ve spent the last several months reporting on election hacking for my podcast Breach, and I’ve learned a lot: Mostly that vote “hacking” is a much broader problem than people realize.  While lots of attention has been paid to the hacking of electronic voting machines themselves, elections can be hacked months before, or months after, voting day.  Here’s a look at the entire life cycle of your vote, and all the places it can be hacked along the way.

Listen to the podcast on Stitcher (https://www.stitcher.com/podcast/pods/breach) or iTunes (https://itunes.apple.com/us/podcast/breach/id1359920809?mt=2).

Step 1: Deciding to vote

The voting process begins when people decide to vote (or, they don’t), and register. The enemies of democracy spend a lot of time trying to convince citizens that their vote doesn’t count, that people shouldn’t even bother going to the polls. Encouraging apathy is actually step one. How does that happen? Through disinformation campaigns — state-sponsored trolling — that are nudged along unwittingly by people who fall for the trick.

“Academics will make the distinction that disinformation is false information that’s knowingly spread,” says Nick Monaco, a D.C.-based researcher and expert in worldwide trolling campaigns. “So there’s an intent to deceive people knowingly. Then they’ll say that misinformation is information that is spread unknowingly that’s false. So maybe you retweet a story that you thought was true, that would be a case of misinformation. But if you create a false story to smear someone that would be disinformation.”

In the podcast, we talk about a fictitious election between myself and Alia Tavakolian, my Breach co-host. Someone spreads a rumor online that I am a puppy killer — very untrue — and I lose crucial campaign time fighting off this attack. Why does it spread so quickly?  Bots, using artificial intelligence, talk it up.

“Most news organizations now have incentive (and) choose of their own accord to report on what’s trending online. What if what’s trending online is produced 90% by bots and 10% (by) humans?” Monaco said.

In other words, bots are hacking people’s attitudes. State-sponsored trolling is the hacking of our minds.

“I think that in the first place, if people’s attention is hacked already by a platform, and they’re spending time on this platform, and then they’re receiving messages that might sway their actions … So we already have you in one place, we know where you are, we know what you think about, and we know where you live. Let’s just send you some information that we think would be amenable to what you — what you think, and maybe influence you to act in some way,” Monaco said.

 

 

Step 2: Voter registration

Let’s say you press on past digital propaganda and decide you are going to vote. You register. That data has to live somewhere. And it has to remain accurate.  If a group wanted to engage in voter suppression, they could hack state registration databases and remove names — or just change addresses in a way that would create election-day chaos.

“(Voter) records are maintained in computer databases, many of which are connected directly or indirectly to the internet, and subject to the same kind of data breaches that affect other kinds of internet systems,” said Matt Blaze, a computer science professor at the University of Pennsylvania, where he’s been working on voting technology for the past fifteen years. “We often don’t find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote.”

This isn’t a theoretical risk. The U.S. government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

Even more ominous: If someone wanted to tip an election, they’d do this only in zip codes that traditionally leaned one way or the other.

“Because with the marketing data these days we can microtarget down to the neighborhood how we know a certain neighborhood’s going to vote,” said Maggie MacAlpine, co-founder of security firm Nordic Innovation Labs. “We’ve had some elections that were decided by less than 1,000 people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, ‘Well, I should be registered, why aren’t I registered?’ If you can keep that spike under the radar, you can actually change things that way.”

Many jurisdictions use e-poll books at voting locations now, to get the best registration information in the hands of poll workers. They also add another layer of technology to the process that can be hacked.

 

Step 3: Voting “Day”

U.S. voting machines have been under scrutiny dating back at least to the hanging chads of Bush v. Gore in the 2000 presidential election.  In 2002, Congress passed the Help America Vote Act, which gave states money and incentives to abandon old-fashioned voting machines and led to the purchase of electronic machines — generally touch-screens (DREs) or optical scan / scantron machines (like multiple-choice tests). They’ve caused a lot of trouble. There have been years of demonstrations showing the machines are vulnerable to various attacks.  Vendors often say these are only theoretical, that the machines themselves are not networked so they aren’t really vulnerable.  Many voting experts disagree.

“What people sometimes don’t understand about voting machines is that they’re really not as isolated from each other and from internet-attached systems as they may seem,” said J. Alex Halderman,  director at the Michigan Center for Computer Security in Society, and another long-time voting expert.

For starters, the machines must be loaded with candidates — somehow.

“Before every election, virtually every electronic voting machine in the country has to be programmed, and it has to be programmed with the ballot design. That is the candidates, the races, and the rules for counting,” he said.  This is usually done with an election management system. “(Hackers) can potentially spread malicious software to every voting machine in the jurisdiction just by having that software essentially hitch a ride with the ballot programming that election officials copy to the machines in the field.”

Harri Hursti was the researcher who first hacked voting machines nearly 15 years ago.  His technique actually has a name: “The Hursti Hack.”

“What I found was that the bootloader is looking from the memory card a certain file name. If it finds that name, it will reprogram itself with the contents of that file with no checks, balances whatsoever,” he said. Some of the same machines he hacked 15 years ago are still being used in elections today. “Sometimes I get tired of talking about it…but it took people 15 years to listen.”

Step 4: Vote counting

Once you leave the polling place, an intricate dance of technology takes place. Perhaps the machine you used creates a local tally and prints out an end-of-day receipt, which is later added to tallies from other machines in that precinct, in that county, and that state. The counts themselves must be accurate, but perhaps more important, the transmission of the counts must be secure. Many experts see this as a vulnerable step.

“If we’re able to modify the transmission of vote tallies back and forth across these systems, we could potentially influence the vote,” said Mark Kuhr, a security expert with Synack Inc.

The votes might be sent over the Internet. They might be sent via “sneaker net,” with a courier driving memory cards to a central location. In some states, vote tallies are transmitted wirelessly. And that introduces more potential problems. States that do this claim the data is encrypted, but experts worry about vulnerabilities – such as so-called man-in-the-middle attacks. Devices like Stingray machines – often used by police to intercept smartphone transmissions – can pose as cellular network towers and download all information sent towards those towers.

Step 5: Announcing the results

It’s easy to overlook, but perhaps the prime election hacking opportunity might also be the easiest – skip the James-Bond-esque vote-flipping efforts, and just hack a secretary of state’s website to cause confusion.

“We know that the Russians have hacked websites that announce election results in the past,” said Jake Braun, executive director of the University of Chicago Cyber Policy Initiative and organizer of the Voting Village project at hacker conference Def Con. “They did it in the Ukraine a few years back. I mean, can you imagine if it’s election night 2020, and they have to take the Florida and Ohio websites down because they’ve been hacked by Russia, and like Wolf Blitzer is losing his (mind) on CNN and Russian RT has announced that their preferred candidate won, who knows who that is, and then of course the fringe media starts running with it as if it’s real here in the United States. …How long would it take to unwind that? I mean it would make Bush v Gore in 2000 look like well-ordered democracy.”

 

This makes me think of somebody who spent six hours making a wedding cake and drives it to the wedding and gets to the wedding and the second before they’re going to put it on the table, they trip and fall and the wedding cake splatters on the floor. That’s our election process.

Step 6: Accepting the results

Even after the vote is over, it’s not over.  A critical element of democracy is that the losing side accepts the results. Think back to step 1: If an enemy of democracy could foment enough disenchantment that a sizable set of the population refuses to accept the legitimacy of the election, that could be enough to “hack” the election process, too.

“Messaging around the integrity of voter information or the legitimacy of the election is something I’m really worried about,” Monaco said. “So aside from hard hacking of infrastructure, (what scares me most is) a disinformation campaign that would say, ‘The vote’s not legitimate, these people couldn’t vote, their voting records were altered,’ even if that stuff’s not true. I mean the scary part is like with a kernel of truth that would really, really empower that disinformation campaign. So that’s like a nightmare scenario for me.”

In our market, the dollar bill is the fundamental unit of capitalism in America. The integrity of the dollar bill is paramount. If one day people decided, “What is the dollar really worth? I’m not sure. I don’t trust this thing.” Our country would collapse. Voting is exactly the same way. The vote is the central unit of democracy, and right now the vote is under serious threat. People right now are asking themselves, “Should I really take a vote or not? Does that really matter? Does it really count? When we added them all up, is it really correct?” It’s that fundamental an assault on our way of life.

The End: Next steps

Kim Zetter, who’s been reporting on election hacking for a decade, lays out the dark reality. Russian election interference is only the latest in a long line of problems with the way we vote in America.

“I would say that the Russians are a red herring because that’s not why we should be looking at this. This problem has existed since 2002, people have ignored it,” she said. What is the real danger? “Everything is the danger. Danger is a software bug that could cause the machine to not record your vote to — to lose votes, to record it inaccurately. The danger is an insider in the election office, anyone who is opposed to U.S. foreign policy, anyone who has a gripe with the U.S. And again, it doesn’t have to be someone who’s really sophisticated.”

If all this seems hopeless, it’s not.  For starters, every single expert we talked to about election hacking said that, while the problem is challenging, democracy is far from doomed.

“I have confidence in our democratic institutions, and we’ve survived a lot,” said Adam Levin, whose company Cyberscout performs security audits for state election officials. “And my belief is that we’re going to survive this as well, but the truth is, look, it is a Herculean task. It is a daunting task. No one denies that. But this country has always stepped up, always. At some point, we dug down deep, and we stepped up.”

What can you do? Step up and vote. And be informed. The biggest vulnerability in democracy is apathy. The fewer people who vote, the easier it is to manipulate the result. The fewer people who work hard to be informed, the easier they are to manipulate. The angrier you are, the easier it is to set you against your fellow citizens. So vote on (or before!) election day. Read, read, read before and after the election to stay informed. And don’t fall for the enemies’ “divide and conquer” strategy or “let’s you and him fight” tactics. Disagree, but keep America a civil society. There’s a lot you can do to prevent the hacking of democracy. Listening to the full podcast would be a good start.