Sunday, March 29, 2015

Beware "Spear-Phishing" attacks!


I just ran across an interesting Tech Crunch article on spear-phishing, by Tom Chapman, a former Navy intelligence officer who now serves as director of cyber operations at cybersecurity firm Edgewave. In the article, he explains the threat and some countermeasures, with just the right amount of detail.

If the definition of spear-phishing, or the immediate danger of it, isn't obvious to you, I strongly recommend that you take a few minutes to learn something about this important subject.

Click here to read the complete article.

In case you're the kind of person who is hesitant to follow miscellaneous links on web pages, here are some excerpts from the article that the link references.

If terrorists ever orchestrate a cyber attack against the U.S., the odds are 9 in 10 that spear-phishing will be the first step of their assault. The same technique that has breached Sony, Anthem, Target, the Pentagon and thousands of organizations every year, spear-phishing is used in some 91 percent of cyber attacks, according to the security firm Micro Trend. We can either spread awareness of spear-phishing now or suffer the consequences later.

Spear-phishing, like phishing, involves emailing a malicious link or file. Whereas phishers send mass emails in hopes of stealing credit card information, Social Security numbers and login credentials from as many people as possible, spear-phishers are more precise. They usually target one or few individuals at an organization, and they conduct extensive research in order to craft a very personal and convincing email. The spear-phisher has a very specific and often more sinister objective than the phisher.

To prevent spear-phishing attacks against our government, companies, friends and family, we all need to understand the mechanics behind these assaults. With this shared knowledge, we can then take collective measures to reduce the likelihood and consequences of spear-phishing.

The spear-phisher’s playbook

Spear-phishing is based on the premise that slipping through a side entrance is easier than breaking down the front door. When you picture spear-phishing, Swordfish or other hacker movies are the wrong image – we’re not dealing with cyber geniuses who bang away on the keyboard until they control the entire network. Effective spear-phishers are really social engineers. They are experts at appearing to be someone you know and trust.

Let’s say I want to attack good old Acme Corporation. First, I would look up everything I could find out about Acme – who works there, what they do, the latest news, etc. I examine its website, public records, social media, news articles and whatever else I can find. My target is probably someone with administrator access to the company network – generally, someone in IT.

IT people are easy to identify. Even if I couldn’t find them on LinkedIn or Acme’s website, I could pretend to be a customer with an issue, send an email to tech support and ask for an IT admin to call me.

Once I have my target(s) – let’s say it’s Jane Smith in IT – I dissect her network. What LinkedIn groups is she part of? Who does Jane communicate with most often on Facebook? What do public records turn up? What are her hobbies and interests? Based on this exhaustive research, I craft an email Jane is likely to open and click.

If, for example, she’s active in a LinkedIn group about cybersecurity, I’d join that group, copy their exact branding and perhaps send an email that invites Jane to discuss spear-phishing (oh the irony…). Of course, the “LinkedIn” link will either direct her to a malware site or download an embedded, executable file onto her computer. This malware allows me to steal her Acme network credentials.

Fighting back against spear-phishers

Spear-phishing can affect an entire organization – or country – by targeting just a few individuals. To prevent spear-phishing, everyone in an organization has to share the responsibilities of defense. Effective spear-phishing defense has three components:

Email filtering with a human touch

The first line of defense against spear-phishing is a good spam filter. Essentially, filters analyze and score emails based on the server, the sender’s reputation, spelling and other criteria. However, most filters are black and white – if the score is above X points, it goes through. If it’s below X, spam folder.

Top filters are only 99 percent accurate, which sounds reassuring until you consider that the business world sends and receives 108.7 billion emails per day, according to The Radicati Group, a technology research firm. In other words, over 1 billion business emails per day will be misidentified. Of course, spear-phishers understand how filters work and attempt to trick them.

This is why I recommend using a filter that acknowledges a gray zone around X and uses real human beings to evaluate these ambiguous cases. Human beings can make observations and catch red flags that machines currently can’t.
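To make the "gray zone" idea concrete, here is a small scoring-and-triage sketch. It is an added example written for this post, not code from the article, from Edgewave, or from any mail filter product; the feature weights, thresholds and the three sample messages are all made up for illustration. The point it shows is the three-way decision: instead of a single cut-off that delivers or discards, scores between the two thresholds are routed to a person.

```python
import re

# Constructed sample messages (not real mail): minimal headers plus body text.
SAMPLES = {
    "newsletter": {
        "from": "news@example-vendor.com",
        "spf": "pass",
        "body": "Our March newsletter is out. Read it at https://example-vendor.com/news/march",
    },
    "obvious_spam": {
        "from": "win@free-prizes.example",
        "spf": "fail",
        "body": "URGENT!!! You have won. Click http://198.51.100.7/claim now, verify your password immediately",
    },
    "targeted_lure": {
        "from": "groups@linkedin-discussions.example",
        "spf": "pass",
        "body": "Hi Jane, your group has a new discussion on spear-phishing. Join here: https://linkedin-discussions.example/t/1",
    },
}

URGENCY = re.compile(r"\b(urgent|immediately|verify|suspended|act now)\b", re.I)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")

def score(msg):
    """Higher means more trustworthy. Weights are assumed for the example, not taken from any product."""
    s = 100
    if msg["spf"] != "pass":                      # sender's domain does not vouch for the sending server
        s -= 40
    if IP_URL.search(msg["body"]):                # links to a bare IP address instead of a hostname
        s -= 30
    s -= 10 * len(URGENCY.findall(msg["body"]))   # pressure language, one penalty per hit
    if msg["body"].count("!") >= 3:
        s -= 10
    # A well-known brand name inside a sender domain that is not the brand's own domain.
    sender_domain = msg["from"].split("@")[-1].lower()
    for brand in ("linkedin", "paypal", "microsoft"):
        if brand in sender_domain and sender_domain != f"{brand}.com":
            s -= 35
    return max(s, 0)

def triage(msg, deliver_at=70, block_at=40):
    """Three-way decision: scores in the gray zone between the thresholds go to a human reviewer."""
    s = score(msg)
    if s >= deliver_at:
        return "deliver", s
    if s <= block_at:
        return "spam", s
    return "human_review", s

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14s} -> {triage(msg)}")
```

The newsletter scores 100 and is delivered, the crude spam drops to 0 and is discarded, and the targeted lure lands at 65: it passes every mechanical check except the look-alike sender domain, which is exactly the kind of message a human should look at before it reaches Jane's inbox.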

Organization-wide training

Spear-phishing is preventable if employees know how to identify and avoid it. Teach people to be skeptical of all emails. More specifically, train people to:

Avoid clicking email links. If your LinkedIn group sends an email about a new discussion topic, don’t click. Go to your URL bar and manually visit LinkedIn if you wish to contribute.

Hold their mouse over hyperlinks to see where they actually direct. A foreign country code, like .ru or .cn, should tip you off that something’s fishy.

Never, ever email passwords or banking information, no matter how safe it looks.

Immediately contact IT if they open or click something suspicious. Depending on the case, changing the username and password is sufficient. Other times, IT must delete the account.
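The "hold your mouse over the link" advice can also be automated for the whole organization. The script below is an added example written for this post (not from the article or Edgewave): it pulls every link out of an HTML message, compares the visible text with the real destination, and flags bare IP hosts, the country codes the article mentions, and hostnames that merely contain a trusted brand name. The sample message, the brand list and the `registrable()` helper (a crude last-two-labels approximation, not a public-suffix lookup) are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

SUSPICIOUS_CCTLDS = {"ru", "cn"}              # the article's two examples; adjust to your own business
BRANDS = {"linkedin.com", "acme.example"}    # domains users expect to see (constructed list)

def registrable(host):
    """Rough registrable domain: last two labels. Good enough here; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def inspect_link(href, text):
    findings = []
    host = urlparse(href).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal host")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_CCTLDS:
        findings.append(f"unexpected country code .{tld}")
    # Visible text that looks like a URL or domain but resolves to a different site.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text says {m.group(1)} but link goes to {host}")
    # A trusted brand's name buried inside a host that is not the brand's own domain.
    for brand in BRANDS:
        label = brand.split(".")[0]
        if label in host and registrable(host) != brand:
            findings.append(f"lookalike of {brand}: {host}")
    return findings

def inspect_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: inspect_link(href, text) for href, text in parser.links}

# Constructed lure in the style the article describes (not a real message).
SAMPLE_EMAIL = """
<p>Hi Jane, a new discussion was posted in your group.</p>
<a href="https://linkedin.com.group-invite.ru/t/42">https://www.linkedin.com/groups/</a>
<a href="http://203.0.113.9/update">Update your profile</a>
<a href="https://www.linkedin.com/groups/">Manage notifications</a>
"""

if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The first link is the interesting one: the text reads linkedin.com, the host also begins with linkedin.com, but the part that actually matters is the last two labels, group-invite.ru. That is the check a user is making by eye when they hover over a link, and it is worth teaching people to read hostnames from the right-hand end.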

24/7 network monitoring

Last year, the Sony hackers were able to steal hundreds of terabytes of data; that should have never happened. If IT personnel were monitoring the network, this activity would have been impossible to miss.

IT must monitor data logs for anomalies 24/7. If 10 GB of data are flowing to China at 2 a.m., that’s suspicious. Someone needs to follow up. Also, IT should monitor outbound traffic flow. If the company is sending out an unusually high volume of emails, that could be a red flag, too.
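The two checks in that paragraph (bulk data leaving at odd hours, and a sudden burst of outbound email) are simple enough to express directly. Below is an added example written for this post, not the article's or Edgewave's code, that runs both rules over a handful of constructed flow records. The geolocation table is a stand-in for a real GeoIP lookup, and the thresholds (10 GB per peer per hour during 00:00-05:59, more than 50 outbound SMTP connections per host per hour) are assumed values to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records for the example (not real traffic): time,src,dst,dst_port,bytes
FLOW_LOG = [
    "2015-03-28T14:05:00,10.0.0.5,192.0.2.10,443,2048000",        # daytime, modest, domestic
    "2015-03-29T02:10:00,10.0.0.7,198.51.100.20,443,6000000000",  # 6 GB at 2 a.m.
    "2015-03-29T02:25:00,10.0.0.7,198.51.100.20,443,5500000000",  # another 5.5 GB to the same peer
    "2015-03-29T02:40:00,10.0.0.5,198.51.100.20,443,400000000",   # 400 MB, stays under threshold
]
# Sixty outbound SMTP connections from one host within a single hour (constructed).
FLOW_LOG += [f"2015-03-29T02:{m:02d}:00,10.0.0.9,203.0.113.{5 + m % 20},25,900" for m in range(60)]

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO = {"192.0.2.": "US", "203.0.113.": "US", "198.51.100.": "CN"}
HOME_COUNTRY = "US"
OFF_HOURS = range(0, 6)         # 00:00-05:59 local time
BULK_BYTES = 10_000_000_000     # 10 GB per (src, dst) pair per hour
SMTP_BASELINE = 50              # outbound SMTP connections per host per hour

def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def parse(line):
    ts, src, dst, port, nbytes = line.split(",")
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def find_anomalies(lines):
    """Aggregate per hour, then apply the two rules from the article."""
    bulk = defaultdict(int)   # (hour, src, dst) -> bytes sent off-hours to a foreign peer
    smtp = defaultdict(int)   # (hour, src) -> outbound SMTP connection count
    for line in lines:
        ts, src, dst, port, nbytes = parse(line)
        hour = ts.strftime("%Y-%m-%dT%H")
        if ts.hour in OFF_HOURS and country_of(dst) != HOME_COUNTRY:
            bulk[(hour, src, dst)] += nbytes
        if port == 25:
            smtp[(hour, src)] += 1
    alerts = []
    for (hour, src, dst), total in bulk.items():
        if total > BULK_BYTES:
            alerts.append(f"bulk off-hours transfer: {src} -> {dst} ({country_of(dst)}) "
                          f"{total / 1e9:.1f} GB during {hour}")
    for (hour, src), n in smtp.items():
        if n > SMTP_BASELINE:
            alerts.append(f"outbound email spike: {src} opened {n} SMTP connections during {hour}")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(FLOW_LOG):
        print(alert)
```

Note that the bulk rule sums per hour rather than looking at single flows: the two 2 a.m. transfers are each under 10 GB on their own, and only the hourly total of 11.5 GB crosses the line. Someone still has to follow up on the alert, which is the article's whole point.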

Don’t let IT fall into the trap of believing that expensive software will make the organization safe. With spear-phishing, cybersecurity solutions are just like security cameras – they can record the real-time events, but they won’t prevent robbers from walking out with all your data. Human beings have to take action.

Friday, March 20, 2015

Her Starbucks Card

I ran across this pretty card, while attempting yet again, to go through Kristan's wallet, and find anything that needs to be dealt with quickly. I can't get very far through her wallet, without running across something that makes me break down and bawl. One of the stocking-stuffers I got her, late last year, was this Starbucks gift card with a stylish Christmas tree on it. She really loved the design, but she never got to use it. So I guess I'll just be thinking an extra special thought of her, every time I use it. It's one of my favorite designs, too.

Thursday, March 12, 2015

K loved her car

Kristan really loved her car. After driving it to work and home today, I was reminded of why. And of her. As I type this, I am overwhelmed with grief, yet again. I miss her so very much.

Wednesday, March 11, 2015

Obituary for Kristan Attardi Hushing

Kristan Attardi Hushing, age 62, passed away unexpectedly on Sunday evening, January 11, 2015, after a long and difficult battle with diabetes. She is survived by her brother John and her husband Sumner.

Kristan grew up in Tahoe City, California, and graduated from Tahoe-Truckee High School in 1970. She first attended the University of California at Irvine, then received her bachelor's degree in Women's Studies from the University of California at Berkeley. She later pursued advanced studies in Marriage and Family Therapy, in San Diego. She received her license in Marriage, Family, and Child Counseling from the State of California.

Kristan worked as a Marriage and Family Therapist in San Diego, California. With her husband, Sumner Hushing, Kristan later moved to Littleton, Colorado, where she received her license in Marriage and Family Therapy from the State of Colorado, and continued her therapy practice, until her illness prevented her from working.

Kristan had an enormously generous heart, and wanted to share with and help others - whether through her therapy work or with a thoughtful gift. She loved animals, particularly her companion dog Mandy. Kristan also possessed a deep curiosity that fueled her passions for her early career, as well as her hobbies of reading, music, and building unique collections. She shared many interests and activities with her husband, including skiing, sailing, softball, volleyball, hiking and camping, and flying small planes to interesting places.

An informal “Celebration of Kristan's Life” was hosted at the house, a week after she died. Many pictures of her, from earlier and happier times, were posted around the house, to allow friends and family to learn or reminisce about the many good times she experienced.

Sunday, March 1, 2015

I'm still here

I'm having a difficult time, thinking of anything to say here, these days, but here goes. I guess I can say that I'm doing OK, mostly slogging through life as it comes. I've lost some of the momentum I had, reading "How to Survive the Loss of a Love" that my sister Otamay gave me in January. But I'm taking some of the advice I've read in there to heart, especially the part about not making any big changes right now, and just trying to see how my regular routine adjusts itself, to not having Kristan around any more. Just typing that on the keyboard, the tears well up in my eyes, and I can't read the screen any more. So clearly I'm not "fine," but I don't expect that.

The housekeeper / dogsitter is helping me get rid of hundreds of pounds of old magazines, newspapers, and store catalogs, a little at a time. I'm also nibbling away at the dozens of subscriptions she had, to email newsletters, so that her inbox will be less full, and I can more easily watch for attempted business and personal communications. Some neighbors have stepped up, and are calling occasionally, to keep me busy with little social events, like going out for meals and walks, and watching movies on our big screen TV in the basement.

I'm still dealing with lots of Kristan's medical bills, and expecting that to continue for quite a while. I'm making the equivalent of a monthly mortgage payment until the end of this year, just to cover her stay at the nursing facility in late 2012, after she broke her neck, and through a miscommunication, we incurred over $10,000 of uninsured financial responsibility, by letting her stay longer than she really needed to, because we were mistakenly told it was covered, and she was getting some helpful therapy. Lately, most of the medical service billers aren't billing insurance right, or at all, so they're demanding that I pay the entire balance, which is very unsettling. I'm having to contact them all - during normal business hours, of course - to find out each of their stories, and to get the insurance information to them. Lorene, the person that was helping us to process the bills, isn't coming any more, because her new caregiver assignment leaves her no free time, so I'm left to my own devices.

I'm not looking forward to tax time, which is fast approaching, later in March, although they assure me that it shouldn't be any more complicated than it was before. Except, before I had Kristan and her helpers around, to help collect up all the tax information for the year.

I take advantage of the occasional free moment, to try to fly, but mostly crash, my little quadcopter (thank you Gene!) around the bedroom, and sometimes in the larger and taller great room, until the battery runs down, which takes a minute or two. It is really great fun, and very challenging. It likes to zoom unbelievably fast up to the ceiling, and then the vacuum above the propellers makes it stick up there, until I shut off the throttle, whereupon it falls insanely quickly to the floor, before I can react. I'm still too timid, and the weather's too cold and snowy, to take it outside yet, but if it survives the winter, I'm sure I'll take it to a big grassy park, and try it out there, on some warm sunny day. Mandy doesn't like it at all, since it sounds like a giant housefly, and she already hated those things.