RSAC 2016: Bro, Do You Even Cybercrime? Key 2016 Trends
I attended the talks at the 2016 RSA Conference, and one that stood out to me was Bro, Do You Even Cybercrime? Key 2016 Trends. Given by James Lyne, Global Head of Security Research at Sophos and SANS, it was a snappy review of his research on phishing emails, the vulnerabilities attackers exploit most successfully, malicious mobile apps and more.
I arrived a little late, as I mixed up the start time of the talk, but walked in just as he delivered this fun factoid: the most popular place to find USB devices and plug them in is - the toilet. Yep, they found out that most users were finding and getting infected by malware in the bathroom. Weird.
What Makes Great Phishing ClickBait
More phishing email research revealed that users don’t really fall for emails that claim they’ve received their tax refunds. However, an email that stated “here is my resume” resulted in over 200 clicks. Another email that contained content about their “Amazon package” resulted in over 100 clicks, and finally, 19 people actually clicked on the URL in an email that merely said “bruh, do you even click my links?” <--WTF, people.
It’s easy to say that users are just stupid, but they’re more likely just curious or very trusting, especially if they’re expecting a resume or an Amazon package. The point here is that cybercriminals use phishing emails so often because they’re basic, low-tech and low-effort with a high payoff. And they typically target user credentials. Protecting those keys to the kingdom requires an equally basic, but very important security technology - two-factor authentication. Find out more about Why Two-Factor Authentication?
Another way that phishing emails successfully infect targeted users is with the classic Word .doc attachment. James discussed attachments that leverage the user’s own security awareness to get them to act - one document urged users to enable macros on their computer in order to view an “encrypted” secret message. This is an example of a clever social engineering attack that misrepresents security concepts in order to compromise users’ machines.
Old Vulnerabilities Still Effective As Ever
Another way cybercriminals attack is with toolkits of exploits designed for targeted attacks. Those kits often rely on exploits for very old, well-known vulnerabilities - because they’re still successful. Many organizations never update, for years even. James presented research on the most successful Common Vulnerabilities and Exposures (CVEs) he found, and the leading CVE (48%) was from 2012. The second most successful CVE was from 2014, with others ranging from 2013-2015.
That means another very basic but important way to protect against potential exploits is to update and patch apps and software on your organization’s systems right away. There’s often a gap between when a new patch or version is released and when an organization actually updates - and that gap is exactly when attackers strike.
One way to automatically reduce the time-to-update is by using an endpoint security solution that not only detects when out-of-date devices attempt to connect to your network, but also notifies your users to update immediately. Even better - warn your users that they’ll be blocked after a certain number of days if they don’t update. Learn more about Duo’s Self-Remediation feature that does just that.
Mobile Devices Are Also Still Vulnerable
James brought up a final point, which is that many people think mobile devices are somehow more secure than other devices, like laptops. However, they may not realize that they’re running outdated and insecure software on their mobile devices.
Such a funny commentary by @jameslyne in his talk this am: “Oh no problem, I’ll click on that on my phone and see if it’s safe” #RSA2016
— Rachel Nislick (@rachelnislick) March 2, 2016
He gave an example of one mobile app that geolocates and changes functionality for users in China. It’s actually an app store within an app - available within an app store. It offers customized apps on non-jailbroken iPhones by replicating Apple windows, with a dynamic updating system that can send code updates to a user’s phone outside of normal Apple update releases.
The app authors were able to reverse the code of an official Apple development system (Xcode) in order to sign apps and allow them to run on an iPhone.
Another analysis of 1002 mostly mainstream, popular apps with a strong Android lean showed that 306 failed to implement TLS correctly, meaning that the apps appeared to encrypt data but didn’t actually offer any protection against eavesdropping on public Wi-Fi. James also found that other apps would even store passwords in cleartext.
Overall, the main takeaways: old document-based malware still works and rarely needs a zero day to be effective, meaning organizations really need to update their software! James also recommends disabling macro support if you don’t use it, as it’s often outdated and vulnerable to basic attacks. He also found that new technology comes with higher expectations of trust, but those devices often don’t live up to it, meaning that as users and admins, we still need to be cautious and vigilant.