E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.
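A rule like the one described above is easy to miss by eye but easy to catch programmatically: it has no conditions (so it applies to every message), it moves or hides mail, and its name is chosen to be invisible in a list. The following inbox-rule audit is an added example, not code from the post or from any mail product; the rule records are constructed, and the obscure-folder list and the `example.com` domain are assumptions to adjust for your own environment.

```python
"""Inbox-rule audit for the diversion trick described above. Added example,
not code from the post or from any mail product; the rule records below are
constructed, and the folder list and domain name are assumptions."""

from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain

# Folders users rarely open, so a rule parking mail there goes unnoticed (assumed list).
OBSCURE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "deleted items", "archive"}


@dataclass
class MailRule:
    name: str
    conditions: dict = field(default_factory=dict)   # empty dict = applies to every message
    actions: dict = field(default_factory=dict)


def audit_rule(rule: MailRule) -> list[str]:
    """Return the reasons this rule looks like an attacker's, or [] if none."""
    findings = []
    label = rule.name.strip()
    if len(label) <= 2 or set(label) <= set(".,_-"):
        findings.append("rule name is blank or a single punctuation mark")
    catch_all = not rule.conditions
    folder = rule.actions.get("move_to_folder", "")
    if catch_all and folder.strip().lower() in OBSCURE_FOLDERS:
        findings.append(f"moves every incoming message to '{folder}'")
    if catch_all and rule.actions.get("delete"):
        findings.append("deletes every incoming message")
    if catch_all and rule.actions.get("mark_as_read"):
        findings.append("marks every incoming message as read")
    forward = rule.actions.get("forward_to", "")
    if forward and not forward.lower().endswith("@" + INTERNAL_DOMAIN):
        findings.append(f"forwards mail outside the organisation to {forward}")
    return findings


def audit_mailbox(rules: list[MailRule]) -> dict[str, list[str]]:
    """Map rule name -> findings, for the rules that have any."""
    return {r.name: f for r in rules if (f := audit_rule(r))}


# Constructed sample: one legitimate filter, one archive rule with a real condition,
# and two rules shaped like the ones attackers plant after taking over an account.
SAMPLE_RULES = [
    MailRule("Newsletters", {"from_contains": "news@"}, {"move_to_folder": "Newsletters"}),
    MailRule("Archive old", {"older_than_days": 365}, {"move_to_folder": "Archive"}),
    MailRule(".", {}, {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}),
    MailRule("Backup", {}, {"forward_to": "mailbox@freemail.invalid"}),
]

if __name__ == "__main__":
    for name, why in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(why))
```

Note that the archive rule is left alone because it carries a real condition; the point is the combination of “applies to everything” with a hiding action, not the folder name by itself. Feed this the rule list exported from your mail platform (every major one can list a user’s rules) and run it as part of the daily check.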

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2.  Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3.  Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies requiring any employee who receives an e-mail that looks like particularly clever or tempting phishing to report it to the company immediately for investigation.

4.  Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5.  Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6.  Require users to archive messages in their Inbox and Sent Items folders regularly.  The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.
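Lesson 5 is the one that would have cut the week of fallout to a morning: the server blocked the account for exceeding its outgoing limit but told nobody, and the breach surfaced only through the user’s bounce messages. The check below is an added example of what a daily look at the outbound log can be; the tab-separated log format, the sample lines and the threshold are constructed assumptions, not any real server’s message-tracking format.

```python
"""Daily outbound-volume check in the spirit of lesson 5: a server that quietly
blocks an account after it exceeds its sending limit never told the administrator,
so this scans the outbound log and reports who is sending like a spam bot. Added
example; the tab-separated log format, the sample lines and the threshold are all
constructed assumptions, not a real server's message-tracking format."""

from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

MAX_RECIPIENTS_PER_HOUR = 100   # assumption: well above a normal user's peak, below the server's cap


def parse_line(line: str):
    """Log line layout (assumed): timestamp<TAB>sender<TAB>recipient<TAB>subject"""
    ts, sender, recipient, subject = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower(), subject


def find_mass_mailers(lines, window=timedelta(hours=1), limit=MAX_RECIPIENTS_PER_HOUR):
    """Sliding-window count of messages per sender.
    Returns {sender: (peak messages inside one window, most common subject)}."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)        # sender -> timestamps within the current window
    subjects = defaultdict(Counter)
    peaks = {}
    for ts, sender, _recipient, subject in events:
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop sends that fell out of the window
            q.popleft()
        subjects[sender][subject] += 1
        if len(q) > limit:
            peaks[sender] = max(peaks.get(sender, 0), len(q))
    return {s: (peak, subjects[s].most_common(1)[0][0]) for s, peak in peaks.items()}


def build_sample_log() -> list[str]:
    """Constructed log: one normal user, and one account spraying the lure from the story."""
    start = datetime(2019, 3, 12, 9, 0, 0)
    lines = [f"{start + timedelta(hours=2 * i)}\tbob@example.com\tclient{i}@partner.invalid\tRe: invoice"
             for i in range(5)]
    lure = "Missed call from +1(4XX) 6XX-9XXX"
    lines += [f"{start + timedelta(seconds=15 * i)}\talice@example.com\tvictim{i}@somewhere.invalid\t{lure}"
              for i in range(150)]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for sender, (peak, subject) in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT {sender}: {peak} messages in one hour, subject {subject!r}")
```

The sliding window matters more than a daily total: a legitimate user can send a hundred messages over a day, but not a hundred inside forty minutes with one subject line. Pair the alert with a notification channel the administrator actually reads, since the whole lesson is that the server’s own block was silent.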

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences.  I suggest you do the same.

Software and security flaws: Even mighty Google isn’t immune.

Here’s a bit of news that doesn’t make one feel very reassured about cyber-security.

It turns out that a major flaw has existed in the security of Google’s Gmail service for an extended period of time.

And that flaw could have been exploited to extract millions of Gmail addresses – potentially every single one of them, in fact.

What’s even more unnerving is that this flaw wasn’t uncovered by Google’s own engineers, but instead by security researchers in Israel who were kind enough to bring it to the company’s attention.

Thankfully, it was the “good guys” rather than the “bad” who made the discovery.

Evidently, the flaw resided in the sharing feature of Gmail that allows each user to delegate access to his or her Gmail account.

By “tweaking” the web address, the security researchers were able to reveal a random user’s e-mail address.

Once this procedure was proved out, scaling the hack was relatively easy.  By automating character changes using a software tool called DirBuster, the researchers were able to harvest approximately 37,000 Gmail addresses inside of two hours.
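The weakness here is a token that is close enough to its neighbours to be walked by changing characters, combined with a service that answers every guess. Below is an added example of how the server side of such a sharing link can be built so that neither holds; it is not Google’s code, and the in-memory store, the miss limit, the window and the client identifiers are assumptions for illustration.

```python
"""Server-side handling of an account-delegation link, added here to contrast with
the guessable URL token in the story. Not Google's code: the in-memory store, the
miss limits and the client identifiers are assumptions for illustration."""

import hashlib
import secrets
import time
from collections import defaultdict, deque

MISS_LIMIT = 20              # assumption: failed lookups tolerated per client per window
MISS_WINDOW_SECONDS = 600    # assumption


class DelegationLinks:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_hash = {}                   # sha256(token) -> mailbox; a DB dump yields no usable link
        self._misses = defaultdict(deque)    # client id -> timestamps of failed lookups

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, mailbox: str) -> str:
        # 32 random bytes (~256 bits): changing a few characters of the URL lands on
        # nothing, and a pace of tens of thousands of tries an hour never nears a valid token.
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = mailbox
        return token

    def _throttled(self, client: str) -> bool:
        q, now = self._misses[client], self._clock()
        while q and now - q[0] > MISS_WINDOW_SECONDS:
            q.popleft()
        return len(q) >= MISS_LIMIT

    def resolve(self, client: str, token: str):
        """('ok', mailbox) | ('not_found', None) | ('throttled', None).
        Every miss gets the same answer, so a response never confirms that a nearby
        token exists, and a client that misses repeatedly is cut off, valid token or
        not, until the window passes."""
        if self._throttled(client):
            return ("throttled", None)
        mailbox = self._by_hash.get(self._key(token))
        if mailbox is None:
            self._misses[client].append(self._clock())
            return ("not_found", None)
        return ("ok", mailbox)


def enumeration_drill() -> dict:
    """Constructed scenario: one client guesses tokens, another uses a real link."""
    svc = DelegationLinks()
    link = svc.issue("owner@example.com")
    outcomes = [svc.resolve("guesser", secrets.token_urlsafe(4))[0] for _ in range(MISS_LIMIT + 5)]
    return {
        "misses_before_cutoff": outcomes.count("not_found"),
        "throttled_after": outcomes.count("throttled"),
        "guesser_with_real_link": svc.resolve("guesser", link)[0],
        "legit_client": svc.resolve("delegate", link)[0],
    }
```

Two design points deserve a sentence each. Randomness is what removes the “tweak a character” path: a 256-bit token has no neighbours worth visiting, whereas a short or sequential token is an index into everyone’s accounts. The miss counter is the second layer and is what turns a harvesting run into a visible event: the log of throttled clients is exactly what the operator should be alerting on.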

Oren Hafif, one of the security researchers involved in the exercise, blogged recently about the potential scope of the flaw:

“I brute-forced a token in a Gmail URL to extract all of the e-mail addresses hosted on Google.  I could have done this potentially endlessly.  I have every reason to believe every Gmail address could have been mined.” 

While the hack would not have exposed passwords explicitly, it could have left email accounts open to password-guessing attacks – not to mention unwanted spam mail or phishing.

Potentially, the breach could have affected not only personal users, but also businesses that use Google to host their email platforms.

Helpfully, the Israeli security researchers decided to inform Google of their discovery, preferring to be part of the solution rather than let the company twist in the wind.

So … are you ready for the kicker?

Reportedly, it took Google one full month to fix the software bug after being informed about it.

For a core service like email that is so central to the entire Google experience, one wonders why it took one of the world’s largest and most powerful companies weeks rather than just days to fix the problem.

If you’re looking for a redeeming or satisfying finale to this story … there really isn’t one.

Why?  Because in its infinite generosity, Google decided to reward Mr. Hafif for bringing the software flaw to its attention, in the form of a cash award.

One that really, really expressed thanks and appreciation for what he did.

Reportedly, the award amounted to US$500.

Are small businesses under increasing risk of cyber-attacks?

When it comes to cyber-security, high-visibility data breaches get all the press, which is understandable.

But small businesses are also victims of cyber-attacks.  And sometimes those events can be financially devastating.

Now a newly published survey quantifies the extent to which small businesses are at risk.  The National Small Business Association polled nearly 850 U.S. small business owners (most with annual revenues between $500,000 and $25 million) in August 2013.  The NSBA survey found that nearly 45% of the respondents’ businesses had been the victim of cyber attacks such as malware, spyware or banking Trojans.

The average cost of these cyber attacks was reportedly nearly $9,000 – with some dollar amounts going much higher.

Separately, another study shows that a record number of cyber attacks targeted small businesses in 2012.  Verizon’s Data Breach Investigations Report examined 855 data breaches and found that over 70% of them involved victim companies with fewer than 100 employees.

Verizon’s 2013 report is showing a continuing increase in cyber attacks on small business, meaning that 2012 was no fluke.

What’s going on here?

According to the Verizon study’s conclusions as well as comments from security experts like Vikas Bhatia, small and medium-sized businesses could be doing a better job of “offensive defense.”

Among the mistakes commonly observed in small businesses are these:

  • Lack of conducting regular backups of business data
  • Neglecting to store backed up data offsite
  • Failing to test data restore functions on a periodic basis
  • Neglecting to keep antivirus software up to date, including software patches and updates
  • Practicing sloppy password protection behaviors (using plain-language passwords … using identical passwords across multiple accounts, etc.)
  • Not understanding cloud-based data storage and what outsourced providers’ liabilities are (and are not) for protecting data
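The first three items on that list fail together: an untested backup is a hope, not a control. What a restore test looks like in practice is shown below as an added example on constructed files in temporary directories; it is not any product’s backup tool, and a real drill would run against the offsite copy on a schedule.

```python
"""Restore drill for the backup mistakes in the list above: back a directory up,
restore it elsewhere and prove byte-for-byte equality with a hash manifest,
rather than assuming an archive that exists can also be restored. Added example
on constructed files in temporary directories; it is not any product's backup tool."""

import hashlib
import tempfile
import zipfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of contents, for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> dict[str, str]:
    """Write the archive and return the manifest taken at backup time; keep that
    manifest with the offsite copy so a restore can be checked against it later."""
    expected = manifest(src)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as z:
        for rel in expected:
            z.write(src / rel, rel)
    return expected


def restore(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    root = dest.resolve()
    with zipfile.ZipFile(archive) as z:
        for info in z.infolist():
            # refuse entries that would land outside dest ("zip slip"), e.g. ../../etc/passwd
            target = (root / info.filename).resolve()
            if root != target and root not in target.parents:
                raise ValueError(f"unsafe path in archive: {info.filename}")
        z.extractall(root)


def verify_restore(expected: dict[str, str], restored: Path) -> list[str]:
    """List every discrepancy between the manifest and the restored tree; [] means good."""
    actual = manifest(restored)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"modified: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    return problems


def restore_drill(corrupt: bool = False) -> list[str]:
    """End-to-end drill on constructed data; corrupt=True simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, archive = Path(tmp, "live"), Path(tmp, "restored"), Path(tmp, "backup.zip")
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2013-08.csv").write_text("date,amount\n2013-08-01,125.00\n")
        (src / "customers.txt").write_text("constructed sample data\n")
        expected = backup(src, archive)
        restore(archive, dest)
        if corrupt:
            (dest / "customers.txt").write_text("truncated")
        return verify_restore(expected, dest)


if __name__ == "__main__":
    print("clean restore problems:", restore_drill())
    print("damaged restore problems:", restore_drill(corrupt=True))
```

The manifest is the part most backup routines skip: without a record of what the data looked like at backup time, a restore that “completes successfully” can still be missing or altered files and nobody would know until the day it matters.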

There’s no question that cyber-security continues to be a big challenge – and probably a growing one – for many companies.

But it’s also pretty evident that many businesses could be doing more to protect themselves from the heartburn (and financial fallout) along the way.

Computer security measures: A whole lot of heat … and very little light?

If you’re like me, you have upwards of two dozen sets of user names and passwords associated with the various business, banking, shopping and social media sites with which you interact on a regular or occasional basis.

Trying to keep all of this information safe and secure – yet close at hand – is easier said than done. More often than not, passwords and other information end up on bits of paper floating around the office, in a wallet … or in (and out of) your head.

And to make things even more difficult, if you paid attention to conventional advice, you’d be changing those passwords every 30 or 60 days, making sure you’re following the guidelines regarding creating indecipherable permutations of numbers, letters and symbols so as to throw the “bad guys” off your password’s scent.

Now, here comes a paper written by Dr. Cormac Herley, principal research analyst at Microsoft Corporation, that calls into question how much all of this focus on password protection and cyber-security is really benefiting anyone.

Dr. Herley’s paper is titled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In it, the author contends that the collective time and effort involved in complying with all of the directives and admonitions regarding computer security add up to far more cost than the cost of what is actually caused by cyber-security breaches.

[For the record, he estimates if the time spent by American adults on these tasks averages a minute a day, it adds up to ~$16 billion worth of time every year.]

Here’s a quote from Herley’s paper:

“We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot.”

It would be one thing if this screed was written by some outré blogger operating on the fringes of the discipline. But it’s coming from a senior researcher at Microsoft.

To illustrate his point, Herley summarizes the whole area of password rules, which he contends places the entire burden of password management on the user. To wit:

  • Length of password
  • Password composition (e.g., letters, numbers, special characters)
  • Non-dictionary words (in any language, not just English)
  • Don’t write the password down
  • Don’t share the password with anyone
  • Change it often
  • Don’t re-use the same passwords across sites

How much value each of these guidelines possesses is a matter of debate. For instance, the first three factors listed above are not consequential, as most applications and web sites lock out access after three or four incorrect tries.

Changing passwords often – whether that’s quarterly, monthly or weekly – is never often enough, as any attack using a purloined password will likely happen within a few seconds, minutes or hours of its acquisition, rather than waiting days. On the other hand, for users to change their passwords regularly requires time and attention … and often leads to frustration and lost productivity as people hunt around for the “last, best” misplaced password they assigned to their account.

And as for those irritating certificate error warnings that pop up on the computer screen with regularity, Herley contends that most users do not understand their significance. And even if they did, what options do people have when confronted with one of these warnings, other than exiting the program?

As it turns out, there’s not much to fear, as virtually all certificate errors are “false positives.” With certificates as well as so many other issues of cyber-security, Herley maintains that the dangers are often not evidence-based. As for the computer users, “The effort we ask of them is real, while the harm we warn them of is theoretical,” he writes.

Herley’s main beef is that all of the energy surrounding cyber-security and what is asked of consumers is a cost borne by the entire population … but that the cost of security directives should actually be in proportion to the victimization rate, which he characterizes as minuscule.

An interesting prognosis … and a rather surprising one considering the source.