I have been thinking a lot about how security practitioners can share information. They need to be able to tell the masses about security issues. I usually refer to this as security awareness. They need to be able to communicate the current security and risk state to organizational leaders. I came across an interesting web site that uses a Heat Map to relate security state information.
I was contacted the other day and asked to assess the threat posed by the email below. The message was sent to much of the professional staff of a local school district. The subject line read “URGENT. MUST READ.” The email was from an email account at a North Carolina, US University. The contents of the message were a link to a web site that read in part “Contact Update”.
Following the link users were taken to a web page that looked like this (see below). The title of the page is “School Support Team” and asks the user to enter their first and last names, date of birth, email address, username, and password (p-word with confirmation).
There is no title that associates the site with the school district. If anything the form asking for a “p-word” should have raised a caution flag to anyone who saw this.
A number of people who received the email message contacted the IT department and asked what they should do. As the IT administrators fielded more calls they sent email messages to all of the district’s users alerting them not to respond to this message.
In the end several employees acknowledged that they had not only received and read the email message but that they had followed the link and filled out the form. I wish I could say that these were all low level folks who didn’t know better. But I can’t.
When discovered by the IT staff these employees were advised to change their passwords immediately. Should their accounts have been disabled, thus forcing them to choose a new password? Probably. But the IT staff and the district don’t have policies in place to mandate such a move.
What’s worse is that some employees complained that they could not change their passwords. You see, they would not be able to remember anything else. And some of those same people reported that their school password matched the one they use for their home email and banking. Yes. That was priceless.
Some employees complained that the web filter that blocked them from viewing their favorite web sites while at work should have stopped the message getting through or stopped them from being able to access the web site and form. The reality is that the message was delivered via an email address from a university. This message exploited the trust relationship formed because the supposed sender was in the “dot edu” domain. The chances that the web or email filter at a school would block a message from another school are thin. An important takeaway from this should be that web sites hosted at free web providers like this one should be blocked. I did advise that they add the site “webs.com” to their blacklist.
What can come of this? I would expect that any account for which the user entered a username and password will be probed. My guess is that this was a data gathering exercise and that the probes will not start immediately.
If you are a school district IT professional here is what you should add to your defenses. The link in the message referred to a free web hosting site at webs dot com.
The web site used a form that was created at the free form Freedback dot com.
I would suggest adding these sites to your local blacklist.
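As an added illustration of that blacklist advice (example code, not from the original post), the script below scans an email body for links whose host is one of the free hosting domains named here, matching subdomains as well (the incident's page lived under webs.com), and notes whether the sender is a “dot edu” address. The sender address and message text are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The two free hosting domains the post recommends adding to the local blacklist.
FREE_HOST_BLOCKLIST = {"webs.com", "freedback.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(host: str, blocked: str) -> bool:
    """True if host equals the blocked domain or is a subdomain of it.
    'school-support-team.webs.com' matches 'webs.com'; 'notwebs.com' does not."""
    host = host.lower().rstrip(".")
    return host == blocked or host.endswith("." + blocked)


def flag_links(body: str, blocklist=FREE_HOST_BLOCKLIST):
    """Return every link in the message body that points at a blacklisted free host."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if any(host_matches(host, b) for b in blocklist):
            hits.append(url)
    return hits


def assess_message(sender: str, body: str):
    """Combine the two signals from the incident: a trusted-looking .edu sender
    and a link to a free hosting site. The .edu sender alone is not a verdict;
    it is recorded so the reviewer sees why the filter let the message through."""
    flagged = flag_links(body)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    return {
        "flagged_links": flagged,
        "edu_sender": sender_domain.endswith(".edu"),
        "suspicious": bool(flagged),
    }


# Constructed sample, modelled on the message described in the post (not the real text).
SAMPLE_SENDER = "someone@example-university.edu"
SAMPLE_BODY = (
    "URGENT. MUST READ. Contact Update: "
    "http://school-support-team.webs.com/update "
    "District policy: https://www.example.org/policy"
)

if __name__ == "__main__":
    print(assess_message(SAMPLE_SENDER, SAMPLE_BODY))
```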
I did contact Freedback dot com, Webs dot com, and the university that the email came from. To their credit the team at Freedback dot com responded to my twitter requests to block the site within hours. The team at webs dot com responded the next business day. The University still has not responded.
What’s the threat here? Given the use of the “p-word” I don’t think the attacker is local to the east coast of the US. This could be just a person or company that sells into schools gathering data so as to avoid cold calling. This could be an attacker trying to locate users who give up their passwords with the intent of later finding other accounts (think Yahoo Mail or GMail).
My strong recommendation to the person who called me was to step up security awareness training for all district employees.
I don’t know how many people read the IEEE Security and Privacy magazine but this past issue closed with an interesting ‘Last Word’ essay by BT CSO Bruce Schneier titled “IT for Oppression”. It’s a very good read that discusses both the positive and negative use of the technology that many here have used and contributed to in the name of improving security. Schneier makes a great case for his call for more research into how to circumvent these technologies.
While Schneier points out that cyberspace is still awaiting the arrival of its hero (Gandhi or MLK) he ignores the fact that our system of laws is regularly used to prosecute those who challenge seemingly ‘correct’ uses of security such as the recent Swartz and weev cases.
The cybersecurity research areas include threat avoidance and cyber
defense; cyber operations; network exploitation; situational
awareness; command and control; modeling, simulation, and war-gaming;
cyber infrastructure, and mission assurance.
“The probability for crisis is mounting,” said Alexander, who also
heads the National Security Agency. He told an audience at the
American Enterprise Institute in Washington that he was concerned
about the changing nature of the threat from disruptive to destructive
attacks and that the numbers of cyber attacks against business and
critical infrastructure are on the rise.
It seems all it takes for 75 percent of hackers and IT security
professionals to hand over their personal online information is the
seductive ways of a woman.
“NSA and the Department of Homeland Security (DHS) jointly sponsor the
National Centers of Academic Excellence in IA Education (CAE/IAE) and
CAE-Research (CAE-R) programs. The goal of these programs is to reduce
vulnerability in our national information infrastructure by promoting
higher education and research in IA and producing a growing number of
professionals with IA expertise in various disciplines. Designation as
a CAE/IAE or CAE-R is valid for five academic years, after which the
school must successfully reapply in order to retain its CAE
Students attending these designated schools are eligible to apply for
scholarships and grants through the Department of Defense Information
Assurance Scholarship Program and the Federal Cyber Service
Scholarship for Service Program. Designation as a Center does not
carry a commitment for funding from NSA or DHS.
CAE/IAEs and CAE-Rs receive formal recognition from the U.S.
Government as well as opportunities for prestige and publicity for
their role in securing our Nation’s information systems.”
Long Island Newsday had a very well written editorial on Sunday titled
“Cyber insecurity”. In addition they featured an opinion piece
written by Peter Goldmark titled “Small, smart, and anonymous” that
addresses and discusses the transformation that modern warfare is
experiencing due to cyber threats.
Last week I attended the 14th annual NY State Cyber Security
Conference held at the state office and conference center complex
(under The Egg) in Albany, NY. The 6th Annual Academic Symposium on
Information Assurance ran concurrently with the main conference. This
was my fourth year attending the event and I really enjoyed the
conference and symposium this year. They were both very well
organized and presented.