How do you tell your audience that somebody found a vulnerability on your site?

Disclosing vulnerabilities is a part of handling your risk exposure. Many times, web vulnerabilities are found by security firms scanning large portions of the web, or it may come from independent security researchers that have taken an interest in your site.

022217_1129_HowFileSilo1.jpg

Ignoring the communication issues around vulnerability disclosure can cost you a lot. Working on maturity at the top is a high ROI activity!

How companies deal with such reported vulnerabilities usually will take one of the following 3 paths:

  1. Fix the issue, tell your customers what happened, and let them know what their risk exposure is
  2. Fix the issue but try to keep it a secret.
  3. Threaten the reporter of the vulnerability, claim that there was never any risk regardless of the facts, refuse to disclose details

Number 2 is perhaps still the normal, unfortunately. Number 1 is idea. Number 3 is bad.

If you want to see an example of ideal disclosure, this Wired.com article about revealing password hashes in source shows how it should be done.

A different case was the Norwegian grocery chain REMA 1000, where a security researcher reported lack of authentication between frontend and backend, exposing the entire database of customer data. They chose to go with route 3. The result: media backlash, angry consumers and the worst quarter results since…., well, probably forever.

So, what separates the businesses that do it the right way, and those that choose to go down the way of the rambling angry ignorant? It is about maturity and skills a the top. This is why boards and top management need to care about information security – it is a key business issue.

 

 

Hijacking existing email threads: taking phishing to a new level

Phishing e-mails is the most common way for a hacker to breach the initial attack surface. Filters and blacklisting technologies have been less than effective in stopping such threats, and it is up to the cybersecurity training and awareness of the user to ensure safe choices are made. Now phishermen have new ideas about making their bait more trustworthy; hijacking existing mail threads, piggybacking on existing interpersonal trust. A received an e-mail sent me from a contact who told me he realized he’d fallen for a scam the second he submitted his username and password to the phoney login site he was led to. Here’s (a somewhat edited) excerpt of the e-mail thread leading him into the phisherman’s trap.

From: Jim Salesman
To: Danny Customer

Subject: Re: confirm order details

Dear Danny,

thank you for your purchase. Please download and check these documents.

clickphish

With best regards,
Jim


From: Danny Customer
To: Jim Salesman

Subject: Re: confirm order deetails

Dear Danny,

I agree to the conditions as you have suggested. Make sure the part serial numbers are indicated correctly on the labels.

With best regards,
Danny

——- (after multiple e-mails back and forth)

Where does the link lead to?

The link does not lead to a Google page, despite claiming to be a Google Docs file. Also the lack of Google branding in the download section could be an indicator. The URL is “ehbd-dot-ml/hbdesigns/gibberish/” and is rendered over http – no security. It displays a selection of “login credentials” to choose from.

phishinglogin

OK, so here are several well-known brand names.

So, who owns the domain ehbd-ml? A whois search shows the domain is registered to Mali Divi. B.V. in the Netherlands.This firm has been active since 2012 and owns a number of free domains. It has a VAT number and one employee, according to this site: https://www.opencompanies.nl/elektrotechniek-mali-dili-bv-amsterdam-56155794.

Why submitting your info is dangerous

My friend realized the mistake the moment he hit “submit”. He then called his company’s IT department, and was told to change his passwords and run a virus scan. That was the right thing to do. But why is this dangerous?

Giving hackers access to your e-mail makes it easy for them to:

  • your e-mails and attachments
  • they can impersonate you by sending e-mails as you
  • they can hijack other accounts where your email is used to reset your password

Lessons learned

Phishing scammers are skilled at exploiting established trust between you and your contacts. Always be suspicous about links in e-mails, even from people you know. Before clicking, always check:

  • Does the URL look reasonable?
  • Does the branding (logos etc.) look right for the contents?
  • Is the site it leads to secured when you would expect it to be? All major service providers will only serve https – not http
  • Is the domain name strange? The .ml top domain is the national domain for Mali in Africa. Google Docs does not use that as the default login site domain.