
c.i.a bytes

Digestible pieces on Information Security


February 2016

PHISHING – Part 2

A wide variety of methods are used to perpetrate phishing attacks, some of which include:

  • Email / Spam
  • Web Based Delivery
  • Instant Messaging
  • Session Hacking
  • Trojan Hosts
  • Link
  • System Reconfiguration
  • Content Injection
  • Phone Phishing
  • Malware Phishing
  • Key Loggers

CURRENT TRENDS IN PHISHING

Initially, phishing was categorized as a type of spam; however, due to current trends in phishing attacks, it has emerged as a category of cyber-attack that can stand on its own. In fact, there are now many variants of phishing attacks, which will be discussed in following articles, and according to [1] email has been surpassed as the most common distribution instrument for phishing attacks. Links followed while web browsing and using messaging systems such as Skype account for over 80% of registered phishing attacks.

THE PHISHING PROCESS

Executing a phishing attack involves a few stages. The following is a common approach:

  1. The attacker obtains the e-mail addresses of the intended victims.
  2. The attacker generates an email that appears genuine and requests the email recipient to perform some action.
  3. The attacker sends the email to the intended victims in a way that seems to be legitimate, obscuring the true source.
  4. Depending on the content of the email, the recipient opens a malicious attachment, completes a form, or visits a web site.
  5. The attacker stores the victim’s sensitive information and exploits it for some kind of gain.

CONTEMPORARY PHISHING ATTACKS


The increase in the use of technology has also resulted in an increase in the number of methods and platforms used to execute phishing attacks. The following is a list of common variations of traditional phishing attacks:

SMiShing

Definition: A form of phishing that uses short messaging services (SMS) or text messages on mobile devices as a means of gathering information that will then be used to exploit the victim.


PHISHING – Part 1

Fishing usually involves the dangling of bait in a substantial body of water to entice and attract fishes to bite. When a fish takes the bait, it usually gets reeled in at great personal cost, quite often its life.

Similarly, phishing is a social engineering attack in which users are tricked into biting the bait and revealing personal information, which may result in identity theft, financial loss and compromised confidentiality of information. The most common baits used in phishing attacks are emails and websites claiming to represent legitimate enterprises and making seemingly sincere requests to the unsuspecting email reader or web surfer. The next few articles in this series will define and describe the variety of attacks categorized as phishing while examining some of the most common anti-phishing techniques used to mitigate these types of exploits.

Statistics show that phishing attacks, though simple in design, have increased exponentially in recent years.

Cloud Computing

The United States National Institute of Standards and Technology (NIST) defines cloud computing as: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

C.I.A Bytes puts it this way: in traditional computing, the computer and its peripherals such as keyboard, printer and hard drive combine to perform a series of inputs, outputs, processing and storage while being physically located in the same space or in very close proximity. Cloud computing environments are quite similar, the key difference being that the storage device(s) and often the processing are no longer located in the same place as the input and output peripherals; thus a network interface becomes necessary to provide access to data assets held on the storage device(s). There are three categories of services offered by the Cloud: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Strengthened Mobile Data Encryption and Law Enforcement – Part 2

IV.   The Debate

The increase in the strength of encryption offered by Apple and Google has been viewed as a response to Edward Snowden’s public revelation of just how much the government infringes on the perceived privacy of its citizens. Companies thus felt a need to reassure their customers that they value their right to privacy and were willing to go to certain lengths to convey this message [8]. One may argue that, according to the provisions set out in CALEA, the tech giants are well within their rights to do so, since they are in fact not breaking any laws by implementing technology to ensure more secure mobile communications.

On the other hand, “Law enforcement officials have likened the new encryption to a house that can’t be searched or a car trunk that could never be opened” [8]. Testimony from employees of the FBI describes cases in which access to smartphone data was instrumental in cracking criminal cases, often involving kidnappings and murder [5]; thus a grim picture is painted of the inability to decrypt data during investigations – one of criminals running wild and free, outsmarting law enforcement officials.

In contrast, some security experts feel that the government is being hysterical [2] and that the number of criminal investigations which have been frustrated by the inability to decrypt information is marginal at best. According to statistics provided by [3], this in fact seems to be the case; see Fig 1.


Fig 1 – Authorized wiretaps which encountered encryption in 2014 [9]


Strengthened Mobile Data Encryption and Law Enforcement – Part 1

There are times when technology can create a great deal of tension, challenging the status quo and effecting immediate change.

This post takes a look at the effect of encryption on law enforcement, both historically and most recently with the announcement by Google and Apple Inc. to strengthen mobile data encryption by providing default encryption mechanisms for users of both the Android and iOS operating systems. It explores the alarming response to this announcement by American law enforcement agencies and examines whether or not there is merit in the disturbing picture painted by law enforcement of investigations being foiled by the government’s inability to decrypt communications.

I.    Introduction

The CIA triangle represents the foundational goals of Information Security: Confidentiality, Integrity and Availability. Cryptography is used primarily to provide the first of this triad – Confidentiality. Cryptography involves the use of ciphers (encryption algorithms) to encipher and decipher messages so that only the intended recipient is able to gain access to the encrypted message. In practice, cryptography is susceptible to many types of attacks; however, modern cryptographic methods have evolved from Caesar and Vigenère ciphers to algorithms which are extremely difficult to break. Today’s “strong encryption” requires the use of super computational power to crack, and even then the amount of time needed to break these ciphers often makes the job unthinkable and unachievable in this lifetime; this presents a challenge to law enforcement organizations.

This post is structured as follows: Section II briefly describes the encryption methods used by Apple’s iOS and Google’s Android operating systems, the two market leaders in the mobile operating system market. It also highlights the changes to mobile data encryption announced by both vendors in 2014 and the concerns which resulted in regard to law enforcement. Section III sheds some light on the history of law enforcement and strong encryption, detailing some of the measures taken historically by the US Government to assist law enforcement agents with the challenges of encryption technology. Section IV provides an analysis of both sides of the strong encryption debate and highlights some possible strategies in balancing the use of strong encryption and the needs of law enforcement. Section V provides a brief summary and thus concludes the paper.

II.    The Buzz

A.   Software encryption used by iOS and Android

In September 2014, Apple announced its decision to change the way it would encrypt data present on its devices using Apple’s iOS, with the release of the new version of iOS – iOS8. Prior to this announcement, devices running on iOS offered encryption; however, the encryption only protected a small amount of the data found on the device, and Apple was able to bypass the security features on the rest of the data resident on the mobile phone [2].

B.   Changes to iOS and Android

The announced update to iOS8 saw the encryption of all mobile data, which is protected by a user’s passcode [3]. This essentially took any power out of the hands of Apple: Apple could no longer bypass a user’s passcode and gain access to the encrypted data. It thus became pointless for law enforcement agents to request access to mobile data via wiretap orders to Apple, as had been previously done.

To compound the issue, a few days after Apple’s announcement, Google, creator of the Android operating system, which is the world’s most popular smartphone OS [4], announced its decision to follow the trend set by Apple. According to Google, its latest release of the Android OS – Android 5.0: the L-release – would offer default enabled encryption; files would then only be viewable by someone entering the device password. Keys to the encryption and decryption ciphers would not be stored outside of the device by Google, so, as with Apple, wiretap orders served by law enforcement officials to the tech giant for access to data on Android devices would be impossible to fulfill [4].

C.   What this means for law enforcement

“Going dark” refers to the inability of law enforcement authorities to decipher encrypted forms of communication while carrying out criminal investigations as technology continues to evolve. The announcement of updated encryption settings by Apple and Google has brought this lack of capability to the forefront.

The problem is not that law enforcement agents are unable to access data, but that even when data is accessed the information cannot be deciphered and so becomes unusable, frustrating the investigation process. According to testimony by [5], the Executive Director of the Science and Technology Branch of the FBI, although mobile data encryption is not new, the recent announcements by Apple and Google put a new spin on the problem: “previously encryption had to be selected by the user now it is turned on automatically, requiring no affirmative action by the consumer”.


The Triad

The C.I.A – no, not the Central Intelligence Agency, but CONFIDENTIALITY, INTEGRITY AND AVAILABILITY, perhaps the three most important tenets of Information Security.

Confidentiality – Is the information meant for your eyes?

Confidentiality looks to the issue of authorization. Ensuring information confidentiality means ensuring that the person or system accessing information is authorized to do so; thus, without authorization, there should be no access.

Integrity – Is the information really what it purports to be?

Integrity speaks to the issue of trust: that what is being represented is what was intended. Information that has been modified intentionally or unintentionally without authorization loses its integrity. There should be controls in place to prevent this or at the very least detect such unauthorized modifications.

Availability – Is the information accessible to those who are entitled to it?

Availability looks at access to information. It is a waste of time, money and other resources to prevent access to information by legitimate users. In contemporary information systems it is common to make provisions for redundancy and information recovery in the event of incidents or disasters which threaten the availability of information.

In today’s age of information, when info-sec practitioners develop policies, standards and procedures and implement controls, it is always with the intent of preserving the confidentiality, integrity and/or availability of information.
