In my last article, we discussed shedding the fears we have of the technologies we interact with by learning more about them.
Building on that philosophy, we’ll venture down a rabbit hole now that we’re online and looking to browse, shop, bank, and interact safely. As society becomes increasingly reliant on the conveniences of the Internet, it will be important to know basic safety and how to identify possibly dangerous activity.
Somehow people have come to feel less and less worried about email being an attack vector in the modern arena. Unfortunately, this complacency has done an injustice as email attacks are still a dominant method by which attackers compromise their targets.
Our penetration testing team uses email attacks on almost every engagement, and we see through our work with HoneyPoint as well as other intelligence that this continues to be a staple of the modern attacker’s arsenal. But what does that mean to you?
Hopefully, the average user has gotten into the habit of filtering spam, only opening email from known senders, and only opening attachments when they are known and/or expected.
But are we seeing the possible danger in an email from email@example.com or firstname.lastname@example.org when we have only ever received email from email@example.com or firstname.lastname@example.org?
Attackers spend a lot of time doing their homework and finding trust relationships to exploit in obscure ways such as these. If in doubt about the source of an email, send a separate email to the sender to verify it.
Browsing the Internet is fun, entertaining, and often necessary. Web browsers are also a ripe playground for nefarious activity which means the more risky places you visit, the bigger the chance that you’ll face some sort of danger.
First, like all software, we need to be using a fully patched deployment of the latest stable version of the browser. Here is one of many statistical breakdowns of browser security for review, which should make a user consider which web browser they want to use.
Internet Explorer controls a majority of the market simply due to being packaged with Windows as a rule, but the other options are stable, smooth, and less of a target making a successful attack less likely.
In addition to being compromised simply by using a weak browser, we must also be aware of where we browse and look for oddities when we surf.
Looking at the URLs in the browser’s address bar, hovering over links to see where they direct and then ensuring that’s where you end up, realizing the pop-up browser window (telling you the machine is infected with a crazy number of infections and must be dealt with NOW) is a browser window, not a legitimate warning from your Anti Virus solution (you ARE running AV, right?).
After all, modern browsers still struggle with BROWSING properly, we can’t expect them to properly provide AV coverage too!
While browsing safely is much deeper than we have space to cover in this post, one last activity we’ll discuss is online banking. Banks do a good job protecting us while providing online service for the most part.
Individual users must still run a tight ship to keep the attack surfaces as small as possible. First off, change your banking passwords regularly. I know this sounds like a pain in the backside, but it’s worth it. I promise my next post will discuss more about how to manage this with ease.
Secondly review your account often, looking for discrepancies (If you want details on the plethora of fraud I’ve encountered doing this, contact me on twitter). And finally, log off.
Most banking web applications are designed to properly terminate your session upon logging off which prevents any issues with stale sessions that might be hijacked by an attacker.
Embrace the conveniences that technology provides, but do so with a sharp mind and open eyes. Following these few basic tips will help build the skills that become second nature to a wise and seasoned traveler on the Information Super Highway!
Cross-posted from State of Security