According to Fox News, White House sources “partly confirmed” an alarming report that U.S. government computers—reportedly including systems used by the military for nuclear commands—were breached by Chinese hackers earlier this month. I’m not sure whether a Chinese hacker is someone who has smoked too long or a computer expert. But I guess I should read on. So should you.
“This was a spear phishing attack against an unclassified network,” a White House official assured FoxNews.com. “These types of attacks are not infrequent and we have mitigation measures in place.”
Although a law enforcement official who works with members of the White House Military Office confirmed the Chinese attack to FoxNews.com, as of the writing of this blog post, it remains unclear what information, if any, was taken or left behind in the attack, which occurred through an opened email. That’s one of the many reasons I prefer the Twilight Bark to email.
TechTarget.com defines a “spear phishing attack” as “an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” Real spear fishing, on the other hand…is a great idea. Share your catch with me!
While we have devoted previous RJW blog space to discuss cyber security as it relates to password encryption and security software, we have yet to share information to help our clients and friends take precautions with technological protection as it pertains to email. So, today, in an effort to continue providing helpful information for disaster preparation, let us take a few minutes to offer a few helpful hints which, if observed, should keep your computer running smoothly and safeguard proprietary information.
First, it is worthwhile to note that routine email phishing schemes differ from spear-phishing attacks in that spear phishing messages appear to come from a trusted source such as a large and well-respected company or website with a broad membership base, such as eBay or PayPal. On the other hand, with spear phishing, the source of the email is constructed to look as though it came from within the recipient’s own company…usually a person of authority within the organization. This one is tricky since I always open emails that come from the chief. Guess I should be more careful about that in the future.
The Computer Crime Research Center reports that a West Point teacher and National Security Agency expert named Aaron Ferguson emailed a message to 500 cadets asking them to click a link to verify their grades. Ferguson’s message appeared to come from a West Point colonel. More than 80% of recipients who received the message clicked through, receiving a notification that they had been duped and their failure to exercise caution before clicking could have resulted in downloads to the West Point computer system of spyware, Trojan horse and/or other malware. Or, worse yet…you could be taken to a website that has lots of cat pictures!
Although most people have learned enough about computer use to proceed with caution when opening emails from unknown sources and in responding to unexpected requests for confidential information. We’ve all heard horror stories about Nigerian emails asking for large cash deposits to “help rescue loved ones from African prisons.” We’ve also learned, by and large, to avoid divulging personal data inside email messages—which can be hacked or clicking on links in messages unless we are positive about their source.
However, the average person is ill-equipped to recognize forged emails that seemingly come from people we trust because spear phishing is sophisticated. That’s how employees of Sony managed to unwittingly give away private information regarding their PlayStation Network, Epsilon data was recently breached, and several credit card companies and financial institutions have had to mail apologetic notices to their customer base.
The success of any spear phishing scam generally depends on these things:
1. The apparent source must appear to be known and trusted.
2. The information within the message supports its validity.
3. The request makes sense.
4. The sender doesn’t offer any bacon. (Okay, I’ll admit I added #4.)
So what can you do to avoid being caught unaware?
• The FBI recommends that you keep in mind that most companies, banks, agencies, etc., don’t request personal information via e-mail. If in doubt, give them a call instead of clicking through the email link. (But don’t use the phone number contained in the email which is usually phony.)
• Do not provide personal information, such as a password, a credit card number or any data that can be used to unlock an application or network, in reply to an email.
• Use a phishing filter. Many of the latest web browsers have built-in security software or offer the utility as a plug-in.
• Learn to recognize what your security software warning messages look like. If you get something that looks similar but appears to be a bit “off,” delete the email and block the sender.
• Never follow a link to a secure site from an email. Instead, enter the URL manually into the address bar of your web browser. I prefer browsing the woods with my nose. It’s safer than going anywhere in cyberspace.
• Report suspicious emails to your tech department on a regular basis. Tell employees to call security about anything suspicious and train them not to forward bogus emails.
• Do not open suspicious attachments. When it doubt, block it out.
• If your firm is ever victim to a successful spear phishing attack, assess the damage and recover. Eradicating the malicious software won’t be easy. You will have to backtrack to a clean starting point of your system before it was corrupted.
When a disaster of any kind strikes, prior planning and clear decisive action can help save lives. For the latest emergency management training for facility/building managers, contact RJWestmore, Inc. Our new Version 3.0 system offers the best emergency training system.