Thursday, January 18, 2018

Cloudmark Puts Spear-Phishing in Its Cross Hairs

A new study finds that even though most organizations have some form of email security technology, many consider spear-phishing a significant threat.

Among the most impactful attacks on the Internet today is spear-phishing, in which an attacker takes targeted aim at an individual or an organization in an attempt to steal information. The targeted nature of spear-phishing makes it more challenging to defend against than traditional spam, and it is driving email security vendor Cloudmark to develop a new purpose-built technology called Trident to protect users.

As part of its efforts to fully understand the spear-phishing challenges that enterprises face, Cloudmark commissioned a survey that examines current attitudes and experiences regarding spear-phishing. The poll of 300 IT decision-makers, conducted by independent research firm Vanson Bourne, found that 73 percent reported that spear-phishing currently poses a significant threat to their organizations. While organizations are worried about spear-phishing, 71 percent indicated that they already have some form of email security technology in place.

"Even while many organizations have implemented technology solutions, they're still seeing attacks getting through," Angela Knox, senior director of engineering and threat research at Cloudmark, told eWEEK.

What's more, 32 percent of respondents admitted that their organizations suffered a financial loss as a result of an attack. Additionally, 15 percent of respondents indicated their organizations suffered a decrease in stock price after a spear-phishing incident.

"It's a very hard problem to solve, and many solutions out there today solve a big chunk of the phishing problem but not all of it," Knox said. "Spear-phishing is very low volume and highly targeted."

To help solve the targeted spear-phishing attack problem, Cloudmark is now launching its Trident technology, which has been purpose-built from scratch to help organizations detect and block spear-phishing attempts.

The Cloudmark global threat network, a commercial email threat database, feeds into the new Trident system, said Matt Grant, vice president of global marketing and communications. The global threat network provides IP address and domain reputation information that supplies context for Trident.

"Trident is an SMTP [Simple Mail Transfer Protocol] agent that an organization can put in front of an existing secure email gateway," Knox said. "Many organizations are already filtering bulk spam and general phishing attacks."

The idea with Trident is to go a step further and look at the email patterns of users and organizations in order to identify outliers that could be indications of a spear-phishing attack. Cloudmark is also providing its customers with a dashboard that delivers visibility into the state of spear-phishing attacks inside an organization. The dashboard identifies which employees are receiving the highest volume of spear-phishing attempts, what types of messages are coming in and where they are coming from, Grant said.

Cloudmark used the open-source Go language to develop Trident. Go was first developed by Google and has become increasingly popular in recent years as a high-performance language for applications.

"A lot of our existing products are written in C, but Go provides us the ability to have the same speed but with a more structured language," Knox explained. "With Go, you're more likely to have fewer bugs when you're doing development."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Court agrees, company can fire employee for Yahoo messaging after fair...

But only if clear notice is given that private use of company resources is forbidden.

Bernie Sanders lawyers to Wikipedia: Take down our logo, you’re violating...

In today's political DMCA spat, $10 sticker sales are pitted against fair use.

Fiat Chrysler goes on the warpath with oddly forthright press release...

The federal racketeering lawsuit filed against the automaker by two dealerships ruffled more than a few feathers. Andrew Krok

Hyatt Latest Hotel Chain to Disclose Data Breach

Hyatt officials admit that malware infected the chain's systems in 2015. The announcement follows the disclosure of attacks at the Starwood and Hilton chains. Hyatt Hotels is the latest hotel chain to admit th...

... server seized again by German prosecutor, service moves to Romania

Vincent Canfield: "I will definitely never host anything in Germany ever again."

Apple’s Mac OS X Gatekeeper Still at Risk

A researcher alleges that existing patches for Apple's software security technology don't go far enough to protect users.

Apple's Gatekeeper technology is intended to protect Mac OS X users from malicious software, but according to Patrick Wardle, director of research at Synack, there are some holes that could enable attackers to exploit systems and bypass Gatekeeper. Gatekeeper is the built-in anti-malware technology that Apple has integrated into OS X since the OS X 10.7.5 "Mountain Lion" release in 2012.

"Gatekeeper conceptually is good technology and protects users from inadvertently running unsigned code," Wardle told eWEEK. "The fundamental issue that I found is that Gatekeeper does not validate external content."

The way Gatekeeper works is that the initial application a user runs has to be signed and verified, according to Wardle. However, if that application executable in turn loads secondary content from the same installer package, the auxiliary content is not verified by Gatekeeper. The flaw was reported to Apple, and a patch was issued for the vulnerability identified as CVE-2015-7024. The only problem, according to Wardle, is that the patch is incomplete and an attacker could still bypass Gatekeeper's protections to load unsigned code.

"The way Apple patched the issue is to just blacklist the signed Apple binaries that I used to trigger the flaw," he said. "I'd like to see Apple release a patch that is more comprehensive, and they have indicated to me that they are working on a bigger Gatekeeper fix."

The correct fix would be for Gatekeeper to hook into the Mac OS X kernel, where it can monitor all process execution, Wardle said. As any process is started, the kernel-hooked Gatekeeper could then validate any process that originated from the Internet to make sure that it has been digitally signed.

The other mitigation for the CVE-2015-7024 vulnerability is for users to download software only via the Apple Mac App Store, which is not impacted by the vulnerability.

Wardle is no stranger to Apple Gatekeeper vulnerabilities and first alleged insecurity in the system back in March 2015. The vulnerability that Wardle first identified is a flaw tracked as CVE-2015-3715 that Apple has already patched, though again Wardle's claim is that the patch is not entirely complete. The CVE-2015-3715 flaw affects dynamic-link libraries (DLLs) that are statically linked with an application. Apple now scans executables to identify when DLLs are imported, and if the DLLs are located outside of the application bundle and not in a trusted system directory, Gatekeeper blocks the application.

"But if the application dynamically loads libraries from a local location, a malicious installer package could bypass Gatekeeper," Wardle said. "The problem is that Gatekeeper doesn't do any runtime analysis or analysis on secondary components."

While Apple works on further hardening Gatekeeper against the risks of unsigned binaries running on a system, Wardle is releasing a free tool called Ostiarius that can help Mac OS X users by blocking unsigned binaries from running.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Croatian cake pirates threatened with lawsuits

If you have Disney characters on your confections, you will be sued.

Microsoft Exchange Online Protection Combats ‘Peer Phishing’

New updates make it tougher for phishers to pull off scams that rely on impersonating bosses, co-workers and other personnel. Microsoft is combating email-based insider spoofing, making it harder for the emplo...

Department of Transportation going full speed ahead on self-driving cars

Secretary Foxx wants to develop consistent autonomous car policies across the US.

Obama administration hits pause on new coal leases

Interior Department to revamp program based on competitive pricing, environment.

FCC had “productive” net neutrality talks with Comcast, AT&T, T-Mobile

Carriers explained data cap exemptions (and, in T-Mobile's case, throttling).