Blog – Cyberlight Security

Posted June 25, 2018

When was the last time you sent critical financial information on the back of a postcard? Hopefully, the answer is never… or at least “once, in 1962, but I learned my lesson.” It’s an intuitively stupid idea. So why is it then, that we still trust email with so much sensitive information? They’re equivalent to each other, in security terms. Allow me to explain.

Firstly, there are so many email providers that even if yours offers protection through encryption, emails are often sent unencrypted because the recipient provider doesn’t support it. Don’t believe me? Google stated in 2014 that between 40% and 50% of all emails exchanged between Gmail and other providers were sent insecurely. This is often the great failing of ‘zero-knowledge’ providers, like Protonmail, that market their privacy credentials: the moment I email anyone who’s not on a secure service, all that protection goes out the window. The message is sent naked. What’s more, major providers, like Gmail, water down their encryption so they can also read your emails. All the better to serve ads to you, my dear.

The Sony hack of 2014 is a great example of how these issues can converge into one mammoth problem for you and your business. Of everything leaked, the emails were the most memorable: a media feeding frenzy and PR disaster encircled Sony as business secrets and dirty laundry were aired for all to see. If you’d like to avoid Sony’s fate, we have some solutions for you. Just listen to the podcast.

Curb Your Enthusiasm: A.I. Will Not Save Us From Phishing

Posted June 26, 2018

Phishing is by far the biggest security threat to any organization. It’s the most common source of attacks and has been at the root of spectacular cyber incidents like the Sony hack and the Petya ransomware attack. Due to the grave danger that phishing poses, remedies are highly sought after. Lately, companies have turned to machine learning and artificial intelligence, the supposed solutions to all societal problems, to combat phishing.

It’s a seductive proposition: AI-based products promise flawless security – “it’s a machine, it doesn’t make mistakes!” - alongside convenience, since they automate the process. One implementation of this is Microsoft’s Office 365 “Advanced Threat Protection” security, which checks emails for words and phrases that could hint at malicious activity, such as impersonating legitimate companies (e.g. Apple or Microsoft) and sentences asking for payments or password resets.

However, researchers at Avanan revealed on June 19^th how hackers can bypass Microsoft’s tool by adding random words to the email body at font size zero (‘ZeroFont’), which will appear to the scanner as unstructured, non-malicious gibberish. To the recipient, the ZeroFont text is invisible, thus creating an entirely different email.

You read that right! A technique used by students to pad their assignment papers is enough to fool a cutting edge algorithm.

This is not the first time scammers have duped algorithms using simplistic methods: a few weeks earlier, Avanan also discovered that something similar was possible with URL links.

It is likely that hackers will continue to study how these bots function and find new ways to fool them. These criminals are creative, adaptable and unpredictable, whilst the machine defender is uncreative, inflexible and predictable. As such, these tools could lead to more breaches, as they teach consumers to switch off their scepticism whilst the AI serves up scams as “trusted messages”.

Luckily, there are simple behaviours and habits that humans can learn to spot phishing attempts. For example, it is not possible to change the font in the sender address field. Therefore, one look at the sender lets you to identify a phishing mail, even if it slipped through the filter.

In order to truly protect yourself against phishing, learning ways to spot a phishing mail rather than relying on a machine will prove to be more sustainable. It takes humans to outsmart other humans.

Posted June 09, 2018

Have you heard of the attention economy? That ugly outgrowth of sensational reporting that prizes generating clicks over generating discussion? Unfortunately, the security world is no stranger to such tactics. Each year, we're seeing an increasing number of vulnerabilities with their own logos, catchy names, and disclosures that look more like press releases. It's security meets Buzzfeed.

Just as people are now avoiding mainstream media for their own sanity, the public will start to tune out security news if all the industry focuses on is doomsday moments. That's a shame, given that mundane, but highly useful fundamentals like passphrases, encryption, and phishing training are still often neglected.

After yet another of these chicken little moments from the security press, Phil and I discuss what you can do to cut through the noise and find quality information. Check it out.