Posted June 26, 2018
Phishing is one of the biggest security threats facing any organization. It is among the most common initial access vectors and has been at the root of spectacular incidents such as the Sony hack and the Petya ransomware attack. Because the danger is so great, remedies are highly sought after, and lately companies have turned to machine learning and artificial intelligence, the supposed solutions to all societal problems, to combat phishing.
It's a seductive proposition: AI-based products promise flawless security ("it's a machine, it doesn't make mistakes!") alongside convenience, since they automate the process. One implementation is Microsoft's Office 365 "Advanced Threat Protection", which, among other checks, scans the text of incoming emails for words and phrases that hint at malicious intent, such as impersonation of well-known companies (e.g. Apple or Microsoft) and requests for payments or password resets.
However, on June 19th researchers at Avanan showed how attackers bypass the filter by inserting random words into the HTML of the email body at font size zero ('ZeroFont'). The scanner reads the hidden words together with the real text, so the telltale phrases are broken up into unstructured, non-malicious gibberish. The recipient's mail client does not render zero-size text, so they see the original, convincing phishing message: the filter and the human are effectively reading two different emails.
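To make the two views concrete, here is an added example (not code from the original post, from Avanan or from Microsoft). It feeds a constructed ZeroFont-padded email body through a small HTML parser and shows what a text-only scanner matches against versus what the reader actually sees; the phrase list, the sample HTML and the example.invalid link are all constructed for illustration. Stripping zero-size runs before scanning, and treating their presence as a signal in its own right, is the obvious defensive counter.

```python
"""Added example (not code from the original post, Avanan or Microsoft):
what a text-only scanner sees in a ZeroFont-padded email versus what the
recipient sees, and how to strip zero-size text before scanning."""
import re
from html.parser import HTMLParser

# Constructed sample: every suspicious phrase is broken up with filler
# rendered at font-size 0, so the filler never reaches the reader's eyes.
SAMPLE_HTML = (
    '<p>Your Micro<span style="font-size:0px">qzx</span>soft account '
    'pass<span style="font-size: 0">lorem</span>word will expire today. '
    '<a href="http://example.invalid/reset">Reset pass'
    '<span style="font-size:0pt;">ipsum</span>word</a></p>'
)

# Phrases a simple content filter might key on (illustrative list).
PHRASES = ("microsoft account", "password will expire", "reset password")

# Elements that never have a closing tag; they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}

# font-size: 0, 0px, 0pt, 0em, 0% ... (other hiding tricks such as
# display:none or text coloured like the background are out of scope here).
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)


class _TextExtractor(HTMLParser):
    """Collects the raw text (as a naive scanner would) and the text that
    actually renders (zero-font runs removed), tracking hidden nesting."""

    def __init__(self):
        super().__init__()
        self._stack = []      # one bool per open element: inside zero-font?
        self.raw = []
        self.visible = []
        self.hidden_runs = 0  # number of zero-font regions encountered

    @property
    def _hidden(self):
        return bool(self._stack and self._stack[-1])

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = self._hidden or ZERO_FONT.search(style) is not None
        if hidden and not self._hidden:
            self.hidden_runs += 1
        self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        self._stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if not self._hidden:
            self.visible.append(data)


def _normalize(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def extract_text(html):
    """Return the naive text, the rendered text and the zero-font run count."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return {
        "raw": _normalize(parser.raw),
        "visible": _normalize(parser.visible),
        "hidden_runs": parser.hidden_runs,
    }


def scan(text):
    """Whole-word phrase matching, the way a keyword filter might do it."""
    return {p for p in PHRASES
            if re.search(r"\b" + re.escape(p) + r"\b", text, re.I)}


if __name__ == "__main__":
    result = extract_text(SAMPLE_HTML)
    print("scanner sees  :", result["raw"])
    print("reader sees   :", result["visible"])
    print("flagged (raw) :", sorted(scan(result["raw"])))
    print("flagged (vis) :", sorted(scan(result["visible"])))
    print("zero-font runs:", result["hidden_runs"])
```

Run as a script, the naive pass flags nothing while the rendered text trips all three phrases, and the parser reports three zero-font runs. A filter that scans the rendered text, or simply refuses mail containing zero-size text at all, would not have been fooled by this particular trick.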
You read that right! A technique used by students to pad their assignment papers is enough to fool a cutting-edge algorithm.
This is not the first time scammers have duped algorithms with simplistic methods: a few weeks earlier, Avanan had also shown that malicious URL links could slip past the same filters, that time by splitting the link across an HTML <base> tag so the scanner never saw the full address.
Attackers will keep studying how these filters work and finding new ways to fool them. The criminals are creative, adaptable and unpredictable, while a machine defender applies the same rules every time and can be probed until it fails. Worse, such tools can lead to more breaches, not fewer, if they teach users to switch off their scepticism while the filter delivers scams to the inbox as "trusted messages".
Luckily, there are simple habits that humans can learn to spot phishing attempts. For example, the ZeroFont trick only works on the HTML body: the sender field carries no formatting, so the display name and address appear exactly as sent. One look at the actual address, not just the display name (which a sender can set to anything), will often expose a phishing mail that slipped through the filter. Check that the domain after the @ really belongs to the company the message claims to come from, and be wary of look-alike domains that differ by a character or two.
To truly protect yourself against phishing, learning to spot a phishing mail yourself will prove more sustainable than relying solely on a machine. It takes humans to outsmart other humans.
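The "look at the sender" habit can also be written down as a check, which makes the caveats explicit. The following is an added example, not code from the original post: it parses the From and Reply-To headers and flags a display name that names a brand whose domain the address does not belong to, a non-ASCII or IDNA-encoded sender domain (a homograph signal), and replies routed to a different domain. The brand-to-domain allowlist and the three sample messages are constructed for illustration; a real deployment needs its own, much longer, allowlist.

```python
"""Added example (not code from the original post): the 'check the sender'
habit expressed as an automated header check. Brand list, domains and
sample messages are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: which domains a brand's mail legitimately comes from.
# Real deployments need the organisation's own, much longer, list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}


def _domain(address):
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def _belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def sender_findings(raw_message):
    """Return sorted finding codes for the From/Reply-To headers of a message.

    brand-domain-mismatch: display name names a brand the address domain
                           does not belong to (display names are free text).
    non-ascii-domain:      raw non-ASCII or IDNA 'xn--' labels in the sender
                           domain, a look-alike/homograph signal.
    reply-to-mismatch:     replies go to a different domain than the sender's.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = set()

    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not _belongs_to(from_domain, allowed):
            findings.add("brand-domain-mismatch")

    if any(ord(ch) > 127 for ch in from_domain) or any(
            label.startswith("xn--") for label in from_domain.split(".")):
        findings.add("non-ascii-domain")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            findings.add("reply-to-mismatch")

    return sorted(findings)


# Constructed sample messages (headers only; the bodies are irrelevant here).
LEGIT = (
    'From: "Microsoft account team" <no-reply@microsoft.com>\n'
    'Subject: Security info was added\n\nbody\n'
)
LOOKALIKE = (
    'From: "Microsoft Support" <support@secure-login-ms.example>\n'
    'Reply-To: <helpdesk@mail.example>\n'
    'Subject: Your password will expire\n\nbody\n'
)
HOMOGRAPH = (
    'From: "Apple" <id@\u0430pple.com>\n'   # Cyrillic 'а' in place of Latin 'a'
    'Subject: Your Apple ID was locked\n\nbody\n'
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE),
                       ("homograph", HOMOGRAPH)):
        print(f"{label:10s} -> {sender_findings(raw) or ['no findings']}")
```

The point of the example is the caveat it encodes: the display name alone proves nothing, because it is free text, so the check always works from the address domain. It is a quick human habit turned into a rule, not a replacement for the content filter.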
Posted June 09, 2018
Have you heard of the attention economy? That ugly outgrowth of sensational reporting that prizes generating clicks over generating discussion? Unfortunately, the security world is no stranger to such tactics. Each year we see more vulnerabilities with their own logos, catchy names, and disclosures that read more like press releases. It's security meets BuzzFeed.
Just as people are now avoiding mainstream media for their own sanity, the public will start to tune out security news if all the industry focuses on is doomsday moments. That's a shame, given that mundane but highly useful fundamentals like passphrases, encryption, and phishing training are still so often neglected.
After yet another of these Chicken Little moments from the security press, Phil and I discuss what you can do to cut through the noise and find quality information. Check it out.