Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Tuesday, 19 September 2017

Email hosted protection tested

Our first cloud-based email protection report is now available.

Email provides a route right into the heart of our computers, phones and other devices. As such, it is frequently abused to perform a variety of attacks against potential victims of cybercrime.

The sophistication of attacks varies but many rely on our almost unbreakable instinct to open, read and interact with messages sent to work and personal email accounts. Businesses rely on email security services to filter out large numbers of such attacks.

The range of attack types in the real world is wide, but in general we consider there to be two main categories: targeted attacks, in which the attacker attempts to target a specific individual; and public attacks, which spread wide and far in an attempt to compromise as many people as possible.

Many of the same techniques are used in public and targeted attacks. The least technically sophisticated include requests for a money transfer or banking login credentials. More credible attempts include professionally-formatted emails and links to fake websites designed to trick users into entering their valuable details.

Attackers with more resources may use malware to achieve their goals, either in the form of attached files or by linking to websites that exploit visiting computers.

SE Labs monitors email threats in real time, analysing large numbers of messages and extracting samples that represent large groups of those threats. Human testers then manually verify that any malware included works properly before re-sending these threats to our own accounts through the tested services.

We also generate targeted attacks using the same tools and techniques used by advanced attackers. In gathering threats this way we achieve a realistic and relevant coverage of existing threats in a small set of test samples.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Thursday, 7 September 2017

Can Microsoft Solve Security?

Windows is becoming increasingly secure. Does this spell the end of third-party security products and services?

Follow the herd
There is a well-regarded theory that, when a certain number of a community is immunised against a contagious disease, the rest of the community benefits from the reduced opportunity of an outbreak. Enough people are immune that a disease can't run rampant through the general population. It can't get enough of a foothold because too many people it encounters are immune. Some people get sick but the spread is limited and the community, including many who are not immune, avoids an epidemic.

Some do not subscribe to the 'herd immunity' theory, noting that diseases still exist in communities that vaccinate and that vaccinations carry their own risks. They also observe that there is a financial cost to vaccination. There are pros and cons to both sides of the debate. Some positions are rational while others are based on emotion, supposition and misinformation. Much the same happens in the world of cyber security and, specifically, issues surrounding anti-virus (aka anti-malware) products and services.

Hygiene issues
Biological disease does not knowingly seek out its victims, unless it is being used in the context of biological weapons (in which case it is an agent of the attacker rather than the attacker itself). In some respects we can compare 'mindless' internet worms with in-the-wild viral or bacterial contagions. All flow where the animals, air, water, computer networks, USB drives or other vectors take them.

In the 1990s and early 00s personal computer security was relatively limited in the general population, including in the business world. You were doing well if you installed a firewall, anti-virus software and maybe used some form of file or disk encryption. If you had a network appliance or two, and backed up your files, you were in exceptionally good shape – relatively speaking.

Even in those days some recognised the benefits of diversity. If you ran Symantec anti-virus on your endpoints, Trend Micro's product on your servers and Kaspersky Lab's on your email server you had pretty good coverage. If Symantec and Kaspersky missed a threat, maybe Trend would pick it up as it hit the servers.

Businesses and other organisations, including those who definitely should have known better (e.g. the UK's MI5 and SIS (MI6) intelligence services), often gave the impression that they were practising good information hygiene. Press reports from the time, and even now, suggest that things are not as we might assume.

Unencrypted laptops containing secret information were stolen, left in taxis and lost at train stations and airports. Databases were exposed to the internet and plundered using basic techniques. Malware files were received in email messages and executed. Sensible IT management, including a rapid patching cycle and decent anti-virus, was probably good enough to mitigate most of the issues. Maybe not enough of our herd was fully protected (immune), but the world did not fall apart every time a new worm was released.

But then attackers evolved their methods and things became more challenging for the defenders. Penetration testing became increasingly popular and sometimes mandatory. The contagions were no longer flowing randomly through the internet. They were being directed by criminals and spies to their targets.

Targeted attacks
While general-purpose worms and other 'viruses' still exist, targeted attacks are occurring more often. Or, at least, we are more aware of more targeted attacks today than previously. In fact corporate espionage at a nation-state level goes back at least as far as the early 18th century, so it's unlikely that targeted internet-based spying started in 2012, when FireEye started to highlight the existence of 'APTs'.

In the early 1700s a French Jesuit priest called François Xavier d'Entrecolles was working in Beijing when he discovered the secret of its world class porcelain manufacturing. He sent this information back to Europe and single-handedly sent the famous Chinese ceramics industry into decline. (Perhaps appropriately, given the theme of this article, he also discovered that the Chinese used oral vaccination against smallpox.)

Persistent advanced threats
Criminals and spies do not give up when faced with a locked door, closed border or uncooperative opponent. It is their job to achieve a mission and they will do all that is required to complete their goals for money, glory or duty. That said, we don't have to make things easy for them.

Imagine that there was only one lock manufacturer in the world. And only one company in charge of the world's border controls. Imagine that every person thought and behaved in exactly the same way. The bad guys would find life very easy. They need only to be able to pick one style of lock; find weak points in one organisation's procedures; and learn how to influence one type of person.

In reality there is much more diversity. There are dozens of lock manufacturers, hundreds of computer security companies and 7.5 billion human perceptions of the world. Those who wish to subvert the existing order face a lot of challenges. While a defender's life is also hard (attackers can be almost limitlessly unpredictable), attackers are constantly having to discover the lay of the land, create or adjust their approaches to problems and test their attacks to improve their chances of success. They can never assume that an attack will work. They can only try to stack the odds in their favour.

This is true not only of computer security but any security system. From muggers to terrorists, petty thieves to corrupt politicians, you have under-resourced defenders and imaginative attackers. But the diverse ways in which we can protect ourselves always puts the attackers in some position of doubt.

The ideal monolith
If you could create an operating system from scratch, predicting accurately all of the future threats and making no mistakes in your implementation, then maybe a monolithic approach to security would work. You could manage memory in ways that made it extremely hard for attackers to exploit vulnerabilities. You could create network stack implementations resistant to denial of service attacks. You could ensure that included applications were clean of legacy issues, such as trying to load DLLs that no longer exist. You could deny your users, and their applications, access to the deeper recesses of the system. You, the vendor, own the system while your users just borrow it.

Of course, you'd probably want to write or, at least, vet every compatible application before it was allowed to be installed on your system too, or risk vulnerabilities entering your fortress environment. And you'd have to make no mistakes in your coding. History does not offer much hope, but theoretically it's possible.

To a certain extent this is what Apple and Google have achieved with their iOS and Android operating systems. Users do not have low-level access and neither do applications. Anti-malware products cannot automatically remove malware and users have to run exploits against their own devices if they want to be able to perform certain functions, like remove worthless, annoying and space-occupying pre-installed applications. Which might be anti-malware applications! However, the existence of security updates demonstrates that neither Apple nor Google can predict future threats or code 100 per cent without error.

Back to healthcare
Let's think back to the objections to vaccination. There are costs involved and possible impacts on patients' health, although that last concern is extremely controversial. But this is similar to the concerns about anti-malware software. It costs money and, analogous to causing harm, it has some degree of impact on system performance. It might not be written very well, or interact with the system in such a way that it creates some instability. It may even introduce vulnerabilities to the system that did not exist before.

There may be little credible evidence that vaccination of humans creates a vulnerability to autism, but security vulnerabilities introduced by anti-malware products have been proved in the past and will no doubt appear again in the future.

From Microsoft's perspective, it wants to own the world's best operating system, which should be usable, stable and secure. It has a reputation for providing none of these attributes, but in reality it is doing much better than in previous decades.

Windows 10 is harder to hack than Windows XP and Windows 7. It includes anti-exploit technologies and forces users to update, taking the first step towards lending the system to users rather than allowing them to own it. It has its own anti-malware product built in, which it will activate automatically if the user doesn't install an alternative (or if the alternative becomes out of date). Third-party anti-malware products that impact system performance too heavily will be removed at certain stages.

From a user's perspective this could be a welcome move. Responsibility for securing computer systems is delegated to Microsoft, which is assuming part of the role of a managed services company. It handles anti-virus, encryption, web filtering and, if you use OneDrive, even secure storage of your data. If you just care about using your computer, and not administering it, then Microsoft's vision is attractive.

Vive la difference
No company is going to be able to create the perfect operating system, which must balance usability, stability and security. There will always be vulnerabilities in the operating system, its applications and its users. If we find ourselves in a world in which everyone is forced to run a particular version of Windows, with a restricted set of security applications, such as anti-malware, file encryption and network security, then the attackers have very much less work to do in order to achieve their goals.

Currently there are dozens of brands of anti-malware products running on systems throughout the world. Attackers can make no assumptions and must work hard to evade and/or disable many of these products to intrude into any number of systems. Even if some of these products are little better than Microsoft's Windows Defender (and some will be much worse – Windows Defender is a competent application), the very fact that an attacker does not know for sure what s/he will encounter is a good enough reason for diversity to exist in our community. It protects everyone by limiting the attackers' options.

If Windows Defender was the only anti-malware product in the world it would receive far more interest from criminals, penetration testers and mischievous researchers than it enjoys today.

Real world protection
So far we've implied that all anti-malware products are at least roughly as capable as each other. This is not a fair reflection of reality, though. Some very well established brands of anti-malware are extremely limited in their capabilities, while others are exceptionally advanced and wide-ranging in their approaches to the malware problem. Newer entrants to the market have made interesting and ambitious claims about their technologies and some of these have merit. But none of them provide the panacea that they imply or state outright.

A common approach is to use layers of security to achieve a useful level of protection. For example, Vendor A might choose to emphasise website address (URL) reputation, building a world-class, accurate URL filtering system. It might also include some malware signatures and a basic behavioural engine, but its emphasis is on URLs.

Another, Vendor B, might not care at all about URLs but really focusses on characteristics of file content (maybe using machine learning to achieve its goal). It does include some general malware signatures too, though, because it's unwise to ignore what you already know to be bad.

Customers might choose to deploy a really good URL reputation application in addition to a useful machine learning-based file analysis tool. The diversity in the market allows users to choose one or more approaches. Or they might choose a product that claims to offer the full stack. Managing more than one tool is usually harder work than installing one and forgetting about it, but choice is a good thing. As we noted earlier, there are those who argue in favour of running different anti-malware products on different parts of the network. Some large companies even choose different products for different business divisions in the hope that this could compartmentalise a breach.

Test results
Security testing organisations compare products, assessing how effective they are in stopping different types of threats. This might include URLs, malicious JavaScript email attachments and malicious documents. For the purposes of illustration we examined how effective a few of Microsoft's security measures were compared to third-party alternatives.

Hosted Email Services
Microsoft provides anti-malware protection in the cloud for those who use its Office 365 email services. We have found this to be quite effective at stopping known public threats, preventing around (25/75) 33 per cent from arriving into the inbox and sending a further 64 per cent into the Junk folder. However, it was much less effective with targeted attacks, allowing 52 per cent of the threats into the inbox. There were some false positives, but only a few.

Let's compare these figures to a third-party vendor of hosted email protection services. One industry leading competitor stopped nearly all of the public threats from entering either the Junk folder or the inbox. It also blocked all but one of the targeted attacks. There is clearly a benefit to the user when chaining these products together. The third-party product was more accurate and stopped threats from entering the endpoint, whereas although Microsoft's product did flag many threats as being 'Junk', these still ended up within reach of the user. What could go wrong? We have information that one very high profile breach in recent times was the result of a user pulling a message out of the Junk folder and executing its contents…

Email Sandbox Results
Not everyone wants to run their email protection in the cloud. There are technical and legal reasons why some businesses need to keep their data in-house and processed by on-premises security systems. We were approached by one such company to compare 'on-prem' email sandboxing solutions from the very largest vendors in that space.

There was a vast difference in the effectiveness of these products, even when we used some threats that everyone should know about. We found that 20 – 25 per cent of threats went undetected. Clearly there is some level of benefit to using this type of technology, but it's far from perfect and not cheap. They did, however, boost overall security when combined with Microsoft's email security product.

Endpoint Test Results
We regularly test endpoint security solutions with live in-the-wild threats to the public and targeted attacks that we craft ourselves using well-known, easily used tools. We look at products designed for enterprises, small to medium businesses and consumers. We always see Microsoft's products at or near the bottom of the list.

That is not to say that Microsoft Security Essentials (for Windows 7) or Windows Defender (for Windows 8 – 10) is no good. It is vastly better than it was a year or two ago, according to our test results and those from some other well-known testers. But it's definitely not the best and never has been. The idea that users are pushed towards this product is discomforting. The thought that alternatives might disappear due to market forces is frightening.

Diversity for the win
Maybe in the future there will be a useable, locked-down desktop operating system as secure as the mobile versions we use on our Apple and Google phones, tablets and 'netbooks'. While Microsoft is clearly moving towards a position in which it takes more direct responsibility for its users' security, the security gaps are so large, and the attackers' resources so huge, that now is not the time to embrace a walled-garden approach.

The attack landscape is wide and defenders are challenged for resources. The idea of a single product that can be managed easily by a well-trained staff and that defeats all threats is a lovely thing. But it is neither realistic nor desirable. It suggests a single point of failure upon which attackers will be focussing to the exclusion of all else. Once the monolith is broken (and it will be), there are no other layers of protection. You can't download and deploy an anti-malware recovery tool from a third party if there are no third parties still in business.

Diversity in security has always been essential. Just as disease evolves to succeed so do attackers. While we are lucky to have a large group of very clever and dedicated people in our community, producing tools and techniques to defend against the attackers, there are vast numbers of would-be opponents who can continually fail, day after day, until they succeed. Their job will be much easier if they have a limited number of things to break. Let's not make their job any easier than it already is.

Friday, 1 September 2017

Review: ImmuniWeb On-Demand Application Security Testing

What do a start-up, small business and enterprise have in common?

They all have one or more websites.

That's not a very humorous punchline, but the security implications of managing business websites aren't funny either.

In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the Data Protection Act and the incoming GDPR legislation and being the person responsible for the company website just became positively horrible.

A website is a business' public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company's standing.

How do websites get hacked? Sometimes the attackers will focus on compromising the site's administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.

Such an exploit could be aimed at a vulnerability in the platform, such as WordPress, or the server's operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.

Will AI save our sites?

Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website's security.

The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.

Wizard setup

Setting up the initial test was a very simple task. Enter a few relevant details into ImmuniWeb's Wizard-driven website, pay the fee and the work starts. A couple of days later a report is made available and you have around three months to download it before it is deleted automatically. You will receive warnings about the impending deletion.

The report is detailed. The first pages give an overview of the risk level based on how many vulnerabilities have been found, certain administration configuration issues that might exist and even an indication of other websites that might be impersonating yours.

Who is hosting?

The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH.

However, if your site runs on a hosting platform provided by a third party, such as GoDaddy, 1&1, 123Reg or a thousand others, then you have a choice: you could contact the company and request that they upgrade, or move to another host and hope that they do a better job with updates.

In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues.

While we could verify the changes ourselves (after all, we test security systems ourselves) we understand that for most businesses a second test would be warranted. We ran a second test for this review and were pleased to see that the previous issues had indeed been fixed.

How much?

This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster 'Express' test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.

Total Cost of Reassurance

But while your site might not change, knowledge about security vulnerabilities does. New vulnerabilities are being discovered at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website ImmuniWeb noted out of date software, which was updated accordingly.

By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.

Monitoring the weak link

Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that can and should be assessed regularly. ImmuniWeb provides just such a service but because people are involved, as well as machine learning-equipped systems, there is a significant cost to the system, as well as an advantage over free website scanning sites and tools.

While, on the face of it, using ImmuniWeb's service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

Monday, 21 August 2017

The Government Encryption Enigma


Is Amber Rudd right about encryption? Jon Thompson isn't so sure.

UK Home Secretary Amber Rudd recently claimed in an article that "real people" prefer ease of use to unbreakable security when online. She was met immediately by outrage from industry pundits, but does she have a point?

Though paywalled, as reported elsewhere, Rudd asks in her article, "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?"

Rudd name-checked Khalid Masood, who used WhatsApp minutes before he drove a van into pedestrians on Westminster Bridge killing three, and then fatally stabbed a police officer outside Parliament before being shot dead. However, Masood was not part of any MI5 investigation. In fact, a week after the attack, police had to appeal for information about him. His final WhatsApp message seems to have been the first sign that he was about to strike. The recipient was entirely innocent, and knew nothing of his murderous intentions.

There are plenty of other atrocities that were planned in part via social media apps: the attacks on Paris in December 2015 and the Stockholm lorry attack, to name but two. In the UK, the new Investigatory Powers Act 2016 (IPA), which caused so much fuss last year, can compel vendors to decrypt. So, why not just use that? The answer is somewhat complicated.

The IPA makes provision for Communications Service Providers to be served with a notice that they must remove encryption from messages to assist in the execution of an interception warrant. Apart from Providers needing access to private decryption keys, reports suggest that any move to enforce this measure would meet stiff opposition, and may not even be enforceable.

Many of the most popular secure messaging apps use the Signal Protocol, developed by Open Whisper Systems. This is a non-profit organisation and lies outside the UK's jurisdiction, so its compliance would be difficult to obtain, even if the companies using the protocol agreed to re-engineer their platforms to include backdoors, or to lower encryption standards. There are also plenty of other issues to be resolved if Rudd is to get her way.

If the government mandates weaker encryption for messaging apps in the UK, then companies will face difficult business choices and technological challenges. It boils down to a choice: they could weaken their encryption globally, or they could just weaken encryption in the UK. But what happens if you send a secure message from outside the UK to someone inside the country? Can the UK authorities read it? Can the recipient, using a lower encryption standard, decrypt it? How would international business communications work if the UK office doesn't use the same encryption standard as a foreign parent company?

This isn’t the first time the UK government has attempted to find an answer to the problem of encryption. Back in January 2015, the then-Prime Minister David Cameron gave a speech in which he said there should be no means of communication "which we cannot read". He was roundly criticised as "technologically illiterate" by opposition parties, and later clarified his views, saying he didn’t want to ban encryption, just have the ability to read anyone's encrypted communications.

Authoritative voices have since waded into the argument. Lord Evans, the former head of MI5, has recently spoken out about the problems posed by strong encryption: “It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”

Besides, if the government can decrypt all messages in the UK, won’t genuine terrorists simply set up their own "dark" services? Ten seconds on Google Search shows plenty of open source, secure chat packages they could use. If such groups are as technologically advanced as we're led to believe, then it should be simple for them, and terrifying for the rest of us. Wouldn’t it be better to keep such groups using mainstream apps and quietly develop better tools for tracking them via their metadata?

Rudd's argument that "real people" want ease of use over strong encryption implies that secure apps are in some way difficult to set up and require effort to maintain. The opposite is plainly true, as anyone who's ever 'butt dialled' with their mobile phone can tell you.

Rudd's argument also plays into the idea that if you have nothing to hide you have nothing to fear. While writing this piece, I accessed several dozen online information sources, from mainstream news reports of terrorist outrages to super paranoid guides for setting up secure chat services. I accessed many of these sources multiple times. I didn’t access any extremist material, but my browsing history shows a clear and persistent interest in recent atrocities perpetrated on UK soil, secure chat methods, MI5 and GCHQ surveillance methods, encryption algorithms, and so on. Joining the dots to arrive at the wrong conclusion would be a grave mistake, and yet without the wider context of this blog piece to explain myself, how would authorities know I'm not planning to be the next Khalid Masood or Darren Osborne? The answer lies in developing better tools that gather more context than just what apps you use.

Friday, 4 August 2017

Quantum Inside?

Is this the dawn of the quantum computer age? Jon Thompson investigates.

Scientists are creating quantum computers capable of cracking the most fiendish encryption in the blink of an eye. Potentially hostile foreign powers are building a secure quantum internet that automatically defeats all eavesdropping attempts.

Single computers far exceeding the power of a hundred supercomputers are within humanity's grasp. 

Are these stories true, as headlines regularly claim? The answer is increasingly yes, and it's to China we must look for much current progress.

The Quantum Internet
Let's begin with the uncrackable "quantum internet". Sending messages using the properties of the subatomic world has been possible for years; it's considered the "gold standard" of secure communications. Chinese scientists recently set a new distance record for sending information using quantum techniques when they transmitted data 1,200 km to a special satellite. What's more, China is implementing a quantum networking infrastructure.

QuantumCTek recently announced it is to deploy a network for government and military employees in the Chinese city of Jinan, secured using quantum key distribution. Users will send messages encrypted by traditional means, with a second "quantum" channel distributing the associated decryption keys. Reading the keys destroys the delicate state of the photons that carry them, so it can only be done once by the recipient, otherwise the message cannot be decrypted and the presence of an eavesdropper is instantly apparent.
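The detection property described above can be shown with a small simulation. This is an added example, not code from the original article or from QuantumCTek; it assumes a BB84-style protocol (the article does not name one), an intercept-and-resend eavesdropper, and an 11% error-rate abort threshold chosen for illustration.

```python
import random
from typing import List, NamedTuple

BASES = "+x"                  # rectilinear and diagonal polarisation bases
QBER_ABORT_THRESHOLD = 0.11   # assumed abort threshold for this example


class Result(NamedTuple):
    sifted: int               # photons where sender and receiver bases matched
    qber: float               # error rate measured on the publicly compared sample
    aborted: bool             # True if the error rate signals a tapped channel
    sender_key: List[int]
    receiver_key: List[int]


def measure(bit: int, prepared_in: str, measured_in: str, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the bit; the wrong basis
    yields a random result and the original state is lost."""
    return bit if prepared_in == measured_in else rng.randrange(2)


def exchange(n_photons: int, eavesdropper: bool, seed: int) -> Result:
    """Simulate one key exchange over the quantum channel."""
    rng = random.Random(seed)
    sifted = []  # (sender_bit, receiver_bit) pairs kept after basis comparison

    for _ in range(n_photons):
        bit, basis = rng.randrange(2), rng.choice(BASES)
        in_flight_bit, in_flight_basis = bit, basis

        if eavesdropper:
            # The tap must measure to learn anything, and can only re-send
            # a photon prepared in the basis it guessed.
            tap_basis = rng.choice(BASES)
            in_flight_bit = measure(in_flight_bit, in_flight_basis, tap_basis, rng)
            in_flight_basis = tap_basis

        recv_basis = rng.choice(BASES)
        recv_bit = measure(in_flight_bit, in_flight_basis, recv_basis, rng)

        # Bases are compared afterwards over an ordinary public channel;
        # only positions where they match are kept.
        if recv_basis == basis:
            sifted.append((bit, recv_bit))

    # Half of the sifted bits are disclosed and compared, then discarded.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, remainder = sifted[:half], sifted[half:]
    errors = sum(1 for sent, received in sample if sent != received)
    qber = errors / len(sample) if sample else 0.0

    aborted = qber > QBER_ABORT_THRESHOLD
    if aborted:
        return Result(len(sifted), qber, True, [], [])
    return Result(
        len(sifted),
        qber,
        False,
        [sent for sent, _ in remainder],
        [received for _, received in remainder],
    )


if __name__ == "__main__":
    for tapped in (False, True):
        r = exchange(4000, eavesdropper=tapped, seed=1)
        print(f"eavesdropper={tapped}: sifted={r.sifted} "
              f"qber={r.qber:.3f} aborted={r.aborted} key_bits={len(r.sender_key)}")
```

An untapped channel gives a zero error rate and identical keys at both ends, while the tapped channel shows errors in roughly a quarter of the compared bits, so the exchange is abandoned before any message key is used.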

The geopolitical implications of networks no foreign power can secretly tap are potentially immense. What's scarier is quantum computers cracking current encryption in seconds. What’s the truth here?

Encryption Under Threat
Popular asymmetric encryption schemes, such as RSA, elliptic curve and SSL, are under threat from quantum computing. In fact, after mandating elliptic curve encryption for many years, the NSA recently declared it potentially obsolete due to the coming quantum computing revolution.

Asymmetric encryption algorithms use prime factors of massive numbers as the basis for their security. It takes a supercomputer far too long to find the right factors to be useful, but it's thought to be easy for a quantum algorithm called Shor's Algorithm.

For today's strong symmetric encryption, such as AES and Blowfish, which use the same key to encrypt and decrypt, the news is currently a little better. It's thought that initially, quantum computers will have a harder time cracking these, only really halving the time required by conventional hardware. So, if you're using AES with a 256-bit key, in future it'll be as secure as a 128-bit key.

A Quantum Leap
How far are we from quantum computers making the leap from flaky lab experiments to full production? The answer depends on the problem you want to solve, because not all quantum computers are the same. In fact, according to IBM, they fall into three classes.

The least powerful are quantum annealers. These are available now in the form of machines from Canada's D-Wave. They have roughly the same power as a traditional computer but are especially good at solving optimisation problems in exquisite detail. Airbus is already using this ability to increase the efficiency of wing aerodynamics.

More powerful are analogue quantum computers. These are much more difficult to build, and IBM thinks they're about five years away. They will be the first class of quantum computers to exceed the power of conventional machines. Again, they won’t run programs as we think of them, but instead will simulate incredibly complex interactions, such as those found in life sciences, chemistry and materials science.

The most powerful machines to come are universal quantum computers, which is what most people think of when discussing quantum computers. These could be a decade or more away, but they're coming, and will be exponentially more powerful than today's fastest supercomputers. They will run programs as we understand them, including Shor's Algorithm, and will be capable of cracking encryption with ease. While they're being developed, so are the programs they'll run. The current list stands at about 50 specialised but immensely powerful algorithms. Luckily, there are extremely complex engineering problems to overcome before this class of hardware becomes a reality.

Meanwhile, quantum computer announcements are coming thick and fast.

IBM has announced the existence of a very simple device it claims is the first step on the path to a universal quantum computer. Called IBM Q, there's a web portal for anyone to access and program it, though learning how and what you can do with such a device could take years.

Google is pursuing the quantum annealing approach. The company says it plans to demonstrate a reliable quantum chip before the end of 2017, and in doing so will assert something called "quantum supremacy", meaning that it can reliably complete specialised tasks faster than a conventional computer. Microsoft is also in on the action. Its approach is called StationQ, and the company has been quietly researching quantum technologies for over a decade.

Our Universal Future
While there's still a long way to go, the presence of industry giants means there's no doubt that quantum computers are entering the mainstream, but it'll probably be the fruits of their computational power that we see first in everyday life rather than the hardware itself. So, solutions to currently difficult problems and improvements in the efficiency of everything from data transmission to batteries for electric cars could start appearing.

Life will really change when universal quantum computers finally become a reality. Be in no doubt that conventional encryption will one day be a thing of the past. Luckily, researchers are already working on so-called post-quantum encryption algorithms that these machines will find difficult to crack.

As well as understandable fears over privacy, and even the rise of quantum artificial intelligence, the future also holds miracles in medicine and other areas that are currently far from humanity's grasp. The tasks to which we put these strange machines remain entirely our own choice. Let's hope we choose wisely.

Monday, 17 July 2017

Next-generation firewalls: latest report

Using layers of security is a well-known concept designed to reduce the chances of an attacker succeeding in breaching a network. If one layer fails, others exist to mitigate the threat.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network.

Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

In some cases an appliance will take information it considers suspicious and send it to a cloud-based service for further analysis. In this way it might allow a threat through the first time, explore it more deeply using the cloud service and send back information to the appliance so that it will block that same (or similar) attack in future.

It’s a little like an immune system.

As immune systems adapt to protect against known threats, so threats adapt in an arms race to defeat protection mechanisms. This report includes our first public set of network security appliance results.

Future reports will keep you updated as to how well the industry competes with the bad guys in the real world.

Monday, 10 July 2017

Can anti-malware be 100 per cent effective?

You can probably guess the answer, but we'll explore how products can score very well in tough tests, and which are the best.

Latest reports now online

There are a lot of threats on the web, and going online without protection is very risky. We need good, consistently effective anti-malware products to reduce our risk of infection.

And the ones included in these reports look great – in fact, some score 100 per cent. That means they stopped all the threats that we exposed them to and didn’t block anything legitimate.

But wait a minute! Those in the security industry know full well that there is no such thing as 100 per cent security. There is always a way past every security measure, and this is as true in the anti-malware world as with any other measures for threat protection.

This test includes some of the very best anti-malware products in the world, and pits them against prevalent threats, be they ones that affect hundreds of thousands of users worldwide, or those that could be used to target individuals and organisations. It’s a tough test, but a fair one.

You could argue that any anti-malware product worth its salt would score 100 per cent or thereabouts.

Products can score 100 per cent in our tests because we’re not choosing thousands of weird and wonderful rare pieces of malware to test. Regular users are extremely unlikely to encounter those in the real world.

We’re looking at the threats that could affect you.

Our mission is to help improve computer security through testing, both publicly and privately. We also want to help customers choose the best products by publishing some of those test results.

But don’t forget that success today is not a guarantee of success tomorrow. It’s important to keep monitoring test results.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Thursday, 8 June 2017

Brexit and Cybersecurity

Is the UK headed for a cybersecurity disaster?




With Brexit looming and cybercrime booming, the UK can't afford major IT disasters, but history says they're inevitable.

The recent WannaCry ransomware tsunami was big news in the UK. However, it was incorrectly reported that the government had scrapped a deal with Microsoft to provide extended support for Windows XP that would have protected ageing NHS computers. The truth is far more mundane.

In 2014, the government signed a one-year deal with Microsoft to provide security updates to NHS Windows XP machines. This was supposed to force users to move to the latest version of Windows within 12 months, but with a "complete aversion to central command and control" within the NHS, and no spare cash for such an upgrade, the move was never completed.

This isn't the first Whitehall IT disaster by a very long way.

During the 1990s, for example, it was realised that the IT systems underpinning the UK's Magistrates' Courts were inadequate. It was proposed that a new, unified system should replace them. In 1998, the Labour government signed a deal with ICL to develop Project Libra. Costing £146m, this would manage the courts and link to other official systems, such as the DVLA and prisons systems.

Described in 2003 as "One of the worst IT projects ever seen", Project Libra's costs nearly tripled to £390m, with ICL's parent company, Fujitsu, twice threatening to pull out of the project.

This wasn't Labour's only IT project failure. In total, it's reckoned that by the time the government fell in 2010, it had consumed around £26b of taxpayers' money on failed, late and cancelled IT projects.

The coalition government that followed fared no better. £150m paid to Raytheon in compensation for cancelling the e-Borders project, £100m spent on a failed archiving system at the BBC, £56m spent on a Ministry of Justice system that was cancelled after someone realised there was already a system doing the same thing: these are just a few of the failed IT projects since Labour left office seven years ago.

The Gartner group has analysed why government IT projects fail, and discovered several main factors. Prominent amongst these is that politicians like to stamp their authority on the nation with grandiose schemes. Gartner says such large projects fail because of their scope. It also says failure lies in trying to re-implement complex, existing processes rather than seeking to simplify and improve on them by design. The problem is, with Brexit looming, large, complex systems designed to quickly replace existing systems are exactly what's required.


A good example is the ageing HM Customs & Excise CHIEF system. Because goods currently enjoy freedom of movement within the EU, there are only around 60 million packages that need checking in through CHIEF each year. The current system is about 25 years old and just about copes. Leaving the EU will mean processing an estimated 390 million packages per year. However, the replacement system is already rated as "Amber/Red" by the government's own Infrastructure and Projects Authority, meaning it is already at risk of failure before it's even delivered.

Another key system for the UK is the EU's Schengen Information System (SIS-II). This provides real time information about individuals of interest, such as those with European Arrest Warrants against them, terrorist suspects, returning foreign fighters, missing persons, drug traffickers, etc.

Access to SIS-II is limited to countries that abide by EU European Court of Justice rulings. Described by ex-Liberal Democrat leader Nick Clegg as a "fantastically useful weapon" against terrorism, after Brexit, access to SIS-II may be withdrawn.

Late last year, a Commons Select Committee published a report identifying the risks to policing if the UK loses access to SIS-II and related EU systems. The report claimed that then-Home Secretary Theresa May had said that such systems were vital to, "stop foreign criminals from coming to Britain, deal with European fighters coming back from Syria, stop British criminals evading justice abroad, prevent foreign criminals evading justice by hiding here, and get foreign criminals out of our prisons."

The UK will either somehow have to re-negotiate access to these systems, or somehow quickly and securely duplicate them and their content on UK soil. To do so, we will have to navigate the EU's labyrinthine data protection laws and sharing agreements to access relevant data.


If the UK government can find a way to prevent these and other IT projects running into problems during development, there's still the problem of cybercrime and cyberwarfare. Luckily, there's a strategy covering this.

In November 2016, the government launched its National Cyber Security Strategy. Tucked in amongst areas covering online business and national defence, section 5.3 covers protecting government systems. This acknowledges that government networks are complex, and contain systems that are badly in need of modernisation. It asserts that in future there will be, "no unmanaged risks from legacy systems and unsupported software".

The recent NHS WannaCry crisis was probably caused by someone unknowingly detonating an infected email attachment. The Strategy recognises that most attacks have a human element. It says the government will "ensure that everyone who works in government has a sound awareness of cyber risk". Specifically, the Strategy says that health and care systems pose unique threats to national security due to the sector employing 1.6 million people in 40,000 organisations.

The problem is, the current Prime Minister called a snap General Election in May, potentially throwing the future of the Strategy into doubt. If the Conservatives maintain power, there's likely to be a cabinet reshuffle, with an attendant shift in priorities and funding.

If Labour gains power, things are even less clear. Its manifesto makes little mention of cyber security, but says it will order a complete strategic defence and security review "including cyber warfare", which will take time to formulate and agree with stakeholders. It also says Labour will introduce a cyber charter for companies working with the Ministry of Defence.

Regardless of who takes power in the UK this month, time is running out. The pressure to deliver large and complex systems to cover the shortfall left by Brexit will be immense. Such systems need to be delivered on time, within budget and above all they must be secure – both from internal and external threats.

Friday, 19 May 2017

Staying Neutral



Is a fox running the FCC's henhouse?


Net neutrality is a boring but noble cause. It ensures the internet favours no one. So, why is the new chairman of the Federal Communications Commission, Ajit Pai, determined to scrap it?

"For decades before 2015," said Pai in a recent speech broadcast on C-SPAN2, "we had a free and open internet. Indeed, the free and open internet developed and flourished under light-touch regulation. We weren't living in some digital dystopia before the partisan imposition of a massive plan hatched in Washington saved all of us…" Pai also says he wants to "take a weed whacker" to net neutrality, and that its "days are numbered".

These are strong words. A possible reason for them is that Pai was previously Associate General Counsel at Verizon. To understand why this is significant, we must delve into recent history.

In 2007, Comcast (owned by Verizon) was caught blocking BitTorrent traffic. This was ruled illegal by the FCC, and in 2009 Verizon settled a class action for $16 million.

In 2011, Verizon also blocked Google Wallet from being downloaded and installed on its phones in favour of its own, now-unfortunately titled ISIS service, which it founded with T-Mobile and AT&T.

In response, the FCC imposed its Open Internet Order, which forced ISPs to stop blocking content and throttling bandwidth.

At the time, ISPs in the US were regulated under Title I of the 1934 Communications Act. This classed them as "information services" and provided for Pai's so-called "light touch" regulation. Title II companies are "common carriers" on a par with the phone companies themselves, and are considered part of the national infrastructure.


Verizon went to court, and in 2014 successfully argued that the FCC had no authority to impose its will on mere Title I companies. This backfired. In 2015, the FCC decided that ISPs were now part of the national infrastructure, and made them Title II companies. Problem solved, dystopia averted.

Times have changed, and the new Washington administration is keen to roll back what it sees as anti-business Obama-era regulation. Pai was appointed chairman of the FCC in January this year. Given his past at Verizon, his attitude to abolishing net neutrality raises real concerns about the internet's future.

In an April 2017 interview on PBS News Hour, Pai was asked a direct question: supposing a cable broadcaster, like Comcast, created a TV show that competed with an equally popular Netflix show. Without net neutrality, what's to stop Comcast retarding Netflix traffic over its own network, while prioritising that of its own show?

"One thing that's important to remember," came Pai's reply, "is that it is hypothetical. We don't see evidence of that happening…" In fact, net neutrality ensures this situation cannot currently happen, which is why there's no evidence of it.

Taking a wider view, Pai's attitude is also curiously uninformed given that his own web page at the FCC shows that from 2007 to 2011, when neutrality violations were big news and the FCC had to impose its Open Internet Order, he was the FCC's Deputy General Counsel, Associate General Counsel, and Special Advisor to the General Counsel. After a stint in the private sector, he returned to become an FCC Commissioner in 2012.

In his speech on C-SPAN2, Pai also asked, "What happened after the FCC imposed Title II? Sure enough, infrastructure investment declined."

However, the opposite of this assertion is a matter of public record. As Ars Technica discovered, after Title II was imposed, ISP investment continued to rise. Indeed, Verizon's own earnings release shows that in the first nine months of 2015, now labouring under the apparently repressive Title II, the company invested "approximately $22 billion in spectrum licenses and capital for future network capacity".

Interestingly, Pai's page at the FCC also states his regulatory position in a series of bullet points. These include:
  • Consumers benefit most from competition, not preemptive regulation. Free markets have delivered more value to American consumers than highly regulated ones
  • The FCC is at its best when it proceeds on the basis of consensus; good communications policy knows no partisan affiliation.

History shows that Title II regulation wasn't pre-emptive. It was a response to increasingly bold and shady practices by ISPs that forced the Commission's hand.

Net neutrality currently maintains the kind of free market that big corporations usually crave. It's a rare example of regulation removing barriers to trade. Companies of all types and sizes are currently free to compete on the internet, but cannot deny others from competing.

Scrapping US net neutrality will also affect non-US internet users who access US-based content via a VPN. At the US end of the VPN, traffic is handed off to a US ISP. If that company favours some sites over others (or even blocks them), the ability to access content will be guided towards the choices set out by commercial interests, just as if the user was in the US.

Given all this, it is perhaps rather cynical that the Bill to remove Title II status from ISPs, sponsored by Republican senator Mike Lee of Utah, is called the "Restoring Internet Freedom Act". With Pai also a declared Republican, and dead set on rolling back Title II, the meeting on May 18th to decide whether to proceed could have been a short one with a distinctly partisan flavour.





Tuesday, 11 April 2017

Testing anti-malware's protection layers

Our first set of anti-malware test results for 2017 are now available.

Endpoint security is an important component of computer security, whether you are a home user, a small business or running a massive company. But it's just one layer.

Latest reports now online

Using multiple layers of security, including a firewall, anti-exploit technologies built into the operating system and virtual private networks (VPNs) when using third-party WiFi is very important too.

What many people don't realise is that anti-malware software often actually contains its own different layers of protection. Threats can come at you from many different angles, which is why security vendors try to block and stop them using a whole chain of approaches.

A fun video we created to show how anti-malware tries to stop threats in different ways


How layered protection works

For example, let's consider a malicious website that will infect victims automatically when they visit the site. Such 'drive-by' threats are common and make up about one third of this test's set of attacks. You visit the site with your web browser and it exploits some vulnerable software on your computer, before installing malware – possibly ransomware, a type of malware that also features prominently in this test.


Here's how the layers of endpoint security can work. The URL (web link) filter might block you from visiting the dangerous website. If that works you are safe and nothing else need be done.

But let's say this layer of security crumbles, and the system is exposed to the exploit.

Maybe the product's anti-exploit technology prevents the exploit from running or, at least, running fully? If so, great. If not, the threat will likely download the ransomware and try to run it.

At this stage file signatures may come into play. Additionally, the malware's behaviour can be analysed. Maybe it is tested in a virtual sandbox first. Different vendors use different approaches.

Ultimately the threat has to move down through a series of layers of protection in all but the most basic of 'anti-virus' products.

The way we test endpoint security is realistic and allows all layers of its protection to be tested.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Thursday, 6 April 2017

Back from the Dead

Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I've signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me "J" as he didn't have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I'll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It's surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we've been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

Friday, 24 March 2017

Inside the CIA...


Who is behind the CIA's hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA's hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We've also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There's also a deeper tale to tell. It's about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a "Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast." Thanks to his comments, we know an ex-boss (nicknamed "Panty-Raider") was considered "really odd". Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called "List of ideas for fun and interesting ways to kill/crash a process", which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes "Knockover (sic) PSPs" and "Troll people".

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to "data loss and gnashing of teeth". Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: "Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific."

Revealingly, User #71473 also likes to hack the home pages of other Users: "Its 11:30... time to deface people's unprotected user pages..."

User #11628962 was deeply impressed by Subramaniam and Hunt's "Practices of an Agile Developer", and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User #71475 loves to listen to music online and lists several streaming services and YouTube channels. He's also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯\_(ツ)_/¯

Amusingly, User #20873595 is keen for people to understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907's office nickname should be. "Monster Lite" was the apparent front runner.

We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.

Tuesday, 7 March 2017

Can You Hear Me?

Are cyber-scammers creating their own fake news stories to exploit? Jon Thompson investigates.

The UK media recently exploded with news of a new phone-based scam. Apparently, all that's needed for fraudsters to drain your bank account is a recording of you saying "yes". It runs as follows:
  1. Someone calls and asks if you can hear them
  2. They record you saying "Yes"
  3. They take your ID and money

What doesn't ring true is the lack of detail between steps 2 and 3. How, exactly, do attackers use this snippet of audio without the rest of your identity? Myth busting site Snopes has the answer: they don't. A good half hour of searching also failed to turn up a single verified victim of the scam despite a huge number of almost identical news reports warning people about it.

Whether it's a hoax or not, it's certainly easy to see how cyber-scammers can take advantage of the generated fear. Your "bank" calls, says you've been the victim of this very scam, and asks you to visit a special web site to enter your details and get your money back. Previous cybersecurity incidents certainly provide good evidence that such secondary scams may soon plague a phone near you.

Remember the TalkTalk hack of October 2015 and the scandalised headlines that followed? Four million customers were suddenly at risk, according to some ill-informed reports. The supposed Russian jihadist gang behind the attack was ransoming the purloined data. The Daily Express even reported that they were already raiding the accounts to fund their evil deeds.

The truth was far more mundane. A 17-year-old boy from Norwich had discovered an SQL injection using a vulnerability scanner, and syphoned off about 157,000 account records. However, with this data potentially in the wild, any attempted fraud experienced by TalkTalk customers was suddenly blamed on the hack.

In fact, telephone-based cyber-fraud is a numbers game. The more calls you make, the more likely it is that you'll hit the right set of circumstances. It's a brute force attack, and that's exactly what the scammers started to do. Nearly 18 months later, they're still finding ways to use the hack as a pretext to call unsuspecting customers.


At the time, some customers even reported that their broadband was being deliberately slowed by criminals, who then called them offering to fix the problem in exchange for visiting a phishing site and entering account details to get a special refund. Again, this is a numbers game: for every set of circumstances that make the scam work, there might be thousands of calls to people with the wrong broadband provider or who have no bandwidth problems. It's never the precision spear phishing attack it's reported to be by the bemused victims.

So, high profile hacks can subsequently spawn profitable campaigns for fraudulent callers keen to cash in on the chaos and fear. The problem is, juicy high profile hacks come along at random. What's needed is something more dependable.

This brings us back to the supposed "Can you hear me?" scam. Several reports in the past few days on Who Called and other very active nuisance call sites have mentioned the scam in passing as something else to look out for, but none say that this was the focus of the call being reported. The story has begun to take on a life of its own, but without any direct evidence that the scam actually exists.

Could it be that scammers themselves have concocted and spread a fake news story, which they intend to subsequently exploit with a campaign? It's not that great a leap of imagination, given the innovations developing in other areas of bulk cybercrime, such as ransomware. Only time will tell, but the next few months should be fascinating for both threat watchers and cyber-criminals alike.



Wednesday, 15 February 2017

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why.

The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It's becoming the cliché in the room, but there may be a reason: embarrassment.


Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well thought-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it's all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we're massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see, all of which immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then both the size of the problem and its lack of sophistication should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it'll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies

Generic companies are rare but I do occasionally see them. Who is "the other financial institution" and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (e.g. "Dear fred.smith"). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as "Overdue – Please Respond!" but no body text explaining what or why it's overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.


8.    The Third Person

This is a great example of a spam writer trying to distance himself from his crime. "PayPal has detected an anomaly in your account" and "they require you to log in to verify your account" just look weird in the context of a security challenge. This is supposed to be from PayPal, isn't it?

9.    Finger Trouble

I'm fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they're blind drunk. Random punctuation marks and extra characters that look like they've been hit at the same time as the correct ones don't make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.


10.    Unexpected Plurals and Tenses

Using "informations" instead of "information" is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as "we detect a problem" instead of "we detected a problem" also stick out a mile.


11.    Missing Definite Article

Many spam emails stand out as somehow "wrong" because they miss out the definite article. One recent example I saw read: "Access is blocked because we detect credit card linked to your PayPal account has expired." An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

"Please review the document and revert back to us immediately". Revert? Really? Surely, you mean "get back", not "revert back". It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis

Unusually capitalised phrases such as "You must update Your details to prevent Your Account from being Suspended" look weird. Initial capitalisation isn't used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.






14.    Tautological Terrors

"It is extremely mandatory that you respond immediately". Not just mandatory but extremely mandatory? Wow, I'd better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.








15.    Grandiosity

Using grand words where normal ones should appear, to make a message sound more authoritative, is a dead giveaway. Here's an example from last September when a gang famously tried to distribute malware on the back of a new media player release: "To solemnise the release of our new software". Solemnise means to mark with a formal ceremony.

What they really meant was: "To mark the release of our new software". The whole message was also so riddled with outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn't he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash.


17.    Obfuscated URLs

If the collar doesn't match the cuffs, it's a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.
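
Several of the items above are mechanical enough for a filter to test directly. The sketch below is an added example, not SE Labs code: it checks items 1, 4, 5, 6 and 17 against constructed sample messages using Python's standard `email` module. The shortener and brand lists, the function name and the sample addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed example lists; a real filter would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}
BRANDS = {"paypal", "barclays", "hsbc"}

def indicators(raw):
    """Return the numbers of the list items that a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    subject = (msg.get("Subject") or "").strip()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hits = set()
    if not subject:
        hits.add(1)    # 1. No subject header
    if len(rcpts) > 1:
        hits.add(4)    # 4. More than one visible recipient
    for _, addr in rcpts:
        local = re.escape(addr.split("@")[0])
        # Case-sensitive on purpose: "Dear Fred" is a competent salutation.
        if local and re.search(r"\bDear\s+" + local + r"(?![\w@])", body):
            hits.add(5)    # 5. Salutation is the raw user-name part
    if not body.strip():
        hits.add(6)    # 6. No body text
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s]+)", body)}
    if hosts & SHORTENERS and any(b in (subject + body).lower() for b in BRANDS):
        hits.add(17)   # 17. Brand name alongside a shortened URL
    return hits

# Constructed sample messages (not real spam).
LAZY = ("From: alerts@example.test\n"
        "To: fred.smith@example.com, jane.doe@example.com\n"
        "\n"
        "Dear fred.smith,\nYour PayPal account is limited: http://bit.ly/EXAMPLE\n")
EMPTY = ("From: accounts@example.test\nTo: fred.smith@example.com\n"
         "Subject: Overdue - Please Respond!\n\n")
CLEAN = ("From: billing@shop.example\nTo: Fred Smith <fred.smith@example.com>\n"
         "Subject: Your order has shipped\n\n"
         "Dear Fred,\nTrack it at https://shop.example/orders/1234\n")

if __name__ == "__main__":
    for name, raw in (("LAZY", LAZY), ("EMPTY", EMPTY), ("CLEAN", CLEAN)):
        print(name, sorted(indicators(raw)))
```

The linguistic items (7 to 16) need language-aware checks and are not covered here.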