SE Labs runs second cybersecurity education programme for schools
SE Labs is running its Level:Up security education programme for the second year in a row, partnering with local schools to provide a thorough cybersecurity overview specifically created for key stage 4 and key stage 5 students.
The programme will take place from the 10th to the 14th of July 2023, and will be based at our offices in Wimbledon from 10:00 to 15:00 each day.
SE Labs takes a central role in understanding and assessing IT security. We use our unique position to help guide young people into the cybersecurity world. This year we started running our school’s Cyber Security Week course.
Setting a path to cybersecurity
We have already spoken in the past about the rather fluid manner of getting into cybersecurity. There is no specific, necessary pathway to begin a career in the industry. In many cases attempting to take what some see as the obvious path has problems. We want to help start educating cybersecurity’s next generation.
SE Labs CTO Stefan Dumitrascu offers some words of advice and encouragement to those considering a career in cybersecurity. And to those who may not think that they can do it!
Are you considering a career in cybersecurity? What does it take? A degree in computer science? A bag of certifications? A laptop full of stickers and a body full of tattoos and piercings? Depending on who you talk to, and which Twitter accounts you follow, you might believe you need all the above. But that’s not (necessarily) true.
Attacking the problem
At SE Labs we test security products by attacking through them, like real attackers. We are red-team testers, which means we must know how to behave like bad guys such as cybercriminals. And as our business grows we need to find people to join us.
It’s widely acknowledged that the cyber security workforce needs more talented young people to engage. Just as we, at SE Labs, want to help fix information technology security by testing products and services, we also want to encourage an interest among young people, hopefully igniting a passion for understanding and defending against hacking attacks. We want to bring cyber security to schools.
We test next-gen security products AND encourage the gen-next!
Bringing cyber security to schools
Our attempts to enable youth from progressing from complete novice, through to getting their first job and then to reaching the top of industry, is an initiative to bring about the needed change and fill the gaps.
As part of our new corporate social responsibility programme we set up an event at Carshalton Boys Sports College to introduce the concept of cyber security and its career prospects to the students.
Around 15 participants ranged from year 10s to sixth formers (aged 16-18) attended the main presentation and all year groups approached us at the stand we set up.
We outlined various topics in the presentation including the different types of cybercrime and attacks; and institutions offering free and paid courses to certain age groups on cyber security, aimed at students.
We also addressed how to break into the cyber security sector; what positions are available in the industry; and how employees are in high demand in both public and private sectors, part- and full-time, in virtually every industry in countries around the world.
Targeted attack introduction
Then we went through a test run of a targeted attack to demonstrate what it looks like and what it means.
“Why do we use Kali Linux?”, “What should I do to get into cyber security?”, “What are the skills required?”, were a few curious questions asked by the students at the end of the presentation.
Those who came over to the stand wanted to know who we were, what we do and simply, “what is cyber security?”
They were interested in who are clients are (we gave limited answers due to NDAs), what do they need us and how did we manage to get this far. A lot of these were asked by the younger years who were inquisitive to learn more about this subject. Positive!
Feedback from the college
On behalf of the Governors, Head Principle, students and parents of Carshalton Boys Sports College, I would like to thank you for your valued input, helping to make our Directions and Destinations Day a great success.
Our staff work tirelessly to open our students’ minds to the possibilities available to them, but without the support of partners like you, that job would be impossible. Together we had the school filled with a sense of purpose all day and responses we have had from students and parents have shown us that the day has inspired our students.
We have already started thinking about the future and would be grateful if you have any suggestions about how we might make things even better next year.
Thank you once again for giving your time, energy and expertise last week.
Well, yes! A career in cyber security is a journey for sure, but a worthwhile one. And in the end, it’s more about people than machines, as a mind’s software can be more powerful than any hardware.
No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why spammers fail so often.
The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It’s becoming the cliché in the room, but there may be a reason: embarrassment.
Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.
To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.
This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.
With that in mind, what follows is a short list of 17 mistakes I routinely see spammers make. All of them immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.
1. No Subject Header
This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.
2. No Set Dressing
Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.
3. Generic Companies
Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.
4. Multiple Recipients
This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.
5. Poor Salutation
Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.
6. No Body Text
Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.
7. Auto-translated Body Text
Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.
8. The Third Person
This is a great example of a spammer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?
9. Finger Trouble
I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.
10. Unexpected Plurals and Tenses
Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile as being from spammers.
11. Missing Definite Article
Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.
12. The Wrong Word
“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.
13. Misplaced Emphasis
Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.
14. Tautological Terrors
“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.
Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway. Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.
What they really meant was: “To mark the release of our new software”. The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.
16. Overly-grand Titles
Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash. Spammers would, though.
17. Obfuscated URLs
If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.
The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining. When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information. Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly link it contained. Both would have shown this to be a phishing attack.
Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.
The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.
According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.
Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.
You can bet that the Clinton campaign spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.
Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us?
To find the truth, we talked candidly to a branch manager from UK bank NatWest.
SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?
I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does Well, no one legitimate anyway.
SE: If you’re scammed can you get your money back?
It all depends. The basic thing is if it’s not a transaction you’ve made, its fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying. If there’s any doubt, don’t do it or bring it in for us to check.
SE: How do you protect people’s money in general?
The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.
We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?
It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.
Can the banks stop people being duped into sending money to scammers abroad?
You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced the online fraud is real.
What’s the most outrageous thing you’ve seen?
I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop. Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.
What’s your personal message to customers?
Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.
What other guidance is there for people?
There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing to tackle online fraud.
Archive of security product and service test results
Cyber Security DE:CODED Podcast
SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.