Firms Must Redefine Cyber Perimeter

The rising business use of cloud services and mobile devices has opened a Pandora’s box of security exposures.

Software as a service (SaaS) tools such as Salesforce.com, Gmail, Office 365 and Dropbox, as well as social media sites such as Facebook, LinkedIn and Twitter, are all being heavily leveraged by companies to boost productivity and collaboration. This SaaS trend also has opened up a whole new matrix of access points for malicious attackers to get deep inside company networks.

Wall Street recognizes that all organizations will have to acknowledge and make decisions on how to mitigate new business risks introduced by cloud services. And big bets are being placed on new technologies to help companies get a handle on these fresh exposures.

ThirdCertainty recently sat down with David Baker, chief security officer at Okta, a cloud identity management vendor that’s one of dozens of security vendors developing cloud security systems. A $75 million round of private investment last fall pushed Okta’s market valuation to more than a billion dollars, vaulting it into so-called “unicorn” status.

Okta’s backers include a who’s who of venture-capital firms that are placing big bets on cybersecurity plays: Andreessen Horowitz, Greylock Partners, Sequoia Capital, Khosla Ventures, Altimeter and Glynn Capital, among others.

Baker talked to us about this particular big bet on cybersecurity tech. The text is edited for clarity and length.

3C: Congratulations on achieving unicorn status.

Baker: Thank you. We have a lot of work to do as a company to continue growing. The problem that we solve is really about enabling companies — enterprises, as well as small, medium and big companies — to adopt the cloud.

3C: How would you frame the big challenge?

Baker: The problem for companies now is that the things I need to access in the cloud bring a whole host of security concerns. I have users working within my four walls, and they have to authenticate into these applications where I have critical business data. It could be information about my company’s source code, or email or all of the files we share. So what’s needed is a secure way of authenticating users into all of those systems.

It also is a challenge to provision that identity into the downstream applications and, just as importantly, to de-provision users. So when a user eventually is transferred to a different group or is terminated, their access has to be disabled. So it’s about managing that identity and also managing the access of that identity to these cloud services.

3C: Lots of employees set up their own Gmail or Dropbox account to be more productive. It sounds like they shouldn’t be doing that?

Baker: Correct. The security piece is knowing what set of tools you want your employees using, and then making sure you have an authentication mechanism in place to enable them to go securely into those cloud-based applications.

3C: The company sets the rules, and its employees should use only the company-sanctioned versions?

Baker: Correct. Users get exactly the version of Dropbox the company wants them to use, not their own personal account. Okta creates a secure connection to that version. The IT administrator can give the employees access to hundreds of apps. Right now, we have connectors to well over 4,000 different applications across the internet.

3C: Seems like we’re extending the traditional network perimeter. It’s not just the on-premises servers and clients that companies have to be concerned with, it’s everything out in the internet cloud that employees might try to use.

Baker: I’ll do you even one better. The perimeter really exists with respect to identity. When I’m sitting at home or in the coffee shop and using my cellphone to get access into an application, I am now the perimeter. So that’s why we like to say, really, identity is the new perimeter.

This article first appeared at Third Certainty.

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.

Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.

Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.

Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of commingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman: Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.
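The lookalike-domain trick Goodman describes (a sender domain one letter off from the real firm’s) can be screened for mechanically before anyone acts on a wire request. The Python below is an added example, not from the article or IDT911; it assumes a made-up trusted domain and flags From: addresses within one character edit of it, which is exactly the case that should trigger the phone call he recommends.

```python
"""Flag From: addresses whose domain is one edit away from a trusted domain.

Constructed example: the trusted domain is an assumption made for
illustration and does not refer to any real firm.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplelawfirm.com"}  # assumption: the firm's real domain(s)


def _one_edit_apart(a: str, b: str) -> bool:
    """True if b is exactly one insertion, deletion or substitution away from a."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # character deleted from a
        elif len(a) < len(b):
            j += 1          # character inserted into b (the "extra letter" case)
        else:
            i += 1          # substitution
            j += 1
    # Any unmatched trailing characters are one more edit each.
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def sender_domain(header_from: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header_from: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header.

    'lookalike' means: not a trusted domain, but within one edit of one,
    so any payment instruction from it needs out-of-band verification.
    """
    domain = sender_domain(header_from)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(_one_edit_apart(trusted, domain) for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"
```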

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.

Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: click a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply carrying over infection techniques that proved highly effective in the desktop environment to the new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”

Cloud Apps Routinely Expose Sensitive Data

An alarming number of cloud-based apps used by enterprise employees don’t encrypt data at rest or require two-factor authentication.

And an astounding number of employees are still uploading highly sensitive data to the cloud and sharing files on unsecured platforms, according to the Cloud Adoption Risk Report Q4 2014 from cloud security vendor Skyhigh Networks.

The recent breach of 80 million records at health insurer Anthem was an example of how cloud services that don’t encrypt data leave personal records exposed to savvy cybercriminals.

The Q4 report was based on usage data from 15 million employees at 350 companies worldwide. It found that the average company used 897 cloud services in the fourth quarter of 2014, up from 626 the year before.

Data at Risk

While the number of cloud providers that have invested in key security features more than doubled last year, still only 11% encrypt “data at rest” — inactive files stored in databases. Only 17% have multifactor authentication.

“In light of the recent breaches, that’s alarming,” says Kamal Shah, Skyhigh’s vice president of products and marketing.

“The Anthem breach is a great example of how, if you’re not careful, cloud services can be used to exfiltrate data out of the organization,” he says.

More than a third of users uploaded at least one file with sensitive information to a file-sharing cloud service, Skyhigh found. Some of that information included customer Social Security numbers (SSN), date of birth, credit card or bank account numbers and personal health records.

Skyhigh also found that 22% of files uploaded to cloud-based file sharing apps had sensitive or confidential information. At the same time, 11% of documents were shared outside the enterprise, and 18% through third-party email services like Gmail, Yahoo and Hotmail, which don’t encrypt data at rest.

File-Sharing Exposure

The growing trend in file sharing is driven by the limitations of email, Shah says. Besides having size constraints as files get larger, email is a static environment.

“File-sharing is much more active — a living, breathing space,” he says.

Less surprising in the study was the number of compromised identities — especially given the record number of breaches and vulnerabilities in 2014. Skyhigh found that 92% of companies have compromised credentials, with 12% of users affected, on average, at each company.

“A lot of people use the same passwords for their work life as they do for their personal life, and when they’re compromised, those credentials can be used to steal corporate data,” Shah says.

The rapid adoption of cloud services is driven by legitimate business needs, Shah notes, which means the old way of doing business, simply restricting app usage, no longer works for IT managers.

“Shadow IT is not bad because employees are using these cloud services for the right reasons,” he says. “The old way of blocking services is no longer effective.”

What that means for IT administrators is the need to educate their employees about the risks of apps that are not enterprise-ready, he says. (Skyhigh’s definition of enterprise-ready covers cloud services that rank one to three on a 10-point scale based on attributes such as encryption, two-factor authentication, legal terms of service and so on.)

Despite all the breaches, cloud adoption will continue to accelerate rapidly, Shah says.

“For enterprises, there’s urgency to take action before it’s too late,” he says. “If you don’t act now, the problem will get bigger and bigger.”

This article was written for ThirdCertainty by Rodika Tollefson.