Mere hours after writing here about the Epsilon data breach, how it may lead to spear phishing and why spear phishing is more dangerous than normal phishing, comes the story that the Epsilon breach itself may well have been the result of . . . spear phishing.
According to iTnews
A data breach exposing the customer details of the likes of Citigroup, Hilton Hotels and Dell Australia was part of a series of socially-engineered attacks first reported by an Epsilon technology partner some four months ago ... Epsilon has been aware of the vulnerability behind this attack for some months.
Epsilon, while unknown to many until now, is a potential gold mine for bad guys. Not only do they have millions of email addresses, but they also store additional data about the people using those email addresses.
An expert quoted by Computerworld referred to the additional data as "behavioral". In other words, Epsilon knows about stuff you do. The better to generate marketing emails. I'm in their database, very likely you are too.
How disappointing then that someone at Epsilon, like employees at RSA and Condé Nast, seems to have fallen for a spear phishing scam.
According to Return Path spear phishing emails were sent to employees at many email service providers last year. In a warning about these attacks, Neil Schwartzman wrote that the emails targeted their marks by name and appeared to come from friends or co-workers. Par for the course.
That's the news, now let's take a step back.
Spear phishing targeted at consumers is one thing. Home users will always make mistakes, get tricked and/or be un-informed. But they can only hurt themselves.
Spear phishing targeted at large companies is quite another matter. Employees of companies with sensitive data (pretty much every company) need to be protected from themselves in order to protect the data held by the company, if not its very ability to stay in business. I can't imagine any company continuing to do business with Epsilon.
The conclusion that I draw from the recent high profile success of spear phishing attacks is employees should not be allowed to read email on a Windows computer.
The Windows operating system is shark infested waters. IT departments may think they're great swimmers, but swim with sharks long enough and something bad will happen.
You could make a case that employees also shouldn't be allowed to access websites from a Windows machine. Many people, myself included, have suggested only doing online banking on a computer running Linux.
Windows experts speak of Defense in Depth. I hear this to mean the Windows ecosystem has as many holes as Swiss cheese.
This is not meant to denigrate Windows or Microsoft. Certainly they are a victim of their own success - the large installed base attracts bad guys because that's where the users are. And in the case of RSA, the exploited bug was in Adobe's Flash.
But, if most malware runs on Windows, you are safer not using Windows. And, lacking a standard system-wide patching architecture, Windows users are all but guaranteed to be using software with known bugs.
Yet, replacing Windows in large companies is not realistic. But there are ways to give it the type of sandboxing protection the iPad already has.
My recommendation is Sandboxie, which I have been using for a long time.
Sandboxie can run any Windows application in a virtual sandbox. This walls off the application from the rest of the system. Malicious software (malware) that tries to install itself, is forced to live in the virtual sandbox rather than the real system.
If you run an email client such as Outlook or Thunderbird in a sandbox, then a hole needs to be punched into the sandbox that allows the folder where emails are stored to be persistent. But, that should be the only folder that the email program is allowed to actually update. Any other files/folders that are updated by the email program live only in the sandbox, not the real system.
It's a simple thing to clear out the sandbox, in fact it can be done automatically when the sandboxed application shuts down. I like to set up a sandbox that always clears out everything when the application it's running closes.
If the email program self-updates, as does Thunderbird, then simply run it outside the sandbox to install the patches.
There are visual indicators that an application is running inside a sandbox. You can configure both the title bar and/or a colored border around the application.
If an email message contains a link to a malicious website, Sandboxie protects the computer. When the email program starts a web browser, the browser runs inside the sandbox. Not good if you want to save a bookmark, but great for defending from malware.
You can define many sandboxes, each configured differently. There are a large number of per-sandbox configuration options.
For example, if you log on to Windows as an administrator, there is a per-sandbox option to run programs in the sandbox as a limited/restricted user, offering another layer of protection.
You can define a sandbox for your email program that allows it to update the folder where messages are saved, while other sandboxes, used for other applications, are prevented from updating the same folder.
Sandboxes are designed to prevent changes to the underlying system, but not to make it invisible. Programs running in a sandbox can see and read all the files on the computer. Thus malware can run in the sandbox, see sensitive files and send them off to the bad guys before it gets removed when the sandbox is emptied out.
To protect against this, Sandboxie allows you to define files and folders that will be hidden from applications running in a sandbox.
Update: A reader comment below mentioned another security option for a sandbox - the ability to limit the programs that are allowed to run. For example, you might set up a sandbox for your favorite web brower where Sandboxie insures that only the browser runs in the sandbox, nothing else.
There are both free and paid versions of Sandboxie. The free version requires you to right click the icon for an application and opt to run it in a sandbox (shown below). The paid version can be configured to always run an application in a sandbox.
Someone using the free version who opts to sandbox an application is presented with a list of available sandboxes. In the screen shot below, there is only one, the ThrowMeAway sandbox. As noted earlier, this sandbox, which I named and configured, discards all system changes when the application running inside it terminates. Great for testing new software.
Sandboxie is a mature product, I've written about it before, and I recommend it.
A recent article at Maximum PC suggested a similar program called BufferZone Pro. I have no experience with it and found the vendor's explanation of the product confusing. BufferZone Pro is free for non-commercial use and uses the term "virtual zone" rather than sandbox.
Windows systems can also be protected by running Internet facing applications in a virtual machine, but this is a big step up in complexity compared to Sandboxie which offers its protection with relatively little disruption to the end user.
Perhaps someday, companies will run Linux on the bare metal and sandbox Windows applications in virtual machines. I'm not holding my breath.
As I write this, the full featured, commercial edition of Sandboxie costs $43.50 for home users. For this price, you get the right to install it on all the computers you own. And you only need to buy it once, you will not have to buy it again next year or when a new version is released. Commercial licensing is different.
That said, the free version has very few limitations and is an excellent place to start.
For the record, I have no relationship with the vendor, other than being a customer.