By Kate Fazzini
A recent spate of incidents involving spoofed email exchanges between senior leaders at large global banks and a self-described “prankster” makes clear one of the most pervasive concerns around cyber risk: overcoming the power of “social engineering” requires a carefully calibrated combination of technology and white-glove security training.
Over the course of the last two weeks, the prankster, calling himself or herself “Sinon Reborn,” posted email exchanges to Twitter with top executives from Goldman Sachs & Co., the Bank of England, Barclays PLC, Citigroup Inc. and, most recently, Morgan Stanley Group Inc.
The prankster used spoofed email addresses to masquerade as known associates to the executives, including members of their respective boards of directors, a form of social engineering. The conversations ultimately posted to Twitter were notably innocuous, the kind of small talk businesspeople fire off to one another numerous times throughout the day. The humor, as it were, appears to lie mostly in the fact that the high-ranking executives responded at all.
In this series of pranks, the typical email filtering tools used by banks did not block the messages, and the executives were able to reply without apparently receiving any warning about the spoofed sender. How this happened is unclear; representatives of the affected institutions declined to comment or could not be reached for this story.
In addition, the use of “sandboxed” or segregated email apps, a standard of mobile security, may have backfired. According to those familiar with the events, the applications in some cases displayed only the sender’s name and not the email address behind it, so it would have been difficult, if not impossible, for the executives to see that the message came from a fake address.
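The failure described above, a client that shows the display name but not the address behind it, is the gap a simple header check closes. The following is an added example (not code from the article or any of the institutions named): it parses the From: header, compares the display name and address against a constructed directory of known contacts, and renders what a client should show. The contact directory and sample headers are constructed.

```python
"""Flag display-name impersonation in the From: header (added example)."""
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> expected address.
KNOWN_CONTACTS = {
    "Jane Director": "jane.director@example-bank.com",
    "Sam Chair": "sam.chair@example-bank.com",
}


def classify_from_header(from_header: str, contacts=KNOWN_CONTACTS) -> str:
    """Return 'trusted', 'impersonation', 'unknown' or 'malformed'."""
    name, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return "malformed"
    expected = contacts.get(name.strip())
    if expected is None:
        # No known display name: fall back to matching the bare address.
        known_addrs = {a.lower() for a in contacts.values()}
        return "trusted" if addr.lower() in known_addrs else "unknown"
    # Display name belongs to a known contact: the address must match exactly.
    return "trusted" if addr.lower() == expected.lower() else "impersonation"


def render_sender(from_header: str) -> str:
    """What a safe client should show: name AND address, never the name alone."""
    name, addr = parseaddr(from_header)
    return f"{name} <{addr}>" if name else addr


# Constructed sample headers: a genuine one, a spoof reusing the display name,
# a bare known address, and a stranger.
SAMPLES = [
    "Jane Director <jane.director@example-bank.com>",
    "Jane Director <jane.director@example-bank-mail.com>",
    "sam.chair@example-bank.com",
    "Unknown Person <someone@example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_from_header(header):14} {render_sender(header)}")
```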
“People were laughing at this story, but it’s a serious matter. Literally every day we get emails like this from people we know,” said Matti Kon, chief executive of InfoTech Solutions for Business, a security software company based in New York. “If I get an email from one of those who works with me, who is close to me, and he has the spirit of the person I know well, I may suffer from it also.”
Education on Confidence Artists
The limits of technology, then, must be matched by both education and a personal security strategy for high-ranking executives, said Scott Vernick, a privacy and data security partner with law firm Fox Rothschild LLP.
“Some executives pride themselves on being accessible, and there are limits to what certain individuals will or won’t tolerate in terms of limiting contact,” said Mr. Vernick. “But, in training we do for family offices, for executives, their immediate staff, is to make yourself less available.”
This includes not publishing email addresses, or maintaining a separate, difficult-to-guess corporate email address for interactions with personal friends and key business contacts. Maintaining limited social-media exposure is also key, including not posting many personal details on platforms like LinkedIn or Facebook. “In fact, we try to keep people away from Facebook altogether,” he said.
Top executives, particularly in the financial sector, often receive “white glove” technology services, security services and specialized training. At a business of any size, Mr. Kon said, training should focus not just on the sterile-sounding social-engineering tactics that hackers use but should perhaps be reframed around the tricks of confidence men—some of which are age-old—that have simply now gone digital.
“It’s not so much a computer issue, technology plays a part in it, but in all [businesses] con artists come to the door,” he said. “In this case the con artist didn’t really want to cause any damage it seems, but just wanted to play a prank.” That’s obviously not usually the case, he said, and as a matter of course very targeted education should continue and evolve at the executive level to help key leaders protect themselves against such attacks.
He referred to news regarding Facebook Inc. chief executive Mark Zuckerberg, who reportedly had email and social media accounts breached more than once last year.
“Even the smartest people in the world who know and understand security fall victim to this, but they still need to remember the possible damage and the risk,” said Mr. Kon. “Because as with, ‘see something, say something,’ if there is a bag left on a bench, we depend on people who are paying attention and will notice it.”
(Kate Fazzini writes about cybersecurity for WSJ Pro. She has held roles in cybersecurity at Promontory Financial Group and JP Morgan Chase & Co., and is an adjunct professor of cybersecurity at the University of Maryland, teaching cybersecurity for business and government. Write to Kate at firstname.lastname@example.org.)
Fortanix Raises $8 Million for Encryption Technology
By Cat Zakrzewski
Fortanix aims to protect applications for companies, using encryption technology to secure them both in the cloud and on-premises servers.
The startup said on Wednesday it has raised $8 million in Series A funding from Foundation Capital and Neotribe, a new firm founded by former NEA partner Kittu Kolluri.
The Palo Alto, Calif., company had previously raised an undisclosed seed round from Foundation Capital.
Fortanix Chief Executive Ambuj Kumar said that the way companies approach security today is broken. “Most security companies today, they either try to tell you a breach has happened or they will create an alert that a breach is about to happen,” he said.
He said Fortanix’s technology is preventive. “If you use run-time encryption, you will never get breached,” Mr. Kumar said.
The company’s encryption could be breached, however, if there was an error in the company’s code, he said. The company is constantly testing its code to make sure there are no holes that could be exploited, said Mr. Kumar.
The company’s technology is designed to allow applications to process data without ever exposing application code to the operating system or other processes.
EDITOR’S NEWS PICKS
Q1 Salary Figures: A typical senior cybersecurity specialist working in the U.S. during the first quarter of 2017 was paid an annual salary of $118,887, according to research highlighted by SC Magazine. Non-senior cybersecurity pros are on track to take home $100,279 this year, and the ongoing demand for qualified cybersecurity talent is likely to continue driving salaries up, experts said. Recent research determined the number of open cybersecurity jobs could exceed 3 million positions within five years.
Unhealthy DMARC Adoption: Only six of the 50 largest hospitals in the U.S. are moving to adopt the Domain-based Message Authentication, Reporting and Conformance standard, an anti-phishing protocol known as DMARC, according to research to be unveiled Thursday by the Global Cyber Alliance, a not-for-profit agency dedicated to raising awareness about best security practices. Of the 48 largest for-profit hospitals, at least 22 have deployed DMARC in a limited capacity. The DMARC standard has been widely praised throughout the security community, although the difficult installation process and wonky controls mean the protocol has not taken hold with many companies outside the financial sector.
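“Deployed in a limited capacity” usually means a record published with a monitoring-only or sampled policy, which still lets spoofed mail through. The following is an added example (not code from the article or the Global Cyber Alliance) that parses a DMARC TXT record and classifies how much protection it actually enforces. The sample records are constructed; in practice the record is the TXT record at _dmarc.<domain>.

```python
"""Classify a DMARC record by enforcement strength (added example)."""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: str) -> str:
    """Return 'invalid', 'monitor', 'partial' or 'enforcing'."""
    tags = parse_dmarc(record)
    # RFC 7489 requires the version tag and a policy (p) tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"       # aggregate reports only; spoofed mail still delivered
    try:
        pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "reject" and pct >= 100:
        return "enforcing"
    if policy in ("quarantine", "reject"):
        return "partial"       # quarantine, or reject applied only to a sample
    return "invalid"


# Constructed sample records, in the order a rollout typically moves through them.
SAMPLES = {
    "no-policy":    "v=DMARC1; rua=mailto:dmarc@example-hospital.org",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.org",
    "sampled":      "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example-hospital.org",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example-hospital.org",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:13} -> {classify_dmarc(record)}")
```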
Sneaky Security Sellers: Analysts from Forrester Research are warning business leaders to beware of cybersecurity vendors that rely on buzzwords to sell their products. There’s a real need for effective, up-to-date software, Forrester notes, but when so many say “they’re using artificial intelligence or machine learning for detection, security decision makers are left shaking their heads, trying to figure out what’s real and what’s not.”
Privacy Or Pizza: Web users say they put a high value on their internet privacy, though a comprehensive new study from the Massachusetts Institute of Technology has determined that few people are actually willing to go through the necessary steps to protect themselves online. Researchers told The Register “virtually no one reads” privacy policies, enabling companies to gather and analyze sensitive data “with very few legal boundaries.” Moreover, while many survey respondents said they value keeping their email address private, most proved willing to give up a friend’s email in exchange for free pizza.