Data Sheet—Saturday, November 19, 2016

Nov 19, 2016

Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest pre-occupation was plain old e-mail.

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing," Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source.

He has a point. The John Podesta email debacle began when the politico fell for a fake Gmail message, and those celeb-gate hacking victims likewise got tricked by phishing. So what can we do about it?

Education is one approach. Johnson says his agency sends emails to its own employees with suspicious links for goodies like "free Redskins tickets." Those who click on the link receive instructions to show up to a spot to collect their tickets—where they instead receive a free lesson on cyber-hygiene.

And of course technology is another way to fight phishing. At the security event, Manhattan District Attorney Cyrus Vance announced that the non-profit Global Cyber Alliance had created a free tool to help organizations install DMARC software to detect fraudulent and spoofed messages.

"Phishing—mundane as it is—is the biggest threat we face and need to tackle," said Vance, who added that, after terrorism, cyber-security is New York's top priority.

Meanwhile, the phishing plague means security firms like Proofpoint are doing a roaring trade in helping companies navigate new twists such as "angler phishing" (yes, it's named after Finding Nemo) that rely on contaminated social media links.

So readers, be careful what you click—though do click on some of the good stuff we have below to get up to date on the latest cyber news. (We're light on fin-tech items this week but, in light of the Coinbase-IRS news, you bitcoin buyers are probably too busy fretting about an audit).

Jeff Roberts

@jeffjohnroberts

jeff.roberts@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune's daily tech newsletter. You may reach Fortune reporter Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Get your head out of the iClouds. iPhone owners can lock down their device from outside eyes — even those at Apple. But iCloud has always been a different story. Those who enable it (ie most of you) put their data in an online warehouse that ran be raided by the FBI and others. Now, it turns out this data also includes call logs and FaceTime meta-data. (Fortune)
This is Poison Tap. It's about as sinister as the name suggests. A hacker famous for his low-cost exploits has built a $5 card-sized device that, when plugged into a computer's USB port, can intercept all its unencrypted web traffic. It works even if the computer is locked with a password. (Ars Technica)
Cheap-o phones call China for free. There's lots of reasons not to rely on $50 Android phones, but here's one more: researchers found many of the devices sold in the US come with a built-in backdoor that transmits your text messages to China every 72 hours. (New York Times)
Name - and shame! - that device: IT Security firm Zscaler helpfully scanned IoT devices in use by its enterprise customers and said which ones are insecure. So take a bow, Chromecast and Roku, you're all good. Wish we could say as much for these popular makers of printers, TVs, DVRs and security cameras. (Zscaler blog)
Give me the good (and bad) news. Well, you can be glad DDoS attacks are not on the rise. What a shame, then, that they're increasing in severity. A new Akamai report cites a record number of "mega attacks" in the last quarter, powered in part by the Mirai botnet. (Fortune)
Oh, and if there are any Edward Snowden haters out there, this expletive-bomb headline will make your day.

Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/

Looking for previous Data Sheets? Click here.

ACCESS GRANTED

Robert and I got an exclusive tour of New York City's brand new cyber-crime lab, where we saw forensic detectives crack phones and catch crooks.
Fortune got a glimpse of Law & Order in the digital age. The lab is Exhibit A in how America’s biggest city is embracing big data analytics and a dash of hacker culture to solve complex crimes ...
Visitors turn their attention to the spectacular array of electronics contained within. Circuit boards, hard drives, wires, soldering irons, and phones of every make and model are strewn about eight workstations.
Read more on Fortune.com

ONE MORE THING

Wikileaks wigs out and so does the cat. The world of Wikileaks and Julian Assange is a screwy, squirrelly place at the best of times. But lately the wiki-geeks are wigging out over alleged oddities in the hash system that forms part of a "dead man switch" for Assange. Oh and his cat is now wearing a tie, really. (New York mag)

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions