Spot The Difference
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
One way to test your powers of observation is to play the ‘Spot the difference’ game. That is where you have two pictures and you need to find the differences between them. Here is one from the LA Times.
This might be a little more difficult since it is reduced in size to fit, but zooming in might help. I’ll give you one difference. Look at the roll of paper towels.
This game can be made more difficult by increasing the number of objects, reducing the size of the objects, reducing the number of colors, and other techniques. This allows the puzzle maker the option of creating puzzles suitable for various ages. This gives a larger market. It also doesn’t require much more than patience and reasonable vision as prerequisites to play.
Here is another one:
|Column A||Column B|
If you don’t study the two columns closely you won’t see any difference. Hint: Zoom way in and you will see the differences in the 2nd and 3rd row. There is also a difference in row 1. Here is what the table above looks like in plain text.
|Column A||Column B|
The differences are not easily visible in the first table because of some display tricks. In row 1, the strange character is a soft hyphen. It is one of several invisible (not normally displayed in HTML) characters that are used for formatting. This article from Microsoft says:
Invisible characters do have legitimate uses. They are, for the most part, intended for formatting purposes: for instance, to indicate where to split a word when the whole word can’t fit on a single line. However, an unintended consequence of these characters not displaying like ordinary text is that malicious email campaign operators can insert the characters to evade security.
The ‘NOT’ in rows 2 and 3 is obscured by using a 1 point font. HTML allows for a 0 point font, so even zooming in would not help. I wrote this blog in Word and 1 point was as small as I could go. It is still pretty good at hiding what was there.
What is the malicious use of these legitimate formats? If your user gets an email that wants them to click on a link that looks like support.microsoft.com but, due to formatting tricks, is really NOTsupport.NOTmicrosoft.com.RU (rendered with the capitalized parts in a 1 point font, or 0 point in HTML, so only support.microsoft.com shows), that link will take them somewhere really bad. Also, the invisible characters can be used to mix up spam filters by changing keywords that would trigger the filter.
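The two tricks just described (text hidden by a 0 or 1 point font, and invisible format characters such as the soft hyphen) can both be checked for on the receiving side. The script below is an added example, not code from this blog or from Microsoft: it rebuilds the text a reader would actually see for each link in an HTML email, compares the displayed host with the host the href really points to, and reports keywords that only match once invisible characters are removed. The SAMPLE_HTML message, the 2 point threshold and the flag names are constructed for illustration.

```python
"""Added example: rebuild what a reader sees for each link in an HTML email
(dropping invisible format characters and text styled at 0-2pt) and compare
it with the host the href really points to.  SAMPLE_HTML is constructed."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr", "area", "col"}
_FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*(pt|px)", re.I)
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def strip_invisible(text):
    """Drop Unicode format characters (category Cf): soft hyphen U+00AD,
    zero-width space/joiner/non-joiner, bidi marks."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def is_tiny_font(style, threshold_pt=2.0):
    """True when an inline style sets a size nobody can read (0pt, 1pt ...)."""
    m = _FONT_SIZE.search(style or "")
    if not m:
        return False
    size = float(m.group(1)) * (0.75 if m.group(2).lower() == "px" else 1.0)
    return size <= threshold_pt

class LinkTextParser(HTMLParser):
    # Collects (href, raw_text, visible_text) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links = []
        self._stack = []            # (tag, hidden?) for each open non-void tag
        self._href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:
            self._stack.append((tag, is_tiny_font(a.get("style"))))
        if tag == "a" and self._href is None:
            self._href, self._raw, self._visible = a.get("href") or "", [], []

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:        # close back to the matching tag
                del self._stack[i:]
                break
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._raw), "".join(self._visible)))
            self._href = None

    def handle_data(self, data):
        if self._href is None:
            return
        self._raw.append(data)
        if not any(hidden for _, hidden in self._stack):   # outside tiny-font spans
            self._visible.append(strip_invisible(data))

def _host(url):
    return (urlparse(url).hostname or "").lower()

def analyze_links(html):
    """One finding per link, with flags a mail gateway could act on."""
    parser = LinkTextParser()
    parser.feed(html)
    parser.close()
    findings = []
    for href, raw, visible in parser.links:
        shown = " ".join(visible.split())
        flags = []
        if " ".join(strip_invisible(raw).split()) != shown:
            flags.append("hidden_text")         # tiny-font text inside the link
        if strip_invisible(raw) != raw:
            flags.append("invisible_chars")     # soft hyphens, zero-width chars
        if _LOOKS_LIKE_URL.match(shown):
            shown_url = shown if "://" in shown else "http://" + shown
            if _host(shown_url) != _host(href):
                flags.append("host_mismatch")   # displayed host != real host
        findings.append({"href": href, "href_host": _host(href),
                         "visible": shown, "flags": flags})
    return findings

def obscured_keywords(html, keywords):
    """Keywords that only match once invisible characters are removed."""
    text = re.sub(r"<[^>]+>", " ", html).casefold()
    clean = strip_invisible(text)
    return [k for k in keywords if k.casefold() in clean and k.casefold() not in text]

# Constructed sample: link 1 reads "support.microsoft.com" on screen but goes to
# NOTsupport.NOTmicrosoft.com.RU; "invoice" is split by a soft hyphen.
SAMPLE_HTML = (
    '<p>Visit <a href="http://NOTsupport.NOTmicrosoft.com.RU/login">'
    '<span style="font-size:1pt">NOT</span>support.'
    '<span style="font-size:1pt">NOT</span>microsoft.com'
    '<span style="font-size:0pt">.RU</span></a> or '
    '<a href="https://www.example.com/help">www.example.com/help</a>. '
    'Your inv\u00adoice is attached.</p>'
)
```

Run `analyze_links(SAMPLE_HTML)` to get the first link flagged as `hidden_text` and `host_mismatch` while the www.example.com link comes back clean, and `obscured_keywords(SAMPLE_HTML, ["invoice", "urgent"])` to see that "invoice" matches only after the soft hyphen is stripped. A production filter would normalize the same way before keyword matching and before comparing link text to link target.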
In this article, a phishing attack is described that uses a vulnerability in the UPS.com website to display a malicious page and feed a malicious Word document to the user. What makes this pernicious is the fact that if the user is checking URLs, they will see the legitimate UPS.com URL shown in the browser bar. As far as the user is concerned, what they are downloading is coming from UPS. This has since been fixed, but one takeaway from the article is this:
While the email sender clearly showed a suspicious domain, as the XSS vulnerability allowed the URL and download page to appear legitimately from UPS, many people would have fallen for this scam.
The bold and underline are mine. The point is that users need to be alert no matter how good the email looks. Things are being done in the background that they can’t see, and things that, if observant and careful, they can see. Even if everything looks good, suspicion is your best friend. Content can often be a clue. Is the request unusual (Buy gift cards)? Are the circumstances cited for action unusual (In a meeting, can’t be disturbed. Need this done ASAP)? Does the request violate policy (Change the wire transfer information on one person’s say so)?
As the bad guys get ever more creative, users need to become ever more vigilant. It would be great if we could install some magic gateway that would protect the users and the business from malicious traffic, but that is unlikely. Users who know what to look for, who understand what the correct policy is, and who understand the value of security will continue to be the last line of defense. They can do that as long as they can spot the difference between good and bad.