I would be very busy the week of Christmas, while IT security staff is probably operating at 20% normal strength. Not only is it the weakness in numbers, but also the holiday mood. How many of you are actually working full days? IDS logs – thats probably the last thing on your mind now that you have Guitar Hero III in the breakroom.
I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced untill it closes. Unfortunately, security is often thrown into that discretionary spending budget, making it easy on the bad guys for several months!
If I really wanted to spend Christmas with my family, I would just come back another time and phish employees…that works irrespective of season.
Phishing is now recognized as a 2007 SANS Top 20 risk, and rightly so. What I was even more excited to see is SANS calling out the countermeasure correctly. They didn’t recommend deploying millions of dollars worth of technology to “catch” phishing attacks, but said “user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness”. As I said in a previous blog post , we are in total agreement with SANS on the efficacy of this countermeasure. In fact we are so in agreement that we have developed a solution (https://cofense.com/) to do exactly that – run mock phishing attacks to test and measure employee awareness.
The development of our phishing attack emulation service, to be hosted at https://cofense.com/, is on target for a February 2008 release. We are in the midst of alpha testing at this time and hope to be ready for beta in January 2008. At that time, we will be opening up the service for free evaluation. If you are interested in being notified (via email) when the evaluation accounts become available please sign up at signup (we will not phish you 🙂 ).
If you’ve been noticing a little silence on the blog recently, it’s been because a lot of the ranting has been going into developing what we think is a great anti-phishing user awareness tool. Take a peek at our main site at www.PhishMe.com
Conducting ethical phishing attacks has never been easier. User awareness will be improved, enforced, and for the first time for many users, easy to measure and trend over time. You can sign up for the mailing list right now that will let you know when the full blown service is launched. We will be offering free trial accounts that will allow you to get a taste of the features and test out if a few of your users will bite.
Another key feature of PhishMe is the built in templates to make your job of crafting phishing attacks simple yet effective and modern. How do you think your employees would respond to a message about a “virus outbreak”. Will they just follow the instruction in an email without verifying any of the information? What about a message to update their HealthCare information on a new third party site? The number of people that fall victim to these types of attacks will make you wonder why hackers even bother with anything that isn’t social engineering.
Building employee awareness to social engineering attacks, like Phishing, is clawing its way up the CISO’s priority ladder; and rightly so. But, what good are aware employees if your customers can be directly targeted by such attacks?
A month ago, monster.com had to deal with a phishing attack that targeted their clients and did so with some success. Security experts commented in this USAtoday article urging job seekers to expose minimal data and blaming monster.com for not enforcing strong passwords. I don’t want to undermine the soundness of those suggestions. However, I don’t believe they will solve the issue at hand. How about educating your clients and users about such threats? Now some of you may argue that these educational campaigns that include informative blurbs on the website don’t really work. Agreed. Is it time we adopted an innovative approach of emulating a phishing attack against our clients and instantly educating those that succumb by explaining what the exercise entailed and the do’s and dont’s? Such exercises have worked effectively when educating employees; that should be proof enough of their efficacy. And yes, I’m sure your legal counsel would shed a few drops of sweat if you suggested this exercise. But then there were a few who reacted in similar fashion when the concept of network pen testing was introduced.
Monster.com was not a one-off target. Here’s another company responding to a phishing attack against its clients:
From:[email protected] [mailto:[email protected]] Sent: Friday, September 14, 2007 4:45 PM To: Subject: Fraudulent EmailsBeginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not. If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data.WHAT YOU NEED TO KNOW: Here is what you should be on the lookout for:
The subject line may read: “Agreement Update for [Your Company Name (Case id: ______)]” or “Complaint Update for [Company Name (Case id. #)]”.
The e-mail may have an attachment named either Agreement.rtf or Agree.rtfor may instruct you to “download a copy of your complaint.”
These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.
ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.
WHAT YOU NEED TO DO: If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.
WHAT IS ADP DOING ABOUT THIS: ADP’s security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.We appreciate your understanding as we work with law enforcement and you to resolve this matter.
Corporations have invested millions in security processes and technology. It’s time we focussed on the “people” factor. – Rohyt
A recent survey of over 279 IT Executives indicated that the greatest security challenge they faced was building an effective security awareness program and encouraging their employees to embrace it. Employees, albeit unaware, oblivious or unconcerned, continue to fall prey to conniving social engineers compromising sensitive data protected by millions of dollars worth of technology. The return on investment on building user awareness is apparent and no longer a hard sell for IT security staff. The real problem lies in building an effective program that actually changes the mindset of the employees. In a society where 90% of recovering coronary bypass patients do not change their dietary and lifestyle habits, will an awareness program really change their attitude towards information security?
This year we conducted numerous social engineering exercises for Fortune 500 companies, whose success relies heavily on the protection of intellectual property. These exercises involved scripted telephone calls to the organization’s customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data; the results were astounding. At one organization, 627 of the 1000 people targeted by phishing emails (aimed at pilfering the employees’ corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff. It’s not so much those statistics that made the results astounding, but the fact that the organization had recently conducted user awareness workshops that addressed the threats posed by social engineers. So where did they go wrong? Are the information security personnel to blame for developing ineffective programs or the employees for their lack of following direction? I believe it’s a combination of both; but the information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that make a lasting impression. The majority of the security awareness sessions I’ve attended whave been unstimulating affairs couching the do’s and don’ts of security. Another approach used involves mandatory computer based training (CBT) programs for employees. At the end of the CBT session the employees had only improved their mouse-click speed. On the other hand, an approach I’ve found to be very successful entails sending out email to all employees (or to a representative sample of them) that mimics a true phishing attack aimed at garnering personal information. If the employees yield, they are immediately presented an informative message explaining the attack and redirected to the corporate awareness materials. This approach has proven to be very effective as the people who are most vulnerable are educated right away, and the next time a real phishing attack comes through, the emulation exercise will probably be the first thing that comes to the employee’s mind. One of our clients experienced a drop in the “hit rate” for such attacks from 67% to 4% over the course of three such phishing exercises!
I’m sitting at Dulles airport right now, at gate C19, on my way to Vegas. I’m excited to catch up with friends and colleagues at BlackHat this year. I realized a few days ago that my 81 slide presentation for DefCon isn’t for a 75 minute slot.. instead I’ll be trying to fit it into a 50 minute slot! Wish me luck!
Public Wifi is so dicey… I would never use it for anything other than entertainment during delays. If I need to get work done I hop on EVDO. Captive portals are everywhere… and if you pay much attention to security you probably know how easy it is to MAC change and steal wireless services. These captive portals are interesting to me because the service is so dangerous to use. One bad guy with Cain and Abel can really wreck havoc.
T-mobile hot spots are no longer the only targets – ATTWIFI, pcswifi, and others are all fighting over this precious spectrum. I decided to check out the other captive portals to see if they are doing anything better then MAC address authorization. Look what I ran into:
What is “Other Provider”? Intrigued I put in some bogus credentials to see if the next screen would prompt for a non-listed hot-spot service provider like Boingo. Nope… I just got an authentication failure screen. I wonder how many users will supply AT&T with non-AT&T credentials. Not good AT&T. You shouldn’t have an “Other Provider” category.
On June 19th a spoiler for the next Rowling book Harry Potter and the Deathly Hallows was posted to the full disclosure mailing list:
http://seclists.org/misc/harrypotterspoilers.html (WARNING: If you’re a Harry Potter fan you may want to hold off reading it.) The spoiler was nothing more than a summary of which main characters allegedly die in battle with Voldemort and other rivals.
What is more interesting is how this book was allegedly obtained. The author of the messages claims he launched a phishing attack against Bloomsbury Publishing.
“The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.”
The claim is that a spear phishing attack was executed against Bloomsbury Publishing staff. Was Bloomsbury Publishing really phished? This telegraph.co.uk story: “Harry Potter ‘hacker’ posts plot on internet” has a quote from a Bloomsbury spokeswoman, “There are lots and lots of rumoured versions of the book (on the internet). We don’t confirm or deny any rumours.”
Did the Bloomsburg phishing attack really happen or was it a hoax? https://cofense.com/ doesn’t know but one would think that if this hack really did happen over a month ago, that the Harry Potter and the Deathly Hallows would be all over bittorrent. I checked a few tracker sites before starting this blog post. All the claims on Demonoid were that the 5 available Deathly Hallows books were either hoaxes or ……..
********** BREAKING NEWS **********
Demonoid has removed all of the hoax torrents and only this one remains:
“I found this on another site, for those of you who simply can’t wait. It only includes the book up to pg.495. But at least now we can compare the fakes to the real thing. Enjoy and remember to seed!! ”
This one appears to be someone who has taken digital photos of 495 pages. Now that is someone dedicated to their piracy!
********** END NEWS **********
So it seems that there is still no official full copy on bittorrent but it’s only a matter of time.
“it is conceivable that a successful download-based exploit was launched, according to a member of the hacker community, who asked that his name not be used. He pointed out that hackers have begun to carefully target companies and market segments. A well-crafted attack that uses correct names and titles, and spoofs a sending address from a partner firm, can be highly effective.”
For the record, it’s beyond conceivable, it’s happening now. In the recent incident response projects that we’ve worked the attack vector used to gain a foothold into the organization is a targeted phishing attack. It’s not just a problem for the commercial world either.
Do you think that the DOD is requiring mandatory anti-phishing training because they fear that they might get hacked using this method? Check out this quote from this DOD battles spear phishing article:
“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states. “
It’s too bad that external penetration testing no longer mimics the ways that attackers are getting into organizations. If you’re responsible for commissioning an external penetration test against your organization, maybe it’s time to do more than full TCP/UDP port scans (*Think social engineering). Today’s myspace generation of attackers don’t even know what UDP is.
We’ve all heard there’s no such thing as a free lunch, but this is not always easily remembered when online. The latest example of that is the number of iPhone related phishing messages that had flooded my inbox while I was on vacation. Some of the links didn’t even need to claim it was a ‘free’ deal; just a site claiming to have the cool tool in stock was enough to get clicks.
Of course this is nothing new. Go back and replace ‘iPhone’ with ‘Wii’ or ‘PSP’ or ‘Nano’ and you get similar results. As a gadget geek, I’m always at least a little tempted when I see one of these deal emails come in. I think back to the few times I have gotten a free lunch from the Internet borg, free speakers from some early online music start up or free Microsoft discs from a Vista promotion. It’s not far fetched to believe that some new start up is blowing their marketing wad to ride the wave of the latest ‘gotta-have-it’ item. But like they say “if it sounds too good to be true, then it probably is not”… And then multiply by 3.14 to take into account the Internet factor 🙂
Damn you, spammers! I think you may have found my weakness.