Archive for the ‘Phishing’ Category
Tuesday, May 7th, 2013
Spring. For some it signals rejuvenation, rebirth, everything blooming… but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.
This email sent to Kansas State students attempts to elicit login and password information.
In the higher-education arena, hackers want to infiltrate universities in order to steal credentials, gaining access to user accounts so they can send spam from those accounts or use university resources. (Here is a recap of the phishing problems higher education faces: http://blog.phishme.com/2012/05/educause-2012-spc-quick-review/ ) Take this recent attack on the University of Illinois as an example. Consequently, the most common phishing tactic college students face is a simple solicitation of login credentials in the body of the email. Kansas State provides examples of phishing attacks sent to its users (see the image to the left). Slightly more capable attackers may provide a URL taking recipients to a phony landing page that appears to be from the IT department.
University-focused spear phishing attacks typically don’t employ a high level of sophistication. Attackers are not packing malware or setting up masked command and control to go after students and faculty. (At least, that is what the publicized incidents show. It doesn’t mean that there are no advanced threat actors targeting university grant-based R&D, hospitals, fundraising and endowment investments.)
Enterprises face much more varied and dangerous risks, as cyber criminals, nation-states, and hacktivists are all targeting their intellectual property and sensitive information. In addition to the data entry tactics, employees at large organizations receive highly targeted and customized spear phishing emails containing malicious links and attachments. Adversaries use a variety of continually evolving social engineering techniques, such as conversational phishing, to trick recipients. A young employee who has never received a targeted phishing email may not realize how adversaries gather details to write emails tailored to the recipient and organization, nor understand the implications of clicking on a malicious link or attachment. They may think they know what spear phishing is based on university security awareness campaigns. Furthermore, this generation of new workers is extremely connected through social media, providing attackers with ample information to use in targeted emails.
New employees – whether young or experienced – may also think their role is not significant enough to merit receiving a targeted email, or that security isn’t their responsibility. Last fall, PhishMe commissioned a poll that revealed almost half of all respondents were more concerned about being phished at home than at work. There is definitely a prevailing notion in the workforce that security is the IT department’s concern, a view some in our industry recklessly share. As they begin their jobs, this year’s graduating seniors will undergo a great deal of training, both formal and informal, so why shouldn’t security be part of that?
This post isn’t intended to pick on graduating seniors, as they are no different than any new employee in many respects. For instance, if you are a defense contractor that is constantly bombarded with phishing emails, any new employee may require training, regardless of experience. This is why it’s important for security awareness to be a continuous process throughout the year. When security awareness is part of your organization’s culture, the security risk posed by new employees can be more easily mitigated.
One of the many pre-built training modules included in PhishMe focuses on educating new employees about the differences between the consumer focused phishing they are used to receiving, and the enterprise-focused spear phishes targeting employees. Typically this content is reserved for PhishMe customers, but we wanted to share an example in this case:
–Aaron @higbee
Tuesday, April 23rd, 2013
When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140-point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password, for that matter).
If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication as well, but the underlying tactics would remain the same. Even if a session cookie expired every few hours (for Twitter it is days, not hours or minutes), the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked; it’s how a hacker would attack Twitter if it had 2-factor authentication):

For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use 3rd party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account.
This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it also raises the question of how far it should go. Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem?
The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers.
–Aaron @higbee
Friday, April 12th, 2013
A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing. The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls. Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization. This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.
Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.
If you have trained your entire user base on the variety of techniques used in spear phishing emails, they will be able to recognize and respond to attacks, even highly personalized and targeted ones. Basically, a well-trained user base that knows how to properly react to phishing emails will keep your enterprise prepared as cyber criminals, nation states, and hacktivists continue to refine their tactics to get past technologies designed to stop them. Regardless of what kind of tactics they use, the core goal of a phishing email is to trick the human – getting past technology is just a roadblock. This fits in with the points Aaron made about “sophisticated” attacks in our last post. A savvier user base makes “longlining” not quite as scary as it’s made out to be.
In addition to dramatically decreasing the attack surface, increasing employee awareness increases user-reported incidents, which provides incident responders with near real-time information about attacks. This additional source of information can have a significant impact on mitigation and containment strategies and allows responders to focus on proactive measures.
A thriving user reporting program could be especially useful when an enterprise is hit by a longlining attack. According to ProofPoint, “longlining” means that in a matter of hours, adversaries “can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security.” If security administrators are aware of phishing attacks as they happen, they can react faster and limit the damage of an attack.
This doesn’t dismiss the need for technology solutions (as we’ve discussed before), but highlights the never-ending cat-and-mouse game that email security has become. In the end, an aware workforce is still the best way to fill the technology gaps exploited by “new” phishing techniques like “longlining,” and will continue to be a CSO’s most pervasive and effective weapon against advanced threats.
Monday, March 18th, 2013
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.
All of this has created the impression that we are constantly under attack by some spooky, mysterious, sophisticated adversary. And while everyone seems to agree that the attacks are sophisticated, we still don’t have a real definition of what it actually means to be sophisticated.
The recent APT1 report from Mandiant® provided us with a wealth of information to process (discussed in our blog post here) and it could help us pin a definition on the elusive meaning of sophisticated.
According to the report, APT1 is a well-organized group that has most likely operated with significant financial backing from the Chinese government. The scale of APT1’s operations, Mandiant said, would require the backing of a sophisticated organization. Suffice it to say that being backed by the government of the most populous country in the world means there is a pretty high level of sophistication in the organization of APT1, but when it comes to their tactics, their level of sophistication is more cheap yellow mustard than Grey Poupon. (Anybody else notice that APT1 was using tools right out of Hacking Exposed books? You have to wonder…) Mandiant has been clear on this position: APT1 wasn’t the most capable in terms of technical showmanship. And they didn’t have to be.
First, as the Mandiant report noted, APT1 (and most cyber criminals and nation states) uses spear phishing as its preferred method of entry. Carrying out the phishing tactics described in the report doesn’t require a CS degree from MIT. Packed executable malware in zip files? Not Sriracha, but total Weak Sauce. Would anyone consider registering a free webmail account under the name of a company’s executive and sending out fake emails to be sophisticated? Furthermore, this has been a common tactic for years, so even if it were highly sophisticated, users should be made aware of it.
The conversational phishing tactic described in the APT1 report and in our previous blog posts is another effective, yet minimally sophisticated, tactic. Is it highly sophisticated to respond, “It’s legit” when a recipient questions the email’s authenticity? It would be pretty difficult to craft a more simplistic response than that. In this case, it’s not difficult to educate employees to verify an email via phone or in person rather than through email if they question its authenticity.
Phishing tactics are constantly evolving, but there are ever-present characteristics that identify them. A user base that questions unexpected emails, verifies suspicious emails through alternate means, is wary of attachments and links in emails, and knows to avoid giving out login credentials is going to be resilient to the attack vector preferred by the “sophisticated” adversaries we keep hearing about.
All phishing emails, regardless of the techniques they employ, are trying to exploit human nature, meaning that continually educating a user base to be vigilant can prevent a majority of attacks from succeeding. Technology may change, but human nature has remained constant. This is why so many phishing emails appeal to greed or fear.
So maybe phishing itself isn’t highly sophisticated, but shouldn’t anti-virus protect against the simple threats? Not necessarily. With the current state of AV, a hacker merely needs to mildly tweak their code packer to avoid detection. These aren’t ultra-complicated techniques; AV will only protect you against yesterday’s threat.
One thing I have always wondered is why the “sophisticated” malware linked to a public breach isn’t released to the public. If this stuff is indeed so complex and difficult to defend against, shouldn’t we share it with the best and brightest in the industry, so they can analyze the malware? Could the payloads be less sophisticated than we’ve all been made to believe? It would be very instructive for the security community if we could have access to the malware and decide for ourselves what constitutes a sophisticated capability.
In summary, these sophisticated threats are sophisticated in the sense that they are highly organized and have significant resources at their disposal, but the tactics they employ to breach networks are not anything mysterious or too hard for us to defend against. Sure, a zero day exploit might be scary, but, even the best zero day in an email or booby trapped URL can be avoided by an educated user base.
I’m not sure how long organizations are going to be able to wave the “way-too-Sophisticated” flag and get a pass. Maybe one day we will have an open review and create a Sophistication Rating System.
I propose a Sophistication Rating System… the SRS
Scale from 1 to 10:
10: New, custom stuff with zero days
5-6: Average well known Trojan packed with new packing method
3: Just your average Zeus Trojan packed easily or with known packing tools
1: a simple unpacked Trojan…
I wasn’t sure if I even wanted to blog about this. Shouldn’t I just be grateful that these breached organizations are brave enough to publicly disclose? Am I nitpicking about the use of the word sophisticated or are others feeling the same way?
–Aaron Higbee @higbee
p.s. I’m a big fan of the Contagio Malware Dump. Thank you for the good work you do.
Thursday, March 7th, 2013
“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.
This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.
One important thing to note about this feature is that it is intended for our veteran customers who already have mature PhishMe programs in place. This is for a user base that is already resilient to basic phishing tactics. At PhishMe, we’re proud to not only provide our customers with new features, but to have a customer base mature enough to demand them. Just as the “P” in APT stands for persistent, our customers need to be persistent in training their user base, and the Double Barrel will allow our customers to enhance their already successful programs in a meaningful way that addresses a real world problem.
Just as the name suggests, the Double Barrel allows our customers to send not one but two phishing emails in each campaign. A Double Barrel scenario sends one benign email (the lure) that contains nothing harmful and doesn’t solicit any response from the recipient. It could be a friendly introduction such as, “Hello, we met at XX Conference last week, I have a report I’d like you to review, I will send it over shortly.” An hour or so later, the aforementioned report arrives, just as promised.


Double Barrel scenarios can be customized to swap delivery order (sending the lure after the malicious email), stagger the delay between emails, and flag one or both emails as “Urgent.”
As with all other PhishMe scenarios, Double Barrel features a bevy of content developed by our team and based on our real world experience:

– Aaron Higbee
Tuesday, January 8th, 2013
With 2013 upon us, it will be a busy year at PhishMe, as we are already scheduled to appear at around 70 events. That means another year of heavy traveling for our sales and marketing team. While it’s definitely exciting to visit new places and introduce new people to PhishMe, as with anything else in life, there are risks involved. Does your organization have employees that travel frequently? If so, they are probably being targeted by phishers.
Employees that are constantly on-the-go receive a slew of emails confirming reservations and itineraries (we speak from experience), and are thus easy targets for phishers. For example, a busy employee has an upcoming flight and receives an email warning of a schedule change. A change could throw off the schedule for a critical meeting, so this email has appealed to emotion by threatening to disrupt important plans. From reading Twitter posts, the criminal knows what airline an employee is traveling on, and that the flight leaves early in the morning. From the airline’s website, the criminal can deduce the exact number of the flight the employee is taking. Perhaps this criminal even knows which conferences your employees are traveling to and which hotel chains your company uses, and can tweak an email to be very specific and accurate.
This threat is real, and major airlines have been warning customers. Delta Air Lines issued a warning to customers about a new phishing attack that claims the recipient has purchased a Delta ticket, a credit card has been charged, an invoice/receipt is attached to an email, or a website may offer free flights for following or liking an account.
US Airways has issued similar warnings, and American Airlines maintains a page with phishing warnings and tips for its customers, including examples of recent phishing emails (many of them appearing quite genuine) that customers have received. American’s page in particular offers a great resource, but is skimming that page as effective as an immersive training exercise delivered to your employees’ inboxes?
By implementing a PhishMe program at your organization, you’ll empower your employees to recognize the signs of a phishing email, giving them the knowledge to properly react to those emails without slowing down their travel schedule or compromising your organization’s network.
Wednesday, November 21st, 2012
If you’re like me, then the idea of fighting the midnight crowds on Black Friday holds limited appeal, even if it means getting an 80% discount on a big screen TV. But thanks to Cyber Monday, people can get ridiculous deals without peeling themselves away from their computers – or offices.
The convenience of scoring a deal from your desk has made the Monday after Thanksgiving the biggest online shopping day of the year, with sales expected to top $2 billion. However, just because we no longer have to risk being trampled, shouted at, or otherwise sacrifice our dignity to get a hot deal, it doesn’t mean that Cyber Monday is entirely safe, and enterprise networks are not immune from the dangers.
Unlike Black Friday, Cyber Monday occurs during the workweek, which means much of the bargain hunting will occur during work hours, and across enterprise networks. These scams may be targeting consumers, but criminals are still trying to use them to gain access to corporate networks and the sensitive information they contain.
Cyber Monday’s proximity to the Thanksgiving holiday makes it even more dangerous for enterprises. Thanksgiving is one of the heaviest phishing days of the year, as phishers take advantage of understaffed operation centers to send out phishing attacks at a rate 336% greater than average, meaning that when employees are sifting through their emails on Cyber Monday, there’s a much greater chance a phish will be waiting for them.
If Black Friday has taught us anything, it’s that people will do crazy, unruly, outlandish, unspeakable things to score a sweet deal on a pair of Ugg boots or a set of new power tools. An online deal is no different, and many normally rational people will abandon caution when an email with a link to a deal for a $99 Xbox crosses their inbox.
The danger in online shopping is also no longer confined to computers. According to McAfee, Americans are using mobile devices for shopping in ever-increasing numbers, with 1 in 4 Americans planning to shop using a mobile phone or tablet this holiday season. With many organizations adopting Bring Your Own Device (BYOD) policies, mobile phishing scams pose a great risk to companies as well, as that text offering a coupon by clicking a link could open the door to the company’s network. In fact, the FBI issued a warning about mobile malware just a few weeks ago. Add to that the growing number of malicious links and scams being sent over social media, and employees are never far from a phishing scam.
In an ideal world, employees would never use a corporate machine or network to conduct personal shopping. In the real world, however, the best defense is an educated workforce that can properly recognize and react to a phishing scam. The good news is that whether it’s Cyber Monday or any other major event that attracts phishing scams, the same rules for staying safe apply. Will your workforce be ready?
Friday, August 31st, 2012
I read Aitel’s article right before leaving for BlackHat: “Why you shouldn’t train employees for security awareness”
Popcorn in hand, this should be a fun read. After all, we agree that traditional awareness methods don’t seem to be sticking.
…
Reading… a phishing mention, ok good …
hrm …
“It’s a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk”
Wait what?!@#
…
A hit piece about security awareness with a sole focus on spear phishing.
“You talkin’ to me? You talkin’ to me? Then who the hell else are you talking… Well I’m the only one here.”
I wasn’t convinced the article wasn’t an elaborate troll, but CSO prodded, and Aitel reiterated. Most recently he was on a panel for PaulDotCom’s episode 300 and stuck to his original script. In the Security Leadership » Security Awareness section of CSO Online, these two articles have 80+ comments. The past ten articles combined (excluding these) have a grand total of three comments. Over-the-top opinions get page views. So here we go.
A phishing pentest is a waste of money
That statement aims squarely at the profitable pentest service line and kneecaps the zing from the juicy report that’s needed to sell next year’s assessment. It also irritates the mercenary face punchers when they have to go back to traditional attack and report work. Pentesters pay good money for point-and-clicky exploit tools. Who am I to cripple a feature set and spoil their fun? A report about how you weren’t able to break in flounders, while one about how you were able to trick employee X into clicking Y leading to compromise reads like a slasher novel. A pentester needs to deliver a thriller in order to level up in the customer’s security budget. Phishing does that nicely.
Any organization who believes they need to spend money to find out if they are vulnerable to spear phishing needs a new CSO.
“I felt like destroying something beautiful.”
I’m the last person to rehash the “there is no value in pentesting / pentesting is dead” debate. Security needs testers who are motivated by the sole desire to destroy something beautiful. I employed a team of face punchers at Intrepidus Group who enjoy their job thoroughly. I’ll be the first to tell you this type of person is not who you want implementing and executing defensive security policy and strategy for your enterprise network. They punch faces and write reports.
It’s no wonder a number of passionate network defenders took issue with the article’s advice. Not only is a phishing pentest a complete waste of money, it squanders and taints a valuable teaching opportunity that could be used to improve security. Emotional beings don’t like to be penetrated for the sake of penetration. They’re fragile, very fragile! I have a list of organizations who can’t use the PhishMe method because an overzealous pentester went over-the-line!
PhishMe.com!# TURF WARS
The original article hits, heart rates increase, copy-cat services moan. Commenters comment, the twittersphere tweets, bloggers blog, and the dust settles. The responses were what I was expecting. It was good to see PhishMe customers chime in with their true-to-life experiences completely dismissing the article. The most disappointing commentary (yet not surprising) was the twitter echo chamber of offensive testing curmudgeons piling on with no experience making a meaningful impact to the security defense of an organization to speak from. Donny you’re out of your element!
It’s a simple matter of turf. PhishMe forces the intersection and commingling of the offensive and the defensive.
There is something about the PhishMe method that rubs pentesters the wrong way, and this won’t be the last time we have them reaching for Alka-Seltzer. In the hierarchy of security industry egotism, face punching and popping shells is the most visible. There are no high fives or pelvic desk thrusts for blocking-tha-shit-out-of-packets. Along comes PhishMe looking hotter than the bride on the wedding day. “Social Engineering!?!—that’s my job!” I don’t expect face punchers to give up selling phishing tests. I just want them to stop getting the practice banned by screwing up the delivery.
“I live my life one EIP register at a time…“
The article’s bulleted suggestions of what organizations should be doing instead of phishing awareness training just go to show how disconnected the offensive mind can be. ***Breaking News: *** Those suggestions: They are already doing them! If you define success or defeat in digital defense by code execution on a single internal host, then reducing your employees’ phishing susceptibility from 68% to 5% probably does seem like a #fail. Let’s gloss over an organization’s natural headcount churn. For the sake of discussion, let’s assume a significant reduction in phishing susceptibility isn’t reason enough to do the PhishMe method. Most can appreciate the following byproducts of a PhishMe program:
• Dramatic increase in incident reporting — Employees learn how and who to report suspicious emails to. Getting incident reports to the right people instead of the spam bucket does wonders.
• Employees learn the difference between phishing-fraud at home vs. targeted phishing at work.
• Inconsistent email messaging goes away — You cannot have terrible, unverifiable, non-standard corporate email communications alongside a PhishMe program. The presence of PhishMe will force an already needed email communication change.
• Situational Awareness — The time from initial phish to the first report will dramatically decrease. This is a huge advantage to the network defender.
• Email defenses get reexamined: Initiatives like S/MIME and rejecting inbound email spoofing the organization’s domains get prioritized.
You would think with all these measurable benefits that it wouldn’t be too hard to convince someone to put down their hammers and refocus on improving the security posture of an organization. But I still encounter the resident assessment guy within an organization who is irritated by the fact that PhishMe isn’t an attack tool. I would say to their CSOs: Don’t buy PhishMe and force your pentest team to create awareness. More often than not they can’t get out from under their own attack-and-report mindset. Instead they are bitterly jealous they are stuck working on improving security, while their peers get to have fun punching faces. For now email remains broken. Putting all your eggs in the technology basket hasn’t been working. We don’t have a single customer who purchased PhishMe to fill a compliance need. PhishMe walks a different path. We change behavior.
Regards,
Aaron Higbee
p.s. “Is Pentesting Worth it?” A round table at PaulDotCom’s 300th episode begins at 5:15pm today. Care to wager on some panelist insisting that a pentest without a phishing component is the ‘wrong way’?
Wednesday, June 6th, 2012
Spoiler: LinkedIn password leak: What it means for phishing? Answer: Not Much!
When people talk to us about phishing, they often want to know “What’s next in phishing? What else are you seeing?”
This gets asked a lot, and is one of my least favorite questions because the truth is, email-based spear phishing works as-is. It has no reason to evolve right now.
But certainly in the age of social-media-Cloud-SaaS-BYOD attackers are going to shift away from email, right? We take our cues from the incident response community. We are sticking with email-based spear phishing until they say otherwise. I pointed out in a previous post, Spear Phishing Vs. Spear Phishing, that these large data dumps will help build some authenticity into the general consumer fraud phishing emails, and that will continue to be the case.
Is this LinkedIn data dump going to be different?
What do we know about this breach? Not much right now. I have the current dump and it’s just unsalted SHA-1 hashes of the passwords. The dump that is on the internet right now is just the password hashes. We must assume, though, that the bad guys have the username:sha1hash pairs, and that it’s only a matter of time before that combo is widely distributed. My LinkedIn password was terrible. It was 7 characters long and only letters and numbers. I looked for it in the dump but couldn’t find it. (I’m reading now that many of these hashes have been found to be damaged, with the first three bytes zeroed out. When I zero out the first three characters of the SHA-1 hash of my old password, I find it.)
Will a phisher be able to take control of hundreds of LinkedIn accounts and launch phishing attacks from within the LinkedIn portal?
A lot of what happens next will depend on how LinkedIn handles this situation. LinkedIn owes the public some answers about its password storage. (Check out my old TripAdvisor blog post about their breach.) If LinkedIn does it like Zappos and allows users to log in with the old password and then reset it, it could be a disaster: whoever cracks a weak hash first gets to log in first. LinkedIn should *not* handle it this way. Instead they should lock out every account whose password hash is exposed and force those users through a password reset.
Let’s assume an attacker does get access to hundreds of accounts because of this. They would be able to use the data gleaned to craft a highly personalized and targeted story, but many of us have fairly public LinkedIn personas and are very liberal about accepting invites to connect, so most of that information was already available. I don’t think this will have a meaningful impact on phishing.
What about an attacker sending phishing messages through LinkedIn’s InMail?
I suppose it’s possible, but we haven’t heard of any cases yet. The message may seem more authentic to the recipient, but let’s not forget that LinkedIn’s messaging system doesn’t allow attachments, so the attacker would have to send links (which LinkedIn does make clickable) to the victims. Here is what it would look like to send:

And in the victim’s email inbox:
So the LinkedIn platform isn’t a very good one for sending phishing attacks. Are there any other concerns? You betcha: password re-use! Earlier in this post I admitted to having a poor LinkedIn password. But that didn’t get my heart racing, because I’m a fanatical advocate of password managers that auto-generate and store complex passwords. I have 185 items in my personal password manager. (I had 183 this morning, until I changed my LinkedIn and personal Twitter passwords.) These massive credential breaches will continue to happen. Companies like LinkedIn will continue to have terrible password storage practices. (SHA-1, unsalted. Really? Whip yourself.) We still don’t know how LinkedIn will handle this. If this breach does lead to an uptick in consumer phishing, it will be hard to tie it to LinkedIn, because the phishing emails will likely come from compromised email accounts that shared the same password as LinkedIn, not from LinkedIn itself.
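Two things in this post deserve a worked illustration: the lookup of a password in a dump of unsalted SHA-1 hashes, including the zero-prefixed entries described above, and the “unsalted. Really?” complaint. The code below is an added example, not code from the post; the “dump” is constructed here from three sample passwords rather than taken from any leak, and the masked-prefix length is a parameter (the post says three characters; set it to whatever the file you hold actually uses). The salted part uses PBKDF2-HMAC-SHA256 as a stand-in for whatever LinkedIn later deployed, which the post does not specify.

```python
import hashlib
import hmac
import os

# The post says the damaged entries had their first three characters zeroed.
# Treat this as a parameter and match it to the dump you actually have.
MASK_LEN = 3


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex encoded, as the leaked file stored them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_prefix(hex_digest: str, n: int = MASK_LEN) -> str:
    """Replace the first n hex characters with zeros, mimicking the damaged entries."""
    return "0" * n + hex_digest[n:]


# Constructed toy "dump": one intact hash, one damaged hash, one unrelated hash.
# These are computed here from sample passwords, not copied from any real leak.
SAMPLE_DUMP = {
    sha1_hex("linkedin"),
    mask_prefix(sha1_hex("abc1234")),
    sha1_hex("Summer2012"),
}


def check_password(password: str, dump: set, mask_len: int = MASK_LEN):
    """Look one password up in a dump of unsalted SHA-1 hashes.

    Returns "exact" if the full hash is present, "masked" if only the
    zero-prefixed form is present, or None if neither is found.
    """
    digest = sha1_hex(password)
    if digest in dump:
        return "exact"
    if mask_prefix(digest, mask_len) in dump:
        return "masked"
    return None


def crack_unsalted(dump: set, wordlist, mask_len: int = MASK_LEN) -> dict:
    """Hash each candidate once and test it against every entry in the dump.

    This is the consequence of no salt: the cost is one SHA-1 per candidate
    regardless of how many accounts are in the file. Returns {hash: password}.
    """
    recovered = {}
    for word in wordlist:
        digest = sha1_hex(word)
        for candidate in (digest, mask_prefix(digest, mask_len)):
            if candidate in dump:
                recovered[candidate] = word
    return recovered


# --- The contrast: per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here) ---
def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_salted_record(password: str):
    """Store (salt, hash). Two users with the same password get different records,
    so a wordlist has to be re-hashed per account instead of once for the file."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, record) -> bool:
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)
```

The `crack_unsalted` loop is the whole point of the complaint in the post: with no salt, one pass over a wordlist tests every account in the file at once, and a hash that has already been cracked once (which is what the zeroed-out entries appear to mark) never needs cracking again. With a per-user salt and a deliberately slow KDF, the same wordlist has to be re-run against each record separately.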
–Aaron Higbee @higbee
Edits:
Nice post here about this: http://www.novainfosecportal.com/2012/06/06/leakedin-passwords-linked/
UPDATE: LinkedIn gives more details. Already they are handling this better than some other breaches.
Check out this blog post from LinkedIn’s Vicente Silveira: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Of course this is an embarrassing situation for them, but I’d like to give them credit for:
- Disabling these accounts instead of letting people log in to change their password.
- Giving people good information about password resets and about not following links in email. (Phishers will use this breach story to try to compromise accounts in spite of this, but good for them to put out a warning.)
- Using the word “salt” and promising more details about the security mechanisms that will be put in place.
Tuesday, May 22nd, 2012
Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis, Indiana, and was lucky enough to co-present with Emory University on the phishing problems higher education faces. This event had an entire track devoted to Awareness & Training, and of course a major topic for discussion was phishing.
Beyond presenting and answering questions at our booth, I spent a lot of time in the sessions learning about the IT security issues they face. The professionals that work in this space really have their work cut out for them.
- They have all the challenges of supporting security, enforcement, abuse of services, and account compromise for students and alumni services.
- They also have the classic enterprise security challenges when it comes to supporting faculty and business administration.
- On top of that, many have an added layer of challenges keeping their hospitals and research centers protected and in compliance with the applicable regulations.
Maintaining security for these different audiences really keeps you on your toes and the depth of ability and expertise I saw at Educause was truly impressive. (hat tip)
What ‘phishing’ means in Higher Education…
The most visible phishing problem is student account compromise. The attackers want student credentials in order to abuse resources: using a compromised mailbox to phish for more accounts (more about that later), sending spam, accessing restricted publications and journals, or abusing VPN services to bypass geo-restrictions. I say ‘most visible’ because the aftermath of an account compromise is usually the only indicator that an email phishing attack occurred at all: the compromised account sends out loads of spam or launches further attacks. That is quite different from the spear phisher who is trying to gain access to a network and maintain covert control, and whose success leaves no such obvious trace.
A great session I attended was by Harvard Townsend of Kansas State University. He presented the multi-pronged approach they use to bring awareness to the phishing problem. K-State has a lot of valuable data about the types of incidents they respond to, the number, and the frequency. (It’s probably not a surprise that phishing related incidents make up the bulk of their response efforts).
YouTube video: K-State IT Services Cyber Security Awareness
One of the most creative ways I’ve seen to get the word out about phishing was a video Kansas State produced. (Besides PhishMe; I’m biased.) This video has fantastic production values and insight into the type of phishing problem higher education is facing. As part of their multi-pronged approach they even ran this video on their Jumbotron during a sold-out game!
I really enjoyed the Educause Security Professionals Conference and will have more to share about it later this week.
Aaron Higbee - @higbee