posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then not making life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.


  • (Score: 3, Insightful) by Thexalon on Tuesday August 20 2019, @07:40PM (4 children)

    by Thexalon (636) on Tuesday August 20 2019, @07:40PM (#882743)

    The only real solution to password-gathering spear-phishing is to make your passwords or other relatively static credentials insufficient for actually doing anything important on their own. It's relatively simple to implement these days, and it would have kept, for instance, John Podesta's emails from becoming public.

    Another aspect of this that seems relevant: If the top people in the organization you are trying to protect aren't the sort to regularly bully their subordinates into doing unusual things without explanation, and even praise subordinates who ask pertinent questions, it's more likely that somebody pretending to be one of them will get questioned and stopped before they succeed in taking what they want.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by edIII on Wednesday August 21 2019, @01:34AM (3 children)

    by edIII (791) on Wednesday August 21 2019, @01:34AM (#882897)

    The only real solution to password-gathering spear-phishing is to make your passwords or other relatively static credentials insufficient for actually doing anything important on their own. It's relatively simple to implement these days, and it would have kept, for instance, John Podesta's emails from becoming public.

    This is a fairly incomplete solution though. You assume that the phishing can work, that the victim is brought to the attacker's web page, and that subsequent use of the credentials will fail. Although you don't say it, you allude to 2FA. What happens though when the 2FA provides a simple code like Google's Authy? As an attacker I could collect that, but then only have 60 seconds in which to operate. It's a tight window, but a coordinated attack in real time might pull that off. The attacker already possesses access to the secured terminal in this situation and is ready to pass the credentials. I can't be completely sure, but I think the window can actually be two minutes because it will take a code 60 seconds behind. I've seen that strangeness in Google Authy.

    Additionally, the victim just visiting the phishing page can be enough to deliver payloads. Browsers absolutely suck at security, and the best defense is simply to never load the attacker's content/scripts.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2) by Thexalon on Wednesday August 21 2019, @01:51AM (1 child)

      by Thexalon (636) on Wednesday August 21 2019, @01:51AM (#882904)

      There are other forms of 2FA (or 3FA if need be), and they aren't perfect, and aren't necessarily easy, but are needed if you're trying to protect a high-value target like, say, a prominent politician.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by edIII on Wednesday August 21 2019, @03:11AM

        by edIII (791) on Wednesday August 21 2019, @03:11AM (#882927)

        Ohh, I didn't imply 2FA wasn't worth it. I actually see properly implemented 2FA with a hardware key as a serious solution.

        What I was saying is that it is an unacceptable risk to allow the user to visit the attacker web page. You were saying that we needed to nullify any advantages that receiving security credentials would provide, and I'm just pointing out that is only one form that the attack may take.

        I think you mean MFA (MultiFactorAuth) when you say 3FA, but the same problem exists if the attacker's web page can initiate the 2FA process client side to receive the codes. It's a very tight and difficult attack window, but not something beyond nation state level resources attacking, say, a prominent politician.

        On the whole though it's a much better idea to prevent the user from ever visiting the phishing page in the first place, because that can result in compromising a whole machine... which usually resides on the inside of a protected network.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:40AM

      by Anonymous Coward on Wednesday August 21 2019, @07:40AM (#883011)

      TOTP allows you to configure the CT time. The default is 30 seconds, but most services I've used seem to settle on 10 to 15 seconds. Then the recommended acceptable codes are the immediate past, present, and immediate future code, which most seem to stick to, or use the "half" time rule, due to clock skew issues. By default, that would mean codes are valid for 90 seconds; if using the stricter standard, they are valid for 20 seconds, but realistically only 15.

      FWIW, Authy and Google Authenticator are two different implementations of TOTP, and not the only ones that exist.