Phishing: An Interesting Twist On A Common Scam

After Two Security Assessments I Must Be Secure, Right?
---------------------------------------
Imagine you are the CIO of a national financial institution and you've recently deployed a state-of-the-art online transaction service for your customers. To make sure your company's network perimeter is secure, you commissioned two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern. "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion.

The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...

The Results Were Less Than Pleasing
-----------------------------------
During this penetration test, there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems, particularly if you are in the business of money.

Most people are familiar with the term "Phishing". Dictionary.com defines the word Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.

Internet Router Compromise Makes For A Bad Day
----------------------------------------------
In this case, the Internet router was compromised by using a well-known Cisco vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the firewall protecting the web server was configured adequately, what took place next made these defense systems irrelevant.

Instead of setting up a duplicate login site on an external system and then sending out SPAM to entice customers to give up their user ID, password, and account numbers, another, much more nefarious approach was taken.

Phishing For Personal Or Financial Information
----------------------------------------------
You remember that router that was compromised? For proof of concept purposes, the router configuration was altered to forward all Internet traffic bound for the legitimate web server, to another web server where user ID, password, and account information could be collected. The first time this information was entered, the customer would receive an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine.

No one, neither the customer nor the company, had any idea that something nefarious was going on. No bells or whistles went off, and no one questioned the error. Why would they? They could have put the wrong password in, or it was likely a typical error on a web page that everyone deals with from time to time.

At this point, you can let your imagination take over. The attacker may not move forward and use the information collected right away. It could be days or weeks before it is used. Any trace of what actually took place to collect the information would most likely be history.
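
The altered router configuration described above set off no alarm. As an added example (not part of the original article), the following sketch compares a router's running configuration against an approved baseline and flags changed lines that decide where traffic is forwarded. The sample configurations, hostname and addresses are constructed, and the IOS-style syntax is an assumption, since the article does not say which commands were involved.

```python
import difflib
import re

# Constructed sample configs (IOS-style syntax, documentation IP ranges).
BASELINE = """\
hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.0.2.10 443 203.0.113.10 443
ip route 0.0.0.0 0.0.0.0 203.0.113.254
"""
# Same router after an unapproved change: the static NAT entry for the
# web server now points at a different host (constructed for the example).
RUNNING = BASELINE.replace("tcp 192.0.2.10 443", "tcp 192.0.2.66 443")

# Statements that decide where traffic goes; drift here is high severity.
FORWARDING = re.compile(
    r"^\s*(ip nat |ip route |ip policy |route-map |ip access-group |access-list )"
)

def normalize(config):
    """Drop blank lines, '!' separators and trailing whitespace."""
    return [line.rstrip() for line in config.splitlines()
            if line.strip() and not line.strip().startswith("!")]

def config_drift(baseline, running):
    """Return (severity, change, line) for every line that differs."""
    findings = []
    for entry in difflib.ndiff(normalize(baseline), normalize(running)):
        if entry[:2] not in ("+ ", "- "):
            continue  # skip unchanged lines and ndiff's '?' hint lines
        line = entry[2:]
        severity = "HIGH" if FORWARDING.match(line) else "review"
        change = "added" if entry[0] == "+" else "removed"
        findings.append((severity, change, line))
    return findings

if __name__ == "__main__":
    for severity, change, line in config_drift(BASELINE, RUNNING):
        print(f"[{severity}] {change}: {line}")
```

Run on a schedule against a baseline stored off the device, a check like this turns a silent forwarding change into an alert within one polling interval.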

What Do You Really Get Out Of Security Assessments
--------------------------------------------------
I can't tell you how many times I've been presented with security assessment reports that are pretty much information output from an off-the-shelf or open source automated security analyzer. Although an attacker may use the same or similar tools during an attack, they do not rely solely on this information to reach their goal. An effective penetration test or security assessment must be performed by someone who understands more than "security vulnerabilities" and how to run off-the-shelf tools. The person executing the assessment must do so armed with tools and experience that meet or exceed those a potential attacker would have.

Conclusion
----------
Whether you are a small, medium, or large company, you must be very careful about who you decide is most qualified to perform a review of your company's security defense systems, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP..., it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results you receive from a security assessment are thorough / complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well, and knew that something was wrong with you, would you settle for just one doctor's opinion?

Quite frankly, I've never met a hacker (I know I will get slammed for using this term, I always do) who has a certification stating that they know what they are doing. They know what they are doing because they've done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no class or certification can teach you is imagination.

About The Author
----------------
Darren Miller is an Information Security Consultant with over sixteen years' experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren, you can e-mail him at Darren.Miller@ParaLogic.Net. If you would like to know more about computer security, please visit us at http://www.defendingthenet.com.
