Phishing: An Interesting Twist On A Common Scam
by Darren Miller
Published on this site: June 10th, 2005

After Two Security Assessments I Must Be Secure, Right?
Imagine you are the CIO of a national financial institution and
you've recently deployed a state of the art online transaction service
for your customers. To make sure your company's network perimeter
is secure, you executed two external security assessments and penetration
tests. When the final report came in, your company was given a clean
bill of health. At first, you felt relieved, and confident in your
security measures. Shortly thereafter, your relief turned to concern.
"Is it really possible that we are completely secure?"
Given your skepticism, you decide to get one more opinion.
The day of the penetration test report delivery is now at hand.
Based on the previous assessments, you expect to receive nothing
but positive information.
The Results Were Less Than Pleasing
During this penetration test, there were several interesting findings,
but we are going to focus on one that would knock the wind out of
anyone responsible for the security of online systems, particularly
if you are in the business of money.
Most people are familiar with the term "Phishing". Dictionary.com
defines the word Phishing as "the practice of luring unsuspecting
Internet users to a fake Web site by using authentic-looking email
with the real organization's logo, in an attempt to steal passwords,
financial or personal information, or introduce a virus attack;
the creation of a Web site replica for fooling unsuspecting Internet
users into submitting personal or financial information or passwords".
Although SPAM / unsolicited e-mail and direct web server compromise
are the most common methods of Phishing, there are other ways to
accomplish this fraudulent activity.
Internet Router Compromise Makes For A Bad Day
In this case, the Internet router was compromised by using a well-known
Cisco vulnerability. Once this was accomplished, the sky was the limit
as far as what could be done to impact the organization. Even though
the company's web server was secure, and the Firewall that was protecting
the web server was configured adequately, what took place next made
these defense systems irrelevant.
Instead of setting up a duplicate login site on an external system,
then sending out SPAM in order to entice a customer to give up their
user ID, password, and account numbers, a different and much more
nefarious approach was taken.
Phishing For Personal Or Financial Information
You remember that router that was compromised? For proof of concept
purposes, the router configuration was altered to forward all Internet
traffic bound for the legitimate web server to another web server,
where user ID, password, and account information could be collected.
The first time this information was entered, the customer would
receive an ambiguous error. The second time the page loaded, the
fake web server redirected the customer to the real site. When the
user re-entered the requested information, everything worked just
fine.
No one, not the customer, nor the company, had any idea that something
nefarious was going on. No bells or whistles went off, and no one questioned
the error. Why would they? They could have typed the wrong password,
or it was likely one of those typical web page errors that everyone
deals with from time to time.
At this point, you can let your imagination take over. The attacker
may not move forward and use the information collected right away.
It could be days or weeks before it is used. Any trace of what actually
took place to collect the information would most likely be history.
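The attack above hinged on a change to the router's configuration, which nothing was watching. As an added illustration (not code from the article), the following script diffs a golden Cisco-style configuration against a running snapshot and flags only the lines that can divert traffic (static routes, NAT, policy routing, ACLs); both config snapshots are constructed sample data, and the hostname, addresses and route-map name are assumptions.

```python
"""Flag redirect-relevant drift between a golden router config and the
running one. Added example; the two snapshots below are constructed."""
import difflib
import re

# Constructed golden baseline (not a real device config).
BASELINE = """\
hostname edge-rtr-1
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.0 255.255.255.0 203.0.113.10
"""

# Constructed snapshot: the route to the web-server block now points at a
# different next hop and policy routing has been bolted onto the interface.
RUNNING = """\
hostname edge-rtr-1
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip policy route-map DIVERT
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.0 255.255.255.0 203.0.113.99
route-map DIVERT permit 10
"""

# Config statements that can move traffic somewhere else; other edits
# (hostname, banners, descriptions) are noise for this check.
REDIRECT_PATTERN = re.compile(
    r"^\s*(ip route|ip nat|ip policy|route-map|ip access-list|access-list)\b"
)


def config_diff(baseline: str, running: str) -> list[str]:
    """Return only the added (+) and removed (-) lines of a unified diff."""
    diff = difflib.unified_diff(
        baseline.splitlines(), running.splitlines(), lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def redirect_changes(baseline: str, running: str) -> list[str]:
    """Keep only diff lines whose statement could divert traffic."""
    return [l for l in config_diff(baseline, running)
            if REDIRECT_PATTERN.match(l[1:])]


if __name__ == "__main__":
    for change in redirect_changes(BASELINE, RUNNING):
        print("ALERT routing change:", change)
```

Run this against periodic config pulls (or feed it the device's own config-change log) so that a silent next-hop change like the one above raises an alarm the moment it lands, not weeks later.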
What Do You Really Get Out Of A Security Assessment?
I can't tell you how many times I've been presented with security
assessment reports that are pretty much information output from
an off-the-shelf or open source automated security analyzer. Although
an attacker may use the same or similar tools during an attack,
they do not solely rely on this information to reach their goal.
An effective penetration test or security assessment must be performed
by someone who understands more than "security vulnerabilities"
and how to run off-the-shelf tools. The person executing the assessment
must do so armed with tools and experience that meet or exceed
those a potential attacker would have.
Conclusion
Whether you are a small, medium, or large company, you must be
very careful about who you decide is most qualified to perform a
review of your company's security defense systems, or security profile.
Just because an organization presents you with credentials, such
as consultants with their CISSP, it does not mean these people
have any real-world experience. All the certifications in the world
cannot assure you that the results you receive from a security
assessment are thorough and complete. Getting a second opinion is
appropriate given what may be at stake. If you were not feeling
well, and knew that something was wrong with you, would you settle
for just one Doctor's opinion?
Quite frankly, I've never met a hacker (I know I will get slammed
for using this term, I always do) who has a certification stating
that they know what they are doing. They know what they are doing
because they've done it, over and over again, and have a complete
understanding of network systems and software. On top of that, the
one thing they have that no class or certification can teach you
is imagination.

Darren Miller is an Information Security Consultant with
over sixteen years' experience. He has written many technology &
security articles, some of which have been published in nationally
circulated magazines & periodicals. If you would like to contact
Darren you can e-mail him at [email protected].
If you would like to know more about computer security please visit
us at http://www.defendingthenet.com