Black Hat 2008 USA – Bad Sushi: Beating Phishers at Their Own Game
September 2008 by Michael Hayes CTO, B-4-U Inc.
Bad Sushi: Beating Phishers at Their Own Game. Nitesh Dhanjani and Billy Rios gave a great talk on phishing. Phishing is double trouble for both individuals and corporations: it is both a technology problem and a social engineering problem. The premise is simple: can I steal information from you by enticing or tricking you into entering private information? And how long will it take before you discover that your private information is now public?
Looking through the rear-view mirror:
There is a proliferation of web sites that freely trade in stolen financial information. Banks, e-commerce sites and other financial institutions need to pay special attention to phishing and double their efforts to protect themselves, their employees and their clients. More up-to-date, user-friendly access technologies need to be implemented and maintained.
The key messages in this space are as follows:
1- Phishing is a highly lucrative business for the phishers. With a very small investment, phishers can build scripts and e-mails to collect financial information, Social Security numbers, logon IDs and passwords, plus credit card information, and sell them in volume.
2- The barrier to entry for nefarious users who want to create phishing campaigns is very low, in terms of learning, investment and technology. Today there are sites and toolkits that let individuals build phishing kits, plus a network of web sites and individuals who help build them, including fill-in-the-blanks scripts.
3- Phishing almost always contains a social engineering aspect (an e-mail, a message, a fake web site), and social engineering may be the hardest issue to overcome in this environment.
Additionally, phishing is increasing, with more and more sites put up and taken down within hours that look like legitimate web sites: spelling mistakes, names one letter off the correct name, and web sites with different or closely matching names all facilitate phishing.
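The "one letter off" and closely matching names described above are something a defender can triage automatically. The following is an added example, not code from the talk or from this writeup: it takes URLs as they might appear in a mail-gateway log, extracts the hostname, and flags hosts that are a short edit distance from an owned brand domain, that contain the brand name inside a domain the organisation does not own, or that hide the brand name in the user-info or path of the URL. The brand domains, the confusable-character table, the small public-suffix list and the sample URLs are all constructed assumptions for the example.

```python
"""Lookalike-domain triage for URLs seen in mail logs or abuse reports.

Added example (not from the Black Hat talk or the writeup). It assumes the
defender keeps a list of the domains they actually own; all sample values
below are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Domains the organisation actually owns (constructed example values).
BRAND_DOMAINS = ["examplebank.com", "examplebank.co.uk"]

# Character substitutions common in typo-squatting; multi-character
# pairs are applied first so "rn" becomes "m" before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("@", "a")]

# Two-part public suffixes this toy handles; a real tool would consult
# the Public Suffix List instead of this hard-coded set.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def normalize(label: str) -> str:
    """Lower-case, strip accents and collapse confusable characters."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, real in CONFUSABLES:
        text = text.replace(lookalike, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(host: str) -> str:
    """Registrable domain: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str, brands=BRAND_DOMAINS) -> dict:
    """Decide whether a hostname is ours, a lookalike, or unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable_part(host)
    if reg in brands:
        return {"host": host, "verdict": "legitimate", "reason": "owned domain"}
    own_label = normalize(reg.split(".")[0])
    for brand in brands:
        brand_label = brand.split(".")[0]
        # examplebank.com.login-verify.net or examplebank.net: the brand
        # string sits inside a domain we do not own.
        if brand_label in host:
            return {"host": host, "verdict": "lookalike",
                    "reason": "brand name inside foreign domain"}
        # examp1ebank.com or examplebnak.com: a typo or homoglyph away.
        dist = levenshtein(own_label, normalize(brand_label))
        if dist <= 2:
            return {"host": host, "verdict": "lookalike",
                    "reason": f"edit distance {dist} from {brand_label}"}
    return {"host": host, "verdict": "unrelated", "reason": ""}


def triage_url(url: str, brands=BRAND_DOMAINS) -> dict:
    """Classify a URL's host, and also catch the brand name hidden in the
    user-info or path (http://examplebank.com@evil.example/ style URLs)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    result = classify_host(host, brands)
    if result["verdict"] != "legitimate":
        outside_host = ((parts.username or "") + parts.path + parts.query).lower()
        if any(b.split(".")[0] in outside_host for b in brands):
            result["verdict"] = "lookalike"
            result["reason"] = "brand name in user-info or path"
    result["url"] = url
    return result


# Constructed sample of URLs as they might appear in a mail gateway log.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "http://examp1ebank.com/login",
    "http://examplebnak.com/",
    "http://examplebank.com.login-verify.net/secure",
    "http://examplebank.com@evil.example/",
    "https://www.python.org/",
]


def scan(urls=SAMPLE_URLS):
    """Triage every URL and return the verdicts in input order."""
    return [triage_url(u) for u in urls]


if __name__ == "__main__":
    for r in scan():
        print(f'{r["verdict"]:<10} {r["url"]}  {r["reason"]}')
```

The edit-distance threshold of 2 and the confusable table are deliberately small so the logic stays readable; in practice the same structure is fed from a Public Suffix List parser and a fuller homoglyph table, and the output goes to the team that files takedown requests.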
One of the fundamental vulnerabilities exploited by phishing is the static nature of much of our private data, and until this changes there will be an exposure for each individual. A prime example is a national ID or Social Security number. It is assigned at birth and all other aspects of a person's information are linked to that number; once an individual's national ID or Social Security number is compromised, that individual is owned.
This is also true for most bank accounts, credit cards and employee numbers: once you sign up, that number is tied to your person, and once it is captured you are exposed to however it will be used.
Through the looking glass:
Financial institutions, and enterprises in general, need to look at education, protection and enforcement to protect the information of their clients and employees from phishing. Education is the most important key, from kids to adults: constant reminders of the importance of not sharing personal information, and continuous education on what to look for to protect oneself from social-engineered attacks. Phishing affects all levels and users of both the Internet and the intranet.
Technology solutions are still evolving but should include reviews of web code, scans of web pages for vulnerabilities, improved passwords and password replacement (single-use codes), and enforcement of SSL certificates backed by user education. Protection of your corporate web sites is critical.
Short-term recommendations include setting up an education program for clients and employees, with a new tip every day (remember, it takes 30 exposures for an advertisement or message to be recognized); scanning your corporate web presence for vulnerabilities and checking for parasites on your web site; improving access control for your clients and customers; and eliminating cross-site links within your own company to minimize cross-site scripting issues.