Thursday, March 7, 2013

Social Speaking, I mean Phishing
The idea of social engineering is not unique to computers, and is certainly not new to the world.  Con-men have been squeezing information out of people with a courteous smile and a willing ear for hundreds of years, and now the internet is starting to see the mixture of con-artistry and coding.  This technique is known as phishing.  Phishing is defined as: a party who misrepresents themselves as a reputable third-party site in order to garner information that compromises one or both parties.  If that was too wordy: it's when someone (a con-artist) pretends to be someone else (e.g. your bank) to get information they shouldn't have (your account name, password and routing number).  In a study by Gartner, it was found that about 1 in 5 users had clicked on a phishing link at some point in their history.

Even worse, phishers are getting smarter.  Some are using public records to work out the answers to commonly used security questions.  As per: http://threatsim.com/2013/01/29/call-it-2013-year-spear-phishing/


We all know that Facebook, LinkedIn, and the Internet in general make it really easy to find personal info that can be used to spear phish your end users. If an attacker is that motivated to get someone at your company, then it’s only a matter of time before they are successful.

Especially with Facebook and MySpace making information so available, the ability to find very personal information is at an all-time high (thanks, picture of... Fluffy; that's right, Fluffy was my old dog's name!).  A study conducted by Indiana University showed that people who had a lot of information posted on social networking pages were MUCH more vulnerable than other potential victims.  They also found that gender had an effect on whether a user would fall for this type of attack, with women typically being more trusting than men.

Basic spoofing combined with this social phishing has led to an alarming rate of compromised users.  Once the victims of these attacks find out, they are often incredibly upset, but often for the wrong reasons.  After being contacted by the university behind the previously referenced study, some victims believed their email had been hacked (how else could we spoof?  oh wait, it's really easy), which was not the case, but they did not have the technical knowledge to understand this.  Some went into denial and would not acknowledge that they had been phished.  This is dangerous, as such a user will not correct their behavior to fix the issue.  The last reaction is understandable anger at having their privacy violated.


Sadly, many of these attacks could be prevented, and the biggest preventive measure is education.  With the rise of computers, an ethical or safe computer use class should probably be mandatory in high school, or at the very least in college.  Even telling users to check that the URL is correct and to look for HTTPS would be a huge step in the right direction.  Education beyond this would help users be aware of threats to them and their online identity.

As per: http://newswatch.nationalgeographic.com/2013/03/06/hacking-the-mind-social-engineering/


Earlier today I was listening to one of my favorite podcasts, The Drill Down, and Dwayne D. mentioned how frustrating it is for many people to juggle multiple passwords, especially those that need to change frequently.
One of the other co-hosts suggested using a two-pronged security system, which requires a code to be sent to a device for access. Another suggested using a virtual vault to store passwords behind encryption. Dwayne was skeptical, arguing that access needs to be as simple as possible for users, while still being secure.
The other way to prevent these attacks is to require digitally signed email messages, so that we can actually tell who is sending what.  Another is to develop software that detects websites that are likely phishing, or even emails that are likely spoofed.  This software would not be hard to develop; for instance, something that can tell the difference between www.Iightscribe.com and www.lightscribe.com (Iightscribe with a capital I versus lightscribe with a lowercase l, if you couldn't tell).  Amazon has had a number of attacks conducted against it and its users.  I'm sure they'd be all about solving this.
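One way to build the lookalike detector described above, as an added example that is not the post's own code: a Python check that reduces a hostname to a "skeleton" in which confusable glyphs collapse together, so www.Iightscribe.com (capital I) compares equal to lightscribe.com. It goes beyond the post's Latin I/l case by also folding a few digit and Cyrillic lookalikes, and the KNOWN_DOMAINS allow-list is a constructed assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains we expect to see linked in mail to our users.
KNOWN_DOMAINS = ["lightscribe.com", "amazon.com", "paypal.com"]

# Character sequences that look alike in common fonts. The post's own case is a
# capital "I" passed off as a lowercase "l"; the digit and Cyrillic rows go beyond it.
CONFUSABLES = {
    "rn": "m", "vv": "w",                          # two glyphs that read as one
    "I": "l", "1": "l", "|": "l",                  # the Iightscribe trick
    "0": "o", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic er, es look like p, c
}

def skeleton(name: str) -> str:
    """Collapse a hostname to a form in which lookalikes compare equal.
    Longer confusables are replaced first so "rn" is handled before "n"."""
    s = unicodedata.normalize("NFKC", name)
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s.lower()

def extract_host(url: str) -> str:
    """Host part of a URL, keeping its original case (urlsplit().hostname
    would lowercase it and erase the I-versus-l distinction)."""
    netloc = urlsplit(url if "://" in url else "http://" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]   # drop userinfo and port

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])

def classify(url: str) -> tuple[str, str]:
    """Return ("legit" | "lookalike" | "unknown", domain) for the URL's host."""
    dom = registrable(extract_host(url))
    if dom.lower() in KNOWN_DOMAINS:
        return ("legit", dom.lower())
    for known in KNOWN_DOMAINS:
        if skeleton(dom) == skeleton(known):      # visually identical, not the same
            return ("lookalike", known)
    return ("unknown", dom.lower())

if __name__ == "__main__":
    for u in ["https://www.lightscribe.com/", "http://www.Iightscribe.com/login",
              "http://arnazon.com/", "http://paypal.com.evil.example/"]:
        print(u, "->", classify(u))
```

A mail filter or link-rewriting proxy would run classify over every URL in a message and warn on "lookalike"; the skeleton table is deliberately small and should grow from real confusable data in production.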

In addition, the industry really does need to be less lazy.  Per: http://www.infosecurity-magazine.com/view/24356/successful-bank-phishing-attacks-target-compromised-infrastructure/

Agari found that system administrators aid phishing attacks by deploying unprotected infrastructure. Systems administrators could have prevented one-quarter of successful phishing attacks against banks by patching known vulnerabilities, the company judged.

In addition, Agari found that botnets no longer pose a significant phishing threat, with only 0.5% of successful bank phishing attacks sent by botnets.

Realistically, without education, further study and people actually caring, there is no way this problem is going to get solved.  We as a society need to start giving a damn, and start educating our end users.  Phishing is such a profitable scheme that it sure isn't going away.
