Posts Tagged ‘phishing’

Don’t get caught by Tabnapping

June 1, 2010

Aza Raskin has written about a cunning new phishing attack he’s dubbed Tabnapping.

Basically it’s a scripting attack which can be installed on your own website or used via cross-site scripting on a target website. It relies on the user switching away from the infected site to another browser tab. When the infected page registers that it has lost focus for a short period, it changes to a (fake, of course) login screen for another site such as Gmail, Twitter, or any other site the attacker wants to grab user credentials for. This happens ‘unnoticed’ by the user as they are busy on another tab.

Eventually the user will notice the tab, which now displays the Gmail (etc.) favicon. When they navigate back to it they’ll think they’ve been logged out and try to log back in. Credentials Pwnd! The fake site then passes the credentials on to the real site, logging in the user, who is none the wiser.

There are of course problems with this attack. The user may notice the change, the page displayed may be for a site the user doesn’t use, the user may have NoScript installed, and so on. But as with most phishing, the attacker doesn’t require success in every attack.
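One defensive way to make the behaviour described above visible, as an added example (not code from this post or from Aza Raskin’s write-up): a small in-tab heuristic that records title and favicon changes and flags those made while the tab is hidden, since a legitimate page normally changes its identity only in response to the user. The change-record shape ({kind, hidden, from, to}), the function names and the sample change log are assumptions of this example. Webmail and chat sites legitimately update an unread counter in the title while hidden, so the heuristic treats a change that only adds or alters a leading “(N)” counter as benign.

```javascript
// Added example: heuristic detection of a tab swapping its identity (title,
// favicon) while hidden. Record shape and names are this example's own.

// Leading "(3) " style unread counters are the common benign title change.
const UNREAD_PREFIX = /^\(\d+\)\s*/;

// True when two titles differ only by a leading "(N)" unread counter.
function titleChangeIsBenign(oldTitle, newTitle) {
  const strip = t => (t || '').replace(UNREAD_PREFIX, '');
  return strip(oldTitle) === strip(newTitle);
}

// A change is suspicious when it alters the tab's identity while hidden.
function isSuspicious(change) {
  if (!change.hidden) return false;              // user was looking: not the pattern
  if (change.kind === 'favicon') return true;    // favicon swaps while hidden are rare
  if (change.kind === 'title') return !titleChangeIsBenign(change.from, change.to);
  return false;
}

// Summarise a tab's recorded changes into a verdict with human-readable reasons.
function assessTab(changes) {
  const flagged = changes.filter(isSuspicious);
  return {
    suspicious: flagged.length > 0,
    reasons: flagged.map(c => `${c.kind} changed while hidden: "${c.from}" -> "${c.to}"`),
  };
}

// Current favicon href, or null when the page declares none.
function currentIconHref(doc) {
  const link = doc.querySelector('link[rel~="icon"]');
  return link ? link.getAttribute('href') : null;
}

// Browser wiring: watch <head> for title/favicon changes and note whether the
// document was hidden at the time. Returns the observer so it can be stopped.
function watchForTabnapping(doc, onVerdict) {
  const log = [];
  let lastTitle = doc.title;
  let lastIcon = currentIconHref(doc);
  const observer = new MutationObserver(() => {
    const hidden = doc.hidden === true;
    if (doc.title !== lastTitle) {
      log.push({ kind: 'title', hidden, from: lastTitle, to: doc.title });
      lastTitle = doc.title;
    }
    const icon = currentIconHref(doc);
    if (icon !== lastIcon) {
      log.push({ kind: 'favicon', hidden, from: lastIcon, to: icon });
      lastIcon = icon;
    }
    const verdict = assessTab(log);
    if (verdict.suspicious) onVerdict(verdict);
  });
  observer.observe(doc.head, {
    childList: true, subtree: true, characterData: true, attributes: true,
  });
  return observer;
}

// Only attach when a DOM exists (skipped under Node).
if (typeof document !== 'undefined') {
  watchForTabnapping(document, v => console.warn('Possible tabnapping:', v.reasons.join('; ')));
}

// Constructed sample log for one tab: a visible title change, a benign unread
// counter while hidden, then the title and favicon swap the post describes.
const SAMPLE_CHANGES = [
  { kind: 'title',   hidden: false, from: 'My Blog', to: 'My Blog - Comments' },
  { kind: 'title',   hidden: true,  from: 'My Blog - Comments', to: '(1) My Blog - Comments' },
  { kind: 'title',   hidden: true,  from: '(1) My Blog - Comments', to: 'Gmail: Email from Google' },
  { kind: 'favicon', hidden: true,  from: '/favicon.ico', to: 'data:image/png;base64,AAAA' },
];
```

Because the observer runs inside the page, the page’s own script could simply remove it; the logic belongs in a browser extension’s content script or a developer-tools check rather than in the page being watched. The functions above the wiring are pure, so the heuristic can be exercised on a recorded change log without a browser, as with SAMPLE_CHANGES.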

It got me thinking about who might be vulnerable to an attack like this.  For my part, yes I could get tricked, but old habits mean I don’t tend to keep a lot of tabs open.

[Image: rationing poster, captioned “Rationing safeguards your data too!”]

I began using the web in the days of dial-up and machines with 32MB RAM. I was running a network of machines with Windows 3.11 and every program I opened slowed the machine down considerably. My home machine is now quite old and struggles along on 500MB. If one of the kids (or the wife) double clicks instead of single clicks then the browser tries to open twice grinding the machine to a halt for a minute or more.

Consequently I’m perhaps overly paranoid about memory loss. I rarely run more than two programs simultaneously, and tend to close tabs rather than just opening extra ones. I don’t even like having too many icons on my desktop.

Sometimes I feel like an old timer who still remembers rationing.

Yet I have colleagues (younger and older) who either have never needed to ‘ration’ resources or who have forgotten what it was like in the bad old days of 32MB RAM modules. These are the same people that lose stuff on their screen and stay logged in to their webmail accounts all day.

Complexity is the enemy of security. Perhaps clutter is too?

Rational Rejection of Security Advice – what can we do about it? (Pt 1)

November 26, 2009

Cormac Herley of Microsoft Research has written a thought provoking paper which outlines economic reasons why security advice is often ignored.

The guts of the problem according to Herley is that:

most security advice simply offers a poor cost-benefit tradeoff to users and is rejected

If you are interested in security awareness then you should read his paper, partly because it will save me trying to explain it here (my brain hurt trying to get my head around some of the economic concepts) but also because it asks some searching questions of current security awareness practices.  I for one will be tuning my delivery of security advice as a result.

The paper however does fall down IMHO in a few ways. It is more an economics paper than a technical one, and like all good capitalists Herley assumes a level playing field with everyone starting from zero. An example of this is where he estimates that the annual cost of phishing losses in the US is $60 million. He then goes on to explain that the cost of mitigating phishing (in the US) therefore works out at 33 cents (or 2.6 minutes of an individual’s time) if we were to spend more on fixing the problem than the losses incurred by that problem.

This all sounds reasonable, if we assume that the cost of phishing in the US is $60 million without any prior phishing awareness campaigns taking effect.

As a colleague pointed out, the paper also assumes that there is a quantifiable cost associated with the time a person spends engaging with awareness information. This cost assumes that people are productive 100% of the time – which is of course how an economist would perceive the perfect workforce.  Anyone living in the real world knows this to be different.  Sure, if my awareness materials stop an employee doing something productive instead of encroaching on their Facebook time at work then yes, let the accountants have their day. But if my materials are engaging enough to replace that ‘non-productive’ time (because they’d rather play the new security awareness game than Farmville) then what they learn only has to reduce the attack surface of the organisation even minutely to be a worthwhile spend.

There’s a lot of other really good stuff in Herley’s paper, and a lot of good discussion about it.

My conclusion from reading it was that as security professionals we need to offer simple, realistic advice that is easy to follow, and focuses on quantifiable risks not worst case scenarios.

How we do this is a challenge.  I’m currently writing a submission for AusCERT. Hopefully it will get accepted because the presentation will provide some of my own answers to the questions posed by the paper. More here soon.

Phish on Friday

December 19, 2008

Most of my posts are written on the bus. I commute and the trip takes about an hour each way. There’s plenty of time to get the laptop out and flick off a quick posting but some days I find myself just staring out the window at the passing suburbia. Today is such a day. I tried reading the ISC2’s Infosecurity Professional mag but it was just too heavy going. Security professionals, especially those that have come from an IT background, can sound incredibly dry if they try to impress by using too much business speak. These guys just weren’t pulling it off.

So I read an article from the NZ Herald about how Cisco have found an alarming increase in the amount of personalised spam or ‘spear phishing’. The article then discussed a newer variation of this called ‘whaling’, where emails are sent to executives claiming that their businesses are under investigation by the FBI or that there’s a problem with their personal bank account.

You’d have to have been living under a rock not to have picked up on the Piscean trend in the naming convention for social engineering attacks over the last few years. I wondered about pharming but yes there are such things as fish farms so I suppose this maintains the analogy.

Anyway I decided, as I couldn’t be bothered writing anything insightful or clever, to try to come up with a few other fishy terms. I’m not online while writing this so can’t research to see if the terms have already been coined.

Apologies in advance if they have:

Schooling – Sending spam messages to social network groups

Skooling – Sending spam messages to social network groups on sites meant for older persons (old skool)

Sealing – advertising targeted at the very young online

Craypot – Setting up a fake social network profile displaying lots of personal information to investigate how often it is targeted by phishermen

Life vest – a backup of important files on a thumbdrive

Angling – using pop-up messages to encourage unsuspecting victims to visit your website where they will buy your dodgy goods

Pearling – looking for vulnerable systems on which to drop rootkits

Scientific Research – Looking at illegal images online when you know that morally and legally you shouldn’t

Bait Catcher – a site where you can buy stolen identities (for 89p)

Dropping Burley – spreading rumours online

Eeling – phishing for slippery customers such as infosec professionals that should know better

Glass Bottom – Anonymous Proxy

If you think of any more – let me know!
