Phishing, spraying and stuffing… Identity attack cookbook.

We’ve heard the key words many times, but what are the identity-related attacks we’re trying to fight against? Let’s take a look at a few examples from the top of the list.

Phishing

It’s an impersonation technique. The best-known use case is an attacker creating a website that looks exactly like a bank or an online shop. When you visit it, you think you’re logging into your bank, but in fact you just hand your credentials over to the attacker. Because it’s a copy of the genuine website, you have to land on the page the attacker wants you on, so there’s an element of voluntary action here; the next paragraphs show how they make you end up on the malicious site. You may also come across ‘spear phishing’, which is simply a targeted version focused on specific individuals or an organisation.

Social engineering version 1 (1995)

Ok, we’re in for a biggie here. This technique has existed for as long as scam artists have, but it really gained popularity thanks to one and only (in)famous individual – Mr Kevin Mitnick. They even made a movie about his exploits – ‘Takedown’. While he’s a convicted hacker, he’s also very popular these days, performing audits for various businesses and showing that every organisation can be breached, at least that’s what he claimed (100% success rate) when I met him in 2017 (if my memory serves me right) at the Security Expo in Birmingham’s National Exhibition Centre (NEC). In the old days, he would call Motorola’s engineering offices claiming he needed access to some data as part of a particular project, and lo and behold, they would send him the source code via corporate mail. We’re way too clever for these scenarios today, but make no mistake: social engineering has evolved just as much as we have become more vigilant. Long story short, you establish some trust by disclosing information that superficially should be privy only to a closed circle, then convince the victim to disclose the data, ideally the username and password, of course! We have all been warned by our bank that they would never ask for it. If they never would, then when someone asks… it’s a social engineering attack.

Social engineering version 2 (2000)

Ok, so we’re resistant to phone calls. Are we resistant to emails, though? Hmm… turns out we still aren’t. The better the quality of the fake, the bigger the chance of successful deception. Have a look at the two URLs below. They look the same, but they aren’t: the second one replaces the two lowercase l’s with capital I’s, which are indistinguishable in many fonts. The first one is the genuine link; the second could be used to deceive you.

https://www.lloydsbank.com vs https://www.IIoydsbank.com

As a rule of thumb, don’t open anything you don’t trust from an email; instead go directly via the browser or a Google search (though you may find some bad ones there, too). You can read Mozilla’s recommendation on how to make sure a website is genuine here.
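As an added example, not code from the original post: a small Python check that flags URLs whose domain is a visual look-alike of a trusted one, in the way the second link above mimics the first. The trusted-domain list, the confusables table and the sample URLs are constructed for illustration, and the two-label rule for the registrable domain is a simplification (the Public Suffix List is the proper source).

```python
# Added example (not from the original post): a defensive check that flags
# URLs whose domain is a visual look-alike of a trusted domain, e.g. capital
# "I" standing in for lowercase "l" in "IIoydsbank.com". The trusted list and
# the confusables table are constructed for illustration and are not complete.
from urllib.parse import urlsplit

# Constructed allowlist: domains the organisation knows to be genuine.
TRUSTED_DOMAINS = {"lloydsbank.com", "example-shop.com"}

# Single characters that render alike in many fonts, mapped to one canonical
# form. Applied before lowercasing so that a capital I is caught as an l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})


def skeleton(host: str) -> str:
    """Collapse confusable characters so look-alike names compare equal."""
    s = host.translate(CONFUSABLES).lower()
    # Two-character sequences that mimic one letter ("rn" -> "m", "vv" -> "w").
    return s.replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Return the owner-controlled part of a host name.

    Simplification: the last two labels. Production code should consult the
    Public Suffix List so that names like example.co.uk are handled.
    """
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Classify a URL as trusted, brand-in-subdomain, punycode, lookalike,
    unknown or invalid. Case is preserved deliberately: urlsplit().hostname
    lowercases, which would hide the I/l trick, so netloc is parsed by hand.
    """
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo and port
    if not host or "." not in host:
        return "invalid"
    domain = registrable(host)
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name buried in a subdomain of someone else's domain.
    padded = "." + host.lower() + "."
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in padded:
            return f"brand-in-subdomain:{trusted}"
    # Internationalised labels need separate review; the xn-- prefix alone says
    # nothing about intent, so they are only surfaced here.
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        return "punycode"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.lloydsbank.com", "https://www.IIoydsbank.com",
              "https://lloydsbank.com.evil-login.net/login"):
        print(u, "->", classify(u))
```

The check is meant for a mail gateway or a browser extension that holds an allowlist of brands the organisation cares about; the useful property is that it never has to know the attacker’s domain in advance, only which genuine names are worth protecting.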

Social engineering version 3 (2020)

This is the scary bit and the new, relatively cheap way to breach an organisation. If you have read my last blog, you know I mentioned The Ten Immutable Laws of Security from Microsoft TechNet. Let’s have a look at law #1: if a bad guy can persuade you to run his program on your computer, it’s not your computer anymore. So, how are we going to do that? Well, one way is to lure the user using the techniques mentioned earlier, but what about physical access to your device? Some time ago, one creative creature had an outrageous idea. We stopped using CDs in favour of memory sticks and pendrives, so that was an easy way in. If I install a microchip in the pendrive itself and turn it into a keyboard, I can inject any key combination, which in practice looks like really, really, really fast typing. You plug the stick in, it’s a genuine drive, you can see files. Ten seconds later a shell opens (via a keyboard shortcut), some lengthy script gets pasted and the window closes immediately, so you don’t know what was there. Chances are you are going to miss it or… simply ignore it. It’s a thing and even got a name – BadUSB or USBola. It was very expensive in the beginning. Nowadays, it’s commercially available from hak5.org at a bargain price of $50. How do I give it to you without arousing suspicion? Well, how about I write ‘Payroll March 2021’ on it and drop it on the floor in your office. What do you think will happen 😉 There are many ways to deliver the device; imagination is the only limitation.

Unfortunately, that’s not the end of the story. We now know not to trust pendrives we’re not sure about; in fact, cloud is the thing now! We copy all the data via the Internet, there’s no need for memory sticks anymore. How about we pack that device into an iPhone or Android charging cable? In fact, why don’t we put a WiFi controller in the plug for good measure, too? Now we can run the commands we want, whenever we want, and if we’re really evil we will actually distract the user from looking at their screen while we do it. I have run a program on your device; it’s mine. And before you ask, this can be as simple as a PowerShell script, and antivirus won’t detect it.

In the early days, the price of such a cable could reach a staggering $1M, which really is not much for a state-sponsored attack, but today… hak5.org stocks them at around $150 including an adapter/controller to program it. And they look every inch like Apple’s cable. So, next time you borrow a charging cable, ask yourself: ‘do I really trust it?’.

Password Spraying

In a brute force attack, you pick one user and try all combinations of passwords until you hit the correct one. A special case is a dictionary attack, where instead of checking every combination (a lengthy process) you check only the most common passwords or those that have already been compromised (you can check if your password leaked here). Password spraying is the other way round: you pick a particular password, let’s say ‘password123’, and try it against many user accounts, hoping for a hit. This kind of attack can be easily prevented with Risk Based Authentication – you can read more about it in my blog here.

Credential Stuffing

Just another variant, really. Let’s say we have some passwords that were compromised and leaked to the Internet. What you can do now is launch a fully automated, large-scale attack against thousands of services, if not more, to see whether the credentials have been reused somewhere. One of the reasons this is so successful is that we… reuse passwords across different services (long live SSO). It’s a good idea not to use the same password in many places and to use a password vault (check my blog about them here).
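An added example, not from the original post, that serves both the password spraying section and the credential stuffing section above: detection logic run over constructed authentication log lines that tells apart one account hammered from one source (brute force), one source touching many accounts while staying under the lockout line (spraying), and many sources each trying one leaked pair once (stuffing). The log layout, the field names, the IP addresses and the thresholds are assumptions to adapt to your own identity provider.

```python
# Added example (not from the original post): detection logic for the three
# patterns described above, run over constructed authentication log lines.
# The line layout, field names, IP addresses and thresholds are assumptions;
# tune the thresholds to your identity provider's lockout policy.
from collections import defaultdict
from dataclasses import dataclass

# Assumed layout: "<time> <OK|FAIL> user=<name> src=<ip>" (constructed sample).
SAMPLE_LOG = [
    # Brute force: one account, one source, many guesses.
    *[f"2021-03-01T09:00:{i:02d}Z FAIL user=alice src=198.51.100.7" for i in range(12)],
    # Password spraying: one source, one guess per account across many accounts,
    # staying under the lockout threshold, and one hit at the end.
    *[f"2021-03-01T09:05:{i:02d}Z FAIL user=user{i} src=203.0.113.9" for i in range(8)],
    "2021-03-01T09:05:09Z OK user=user8 src=203.0.113.9",
    # Credential stuffing: leaked pairs replayed from many sources, one try each.
    *[f"2021-03-01T09:10:{i:02d}Z FAIL user=acct{i} src=192.0.2.{i + 1}" for i in range(15)],
    # Ordinary traffic that must not be flagged on its own.
    "2021-03-01T09:12:00Z OK user=bob src=198.51.100.20",
    "2021-03-01T09:12:05Z FAIL user=carol src=198.51.100.21",
    "2021-03-01T09:12:09Z OK user=carol src=198.51.100.21",
]

LOCKOUT_THRESHOLD = 5   # assumed failures per account before the IdP locks it
BRUTE_MIN_FAILS = 10    # one account, one source
SPRAY_MIN_USERS = 5     # one source, many accounts, each kept under lockout
STUFF_MIN_SOURCES = 10  # many sources, each trying one account once


@dataclass(frozen=True)
class Event:
    ts: str
    ok: bool
    user: str
    src: str


def parse(line: str) -> Event:
    """Parse one log line of the assumed layout into an Event."""
    ts, result, user, src = line.split()
    return Event(ts, result == "OK", user.split("=", 1)[1], src.split("=", 1)[1])


def analyse(lines):
    """Return findings keyed by attack pattern.

    brute_force: (src, user, failures) with many failures on one account.
    spraying:    (src, accounts_tried, accounts_hit) where one source touched
                 many accounts but never enough times to trip the lockout.
    stuffing:    sorted sources that each failed exactly once against exactly
                 one account, reported once there are enough of them. Isolated
                 genuine typos land in this bucket too; the threshold absorbs them.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    hits = defaultdict(set)                        # src -> users that logged in
    for ev in map(parse, lines):
        if ev.ok:
            hits[ev.src].add(ev.user)
        else:
            fails[ev.src][ev.user] += 1

    findings = {"brute_force": [], "spraying": [], "stuffing": []}
    single_shot_sources = set()
    for src, per_user in fails.items():
        for user, n in per_user.items():
            if n >= BRUTE_MIN_FAILS:
                findings["brute_force"].append((src, user, n))
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) < LOCKOUT_THRESHOLD:
            findings["spraying"].append((src, len(per_user), sorted(hits[src])))
        elif len(per_user) == 1 and max(per_user.values()) == 1:
            single_shot_sources.add(src)
    if len(single_shot_sources) >= STUFF_MIN_SOURCES:
        findings["stuffing"] = sorted(single_shot_sources)
    return findings


if __name__ == "__main__":
    for kind, result in analyse(SAMPLE_LOG).items():
        print(kind, result)
```

The point of the three buckets is that a per-account lockout counter sees none of them except the brute force case: spraying never trips it, and stuffing spreads a single attempt per account across many addresses. Per-source and fleet-wide counters, fed into the risk-based signals mentioned above, are what catch the other two, and the successful login listed against a spraying source is the account to reset first.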

Conclusion

Is there an aurea mediocritas (golden mean) that would help us prevent all of the above? I am sure this may be controversial, so let me be specific. Short story: yes. Multi-Factor Authentication reduces the attack surface of credential-based attacks to near zero. As far as phishing is concerned, passwordless solutions like WebAuthn negate the concept completely. Social engineering… it’s not only a technical thing, it’s an attack against us as humans, and we will always be vulnerable one way or another.