Friday, December 31, 2004
The basis for this type of attack is the trust that the attacker establishes with the user. I'll give you an example. Let's say you receive a phone call and the conversation proceeds like this:
Caller: Good Afternoon. This is Bob calling from the SomeBigName Bank.
Caller: According to our records you are eligible for an interest-free credit card from our bank.
(Notice how he is baiting you)
You: Okay, what are the terms of your credit card?
Caller: No interest for the first 6 months. Low 8.4% APR after that. No annual fees.
You: Can I apply now?
Caller: Yes. What is your social security number?
You: 000-00-0000 (you tell him your real #)
(You hear some clickety clickety in the background. You visualize him typing out your application for you.)
Caller: May I have your existing bank details? With which bank do you hold your account?
(... and this goes on and on until you have given away most of your sensitive financial information to a complete stranger on the phone)
Caller: Thanks. Your credit card should arrive in 2-3 weeks from now. Have a nice day.
You: Thanks, bye.
How did the attacker establish trust? He pretended to be calling from SomeBigName Bank. You mentally connected the dots: "If he is calling from a bank and offering me a credit card, then he surely must be their rep."
Take another scenario. If 'Bob' knew that you have an account with a particular bank (by sifting through your postal mail or otherwise), he could have pretended to be calling from that bank and might have asked you for your ATM PIN to 'reset' your account. Social engineering can also happen at work, in a corporate environment. Let's say you receive a spoofed email asking you to reset your computer password to 'Gr8Us3R'. You believe it comes from your IT department and change your password. Now it's easy for the attacker to get into your system, because you reset the password to whatever s/he wanted.
One of the best known social engineers in recent history is Kevin Mitnick. There is even a Steven Spielberg movie, Catch Me If You Can (2002), based on the real-life con artist Frank Abagnale Jr.
In a social engineering attack, you yourself hand over the sensitive information, so no amount of sophisticated security (firewalls, strong passwords) can protect you from it. The best defense against social engineering for companies is training users in the security policies and asking them to challenge anyone who asks them to divulge or reset their passwords or other sensitive information. Next time you receive a phone call or an email, make sure it is in fact from the person or organization that you believe it to be from.
Sunday, December 26, 2004
Speed up your Firefox browser
1. Type about:config into the address bar.
2. Find the following settings and change their values as shown:
network.http.pipelining -> true
network.http.proxy.pipelining -> true
network.http.pipelining.maxrequests -> 10
3. Close the about:config tab. Enjoy the newfound speed.
In the interest of full disclosure, let me tell you that Microsoft's IE browser already uses HTTP request pipelining. In case you are interested, the mozilla site does a beautiful job of explaining what HTTP/1.1 pipelining means.
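To show what the pipelining setting above actually changes on the wire, here is an added example (not from the original post) that starts a throwaway local HTTP/1.1 server, sends two GET requests on one connection before reading any response, and then splits the back-to-back responses apart using their Content-Length headers.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoPathHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive: queued (pipelined) requests are served in order

    def do_GET(self):
        body = ("you asked for " + self.path).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def split_responses(raw: bytes) -> list:
    """Cut a stream of concatenated HTTP/1.1 responses into bodies via Content-Length."""
    bodies = []
    while raw:
        head, _, rest = raw.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1])
        bodies.append(rest[:length])
        raw = rest[length:]
    return bodies


def pipelined_fetch(paths: list) -> list:
    """Send every request on one connection up front, then read all responses (pipelining)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoPathHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    reqs = b""
    for i, path in enumerate(paths):
        reqs += f"GET {path} HTTP/1.1\r\nHost: localhost\r\n".encode()
        if i == len(paths) - 1:
            reqs += b"Connection: close\r\n"  # server closes after the final response
        reqs += b"\r\n"
    with socket.create_connection(server.server_address) as sock:
        sock.sendall(reqs)  # all requests leave before any response is read
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    server.shutdown()
    server.server_close()
    return split_responses(raw)
```

Without pipelining a browser would wait for the first response before writing the second request; here both requests are already in the socket buffer when the server starts answering.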
Friday, December 24, 2004
ID device for online security
The devices, which are handheld and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer.
Users can still be tricked into revealing their username, password and the number from the device via phishing. I don't see how this solution solves the ever-growing problem of phishing. I guess the banks decided to tackle the issue of password or account hijacking, but they need to consider the other security compromise scenarios as well.
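The timing argument above can be made concrete. The following is an added example, not code from the original post or from any token vendor: it models a six-digit code that changes once a minute with an assumed HMAC-over-time-step construction (not the real device's algorithm), then walks through the phishing scenario from the bank's side to show which steps a single-use check stops and which it cannot.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's token shows a new number once a minute
DIGITS = 6


def token_code(secret: bytes, now: float) -> str:
    """Code for the current 60-second step (assumed HMAC-SHA1 construction, demo only)."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Bank-side check: a code is valid only within its step and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1  # replay guard: each step's code is usable once

    def verify(self, code: str, now: float) -> bool:
        step = int(now // STEP_SECONDS)
        if step <= self.last_accepted_step:
            return False  # already consumed (or older): a replay fails
        if not hmac.compare_digest(code, token_code(self.secret, now)):
            return False  # wrong or expired code (no clock-drift window in this demo)
        self.last_accepted_step = step
        return True


def phishing_timeline(secret: bytes, t0: float) -> dict:
    """Constructed scenario from the post: the victim types the code into a phishing page
    at t0 and the attacker relays it to the bank seconds later."""
    bank = TokenVerifier(secret)
    code = token_code(secret, t0)
    return {
        # the one-minute code does nothing against a real-time relay
        "attacker_relays_within_minute": bank.verify(code, t0 + 5),
        # the victim's own login with the same code now fails: a visible symptom
        "victim_reuses_same_code": bank.verify(code, t0 + 10),
        # a captured code is worthless once its step has passed
        "attacker_replays_next_minute": bank.verify(code, t0 + 61),
    }
```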
Monday, December 20, 2004
I have seen instances where a user picks a very simplistic password. For example, people set the password to their favorite color, and the hint they set up to remind them of the password is 'your favorite color'. Just think about this. If someone wants to access your account without your permission and clicks on the 'forgot password' link, they are shown your hint and asked to answer the question. In the above example the unauthorized user would just have to try different color names (red, blue, green, etc.) and would hit upon your password in just a few tries.
Passwords and password hints are meant to enable authorized access. Never use a password hint whose answer comes from a finite set (e.g. favorite color or make of car). A password should be at least 8 characters long, mixing upper- and lower-case letters with at least 2 digits (e.g. 4U2reZtiq). The challenge question or password hint has to be equally cryptic: as the user you would instantly recognize it, but to an unauthorized user it would seem meaningless.
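The rules above (8+ characters, mixed case, at least 2 digits, no hint drawn from a finite set) can be enforced at sign-up time. This is an added example, not code from the original post; the lists of finite-set hints and their common answers are constructed for the demo and deliberately short.

```python
# Constructed for this demo: hint phrases whose answers come from a small, finite set,
# with a handful of the most common answers each. A real deployment would use fuller lists.
FINITE_SET_HINTS = {
    "favorite color": ["red", "blue", "green", "yellow", "black", "white", "purple", "orange"],
    "make of car": ["ford", "toyota", "honda", "bmw", "chevy", "nissan", "audi", "mazda"],
    "day of the week": ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"],
}


def password_problems(password: str) -> list:
    """Apply the post's password rule: 8+ chars, both cases, at least 2 digits."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("needs at least 2 digits")
    return problems


def hint_problems(hint: str, password: str) -> list:
    """Reject hints with a finite answer set, and hints that leak the password outright."""
    problems = []
    lowered = hint.lower()
    for label, answers in FINITE_SET_HINTS.items():
        if label in lowered:
            problems.append(f"hint '{hint}' has a finite answer set ({len(answers)} common values)")
            if password.lower() in answers:
                problems.append("password is itself one of those values; it falls in a few guesses")
    if password.lower() in lowered:
        problems.append("hint contains the password")
    return problems


def evaluate(password: str, hint: str) -> dict:
    """Combined verdict a sign-up form could show the user."""
    problems = password_problems(password) + hint_problems(hint, password)
    return {"ok": not problems, "problems": problems}
```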
Sunday, December 19, 2004
Too good to be true
Goodday and how are you i am Lysander M. Overstreet i own a store in Manchester in The united Kingdom i am a computer operator were i work in the local coucil and i am interested in ordering for some unit of items from you to be shipped too my Daughter in Africa who is there on promotion from are place of work so i will like too order for a phone from your store to be shipped too her after receiving payment confirmation and i am interested in making the payment immediately i here from you the payment would be made via BIDPAY (western union Auction Payment).And i will like
to pay you $1300 and i will like you to ship out the good immediately you received the payment confirmation thank you and i will like too here form you soonest.Also i will like too you too ship the goods too my daughter in nigeria via USPS Global express EMS 3 to 5 days express too nigeria so i will like to know also if you can ship out the good immediately after receiving my payment confirmation from BIDPAY western union Auction Payment and alos will like to known if you can ship out the Laptop after receipt of Paymnet.Thank you and i expect to here form you your full name and address so i can go ahead and make the Payment.
Thank you and bye for Now and have a Happy Sunday .
Just by looking at this email, a few alarm bells went off in my head.
- Why would a guy residing in the UK want to buy a laptop from someone in Seattle?
- My asking price $1000, he said he is going to pay $1300!! - WOW
- His English is PATHETIC. Dude, you are not in the UK, believe me.
- Buying a laptop from an individual without even inspecting it!!!
The sermon that I am trying to preach here is that if something seems too good to be true, then believe me, it is. Notice that Lysander didn't mention the word 'laptop' anywhere in the lengthy email; it is just called 'item'. So most likely it's a mass mail, generic enough to get through unsuspecting eyes, but not mine. If the mail is sent through a Yahoo account, then most likely you can look up the profile of the person. A quick check at http://profiles.yahoo.com/lysandermaxwell gave out the truth that this mail ID was created on Dec 15th, 2004 just for scamming purposes.
All I can say is well tried Lysander, but your dirty trick ain't gonna work out here. So ladies and gentlemen, next time you receive something in your mail that seems to be tooooo darn good to be true, just hit the delete button.
Thursday, December 02, 2004
Secure access to Gmail
Copyright Anand Jain 2004, 2005. All rights