Friday, December 31, 2004

Social Engineering

A social engineering attack begins when a person is tricked into revealing sensitive information that he or she knows. It can be information about themselves or about something or someone else. The attack is complete when the attacker uses this information to gain unauthorized access to networks, ATMs or systems in order to commit fraud, network intrusion, industrial espionage, identity theft and so on. The sensitive information can be anything: credit card numbers, a social security number, a username, passwords, an ATM PIN. I consider phishing to be a kind of social engineering attack.

The basis for this type of attack is the trust that the attacker establishes with the victim. I'll give you an example. Let's say you receive a phone call and the conversation proceeds like this:

Caller: Good Afternoon. This is Bob calling from the SomeBigName Bank.
You: Okay.
Caller: According to our records you are eligible for an interest-free credit card from our bank.
(Notice how he is baiting you)
You: Okay, what are the terms of your credit card?
Caller: No interest for the first 6 months. A low 8.4% APR after that. No annual fees.
You: Can I apply now?
Caller: Yes. What is your social security number?
You: 000-00-0000 (you tell him your real #)
(You hear some clickety clickety in the background. You visualize him typing out your application for you. )
Caller: May I have your existing bank details? With which bank do you hold your account?
(... and this goes on and on till you have given away most of your sensitive financial information to a complete stranger on the phone)
Caller: Thanks. Your credit card should arrive in 2-3 weeks. Have a nice day.
You: Thanks, bye.

How did the attacker establish trust? He pretended to be calling from SomeBigName Bank. You mentally connected the dots: "If he is calling from a bank and offering me a credit card, then he surely must be their rep."

Take another scenario. If 'Bob' knew that you have an account with a particular bank (by sifting through your postal mail or otherwise), he could have pretended to be calling from that bank and asked you for your ATM PIN to 'reset' your account. Social engineering can also happen at work, in a corporate environment. Let's say you receive a spoofed email asking you to reset your computer password to 'Gr8Us3R'. You believe it comes from your IT department and change your password. Now it is easy for the attacker to get into your system, because you reset the password to whatever he or she wanted.

One of the best-known social engineers in recent history is Kevin Mitnick. There is even a Steven Spielberg movie, Catch Me If You Can (2002), based on a real-life con artist (Frank Abagnale Jr).

In a social engineering attack, you are yourself responsible for revealing the sensitive information. No amount of sophisticated security, firewalls or strong passwords can protect you from it. The best defense against social engineering for corporates is training users in the security policies and asking them to challenge anyone who asks them to divulge or reset their passwords or other sensitive information. Next time you receive a phone call or an email, make sure it is in fact from the person or organization you believe it to be from.

Sunday, December 26, 2004

Speed up your Firefox browser

Hack A Day posts a hack on how to speed up your Firefox browser.
1. Type about:config
2. Find and change the values as shown below:
     network.http.pipelining -> true
     network.http.proxy.pipelining -> true
     network.http.pipelining.maxrequests -> 10
3. Close the about:config tab. Enjoy the newfound speed.

In the spirit of full disclosure, let me tell you that Microsoft's IE browser already uses HTTP request pipelining. In case you are interested, the Mozilla site does a beautiful job of explaining what HTTP/1.1 pipelining means.
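To show what those three preferences actually switch on, here is an added example (not from Hack A Day or the Mozilla page): a local HTTP/1.1 server is started in a background thread and a raw-socket client sends three GET requests back to back on one connection without waiting for each reply, then reads the three responses in order. The server, host, paths and `demo()` helper are constructed for this demonstration.

```python
"""Added example: minimal HTTP/1.1 pipelining over a single TCP connection."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class Handler(BaseHTTPRequestHandler):
    # Persistent connections need HTTP/1.1; with HTTP/1.0 the server would close
    # after the first response and the rest of the pipeline would be lost.
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = f"you requested {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # Content-Length is what lets the client find the boundary between
        # one response and the next on the shared stream.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def read_response(buf, sock):
    """Read exactly one response from the stream; return (status, body, leftover)."""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    head, buf = buf.split(b"\r\n\r\n", 1)
    lines = head.decode().split("\r\n")
    status = int(lines[0].split()[1])
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    while len(buf) < length:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("truncated body")
        buf += chunk
    return status, buf[:length], buf[length:]


def pipelined_get(host, port, paths):
    """Send every request at once, then collect the responses in request order."""
    with socket.create_connection((host, port)) as sock:
        requests = b"".join(
            f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths
        )
        sock.sendall(requests)  # all three requests leave in one write
        results, buf = [], b""
        for _ in paths:
            status, body, buf = read_response(buf, sock)
            results.append((status, body.decode()))
        return results


def demo():
    server = start_server()
    try:
        port = server.server_address[1]
        return pipelined_get("127.0.0.1", port, ["/a", "/b", "/c"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

The client never waits for response one before sending requests two and three; that saved round trip is where the speed-up comes from. Note that the whole scheme depends on both ends agreeing on where each message ends (here, the Content-Length header): if a server or proxy in the path framed a body differently, every later response on the connection would be attributed to the wrong request.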

Friday, December 24, 2004

ID device for online security

CNet reports that starting in early 2005 some banks will issue small ID devices that let users identify themselves when they log on to the bank's website.
The devices, which are handheld and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer.

Users can still be tricked into revealing their username, password and the number from the device via phishing. I don't see how this solution solves the ever-growing problem of phishing. I guess the banks decided to tackle the issue of password or account hijacking, but they need to consider other security compromise scenarios as well.

Monday, December 20, 2004

Password hints

When users forget their password for a web service, they are usually challenged with a question to which only they would know the answer. This establishes that this is in fact the same user who signed up for the service. Once the user enters a satisfactory answer, they are allowed to proceed and reset their password. On certain websites the users themselves set up the challenge question. Sometimes, while signing up for a new service, the user is asked to enter a password hint. This hint is shown when the user clicks on the 'forgot password' link.

Now, I have seen instances where the user uses a very simplistic password. For example, people set the password to their favorite color, and the hint they set up to remind them of the password is 'your favorite color'. Just think about this. If someone wants to access your account without your permission and they click on the 'forgot password' link, they would be shown your hint and asked to answer the question. In the above example the unauthorized user would just have to enter different color names (red, blue, green etc.) and would hit upon your password in just a few tries.

Passwords and password hints are meant for authorized access only. Don't ever use a password hint whose answer comes from a small, finite set (e.g. favorite color or make of car). A password should be at least 8 characters long and consist of a combination of upper- and lower-case letters with at least 2 digits (e.g. 4U2reZtiq). The challenge question or the password hint has to be equally cryptic: as the user you would instantly recognize it, but to an unauthorized user it would just seem meaningless.

Sunday, December 19, 2004

Too good to be true

A few days ago, I was trying to sell my Dell Inspiron 600m laptop through Craigslist. I mostly rely on Craigslist to buy and sell things; it works like a charm. This morning I received an email from someone called Lysander from the UK. The text of the email read like this:

Hello ,
Goodday and how are you i am Lysander M. Overstreet i own a store in Manchester in The united Kingdom i am a computer operator were i work in the local coucil and i am interested in ordering for some unit of items from you to be shipped too my Daughter in Africa who is there on promotion from are place of work so i will like too order for a phone from your store to be shipped too her after receiving payment confirmation and i am interested in making the payment immediately i here from you the payment would be made via BIDPAY (western union Auction Payment).And i will like
to pay you $1300 and i will like you to ship out the good immediately you received the payment confirmation thank you and i will like too here form you soonest.Also i will like too you too ship the goods too my daughter in nigeria via USPS Global express EMS 3 to 5 days express too nigeria so i will like to know also if you can ship out the good immediately after receiving my payment confirmation from BIDPAY western union Auction Payment and alos will like to known if you can ship out the Laptop after receipt of Paymnet.Thank you and i expect to here form you your full name and address so i can go ahead and make the Payment.

Thank you and bye for Now and have a Happy Sunday .


Just by looking at this email, a few alarm bells went off in my head.

The sermon I am trying to preach here is that if something seems too good to be true, then believe me, it is. Notice that Lysander didn't mention the word 'laptop' anywhere in the lengthy email; it is only ever called 'item'. So most likely it is a mass mail, generic enough to get past unsuspecting eyes, but not mine. If the mail is sent through a Yahoo account, you can usually look up the profile of the person. A quick check there revealed that this mail ID was created on Dec 15th, 2004, just for scamming purposes.

All I can say is well tried, Lysander, but your dirty trick ain't gonna work out here. So ladies and gentlemen, next time you receive something in your mail that seems tooooo darn good to be true, just hit the delete button.

Thursday, December 02, 2004

Secure access to Gmail

You might have noticed that the initial Gmail login page is served via HTTPS, but as soon as you log in successfully it reverts to an insecure (plain HTTP) connection. If you want to keep using an HTTPS (secure) session, simply change the http to https in the browser's URL box once you are inside the Gmail inbox.
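Why that manual change matters, and what a site can do so users don't have to make it, as an added example that is not Gmail's code: after login the session cookie is what identifies you, and over plain HTTP it travels in the clear. The functions below model the server side (every plain-HTTP request is redirected to the HTTPS URL, and the session cookie is issued with the Secure attribute so a browser never sends it over HTTP) and the browser-side rule that decides whether a cookie is attached to a request. The host, cookie name and function names are constructed.

```python
"""Added example: forcing HTTPS and keeping the session cookie off plain HTTP."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def redirect_to_https(host: str, path: str):
    """Status and headers for a request that arrived over plain http."""
    return 301, {"Location": f"https://{host}{path}"}


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for the session id, restricted to TLS and hidden from scripts."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True     # browser sends it only over https
    jar[name]["httponly"] = True   # not readable by page scripts
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def cookie_would_be_sent(set_cookie: str, request_url: str) -> bool:
    """Model of the browser rule: a Secure cookie goes out only on https URLs."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    scheme = urlsplit(request_url).scheme
    return scheme == "https" or not morsel["secure"]


if __name__ == "__main__":
    host = "mail.example.test"  # constructed host name
    print(redirect_to_https(host, "/inbox"))
    cookie = session_cookie_header("SID", "constructed-session-id")
    print(cookie)
    print("sent over http: ", cookie_would_be_sent(cookie, f"http://{host}/inbox"))
    print("sent over https:", cookie_would_be_sent(cookie, f"https://{host}/inbox"))
```

With the redirect in place a user who types http is moved to https before any request carrying the cookie is answered, and with the Secure flag a cookie issued during the HTTPS login is never exposed on an HTTP page even if one is reached.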


Copyright Anand Jain 2004, 2005. All rights reserved.