Archive for the 'Social Engineering' Category

Security Awareness Posters

Published on September 1, 2008 in Events, Meta, Press Release, Psychology of Security and Social Engineering. 1 Comment

Every year, as part of CSAW, we hold a Security Awareness Poster contest where we ask students to convey a simple message regarding any current issue in information security. These posters always turn out amazing and are among the most impressive, if non-technical, entries we get. Unfortunately, we haven’t been so good at sharing these posters with others and usually only make a few printouts for ourselves in the lab.

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

Fall Penetration Testing and Exploit-Dev course

Published on August 24, 2008 in Exploits, Meta, Reverse Engineering, Social Engineering, Targeted Attacks and Web. 6 Comments

This year’s Penetration Testing and Exploit Development course (Fall 2008) will contain completely rewritten course material, guest lectures from leading security professionals, and free access to commercial tools provided by Fortify Software and Matta (thank you!). Additionally, the class will be held on-campus rather than online as it has been.

The instructor for the course is Nasir Memon with TA’s Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:

  • December 4th — FINAL PROJECTS
  • December 11th — hack the planet/show off projects

Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.

Any questions about the course can be e-mailed to me at dguido@gmail.com.

EDIT: The course will be held in room RH227

Cute + Malicious == Deadly

Published on June 28, 2008 in Exploits, Physical Security, Social Engineering, Targeted Attacks and Windows. 0 Comments

In a recent (experimental only) project, I followed one of the multiple guides such as this one on how to make a Lego case for a USB stick. To top it off, I loaded the Hak5 Switchblade packages on the sticks. When used with U3 USB autorun technology, these packages allow automatic theft of various personal data upon insertion of the stick into a Windows computer. Now, doesn’t this just crush the competition (a regular USB stick lost in the parking lot)?

The Mona Lisa

Continue reading ‘Cute + Malicious == Deadly’

Social Engineering final presentations

Published on May 14, 2008 in Academic Papers, Psychology of Security, Social Engineering and Web. 0 Comments

Yesterday marked the end of our first-run Psychology of Security/Social Engineering course here at Poly. Every student made a presentation that described the research project they designed and attempted to run during the semester. I’ll upload the presentations as I get them so check this page often :-) .

  1. The Effectiveness of Security Training / Graphical Indicators of Security
    Joint project by Dan Guido and Boris Kochergin
  2. Personalized Phishing
    Joint project by Brad Schonhorst and Jonathan Voris

I’ve made an executive decision. The mailing list that we used for the course will now be opened to the public for discussion of Social Engineering / Psychology of Security issues. I placed a link on the sidebar of this blog, please sign up if you’re interested!

Update to Single-Site-Browsers (SSBs)

Published on April 28, 2008 in Psychology of Security, Risk Analysis, Security Engineering, Security Industry, Social Engineering and Web. 3 Comments

I spent a lot more time thinking about SSBs over the last week or so and I’d like to use this blog to do a bit of a brain dump. A few days ago, Andrew Jaquith publicly posted the presentation that was sent me to privately. Here are links to his blog and to his presentation.

His presentation makes a number of claims about the security benefits of SSBs. It lists protection against phishing, CSRF, some types of XSS (likely all non-persistent varieties), and domain whitelisting as a future improvement to harden those protections.

I don’t think [current] SSBs completely provide those security benefits unless you do two things:

  1. You block non-SSBs from accessing your website (blocking on user agent string would be enough)
  2. You train users that an SSB is the only acceptable place to enter their password

Without those two requirements satisfied, it is my opinion that SSBs give little security benefit.

If you still allow non-SSBs to access citibank.com, then when a user clicks an XSS’d link to citibank.com, the citibank.com page will still load, and they will still be XSS’d. Similarly, CSRF continues to function as it is likely that the ’session cookie isolation’ benefit of SSBs are negated by the user likely having duplicate cookies in both their SSB and in Firefox (you must ensure the user never logs into citibank.com with their normal browser and obtain a session cookie there, hence the first requirement).

In order for the phishing protection to be effective, users must be aware that they are only supposed to encounter Citibank content in their SSB and not in their normal browser. For instance, if an SSB user encounters a Citibank phishing website in Firefox, will they close their browser and open their SSB instead? It might be the case that users will behave in this way, but I haven’t seen any verifiable proof either way.

[This hasn't been reported on ISIS Blogs yet, but next week marks the end of our first run of "The Psychology of Security/Social Engineering", a first-run research course here at Poly. I'm writing up a research proposal to test the above hypothesis with a group of students in the Fall.]

Lastly, if a bank starts deploying SSBs to their customers, I see this as a first step towards successfully forcing client-side requirements on users where the end-game is fully trusted computing and the open commercial web starts to disappear. This actually goes back to our “Refusing Insecure Customers” debate. It’s an evolution of the same (bad, according to readers) idea.

So, although I see where SSBs have some use and can positively affect your web security, let’s not kid ourselves, they don’t solve that much. To really be effective, they require major changes in the way you do business and [still] rely on an intelligent user. Rather, they look like avoidance of the base problem and an idealistic patch that isn’t going to work.

Oddly enough, I have been using a set of 4 Prism SSBs for the last 2 weeks and have actually grown fond of them, but not for security reasons at all. I like how they show up in my dock, that they rarely crash, and it seems natural to give such webapps “first-class” status as desktop applications. I’ll probably continue using them, but I don’t think I’ve gained any security from doing so.

That said, I think part of the problem here is that SSBs haven’t fully matured yet. I just heard about these things 2 weeks ago and I haven’t heard anyone else in the security community talking about them besides Andrew. They are a topic that deserves more attention and particularly more research from the security community as they embody a lot of attractive ideas. Despite my harsh words, I’m not ready to give up on them yet.

Let’s brainstorm: how could SSBs be more useful to security? Could we change the way they work or change how they are deployed to give us additional benefits? If you’re an InfoSec student with no good topic to research, this is without a doubt a good avenue to explore.

Just wanted to get this out there

Published on April 10, 2008 in Exploits, Social Engineering and Targeted Attacks. 0 Comments

I’m sure most of you have read the article in BusinessWeek that turned up on Slashdot regarding the hacker attacks the US government has to deal with. If you haven’t, you really should read it because despite its obvious inaccuracies (journalists always get something horribly wrong) it’s got a ton of good information. I liked how they explained exactly how the unknown attacker uses phishing (whaling?) so effectively.

But really, my alterior motive for posting this, was so I could point out this one particularly entertaining paragraph buried in the middle of it:

Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified “black” budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher “Kit” Bond, the committee’s vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyber terrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn’t exaggerate as much as people might think. “I can’t discuss classified matters,” he cautions. “But the movie illustrates the potential impact of a cyber conflict. Except for a few things, let me just tell you: It’s credible.”

For the record:

“Except for a few things, let me just tell you: It’s credible.”
- Senator Christopher “Kit” Bond (R-MO) on Die Hard 4

We promise we won’t store your password

Published on March 30, 2008 in Privacy, Psychology of Security, Social Engineering and Web. 3 Comments

This is a short rant prompted by another student’s observation that Yelp actually asks for your Gmail password as part of their signup process…

Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

Facebook asking for my Gmail password
Continue reading ‘We promise we won’t store your password’

Refusing Business from Insecure Customers

Published on March 12, 2008 in Legal, Psychology of Security, Social Engineering and Web. 2 Comments

Late last year in an article titled “In Zombies We Trust,” Dan Geer suggested that there are two types of users — those who blindly say yes to everything and are probably infected with a dozen viruses and those who say no to most everything and likely escape most virus problems — and that it could be a legitimate practice for websites to further scrutinize the actions of those who always say yes to prevent them from getting into trouble while using their site. The premise is that these virus-infected users end up costing the businesses they frequent a significant amount of money by being such persistent problems.

A member of our lab (I’ll leave it to him to take credit for this idea) suggested last week that maybe this should be taken a step further. If I know that one customer of mine is more likely to be infected with a virus (or has a higher susceptibility to phishing, pick your threat) now or in the future, is it reasonable for me to completely deny him my business?

This can be easily tested using either Dan Geer’s test or by sending my customers random phishing messages for my own business (there’s even a phishing appliance to do it for you!). Ie., Paypal sends you a phishing email for themselves (sent from another domain, self-signed certificate, graphics copied incorrectly, differently formatted e-mail, whatever) and if you fall for it, they calculate your future profitability and weigh it against the costs you’ll incur if you actually do get phished in the future. If you’ve got a negative balance after this calculation, your account will be canceled and PayPal will have saved money.

The observation was also made that this is standard practice in other industries. Insurance and, regrettably, healthcare come to mind. Would this be a bad thing for web services?

How do you protect yourself online?

View Results

Loading ... Loading ...

Harvesting credentials from a subscriber base

Published on February 18, 2007 in Privacy and Social Engineering. 1 Comment

If one were the administrator/developer of a service that requires users to supply credentials, can you picture the amount of data one will receive if you:

  1. Use an email as the username.
  2. Provide tight restrictions on the password creation (Decent minimum length, requirements of alpha+digits)
  3. Log unsuccessful logins and password changes

I’m sure you can see where I’m going with this, but if the service is popular the users will always first try their other common passwords until they list their entire mental list of every password they generally use (which most likely do not match the ones they came up with to register with the site), thus collecting credentials of other services the users are members of (A few google searches of their emails, or just the user-name part of the email will reveal most services they are members of.)

I am going on the basis of the idea that most people (or the ones I’ve spoken to) believe that some data like failed authentication attempts, passwords that were changed, and accounts that were removed are erased from existence after the event, but in today’s world of virtually limitless storage and facile logging mechanisms, why wouldn’t administrators log everything that goes through their systems?

I have never heard of such a harvest vector and was thinking of ways to protect from this. Using a password manager like PassSafe can reduce failed attempts and randomly generate a fresh password, but careful attention has to be paid to keep that database secure. Whichever method you use, the goal is to not supply data to a third (or second) party without them needing-to-know.

Email Source Authentication through Network Services: An Open Question

Published on February 9, 2007 in Social Engineering and Spam. 3 Comments

Suppose you have an email that claims to be from a particular web destination (”Chase Bank”, “eBay”, “Middle of Nowhere Bank”, etc.) and directs you to a url purportedly at that location. Suppose further that you possess the capability of extracting both these pieces of information from any email if the email falls into said category. So you have

A. Purported Web Destination of Email
B. URL Email is Instructing you to Follow

So here is an open-ended question: how can you use existing network services to determine that B is an authentic location in A? A subset of existing spam filtering heuristics work quite well towards this end (visible text of html link does not match actual url, href attribute is expressed as IP address, etc.), but using network services opens of a new dimension of validation, one in which the data gathered for heuristic application are outside the control of the email’s sender. So post any ideas you have. Kurt asked a similar question at an SFS meeting last semester pertaining to the parasitic storage project. Whereas his aim was using network services for caching, my aim is using them for source authentication. Thanks and please keep the discussion focused, at least primarily, on this particular method.