Security and Privacy issues with GPS Tracking /Navigation

14 12 2011

Although GPS consumer products have many advantages, such as allowing users to update their maps with current road information, there are also security concerns associated with GPS. Hacking a GPS device is commonly referred to as “spoofing”.

“In spoofing, a spoofer creates a false GPS signal, sending an incorrect time and location to a certain receiver.”[1] In this case, the target does not know that the signal is a false one. For a normal GPS user, being a couple of microseconds off the real time is not a big deal, but a few microseconds off could cause power generators to explode, as some power generators use GPS signals to sync electrical grids to power stations. GPS is also used in various other places: air traffic controllers use GPS to help avoid plane collisions, banks use GPS to time-stamp financial transactions, and police use GPS receivers to monitor criminals’ activities [2].

Stingrays are the technology used by police to track people’s location. This technology works by mimicking a cellphone tower, getting a phone to connect to it, and measuring signals from the phone. It sends a signal to the phone and can locate it as long as it is powered on [3]. This device is used by police to locate suspects, and also by rescue teams to find people lost in remote areas or buried in rubble after an accident.

So, the ill effects of spoofing can include falsifying the geographical location of criminals, or falsifying the location of lost people in remote areas, whether to protect criminals or for various other reasons. The extent of spoofing can be as bad as plane crashes and generators exploding. However, it is difficult to build a spoofer: the cost of creating one is as high as $1 million [4], and it takes as little as around a week to build one. Military GPS systems are difficult to spoof, as they use encryption technology which is not used by normal GPS systems [5].

To prevent these spoofing attacks and to protect GPS systems, manufacturers of GPS systems should consider encryption or other technologies to make GPS systems safer and better. GPS technology makes the world more vulnerable to these attacks, but another technology, encryption, can help prevent spoofing attacks on GPS systems.
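Encryption is the fix the post calls for, but a consumer receiver without it can still sanity-check what it is fed. The following is an added example (not code from the original post) of receiver-side plausibility checks: it compares each fix's GPS time against an independent host clock and flags fixes that would imply an impossible speed. The thresholds, the tuple layout of a fix and the sample fixes are all constructed for the demo.

```python
"""Plausibility checks on a stream of GPS fixes.

Added example, not code from the original post. It assumes the receiver
exposes fixes as (gps_time, latitude, longitude) tuples and that the host
has an independent clock (e.g. NTP-disciplined) to compare against. The
thresholds and the sample fixes below are constructed for the demo.
"""
import math

MAX_SPEED_MPS = 70.0       # hypothetical: about 250 km/h, generous for a road vehicle
MAX_CLOCK_SKEW_S = 1.0     # hypothetical tolerance between GPS time and host clock
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, host_clock):
    """Return [(index, reason)] for fixes that fail a plausibility check.

    fixes: list of (gps_time_s, lat_deg, lon_deg); host_clock: host timestamp
    recorded when each fix arrived. Three checks: GPS time vs host clock,
    monotonic GPS time, and the speed implied by consecutive fixes.
    """
    alerts = []
    for i, (t, lat, lon) in enumerate(fixes):
        if abs(t - host_clock[i]) > MAX_CLOCK_SKEW_S:
            alerts.append((i, "time_skew"))
        if i == 0:
            continue
        t0, lat0, lon0 = fixes[i - 1]
        dt = t - t0
        if dt <= 0:
            alerts.append((i, "time_not_monotonic"))
            continue
        if haversine_m(lat0, lon0, lat, lon) / dt > MAX_SPEED_MPS:
            alerts.append((i, "implausible_speed"))
    return alerts


# Constructed sample: a receiver that suddenly jumps ~1.1 km in one second and
# then reports a GPS time 7 s ahead of the host clock.
SAMPLE_FIXES = [
    (1000.0, 40.0000, -74.0),
    (1001.0, 40.0001, -74.0),   # ~11 m in 1 s: fine
    (1002.0, 40.0100, -74.0),   # ~1.1 km in 1 s: implausible
    (1010.0, 40.0100, -74.0),   # GPS time disagrees with host clock
]
SAMPLE_HOST_CLOCK = [1000.0, 1001.0, 1002.0, 1003.0]


def demo():
    return check_fixes(SAMPLE_FIXES, SAMPLE_HOST_CLOCK)


if __name__ == "__main__":
    for idx, reason in demo():
        print(f"fix {idx}: {reason}")
```

A slow, carefully shaped spoofing signal would pass both checks, which is why they complement rather than replace authenticated signals; their value is in catching the crude cases and in giving a receiver a reason to distrust its fix rather than act on it.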





On Building a Corporate Computer Investigation Team

13 12 2011

by Christian Roylo

Introduction

Large law enforcement agencies have incorporated computer investigation teams for decades; however, in the corporate world, businesses often rely on untrained IT staff or third-party service providers to carry out computer investigative tasks such as computer forensics, eDiscovery, and incident response. With the increase in computer attacks and the compliance requirements mandated by regulations, there is a benefit for companies in building an in-house computer investigative team.

In this article, I would like to share some pointers for anyone who is in the process of building a corporate computer investigative team. This will be based on my past experiences as a former Federal Agent investigating computer crimes, running a computer investigations team for a large tier-one bank, and working for a CERT consulting Federal Law Enforcement. Although this article focuses on building teams for large Fortune-100 sized companies, many of these principles can be applied to smaller companies as well.

Depending on the organizational structure of the corporation, a computer investigative team could have a very focused capability (computer forensics only) or a wide range of capabilities covering different information security, investigation, eDiscovery, and response disciplines. For the purpose of this article, I am using the term “computer investigation team” in a general sense to cover any of these sub-disciplines.

To Succeed, You Need Power and Position

Your ability to influence people is critical for the success of your team. As important as it is to influence people by building relationships and trust, you will oftentimes need to rely on your power and position. Business executives traditionally see computer investigations (and information security in general) as a burden and are likely to give it a lower priority since it is not a revenue generator. IT staff members will likely see your team as a nuisance. Line managers may see your team as a hindrance to the productivity of their teams.

In order to be most effective, the leader of a computer investigation team should be positioned around Director level in the organizational chart and should have strong support from someone at C-level. At this level you will be in a better position to influence the money, manpower, and policy decisions made by executives, as well as to deal with non-executives such as IT staff and line managers.

The intention of this point is not to offend anyone by stating the obvious (“power and position equals influence”), but to highlight how critical this is, especially given the nature of the work you will be doing and how different it is from the traditional operational models of other business areas. The work will be dynamic and responsive. You will be asking for unplanned and last-minute deliverables that require immediate attention from people who may be unfamiliar with you and your team. Here is where “pulling rank” is most effective.

Make Quality Friends, and Do it Quickly

The Legal Counsel and Human Resources departments should be the easiest friends to make, and should become your “best friends for life”. If you aren’t being used much by either department, then it’s time to start building a relationship with them. Your team will need them both, and it is your task to make them realize how much they will need your team.

Your team will benefit because Legal Counsel will provide you with the internal authority to carry out many of your tasks, and will help ensure that you are not breaking any regulations or laws in the process of doing so. This not only helps you carry out your mission, as it gives you the muscle when dealing with non-compliant business teams, but it also removes the investigative team from making legal risk decisions that they may not be qualified to make. (In other words: C.Y.A.)

It’s important to understand that Legal Counsel is likely paying a lot of money to third parties providing services such as forensics and eDiscovery. One study shows that the average $25 billion company spends an average of $10 million a year on eDiscovery services, and in some cases as much as $60 million a year, where most of the cost is for unnecessary “bad” eDiscovery services [1].

These are services that your team should be able to provide to the company while showing a cost saving. Furthermore, I have always argued that an internal team will work harder and better, as they have a vested interest in the company, and will reduce the risk of “bad” services. However, this brings up a very important rule: in order to gain the trust of Legal Counsel, your team must be honest, impartial, and not influenced by unethical motivations.

One thing to keep in mind is that Legal Counsel may have already established a close relationship with a third-party service and may be reluctant to switch to your team. This is okay. A strategy you could take is to convince Legal Counsel that for certain tasks third-party services have a place (such as tasks that require less investigative strategy and analysis and more resource-intensive work, such as large data collections or backup tape restores).

Human Resources will benefit from your team because you will be able to provide them with concrete evidence to use in misconduct investigations. For example, instead of just relying on a staff member’s word that he saw a fellow office mate stealing company confidential data, recovering the actual emails in which the data was sent to a competitor will be stronger evidence for termination. This evidence may also be more likely to stand up in court if the staff member decides to sue for wrongful termination, or may convince the staff member that it is not even worth taking to court.

Another group you will have a regular relationship with is the IT department; however, prepare for a love/hate relationship with them. You will need IT more than you may realize, and yet they will give you the most headaches. Your team will never have the collective knowledge or capability that the IT department has. You will have to rely on them for very crucial tasks such as data collection, deploying security applications, and perhaps even approval for large hardware or infrastructure purchases.

It is important to put the IT department into perspective. They likely don’t view your team as beneficial to their job. In fact, they may well see your team as a hindrance. IT teams are likely understaffed and overworked, and your team’s requests to reallocate their resources in order to carry out data collections take them away from their work. Furthermore, in your team’s day-to-day investigations, IT system problems will likely be discovered. When these problems are related to poor security or non-compliance, it does little to help senior management’s view of the IT department’s competency.

One strategy for building a good relationship with the IT department is letting senior management know how critical a part IT plays in the missions of the investigative and information security teams. Letters of commendation and recommendations for awards can go a long way. One can imagine how IT staff members perceive the security of their jobs, considering the trend of IT outsourcing and the current state of economic woes.

Follow High Standards by Incorporating Established Policies, Procedures, and Guidelines

While working in the private sector, I have had debates with colleagues from other information security teams who could not understand why our team followed such stringent chain-of-custody practices. A few times, I have heard “This incident will never go to court”. My counter-argument was “How do you know?”, which I followed up with “If it does not get to court, what about a civil or regulator hearing, or an internal tribunal?” I finally ended with “It’s good practice to always do it the right way, in order to eliminate mistakes, regardless of whether it ends up in court, a hearing, or a tribunal.”

In my career, I have seen my share of mistakes that could easily have been prevented if proper policies, procedures and guidelines had been established. A few of these I came across while taking part in a criminal investigation where I reanalyzed data collected by a corporate incident response team. I wonder if those incident responders thought the same way: “This will never go to court”.

I am a firm believer that being in the private sector should not be an excuse for poor practices. Not only should you be prepared for the “what ifs” and “worst case scenarios”, it just makes sense to follow set policies, procedures and guidelines for the sake of efficiency and organization.

Two industry-accepted guidelines, which are very good starting points, are the Scientific Working Group on Digital Evidence’s “Best Practices for Computer Forensics” [2] and the Association of Chief Police Officers’ “Good Practice Guide for Computer based Electronic Evidence” [3].

It is important to note that some guidelines may not be up to date with the fast-changing pace of computer crime trends. For example, some don’t cover dealing with encrypted hard drives or non-persistent artifacts stored in memory, oftentimes recommending shutting computers down without checking for the presence of encryption or taking a memory capture. This could be detrimental for a forensic response on the computers of a highly skilled digital criminal, or for an investigation of a compromised system.
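The chain-of-custody practices argued for above come down to two records: a hash of the evidence taken at acquisition, and a log of every hand-over that cannot be quietly rewritten later. The following is an added example (not code from the article or from either guideline it cites) of the smallest version of both: SHA-256 over the evidence, plus a hash-chained custody log where each entry commits to its predecessor. The field names and the sample evidence and events are constructed for the demo.

```python
"""Minimal chain-of-custody record for one item of digital evidence.

Added example, not code from the article. It assumes evidence is handled as
a byte string (a file's contents in practice; constructed here) and that every
custody event is appended to a log whose entries are hash-chained, so editing
or dropping an earlier entry is detectable. Field names are this example's own
choice, not a standard schema.
"""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only list of custody events; each entry commits to the previous one."""

    def __init__(self, evidence_id: str, evidence: bytes, examiner: str, timestamp: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(evidence)
        self.entries = []
        self.append("acquired", examiner, timestamp, "acquisition hash " + self.acquisition_hash)

    def append(self, action: str, handler: str, timestamp: str, note: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "timestamp": timestamp,   # supply a real UTC timestamp in practice
            "action": action,
            "handler": handler,
            "note": note,
            "prev_hash": prev,
        }
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self, evidence: bytes) -> bool:
        """True if the evidence still matches its acquisition hash and the log is intact."""
        if sha256_hex(evidence) != self.acquisition_hash:
            return False
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if _entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed walk-through: intact log, tampered evidence, tampered log entry."""
    evidence = b"constructed mailbox export, not real data"
    log = CustodyLog("EV-2011-001", evidence, "examiner-1", "2011-12-13T09:00:00Z")
    log.append("transferred", "examiner-2", "2011-12-13T11:30:00Z", "handed over for analysis")
    log.append("imaged", "examiner-2", "2011-12-13T12:00:00Z", "working copy created")
    intact = log.verify(evidence)
    evidence_modified = log.verify(evidence + b"x")
    log.entries[1]["handler"] = "someone-else"     # retroactive edit of the record
    log_modified = log.verify(evidence)
    return intact, evidence_modified, log_modified


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The chain only proves that the log was not altered after the fact by someone without the ability to re-hash every later entry; in practice the last entry hash is also recorded somewhere the handlers cannot edit (a case file, a signed email, a printout initialled at hand-over), which is what turns a self-consistent log into one a tribunal can rely on.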

Have a Holistic Understanding of the Architecture and the Relevant Contacts

Another important task you and your team should focus on is identifying all the different IT areas and domains, and who the points of contact are. It will save you grief if you do this before an incident or investigation, not during one.

A large organization that has been through acquisitions, mergers, and divisions will likely have a large, complex hodgepodge infrastructure managed by different and oftentimes segregated groups unaware of each other’s existence. Couple this with overseas offices, legacy systems, and partial IT roll-outs, and you have a potential nightmare for a computer investigative team.

In order to collect the data required to conduct an investigation, I routinely had to coordinate with three to four different groups, and sometimes as many as six to seven.  Separate groups were responsible for administering the different elements: web gateway infrastructure, domain and active directory, Exchange servers, Legacy Lotus Notes backups, data leakage monitoring, antivirus alerts, full disk encryption, and data backup archives, not to mention separate groups for managing overseas networks and subsidiary divisions.

I kept a list of about 15 “regular go-to contacts” that I worked on establishing and maintaining a good working relationship with. I made sure these contacts understood our team’s mission and requirements, as well as the ramifications of failing to deliver. Having this list saved me time, and allowed our group to quickly respond and collect data, resulting in mitigation and recommendation reports getting into the hands of executives quickly. An unintended benefit of having good contacts was that I would regularly hear from one group about IT issues that another group was experiencing but did not want to share with our group. Some of these issues would have affected the integrity of the data we collected had we not known about them.

At the end of the day, it’s about the bottom line.

One of the biggest hurdles I had to leap over after moving from federal law enforcement to the corporate world was that I no longer worked for the general public, but instead worked for the shareholders. This meant that the expectations set for my team and me were different.

As a leader of a computer forensic investigations team, your main goal is not to “catch the bad guy” or to “see justice is done” but it is to protect the financial interests of the company.  If you can show this, then you have succeeded.  However, I am not suggesting that one should lose feelings of moral obligations towards society as a whole—that is actually a good thing to have.  Your challenge will be finding a way to satisfy your moral obligations while contributing to your company’s bottom line.

References

[1] “Bad eDiscovery Costs 60 Million Per Year”, http://www.lawdable.com/2011/05/articles/e-discovery/bad-ediscovery-costs-60-million-per-year/

[2] “SWGDE Best Practices for Computer Forensics v2.1”, http://www.swgde.org/documents/current-documents/2006-07-19 SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v2.1.pdf

[3] Association of Chief Police Officers, “Good Practice Guide for Computer based Electronic Evidence”, http://www.dataclinic.co.uk/ACPO%20Guide%20v3.0.pdf





Wardriving: Legal or Illegal?

12 12 2011

Wardriving was invented by Peter Shipley and is now practiced by hackers, hobbyists and security analysts all over the world. It is the act of finding and exploiting wireless local area network connections while driving around an area with wireless connectivity. This act is also known as access point mapping. “To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources” [1].

Most culprits have made a sport out of wardriving because of the ease with which they can do it. An omnidirectional antenna and a Global Positioning System (GPS) receiver are all it takes to systematically map out the various wireless access points.

Personally, up until I read up on this topic I did not even know it existed. There are probably many like myself who are unaware of attackers like these, who can then cost them thousands of dollars. The legal implications with regard to wardriving are a bit of a grey area. Some people are of the view that it is not illegal, since one should be free to see what is causing problems with one’s local wireless network, for example congestion. In my opinion it is not the act that is illegal, but what one does with the information one acquires that is the problem. “The illegality is based on the extent and intent of the infringement by the war driver” [2]. A wardriver can do one of the following: dishonestly steal data, gain private information, or use unauthorized resources.

An informal survey was done by Freeman to find reasons why people participate in wardriving [3]. The reasons that ranked highest were:

  • To access adult websites without leaving a trail.
  • To experience the thrill of being where you are not supposed to be.
  • To sell Wi-Fi owners security services.
  • They are bored.

Once a wardriver is connected to a network, he or she can sniff the private network and view information such as passwords and credit card numbers. A wardriver can also make changes to the information and cause the worst outcomes.

Of late, many cases have been reported, including the case of a software company in Seattle where several employees complained that their pay checks had not shown up in their bank accounts. It was found that the bank routing numbers had been changed so that the pay was diverted to bank accounts elsewhere, where the money was quickly loaded onto debit cards and withdrawn. When the investigation was carried out, it was found that the owners of the IP addresses from which the crimes had allegedly been committed had no idea what was going on [4].

It is difficult to know of, and thus catch, these culprits until they commit the crime, at which point it is too late. How would one be able to monitor what another individual does as they drive around? They may not be the ones who commit the crime, but more often than not they are accessories to it, making network information available to people with ill intentions. As such, it is better to be safe than sorry: protect your network!

Wardrive.net suggests that you implement the following measures [5] (checklist from Wardrive.net, “Things you can do to secure your wireless network”):

  1. Change the default Admin password on your Access Point (this includes the web interface).
  2. Check if the firmware for your Wireless Access Point and drivers for your Wireless Adapter(s) are up to date. Update if necessary. Keep checking for new releases in the future.
  3. Use a high level of encryption (WPA2/802.11i strongly preferred) — Use decent keys.
  4. Authenticate wireless users with protocols like 802.1X, RADIUS, EAP (including EAP-PAX, EAP-PSK, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-POTP, EAP-IKEv2, EAP-GPSK, PEAP, and EAP-SIM). These protocols support authentication credentials that include digital certificates, usernames and passwords, secure tokens, and SIM secrets.
  5. Use strong encryption for all applications you use over the wireless network, e.g., use SSH and TLS/HTTPS.
  6. Encrypt wireless traffic using a VPN (Virtual Private Network), e.g. using IPSEC or other VPN solutions.
  7. Use WLAN Security Tools for securing the wireless network. This software is specifically designed for securing 802.11 wireless networks.
  8. Create a dedicated segment for your Wireless Network, and take additional steps to restrict access to this segment.
  9. Use a proxy with access control for outgoing requests (web proxy, and others).
  10. Regularly TEST the security of your wireless network, using the latest Wardriving Tools (the same tools the attacker will use). Don’t use these tools on other networks, and always check local laws and regulations before using any wardriving tools.
  11. Enable strict (sys)logging on all devices, and check your (wireless) log files regularly to see if your security policy is still adequate.
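Item 11 of the checklist is the one most people skip: logging is enabled but nobody reads it. The following is an added example (not code from Wardrive.net or from the original post) of the kind of check that makes a wireless log worth keeping: it parses association and authentication events, flags a client MAC that fails authentication repeatedly inside a short window, and flags any client that associates without being on the list of devices you know. The log line format, the thresholds and the sample lines are all constructed for the demo and are not the format of any particular access point.

```python
"""Detection over a (constructed) wireless access-point log.

Added example, not code from the original post or from Wardrive.net. It
assumes one event per line in the constructed form
    <ISO-8601 timestamp> <ap-name> STA <client-mac> <assoc|auth-fail|disassoc>
and a set of client MACs the owner recognises. Thresholds are arbitrary.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) STA "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<event>assoc|auth-fail|disassoc)$"
)
FAIL_THRESHOLD = 5      # auth failures from one MAC ...
FAIL_WINDOW_S = 60      # ... within this many seconds


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(lines, known_macs):
    """Return a list of (mac, reason) alerts, each MAC/reason pair reported once."""
    alerts, seen = [], set()
    fails = defaultdict(deque)           # mac -> timestamps of recent auth failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparsable line: ignored here, worth counting in practice
        mac, ev, ts = rec["mac"], rec["event"], rec["ts"]
        if ev == "auth-fail":
            window = fails[mac]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > FAIL_WINDOW_S:
                window.popleft()          # slide the window
            key = (mac, "repeated_auth_failures")
            if len(window) >= FAIL_THRESHOLD and key not in seen:
                seen.add(key)
                alerts.append(key)
        elif ev == "assoc" and mac not in known_macs:
            key = (mac, "unknown_client")
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


# Constructed sample log: one known laptop, one MAC hammering the passphrase,
# one unknown device that gets in, and a junk line.
SAMPLE_LOG = """\
2011-12-12T22:00:00 ap1 STA aa:bb:cc:dd:ee:01 assoc
2011-12-12T22:00:10 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:00:12 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:00:15 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:00:17 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:00:20 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:00:25 ap1 STA aa:bb:cc:dd:ee:99 auth-fail
2011-12-12T22:03:00 ap1 STA de:ad:be:ef:00:01 assoc
garbage line that does not parse
2011-12-12T22:05:00 ap1 STA aa:bb:cc:dd:ee:01 disassoc
"""
KNOWN_MACS = {"aa:bb:cc:dd:ee:01"}


def demo():
    return analyse(SAMPLE_LOG.splitlines(), KNOWN_MACS)


if __name__ == "__main__":
    for mac, reason in demo():
        print(mac, reason)
```

A MAC address is trivially forged, so the "unknown_client" alert is a prompt to look, not proof of an intruder; its real value is the opposite case, where a device you never added shows up in your own log and tells you the passphrase or the access control has leaked.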

______________

[1] TechTarget. Wardriving (Access Point Mapping). Accessed at http://searchmobilecomputing.techtarget.com/definition/war-driving

[2] Sathu, H. 2006. WarDriving: Technical and Legal Context. http://www.wseas.us/e-library/conferences/2006istanbul/papers/520-188.pdf

[3] Houston, N., Reams, D. & Zelinsky, N. The ethical issues surrounding Wi-Fi. Accessed at http://www.ethicapublishing.com/ethical/3CH10.pdf

[4] Los Angeles Times. Accessed at http://www.latimes.com/news/nationworld/nation/la-na-wardrivers-

[5] Wardriving/802.11 security. http://www.wardrive.net/





The Art of Cyber War

9 12 2011

In my blog on Sep 23, I discussed applying the strategic principle from the ancient Chinese military treatise “The Art of War” that knowing your enemy is the key to winning a battle; here we will finish the discussion by analyzing the last third of the probability of winning a Cyber War (CBW).

It is critical that we master advanced technologies and acquire insight into our own capacity as well as our enemy’s, but without a strategic methodology for applying our knowledge and techniques, we won’t have the full confidence to win the war as SunZi would have.

We need to secure not only the nation-wide critical infrastructure but also individual networks, as the impact of an attack can spread from any corner of cyberspace to the massive network backbone. Therefore, we need to implement different strategies according to a hierarchical structure. At the top of this hierarchy is building centralized secure control over national critical cyber networks such as dams, drinking water systems, banks, hospitals, energy, transportation, government networks, commercial nuclear reactors, etc. For private institutions, we need secure controls designed to fit the particular needs of the individual institution; for example, the network security needs of General Motors, Google and a Papa John’s Pizza restaurant would be very different. For individual users like students, there should be several security control services offered by the institution the users work for or are affiliated with. The security systems from the top of the hierarchy to the bottom should be connected or associated in a large database that can trace or track the connections between incidents, in order to better prevent an attack from spreading to major infrastructure.

In the spaces that are most vulnerable, such as the data center of a cloud computing facility, there should be continuously upgrading and transforming security management to lead the game against hackers, who, like viruses, are constantly transforming and upgrading as well. To take control of a virus, we have to keep creating new vaccines.





Smart grids and Security

9 12 2011

by Zeal P. Somani

An electrical grid has three major functions: power generation, power transmission and power distribution. Power is generated at a power plant (thermal, renewable or nuclear) at a certain voltage, transmitted from the power plants to the power companies’ distribution systems at a stepped-up voltage (> 110 kV), and finally distributed to consumers at a stepped-down voltage (< 50 kV).

The communication in this supply chain is one-way, hence the peaks and valleys of demand are not monitored and are ignored. Additionally, over the years the power grid infrastructure has been aging, while in contrast our electricity usage has increased because of new appliances in our homes and a growing population. The smart grid solves this one-way communication limitation of the normal electric grid by facilitating two-way communication. This means the flow of communication would be back and forth, i.e. between the power plants (generating stations) and the users. The meters that monitor our daily usage of electricity would become smart enough to monitor and predict our need for electricity and communicate it to the generating station.

Justifications for smart grid [1]:

  • Minimize waste: with the ability to forecast demand for electricity using “smart” infrastructure, power plants will produce (supply) the equivalent.
  • Reliability: brownouts caused by sudden dips in voltage [2] and blackouts caused by environmental factors like hurricanes, tornadoes, heat waves, falling leaves etc. [3] can be managed much more efficiently with the better load-balancing capabilities of smart grids.
  • Renewable sources of energy: renewable sources like sun and wind are intermittent with respect to weather and season. Hence, with these sources, an infrastructure that can communicate two-way and forecast demand is very necessary.

Security in the smart grid:

Interoperability is one of the key features of a smart infrastructure. Interoperability is the ability of different devices to communicate with each other. These devices could be from different vendors, on different platforms, handling different signals and meant for different sets of users. This leads to the adoption of open standards of communication. With open standards comes the challenge of security.

The legacy power grids are controlled by SCADA (Supervisory Control and Data Acquisition) systems, and the threats against those systems would still exist in the smart grid infrastructure. Apart from these, some of the other security issues posed by the smart grid infrastructure are:

Consumer privacy: consumer appliances communicate with smart meters hosted by the utility company in order to monitor usage and forecast demand, and sometimes the utility can even control them. This leads to a lot of personally identifiable information about a consumer being available digitally, and hence poses a big threat from hackers involved in identity theft or in selling this data on the black market.

Wireless network security [4]: the HAN (Home Area Network) in consumers’ homes would largely be a wireless network. For example, smart thermostats, smart water heaters and smart appliances would be controlled by smart controllers on Zigbee or mesh wireless networks. These networks are not regulated; the spectrum is open. Hence it is a big challenge to curb hacking on open networks, or even to avoid interference from other signals. Sometimes hackers purposefully load the frequencies with noise to increase interference.

Tampering with meters and service theft: since meters have gone smart, utility companies face the challenge of ensuring tamper-proof meters and avoiding service theft. Some consumers tamper with them to avoid paying high utility bills.
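Once the meter is a networked device, "tamper-proof" has a software half as well as a physical one: the utility must be able to tell a genuine reading from one that was altered, forged, or simply replayed from last month. The following is an added example (not code from the original post or from any real metering system) of the minimum the head-end can check: an HMAC tag over the reading, a strictly increasing sequence number, and the rule that a cumulative energy register never goes backwards. The per-meter key, the meter IDs and the readings are constructed for the demo.

```python
"""Authenticated, replay-resistant meter readings.

Added example, not code from the original post or any real meter. It assumes
each meter shares a per-device secret key with the utility head-end, that a
reading carries a strictly increasing sequence number, and that the energy
register (in watt-hours) is cumulative and never decreases. Keys and readings
below are constructed for the demo.
"""
import hashlib
import hmac


def _message(meter_id: str, seq: int, wh: int) -> bytes:
    return f"{meter_id}|{seq}|{wh}".encode()


def sign_reading(meter_id: str, seq: int, wh: int, key: bytes) -> dict:
    """Meter side: produce a reading with an HMAC-SHA256 tag over its fields."""
    tag = hmac.new(key, _message(meter_id, seq, wh), hashlib.sha256).hexdigest()
    return {"meter_id": meter_id, "seq": seq, "wh": wh, "tag": tag}


class HeadEnd:
    """Utility side: verify the tag, reject replays, flag a register that went backwards."""

    def __init__(self, keys: dict):
        self.keys = keys            # meter_id -> shared secret
        self.last_seq = {}
        self.last_wh = {}

    def accept(self, reading: dict) -> str:
        meter = reading["meter_id"]
        key = self.keys.get(meter)
        if key is None:
            return "unknown_meter"
        expected = hmac.new(key, _message(meter, reading["seq"], reading["wh"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, reading["tag"]):
            return "bad_tag"                  # modified in transit or forged
        if reading["seq"] <= self.last_seq.get(meter, -1):
            return "replay"                   # an old reading sent again
        if reading["wh"] < self.last_wh.get(meter, 0):
            return "register_went_backwards"  # cumulative register cannot shrink: tamper indicator
        self.last_seq[meter] = reading["seq"]
        self.last_wh[meter] = reading["wh"]
        return "ok"


def demo():
    """Constructed sequence of readings exercising each outcome, in order."""
    key = b"constructed-demo-key-not-for-real-use"
    head_end = HeadEnd({"M-1001": key})
    results = []
    results.append(head_end.accept(sign_reading("M-1001", 1, 1000, key)))
    second = sign_reading("M-1001", 2, 1250, key)
    results.append(head_end.accept(second))
    results.append(head_end.accept(second))                    # same reading sent twice
    tampered = dict(sign_reading("M-1001", 3, 1500, key), wh=300)
    results.append(head_end.accept(tampered))                  # field changed after signing
    results.append(head_end.accept(sign_reading("M-1001", 3, 900, key)))
    results.append(head_end.accept(sign_reading("M-9999", 1, 10, key)))
    return results


if __name__ == "__main__":
    print(demo())
    # ['ok', 'ok', 'replay', 'bad_tag', 'register_went_backwards', 'unknown_meter']
```

The "register_went_backwards" case is the one that maps onto the physical tampering the post describes: a meter whose firmware or register has been reset will sign a perfectly valid reading, and only the head-end's memory of the previous value reveals it. The scheme stands or falls on the per-meter key staying inside the meter, which is why real deployments keep it in a secure element rather than in ordinary flash.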

Public safety of critical infrastructure and safeguarding against terrorism: following the recent news of an attack on a utility company in Illinois [5], and the Stuxnet and Duqu attacks, national security is the prime challenge before governments. Adopting a smarter infrastructure and new technologies, and making them interoperable, makes our network much more open and vulnerable to cyber-attacks and cyber-terrorism.

Conclusion: there are benefits with smart grids, but there are risks associated with them as well. Threats like service theft would become mainstream [6]. In order to defend against these attacks, a coordinated effort from governments, utility companies and consumers is expected to drive the success of smart grid adoption. The federal government is taking several steps in this move towards the smart grid. The Federal Smart Grid Task Force was established under Title XIII of the Energy Independence and Security Act of 2007 [7].





Choosing a Secure Cloud Service Provider

8 12 2011

Cloud computing is a promising technology that offers flexibility and cost savings to organizations. However, before going for cloud offerings, organizations have to understand the associated security and compliance implications.

The security issues of cloud computing can be broadly classified into security issues faced by the cloud service providers and security issues faced by the cloud service customers. It is the duty of the cloud providers to ensure that their cloud infrastructure is secure and that their customers’ data and applications are protected. The cloud customers, on the other hand, have to ensure that their cloud provider has taken proper security measures to safeguard their data and applications.

From a security perspective, the providers and consumers of cloud services have to worry about privacy, compliance and legal issues.

Choosing a cloud service provider is an important decision for an organization. Organizations have to assess the security risks involved when choosing a provider. Below are a few of the security issues that the technology research and advisory firm Gartner suggests customers raise with their potential cloud providers.

Before selecting a cloud provider, customers have to make sure the provider has sufficient security programs to safeguard their data. By keeping sensitive data outside the organization, customers expose themselves to an inherent level of risk, as the data is no longer under the same controls as their in-house programs. Therefore, it is important that customers know which administrators have access to their data, the level of that access, and what access controls are in place.

Cloud service providers have more than just one customer therefore it is in the interest of the customer to know which other companies the provider is servicing and if there is a risk of exposure of the customer’s data to competitors. Customers should ensure that appropriate measures are taken by the providers for data segregation. Customers should ensure that the cloud service providers are subject to appropriate external audits and security certifications.

Usually customers are unaware of where their data is located. Customers should ask providers to store and process data in particular jurisdictions. This will ensure that the customers know the legal implications of storing their data in particular locations. Customers should also obtain a commitment from the providers to obey legal privacy requirements on their behalf.

Customers should make sure they understand and are comfortable with the cloud provider’s disaster recovery plan and its management. Customers should ask the provider about their ability to completely restore data and how long it will take.

Investigation in a cloud environment is a challenge. This is because logging and data for multiple customers may be co-located and spread across multiple hosts and data centers. Therefore, customers should get contractual commitment from providers that effective investigative support will be provided and that the provider is experienced in providing such support.

Finally, customers should ensure that appropriate measures are taken by the provider to give the customer’s data back in a format that can be imported to a replacement application in case the provider gets into a situation that it can no longer provide cloud services.






Sophisticated Phishing Attacks

6 12 2011

Most of us have experience with traditional phishing attacks, where we receive emails luring us with various financial incentives or asking us to click on links which lead to web pages asking for our SSN, credit card details, and other personal information. The Nigerian Prince is one of the most popular phishing attacks, and the majority of us have probably come across similar attacks multiple times [1]. Fortunately most of us have become aware of these attacks and follow best practices when it comes to handling such emails. Today, phishing attacks have become extremely sophisticated and attackers have novel ways to collect our personal information. Let us look at a few techniques below:

In-session phishing: Unlike most phishing attacks, this attack does not rely on the user’s ignorance or negligence, and it has nothing to do with clicking on links sent via email. In a typical attack, a user legitimately logs in to their bank account and, once done, moves to another tab or browser window, leaving the bank website open and logged in. The user then visits a website injected with malicious code. The malware opens a pop-up asking the user for their login credentials. The user believes the pop-up is from the bank website and enters details that the attacker now has access to.

Two conditions are needed for this attack to succeed. First, the website must be compromised and infected, and second, the malware served by that site must be able to identify whether the user is logged into the secure website (online banking). Users can avoid this attack by logging out of their online banking account once they are done viewing their account details. They should also be wary of pop-ups that ask for their login credentials. Typically, most banks use security mechanisms that log the user out after a specific period of inactivity. Users have to be aware that banks do not ask users to log into their online banking accounts using a pop-up.[2]

TabNabbing: This is another innovative, sophisticated phishing attack whose name was coined in 2010 by Aza Raskin, a security researcher and design expert. The attack exploits the fact that users verify the URL of a website only the first time they open it. Once the browser tab with the website is open, users don’t expect it to change into a malicious website. A video depicting this attack is given in this link.

Most users have multiple browser tabs open at the same time. When they switch between tabs, they don’t necessarily remember which website is open in which tab. So when they come across a fake Gmail look-alike webpage, they don’t realize its malicious intent, because they already have their Gmail account open in one of the tabs. They tend to assume that the Gmail session timed out, or that they previously opened the page and forgot to sign in. Once they sign in on this fake page with their credentials, the attackers acquire those details, and the user is redirected to the authentic Gmail account, which works because they had already signed in. This can be experienced by going to this webpage, switching to another tab and then going back to the initial tab. You will notice a Gmail look-alike sign-in page in the initial tab.

This is clearly one of the toughest attacks to prevent. One way to prevent it, according to Aza Raskin, is the use of a password manager, i.e., by actively involving the browser in the process of securing your identity and credentials.[3]

Social Networking Websites: Another form of sophisticated phishing that has become common in recent years uses social networking websites such as Facebook. On Facebook, you tend to know all the details of the friends on your friends list, further established by the personal pictures or status updates posted on their walls. Phishing in this case is not just a random email or fax, as in the case of the Nigerian prince email. The attackers exploit the trust between users and their friends for financial gain.

A typical case of this attack is when your friend starts a conversation with you and indicates that he or someone in his family is in big trouble and needs you to help with some money. Since the attackers have access to the profile they hacked into, they can substantiate their impersonation by citing the names of his family members, etc. If the person in question is a really close friend, you may respond immediately by transferring money to the bank account provided. The risk from this attack is significantly lower if the user is aware of such attacks on Facebook. A few suggestions are to cross-verify with information known only to you and your friend, such as where you first met or where you last hung out. Sometimes the attacker makes it easy to detect by using incorrect grammar or a different style of speaking than your friend.[4]

The use of social networking websites as a medium for phishing is a cause for concern. According to Microsoft, the proportion of phishing attacks seeking personal information from social networking site users rose from 8.4% in January 2010 to a staggering 84.5% at the end of 2010. It also states that 43% of all social networking users had been on the receiving end of phishing attacks as of December 2010[5].

To conclude, though companies have been incorporating filters to protect their clients from phishing emails, and browsers have been doing their best to protect their users from these attacks, the easiest and most feasible defense is for users to stay well aware of these attacks. There are quite a few organizations, such as the Anti-Phishing Working Group (APWG), that provide detailed advice on how users can identify and escape phishing attacks, as well as what to do if they become a victim of such an attack.[6] There have been several attempts to develop an interactive phishing tool that educates users about the various ways to identify phishing attacks in a simple yet efficient manner. One such tool that I tried and highly recommend is Anti-Phishing Phil, developed by CUPS (CyLab Usable Privacy and Security Laboratory)[7].

_______________________

1) http://www.katu.com/news/34292654.html

2) http://arstechnica.com/security/news/2009/01/new-method-of-phishmongering-could-fool-experienced-users.ars

3) http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

4) http://techcrunch.com/2009/01/20/latest-facebook-scam-phishers-hit-up-friends-for-cash/

5) http://blog.zonealarm.com/2011/07/how-phishing-hooks-users.html

6) http://www.antiphishing.org/consumer_recs.html

7) http://cups.cs.cmu.edu/antiphishing_phil/