Fairly uninteresting from a technical point of view, but worth noting as a perpetual problem. The Register reports on a recent fishing attack against Hotmail and other web-based email users. Phishing, Fishing, <><, all refer to what is known as a “Social Engineering” attack. Social engineering attacks target the user rather than the technology, and do so by convincing the user to go along with what the attacker wants or needs. Here’s a snip from Hackers, the circa-1995 movie, which illustrates the concept:
In it “Dade Murphy alias Crash Override aka Zero Cool” convinces a night security guard that he is an employee of the television studio with some very important work that needs to be done, and talks the guard into reading him the dial-up phone number for the studio’s system. This part is a bit dated, but back when war driving was war dialing, most remote access was by dial-up modem, not the Internet. What Dade has done here is negate a technical security measure, e.g. an unlisted number, by getting an insider to help under false pretenses. There is a really good section in “CYBERPUNK: Outlaws and Hackers on the Computer Frontier” which talks about halving your security for every additional individual who knows a secret. I highly recommend the book; I read it when I was in high school and could not put it down.
The general control flow of a phishing attack goes something like this:
- Send the victim a complicated message involving a problem. In the AOL days this would often be a message along the lines of “ATTENTION: Due to a general error in the login system your password was not correctly recorded.”
- The user is directed to fill out a form, respond to a message, or in some way is guided through a seemingly official process to alleviate the problem. “Please reply with your password or you will be logged off”
- The user believes, because of the information overload and their own gullibility, that the message is authentic (even if the window they are typing their password into says not to do that). They follow the instructions and send off their password to the attacker.
- Optionally, the attacker provides some form of reassurance that the problem is now corrected, so as to soothe any suspicions on the part of the user.
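The control flow above maps neatly onto the indicators a mail filter looks for: an invented problem, a request for a credential, a reply-or-form instruction, and an urgency threat. The following Python is an added example (not code from the original post) that scores constructed sample messages against those four indicators; the regular expressions, the sample texts and the flagging rule are all assumptions chosen to illustrate the pattern, not a production filter.

```python
import re

# Constructed sample messages (not from the original post): one lure modeled on
# the AOL-era pattern described above, and one ordinary office notice.
SAMPLES = {
    "lure": (
        "ATTENTION: Due to a general error in the login system your password "
        "was not correctly recorded. Please reply with your password "
        "immediately or you will be logged off."
    ),
    "benign": (
        "Reminder: the quarterly all-hands meeting is Thursday at 10am in the "
        "main conference room. Agenda attached."
    ),
}

# Each indicator corresponds to one step of the phishing control flow.
INDICATORS = {
    "invented_problem": re.compile(
        r"\b(error in|problem with|not correctly recorded|unusual activity)\b", re.I),
    "credential_request": re.compile(
        r"\b(password|passcode|pin|login credentials)\b", re.I),
    "reply_or_form": re.compile(
        r"\b(reply with|fill (?:out|in) the form|click (?:here|the link))\b", re.I),
    "urgency_threat": re.compile(
        r"\b(immediately|within \d+ hours|or you will be|"
        r"will be (?:logged off|suspended|closed))\b", re.I),
}


def phishing_indicators(text: str) -> set:
    """Return the names of every indicator that fires on the message text."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(text)}


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a message when it asks for a credential AND shows at least one
    other indicator. A lone mention of 'password' is not enough: password
    reset confirmations and policy reminders mention it legitimately."""
    hits = phishing_indicators(text)
    return "credential_request" in hits and len(hits) >= threshold


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, sorted(phishing_indicators(text)), is_suspicious(text))
```

The rule deliberately keys on the co-occurrence of a credential request with a second indicator, because any single phrase appears in legitimate mail; it is the combination that reproduces the sequence the post describes.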
Social engineering attacks have been around since long before computers, but in the context of computer security these attacks are potentially far more damaging than they would otherwise be. To date we only have three real types of authentication:
- Something you know (password)
- Something you have (dongle, key, etc.)
- Something you are (iris / finger / voice prints, etc.)
Something you are is not very practical: it often has to be repeated, is not easy to implement, and has lots of complications. Something you have is very effective, but has an added cost, can be inconvenient if you forget or lose the device, and can be cumbersome if you need a different device for each thing you authenticate to. Something you know is the easiest, most convenient, most economical form of authentication to date, and it is the most vulnerable to social engineering attacks.
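To make the contrast concrete, here is an added Python example (not code from the original post) of a login check that combines something you know with something you have: a salted password hash plus a time-based one-time code computed the way RFC 4226 (HOTP) and RFC 6238 (TOTP) specify. A password handed to a phisher is useless without the current code from the device. The user record, salt and secret are constructed demo values, and the one-window clock-drift tolerance is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo record (not real credentials, not from the original post).
USER_DB = {
    "alice": {
        "salt": b"constructed-demo-salt",
        "pw_hash": None,                      # set below
        "totp_secret": b"constructed-demo-device-secret",   # shared with the token
    }
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: store a slow salted hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USER_DB["alice"]["pw_hash"] = hash_password(
    "correct horse battery staple", USER_DB["alice"]["salt"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def login(user: str, password: str, code: str, now=None) -> bool:
    """Something you know AND something you have: both must verify."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    # Accept the current 30-second window and one on either side for clock drift.
    code_ok = any(hmac.compare_digest(totp(rec["totp_secret"], now + drift), code)
                  for drift in (-30, 0, 30))
    return pw_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    device_code = totp(USER_DB["alice"]["totp_secret"], now)
    print("password + device code:", login("alice", "correct horse battery staple", device_code))
    print("password only (phished):", login("alice", "correct horse battery staple", "000000"))
```

Note that the code is still a shared secret, so a phisher who collects both the password and a fresh code in real time can replay them within the window; the device raises the bar from "any time later" to "within about a minute", which is why the post's point about education still stands.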
The worst part is the lack of solutions for combating social engineering attacks. The best we can hope for is to educate the gullible about the dangers of giving out their passwords, and to preach the gospel of using multiple complex passwords so that one broken password will not compromise all of your accounts.