I was asked to comment yesterday on the story that emerged about the Google mail accounts that were compromised over the last few days, so I thought I'd put some of my answers down here. First off, Google wasn't compromised; a set of phishing emails were sent out and a fake Gmail login set up to harvest login details. These were used to set up forwarding rules to copy mail to another account.
Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the only real way out of this.
Could this be cyber espionage? I would think that is most likely given the profile of those targeted. Information is worth a lot of money and political weight. In recent years we have seen a decrease in attacks designed to deface/destroy/delay/deny services and information. Instead, we are now seeing information and identity theft as major goals. Viruses won't necessarily stop your computer from working, but they will use Trojans to steal your login credentials. Malware now will silently sign your machine up to botnets rather than perform an obviously malicious action.
What can companies like Google do to stop this? Well, they can improve their SPAM filtering for a start. It is possible to eliminate the vast majority of phishing emails, which would drastically reduce the problems. However, many of the major vendors aren't strong enough on this. Secondly, user education would help a lot, but can't always help you against the best social engineers. To be honest, though, the governments and organisations that these people work for shouldn't allow the use of gmail, or other accounts (which have fewer controls than a corporate email setup), for official business and should educate their users to use different passwords, be vigilant, etc.
Spear phishing is a more difficult one to combat as it targets a specific user or group of users that the attacker has knowledge of. If I know your habits and who your friends are then I can use that information to trick you much more easily. If you receive an email or Facebook message from your partner, do you hesitate before opening it? The reason this doesn't happen more is that it takes background research and, by definition, targets very few people. This technique is only relevant if you want what that specific user has access to. Hence it is more likely to be information that they were after.
Another way to combat these types of attack is to use one-time passwords as well, so that intercepting a single logon only gives you access during that session, and isn't valid in the future. However, tokens are prohibitively expensive for Google to hand out to everyone. There are other solutions such as SMS tokens, but these aren't all that cheap, when multiplied up by the number of gmail users, and aren't without their problems. Software token solutions such as Swivel, GrIDsure, FireID, etc., are possibly cost-effective enough to be implemented and could drastically reduce the success of these attacks. However, none of these stop the man-in-the-middle (MITM) attack, so you could still hijack the session and set up a forwarding rule to obtain a copy of all their mail. Google do allow you to set up alerts and have to validate changes through a 2-step process, but you have to enable this. This should be the default for all of these services. Perhaps they could also add a footer to all versions of the email to specify where it has been forwarded to.
How worrying is this sort of attack? Well, that depends. Most people can be socially engineered - look at Derren Brown! For the individual, spear phishing is unlikely to be a problem, but with a lack of education they may well fall for a bulk phishing scam anyway (thousands do or nobody would bother). However, for those with access to secrets or other valuable information, it is a serious issue. It all comes down to how good the attacker is. I believe that HM Treasury is the most attacked entity in this country and that is mostly for information rather than evading tax or performing Denial-of-Service, etc. They should be worried about this type of attack.
Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the only real way out of this.
Could this be cyber espionage? I would think that is most likely given the profile of those targeted. Information is worth a lot of money and political weight. In recent years we have seen a decrease in attacks designed to deface/destroy/delay/deny services and information. Instead, we are now seeing information and identity theft as major goals. Viruses won't necessarily stop your computer from working, but they will use Trojans to steal your login credentials. Malware now will silently sign your machine up to botnets rather than perform an obviously malicious action.
What can companies like Google do to stop this? Well, they can improve their SPAM filtering for a start. It is possible to eliminate the vast majority of phishing emails, which would drastically reduce the problems. However, many of the major vendors aren't strong enough on this. Secondly, user education would help a lot, but can't always help you against the best social engineers. To be honest, though, the governments and organisations that these people work for shouldn't allow the use of gmail, or other accounts (which have fewer controls than a corporate email setup), for official business and should educate their users to use different passwords, be vigilant, etc.
Spear phishing is a more difficult one to combat as it targets a specific user or group of users that the attacker has knowledge of. If I know your habits and who your friends are then I can use that information to trick you much more easily. If you receive an email or Facebook message from your partner, do you hesitate before opening it? The reason this doesn't happen more is that it takes background research and, by definition, targets very few people. This technique is only relevant if you want what that specific user has access to. Hence it is more likely to be information that they were after.
Another way to combat these types of attack is to use one-time passwords as well, so that intercepting a single logon only gives you access during that session, and isn't valid in the future. However, tokens are prohibitively expensive for Google to hand out to everyone. There are other solutions such as SMS tokens, but these aren't all that cheap, when multiplied up by the number of gmail users, and aren't without their problems. Software token solutions such as Swivel, GrIDsure, FireID, etc., are possibly cost-effective enough to be implemented and could drastically reduce the success of these attacks. However, none of these stop the man-in-the-middle (MITM) attack, so you could still hijack the session and set up a forwarding rule to obtain a copy of all their mail. Google do allow you to set up alerts and have to validate changes through a 2-step process, but you have to enable this. This should be the default for all of these services. Perhaps they could also add a footer to all versions of the email to specify where it has been forwarded to.
How worrying is this sort of attack? Well, that depends. Most people can be socially engineered - look at Derren Brown! For the individual, spear phishing is unlikely to be a problem, but with a lack of education they may well fall for a bulk phishing scam anyway (thousands do or nobody would bother). However, for those with access to secrets or other valuable information, it is a serious issue. It all comes down to how good the attacker is. I believe that HM Treasury is the most attacked entity in this country and that is mostly for information rather than evading tax or performing Denial-of-Service, etc. They should be worried about this type of attack.
Comments
Post a Comment