
Phishing Has Gotten Very Good - apawloski
http://www.schneier.com/blog/archives/2013/03/phishing_has_go.html?utm_source=twitterfeed&utm_medium=twitter
======
trotsky
While Hill staffers and other Washington movers and shakers were being carpet-
bombed two years ago during budget negotiations, it was really eye-opening how
much individual effort was put forth. They were exploiting a Flash 0-day that
was embedded in various .xlsx, .docx and .pdf files - pretty slick, as it got
them around NoScript policies and outside any sandboxes.

The turnaround time was crazy - on at least two occasions the workflow went:

recent victim gets first/early copy of policy paper written that day
--> document is taken, translated to a different format and has 0-day inserted
--> emails with exploit are sent to no more than 10-15 people the victim
    frequently discusses the topics covered in the paper with
--> many include personalized notes that include observations the victim had
    sent to the author
--> time from initial email receipt to exploits all mailed: around 3 hours

Now that's how you get a 95% open rate.

related: <http://contagiodump.blogspot.com/search/label/CVE-2011-0611>

~~~
mshron
Citation needed? If true, that's a pretty crazy story.

~~~
modeless
Yeah, what? Who is sponsoring 0-day exploit attacks against Hill staffers? Do
the parties go that far to get an edge against each other in negotiations?
That seems like it would be front page NYTimes material.

~~~
ubernostrum
Political parties in this country would _never_ stoop to criminal activity to
gain strategic information. Why, if such a thing were to happen, and to
involve high-ranking government officials, I bet it would be a major national
scandal and maybe even lead to some unprecedented resignations!

------
enraged_camel
I love how everyone here is extremely focused on the security of different
technologies (Chromebook, Office, Java, etc.), when really the point of the
article is that regardless of what technology is used, the weakest link in any
system will always be _people_.

Schneier stated this explicitly: "Amateurs target systems, professionals
target people." It doesn't matter if your money is behind a five-foot-thick
reinforced-concrete safe if the banker can be convinced to open it for an
attacker.

~~~
markdown
> It doesn't matter if your money is behind a five-foot-thick reinforced-
> concrete safe if the banker can be convinced to open it for an attacker.

So we should use thinner walls or none at all?

Don't be obtuse.

We talk about the walls, because stronger walls reduce the chances of a
break-in.

~~~
enraged_camel
> So we should use thinner walls or none at all?

This is the textbook definition of a strawman.

What I am pointing out is that nobody is discussing how to train/educate
humans to be more resistant to social engineering attacks. Instead there seems
to be an echo chamber of "X system is so much more secure than Y system!" which
is really banal.

------
cromwellian
I wonder how many of these exploits are simply the result of the following
five factors:

o Windows
o Internet Explorer
o Java
o Flash
o Office

People can whine all they want about Chromebooks not running non-cloud stuff,
but IMHO diplomats, executives, et al. should be required to use locked-down
machines for communications, and training to educate people about opening
email links should be widespread.

I get emails all the time from my bank and credit card companies, but even if
I visually inspect the link targets, I don't trust them, I always type in the
location myself if it is a site that I know I'm going to enter important
credentials into.
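
The check cromwellian describes by hand (does the link really go where it
appears to?) can be automated. The following is an added example, not code from
the post or from any real mail client; the bank domain, the IP address and the
sample message are all constructed. It parses the HTML of a message, compares
the host named in the visible link text with the host the href actually resolves
to, and also catches the `user@host` trick, where everything before the `@` is
userinfo the browser ignores:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    # urlsplit only recognises the authority part when a scheme is present
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url):
    """Lowercase host a browser would actually connect to for this href."""
    return (_split(url).hostname or "").lower()


def displayed_host(text):
    """Host named by the visible link text, if that text looks like a URL or domain."""
    words = text.split()
    if not words:
        return None
    first = words[0].rstrip(".,;:")
    looks_like_url = "://" in first or ("." in first and "@" not in first)
    return real_host(first) if looks_like_url else None


def suspicious_links(html):
    """Return (visible text, real host, reasons) for every link a reader could misjudge."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = []
        actual = real_host(href)
        shown = displayed_host(text)
        if shown and shown != actual:
            reasons.append("visible text names %s but link goes to %s" % (shown, actual))
        if "@" in _split(href).netloc:
            reasons.append("userinfo before '@' hides the real host")
        if reasons:
            findings.append((text, actual, reasons))
    return findings


# Constructed sample message; bank.example and 198.51.100.7 are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please review your statement at
<a href="https://www.bank.example/login">https://www.bank.example/login</a>.</p>
<p>Or use the secure portal:
<a href="http://www.bank.example.secure-update.example/login">https://www.bank.example/login</a></p>
<p><a href="http://www.bank.example@198.51.100.7/">Sign in now</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for text, host, reasons in suspicious_links(SAMPLE_EMAIL):
        print("%-35r -> %s" % (text, host))
        for reason in reasons:
            print("    " + reason)
```

Only the second and third links are reported: the first and fourth go where
they say. Note what the check does not do: it cannot tell that
`www.bank.example.secure-update.example` is not the bank, only that it differs
from what the text shows, which is why typing the address yourself remains the
more robust habit.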

~~~
jiggy2011
You can get them all to stop using Java/flash/office etc but then the
attackers will just start to target whatever they switch to.

~~~
eslaught
If "whatever they switch to" is ChromeOS + web apps, then it's going to be
much more expensive to get past a Chrome sandbox than any of the current
exploitation favorites. Sure, it's not impossible, but at least making
exploitation more expensive will put the little guys out of business. And
Google has sufficient money to throw at Chrome security that it will become
more expensive over time, not less.

~~~
camus
Web apps are on servers that can be hacked. If Facebook or Twitter can be
hacked, so can Google Docs or any SaaS.

~~~
eslaught
Of course. But that's very different from hacking the user's own machine,
which effectively provides the hacker with access to everything the user does.
Hacking a single service means that you merely get access to that one service,
plus anything else where the user used the same password. And we already have
technologies which would make it so that hacking a service would only give
access to that one service, e.g. Mozilla Persona[1].

[1]: <https://www.mozilla.org/en-US/persona/>

~~~
kyllo
>plus anything else where the user used the same password

Assuming the service is storing unsalted password hashes that can be cracked
using a rainbow table, or (god forbid) plaintext passwords, right?

~~~
drivebyacct2
If I have compromised a server, it's pretty trivial to have login.php also
POST a copy of the raw user/pass to my server if I wanted.
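
The two points made by kyllo and drivebyacct2 above are worth seeing side by
side. This is an added example, not code from either commenter: it shows why a
dumped table of fast unsalted hashes falls to a precomputed lookup while salted
PBKDF2 hashes do not, and then why none of that helps once the attacker can edit
the login handler itself. The user names, passwords and the `ATTACKER_INBOX`
list standing in for the attacker's collection server are all constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # deliberately slow; tune upward on real hardware


def hash_unsalted(password):
    """Fast, unsalted digest: identical passwords always give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as 'salthex$hashhex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt; constant-time compare against the record."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


# Attacker side: a tiny stand-in for a rainbow table, built once and reused
# against every dump of unsalted hashes.
COMMON_PASSWORDS = ["123456", "password", "letmein", "hunter2", "qwerty"]
PRECOMPUTED = {hash_unsalted(p): p for p in COMMON_PASSWORDS}


def crack_dumped_table(user_table):
    """Recover passwords from a dump by lookup alone, no per-user guessing."""
    return {user: PRECOMPUTED.get(h) for user, h in user_table.items()}


# The compromised-server case: the attacker has write access to login code.
ATTACKER_INBOX = []  # constructed stand-in for the attacker's remote endpoint


def login_backdoored(username, password, user_table):
    """A login handler after an attacker has added one line to it."""
    # Raw credentials leave the server before any hashing happens, so the
    # strength of the stored hash is irrelevant for everyone who logs in.
    ATTACKER_INBOX.append((username, password))
    stored = user_table.get(username)
    return stored is not None and verify_salted(password, stored)


if __name__ == "__main__":
    unsalted = {"alice": hash_unsalted("hunter2"), "bob": hash_unsalted("n0t-in-the-list")}
    print("unsalted dump:", crack_dumped_table(unsalted))
    salted = {"alice": hash_salted("hunter2"), "carol": hash_salted("hunter2")}
    print("same password, different records:", salted["alice"] != salted["carol"])
    print("login ok:", login_backdoored("alice", "hunter2", salted))
    print("attacker now holds:", ATTACKER_INBOX)
```

The salt defeats the precomputed table because every user needs a fresh
computation per guess; the backdoored handler sidesteps the question entirely,
which is why password reuse across services matters regardless of how well any
one of them stores its hashes.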

------
fnordfnordfnord
This is not new. Government officials and corporate executives have always
been targets of espionage. That spies would disguise their attempts as common
spam/phishing is unremarkable; as is the notion that some ordinary hackers
might also preferentially target this class of people.

~~~
yalue
Exactly. The term the article should be using for it is "social engineering."
It would only take a minimal amount of research to create a legitimate-looking
email to a Coca-Cola executive or whoever. Emails claiming to contain coupons
for free sexual performance enhancers won't exactly work for most people, so a
little research isn't a stretch at all.

~~~
Jabbles
A well-worded email claiming to contain a PDF CV of an ambitious graduate
could easily be opened by a CTO.

Or "Check out my blog... (I specialise in JavaScript so please turn NoScript
off.)" The possibilities of social engineering are scary.

~~~
runejuhl
You might want to put a link to your blog somewhere.. :)

------
andreyf
It's 2013, and clicking on an evil link can still compromise your machine? I'd
say the failure is much larger than just the anti-virus industry.

~~~
btipling
A lot can happen when you click a link. You download content like images, run
plugins, open up third party apps (like iTunes or a chat client). You render
images, you can start the hardware accelerated canvas stuff. You're
downloading all of this content onto your computer and then your computer
processes it. It's not like you're using a remote viewer to view something not
on your computer. Going to a website is downloading files.

~~~
stephengillie
A lot of things _that I don't want to happen_ occur when I click on a link.
Cookies are sent to foreign servers without my knowledge or consent.
Advertisements are displayed. Audio can be played without my consent. Powerful
Flash and JavaScript plugins can run without my consent that can hijack my
browser and deny me the use of my computer until I restart it.

When I click on a link, I _want_ a remote text and image viewer. Sometimes
I'll allow certain sites like youtube to run flash, even automatically. This
computer is my tool, not someone else's, and in 2013 clicking on a link
shouldn't be a wildly uncontrolled and dangerous experience.

~~~
badgar
I'm sorry that the web isn't what you want it to be. Unfortunately for you,
the web never was what you want it to be.

Maybe switch to gopher?

~~~
stephengillie
The web is what it is. In theory, my processors would only run the code I want
them to -- not the selection of code, scripting, and plugins that any random
website may have. I work very hard to make that theory into reality.

------
arkitaip
So how do you protect yourself from these highly-targeted attacks?

How about running the browser in a sandbox that resets all changes on exit?
I've actually set up Firefox (hardened) + Sandboxie on Win7 but exactly how
good is this setup?

~~~
jgrahamc
Use a browser that's not on your machine.

See, for example, <https://www.authentic8.com>

~~~
sltkr
So to avoid leaking any private data to third parties, I should send all my
private data to a third party using a proprietary protocol?

------
malandrew
This is one of the reasons I'm pretty happy about the new execution model
being discussed by the W3C's System Applications Working Group. The move of
sensitive information from the desktop to the browser is leading to a
"sandbox" everything approach, which may not be safer, but should at least
mitigate the damage done. Nowadays if you compromise the machine of an
individual, you own everything they use and everything they do. With some sort
of sandboxing between tabs and between privileged user resources (contacts,
messages, email, calendaring), the amount of resources an attacker can control
is reduced. The problem on the desktop is that the default M.O. has always
been to trust the user entirely with respect to everything except machine
administrative (root) actions. With sandboxing and new security models around
the user's own data, the M.O. now becomes only trust the user within one area
of their life, but not between areas of their life (so a PDF document can't
affect their email without explicit user action).

Sandbox all the things.

~~~
hollerith
>This is one of the reasons I'm pretty happy about the new execution model
being discussed by the W3C's System Applications Working Group.

What would make me even happier is a way for me to _read_ the _writings_ of my
favorite authors without relying on many millions of lines of source code
(i.e., a "modern" browser) and the inevitable security holes in those millions
of lines.

~~~
malandrew
Well, Mozilla is starting afresh with its Servo browser engine based on its
Rust language. Given the design choices for Rust and Servo, I imagine that
it's going to be a lot more secure and stable than the current crop of browser
engines (WebKit, Gecko, Trident, etc.)

------
anonymousDan
Anyone come across Bromium before ( <http://www.bromium.com/> )? I think some
of the 'micro-virtualization' ideas they describe sound really interesting. I
believe it was founded by some of the people behind Xen.

------
danial
While this is interesting it shouldn't really be surprising. Whatever happens
in the real world is inevitable in the cyber (ugh, dislike that word) world.
Government and commercial espionage is fairly common and employs the use of
sophisticated infiltration, sabotage and subversion techniques; this is just
its parallel on the Internet.

------
lake_rogue
Don't you all know what this means? Someone gone and caught the big phish.

Bruce's site is hacked.

Clever self-referential hackers. We're all done for.

------
rwmj
I think many of these attacks could be prevented if we controlled outbound
connections more carefully.
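
What rwmj's suggestion looks like in practice is a deny-by-default egress
policy keyed on the originating process, so that the booby-trapped .docx from
the top of the thread can exploit Word all it likes but cannot call home. The
block below is an added example, not code from the comment or from any real
product: the process names, proxy address, corporate domain and the connection
log it is run over are all constructed. It evaluates each logged outbound
connection against an allow-list and reports the ones the policy forbids.

```python
import ipaddress
import re

PROXY = ("10.0.0.8", 3128)  # assumed corporate web proxy
CORP_DOMAIN = ".corp.example"  # assumed internal DNS suffix
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Deny by default: a process absent from this table gets no outbound connections.
# Office, PDF readers and the like are deliberately missing; a document has no
# business opening sockets to the Internet on its own.
EGRESS_POLICY = {
    "outlook.exe": {("mail.corp.example", 443)},
    "chrome.exe": {PROXY},
    "svchost.exe": {("wsus.corp.example", 8530)},
}

# Constructed connection log, one event per line: timestamp process dest:port
SAMPLE_LOG = """\
2013-03-12T09:14:01Z chrome.exe 10.0.0.8:3128
2013-03-12T09:14:02Z outlook.exe mail.corp.example:443
2013-03-12T09:16:40Z excel.exe 203.0.113.45:443
2013-03-12T09:16:41Z excel.exe 203.0.113.45:443
2013-03-12T09:20:05Z svchost.exe wsus.corp.example:8530
2013-03-12T09:22:17Z acrord32.exe 198.51.100.23:8080
2013-03-12T09:25:00Z chrome.exe 93.184.216.34:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)$")


def parse_event(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, dst, port = m.groups()
    return {"ts": ts, "proc": proc.lower(), "dst": dst.lower(), "port": int(port)}


def is_internal(dst):
    """True for destinations on internal networks or under the corporate domain."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return dst.endswith(CORP_DOMAIN)
    return any(addr in net for net in INTERNAL_NETS)


def violations(log_text):
    """Events the policy forbids, as (ts, process, dst, port, reason) tuples."""
    found = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        allowed = EGRESS_POLICY.get(ev["proc"])
        if allowed is None:
            reason = "process has no egress allowance"
        elif (ev["dst"], ev["port"]) in allowed:
            continue
        elif not is_internal(ev["dst"]):
            reason = "direct connection to external host, bypassing the proxy"
        else:
            reason = "internal destination not in allow-list"
        found.append((ev["ts"], ev["proc"], ev["dst"], ev["port"], reason))
    return found


if __name__ == "__main__":
    for ts, proc, dst, port, reason in violations(SAMPLE_LOG):
        print("%s %-12s %s:%d  %s" % (ts, proc, dst, port, reason))
```

The two excel.exe events and the acrord32.exe event are exactly the stage of
the attack that a strong sandbox or patched reader would otherwise have to stop;
the final chrome.exe event shows the same rule catching a browser that has been
pointed around the proxy. The same table can be enforced rather than merely
detected with any per-application host firewall, but the log-side check is what
tells you the policy is actually being hit.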

