Monday, November 4, 2013

Phishing Countermeasures Unleashed

In this article I have done my best to gather and explain all the possible ways in which phishing can be avoided, and I am going to explain phishing countermeasures in detail. As you know, phishing is a technical and psychological attack on human nature which makes the victim reveal his/her sensitive information to the attacker. For more information on phishing you may visit Wikipedia and search for the topic “Phishing”. Here I am going to provide all the possible countermeasures for phishing attacks.


INTRODUCTION

A phishing attack is a complex combination of technology and psychology. There are numerous ways in which people are fooled and conned into clicking on unsafe website links. Especially with the growth of the marketing industry, these types of attacks are on the rise. A 2007 case study shows that phishing attackers were collecting and purchasing Google AdWords in order to install RATs on victims’ systems. Through those, the attacker can click on a couple of ads and earn some money.

DIFFERENT PHISHING COUNTERMEASURES

1.    Auto Generate Domain Specific Password
Many researchers have developed mechanisms in which, when you enter your username and password, the password is transparently turned into a domain-specific password. The basic idea is to hash the password with a secret key together with the website’s domain name. The domain name is very important because it ties the derived password to that domain [1].

Even if the user uses the same password for every site in the world, this mechanism changes it per site, so it becomes really hard for the attacker to obtain the password: the derived password is unique and long, and hard to remember.

Advantages :
1.    Looks cool.
2.    Works fine on a theoretical basis.

Disadvantages :
1.    Practical implementation is quite difficult.
2.    Many banks use multiple domains and sub domains.
3.    Some site forces user to keep password with a combination of uppercase, lowercase and symbols.
4.    It’s a static solution: if the user travels from place to place without his/her laptop, this mechanism no longer helps. She/he has to carry the device everywhere.
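The following Python script is an added example, not code from this article or from the PwdHash project [1], of the domain-specific password idea together with disadvantages 2 and 3 above. It derives a site password with HMAC-SHA256 keyed by the master password over the site’s registrable domain, so a lookalike domain yields a different password while subdomains of one site share one. The two-label domain reduction, the 16-character length and the character-class policy are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import urlparse

# Character classes the derived password must contain (assumed policy,
# standing in for the site rules mentioned in disadvantage 3).
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")


def registrable_domain(url: str) -> str:
    """Reduce a URL to the domain the password is bound to.

    Assumption: keep only the last two DNS labels, so
    https://login.bank.example/path -> bank.example. That lets all
    subdomains of one site share a password (disadvantage 2), but is wrong
    for suffixes like co.uk; a real tool would use the Public Suffix List.
    """
    host = (urlparse(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from a master password and a URL.

    HMAC-SHA256 keyed with the master password over the domain name: a
    phishing domain gets a different password, and the master password
    cannot be recovered from a derived one that leaks.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    domain = registrable_domain(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    chars = list(base64.b64encode(digest).decode("ascii")[:length])
    # Policy enforcement: positions 0..3 are reserved, one per class, and each
    # is overwritten only when the untouched tail chars[4:] lacks that class.
    # Every class therefore ends up either in the tail or in its own slot.
    tail = chars[4:]
    for i, cls in enumerate(CLASSES):
        if not any(c in cls for c in tail):
            chars[i] = cls[digest[i] % len(cls)]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master password
    for site in ("https://www.bank.example/login",
                 "https://login.bank.example/",      # same site, other subdomain
                 "https://www.bank-example.test/"):  # lookalike domain
        print(site, "->", domain_password(master, site))
```

Running it prints the same derived password for the first two URLs and a different one for the lookalike domain; the third disadvantage (site password rules) is handled by the reserved-slot step, and the fourth (the user needs the tool with them) is exactly what the script cannot solve.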

2.    Specific Applications
Here I describe a scenario that used to happen back in the 80s. Many corporate banking systems kept a backup operating system on a portable device such as a CD, DVD or other portable medium, and that device contained its own piece of the operating system. Let’s suppose this is merely a matter of administration; but if the bank provides any kind of mobile or desktop application for using its banking service, that application can be a worthwhile target for attack. All the attacker needs to do is tell the victim: “Apply Our Latest Upgraded Application In Order To Secure Your Transactions”.

The best way to protect this mechanism is a low-cost SSL certificate. The protocol supports certificates for both servers and clients. To find more on this topic you may visit the link given in the references [2]. SSL has basically 2 main functions: first, to check the real identity of the certificate holder, and second, to encrypt the data passed between client and server. So if SSL is in place, there is much less chance that the phisher will get his/her victim. The server’s certificate identifies the website you are visiting through your browser. The client certificate is used for the verification and authentication process. After that, the data transfer begins.

Advantages :
1.    It is not end-to-end security.
2.    It is not a bulletproof secure mechanism.

Disadvantages :
1.    The process of certificate management is tedious to handle.
2.    Researchers have implemented JavaScript which can fool browser applications.
3.    Malware can steal the certificate information.
4.    In the very worst case, the phisher may manage to convince his/her victim that “Your certificate has expired, so send it back to us for secure destruction”.

3.    Web Browser’s PWD Database
In this mechanism, random passwords are generated and stored in the browser. It has more advantages than the first method of hashing passwords. It is more “secure”, as the browser will only give the credentials to exactly the right URL. So for instance, if I saved a password for my website www.chintangurjar.com, the browser will only pass these credentials when that URL appears. If there is even a small change in the URL, it won’t pass the credentials. Firefox can store passwords encrypted, but this feature is not on by default, so many people don’t even use it.

Advantages :
1.    Easy to implement and uniqueness is there to use.
2.    No specialized or purchased software requirement is needed.

Disadvantages :
1.    It doesn’t work fully with subdomains. If I have saved a password for www.chintangurjar.com and then want to log in through subdomain.chintangurjar.com, it won’t pass the credentials for that URL.
2.    Even here, the passwords are stored in plain text, so there is always the fear of the passwords being stolen via malware, a RAT or other suspicious activity.

4.    Virtual Keyboards
This mechanism was the favourite mechanism of organizations and individuals back in the 90s. Rather than using a traditional hardware keyboard, people used a virtual keyboard which appears on the screen.


People as well as some banking organizations assumed that attackers wouldn’t be able to capture their keyboard activity. This mechanism has been defeated by attackers: nowadays they have the means to capture the screen as well as the virtual keyboard.

5.    Educating Your People
Many organizations conduct seminars and workshops on ethical hacking and internet security in order to educate their employees. This can be a quality step towards security awareness, though many employees do not take it seriously and do not follow the instructions given at the workshop/seminar. Those employees can be a potential target of attackers/phishers.

There are some scenarios to think about when educating your employees. Logical awareness has to be built. Firstly, employees were given instructions to check the English. In response, the bad guys started writing professional English, so that the phishing page is more than 95% identical to the original website. Thus victims got exploited. Then phishers started to use the lock symbol, keeping in mind that even a clever employee/person who knows about SSL can be trapped.

Phishers did this by forging the lock with graphics: they put lock icons in the URL bar (as a favicon) and on the web pages. Thus people got exploited. Banks started quoting the last four digits of the credit card or other account details in their messages; in response, attackers started quoting the first four digits, which are constant for the cards issued by a given bank and vary only from area to area. Thus again people got exploited.

Mitigations : Logical awareness has to be raised. Customers have to think for themselves: is this legal and legitimate, or fake? Once this awareness arises in them automatically, there won’t be any need for workshops or seminars on ethical hacking awareness.

6.    Phishing Scam Alert Add-ons/Extensions
Many organizations have built browser toolbars which use a variety of problem-discovery methods to check URLs and tell whether a URL is fake or not. Microsoft also built this feature into Internet Explorer 7. The concept is as follows: if the browser visits a known fake/phishing URL, the toolbar turns red; if the site is merely suspected of phishing, it turns yellow. Nowadays websites use “extended validation”, a new type of certificate which is sold only after the buyer’s credentials have been checked very carefully. So if the browser toolbar finds such a website, it turns green.

The first mechanism has already been broken by researchers, as presented in the research paper linked in the references [8]. It is a very unconventional and unusual semi-technical method for breaking into the victim’s mind, the “picture-in-picture” method: the phisher displays a picture of a browser window with a green toolbar so that the user thinks it is safe to visit, and thus she/he gets exploited.


As you can clearly see, the malicious URL is not the https://www.paypal.com/uk... shown inside the inner window but the one in the outer window. The attacker also puts in the favicon and the site logo, which “prove” the legitimacy of his work. Thus people think that this is the real page, log into the website and their credentials get compromised. The second scenario, extended validation, can be broken by URL manipulation. The attacker registers an almost identical URL, buys their own certificate and installs it on their server. Now the URL of the phishing site and the original site are almost identical, like below:

        Original Site: www.chintanwov.com
        Phishing Site: www.chintanvvov.com

As you can see from both URLs, the first URL has “wov” and in the second the attacker has put something like “vvov”, so that “vv” looks like “w” and the client thinks it’s a genuine website and logs into it. Thus their credentials get stolen and they get exploited. These types of phishing sites are called “dodgy sites”.
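Spotting the “vv” for “w” trick above is the kind of check a mail gateway or a browser extension can do on the defender’s side. The Python below is an added example, not code from this article or from any toolbar product: it collapses each hostname to a visual skeleton using a small constructed confusables table, compares the skeleton against a constructed allow-list of known-good domains (www.chintanwov.com and www.paypal.com are used as sample values), and falls back to a similarity ratio for near-misses such as a dropped character.

```python
import difflib
import re

# Character sequences that look nearly identical in common fonts (constructed
# for this example; a real checker would use the Unicode confusables data).
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "|": "l"}

# Constructed allow-list of domains we expect to see in legitimate mail.
KNOWN_DOMAINS = ("www.chintanwov.com", "www.paypal.com")


def skeleton(host: str) -> str:
    """Collapse a hostname to its visual skeleton; longest patterns first."""
    h = host.lower()
    for pattern in sorted(CONFUSABLES, key=len, reverse=True):
        h = h.replace(pattern, CONFUSABLES[pattern])
    return h


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the known domain that `host` imitates, or None.

    None means the host is either exactly a known domain or unrelated to all
    of them; an exact known domain is never reported as a lookalike.
    """
    host = host.lower().rstrip(".")
    if host in known:
        return None
    by_skeleton = {skeleton(k): k for k in known}
    sk = skeleton(host)
    if sk in by_skeleton:
        return by_skeleton[sk]
    # Near-miss fallback (e.g. a dropped or extra character): similarity
    # ratio of at least 0.9 against a known skeleton.
    close = difflib.get_close_matches(sk, list(by_skeleton), n=1, cutoff=0.9)
    return by_skeleton[close[0]] if close else None


def scan_message(text: str):
    """Return (host, imitated_domain) pairs for every lookalike link in a message."""
    hits = []
    for host in re.findall(r"https?://([^/\s]+)", text):
        target = lookalike_of(host)
        if target is not None:
            hits.append((host, target))
    return hits


if __name__ == "__main__":
    sample = ("Please verify at https://www.chintanvvov.com/login ; "
              "the genuine site is https://www.chintanwov.com/")  # constructed mail body
    print(scan_message(sample))
```

The skeleton step catches exactly the substitution described in the text; the ratio fallback is a heuristic and will also flag legitimate sibling domains (a “.co” beside a “.com”), so in practice hits go to a review queue rather than being blocked outright.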

7.    2FA – Two Factor Authentication
Two-factor authentication is also known as 2FA, and also as 2-step verification. It is a form of multi-factor authentication in which not only a username and password are required, but additionally some piece of information which only the user has. That piece of information is known as a physical token. Using traditional credentials along with the physical token makes it much harder for a phisher to exploit his/her victim.

The concept of 2-factor authentication is explained in the picture below. Let’s suppose you are going to access a VPN website. (1) First, authentication is done via traditional credentials such as username and password; this is called primary authentication. (2) Then the domain controller contacts the user’s mobile or another device (a mobile being the standard device all users carry) and sends a token code or an automated call to his/her cell. (3) Then it checks for the right identity. (4) If the credentials are verified, the user is authorized to access the VPN, as shown in the picture below.


In the UK, some banks are using 2-factor authentication, but not in this traditional mobile-token way. They have given password calculators to their users, which have multiple functions such as generating a real-time security code to log into the customer’s account and even to make a transaction.
Let’s take a real-life scenario from the UK. One of the top banks, Barclays, uses a small device called PINsentry. Each device is registered with a unique card that is given to the customer. The device looks like the picture below.


Now if you want to log into your online Barclays account you need to give your basic details such as last name and card number. Once you click on login it will ask you for the security code. Now you need to verify your identity by inserting your card into the PINsentry and selecting identify. Enter your card’s secret PIN and it will generate a random number. Once you type that number on the website it will let you log in. Now if a phisher stole this device and put his own card into it, it would show the message in the picture below.


If a customer wants to make a payment, it will also ask for a security code which you have to get from this device. Not only that, but it will also tell you to input the exact amount of money which you already entered on the website. If both figures match, you will be allowed to make the transaction.
This is how two-factor authentication works. No doubt it’s very effective and promisingly secure. However, going through all these steps just to log in is a tedious, time-consuming method from the customer’s point of view.
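What makes the device-based flow above resist phishing is that each code is single-use and, for a payment, bound to the amount the customer typed into the device. The Python below is an added example of that idea, not Barclays’ actual algorithm, which is not reproduced here: a device-side function derives an 8-digit code from a shared secret, a counter and, optionally, the amount, and a server-side verifier rejects replayed codes and codes generated for a different amount. The secret, the counter window and the amounts are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Optional


def one_time_code(secret: bytes, counter: int,
                  amount_pence: Optional[int] = None, digits: int = 8) -> str:
    """Device side: an HMAC-based one-time code with HOTP-style truncation.

    The counter makes each code single-use; including the amount binds a
    payment code to the exact sum the customer typed into the device.
    """
    msg = struct.pack(">Q", counter)
    if amount_pence is not None:
        msg += b"PAY" + struct.pack(">Q", amount_pence)  # domain separation
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: state for one registered device (constructed example)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = 0  # highest counter value already accepted

    def verify(self, code: str, amount_pence: Optional[int] = None) -> bool:
        """Accept `code` only if it is fresh and was made for this amount."""
        # Only counters above the last accepted one are tried, so a code
        # captured by a phisher cannot be replayed; and the expected code is
        # derived from the amount the server is about to move, so a code
        # obtained for one payment does not authorise a different one.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = one_time_code(self.secret, c, amount_pence)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-device-secret-0001"
    bank = BankVerifier(secret)
    login = one_time_code(secret, 1)
    print("login:", bank.verify(login), "replay:", bank.verify(login))
    pay = one_time_code(secret, 2, amount_pence=12500)  # customer typed 125.00
    print("wrong amount:", bank.verify(pay, 99900),
          "right amount:", bank.verify(pay, 12500))
```

The amount check is the part that matters against a phishing page that asks the customer to “confirm” a code: a code the victim generated for one sum is useless for any other transfer, and once accepted it cannot be used again.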

8.    TPM Chip – Trusted Computing Mechanism
This mechanism is built on TPM chips, known as the “Trusted Platform Module”. If two computers do regular transactions, this chip is physically placed on the motherboard to tie them both together.


As you can see from the diagram, this whole mechanism can be implemented on a single chip. However, this mechanism has a portability/roaming problem: roaming cannot be done easily with these devices.


This chip is placed on an endpoint device and stores RSA keys. It generates an RSA key pair which is saved within the chip and cannot be accessed by any software. Then the SRK (Storage Root Key) is generated only when the system administrator accesses the computer. There is a second key known as the AIK (Attestation Identity Key), which protects the chip from unauthorized access. Hashes are created; if the system wants to connect to the network or another end device, it passes the hashes and they get verified by the network or the other end device. If the match fails, access is denied. This is how it gives complete bulletproof security against phishing.
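The hash-passing step above can be illustrated with a measured-boot simulation. The Python below is an added example, not the article’s or any TPM vendor’s code: it extends a simulated PCR with the hash of each boot component in order, and an attestation check compares the final value to a golden value recorded for the trusted configuration, so any altered or reordered component is refused. The component names and the all-zero initial register are constructed; signing the quoted value with the AIK is omitted.

```python
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # assumed: the simulated register starts at all zeros

# Constructed boot chain: these byte strings stand in for the firmware,
# bootloader and kernel images that a measured boot would hash.
TRUSTED_CHAIN = (b"firmware image v1", b"bootloader image v1", b"kernel image v1")


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component)).

    The register can only be extended, never set directly, so the final
    value depends on every component and on the order they were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure each component in order into a single simulated PCR."""
    pcr = PCR_INITIAL
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


def attest(quoted_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: grant access only if the quoted PCR equals the golden value."""
    return hmac.compare_digest(quoted_pcr, golden_pcr)


if __name__ == "__main__":
    golden = measure_chain(TRUSTED_CHAIN)  # recorded once for the trusted build
    tampered = (b"firmware image v1", b"bootloader image EVIL", b"kernel image v1")
    print("trusted machine:", attest(measure_chain(TRUSTED_CHAIN), golden))
    print("tampered machine:", attest(measure_chain(tampered), golden))
```

The point the simulation makes is that the verifier never inspects the components themselves; it only compares one chained hash, which a machine running altered software cannot reproduce without the matching component bytes in the matching order.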

9.    Encrypted Key Exchange Process – Prevent Dictionary Attacks
Many researchers have come up with research on authentication protocols. They implemented a series of protocols for encrypted key exchange, in which the key is generated by combining the shared password, and this takes place in such a way that the phisher (the man in the middle) can’t guess it. Those protocols were awkward to implement and use, and too time consuming as well.

THE FUTURE OF PHISHING

1.    Pick an alternative
It has happened in the past. We have one instructive case study from salesforce.com back in November 2007 [18]. In this case the attacker got the password from one of the staff members. After that, customers started getting fake bills and invoices. It leads us to the point that if it’s hard to get at the website or organization, the next step is to attack their suppliers.

2.    Attackers are becoming smarter and cleverer
Research conducted by various people shows that over time phishing attacks via email have grown in skill. Phishers are getting smarter and cleverer as they use social media. They know whom to target, which are the weak links, what those people are lacking and how to set up a trap for them. On this basis I can make a small joke: future attackers will not call your cell saying, “I am Mr. Xyz from this bank, kindly give me your details.” They will present themselves by forging email from the real bank’s email address.

3.     Impact of marketing industry
The marketing industry is getting more and more people to click on its links. Let’s suppose that among 100 advertisements, a phisher puts his phishing site, paying genuinely in the marketing industry to get more and more victims to click on it. Now you can imagine there are millions and billions of internet users on the earth, and you are clever enough to calculate the probability of users who are going to click on dodgy websites.

CONCLUSION
It’s hard and very dangerous to predict the future of phishing, as it’s an open sky; there is no limit to what can be thought of. Rather than only using technical terms when describing future phishing, it is always better to describe it in non-technical (general) terms as well, so that everyone can understand it.

REFERENCES
1. http://crypto.stanford.edu/PwdHash/
2. https://www.globalsign.co.uk/ssl-information-center/what-is-an-ssl-certificate.html
3. http://en.wikipedia.org/wiki/Custom_software
4. http://www.bespokesoftwaredevelopmentltd.co.uk/what-is-bespoke-software.asp
5. http://www.cs.ucdavis.edu/~rogaway/ocb/gcm.pdf
6. https://lh5.googleusercontent.com/7cVNJ8EhQcXl3I8fk7YASmLdcHiup9Kn4XQPdQmsicl-sRXmIZSqOB5mmHyjMg_ajm-ImvFudJo=s640-h400-e365
7. http://sunithaemblix.files.wordpress.com/2013/08/virtual-bluetooth-keyboard1.jpg
8. http://www.usablesecurity.org/papers/jackson.pdf
9. https://www.clerkendweller.com/posts/2009/picture-in-picture-1.png
10. https://cdn.clickatell.com/wp-content/uploads/2013/07/Courtesy_of_upgrade.onlinetech.com.png
11. http://farm3.staticflickr.com/2337/2248084983_b02bf93557.jpg
12. http://www.barclays.co.uk/cs/Satellite?blobcol=urldata&blobkey=id&blobtable=MungoBlobs&blobwhere=1260087396572&ssbinary=true
13. http://www.barclays.co.uk/Helpsupport/HowtousePINsentry/P1242560253457#usepinsentry
14. http://upload.wikimedia.org/wikipedia/commons/e/ee/Barclays_Pinsentry_5920.jpg
15. http://upload.wikimedia.org/wikipedia/commons/thumb/0/0b/TPM_english.svg/580px-TPM_english.svg.png
16. http://www.tabletpcreview.com/assets/1876.jpg
17. http://www.pcworld.com/article/137057/article.html
18. http://www.bmj.com/content/321/7261/612.full

