"What would work even against an infosec guy? Linkedin invites."
April 6, 2014 8:23 AM Subscribe
I assume that by reading the linked article, my router has now been hacked. Wonderful.
posted by beelzbubba at 8:45 AM on April 6, 2014 [10 favorites]
posted by beelzbubba at 8:45 AM on April 6, 2014 [10 favorites]
This is a nice example of why never to click links that are in email. If your bank or LinkedIn or whatever sends you something via email, you should be able to retrieve that same information by going to their webpage and logging in. This "don't click email links" policy is especially true if you have an adversary who is motivated enough to write custom Metasploit modules targeting your specific type of router.
posted by antonymous at 8:51 AM on April 6, 2014 [13 favorites]
posted by antonymous at 8:51 AM on April 6, 2014 [13 favorites]
At the end of the story the router dies and the infosec guy goes back to his AOL install CD-ROM.
posted by skammer at 8:53 AM on April 6, 2014 [7 favorites]
posted by skammer at 8:53 AM on April 6, 2014 [7 favorites]
So now just clicking to check the profile of the invite is enough? Bloody wonderful.
Clicking any link in an email has always been an attack vector. Spoofing a Linkedin email was just an easy way to get the victim to click one.,
posted by bitdamaged at 8:56 AM on April 6, 2014
Clicking any link in an email has always been an attack vector. Spoofing a Linkedin email was just an easy way to get the victim to click one.,
posted by bitdamaged at 8:56 AM on April 6, 2014
I read that one last weekend. Not bad.
What it fundamentally became, though, is a case of social engineering in order to carry out the targeted exploit.
There was lots of vulnerability scanning in order to profile the target, but he still couldn't compromise the DNS until you trick the user into going to a maliciously-designed site. That's one reason why I never click links from emails; if I want to check LinkedIn, I will go to the site manually, on my up-to-date browser with specific add-ons like HTTPS-Everywhere.
Then, of course, came the waiting game for him to download and install a payload that could be compromised, in this case N++. I can only imagine how many fake sites he had to set up, pointed to by his fake DNS, in order to have a good chance that one of them would be updated in a reasonable time. Another reason to manually check hashes/signatures on software and why software should always be signed (not just a digest, as that can be faked easier).
Bottom line, a reasonably sophisticated individual could use this attack against most individuals (security professional or not), but it's a complex process, combined with social engineering luck and plenty of waiting, that makes it tough to scale up. I'm sure the NSA's TAO group uses techniques like this all the time, but there's very little chance of it happening to any given person from just random hackers...
posted by mystyk at 8:59 AM on April 6, 2014 [3 favorites]
What it fundamentally became, though, is a case of social engineering in order to carry out the targeted exploit.
There was lots of vulnerability scanning in order to profile the target, but he still couldn't compromise the DNS until you trick the user into going to a maliciously-designed site. That's one reason why I never click links from emails; if I want to check LinkedIn, I will go to the site manually, on my up-to-date browser with specific add-ons like HTTPS-Everywhere.
Then, of course, came the waiting game for him to download and install a payload that could be compromised, in this case N++. I can only imagine how many fake sites he had to set up, pointed to by his fake DNS, in order to have a good chance that one of them would be updated in a reasonable time. Another reason to manually check hashes/signatures on software and why software should always be signed (not just a digest, as that can be faked easier).
Bottom line, a reasonably sophisticated individual could use this attack against most individuals (security professional or not), but it's a complex process, combined with social engineering luck and plenty of waiting, that makes it tough to scale up. I'm sure the NSA's TAO group uses techniques like this all the time, but there's very little chance of it happening to any given person from just random hackers...
posted by mystyk at 8:59 AM on April 6, 2014 [3 favorites]
JESUS WHY THE HELL DO I STILL HAVE JAVA AND FLASH INSTALLED AND WHY ARENT I USING SANDBOXIE FOR EVERYTHING
posted by Foci for Analysis at 9:08 AM on April 6, 2014 [8 favorites]
posted by Foci for Analysis at 9:08 AM on April 6, 2014 [8 favorites]
NSA's TAO group doesn't need to use social engineering to get into a man-in-the-middle position, because they already have control over some of the backbone routers that your traffic has to go through. So all they'd need to do is wait for you to download any executable over a non-SSL connection.
posted by destrius at 9:10 AM on April 6, 2014 [3 favorites]
posted by destrius at 9:10 AM on April 6, 2014 [3 favorites]
I do all my computing on abacus and a custom-built analytical engine powered by a small army of street urchins. I do have occasional virus problems, but they don't affect the data, and there are always orphans hanging around the stews eager for any sort of work. There are also exploits, obviously, but I merely adjust my monocle and soldier on.
posted by GenjiandProust at 9:11 AM on April 6, 2014 [28 favorites]
posted by GenjiandProust at 9:11 AM on April 6, 2014 [28 favorites]
I wouldn't dismiss social engineering; it's a key arrow in the quiver of the serious attacker. For instance, if you got an email at work that appeared to be from your boss and it contained an attachment which appeared to be a PDF, would you open it? Most people would. But it turns out that the email wasn't actually from your boss, and the PDF makes use of an exploit against Acrobat to do something nasty to your computer.
This isn't hypothetical; we've been shown examples of it at work in "anti-phishing training". For specific targets, attackers use information from public and semi-public places like LinkedIn to build a picture of the organizational structure around their target, and then use that information to craft email that's intended to slip under the suspicion radar of the victim.
posted by Slothrup at 9:12 AM on April 6, 2014 [5 favorites]
This isn't hypothetical; we've been shown examples of it at work in "anti-phishing training". For specific targets, attackers use information from public and semi-public places like LinkedIn to build a picture of the organizational structure around their target, and then use that information to craft email that's intended to slip under the suspicion radar of the victim.
posted by Slothrup at 9:12 AM on April 6, 2014 [5 favorites]
SPY SAPPIN' MAH ROUTER
posted by LogicalDash at 9:21 AM on April 6, 2014 [11 favorites]
posted by LogicalDash at 9:21 AM on April 6, 2014 [11 favorites]
So all they'd need to do is wait for you to download any executable over a non-SSL connection.
NSA etc.. can do man-in-the-middle over SSL as well. But there is a way to detect it using "fingerprinting".
posted by stbalbach at 9:35 AM on April 6, 2014 [1 favorite]
NSA etc.. can do man-in-the-middle over SSL as well. But there is a way to detect it using "fingerprinting".
posted by stbalbach at 9:35 AM on April 6, 2014 [1 favorite]
So all they'd need to do is wait for you to download any executable over a non-SSL connection.
Many people seem to falsely assume SSL is bullet proof when it comes to man in the middle attacks, as evidenced in this argument I had in the green, that I am still angry about 7+ years later.
posted by ill3 at 9:50 AM on April 6, 2014 [6 favorites]
Many people seem to falsely assume SSL is bullet proof when it comes to man in the middle attacks, as evidenced in this argument I had in the green, that I am still angry about 7+ years later.
posted by ill3 at 9:50 AM on April 6, 2014 [6 favorites]
This was very good.
posted by kiltedtaco at 9:56 AM on April 6, 2014
posted by kiltedtaco at 9:56 AM on April 6, 2014
People who click on LinkedIn links, real or spoofed, are already compromised in a much more serious and fundamental way than this exploit.
posted by srboisvert at 10:13 AM on April 6, 2014 [29 favorites]
posted by srboisvert at 10:13 AM on April 6, 2014 [29 favorites]
Yes hello, random people can be targeted by competent hackers. Is the concern about clicking a link in an email message, or merely opening the email itself? What are the best solutions to beating targeted attacks, short of becoming a computer engineer, never reading email, or becoming a Luddite and moving to the woods with no wi-fi?
posted by quiet earth at 10:19 AM on April 6, 2014 [2 favorites]
posted by quiet earth at 10:19 AM on April 6, 2014 [2 favorites]
How was he compromised by visitong the (fake?) LinkedIn?
posted by Joe in Australia at 11:22 AM on April 6, 2014
posted by Joe in Australia at 11:22 AM on April 6, 2014
There isn't really any more technical danger in clicking an email link than there is in clicking any other link, its just that the email links are more likely to have been crafted by very clever and sneaky ne'er-do-wells.
"Never click a link in an email" isn't terrible advice, but it's essentially taking advantage of the wisdom of crowds. Dangerous links on the wild internet tend to get noticed and removed. But in your inbox, you are the whole crowd.
The danger of email links is really a matter of your own failings, your own inability to be perfectly vigilant and skeptical and expert at all times. That's true about all of us, we're safer in the herd.
Don't click on links in emails moo.
posted by Western Infidels at 11:40 AM on April 6, 2014 [1 favorite]
"Never click a link in an email" isn't terrible advice, but it's essentially taking advantage of the wisdom of crowds. Dangerous links on the wild internet tend to get noticed and removed. But in your inbox, you are the whole crowd.
The danger of email links is really a matter of your own failings, your own inability to be perfectly vigilant and skeptical and expert at all times. That's true about all of us, we're safer in the herd.
Don't click on links in emails moo.
posted by Western Infidels at 11:40 AM on April 6, 2014 [1 favorite]
Any practical take-aways for the computer semi-literate?
My uh...friend didn't really understand all that...
posted by Fists O'Fury at 11:40 AM on April 6, 2014 [1 favorite]
My uh...friend didn't really understand all that...
posted by Fists O'Fury at 11:40 AM on April 6, 2014 [1 favorite]
Why is an infosec guy using a consumer router with the vendor's firmware, "latest version" or not? Why does he have UPnP enabled?
posted by George_Spiggott at 11:42 AM on April 6, 2014 [2 favorites]
posted by George_Spiggott at 11:42 AM on April 6, 2014 [2 favorites]
How was he compromised by visitong the (fake?) LinkedIn?
It's complicated and I'm not sure I understand all of the steps, but it appears to have gone something like this:
The hacker figured out which router his victim was using. That router had a bug in its admin software that could be exploited by a web request, but it had to come from a device connected to the router (either via wifi or cable).
When he visited the fake site, there was a bit of javascript that caused his computer (which was connected to the router) to make a cross-site request to the router, giving the hacker control of the router.
Once the hacker had control of the router and DNS, any download not over SSL could be replaced with a trojan horse.
posted by justkevin at 11:51 AM on April 6, 2014 [1 favorite]
It's complicated and I'm not sure I understand all of the steps, but it appears to have gone something like this:
The hacker figured out which router his victim was using. That router had a bug in its admin software that could be exploited by a web request, but it had to come from a device connected to the router (either via wifi or cable).
When he visited the fake site, there was a bit of javascript that caused his computer (which was connected to the router) to make a cross-site request to the router, giving the hacker control of the router.
Once the hacker had control of the router and DNS, any download not over SSL could be replaced with a trojan horse.
posted by justkevin at 11:51 AM on April 6, 2014 [1 favorite]
Say, this maltego thing sounds interes-
"Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux."
ಠ_ಠ
posted by tiaz at 11:52 AM on April 6, 2014 [4 favorites]
"Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux."
ಠ_ಠ
posted by tiaz at 11:52 AM on April 6, 2014 [4 favorites]
Why is an infosec guy using a consumer router with the vendor's firmware, "latest version" or not? Why does he have UPnP enabled?
I don't think the point is that this guy was using what everyone else has. I think the point is that using what everyone else has makes you vulnerable.
But yes, at some point, even "an infosec guy" has to make a determination between customization/security and convenience/cost (counting personal time investment). In this case, he also invested in a case of beer so that he would know what making that determination introduced in terms of vulnerability.
posted by dhartung at 11:56 AM on April 6, 2014 [3 favorites]
I don't think the point is that this guy was using what everyone else has. I think the point is that using what everyone else has makes you vulnerable.
But yes, at some point, even "an infosec guy" has to make a determination between customization/security and convenience/cost (counting personal time investment). In this case, he also invested in a case of beer so that he would know what making that determination introduced in terms of vulnerability.
posted by dhartung at 11:56 AM on April 6, 2014 [3 favorites]
I don't think the point is that this guy was using what everyone else has. I think the point is that using what everyone else has makes you vulnerable.
But yes, at some point, even "an infosec guy" has to make a determination between customization/security and convenience/cost (counting personal time investment). In this case, he also invested in a case of beer so that he would know what making that determination introduced in terms of vulnerability.
You're reading something into it not present in the article. It doesn't say much about Bill's assumptions or willingness to harden his network, only that he requested the attack.
Turning off UPnP is trivial; it's really not a trade-off for ease and convenience unless you're really irrationally lazy. If you're into gaming or whatever you can manually open the requisite ports whenever you like. Or even do it once and leave them open; that'd still be vastly more secure than leaving UPnP turned on.
Installing well-validated and maintained third-party firmware is something even people who don't work in infosec do all the time. Apart from security it tends to be a lot more powerful, useful and stable.
But for those who aren't clear on it I'll just say this: anyone in infosec knows that the entire purpose of UPnP on a router is to allow any program inside your network, without any authentication, to open a hole in your firewall and allow bidirectional communication between any computer and the outside world. You would expect him to have this turned off. (Also, vendor router firmware is shit. Order one that's supported by a proven third-party firmware that is subject to constant FOSS community validation, and install one of them.)
posted by George_Spiggott at 12:12 PM on April 6, 2014 [1 favorite]
But yes, at some point, even "an infosec guy" has to make a determination between customization/security and convenience/cost (counting personal time investment). In this case, he also invested in a case of beer so that he would know what making that determination introduced in terms of vulnerability.
You're reading something into it not present in the article. It doesn't say much about Bill's assumptions or willingness to harden his network, only that he requested the attack.
Turning off UPnP is trivial; it's really not a trade-off for ease and convenience unless you're really irrationally lazy. If you're into gaming or whatever you can manually open the requisite ports whenever you like. Or even do it once and leave them open; that'd still be vastly more secure than leaving UPnP turned on.
Installing well-validated and maintained third-party firmware is something even people who don't work in infosec do all the time. Apart from security it tends to be a lot more powerful, useful and stable.
But for those who aren't clear on it I'll just say this: anyone in infosec knows that the entire purpose of UPnP on a router is to allow any program inside your network, without any authentication, to open a hole in your firewall and allow bidirectional communication between any computer and the outside world. You would expect him to have this turned off. (Also, vendor router firmware is shit. Order one that's supported by a proven third-party firmware that is subject to constant FOSS community validation, and install one of them.)
posted by George_Spiggott at 12:12 PM on April 6, 2014 [1 favorite]
Why is an infosec guy using a consumer router with the vendor's firmware, "latest version" or not? Why does he have UPnP enabled?
The cobbler's children go shoeless. En casa de herrero, cuchillo de palo.
posted by murphy slaw at 12:23 PM on April 6, 2014
The cobbler's children go shoeless. En casa de herrero, cuchillo de palo.
posted by murphy slaw at 12:23 PM on April 6, 2014
I don't understand how the links in the fake LinkedIn e-mail could show that they are actual links to that domain? You can only fake how the link looks in the actual e-mail, right? There still needs to be an actual fake url which you can easily see by, like, hovering your cursor over it? Or am I completely not getting that step?
posted by Pyrogenesis at 12:30 PM on April 6, 2014
posted by Pyrogenesis at 12:30 PM on April 6, 2014
Even genuine links in email can go through some weird third-party service with an unrecognized domain for tracking and marketing purposes. My bank does that; it annoys the crap out of me. I never click them and I've written to them several times to complain.
posted by George_Spiggott at 12:33 PM on April 6, 2014
posted by George_Spiggott at 12:33 PM on April 6, 2014
Also depending on how crappy and javascript-addled the email reader is, it's possible in certain conditions to even fake the mouseover popup.
posted by ceribus peribus at 12:36 PM on April 6, 2014
posted by ceribus peribus at 12:36 PM on April 6, 2014
I don't understand how the links in the fake LinkedIn e-mail could show that they are actual links to that domain? You can only fake how the link looks in the actual e-mail, right? There still needs to be an actual fake url which you can easily see by, like, hovering your cursor over it? Or am I completely not getting that step?
<a href="http://www.metafilter.com" onclick="do_evil_including_change_this_link_desination()">
BTW every google search results page does this. Mouse over the link and you'll see the destination. Click it or copy the actual url and you'll be routed through a google url before hitting the destination.
posted by bitdamaged at 12:37 PM on April 6, 2014 [1 favorite]
<a href="http://www.metafilter.com" onclick="do_evil_including_change_this_link_desination()">
BTW every google search results page does this. Mouse over the link and you'll see the destination. Click it or copy the actual url and you'll be routed through a google url before hitting the destination.
posted by bitdamaged at 12:37 PM on April 6, 2014 [1 favorite]
BTW every google search results page does this. Mouse over the link and you'll see the destination. Click it or copy the actual url and you'll be routed through a google url before hitting the destination.
Actually, Javascript onclick won't work in any email client, so that's not how it is done.
However, there are a bunch of ways to fake out a url in an email. A ton. Here is one of the ones we used to see for phishing attacks, that I kinda like :
http://www.linkedin.com@918162721
That looks like linkedin.com and maybe some id number to indicate who is actually clicking it. That URL actually goes to Metafilter. In fact, that number is Metafilter's IP address converted to an integer. The @ sign is used to specify usernames in URLs. So what this is actually saying is go to the IP address that is at 918162721 (or 54.186.13.33 if you were to break into bytes) and make my username "www.linkedin.com".
Safari now will warn you about this link as a possible phishing attack, Chrome does not.
Anyway, then he gets him to go his fake website, where is fake website using a Cross site attack to change the settings on his router through the web interface.
posted by ill3 at 12:47 PM on April 6, 2014 [25 favorites]
A few years ago I got compromised because I run a backup email server at home and I'd gone a few months without patching it. I was able to reconstruct what happened mainly because, on a file server, there's really no reason to delete logs for a low-volume service, you're just not going to lose much space and, as in this case, keeping logs forever actually comes in handy.
What happened is some bot used a (by then) known SMTP buffer overrun execution exploit, one for which a patch already existed and I would have had if I had maintained it properly. The exploit then hit the web to get the real payload: a fake HTTP daemon that mostly sat there quietly but would periodically check in with an IRC server to get its marching orders. I only noticed because the process called itself "httpd", and that's not what my real internal web server is called. But it would have been quite easy for the process to hide itself a lot better than that; I was actually lucky that it was such a stupid and crude implementation.
Lesson learned -- apart from the obvious "keep your system patched": firewall your servers properly. If you don't use it as a desktop then it doesn't need be able to hit arbitrary sites using arbitrary protocols at arbitrary times. Exploits are usually only a few bytes of code: they have to bootstrap themselves into real malware functionailty by fetching the main payload from somewhere.
posted by George_Spiggott at 12:54 PM on April 6, 2014 [2 favorites]
What happened is some bot used a (by then) known SMTP buffer overrun execution exploit, one for which a patch already existed and I would have had if I had maintained it properly. The exploit then hit the web to get the real payload: a fake HTTP daemon that mostly sat there quietly but would periodically check in with an IRC server to get its marching orders. I only noticed because the process called itself "httpd", and that's not what my real internal web server is called. But it would have been quite easy for the process to hide itself a lot better than that; I was actually lucky that it was such a stupid and crude implementation.
Lesson learned -- apart from the obvious "keep your system patched": firewall your servers properly. If you don't use it as a desktop then it doesn't need be able to hit arbitrary sites using arbitrary protocols at arbitrary times. Exploits are usually only a few bytes of code: they have to bootstrap themselves into real malware functionailty by fetching the main payload from somewhere.
posted by George_Spiggott at 12:54 PM on April 6, 2014 [2 favorites]
What I don't understand is why the last line didn't include a Ruby on 'Ales pun.
posted by radwolf76 at 1:10 PM on April 6, 2014 [6 favorites]
posted by radwolf76 at 1:10 PM on April 6, 2014 [6 favorites]
destrius: "NSA's TAO group doesn't need to use social engineering to get into a man-in-the-middle position, because they already have control over some of the backbone routers that your traffic has to go through. So all they'd need to do is wait for you to download any executable over a non-SSL connection."
You are assuming they don't already have control over one (or more) of the CA's that issue valid certificates. This is a stretch for your average MiTM attacker, but probably not the NSA.
posted by pwnguin at 1:17 PM on April 6, 2014 [1 favorite]
You are assuming they don't already have control over one (or more) of the CA's that issue valid certificates. This is a stretch for your average MiTM attacker, but probably not the NSA.
posted by pwnguin at 1:17 PM on April 6, 2014 [1 favorite]
Safari now will warn you about this link as a possible phishing attack, Chrome does not.
FYI Firefox does too.
posted by urbanwhaleshark at 1:25 PM on April 6, 2014
FYI Firefox does too.
posted by urbanwhaleshark at 1:25 PM on April 6, 2014
This is a nice example of why never to click links that are in email.
There is one problem here that I can see. Most websites that allow setting up accounts with them confirm them by sending the user an email and having them click a link with a code in it to confirm their identity. Some of them allow you to copy and paste a code into their site instead, but I don't think that's all.
posted by JHarris at 1:54 PM on April 6, 2014
There is one problem here that I can see. Most websites that allow setting up accounts with them confirm them by sending the user an email and having them click a link with a code in it to confirm their identity. Some of them allow you to copy and paste a code into their site instead, but I don't think that's all.
posted by JHarris at 1:54 PM on April 6, 2014
That looks like linkedin.com and maybe some id number to indicate who is actually clicking it. That URL actually goes to Metafilter.
Mouseover still shows it as an ip address and not as the url as written on the page. So basically the target of the attack clicked a link without checking whether the urls match? If onclick does not work, does something else?
posted by Pyrogenesis at 1:55 PM on April 6, 2014
Mouseover still shows it as an ip address and not as the url as written on the page. So basically the target of the attack clicked a link without checking whether the urls match? If onclick does not work, does something else?
posted by Pyrogenesis at 1:55 PM on April 6, 2014
Safari now will warn you about this link as a possible phishing attack, Chrome does not.
FYI Firefox does too.
Good to know.
Here is a version that won't set off an alarm on Safari anyways, and I would guess not in Firefox either :
http://918162721?email.linkedin.com
Back when I sold encrypted email/statements to banks I lived and breathed this phishing stuff and there was at least 10 different ways we came up with to do this, or that we saw in the wild. These were the top two methods that I am able to recall. Good to see the browsers have come a little ways.
posted by ill3 at 1:55 PM on April 6, 2014 [5 favorites]
This is why I never read the links when browsing Metafilter.
posted by Pruitt-Igoe at 1:56 PM on April 6, 2014 [5 favorites]
posted by Pruitt-Igoe at 1:56 PM on April 6, 2014 [5 favorites]
That looks like linkedin.com and maybe some id number to indicate who is actually clicking it. That URL actually goes to Metafilter.
Mouseover still shows it as an ip address and not as the url as written on the page. So basically the target of the attack clicked a link without checking whether the urls match? If onclick does not work, does something else?
No JavaScript works in any email clients. In fact, Outlook Web Access will even strip JavaScript out of attached HTML files. Most marketing emails are html emails so you don't even see the URL but a fancy button or whatever. The way that people do this is the way I am describing. My most recent example : http://918162721?email.linkedin.com mouse overs properly. It doesn't really matter though, in my experience very very few people look at the mouseover and even if they saw an IP address, so what, companies have people clicking back to weird random servers all the time. I literally worked with security researchers all day long and the game was to try to trick each other into clicking a shady link (rhymes with moat sects) over yahoo messenger or IRC. We could basically fool each other most of the time (though one key to deception was having the patience of waiting months and dozens of valid links before sneaking in a bad one). So if security researchers will fall for this, and they know they are being attacked this way, what hope does the average citizen. I mean the article itself sort of proves that. This guy asked to be hacked. He understands security, yet even while expecting to be hacked he clicked a fake linkedin email. That does not surprise me one bit. I live and breath this stuff and someone that knew me could probably come up with the right thing to get me to click it, as I could do for 99% of people I know in the security community and out.
posted by ill3 at 2:04 PM on April 6, 2014 [5 favorites]
Mouseover still shows it as an ip address and not as the url as written on the page. So basically the target of the attack clicked a link without checking whether the urls match? If onclick does not work, does something else?
No JavaScript works in any email clients. In fact, Outlook Web Access will even strip JavaScript out of attached HTML files. Most marketing emails are html emails so you don't even see the URL but a fancy button or whatever. The way that people do this is the way I am describing. My most recent example : http://918162721?email.linkedin.com mouse overs properly. It doesn't really matter though, in my experience very very few people look at the mouseover and even if they saw an IP address, so what, companies have people clicking back to weird random servers all the time. I literally worked with security researchers all day long and the game was to try to trick each other into clicking a shady link (rhymes with moat sects) over yahoo messenger or IRC. We could basically fool each other most of the time (though one key to deception was having the patience of waiting months and dozens of valid links before sneaking in a bad one). So if security researchers will fall for this, and they know they are being attacked this way, what hope does the average citizen. I mean the article itself sort of proves that. This guy asked to be hacked. He understands security, yet even while expecting to be hacked he clicked a fake linkedin email. That does not surprise me one bit. I live and breath this stuff and someone that knew me could probably come up with the right thing to get me to click it, as I could do for 99% of people I know in the security community and out.
posted by ill3 at 2:04 PM on April 6, 2014 [5 favorites]
Back when I sold encrypted email/statements to banks
I ah, assume this didn't go so well?
At one point we had 7 of the world's top 10 largest banks, but you are correct, ultimately the phishing thing about wiped us out on the statement side. We pivoted and turned to selling encrypted email for HIPAA compliance. We were able to sell the company to Cisco for a small/medium chunk of change, and the technology we invented is still sold today as the "Cisco Registered Envelope Service".
posted by ill3 at 2:08 PM on April 6, 2014 [8 favorites]
I ah, assume this didn't go so well?
At one point we had 7 of the world's top 10 largest banks, but you are correct, ultimately the phishing thing about wiped us out on the statement side. We pivoted and turned to selling encrypted email for HIPAA compliance. We were able to sell the company to Cisco for a small/medium chunk of change, and the technology we invented is still sold today as the "Cisco Registered Envelope Service".
posted by ill3 at 2:08 PM on April 6, 2014 [8 favorites]
Ok, thanks ill3 - especially for showing me that I accidentally happen to be paranoid in the right place. I only asked about this particular thing because I always check the mouseover (except of course in those ordinary, expected e-mails that I have no reason to suspect, examples of which are numerous).
I have another ignoramus's question: if I were to click on a phishing link and then realized it's bad, how much help would clicking the stop button of the browser be? I'm assuming none, but what precisely does the stop button do, in the end? Can it cancel something completely in the middle, for example? Or does it wait for particular things to be downloaded? Downloaded but not executed? Or what? Or is it so that payloads are so small that it can't possibly have any meaningful effect?
posted by Pyrogenesis at 2:24 PM on April 6, 2014
I have another ignoramus's question: if I were to click on a phishing link and then realized it's bad, how much help would clicking the stop button of the browser be? I'm assuming none, but what precisely does the stop button do, in the end? Can it cancel something completely in the middle, for example? Or does it wait for particular things to be downloaded? Downloaded but not executed? Or what? Or is it so that payloads are so small that it can't possibly have any meaningful effect?
posted by Pyrogenesis at 2:24 PM on April 6, 2014
Pyrogenesis:
It could actually help to click the stop button. The stop button will stop loading the web page and drop the socket and stop loading the elements of the webpage. If you hit it before you downloaded the cross scripting bit (in this example) it would in fact save your bacon. I mean, this article is scary and all that, but you have to remember this guy was a) a very good hacker and b) targeting a single individual whom he had a lot of information about already (a spear phish vs being phished with a net). I think if a very very good hacker targets you individually there is probably not much you can do about it. I haven't been a hacker for 25 years, and have long been on the other side, but to me when ever a hacking target comes up theoretically, 9 out of 10 people are easier to social engineer than actually hack (if you are targeting an individual). If you know what social engineering is, and how to protect yourself from that, you are in pretty good share. Anyway, these net type phishing attacks, while they still exist are not always as sophisticated as this, also they aren't tailored to your interests - though granted Linkedin is pretty universal. More importantly many many "net" phishing attacks get picked up by SPAM filters these days as SPAM engines look for commonality and these attacks have commonality - there is no commonality in a spear phish so SPAM filters offer little protection from them.
posted by ill3 at 2:41 PM on April 6, 2014
It could actually help to click the stop button. The stop button will stop loading the web page and drop the socket and stop loading the elements of the webpage. If you hit it before you downloaded the cross scripting bit (in this example) it would in fact save your bacon. I mean, this article is scary and all that, but you have to remember this guy was a) a very good hacker and b) targeting a single individual whom he had a lot of information about already (a spear phish vs being phished with a net). I think if a very very good hacker targets you individually there is probably not much you can do about it. I haven't been a hacker for 25 years, and have long been on the other side, but to me when ever a hacking target comes up theoretically, 9 out of 10 people are easier to social engineer than actually hack (if you are targeting an individual). If you know what social engineering is, and how to protect yourself from that, you are in pretty good share. Anyway, these net type phishing attacks, while they still exist are not always as sophisticated as this, also they aren't tailored to your interests - though granted Linkedin is pretty universal. More importantly many many "net" phishing attacks get picked up by SPAM filters these days as SPAM engines look for commonality and these attacks have commonality - there is no commonality in a spear phish so SPAM filters offer little protection from them.
posted by ill3 at 2:41 PM on April 6, 2014
Once again, my cranky old man insistence that email be plain-text only proves itself.
It's trivially easy to spot the fake email messages that get past the spam filter when the included links are http://this.is.really.linkedin.hackme.ru and the like.
Also, an "infosec" guy running telnet on a router? Leaving upnp running for the convenience factor is understandable, if lazy.
Leaving telnet running is just dumb.
The article does make clear though, how vulnerable we all are to relatively simple hacks if we aren't on guard all the time.
And who among us is?
posted by madajb at 4:09 PM on April 6, 2014 [2 favorites]
It's trivially easy to spot the fake email messages that get past the spam filter when the included links are http://this.is.really.linkedin.hackme.ru and the like.
Also, an "infosec" guy running telnet on a router? Leaving upnp running for the convenience factor is understandable, if lazy.
Leaving telnet running is just dumb.
The article does make clear though, how vulnerable we all are to relatively simple hacks if we aren't on guard all the time.
And who among us is?
posted by madajb at 4:09 PM on April 6, 2014 [2 favorites]
I wouldn't dismiss social engineering; it's a key arrow in the quiver of the serious attacker.
Agreed. I think that it's really missing the point to write this off as "meh just social engineering not a problem" which (not specifically in this thread) tends to be the reaction to similar cases.
The whole point here is that a very sophisticated user — someone in the security industry; far more savvy than we can reasonably expect average people to be — was tricked into clicking on an email link and from there, got their local network compromised.
This is a serious technical problem. As long as email programs display links and allow you to click on them, telling people "don't click on links in emails" is not really a solution. Many legitimate companies send out emails with clickable links in them. For most users, 99.99% of the time (probably way more, like five or six nines more) they'll click on those links without a problem. Requiring the user to consciously choose not to use a particular, standard feature of their computer every single day in order to possibly avoid getting compromised someday isn't reasonable. And it's bad design.
Besides which, there are lots of other ways to get a person to click on a link to a compromised site besides putting it in an email. That happens to be easiest, but it's not the only way to do it. You could probably do it, if you were dedicated enough, by getting into one of their social networks and posting links that seem to be the sort of stuff that they're just generally interested in. (Basically just pull an Ebaums and mirror/steal all sorts of stuff that they're likely interested in and post links to it. If the exploit payload is specific enough to their computer/network, other people will probably never notice it.)
posted by Kadin2048 at 5:46 PM on April 6, 2014 [1 favorite]
Agreed. I think that it's really missing the point to write this off as "meh just social engineering not a problem" which (not specifically in this thread) tends to be the reaction to similar cases.
The whole point here is that a very sophisticated user — someone in the security industry; far more savvy than we can reasonably expect average people to be — was tricked into clicking on an email link and from there, got their local network compromised.
This is a serious technical problem. As long as email programs display links and allow you to click on them, telling people "don't click on links in emails" is not really a solution. Many legitimate companies send out emails with clickable links in them. For most users, 99.99% of the time (probably way more, like five or six nines more) they'll click on those links without a problem. Requiring the user to consciously choose not to use a particular, standard feature of their computer every single day in order to possibly avoid getting compromised someday isn't reasonable. And it's bad design.
Besides which, there are lots of other ways to get a person to click on a link to a compromised site besides putting it in an email. That happens to be easiest, but it's not the only way to do it. You could probably do it, if you were dedicated enough, by getting into one of their social networks and posting links that seem to be the sort of stuff that they're just generally interested in. (Basically just pull an Ebaums and mirror/steal all sorts of stuff that they're likely interested in and post links to it. If the exploit payload is specific enough to their computer/network, other people will probably never notice it.)
posted by Kadin2048 at 5:46 PM on April 6, 2014 [1 favorite]
Here are my two takeaways from this article:
- If a dedicated attacker want to hack me, I'm pretty much screwed
- LinkedIn is even worse than just annoying and useless
This is why I'm posting this from a computer that's not connected to the internet.
posted by blue_beetle at 6:42 PM on April 6, 2014 [1 favorite]
posted by blue_beetle at 6:42 PM on April 6, 2014 [1 favorite]
telling people "don't click on links in emails" is not really a solution.
This is a good point. Clicking on links is a feature of computers that should work. Routers that can be hacked due to a link is the problem.
posted by kiltedtaco at 7:49 PM on April 6, 2014 [1 favorite]
This is a good point. Clicking on links is a feature of computers that should work. Routers that can be hacked due to a link is the problem.
posted by kiltedtaco at 7:49 PM on April 6, 2014 [1 favorite]
Well, this article got me to update my router firmware and turn off uPnP, so there's that.
posted by Chrysostom at 7:53 PM on April 6, 2014
posted by Chrysostom at 7:53 PM on April 6, 2014
This is a good point. Clicking on links is a feature of computers that should work. Routers that can be hacked due to a link is the problem.
One of many, many problems. You can fix your router so that clicking a link won't influence it in any way (apart from turning off UPnP, make sure your router password isn't saved in your browser and be sure you log out when you're done administering it), but that doesn't scratch the surface of the problems that a spoofed link in an email can cause you.
Generally speaking, click a link if you understand why it was sent to you -- i.e. it's not something unsolicited -- you're sure it's what it appears to be (mouseover review and or "view message source") and it doesn't purport to go somewhere that could do you real harm if it's a spoof, e.g. your paypal account or any vendor that has your credit card details on file. Generally in the latter cases it's better to just use your own bookmark to go to the site, or type in the URL yourself. (But beware typosquatters too.)
posted by George_Spiggott at 8:17 PM on April 6, 2014
One of many, many problems. You can fix your router so that clicking a link won't influence it in any way (apart from turning off UPnP, make sure your router password isn't saved in your browser and be sure you log out when you're done administering it), but that doesn't scratch the surface of the problems that a spoofed link in an email can cause you.
Generally speaking, click a link if you understand why it was sent to you -- i.e. it's not something unsolicited -- you're sure it's what it appears to be (mouseover review and or "view message source") and it doesn't purport to go somewhere that could do you real harm if it's a spoof, e.g. your paypal account or any vendor that has your credit card details on file. Generally in the latter cases it's better to just use your own bookmark to go to the site, or type in the URL yourself. (But beware typosquatters too.)
posted by George_Spiggott at 8:17 PM on April 6, 2014
How I Hacked Your Router
Geeze, was the Greta Gerwig spinoff not enough?
posted by threeants at 9:28 PM on April 6, 2014 [3 favorites]
Geeze, was the Greta Gerwig spinoff not enough?
posted by threeants at 9:28 PM on April 6, 2014 [3 favorites]
"Then, of course, came the waiting game for him to download and install a payload that could be compromised, in this case N++. I can only imagine how many fake sites he had to set up, pointed to by his fake DNS, in order to have a good chance that one of them would be updated in a reasonable time"He didn't have to create any sites - once he had control of the target's DNS resolution, he used a package called evilgrade which appears to wait for vulnerable apps to check in for an upgrade. When they do, it can fake a "new version is available" response, and the user installs the backdoored version.
So as soon as the target fired up Notepad++, it checked in for an update, and he opted to have it installed...
posted by lordelphin at 1:59 AM on April 7, 2014 [3 favorites]
And if I did have a browser 0-day in my back pocket, I would have used it to win the pwn2own last week.
Not to mention that asking someone to hack you is a great way of getting 0-day out of them.
posted by atrazine at 4:16 AM on April 7, 2014 [1 favorite]
Not to mention that asking someone to hack you is a great way of getting 0-day out of them.
posted by atrazine at 4:16 AM on April 7, 2014 [1 favorite]
The article does make clear though, how vulnerable we all are to relatively simple hacks if we aren't on guard all the time.
And who among us is?
I was at one time in favor of a government agency, like the CFPB, auditing and giving certification to all hardware and software on the market, in the same way the NHTSA certifies all roadgoing equipment.
After Snowden, everyone would just (correctly) believe the government was only doing it to make sure they could compromise everything that passed through their labs.
The other solution is pretty ugly for open source - remove liability protections. If someone gets hacked using your stuff, you can get sued for negligence. This will mean independent, private labs like UL will need to audit and certify new releases, and the public can be (reasonably) certain certified products will be provably secure and updated automatically using secure mechanisms. (Autoupdating programs that don't protect against MITM or poisoned DNS attacks by authenticating the where it's updating from would fail certification, for instance.)
posted by Slap*Happy at 6:52 AM on April 7, 2014
And who among us is?
I was at one time in favor of a government agency, like the CFPB, auditing and giving certification to all hardware and software on the market, in the same way the NHTSA certifies all roadgoing equipment.
After Snowden, everyone would just (correctly) believe the government was only doing it to make sure they could compromise everything that passed through their labs.
The other solution is pretty ugly for open source - remove liability protections. If someone gets hacked using your stuff, you can get sued for negligence. This will mean independent, private labs like UL will need to audit and certify new releases, and the public can be (reasonably) certain certified products will be provably secure and updated automatically using secure mechanisms. (Autoupdating programs that don't protect against MITM or poisoned DNS attacks by authenticating the where it's updating from would fail certification, for instance.)
posted by Slap*Happy at 6:52 AM on April 7, 2014
I wouldn't dismiss social engineering; it's a key arrow in the quiver of the serious attacker
I think the point is the approach described here doesn't scale. It's something to be very concerned about if you think you might be specifically targeted, but it's not something everyone should be concerned about. One of the take-aways for everyone from this article should be to think twice about what you chose for those backup "security" questions in case you forget the password. I pick whichever one is first and provide an answer by mashing my keyboard. Those questions are A Bad Idea and their presence a code smell.
posted by yerfatma at 7:53 AM on April 7, 2014 [1 favorite]
I think the point is the approach described here doesn't scale. It's something to be very concerned about if you think you might be specifically targeted, but it's not something everyone should be concerned about. One of the take-aways for everyone from this article should be to think twice about what you chose for those backup "security" questions in case you forget the password. I pick whichever one is first and provide an answer by mashing my keyboard. Those questions are A Bad Idea and their presence a code smell.
posted by yerfatma at 7:53 AM on April 7, 2014 [1 favorite]
Slap*Happy: "This will mean independent, private labs like UL will need to audit and certify new releases"
That sounds tricky. Yea, it'd suck for open source, assuming you can track down github usernames to real people. But it'd also suck for whoever's in the business of certifying these things.
Imagine you're the guy in UL labs responsible for certifying routers. If you certify a router that's safe but really isn't? Better brush up your resume! And no matter how long you spend with a talented 'tiger team' assaulting the device, you're liable to miss a thing or two. The best methods we have available are formal verification processes which analyze the program source code to prove things like 'under no set of inputs does this array index overflow the size of the array.'
Problem is, the biggest formally verified piece of software is the L4 microkernel, which doesn't do fuck all other than isolate processes and relay messages between them. And the verification is far from 'proven immune to malicious inputs.' It's mainly 'proven free from a few common parallel software problems.' And in this context, program analysis can backfire in it's own special way, if you recall the Debian SSL bug.
So the only way I see around this is to offer certifiers liability protections. At which point, you've invented Bond Ratings Agencies for software: people who are paid by vendors to vouch for product, but hide under 1st amendment rights, and whatever liability protection you'd need to offer.
posted by pwnguin at 9:36 AM on April 7, 2014 [1 favorite]
That sounds tricky. Yea, it'd suck for open source, assuming you can track down github usernames to real people. But it'd also suck for whoever's in the business of certifying these things.
Imagine you're the guy in UL labs responsible for certifying routers. If you certify a router that's safe but really isn't? Better brush up your resume! And no matter how long you spend with a talented 'tiger team' assaulting the device, you're liable to miss a thing or two. The best methods we have available are formal verification processes which analyze the program source code to prove things like 'under no set of inputs does this array index overflow the size of the array.'
Problem is, the biggest formally verified piece of software is the L4 microkernel, which doesn't do fuck all other than isolate processes and relay messages between them. And the verification is far from 'proven immune to malicious inputs.' It's mainly 'proven free from a few common parallel software problems.' And in this context, program analysis can backfire in it's own special way, if you recall the Debian SSL bug.
So the only way I see around this is to offer certifiers liability protections. At which point, you've invented Bond Ratings Agencies for software: people who are paid by vendors to vouch for product, but hide under 1st amendment rights, and whatever liability protection you'd need to offer.
posted by pwnguin at 9:36 AM on April 7, 2014 [1 favorite]
Except UL certifies stuff that sometimes winds up being unsafe (and they and the manufacturers get to pay for these mistakes). What it does is set acceptable baseline standards, and makes certain manufacturers adhere to them. If neither the standards nor the adherence to them are up to snuff, you don't get the certification.
No-one expects perfection (tho that would be nice), but it would be nice to buy a router or iPad game (or carrier-grade firewall or ERP suite) and not have it strip-mine your data. Currently, you need expensive pen testing (usually more than a sixpack of microbrew) and even more expensive IT auditing and mitigation programs - this is a burden for large shops with deep pockets, it's just not done at all with small shops and typical home users.
If a home user could see a "Security Certified" logo, they'd know the manufacturer took reasonable steps to make sure the hardware and software met the best available standards, and were tested on it by an impartial and legally liable third party.
(Tho UL is having some trouble in recent years with certifying goods manufactured overseas, and is trying to weasel out of liability because of it - but these types of shenanigans wouldn't apply to reviewing software and firmware.)
posted by Slap*Happy at 10:32 AM on April 7, 2014
No-one expects perfection (tho that would be nice), but it would be nice to buy a router or iPad game (or carrier-grade firewall or ERP suite) and not have it strip-mine your data. Currently, you need expensive pen testing (usually more than a sixpack of microbrew) and even more expensive IT auditing and mitigation programs - this is a burden for large shops with deep pockets, it's just not done at all with small shops and typical home users.
If a home user could see a "Security Certified" logo, they'd know the manufacturer took reasonable steps to make sure the hardware and software met the best available standards, and were tested on it by an impartial and legally liable third party.
(Tho UL is having some trouble in recent years with certifying goods manufactured overseas, and is trying to weasel out of liability because of it - but these types of shenanigans wouldn't apply to reviewing software and firmware.)
posted by Slap*Happy at 10:32 AM on April 7, 2014
Just create a GUI in Visual Basic, and you are in.
posted by Xoebe at 10:48 AM on April 7, 2014 [2 favorites]
posted by Xoebe at 10:48 AM on April 7, 2014 [2 favorites]
« Older Unrecognized state continues to exist anyway | Turn that camera OFF Newer »
This thread has been archived and is closed to new comments
posted by infini at 8:27 AM on April 6, 2014 [2 favorites]