First of all, I hate the term “social engineering.” It’s a relatively new term for a concept as old as dirt – lying or manipulating – and makes it sound like a sophisticated, new, and legitimate undertaking. Wannabe hackers are proud of themselves when they get someone to open a URL with malicious content, but let’s face it, the reason this works so well is that people are dumb.
I don’t mean some people are dumb, I mean all people are. I include myself in this group. We all do stupid things sometimes – some more than others – and when you’re attacking a large organization, usually the easiest way to get in is through people’s naiveté or temporary inattention. The only safe conclusion to draw is that we have to remove Problem Exists Between Keyboard and Chair (PEBKAC) as the low bar in security. Stated more simply, enterprise security has to expect that people are dumb.
One attack I’ve been thinking about recently is a particular type of spear phishing attack. The attacker provides a link to a known web login frontend such as an enterprise’s webmail login. These are often public-facing interfaces, so they’re easy to clone, and the attacker does just that. They send an email to several people in an organization with a message saying they should check their webmail using the enclosed link, which happens to be a Trojan clone of the webmail login page. Perhaps the premise of the email is that the sender is from IT and would like to verify that the user is currently working. The URL may be an unsecured http link to the webmail server, with the attacker running a man-in-the-middle attack ready to intercept the unsecured password entry. Even more simply, the URL may point to a web server outside the enterprise domain.
Users frequently do not understand the types of threats that are out there and generally won’t think twice about entering their credentials in a web page as long as it looks the way they expect it to. This is the gist of why the web is broken. Browsers have no way to warn users that they’re visiting the “wrong” site.
So while there’s a lot of bluster recently about how SSL is broken, this type of attack can simply bypass SSL altogether.
So using the browser for authenticating users isn’t a good idea, even though it’s done all the time. Ideally, a frontend would authenticate that the backend to which it is attaching (something equivalent to the webmail server) is a known, trusted site, for example using PKI. There are alternatives. Imagine, for example, a protocol in which the server provides a random salt value, and then the client provides many hashes that ostensibly represent the hashed password, only one of which is correct. The server must then indicate which hash is the correct one. Servers that are unable to identify the correct hash might trigger a security alert, and clients that are unable to provide the correct hash might be blacklisted. This sort of protocol just can’t be enforced by a browser, which is why the web is broken. This protocol isn’t perfect, but it’s much better than the browser authentication model. The point is that browsers aren’t good at protecting user secrets, since people are dumb.
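As an added illustration (not code from the original post), here is a small simulation of the decoy-hash exchange described above, run once against a server that knows the password and once against a cloned login page that does not. Assumed details not in the post: the client derives a key from the password with PBKDF2, the per-challenge response is HMAC(key, salt), the legitimate server stores that same derived key, and the clone can only guess which candidate is real.

```python
import hashlib
import hmac
import os
import random
from typing import List, Optional

def derive_key(password: str) -> bytes:
    # Assumed KDF step; the salt here is a constructed constant for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-kdf-salt", 100_000)

def response(key: bytes, salt: bytes) -> bytes:
    # The one "correct hash" for this server-chosen salt (assumed construction).
    return hmac.new(key, salt, hashlib.sha256).digest()

def client_candidates(key: bytes, salt: bytes, decoys: int, rng: random.Random) -> List[bytes]:
    # Real response hidden among decoys of identical length, so nothing
    # about format or size reveals which candidate is the genuine one.
    cands = [response(key, salt)] + [os.urandom(32) for _ in range(decoys)]
    rng.shuffle(cands)
    return cands

class LegitimateServer:
    def __init__(self, stored_key: bytes):
        self.stored_key = stored_key
    def challenge(self) -> bytes:
        return os.urandom(16)
    def pick(self, salt: bytes, cands: List[bytes]) -> Optional[int]:
        want = response(self.stored_key, salt)
        for i, c in enumerate(cands):
            if hmac.compare_digest(c, want):
                return i
        return None  # client did not know the password: blacklist candidate

class ClonedServer:
    """Phishing clone: can copy the login page, but holds no password key."""
    def __init__(self, rng: random.Random):
        self.rng = rng
    def challenge(self) -> bytes:
        return os.urandom(16)
    def pick(self, salt: bytes, cands: List[bytes]) -> int:
        return self.rng.randrange(len(cands))  # pure guess, 1/(decoys+1)

def run_login(server, key: bytes, decoys: int = 15, rng: random.Random = None) -> bool:
    rng = rng or random.Random()
    salt = server.challenge()
    cands = client_candidates(key, salt, decoys, rng)
    chosen = server.pick(salt, cands)
    # Client-side verdict: only a server that knows the key picks correctly.
    return chosen is not None and hmac.compare_digest(cands[chosen], response(key, salt))

def rogue_success_rate(key: bytes, trials: int = 200, decoys: int = 15, seed: int = 1) -> float:
    rng = random.Random(seed)  # fixed seed keeps the simulation reproducible
    return sum(run_login(ClonedServer(rng), key, decoys, rng) for _ in range(trials)) / trials
```

With 15 decoys the clone is expected to pick correctly about one time in sixteen, which is the "security alert" signal the post describes; the check is the client's final comparison, not anything the browser chrome shows.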
Another alternative is to use a tailored endpoint environment, where isolation and firewalling rules protect users from themselves. If you’re not familiar with Qubes OS, I suggest taking a look. Qubes represents one possible direction for the (arguably distant) future of client computing security. In the above attack scenario, a user’s VM containing their email could be firewalled such that embedded links would be prevented from accessing sites outside the enterprise, or from accessing internal sites without the use of SSL to authenticate the webmail server. This would drastically reduce the chance that users would reveal their authentication credentials inappropriately outside the enterprise. Isolation does not prevent compromise, but it significantly mitigates the damage and poses significant challenges for attackers trying to extend their reach past the point of infection.
We can’t leave security up to the end user. If we do we’ll lose because people are dumb.