Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

This entry was posted in General Security, Miscellaneous on January 1. by Mark Maunder.

Update on February 2. Chrome has resolved this issue to my satisfaction. Earlier this month they released Chrome 5. If you now view a data URL, the location bar shows a “Not Secure” message, which should help users realize that they should not trust forms presented to them via a data URL. It will help prevent this specific phishing technique.

Update at 1. 1: 3. on Tuesday January 1. I have received an official statement from Google regarding this issue. You can find the full update at the end of this post.

As you know, at Wordfence we occasionally send out alerts about security issues outside of the WordPress universe that are urgent and have a wide impact on our customers and readers. Unfortunately this is one of those alerts.
There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users. I have written this post to be as easy to read and understand as possible. I deliberately left out technical details and focused on what you need to know to protect yourself against this phishing attack and other attacks like it, in the hope of getting the word out, particularly among less technical users. Please share this once you have read it to help create awareness and protect the community.

The Phishing Attack: What you need to know

A new, highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this. This attack is currently being used to target Gmail customers and is also targeting other services.
The way the attack works is that an attacker sends an email to your Gmail account. That email may come from someone you know whose account has been hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender. You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.

A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

The attackers signing into your account happens very quickly. It may be automated, or they may have a team standing by to process accounts as they are compromised. Once they have access to your account, the attacker also has full access to all your emails, sent and received, and may download the whole lot. Now that they control your email address, they could also compromise a wide variety of other services that you use via the password reset mechanism, including other email accounts, any SaaS services you use and much more.

What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate.
However, this technique can be used to steal credentials from many other platforms, with many variations on the basic technique.

How to protect yourself against this phishing attack

You have always been told: “Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.” In the attack above, you did exactly that and saw . When you glance up at the browser location bar and see . If you widen out the location bar it looks like this:

There is a lot of whitespace, which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker. As you can see on the far left of the browser location bar, instead of . If you aren’t paying close attention you will ignore the .

It turns out that this attack has caught, or almost caught, several technical users who have either tweeted, blogged or commented about it. I describe that in the next section.

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

Make sure there is nothing before the hostname . You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.

Enable two factor authentication on every service that you use, if it is available. Gmail calls this “2-step verification” and you can find out how to enable it on this page. Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique.
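The two-step check described above (verify the protocol first, then the exact hostname) can be written down as code. The following is an added example, not code from the original post or from Wordfence. It assumes that the legitimate Gmail sign-in hostname is accounts.google.com (the post elides it), and the address-bar strings it classifies are constructed samples: one genuine address, one data: URL padded with whitespace so that the payload sits far to the right, one plain-HTTP address, and two lookalike hostnames.

```javascript
// Added example (not from the original post): classify what the browser's
// location bar shows before a password is typed into a sign-in form.
// Assumption: the legitimate sign-in host is accounts.google.com.
const EXPECTED_HOST = "accounts.google.com";

// Returns one of: "ok", "data-url", "not-https", "host-mismatch", "unparseable".
function classifyLocation(raw, expectedHost = EXPECTED_HOST) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return "unparseable";
  }
  // Step 1: the protocol. A data: URL is a whole document carried inside the
  // address itself: no server, no certificate and no origin to trust, whatever
  // text the attacker placed right after "data:text/html,".
  if (u.protocol === "data:") return "data-url";
  if (u.protocol !== "https:") return "not-https";
  // Step 2: the hostname, compared exactly. Lookalikes such as
  // accounts.google.com.evil.example and userinfo tricks such as
  // https://accounts.google.com@evil.example/ both fail here.
  if (u.hostname !== expectedHost) return "host-mismatch";
  return "ok";
}

// Constructed samples that mimic what the location bar might show.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  // the data: URL trick: legitimate-looking text, then padding, then the page
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    " ".repeat(200) +
    "<script>/* fake login page would go here */</script>",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.evil.example/ServiceLogin",
  "https://accounts.google.com@evil.example/ServiceLogin",
];

// Classify every sample; returns [[truncatedAddress, verdict], ...].
function classifyAll(samples = SAMPLES) {
  return samples.map((s) => [s.slice(0, 60), classifyLocation(s)]);
}

for (const [shown, verdict] of classifyAll()) {
  console.log(verdict.padEnd(14), shown);
}
```

Note that the data: case is rejected on the protocol alone, before the hostname is ever looked at: the "accounts.google.com" text that appears in that address is part of the document body, not a host, which is exactly why eyeballing the middle of the location bar is not enough.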
I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However, I have not seen a proof of concept, so I cannot confirm this.

Why Google won’t fix this and what they should do

Google’s response to a customer asking about this was as follows:

“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e. The data: URL part here is not that important as you could have a phishing on any http.

I disagree with this response for a few reasons. Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure. They also use a different way of displaying the protocol when a page is insecure, marking it red with a line through it:

During this attack, a user sees neither green nor red. They see ordinary black text:

That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected. That suggests to our perception that they’re related and the . There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.

Update: How to check if your account is already compromised

I’ve had two requests in the comments about this, so I’m adding this section now. If in doubt, change your password immediately. Changing your password every few months is good practice in general.
If you use Gmail, you can check your login activity to find out if someone else is signing into your account. Visit https://support. To use this feature, scroll to the bottom of your inbox and click “Details” (very small, in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don’t know, you may have been hacked.

Troy Hunt’s site is https://haveibeenpwned. Simply enter your email address and hit the button. Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.

Spread the word

I’ll be sharing this on Facebook to create awareness among my own family and friends. This attack is incredibly effective at fooling even technical users, for the reasons I have explained above. I have the sense that most ordinary users will be easy pickings. Please share this with the community to help create awareness and prevent this from having a wider impact.

Mark Maunder – Wordfence Founder/CEO – @mmaunder

Update: Official Statement from Google

This is an update at 1. PST on Tuesday the 1. of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:

“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”

I asked Aaron two follow-up questions:

“Chrome 5. Not secure” in the location bar on non-SSL websites where a page contains a password field or credit card input field. This is a fine example of a visual indication in the location bar that helps secure users. Are the Chrome dev team considering some visual indication in the browser location bar for data URIs? That would help defeat this attack because, currently, there is no visual indication of anything awry when viewing a phishing data URI.”