
Featured

This Thanksgiving I'm Thankful for Government Regulation

Now, don't let the title fool you, I am a firm believer that government is a corrupt money suck. But occasionally, the blind squirrel that is government finds a nut. The nut in this case is privacy regulation. You have probably heard acronyms like CCPA and GDPR but might not be too familiar with what they are. The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are both milestones in the struggle for consumers' rights. When you cut through the endless pages of nuance and typical government babble, it breaks down into rights. The CCPA outlines the right to know, the right to delete, the right to opt out, and the right to non-discrimination. The right to know is how it sounds. It gives consumers the right to know what information a business collects and how it is used or shared. The right to delete means that consumers have the right to request that data pertaining to them be deleted. This one has some exceptions. Some data is required to be kept in accordance...

The Anatomy of a Phish Part 2

In part 1 we covered the basics of phishing, but now it's time for the more technical stuff. Once the target is selected, a little more recon is done to determine the lure that would work best. For this example, let's target granny’s Facebook account. Once we have her email address, we will craft a fake message that will appear to come from Facebook. Oftentimes attackers will use email accounts from previously compromised users who had a valid email history to avoid spam filters, then change the display name of the email to something like “Facebook Security” to entice granny into thinking it is a legitimate email. The contents of the message will include some fake Facebook logos and create a sense of urgency. When granny gets an email saying she needs to log in to Facebook within 24 hours or the account will be deleted, that puts her on a timetable to act quickly or risk losing all those pictures of her grandkids. The catch is that the link conveniently included in the email won't go to Facebook; it will go to the attacker's domain. Sometimes this is a domain they register on their own, or it can be a subdomain they tacked onto a compromised legitimate website. The link will then go to a fake Facebook login page. The login page can behave in a few ways. A lazy approach would just let the user input her login information and record it for the attacker. This approach gets granny’s password, but even she might be suspicious when the username and password she wrote down in her password book aren't working on the website. A more sophisticated site would have granny enter the password twice to ensure it was entered correctly, then display a message saying “Success, you may now log in to Facebook”, then automatically redirect to the real Facebook site for her to log in to. Once the attackers have granny’s Facebook credentials, what then? Well, the answer can be a couple of different things.
The attacker can log in to granny’s account and get more details about her. They might be able to use the information to gain access to her bank accounts or retirement and then divert the funds to their own accounts. If granny is broke, they might use her compromised account to gather information on her friends and determine if any of them would be more suitable targets. I know a post about phishing is relatively low-hanging fruit for more veteran cybersecurity professionals, but there is someone out there who needs to read it, and hopefully it will save them a headache.
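The three tells the post describes (a brand in the display name but a sender domain that does not belong to that brand, urgency language, and a link whose host is not the brand's) are exactly what a mail-filter triage rule can check. The following is an added example, not code from the post; the brand-to-domain allow-list and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand named in a display name -> domains that really send for it.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
URGENCY = re.compile(r"\b(within \d+ hours?|will be deleted|immediately|suspended)\b", re.I)
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)

def brand_in(text):
    low = text.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)

def registered_domain(host):
    parts = host.lower().rstrip(".").split(".")  # last two labels; fine for .com/.example
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phish_indicators(raw_message):
    # Return the indicators from the post that a raw RFC 5322 message exhibits.
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand = brand_in(display)
    if brand and sender_domain not in BRAND_DOMAINS[brand]:  # "Facebook Security" sent from elsewhere
        findings.append(f"display name claims {brand} but sender domain is {sender_domain}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace") if not msg.is_multipart() else ""
    if URGENCY.search(body):  # "log in within 24 hours or the account will be deleted"
        findings.append("urgency language in body")
    link_brand = brand or brand_in(body)
    for link in HREF.findall(body):  # the conveniently included link
        host = urlparse(link).hostname or ""
        if link_brand and registered_domain(host) not in BRAND_DOMAINS[link_brand]:
            findings.append(f"link to {host} does not belong to {link_brand}")
    return findings

# Constructed sample messages (not real mail); .example hosts are reserved for documentation.
SAMPLE_PHISH = """\
From: "Facebook Security" <alice@compromised-user.example>
Content-Type: text/html

<p>Your account will be deleted unless you log in within 24 hours.</p>
<a href="http://login.compromised-site.example/fb/">Log in to Facebook</a>
"""
SAMPLE_LEGIT = """\
From: "Facebook" <security@facebookmail.com>
Content-Type: text/html

<p>You logged in from a new device.</p>
<a href="https://www.facebook.com/settings">Review activity</a>
"""
```

Run against a real mailbox, the allow-list would need the brands your users actually receive mail from, and SPF/DKIM results should be read alongside these content checks rather than replaced by them.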

