This blog is all about Cyber Security and IT


Tuesday, July 7, 2020

No Rate Limit Bug on Forgot password



Overview of this bug:

Rate limiting is used to decide whether a user session has to be throttled, based on the information kept in the session cache. If a user makes too many requests within a given time window, the HTTP server should respond with status code 429: Too Many Requests.

Description:

I have identified that when requesting a forgotten password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password emails to one address.

Steps to reproduce the issue

1. Go to the Forgot Password page.
2. Enter the email address where you want to receive the link.
3. Capture that request in Burp.
4. Send it to Intruder and set the payload position on the "Accept-Language: en-US,en;q=0.5" header.
5. Now go to Payloads and select numbers from 1 to 100.
6. Click on Start attack.

If you receive 100 mails from this, then this is a bug that has to be reported.


Solution

I recommend adding a reCAPTCHA, or some other check that requires manual human interaction to proceed (even a simple challenge like 2+2=___), so that the request cannot be brute forced. You can also enforce a limit at the backend, for example allowing a user to request the Forgot Password email or link at most 5 times a day. Something like that will prevent someone from exploiting this vulnerability.
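A backend limit like the one recommended above needs no special infrastructure. The following is an added example, not code from the original post: a sliding-window limiter keyed per account (5 requests per 24 hours, the figure suggested above) and per source IP, returning 429 once either budget is used up. The ForgotPasswordGuard class, its limits and the in-memory sent list standing in for the real mail sender are assumptions of this example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Keeps the timestamps of recent events per key and allows a new event only
    if fewer than `limit` happened in the last `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordGuard:
    """Guards the forgot-password endpoint with two budgets (assumed values):
    5 reset mails per account per day, and 20 requests per source IP per hour."""

    def __init__(self, account_limit=5, account_window=24 * 3600,
                 ip_limit=20, ip_window=3600):
        self.by_account = SlidingWindowLimiter(account_limit, account_window)
        self.by_ip = SlidingWindowLimiter(ip_limit, ip_window)
        self.sent = []   # stands in for the real mail sender in this example

    def request(self, email, client_ip, now=None):
        """Return (http_status, body) for one forgot-password request."""
        now = time.time() if now is None else now
        # Normalise so "Victim@Example.com" and "victim@example.com" share one bucket.
        key = email.strip().lower()
        if not self.by_ip.allow(client_ip, now) or not self.by_account.allow(key, now):
            return 429, "Too Many Requests"
        self.sent.append(key)
        # Same text whether or not the account exists, so the endpoint does not
        # leak which addresses are registered.
        return 200, "If the account exists, a reset link has been sent."


if __name__ == "__main__":
    guard = ForgotPasswordGuard()
    for i in range(7):
        status, body = guard.request("Victim@Example.com", "203.0.113.10")
        print(i + 1, status, body)   # the 6th and 7th attempts get 429
```

The limiter is in-memory, so with several application instances the counters would live in a shared store (a cache or database) instead; the decision logic stays the same.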

Impact

If you are using any email service software, API or tool that charges you per email, this type of attack can result in financial loss. It can also slow down your services and take up a bulk of storage in the sent mail folder. If users are affected by this vulnerability, they may stop using your services, which can lead to business risk.

Sunday, July 5, 2020

Recon like a king for Bug Bounty


As we all know, if we want to hunt bugs, we have to gather as much information as possible. With recon we can:
  • Increase the number of targets
  • Find unpopular subdomains
1. Tool: SubBrute
https://github.com/TheRook/subbrute
usage: ./subbrute.py target.com > subdomain.txt



Now, after having subdomains, I need to find further subdomains of those subdomains.

2. Tool: altdns
https://github.com/infosec-au/altdns
usage: ./altdns.py -i subdomains.txt -o permutations.txt -w words.txt -r -s output.txt
(-i input list, -o generated permutations, -w words to permute with, -r resolve them, -s save the ones that resolve)


Using the above tool, you will get a lot of subdomains.

Now we need to get the HTTP status code for every subdomain.

For that, go to https://httpstatus.io

Now you have to check all the domains that are redirecting, as all those domains are really important.
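The status check above can also be scripted. The following is an added example, not code from the original post or from any of the tools linked above: it sends one HEAD request per URL without following redirects, so 3xx responses and their Location header are recorded instead of silently followed, then separates live hosts from redirecting ones. It uses only the standard library and, so that it runs offline, starts a small local server whose routes are constructed for the demo.

```python
import http.server
import threading
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses: returning None makes the 3xx
    surface as an HTTPError that we can record, Location header included."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5):
    """HEAD `url` once; return (status, location). status is None when the host
    could not be reached; location is the Location header of a 3xx, else None."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:             # 3xx (not followed), 4xx, 5xx
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError) as err:   # DNS failure, refused, timeout
        return None, str(getattr(err, "reason", err))


def triage(results):
    """Split {url: (status, location)} into live hosts and redirecting hosts;
    the redirects are the ones the post says to look at first."""
    live = sorted(u for u, (s, _) in results.items() if s is not None and s < 300)
    redirects = {u: loc for u, (s, loc) in results.items()
                 if s is not None and 300 <= s < 400}
    return live, redirects


# --- constructed local server so the example runs offline -------------------
class DemoHandler(http.server.BaseHTTPRequestHandler):
    ROUTES = {                     # path -> (status, Location); constructed for the demo
        "/": (200, None),
        "/old": (301, "https://new.example.test/"),
        "/login": (302, "/"),
    }

    def do_HEAD(self):
        status, location = self.ROUTES.get(self.path, (404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_demo_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    found = {base + p: probe(base + p) for p in ("/", "/old", "/login", "/missing")}
    live, redirects = triage(found)
    print("live:", live)
    print("redirecting:", redirects)
    srv.shutdown()
```

For a real subdomain list, replace the demo URLs with the hostnames from output.txt; a redirect target on a domain you did not expect, or a host that answers 200 where nothing should be listening, is the kind of finding that deserves a closer look.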


Tuesday, April 28, 2020

Open URL Redirection Vulnerability- Well Explained


Overview:

What are redirects?

A redirect means allowing a website to forward a request for a resource to another URL/endpoint. Let's assume that you make a request to davindertutorials.com and davindertutorials.com redirects you to another website (new-davindertutorials.com); you end up at new-davindertutorials.com even though the original request was made for davindertutorials.com. This is called "redirection". There are different types of redirects in HTTP; check them out below.

Now let's understand this vulnerability:

Open redirect is basically what the name says: openly allowing redirects to any website.

URL redirection vulnerabilities are found when a user is redirected to some other URL, mainly an attacker-controlled URL, in an unsafe way.

An attacker can construct a URL within the application that causes a redirection to an external domain. This behavior is well known for its use in phishing attacks against users of the application.


Redirection Status Code - 3xx
    • 300 Multiple Choices
    • 301 Moved Permanently
    • 302 Found
    • 303 See Other
    • 304 Not Modified
    • 305 Use Proxy
    • 307 Temporary Redirect
    • 308 Permanent Redirect
The redirection can happen on the server side or the client side.

Server-side: the request to redirect is sent to the server, then the server notifies the browser, via the response, to redirect to the specified URL.

Client-side: the browser is told to redirect to the specified URL directly, without the intervention of the server.

Why is this an issue?

Think about it for a moment: what if davindertutorials.com, a TRUSTED website, allows you to redirect to any other website? Then a malicious user can simply redirect from davindertutorials.com to attacker.com, and people fall for it all the time, believing that it's trusted when in fact it is not. So allowing redirects to any website without a stop in the middle, or without a proper notification for the user, is bad.

Explanation

Let's say there's a "well known" website - https://example.com/. And let's assume that there's a link like
https://example.com/signup?redirectUrl=https://example.com/login
This link is to a signup page; once you sign up, you get redirected to https://example.com/login, which is specified in the HTTP GET parameter redirectUrl.
What happens if we change example.com/login to attacker.com?
https://example.com/signup?redirectUrl=https://attacker.com/
If, by visiting this URL, we get redirected to attacker.com after the signup, this means we have an open redirect vulnerability. This is a classic open redirect vulnerability.

Why does this happen?

This happens due to insufficient redirection checks in the back-end, which means the server is not properly checking whether the redirect URL is on its whitelist. Here are some examples of vulnerable code.

PHP (Server-Side)

<?php
    // Vulnerable: the redirect target is taken straight from the query string.
    $url_to_redirect = $_GET['redirect_url'];
    header('Location: ' . $url_to_redirect);
    die();
?>

Here, the PHP code blindly grabs the URL from the redirect_url parameter and redirects to it using the Location HTTP header.

Java (Server-Side)

// Vulnerable: the "u" request parameter is used as the redirect target without validation.
response.sendRedirect(request.getParameter("u"));

Here, a JSP page takes the URL from the parameter u and blindly redirects to the specified URL.

JavaScript (Client-Side)

// Vulnerable whenever the assigned string comes from user-controlled input (for example a query parameter).
window.location.href = "https://attacker.com";

We can assign a URL string to the location.href property of the window object, which causes a redirect. If there are no checks in place, then it's a bug.

HTML (Client-Side)

<meta http-equiv="refresh" content="0;URL='http://attacker.com/'" />

An HTML meta refresh tag reloads the page with the URL given in its content attribute; you can also specify the refresh delay time.

How to find them?

• Visit every endpoint of the target to find these "redirect" parameters.
• View your proxy history; you might find something. Make sure to use filters.
• Bruteforcing helps too.
• You might uncover many endpoints by reading JavaScript code.
• Google is your friend; example query: inurl:redirectUrl=http site:target.com
• Understand and analyze where redirection is needed in the target application, like redirecting to the dashboard after login.

Some tricks to find these bugs

• Test for basic modification of the URL like target.com/?redirect_url=https://attacker.com.
• Try with double forward slashes target.com//attacker.com.
• Try target.com/@attacker.com. In this case the interpretation will be that target.com is the username and attacker.com is the domain.
• Test for the javascript protocol: javascript:confirm(1).
• Try target.com/?image_url=attacker.com/.jpg if there's an image resource being loaded.
• Try an IP address instead of the domain name.
• You can go further in terms of representing the IP in decimal, hex or octal.
• You can also try target.com/?redirect_url=target.com.attacker.com to bypass weak regex implementations.
• Chinese separator 。 as the dot - https://attacker%E3%80%82com.
• Test for the string reverser unicode ("\u202e") target.com@%E2%80%AE@attacker.com.
• No slashes https:attacker.com.
• Back slashes http:/\/\attacker.com or https:/\attacker.com.
• Different domain redirect_url=.jp resulting in redirection to target.com.jp, which is not the same as target.com.
• Try some unicode (including emojis) madness t𝐀rget.com or 𝐀ttacker.com ('𝐀' is "\uD835\uDC00").

Exploitation

Phishing

Assume that the target is example.com. It has a password recovery page at example.com/forgot-password. You enter the email and click on the Forgot Password button, and it'll send you an email with a password reset link, and this link might look like
https://example.com/reset-password/some-random-token?redirect=https://example.com/login
If we tamper with the redirect parameter and change it to
https://example.com/reset-password/some-random-token?redirect=https://attacker.com/login
this redirects the user to an evil login page instead of the original one, and the user can be phished.

Mitigation

• Only use redirects if you really need them.
• If you do use them, validate the target against a whitelist of allowed domains and only follow the ones that match.
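The whitelist check above is easy to get wrong, because most of the "tricks" listed earlier are ways of making a URL parse differently in the browser than in a naive string check. The following is an added example, not code from the original post: a validator that parses the candidate URL, rejects anything that is not a same-site relative path or an https URL whose host exactly matches the allowlist, and handles the listed bypasses (scheme-relative //host, userinfo @, backslashes, javascript:, the no-slash form, subdomain-suffix tricks and non-ASCII look-alike hosts). The ALLOWED_HOSTS set and the function name are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the application may send users to (assumed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(user_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is either a same-site relative path or an
    https URL on an allowlisted host; anything else falls back to `default`."""
    if not isinstance(user_url, str) or not user_url.strip():
        return default
    # Browsers treat "\" like "/" in the authority of http(s) URLs, so
    # "https:/\attacker.com" would reach attacker.com; normalise before parsing.
    candidate = user_url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:            # e.g. malformed IPv6 brackets
        return default
    if not parts.scheme and not parts.netloc:
        # Relative path. "//host" carries a netloc and never reaches this branch;
        # require a single leading "/" so the target stays on this site.
        return candidate if candidate.startswith("/") else default
    if parts.scheme.lower() not in ("http", "https"):
        return default            # rejects javascript:, data: and "//attacker.com" (empty scheme)
    if parts.username is not None or parts.password is not None:
        return default            # "https://example.com@attacker.com": example.com is only the user
    host = parts.hostname         # lowercased, port stripped
    if not host:
        return default            # "https:attacker.com" parses with no host at all
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return default            # Unicode look-alike domains and the "。" separator trick
    if host not in allowed_hosts:
        return default            # exact match only, so "example.com.attacker.com" fails
    # Rebuild from the parsed parts so odd encodings of the authority are not echoed back.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("https://example.com/login", "/dashboard", "//attacker.com",
                      "https://example.com@attacker.com", "javascript:confirm(1)",
                      "https:/\\attacker.com", "https://example.com.attacker.com"):
        print("%-40s -> %s" % (candidate, safe_redirect_target(candidate)))
```

The fallback is a fixed local path rather than an error page, so a tampered link still lands the user somewhere harmless on the real site. Ports and the fragment are dropped on purpose; if the application needs them, add them back from the parsed parts rather than from the raw string.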

Wednesday, March 27, 2019

How to Conduct Pentesting for any organisation (Complete Tutorial)

Pentesting means finding vulnerabilities by using various techniques and methods.

Organisations hire consultants who have a team of auditors who perform the pentesting.

Auditors are those who know how to find vulnerabilities and also perform exploits to check the security issues.

Auditors perform the task depending upon the agreement signed between the organisation and the auditors.

Based on the agreement, pentesting will be performed. Just like we have different types of hacking (black, white and grey box), auditors perform pentesting based on the rights provided to them.






Types of hacking

External pentesting
This type of hacking is done from the Internet against the client's public network infrastructure; that is, against those computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.

Internal pentesting
As the name suggests, this type of hacking is executed from the customer's internal network.

Black box hacking
This mode is applicable to external testing only. It is called so because the client only gives the name of the company to the consultant, so the auditor starts with no information.

Gray box hacking
This term usually refers to internal pentesting. Nevertheless, some auditors also call an external test gray-box hacking when the client provides limited information on the public computers to be audited.

White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentesting and is called this way because the client gives the auditor complete information about its networks and systems.





Phases of hacking

Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases.
There is a general consensus among the entities and information security professionals that there are 5 phases, in the following order:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Erasing Clues
Usually these phases are represented as a cycle that is commonly called "the circle of hacking", with the aim of emphasizing that the cracker can continue the process over and over again.

Though, information security auditors who perform ethical hacking services present a slight variation in the implementation of the phases, like this:






Monday, March 18, 2019

Firewall, IDS, and IPS

The three devices commonly used to provide security are the firewall, the IDS, and the IPS.

Firewall

A firewall is a network security system that actively monitors and regulates inbound and outbound network traffic based on a predefined security ruleset. A firewall typically acts as a barrier between a trusted, secure internal network and an outside network, such as the Internet, which may not be secured enough. A firewall helps screen out malicious users, viruses, and worms that try to access your network from the Internet.

Some firewalls are simply software that runs on your computer, while others are complete hardware devices and appliances. Firewalls can operate on individual hosts but are widely implemented at the network level. Firewalls are often used to create a Demilitarized Zone (DMZ), a physical or logical subsection of a network that separates the internal private LAN from the external untrusted network like the Internet. The resources that need to be accessed externally over the Internet, such as a web server hosting a website, are kept in the DMZ. The remaining resources, like the database server and backup servers, are all kept in an internal private LAN and are not directly accessible over the Internet. Because the resources in a DMZ are directly accessible to the public, they need to be hardened. Firewalls also offer a feature known as stateful inspection, which monitors and keeps track of all network connections and ensures that all inbound packets are the result of an outbound request. This feature was primarily designed to prevent harmful packets from entering the network and also defends against common information-gathering techniques like port scanning.





Intrusion Detection System

Unlike a typical firewall, which functions on predefined rules, an intrusion detection system is more intelligent in the way it detects various attacks. While a firewall may just check and restrict access to a particular system (based on IP address and port), the IDS goes the extra mile to check whether the traffic contains any malicious code that might lead to an attack. Just as an anti-virus program has a signature database of known viruses, an IDS has a signature database of known and common attacks. It checks all packets traversing the network and tries to match them against its signature database. If a match is found, it raises an alert about the attack so that the network/system administrator can take appropriate steps to prevent it.

Intrusion Prevention System

An intrusion prevention system does everything an IDS does, but it also stops the attack (by dropping packets) whenever it encounters malicious traffic in network packets. This ensures an automated response to an attack and reduces manual intervention.
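The three behaviours described in this post (stateful inspection that only admits replies to connections opened from inside, signature matching that alerts, and prevention that also drops) can be shown side by side on constructed traffic. The following is an added example, not code from the original post: a toy packet pipeline in which the firewall keeps a flow table and exposes one DMZ service, and an IntrusionSystem object runs in either IDS or IPS mode. Addresses, the "10.0.0." internal prefix and the two substring signatures are all constructed for the demo; real IDS rules are far richer than substring matches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


INTERNAL_PREFIX = "10.0.0."   # constructed: addresses with this prefix are "inside"


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    """Stateful inspection in miniature: outbound connections are remembered, and
    inbound packets are accepted only if they answer one of them or target a
    service deliberately exposed (the DMZ web server)."""

    def __init__(self, exposed_services):
        self.exposed = set(exposed_services)   # {(ip, port)} reachable from anywhere
        self.flows = set()                      # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # outbound: record the flow
            return "ALLOW"
        if (pkt.dst, pkt.dport) in self.exposed:
            return "ALLOW"                       # public service in the DMZ
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"                       # reply to a connection we opened
        return "DROP"                            # unsolicited inbound, e.g. a port-scan probe


# Constructed signatures for the demo.
SIGNATURES = {
    "path traversal": b"../../",
    "shell metacharacter in request": b";cat ",
}


class IntrusionSystem:
    """mode="ids": match signatures and alert only. mode="ips": alert and drop."""

    def __init__(self, mode="ids"):
        self.mode = mode
        self.alerts = []                        # (signature, src, dst, dport)

    def inspect(self, pkt):
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                self.alerts.append((name, pkt.src, pkt.dst, pkt.dport))
                return "DROP" if self.mode == "ips" else "ALLOW"
        return "ALLOW"


def process(pkt, firewall, sensor):
    """Firewall first (cheap header check), then payload inspection of what it admits."""
    if firewall.filter(pkt) == "DROP":
        return "DROP"
    return sensor.inspect(pkt)


if __name__ == "__main__":
    fw = StatefulFirewall(exposed_services={("10.0.0.5", 443)})
    ips = IntrusionSystem(mode="ips")
    traffic = [
        Packet("10.0.0.20", 51000, "203.0.113.9", 443),                       # inside opens a connection
        Packet("203.0.113.9", 443, "10.0.0.20", 51000),                       # its reply
        Packet("198.51.100.7", 40000, "10.0.0.20", 22),                       # unsolicited probe
        Packet("198.51.100.7", 40001, "10.0.0.5", 443, b"GET / HTTP/1.1"),    # public web server
        Packet("198.51.100.7", 40002, "10.0.0.5", 443, b"GET /../../etc/passwd HTTP/1.1"),
    ]
    for pkt in traffic:
        print(pkt.src, "->", pkt.dst, pkt.dport, process(pkt, fw, ips))
    print("alerts:", ips.alerts)
```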


Do you know where the passwords are stored in Linux?

Two important files in the Linux system are responsible for storing user credentials:

/etc/passwd

This is a text file that stores all the account information (except the password) required for user login.

The following sample entry from an /etc/passwd file will help clarify its components:

1. User Name: This is the username used to log in.

2. Password: The x character indicates that the encrypted password for this user is stored in the /etc/shadow file.

3. User ID (UID): Each user on the system has a unique ID. UID 0 (zero) is reserved for the root user.

4. Group ID (GID): This is the group ID of the group to which the user belongs.

5. User ID Info: This comment field can store additional information about the user, including email, telephone number, and so on.

6. Home Directory: This is the default directory that will be available for the user after login. All the user-specific documents and settings are stored in the respective home directory.

7. Command/Shell Path: This is the path to the command prompt, or shell.





/etc/shadow

This is a text file that stores the actual passwords in hashed format. It also stores parameters related to the password policy that has been applied to the user. Following is an example entry from the /etc/shadow file:

1. Username: This is the username to which the password belongs.

2. Password: This is the password stored in hashed format.

3. Last password change: This field indicates the number of days since the last password change.

4. Minimum Age: This denotes the number of days remaining before the user can change his or her password.

5. Maximum Age: This denotes the maximum number of days after which the user must change his or her password.

6. Expiry Warning: This denotes the number of days before expiry during which the user must be warned about the password expiring.

7. Inactive: This is the duration in days after password expiry after which the account will be disabled.
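Both files are plain colon-separated text, so the field lists above map directly onto a parser. The following is an added example, not code from the original post: it splits /etc/passwd and /etc/shadow entries into the fields described above (shadow has two further fields after "Inactive", an account expiry date and a reserved field), converts the day counts, which are stored as days since 1970-01-01, and runs the checks a reviewer makes first: extra UID 0 accounts, password fields that are not "x", empty hashes, and passwords that never expire. The sample entries, including the hash strings, are constructed for the demo.

```python
from datetime import date, timedelta

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")   # the post lists the first seven
EPOCH = date(1970, 1, 1)

# Constructed sample files (hashes are placeholders, not real digests).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
svcadmin:x:0:0::/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19100:0:90:7:30::
svcadmin:$6$saltsalt$placeholderhash:19000:0:99999:7:::
"""


def parse_passwd_line(line):
    """Split one /etc/passwd entry into its 7 colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError("malformed passwd entry: %r" % line)
    rec = dict(zip(PASSWD_FIELDS, parts))
    rec["uid"] = int(rec["uid"])
    rec["gid"] = int(rec["gid"])
    return rec


def parse_shadow_line(line):
    """Split one /etc/shadow entry; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError("malformed shadow entry: %r" % line)
    rec = dict(zip(SHADOW_FIELDS, parts))
    for field in SHADOW_FIELDS[2:8]:
        rec[field] = int(rec[field]) if rec[field] else None
    return rec


def days_to_date(days):
    """Shadow stores dates as days since 1970-01-01; convert for reporting."""
    return EPOCH + timedelta(days=days)


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for the conditions a reviewer checks first."""
    users = [parse_passwd_line(l) for l in passwd_text.splitlines() if l.strip()]
    shadow = {r["name"]: r for r in
              (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())}
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "uid_0_not_root"))
        if u["password"] != "x":
            findings.append((u["name"], "password_not_in_shadow"))  # hash or empty field here
        s = shadow.get(u["name"])
        if s is None:
            continue
        if s["hash"] == "":
            findings.append((u["name"], "empty_hash"))              # login without any password
        elif s["hash"].startswith(("!", "*")):
            continue                                                 # locked account
        elif s["max_age"] is None or s["max_age"] >= 99999:
            findings.append((u["name"], "no_expiry"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(user, finding)
    root = parse_shadow_line(SAMPLE_SHADOW.splitlines()[0])
    print("root last changed password on", days_to_date(root["last_change"]))
```

On a real system the same functions can be pointed at the actual files (reading /etc/shadow requires root), which is a quick way to confirm that nothing besides root holds UID 0 and that every interactive account has a hash.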


Wednesday, March 13, 2019

Defensive measures for Protecting Exploitation in Organisational Environment

Create a security policy that includes a section about password guidelines (key length, use of special characters, periodic expiration of keys, account blocking policy, etc.).

Enable auditing services at the operating system level in end-user devices, servers and communications equipment, and use log correlation software to perform event monitoring.

Restrict access to the Administrator and root accounts so that they cannot log on through the network, but only physically at the computer console.

Use port security and network admission control (NAC) on networking devices so that only authorized users can connect to the network.

Replace insecure protocols that send information in plain text, such as HTTP, SMTP, TELNET and FTP, with their secure counterparts, which use digital certificates and encryption for transmission: HTTPS, SMTP over SSL/TLS, SSH, SFTP, etc.

Set the switches to detect the sending of gratuitous and unauthorized ARP and other known attacks, and to react to port violations by taking appropriate actions and reporting the event.

Implement secure authentication protocols in wireless equipment and isolate wireless segments from other internal subnets using intelligent next-generation firewalls.

Configure intelligent next-generation firewalls and other network devices to block attacks.

Use network and security management software for threat detection, vulnerability assessment and automatic response to events.

Design and implement an Information Security Policy based on the ISO 27000 standard.

Implement awareness campaigns about good practices in information security for end-users.

Train staff from the IT and related departments in information security and specialized topics such as ethical hacking, computer forensics and defense mechanisms.

Define profiles for IT personnel and establish which international certifications in information security your staff must obtain according to their position.


Tuesday, March 12, 2019

Preventive Measures to Stop Enumeration

Multiple protocols are susceptible to enumeration, so we should ask our client which ones are really needed in the network. The obvious preventive measure is to disable those insecure protocols that are not required in the network.
However, this is not always feasible, especially if there are legacy applications in the organization that depend on insecure protocols to operate and for which there is no migration scheduled in the short term.

Some defensive measures that you can suggest to your client are:

Configure filter rules on the perimeter firewall(s) so that protocols susceptible to enumeration that do not perform a public function are not exposed to the Internet (e.g. NetBIOS).

Implement a migration plan to update the versions of legacy operating systems and applications periodically, based on cost/benefit. In companies where the number of workstations is large, you might consider a project to replace the desktops with thin clients by using virtualization. License costs are usually lower in virtual environments.

Similarly, in environments with many servers, a consolidation process could provide savings not only in energy consumption but also in hardware/software maintenance and administration costs.

If you have a predominantly Windows network, you can deploy Active Directory policies to prevent the establishment of invalid logon sessions and to disable network logon for the built-in Administrator account. However, care must be taken with legacy programs that could use null sessions.


Monday, March 11, 2019

Defensive measures for Less exposure of Vulnerabilities during scanning

Although the only 100% secure network is the one that is disconnected, we can take defensive measures that help us minimize security risks in our infrastructure during a scan.

Here are some precautions that we can take:

To start, you cannot scan an application that is not installed. This means that before putting a target into production we should do a "hardening" of the operating system, applications and services.

Hardening means "minimize". Therefore, for a server that performs a specific function there is no point in enabling unnecessary services, nor should applications be installed that do not serve the intended purpose. For example, if the target is only a web server (HTTP/HTTPS), why does the IRC (chat) service have to be enabled?

By preventing unnecessary applications from remaining active on the equipment, we prevent their potential vulnerabilities from becoming a point for future exploitation.

Enable automatic updates of the operating system patches that fix security issues, so they are installed in a timely manner.

Keep up support contracts with the hardware/software providers, so you can reach them in case of an eventuality, for example a zero-day vulnerability (for which there is no patch yet).

Redesign the network to include security measures such as segmentation, separating security zones with intelligent next-generation firewalls.

Set rules in firewalls to filter unauthorized access to ports from the Internet and from internal subnets.

Install intrusion prevention systems (IPS) that can work with firewalls and other network devices to detect threats (such as ping sweeps, mass scanning, etc.) and block them immediately.

Perform periodic vulnerability analysis to detect any possible threats to the security of our network and take appropriate corrective actions.


Sunday, March 10, 2019

How to conduct Professional Pentesting | Part-2 | Reconnaissance or footprinting

Reconnaissance is the first phase in the implementation of a hacking. The aim of this phase is to discover as much relevant information as we can about the client's organization or victim.

Now, depending on whether the interaction with the target is direct or indirect, the reconnaissance can be active or passive.

Passive reconnaissance
We say the reconnaissance is passive when we have no direct interaction with the client or victim. For example, we use a search engine like Google and enter the name of the audited company; in the results we get the name of the client's website and discover that the web server name is www.enterprisex.com, then we do a DNS search and find that the IP address of that server is 200.20.2.2.

Active reconnaissance
In this type of reconnaissance there is direct interaction with the target or victim. Examples of active reconnaissance:

Ping sweeps to determine the active public computers within a range of IPs. Connecting to a service port in order to gather a banner and try to determine the software version.
Using social engineering to obtain confidential information.

Reconnaissance tools

The hacker's platform is up to you, but if you ask my opinion, I prefer to use Kali Linux.





Footprinting with Google

Google is undoubtedly the most widely used search engine due to its web page classification technology (PageRank), which allows us to search quickly and accurately. For our reconnaissance example with Google we will begin with the most simple: searching for the company's name.

In this example we'll use as victim the Scanme project by Nmap. Scanme is a free site maintained by Fyodor, the creator of the Nmap port scanner.









Google operators:

+ (plus symbol): used to include words that, because they are very common, are not included in Google search results. For example, say that you want to look for the company "The X"; given that the article "the" is very common, it is usually excluded from the search. If we want this word to be included, then we write our search text like this: Company +The X

- (minus symbol): used to exclude a term from results that otherwise could include it. For example, if we are looking for banking institutions, we could write: banks -furniture

"" (double quotes): if we need to find a text literally, we frame it in double quotes. Example: "Company X"

~ (tilde): placing this prefix before a word will include its synonyms. For example, searching for ~company X will also include results for organization X

OR: allows you to include results that meet one or both criteria. For example, "Company X General Manager" OR "Company X System Manager"

site: limits searches to a particular Internet site. Example: General Manager site:companyX.com

link: lists pages that contain links to the URL. For example, searching for link:companyX.com gets pages that contain links to the company X website.

filetype: or ext: allows you to search by file type. Example: Payment roles + ext:pdf site:empresax.com

allintext: gets pages that contain the search words within the text or body of the page. Example: allintext: Company X

inurl: shows results that contain the search words in the web address (URL). Example: inurl: Company X

Of course there are more operators that can be used with Google, but I think these are the most useful.
Returning to our reconnaissance example, we found among the results some pages about the Nmap organization. The one that catches our attention is scanme.nmap.org; this brings us to our next tool: DNS name resolution.





Determining names with nslookup

Now that we know the main site of our client, we can make a DNS query to obtain its IP address. In a real case it is possible to find more than one customer site referenced by Google, and therefore we'll get several IP addresses. Actually, the idea behind getting this first translation is to estimate the range of IPs that we will need to scan in order to identify additional hosts that could belong to the client.
Assuming that our target is using IPv4 addresses, we could test the whole range of hosts inside the subnet.
The latter is impractical if you try to address a Class A or B range, since the scanning process could last a long time. To determine the range more accurately, we can use other means, such as looking in Who-Is directories or performing social engineering attacks. In this example we will make a name query using the nslookup command.

DNS resolution with nslookup on Windows

Note: During an audit of any kind it is important to be organized and take notes of our findings. This will allow us to tie up loose ends while revealing more information as we go.
Returning to the nslookup command, we can still learn more about our target. We will use some useful options:
set type=[NS | MX | ALL] sets the query type: NS for name servers, MX for mail exchangers, and ALL to show everything.
ls [-a | -d] domain lets you list the addresses for the specified domain (for which the DNS server for that domain must have zone transfers enabled): -a lists canonical names and aliases, -d lists all records in the DNS zone.





Maltego
Maltego is a tool that allows collecting data about an organization easily, through the use of graphic objects and contextual menus that let you apply "transformations".

You can also collect all the artifacts in the form of PDF reports, like this:









Visual IP Trace route

During the execution of an external black box hacking it is useful to know the geographical location of a particular target. Imagine for example that we have obtained the names of the mail server and web server of our client and want to know if these services are hosted on the public network managed by the company itself or if, instead, they are located at an external hosting provider such as Yahoo Small Business, Gator, or similar. Why do we want to know this? Very simple: if the target servers happen to be held at an external hosting provider, in the event we managed to break into such equipment we would actually be hacking the hosting provider, not our client, in which case we could face a possible lawsuit. Because of this, it is strongly recommended to perform a trace route to discover the geographical location of a target host. That way we would be able to decide "to hack or not to hack".
There are several applications on the market that perform visual traceroute, to name a few: Visual IP Trace, Visual Route. Some of them are free or have paid versions with additional features such as the ability to generate reports.









E-mail tracking tools
It is possible that during the execution of an external hacking we come across a case in which our client has outsourced DNS, e-mail and web services, and everything we do only leads us to the hosting provider.

This implies that at least the ISP has assigned our client one public IP for outbound Internet access, so there has to be a router or a firewall doing NAT so that internal users can browse (I'm assuming the client uses IPv4). If this is the case, then getting this public IP address is now our target; let's see how we can get it through the analysis of an email.

Having raised this new goal, we would now make our customer send us an email, and only then will we be able to analyze data from the email header in order to determine the source IP address. This is pretty simple, since we have been hired by them to run an ethical hacking, so we could send an e-mail pretending to show them how the audit is progressing and wait for the response. For this analysis we can use any email tracking tool, or we can manually review the email header; the use of automated tools has the advantage of producing a report. It should be mentioned that the email analysis tools not only help to identify an email's source IP address, but also show whether the sender is indeed who he says he is; we can use these applications to determine if we're dealing with a false email or a phishing email.
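The manual header review described above comes down to reading the Received headers in the right order. The following is an added example, not code from the original post or from any tracking tool: it walks the Received chain from the oldest hop (the bottom header, written closest to the sender) upward, skips RFC 1918 and loopback addresses, and reports the first public address as the sender's egress IP; a second function compares the visible From domain with the Return-Path domain, the mismatch the post mentions when judging whether a message is false or phishing. Both messages, their hostnames and addresses are constructed for the demo.

```python
import email
import re
from email.utils import parseaddr

# Constructed reply for the demo: our own MX wrote the top Received header,
# the client's edge wrote the bottom one. Addresses use documentation ranges.
SAMPLE_REPLY = """\
Return-Path: <pm@clientx.example>
Received: from client-gw.example.net (client-gw.example.net [203.0.113.45])
\tby mail.audit.example (Postfix) with ESMTPS id 4AB12
\tfor <auditor@audit.example>; Mon, 01 Jul 2019 10:00:02 +0000
Received: from [10.0.0.23] (unknown [10.0.0.23])
\tby client-gw.example.net with ESMTP; Mon, 01 Jul 2019 09:59:55 +0000
From: "Project Manager" <pm@clientx.example>
To: auditor@audit.example
Subject: Re: audit progress
Message-ID: <demo-1@clientx.example>

Thanks for the update.
"""

# Second constructed message: claims to be from the client but was handed in
# by an unrelated mailer, the pattern to look for in false or phishing mail.
SAMPLE_SUSPICIOUS = """\
Return-Path: <bounce@bulk-mailer.example.net>
Received: from mta7.bulk-mailer.example.net (mta7.bulk-mailer.example.net [198.51.100.77])
\tby mail.audit.example (Postfix) with ESMTP id 9CD34; Mon, 01 Jul 2019 11:02:41 +0000
From: "Project Manager" <pm@clientx.example>
To: auditor@audit.example
Subject: Updated invoice
Message-ID: <demo-2@bulk-mailer.example.net>

Please open the attachment.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_rfc1918_or_loopback(ip):
    """True for 10/8, 172.16/12, 192.168/16 and 127/8 (not routable on the Internet)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def received_chain(raw):
    """IPs the message was received *from*, oldest hop first. Each MTA prepends
    its own Received header, so the bottom header is the first hop."""
    msg = email.message_from_string(raw)
    chain = []
    for header in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(header)
        chain.append(m.group(1) if m else None)
    return chain


def origin_public_ip(raw):
    """First non-private address in the chain: the sender's NAT/egress address."""
    for ip in received_chain(raw):
        if ip and not is_rfc1918_or_loopback(ip):
            return ip
    return None


def sender_domain_mismatch(raw):
    """True when the visible From domain differs from the Return-Path (envelope) domain."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_domain != envelope_domain


if __name__ == "__main__":
    for label, raw in (("reply", SAMPLE_REPLY), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, received_chain(raw), origin_public_ip(raw),
              "From/Return-Path mismatch:", sender_domain_mismatch(raw))
```

Only the Received header written by your own server can be trusted outright; anything below it was written by the other side's servers and can be forged, which is why the chain is read from your own hop downward when the origin is in doubt.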






      Defensive measures to Prevent reconnaissance attacks



      Defensive measures Prevent reconnaissance attacks by 100% is virtually impossible, precisely because footprinting is based on finding publicly available information about the target organization. And this information it’s public for a good reason.
      For example, imagine the ABC organization which sells pet products through its website and through retail distribution stores.
      Would it make sense to keep secret the address of the website www.abc.com?





      Publishing the website allows users to find it through search engines like Google, Altavista, Metacrawler, etc., even without investing in advertising. And how could it sell products through its website if customers don't know how to get there?
      Therefore, what we can do is minimize our exposure by making public only what is needed. I remember a particular case, during the reconnaissance phase, when I found out that my client's network administrator had published the intranet web server on the Internet.
      The very word intranet indicates that this is a server for internal use only. This is a clear example of a service that should not be published. If for any reason it is necessary to reach it over the Internet, the safest way is through a virtual private network (VPN), not by opening the port on the firewall so that anyone can find an internal server from the Internet.
      With this point clarified, I suggest some preventive measures:





      Keep your registration details private in the WHOIS directory, using the privacy or redaction service offered by your registrar or NIC (usually for an annual fee).

      Avoid posting detailed information about operating systems, applications, hardware and personal data on social media or in the job offers section of your website.

      Train all company personnel on information security precautions and on how to avoid becoming a victim of a social engineering attack.

      Publish on the Internet only services of a public nature (corporate web, name server, mail server, etc.) and confine such servers to a demilitarized zone (DMZ).

      Install perimeter security measures (next-generation firewalls, IDS/IPS systems, etc.).

      Implement measures to protect data, such as encryption.


      Tuesday, March 5, 2019

      ISO 27001 | Certification | Overview



      ISO/IEC 27001, also known as ISO 27001, is a security standard that specifies the requirements for building, monitoring and improving an information security management system (ISMS). An ISMS is a set of policies and controls for protecting sensitive information, e.g., financial data, intellectual property, customer details and employee records.

      ISO 27001 is a voluntary standard that organizations, service providers among them, adopt to secure customer information. Certification requires an independent, accredited certification body to formally audit the organization's ISMS and confirm that it conforms to the standard.





      The benefits of working with an ISO 27001 certified service provider include:





      • Risk management – An ISMS helps govern who within an organization can access specific information, reducing the risk that said information can be stolen or otherwise compromised.
      • Information security – An ISMS contains information management protocols detailing how specific data needs to be handled and transmitted.
      • Business continuity – To remain ISO 27001 compliant, a service provider’s ISMS must be continuously tested and improved upon. This helps prevent data breaches that could impact your core business functions.




      For service providers, compliance provides peace of mind to your customers, while allowing you to maintain due diligence regarding data security.





      ISO COMPLIANCE AND INFORMATION SECURITY GOVERNANCE





      ISO 27001 compliance can play an integral role in creating an information security governance policy: the plans, tools and business practices used by an enterprise to secure its sensitive data.





      Creating an ISO compliant ISMS is a comprehensive process that includes scoping, planning, training and support. Below are some of the most important elements to be addressed before an enterprise can become certified.





      ISO 27001 certification & compliance checklist




      1. ORGANIZATIONAL CONTEXT





      Internal and external issues that can affect an enterprise’s ability to build an ISMS, e.g., information security, as well as legal, regulatory and contractual obligations, need to be identified.





      2. SCOPE





      The information defined in step one is then used to document the scope of the ISMS, outlining the relevant areas as well as its boundaries. The ISMS then needs to be implemented, maintained and continually improved according to the organization's specific information security risks and the ISO 27001 requirements.





      3. LEADERSHIP





      The enterprise’s management needs the necessary leadership skills to maintain the ISMS. This includes:





      • Creating an information security policy in line with the strategic direction of the organization.
      • Integrating the ISMS into standard organization processes.
      • Communicating the details of the information security policy and highlighting the importance of ISMS requirements.
      • Promoting the continual improvement to the ISMS.
      • Ensuring adequate support for staff who work to improve the system.




      4. PLANNING





      A plan for addressing information security risks needs to be integrated into the ISMS process. This involves:





      • Establishing and applying a detailed information security risk management process that includes risk criteria, the identification of information security threats, risk analysis and the evaluation of risks relative to the established criteria.
      • Defining and applying a process for mitigating threats that includes controls needed to implement each risk treatment option.




      5. SUPPORT





      The enterprise needs to obtain the resources, people, and infrastructure to effectively implement an ISMS.





      Support involves training and mentoring staff to deal with sensitive information. Additionally, employees need to be informed as to how they can contribute to the effectiveness of the ISMS and the implications of not conforming to information security policies.





      Lastly, internal and external communication policies relevant to the ISMS need to be established. Policies should include the definition of issues that need to be communicated, with whom these issues should be communicated and the methods of communication.





      6. OPERATIONS





      This step focuses on executing the plans and processes defined in previous sections. The organization needs to document all actions carried out to ensure that processes are executed as planned.





      Additionally, outsourced processes need to be identified to evaluate and control information security risks.





      7. PERFORMANCE EVALUATION





      Performance evaluations ensure the continued effectiveness and future improvement of the ISMS. They also regularly identify areas for potential improvement in information security.





      Internal audits and management reviews need to be conducted and documented at defined regular intervals to evaluate ISMS performance.





      8. IMPROVEMENT





      Nonconformities with ISO 27001 requirements need to be addressed immediately upon discovery. Organizations need to identify and execute the steps to ensure that the same issues don’t recur.





      Additionally, enterprises must continually attempt to improve the suitability, adequacy and effectiveness of their ISMS.


      Thursday, February 28, 2019

      Phishing is taking a wider look by Spear or Whaling attacks



      WHAT IS SPEAR PHISHING





      Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.





      While similar to phishing and whaling attacks, spear phishing is launched in a unique way and its targets differ from those of other social engineering assaults. As a result, the attack deserves special attention when formulating your security strategy.





      SPEAR PHISHING EXAMPLE





      The following example illustrates a spear phishing attack’s progression and potential consequences:





      1. A spoofed email is sent to an enterprise's sysadmin from someone claiming to represent www.itservices.com, a database management SaaS provider. The email uses the itservices.com customer mailing template.
      2. The email claims that itservices.com is offering a free new service for a limited time and invites the user to sign up for the service using the enclosed link.
      3. After clicking on the link, the sysadmin is redirected to a login page on itservice.com, a lookalike website identical to the itservices.com registration page.
      4. At the same time, a command-and-control agent is installed on the sysadmin's machine, which can then be used as a backdoor into the enterprise's network to execute the first stage of an APT.
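      The one part of this scenario that is mechanically detectable is step 3: the link's domain is one character away from the provider's real domain. As an added example (not part of the original post, and not any vendor's product), the following mail-gateway style check pulls the links out of a message body and flags any whose registrable domain is within a small edit distance of a trusted domain without being that domain. The message body, the trusted-domain list and the two-label domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not a real phishing message: the link domain drops one
# letter from the legitimate provider's domain, as in the walkthrough above.
# A genuine link to the real domain is included to show it is not flagged.
SAMPLE_BODY = """Dear admin,
itservices.com is offering a free trial of managed backups for a limited time.
Sign up here: https://itservice.com/signup?ref=trial
Our status page remains at https://status.itservices.com/ as usual.
Regards, The itservices.com team
"""

# Assumed allow-list of domains the organization actually does business with.
TRUSTED_DOMAINS = {"itservices.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-or-two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Assumption for this example: the last two labels are the registrable
    domain. Production code must use the Public Suffix List (co.uk, com.au...)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(body: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> list:
    """Return (url, lookalike_of) for links whose domain nearly matches a trusted one.

    Exact matches (and subdomains of trusted domains) are skipped; only near
    misses within max_distance edits are reported.
    """
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain in trusted:
            continue
        for good in trusted:
            distance = edit_distance(domain, good)
            if 0 < distance <= max_distance:
                findings.append((url, good))
    return findings


if __name__ == "__main__":
    for url, target in suspicious_links(SAMPLE_BODY):
        print(f"LOOKALIKE {url} (imitates {target})")
```

      Edit distance alone misses homoglyph tricks (a Cyrillic "а" in place of a Latin "a"), so a real gateway would also normalize the host with IDNA/NFKC before comparing; the check above is the cheap first filter, not the whole defence.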




      SPEAR PHISHING VS. PHISHING AND WHALING ATTACKS





      Spear phishing, phishing and whaling attacks vary in their levels of sophistication and intended targets. Their differences are highlighted below.





      PHISHING





      Phishing involves sending malicious emails from supposed trusted sources to as many people as possible, assuming a low response rate. For example, a phishing email might purport to be from PayPal and ask a recipient to verify their account details by clicking on an enclosed link, which leads to the installation of malware on the victim’s computer.





      Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent. The problem is that not everyone notices these subtle hints. Trusted logos and links to known destinations are enough to trick many people into sharing their details.





      Spear phishing emails, on the other hand, are more challenging to detect because they appear to come from sources close to the target. Cyber-criminals send personalized emails to particular individuals or groups of people with something in common, such as employees working in the same department.





      WHALING





      Whaling uses deceptive email messages targeting high-level decision makers within an organization, such as CEOs, CFOs, and other executives. Such individuals have access to highly valuable information, including trade secrets and passwords to administrative company accounts.





      The attacker sends emails on issues of critical business importance, masquerading as an individual or organization with legitimate authority. For example, an attacker may send an email to a CEO requesting payment, pretending to be a client of the company.





      Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which are obtained using company websites, social media or the press.





      The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile.





      SPEAR PHISHING MITIGATION





      The targeted nature of spear phishing attacks makes them difficult to detect. However, several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns.





      TWO FACTOR AUTHENTICATION





      2FA helps secure login to sensitive applications by requiring users to present two things: something they know, such as a user name and password, and something they have, such as a smartphone or cryptographic token. When 2FA is used, even if a password is compromised through a technique like spear phishing, it is of no use to an attacker without the device held by the real user. One caveat: one-time codes (SMS or authenticator app) can still be captured by a phishing page that proxies the genuine login in real time and replays the code within its validity window, so for high-value accounts prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the real site's origin.






      Wednesday, February 27, 2019

      Digital Signature - Detailed Explanation



      A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.









      1. Key generation algorithm: produces a key pair, a private key (signature key) that the signer keeps secret and a public key (verification key) that is distributed to anyone who needs to verify the signer's signatures. A digital signature produced with the private key assures that the message was sent by that particular sender.
      2. Signing algorithm: to create a digital signature, the signing software (an email client, for example) first computes a one-way hash of the data to be signed. The signing algorithm then applies the private key to the hash value; in textbook RSA this is the same operation as encrypting the hash with the private key, which is why the process is often described that way. This signed hash, together with information such as the hashing algorithm used, is the digital signature. It is appended to the data and sent to the verifier. The hash is signed instead of the entire message because a hash function converts arbitrary input into a much shorter fixed-length value: signing a short digest is much faster than signing a long message, and hashing is itself much faster than signing.
      3. Signature verification algorithm: the verifier receives the digital signature along with the data. It runs the verification algorithm on the signature with the public key (verification key), which yields a value. It also applies the same hash function to the received data to produce a hash value. The two values are then compared: if they are equal the digital signature is valid, otherwise it is invalid.




      The steps followed in creating digital signature are :





      1. A message digest is computed by applying a hash function to the message, and the digest is then transformed with the sender's private key to form the digital signature (digital signature = sign(private key of sender, message digest), where message digest = hash(message)). In RSA terms this is "encrypting" the digest with the private key.
      2. The digital signature is transmitted with the message (message + digital signature is transmitted).
      3. The receiver "decrypts" the digital signature using the sender's public key. This assures authenticity: only the sender holds the private key, so only the sender could have produced a value that the sender's public key recovers correctly.
      4. The receiver now has the message digest as the sender computed it.
      5. The receiver computes the message digest from the message itself (the actual message travels with the digital signature).
      6. The digest computed by the receiver and the digest recovered from the signature must be the same to ensure integrity; any change to the message in transit makes them differ.




      The message digest is computed using a one-way hash function, i.e. a hash function for which computing the hash of a value a is easy, but recovering a from its hash is computationally infeasible.
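      The six steps above, carried through in code as an added example (not from the original post): hash, then apply the private exponent, then recover the digest with the public exponent and compare. To keep it self-contained the RSA modulus is built from two published Mersenne primes, which means anyone can reproduce the private key, and the digest is used raw with no padding; this is textbook RSA for illustrating the steps, not a scheme to deploy. Production code uses a vetted library with RSA-PSS or Ed25519.

```python
import hashlib

# Toy RSA parameters for illustration only (assumption for this example).
# Two well-known Mersenne primes avoid the need for prime generation, but they
# also mean the "private" key is public knowledge: never sign anything real
# with these. n is ~648 bits, so a 256-bit digest is always smaller than n.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent: E * D == 1 (mod PHI)

PUBLIC_KEY = (N, E)              # verification key, shared with everyone
PRIVATE_KEY = (N, D)             # signature key, kept by the sender


def message_digest(message: bytes) -> int:
    """Step 1 (hash): one-way SHA-256 digest of the message as an integer < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Steps 1-2: apply the private exponent to the digest ('encrypt' it)."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Steps 3-6: recover the digest with the public exponent and compare it
    with a fresh digest of the received message."""
    n, e = public_key
    recovered = pow(signature, e, n)             # step 3-4: digest as sent
    return recovered == message_digest(message)  # step 5-6: integrity check


if __name__ == "__main__":
    msg = b"Transfer 100 EUR to account 12345"
    sig = sign(msg)
    print("signature (hex, truncated):", hex(sig)[:34], "...")
    print("valid on original message :", verify(msg, sig))
    # One changed byte in transit changes the digest, so verification fails.
    print("valid on tampered message :", verify(b"Transfer 900 EUR to account 12345", sig))
```

      The unpadded form shows why real schemes add padding: with raw RSA anyone can pick a signature value s first and present pow(s, E, N) as a "digest", which only fails to be an attack because that number will not be the hash of any useful message. PSS padding removes even that algebraic freedom.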









      Digital Certificate





      A digital certificate is issued by a trusted third party and proves the sender's identity to the receiver (or the receiver's identity to the sender).
      It is issued by a Certificate Authority (CA) to vouch for the identity of the certificate holder. The CA issues a digitally signed certificate (signed, not encrypted: anyone must be able to read it) containing the applicant's public key and a variety of other identification information. The CA's digital signature is what binds the public key to a particular individual or entity.
      Digital certificate contains:-





      1. Name of the certificate holder (the subject).
      2. Name of the issuing CA.
      3. Serial number, which uniquely identifies the certificate among those issued by that CA.
      4. Validity period (not-before and expiration dates).
      5. Copy of the certificate holder's public key (used to verify the holder's signatures and, depending on the key usage, to encrypt data for the holder).
      6. Digital signature of the issuing certificate authority.




      The digital certificate is also sent with the digital signature and the message, so that the receiver can obtain, and trust, the sender's public key.

      Digital certificate vs digital signature:
      A digital signature is used to verify authenticity, integrity and non-repudiation, i.e. it assures that the message was sent by the known user and was not modified, while a digital certificate is used to verify the identity of a user, whether sender or receiver, by binding their public key to that identity. Thus digital signatures and certificates are different kinds of things, but both are used for security, and a certificate is itself a signed document: the CA's signature over it is what makes it trustworthy. Most websites use digital certificates to establish trust with their users.