Be careful when typing those URLs! Typosquatters register domains which are very similar to those of popular sites and use them to serve up malware to the unwary. Leave the “c” off of “.com”? You could end up at a shady Omani domain bearing gifts you don’t want to get!
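As an added illustration of the “.om for .com” slip (this is example code written for this post, not anything from the original), the check below compares a typed hostname against a small constructed allow-list of trusted domains and flags hostnames that are only one or two keystrokes away from a trusted one. The domain names are assumed sample values; the distance threshold of 2 is a choice, not a standard.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains this check trusts (sample data, not from the post).
TRUSTED_DOMAINS = ["example.com", "bank.example.com", "mail.example.org"]


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url):
    """Extract a lower-cased hostname; bare hostnames without a scheme are accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_typed_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a typed URL.

    Returns ("ok", domain) when the host is a trusted domain or a subdomain of one,
    ("near_miss", domain) when it is within max_distance edits of a trusted domain
    (the typosquatting case), and ("unknown", None) otherwise."""
    host = hostname_of(url)
    # Longest trusted suffix wins, so login.bank.example.com maps to bank.example.com.
    for domain in sorted(trusted, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return ("ok", domain)
    best = None
    for domain in trusted:
        dist = edit_distance(host, domain)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, domain)
    if best is not None:
        return ("near_miss", best[1])
    return ("unknown", None)


if __name__ == "__main__":
    for typed in ("https://example.om/login", "exmaple.com", "www.example.com",
                  "https://login.bank.example.com/", "https://unrelated.example/"):
        print(typed, "->", check_typed_url(typed))
```

A browser extension or proxy could surface the `near_miss` result as a “did you mean example.com?” prompt before the request leaves the machine; the `unknown` result is deliberately not treated as malicious, since most legitimate sites are simply not on the list.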
OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention that kept an $80 million fraud from becoming an $800-million-plus fraud against Bangladesh Bank. Educating your people to recognize out-of-the-ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome.)
When your co-workers or family members ask what to do about passwords, have them watch this brief, easy-to-understand and information-packed video from the folks at Sophos…
It seems like the latest big security story is a newly discovered flaw in the OAuth and OpenID protocols, which allow users to authenticate to third-party web sites using their account on another web site like Google, LinkedIn or Facebook. Apparently, it is relatively easy for attackers to mount an attack via a phishing email with a link to a site which then asks the user to authenticate (to the fake site) using their Google account (or any other identity provider which supports OAuth and OpenID). The authentication pop-up will look legitimate – it will actually seem to point to the identity provider’s web site – but it will, in fact, deliver the unsuspecting user’s credentials to the attacker.
So what do we, as security professionals, do with this information? Given the behind-the-scenes nature of the issue, and the fact that there is no cue to the user that a particular site is trying to use the flaw to gather credentials, we are stuck with telling our users to “be more careful” about using their Google/Facebook/LinkedIn etc. credentials to log in to sites. Well, that’s pretty darn vague. I guess the best advice to give people would be not to set up any new site credentials using OAuth/OpenID until the problem has been fixed.
This is a classic example of the tradeoffs we make between security and privacy. While logging in to multiple sites using credentials from a “trusted” provider makes life easier for the web user, he or she also risks having the security of all of the accounts linked to that ID compromised when that one provider suffers a security breach or there is a problem with the underlying technology. This is one of the many reasons we need to move away from password authentication and come up with easy-to-use two-factor login methods to reduce the risk associated with weak/stolen passwords.
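The post leaves the mechanism of the flaw vague, and the advice to users is, as it says, vague too. The one place a concrete control exists is on the identity provider’s side: OAuth 2.0 (RFC 6749) requires the authorization server to validate the `redirect_uri` in an authorization request against the URIs registered for that client, and not to redirect the user anywhere on a mismatch. The code below is an added example, not the original post’s or any provider’s code, contrasting a loose prefix check with an exact-match check; the client id and registered URI are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed registration table: client id -> exact redirect URIs registered
# with the provider (sample values, not from any real provider).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, presented_uri):
    """The loose version: anything that merely *starts with* a registered URI passes.
    That lets an attacker-controlled query string ride along on a legitimate callback."""
    return any(presented_uri.startswith(r)
               for r in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def strict_redirect_check(client_id, presented_uri):
    """The hardened version: exact string match against the registered set,
    with non-HTTPS schemes and fragments rejected outright."""
    parts = urlsplit(presented_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return presented_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def handle_authorization_request(params, check=strict_redirect_check):
    """Decide how an authorization endpoint responds to the request parameters.

    On a redirect_uri mismatch the user is shown an error page and the server
    does NOT redirect to the presented URI (the RFC 6749 behaviour); only a
    validated request proceeds to the consent prompt."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not check(client_id, redirect_uri):
        return {"action": "error_page",
                "reason": "redirect_uri not registered for client"}
    return {"action": "prompt_consent", "redirect_uri": redirect_uri}


if __name__ == "__main__":
    legit = "https://app.example.com/oauth/callback"
    tampered = legit + "?next=https://elsewhere.example/"
    for uri in (legit, tampered):
        print(uri)
        print("  weak  :", weak_redirect_check("client-123", uri))
        print("  strict:", strict_redirect_check("client-123", uri))
        print("  server:", handle_authorization_request(
            {"client_id": "client-123", "redirect_uri": uri}))
```

The point of `handle_authorization_request` is the branch on failure: a provider that bounces the browser to an unregistered URI “with an error” has still sent the user to the attacker’s page, so the only safe response to a mismatch is to stop and render the error locally.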
SANS recently published the latest edition of their “OUCH!” security newsletter for end users – this month’s topic is Yes – You Actually ARE a Target! – something that we usually have to remind users about on a regular basis, in spite of the regular coverage of hacks, data breaches and other cyber shenanigans which are always afoot these days.
OUCH is a good (and free) resource to augment your organization’s Security Awareness efforts.