Erik Kangas

Phishing
Social Engineering

- "Please allow John to have admin rights on my account as he is my new developer."
- "Please close my account, I don't need it anymore."
- "My boss lost his password and we are losing $1M/day because we can't access our account."
- "I don't know who my account administrator is. Can you point me to the right person?"
Kid Engineering?

- Fake email to the school saying that they will be absent or leave early. Think the school checks sender identity?
- Fake email to another family member...
- My grade-school kid can't do this yet... but in a few years?
The Jedi Trick is Easy
Hack: Sending Forgeries

- Get a good example to mimic and modify. We'll look at Bank of America.
- Fire up a shell with telnet and permission to use outbound port 25.
- WARNING: Your IP will be tracked. Use a network that won't track back to you.
- Learn how to speak SMTP.
Sending the BoA Forgery

1. Get a good example message and headers

Return-Path:
Received: from unknown [ ] (EHLO mta5.ealerts.bankofamerica.com)
    by p02c12m115.mxlogic.net(mxl_mta ) over TLS secured channel with ESMTP id 9e853d
    p02c12m115.mxlogic.net (envelope-from ); Thu, 05 Feb :50: (MST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=ealerts.bankofamerica.com;
    h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type;
    bh=YhJz6l84RyMXW/utiX0auH/xtTQ=;
    b=Dzp0SVPypvq8X0VHConCJLSIYwL23EbgP8VxN4qK765Y57++HbhTQDjaXWc0sFjV7BV6/Np3DD3E
    dYHiIoxpzSy1GHvwvIDaG0+md1ijOmDwsBgFpE70upc+9WVHaNOYXjWxkO1tsgdfjEeJprcK93Wx
    Oc5xp60eg3MRnIvLC3A=
Received: by mta5.ealerts.bankofamerica.com id hqdcek163hsp for ; Thu, 5 Feb :49: (envelope-from )
From: "Bank of America"
Reply-To: "Bank of America"
Message-ID:
2. Make Customized Headers

Return-Path:
Received: by mta5.ealerts.bankofamerica.com id hqdcek163bnq for ; Thu, 5 Feb :25: (envelope-from )
From: "Bank of America"
Reply-To: "Bank of America"
Message-ID:
Subject: Alert! Your Bank of America account has been compromised
To:

(Add the custom body of the message, next)

Note: Omit the DKIM header... we'll see why later.
3. Make a Malicious Body

Create a similar/custom message body, modified to trap the recipient.
4. Target Inbound Server: DNS

Recipient (Target): which servers accept email for the recipient's domain? Check the DNS MX records:

$ dig +short luxsci.net mx
30 inbound30.luxsci.com.
10 inbound10.luxsci.com.
20 inbound20.luxsci.com.
5. Manual SMTP: Sending

$ telnet inbound10.luxsci.com 25
Trying
Connected to inbound10.luxsci.com.
220 rs302.luxsci.com ESMTP Sendmail /8.13.8; Sat, 7 Mar :48:10 GMT
ehlo mta5.ealerts.bankofamerica.com
250-rs302.luxsci.com Hello mobile mycingular.net [ ], pleased to meet you
... (removed to save space)
250 HELP
mail from:
Sender ok
rcpt to:
Recipient ok
data
354 Enter mail, end with "." on a line by itself
To:
From: "Bank of America"
Subject: Alert! Your Bank of America account has been compromised
Date: Sat, 7 Mar :48:10 GMT
Message-Id:
[Insert the rest of your customized headers]
[Insert the customized message content]
t27HmAT Message accepted for delivery
quit
The Forgery: Received

Can you tell it's fraud?
Maybe the Raw Headers?
What Can You Believe?
Counter Hack 1: SPF

Sender Policy Framework: publish in DNS which servers are authorized to send email for the domain.

$ dig +short domain.com txt
"v=spf1 ptr ~all"

E.g. with the ptr mechanism, the reverse DNS for the sending IP must resolve to a host in the domain, and the forward DNS for that host must in turn match the IP.

$ dig +short bankofamerica.com txt
"v=spf1 include:_txspf.bankofamerica.com include:_vaspf.bankofamerica.com include:_newspf.bankofamerica.com ~all"
Hack: SPF Fails

1. Hard to identify all valid sending servers
2. Forwarding fails
3. Use of weak "~all" (soft fail) SPF
4. Inter-domain forgery
5. Same-provider forgery

(Doesn't protect against spam... none of the counter hacks for identity do)

$ dig +short hotmail.com txt
"v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4: /25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
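To make the SPF failure modes above concrete, here is an added example (not from the slides, and not LuxSci code) of a minimal SPF evaluator that walks ip4/ip6/include/all terms over a constructed DNS TXT table. The domains and address ranges are hypothetical. Run against the table it shows three things the slide lists: a "~all" record only soft-fails an unauthorized host, a forwarder's IP soft-fails the way a forger's would, and any customer of the same shared provider passes for every domain that includes that provider's record.

```python
"""Minimal SPF evaluator over a constructed DNS table (added example, not from the slides)."""
import ipaddress

# Constructed DNS TXT table standing in for real lookups; all domains are hypothetical.
# example.com delegates to a shared provider, exactly as bankofamerica.com delegates via include:.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Return the SPF result for client_ip claiming to send as domain.
    Supports the ip4, ip6, include and all mechanisms (no a/mx/ptr/exists/redirect)."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = DNS_TXT.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            try:
                # An IPv6 client is never "in" an IPv4 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only if the referenced record yields "pass"
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit all

if __name__ == "__main__":
    cases = [
        ("example.com", "203.0.113.7", "provider host: pass"),
        ("example.com", "203.0.113.200", "another customer of the same provider: pass (same-provider forgery)"),
        ("example.com", "192.0.2.1", "forwarder or forger outside the provider: softfail only (~all)"),
        ("strict.example", "192.0.2.1", "strict record: hard fail (-all)"),
        ("nospf.example", "192.0.2.1", "no record published: none"),
    ]
    for domain, ip, note in cases:
        print(f"{domain:16} {ip:16} {check_spf(domain, ip):9} {note}")
```

Receivers act on the result, and "softfail" is usually only a small spam-score nudge, which is why the slide calls "~all" weak; "-all" gives the filter a reason to reject outright, at the cost of breaking mail that is forwarded without SRS.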
Counter Hack 2: DKIM

DomainKeys Identified Mail

- Publish a cryptographic public key in DNS.
- Sign every message using the private key. The signature covers the body, subject, sender address, and other important headers.
- On receipt: the DKIM public key is looked up and the signature verified.
- No issue with forwarding.
- Sender verification and message integrity / replay protection.
Example From Bank of America's REAL email

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=ealerts.bankofamerica.com;
    h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type;
    bh=YhJz6l84RyMXW/utiX0auH/xtTQ=;
    b=Dzp0SVPypvq8X0VHConCJLSIYwL23EbgP8VxN4qK765Y57++HbhTQDjaXWc0sFjV7BV6/Np3DD3E
    dYHiIoxpzSy1GHvwvIDaG0+md1ijOmDwsBgFpE70upc+9WVHaNOYXjWxkO1tsgdfjEeJprcK93Wx
    Oc5xp60eg3MRnIvLC3A=

Checking DNS

$ dig +short _domainkey.bankofamerica.com txt
"o=~"

$ dig +short _domainkey.bankofamerica.com txt
"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJlTsW0bYLUNtVk4WDLNml1JyockXBDIR45WIyTUmN0X96ggBOqdEvawje56qWkniGpC1g1aziAbaxfvzgP9CvtE5iTmCzQF1O1VhvDxPZjmjCvU/rZDuLwk6Mqvm4lnBRx15eBwtZrm2SJ83yNToIJpMQlPAa8ROpTlqpRrnU4QIDAQAB"
Hack: DKIM Fails

1. Hard to get all servers to sign your messages
2. Legitimate message modification breaks DKIM
3. Consequent use of weak DKIM rules (o=~)
4. Inter-domain forgery
5. Same-provider forgery if DKIM usage is not strict

Looks strong on paper, often weak in practice.
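The "legitimate modification breaks DKIM" point is easiest to see by computing the body hash (the bh= tag from the Bank of America header above) yourself. The following is an added example, not code from the slides or from LuxSci: it implements the "relaxed" body canonicalization from RFC 6376 section 3.4.4, computes bh=, and checks it against a DKIM-Signature tag list. The message body and signature header are constructed for the example; the b= value is a placeholder because checking it needs the RSA key from the selector record and an RSA library, which the example leaves out.

```python
"""DKIM body-hash (bh=) computation with relaxed canonicalization.
Added example (RFC 6376 section 3.4.4); not code from the slides or from LuxSci."""
import base64
import hashlib
import re

def canonicalize_body_relaxed(body: str) -> bytes:
    """Apply DKIM 'relaxed' body canonicalization and return the bytes to hash."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)   # collapse runs of whitespace to one space
        out.append(line.rstrip(" \t"))        # drop trailing whitespace on each line
    while out and out[-1] == "":              # ignore empty lines at the end of the body
        out.pop()
    if not out:
        return b""                            # an empty body canonicalizes to nothing
    return ("\r\n".join(out) + "\r\n").encode("utf-8")

def body_hash(body: str, algorithm: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the value that belongs in bh=."""
    digest = hashlib.new(algorithm, canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature tag list (v=1; a=...; bh=...; b=...) into a dict.
    Folding whitespace inside values (common in the base64 b= tag) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(header_value: str, body: str) -> bool:
    """True if the bh= tag in the signature matches the body as received."""
    tags = parse_dkim_signature(header_value)
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]  # rsa-sha256 -> sha256
    return tags.get("bh") == body_hash(body, algorithm)

# Constructed sample: a short body and a signature header whose bh= was computed over it.
ORIGINAL_BODY = "Dear customer,\r\n\r\nPlease review your recent  statement.\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
             " h=From:To:Subject:Date; bh=" + body_hash(ORIGINAL_BODY) +
             "; b=PLACEHOLDER-not-verified-here")

# Whitespace-only changes survive relaxed canonicalization; new content does not.
WHITESPACE_CHANGED = "Dear customer,   \r\n\r\nPlease review your recent statement.\r\n\r\n\r\n"
FOOTER_ADDED = ORIGINAL_BODY + "--\r\nThis message was scanned by list.example\r\n"

if __name__ == "__main__":
    print("original body      :", body_hash_matches(SIGNATURE, ORIGINAL_BODY))
    print("whitespace changed :", body_hash_matches(SIGNATURE, WHITESPACE_CHANGED))
    print("footer added       :", body_hash_matches(SIGNATURE, FOOTER_ADDED))
```

Two caveats worth keeping in mind when reading the Bank of America record: the a=rsa-sha1 algorithm it uses has since been deprecated for DKIM (RFC 8301), and the "o=~" record at _domainkey.bankofamerica.com is a legacy DomainKeys policy tag, not something DKIM itself consults; DKIM (RFC 6376) publishes no sender policy at all, which is the gap DMARC fills in the next slides.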
Counter Hack 3: DMARC

Domain-based Message Authentication, Reporting and Conformance

1. Publish in DNS exactly what to do if BOTH SPF and DKIM fail.
2. You can be more strict about your policies if they are otherwise all weak.
3. You can tell recipient filters exactly what to do with "nonaligned" messages.

$ dig +short _dmarc.domain.com txt
"v=DMARC1\; p=quarantine\; pct=100"

E.g. if SPF and DKIM both fail, always quarantine the email.

$ dig +short _dmarc.bankofamerica.com txt
"v=DMARC1\; p=none\;

E.g. if both fail, do nothing but send a status report to BoA.
Hack: DMARC Problems

1. If your SPF and DKIM were strict, DMARC weakens things: it is an "OR" and not an "AND".
2. Inter-domain forgery
3. Same-provider forgery if DKIM is not restricted
4. Spam filter support for DMARC is not widespread
5. Most senders do not have DMARC records and are afraid of non-delivery.
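The "OR, not AND" point and the alignment rules are worth seeing in code. This is an added example, not from the slides or from LuxSci: given the SPF and DKIM results a receiver already has, the domain each of them authenticated, and the RFC5322.From header, it looks up a constructed DMARC record, checks alignment (relaxed or strict per aspf/adkim), and returns the DMARC result and the disposition a filter would apply. Domains and records are hypothetical, and the organizational-domain helper is a simplification (real receivers use the Public Suffix List). It also extracts the From domain from the address rather than the display name, which is the "show From addresses" advice from the Vigilance slide applied mechanically.

```python
"""DMARC alignment and disposition evaluation.
Added example, not code from the slides or from LuxSci."""
from email.utils import parseaddr

# Constructed _dmarc records for hypothetical domains.
DMARC_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; pct=100",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50; adkim=s; aspf=s",
}

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; pct=100' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, ignoring the display name a user sees."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def evaluate_dmarc(from_header, spf_result, spf_domain, dkim_result, dkim_domain, pct_roll=0):
    """Return (dmarc_result, disposition).
    pct_roll (0-99) is a deterministic stand-in for the random pct sampling roll."""
    fd = from_domain(from_header)
    record = DMARC_TXT.get("_dmarc." + fd)
    if record is None:
        return ("none", "none")  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, fd, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, fd, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # DMARC passes if EITHER aligned identifier passes
        return ("pass", "none")
    policy = tags.get("p", "none")
    if pct_roll >= int(tags.get("pct", "100")):
        # Outside the sampled percentage the policy steps down one level (RFC 7489 section 6.6.4).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return ("fail", policy)

if __name__ == "__main__":
    forged = '"Bank of America" <alerts@strict.example>'
    print(evaluate_dmarc(forged, "fail", "strict.example", "fail", "strict.example"))
    # SPF passes for an unrelated bounce domain: not aligned, so still a fail.
    print(evaluate_dmarc(forged, "pass", "bulk.provider.example", "fail", "strict.example"))
    # One aligned pass is enough, even if the other mechanism fails.
    print(evaluate_dmarc(forged, "fail", "strict.example", "pass", "strict.example"))
```

The pct handling is why the slide's "p=quarantine; pct=100" is the strong form: with pct below 100 a share of failing mail is handled one level more leniently, and with p=none (the bankofamerica.com record) a failure produces only a report.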
Hacking: "To Do List"

What is an attacker to do?

1. Research the target and see with whom s/he communicates.
2. See if you can determine how the recipient's spam filters work.
3. Find a good sender with weak/no SPF/DKIM support.
4. See if you can use the same servers/provider as that sender so that impersonations look legitimate.
5. Last resort: hack the sender's systems.
Counter Hack 3: Vigilance

1. Show "From Addresses"
2. Know your JavaScript exposure
   1. Loaded scripts, inline scripts, inline events (onClick), etc.
3. Be careful where you click!
   1. Copy and paste vs. hover vs. click
   2. Click protection scanning; on-click scanning
4. Always look for anomalies and reserve your trust.
Counter Hack 4: PKI

- Use digitally-signed messages (ya, encrypt too!) using PGP or S/MIME (like "Personal DKIM").
- No forwarding issues, intra-domain forgery, or same-provider forgery.
- Key exchange and technology buy-in are the issues here.
  - PGP has key servers
  - DIRECT puts S/MIME keys in DNS
  - Secure providers can do this for you
Counter Hack 5: What else?

Messaging portals with authentication requirements:
1. Support ticket systems
2. Secure message retrieval systems

Closed messaging systems: not using regular email, with identity verification built in from the beginning.
Take Away

- Use SPF, DKIM, and DMARC as strictly as possible.
- Tune your spam filters to pay attention to these.
- Do not trust your email; be vigilant.
- Never use untrusted messages for authorization of anything.
- Use PGP, S/MIME, or secure closed systems for secure and identifying communications.