
Global Scambaiting Forum  

How to Steal a Password!



Stealing (phishing) passwords to web-based email accounts is simple

by Heinz Tschabitscher


Hacking into somebody's web-based email account may be easier than you think, frighteningly trivial in fact. Here's how and why.


What to get from where


If we want to obtain something we need at least a vague idea of what that is and where we can get it.

Let's assume that we want to gain access to a system protected with a password. One way, an elegant way, to get into the system is to obtain the password. So the password is what we want.

Now we need to find out where to get the password from. Let's also assume that the person who issued the password, the password holder, is able to reproduce it if necessary.


How to get it


Under which circumstances will she be willing, eager even, to give away that precious phrase?

Right.


Whenever the password is needed to access the protected system she will issue it without suspicion and actually believing she is doing something right. Of course she will have a more or less precise idea of the environment where it is not only required but also "safe" to enter the password.


Our goal thus is to emulate this environment as exactly as possible.


How it Works


When a Hotmail session has been idle for some time, for example, the user is automatically logged out and upon a request to access her account has to re-login.

If this re-login screen is emulated in an email, what is intended to be a security feature turns into a security risk. You type in the password to log into Hotmail again, but the password is silently sent to the password phisher instead.

Of course, a web-based email's log-in screen could also be replaced with an exact copy that sends the user name and password to the password thief instead of (or in addition to) logging you in.


How to Stop it


Unfortunately, no foolproof way to prevent a mimicry attack seems to exist and no "fix" is actually possible (there is nothing "broken"). All we can do is be alert and make imitating the login process more difficult.


You can increase your email's security by

• being generally suspicious and
• thinking two times before you type any password anywhere.


How Can You Protect Yourself?


Why Steal Your Password?


As in the scenario described at the beginning, there are many uses that people make of stolen computer accounts. These range from nuisance attacks (sending "joke" email that appears to be from you) to illegal activity (breaking into computers or selling stolen goods). The attraction for the hacker is the potential to carry on these activities by using someone else's identity.


The more accounts the attacker has, the easier it is to hide his or her real identity and location. The primary reason people break in to systems and install sniffers is to steal as many accounts as they can, as quickly as possible.


How Can You Protect Yourself?


You might be thinking that sniffers make the entire Internet completely insecure and that you shouldn't touch it with a ten-foot keyboard. Not at all. You just need to know where the risk is, when you are at risk, and what to do to be safer.


Think of your password as you would your credit card number. When you purchase an item in a store or over the phone with your credit card, that number is visible to others--just as your password is visible during some transactions. If you suspect that someone has your credit card number and may use it, you call your bank and get a new number.


Since passwords are sometimes stolen, it is essential that you change your password regularly. This precaution limits the amount of time a stolen password can be used by an attacker.

It is never a good idea to share your password with others. Sharing accounts makes it difficult for you to know where your password is being used (and exposed) and harder to detect unauthorized use.


Never give your password to someone who calls you on the phone claiming to be a "C&C Computer Operator" or a "UW Security Officer" saying they need to verify information about your account to fix a problem or to investigate a system break-in. C&C staff would not, as a matter of policy, ask someone for their password over the phone. This type of trickery (known as "social engineering") is probably the simplest and most effective method of hacking.


Using Networks You Can Trust


You also need to know which networks you can trust, and which ones you can't. If you go on vacation, for example, and log on to your UW account remotely at an Internet Cafe in Europe or on a colleague's computer at another university, are you sure you can trust that network?


The path you use to connect to Homer determines whether your password is vulnerable to a sniffer. Switched LANs and direct dial-in are trusted because they do not share data with computers that could be running a sniffer program.


If you ever have to use Telnet on a network you are not sure you can trust, take advantage of the fact that sniffers usually only look at the first few packets of each session. Simply change your password right before you log out each time. If your password was sniffed when you logged on, it will no longer be valid.


No Quick Fix


Why have networks remained vulnerable to sniffers for so long? There are a number of reasons.


Part of the problem is that software companies see the trade-off between spending resources on new features versus adding security. Tight security features often make the systems harder to set up or less convenient to use.

Another part of the problem is the added cost for Ethernet switches, hubs, interface cards that don't support a special "promiscuous" mode that sniffers can use, and new software.

And, finally, part of the problem is incompatibilities between security software products: vendor A software to vendor B software, and older software to newer software.


What Network Administrators Are Doing


Just as stores and restaurants now use carbonless receipts to prevent credit card numbers from winding up in trash cans, your department or network provider can also do things to secure your password over their LAN. Many departments use:

• Network cards that cannot be put in promiscuous mode, so computers cannot be hijacked and turned into sniffers
• Encryption packages that eliminate clear text passwords

Many of these and other steps are already being taken campus-wide. The residence halls, for example, have scrambling hubs. The networks that serve the dial-in modem pools are not shared with any computers. And the UW network backbone and server subnets, made up of Ethernet switches, likewise cannot be sniffed.
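The article mentions network cards that cannot be put into promiscuous mode, the mode a sniffer relies on. The flip side for an administrator is checking whether any interface on a host has been switched into that mode. The script below is an added example, not part of the original article: it parses the flag list printed by `ip link show` on Linux (the sample output is constructed) and, where available, reads the raw flag word from sysfs, using the IFF_PROMISC bit (0x100) from the kernel's if.h.

```python
"""Flag network interfaces that are in promiscuous mode (added example)."""
import os
import re

IFF_PROMISC = 0x100  # bit value of IFF_PROMISC in <linux/if.h>

# Constructed sample of `ip -o link show` output; eth0 has PROMISC set.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
"""

# "<index>: <name>[@peer]: <FLAG,FLAG,...>" is the first line for each interface.
_LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")


def parse_ip_link(output):
    """Return {interface_name: set_of_flags} from `ip link show` text.

    Continuation lines (link/ether ...) do not match and are skipped."""
    result = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = set(m.group("flags").split(","))
    return result


def promiscuous_interfaces(output):
    """Sorted names of interfaces whose flag list contains PROMISC."""
    return sorted(name for name, flags in parse_ip_link(output).items()
                  if "PROMISC" in flags)


def promiscuous_from_sysfs(base="/sys/class/net"):
    """Live check on Linux: test the IFF_PROMISC bit of each interface's
    flag word in sysfs. Returns [] where sysfs is not available."""
    found = []
    if not os.path.isdir(base):
        return found
    for name in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)  # e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(name)
    return found


if __name__ == "__main__":
    print("sample output:", promiscuous_interfaces(SAMPLE_IP_LINK))
    print("this host:    ", promiscuous_from_sysfs())
```

A bridge port or a packet capture started by an administrator also sets the flag, so a hit is a lead to investigate (which process opened the raw socket, and who started it), not proof of a sniffer.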


Adding a few switches to the subnet does not alone provide privacy protection to the devices connected to it; the privacy goal is only achieved as part of a coordinated upgrade to an entire subnet. C&C has requested funding to begin these projects, as part of an overall campus network upgrade, but it will take quite a while to complete the entire campus.


Departmental computer lab managers or others with special requirements should contact help@cac.washington.edu or for assistance in this area.


Future Network Security


The next level of security on campus will be achieved using encryption (to be covered in our Autumn issue). When passwords are encrypted, the UW network will be much more secure, but only when implemented on all computers you use in your department, in your home, and at other institutions outside the UW where you may have accounts.


One encryption technology that C&C has been exploring is called Kerberos. It is currently being used within the C&C computing clusters, but passwords coming from departmental desktop machines are not yet protected.


C&C has also installed ssh (Secure Shell--a secure login, remote shell, and file transfer program) on all Uniform Access systems, so you can start using it today. Ask your departmental network administrators about using ssh. If you use ssh you can still be sniffed, but because of the encryption it looks like meaningless garbage. If you do start using ssh, it will not be a problem when Kerberos is fully implemented because they are independent technologies.


In the future, more security will be built into the computing and networking infrastructure and the products you use. But like locks on your car and home, you still need to know how and when to use them. Security is never something you can take for granted.


Chinese bank - new home to phishing scamsters


Criminals appear to be using a Chinese bank's server to host phishing sites to steal personal data from customers of eBay and a major US bank. That's according to Internet services company Netcraft, which claims that it's the first time that one bank's infrastructure has been used to exploit another bank.


A user of Netcraft's free phishing toolbar reported receiving a suspicious e-mail, said Paul Mutton, an Internet services developer for Netcraft. The e-mail led to phishing sites located in hidden directories on a server with IP addresses belonging to the Shanghai branch of China Construction Bank Corp., a state-owned bank with more than 14,000 branches.


One of the phishing sites offered customers of Chase Bank, part of JP Morgan Chase, a chance to receive US$20 for filling out a survey. The survey asked for the user's ID and password so the money could be deposited. Further, it requested the person's bank card number, PIN, card verification number, mother's maiden name and their US Social Security number, Netcraft said.

The submitted data is then apparently sent to a form processing server in India, Netcraft said.


The site pulls images and style sheets from Chase Bank's web page. The method is known as "hot-linking" or "bandwidth leeching," Netcraft said. But it also leaves a trail, as the server the images are pulled from retains a log of the IP addresses of computers that requested the images, Mutton said.
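The trail Mutton describes is in the impersonated site's own access log: every browser that renders the fake page fetches the real logo and style sheet, and sends the fake page's URL in the Referer header. The script below is an added example, not from Netcraft or the article, of turning that into a detection: it reads web server log lines in the common "combined" format (the sample lines and host names are constructed), keeps only requests for static assets, and groups the ones whose Referer points outside the site's own host names.

```python
"""Spot phishing pages that hot-link a site's images and style sheets (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host names that legitimately embed these assets (constructed for the example).
OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}
ASSET_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")

# Constructed access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2006:13:55:36 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://www.example-bank.test/login" "Mozilla/4.0"
198.51.100.23 - - [10/Apr/2006:13:56:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://192.0.2.44/~hidden/survey.html" "Mozilla/4.0"
198.51.100.23 - - [10/Apr/2006:13:56:01 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "http://192.0.2.44/~hidden/survey.html" "Mozilla/4.0"
192.0.2.9 - - [10/Apr/2006:13:57:10 +0000] "GET /login HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hotlinkers(lines, own_hosts=OWN_HOSTS):
    """Group asset requests by the foreign host in their Referer.

    Returns {referer_host: {"urls": set, "clients": set, "hits": int}}.
    Each 'url' is a candidate phishing page; each 'client' is a visitor
    (possibly a victim) whose browser rendered it."""
    findings = defaultdict(lambda: {"urls": set(), "clients": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(ASSET_EXT):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue  # no Referer: direct load, cache, or header stripped; not conclusive
        host = urlsplit(ref).hostname
        if host is None or host in own_hosts:
            continue
        entry = findings[host]
        entry["urls"].add(ref)
        entry["clients"].add(rec["ip"])
        entry["hits"] += 1
    return dict(findings)


if __name__ == "__main__":
    for host, info in find_hotlinkers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['hits']} asset hits from {len(info['clients'])} "
              f"clients, pages: {sorted(info['urls'])}")
```

Run it over the real log with the site's own host names (and any CDN or partner sites that legitimately embed the assets) in `OWN_HOSTS`; a bare IP address or an unfamiliar domain as the Referer host, as in the sample, is exactly the pattern the article describes.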

There doesn't seem to be any advantage to the phishers in using a bank to host the fake page, which doesn't appear as a secure site to the browser. The URL of the site appears as an IP address rather than Chase Bank's domain name, another suspicious indicator.


On Saturday, Netcraft also found a fraudulent eBay login page with an IP address registered to the Chinese bank.

The fake eBay page carried a VeriSign seal, which is supposed to take visitors clicking on it to a page on VeriSign's site vouching for the security of the site. However, the seal used vouches for the security of an entirely different site.
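Between them, the first article (a copied login screen that silently sends the password elsewhere) and this report (a bare IP address instead of the brand's domain, a "survey" that asks for PIN, card number and Social Security number alongside the password, hot-linked images, a seal that vouches for a different site) list the indicators a checker can look for in a suspicious page. The code below is an added example, not Netcraft's toolbar or anything from the article: given a page URL and its HTML, it reports which of those indicators are present. The sample pages and host names are constructed, and the query parameter names `host`, `domain` and `site` used to read what a seal link vouches for are an assumption.

```python
"""Report phishing indicators in a login page's HTML (added example)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import parse_qs, urljoin, urlsplit

# Field-name fragments that have no business on a login form.
SENSITIVE = ("pin", "ssn", "social", "card", "cvv", "cvc", "maiden", "mmn")
# ASSUMPTION: parameter names a seal/verification link might use for the vouched host.
SEAL_PARAMS = ("host", "domain", "site")


class _Collector(HTMLParser):
    """Collect forms (with their inputs), embedded assets and anchor links."""

    def __init__(self):
        super().__init__()
        self.forms, self.assets, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))
        elif tag in ("img", "script") and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.assets.append(a["href"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _host(url, base):
    return urlsplit(urljoin(base, url)).hostname


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(page_url, html):
    """Return a list of human-readable findings; [] means none of the checks fired."""
    c = _Collector()
    c.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    if _is_ip_literal(page_host):
        findings.append("page served from a bare IP address, not a brand domain")
    for form in c.forms:
        has_password = any(t == "password" for _, t in form["fields"])
        action_host = _host(form["action"], page_url)
        if has_password and action_host and action_host != page_host:
            findings.append(f"password form posts to another host: {action_host}")
        extra = sorted({n for n, _ in form["fields"] if any(k in n for k in SENSITIVE)})
        if has_password and extra:
            findings.append("login form also asks for " + ", ".join(extra))
    foreign = sorted({_host(u, page_url) for u in c.assets} - {page_host, None})
    if foreign:
        findings.append("images/styles hot-linked from: " + ", ".join(foreign))
    for href in c.links:
        query = parse_qs(urlsplit(href).query)
        for key in SEAL_PARAMS:
            for vouched in query.get(key, []):
                if vouched.lower() != page_host:
                    findings.append(f"seal/verification link vouches for {vouched}, not {page_host}")
    return findings


# Constructed sample: a "survey" page of the kind the report describes.
SAMPLE_URL = "http://192.0.2.44/~hidden/survey.html"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="http://www.example-bank.test/css/site.css"></head>
<body><img src="http://www.example-bank.test/images/logo.gif">
<form action="http://forms.example-processor.test/submit.php" method="post">
<input name="userid"><input type="password" name="password">
<input name="cardnumber"><input name="pin"><input name="ssn"><input name="mmn">
</form>
<a href="https://seal.example-seal.test/verify?host=www.other-site.test">seal</a>
</body></html>
"""
# Constructed sample: the legitimate login page, for comparison.
BENIGN_URL = "https://www.example-bank.test/login"
BENIGN_HTML = """
<html><body><img src="/images/logo.gif">
<form action="/login" method="post">
<input name="userid"><input type="password" name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_URL, SAMPLE_HTML):
        print("-", line)
    print("benign page:", phishing_indicators(BENIGN_URL, BENIGN_HTML))
```

None of these checks is conclusive on its own (a legitimate site may post its login form to a separate auth host, or serve images from a CDN), which is why the function returns every finding rather than a verdict; several together, as in the sample, are the pattern the report describes.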


China Construction Bank may be unaware that someone has exploited a security vulnerability on their server, Mutton said. It's also possible the server is infected with a worm that may be allowing unauthorised access, he said.

The scam could also be an inside job. "Anyone who has access to a server either authorised or unauthorized could have done it," Mutton said.


© 2006-2011 by GSO