TabNabber with Social-Engineer Toolkit v0.6

The Social Engineering Toolkit (SET) has been updated to perform “TabNabbing” attacks.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: a user has multiple tabs open and surfs to a site that uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

An attacker now just needs a copy of SET to automate the entire process — replicate a website and then get a victim to access the decoy by manipulation of browser tabs.

This video shows a successful attack using Google mail as the decoy.

Social-Engineer Toolkit (SET) v0.6 – Coming soon… from David Kennedy on Vimeo.
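As an added example that is not part of the original post or of SET, here is a defender-side check in JavaScript that implements the detection the description above implies: snapshot the identity-bearing parts of a page when its tab is hidden and compare them when the tab is shown again, since a tabnab rewrites the page in place without navigating. The field names, the risk levels and the sample page states are constructed for this example.

```javascript
// Pure comparison: which identity-bearing fields differ between two snapshots?
function diffSnapshots(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.iconHref !== after.iconHref) changed.push('iconHref');
  if (before.formActions.join('\n') !== after.formActions.join('\n')) changed.push('formActions');
  return changed;
}

// A tabnab rewrites the page in place, so "identity changed, URL unchanged" is
// the signal. Favicon or form-target changes rate 'high'; a title-only change
// rates 'low' because apps legitimately update titles while hidden (unread counters).
function tabnabRisk(before, after) {
  if (before.href !== after.href) return 'none'; // real navigation, not a tabnab
  const changed = diffSnapshots(before, after);
  if (changed.includes('iconHref') || changed.includes('formActions')) return 'high';
  return changed.length ? 'low' : 'none';
}

// Browser adapter: read the same fields from a live document.
function snapshotDocument(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    href: doc.location.href, title: doc.title,
    iconHref: icon ? icon.getAttribute('href') : null,
    formActions: Array.from(doc.forms, f => f.getAttribute('action') || '').sort(),
  };
}

// Snapshot when the tab is hidden, compare when the user switches back.
function installTabnabWatcher(doc, report) {
  let hiddenState = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') { hiddenState = snapshotDocument(doc); return; }
    if (!hiddenState) return;
    const now = snapshotDocument(doc);
    const level = tabnabRisk(hiddenState, now);
    if (level !== 'none') report(level, diffSnapshots(hiddenState, now));
  });
}

// Constructed sample states: a news article as it was when hidden, and the same
// URL after an in-place rewrite into a mail-provider login lookalike.
const HIDDEN_SNAPSHOT = { href: 'https://news.example/story/42', title: 'Daily News - Story',
  iconHref: '/favicon.ico', formActions: [] };
const VISIBLE_SNAPSHOT = { href: 'https://news.example/story/42', title: 'Sign in - Example Mail',
  iconHref: 'https://cdn.example/mail-icon.png', formActions: ['https://news.example/collect'] };
// In a browser (e.g. as a userscript) start watching; in Node only the pure functions run.
if (typeof document !== 'undefined') installTabnabWatcher(document, (level, fields) =>
  console.warn(`possible tabnabbing (${level}): ${fields.join(', ')} changed while hidden`));
```

The same-URL check keeps ordinary navigation out of the alert path; the title-only rule is the knob to tune against single-page apps that rewrite their own title in the background.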

Cloud Architecture: Mother of All Lock-ins?

The CEO of Red Hat, Whitehurst, was quoted by Computerworld today regarding proprietary architecture:

Cloud architecture has to be defined in a way that allows applications to move around, or clouds can become the mother of all lock-ins, warned Red Hat’s CEO James Whitehurst.

This raises the question of incentives. At first glance it seems vendors have every reason to make the exit cost high for customers: it helps them ensure loyalty to a platform that has recurring revenue.

However, when security is factored in, the exit cost carries an additional risk that vendors and service managers must take into account.

Take for example the trouble Microsoft has convincing users of version six of its web browser (IE6) to upgrade, as I posted recently. Jeremiah Grossman, CTO of White Hat Security, sent me a nice summary in response:

MS is suffering the long term effects of successful proprietary technology.

A web browser is free, which alters the model slightly compared with cloud services, but it still illustrates a situation where vendors have a big incentive to provide an easy exit path. I will skirt the issue of whether open systems are more secure than closed. Suffice it to say that, given the rate of discovery of software flaws, every cloud vendor should be a huge advocate for the benefits of an easy upgrade/migration path.

The Network Solutions breach is another example. At the time of the compromise the company revealed that a vast number of accounts ran applications on a service that was still supported but “old and no longer in development”. While both the old and new platforms were compromised, a single re-architecture and security fix surely could have been less costly. Did the cost of the fix exceed the cost of a migration path?

Thus, the requirement for a well-managed security life-cycle can help foresee and dissipate risks related to lock-in. Computerworld unfortunately does not mention security in the article. Instead they focus on the usual cloud topics such as performance and resource allocation/sharing.

To be able to move a workload from a data center to a cloud or between two clouds, a connecting API (application programming interface) is needed, and there are a plethora of different ones being developed. Fewer would be better, according to Whitehurst. However, the real challenge isn’t the API, but ensuring that the application will run with the same performance when it has been moved. That is what Red Hat is focusing on. Getting an API in place that allows a workload to be moved is only 10% of the work, Whitehurst said.

Performance. Access to resources that scale is an obvious benefit. Performance gains definitely drive cloud projects as well as marketing. A less obvious benefit, apparently, is the ease of migration from insecure to secure platform (including physical to virtual). How many customers today feel locked-in to old and obsolete hardware that keeps them exposed to known security risks?

Migration tools that break hardware lock-ins, like Microsoft’s disk2vhd, which I profiled earlier, are not only good for the customer but good for the vendors. Microsoft really, really wants you to stop running NT4 — there is a point at which the proprietary/lock-in model actually hurts the vendor. That is why I would say a good migration strategy benefits the vendors as well as customers: it helps avoid obsolescence and significantly reduces the cost of managing security. This makes Whitehurst’s point about avoiding lock-ins even more poignant.

Pigeon Accused of Spying

My joke about surveillance seagulls is more relevant than I could have ever imagined. An amusing story called “Pak pigeon has police in flutter” has been published in the Hindustan Times.

In an era of spy planes and satellites, the Amritsar (rural) police have detained a white pigeon that could have been — the police claim — used as a Pakistani spy.

The pigeon was reportedly spotted in Ramdas, a tiny town close to the Indo-Pak border, with a Pakistani stamp imprinted and a Pakistani phone number written on its feathers.

What happens if you call the number?