Post on 14-Apr-2018
transcript
7/30/2019 Fowler Phish
1/15
System Maintenance: Please verify your details
Or bloody scammers, they're at it again
IT Services, Loughborough University
System Maintenance: Please verify your details
From: J.Bloggs@some-uni.ac.uk
Reply-to: dodgy@bigfreemailer.com
Date: Thu, 28 May 2009 09:00:00 +0100
Subject: SOME-UNI.AC.UK WEBMAIL MAINTENANCE
Dear E-mail User,
To complete your Account Verification process, you are to reply this
message and enter your Username and Password respectively in the space
provided below this email. You are required to do this before the next
48hrs of receipt of this e-mail, or your mail Account will be
de-activated and erased from our Database. Your account can also be
verified at:
https://student.some-uni.ac.uk/webmail/
Enter Username ( )
Enter Password ( )
Thank you for using SOME-UNI.AC.UK WEBMAIL
Today's session
Evolution of spam Defences
Our new approach to spear phishing
Evolution of spam
Originally no more than an irritation
Marketing, sales relatively innocuous
Developed over the years
advance fee fraud, lottery scams etc
still money-related in the main
Now much more sinister
Volume
Huge volume
Huge numbers of machines
Defence in depth
Filtering as messages arrive
Network level
Protocol level
DNSBLs
IP, Netblock, AS Reputation checks
Signatures (DCC Servers for example)
Anti Virus
Content scanning
Heuristics
...
What's next? (Not the FUSSP, the Final Ultimate Solution to the Spam Problem, that's for sure)
How do we keep up?
A New Approach
We can't control the input properly...
...but (fanfare): we can control the output.
...we can then protect our systems and users
Our solution is called Kochi:
http://oss.lboro.ac.uk/
Kochi: how it works
Content scanning of outbound messages
Outbound == traversing our mail routing infrastructure
Message passed during SMTP transaction by MTA to a filter daemon (written in Perl)
Uses ClamAV's daemon API
Already accessible to a large number of MTA applications
Simple pass/fail result, with details
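The slide says the filter daemon reuses ClamAV's daemon API, so an MTA that can already talk to clamd (Exim's av_scanner, Postfix milters, amavisd) needs no new glue. What that API looks like on the wire is shown below as an added Python example; it is not Kochi's Perl code. It implements both sides of clamd's INSTREAM exchange: the MTA sends "zINSTREAM\0" followed by chunks of 4-byte big-endian length plus data and a zero-length terminating chunk, and the daemon answers "stream: OK\0" or "stream: <name> FOUND\0". The detection name Kochi.CredentialDisclosure, the detector callable and the 25 MB limit (clamd's default StreamMaxLength) are assumptions made for the example.

```python
import struct

# Assumption: mirror clamd's default StreamMaxLength so an oversized message
# gets the same "INSTREAM size limit exceeded. ERROR" reply a real clamd gives.
STREAM_MAX = 25 * 1024 * 1024
# Hypothetical "signature" name; clamd reports hits as "stream: <name> FOUND".
DETECTION_NAME = b"Kochi.CredentialDisclosure"
CMD_Z, CMD_N = b"zINSTREAM\0", b"nINSTREAM\n"   # NUL- or newline-delimited form


def encode_instream(message, chunk_size=8192):
    """Client side (the MTA): 'zINSTREAM\\0', then chunks of 4-byte big-endian
    length + data, closed by a zero-length chunk."""
    out = [CMD_Z]
    for i in range(0, len(message), chunk_size):
        chunk = message[i:i + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_instream(body, limit=STREAM_MAX):
    """Server side: reassemble the chunked body. Returns (message, None) on
    success or (None, error_text) when the stream exceeds LIMIT; a body that
    ends before its zero-length terminator raises ValueError."""
    parts, total, pos = [], 0, 0
    while True:
        if len(body) < pos + 4:
            raise ValueError("truncated INSTREAM body")
        (n,) = struct.unpack(">I", body[pos:pos + 4])
        pos += 4
        if n == 0:
            return b"".join(parts), None
        total += n
        if total > limit:
            return None, "INSTREAM size limit exceeded. ERROR"
        if len(body) < pos + n:
            raise ValueError("truncated INSTREAM chunk")
        parts.append(body[pos:pos + n])
        pos += n


def handle(request, detector, limit=STREAM_MAX):
    """Answer one request the way clamd would, with DETECTOR (a callable taking
    the message bytes and returning True on a hit) in place of AV signatures."""
    if request in (b"zPING\0", b"nPING\n"):
        return b"PONG" + request[-1:]
    for cmd in (CMD_Z, CMD_N):
        if request.startswith(cmd):
            delim, body = cmd[-1:], request[len(cmd):]
            break
    else:
        return b"UNKNOWN COMMAND\n"
    try:
        message, err = parse_instream(body, limit)
    except ValueError:
        return b"INSTREAM: truncated stream. ERROR" + delim   # our wording, not clamd's
    if err is not None:
        return err.encode() + delim
    verdict = DETECTION_NAME + b" FOUND" if detector(message) else b"OK"
    return b"stream: " + verdict + delim


if __name__ == "__main__":
    # Constructed sample: a victim's reply to the phish on slide 2.
    sample = b"Enter Username ( cogef )\nEnter Password ( Tr0ub4dor! )\n"
    naive = lambda msg: b"Password (" in msg   # placeholder detector for the demo
    print(handle(encode_instream(sample, chunk_size=7), naive))
```

The MTA sees exactly the verdict format it already parses for viruses, so "FOUND" can be routed to whatever action the site chooses (slide 11) without the MTA knowing anything about credentials.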
How it works in more detail
First search for key words (big, complex regex) such as
user, username, pass, password
If keywords found (or skipped), tokenise email into candidate user/pass strings
Our defined password policy gives us a regex:

    ## Regular expression matching valid passwords: six or more allowed
    ## characters containing lower+upper+digit, lower+upper+symbol or
    ## upper+digit+symbol
    my $regex = qr{
        (?: (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[0-9])
          | (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[^a-zA-Z0-9\s])
          | (?=\S*?[A-Z])(?=\S*?[0-9])(?=\S*?[^a-zA-Z0-9\s])
        )[-0-9a-zA-Z_=\+\!"\$\%^\&\*\(\)\[\]\{\}\\;:\'\@#~\/\?\.,\|\`]{6,}
    }x;

Likewise for usernames (big regex!)
Token Pair Authentication
Can hook into all manner of authentication schemes (did I say it's written in Perl?)
If PAM available
combine auth schemes
check multiple auth backends
abstract methodology tailored to platform
Pass/Fail is cached to limit impact on auth backend
If authentication succeeds...
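The pipeline described on the previous two slides (keyword gate, tokenising the message into candidates, the password-policy regex, then trying each username/password pair against the real authentication backend with a cached pass/fail) is shown below as an added Python example; it is not Kochi's Perl code. The password regex is a direct port of the one on the previous slide, including its three alternations. The username regex, the wrapping-punctuation set, the PBKDF2-hashed stand-in backend and the per-username attempt cap (added here because of the lockout problem discussed later) are assumptions made for the example; the sample reply is constructed.

```python
import hashlib
import hmac
import re

# Python port of the Perl password-policy regex: the same three alternations
# (so, like the original, lower+digit+symbol with no upper case is not
# covered), the same allowed characters and a six-character minimum.
PASSWORD_RE = re.compile(r"""
    (?: (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[0-9])
      | (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[^a-zA-Z0-9\s])
      | (?=\S*?[A-Z])(?=\S*?[0-9])(?=\S*?[^a-zA-Z0-9\s])
    )[-0-9a-zA-Z_=+!"$%^&*()\[\]{}\\;:'@\#~/?.,|`]{6,}
""", re.VERBOSE)

# The slides do not show the username regex; this stand-in is an assumption:
# a lowercase alphanumeric name of three to eight characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{2,7}")

# Keyword gate (user, username, pass, password); can be switched off.
KEYWORD_RE = re.compile(r"\b(?:user(?:name)?|pass(?:word)?)\b", re.IGNORECASE)

# Punctuation a reply typically wraps round a pasted credential: "( Pa55w0rd )".
WRAPPING = "()[]<>\"'`.,;:"


def candidates(text, pattern):
    """Tokenise on whitespace; keep each token, and the token with wrapping
    punctuation stripped, when it matches PATTERN entirely. First-seen order."""
    found = []
    for tok in text.split():
        for variant in (tok, tok.strip(WRAPPING)):
            if variant and pattern.fullmatch(variant) and variant not in found:
                found.append(variant)
    return found


class HashedBackend:
    """Constructed stand-in for the real auth backend (Kochi hooks PAM and
    friends); stores PBKDF2 hashes and counts how often it is consulted."""

    def __init__(self, users):
        self.calls = 0
        self.store = {}
        for user, password in users.items():
            salt = hashlib.sha256(b"demo-salt:" + user.encode()).digest()[:16]
            self.store[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000)

    def check(self, user, password):
        self.calls += 1
        entry = self.store.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, self._hash(password, salt))


class Scanner:
    """Token pair authentication with a pass/fail cache, plus an attempt cap
    per username (our addition) so one message cannot lock an account."""

    def __init__(self, backend, max_tries_per_user=5, require_keyword=True):
        self.backend = backend
        self.max_tries = max_tries_per_user
        self.require_keyword = require_keyword
        self.cache = {}  # (user, password) -> bool

    def authenticate(self, user, password):
        key = (user, password)
        if key not in self.cache:
            self.cache[key] = self.backend.check(user, password)
        return self.cache[key]

    def scan(self, text):
        """Return (found, details): the simple pass/fail result with details.
        The matching password is deliberately not part of the details."""
        details = {"keyword": bool(KEYWORD_RE.search(text)),
                   "users": 0, "passwords": 0, "tries": 0, "username": None}
        if self.require_keyword and not details["keyword"]:
            return False, details
        users = candidates(text, USERNAME_RE)
        passwords = candidates(text, PASSWORD_RE)
        details["users"], details["passwords"] = len(users), len(passwords)
        for user in users:
            for password in passwords[:self.max_tries]:
                details["tries"] += 1
                if self.authenticate(user, password):
                    details["username"] = user
                    return True, details
        return False, details


# Constructed sample: what a victim's reply to the slide 2 phish looks like.
LEAKED_REPLY = """Dear IT, as requested:
Enter Username ( cogef )
Enter Password ( Tr0ub4dor! )
Thanks"""

if __name__ == "__main__":
    scanner = Scanner(HashedBackend({"cogef": "Tr0ub4dor!"}))
    print(scanner.scan(LEAKED_REPLY))
```

Two things worth noticing when running it: a benign message that merely mentions "password" passes the keyword gate but produces no password candidates, so the backend is never touched; and scanning the same leaked reply twice costs one backend call, which is the cache doing its job.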
Acting on detection results
...your choice of action
Don't bounce or reject the message!
We discard the message and generate an autoreply in a standard format:

Your message with subject "$h_Subject:", contained a valid Loughborough
University username and password.
The message has not been sent.
Usernames and passwords must never be disclosed by e-mail.
If you feel you have received this message in error, please forward this
message to it.services@lboro.ac.uk
--
IT Services
Side effects - good
Not only stops phishing
Enforces local policy
Acceptable Use
Security
Good IT practice
...some users try to brute-force around it!
Side effects - bad
Difficult to utilise in systems with lockout after repeated failures
Accounts will be locked!
...can use abstraction in certain systems
Windows Server 2008 AD has fine-grained password security policies but can still be a problem
Makes it near impossible to send passwords for user-registered services
Some statistics
[Chart: daily detection count and 7-day average, 16/02/2009 to 17/05/2009, y-axis 0 to 20]
3rd & 4th March - 66 and 13 detections respectively, due to registration on a non-IT Services system
30th Mar - phish to 1000 recipients, 0 responses
16th May - phish to 1600 recipients, 3 responses
Summary
Spam, phishing very difficult to stop
Concentrate where possible on detection of responses
Kochi can help!
http://oss.lboro.ac.uk/kochi1.html
Graeme Fowler, G.E.Fowler@lboro.ac.uk
IT Services, Loughborough University