Phishing and client side attacks, the future?

Published: 2012-04-07
Last Updated: 2012-04-07 01:13:46 UTC
by Mark Hofman (Version: 1)
5 comment(s)

I've been involved in a few penetration tests recently and one thing that seems to be happening is that privileged access is harder to come by. It used to be start at 9, have admin by 9:30 (on a slow day). Today it certainly tends to be a lot more work.

I put it down to improvements in security over the last few years in many organisations as well as improvements in operating systems. Love it or hate it, Windows 7 does a pretty good job of securing the machine. Combined with some practices like no local user admins, automatic patching and a decent HIPS, it can be quite a challenge to compromise a fully patched and well managed Windows box. OS X similarly has made some steps towards improving the security of the OS (if only they turned the firewall on by default :-( ). So if the operating system is pretty good and likely to get better, the attack vectors have to shift. Which is where client side attacks enter the picture: get the user to attack their system for you.

We have had some good examples of this in the past year where sites were reportedly compromised because someone clicked something they should not have, likely delivered via email. Just like the wooden horse, the gift was accepted (phishing email) and the trojan has the nasty surprise.

So on this long weekend (for many of you), I'd like you to have a little think and maybe complete the poll on the page or enter comments here. Phishing/social engineering emails and client side attacks: something we are going to see a lot more of in the future, or a passing fad?

Have a nice Easter for those that celebrate it. Have a great weekend for those that do not.


Hey Mark, I just wanted to comment on this. I am a Systems Administrator. I have a blog that I try to post information to, to help all those out there that may have questions. I believe that our best defense is education, to let less experienced people know of their risks when on the internet. I have seen an uptick in social engineering because of just what you stated: it is harder to break into a well protected network from the outside, however it is very easy if you can get a trusted user on the network to run the exploit for you. Here is my post. Thanks so much for all your info; it has been an important tool for me on a daily basis.

OSes have gotten better in their default security, but there are still easy openings, just in a different place. A lot of the attacks have shifted up towards the web application stack. There is a plethora of web applications running which are not properly configured, must run as root/administrator/special privilege, etc. I also don't think that root/administrator is nearly as important as it was back in the day. Getting an admin account in a web application can easily yield the data/control that the attacker is after, especially as many attacks are targeted to either steal data or inject their own code (bot, ads, kit, etc.).

I would agree with that, ashcrow. Websites these days are a dime a dozen. I have seen in the past few years many programmers switch into different languages because of how the economy has been. This has left many "shops" with people that have very little knowledge in the languages they are using and trying to build enterprise class applications. I have personally seen this happen. With that, the programmers don't have a proper base knowledge of the language and its best practices. They end up implementing code that works but is full of holes. Management has pushed for code changes to be out faster, but never reviews the code to ensure that the programmers were not exposing their data. We have truly gotten to the faster, harder, cheaper mentality. And I believe this has degraded the quality of the web applications for a lot of businesses. Web applications have become very easy to exploit as the languages have progressed to a feature rich environment. And the clients have pushed to have these applications more integrated into their internal systems, which is requiring a certain level of permissions for the services to be able to access network data. It all comes down to being careful and using best practices. Keep up to date with software, and most of all try not to become complacent.

I think Microsoft has made some substantial improvements in its security patching attitude. 10 years ago they seemed to reluctantly release their patches as if admitting a problem was bad. Now they typically patch as quickly as they can, after they have tested enough to feel comfortable that the patch will not cause problems (a patch cratering a system will scare people away from using future patches). That, combined with the release of Microsoft Security Essentials (free AV), at least gives them a method to help protect against some attack vectors before they can release updates and users have time to apply them. Apple and Google will also need to spend some time educating their users, as these two platforms are developing enough of a following that the number of devices now warrants more attention from virus and malware writers.

Targeted, client side attacks will definitely continue to be a trend. After all, "you can't patch stupid" (tm).

And there will always be organizations with Executives who are above any rules or security policies (often the very people targeted in phishing attacks) who will have local admin rights, who are allowed to run software not sanctioned by IT, etc.

As defenses for one threat vector are hardened, the no-goodniks will merely switch to a different vector...