On 22/09/11 15:08, Charles Marcus wrote:
> The only attack I haven't figured out how to eliminate is the social/phishing attack, where $DumbUser gives out their username password voluntarily... although I have been considering faking a phishing attack on my own users, and flagging the ones who fall for it for training.
The University I work at was suffering from this a *lot*. Phishers kept contacting our users pretending to be from our IT helpdesk asking users to reply with their login details so that their mailbox could be refreshed or so their quota could be fixed and other such things.
So I developed an application that sits on our outgoing mail routers looking for login credentials inside emails. If it finds any, it blackholes the email and sends an autoresponse to the sender telling them to never ever send login details via email under any circumstances. It Cc's me in too, and it catches people emailing their logins around on a *daily* basis.
Our usernames follow a very strict format, and we have a pretty strict password policy so what my program does is pull out a list of all the *possible* usernames and passwords and then attempts to authenticate against our AD using them.
I built it into a framework so other people can use it:
http://kochi.lboro.ac.uk/kochi1.html
You need to know how to write Perl though in order to use it. It's not plug and play.
We also added rate limiting to our outgoing mail, and a system which alerts us whenever anyone hits the limit. If it takes a phisher 2000 spams to get access to one account, but that one account only allows the phisher to send 1000 spams, then it completely destroys the point of what they're doing.
--
Mike Cardwell  https://grepular.com/  https://twitter.com/mickeyc
Professional   http://cardwellit.com/  http://linkedin.com/in/mikecardwell
PGP.mit.edu    0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
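The outbound-credential scanner Mike describes above, as an added example written for this page; it is not the Kochi framework's code (that is Perl) and does not reproduce Loughborough's real username format, password policy or mail setup. Everything specific here is an assumption: a hypothetical username format (two to six lowercase letters followed by one to three digits), a hypothetical password policy (8 to 20 characters with upper case, lower case and a digit), a constructed in-memory directory standing in for the AD bind, a constructed admin Cc address, and two constructed messages. The logic is the one in the post: pull every token that could be a username and every token that could be a password out of the outgoing message, try the combinations against the authentication backend, and if any pair works, blackhole the mail and generate an autoresponse to the sender with the admin copied in.

```python
"""Outbound-mail credential-leak scanner (added example; not the Kochi code)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Callable, Iterator, List, Optional, Tuple

# Hypothetical username format: 2-6 lowercase letters then 1-3 digits, e.g. "mjc42".
USERNAME_RE = re.compile(r"(?<![A-Za-z0-9])([a-z]{2,6}[0-9]{1,3})(?![A-Za-z0-9])", re.IGNORECASE)

# Constructed address that gets a copy of every autoresponse.
ADMIN_CC = "postmaster@example.ac.uk"


def meets_password_policy(token: str) -> bool:
    """Hypothetical policy: 8-20 chars, at least one upper, one lower, one digit."""
    return (8 <= len(token) <= 20
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token)
            and any(c.isdigit() for c in token))


def password_candidates(text: str) -> Iterator[str]:
    """Every whitespace-delimited token that fits the policy, plus the same token with
    trailing sentence punctuation stripped (users write 'my password is Summer2011.')."""
    seen = set()
    for tok in text.split():
        for cand in (tok, tok.rstrip(".,;:!?\"')")):
            if cand not in seen and meets_password_policy(cand):
                seen.add(cand)
                yield cand


def text_parts(raw: str) -> Iterator[str]:
    """Decoded text/plain bodies of a raw RFC 5322 message (single or multipart)."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            yield part.get_content()


def find_leaked_credentials(raw: str, authenticate: Callable[[str, str], bool],
                            max_attempts_per_user: int = 20) -> List[Tuple[str, str]]:
    """Try each (username, password) candidate pair against the backend.

    The per-user cap matters in production: every failed bind is a failed logon for
    that account, so an uncapped scanner can trip AD's lockout threshold itself."""
    text = "\n".join(text_parts(raw))
    users = list(dict.fromkeys(u.lower() for u in USERNAME_RE.findall(text)))
    passwords = list(password_candidates(text))
    leaked = []
    for user in users:
        for pw in passwords[:max_attempts_per_user]:
            if authenticate(user, pw):
                leaked.append((user, pw))
                break  # one hit per user is enough; stop generating failed logons
    return leaked


def handle_outbound(raw: str, authenticate: Callable[[str, str], bool]
                    ) -> Tuple[str, Optional[EmailMessage]]:
    """Return ("deliver", None) or ("blackhole", autoresponse) for an outgoing message."""
    leaked = find_leaked_credentials(raw, authenticate)
    if not leaked:
        return "deliver", None
    original = message_from_string(raw, policy=policy.default)
    reply = EmailMessage()
    reply["To"] = original["From"]
    reply["Cc"] = ADMIN_CC
    reply["Subject"] = "Your email was NOT sent: it contained your password"
    # Name the account but never echo the password back into another email.
    reply.set_content(
        "The message you just sent contained a working username and password for "
        f"{', '.join(u for u, _ in leaked)}. It has been discarded and not delivered.\n"
        "Never send login details by email under any circumstances; IT will never ask "
        "for them. Change your password now.\n")
    return "blackhole", reply


# --- constructed demo data (stand-ins for an AD bind and real traffic) ---
DIRECTORY = {"mjc42": "Summer2011!", "abc7": "WinterIsComing9"}


def demo_authenticate(user: str, pw: str) -> bool:
    """Stand-in for an LDAP simple bind against AD."""
    return DIRECTORY.get(user) == pw


PHISHED_REPLY = """\
From: Mike Example <mjc42@example.ac.uk>
To: helpdesk-refresh@mail-quota-fix.example
Subject: Re: Your mailbox will be closed
Content-Type: text/plain; charset="utf-8"

Hi, please don't close my mailbox. My username is mjc42 and my
password is Summer2011! Thanks.
"""

CLEAN_MAIL = """\
From: Mike Example <mjc42@example.ac.uk>
To: colleague@example.ac.uk
Subject: Tomorrow's meeting
Content-Type: text/plain; charset="utf-8"

See you at 10, room jc42 is booked. Bring the Q3 figures.
"""

if __name__ == "__main__":
    for name, raw in (("phished reply", PHISHED_REPLY), ("clean mail", CLEAN_MAIL)):
        action, reply = handle_outbound(raw, demo_authenticate)
        print(name, "->", action, "" if reply is None else f"(autoresponse to {reply['To']})")
```

In deployment `demo_authenticate` is replaced by a real bind against the directory, and the scanner runs on the outbound relay before the message reaches its next hop, which is why the reply to the phisher never leaves. Two points worth keeping from the example when adapting it: the autoresponse names the account but never repeats the password, and the number of bind attempts per username is capped, because the scanner's own failed logons are indistinguishable from a password-guessing attempt as far as the directory's lockout policy is concerned.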