Core Security Labs, in an announcement to the press at the 2010 RSA Security conference, has released a tool that makes it easier to perform attacks on users of the social network Twitter. Recently, a subspecies of phishing attacks has arisen, called “spearphishing,” and it’s this type of attack that the Core Security Labs tool facilitates. Most phishing attacks, in which the attacker impersonates a legitimate organization and persuades the victim to give the attacker their credentials, are spammed out, sent to everyone available. Spearphishing attacks are targeted to smaller groups, to organizations or individuals, and are often more effective because they are tailored to decieve that group specifically by including persuasive details related to the group or person. As social networks continue to grow in popularity, the information that people share publicly on such networks enable spearphishing attacks.
The CSL tool specifically uses Twitter to perform spearphishing attacks. A CSL researcher, Pedro Varangot, said that their tool is a framework that can be extended to use other social networks in the attack. The attack tool framework is built on the open-source programming language Python, a favorite language for projects in the open-source world. The researchers have not discovered any new software vulnerability - they’ve just found another vector by which to deliver phishing attacks, which are basically social attacks instead of technical attacks.
These attacks are very relevant because they affect Windows users, Mac users, and Linux users. Phishing attacks try to fool the user much more than they try to fool the computer. That means that no matter what operating system you use, you’re vulnerable to phishing attacks because you’re still using a human brain. Most phishing attacks, to IT people, look ludicrously simple to avoid - but there are a lot of them, and the attacker has the advantage that they only need to succeed once to win big. We defenders need to succeed all of the time just to keep a status quo that’s favorable to us.
Further, this illustrates one of Linux’s major roles in the security world: many major security tools, especially penetration-testing tools like the CSL tool and the Metasploit framework (which some of us saw in action at the RSA conference) are built on Linux. Linux’s modification-friendliness means that it’s a superior platform for performing attacks. It’s easier to modify Linux into an attack platform than it is to twist Windows into that role. Regardless of platform, though, it’s very important for us as IT people to keep in mind that we’ve progressed in security to the point where we humans are the weakest part of the security fence - and so there are more and more attacks that target the weaknesses in human brains instead of in software. Going forward as IT professionals, all of us will need to be educators about those weakness - and about how to compensate for them.
At least until we have clients and IT users who are not human, which will bring its own set of problems.