By William Jackson
Symantec reports a disturbing trend in recent months. It has detected
phishing sites hosted on government URLs. These apparently are not
spoofed addresses but phony sites hosted on genuine government servers.
Fortunately, the company does not report any so far using the U.S.
governments .gov domain. But last month it found the sites on government
servers in Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri
Lanka, Ukraine, China, Brazil, Bosnia-Herzegovina, Columbia and
Malaysia. Even if the trend has not shown up here, this wrinkle adds new
complexity to the risk-based analysis of government computer systems.
Phishing sites are Web sites built by data thieves to mimic authentic
business or government sites with the intention of harvesting
information. If a victim can be lured to the site, valuable credit card
information or account passwords could be gathered from the phony forms
hosted there. This data is worth money on the underground market and
could lead to identity theft or account fraud.
The trick is not new, and it is not too hard to spoof an address and
make a site mimic a genuine one. But browsers are getting better at
detecting this type of fraud, and the best way for the attackers to
counter it is to host the site on a server using the desired domain so
the resulting URL is genuine. Symantec noted that hosting a phishing
site on an actual government URL gives a sense of authenticity thats
hard to beat.
So how does the attacker get access to a highly secure government
server? The answer is that he probably doesnt. He doesnt need to. All he
has to do is get access to any government server. One is as good as
another. Classified and vital national security systems probably are
pretty well locked down in this country and in any other. But there are
plenty of servers doing mundane, low-risk jobs and serving up routine
information of no sensitivity whatsoever, and these receive much less
attention and resources from security officers.
This raises a knotty problem. Under the Federal Information Security
Management Act, information technology security in the federal
government is based on a philosophy of risk management. It does not aim
for absolute security which is impossible anyway but for the proper
level of security. Administrators do a risk-based assessment of their IT
systems, prioritizing them by their vulnerabilities, their role in the
agencys mission and the criticality of that mission. Any vulnerable
server presents a risk, but that risk is lower if the server is not
doing a critical or particularly sensitive job. Resources are focused on
locking down the critical elements of the system.
But these government-hosted phishing sites illustrate that you also have
to consider the impact of a compromise on others. An agency might be
able to continue functioning just fine with a phishing site on one of
its servers, but many citizens who think they are doing business with
that agency could get hurt. That danger should be factored into any risk
assessment, and it makes any Web server a critical server.
Securing these servers is further complicated by the growth in the kinds
of services they deliver. Web applications are becoming an increasingly
popular channel for hackers. A flaw in the most innocuous application
could open the door for a hacker and allow the installation of a rogue
page or site on some very valuable cyber real estate.
As with any rapidly developing area of IT, the functionality of Web
applications often outstrips their security. As the Web becomes an
increasingly useful way to transact business and gather information, it
is increasingly important to ensure that security goes into these
applications from the start.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com