Arcanus 55 Founder

Nick Krause | March 2019

Arcanus 55 | Private Wealth Safe - Keypad PIN Encrypted USB

The Anatomy of a Spear Phishing 🐠 Assault

Use a key. No, not a mechanical key.

Spear phishing is a targeted attack on a specific group of individuals who have access to highly valued information. It typically uses counterfeit sign-in pages to trick victims into divulging their user name and password.

Anyone can be a target by association


You might think that you are not a likely target for spear phishing, but you would be surprised how valuable the information you can access actually is. The documents on your own computer may be trivial, but with your password other computers can be reached over your company’s network. Using your credentials, an attacker might access remote servers containing sensitive financial or proprietary information. You do not need to be a C-suite executive to be targeted. You could be a help desk tech, a software tester, or anybody who legitimately has access to the targeted infrastructure.

Imagine, for example, that the hacker wanted access to the data of the fictional XYZ Corp. The hacker could probably find many of its employees by first and last name on LinkedIn, then guess their work email addresses by combining first initial, last name, and company domain, so John Doe becomes jdoe@xyz.com. The hacker would also try sequential numbers after the name in case more than one John Doe works at XYZ Corp (jdoe2@xyz.com, …). Additionally, the certifications listed on your co-workers’ LinkedIn pages give the attacker tactical intelligence about the type of infrastructure XYZ Corp runs.
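To make the address-guessing step concrete, here is an added example in Node.js; it is not code from the original post. The target domain, the username formats and the scraped names are all constructed for illustration, and the generator goes slightly beyond the post by covering several common corporate username formats rather than only first-initial-plus-last-name.

```javascript
// Added example, not from the original post: enumerate the work addresses an
// attacker would try for names scraped from LinkedIn. The target domain, the
// username formats and the employee names are constructed for illustration.
const DOMAIN = "xyz.com"; // hypothetical target, matching the post's XYZ Corp

// Username conventions commonly seen in corporate mail:
// jdoe, john.doe, johnd, john_doe, john
const FORMATS = [
  (first, last) => first[0] + last,
  (first, last) => `${first}.${last}`,
  (first, last) => first + last[0],
  (first, last) => `${first}_${last}`,
  (first) => first,
];

// Lower-case and strip accents/punctuation so "Pérez" becomes "perez".
function normalize(name) {
  return name
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .replace(/[^a-z]/g, "");
}

// Candidate addresses for one person; numeric suffixes cover name collisions.
function candidates(fullName, domain = DOMAIN, maxSuffix = 2) {
  const parts = fullName.trim().split(/\s+/);
  const first = normalize(parts[0]);
  const last = normalize(parts[parts.length - 1]); // a single name is used for both
  const out = new Set();
  for (const fmt of FORMATS) {
    const base = fmt(first, last);
    out.add(`${base}@${domain}`);
    for (let n = 2; n <= maxSuffix; n++) out.add(`${base}${n}@${domain}`);
  }
  return [...out];
}

// Constructed sample of scraped names.
const EMPLOYEES = ["John Doe", "Ana María Pérez", "Li Wei"];

function allCandidates(names = EMPLOYEES, domain = DOMAIN) {
  return names.flatMap((n) => candidates(n, domain));
}
```

Three names and five formats with one numeric suffix already yield 30 addresses; a defender can run the same generator over the staff directory to see how much of the organisation’s address space is guessable from public profiles alone.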

The hacker would then need a realistic landing page to capture the credentials. Think of the sign-in page for Google Gmail or Microsoft Outlook. Creating a pixel-perfect copy of one of these pages is surprisingly easy for someone with basic front-end development (FED) skills. Google Chrome can save a web page together with its assets: simply right-click anywhere on the page and select Save As > Webpage, Complete. This creates a mostly working copy of the sign-in page on the local drive. The hacker would then inject some simple JavaScript to asynchronously send the submitted credentials to a collection point of their choosing, perhaps an anonymous, disposable Salesforce developer org fed through a web-to-lead form in an iframe.

Now, where to host the phony page? GitHub serves Internet-accessible pages from gh-pages repositories (GitHub Pages). An advantage for the attacker is that these pages are served over HTTPS by default, with no credit card or phone number required. Serving a faux sign-in page over plain HTTP would be a conspicuous red flag.

The only thing left is the email itself. Not my area of expertise, but I have to believe that those written in proper English are more successful. Yes, I am referring to the Nigerian Prince correspondence.

Getting a bogus email past corporate spam filters can be tricky. Time to think outside the in-box (I’m sorry). The hacker might instead create 100 promotional USB sticks with the XYZ company logo laser-etched on them, load them with PDFs bearing juicy file names like TaxReturns.pdf, CEOProposal.pdf, or [employee name].pdf, and distribute them liberally in the bathrooms, cafeterias, and parking lots of the XYZ campus.

Why does this method work? Because people type the same password habitually, without much thought about where or why. This is compounded by the fact that people reuse passwords for convenience. The assumption is that if a hacker can acquire your Gmail password, your Active Directory (AD) password is likely to be very similar: similar enough that a small set of variations can be guessed successfully.
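An added example (not code from the original post) of why “similar” passwords fall quickly: one captured password is expanded through a handful of common mangling rules into the candidate set an attacker would try against the AD account. The rules are a constructed subset of typical wordlist-mangling rules and the sample password is made up.

```javascript
// Added example, not from the original post: expand one captured password into
// the small set of "similar" passwords an attacker tries next. The rules are a
// constructed subset of typical wordlist-mangling rules; the sample password is
// made up.
const SUFFIXES = ["", "!", "1", "123", "2019", "2019!", "2020"];
const LEET = { a: "@", e: "3", i: "1", o: "0", s: "$" };

// "Summer2018!" -> "Summer2019!": increment the trailing number, keeping its width.
function bumpTrailingNumber(pw) {
  const m = pw.match(/^(.*?)(\d+)(\D*)$/);
  if (!m) return null;
  const next = String(Number(m[2]) + 1).padStart(m[2].length, "0");
  return m[1] + next + m[3];
}

function variants(password) {
  // Base word: the password with trailing digits/symbols removed.
  const base = password.replace(/[\d!@#$%^&*?.]+$/, "") || password;
  const cases = new Set([
    base,
    base.toLowerCase(),
    base.toUpperCase(),
    base[0].toUpperCase() + base.slice(1).toLowerCase(),
  ]);
  const out = new Set([password]);
  const bumped = bumpTrailingNumber(password);
  if (bumped) out.add(bumped); // the "I rotated my password" guess
  for (const word of cases) {
    for (const suffix of SUFFIXES) out.add(word + suffix);
    out.add(word.replace(/[aeios]/gi, (ch) => LEET[ch.toLowerCase()])); // l33t spelling
  }
  return [...out];
}
```

A couple of dozen guesses per user is well inside any lockout threshold when spread over time, which is why a password captured on a phishing page is usually enough even when the AD password is not literally identical.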

It is well established how dangerous spear phishing is and how easily it can reach you. With that in mind, how does one protect oneself?

Use a key. No, not a mechanical key.

The popular options are the Google Titan Security Key and the YubiKey. A physical security key ties each sign-in to the real site’s domain: the key’s response is bound to the origin the browser actually loaded, so a cloned page on another domain cannot obtain a response the real site will accept. A hacker therefore cannot access your account even if he or she has the password.


Google recently launched its Advanced Protection Program specifically to help people “likely” to be targets of spear phishing. It names reporters, activists, and politicians as likely targets. That is reasonable, but as we have discussed, the most likely targets often do not even know they are valuable targets. Anyone can be a target by association. Stay safe!

Privacy Paranoid? Encrypted USB Bootable Linux | Password Manager | On-Screen Virtual Keyboard | Airtight Waterproof Capsule.

Programmatic Prose

Unseeable pool

A sharp, scary spear protect

enjoying other face


Keypad Encrypted USB Best Practices and Safety

Enter the PIN before inserting the USB device into its slot. Do not enter the PIN while the Keypad Encrypted USB is connected.

Close all applications before hibernating, suspending, logging off, or ejecting the USB device. This step is especially important if you are using a software cryptocurrency wallet, KeePass, or Key Quest Vault.

Put the USB device back in its capsule when not in use. Remember to seal the capsule and store it in a safe place.

Make sure you are not being watched or recorded by a surveillance camera. Be aware of your surroundings and look behind you.

Do not plug the USB device into a suspicious computer. Avoid using a computer that may be infected with spyware. If you must use an unknown computer, boot from a trusted operating system and use the virtual keyboard to enter passwords.

Do not use a found USB device. If a USB drive magically appears, do not plug it into any computer. Curiosity killed that particular cat. Be cautious if your USB drive was out of your possession for any period of time.