
“Foghorn” takes users out of phish-fighting with DNS “greylisting”


Batu69

Prototype security tool stops clicks on bad links, blocking DNS lookup for 24 hours.


Go ahead and click it. You know you want to.

 

Clickers gonna click. Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk. It's simply too easy with the slightest amount of targeted work to convince users to click.

 

Eric Rand and Nik Labelle believe they have an answer to this problem—an answer that could potentially derail not just phishing attacks but other kinds of malware as well. Instead of relying on the judgement of users, Rand and Labelle have been working on software that takes humans completely out of the loop in phishing defense by giving clicks on previously unseen domains a time out, "greylisting" them for 24 hours by default. The software, a project called Foghorn, does this by intercepting requests made to the Domain Name System (DNS).

 

Greylisting has been used in spam filtering for e-mails, where it deliberately delays e-mails delivered from previously unseen sources and sends temporary errors back to the sender for a few minutes or hours. Spam greylisting operates under the assumption that a real mail server will re-attempt delivery, while spambots likely will not.

 

Foghorn applies the same approach to unseen domain names, but it does so for a different reason: many of the domains behind phishing attacks are active for less than 24 hours before they're rotated to another domain, according to an Anti-Phishing Working Group survey. As Rand said in his presentation about Foghorn at DefCon, "Lots of people are very invested in taking [phishing domains] down quickly, so phishers have to keep moving." By delaying the availability of previously unseen domains, the likelihood of users getting phished could be significantly reduced. Plus, known good domains can always be whitelisted. Additionally, greylisting domains can cut off the command and control for botnet malware that may have already infected systems on the network, since many botnets use domain generation algorithms (DGAs) to evade detection and change the domains they contact frequently—sometimes in as little as hours or minutes.

 

Foghorn is a proof-of-concept prototype DNS greylisting system. Built with Python and the Twisted event-driven networking engine, Foghorn acts as a DNS proxy, filtering outbound DNS requests from devices on a local network. Before being activated, it can be set in "baselining" mode to collect a list of domains typically visited by users on the systems to be protected—these can be "whitelisted" to ensure that they're always reachable.

 

According to Rand's whitepaper describing the project, after Foghorn is activated, "when a workstation attempts to fetch a DNS record not previously seen on the network, the greylister will initially resolve that domain to some locally-controlled asset rather than allowing the request to complete; after some timeout period, the request will then resolve as normal." If a domain isn't requested again within a certain amount of time—by default, seven days—Foghorn resets it for greylisting again. This is intended to protect against phishes from previously safe domains that might get hijacked when they expire.

 

Foghorn also logs the names it greylists, and those logs can be fed to a security information and event management (SIEM) system or other security tools to alert administrators to potential attacks (and to identify which users clicked on them).

 

Foghorn is still very much a work in progress. It currently only handles requests for "A" records—records in the DNS listing for a domain that specify the Internet Protocol address associated with a particular name. It also doesn't catch requests to specific IP addresses instead of domain names, so links that use an IP address instead of a hostname will slip past unless an HTTP proxy blocks them. The approach may not be a good fit for some people, too. But given the cost (and futility) of phishing training, Foghorn may be a great idea for smaller businesses—and you may want to set it up on your parents' home network while you're at it.

 

Article source

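The greylisting decision described in the article, as an added example that is not Foghorn's own code: the per-query logic a DNS proxy applies, written in Python (Foghorn's language) but without the Twisted proxy plumbing. The sinkhole address, client addresses, domain names and timestamps are constructed for illustration, and treating a whitelisted zone as covering its subdomains is this example's assumption, not something the article states.

```python
# Added example, not Foghorn's own code: the per-query greylisting decision a DNS
# proxy makes, without the Twisted proxy plumbing. Sinkhole address, client
# address, domain names and timestamps below are constructed for illustration.
import logging
import time
from dataclasses import dataclass, field

GREYLIST_SECONDS = 24 * 60 * 60        # unseen names are sinkholed for a day (article default)
FORGET_SECONDS = 7 * 24 * 60 * 60      # a name idle for a week is greylisted again
SINKHOLE_IP = "10.0.0.53"              # assumed locally controlled asset (hypothetical address)

log = logging.getLogger("greylist")


@dataclass
class Greylister:
    whitelist: set = field(default_factory=set)     # names collected in baselining mode
    first_seen: dict = field(default_factory=dict)  # name -> start of its current greylist period
    last_seen: dict = field(default_factory=dict)   # name -> most recent query
    events: list = field(default_factory=list)      # SIEM-style records of greylisted clicks

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def baseline(self, names):
        """Whitelist names observed during the baselining period."""
        self.whitelist.update(self._norm(n) for n in names)

    def _whitelisted(self, name):
        # Assumption: a whitelisted zone covers its subdomains as well as exact matches.
        return name in self.whitelist or any(name.endswith("." + w) for w in self.whitelist)

    def decide(self, qname, client="0.0.0.0", qtype="A", now=None):
        """Return ("forward", None) to resolve normally or ("sinkhole", ip) to answer locally."""
        now = time.time() if now is None else now
        name = self._norm(qname)
        if qtype != "A" or self._whitelisted(name):   # prototype only greylists A lookups
            return ("forward", None)
        last = self.last_seen.get(name)
        if last is None or now - last > FORGET_SECONDS:
            # Never seen, or idle so long it may have expired and been re-registered:
            # start (or restart) the greylist clock and record who triggered it.
            self.first_seen[name] = now
            self.events.append({"ts": now, "client": client, "qname": name, "action": "greylist"})
            log.warning("greylisted qname=%s client=%s", name, client)
        self.last_seen[name] = now
        if now - self.first_seen[name] < GREYLIST_SECONDS:
            return ("sinkhole", SINKHOLE_IP)
        return ("forward", None)


if __name__ == "__main__":
    g = Greylister()
    g.baseline(["example.com"])                      # constructed baselining result
    t0 = 1_700_000_000.0                             # constructed epoch timestamp
    for offset, name in [(0, "www.example.com"), (0, "account-verify.test"),
                         (3600, "account-verify.test"), (GREYLIST_SECONDS, "account-verify.test")]:
        print(name, g.decide(name, client="192.0.2.10", now=t0 + offset))
```

The `events` list is what would be shipped to a SIEM: it carries the client address, so the alert names the workstation that clicked. Note the limitation the article raises: a link to a bare IP literal never generates a DNS query, so nothing here ever sees it; only an HTTP proxy or egress filter catches that case.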
5 hours ago, Batu69 said:

Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk.

 

If all you are going to do is training then you will never cure the problem.  Years ago we started removing all links from emails and attachments to emails that come from outside the organization.  If there is nothing for them to click or open then the problem is solved.  It always seems that people want to create new tools instead of using the ones they already have in hand.  Most of the time it is just laziness, they want an automatic process that in the end they don't know what it really does in the background.  This is why it has been reported that systems are becoming less secure instead of more secure because the new generation of security professionals are just plain lazy.  They are too busy tweeting about how great they are and posting all their 'successes' to facebook while all us old farts are busy hacking into their insecure systems and leaving little tidbits of data to tell them how stupid they are.  Unfortunately, they aren't even smart enough to find or read them.  None of us starting out in the mid 60s had anything more than a high school education, but we were the ones building and operating computers when very few people were even aware of what a computer was.  Now we have all these high level college degrees and for what?  Didn't realize that you needed a college degree to be an egotistical idiot, moron, and scumbag security professional.



50 minutes ago, straycat19 said:

 

If all you are going to do is training then you will never cure the problem.  Years ago we started removing all links from emails and attachments to emails that come from outside the organization.  If there is nothing for them to click or open then the problem is solved.  It always seems that people want to create new tools instead of using the ones they already have in hand.  Most of the time it is just laziness, they want an automatic process that in the end they don't know what it really does in the background.  This is why it has been reported that systems are becoming less secure instead of more secure because the new generation of security professionals are just plain lazy.  They are too busy tweeting about how great they are and posting all their 'successes' to facebook while all us old farts are busy hacking into their insecure systems and leaving little tidbits of data to tell them how stupid they are.  Unfortunately, they aren't even smart enough to find or read them.  None of us starting out in the mid 60s had anything more than a high school education, but we were the ones building and operating computers when very few people were even aware of what a computer was.  Now we have all these high level college degrees and for what?  Didn't realize that you needed a college degree to be an egotistical idiot, moron, and scumbag security professional.

 

Do you think all internet users are like you and know about security systems? Do you think cybercriminals create viruses to target users like you?

Internet users have many kinds of behaviour: the laziest, those who like to click here and click there, kids, grannies, new internet users, users who know nothing about virus/malware spreading methods.

They created this tool for those who don't know about security, not for those who know about system security.
