19 August 2013
It is being reported that the Washington Post site and Twitter accounts have come under attack from the Syrian Electronic Army (SEA) after what was termed "a sophisticated phishing attack".
It’s funny how, in almost any admission of an attack, however successful, the word "sophisticated" features prominently. It’s as if acknowledging anything less would understate the severity of the event.
But in reality, while what takes place after a phishing attack succeeds, or in the deployment of its payload, may well be sophisticated, the phishing itself is anything but: it usually relies on plain old stupidity. Fortunately, in the above case, at least one person involved seems willing to admit this.
The well-known security blogger Brian Krebs, who was himself a Washington Post reporter for years, has blogged that one of the Post’s sports writers succumbed to the SEA phishing attack after a sustained campaign against the paper’s newsroom.
However, Krebs goes on to say that "veteran Post staffer" Gene Weingarten said that he was phished himself directly but that he did not enter any credentials.
"I’m stupid, but not THAT stupid," Krebs quotes Weingarten.
Krebs himself goes on to say "As this incident highlights, phishing attacks and the phishers themselves are growing in sophistication."
I suspect that Krebs is being a little kind to his former colleagues.
The truth is that every phishing attack starts with fooling someone into doing something they should not.
That may be entering credentials on a page that is not what it claims to be, or opening a link or attachment that should have been left alone. Either way, the gambit relies on a human doing something silly. Only after that does the real ingenuity kick in, and only there can the term "sophisticated" be applied in truth.
Calling the phishing itself sophisticated generally gives the attackers more credit than they deserve. The lure is merely adequate: adequate to fool a human being into doing something stupid, after which something sophisticated is done with the results.
The real lesson here is not about electronic countermeasures, perimeter security or even tackling hacktivism, but about the fact that the human race has been spectacularly consistent in maintaining a top-class level of silliness. We know this, we see it every day, and yet we often take no steps to counteract it.
User education and awareness can do more to combat phishing than any filter, monitor or countermeasure. We need to combat stupidity and carelessness with awareness and attentiveness. Only then can we say that a sophisticated attack succeeded, because by then it will have taken something truly great to get past educated users protected by appropriate countermeasures.
Now that would be something.