Self Service Password Reset Phishing Expedition Flops at Black Hat

Password phishing sleight of hand.

It seems even our industry’s best and brightest at last week’s Black Hat conference fell for a not very well executed phishing campaign.

Approximately 7,500 attendees received a fake self service password reset email, sent to the accounts used to register for the conference. The attempt was so weak that it’s surprising anyone fell for it. The email included a user name and password in plaintext, asked recipients to log in to a non-Black Hat URL and didn’t even attempt to spoof a Black Hat email address.

The Black Hat team began their apology email with, “Hanlon’s Razor states, ‘Never attribute to malice that which is adequately explained by stupidity.’” They go on to explain that the vast majority of their activities are completed by volunteers. One of them decided to reprogram part of a page and send a self service password reset email that looked like this:

There’s no indication anyone’s personal information or the Black Hat site itself was hacked. The volunteer who put together this email did us a favor.

Why? It reminds us we can never let our guard down. Even innocent-looking emails can be a phishing attack or contain malware. I suspect the volunteer who sent the self service password reset email expected attendees to be hurried, rapidly checking their email without thinking about potential risks.

I wonder how Black Hat handles their identity and access management. The volunteer who sent the email obviously should not have had access to Black Hat servers, or at least should have had more restricted access.

Companies today are often so focused on cyber security threats from outside, such as phishing, that IT teams don’t have the resources and sufficient audit controls to address threats from within. Disgruntled employees, past employees with access certification who can still gain access, or bored volunteers can all cause malicious or accidental damage. Regardless of the motivation, the result is the same: embarrassing incidents at best, loss of sensitive information at worst.

Network protection begins with identity and access management. Who is the person trying to enter the network? Are they who they say they are? Are they allowed to use self service password reset software? The best endpoint protection in the world is worthless if organizations lack the basic identity and access management controls to ensure only authorized users get to access network assets.

Food for thought, but spare the phishing.

Written by Gary Thompson

Gary Thompson is a 35-year veteran of the PR industry. He was the president of Shandwick International, the world’s largest agency with 2000 people in 90 offices and 32 countries. A million-mile flyer on both American and United, he got off the road at the “encouragement” of his wife. Four years ago, he founded his own firm, Clarity Communications, which counts Avatier as one of its most successful clients.