As we roll into the second week of 2019, the Cybersecurity threat, as predicted, is starting to evolve, with even greater threats on the horizon. There have already been reports of a massive Security Breach in the healthcare industry in Singapore (quite surprising, since the country is so “with it” when it comes to Security), certain websites of the Federal Government being hacked into because of the shutdown, etc. There is even talk of 5G now coming out, with its whole host of Security issues.
So, this goes back to the basic question that we started to answer back in 2018…what is a business or a corporation to do to help defend themselves? As mentioned, it takes a proactive mindset, as well as a mix of the right Security tools, deployed strategically where they can offer the most value. But, in order to do all of this, an organization first needs to understand where all of its vulnerabilities and weaknesses lie.
But most importantly, it needs to quickly unearth those vulnerabilities that are not known. How can it do this? Well, it can do so through what is known as “Penetration Testing”. This is where you have ethical and law-abiding Cybersecurity professionals actually break apart all of your Security defenses to see where these covert, weak spots are located.
Then of course, the team(s) involved will provide recommendations as to how these holes can be “plugged up”. Penetration Testing (aka “Pen Testing”) makes use of very sophisticated tools, many of which are available from the Cybersecurity vendors themselves; and there are also a bunch of them that can be downloaded for free from the Internet.
In this regard, just a few days ago, a Cybersecurity researcher in Poland unveiled one of the latest tools that can be used in a Pen Testing scenario. It is called “Modlishka”, which literally means “Mantis” in the Polish language. Best of all, it is an Open Source tool, and can be downloaded for free from GitHub, at this link:
This tool serves two main purposes:
*It has the ability to intercept and capture network related data in real-time;
*It can hack into Two Factor Authentication (aka “2FA”) credentials.
While the critics in the Cybersecurity industry praise its first objective, it is the second one that they are afraid of the most. You may be asking why at this point? Well, first of all, 2FA for the longest time has been heralded as one of the best solutions that a business entity can use (or for that matter, even an individual) in order to protect their login credentials, either into their personal device or to gain access to network-based resources.
But on a more granular level, it is highly feared that the abilities of “Modlishka” to crack into 2FA credentials can also be used by the Cyberattacker to launch much more sophisticated Phishing style attacks than the world has ever witnessed before. In other words, these critics are claiming that this new Pen Testing tool is just creating a new avenue for major Security Breaches to occur.
So, how can it be used in a Phishing style attack? Well, Modlishka is in technical terms known as a “reverse proxy”. It literally sits on a Web Server that hosts any kind or type of Phishing domain.
For example, it resides between an unsuspecting victim’s email account (that is based in the Cloud) and their computer and/or wireless device. The Cyberattacker can then spoof this particular domain.
Once the victim then sends their PII to the Phishing domain, Modlishka can then track and log the confidential information and data. However, it does not set up a fake version of the site.
So, the bottom line is that a Cyberattacker no longer needs to set up a phony and spoofed website in order to capture the PII of a victim. It can get it all through a real and authentic website, via Modlishka. In the end, this saves considerable time and effort on the part of the Cyberattacker, and thus, they can launch even more devastating attacks on the genuine websites which are in existence.
As summarized by this quote: “The risk here is that phishers may be able to deceive a larger tranche of the population than they ordinarily can . . . This will give the successful attacker access to all kinds of information and/or networks they should not be able to reach.” (SOURCE: https://www.scmagazine.com/home/security-news/modlishka-pen-testing-tool-could-be-used-for-real-attacks/).
However, if an end user knows a thing or two about Cybersecurity, they can avoid this kind of attack by paying very careful attention to the URL if it is asking for an unusual kind of authentication information. Typically, 2FA also asks for the secure tokens, and anything asked for outside of this baseline should be a huge red flag.
The critics of Modlishka have also heavily criticized the tool for trying to show that 2FA is now a broken means of authentication, but Piotr Duszyński, the inventor of this tool, claims that this is not the point being made. Rather, he insists, 2FA can still be a great Security Tool to use, but it does have its own set of weaknesses, and as a result, it can be “outsmarted”.
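Because a reverse proxy relays the genuine site's content, the hostname is the one thing that still differs, so the URL check above can also be automated, for instance at a mail gateway or web proxy. The following is an added example, not part of the original post or of Modlishka; the `TRUSTED` allowlist, the function name and the sample hosts are constructed, and it goes beyond the manual check in the text by also flagging near-miss spellings and punycode labels.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: the login domains an organization expects (assumption).
TRUSTED = {"example.com"}


def classify_login_host(url, trusted=TRUSTED, threshold=0.8):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in `url`."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port and lowercases the host,
    # so "https://example.com@other.test/" is judged as other.test.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown"
    labels = host.split(".")
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            # Genuine domain, but only accepted over TLS.
            return "trusted" if parts.scheme == "https" else "unknown"
    netloc = parts.netloc.lower()
    # Naive stand-in for a public-suffix lookup: compare the last two labels.
    tail = ".".join(labels[-2:])
    for domain in trusted:
        # Trusted name embedded in a different host or in the userinfo part,
        # e.g. accounts.example.com.login.test
        if domain in netloc:
            return "lookalike"
        # Near-miss spelling of the trusted domain, e.g. examp1e.com
        if SequenceMatcher(None, tail, domain).ratio() >= threshold:
            return "lookalike"
    # Punycode labels can render as visually similar Unicode characters.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs using reserved example/test names.
    for sample in ("https://accounts.example.com/login",
                   "https://accounts.example.com.login.test/login",
                   "https://examp1e.com/"):
        print(sample, "->", classify_login_host(sample))
```
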
He makes this stance in further detail on his blog site, which can be accessed at this link:
My thoughts on this?
To be honest, anything that is connected and technologically related can be used as a hacking tool, if the Cyberattacker is smart enough. Heck, even the most sophisticated ones out there could quite possibly be reverse engineered in some way to serve any sort of nefarious purpose. But this just proves that 2FA is not all that it is cracked up to be.
Yes, it does provide one more layer of defense than simply using a password or a PIN Number, but what if this second layer is broken into as well? This is quite possible. Then what is the point of having 2FA at all? Perhaps then, a third layer should be implemented which already has proven its worth, such as a Password Manager and a Biometric (such as Iris and/or Fingerprint Recognition)?
These kinds of tools can be quite easily deployed onto a Smartphone such as an iPhone or a Samsung device. The point being made here is this: use 2FA if you think you need it, but keep in mind that it, too, can be broken into quite easily, and that you should keep your guard up about it, just as with all of your other confidential information and data.