We know HTTP is insecure. Across the web, IANA's port assignments are used by default, and they say port 80 is for HTTP traffic, but that does not mean you cannot run something else, something "non-standard", on port 80.
Anyway, coming to the point: you could be running an HTTP server on port 80, 8080, 8090 or whatever; the HTTP protocol is insecure by design. Since we cannot change the standard use of port 80 everywhere (IPv6 is still on its way after decades), there are several remediations that can be used to avoid the common problems with HTTP.
- Instead of serving anything on port 80/HTTP, use it solely to redirect to the correct HTTPS URL on port 443, as recommended by cio.gov and Let's Encrypt.
- Enforce an HSTS policy on your domain. By nature it is only effective once a client has accessed your domain at least once and received the header. If you don't know what HSTS is, it is just an HTTP header that tells the browser to always open the website over HTTPS.
- Blocking or disabling port 80 doesn't make your server any more secure; in fact, it makes things worse:
  - There is still an open opportunity for a MITM attack. The flaw is in the protocol, not in any implementation of HTTP, which is why anyone on the path can sniff and serve you alternate content even if you have the port blocked on the server.
  - You make things worse for your users; they won't be able to access your website as they normally would.
  - If you serve HSTS headers over HTTP, at least HSTS will be enforced on one hand.
  - Users would have to type HTTPS everywhere, which people don't do; it is a painful thing to enforce.
- It is not about port 80; it is about not using HTTP anywhere. If you have other ports that serve content over HTTP, it is still an issue!
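The redirect-only port 80 and the HSTS header from the list above, as an added example that is not from the original post: a minimal WSGI app that never serves content over plain HTTP, sends HSTS only on HTTPS responses, plus a small defender-side audit of an observed response. The host name, the helper names and the fixed canonical host are this example's own assumptions.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # fixed (assumed) host, so the Host header cannot steer the redirect
HSTS_MAX_AGE = 31536000             # one year

def redirect_target(path, query):
    """HTTPS URL a plain-HTTP request is redirected to; path and query are preserved."""
    url = "https://" + CANONICAL_HOST + quote(path or "/")
    return url + ("?" + query if query else "")

def app(environ, start_response):
    """WSGI app: port 80 only redirects; HSTS is sent only on HTTPS responses."""
    scheme = environ.get("wsgi.url_scheme", "http")
    if scheme != "https":
        # No content and no HSTS here: browsers must ignore an HSTS header
        # received over plain HTTP (RFC 6797 section 8.1), so sending it is pointless.
        target = redirect_target(environ.get("PATH_INFO", "/"),
                                 environ.get("QUERY_STRING", ""))
        start_response("301 Moved Permanently", [("Location", target)])
        return [b""]
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Strict-Transport-Security",
         "max-age=%d; includeSubDomains" % HSTS_MAX_AGE),
    ])
    return [b"secure content\n"]

def call(environ):
    """Invoke app in-process (no sockets); returns (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

def audit(scheme, status, headers):
    """Defender-side check of one observed response; returns a list of findings."""
    findings = []
    hsts = headers.get("Strict-Transport-Security", "")
    if scheme == "http":
        if not status.startswith(("301", "308")):
            findings.append("port 80 serves content instead of redirecting")
        if hsts:
            findings.append("HSTS sent over HTTP is ignored by browsers")
    elif not hsts:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    return findings
```

The `environ` dicts passed to `call` are constructed requests; in a real deployment the TLS terminator in front of the app sets `wsgi.url_scheme`.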
Phishing is a never-ending tug of war where one side is only trying to stop the other from winning: "Attackers are always trying to be innovative, while defenders are trying to innovate on the innovation done by attackers."
Ironic as it may sound, this is what it is.
This article is not about blaming some organisation for not doing enough to protect its customers. It is more about the vendors who are trying to defend, while the current time doesn't demand defence; instead it needs aggressive attack mechanisms, even proactive attacks before the damage can be done.
To solve the problem of phishing I am proposing an N-step approach.
- Get ready with your defences. Just as in war, first strengthen your defences. This can be done proactively by:
  - Training your employees
  - Asking the cybersecurity team to be vigilant
  - Performing vulnerability assessment and penetration testing
  - DDoS prevention (you might need it; DDoS is cheap these days)
  - DMARC, and monitoring of cousin domains
  - WAF, SIEM and other tooling
- A small attack (to know the capabilities)
  - To get an idea, monitor what types of attacks are originating.
  - Measure the similarity among phishing attacks; you might be able to identify active APT groups.
  - Initiate takedowns and publish something about them in the media (yes, you heard me: be more aggressive and see how they react).
- Attack the psychology
  - Set up a "honeypot" (the honeypot is key; I cannot write the process in detail, but trust me, it is something you will need) to gather information.
  - Give the attacker bogus information.
- You win!
But how? The key part of the approach is psychology: if you attack infrastructure, it can be bought again easily. The success of a phishing attack depends on how good the results are that the attacker gets.
If you have ever conducted an actual phishing attack or observed the programmatic logic, you know attackers have adopted methods to get 2FA from clients, but data is only valuable once it has been verified. Let's do some math.
Let's say you are conducting a phishing attack and it costs you $100 to compromise a website or host one; sending an email might cost you $0.001.
Assuming 1 in 1000 spam emails is clicked, you are technically spending $1 per click; say 10% of clickers become victims, so one piece of useful data costs you $10.
If captured data sells on the market at $20 for every good record, you are going to make a profit of $10, excluding the hosting cost.
But what if you are getting bogus data, which feels just as good but is now useless because 2FA has failed, or maybe the servers are not responding? Overall, if vendors can make the cost of phishing high, only those with the willingness to catch a whale will survive.