I thought to ask the effectiveness of using a private DNS to reduce the scope of Phishing attacks.
Is this a valid use case? I am not a real guru in this… but it looks to be a valid case… especially as the hacker will not know the private end point… nor would they be able to access it… as they would not be able to connect to the overlay network… and it would be even better if ziti was app embedded.
in addition, to extend this a bit more… the private endpoint could be configurable by the end user… that way… the end user would know if the link was real or not… because… they defined it themselves to be something special and meaningful when they created the account… i.e. http://telco.ziti:123
What are your thoughts on this… does it make any sense?
Generally speaking, I think phishing is probably not something OpenZiti will end up protecting you against. Phishing is more about sending emails to users and getting them to click on a link where they'll enter information they shouldn't... https://google.com <-- there's an example of a horrible phish.
So - even if you could teach users to make sure the link ends up at a private domain (something ending with ".ziti", for example), the attacker sending the email will just fake that out and make it look like you're going to a private domain https://websearch.ziti even when you're not...
However, if these attackers were to somehow obtain that sensitive information that's relevant to your site, using it will be really hard for them since they won't have clients on the overlay network.
So OpenZiti provides some protections, against the end result, but not against the act of "phishing" itself. That's my train of thought, dunno if anyone has anything else to add.
Thanks for your feedback
Phishing came up in discussion last week… along with… a recent public hack due to Phishing… so it's sort of topical at the moment.
I was thinking of angles … but it’s probably not as good as strong identities which would stop hackers from accessing the overlay network… even if they gained access to your login credentials.
That last bit is crucial imo. I was chatting to someone recently who asked about OpenZiti supporting MFA push, asking if ZT supported it, as they only saw TOTP.
As I explained, with an OpenZiti endpoint with a bootstrapped x509 and the policy set saying they can access a resource, push harassment and fatigue attacks are not possible. An attacker cannot just make an MFA request and get access to resources as they are not on the network at all.
Not sure if this is 100% related but I'll throw it out. I use KASM (kasmweb.org I think) and I send my Outlook or web links to it if I'm not ABSOLUTELY positive they are legit/ok. It loads up the URL on a different host, in a sandboxed Docker container, all via a web GUI. I can also run Kali/Ubuntu/etc., anything that can run in Docker, but I really just use it to make sure URLs are safe. I think this could be helpful in suspected phishing as well.