About April 2007

This page contains all entries posted to AuthenticationWorld Blog in April 2007. They are listed from oldest to newest.


April 2007 Archives

April 2, 2007

Bank two factor successfully phished

ABN Amro has used two factor authentication for several years. However, it was recently successfully phished. As the article indicates, the phishing attack commenced when the user clicked on a link in an email. They were diverted to a fake website exactly resembling the ABN Amro website. The users then entered the changing PIN from their token. The fake website then sent the PIN to the real website, successfully logged in and withdrew money.

The article quotes the bank's five recommended rules to prevent these types of attacks:

"1- Check the lock symbol in the browser and the ABN AMRO certificate.

2- Always check your payment instructions.

3- Never open e-mails from someone you don't know.

4- Only install software from trusted sources.

5- Protect your PC with a virus-scanner and a firewall."

Stronger, multifactor authentication cannot stop a phishing attack. Make sure that your users learn to never click on links in email or instant messages or open attached documents unless they are specifically expecting the message and links. Meanwhile, use transaction authentication to protect your enterprise crown jewels.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Turkcell starts world's largest mobile signature rollout...it's secure but can be phished

Turkcell, Turkey's largest mobile phone operator, recently announced its plan to roll out "signatures" on all its mobile phones. Here's what the article "Turkey Starts World's Largest Mobile Signature Rollout", published on cellular-news.com, says:

"For instance, the subscriber can access a banking site from their mobile phone, home PC or an Internet café, and enter their customer ID to login or conduct a transaction. The bank then sends an authentication request that prompts the user to enter the secret code they chose when they activated the mobile signature service, using their GSM phone. The SIM card then checks the secret code, creates the digital signature and sends it back to the bank to enable the corresponding transaction on the banking account."

"What makes this Gemalto mobile signature solution more secure is that it relies on something you own (the private key of your digital signature that is securely carried on the SIM card) and something you know (the secret code)."

"'Ease of use and security were critical when we decided to implement our m-signature program,' commented Cenk Serdar, chief executive for value added services, Turkcell. 'We wanted to spare our subscribers the hassle of buying and setting up a smart card reader and carrying an extra smartcard to perform secure online transactions with qualified digital signatures. The Gemalto solution transforms the handset into a highly secure digital signature creation device they feel familiar with.'"

All of this security is wonderful, but it won't stop a man-in-the-middle attack. Using either an SMS message or an email, the criminals will get the user to click on a link. They will be directed to a fake website, where they will enter their password. When the digital certificate is required, the fake website will pass this along to the real website. After successfully authenticating, the criminals will then take over the session and do bad things.

Refer to my last blog on what happened to ABN Amro. Strong authentication doesn't prevent phishing attacks.

In this case, ease of use for the consumers trumps their security. The banks and retailers will eat the phishing losses as long as they remain a low percentage of their business. BUT, the consumer is still at risk with this "secure" solution.

Hijacking Javascript

Bruce Schneier today has a blog post on hijacking JavaScript that is very interesting. In it, he references a recent paper published by Fortify Software.

The paper describes what JavaScript hijacking is as follows:
"Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same Origin Policy requires that, in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, culls through it, and communicates it back to the attacker."

"JavaScript Hijacking allows an attacker to bypass the Same Origin Policy in the case that a Web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website. Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable while traditional Web applications are not."

As Bruce says in his blog "Like so many of these sorts of vulnerabilities, preventing the class of attacks is easy. In many cases it requires just a few additional lines of code. And like so many software security problems, programmers need to understand the security implications of their work so that they can mitigate the risks they face. But my guess is that Javascript hijacking won't be solved so easily, because programmers don't understand the security implications of their work and won't prevent the attacks."

I agree. I think that this type of attack will become common over the next year as more enterprises and individuals take on Web 2.0-type applications using Ajax. The risk to the enterprise is the loss of sensitive data, some of which may be identity data.
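Added here to illustrate the loophole the paper describes; this is not code from the blog or from Fortify. A JSON endpoint that returns a bare array is also a valid script, so another site can load it cross-domain with a script tag, while a response prefixed with a deliberate syntax error cannot be executed that way; the block also shows the request-side check that refuses plain script-tag GETs. buildVulnerableResponse, buildHardenedResponse, parseResponse, isExecutableAsScript and acceptsRequest are this example's own names.

```javascript
// Added example, not code from the blog or from the Fortify paper it quotes.
// Shows why a JSON response that is itself a valid script can be hijacked via
// <script src>, and two server-side mitigations. Function names are this
// example's own. Run with: node hijack.js

// Constructed sample: confidential data a Web 2.0 application might return.
const SAMPLE_DATA = [
  { account: '12345', balance: 1234.56 },
  { account: '67890', balance: 42.0 },
];

// Non-executable prefix. ")]}'," is a syntax error at the start of a script, so
// a <script src="..."> include of the response cannot execute it, while the
// legitimate XMLHttpRequest client strips it before JSON.parse. (This is the
// prefix Google uses; "while(1);" is another common choice, but it compiles and
// merely never terminates, so isExecutableAsScript below would not flag it.)
const PREFIX = ")]}',\n";

// Vulnerable: a bare JSON array is also a valid JavaScript program, so any site
// can include it with <script src> and observe its evaluation.
function buildVulnerableResponse(data) {
  return JSON.stringify(data);
}

// Hardened: the prefix makes the body unparseable as a script.
function buildHardenedResponse(data) {
  return PREFIX + JSON.stringify(data);
}

// What the legitimate same-origin client does with the hardened body.
function parseResponse(body) {
  if (!body.startsWith(PREFIX)) throw new Error('missing anti-hijacking prefix');
  return JSON.parse(body.slice(PREFIX.length));
}

// Check: would a browser execute this body if it were loaded via <script src>?
// new Function() compiles the text as a script body without running it, so a
// SyntaxError here means the include would fail before any code ran.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Second mitigation: a <script src> include is always a plain GET with no custom
// headers, so only answer requests carrying a header that the application's own
// XMLHttpRequest code sets.
function acceptsRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Demonstration of the three cases and of the legitimate round trip.
function demo() {
  const vulnerable = buildVulnerableResponse(SAMPLE_DATA);
  const hardened = buildHardenedResponse(SAMPLE_DATA);
  return {
    vulnerableExecutable: isExecutableAsScript(vulnerable), // true
    hardenedExecutable: isExecutableAsScript(hardened),     // false
    // A top-level JSON object is not a valid script ("{" opens a block and the
    // quoted key is then a stray string), which is why arrays are the exposed case.
    objectExecutable: isExecutableAsScript(JSON.stringify({ account: '1' })), // false
    roundTrip: JSON.stringify(parseResponse(hardened)) === JSON.stringify(SAMPLE_DATA),
  };
}

console.log(demo());
```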

New form of attack: XSS and CSRF

Dark Reading published a very interesting article last week, "Killer Combo: XSS + CSRF". It describes a presentation given last week at Black Hat Europe by Billy Rios and Raghav Dube of Ernst & Young's Advanced Security Center. The presenters' goal was to explain the high level of threat from combining a cross-site scripting attack (XSS) with a cross-site request forgery (CSRF).

The article gives two examples:

"In the first attack, the researchers show how to take over a user's account via XSS and use that browser to attack another Website. In the demo, the user first visits a social networking/blogging site, which is easier to get XSS-infected due to the ability to upload content, post messages/comments, etc. But the attacker's real target is a large credit union site. It works like this: Once the user falls victim to the XSS exploit on the social networking site, XSS is used to take over the victim's browser, Rios says.

'In the grand scheme, we don't actually care about the social networking site,' he says. The attack then uses CSRF to link between the social networking site and the credit union site, he says. 'Once we control the victim's session with the social networking site, we can force and control a session between the browser and the credit union site.'

From there, the attacker can attack the credit union site. 'We will go into techniques for attacking the credit union, but it's actually the victim that is doing it' unknowingly with their browser, he says. And the victim would have little or no clue the attack was underway, Rios adds. The advantage of combining XSS and CSRF here is that it lets the browser move to different Web domains, not just a single one.

The second attack demo shows how XSS and CSRF can be used to do damage to an internal corporate network. 'Because we're using the victim's browser to do these attacks, we can take advantage of all the privileges and trust established by their browser,' Rios says. 'Because it's inside the corporate LAN, we can drive it to attack other machines inside the firewall. The age-old moat-around-the-internal-net model is basically thrown out the door because our staging point is inside the internal net.'

The victim's browser then attacks a network management system on his internal network. CSRF is then able to get information on the internal network. And if the attack is caught or traced back, it's on the victimized user's doorstep. 'If they kick down the victim's door, the evidence is on that machine. It was [his] browser that did the attack,' and he didn't even know it, Rios says.

And XSS lets CSRF work more two-way instead of just one way: 'CSRF alone is a one-way deal,' Rios says. 'You do the attack and hope it executed. The only way to verify it is through a secondary channel. With XSS, you can verify the CSRF went through, and you get instant feedback.'

The demos show targeted attacks on a specific user, but Rios says it would be easy to automate it across multiple users. 'We're trying to show that this doesn't require that much sophistication to exploit.'"

This type of attack will definitely grow over the coming year. Enterprises beware! This is another attack vector for obtaining identity, authentication and valuable enterprise information, as well as for fraudulently obtaining money, services and products.

April 3, 2007

Extreme caution advised using IE and Windows platform

Today Microsoft released an emergency patch for the Windows animated cursor attack publicly reported last week (though it has since been revealed that it was reported to Microsoft in December 2006). If you haven't either gotten the automatic update or downloaded it yourself, then do so NOW. Why?

This is a very high-risk attack since the user only has to visit a web page hosting the malware or open an email message. The user doesn't necessarily have to click on a link to trigger it. It applies to all Microsoft platforms.

Ryan Naraine has two excellent blog posts covering the recent developments. The first, covering the emergency patch, can be found here.

His second post covers all the recent attacks using the zero-day flaw. It includes 450 websites hosting the malware, trojan attacks, etc.

Absolutely get this patch update and ensure your enterprise is updated. Otherwise you're running an extremely high risk of a successful security breach, which can lead to enterprise identity theft, the capture of identity authentication information and possibly the capture of enterprise data.

April 4, 2007

How to hack Vista before it boots

Bruce Schneier had an interesting post, "VBootkit Bypasses Vista's Code Signing Mechanisms", that is definitely worth reading. It refers to a story about a paper presented at the recent Black Hat conference in Amsterdam. The paper shows how a special bootloader gets around Vista's code signing mechanisms.

If you can control the hardware, you can control the software. This code allows control of the operating system kernel. Thus it's a powerful rootkit attack.

Firefox also highly susceptible to animated cursor attack

eWeek today ran an article, "Firefox Still Sitting Duck for ANI Exploits". It means that Firefox is also susceptible to the animated cursor attack for which Microsoft released a fix yesterday. Therefore, be very careful what websites you visit if you're using Firefox until a patch is released. This attack only requires you to visit a webpage, not necessarily to click on anything.

The malware can then be silently downloaded onto your computer and/or into your enterprise and obtain identity, authentication and enterprise information.

April 5, 2007

Another new security hole in Win 2000, XP and Win 2003

Ryan Naraine blogged today, "eEye spies new code-execution Windows hole", about a new high-severity security hole found by eEye and reported to Microsoft on March 27. Ryan's post says: "The flaw 'allows for remote execution of arbitrary code with minimal user interaction,' eEye said in a barebones advisory." This likely means that malware can be installed without the user having to click on a link.

The flaw apparently affects Windows 2000, XP and Windows 2003. If the security hole is confirmed by Microsoft, stay tuned for more news regarding a patch to fix it.

Malware is run like a business

Computerworld yesterday ran a very interesting story "Hackers now offer subscription services, support for their malware" that is definitely worth a read. The story outlines how organized crime now runs selling, distribution and support of malware as any other business would with their products.

Here are some of the highlight quotes from the article:

"'We've been seeing a growth of highly organized managed exploit providers in non-extradition countries' over the past year or so, said Gunter Ollmann, director of security strategies at IBM's Internet Security Systems X-Force team. For subscriptions starting as low as $20 per month, such enterprises sell 'fully managed exploit engines' that spyware distributors and spammers can use to infiltrate systems worldwide, he said.

The exploit code is usually encrypted and uses a range of morphing techniques to evade detection by security software. It is designed to use various vulnerabilities to try to infect a target system. And many exploit providers simply wait for Microsoft Corp.'s monthly patches, which they then reverse-engineer to develop new exploit code against the disclosed vulnerabilities, Ollmann said."

"While investigating a Trojan horse named Gozi recently, Jackson discovered that it was designed to steal data from encrypted Secure Sockets Layer streams and send it to a server in St. Petersburg, Russia. The Trojan horse took advantage of a vulnerability in the iFrame tags of Microsoft's Internet Explorer and had apparently been planted on several hosted Web sites, community forums, social networking sites and sites belonging to small businesses.

The server to which the stolen information was sent held more than 10,000 records containing confidential information belonging to about 5,200 home users. It was maintained by a group called 76Service and contained server-side code for stealing data from systems -- as well as code for an administrator interface and a customer interface for data mining, Jackson said.

The front end allowed subscribers to log in to individual accounts, view indexed data and get results from queries based on certain fields such as IP addresses and URLs. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said. A customer query returning three passwords for a small retailer might cost 100 WMZ, while a query for 10 passwords for an international bank might fetch 2,500 WMZ or more. Customers could also choose how they wanted their search results delivered -- as compressed files in e-mails or via FTP."

All of which points to increasingly sophisticated software, targeted at specific defense systems, being provided at low cost, with guaranteed results and in a fashion that is well supported. What chance do small and medium-sized enterprises have of defending themselves against this type of attack over the next one to three years? Very little, in my own opinion.

Their only realistic strategy is to assume they will be successfully breached and plan for multiple layers of stronger authentication defense, followed by the use of transaction authentication to protect their crown jewels. Then put filters on all outgoing traffic through the firewall to pick up sensitive information before it leaves the enterprise.

April 9, 2007

Anti-virus vendors have their own security holes

Information Security News today published a story, "Symantec fixes 'high-risk' flaw in Enterprise Security Manager". The story outlines how both Symantec and Kaspersky have serious security flaws in their products which would allow criminals to take control of the user's computer with malware. Both vendors have security patches out that address this.

DNSSEC Keys Wanted By Homeland Security

Bruce Schneier published a blog today "Dept of Homeland Security Wants DNSSEC Keys" describing an article from The Register that says the US Department of Homeland Security is trying to gain access to the master keys for DNSSEC. As Bruce describes it "This is a big deal" and he's right.

Bruce's blog says the following:

"Obtaining the master key for the DNS root zone would give US authorities the ability to track DNS Security Extensions (DNSSec) 'all the way back to the servers that represent the name system's root zone on the internet'.

Access to the 'key-signing key' would give US authorities a supervisory role over DNS lookups, vital for functions ranging from email delivery to surfing the net. At a recent ICANN meeting in Lisbon, Bernard Turcotte, president of the Canadian Internet Registration Authority, said managers of country registries were concerned about the proposal to allow the US to control the master keys, giving it privileged control of internet resources, Heise reports."

There is no way that any one government should have access to the keys. It would hold the entire freedom of the internet hostage to the US or any other government.

General fraud trends

Today eChannelLine published a story, "North America next on the fraud hit list". The article lays out several analysts' views on online fraud trends.

Essentially, it says that Asia and Europe are currently getting hit with malware comprised of trojan attacks while the US is getting hit more with phishing. The article then goes on to point out that the use of trojans will become dominant during the coming year. I generally agree with the analysis.

I don't agree with one point made in the article. "In Germany and Switzerland, where strong authentication is mandated by law, financial institutions' customers have a printed matrix with secret passcodes. Phishing attacks are useless against them."

This may be true for older-style phishing attacks but it's definitely not true for current ones. As I've documented in earlier posts, modern phishing attacks get the user to click on a link that takes them to a fake bank website. There the user enters their strong authentication credentials, which are instantly passed to the real bank website to authenticate the user. ABN Amro found out that its strong authentication was bypassed this way just a few weeks ago.

However, the article is generally a good quick overview of the growing trend and definitely worth a read.

Token keys for passwords

An article appeared today in ITBusiness.ca, "The key to strong passwords", that describes a $5 piece of software you can download and install on a USB key. According to the article, "It has three functions: it generates strong passwords (8, 16, or 128 characters), it provides a secured location for the passwords you'd otherwise forget, and it can lock your PC when the USB key is removed."

Things the article doesn't talk about: what happens when you lose the USB key, and that this doesn't stop malware trojan attacks that install a keystroke logger on your computer, nor does it prevent attacks using a hardware-based keystroke logger. However, this type of device may be of use to home users and small businesses.

Caveat emptor.

Ways to ruin your espresso

Brian Krebs today published an interesting post on Security Fix, "I'd Like a Double Espresso and Your Password, Please". In it he documents Don't Steal My WiFi, a powerful free tool that can be used to steal your passwords and eavesdrop on wireless networks.

Read his post. Towards the end he provides excellent advice and resources for securing your wireless communications so that you can enjoy your espresso while surfing the net at an internet cafe.

Transaction authentication

Forbes recently published an interesting story "The Two-Way Peephole". The article covers what banks and brokerages are doing to reduce their hits from phishing and other forms of malware attacks.

What I found interesting was the end of the article. There it describes what I call "transaction authentication" software being used at ING Direct. "When you log in to ING Direct, its fraud-detection system silently takes your computer's fingerprint, examining 40 attributes such as operating system, browser plug-ins and display settings, and compares them against an encrypted list of machines you've registered in advance. If your password is correct but your fingerprint doesn't match and you can't answer two advanced questions, you'll be asked to phone customer service. If you pass, you see a prearranged picture of, say, a dog, so you know the bank site is real. Theoretically, however, a thief could sign up for an account, download the image of pansies and use it to set up his own phishing site mimicking a bank site."

That's what I see as the future for most enterprise systems. As non-financial enterprises get hit more by malware attacks, they will slowly come to the conclusion that transaction authentication is warranted, especially for enterprise crown jewels.

April 10, 2007

Strong or different authentication doesn't stop phishing attacks

Brian Krebs today published a post, "Research Suggests Weakness in Anti-Phishing Technology", that documents how strong or different authentication techniques won't stop phishing attacks. As the researchers show, a man-in-the-middle attack foils the strong authentication.

The researchers' efforts have already been carried out several times in real life, the most recent example being ABN Amro, where a one-time password was successfully bypassed in a phishing attack.

As Brian mentions towards the end of his post, "The single most reliable way to protect yourself from falling victim to phishing scams is to never click on links that arrive via e-mail or instant message prompting you to log in to your bank account."

I have developed a free new product that says "Think on it before you click on it". It's a 3-minute training Flash program which can be viewed right at the employee's desktop. To view it click here, and go here for more information.

To report or not?

IT Week in the UK today ran a story, "Companies keep silent on data breaches". It's interesting in that it discusses recent research showing that one third of all enterprise security breaches go unreported. It raises the question of whether or not to report enterprise security breaches.

In my own personal opinion, I believe that if the breach potentially endangers customer data, then the customers must be notified. If the customers are the general public and not enterprises, then I believe the announcement must be made publicly. In fact, I think that laws need to be standardized across the planet demanding this.

While the impact on the enterprise of announcing a breach can be grave (e.g. TJ Maxx), the long-term outlook for both the consumer and the enterprise is better than if the breach is not reported and effectively swept under the carpet.

Macs, Windows, Linux and Security

A friend recently sent me a blog "The Myth of Apple's Insecurities". The blog says "If an OS is built on shaky ground, everything layered on top will suffer. This is the position that Microsoft is in now. Apple was in this very position at the end of the last century. They decided to start over, providing a clear upgrade path and supporting legacy applications on the new platform. OS X was developed from BSD and NeXT, built on a foundation that dates back twenty years or more, with the OS base code freely available for download, yet there have been no significant security vulnerabilities in OS X. This isn't due to market share, this isn't due to lack of attention, this is due to proper coding and development. That isn't to say that there are no chinks in Apple's OS armor -- there definitely are -- but the foundation is solid, therefore those chinks aren't likely to destroy the whole shebang. The same is true of Linux, and most UNIX-derived operating systems."

I think that this is a fair point. But it's what wasn't said that bothered me.

The malware game is escalating. Web-based attacks are rising. Therefore, even if the Mac platform is the most secure OS in the universe, the user can still be attacked through applications running on it or on the web. Recent security holes in Adobe Acrobat are just one example.

Therefore, all those Mac users should not believe that their platform is bulletproof. They too will need to be running some kind of intrusion detection and prevention system, constantly updated, to effectively protect themselves.

Further, while I can agree that the Mac platform is arguably more secure because Apple controls the hardware better than the PC world does, this doesn't mean it's infallible. Last week's Apple advisory on the AirPort Extreme Base Station with 802.11n is but one example. Furthermore, if the Mac market share increases beyond its current 5-8%, then expect much more attention from the criminals and more software and hardware exploits to be found.

My bottom line: no computer user should think they are secure because of their operating system. As virtualization becomes more common, research like Blue Pill has shown that most OSes are prone to attack.

The debate amongst Mac and Microsoft disciples misses the point. Enterprises that need proven security don't use Macs, PCs or even Linux. They continue to use AIX, HP-UX, Solaris and other forms of proven Unix. However, even these have security holes. The Solaris telnet security hole found in February this year is but one example.

The next two to three years are going to be tough in the computer security business as malware attacks increase in sophistication. Caveat emptor.

Vista and Office woes continue

Ryan Naraine today blogged about the continuing woes plaguing Vista and Office "MS Patch Tuesday: Vista dinged again".
Ryan says "The update — MS07-021 — is one of five bulletins released in Microsoft’s scheduled batch of patches for April. Four of the five are rated “critical,” Microsoft’s highest severity rating."

"The remote code execution flaw that dinged Vista is an error in the way the Windows Client/Server Run-time Subsystem (CSRSS) process handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution."

"In all, the MS07-021 update fixes three different CSRSS bugs, all affecting Vista. However, only one of the three is rated critical across the board. The risk from the other two is limited to privilege escalation and denial-of-service conditions."

In a previous post, also published today, "New Word 2007 flaws, exploits released", he outlines several new attacks, as yet unconfirmed by Microsoft:

"Several new security bugs in the desktop productivity suite have been found and released to the public, including proof-of-concept Word 2007 .docs that could potentially cause code-execution attacks.

The sample .docs have been posted to several known exploit sites, including Milw0rm.com and SecurityVulns.com.

Details on the actual vulnerabilities are scarce. Most appear to be simple denial-of-service issues that cause Word 2007 to crash when the file is opened.

A third bug points to an overflow in wwlib.dll (a core Office library) that could theoretically lead to arbitrary code execution.

The fourth bug released is a heap overflow in the Microsoft Help subsystem. Again, code execution may be possible.

Microsoft is expected to ship five security bulletins later today to cover a range of Windows flaws but several known Office vulnerabilities will remain unfixed."

Bottom line: there is almost NO TIME throughout the year when there isn't at least one high-severity security flaw in Office, and Word in particular. Be very careful with these applications. Don't click on documents attached to emails that you are not expecting, or you might be very sorry as malware quietly downloads onto your computer.

April 11, 2007

Harvesting teenager ID's and phishing

Larry Seltzer yesterday wrote a blog in eWeek "Harvesting Teenagers" that is very disturbing. He documents how a new social networking site "Tagged" was documented by Symantec April 9th as requiring users to provide their online authentication credentials to the web mail account.

Here's what Symantec says:
"
This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book, and prompts you to email your contacts using your Webmail address as the reply-to.

It’s difficult to recall all of the mass-mailing worms we’ve seen that have used similar strategies for propagation. Melissa and Lovebug would be good examples.

Fortunately, Tagged isn’t actually sending the emails as the user whose login credentials they’ve borrowed, the email is just coming from Tagged’s server so it’s not difficult to blacklist. But Tagged’s signup process is sparse on the details about why they ask for the information they want, and what they’re going to do with it. Clearly they’ve snagged all the email addresses in your address book, which would be useful for sending future advertising-based spam, but they’ve also taken your Webmail login credentials and not really told you what they intend to do with it.

It’s interesting in that they’ve circumvented the need to mock-up your Webmail site, but still had the effect of a phishing attack. With the search capabilities of most modern Webmail services, and the amount of people doing online banking, it doesn’t take a lot of imagination to see where this kind of site could head. Though we’ve all heard it before, the best way to avoid these situations is to avoid giving your credentials to third-party sites. Just like you wouldn’t give your banking info to your mailman, you shouldn’t give your banker a copy of your mailbox key.
"

Larry in his blog then actually creates a dummy email account and logs on to Tagged. He reviews the Terms of Service. After which he quotes "Nothing in the TOS says that they will be harvesting addresses from your address book, nor what they are entitled to do with those addresses. Perhaps they consider these addresses as being provided for invitations to Tagged, but that's clearly not true."

Finally, Larry concludes: "I have seen the future of teenage exploitation, and it's on social networking sites. Even the "legit" ones like MySpace creep me out some, and I'm sure Tagged isn't the only one that scams and abuses its users. When users are willing to provide their e-mail login to a Web site, you know we have a long way to go to make the Internet safe."

I agree with him. The advent of Web 2.0 services, where a site is a mashup of various other services, provides easy prey for criminals wanting to obtain teenagers' identities and authentication credentials and then use them for criminal purposes.

Caveat emptor.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 12, 2007

Message about you having malware dupes people into getting malware

The ironies of life. Here's a great example. Today, Computerworld ran a story "Massive spam shot of 'Storm Trojan' reaches record proportions". In it, they document the largest spam attack of the year to date. Here's why it's ironic:
"
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

Irony, it seems, isn't lost on the attackers. "This is really a self-fulfilling prophecy," said Swidler, "by warning users about a worm attack to get them to click on a worm."
"

Then there's the magnitude of the malware attack:
"
Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, while rival MessageLabs Ltd. reported a 13% jump in spam's slice of all messages in just one hour.

"Expect this to grow much larger," Swidler said. "It should top out at 60 million messages within the next 24 hours."

Worse, the malware bundled with the spam is self-replicating, so it's able to sniff out e-mail addresses on infected PCs and send copies of itself to those recipients. "There will be a fair number of additional infections," Swidler said. He warned that even when the spam campaign exhausts itself, the newly compromised computers might be able to sustain large quantities of spam on their own.
"

Then there's the sophistication of the attack:
"
The spam blast also includes a host of randomization and antidetection features, other researchers said. "E-mails are randomized with different filenames, different passwords and different binaries within the ZIP file to evade detection," Ken Dunham, director of VeriSign Inc.'s iDefense rapid response team, said in an e-mail. "And once executed, the worm communicates over a private peer-to-peer (P2P) network to update itself."
"

Add all this up and it's very bad news for many computer users. Don't click on links or document attachments in emails or instant messages. If you do, you may lose your identity information, valuable authentication information and possibly suffer monetary loss as a result.
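As an added example (my own, not the page's or any vendor's code) of the mail-gateway rule this campaign invites, the following scores a message on the three traits the article names: an alarmist "malware detected" subject, a ZIP attachment, and the archive's password handed over in the body so the gateway cannot scan the contents. The regex, weights and sample messages are constructed assumptions.

```python
"""Mail-gateway heuristic for the 'Storm Trojan' spam pattern described above."""
import re
from email.message import EmailMessage

# Subject lines the article quotes: "Worm Alert!", "Worm Detected",
# "Spyware Detected!", "Virus Activity Detected!"
ALARM_SUBJECT = re.compile(
    r"\b(worm|virus|spyware|malware|trojan)\b.*\b(alert|detected|activity)\b", re.I)
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def zip_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of ZIP attachments, by extension or declared content type."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            names.append(name)
    return names

def score_message(msg: EmailMessage) -> tuple[int, list[str]]:
    """Additive score (weights constructed): each trait alone is common in real
    mail; scary subject + archive + its password in the body is the signature."""
    score, reasons = 0, []
    if ALARM_SUBJECT.search(msg.get("Subject", "")):
        score += 2; reasons.append("alarmist security subject")
    zips = zip_attachments(msg)
    if zips:
        score += 2; reasons.append("zip attachment: " + ", ".join(zips))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if zips and PASSWORD_HINT.search(body):
        # The gateway cannot inspect an encrypted archive; a sender handing the
        # recipient the password in the same message is the tell.
        score += 3; reasons.append("archive password supplied in message body")
    return score, reasons

def verdict(score: int) -> str:
    return "quarantine" if score >= 5 else "flag" if score >= 2 else "deliver"

def build(subject: str, body: str, zip_name: str = "") -> EmailMessage:
    """Construct a sample message; every value here is made up for the demo."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_name:
        # A few bytes with the ZIP magic stand in for an archive; never opened.
        msg.add_attachment(b"PK\x03\x04" + bytes(26), maintype="application",
                           subtype="zip", filename=zip_name)
    return msg

def sample_verdicts() -> dict[str, str]:
    storm = build("Virus Activity Detected!",
                  "A worm was detected on your PC. Install the attached patch now. "
                  "The password for the archive is 9821.", "patch.zip")
    report = build("Q1 figures", "The quarterly numbers are attached.", "q1.zip")
    plain = build("Lunch tomorrow?", "Noon at the usual place?")
    return {name: verdict(score_message(m)[0])
            for name, m in (("storm", storm), ("report", report), ("plain", plain))}

if __name__ == "__main__":
    for name, v in sample_verdicts().items():
        print(f"{name:7s} -> {v}")
```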

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 13, 2007

More information on why the use of stronger authentication doesn't stop phishing attacks

Here's a blog entry from a PhD student who showed how a phishing attack would successfully work against Bank of America's SiteKey service. As the blog says: "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected." Thus, it's a form of authentication.

The student has posted a video of the attack.

Stronger authentication doesn't mean that phishing attacks won't occur. In a man in the middle attack, the criminal's fake website takes what the user enters and passes it on to the real website; the real website responds with the SiteKey images, which the fake website in turn displays to the user. The security feature is thus defeated: reassured by the correct image, the user enters their ID and PIN, which the criminal can then use to masquerade as the user.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 14, 2007

More black eyes for anti-virus vendors

Ryan Naraine yesterday wrote a blog "‘Storm Worm’ surge exposes AV deficiencies" which discusses the current poor state of detection of viruses by the anti-virus vendors. Ryan uses the recent Storm-Worm attacks as an example where most anti-virus vendors were unable to detect the attacks.

This blog merely confirms the general thinking of experts that the next two to three years will be a very rough ride for computer users and a very fine time for criminals. The technological advantage in attack versus defense currently lies with the criminals and will remain there. Couple this with the current weaknesses in international law when it comes to arresting and prosecuting criminals who control their bots from dodgy countries. Finally, add to the mix very wealthy criminal gangs who can pour some of their earnings into thousands of programmers looking for weaknesses in application, network and defense systems.

Enterprises need to have multiple layers of defense using stronger levels of authentication and transaction authentication. They must assume their outer layers will be breached repeatedly over the next two to three years.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 16, 2007

Authentication measures don't stop phishing

Last Friday Dark Reading published a story "Study: Browser Warnings Don't Work". It references a new study out of Harvard and MIT which strongly indicates that users ignore browser warnings and the images used for site authentication.

Here's the Dark Reading article's summary of the test:"
In the study, 67 customers of a single bank were asked to perform common online banking tasks. As they logged in, they were presented with increasingly conspicuous visual clues that suggested they might be about to enter a phishing or other fraudulent site.

In the first test, the researchers "broke" the HTTPS security key. The lock-and-key icon at the bottom of the screen clearly was not in one piece, and the URL showed "http" rather than "https." After seeing these cues, all (100%) of the participants proceeded to log in anyway.

In the second test, the researchers removed the site authentication image from the users' browser screens. These images, typified by Bank of America's Sitekey, are supposed to authenticate the site for the user by presenting a pre-selected image that the user can recognize. The researchers did not reveal which site authentication image technology was involved in the test.

When both the HTTPS security key and the site authentication image were displayed in an unsecured state, only 3 percent of the participants stopped the logon process before typing in their passwords. The rest of the users -- 97 percent -- went ahead and logged on.

In the third test, the researchers presented the participants with a browser "warning page" stating that there was a problem with the target site's security certificate. Users were then given the option of closing the page or continuing to the Website.

In the presence of the broken HTTP key, a non-secure URL, an absent site authentication image, and a strongly-worded pop-up warning, 53 percent of the participants chose to continue to the banking site. Only 47 percent chose to abandon the logon before they had typed their passwords.
"
So what does this tell us?

1. A certain percentage of users are going to ignore visual authentication indicators and log on anyway. In this case it's about 50%.

2. Transaction authentication, rather than stronger authentication, is the best way of reducing the risk of attack. If people are going to ignore the warnings and provide their authentication information anyway, then a financial institution's best risk reduction is to use other means at the time of the transaction to determine whether the user is who they are logging on as. This includes the use of IP address, geolocation, time of day, user profile history, the type of computer the user is using, etc.

3. Enterprises need to keep hammering home to their users the risks of clicking on links in instant messages and emails and of opening document attachments. Once the user has clicked on the link, this study indicates that the majority of people are going to provide their authentication information regardless of the security features used.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 17, 2007

Credit Unions and Phishing Attacks

Brian Krebs yesterday wrote a blog "Data Breach Aided University Phishing Scam" that outlines how criminals work to target credit unions. In his blog he describes the attack "In June 2006, an unknown number of IU students and faculty received an e-mail warning that online bill-paying services attached to their IU Employees Federal Credit Union accounts would be suspended unless they "renewed" their contract with the institution. According to the school's student news outlet, the Indiana Daily Student, that attack netted up to 80 victims."

He then outlines the work that PhD student Chris Soghoian did to uncover the facts. The blog states the following:
"
Investigators found phishing kits - ready-made scam e-mails and Web pages - designed to target IU students and customers of the Florida Commerce Credit Union and the Sandia Laboratory Federal Credit Union. Both credit unions had been targeted previously. In fact, a phishing scam targeting Florida Commerce surfaced two days prior to the IU scam.

The records provided by the university indicate that the phishers gained access to one or more accounts on the school's "Steel" server, a cluster of systems provided for students and researchers engaged in projects that require serious data and number crunching. According to the university, some 24,000 IU students have access to that server (Soghoian claims that figure is outdated and that the actual number of user accounts on that server is at least 30,000). By downloading the list of user names with access to the server, the attackers would have had a ready list of targets to use in their phishing scam, Soghoian said.

"The fact that the cluster provides login services means that anyone who's logged in can query user names on the system," he said. "The phishers sent their e-mails from Steel as well, from within network, which I'm guessing would have helped them somewhat in bypassing spam filters."
"

Brian then closes off his blog with the following overview of attacks on credit unions:
"
While most phishing attacks target the nation's largest financial institutions, criminals are turning their sights on smaller banks and credit unions whose customers may not be as adept at dealing with these types of scams. In addition, as the attack against the IU Credit Union shows, scams against smaller institutions are more likely to be successful if the phishers have access to e-mail addresses of individuals known to be associated with the targeted institution.

Phishers have targeted more than 185 credit unions during just the past two years, and many of them in multiple, separate attacks, according to anti-phishing and security company Websense.
"

My view is that credit unions will likely be increasingly targeted over the next two years. Over the last 12 months, attacks against credit unions have risen 584% according to Cyveillance. Most credit unions are easy pickings for the criminals since their membership is small and relatively easy to target (like the university credit unions in Brian's blog).

While some credit unions have installed or are currently installing multi-factor authentication, this won't stop successful phishing attacks against them. Stronger authentication is bypassed with man in the middle attacks. Criminals get the user to click on a link that directs them to a fake credit union website. Then the criminals take the multi-factor authentication from the user and log on to the real credit union website. After the user thinks they have successfully logged off, the criminals then withdraw amounts from the real credit union site.

There are only two choices for credit unions to mitigate their risk: transaction authentication and user education.

Transaction authentication looks beyond the successful user authentication and uses several factors to determine whether the identity is who they claim to be. This includes examining the IP address, geolocation, time of day, withdrawal amount, user history, etc. Transaction authentication will "weed out" transactions coming from places like Russia and other notorious places. However, criminals are now placing their phishing sites close to the geolocation of the financial institutions they are trying to defraud, in order to pass through the transaction authentication filters.
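As an added example (my own, not the blog's or any vendor's code) of the transaction authentication described here and in the April 16 entry, the following scores a withdrawal on the signals the text lists and only then decides whether to release it. The customer profile, weights, thresholds and the three constructed cases (a routine payment, credentials relayed from a distant server, and the same theft relayed from a server placed a few kilometres from the customer) are all assumptions; the point of the last case is that a forged nearby geolocation does not rescue an otherwise anomalous transfer.

```python
"""Transaction authentication as described above: score each withdrawal on
independent signals instead of trusting the successful login by itself."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

@dataclass
class Profile:                  # what the institution already knows (constructed)
    home_lat: float
    home_lon: float
    usual_hours: range          # local hours the customer normally banks
    known_devices: set
    typical_amount: float       # e.g. recent median withdrawal
    known_payees: set = field(default_factory=set)

@dataclass
class Transaction:
    lat: float
    lon: float
    hour: int
    device: str
    amount: float
    payee: str

def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(p: Profile, t: Transaction) -> tuple[int, list[str]]:
    """Additive weights (constructed) so that one forged signal, e.g. the nearby
    geolocation the post says criminals now arrange, cannot mask the rest."""
    score, reasons = 0, []
    distance = km_between(p.home_lat, p.home_lon, t.lat, t.lon)
    if distance > 500:
        score += 40; reasons.append(f"geolocation {distance:.0f} km from home")
    if t.hour not in p.usual_hours:
        score += 15; reasons.append(f"unusual hour {t.hour:02d}:00")
    if t.device not in p.known_devices:
        score += 25; reasons.append("unrecognised device")
    if t.amount > 3 * p.typical_amount:
        score += 30; reasons.append(f"amount {t.amount:.0f} far above typical")
    if t.payee not in p.known_payees:
        score += 20; reasons.append("never-seen payee")
    return score, reasons

def decide(score: int) -> str:
    if score >= 70:
        return "hold"           # park the transfer and confirm out of band
    if score >= 40:
        return "step-up"        # e.g. phone the customer before releasing funds
    return "allow"

def sample_decisions() -> dict[str, str]:
    customer = Profile(49.28, -123.12, range(8, 23), {"laptop-A"}, 300.0, {"hydro"})
    cases = {
        "routine bill": Transaction(49.28, -123.12, 12, "laptop-A", 250.0, "hydro"),
        "distant relay": Transaction(55.75, 37.62, 3, "proxy-1", 4000.0, "mule"),
        "nearby relay": Transaction(49.25, -123.10, 14, "proxy-2", 4000.0, "mule"),
    }
    return {name: decide(risk_score(customer, t)[0]) for name, t in cases.items()}

if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:13s} -> {d}")
```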

The other choice is to educate credit union customers. They need constant reminders of the dangers of clicking on links in emails or instant messages, or opening document attachments. Further, they also need to be educated about attacks like vishing, where an email is received from their "credit union" asking them to call a 1-800 number to do something with their account. When the user calls the number, they provide their authentication and account information to what they think is the credit union, but in reality it's the criminals they are giving it to.

Credit unions need to realize they are in an arms race with organized crime that is going to increase over the next two years.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

April 19, 2007

Maturing market - botnets battle for marketshare

Kelly Jackson Higgins yesterday wrote a piece in Dark Reading, "Botnets Battle Over Turf". It's an excellent read on what I call a "mature market", i.e. botnets.

With up to one quarter of all computers on the internet infected with malware, criminals are now battling it out to control the botnets. They're not worried about the police or anti-virus vendors, they're battling it out between themselves.

As Kelly's article states: "
But the savvier botnets go the extra mile to protect their captor capital: Some actually "secure" the bot machines they have infected so no other botnets can steal them or utilize them, too. They install patches on their bots, for instance, to close the security holes and shut down open ports that are vulnerable to attack. "They are installing defenses to make sure no one else doubly infects the machine," says Paul Mockapetris, chairman and chief scientist of Nominum. "There are instances where a machine is infected, and part of that is defense against another infection."

Patching their bots and shutting out other botnets is no harder than initially recruiting a machine as a bot, security experts say. "It would be trivial for a bot to compromise a machine and apply Microsoft's recommended workarounds to prevent re-infection," says David Maynor, CTO of Errata Security.
"

What can be learned from this?

1. The current state of anti-virus and intrusion detection programs is not going to protect your enterprise 100% of the time. In fact, you might be lucky to get 80-90% protection.

2. The enterprise needs many layers of security. Once the criminals are through the front door, they need to face a series of further doors as they try to progress to more risk-sensitive information and applications. Use stronger authentication as part of this.

3. Don't expect strong authentication to protect your enterprise crown jewels. Once criminals are inside the enterprise electronically, they can deploy trojans and possibly set up internal phishing attacks that breach your strong authentication.

4. Use transaction authentication to protect your enterprise crown jewels. Even if the user successfully authenticates, use all sorts of other factors to ensure they are who you think they are.

5. Filter all traffic leaving the enterprise for sensitive material that shouldn't be leaving.

6. Educate your users continuously about malware attacks. 77% of attacks begin with the user clicking on something. Reduce the initial chances of malware success by getting users to change their work habits: not clicking on links in email or instant messages, and not opening unexpected document attachments.

There's a dark cloud out there that is likely to get darker over the next two years. While criminals battle it out for market share, make sure your enterprise is able to withstand the attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
604-921-6797

Growing threat...rootkit sophistication

McAfee recently released a 16 page report "Rootkits Part 2: A Technical Primer". It is worth a read, especially the last section of the document, "Payload techniques: proof of concept".

There the authors Aditya Kapoor and Ahmed Sallam paint the picture of new forms of attacks, not yet documented in the wild, but ones they feel will become common in the future. These include virtual memory subversion, SubVirt, Blue Pill, raw network manipulation, firmware and hardware manipulation and Advanced Configuration and Power Interface (ACPI) manipulation.

Bottom line: Expect lots more trouble, security breaches and costs of cleanup as these attacks become common.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Individually targeted phishing attacks

Spear phishing is something I blogged about in March. This is where individuals are targeted for phishing attacks. Last year experts said this would grow and now, several months later, the data confirms this.

An article published today in Computerworld, "Single-Victim Phishing Attacks Skyrocket", says:
"
In a report issued Wednesday, MessageLabs Ltd. said it intercepted 716 messages from 249 targeted attacks last month; those attacks were aimed at 263 domains representing 216 customers.

Last year, said Alex Shipp, a MessageLabs research engineer, the company was seeing two a day on average. "Two years ago it was two attacks a week, last year two a day," he said.
"
The attacks usually rely on MS Office documents. According to the article: "Most of the attacks rely on malformed Microsoft Office documents, in particular Word and PowerPoint files, said Shipp. "They're not just using one exploit, but several" in a single malicious file, he added. Together, Office attack documents made up 84 percent of March's detected one-offs."

So, if you're a medium to large scale enterprise, what can you do to prevent this?

Educate.

Stronger authentication won't help prevent these attacks. Intrusion detection and AV solutions may miss the attack. Therefore,