About May 2007

This page contains all entries posted to AuthenticationWorld Blog in May 2007. They are listed from oldest to newest.


May 2007 Archives

May 1, 2007

Verisign offers one time passwords on credit cards

VeriSign today announced that it will be embedding one-time password generators in credit cards.

I think this is generally a good idea, and a long-awaited one, since it will strengthen the authentication used for credit-card purchases. However, I take some exception to the statement in the Yahoo! News story that said "Security companies like VeriSign and EMC Corp.'s RSA Security Inc. have been promoting one-time passwords and other "two-factor" authentication systems to combat "phishing" and other scams aimed at tricking users into revealing sensitive data like passwords."

"By requiring a second code that is tied to a device or a card in the user's possession, an online account remains protected even if the regular password is compromised. If a customer loses the device or card, someone would still need to know the username and password to log on."

What one-time passwords do is foil attempts by criminals to log on with a user ID and password captured by a Trojan keyboard logger: by the time the criminal replays the captured code, it has already been used or has expired. Strong authentication, however, does NOT prevent phishing attacks that work as man-in-the-middle attacks, because the criminal relays the code to the real site while it is still valid.

In a new paper I've just released, "Myths about protecting your enterprise from phishing attacks", I explain that a man-in-the-middle attack simply relays the stronger authentication credential to the real site. A recent example the paper mentions is the successful phishing attack on ABN Amro, which used two-factor authentication.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

New security flaws found in Trillian and Winamp

Ryan Naraine today posted a blog outlining two high-severity security risks. One is in Trillian, the cross-platform IM program, and the other is in Winamp when playing MP4 files.

As Ryan notes, a patch is available for the Trillian hole. I don't think there is a patch out yet for the Winamp hole. This weakness is already in circulation amongst criminals and has been seen used in attacks.

Read Ryan's blog for more detail.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 10, 2007

Inside the head of a phisher

Kelly Jackson Higgins at Dark Reading today published an interesting article, "The Phisher King". It describes how a phisher thinks about phishing. It's definitely worth a read.

The article describes "lithium". "Lithium, who says he's 18 and has been phishing since he was 14, said he has stolen over 20 million identities, mostly via social networking worms. "I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through," he wrote to RSnake, who today published the responses on the ha.ckers.org blog."

The article says he makes between $3,000 and $4,000 per day.

"RSnake asked him how many people he typically phishes per day. Depending on the size of the Website, lithium said, it's usually about 30,000."

"Lithium, meanwhile, told RSnake he uses a dedicated server, VPN, network encryption software, and a 1-Mbit/s ADSL line. Tool-wise, the phisher said he uses MyChanger for most social networking sites: "This makes pishing [sic] so much faster on social networking sites. Everything is automated! messaging/bulletins/comments/profile modifications it's great. Other than that, I get ALOT [sic] of custom programs built to suite [sic] my needs from freelance developers," he wrote."

"How does he remain in the shadows? "I use VPN's, Dedicated servers, Proxies and my network traffic is encrypted. All payments are made through egold." "

All in all a very interesting read. This is not organized crime; this is one criminal. Now expand your thoughts to include organized crime operating out of jurisdictions where the authorities won't prosecute them.

Now that's what I call a big problem.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Botnet control tools

Today Help Net Security published an interesting article, "Tool used to control botnets across 54 countries discovered". It describes a recent PandaLabs investigation that uncovered "Zunker", an application for controlling botnets. The article says it "was being used to manage a network of tens of thousands of computers across 54 countries".

The article then proceeds on to describe how Zunker works:
"
The program discovered by PandaLabs also has a statistics section. This includes a series of graphs showing the performance of each bot along with the number of available zombies and their daily or monthly activity. According to Luis Corrons, technical director of PandaLabs: “The program has been carefully designed and is easy to use. Zunker organizes the bots by country, and shows how many bots there are along with reports from each one, how much spam has been sent and what software has been used by the bots to send the spam (gmail, IM, forums, etc...).”

But Zunker is not just a management tool. It also lets the user control the bots. The “Control” menu lets the herder send commands to the bots, for example telling them to send spam. The “template” option lets the user design the content of the spam with different templates depending on whether the message is aimed at email accounts, instant messaging or forums.

Zunker even gives the creator figures about the lifespan of bots, that is, how many remain active out of those that infected computers. “The last time we checked”, explains Luis Corrons “the percentage was 40%. This means that 40% of bots were still operating. This figure, along with the age of the oldest bots, gives an idea to the hacker of how effective infections are”.

Another option in Zunker is to order bots to download files onto infected computers, for example, malware (Trojans, adware, viruses,…). “This way they exploit infections to the full. The computer is not just used to send spam but also, the user’s personal data such as bank details, etc. is stolen”, explains Luis Corrons.
"

Read the article to get an idea of how botnets are used to send spam, distribute further malware and steal data from the infected machines.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 11, 2007

Citibank's virtual keyboard authentication busted

Earlier this week an Indian researcher, Yash K.S., documented how easily criminals can capture the credentials used to log in to Citibank accounts through a virtual (on-screen) keyboard, a control used in Asia but not yet in the US. Read about the hack here.

This is yet one more example of the futility of deploying stronger authentication for accessing bank accounts. While some stronger authentication, like one-time passwords, will thwart malware keyboard loggers, it won't stop man-in-the-middle phishing attacks. In the case above, the virtual keyboard is still prey to malware: instead of logging keystrokes, the malware simply captures the screen around each mouse click to obtain the PIN.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Some hope on the horizon for MS Office?

Ryan Naraine yesterday blogged "New MS tool isolates Office 2003 zero-day exploits", describing a new tool aimed at reducing the zero-day risk for MS Office 2003 users. His blog says:

"The tool, called MOICE (Microsoft Office Isolated Conversion Environment), is a direct response to the nonstop zero-day attacks that use rigged Word, Excel and Powerpoint documents to plant call-home Trojans on government and corporate networks."

"Microsoft has already built new protection mechanisms into the Office 2007 software suite but customers running older versions of Office are at the highest risk. The statistics are telling: Since January 2006, Microsoft has shipped 20 bulletins covering code-execution holes in Office 2003. Over that same period, only 2 bulletins were shipped for Office 2007."

"When installed on desktop machines and used in conjunction with Group Policy settings, MOICE initiates a process that converts documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a potential security risk."

"The conversion process takes place in a safe, quarantined sandbox environment, so the user's computer is fully protected."

Read Ryan's blog for full details. I recommend that enterprises not yet on Office 2007 consider it.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Swiss cheese patch update

Earlier this week Microsoft released seven bulletins addressing 19 flaws, all rated critical. For more information read Ryan Naraine's blog "Patch Tuesday: 7 bulletins, 19 flaws, all critical".

As Ryan notes, six of the nineteen flaws affect Vista. Another bulletin fixed the DNS server flaw, while still others addressed flaws in Word, Excel and Office.

While it is good that Microsoft has released these patches, the reality is that at almost any time during the last year there have been unpatched critical flaws in Office products. When Microsoft fills these holes, others immediately appear as zero-day attacks.

To reduce the exposure of running products that, from a security perspective, resemble Swiss cheese, I strongly recommend implementing MOICE. Read my blog here for more details.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 12, 2007

Inside trojan malware

F-Secure yesterday posted a blog, "Advanced tools to handle stolen information", that shows the reporting tool behind one trojan, the back end its operators use to browse what it has stolen. The blog describes what kind of information the trojan collects:
"The reporting tool has a very nice UI. As you can see from the screenshot, everything is structured very nicely, you can see generic information about the computer itself such as hardware information (CPU, RAM, Disk, et cetera). You can also see which version of Windows is being used together with the license key. At the bottom of the screen you can see all of the stolen information such as ICQ credentials, usernames and passwords taken from stored e-mail accounts in Outlook and Thunderbird, and also information stored in the password managers of Internet Explorer, Firefox, and Opera."

The blog then concludes with "The guys behind the trojan are from Russia and the tool is available in both English and Russian languages. This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to quickly get to the information instead of having just TXT files with loads and loads of text to filter through."

Read the blog for more information.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Phishing up over 13%

Fortinet last week released its report for April, which showed phishing detections up over 13%. Here's the report for more details.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 14, 2007

How to get hosed when thinking you're using the Windows automatic update

Brian Krebs today posted a blog, "New Attack Piggybacks on Microsoft's Patch Service", describing a proof-of-concept attack in which a Trojan uses the background download service behind Windows automatic updates to fetch its second-stage payload past the user's firewall. His blog describes the attack as follows:
"
Security researcher Frank Boldewin last week published a "proof-of-concept" program illustrating an attack technique he'd witnessed in March via an e-mail he received. The e-mail appeared to have been sent from a local Internet service provider in Germany. The file included with the message was designed to install a Trojan horse program on a victim's machine enabling other corrupt software to download.

The other software leveraged a Windows program called the "background intelligent transfer service," or BITS. It is used by the Windows automatic updates feature designed to download security updates via a customer's spare network bandwidth.

BITS is designed to resume downloading an unfinished file even after a user restarts or logs off of Windows. As soon as the system restarts or regains Internet connectivity, BITS can pick up where it left off. Additionally, the sender can determine whether the entire file transfer completed successfully by setting a special code on the transfer.

The real danger is -- assuming the Trojan sneaks past a user's anti-virus software -- the user's software firewall likely would not detect the outgoing connection when the victim's machine starts downloading the second-stage payload. That's because BITS is a legitimate system service that the firewall would allow by default or the user long ago allowed it permanent access in and out a firewall.
"

At the end of his blog, Brian notes the following:
"I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job."

This is his current recommendation for avoiding the attack. It is plain least privilege: a Trojan running as a limited user cannot write to system locations or install a service, so it has far less to work with even after it is on the machine.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

How criminals will eat the home made chips with the phish

The Guardian this past weekend ran a story, "No phish with home-made chips". It documents the recent deployments of one-time passcode card readers by Barclays, NatWest/Royal Bank of Scotland and Lloyds TSB. The article goes on to say "Once you put the debit card into the reader and type in your pin - the one you use in shops - you will be given a number. Your card's chip is encrypted with a tiny selection of the potential 99,999,999 numbers. The bank itself knows on its central computer which these are and the order they will come up in, but the chances of a fraudster working this out are infinitesimal."

The story's implication is that this will stop phishing attacks. What utter rubbish!

People writing these articles are confusing trojan keyboard-logger attacks with man-in-the-middle phishing attacks. While one-time passwords address common keyboard-logging attacks, they will not stop phishing! Why?

In a phishing attack the consumer clicks on a link in an email and lands on a website run by criminals, who sit as the man in the middle between the consumer and the bank.

You think you're at the bank's website and enter your user ID and then the one-time password. The criminal site immediately passes both on to the real bank's website, within the short window in which the code is still valid, and is successfully authenticated. The criminals are now logged on as you, while you think you are logged on to your bank. At this point the criminals are able to eat the chips!

In a recent paper I authored, "Myths about protecting your enterprise from phishing attacks", I document this and other myths about defending against phishing attacks. The paper concludes with recommended best practices for defending against phishing:

1. Use transaction software.
2. Use phishing filtering software.
3. Train your customers.
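The relay described above, and in the May 1 post on VeriSign's cards, is easy to see in code. The following is an added example, not code from this post or from the "Myths" paper: the bank, the customer's token and the phishing site are plain Python objects, and the shared secret, the user "alice", the payee and the amounts are all constructed for the demonstration. It plays three exchanges through the criminals' proxy: a login with a one-time password, a payment confirmed with a second plain one-time password, and a payment confirmed with a code computed over the payee and amount the customer's own reader displayed (one form that the "transaction software" recommendation can take; that reading is mine). The first two go through; the third fails because the proxy had to substitute its own payee.

```python
"""
Added example (not from the post or from the "Myths" paper it cites): a simulation
of relaying one-time passwords through a phishing site. The bank, the customer's
token and the phishing site are plain Python objects; the shared secret, the user
"alice" and the payee / amount values are constructed for the demonstration.
"""
import hashlib
import hmac
import time
from typing import Optional

STEP = 30  # seconds per OTP time step


def totp(secret: bytes, when: float, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238 style: HMAC-SHA1 over the time step)."""
    counter = int(when // STEP).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(secret: bytes, payee: str, amount: int, digits: int = 6) -> str:
    """Code bound to the transaction: the reader shows payee and amount before computing it."""
    mac = hmac.new(secret, f"{payee}|{amount}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Bank:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.sessions: set = set()
        self.transfers: list = []

    def login(self, uid: str, otp: str, now: float) -> bool:
        # Accept the current and the previous step, as servers usually do for clock drift.
        for t in (now, now - STEP):
            if hmac.compare_digest(totp(self.secret, t), otp):
                self.sessions.add(uid)
                return True
        return False

    def transfer_with_otp(self, uid: str, payee: str, amount: int, otp: str, now: float) -> bool:
        """Weak confirmation: a second OTP that says nothing about payee or amount."""
        if uid in self.sessions and self.login(uid, otp, now):
            self.transfers.append((payee, amount))
            return True
        return False

    def transfer_with_code(self, uid: str, payee: str, amount: int, code: str) -> bool:
        """Strong confirmation: the code must match the payee and amount actually submitted."""
        if uid in self.sessions and hmac.compare_digest(
                transaction_code(self.secret, payee, amount), code):
            self.transfers.append((payee, amount))
            return True
        return False


class PhishingProxy:
    """The criminals' site: collects what the customer types and relays it to the real
    bank, substituting a mule account as the payee."""

    def __init__(self, bank: Bank) -> None:
        self.bank = bank

    def fake_login(self, uid: str, otp: str, now: float) -> bool:
        return self.bank.login(uid, otp, now)  # relayed while the OTP is still valid

    def fake_transfer_otp(self, uid: str, amount: int, otp: str, now: float) -> bool:
        return self.bank.transfer_with_otp(uid, "MULE-ACCOUNT", amount, otp, now)

    def fake_transfer_code(self, uid: str, amount: int, code: str) -> bool:
        return self.bank.transfer_with_code(uid, "MULE-ACCOUNT", amount, code)


def run_relay_attack(now: Optional[float] = None) -> dict:
    """Play the three exchanges and report which ones the relay gets through."""
    now = time.time() if now is None else now
    secret = b"constructed-demo-secret"  # shared by the card/token and the bank
    bank = Bank(secret)
    proxy = PhishingProxy(bank)

    # 1. Login: the customer types uid + OTP into the phishing page; relayed as-is.
    login_ok = proxy.fake_login("alice", totp(secret, now), now)
    # 2. Payment confirmed with another plain OTP: relayed just as easily, payee swapped.
    otp_ok = proxy.fake_transfer_otp("alice", 500, totp(secret, now), now)
    # 3. Payment confirmed with a code over what the customer's own reader displayed
    #    (payee LANDLORD, amount 500): the attacker's substituted payee does not verify.
    code_ok = proxy.fake_transfer_code("alice", 500, transaction_code(secret, "LANDLORD", 500))

    return {"login_relayed": login_ok, "otp_confirm_relayed": otp_ok,
            "bound_code_relayed": code_ok, "transfers": list(bank.transfers)}


if __name__ == "__main__":
    for key, value in run_relay_attack().items():
        print(f"{key}: {value}")
```

The point of the third exchange is that the secret never has to leave the card: what stops the criminals is that the code commits to details they needed to change. A code that only proves "the customer is present" proves the same thing to the bank whoever forwards it.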

Are the banks' efforts wasted? No. They will temporarily limit the success of trojan keyboard loggers. However, that benefit may erode quickly. Criminals will likely devise malware that recognizes when you're going to your bank's website, and may then combine a pharming attack with a phishing attack. Here's how it might look in the near future:

You enter your bank's URL in the browser. Unbeknownst to you, your home router still has its default password. The criminals' malware, already sitting on your computer, has worked this out and changes the DNS settings on the router so that the bank's hostname resolves to a fake bank page. So, even though you've typed the correct URL, you end up at a phishing site. You then enter your ID and one-time password, which the criminals pass on to the bank. (The fake site cannot present a valid certificate for the bank's hostname, so the attack also relies on the user clicking through the browser's certificate warning or not noticing that the page is plain HTTP.)

What are the chances of this happening? They're good: analysts say that over 50% of home routers are still using the default password.

So, in many cases, the bank's introduction of one-time passwords is expensive publicity to reassure its customers that online banking with them is safe. In reality, this security will be bypassed. Just ask ABN Amro, which only a few weeks ago had its multi-factor authentication foiled by a man-in-the-middle phishing attack.

Caveat emptor.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


May 16, 2007

Potential way to hack Vista

Ryan Naraine today posted an excellent blog, "Defeating UAC with a two-stage malware attack", a must-read for enterprise managers deploying Vista or planning to. The blog outlines independent researcher Rob Paveza's proof of concept for a two-stage malware attack on Vista.

Quoting Symantec's Ron Bowes, Ryan explains the attack as follows:
" The attack the researcher outlines involves the construction of the Start menu. A user’s Start menu is built from at least two locations. One is the user’s Start menu folder and the other is global. These two locations are merged to create the Start menu that the user sees. If the same shortcut exists in both the user’s folder and the global folder, the user’s is used.

The proxy infection tool, which is run by the user, writes to the user’s Start menu folder and reads from the global Start menu folder without requesting elevated permissions. The program searches the global Start menu folder for all programs that require elevation, and creates duplicates in the user’s folder that point to the malicious code. This is the second stage of the attack.

When the user attempts to run a program that has been duplicated, they see a UAC prompt. Because the program already required elevated permission, the user wouldn’t be alarmed. The malicious program, with elevated privileges, executes the intended program, fooling the user into thinking everything is normal. Meanwhile, the malicious program can clean up any trace that it had piggy-backed, and install itself somewhere with permanently-elevated privileges.
"

Read Ryan's blog for more information on the attack, as well as the strategies he recommends for Microsoft to deal with it.
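The tell of this attack is a per-user shortcut carrying the same relative path as an all-users shortcut, since the per-user copy wins when Explorer merges the two trees. The following is an added example, not code from Ryan's post or from the researchers he quotes: a check that walks both Start Menu trees and reports every shadowed pair, flagging those where the per-user copy is newer than the global one (the pattern the proof of concept produces). The default locations are the standard Vista ones under %APPDATA% and %ProgramData%; both roots can be passed explicitly so the check runs against any pair of directories.

```python
"""
Added example (not from the post or from the researchers it quotes): find per-user
Start Menu shortcuts that shadow all-users ones. Default roots are the standard Vista
locations; both can be overridden so the check runs on any pair of directories.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional, Tuple

START_MENU = Path("Microsoft") / "Windows" / "Start Menu"


def default_roots() -> Tuple[Path, Path]:
    """(per-user root, all-users root) on Vista and later."""
    return (Path(os.environ.get("APPDATA", "")) / START_MENU,
            Path(os.environ.get("ProgramData", "")) / START_MENU)


def index_shortcuts(root: Path) -> Dict[str, Path]:
    """Map each .lnk's path relative to root (lower-cased) to its full path.
    Relative path, not bare name: only shortcuts in the same merged folder shadow."""
    if not root.is_dir():
        return {}
    return {str(p.relative_to(root)).lower(): p for p in root.rglob("*.lnk")}


def shadowed_shortcuts(user_root: Optional[Path] = None,
                       global_root: Optional[Path] = None) -> List[dict]:
    """Shortcuts present in both trees. The per-user copy is the one Explorer will run."""
    if user_root is None or global_root is None:
        user_root, global_root = default_roots()
    user, glob = index_shortcuts(user_root), index_shortcuts(global_root)
    hits = []
    for rel in sorted(set(user) & set(glob)):
        u, g = user[rel], glob[rel]
        hits.append({
            "shortcut": rel,
            "user_copy": u,
            "global_copy": g,
            # A per-user copy written after the global one is what the PoC leaves behind.
            "user_is_newer": u.stat().st_mtime > g.stat().st_mtime,
        })
    return hits


if __name__ == "__main__":
    for hit in shadowed_shortcuts():
        age = "NEWER" if hit["user_is_newer"] else "older"
        print(f"{hit['shortcut']}: per-user copy is {age} than the global one -> {hit['user_copy']}")
```

A legitimate per-user install can produce the same pair, so treat a hit as something to inspect rather than as proof of compromise: open the per-user .lnk and compare its target with the global copy's. Running the check from a scheduled task under the user's own account is enough, since both trees are readable without elevation.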

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 18, 2007

People will do the dumbest things

Yesterday the Register ran a story, "Feeling left out? Get your PC infected today!", documenting the work of a researcher who paid for a Google ad campaign reading "Drive-By Download Is your PC virus-free? Get it infected here!". According to the article, "The "click here to be infected" campaign was displayed 259,723 times and clicked on 409 times, at a click-through rate of 0.16 per cent or around one in 500. The cost of the six-month campaign was $23, or around 5c per chance to infect a PC."

People will do the dumbest things. Education matters in reducing the share of the population who click on things they shouldn't.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Internet battlefield - Kaspersky Analysis

This past week Kaspersky Lab released a report on Viruslist, "Malware Evolution: January - March 2007". It outlines the ongoing internet battle between different criminal gangs.

The report outlines the problems seen in the first three months of this year:
"The situation was becoming more and more interesting. Three groups, from different countries, who were all busy with the same thing – creating botnets to send spam and harvest email addresses. All these groups are dependent on money from spammers, who will pay good money for the biggest botnet and the largest database. This brought the three groups into conflict with each other, and they are willing to use everything at their disposal to gain an advantage. The result was an unending cycle of attacks on users. In order to infect machines, the virus writers had come up with newer and newer methods to evade antivirus filters."

The blog concludes with "The events of the first three months of 2007 confirmed our worst fears. Virus writers are still continuing to organize multiple short term epidemics by releasing numerous variants of a single malicious program onto the Internet in a short space of time. Naturally, this makes life more difficult for antivirus companies. Vista became a target for hackers, who were not only searching for vulnerabilities, but also for ways to evade some of the security features such as UAC, Patch Guard, and protection against buffer overflows."

Read this report. It provides an excellent overview of the state of the war against these criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

May 21, 2007

Microsoft releases MOICE

Ryan Naraine today blogged "Microsoft releases Office exploit isolation tool". Ryan's blog says "The tool, called MOICE (Microsoft Office Isolated Conversion Environment), can be used in tandem with Group Policy settings to convert documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a potential security risk."

I strongly recommend that enterprises and users implement this tool to reduce the risk of a successful malware attack. Read Ryan's blog for more details.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com