About August 2007

This page contains all entries posted to AuthenticationWorld Blog in August 2007. They are listed from oldest to newest.


August 2007 Archives

August 2, 2007

Blue Pill - The attack that won't go away

Last year I wrote a blog on Joanna Rutkowska's Blue Pill attack. This week, at the annual Black Hat conference, several malware detection companies are taking a run at Blue Pill saying they can detect it. However, maybe the detection won't work.

In "Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game" eWeek lays out why a Matasano attempt to detect the rootkit failed.

In Searchsecurity.com's "Black Hat 2007: Rootkit hunters caught in cat-and-mouse game" they discuss the attempts by other companies to detect the Blue Pill attack. However, as the article notes:

"One of the methods Lawson outlined for detecting a virtualized rootkit involves observing changes in the Translation Lookaside Buffer (TLB), a cache in the CPU. When something causes a virtual machine to exit, the hypervisor leaves traces of its presence in the TLB. So, Lawson said, one way to detect a hypervisor rootkit would be to cause it to somehow exit, and then read the TLB and look for changes.

But, Lawson and Ptacek conceded, there's nothing stopping the malware author from writing a feature to detect the "rootkit detector," which Lawson said leads back to the familiar attacker-defender cat-and-mouse game."

Bottom line: there is no good way to detect Blue Pill attacks. As one of the articles notes:

"So yes, Blue Pill is almost certainly on the horizon. And it's not something that will be easy to ignore even if you think you never use virtualization, either. Last year, Allan said, he left Rutkowska's Blue Pill demonstration feeling pretty comfortable. "Watchfire works in [cross-site scripting]," he said. "I used to say, 'Turn off JavaScript—don't enable it in the browser.' Last year my response was, 'This is easy, just block the ability to do virtualization.'"

That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components.""

If you can't turn off virtualization, then caveat emptor.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Layered defenses get another plug

A former Black Hat today wrote an interesting article in Searchsecurity.com, "Metamorphic malware sets new standard in antivirus evasion". The author, Noah Schiffman, outlines the growing challenge of metamorphic viruses. Read the article, as he outlines the general architecture of viruses. At the end he makes a great recommendation:

"Protection from any type of metamorphic malware is best addressed by blended threat management platforms using a multi-layered approach. Antivirus software, updated frequently, remote access restrictions and compliance monitoring should be employed at the server and end-user levels. Network and personal firewalls should have any unused service ports shut down. Email servers should employ content filters and file scanning. Finally, any corporate setting should develop, maintain and enforce a well-defined and effective set of security policies. In extreme situations, when dealing with highly sensitive data, extra security measures such as real-time emulation analysis and specialized network segmentation may be considered."

Layered defenses. It's the only way to mitigate risk in today's world.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Attacks on financial institutions customer accounts getting more sophisticated

An article yesterday in Dark Reading, "MPack Banking Malware Infects 500,000 Computers", should put the jitters into financial institution security and IT managers. It documents a hacking tool, for sale by the Russian underground for $1,000, that downloads malware onto the user's computer via a website the user visits and then harvests bank user IDs, PINs and social security numbers. The success rate is 16%, which is quite high.

The article then goes on to claim the following about the malware:

"The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind," Finjan researchers reported in an advisory. "Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience."

To make matters even worse for users and IT managers, the malware downloaded by the MPack toolkit is still not detected by the majority of popular security products, according to Finjan. And that makes it very effective in infecting PCs.

"This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent Web sites," said Yuval Ben-Itzhak, Finjan's CTO, in a written statement. "Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect. After the customer fills in the login form on their Web site and clicks on the 'Log In' button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending to bank's server. The customer thinks they are still on the bank's Web site but they are actually sending data to the criminal's server over an encrypted connection."

Ben-Itzhak explained that the crimeware takes over the browser and creates a copy of the real banking page in real-time so the user is further tricked into thinking they're at a legitimate site. For each financial institution, the crimeware sends a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service.

Now here's what I think is going to happen in the near future as banks deploy stronger authentication such as card readers, tokens, biometric keyboards, etc. The software will be configured to recognize the bank's authentication mechanisms. Then, in real time, it will construct the bank's webpage and request the user's strong authentication. Then, the rest is the man in the middle attack. The customer enters the info, the criminals pass it along, the criminal is successfully authenticated posing as the customer and it's withdrawal time!

In my own opinion, this type of attack is going to become more common over the coming two years than conventional phishing attacks. No email link to click on. Just have the customers visit a website where the code is downloaded quietly into their computer.

The only real way to mitigate risk from this form of attack is to deploy transaction authentication software. Examining the customer's IP address, geolocation, time of withdrawal, usage profile, past history, the hardware on the computer being used, and so on is the way to spot a potential loss in the making.
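To make that concrete, here is an added example of transaction authentication written for this post (it is not code from the post or from any vendor). It scores a withdrawal against what the bank already knows about the customer, using the signals listed above: IP geolocation, time of withdrawal, usage profile, past history and the hardware fingerprint of the requesting machine. The customer profile, the transactions, the weights and the thresholds are all constructed for illustration. The "hijacked" transaction models the man-in-the-middle case: the credentials are perfectly valid, but the request reaches the bank from the criminal's relay, so the geolocation and hardware signals still fire.

```python
"""Transaction authentication: score each withdrawal against the customer's
history instead of trusting the login session alone.

Added example, not code from the AuthenticationWorld post. Weights,
thresholds, the profile and the transactions are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    usual_countries: Set[str]   # countries the customer's IPs geolocate to
    usual_hours: range          # local hours in which past withdrawals fell
    known_devices: Set[str]     # hashes of hardware fingerprints seen before
    known_payees: Set[str]      # payees from past history
    typical_amount: float       # median past withdrawal amount


@dataclass
class Withdrawal:
    customer_id: str
    amount: float
    payee: str
    src_country: str            # geolocation of the requesting IP address
    device_hash: str            # hardware fingerprint of the requesting machine
    when: datetime


# Assumed weights per anomaly signal; a real deployment tunes these from
# historical fraud data.
WEIGHTS = {
    "new_country": 40,
    "new_device": 25,
    "odd_hour": 10,
    "new_payee": 15,
    "large_amount": 20,
}
BLOCK_AT = 60      # assumed threshold: hold the funds and investigate
STEP_UP_AT = 25    # assumed threshold: confirm out of band before release


def score_withdrawal(profile: CustomerProfile, tx: Withdrawal) -> Dict[str, int]:
    """Return the anomaly signals that fired, each with its weight."""
    signals: Dict[str, int] = {}
    if tx.src_country not in profile.usual_countries:
        signals["new_country"] = WEIGHTS["new_country"]
    if tx.device_hash not in profile.known_devices:
        signals["new_device"] = WEIGHTS["new_device"]
    if tx.when.hour not in profile.usual_hours:
        signals["odd_hour"] = WEIGHTS["odd_hour"]
    if tx.payee not in profile.known_payees:
        signals["new_payee"] = WEIGHTS["new_payee"]
    if tx.amount > 3 * profile.typical_amount:
        signals["large_amount"] = WEIGHTS["large_amount"]
    return signals


def decide(signals: Dict[str, int]) -> str:
    """Map the summed risk to allow / step_up / block."""
    total = sum(signals.values())
    if total >= BLOCK_AT:
        return "block"
    if total >= STEP_UP_AT:
        return "step_up"
    return "allow"


def review(profile: CustomerProfile, tx: Withdrawal) -> Tuple[Dict[str, int], str]:
    signals = score_withdrawal(profile, tx)
    return signals, decide(signals)


# Constructed customer history.
PROFILE = CustomerProfile(
    customer_id="cust-001",
    usual_countries={"CA"},
    usual_hours=range(7, 23),
    known_devices={"dev-a1"},
    known_payees={"hydro", "landlord"},
    typical_amount=200.0,
)

# Constructed requests. HIJACKED_TX is the man-in-the-middle case: valid
# credentials, but the request arrives from the criminal's relay machine.
NORMAL_TX = Withdrawal("cust-001", 180.0, "landlord", "CA", "dev-a1",
                       datetime(2007, 8, 2, 10, 15))
HIJACKED_TX = Withdrawal("cust-001", 2500.0, "mule-acct", "RO", "dev-zz",
                         datetime(2007, 8, 2, 3, 40))
UNUSUAL_TX = Withdrawal("cust-001", 700.0, "new-shop", "CA", "dev-a1",
                        datetime(2007, 8, 2, 14, 0))

if __name__ == "__main__":
    for tx in (NORMAL_TX, HIJACKED_TX, UNUSUAL_TX):
        signals, verdict = review(PROFILE, tx)
        print(f"{tx.payee:>10} {tx.amount:>8.2f} -> {verdict:8} {signals}")
```

The point of the design is that none of the checks depend on the login being genuine: a relayed session with the customer's real password and one-time code still shows the relay's geolocation and hardware, so the bank can hold the transfer and confirm it out of band even though authentication "succeeded".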

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

10 reasons to worry if you're an IT Security Director

I came across an article written early in June by Robin Bloor, an IT director, called "10 reasons why the Black Hats have us outgunned". It is worth a read. The article comments on many of the same things I have blogged about for the last year. Have a layered defense.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Hacks against banks up 81%!

Information Week today ran a story "Number Of Hackers Attacking Banks Jumps 81%". SecureWorks, today at the Black Hat conference, also said that attacks against credit unions rose 62% from last year.

The article says:

"You go to a Web site and pay $100 to several hundred dollars, and you can buy a turnkey exploit package," said Stewart. "You can buy the malware too, and then you're in business. You put these components up on a Web site and immediately start infecting people. All you really need to know how to do at this point is set up a Web site."

This new ease-of-use is evident in the numbers.

SecureWorks reported that between June 2006 and December 2006, they blocked attacks from about 808 hackers per bank per month. From the beginning of this year through June, there's been an average of 1,462 hackers launching attacks at each of the company's bank clients. As for the credit unions, SecureWorks reported blocking attacks from 1,110 hackers per credit union per month. That number rose to 1,799 this year.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 9, 2007

Why more authentication may be harmful to banks

A very interesting article appeared yesterday in Dark Reading, "New Bank Practices Make Hacking Easier". The article quotes Brendan O'Connor, an independent researcher, on his research into the recent increase in the use of stronger authentication by US financial institutions as a result of FFIEC requirements.

The article states:
"To prove his point, O'Connor signed up for a number of online banking services, then installed an inline proxy so that he could monitor the exchange between his computer and the bank's. "I just watched the HTTP requests and responses for these sessions, and immediately knew how to break them," he says.

"The methods [banks] are using for device 'fingerprinting' are effectively Javascript and, in some cases, a flash object," O'Connor explains. "If you think about it logically, they are sending code to my computer, and asking it to be honest about its characteristics. Because I can see the code they are using, I can see exactly what questions they are asking my computer, and what a proper response needs to look like.

"I'd hate to call this a 'hack,' because they did the hacking for me," O'Connor says.

The banks believe that by adding a second question or image -- or by requiring the user to send an email -- they are increasing the odds against an attacker guessing his way into a user's account, O'Connor says. But most savvy phishers and thieves don't break in by guessing, but by stealing information through different means, such as keyloggers or social engineering, O'Connor observes.

The banks' new "second" factors of authentication actually improve the attackers' chances of a break-in by making the penetration path more clear, he explains.

"Effectively, I just downloaded the authentication scripts from the target Website -- it happens before you are authenticated, so you just go to the login page and copy and paste," O'Connor says. In his DefCon presentation, O'Connor demonstrated an exploit against one of his own accounts, "to show the audience how ridiculously easy this stuff is to bypass or impersonate," he says.

"At the end of it, I delivered my security image and phrase via my 'phishing' Website to show how an attacker can impersonate the real bank," O'Connor says. "I also did a standard man-in-the-middle attack for challenge questions, to illustrate that [one-time passwords] and challenge questions are just as easy to get past."

O'Connor believes that the efforts of banks and the FFIEC to add additional factors of authentication are a misuse of resources."

This article merely confirms something I have been writing about for the last two years, i.e., the need for transaction authentication. The other forms of stronger authentication are prone to man in the middle attacks and, as the article points out, attackers often do better with traditional phishing and keystroke logging coupled with social engineering.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Hacking a biometric authentication system

eWeek has a very interesting slide show, "The Security of Biometrics: Two Screws and a Plastic Cover", which I strongly recommend viewing. The slide show shows, step by step, how to hack a biometric system.

One of the weak spots in many biometric systems is the use of the Wiegand protocol. As the slide show says: "The Wiegand protocol is, Franken said, a) in plain text, b) easily intercepted, c) easily replayed, d) includes output from biometric readers, and e) includes output from even strong crypto contactless smart card readers. This means the output, including all data pertaining to a card holder, can be captured on a hacked system."
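To see why "plain text" matters on the wire between reader and controller, here is an added example (written for this post, not taken from the eWeek slide show) that encodes and decodes the common 26-bit Wiegand card format. The layout assumed is the standard one: bit 0 is even parity over the following 12 bits, bits 1 to 8 carry the facility code, bits 9 to 24 the card number, and bit 25 is odd parity over the preceding 12 bits. The facility code and card number are constructed values. The decoder is everything a controller can verify about a frame: two parity bits, and nothing that binds the frame to a particular reader, time or session.

```python
"""Encode and decode 26-bit Wiegand frames; the only integrity the format
carries is two parity bits.

Added example, not from the eWeek slide show. Bit layout assumed is the
common "standard 26-bit" format; the card values below are constructed.
"""
from typing import List, Tuple


def encode_wiegand26(facility: int, card: int) -> List[int]:
    """Build a 26-bit frame as a list of 0/1, first bit on the wire first."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    body = [(facility >> (7 - i)) & 1 for i in range(8)]       # bits 1-8
    body += [(card >> (15 - i)) & 1 for i in range(16)]        # bits 9-24
    left, right = body[:12], body[12:]
    p_even = sum(left) % 2             # first 13 bits must sum to even
    p_odd = 1 - (sum(right) % 2)       # last 13 bits must sum to odd
    return [p_even] + body + [p_odd]


def decode_wiegand26(bits: List[int]) -> Tuple[int, int]:
    """Return (facility, card); raise ValueError if the frame fails parity.

    These two parity checks are the complete set of checks the format allows
    a controller to make on a received frame.
    """
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits of 0/1")
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("leading even parity failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("trailing odd parity failed")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card


def frame_is_valid(bits: List[int]) -> bool:
    """True when the controller would accept the frame as well-formed."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


# Constructed credential: facility 42, card 12345.
SAMPLE_FRAME = encode_wiegand26(42, 12345)

if __name__ == "__main__":
    print("on the wire:", "".join(map(str, SAMPLE_FRAME)))
    print("controller decodes:", decode_wiegand26(SAMPLE_FRAME))
    damaged = list(SAMPLE_FRAME)
    damaged[5] ^= 1                      # a single flipped bit is caught...
    print("damaged frame accepted:", frame_is_valid(damaged))
    print("same frame a second time accepted:",
          frame_is_valid(list(SAMPLE_FRAME)))   # ...an identical frame is not
```

Because every field is readable in the clear and the parity bits are computed from those same fields, a controller has no way to tell a frame produced by a reader from an identical frame produced by anything else on the same wire. That is what makes the reader-to-controller link the weakest link, regardless of how strong the biometric or smart card in front of it is; the mitigation is an authenticated, encrypted reader protocol rather than a stronger credential.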

Security is only as strong as the weakest link.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 15, 2007

Identity, Security and Business Risk

Several years ago I had a vision for enterprise security management. In my vision I saw that security risk would be assigned by ERP modules. The risk would be assigned based on value of business processes, enterprise information capital, physical assets and identities. Once the risk was assessed, the ERP would then automatically create security policies. These policies would then be automatically enforced throughout the enterprise by the enterprise security/identity/physical access systems.

Further, I saw the problems that large enterprises were going to have understanding the security policies. In my vision, I saw that the ERP security module would display the enterprise graphically. A senior manager or Board member would be able to slice and dice security visually. For example, enterprise assets could be displayed by levels of risk. This could then be displayed on a building by building basis. Then role access could be displayed overlaying this. The same thing could be done to display business processes by risk. All of this could then be displayed against real time.

At the time, I thought that this vision was not possible. The ERP vendors weren't players in the identity security space. There weren't any standards for identity access and authorization.

Today, the stage is becoming set to begin turning this vision into reality for several reasons:

1. There are the beginnings of an emergent identity data governance protocol in Liberty Alliance that would allow for intercommunication and enforcement of data security across disparate identity silos and identity protocols.
2. BPM and BPEL allow for protocols to manage business processes and tie this to security.
3. ERP vendors like Oracle and SAP are now players in the identity/security space.
4. Many physical access devices are now LDAP compliant allowing them to talk to the enterprise LDAP systems.
5. There are virtual directories allowing for rapid integration of enterprise databases into enterprise directories.

What's missing to complete the vision?

* No document management protocols allowing for interchange of document management security policies tied to identity management authentication and authorization protocols
* Lack of strong security modules in ERP that talk to the risk modules and the identity governance modules

I am quite optimistic that over the next three to four years, my vision will become reality.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 20, 2007

OAuth approaches

The last several weeks have seen very busy activity in the authentication community developing an API for authentication. For clients, this means that there will be a simple way to publish and interact with protected data and also a simpler way to allow people to give you access to their data. On the server side, it allows users to not have to spread their passwords around the net to get access to the data. OAuth allows users to get access to their data while protecting their account credentials.

Stay tuned for more on this as the spec is released. It is built using much of OpenID.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 22, 2007

Google Proxy Hacking

Dan Thies has a very interesting blog he published on August 16 "Google Proxy Hacking: How A Third Party Can Remove Your Site From Google SERPs". The blog documents his frustration at dealing with Google for the last year to fix the hacking of Google page ranks by the use of proxies. The challenge is that as page ranking becomes extremely valuable to businesses who do business online, criminals or hackers get involved to remove competitors from the Google search results.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vista kernel tampering

Ryan Naraine yesterday published a great blog "Can Microsoft ever stop kernel tampering in Vista?". He refers to the recent Black Hat conference and the presentation by Joanna Rutkowska and documents the almost impossible task of preventing kernel attacks on Microsoft's Vista. Add to this the development of Blue Pill attacks and the future looks scary from a defense perspective.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Update on Blue Pill

Earlier this month, Joanna Rutkowska published a blog updating the Blue Pill attack and the recent comments made at the last Black Hat conference. It's definitely worth a read.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com