Friday, March 25, 2011

RSA Hacked - Beware of Attacks

RSA was hacked last week and so far they have released only sketchy information on what was compromised and how their corporate customers can truly protect themselves. Online clients of corporate Internet applications such as Internet banking and trading applications offer the greatest financial gain for the attackers.

Since it has been a week, all corporate customers should already be prepared for the worst-case scenario and in progress with their communication plans, a replacement programme for the tokens, and a reset of user passwords. Login and user activity logs for the applications should also be monitored to check that online clients are not already victims of man-in-the-middle attacks, where user IDs and passwords can be harvested through a fake intermediary 2FA login page. MITM attacks can be achieved through various methods such as spear phishing or ARP poisoning.

The underground hacker scene has been quiet, with nary a whisper on the RSA attacks, which gives rise to the suspicion that this is a pro job with a very targeted objective and that the stolen RSA materials are just a means to an end. Let's hope that you are not their target.

Thursday, March 17, 2011

5 Ways to Make Sure You Aren't the Next Wikileak

There are a lot of articles on Wikileaks in recent months, the latest being the leak on Japan's nuclear plants... not good, and my heart goes out to my friends and colleagues in Japan now, Japanese or others.

This article on the CIO website focuses on five key tips to help your government agency or enterprise avoid being the source of the next Wikileak. Good reminders, really.

http://www.cio.com/article/664945/5_Ways_to_Make_Sure_You_Aren_t_the_Next_Wikileak?source=rss_all


Low Orbit Ion Cannon - DoS attacks

What a neat way to have script kiddies join the people's revolution. It's so easy, you don't even have the time to think about the consequences any more.

It was reported that LOIC was used in Dec 2010 to attack the websites of companies and organizations that were openly opposing WikiLeaks. More than 30,000 downloads of the tool were reported to have occurred between 8 and 10 Dec 2010, and the attacks may have been routed through anonymization networks such as Tor to remove traces. The success of the DoS attacks relies on an opt-in botnet feature within the LOIC software, which volunteers the user's personal computer to be tethered to a single command server that launches the targeted attacks.

LOIC can be simply downloaded from SourceForge http://sourceforge.net/projects/loic/.

What should HBGary have done using Google Cloud Computing Services

This is rich. The article is an excerpt of an interview that HBGary CTO Greg Hoglund had with CSO correspondent Robert Lemos in the aftermath of the Anonymous break-in into HBGary's email systems and into the super rootkits that Greg was developing.

The important message of this excerpt, however, is on what to do if you use cloud computing services, especially Google's.

http://www.networkworld.com/news/2011/031711-hbgarys-hoglund-identifies-lessons-in.html?page=1

Data Protection Compliance Survey

Read this article. It provides a summary of the Thales report "What Auditors Think about Crypto Technologies", which is based on sponsored research recently conducted by The Ponemon Institute. One key point of interest to me is the mention that the use of HSMs for encryption and key management reduces the time spent on demonstrating compliance with privacy and data protection requirements. The key word here is "compliance". It doesn't mean that it is more secure. In fact, IT organisations often think that deploying an HSM is the be-all and end-all, and neglect key management. Key management to many of them means key generation and usage. Little thought is put into key expiry, rollover and renewal.

http://it.tmcnet.com/news/2011/03/17/5384344.htm

Mobile Banking?

An interesting survey done by Mobio Identity Systems for the North America market.

http://www.nearfieldcommunicationsworld.com/2011/03/17/36483/mobile-payment-security-concerns-put-brakes-on-m-commerce-market/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nfcw+%28Near+Field+Communications+World%29

How is it that DBS, Citibank and OCBC offer mobile banking apps on iPhone/iPad? Have they done their due diligence in addressing mobile computing security?

Malware for Online Banking Services?

So what if you have implemented two-factor authentication for your online banking services?

Recent developments in malware have highlighted that it is extremely hard to protect online banking services from malware. Although I still advocate that online banking users have to play their part by not downloading suspicious software, visiting dubious websites or clicking on that interesting URL link in their e-mails, covert social engineering techniques are there to fool even the most seasoned experts. Malware has evolved a lot in the last 20 years; human beings have not.

There are 3 new trojan variants that recently made the news:
  • The trojan OddJob can hijack a user's online banking session in real time by stealing session ID tokens from infected desktops, and is able to keep the session alive even after the user thinks that he/she has logged off.
  • The trojan ZeuS can inject code into a legitimate webpage and trick the user into entering his/her mobile phone number and model of phone. This information is forwarded to a rogue site that will install a mobile application that intercepts SMSes and forwards the messages to another number controlled by the attackers. The ZeuS mobile component will work on some Symbian and BlackBerry devices. Once this setup is successful.
  • Recently, it was reported that ZeuS and SpyEye have apparently joined forces, and the author of the SpyEye trojan is working hard to develop a new merged variant that may up the ante on man-in-the-middle attacks against online banking services. The latest news suggested that the ZeuS source code is for sale, at an estimated US$100,000.

How would 2FA and OTP implementations help against malware-induced man-in-the-middle attacks? Besides 2FA, MAS has required Singapore-based banks to implement a follow-on OTP for every change in transfer details and to authorise a transaction. Traditionally, the follow-on OTP is a simple one-time password generated from the 2FA token or sent by SMS. However, because that OTP is not tied to the transaction contents, it does not stop the trojan from changing the payee account within the same authorised transaction.

The latest incarnation is a challenge-response implementation that requires part of the payee account number (e.g. the last X digits) to be entered into the token to generate a unique security code. This security code is then entered into the transaction webpage to authorise the transaction. Because the bank recomputes the expected code from the payee account it actually received, if the payee account has been changed by the trojan, the authorisation will not match.
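To make the difference between the two schemes concrete, here is an added example (my own toy code, not any bank's or token vendor's implementation) that puts a plain follow-on OTP beside a challenge-response OTP bound to the last four digits of the payee account. Both are built on HOTP-style HMAC-SHA1 truncation; the token seed is the RFC 4226 test-vector secret, the counter, account numbers and amount are made-up demo values, and the "trojan" is simply a payee rewrite between the user keying the code and the bank receiving the transaction.

```python
import hashlib
import hmac
import struct

# Shared token seed. This is the RFC 4226 test-vector secret, reused here purely
# as a demo value (assumption); real seeds are provisioned per token and never
# leave the HSM / token.
TOKEN_SEED = b"12345678901234567890"
CHALLENGE_DIGITS = 4   # the "last X digits" of the payee account keyed into the token


def hotp(seed: bytes, counter: int, challenge: str = "", digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 truncation) over counter || challenge.

    With an empty challenge this is plain HOTP; with a challenge it becomes a
    challenge-response code that changes whenever the challenge changes.
    """
    msg = struct.pack(">Q", counter) + challenge.encode("ascii")
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def payee_challenge(account: str) -> str:
    """The part of the payee account number the user types into the token."""
    return account[-CHALLENGE_DIGITS:]


# --- token side: what the user's device computes -----------------------------
def token_plain_otp(counter: int) -> str:
    return hotp(TOKEN_SEED, counter)


def token_signed_otp(counter: int, intended_payee: str) -> str:
    return hotp(TOKEN_SEED, counter, payee_challenge(intended_payee))


# --- bank side: verification against the transaction actually received -------
def bank_verify_plain(counter: int, received_txn: dict, otp: str) -> bool:
    # The payee is never used: any transaction is accepted with a fresh OTP.
    return hmac.compare_digest(hotp(TOKEN_SEED, counter), otp)


def bank_verify_signed(counter: int, received_txn: dict, otp: str) -> bool:
    expected = hotp(TOKEN_SEED, counter, payee_challenge(received_txn["payee"]))
    return hmac.compare_digest(expected, otp)


def simulate(trojan_swaps_payee: bool) -> dict:
    """Run one transfer through both schemes, optionally with a payee rewrite."""
    counter = 7                                    # demo counter value (assumption)
    intended = {"payee": "123456789", "amount": "5000.00"}
    # The user keys the OTP for the transfer they see on screen...
    plain = token_plain_otp(counter)
    signed = token_signed_otp(counter, intended["payee"])
    # ...while a browser-resident trojan rewrites the payee before submission.
    received = dict(intended)
    if trojan_swaps_payee:
        received["payee"] = "987654321"            # mule account (demo value)
    return {
        "plain_otp_accepted": bank_verify_plain(counter, received, plain),
        "signed_otp_accepted": bank_verify_signed(counter, received, signed),
    }


if __name__ == "__main__":
    print("honest transfer :", simulate(trojan_swaps_payee=False))
    print("payee swapped   :", simulate(trojan_swaps_payee=True))
```

With an honest transfer both codes verify; with the payee swapped the plain OTP still verifies, because nothing in it depends on the transaction, while the challenge-response code fails. One caveat a practitioner should keep in mind: binding only the last X digits means an attacker who controls a mule account sharing those digits with the intended payee would still pass, so X should be large enough (or the whole account number and amount should be signed) that finding such an account is impractical.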

Two-factor authentication

I am constantly surprised at the various interpretations of two-factor authentication that I've heard. The Monetary Authority of Singapore (MAS), the financial regulator, has a good definition of 2FA in its Internet Banking and Technology Risk Management (IBTRM) guidelines version 3.0 (published June 2008). It says:

Two factor authentication for system login and transaction authorisation can be based on any two of the following factors:

  • What you know (e.g. PIN)
  • What you have (e.g. OTP token)
  • Who you are (e.g. biometrics)

What does this mean for financial institutions operating in Singapore? MAS previously issued circular SRD TR02/205, which required all banks to implement 2FA for Internet banking by the end of 2006. By MAS's definition, Internet banking means:

"Internet banking refers to the provision of banking services and products via electronic delivery channels based on computer networks or internet technologies, including fixed line, cellular or wireless networks, web-based applications and mobile devices. For the purpose of this paper, the generic reference to bank or banks includes financial institutions which provide online trading or other financial services and products on the internet and interconnected networks. Where appropriate, internet banking is to be regarded as synonymous with online financial services."

In summary, as long as you provide an online banking service to your Singapore clients over the Internet, even if it is non-transactional (e.g. viewing of account statements), the IBTRM requirement applies.