Friday, June 22, 2007

Making our mark

It was time to go. We’d succeeded in breaking into their primary systems and had installed our backdoor. We hung the company shirt and other marketing tchotchke around the room.

Now we had to get out quietly. We waited until we could mix with a shift change and left unnoticed in the crowd.

At the front entrance, we asked to see the security chief. The guards were confused. They didn’t believe us when we said that their boss was in his office. Our mission was complete. The news was not good.

We’ve turned south now. The Aleutians are falling behind us. I can see the first hint of dawn, and home is six hours away.

The end, (part 7 of 7) (go back to part 1)

TriCipher Responds

After I published TriCipher USB key, Tim Renshaw, VP Field Solutions at TriCipher responded with the following confirmations and clarifications:

Yes, we use two authentication "stores". In the TriCipher solution (our name alludes to our 3-key technology) set, we use public key crypto, but instead of having a single private key and public key, each user has 2 private keys and a public key. A private key the user controls and a second private key kept on the TriCipher ID Vault appliance. Of course, then there is a 3rd key, the public key.

For our "USB key" feature, the USB device serves as the 2nd "what you have" factor and of course works in conjunction with the user's password. These two components are used to recreate what is best to think of as the "user's key". Note that loss or theft of the USB key provides an attacker no attack vector to guess or work backward to the password. Same with theft of the password. Whether phished, pharmed, keylogged or social engineered in any way, possession of the password alone is useless without the USB key.

The "user's key" is used in conjunction with the other private key for that user kept on the ID Vault (ID Vault key). To properly authenticate both the user's key and the ID Vault key are used to co-sign, if you will, and consequently create a standard, x.509 certificate based, verifiable signature for any client-SSL enabled relying party site.

Important points:
  • Relying party needs no TriCipher code to accomplish this standards-based function.
  • The two private keys for each user are never recombined anywhere to be compromisable in a single location.
  • The user's private key is never stored anywhere, ever.

No, we do not get in the middle between authenticating sites and users. We utilize the true two-way, mutual authentication SSL mechanism built into both the server and client ends. All our "magic sauce" briefly described above is done between the client and the TriCipher ID Vault directly. It is pretty accurate to think of the connection between the client and the ID Vault as forming a secure, virtual smart card. Certainly as far as all the client code is concerned, the signature is performed by a local, smart card as we again use the existing standards for signing procedures, CAPI and PKCS11.

I still have to wonder about the compromised computer kiosk. If I insert my USB key into an 0wned system, can that system rip the token from the key and log my password?
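Renshaw's description above (two private shares that co-sign, the user's share recreated from USB key plus password and never stored) can be illustrated with a split-key signature. This is an added example, not TriCipher's code: the post does not give the actual mechanism, so additive RSA exponent splitting (d = d_user + d_vault mod φ(n)) is assumed here as one standard way to do it, with a toy 60-bit modulus and constructed secrets.

```python
import hashlib

# Constructed toy RSA parameters (hypothetical; far too small for real use).
P, Q = 1000000007, 1000000009
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)   # the whole private exponent; it exists only during enrolment

def derive_user_share(usb_secret: bytes, password: str) -> int:
    """Recreate the user's private share from the two factors.
    Nothing is stored: a stolen USB key or a keylogged password alone
    yields a different, useless share."""
    material = hashlib.sha256(usb_secret + password.encode()).digest()
    return int.from_bytes(material, "big") % PHI

def enroll(usb_secret: bytes, password: str) -> int:
    """Enrolment: the ID Vault keeps only the complementary share d_vault,
    so the two shares are never recombined in one place afterwards."""
    d_user = derive_user_share(usb_secret, password)
    return (D - d_user) % PHI

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def cosign(message: bytes, usb_secret: bytes, password: str, d_vault: int) -> int:
    """Client and vault each apply their own share; the product is a
    standard RSA signature h^D mod N, verifiable with the public key alone."""
    h = digest(message)
    s_user = pow(h, derive_user_share(usb_secret, password), N)   # client side
    s_vault = pow(h, d_vault, N)                                  # ID Vault side
    return (s_user * s_vault) % N        # h^(d_user + d_vault) = h^D mod N

def verify(message: bytes, signature: int) -> bool:
    """Relying party check: ordinary RSA verification, no TriCipher code needed."""
    return pow(signature, E, N) == digest(message)
```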

Friday, June 15, 2007

TriCipher USB key

From the marketing glossy it would seem they use public key crypto, with two authentication stores. One is on the key and the second is on the Web.

The key is used to authenticate you to the TriCipher key vault on the web. TriCipher then authenticates you to the financial web site. My guess is that you establish an SSL tunnel to TriCipher using a certificate on the key. You then authenticate yourself to TriCipher using something you know. Then TriCipher somehow authenticates you to the bank and establishes an SSL session between you and the bank that is already authenticated.

My guess is that TriCipher starts as a man-in-the-middle and then somehow hands off the session, maybe a reverse tunnel is established from the bank back to you?

Since you're running software off of the key and your authentication to TriCipher involves a cert and something you know, it's possible to evade key loggers. One method would be for TriCipher to display a captcha image back to the user which the user combines with their pass-phrase to create a one-time key for the session.

But this is all guess work from a marketing glossy. Might be fun to try it out.

Thursday, June 14, 2007

Phishing and Pharming

I work at a startup. It should come as no surprise that I think we do some very cool things. About a year ago, our Marketing VP realized that we had the ability to offer protection against a certain type of attack.

She created this product.

We’re still often asked, “What are Phishing and Pharming?" Here is my response:

Phishing and Pharming are common attack methodologies designed to harvest authentication credentials and personally identifying information (PII). Criminals use these attack methods to gain unauthorized access to financial, e-commerce, health care or other institutions. The attackers then sell, trade, or use these stolen identities to commit further compromises. Over 90% of these attacks target financial institutions.[1] Ultimately, these identity thefts result in billions in damages to these institutions.[2]

Phishing attacks begin with an email or instant message, the “lure” which tricks the victim into giving up their identity. Common Phishing attacks succeed 3-5% of the time; more advanced techniques like Spear-Phishing achieve 15% success rates.[3] A study at Indiana University indicated that Phishing attacks that utilize social networks might achieve success rates as high as 70%.[4]

Pharming attacks do not require a lure or any voluntary action from a user. With Pharming, the attacker compromises the network infrastructure of the victim web site. Pharming attacks are typically not detectable by the victim and may go unnoticed for hours or even days. The bank customer almost never detects these attacks and once they are detected, the victim financial institutions are notorious for not disclosing their costs. With clever construction a Pharming attack can achieve more than an 80% success rate.

Pharming is a collection of several old and new attack techniques including: DNS or domain hijack, DNS cache poisoning, Man-in-the-Middle (MITM), script injection, malware seeding and related site attacks involving cross-site scripting (XSS), frames, pop-ups and numerous other exploits of the user’s browser. In March of 2005, one Pharming attack diverted 1,304 domains and harvested over 7,000 victims in only a few hours.[5] More recently a sophisticated Pharming attack targeted 50 financial institutions -- this attack affected at least 1,000 systems per day.[6]

Protecting against these attacks[7]

Phishing is a form of social engineering; preventing these attacks requires a combination of user education and implementation of technologies that make it easier for potential victims to recognize fraudulent sites.

Pharming attacks start with an exploit against the network and application infrastructure of a web site. Financial institutions should perform the following actions to protect against Pharming:
  • Protect your entire site with SSL; educate users to look for the padlock
  • Monitor your domain and DNS infrastructure for cache poisoning, hijack and spoofing
  • Monitor your web servers and DMZ systems for vulnerabilities; implement a continuous security process for vulnerability and patch management of these critical systems
  • Monitor web content for script injection and unauthorized modifications; extend this monitoring to partner sites which include content via frames or cross-site scripting
  • Implement a secure web “watermark” that validates the security of your web site; educate your users to look for and verify the watermark is correct
  • Develop a security response plan with your service providers to react quickly and cooperate to take down a malicious site targeting your institution

For both Phishing and Pharming, provide simple mechanisms for your customers to report abuse or suspect web sites. The prevalence of these attacks will continue to rise with the swell of e-commerce. Responsible institutions must increase the difficulty (and the resulting cost) of making a copycat web site, and they must implement continuous monitoring and response processes to respond in the event of an attack.
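Two of the monitoring items in the list above, DNS answers and web content, as an added example that is not part of the original post: resolver answers are compared against a baseline record set (a cache-poisoning or hijack signal), and the served page is compared against a known-good hash and a script-host allow-list (script injection or unauthorized modification). The site name, addresses and page are constructed placeholders.

```python
import hashlib
import re

# Constructed baseline for a hypothetical bank site; none of these are real records.
SITE = "www.example-bank.test"
EXPECTED_A = {"203.0.113.10", "203.0.113.11"}
GOOD_PAGE = b"<html><body><form action='/login'></form></body></html>"
BASELINE_HASH = hashlib.sha256(GOOD_PAGE).hexdigest()
ALLOWED_SCRIPT_HOSTS = {SITE, "static.example-bank.test"}

def check_dns(answers_by_resolver: dict) -> list:
    """answers_by_resolver maps a resolver label to the set of A records it
    returned for SITE. Querying several independent resolvers is the point:
    a poisoned cache shows up as one resolver disagreeing with the baseline.
    Any address outside the baseline, or an empty answer, is an alert."""
    alerts = []
    for resolver, addrs in answers_by_resolver.items():
        rogue = set(addrs) - EXPECTED_A
        if not addrs:
            alerts.append(f"{resolver}: no answer for {SITE}")
        elif rogue:
            alerts.append(f"{resolver}: {SITE} -> unexpected {sorted(rogue)}")
    return alerts

# Matches the host part of any <script src=...> that points at another origin.
SCRIPT_SRC = re.compile(rb"<script[^>]+src=['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)

def check_content(page: bytes) -> list:
    """Flag any change from the known-good page, and any script loaded from a
    host outside the allow-list, which is how injected content usually shows."""
    alerts = []
    if hashlib.sha256(page).hexdigest() != BASELINE_HASH:
        alerts.append("page content differs from baseline")
    for host in SCRIPT_SRC.findall(page):
        if host.decode().lower() not in ALLOWED_SCRIPT_HOSTS:
            alerts.append(f"script loaded from unlisted host {host.decode()}")
    return alerts
```

The hash check is deliberately strict; a site with dynamic content would compare a normalized view of the page instead, but the script-host check applies unchanged.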

Citations
  1. APWG Activity Report. (2007 April). Published by the Anti-Phishing Working Group. Retrieved June 14, 2007 from http://www.antiphishing.org/reports/apwg_report_april_2007.pdf
  2. Phishing and Pharming (2006 January). Published by McAfee. Retrieved June 14, 2007 from http://www.mcafee.com/us/local_content/white_papers/wp_phishing_pharming.pdf
  3. 'Spear Phishing' Tests Educate People About Online Scams. (2006 August). Written by David Bank of the Wall Street Journal. Retrieved June 14, 2007 from http://online.wsj.com/public/article/SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs
  4. Social Phishing. (2005, December 12). Written by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer, School of Informatics, Indiana University, Bloomington. Retrieved June 14, 2007 from http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
  5. SANS ISC Diary. (2005 March). From Sans Internet Storm Center. Retrieved June 14, 2007 from http://isc.sans.org/diary.html?date=2005-03-31
  6. Elaborate ‘pharming’ attack targeted 50 banks. (2007, February 22). Written by Jeremy Kirk of the IDG News Service. Retrieved June 14, 2007 from http://www.infoworld.com/article/07/02/22/HNpharmingattackonbanks_1.html
  7. Protection recommendations from numerous sources including: Microsoft, Symantec, SANS, RSA, CSO Online, Network World and others:
  • http://www.consumerfraudreporting.org/pharming.php
  • http://www.csoonline.com/fundamentals/quicklists_pharming.html
  • http://www.networkworld.com/research/2005/071805-pharming.html?
  • http://www.verisign.com/static/030910.pdf
  • http://www.microsoft.com/athome/security/privacy/pharming.mspx
  • http://www.apani.com/net-news/0606/82
  • http://www.wired.com/news/infostructure/0,1377,66853,00.html
  • http://www.cs.indiana.edu/pub/techreports/TR641.pdf
  • http://www.infoworld.com/article/07/02/23/HNsecondgoogledesktopattack_1.html
  • http://reviews.cnet.com/4520-3513_7-5670780-1.html
  • http://www.securityfocus.com/columnists/429

Monday, June 11, 2007

Nigerian Scam Emails Just Keep Coming

This scam is older than the Internet; I think it started when the first FAX machine was installed in Nigeria. I used to feel sorry for people who fell for this.

Got this message (how many millions have we all spent on SPAM filters and these still come through) on IP today:

Hello My Good friend, But you don't know my name do you?

How are you today? Hope all is well with you and your family?, Good, thanks for asking. You may not understand why this mail came to you. Oh, I understand, you send this to millions of people because it still works! But if you do not remember me, you might have receive an email from me in the past regarding a multi-million-dollar business proposal which we never concluded. US Law Enforcement gets HUNDREDS of complaints per day about the 419 scam ...

I am using this opportunity to inform you that the multi-million-dollar business has been concluded with the assistance of another partner from India who financed the transaction to a logical conclusion. Probably some poor fool who doesn't know he has been scammed.

Presently, I am in London for investment projects with my own share of the total sum. Nigerian fraudsters make so much money, it is the number 1 scam on the US Government's export page. Meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.

Now contact my Personal Assistant in Abuja, Nigeria and ask him to send you the CERTIFIED CASHIER CHEQUE Look at that! British spelling, maybe he really is in London... of US$1.2M which I wrote in your name in appreciation of your past effort in helping me.

Below is his contact informations:

Name: Mr. Allusine Sakoh
Email: allusinesakoh55@hotmail.com

Who would have thought that "Allusine Sakoh" would be such a popular hotmail address. I imagine they stopped using Yahoo after they reached allusinesakoh666.

Tel: +234-803-537-6903 234 is the Nigerian country code, I wonder if they accept collect calls?

Feel free and get in touched with him for the sending of the draft to any address where you would prefer the draft to be mailed. Please do let me know immediately you receive the CASHIER DRAFT.

Yes, but will you need to pay a

  1. Clearance fee, paid before the check can be sent?
  2. Commission paid to your Nigerian friend for sending the check?
  3. Some new wrinkle?
  4. Over one million hits on Google for "Nigerian scam"
  5. A greedy fool and his money are soon parted ...

At the moment, I am very busy here in London because of the investment projects which I, and the new partner are having at hand but would appreciate your update once the cheque is deliverred Hey! Another typo, doesn't happen much with these guys. to you thru my email:

Finally, accept my goodwill my dear friend.

Thank you once again and may God bless you.

Mr.Aku Ubah.

This county treasurer got 14 years... More information from the Nigerian Consulate in Atlanta, Georgia.

When you see this email, press delete.

Monday, June 4, 2007

Fourth time is a charm

It was 23:30 local time. We’d just adjusted our tools for another try. Lights had switched off as the last few employees had left. We knew it was time to move.

The “finger” pressed the button, the lock released. Now, on to the prize: we entered the room into the camera’s blind spot. We were behind the server farm. The safety lighting gave us a clear view past the racks. Our targets (the file servers, databases and external firewall) were all in this room. We knew that we had to move fast, capture the data, and, if possible, backdoor the firewall so that we could re-enter from the Internet — this was our goal.

We had arranged our priorities. If we could capture next year’s product design, our client would be chagrined. If we could capture the design for two years hence, they would be appalled. If we could backdoor the firewall and demonstrate the ability to pillage at will… It’s an interesting job; we were earning our payday by emulating our client’s worst enemy or most ruthless competitor.

Part 6 of 7, (to be continued)