29.04.2013 by Martin Kuppinger
The number one issue in the past weeks is the LivingSocial hack, where attackers reportedly have stolen massive amounts of personal data, including names, email addresses, birthdates, and encrypted passwords. LivingSocial has confirmed an attack, but not the reported number of 50 million stolen data sets – which would be the vast majority of all LivingSocial users.
However, there still is relatively little information about the details. It is still unclear whether all non-Asian accounts are actually affected. (LivingSocial holds the Asian accounts on another server.) It is not publicly known how the passwords have been encrypted and thus it remains unclear to what extent the attackers might use them for subsequent attacks on other websites. Fortunately, it appears that the credit card information of the LivingSocial users is held in separate databases and is not affected by the attack.
Given that this sort of attack against large sites happens regularly, the question becomes what lessons are learned and what defenses should be taken. The lessons for the companies running such sites clearly are to invest in security, for both protection and monitoring. However, successful attacks will happen and, in contrast to some former incidents at other sites, LivingSocial at least encrypted the passwords and used a separate database for credit card information.
For the users, the answer is also straightforward: raise the bar for authentication. Reconsider using sites and services if they do not provide options for stronger authentication such as (good) 2FA approaches. Clearly using different hard-to-guess passwords is an option, but that is fairly inconvenient – my colleague Craig Burton once stated that you do not have such thing as a password muscle you can simply strengthen by training.
FIDO Alliance and Google
Another interesting bit of news is the uptake of the FIDO Alliance. Google now is also a member of this alliance and there is some chance that the FIDO Alliance might gain sufficient momentum to become a success. I will cover this in a separate upcoming blog post.
Reported number of attacks
During the past few weeks, several companies such as Symantec, IBM (X-Force Report), or Akamai have published their security reports talking about the observed number of attacks. I found two aspects of these numbers actually interesting. One is that the numbers are highly inconsistent: some companies report massive increases in attacks, others report a decrease, at least for certain types of attacks.
The other interesting finding is one in the Symantec Internet Security and Threat Report 2013. The report says that the number of targeted attacks increased by 42 percent. This number stands for a shift towards industrial espionage, with small business being affected in 31 percent of those attacks. Direct attacks differ from the large-scale phishing attacks in that the attackers are looking for specific data or to cause concrete harm against specific targets, instead of just trying to phish as much data from their rather anonymous victims.
Data Broker Acxiom to sell data back to real owners?
You may not have heard of Acxiom, a company that describes itself as an “enterprise data, analytics and software as a service company” that is “known worldwide for our marketing database and consumer data”. There was a report that Acxiom plans to introduce a service that allows individuals to reveal the information Acxiom knows about them. In Germany, such services are mandated by law. For instance, Schufa, a company that provides information about the creditworthiness of individuals, offers such a service. This is considered a part of your fundamental rights, in that case the “right to informational self-determination”.
Making a business out of this is a somewhat strange thing from a European perspective. In fact what Acxiom is said to plan is that people have to pay to learn about their data. The fundamental difference here obviously is whether “data about you” is “your data” per se or not.
17.04.2013 by Martin Kuppinger
This week, I read an article (in German) about a severe security bug in heating systems provided by Vaillant, one of the larger manufacturers in that space. The issue was found in so-called “nano block heating systems” that are made for detached houses and duplex houses.
These units have an IP interface that allows both the service technicians of the vendor and the owner of the heating system to remotely manage the device. However, a security bug allows pretty much anyone to easily access, in clear text, the passwords of the owner, the technician (expert), and even the developer. In other words: attackers can easily gain full access and control all settings. That allows increasing the temperature of the outgoing water in summer, which can damage the heating element. It allows stopping heating in winter, which could result in frost damage. There are most likely other types of damage an attacker can cause.
Even worse, these systems communicate with the DynDNS (Dynamic DNS) service of the vendor. That allows attackers to identify all systems in a simple way, just by “trial and error”.
Vaillant has announced that they will inform the customers, update the software – which requires, despite having an IP interface, that a technician visits the customers – and provide VPN communication for technicians.
This issue is a perfect example of what is happening these days in smart metering and other areas of “smart homes”. Vendors start adding IP interfaces, but they fail in security. In the entire segment of home automation, which is based on standards such as EIB/KNX, understanding of security issues appears to be rather limited. Security is understood as “availability”, not as being secured against attackers. That is, by the way, true for other standards as well – most bus systems in manufacturing are not secure at all. EIB/KNX does not even have a security layer. These bus systems typically rely on simple broadcasting. Whoever has access to the bus has access to everything. Once you connect the bus to the Internet, things obviously become highly insecure.
The obvious solution for that is protecting the IP interface. However, as long as that is not done perfectly well, the problem remains. The entire manufacturing industry, but also the automotive industry and others that rely on rather primitive bus systems, have to fundamentally rethink their security approaches. Not doing this is wantonly negligent.
Smart infrastructures require smart security. Not having well-thought-out and well-implemented security approaches in place but relying on stone-age security approaches for (sometimes) stone-age bus systems puts us all at risk. There is a good reason for the massive potential of Stuxnet: It arises by opening up insecure environments – insecure by design – to the Internet, without appropriately changing the security approaches.
02.04.2013 by Martin Kuppinger
During the past few days, there have been at least two notable events in security. One was the attack on South Korean banks and TV networks. The other was the “Spamhaus incident”. I will talk about these two more in detail further down that post.
Besides that, it was interesting to observe that iOS and OS X seem to become increasingly the malware targets of choice. That is not surprising, however, since there are masses of iOS and OS X devices out there. Thus, the platform is far more attractive than in the past. Combined with the fact that Apple’s patch policy still is not convincing, this results in an increasing number of attacks. When I count the platform-related news of the past two weeks in my CNET RSS feed, 5 out of 6 articles were related to the two Apple operating systems. That just confirms what I have been saying for a long time: It is not that much about whether a platform is secure or insecure; it is about reaching a critical mass to become a target of choice for attackers. They will always find weaknesses, because complex systems will never be perfect. By the way: It would only be fair if the castigators of Microsoft Windows security from the past would act the same way now regarding Apple. Microsoft has learned a lesson. Has Apple already learned its lesson? I doubt that.
One other interesting news article was about Java updates. According to a new Websense report, 94% of endpoints running Java are vulnerable to at least one exploit. This shows that Java Updates do not work well as of now. One of the issues clearly is that Java runs on a variety of devices. While updating PCs is straightforward, other devices – especially the ones where Java is deeply embedded – are hard to update, due to a lack of a simple, standardized approach for patching these devices. From my perspective, Oracle should concentrate on adding sort of “patch support by design” capabilities to all future Java versions. While many people criticize the Microsoft Update concept, it is – from my perspective – by far the best approach that is currently in place across the entire industry.
South Korea vs. North Korea
Last week, some South Korean companies – TV broadcasters and banks – were hit by a massive cyber-attack run by a group that calls itself “Whois Team”. There were clear signs that the attack was part of the ongoing “cold war” between South Korea and North Korea, which currently is escalating again. Despite the fact that it is still unclear where the attack originated, I think that this is another indicator for the emerging risks of cyber-attacks in conflicts between nations.
The “Spamhaus incident”
Finally, a cyber-fight between Spamhaus, a spam-fighting organization, and a group of attackers even made it to the TV news over here in Germany and in other countries. This attack is reported to be the largest DDoS (Distributed Denial of Service) attack ever. It reportedly affected the whole Internet, especially in the U.K., Germany, and the Netherlands (Spamhaus is based in the Netherlands). There are two lessons we can learn from that. One is that the Internet, despite its distributed nature, is not immune to attacks. The second is that cyber-criminals obviously are well prepared to counter attacks against them, having large botnets on hand to launch such DDoS attacks.
Physical Attacks on Critical Infrastructure
What I also found interesting were some articles about the Egyptian police arresting three men that tried to cut through some cables for Internet connectivity owned by the Egypt Telecom network. Some days ago, other cables of the Seacom network, being a part of the Internet connecting various countries under the Mediterranean Sea, were destroyed. The Egyptian police arrested the divers that tried to cut through the cables of the Egypt Telecom in the act, from what was reported. I have not read anything about the motivation of these attackers. However, this clearly is another indicator of the massive risk for critical infrastructures these days.
27.03.2013 by Martin Kuppinger
I read an interesting article about the future of vehicles and their connectivity in the Geo magazine, sort of the German counterpart to the National Geographic magazine. The article was quite interesting; however, I did not find anything about security. This is not a new experience: most of the articles and discussions about the concept of connected vehicles and their integration into the smart grid (plus all the discussions about smart grids and smart infrastructures) still are security-agnostic.
Do we really want to drive unsecured connected vehicles? Do we really want to live in a smart but unsecured world? How smart will that world really be? I have blogged about this well before. In these days of increasing cyber-attacks and of an increased understanding of the risks of critical infrastructures, agnosticism regarding security is not acceptable anymore.
The article discussed concepts like using electric vehicles as a storage for electric power, as sort of a distributed, large battery for storing power from the large power networks. This is a great idea; however, thinking about the required connectivity for that, just in the context of correct billing alone, shows that this is an interesting topic from both the security and the identity perspective.
At EIC 2012, we held a workshop on the topic of the connected vehicle. We had a very intense discussion there. We quickly identified a complex ecosystem of identities that need to share data. However, most data must be shared only between a few selected parties. There are the owner, the driver, the leasing company, the passengers, the garage, the insurance company, the vendor, and the manufacturer, to name just a few of the possible interested parties. Within the car there are components provided by many different manufacturers which might talk to others – or not. There are other cars, there are traffic management systems, there is the police, etc. Not to mention the utilities companies here… It is an extremely complex ecosystem.
Within that ecosystem, sharing of data must be very tightly managed. Some data might pass to the police only, while other data must not go there. However, that might differ from country to country. Some data is only relevant to the driver or the vendor; other data should be also available for the manufacturer.
However, sharing of data is the smaller part of the challenge. The need for well-controlled security and identity becomes even larger when we are talking about controlling the car or the traffic in general. The idea of cyber-criminals taking control of vehicles is frightening.
I know that several car manufacturers are investing in PKI and related technologies to secure communication among various components. That might work for the components within a car, but it will not be sufficient for the bigger ecosystem of the connected vehicle I have outlined above. What we need are bigger concepts, cross-industry, integrating all the related parties and components. The good thing is that many of the answers to the challenges of a connected vehicle are there. Life Management Platforms are one element, which allow managing a lot of related information in a privacy-aware and security-aware manner. The API Economy and API security is important for managing security of all the interfaces in these complex, connected systems. Identity Federation is an important piece of the puzzle as well. However, what I still miss is both a clear view of the big picture and coordinated initiatives for a secure smart planet, including the connected vehicles.
It is past time to act. At EIC 2013, we will have a roundtable for the Automotive Industry – a good place to connect with others. We will have various sessions around Life Management Platforms, the API Economy and other security topics. So do not miss EIC 2013 when you are involved in securing the smart planet of the future and when you are looking for a more holistic approach instead of point solutions for various pieces.
19.03.2013 by Martin Kuppinger
When looking through the security-related news of the past two weeks, there is very little that is surprising. Again, the usual topics such as discussions about whom to accuse of cyber-attacks and about newly found attack vectors have led to a series of news articles. There also have been ongoing discussions around privacy. However, as I have said and stated in my previous security blog post: Most topics remain the same. Some weeks it is about routers; this time, reports about security weaknesses in connected HP printers and some other routers (TP-Link) spread the news.
However, there have been news articles on two topics that caught my attention.
Trend Micro on ICS/SCADA security
Trend Micro published results of a test they have run to analyze the real security threats for ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) networks. These environments have been under attack by Stuxnet, Duqu, and Flame over the past years.
Trend Micro chose a small town in California and installed a virtual pumping station with a control system for water pressure. They made the station visible on the Internet. All software components existed, but no water pumps. They created three different “honeypots” with the typical weaknesses found in real world environments.
Within roughly one month, Trend Micro detected 39 attacks out of 14 different countries. The leading countries were China (35%), USA (19%), and Laos (12%). At least twelve attacks appeared to be targeted. One or more attackers repeated 13 attacks on different days. These obviously were targeted and automated. Trend Micro is still investigating the other attacks.
Clearly, there is a well-established ecosystem for espionage and cyber terrorism out there. No single organization with industrial production environments and no single organization in the “critical infrastructure” area can claim that it is not an attack target. It is past time to act and to better protect all IT environments in organizations.
Obama vs. Merkel
I also found some news articles about Obama hosting a meeting on cyber-security with CEOs and on putting cyber-threats amongst the top topics in his call with the Chinese president. This helps increase awareness in the industry, in governmental organizations, etc.
When looking at Germany, the situation is quite different. There are infrequent statements and activities from some of the ministries. There are some activities by different governmental organizations. However, there clearly is a lack of public statements and attention from Angela Merkel, if I compare this to Barack Obama. At the CeBIT 2013 fair, she visited, for instance, the booth of a provider of secure smartphones, the “Merkel phone”, which allows her secure, encrypted/scrambled communication. I think that putting the cyber-threats at the top of the agenda would have been far more important than putting the focus on that phone (and the technology provider behind it). Time to wake up, I’d say.
06.03.2013 by Martin Kuppinger
When I started writing this series of blog posts recently, I thought that I would have sufficient material for a weekly post. However, when looking consistently at the security news of various sources, it becomes obvious that there are a few recurring topics:
- New (and old) waves of attacks and new and old types of malware
- New exploits – the target of choice differs, the topic always remains the same
- Discussions about privacy
- Vendors with inappropriate security patch policies
Yes, sometimes there are interesting announcements from vendors. However, besides the new big data approaches of IBM and RSA Security I have covered before, there has not been much great news this week, despite the RSA Security Conference in the U.S. and the CeBIT fair in Germany starting today (which, by the way, still is the largest IT fair worldwide).
Let’s have a quick look at the most important news.
Java as the new target of choice
It comes as no surprise that there is an increasing number of attacks using Java exploits. This includes some of the known exploits, but also some new ones. This also is not surprising given that hackers look for related weaknesses once a particular type of exploit has been identified. In consequence, this means that Java updates have to be performed regularly and that the use of Java (especially within the browser) has to be carefully reconsidered.
Privacy vs. Freedom of Speech?
I read a fairly strange article on a lawsuit Google is facing in Spain these days. The article argues that the privacy debate over here in Europe is around “Privacy vs. Freedom of Speech”. In fact, the argument raised therein is that Google is allowed to publish a link based on the Right to Freedom of Speech. Notably, this right exists in Europe as well, not only “Fair Speech” as the author assumes. And the idea behind Freedom of Speech in Europe is to protect the individual, not only the society – which is in stark contrast to what the author says. Maybe the difference is that Europeans do not tend to protect questionable business models and principles through one of the fundamental human rights. From my (European) perspective, the article is based on a fundamental misunderstanding and misconception of what is considered the European position. Notably, there is no single European position but an intensive debate about these topics.
There is little change in the news around cyber-attacks. There are still masses of attacks and the discussion about who is behind these attacks is continuing. There is good reason to assume that some part of the attacks is state-sponsored, while others are caused by cyber criminals. In the end, it is about accepting that there is a severe risk for any organization and any individual and that we need to protect ourselves in a more sophisticated way. In a Trend Micro press release I received yesterday, the author compared it with the “fork” in chess, where you create two threats at a time. The other player can’t defend against both at the same time (but he might threaten you in another way). The argument of the author has been that based on a fork, i.e. multiple defense layers, the attackers are always in danger of being detected. I’m not sure whether the fork is the best pattern in chess to compare with and whether this is not more the approach the attacker could take – but I liked this analogy.
The victim of the week has been Evernote – they reported that some data has been hacked and asked all of their users to reset passwords. Who will be next?
25.02.2013 by Martin Kuppinger
OK, in fact this is about the last few weeks in security this time – but in the future it will mostly be about looking back at the previous week.
The permanent threats: Chinese hackers, Anonymous,…
Not a single week goes by without news about attacks from various groups. This includes Chinese hackers that are alleged to have attacked the Wall Street Journal or Anonymous that claimed that they have successfully attacked the US Federal Reserve. In the latter incident, it took four days from the announcement by Anonymous until the official statement of the US Federal Reserve. An additional cyber-attack hit the US Department of Energy, according to another news article.
There have been numerous articles about these attacks since, with different parties in the U.S. linking them to official Chinese agencies and the Chinese Army, while China denies these accusations citing a lack of proof.
Attacking the big ones
In this context, the recent attacks on Apple, Facebook, Twitter, and Microsoft (and possibly several other companies) also gained a lot of public interest. U.S. investigators assume that these attacks were driven by Eastern European cybercriminals rather than being Chinese state-sponsored, according to recent news articles.
Kaspersky kills Internet access for Windows XP users – accidentally
A recent Kaspersky antivirus update this month disabled Internet connectivity for Windows XP users at least partially. There is a workaround and a fix available; however, it takes some manual action to solve the problem – no surprise given that the Internet access does not work as expected anymore. Unfortunately, there is no prominent direct link to the information on this issue at the home page of Kaspersky.
Path app ignores privacy again
An article on CNET unveiled another privacy issue in the social network Path. Information about location data might slip out even when access to the location is disabled. Given that Path had some trouble with the FTC (U.S. Federal Trade Commission) recently and had to pay a fine, this new issue comes at the wrong time for them. It also again sheds light on the ignorance or incompetence of start-up companies when it comes to security and privacy – probably both. It will be interesting to see when the growing awareness and concerns of users finally lead to the consequence of not using such services anymore.
EU Commission introduces Cyber Security Plan
The EU Commission this week announced their Cyber Security Plan to strengthen resistance against cyber-attacks and cybercrime. The plan includes the idea of a European Cyber Defense Policy. It also includes the concept of an “attack notification obligation”. The latter led to some intense discussions because some companies do not want to inform the public about these issues. As of now, virtually all large organizations have experienced some form of attack. However, as of now, this is only discussed behind closed doors between the CISOs of these organizations. An attack notification obligation would change that and provide far more information to the officials. On the other hand, it will increase cyber security concerns in the broad public – which might be seen as a positive effect given that it might also increase caution.
A lot of router security issues
Last week, there were again several news articles about security issues of routers and other network devices, including D-Link. At least D-Link delivered some firmware patches, while other devices remain insecure. Which raises the question: Do you have patch management for the firmware of all your devices in place? Another interesting question: Which of the hardware vendors has a well-defined approach for security alerts and security patches in place? The bad news, when following this issue over the past few weeks, is that most vendors are neither willing nor capable of providing patches fast and in a simple-to-apply way. It is long past time for hardware vendors to start working on such an approach – and it is long past time for customers to have a complete patch management plan in place, from firmware up to applications.
Are stronger passwords really THE trend?
In its Deloitte TMT Predictions (Technology, Media & Telecommunications), the company predicts the end of “strong password only security”. The solution proposed is multi-factor authentication, and a little bit of password vaults. However, most of the text focuses on using stronger passwords, longer than eight characters. My colleague Craig Burton recently made the statement: “There is no such thing as a password muscle you can strengthen by training.” Which is to say: People are limited when it comes to keeping passwords in mind, and recommending the use of longer and more complex passwords is not the ideal solution. You do not get better when you have to keep many long and complex passwords in mind; you just consider workarounds like noting them down or always re-using the same password.
When talking about multi-factor authentication, I would rather say that this has been a topic for a “trend” some years back. Yes, we will observe some more implementations. However, multi-factor authentication by itself is not sufficient. Some two years ago, I blogged about the RSA SecurID incident. My recommendation at that time was to think about versatile authentication, combined with multi-factor authentication. Not that this concept was absolutely new back then…
Clearly, there is a trend towards approaches for strong, simple, and flexible authentication, beyond passwords. However, just talking about multi-factor authentication and password vaults is not sufficient. What organizations should evaluate are versatile authentication and, as the next and logical step, context- and risk-based authentication and authorization. That is the real trend. It is about understanding the bigger picture. Look at this to understand the future of authentication and authorization, not at a point approach.
In this context, it is definitely worthwhile to attend EIC 2013 – the future of authentication and authorization and the trends we observe will be an important part of the agenda.
02.02.2013 by Martin Kuppinger
Chinese hackers, US newspapers
This week, several US newspapers, including The New York Times and Wall Street Journal, have reported that they have experienced cyber-attacks related to their coverage of China. In the case of The Times, corporate passwords for every employee had been stolen. Chinese officials called allegations that the Chinese Government commissioned these attacks “unprofessional and baseless”. However, it is not likely that Chinese hackers caused these incidents without at least tacit government approval. In fact, this appears to be sort of a sideshow to the bigger, unofficial and hidden cyber-war (a 21st century sort of a “cold war”) running in the background.
Distrust as a business model?
In a recent survey, the Ponemon Institute asked U.S. adults about the five companies they trust the most to protect the privacy of their personal information. It comes as no surprise that most of the companies forming the “Internet Association” do not rank within the Top 20 of this list. Some like Apple have been in the Top 20 for years. On the other hand, Microsoft is now amongst these top-ranked companies. Overall, the Internet and Social Network providers have low ratings. It will be interesting to observe whether “distrust” as a business model really works over a longer period. The study clearly shows that users are aware of privacy risks. The greater this awareness, the bigger the business risk for the ones who are ignoring these concerns.
UPnP networking flaw puts millions of PCs at risk
A recently discovered security flaw in the UPnP (Universal Plug and Play) networking protocol potentially puts millions of PCs at risk. UPnP is a protocol that allows network devices like printers, PCs, or routers to discover each other. By design, this discovery should be limited to the local network. However, the flaw allows attackers to identify devices on the Internet and run some well-known attacks against them. The reason for the mass of vulnerable systems is that software libraries used to implement UPnP contain some flaws. Most likely, many of the systems at risk will never be patched because these devices are not sold anymore. Thus, there is a significant risk. Unfortunately, there is no simple solution to this issue. The best approach is ensuring that all incoming UPnP requests are blocked at the router and that this device itself does not use UPnP.
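As an added example (not code from the original post), the check below applies the policy just described to the UDP datagrams a router sees: SSDP, the discovery half of UPnP, is allowed only between local hosts and is blocked on the WAN side. The packet records and their interface names are constructed samples, not captured traffic.

```python
"""Classify UPnP/SSDP datagrams seen by a router against the policy
"block inbound UPnP from the Internet, allow discovery only on the LAN".
Added example; the packet dicts below are constructed, not captured."""
import ipaddress

SSDP_PORT = 1900
SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")

# Address space that may legitimately take part in UPnP discovery:
# RFC 1918 private ranges plus link-local. ipaddress.is_private is
# deliberately not used, because it also treats documentation ranges
# such as 203.0.113.0/24 (used for the samples here) as private.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_ssdp(payload: bytes):
    """Parse an SSDP datagram (HTTP-style text over UDP).

    Returns (method, headers) or None if the payload is not SSDP.
    Header names are upper-cased because SSDP headers are case-insensitive.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ")
    if len(start) < 2 or start[0] not in ("M-SEARCH", "NOTIFY", "HTTP/1.1"):
        return None
    method = "RESPONSE" if start[0] == "HTTP/1.1" else start[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None  # malformed header line, not SSDP
        headers[name.strip().upper()] = value.strip()
    return method, headers


def classify(pkt: dict) -> tuple:
    """Decide what the router should do with one inbound UDP datagram.

    pkt: {"iface": "wan" | "lan", "src": str, "dst": str, "dport": int,
          "payload": bytes}
    Returns (verdict, reason); verdict is "allow", "block" or "pass"
    ("pass" = not UPnP, outside the scope of this check).
    """
    if pkt["dport"] != SSDP_PORT:
        return "pass", "not the SSDP port"
    parsed = parse_ssdp(pkt["payload"])
    if parsed is None:
        return "pass", "not an SSDP message"
    method, headers = parsed
    if pkt["iface"] == "wan":
        # Discovery must never be reachable from the Internet side.
        return "block", f"SSDP {method} arrived on WAN from {pkt['src']}"
    if not is_local(pkt["src"]):
        # LAN side, but the source is not a LAN address: spoofed or routed in.
        return "block", f"SSDP {method} from non-local source {pkt['src']}"
    target = headers.get("ST") or headers.get("NT", "?")
    return "allow", f"local SSDP {method} ({target})"


# Constructed sample traffic: a normal LAN discovery, the same request
# arriving from the Internet, a LAN packet with a non-local source, and
# an unrelated datagram on another port.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n")
SAMPLE_PACKETS = [
    {"iface": "lan", "src": "192.168.1.20", "dst": "239.255.255.250",
     "dport": 1900, "payload": M_SEARCH},
    {"iface": "wan", "src": "203.0.113.7", "dst": "198.51.100.9",
     "dport": 1900, "payload": M_SEARCH},
    {"iface": "lan", "src": "203.0.113.7", "dst": "239.255.255.250",
     "dport": 1900, "payload": M_SEARCH},
    {"iface": "wan", "src": "203.0.113.7", "dst": "198.51.100.9",
     "dport": 53, "payload": b"\x00"},
]


def run(packets=SAMPLE_PACKETS):
    """Verdicts for a list of packets, in order."""
    return [classify(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["iface"], p["src"], "->", classify(p))
```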
Where will all these people come from?
According to recent news, the Pentagon has decided to increase staffing for its cybersecurity force from 900 to 4,500 people. The most important question this news evokes: Where will all these people come from? I have no clue. We are in a situation where we lack experienced IT security professionals. Hiring 3,600 more of this rare species will be a tough job for the Pentagon. It will also clear the market of cybersecurity professionals. For other companies and organizations that means they will increasingly rely on Managed Security Service Providers, which at least can benefit to some degree from “economies of scale”. The most important challenge with respect to cybersecurity for every economy in the upcoming years will be to push the education of IT security professionals. Not only IT but IT security has to become part of education, starting in school. And IT security as a field of study should become one of the most attractive ones, to create the supply governmental and private organizations need urgently.
According to Canadian and Dutch data protection authorities, WhatsApp violates international privacy laws. Users do not have a choice to use the application without granting access to their entire address book. For company policies that simply means that usage of WhatsApp is unacceptable as long as any company-related address information is held on the device. Maybe WhatsApp should really start thinking about security and privacy.
Apple iOS 6.1 – still an unacceptable approach for security patches
Apple this week released iOS 6.1. The update addresses a number of security issues. Amongst these are around 20 that allow infiltrating systems via the Internet and executing code on the target systems. Most of the bugs are related to WebKit, which forms the foundation for the iOS browser Safari. Some of them have been known for quite a while, even though there are no known attacks based on them. Nevertheless, an approach that delivers security patches delayed rather than just in time, as Microsoft, Oracle, and even Adobe do, is simply inadequate. It is long past time that Apple moves towards better approaches to security patching. By the way: The update once again deleted the specific APN settings of my UMTS card. Updates that are not able to keep all configurations are just unprofessional.
Online banking: 25% of Germans don’t use it due to security concerns
A survey in Germany, commissioned by the initiative D21 (Digital 21), showed that 26% of the participants do not use online banking because of security concerns. That comes as no surprise when looking at some of the recent incidents. It also sheds an interesting light on the investments of banks in securing online business. A common complaint of banks is that securing online banking is too expensive. That is the reason given for not investing in the most advanced technologies, or for charging customers for every SMS sent out-of-band with a TAN (transaction number). However, besides the money banks lose to successful attacks, the cost of roughly a quarter of the customers still relying on classical banking channels, with the manual handling involved and thus high costs, should not be underestimated. Banks should also consider that this might be just the beginning of a trend, with more customers going back to traditional methods. That would increase costs for banks further. Investing more in really secure online banking might be the cheaper way.
IBM and RSA build security analytics on Big Data technology
A recent announcement from IBM, and information from RSA show that Big Data technology gains momentum as a foundation for security analytics. This goes well beyond traditional SIEM (Security Information and Event Management) and opens new opportunities for advanced analytics of data from various sources. More on that in upcoming blog posts, KuppingerCole reports, and at EIC 2013.
13.12.2012 by Martin Kuppinger
In a recently published study, Versafe and Check Point Software Technologies, two software vendors, analyze the recent Eurograbber attack, which was based on the Zeus botnet and ZitMo (Zeus in the Mobile). This attack reportedly diverted up to 36 million € by intercepting financial transactions.
The most interesting aspect of this is that the attack bypassed the out-of-band authentication of financial transactions. Banks use this approach to send TAN codes (transaction numbers) to the user's mobile phone. It is out-of-band only if (and as long as) the user accesses the online banking application from another device, such as a PC.
This approach has been considered (more or less) secure. However, in the scenario described, the attackers targeted both devices. They first infected the PC. There they tracked and manipulated online banking sessions and, within the manipulated session, asked the user for the phone number and device type of the mobile phone used. Using that information, they sent an “important security update” to the mobile phone which contained the malware for that device. With both devices under their control, they could intercept transactions and steal the mobile TANs.
It is very likely that this has just been the beginning of such attacks, challenging the security of out-of-band mechanisms. As of now, the attack requires Windows on the PC and Android or Blackberry on the mobile device. However, it is just a question of time until iOS, OS X, or Windows Phone will also become “supported” by the attackers.
There is no simple solution to prevent this type of attack. The most important security measure is good anti-malware protection on every PC and ideally on every mobile device, where such a solution exists for the mobile platform. Besides that, fraud detection at the backend, i.e. in the banks, is mandatory to identify such incidents as fast as possible and to alert customers.
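As an added example (not from the original post or from any bank), here is what the backend fraud detection called for above could look like in practice: a small rule set, in Python, run over constructed transfer data. The rule names, the thresholds and the sample data are assumptions; what the rules share is that they score only facts the attacker does not control, since in the scenario described the TAN itself is always valid.

```python
"""Back-end fraud scoring for mTAN-confirmed transfers.

Added example, not code from the original post or from any bank. It assumes a
per-customer history of completed transfers and a TAN service that logs when a
TAN was issued and when it came back; rule names, thresholds and sample data
are illustrative assumptions, not a published scheme.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List


@dataclass
class Transfer:
    customer: str
    beneficiary: str          # payee account identifier (constructed values below)
    amount_eur: float
    tan_issued: datetime      # when the mTAN SMS left the bank
    tan_submitted: datetime   # when the TAN arrived from the browser session


def fraud_signals(tx: Transfer, history: List[Transfer],
                  new_payee_factor: float = 5.0,
                  min_tan_latency: timedelta = timedelta(seconds=3)) -> List[str]:
    """Names of the rules a transfer triggers; an empty list means no alert.

    With both the PC and the phone under attacker control the TAN itself is
    always valid, so the rules only use facts the attacker does not control:
    the customer's own payment history and the timing of the confirmation.
    """
    signals: List[str] = []
    known_payees = {h.beneficiary for h in history}
    typical = median(h.amount_eur for h in history) if history else 0.0

    # Rule 1: a payee this customer has never paid before.
    if tx.beneficiary not in known_payees:
        signals.append("new_beneficiary")
        # Rule 2: ...and an amount far above what the customer normally moves.
        if typical and tx.amount_eur > new_payee_factor * typical:
            signals.append("amount_outlier_for_new_beneficiary")

    # Rule 3: TAN returned faster than a person can read an SMS and type it.
    # Mobile malware forwarding the SMS to the PC-side malware is much faster.
    if tx.tan_submitted - tx.tan_issued < min_tan_latency:
        signals.append("tan_relayed_too_fast")
    return signals


def demo() -> Dict[str, List[str]]:
    """Run the rules over constructed sample data and return the signals per case."""
    t0 = datetime(2012, 12, 3, 9, 0, 0)
    history = [  # constructed history: small domestic payments to three payees
        Transfer("c-1001", "DE-ACC-01", 120.0, t0, t0 + timedelta(seconds=20)),
        Transfer("c-1001", "DE-ACC-02", 85.0, t0, t0 + timedelta(seconds=31)),
        Transfer("c-1001", "DE-ACC-01", 300.0, t0, t0 + timedelta(seconds=18)),
        Transfer("c-1001", "DE-ACC-03", 60.0, t0, t0 + timedelta(seconds=25)),
        Transfer("c-1001", "DE-ACC-02", 250.0, t0, t0 + timedelta(seconds=22)),
    ]
    legit = Transfer("c-1001", "DE-ACC-01", 150.0,
                     t0 + timedelta(days=7), t0 + timedelta(days=7, seconds=25))
    # The pattern the post describes: a valid TAN, but a large sum to an
    # unknown account, with the TAN bouncing back almost instantly.
    attack = Transfer("c-1001", "XX-MULE-77", 4800.0,
                      t0 + timedelta(days=8), t0 + timedelta(days=8, seconds=1.5))
    return {"legit": fraud_signals(legit, history),
            "attack": fraud_signals(attack, history)}


if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, hits or "no alert")
```

Alerting matters as much as detection here: with the phone compromised, a warning sent over the same SMS channel can be suppressed by the malware, so the alert should reach the customer through a channel the attacker has not touched, or the transfer should be held until the customer confirms it separately.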
But clearly this type of attack shows that out-of-band authentication, as (relatively) convenient as it might be, is not the holy grail of security in online banking. Maybe this issue will initiate the comeback of other, more expensive (procurement and logistics) and sometimes less convenient solutions like OTP hardware tokens. Maybe it is also time that financial institutions start working on a reusable approach for such OTP hardware tokens, one token usable across several institutions, because the lack of reusability always was one of the major inhibitors of acceptance for these devices.
04.10.2012 by Martin Kuppinger
Adobe warned a few days ago that an internal server with access to its digital certificate code signing infrastructure was hacked. This resulted in at least two malicious files being distributed that were digitally signed with a valid Adobe certificate.
If you take the numbers published by Secunia, a security/patch management software vendor, Adobe ranks pretty high in the list of companies with reported vulnerabilities – especially when taking into account that it is only two core products in the case of Adobe (Adobe Reader and Adobe Flash Player), compared to the broad portfolio of either Oracle or Microsoft. When looking at “genuine vulnerabilities”, Adobe ranks 5th behind Oracle, Apple, Microsoft, and Google. The Secunia analysis also lists the Top 50 software portfolio, with Adobe Flash Player ranking 4th and Adobe Reader ranking 8th. Unfortunately, these are the two programs within the top ten of that list with the highest number of exploited critical vulnerabilities.
Another aspect when looking at Adobe from the security perspective is patch management. In Adobe’s case, this is cumbersome. Furthermore, Adobe has started (with their last patch for the Adobe Flash Player) to install Google Chrome and the Google toolbar without user consent – at least that’s what happened on my system. I had to manually uninstall both components afterwards.
So what we see is a mix of
- a massive number of vulnerabilities
- a disputable approach on patch management
- successful attacks to a critical internal security infrastructure
Does Adobe deal with that situation like customers would expect? You might say “yes” given that expectations might be very low. However, when looking at what we should expect from a professional software vendor, there are massive shortfalls.
Did Adobe inform anyone promptly about the malicious files? No, they didn't. The issue dates back to early July. Adobe claims that they took immediate internal actions, including a clean-room implementation of the code signing infrastructure. Maybe they should have taken action earlier, to prevent such attacks or at least to detect them when they happen and not only after malicious signed code appears on the Internet.
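The detection gap just described, signing requests that nobody noticed until the signed malware surfaced, is one that the signing service's own request log can close. As an added example, not Adobe's code or log format, the following Python checks a constructed request log against two things a build pipeline already knows: which hosts may ask for signatures and which artifact digests belong to a release. The log lines, host names and digests are constructed for the example.

```python
"""Detecting misuse of a code-signing service from its own request log.

Added example, not Adobe's code or log format. It assumes a signing service
that writes one line per request with the requesting host, the service account
and the digest of the artifact, plus two sources of truth the pipeline already
has: the hosts allowed to request signatures and the release manifest of
digests that are supposed to be signed. Log lines and digests are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed log excerpt: two normal build-server requests, then two requests
# from a workstation that should never talk to the signing service.
SIGN_LOG = """\
2012-07-02T10:15:02Z host=build-01 user=svc-build artifact=3f1c9a27 status=ok
2012-07-02T10:15:40Z host=build-01 user=svc-build artifact=9ab2e044 status=ok
2012-07-10T02:41:19Z host=corp-ws-217 user=svc-build artifact=c0ffee11 status=ok
2012-07-10T02:43:55Z host=corp-ws-217 user=svc-build artifact=d3adb33f status=ok
"""

ALLOWED_HOSTS: Set[str] = {"build-01", "build-02"}        # assumed pipeline allow-list
RELEASE_MANIFEST: Set[str] = {"3f1c9a27", "9ab2e044"}      # assumed digests of the release

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"artifact=(?P<artifact>[0-9a-f]+) status=(?P<status>\S+)$"
)


def detect(log_text: str, allowed_hosts: Set[str],
           manifest: Set[str]) -> List[Dict[str, object]]:
    """Return one alert per signing request that violates a pipeline invariant.

    Both checks are independent of whether the resulting signature is valid: a
    misused signing capability produces perfectly valid signatures, which is
    why the request path, not the output, is what has to be watched.
    """
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these too
        reasons: List[str] = []
        if m["host"] not in allowed_hosts:
            reasons.append("unlisted_host")             # request from outside the build pipeline
        if m["artifact"] not in manifest:
            reasons.append("artifact_not_in_manifest")  # signing something no release asked for
        if reasons:
            alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                           "artifact": m["artifact"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGN_LOG, ALLOWED_HOSTS, RELEASE_MANIFEST):
        print(alert["ts"], alert["host"], alert["artifact"], ", ".join(alert["reasons"]))
```

Note that the service account in the constructed log is the legitimate one in all four lines; a host-level allow-list still catches the misuse because the attacker used the account from a machine that is not part of the pipeline. That is the kind of signal the post argues should have fired in July rather than months later.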
I just recently blogged about the security issue in Microsoft Internet Explorer. The Adobe approach to security management also falls rather obviously into the category of “security by obscurity”. I don't think that this is the right way to act, especially in the case of a software vendor whose software ranks amongst the top ten within the average corporate software portfolio.
Taking all these points together, it is past time for Adobe to act far more professionally in its security management and patch management. Open and timely information, a simplified patch management methodology, and minimal patches without bundled additional software are the minimum requirements, together with an internal IT security posture that is good enough for today's “advanced persistent threat” types of attacks.