Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User’s Conference in Las Vegas. ‘As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they’re doing,’ Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency’s Technology Directorate and served as the agency’s first CTO. He also held positions as the NSA’s CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act.
The following post gives a news story on how a mobile malware could rob the customers few million Euros, mostly in Europe. Given the banking scenario in India, suck attack could possibly create havoc for Indian consumers. Many banks in India, depend on an SMS for second factor authentication. This malware very well defeats the mechanism. Banks in India, beware.
Read on the news story..
Last version detected of Zeus botnet has been successful in the theft of about $47 million from European banking customers in the past year according revelation of security experts from Check Point and Versafe that discovered a sophisticated offensive.
The researcheres discovered a multi-dimensional and targeted attack, named “Eurograbber”, that stole an estimated 36+ million Euros from more than 30,000 bank customers from multiple banks across Europe. The attacks were originated in Italy and rapidly spread to other countries of UE such as Spain, Germany and Holland.
The attack described in a report released by the security vendors was based on the diffusion of a malware, directed at PCs and mobile devices, that is able to defeat the two-factor authentication process implemented by banks by intercepting bank messages sent to victims’ phones.
The attacks have exploited Android and Blackberry OSs confirming the great interest of cybercrime in the use of new channels, such as mobile and social media, to spread cyber threats. The malware has been designed to attack wide audience infecting both corporate and private banking users and illicitly transfer funds out of customers’ accounts in amounts ranging from 500 to 250,000 Euros each.
The schema of attacks is usual, the victim clicks on a malicious link received via an email as part of a phishing attempt, installing customized variants of the Zeus,SpyEye, and CarBerp Trojans. Infection could also happens either during internet browsing or clicking on a link inside a social network.During first visit to bank web site the malware intercepts the dialogue requesting to the user to enter a valid mobile phone number for authentication purpose and to validate successive transactions. Eurograbber would offer a “banking software security upgrade” that would infect victims’ phones with the mobile version of Zeus, ZITMo (Zeus in the mobile”) that is equipped with a function to intercept the bank’s sms message that include bank’s transaction authorization number (TAN).
In the following picture is proposed the SMS message (Italian ver.) sent to an Italian customer’s mobile device that contains a malicious link to the upgrade for the online banking security software. Clicking on this link user installs the Eurograbber Trojan on the his mobile device.
“Simultaneous with the SMS being sent to the bank customer’s mobile device, the following message appears on the customer’s desktop instructing them to follow the instructions in the SMS sent to their mobile device in order to upgrade the system software to improve security”
To improve security of the operations, banking implemented a 2-factor authentication mechanism validating identity of the clients and the integrity of transactions with introduction of a special code. When the bank customer starts an online banking transaction, the bank sends a TAN via SMS to the customer’s mobile device. The customer then confirms and completes operation entering the TAN code in the online form proposed by banking service.
Once capture the TAN number the malicious code is able to steal funds from victim’s bank account. The collections of infected machines is managed by an efficient Command & Control (C&C) server infrastructure described in the report:
To date, this schema of attacks have been reported only for European institutions but it could potentially affect banks all over the world.
The attack demonstrates that not only desktop PCs have to be protected by security systems but also mobile needs countermeasures to mitigate cyber threats, report states:
“To best protect against attacks like Eurograbber, online banking customers need to ensure they have the most current protection in two areas – on the network that provides them Internet access to their bank and on the computer they use to conduct online banking.”
Secure your Mobile !
Mobile devices, of late, gaining popularity with the acceptance of BYOD (Bring your Own Device) policy across the Corporates. Many large organizations are realizing that it’s easier to develop and deploy their own secure apps for employees with off-the-shelf solutions. Barclays bank, one of the world’s largest bank, hits the News this week by giving 8,500 of its employees an early Christmas present: iPads ! According to Baxter-Reynolds, Barclays’ total cost of ownership for 8,500 iPads works out to approximately £13.8 million, or $2,600 USD per unit.
What about Information Security?
While Barclays is focusing on a bigger business gain and employee confidence, security, of course, is a major concern. “With the lockdown offered on iOS devices — including encrypted content — iPads have all the things that reassure the ‘necessarily-paranoid’ in any bank’s IT department,” wrote Charles Arthur in the Guardian UK, commenting on Barclays’ decision to go with iPads.
Zack Whittaker at ZDNet agrees, saying Barclays confidence in IPad safeguards sets a trend for other companies, particularly banks. “The huge iPad deployment shows a significant level of trust in the Apple platform — that it’s secure enough for banking,” Whittaker wrote in his analysis. “Finance, after all, is only one-notch below national security in the grand scheme of data protection priorities.”
Mobile Security in General
Yes, Barclays invested huge amounts on the devices, training and security management of mobile technology. Waht about other companies- big and small – adopting rapidly the policy of BYOD yet not fully geared to understand and prepare to the face the risk? FBI & Internet Crime Complaint Center (IC3) are warning the smart phone users of malware targeting mobile devices. Malware seems to be the worst threat to the mobility considering the low levels of mobile security awareness equally among the management & users.
Some tips to secure your mobile
- When purchasing a Smart phone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
- Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
- With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
- Review and understand the permissions you are giving when you download applications.
- Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
- Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
- Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
- Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in “unrestricted” or “system” level within an operation system, it allows any compromise to take full control of the device.
- Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
- If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
- Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
- Avoid clicking on or otherwise downloading software or links from unknown sources.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.