Real-Time Keyloggers

The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."
  • Re:OTP !! (Score:5, Insightful)

    by shird ( 566377 ) on Sunday August 23, 2009 @05:37PM (#29166523) Homepage Journal

    That doesn't stop them from blocking your login such that they are the only ones using the password/id. They log the keystrokes before they are sent over the wire to the bank, block the post to login.cgi, and log in for themselves.

  • by John Hasler ( 414242 ) on Sunday August 23, 2009 @05:45PM (#29166591) Homepage
    No need to execute them. No need to punish them severely at all. We just need to catch them. Given a 50% risk of being caught, a one-year prison sentence would provide more than adequate deterrence. Given the present one-in-100-million risk of being caught, an 18th-century hanging would offer no significant deterrence.

    This applies to crime in general as well.
  • Re:OTP !! (Score:5, Insightful)

    by Jah-Wren Ryel ( 80510 ) on Sunday August 23, 2009 @06:07PM (#29166757)

    They log the keystrokes before they are sent over the wire to the bank, block the post to login.cgi, and log in for themselves.

    If they are smart they can even provide a fake error page once they've acquired the credentials that tells the user that the site is "experiencing technical difficulties" and that they should please try again in 15 minutes. 99.99% of users won't think a thing of it.

  • Well I agree but (Score:1, Insightful)

    by Anonymous Coward on Sunday August 23, 2009 @06:15PM (#29166827)

    It's not like we don't know what countries most of this cracker crap is coming from. We need to deal effectively with the nations that are lax on this stuff. They are lax because it serves their political interest. Eastern Europe is a big place but rather authoritarian. This stuff would stop overnight if they wanted to stop it.

  • by Eudial ( 590661 ) on Sunday August 23, 2009 @06:23PM (#29166893)

    It's hard to justify to your voters why you need to spend huge amounts of tax money chasing down cyber criminals that mostly operate abroad, thus not affecting your country in the slightest, when that money could go to catching criminals that do, or to education, health care, whatever.

  • by schon ( 31600 ) on Sunday August 23, 2009 @06:28PM (#29166937)

    We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence.

    Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.

    The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.

  • by CrashandDie ( 1114135 ) on Sunday August 23, 2009 @06:36PM (#29167023)
    A good solution (read as "implementation") would consist of a challenge that the user can verify corresponds to the transaction he wishes to make. The first four digits of the challenge are the last four digits of the sum. The last six digits of the challenge are the first six digits of the target bank account. Etc.

    Nobody can expect good security if the user doesn't watch out and double-check what's happening. The attack you're talking of could very well be done to a poor old lady paying her bills for the month in front of her bank manager. Just slip in a bill she shouldn't pay: if neither she nor the bank pays attention, the money will be stolen.

    Even though I work in this field, and I'd love to come up with a solution that fixes all the issues, I just don't believe it. There will always be monkeys reading through tons of transactions, trying to spot the one that doesn't belong, and you will always have your credit card company calling you when suddenly there's $5k flying through some casino 800 miles from your residence.

    There is no ultimate security when it comes to banking apps, especially when you give end-users, and thus end-computers (which can and will be infected/modified/hacked in all ways imaginable or not), access to your application: you can't trust it. The only thing we can try to do is mitigate the risk for the general population, and hope we can filter out the few hacks. If you don't spot it, just pay the bill. The amount of money you lose that way will always be less than trying to fund impossible research that may yield nothing at all.
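    The transaction-bound challenge described in the post above, as an added example that is not the poster's code or any bank's or token vendor's scheme: the digit layout follows the post, while the response algorithm (HMAC-SHA256 truncated to decimal digits), the seed and the account numbers are constructed assumptions.

```python
import hashlib
import hmac

# Added example of a challenge derived from the transaction itself, so that
# both the user (by eye) and the bank (by recomputation) can tell when a
# man-in-the-browser has altered the amount or destination.

def build_challenge(amount_cents: int, target_account: str) -> str:
    """First four digits: last four digits of the sum. Last six digits:
    first six digits of the target account (layout taken from the post)."""
    acct_digits = "".join(ch for ch in target_account if ch.isdigit())
    return f"{amount_cents % 10000:04d}{acct_digits[:6]}"

def user_checks_challenge(challenge: str, intended_cents: int,
                          intended_account: str) -> bool:
    """The user's step before typing the challenge into the token: compare the
    digits on screen with the transaction they actually intend to make."""
    return challenge == build_challenge(intended_cents, intended_account)

def token_response(secret: bytes, challenge: str, digits: int = 8) -> str:
    """Response an offline token computes from its seed and the challenge
    (assumed construction: HMAC-SHA256, first 8 bytes, reduced to digits)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**digits:0{digits}d}"

def server_verify(secret: bytes, amount_cents: int, target_account: str,
                  response: str) -> bool:
    """Bank side: rebuild the challenge from the transaction it is about to
    execute and check the response, so a response authorises exactly that
    amount to exactly that destination and nothing else."""
    expected = token_response(secret, build_challenge(amount_cents, target_account))
    return hmac.compare_digest(expected, response)

def demo() -> tuple:
    secret = b"constructed-token-seed"                        # constructed, per-user
    amount, account = 12345, "FR7630006000011234567890189"    # constructed values
    challenge = build_challenge(amount, account)              # what the bank displays
    user_ok = user_checks_challenge(challenge, amount, account)
    response = token_response(secret, challenge)              # from the user's token
    server_ok = server_verify(secret, amount, account, response)
    # Malware swaps the destination for a mule account after the user approved:
    mule = "DE89370400440532013000"                            # constructed
    tampered_challenge = build_challenge(amount, mule)        # the bank would show this
    user_spots_it = not user_checks_challenge(tampered_challenge, amount, account)
    tampered_ok = server_verify(secret, amount, mule, response)
    return challenge, user_ok, server_ok, user_spots_it, tampered_ok
```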
  • Exactly right. (Score:3, Insightful)

    by brunes69 ( 86786 ) <[slashdot] [at] [keirstead.org]> on Sunday August 23, 2009 @06:43PM (#29167077)

    How many of these stories do we have to see before people wake up and realize that the login and security method is irrelevant if the OS itself is compromised?

  • by philibob ( 132105 ) on Sunday August 23, 2009 @07:17PM (#29167281) Journal

    ...Your router's activity light blinks every time you press a key on the keyboard.

    I assume it's trivial to detect this type of keylogging.

  • by davidwr ( 791652 ) on Sunday August 23, 2009 @07:40PM (#29167425) Homepage Journal

    Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.

    There is no single "criminal mind."

    True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.

    Some, those who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.

    Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or society, the thrill or other benefits of a drug high, or simply for financial gain.

    I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade. For them, it's simply a matter of cost-vs-benefit. In some parts of the world or for people with certain political connections, the cost-benefit equation for fraud favors the criminal.

  • by Anonymous Coward on Sunday August 23, 2009 @08:05PM (#29167591)

    Most of these crackers operate with the full knowledge of the "governments" of the countries they reside in.

  • by Anonymous Coward on Sunday August 23, 2009 @09:36PM (#29168137)

    "Your post displays a lack of understanding of the criminal mind."

    Who the fuck do you think you are? Axel Foley? Your post displays a lack of open-mindedness and foresight.

    So you're saying that an increase in the number of arrests (by percent) would not deter criminals, or - to give you the benefit of the doubt - not enough to make a difference? Why don't you take a look at the statistics? With respect to that, it seems that perhaps an increase in the probability of arrest would be something of a deterrent. Needless to say, making those arrests, that is, not ignoring them as you would do, would also keep those who disregard the law entirely from repeating their offense. Here is a nice chart indicating the percent change of crimes from one year to the next.

    There will always be people who don't care about the consequences of their actions, and those actions will always be the more damaging when the "unthinkable" occurs (i.e. 9/11, Columbine, and so forth), but one thing that the threat of punishment can do is deter the would-be criminals with weaker motivations or morals that are not completely skewed. This won't prevent the "unthinkable," but it will keep more people from committing most crimes. The main problem with trying to prosecute international cyber-crimes is jurisdiction, which would likely cause a larger bureaucratic mess than the crime itself.

    Punishment is supposed to be about demotivation, though the US doesn't have a great track record on demotivating those convicted of their crimes. The threat, however, is likely a more powerful demotivator to those who would be susceptible to being talked out of committing the crime.

    Statistically speaking, if it were possible to find and prosecute a sizable enough number of any group of criminals, it would seriously deter enough of them to represent a decrease in the volume of acts committed.

    To get back on topic, one-time pads and other methods should have been implemented by financial institutions to begin with. This sending of unencrypted bank information - especially to cell phones - to and from clients is ridiculous.

    - Spades

  • Learn some history (Score:3, Insightful)

    by davidwr ( 791652 ) on Sunday August 23, 2009 @09:43PM (#29168207) Homepage Journal

    The speed limit was set to 55mph in the mid-70s to conserve oil.

    Even with today's fuel-efficient cars, going 65 saves money over going 85.

    This is for at least two reasons:
    * atmospheric drag
    * engine efficiency

    The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.

    The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency somewhere in mid-RPM range, corresponding to somewhere in the 50-70mph range in top gear. Any faster than that and you'll lose efficiency.

    As long as people are focused on pollution, don't expect wholesale speed-limit reductions, especially in urban areas.

    Oh, there is also the safety factor: Even on a road designed for 85mph travel, that's with a given level of traffic and with a given driver behavior pattern. If the traffic is lighter and the drivers behave "better" the ideal speed may be higher, if the traffic is heavier or you have someone weaving in and out of traffic, or even adverse weather or night driving, the ideal speed may be lower.

    Speed limits need to be set on a case-by-case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds, the accident and near-accident history of the road, pollution levels in the region and downwind, and other factors. The national maximum of 80-ish mph may be too low, but there are very few places near cities where anything higher than even 70mph makes sense.

  • !First Time !New (Score:2, Insightful)

    by Eightbitgnosis ( 1571875 ) on Sunday August 23, 2009 @09:46PM (#29168233) Homepage
    Yes this "new" ability! Oh wait, Sub7 has had a real time keylogger on it for almost 10 years. Oh no, that doesn't sound very new at all.
  • by Igmuth ( 146229 ) on Sunday August 23, 2009 @10:24PM (#29168499)

    How does this provide any security? All the fake site needs to do is get the picture from the BoA site. (Heck, a well-written script could cause your machine to do it for them.) Once that happens you are no better off than you were before, and likely worse (since you are training people to assume that "picture means legit", instead of other more secure methods).

  • by SL Baur ( 19540 ) <steve@xemacs.org> on Sunday August 23, 2009 @10:48PM (#29168613) Homepage Journal

    How else can you explain an engineering report that lists 120mph as the designed maximum limit for an interstate, and an 85mph recommended limit for travel, but somehow gets signed at 65? The only reason I can conclude why politicians ignore engineers' recommendations is because the politicians view the twenty mph gap as an opportunity - to increase tax revenue.

    Something like that. For those of you young'uns who don't remember Dick, his administration flooded TV with advertisements that said "55 saves lives", then violated the 10th amendment to force states to comply with it.

    Lowered speed limits had *nothing* to do with fuel efficiency. And for those of you who think that is the case ... get off my lawn!

  • by kafka47 ( 801886 ) on Sunday August 23, 2009 @11:32PM (#29168965) Homepage

    I work for RSA and you are absolutely correct. Attempting to authenticate twice with the same tokencode will automatically yield a rejection.

    I believe the idea of this "real-time application" is that they see you typing in your passcode and zap that code into the authentication system before you do. The success of this hack is predicated on the notion that they are watching with bated anticipation, ready to spring into action the exact moment you sign into your online bank.

    The chance of this actually occurring is highly remote, to say the least. The technique of racing ahead of a potential 2-factor authentication is compelling in theory, but of little practical use. If they're going to get into your bank, it has nothing to do with "defeating" SecurID (or any other one-time display mechanism).

    Suffice to say, this story is bunk.

  • by CrashandDie ( 1114135 ) on Monday August 24, 2009 @09:10AM (#29172105)
    Actually, my point was that other vendors provide tokens that require a PIN to be input into the device, rather than to the server. The device can be locked if an incorrect PIN is entered, etc.

    Also, I never intended to say that authentication servers implementing SecurID weren't able to counter replay attacks (this is a base functionality); I was merely stating that it didn't use event counters to calculate the OTP. Other vendors provide this functionality, and this enhances security, as instead of having only a time-based OTP (that is, having an OTP that changes every x seconds), you can also include event-based information (an event counter is basically just a number that gets incremented every time the OTP is generated), and thus the server is able to know how many times an OTP has been generated (this also removes the issue you were talking of: a new OTP can be generated on demand, and even if the time window hasn't changed, the OTP will be different).

    The added advantage is that one can monitor how many tries a user needs to successfully login. Also, devices can get "unsynchronised" if too many OTPs are generated (the server only calculates that many OTPs).

    Another thing is that some vendors will have the device update its key after every OTP generation (hence the reason the event counter is useful, as to know how many times the key has been updated). This is not something RSA is able to do. They keep yelling to their customers that AES is absolutely required on these devices, and in their case it is. However, other vendors get away with using much lighter encryption keys (3DES, for example), because the key is a brand new one after every single OTP, the OTP is only valid for a few minutes, whereas 3DES still requires 10 hours or so to be cracked.
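    An added example, not the poster's code and not RSA's or any other vendor's algorithm, of the event-counter OTP discussed in this post and of the replay rejection kafka47 describes above: an RFC 4226 (HOTP) style code with a server-side look-ahead window, showing the "unsynchronised" case and an assumed two-code resync. The seed, window size and resync procedure are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Added example: event-counter OTP with a bounded server look-ahead window.

def otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP truncation: HMAC-SHA1 over the 8-byte counter, dynamic offset."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

class Token:
    """User's device: every button press advances the counter, so a fresh
    code is available on demand even inside the same time window."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def press(self) -> str:
        code = otp(self.secret, self.counter)
        self.counter += 1
        return code

class Server:
    """Tracks the last accepted counter and computes only a bounded window of
    future codes: a used code (replay) is rejected; a token pressed too far
    ahead becomes 'unsynchronised' until resynced."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.next = secret, window, 0
        self.attempts = 0   # tries per login: the monitoring point the post mentions
    def verify(self, code: str) -> bool:
        self.attempts += 1
        for c in range(self.next, self.next + self.window):
            if hmac.compare_digest(otp(self.secret, c), code):
                self.next = c + 1          # consume this and any skipped counters
                return True
        return False
    def resync(self, code1: str, code2: str, search: int = 100) -> bool:
        """Assumed resync: two consecutive codes, searched over a wider range."""
        for c in range(self.next, self.next + search):
            if otp(self.secret, c) == code1 and otp(self.secret, c + 1) == code2:
                self.next = c + 2
                return True
        return False

def demo() -> tuple:
    secret = b"constructed-seed-not-a-real-token-key"   # constructed
    tok, srv = Token(secret), Server(secret, window=5)
    first = tok.press()
    accepted = srv.verify(first)        # True: counter 0 is inside the window
    replayed = srv.verify(first)        # False: counter 0 is already consumed
    for _ in range(6):                  # user presses the button six more times
        tok.press()
    desynced = srv.verify(tok.press())  # False: counter 7, server searches 1..5
    resynced = srv.resync(tok.press(), tok.press())   # counters 8 and 9
    back_in_sync = srv.verify(tok.press())            # counter 10: accepted again
    return accepted, replayed, desynced, resynced, back_in_sync
```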
  • by mlts ( 1038732 ) * on Monday August 24, 2009 @10:37AM (#29173005)

    Long term, what comes to my mind for secure transactions would be placing a hypervisor at the BIOS level, and having a hardened OS dedicated for banking and other items. Then having an OS in another VM for general stuff (gaming, /., etc.)

    Of course, there are five issues with putting hypervisors in every PC out there:

    1: The hypervisor needs to be hardened. By default, these have a smaller attack surface than an OS, but there are ways to get around its protection. If malware in an untrusted partition is able to flash the machine's BIOS, modify the location where the hypervisor is stored, or edit the NVRAM where the hypervisor settings are stored, game over.

    2: Training people to use the protected OS partition as opposed to just pulling up whatever Web browser they are using for browsing their pr0n with all the dubious software "codecs" installed. Once you get the functionality to be able to have a secure partition, getting users to always switch to it before doing sensitive work will be hard. A lot of users balk at any security getting in their way even if it means devastation later on down the road.

    3: Concerns about it being Palladium NGSCB v2, loss of owner control over a PC, and DRM stacks enforced by hardware. One can point to the PS3 to show how tough it is to crack a well-engineered piece of hardware.

    4: The secure OS will need to be hardened from the ground up with few bells and whistles that can be exploited. The kernel would likely need some type of MAC (mandatory access control) similar to SELinux/TrustedBSD, except that every app that runs would require a profile. This OS may not be as user friendly as some may like because it isn't intended to be a full OS for day to day work, but one that accomplishes basic tasks (Web browsing, E-mail, remote desktop sessions, ssh client, bare bones Open Office functionality) in a secure environment. Things like Flash and other add-ons that can't be vetted line by line in source would have to be left out, making the user experience nowhere as good as a regular operating system.

    5: The embedded OS for this has to load fast and have a small RAM footprint. I don't mean the 15-30 seconds that a normal OS takes to get to operation, but as fast as alt-tabbing to another app and typing in details. If a secure OS takes too long to load, users won't bother using it and will take the gamble that their general purpose OS doesn't have malware present.

  • by Qzukk ( 229616 ) on Monday August 24, 2009 @11:11AM (#29173421) Journal

    If an attacker captures your passcode after you use it to successfully log in

    That's the point of it being in real-time. The person on the other end of the keylogger has already logged in by the time your mom has gotten her hand back on the mouse, wiggled it around to find where the pointer is on the screen, moved the pointer to the login button and clicked on it. No, not that mouse button, the other mouse button.

    She gets the usual useless error message and decides she must have mistyped something.
