Social Engineering in Real-World Computer Attacks

Great little article over at SANS on Social Engineering in Real-World Computer Attacks

More Default passwords?

A young queenslander has been charged with hacking* offences after 'hacking' several ATMs to withdraw $30,000 dollars in cash.

The article is short on detail about how these 'hacks' occured, but they do suggest he "found information on the internet and in an ATM manual that allowed him to change the machines' settings so he could make huge withdrawals of cash"

What sort of information in a product manual would allow you to do something like this? I'm betting it was some kind of default password.

It isn't stated what bank owned the ATMs or if they were all from the same bank - I'm guessing they may have been. After all if you have a trick to do something like this it probably only works on one model of ATM, and if it worked on one ATM from a particular bank, it probably works on another!

Default passwords and misconfigured devices are unfortunately all too common. I suspect the practice is even worse when people are with specialized, unusual devices like an ATM. This seems to be an example of security by obscurity at work, the incorrect assumption that the default password didn't need changing because only authorized personnel have access to the product manual. A quick google for ATM Manuals and default passwords shows plenty of results!

Security by obsucurity can be a controversial topic in security circles. At it's core is the idea of being secure by design, rather than secure because of secrecy. In a recent discussion I was part of with a group of security professionals from different backgrounds there were mixed opinions on the topic. Should your security design have no secrets? Should you publish it on the internet? Well to me the common sense answer there is no, as obscurity or secrecy does have a place in security design and implementation. The important thing is your security should not rely on the design being kept secret.

While I'm certainly not condoning or encouraging this type of crime and there is a degree of supposition on my behalf to assume default passwords were the cause, it would seem to fit. While the young man deserves the punishment for the crime, what about the failure of duty of care on behalf of the bank? The lax security procedures?

*I don't know if being able to google for an ATM manual makes you a 'hacker'....

More multi-factor authentication

Still on the theme of biometrics, is today reporting that Aussies favour fingerprinting to prove ID online. The 'proof' comes from a Unisys Security survey of 1200 Australians. Now I haven't read the survey, but the news item also states: "Unisys...which provides organisations, including the immigration department, with biometric tests..."

Fingerprinting has many problems, some which I mentioned in yesterday's post, but others such as whether fingerprints are sufficiently unique to be used for authentication, how (and if) users will protect their fingerprints any better than they do their passwords and what happens if your fingerprints are compromised?

Fingerprints aren't hard to get, especially if you have physical access to the victim and their environment. For remote capturing, well all those fingerprints will have to be transmitted and stored somewhere, where they can be captured en masse or they just as vulnerable to phishing and man-in-the-middle attacks as passwords. Had all 10 fingerpirnts captured by the bad guys? Uh-oh! Even worse if they're used by law enforcement and immigraton as unique identifiers!

There are also great variances in the accuracy and the methods used for verification in different fingerprint readers. Having banks (or whomever) send out readers to all their customers goes back to the convenience factor I mentioend yesterday.

I think it will be a long time before we see fingerprinting as a common method of web authentication...

three-factor Authentication

Apparently the National Australia Bank (NAB) are looking at moving to three factor authentication. For those who are unaware, 'multi-factor' authentication involves authenticating a subject through a variety of different methods, most commonly 2 of the below:

  • Something you know (eg: a password)
  • Something you have (eg: a security pass or token)
  • Something you are (eg: biometric security such as a fingerprint or iris scan)
and occasionally adding:
  • Somewhere you are (only allowing access from a specific place, such as using a RAS call-back system)
Multi-factor is generally considered more secure than single-factor authentication as an impersonator must capture or reproduce more than just a password (the most common single factor authentication mechanism)

So if two factors is more secure than one then three must be even better right? Well that all depends on a number of factors (excuse the pun!).
The more factors you add to the equation, the more inconvenient authentication becomes to the end user. Convenience is important. This is why passwords are still so popular, despite being shown to be extremely weak security in that many people will give away their password for a candy bar (especially if you are a woman apparently!)

So when implementing two factor authentication, convenience needs to be taken into account. RSA tokens that can attach to a keyring and One Time Passwords (OTP) that are send via SMS to a registered mobile phone are examples of incorporating a reasonable measure of convenience into the authentication process. I know HSBC uses the RSA tokens for their internet banking login authentication and NAB take a different approach, using only a password for login, but a OTP sent via SMS to verify any money transfers (for personal customers anyway. Business customers get a token)

All sounds terribly secure right? Well no. As security guru Bruce Schneier commented back in 2005 in refernce to 2-factor security: " solves the security problems we had ten years ago, not the security problems we have today".
He was, and still is, right. Phishing attacks and Man-in-the-middle (MITM) attacks are examples of very old attacks that can defeat 2-factor authentication by targetting the user. If you can fool the user into providing you with the information you need, you can fool the authentication mechanism.

So if two-factor authenticaion is broken, three-factor authentication will save us! Right?
I'm not convinced. The original article mentions using voiceprint identification for the third factor (something you are). Hmmm.
Biometrics are tricky to say the least. Faces change over time as people age, gain/lose weight and other conditions such as lighting and distance can distort the image viewed by facereadering cameras and lead to false-positives or false-negatives. Fingerprints can change due to accidents or even minor injuries (papercut) and many fingerprint readers have been shown again and again to be easily defeated. Iris scans are very accurate and don't tend to change, but are hardly easily portable or suitable for mobile or home internet banking.
As for voiceprints, well ever had a laryngitis? No? A cold? Bad phone reception?
I'm not convincd they're the way to go and neither are some experts who state: "There is no such thing as a voice print, it's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does."

The other unanswered question is what does the NAB hope to achieve by adding a third factor to their authentication? "More security" is not much of an answer, is it anything more than a marketing one-up on their competitors? ("We're the only one who uses three-factor security! bank with us!")
It all seems a bit more like security theatre than real security. Perhaps NAB need to look at their internal security first...

Of Bombs and bums part II

I posted a few weeks ago about the 'bum bomber' who tried to blow up a Saudi prince with an explosive hidden in his rear-end.

Well it seems at last some governments are worried about a sudden upswing in 'bum bombers' and are proposing full body scan x-rays.

One can only hope this is more media beat-up and speculation that actual plans...


By now it's a safe bet anyone working in the security space has heard about the leaked passwords from hotmail, yahoo and gmail.

The most interesting thing so far to come out of the leak is the results of an analysis of the passwords exposed. The results are an interesting mix and shed some light on how the message about using strong passwords is being received out there in user-land.

The most common password found was '123456' with '12346789' coming in second. It's enough to keep a security guy up at night!

Amazingly 'password' didn't make the top 20 list, but despite the fact the average password length was 8 characters, 42% of all the passwords listed were lower case only and only 36% were what we commonly consider 'strong passwords' (in complexity if not length). This shows the message is not being heard.

Why is this a concern to the security guy in the enterprise? Well the same users are likely to be in the office and these results show that the password message is not getting through. Not to mention employees with good intentions emailing work documents to themselves @hotmail so they can be diligent and work on them at home. That same hotmail address with the '123456' password....

The good news (comparitively!) is that the passwords have not been gathered due to a flaw in the security of these industry heavyweights, but by via phishing attacks against the users themselves.
The problem though is even when users are diligent and more complex passwords are used there is the problem of those same users being suckered in by phishing attacks. Even the head of the FBI was banned from online banking by his wife for almost falling victim to a phishing email.

A senior security engineer for nCircle recently presented at SecTor the results of a survey both technical and non-technical users that showed while 83% of users checked for the magic padlock in the browser when entering their credit card details, a dismal 41% checked for the same padlock when entering a password. Although the displaying the magic padlock can be easily faked.
Unsurprisingly almost 50% of users also clicked through security warnings without paying attention to them. In this we're paying the price for training end users to 'just click ok' through countless exposures to buggy software.

People can't be relied upon to pick strong passwords or read security warnings. Security guru Bruce Schneier has written about this back in 2006 when 100000 myspace accounts were exposed through a phishing attack. That wonderful password '123456' made the top 20 back then too, but the best performer was 'password1'.

Bruce comments that "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?"

He's completely correct and in fact I'd hazard a guess that they've continued to learn and the most common password these days (where complexity rules are applied) is 'Password1'.

What's the answer? Nothing simple comes to mind, but clearly our education of users isn't working today, we need to do better.

And finally a more humourous look at choosing a password...

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme