March 18, 2006

Threatwatch - trojan hijacking, proxy victims, breaching conflicts of legal interest, semi-opaque blue hats

Bad news for Microsoft, but (other) browsers may breathe a small sigh of relief. It seems that there is a shift from email-based phishing across to trojan hijacking. Predictable - as people gradually wake up to phishing, and as the easy targets are phished out, we can expect the well-funded attackers to shift to new waters.

LURHQ’s description of an E-gold Trojan was an early foreshadowing of things to come. E-gold is an e-cash operation, similar to Paypal. Turns out they’ve been under constant attack from these advanced Trojans for a few years now.

The E-gold Trojan waits for the victim to successfully authenticate to E-gold’s Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victim’s account. Because the stealing and spoofing is started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQ’s prediction that “other banking institutions are sure to be attacked in this manner in the future.”
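The point in that paragraph is that a trojan riding on an already-authenticated session makes login strength irrelevant; what does help is binding authorisation to each transaction. The following is an added illustration, not code from the post, from LURHQ or from e-gold: a constructed toy back-end in Python with two transfer paths, one that trusts the session alone and one that also demands a confirmation code computed over the exact transaction details with a key that lives only on an out-of-band device (an assumption of the model; the account names, the `Bank` class and the 8-hex-digit code format are all invented here).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    balance: int
    # Key shared only with the customer's out-of-band device (assumption:
    # a token or phone that malware on the PC cannot read).
    device_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def transaction_code(device_key: bytes, src: str, dest: str, amount: int) -> str:
    """Short confirmation code bound to source, destination and amount."""
    msg = f"{src}|{dest}|{amount}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Constructed toy back-end; not any real institution's code."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, str] = {}  # session token -> account id

    def login(self, account_id: str) -> str:
        # Login strength is irrelevant to the model: the trojan simply waits
        # for the genuine login to complete and then reuses the session.
        token = secrets.token_hex(16)
        self.sessions[token] = account_id
        return token

    def transfer_session_only(self, token: str, dest: str, amount: int) -> bool:
        """Weak design: an authenticated session is all that is required."""
        src = self.sessions[token]
        return self._move(src, dest, amount)

    def transfer_with_confirmation(self, token: str, dest: str, amount: int,
                                   confirmation: str) -> bool:
        """Hardened design: every transfer needs a code bound to its details."""
        src = self.sessions[token]
        expected = transaction_code(self.accounts[src].device_key, src, dest, amount)
        if not hmac.compare_digest(expected, confirmation):
            return False  # wrong, replayed or altered-transaction code
        return self._move(src, dest, amount)

    def _move(self, src: str, dest: str, amount: int) -> bool:
        if amount <= 0 or self.accounts[src].balance < amount:
            return False
        self.accounts[src].balance -= amount
        self.accounts.setdefault(dest, Account(0)).balance += amount
        return True


def demo() -> dict:
    """Run the post-login scenario against both designs and report the outcomes."""
    bank = Bank()
    bank.accounts["victim"] = Account(balance=1000)
    token = bank.login("victim")  # the genuine user authenticates normally

    # Genuine transfer: the user confirms these exact details on the device.
    code = transaction_code(bank.accounts["victim"].device_key, "victim", "shop", 100)
    legit = bank.transfer_with_confirmation(token, "shop", 100, code)

    # A hidden second request on the same session (the whole of the trojan
    # model here) cannot reuse that code for a different destination ...
    replayed = bank.transfer_with_confirmation(token, "mule", 100, code)
    # ... nor guess a code for a transfer the user never confirmed.
    guessed = bank.transfer_with_confirmation(token, "mule", 900, "00000000")
    after_hardened = bank.accounts["victim"].balance

    # Under the session-only design the same request simply succeeds.
    session_only = bank.transfer_session_only(token, "mule", 900)

    return {
        "legit": legit,
        "replayed_code": replayed,
        "guessed_code": guessed,
        "balance_after_hardened": after_hardened,
        "session_only_drain": session_only,
        "final_balance": bank.accounts["victim"].balance,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the code covers destination and amount, not just "approve this session": a trojan that alters the details of a transaction the user is genuinely confirming invalidates the code as surely as one that invents a transaction from scratch. The model leaves out the harder problem the post raises elsewhere, namely a trojan that spoofs what the user sees while the device is asked to confirm; the device's own display of the details is what must be trusted there.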

In the more mundane and routine phishing waters (thanks, Gordon):

In a smart site redirection, the attacker creates several identical copies of the spoofed site, each with a different URL, often hosted by different ISPs. When the phishing e-mails go out, all include a link to yet another site, a "central redirector." When the potential victim clicks on the e-mailed link, the redirector checks all the phishing sites, identifies which are still live, and invisibly redirects the user to one.

I see signs of a new trend in reportage of threats to US financial institutions. Above, and here:

The report cites the W32/Grams Trojan that targets 'e-gold' but doesn't launch an attack until the authentication process has been monitored and completed, as e-gold uses a number of security measures, such as limiting account access to an individual IP address and the use of one-time passphrases.

Spot it? If you can name e-gold then you can get away with embarrassing someone who can't fight back. But if it is a regulated financial institution, it shouldn't be named - if the debit card PIN debacle in the US is anything to go by. Nobody quite knows what is going on there, what happened, and who it happened to. Other than the consumers, that is.

Knowing what happened is critical to security. Only with hard facts as to the real breach can we understand the risks. Only with understanding the risks can we counter them. If big banks have to be embarrassed in that process then so be it - the goal is security, right?

Which means that naming e-gold is a net good - they become a proxy for the banks' woeful security practices. "Sucks to be them." But at least they got invited into a new coalition of the willing:

A group of 18 financial institutions and internet providers have joined forces with child advocacy groups in the US and Europe in an effort to eradicate commercial child pornography by 2008. The internet has allowed child pornography to become a multi-billion dollar industry, and the newly formed Financial Coalition Against Child Pornography aims to kill the business model behind the sites by blocking access to payment services including credit cards.

Again, e-gold have been a favourite target of blame for child pornography, and it is not exactly clear that the mud sticks. The reason for putting together a group is possibly explained here:

One problem for the card companies is that it is illegal for anyone other than law-enforcement officials to look at child porn. This has made it difficult to proceed with their own internal controls.

"The great thing about this coalition is that it gives us for the first time an independent entity to decide the validity of a particular image - and if it is child porn or not - and gives us actionable information," says Joshua Peirez, group executive of global public policy at MasterCard in Purchase, N.Y.

How the coalition gets around that illegality question is an open question - but it certainly points the way towards a nominally independent body that can govern the question without other conflicts of interest. And, conflicts of interest and other disasters are the rule with such investigations, as reported here by Adam:

An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and marriages after their names were used to buy child pornography.

Just exactly how do you deal with a false accusation so severe that due process is foregone? Any security strategies for that?

And finally, to return to Microsoft's bad news. They seem to have run something of a coup in security forums:

MARCH 16, 2006 (IDG NEWS SERVICE) - Microsoft Corp. is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. Just days after the end of its third Blue Hat conference, the software vendor today posted the first blog entries at a new Web site. Microsoft is also promising to publish more details on the secretive invitation-only event.

The Web site will include Microsoft staffers' "reflections on BlueHat 3" as well as photos, podcasts and video interviews with some of the presenters, said Security Program Manager Kymberlee Price in a blog posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience," she wrote.

Which at first blush sounds almost convincing. So, if it is so open and touchy-feely, why is it also so secretive? Routine champions of open process such as Adam have supported the secrecy agenda (albeit under a label of privacy), so we are definitely hearing two messages here, among the many echoes of the past.

The normal reason for secrecy is to control the agenda for one's own gain, whatever the headline reason is. In Microsoft's case they benefit if they can get the information they need and not reveal any themselves. Obviously, nobody is quite that naive these days, so some stuff may have to be revealed. In particular, what they do reveal should not expose their more controversial intentions, so what is not revealed is likely more interesting than what is. And, as we saw with the "high assurance" case, there is a definite advantage in getting everyone else to respect privacy, as it gives Microsoft first-announcer privileges.

Aside from that, I think we are still in net positive territory. Microsoft have failed to get their house in order, and we see more and more signs that they are trying various ideas to get outside help. Without admitting this, that is; but the observation remains that they are the only organisation doing any outreach on security at all, and the only player looking at security for security's sake, albeit highly filtered through other monetary interests.

(I should hasten to add that I doubt this is caused by any new-found public spirit on their part, it's almost certainly a rational analysis of the huge and growing risks Microsoft face in the security field.)

Posted by iang at March 18, 2006 01:46 PM
Comments

"_Spot it? If you can name e-gold then you can get away with embarrassing someone who can't fight back. But if it is a regulated financial institution, it shouldn't be named - if the debit card PIN debacle in the US is anything to go by_."

This propaganda-lie is not peculiar to finance systems. In the UK a BSE cluster arose (sometime in the mid-80s) around a small village; this was explained by besmirching the name of the local butcher. The local butcher did not have the resources of a huge supermarket chain to defend himself and hence found himself in the liar's cross-hairs.

Posted by: Darren at March 18, 2006 09:16 AM

WOW - that's heavy

you predicted EXACTLY THAT about a year ago mate and at the time I pooh-poohed you because I figured there is no way anyone would bother with anything so complex.

wow !


> ===============================
> LURHQ’s description of an E-gold Trojan was an early foreshadowing of
> things to come. E-gold is an e-cash operation, similar to Paypal. Turns
> out they’ve been under constant attack from these advanced Trojans for
> a few years now.
>
> The E-gold Trojan waits for the victim to successfully authenticate to
> E-gold’s Web site, creates a second hidden browser session, and uses
> various spoofing tricks until it drains the victim’s account. Because
> the stealing and spoofing is started after the authentication is
> completed, no amount of fancy log-on authentication would prevent the
> heist. All too telling is LURHQ’s prediction that “other banking
> institutions are sure to be attacked in this manner in the future.”
> ===============================

Posted by: Jape at March 18, 2006 09:21 AM

Oh wow, that is just nuts. E-Gold has always been relatively intelligent with their security policies (as opposed to Paypal, for example), but this is almost too much to handle, especially given the anonymity of it all.

I've seen trojans offered on various hacking sites. Of course, E-Gold is the only accepted method of payment, which brings up another ironic set of circumstances for the purchasers.

-Greg

Posted by: Forex Basics at March 29, 2006 05:04 AM