Ok, so I was reading the article by Michael Kassner “Why isn’t everyone hacked every day” (http://www.techrepublic.com/blog/security/why-isnt-everyone-hacked-every-day/6633) which talks about a paper by Cormac Herley and Dinei Florencio about “Where Do all the attacks go?” (http://research.microsoft.com/pubs/149885/WhereDoAllTheAttacksGo.pdf)
In short the paper gives a plausible explanation of why the internet still works at large even though the security state is a mess (well, not exactly, but almost).
One of the key statements that caught my eye was “Thus, how common a security strategy is, matters at least as much as how weak it is”.
Basically this means that if you are a bank and you deploy the same security solution as everyone else, you are more likely to be hit, because the fraudsters can simply reuse an attack vector that already works elsewhere.
However it occurred to me that this is obviously also true for the bad guys: if all of them were using the Zeus trojan to perpetrate their crime, the good guys could be much better prepared to defeat the attacks.
If the bad guys are using a new trojan (with new configuration files, encryption, hooking, …) all the time, then the good guys have a much harder time providing the same level of protection.
If you use any run-of-the-mill Zeus trojan service, chances are high that you’ll be detected pretty quickly through ZeuS Tracker and the many services from various companies that give financial institutions an early warning.
However if you either use a different trojan or alter the trojan to make the detection and decryption harder (such as the Zeus variants based on the leaked Zeus source code - http://www.tidos-group.com/blog/?p=429), the chances of not being detected will increase. We have seen this over and over again and when Carberp hit the scene, it made a big impact because nobody really knew what was happening and how things worked.
So while the paper by Herley and Florencio talks about the security industry, the same thing applies to the fraudsters as well, and as such I’m sure we’ll always see a proliferation of many different trojans for exactly this reason.
It seems that things have changed in recent times and suddenly everybody is under attack. First Sony with its reported 70 million compromised accounts, Epsilon, RSA – one of the most trusted brands online, now the world’s largest defence contractor Lockheed Martin, even PBS got targeted simply because they screened a critical documentary about Wikileaks. It doesn’t take much to get the attention of the wrong people. (we noticed that too!)
The resonating message from the media and people on the street is that if they can penetrate these companies, they can penetrate everybody, right?
Is the world turning upside down?
Well, for us security researchers this kind of news is not really new, as it is well known that with the right tools, the right knowledge and some clever social engineering, the sky is the limit. A very nice example of how a security company penetrated a bank is here (very good reading) http://bit.ly/c4DhaZ. From the blog post: “We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection”. I specifically used an example that is more than one year old.
I think we are in this situation at the moment not because of a lack of solutions out there, but because we tried to solve the problem with the wrong approach and with the wrong tools.
- Example: Wrong Tool: Two Factor Authentication (e.g. RSA) is great for authentication (well not so great anymore, but that’s a different story), but shouldn’t we start authorizing as well? How can it be that a user can do everything once (s)he got authenticated? Shouldn’t we ask whether a particular user is authorized to do something? And naturally we should only give the user an authorization code for that particular action. Not one to do anything and everything.
- Example: Wrong approach: As more and more companies and services are moved to the “cloud” we operate with a different risk exposure and we can’t simply apply the same security controls as if this were an internal application. Take email for example. Typically it is only accessible from the internal network (with all the security advantages that brings); exposed to the outside it needs a very different kind of protection. All these OWA (Outlook Web Access) portals and employee remote access tools need additional security. But why only add stronger authentication and hope that it will solve the security problem as well? We know that Man-In-The-Browser (MITB) trojans can circumvent most authentication solutions deployed today. Hope is not a strategy.
What we really need to do here is take a threat-based approach and use the right tools for the threats. Example: If the threat is a man-in-the-browser (MITB) trojan that alters a banking transaction, it doesn’t make sense to increase authentication. What we need here is a fraud detection solution together with authorization.
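To make the authentication-versus-authorization point concrete, here is an added example (my own illustration, not code from the paper, the linked posts or any product) that simulates both controls against a man-in-the-browser that rewrites a wire transfer after the user has approved it. The shared secret, account numbers, amounts and 6-character code length are constructed for the example: a generic one-time code only proves the user holds the token, so the server accepts the altered transaction; a code computed over the transaction details the user actually saw is an authorization for that one action, and the server rejects the altered one.

```python
import hashlib
import hmac

# Shared secret provisioned on the user's token or phone and stored server-side.
# Constructed for this example; in practice it is per user and per device.
SECRET = b"example-shared-secret-not-for-production"


def session_otp(secret: bytes, counter: int) -> str:
    """Generic one-time code: proves the user holds the token, says nothing about the action."""
    msg = counter.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def transaction_code(secret: bytes, tx: dict, counter: int) -> str:
    """Authorization code bound to the exact transaction the user saw on screen."""
    msg = f"{tx['from']}|{tx['to']}|{tx['amount_cents']}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def server_accepts_otp(secret: bytes, received_tx: dict, code: str, counter: int) -> bool:
    # Authentication only: the server checks the code and ignores what the transaction says.
    del received_tx  # deliberately unused, that is the weakness
    return hmac.compare_digest(code, session_otp(secret, counter))


def server_accepts_tx_code(secret: bytes, received_tx: dict, code: str, counter: int) -> bool:
    # Authorization: the server recomputes the code over the transaction it actually received.
    return hmac.compare_digest(code, transaction_code(secret, received_tx, counter))


def mitb_tamper(tx: dict) -> dict:
    """What a man-in-the-browser does: keep the user's view, rewrite what is sent to the bank."""
    altered = dict(tx)
    altered["to"] = "DE99-MULE-ACCOUNT"   # constructed mule account
    altered["amount_cents"] = 950000
    return altered


def simulate(counter: int = 42) -> dict:
    intended = {"from": "CH12-ALICE", "to": "CH34-BOB", "amount_cents": 12000}
    sent = mitb_tamper(intended)
    # The user's device derives both codes from what the user sees: the intended transaction.
    otp = session_otp(SECRET, counter)
    txc = transaction_code(SECRET, intended, counter)
    return {
        "otp_accepts_tampered": server_accepts_otp(SECRET, sent, otp, counter),
        "txcode_accepts_tampered": server_accepts_tx_code(SECRET, sent, txc, counter),
        "txcode_accepts_intended": server_accepts_tx_code(SECRET, intended, txc, counter),
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check}: {result}")
```

The transaction-bound code only helps if the device that computes it shows the user the real destination and amount on a display the trojan cannot touch; a code displayed inside the infected browser can be replayed just like the OTP.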
And what’s missing in all discussions is real-time detection and prevention capabilities based on suspicious behaviour. We need a much more intelligence based approach where suspicious activity can be detected very early on, preferably before any authentication process is completed. This suspicious activity can be as easy as the time needed to login to an account or time needed to complete the various steps of a wire transfer page.
In most of the cases we look at from a forensics point of view, we can detect the suspicious activity from the information that is already present… But the trouble is that we can only dissect this information forensically AFTER the damage has occurred. Let’s put in some systems that will proactively detect these things in real-time.
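As an added example of the real-time, behaviour-based detection described above (my own illustration, not a product and not the forensic data from any actual case), the script below scores a stream of web-application events by how long a session takes between steps of a login and a wire transfer. The event lines and the minimum plausible durations are constructed for the example and the thresholds are assumptions to be replaced by baselines from your own traffic; the point is that the login timing is already known when the credential POST arrives, so the decision can be taken before the password is even checked, and the wire-transfer timings fire before the transaction is executed rather than in a post-incident review.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event stream (not real bank data): session, step, UTC timestamp.
# s1 behaves like a human; s2 is the kind of script-driven session a trojan produces.
SAMPLE_EVENTS = """\
s1,login_form_shown,2011-06-01T10:00:00.000
s1,login_submit,2011-06-01T10:00:06.200
s1,wire_form_open,2011-06-01T10:01:10.000
s1,wire_submit,2011-06-01T10:01:55.000
s1,wire_confirm_submit,2011-06-01T10:02:20.000
s2,login_form_shown,2011-06-01T11:00:00.000
s2,login_submit,2011-06-01T11:00:00.300
s2,wire_form_open,2011-06-01T11:00:01.000
s2,wire_submit,2011-06-01T11:00:01.150
s2,wire_confirm_submit,2011-06-01T11:00:01.400
"""

# Minimum plausible seconds for a human to get from one step to the next.
# Assumed values for the example; derive them from your own session baselines.
MIN_SECONDS = {
    ("login_form_shown", "login_submit"): 1.5,   # typing a user name and password
    ("wire_form_open", "wire_submit"): 5.0,      # filling in beneficiary and amount
    ("wire_submit", "wire_confirm_submit"): 2.0, # reading the confirmation page
}


def parse_events(text: str) -> dict:
    """Group 'session,step,timestamp' lines by session, keeping arrival order."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        sid, step, ts = line.split(",")
        sessions[sid].append((step, datetime.fromisoformat(ts)))
    return sessions


def score_session(steps: list) -> list:
    """Return (transition, elapsed_seconds, suspicious) for every monitored transition seen."""
    seen = {step: ts for step, ts in steps}
    findings = []
    for (start, end), floor in MIN_SECONDS.items():
        if start in seen and end in seen:
            elapsed = (seen[end] - seen[start]).total_seconds()
            findings.append((f"{start}->{end}", elapsed, elapsed < floor))
    return findings


def analyze(text: str) -> dict:
    return {sid: score_session(steps) for sid, steps in parse_events(text).items()}


def suspicious_sessions(text: str) -> list:
    """Sessions with at least one transition completed faster than a human plausibly could."""
    return sorted(sid for sid, findings in analyze(text).items()
                  if any(flag for _, _, flag in findings))


if __name__ == "__main__":
    for sid, findings in analyze(SAMPLE_EVENTS).items():
        for transition, elapsed, flag in findings:
            print(f"{sid} {transition}: {elapsed:.3f}s {'SUSPICIOUS' if flag else 'ok'}")
    print("flag for step-up or hold:", suspicious_sessions(SAMPLE_EVENTS))
```

In a real deployment the scoring runs inline on each request rather than over a finished log, and the response to a flagged session is a hold or a step-up on that transaction, not a block on the whole account; a single fast step is weak evidence on its own, which is why the thresholds should come from measured baselines and be combined with other signals.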
More on these topics in some upcoming posts…
Lessons learned here:
- just one incident can have disastrous consequences.
- authentication is something different from authorization.
- don’t try to solve a security problem with an authentication solution.
- if you know that your system can be circumvented, the bad guys either already know this as well or they’ll figure it out very quickly.
- implement proactive, real-time solutions, rather than reactive, blacklist- or heuristic-based solutions
- deploy an intelligence based approach. Take advantage of the information you have and make sure you know all the things you need to know.
UPDATE: it seems that the concept of authentication and authorization is not made clear enough, so below is my attempt to clear this up.
- Authentication: Proof that someone or something is who he, she, or it claims to be. (who you are)
- Authorization: Once the system knows who the user is through authentication, authorization is how the system decides what the user can do. (what am I allowed to do)