Bob Dylan was right. The times are changing, especially in the web security war. It turns out that the hacker group behind the Coreflood Trojan have stolen at least 463,582 usernames and passwords while flying under the radar. How did they accomplish this? Instant messaging worm? Emailing malware out, via a botnet, to everyone and their dog? According to SecureWorks Director of Malware Research Joe Stewart, it all started with a drive-by attack:
According to Stewart, it was by not targeting things like instant messaging or e-mail, which get a lot of attention from security vendors. Instead, the hackers relied on drive-by attacks, and would pick a hosting provider and do a mass hack of every single Web page on that particular server. Then they would wait for users—particularly domain administrators with high-level rights.
So basically, the attackers' plan is to put an infected website up, let one user access it and get infected, and then wait for the domain administrator to log into that workstation. Once the administrator has logged in and the malware has those privileges, it propagates to every other system on the network like an update.
Also, the group “did not rely on zero-day attacks, just standard exploits that one can get from various underground forums“.
According to Stewart:
“Their trick is not in getting that initial infection—their trick is being patient and waiting for the right person to log into that workstation and then (taking) over that whole network,” he said.
Ah, the old Keyser Soze trick – The greatest trick the devil ever pulled was convincing the world he did not exist. And like that… he is gone.
This October, in India and Bangladesh, there is a planned rollout of a technology that will enable anyone to transfer money between bank accounts, credit cards and phones via text messages from a cellular (mobile) phone. Using Obopay, you can sign up for an account and start moving your money around like it's nobody's business.
From the article:
Grameen Solutions, an affiliate of Nobel Prize winner Muhammad Yunus’ Grameen Bank, this week teamed with Obopay Inc., a for-profit mobile payment company based in California, to bring banking to a billion poor people using cellphones.
“Today, it’s difficult to reach these people,” Obopay India Executive Director Aditya Menon said at a news conference in India’s financial capital, Mumbai. “If you solve that problem, you are enabling them to enter the economy.”
The question is, however, will security be an afterthought or will it be a primary focus of this offering? Enabling access to, and money transfer between, accounts from a mobile platform will require rigorous security safeguards. Surely Obopay has thought of this, right? Well, the Obopay website states that it is indeed secure, as you are required to specify a PIN number upon the creation of your account. This PIN is used any time you send money, so “even if you lose your phone your money is safe”….safe?….SAFE?
Why isn't multi-factor authentication a requirement? How easy would it be for someone to pick up your cell phone and empty out your bank account if they knew your super-secret PIN number? How easy would it be for someone to beat your PIN number out of you?
These are all questions that I would have expected to be addressed during the design and implementation of this new technology integration. Alas, it appears that this is not so. Why is that again?
More from the article:
The payoff could be big for companies providing these services. People who are now “unbanked” in China, India and Brazil alone could generate $85 billion in banking revenue by 2015, according to an estimate by the Boston Consulting Group.
Ahhh…that's right. Money. I often forget that making boatloads of money is always justification for poor application security planning.