Bob Dylan was right. The times are changing, especially in the web security war. It turns out that the hacker group behind the Coreflood Trojan has stolen at least 463,582 usernames and passwords while flying under the radar. How did they accomplish this? An instant messaging worm? Emailing malware out, via a botnet, to everyone and their dog? According to SecureWorks Director of Malware Research Joe Stewart, it all started with a drive-by attack:
According to Stewart, it was by not targeting things like instant messaging or e-mail, which get a lot of attention from security vendors. Instead, the hackers relied on drive-by attacks, and would pick a hosting provider and do a mass hack of every single Web page on that particular server. Then they would wait for users—particularly domain administrators with high-level rights.
So basically, the attackers' plan is to put an infected website up, let one user access it and get infected, and then wait for the domain administrator to log into that workstation. Once the administrator has logged in and the malware is running with those privileges, it propagates like an update to every other system on the network.
Also, the group “did not rely on zero-day attacks, just standard exploits that one can get from various underground forums”.
According to Stewart:
“Their trick is not in getting that initial infection—their trick is being patient and waiting for the right person to log into that workstation and then (taking) over that whole network,” he said.
Ah, the old Keyser Soze trick – The greatest trick the devil ever pulled was convincing the world he did not exist. And like that… he is gone.
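The pattern Stewart describes hinges on one event: a privileged account logging on interactively to an ordinary workstation. That is also the event a defender can watch for. Below is an added example (not from the original post or from SecureWorks) that scans constructed Windows Security 4624 records and flags interactive logons by Domain Admin accounts onto hosts inventoried as workstations; the account names, host names and records are all made up for illustration.

```python
"""Flag interactive logons by privileged accounts on workstations.

Added example, not from the original post. Field names follow the Windows
Security event 4624 schema (TargetDomainName, TargetUserName, LogonType, and
the System-section Computer element), but every record below is constructed.
"""
import json

# Constructed inventory: accounts with Domain Admin rights, and hosts that are
# end-user workstations, where a privileged interactive logon should be rare.
DOMAIN_ADMINS = {("CORP", "da.jsmith"), ("CORP", "da.backup")}
WORKSTATIONS = {"WKS-0142", "WKS-0187", "LAPTOP-77"}

# Logon types that leave reusable credential material on the host:
# console (2), unlock (7), RDP (10), cached interactive (11).
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample events, one JSON object per line (not a real export).
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "WKS-0142", "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 2}
{"EventID": 4624, "Computer": "WKS-0142", "TargetDomainName": "CORP", "TargetUserName": "da.jsmith", "LogonType": 3}
{"EventID": 4624, "Computer": "WKS-0187", "TargetDomainName": "CORP", "TargetUserName": "da.jsmith", "LogonType": 10}
{"EventID": 4624, "Computer": "SRV-DC01", "TargetDomainName": "CORP", "TargetUserName": "da.backup", "LogonType": 2}
{"EventID": 4625, "Computer": "WKS-0142", "TargetDomainName": "CORP", "TargetUserName": "da.jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "LAPTOP-77", "TargetDomainName": "CORP", "TargetUserName": "da.jsmith", "LogonType": 2}
"""


def find_privileged_workstation_logons(events_text, admins=DOMAIN_ADMINS,
                                       workstations=WORKSTATIONS):
    """Return one alert dict per successful interactive logon of a privileged
    account onto a workstation. Network logons (type 3), failed logons (4625)
    and privileged logons onto servers are deliberately not flagged."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:  # only successful logons
            continue
        account = (ev.get("TargetDomainName"), ev.get("TargetUserName"))
        host = ev.get("Computer")
        if (account in admins and host in workstations
                and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES):
            alerts.append({"account": "\\".join(account), "host": host,
                           "logon_type": ev["LogonType"]})
    return alerts


if __name__ == "__main__":
    for a in find_privileged_workstation_logons(SAMPLE_EVENTS):
        print(f"ALERT: {a['account']} logon type {a['logon_type']} on {a['host']}")
```

Running it on the sample yields two alerts (the RDP session on WKS-0187 and the console logon on LAPTOP-77); in a real environment the admin and workstation sets would come from directory group membership and the asset inventory rather than hard-coded constants.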
This October, in India and Bangladesh, there is a planned rollout of a technology that will enable anyone to transfer money between bank accounts, credit cards and phones via text messages from a cellular (mobile) phone. Using Obopay, you can sign up for an account and start moving your money around like it's nobody's business.
From the article:
Grameen Solutions, an affiliate of Nobel Prize winner Muhammad Yunus’ Grameen Bank, this week teamed with Obopay Inc., a for-profit mobile payment company based in California, to bring banking to a billion poor people using cellphones.
“Today, it’s difficult to reach these people,” Obopay India Executive Director Aditya Menon said at a news conference in India’s financial capital, Mumbai. “If you solve that problem, you are enabling them to enter the economy.”
The question is, however, will security be an afterthought or will it be a primary focus of this offering? Enabling access to, and money transfer between, accounts from a mobile platform will require rigorous security safeguards. Surely Obopay has thought of this, right? Well, the Obopay website states that it is indeed secure, as you are required to specify a PIN number upon the creation of your account. This PIN is used any time you send money, so “even if you lose your phone your money is safe”…safe?…SAFE?
Why isn't multi-factor authentication a requirement? How easy would it be for someone to pick up your cell phone and empty out your bank account if they knew your super-secret PIN number? How easy would it be for someone to beat your PIN number out of you?
These are all questions that I would have expected to be addressed during the design and implementation of this new technology integration. Alas, it appears that this is not so. Why is that again?
More from the article:
The payoff could be big for companies providing these services. People who are now “unbanked” in China, India and Brazil alone could generate $85 billion in banking revenue by 2015, according to an estimate by the Boston Consulting Group.
Ahhh…that’s right. Money. I often forget that making boat loads of money is always justification for poor application security planning.
In speaking with some of my fellow Twits, we all agreed that it would have been great to get to Black Hat this year (as well as some of the other security conferences that have passed). We all have reasons for not being able to attend these premier events, but the general consensus is that the lack of money remains the primary reason.
For me it is both a lack of money and a geographic location issue. Living in Fredericton, New Brunswick, Canada does not provide me with an easy route to Las Vegas, San Francisco, or Boston, where most of the conferences are located. The airfare in Canada is ridiculous, and for me to hop to a major US city I must first go through Toronto or Montreal. For example, to get to Las Vegas, I'm looking at roughly 4 flights and a round trip price tag of ~$2000. That doesn't include the price of the conference that I would be attending, hotel, food, and so on. If any of my readers are married, you know that justifying a nearly $6000 price tag to your spouse for you to head to Las Vegas for a week without them is about as easy as pulling your bottom lip over your head.
To that end, I have decided to found the Poor Bastards/Babes Who Can’t Afford Security Conferences (PBWCASC) (pronounced Peb-Wah-Cask). I have not yet decided if a website will be created or who will be hosting the telethon – Sally Struthers has a good track record…maybe I’ll reach out to her.
So join me, brothers and sisters, rise up against the cost of security conferences and join PBWCASC today!
(P.S. – scientists have not yet determined a way to join an “idea” at this time…please check back later when technology has caught up to my imagination.)