Luke Koops

Command and Control

Tuesday, July 31st, 2012 | Luke Koops

I recently attended Black Hat USA 2012 in Las Vegas. During the conference, I focused my attention on cyberespionage. This involves attackers who are on a mission with well-defined objectives. They are a source of persistent, targeted attacks. I learned a lot about command and control during my training. Command and control — also known as C&C or C2 — is a major component of the cyber kill chain.

I had the opportunity to build two different command-and-control servers during my training at Black Hat — one with Zeus and one with Poison Ivy. Zeus is designed from the ground up as malware, to facilitate identity theft and to leverage that to steal money or intellectual property.

Poison Ivy is actually called “Poison Ivy: Remote Administration Tool” by the author. At one time he expressed shock that it was being used by foreign governments to spy on their own people. It is more suited to remote access and surveillance than to scripted attacks.

The Zeus server took a long time to set up, partly because of network issues. We started with blank virtual machines (VMs) and built a Linux server from the ground up. The nice thing about that approach is that it makes the build reproducible. With a good network connection, it should be possible to build a server in an hour or two. By contrast, with no preparation, Poison Ivy takes five minutes to set up and deploy.

Zeus has exploit capabilities that are well suited to robbing banks; it also has surveillance capabilities and many add-ons. Backconnect — an optional plug-in module for Zeus that provides additional capabilities — makes it possible to proxy traffic through the victim’s computer. Integration with instant messaging via Jabber helps the attacker get to a keyboard when a window of opportunity opens up.

Setting up a botnet is surprisingly quick, so an intruder could easily learn and deploy several technologies in their attack. Infecting multiple systems with different technologies, using different attack vectors, would help the attacker maintain a foothold after an intrusion is discovered.

A bot can be transferred from one C2 server to another. Thieves are starting to sell bots to spies. Malware that comes in via typical, untargeted channels can later be used to leverage a targeted attack. It’s important for an organization to know if they have a typical infection or are under a targeted attack. It’s like knowing the difference between an ear infection and cancer, as you will see in my post about remediation.

Mike Byrnes

Fighting Fraud is a Team Effort

Thursday, July 19th, 2012 | Mike Byrnes

While it’s quite typical for my blogs to take shots at the banks for failing to implement effective security controls, and at the financial regulators for being too slow at releasing guidelines, I think it’s time to emphasize that fighting fraud is a team effort.

By coincidence, my last blog entry, in early July, ended with this exact recommendation. Within a week, news came out that a bank, BancorpSouth, is suing its customer for failing to adopt security controls, which made it easy for criminals to steal about $400,000.


Jon Callas

US Court Decision is Good News for Banking Customers

Tuesday, July 17th, 2012 | Jon Callas

Blogmaster Note: This was originally posted on July 17, 2012 to ComputerWorld UK’s Security Spotlight Blog.

US ruling has implications for UK over bank’s liability

Thefts from a construction company in Sanford, Maine might be the catalyst for much-needed improvements to banking security. The US First Circuit Court of Appeals reversed a decision that said that a bank was not at fault in a theft. Even better, the appeals court encouraged both parties to settle the matter amongst themselves.

Here’s a summary. In May, 2009, the Sanford, Maine construction company PATCO Construction had its on-line banking credentials stolen, most likely through the ZeuS malware. The thieves stole US$588,000 from PATCO’s accounts at Ocean Bank, now People’s United Bank. The thefts were batched in automated clearing house withdrawals over seven days.

Ocean Bank recovered US$243,406 of the losses, leaving PATCO with losses of $345,445. To add insult to injury, the withdrawals exceeded the cash on hand that PATCO had in their account and Ocean Bank gave them an automatic line of credit to cover the theft, charging them interest on the losses as well.

In 2010, PATCO sued Ocean Bank for the losses, claiming that among other things Ocean Bank did not follow the existing US banking requirements for multifactor authentication, relying on a simple password to authenticate and verify transactions.

Should you want more information, Brian Krebs has an excellent article covering many details on his blog. Tracy Kitten of Bank Info Security has another excellent article. The gory details are in the forty-three page decision itself. There are many good details in Matthew J. Schwartz’s article in InformationWeek and in William T. Repasky’s article in FISMA News as well.

The ruling is important because it states that Ocean Bank was “commercially unreasonable” in what it offered to PATCO. Under the Uniform Commercial Code, not only must we customers be responsible, but the banks must meet the new (where new means 2005) guidelines of the FFIEC. Ocean Bank was using the Cyota system through a service, but did not offer out-of-band authentication, tokens, or monitoring.

While this is a US ruling, the basics apply to the UK as well. Ross Anderson has been noting for years that UK banking requires proper authentication and without it, the bank must eat the losses. He has even documented how he sued his bank to recover a loss on his own account in his article, “How to get money back from a bank”.

If you’re with a financial institution, make sure you offer good authentication. Read the articles I’ve linked to. Call us at Entrust, we’ve been helping financial institutions with these systems throughout the English-speaking world. If you don’t want to call us, call someone else. It’s not hard to do, you just have to do it.


Mike Byrnes

It’s an uphill battle – but we’re making progress in the fight against online fraud

Tuesday, July 10th, 2012 | Mike Byrnes

While one would be foolish to say we can now rest on our laurels, I think it time to pause and celebrate some very tangible progress in the fight against online fraud. July 3, 2012 marked the end of a very interesting yearlong journey for Patco, a Maine-based construction company that became the victim of an online fraud attack that pilfered more than $500,000 from its commercial bank account.

After Patco sued Ocean Bank for poor security controls, and ultimately for responsibility for the fraud losses, the U.S. District Court for the District of Maine ruled in favor of the bank in June of last year. The court’s reasoning was essentially caveat emptor: Patco Construction had agreed to the bank’s security methods when it signed its commercial contract and was, therefore, aware of the risks at hand. While in my mind the ruling underscored the sad state of affairs in the world of online fraud (for insight check out my previous blog post), we have really come a long way in the past 12 months.

Here is a snapshot of several key developments since then:

  1. June 28, 2011
    The FFIEC released new (stronger) guidance reinforcing the risk-management framework originally put in place several years earlier. This new guidance directly addresses the security control deficiencies at Ocean Bank.
  2. July 11, 2011
    In a similar online fraud court case, the U.S. District Court for the Eastern District of Michigan ruled in favor of the plaintiff, Experi-Metal, finding that its bank, Comerica, should have had better fraud detection controls in place.
  3. August 24, 2011
    A bank of the same name, Ocean Bank of Miami (not the Maine bank in the Patco case), was caught up in a different case involving anti-money-laundering (AML) violations; it was fined more than $11 million.
  4. January 1, 2012
    The FFIEC begins to audit banks against the new guidance for online security controls.

Mike Byrnes

Layered Security USING your Mobile Device

Tuesday, June 12th, 2012 | Mike Byrnes

As a natural extension to my last post, I find it interesting that most people intuitively see the need to secure mobile devices, applications and transactions, yet they are likely unaware of the power and convenience that mobile devices offer when they serve as a security device themselves.


Increasingly, mobile devices are used for more and more tasks — the first application was voice calls, then email, calendars and texting, work use, personal use, social use; the list seems endless. Newer use-cases highlight mobile devices as a payment method to buy our coffee, and Apple will soon introduce a new application called Passbook in their iOS 6 release, which will help manage all your loyalty cards, boarding passes, event tickets, gift cards and more. Now, imagine extending the power of your mobile phone to provide secure access — a virtual key, so to speak — to the things you want to protect in both the online and physical world.

Mike Byrnes

Layered Security for Mobile Banking

Tuesday, May 8th, 2012 | Mike Byrnes

American Banker published a great article last week covering some of JPMorgan’s security strategies for mobile banking. Lloyd O’Conner explained the importance of layering multiple security technologies to protect their clients — as well as their own company — from the growing cyberthreats that not only target the online channel but are zeroing in on the mobile channel as well.

O’Conner discusses some critical layers, including:

  1. Authenticating to the device: advanced measures (including biometrics) beyond simple PIN protection
  2. Authenticating the mobile device to the banking application: leveraging device certificates and device registration
  3. Authenticating the user to the application and encrypting the communication channel.

While I agree 100 percent with JPMorgan — after all, they are demonstrating clear innovation and leadership in mobile banking here — I think there is another layer that needs to be called out as well.

While varied identity authentication layers are critical, some forms of advanced fraud attacks (e.g., man-in-the-browser) have proven to defeat a broad range of authentication approaches: the malware rides the user’s own authenticated session and alters the transaction after the user has proven who they are. Adding real-time fraud detection to flag behavioral anomalies in the transaction itself (unusual payee, amount, destination or timing) is a critical layer to help detect MITB and, fortunately, is totally transparent to the mobile user.

By deploying a layered security framework, FIs can help defeat advanced MITB malware attacks. This approach not only provides world-class fraud prevention, but also helps enhance the end-user experience.
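The kind of transaction-level anomaly check described above, as an added example that is not code from the original post or from JPMorgan or Entrust. The account history, the scoring weights and the hold threshold are all constructed for illustration (a production system would derive per-customer baselines from real history); the point is that the check looks at what the transaction does, not at who authenticated, so a MITB-altered transfer is caught even though the session is genuine.

```python
"""Behavioural anomaly scoring for online-banking transfers.

Added example; not the original post's or any vendor's code.  HISTORY,
the weights and HOLD_THRESHOLD are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Transfer:
    when: datetime
    amount: float
    payee: str
    country: str  # country of the destination account


# Constructed history: a small business paying two regular suppliers
# during office hours, always to domestic accounts.
HISTORY: List[Transfer] = [
    Transfer(datetime(2012, 6, 1, 10, 15), 1200.0, "ACME Supply", "US"),
    Transfer(datetime(2012, 6, 8, 9, 40), 980.0, "ACME Supply", "US"),
    Transfer(datetime(2012, 6, 15, 11, 5), 2500.0, "Payroll Co", "US"),
    Transfer(datetime(2012, 6, 22, 10, 50), 1100.0, "ACME Supply", "US"),
    Transfer(datetime(2012, 6, 29, 9, 30), 2600.0, "Payroll Co", "US"),
]

HOLD_THRESHOLD = 3  # assumed: score at or above this -> hold and verify out of band


def score_transfer(history: List[Transfer], cand: Transfer) -> Tuple[int, List[str]]:
    """Score a candidate transfer against the customer's own baseline.

    Returns (score, reasons).  Each rule is independent of how the user
    authenticated, which is what makes this useful against MITB: the
    session is legitimate, the transaction is not.
    """
    score, reasons = 0, []

    # 1. Amount far above this customer's usual (3 sigma over history).
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    if cand.amount > mu + 3 * sigma:
        score += 2
        reasons.append("amount more than 3 sigma above customer mean")

    # 2. Payee never paid before (mule accounts are always new payees).
    if cand.payee not in {t.payee for t in history}:
        score += 1
        reasons.append("new payee")

    # 3. Destination country never used before.
    if cand.country not in {t.country for t in history}:
        score += 2
        reasons.append("new destination country")

    # 4. Outside the hours this customer normally transacts (+/- 1 h slack).
    hours = [t.when.hour for t in history]
    if not (min(hours) - 1 <= cand.when.hour <= max(hours) + 1):
        score += 1
        reasons.append("unusual hour")

    # 5. Velocity: a burst of transfers in the last 24 h (batched ACH theft).
    recent = [t for t in history
              if 0 <= (cand.when - t.when).total_seconds() <= 86400]
    if len(recent) >= 3:
        score += 2
        reasons.append("burst of transfers within 24h")

    return score, reasons


def decide(history: List[Transfer], cand: Transfer) -> str:
    """'allow' or 'hold' (hold = step up to out-of-band confirmation)."""
    score, _ = score_transfer(history, cand)
    return "hold" if score >= HOLD_THRESHOLD else "allow"


if __name__ == "__main__":
    legit = Transfer(datetime(2012, 7, 6, 10, 20), 1150.0, "ACME Supply", "US")
    fraud = Transfer(datetime(2012, 7, 6, 3, 12), 9800.0, "Unknown Beneficiary", "RU")
    for t in (legit, fraud):
        print(decide(HISTORY, t), score_transfer(HISTORY, t))
```

A hold does not mean the transfer is rejected; it means the bank confirms it through a channel the malware does not control (a call or an SMS that repeats the payee and amount), which is exactly the out-of-band step the PATCO court faulted Ocean Bank for not offering.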

Mike Byrnes

Potential Breach Affecting VISA, MasterCard — EMV Won’t be Here Soon Enough

Friday, March 30th, 2012 | Mike Byrnes

Brian Krebs scooped a major story yesterday about a potential major credit card breach at a U.S.-based payment processor affecting both VISA and MasterCard.

The news made headlines across top media outlets for good reason: this is NOT the first major credit card breach. 2011 saw a rash of breaches including Epsilon and Sony, not to mention the “out-of-control” card-skimming fraud that is going on throughout the USA prompting FBI involvement.

Not unlike robbing banks, forging checks or conducting online fraud, criminals find the weak link in security systems and put plans in place to exploit them. Unfortunately, the industry has known for decades that magnetic stripe cards offer poor security protection, and with the shift toward using cards for online payments, it’s no wonder we’re reading about new breaches on a weekly basis.

Fortunately, technology exists that helps dramatically improve credit card security — it’s called EMV or chip-based credit cards. An EMV card holds a secret key inside the chip that never leaves it; instead of handing the terminal static account data that anyone can copy, the card computes a cryptogram for each transaction over the amount, a terminal-supplied random challenge and a transaction counter. Skimming a chip transaction therefore yields nothing that can be replayed, making card duplication virtually impossible; or at the very least, extremely difficult, impractical and uneconomical for a criminal to execute. Chip-and-PIN implementations also require a user PIN to help prevent card use when a card is physically lost or stolen. One caveat: EMV protects card-present transactions only, so card-not-present (online) fraud is not addressed by it and has tended to rise in markets that have migrated.
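To make the magstripe-versus-chip difference concrete, here is an added example that is not code from the original post and is not real EMV: the cryptogram is HMAC-SHA256 over a simplified field set, standing in for the DES/AES MAC that EMV computes over the transaction data, and the PAN, key and amounts are constructed. What it shows is that a skimmed magstripe record authorises again anywhere, whereas a captured chip exchange fails on replay (the transaction counter has moved on) and fails if the amount is altered (the MAC no longer matches), and that no valid cryptogram can be produced for a new transaction without the key that stays in the chip.

```python
"""Static magstripe credential vs. per-transaction chip cryptogram.

Added example; simplified stand-in for EMV, not the original post's code.
HMAC-SHA256 replaces EMV's MAC; field layout, PAN and keys are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

PAN = "4111111111111111"  # constructed test PAN

# --- Magstripe: the track data IS the credential ------------------------
# A skimmer that reads it has everything needed to authorise again.
MAGSTRIPE_TRACK2 = PAN + "=1512101"  # constructed track-2-style data
ISSUER_TRACK_DB = {MAGSTRIPE_TRACK2}


def magstripe_authorise(track2: str) -> bool:
    """Issuer-side check for a swipe: static compare, so a copy passes."""
    return track2 in ISSUER_TRACK_DB


# --- Chip: key never leaves the card; card MACs each transaction --------
def _mac(key: bytes, pan: str, amount: int, unpredictable: str, atc: int) -> bytes:
    data = f"{pan}|{amount}|{unpredictable}|{atc}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key   # in a real card this lives in tamper-resistant hardware
        self.atc = 0      # application transaction counter

    def generate_ac(self, amount: int, unpredictable: str) -> Tuple[int, bytes]:
        """Return (ATC, cryptogram) for this transaction; ATC increments every time."""
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, amount, unpredictable, self.atc)


class Issuer:
    def __init__(self):
        self.keys: Dict[str, bytes] = {}
        self.last_atc: Dict[str, int] = {}

    def enrol(self, pan: str) -> bytes:
        key = os.urandom(32)
        self.keys[pan], self.last_atc[pan] = key, 0
        return key

    def verify(self, pan: str, amount: int, unpredictable: str, atc: int, ac: bytes) -> bool:
        """Online authorisation: MAC must match and ATC must be fresh."""
        expected = _mac(self.keys[pan], pan, amount, unpredictable, atc)
        if not hmac.compare_digest(expected, ac):
            return False            # tampered fields or no key: reject
        if atc <= self.last_atc[pan]:
            return False            # replayed cryptogram: reject
        self.last_atc[pan] = atc
        return True


# A captured exchange, as a skimmer at the terminal would see it.
Record = Tuple[str, int, str, int, bytes]


def chip_transaction(card: ChipCard, issuer: Issuer, amount: int) -> Tuple[Record, bool]:
    """Terminal flow: fresh random challenge, card MACs it, issuer verifies."""
    unpredictable = os.urandom(4).hex()
    atc, ac = card.generate_ac(amount, unpredictable)
    record = (card.pan, amount, unpredictable, atc, ac)
    return record, issuer.verify(*record)


def replay(issuer: Issuer, record: Record) -> bool:
    """Skimmer replays the captured exchange verbatim."""
    return issuer.verify(*record)


def replay_with_new_amount(issuer: Issuer, record: Record, amount: int) -> bool:
    """Skimmer reuses the captured cryptogram but changes the amount."""
    pan, _, unpredictable, atc, ac = record
    return issuer.verify(pan, amount, unpredictable, atc, ac)


if __name__ == "__main__":
    print("skimmed magstripe replays:", magstripe_authorise(MAGSTRIPE_TRACK2))
    issuer = Issuer()
    card = ChipCard(PAN, issuer.enrol(PAN))
    rec, ok = chip_transaction(card, issuer, 1999)
    print("chip purchase:", ok, "| replay:", replay(issuer, rec),
          "| altered amount:", replay_with_new_amount(issuer, rec, 50000))
```

Real EMV adds much more (offline data authentication, session-key derivation from the ATC, issuer authentication of the response), but the property that matters for skimming is the one shown: the terminal only ever sees outputs of the key, never the key.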

Mike Byrnes

Leveraging Consumerization Concepts to Combat Security Threats

Wednesday, February 15th, 2012 | Mike Byrnes

Let me be clear right up front. Yes, cybersecurity threats are real. Yes, they are growing in volume and in sophistication. And, yes, they are the root of the problem. BUT, one of the underlying frustrations I have with the cyber-threat situation is that, in general, many organizations remain anything but creative and strategic when it comes to implementing effective security measures.

We see both extremes. At one end, we have strong security measures that create nothing but havoc and frustration for end-users. And at the other, we see companies implement incredibly weak security measures because they are so careful not to burden their customers with hindrances to the online experience. The net result is similar — users bear the wrath of the security measure and either the pain of using it, or the pain of not having it effectively protect their identities and online assets.


Mike Byrnes

Delight or Disappoint? FIs Balance Security and Customer-Experience Paradigm.

Tuesday, December 6th, 2011 | Mike Byrnes

As mentioned in my last post, with organized crime groups clearly focused on the mobile channel, financial institutions will increasingly need to roll out strong security. But, they also need to be mindful of the impact that security has on the user experience.

At a recent conference, I had the pleasure of attending a session hosted by an SVP of security at one of the largest banks in the US. He discussed the current state of cybercrime threats and security challenges, but I was encouraged to hear him also devote considerable time to the importance of the customer experience. He then made what I consider to be a profound statement that applies to virtually every company in today’s Internet age: “Delight or disappoint and they will tweet, and they will blog and the social momentum will take off.”

So how does a bank best approach delighting its customers, given the opportunities and threats associated with Internet- and mobile-based service offerings? I think it’s safe to say many banks have shied away from tackling the problem until now — mostly employing a “do little” approach to protecting their online and mobile customer base.

A recent article on Bank Information Security’s website discusses a Javelin report, “Banking Identity Safety Scorecard,” which concludes that banks still rely on “old authentication” techniques and have failed to properly vet new mobile applications and services. One of the primary reasons? Banks are sensitive to introducing anything that may add potential customer frustration. Unfortunately, what they fail to realize is that cybercrime is impacting the customer experience and corporate brand. Just take a look at the rash of major breaches this year and you’ll see why.

Mike Byrnes

FS-ISAC Helps Financial Services Fight Cybercrime

Wednesday, November 30th, 2011 | Mike Byrnes

http://www.fsisac.com/

FS-ISAC (Financial Services Information Sharing and Analysis Center) is a highly organized, well-managed, security-focused organization that fosters a growing community of financial institutions and security vendors to collaborate in fighting cybercrime. Entrust is proud to be an ongoing sponsor and the FS-ISAC Fall Summit in Washington D.C. is in full swing.

I had the privilege to participate in a mobile security panel session yesterday and it’s clear, from the spirit of the questions and the conference buzz in general, that securing the mobile channel is top-of-mind for many security professionals. This includes employees accessing corporate networks as well as customers embracing the mobile banking/commerce revolution.
