Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Luuuk Stole Half-Million Euros in One Week
Threaded  |  Newest First  |  Oldest First
securityaffairs
securityaffairs,
 User Rank: Ninja
6/25/2014 | 6:40:55 PM
it's just the beginning
The bad actors behind the campaign have temporary changed tactic and infrastructure, the fact that they attacked a single bank could indicate that they were testing their product to use it in further and more sophisticated campaigns against the banking industry in the next months.

Banks are advised!
RetiredUser
RetiredUser,
 User Rank: Ninja
6/26/2014 | 1:46:47 AM
Failure to Connect the Dots
This is an excellent example of why online banking workflows are terribly flawed.  This isn't high-tech hacking here, and the exploit is taking advantage of poor security and disconnected processes between the bank's online interface and the ATM functions. 

On the security end, Ganesan and Vivekanandan in their article "A Secured Hybrid Architecture Model for Internet Banking" note that for securely and privately transmitting the data over the Internet, "most protocols use both public key and secret key cryptography. To implement public key cryptography, the RSA algorithm is used with the key size of 1024-bits. But a hybrid architecture model is implemented with the hyperelliptic curve cryptosystem and it performs the encryption and decryption processes in an efficient way merely with an 80-bit key size. The main objective of this model is to consider and include the hyperelliptic curve cryptosystem and MD5 in the internet banking environment to enrich the privacy and integrity of the sensitive data transmitted between the clients and the application server."  A few years old, this idea is still worth looking at and not currently implemented by any bank in the US that I'm aware.

But more importantly, by not having bank transaction analysis in place that takes into account the human element, online banking fails by not putting 2 and 2 together when specific types of online banking activity is followed by ATM activity in the same accounts.  For crying out loud, my bank freezes my account every time I'm trying to take care of my Christmas shopping, yet will let me execute any number of online purchases or money transfers without blinking an eye.  The processes associated with every type of monetary transaction need to be defined, documented in algorithms, joined intelligently with flexibility for variations during holidays, or family milestones (document the user's childrens' ages, for instance, or marriage date to anticipate anniversary purchases, and so on) – anything to make online banking and associated processes not just secure from a technology standpoint, but from a human standpoint.

Encryption, passwords and network security are only part of the puzzle.  Processes, their interfaces and lifecycles need to be acknowledged as well.
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/26/2014 | 8:59:57 AM
Re: Failure to Connect the Dots
I am also a proponent of the hyperelliptic curve cryptography (HECC) system.  I think it is a matter of time before we see HECC making a much larger push into the market.  For example, OpenSSL and OpenSSH have built HECC into their products starting with versions 0.9.8 and 5.7 respectively.  The main advantages of HECC over RSA is threefold, increased security with shorter key length, lower CPU usage, and lower memory utilization. 

However the main benefit of RSA is that it is already entrenched.  RSA was first released in 1978 and HECC was released in 1985.  Additionally, developers feel that RSA is easier to understand than HECC which ultimately is a fallacious argument since all of the finer details of the algorithm are contained in a class that a developer calls, just like RSA.

In my opinion, the best valid argument you can make for RSA and against HECC is that RSA relies on the robustness of factorization which has been tested for over 2500 years whereas HECC is based on only 25 years of research.

I have a feeling that HECC will eventually make inroads but it will take time to unseat the champ.

Also, in this incident with a Man in the browser attack, I don't think it matters what encryption algorithm the bank uses because the attackers had the keys to the kingdom.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/26/2014 | 12:07:21 PM
Re: Failure to Connect the Dots
@Robert McDougal

Yeah, you're right on the last point, Robert - I took a moment to "soap box" :-)  But to that point, I think incorporating human factors to the security intelligence in the software for both users and staff would aid in keeping the keys to the kingdom inaccessible.

On a side note, there is a great paper (now stale) on HECC in Java over at Google Code: http://code.google.com/p/heccinjava/
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/26/2014 | 1:23:43 PM
Re: Failure to Connect the Dots
@Christian Bryant

Thanks so much for the link! 

You are exactly correct on broadening security intelligence to include the human factors.  I too find it hard to believe that actions only one step removed from what is considered a "high-risk" transaction is allowed to take place without batting an eye.  We as security professionals need to be able to see the whole picture and that means being able to judge the risk of a string of transactions rather than on an individual basis.
LindzKay
LindzKay,
 User Rank: Apprentice
6/27/2014 | 3:56:54 PM
Re: Failure to Connect the Dots
I followed the flow of a medical record through our "encrypted" software only to find that some employees were pulling the documents into their downloads folder when they should have been previewing them within their browser.

So much for dots. And a massive fee for ShareFile "encryption."
RyanSepe
RyanSepe,
 User Rank: Ninja
6/29/2014 | 9:23:58 PM
Triple Authentication
With the financial industry being a large target for malicious attacks, do we think there are any motions to incorporate another complimentary method of authentication?

Maybe biometrics or device temp passwords. With a low FAR and FRR, biometrics in the form of a fingerprint could help enhance yet expediently allow the user access to there accounts. This might help attacks that end with extraction from an ATM. For online transactions or transitions, register your device. Once registered everytime you go to transfer a temporary password is sent to that device in which you have to input before the money could be successfully transferred. I know in incorporating these, finance will be a factor but the ROI might be justified against the amount stolen. It will provide another layer of authentication and, in my opinion, is easy for the end user to incorporate into their process. I would think we will see this on the horizon soon.
Bprince
Bprince,
 User Rank: Ninja
6/30/2014 | 12:16:36 AM
Flags
I have a question - how come the sudden transfer of €39,000 didn't trigger something? I mean, that is not a small amount of money. If that doesn't happen with an in person transaction, should the bank maybe send a SMS?

BP


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file