Slashdot Mirror


Real-Time Keyloggers

The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."

37 of 205 comments

  1. Real Time? by Anonymous Coward · · Score: 5, Funny

    My Windoze apps at work don't even respond in real time. Maybe the trojan provides a free performance boost?

    1. Re:Real Time? by Inner_Child · · Score: 4, Funny

      I understand, it's embarrassing to admit to watching professional wrestling...

      --
      Today is red jello day - all workers must eat all of their red jello. Failure to comply will result in five demerits.
  2. Thwarted by properly designed online banking by upside · · Score: 4, Informative

    Again, a proper banking system like my bank uses

    - a one time pad for logging on
    - another set of codes, from which one is picked randomly, to confirm transfers

    The one time pad means they can't open a second session. Even if they could hijack the session I've opened they can't transfer money without my explicitly authorizing each transfer by entering the second code.

    --
    I'm sorry if I haven't offended anyone
    1. Re:Thwarted by properly designed online banking by Jah-Wren+Ryel · · Score: 3, Interesting

      The one time pad means they can't open a second session.

      RSA secure-id keys are single-use too. They roll every minute but they also roll on every successful use.

      --
      When information is power, privacy is freedom.
    2. Re:Thwarted by properly designed online banking by Anonymous Coward · · Score: 2, Interesting

      An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.
      No need to carry a one-time pad around or a special code generator.

    3. Re:Thwarted by properly designed online banking by CrashandDie · · Score: 5, Informative

      Disclaimer: I work for one of RSA's competitors in this domain.

      The article focuses on RSA's SecurID, but one of the main drawbacks of RSA's SecurID is that it is only time based. Other companies also use event-counters, which means that you can't actually replay the attack.

      The parent is right (and I should know, I deploy these solutions), most serious banks will use OTPs (One Time Passwords) for the initial log-on, but then require Challenge-Responses to sign the transactions (website provides a challenge, which can be a completely random number, or based on a number of variables: amount, target account, etc; this challenge is provided to the token (stupidly named "gadget" in the summary), and it spits out a response.) This can be verified by the server.

      OTPs have always had this flaw, and this really isn't any news. I've heard of attacks where real-time keyloggers would interrupt the network connection (wifi, ethernet, whatever) on a software/OS level temporarily (I assume by refreshing the DHCP bumf) so as to allow the attacker to use the OTP.

      However, this can be easily thwarted.

      Any good Authentication Server will provide the option to use seeded authentication, and even though this doesn't apply to OTPs (most OTP algorithms actually include clock counter (and event counter if it is implemented, not RSA's case) related information in the OTP, hence the whole OTP is required for authentication), it does apply to Memorable Data. For example, 2nd and 8th character of your secret passcode. Or for example, even better: multiply the 4th digit of your OTP with the 6th digit of your secret passcode. (OTP still required to be input completely). Yeah sure, given sufficient time, the attacker should be able to know what your passcode is, but heck, that's going to require quite some effort.

      Wikipedia has a bit of a section about the MITM attacks vulnerabilities of OTPs (even though it is right in SecurID's article, it doesn't apply to them alone, but to the concept as a whole). The main issue, however, with RSA's implementation isn't necessarily the MITM attack, but quite simply, stealing the token. It doesn't have a PIN code, heck, it even just shows the code the whole time (last one I checked did this), and I could read the number right off my friend's keychain.

      Also, let us not forget that a one-time attack (which again, shouldn't be much of an issue if banks have a good solution that requires CRs for each transaction) on an account really isn't a big deal. It's a One-Time Password. It's only valid once. After he's visited the account, and seen the balance, that's about as far as he's going to go.

      Nothing to see here, please move along. If anything, this is just going to drive our business a bit.

    4. Re:Thwarted by properly designed online banking by CrashandDie · · Score: 3, Insightful

      A good solution (read as "implementation") would consist of a challenge that the user can verify corresponds to the transaction he wishes to do. Four first digits of the Challenge are the four last digits of the sum. Six last digits of the Challenge are the six first digits of the target bank account. Etc.

      Nobody can expect good security if the user doesn't watch out and double check what's happening. The attack you're talking of could very well be done to a poor old lady paying her bills for the month in front of her bank manager. Just slip a bill she shouldn't pay: if neither she nor the bank pays attention, the money will be stolen.

      Even though I work in this field, and I'd love to come up with a solution that fixes all the issues, I just don't believe it. There will always be monkeys reading through tons of transactions, trying to spot the one that doesn't belong, and you will always have your credit card company calling you when suddenly there's $5k flying through some casino 800 miles from your residence.

      There is no ultimate security when it comes to banking apps, especially when you give end-users, and thus end-computers (which can and will be infected/modified/hacked in all ways imaginable or not) access to your application, you can't trust it. The only thing we can try to do is mitigate the risk for the general population, and hope we can filter out the few hacks. If you don't spot it, just pay the bill. The amount of money you lose that way will always be less than trying to fund impossible research that may yield nothing at all.
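The transaction-bound challenge-response described in the two comments above, as an added example that is not part of the thread or of any vendor's product. The names (`Bank`, `build_challenge`, `token_response`, `user_accepts`), the use of truncated HMAC-SHA256 as the token function, amounts in cents and the account numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the response shown by the token (assumption)


def build_challenge(amount_cents, dest_account):
    """Layout from the comment: the 4 last digits of the amount, a random
    part, then the 6 first digits of the target account."""
    nonce = f"{secrets.randbelow(10**4):04d}"
    return f"{amount_cents % 10**4:04d}{nonce}{dest_account[:6]}"


def token_response(key, challenge):
    """Stand-in for the hardware token: keyed MAC over the challenge,
    truncated to a number a person can type."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


def user_accepts(challenge, amount_cents, dest_account):
    """The check the user makes by eye before keying the challenge
    into the token: does it describe the transfer I asked for?"""
    return (challenge[:4] == f"{amount_cents % 10**4:04d}"
            and challenge[-6:] == dest_account[:6])


class Bank:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # txn_id -> challenge awaiting a response

    def request_transfer(self, txn_id, amount_cents, dest_account):
        # The challenge is derived from the transfer the server actually
        # received, not from what the user's screen claims was sent.
        challenge = build_challenge(amount_cents, dest_account)
        self.pending[txn_id] = challenge
        return challenge

    def confirm(self, txn_id, response):
        challenge = self.pending.pop(txn_id, None)  # each challenge is single use
        if challenge is None:
            return False
        return hmac.compare_digest(token_response(self.key, challenge), response)


def demo():
    key = secrets.token_bytes(32)      # seed shared by token and bank
    bank = Bank(key)
    intended = (12500, "4412345678")   # constructed: 125.00 to this account

    # 1. Honest transfer: the challenge matches the user's intent, so they sign.
    c1 = bank.request_transfer("t1", *intended)
    honest_check = user_accepts(c1, *intended)
    r1 = token_response(key, c1)
    honest_confirm = bank.confirm("t1", r1)

    # 2. The infected PC swaps the destination before the request is sent.
    c2 = bank.request_transfer("t2", 12500, "9900112233")
    tampered_check = user_accepts(c2, *intended)  # digits no longer match

    # 3. The response captured in step 1 is submitted for the altered transfer.
    reused_confirm = bank.confirm("t2", r1)

    # 4. A confirmed transaction id cannot be confirmed a second time.
    repeat_confirm = bank.confirm("t1", r1)

    return {"honest_check": honest_check, "honest_confirm": honest_confirm,
            "tampered_check": tampered_check, "reused_confirm": reused_confirm,
            "repeat_confirm": repeat_confirm}


if __name__ == "__main__":
    print(demo())
```

The scheme only holds if the user compares the challenge digits with the transfer they intended, which is the point the second comment makes.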

    5. Re:Thwarted by properly designed online banking by bruno.fatia · · Score: 3, Funny

      My bank has so much more security that even when I want to I can't transfer anything!

    6. Re:Thwarted by properly designed online banking by Jah-Wren+Ryel · · Score: 5, Informative

      For starters, I don't think they roll on success (how would the device know, by the way?).

      The server enforces it. You can't authenticate multiple times with the same token. The server returns an "an already used" code if it was recently used. I know this because I've written software that uses RSA's secure-id toolkit.

      But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line.

      Again, see the point about return values from the server-side. The application may choose to report this information directly to the user or simply flag it for the security team to investigate further. I prefer the latter because false positives are going to be pretty rare unless the client software is broken in other ways.

      --
      When information is power, privacy is freedom.
    7. Re:Thwarted by properly designed online banking by Jah-Wren+Ryel · · Score: 3, Interesting

      An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.

      That's common in Europe too. But the result has been that hacking SMS in various ways has become of great interest to thieves. If they don't already exist, you can count on seeing Java trojans for cell phones that silently forward SMS too.

      --
      When information is power, privacy is freedom.
    8. Re:Thwarted by properly designed online banking by kafka47 · · Score: 4, Insightful

      I work for RSA and you are absolutely correct. Attempting to authenticate twice with the same tokencode will automatically yield a rejection.

      I believe the idea of this "real-time application" is that they see you typing in your passcode and zap that code into the authentication system before you do. The success of this hack is predicated on the notion that they are watching with bated anticipation, ready to spring into action the exact moment you sign into your online bank.

      The chance of this actually occurring is highly remote, to say the least. The technique of racing ahead of a potential 2-factor authentication is compelling in theory, but of little practical use. If they're going to get into your bank, it has nothing to do with "defeating" Securid (or any other one-time display mechanism).

      Suffice to say, this story is bunk.

    9. Re:Thwarted by properly designed online banking by CrashandDie · · Score: 2, Informative

      That would depend on the version of the token, I guess. There is not just one universal version. Some have keypads, others don't.

    10. Re:Thwarted by properly designed online banking by CrashandDie · · Score: 2, Insightful

      Actually, my point was that other vendors provide tokens that require a PIN to be input into the device, rather than to the server. The device can be locked if an incorrect PIN is entered, etc.

      Also, I never intended to say that Authentication Servers implementing SecurID weren't able to counter replay-attacks (this is a base functionality), I was merely stating that it didn't use event-counters to calculate the OTP. Other vendors provide this functionality, and this enhances security, as instead of having only a time-based OTP (that is, having an OTP that changes every x seconds), you can also include event-based information (an event counter is basically just a number that gets incremented every time the OTP is generated), and thus the server is able to know how many times an OTP has been generated (this also removes the issue you were talking of, a new OTP can be generated on-demand, even if the time-window hasn't changed, the OTP will be different).

      The added advantage is that one can monitor how many tries a user needs to successfully login. Also, devices can get "unsynchronised" if too many OTPs are generated (the server only calculates that many OTPs).

      Another thing is that some vendors will have the device update its key after every OTP generation (hence the reason the event counter is useful, as to know how many times the key has been updated). This is not something RSA is able to do. They keep yelling to their customers that AES is absolutely required on these devices, and in their case it is. However, other vendors get away with using much lighter encryption keys (3DES, for example), because the key is a brand new one after every single OTP, the OTP is only valid for a few minutes, whereas 3DES still requires 10 hours or so to be cracked.

  3. Re:OTP !! by shird · · Score: 4, Insightful

    That doesn't stop them from blocking your login such that they are the only ones using the password/id. They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.

    --
    I.O.U One Sig.
  4. Re:Biometrics by vux984 · · Score: 3, Informative

    RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.

    Reread what they are doing, biometric laptops won't help. They could capture the biometric data as easily as the keyboard data.

  5. Execute them? No. Catch them. by John+Hasler · · Score: 4, Insightful

    No need to execute them. No need to punish them severely at all. We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence. Given the present one in 100 million risk of being caught an 18th century hanging would offer no significant deterrence.

    This applies to crime in general as well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Time for a secured endpoint like IBM's ZTIC? by mlts · · Score: 2, Interesting

    I wonder if the next step will be a dedicated hardware device such as IBM's ZTIC, where one does their transaction confirming on a closed secure device. This way, even though the consumer's PC may be compromised, an attacker trying to run transactions would be stopped when there is no device confirming the transaction.

    Of course, there are always issues like spamming the user with bogus transactions, or compromising the hardware device. However, it is a lot harder to compromise a hardware device than a generic PC which has to parse/execute/render untrusted code from the Internet on a common basis.

    1. Re:Time for a secured endpoint like IBM's ZTIC? by mlts · · Score: 2, Insightful

      Long term, what comes to my mind for secure transactions would be placing a hypervisor at the BIOS level, and having a hardened OS dedicated for banking and other items. Then having an OS in another VM for general stuff (gaming, /., etc.)

      Of course, there are five issues with putting hypervisors in every PC out there:

      1: The hypervisor needs to be hardened. By default, these have a smaller attack surface than an OS, but there are ways to get around its protection. If malware in an untrusted partition is able to flash the machine's BIOS, modify the location where the hypervisor is stored, or edit the NVRAM where the hypervisor settings are stored, game over.

      2: Training people to use the protected OS partition as opposed to just pulling up whatever Web browser they are using for browsing their pr0n with all the dubious software "codecs" installed. Once you get the functionality to be able to have a secure partition, getting users to always switch to it before doing sensitive work will be hard. A lot of users balk at any security getting in their way even if it means devastation later on down the road.

      3: Concerns about it being Palladium NGSCB v2, loss of owner control over a PC, and DRM stacks enforced by hardware. One can point to the PS3 to show how tough it is to crack a well engineered piece of hardware.

      4: The secure OS will need to be hardened from the ground up with few bells and whistles that can be exploited. The kernel would likely need some type of MAC (mandatory access control) similar to SELinux/TrustedBSD, except that every app that runs would require a profile. This OS may not be as user friendly as some may like because it isn't intended to be a full OS for day to day work, but one that accomplishes basic tasks (Web browsing, E-mail, remote desktop sessions, ssh client, bare bones Open Office functionality) in a secure environment. Things like Flash and other add-ons that can't be vetted line by line in source would have to be left out, making the user experience nowhere as good as a regular operating system.

      5: The embedded OS for this has to load fast and have a small RAM footprint. I'm not meaning 15-30 seconds that a normal OS takes to get to operation, but as fast as alt-tabbing to another app and typing in details. If a secure OS takes too long to load, users won't bother using it and take the gamble that their general purpose OS doesn't have malware present.

  7. Re:Biometrics by John+Hasler · · Score: 5, Funny

    Anything to avoid a secure OS eh?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. Re:OTP !! by Jah-Wren+Ryel · · Score: 4, Insightful

    They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.

    If they are smart they can even provide a fake error page once they've acquired the credentials that tells the user that the site is "experiencing technical difficulties" and that they should please try again in 15 minutes. 99.99% of users won't think a thing of it.

    --
    When information is power, privacy is freedom.
  9. Re:Well I agree but by Eudial · · Score: 3, Insightful

    It's hard to motivate to your voters why you need to spend huge amounts of tax money chasing down cyber criminals that mostly operate abroad, thus not affecting your country in the slightest, when that money could go to catching criminals that do, or to education, health care, whatever.

    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  10. Re:Execute them? No. Catch them. by schon · · Score: 3, Insightful

    We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence.

    Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.

    The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.

  11. The problem is service provider sloppiness by Animats · · Score: 5, Interesting

    Bank of America used to have a good system for authenticating their site. At login, you input your ID, and the B of A site gave you back a photo of your own choosing to tell you that you were on the real Bank of America site. Only then did you input your password.

    Last Friday, B of A broke this feature. I'm now getting a password prompt without seeing the photo I'd chosen. My first thought was that there was a security problem. I checked the SSL cert info, which looked OK. I reinstalled Firefox. No change. I called Bank of America. They wanted me to remove Flash, which I did. No change. They advised me not to log in. Then they passed me off to tech support, which hasn't called back yet.

    Then I took out a Linux-based Eee PC 2G Surf that had been unused for months, powered it up, plugged in an Ethernet cable, and saw the site doing exactly the same thing. So it's probably not a client side problem.

    What I think happened is that someone at B of A did a partial site redesign and broke something. They introduced some Flash (something called "/sas/sas-docs/html/pmfso.swf") on the password page (a terrible idea, given Flash's history of security vulnerabilities) and along with that, broke some part of the login process.

    If, in fact, they've had a break in on the server side, the main login of Bank of America has been compromised for at least three days now. I'm not seeing any indication of that, though; just general ineptitude.

    (The page HTML is awful. It's clearly been modified over and over for years without a cleanup. It has Flash, Javascript, CSS, single-pixel GIFs for formatting, and comments like "July maintenance OLB timeout inactivity update starts". The "enter password" page has 966 lines of HTML and JavaScript, not including external files. That's too much flaky machinery for such a security-critical function.)

    1. Re:The problem is service provider sloppiness by Igmuth · · Score: 2, Insightful

      How does this provide any security? All the fake site needs to do is get the picture from the BoA site. (Heck, a well written script could cause your machine to do it for them.) Once that happens you are no better off than you were before, and likely worse (since you are training people to assume that "picture means legit", instead of other more secure methods).

  12. Exactly right. by brunes69 · · Score: 2, Insightful

    How many of these stories do we have to see before people wake up and realize that the login and security method is irrelevant if the OS itself is compromised?

  13. You know you're being real-time keylogged when... by philibob · · Score: 2, Insightful

    ...Your router's activity light blinks every time you press a key on the keyboard.

    I assume it's trivial to detect this type of keylogging.

  14. Re:Biometrics by Anonymous Coward · · Score: 3, Informative

    First of all, RSA SecurID has nothing to do with the algorithm RSA (besides being created by the same people).

    Second, biometrics won't help at all since they can simply transmit the biometric data back and have *permanent* access to whatever system uses it.

    Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already used. If he keeps trying to do this, they will probably detect the attack and remove the trojan (not to mention that a single event where the same password is used twice from two different locations is already suspicious enough). If he somehow manages to get the password and log in with it before the victim does (even though at this point the victim has already entered his password), the victim will not be able to log in and quickly detect the problem.

  15. No single "criminal mind" by davidwr · · Score: 3, Insightful

    Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.

    There is no single "criminal mind."

    True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.

    Some, those who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.

    Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or society, the thrill or other benefits of a drug high, or simply for financial gain.

    I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade. For them, it's simply a matter of cost-vs-benefit. In some parts of the world or for people with certain political connections, the cost-benefit equation for fraud favors the criminal.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:No single "criminal mind" by SL+Baur · · Score: 2, Insightful

      How else can you explain an engineering report that lists 120mph as the designed maximum limit for an interstate, and an 85mph recommended limit for travel, but somehow gets signed at 65? The only reason I can conclude why politicians ignore engineers' recommendations is because the politicians view the twenty mph gap as an opportunity - to increase tax revenue.

      Something like that. For those of you young'uns who don't remember Dick, his administration flooded TV with advertisements that said "55 saves lives", then violated the 10th amendment to force states to comply with it.

      Lowered speed limits had *nothing* to do with fuel efficiency. And for those of you who think that is the case ... get off my lawn!

  16. Banks do not widely use 2-factor authentication by mysidia · · Score: 2, Informative

    They use wish-it-was two-factor

    Two-factor authentication is when authentication requires two different factors of authentication. Some possible factors of authentication are something you know (PIN numbers, passwords, usernames, secret answers to questions arranged in advance), something you have (smart card, key fob, pass-card, a special piece of hardware, a SSL certificate loaded on a device that you can't read), something you are (biometric identification, facial, voice, fingerprint recognition, hardware that reads your GPS position to verify you are at home, a phone number that checks your ANI caller ID information).

    Most banks only require something you know. The security question/answer dialogs that are commonly used are equivalent to a second password, granted: a second password that is likely to be a lot less secure.

    Issues like the 'temporary passwords' on your key fobs being discovered when you use them can be defeated, by only allowing the password to be used once. If an attempt to use the temporary password is used again, or an attempt is made to use any incorrect temporary password, then all active sessions should be logged out.

    In addition both sessions should be warned about the attempt, and that their computer station may be compromised, they should update their antivirus and antispyware scanners, disconnect from the internet, and perform a full scan.
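The single-use rule that several comments in this thread describe, combined with the "log out every active session on a reused or wrong code" policy from the comment above, as an added example that is not part of the thread. It uses the public RFC 6238 TOTP construction with a 60-second step in place of SecurID's own algorithm; `OtpServer`, the status strings, the seed and the documentation-range IP addresses are assumptions, and clock-drift windows are left out.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, matching "changes every minute"
DIGITS = 6


def totp(key, t, step=STEP, digits=DIGITS):
    """RFC 6238 time-based OTP (HMAC-SHA1, RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class OtpServer:
    def __init__(self, seeds):
        self.seeds = seeds      # user -> token seed
        self.last_step = {}     # user -> last time step that was accepted
        self.sessions = {}      # user -> set of sources with a live session
        self.alerts = []        # records for the security team

    def login(self, user, code, now, source):
        step = int(now) // STEP
        if not hmac.compare_digest(totp(self.seeds[user], now), code):
            return self._reject(user, source, "invalid")
        # A correct code is accepted once per time step, whoever sends it.
        if self.last_step.get(user, -1) >= step:
            return self._reject(user, source, "already_used")
        self.last_step[user] = step
        self.sessions.setdefault(user, set()).add(source)
        return "ok"

    def _reject(self, user, source, reason):
        # Policy from the comment: any reuse or wrong code ends every live
        # session for that user and is recorded for follow-up.
        killed = sorted(self.sessions.pop(user, set()))
        self.alerts.append({"user": user, "source": source,
                            "reason": reason, "sessions_killed": killed})
        return reason


def demo():
    seed = b"constructed-demo-seed"                  # constructed sample seed
    user_ip, other_ip = "198.51.100.7", "203.0.113.9"
    now = 1_000_000
    code = totp(seed, now)

    # Case 1: the user's login arrives first, the captured code is replayed.
    a = OtpServer({"alice": seed})
    first = a.login("alice", code, now, user_ip)
    replay = a.login("alice", code, now + 10, other_ip)

    # Case 2: the captured code wins the race, the user's own login comes second.
    b = OtpServer({"alice": seed})
    race_first = b.login("alice", code, now, other_ip)
    race_second = b.login("alice", code, now + 5, user_ip)

    return {"first": first, "replay": replay, "alerts_case1": a.alerts,
            "race_first": race_first, "race_second": race_second,
            "alerts_case2": b.alerts,
            "live_after_race": sorted(b.sessions.get("alice", set()))}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the race case the second submission of the same code is what exposes the first one: the server ends the session that was opened with it and has both source addresses in the alert.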

  17. Learn some history by davidwr · · Score: 3, Insightful

    The speed limit was set to 55mph in the mid-70s to conserve oil.

    Even with today's fuel-efficient cars, going 65 saves money over going 85.

    This is for at least two reasons:
    * atmospheric drag
    * engine efficiency

    The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.

    The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency somewhere in mid-RPM range, corresponding to somewhere in the 50-70mph range in top gear. Any faster than that and you'll lose efficiency.

    As long as people are focused on pollution, don't expect wholesale speed-limit reductions, especially in urban areas.

    Oh, there is also the safety factor: Even on a road designed for 85mph travel, that's with a given level of traffic and with a given driver behavior pattern. If the traffic is lighter and the drivers behave "better" the ideal speed may be higher, if the traffic is heavier or you have someone weaving in and out of traffic, or even adverse weather or night driving, the ideal speed may be lower.

    Speed limits need to be set on a case by case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds, the accident and near-accident history of the road, pollution levels in the region and downwind, and other factors. The national maximum of 80-ish mph may be too low, but there are very few places near cities where anything higher than even 70mph makes sense.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  18. !First Time !New by Eightbitgnosis · · Score: 2, Insightful

    Yes this "new" ability! Oh wait, Sub7 has had a real time keylogger on it for almost 10 years. Oh no, that doesn't sound very new at all.

  19. Let me guess... by gillbates · · Score: 2, Interesting

    "Made possible by Microsoft(TM)"

    Right?

    TFA says nothing about the OS involved, which usually means a Microsoft Windows PC. I suppose the NYT is able to sell more advertising if they keep it ambiguous.

    Now, to be fair, Linux recently patched a root-privilege bug that went unnoticed for EIGHT years. But, to be just as fair, there are several orders of magnitude more compromises available courtesy Redmond, and due largely in part (as Dijkstra quipped...) to their poor reinvention of UNIX.

    I have family that use Windows. What am I supposed to do? This is getting ridiculous. Sure, they get the OS they deserve. Sure, my employer gets the security compromises they deserve. But some part of the blame has to be shared by the company which made all of this possible.

    Programmers have always written buggy software. But it took Microsoft to create security flaws *by design* - that is, to deliberately architect software in an insecure and unreliable manner. It took Microsoft to disregard the lessons learned in UNIX, (as Dijkstra would say) "To reinvent it poorly."

    I know, I know, ./ers will say, "Don't use Windows". Okay, I don't. But you have to understand that not everyone is a geek. The folks at corporate *BUY* Windows licenses because they don't know any better. My relatives use it because it came with their computer, or, their department at the university uses word, or they want to play games, or they want something familiar.

    What about them?

    Is it really acceptable for us to ignore the needs of the average user? Is it really acceptable to blame the victims?

    Or, should we hold Microsoft accountable to the same standards adhered to by everyone else in the industry?

    --
    The society for a thought-free internet welcomes you.
  20. SecurID - Incorrect by endus · · Score: 3, Interesting

    When you authenticate successfully with a passcode the passcode is immediately invalidated and cannot be used again. You cannot complete a login then use the same passcode again. At my old company we had to request special 30-second fobs for this reason. People would connect to a machine using their passcode and then need to su to root, but had to wait for the code on the token to change before they could authenticate again. If an attacker captures your passcode after you use it to successfully log in it's not going to do them any good at all. I feel like I'm missing something because none of the comments that I read above mention this fact. Pretty basic stuff to anyone who has administrated the system before.

    1. Re:SecurID - Incorrect by Qzukk · · Score: 2, Insightful

      If an attacker captures your passcode after you use it to successfully log in

      That's the point of it being in real-time. The person on the other end of the keylogger has already logged in by the time your mom has gotten her hand back on the mouse, wiggled it around to find where the pointer is on the screen, moved the pointer to the login button and clicked on it. No, not that mouse button, the other mouse button.

      She gets the usual useless error message and decides she must have mistyped something.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  21. Ribbed by bobbuck · · Score: 3, Funny

    I couldn't find any ribbed for "his" pleasure so I had to turn them inside out and tell her I bought the plain ones.

  22. Read Nixon's own words by davidwr · · Score: 3, Informative

    Richard Nixon, Statement on Signing the Emergency Highway Energy Conservation Act, January 2, 1974:
    "I AM pleased to sign into law H.R. 11372, an act aimed principally at helping to reduce gasoline and diesel fuel consumption during the energy crisis."

    I'm not saying you are wrong about the ads, I am saying the official reason for the change was to save energy. I am also saying that if some Wikipedia article is claiming otherwise, it needs to be reconciled with the two articles I mentioned above. Happy editing.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.