Slashdot Mirror


Sykipot Trojan Variant Stealing DoD Smartcard Credentials

Trailrunner7 writes "A new research report says variants of the Sykipot Trojan have been found that can steal Dept. of Defense smartcard credentials. The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against the defense industry. The new variants, which Alien Vault believes have been circulating since March, 2011, have been used in 'dozens of attacks' and contain features that would allow remote attackers to steal smart card credentials and access sensitive information."

12 of 44 comments

  1. Ouch! by jd · · Score: 4, Interesting

    Those cards are heavily used. It's not like this would only impact e-mail, the cards are pretty much used for everything.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Ouch! by HBI · · Score: 3, Informative

      They are frequently reissued and new certs generated. This causes its own issues, though. The reissued cards cost money and time, and they cause an issue when trying to decrypt old mail, for instance. Specifically, you can't.

      The whole PKI infrastructure thing has not been a glowing success in its largest known implementation.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:Ouch! by imamac · · Score: 2

      I believe you're referring to my post. I didn't say it would be "totally OK". I said it's better than basic login/password security. I have seen L/P security breached thousands of times. This is the first I have heard of a security issue with DoD CACs.

    3. Re:Ouch! by jank1887 · · Score: 3, Informative

      Smart cards are not used without passwords. There's still a 'something you know' aspect to go along with something you have. It's just not the traditional login/password.

  2. That's what they want you to think by dak664 · · Score: 4, Funny

    There is a trojan within the trojan to guide the black helicopters to your home. In fact I risk the BSOD just posting this.

  3. vulnerability in the Adobe Reader by Anonymous Coward · · Score: 2, Informative

    Per the Article:

    >> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

    1. Re:vulnerability in the Adobe Reader by Anonymous Coward · · Score: 2, Insightful

      Per the Article:

      >> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

      Is it just me, or has a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

  4. Authentication 101 by cffrost · · Score: 2

    Authentication 101: Something you have and something you know. I've only read the summary, but if these copied credentials ("something you had") can be used to access sensitive resources remotely, then it would seem that "something you know" is something DoD didn't know.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
    1. Re:Authentication 101 by Jumperalex · · Score: 4, Informative

      If the Trojan can pull PKI credentials it can keylog PINs.

      --
      If you can't be good, be good at it!
    2. Re:Authentication 101 by gruntled · · Score: 2

      The exploit isn't pulling PKI credentials; the exploit is only effective if the card is in the card reader, according to one of the articles. At which point it can play back the PIN; *that's* the exploit.

      An exploit that can misappropriate identity within your hard-token-based authentication system, but only so long as the token is plugged into the system, isn't much of an exploit, since the only reasonable protection offered by hard tokens is...you can't authenticate if the token ain't there. Show me an exploit that allows authentication *without* the token and you'll get my attention.

    3. Re:Authentication 101 by Jumperalex · · Score: 2

      Perhaps, but not in the DoD. DoD locks the machine as soon as you remove the card.

      --
      If you can't be good, be good at it!
  5. Well, only sort of... by Thad+Zurich · · Score: 5, Insightful

    The trojan steals "use" of the inserted card, and probably the PIN. The private key remains safely in the card, and the trojan can't use it once the card is removed. The defenses are (1) don't use the smart card on an untrusted computer, or (2) if there is no other choice, use the smart card only long enough to accomplish a specific task. The smart card PIN can be changed by the user, so it may not even be necessary to revoke the credential after an exposure. However, the trojan also gains temporary use of the card holder's digital signature -- meaning that authentic digitally-signed spear phishing emails could be sent under the card-holder's email account. If the card is inserted but the PIN is never entered, then a trojan might maliciously enter several random PINs and block the card as a DoS attack...
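The two posts above turn on the same point: the trojan only has the card while it is inserted and the session is unlocked, which is why the "lock the machine as soon as you remove the card" behaviour matters. The audit script below is an added example (not from the Slashdot thread or the Alien Vault report) that checks whether a Windows host actually enforces that behaviour; it assumes the documented Winlogon registry value ScRemoveOption and the Smart Card Removal Policy service SCPolicySvc.

```powershell
# Added example: audit the Windows smart card removal policy on this host.
# Assumes the standard Winlogon value ScRemoveOption ("0" no action, "1" lock
# workstation, "2" force logoff, "3" disconnect RDP session) and that the
# option is only enforced while the SCPolicySvc service is running.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyNames = @{
    '0' = 'No action (card can be pulled while the session stays unlocked)'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect if a Remote Desktop session'
}

# Read the configured option; a missing value behaves like "0" (no action).
$option = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
if ([string]::IsNullOrEmpty($option)) { $option = '0' }

# The registry setting does nothing unless the removal policy service runs.
$svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { [string]$svc.Status } else { 'Not installed' }
$enforced  = ($option -ne '0') -and ($svcStatus -eq 'Running')

$finding = [pscustomobject]@{
    ScRemoveOption = $option
    Meaning        = $policyNames[$option]
    ServiceStatus  = $svcStatus
    Enforced       = $enforced
}
$finding | Format-List

if (-not $enforced) {
    Write-Warning 'Smart card removal does not lock this session; an inserted card stays usable by any process running as the logged-on user.'
    Write-Output 'Remediation (requires elevation): set ScRemoveOption to "1" and start SCPolicySvc:'
    Write-Output "  Set-ItemProperty -Path '$winlogon' -Name ScRemoveOption -Value '1'"
    Write-Output '  Set-Service -Name SCPolicySvc -StartupType Automatic; Start-Service SCPolicySvc'
}
```

Locking on removal narrows the window to the time the card is inserted and the user is present; it does not prevent a process running in the unlocked session from using the card, which is the residual risk the thread describes.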