
Sykipot Trojan Variant Stealing DoD Smartcard Credentials

Soulskill posted more than 2 years ago | from the tax-money-well-spent dept.

Security 44

Trailrunner7 writes "A new research report says variants of the Sykipot Trojan have been found that can steal Dept. of Defense smartcard credentials. The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against the defense industry. The new variants, which Alien Vault believes have been circulating since March, 2011, have been used in 'dozens of attacks' and contain features that would allow remote attackers to steal smart card credentials and access sensitive information."

44 comments

Ouch! (4, Interesting)

jd (1658) | more than 2 years ago | (#38692260)

Those cards are heavily used. It's not like this would only impact e-mail, the cards are pretty much used for everything.

Re:Ouch! (3, Informative)

HBI (604924) | more than 2 years ago | (#38692298)

They are frequently reissued and new certs generated. This causes its own issues, though. The reissued cards cost money and time, and they cause an issue when trying to decrypt old mail, for instance. Specifically, you can't.

The whole PKI infrastructure thing has not been a glowing success in its largest known implementation.

Re:Ouch! (1)

binary_state (1226700) | more than 2 years ago | (#38695386)

Incorrect, the old certs are recoverable pretty easily: you visit a website, present your CAC, and have access to all your old certs.

Re:Ouch! (0)

Anonymous Coward | more than 2 years ago | (#38698342)

Frequently? My CAC does not expire until the end of 2013.

Re:Ouch! (1)

HBI (604924) | more than 2 years ago | (#38699932)

Contractor CACs (the vast majority) expire with the contract year, usually. The interpretation of the rules by local staff is the arbiter of how it is done. Basically, they shouldn't be issuing the CAC for option years that have not been paid for.

Re:Ouch! (0)

Anonymous Coward | more than 2 years ago | (#38692632)

The funniest thing is back in the article about Google saying we don't need passwords anymore, somebody commented on how government agencies use smartcards only with no passwords for non-top-secret stuff, and how that would be totally OK and secure.

Yeah, very secure. ^^

(Everything beyond true 3-factor authentication plus SELinux-like rule-based fine-grained security should be illegal inside the government or any company that cares about anything.)

Re:Ouch! (2)

imamac (1083405) | more than 2 years ago | (#38692680)

I believe you're referring to my post. I didn't say it would be "totally OK". I said it's better than basic login/password security. I have seen L/P security breached thousands of times. This is the first I have heard of a security issue with DoD CACs.

The vulnerability has been known for years. (0)

Anonymous Coward | more than 2 years ago | (#38696548)

And was reported during the prototyping phase.

The CAC is no better than a simple password (the PIN). Once that has been taken, the CAC can be used for anything as long as it is plugged in.

Re:The vulnerability has been known for years. (0)

Anonymous Coward | more than 2 years ago | (#38696602)

Yes, but unlike a password without physical token, the physical token walks out of the computer every evening, at lunch, generally when the armchair warriors leave their computers. It's still a huge improvement.

Re:Ouch! (3, Informative)

jank1887 (815982) | more than 2 years ago | (#38694172)

smart cards are not used without passwords. there's still a 'something you know' aspect to go along with something you have. it's just not the traditional login/password.

That's what they want you to think (4, Funny)

dak664 (1992350) | more than 2 years ago | (#38692284)

There is a trojan within the trojan to guide the black helicopters to your home. In fact I risk the BSOD just posting this.

Re:That's what they want you to think (0)

Anonymous Coward | more than 2 years ago | (#38694714)

All the black helicopters are too busy to go after small fry like you. They're busy killing nuclear physicists in another part of the world.

Obligatory XKCD (-1)

Anonymous Coward | more than 2 years ago | (#38692290)

MUHAHAH !! NOW I CAN GO WHERE THE JANITORS CAN !! (-1)

Anonymous Coward | more than 2 years ago | (#38692344)

Seems like a lot of trouble since it is already fixed. Get a job as a janitor/sleeper cell kard-karrying-kommie and all the world is yours and no one notices (and even avoids you) !!

If Janitor in a Drum made a douche, would anyone buy it ??

Interesting attack (0)

Anonymous Coward | more than 2 years ago | (#38692420)

This is an attack vector that I have worried about with smartcards. The trojan captures the PIN for the card and then uses the card to perform various protected operations.

Technically the secret keys and such are not compromised but as long as the card is inserted then the trojan can use it to do stuff.

I have long argued that smartcards need a built-in pin-pad right on the card itself. Although it wouldn't stop every attack it would prevent man-in-the-middle attacks used to capture the PIN.

Re:Interesting attack (0)

Anonymous Coward | more than 2 years ago | (#38693534)

Wouldn't really help. You could even substitute the keypad for confirm/deny buttons, and it still wouldn't help - think about batch operations (e.g. batch signing of documents) where the card is used multiple times.

Re:Interesting attack (0)

Anonymous Coward | more than 2 years ago | (#38693640)

Like I said, it wouldn't stop every attack but it would prevent man-in-the-middle captures of the PIN.

You can authenticate applications to the card in such a way that it would be difficult or impossible to hijack an active session without administrator access (eg. authentication at the PC/SC daemon level). Currently this is not implemented very well though (not at all in some cases).

vulnerability in the Adobe Reader (2, Informative)

Anonymous Coward | more than 2 years ago | (#38692428)

Per the Article:

>> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

Re:vulnerability in the Adobe Reader (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38692566)

Per the Article:

>> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

Re:vulnerability in the Adobe Reader (-1)

Anonymous Coward | more than 2 years ago | (#38692760)

Per the Article:

>> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

reminds me of your moms vag. A gigantic bloated mess that was far better 10 years ago.

Re:vulnerability in the Adobe Reader (0, Funny)

Anonymous Coward | more than 2 years ago | (#38692834)

Per the Article:

>> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

reminds me of your moms vag. A gigantic bloated mess that was far better 10 years ago.

I can assure you, your mom's is still looking as good today as it was 10 years ago!

Adobe Reader - bloatware (1)

Firethorn (177587) | more than 2 years ago | (#38693734)

It's not just you. I've noticed it as well. Fillable PDFs are of the good, but why do I need 'adobe echosign' when my work already issues digital certificates, a 'convert to PDF' when it's already a PDF, etc..?

Re:vulnerability in the Adobe Reader (1)

Walter White (1573805) | more than 2 years ago | (#38694342)

Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

I disagree. It was a bloated POS ten years ago. I had a great dislike for PDF documents not because there was anything inherently wrong with the format but rather because the Adobe reader was so clunky and slow.

I will grant that it has probably gotten worse in ten years.

Not so new (0)

Anonymous Coward | more than 2 years ago | (#38692522)

There may be a new variant, but this approach and using ActivClient have been around. Some may suggest this is the reason some government agencies have ensured Windows won't need 3rd party applications and can perform this function natively.

FRIDAY THE THIRTEENTH IS TODAY !! (0)

Anonymous Coward | more than 2 years ago | (#38692540)

Except in China where there is no 13th of any month. Bet you didn't know that !!

Authentication 101 (2)

cffrost (885375) | more than 2 years ago | (#38692844)

Authentication 101: Something you have and something you know. I've only read the summary, but if these copied credentials ("something you had") can be used to access sensitive resources remotely, then it would seem that "something you know" is something DoD didn't know.

Re:Authentication 101 (4, Informative)

Jumperalex (185007) | more than 2 years ago | (#38692982)

If the Trojan can pull PKI credentials, it can keylog PINs.

Re:Authentication 101 (1)

timeOday (582209) | more than 2 years ago | (#38693094)

Maybe I'm confused about what's happening here. If you're using something like a SecureID card, it shouldn't matter that much if somebody gets your PIN, unless they also get your card (and you don't notice and get it deactivated).

Re:Authentication 101 (1)

gruntled (107194) | more than 2 years ago | (#38696764)

I concur. The concept they're selling is that if you're logged into your system with your card and use your pin, they can then use those credentials to gain access to sensitive databases only you are supposed to have access to. I would argue that if your system is so porous that folks are hanging out waiting for you to log in to the network, you're already done.

Re:Authentication 101 (2)

gruntled (107194) | more than 2 years ago | (#38695144)

The exploit isn't pulling PKI credentials; the exploit is only effective if the card is in the card reader, according to one of the articles. At which point it can play back the PIN; *that's* the exploit.

An exploit that can misappropriate identity within your hard-token based authentication system but only so long as the token is plugged into the system isn't much of an exploit since the only reasonable protection offered by hard tokens is...you can't authenticate if the token ain't there. Show me an exploit that allows authentication *without* the token and you'll get my attention.

Re:Authentication 101 (1)

Jumperalex (185007) | more than 2 years ago | (#38697822)

Well then, I can tell you that the card is always in the reader while the machine is logged in and unlocked. Pull the card and the machine immediately locks. Perhaps that needs to change?

Or is that mitigated by the fact that when a website or other resource (Outlook message signing) requires reauthorization, they force a reread of the card and ask for your PIN? Policy-wise, for email that ensures non-repudiation, and for online resources I know it enforces authentication in case someone fails to lock their computer when they walk away. But does that also help prevent token discovery?

Re:Authentication 101 (0)

gruntled (107194) | more than 2 years ago | (#38699064)

You'll find a great many agencies do not require the card to be in the reader at all times while the machine is logged in (this is more of a practical issue than anything else; if people are forced to leave their cards in the readers all the time, they tend to forget about them when running out of the building during a fire alarm). Many agencies basically require the card to be in the reader for initial login, then it can be removed and there's your standard timeout feature after X minutes of inactivity you have to reinsert and reactivate. To sum up: I'm not gonna lose a lot of sleep over this.

Re:Authentication 101 (2)

Jumperalex (185007) | more than 2 years ago | (#38710092)

perhaps, but not in the DoD. DoD locks the machine as soon as you remove the card.

Smartcards suck (1)

WaffleMonster (969671) | more than 2 years ago | (#38693420)

Does it really matter the smart card was attacked? If the machine is compromised to begin with anything you or your computer does with your credentials is compromised anyway.

According to TFA, the attacker still can only do anything while the card is in the compromised computer's reader. What has failed?

Well, only sort of... (5, Insightful)

Thad Zurich (1376269) | more than 2 years ago | (#38693446)

The trojan steals "use" of the inserted card, and probably the PIN. The private key remains safely in the card, and the trojan can't use it once the card is removed. The defenses are (1) don't use a smart card on an untrusted computer, or (2) if there is no other choice, use the smart card only long enough to accomplish a specific task. The smart card PIN can be changed by the user, so it may not even be necessary to revoke the credential after an exposure. However, the trojan also gains temporary use of the card holder's digital signature -- meaning that authentic digitally-signed spear phishing emails could be sent under the card-holder's email account. If the card is inserted but the PIN is never entered, then a trojan might maliciously enter several random PINs and block the card as a DoS attack...

Re:Well, only sort of... (0)

Anonymous Coward | more than 2 years ago | (#38696100)

The private key remains safely in the card, and the trojan can't use it once the card is removed.

Call me crazy, but if the private key can be read on the computer when the card is inserted (which it can), it can be copied off the card.

Re:Well, only sort of... (1)

Thad Zurich (1376269) | more than 2 years ago | (#38696604)

That's not how (these types of) smart cards work. The card is smart, and performs private key operations on board the card. All the host gets are session keys, hashes, etc. By design, the private key memory of the card can only be written, at a specially configured programming station. That doesn't mean there aren't user-readable or re-writable areas on the card, but the credential private keys aren't among them. The hardware literally doesn't support reading back private keys, only overwriting them. Any key escrow is accomplished by the programming station, when the card is first written.
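The behaviour Thad Zurich describes in this comment and the earlier one (the key never leaves the card, signing only works while the card is inserted and the PIN has been verified, a PIN change invalidates a captured PIN, and a handful of wrong PINs exhausts the retry counter) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the thread or from any real card middleware: the HMAC key standing in for the RSA private key, the retry limit of 3, and the scenario functions are all assumptions made for the model.

```python
import hashlib
import hmac
import os

MAX_PIN_TRIES = 3  # assumed retry counter; real cards are configured per issuer


class CardError(Exception):
    """Raised when the card refuses an operation."""


class SmartCard:
    """Minimal model of a PKI smart card: key material lives on the card,
    the host only ever receives signatures, and a PIN gates every use."""

    def __init__(self, pin: str):
        # Generated on-card at personalisation. An HMAC key stands in for the
        # RSA private key; the model deliberately offers no method to read it.
        self._private_key = os.urandom(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._tries_left = MAX_PIN_TRIES
        self._pin_verified = False
        self.inserted = True

    def verify_pin(self, pin: str) -> bool:
        """VERIFY-style command: returns True on success, decrements the
        retry counter on failure, refuses once the counter hits zero."""
        if not self.inserted:
            raise CardError("card not present")
        if self._tries_left == 0:
            raise CardError("PIN blocked: retry counter exhausted")
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._tries_left = MAX_PIN_TRIES
            self._pin_verified = True
            return True
        self._tries_left -= 1
        self._pin_verified = False
        return False

    def sign(self, data: bytes) -> bytes:
        """Private-key operation performed on the card; requires presence
        and a verified PIN, and hands back only the signature."""
        if not self.inserted:
            raise CardError("card not present")
        if not self._pin_verified:
            raise CardError("PIN not verified")
        return hmac.new(self._private_key, data, hashlib.sha256).digest()

    def change_pin(self, old: str, new: str) -> bool:
        if not self.verify_pin(old):
            return False
        self._pin_hash = hashlib.sha256(new.encode()).digest()
        return True

    def remove(self) -> None:
        # Pulling the card clears the verified state; the key leaves with it.
        self.inserted = False
        self._pin_verified = False

    def is_blocked(self) -> bool:
        return self._tries_left == 0


# Scenarios from the thread. Each returns whether the host could still sign.
def misuse_while_inserted(card: SmartCard, captured_pin: str) -> bool:
    """Captured PIN plus card in the reader: the exposure the report describes."""
    card.verify_pin(captured_pin)
    try:
        card.sign(b"constructed message")
        return True
    except CardError:
        return False


def misuse_after_removal(card: SmartCard, captured_pin: str) -> bool:
    """Same captured PIN, but the user has pulled the card."""
    card.verify_pin(captured_pin)
    card.remove()
    try:
        card.sign(b"constructed message")
        return True
    except CardError:
        return False


def misuse_after_pin_change(card: SmartCard, captured_pin: str, new_pin: str) -> bool:
    """User changed the PIN after the exposure; does the old one still verify?"""
    card.change_pin(captured_pin, new_pin)
    return card.verify_pin(captured_pin)


def retry_counter_exhausted(card: SmartCard) -> bool:
    """Several wrong PINs against an inserted card leave it blocked (the DoS case)."""
    for guess in ("000000", "111111", "222222"):
        card.verify_pin(guess)
    return card.is_blocked()


if __name__ == "__main__":
    for name, fn in (("inserted", misuse_while_inserted),
                     ("removed", misuse_after_removal)):
        print(name, "signing possible:", fn(SmartCard("123456"), "123456"))
    print("old PIN after change:", misuse_after_pin_change(SmartCard("123456"), "123456", "654321"))
    print("blocked after guesses:", retry_counter_exhausted(SmartCard("123456")))
```

The model shows why the thread's consensus holds: what is lost is the use of the card for as long as it stays in the reader, not the key. The same structure makes the mitigation cost visible, since a PIN change costs one command while re-issuing a card costs a trip to the programming station.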

Re:Well, only sort of... (0)

Anonymous Coward | more than 2 years ago | (#38696628)

Nope, the private key never leaves the card. So yes, you have the PIN, and you can use the *ALREADY COMPROMISED MACHINE* to use the CAC card *ONLY WITH THE CARD*. This is a big improvement over passwords, which aren't tied to a hardware token.

Re:Well, only sort of... (1)

couchslug (175151) | more than 2 years ago | (#38697480)

DoD has a live distro for telecommuting. They should make its use mandatory for that, and get rid of their Windows desktops. That's as easy as giving the order, just like when we transitioned TO Windows in ancient times.

It's free to download, grab a copy:

http://www.spi.dod.mil/lipose.htm [dod.mil]

USAF distro solves this for remote users. (1)

couchslug (175151) | more than 2 years ago | (#38697374)

http://www.spi.dod.mil/lipose.htm [dod.mil]

Your taxes paid for it and it's a free download. Grab a copy and check it out. Saves buckets of money in license fees compared to a PE-ish live CD, and won't run Windows malware.

Smartcard attack only works on Windows (1)

microphage (2429016) | more than 2 years ago | (#38698946)

Here is more detail on the attack:

Smartcard access

The first one is that it creates a new thread with a keylogger routine. The code is very basic; it stores the window name and the keys pressed under a file named MSF5F0.dat in an unencrypted format, example:

Title:Internet Explorer
www.google.es
Title:My Computer

It uses the Win32 API [alienvault.com] functions [GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA].
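For incident responders who find a log in the layout quoted above, the useful first question is which windows received input and how much. The following Python triage parser is an added example, not code from the thread or from AlienVault's report; the sample log is constructed, and the assumption that every record is a "Title:" line followed by the lines typed into that window goes only as far as the quoted excerpt shows.

```python
# Constructed sample in the quoted layout: a "Title:" line names the
# foreground window, and the lines that follow are what was typed into it.
SAMPLE_LOG = """Title:Internet Explorer
www.google.es
Title:My Computer
Title:Internet Explorer
search terms typed here
Title:Login
constructed-secret
"""


def parse_keylog(text: str) -> list:
    """Split a capture into (window title, [captured lines]) records in the
    order they were recorded. Lines before the first Title: are kept under
    a placeholder title rather than dropped."""
    entries = []
    title = "<no window recorded>"
    lines = []
    started = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("Title:"):
            if started or lines:
                entries.append((title, lines))
            title = line[len("Title:"):].strip()
            lines = []
            started = True
        elif line.strip():
            lines.append(line)
    if started or lines:
        entries.append((title, lines))
    return entries


def lines_per_window(entries: list) -> dict:
    """Total captured lines per window title, merging repeated visits."""
    totals = {}
    for title, lines in entries:
        totals[title] = totals.get(title, 0) + len(lines)
    return totals


def windows_with_input(entries: list) -> list:
    """Window titles that actually received keystrokes: the set an analyst
    walks through to decide which credentials need resetting."""
    return sorted({title for title, lines in entries if lines})


if __name__ == "__main__":
    records = parse_keylog(SAMPLE_LOG)
    for title, count in lines_per_window(records).items():
        print(f"{title!r}: {count} captured line(s)")
    print("windows to review:", windows_with_input(records))
```

The output of `windows_with_input` is the scoping list: any window that shows typed text is a place where a credential (including a smart card PIN typed into a middleware prompt) may have been captured and should be rotated, which is the cheap remediation the thread arrives at.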