February 23, 2011

An online bank robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.

At 7:45 a..m. Monday, Nov. 1, 2010, the controller for Abilene, Kansas based Green Ford Sales, Inc. logged into his account at First Bank Kansas to check the company’s accounts. Seven hours later, he logged back in and submitted a payroll batch for company employees totaling $51,970. The bank’s authentication system sent him an e-mail to confirm the batch details, and the controller approved it.

The controller didn’t know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the ZeuS trojan, which allowed them to monitor his computer and log in to the company’s bank account using his machine. Less than an hour after the bookkeeper approved the payroll batch, bank records show, the thieves logged in to Green Ford’s account from the same Internet address normally used by the dealership, using the controller’s correct user name and password.

The attackers cased the joint a bit — checking the transaction history, account summary and balance — and then logged out. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch, by adding nine new “employees” to the company’s books. The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.

Green Ford’s controller never received the confirmation email sent by the bank to verify the second payroll batch initiated by the fraudsters, because the crooks also had control over the controller’s e-mail account.

“They went through and deleted it,” said Green Ford owner Lease Duckwall. “If they had control over his machine, they’d have certainly had control over his email and the password for that, too.”

To me, this attack gets to the heart of why these e-banking thefts continue unabated at banks all over the country every week: An attacker who has compromised an account holder’s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking trojans.

It is difficult to believe that there are still banks that are using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today’s banking trojans can defeat many of the most advanced client-side authentication mechanisms in use today.

Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day’s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.

Perhaps the most elegant fraud techniques being built into trojans involve an approach known as “session riding,” where the fraudster in control of a victim PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.

Amit Klein, chief technology officer at Trusteer, blogged this week about a relatively new strain of malware dubbed OddJob, which hijacks customers’ online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have “logged off,” enabling criminals to extract money and commit fraud unnoticed.

All of these developments illustrate the need for some kind of mechanism on the bank’s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile. For example, in almost every case I’ve written about, the victim was robbed after thieves logged in and added multiple new names to the payroll. There are most certainly other such markers that are common to victims of commercial account fraud, and banks should be looking out for them. Unfortunately, far too many small to mid-sized banks outsource much of their visibility at the transaction level to third-party service providers, most of whom have been extremely slow to develop and implement solutions that would enable partner banks to flag many warning signs of account takeovers.

FOLLOWING THE MONEY

Duckwall praises his bank for moving quickly to contact the mules’ banks after being alerted by the company’s controller at 8 a.m. on Nov. 3. But he said the recovery effort was slowed considerably by the responses from many of the mules’ banks.

“The really frustrating thing was we got on phone with our bank and they immediately contacted all of the other banks, and most of them in turn fax or email you a form that you have to fill out, sign and send back,” Duckwall said. “It’s just really frustrating how long it takes to try to stop something that like that. It was kind of a large disruption in our operation.”

Duckwall reached out to one of the mules, a man named Shawn Young from New York, who received nearly $5,000 of Green Ford’s money. Young hadn’t yet wired the money overseas as instructed by his recruiters, a bogus entity calling itself “R.E. Company” (its Web site is still up at this link). Young said he communicated with the mule recruiters at R.E. Company by logging in to his account at this Web site, uploading his personal and bank account information, and awaiting instructions. Those instructions would later arrive on Nov. 3 (see screen shot below left).

Duckwall said First Bank Kansas managed to recover all but $22,000 of the stolen funds, and that the company and bank have made several security adjustments since the incident.

“Two confirming e-mails are sent…one to me, and one to [the controller]. Our ACH limit for our account is kept at $0 all the time except for pay days,” Duckwall explained in an email. “Then the bank president raises the limit. On paydays, the limit is raised, [the controller] logs in and creates the ACH batch file, and [he] contacts me.  I log in, review the file, and authorize it.  I use a machine from home for that. Then I notify the bank president, who lowers our limit back to $0. Every time the controller and I log in we request a email passcode (no cookies set on our machines).  I receive all of the confirming emails that are generated by the system, on four different machines.”

From where I sit, that’s a ridiculous number of hoops to have to jump through to make a payroll every other week. Also, those changes don’t address the root of the problem: They still succeed or fail based on an insecure mode of communication (email) that can be hijacked on the customer’s end. What’s more, these changes continue to push all of the security and authentication of the transaction out to the customer, which is always the weakest link.


157 thoughts on “Sold a Lemon in Internet Banking

    1. BrianKrebs Post author

      I had an interesting experience this very day at my own bank that shows how few bank tellers actually know what the real deal is.

      I went to my bank where my business account is at to deposit some checks, and at the end of the transaction, the teller asked me, “Hey, have you considered online banking?” And I said sure, but no thanks because the bank won’t cover my loss in the chance that my account credentials somehow get hijacked. She said, “Oh, well you know your money is protected up to $250,000.” I said, yeah, if this bank goes under, my deposits are insured up to that amount, yes. But that has nothing to do with whether the bank will reimburse my business account if I get robbed. And then she thought about it for a second and said, “Oh, yes, I believe that’s correct. We probably wouldn’t in that case. Not with a business account.”

      I just smiled, grabbed my stuff, said thanks and left.

      1. KFritz

        Your interaction with the teller puts the lie to the idea that there is no supply side pressure to adopt online banking. The pressure is NOT from the demand side. I wonder how many customers, during the course of a routine transaction, blurt out, “Will you please tell me about online banking?”

  1. BrianKrebs Post author

    My advice? If you’re operating a business/commercial account and you’re banking online via anything but a Mac, a Live CD, or at the very least a dedicated PC, you’re playing with fire.

      1. BrianKrebs Post author

        Hi Matthew. I appreciate your thoughtful responses on the blog, and your efforts to edumacate other readers here about what doesn’t work and what might. But I’ve tried to refrain from endorsing specific products. I prefer merely to point people away from what’s not working, and toward a class of solutions that might help reduce the risk.

        1. JCitizen

          That’s okay Brian;

          I’m just a subscriber, and am not receiving any compensation from anyone; and I can say freely that I think PassWindow is a good idea.

          It is cheap, flexible, scalable, and can work even if the customer’s PC is compromised(providing part of it is done out of band, in my opinion);we’ve discussed on other forums at length about ways to defeat it, and all bets are off trying to do that! This is just one of the solutions that should be adopted by the industry. At least these kind of ideas will not lead to the expensive chip-and-pin disasters we hear about.

          I’d like to hear from Matthew, what he thinks about a work around for session riding, and how combining his idea with out of band tactics may help?

          1. Matthew Walker

            @Brian, Thank you for your comments and I can appreciate your position. Passwindow is a radically unique solution to the problem described in the article and really has no comparative equivalents to form a class. From the beginning I wondered if it might evolve into a variety of methods however every time I tried to add complexity to the basic method new more complex vulnerabilities would arise. There just isn’t many ways to fracture the characters themselves without losing usability which is necessary to prevent all sorts of online or phone based interrogation tactics and so passwindow will likely remain in a class of its own… (cringe, that sounds really cheesy)

            @JCitizen, I have been going over this exact session riding problem over the past few weeks as I am working on a private project which uses sessions. I implemented dynamic login sessions, I use ssl, I even hash the username and passwords in the browser before its sent to the server but at the end of the day this all feels like a waste of time if you accept the fundamental idea Brian touched on in that you cant stop them getting in and you cant stop them controlling everything you see once they are in. I like the convenience of internet banking and would rather not live in the woods and so I worked backwards in the security equation looking at what I am prepared to trust in the equation to keep the convenience. First of all I am prepared to trust the security of the server as I would like to believe they have teams of people constantly monitoring it, after all if the attackers can get directly into the server I am out of the equation anyway. The next thing I trust is the air gap between my passwindow key card and the computer, I know that no matter how sophisticated the Trojan they are not breaking the laws of physics or good old fashioned statistics. And so I end up with a small window which I do trust to communicate with the server. I know the transaction information and associated OTP is what I do or don’t want to authenticate regardless of ANY electronic or software compromise between me and the server itself, including session riding.

            In the end sessions are just a means to an end which is the actual transaction itself so its better to remove the incentive to hijack the session in the first place by focusing on the attackers goals. (sending money to their mules) We could authenticate every transaction however in the articles case it seems more convenient to just authenticate the outgoing account destinations just once which wouldnt include the mule accounts. The controller in the article would be made visually aware of the system trying to authenticate a new alien outgoing account through the passwindow card and wouldnt enter in the unique associated validation code. In my new website video there is a short example which uses destination account digits.

          2. JCitizen

            Okay. I wouldn’t think it would be difficult at all to do more than one transaction using PassWindow for the legitimate customer, but I see what point your making. It is apparently the somewhat simple process, that control should be implemented on the bank side to assure logical order in transfer request. I think I get it.

            I know my institution does halt unusual electronic requests by me in my day to day business, and I appreciate that. It only takes answering their call to set the original transaction going correctly. BUT, my bank personnel recognize my voice, and they also have an intimate knowledge of me, although the logic algorithm doesn’t. I’m just not familiar with large institutional processes.

          3. JCitizen

            As an addendum to my last post, it does seem that verifying transactions is an overriding theme in what is considered one of the bulk heads in this security discussion.

            So I am learning that perhaps more energy should be placed in this area on the bank side; as user authentication has its limits?

    1. Tom Cross

      Well done, Brian. You’ve given us a concise, clear explanation of the amazing potential these criminals have.

      I try to explain this to my customers every day and it’s always just beyond their ability to grasp the virtual nature of this type of ‘bank robbery’. Your article is so clear, I’d like to share it at my repair counter.

      Do I need your permission to print a copy of this article to share with my customers as I’m explaining to them what a rootkit is?

      For the advice. No MS is preferred, but…

      Here’s our current lineup of security apps and practices:
      Google Chrome
      CCleaner
      MS Security Essentials
      Foxit Reader
      NO Adobe (Acrobat/Reader,Flash)
      Our security ‘package’ also includes coaching to recognize social engineering practices.

      So far, so good once installed on a clean system.

      1. Mike Gray

        Word of warning with chrome. Flash is automatically bundled within chrome instead of an external plugin. So make sure you disable it within the options if your intent is to avoid adobe products.

        Flash gets the notoriety but Java is just as dangerous (if not more) so you should touch on that as well.

    2. TJ

      Brian – I think your advice here is quite sound. I’m curious however why you generally omit computers running installed versions of Linux, yet seem to find the use of a Mac (which has an installed OS) perfectly acceptable? Are Macs in some way more immune to Windows based banking trojans than installed versions of Linux?

      That said, I understand clearly why you recommend LiveCDs.

      1. Nick P

        I agree that it was an interesting omission of desktop installed Linux. The reason he mentioned Mac, I believe, is that it’s minimal market share mean it’s one of the least targeted by automated attacks like drive-by downloads and worms. One study also showed Mac’s were often offline around half the time for unknown reasons, probably because most are used by artists and turned off when they aren’t at work. In other words, they don’t matter much. Linux is slightly more risky because it’s strong server presence makes hackers find exploits in it wherever they can, but desktop Linux still has the security profile of Macs. So, why didn’t he mention it? Maybe a slip up during a hasty short response…?

        As for LiveCD’s, yo will see information about why we prefer that all over this blog. The main reason is that it defeats most persistent threats and rootkits by the mere fact that every time you boot from a LiveCD you get a clean, uninfected OS. If malware infects it, it can only affect what you are doing at that time because it goes away the moment you turn the LiveCD off. The LiveCD can also be made very difficult to infect by choosing a distribution known for security and regularly making LiveCD’s with updated software. This altogether makes life very hard for malware authors. Add in the relative obscurity of Linux and you have a nice counter to most banking trojans.

  2. Jack

    How do you see the security of online banking where one has a pad of onetime passcodes and before logging out, one is shown all transactions and they need to be verified with a passcode from the list?
    Aside from a targeted Man-in-the-middle attack against that bank, would you think it’s vulnerable to more “general” trojans /MiMs (OddJob etc)?

    1. Matthew Walker

      The problem with one time passcodes is they are still vulnerable to this type of trojan attack as they hijack the browser and pass the codes back and forth acting as a man in the middle. The only way to securely authenticate the transaction is mutual authentication where some specific transaction information is included with the OTP authentication code itself. There are some high end authentication devices which have a cumbersome process to do this they call transaction signing however because its an active system which relies on the user entering the details in a very long series of back and forth digits the newer trojans are able to coach the user through doing their own mule authentications. The passwindow method on the other hand does this passively where the user only has to visually verify some transaction information and also being electronics free isnt susceptible to the “your device is broken” message they use to trick the users into following their own script. I dont know of a more secure online method.

  3. C J Flynn

    Being an American in France, and used to American banks technology, it was a bit frustrating at first to get used to the system. Having to sit and smile while the account manager explained how taking payments online was very dangerous and insinuating that if I were to do that I might lose the account. How else to get payments for a series of wifi hotspots, he had no ideas. (That was 8 years ago.)

    Every bank wire still needs to have a fax backup sent to the bank, or it will generate a phone call (things are changing-emails are starting to be accepted, but they like attachments that they can print for the file). Anything extraordinary gets flagged and stopped until after a phone call confirms the transaction…even into the account! If I withdraw money from the account at a different branch of the bank, even with several IDs, even after confirming that there is money in the account via the computer, the teller will call my branch and get permission…and requests a follow-up email, spelling out his or her email address each time. (Surprisingly, if I go to the same branch and the same teller recognizes me, the teller will take it on themselves to not call.)

    Our online banking uses a one time key generator and has a frustratingly short life cycle, i.e., no activity for a couple minutes and you start all over again.

    Frustrating, but like the pin code on credit card transactions – even online transactions get intercepted with a confirmation cycle – that is how they keep fraud costs down. On the other hand, when my wallet was stolen, I walked into a branch, the teller called my account manager who then talked to me, and I was able to walk out with cash, the accounts secured.

    Like you say, a lot of hoops. Some aspects remind me of how things were with my American business accounts in the 80’s, with a slow growing touch of modern. Very personal, somewhat condescending, very mechanical. C’est la vie.

    1. AlphaCentauri

      “they like attachments that they can print for the file”

      If they are so unfamiliar with electronic data, I wonder how easy it is to use social engineering to get them to open a trojan-containing attachment disguised as a large zipped file.

  4. Conrad Longmore

    The bad site you mention is hosted at 93.186.170.37, VPS4Less in Germany. We’ve had the 93.186.170.0/24 range blocked here for months because it is all evil and has been for a long, long time.

  5. Datz

    My bank uses an additional code number that I read off a grid on the back of the debit card provided by the bank. The choice of input is randomised for *every* transaction. Despite this I do not touch my account with a Windows machine.

    1. jeremywc

      This is probably the best thing for a bank to do for commercial customers. It doesn’t sound like this bank had any second factor authentication in place. Grid cards, RSA tokens, etc are pretty good at foiling a lot o this.

      1. Matthew Walker

        While I agree than any second factor authentication is better than nothing which appears to be the case I dont think any of the grid cards or OTP tokens present much of a speed bump against a trojan attack as described in the article. In fact there are many similar articles where OTP style second factor authentication and even some transaction signing tokens were implemented and bypassed http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians
        And here is a SMS mobile authentication bypass
        http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

        As Brian point out that the attacker “can control every aspect of what the victim sees or does not see” and so the OTP values can simply be passed through to the bank via the attackers trojan and transaction with no feedback to the user about what exactly they are authenticating.

        I realise the OTP defence prevents the old style key loggers however it makes no sense for a modern attacker to jump through the many AV hurdles only then to dump a basic key logger payload onto a system while there are much more advanced methods they can pursue once inside the system such as hijacking the browsers and listening for connected mobiles etc.

    2. timeless

      This isn’t really too helpful.

      Remember you’re dealing w/ a man in the middle attack.

      An attacker could replace your 10$ transaction with a 110$ transaction to a mule.

      The mule could then be ordered to make two transactions:
      10$ to your intended beneficiary
      90$ to the handler
      [mule keeps 10%]

      Your intended beneficiary would receive the payment and thus would not complain that you didn’t pay. As long as the MITM attack is active on your computer it can transparently rewrite the transaction to make it look like you paid the 10$.

      Systems the work (temporarily) involve Out Of Band communication. If you’re using a PC then a phone call should be secure for the next couple of years. (*caller id can be spoofed, and your phone number could be changed in the online banking, so it’s probably not actually safe)

      If I dealt with a bank, i’d want to ensure that my phone number+email address couldn’t be changed online.

      But I, like Brian, decline to do electronic banking (for US accounts).

      I bank by phone (it’s hard to do in person when you’re on the wrong continent). Banks record and log all calls.

      For my European bank, I trust that the “security” I’m offered is pure theater and that I’ll be screwed no matter what. — Heck, their credit card phone number doesn’t work outside business hours (good luck when you’re overseas and need to adjust your limit — yes, I hit that, thankfully I was still in Europe instead of the US).

  6. Rob

    A poll of bankers on this issue would be interesting. I would really enjoy their explanations. The continued lack of response is hard to understand.

    I always try to look at things from the perspective of others but on this issue I am failing.

    1. Helly

      I personally am aware of more banks putting significant effort into mitigating the risk posed by Zeus than not. There is actually even quite a bit of collaboration between various banks to help one another out with strategies and what is working and not. The caveat… these are all mid to large sized banks.

      Credit Unions and small local banks I see are almost never involved in these discussions. They also have a tendency to used the packaged or vendor provided internet banking applications. That makes it really easy to target these companies with trojans.

      The other thing is that a lot of companies I am aware of are building detection mechanisms behind the scenes. So the end user won’t see anything even if they actually are more protected. Also the higher visibility solutions like Trusteer, were still pretty expensive when I last looked.

      I will be the first to admit that my experience may not reflect the industry. But that has been my experience. You asked so I thought I would give it a shot anyway 😉

      1. JCitizen

        I wonder if any state banking associations have attempted to negotiate with Trusteer for a discount volume situation? Seems like this would be the American capitalistic way of doing business?

    2. Ellie K

      This is more than a little late, but you asked about bankers, or at least those who are responsible for payroll. I have run manual weekly payroll in the past, for 5 staff who were all paid as straight contractors (1099’s). This was 10+ years ago, and I was using a paper ledger.

      Since then, I have encountered very few businesses who did NOT use a service such as ADP (there are alternative regional and probably national providers, so I am not endorsing ADP in particular). Whether the company had 3 employees or 3000, it put the burden on ADP for calculating deductions, payroll taxes, etc. as well as all security measures like cutting checks and of course, communications. Some companies had a dedicated line and terminal to ADP or similar payroll service. Others would call in, for smaller companies.

      Of course, this came at a cost.

      It also doesn’t directly address the issue here. But a payroll service does decrease vulnerability to exploits and fraud.

      Hmmm, as I think about it, payroll services might have points of vulnerability of their own….

  7. JimV

    It really would be nice to know a few more details regarding the manner by which this occurred, namely: 1) what OS was/were the compromised machine and the bank’s network servers running, 2) what antimalware application(s) was/were used on both the bank’s network and the compromised machine, and were they up-to-date when the trojan likely entered the system, 3) what protocols or procedure and regular schedule does the bank’s IT administrators follow regarding a full malware scan of the entire network’s systems and components, 4) what are the protocols/procedures for updating the OS and critical applications on the networked computers, 5) if running a Windows OS were the individual computers set to disable “Autorun” for any removable media, and finally 6) what browser was used on the compromised machine and was it up-to-date?

    Definitely a cautionary tale regardless — it seems most banks utilize one or another of the Internet “clearinghouse” systems for Web-based transactions that require a browser that processes ActiveX

    1. BrianKrebs Post author

      Trying not to sound defensive here, but I thought there were quite a few details in the story already 🙂

      Question 1 is already answered. 2 is immaterial, given how few AV products detect the latest threats. 3) this wasn’t a compromise of the bank’s system. 4) no idea. 5) zeus infections generally have little to do with autorun being on or off…the main vector of infection is usually email or in a few cases unpatched apps. 6) no idea.

      1. JimV

        Brian, it was never my intention to be critical of what you wrote, and I deeply apologize if the post made you feel defensive in any way. My bank switched their Internet ‘clearinghouse’ provider last year to someone that requires the use of IE because of their reliance upon ActiveX, and this has been a very sore point with me — I sent the story link to one of the bank staffers I know pretty well to pass along, and the itemized things in my comment were really intended for that specific audience rather than any criticism of you.

        As I have worked overseas a lot the past couple of decades in China, East Africa and Central Asia, I’ve become more reliant in the last 10 years on being able to keep track of my financial accounts in the US via the Internet. Rather than having to prepay several months or more worth of utility and other bills before I leave as was necessary in the 80’s and 90’s, I can now set up many to auto-debit or can initiate credit card and other payments from the laptop that only I use. I don’t use IE at all for anything other than Windows Updates (or the OneCare scan), and personally have used Opera as my primary browser for about 10 years (in part now because it won’t process ActiveX scripts). I utilize a layered antimalware approach on my principal road laptop with a primary/resident antivirus (avast) and secondary weekly manual scans by Spybot, Malwarebytes and Windows Defender. I turned off “Autorun” with registry hacks a long time ago and perhaps it’s overkill, but so far I’ve avoided becoming infected despite plenty of exposure in those malware-infested places.

        Again, I’m sorry to have given a misimpression that I was being critical of your story — I’ve been a reader of yours for many years, and this is one of the few security-oriented websites which I trust implicitly because of your credibility.

        1. JCitizen

          JimV;

          You’re going to have to do a lot more than that to get minimum protection against Zues, Carberp, and OddJob and all their variants.

          I would be advised to at least ckeck you account everyday, to minimize your chances of a timeout, on discovery of loss. Using an online secure credit card would go a long way too.

          1. timeless

            There’s a hazard involved in logging in more often.

            The more times you connect, the more times you use your keys, the more chances for something to be around which catches your info.

            But again, if your computer has Zeus or some future replacement on it, then it can just as easily rewrite your view to hide the past transactions which means no amount of checking from your infected computer will help. — You can trade off using more computers but that increases the risk of you encountering one which is infected just so you can hopefully find out about your loss sooner — not a great tradeoff IMO.

            Plus if your bank does ever get around to setting up pattern detection software they might find one extra log-in from your account less suspicious.

            I’d prefer to get SMS confirmation of all transactions and to do banking by phone. — Does anyone know if banks offer this? A list of banks with friendly/good practices would be helpful so people could shop around.

            If your bank is in the USA, it probably has a 1-800 number. And if you trust Skype, you can call that number for free (disadvantage here is that your phone number to the call center isn’t usefully logged, but the audio should be) from anywhere in the world. If you don’t trust Skype, but do trust Google, they’re offering free calls to the US for the year (some part of Google Voice – the part that lives in Gmail, yes it requires a plugin, no it doesn’t require a US phone number) again, from anywhere in the world. If you call people in the US often, you might have a SIP provider already (which you hopefully trust) in which case you could use it. Otherwise, you can just call normally (not a great idea, although perhaps it wouldn’t be too bad these days).

          2. JCitizen

            @timeless;

            With the defenses I have – I think checking daily is less a hazard than your scenario. For folks who don’t, they can use the automatic phone account helper. This would still give you the last transaction/balance, etc. without going online. At least every bank around here has that service.

            SMS has been cracked too, so their are not many options here, but just a few mentioned by some posters. I wonder if UBS keys have run into any trouble?

      2. Batsy

        Not that Brian needs any defense and I know the reader wasn’t attempting to be critical but.

        1) Unless I’m missing something, the hack was on the client-side not the server-side. What the bank’s servers were running on isn’t the concern nor is the OS necessarily the key point. The seminal question should be how the OS was secured and what defense in depth measures weredeployed on the network

        2) Depending on which report one reads, some reports show that for new malware, even the best AV may catch only a shocking 37-62% of them

        http://www.av-comparatives.org/images/stories/test/ondret/avc_retro_nov2010.pdf

        3) Again, not the bank

        4) Any IT security or network admin will tell you patch can be a very hard thing to keep up with as they should always be tested prior to deployment. Even with PCI, critical patches must be tested and installed within 30 days of (key word) release. So even under the best of circumstances, an attacker potentially has 30 day windows for exploitation (to say nothing of zero-day vulnerabilities which no patch will save you from)

        5) While disabling auto-run may save you from malware (not in this case), malware threats are everywhere (drive by downloads, click happy users etc). However, take heart – Microsoft announced that with SA967940, AutoPlay functionality will only affect CD and DVD media only supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 which reduces the threat for USB devices

        6) Browser is irrelevant against Zeus. Zeus operates by keystroke logging. The best defense is not to get infected at all but one possible defense indepth measure is a product like KeyScrambler that’s free and encrypts the keystroke at the kernal level.

        In these cases, after infection and compromise, other things can serve as a defense in depth measures:

        – Reconcile your statements and transactions daily
        – Depending on solution, some can be setup so that bank transfers require a supervisor authorization – separation of duties (unless they are also compromised)

        1. JCitizen

          Dear Batsy;

          I’ve already reiterated this elsewhere on this thread, but Rapport already claims to block keyboard and video capture. I’ve done more definitive testing on Keyscrambler, so I use it with Rapport. Trusteer does allow other good recognizable security utilities to work with their product, as long as you set it up.

          Most serious IT techs have practically given up on signature based AV/AM protection; although we still use it as a cleanup afterthought. The kernel space, seems to be the new modern battle ground!

          1. Batsy

            Absolutely dude. I’m no different than anyone else in that I wish that it were as simple as getting down on my hands and knees and praying for a panacea (that or Shackleton) but defense in depth is pretty much our best strategy right now.

            I totally agree with the AV. It will not save you for everything but at least it’ll get the low to middle hanging fruit. (Better than nothing I suppose)

            Even with all of the money in the world, at the end of the day, this pretty much sums it up:

            “remember we only have to be lucky once. You will have to be lucky always.”

            – IRA to Margaret Thatcher (after an assassination attempt)

          2. JCitizen

            Looks like Margaret was lucky all the time. I don’t back down to criminal/terrorists either. Whether I go down or not, at least I went fighting!

        2. timeless

          I was under the impression that Zeus did other stuff in addition to simple keylogging, including I believe attacks at the network layer. Some malware actually does include modules for Firefox and presumably IE. If a browser is popular enough, there’s no reason for malware not to add additional code to do extra fancy stuff to it.

          1. JCitizen

            @timeless;

            Zues and its variants, have just about every modern trick up the sleeve; so yes, you are correct. The article pretty well delineates this already.

  8. Nic

    Some banks give to business customers a small electronic device with a tiny screen which prints, every 30 seconds, a supposedly random PIN number. This PIN number must be entered into the online bank html form for the transaction to succeed. This tactic doesn’t completely close the attack window, but it greatly diminishes it (for now). When this tactic catches on, financial malware authors will simply rewrite their tools with this safety-feature in mind.

    Brian, I think your advice “Mac, a Live CD, or at the very least a dedicated PC” is good for most people although it falls on deaf ears. It’s not an easy thing for most , who don’t understand how open their computers are, and who don’t read about malware. For them, any “system” at all is “annoying.” They won’t learn either.

    As much as I don’t like banks, I don’t fault them for not wanting to babysit people who can’t (or won’t) take care of themselves.

    I don’t use Windows (or Mac), and my online banking solution is not not have it set up. Can’t (ab)use what doesn’t exist.

    1. Helly

      The pin number approach you mention is already broken. It can be broken in a number of different ways as well. To sum it up quickly, anything passed in via the clients browser to authenticate them is at risk. The random pin code is only slightly (if that) better than just a username password.

      1. Nic

        Yeah I know. That’s why I wrote:

        “This tactic doesn’t completely close the attack window, but it greatly diminishes it (for now).”

        BTW, what’s with the downvotes on this blog? Almost any comment that doesn’t heap worshiping idoltry upon Brian gets downvoted to oblivion. Even helpful little “there’s a typo in the link provided” comments are deemed inappropriate.

        This is a great blog and Brian seems like a super cool guy (who else would fly to Russia for investigation? That’s cool as hell!), but I don’t worship him, or anyone for that matter.

        1. BrianKrebs Post author

          Downvotes are part of the comment moderating system here. I don’t like moderating comments, which is why I use this (somewhat imperfect) system.

          As I’ve said before, I don’t generally click up or down on any of the comments (except the really obnoxious ones). I did “up yours”. 🙂 I also don’t delete comments very often at all.

          I’ve noticed that if people downvote a comment, it’s not because of lack of idolatry, but rather that the tone of the comment was nasty or off-topic or ad hominem or simply trolling. Not saying your comment fits in there one way or the other, just sharing some observations.

          1. BrianKrebs Post author

            Also, regarding the comment moderation plugin, I should add that I have found my own comments modded way down in some cases when some contingent of visitors arrives from another blogger or sympathetic to a different idea to something I wrote about and have modded me down just by their sheer numbers.

        2. Helly

          I specifically took issue with the “greatly diminishes” portion of the statement. I personally have seen these protections fail time and time again. I don’t think it has any effect at all to be honest. Your point is valid against maybe other types of attacks, password brute forcing, stolen credentials etc.

          As far as comment mods, no idea. I generally don’t have difficulties and usually agree with the mods given out. I wouldn’t sweat it, your comments seem on the level and those generally even out in the voting.

          1. Nic

            @Heffy:

            Just so we’re clear, are you saying the majority of online banking malware toolkits are capable, off the shelf, right now, of diverting funds in real-time while the victim is logged in and doing their normal online banking?

            You say: “Your point is valid against […] stolen credentials etc.”

            Isn’t that how most online banking attacks work, though? The victim types in their username/password, the malware copies the info and sends it back to the fraudster, and at some point later, the criminal uses those credentials to transfer money from the account. From what I’ve read, that’s the majority of cases.

            @JCitizen:

            I’ve thought about that before… you’re probably right. It’s undeniable that the “link typo” comments get downvoted badly, which wouldn’t make sense otherwise.

          2. helly

            @nic Nope, not saying the majority of malware can do this. But sophisticated banking trojans, that are readily available and extremely easy to obtain, do. I believe there are zeus versions that utilize instant messaging to alert an attacker when a victim has logged into their banking site. So in the case of any OTP type device, like the PIN card you mention its worthless. The attacker already has control of the session and can pull any number of tricks on the user at that point.

            There are plenty of examples on this site even where a one time password device has failed to protect a bank account. Sure there is plenty of malware in the category of simple form grabbers that only collect credentials and might be stopped by a OTP.

            But in the story above, and plenty of other cases they are very little deterrent to an attacker. In your original comment you said:

            “When this tactic catches on, financial malware authors will simply rewrite their tools with this safety-feature in mind.”

            You are 100% right, its not an if or when though, its already happened. Deploying a OTP isn’t going to do you much good when more sophisticated trojans are readily available.

        3. JBV

          @ Nic:

          Thumbs down frequently go to: potty-mouths; MS bashers (it’s a huge and really easy-to-use OS that has flaws); and not-too-subtle vendors of various (in)security products.

          Brian-worshipers don’t get or give thumbs up for sheer love – it’s because they show their appreciation for his useful info.

          Typo comments are more appropriately sent to the author by email – posting them suggests a certain smug look-how-smart-I-am braggadocio.

          And, no, I’m not his mother.

          1. Terry Ritter

            @JBV: “Thumbs down frequently go to…MS bashers (it’s a huge and really easy-to-use OS that has flaws);”

            OK then, get ready: Over 99 percent* of malware is targeted at Microsoft Windows. Simply by using something other than Windows, users can achieve the greatest risk reduction possible with a single change.

            For improving online security, nothing is more important than getting off of Windows.

            * “G-Data reckons 99.4 per cent of all new malware of the first half of 2010 targeted Microsoft’s operating system.” From “Windows malware dwarfs other viral threats” at http://www.theregister.co.uk/2010/09/13/malware_threat_lanscape/

          2. Batsy

            JCitizen is right there is no perfect OS. As long as humans are involved (for one reason or another: time, cost, bad process, knowledge etc), there will always be gaps to be exploited.

            One of the trends in IT (let alone security) is the consumerization of IT. Unless you’re the DoD and you have absolute say in the matter, although you may have input and can make recommendations, consumerization has shown organizations everywhere that the user/client/business has the final say. No can say that the iPhone is in the same class of security as the Blackberry.

            Its easy to say use Linux but if the client accepts the risk and demands to use Windows, its IT’s/security’s job to secure it as best as you can.

            It’s pure economics. Malware is mostly for Windows because they own 85% of the desktop market. What gets you the most bang for your buck?

            However, this is a harbinger of things to come especially if you believe the Mac’s market share will increase:

            http://www.networkworld.com/news/2011/022611-hacker-writes-easy-to-use-mac.html?source=nww_rss

            Even in the mobile space, take a look at the news articles for Android. When you look at the number of malware or data leakage due to apps, if you care about such things, using Android vs Apple is really trading functionality/flexibility over security (though Apple isn’t perfect either).

            However interestingly, since Zeus is spread primarily by phishing and drive by downloads. One of the easiest way to reduce the the exposure possibilities is just to go draconian on the user. On that one PC(s), set your corporate web filter to limit the Internet. Block everything except corporate banking site (however, good luck convincing the business owners :P)

            It still drops back to confidentiality vs integrity vs availability.

            One has locks all over one’s house too and there’s always a possibility of someone breaking a window to get in but people aren’t running to install a moat and boiling oil.

            At the end of the day, how much risk are you will to accept and when it does happen – find methods to ensure that one can detect it as early as possible to reduce the exposure.

          3. Jane

            I am not one of those who have actually caught a typo, but if I ever do I am unfortunately too lazy to send an email rather than use the spiffy comment feature.

        4. JCitizen

          It would seem obvious there are some “questionable” personalities who visit this site, to gain knowledge from the “enemy camp” – so to speak.

          So I wouldn’t think it unusual for criminals or crackers to visit here and down vote any good ideas; would you Nic?

          1. Nick P

            It’s a nice idea. It might happen with pro’s, but I doubt it. They have nothing to fear from this site. Complacent/ignorant users, broken banking system, and steady stream of software flaws makes their job quite easy. I think that trolls will cause you guys the most problems with down-voting. They like to disrupt things for no reason. I could also see it happening with people who have a very negative emotional reaction to a post. Overall, though, Kreb’s solution seems to work better than many other approaches.

  9. Paul S

    Can anyone tell me please whether running Ubuntu or a similar linux distribution from within Windows is as safe as running a live cd?

    thanks kindly……

    1. BrianKrebs Post author

      Not “as safe” because the beauty of a live cd is that stuff that’s stored in memory is wiped when you shut down, and you’re left with a clean slate when you boot back into it. Yes, there is the possibility that older live cds can accumulate security vulnerabilities that could theoretically be attacked, but that seems like something of a long shot, at least in the context of the ebanking attacks we’re talking about here. Best solution to that is to just burn a new live cd every so often, to make sure you have the latest version.

      1. Paul S

        Thank you for your quick reply, Brian. Money is tight these days, but I’ll definitely make a contribution via Paypal when the opportunity arises. You’ve kept me out of trouble for a few years now.
        cheers…….

        1. gangbang

          If you speak of a windows live-cd then the answer is NO, mitm attacks used by zeus/spyeye etc. trojans will use the memory while injecting some evil code into you netbanking page, no matter that the cd is mounted RO.
          And so, using a virtualized linux distro within win system or better a linux os itself is a value if want a safe netbanking

          1. JCitizen

            gangbang is right; if I understand him correctly.

            The liveCD approach is only good if you ONLY use it on that one site, or reboot if you want to go to the next site for shopping or banking. I’m pretty sure you don’t want to use (re)writable CD/DVDs either; even though they are easier to update.

            If you bank/merchant page is compromised with malcode, all bets are off!

          2. Terry Ritter

            @JCitizen:

            Some people seem confused about the advantages of using a LiveCD (or DVD) operating system (OS) online. Although banks will return stolen money to individuals, they cannot replace a stolen identity.

            The LiveCD approach is always at least as secure as a conventional system with a hard drive (or flash drive), INCLUDING any dedicated banking online computer. To compare approaches it is important to describe what would happen in each case.

            Both LiveCD and conventional systems can pick up malware in operation. (Of course, encountering malware that will run on a Microsoft Windows system is around 100x more likely than malware for Linux.) But even if the LiveCD system encounters malware, that is automatically “removed” on the next restart. Not so with a conventional system, where malware will infect the hard drive and run on all subsequent sessions.

            “The liveCD approach is only good if you ONLY use it on that one site,”

            “only good”? Really? Whatever the issue, surely the alternative conventional system would have the same problem.

            If a user browses a LiveDVD system to another site they might pick up malware, I suppose, but when that system is restarted the malware is gone.

            In contrast, a user who does the exact same thing on a conventional hard drive system may also pick up malware. That malware probably will infect the drive, and malware may run on all future sessions.

            “or reboot if you want to go to the next site for shopping or banking.”

            The ability to reboot to a clean system in a minute or so is the LiveCD advantage. The system is “cleaned” far beyond what any add-on security program can do.

            “I’m pretty sure you don’t want to use (re)writable CD/DVDs either; even though they are easier to update.”

            Although a DVD writer looks much like a large hard drive, it is vastly different. On a hard drive (or flash drive), “sector” and “track” select a storage area which can be read or written and re-written almost instantaneously. File data are easily changed with minor overwrites in a single blink of drive activity.

            In contrast, DVD systems do not change already written data, but only add files to the end of their single helical track. Changing data within a DVD file is not easy. It means creating a new file, writing all of it, and then creating a new index which includes previous files, and writing that. The writing process is obvious and lengthy.

            If and when LiveDVD operation becomes common, malware may try to write to the DVD. Then we will have to remove the DVD after booting. Sadly, we are unable to remove the system drive after booting Microsoft Windows.

          3. JCitizen

            I agree with you Terry on almost all your comments, you have simply put more explanation to what I meant in the first place. That is good for newbies coming here to KOS.

            However, on the CDR/DVD-RW file modification, I wouldn’t put anything past a good (criminal) code writer, on an open CD, that has not been closed yet.

      2. Nick P

        True, but what LiveCD will you use? There are a few distro’s that are most popular. Usually, I see people booting an Ubuntu LiveCD. Even if these become popular, the limited window of opportunity will stop most unsophisticated attackers. However, serious attackers who have a known vulnerability are just as dangerous to a LiveCD as to a standalone system. Here’s how: upon exploiting the LiveCD, they try to get high privileges. The software that get’s high privileges roots the BIOS. (There’s a recent paper on doing this, although BIOS attacks are pretty ancient.) Computer is reinfected every time the firmware is run.

        The best approach is a dedicated, extremely hardened system w/ a LiveCD or LiveUSB running an isolated browser. One scheme I came up with for lay people was using a KVM switch and a little PC like VIA’s Artigo for the isolated task (e.g. banking). A trimmed down version of Fedora w/ SELinux or Hardened Gentoo could be loaded upon power up, loading the web browser immediately. User goes into private browsing mode, does their business, then shuts down (or restarts). This is actually quite easy and compromise risk is minimum. QubesOS or Red Hat Virtualization w/ hardened, stripped browser VM are also options, but less assurance.

        1. Terry Ritter

          @Nick P: Thanks for your comment!

          “but what LiveCD will you use? There are a few distro’s that are most popular.”

          Microsoft Windows is popular, but that does not make it a good security system.

          I have been using Puppy Linux for over a year, and am using it right now. Even my wife uses it.

          * The main advantage, of course, is that Puppy can be a LiveDVD, which is inherently far more secure than any hard drive boot from any OS whatsoever.

          * Puppy also supports Firefox, which gives the user many security add-ons and features which other browsers do not have. Particularly important are ways to manage certificate changes and detect man-in-the-middle attacks for SSL. Also important (although not unique) is LastPass for individual, long, random passwords.

          * But the real Puppy advantage appears only with use, since actual use involves updating browser, add-ons and configuration periodically. I update irregularly, but typically every couple of weeks or so.

          Puppy Linux supports writing new or changed files back to a new “session” on the boot DVD+RW. On the next boot, the newest files are loaded automatically, for the usual update effect. By only writing to the DVD just after updating, the system remains clean while allowing updates. In my experience, LiveCD systems which do not allow updates are almost unusable.

          “serious attackers who have a known vulnerability are just as dangerous to a LiveCD as to a standalone system.”

          Dangerous? Yes. “just as dangerous”? That depends upon quantifying for comparison things which are dubious at best.

          BIOS infection (hardware infection) is a serious risk for directed attacks. But very little malware is that sort of directed approach. Instead, malware is tossed to the winds and shows up wherever it shows up. Since about 91 percent of the time the new malware will find itself on a Microsoft Windows system, almost all malware is designed to attack Windows, and not Mac or Linux.

          The many Windows systems from across time form a single standard class for malware targeting. But there is no single BIOS, nor a single BIOS update process. There are instead hundreds of motherboard versions, which tend to fragment the target for ordinary malware. This will not affect NSA or their Russian or Chinese counterparts, of course, but it will slow down ordinary malware until they have no other choice.

          I have previously called for the FCC to type-accept computing equipment to be “difficult or impossible” to infect. Equipment and OS manufacturers should provide check systems to allow each owner to certify that their equipment has not been infected.

          Microsoft is especially arrogant in calling for a “health certificate” for individual users, supposedly to keep infected systems off the Net. Yet Microsoft does not supply any sort of check to allow owners to certify their own installations as uninfected and so suitable for online banking. Nor does Microsoft provide a LiveCD form for online banking. This is very sad.

          “The best approach is a dedicated, extremely hardened system w/ a LiveCD or LiveUSB running an isolated browser.”

          Surely, ordinary USB flash drives are more like hard drives than CD’s. Although it is quite possible to boot from a write-protected flashie, eventually, a software update will be required. When the write-protect switch is changed we now have an instantly-infectable pseudo-hard drive and all security bets are off. The whole idea is deceptively dangerous. I have lived with it and it was a massive relief to get back to the LiveDVD.

          1. Nick P

            I appreciate your reply. I’m going to reply to your post point-by-point because that’s how we do it on the blog I come from. 😉

            “Pupply can be a LiveDVD, which is inherently far more secure than any hard drive… whatsoever”

            Agreed. The main selling point is the read-only nature of the LiveCD’s. You mention the LiveUSB like a hard drive in security status. Then, you mention how Pupply Linux basically allows writeable CD’s. That disturbs me. That basically defeats the purpose of security-oriented LiveCD’s. Additionally, I don’t recommend LiveUSB unless it’s the write-only drives that certain manufacturers make. USB is only recommended for speed, not really thinking of typical USB drives if that makes sense. Whatever the boot medium, it should be read-only and immutable except in a very controlled way. Hashed or signed files on the HD come to mind.

            “BIOS infection (hardware infection) is a serious risk for directed attacks. But very little malware is that sort of directed approach.”

            That’s sounds good at first, but you don’t need many malware here. Most malware will support the approach of casting a wide net to catch as many as possible. Targetted approaches are focused on whatever works. If a target is valuable and you eliminate the low-hanging fruit, sophisticated attackers move to the high hanging fruit. We don’t need 45 different BIOS rootkits. Just a few will surfice for those that need them. Additionally, the main BIOS system in use these days is Phoenix. If they get the model NO of your system, they can derive a custom attack. However, Phoenix’s widespread use means they are a decent start. This attack is unlikely for the average [unimportant] person, but targeted attacks against high value assets shouldn’t assume attackers won’t use this. That’s why I mentioned it.

            The last point you missed the greater point. The mechanism itself wasn’t an important part of my proposition. May the best mechanism prevail. The importance was the concept: a dedictated device with an OS & TCB custom to what the app requires; non-DMA hardware connecting it; security-critical functionality & trustworthy user display on the hardened device. I prefer serial ports or ATA-2 (non-DMA) for communication b/c bypassing security system is harder. The device receives and checks communication from the untrusted device, let’s the user verify it, signs it, and transmits it via untrusted device. Compromising untrusted device can only hurt availability, not any other aspect of security. That these products are already on market and doing their job is a testament that this is the right approach.

          2. JCitizen

            I agree with Nick P.;

            I think the new Google netbook with ChromeOS is a good example of what he is talking about. That one has no hard drive at all, and only flash memory for filing. If one could assure the memory was emptied at each reboot, you would get a fresh browser/OS from the cloud each reboot. I’m sure their is a chink somewhere, as I am not totally familiar with the design, but it could possibly be better that a LIveCD, in that the OS could be completely updated between boots!

            You would still have session threats, because many legit merchant and even some banker sites are getting hosed with malware on their customer login pages. It is pretty hard to avoid disaster when that strikes. It happens more often with merchants of course; but their are a lot of small town banks and credit unions that don’t seem to have a clue how to secure a web-page or the server that dishes it up.

          3. Terry Ritter

            @Nick P:

            “The main selling point is the read-only nature of the LiveCD’s. You mention the LiveUSB like a hard drive in security status. Then, you mention how Pupply Linux basically allows writeable CD’s. That disturbs me. That basically defeats the purpose of security-oriented LiveCD’s.”

            Limited updates do not defeat the purpose of security, either in CD’s or any other storage. The critical issue is to prevent malware changes but not owner changes. Doing updates means making changes, so insecurity is possible, but not doing updates at all can be much worse (when flaws are found in the browser, for example). The confusion exposes the trivial model of “anything writable is insecure” as too simple to describe reality.

            There is danger in any update, but Puppy Linux boot DVD updating is vastly more controlled than either a hard drive or USB flash drive update. (It appears that of all LiveCD’s, only Puppy Linux has the DVD update feature.) (I use DVD+RW discs, which work better for me.)

            Simply not updating is not a solution, since browser flaws can be exploited even if the LiveCD has not changed. Not updating also prevents the owner from using available add-ons to provide security features far beyond the base browser. Not updating means not being able to customize the browser, or the presentation, producing a poor user environment.

            Out of the various possibilities, a Puppy Linux DVD+RW save, forced by the owner just after a fresh reboot and update, every couple of weeks or so, seems by far more reasonable and the lesser risk.

            “Whatever the boot medium, it should be read-only and immutable except in a very controlled way.”

            Strong control is exactly why the Puppy Linux boot DVD update is acceptable.

            “Hashed or signed files on the HD come to mind.”

            File hashing may come to *your* mind (like those in Microsoft), but implies a system to read and validate those files. That system must be in software or hardware or both.

            If any part of validation is to be done in software, that code needs to be stored somewhere where it cannot be changed, which is the original problem. If software could stop itself from being subverted, there would be no malware problem.

            If file checking is to be done in hardware, we have a deeper problem, because hardware does not know about files. Hardware knows about track and sector data blocks; the very concept of files is an OS issue, and the OS is what we need to bring in. So hardware to check files must recapitulate much of the detailed OS file structure code, and that had better not have any holes, and it had better never change. If it does, you will not be patching it easily, because if you can, you are back to the original problem.

            And then you need to deal with check failure, given that no OS is up. When the check fails, what is the user to do, since no OS is available? If the OS would re-install itself from CD on every session, we would not need all this stuff, and that is essentially what a LiveCD does.

            The complications are part of the reason why we do not have secure systems now. The suggested (and industry proposed) approach is baroque with an unnecessary over-reliance on crypto magic (although some will be needed). Complexity is the enemy of security, so complex security systems are inherently self-defeating. Most complexity could be avoided simply by creating hardware protection for an OS and boot area on the boot drive (e.g., hard drive or USB flash). The OS would need changes. OS updates probably would require installation by a LiveCD to avoid going through a compromised OS.

            “Most malware will support the approach of casting a wide net to catch as many as possible. Targetted approaches are focused on whatever works. If a target is valuable and you eliminate the low-hanging fruit, sophisticated attackers move to the high hanging fruit. We don’t need 45 different BIOS rootkits. Just a few will surfice for those that need them.”

            Attackers use a broadcast distribution to maximize their profits from ordinary users and small businesses. There do exist, of course, targets which are worth extensive work, but normally that takes actual interaction over a period of time as is typical of intelligence operations, not mere theft. The Google attacks apparently were for code, not cash. Recent oil-company attacks apparently were for prospecting survey data.

            The idea that hardware (BIOS) infection *can* occur is known. However, in contrast to the current banking bot infections, we do not see it. Once again, part of the problem is that we have no test which guarantees to find it. Still, there may be some around, but right now that is not our major problem.

            *After* we fix our major problem, *then* we can work on remaining details. Given the depth of the hole we are in, it is silly to insist that a solution must solve everything at once to have any worth at all. I have called for the FCC to type-accept computing equipment to both prevent and detect this sort of infection, but apparently I speak to an empty room.

            “The importance was the concept: a dedictated device with an OS & TCB custom to what the app requires; non-DMA hardware connecting it; security-critical functionality & trustworthy user display on the hardened device. I prefer serial ports or ATA-2 (non-DMA) for communication b/c bypassing security system is harder. The device receives and checks communication from the untrusted device, let’s the user verify it, signs it, and transmits it via untrusted device.”

            First of all, even if this were to work for banking, it would not kill the bot infection in the customer computer. The user would be left with a bot stealing:

            * All account ID’s and passwords and account contents.
            * All personal and business documents.
            * All email, past, present and future.
            * All personal information and even personal identity itself.

            We also have potentially embarrassing or incriminating data stored by attackers. The possibilities are endless. Although people on this blog are quite concerned about banking theft, the actual issue is much larger.

            Next, I am dubious that any such scheme can work. The 1-time 2-factor external dongle was supposed to stop all this, but did not. Why? And why would that not happen again?

            “Compromising untrusted device can only hurt availability, not any other aspect of security.”

            Sadly, computers are inherently trusted to some extent. Bot compromise can ruin lives quite independent of banking, and those dangers also apply to ordinary users, not just small businesses.

            “That these products are already on market and doing their job is a testament that this is the right approach.”

            You actually use the existence of a security product to argue that it gives security?

            Hundreds of claimed-secure ciphers across millennia testify otherwise. Every previous anti-malware product testifies similarly, since if any of those worked, we would not have a problem.

            Believing marketing claims is not a good way to understand security.

  10. LLou

    You’re the lone voice singing in the wind. I can’t get people to pay attention to this issue. I do the same with the tellers in banks when they ask if I want online banking — I tell them “It’s not safe, and you don’t want to do that either!!!” and am always amused at the startled look on their faces. One of them told me a huge number of retirees are using online banking because of the difficulty for the elderly to get to the bank.

    Did you see the article in The Register about the “new” OddJob trojan that is doing session hijacking of online banking accounts?

    http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D

    1. BrianKrebs Post author

      Hi Llou — yes, I mention (and link to) the trusteer blog post about 10 paragraphs down into the story.

    2. JBV

      Retirees’ online bank accounts are usually personal accounts that are well-protected by law. There are perks for direct-deposit like free checking. Identity/account theft isn’t easy to deal with, but the $$ is safe for them.

      1. JCitizen

        Dear JBV;

        I can personally attest, that crooks will compromise at least one of your local vendors, or online accounts, and at least try to spend some of your money, before the bank shuts your account down. This – even if you have your PC locked like Fort Knox.

        Some of these folks use debit cards, and if they don’t report the missing funds within 24 hours they get to eat the loss. There are also small time hoods in cracker land.

        1. JBV

          I don’t know where you bank or why you are required to report debit card loss within 24 hours to be made whole. That’s not my understanding of how it works – please elaborate on this?

          1. JCitizen

            That is the law where I live, and I’m not telling where for obvious reasons. It is in the US, if that will suffice.

            So far mine, and the law enforcement investigations show that one of my merchants was cracked and that is where the information came from, not my PC. Unfortunately we don’t know which one. Fortunately they didn’t get my banking information, and so far have not compromised my credit or personal ID.

            This is why I use an online secure credit card, that issues vaporous credit card numbers to the vendors, that don’t use paypal, so that if anyone else tries to use the card, the transaction is stopped in its tracks. The card number technically doesn’t exists and is only there to ID the true vendor.

            Next time, I will know which vendor/merchant got the shaft. It won’t be me if I can help it. I have paid for forensic IT services to examine my PC, and it was clean, so I’m sure I didn’t tip my personal data to the thieves. I have also locked by PC down even more since then. I take chances on methods of PC security, because my clients do the same, and I need to know the pitfalls. I only have one account accessible to electronic services, so I can afford to play with fire. So far, I use blended defenses, that don’t always rely on a clean PC, and have not gone the LiveCD route; I do recommend that to my business clients though.

          2. JCitizen

            Correction JBV; that is 48 hours; I didn’t realize I created a typ0 – I have dyslexia anyway. ; )

          3. AlphaCentauri

            I think he is referring to the fact that debit cards that are branded as credit cards do not have the same $50 limit on fraudulent charges if the card (or number) is stolen that credit cards do.

            Banks are not required to make you whole at all with stolen debit cards, but since they collect fees from the businesses where you shop and want to promote their use, they generally will reimburse theft rather than risk having their customers refuse to use them.

            I’m not familiar with the details of the consumer protection laws, but online banking is treated differently from using a credit/debit card at a business.

          4. JCitizen

            True AlphaCentauri:

            Many of the retirees in my community use debit cards because of the fantastic cash back deals they get from their association. Many of them don’t know about the time limit; but I got under the wire at just short of 48 hours, so they had to refund the money. They stated that they likely took a loss on that one.

        2. JBV

          @JCitizen and @AlphaCentauri:

          Thanks for the clarifications.

          I’ve always recommended having a separate CREDIT card, not linked to the bank where you keep your money, and preferably one like BoA that uses Shop Safe where you can get a one-merchant throwaway card number for online transactions. I use one of these for PayPal transactions, with a very low credit limit, because eBay only takes PayPal and I collect junk.

          My regular banking account issues an ATM/Visa card, but I only use it to get ATM funds at trusted locations, and only after tugging on the keypad, etc.

          Sorry about your dyslexia, JC.

          1. JCitizen

            That sounds very good JBV!

            That “Shop Safe” sounds a lot like my Online Secure Discover Card. They also provide a form loader for translations, which is at least a little safer. Probably won’t stop Zues criminals, but I’d like to see them try get away with trying to use the card number – NOT! I’ve had merchants commit mistakes in handling these numbers, and even they can’t get their money! Discover will not issue the funds if the source doesn’t look legit.

            This rarely happens, but you also have to issue a new number everywhere when it expires. Not a problem for me. The good part is nothing gets on my hard drive unless it is encrypted – LastPass does it from the cloud over SSL – Rapport keeps the crooks from riding it into the institution. I’ve tested Key-scrambler against keyboard and video spys, and it passes the most stringent standards; but I haven’t tested Rapport with the same tools yet, but Rapport is configured to accept only these, above mentioned, utilities.

          2. Nick P

            Excellent advice! One advantage of using a separate credit card for higher risk transactions is the legal system. Credit cards have many, many protections that banks are legally forced to comply with. Most debit card protections are the bank’s promises, not the law. There certainly are legal protections for debit cards and other forms of payment. However, with a credit card fraud, the bank looses *their* money while things are sorted out, where *yours* is safe in your checking account.

            Credit card purchases also get nifty legal protections like the no-strings-attached stop payment option used within 60 days of a purchase or the “good faith” stop payment that can be used any time after a purchase. This has proven useful for me for more than one unscrupulous merchant. Just make sure you send all of these complaints, reports of it being stolen, or stop payments in writing, via *certified mail*. This prevents them from “accidentally” loosing your stop payment request.

        3. Yar

          In the case of Bank of America, they offer an Online Banking guarantee of $0 liability for their retail and Sole Prop customers. Since we already cover this for our customers anyway, we will offer the same guarantee before long at my bank. It’s really only clever marketing, as it has the same requirements as Reg E.

          See it here:
          http://www.bankofamerica.com/onlinebanking/index.cfm?template=guarantee

          For this reason and Reg E, personal customers don’t need to and therefore often do not worry as much about online banking security as they should. This basically means the onus falls squarely on the bank no matter how many personal customers are compromised, how often, or for how much money. This can already be expensive for smaller banks.

          All of this is completely unrelated to the case at hand, of course. Business customers are not covered by Reg E, and therefore run into this burning building headfirst and already on fire. The solution we currently recommend to our business customers is a linux live CD which is booted, used only to log into online banking and perform transactions, then removed. While we do not supply the CD’s, we offer a wealth of information on how the process helps protect them and lots of reputable places from which to download the distro.

          We also offer security seminars to all of our business customers to assist them in strengthening their defenses. Our primary recommendation? Implement a live CD using linux and use it specifically in this way.

          Unfortunately, I have no numbers on how many actually take it to heart, but Education is the best weapon we currently have as a community bank. The risk analytics which are the cutting edge of bank security would be nice, but they are very resource-heavy and expensive.

          My bet is the risk-reward ratio for implementing a resource-heavy analytics system in small banks will continue to be too poor for small banks unless the Federal government pegs liability for business losses on the banks rather then the end users. Should this be done? I’m probably picking a fight, but I don’t think Reg E should change to protect all business customers, as it easily allows businesses to grow even more lax in their security practices. This is too important a matter to simply pass the buck to the bank. and make them cover all losses.

        4. Al Mac

          I do not know if this is still the case, but once upon a time some banks had a policy against a customer having an account which was not on-line accessible.

          A person, I am no longer in contact with, so I cannot do follow up details, said that one of his customers was using Quick Books to manage Internet Banking with him, and that there’s virus vs. Quick Books, so that now all the people doing business with the infected QB place, were getting their bank accounts drained.

          So he goes to his bank to get his account taken off on-line, while he works on getting replacement accounts, but although his branch bank arranged for his account to be not on-line accessible, bank HQ assumed that was in error, due to their policy for all commercial customers to be on-line accessible, and put it back on-line. So while he is assuming situation fixed, his account still being drained.

          He says he switched banks, suing first one.

  11. JBV

    @Terry Ritter:

    “For improving online security, nothing is more important than getting off of Windows.”

    Maybe the reason that most malware attacks MS Windows is that most computers use it. It’s a lot easier to bag a duck when you are shooting at a big flock of them.

    1. Terry Ritter

      @JBV: “Maybe the reason that most malware attacks MS Windows is that most computers use it.”

      I have said similar things in my articles and on this forum many times. All large, complex systems will have exploitable faults, including Mac and Linux, and even years of patching cannot change that.

      But for those who simply wish to *avoid* malware, rather than understand it, the reason *why* Windows is the target may not be important.

      “It’s a lot easier to bag a duck when you are shooting at a big flock of them.”

      It is a lot easier for a duck to keep safe when flying apart from the target.

      1. JBV

        Can’t argue with you about that, Terry. But for me, it’s a lot simpler to just use MS products, and to be very, very careful about what sites I visit, what emails I open, keeping security software up to date, and not clicking on links. Unfortunately, most people don’t consider any of these.

        That said, if I were using a computer for business purposes, I’d hire you as a cryptographer, Brian as a consultant, and get a separate dedicated computer with all the layers of protection you’d recommend.

      2. AlphaCentauri

        If as was mentioned, a bank’s website requires IE with ActiveX enabled, is it even possible to do online banking with an operating system other than Windows?

        1. Matthew Walker

          Yes its possible however spare a thought for the entire country of South Korea where until recently the government mandated ActiveX for all online transactions. Google even needed to make a special version of chrome for Korea with ActiveX support.

        2. JCitizen

          It matters not to my clients, who will use Windows, and IE no matter what I say, so I continue to attempt to help them in anyway I can. That is what IT consultants do. I don’t think anyone in this discussion would be guilty of snide judgmental criticism in this instance.

          Besides – in principal – who are the criminals to dictate what OS I use? I prefer to get in their face and fight them to what I hope, is at least a draw!

  12. Phoenix

    Some of us might be a little safer now. Microsoft just released Windows 7 Service Pack 1.

    1. JBV

      Got half an hour to waste? Here’s what MS says is included in SP1:

      “Windows 7 Service Pack 1 is a recommended collection of updates and improvements to Windows that are combined into a single installable update. The service pack can help make your computer safer and more reliable. A typical installation will take about 30 minutes to complete, and you will have to restart your computer about halfway through the process.”

      “What’s included in Windows 7 Service Pack 1 (SP1)
      Windows 7 Service Pack 1 (SP1) is an important update that includes previously released security, performance, and stability updates for Windows 7. SP1 also includes new improvements to features and services in Windows 7, such as improved reliability when connecting to HDMI audio devices, printing using the XPS Viewer, and restoring previous folders in Windows Explorer after restarting.”

      Assuming your safety updates are current, there’s not much here, imo.

    2. Nick P

      You’re not safer because the attack vectors are still there. Social engineering, malware, poor configurations, and session hijacking still work in SP1 whenever an opportunity arises. The problem is more fundamental to how online banking works. Quite simply, the overall protocol and implementation suck. The design intentionally trusts untrustworthy things. That’s always bad if large sums of money are on the line.

  13. Nick P

    We’ve discussed these issues often on Schneier’s blog. Every good solution requires a way to interact with client software with a compromised PC and some unique credential for each session. I think the best scheme is an external device that receives the transaction details, confirms the bank signature, asks for user confirmation, signs it with an onboard key, and sends the result back to be bank.

    The effects are that the bad guys can’t spoof the transaction data and can’t authorize something on their own. Physical attacks or advanced social engineering become the only remaining attack. This is essentially a trusted path and it’s missing in all mainstream OS’s for doing anything more than logging in. There are commercial products on the market already, with some required in Belgium I think.

    There are also other approaches. A secure microkernel that isolates some apps while running others in the untrusted mainstream OS, equipped with trusted path, can also do this. A eCommerce signing app was demonstrated in the Nizza Security Architecture and the now obsolete Green Hill’s INTEGRITY Workstation supported this capability. IBM’s Zone Trusted Information Channel uses a clever USB dongle to allow the user to see the transaction & authorize it with one button press. Then there are methods combining dedicated hardware trusted path I mentioned before with a PKI-enabled smartcard and user PIN. This ended up being my preferred solution and is also implemented commercially, I believe.

    All of these designs are MUCH harder to compromise. The microkernel approaches have already been proven in commercial practice. The hardware trusted paths have also been tried and true. Just waiting on US banks to implement them, by choice or government decree. European deployments of these technologies proved they are relatively affordable, with the user-side being a few bucks for the smart card w/ PC software and around a $100 for dedicated hardware. So, yeah, if *they* can do it, *we* can definitely do it.

    1. Nick P

      @ guy who gave me -1

      I see you just neg’d my post. What specific criticisms and/or evidence do you have against any of my claims? I’d like to hear specifics rather than “this is just bad somehow in my opinion.” Please forgive me if I don’t trust your intuition alone…

    2. JCitizen

      Very interesting Nick P; as I alluded to elsewhere on this page; the kernel space is the new frontier of IT security. I’d like to see more articles of the devices and technology you mention here!

      1. Nick P

        One-upped for your enthusiasm to learn new approaches. (Rare in this industry, for some reason). Here’s a few links to some papers that cover some secure architectures. Most of these rely on a highly verified kernel and controlled information flow to provide a higher assurance level.

        Nizza Security Architecture (implemented)
        http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.65.999

        Lessons learned from GEMSOS high assurance OS
        http://www.iwia.org/2005/Schell2005.PDF

        Covert Channels Example: Processor feature breaks security
        palms.ee.princeton.edu/PALMSopen/wang06covert.pdf

        IBM’s ZTIC dongle at UBS banking
        http://www.youtube.com/watch?v=RGjfWza0Pj8

        That I know of, nobody has designed a system meeting my requirements. The cost wouldn’t be that high, so I’m not sure what gives. Market forces perhaps…

        1. JCitizen

          Thank you Nick P!!!

          I shall follow everyone of them, this weekend! 😀

    3. Clive Robinson

      Nick P,

      Yup we have discussed it at length.

      Just for others the problem is what do you authenticate how and why.

      Most systems only authenticate the comms channel not the transaction.

      And even when the transaction is auuthenticated it is not done properly.

      Further to be secure the transaction authentication has to be through the user otherwise the method can be fairly easily subverted.

      The anoying thing about this as far as I’m concerned is I’ve been saying it for a very very long time (think 1990’s) and I identified nearly all of the threats we see and showed how other lesser systems could be defeated.

      So the question some people should be asking the banks is “why are you still building and pushing systems that are publicaly know to be broken?”

      For those that want to know how I do online banking the aswer is simple “I don’t” and I won’t consider it untill the bank does it properly (which is none of them do currently in the UK or it appears the US).

      If people want to know more about it then have a search against my name on either the Schneier or lightbluetouchpaper blogs and have a read through it.

      1. Nick P

        Clive!? My partner in crime [prevention] from that *other* blog!? Didn’t expect to see your name on a reply. Perhaps our engineering discussions will spill over to this blog and help a few more people out. I just started reading this blog after all those ATM skimmer reports. Imho, Krebs is talented and productive enough that following his blog regularly seems like a good idea. 😉

        1. Clive Robinson

          @ Nick P,

          Yes I do browse through here quite often though a lot of the stuff does not “require my thoughts” on.

          However I get shunted of to the m.krebsonsecurity.com site and it does not work as well (things like the thumbs don’t work and the reply txt box comes up on this Android phone as two lines of about 25 chars).

          But hey that’s the price of connection from your pocket 😉

          1. Nick P

            Perhaps you should just surf the site on your PC and use the mobile-friendly sites when using your mobile. Just a thought… 😛

  14. andy1

    I see the comments about liveCD’s – however, I’d like to know about using something like ubuntu in virtualbox on windows. Is there any way that your session inside virtualbox can be hijacked from the OS? I was hoping someone would post about this but haven’t seen anything about it.
    Thanks!

    1. JCitizen

      @andy1;

      Me personally, I’d rather see windows virtualized on Linux, but that is just me.

      I’m not sure I understand the process, but some malware are virtual aware, and will attempt to thwart the protections subsequently. I don’t remember how, but their are a lot of articles on that at TechRepublic if you Google it.

      From what I understand, if you going to to VM, it is better if it is hardware based. You need to ensure your CPU is qualified for this, even if you use Linux for it.

      Perhaps some one will weigh it and correct me.

    2. Terry Ritter

      Hi andy1!

      “I’d like to know about using something like ubuntu in virtualbox on windows. Is there any way that your session inside virtualbox can be hijacked from the OS?”

      Using a Linux in a “virtual machine” on Microsoft Windows for online use is an exciting idea, which, if it worked, could be game-changer for Windows users. Unfortunately, I do not see that it solves the real problem. Even a “virtual machine” depends on the underlying OS for construction and continuing support. The modest hardware virtualization support built into modern CPU’s does not avoid the need for OS support. A “virtual machine” is a software construct in main memory, and not an independent processing entity.

      If Windows already has been compromised, it may not construct the virtual machine structure as intended. In general, if we cannot trust Windows, we cannot trust anything Windows does, or anything which depends upon it. And we have no tools to certify that our Windows installation can be trusted.

      A compromised underlying OS also will have access to the virtualized memory and so on. Finding the appropriate areas and reading and writing them like a video screen will not be hard, and that is your hijack. But, really, the alternatives are legion. Fixing that issue is not going to solve the problem.

      1. andy1

        That’s kind of what I was wondering – it sounds like there may be ways to intercept the typing and the screen content since it is software based. Though I’m also thinking it would take some doing by the attacker to synchronize to exactly the particular hardware and virtualization setup, rather than say IE in regular windows.

        @Jcitizen – thanks, I’ll take a look at techrepublic when I have a chance.

      2. xAdmin

        @Terry Ritter,

        “we have no tools to certify that our Windows installation can be trusted.”

        I’ve seen you use this repeatedly and it is patently false and needs to stop. If it were true, then it would apply to any OS and/or software, including a LiveCD and thus you could not vouch that even it could be certified and trusted.

        1. Terry Ritter

          @xAdmin: I am glad you pointed that out. It is time this got on the table:

          ““we have no tools to certify that our Windows installation can be trusted.”

          I’ve seen you use this repeatedly and it is patently false and needs to stop.”

          That is a very strange response: Those who claim my statement is “patently false” surely must know of a tool which DOES certify such trust. That tool would find every possible malware, and would never miss any. I want one!

          Well, OK, just trot it out. But without an example, you only prove my point: There is no such tool.

          (In fact, probably nobody but Microsoft could build such a tool, and only then after significant changes to the current Windows design.)

          Not only will this NOT stop, it will intensify, for this very issue is the essence of our problem: If we had a tool which could certify that Microsoft Windows had not been infected, we could simply use that before starting online banking. In principle, that would solve the banking bot problem. Thus, we continue to have a problem only because the tool which I claim does not exist, actually does not exist.

          “If it were true, then it would apply to any OS and/or software, including a LiveCD and thus you could not vouch that even it could be certified and trusted.”

          Even Microsoft Windows is clean immediately after it has been installed. The problem is not Windows per se, but the fact that malware can easily change the OS or boot data without our knowledge. If everyone re-installed their Windows OS before getting on line, we would not have an online banking bot problem.

          In contrast, every LiveCD boot essentially IS a new OS install.

          1. JCitizen

            As far as I’m concerned their is no certified acceptable perfect OS; but steady state on Windows is just as good as a Live CD.

            The threats are the same as using a live CD. One thing for sure though, the malware will not affect the hard drive; only flash/firmware memory, maybe RAM(temporarily), and the current session. We’ve already been over most of that during this discussion.

            No wonder xAdmin is getting bored! 🙂

          2. Terry Ritter

            @JCitizen:

            “As far as I’m concerned their is no certified acceptable perfect OS; but steady state on Windows is just as good as a Live CD.”

            That is an interesting claim. To make it you must know both options fairly well. Sadly, I know very little about Steady State. The last time you brought this up I asked for details and basically got a link and crickets. So how often do you use it?

            When I talk about using Puppy Linux booting from DVD, I describe something I use every day, all day (including right now). Actual use is different than I expected to be. We often need to update our preconceptions when we actually use something.

            The reason sandbox schemes (including “virtual machines”) have not solved our problem is that they must assume an uninfected OS. But many, perhaps even most, customer machines are in fact infected. So there is no way of getting around a full OS re-install for these things to be trusted, and that is vastly different than a simple LiveCD boot. I suppose the claim is that a single re-install is all that is needed for Steady State, but then we need to talk about updates.

            This is not the Windows98 old days. It has not been acceptable to simply ignore browser updates for a long, long time. Personally, I would find any system without effective browsing security add-ons and a configuration update process to be not worth using.

            Maybe you see things differently, and maybe some users would feel as I do.

          3. JCitizen

            Dear Terry:

            I used something just like it called Deep Freeze at my local learning institution. In the ten or so years the college has been using it, they have only had one breach, and that was a networking hardware configuration problem.

            The only pain is unlocking the drive every-time you install something, and I have to update my anti-malware/AV first to make sure I don’t catch anything during the update/install sessions. It was a real pain in the bum, because I try software all the time, so I dumped it. I do recommend it to my XP clients. Microsoft quit offering it with Vista/Win7.

            Most of my clients are pretty unsophisticated, and won’t go that far to do the ultimate in security, so I figure I might as well simulate their environment. I run a honey pot lab, and with steady state, things got REAL boring! So I run the minefields wearing the same boots my clients do, so I can keep up with the mitigation that will happen eventually when you do that on the web.

            Steady state was offered for free for all Windows XP users; I don’t remember if it works on W2K.

    3. Clive Robinson

      Andy1,

      The simple answer is that while the contents of a virtual box may not get “owned” the OS is still responsable for providing it with I/O in a lot of cases (although some systems used to alow direct writes to hardware).

      So if you consider the base OS getting owned and the case of a keyboard and display driver “shim” being installed then the malware controls what you see from the virtual box and what you type into it.

      However there is still the question of how the I/O shim can recognise from just the IO what is running in the virtual box.

      So I would rate this one as “theoretical” at the moment.

      But I said that about IO shims in 2000 and low and behold less than a decade later they where for real changing bank balances displayed on screen.

      @ Nick P,

      what are your thoughts on this.

      1. Nick P

        Well, this seems to be a instance of two different problem areas: TCB and trusted path. I’ve been hammering on about both issues for a while, especially trusted path. For people new to high assurance, a trusted path is a way for the user to interact with the system whereby they know for sure their input is going to the right application and they know which apps have their input. Certain high security designs have these as a requirements, like certified XTS-400/STOP and the open source Nitpicker GUI. They usually have control of the hardware for input and screen, reserving part of the screen to show which app has focus and only giving that app the input and displaying its output. This let’s you know nobody is intercepting your password, you’re seeing the right transaction details for what you’re authorizing, etc. No mainstream OS has this capability in a truly useful way. VM’s on a mainstream OS don’t either. 🙁

        The TCB is the Trusted Computing Base, or what a given piece of software depends on to meet its security requirements. In microkernel designs, this can be as little as 7KB (seL4 size estimate). Mainstream OS’s are often 10-15MB before you count software libraries and stuff. For a virtualization setup, the TCB is the hypervisor + host OS / middleware + VMM + guest OS + guest OS middleware + any dependent third party libraries. Holy crap that’s a lot of code! Problems in any of these may result in a security vulnerability for software in the guest VM. Any root or kernel model compromise will result in the ability to subvert the VM. The best way to reduce bugs is to reduce code, so the TCB should be very small. Like in the QNX Neutrino system that’s powering your lifesupport, Clive. 😉

        The issue you described just seems like a side-effect of violations of these two principles, or a lack of a critical feature in the case of trusted path. That there are free open source implementations and corporate designs still don’t copy them angers me quite a bit. QubesOS is an example of a good design with a somewhat low assurance implementation that people can use now. Expect to see many more “symptoms” whenever companies fail to follow fundamental principles of INFOSEC.

  15. xAdmin

    These articles are getting old. It’s always the same story and same reaction; the theft is a direct result of a compromised end user computer, the finger pointing ensues, and solutions are proposed ad-nauseam. 🙁

    The solution is simple and a matter of the old axiom, “An ounce of prevention is worth a pound of cure.” Prevent the infection of the end user computer and the rest never takes place! End of story. Let people live and learn this concept and take their share of the responsibility and consequences when failing to do so.

    1. AlphaCentauri

      True it’s old, and most of the regulars here know all the issues. But every time Brian publishes one of these, a few more new visitors to the site get their eyes opened.

      We may have felt our stomachs turn when the details of the “Banker Trojan” were first described, before any of us had heard about the resulting infections, but the personal stories are more compelling for people who don’t understand the technical aspects.

    2. Clive Robinson

      xAdmin,

      Unfortunatly your sugestion about preventing the users machine being infected is an impossible goal.

      Seriously you cannot 100% protect a user PC or any computer for that matter.

      It is a subject that both Nick P and myself have debated with others for quite some time now.

      And the argument boils down to the fact that any Universal Turing Engine (UTE) will be vulnerable and due to the work of Kurt Godel it can be shown that any UTE cannot show it is infected whilst it is in operation.

      1. andy1

        sheesh, well there’s a conundrum. You don’t know you’re infected until you notice money streaming out of your account a week later…
        I guess that’s why the responses veered to debating about infections at the kernel level. It seems like there’s just not any perfect way to know exactly what’s going on “under the hood” whether you’re in windows or linux or osx…

        1. Nick P

          Well, there is and isn’t. Clive and I’s debates are usually over high assurance design where one wouldn’t think a breach would ever occur. Certain techniques can produce such a high confidence system using plenty of time and labor, although certain attacks remain (mainly emanation attacks). However, for typical businesses, medium robustness (cross between high and the norm) is good enough. An example of this level would be EAL5-6 on common criteria or Orange Book B2-B3.

          There are only two systems still targeting this level: Boeing’s XTS-400/XTS-500 line using their STOP operating system; the research OS called MK++, a version of the Mach kernel. At this level, kernel code is *extremely* minimized and intensive use of layering and modularization of OS components is used to prevent bugs and ease analysis. The requirements and design are also very precise and must be proven to correspond with no extra or missing code, followed by a proof of correspondence between design and implementation. Mathematical models and proof may be used for higher levels. Covert channel analysis must also occur to identify and minimize unauthorized communication between apps that shouldn’t communicate.

          Look up the XTS-400 and STOP OS; predecessor SCOMP; GEMSOS; LOCK w/ type enforcement. These all were certified to very high assurance levels and two could run legacy UNIX/Linux apps. Try to get papers on it and see it’s architecture. Microkernel architectures also allow systems to monitor themselves and restart components that fail or are compromised. QNX, INTEGRITY, LynxOS-SE, and MINIX come to mind, along with demonstrating good design. On the Linux side, look up SecVisor. It sits in Intel’s hypervisor mode and prevents writes to Linux kernel mode code. It was mathematically verified and is so small that further bugs are unlikely. The SourceT OS from Secure64 uses a reverse stack (like ancient Multics) and Itanium’s custom features to prevent malware infection. Finally, Bodicon’ Hydra firewall has a custom OS that makes malware infection nearly impossible.

          So, it’s definitely doable. Commercial systems exist that provide a nice level of assurance, good performance, and legacy compatibility using emulation. Windows, Linux and Mac don’t do this due to their design (and partly to legacy reasons). It’s inconvenient for the “Linux is secure” crowd but these systems are just too complex and their code too bloated to every prove secure, much less that they haven’t been subverted.

          1. Clive Robinson

            @ Nick P,

            It’s an odd coincidence that you should mention QNX.

            I’m currently in a hospital bed (yet again) having drugs and blood pumped in under the control of one machine and my “obs” or vital statistics being shown on another. Both use QNX as the base OS…

  16. Nick P

    Appreciate your reply. It’s quite a thorough look into the issue. So, I’ll take it point by point.

    “The critical issue is to prevent malware changes, but not owner changes”

    Well said. Updates are very necessary and will require some writeable medium. The model of “anything writeable is insecure” does describe reality well if an assumption is made by the software reading data: the storage medium is trustworthy and wasn’t altered in any way. That’s the problem. An update should occur in a clean-booted medium, with nothing else going on. For instance, Puppy would be reloaded from the DVD with no services running and firewall fully up. A trusted app would, over a secure connection, download the updates and verify their integrity. Then, the updates would be applied and DVD rewritten. It might also be a plus to disable DVD writing except in update mode.

    “Puppy Linux boot DVD updating is vastly more controlled”

    This may be true. I don’t know exactly how the update process happens. I don’t know how easy it is for an infected system to root the LiveCD during an update. Maybe easy, maybe hard. An example of a scheme where it would be easier would be if the update modifies files in the RAM disk, then calls a script or program to activate the burning process. All malware need to do is replace that file with one that roots the newly updated kernel and then calls the burn process. Many rootkit type malware are already capable of surviving an update, so this is worth looking at. But, again, I can’t say anything specific about Puppy’s update process except it’s provides less assurance than truly read-only mediums created by a locked down PC that does nothing but download updates, verify them and make LiveCD’s.

    “if any part of validation is to be done in software… code needs to be stored somewhere where it cannot be changed, which is the original problem”

    That’s actually a solved problem. We already have read-only memory for firmware, write-once USB sticks, and CD-ROM’s/CD-R’s that can’t be rewritten. Also, the software it takes to do a trusted boot is simple and need not be updated/changed much. For example, this capability was present in Orange Book A1-class systems over a decade ago. Today, you still can’t root those systems without physical access. As for software, the eXecute-Only Memory (XOM) system, properly implemented type-enforcement, microkernel+MMU+IOMMU, and microkernel+MMU+TPM methods already allow two things: firmware to run unmolested; trusted boot of main components; trusted update; prevention of malware from modifying code of trusted software.

    Simple example: App 1 and App 2 are in user mode running on OKL4 open-source microkernel. App 1 is a trusted, important app. App 2 doesn’t have the “capability” required to write to App 1. How exactly will App 2 corrupt App 1? It can’t w/out subverting or breaking OKL4, a small, highly robust software in kernel mode. In this model, apps can’t do anything with each other except via messaging passing by the kernel. They just ask for stuff and will be denied if they violate the security policy. Both Perseus and Nizza Security Architectures apply this principle in general to isolate critical apps and processes from untrusted apps. Please look at the links to see why this is basically a solved problem and just hasn’t gone mainstream.

    Nizza Security Architecture
    http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.65.999

    Perseus Security Architecture (now Turaya Desktop/Kernel)
    http://www.perseus-os.org/content/pages/BasicSecurity.htm

    “The user would be left with a bot stealing…”

    Red herring. That’s a different problem with a different set of solutions. This thread is about banking, specifically knowing you authorized the transfer you think you authorized. My proposed solution should do this with decent assurance.

    “2-factor external dongle was supposed to stop all this”

    Said the snake oil security industry. The problem was the transaction data was still presented by the untrusted TCB, allowing the user to be duped. They basically said “Our product will allow an infected PC in control of the verification and transaction details to do its job.” Knowingly making designs trust easily compromised entities is common in the security industry and works thanks to buyers being non-technical, technical types not being security gurus, and plenty of bad marketing. I never bought into it. In IBM’s ZTIC model and in my scheme, the untrusted TCB is just a transport mechanism for encrypted, authenticated data. The verification of transaction details and signing happens on a dedicated, locked down device.

    “You actually use the existence of a security product to argue that it gives security?”

    You were on a role then said that. That’s a strawman argument because I never said the existance of the products proves their security. I explained a general approach, along with a specific design, that provides security through careful engineering. Then, I said there are products on the market that take a similar (or same) approach. Quite far from your characterization of my statements.

    “every previous anti-malware product testifies similarly… believing marketing claims is not a good way to understand security”

    And this is a red herring. My beliefs and practices are derived from years of experience and study in security engineering, software development and pen testing. I’ve never claimed to believe something because of marketing and on Schneier’s blog I’ve bashed plenty of products, even those I like, because of false marketing claims. An example was Green Hill’s saying INTEGRITY RTOS was certified EAL6+, when a limited subset INTEGRITY-178B got certified. I bashed them until they took it off the web site and now they say INTEGRITY is “in the same pedigree as EAL6+”. INTEGRITY is a great product and has a high assurance design, but implementation isn’t high assurance.

    I didn’t buy into or mention anti-virus marketing and, if asked, i would tell you it’s impossible for them to stop all malware because their security is based on the assumption that an algorithm can determine if a given sequence of bits is good or evil (see Evil Bit paper). Every recommendation I’ve made takes a proactive approach that limits attack surface, manages system state, implements a separation paradigm, and enforces strong information control policies.

    That said, we do agree that believing marketing will give a person a serious misunderstanding of security. If anything, one of the greatest sources of my problems in getting higher assurance systems into business and public use is the decades of marketing the managers have heard. The think monolithic OS’s are the best or only approach, that UTM’s make their network secure, etc. etc. It’s an uphill battle. I love showing them how I can beat their expensive Data Loss Prevention system with a Linux PC and a firewire cable (or USB keyboard device). It baffles them that their “secure” systems were compromised and insecure by design, no matter how well configured, updated or whatever. Must bake security in from the start at every level. Most systems don’t do this.

    1. Tony Smit

      You need a computer dedicated to clean updates to the bootable disk. That computer is connected to the Internet only for the time it takes to download the updates. A new disk is burned with the prior setup and the updates installed.

      This way you always have a prior disc to go back to if trouble occurs. What changed and when ?

      DVDs are cheap, two 100-packs cost less than $50.00 – you could burn a new update every business day for a year (excluding weekends and holidays), or you could burn a new update once a week for four years.

      1. JCitizen

        Didn’t I read somewhere that there is a version of Puppy Linux that updates everything on the OS during the session, without navigating to any site?

        That would hold one over for a while until a new disk was necessary.

        I agree that CDRs are cheap, especially compared to the dangerous alternative of having your account pwned!

      2. Nick P

        Nice, Tony, but I’ll add to it. The computer should NOT be connected to the internet. Instead, a different computer should download and hash the updates. Then, these should be sent to the computer that makes the boot discs and verified it. If the Internet-connected computer has a TPM, the system’s integrity could be verified before hashing the updates and the TPM could sign the hash. The bootdisc making computer then verifies it with more assurance.

        The main point is that the computer making the boot disc is the root of trust for the schemes we were discussing. And the root of trust should never be connected to the Internet unless it’s a high assurance design. POSIX, TCP/IP, and all these complex code bases can be removed if this principle is used. For additional security, the design can feature only a ATA port for external data transfer in mode 3 I think it is. This is basically a serial port with no DMA and 20Mbps transfer speed. A simple OS, non-DMA hardware and a simple messaging protocol means the root of trust PC doesn’t have to trust the devices connected to it.

        1. JCitizen

          I’d gladly pay a fee to have newly updated CDs for Puppy Linux sent to me; much like buying the disks at On-Disc except auto shipped. I trust the folks over there; seems like a good way to make money for the project!

          I should think this scheme would greatly assure safe copies for those of us who don’t have the fancy hardware/protocols/knowledge to do it the other way.

  17. Nick P

    The above comment at 2:54pm, Feb 26 was directly at Terry Ritter. For some reason, there was no “reply” button at his post and the @ terry part was lost during some revision. My bad.

  18. Yar

    As an Online Banking Support specialist, I will say that any solution which you might present to a customer has to be easy and fast. Any substantial inconvenience, cost, or loss of time is perceived as a greater loss (read: Pain in the —) than any threat of perceived fraud by the average customer.

    Why is that? Because the customer does not believe it will happen to him or her. Period. Most of them believe that account takeover and online banking fraud is something that happens to escrow companies and huge cash customers. They believe this because they don’t know a lot about computers, and they like it that way. They focus on the business they are in, and leave the computer stuff to us.

    For that reason, they are more receptive to an easy, elegant solution that doesn’t cost them a lot of money and that they can feel confident will work the same way every time. That’s where the Live CD shines. If the Linux distro is small, such as Puppy Linux, it loads reasonably fast and can be placed on an unwriteable medium. There’s no reason to keep the OS on the Live CD updated with every security update, because all you’re doing is navigating directly to your online banking, doing your business, and logging out. Once you’re done with that, who cares what you do, as long as you reboot when you’re done?

    For the average layman, who is my average business customer, it is far easier to use a solution which is inexpensive, self contained, and easy to use. Plus, it requires very little maintenance to remain effective. That is why I recommend it to my business customers.

    Some of the IT guys here at the bank think the Live CD is overkill for the average customer. I think that’s ridiculous. For the cost of a CD and a little bit of time, a customer can have a working solution for preventing fraudulent losses from their Online Banking. It may not be perfect, but it is effective.

    1. JCitizen

      Thank you for your contributions here Yar!

      The only question I would have, would be, “Do you ever send out updated LiveCDs”

      Most IT techs, would appreciate at least an updated browser. Of course the browser could be updated, every boot up – I suppose. And for that matter, the OS; if a reboot weren’t necessary.

      I thought I remembered reading about a version of Puppy Linux that did exactly that?

      1. Nick P

        You’re very welcome! And of course I send out updated LiveCD’s! Updates should occur monthly and immediately for fixing very critical flaws, like the DNS vulnerability or SSL vulnerabilities. Updates are a good way to turn an unknown liability into a small, regular cost (the updating process itself).

        Someone else with hands-on experience usually makes them, though. I work at the design level of projects, although I know some low level stuff in order to spot problems there. The LiveCD’s are made to be highly resistant to infection and to isolate the browser from the system software. I also usually recommend CD-RW’s or DVD-RW’s to reduce costs and increase the rate at which updates can occur. The software on the DVD’s doesn’t have burning functionality and users are instructed to power off if they hear the distinctive sound of a burn in progress.

        A way to cost-effectively copy them is to get a mass-copier for a few grand, make one LiveDVD-RW, and then let the machine copy it to a bunch of others. This largely eliminates the labor involved. It takes time to create a ton of LiveDVD’s, so the discs would be distributed to people in a prioritized fashion based on how critical their job function or data is.

        Although, for businesses, I prefer thin clients for the users and two different networks of virtual machines on the server side: one for internal applications; one for anything connected to the internet. These should communicate using a sort of cross-domain technology that verifies the content, maybe with a security administrator involved for certain file types. There’s some good automated software on the market for this from defense contractors.

        1. JCitizen

          Thanks Nick!

          That is pretty much the way I envisioned it!

          I know what you mean about DOD type solutions, Trustifier beat everything the Army could throw at if from the PDF I saw from the last competition.

          It is just a matter of building trust for the developer.

          And of course, we’ve seen the jokes about military IT security! *snicker*

          1. Nick P

            A word of caution: be careful with Trustifier. I’ve been looking at it on and off for corporate security for a while, but I’m not sure it can adequately protect against kernel-level attacks (which it was partly designed for) and definitely not hardware attacks corporate spies love. Rob Lewis, a trustifier evangelist, has been to schneier blog plenty of times and I told him matter-of-factly why his product doesn’t meet EAL6 or whatever he said they could certify it to. You might be interested in the discussion. Type these words, including quotes, into google: “Rob Lewis” “Nick P” “Clive Robinson” “trustifier”

            Again, I’m not saying it’s bad. But, if you read their claims and you read the nature of the DOD evaluation, you’ll see some serious discrepencies. The Red Team used very traditional techniques, like a sploit running root, to attack a cross-domain document viewer running Trustifier. Cross-domain is a classic MLS problem which has at least half a dozen fool-proof systems and plenty others that are good. It’s just ridiculously simple to implement the security policy, even with something like Bell Lapadula. That a cross-domain solution’s MAC controls couldn’t be circumvented by user-mode processes isn’t a big claim.

            However, if you look at their web site under Ryu, you see much bigger claims (and many weird metaphors). You look at Trustifier and you see tons of claims, with a mention of the DOD testing as if it proves those claims. The only thing the Red Team proved was basic hacking and privilege escalation couldn’t beat Trustifier’s security using a kernel with no known flaws and on a well-understood, [relatively] easily solved problem. I’d LOVE to see the Red Team take on Ryu, the web server + application security server + application firewall + more. My money is on Red Team. However, I’d love to see the company integrate Trustifier with a highly robust OS like INTEGRITY or even QNX, where most OS components are deprivileged user-mode processes.

          2. JCitizen

            @Nick P;

            You took the words right out of my mouth there Nick! Lewis approached our think tank, and we were naturally skeptical. The biggest concern was that the developer was a Pakistani national living in Canada; and we just can’t go very far trusting someone from an enemy country! Sorry! That is why I didn’t say anything about it, because I am not racists, or prejudiced on folks from other cultures/countries; but I just can’t overlook obvious enemy connections, or even the suspicion of it – when planning a secure environment..

    2. Clive Robinson

      @ Yar,

      “Some of the IT guys here at the bank think the Live CD is overkill for the average customer. I think that’s ridiculous. For the cost of a CD and a little bit of time, a customer can have a working solution for preventing fraudulent losses from their Online Banking. It may not be perfect, but it is effective”

      More importantly from the Banks managment perspective it is likley to be cheeper than any of the solutions their IT guys think up or the consultants they over pay 😉

      Good news does not have to be expensive nore bad news cheap.

    3. Terry Ritter

      “If the Linux distro is small, such as Puppy Linux, it loads reasonably fast and can be placed on an unwriteable medium.”

      I am unhappy with this idea that the goal is to have an “unwriteable medium.” There can be no perfect security. Compared to the expected, ordinary risks of browsing errors, the risk of updating malware onto a DVD seems modest, while the frustration of using a static system is demonstrably huge.

      The goal is to save a clean updated system under user control. One DVD advantage is that a write is easily observed, especially when unexpectedly ordered by a program. (Puppy Linux loads completely into RAM, and the DVD drive stops and remains dark and quiet in normal operation.) A Puppy advantage is that the DVD can be removed in normal operation, which is absolute write protection. So, if and when we find a malware which actually tries to write a DVD (remember, we can see that), then it might become worthwhile to run with an open tray.

      Users always want to customize their environment: Homes and cubicles are decorated, cellphones collect apps or at least ringtones and wallpaper, and computers also collect wallpaper, apps, browser tabs and options. As an older user, I epecially appreciate being able to vary the page layout and font size for different pages using the NoSquint add-on. That means I need both the add-on (which the snooty bank might not regard as important), and the ability to save the resulting configurations, which means writable store. I have a handful of security add-ons, which the bank should install for everyone, but people also have their own interests.

      Why should a bank offer the disturbing freedom and risk of LiveDVD updates, and how does that help the bank? Because users like to change things to be their own, and not allowing that is a recipe for failure. I have tried some static LiveCD security systems (e.g., LPS at http://spi.dod.mil/lipose.htm) and quickly run away. I would expect any tightly-controlled system to fail, simply because it would end up being too irritating, too “old school,” and too much trouble to be worth using. Some part of this needs to be fun.

      When users customize, they may buy into and “own” their system. Can freedom turn out badly? Sure. But making those sorts of decisions is what people do–as opposed to robots. Nobody likes to be a robot, and especially nobody likes to be forced to be a robot just to do business. There are always other options.

      After a user gets started with a LiveDVD from the bank, they can do their own minor updates just by allowing Firefox to update and then burning the result. LiveDVD users can do their own major updates by downloading a new .ISO and burning that. Then the bank is out of the loop, which is not necessarily bad. Maybe the bank just offers starter sets.

      At appropriate times, perhaps the bank could suggest something like: “Due to recent changes, now would be a good time to update your browser,” or “Users may want to get the latest .ISO (from here) and burn a new DVD.” A bank FAQ with a “How Do I” section and a local .ISO copy also might be a good idea.

      1. JCitizen

        Very good post Terry;

        I hope you don’t mind me using you as a source the next time I go to a bank conference. I’ll just point them directly to this article and discussion! 🙂

      2. Yar

        @Terry,

        I completely understand. You have a very valid point about being able to observe something writing to the medium, but it would be one more thing which would have to be included in the literature. The question becomes whether the customers would rather invest in a solution which they have to think less about or a solution which is more customizable.

        The solution I was suggesting was one in which the disc’s express and only purpose would be for Online Banking. As a matter of fact, if we were to produce it in-house, it would be a disc which pretty much only allowed the use of the browser and then only for our site. The point would be to harden it to an unforgiving point. If you did this, the static system would not be much of an issue.

        Your solution is more elegant, especially for the tech-savvy, but isn’t that what we’re really talking about? Most of my customers don’t want to know, don’t care to know, and don’t want to mess with any specifics. Many of them either believe they are invulnerable to these attacks or trulyand completely hate computers and don’t want to do anything more than they absolutely have to with them (which seems to include checking emails and opening every attachment and then logging into Online Banking).

        If it comes down that Banks are responsible for this type of fraud (and it probably will before long), then you will see much higher requirements for accessing online banking, and you’ll see a lot more risk analytics on the back end. My FI has already started evaluating alternatives, including putting an analytics solution in place to monitor online activity or simply removing the ability to process transactions online. Either way, it will be an expensive decision for us, but will cost less than the ensuing wave of fraud you’ll see when the customer is no longer required to pay the consequences when they are caught sleeping.

      3. Nick P

        Great points, Terry. The choices center on one’s risks and how they manage it. A DVD-RW solution is potentially adequate for most users at the moment because they are not targeted by sophisticated attackers. Anyone who is should avoid this and other “fun” options, using something that doesn’t leave gaping holes for subversion attempts. That said, most people aren’t going to be attacked by LiveCD subverting malware until LiveCD’s are very ubiquitous (or they have six digits+ worth of cash a hacker’s targeting).

        Puppy’s model is fine for the average user. Your points about users wanting to customize things are right on, but I think of them in a different perspective: users are the weakest link and their actions usually introduce security holes or cause data leakage. I find restricting their freedom to interfere with security-critical functionality is the best route because we’ve seen an astounding amount of losses come from their other approach. My goal is to always strike the right balance between usability and security. Too much of either is a problem.

        That said, I’d rather it be a different distro with Puppy’s update model. The kernel should have as many protections as possible, such as provided by grsecurity or AppArmor. The applications should all be compiled with stackguard. Any unnecessary functionality and services, in kernel or user-mode, should be removed. The user can feel free to expand from there at their own risk, but the system should be very hardened to start with. I haven’t analyzed Puppy’s kernel features but I doubt I’d find more than the basics to stop malware and ensure reliable operation. That said, Puppy might be a decent start for lay people without five digits of disposable income. So would a properly configured Mac and it would be much more “fun” for lay people. 😉

  19. Nick P

    @ Clive Robinson

    “I’m currently in a hospital bed (yet again) having drugs and blood pumped in under the control of one machine and my “obs” or vital statistics being shown on another. Both use QNX as the base OS…”

    Darnit old man, what did I tell you about reverse engineering devices while they are plugged into your body? One of these days you’ll pull out the wrong wire and…

  20. Ronnie

    The problem in this case was the breach happened at the client side. The trojan SHOULD have been detected by a competent anti-malware solution IF there was one installed.

    Doing all that email back and forth just to do the payroll doesn’t address the initial problem. INSTALL A COMPETENT ANTI-MALWARE SOFTWARE!!!

    Moving forward, the bank SHOULD implement better security for verifying online banking transactions, like installing two-factor authentication systems for ALL accounts, not only corporate accounts. Something that CAN’T be monitored from a computer, like a one-time password generated from a token, or sent to the client’s phone via SMS. This on top of the current username/password combo. So even if a trojan gets the username/password from the client’s PC, there’s a secondary authentication that needs to be provided that’s NOT AVAILABLE on the PC.

    1. Terry Ritter

      Hi Ronnie!

      I guess it must seem quite frustrating that nobody seems to be doing what they need to do, and nobody seems to care. If you read the rest of this response, you may soon be even more frustrated. I have been talking about this for years; imagine how I feel.

      The first misconception is:

      “The trojan SHOULD have been detected by a competent anti-malware solution IF there was one installed.”

      Yes, one would think that, especially if you pay good money for that “solution.” However, the reality is that many, perhaps most, modern malware will NOT be detected by anti-virus scanners. This has been getting worse for years, but here is a recent quote:

      “one third of internet users in the EU caught a computer virus, despite the fact that 84% of internet users used IT security software”
      http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108

      (The reported value is taken from virus *detections*, which thus cannot include the worst malware which hides very well and is not detected.)

      (“Many of the malware tools that companies need to deal with these days have been explicitly designed to evade detection and to remain hidden for long periods.” http://www.computerworld.com/s/article/9209719/Attack_mitigation_tools_fall_short_security_vendors_say?taxonomyId=17)

      Reasons for anti-virus not detecting viri include:
      1) the delay caused by the need for a malware to be found before a string-signature can be generated, distributed and finally used;
      2) the breathtakingly-massive and continuously-increasing flow of new malware, so that many attacks will occur in the few hours or day before the signature has been distributed;
      3) during infection, polymorphic malware “encryption” often makes the same malware different on each machine, which thus escapes signature detection;
      4) after infection, complex malware “rootkit” technology often subverts the operating system so that the file system will not even show malware files, and can also hide changes in changed files.

      None of our countermeasures are nearly good enough. We are losing the race.

      The second misconception is:

      (two-factor authentication)
      “So even if a trojan gets the username/password from the client’s PC, there’s a secondary authentication that needs to be provided that’s NOT AVAILABLE on the PC.”

      Actually, malware bot infections can defeat even 1-time 2-factor external dongles. There are many approaches, but consider: while the external authentication value is not typically available on the PC, it IS available on the PC when the user punches it in. Then the malware can use it. One classic article is:

      “Modern banker malware undermines two-factor authentication” September 23, 2009

      “Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years.”

      http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402

      But that is old school. Here are some newer quotes:

      “In order to counter the increasing amount of online banking fraud performed via phishing or with the help of sophisticated trojans like ZeuS and SpyEye, banks have introduced two-factor authentication.”

      “Last year, Spanish security firm S21sec identified a ZeuS component specifically designed to steal mTANs in attacks which researchers dubbed Man-in-the-Mobile (MitMo).”

      “”The attack starts on a ZeuS-infected computer, where additional content is injected on the online banking login page asking users for their mobile phone number and make/model in order to allegedly update the security certificate.

      After they provide the information, they are sent a link via SMS to an application designed specifically for their type of device which they are asked to install.

      This is a mobile spyware component that monitors SMS messages and steals mTANs sent by the bank. In fact, it prevents users from being notified of new messages, so that the cybercriminals can initiate transactions and confirm them with the stolen mTANs without raising suspicion.

      http://news.softpedia.com/news/ING-Bank-Polish-Customers-Targeted-by-ZeuS-185523.shtml

      “many companies (not only financial institutions) are using SMS as a second authentication vector, so having both the online username and password is not enough in the identity theft process.”

      “In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages that are being delivered.”

      http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

      So, what to do? For that, another quote:

      “G-Data reckons 99.4 per cent of all new malware of the first half of 2010 targeted Microsoft’s operating system. Just 0.6 per cent of the 1,017,208 new malware programs discovered in 1H2010 targeted other systems, such as Apple Mac boxes and servers running Unix.”

      http://www.theregister.co.uk/2010/09/13/malware_threat_lanscape/

      From data like the above, I believe that the single most effective thing anyone can do to avoid malware is to not use Microsoft Windows online. I do not believe a Windows machine can be sufficiently “hardened” by any combination of configuration and add-on packages to be considered “secure.”

      My recommendation is to use a Linux LiveCD (I am using a Puppy Linux boot DVD right now) for any online banking. A very serious alternative is to go back to using the drive-thru. Or just trust the bank to give your money back, after it was stolen by a bot infection which you cannot detect on your own computer.

    2. JCitizen

      Sorry Ronnie;

      But it is well known already that AV and AM solutions do not detect these variants until the damage is already done. You might find them next week after your bank account is empty, but it is simply a cold hard fact that their are too many ways to foil signature based solutions.

      Better to have behavior based solutions or something that can foil the bug’s mission while the PC is infected. Read the posts by the very knowledgeable contributors here, signature based detection is obsolete for this kind of threat. I can count, on one hand, the behavior based solutions that MIGHT foil some of the bugs some of the time, but NOT all of the time. A blended preferably kernel space defense is the present attempt; but as many here say, a LiveCD or similar is the only really affective deterrent in the home or home office arsenal.

    3. Al Mac

      I do not know the details of how this is done – another tech set it up, and it is outside my area of expertise. (I am the AS/400 expert.)

      When a PC connects to our corporate network (hundreds of users), something runs on the server side to check the client PC.

      “Do you have anti-virus?” etc.
      “Is it working?”
      “Are you infected?”

      I do not know all the stuff it checks. Theory is to not let connection go thru, if some user has infected PC, so infection never jumps from client to server to other clients (as happened before this got installed). Risk mainly with laptops wandering the world with users, might get infected when away from the office.

      If this kind of checking is valid, then it should be standard for all networks, including bank networks.

      If PC is infected, bank should send communication by registered mail to the customer, and/or have someone get on the phone and ask to speak to relevant management of the customer.

      1. Terry Ritter

        @Al Mac: “”If this kind of checking is valid, then it should be standard for all networks, including bank networks.”

        That checking is NOT valid. It might stop some problems, but even that will happen less and less. Running various checks is easy enough, but modern malware can hide from virtually any program which runs on the subverted OS. There is no program which guarantees to detect hiding malware. If there were such a thing, we could just use it before banking, and so solve our banking problems. Yet we still have those problems.

        1. Al Mac

          Thanks for the heads up. I will pass it along to my guy. He has also told me he knows about my dual firewall (both hardware and software), thinks that is good security, but I need to replace the hardware one (it won’t deliver firmware updates any more).

          I already knew some security schemes had flaws.

          I used to forward 100% spam as-is to KNUJON.
          http://knujon.com/

          They have cut my spam from over 100 a day to less than 10 a month.

          Then my ISP detected outgoing e-mail as having malware attached (did not detect it incoming) thought I was infected, severed my connection to the Internet, until I could demonstrate to their satisfaction that I was not infected – fortunately my patches were up-to-date – I was not keen on idea of using some other Internet connection to download them, then figure out how to apply to PC without Internet connection.

          I was unable to explain KNUJON to their tech support, so now I delete all attachments before I forward spam to KNUJON.

          1. Terry Ritter

            @Al Mac: “Then my ISP detected outgoing e-mail as having malware attached (did not detect it incoming) thought I was infected, severed my connection to the Internet, until I could demonstrate to their satisfaction that I was not infected”

            Personally, I find this “prove it” attitude quite disturbing. NO TOOL EXISTS which can correctly distinguish between “infected” and “clean” PC’s.

            There are many anti-malware tools and tests, and some will find malware, and some of that will be real. We can even remove what is found, yet remain infected by what was NOT found, because modern malware hides really well. So our Internet access rests on the subjective determination of “Customer Support”-type security which does not know the issues and cannot find the real problems anyway.

            The fundamental inability to prove that one is “clean” is the gaping hole at the center of most attempts to address the malware issue. It does seem odd that government anxiety does not extend to demanding that Microsoft deliver something to certify that their OS installs remain suitable for online banking.

    4. Al Mac

      Another company in our local AS/400 user group (I am no longer in touch with the people involved in this) lost over $ 1 million in a situation similar to the case in the original story.

      They thought they had competent anti-malware etc. installed BUT
      1. Something got installed on user PC, by user, which called for security to be temporarily disabled, while it was being installed, then security was never re-enabled.
      2. IT only checks user PCs when users gripe about something, so problems can go undetected for long time.
      3. Accounting received spear phishing with an attachment which no-one could open … it was forwarded around the office to other people who could not open it either, so they called the place it supposedly came from … no problems … so they forgot about it, not knowing that everyone who had tried to open it, it tried to install a keylogger.
      4. The person whose security was not running, was same person who does payroll, internet banking, a lot of financial details.

      That company needed to have a deal like my company has, where you cannot connect to the network if you are infected, and that is logged, and something is done about it.

  21. Al Mac

    In my opinion, one of the solutions to this is to NOT have ANY e-mail or other Internet access on a company PC which is used EXCLUSIVELY for Internet Banking. With PC prices falling, the cost of an extra PC just for Internet Banking is trivial compared to the security hoops people have to go thru to deal with this kind of risk. Most malware infections arrive by e-mail and other Internet access.

    It is another story for credit cards in retail … people in a store can install skimmers, and other crooked hardware in the places where customers are legitimately allowed to access.

    1. Terry Ritter

      @Al Mac: “In my opinion, one of the solutions to this is to NOT have ANY e-mail or other Internet access on a company PC which is used EXCLUSIVELY for Internet Banking.”

      In MY opinion, having a dedicated PC for Internet banking is a disaster waiting to happen.

      What is the real difference between an ordinary PC and this dedicated PC? Is it that we intend and thus hope the dedicated PC does not browse somewhere bad? Can we define every bad place? And how can we tell if it did go there, just once, long ago?

      Do we expect someone doing banking not to look at the latest numbers from email, then maybe to clean up new email before getting off? Do we really think the owner will not sometime forget that the computer is only for banking, or excuse doing other things, “just once”? What if someone else just sits down to have an innocuous look at Facebook? How could we tell if they did?

      The dedicated Web banking computer is a false solution. A real solution is to do Internet banking from a LiveDVD. Only then can we have some actual assurance that the system will at least start out clean on each session, no matter what mistakes or cute naive actions have occurred before.

      1. Al Mac

        Thanks again.

        I do not know enough about LiveDVD to know how come it cannot be subverted the same way as other solutions, by some user who cannot be bothered to follow the rules, or some executive who is above the rules.

        I had thought that a dedicated PC could have a firewall limited to accessing the banks it is authorized to access, nothing else, and not give user the admin access needed to subvert those rules.

        I recognize and fully acknowledge that whatever security rules are developed at a company, there will be executives who over-rule security professionals, and authorize actions the professionals consider hazardous.

        1. Terry Ritter

          @Al Mac: “I do not know enough about LiveDVD to know how come it cannot be subverted the same way as other solutions,”

          The advantage of the LiveDVD form is that it is difficult or impossible to infect (as compared to the usual PC which boots from a hard drive or even a flash drive). As a consequence, each LiveDVD session starts out clean. So to do banking, we restart and do banking as the first thing.

          “I had thought that a dedicated PC could have a firewall limited to accessing the banks”

          If only malware would play the game we expect, lots of things would work to stop it. Unfortunately, malware LIES! (Imagine that!)

          Malware can pretend to be a browser (or anything else), or just run code in a browser (or anything else), and a firewall cannot tell the difference. There would appear to be no clear signal a firewall could use to tag some outgoing network data as coming from malware (as opposed to normal operations).

  22. Chris

    In an attempt to educate myself on the risks and possible options for online banking security, I’ve read this article, all of the comments, read many other articles, and researched the use of LiveCDs/DVDs.

    Not being a security professional, I hope this isn’t a stupid question.

    In the opinion of the resident security experts, would a dedicate VM, used only for online banking, with access restricted only to specific banking websites (and to Microsoft to install automatic updates) be “reasonable security”? I realize this option won’t be as secure as a LiveCD, but in your opinion would it be a significant upgrade to the standard PC with anti-virus/anti-malware?

    Another one of Brian’s postings (see below) mentioned breaches on virtual machines, but also mentioned “we have yet to see a breach involving a successful attack against the hypervisor”. Not having much VM knowledge, could someone help me understand the the difference between VM malware vulnerabilities versus “no successful attacks against the hypervisor”?

    My recent research:

    In Brian’s recent post of “Are Megabreaches Out? E-Thefts Downsized in 2010″, this quote is included in Verizon‘s fourth annual Data Breach Investigations Report:
    “We have yet to see a breach involving a successful attack against the hypervisor. On the other hand, we constantly see breaches involving hosted systems, outsourced management, rogue vendors and even [virtual machines] (though the attack vectors have nothing to do with it being a VM or not).”

    The Wikipedia definition for HyperVisor is: In computing, a hypervisor, also called virtual Machine Manager (VMM), is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization. It is so named because it is conceptually one level higher than a supervisor. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources. Hypervisors are installed on server hardware whose only task is to run guest operating systems.

    1. Al Mac

      Chris – multiple issues in your post.

      There are constantly evolving threats, so any strategy is only healthy until new threats against it.

      I’d like to see VPN, or equivalent, sign-on to get updates and patches, instead of relying on browsers over regular internet risks.

      Does IBM OS qualify as a hypervisor? By IBM OS I mean the server platform using an IBM OS such as i-Series, System-i, AS/400, OS/390, etc. which is the host to Novell, Windows, other IBM OS, and a server to a network of guest machines, typically PCs, but sometimes some NCs.

      (NC = Network computer, or smart terminal, where the server has all the data, software – the NC is a super-GUI.)

      I know of multiple penetrations on guests or clients of this reality, due to the usual human frailties of the operators of the PCs. This is the same huge problem, which exists outside of the IBM world.

      I know of multiple incidents involving IBM OS server reality. I consider them to be extremely rare, but not non-existent.

      I am not aware of any incidents with NCs connected to IBM OS networks.

      However, I do not recommend the super secure solutions for most business users, because typical business users NEED the applications which currently are full of security risks, and those vendors with their poor security products generally do not support their products running on the high security platforms.

      1. Al Mac

        One function of the IBM OS platform, of which I am familiar, is IT distribution of services to each of the guest OS (Windows, Novell, UNIX etc.), guest packages (e.g. applications in different human languages in different hardware partitions), and networked hardwares (PC NC shared printers), is the distribution of updates and backups, without IT personnel having to personally visit each device.

        If you are on such a network, typically the IBM OS does not connect to Internet in same way that other OS do, and can have a hard disk partition which emulates type of hard disk familiar to a PC, containing copy of all patches relevant to individual PC, under a corporate multi-PC license. With this arrangement, individual PC do not connect direct to Microsoft etc. to get their patches, they are distributed through the company network.

        1. Nick P

          You’re only going to confuse the guy by mixing two different sets of issues: virtualized web browsing and the client/server model. The security ramifications of each are as different as night and day due to the distributed nature of the latter. Securing activities performed on a server by remote clients running a different OS is much more difficult than isolating a web browser on one machine.

          An apples to apples comparison involving IBM would be to look at using the Power Hypervisor or their mainframe LPAR’s to isolate infected hosts vs using a hypervisor on the Intel platform like VMWare or VirtualBox. I can’t make the comparison because I don’t have any of their hardware & software to test.

    2. Terry Ritter

      @Chris: “would a dedicate VM, used only for online banking, with access restricted only to specific banking websites (and to Microsoft to install automatic updates) be “reasonable security”?”

      The basic idea is good, but every situation is different: First, the VM must be installed on an uninfected machine. In my view, that can only be assured immediately after a full OS re-install, or when only using VM’s. Next, the VM design must be strong enough to prevent a breakout into the underlying machine, and that takes time to develop and more time to evaluate and trust. In the end, there probably will be some exotic way through, which will need patching and starting over. Last, what you get, if everything works, is the ability to throw out the latest session and start the next one fresh, much like a LiveCD boot.

      If you would be willing to boot a LiveCD OS into the VM, then you could flush the entire VM contents after each session. Of course very little malware targets Linux code anyway, so Linux would be the main advantage, not the VM.

      However, loading a hard-drive-boot OS into the VM means having anti-vi and updates for that OS. So there is a desire to keep the code around, and the infection danger has always been from malware modifying the code that stays around (usually boot code). This same issue arises with any dedicated banking machine which is why those provide only an illusion of security. So that makes any supposed VM advantage much less clear.

      “Hypervisors are installed on server hardware whose only task is to run guest operating systems.”

      When all the attacker needs is to infect the outer OS’s, there is no need to attack the hypervisor. The hypervisor can be perfectly clean and still support infected OS’s. The real VM advantage is the ability to contain malware, then kill that VM and start over.

      Keeping all the VM contents for next time makes it pretty much like running that same OS without a VM. Trying to have the VM specially protect all the code that will be used in the next session will be very tough.

      1. Al Mac

        I totally agree with Terry’s statement: “The hypervisor can be perfectly clean and still support infected OS’s.”

        There was a breach in Evansville Indiana, resulting in the FBI being called to help out, where the infection of PCs in an accounting office for a company in the grocery food supply distribution business, came from a combination of human error and an e-mail with an attached malware, which one person could not open, so forwarded to co-workers, and now several PCs got the same infection, which included a keylogger.

        So people signing onto the IBM OS (which never got infected) using PCs (infected with keylogger) to do payroll and payables and other financials on the IBM OS applications, ultimately led to over $ 1 million taken out of the company’s bank accounts by mules.

    3. Nick P

      Terry Ritter’s post is a good summary of the issues. To answer your question, using a properly configured VM with as little as possible shared (e.g. shared folders) can often prevent malware from getting onto your main system. Any attacks that happen at the application layer within your browser on session data, like email credentials, will still work. The scheme is mainly designed to isolate web browsing and prevent persistent infection.

      Just take a snapshot of the clean VM & restore from snapshot any time you think it’s infected and on at least a weekly basis anyway. If updates are available, you must: 1) restore from snapshot; 2) apply updates; 3) save new snapshot. Terry’s best comment was using a LiveCD with a VM: I actually do this for my “Browser Linux” VM. A minimal Linux with good security features & configuration running in a VM from a LiveCD will stop most of your worries below the application level. Note that most mainstream virtualization programs allow you to use an ISO file for the virtual CD-ROM, meaning you don’t need a physical CD.

      Another thing to remember is that many modern pieces of malware are designed to detect if they are in a VM and not activate. This mainly applies to malware that hits the main system, not in-browser attacks like clickjacking. The VM-aware malware will activate the moment you put the infected file on your computer and run it. This is why no shared folders and stuff is important and your main machine should still have virus scanning & intrusion prevention enabled.

      Finally, if you can’t avoid using Windows, you still have hope beyond staying patched. First, apply the steps in one of the reputable hardening guides for your version of Windows online. Then, buy a host intrusion prevention system (HIPS) like Comodo Defense+, DefenseWall or Blue Ridge’s AppGuard. These often can prevent many attacks even in the less intrusive modes and usually cost around $30. Use this in combination with an internet security suite that’s compatible in side-by-side operation. Then, use one of these: Chrome; IE in Protected Mode w/ good security settings; Firefox with Adblock Plus, Flashblock, HTTPS Everywhere, and NoScript. I use the latter and know for a fact it’s stopped some malware. A hardened browser on a hardened OS with a HIPS and internet security suite is a force to be reckoned with for most malware & only cost about $80 per year per machine.

      The very best option, though, is to isolate important business functions from the Internet wherever possible. In many cases, certain critical systems don’t even need to be on the Internet or shared with other risky applications. For instance, I would harden the hell out of any system doing ACH & allow nothing else to be done on that system. It would be worth buying a dedicated netbook, using a minimalist secure LiveCD, and configured for maximal security to prevent giant losses Krebs reports on. R&D & accounting computers at small to midsized businesses often don’t need to be connected directly to the Internet either. In all of these cases, appropriate separation methods should be employed to restrict access to what is necessary and safe wherever possible.

      And remember to do regular backups. External HD storage is cheap. Look up current reviews for the best backup program for you, as they change yearly. I mostly used Acronis in the past and backed up the files from their boot CD to prevent subversion of the backup process. Now that I use a Linux distro with a quick installer I just back up my data and regularly reinstall the thing. It’s a fairly quick bit of maintenance that involves a few clicks and cut n pastes.

  23. Chris

    Al, Nick, Terry: Thanks very much for your input. I work for a small private company which has recently been solely focused on cost-cutting. Our IT team is very slim. Trying to get the right people to recognize the security risks for online banking is difficult at best. My IT resources are helpful, but they definitely aren’t as knowledgeable as you guys when we’re talking about the options to improve our security in a no-cost or very-low-cost way.

  24. Jackie

    Yes, thanks so much for all the helpful information. I’ll be implementing many of these tactics this week.

  25. Margaret McEachern

    This design is incredible! You most certainly know how to keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Excellent job. I really enjoyed what you had to say, and more than that, how you presented it. Too cool!

Comments are closed.