Weakness exploited in Defense's Common Access Card program
Most consumers don’t think twice about downloading a PDF from an email, even if it’s not from someone they know. But many of these documents are spear phishing attacks, targeting individuals with high-level network access. The PDF carries malware that installs a key-logger to capture user IDs, passwords and PINs.
This malware, a Sykipot variant, was discovered within the U.S. Department of Defense and was logging Common Access Card PINs. With the captured PIN, an attacker could access secure networks whenever the compromised individual’s card was inserted in the computer’s reader.
The attack was discovered and reported by AlienVault Labs. This variant, which appears to have been released in March 2011, has been seen in dozens of attack samples from the past year.
Cleaning the computer’s operating system, protecting the operating system against the malware, and updating or patching the software application that introduced the malware to the system can prevent the attack.
While integrity of the smart card was not compromised, credentials stored on the smart card may have been used for unauthorized transactions. The smart card PIN should be reset and, as a best practice, new public key certificates should be issued to the user, with the compromised certificates added to the revocation list and validation services.
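The remediation step described above, revoking the compromised certificates so that relying parties reject them, as an added example that is not part of the original article or any agency’s or vendor’s code. It uses the third-party `cryptography` library; a constructed issuing CA publishes a CRL naming the compromised certificate’s serial with reason keyCompromise, and the relying-party check fails closed on an unsigned or stale CRL. All names, keys and validity periods are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    """Constructed stand-in for the card-issuing CA (a real CA key lives in an HSM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Constructed Issuing CA")).issuer_name(_name("Constructed Issuing CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, cn):
    """Issue a constructed end-entity certificate like one stored on a smart card."""
    user_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    """Publish a CA-signed CRL listing the compromised serials with reason keyCompromise."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(now).next_update(now + timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(ca_key, hashes.SHA256())

def accept_certificate(cert, crl, ca_cert):
    """Relying-party check: the CRL must be CA-signed and fresh, and the serial not listed."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False  # tampered or foreign CRL: fail closed
    if crl.next_update.replace(tzinfo=None) < datetime.now(timezone.utc).replace(tzinfo=None):
        return False  # stale CRL: fail closed rather than trust an outdated list
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```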
While trojans that have targeted smart cards are not new, there is obvious significance to the targeting of a particular smart card system in wide deployment by the Defense Department and other government agencies. Attacks are also becoming more and more advanced and it’s becoming increasingly difficult to keep up with them. “Every time we turn around there’s a new attack,” says Jim Zok, an ID industry veteran and former government official.
The Sykipot attack wasn’t new but a variant on an old one, says Randy Vanderhoof, executive director at the Smart Card Alliance. “These threats are not new, they’ve been known about for a while,” he says. “But there’s a slight difference in the way the hack is delivered and they’re finding vulnerabilities that have always existed but have never been exploited before.”
Hackers are continuously finding vulnerabilities and exploiting them. The time it takes for the hackers to find these problems has dramatically decreased. “We used to think we had a year but now we have hours,” Zok explains.
Organizations have to take a risk-based approach to security. Corporations aren’t going to deploy a new system every time a new vulnerability is discovered. It’s not cost effective. Vanderhoof says the question to ask is, “do we want to throw money at this or do we wait and see what alternative strategies might surface once people understand how the attack works.”
Patches and software upgrades can keep systems secure without having to implement entirely new systems. But ultimately there will be a time when the system is no longer secure. “We can harden the credential, we can harden the device but somewhere that credential interfaces with an untrusted computer environment,” Vanderhoof says.
Keeping abreast of the latest attacks and updating anti-virus programs are important, but consumer education is also needed, Zok says. “Fifteen to 20% of users are afraid of certain behavior but they do it anyway,” he says. “We need to make the public responsible for their own actions.”