Security Watch
Digital Certificates Real Cure for Two-Factor Phishing Spoof
Plus, TWiki vulnerability, EU firewall project, free DNS lookup site fights phishing and the U.S. probes an international hack attack.
Citibank Phish Spoofs Two-Factor Authentication
A phishing attempt was recently spotted that targets Citibank's Citibusiness service customers. The service provides customers with a token card to automatically generate a value used as a second factor during the authentication process. The criminals behind the scheme capture the value being presented by the victim and relay it to the actual Citibank site for verification, thereby effectively bypassing the additional security measure for a single session.
This vulnerability caught the media's attention because two-factor authentication is often touted as being the solution to the password problem. This phishing attack merely demonstrates the inherent problem of all clear text authentication mechanisms: While it's true the value generated by the token is unlikely to be guessed, since it can be intercepted it can be used by anyone who does so...providing they do so within the allocated time interval that the value is valid (typically 60 seconds).
Conversely, if the client and server both used digital certificates to ensure each knows the other and is sure of it, such interceptions would not be possible. In such a case the phishing server would not be validated by the client, and the victim would be alerted to the phishing attempt and know not to proceed with authentication.
There is no silver bullet to security solutions!
TWiki Multiple File Extensions Validation Leads To Upload Vulnerability
TWiki, an environment for performing collaborative authoring via HTTP, contains a vulnerability that could potentially allow for script code to be updated and executed unknowingly by visitors. Patches are available.
It turns out that TWiki does not perform the same validation on files with multiple extensions as it does on those with a single extension. As such, it's possible to upload a PHP script file that is named with a double extension, when it should be prohibited. When the file is clicked by the unsuspecting visitor, the PHP script will execute.
It seems ridiculous to believe that anyone who accepts file names has not built code into their input routines to parse for double-extensions to ensure such a vulnerability cannot exist. Just goes to show that writing secure code is far too often not the goal.
Group Launches Diadem Firewall
The Diadem Firewall project is funded by the primarily by a variety of EU organizations and businesses with the goal of developing high-speed edge devices that can be secured automatically, detect security anomalies and perform adequately for large-scale broadband networks.
These are very laudable goals, but it remains to be seen whether or not they can actually be achieved in the foreseeable future.
Site-Lookup Service Foils Fraud
An interesting new startup has hit the streets, this one offering free DNS lookup services for everyone from individuals to entire corporations. Making money by delivering advertisements on pages that cannot be found (typically 404 pages), OpenDNS offers to attempt to block phishing sites and automatically correct common misspellings.
It will be interesting to see if this business model works. It is certainly a service many will benefit from, and depending on the service's ability to effectively block phishing sites without a high false-positive result, it may dramatically reduce the value phishing criminals currently enjoy.
State Dept. Probes Possible Computer Hack
The State Department is looking into "anomalies in network traffic" involving equipment in the offices that deal with North Korea and China.
You gotta love the wording they used: "While our investigation continues, there is no indication that any sensitive U.S. government information was compromised," a State Department spokeswoman said. Well, just how would they be able to say this if the investigation is continuing and network anomalies were detected? They either know or don't. The anomalous traffic was an indication of a breach; only a full investigation would determine whether that breach reached "sensitive" information or not.
According to the Reuters story, the State Department said, "The case represents a 'textbook example' of the department's ability to detect and defeat a threat before it could do any damage." Again, without knowing what it was or how it happened, the statement would seem full of platitudes and very self-serving. If the investigation is ongoing, then how can they be so sure they have "defeated" the threat?
Their response to the media sounds a little too assured without providing any technical basis for the assertions. We'll have to wait and see.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.