Banking Security Magazine 2 20112

Date post: 06-Apr-2018

  • 8/2/2019 Banking Security Magazine 2 20112

    1/44



Dear Readers,

The newest issue of Banking Security Magazine has been released. This time our magazine is added as a bonus to Hakin9. However, for this issue our authors have prepared even more interesting content and topics than previously. I am sure that all of you, dear Readers, will find something that will attract your attention.

The main article in this issue is "Analyzing the Biggest Bank Robbery in History", written by Pete Herzog. Most of you know the movie Ocean's Eleven, which was based on that robbery. The author analyzes and presents how open source security testing can help to prevent such theft.

In this issue you will also find articles about network security, online banking frauds and a topic that should be of interest to users of the iPhone. In "(In)security of using iPhone Financial Applications" the author tries to assess how secure it is to use your mobile for banking applications and what threats await unwary users of mobile financial software.

I hope that the content of this issue will meet your expectations, and you will spend some good time with the articles published in Banking Security Magazine.

Enjoy your reading,

Grzegorz Tabaka
& Banking Magazine Team

Managing: Grzegorz Tabaka
Senior Consultant/Publisher: Paweł Marciniak
Editor in Chief: Ewa Dudzic
Art Director: Marcin Ziółkowski
DTP: Marcin Ziółkowski, Graphics & Design Studio, www.gdstudio.pl
Production Director: Andrzej
Marketing Director: Grzegorz
Proofreaders: Donald Iverson, Michael Munt, Elliott Bujan, Flemming Laugaard
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.bankingmag.net

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


Contents, issue 02/2011

p. 5: Applying ISO/IEC 27001:2005 to a Banking Institution (Florencio Cano Gabarda)
p. 7: Secure Web Filtering (Steve Jenkins)
p. 10: Social Engineering in the Banking Sector (David Montero Abujas)
p. 13: Insecurity of Financial Applications on iPhone (Mrityunjay Gautam)
p. 17: Analyzing the Biggest Bank Robbery in History (Pete Herzog)
p. 23: Data Sharing Between Banks for Better Risk Assessment Under the Basel II Framework (Yuval Shalheveth)
p. 26: Online Banking Fraud (Max Dermann)
p. 30: Secure Website Development & Design (Sebastian Zuber & Torsten Adler)
p. 35: The Growing Pitfalls of Remote Account Opening (Bob Lyddon)
p. 40: Henderson Global Investors (Henderson Global Investors)


Applying ISO/IEC 27001:2005 to a banking institution

Online Banking Security Magazine, 2/2011

What is ISMS? What is ISO 27001?

ISMS stands for Information Security Management System. ISO/IEC 27001:2005 (also known as ISO 27001) is an international standard that defines the requirements for an ISMS. If your organization implements an ISMS that covers the ISO 27001 requirements, your organization can get certified by being audited by an accredited certification body. This certification aims to demonstrate to interested parties that your organization implements rigorous controls to mitigate the risks to information security in your business.

ISO 27001 history

ISO 27001 is a young standard compared with other ISO standards. In 1992, the Department of Trade and Industry (DTI) published a Code of Practice for Information Security that BSI, three years later, amended and republished as BS7799. In 1999, the first certification schemes appeared and LRQA and BSI became the first accredited certification bodies. In 2000, ISO converted BS7799, by a fast-track procedure, into ISO/IEC 17799:2000.

It is important to note that BS7799, and thus ISO/IEC 17799:2000, was a code of practice, a collection of best practices. In 2002 the ISMS specification appeared as BS7799-2. This standard was closely aligned with ISO 9000.

In 2005, ISO/IEC 27001:2005 was published and BS7799-2 was withdrawn. This standard aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

The banking institution case

Banks are huge organizations that process very valuable information. Managing information security is a big deal and in fact financial institutions spend lots of money on it. According to Deloitte's 2010 Financial Services Global Security Study, this sector is investing primarily in identity and access management tools and data loss prevention. All of these security requirements appear in ISO 27001 as security controls. The main benefit of ISO 27001 is that it does not allow security tasks to remain independent of each other, but obliges the certified company to have a security strategy based on controlling known risks.

Implementing ISO 27001

Defining the objectives and scope

The first step to implement an ISMS in an organization is defining objectives. Objectives should be SMART: specific, measurable, attainable, relevant and timely. The objectives will guide the implementation so that it focuses on the important points. As this standard must be maintained and continual improvement is a fundamental requirement, it is important that the company and its employees notice the improvement. Accomplishing objectives is a good motivation driver for all interested parties.

When objectives are defined, documented and approved, the company should start thinking about the ISMS scope. After good objective definition work has been completed, the selection of the scope for the ISMS will be easier. The ISMS scope is a set of processes and locations. Public ISMS scopes can be found at http://www.iso27001certificates.com/Taxonomy/ScopeResults.asp.

All the information assets that support these processes in these locations will be affected by the ISMS policies and procedures. A smaller scope helps to implement the ISMS by reducing the quantity of work needed, but it is important to remember that:

• If an information asset is outside the scope, the information flow between this asset and an asset inside the scope should be well defined and controlled. Assets outside the scope are treated similarly to external suppliers.
• Processes in the scope should be core processes of the company. If a company tries to implement an ISMS in a scope that is seemingly insignificant, the validity of the scope can be compromised.

When doubts exist about whether a process should be inside the scope, it is probably because it should be inside it.

Determining the scope is not a trivial task and it is a phase that should not be taken lightly, because a lot of extra work will have to be completed if we do it incorrectly.

Risk analysis

Banks are companies that work with the concept of risk in almost all the operations they do. Risk also appears in information security, where it is used to model the probability of something bad happening to our data. One fundamental concept in ISO 27001 is that risks should be identified through a risk analysis and that they should then be mitigated, avoided, transferred or accepted by management.

Risks can be mitigated or reduced by applying security controls from ISO 27001 Annex A or from elsewhere. Risks can also be transferred: a company can transfer the risk associated with a process by outsourcing the process, for example. When you transfer a risk, the risk never disappears; it is combined with the other risks associated with controlling the supplier. Usually, the only way to avoid a risk is to avoid the process or information asset that carries the risk. In the end there will still be residual risks that management can choose to accept.

Risk analysis methodologies

There exist a multitude of previously developed risk analysis methodologies, but ISO 27001 does not require using any of them. A bank can adapt its own methodology to the ISO 27001 requirements and use it to assess its information asset risks. Two very important risk analysis methodologies are Magerit and OCTAVE.

Change management

Change management is fundamental in the banking industry. It is a concept not very developed in ISO 27001 compared to other standards, but still very important. In ISO 27001 change management appears in control A.10.1.2 Change Management, which says that changes to information processing facilities and systems shall be controlled.

One way to control changes in an organization is by defining and implementing the concepts of a configuration baseline and the request for change. The configuration baseline is the initial state of the configuration of an organization asset that should be under change control. From this point, any change to the asset configuration should be proposed through a request for change that must be approved after being analyzed by a designated responsible entity. The change is then made and the configuration baseline is updated.

Having a change procedure established is essential in any banking organization. Being an industry very accustomed to formal procedures helps in the ISO 27001 implementation. The main focus should then be adapting and integrating currently established procedures into ISO 27001, and improving them if possible.
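As an added illustration of the baseline and request-for-change mechanism just described (example code, not from the article or its author), the following Python models change control over a set of configuration items: every item is recorded in a baseline as a SHA-256 digest, a later snapshot is compared with it, and each difference must match an RFC approved by the designated responsible entity, otherwise it is reported as unauthorized drift. Item names, RFC identifiers and file contents are constructed for the example.

```python
"""Configuration baseline and request-for-change control (ISO 27001 A.10.1.2).

Added illustration, not code from the article: every configuration item under
change control is recorded in a baseline as a SHA-256 digest. A later snapshot
is compared with the baseline, and each difference must be covered by an RFC
that the designated responsible entity has approved; anything else is reported
as unauthorized drift and is never promoted into the baseline. Item names, RFC
identifiers and file contents below are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class RequestForChange:
    rfc_id: str
    item: str                    # configuration item the change applies to
    expected_digest: str | None  # digest after the change; None means removal
    approved: bool = False       # set only by the designated responsible entity


def take_snapshot(items: dict[str, bytes]) -> dict[str, str]:
    """Digest every configuration item; the first snapshot becomes the baseline."""
    return {name: digest(content) for name, content in items.items()}


def review_changes(baseline: dict[str, str], snapshot: dict[str, str],
                   rfcs: list[RequestForChange]) -> dict:
    """Classify every difference between baseline and snapshot.

    A change counts as approved only when an approved RFC names the same item
    and the exact resulting digest, so a change that goes beyond what its RFC
    described still shows up as drift.
    Returns {"approved": {item: rfc_id}, "unauthorized": [item, ...]}.
    """
    approved_targets = {(r.item, r.expected_digest): r.rfc_id
                        for r in rfcs if r.approved}
    review = {"approved": {}, "unauthorized": []}
    for item in sorted(set(baseline) | set(snapshot)):
        before, after = baseline.get(item), snapshot.get(item)
        if before == after:
            continue
        rfc_id = approved_targets.get((item, after))
        if rfc_id is None:
            review["unauthorized"].append(item)
        else:
            review["approved"][item] = rfc_id
    return review


def update_baseline(baseline: dict[str, str], snapshot: dict[str, str],
                    review: dict) -> dict[str, str]:
    """Promote approved changes into the baseline. Drift is left out, so it keeps
    being reported until it is reverted or covered by an approved RFC."""
    updated = dict(baseline)
    for item in review["approved"]:
        if item in snapshot:
            updated[item] = snapshot[item]
        else:
            updated.pop(item, None)   # approved removal of a configuration item
    return updated


# Constructed sample: the approved state of three configuration items ...
BASELINE_ITEMS = {
    "firewall/rules.conf": b"allow tcp 443 from branch-net\n",
    "sshd/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "db/pg_hba.conf": b"hostssl all all 10.0.0.0/8 scram-sha-256\n",
}
# ... and the state found on the systems some time later.
CURRENT_ITEMS = {
    "firewall/rules.conf": b"allow tcp 443 from branch-net\nallow tcp 8443 from branch-net\n",
    "sshd/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "db/pg_hba.conf": b"hostssl all all 10.0.0.0/8 scram-sha-256\n",
}
RFCS = [
    # Approved: the firewall change was analyzed and accepted before being made.
    RequestForChange("RFC-0042", "firewall/rules.conf",
                     digest(CURRENT_ITEMS["firewall/rules.conf"]), approved=True),
    # Proposed but not approved: the sshd change must not become the new baseline.
    RequestForChange("RFC-0043", "sshd/sshd_config",
                     digest(CURRENT_ITEMS["sshd/sshd_config"]), approved=False),
]


def run_example() -> tuple[dict, dict[str, str]]:
    baseline = take_snapshot(BASELINE_ITEMS)
    snapshot = take_snapshot(CURRENT_ITEMS)
    review = review_changes(baseline, snapshot, RFCS)
    return review, update_baseline(baseline, snapshot, review)


if __name__ == "__main__":
    review, new_baseline = run_example()
    print("approved:", review["approved"])               # {'firewall/rules.conf': 'RFC-0042'}
    print("unauthorized drift:", review["unauthorized"])  # ['sshd/sshd_config']
```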

Business continuity

When talking about the banking industry, business continuity is a major preoccupation. In ISO 27001 all business continuity requirements are defined by the controls of the 14th domain, called Business Continuity Management. In addition, the banking industry is subject to numerous laws that enforce business continuity requirements.

Legal compliance

Legislation is different in each country, and the team that is going to implement ISO 27001 in a bank must know that without compliance with the applicable laws the ISO 27001 certificate can't be issued.

Conclusions

Implementing ISO 27001 in an organization is always a huge task, and implementing it in a bank is no exception. There exist a number of factors that facilitate the implementation of ISO 27001 in such companies. For example, this business is already very regulated and procedural. By its very nature, it is logical to expect that every bank has already implemented a lot of the ISO 27001 requirements, because they are very obvious whenever you are worried about security. The main work should be to adapt, integrate and improve the already established procedures and security controls so they can be aligned with the ISO 27001 requirements.

Florencio Cano Gabarda

I studied Computer Engineering at the Polytechnic University of Valencia (Spain). I specialized in operating systems and networking, later focusing on computer security. I created the startup SEINHE, where we offer security consulting and auditing.



Secure Web Filtering

Online Banking Security Magazine, 2/2011

The web is a scary place. The best thing about the web and the worst thing about the web amount to the same thing: you can find anything on the web. Movies, pictures, Christmas shopping, software, games, friends: it's all there. So also are computer viruses, pornography, con artists, casinos, militant radicals and hate groups. Most of the web is open-access: there are no doors, no warnings, no clearly marked safe areas. Children and adults alike can find themselves in unintended places looking at content that is offensive, time wasting, fraudulent or dangerous.

Enter the software intended to create order out of the chaos by cataloging the web and providing control over access to web sites based on their category. Schools have adopted the technology to keep students from downloading pirated music and viewing mature content. Businesses have adopted the technology to reduce the amount of time employees waste playing games and watching movies, and to reduce liability from lawsuits by employees exposed to offensive web pages or by copyright holders whose unlicensed material was downloaded to a company computer.

Web filtering has become a massive undertaking as the web has exploded into billions of web pages. With the popularity of Web 2.0, many of those pages are updated continuously by users around the world. YouTube hosts videos that can be posted by anyone; Wikipedia hosts articles and images that can be added or edited by anyone; Facebook, Bebo, Blogspot, Flickr, Geocities, and hundreds of thousands of other sites are similarly driven by a constant influx of unmoderated, user-submitted content.

Adding to this explosion is the shift to the web as the predominant method of distributing malicious software (malware) such as computer viruses to innocent web surfers. The volume of malware found on the web has exploded while the methods used to infect users' computers have become more devious. At the same time there has been an explosion of websites, dubbed phishing sites, designed to trick users into entering passwords, bank account numbers, credit card numbers and other personal information.

The result of this is that the web is an even scarier place and the job of web filters is more difficult than ever before, with few web filters able to adequately keep up with these new challenges. This white paper addresses what it takes to be a secure web filter and to meet the challenges of the modern web environment.

Secure Web Filtering vs. Classic Web Filtering and Anti-Virus

Classic web filtering is mainly effective at blocking websites dedicated to social networking, pornography, gambling, etc. Secure web filtering is effective at identifying and blocking those same areas, but with an added emphasis on blocking sites that host malware, phishing, exploits or anything that risks the security of company information. Another distinction is that classic web filtering will take a site like Facebook or Wikipedia and give the entire site one category, but secure web filtering will examine every page of the site and separately categorize pages that are different from the rest of the site, such as pages that host malware or nude pictures.

It has been common over the last several years for companies to use classic web filtering in combination with anti-virus programs. The anti-virus programs are relied on to detect malicious web pages and block malicious downloads, but in practice even the best anti-virus software has several hours of lag time between when a virus is first seen in the wild and when the anti-virus company deploys signatures. This window of time when protection is lacking is the window of time virus writers try to exploit.

These days it is common to see thousands of new virus variants in a day, with numerous variants being posted to the same distribution point. The virus writer preps a number of viruses not caught by top AV scanners, and then deploys them one at a time as protection comes online for each variant. However, once the distribution points for the series of virus variants are detected, access can be blocked regardless of the changing payload. In other words, secure web filtering, if done right, bridges the gap between virus release and anti-virus protection.

This new environment means that security best practices need to evolve to match the evolution of threats. Without good secure web filtering, computers are constantly at risk. Secure web filters are now required components in best-practice security deployments, along with anti-virus, intrusion prevention, firewalls, log monitoring and other now well-established products.

Hallmarks of a Secure Web Filter

It is common for web filters to advertise that they provide another layer of security, but it can be difficult to gauge how effective that protection is. As a first measure, consumers should look for these hallmarks of secure web filtering, without which their web filter cannot truly claim to be secure.

Targeted Categorization

With billions upon billions of web sites in the wild, it is important for a web filter to have the most commonly visited sites categorized. The Active Web consists of the web sites that receive the most traffic and are the most requested by Internet users. A secure web filter must have a very high percentage of these Active Web sites categorized, and categorized on a granular scale. A secure web filter still must carry out the functions of the classic web filter, blocking access to inappropriate sites while allowing access to critical sites. With that said, an emphasis on accuracy, particularly as it pertains to the Active Web, is needed to ensure the effectiveness and usability of a web filter in a business environment.

Real-time Categorization

A secure web filter must have real-time or very near real-time updating, or it cannot block malicious websites as they come online. The average lifespan of a phishing website is less than twenty-four hours. Many threats, from anonymizing proxies to P2P file sharing nodes, come on and offline that fast or faster. In addition, malware is increasingly using the HTTP protocol to call home to get instructions or send information back to its publisher.

To prevent access or transfer of information to these sites, website classification should take place on the fly using dynamic reputation services, heuristics, content and image scanning, as well as other indicators. This is often called auto-classification; the key to this is making the categorization available in the cloud immediately. This can prevent worms such as Conficker from spreading or inflicting damage by blocking the worm's call-home process.

Zero-Hour Malicious Site Protection

Malicious sites pop on and offline very rapidly, often containing malware in multiple variants to ensure they can get past definition-based anti-virus undetected. In many cases the distribution point is the same, or there will be multiple distribution points for the same malware. These sites can contain drive-by threats requiring no user interaction, hidden iframes that download malware to the computer, or any number of other Web 2.0 threats. No longer is just the computer the target; the user and their sensitive personal information are increasingly the primary target.

A secure web filter works by blocking access to these distribution points, preventing access to the site before any malicious software can even be downloaded. To determine what sites should be blocked, web filtering companies should have expert knowledge of malicious code and the methods used to distribute this code throughout the Internet. A web filtering vendor in the Web 2.0 environment can no longer be singly focused on URL categorization; they must also be experts in virus and malware detection.

Classic anti-virus programs or web filtering systems can do little to prevent infection by these zero-hour threats. Using a web filter with real-time categorization can significantly decrease the window of vulnerability to any particular virus. This window of vulnerability is the time between when a virus is released and when your anti-virus program is updated to recognize and block the virus. This can often take hours or days, whereas a secure web filter can block this traffic very quickly, using cloud-based computing to perform an intensive, in-depth analysis.

Web 2.0 Inspection

The Internet has turned into a very dynamic environment, with each site containing varying types of information including videos, blogs, forums, pictures and other user-contributed information. On almost any blog or social networking page anonymous users can post content. This content is often posted with good intentions; on the other hand it could contain offensive material, links to malware downloads, malicious images or code. These sites need to be scanned regularly, looking for malware and offensive material, so that they can be appropriately filtered.

Prior to Web 2.0, a classic web filter would take a site like google.com, call it a search engine and trust the site and any results it returned unconditionally. While this approach may have worked in the past, it is no longer sufficient. Because users are searching on Google, they often assume the results are safe; however, Google searches can also return pornographic images, links to malware downloads and malicious pages. Some worms can even redirect Google search results to their own malicious websites to download even more malware. While a secure web filter will prevent access to these dangerous search results, the classic web filter will not. The shift to the web as the predominant method of malware distribution, combined with the current web atmosphere, makes secure web filtering an absolute necessity.

Granular Categorization

As was touched on previously, a Web 2.0 site may have pages with all different types of content. Classic web filters might take a site like www.wikipedia.org and classify the entire site under education. While the majority of the site is inherently educational, many pages on the site should be categorized differently or have additional categories assigned to them. For example, the Wikipedia page on Naturism (advocating social nudity) contains several nude images which might be considered offensive to some and inappropriate for school-age children. This page requires an additional category, such as nudity, to correctly prevent access to the page in a work environment or where young children could view the page. Due to the varying content from page to page across a site, many sites can no longer be grouped into one category. Each web page on a site should be inspected and classified based on the content on that given page. Granular URL classifications across a variety of categories must be used for specific pages, paths, subdomains and parent domains. This in-depth inspection and granular categorization is required for the Web 2.0 world, and any web filtering company hoping to provide a comprehensive solution must inspect all page content across the entire site.
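Added example (not the article's or any vendor's code) of the page-level categorization described in this section and of the distribution-point blocking described under Zero-Hour Malicious Site Protection: rules attach categories to a host and a path prefix, a page inherits the categories of every matching rule (so the site-wide education category stays while the Naturism page gains nudity), and a path categorized as malware blocks every file served under it whatever its name or payload. The example-blog.test and accounts-verify.test hosts, their paths and the two policies are constructed.

```python
"""Granular, page-level URL categorization (added illustration, not from the article).

Rules attach categories to a host (parent domain or subdomain) and a path prefix.
A page inherits every category of the rules that match it, so a site-wide rule
("wikipedia.org" -> education) still applies while a page-level rule adds a
further category to one path. The same mechanism blocks a malware distribution
point by path, whatever file name or payload variant is served under it. Hosts,
paths and policies other than the Wikipedia and Facebook examples are constructed.
"""
from urllib.parse import urlsplit

# (host pattern, path prefix, categories). A host pattern matches the host
# itself and every subdomain of it; the prefix "/" matches every path.
RULES = [
    ("wikipedia.org",        "/",              {"education"}),
    ("en.wikipedia.org",     "/wiki/Naturism", {"nudity"}),
    ("facebook.com",         "/",              {"social-networking"}),
    ("example-blog.test",    "/",              {"personal"}),    # constructed
    ("example-blog.test",    "/uploads/dl/",   {"malware"}),     # constructed distribution point
    ("accounts-verify.test", "/",              {"phishing"}),    # constructed
]

# Constructed policies: which categories each environment blocks.
SCHOOL_POLICY = {"nudity", "malware", "phishing"}
WORK_POLICY = SCHOOL_POLICY | {"social-networking"}


def _host_matches(pattern: str, host: str) -> bool:
    # "notwikipedia.org" must not match "wikipedia.org": require a label boundary.
    return host == pattern or host.endswith("." + pattern)


def _path_matches(prefix: str, path: str) -> bool:
    if prefix == "/":
        return True
    stem = prefix.rstrip("/")
    # Match the page itself and anything below it, but not "/wiki/Naturism2".
    return path == stem or path.startswith(stem + "/")


def categorize(url: str, rules=RULES) -> frozenset:
    """Union of the categories of every rule matching the URL's host and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    path = parts.path or "/"
    cats = set()
    for pattern, prefix, categories in rules:
        if _host_matches(pattern, host) and _path_matches(prefix, path):
            cats |= categories
    return frozenset(cats)


def decide(url: str, blocked: set, rules=RULES) -> tuple:
    """Return ("block" | "allow", sorted categories). Uncategorized URLs are
    allowed here; a stricter deployment would send them for real-time scanning."""
    cats = categorize(url, rules)
    action = "block" if cats & blocked else "allow"
    return action, tuple(sorted(cats))


if __name__ == "__main__":
    for u in ("https://en.wikipedia.org/wiki/Python",
              "https://en.wikipedia.org/wiki/Naturism",
              "https://example-blog.test/uploads/dl/setup_v17.exe",
              "https://www.facebook.com/"):
        print(u, "->", decide(u, WORK_POLICY))
```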

Challenges of Secure Web Filtering

Securing the web is more challenging now than ever before. The new dynamic nature of the web, rapid global expansion and constantly evolving technology and threats make for a very demanding undertaking for web filtering companies. Read on to determine how well your web filtering solution is measuring up to some of these challenges.

Size of the Web

At this point, no one knows how many pages or sites the web actually consists of. As recently as last year, Google announced they had indexed 1 trillion unique URLs, but how many have they not indexed? How many were not unique and led to the same content? How many have been removed or are no longer accessible? It is amazing to think that hundreds of millions of pages are changed and added to the web per day. At the same time, this presents a difficult scenario for companies trying to index or categorize the web.

It's safe to say that under current conditions the entire web will never be fully categorized. The goal of a web filtering company, and the most important part, is to categorize the sites people are actually visiting. This brings back the concept of the Active Web, or sites people are actually visiting. Sure, there may be millions of dormant sites available on the internet; but if no one has visited these sites in 10 years, and there is no security threat, how important is it to have them categorized? It is the sites people are actually browsing to that are important. To address the challenge, a web filtering company must focus their coverage on the Active Web and on getting these active sites and pages categorized correctly.

Quality and Freshness

Accuracy is as important as anything else when considering a web filtering solution. With the enormous size of the web, and sites constantly changing as contributions and updates are made to Web 2.0 pages, there is a perpetual struggle to maintain accurate categorizations. What was once a personal web page could be filled with pornographic images the next day. How long would it take to catch the change and block this page? It is easy for a web filtering company to categorize a site, but once that categorization has been assigned, how often is a page revisited?

These are important questions. Rescanning of already categorized web sites is a requirement for web filtering companies and should take place frequently. This is especially true for vendors claiming to provide secure web filtering. If these companies aren't rescanning sites to ensure that they have not been compromised, that they don't host malware, and to verify that they haven't become phishing sites, then these companies cannot claim to provide secure web filtering.
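Added example (not from the article) of a rescan policy answering the "how often is a page revisited?" question above, and the freshness demands of the Real-time Categorization section: how long a categorization is trusted depends on the riskiest category the page carries, and a page whose categories changed at its last rescan is checked again sooner, so a personal page that turns into a porn or phishing page is caught quickly. The interval table, hostnames and times are constructed.

```python
"""Adaptive rescan scheduling for already-categorized pages (added illustration,
not the article's code). A categorization is trusted only for a limited time:
the interval depends on the riskiest category the page carries, and a page whose
categories changed at its last rescan is checked again sooner. Times are in
hours; the interval table and sample pages are constructed for the example."""
from dataclasses import dataclass, field

# Constructed policy: hours a categorization stays trusted, per category.
BASE_INTERVAL_H = {
    "phishing": 6, "malware": 6, "user-content": 24,
    "pornography": 48, "personal": 72, "education": 168,
}
DEFAULT_INTERVAL_H = 72
MIN_INTERVAL_H = 1


@dataclass
class PageRecord:
    url: str
    categories: frozenset
    last_scanned_h: float
    interval_h: float
    history: list = field(default_factory=list)   # (time, old, new) per rescan


def base_interval(categories) -> float:
    """The riskiest category sets the pace: the shortest interval wins."""
    return min((BASE_INTERVAL_H.get(c, DEFAULT_INTERVAL_H) for c in categories),
               default=DEFAULT_INTERVAL_H)


def new_record(url: str, categories, scanned_at_h: float) -> PageRecord:
    cats = frozenset(categories)
    return PageRecord(url, cats, scanned_at_h, base_interval(cats))


def is_due(rec: PageRecord, now_h: float) -> bool:
    return now_h - rec.last_scanned_h >= rec.interval_h


def due_pages(records, now_h: float) -> list:
    """Pages whose stored categorization may no longer be trusted, most overdue first."""
    return sorted((r for r in records if is_due(r, now_h)),
                  key=lambda r: now_h - r.last_scanned_h - r.interval_h, reverse=True)


def record_rescan(rec: PageRecord, new_categories, now_h: float) -> bool:
    """Apply a rescan result; returns True when the categories changed.
    A changed page is rechecked at half its base interval (never below MIN);
    a stable page relaxes back to the full base interval."""
    new = frozenset(new_categories)
    changed = new != rec.categories
    rec.history.append((now_h, rec.categories, new))
    rec.categories = new
    rec.last_scanned_h = now_h
    base = base_interval(new)
    rec.interval_h = max(MIN_INTERVAL_H, base / 2) if changed else base
    return changed


def make_records() -> list:
    """Constructed sample: three pages categorized at hour 0."""
    return [
        new_record("https://personal-page.test/", {"personal"}, 0),
        new_record("https://en.wikipedia.org/wiki/ISO/IEC_27001", {"education"}, 0),
        new_record("https://community-forum.test/thread/123", {"user-content"}, 0),
    ]


def run_example() -> dict:
    """Hour 80: list due pages, then rescan the personal page, which now serves porn."""
    records = make_records()
    due = [r.url for r in due_pages(records, 80)]
    page = records[0]
    changed = record_rescan(page, {"pornography"}, 80)
    return {"due_at_80h": due, "changed": changed, "next_interval_h": page.interval_h,
            "due_at_100h": is_due(page, 100), "due_at_104h": is_due(page, 104)}
```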

Language

As the web continues to grow and become more accessible to various regions throughout the world, the percentage of non-English sites continues to rise. This will be a continuing trend and becomes an important consideration for web filtering companies and consumers. Disregarding these sites is no longer an option and has left many vendors scrambling to find solutions to this new challenge. Companies are now required to gain competence in dozens of languages to achieve appropriate coverage of the web. Moreover, these vendors need to integrate these languages into the technologies they use to filter and categorize these sites. The resources required for this can be extensive, not only in terms of technology and development time, but also in terms of language experts and web analyst personnel.

Performance

With billions of web sites, constant monitoring, in-depth analysis, malware scanning, language analysis and other considerations, performance becomes a major concern. In the world of high-speed internet, users are no longer willing to wait for categorizations to be delivered and pages to load. Web filtering vendors are challenged with the proposition of creating a fast and simultaneously secure web.

The performance aspects of web filtering are endless. Cloud-based lookups require datacenters located around the world with large amounts of bandwidth, redundancy and computing power. On-disk database systems require large amounts of space, constant updates and available system resources to perform fast lookups. Hybrid approaches, which are often considered the best solution, require both. At the same time, a secure web filter is expected to stop viruses, malware and other threats. Building the infrastructure and providing a web filtering solution to accomplish this is very demanding and requires innovative capabilities, planning, intellectual property and execution to match the needs of today's users. Few web filtering vendors have been able to rise up and meet this challenge.

Protect Your Network with eSoft

Secure web filtering is an integral security deployment for any business network, large or small. eSoft network appliances with Web ThreatPak provide comprehensive security coverage against the newest web-based threats. For more information on how eSoft can help to secure your network, email and web traffic, visit our website at http://www.esoft.com, or contact our sales team at 888-903-7638.

Steve Jenkins
VP EMEA, Q1 Labs


The banking sector is subject to this third type of motivation, a sector that has become a target for hackers. On the other hand, social engineering, as a practice for obtaining confidential information by manipulation of legitimate users, has become one of the greatest threats from many quarters, especially in the banking sector. The aim of this paper is to lay the foundations of social engineering applied to the banking sector, the most common attacks and other less common ones, in addition to the formulas that we have to defend ourselves.

Social engineering

Social engineering is a technique that allows an attacker to obtain sensitive and confidential information of an organization, taking advantage of a well-known security maxim: people (users) are the weakest link in the chain.

An organization can invest tens of thousands of dollars on security devices and systems, but that investment will be useless if a user or an administrator inadvertently gives his password to an attacker. We do not want to miss this opportunity to recall the principles set out by one of the most renowned social engineers, Kevin Mitnick, to explain the success of this technique:

• We all want to help.
• The first move is always to trust the other.
• We do not like to say no.
• We all like to be praised.

These principles represent a declaration of intent, and also a revelation to any attacker with minimal computer knowledge and social skills.

In relation to the types of social engineering attacks available, attacks by physical and electronic media are the most common. The types of social engineering attacks by electronic means used are:

• Phone calls. Thus, a skilled attacker can persuade the victim to provide user names, passwords, network names, etc.
• Mass or targeted emails. This is the most frequent way victims enter a phishing attack or bank fraud.

Additionally, this is also used to introduce some kind of malware into an organization. The combination of attacks by physical and electronic media is rare but can cause a great impact on any organization.

Operationally, outside of the principles of Mr. Mitnick, there are two or three additional premises so we can give a more accurate picture of why these attacks work:

• The sense of humor is essential in social engineering, because a user becomes relaxed, and this lowers the level of alertness in the victim.
• Gaining the trust of a user is not always a conscious decision made by the victim; usually it is instinctive.

    Why it wks i th bakig sct?The banking sector has two features that work best in social

    engineering attacks: trust and delocalization.Financial institu-

    tions need to build trust and closeness in dealing with customers,

    more than any other sector, since there is a large amount of finan-

    cial services available in the market place, customers tend to gowhere they feel safe. If an employee or office manager does not

    attempt to gain the trust of a client, they are unlikely to retain that

    client as a customer. It is precisely this confidence that initially the

    worker provides the hook for a potential attacker through the figure

    of a social engineer. On the other hand, there is a huge geographi-

    cal delocalization ofvarious offices that usually make up the network

    of any bank. The geographic delocalization means that they can

    spend months or years until two workers from two different offices

    actually meet or talk on the phone.

    Obtaining personal data of a specific employee of a bank can pro-

    vide a social engineering attack in another office that is geographi-

    cally far, just based on this delocalization. These aspects, combined

    with the use of electronic banking systems, provide an environment

    that greatly facilitates social engineering attacks.

    ImpactFor the banking sector, social engineering attacks should repre-

    sent the main threat in a formal risk analysis. Although in most

    SOCIAL ENGINEERING

    IN THE BANKINGSECTORAny computer attack is usually for one of three motives: ego,ideals and / or money. By ego the youngest hackers make

    mistakes, as well as seeking recognition by their peers. Byideals people carry their actions to the bitter end, defendinghis political, religious or other reasons. By money...

  • 8/2/2019 Banking Security Magazine 2 20112

    11/44

    SOCIAL ENGINEERING IN THE BANKING SECTOR

    2/2011

    cases the targets of the attacks are their customers and financial

    losses are for them, the attacks have a significant impact on the

    reputation and customer confidence of the financial institution

    that is successfully breached.

Measures

The banking industry has implemented various preventive measures to minimize the risk and impact when subjected to social engineering attacks. These measures include the establishment of security protocols, digital signatures, and of course, training and awareness. We find particularly relevant the SMS confirmations of bank transfers that have been imposed in certain organizations, which provide an effective defense against phishing attacks. On the other hand, the establishment of coordinate cards for access to the account or for authenticating operations is widespread among the various banks. The establishment of specialized information security units within organizations in the banking sector has made efforts to centralize the management of risks, but there is still a long way to go, especially in small and medium-sized banks.

Trusted employee attack

After this formal introduction to social engineering attacks we will look at several very effective social engineering methods with which an attacker can obtain sensitive information that is important for more sophisticated attacks.

Let us begin with harnessing the trust of unsuspecting employees, with an example that could also be called "suspicious customers".

Into an office of a financial institution comes a potential customer who wants to open a bank account and is likely to operate a high-usage account. The office manager asks him to bring his documents in physical form, and the customer asks whether they can be submitted electronically, which is easier for him because everything is scanned. Additionally, he asks for information about the electronic safety measures of the bank, emphasizing unpleasant past experiences in other financial institutions: credit information theft, phishing, etc. Some bank employees reveal a lot, others less, but all reveal something, because in a proper environment for dialogue everyone wants to win the confidence of potential customers, be they genuine or malicious. The malicious client then sends the documents to the office director's corporate email and requests an electronic read receipt. This fact, which anyone would consider a normal way to ensure reception, has a hidden purpose: reading the email headers that come back, along with the information about the ICT infrastructure that accompanies them: email management system, servers, firewall IP addresses, etc. This is another form of fingerprinting, but faster and first-hand. Additionally, employees of bank branches usually like to explain the bank's internal operations to a customer, such as "look, the rating of application X is bad", "we have communication problems with the application"... If before this the director or employee of the bank authenticates in front of us, we obtain, through a variant of shoulder surfing, a username and password in an instant.

After a while, and some visits to the same office, tens of thousands of dollars of the bank's investment in computer security systems are bypassed by a trusted employee... and a suspicious customer. We can assure you that this works, from experience. The formula to protect against this attack, like other types of social engineering attacks, is the same, in two parts: awareness and training.

Phishing attacks

Phishing or electronic banking fraud is currently the main concern for banks, since by supplanting the corporate website of a bank, the attackers get users to provide their usernames and passwords.

Over recent years several rootkits have appeared with which to create phishing attacks mimicking the interfaces and functionality of electronic banking pages. These rootkits can be obtained via the Internet or bought for money, and are easily accessible, quite a problem that leads to the proliferation of such crimes.

Analyzing phishing figures a little, according to the study of the second quarter of 2010 by APWG, the sectors hardest hit by phishing are the financial and payment services, with 71% of phishing attacks. This gives us a good indicator of where hackers are focusing their efforts. Regarding the geographic distribution of phishing servers, the same study shows that the U.S. accounts for 68.17% of phishing servers worldwide; this does not imply that the computer attackers belong to those countries, but that they are the attack platforms. These values are usually quite stable, especially the high percentage associated with the U.S. As for the rest of the values, they tend to fluctuate in and out of European and Asian countries.

A phishing attack does not directly affect the bank, but its online banking users, who without their knowledge provide the access codes to their bank account to computer attackers, which are then used to transfer money or buy on the Internet without authorization.

Phishing attacks are usually combined with a barrage of spam, because you have to convince thousands of potential users of the bank that something has happened and that they must connect to a web page, which obviously contains the phishing malware.

Experience tells us that the attackers' computer platforms often run their phishing attacks and spam in a unified way, utilizing previously attacked foreign servers. I remember recently a small company in Spain whose owner, who in turn had hired the Internet line, was charged in dozens of cities across the country, because his company server had been used to mount this kind of platform, in turn committing bank robbery offenses against legitimate users, with the complaints being filed in the hometowns of the victims. This case is one of hundreds that occur worldwide each year.

The methods set up by banks to minimize the risks of phishing are the awareness and training of online banking users, through manuals and information documents, to a greater or lesser extent depending on the size of the bank. Therefore, computer attackers do not usually focus on large banks, but on small and medium-sized banks, with fewer safeguards and lower levels of awareness among users of electronic banking.

On the other hand, we have implemented coordinate cards or SMS confirmations that minimize the risk when a user of the bank is the victim of a phishing attack.

Organized crime has focused on this type of crime, since it is white collar and the profits are enormous. In fact, have you heard of Hackerville? Well, maybe not; it is the nickname (a bad choice, because being a hacker is another matter) of a small town in Romania that has gone from motorcycle dealers to dealerships of luxury, high-powered cars. What is the reason for this change? Internet users who are not aware, and weak security measures in some organizations of the banking and financial sector...

False employee attack

This attack was created by our company due to the circumstances faced by banking institutions: trust and delocalization. The false employee attack is a mixture of social engineering by electronic means and physical media; the basis is to create a false identity for the attacker. It is difficult to mount the full attack, since it is subject to obtaining prior information and to technical circumstances, but if these factors come together, it is really effective. The first thing to do is get the email address of the technical service or internal user support service of the bank, which can be obtained in a couple of visits to any office of the entity, by charlatanism or shoulder surfing. It can also be obtained from any former employee, bank contact or otherwise; the world is not as big as one might think, nor corporate data as secure...

The next step is to play with the mail server of the financial institution: you telnet to the SMTP service and manually create an e-mail which is sent to the director of the bank office. The origin of the email is the internal technical service's electronic address, which is a valid address for the mail server, and the body of the message is something like this: "Hello, tomorrow we are checking the equipment of your office. As a security measure, please note that the person who will review your equipment is: D. XXXXXXXX...". We have just created a false email that serves its purpose with the director of the office, who in 90% of cases does not verify it, since the sender address is the usual one and he has much work to do day to day.

The next step takes place again in the physical environment: the false employee presents himself to the director of the office with the name specified in the mail, and handles sensitive information and/or copies documents from the computers, depending on the permissions he is granted or the USB ports on the computers; information can also be obtained during the first phase of the attack.

The possibilities and variations of this attack are surprising; it is based on exploiting two concepts: the SMTP server vulnerabilities and the trust that a known email address provides.

We can increase the effectiveness of this attack by selecting an office manager who is trusting, and this is ascertained by visiting several different offices before settling on our victim.
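A defensive counterpart to the forged "technical service" e-mail described above, added here as an example and not part of the original article: a check, run over constructed sample messages, that flags mail claiming an internal sender which entered the bank's own MX from an unauthenticated client outside the internal network. The domain bank.example, the host mx.bank.example, the 10.0.0.0/8 range and the messages are assumptions.

```python
"""Flag mail that claims an internal sender but entered the bank's own MX
from an unauthenticated client outside the internal network, which is the
trace left by a message injected directly into the SMTP service.
Added example: domain, host names, addresses and messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "bank.example"                          # assumed
OUR_MX = "mx.bank.example"                                # assumed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed

# Client address an MTA records in square brackets, e.g. "(host [10.1.2.3])"
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 3848 keywords an MTA writes only when the client authenticated
AUTH_KEYWORDS = ("with ESMTPA", "with ESMTPSA")


def entry_hop(msg):
    """Return the Received header our MX added when the message entered
    the bank's infrastructure.  MTAs prepend Received headers, so the last
    one naming our MX is the earliest hop we control; any header below it
    was supplied by the sender and can be forged, so it is ignored."""
    for hdr in reversed(msg.get_all("Received") or []):
        if f"by {OUR_MX}" in hdr:
            return hdr
    return None


def classify(raw_message):
    """Return 'external-sender', an 'ok: ...' verdict or a 'suspect: ...'
    verdict for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        return "external-sender"      # ordinary outside mail; not this check's job
    hop = entry_hop(msg)
    if hop is None:
        return "suspect: internal sender with no trace through our MX"
    if any(keyword in hop for keyword in AUTH_KEYWORDS):
        return "ok: internal sender, authenticated submission"
    match = CLIENT_IP.search(hop)
    client = ipaddress.ip_address(match.group(1)) if match else None
    if client is not None and any(client in net for net in INTERNAL_NETS):
        return "ok: internal sender from the internal network"
    who = client or "unknown client"
    return f"suspect: internal sender injected from {who} without authentication"


# Constructed samples.  FORGED is what the false employee attack leaves behind:
# the help desk in the From header, but the MX saw an outside client that never
# authenticated.  LEGIT came from an internal workstation that authenticated.
FORGED = """\
Received: from unknown (unknown [203.0.113.7]) by mx.bank.example with SMTP id 1; Mon, 1 Aug 2011 09:00:00 +0200
From: Technical Service <helpdesk@bank.example>
To: director.branch42@bank.example
Subject: Equipment check tomorrow

Hello, tomorrow we are checking the equipment of your office.
"""

LEGIT = """\
Received: from wks-042.bank.example (wks-042.bank.example [10.1.2.3]) by mx.bank.example with ESMTPSA id 2; Mon, 1 Aug 2011 09:05:00 +0200
From: Technical Service <helpdesk@bank.example>
To: director.branch42@bank.example
Subject: Scheduled maintenance

Reminder of the maintenance window agreed last week.
"""

if __name__ == "__main__":
    for name, sample in (("FORGED", FORGED), ("LEGIT", LEGIT)):
        print(name, "->", classify(sample))
```

At scale this is the reasoning that SPF, DKIM and DMARC policies apply automatically; the function shows it on a single message so the trace of an injected e-mail is visible.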

Baiting

It is an attack that plays on the curiosity or greed of employees in the form of a USB memory, CD-ROM or similar device properly labeled with corporate logos and a good hook text such as "Confidential: Wages HR 2012" or "personal forecast 2012", but which is actually infected with malware. To be honest, you could even call this a Trojan Horse attack, because the basis is the same. The malware infects the computer once the medium is accessed, and then the attacker can obtain sensitive and confidential information from it. It is an attack that works especially well with employees who often work with laptops, as their security is usually lower than that of desktops.

The defense against this attack goes through the formula of awareness, and complete protection with anti-malware software on each and every one of the information processing devices of the organization, including laptops.

Facing the harsh reality

Measuring the actual levels of awareness and training within a bank or financial institution in the field of social engineering can lead to real headaches for those responsible for information security, not because of the process but because of its results. We venture to say, without risk of error, that nine out of ten workers in the banking sector think that social engineering is something else, something far more benevolent than it really is. Security officers not only have to educate users of electronic banking, rather complicated in itself, but also the employees of the organization. Therefore the task for the security officers of banks to minimize the risks of such attacks is hard, especially because it is very difficult to change user behavior, given the natural resistance to change we all have. But everything gets complicated when you have to convince them to maintain minimum levels of alertness when dealing with their own environment.

The reality is harsh in relation to social engineering by electronic means, although much less so in relation to social engineering attacks by physical means. In fact, it is difficult to establish an effective attack rate for the "Hi, I am from the Customer Support Center, here to take a look at the computers, we encountered some problems" approach.

The reasons for the decrease in effectiveness of social engineering attacks by physical means are related to several factors: credibility, eloquence and physical presence.

Advice

The formal management of incidents in which phishing has occurred has become a priority for the banking sector, by building on the work of companies such as PhishTank, or by creating your own record. In the case of creating a record of your own, either individually or collectively, it should be as current as possible with the false phishing addresses affecting the bank, and communicated via a secure channel to electronic banking users. Thus, we not only educate, but we can also report what happens.

This record can be maintained jointly with the various CERTs present in each country. The key to operating this type of registry is the refresh rate, since from the moment an attacker sends a mass mailing until a legitimate user connects to the fake page may take a few minutes at most. The peak of the crime occurs between one and three hours after the mailing is sent.

On the other hand, we must educate and train employees internally, from first to last. The creation of a stable security policy on social engineering is an enormous contribution to minimizing the internal risk of attack. This, as part of an Information Security Management System (ISMS) based on ISO/IEC 27001, will allow us to efficiently manage information security within our organization.

Conclusions

Social engineering in the banking sector has become a concern not only because of the potential impact on the institution's own assets, but also because of the impact on its users and customers, in terms of economic losses and loss of image. This goes hand in hand with the loss of confidence in its environment, something that no bank can afford.

Measures to minimize the risk and impact go through improving the awareness and training of users of electronic banking, and the creation of various internal policies and the implementation of the security controls required in the field of social engineering. This, combined with an operating ISMS, can provide a significant reduction in the company's internal risk.

In relation to security checks, we believe the implementation of coordinate cards for authenticating users of electronic banking, and SMS confirmation of every bank transfer made from the customer's account, to be very effective.

Just remember something we all know: we invest tens of thousands of dollars in our organization on devices, applications, penetration testing or expertise, but with an effective social engineering attack all this investment will be futile, because social engineering always hits the weakest link in the chain: man.

Mr. David Montero Abujas (1976), aka Raistlin, is CISA, CISM and CRISC by ISACA, as well as the only holder of the ISMS Lead Auditor degree issued by IRCA in Spain. He is OWASP Andalucia chapter leader and belongs to the ISO subcommittee JTC1/SC27/WG1 of Spain, where he has worked on the edition of ISO 27001, ISO 27007, ISO 27010 and other standards of the ISO 27000 family. In 2006 he founded, and now runs as CEO, Grupo iSoluciones, a group of consulting companies specializing in information security and ethical hacking, with headquarters in Spain and Uruguay, providing services worldwide. He can be contacted at [email protected]

(In)Security of Using Financial Applications on iPhone

Do you have an iPhone? This is a very small question which has a much deeper connotation. Today, the iPhone is slowly becoming a requirement of the youth as well as of corporate professionals. This device bearing an Apple logo is a status symbol in developing nations. With the iPhone comes a variety of apps which are provided by the Apple Store.

Needless to say, the store is a very rich source of all kinds of applications. Some of these are utility based apps and some are games. The Apple store has a significant section called Finance apps which contains a huge list of applications used for banking, credit card transactions, money transfer and related usage. Some of the applications which I could spot at a quick glance of the Apple store are Western Union, Barclaycard, Bank of Oklahoma Mobile Banking, Citibank SG, Union Bank, Bank of America Mobile Banking, U.S. Bank Mobile Wallet, PayPal, Etrade, Fidelity, ING Direct, J.P. Morgan etc. In this article, we will discuss the insecurities of the iPhone, and try to assess how secure it is to use the mobile for banking applications.

False Security of iPhone Hardware

When consumers use the iPhone as a device, they do so because of marketing buzz-words like "Remote Wipe" and "Hardware Encryption". These words are mere marketing terms intended to create a false sense of security among consumers. The sales person would tell you that if your iPhone is lost, you can initiate a remote wipe of the device, hence ensuring that no part of your confidential data is compromised. What they fail to mention is that this can be done only if the SIM card is present inside the iPhone. Think like a thief and tell me, what is the first thing you would do when you steal an iPhone? Yes, you would remove the SIM card and throw it away. And along with that, you successfully bypass the Remote Wipe feature of the iPhone. What is left is just your confidential data, at the mercy of the thief.

Another buzz word was Hardware Encryption (3GS). What does it mean in practice? All it means is that the iPhone hardware ensures that your entire data is encrypted automatically. Someone who is a bit knowledgeable would be able to use any of the standard jail-breaking technologies for the iPhone, which would invoke the hardware chip responsible for encryption to go ahead and decrypt the data by itself before transferring it to the computer. So, even if the data is stored encrypted on the iPhone, when you mirror that image on the computer, it is unencrypted.

Platform Security of iPhone Operating System

While we are discussing the topic of jail-breaking, we must know that jail breaking of the iPhone happens because there is no encryption or PKI based protection on the iPhone boot loader. Once the jail is broken, the bunch of security features provided by iOS (iPhone OS) goes for a toss. But before we describe the effect of jail breaking, let us take a look at some of the security features that iOS provides.

1. Application Sandboxing

The idea of a sandbox is to jail any process in a folder so that it is unable to access any resources on the file system beyond those folders. If you are a Linux user, you may want to revisit the chroot command, which is typically used to jail a process. Similarly, there is a concept of sandboxing in web servers, where a securely written web server ensures that web requests are unable to get out of the webroot and touch other parts of the file system. iOS provides application sandboxing, which means that there is a secure folder created separately for each application on the iPhone. This folder contains files which are specific to this application, including the temporary files. No application would be able to access the files in the sandbox of any other application. For example, the browser cache of Safari installed on the iPhone would not be able to access the files created by the Banking Application; hence, ensuring that the data which you stored while using the banking app is safe from unauthorized access. The only way to access the files created by another application is to explicitly create a link between the two apps in the code itself.

2. Restricted Bluetooth Connectivity

A big avenue of data loss is Bluetooth connectivity, where any paired device is able to share files over Bluetooth. The Bluetooth configuration of the iPhone restricts it from pairing with any device other than a second iOS based device. Hence, an iPhone can pair with an iPad but not with your Lenovo based Bluetooth machine. Moreover, the pairing requires a manual intervention where a randomly generated 6 digit code has to be entered on the other device for successful pairing. Even after pairing, we are only allowed to push files through some specialized application, because direct access to files is not possible, as discussed in the next part.

3. No Access to FS

The iPhone, or rather any iOS based device like the iPad, does not allow direct access to the file system if the device is not jail broken. The underlying file system is HFS, but it is completely shielded from direct user access. Even a browser application like Safari does not have any menu option like "Save" which can initiate a file system browse. Hence, this is an additional step to ensure that the Application Sandbox is not invaded.

Looking at just the security features discussed above, the device seems very reassuring for handling financial applications securely. Now, here is where it fails.

iPhone Security Flaws

1. 3GS Security Broken

The famed 3GS security, which claims hardware encryption and hence implies that the device is ready to handle confidential information related to your finances as well as your corporate emails and documents, is actually broken. If iTunes is used to back up the device to a machine, the entire encryption can be bypassed and we can get an unencrypted copy of the disk data. Additionally, when the device is booting up, it is forced to decrypt the disk for a successful boot operation. This is a time when an attacker with the correct set of tools can extract the entire data from the disk.

2. Files Deleted Are NOT Deleted

Like any standard UNIX based system, a delete operation does not remove the file from the disk. All it does is mark the inode related to this file as inactive and then delete the entry for this inode from the parent directory inode. Hence, the actual data blocks stay as they are on the disk until the point in time when the same disk blocks are overwritten by another file. The iPhone device has a huge amount of disk space and hence, the typical time before this section of the disk gets overwritten is in the order of months. If the device is stolen or jail-broken at any point in time, the attacker not only gets the data readily available from the file system but can also use standard recovery tools to extract the deleted files. This becomes a serious concern if the files contained some sensitive financial information.
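The behaviour described above, shown as an added example that is not part of the original article: a plain unlink leaves the bytes readable, while an overwrite before the unlink does not. The secret is constructed, and the script assumes a POSIX file system.

```python
"""Demonstrate that unlink() removes only the directory entry and the bytes
stay on disk until something overwrites them; then the mitigation of
overwriting the content before unlinking.
Added example with a constructed secret; it assumes a POSIX file system."""
import os
import tempfile

SECRET = b"ACCOUNT 12345678 EXP 12/14 CVV 123"   # constructed, not real data


def unlink_keeps_data(path):
    """Write SECRET to path, unlink it, then read it back through a descriptor
    opened before the unlink.  The descriptor stands in for a recovery tool:
    the name is gone, the blocks are not.  Returns True when the bytes survive."""
    with open(path, "wb") as f:
        f.write(SECRET)
    fd = os.open(path, os.O_RDONLY)   # opened while the name still exists
    os.unlink(path)                   # directory entry removed, data blocks untouched
    try:
        name_gone = not os.path.exists(path)
        data_kept = os.read(fd, len(SECRET)) == SECRET
        return name_gone and data_kept
    finally:
        os.close(fd)


def wipe_then_unlink(path):
    """Overwrite the file's blocks in place and fsync before unlinking, so the
    old bytes are no longer on the device.  Returns what a descriptor opened
    before the wipe now sees, so the caller can check the secret is gone.
    Caveat (general storage behaviour, not a claim from the article): on
    flash media with wear levelling an in-place overwrite may be written to
    other physical cells, so the dependable approach there is to encrypt the
    data with a key the user controls rather than rely on overwrites."""
    with open(path, "wb") as f:
        f.write(SECRET)
    fd = os.open(path, os.O_RDONLY)
    size = os.stat(path).st_size
    with open(path, "r+b") as f:       # r+b keeps the same inode and blocks
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())           # push the overwrite to the device
    os.unlink(path)
    try:
        return os.read(fd, size)
    finally:
        os.close(fd)


def demo():
    """Run both cases in a scratch directory; returns (kept, leftover)."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "statement.txt")
    kept = unlink_keeps_data(path)
    leftover = wipe_then_unlink(path)
    os.rmdir(scratch)
    return kept, leftover


if __name__ == "__main__":
    kept, leftover = demo()
    print("data readable after plain unlink:", kept)     # True
    print("bytes left after wipe and unlink:", leftover)  # all zero bytes
```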

3. iPhone as a Key-Logger

To enhance the usability features of the iPhone, the device keeps track of all the words that were ever typed on the device by the user. It keeps adding these words to its database to ensure that word prediction works fine. This is supposed to be a usability feature to auto-learn the user's typing habits. This information is stored on the device in the form of files which can easily be accessed by an attacker once the device is jail-broken. Most users are not even aware of the wealth of data which is getting stored on the iPhone every day when they use this device. From a financial data perspective, the attacker finds the record of your bank account numbers and your credit card related information, including your CVV number. So, if I am an attacker and I manage to get hold of your iPhone, and I find out that you are using the Citibank Mobile Banking application, I can be almost sure that I would be able to extract the credit card details in some time once the phone is jail-broken.

4. iPhone Animation and Data Leak

When the user presses the Home button on the iPhone device, he ends up seeing a nice animation on the iPhone which shows the application going down and another window image coming up. Yes, it looks good. What is the price that this usability feature forces us to pay? When the user presses the Home button, the device takes a snapshot of the display and stores it as an image file in a specific directory in the file system. This implies that if the user was using any of the financial applications and maybe wanted to do a money transfer to some account, that entire screen would be captured. This can mean a significant loss of financial data as well as privacy.

Vulnerability History of iPhone and iOS Devices

Mobile platforms like Blackberry have the entire OS written in Java. Blackberry runs a hardened version of the JVM, with JNI and Reflection disabled, as the operating system. Though Android does not have the OS written in Java, the primary application development happens in Java, similar to Blackberry. Using Java reduces the attack surface significantly because of the various security constructs which are provided by the language itself. On the other hand, the iPhone kernel is a derivative of the Mac kernel, which is written in C, and the primary application development language is Objective-C, which is not very different from C when it comes to the kind of language based weaknesses it has to offer. The biggest foe of software has always been the Buffer Overflow, which can be found in an iPhone based application but not in Android or Blackberry. The nuisances of buffer overflow have been known for decades now, hence we will skip that discussion here.

The vulnerability count specific to the iPhone device in the small lifetime of the device can be seen in the chart below. The chart has been taken from the CVE site, where the table shows the type of vulnerability that was spotted in the device and then there is a graphical representation.

Another significant attack surface on an iPhone device is the web browser. Even though there is a concept of Application Sandboxing, most of the applications are connected with the Browser via some IPC mechanism, where a file downloaded from the browser can directly be sent to an application like a PDF reader, image viewer, or even any network based application. Hence the compromise of the Safari web browser can be a significant attack surface on the iPhone. Leaving aside the browser application, most of the web based vulnerabilities can have a significant impact in terms of compromising your iPhone. Just to get a feel of what history shows us about vulnerabilities in Safari and other iPhone related applications, here are some examples of HIGH severity public issues. Please note that I have excluded the list of medium and low severity issues since the high examples were enough to prove the point.

CVE-2011-1417: Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document.

CVE-2011-1344: Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad.

CVE-2011-0154: WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, does not properly implement the .sort function for JavaScript arrays, which allows man-in-the-middle attackers to execute arbitrary code.

CVE-2010-1817: Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-1815: Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code.

Online Banking Security Magazine 2/2011

The list could continue like this for multiple pages. If you search the National Vulnerability Database for the number of security vulnerabilities in the iPhone to date, there is a list of 131 issues which are already public. Very similar to the iPhone chart, here is a chart showing the trend in the vulnerabilities recorded to date in the Safari web browser.

For Those Who Trust the iPhone Keychain

Many users who deal with banking applications or stock-based applications find it more convenient to store the banking password in the iPhone keychain. After all, the keychain keeps all these passwords secure and encrypted on disk. Unfortunately, there is a serious security flaw in the way this encryption is done in the keychain. The key used for encryption is derived from hardware-related information of the iPhone and has no correlation with the iPhone password set by the user. This implies that the key can be extracted from a stolen iPhone based on the same hardware information, without worrying about cracking the iPhone password. Once the keychain is compromised, your passwords stored in the keychain are compromised as well. This activity takes no more than 6 minutes, as demonstrated by German security researchers in February 2011. How can you protect yourself from this attack? You can't. The only solution is to immediately change, on the respective sites, all the passwords stored in your keychain. Alternatively, never store passwords in the keychain at all. As long as the phone can be jailbroken, the keychain can be broken as well. As we already discussed, iPhone jailbreaking is very common today due to the unencrypted bootloader of the iPhone.
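To make the design point above concrete, here is an added example (my own code, not Apple's keychain implementation and not code from the article) contrasting the two ways a storage key can be derived. The device UID, the PBKDF2 work factor, the sample password and the toy HMAC-based cipher are all constructed for the illustration; the real keychain format and key hierarchy are not modelled. A key derived from hardware information alone can be rebuilt by anyone holding that information, while a key that also folds in the user's passcode cannot:

```python
import hashlib
import hmac
import os

# Constructed sample value: on a real phone the UID is a per-device hardware
# secret. Nothing here models Apple's actual keychain format or key hierarchy;
# the two derivations only illustrate the design difference the text describes.
SAMPLE_DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for the device


def derive_key_device_only(device_uid: bytes) -> bytes:
    """The scheme criticised above: the storage key depends only on
    hardware-bound information, so the user's passcode never enters it."""
    return hmac.new(device_uid, b"storage-key/v1", hashlib.sha256).digest()


def derive_key_with_passcode(device_uid: bytes, passcode: str) -> bytes:
    """A passcode-bound alternative: PBKDF2 over the passcode, salted with the
    hardware secret. The hardware information alone no longer yields the key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), device_uid,
                               PBKDF2_ITERATIONS, dklen=32)


def passcode_bound(derive, device_uid: bytes = SAMPLE_DEVICE_UID) -> bool:
    """Audit check for any derive(uid, passcode) function: does changing the
    passcode change the key at all? False means the passcode is decorative."""
    k1 = derive(device_uid, "1234")
    k2 = derive(device_uid, "9876")
    return not hmac.compare_digest(k1, k2)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC counter-mode keystream; stands in for the real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC a stored password: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(secret))
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def recover(key: bytes, blob: bytes):
    """Return the stored secret, or None when the key is wrong (tag mismatch)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def compare_schemes(secret: bytes = b"constructed-banking-password") -> dict:
    """Store one secret under each scheme and report what it takes to read it back."""
    hw_blob = protect(derive_key_device_only(SAMPLE_DEVICE_UID), secret)
    pc_blob = protect(derive_key_with_passcode(SAMPLE_DEVICE_UID, "1234"), secret)
    return {
        # hardware-only: the device information alone reproduces the key
        "hw_only_readable_without_passcode":
            recover(derive_key_device_only(SAMPLE_DEVICE_UID), hw_blob) == secret,
        # passcode-bound: a wrong passcode gives a wrong key and no plaintext
        "bound_readable_with_wrong_passcode":
            recover(derive_key_with_passcode(SAMPLE_DEVICE_UID, "0000"), pc_blob) == secret,
        "bound_readable_with_right_passcode":
            recover(derive_key_with_passcode(SAMPLE_DEVICE_UID, "1234"), pc_blob) == secret,
    }
```

The `passcode_bound` check is the one worth keeping: run it against whatever derivation an application relies on, and if two different passcodes produce the same key, the passcode contributes nothing and the stored secrets are only as safe as the hardware information is secret.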

Concluding Remarks

Vulnerabilities are everywhere, and it is not as if laptops and desktops have no security vulnerabilities. The only problem which I see in using a mobile for any financially sensitive operation is that the device is far less understood than a PC. This also implies that users have much less control over what they want to save and what actually gets saved. Similarly, since most of the devices do not give direct access to the file system, the user cannot secure the folders where he keeps the sensitive information. Many times, with some applications I have observed, the password gets saved automatically in the keychain without even asking the user. The next time the user starts the application, he sees the post-login screen. Is this a great feature? Yes, if we consider usability. No, if we consider security. It is the user who needs to make a trade-off between what he values more in what context. I value security far more than usability when it comes to handling my stocks or my bank account, or even my professional email address. I do not mind re-entering my password 10 times a day if I need to do any kind of financial or official transaction, but I would never store my passwords on the device. After reading this article, I hope you will do the same.

References:

[1] Practical Consideration of iOS Device Encryption Security; Jens Heider and Matthias Boll; Feb 2011. http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

[2] Jailbreak and Unlock the iPhone; http://www.hackthatphone.com/3x/bypass_passcode_lock.html

[3] National Vulnerability Database; http://web.nvd.nist.gov/view/vuln/search-results?query=iphone&search_type=all&cves=on

[4] Secure Coding Guidelines for iOS; http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html

[5] Apple iPhone secretly tracking users' privacy; http://articles.economictimes.indiatimes.com/2011-04-21/news/29459336_1_iphone-apple-location-data

[6] iPhone can take screenshots of anything you do; http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/

[7] iPhone Insecurity; http://www.iphoneinsecurity.com/

[8] Finance App Store Download on iTunes; http://itunes.apple.com/us/genre/ios-finance/id6015?mt=8

[9] Apple iPhone CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/11481/Apple-Iphone.html?vendor_id=49

[10] Apple Safari CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49

Mrityunjay Gautam

Analyzing the Biggest Bank Robbery in History: Lessons in OSSTMM Analysis

Many banks have no idea what a powerful weapon against attacks they have in the OSSTMM. The Open Source Security Testing Methodology Manual is a free, collaborative project by the international, non-profit ISECOM that is years ahead of traditional security methods. The power and elegance of the OSSTMM became clear while I was at a cafe in Bern, Switzerland last year to meet with two other ISECOMers, Nick Mayencourt, a Board Director, and Philipp Egli, an ISECOM trainer, and the talk turned to robbing banks. That's not uncommon, because Switzerland is very big on banking and also very big on security, especially the OSSTMM. So with the biggest diamond heist of the last century in the news again (you may have seen the movie based on it called Ocean's Eleven), we took a look at the case through the eyes of an OSSTMM Analyst. This is how it went.

As the story goes, it was on a winter morning in February 2002 when a guard in the Antwerp Diamond Center got quite the surprise. He found the multi-ton steel safe door wide open and the resulting chaos of destroyed safety deposit boxes inside the vault. Yet no alarm had sounded. With a quick call to the alarm central he was informed that the system was running just fine and there had been no notifications since it was armed the night before. There was no clear sign of a break-in, yet $189 million in diamonds were missing (and still are).

We discussed this robbery in detail. While we didn't have clear details on how the robbery really went down, we did know the bank's security measures. They were robbed despite being two floors underground, with a three-ton steel door, a steel gate, closed-circuit cameras, heat sensors, light sensors, and a tremor sensor. So how could this happen? With so many diamonds at stake and ten layers of security, how did Defense in Depth fail them? This is exactly what this third, new version of the OSSTMM is great for. Unlike compliance objectives which

focus on what you have and how it's configured, the OSSTMM 3 scores operational effectiveness: how it works. Some will say that this is why many organizations employ penetration tests, to get this kind of foresight. They say penetration testing will allow them to find the effective attacks before the attackers do. Too bad contemporary penetration tests are not as effective as the penetration testers want you to believe.

The OSSTMM started as a penetration testing methodology back in 2001 because penetration testing was the best tool in the development of a process or system for seeing the big picture of operations. The concept was that while quality testing is great for determining how well a component works in a system, penetration testing will help you understand how well all the components work together in the system. Like a fire drill though, penetration tests must be done repeatedly, because any change in the environment, systems, people, or processes will affect the results. This is why fire drills are called drills: it is of little good to do them just once. So the occasional penetration test may work for the physical and human response testing of a bank with little change or low turnover, but not for electronic systems like e-banking web applications, which are in a near-constant state of development and improvement. This is why penetration testing during the development cycle, when the environment is at a constant, is so critical to assuring that inter-operational security gets properly designed into the system. However, once a system is built and deployed, penetration testing greatly loses effectiveness. So even a traditional penetration test of the Antwerp diamond vault would not have been enough.

Back in 2001, when ISECOM first released the OSSTMM, penetration testing seemed like the best thing to evaluate operational security. The OSSTMM was created to address what were known as the main problems of penetration testing at the time: the inconsistency of penetration testing services, no clear definition or deliverable, penetration testing the skills of the tester more so than the operations, the cultish promise to prove a negative (the logical fallacy that if a penetration tester didn't find problems then the system was secure), and the use of a hidden, proprietary methodology which made it impossible for a client to really know which tests were performed where. It was these problems which encouraged a standard security testing methodology to improve transparency, consistency, and thoroughness.

As time went on, it was clear this wouldn't solve all the problems. The biggest problem was that the researchers found there was no way to quantitatively and accurately measure security from penetration tests (because of the whole illogical problem of proving a negative, and math being a logical thing). So while a penetration test can find some of the holes, even some of the big ones, there is no way it can find them all, and certainly no way the testers can truthfully say they are finding the ones that hackers will. Another problem that exacerbated this was that thorough penetration testing required the tester to gain deep knowledge of the operations to be sure the right things were being tested the right way. This was likely the lesson that the Antwerp diamond exchange learned the hard way: the winner of any security contest is the one who knows more, and more deeply, about the systems and operations. So in the development of the third version of the OSSTMM a new way of thinking about security emerged which not only corrected these problems with a better, extremely powerful framework but took security testing and analysis far beyond penetration testing. This new way of thinking about security requires three main things: 1. Prioritize tests by shifting the focus from guessing future threats to that which you have reason to trust; 2. Identify and verify all interactions and the protections for those interactions; 3. Optimize the balance between security and operations. It is in applying this new version of the methodology that the weaknesses of the Antwerp diamond vault become incredibly, bluntly obvious.

Analyzing Ocean's Eleven

Spectacular bank robberies are part of the standard repertoire of Hollywood films. Of course, realism isn't necessarily required. However, in this case, the character played by George Clooney as the archetype of the sympathetic bank robber actually did exist. A year before the robbery of the century, Leonardo Notarbartolo drank an espresso in the Antwerp diamond district. He rented an office there to trade in wholesale diamonds. He kept a regular schedule, smiled at the people he saw each day, and was sure to be seen walking down the street with the Gazzetta dello Sport under his arm. He was one of the nicest and most clever thieves of modern times.

With a hidden miniature camera he entered the diamond vault two stories below ground. You see, he kept his diamonds stored there for safety. That gave him many opportunities to watch and record the operations of the bank, the personnel, and most importantly, its security. He kept his eyes open for the smallest details, including the entrance code to the vault.

What You Need to Know

Here we'll pause the story for a moment. What Leonardo is doing is the first step of an attacker: reconnaissance. He's looking for all the points of interaction from outside the vault to the inside. According to the OSSTMM there are only two ways to take something: you either take it or you have somebody give it to you. These two different types of interactions are defined as Access and Trust. So why does Leonardo have access to the vault? Because he's a polite, well-known businessman in the area, who happens to be a client of the bank. In OSSTMM terminology, he's abusing operational trust.

Operational Trust

The OSSTMM 3 has integrated tests for operational trust. There are 10 properties which are logical reasons to trust someone or something. The easiest technique for using the Trust Properties is to create quantitative rules from the properties, which we can then use to evaluate the target person, thing, or interaction. The rules are scored as a percentage and the percentages from all 10 properties are averaged. The closer to 100% you get, the safer it is to extend trust. It's a very accurate way to analyze and extend trust free of bad intuition or unqualified gut instinct. One condition trust analysts tend to find in this process is that in day-to-day life, people are often satisfied with just one or two of these properties being met. This is likely because social context makes it uncomfortable for people to challenge untrusted properties, and it's considered offensive to challenge someone who successfully meets some of the properties, especially Transparency (like Leonardo, who's a nice, known businessman in the area) and Consistency (he's a registered client who visits the vault with regularity and never causes problems). Meanwhile, he would score very low on the other 8 reasons to trust him, marking him as an untrustworthy individual.
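The scoring rule just described, worked through as an added example (my own code, not ISECOM's and not the OSSTMM's own trust calculation). The article names only two of the ten Trust Properties, Transparency and Consistency, so the other eight labels below are placeholders I have constructed; the 80% threshold, the "two properties are enough" shortcut and Leonardo's profile are likewise assumptions built from the description in the text. What the example shows is how the same person passes the day-to-day gut check and fails the averaged score:

```python
from statistics import mean

# Two of the ten Trust Properties are named in the article (Transparency and
# Consistency). The remaining eight labels are placeholders constructed for
# this example; substitute the OSSTMM 3 names when applying it.
TRUST_PROPERTIES = (
    "Transparency", "Consistency",
    "Property 3", "Property 4", "Property 5", "Property 6",
    "Property 7", "Property 8", "Property 9", "Property 10",
)


def rule_percentage(met: int, checked: int) -> float:
    """Turn a quantitative rule into the 0-100 score the method expects, e.g.
    Consistency as 'visits without incident / visits observed'."""
    if checked <= 0:
        raise ValueError("a rule needs at least one observation")
    if not 0 <= met <= checked:
        raise ValueError("met must lie between 0 and checked")
    return 100.0 * met / checked


def trust_score(scores: dict) -> float:
    """Average of all ten property percentages. Missing or out-of-range
    properties are errors rather than silently treated as trustworthy."""
    missing = set(TRUST_PROPERTIES) - set(scores)
    if missing:
        raise ValueError(f"unscored properties: {sorted(missing)}")
    for name in TRUST_PROPERTIES:
        if not 0 <= scores[name] <= 100:
            raise ValueError(f"{name}: {scores[name]!r} is not a percentage")
    return mean(scores[name] for name in TRUST_PROPERTIES)


def gut_instinct(scores: dict, satisfied_at: float = 80.0, enough: int = 2) -> bool:
    """The day-to-day shortcut the text describes: extend trust as soon as a
    couple of properties look good, ignoring the rest (parameters assumed)."""
    return sum(scores[p] >= satisfied_at for p in TRUST_PROPERTIES) >= enough


def extend_trust(scores: dict, threshold: float = 80.0) -> bool:
    """The methodology's answer: only the average over all ten counts.
    The 80% threshold is an assumption for this example, not an OSSTMM value."""
    return trust_score(scores) >= threshold


def weakest_properties(scores: dict, n: int = 3) -> list:
    """Where the analyst should look first, and where controls belong."""
    return sorted(TRUST_PROPERTIES, key=lambda p: scores[p])[:n]


# Constructed profile of the 'nice, known businessman' from the story: strong
# on the two socially visible properties and weak on everything else.
LEONARDO = {
    "Transparency": 95.0,
    "Consistency": rule_percentage(18, 20),   # 18 of 20 observed visits uneventful
    **{p: 10.0 for p in TRUST_PROPERTIES[2:]},
}
```

With this profile `gut_instinct(LEONARDO)` says yes and `extend_trust(LEONARDO)` says no: two strong properties out of ten average out to 26.5%, which is the gap between social comfort and a measured reason to trust. `weakest_properties` then points at where the missing controls belong.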

Safety vs. Security

A central theme to security is specifically the definition of security. The OSSTMM classifies security as a physical separation between an asset and a threat. Safety, on the other hand, is the means to control threats at the point of interaction.

In this case, a vault falls close to the definition of security. It provides a physical separation between what is outside the vault and the assets inside the vault. Except that you also need to be able to have some interaction with the vault to put new assets in or take assets out. To prove that, Leonardo the diamond thief is standing in a vault filled to the ceiling with diamonds.

This is now where Safety comes into play. Since interactions are required for successful operations, there must be some operational controls to protect the assets from unauthorized exit. The OSSTMM findings show 10 operational controls to protect against all threats. You cannot say one control is stronger than another, since each protects against a different umbrella of attack types. However, one implementation of a control can certainly be weaker than another. One of the places this is obvious is Authentication. Whether it's a lock and key, login and password, or a Do Not Fly List, these Authentication controls require Identification to function correctly. If the threat can pass itself off as, say, a legitimate diamond wholesaler, then it will receive Authorization for Access, bypassing the Authentication in place designed to prevent a criminal from just walking into the vault to size it up. Authentication alone can be overcome. This is why the OSSTMM recommends multiple, different controls for each point of interaction, described as Defense in Width.

Quality Security Defenses

The vault was scrutinized for weeks before the robbery took place. The vault team included the Genius, who was a master of disabling alarm systems; the King of Keys, who was an expert key forger; and a man they called Monster, a huge, strong man who was also a monstrously good electrician, driver, lock pick, and mechanic. Each team member had a task befitting their skills which also coincided with the interaction points that Leonardo discovered. So what happened was that each team member knew more about a particular system within the operation than the bank personnel did. An OSSTMM analysis would have discovered that the operators of the security mechanisms knew little about how they worked, and if they had known what was required of them, maybe they wouldn't have left Leonardo, or anyone else, alone in the vault.

One day before the robbery, Leonardo entered the vault on legitimate business. Left alone for privacy, as he knew he would be, he sprayed the motion and heat sensors with hairspray. Then he packed up his things and stepped out, thanking the guard and giving his regards to the wife and kids. Why not, he was a nice guy.

Controls and Limitations

The OSSTMM describes 10 operational controls. The concept provided is that the less reason you have to trust someone or something (trust properties), the more varied controls you should have for protection, up to 10 per interaction. That is called making the perfect balance between operations and protection. These 10 controls are divided into two classes: interactive and process. Interactive controls react to direct contact with the threat, where process controls do not. What you see here is that it is important to have controls which are different. As it is, most controls on their own are fairly ineffective. What you don't want is two different security mechanisms, say heat and motion detectors, both providing incomplete Authentication and both susceptible to being nullified with the same can of hairspray.

The bank had installed a heat and motion sensor at the entrance of the vault, both Authentication controls (an Interactive control), which were designed to sound an Alarm (a Process control). Since the Alarm control was dependent on the Authentication sensors, no alarm could sound if they were blocked. This is calculated as a Limitation, a flaw defined not by impact or prevalence, as with risk ratings, but by what it does and what it affects. The value of the Limitation is calculated from which operational controls are in place as well as how many different types of interactions are allowed with the targets. This makes it a very flexible and unbiased way to measure any kind of vulnerability because, as you know, each flaw is fairly unique in how it affects different operations. Not all buffer overflow vulnerabilities will give root access if attacked; it depends on the protections in place. In addition to that, it's also easy to categorize Limitations. For example, a Vulnerability is a flaw which provides Access to an asset, denies Access to an asset, or allows one to hide an asset within the scope. It's very straightforward and requires no guessing about its ease of use or impact. Sometimes, though, a flaw will have more than one type of Limitation. For example, a factory default login and password mechanism on a router would be a Weakness, which is any flaw that affects Interactive controls, and a Vulnerability because it provides Access as well. See, it's very straightforward.

There are a total of five classifications of Limitations in the OSSTMM. The last three are Concern, which is any flaw that affects Process Controls; Exposure, which is any flaw that provides information of specific attack knowledge or opportunity; and Anomaly, which is not specifically a flaw but is an unknown or uncontrolled interaction.

One of the enlightening features of analyzing security according to this process is in seeing how poor Controls, that is, Controls with inherent Limitations, like login and password schemes that provide no mechanism against brute forcing, add up to provide more protection AND more flaws. One can then see how layers of incomplete or poor controls will actually make something less secure, especially if the controls they provide are redundant, like two firewalls in a row, or just not reliable, like blacklist controls.
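The classification of Limitations and the sensor-to-alarm dependency from the two sections above, as an added example (my own code, not ISECOM's and not an OSSTMM scoring tool). The control and flaw definitions follow the text: Vulnerability, Weakness, Concern, Exposure and Anomaly, with interactive and process controls. The vault model is constructed from the story, and reading the hairspray case as a Weakness (the Authentication sensors are Interactive controls) plus a Concern (the dependent Alarm is a Process control) is my application of those definitions, not a statement from the article. The last function is the Defense in Width check: do all the interactive controls at one interaction share a single failure mode?

```python
from dataclasses import dataclass, field

INTERACTIVE, PROCESS = "interactive", "process"


@dataclass
class Control:
    name: str
    kind: str                                       # INTERACTIVE or PROCESS
    depends_on: list = field(default_factory=list)  # controls this one cannot work without
    nullified_by: set = field(default_factory=set)  # failure modes, e.g. {"hairspray"}


@dataclass
class Flaw:
    name: str
    provides_access: bool = False
    denies_access: bool = False
    hides_asset: bool = False
    affects_interactive: bool = False
    affects_process: bool = False
    gives_attack_knowledge: bool = False
    unknown_interaction: bool = False


def classify(flaw: Flaw) -> set:
    """Map a flaw onto the five Limitation classes using the definitions in the
    text. A flaw may land in more than one class at once."""
    limits = set()
    if flaw.provides_access or flaw.denies_access or flaw.hides_asset:
        limits.add("Vulnerability")
    if flaw.affects_interactive:
        limits.add("Weakness")
    if flaw.affects_process:
        limits.add("Concern")
    if flaw.gives_attack_knowledge:
        limits.add("Exposure")
    if flaw.unknown_interaction:
        limits.add("Anomaly")
    return limits


def disabled_by(failure: str, controls: dict) -> set:
    """Controls nullified directly by `failure`, plus every control whose
    dependencies have all gone down (an Alarm that no sensor can trigger)."""
    down = {name for name, c in controls.items() if failure in c.nullified_by}
    changed = True
    while changed:
        changed = False
        for name, c in controls.items():
            if name not in down and c.depends_on and all(d in down for d in c.depends_on):
                down.add(name)
                changed = True
    return down


def limitation_of_failure(failure: str, controls: dict) -> set:
    """Which Limitation classes one failure mode produces at this interaction."""
    down = disabled_by(failure, controls)
    return classify(Flaw(
        name=failure,
        affects_interactive=any(controls[n].kind == INTERACTIVE for n in down),
        affects_process=any(controls[n].kind == PROCESS for n in down),
    ))


def shared_bypass(controls: dict) -> set:
    """Defense in Width check: a failure mode common to every interactive
    control at the interaction defeats all of them at once."""
    modes = [c.nullified_by for c in controls.values() if c.kind == INTERACTIVE]
    return set.intersection(*modes) if modes else set()


# Constructed model of the vault entrance as the article describes it.
VAULT_ENTRANCE = {
    "heat_sensor": Control("heat_sensor", INTERACTIVE, nullified_by={"hairspray"}),
    "motion_sensor": Control("motion_sensor", INTERACTIVE, nullified_by={"hairspray"}),
    "alarm": Control("alarm", PROCESS, depends_on=["heat_sensor", "motion_sensor"]),
}

# The router example from the text: a default login is a Weakness and a Vulnerability.
ROUTER_DEFAULT_LOGIN = Flaw("factory default login", provides_access=True, affects_interactive=True)
```

`shared_bypass(VAULT_ENTRANCE)` returns `{"hairspray"}`, which is the whole lesson of the section in one value: two Authentication controls with the same failure mode are one control. Adding an interactive control with a different failure mode (the tremor sensor the bank also had, modelled in the test) empties that set and keeps the Alarm alive when the heat and motion sensors are blocked.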

What You Need to Do

The team led by Leonardo spared no expense. The bank was built in what was once a shopping center. The team analyzed the rooms and buildings adjacent to the vault. The story goes that they recreated the entire vault ante-room and the vault itself in a warehouse in order to study and practice disabling all the security. Once again, this is the key to security: knowing the operations at a more thorough and deeper level than those who apply them. This is what makes penetration testing tool frameworks with dedicated exploit research teams so valuable to an organization. Sure, these tools will also help the penetration tester cover more types of systems and applications more deeply; however, these tools are best used in the hands of those who really know the internal operations and processes, the internal employees. Why? Because just knowing how to find vulnerabilities means nothing if there is little understanding of the big picture in a complex environment. What are the operational needs? What are the directions? What are the requirements? These are things only an insider can and should know. However, to avoid being stuck in the vulnerability/patching routine indefinitely, a cat and mouse game at best, an organization needs to embrace the hacker role of deeply understanding how various operational security mechanisms and operational controls work together for greatest effectiveness. This is where the latest OSSTMM is strong. Security shouldn't be about just finding the vulnerabilities known today to quickly patch up but about finding the perfect balance between security and controls so you are prepared for the vulnerabilities and threats of

