More evidence that Multi-Factor authentication is no Panacea...

posted by Jason Shropshire on Mon, 01/16/2012 - 16:28

I've always been a strong proponent of the judicious use of strong authentication. Due to the government's push to introduce smart cards (known as HSPD-12), and industry standards like PCI, multi-factor authentication is becoming increasingly common for certain system access scenarios across a wide range of organizations. News last week that the Sykipot Trojan has been able to hijack Defense Department smart cards reminds us that these solutions are no silver bullet for security.

"We recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DoD and Windows smart cards," said Jaime Blasco, a security researcher at AlienVault, in a blog post. "This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year."

Sykipot is commonly used in advanced persistent threat (APT) attacks. According to Blasco, the Sykipot variant recently analyzed by AlienVault contains several commands to capture smart card information and use it to access secure resources.

One of the variant's routines is designed to work with ActivIdentity ActivClient, an authentication software product compliant with DoD's Common Access Card (CAC) specification.

The CAC enables access to DoD computers, networks, and certain facilities. It allows users to encrypt and digitally sign emails and it facilitates the use of public key infrastructure (PKI) for authentication purposes.

This Sykipot variant reads the smart card certificates registered on the victim's computer, steals the card's PIN number using a keylogger module, and uses the information to log into protected resources, as long as the card remains inside the reader, Blasco said. In essence, it becomes a smart card proxy.

There seems to be no end these types of breaches that demonstrate the need for defense-in-depth. I'm predicting that if this trend continues, out-of-band authentication will become increasingly in-vogue...

Tags:

IAM

Authentication

Smart cards

China

Jason Shropshire's blog

Jason Shropshire

Senior Vice President

As a Senior Vice President at InfusionPoints, Jason Shropshire is the market lead for commercial services. In addition he leads Identity and Access Management Infrastructure efforts for InfusionPoints' clients. Mr. Shropshire specifically focuses on the development, deployment and operations of security programs and infrastructure in complex commercial organizations, government agencies and non-governmental organizations. His experience includes serving four years as the Security Architect for a Fortune 50 retailer as well as supporting projects at the Department of the Treasury, The World Bank Group and PepsiCo.

Mr. Shropshire’s expertise spans the full life-cycle of Information Security programs including planning, architecture, design, development, testing, deployment and transition to operations. Mr. Shropshire also serves as a team leader, providing project management support for the large-scale system integrations, by leveraging his broad set of professional experiences across IT and information security disciplines derived from over 12 years of industry experience. With an industry background that broadly spans the IT domain, he provides the breadth necessary to lead complex Information Security programs.

User menu

More evidence that Multi-Factor authentication is no Panacea...

Jason Shropshire

InfusionPoints, Your Independent Trusted Advisor

User menu

You are here

More evidence that Multi-Factor authentication is no Panacea...

Jason Shropshire

InfusionPoints, Your Independent Trusted Advisor