Internet Banking Security Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

I was asked some time ago what sort of things may be considered when looking at .

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/, and /QA environments.

Some thoughts:

  • Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system .

- And all the other things expected for a session (forced changes, aging, etc))
- Tools such as may be use to brute force authenticated sessions.

  • Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be side, client side, cookie based, etc.
- Get someone to check the methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user flags.

  • Customer may not be segregated, this needs to be checked.
  • Customer should not reside on the .
  • databases / system should not reside on the webserver.
  • The databases should reside on a private/semi-private .

- A different segment to the main system.

  • Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the .

  • At all segregation points ensure rules are in place which appreciates the traffic though that point.
  • All customer where possible should be sourced from a secure back-end database.

- This may be a . i.e. no the main system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the )

  • Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

  • Don’t allow any infrastructure on the front end to allow remote administrative connections. (, etc.)

- Use the serial console port to connect to a or back-end terminal .

  • Services not used by the system are active

- These should be disabled.

  • Port scan of the supporting infrastructure (routers /switches) and (s).

- Investigate the reasons for all open ports.

  • Don’t use the main gateway for trusted partner (clearing / RAS / etc.)
  • Do all that standard IIS checks and NT checks (Sample scripts, change management, methodologies, etc.)
  • Ensure denial of service precaution have been taken into account for all infrastructure and equipment.
  • Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

  • Consider upstream carrier(s) (denial of service, IP spoofing, hacking, etc)
  • Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

  • Use dynamic passwords where possible (SecureID, TACACS, etc.).
  • Use encrypted tunnelling where needed (, Firewall 1, etc)
  • Consider looking at other customer methods to enhance existing methods.

- cert, IP address locked to account, etc.
- Consider use of or CVN for issued cards.

  • Consider how passwords are distributed /changed for customers.

- Plain email, telephone, etc.
- Can passwords be changed ?

  • Is additional used between sections of the services once authenticated?
  • Consider what the customer has to once authenticated.

- Look at , RTGS, inter- transfers, to cards, etc.
- If an attacker does get in, what can the do?

  • Use techniques to ensure pages, customer details are not cached at , or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a (or similar) applet for all customer interaction, restricting all caching issues.

  • Ensure paper based and on-line liability clauses are available are address all effected areas.
  • Ensure within the customer sign-up process liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the and/or operation of an on-line system.

Other things to consider:

  • External and of the application.
  • Ownership and management of the /applications
  • Publishing points for new content (internal/private/trusted or )
  • Topology of front end.  i.e. document should be in place and managed appropriately.
  • Are limited AP tests performed whenever changes are made to the ? i.e. integrated AP into Change management process.
  • Database . Is it buffered or is it live to the core systems.
  • What facilities are provided? Direct + + + ……. Consider different scenarios for your depending on the feature.
  • What other services are shared within the segment that the service is running. Can this be used to compromise the site. eg. different /business/ organisations with differing strategies/profiles.
  • Consider all external supporting services within you AP. Look at internal/external poisoning opportunities, mail , etc. What IPS’s do they use has the any opportunity to systems or supporting services which may affect .
  • Depending on the size of the , many organisation do not use the same groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external organisation to administer the infrastructure.
  • Look at the business and user methods and paths (client side certs, secure ID, SMART , etc). Consider two factor and modern user methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
  • See if the application sends email to users which may contain interesting information.
  • Better to the application can generally be gained after to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
  • Consider social engineering the Help desk to have an account reset.

No Comments »

Mobile Banking Security and Risk Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

When considering Mobile and the associated risk, the an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered supporting and surrounding the technologies and techniques used.

Here are some things to consider.

assessments generally focuses on two main things.

1/ Sensitivity of the
What is being sent. eg. , numbers, account balance, home address, account number, etc.
may not be sensitive to the , but may be considered by the client as sensitive.
etc……….

2/ Opportunity to the .
What medium is being used?
Is it easy to ?
What is being used?
Are all paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………

Things to consider:

  • resets sent via to client, should not be used as the only method of accessing accounts. An additional client specific (possibly static) pass word/phrase should be used in addition to a dynamically generated . can be sniffed (depending on mode and location).
  • If WAP is used, are all devices capable of ? If devices are not capable of , do we deny to these devices? If client side or (win CE, etc), ensure this can not be compromised by a Trojan’s and other techniques.
  • Has the organisation considered client side certificates to verify the device prior to transactions being accepted? Consider multiple device and user methods (very solution dependant).
  • Most mobile POS terminals encrypt the client entered number, but do not encrypt everything within the . If the medium is compromised, we should consider if the can be cracked and if unencrypted is sensitive. Consider additional i.e. use of all of message (SSL, ) or use a terminal that utilises Derived Unique Key Per ().
  • Many applications have been affected by typical hacks such as session hijacking, SQL , non random session keys (client side and side), etc… These typical hacks should be considered in your Secure SDLC and QA Processes once you are aware of the used and/or deployed.
  • PBX systems and cabling distribution frames can have devices connected to collect transactions. Wireless devices are now being connected to these systems. The attacker sits in their car in the car park outside. This is often done in super markets.
  • Wireless gateways if not encrypted are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the and medium being used).
  • Has the organisation considered dynamic keys for mobile users? There are some very low cost SecureID solutions available today, but customers need to have these devices on them when they want to do a .

No Comments »

Financial Transaction Processing

Jul 02, 2008 in Banking and EFTPoS

I have been recently working inside one of the larger Banks in .
Through this work I have been looking at the controls and surrounding the of and cards around the Asia Pacific.

I get perform many and systems assessments.
Over the years I have always considered the of the as one of the key considerations.

Until yesterday I had never seen an or tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Module ()  and for (simulation) tools. So I wonder if and are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a that will Encrypted Blocks that have been produced via the triple- method.  I used this for testing the output of some Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a that will compute and verify Values that have been produced using the .  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn ), creating and encrypting blocks, decrypting and extracting PINs from encrypted blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a that will compute Values that have been produced using the .  MasterCard CVC uses the , so it will work for that as well.  It will compute , CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  is simply comparing the computed value with what you have received, so there is no explicit function.

Atalla AKB Calculator (<- the actual file to download)

This is a that will both generate and Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla (or simulator).  This software (simulation) of the well-known Atalla Module () that is used by banks and processors for cryptographic operations, such as verifying/translating blocks, authorising transactions by verifying
/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing functions, and are using more modern schemes such as and , and need to do generation, , and translation.

This runs as a listening socket and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native ), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating values and encrypting/decrypting plaintext values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) /test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc

2 Comments »

Technology is always being challenged

Jun 18, 2008 in RFID

I read a very interesting paper created by the University of Massachusetts Laboratories and Innealta, Inc.<<

This paper primarily relates to the compromise of contact less technologies () if the and/or have not been implemented correctly or the solution provider has used an inappropriate of and discusses the challenges around and with respect to financial transactions e.g. and compliance.

Additionally, the paper describes a method which is being discussed within many forums around the world and we have now begun to see equipment being produced for the /clonners to use for malicious means.

The overarching point of this paper is to use an appropriate & solutions which supports the / of the user and purpose of the  (financial or non financial)<<

The paper can be found at http://prisms.cs.umass.edu/~kevinfu/papers/-CC-manuscript.pdf

In modern & solutions, newer devices can be used which possess a high degree of power and are therefore able to execute strong cryptographic methods (such as signatures) to protect the and information whilst the is occurring.

These systems often utilise between the / scanner and the tag/ prior to performing the . These methods and are accepted and proven to work within the traditional markets.

As mentioned in the paper, some solution store static digitally signed and/or encrypted which is provided to the / when queried, but this never changes from one to another. This may allow a malicious individual to capture and re-inject the into the at a later stage. The alternative to storing static digitally signed and/or encrypted is to negotiate a key exchange at the time of the in which the /value information is encrypted and subsequently transmitted. With this method the transmitted
changes on every and therefore even if a malicious individual was to capture the encrypted from one , this would not be accepted by the if re-injected at a later stage.

Although this is the case today, older / solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the holder, or .

I find this interesting how some of these less secure solution have been approved for use by acquiring banks and the schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional markets.

It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

No Comments »

Bluetooth - Security

Mar 24, 2008 in Bluetooth

Redirected from Bluetooth

Source

1
2 Wireless- History
3 Wireless- Technologies
4 - Introduction
5 - Advantages
6 - Applications
7 - Issues
7.1 The
7.2 The
7.3 The BLUEBUG
7.4
7.5 Warnibbling
8 Future of
9 See also:
10 Reference List

is a new that utilises waves as a way to communicate wirelessly between devices. It sets up that incorporate all of a persons devices into one system for both convergence and convenience.

Wireless- History

Many people put the invention of [wireless] down to Guglielmo Marconi, who in 1895 sent the first telegraph across the English Channel. Only twelve years later began being used in the public sphere. [Mathias, p.2] Up until then however, many wireless pioneers conducted trials across lakes where the used to transmit the signal was longer than the distance across the lake. [Brodsky, p. 3] After its introduction the main use of wireless was for military where its first use was for the Boer War. [Flichy, p. 103] The invention of ensured the feasibility of wireless technologies. [Morrow, p. 2] By the 1920s, had become a well-recognised mass medium. [Flichy, p. 111] From the 1980s until now, wireless have been through several stages, from 1G (analogue signal), 2G ( signal) and 3G (always on, faster rate). [Lightman and Rojas, p. 3] The history of is a much more recent one, with the first -enabled products coming into existence in 2000. Named after Harald Blatand the first, king of Denmark around twelve hundred years ago, who joined the Danish and Norwegian kingdoms, is founded on this same unifying principle of being able to unite the computer and telecommunication industr[ies]. [Ganguli, p. 5] In 1994 the Company began looking into the idea of replacing cables connecting accessories to mobile phones and computers with wireless links, and this became the main inspiration behind . [Morrow, p. 10]

Wireless- Technologies

is not the only wireless currently being developed and utilised. Other wireless technologies, including 802.11b, otherwise known as Wi-Fi, Infrared Association (IrDA), Ultra- Wideband (UWB), and Home RF are being applied to similar technologies that use with mixed results. 802.11 is the most well known , excluding , and uses the same , meaning that they are not compatible as they cause interference with each other. 802.11 is being implemented into universities in the US, Japan and China, as well as food and beverage shops where they are being used to identify students and customers. Even airports have taken up the 802.11 , with airports all over America, and three of Americas most prominent airlines promoting the use of it. [Lightman and Rojas, p. 202-3] Infrared Association is extremely inferior to that of . Its limitations include only being able to communicate point-to-point, needing a line of sight, and it has a speed of fifty- six kilobytes per second, whereas is one megabyte per second. [Ganguli, p. 17] The Ultra- Wideband is superior to that of in that it can transmit at greater lengths (up to 70 metres), with only half of the power that uses. [Ganguli, p.17] HomeRF is a that is not very well known. It is used for and voice communication and targeted for the residential market segment and does not serve enterprise- class WLANs, public systems or fixed wireless . [Ganguli, p.17-18]

- Introduction

is a short- range device that replaces cables with low power waves to connect devices, whether they are portable or fixed. The device also uses hopping to ensure a secure, quality link, and it uses ad hoc networks, meaning that it connects peer-to-peer. It can be operated worldwide and without a because it uses the unlicensed Industrial- Scientific Medical (ISM) band for that varies with a change in location. [Ganguli, p. 25-6] The user has the choice of point-to-point or point-to-multipoint links whereby communication can be held between two devices, or up to eight. [Ganguli, p. 96] When devices are communicating with each other they are known as piconets, and each device is designated as a master unit or slave unit, usually depending on who initiates the connection. However, both devices have the potential to be either a master or a slave. [Swaminatha and Elden, p. 49]

- Advantages

There are many advantages to using wireless technologies including the use of a , the inexpensive cost of the device, replacing tedious cable connections, the low power use and implemented measures. The use of an unlicensed ensures that users do not need to gain a license in order to use it. Unlike Infrared which needs to have a line of sight in order to work, waves are omnidirectional and do not need a clear path. The device itself is relatively cheap and easy to use, one can be bought for around ten American dollars, and this price is currently decreasing. Compare this to the expensive cost of implementing hundreds of cables and wires into an office and there is no competition. Of course, this is the main reason for the take -up in -enabled devices; it does away with cables. Another of Bluetooths advantages is its low power use, ensuring that battery operated devices such as mobile phones and personal assistants wont have their battery life drained with the use of it. This low power consumption also guarantees minimal interruption from other operated and wireless devices that operate at a higher power. has several enabled measures that ensures a level of and , including hopping, whereby the device changes sixteen hundred times per second. Also within the tools are and that guarantee little interference by unauthorised hackers. [Ganguli, p. 330] One of the best advantages of devices, especially the hands free device that connects to a mobile , is that it removes from the brain region. [Tsang, p.1]

- Applications

The applications that are in or current use for the include such areas as automotive, medical, industrial equipment, output equipment, -still cameras, computers, and systems. [Lightman and Rojas, p. 201] is an ad hoc user, and therefore it may be used for social networking, i.e. people can meet and share files or link their devices together to play games or other such activities. [Smyth, p. 70] Using , a mobile can become a three- way , where at home it connects to a landline for cheaper calls, on the move it acts as a mobile and when it comes in contact with another -enabled it acts as a walkie- talkie. This walkie- talkie option allows for free interaction and communication, as is not connected to any telecommunications . [Gupta, p.1] also allows automatic synchronization of your desktop, mobile computer, notebook and your mobile for the user to have all of their managed as one. [Gupta, p.1]

- Issues

has several which range in level of risk and how widespread the action is. These have the ability to provide criminals with sensitive information on both corporate and personal levels. The only way to avoid such is for manufacturers, distributors, and consumers to be provided with more information on how they are committed, current activity and how to combat them. This information can be used on a level for manufacturers, it can be used by distributors at retail levels to teach consumers the risks and it can be used directly by consumers to be aware of the . The outcome of such research will allow end users of products to have an upper hand in this wireless warfare. is in early stages with regards to both the attackers, their techniques and consumers understanding of these attacks. Some research has been conducted into what the attackers are doing and how they do it. Adam Laurie of A.L Ltd http://www.thebunker.net/release-bluestumbler.htm is leading the research race in and is often linked to academic resources. Laurie’s research has uncovered the following capabilities of attacks:

  • Confidential such as the entire book, calender and the ’s IMEI.
  • Complete memory contents of some mobile phones can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list.
  • can be gained to the AT command set of the device, giving full to the higher level commands and channels, such as , voice and messaging.

Attacks on devices at this stage are relatively new to consumers, and therefore are not widely seen as a real . Attacks such as the Bluejack are probably more recognised by consumers due to its perceived humorous and novelty nature as well as the ease to Bluejack someone. Users who allow their to be Bluejacked open the door to more attacks, such as the which have a low level of awareness amongst consumers as attackers can attach to the device with out the users knowledge. Corporations are starting to understand the risks devices pose, Michael Ciarochi (in Brewin 2004) stated that ‘ radios were included in laptop PCs that were being configured by an IT Engineer. It raises the possibility of opening a wireless back door into stored on the PCs. Such a weakness would be extremely attractive to hackers. Although invites hackers to such attacks; Venders are playing down the risks, Brewin (2004) said that ‘ advocates last week dismissed growing fears about the short-range wireless , saying any flaws are limited to a few mobile- models. They also detailed steps that users can take to secure devices’. There are many methods of attacks, the , the , Bluebug, Bluejack and Warnibbling are the only recognised attacks at this early stage. Below are explanations of such attacks.

The

It is possible for attackers to connect to the device without alerting the user, once in the system sensitive can be retrieved, such as the book, business cards, images, messages and voice messages.

http://www.salzburgresearch.at/research/gfx/bluesnarf_cebit2004.pdf

Local Copy: BlueSnarf_CeBIT2004.pdf

The

The is a higher concern for users; it allows attackers to establishing a trust relationship through the “pairing” mechanism, but ensuring that the user can not see the target’s register of paired devices. In doing this attackers have to all the on the device, as well as to use the modem or ; WAP and GPRS gateways may be accessed without the owner’s knowledge or consent.

The BLUEBUG

This gives to the AT command set, in other words it allows the attacker to make premium priced calls, allows the use of , or connection the . Attackers can not only use the device for such fraudulent exercises it also allows theft to impersonate the user.

Dibble (2004) explained that ‘Just as was spawned, there’s a new craze that’s spreading across parts of Europe. Reportedly, it’s more prominent in the UK, but popular elsewhere too’. allows attackers to send messages to strangers in public via . When the phones ‘pair’ the attacked can write a message to the user. Although it may seem harmless at first, there is a downside. Once connected the attacker may then have to any on the users device, which has obvious concerns. Powell (2004: 22) explained that ‘Users can refuse any incoming message or , so Bluejackers change their username to a short barb or compliment to beat you to the punch. For example, you might receive along the lines of “Incoming message from: Dude, you’ve been Bluejacked.” Or, “Incoming message from: ROI is overrated.” is regarded as a smaller to as users being attacked are aware they have been Bluejacked. This does not mean however that they are aware that sensitive information is being accessed and used in a malicious manner.

http://www.bluejackq.com/

Warnibbling

Warnibbling is a hacking using Redfang, or similar software that allows hackers to reveal corporate or personal sensitive information. Redfang allows hackers to find devices in the area, once found, the software takes you through the process of accessing any that is stored on that device. Redfang also allows non-discoverable devices to be found. Whitehouse explains when testing Redfang ‘One of the first obstacles we had to overcome was the discovery of non-discoverable devices (it was surprising to see the number of devices that dont by default implement this measure)’. http://www.atstake.com/research/reports/acrobat/atstake_war_nibbling.pdf

Future of

Further information, and somewhat speculation is required for consumers and stakeholders on the future of . Such information will provide a clearer understanding of why of must be improved. Luo and Lee (2004) provide a short term prediction of where is heading, Europe and Asian countries already offer newspapers, subway tickets, and car parking fees via wireless devices. Collins (2003) says that devices ‘appear to be more secure than 802.11 wireless LANs. However, this situation may not last, as the becomes more widespread and attracts greater interest from the hacking community’.

http://www.arraydev.com/commerce/jibc/0402-10.htm

See also:

Reference List

Erin Watson 08:47, 8 Sep 2004 (EST) –nhenzell 12:30, 8 Sep 2004 (EST)

No Comments »

Serious flaws in bluetooth security lead to disclosure of personal data

Mar 24, 2008 in Bluetooth

source