
Aug 10, 2012

Virtual Keyboard


I’ve just realized there’s actually a significant number of online banking sites using virtual keyboards as part of the authentication process for the bank’s customers.  So, instead of using your keyboard to enter the password, a virtual keyboard appears on the screen and the user is FORCED to enter his/her credentials by clicking on the virtual keys.  And just to add some more security, every time you click on one of the virtual keys the positions of the keys on the keyboard are shuffled randomly (I’m assuming this is present to thwart an attack where the keylogger malware is also logging the mouse click positions).
I’ll go over the claimed security advantage: a virtual keyboard prevents spyware (such as a keylogger) from recording your password when you’re typing it.  Since the user is clicking the mouse over random areas of the screen, the attacker will not be able to determine what the keys are.  If the scenario here is to protect against a keylogger device (i.e. a hardware keylogger), then this might be true.  But keep in mind that most keyloggers come in the form of malware infecting your computer.  That is, they are just another piece of software installed on your system.  If the attacker is able to install a keylogger on your system, what is to stop the attacker from installing another piece of software that simply takes a screen capture of the on-screen keyboard at each click once you’re on an e-banking site?
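To make the argument concrete, here is an added simulation (my own illustration, not code from any bank’s site): a 36-key on-screen keyboard that reshuffles after every click, a user clicking a password on it, and two pieces of malware watching.  One records only the mouse-click coordinates; the other also grabs the keyboard image (here, the key layout) at the moment of each click.  The key grid, pixel sizes, sample password and attacker models are all assumptions made for the example.

```python
"""Simulation of the argument above (added example, not any bank's code):
a randomised on-screen keyboard defeats a click-position logger, but not
malware that captures the screen at the moment of each click.
Geometry, attacker models and the sample password are constructed here."""
import random
from typing import List, Sequence, Tuple

KEYS = "abcdefghijklmnopqrstuvwxyz0123456789"
COLS = 9                 # assumed grid: 9 keys per row, 4 rows
KEY_W, KEY_H = 40, 40    # assumed pixel size of one virtual key


def key_at(layout: Sequence[str], x: int, y: int) -> str:
    """Which key sits under screen pixel (x, y) for the given layout."""
    return layout[(y // KEY_H) * COLS + (x // KEY_W)]


def origin_of(layout: Sequence[str], key: str) -> Tuple[int, int]:
    """Top-left pixel of `key` in the given layout."""
    i = layout.index(key)
    return (i % COLS) * KEY_W, (i // COLS) * KEY_H


class ClickLogger:
    """Malware that records only mouse-click coordinates, no screen content."""
    def __init__(self) -> None:
        self.clicks: List[Tuple[int, int]] = []

    def on_click(self, x: int, y: int, layout: Sequence[str]) -> None:
        self.clicks.append((x, y))

    def recover(self, layout_seen_later: Sequence[str]) -> str:
        # The only layout it can obtain is whatever is on screen when it looks;
        # by then the keys have been reshuffled, so the mapping is stale.
        return "".join(key_at(layout_seen_later, x, y) for x, y in self.clicks)


class ScreenGrabber:
    """Malware that captures the keyboard image at the moment of each click."""
    def __init__(self) -> None:
        self.frames: List[Tuple[int, int, List[str]]] = []

    def on_click(self, x: int, y: int, layout: Sequence[str]) -> None:
        self.frames.append((x, y, list(layout)))   # snapshot of what was on screen

    def recover(self) -> str:
        return "".join(key_at(layout, x, y) for x, y, layout in self.frames)


def enter_password(password: str, seed: int) -> Tuple[str, str]:
    """Simulate a user clicking `password` on a keyboard that reshuffles after
    every click, with both kinds of malware watching.  Returns what each
    attacker recovers: (click-coordinates-only guess, screenshot-based guess)."""
    rng = random.Random(seed)
    layout = list(KEYS)
    rng.shuffle(layout)
    click_logger, grabber = ClickLogger(), ScreenGrabber()
    for ch in password:
        x0, y0 = origin_of(layout, ch)
        # the user clicks somewhere inside the key, not exactly at its corner
        x, y = x0 + rng.randrange(KEY_W), y0 + rng.randrange(KEY_H)
        click_logger.on_click(x, y, layout)
        grabber.on_click(x, y, layout)
        rng.shuffle(layout)      # the bank's countermeasure: reshuffle after each click
    return click_logger.recover(layout), grabber.recover()


if __name__ == "__main__":
    pw = "s3cret42"
    click_only, with_screenshots = enter_password(pw, seed=2012)
    print("click coordinates only  :", click_only)
    print("coordinates + screenshot:", with_screenshots)
    print("screenshot attacker wins:", with_screenshots == pw)
```

The reshuffling does exactly what the bank intends against the first attacker, and nothing at all against the second: the screenshot attacker reads the password back perfectly, and it needs no more privilege on the machine than the keylogger already has.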
Sometimes it is a given that you’ll be trading off some usability in return for extra security.  We just need to make sure that the trade-off is worth it.
The trade off here is in the convenience of entering the password.  It goes without saying that it is easier for a user to type a string in a field than use a mouse to click on a virtual keyboard.
I’ve enrolled in one of the online banking services where a virtual keyboard is required.  I have to say it is not the most pleasant experience in terms of data entry.  Naturally, I try to complicate the banking password a bit to protect against password guessing (of course I usually try to apply some of the concepts I wrote about here, but online banks usually impose a limit on what you can enter as a password).  In any case, entering the password using a virtual keyboard takes a long time (sometimes close to 30 seconds or even more), especially when you have to hit the shift key multiple times.  Also, since the password is masked while I’m typing it, I can’t really verify whether or not I’m entering the right thing.  The randomization of the positions of the virtual keys every time I click the mouse further increases the error rate.  More often than I would like, I find myself having to re-enter the password because I have entered the wrong value.
There might even be a chance that we’re actually less secure when using a virtual keyboard.  Since the clicks on the screen are visible, you’re basically risking shoulder surfing in a public place.  It is very easy for a passer-by to look at the screen and take a glance at what you’re entering.  Banks do not usually allow long passwords, so it is probably within reach of a shoulder surfer’s memory.
I would say the trade-off is just not worth it.  I haven’t really seen a statistic that discloses the number of victims of keylogging malware.  Even if such a statistic existed, keylogging malware can easily be turned into malware that captures screenshots.
One would think there are other, more effective ways of protecting bank customers from keyloggers.  For starters, customers might want to avoid using public computers.  Maybe the bank itself should check whether the customer is accessing the e-banking site from a familiar location/browser and, if not, enforce a further authentication barrier.  As for virtual keyboards, all they seem to do is make it more difficult for a legitimate user to access the site.
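One way the “familiar location/browser” check could look, as an added sketch (my own, not any bank’s logic): the bank remembers the device tokens, network blocks and browsers a customer has already used, asks for a second factor when none of them matches, and only enrols a new context after that second factor succeeds.  The signals used here (a long random device cookie, the /24 of the client address, the exact User-Agent string) and the sample logins are assumptions chosen for illustration; a real deployment would use a proper device fingerprint and a geo-IP lookup.

```python
"""Step-up authentication on unfamiliar context (added example, not a bank's
code).  Signals and thresholds below are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
import ipaddress
import secrets


@dataclass
class LoginAttempt:
    user: str
    ip: str
    user_agent: str
    device_token: Optional[str] = None   # cookie issued after an earlier step-up


@dataclass
class KnownContext:
    """What the bank remembers about a customer's previous successful logins."""
    device_tokens: Set[str] = field(default_factory=set)
    networks: Set[ipaddress.IPv4Network] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)


def browser_key(user_agent: str) -> str:
    """Browser signal: the raw User-Agent string (crude; a real system would
    use a fingerprint that survives minor version bumps)."""
    return user_agent.strip()


def network_of(ip: str) -> ipaddress.IPv4Network:
    """Coarse location signal: the /24 the client address belongs to.
    Assumption: an ISP re-uses the same block far more often than the same
    address, so this is a cheap stand-in for a geo-IP lookup (IPv4 only)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def needs_step_up(attempt: LoginAttempt, known: KnownContext) -> Tuple[bool, str]:
    """Decide whether a correct password alone is enough for this attempt."""
    if attempt.device_token and attempt.device_token in known.device_tokens:
        return False, "known device token"
    if (network_of(attempt.ip) in known.networks
            and browser_key(attempt.user_agent) in known.browsers):
        return False, "known network and browser"
    return True, "unfamiliar device, network or browser: require second factor"


def complete_step_up(attempt: LoginAttempt, known: KnownContext) -> str:
    """Call only after the second factor succeeded: enrol this context and
    return a fresh device token for the browser to keep as a cookie.
    Enrolling before the second factor succeeds would let an attacker who
    only has the password teach the bank to trust his machine."""
    token = secrets.token_urlsafe(32)
    known.device_tokens.add(token)
    known.networks.add(network_of(attempt.ip))
    known.browsers.add(browser_key(attempt.user_agent))
    return token


if __name__ == "__main__":
    known = KnownContext()
    home = LoginAttempt("alice", "192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)")
    print(needs_step_up(home, known))            # first login: step up
    token = complete_step_up(home, known)        # second factor passed, enrol
    print(needs_step_up(LoginAttempt("alice", "198.51.100.7",
                                     "Mozilla/5.0 (X11; Linux x86_64)", token), known))
    print(needs_step_up(LoginAttempt("alice", "198.51.100.7",
                                     "Mozilla/5.0 (X11; Linux x86_64)"), known))
```

The point is where the cost lands: a customer on her usual machine types a password and is done, while someone who stole only the password and tries it from elsewhere hits the extra barrier.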

"Gauss malware: Nation-state cyber-espionage banking Trojan related to Flame, Stuxnet"


Kaspersky Lab researchers have discovered a “complex cyber-espionage toolkit” called Gauss which is a nation-state sponsored malware attack “closely related to Flame and Stuxnet,” but blends nation-state cyber-surveillance with an online banking Trojan. It can steal “access credentials for various online banking systems and payment methods” and “various kinds of data from infected Windows machines” such as “specifics of network interfaces, computer’s drives and even information about BIOS.” It can steal browser history, social network and instant messaging info and passwords, and searches for and intercepts cookies from PayPal, Citibank, MasterCard, American Express, Visa, eBay, Gmail, Hotmail, Yahoo, Facebook, Amazon and some other Middle Eastern banks. Additionally Gauss “includes an unknown, encrypted payload which is activated on certain specific system configurations.”
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation,” Kaspersky wrote. “The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.” The malware copies itself onto any clean USB inserted into an infected PC, then collects data if inserted into another machine, before uploading the stolen data when reinserted into a Gauss-infected machine.
The main Gauss module is only about 200k, which is one-third the size of the main Flame module, but it “has the ability to load other plugins which altogether count for about 2MB of code.” Like Flame and Duqu, Gauss is programmed with a built-in time-to-live (TTL). “When Gauss infects an USB memory stick, it sets a certain flag to ‘30’. This TTL flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick.” Kaspersky Lab senior malware researcher Roel Schouwenberg said, "It may have been built with an air-gapped network in mind."
[Image: Kaspersky on Gauss relationship to Stuxnet, Duqu, Flame]
There were seven domains being used to gather data, but the five Command & Control (C&C) servers went offline before Kaspersky could investigate them. International Business Times has already laid the blame for creating Gauss at the feet of the U.S. and Israeli governments. Kaspersky said, “We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.” Kaspersky also reported, it’s “hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.”
So far Gauss has infected more than 2,500 systems in 25 countries with the majority, 1,660 infected machines, being located in Lebanon. The researchers believe Gauss started operating around August-September 2011. “After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’.” You can read more about the “abnormal distribution” on the Kaspersky blog or in the full technical paper [PDF].
Meanwhile, FinFisher lawful-intercept malware, used by government organizations for intelligence and surveillance activities, was discovered in the wild and analyzed by Rapid7. Gamma International claimed it didn’t sell its FinFisher spyware to Bahrain even though Bahrain activists were targeted; instead the company suggested it might be a “demonstration copy of the product stolen from Gamma and used without permission.” Bloomberg then reported that the FinFisher spyware, which can secretly monitor computers, intercept Skype calls, turn on Web cameras and record every keystroke, has now spread to five continents.
After an in-depth analysis of the “governmental malware,” Rapid7’s Claudio Guarnieri concluded, "The malware seems fairly complex and well protected/ obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use. That said, once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes.”
According to CitizenLab's research and WikiLeaks cables, the following should be the supported features:
  • Bypassing of 40 regularly tested Antivirus Systems
  • Covert Communication with Headquarters
  • Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  • Recording of common communication like Email, Chats and Voice-over-IP
  • Live Surveillance through Webcam and Microphone
  • Country Tracing of Target
  • Silent extracting of Files from Hard-Disk
  • Process-based Key-logger for faster analysis
  • Live Remote Forensics on Target System
  • Advanced Filters to record only important information
  • Supports most common Operating Systems (Windows, Mac OSX and Linux)
There is also an increase in other multi-platform malware infections, such as the ethically questionable backdoor monitoring tools (“virtual force” for remote searches) sold to law enforcement and intelligence agencies. Russian anti-virus firm Dr. Web discovered a Trojan that could control Mac and Windows machines and dubbed it ‘Crisis’. F-Secure found it lurking on a Colombian transport website. It would "check if the user's machine was running in Windows, Mac or Linux and then download the appropriate files for the platform." It has been called DaVinci/Morcut/Crisis/Flosax, but it's definitely a commercial espionage Trojan sold by the Italian company Hacking Team, which just happens to be a Gamma/FinFisher competitor. Hacking Team also brags of being able to get around encryption and specializes in selling services that allow intelligence agencies to monitor 100,000 targets at a time.
Last but not least of things to worry about on the cyber horizon, there is Rakshasa a “perfect, persistent and undetectable hardware backdoor.”

"FinFisher Spyware Reach Found on Five Continents: Report"


The FinFisher spyware made by U.K.- based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts. 
FinFisher can secretly monitor computers -- intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use. 
Research published last month based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment. 
In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet. 
The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S. 
Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview. 
“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog. 
The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences. 
“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.” 
In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy. 
“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e-mail. 
Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party. 
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio. 
Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany. 
It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients. 
A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment. 
Officials in Ethiopia’s Communications Ministry, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone. 
Australia’s department of foreign affairs and trade said in an e-mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions. 
Violating Human Rights? 
At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it. 
The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there. 
Bloomberg News reported July 25 that researchers believe they identified copies of FinFisher, following an examination of malware e-mailed to Bahraini activists. Their work, led by security researcher Morgan Marquis-Boire, was published the same day by the University of Toronto Munk School of Global Affairs’ Citizen Lab. 
The new study builds on those findings, using the same samples of malicious software. 
Guarnieri’s study found, among other things, that the Bahrain server answered anyone connecting to it with the message, “Hallo Steffi.” 
The investigators then found this pattern in other computers by searching data from an Internet survey research project, Critical.IO, which has been cataloging publicly accessible computers around the world. 
The researchers then developed a map that shows the location of the servers, along with their unique IP addresses on the Internet. 
Gamma’s Muench said none of its server components sends out strings such as “Hallo Steffi.” 
The earlier Citizen Lab research linked the malware sent to the activists to FinSpy, part of the FinFisher spyware tool kit. 
The Citizen Lab research showed the malware took screen shots, intercepted voice-over-Internet calls and transmitted a record of every keystroke to a computer in Manama, the capital of Bahrain, which has been gripped by tension since a government crackdown on protests last year. 
Muench said the computer found in Manama isn’t a FinFisher product. Instead, the server very likely runs custom-built software used to forward traffic between two or more other systems, he said.
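The fingerprinting step the article describes (a suspected server that answers any connection with “Hallo Steffi”, then a search for the same behaviour in Critical.IO scan data) is simple enough to show end to end.  What follows is an added example of mine, not Rapid7’s or Critical.IO’s code: the probe is a generic “connect, poke, read the reply” helper that is not run here, the scan-record shape and the sample banners are constructed (RFC 5737 documentation addresses, made-up country codes), and the summary deliberately stops at “this host shows the behaviour”, which, as Guarnieri says, is not proof of who operates it.

```python
"""Banner fingerprinting replayed offline (added example, not Rapid7's or
Critical.IO's code).  Record format, sample banners, port and country codes
are all constructed for illustration."""
import socket
from collections import Counter
from typing import Dict, Iterable, List

# Reply the Bahrain sample's command server gave to anyone connecting, per the report.
FINGERPRINT = b"Hallo Steffi"

ScanRecord = Dict[str, object]   # keys assumed: ip, port, country, banner


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Active check: connect, send one line, return whatever comes back.
    Generic helper, not run in this offline example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\r\n")
        return sock.recv(1024)


def is_match(banner: bytes) -> bool:
    """Case-sensitive: the behaviour being matched is an exact string reply."""
    return FINGERPRINT in banner


def find_matches(records: Iterable[ScanRecord]) -> List[ScanRecord]:
    """Hosts in a scan dataset whose recorded banner shows the behaviour."""
    return [r for r in records if is_match(r["banner"])]


def by_country(matches: Iterable[ScanRecord]) -> Dict[str, int]:
    """Count of matching hosts per country code (the 'map' in the article).
    A match says a host behaves like the sample's server, not who runs it."""
    return dict(Counter(str(r["country"]) for r in matches))


# Constructed sample scan data: documentation addresses, fictitious countries.
SAMPLE_RECORDS: List[ScanRecord] = [
    {"ip": "192.0.2.10",   "port": 443, "country": "AA", "banner": b"Hallo Steffi"},
    {"ip": "192.0.2.11",   "port": 443, "country": "AA", "banner": b"HTTP/1.1 400 Bad Request\r\n"},
    {"ip": "198.51.100.5", "port": 22,  "country": "BB", "banner": b"SSH-2.0-OpenSSH_5.9\r\n"},
    {"ip": "198.51.100.6", "port": 443, "country": "BB", "banner": b"Hallo Steffi\r\n"},
    {"ip": "203.0.113.9",  "port": 443, "country": "CC", "banner": b""},
]


if __name__ == "__main__":
    hits = find_matches(SAMPLE_RECORDS)
    for r in hits:
        print(f"{r['ip']}:{r['port']} ({r['country']}) -> {r['banner']!r}")
    print("per country:", by_country(hits))
```

Two caveats a practitioner should keep in mind when using a banner like this as a signature: an operator can change the string at any time (Gamma’s statement that its servers send no such string is exactly the kind of claim a scan cannot settle), and a relay or proxy in front of the real server, which is what Muench says the Manama machine is, would match just as well as the product itself.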