The Smart Card Alliance offers platitudes but doesn’t identify the culprits!
The Smart Card Alliance released its weak response to the recent Sykipot Trojan attack, which hijacked Department of Defense authentication smartcards. Unlike hypothetical attacks on smartcards (the Chinese Remainder Theorem fault attack on RSA comes to mind, the one supposedly carried out with a microwave oven and a calculator), this is a real threat to the security of one’s network and data, but not so much to the smartcard itself.
The Sykipot Trojan takes advantage of flaws and a lack of security in Adobe’s PDF software (a zero-day attack) and in Microsoft’s Windows OS, and anti-virus suppliers are not blocking the infected attachments.
How are these attacks happening? The attacker sends a phishing or spear-phishing email with a malware-infected attachment to an unsuspecting person or employee. The employee opens the attachment and launches the attack. The malware is a keylogger that captures the PIN of the smartcard, reads the user’s certificates from the Windows certificate store, and then lets the attacker use the PIN and the card, while the card is still inserted, to authenticate as that user to accounts and systems the attacker is not authorized to reach. The private key never leaves the card; what is stolen is the ability to use it.
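To make the attack path concrete, here is a PowerShell audit script, added for this write-up and not part of the original post or of any Smart Card Alliance material. It enumerates exactly the information a Sykipot-style keylogger could read from the Windows certificate store (certificates marked for Smart Card Logon, their subject, issuer, thumbprint and the cryptographic provider that fronts the card), so that a user or administrator can see which identities such malware would learn about. The Smart Card Logon EKU OID is the real Microsoft OID; the `Get-SmartCardLogonCert` function name and the report layout are this example’s own choices.

```powershell
# Added example (not from the original post): list the smart-card logon
# certificates in the current user's Windows store, i.e. the identities a
# Sykipot-style Trojan can read after it has captured the PIN. The private key
# itself is not in the store; it stays on the card, which is why the card must
# still be inserted for the captured PIN to be of any use.

# Microsoft "Smart Card Logon" Enhanced Key Usage (real OID, not an assumption).
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCert {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # A certificate with no EKU extension is skipped; one that lists the
        # Smart Card Logon OID is the kind a Sykipot-style attacker cares about.
        $eku -and ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SmartCardLogonOid
    }
}

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # For CSP-backed keys (typical for smart card middleware) the container info
    # names the provider, e.g. a vendor CSP or the Microsoft Base Smart Card
    # Crypto Provider. CNG-backed keys may not expose this through .PrivateKey,
    # so report that rather than failing.
    try {
        $csp = $Cert.PrivateKey.CspKeyContainerInfo
        if ($csp) { return $csp.ProviderName }
    } catch { }
    return 'n/a (CNG key or provider not accessible)'
}

# What the malware learns: the public half of each logon identity, nothing more.
# What it cannot do from here alone: export or copy the private key.
Get-SmartCardLogonCert | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Issuer        = $_.Issuer
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey     # True: key is linked to the card
        Provider      = Get-KeyProviderName -Cert $_
    }
} | Format-Table -AutoSize
```

Run it as the card-holding user; an empty result means no smart-card logon identity is published in that profile. Every row it does print is an identity the attacker could exercise for as long as the card sits in the reader and the PIN they captured stays valid, which is the reason PIN-pad readers (where the PIN never crosses the keyboard) and a prompt PIN change both matter.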
The Smart Card Alliance offers only simplistic security strategies.
- Educate users on safe computer and email practices.
- Maintain up-to-date anti-virus, anti-malware and anti-keylogger software.
- Implement user analysis and network forensics tools.
- Include multi-factor authentication (I thought that was the whole purpose of the smartcard)
- Buy a PIN pad smartcard reader. (Expensive)
- Harden the authentication path between user, keyboard, and smartcard. (That’s what the OS is supposed to do.)
- Change your card PIN and certificates (Note: changing certificates can wreak havoc on documents, access rights, etc., that used the older certificate. Plus, the attackers will still have access to the older information.)
This is baloney. These recommendations are insulting at best, since they are Security 101. For the public representatives of the smartcard industry to put out such namby-pamby platitudes, and either refuse to address the real culprits or fail to understand them, is an injustice to all of us in the smartcard industry who are working to make data secure and user authentication reliable.
What deeply concerns me about their response is that it never says plainly that neither the smartcard industry nor the PKI industry is at fault. Prevention and security are wrongly placed on the user. The fault actually lies with the insecure applications (Adobe), the operating system (Microsoft) and the network security products that don’t detect corrupted files. The attack used was unsophisticated and has been known and experienced for years. Why hasn’t the computer industry addressed these known threats?
So here are my “Key Elements of Security”:
- Scrap Windows 8 and develop an entirely new operating system from the ground up. Don’t make it backward compatible with anything. Make security an integral part of the design. Sure, there will be the cost of new applications and drivers, but which is worse? The cost of upgrading, or the continuation of multi-billion dollar identity theft losses that can bring down our economy?
- Block all Adobe PDF attachments until they fix their problem. Don’t allow attachments in the older, vulnerable PDF versions onto any computer.
- Cloud and network manufacturers’ products should scan attachments for hidden files.
- Charge these companies $1 billion for every security patch they have to release. Microsoft has been shipping security patches since Windows 98, and Patch Tuesday has been a fixture since 2003. Is Microsoft management so keen on profits that building a trusted system is of no real importance to them? If the U.S. Postal Service needs a new campaign to get people to actually purchase stamps and other postal products, then remind every American that “snail mail” is not affected by viruses and can’t take down your computer or network.
The claim that the Common Access Card (CAC) has reduced network intrusion by 46% when replacing passwords is also very misleading. It reduced intrusions by taking password management away from the users. Time and time again we know that people will pick simple passwords, use the same password everywhere and write passwords on notes. Why? Because we can’t remember that many of them. But if you incorporate a smartcard-based, multi-factor authentication password manager, you will see similar intrusion reductions, at a fraction of the cost and time. PKI is a great technology and it does some things better than any other technology, but it is not appropriate for everyone. So comparing CAC to self-managed passwords is disingenuous.
As you can see, I am quite distressed and more than a little angry. Not at the hackers, criminals or even the Chinese, since they are doing their job and doing it very well. I am angry with the computer industry that allows these attacks to continue, and at the Smart Card Alliance for not identifying the true culprits and offering solid security recommendations. The attack being waged was not sophisticated. So instead of Microsoft, Adobe and others coming up with a new, “pretty” interface, spend the money securing your software.