BayPay Forum

Equation Group Stings Firewall Vendors with Zero-Day Flaws

Category: Security News

Info Sharing, Network & Perimeter, Technology

Has the US Long Known About the Vulnerabilities?
Jeremy Kirk (jeremy_kirk) • August 18, 2016

Cisco is preparing a patch for a zero-day vulnerability in its firewalls revealed by an unprecedented dump of data from a group allegedly linked to the U.S. National Security Agency. The vulnerability reveals that at least some of the aging attack code in the dump remains potent. That finding may also stoke longstanding concerns that the U.S. government isn't disclosing critical vulnerabilities soon enough to vendors, which could be used by competing spy agencies.


Cisco wasn't the only vendor affected by the data dump, released by a mysterious group calling itself the Shadow Brokers. The files show Fortinet, Juniper, WatchGuard and Chinese firewall vendor TopSec were also targeted with attack code designed to compromise firewalls - a crucial piece of networking equipment (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

Fortinet has already issued a patch for a vulnerability revealed via the data dump.

The leaked files are strongly believed to have originated with the Equation Group, an advanced cyber-espionage group first outed by Kaspersky Lab. Many security experts theorize that the Shadow Brokers might be affiliated with Russia - already at odds with the U.S. over cyberattacks against the Democratic Party - or might be someone who worked inside the NSA's Tailored Access Operations group (see Confirmed: Leaked Equation Group Hacking Tools Are Real).

"We're getting to a whole new level of breaches and leaks," says Jerome Segura, lead malware intelligence analyst with Malwarebytes. "First private corporations, now governments and agencies. It seems nothing can stay protected anymore."

Vulnerability Information Sharing Deficit?

The NSA has never confirmed whether it is the Equation Group. But if experts have pegged the connection correctly, it raises questions about how committed the U.S. government is to sharing vulnerability information with private vendors.

There has been fierce debate over when U.S. intelligence agencies should share information on vulnerabilities they discover with affected vendors. The software flaws can be used for intelligence operations, but the longer they go unpatched, the greater the chance that another party, including competing cyber spies, discovers them too.

The U.S. government put in place a framework called the Vulnerabilities Equities Process in 2010 for notifying vendors of software flaws it found. But intelligence agencies are allowed to keep the information secret for compelling national security reasons. The VEP has been criticized by organizations, including the Electronic Frontier Foundation, as being opaque.

The Cisco zero-day vulnerability would appear to have been closely held. "I imagine that there are different types of exploits, and the extremely valuable ones may be kept secret because of existing operations or great leverage for cyber warfare," Segura says.

It's a significant vulnerability, too, allowing an attacker to gain full control of the firewall, according to an Aug. 17 Cisco advisory. Secret NSA documents leaked in 2013 showed the agency has long specialized in penetrating firewalls, as they're a pivotal network point, providing visibility into all network traffic flows.

The most recent files in the Equation Group leak come from 2013. If the Equation Group is the NSA, the agency has long known of the flaw. If the Shadow Brokers is affiliated with Russia, meanwhile, that's also a concern, because it means the Russians have also long known of the flaw and perhaps used it offensively.

"It sure is strange when your company doesn't just have to worry about attacks from foreign intelligence agencies, but from your own as well," says Mikko Hypponen, chief research officer for Finnish security firm F-Secure, via Twitter.

A U.S. company blogs about attacks against their products, done by U.S. intelligence agency. https://t.co/YiqSauozTC pic.twitter.com/7FnEk1oDpF

August 18, 2016

More Grief for Cisco, Customers

Cisco was outspoken following documents leaked in 2013 via former NSA contractor Edward Snowden, which revealed the agency's "interdiction" operations: secretly intercepting Cisco equipment en route to customers and implanting spying code. Then-CEO John Chambers argued in a letter to President Barack Obama at the time that spy agency interference was undermining confidence in American products.

In response to the new Equation Group findings, Cisco says in a statement: "We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and we continue to seek additional information. With the security of our customers in mind, we will continue to address facts as they become clear through available channels."

Cisco also issued another advisory for a separate vulnerability that the Equation Group exploited. The vulnerability, which affects Cisco's ASA and PIX firewall lines, was patched in 2011, but Cisco says it chose to issue a more prominent advisory now, in light of the findings, to emphasize the importance of installing the patch for any holdouts.

Risks to Other Vendors

For Fortinet customers, firmware released before August 2012 for some FortiGate firewalls contains an exploitable buffer overflow vulnerability, the company warns. That vulnerability has now been patched, Fortinet says in an Aug. 17 advisory.

"We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products," the company says in a statement.

Juniper says it is reviewing the Equation Group dump and will notify customers if a vulnerability is found.

A spokesman for WatchGuard said its currently supported appliances are not affected by an exploit in the dump. The vulnerability for that exploit targeted RapidStream-branded appliances, he says. WatchGuard acquired RapidStream in 2002, and the vulnerability didn't carry over to WatchGuard appliances.


Finding the Right Authentication Approach

Category: Security News

Authentication, Biometrics, Technology

NICE Actimize's Mary Ann Miller on Banks' Emerging Strategies
Tracy Kitten (FraudBlogger) • August 18, 2016

Banks need to develop multifactor customer authentication strategies that meet demand for strong security as well as convenience, says Mary Ann Miller, an executive adviser at anti-fraud solutions provider NICE Actimize.


Many banks are focusing on shoring up customer authentication mechanisms by coupling biometrics with other forms of authentication, such as one-time passcodes or even analytics. But forcing customers to go through additional steps can hinder the customer experience, Miller says.

"There's a lot of experimentation going around what I call form factors - the modality of authentication," she says in this video interview with Information Security Media Group. "So you'll see a lot of modalities like biometrics, from facial [scans] to using the thumbprint. But you'll also see financial institutions focusing on management of that authentication journey, too. In combination with looking at experimental new form factors, [they're looking at] actually how do you manage that new form factor and manage that customer experience."

Banks need to carefully consider the types of authentication their customers will accept and use, Miller says. "What we're finding in the industry is that customers really want an easy journey," she says. "They're really looking for strength of security, but they're also looking for customer convenience as well. "

In this video interview at ISMG's recent New York Fraud and Breach Prevention Summit, Miller discusses:

  • How institutions are using analytics and other back-end data to authenticate users;
  • Why biometrics is not the panacea it was expected to be; and
  • Why additional log-in steps can hinder the online banking experience.
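What "using analytics and other back-end data to authenticate users" looks like in practice is a risk decision taken before the customer is prompted for anything: signals the bank already holds decide whether this login gets the frictionless path or a step-up to a second factor. The following is an added example, not code from Miller, NICE Actimize or ISMG. The signals, weights and thresholds are hypothetical placeholders a real institution would tune from its own data; the step-up factor is standard RFC 6238 TOTP over HMAC-SHA1, and the secret is the RFC test-vector seed rather than a real key.

```python
"""Risk-based step-up authentication: back-end signals decide whether a login
needs a second factor, so low-risk sessions skip the extra step.  Added
example with hypothetical signals, weights and thresholds; the OTP factor is
RFC 6238 TOTP over HMAC-SHA1."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginContext:
    """Back-end signals gathered before the user is prompted for anything.
    All fields are illustrative; a real bank would have many more."""
    user: str
    device_known: bool             # device fingerprint previously bound to user
    ip_country: str
    home_country: str
    failed_attempts_1h: int        # recent failures on this account
    days_since_last_login: int
    amount_requested: float = 0.0  # value of the action being authorised


def risk_score(ctx: LoginContext) -> int:
    """Additive score; weights are hypothetical and would be tuned from data."""
    score = 0
    if not ctx.device_known:
        score += 40
    if ctx.ip_country != ctx.home_country:
        score += 30
    score += 10 * min(ctx.failed_attempts_1h, 5)
    if ctx.days_since_last_login > 90:
        score += 10
    if ctx.amount_requested > 1000:
        score += 20
    return score


STEP_UP_AT = 40   # hypothetical thresholds
DENY_AT = 100


def decide(ctx: LoginContext) -> str:
    """'allow' silently, 'step_up' to a second factor, or 'deny' outright."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock skew;
    compare in constant time so the check does not leak matching prefixes."""
    return any(
        hmac.compare_digest(totp(secret, at + k * 30), code)
        for k in range(-window, window + 1)
    )


def authenticate(ctx: LoginContext, secret: bytes,
                 otp: Optional[str] = None, at: Optional[int] = None) -> str:
    """Outcome of a login: 'allow', 'deny', or 'otp_required' when the risk
    score calls for step-up and no code has been submitted yet."""
    outcome = decide(ctx)
    if outcome != "step_up":
        return outcome
    if otp is None:
        return "otp_required"
    at = int(time.time()) if at is None else at
    return "allow" if verify_totp(secret, otp, at) else "deny"


# Constructed inputs.  SECRET is the RFC 6238 test-vector seed, not a real key.
SECRET = b"12345678901234567890"
LOW_RISK = LoginContext("alice", True, "US", "US", 0, 2)
NEW_DEVICE_ABROAD = LoginContext("alice", False, "RO", "US", 0, 2)
BRUTE_FORCE = LoginContext("alice", False, "RO", "US", 5, 2)

if __name__ == "__main__":
    print(authenticate(LOW_RISK, SECRET))                                  # allow
    print(authenticate(NEW_DEVICE_ABROAD, SECRET))                         # otp_required
    print(authenticate(NEW_DEVICE_ABROAD, SECRET, totp(SECRET, 59), at=59))  # allow
    print(authenticate(BRUTE_FORCE, SECRET))                               # deny
```

The point of the design is the first branch of `authenticate`: a customer on a known device in their home country never sees the OTP prompt at all, while the same account from an unknown device abroad gets the step-up and five recent failures get refused without being offered a code to guess against. The TOTP window of one step either side is the usual trade between tolerating clock skew and widening the guessing target; keep it small and rate-limit submissions.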

Miller, who specializes in enterprise fraud and risk management, has more than 20 years of experience in decision analytics, operational excellence and customer centricity. She consults with financial institutions worldwide to establish business and technology strategies.


Confirmed: Leaked Equation Group Hacking Tools Are Real

Category: Security News

Anti-Malware, Data Loss, Network & Perimeter

Dump May Reveal Russian, US Intelligence Agencies Openly Squaring Off
Jeremy Kirk (jeremy_kirk) • August 17, 2016

The release of spying code authored by one of the most sophisticated hacking groups in the world has prompted questions about whether Russia may be taunting the United States in an unprecedented, public cyber stunt.


On Aug. 13, a group calling itself the Shadow Brokers released samples of exploits and software implants from the Equation Group, which many security experts suspect is linked to the U.S. National Security Agency. The dumped code is designed to compromise network-level equipment such as firewalls and includes notes on infiltration techniques (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

If Shadow Brokers is indeed a state-sponsored group, its outing of one of its peers is unprecedented. The action comes as the United States investigates potential Russian involvement in the Democratic Party breaches, which have caused turbulence during a fierce U.S. presidential campaign (see DNC Breach More Severe Than First Believed).

Shadow Brokers claims to be auctioning the password for a second, encrypted file that it also released. The password will go to the highest bidder, or alternatively the group claims it will be publicly released if it receives 1 million bitcoins, currently worth about $568 million. That file - which could be fake - might have already served its purpose: creating anxiety within the Equation Group over what might be dumped next.

Leaked Code Matches

There's now little doubt that the sample code that was dumped indeed belongs to the Equation Group.

Moscow-based security firm Kaspersky Lab, which cast the first light on the Equation Group in February 2015, weighed in on the new data dump on Aug. 16. It compared the implementation of the encryption algorithms used by the Equation Group with the code dumped by Shadow Brokers and found that the crypto is nearly the same.

"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group," Kaspersky Lab researchers write in a blog post.

The Equation Group used the RC5 and RC6 encryption algorithms within its malware. Kaspersky had previously identified 20 compiled versions of RC5/6 code in the Equation Group's malware. The Shadow Brokers' archive provided another large sample set for Kaspersky to analyze, and it found 300 files that implement a specific version of RC6 - used by the Equation Group - in 24 different forms, according to Costin Raiu, director of the Kaspersky Lab research team.

Over 300 tools from the Shadowbrokers leak have shared code with known Equation tools. pic.twitter.com/BtWevPjD14

August 16, 2016

"The chances of all these being faked or engineered is highly unlikely," according to Kaspersky Lab.
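The overlap Kaspersky describes is a code-similarity argument, not a signature match: RC5 and RC6 seed their key schedule from two published magic constants, so any compiled implementation carries a recognisable trace of them, and the exact form that trace takes (the constant itself, its two's-complement negation with a subtract instead of an add, or a precomputed table) is a property of the particular source code and compiler that produced the binary. Files that share the same unusual form share an implementation. The following scanner is an added example and not Kaspersky's tooling; P32 and Q32 come from the RC5/RC6 specifications, the "subtractive" and "precomputed table" variants are this example's own illustrations of how one compiled form can differ from another, and the sample binaries are constructed byte strings rather than real tools from the leak.

```python
"""Fingerprint RC5/RC6 key-schedule constants to cluster binaries by the crypto
implementation they embed.  Added example: constants P32/Q32 are from the
published RC5/RC6 specifications, the sample "binaries" are constructed here,
and the variant names are this example's own labels."""
import struct
from typing import Dict, List

P32 = 0xB7E15163  # Odd((e - 2) * 2^32), per the RC5/RC6 papers
Q32 = 0x9E3779B9  # Odd((phi - 1) * 2^32)
MASK32 = 0xFFFFFFFF
# Assumption: a compiler or author may emit the two's-complement of Q32 and
# subtract it rather than add Q32.  Both produce the same S table, but the
# bytes in the binary differ, so a scanner must look for both spellings.
NEG_Q32 = (-Q32) & MASK32  # 0x61C88647


def rc6_initial_table(rounds: int) -> List[int]:
    """S-table initialisation of the RC5/RC6 key schedule:
    S[0] = P32, S[i] = S[i-1] + Q32 mod 2^32, for 2*rounds + 4 words."""
    table = [P32]
    for _ in range(2 * rounds + 3):
        table.append((table[-1] + Q32) & MASK32)
    return table


def _find_all(blob: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `blob` (overlaps allowed)."""
    offsets, start = [], 0
    while (idx := blob.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def find_fingerprints(blob: bytes) -> Dict[str, List[int]]:
    """Offsets of each RC5/RC6 fingerprint, little-endian as x86 code stores
    them.  S_TABLE means a precomputed run P32, P32+Q32, P32+2*Q32, P32+3*Q32:
    an implementation that inlined the table instead of computing it at runtime
    carries no loose Q32 constant at all."""
    le = lambda w: struct.pack("<I", w)
    table_prefix = b"".join(le(w) for w in rc6_initial_table(0))  # 4 words
    return {
        "P32": _find_all(blob, le(P32)),
        "Q32": _find_all(blob, le(Q32)),
        "NEG_Q32": _find_all(blob, le(NEG_Q32)),
        "S_TABLE": _find_all(blob, table_prefix),
    }


def classify(blob: bytes) -> str:
    """Label the RC5/RC6 variant a binary embeds, or 'none'."""
    hits = find_fingerprints(blob)
    if hits["S_TABLE"]:
        return "rc6-precomputed-table"
    if hits["P32"] and hits["NEG_Q32"]:
        return "rc6-inline-subtractive"
    if hits["P32"] and hits["Q32"]:
        return "rc6-inline-additive"
    return "none"


def cluster(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group sample names by variant; files in the same group share a
    key-schedule implementation even if the surrounding code differs."""
    groups: Dict[str, List[str]] = {}
    for name, blob in samples.items():
        groups.setdefault(classify(blob), []).append(name)
    return groups


# Constructed stand-ins for compiled tools (not real samples from the leak).
_pad = b"\x90" * 16  # filler bytes around the constants
SAMPLES = {
    "tool_a.bin": _pad + struct.pack("<I", P32) + _pad + struct.pack("<I", NEG_Q32) + _pad,
    "tool_b.bin": _pad + struct.pack("<I", P32) + _pad + struct.pack("<I", Q32) + _pad,
    "tool_c.bin": _pad + b"".join(struct.pack("<I", w) for w in rc6_initial_table(20)) + _pad,
    "unrelated.bin": b"MZ" + b"\x00" * 62 + _pad,
}

if __name__ == "__main__":
    for variant, names in sorted(cluster(SAMPLES).items()):
        print(f"{variant:24s} {', '.join(sorted(names))}")
```

Run over a real corpus, the interesting output is not "RC6 present" (many legitimate programs use it) but the rare spelling: a set of otherwise unrelated files that all carry the same uncommon form of the key schedule is evidence they were built from one code base, which is the kind of link the Kaspersky post draws between the dump and the earlier Equation samples. Treat constant scanning as a triage step; confirm a match by diffing the surrounding key-schedule code, since an attacker who wants to break the link only has to change which of these equivalent forms they compile.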

The hacking tools are relatively old - the most recent ones date from late 2013 - which has somewhat diminished their usefulness. But a Brisbane, Australia-based network security consultant has successfully tested one of the exploits against an older version of Cisco's Adaptive Security Appliance firewalls.

The exploit works against Cisco ASA version 8.4, which dates from 2012, says XORcat, who spoke on condition of only being identified by his Twitter handle. The attack creates a backdoor that allows access to the firewall without a password. A firewall is a key piece of network equipment to attack since all of an organization's network traffic flows through it.

It's unclear if Cisco has patched the buffer overflow vulnerability that the attack exploits or if newer versions are affected. Still, it's an example of a functional exploit that would work against the right product version.

"You get people running old code all the time if they don't have a support contract anymore," XORcat says in a phone interview. "They'll be stuck with whatever version they've got."

But not much of the newly released code rivals the firmware exploits against hard drives that Kaspersky says the Equation Group had developed. The new code, simply put, appears to be less refined. "The sad thing is that all of these Equation Group exploits are totally boring, trivial stuff," writes Héctor Martín Cantero, a Tokyo-based IT security consultant, on Twitter. "None of it is particularly impressive."

Exfiltration Method Remains Unclear

What remains unclear is how the Shadow Brokers may have grabbed the newly leaked tools. One idea floated by none other than former NSA contractor Edward Snowden is that the Equation Group forgot to scrub a command-and-control server that was used for launching an attack.

Cyberattacks are typically staged from proxy servers that are hard to trace back to those running an offensive operation. It's possible that Shadow Brokers compromised one of those servers.

Snowden says the NSA, as well as other state actors, are known to "lurk" on such servers to figure out what their adversaries are up to. But whatever they observe, at least historically, has remained a closely held secret.

"NSA malware staging servers getting hacked by a rival is not new," Snowden writes on Twitter. "A rival publicly demonstrating they have done so is."

Others have suggested the leak came from an insider, based on a screenshot of an internal file structure that Shadow Brokers released. One anonymous commentator, going by the handle Zipa Dux, claims on Twitter that "Shadow Brokers is an insider who grabbed the data via USB and is trying to pass himself off as a foreign group."

@msuiche ShadowBrokers is an insider who grabbed the data via USB and is trying to pass himself off as a foreign group.

August 16, 2016

@msuiche File directories like the one he screenshot are physically gapped and not accessible externally. Names are changed before deployment

August 16, 2016

In an email reply to Information Security Media Group, Zipa Dux implied previously working for the NSA's Tailored Access Operations group, which specializes in infiltrating computers.

Zipa Dux says the file directories shown in the screenshot wouldn't be externally accessible and would have to have been taken from an air-gapped system. The filenames for the resources shown also get changed before an operation, meaning that if Shadow Brokers had accessed a staging server, the files wouldn't appear in that form.

"It was also a concern of everyone working in TAO that operators had access to all of this and could easily be taken such as via USB," Zipa Dux says. "One theory is that this guy separated the military/NSA and has been sitting on this data for some time before trying to profit from it. Another could be that he is still working there - however unlikely - and using NSA infrastructure for anonymity."

The name of the group also raises suspicions of an insider theft since many TAO employees played Mass Effect, a popular Xbox video game, Zipa Dux says. In that game, a "shadow broker" is someone who trades in information.

"We can remember disgruntled employees working there and people that didn't leave on good terms," Zipa Dux writes.

Dave Aitel, CTO of the penetration testing consultancy Immunity and a former NSA research scientist, has also suggested that an internal leaker might be the source. "First off, it's not a 'hack' of a command and control box that resulted in this leak," Aitel writes in a blog post. "It's almost certainly human intelligence - someone walked out of a secure area with a USB key."

Russian Connection Eyed

The Shadow Brokers intrigue comes as the United States continues to investigate the Democratic Party breaches. Guccifer 2.0, the handle for someone or some group that began leaking Democratic National Committee files in June, continues to release sensitive documents. The most recent significant one included phone numbers and email addresses for close to 200 Democratic party officials.

Snowden hints at a Russian connection to Shadow Brokers. "Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack," he writes on Twitter.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

August 16, 2016

Aitel seconds Snowden's observation, based on the timing of the release and the Democratic Party incidents. Also, Shadow Brokers' ability to hold onto the data for more than three years after it was apparently stolen shows some operational discipline. Releasing it is bold, he writes.

"No team of 'hackers' would want to piss off Equation Group this much," Aitel writes. "That's the kind of cojones that only come from having a nation-state protecting you."


Top Trends in Cybercrime; 411 Million Attacks Detected in Q1 2016

Category: Security News

Using Cybernetics to Tell the Security Story

Category: Security News

Cybernetics - the science of studying communications and automatic control systems - has emerged as yet another innovative way for practitioners to translate security in context to business (see: Metrics Project May Help CISOs Measure Effectiveness Better).

The approach taken by Sam Lodhi, CISO at the Medicines and Healthcare Products Regulatory Agency in the UK, uses biological cybernetics - cybernetics applied to the biological context - to help explain the nuances and risk of information security to his business stakeholders, who are professionals in the healthcare and biological sciences fields.

Making a case for security investments can be tricky, he says, and the value of security means different things to different business stakeholders, depending on their perspective and their patience. While no one disputes that security is necessary, many stakeholders are ambivalent about the concepts and do not care for the technical minutiae with which practitioners tend to bombard management (see: Treat Security As a Business Problem First).

"Getting the right engagement from stakeholders is a big challenge for practitioners today," Lodhi says. "A cybernetics-based model can help get the attention security needs by speaking in terms and concepts that business can relate to, using structured, rational analogies from the business's own context, which helps stakeholders understand risk better."

Cybernetics as a science actually provides formal engineering language and diagrammatic approaches to systems analysis, which can be adapted to present information security risk much more credibly, Lodhi says (see: Security: How to Get Management Buy-In).

In this exclusive interview with Information Security Media Group, Lodhi explains how he uses cybernetics to formulate his model to communicate with management and some of the pros and cons of the approach. He also touches upon how this model can be emulated in other verticals. He speaks about:

  • Applying cybernetics in the information security context;
  • Why the biological cybernetics-based model worked;
  • Broader applicability across verticals.

Lodhi is the director at Integrated Business Research Systems, a niche professional services firm specialising in technology, risk and business consulting. He has almost 20 years of experience in enabling security strategy, and has successfully influenced executive committees, sat on group boards to direct security and technology strategy and provided oversight as a non-executive director. He is currently serving as the information security transformation director (CISO) at MHRA - The Medicines and Healthcare Products Regulatory Agency, an executive agency of the Department of Health in the United Kingdom responsible for ensuring the safety of medicines and medical devices.
