undefined | Better HN

0 pointschubot11y ago0 comments

So, I'm specifically asking about protecting employees' machines. My reading of the article is that the attackers got a foothold on employees' machines and credentials, and just piggybacked their malicious transactions along with normal transactions.

In that case, it doesn't matter how much security you have in your data center. Employees need access to central systems to do their job, so client security is paramount.

For instance, for a bank or Bitcoin exchange, I think it would relevant how many client operating systems can access your crown jewels. I think if you're just using Mac or Windows with antivirus or whatever, there's already a pretty low upper bound on your client security and thus your overall system security.

What I'm wondering if anybody is deploying some kind of custom client OS similar in spirit to Qubes OS, or a build of Chromium OS or Android, which have application sandboxing beyond what stock Linux, Mac or Windows have.

Also, I would imagine that each teller has their own credentials, and the bank should have policies about the transaction rate / total for a single teller. It sounds like the attackers would have to compromise multiple employee accounts to steal that much money. So you also want to protect employees machines from each other as much as possible (not just "outside" attackers).

I'm guessing that a Bitcoin Exchange doesn't have that many employees, since the whole industry is new. You probably have people just accessing stuff with their personal MacBooks or whatever, and that's fine for now (there are bigger risks). But when you start to have 100, 1000, 10,000 employees capable of doing financial damage, then I think this type of thing will start to matter more.

EDIT: Actually I remember one large deposit I made required three people at a bank to approve it. The teller said, "Wait my boss has to approve this." Then the boss said, "Wait my boss has to approve this". So they are probably using the presence of three credentials and credentials at a sufficient employee level to authorize large transactions. So I take it the attackers would have to target employees with those credentials.

But that can cause problems for customers -- e.g. if the branch manager isn't around, you might not be able to do what you wanted. To some degree, they are using meat space protocols to mitigate risk that their software systems can't handle.

0 comments

justincormack11y ago

Even widespread two factor auth would mitigate a lot of this. Banks are often quite backward because there are few software suppliers, and it is an industry that took to computing early so there is a lot of legacy. But they vary a lot - the implication of the story is that these were perhaps banks in smaller countries - the banks that got defrauded recently in another large case with cashpoint withdrawals from fake cards were middle eastern. You have a lot of choice of banks, choose the weakest...

chubotOP11y ago

I don't believe that's true in this case or in the case of many client attacks.

If you have two factor auth, the employee will go through the process since they need it to do their job for 8 hours a day. Then they will have credentials on their machine (in memory or wherever).

Any attacker sitting on the machine can use those same credentials. Whether you have two factor auth or not doesn't matter.

The point is that you need to prevent the client from getting infected in the first place (which isn't easy if you have 10,000+ employees). As mentioned, if the state of the art is Windows or Mac + antivirus, then your upper bound on security is pretty low.

I recommend reading "Kingpin", a recent book about Max Butler. There's a nice story where he is hired for a penetration test. He guarantees 100% success rate, since he's always been able to get in.

He was coming out of jail and his skills were perhaps rusty, and he couldn't get into this particular server.

So what he did is hack an employee's home computer, steal their VPN credentials, and hack the company server with internal access. Apparently the company was agnry that he did this, but it pretty vividly illustrates the point.

I recall that Kevin Mitnick also used employee VPN attacks. Just because you have hardened Linux, regular updates, jailed processes, etc. on your server doesn't mean it's secure. Employees have to access systems to work, so that is often the weakest link. It's not surprising that this is how major banks got hacked and relieved of millions of dollars.

j / k navigate · click thread line to collapse