back to article US military access cards cracked by Chinese hackers

A new strain of the Sykipot Trojan is been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. Smart cards are a standard means of granting active duty military staff, selected reserve personnel, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Chinese Laundry

    I'd be willing to bet that every government in the world is now routing its probes of the US defense department computers through China. But probing around like this is a double edged sword - sometimes you find what you're looking for - and sometimes you find what they want you to find.

    We have a nice collection (updated daily) of compromised PDF and XLS files sent to our mail server from China.

    1. Anonymous Coward
      Anonymous Coward

      Routing?

      Proxied by or VPN sourced from Chink address space, I think you mean using an overlay technology. NOT routed.

      Address space is very carefully handled and approved beforehand both privately and through public BGP peering at IXPs. It is highly unlikely that you could get away with "pointing default" at a Chinese peer and this won't obfuscate your source IP anyway. Behind China Telecom, there is a VERY powerful network. I tell you.

    2. Anonymous Coward
      Anonymous Coward

      I completely agree. One other way of securing a system would be obfuscation, which could be a follow-up to the "you find what they want you to find" method. Placing fake intelligence in an obvious location and hiding real data in an illogical place could be a good defence.

      How they would do that in a serious scenario like a nations security is a bit beyond me! Files with peculiar names, encoded, or maybe on another server, might be the way to do it. I say that as a newbie as I don't have experience in security. Someone give me some pointers!

  2. amanfromMars 1 Silver badge

    There are Worlds more Advanced than those Stuck in a Rotten Rut in the West. Honest to Goodness.

    " Blasco added that the use of dynamic tokens that offer two-factor authentication would thwart this particular line of attack."

    What on Earth makes you not think that the Chinese have cracked the code for harvesting dynamism in authentic power programmers ......Cosmic Source Suppliers. And would provide perfumed gardens for flowers to bloom and seed ....... which is a perfect trap to surrender all to for the control that is freely shared in dynamic token authentication exchanges ...... and in real live situations, in any parallel and conversion of this Virtual AIReality Beta ProgramMING to Self Actualisation and Future Realisation, a graciously received and most acceptable solution guaranteeing prime product performance.

    amfM speaking fluent PRChinese? Pidgin Mandarin? Forbidden City Sense?

  3. Figgus
    Facepalm

    Every time I read a story like this, I wonder one thing:

    WHY IN THE HECK IS THE MILITARY USING WINDOWS?

    They don't need to run games, so what is the attachment to Windows as opposed to a hardened variant of Linux or BSD or somesuch?

    1. Someone Else Silver badge
      Coat

      That's easy

      Figgus opined: "Every time I read a story like this, I wonder one thing:

      WHY IN THE HECK IS THE MILITARY USING WINDOWS?"

      Just remember, "military Intelligence" is an oxymoron.

    2. Hnelson
      FAIL

      It comes down to money. It's cheaper to buy a packaged system and have a face to hold accountable if things go wrong. I'm surprised it took the chinese this long to gather and harvest the encrypted keys off those cards.

      As to the "chinese hackers". These are not lone wolves out in the wild. This is the effort of the PLA with unlimited resources. The keys will not stand a chance against a brute force break.

      1. Figgus

        I know it all comes down to money, but it seems that a military willing to spend a few billion dollars doing R&D for a gun that has a swivel in the middle so it can shoot around corners would have a military willing to pony up for some security.

        1. Destroy All Monsters Silver badge
          Mushroom

          John Brunner hadn't seen anything

          "It all comes down to money".

          SNORT!

          To hear this when 700 billion USD per annum are blown on the *official* flecktarned reichcircus alone [tendency: going UP] is unbelievable.

          The hallowed military of the democratic welfare/warfare state is now just about feeding revenues to be seized from the populace *in the future* to arbitrary companies *now* depending on how much their lobbyists have been working the Central Palace Corridors. That some people in foreign lands get turned into metal-peppered steak, cripples or anatomical displays in torture cellars is totally ancillary and actually meaningless. This can be easily seen in that no political result or success whatsoever has been obtained in the last 20 years. Indeed, things are just getting started on the downhill slope with no politician (no politician not considered "extreme" or "on the fringe" or "unelectable") pulling the handbrake.

          Guess the few shavings for the good people of Microsoft are just natural.

        2. Charles 9
          Stop

          Security is like a castle.

          You can only build so many defenses before you have to knuckle down and "fort up". It's like the old saying, "You have to be lucky all the time, they only have to be lucky ONCE." In any event, if this is a state-sponsored break, then the OS wouldn't matter; exploits and privilege escalations exist for all operating systems (yes, even Linux) for the simple reason that they're all made by fallible humans. If the military were using Linux systems, you can bet every yuan that they'd simply store up a batch of zero-day LInux vulnerabilities to take control and then escalate from there. And in state-vs-state warfare (including cyberwarfare), money is no object, resources are usually plentiful, and motivation is a given.

          1. eulampios

            ..like a castle or a straw house

            Is it this kind of 0-day vuln?

            >>The latest run of attacks also features spear phishing emails that attempt to trick marks into clicking on a link that deposits the Sykipot malware onto their machines. This time around the malware uses a key-logger to steal PINs associated with smart cards.

            infecting your PC by clicking on the link is the vuln. DESIGNED by the Redmond. Don't you get it?

            1. Charles 9

              Not quite.

              Sure, it may be Skyipot today, but what's to stop it being something like Kaiten (Hint: this one's a Linux trojan) the next? And even Linux is vulnerable to privilege escalation (as anyone hacking the Kindle Fire or B&N Nook Tablet can attest). After all, the term "rooting" owes its (cough) roots to Unix.

              1. eulampios

                @Charles the IX

                Everything is vulnerable ( I and many others think closed source software is much more vulnerable than the free one). Exactly, take the number of allegedly infected by Kaiten, the fact that it happened 10 years ago and divide it by the similar figures related to Windows. You get the risk approaching zero.

                And by the way Redmond has has patent on the virus-contracting-by-weblink-click. So any competitor will face a litigation here.

                >>as anyone hacking the Kindle Fire or B&N Nook Tablet can attest

                Mixing cutlets with flies again? Rooting any linux or *BSD with non-encrypted drives is even easier. Just boot off a rescuecd media or similar, when you have a PHYSICAL access to the device.

                1. Charles 9

                  I said something LIKE Kaiten.

                  Kaiten and their like just happen to be proof that Linux is not immune, and I'm simply pointing out that if Linux was vulnerable once, it can be vulnerable again, especially when your adversary is a hostile state with abundant (I'm not going to say unlimited) resources to find vulnerabilities in any piece of software your government uses: open-source or not. That's why I say software security is like a castle. In BOTH cases, a truly determined adversary (like a state) WILL get through no matter how hard you fortify. Things like Stuxnet show just how far some adversaries will go to do some damage. And let's not forget that MacOS X is Unix-based (BSD, this time), and it is finding an increasing number of vulnerabilities.

                  1. eulampios

                    a hyperbolic example

                    What I meant was not that GNU/Linux or even OpenBSD are absolutely immune. I meant that when comparing Windows OS with the most other ones, the former is several magnitudes more vulnerable than the latter.

                    Take this analogy on the risks or probabilities:

                    If you put a tea-kettle on the stove, it most probably boil in a minute. There is a very slip never-observed possibility that it will freeze. It is a hyperbole, of course.

                    1. Charles 9

                      Taking your analogy further...

                      ...your adversary (a state) discovers this possibility and, seeing as it's a way to crack your kettle, works on it (they have the time and money to do it). Next thing you know, you put your kettle over the fire, and come back some time later to suddenly find your kettle cracked open...and the water within stolen.

                      There's two aspects of this article. It's not just that software is vulnerable, but ALSO that STATES don't play by the same rules as most firms. Think of this for a while: who else but a state in the 1940's could pull off something like the Manhattan Project? Or the Space Race in the 1960's?

        3. Archimedes_Circle
          Headmaster

          Technically, the Israelis designed that weapons system. Point taken though.

      2. tjdawson
        Big Brother

        tjdawson

        any software of chinese origin is already suspect and needs to be treated with utmost caution, keeping in mind that they are making a major concerted effort to gather intelligence by any and every means possible, which means every program likely has some sort of code/subroutine embedded in it which sends data collected to the chinese govt.!

  4. Craig Vaughton
    Mushroom

    The Next War

    The next war has already begun and the bad news is we're already losing!

  5. IowaBarnCat
    IT Angle

    US Fed CIO

    Former Microsoft Executive. ;)

  6. Anonymous Coward
    Anonymous Coward

    Sykipot only works on Windows

    > An adapted version of the Trojan targets PCs attached to smart card readers running ActivClient, the client application of ActivIdentity, in what's been described as a 'smart card proxy' attack

    Here is more detail on the attack: Smartcard access .. It uses the WIN32 API [alienvault.com]s functions [GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA].

    http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs/

  7. Anonymous Coward
    Anonymous Coward

    I thought the point of smartcards vs. passwords

    is that the credentials never leave the card in the clear. What is there to intercept?

    1. Paul Hovnanian Silver badge

      It sounds like what they are doing is capturing PINs and for use in a Trojan process that can then log into remote resources. So when you plug in your card to perform some (authorized) function, the trojan begins accessing other resources in the background.

      "By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader."

      So they aren't stealing the card's credentials for future use. They are using your card in real time to access servers and other resources. A bad situation, since when security gets an alarm and comes over to your workstation to see what's up, you'll actually be sitting there with your card in the reader. You might only be playing Solitaire, but the logs will show data being copied to a server in China.

  8. Eric Graves

    Meh

    Contrary to what the article says, a Smart Card and pin wouldn't really get you into anything interesting, it certainly won't give you access to anything classified, and most systems that house sensitive unclassified info require some additional login credentials. Of course, if the trojan is capturing all that too, they may get some intel value out of it if they luck upon infecting the right user, ie, some clueless General who will then come up with even more asinine security policies and training for the rest of us as a cover for his own ineptitude.

  9. Alexander Rogge

    Risks of central electronic security

    Smart cards are wide open to attack, and unlike a metal key and a guard, an attack on the card control system can affect all cards. You can change people, but it's a lot more expensive to figure out where the electronic crack is and how to undo it. Smart cards also make it easy to frame people because the card is being silently accepted as a physical presence. That's harder to do with a key or keypad passcode and a desk guard, because the authentication at the door is verified by another person, not a networked computer. Once the system is compromised, none of the cards can be trusted, and it's back to basics. Meanwhile, innocent people could be made to look like criminals because the system says that they were somewhere or doing something that they weren't.

  10. Anonymous Coward
    Anonymous Coward

    How to destroy a country.

    1. Force everyone to have remote kill switches on their electricity supply, with some encryption that is very complex today, but with time, becomes crackable in three seconds.

    2. Argue with the Chinese.

  11. Daniel B.
    Facepalm

    Wait...

    "Blasco added that the use of dynamic tokens that offer two-factor authentication would thwart this particular line of attack."

    The US MILITARY needs to be told this?!?!?! I thought they already used these things!!!

This topic is closed for new posts.

Other stories you might like