DoD Common Access Card / PIV Pwnage

March 17, 2011

Typically, from a cyberdefense standpoint, two-factor authentication is the way to go. Well, it turns out that our adversaries have effectively developed, operationalized and used successful attacks against our Government's smart cards, commonly known as the for DOD and PIV for Federal agencies. I would have to imagine this is highly damaging and embarrassing, considering the millions and millions of dollars and years of development that have been put into the effort over the last decade.

The irony is that the Federal Government hasn't even completely rolled out these capabilities for agencies, leaving these safeguards optional for implementation until recently. Really??

Either way, they are pwned now. Users are attacked at home while they use their cards; the attackers are alerted and ride the session in to steal data from smart-card-protected portals. A significant effort must have been initiated to circumvent these controls. This is known as a smart-card proxy attack. In order to work with the card reader, the attacker would have needed reverse-engineering knowledge and then written code to hook the vendor software and issue calls through it. They would also have had to undermine the chain of trust.

BTW, soft certificate stealing is par for the course in APT malware, so if you think about using them, or extracting them to disk with the private key installed, then you're doubly screwed. Either that, or they will hook all the certificate processes in Windows and dump the private keys/passphrases from there, or get the PINs from normal keystroke logging.

The only vendor that truly makes this software is   So much for their tagline "Establishing Trust in Online Identities"...

I will reprint the article here since it's just so damn scandalous.

The US government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them.

Over the past 18 months, security consultancy has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In a report set to be released Thursday, Mandiant calls this technique a “smart card proxy.”

The attack works in several steps. First, the criminals hack their way onto a PC. Often they'll do this by sending a specially crafted email message to someone at the network they're trying to break into. The message will include a malicious attachment that, when opened, gives the hacker a foothold in the network.

After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card.

Then they wait.

When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the bad guys simply redirect that request to the hacked system, and return it with the token and the previously stolen password.

This is similar to the techniques criminals have been using for several years now to get around the extra authentication technologies used in online banking.

Mandiant is the kind of company that businesses and government agencies call to clean up the mess after they've been hacked. It has done investigations at about 120 organisations over the past year and a half. Most of them get hacked via a targeted email. But in many cases, they were actually hacked years earlier, but never managed to remove the malicious software from their network, according to the report.

Companies or government agencies that assume that they are secure just because they use smart cards to authenticate, could be in for a nasty surprise some day, said Rob Lee, a director with Mandiant. “Everything is circumventable in the end,” he said.
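One defender-side check the reprinted article suggests: when an authentication request is relayed from the attacker's machine to the victim's card, the same certificate ends up authenticating from two different client addresses within minutes. The script below is an added example, not code from the original post or from the Mandiant report; the log format, the certificate subjects and the 10-minute window are constructed assumptions.

```python
# Added example: flag one smart-card certificate authenticating from two
# client addresses inside a short window, a pattern consistent with the
# "smart card proxy" relay described in the article. Log format is constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample portal log: timestamp, certificate subject, client IP, result.
SAMPLE_LOG = """\
2011-03-17T08:01:12Z CN=DOE.JOHN.1234567890 10.1.5.23 AUTH_OK
2011-03-17T08:02:40Z CN=DOE.JOHN.1234567890 10.1.5.23 AUTH_OK
2011-03-17T08:04:03Z CN=DOE.JOHN.1234567890 198.51.100.77 AUTH_OK
2011-03-17T09:30:00Z CN=SMITH.JANE.0987654321 10.1.5.40 AUTH_OK
2011-03-17T13:15:00Z CN=SMITH.JANE.0987654321 10.1.9.12 AUTH_OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, subject, ip, result)."""
    ts, subject, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), subject, ip, result


def find_proxied_auth(log_text, window_seconds=600):
    """Return (subject, earlier_ip, later_ip, seconds_apart) for every successful
    authentication whose certificate was also used from a different client
    address within the preceding `window_seconds` (assumed default: 10 min)."""
    seen = defaultdict(list)  # subject -> list of (timestamp, ip) for AUTH_OK
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, subject, ip, result = parse_line(line)
        if result != "AUTH_OK":  # failed attempts are not session evidence
            continue
        for prev_ts, prev_ip in seen[subject]:
            gap = int((ts - prev_ts).total_seconds())
            if prev_ip != ip and gap <= window_seconds:
                alerts.append((subject, prev_ip, ip, gap))
                break  # one alert per offending authentication is enough
        seen[subject].append((ts, ip))
    return alerts


if __name__ == "__main__":
    for subject, ip_a, ip_b, gap in find_proxied_auth(SAMPLE_LOG):
        print(f"ALERT {subject}: used from {ip_a} then {ip_b} {gap}s apart")
```

Legitimate roaming (a VPN reconnect, for instance) also trips this rule, so the window is a tuning knob and the alert is a lead for the IR team rather than proof of compromise.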

As if that were not enough, they are also using social networking for C2, including MSN and Google Chat.

Funny how AV companies are really quiet about all these novel capabilities. My guess is that they are sitting untouched in those massive malware repositories they have. Maybe if they dropped all their Allaple/Virut/Sality samples they could see the forest for the trees.
