BankInfo Ramnit Article

Tracy Kitten at BankInfo has an interesting article about the Ramnit worm which is worth a read (even, I would say, by the general public). Ramnit is particularly pernicious because:

Ramnit’s man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user’s ID and password, and sometimes other personal information en route to the actual log-in page. The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim’s accounts at will.

That said, I’m not sure I agree with the solution espoused:

“Passwords are not very useful for anything anymore,” [Bill] Wansley says. “They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication [emphasis added] – like Google has recently – for social-media sign-in, and certainly for anything that is for financial or medical-related accounts.”

Certainly a challenge-response method would be effective if the response were dynamic (say, an RSA key fob or equivalent smartphone software). However, if the two-factor authentication consists of two static values, nothing stops the malware from ultimately being designed to capture both factors. It would be “false security” to believe this is a permanent solution.

It then goes on to say:

Passphrases are better than passwords, but multifactor authentication is the new standard. “Nobody should be using their social-media passwords or phrases for their financial accounts,” Wansley says.

While I absolutely agree that users shouldn’t use the same password for financial or other sensitive websites, I’m not absolutely convinced that making stronger passwords is generally the answer. Yes, if you are using straight dictionary words (which websites should prevent), you are at risk; however, a mix of case and, say, a numeric basically makes passwords externally uncrackable, provided the website properly implements delays and lockouts on the login process.

In my opinion too much emphasis in the industry is put on strong passwords, where people confuse a compromised hash (the encrypted, or more precisely hashed, form of the password) with an external brute-force attack. If the former happens one should simply assume the password is compromised regardless of how strong it is. However, most recent compromises involve either external brute-force attacks or outright compromise of the cleartext password – those are different animals than a hash loss. Again, a marginally strong password with delays and lockout will easily survive a brute-force attack from an external source (i.e. the web).
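The online-versus-offline distinction in the two paragraphs above can be put into numbers. The following is an added example (my own model, not from the article): it computes how many guesses a delay-and-lockout policy allows per day against one account and contrasts the expected time to exhaust half of an 8-character mixed-case-plus-digit keyspace that way with the time against a leaked hash. The lockout policy (5 attempts, 15-minute lockout, 2-second delay) and the offline rate of 10^9 hashes per second are constructed assumptions for illustration.

```python
# Added example (not from the article): a back-of-the-envelope model of
# external (online) guessing under a delay-and-lockout policy versus
# offline cracking of a stolen hash. All rates below are constructed assumptions.
from typing import Dict

SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def online_guesses_per_day(attempts_before_lockout: int, lockout_seconds: float,
                           per_attempt_delay: float = 0.0) -> float:
    """Guesses per day against a single account when the server allows N attempts
    (each slowed by per_attempt_delay) and then locks the account for lockout_seconds."""
    cycle = attempts_before_lockout * per_attempt_delay + lockout_seconds
    return SECONDS_PER_DAY / cycle * attempts_before_lockout


def expected_years_online(space: int, guesses_per_day: float) -> float:
    """Expected time to hit the right password: half the keyspace on average."""
    return (space / 2) / guesses_per_day / 365


def expected_hours_offline(space: int, hashes_per_second: float) -> float:
    """Same keyspace, but against a leaked hash with no server in the loop."""
    return (space / 2) / hashes_per_second / 3600


def compare(length: int = 8, alphabet_size: int = 62, attempts: int = 5,
            lockout_seconds: float = 900, per_attempt_delay: float = 2.0,
            offline_rate: float = 1e9) -> Dict[str, float]:
    """Assumed defaults: 8 chars of [A-Za-z0-9], 5 tries then a 15-minute lockout,
    2 s delay per try, and an assumed 1e9 hashes/s for a fast unsalted hash."""
    space = keyspace(length, alphabet_size)
    per_day = online_guesses_per_day(attempts, lockout_seconds, per_attempt_delay)
    return {
        "keyspace": space,
        "online_guesses_per_day": per_day,
        "online_expected_years": expected_years_online(space, per_day),
        "offline_expected_hours": expected_hours_offline(space, offline_rate),
    }
```

With the defaults the same password that would take hundreds of millions of years to guess through the login form falls in roughly a day and a half once the hash is in the attacker's hands, which is the article's point: a hash loss is a compromise regardless of strength, while lockouts make external guessing moot.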

That’s not to say a degree of password strength isn’t important, but making passwords too difficult to remember can be counterproductive, as it encourages users to write them down or use other insecure methods. In that regard “passphrases” can be a benefit – they can be easy to remember and strong at the same time.

I think too often security professionals focus on what works for them and not the reality of the end-user community they are serving. Sure, that gawd-awful password complexity requirement is the ideal, but if your end users end up writing it on a Post-it or in an Excel spreadsheet, the game is over.

Comments

  1. Brendon J. Wilson

    Creating a password that is both memorable and strong can be difficult, but is crucial for online security. And while you may not feel two-factor authentication is a viable option, I’d like to suggest users consider using it whenever it’s available. Many sites, businesses and financial institutions are making two-factor authentication available to users as either a requirement or an additional security option. As a Symantec employee, I’ve seen the evolution of two-factor authentication, and it’s become much easier to use and implement for users. Users can now use their mobile device as an authentication token. Unlike traditional two-factor authentication token solutions, approaches that enable re-use of existing mobile devices are faster and easier to deploy, and more cost-effective to maintain. And, unlike traditional hardware tokens, users are far less likely to forget their mobile device at home.

  2. Matt Fahrner

    Well put.

    Just to clarify – I’m absolutely not against two-factor authentication and I think the smart phone app is a great idea. I’m just dubious that there would be enough market penetration (that is, that there are enough non-smartphone users to make this potentially a problem) and that, even given a smartphone application, most users would be willing to deal with it.

    My experience with even a rather well-informed user base is that there is a lot of resistance to anything that requires extra effort.

    Still, I would certainly like to see this route if possible.

    Thanks for the well informed response Brendon!
