DoD ID cards under attack

A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards. A variant of the Sykipot trojan, the malware uses a zero-day vulnerability in Adobe software to install a keylogger and obtain the PINs and certificate information from smart cards.

The trojan, first identified by Alienvault Labs, appears targeted at a particular type of application.

"We are talking about smart cards, and specifically the DoD Common Access Card," Jaime Blasco, labs manager of Alienvault, told SCMagazine.com on Tuesday from his office in Madrid. "That is the ID card that every DoD employee has, and they use it to access confidential networks and data across the DoD infrastructures. Thanks to this malware, the attackers have the possibility of stealing the PIN used to use this card, and while the card is inside the reader, they are able to use the card to steal the data they want."

Sykipot is not designed to self-replicate across networks, Blasco added. It is manually operated malware that has to be controlled on a per-victim basis, so it is not likely that attackers use this piece of code for advanced persistent threats or other long-term types of attacks. Rather, he said, it is used for spear-phishing and zero-day exploits to gain access to networks.

Erin Nealy Cox, managing director and deputy general counsel at Stroz Friedberg, a digital risk management and investigations firm, and a former federal prosecutor, said spear-phishing attacks such as these underscore the importance of educating users in proper safe computing practices. In this case, for example, a user would need to click on an infected PDF file, often in situations where the PDF appears to be a trusted file. Cox said it is essential that employees be trained to look for potential attacks, even on trusted networks.

Randy Vanderhoof, executive director of the Smart Card Alliance, said that the attack does not compromise the smart cards themselves, but rather the middleware that reads the cards. He suggested that this trojan can be overcome if the middleware is hardened. He favors an approach that would get a one-time code from the smart card each time it is used as an extra level of security. This would ensure that the certificates and PIN associated with the card are not being used inappropriately.

He likened this approach to the payment card industry, which uses a dynamic data element to ensure each transaction is authenticated. However, he added, the payment card industry is a closed environment where the credit card companies control access. Smart cards are used in open environments where the front- and back-end systems might not have the same security levels or technical sophistication.
