DoD ID cards under attack

A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards. A variant of the Sykipot trojan, the malware uses a zero-day vulnerability in Adobe software to install a keylogger and obtain the PINs and certificate information from smart cards.

The trojan, first identified by Alienvault Labs, appears targeted at a particular type of application.

"We are talking about smart cards, and specifically the DoD Common Access Card," Jaime Blasco, labs manager of Alienvault, told SCMagazine.com on Tuesday from his office in Madrid. "That is the ID card that every DoD employee has, and they use it to access confidential networks and data across the DoD infrastructures. Thanks to this malware, the attackers have the possibility of stealing the PIN used to use this card, and while the card is inside the reader, they are able to use the card to steal the data they want."

Sykipot is not designed to self-replicate across networks, Blasco added. It is manual malware that has to be controlled on a per-victim basis, so it is not likely that attackers use this piece of code for advanced persistent threats or other long-term types of attacks. Rather, he said, it is used for spear-phishing and zero-day exploits to gain access to networks.

Erin Nealy Cox, managing director and deputy general counsel at Stroz Friedberg, a digital risk management and investigations firm, and a former federal prosecutor, said spear-phishing attacks such as these underscore the importance of educating users in proper safe computing practices. In this case, for example, a user would need to click on an infected PDF file, often in situations where the PDF appears to be a trusted file. Cox said it is essential that employees be trained to look for potential attacks, even on trusted networks.

Randy Vanderhoof, executive director of the Smart Card Alliance, said that the attack does not compromise the smart cards themselves, but rather the middleware that reads the cards. He suggested that this trojan can be overcome if the middleware is hardened. He favors an approach that would get a one-time code from the smart card each time it is used as an extra level of security. This would ensure that the certificates and PIN number associated with the card are not being used inappropriately.

He likened this approach to the payment card industry, which uses a dynamic data element to ensure each transaction is authenticated. However, he added, the payment card industry is a closed environment where the credit card companies control access. Smart cards are used in open environments where the front- and back-end systems might not have the same security levels or technical sophistication.
