[SecurityRatty] tag: finance

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Wed, 03 Dec 2008 06:42:00 +0000

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

Links for 2008-11-17 [del.icio.us]

Mon, 17 Nov 2008 21:00:00 +0000

Links List 10.3.08

Fri, 03 Oct 2008 16:55:16 +0000

Well finally, an upside to the financial crisis – more students in computer science. After the dot-com crash, enrollment went down in computer science, almost 50% since 2003. Many students shifted their interest from the technology field to banking and finance because they thought they’d make more money. And now the financial crisis could scare them into choosing majors and careers that are “safer alternatives”, like IT. And perhaps the trend is reversing for those already on Wall Street as well. Ben Worthen writes about the influx of resumes Kodiak Venture Partners has been getting: from financial-services vets who want to work at tech startups, – not to “strike it rich” this time around, but just to make a living. And it’s not just the tech workers. Seems like the ones that don’t even have any real IT experience are looking too – for jobs as VPs of marketing (harrumph). (img from www.fas.org)

I’m sure you already know about the other “network management” – where ISPs and carriers get their hands publicly slapped for limiting bandwidth to high-traffic offenders. But when is this kind of “network management” a good thing? At a panel sponsored by the FCC in DC, reps from carriers and ISPs discussed what steps they’ve been taking to prepare for a pandemic or other major global crisis – that would force workers to stay at home or work from more remote locations to limit exposure.

Are people paying attention to ICANN? They’re saying that IPv4 will be fully allocated in the next two or three years. Does anyone care? In their bid to make people care, ICANN talks about the state of IPv6 adoption and touts Africa as the most rapid adopter.

SOA soon part of the ‘cloud’? No, please no.

Microsoft – The Silver Lining in Every Cloud. Joe Wilcox over at eWeek’s Microsoft Watch, has been following Steve Ballmer around and collecting some nice quotes on how the company is transitioning. “For many years, we had kind of what I would call the all-encompassing mission, vision and scorecard statement: a computer on every desk and in every home. …Well, our footprint and portfolio is broader than that. “ [In every hand and of course, in every cloud…] “So, as a vision statement we talk about creating seamless experiences that combine the magic of software, the power of the Internet across a world of devices.” The magic of software – something I haven’t thought about for a while. And:

“You need a real platform in the cloud. When we wanted to go after the PC, we built an operating system. When we wanted to go after the phone, we built an operating system. When we wanted to go after the enterprise, we built an operating system. We’ll announce a new operating system, one that runs in the cloud and has a wide variety of capabilities.”

Links for 2008-09-11 [del.icio.us]

Thu, 11 Sep 2008 20:00:00 +0000

OPEN Forum by American Express OPEN » Blog Archive How to Save a Billion Dollars
The Daily Incite - September 11, 2008 | Security Incite: Analysis on Information Security
But I think many security managers are missing the point of what a security management platform is supposed to do. It's about control and automation. The reality is no human can wade through the morass of data that comes out of our security devices.
Security Management: A Chicken & Egg Problem - Discovery and management - Dark Reading
Most enterprises are looking for a product that will solve all of their problems in some sort of off-the-shelf miracle, and when they find out that the currently available tools can't do it, they either postpone their deployment or put them on the back burner.
Trusted Computer Solutions Acquires CounterStorm to Broaden Portfolio of Security Solutions: Financial News - Yahoo! Finance
Dana Gardner's BriefingsDirect: Systems log analytics offers operators performance insights that set stage for IT transformation
Financial Cryptography: Yet more evidence: your CISO needs an MBA
Yet more evidence: your CISO needs an MBA
The Velocity 2008 Conference Experience - Part III - Web Admin Blog
Logging should be actionable - concise, express symptoms. Anything logged is something fixable. It should be giving you less downtime - shorter time to resolution. Logging takes resources, so make it worth it. Filter down your logs to be concise and actionable. Production logging has different goals from dev/QA logging. You’re looking for problem diagnosis and recovery, and then statistics and monitoring. Insight into what the app’s doing.

If a tree falls in someone else's silo...

Mon, 08 Sep 2008 08:29:57 +0000

Must read post by Iang:

In the case of phishing, it is relatively clear. The developers believe the PKI book. The PKI people believe in the efficacy of digital signatures to prove stuff. The cryptographers believe in the perfection of mathematics, and the security world believes in the completeness of their own learning. They are all wrong, but only at the large level of generalisations, not at the detailed level of particular claims. Any one of the claims, in isolation can be shown to be true. But, generalising these brittle claims to be solid building blocks is a completely different question. Few of the claims are strong enough to partake in a general model without severe support; the general model of secure browsing is the best evidence of how it is secure in name only.

How then is it built? By accident or by design, a series of claims meet together in a holy ring of righteous architecture. Each of the proponents claim loudly that their part is strong, but the ring has no strength. Eventually, one of the claims in the links is broken. For phishing, the browsers never did have the potential to show authenticity; not only did they not have the security strength to do it (c.f., Skype v. CSRF), they didn't even do it in practice (recall the lost padlock?), and their recent efforts to show authenticity (c.f. colour debate) reveal how far they are from understanding even the goal, let alone the implementation. Once that link was broken, and money was made, all the others revealed their weaknesses, as crooks systematically worked to breach the lot.

If we look at the wider financial collapse, now underscored by the nationalisation of the worlds biggest financiers of mortgages ($ 5.3 trillion.... or is it $ 5.4 ?), we see the same pattern. The bankers believed in their product. The originators believed in their origination, the securitizers believed in their free market and accurate price, and the holders believed in the assets. The CDO, the subprime, the other 100 special names, each was a contract. Each was clear in and of itself. But, when placed end-to-end, in a line, with a bunch of other agreements, the claims that were good in isolation were not strong enough to participate in the super-claim made of the overall edifice.
The financial system was built like a bridge; each piece rested on the previous one. And then, the clever architects bent the bridge around ... and around again, until the first piece met the last. The elegant keystone of finance was to finally lift up the first one to rest on the last.

Thus, the banks themselves invested their capital in their own product.

Maybe computer security failures won't ever result in $6 trillion worth of failures, but every day we bet more and more of our economy on networked computer systems. And those architectures are built on the precise mindsets that Iang portrays.

Banks are apt to comply with their auditor's request to run scans their resources, but what they do not do is build systems with architectural integrity. Why do you log in with a username and password? Why are the messaging systems not locked down? Where are the strong identity tokens and claims? Do banks know that they are not on a mainframe any more?

Sadly, they don't - they build a web silo and then they hook it up the legacy silo and put a wide open messaging system in between. There is no end to end security design, just silos. The banks build distributed systems, they operate distributed systems, but they don't design distributed systems.

It is too bad, its never been a core competency of banks to design systems, but it never mattered before because IBM just drew up the plan and the banks followed it. Now everyone has their own plan, but the security architecture reflects an auditor's checklist and manager's golf games not risk management decisions or security architecture.

If a tree falls in someone else's silo, your system doesn't hear until their silo knocks yours over...

The key to data security: Separation of duties

Wed, 27 Aug 2008 09:00:00 +0000

Separation of duties is a key control in finance, and it should be required in information security, too. It requires that no one person is able to compromise information.

Fake Porn Sites Serving Malware - Part Three

Tue, 26 Aug 2008 05:02:26 +0000

Continue the Fake Porn Sites Serving Malware and Fake Porn Sites Serving Malware - Part Two series, in part three we'll take a peek at the emerging trend of parking a single domain at up to three different hosting locations, re-establishing connections between malicious ISPs for yet another time in between exposing the domains and the download locations sharing the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2 then to watchnenjoy.com/index.php?id=1314&style=black, and finally to the front end to the codec's download location handmadeclips .com, where the codec is downloaded from fwlprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today, is tomorrow's blackhat SEO content farm :

downlfreesexgirlbeach .com - (88.214.198.25)
vids365 .com
downlfreesexgirlbeach .com
top.only-bi .com
wikiei .com
paysuperporn .com
aboutsexporn .com
freactor .com
cheapofficialpills .com
finance-leaders.comnudenakedboys .com
photosgayboys .com
uniqueincest.com
shyincest .com
banrnd.central-xxx .com
tvisklick .info
thebg .net
termion .net
xoxvids .net
bestpricepills .net
bcodecnow .net

infodist1 .com - (88.214.204.40)
farmasearch2008 .com
flaxxvid .com
xanax777pills .com
18virgingirls .com
girlnudegallaryvideox .com
allxxxpornogerlsx .com
jproshin .info
familytaboo .info
fullsitehost .info
20searchonlinesite .net
add-your-video .net
blogs4y .net

adult-shemale .com - (88.214.198.25)
adult-tranny .com
all-shemale .com
bcodecnow .net
best-tranny .com
bestguyportal .com
bestmoviez .com
central-xxx .com
downlfreesexgirlbeach .com
gallery-boy .com
hiosexywomensxxxgirlsx .com
lady-dick .com
bcodecnow .net
mytoppharmacy .com
nakednudeboys .com
nakednudemen .com
nudenakedboys .com
only-bi .com
only-shemale .com
page-reviews .com
paulaslosingit .com
photosgayboys .com
stud-boys .com
the0download .com
wikiei .com
moviez .com
hiosexywomensxxxgirlsx .com
sexygirlsisuniformh0t .com
the0download .com

flwprocedure .com - (77.91.231.201)
movupdate .com
flwupdate .com
formatmpeg .com
movieexternal .com
flwtool .com
aviexecution .com
releasedvideo .com
wmvcompressor .com
movieopens .com
mpegapparatus .com
flwassistant .com
flwinstrument .com
piterserv .com
wovview .com

Some info on a sample codec :
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's owned InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244) previously known as Andrei Kislizin's owned InHoster, you know you're on the right track.

Links for 2008-07-31 [del.icio.us]

Thu, 31 Jul 2008 20:00:00 +0000

Too Many GRC Systems? | The IT-Finance Connection
In many ways, GRC today is at a stage similar to CRM 10 or 15 years ago. Then, each department maintained its own customer relations management tools, resulting in inefficiency and customer frustration, as well as duplication of effort and redundancy of i
Five signs that your career is about to get vapid » Brazen Careerist by Penelope Trunk
You can tell if you are avoiding personal growth in your career because you are not feeling challenged. You can tell if you are not feeling challenged if you are not scared. Being scared is what makes life interesting. You should be scared that you are go
McAfee acquires Reconnex, inks distribution pacts | Between the Lines | ZDNet.com
The company said it acquired Reconnex, which makes technology that automates data protection, for $46 million.

The Perfect Storm

Thu, 17 Jul 2008 03:15:00 +0000

Its time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, that the community has been quite lazy and have just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that have credit card information have been the ones that were most under attack but those that don't handle credit card information have largely been ignored by hackers except for some members of staff who have been caught out but then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information ?

Adrian Lane from Securosis thinks that the falling prices in the underground economy is humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.