A malware-driven attack was recently highlighted involving ActivClient, which provides technology for secure authentication (smart cards that comply with GSC-IS 2.1). The attack is described in detail on a number of sites, such as Security Week here, and I would encourage reading the explanation of the attack by AlienVault here.
What is interesting here, and relevant to all security practitioners and sectors, is that cryptography can at some levels be made irrelevant. The immense sophistication of the cryptography and hardware manufacturing built into these key cards and their infrastructure is, in this case, countered simply by capturing the PIN associated with the key. That gives an attacker access to the protected resources the card was designed to restrict. Specifically, the attack works because the attacker captures the PIN through a keylogger, binds it to the certificate on the local computer, and then attacks remote resources protected by the key card whenever the card is connected. No key is extracted and no cipher is broken; the malware only needs the card to be present and the PIN to unlock it.
In all, a pretty elegant way of defeating what would otherwise be a complex and low-return attack vector (attacking the cryptography).
The takeaway is that, as always it seems, the old assumption that hardware, cryptography and standard processes are enough is wrong. What is needed is a practice of continually evaluating the impact of new attack types (variants) and the new capabilities of attackers. Meanwhile, the ongoing trend of attacking the underlying security safeguards themselves as a means of attacking an organization has reached a critical level. In the past 12 months anti-virus source code has been stolen; two-factor authentication tokens are perceived as insecure due to the RSA breach; Certificate Authorities have been breached and poisoned; and now this demonstration of bypassing smart card security.
Yes, the malware could be detected through anti-malware and behavioral IPS-type technology on the network and host. Yes, the increased activity and parallel queries of a single user could be detected. The vulnerabilities that allowed the installation in this particular case could also be patched. The result, though, is still an ongoing need to evolve security practices: monitor and respond rapidly to suspect activity, and reduce and limit access as much as possible.
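To make the "increased activity / parallel queries" point concrete, here is an added detection sketch (my own illustration, not code from the post or from any product mentioned in it). It assumes a constructed access-log format with a timestamp, user, source host and resource per line, and it flags a single user reaching many distinct card-protected resources from one workstation inside a short window, which is what malware riding an inserted card would look like compared to a human who opens one or two applications at a time.

```python
"""Flag smart-card sessions that look like malware riding the inserted card:
one user, one host, many distinct protected resources in a short window.

Added example for this post; the log format below is constructed, not any
real product's format, and the thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: certificate-authenticated requests as a web or
# application front end might record them. jdoe's 10:15 burst is the
# suspicious pattern; the morning entries and asmith are normal use.
SAMPLE_LOG = """\
2012-01-12T09:00:01 user=jdoe src=ws-1138 resource=portal.example.mil
2012-01-12T09:02:10 user=jdoe src=ws-1138 resource=mail.example.mil
2012-01-12T09:40:05 user=asmith src=ws-2201 resource=portal.example.mil
2012-01-12T10:15:00 user=jdoe src=ws-1138 resource=portal.example.mil
2012-01-12T10:15:01 user=jdoe src=ws-1138 resource=hr.example.mil
2012-01-12T10:15:01 user=jdoe src=ws-1138 resource=finance.example.mil
2012-01-12T10:15:02 user=jdoe src=ws-1138 resource=eng.example.mil
2012-01-12T10:15:02 user=jdoe src=ws-1138 resource=logistics.example.mil
2012-01-12T10:15:03 user=jdoe src=ws-1138 resource=archive.example.mil
"""


def parse_line(line):
    """Turn 'ts key=value key=value ...' into (datetime, user, src, resource)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return (datetime.fromisoformat(ts_str), fields["user"],
            fields["src"], fields["resource"])


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bursts(events, window=timedelta(seconds=30), min_resources=4):
    """Return (user, src, window_start, resources) for every (user, host)
    stream in which at least `min_resources` distinct resources were reached
    within `window`. Sliding window over each stream sorted by time; one
    alert per stream is enough for triage, so we stop at the first hit."""
    streams = defaultdict(list)
    for ts, user, src, resource in events:
        streams[(user, src)].append((ts, resource))

    alerts = []
    for (user, src), evs in streams.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            resources = {r for _, r in evs[start:end + 1]}
            if len(resources) >= min_resources:
                alerts.append((user, src, evs[start][0], resources))
                break
    return alerts


if __name__ == "__main__":
    for user, src, started, resources in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}@{src} from {started.isoformat()}: "
              f"{len(resources)} resources {sorted(resources)}")
```

The window and resource-count thresholds would be tuned against a baseline of what real users do; the point is that card-holder-present authentication does not excuse a session from behavioral monitoring, because the card and PIN are legitimately in use whether a human or malware is driving them.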
Other thoughts and avenues?
James DeLuccia IV