Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Citadel exploit goes after weakest link at airport: employees

Taylor Armerding | Aug. 16, 2012
Man-in-the-browser attack using Trojan compromises VPN at major hub

Kedem said in most cases, antivirus software will not block or even notify a user, since each version of an attack is new. He said Trusteer checked one exploit against 40 antivirus products, "and only four found it. That's more or less the way it is. If it's (the infection) new, it typically wouldn't be detected by antivirus.

Whatever the method, once the device is infected, an enterprise's firewall is vulnerable, since the purpose of a VPN is to provide users with secure remote access to applications and data that reside inside an enterprise's firewall.

"Once an attacker steals a victim's VPN credentials they can login as the authorized user and have unfettered access to the information and resources associated with the account," Amit Klein wrote.

In the case of the airport, that was accomplished first through form grabbing, which steals the victim's user name and password, and then screen capture, which takes a snapshot of the image presented to the victim by the strong authentication product.

Oren Kedem said this should be a warning to all enterprises with VPNs. "They are definitely all susceptible to this," he said. "The major gap that exists in securing enterprises is outside the perimeter. Inside there is a lot of scrutiny. But once you open it up to BYOD (Bring Your Own Device) and unmanaged devices, you need to consider and apply specific technology and security controls.

"The same process [to improve security] that happened with online banking needs to happen in enterprise," he said.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.