The Smart Card Alliance offers platitudes but doesn't identify the culprits!

The Smart Card Alliance released their weak response to the recent Sykipot Trojan attack, which hijacked the Department of Defense authentication smartcards. Unlike hypothetical attacks on smartcards (the Chinese Remainder Theorem attack comes to mind, with its microwave oven and a calculator), this is a real threat to the security of one's network and data, but not so much to the smartcard itself.

The Sykipot Trojan takes advantage of the flaws and lack of security in Adobe's PDF documents (a zero-day attack) and in Microsoft's Windows OS, and anti-virus suppliers are not blocking the infected attachments.

How are these attacks happening? The attacker sends a phishing or spear-phishing email with a malware-infected attachment to an unsuspecting person or employee. The employee opens the attachment and launches the attack. The malware includes a keylogger that captures the smartcard PIN, reads the user's certificates stored within Windows, and then allows the attacker to use this information to log into accounts the attacker is not authorized for.

The Smart Card Alliance offers only simplistic security strategies.

1. Educate users on safe computer and email practices.
2. Maintain up-to-date anti-virus, anti-malware and anti-keylogger software.
3. Implement user analysis and network forensics tools.
4. Include multi-factor authentication. (I thought that was the whole purpose of the smartcard.)
5. Buy a PIN pad smartcard reader. (Expensive.)
6. Harden the authentication between user, keyboard, and smartcard. (That's what the OS is supposed to do.)
7. Change your card PIN and certificates. (Note: changing certificates can wreak havoc on documents, access rights, etc., that used the older certificate. Plus, the attackers will still have access to the older information.)

This is baloney. These recommendations are insulting at best, since they are Security 101. For the public representatives of the smartcard industry to put out such namby-pamby platitudes, and to either refuse to address the real culprits or fail to understand how to, is an injustice to all of us in the smartcard industry who are working to make data secure and user authentication reliable.

What deeply concerns me about their response is that neither the smartcard industry nor the PKI industry is at fault, yet the burden of prevention and security is wrongly placed on the user. The fault actually lies with the insecure applications (Adobe), the operating system (Microsoft) and the network security products that don't detect corrupted files. The attack used was unsophisticated and has been known and experienced for years. Why hasn't the computer industry addressed these known threats?

So here are my “Key Elements of Security”:

1. Scrap Windows 8 and develop an entirely new operating system from the ground up. Don't make it backward compatible with anything. Make security an integral part of the design. Sure, there will be the cost of new applications and drivers, but which is worse? The cost of upgrading, or the continuation of the multi-billion dollar identity theft losses which can bring down our economy?
2. Block all Adobe PDF attachments until they fix their problem. No older PDF attachments will be allowed into any computer.
3. Cloud and network manufacturers' products should scan attachments for hidden files.
4. Charge these companies $1 billion for every security patch they have to release. Windows Patch Tuesday has been going on since Windows 98. Is Microsoft management so keen on profits that building a trusted system is of no real importance to them? If the U.S. Postal Service needs a new campaign to get people to actually purchase stamps and other postal products, then remind every American that "snail mail" is not affected by viruses and can't take down your computer or network.

The claim that the Common Access Card (CAC) has reduced network intrusion by 46% when replacing passwords is also very misleading. Intrusions are reduced when you prevent users from self-managing their passwords. Time and time again we know that people will pick simple passwords, use the same password everywhere and write passwords on notes. Why? Because we can't remember that many of them. But if you incorporate a smartcard-based, multi-factor authentication password manager, you will see similar intrusion reductions, and at a fraction of the cost and time. PKI is a great technology and it does some things better than any other technology, but it is not appropriate for everyone. So comparing CAC to self-managed passwords is disingenuous.

As you can see, I am quite distressed and more than a little angry. Not at the hackers, criminals or even the Chinese, since they are doing their job and doing it very well. But at the computer industry that allows these attacks to continue, and at the Smart Card Alliance for not identifying the true culprits and offering solid security recommendations. The attack being waged was not sophisticated. So instead of Microsoft, Adobe and others coming up with a new, "pretty" interface, spend the money securing your software.

Author's Bio:

Dovell Bonnett has been creating security solutions for computer users for over 20 years. In order to provide these solutions to consumers as directly, and quickly, as possible, he founded Access Smart. With each of his innovations, the end user — the person sitting in front of a computer — is his No. 1 customer.

This passion, as he puts it, to "empower people to manage digital information in the digital age" also led him to write the popular Online Identity Theft Protection for Dummies. Given the pervasive nature of our e-commerce and e-business community, personal information, from credit card numbers to your pet's name, is more easily accessed, and identity theft and fraud have become an issue that touches every consumer.

Mr. Bonnett’s solutions reduce security risks for individual users, small businesses and large corporations. His professional experience spans 21 years in engineering, product development, sales and marketing, with more than 15 years focused specifically on smartcard technology, systems and applications. Mr. Bonnett has spent most of his smartcard career translating and integrating technology components into end-user solutions designed to solve business security needs and incorporating multi-applications onto a single credential using both contactless and contact smartcards. He has held positions at National Semiconductor, Siemens (Infineon), Certicom, Motorola and HID. He is the author of smartcard articles, regularly presents at conferences, and helps companies successfully implement smartcard projects. Mr. Bonnett has been an active member of the Smart Card Alliance contributing to the development of physical access security white papers. He holds dual bachelor’s degrees in industrial and electrical engineering from San Jose State University.