Gartner Warns On Dual-Factor Authentication

Security measures like one-time passwords and phone-based call-back authentication, considered fairly robust forms of security and in use by some banks, are no longer enough to protect online transactions against fraud, a new report from research firm Gartner Inc. warns.

In August, NACHA - The Electronic Payments Association issued an alert warning members about attacks involving the theft of online banking credentials, mostly from small and medium-sized businesses, which are then used to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks.

Several Gartner banking clients have reported being targeted by attacks involving the use of malicious code hidden in Web browsers to intercept and corrupt banking transactions.

Read the entire ComputerWorld article.


A Couple of Vulnerabilities Worth Mentioning

Mozilla has released Firefox 3.5.6, 3.0.16, and SeaMonkey 2.0.1 to address 7 newly-disclosed vulnerabilities. 

3 of the vulnerabilities are rated critical.

Adobe has acknowledged the recently disclosed “Zero-Day” remote code execution vulnerability in Reader and Acrobat but won’t issue a patch until January 12, 2010, which is also the next Microsoft & Adobe Patch Tuesday.

Many anti-virus products have already added detection for the specific attack that is now in the wild.  Enabling DEP for Acrobat or Reader on versions of Windows which support it limits the potential of the attack to a denial of service.   Individual users can disable JavaScript if they are sure they don’t need it, using Adobe’s instructions:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK

Enterprise users are going to be a challenge to deal with. However, Acrobat and Reader let you turn off specific JavaScript functions, so other JavaScript programs can still run while the vulnerable function is blocked. On Windows the setting is made with a registry key; on UNIX and Mac, with a line in a configuration file. In both cases the vulnerable function is “DocMedia.newPlayer”.

The exploit itself is being passed around and is available (to Offensive Computing subscribers) here.  It also appears that development of a Metasploit module is underway already.  There goes the neighborhood…

EDIT: How to disable Adobe JavaScript using GPOs: