The Post Bank vs the Pentagon
Jan 24, 2012 at 11:29 am in e-Crime, Information Security, Risk Management, Training by admin
The SA Postbank, part of the SA Post Office, became the target of cyber crime this month, losing R42 million when its system was accessed illegally and funds were transferred into mule accounts. They say that in war the first casualty is the truth, and in information warfare this is even more so, as the ongoing media speculation shows; at this stage the truth about what actually happened is still uncertain.
However, there are two things that should be highlighted. Firstly, there is an urgent need for approval of the South African National Cyber Security Policy, which has been pending for nearly two years and which would not only clearly define Minimum Security Standards but also establish incident response teams to handle incidents such as this one. Secondly, organisations need to consider the impact of the Protection of Personal Information Act, which requires mandatory disclosure of unauthorized access to personal information, as was clearly the case here.
The initial report stated that two suspects were being investigated; this was later updated to suggest that keystroke loggers had been used to steal the login credentials of the two users. This modus operandi has been present in South Africa for more than five years and is designed to bypass the separation-of-duties controls put in place to protect financial systems.
The Post Office Trust Centre was designed to address these security concerns by introducing strong authentication technologies; however, it appears that the technology was never rolled out within the Post Bank environment. Two-factor authentication such as smart cards has been available for many years and should be a minimum standard for all Government financial transactions. It is currently deployed in high-security environments such as the US Department of Defense, the Department of Homeland Security and the US State Department.
However, no technology is a silver bullet. Just days before the Post Bank incident was publicized, security researchers revealed that they had uncovered a new variant of malicious software called Sykipot that targets smart cards used to access restricted servers and networks. Previous Sykipot strains have been traced to command-and-control servers in China, and the researchers said they discovered Chinese characters in a small snippet of code.
Sykipot used an e-mail campaign to lure victims into opening an infected PDF attachment, so the pertinent question is how exactly did the Post Bank computers get infected with a keystroke logger?
The Cyber Crime Research Group’s philosophy is that offense should inform defense and our approach is to understand actual South African security incidents in order to provide guidance as to how to better protect South African organisations. South African organisations are very lucky that they do not have to repel some of the cutting edge hacking techniques used internationally. Unfortunately, it is also clear that cyber criminals do not need them to compromise our systems.
To join the Information Security Group of Africa’s SIG (Special Interest Group) on Cyber Crime please contact Iain Campbell on iain@criticalid.net
