Citadel Malware Used to Infiltrate Airport VPN

Discussion in 'Aviation Passenger Security in the USA' started by Fisher1949, Aug 14, 2012.

  1. Fisher1949

    Fisher1949 Original Member Coach

    Looks like TSA's SSI and the stored scan images may be at risk.
    http://m.threatpost.com/en_us/blogs/citadel-malware-used-infiltrate-airport-vpn-081412
     
  2. Sunny Goth

    Sunny Goth Original Member Coach

    Wow, that sounds pretty serious.

    They're clearly not after airport employees' banking credentials - if they just wanted to drain bank accounts they could go after the low-hanging fruit - target the passengers who are doing their banking on the airport wifi. (I just cringed as I typed that last sentence).

    "...with the latest example being the discovery of the Trojan being used to steal VPN credentials for internal users at a major airport."

    and

    "Researchers at Trusteer discovered the attack and notified officials at the unnamed airport, who then disabled employee access through the VPN."

    Are TSA agents/supervisors considered "internal users" and/or "employees" of the airport? If so, maybe the attack is aimed at them to get info on security measures.

    If the TSA isn't considered an internal user or an employee, then it would seem that the malware is targeting other airport employees and actual airport security plans - which seems more serious than targeting the TSA.
     
  3. Mike

    Mike Founding Member Coach

    Virtually all TSA posters* here come through the DHS proxy at IP range (216.81.80.0 - 216.81.95.255). I suspect they have their own internet links directly to the DHS facilities in Virginia. If they were relying on local wireless for access, there would be a need to further connect through the DHS proxy to access internet sites.

    So whoever the malware jerks are aiming at, my best bet is that TSA is mostly not vulnerable.

    * The only exception has been Ciarin, who as best I could tell visited us entirely on her own dime & most likely her own time.
     
  4. TSA News Blog

    TSA News Blog News Feed


    Not only do we already know that while the TSA is busy sticking its hands down your pants, people are wandering up to the airport on jet skis, breaching airport security by climbing over fences, and hiding in airplane wheel wells, but now we find out that computer security may be compromised.
    For the technologically inclined out there, you might be interested to read this article titled, “Citadel Malware Used to Infiltrate Airport VPN.”
    Okay, it didn’t sound good, but I still had to look up “VPN” (virtual private network for those of you who are barely technologically competent like me). Like so much in the digital age, unless you’re proficient at this stuff, it’s hard to know what’s truly safe and secure and anonymizing, and what isn’t.
    Back to the article:
    The Citadel Trojan is really starting to become kind of a pain in the neck. Not content to sit by and watch while its more well-known rivals Zeus and SpyEye get all the attention, the Citadel malware has begun showing up in some interesting places, with the latest example being the discovery of the Trojan being used to steal VPN credentials for internal users at a major airport.
    The attack is a two-stage operation that is designed to defeat the strong authentication application that the airport had in place. Researchers at Trusteer discovered the attack and notified officials at the unnamed airport, who then disabled employee access through the VPN.
    Airports are target-rich environments for attackers, thanks to their open wireless networks and the huge population of transient users who are all too eager to use them. Man-in-the-middle attacks on airports’ public networks are common, but this particular attack didn’t target the public network or users but instead went after the airport’s employees and their remote-access application. Getting access through any corporation’s VPN system is a huge win for an attacker, because once she comes in as an authenticated user, she enjoys all of the access and privileges on the network that the victimized user does.
    In this particular episode, the attackers used a couple of well-known techniques in order to circumvent the security measures the airport had in place and make off with the victims’ VPN credentials.
    In other words, we’re talking employees here. The identities and passwords of employees.
    But since the TSA is fixated on panty-explosives and booby-bombs — and treating us all as criminals — the agency will probably just ignore this pesky little security problem. After all, grabbing and groping and finding aha! a butter knife! happens in plain sight, so it “looks like” the TSA is “doing something.”
    But real security and real intelligence don’t make a splash. And don’t warrant a Golly-Gee-Look-What-We-Found post by Blogger Bob. Real security and real intelligence happen behind the scenes, long before someone gets to an airport.
    (Photo: Flickr Creative Commons/Kevin Marks)
     
