
The limits of e- banking ? (Are you afraid of ghosts ?)






Presentation Transcript


  1. The limits of e-banking? (Are you afraid of ghosts?) Presentation for OWASP BeNeLux. Sébastien Bischof, Jean-Marc Bost, 02.12.2011

  2. Application Security Forum - Western Switzerland - 2011

  3. Impossible to dissociate transaction data and signing OTP. ETH(ical) Hacking on SF1. Signing device: 4 5 6 7 8 9 / GC EZ NN 7W

  4. The ETH(ical) MITC = Man Inside The Computer

  5. Alone, the victim can confirm the transaction. Confirmation?

  6. [image slide]

  7. Trojan infections are a reality. Switzerland exhibits the 2nd lowest infection rate... but it is almost 30%. Trojans are the attackers' tool of choice. "42 new malware strains created every minute". According to Microsoft, 5% of Windows PCs are infected (source: "Safety Scanner", May 2011). At least 25% according to PandaLabs, with a majority of Trojans (source: "ActiveScan", Q2 2011).

  8. First, there was the MITM (Man In The Middle)... 2006-2007 • MITM • Middle site • DNS pollution • etc.

  9. ... then the MITB (Malware In the Browser)... 2007-2008 • MITB • Anserin • Mebroot • Silentbanker

  10. ... and now, the MI (Malware Inside): 2009-2011 • MI • Zeus • Ares • SpyEye

  11. Zeus and SpyEye efficiency in numbers • 2009: 1.5 million infectious spam messages targeting Facebook • June 2009: 74'000 FTP accounts stolen by Zeus • 2010: at least £6 million stolen by a 19-person gang in England • October 2010: US$70 million by Zeus • 3.6 million PCs were infected by Zeus in the USA • 2011: US$3.2 million stolen by a young Russian in 6 months using Zeus and SpyEye

  12. E-Banking is not the only target • Other websites can be victims of various thefts such as: • passwords • emails • cookies • credit cards • ... • Without even being targeted!

  13. E-Banking is not the only target: Facebook, online games, Google Mail, Microsoft Hotmail, Windows Live, McAfee

  14. E-Banking is not the only target • Screenshots and screen captures allow to: • spy on virtual keyboards • be kept up to date on modifications • spy on private matters • ... • Still without targeting somebody in particular!

  15. E-Banking is not the only target... and the FTP connections

  16. [image slide]

  17. MI = Man (or Malware) Inside

  18. A transaction form

  19. What You Sign Is What You See (Not :-) 456 FRA 666 666. "Thanks, just perfect for my transaction! :-)" The transaction is hijacked by the MI?

  20. What should be... Memory / GUI / POST all carry the same data: CPT0123456789, TCP9876543210, 5000

  21. What really happens! Memory / GUI / POST: CPT0123456789, 456FRA666666, 5000

  22. Zeus controls the browser by injection. The malware controls the PC. DLL (request / response) / MI DLL

  23. ... and not only the browser: Firefox, Firefox crash reporter, Java update

  24. [image slide]

  25. A "professional" architecture. Injection • I am: • multitask • configurable • evolutionary • stealthy • resilient. Commander & Controller, Collection, Configuration, Victim, Maintenance. SpyEye's detection rate by antivirus is approximately 25% [abuse.ch]

  26. They are not easy to spot. Rootkit properties: • stealth • stability • leave no traces • persistence to survive reboots • taking control of a computer • can hide its communication channels

  27. They might appear anytime (Disk view / Global view)

  28. Example: Bootkit (Disk view / Global view). There exist several tools to flash the BIOS from a running operating system. Alteration.

  29. And anywhere! System vision / Memory representation (Process1, Process2, Process) / Physical reality • The system works with a virtual representation of the hardware it is run on. • The programs run by the system rely on the information the system provides them. • What if we changed the system's vision?

  30. Example: DKOM (Process1, Process2, Process). The processes are represented in memory by a structure (EPROCESS). DKOM can, for example, hide a process from this list (and also other system resources).

  31. What if we combine such techniques? The malware is run before the Operating System. The system can be booted with the lowest security level. Malicious routines are executed before the system. The malware controls the vision of the system. It is hard to detect and to get rid of it. The system is literally haunted!

  32. [image slide]

  33. Demonstration. USB token: • embedded smartcard reader • mutual authentication • update system • ... + embedded safe browser: • avoids injections "à la Zeus" by providing its own libraries (DLLs) • avoids another instance of Firefox being loaded beforehand. But...

  34. Tunnel between the 2 browsers. MS API? Safe-Browser / PC-Browser. FORM: CPT0123456789, 456FRA666666, 5000. Parsing output, remoteThread

  35. Tunnel between the 2 browsers. MS API? Safe-Browser / PC-Browser. POST: CPT0123456789, 456FRA666666, 5000. Windows API, remoteThread

  36. [image slide]

  37. Add a bit of social engineering and... A ghost can do anything if he controls the vision of the user

  38. ZITMO = Zeus + "Social Engineering" (SPITMO with SpyEye). 2008: OWASP recommends the SMS: "...the use of a second factor such as a mobile phone is an excellent low cost alternative ... is actually stronger than most two factor authentication fobs ... a single weakness in this model - mobile phone registration and updating". 2010: Zeus attacks the SMS: #1 public number, #2 uncertain origin, #3 clear text

  39. Impossible to dissociate transaction data and the OTP! Let's get back to the ETH(ical) hacking conclusions. Signing device: 4 5 6 7 8 9 / GC EZ NN 7W

  40. Is this case social-engineering proof? !? Signing device: 4 5 6 7 8 9 / GC EZ NN 7W

  41. What You Sign Is What You See. But... Seems that it is not the case... "The destination account is registered under the international reference number 456 FRA 666 666 according to the new Swift international standard. For your security, we kindly ask you to enter the last 6 numbers of such a reference number into your signing device and use the security code here below to confirm the transaction."
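The point the speakers make on slides 20/21, 39 and 41 is that a signing OTP only protects a transaction if the bank can verify it against the transaction data it actually received, and if the data covered by the OTP is the full destination and amount rather than a few digits the user was told to type. The following Python is an added example, not code from the talk or from any bank or token vendor; the key, the 8-character HMAC-derived OTP format and the two verification schemes are constructed assumptions for illustration. It models the server-side check for both the plain POST swap of slide 21 and the "enter the last 6 numbers" trick of slide 41.

```python
import hashlib
import hmac

# Constructed demo secret shared by the signing device and the bank's verifier.
# In a real deployment this would live in the token's smartcard and the bank's HSM.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(transaction):
    """Canonical byte string over every field the user must authorise."""
    return f"{transaction['dest']}|{transaction['amount']}".encode("utf-8")


def _otp(key, data):
    # 8-character OTP derived from an HMAC-SHA256 over the signed data (assumed format).
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:8].upper()


def sign_full(key, transaction):
    """Device signs the full destination and amount it displayed to the user (WYSIWYS)."""
    return _otp(key, canonical(transaction))


def sign_digits_only(key, digits):
    """Weak design discussed in the talk: the device signs only the 6 digits the user typed."""
    return _otp(key, digits.encode("utf-8"))


def verify_full(key, received, otp):
    """Bank recomputes the OTP over the transaction it actually received in the POST."""
    return hmac.compare_digest(sign_full(key, received), otp)


def verify_digits_only(key, received, otp):
    """Bank recomputes the OTP over the last 6 digits of the received destination only."""
    return hmac.compare_digest(sign_digits_only(key, received["dest"][-6:]), otp)


# Constructed transactions mirroring slides 20 and 21.
INTENDED = {"dest": "TCP9876543210", "amount": "5000"}   # what the GUI shows the user
RECEIVED = {"dest": "456FRA666666", "amount": "5000"}    # what the POST carries after the swap


def hijack_scenario():
    """Slide 21: the MI swaps the destination in the POST; the user typed honestly."""
    otp_full = sign_full(DEVICE_KEY, INTENDED)
    otp_digits = sign_digits_only(DEVICE_KEY, INTENDED["dest"][-6:])  # user typed "543210"
    return {
        "full_scheme_accepts": verify_full(DEVICE_KEY, RECEIVED, otp_full),
        "digits_scheme_accepts": verify_digits_only(DEVICE_KEY, RECEIVED, otp_digits),
    }


def social_engineering_scenario():
    """Slide 41: the user is talked into typing the last 6 digits of 456 FRA 666 666."""
    # Assumption: under full-data binding the device receives and displays the whole
    # transaction through its own channel, so the typed digits play no role in the OTP.
    otp_full = sign_full(DEVICE_KEY, INTENDED)
    otp_digits = sign_digits_only(DEVICE_KEY, "666666")
    return {
        "full_scheme_accepts": verify_full(DEVICE_KEY, RECEIVED, otp_full),
        "digits_scheme_accepts": verify_digits_only(DEVICE_KEY, RECEIVED, otp_digits),
    }


def honest_scenario():
    """Control case: untouched POST with an OTP over the same data verifies."""
    return verify_full(DEVICE_KEY, INTENDED, sign_full(DEVICE_KEY, INTENDED))


if __name__ == "__main__":
    print("honest transaction accepted:", honest_scenario())
    print("POST swap (slide 21):", hijack_scenario())
    print("social engineering (slide 41):", social_engineering_scenario())
```

The swap alone is rejected by both schemes, which is the "impossible to dissociate transaction data and the OTP" conclusion of slide 39. Once the user is induced to type the attacker's digits, only the scheme whose OTP covers the full destination and amount, and whose device shows that data before signing, still rejects the transaction; a 6-digit binding has nothing left to compare against.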

  42. WYSIWYS or not WYSIWYS, that is the question

  43. ... Questions? To contact us: Jean-Marc Bost, Jean-marc.bost@elca.ch; Sébastien Bischof, sebastien.bischof@elca.ch. Lausanne | Zürich | Bern | Genf | London | Paris | Ho Chi Minh City
