The limits of e-banking? (Are you afraid of ghosts?)
Presentation for OWASP BeNeLux
Sébastien Bischof, Jean-Marc Bost
02.12.2011
ETHical ghosts on SF1
Ghosts do exist
But they are invisible
Even for « Ghostbusters »
Just a theory?
And they can hypnotise you
Are you afraid of ghosts?
27.10.2011 Application Security Forum - Western Switzerland - 2011 2
ETH(ical) Hacking on SF1
According to the ETH on ******’s e-banking security: «******’s system with its card reader can be considered as secure because it requires a confirmation for each transaction before processing a payment towards an unknown account.»
4 5 6 7 8 9 → GC EZ NN 7W
Impossible to dissociate transaction data and signing OTP
ETH(ical) MITC = Man Inside The Computer
Only the victim can confirm the transaction
Confirmation?
Trojan infections are a reality
According to Microsoft, 5% of Windows PCs are infected (source: «Safety Scanner», May 2011)
At least 25% according to PandaLabs, with a majority of Trojans (source: «ActiveScan», Q2 2011)
«42 new malware strains created every minute»
Switzerland exhibits the 2nd lowest infection rate… but it is still almost 30%
Trojans are the attackers' tool of choice.
First, there was the MITM (Man In The Middle)… (2006–2007)
- MITM
- Middle site
- DNS pollution
- etc.
… then the MITB (Malware In the Browser)… (2007–2008)
- Anserin
- Mebroot
- Silentbanker
… and now, the MI (Malware Inside) (2009–2011)
- Zeus
- Ares
- SpyEye
Zeus and SpyEye efficiency in numbers
- 2009: 1.5 million infectious spam messages towards Facebook
- June 2009: 74’000 FTP accounts stolen by Zeus
- 2010: at least £6 million stolen by a 19-person gang in England
- October 2010: US $70 million by Zeus
- 3.6 million PCs were infected by Zeus in the USA
- 2011: US $3.2 million stolen by a young Russian in 6 months using Zeus and SpyEye
E-Banking is not the only target
Other websites can be victims of various thefts such as:
- passwords
- emails
- cookies
- credit cards
- …
Without even being targeted!
E-Banking is not the only target
- Google Mail
- Microsoft
- McAfee
- Online games
- Hotmail / Windows Live
E-Banking is not the only target
Screenshots and screen captures allow the attacker to:
- spy on virtual keyboards
- be kept up to date on modifications
- spy on private matters
- …
Still without targeting anybody in particular!
E-Banking is not the only target
… and FTP connections
MI = Man (or Malware) Inside
A transaction form
The transaction is hijacked by the MI
«Thanks, just perfect for my transaction! :-)»
?
What You Sign Is What You See
456 FRA 666 666
Not :-)
What should be…
(GUI / Memory) POST: CPT0123456789, TCP9876543210, 5000
What really happens!
(GUI / Memory) POST: CPT0123456789, 456FRA666666, 5000
Zeus controls the browser by injection
(Diagram: the MI's DLL is injected into the browser and sits on the request/response path)
The malware controls the PC
… and not only the browser:
- Firefox
- Firefox crash reporter
- Java update
A «professional» architecture
Components: Injection, Maintenance, Collection, Victim, Configuration, Commander & Controller
I am:
- multitask
- configurable
- evolutionary
- stealthy
- resilient
SpyEye’s detection rate by antivirus is approximately 25% [abuse.ch]
They are not easy to spot
Rootkit properties:
- Stealth
- Stability
- Leave no traces
- Persistence to survive reboots
- Taking control of a computer
- Can hide its communication channels
They might appear anytime (global view / disk view)
Example: Bootkit (global view / disk view): alteration
There exist several tools to flash the BIOS from a running operating system
And anywhere! The system works with a virtual representation of the hardware it runs on.
The programs run by the system rely on the information the system provides them.
What if we changed the system’s vision?
(Diagram: Process1, Process2, Process… / System vision / Memory representation / Physical reality)
Example: DKOM
Processes are represented in memory by a structure (EPROCESS)
DKOM can, for example, hide a process from this list (and also other system resources)
(Diagram: Process1, Process2, Process… before; Process1, Process2 after)
What if we combine such techniques?
- The malware is run before the operating system
- The system can be booted with the lowest security level
- Malicious routines are executed before the system
- The malware controls the vision of the system
- It is hard to detect and to get rid of
- The system is literally haunted!
Demonstration
USB token:
- Embedded smartcard reader
- Mutual authentication
- Update system
- …
+ Embedded safe browser:
- Avoids injections «à la Zeus» by providing its own libraries (DLLs)
- Avoids another instance of Firefox being loaded beforehand
But…
Tunnel between the 2 browsers (MS API?)
(Diagram: PC-Browser ↔ Safe-Browser; FORM with CPT0123456789, 456FRA666666, 5000; parsing output via remoteThread)
Tunnel between the 2 browsers (MS API?)
(Diagram: PC-Browser ↔ Safe-Browser; POST with CPT0123456789, 456FRA666666, 5000; Windows API remoteThread)
Add a bit of social engineering and…
A ghost can do anything if he controls the vision of the user
ZITMO = Zeus + “Social Engineering” (SPITMO with SpyEye)
2008: OWASP recommends the SMS:
«…the use of a second factor such as a mobile phone is an excellent low cost alternative…»
«…is actually stronger than most two factor authentication fobs…»
«…a single weakness in this model - mobile phone registration and updating»
2010: Zeus attacks the SMS
#1 Public number
#2 Uncertain origin
#3 Clear text
Let’s get back to ETH(ical) hacking conclusions
According to the ETH on ******’s e-banking security: «******’s system with the card reader device can be classified as secure as it requires a transaction confirmation for a transfer to an unknown account.»
4 5 6 7 8 9 → GC EZ NN 7W
Impossible to dissociate transaction data and the OTP!
Is this case social-engineering proof?
«Under no circumstances reply to other requests to confirm number or character series, even if the request appears to come from *****»
4 5 6 7 8 9 → GC EZ NN 7W
!?
(Message displayed to the victim in the demonstration:)
«The destination account is registered under the international reference number 456 FRA 666 666 according to the new Swift international standard.
For your security, we kindly ask you to enter the last 6 numbers of such a reference number into your signing device and use the security code here below to confirm the transaction.»
Seems that it is not the case…
What You Sign Is What You See
But…
«Under no circumstances reply to other requests to confirm number or character series, even if the request appears to come from *****»
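Added example, not part of the original slides: a constructed model of the card-reader scheme, showing why the signing code survives the silent POST rewrite of slide 21 but not the coerced entry of slides 40–41. The code derivation (truncated HMAC), the secret, the alphabet and the reading of CPT0123456789 as the destination account are assumptions for this example, not the real device's algorithm.

```python
import hashlib
import hmac
import re

# Constructed per-customer secret; on the real system it lives in the smartcard.
DEVICE_SECRET = b"example-card-secret"
# Constructed display alphabet for the 8-character code (no 0/O or 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def last_six_digits(account: str) -> str:
    """The digits the bank asks the user to type: last six digits of the account."""
    return re.sub(r"\D", "", account)[-6:]


def device_code(secret: bytes, typed_digits: str) -> str:
    """Code the card reader displays for the typed digits (assumed truncated HMAC)."""
    mac = hmac.new(secret, typed_digits.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:8])


def bank_verifies(secret: bytes, posted_destination: str, code: str) -> bool:
    """Server side: recompute the code from the destination that actually arrived."""
    expected = device_code(secret, last_six_digits(posted_destination))
    return hmac.compare_digest(expected, code)


def transaction(destination_shown: str, typed_digits: str,
                tampered_destination: str = "") -> bool:
    """One transaction: the user types digits, a Man Inside may rewrite the POST."""
    code = device_code(DEVICE_SECRET, typed_digits)
    posted = tampered_destination or destination_shown
    return bank_verifies(DEVICE_SECRET, posted, code)


def scenario_honest() -> bool:
    """No malware: the user types 456789 for CPT0123456789 and the bank accepts."""
    return transaction("CPT0123456789", "456789")


def scenario_silent_hijack() -> bool:
    """Slide 21: the POST is rewritten to 456FRA666666, but the code still binds 456789."""
    return transaction("CPT0123456789", "456789", tampered_destination="456FRA666666")


def scenario_social_engineering() -> bool:
    """Slides 40-41: the injected text makes the user type 666666; the bank cannot tell."""
    return transaction("CPT0123456789", "666666", tampered_destination="456FRA666666")


if __name__ == "__main__":
    print("honest:", scenario_honest())                           # True
    print("silent hijack:", scenario_silent_hijack())             # False: WYSIWYS holds
    print("social engineering:", scenario_social_engineering())   # True: the limit
```

The server-side check only proves that someone holding the card typed the digits of the posted destination; it cannot distinguish a user who read them off the legitimate form from one who read them off the injected message.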
WYSIWYS or not WYSIWYS, that is the question
… Questions?
To contact us:
Jean-Marc Bost [email protected]
Sébastien Bischof [email protected]
Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City