Expert demonstrates Microsoft hack

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-955442.html?tag=fd_top

By Reuters 
August 26, 2002, 5:21 PM PT

STOCKHOLM -- Software security widely used for Internet banking and
e-commerce can be easily circumvented, and customer accounts at
several of Sweden's largest banks remain at risk as a result, a
computer expert said Monday.

The Swedish hacking expert, who is well known in computer security
circles, but asked not to be identified, demonstrated to Reuters how
it was possible within minutes to break through security on Web server
software from Microsoft.

The expert showed how to crack the security systems for Internet
banking, breaking into three of Sweden's big four banks in quick
succession. He was then able to show how to conceal his tracks, making
detection difficult afterward.

While stopping short of breaking into customer accounts, the
hacker-turned-consultant said an intruder could have hidden
instructions to transfer sums into a separate account when the
customer authorizes a payment from his Internet bank account.

He relied on a variation of a weakness that came to light two weeks
ago in Microsoft's implementation of Secure Socket Layer (SSL), an
industry standard for transmitting credit card numbers and account
passwords via the Web.

"It's a protocol which is very easy to break through," the computer
expert said. "The protocol doesn't provide the security the users
think it does."

The attack technique exploited a combination of vulnerabilities over
which Microsoft exerts only partial control. A large share of the
blame should fall on network administrators inside banks and other
organizations who fail to install Microsoft's software properly, he
said.

Using the method, an attacker can log in as a Web site customer using
certificate authentication and gain access to the Web site's root
directory and, from there, enter the organization's internal network.

Microsoft has responded to recent reports about the SSL flaw by
admitting its existence, saying it is working to develop a fix, but
also by downplaying the notion that the flaw poses any widespread
security threat.

"Such techniques are difficult, temporary, and generally require
favorable network (layout)," the company states on a Microsoft
technical discussion site.

Microsoft in Sweden denied that SSL could be breached in the way shown
to Reuters.

"I can't even see the theoretical possibility for it to happen", said
Mats Lindkvist, responsible for security at Microsoft in Sweden.

The unnamed expert said an attacker could breach security via hundreds
of computers, making detection of the criminal almost impossible, as
it might take the police up to four to five months just to follow a
trail through 10 computers.

Mike Benham, the San Francisco privacy advocate and security
consultant who first revealed the SSL flaw, offered a technical
description of how this works: "An attacker could transparently proxy
(invisibly transfer) a victim's traffic to the real secure site, while
intercepting and logging all the data."

Microsoft embarked earlier this year on what it called a "trustworthy
computing" campaign to improve the security of its software. The
company was responding to a mounting outcry over widely publicized
software security breakdowns.

The four Swedish banks are not unique. Many of the world's major
financial institutions are similarly vulnerable because they rely on
software using the industry-accepted SSL protocol, computer experts
say.

All four major Swedish banks said they were not aware of any break-ins
into their systems. But spokesmen at some of them said no system could
be perfect.

"If man can fly to the moon, sooner or later someone will be able to
circumvent the security systems," said Jesper Berggren, Swedbank's
head of press relations.

"As far as I can tell no system will ever be 100 percent secure. To
say that our systems are 100 percent secure would be presumptuous,"  
said Lars Lindmark, Handelsbanken's information director.

But computer experts say banks remain highly vulnerable.

"There's been a lot of denial," said Peter Neumann, principal
scientist at Silicon Valley think-tank SRI International and one of
the world's authorities on computer security.

Such flaws result from a mix of fatalistic acceptance and technical
ignorance, he said. "'Everything is fine,' banks say. That's clearly
nonsense. Pretty much everything is vulnerable--certainly more so with
a little bit of insider knowledge."

Swedish security firm Deprotect has managed to use hidden instructions
to transfer tens of millions of dollars from an account at a leading
European bank, said Lars-Olov Guttke, a computer security expert at
Deprotect.

The bank had asked Deprotect to test its security systems.

After two weeks, Guttke told the bank about the transfers, which had
not been detected. The key factor was that the sums transferred
secretly were not big enough to alert the system.

"It might take a few days to figure out how to make the intrusion, but
once you've done that it doesn't take very long to break through the
systems," Guttke said.

Banks spend huge amounts to secure their customer-facing systems, but
tend to neglect internal systems giving access to their networks,
Guttke said. Security veteran Neumann agreed, saying that former
insiders may pose a bigger threat.

Information about the level of computer-related crime is scarce
because few crimes are reported. Companies fear bad publicity and
additional costs if the weaknesses of their security systems become
known.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.