Secure Coding mailing list archives
Re: Solution for man-in-the-browser
From: jeremy.long () gmail com
Date: Sun, 12 Sep 2010 12:01:07 +0000
Completely agree with Jim and Kevin. Once the client host is compromised you can't trust the client. On the server the best you can do is monitor for unusual page flows, click rates that are too high (or time to complete a form is too high), monitor for transactions outside of the norm for the client, different user agent/IP geography from last transaction, etc. Basic fraud monitoring. Your detection ability against Zeus-like malware is dependent upon the skill of the malware owner/author. Some are clumsy, some you will never see until it is too late (if ever).
--Jeremy

On Sep 11, 2010 11:58am, "Wall, Kevin" <Kevin.Wall () qwest com> wrote:
On Sep 10, 2010, at 5:34 PM, smurray1 <smurray1 () nycap rr com> wrote:
> Hello,
>
> I have been discussing an issue with an organization that is having
> an issue with malware on its customers' clients that is intercepting
> user credentials and using them to create fraudulent transactions.
> (man-in-the-browser type attacks similar to what Zeus and other trojans
> are capable of). I told them that they should be using a shared secret
> between the user and the system to use as an input to HMAC to create
> a MAC for the form for the critical transaction.
> I see it working like this. The form that is used for the critical
> transaction would have either a java object or javascript that, after
> the user fills the field and the presses the "submit" button:
> 1) Accepts a single use shared secret from the user.
Jim Manico responded:
> I do not think this will work. Once your browser is trojaned, it's
> game over. The Trojan has the capability to just sit in your browser
> and wait for the user to log in. (Trojans do not need to steal
> credentials to cause harm). Once the user has logged on, the Trojan
> can simulate any user activity such as requesting and submitting
> forms, circumventing CSRF tokens and other web app defenses.
Jim is absolutely correct. You are better off spending time removing
all the malware and securing your machines properly, trying to
educate your users, etc. You may also want to add AV scanning
during the web browsing sessions if you don't already support that.
Besides, once your browser is trojaned, there is no shared "secret", or more
accurately, you would also be "sharing" your secret with the malware
which obviously would not do you any good. Once the browser endpoint
is compromised, NOTHING sent from it can be trusted any longer. For
instance, since TLS provides only point-to-point encryption, malware
running in the browser can read plaintext and insert data at will.
Bottom line, don't waste your development $$ on a problem that cannot
be fixed in this manner.
-kevin
--
Kevin W. Wall 614.215.4788 Application Security Team / Qwest IT
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
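The server-side checks Jeremy lists (form completed implausibly fast, IP geography or user agent changed since the last transaction, amount outside the customer's historical norm) can be expressed as a small per-user profile scorer. The following is an added example, not code from the thread or from any product; the thresholds, the `Event`/`Profile` shapes and the sample events are constructed for illustration.

```python
"""Server-side fraud heuristics over a stream of transaction events.

Added example for the SC-L thread on man-in-the-browser malware; the
event layout, thresholds and sample data are constructed, not taken
from any real system.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Assumed minimum plausible time (seconds) for a person to fill in a
# transfer form; submissions faster than this look scripted.
MIN_FORM_SECONDS = 3.0


@dataclass
class Event:
    user: str
    form_loaded: float   # unix time the form was served to the browser
    ts: float            # unix time the form was submitted
    amount: float
    ip_country: str
    user_agent: str


@dataclass
class Profile:
    amounts: List[float] = field(default_factory=list)
    last_country: Optional[str] = None
    last_ua: Optional[str] = None


def score_event(ev: Event, profile: Profile) -> List[str]:
    """Return the names of the fraud signals this event triggers."""
    flags: List[str] = []
    # Form filled faster than a human plausibly could.
    if ev.ts - ev.form_loaded < MIN_FORM_SECONDS:
        flags.append("form_too_fast")
    # Geography or user agent differs from the previous transaction.
    if profile.last_country is not None and ev.ip_country != profile.last_country:
        flags.append("geo_change")
    if profile.last_ua is not None and ev.user_agent != profile.last_ua:
        flags.append("ua_change")
    # Amount far above the user's historical norm (needs some history;
    # the 3-sigma rule with a 1.0 floor on sigma is an assumed choice).
    if len(profile.amounts) >= 3:
        mu, sd = mean(profile.amounts), pstdev(profile.amounts)
        if ev.amount > mu + 3 * max(sd, 1.0):
            flags.append("amount_outlier")
    return flags


def process(events: List[Event]) -> List[Tuple[Event, List[str]]]:
    """Score events in time order, updating each user's profile as we go."""
    profiles: Dict[str, Profile] = {}
    results: List[Tuple[Event, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = profiles.setdefault(ev.user, Profile())
        results.append((ev, score_event(ev, p)))
        p.amounts.append(ev.amount)
        p.last_country, p.last_ua = ev.ip_country, ev.user_agent
    return results


# Constructed sample: four ordinary transfers, then one that a scripted
# session from a different country and browser submits in half a second.
SAMPLE_EVENTS = [
    Event("alice", 1000.0, 1020.0, 50.0, "US", "Firefox/3.6"),
    Event("alice", 2000.0, 2025.0, 60.0, "US", "Firefox/3.6"),
    Event("alice", 3000.0, 3018.0, 55.0, "US", "Firefox/3.6"),
    Event("alice", 4000.0, 4030.0, 45.0, "US", "Firefox/3.6"),
    Event("alice", 5000.0, 5000.5, 2500.0, "RO", "Firefox/3.5"),
]


def run_sample() -> List[List[str]]:
    """Flags for each sample event, in time order."""
    return [flags for _, flags in process(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev, flags in process(SAMPLE_EVENTS):
        print(f"{ev.user} {ev.amount:>8.2f} {ev.ip_country} {flags or 'ok'}")
```

The first four events produce no flags and the last one trips all four signals. As the thread stresses, these are signals to review, not proof: malware that reuses the victim's session, mimics the usual browser and keeps amounts modest will score clean, which is why such monitoring complements, rather than replaces, cleaning the endpoint.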