Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System

[Patrick Hof <release () redteam-pentesting de>]

Sorry list if this arrives twice, I got stuck in the moderation queue because I
used the wrong email address.

Hi Thierry,

Thierry Zoller <Thierry () Zoller lu> wrote:

> MITM  is  used  rather  vaguely  in  this  paper.  Are  the proposed
> techniques  working in an MITM situation - where an attacker is in the
> middle of a network stream ? Say on a network over arp cache poisening?
>
> The  paper  afaik  applies  to  systems  that  are  already compromised
> by an attacker, i.e where malware has been installed.

Exactly, the paper states that 

"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data
communications."

> If this is the case what rights (Account acl) does the malware require
> in order to perform the mentioned attacks ?

What we did in a demonstration for German TV was to exploit the victim's PC with
a malicious PDF (JBIG2Decode exploit), install our own root CAs in IE for the
banks and set our own IP in C:\windows\system32\drivers\etc\hosts for the
banking sites. This was of course only a PoC and required administrative
privileges.

You can of course also do a "real" MitM attack if the user does not verify the
SSL certificate or rather does not check for SSL at all. If you're in the middle
of the network stream, you could use something like sslstrip[0] for example. We
are always making the assumption that SSL is used, because I don't know of any
bank letting customers do online banking over a plaintext connection.

However, most of the attacks today focus on installing malware on the user's
system (e.g. those against iTAN) I think. When we showed the PoC, we wanted to
make sure people understand that a lock in the upper corner of their browser and
a certificate for mybankingsite.com does not mean they're secure. If you write a
malicious Firefox extension or IE browser helper object, verifying the SSL
certificate doesn't help anyway, because I can access the plaintext data and
don't need to worry about using my own certificate. This would also only need
user privileges, as far as I know.

> This  brings  me  to  an  interesting more general discussion,
> can one define malware infected workstations  and the attacks they
> perform locally as MITM ? Technically they inject themselves between
> the client and the server, however they need to be installed prior to
> be able to do so. Furthermore they have  access  to  a  lot  more
> information  and possibilities then an attacker that is, say in the
> middle of a network connection.
>
> For  sake  of  allowing  proper risk  assessment by technically less
> trained persons - one should coin a better term than classical mitm -
> but maybe I am mistaken? what about MITMa (man in the machine)

I agree that the terminology is rather vague, maybe we should have explained
that a bit more in the paper. We chose the term MitM because you can still do
the attack if you have not compromised the bank customer's host, you just can't
show a "valid" certificate to the user.


Regards,

Patrick


[0] http://www.thoughtcrime.org/software/sslstrip/

-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/