WebApp Sec mailing list archives

New Whitepaper - "Continuing Business with Malware Infected Customers"


From: "WebAppSec" <webappsec () technicalinfo net>
Date: Mon, 3 Nov 2008 10:29:37 -0500

Hi List,

I figured I'd try sharing a new paper I completed and posted to my site
yesterday.

The paper is based off some of the work I've been discussing at various
conferences recently in relation to the man-in-the-browser attack vectors,
and their effect on financial Web applications - in particular, consumer
online banking.

Titled "Continuing Business with Malware Infected Customers", the paper looks at the
threat from the perspective of "with so many infected computers out there,
and the number not likely to go down, what sort of things can you build in
to your Web application to make it more resilient to man-in-the-browser
attack vectors?". As I'm sure most of the list already knows, the
man-in-the-browser vector is particularly insidious and defeats just about
all the current protection technologies out there - largely because it's
such a convenient vector for social engineering. Anyhow, this paper is
designed to help Web developers take a closer look at their transactional
Web applications and provide various levels of best practice advice on
helping to mitigate the threat. In addition, I'm aiming to raise business
awareness of the fact that they will increasingly just have to assume that a
sizable percentage of their customer base is probably infected - and develop
protection strategies accordingly.

The paper can be found at:
http://www.technicalinfo.net/papers/MalwareInfectedCustomers.html

Cheers,

Gunter


The intro/abstract for the paper...

Continuing Business with Malware Infected Customers - Best Practices and the
Security Ergonomics of Web Application Design for Compromised Customer Hosts

Today's media is full of statistics and stories detailing how the Internet
has become an increasingly dangerous place for all concerned. Figures of
tens of millions and hundreds of millions of bot-infected computers are
regularly discussed, along with approximations that between one-quarter and
one-third of all home computer systems are already infected with some form
of malware. With a conservative estimate of 1.4 billion computers browsing
the Internet on a daily basis (mid-2008 figures), that could equate to
upwards of 420 million computers that can't be trusted - and the numbers
could be higher as criminals increasingly target Web browser technologies
with malicious Web content - infecting hundreds of millions more along the
way.

Despite these kinds of warnings and their backing statistics, online
businesses have yet to fully grasp the significance of the threat. Most of
the advice about dealing with the problem has focused on attempting to
correct the client-side infection and yet, despite the education campaigns
and ubiquity of desktop anti-virus solutions, the number of infected
computers has continued to rise. The problem facing online businesses going
forward is, if upwards of one-third of their customers are likely to be
using computers infected with malware to conduct business transactions with
them, how should they continue to do business with an infected customer
base?

This paper discusses many of the best practices businesses can adopt for
their Web application design and back-office support processes in order to
minimize this growing threat, along with helping to reduce several of the
risks posed with continuing to do business with customers likely to be operating
infected computers.

