The limits of e-banking? (Are you afraid of ghosts?) Presentation for OWASP BeNeLux Sébastien Bischof Jean-Marc Bost 02.12.2011


Page 1: The limits of e-banking? (Are you afraid of ghosts?) Presentation for OWASP BeNeLux Sébastien Bischof Jean-Marc Bost 02.12.2011

The limits of e-banking? (Are you afraid of ghosts?)

Presentation for OWASP BeNeLux

Sébastien Bischof, Jean-Marc Bost

02.12.2011

Page 2

ETHical ghosts on SF1

Ghosts do exist

But they are invisible

Even for « Ghostbusters »

Just a theory?

And they can hypnotise you

Are you afraid of ghosts?

27.10.2011 Application Security Forum - Western Switzerland - 2011 2

Page 3

ETH(ical) Hacking on SF1

According to the ETH on ******’s e-banking security: «******’s system with its card reader can be considered as secure because it requires a confirmation for each transaction before processing a payment towards an unknown account.»

4 5 6 7 8 9   GC EZ NN 7W

Impossible to dissociate transaction data and signing OTP

Page 4

ETH(ical) MITC = Man Inside The Computer

Page 5

Alone, the victim can confirm the transaction

Confirmation?

Page 6 (agenda slide, repeated)

Page 7

Trojan infections are a reality

According to Microsoft, 5% of Windows PCs are infected (source: «Safety Scanner», May 2011)

At least 25%, according to PandaLabs, with a majority of Trojans (source: «ActiveScan», Q2 2011)

«42 new malware strains created every minute»

Switzerland exhibits the 2nd lowest infection rate… but it is almost 30%

Trojans are the tool of choice for criminals.

Page 8

First, there was the MITM (Man In The Middle)…

MITM
• Middle site
• DNS pollution
• etc.

(timeline: 2006, 2007)

Page 9

… then the MITB (Malware In the Browser)…

MITB
• Anserin
• Mebroot
• Silentbanker

(timeline: 2007, 2008)

Page 10

… and now, the MI (Malware Inside)

MI
• Zeus
• Ares
• SpyEye

(timeline: 2009 to 2011)

Page 11

Zeus and SpyEye's efficiency in numbers

– 2009: 1.5 million infectious spam messages aimed at Facebook
– June 2009: 74,000 FTP accounts stolen by Zeus
– 2010: at least £6 million stolen by a 19-person gang in England
– October 2010: US$70 million by Zeus
– 3.6 million PCs infected by Zeus in the USA
– 2011: US$3.2 million stolen by a young Russian in 6 months using Zeus and SpyEye

Page 12

E-Banking is not the only target

Other websites can be victims of various thefts such as:
- passwords
- emails
- cookies
- credit cards
- …

Without even being targeted!

Page 13

E-Banking is not the only target

Facebook

Google mail

Microsoft

McAfee

Online games

Hotmail, Windows Live

Page 14

E-Banking is not the only target

Screenshots and screen captures allow the attacker to:
- spy on virtual keyboards
- be kept up to date on modifications
- spy on private matters
- …

Still without targeting anybody in particular!

Page 15

E-Banking is not the only target

… and the FTP connections

Page 16 (agenda slide, repeated)

Page 17

MI = Man (or Malware) Inside

Page 18

A transaction form

Page 19

The transaction is hijacked by the MI

Thanks, just perfect for my transaction! :-)

?

What You Sign Is What You See

456 FRA 666 666

Not :-)

Page 20

What should be…

GUI view and memory view are identical:

POST
CPT0123456789
TCP9876543210
5000

Page 21

What really happens!

GUI view vs. memory view:

POST
CPT0123456789
456FRA666666
5000

Page 22

Zeus controls the browser by injection

(diagram labels: request, response, DLL, MI DLL)

The malware controls the PC

Page 23

… and not only the browser

Firefox

Firefox crash reporter

Java update

Page 24 (agenda slide, repeated)

Page 25

A «professional» architecture

(diagram labels: Injection, Maintenance, Collection, Victim, Configuration, Commander & Controller)

I am:
• Multitask
• Configurable
• Evolutionary
• Stealthy
• Resilient

SpyEye's detection rate by antivirus is approximately 25% [abuse.ch]

Page 26

They are not easy to spot

Rootkit properties:
– Stealth
– Stability
– Leave no traces
– Persistence to survive reboots
– Taking control of a computer
– Can hide its communication channels

Page 27

They might appear anytime

(diagram: global view / disk view)

Page 28

Example: Bootkit

(diagram: global view / disk view, with the alteration marked)

There exist several tools to flash the BIOS from a running operating system

Page 29

And anywhere!

The system works with a virtual representation of the hardware it runs on.

The programs run by the system rely on the information the system provides them.

What if we changed the system's vision?

(diagram layers: Process1, Process2, Process… / System vision / Memory representation / Physical reality)

Page 30

Example: DKOM

The processes are represented in memory by a structure (EPROCESS)

DKOM can, for example, hide a process from this list (and also other system resources)

(diagram: Process1, Process2, Process… becomes Process1, Process2)
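The classic way to catch the process hiding described on this slide is a cross-view check: enumerate processes through two independent paths and flag anything that appears in one but not the other. The Python block below is an added example, not code from the presentation: it models EPROCESS blocks as a toy circular doubly linked list (the class, its field names and the process entries are constructed for the demonstration), reproduces the unlink so that a list walk misses one entry, and then detects the gap by comparing the walk with a second, independently built view of the same processes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Eprocess:
    """Toy stand-in for the kernel's EPROCESS block (constructed for this example):
    only the process id, the image name and the two ActiveProcessLinks pointers."""
    pid: int
    name: str
    flink: Optional["Eprocess"] = field(default=None, repr=False)
    blink: Optional["Eprocess"] = field(default=None, repr=False)


def build_process_list(entries: List[tuple]) -> Eprocess:
    """Chain the entries into a circular doubly linked list hanging off a list head,
    the shape in which Windows keeps its active processes."""
    head = Eprocess(0, "<list head>")
    head.flink = head.blink = head
    for pid, name in entries:
        node = Eprocess(pid, name)
        tail = head.blink
        tail.flink = node
        node.blink = tail
        node.flink = head
        head.blink = node
    return head


def walk_list(head: Eprocess) -> List[int]:
    """What a process lister sees: follow flink from the head until it wraps around."""
    pids = []
    node = head.flink
    while node is not head:
        pids.append(node.pid)
        node = node.flink
    return pids


def dkom_unlink(head: Eprocess, pid: int) -> bool:
    """Reproduce the hiding step shown on the slide, so the detector can be tested:
    the neighbours are pointed past the entry while the entry keeps its own
    pointers, so the process still runs but no longer appears in the walk."""
    node = head.flink
    while node is not head:
        if node.pid == pid:
            node.blink.flink = node.flink
            node.flink.blink = node.blink
            return True
        node = node.flink
    return False


def cross_view_hidden(head: Eprocess, second_view: Dict[int, str]) -> List[int]:
    """Cross-view detection: a process present in an independent source (here a
    constructed scheduler view keyed by pid) but absent from the list walk has
    been unlinked. Returns the pids that only the second view knows about."""
    listed = set(walk_list(head))
    return sorted(pid for pid in second_view if pid not in listed)


def demo() -> List[int]:
    """Constructed scenario: three processes, one of them unlinked by DKOM."""
    procs = [(4, "System"), (512, "explorer.exe"), (1337, "ghost.exe")]
    head = build_process_list(procs)
    # The scheduler still knows all three; this view is built independently
    # of the linked list, which is exactly what makes the comparison useful.
    scheduler_view = dict(procs)
    dkom_unlink(head, 1337)
    return cross_view_hidden(head, scheduler_view)   # [1337]


if __name__ == "__main__":
    print("hidden processes:", demo())
```

The detector never trusts the list it is auditing; its value comes entirely from the second view being derived through a different data structure, which is why tools that only re-walk the same list cannot see the gap.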


Page 31

What if we combine such techniques?

– The malware is run before the Operating System
– The system can be booted with the lowest security level
– Malicious routines are executed before the system
– The malware controls the vision of the system
– It is hard to detect and to get rid of it
– The system is literally haunted!

Page 32 (agenda slide, repeated)

Page 33

Demonstration

USB token:
– Embedded smartcard reader
– Mutual authentication
– Update system
– …

+ Embedded safe browser:
– Avoids injections « à la Zeus » by providing its own libraries (DLLs)
– Avoids another instance of Firefox being loaded beforehand

But…

Page 34

FORM
CPT0123456789
456FRA666666
5000

Tunnel between the 2 browsers: MS API?

Safe-Browser
Parsing output, remoteThread
PC-Browser

Page 35

POST
CPT0123456789
456FRA666666
5000

Tunnel between the 2 browsers: MS API?

PC-Browser / Safe-Browser

Windows API, remoteThread

Page 36 (agenda slide, repeated)

Page 37

Add a bit of social engineering and…

A ghost can do anything if it controls the vision of the user

Page 38

ZITMO = Zeus + “Social Engineering” (SPITMO with SpyEye)

2008: OWASP recommends the SMS…
«…the use of a second factor such as a mobile phone is an excellent low cost alternative…»
«…is actually stronger than most two factor authentication fobs…»
«…a single weakness in this model - mobile phone registration and updating»

2010: Zeus attacks the SMS
#1 Public number
#2 Uncertain origin
#3 Clear text

Page 39

Let's get back to ETH(ical) hacking conclusions

«According to the ETH on ******’s e-banking security: "******’s system with the card reader device can be classified as secure as it requires a transaction confirmation for a transfer to an unknown account."»

4 5 6 7 8 9   GC EZ NN 7W

Impossible to dissociate transaction data and the OTP!

Page 40

Is this case social-engineering proof?

«Under no circumstances reply to other requests to confirm number or character series, even if the request appears to come from *****»

4 5 6 7 8 9   GC EZ NN 7W

!?

Page 41

The destination account is registered under the international reference number 456 FRA 666 666 according to the new Swift international standard.

For your security, we kindly ask you to enter the last 6 numbers of such a reference number into your signing device and use the security code here below to confirm the transaction.

Seems that it is not the case…

What You Sign Is What You See

But…

«Under no circumstances reply to other requests to confirm number or character series, even if the request appears to come from *****»
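The POST slides (pages 20 and 21) and the injected text on this slide reduce to one question: what exactly goes into the signing code? The Python block below is an added example, not code from the presentation or from any bank's system; the key, the challenge string and the three verification schemes are assumptions, and only the account numbers and the amount come from the slides. It compares a code that is independent of the transaction, a WYSIWYS code bound to the destination and amount the device displays, and a code bound only to the six digits the user is talked into typing, and shows which of them the malware-substituted POST gets past.

```python
import hashlib
import hmac

# Constructed for the example: the per-customer key inside the signing device.
# A real device keeps this in a smartcard; the literal here is a placeholder.
DEVICE_KEY = b"example-device-key-not-real"
# Constructed challenge for the transaction-independent variant.
CHALLENGE = "challenge-from-bank"

# Transaction data from the slides: what the customer sees in the GUI,
# and what the Malware Inside actually posts in its place.
SEEN_IN_GUI = {"src": "CPT0123456789", "dst": "TCP9876543210", "amount": "5000"}
POSTED_BY_MI = {"src": "CPT0123456789", "dst": "456FRA666666", "amount": "5000"}


def _code(key: bytes, message: str) -> str:
    """Truncated HMAC-SHA256, used as the one-time code in all three variants."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()[:8]


def code_unbound(key: bytes, challenge: str) -> str:
    """Variant 1: a challenge/response code that says nothing about the transaction."""
    return _code(key, "login|" + challenge)


def code_wysiwys(key: bytes, dst: str, amount: str) -> str:
    """Variant 2: WYSIWYS. The device shows dst and amount on its display and signs exactly those."""
    return _code(key, f"tx|{dst}|{amount}")


def code_partial(key: bytes, typed_digits: str, amount: str) -> str:
    """Variant 3: the device signs only the six digits the user typed into it."""
    return _code(key, f"partial|{typed_digits}|{amount}")


def bank_accepts_unbound(posted: dict, code: str) -> bool:
    """The bank recomputes from the challenge alone; the posted fields are not covered."""
    return hmac.compare_digest(code_unbound(DEVICE_KEY, CHALLENGE), code)


def bank_accepts_wysiwys(posted: dict, code: str) -> bool:
    """The bank recomputes over the destination and amount it actually received."""
    return hmac.compare_digest(code_wysiwys(DEVICE_KEY, posted["dst"], posted["amount"]), code)


def bank_accepts_partial(posted: dict, code: str) -> bool:
    """The bank derives the six digits from the received destination (assumed scheme)."""
    return hmac.compare_digest(code_partial(DEVICE_KEY, posted["dst"][-6:], posted["amount"]), code)


def scenario_unbound() -> bool:
    """Page 21: the MI swaps the destination behind the GUI; the code cannot tell."""
    code = code_unbound(DEVICE_KEY, CHALLENGE)
    return bank_accepts_unbound(POSTED_BY_MI, code)            # True: fraud accepted


def scenario_wysiwys_tampered() -> bool:
    """Same swap, but the device signed what the user saw, so the bank's recomputation differs."""
    code = code_wysiwys(DEVICE_KEY, SEEN_IN_GUI["dst"], SEEN_IN_GUI["amount"])
    return bank_accepts_wysiwys(POSTED_BY_MI, code)            # False: rejected


def scenario_wysiwys_honest() -> bool:
    """No malware: the posted transaction equals the displayed one and verifies."""
    code = code_wysiwys(DEVICE_KEY, SEEN_IN_GUI["dst"], SEEN_IN_GUI["amount"])
    return bank_accepts_wysiwys(SEEN_IN_GUI, code)             # True


def scenario_partial_not_fooled() -> bool:
    """Partial scheme, user types the last six digits of the account they meant to pay."""
    typed = SEEN_IN_GUI["dst"][-6:]                            # "543210"
    code = code_partial(DEVICE_KEY, typed, SEEN_IN_GUI["amount"])
    return bank_accepts_partial(POSTED_BY_MI, code)            # False: still caught


def scenario_social_engineering() -> bool:
    """Page 41: the injected text talks the user into typing 666666 instead."""
    typed = "666666"
    code = code_partial(DEVICE_KEY, typed, SEEN_IN_GUI["amount"])
    return bank_accepts_partial(POSTED_BY_MI, code)            # True: fraud accepted again
```

Variants 2 and 3 use the same MAC; the difference is where the comparison between "what I meant to pay" and "what is being signed" happens. In variant 2 the device itself displays the full destination it signs, so a user who checks the display against the invoice sees 456FRA666666 where TCP9876543210 should be. In variant 3 the device only ever shows six digits whose meaning is explained by text on a screen the malware controls, which is the gap the social engineering on this slide walks through.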


Page 42

WYSIWYS or not WYSIWYS, that is the question

Page 43

… Questions?

To contact us:

Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City

Jean-Marc Bost, [email protected]

Sébastien Bischof, [email protected]