SlideShare una empresa de Scribd logo

Secure client

Hai Nguyen
Hai Nguyen
Tecnología
1 de 15
Descargar para leer sin conexión
Philipp Gühring 2007-01-24 Concepts against Man-in-the-Browser Attacks Philipp Gühring <pg@futureware.at> Date: 2006-06-16 Update: 2006-09-12 A new threat is emerging that attacks browsers by means of trojan horses. The new breed of new trojan horses can modify the transactions on-the-fly, as they are formed in in browsers, and still display the user's intended transaction to her. Structurally they are a man-in-the-middle attack between the the user and the security mechanisms of the browser. Distinct from Phishing attacks which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all, as they are using real services, the user is correctly logged-in as normal, and there is no difference to be seen. The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, Client certificates, Secure-ID, SmartCards, Class3 Readers, OTP, ...) can defend against these attacks, because the attacks are working on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered obsolete. Acknowledgements Thanks to quintessenz.at for originating the discussion and for feedback on the paper. Thanks also due to the Anti-Fraud Coffee-Room (http://lists.cacert.org/) for feedback and FinancialCryptography.com for peer reviewing the paper. Many thanks to the various individuals who freely gave ideas and insights but prefer to remain nameless. 1 The Problem 1.1 Trojan Technology The new trojan technology is technically more advanced than prior generations by way of combining Browser-Helper-Objects, Browser Extensions, and direct Browser manipulation techniques. 1.2 Browsers As of time of writing, it is known that (2006-09-12) Firefox, Internet Explorer and Opera are successfully targeted, on the Windows, Linux and MacOS X Platform. It is currently not known yet, whether Konqueror, Safari, Lynx and other browser are affected too. The trojans can do the following: • Modify the appearance of a website before the user sees it. • Modify the data entered by the user before it is encrypted and sent to the server. This modification is not visible / detectable by the user or the server. • Change the appearance of transactions returned by the server back to the version that the Page 1/15
Philipp Gühring 2007-01-24 user expects. 1.2.1 Points of Attack • Browser Helper Objects – these are dynamically-loaded libraries (DLLs) loaded by Internet Explorer / Windows Explorer upon start-up. They run inside IE, and have full access to IE and full access to the DOM tree, etc. Developing BHOs is very easy. • Extensions – similar to Browser Helper Objects for other Browsers such as Firefox (hereafter, both will be referred to as extensions). Developing Extensions is easy. • UserScripts – Scripts that are running in the browser (Firefox/Greasemonkey+Opera). Developing UserScripts is very easy. • API-Hooking – this technique is a Man-in-the-Middle attack between the application (.EXE) and the DLLs that are loaded up, both for application specific DLLs such as extensions and Operating System (OS) DLLs. For example if the SSL engine of the browser is a separate DLL, then API-Hooking can be used to modify all communication between the browser and the SSL engine. Developing API Hooks is difficult. • Virtualisation – running the whole operating system in a virtual environment, to easily bypass all the security mechanisms. Developing Virtualisation attacks is difficult. 1.2.2 Method of Attack An attack may progress thusly: 1. The trojan infects the computer's software, either OS or Application. 2. The trojan installs an extension into the browser configuration, so that it will be loaded next time the browser starts. 3. At some later time, the user restarts the browser. 4. The browser loads the extension. 5. The extension registers a handler for every page-load. 6. Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack. 7. The user logs in securely to for example https://secure.original.site/. 8. When the handler detects a page-load for a specific pattern in its targeted list (for example https://secure.original.site/account/do_transaction) it registers a button event handler. 9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values. 10. The extension modifies the values through the DOM interface. 11. The extension tells the browser to continue to submit the form to the server. 12. The browser sends the form including the modified values to the server. 13. The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes. 14. The server performs the transaction and generates a receipt. 15. The browser receives the receipt for the modified transaction. 16. The extension detects the https://secure.original.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt with the original data that it remembered in the HTML. 17. The browser displays the modified receipt with the original details 18. The user thinks that the original transaction was received by the server intact and authorised correctly. Page 2/15
Philipp Gühring 2007-01-24 1.3 Email Clients In principle, a trojan employing the same attack methods described above could be effective against clients for Email and Instant Messaging. Transaction details could be changed by much the same filtering process, sending the fraudulent transactions on to a server, and displaying the original. As of the time of writing, such trojans have not been spotted in the wild as yet. 1.4 Authentication The trojans are working on a different part of the transactions cycle to authentication. They could still work to effect the authentication, and that might be useful for harvesting account details, but fundamentally they circumvent the standard authentication concepts. Which authentication systems are circumvented? All authentication systems that use the PC as the single channel for transaction data to the server are circumvented: • Username+Password • PIN+TAN • PIN+iTAN • Client certificates • SecureID Tokens • One Time Pad Tokens • Biometry authentication • SmartCard authentication • SmartCard + Class3 reader authentication (with client certificates) • Bürgerkarte / SecurityLayer (when used for Login only, which is currently often done) • (likely also Digital Signatures with SmartCards and Class3 readers) • No authentication (information portals) In effect, if you are relying on any Authentication of the user (or the machine), to authorize transactions, the trojan horses can simply change the transactions without affecting the authentication. 2 Risk assessment 2.1 Current situation Unfortunately the necessary technology for trojans is widely available now. It is not high-tech and high-priced any more. The time-to-market for active attacks is known to be less than 1 day. Every potential target has to worry about the risk of being attacked with this technology now. The technology is easy enough that everyone with webdesign experience can craft a successful attack. 2.2 Future situation Page 3/15
Philipp Gühring 2007-01-24 It is expected that this attack will be productised into widely available construction kits. The first generation of construction kits and compilers have already been seen in the wild. Such kits are making the attack viable for any target, with or without any financial motivation. In the middle-term of 1 year, all client-server applications outside the browser are expected to be at risk too. (Email, Instant Messaging, ...) 3 Solution concepts This section summarises the design and early implementation discoveries of financial institutions that have worked over the last six months to address the attack. 3.1 Secure Client The first attempt by many is to attempt to harden the otherwise insecure clients. 3.1.1 Hardened Browser All browser vendors should make sure that Userscripts, Extensions and BHOs can´t be easily run on SSL protected websites. To create a secure browser, we need to disallow any extensions / browser helper objects, and compile it into one static binary. A hardened browser could be constructed that fulfils the following security requirements: • No Extensions possible (No BHO´s, No Active-X, No Java, No Plugins, No Extensions) • Statically compiled • Stripped (no compiler symbols available to guide the attack) • No outside access (no DOM externally available) • Tightly coupled to cryptography subsystem (no modularity between browser core and TLS engine) • Additional binary-protection methods (encrypted executable, packing, ...) • Do not allow Userscripts to be run on SSL protected websites Additional properties that might be helpful: • HTTPS only, HTTP not compiled into the browser any more • Good security-enhancing tools included such as TrustBar, Petnames, Google Toolbar • Implement a zero-knowledge password proof (TLS-SRP or TLS-PSK) with a UI that is tightly integrated into the browser and not easily forgeable. An additional option for the future is the personalisation of the binaries, such that there is a distinct compiled binaries for every user, customised with their selected but hardened extensions. Pros: • Could be made available on every Desktop additionally to the user's normal insecure browser, so as to be used in parallel when high security sites are visited. • Better usability than a Secure Live-Distribution • Only few changes are needed to current industry standard browsers, mostly to strip them down and hard-compile them. Page 4/15
Philipp Gühring 2007-01-24 Cons: • No reliable way for the server to identify the use of a hardened browser, and differentiate between secure and insecure client access. • There is substantial work in creating parallel browser distro. 3.1.2 Unwriteable Distribution An evolving solution from the open source world is that of Live-Distributions, being distributions of client operating systems running from read-only media such as CDROMs or DVDs. • Knoppix (Linux) http://www.knoppix.org/ • Freesbie (FreeBSD) http://www.freesbie.org/ • BartPE (Windows) http://www.nu2.nu/pebuilder/ This allows the client to bootup securely, and to reboot securely any time it is needed. Pros: • A client achieves a very high security grade, and can likely withstand all currently validated threats. Cons: • It is a severe usability problem for the users to reboot their computer. For many users, losing from one to three minutes, and interrupting their entire workflow completely will be unacceptable. It is currently seen as impossible to ask the users on the large scale to reboot their computer for every small transaction they want to do. Will users need more than one computer? • There are significant costs in production and distribution of media, and potential for unreliability. • The approach assumes that there is no trojan in the platform BIOS, something that is likely to be challenged if the approach takes off. • Printer drivers: A huge problem at the moment with Live-Distributions is the non- availability of printer drivers due to printing companies not making them available. • BartPE potentially has licensing complications with its use of Windows platform. 3.1.3 Virtual Machine A suggested variation for that usability problem is to run the secure operating system in a virtual machine. The risk on the other hand is that attacks that are used against the browsers in the local environment on the host system can also spread into the guest system by affecting the live system or the harddisk image. Two possible products are available in this category: Qemu - http://www.qemu.org/ VMWare - http://www.vmware.com/ Pros: Page 5/15
Philipp Gühring 2007-01-24 • It raises the cost of the attack • Usability is better than a Secure Live-Distribution • Virtual machines are enjoying something of a surge in popularity at the moment, such a strategy may come with other benefits unrelated to security. Con: • Usability is not as good as a Hardened Browser • It will probably not be secure for long. If sufficiently popular, it can be challenged and broken easily as VM-manipulation techniques are already quite sophisticated both for positive and negative purposes. It is likely that local attacks can be automatically applied to guest-applications from outside the VM. 3.1.4 Secure Signature Client The Austrian security community has invented a secure electronic digital signature concept, called SecurityLayer, which defines the system requirements for a „Security Capsule“, and the interface so that any application (local or web-application) can use the Security Capsule to have a document securely displayed to the user and signed by the user afterwards. The definition includes a secure XHTML subset (no dynamic elements, guaranteed readability, ...), the demand for a secure viewer which can display those secure documents to the user before the user can sign the document, to make sure that the user really sees what is being signed/authorized. At the moment, demonstration Security-Capsules which are implemented in Software are available from several vendors. Their security level can be compared to Hardened Browsers. It is hoped that a vendor will take the challenge to implement a Security Capsule in Hardware. Pros: ● A potentially secure solution to the problem ● The demonstrations are promising Cons: ● There are no rumours of a planned hardware implementation yet, so it is expected to take least 1-2 years until they could be on the market. 3.1.5 Class 4 SmartCard reader A theoretical solution for a secure client would be the Class 4 SmartCard reader. Although not available, the device characteristics and security profile are relatively well understood, and appropriate. Class1 Readers are just interfaces without any security mechanisms, Class2 Readers have a keyboard, but no display, Class3 Readers have a small display, Class4 Readers would have to have a secure viewer 2 possible implementations were heard of, but haven´t appeared on the market yet: ● FINREAD http://www.finread.com/ ● Mastercard CAP (using the transaction signature mechanism) Page 6/15
Philipp Gühring 2007-01-24 It would be interesting to see Class4 Readers which implement the SecurityLayer specification in Hardware, and just send forward the whole request to the device, implementing the secure viewer and the signature system in the Class4 Reader. Pros: • It is based on secure hardware. Cons: • There is no sufficiently powerful and cost effective display available on the market as yet. Arbitrary transaction, image or document formats would have to be displayed correctly and securely. • It is an additional device to the PC. • It needs more space on the user's desk. • There are no such devices available on the market yet, and time to market would be at least a year, assuming it were a routine production. • Drivers would need to be installed on the computer. • Price is likely to be high. 3.1.6 Trusted Computing One problem of a Secure client is that it should be able to remotely attestate to the server, that it is a secure client. Otherwise the Server has to assume that the client is not a Secure client. If a secure client can be developed, and that secure client can attestate it´s security to the server, the server can distinguish trusted clients from untrusted clients, and deliver the normal application to the trusted clients, and switch to second channel authorisation (or other mechanisms) for untrusted client. This way users with a secure client can get good usability, while other users without trusted clients will have to use second channel or other mechanisms for authorisation. The question is whether the Remote Attestation feature of TCG/TCPA platform will deliver that attestation function in practice. Pros: • Theoretically makes it possible for the server to distinguish between secure clients and insecure clients. Cons: • The proposal is a long way from deployment. Only a small part of the TCG infrastructure is designed yet, and even those parts have only been developed to an experimental level. • TCG is years away from a usable platform. • Remote Attestation would only address the server's need for a trusted computing base on the client. It does not answer the question as to whether the rest of the client is secure. For example, almost all the operating system would be outside the 'Trusted' base, including such elements as display graphics, keyboard and mouse. Page 7/15
Philipp Gühring 2007-01-24 3.1.7 External Authorisation devices External authorisation devices are similar to Class4 SmartCard readers, with the difference that they have no connection to the PC. So the user has to enter the transaction details himself on the device, possibly entering the transaction details twice ● http://www.vasco.com/phishing/solution_sig.html ● http://www.vasco.com/phishing/solution_cards.html Mobile phones could also be used as external standalone authorisation devices: ● http://motp.sourceforge.net/ (only authentication at the moment, but could be adapted to authorisation) Pros: ● Likely secure enough Cons: ● User has to enter the data twice 3.2 Second channel If the computer cannot provide a secure channel between the application server and the user, we could use a second channel that adds the necessary security property of uncorrelated attacks: • If the user's PC is compromised, the second channel remains un-compromised. The following systems are candidates for secure channels: • Telephone. This channel could be automated, but VOIP often goes through the PC!. (Note that the human voice has interesting security properties.) • SMS messaging from the cell/mobile phone. • HTTP connections from the cell/mobile phone. • FAX • Pager • Email and IM/Chat. As these agents are on the PC, they can also be affected by the trojan, so using them just raises the cost of the attack. We should differentiate between different applications here: 3.2.1 Transaction based Applications Transaction-based systems have the problem of authorisation of the transaction, as opposed to authentication of the user. Is the proposed transaction really the transaction the user wanted done that way, or has it been modified in flight? For transaction-based applications, the following concept has been developed by several European banks: Page 8/15
Philipp Gühring 2007-01-24 • User enters the transaction in the normal way, using her computer and browser on the website. • When the server receives the transaction, it automatically sends back to the user the important transaction details and a transaction code through the alternate channel (SMS, telephone, email, ...) • For example: „If you want to send 140 USD to account 51234829348 please enter the following transaction code: AB234DEF342“ • The user verifies the details. If the transaction details are correct, and what the user wanted, she enters the transaction code („AB234DEF342“) on the website. • The server receives transaction code and takes that as authorisation for the transaction. Pros: • The two channels – web page and cell/mobile – are uncorrelated, so the attacker would have to achieve control over both channels. Two attacks on unrelated platforms is much more expensive. Cons: • The process is very dependent on the application. • It is easy to make mistakes in the system design, potentially opening the door for complex exploits. • SMS is limited to 160 characters, so only a limited number of transactions can be covered in each message (an issue for businesses). • Telephone, SMS, FAX and Pager can have cost ramifications for the server-operators. 3.2.2 Non-Transaction based applications Non-transaction systems are where the user needs to get data from the server, with all the traditional security properties such as confidentiality, integrity and authentication of source. For example, queries to databases. Such non-transaction systems likely need to secure more data than transaction systems, which means the above alternate channel solution (based on low volume devices such as SMS) is not practical. Potentially, other channels such as Email and proprietory communication systems could be used. Even if a second channel was available, it is not clear that the channel could be used in conjunction with the PC in order to secure the non-transaction systems. 3.2.3 Storage problem A further problem that has to be considered is that some of the second channels mentioned above will store messages in the device, and afterwards display the stored message. Unless the user explicitly deletes the message, the message may be stored on the device for an indefinite time. Since the messages may contain confidential transaction details, that confidential data could be accidently Page 9/15
Philipp Gühring 2007-01-24 leaked. Currently known affected second channel types: • SMS • Email • Fax These communication systems were not originally designed to transport and maintain data with confidentiality. 3.3 Secure Communication over insecure systems If we cannot secure the communication systems, and we cannot get a secure second channel, a third possibility is to create secure communication systems on top of the insecure systems. 3.3.1 Captcha It is frequently suggested that the transaction details and transaction code could be transmitted through pictures with the text on it. This is based on the idea that the text cannot be easily modified in an image. This is however a chimera. Cons: • Captchas have proven quite capable at separating blind people from non-blind people. • They have not proven effective for differentiating between computers and humans. • The entire image can be easily replaced by man-in-the-middle attacks. • There are well-developed tools available for reading Captchas, created for websites that wish to franchise another website's capabilities. 3.3.2 Transaction model The cost of the attack can be raised with a more secure transaction model: Old Internet style model: Client Direction Server Identification ---> Authentication <--- Transaction form Transaction data entered ---> Transaction validation Verifying transaction report <--- Transaction report The traditional model generates the transaction data and sends it in one request to the server. This has the disadvantage in letting a man-in-the-middle attack insert itself in one place only. After transaction completion, a single receipt is sent back which can easily be changed as well. Page 10/15
Philipp Gühring 2007-01-24 Client Direction Server Identification ---> Authentication <--- Transaction form Destination code is entered ---> Destination code lookup Verifying destination description <--- Destination description Transaction details ---> Transaction validation <--- Transaction results One idea is to change the transaction model from a one-shot model to a dialogue between the user and the server. In this dialogue, the user and the server „discuss“ the details of the transaction in several rounds, in such a way that it is not possible for a trojan to change details without breaking a single transaction. This is achieved by the server giving individual answers to each bit of the information of the user. The security comes from the earlier transaction details not being changeable at a later stage of the transaction anymore. When something is entered wrongly in the beginning, the whole transaction has to be cancelled and restarted from scratch. Better security can be achieved, if the answers from the server not only depend on the general data the user enters, but also on secret knowledge of the server, which is derived from the user. Pros: • No need for extra hardware or software. • A dialogue style transaction could additionally have a better usability for the user. Cons: • An attacker can launch a separate transaction in parallel in order to divine the information it wishes to display to the user. • It raises the cost of an attack, but it does not solve the problem. 3.3.3 Delayed Webpage delivery One interesting piece we found is that some of the attack mechanisms are only starting to work after the page is fully loaded, so it can change the (visible) contents only after the loading process is complete. On the other hand, the browsers are displaying the first part of the page already during loading it. Since the webserver can delay displaying a page, it should be possible to create a large enough timeframe, that the user in front of the browser has a chance to notice any relevant changes when the page is loaded completely. The webpage would work like that: Content-type: text/html <html><body>Your browser has been taken over, if this text changes itself in the next 5 seconds!</body> <? sleep(5); ?> Page 11/15
Philipp Gühring 2007-01-24 </html> One potential problem of this solution are possible delays of the delivery due to the webserver waiting for the page to have finished before sending it to the browser. So good control over the webserver is necessary for this trick to succeed. Pros: ● Easy to implement Cons: ● Might be difficult for the user to understand ● Delays the website for the user, potentially creating a bad user experience. ● Does only help against some browser engines ● Does not help against advanced attacks with API Hooking or Virtualisation 3.3.4 Using SSL Opera´s security concept for Userscripts is that the user additionally has to allow Userscripts to be run on SSL websites. So having a website use SSL will help a bit against Man-in-the-browser attacks on Opera users, unfortunately the other browser vendors haven´t implemented the same security mechanism yet. Pros: ● Should be done anyway Cons: ● Does not help against advanced attacks. 3.4 Human Security – the „last meter“ One viewpoint on the problem is that current security systems and indeed much of security thinking today are not really end-to-end. One end of the transaction is normally rooted in the user's brain, but most transaction protocols only go as far as her computer. This section looks at how we can go the „last meter.“ 3.4.1 Simple Encryption Simple encryption tables printed on paper, where the user can easily encrypt the transaction details to the server. Pros: • Potentially creatable by the user themselves using other secured platforms • Mobile solution – can be carried in pocket/handbag. Cons: • Needs Paper • Users do not like doing sums. • Integrity, Protection against Replay would need to be solved Page 12/15
Philipp Gühring 2007-01-24 3.4.2 Multi-path passwords - SecLookOn A multi-path password works by defining graphical rules such as „If you see image X in the upper left area, then type in the number that is displayed in the image with a white colour in the upper right area.“ The user has to be trained through the multiple paths, and she has to apply the process on each login. Pros: • Very good security concept. • It could be adapted into a strong authorisation solution. Cons: • It is quite a challenge for the user to learn the concept and memorize all the steps. • Current implementations are authentication only, so they do not as yet solve the problem. This concept has been implemented by MERLINnovations under the name SecLookOn: http://www.seclookon.com/seclookon/ A time-limited demonstration of it can be found at http://sec.generalibank.at/SecLookOn_Generali/ It is currently authentication only. 3.4.3 Shared Secrets - PassFaces Another possibility is to transmit information such as graphics that the user is familiar with and has configured on the site. Since the secrets are transmitted during the dialogue, they are available to the attacker as well as the user. Pros: • May carry side benefits such as personalisation for online sites. Cons: • There are no secrets kept from the attacker. • It covers simple authentications only. It is not clear that it is possible to adapt it for authorisation. For example, see PassFaces: www.passfaces.com 3.5 Server side security 3.5.1 Non-Automatability It is possible to hardening the web-application to make it hard for an attacker to change the page. For example, randomising all URLs and the HTML so as to thwart pattern matching. This would mean automatically rewriting the entire output of a web server, for each page view. Pros: Page 13/15
Philipp Gühring 2007-01-24 • It raises the cost of an attack. Cons: • The attacker can use the user herself to teach it where to change the data. For example, see Visonys Airlock: www.visonys.com 4 Give up It is important to state the worst case scenario – abandon the net. If none of the presented concepts can be applied successfully to a system, and others are not found, the last alternative would be to give up using the internet for security-demanding applications. Pros: • It was good while it lasted. Cons: • Might not be a solution for all applications • Dramatic cost implications, if the users have to switch to other channels • Will likely cause a shock to confidence in some sectors such as retail banking. Epilogue On the first blush, the problem of the man-in-the-browser seemed impossible to solve. After serious investigation by banks and security workshops in Europe, a couple of plausible patches and solution ideas have emerged. All of these solutions have challenges. Implementation, user acceptance and the basic security properties are not forgone conclusions, and only a few promise to be a sustainable solution. A lot of usability challenges will straing the roll-out of the solutions, creating great risks for operators. Still, the alternative is yet more bleak. Early calculations suggest that if the Internet channel is to be abandoned, this will immediately effect issues such as branch staffing levels and even the number of branches. Such a path is considered unacceptable. This paper is presented as only the beginning of the necessarily long and active research in this new field. A lot more concepts and ideas have to be discovered, peer-reviewed, implemented, tested, and rolled out. We will need many risk experiments to find better, usable and workable solutions. (It might be helpful to collect more ideas in this paper, so I will try to update this paper as and when new ideas are available. Keep an eye on the date at the top.) Page 14/15
Philipp Gühring 2007-01-24 References Visonys Airlock http://www.visonys.com/ PassFaces http://www.passfaces.com/ SecLookOn http://www.seclookon.com/seclookon/ FinRead http://www.finread.com/ Browser Helper Objects http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp SecurityLayer http://www.buergerkarte.at/ TCG https://www.trustedcomputinggroup.org/ Captcha http://www.captcha.net/ http://www.cr80news.com/library/2006/09/16/on-card-displays-become-reality-making-cards-more-secure/ Page 15/15

Recomendados

How to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksHow to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksImperva
 
Man In The Browser
Man In The BrowserMan In The Browser
Man In The BrowserSave Manos
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Panagiotis Papadopoulos
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITYyashwanthlavu
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 

Recomendados

How to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksHow to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksImperva
 
Man In The Browser
Man In The BrowserMan In The Browser
Man In The BrowserSave Manos
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Panagiotis Papadopoulos
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITYyashwanthlavu
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Cross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam NurudiniCross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam NurudiniAdam Nurudini
 
Ijaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowserIjaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowserHai Nguyen
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
A survey on Session Hijacking
A survey on Session HijackingA survey on Session Hijacking
A survey on Session HijackingSeyyedAliAyati
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick Letsfly web
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Content Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFMContent Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFMWalter Ebert
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetJeremiah Grossman
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
E-Commerce security
E-Commerce security E-Commerce security
E-Commerce security Tawhid Rahman
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Xss
XssXss
XssRajendra Dangwal
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Fraternitas maio 2012
Fraternitas maio 2012Fraternitas maio 2012
Fraternitas maio 2012scapolan
 
Brainread
BrainreadBrainread
BrainreadCarla Piper
 

Más contenido relacionado

La actualidad más candente

Cross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam NurudiniCross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam NurudiniAdam Nurudini
 
Ijaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowserIjaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowserHai Nguyen
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
A survey on Session Hijacking
A survey on Session HijackingA survey on Session Hijacking
A survey on Session HijackingSeyyedAliAyati
 
Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick Letsfly web
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Content Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFMContent Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFMWalter Ebert
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
E-Commerce security
E-Commerce security E-Commerce security
E-Commerce security Tawhid Rahman
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 

La actualidad más candente (20)

Cross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam NurudiniCross Site scripting Attacks - by Adam Nurudini
Cross Site scripting Attacks - by Adam Nurudini
 
Ijaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowserIjaci vol4 no1-maninbrowser
Ijaci vol4 no1-maninbrowser
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
A survey on Session Hijacking
A survey on Session HijackingA survey on Session Hijacking
A survey on Session Hijacking
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick Introduction of exploit on window XP & Trick
Introduction of exploit on window XP & Trick
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Content Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFMContent Security Policy - PHPUGFFM
Content Security Policy - PHPUGFFM
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
 
E-Commerce security
E-Commerce security E-Commerce security
E-Commerce security
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Xss
XssXss
Xss
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 

Destacado

Fraternitas maio 2012
Fraternitas maio 2012Fraternitas maio 2012
Fraternitas maio 2012scapolan
 
The Consumer Sense of Self: Are We Truly Sentient?
The Consumer Sense of Self: Are We Truly Sentient?The Consumer Sense of Self: Are We Truly Sentient?
The Consumer Sense of Self: Are We Truly Sentient?Sentient Decision Science
 
CV_AILEEN EVANGELIO_Secretary
CV_AILEEN EVANGELIO_SecretaryCV_AILEEN EVANGELIO_Secretary
CV_AILEEN EVANGELIO_Secretaryaileen evangelio
 
Presentación asamblea centro de padres 2014
Presentación asamblea centro de padres 2014Presentación asamblea centro de padres 2014
Presentación asamblea centro de padres 2014Soledad de la Cerda
 
Publication ÓVALO Construye. Servicios a Promotores y Constructores de Obras
Publication ÓVALO Construye. Servicios a Promotores y Constructores de ObrasPublication ÓVALO Construye. Servicios a Promotores y Constructores de Obras
Publication ÓVALO Construye. Servicios a Promotores y Constructores de ObrasÓVALO global services.
 
Wired Community @ Collingwood Final Report
Wired Community @ Collingwood Final Report Wired Community @ Collingwood Final Report
Wired Community @ Collingwood Final Report Infoxchange
 
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la ZVirginia Borges
 
Instalación servidor DNS
Instalación servidor DNSInstalación servidor DNS
Instalación servidor DNSK-te Muñoz
 
Nuevo trabajo en canada, alemania y brasil 2012
Nuevo trabajo en canada, alemania y brasil 2012Nuevo trabajo en canada, alemania y brasil 2012
Nuevo trabajo en canada, alemania y brasil 2012Ravila10
 
Ciclo de vida de kendall y kendall
Ciclo de vida de kendall y kendallCiclo de vida de kendall y kendall
Ciclo de vida de kendall y kendallDORIS GUAMAN
 
PwC and AIESEC Partnership Overview 2011
PwC and AIESEC Partnership Overview 2011PwC and AIESEC Partnership Overview 2011
PwC and AIESEC Partnership Overview 2011Claudia Pop-Călinescu
 
JahiaOne - Abercrombie & Fitch explains how they use Jahia
JahiaOne - Abercrombie & Fitch explains how they use Jahia JahiaOne - Abercrombie & Fitch explains how they use Jahia
JahiaOne - Abercrombie & Fitch explains how they use Jahia Jahia Solutions Group
 
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serrano
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar SerranoCurso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serrano
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serranomiguelserrano5851127
 

Destacado (20)

Fraternitas maio 2012
Fraternitas maio 2012Fraternitas maio 2012
Fraternitas maio 2012
 
Brainread
BrainreadBrainread
Brainread
 
El nostre cos
El nostre cosEl nostre cos
El nostre cos
 
The Consumer Sense of Self: Are We Truly Sentient?
The Consumer Sense of Self: Are We Truly Sentient?The Consumer Sense of Self: Are We Truly Sentient?
The Consumer Sense of Self: Are We Truly Sentient?
 
CV_AILEEN EVANGELIO_Secretary
CV_AILEEN EVANGELIO_SecretaryCV_AILEEN EVANGELIO_Secretary
CV_AILEEN EVANGELIO_Secretary
 
Presentación asamblea centro de padres 2014
Presentación asamblea centro de padres 2014Presentación asamblea centro de padres 2014
Presentación asamblea centro de padres 2014
 
Publication ÓVALO Construye. Servicios a Promotores y Constructores de Obras
Publication ÓVALO Construye. Servicios a Promotores y Constructores de ObrasPublication ÓVALO Construye. Servicios a Promotores y Constructores de Obras
Publication ÓVALO Construye. Servicios a Promotores y Constructores de Obras
 
Wired Community @ Collingwood Final Report
Wired Community @ Collingwood Final Report Wired Community @ Collingwood Final Report
Wired Community @ Collingwood Final Report
 
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z
¿e-n-o-t-v'-r-i-s-m-o? Enoturismo de la A a la Z
 
Instalación servidor DNS
Instalación servidor DNSInstalación servidor DNS
Instalación servidor DNS
 
Cafe foo
Cafe fooCafe foo
Cafe foo
 
B2B eCommerce
B2B eCommerceB2B eCommerce
B2B eCommerce
 
Cost Savings Today 1 2014
Cost Savings Today 1 2014Cost Savings Today 1 2014
Cost Savings Today 1 2014
 
Nuevo trabajo en canada, alemania y brasil 2012
Nuevo trabajo en canada, alemania y brasil 2012Nuevo trabajo en canada, alemania y brasil 2012
Nuevo trabajo en canada, alemania y brasil 2012
 
Dia de muertos
Dia de muertosDia de muertos
Dia de muertos
 
Ciclo de vida de kendall y kendall
Ciclo de vida de kendall y kendallCiclo de vida de kendall y kendall
Ciclo de vida de kendall y kendall
 
PwC and AIESEC Partnership Overview 2011
PwC and AIESEC Partnership Overview 2011PwC and AIESEC Partnership Overview 2011
PwC and AIESEC Partnership Overview 2011
 
JahiaOne - Abercrombie & Fitch explains how they use Jahia
JahiaOne - Abercrombie & Fitch explains how they use Jahia JahiaOne - Abercrombie & Fitch explains how they use Jahia
JahiaOne - Abercrombie & Fitch explains how they use Jahia
 
rolling stone
rolling stonerolling stone
rolling stone
 
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serrano
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar SerranoCurso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serrano
Curso Auditoría de Gestión MAR.2014 2da. parte - Dr. Miguel Aguilar Serrano
 

Similar a Secure client

Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docpraveena06
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacksijdmtaiir
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile AttackIRJET Journal
 
New or obscure web browsers (4x3 draft 5)
New or obscure web browsers (4x3 draft 5)New or obscure web browsers (4x3 draft 5)
New or obscure web browsers (4x3 draft 5)msz
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxdawitTerefe5
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSheri Elliott
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Man in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperMan in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperHai Nguyen
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdfKunjJoshi14
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Syed Ubaid Ali Jafri
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 

Similar a Secure client (20)

Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
 
New or obscure web browsers (4x3 draft 5)
New or obscure web browsers (4x3 draft 5)New or obscure web browsers (4x3 draft 5)
New or obscure web browsers (4x3 draft 5)
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Man in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperMan in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaper
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015
 
AW-Infs201101067.pptx
AW-Infs201101067.pptxAW-Infs201101067.pptx
AW-Infs201101067.pptx
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...
 

Más de Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 

Más de Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 

Último

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Último (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Secure client

  • 1. Philipp Gühring 2007-01-24 Concepts against Man-in-the-Browser Attacks Philipp Gühring <pg@futureware.at> Date: 2006-06-16 Update: 2006-09-12 A new threat is emerging that attacks browsers by means of trojan horses. The new breed of new trojan horses can modify the transactions on-the-fly, as they are formed in in browsers, and still display the user's intended transaction to her. Structurally they are a man-in-the-middle attack between the the user and the security mechanisms of the browser. Distinct from Phishing attacks which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all, as they are using real services, the user is correctly logged-in as normal, and there is no difference to be seen. The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, Client certificates, Secure-ID, SmartCards, Class3 Readers, OTP, ...) can defend against these attacks, because the attacks are working on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered obsolete. Acknowledgements Thanks to quintessenz.at for originating the discussion and for feedback on the paper. Thanks also due to the Anti-Fraud Coffee-Room (http://lists.cacert.org/) for feedback and FinancialCryptography.com for peer reviewing the paper. Many thanks to the various individuals who freely gave ideas and insights but prefer to remain nameless. 1 The Problem 1.1 Trojan Technology The new trojan technology is technically more advanced than prior generations by way of combining Browser-Helper-Objects, Browser Extensions, and direct Browser manipulation techniques. 1.2 Browsers As of time of writing, it is known that (2006-09-12) Firefox, Internet Explorer and Opera are successfully targeted, on the Windows, Linux and MacOS X Platform. It is currently not known yet, whether Konqueror, Safari, Lynx and other browser are affected too. The trojans can do the following: • Modify the appearance of a website before the user sees it. • Modify the data entered by the user before it is encrypted and sent to the server. This modification is not visible / detectable by the user or the server. • Change the appearance of transactions returned by the server back to the version that the Page 1/15
  • 2. Philipp Gühring 2007-01-24 user expects. 1.2.1 Points of Attack • Browser Helper Objects – these are dynamically-loaded libraries (DLLs) loaded by Internet Explorer / Windows Explorer upon start-up. They run inside IE, and have full access to IE and full access to the DOM tree, etc. Developing BHOs is very easy. • Extensions – similar to Browser Helper Objects for other Browsers such as Firefox (hereafter, both will be referred to as extensions). Developing Extensions is easy. • UserScripts – Scripts that are running in the browser (Firefox/Greasemonkey+Opera). Developing UserScripts is very easy. • API-Hooking – this technique is a Man-in-the-Middle attack between the application (.EXE) and the DLLs that are loaded up, both for application specific DLLs such as extensions and Operating System (OS) DLLs. For example if the SSL engine of the browser is a separate DLL, then API-Hooking can be used to modify all communication between the browser and the SSL engine. Developing API Hooks is difficult. • Virtualisation – running the whole operating system in a virtual environment, to easily bypass all the security mechanisms. Developing Virtualisation attacks is difficult. 1.2.2 Method of Attack An attack may progress thusly: 1. The trojan infects the computer's software, either OS or Application. 2. The trojan installs an extension into the browser configuration, so that it will be loaded next time the browser starts. 3. At some later time, the user restarts the browser. 4. The browser loads the extension. 5. The extension registers a handler for every page-load. 6. Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack. 7. The user logs in securely to for example https://secure.original.site/. 8. When the handler detects a page-load for a specific pattern in its targeted list (for example https://secure.original.site/account/do_transaction) it registers a button event handler. 9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values. 10. The extension modifies the values through the DOM interface. 11. The extension tells the browser to continue to submit the form to the server. 12. The browser sends the form including the modified values to the server. 13. The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes. 14. The server performs the transaction and generates a receipt. 15. The browser receives the receipt for the modified transaction. 16. The extension detects the https://secure.original.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt with the original data that it remembered in the HTML. 17. The browser displays the modified receipt with the original details 18. The user thinks that the original transaction was received by the server intact and authorised correctly. Page 2/15
  • 3. Philipp Gühring 2007-01-24 1.3 Email Clients In principle, a trojan employing the same attack methods described above could be effective against clients for Email and Instant Messaging. Transaction details could be changed by much the same filtering process, sending the fraudulent transactions on to a server, and displaying the original. As of the time of writing, such trojans have not been spotted in the wild as yet. 1.4 Authentication The trojans are working on a different part of the transactions cycle to authentication. They could still work to effect the authentication, and that might be useful for harvesting account details, but fundamentally they circumvent the standard authentication concepts. Which authentication systems are circumvented? All authentication systems that use the PC as the single channel for transaction data to the server are circumvented: • Username+Password • PIN+TAN • PIN+iTAN • Client certificates • SecureID Tokens • One Time Pad Tokens • Biometry authentication • SmartCard authentication • SmartCard + Class3 reader authentication (with client certificates) • Bürgerkarte / SecurityLayer (when used for Login only, which is currently often done) • (likely also Digital Signatures with SmartCards and Class3 readers) • No authentication (information portals) In effect, if you are relying on any Authentication of the user (or the machine), to authorize transactions, the trojan horses can simply change the transactions without affecting the authentication. 2 Risk assessment 2.1 Current situation Unfortunately the necessary technology for trojans is widely available now. It is not high-tech and high-priced any more. The time-to-market for active attacks is known to be less than 1 day. Every potential target has to worry about the risk of being attacked with this technology now. The technology is easy enough that everyone with webdesign experience can craft a successful attack. 2.2 Future situation Page 3/15
  • 4. Philipp Gühring 2007-01-24 It is expected that this attack will be productised into widely available construction kits. The first generation of construction kits and compilers have already been seen in the wild. Such kits are making the attack viable for any target, with or without any financial motivation. In the middle-term of 1 year, all client-server applications outside the browser are expected to be at risk too. (Email, Instant Messaging, ...) 3 Solution concepts This section summarises the design and early implementation discoveries of financial institutions that have worked over the last six months to address the attack. 3.1 Secure Client The first attempt by many is to attempt to harden the otherwise insecure clients. 3.1.1 Hardened Browser All browser vendors should make sure that Userscripts, Extensions and BHOs can´t be easily run on SSL protected websites. To create a secure browser, we need to disallow any extensions / browser helper objects, and compile it into one static binary. A hardened browser could be constructed that fulfils the following security requirements: • No Extensions possible (No BHO´s, No Active-X, No Java, No Plugins, No Extensions) • Statically compiled • Stripped (no compiler symbols available to guide the attack) • No outside access (no DOM externally available) • Tightly coupled to cryptography subsystem (no modularity between browser core and TLS engine) • Additional binary-protection methods (encrypted executable, packing, ...) • Do not allow Userscripts to be run on SSL protected websites Additional properties that might be helpful: • HTTPS only, HTTP not compiled into the browser any more • Good security-enhancing tools included such as TrustBar, Petnames, Google Toolbar • Implement a zero-knowledge password proof (TLS-SRP or TLS-PSK) with a UI that is tightly integrated into the browser and not easily forgeable. An additional option for the future is the personalisation of the binaries, such that there is a distinct compiled binaries for every user, customised with their selected but hardened extensions. Pros: • Could be made available on every Desktop additionally to the user's normal insecure browser, so as to be used in parallel when high security sites are visited. • Better usability than a Secure Live-Distribution • Only few changes are needed to current industry standard browsers, mostly to strip them down and hard-compile them. Page 4/15
  • 5. Philipp Gühring 2007-01-24 Cons: • No reliable way for the server to identify the use of a hardened browser, and differentiate between secure and insecure client access. • There is substantial work in creating parallel browser distro. 3.1.2 Unwriteable Distribution An evolving solution from the open source world is that of Live-Distributions, being distributions of client operating systems running from read-only media such as CDROMs or DVDs. • Knoppix (Linux) http://www.knoppix.org/ • Freesbie (FreeBSD) http://www.freesbie.org/ • BartPE (Windows) http://www.nu2.nu/pebuilder/ This allows the client to bootup securely, and to reboot securely any time it is needed. Pros: • A client achieves a very high security grade, and can likely withstand all currently validated threats. Cons: • It is a severe usability problem for the users to reboot their computer. For many users, losing from one to three minutes, and interrupting their entire workflow completely will be unacceptable. It is currently seen as impossible to ask the users on the large scale to reboot their computer for every small transaction they want to do. Will users need more than one computer? • There are significant costs in production and distribution of media, and potential for unreliability. • The approach assumes that there is no trojan in the platform BIOS, something that is likely to be challenged if the approach takes off. • Printer drivers: A huge problem at the moment with Live-Distributions is the non- availability of printer drivers due to printing companies not making them available. • BartPE potentially has licensing complications with its use of Windows platform. 3.1.3 Virtual Machine A suggested variation for that usability problem is to run the secure operating system in a virtual machine. The risk on the other hand is that attacks that are used against the browsers in the local environment on the host system can also spread into the guest system by affecting the live system or the harddisk image. Two possible products are available in this category: Qemu - http://www.qemu.org/ VMWare - http://www.vmware.com/ Pros: Page 5/15
  • 6. Philipp Gühring 2007-01-24 • It raises the cost of the attack • Usability is better than a Secure Live-Distribution • Virtual machines are enjoying something of a surge in popularity at the moment, such a strategy may come with other benefits unrelated to security. Con: • Usability is not as good as a Hardened Browser • It will probably not be secure for long. If sufficiently popular, it can be challenged and broken easily as VM-manipulation techniques are already quite sophisticated both for positive and negative purposes. It is likely that local attacks can be automatically applied to guest-applications from outside the VM. 3.1.4 Secure Signature Client The Austrian security community has invented a secure electronic digital signature concept, called SecurityLayer, which defines the system requirements for a „Security Capsule“, and the interface so that any application (local or web-application) can use the Security Capsule to have a document securely displayed to the user and signed by the user afterwards. The definition includes a secure XHTML subset (no dynamic elements, guaranteed readability, ...), the demand for a secure viewer which can display those secure documents to the user before the user can sign the document, to make sure that the user really sees what is being signed/authorized. At the moment, demonstration Security-Capsules which are implemented in Software are available from several vendors. Their security level can be compared to Hardened Browsers. It is hoped that a vendor will take the challenge to implement a Security Capsule in Hardware. Pros: ● A potentially secure solution to the problem ● The demonstrations are promising Cons: ● There are no rumours of a planned hardware implementation yet, so it is expected to take least 1-2 years until they could be on the market. 3.1.5 Class 4 SmartCard reader A theoretical solution for a secure client would be the Class 4 SmartCard reader. Although not available, the device characteristics and security profile are relatively well understood, and appropriate. Class1 Readers are just interfaces without any security mechanisms, Class2 Readers have a keyboard, but no display, Class3 Readers have a small display, Class4 Readers would have to have a secure viewer 2 possible implementations were heard of, but haven´t appeared on the market yet: ● FINREAD http://www.finread.com/ ● Mastercard CAP (using the transaction signature mechanism) Page 6/15
  • 7. Philipp Gühring 2007-01-24 It would be interesting to see Class4 Readers which implement the SecurityLayer specification in Hardware, and just send forward the whole request to the device, implementing the secure viewer and the signature system in the Class4 Reader. Pros: • It is based on secure hardware. Cons: • There is no sufficiently powerful and cost effective display available on the market as yet. Arbitrary transaction, image or document formats would have to be displayed correctly and securely. • It is an additional device to the PC. • It needs more space on the user's desk. • There are no such devices available on the market yet, and time to market would be at least a year, assuming it were a routine production. • Drivers would need to be installed on the computer. • Price is likely to be high. 3.1.6 Trusted Computing One problem of a Secure client is that it should be able to remotely attestate to the server, that it is a secure client. Otherwise the Server has to assume that the client is not a Secure client. If a secure client can be developed, and that secure client can attestate it´s security to the server, the server can distinguish trusted clients from untrusted clients, and deliver the normal application to the trusted clients, and switch to second channel authorisation (or other mechanisms) for untrusted client. This way users with a secure client can get good usability, while other users without trusted clients will have to use second channel or other mechanisms for authorisation. The question is whether the Remote Attestation feature of TCG/TCPA platform will deliver that attestation function in practice. Pros: • Theoretically makes it possible for the server to distinguish between secure clients and insecure clients. Cons: • The proposal is a long way from deployment. Only a small part of the TCG infrastructure is designed yet, and even those parts have only been developed to an experimental level. • TCG is years away from a usable platform. • Remote Attestation would only address the server's need for a trusted computing base on the client. It does not answer the question as to whether the rest of the client is secure. For example, almost all the operating system would be outside the 'Trusted' base, including such elements as display graphics, keyboard and mouse. Page 7/15
  • 8. Philipp Gühring 2007-01-24 3.1.7 External Authorisation devices External authorisation devices are similar to Class4 SmartCard readers, with the difference that they have no connection to the PC. So the user has to enter the transaction details himself on the device, possibly entering the transaction details twice ● http://www.vasco.com/phishing/solution_sig.html ● http://www.vasco.com/phishing/solution_cards.html Mobile phones could also be used as external standalone authorisation devices: ● http://motp.sourceforge.net/ (only authentication at the moment, but could be adapted to authorisation) Pros: ● Likely secure enough Cons: ● User has to enter the data twice 3.2 Second channel If the computer cannot provide a secure channel between the application server and the user, we could use a second channel that adds the necessary security property of uncorrelated attacks: • If the user's PC is compromised, the second channel remains un-compromised. The following systems are candidates for secure channels: • Telephone. This channel could be automated, but VOIP often goes through the PC!. (Note that the human voice has interesting security properties.) • SMS messaging from the cell/mobile phone. • HTTP connections from the cell/mobile phone. • FAX • Pager • Email and IM/Chat. As these agents are on the PC, they can also be affected by the trojan, so using them just raises the cost of the attack. We should differentiate between different applications here: 3.2.1 Transaction based Applications Transaction-based systems have the problem of authorisation of the transaction, as opposed to authentication of the user. Is the proposed transaction really the transaction the user wanted done that way, or has it been modified in flight? For transaction-based applications, the following concept has been developed by several European banks: Page 8/15
  • 9. Philipp Gühring 2007-01-24 • User enters the transaction in the normal way, using her computer and browser on the website. • When the server receives the transaction, it automatically sends back to the user the important transaction details and a transaction code through the alternate channel (SMS, telephone, email, ...) • For example: „If you want to send 140 USD to account 51234829348 please enter the following transaction code: AB234DEF342“ • The user verifies the details. If the transaction details are correct, and what the user wanted, she enters the transaction code („AB234DEF342“) on the website. • The server receives transaction code and takes that as authorisation for the transaction. Pros: • The two channels – web page and cell/mobile – are uncorrelated, so the attacker would have to achieve control over both channels. Two attacks on unrelated platforms is much more expensive. Cons: • The process is very dependent on the application. • It is easy to make mistakes in the system design, potentially opening the door for complex exploits. • SMS is limited to 160 characters, so only a limited number of transactions can be covered in each message (an issue for businesses). • Telephone, SMS, FAX and Pager can have cost ramifications for the server-operators. 3.2.2 Non-Transaction based applications Non-transaction systems are where the user needs to get data from the server, with all the traditional security properties such as confidentiality, integrity and authentication of source. For example, queries to databases. Such non-transaction systems likely need to secure more data than transaction systems, which means the above alternate channel solution (based on low volume devices such as SMS) is not practical. Potentially, other channels such as Email and proprietory communication systems could be used. Even if a second channel was available, it is not clear that the channel could be used in conjunction with the PC in order to secure the non-transaction systems. 3.2.3 Storage problem A further problem that has to be considered is that some of the second channels mentioned above will store messages in the device, and afterwards display the stored message. Unless the user explicitly deletes the message, the message may be stored on the device for an indefinite time. Since the messages may contain confidential transaction details, that confidential data could be accidently Page 9/15
  • 10. Philipp Gühring 2007-01-24 leaked. Currently known affected second channel types: • SMS • Email • Fax These communication systems were not originally designed to transport and maintain data with confidentiality. 3.3 Secure Communication over insecure systems If we cannot secure the communication systems, and we cannot get a secure second channel, a third possibility is to create secure communication systems on top of the insecure systems. 3.3.1 Captcha It is frequently suggested that the transaction details and transaction code could be transmitted through pictures with the text on it. This is based on the idea that the text cannot be easily modified in an image. This is however a chimera. Cons: • Captchas have proven quite capable at separating blind people from non-blind people. • They have not proven effective for differentiating between computers and humans. • The entire image can be easily replaced by man-in-the-middle attacks. • There are well-developed tools available for reading Captchas, created for websites that wish to franchise another website's capabilities. 3.3.2 Transaction model The cost of the attack can be raised with a more secure transaction model: Old Internet style model: Client Direction Server Identification ---> Authentication <--- Transaction form Transaction data entered ---> Transaction validation Verifying transaction report <--- Transaction report The traditional model generates the transaction data and sends it in one request to the server. This has the disadvantage in letting a man-in-the-middle attack insert itself in one place only. After transaction completion, a single receipt is sent back which can easily be changed as well. Page 10/15
  • 11. Philipp Gühring 2007-01-24 Client Direction Server Identification ---> Authentication <--- Transaction form Destination code is entered ---> Destination code lookup Verifying destination description <--- Destination description Transaction details ---> Transaction validation <--- Transaction results One idea is to change the transaction model from a one-shot model to a dialogue between the user and the server. In this dialogue, the user and the server „discuss“ the details of the transaction in several rounds, in such a way that it is not possible for a trojan to change details without breaking a single transaction. This is achieved by the server giving individual answers to each bit of the information of the user. The security comes from the earlier transaction details not being changeable at a later stage of the transaction anymore. When something is entered wrongly in the beginning, the whole transaction has to be cancelled and restarted from scratch. Better security can be achieved, if the answers from the server not only depend on the general data the user enters, but also on secret knowledge of the server, which is derived from the user. Pros: • No need for extra hardware or software. • A dialogue style transaction could additionally have a better usability for the user. Cons: • An attacker can launch a separate transaction in parallel in order to divine the information it wishes to display to the user. • It raises the cost of an attack, but it does not solve the problem. 3.3.3 Delayed Webpage delivery One interesting piece we found is that some of the attack mechanisms are only starting to work after the page is fully loaded, so it can change the (visible) contents only after the loading process is complete. On the other hand, the browsers are displaying the first part of the page already during loading it. Since the webserver can delay displaying a page, it should be possible to create a large enough timeframe, that the user in front of the browser has a chance to notice any relevant changes when the page is loaded completely. The webpage would work like that: Content-type: text/html <html><body>Your browser has been taken over, if this text changes itself in the next 5 seconds!</body> <? sleep(5); ?> Page 11/15
  • 12. Philipp Gühring 2007-01-24 </html> One potential problem of this solution are possible delays of the delivery due to the webserver waiting for the page to have finished before sending it to the browser. So good control over the webserver is necessary for this trick to succeed. Pros: ● Easy to implement Cons: ● Might be difficult for the user to understand ● Delays the website for the user, potentially creating a bad user experience. ● Does only help against some browser engines ● Does not help against advanced attacks with API Hooking or Virtualisation 3.3.4 Using SSL Opera´s security concept for Userscripts is that the user additionally has to allow Userscripts to be run on SSL websites. So having a website use SSL will help a bit against Man-in-the-browser attacks on Opera users, unfortunately the other browser vendors haven´t implemented the same security mechanism yet. Pros: ● Should be done anyway Cons: ● Does not help against advanced attacks. 3.4 Human Security – the „last meter“ One viewpoint on the problem is that current security systems and indeed much of security thinking today are not really end-to-end. One end of the transaction is normally rooted in the user's brain, but most transaction protocols only go as far as her computer. This section looks at how we can go the „last meter.“ 3.4.1 Simple Encryption Simple encryption tables printed on paper, where the user can easily encrypt the transaction details to the server. Pros: • Potentially creatable by the user themselves using other secured platforms • Mobile solution – can be carried in pocket/handbag. Cons: • Needs Paper • Users do not like doing sums. • Integrity, Protection against Replay would need to be solved Page 12/15
  • 13. Philipp Gühring 2007-01-24 3.4.2 Multi-path passwords - SecLookOn A multi-path password works by defining graphical rules such as „If you see image X in the upper left area, then type in the number that is displayed in the image with a white colour in the upper right area.“ The user has to be trained through the multiple paths, and she has to apply the process on each login. Pros: • Very good security concept. • It could be adapted into a strong authorisation solution. Cons: • It is quite a challenge for the user to learn the concept and memorize all the steps. • Current implementations are authentication only, so they do not as yet solve the problem. This concept has been implemented by MERLINnovations under the name SecLookOn: http://www.seclookon.com/seclookon/ A time-limited demonstration of it can be found at http://sec.generalibank.at/SecLookOn_Generali/ It is currently authentication only. 3.4.3 Shared Secrets - PassFaces Another possibility is to transmit information such as graphics that the user is familiar with and has configured on the site. Since the secrets are transmitted during the dialogue, they are available to the attacker as well as the user. Pros: • May carry side benefits such as personalisation for online sites. Cons: • There are no secrets kept from the attacker. • It covers simple authentications only. It is not clear that it is possible to adapt it for authorisation. For example, see PassFaces: www.passfaces.com 3.5 Server side security 3.5.1 Non-Automatability It is possible to hardening the web-application to make it hard for an attacker to change the page. For example, randomising all URLs and the HTML so as to thwart pattern matching. This would mean automatically rewriting the entire output of a web server, for each page view. Pros: Page 13/15
  • 14. Philipp Gühring 2007-01-24 • It raises the cost of an attack. Cons: • The attacker can use the user herself to teach it where to change the data. For example, see Visonys Airlock: www.visonys.com 4 Give up It is important to state the worst case scenario – abandon the net. If none of the presented concepts can be applied successfully to a system, and others are not found, the last alternative would be to give up using the internet for security-demanding applications. Pros: • It was good while it lasted. Cons: • Might not be a solution for all applications • Dramatic cost implications, if the users have to switch to other channels • Will likely cause a shock to confidence in some sectors such as retail banking. Epilogue On the first blush, the problem of the man-in-the-browser seemed impossible to solve. After serious investigation by banks and security workshops in Europe, a couple of plausible patches and solution ideas have emerged. All of these solutions have challenges. Implementation, user acceptance and the basic security properties are not forgone conclusions, and only a few promise to be a sustainable solution. A lot of usability challenges will straing the roll-out of the solutions, creating great risks for operators. Still, the alternative is yet more bleak. Early calculations suggest that if the Internet channel is to be abandoned, this will immediately effect issues such as branch staffing levels and even the number of branches. Such a path is considered unacceptable. This paper is presented as only the beginning of the necessarily long and active research in this new field. A lot more concepts and ideas have to be discovered, peer-reviewed, implemented, tested, and rolled out. We will need many risk experiments to find better, usable and workable solutions. (It might be helpful to collect more ideas in this paper, so I will try to update this paper as and when new ideas are available. Keep an eye on the date at the top.) Page 14/15
  • 15. Philipp Gühring 2007-01-24 References Visonys Airlock http://www.visonys.com/ PassFaces http://www.passfaces.com/ SecLookOn http://www.seclookon.com/seclookon/ FinRead http://www.finread.com/ Browser Helper Objects http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp SecurityLayer http://www.buergerkarte.at/ TCG https://www.trustedcomputinggroup.org/ Captcha http://www.captcha.net/ http://www.cr80news.com/library/2006/09/16/on-card-displays-become-reality-making-cards-more-secure/ Page 15/15