Monday, June 16, 2008

Man in the Browser Attacks - Worse Than Viruses?

The problem with computer security terminology is that while some forms of attack sound appropriately nasty, some of the emerging forms of malware sound more like cartoon characters than serious threats. Take, for example, the "Man in the Browser" attack.

The idea that a computer can become "infected" with a virus, or piece of self-replicating malicious code, is universally understood as "bad", because the analogy is fairly straight-forward, and viruses are universally bad things.

But the idea of using CPU cycles to replicate viruses is considered pretty old-hat these days. Most criminals think it better to use your CPU to process transactions, or ship online banking credentials.

In fact, that's all they think about. Today's villains don't spend their time figuring out how to open your CD tray remotely or clog up your memory - they spend their time engineering ever-smarter ways to get their hands on your money.

So while virus-like behavior can sometimes still be helpful, the model for emerging attacks is no longer the infectious agent. Today's model is the "secret agent", or "snitch". Criminals are now focused on placing their malware in line with your transactions.

Which explains why the focus - and the battleground - for security threats and preventative measures alike is now your browser.

Your browser acts as the central interface for almost every transaction on the internet. Browsers are relatively simple creatures - over ten years, they have evolved to simply render the code passed to them into "pages" of text and images, forms, flash objects, popups, and javascript alert boxes, among other things.

When you make a request to your bank, via your browser, both you and the bank's server are saying to your browser, "render this". Unfortunately, your browser can sometimes prove to be a little too obliging.

Man in the Browser (MITB) attacks have been around for several years, but have recently begun receiving more attention because of their (now proven) ability to thwart the additional security that was supposed to be provided by expensive two factor authentication devices, including physical tokens.

Talking to an authentication token salesman about "challenges" used to invoke funny stories about pocket-lint and what happens when tokens accidentally go through the wash, or end up at the cleaners, or in the hands of valet parking attendants.

This is no longer the case - most two factor token sales reps are now extremely aware of the limitations of these devices - and somewhat nervous about the future of their industry. In the past two months, several large banks - including Abbey and HSBC - have announced rollbacks of these programs.

If you're a two factor authentication user, you should be nervous too. Because those sleek black physical security tokens with the gorgeous flashing red LED readouts are fairly easily bypassed using pretty standard social engineering techniques. Read on.

The "hack" looks like this: You head on over to your bank's site, and tab into the wealth management portal. You enter your user name and pull out your expensive, clock-based, two factor authentication token. You turn it on and key the PIN into the site.

What happens next varies, according to the criminal's MO, and the type of malware installed on your machine. But typically, as your page is being rendered, a piece of software now resident in your browser (that you - or your teenage daughter - previously installed because the video you were watching said "you need a new video codec") wakes up and inserts a few additional lines into the code - maybe five lines of javascript - an alert box, a timer function, and maybe some in-page content -and sends a message to a hacker, far far away.

What happens next looks perfectly normal. Upon loading, the alert box pops up - something like the dialog box pictured above - and says "Server synchronization in process... please be patient", accompanied maybe by a nice animated GIF in the bank's colors.

Except at that moment, as you sip your coffee and watch the seconds pass, secure in the knowledge that these sophisticated systems and occasion waiting periods are the "price of modern security", a hacker somewhere is receiving a timely message that you have started an authenticated session and are ready to transact, using the credentials contained in the message. At which point, he can simply log in as you.

Now this doesn't happen every time. Sometimes, the hackers choose to wait, secure in the knowledge that this capability will be there many sessions into the future, and that at some future point an increased account balance may make it more worthwhile to have waited.

And sometimes, the crimeware is configured to allow the hacker session to kick in when you "log out" (was that really the bank's "log out" screen that you just saw? Really?)

As the guys in our labs are quick to point out, there are many variations on the MITB theme, most of them horrible, and well-funded. In some instances, MITB malware is programmed to decrypt and load only when the users requests content from a particular bank (this is apparently a common approach right now in Brazil).

The bottom line is this - no matter what you see going on during your session, if you see something "different" or unexpected happening during your online banking session, close your browser immediately, and call your bank or online broker.

Most online banks are exceedingly good at *not* changing things within their UI - because their user interface designers know that changes make users nervous. So if you see something new, like an alert box, please don't assume that the bank has changed their policy. This almost never happens.

Luckily, this story does have a happy ending. For a solution to the above conundrum (at least one that doesn't involve getting in your car and going to the branch), check out some of my previous posts on SafeCentral - an end-to-end secure session technology that stops MITB attacks from happening in the first place.

I strongly recommend that you download and use this protection - regardless of how sophisticated your authentication token may appear to be. It's free, and it works.

No comments: