Date: Tue, 24 Nov 2009 13:57:22 +0100
From: Thierry Zoller <Thierry@...ler.lu>
CC: full-disclosure@...ts.grok.org.uk
Subject: Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System

Hi,

Thank you for the information.

MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream? Say on a network over ARP cache poisoning?

The paper afaik applies to systems that are already compromised
by an attacker, i.e. where malware has been installed.

If this is the case, what rights (Account ACL) does the malware require
in order to perform the mentioned attacks?

This brings me to an interesting, more general discussion:
can one define malware-infected workstations and the attacks they
perform locally as MITM? Technically they inject themselves between
the client and the server, however they need to be installed prior to
being able to do so. Furthermore they have access to a lot more
information and possibilities than an attacker that is, say, in the
middle of a network connection.

For the sake of allowing proper risk assessment by technically less
trained persons - one should coin a better term than classical MITM -
but maybe I am mistaken? What about MITMa (man in the machine)?

All: What's your opinion?

http://de.wikipedia.org/wiki/Man-in-the-middle-Angriff
http://technet.microsoft.com/en-us/library/cc722487.aspx#EJAA
#1 and #2

Regards,
Thierry

RPG> Abstract
RPG> ========
RPG> ChipTAN comfort is a new system which is supposed to securely authorise online
RPG> banking transactions by means of a trusted device. It is assumed that chipTAN
RPG> comfort specifically protects against man-in-the-middle attacks. Such attacks are
RPG> currently putting bank customers who are using the iTAN system at risk. RedTeam
RPG> Pentesting examined chipTAN comfort and showed that even when using this system,
RPG> man-in-the-middle attacks can compromise online banking security.


RPG> The full paper is available in German and English at

RPG> http://www.redteam-pentesting.de/publications/MitM-chipTAN-comfort




-- 
http://blog.zoller.lu
Thierry Zoller


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
