Message-ID: <Pine.LNX.4.21.0705091727440.14619-100000@linuxbox.org>
Date: Wed, 9 May 2007 17:27:58 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: Jim Harrison <Jim@...tools.org>
Cc: Int3 <yashks@...il.com>, bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot
 method

On Wed, 9 May 2007, Jim Harrison wrote:
> Without getting into SMTP latency comparisons...
> 
> Perhaps I missed something, but where is the threat demonstrated sans
> code installation?
> I'm not trying to disparage anyone's work, but as you yourself pointed
> out, there is nothing demonstrated here that doesn't qualify as common
> malware.

We are all really in agreement.

> 
> -----Original Message-----
> From: Gadi Evron [mailto:ge@...uxbox.org] 
> Sent: Wednesday, May 09, 2007 1:42 PM
> To: Jim Harrison
> Cc: Int3; bugtraq@...urityfocus.com
> Subject: RE: Defeating Citibank Virtual Keyboard protection using
> screenshot method
> 
> On Wed, 9 May 2007, Jim Harrison wrote:
> > Granted, it's an interesting methodology, but until you can demonstrate
> > circumvention of the CitiBank keylogger without installing code on the
> > victim host, a threat is not indicated and cannot be taken seriously.
> 
> Even though I was the first to point out this is old news for the malware
> scene in online/e fraud, I'd be the first to bow down before Int3 and say
> "thank you for sharing your work with us". Many don't.
> 
> But your point above:
> "without installing malware on the victim host"
> 
> Although true on some level, is bogus for the purpose of this work, as it
> being written makes an automatic assumption on working only after malware
> is installed.
> 
> Although you are right, in practice this is already a heavily abused
> technology, and..
> 'Getting malware on a system', who ever heard of such a ridiculous
> idea? :)
> 
> 	Gadi.
> 
> > 
> > -----Original Message-----
> > From: Int3 [mailto:yashks@...il.com] 
> > Sent: Wednesday, May 09, 2007 11:14 AM
> > To: Jim Harrison
> > Cc: bugtraq@...urityfocus.com
> > Subject: Re: Defeating Citibank Virtual Keyboard protection using
> > screenshot method
> > 
> >  
> > This is not malware, it will only help people to experiment and see the
> > result without writing one for themselves.
> >  
> > Regards,
> > Yash K.S
> >  
> > On 5/9/07, Jim Harrison <Jim@...tools.org> wrote: 
> > 
> > 	(copied here without permission)
> > 	Step by Step Demo:
> > 	
> > 	- Download POC from http://tracingbug.com/downloads/citihook.zip
> > <http://tracingbug.com/downloads/citihook.zip>  and
> > 	unzip to some directory
> > 	- Launch citihook.exe, this will watch only
> > 	https://www.online.citibank.co.in/ URL
> > 	
> > 	Effectively, "Let me install my malware on your machine to demonstrate
> > 	how vulnerable it is."
> > 	
> > 	P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> > 	The "problem" ceases to be a vulnerability at this point. 
> > 	
> > 	-----Original Message-----
> > 	From: yashks@...il.com [mailto:yashks@...il.com]
> > 	Sent: Monday, May 07, 2007 3:03 AM
> > 	To: bugtraq@...urityfocus.com <mailto:bugtraq@...urityfocus.com>
> > 
> > 	Subject: Defeating Citibank Virtual Keyboard protection using screenshot
> > 	method
> > 	
> > 	Severity: Critical
> > 	
> > 	Platforms Affected:
> > 	
> > 	Microsoft Corporation: Windows 98 Any version 
> > 	Microsoft Corporation: Windows Me Any version
> > 	Microsoft Corporation: Windows XP Any version
> > 	Microsoft Corporation: Windows 2000 Any version
> > 	Microsoft Corporation: Windows 2003 Any version
> > 	Microsoft Corporation: Windows NT 4.0 Any version
> > 	Citi-Bank: Citi-Bank Virtual Keyboard Any version
> > 	
> > 	Browsers:
> > 	Microsoft Internet Explorer Any version
> > 	Mozilla FireFox Any version
> > 	Any browser runs on Win32 platform ( With slight modification ) 
> > 	
> > 	Original URL: http://www.tracingbug.com/index.php/articles/view/23.html
> > 	
> > 	Regards,
> > 	Yash K.S <yashks@...il.com > | www.tracingbug.com
> > 	
> > 	All mail to and from this domain is GFI-scanned.
> > 	
> > 	
> > 
> > 
> > 
> > 
> 
> 
> 
