lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <4642FE7C.32193.2221AA80@nick.virus-l.demon.co.uk>
Date: Thu, 10 May 2007 11:14:04 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot
 method

Jim Harrison to "Int3":

> (copied here without permission)
> Step by Step Demo:
> 
> - Download POC from http://tracingbug.com/downloads/citihook.zip and
> unzip to some directory
> - Launch citihook.exe, this will watch only
> https://www.online.citibank.co.in/ URL
> 
> Effectively, "Let me install my malware on your machine to demonstrate
> how vulnerable it is."
> 
> P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> The "problem" ceases to be a vulnerability at this point.

And again, in your subsequent response to a message from "Int3" I've 
not seen in the list:

> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.
 
Jim -- you have _entirely_ missed the point.

Why did Citi introduce these "onscreen keyboards"?

Because a sizable chunk of its userbase was already infested with 
"keystroke logger" type malware, or at least there was a good chance 
this was, or may soon become*, the case...

Some bright cookie at Citi recognized** that if they made their users 
"type" by clicking their mouse on a "virtual keyboard" they would 
sidestep the capture of user credentials by the throngs of extant 
keylogger warez already out there.

"Int3" has shown a trivial way for the bad guys behind the keyloggers 
to subvert this sidestep.

You are right in suggesting that calling this "disclosure" a 
"vulnerability" is a tad "optimistic", but beyond having filed his 
disclosure in the "Vulnerability" section of his site, "Int3" does not 
actually use that word in describing this.

What "Int3" has shown (or, as others have already noted, "shown again"; 
IIRC, the first such discussion and PoC of the abject futility of OSK's 
as defeats for keylogger-compromised end-user systems I saw was back 
about 1999/2000) is that if the remote client system cannot be trusted, 
you cannot trust the remote client.  Whilst trivially correct and 
fundamentally obvious,*** I don't think it does any harm to repeat this 
truism in light of the stupidity of such large and potentially 
influential organizations as Citi adopting such obviously flawed and 
inadequate technology.

That is the point "Int3" was reiterating.  If the problem Citi's OSK is 
supposed to fix is actually that the bad guys already have, or can more 
or less easily get, arbitrary code onto the client machine, then 
changing the way the client user interacts with the machine does not 
solve the problem -- it simply changes the form of data capture the bad 
guys' arbitrary code has to perform.



*   It is well-known that, for example, many of the major South 
American banks have, for some time now, had a _massive_ problem with 
online banking-targetted keyloggers.

**  Or, perhaps more likely, some third-party sold Citi on their patent-
pending "anti-keylogger" technology.

*** Except, it seems, to sections of the banking IT fraternity and, if 
my previous footnote is correct, those who develop "security solutions" 
for the banking fraternity.




Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ