Message-id: <4642FE7C.32193.2221AA80@nick.virus-l.demon.co.uk>
Date: Thu, 10 May 2007 11:14:04 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

Jim Harrison to "Int3":

> (copied here without permission)
> Step by Step Demo:
>
> - Download POC from http://tracingbug.com/downloads/citihook.zip and
> unzip to some directory
> - Launch citihook.exe, this will watch only
> https://www.online.citibank.co.in/ URL
>
> Effectively, "Let me install my malware on your machine to demonstrate
> how vulnerable it is."
>
> P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> The "problem" ceases to be a vulnerability at this point.

And again, in your subsequent response to a message from "Int3" I've
not seen in the list:

> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Jim -- you have _entirely_ missed the point.

Why did Citi introduce these "onscreen keyboards"?

Because a sizable chunk of its userbase was already infested with
"keystroke logger" type malware, or at least there was a good chance
this was, or may soon become*, the case...

Some bright cookie at Citi recognized** that if they made their users
"type" by clicking their mouse on a "virtual keyboard" they would
sidestep the capture of user credentials by the throngs of extant
keylogger warez already out there.

"Int3" has shown a trivial way for the bad guys behind the keyloggers
to subvert this sidestep.

You are right in suggesting that calling this "disclosure" a
"vulnerability" is a tad "optimistic", but beyond having filed his
disclosure in the "Vulnerability" section of his site, "Int3" does not
actually use that word in describing this.

What "Int3" has shown (or, as others have already noted, "shown again";
IIRC, the first such discussion and PoC of the abject futility of OSKs
as defeats for keylogger-compromised end-user systems I saw was back
about 1999/2000) is that if the remote client system cannot be trusted,
you cannot trust the remote client. Whilst trivially correct and
fundamentally obvious,*** I don't think it does any harm to repeat this
truism in light of the stupidity of such large and potentially
influential organizations as Citi adopting such obviously flawed and
inadequate technology.

That is the point "Int3" was reiterating. If the problem Citi's OSK is
supposed to fix is actually that the bad guys already have, or can more
or less easily get, arbitrary code onto the client machine, then
changing the way the client user interacts with the machine does not
solve the problem -- it simply changes the form of data capture the bad
guys' arbitrary code has to perform.

* It is well-known that, for example, many of the major South
American banks have, for some time now, had a _massive_ problem with
online banking-targeted keyloggers.

** Or, perhaps more likely, some third-party sold Citi on their
patent-pending "anti-keylogger" technology.

*** Except, it seems, to sections of the banking IT fraternity and, if
my previous footnote is correct, those who develop "security solutions"
for the banking fraternity.

Regards,

Nick FitzGerald