NEWS FROM THE LAB - Tuesday, February 23, 2010

Sprechen Sie SSL? Posted by Mika @ 14:18 GMT

Why is it that banking trojans are a problem when all online banks are HTTPS secured and many of them employ multi-factor authentication?

The answer: Humans are not digital.

If we would have a network cable attached to our brain, and our brain could decrypt and encrypt SSL, there would be no problem. However, due to the "analog" interfaces which human beings have, a web browser has to decrypt the traffic and convert it into images (text characters, icons, et cetera) and sounds. This means that a malicious application that can modify the browser memory can control what the user sees, and what he then sends to the bank via in-band communications. It is technically possible for malware to free ride on authenticated sessions with online services and feed or modify transactions.

If malware can modify the memory of the browser, or some other application, it can gain control. This is not just a problem for online banking and not just with malware. For example, current MMORPG games typically do quite a bit of the computation needed on the client side. Not all of this computation is graphics processing. This creates the possibility for cheating in games by patching the client or its memory locally on the host (Greg Hoglund and Gary McGraw have written a book called "Exploiting Online Games: Cheating Massively Distributed Systems [2007]" on the subject). Another good example of this "client-side dilemma" is voting. Imagine sitting at home on your couch while using your web browser to vote in your local/state/national elections. If and when this becomes possible, malware may be used to rig votes.

Sprechen Sie SSL?

Today's browser is more powerful than yesterday's OS.

The browser is, for all practical purposes, a terminal of the bank, but it is running in a completely untrusted environment. Actually, you could say that the Browser is the new OS. Since important content is more and more in the cloud and accessed via the browser, malware, in theory, does not have to infect the OS at all. Malware only needs to infect the browser and it will be able to access, steal, and modify all the necessary content. Since most browsers have a cross-platform plugin architecture, it may even be possible to create data stealing malware that is not interested in the operating system or file system at all. It will only exist in memory of the browser.

Currently, banking trojans do infect the OS and are typically only a problem for Windows based systems. Banking trojans and other malware that need to bypass HTTPS security operate within the browser. This is called a Man-in-the-Browser (MitB) attack. If the malware would try to intercept the traffic from a lower OS level, it would already be HTTPS encrypted. This is not a new phenomenon but nevertheless it is still on the upswing within most malware author's armory. MitB malware is typically browser dependent and most of them only target Internet Explorer (and possible other browsers using MS WinINet API) and lately also Firefox.

Is safe online banking impossible then?

Aside from keeping your system clean of malware, at least "safe enough" is definitely possible. For example, out-of-band solutions, using an SMS message to review and confirm transactions, provide a good additional layer of security. Some have also suggested using something such as a Live Linux CD when doing online banking.

Alas, both SMS messaging and Live CDs are examples of the old "security versus usability" issue. They're an additional layer of security, but they can also rapidly overwhelm the analog brains of those using them.