Security Evaluation CLX.Sentinel

Transcription

1 Security Evaluation CLX.Sentinel October 15th, 2009 Walter Sprenger Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

2 CLX.Sentinel::Compass Statement Compass Certification of CLX.Sentinel To the best of its knowledge, Compass is not aware to this date of alternative solutions and products which can match the range and strength of the CLX.Sentinel protection mechanisms implemented to safeguard Internet-based e-banking transactions. Slide 2

3 CLX.Sentinel::Agenda Main Threats to ebanking Compass Security Tests Results Slide 3

4 Main Threats to ebanking Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

5 CLX.Sentinel::Man In The Middle Offline Phishing Online Phishing Slide 5

6 CLX.Sentinel::Man in the Middle Phishing User receives with URL or clicks on link on blog, social network etc. User is motivated to connect to a spoofed ebanking web page Offline Attack Hacker captures login information An error page is displayed to the user (ebanking out of service) Hacker uses login information to login to the real ebanking Online Attack The traffic between the user and the ebanking is redirected over the proxy of the hacker The hacker waits until the user logs in to the ebanking The hacker modifies the data transferred or The hacker copies the session information to another browser Slide 6

7 CLX.Sentinel::Trojan Attack Vectors Slide 7

8 CLX.Sentinel::Client Attacks Simple Trojans Limited to a handful of ebanking applications Steal username, password and one time password Steals session information and URL and sends it to attacker Attacker imports information into his browser to access the same account Generic Trojans In the wild since 2007, but still in development Can attack any ebanking (and any web application) New configuration is downloaded continously Targeted Trojans May attack new security features like SMS Authentication, USB Sticks, SmartCards Not yet seen in the wild Slide 8

9 CLX.Sentinel::eBanking Trojan News Slide 9

10 CLX.Sentinel::eBanking Trojan News URLZone Trojan Installation Distribution with LuckySpoilt crimeware toolkit ($100-$300) Infects legitimate websites Drive-By Installation in Firefox, IE6, IE7, IE8, Opera Functionality Replaces transaction in browser on the fly Modifies bank balance screen and transaction screen Hides from fraud detection systems Sends screen shots of logged in user to control server Communication over HTTP to receive new commands (Source: Finjan Cybercrime Intelligence Report 3, September 2009) Slide 10

11 Test Procedure Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

12 CLX.Sentinel::Test Procedure Slide 12

13 CLX.Sentinel::Test Procedure Test Cases Implementation Tests Static Reverse Engineering Dynamic Reverse Engineering Memory Dumping Sniffing communication (USB/Network) Binary manipulation Process Injection Techniques Sending KeyStroke Screen Capturing Keystroke Capturing Access Certificate directly Man in the Middle Attacks DNS spoofing Redirection/Cross Site Scripting Attacks Plugins/Extensions Tests Zero Footprint Tests Session Hijacking Slide 13

14 CLX.Sentinel::TestCase SmartCard TestCase: Read PIN from Keyboard or display spoofed PIN dialog Access SmartCard directly using the SmartCard API/Driver PIN Remediation: Anti-Keylogging Use Customized CardAPI Hash PIN entered Slide 14

15 CLX.Sentinel::MemoryDump TestCase: Dump memory to file Search for session cookie in dump file Use session cookie to access ebanking Remediation CLX.Sentinel: Encrypt memory Remediation ebanking: Bind TLS and application session Verify user agent Slide 15

16 CLX.Sentinel::Screenshots Browser PIN Entry PDF Viewer Warning Slide 16

17 Results Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

18 CLX.Sentinel::eBanking Architecture Protecting the weakest component Bank: WebApp Security and Firewalls (Network/Application) Network: SSL Encryption with Mutual Authentication CLX.Sentinel: Protects Customer environment Customer Transmission Bank Slide 18

19 CLX.Sentinel::App Virtualization Secured Application/Virtualization Browser Apps Browser Apps Browser Apps Browser Apps API API API API API API OS OS OS OS OS HW HW HW HW No virtualization Application Protection Application and API Protection Virtual Machine CLX.Sentinel Slide 19

20 CLX.Sentinel::Communication Slide 20

21 CLX.Sentinel::Results General The specified security features have been implemented and a very good protection level could be reached Protection against Man in the Middle/Phishing Mutual Authentication with Smart Card Certificate Access Control List prevents connection to fake webservers/proxies Server Certificate and IP-Address Verification Protection against Trojan SSL Stack implemented in Binary Checksums and Signatures Binary and Memory Encryption Anti Reverse Engineering and Anti Debugging Techniques used Detects malicious activity on system Slide 21

22 CLX.Sentinel::Results Other Protection Features Anti Screen Capturing Anti Keystroke Logging Disable Application Steering Prevents Resource Manipulation PIN/PUK Hashing Limited Browser functionality Secure Updates Only signed updates possible Improve protection / address new threats Slide 22

23 CLX.Sentinel::Results Residual Risks The Hardened Browser is a software that runs on a potentially unsafe environment Attacker could order CLX.Sentinel and invest a lot of time to reverse engineer the software The attacker could write a Trojan that specifically attacks the CLX.Sentinel Probability Hacker like to choose the easiest way. As long as there are much weaker ebanking systems it is unlikely that the hackers will invest in this difficult and time consuming attack. Slide 23

24 CLX.Sentinel::Statement Compass Why is ebanking safer with CLX.Sentinel? The user is familiar with browsers and USB sticks Strong authentication and session binding with SmartCard Only access to ebanking sites possible Not a monoculture browser (highly customized) Defends against current trojan technology Can be updated with new protection mechanisms Does not leave traces on computer screen captures prevented Slide 24

25 Slide 25