Security Evaluation CLX.Sentinel

Security Evaluation CLX.Sentinel
October 15th, 2009
Walter Sprenger, walter.sprenger@csnc.ch
Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel. +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch

CLX.Sentinel::Compass Statement
Compass Certification of CLX.Sentinel
To the best of its knowledge, Compass is not aware to this date of alternative solutions and products which can match the range and strength of the CLX.Sentinel protection mechanisms implemented to safeguard Internet-based e-banking transactions.
Slide 2

CLX.Sentinel::Agenda
  Main Threats to ebanking
  Compass Security Tests
  Results
Slide 3

Main Threats to ebanking

CLX.Sentinel::Man In The Middle (Offline Phishing / Online Phishing)
Slide 5

CLX.Sentinel::Man in the Middle
Phishing
  User receives an email with a URL or clicks on a link on a blog, social network etc.
  User is motivated to connect to a spoofed ebanking web page
Offline Attack
  Hacker captures login information
  An error page is displayed to the user (ebanking out of service)
  Hacker uses the login information to log in to the real ebanking
Online Attack
  The traffic between the user and the ebanking is redirected over the proxy of the hacker
  The hacker waits until the user logs in to the ebanking
  The hacker modifies the data transferred, or
  The hacker copies the session information to another browser
Slide 6

CLX.Sentinel::Trojan Attack Vectors Slide 7

CLX.Sentinel::Client Attacks
Simple Trojans
  Limited to a handful of ebanking applications
  Steal username, password and one time password
  Steal session information and URL and send it to the attacker
  Attacker imports the information into his browser to access the same account
Generic Trojans
  In the wild since 2007, but still in development
  Can attack any ebanking (and any web application)
  New configuration is downloaded continuously
Targeted Trojans
  May attack new security features like SMS Authentication, USB Sticks, SmartCards
  Not yet seen in the wild
Slide 8

CLX.Sentinel::eBanking Trojan News Slide 9

CLX.Sentinel::eBanking Trojan News
URLZone Trojan
Installation
  Distribution with the LuckySploit crimeware toolkit ($100-$300)
  Infects legitimate websites
  Drive-By Installation in Firefox, IE6, IE7, IE8, Opera
Functionality
  Replaces transactions in the browser on the fly
  Modifies bank balance screen and transaction screen
  Hides from fraud detection systems
  Sends screen shots of the logged in user to the control server
  Communication over HTTP to receive new commands
(Source: Finjan Cybercrime Intelligence Report 3, September 2009)
Slide 10

Test Procedure

CLX.Sentinel::Test Procedure Slide 12

CLX.Sentinel::Test Procedure
Test Cases
Implementation Tests
  Static Reverse Engineering
  Dynamic Reverse Engineering
  Memory Dumping
  Sniffing communication (USB/Network)
  Binary manipulation
Process Injection Techniques
  Sending KeyStroke
  Screen Capturing
  Keystroke Capturing
  Access Certificate directly
Man in the Middle Attacks
  DNS spoofing
  Redirection/Cross Site Scripting Attacks
Plugins/Extensions Tests
Zero Footprint Tests
Session Hijacking
Slide 13

CLX.Sentinel::TestCase SmartCard
TestCase:
  Read PIN from Keyboard or display spoofed PIN dialog
  Access SmartCard directly using the SmartCard API/Driver
PIN Remediation:
  Anti-Keylogging
  Use Customized CardAPI
  Hash PIN entered
Slide 14

CLX.Sentinel::MemoryDump
TestCase:
  Dump memory to file
  Search for session cookie in dump file
  Use session cookie to access ebanking
Remediation CLX.Sentinel:
  Encrypt memory
Remediation ebanking:
  Bind TLS and application session
  Verify user agent
Slide 15
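Added example (not from the slides or from CLX.Sentinel itself) of the MemoryDump test case and the ebanking-side remediation: a scan of a constructed dump fragment for a cleartext session cookie, and a session store that binds each session to the TLS client certificate and user agent so a copied cookie is refused. The cookie name JSESSIONID, the dump bytes and the certificate bytes are constructed.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample: a fragment of a browser process memory dump in which an
# HTTP session cookie sits in cleartext (step 2 of the MemoryDump test case).
SAMPLE_DUMP = (
    b"\x00\x00\x7fELF\x00GET /ebanking/overview HTTP/1.1\r\nHost: ebank.example\r\n"
    b"Cookie: JSESSIONID=9F2C1A77B3E4D5; lang=de\r\n\x00\xff\xfe\x00"
)
COOKIE_RE = re.compile(rb"JSESSIONID=([A-Za-z0-9]+)")


def find_session_cookies(dump: bytes) -> List[str]:
    """Scan a raw dump for cleartext session identifiers (the test-case step)."""
    return [m.decode() for m in COOKIE_RE.findall(dump)]


class BoundSessionStore:
    """ebanking-side remediation: the application session is bound to the TLS
    client certificate of the mutually authenticated connection and to the user
    agent, so a cookie lifted from memory fails when replayed elsewhere."""

    def __init__(self) -> None:
        # session id -> (user, sha256 of client cert DER, user agent)
        self._sessions: Dict[str, Tuple[str, str, str]] = {}

    def create(self, user: str, client_cert_der: bytes, user_agent: str) -> str:
        sid = secrets.token_hex(16)
        fp = hashlib.sha256(client_cert_der).hexdigest()
        self._sessions[sid] = (user, fp, user_agent)
        return sid

    def lookup(self, sid: str, client_cert_der: bytes, user_agent: str) -> Optional[str]:
        """Return the session's user, or None if the cookie is unknown or arrives
        over a different TLS client certificate or user agent. A binding
        mismatch is treated as a hijacking attempt and revokes the session."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, cert_fp, ua = entry
        presented_fp = hashlib.sha256(client_cert_der).hexdigest()
        if not secrets.compare_digest(cert_fp, presented_fp) or ua != user_agent:
            del self._sessions[sid]
            return None
        return user
```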

CLX.Sentinel::Screenshots (Browser, PIN Entry, PDF Viewer, Warning)
Slide 16

Results

CLX.Sentinel::eBanking Architecture
Protecting the weakest component
  Bank: WebApp Security and Firewalls (Network/Application)
  Network: SSL Encryption with Mutual Authentication
  CLX.Sentinel: Protects Customer environment
(Diagram: Customer / Transmission / Bank)
Slide 18

CLX.Sentinel::App Virtualization
(Diagram "Secured Application/Virtualization": four Browser/Apps, API, OS, HW stacks side by side, labelled No virtualization, Application Protection, Application and API Protection, and Virtual Machine; CLX.Sentinel is marked on the diagram)
Slide 19

CLX.Sentinel::Communication Slide 20

CLX.Sentinel::Results
General
  The specified security features have been implemented and a very good protection level could be reached
Protection against Man in the Middle/Phishing
  Mutual Authentication with Smart Card Certificate
  Access Control List prevents connection to fake webservers/proxies
  Server Certificate and IP-Address Verification
Protection against Trojan
  SSL Stack implemented in Binary
  Checksums and Signatures
  Binary and Memory Encryption
  Anti Reverse Engineering and Anti Debugging Techniques used
  Detects malicious activity on system
Slide 21
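Added example (not from the slides or from CLX.Sentinel itself) of how the three Man in the Middle/Phishing controls above combine into one connection-policy check: an access control list of permitted hosts, verification of the resolved IP address against the expected range, and a pinned server certificate. The hostname, address range and certificate bytes in the policy are constructed.

```python
import hashlib
import ipaddress
from typing import Dict, Tuple

# Constructed policy standing in for the hardened browser's built-in ACL: the only
# host the browser may contact, the SHA-256 pin of the bank's server certificate
# and the address range the hostname is expected to resolve to.
TRUSTED_SERVER_CERT_DER = b"constructed DER bytes of the ebank.example server certificate"
POLICY: Dict[str, Dict] = {
    "ebank.example": {
        "cert_pins": {hashlib.sha256(TRUSTED_SERVER_CERT_DER).hexdigest()},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
    }
}


def check_connection(host: str, resolved_ip: str, server_cert_der: bytes) -> Tuple[bool, str]:
    """Decide whether a connection may proceed. Each check maps to one result on
    the slide: the ACL stops unknown hosts (phishing pages, proxies), the address
    check catches DNS spoofing, and the certificate pin catches a proxy that
    terminates TLS with its own certificate even when name and address look right."""
    entry = POLICY.get(host.lower())
    if entry is None:
        return False, "host not in access control list"
    addr = ipaddress.ip_address(resolved_ip)
    if not any(addr in net for net in entry["networks"]):
        return False, "resolved address outside expected range (DNS spoofing?)"
    fingerprint = hashlib.sha256(server_cert_der).hexdigest()
    if fingerprint not in entry["cert_pins"]:
        return False, "server certificate does not match pinned certificate"
    return True, "ok"
```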

CLX.Sentinel::Results
Other Protection Features
  Anti Screen Capturing
  Anti Keystroke Logging
  Disable Application Steering
  Prevents Resource Manipulation
  PIN/PUK Hashing
  Limited Browser functionality
Secure Updates
  Only signed updates possible
  Improve protection / address new threats
Slide 22

CLX.Sentinel::Results
Residual Risks
  The Hardened Browser is software that runs in a potentially unsafe environment
  An attacker could order CLX.Sentinel and invest a lot of time to reverse engineer the software
  The attacker could write a Trojan that specifically attacks CLX.Sentinel
Probability
  Hackers like to choose the easiest way. As long as there are much weaker ebanking systems, it is unlikely that hackers will invest in this difficult and time-consuming attack.
Slide 23

CLX.Sentinel::Statement Compass
Why is ebanking safer with CLX.Sentinel?
  The user is familiar with browsers and USB sticks
  Strong authentication and session binding with SmartCard
  Only access to ebanking sites possible
  Not a monoculture browser (highly customized)
  Defends against current trojan technology
  Can be updated with new protection mechanisms
  Does not leave traces on the computer; screen captures prevented
Slide 24
