Been reading up on MitB attacks and some things worry me about this.
From WIKI:
The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure.
One of the most effective methods in combating a MitB attack is through an Out-of-Band (OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser.
So if I get this straight, the only really safe method is a non-browser confirmation method (like a phone call or some other external tool).
Would an email count as an OOB transaction? Or could the MitB send a fake email?
Is there a way to prevent MitB with only code?
EDIT: I'm asking this because our local banking system is employing a physical keygen device, which you have to press to get a number and then enter that number into a field in the transaction form.
I have no idea if that is considered safe, since it looks like a MitB attack just makes it look like everything you did is safe and correct, but what actually happened is that the form data was changed on submit and the money is now being transferred to some other bank account. So it would have access to this keygen number.
5 Answers
#1
Generally speaking if your machine is infected then you are vulnerable no matter what.
A physical token or "out of band" token is designed to solve the "identity" problem and gives the bank higher confidence that the person logging in is the person they say they are. These sorts of mechanisms normally involve using a "one time code" technique so that even if someone is recording the conversation with the bank, the token can't be reused. However, if the malware is intercepting in real time then it can maliciously control the account after you have successfully logged in, but often banks require a new 'code' each time you try to do something like transfer money out of the account. So the malware would have to wait for you to do this legitimately and then modify the request. However, most malware is not real-time and sends data to a 3rd party for collection and later use. Using these "one time token" techniques would successfully defend against this post-processing of the login data, because the recorded data can't be used later to log in.
To answer your question, there is no way to defend against this only in code. Anything you do could be specifically worked around in a piece of malware.
#2
Would an email count as an OOB transaction?
Given the prevalence of Web mail services like GMail, I would say No. Even if the target of such an attack isn't using Web mail, an attacker that has control of the target's browser could fire off a fake email, just as you suggest.
#3
In the article which is the subject of (and referenced by) that Wikipedia article, step 1 in the "Method of Attack" is stated as:
- The Trojan infects the computer's software, either OS or Application.
The answer to your question is therefore "no": once the O/S is infected then the malware can (theoretically at least) be intercepting your email too.
As an aside, some client platforms (e.g. even mobile phones, not to mention dedicated point of sale terminals) are less susceptible to infection than others.
#4
I suppose you could use critical pieces of the transaction information as part of a secondary or tertiary transaction verification step. That is, if I thought I told the bank account #12345 and it heard #54321 because the data was adulterated by that type of attack, the secondary verification would fail the encryption check. It would also be possible for the bank to echo back something that was more difficult to alter, like an image containing the relevant information.
The thing about these types of discussions is that it can always get more complicated. Email is not a valid out-of-band step because I have to imagine I have a rootkit ... if I stop that, I have to imagine that my OS is actually a guest OS running in an evil virtual machine ... if I stop that, I guess I have to imagine it's the matrix and I can't trust anything at all to protect my Visa card with $200 of available credit. :)
#5
This is my point of view for the man in the browser. The man in the browser is as if:
- The victim stands up, leaves his computer, and turns his back to his computer, so he cannot touch the keyboard, move the mouse or even see the screen.
- A hacker sits behind the victim's computer.
- If the victim wants to work with his computer he must ask the hacker to do it for him. If he wants to see any result, he must ask the hacker to read the data on the monitor.
- The hacker does his best to convince the user that he is doing what he asks for and repeats what he sees. But he tries to take advantage of this situation with no mercy!
As a simple case:
- The victim may ask the hacker to fill in the transaction form data as "transfer 500USD to mom".
- The hacker instead can type "transfer 10000USD to Jack". (Tamper with the form data before sending)
- The system may display "I have transferred 10000USD to Jack", but the hacker says that the 500USD has been transferred to mom. (Tamper with the result HTML)
- The victim asks to see his account balance, to make sure that the transfer is done.
- The hacker can say that the account balance is correct. (This can be done, for example, by removing the last line of the balance table and changing the balance amount in the HTML)
As for email:
- You are waiting for an email, and ask the hacker "do I have a confirmation email from the bank?"
- As you cannot see the monitor, he says "yes, you have". (Technically he can generate a fake email easily.) (Even if you sit at another, clean computer, a fake email can be sent to you again.)
Image generation cannot prevent the attack either.
- You ask the hacker: "my bank should show me an image which must display the transfer information, can you see it, what does it say?"
- The hacker replies: "Yes, I can see it, it says 'You are transferring 500USD to mom'." (The image can easily be created by JavaScript, or the hacker can point the image URL to a server which generates a dynamic image with appropriate data to cheat the user.)
A very dangerous situation may happen when the man in the browser changes the flow of the site. In this case even an OTP or keygen system cannot prevent the attack. For example:
- You tell the hacker that you want to see your balance.
- The hacker goes to the transfer page and fills in a transfer form to transfer 10000USD to Jack (but you don't know what he is doing at all, you are just waiting). He comes to a page that asks him for a key. This is the key which you must give him.
- Now the hacker says: "Well, the bank asks me: if you want to see your balance you must enter a key."
- You think: "well, a key for the balance seems strange, but anyway, let's give that key, I trust this guy!!"
- The hacker switches back to the transfer form and uses the key to do the transfer.
So as you can see there is no server-side solution for a man in the browser; you can:
- Use an out-of-band solution to deliver critical information to the user. (This is as if you take a mobile in your hand: although your back is still to your computer, sensitive information is sent to your TRUSTED device and you can see the critical information.)
- Use a hardened browser to make sure that no one can change its behavior. (Sit back at your computer :) )
Good samples of what can be done by MITB can be found at: http://www.tidos-group.com/blog/2010/12/09/man-in-the-browser-the-power-of-javascript-at-the-example-of-carberp/
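The difference between the keygen from the question, the "one time code" in answer #1 and the "critical pieces of the transaction information" in answer #4 can be shown in code. The example below is added here and is not from the question, any answer, or any bank's product; it models a bank server, a trusted token (hardware keygen or phone app, assumed uninfected) and a MitB that rewrites the form on submit. The token secret, the HMAC-SHA256 six-digit truncation, and the `Token`/`Bank` classes are all constructed for the demonstration. A plain counter-based OTP is accepted even when the form was rewritten, because the code says nothing about the amount or destination; a code bound to the transaction details the user intended fails verification against what the bank actually received.

```python
"""Transaction-bound verification versus a plain one-time code under a man-in-the-browser.

Added example, not from the original thread. Models three parties: the user's trusted
token, the bank, and malware that rewrites the submitted form behind the user's back.
"""
import hashlib
import hmac
import secrets

# Constructed demo secret; real deployments provision a per-device secret at enrolment.
TOKEN_SECRET = b"constructed-demo-secret-not-for-real-use"


def _six_digit_code(secret: bytes, message: bytes) -> str:
    """Truncate an HMAC-SHA256 tag to a six-digit code, the way OTP tokens display codes."""
    tag = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


class Token:
    """The user's trusted device (hardware keygen or phone app), assumed to be uninfected."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_otp(self) -> str:
        """Plain one-time code: depends only on the secret and a counter, never on the transaction."""
        self.counter += 1
        return _six_digit_code(self.secret, self.counter.to_bytes(8, "big"))

    def sign_transaction(self, challenge: str, amount: int, dest: str) -> str:
        """Transaction-bound code: the user keys the intended amount and destination into the
        token (or confirms them on an out-of-band screen), so the code commits to those values."""
        return _six_digit_code(self.secret, f"{challenge}|{amount}|{dest}".encode())


class Bank:
    """Server side: verifies codes against what it actually received from the browser."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def issue_challenge(self) -> str:
        # Fresh per-transaction challenge, so a captured code cannot be replayed later.
        return secrets.token_hex(8)

    def verify_otp(self, form: dict) -> tuple:
        """Weak: any amount/destination is accepted as long as the next counter code matches."""
        self.counter += 1
        expected = _six_digit_code(self.secret, self.counter.to_bytes(8, "big"))
        ok = hmac.compare_digest(expected, form["code"])
        return ("accepted" if ok else "rejected", form["amount"], form["dest"])

    def verify_signed(self, challenge: str, form: dict) -> tuple:
        """Hardened: the code is recomputed over the received amount/destination, so any
        rewrite of the form between user and bank makes the check fail."""
        message = f"{challenge}|{form['amount']}|{form['dest']}".encode()
        ok = hmac.compare_digest(_six_digit_code(self.secret, message), form["code"])
        return ("accepted" if ok else "rejected", form["amount"], form["dest"])


def mitb_rewrite(form: dict) -> dict:
    """Models the malware from answer #5: the form is rewritten on submit while the user's
    screen still shows the transfer they typed. Values are constructed."""
    return {**form, "amount": 10000, "dest": "Jack"}


def run_plain_otp(tampered: bool) -> tuple:
    """User types 500 USD to mom and enters the keygen code; the MitB may rewrite the form."""
    token, bank = Token(TOKEN_SECRET), Bank(TOKEN_SECRET)
    form = {"amount": 500, "dest": "mom", "code": token.next_otp()}
    if tampered:
        form = mitb_rewrite(form)
    return bank.verify_otp(form)


def run_transaction_signing(tampered: bool) -> tuple:
    """Same transfer, but the code is bound to the amount and destination the user intended."""
    token, bank = Token(TOKEN_SECRET), Bank(TOKEN_SECRET)
    challenge = bank.issue_challenge()
    intended = {"amount": 500, "dest": "mom"}
    code = token.sign_transaction(challenge, intended["amount"], intended["dest"])
    form = {**intended, "code": code}
    if tampered:
        form = mitb_rewrite(form)
    return bank.verify_signed(challenge, form)


if __name__ == "__main__":
    print("plain OTP, untouched form: ", run_plain_otp(False))
    print("plain OTP, rewritten form: ", run_plain_otp(True))
    print("signed txn, untouched form:", run_transaction_signing(False))
    print("signed txn, rewritten form:", run_transaction_signing(True))
```

Two points follow from running it. First, the flow-change trick in answer #5 works against the plain keygen precisely because the key the user hands over is valid for whatever transaction the malware has queued; a transaction-bound code for "500 to mom" cannot authorise "10000 to Jack", so the trick only succeeds if the user can be talked into keying the attacker's amount and destination into the token. That is why the trusted device must display what is being signed, which is the out-of-band channel the accepted answers recommend. Second, the per-transaction challenge is what stops the recorded-and-replayed-later case from answer #1; the six-digit truncation means a rewritten form is rejected with overwhelming, not absolute, probability.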