A couple of months ago I was watching It Takes a Thief. For those who do not know the show, a homeowner lets an ex-thief try to break into their home. The ex-thief is filmed breaking in and stealing the homeowner’s belongings, which are later returned. In this particular episode the homeowner thought they had the thief completely locked out of the house, but what happened next was completely unexpected.
After checking around the house and not finding any easy way in through an unlocked door or window, the thief heads to the front of the house and closes the blinds on the front porch. The homeowner starts to wonder whether the ex-thief is going to pick the two locks on the door, but to the homeowner’s dismay he picks up a chair and throws it through one of the porch windows now hidden behind the blinds. He then walks in and starts taking whatever he wants.
So why tell this story? It makes an important point: why spend the time picking one or more locks when you can just break a window? If you are going to wreck the house stealing whatever is valuable anyway, there is no reason to invest the time in picking the lock. The same principle applies to IT security.
Internet users have been taught to feel secure whenever they see the padlock in the web browser, which means the connection to the site is encrypted with SSL. But are they truly secure? The transmission itself is, for practical purposes, secure: breaking the encryption by brute force would take so long that it is not feasible within the lifetime of the information being sent. If it took several years, would the information you sent still be relevant? More than likely not, and the reward (money or information) is rarely worth years of effort.
So SSL is mostly secure, right? Not in the way that matters, and for the same reason the ex-thief got into the house: why spend the time breaking the encryption when you can simply go around it? What would that take, and is it feasible?
All it takes is a small piece of malware that can be described as SSL evading. It sits on the soon-to-be victim’s computer and waits for a trigger, such as a visit to a particular website. Once the trigger fires, for instance when the user goes to their banking site, the malware lets the SSL connection be established and lets the user complete the login as usual: username and password, security questions, a fingerprint or other biometric. Because the malware runs on the user’s own machine, inside or alongside the browser, it sees the login data before SSL encrypts it (and after SSL decrypts the reply), so the encryption on the wire never comes into play. Any login process, single- or multi-factor, is exposed to this breed of Trojan; a stolen one-time code is only useful for the short window in which it is valid, but a Trojan acting in real time needs no longer than that. The Trojan records the credentials and sends them back to the attacker. This is the credential-stealing variant. A related variant is the bogus-SSL Trojan, which sends the user to a proxy page that looks exactly like the bank’s site, captures the login information, and forwards it both to the attacker and to the real bank site so the user notices nothing.
The next variant is a little more sophisticated: the transaction-based Trojan. Instead of collecting login information, it waits until you submit a transaction at your bank’s website, such as transferring money from one account to another or paying a bill through e-bill pay, and then alters that transaction to do something else, like sending the money to a different account or bank. The bank sees a request arriving over an authenticated SSL session and has no way to tell, from the session alone, that the customer never asked for it.
Take the Win32.Grams E-gold Trojan. The Trojan “spawned in November 2004… When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer. The user’s account balance, minus a small amount (to bypass any automatic warnings), is then sent to a predefined payee.” [Source: How SSL-Evading Trojans Work; Infoworld; Issue 18; May 1st 2006; pg 28]
These SSL-evading Trojans are packed uniquely, so each copy carries a different signature and defeats signature-based anti-virus. The best way to stop one is for the website to use defensive mechanisms beyond authentication, because the Trojan rides on a session the customer has already authenticated; the bank has to judge the transaction itself, for example by treating a new payee or a transfer of nearly the whole balance as suspicious and confirming it through a channel the Trojan does not control. Educating users about these Trojans also helps, though it may make some consumers nervous about buying or banking online. Infoworld has listed 10 ways to safeguard your site.
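The following is an added example, not code from the original post or from Infoworld, of what “defensive mechanisms other than authentication” can look like on the bank’s side for the transaction-based Trojan described above. It scores each transfer on the pattern the Grams Trojan used (a new payee receiving almost the whole balance) and, for risky transfers, demands a confirmation code that is delivered out of band and is an HMAC over the exact amount and payee. The thresholds, the account data, the customer secret and the payee names are all constructed for the example; in a real deployment the secret would live in an HSM or key-management service and the code would be delivered by SMS or a banking app that shows the amount and payee alongside it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Thresholds are assumptions for this example, not values from any real bank.
NEAR_DRAIN_RATIO = 0.90   # a transfer that leaves under 10% of the balance is suspect
CODE_DIGITS = 6

# Constructed per-customer secret shared with the out-of-band channel
# (SMS/OTP backend). A real deployment would keep this in an HSM or KMS.
SECRET = b"example-customer-secret"


@dataclass
class Account:
    balance: float
    known_payees: set = field(default_factory=set)


@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str


def risk_reasons(account, transfer):
    """Reasons a transfer must not go through on the logged-in session alone.

    An authenticated session proves nothing about who composed a request,
    because a Trojan in the browser submits from that same session. These
    checks look at the transaction instead of the login.
    """
    reasons = []
    if transfer.amount > account.balance:
        reasons.append("insufficient funds")
    if transfer.payee not in account.known_payees:
        reasons.append("new payee")
    if account.balance > 0 and transfer.amount >= NEAR_DRAIN_RATIO * account.balance:
        # Grams-style pattern: "balance minus a small amount" to a predefined payee.
        reasons.append("near-total balance drain")
    return reasons


def confirmation_code(secret, transfer):
    """Code shown to the customer out of band, bound to the exact amount and payee.

    Because the code is an HMAC over the transaction details, a code the
    customer typed for one transfer cannot authorize a different one.
    """
    msg = f"{transfer.amount:.2f}|{transfer.payee}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS
    return f"{number:0{CODE_DIGITS}d}"


def authorize(account, transfer, secret, code=None):
    """Decide whether the transfer may execute. Returns (allowed, explanation)."""
    reasons = risk_reasons(account, transfer)
    if "insufficient funds" in reasons:
        return False, "insufficient funds"
    if not reasons:
        return True, "low risk: session authentication is enough"
    if code is None:
        return False, "out-of-band confirmation required: " + ", ".join(reasons)
    if hmac.compare_digest(code, confirmation_code(secret, transfer)):
        return True, "confirmed out of band"
    return False, "code does not match this amount and payee"


def scenario():
    """Walk through a routine bill payment and a Trojan-initiated drain (constructed data)."""
    account = Account(balance=5000.00, known_payees={"electric company"})
    results = {}

    # 1. Routine payment to a payee the customer has used before.
    results["bill"] = authorize(account, Transfer(120.00, "electric company"), SECRET)

    # 2. Trojan opens a hidden window and sends almost everything to a new payee.
    drain = Transfer(4950.00, "mule account")
    results["drain_no_code"] = authorize(account, drain, SECRET)

    # 3. Customer legitimately pays a new landlord and confirms it out of band.
    rent = Transfer(2000.00, "landlord")
    code_for_rent = confirmation_code(SECRET, rent)   # delivered via SMS/app in reality
    results["rent_confirmed"] = authorize(account, rent, SECRET, code_for_rent)

    # 4. Trojan swaps amount and payee after the customer typed the rent code.
    results["drain_replayed_code"] = authorize(account, drain, SECRET, code_for_rent)
    return results


if __name__ == "__main__":
    for name, (allowed, why) in scenario().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY':5} {why}")
```

The design point is in step 4: the Trojan can rewrite the amount and payee inside the browser, but the confirmation code the customer typed was computed over the original details, so the rewritten transfer is refused. This only holds if the out-of-band message shows the customer the amount and payee the code is bound to; a code delivered without those details would be forwarded by the customer just as readily for the Trojan’s transaction.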
For more information, I suggest reading “When SSL Isn’t Safe” in issue 18 (May 1st, 2006) of Infoworld.