Man in the Browser via Dynamic CSRF?
Brian Krebs’s article today is entitled “Weaponizing Web 2.0”. The article talks about one of the presentations given at Black Hat this year, where the researchers show that there are ways to beat the typical defenses against cross-site request forgery (CSRF) using off-domain images that grab referring URLs.
While it is fascinating that people are already figuring out how to beat the defenses against CSRF, I was struck by the explanation of simple CSRF. Here’s how Brian explains it:
A relatively benign CSRF attack takes place on a Web forum, wherein Alice browses a posting left by Bob. Unbeknownst to Alice, Bob has included in his message a booby-trapped image that takes advantage of the fact that she is logged in to that forum in an active session. Inside that image is a link tag that includes the URL needed to post messages on that forum. Once that image loads on Alice’s machine, the embedded link posts a message in her name to the forum, via her browser, without her permission.
In this case, the forum’s web server sees the transaction as coming from Alice. But page flow analysis would show that Alice was interacting on two distinct page flows. This is analogous to a Man in the Browser attack where the bad actor does not have malware on Alice’s machine, but instead uses the malicious link to perpetrate the bad activity.
Page flow analysis of the web server traffic would still identify this as malicious. You might even be able to figure out that it wasn’t malware and was, instead, CSRF, if you notice that the bad behavior always tends to come right after the victim reaches a particular page.
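The page-flow check described above, written out as an added example (this is illustration code, not Silver Tail’s product): it assumes a hypothetical forum layout in which the only legitimate way to post is a POST to /forum/post immediately after viewing /forum/compose, and it runs over constructed log lines in which two sessions hit the post endpoint straight from a thread page, the way a booby-trapped image would.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hypothetical forum layout assumed for this example: a legitimate post is
# a POST to /forum/post that follows a view of the compose form.
SITE_HOST = "forum.example"
POST_PATH = "/forum/post"
COMPOSE_PATH = "/forum/compose"

# Constructed web server log: session, method, request URL, Referer ("-" if absent).
# Alice and Dave both view thread 42, and their browsers then hit the post
# endpoint with a GET and the thread page as Referer: the booby-trapped image.
# Carol follows the normal flow: thread -> compose -> POST.
SAMPLE_LOG = """\
sess-alice GET /forum/thread/42 http://forum.example/forum/index
sess-alice GET /forum/post?msg=buy+pills http://forum.example/forum/thread/42
sess-carol GET /forum/thread/7 http://forum.example/forum/index
sess-carol GET /forum/compose http://forum.example/forum/thread/7
sess-carol POST /forum/post http://forum.example/forum/compose
sess-dave GET /forum/thread/42 http://forum.example/forum/index
sess-dave GET /forum/post?msg=buy+pills http://forum.example/forum/thread/42
"""


def parse_log(text):
    """Split each log line into a record with the URL path separated from its query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        session, method, url, referer = line.split()
        parts = urlsplit(url)
        records.append({"session": session, "method": method,
                        "path": parts.path, "query": parts.query,
                        "referer": referer})
    return records


def page_flows(records):
    """Group requests by session, preserving log order, to get each user's page flow."""
    flows = defaultdict(list)
    for r in records:
        flows[r["session"]].append(r)
    return flows


def find_out_of_flow_posts(records):
    """Flag hits on the post endpoint that did not arrive from the compose page."""
    flagged = []
    for session, flow in page_flows(records).items():
        for i, r in enumerate(flow):
            if r["path"] != POST_PATH:
                continue
            previous = flow[i - 1]["path"] if i > 0 else None
            ref = urlsplit(r["referer"]) if r["referer"] != "-" else None
            referer_ok = (ref is not None and ref.netloc == SITE_HOST
                          and ref.path == COMPOSE_PATH)
            # The only accepted flow is compose page -> POST with a matching Referer.
            if r["method"] == "POST" and previous == COMPOSE_PATH and referer_ok:
                continue
            flagged.append({"session": session, "method": r["method"],
                            "previous_page": previous, "referer": r["referer"]})
    return flagged


def trigger_pages(flagged):
    """Count which page each flagged post came from. One page dominating the
    count points at CSRF planted on that page rather than malware on the clients."""
    return Counter(f["previous_page"] for f in flagged)


if __name__ == "__main__":
    hits = find_out_of_flow_posts(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h)
    print(trigger_pages(hits).most_common())
```

On the constructed log, Alice’s and Dave’s sessions are flagged and Carol’s is not, and the trigger count shows both flagged posts came from /forum/thread/42, which is the signal the post describes: the same page preceding the bad behavior in every victim’s flow.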
If any of you have seen CSRF used in this way, it would be great to talk to you about analyzing your data to see what our page flow analysis flags.
Business Logic Abuse at BlackHat 2009
Good news! This year’s BlackHat USA will feature Jeremiah Grossman and Trey Ford presenting the sequel to last year’s smash hit “Get Rich or Die Trying”. The new presentation, entitled “Making Money on the Web, the Black Hat Way” will include even more ways bad guys are abusing the legitimate page flows of websites to reap huge profits.
Some of the exploits included in the presentation have been discussed by yours truly – for example the iPod warranty exploit and scamming Amazon and iTunes.
For those of you who are interested in learning more about business logic abuse, I encourage you to attend Jeremiah’s and Trey’s presentation. Silver Tail’s own Mike Eynon will be in attendance at BlackHat so if you are interested in other exciting exploits we are seeing, be sure to track him down.
Detecting Man in the Browser Attacks: Silver Tail’s first webinar
For those of you who missed it, Silver Tail had our first webinar. The subject was detecting Man in the Browser attacks. We covered the definition of Man in the Browser, why websites should be thinking about Man in the Browser now, and showed a Man in the Browser attack from three perspectives: the consumer, the web server, and page flows.
If you are interested, we recorded the webinar. You can get to the recording through this link. We’ve gotten great feedback on the webinar, so we think you’ll find it interesting.
Security (or lack thereof) in the Cloud
The case of sensitive Twitter documents being exposed due to a breach of an email account and access to the Google Documents application adds fuel to a discussion that is already approaching inferno status. I’ve heard two very different points of view on whether moving applications to the cloud will help or hinder security.
One side of the debate says that moving applications and data to the cloud is an extremely dangerous proposition. This group contends that putting applications and data in the cloud makes them more accessible to the bad guys while assembling data from multiple organizations all in one place.
I absolutely see the point that moving to the cloud has certain risks and could create efficiencies for the bad guys (attacking one place instead of many).
My main worry with keeping data and applications out of the cloud is this: Having an individual instance of each organization’s data and applications sitting within each organization’s data center means the security and protection of those data and applications falls to the security employee/team of each organization. There are now millions of people/teams worldwide with the charter to protect the applications and data of their organizations. While almost all of these people are brilliant at what they do, I see a nightmare of keeping all of them up to date on best practices, system patches and updates, etc.
Taking the cloud scenario to its extreme, we see a type of efficiency that can be gained. When many organizations’ data and applications are all stored in one place, that place will absolutely have to be an expert at protecting that data and those applications, but it seems like it would be easier to protect a lot of things under one protocol than to protect many things, each in their own disparate environs.
My preference on this point may have something to do with my being a control freak. When I think of all of the data and applications that need protecting, it’s easier for me to understand how to protect them if they are all in one place.
The debate on security of the cloud is currently raging. It would be great to hear some other viewpoints on this topic and see where my logic is flawed.
Traditional Password Advice: Not to be totally discarded
There is a paper that talks about how traditional advice on creating and maintaining secure passwords is somewhat dated. The hypothesis of the paper is that since phishing and key logging are so rampant, it is no longer necessary to maintain super secure passwords. A secure password is just as easily used by a bad guy as a weak password if the consumer gives away the password through phishing or it is observed through a key logger. Instead, it’s important to have a semi-secure password so that it is not vulnerable to password guessing.
The paper also talks about the need to have more secure userIDs, postulating that bad guys are moving towards horizontal password attacks (guessing the same password against large numbers of accounts). Strong userIDs are helpful in protecting accounts.
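A horizontal password attack has a distinctive shape in authentication logs, and it is worth seeing that shape next to ordinary password guessing. The following is an added example (not code from the paper or from Silver Tail): it classifies each source address by the pattern of its failed logins over a constructed log, then lists the accounts that logged in successfully from a flagged source, since those are the ones to review. The thresholds are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed authentication log: timestamp, source IP, username, result.
# 203.0.113.5 tries one password against many accounts (horizontal);
# 198.51.100.9 hammers a single account (vertical); 192.0.2.77 is a user
# who mistyped once. Addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
2009-10-01T10:00:01 203.0.113.5 alice FAIL
2009-10-01T10:00:02 203.0.113.5 bob FAIL
2009-10-01T10:00:03 203.0.113.5 carol FAIL
2009-10-01T10:00:04 203.0.113.5 dave FAIL
2009-10-01T10:00:05 203.0.113.5 erin FAIL
2009-10-01T10:00:06 203.0.113.5 frank OK
2009-10-01T10:05:00 198.51.100.9 alice FAIL
2009-10-01T10:05:01 198.51.100.9 alice FAIL
2009-10-01T10:05:02 198.51.100.9 alice FAIL
2009-10-01T10:05:03 198.51.100.9 alice FAIL
2009-10-01T10:05:04 198.51.100.9 alice OK
2009-10-01T10:10:00 192.0.2.77 bob FAIL
2009-10-01T10:10:30 192.0.2.77 bob OK
"""


def parse_auth_log(text):
    """Turn each log line into a record; the format is the constructed one above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return records


def classify_sources(records, min_accounts=5, max_per_account=2, min_attempts=4):
    """Label each source IP by the shape of its failed logins.

    horizontal: many distinct accounts, few attempts each (one password tried
                across usernames, which is what the paper's userID advice targets)
    vertical:   many attempts against a single account (classic password guessing)
    normal:     anything else
    Thresholds are assumptions tuned to the sample log, not recommended values.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    for r in records:
        if r["result"] == "FAIL":
            failures[r["ip"]][r["user"]] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            verdicts[ip] = "horizontal"
        elif len(per_user) == 1 and sum(per_user.values()) >= min_attempts:
            verdicts[ip] = "vertical"
        else:
            verdicts[ip] = "normal"
    return verdicts


def successes_from_flagged(records, verdicts):
    """Accounts that logged in successfully from a flagged source: the
    candidates for a forced password reset and a closer look."""
    hits = defaultdict(list)
    for r in records:
        if r["result"] == "OK" and verdicts.get(r["ip"]) in ("horizontal", "vertical"):
            if r["user"] not in hits[r["ip"]]:
                hits[r["ip"]].append(r["user"])
    return dict(hits)


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    verdicts = classify_sources(recs)
    print(verdicts)
    print(successes_from_flagged(recs, verdicts))
```

The horizontal source is the one a per-account lockout never catches, because no single account sees more than one or two failures; it only shows up when you count distinct usernames per source. It is also the case the paper’s advice on stronger userIDs addresses: if usernames are not simply email addresses, the attacker’s list of accounts to try is much shorter.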
One other thing I want to mention is that it is still important to have different passwords for all of your online accounts. If the bad guy phishes the password for your bank account, you don’t want them to automatically have access to your social network account, etc. Even in the case of key logging, if you haven’t logged in to a particular account in a while and you don’t use the same password across all accounts, the bad guys won’t be able to try your standard password(s) on other accounts.
So, while some of the old password adages may not apply as much any more, some of them are still very appropriate. Please use different passwords on all of your online accounts!
Abuse of Virtual Money: To Regulate or Not to Regulate
The Chinese government has banned the exchange of virtual currency for real world goods or services. Information Week has an article that goes into more details.
It’s not surprising that a government is having to step in to regulate the use of virtual currency in games like World of Warcraft, among others. In talking to several companies that provide forms of virtual currency, I’ve found that there are many, many risks that come along with these types of economic systems. Any time the bad guys can find a way to eke value out of a system, there is incentive to find a way to beat the system.
One advantage to virtual currency, as opposed to real-world currency, is that it is less anonymous. (Take note of this – it is extremely rare that something on the Internet is less anonymous than something in the real world!) In the real world, if you receive stolen money it can be very difficult to track exactly where that money came from.
Online, though, there is often an audit trail that can be followed. Even if the account that gives you the currency is, itself, stolen, there are IP addresses, cookies, etc. that may be helpful in tracking down the perpetrator. Granted, the perpetrator is likely in some other country and hidden behind proxies and Internet cafes, but at least there is somewhere to start.
Will the Chinese government be successful at combating the abuse of virtual currency? It’s hard to say. But it is likely we will see additional legislation by other countries to try to stave off the nefarious acts that can occur through virtual economies.
Why phishers target low value accounts
PCWorld talks about a recent phishing scam on Twitter. The question in the article is:
In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.
I’ve posted about this before, but it seems prudent to talk about it again. Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts.
If a user is less worried about giving away his Twitter password – since what type of value could that have? – then that’s the best thing the phisher can target. The user is less likely to be worried about giving away that password, and therefore the conversion rate for the phisher is likely to be higher.
If I were a phisher, the other thing I’d think about is that the people who use Twitter are more likely to be tech savvy and, therefore, have lots of online accounts. Therefore, the passwords that I do steal would be more likely to be useful on other sites.
Seems like a good idea to be careful about random tweets!