Wednesday, June 3, 2009


Jart Armin

New Attack Blends SSL, 'Man-in-the-Browser' Vulnerabilities

Written by Jart Armin

Lately, Secure Sockets Layer (SSL, the "S" in HTTPS) has come under fire for undermining Web security. It has been said that SSL is no longer a secure system because of its reliance on the MD5 hash function, which is now practically breakable. Therefore, the argument continues, it must be upgraded to combat new threats in the current Internet security climate.

In a recent interview, Taher Elgamal, the man credited with being an inventor of the SSL system, argues that there is in principle nothing wrong with SSL itself. The fault, he claims, lies in the way browsers interact with SSL, which ultimately makes the issues attributed to an SSL failure a browser problem. He goes on to say, "Security professionals always struggle with the general public because usability always wins. When you get an expired certificate, the site owner or organization would always prefer to allow the user to do things rather than disallow. This is just an unfortunate fact."

What Taher is talking about is the human element: the way we interact with our browsers and the options we are given for the sake of usability. Most of us are inclined to click "Yes" if it promises to get us what we want, saving valuable seconds in viewing or interacting with a Website, even if it reduces security.

But a new form of blended attack has emerged in which the victim is socially engineered into becoming an unknowing agent in banking and commercial fraud. The technique uses a combination of SSL-forged Web pages and a man-in-the-browser (MIB) attack that is capable of stealing login credentials, account numbers, and various types of financial information. The attack combines what is known as the Brazilian Banking Trojan with phishing to replicate a window that overlays the browser on a given computer. The presence of the trojan is transparent to the user and does not interfere with the normal use of the browser or PC.

More importantly, these new MIB cyber-crime engines now come with very advanced Ajax scripting devices and Ajax JSON-based sniffers, which greatly improve the speed and efficiency of the attack. Not only can these engines alter any content received by the Web browser before it is rendered to the customer, they can also recalculate balances and effectively erase or hide the extra transactions from what the customer sees. The whole attack can now make the account balances appear normal and conceal any reductions made by the cyber criminal.

The victims here aren't just individuals, but institutions as well. As much as $500,000 was recently lifted from the bank account of the Novato Sanitary District at the Bank of Marin in Northern California. As the manager of the utility company said, "We won't be doing pure electronic banking anymore." For several days they saw no loss of funds, until the online banking did not match the paper account.
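The Novato case shows the one check a MIB engine cannot defeat from inside the browser: reconciling what the session displayed against a statement obtained through an independent channel (paper, a bank-side export, a phone confirmation). The script below is an added example, not code from the article or from any bank; its transaction data is constructed so that a tampered session hides two unauthorized wires and recomputes the displayed balance, exactly the self-consistent-but-false picture the paragraph above describes. It flags hidden, unexpected, and altered entries and reports the balance gap.

```python
"""
Reconcile an online-banking session against an independent statement.

Added example (not from the article). All account data below is
constructed for illustration; the transaction references, dates and
amounts are invented.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, NamedTuple, Tuple


class Txn(NamedTuple):
    date: str
    ref: str
    amount: Decimal  # negative amounts are debits


@dataclass
class Reconciliation:
    hidden: List[Txn] = field(default_factory=list)      # on statement, not shown in session
    unexpected: List[Txn] = field(default_factory=list)  # shown in session, not on statement
    altered: List[Tuple[Txn, Txn]] = field(default_factory=list)  # same ref, different amount
    true_closing: Decimal = Decimal("0.00")
    displayed_closing: Decimal = Decimal("0.00")
    session_self_consistent: bool = True  # displayed total matches displayed rows

    @property
    def balance_gap(self) -> Decimal:
        return self.displayed_closing - self.true_closing

    @property
    def tampered(self) -> bool:
        return bool(self.hidden or self.unexpected or self.altered or self.balance_gap)


def closing_balance(opening: Decimal, txns: List[Txn]) -> Decimal:
    """Opening balance plus the signed sum of the given transactions."""
    return opening + sum((t.amount for t in txns), Decimal("0.00"))


def reconcile(statement_txns: List[Txn], session_txns: List[Txn],
              opening: Decimal, session_closing: Decimal) -> Reconciliation:
    """Compare the bank's independent statement with what the browser showed.

    The statement is treated as ground truth; the session is what a possibly
    compromised browser rendered, including the closing balance it displayed.
    """
    stmt_by_ref = {t.ref: t for t in statement_txns}
    sess_by_ref = {t.ref: t for t in session_txns}

    result = Reconciliation(
        hidden=[t for ref, t in stmt_by_ref.items() if ref not in sess_by_ref],
        unexpected=[t for ref, t in sess_by_ref.items() if ref not in stmt_by_ref],
        altered=[(stmt_by_ref[r], sess_by_ref[r]) for r in stmt_by_ref
                 if r in sess_by_ref and stmt_by_ref[r].amount != sess_by_ref[r].amount],
        true_closing=closing_balance(opening, statement_txns),
        displayed_closing=session_closing,
        # A MIB that recomputes totals leaves the page internally consistent,
        # which is why an in-page check alone proves nothing.
        session_self_consistent=(session_closing == closing_balance(opening, session_txns)),
    )
    return result


# Constructed sample: the bank's independent statement for the period.
OPENING = Decimal("900000.00")
STATEMENT = [
    Txn("2009-05-18", "DEP-1001", Decimal("45000.00")),
    Txn("2009-05-19", "CHK-2201", Decimal("-12500.00")),
    Txn("2009-05-20", "WIRE-7731", Decimal("-275000.00")),  # unauthorized
    Txn("2009-05-21", "WIRE-7742", Decimal("-225000.00")),  # unauthorized
    Txn("2009-05-22", "CHK-2202", Decimal("-3100.00")),
]

# Constructed sample: what the compromised browser session displayed.
# The two wires are suppressed and the total is recomputed to look normal.
SESSION = [t for t in STATEMENT if not t.ref.startswith("WIRE-")]
SESSION_CLOSING = closing_balance(OPENING, SESSION)


def run_sample() -> Reconciliation:
    return reconcile(STATEMENT, SESSION, OPENING, SESSION_CLOSING)


if __name__ == "__main__":
    r = run_sample()
    print("session self-consistent:", r.session_self_consistent)
    print("hidden on screen:", [(t.ref, str(t.amount)) for t in r.hidden])
    print("displayed closing:", r.displayed_closing, " true closing:", r.true_closing)
    print("balance gap:", r.balance_gap, " tampered:", r.tampered)
```

The point of the `session_self_consistent` flag is that it comes back true: the tampered page adds up perfectly, so only the comparison with the out-of-band statement reveals the $500,000 gap. In practice the statement side should come from a channel the infected machine never touches.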

Interestingly, this new form of attack has great difficulty penetrating browser designs like Google Chrome, which uses a sandbox approach; just make sure to avoid third-party OS-based plug-ins! This returns us to Taher’s argument about SSL, and the browser companies' responsibility to create systems that marry the security protocol with usability, with warning systems that tell users what they are saying "yes" to.

Through this blended attack we can see one of the weak points in our systems, and the pressure to activate products that bypass security in order to give us the freedom to do what we want. The question we have to ask ourselves ultimately is this: Who, exactly, is responsible for our problems in our desire for enhanced speed and ease of use? Is it us as individuals? Or is it the browser and software companies, which provide us with secure gadgets that make our lives easier on a daily basis?

— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
