SlideShare une entreprise Scribd logo

Ijaci vol4 no1-maninbrowser

Hai Nguyen
Hai Nguyen
TechnologieActualités & Politique
1  sur  11
Télécharger pour lire hors ligne
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 29 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Keywords: Hacking, Internet Banking, Man-in-the-Browser, Man-in-the-Middle, Security 1. INTRODUCTION In network security terminology, “the Middle” is defined very broadly. In this sense it refers to the domain of action of Man in the Middle (MitM)attacks,inwhichanunauthorizedparty insertsthemselvessurreptitiouslyatsomepoint along the flow of communication between two or more parties. This is so as to gain the ability to monitor the information that is exchanged, and perhaps also to modify that information, generally without being discovered so doing (Tanenbaum & Wetherall, 2011). In theory, the attack can be performed at almost any point along the communication channel between the victims. The Man in the Middle may attack through a server they control at any point along the data channel, or anywhere along the wire that it is possible to arrange for a physical tap. In practice it is impractical to choose a server orwiresomewhereintheimmediatevicinityof a targeted party, and it would be ineffective to attack from somewhere at random in the web where traffic is subject to fluctuating routing tables. Therefore, this approach would usually be commenced with a phishing attack to trick the user into bridging the gap, which will be discussed. If either terminating machine is us- ing a wireless connection, the Man could also interpose himself between that machine and its associated wireless router, by picking up their outgoing signal and then posing as the user’s machine to the router. This would also work if they have control over a LAN device on the same bus as the user. The “Middle” described already encom- passes all points from the moment a signal leaves a machine at one end of a transaction right through until just before it reaches its Man in the Browser Attacks Timothy Dougan, University of Ulster, UK Kevin Curran, University of Ulster, UK ABSTRACT Man-in-the-Browser attacks are a sophisticated new hacking technique associated with Internet crime, es- pecially that which targets customers of Internet banking. The security community has been aware of them as such for time but they have grown in ability and success during that time. These attacks are a specialised version of Man-in-the-Middle attack, and operate by stealing authentication data and altering legitimate user transactions to benefit the attackers. This paper examines what Man-in-the-Browser attacks are capable of and how specific versions of the attack are executed, with reference to their control structure, data interaction techniques, and methods for circumventing security. Finally the authors discuss the effectiveness of counter- Man-in-the-Middle strategies, and speculate upon what these attacks tell us about the Internet environment. DOI: 10.4018/jaci.2012010103
30 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. destination. However, the Man could also breach the integrity of the signal before it even leaves the user’s PC, if he subjects the user to a Man in the Browser (MitB) attack. This is a more recent form of attack in which the user’s browser is corrupted in order to act as the tap in the information stream, an attack which “occurs at the system level, between the user and the browser, [rather than via] the protocol layer” (Litan & Allan, 2006). This, structur- ally speaking, is “a man-in-the-middle attack between the user and the security mechanisms of the browser” (Gühring, 2006). Therefore, in network security terms, “the Middle” is every point along the course an information transaction between the initial input and final output device (i.e., anything that is not a keyboard or a monitor etc). In this sense, the MitB attack is a special case of the MitM attack in which the intrusion occurs at the very nearest end of the middle to the user. 2. MitB IN TERMS OF MitM Let us begin by exploring the places in which MitB differs from MitM. Firstly, MitM inter- cepts data using an inserted or compromised pieceofhardwarethatisexternaltothetargeted system. MitB on the other hand gains access through the software configuration on that sys- tem, generally by way of a Trojan that targets the web browsers on that computer. Secondly, MitM either has to deal with messages that have already been protected by whatever security is associated with the con- nection (and read/alter them mid-flight in both directionsofcommunication),orhastopresent a plausible reason for the user to create their connectionwiththeattacker’sownserver.MitB does not need to bother with the extra work this entails. In the outward-bound direction, it is the author of all compromised messages sent. In the inward-bound direction, it does still have to deal with a fully formed message, but it does not need to be concerned with modifying the message itself so as to conceal its actions. This is because MitB directly controls the browser, and therefore needs only to modify the browser display to be as the user expects. Together this means that it works outside of any client-side and server-side encryption and validation, and therefore does not have to be concerned with increased latency arising from hashing overheads or to provide dummy keys for public key encryption. This implies another advantage of MitB over MitM, in that MitM is only guaranteed to be able to handle public key encryption (and this only up to a point as discussed in the section “Trust”), whereas MitB is “immune” to all forms of encryption, including symmetric key, by being external to it. Finally, MitM is onlytrulyeffectiveadirectedorlocation-based attack, whereas MitB can be spammed to as many computers as its Trojan is able to infect. If the access point of MitM were somewhere at random in the Internet, it is unlikely for it to be able to extract valuable data or make modifica- tions undetectably. This is because packets can be routed independently, so any data gleaned will probably be fragmentary, and replies to any fraudulent modified messages would not be guaranteed to pass through the same compromised point as the outgoing message, making concealment of modifications almost impossible. To maintain constant contact, the MitM attacker must either be physically close enough to the victim to capture their outgoing databeforeithastheopportunitytobifurcate,or trickthevictimintonavigatingtotheattacker’s own server that will act as a stable mid-point. Thiscompelstheattackertoeitherdirectly target or in some other way reach out to indi- viduals or groups, and means that this attack does not scale very well. On the other hand, the only such limitations on MitB are around the level of security that is installed on the systems it attacks or is practiced by the people who use them, and it scales very well. Where MitM is limited to a chosen few targets at a time (most effectively spread by mass spam emails with links to compromised sites), individual MitB Trojans are known to have compromised be- tween hundreds and hundreds of thousands of users’ security concurrently (Finjan, 2009;
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 31 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Stone-Gross et al., 2009; RSA Fraud Action Research Labs, 2008; Murchu, 2009). Although their underlying technical structures are very different, this is not to say that MitB has little in common with MitM. Besides being based on the same principle of the addition of concealed third parties into the flow of transactions, both also have the same capabilities once inside the security provisions of a transaction and both are carried out for similarends.However,itisfairtosaythatMitB exceeds MitM in many ways. 3. MitB CAPABILITIES LeavingMitMbehindfornow,andleavinghow MitB technically accomplishes what it does until later, let us now consider MitB’s general capabilities (some of which may or may not be included in a given version of the attack, and which between versions will vary in method of implementation). These can be broadly classi- fied under five categories. MitB can: 3.1. Steal Data MitB’s control over the browser gives it the ability to collect information both passively by keylogging, and actively by phishing. Any data entered into the compromised browser is potentially available to the attacker, with the abilityforthemtoselectpreferreddatatostealas described below. In addition, and to get around the way in which many security conscious websiteslimittheamountofsensitivedatathey requestfromtheuser,MitBcanpromptforextra data by using its ability to modify the structure of pages displayed in the browser. 3.2. Modify Html Thisisreferredtoashtmlinjectionanditallows theattackertoalterthehtmlofapagebeforeitis senttothebrowserforinterpretation.Typically, this would be used in two ways – firstly, to add extra data entry fields that prompt the user to enter private information in excess of what is normally requested by a page, and secondly to modify server responses. Data field addition allowsformuchmorepowerfuldatacollection, especially if there are data entry fields that are usually obfuscated by a secure site with the intention of defeating keyloggers. Rather than try to defeat a virtual keyboard or a jumbled and/orpartialcharacter-by-characterpassword entry system (i.e., “enter the 3rd , 1st and 5th letter of your password”), this instead allows MitB to alter the login procedure so that the password is enteredin the clear, from whence it can be lifted directly as per the previous ability discussed. Modifying server responses allows MitB to cover its tracks by making the server responseappeartoagreewiththeusersoriginal intentions, which MitB may need to do, as it will sometimes modify data sent by the client to the server. 3.3. Modify Outgoing Data Just as MitB can modify the html that is shown to the user, its level of access also allows it to tamper with outgoing form data the user is submitting to a server. This allows for various fraudulent actions (usually in the context of internet banking) with the added advantage of the request originating with, and being largely composed by, the legitimate user of a web ser- vice. This makes the fraud very much harder to detect and therefore very much more likely not only to initially succeed, but also to remain undiscovered for long enough for the attacker to take advantage of it. 3.4. Choose Targets All of the foregoing is useful only if the MitB Trojan is able to identify what data it should tamper with or steal. Each version of MitB makes a list of items of interest available to its browser monitoring services. The members of this list will typically be used to select two dif- ferent types of data – either individual fields of interest by their proximity to certain keywords, or entire pages of interest by their residing in a chosendomain.Thedomain-targetedattacksare chosen for their value, and this targeting allows the fraud to be tailored to the specifications of
32 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. each chosen domain. For instance, is clearly not of use to perform html injection attacks as discussed above without knowing what to inject and where to do so. Attackers cannot expect inserting a “Please enter password/ email/D.O.B.” field at random into every page tobeverysuccessful.ThereforetheTrojanmust keep a catalogue of particular domains to pay extra attention to, which must include instruc- tionsastowhereandhowwithinthosedomains it should carry out its more sophisticated thefts and manipulations. This level of specificity, combined with instructions to limit non-explicit data theft to data fields that are labelled “Password”, “User Name”, “Email” etc acts to limit the amount of non-valuable data that is stolen. Such a provision is useful because, as implied above, individualimplementationsofMitBattackscan be actively stealing data from many thousands of users concurrently. This becomes an issue when you consider that all stolen data must be communicated back to the owner of the attack over a finite amount of available bandwidth. 3.5. Communicate with HQ There is no point in stealing data without hav- ing some way to retrieve it, so therefore it is a basic requirement of a data-stealing MitB at- tack is that there be a means whereby to extract stolen data.With this requirement of the ability to communicate externally a given, there are many other uses such a connection can be put to. Designating a command server and giving that server control over individual infected machines is a particularly valuable second- ary use of this ability as it allows for remote modification of the Trojan’s parameters and for the software version of the infection to be updated.This in turn enables MitB domain and field targeting to be improved, and provides a procedurebywhichnewfeaturesandtechniques can be added as they are devised. Furthermore, it may be useful to provide access to a server that carries modified security scripts to replace those that protect data in a secure site, tailored corporate image files if a phishing page is be- ing built from scratch, or precise instructions as to how the subsequent steps of the attack are to be carried out. This could be in order to facilitate more elaborate phishing attacks for Trojan implementations that do not have sufficient control over the browser to suppress “mixed content” warnings (that alert the user to the presence in a page of files coming from somewhere not covered by the certificate of the business site they are visiting), or simply to reduce overheads. It is more efficient to do this than to provide a Trojan with a library of instructions, scripts and images suitable to every eventuality. 4. HOW MitB IS PERFORMED We move now into the specifics of how these attacks are carried out. It is important to note at this point that a MitB attack is only one com- ponent in the arsenal of modern Trojans. These Trojans combine different techniques to gain access to and control over systems, maintain themselves and remain undetected. To discuss howaMitBattackiscarriedout,wewillexamine the MitB component of some well-known and widespread Trojans, with reference to the five categoriesdescribedabove.TheTrojanswewill use as examples are all botnets, which suits the remote-controlstyleallowedbyMitB.Theyare: 1. URLzone (a.k.a. Bebloh) – a sophisticated Trojan from the Ukraine focused on Ger- man banking (Finjan, 2009) 2. Torpig (a.k.a. Sinowal) – a flexible botnet that steals data mainly in the USA and Europe (Stone-Gross et al., 2009) 3. Zeus (a.k.a. Zbot, Kneber) – a very wide- spread Botnet that has also been very well covered by the media (Falliere & Chien, 2009) I will discuss each one with regard to the fiveaspectsexplained,andthenbrieflyhighlight notable features at the end.
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 33 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. 4.1. URLzone Stealing Data URLzone is focused more on directly stealing money from victims, rather than stealing their data to sell or to use to commit fraud later on. Such data is still collected however, and I suppose why not? It will “log credentials and activitiesofbankaccounts,[...]takescreenshots of webpages, [and] log and report on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries” (Finjan, 2009). It monitors the system, and when a new instance of an application it knows how to attack be- gins, it uses API hooking to inject a DLL into the process and intercept system messages. Its primary targets were German banks, but given its level of access there was no reason for it not to steal available data while it was installed. “It limits itself to collect data that is sent by the user using POST method with less than 2,000 bytes” (Chechik, 2009) so as to evade notice by security applications, and only becomes active when the data returned to it are from specified domains. Modifying html URLzone makes most of its money through live modification of outgoing data, but this causes a problem for it.The fraudulent transac- tions it makes need to remain in place for long enough for the money to be transferred to a safe location, but if the customer notices that a modification has been made they will report it to the bank as fraud, which will in turn revoke the transaction. Therefore, the modification must be disguised from the victim, so that the server response will appear as they expect it to. More powerful versions of the data-selection scripts are used here to not only to recognize the critical fields in transaction logs, but also to substitute over these fields ex tempore in the raw html, injecting a copy of the original user submitted value of the field in place of the new and fraud-revealing value returned by the server. This requires that the Trojan have an excellent working knowledge of the format of the banking pages it targets, since there will be many fields per transaction, or transactions altogether, from which it must select one. Modifying Outgoing Data When the Trojan reports captured data from a targeted domain to its controller, the controller has the option to specify that an attack should be carried out. This decision is handled by automation at the server side, and is the only way in which URLzone will perform an active attack – the Trojan itself has no capacity to carry out this kind of attack on its own. This is beneficial in two ways – firstly it avoids the need for the Trojan to use local CPU cycles to compose attacks, and secondly it allows all at- tacks to be made with the latest specifications. That is to say, specifications can be altered at the server in immediate response to changes made in the target sites, and will be used im- mediatelywithoutrequiringtheTrojantoupdate its configuration files. Thespecificmodificationsmadearechosen verycarefullysoastomaximizetheprobability that the attack will succeed. Two data it will steal are the account balance and the maximum transaction allowed. From these it determines an amount that is close to (but slightly less than) the lesser of these two data, including a factor of randomization to deceive anti-fraud systems designed to notice suspicious patterns intransactions.Thisdeterminedamountisthen returnedfromtheservertotheTrojanalongwith a holding account controlled by the attacker to which this amount should be sent. These two fields overwrite those in the original form the victim intended to post, and then the form sent on to the bank, which is none the wiser as to the alteration. Choosing Targets The targeting is in two parts – selecting which field values to steal as determined by a local configuration file, and which site transactions toactivelyattackasdeterminedremotelybythe C&C server. Once again, this remote operation
34 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. allows the time taken to perform complex cal- culations to be independent of local hardware constraints, and any reduction in client-side processing will help the Trojan remain unde- tected by client-side security software. Lo- cally determined target fields are selected by comparing the originating domain of the stolen POST data to a list of domain name masks – if it matches, then the data is chosen and stolen. Communicating with HQ “The communication between the Trojan and the C&C server is conducted over HTTP, hav- ing the data XOR-encrypted” (Finjan, 2009). After initial configuration, all communication from the Trojan is triggered by the domain matching described. Unlike Torpig and Zeus, there is no regular contact with the server, and also unlike Torpig & Zeus, that server is hard coded(MCRC,2009)–alessflexibleapproach as we shall see. 4.2. Torpig Stealing Data Torpig “can inspect all the data handled by [programsoncompromisedmachines,including web browsers] and identify and store interest- ing pieces of information, such as credentials for online accounts and stored passwords” (Stone-Gross,etal.,2009)byusingDLLs,again injected through hooking. This is passive data theft in the same manner as used by URLzone, although not restricted to POST data, and in- cludingdataextractedfrombrowsers’password manager services and miscellaneous system data including Windows user account login passwords. Active data theft is also carried out bywayofphishingattacks,externallycontrolled asdescribedbelow.Theseattackstaketheform of novel pages injected to replace pages on the targetdomain,whichrequestuserdatainexcess ofthatwhichwouldberequestedbyalegitimate security conscious site. This goes beyond site- specific passwords, and may include personal details and multi-factor security components. These will be sent to C&C without any encryp- tion or input obfuscation; another advantage of creatinganewpageratherthanliftingdatafrom fields in current legitimate pages. Modifying html & Modifying Outgoing Data Since Torpig is solely concerned with data theft, it does not modify outgoing data. Since it does not modify outgoing data, it does not need to hide its tracks, and only html modifica- tion it makes is to create phishing pages. This can be achieved trivially, since the injection server returns to the Trojan a URL to a fully formed version of the novel page, which can then be directly substituted for the content of the legitimate page it is replacing. Choosing Targets Targets are chosen in the same way as Torpig picks what POST data to steal – domains of interest are listed in the configuration file ob- tained from the C&C server, and all data the user enters there is stolen. Communicating with HQ The bot sends the accumulated data it has sto- len at fixed intervals, and all communication between Torpig C&C and its bots is carried out over HTTP POST messages encrypted with Torpig’s own base64 + XOR encryption algo- rithm, using a symmetric key sent in the clear (Stone-Grossetal.,2009).Torpigisparticularly notable, and follows a current trend, in that it does not report to a static server in the same way that URLzone did. Based on an algorithm that uses different pieces of date information it generates a list of addresses of potential C&C servers. It then starts from the top of the list sendingrequeststotheseputativedomainsuntil itreceivesavalidC&Cresponse,atwhichpoint therespondingserverbecomesthecontrolserver forthatbotuntilthenextscheduledswitchover. The attackers have the means to generate the same list, and can register some or all of the domains listed in advance, which is very clever because it removes the single point of failure
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 35 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. that was exposed by URLzone. The addresses can be linked to a physical server of the at- tacker’s choosing, and if one address is taken down,Torpigwillautomaticallyrunthroughthe rest of the list until it reaches the next domain attached to a C&C server. Likewise, if a C&C server is taken down, the currently registered addresses can be assigned to a new server and the botnet can continue about its business in the same way.1 4.3. Zeus Stealing Data Zeus steals data according to both hard-coded general practices and configurable selection. It will lift passwords stored in insecure local repositories such as Windows Protected Stor- age, and any login data that is handled in an insecure manner, i.e., sent without encryption. The configuration will additionally allow the attacker to nominate domains from which Zeus should intercept all user input prior to encryp- tion, which can then be forwarded to C&C. In this way, it is like a middle ground between URLzone and Torpig. It has some extra capa- bilities as well, in that it can be configured to capture screenshots upon mouse click events on pages in target domains, and has “a special- ized routine that allows you to configure match patterns to search for transaction numbers in datapostedtoonlinebanks.Thematchpatterns include values such as the variable name and length of the TAN.” (Falliere & Chien, 2009) This latter is especially powerful, asTANs (TransactionAuthenticationNumbers)areoften used to provide the second part of two-factor authentication, which has been successful in preventing fraud from credential theft, since each TAN expires after a single use. Attacks that steal this data must have some way of dealing with its expiration, and so will usually replacetheuser’sTANwitharandomlychosen incorrect alternative – I cannot find a source to confirm that this is true also for Zeus, but it seems likely that is how it operates. What makes this “TANGrabber” routine particularly useful is that Zeus does not need explicit data about where it should expect to find the TAN in user input, but rather can identify TANs by certain shared attributes and harvest as many as it comes across. Modifying html Zeus performs html injection in the same way that URLzone does, and for the same reason that Torpig does. Based on a configured basic understanding of pages on targeted sites, Zeus inserts single or multiple fields into otherwise legitimate pages. The way it does so is fully customizable, and has the benefit of brevity in that only a small change is required, rather than havingtorequestanentirepageofhtmlfroman injection server – the overhead is low enough that it can be carried out client-side. The field willusuallybesetuptorequestextraauthentica- tion data such as sought by Torpig, which will be input in the clear and can be siphoned off directly to C&C. It can also “modify or hijack JavaScript that is used for client side security purposes” (Falliere & Chien, 2009) in the same way, in order to bypass a site’s security. Modifying Outgoing Data Zeus, like Torpig, is only concerned with data theft, and so does not perform any real-time attacks.Theonlyminoroutgoingdatamodifica- tion it makes is substitution of chosen URLs in DNS requests in order to carry out traditional phishing attacks. Choosing Targets All targeting is handled through two libraries of filters, which it compares against the URLs visited by the browser in a similar manner as in Torpig’s target selection. These are either general masked domain names from which all user data is lifted (“WebFilters”), or URL masks associated to pieces of text that must be present in a user submission for Zeus to select it for appropriation.
36 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Communicating with HQ ZeuscommunicateswithC&CviaPOSTedmes- sagessimilarlytoTorpig,butdoessowhenever it has data to send as well as at timed intervals – it does not allow data to accumulate at client side. Server responses from Torpig offer some control over its bots, but Zeus has a great deal more. It can order various functions from C&C varying from stealing extra files, through to re- bootingtheinfectedmachine,andevendeleting Windows’system322 .Thiscontrolcomesmore from Zeus’ aspect as a full botnet suite rather than anything pertaining to MitB, but says a lot about how evolved and powerful Zeus is. Combined with the wideness of its infection, thisisprobablywhyZeushasreceivedsomuch more media attention than other botnets. 4.4. General Characteristics & Techniques It should be clear from the limited sample ex- plored that a great many different techniques are available to support, carry out and take advantageofMitBattacks.Onequestionraised by this array of tools and techniques again regards definitions. At what points does MitB begin and end? Many of the functions carried outinfurtheranceoftheattackdonottakeplace “in the Browser”, and the ways in which the browser can be compromised (though touched ononlylightlyhere)aremanyandvaried.They include API hooking and custom scripting as discussed,DocumentObjectModelexploitation via Browser Helper Objects and Extensions, and even full virtualization (although this is only speculated by Gühring and seems not to have occurred in practice yet.) Because of this, it is probably fairer to see MitB as a Trojan tool rather than a Trojan type. Most of what these MitB implementations have in common are intentions, and general abstract concepts under which to perform their attacks (substitution, misdirection, intelligent selection etc). Where they differ is in terms of technical execution as in the preceding para- graph,andinwhereandwhomtheytarget.Bank- ing customers in Europe and North America are definitely the primary targets, but the long tail of less profitable data theft extends across a broad range of other private data, which can either be abused directly or sold. 5. HOW MITB CAN BE STOPPED Despite being perhaps the most important sec- tion in this paper, it will also be the shortest, as thereisonlyonecurrentlylong-termguaranteed way to defend against MitB, and even that will cease to be so in time. Different companies endorse different (proprietary) methods of de- tection and prevention. Entrust (2010) advise the use of behaviour monitoring tools that can detect suspicious user actions, but this can be defeated by intelligent MitB programming that includes pseudorandom and conservative decision trees. More sophisticated monitoring would lead to more sophisticated decision trees, an arms race in which many would not be protected whenever attackers temporarily gained the upper hand. TriCipher (Litan & Allan, 2006) offers multifactor authentication, which has already been defeated in one form or another by all three Trojans of the case studies. Arcot(2010)offersdigitalsigningembeddedin Adobe Systems clients (which will inevitably transfertheproblemfromMan-in-the-Browser to Man-in-the-Adobe) and Virtual Private Ses- sions that rely on returning confirmation in a human-readablebutobfuscatedstateinanimage file. This latter may or may not work for now, butwillalsoinevitablybeovercomeasmachine reading improves and cracks are found in their proprietary security. The only thing guaranteed to work, ad- mirable also for its simplicity, is out of band confirmation. The Arcot whitepaper trashes OOB authentication via passcode, but does not allow for OOB reporting (via either automated phonecallortextmessage)thatprovidestheuser with a précis of all transactions their accounts attempt,andpreferablytheoptiontoconfirmor reject.Therearetwoproblemswiththis(setting
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 37 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. aside the possibility that attackers could steal phone details and then hack personal phones, but if that has happened to you then you have biggerproblemsthanbankingfraud),whichare: 1. It costs money, and unlike other paid-for solutions, this cost scales with the level of use. 2. It takes Internet banking (and whatever other forms of Internet transaction you wish to protect) at least partially off the Internet, which rather defeats the point of having them on the Internet in the first place. It is probably reasonable to hope for an intelligent and satisfying solution at some time in the future, but one does not appear to be available at this time. Of course, if web us- ers did not get malware infections then there would not be an issue, but this is unlikely to ever come about. 6. CONCLUSIONS & CONSEQUENCES Thereissomeconfusionofterminologyaround MitB. Some sources (Entrust, 2010; Mushaq, 2010) define MitB as any attack that uses browser infection. This occurs even though MitB may only account for one facet of a multi-part attack, one technique in the arsenal of a Trojan. Others (Falliere & Chien, 2009; Stone-Gross et al., 2009) tend to brush over the MitB aspect of a piece of malware, or use it as another word for phishing. It is in any case a subtle and powerful technique, which gives criminals access to a great deal of opportunity for profit. Furthermore, the sophistication of MitB attacks has grown over time, and can be expected to continue to grow as time passes (Imperva, 2010). Security solutions will need to improve similarly, and meanwhile, many people are going to be swindled. The best way to improve security until the industry catches up is to practice good computer hygiene and if possible to keep valuable transactions at least partially off the Internet. In short, an improved level of user edu- cation regarding the dangers of the Internet would be effective at preventing most types of client-side attack, but such caution as would be taken in response to education is lacking among many. On the one hand, you could see the increasing general aptitude among many who access the Internet at providing basic data sanitation for their devices as a sign that improved understanding over time will solve this problem. On the other hand, you could ac- cept that no amount of education will provide protection to the percentage of people who are not willing or able to keep up with changing trends and practices in computing. It follows that these people are exactly the ideal targets for this type of fraud – in effect, distribution of aptitude focuses the attacks upon those least abletoprotectthemselvesagainstthem.General understanding must and will improve, and will help, but will not be a solution. One of the consequences of MitB can be seen by contrast to the effectiveness of one techniquesuccessfulindefeatingMitM–certi- fication.Thisworksbyallowingcommunication betweenclientandservertobeencryptedusing public key cryptography, based on keys from certificates provided by the server, which are themselves issued by CertificationAuthorities. These authorities are themselves certified by other bodies, which are in turn also certified, creating a chain of trust that leads back to a small number of internationally recognised (and browser hard-coded) authorities that can usually be relied upon (Hallam-Baker, 2011) to vouch only for trustworthy servers. However, certification of this type only protects a data stream after it leaves the user’s browser, and doesnothaveanycontroloverhowthatbrowser displays any server response. MitB bypasses this security entirely, since it has access to data before encryption, and has control over what thebrowserdisplaysafteraserverresponsehas been decrypted. MitBunderminesthereliabilityofsecurity inthiswaywithregardstoalloftheotherforms
38 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. of security ineffective against it. It is clear that the possibility of MitB weakens the trust that a user can have in the integrity of their system, but it also weakens the trust that the server can have in the authenticity of messages received from clients. This two way weakening is an obstacle that will need to be overcome in the future, since the establishment of mutual trust is one of the main impediments to growth in the utility of the Internet. “Cybercriminals” are getting better at cybercrime, especially as Computer Science education spreads in 2nd and 3rd world countries with less than stringent Internet law enforce- ment. The examples taken above all seem to have originated in Soviet Bloc countries, but similar attacks have been identified from all over the world, including even the well known “Nigerian Prince” scam. A consequence of the InformationEconomy,insofarasinformationis veryeasytomovefromplace,isthattraditional borderstothescalabilityofsometypesofcrime will be eroded in the same way as has happened fortheborderstosometypesoflegitimatebusi- ness.Therefore, we can expect to see a superior successor in some form to MitB as MitB was to MitM, and thence onward – also we can expect these attacks to become increasingly successful and costly. REFERENCES Arcot. (2010). Protecting Online Customers from Man-in-the-BrowserandMan-in-the-MiddleAttacks. Retrieved from Arcot Resources - Briefs and White PapersforOnlineIdentityFraudProtectionwebsite: http://www.arcot.com/resources/docs/ Protection_ from_MITM_&_MITB_Attacks_White_Paper.pdf Chechik,D.(2009,September30).MalwareAnalysis – Trojan Banker URLZone/Bebloh. Retrieved April 5, 2011, from M86 Security Labs website: http:// labs.m86security.com/ 2009/09/malware-analysis- trojan-banker-urlzonebebloh/ Entrust. (2010). Defeating Man-in-the-Browser. Retrieved April 3, 2011, from Internet Security and Encryption White Papers website: http://www. entrust.com/resources/download.cfm/24002/ Falliere, N., & Chien, E. (2009). Zeus: King of the Bots.RetrievedfromSecurityResponseWhitepapers SymantecCorp.website:http://www.symantec.com/ content/en/us/ enterprise/media/security_response/ whitepapers/zeus_king_of_bots.pdf Finjan.(2009,July).CybercrimeIntelligenceReport, Issue no. 3. Retrieved March 20, 2011, from M86 Securitywebsite:http://www.finjan.com/GetObject. aspx?ObjId=679 Gühring, P. (2006, September 12). Concepts against Man-in-the-Browser Attacks. Retrieved March 3, 2011, from CAcert.org website: http://www2.fu- tureware.at/svn/sourcerer/CAcert/SecureClient.pdf Hallam-Baker, P. (2011, March 23). The Recent RA Compromise. Retrieved March 25, 2011, from Comodo Blogs website: http://blogs.comodo.com/ it-security/data-security/the-recent-ra-compromise/ Imperva. (2010, November 16). Top ten security trends for2011. Retrieved from Continuity Central website: http://www.continuitycentral.com/fea- ture0830.html Litan,A.,&Allan,A.(2006,September12).Threats: Man in the Browser. Retrieved April 10, 2011, from Tricipherwebsite:http://www.tricipher.com/threats/ man_in_the_browser.html MCRC. (2009, July 22). How a cybergang oper- ates a network of 1.9 million infected computers. Retrieved April 2011, from SecureTweets Blog website:http://www.finjan.com/SecureTweets/Blog/ post/ How-a-cybergang-operates-a-network-of-19- million-infected-computers.aspx Murchu, L. O. (2008, January 8). Trojan.Silent- banker Technical Details. Retrieved April 3, 2011, from Symantec Security Response website: http:// www.symantec.com/security_response/ writeup. jsp?docid=2007-121718-1009-99&tabid=2 Mushaq,A.(2010,February19).ManintheBrowser: InsidetheZeusTrojan.RetrievedApril9,2011,from threatpost: Kaspersky Lab Security News Service website: http://threatpost.com/en_us/blogs/man- browser-inside-zeus-trojan-021910 RSA FraudAction Research Labs. (2008, October 31). One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. Retrieved March 15, 2011, from Speaking of Security – The RSABlogandPodcastwebsite:http://blogs.rsa.com/ rsafarl/one-sinowal-trojan -one-gang-hundreds-of- thousands-of-compromised-accounts/
International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 39 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Stone-Gross,B.,Cova,M.,Cavallaro,L.,Gilbert,B., Szydlowski, M., Kemmerer, R., et al. (2009). Your Botnet is My Botnet: Analysis of a Botnet Takeover. RetrievedApril2,2011,fromTakingovertheTorpig botnet website: http://www.cs.ucsb.edu/~seclab/ projects/torpig/torpig.pdf Symantec. (2009). Zeus: King of the Bots. Retrieved April 5, 2011, from Security Response Whitepapers SymantecCorp.website:http://www.symantec.com/ content/en/us/enterprise/media/ security_response/ whitepapers/zeus_king_of_bots.pdf Tanenbaum, A. S., & Wetherall, D. J. (2011). Com- puter Networks (5th ed.). Boston, MA: Pearson. ENDNOTES 1 Note however that this is how Stone-Gross et al. were able to hijack the Torpig botnet. Note too that because the domain selection algorithm can be changed, they were only able to maintain control for 10 days. 2 Whichwillnotmakeyourcomputerrunfaster, despite what you may have heard. Kevin Curran BSc (Hons), PhD, SMIEEE, FBCS CITP, SMACM, FHEA is a Reader in Com- puter Science at the University of Ulster and group leader for the Ambient Intelligence Research Group. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. Dr. Curran has made significant contributions to advancing the knowledge and understanding of computer networking and systems, evidenced by over 650 published works. He is perhaps most well-known for his work on location positioning within indoor environments, pervasive computing and internet security. His expertise has been ac- knowledged by invitations to present his work at international conferences, overseas universities and research laboratories. He is a regular contributor to BBC radio & TV news in the UK and is currently the recipient of an Engineering and Technology Board Visiting Lectureship for Ex- ceptional Engineers and is an IEEE Technical Expert for Internet/Security matters. He is listed in the Dictionary of International Biography, Marquis Who’s Who in Science and Engineering and by Who’s Who in the World. Dr. Curran was awarded the Certificate of Excellence for Research in 2004 by Science Publications and was named Irish Digital Media Newcomer of the Year Award in 2006. Dr. Curran has performed external panel duties for various Irish Higher Education Institutions. He is a fellow of the British Computer Society (FBCS), a senior member of the Association for Computing Machinery (SMACM), a senior member of the Institute of Electrical and Electronics Engineers (SMIEEE) and a fellow of the higher education academy (FHEA). Dr. Curran’s stature and authority in the international community is demonstrated by his influence, particularly in relation to the direction of research in computer science. He has chaired sessions and participated in the organising committees for many highly-respected in- ternational conferences and workshops. He is the Editor-in-Chief of the International Journal of Ambient Computing and Intelligence and is also a member of 15 Journal Editorial Committees and numerous international conference organising committees. He has served as an advisor to the British Computer Society in regard to the computer industry standards and is a member of BCS and IEEE Technology Specialist Groups and various other professional bodies.

Recommandé

Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareEntrust Datacard
 
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIES
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIESEFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIES
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIESIJNSA Journal
 
Classification and review of security schemes
Classification and review of security schemesClassification and review of security schemes
Classification and review of security schemesHabitamuAsimare
 
Middle man cheating
Middle man cheatingMiddle man cheating
Middle man cheatingtarunikahsundrajahpi
 
Retail
Retail Retail
Retail CMR WORLD TECH
 
Secure client
Secure clientSecure client
Secure clientHai Nguyen
 
A01450131
A01450131A01450131
A01450131IOSR Journals
 
Intelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsIntelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsAM Publications,India
 

Recommandé

Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareEntrust Datacard
 
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIES
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIESEFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIES
EFFECT MAN-IN THE MIDDLE ON THE NETWORK PERFORMANCE IN VARIOUS ATTACK STRATEGIESIJNSA Journal
 
Classification and review of security schemes
Classification and review of security schemesClassification and review of security schemes
Classification and review of security schemesHabitamuAsimare
 
Middle man cheating
Middle man cheatingMiddle man cheating
Middle man cheatingtarunikahsundrajahpi
 
Retail
Retail Retail
Retail CMR WORLD TECH
 
Secure client
Secure clientSecure client
Secure clientHai Nguyen
 
A01450131
A01450131A01450131
A01450131IOSR Journals
 
Intelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsIntelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsAM Publications,India
 
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...IJNSA Journal
 
Francesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityFrancesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityAndrea Rossetti
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemInternational Journal of Engineering Inventions www.ijeijournal.com
 
Mattias eriksson
Mattias erikssonMattias eriksson
Mattias erikssonHai Nguyen
 
Towards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc NetworksTowards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc NetworksAM Publications,India
 
IRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET Journal
 
Protect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanismProtect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanismijfcstjournal
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetijctet
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackCSCJournals
 
Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?STACY DAVIS
 
9697 aatf sb_0808
9697 aatf sb_08089697 aatf sb_0808
9697 aatf sb_0808Hai Nguyen
 
CfWI conference 2012 poster finalists
CfWI conference 2012 poster finalistsCfWI conference 2012 poster finalists
CfWI conference 2012 poster finalistsC4WI
 
Droom of nachtmerrie
Droom of nachtmerrieDroom of nachtmerrie
Droom of nachtmerrieHedwig Schlötjes -Belle
 
Listening sample task sentence completion
Listening sample task sentence completionListening sample task sentence completion
Listening sample task sentence completionHồng Quyên
 
Eecs 2013-18
Eecs 2013-18Eecs 2013-18
Eecs 2013-18Hai Nguyen
 
Indian publishing market
Indian publishing marketIndian publishing market
Indian publishing marketyogeshchander1985
 
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...B com Expo | GL events Italia
 
Planning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeshipsPlanning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeshipsC4WI
 
Performance Persistence by Harvard Business School
Performance Persistence by Harvard Business SchoolPerformance Persistence by Harvard Business School
Performance Persistence by Harvard Business Schoolchaganomics
 
Benchmark job sharing
Benchmark job sharingBenchmark job sharing
Benchmark job sharingConor Doyle
 

Contenu connexe

Tendances

A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...IJNSA Journal
 
Francesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityFrancesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityAndrea Rossetti
 
Mattias eriksson
Mattias erikssonMattias eriksson
Mattias erikssonHai Nguyen
 
Towards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc NetworksTowards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc NetworksAM Publications,India
 
IRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET Journal
 
Protect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanismProtect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanismijfcstjournal
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetijctet
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackCSCJournals
 

Tendances (11)

A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR...
 
Francesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityFrancesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber security
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Mattias eriksson
Mattias erikssonMattias eriksson
Mattias eriksson
 
Towards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc NetworksTowards the security issues in Mobile Ad Hoc Networks
Towards the security issues in Mobile Ad Hoc Networks
 
IRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash Matching
 
Protect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanismProtect mobile agent against malicious host using partial mobility mechanism
Protect mobile agent against malicious host using partial mobility mechanism
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manet
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits Attack
 

En vedette

Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?STACY DAVIS
 
9697 aatf sb_0808
9697 aatf sb_08089697 aatf sb_0808
9697 aatf sb_0808Hai Nguyen
 
CfWI conference 2012 poster finalists
CfWI conference 2012 poster finalistsCfWI conference 2012 poster finalists
CfWI conference 2012 poster finalistsC4WI
 
Listening sample task sentence completion
Listening sample task sentence completionListening sample task sentence completion
Listening sample task sentence completionHồng Quyên
 
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...B com Expo | GL events Italia
 
Planning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeshipsPlanning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeshipsC4WI
 
Performance Persistence by Harvard Business School
Performance Persistence by Harvard Business SchoolPerformance Persistence by Harvard Business School
Performance Persistence by Harvard Business Schoolchaganomics
 
Benchmark job sharing
Benchmark job sharingBenchmark job sharing
Benchmark job sharingConor Doyle
 
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...B com Expo | GL events Italia
 
Listening sample task form completion
Listening sample task form completionListening sample task form completion
Listening sample task form completionHồng Quyên
 
Digital camera1
Digital camera1Digital camera1
Digital camera1harshita84
 

En vedette (17)

Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?Why do Engineers Choose Lennox?
Why do Engineers Choose Lennox?
 
9697 aatf sb_0808
9697 aatf sb_08089697 aatf sb_0808
9697 aatf sb_0808
 
CfWI conference 2012 poster finalists
CfWI conference 2012 poster finalistsCfWI conference 2012 poster finalists
CfWI conference 2012 poster finalists
 
Droom of nachtmerrie
Droom of nachtmerrieDroom of nachtmerrie
Droom of nachtmerrie
 
Listening sample task sentence completion
Listening sample task sentence completionListening sample task sentence completion
Listening sample task sentence completion
 
Eecs 2013-18
Eecs 2013-18Eecs 2013-18
Eecs 2013-18
 
Indian publishing market
Indian publishing marketIndian publishing market
Indian publishing market
 
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
B com 2014 | Come ottimizzare la Lead Generation durante eventi e webinar_Mar...
 
Planning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeshipsPlanning the future workforce - social workforce apprenticeships
Planning the future workforce - social workforce apprenticeships
 
Performance Persistence by Harvard Business School
Performance Persistence by Harvard Business SchoolPerformance Persistence by Harvard Business School
Performance Persistence by Harvard Business School
 
Benchmark job sharing
Benchmark job sharingBenchmark job sharing
Benchmark job sharing
 
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...
B com 2014 | Mobile App o Mobile Web? Qual è la soluzione migliore per il tuo...
 
Wat je kunt leren van een puppy
Wat je kunt leren van een puppyWat je kunt leren van een puppy
Wat je kunt leren van een puppy
 
E gov(korea)
E gov(korea)E gov(korea)
E gov(korea)
 
Listening sample task form completion
Listening sample task form completionListening sample task form completion
Listening sample task form completion
 
Digital camera1
Digital camera1Digital camera1
Digital camera1
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 

Similaire à Ijaci vol4 no1-maninbrowser

Mitm - Man in the Middle Attack & its Security
Mitm - Man in the Middle Attack & its SecurityMitm - Man in the Middle Attack & its Security
Mitm - Man in the Middle Attack & its SecurityDeepanshu Kapoor
 
IRJET- Cyber Attacks and its different Types
IRJET- Cyber Attacks and its different TypesIRJET- Cyber Attacks and its different Types
IRJET- Cyber Attacks and its different TypesIRJET Journal
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsAlexander Decker
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
Different Types Of Cyber Security Threats
Different Types Of Cyber Security ThreatsDifferent Types Of Cyber Security Threats
Different Types Of Cyber Security ThreatsDaniel Martin
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Conkarenahmanny4c
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxcroysierkathey
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Editor IJCATR
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdfVarinSingh1
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarMandy Cross
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social NetworkRubal Sagwal
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and ThreatsBPalmer13
 
Man in the middle attack .pptx
Man in the middle attack .pptxMan in the middle attack .pptx
Man in the middle attack .pptxPradeepKumar728006
 
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IJNSA Journal
 
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...cybluseo
 

Similaire à Ijaci vol4 no1-maninbrowser (20)

Cybersecurity -Terms.
Cybersecurity -Terms.Cybersecurity -Terms.
Cybersecurity -Terms.
 
Mitm - Man in the Middle Attack & its Security
Mitm - Man in the Middle Attack & its SecurityMitm - Man in the Middle Attack & its Security
Mitm - Man in the Middle Attack & its Security
 
IRJET- Cyber Attacks and its different Types
IRJET- Cyber Attacks and its different TypesIRJET- Cyber Attacks and its different Types
IRJET- Cyber Attacks and its different Types
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
 
E04 05 2841
E04 05 2841E04 05 2841
E04 05 2841
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
Different Types Of Cyber Security Threats
Different Types Of Cyber Security ThreatsDifferent Types Of Cyber Security Threats
Different Types Of Cyber Security Threats
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
 
9 3
9 39 3
9 3
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdf
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social Network
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
 
Man in the middle attack .pptx
Man in the middle attack .pptxMan in the middle attack .pptx
Man in the middle attack .pptx
 
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...
 
Cyber.pptx
Cyber.pptxCyber.pptx
Cyber.pptx
 
Mim Attack Essay
Mim Attack EssayMim Attack Essay
Mim Attack Essay
 
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...
Top Cybersecurity Threats For 2023 And How To Protect Your Organization With ...
 

Plus de Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowresHai Nguyen
 

Plus de Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 

Dernier

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Dernier (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Ijaci vol4 no1-maninbrowser

  • 1. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 29 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Keywords: Hacking, Internet Banking, Man-in-the-Browser, Man-in-the-Middle, Security 1. INTRODUCTION In network security terminology, “the Middle” is defined very broadly. In this sense it refers to the domain of action of Man in the Middle (MitM)attacks,inwhichanunauthorizedparty insertsthemselvessurreptitiouslyatsomepoint along the flow of communication between two or more parties. This is so as to gain the ability to monitor the information that is exchanged, and perhaps also to modify that information, generally without being discovered so doing (Tanenbaum & Wetherall, 2011). In theory, the attack can be performed at almost any point along the communication channel between the victims. The Man in the Middle may attack through a server they control at any point along the data channel, or anywhere along the wire that it is possible to arrange for a physical tap. In practice it is impractical to choose a server orwiresomewhereintheimmediatevicinityof a targeted party, and it would be ineffective to attack from somewhere at random in the web where traffic is subject to fluctuating routing tables. Therefore, this approach would usually be commenced with a phishing attack to trick the user into bridging the gap, which will be discussed. If either terminating machine is us- ing a wireless connection, the Man could also interpose himself between that machine and its associated wireless router, by picking up their outgoing signal and then posing as the user’s machine to the router. This would also work if they have control over a LAN device on the same bus as the user. The “Middle” described already encom- passes all points from the moment a signal leaves a machine at one end of a transaction right through until just before it reaches its Man in the Browser Attacks Timothy Dougan, University of Ulster, UK Kevin Curran, University of Ulster, UK ABSTRACT Man-in-the-Browser attacks are a sophisticated new hacking technique associated with Internet crime, es- pecially that which targets customers of Internet banking. The security community has been aware of them as such for time but they have grown in ability and success during that time. These attacks are a specialised version of Man-in-the-Middle attack, and operate by stealing authentication data and altering legitimate user transactions to benefit the attackers. This paper examines what Man-in-the-Browser attacks are capable of and how specific versions of the attack are executed, with reference to their control structure, data interaction techniques, and methods for circumventing security. Finally the authors discuss the effectiveness of counter- Man-in-the-Middle strategies, and speculate upon what these attacks tell us about the Internet environment. DOI: 10.4018/jaci.2012010103
  • 2. 30 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. destination. However, the Man could also breach the integrity of the signal before it even leaves the user’s PC, if he subjects the user to a Man in the Browser (MitB) attack. This is a more recent form of attack in which the user’s browser is corrupted in order to act as the tap in the information stream, an attack which “occurs at the system level, between the user and the browser, [rather than via] the protocol layer” (Litan & Allan, 2006). This, structur- ally speaking, is “a man-in-the-middle attack between the user and the security mechanisms of the browser” (Gühring, 2006). Therefore, in network security terms, “the Middle” is every point along the course an information transaction between the initial input and final output device (i.e., anything that is not a keyboard or a monitor etc). In this sense, the MitB attack is a special case of the MitM attack in which the intrusion occurs at the very nearest end of the middle to the user. 2. MitB IN TERMS OF MitM Let us begin by exploring the places in which MitB differs from MitM. Firstly, MitM inter- cepts data using an inserted or compromised pieceofhardwarethatisexternaltothetargeted system. MitB on the other hand gains access through the software configuration on that sys- tem, generally by way of a Trojan that targets the web browsers on that computer. Secondly, MitM either has to deal with messages that have already been protected by whatever security is associated with the con- nection (and read/alter them mid-flight in both directionsofcommunication),orhastopresent a plausible reason for the user to create their connectionwiththeattacker’sownserver.MitB does not need to bother with the extra work this entails. In the outward-bound direction, it is the author of all compromised messages sent. In the inward-bound direction, it does still have to deal with a fully formed message, but it does not need to be concerned with modifying the message itself so as to conceal its actions. This is because MitB directly controls the browser, and therefore needs only to modify the browser display to be as the user expects. Together this means that it works outside of any client-side and server-side encryption and validation, and therefore does not have to be concerned with increased latency arising from hashing overheads or to provide dummy keys for public key encryption. This implies another advantage of MitB over MitM, in that MitM is only guaranteed to be able to handle public key encryption (and this only up to a point as discussed in the section “Trust”), whereas MitB is “immune” to all forms of encryption, including symmetric key, by being external to it. Finally, MitM is onlytrulyeffectiveadirectedorlocation-based attack, whereas MitB can be spammed to as many computers as its Trojan is able to infect. If the access point of MitM were somewhere at random in the Internet, it is unlikely for it to be able to extract valuable data or make modifica- tions undetectably. This is because packets can be routed independently, so any data gleaned will probably be fragmentary, and replies to any fraudulent modified messages would not be guaranteed to pass through the same compromised point as the outgoing message, making concealment of modifications almost impossible. To maintain constant contact, the MitM attacker must either be physically close enough to the victim to capture their outgoing databeforeithastheopportunitytobifurcate,or trickthevictimintonavigatingtotheattacker’s own server that will act as a stable mid-point. Thiscompelstheattackertoeitherdirectly target or in some other way reach out to indi- viduals or groups, and means that this attack does not scale very well. On the other hand, the only such limitations on MitB are around the level of security that is installed on the systems it attacks or is practiced by the people who use them, and it scales very well. Where MitM is limited to a chosen few targets at a time (most effectively spread by mass spam emails with links to compromised sites), individual MitB Trojans are known to have compromised be- tween hundreds and hundreds of thousands of users’ security concurrently (Finjan, 2009;
  • 3. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 31 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Stone-Gross et al., 2009; RSA Fraud Action Research Labs, 2008; Murchu, 2009). Although their underlying technical structures are very different, this is not to say that MitB has little in common with MitM. Besides being based on the same principle of the addition of concealed third parties into the flow of transactions, both also have the same capabilities once inside the security provisions of a transaction and both are carried out for similarends.However,itisfairtosaythatMitB exceeds MitM in many ways. 3. MitB CAPABILITIES LeavingMitMbehindfornow,andleavinghow MitB technically accomplishes what it does until later, let us now consider MitB’s general capabilities (some of which may or may not be included in a given version of the attack, and which between versions will vary in method of implementation). These can be broadly classi- fied under five categories. MitB can: 3.1. Steal Data MitB’s control over the browser gives it the ability to collect information both passively by keylogging, and actively by phishing. Any data entered into the compromised browser is potentially available to the attacker, with the abilityforthemtoselectpreferreddatatostealas described below. In addition, and to get around the way in which many security conscious websiteslimittheamountofsensitivedatathey requestfromtheuser,MitBcanpromptforextra data by using its ability to modify the structure of pages displayed in the browser. 3.2. Modify Html Thisisreferredtoashtmlinjectionanditallows theattackertoalterthehtmlofapagebeforeitis senttothebrowserforinterpretation.Typically, this would be used in two ways – firstly, to add extra data entry fields that prompt the user to enter private information in excess of what is normally requested by a page, and secondly to modify server responses. Data field addition allowsformuchmorepowerfuldatacollection, especially if there are data entry fields that are usually obfuscated by a secure site with the intention of defeating keyloggers. Rather than try to defeat a virtual keyboard or a jumbled and/orpartialcharacter-by-characterpassword entry system (i.e., “enter the 3rd , 1st and 5th letter of your password”), this instead allows MitB to alter the login procedure so that the password is enteredin the clear, from whence it can be lifted directly as per the previous ability discussed. Modifying server responses allows MitB to cover its tracks by making the server responseappeartoagreewiththeusersoriginal intentions, which MitB may need to do, as it will sometimes modify data sent by the client to the server. 3.3. Modify Outgoing Data Just as MitB can modify the html that is shown to the user, its level of access also allows it to tamper with outgoing form data the user is submitting to a server. This allows for various fraudulent actions (usually in the context of internet banking) with the added advantage of the request originating with, and being largely composed by, the legitimate user of a web ser- vice. This makes the fraud very much harder to detect and therefore very much more likely not only to initially succeed, but also to remain undiscovered for long enough for the attacker to take advantage of it. 3.4. Choose Targets All of the foregoing is useful only if the MitB Trojan is able to identify what data it should tamper with or steal. Each version of MitB makes a list of items of interest available to its browser monitoring services. The members of this list will typically be used to select two dif- ferent types of data – either individual fields of interest by their proximity to certain keywords, or entire pages of interest by their residing in a chosendomain.Thedomain-targetedattacksare chosen for their value, and this targeting allows the fraud to be tailored to the specifications of
  • 4. 32 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. each chosen domain. For instance, is clearly not of use to perform html injection attacks as discussed above without knowing what to inject and where to do so. Attackers cannot expect inserting a “Please enter password/ email/D.O.B.” field at random into every page tobeverysuccessful.ThereforetheTrojanmust keep a catalogue of particular domains to pay extra attention to, which must include instruc- tionsastowhereandhowwithinthosedomains it should carry out its more sophisticated thefts and manipulations. This level of specificity, combined with instructions to limit non-explicit data theft to data fields that are labelled “Password”, “User Name”, “Email” etc acts to limit the amount of non-valuable data that is stolen. Such a provision is useful because, as implied above, individualimplementationsofMitBattackscan be actively stealing data from many thousands of users concurrently. This becomes an issue when you consider that all stolen data must be communicated back to the owner of the attack over a finite amount of available bandwidth. 3.5. Communicate with HQ There is no point in stealing data without hav- ing some way to retrieve it, so therefore it is a basic requirement of a data-stealing MitB at- tack is that there be a means whereby to extract stolen data.With this requirement of the ability to communicate externally a given, there are many other uses such a connection can be put to. Designating a command server and giving that server control over individual infected machines is a particularly valuable second- ary use of this ability as it allows for remote modification of the Trojan’s parameters and for the software version of the infection to be updated.This in turn enables MitB domain and field targeting to be improved, and provides a procedurebywhichnewfeaturesandtechniques can be added as they are devised. Furthermore, it may be useful to provide access to a server that carries modified security scripts to replace those that protect data in a secure site, tailored corporate image files if a phishing page is be- ing built from scratch, or precise instructions as to how the subsequent steps of the attack are to be carried out. This could be in order to facilitate more elaborate phishing attacks for Trojan implementations that do not have sufficient control over the browser to suppress “mixed content” warnings (that alert the user to the presence in a page of files coming from somewhere not covered by the certificate of the business site they are visiting), or simply to reduce overheads. It is more efficient to do this than to provide a Trojan with a library of instructions, scripts and images suitable to every eventuality. 4. HOW MitB IS PERFORMED We move now into the specifics of how these attacks are carried out. It is important to note at this point that a MitB attack is only one com- ponent in the arsenal of modern Trojans. These Trojans combine different techniques to gain access to and control over systems, maintain themselves and remain undetected. To discuss howaMitBattackiscarriedout,wewillexamine the MitB component of some well-known and widespread Trojans, with reference to the five categoriesdescribedabove.TheTrojanswewill use as examples are all botnets, which suits the remote-controlstyleallowedbyMitB.Theyare: 1. URLzone (a.k.a. Bebloh) – a sophisticated Trojan from the Ukraine focused on Ger- man banking (Finjan, 2009) 2. Torpig (a.k.a. Sinowal) – a flexible botnet that steals data mainly in the USA and Europe (Stone-Gross et al., 2009) 3. Zeus (a.k.a. Zbot, Kneber) – a very wide- spread Botnet that has also been very well covered by the media (Falliere & Chien, 2009) I will discuss each one with regard to the fiveaspectsexplained,andthenbrieflyhighlight notable features at the end.
  • 5. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 33 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. 4.1. URLzone Stealing Data URLzone is focused more on directly stealing money from victims, rather than stealing their data to sell or to use to commit fraud later on. Such data is still collected however, and I suppose why not? It will “log credentials and activitiesofbankaccounts,[...]takescreenshots of webpages, [and] log and report on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries” (Finjan, 2009). It monitors the system, and when a new instance of an application it knows how to attack be- gins, it uses API hooking to inject a DLL into the process and intercept system messages. Its primary targets were German banks, but given its level of access there was no reason for it not to steal available data while it was installed. “It limits itself to collect data that is sent by the user using POST method with less than 2,000 bytes” (Chechik, 2009) so as to evade notice by security applications, and only becomes active when the data returned to it are from specified domains. Modifying html URLzone makes most of its money through live modification of outgoing data, but this causes a problem for it.The fraudulent transac- tions it makes need to remain in place for long enough for the money to be transferred to a safe location, but if the customer notices that a modification has been made they will report it to the bank as fraud, which will in turn revoke the transaction. Therefore, the modification must be disguised from the victim, so that the server response will appear as they expect it to. More powerful versions of the data-selection scripts are used here to not only to recognize the critical fields in transaction logs, but also to substitute over these fields ex tempore in the raw html, injecting a copy of the original user submitted value of the field in place of the new and fraud-revealing value returned by the server. This requires that the Trojan have an excellent working knowledge of the format of the banking pages it targets, since there will be many fields per transaction, or transactions altogether, from which it must select one. Modifying Outgoing Data When the Trojan reports captured data from a targeted domain to its controller, the controller has the option to specify that an attack should be carried out. This decision is handled by automation at the server side, and is the only way in which URLzone will perform an active attack – the Trojan itself has no capacity to carry out this kind of attack on its own. This is beneficial in two ways – firstly it avoids the need for the Trojan to use local CPU cycles to compose attacks, and secondly it allows all at- tacks to be made with the latest specifications. That is to say, specifications can be altered at the server in immediate response to changes made in the target sites, and will be used im- mediatelywithoutrequiringtheTrojantoupdate its configuration files. Thespecificmodificationsmadearechosen verycarefullysoastomaximizetheprobability that the attack will succeed. Two data it will steal are the account balance and the maximum transaction allowed. From these it determines an amount that is close to (but slightly less than) the lesser of these two data, including a factor of randomization to deceive anti-fraud systems designed to notice suspicious patterns intransactions.Thisdeterminedamountisthen returnedfromtheservertotheTrojanalongwith a holding account controlled by the attacker to which this amount should be sent. These two fields overwrite those in the original form the victim intended to post, and then the form sent on to the bank, which is none the wiser as to the alteration. Choosing Targets The targeting is in two parts – selecting which field values to steal as determined by a local configuration file, and which site transactions toactivelyattackasdeterminedremotelybythe C&C server. Once again, this remote operation
  • 6. 34 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. allows the time taken to perform complex cal- culations to be independent of local hardware constraints, and any reduction in client-side processing will help the Trojan remain unde- tected by client-side security software. Lo- cally determined target fields are selected by comparing the originating domain of the stolen POST data to a list of domain name masks – if it matches, then the data is chosen and stolen. Communicating with HQ “The communication between the Trojan and the C&C server is conducted over HTTP, hav- ing the data XOR-encrypted” (Finjan, 2009). After initial configuration, all communication from the Trojan is triggered by the domain matching described. Unlike Torpig and Zeus, there is no regular contact with the server, and also unlike Torpig & Zeus, that server is hard coded(MCRC,2009)–alessflexibleapproach as we shall see. 4.2. Torpig Stealing Data Torpig “can inspect all the data handled by [programsoncompromisedmachines,including web browsers] and identify and store interest- ing pieces of information, such as credentials for online accounts and stored passwords” (Stone-Gross,etal.,2009)byusingDLLs,again injected through hooking. This is passive data theft in the same manner as used by URLzone, although not restricted to POST data, and in- cludingdataextractedfrombrowsers’password manager services and miscellaneous system data including Windows user account login passwords. Active data theft is also carried out bywayofphishingattacks,externallycontrolled asdescribedbelow.Theseattackstaketheform of novel pages injected to replace pages on the targetdomain,whichrequestuserdatainexcess ofthatwhichwouldberequestedbyalegitimate security conscious site. This goes beyond site- specific passwords, and may include personal details and multi-factor security components. These will be sent to C&C without any encryp- tion or input obfuscation; another advantage of creatinganewpageratherthanliftingdatafrom fields in current legitimate pages. Modifying html & Modifying Outgoing Data Since Torpig is solely concerned with data theft, it does not modify outgoing data. Since it does not modify outgoing data, it does not need to hide its tracks, and only html modifica- tion it makes is to create phishing pages. This can be achieved trivially, since the injection server returns to the Trojan a URL to a fully formed version of the novel page, which can then be directly substituted for the content of the legitimate page it is replacing. Choosing Targets Targets are chosen in the same way as Torpig picks what POST data to steal – domains of interest are listed in the configuration file ob- tained from the C&C server, and all data the user enters there is stolen. Communicating with HQ The bot sends the accumulated data it has sto- len at fixed intervals, and all communication between Torpig C&C and its bots is carried out over HTTP POST messages encrypted with Torpig’s own base64 + XOR encryption algo- rithm, using a symmetric key sent in the clear (Stone-Grossetal.,2009).Torpigisparticularly notable, and follows a current trend, in that it does not report to a static server in the same way that URLzone did. Based on an algorithm that uses different pieces of date information it generates a list of addresses of potential C&C servers. It then starts from the top of the list sendingrequeststotheseputativedomainsuntil itreceivesavalidC&Cresponse,atwhichpoint therespondingserverbecomesthecontrolserver forthatbotuntilthenextscheduledswitchover. The attackers have the means to generate the same list, and can register some or all of the domains listed in advance, which is very clever because it removes the single point of failure
  • 7. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 35 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. that was exposed by URLzone. The addresses can be linked to a physical server of the at- tacker’s choosing, and if one address is taken down,Torpigwillautomaticallyrunthroughthe rest of the list until it reaches the next domain attached to a C&C server. Likewise, if a C&C server is taken down, the currently registered addresses can be assigned to a new server and the botnet can continue about its business in the same way.1 4.3. Zeus Stealing Data Zeus steals data according to both hard-coded general practices and configurable selection. It will lift passwords stored in insecure local repositories such as Windows Protected Stor- age, and any login data that is handled in an insecure manner, i.e., sent without encryption. The configuration will additionally allow the attacker to nominate domains from which Zeus should intercept all user input prior to encryp- tion, which can then be forwarded to C&C. In this way, it is like a middle ground between URLzone and Torpig. It has some extra capa- bilities as well, in that it can be configured to capture screenshots upon mouse click events on pages in target domains, and has “a special- ized routine that allows you to configure match patterns to search for transaction numbers in datapostedtoonlinebanks.Thematchpatterns include values such as the variable name and length of the TAN.” (Falliere & Chien, 2009) This latter is especially powerful, asTANs (TransactionAuthenticationNumbers)areoften used to provide the second part of two-factor authentication, which has been successful in preventing fraud from credential theft, since each TAN expires after a single use. Attacks that steal this data must have some way of dealing with its expiration, and so will usually replacetheuser’sTANwitharandomlychosen incorrect alternative – I cannot find a source to confirm that this is true also for Zeus, but it seems likely that is how it operates. What makes this “TANGrabber” routine particularly useful is that Zeus does not need explicit data about where it should expect to find the TAN in user input, but rather can identify TANs by certain shared attributes and harvest as many as it comes across. Modifying html Zeus performs html injection in the same way that URLzone does, and for the same reason that Torpig does. Based on a configured basic understanding of pages on targeted sites, Zeus inserts single or multiple fields into otherwise legitimate pages. The way it does so is fully customizable, and has the benefit of brevity in that only a small change is required, rather than havingtorequestanentirepageofhtmlfroman injection server – the overhead is low enough that it can be carried out client-side. The field willusuallybesetuptorequestextraauthentica- tion data such as sought by Torpig, which will be input in the clear and can be siphoned off directly to C&C. It can also “modify or hijack JavaScript that is used for client side security purposes” (Falliere & Chien, 2009) in the same way, in order to bypass a site’s security. Modifying Outgoing Data Zeus, like Torpig, is only concerned with data theft, and so does not perform any real-time attacks.Theonlyminoroutgoingdatamodifica- tion it makes is substitution of chosen URLs in DNS requests in order to carry out traditional phishing attacks. Choosing Targets All targeting is handled through two libraries of filters, which it compares against the URLs visited by the browser in a similar manner as in Torpig’s target selection. These are either general masked domain names from which all user data is lifted (“WebFilters”), or URL masks associated to pieces of text that must be present in a user submission for Zeus to select it for appropriation.
  • 8. 36 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Communicating with HQ ZeuscommunicateswithC&CviaPOSTedmes- sagessimilarlytoTorpig,butdoessowhenever it has data to send as well as at timed intervals – it does not allow data to accumulate at client side. Server responses from Torpig offer some control over its bots, but Zeus has a great deal more. It can order various functions from C&C varying from stealing extra files, through to re- bootingtheinfectedmachine,andevendeleting Windows’system322 .Thiscontrolcomesmore from Zeus’ aspect as a full botnet suite rather than anything pertaining to MitB, but says a lot about how evolved and powerful Zeus is. Combined with the wideness of its infection, thisisprobablywhyZeushasreceivedsomuch more media attention than other botnets. 4.4. General Characteristics & Techniques It should be clear from the limited sample ex- plored that a great many different techniques are available to support, carry out and take advantageofMitBattacks.Onequestionraised by this array of tools and techniques again regards definitions. At what points does MitB begin and end? Many of the functions carried outinfurtheranceoftheattackdonottakeplace “in the Browser”, and the ways in which the browser can be compromised (though touched ononlylightlyhere)aremanyandvaried.They include API hooking and custom scripting as discussed,DocumentObjectModelexploitation via Browser Helper Objects and Extensions, and even full virtualization (although this is only speculated by Gühring and seems not to have occurred in practice yet.) Because of this, it is probably fairer to see MitB as a Trojan tool rather than a Trojan type. Most of what these MitB implementations have in common are intentions, and general abstract concepts under which to perform their attacks (substitution, misdirection, intelligent selection etc). Where they differ is in terms of technical execution as in the preceding para- graph,andinwhereandwhomtheytarget.Bank- ing customers in Europe and North America are definitely the primary targets, but the long tail of less profitable data theft extends across a broad range of other private data, which can either be abused directly or sold. 5. HOW MITB CAN BE STOPPED Despite being perhaps the most important sec- tion in this paper, it will also be the shortest, as thereisonlyonecurrentlylong-termguaranteed way to defend against MitB, and even that will cease to be so in time. Different companies endorse different (proprietary) methods of de- tection and prevention. Entrust (2010) advise the use of behaviour monitoring tools that can detect suspicious user actions, but this can be defeated by intelligent MitB programming that includes pseudorandom and conservative decision trees. More sophisticated monitoring would lead to more sophisticated decision trees, an arms race in which many would not be protected whenever attackers temporarily gained the upper hand. TriCipher (Litan & Allan, 2006) offers multifactor authentication, which has already been defeated in one form or another by all three Trojans of the case studies. Arcot(2010)offersdigitalsigningembeddedin Adobe Systems clients (which will inevitably transfertheproblemfromMan-in-the-Browser to Man-in-the-Adobe) and Virtual Private Ses- sions that rely on returning confirmation in a human-readablebutobfuscatedstateinanimage file. This latter may or may not work for now, butwillalsoinevitablybeovercomeasmachine reading improves and cracks are found in their proprietary security. The only thing guaranteed to work, ad- mirable also for its simplicity, is out of band confirmation. The Arcot whitepaper trashes OOB authentication via passcode, but does not allow for OOB reporting (via either automated phonecallortextmessage)thatprovidestheuser with a précis of all transactions their accounts attempt,andpreferablytheoptiontoconfirmor reject.Therearetwoproblemswiththis(setting
  • 9. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 37 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. aside the possibility that attackers could steal phone details and then hack personal phones, but if that has happened to you then you have biggerproblemsthanbankingfraud),whichare: 1. It costs money, and unlike other paid-for solutions, this cost scales with the level of use. 2. It takes Internet banking (and whatever other forms of Internet transaction you wish to protect) at least partially off the Internet, which rather defeats the point of having them on the Internet in the first place. It is probably reasonable to hope for an intelligent and satisfying solution at some time in the future, but one does not appear to be available at this time. Of course, if web us- ers did not get malware infections then there would not be an issue, but this is unlikely to ever come about. 6. CONCLUSIONS & CONSEQUENCES Thereissomeconfusionofterminologyaround MitB. Some sources (Entrust, 2010; Mushaq, 2010) define MitB as any attack that uses browser infection. This occurs even though MitB may only account for one facet of a multi-part attack, one technique in the arsenal of a Trojan. Others (Falliere & Chien, 2009; Stone-Gross et al., 2009) tend to brush over the MitB aspect of a piece of malware, or use it as another word for phishing. It is in any case a subtle and powerful technique, which gives criminals access to a great deal of opportunity for profit. Furthermore, the sophistication of MitB attacks has grown over time, and can be expected to continue to grow as time passes (Imperva, 2010). Security solutions will need to improve similarly, and meanwhile, many people are going to be swindled. The best way to improve security until the industry catches up is to practice good computer hygiene and if possible to keep valuable transactions at least partially off the Internet. In short, an improved level of user edu- cation regarding the dangers of the Internet would be effective at preventing most types of client-side attack, but such caution as would be taken in response to education is lacking among many. On the one hand, you could see the increasing general aptitude among many who access the Internet at providing basic data sanitation for their devices as a sign that improved understanding over time will solve this problem. On the other hand, you could ac- cept that no amount of education will provide protection to the percentage of people who are not willing or able to keep up with changing trends and practices in computing. It follows that these people are exactly the ideal targets for this type of fraud – in effect, distribution of aptitude focuses the attacks upon those least abletoprotectthemselvesagainstthem.General understanding must and will improve, and will help, but will not be a solution. One of the consequences of MitB can be seen by contrast to the effectiveness of one techniquesuccessfulindefeatingMitM–certi- fication.Thisworksbyallowingcommunication betweenclientandservertobeencryptedusing public key cryptography, based on keys from certificates provided by the server, which are themselves issued by CertificationAuthorities. These authorities are themselves certified by other bodies, which are in turn also certified, creating a chain of trust that leads back to a small number of internationally recognised (and browser hard-coded) authorities that can usually be relied upon (Hallam-Baker, 2011) to vouch only for trustworthy servers. However, certification of this type only protects a data stream after it leaves the user’s browser, and doesnothaveanycontroloverhowthatbrowser displays any server response. MitB bypasses this security entirely, since it has access to data before encryption, and has control over what thebrowserdisplaysafteraserverresponsehas been decrypted. MitBunderminesthereliabilityofsecurity inthiswaywithregardstoalloftheotherforms
  • 10. 38 International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. of security ineffective against it. It is clear that the possibility of MitB weakens the trust that a user can have in the integrity of their system, but it also weakens the trust that the server can have in the authenticity of messages received from clients. This two way weakening is an obstacle that will need to be overcome in the future, since the establishment of mutual trust is one of the main impediments to growth in the utility of the Internet. “Cybercriminals” are getting better at cybercrime, especially as Computer Science education spreads in 2nd and 3rd world countries with less than stringent Internet law enforce- ment. The examples taken above all seem to have originated in Soviet Bloc countries, but similar attacks have been identified from all over the world, including even the well known “Nigerian Prince” scam. A consequence of the InformationEconomy,insofarasinformationis veryeasytomovefromplace,isthattraditional borderstothescalabilityofsometypesofcrime will be eroded in the same way as has happened fortheborderstosometypesoflegitimatebusi- ness.Therefore, we can expect to see a superior successor in some form to MitB as MitB was to MitM, and thence onward – also we can expect these attacks to become increasingly successful and costly. REFERENCES Arcot. (2010). Protecting Online Customers from Man-in-the-BrowserandMan-in-the-MiddleAttacks. Retrieved from Arcot Resources - Briefs and White PapersforOnlineIdentityFraudProtectionwebsite: http://www.arcot.com/resources/docs/ Protection_ from_MITM_&_MITB_Attacks_White_Paper.pdf Chechik,D.(2009,September30).MalwareAnalysis – Trojan Banker URLZone/Bebloh. Retrieved April 5, 2011, from M86 Security Labs website: http:// labs.m86security.com/ 2009/09/malware-analysis- trojan-banker-urlzonebebloh/ Entrust. (2010). Defeating Man-in-the-Browser. Retrieved April 3, 2011, from Internet Security and Encryption White Papers website: http://www. entrust.com/resources/download.cfm/24002/ Falliere, N., & Chien, E. (2009). Zeus: King of the Bots.RetrievedfromSecurityResponseWhitepapers SymantecCorp.website:http://www.symantec.com/ content/en/us/ enterprise/media/security_response/ whitepapers/zeus_king_of_bots.pdf Finjan.(2009,July).CybercrimeIntelligenceReport, Issue no. 3. Retrieved March 20, 2011, from M86 Securitywebsite:http://www.finjan.com/GetObject. aspx?ObjId=679 Gühring, P. (2006, September 12). Concepts against Man-in-the-Browser Attacks. Retrieved March 3, 2011, from CAcert.org website: http://www2.fu- tureware.at/svn/sourcerer/CAcert/SecureClient.pdf Hallam-Baker, P. (2011, March 23). The Recent RA Compromise. Retrieved March 25, 2011, from Comodo Blogs website: http://blogs.comodo.com/ it-security/data-security/the-recent-ra-compromise/ Imperva. (2010, November 16). Top ten security trends for2011. Retrieved from Continuity Central website: http://www.continuitycentral.com/fea- ture0830.html Litan,A.,&Allan,A.(2006,September12).Threats: Man in the Browser. Retrieved April 10, 2011, from Tricipherwebsite:http://www.tricipher.com/threats/ man_in_the_browser.html MCRC. (2009, July 22). How a cybergang oper- ates a network of 1.9 million infected computers. Retrieved April 2011, from SecureTweets Blog website:http://www.finjan.com/SecureTweets/Blog/ post/ How-a-cybergang-operates-a-network-of-19- million-infected-computers.aspx Murchu, L. O. (2008, January 8). Trojan.Silent- banker Technical Details. Retrieved April 3, 2011, from Symantec Security Response website: http:// www.symantec.com/security_response/ writeup. jsp?docid=2007-121718-1009-99&tabid=2 Mushaq,A.(2010,February19).ManintheBrowser: InsidetheZeusTrojan.RetrievedApril9,2011,from threatpost: Kaspersky Lab Security News Service website: http://threatpost.com/en_us/blogs/man- browser-inside-zeus-trojan-021910 RSA FraudAction Research Labs. (2008, October 31). One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. Retrieved March 15, 2011, from Speaking of Security – The RSABlogandPodcastwebsite:http://blogs.rsa.com/ rsafarl/one-sinowal-trojan -one-gang-hundreds-of- thousands-of-compromised-accounts/
  • 11. International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012 39 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Stone-Gross,B.,Cova,M.,Cavallaro,L.,Gilbert,B., Szydlowski, M., Kemmerer, R., et al. (2009). Your Botnet is My Botnet: Analysis of a Botnet Takeover. RetrievedApril2,2011,fromTakingovertheTorpig botnet website: http://www.cs.ucsb.edu/~seclab/ projects/torpig/torpig.pdf Symantec. (2009). Zeus: King of the Bots. Retrieved April 5, 2011, from Security Response Whitepapers SymantecCorp.website:http://www.symantec.com/ content/en/us/enterprise/media/ security_response/ whitepapers/zeus_king_of_bots.pdf Tanenbaum, A. S., & Wetherall, D. J. (2011). Com- puter Networks (5th ed.). Boston, MA: Pearson. ENDNOTES 1 Note however that this is how Stone-Gross et al. were able to hijack the Torpig botnet. Note too that because the domain selection algorithm can be changed, they were only able to maintain control for 10 days. 2 Whichwillnotmakeyourcomputerrunfaster, despite what you may have heard. Kevin Curran BSc (Hons), PhD, SMIEEE, FBCS CITP, SMACM, FHEA is a Reader in Com- puter Science at the University of Ulster and group leader for the Ambient Intelligence Research Group. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. Dr. Curran has made significant contributions to advancing the knowledge and understanding of computer networking and systems, evidenced by over 650 published works. He is perhaps most well-known for his work on location positioning within indoor environments, pervasive computing and internet security. His expertise has been ac- knowledged by invitations to present his work at international conferences, overseas universities and research laboratories. He is a regular contributor to BBC radio & TV news in the UK and is currently the recipient of an Engineering and Technology Board Visiting Lectureship for Ex- ceptional Engineers and is an IEEE Technical Expert for Internet/Security matters. He is listed in the Dictionary of International Biography, Marquis Who’s Who in Science and Engineering and by Who’s Who in the World. Dr. Curran was awarded the Certificate of Excellence for Research in 2004 by Science Publications and was named Irish Digital Media Newcomer of the Year Award in 2006. Dr. Curran has performed external panel duties for various Irish Higher Education Institutions. He is a fellow of the British Computer Society (FBCS), a senior member of the Association for Computing Machinery (SMACM), a senior member of the Institute of Electrical and Electronics Engineers (SMIEEE) and a fellow of the higher education academy (FHEA). Dr. Curran’s stature and authority in the international community is demonstrated by his influence, particularly in relation to the direction of research in computer science. He has chaired sessions and participated in the organising committees for many highly-respected in- ternational conferences and workshops. He is the Editor-in-Chief of the International Journal of Ambient Computing and Intelligence and is also a member of 15 Journal Editorial Committees and numerous international conference organising committees. He has served as an advisor to the British Computer Society in regard to the computer industry standards and is a member of BCS and IEEE Technology Specialist Groups and various other professional bodies.