Tel.+41 55-214 41 60 Fax+41 55-214 41 61 [email protected] www.csnc.ch Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil
Security Evaluation
CLX.Sentinel
October 15th, 2009
Walter Sprenger
[email protected]
CLX.Sentinel::Compass Statement
Compass Certification of CLX.Sentinel
To the best of its knowledge, Compass is not aware to this date of alternative solutions and products which can match the range and strength of the CLX.Sentinel protection mechanisms implemented to safeguard Internet-based e-banking transactions.
© Compass Security AG www.csnc.ch Slide 3
CLX.Sentinel::Agenda
Main Threats to eBanking
Compass Security Tests
Results
CLX.Sentinel::Man In The Middle
Offline Phishing
CLX.Sentinel::Man in the Middle
Phishing
User receives email with URL or clicks on link on blog, social network etc.
User is motivated to connect to a spoofed eBanking web page
Offline Attack
Hacker captures login information
An error page is displayed to the user (eBanking out of service)
Hacker uses login information to login to the real eBanking
Online Attack
The traffic between the user and the eBanking is redirected through the hacker's proxy
The hacker waits until the user logs in to the eBanking
The hacker modifies the data transferred or
CLX.Sentinel::Client Attacks
Simple Trojans
Limited to a handful of eBanking applications
Steal username, password and one time password
Steals session information and URL and sends it to attacker
Attacker imports information into his browser to access the same account
Generic Trojans
In the wild since 2007, but still in development
Can attack any eBanking (and any web application)
New configuration is downloaded continuously
Targeted Trojans
May attack new security features like SMS Authentication, USB Sticks, SmartCards
CLX.Sentinel::eBanking Trojan News
URLZone Trojan
Installation
Distribution with LuckySpoilt crimeware toolkit ($100-$300)
Infects legitimate websites
Drive-By Installation in Firefox, IE6, IE7, IE8, Opera
Functionality
Replaces transaction in browser on the fly
Modifies bank balance screen and transaction screen
Hides from fraud detection systems
Sends screen shots of logged in user to control server
Communication over HTTP to receive new commands
Test Procedure
CLX.Sentinel::Test Procedure
Test Cases
Implementation Tests
Static Reverse Engineering
Dynamic Reverse Engineering
Memory Dumping
Sniffing communication (USB/Network)
Binary manipulation
Process Injection Techniques
Sending KeyStroke
Screen Capturing
Keystroke Capturing
Access Certificate directly
Man in the Middle Attacks
DNS spoofing
Redirection/Cross Site Scripting Attacks
Plugins/Extensions Tests
Zero Footprint Tests
CLX.Sentinel::TestCase SmartCard
TestCase:
Read PIN from Keyboard or display spoofed PIN dialog
Access SmartCard directly using the SmartCard API/Driver
Remediation:
Anti-Keylogging
Use Customized CardAPI
Hash PIN entered
CLX.Sentinel::MemoryDump
TestCase:
Dump memory to file
Search for session cookie in dump file
Use session cookie to access eBanking
Remediation CLX.Sentinel:
Encrypt memory
Remediation eBanking:
Bind TLS and application session
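As an added illustration of the "bind TLS and application session" remediation (this is not code from the original evaluation, from CLX.Sentinel or from the bank), the following Python server-side session store ties each application session to the client-certificate fingerprint of the mutual-TLS channel, so a cookie lifted from a memory dump and replayed over another connection is rejected and revoked. The certificate bytes, the TTL and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample "client certificates"; in a real deployment these are the DER
# bytes of the smart-card certificate presented in the mutual TLS handshake.
USER_CERT_DER = b"constructed-der-bytes-of-legitimate-user-cert"
ATTACKER_CERT_DER = b"constructed-der-bytes-of-attacker-cert"

class BoundSessionStore:
    """Binds each application session to the TLS channel it was created on
    (channel identity = SHA-256 fingerprint of the client certificate). A cookie
    lifted from a memory dump and replayed over another TLS connection is rejected."""
    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (channel fingerprint, expiry time)

    @staticmethod
    def channel_id(client_cert_der):
        return hashlib.sha256(client_cert_der).hexdigest()

    def create(self, client_cert_der, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256-bit random session id
        self._sessions[sid] = (self.channel_id(client_cert_der), now + self.ttl)
        return sid

    def validate(self, sid, client_cert_der, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        fingerprint, expiry = entry
        if now > expiry:
            self._sessions.pop(sid, None)  # expired
            return False
        if not hmac.compare_digest(fingerprint, self.channel_id(client_cert_der)):
            self._sessions.pop(sid, None)  # cookie replayed from another channel: revoke it
            return False
        return True

def demo():
    """Legitimate use succeeds; the replayed cookie fails and the session is revoked."""
    store = BoundSessionStore()
    sid = store.create(USER_CERT_DER, now=1000.0)
    legit = store.validate(sid, USER_CERT_DER, now=1001.0)
    replay = store.validate(sid, ATTACKER_CERT_DER, now=1002.0)
    after_replay = store.validate(sid, USER_CERT_DER, now=1003.0)
    return legit, replay, after_replay
```

Revoking the session on a channel mismatch also cuts off the legitimate user, which is the intended failure mode: a replayed cookie is evidence of compromise and should trigger re-authentication with the smart card.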
CLX.Sentinel::Screenshots
Browser
PDF Viewer
PIN Entry
Results
CLX.Sentinel::eBanking Architecture
Protecting the weakest component
Bank: WebApp Security and Firewalls (Network/Application)
Network: SSL Encryption with Mutual Authentication
CLX.Sentinel: Protects Customer environment
CLX.Sentinel::App Virtualization
Secured Application/Virtualization
[Figure: Secured Application/Virtualization. Four layered stacks (HW, OS, API, Browser, Apps) compared side by side: No virtualization; Application Protection; Application and API Protection; OS Virtual Machine (CLX.Sentinel).]
CLX.Sentinel::Results
General
The specified security features have been implemented and a very good protection level has been reached
Protection against Man in the Middle/Phishing
Mutual Authentication with Smart Card Certificate
Access Control List prevents connection to fake webservers/proxies
Server Certificate and IP-Address Verification
Protection against Trojan
SSL Stack implemented in Binary
Checksums and Signatures
Binary and Memory Encryption
Anti Reverse Engineering and Anti Debugging Techniques used
CLX.Sentinel::Results
Other Protection Features
Anti Screen Capturing
Anti Keystroke Logging
Disable Application Steering
Prevents Resource Manipulation
PIN/PUK Hashing
Limited Browser functionality
Secure Updates
Only signed updates possible
CLX.Sentinel::Results
Residual Risks
The hardened browser is software that runs in a potentially unsafe environment
An attacker could order CLX.Sentinel and invest a lot of time to reverse engineer the software
The attacker could then write a Trojan that specifically attacks CLX.Sentinel
Probability
Hackers like to choose the easiest way. As long as there are much weaker eBanking systems, it is unlikely that hackers will invest in this difficult and time-consuming attack.
CLX.Sentinel::Statement Compass
Why is eBanking safer with CLX.Sentinel?
The user is familiar with browsers and USB sticks
Strong authentication and session binding with SmartCard
Only access to eBanking sites possible
Not a monoculture browser (highly customized)
Defends against current trojan technology
Can be updated with new protection mechanisms