
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Followup on the Trust Broker Problem

Our recent post on the Bank of India hack drew some heated defence from several of the trust-broking vendors whose products failed to identify the attack; some went so far as to claim that our original article was inaccurate.

In the case of one particular vendor, it appears that their system triggers only if the iframe actually succeeds in loading malicious code. By the time the various systems were tested, the site targeted by the iframe had been taken offline, but the Bank of India site was still attempting to load the code (as the original article explained).

Even if the site pointed to by the iframe is offline, the presence of a hidden iframe pointing to a site that cannot be loaded should itself be a trigger that the original site has been compromised. Until the hidden iframe is removed, the site cannot be declared clean. Beyond that, few details are available about how the attacker gained access to the Bank of India site, or whether that access has since been revoked.

While the vendor in question believes this is correct behaviour for their tool, we believe it is misleading to mark a site that is trying to load malicious code (and failing) as safe. It also means that an attacker who can turn the attack on and off at will, simply by temporarily disabling the remote server, has the greatest chance of bypassing this toolset, and others like it. The increasing use of targeted attacks and highly mobile malware-hosting sites is making this sort of tool less and less effective.
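To make the distinction concrete, here is an added example (not code from the original post, nor from any vendor's tool) of the structural check described above: it flags a hidden iframe pointing at a foreign host without ever fetching the target, so switching the payload server off does not make the page look clean. The sample page, the `example-bank.test` host and the `198.51.100.7` address are constructed for illustration, and `payload_reachable` merely simulates whether the remote code would have loaded.

```python
"""Structural check for hidden iframes that does not depend on the payload loading.

Added example, not code from the original post or from any vendor's tool.
The page, host names and IP address below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Valueless attributes such as a bare 'hidden' arrive with value None.
            self.iframes.append({name: value for name, value in attrs})


def _pixels(value):
    """Leading integer of a width/height attribute ('0', '1px', '600') or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe is sized or styled so the visitor never sees it."""
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        px = _pixels(attrs.get(dim))
        if px is not None and px <= 1:
            return True
    return bool(HIDDEN_STYLE_RE.search(attrs.get("style") or ""))


def find_hidden_iframes(html, page_url):
    """Return hidden iframes whose src points at a host other than the page's own.

    Nothing is fetched: the finding stands whether or not the remote server is
    currently answering, so taking the payload host offline does not make the
    page look clean.
    """
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host and is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


def verdicts(html, page_url, payload_reachable):
    """Compare the two policies discussed above.

    'load_only' mimics a tool that flags the page only when the iframe's payload
    actually loads (payload_reachable simulates that outcome); 'structural'
    flags on the presence of the hidden iframe itself.
    """
    hidden = find_hidden_iframes(html, page_url)
    load_only = "malicious" if hidden and payload_reachable else "safe"
    structural = "compromised" if hidden else "clean"
    return load_only, structural


# Constructed sample: a legitimate same-site frame plus an injected zero-size
# frame pointing at an attacker-controlled address (hypothetical values).
SAMPLE_PAGE = """<html><body>
<h1>Welcome to Example Bank</h1>
<iframe src="https://example-bank.test/rates" width="600" height="400"></iframe>
<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>"""
SAMPLE_URL = "https://example-bank.test/"

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE, SAMPLE_URL))
    print("payload offline :", verdicts(SAMPLE_PAGE, SAMPLE_URL, payload_reachable=False))
    print("payload online  :", verdicts(SAMPLE_PAGE, SAMPLE_URL, payload_reachable=True))
```

With the payload host offline the load-only policy reports "safe" while the structural check still reports "compromised"; only the latter survives an attacker toggling the remote server. The same-host exclusion is a deliberate simplification: a hidden same-origin frame can be legitimate, whereas a zero-size frame to an unrelated host on a bank's front page has no benign explanation.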

There was also some complaint about what it means to be a 'Trust broker'. Whether a tool relies on a database of known sites or on real-time analysis does not matter in how it is classified. If the tool is used to give a site visitor an indication of how reliable or safe a site is to visit, it becomes an arbiter of what is trustworthy, and the vendor is thus a 'Trust broker'.

It is reassuring to see comments from other vendors acknowledging that their current products might have failed in this case, but that their next generation of products should be able to catch incidents like this. Others have helpfully pointed out that their products, while not tested in this particular case, were able to flag the site.

3 September 2007
