When SSL Isn't Going to Save You
After many years of effort from InfoSec and general IT people, users are getting a better grasp on the importance of looking for the little lock icon in their browser and https at the start of the URL before they enter sensitive personal or financial information online. The more involved step of checking the validity of the SSL certificate hasn't caught on as much, but most browsers will alert the user when the certificate has expired, was issued by an authority the browser does not trust, or does not match the hostname of the site being visited.
This improvement in user awareness is a wonderful thing; however, all it means is that the user is applying greater scrutiny to an established connection between their system and a website. Malware authors and attackers trying to recover sensitive details from a user have a much simpler means of doing so: compromising either end of the connection. There is still a small place for MITM attacks against the connection itself, but they are the hard way in. Remote website compromise is a topic that has had recent coverage, and it is a problem the user can do little about. Disaffected insiders and motivated external attackers pose real problems for users of popular sites, and unfortunately such compromises are not uncommon.
The end user's own system can be compromised just as easily, and it is at this point that the user's sensitive data is most likely to be captured. Modern browsers make a range of efforts to limit the amount of time that information being passed to a secured website spends in an unencrypted state, but once malware is present on the user's system it becomes very difficult to prevent the loss of sensitive information: the data has to exist in plaintext inside the browser before it is encrypted for the wire, and anything running in that process can read it there.
Didier Stevens has written a straightforward article that describes how simple it is to capture information passed in Internet Explorer's HTTPS requests even when the user is not running as an Administrator or any other elevated account. All it requires is for malicious software to be running under the same user account at the same time as the user is visiting websites over a secure connection; the malware hooks the browser's own code and reads the request data before the SSL layer encrypts it. As Didier points out, the process of capturing this information is disturbingly easy. While the technique exactly as described by Didier has only just been published, capable malware authors have been well aware of process hooking for years, and it is reasonable to assume that if a system has been compromised by malware, then ANY information passed to and from the Internet can be read by that malware, whether or not the connection uses SSL.
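To make the mechanism concrete, the following is an added example written for this page; it is not Didier Stevens's code and does not reproduce the specific functions he hooks. It models the most common user-mode hooking approach, overwriting a function pointer that the target code calls through (the way a Windows module reaches an imported DLL function via its Import Address Table), using a constructed stand-in for a browser: `browser_submit_login`, `real_send_request`, the `import_table` structure and the XOR "encryption" are all hypothetical, as is the `bank.example` host and the alice/hunter2 credential. The "malware" half runs as ordinary code in the same process, needs no elevated privilege, captures the plaintext form body before the stand-in encryption runs, and passes the call through so the request still completes. `iat_is_intact` is the kind of pointer comparison an anti-malware scanner makes to detect the hook.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* ---- "Browser" side (constructed stand-in for a real browser module) ---- */

/* Signature of the function the browser hands a request body to just before
 * the TLS layer encrypts it. Hypothetical; not a real WinINet/SChannel API. */
typedef size_t (*send_request_fn)(const char *host, const char *body, size_t len);

/* Genuine implementation. The body arrives here in plaintext; the XOR loop
 * stands in for TLS record encryption so the example runs offline. */
static unsigned char g_wire[256];
static size_t real_send_request(const char *host, const char *body, size_t len)
{
    (void)host;
    size_t n = len < sizeof g_wire ? len : sizeof g_wire;
    for (size_t i = 0; i < n; i++)
        g_wire[i] = (unsigned char)body[i] ^ 0x5A;
    return n;
}

/* The browser reaches the function through a table of pointers, as a Windows
 * module reaches an imported DLL function through its Import Address Table.
 * The table is ordinary writable memory belonging to the process. */
struct import_table { send_request_fn send_request; };
static struct import_table g_iat = { real_send_request };

/* What the browser does when the user submits a login form. */
size_t browser_submit_login(const char *host, const char *user, const char *pass)
{
    char body[256];
    int n = snprintf(body, sizeof body, "user=%s&pass=%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof body)
        return 0;
    /* Indirect call: whatever pointer sits in the table runs here. */
    return g_iat.send_request(host, body, (size_t)n);
}

/* ---- "Malware" side: code running in the same process, as the same user ---- */

static send_request_fn g_original;   /* saved so the hook can pass through */
static char g_captured[256];         /* last plaintext body seen by the hook */

static size_t hooked_send_request(const char *host, const char *body, size_t len)
{
    size_t n = len < sizeof g_captured - 1 ? len : sizeof g_captured - 1;
    memcpy(g_captured, body, n);
    g_captured[n] = '\0';
    /* Call the real function so the request still goes out and the user
     * sees nothing unusual; the lock icon is unaffected. */
    return g_original(host, body, len);
}

/* Installing the hook is a single pointer write: no administrator rights,
 * no kernel driver, and no tampering with the SSL connection itself. */
void malware_install_hook(void)
{
    g_original = g_iat.send_request;
    g_iat.send_request = hooked_send_request;
}

void malware_remove_hook(void)
{
    g_iat.send_request = g_original;
}

const char *malware_captured(void)
{
    return g_captured;
}

/* ---- Check: the table should still point at the genuine function. This is
 * the comparison a scanner or self-protecting application makes. ---- */
int iat_is_intact(void)
{
    return g_iat.send_request == real_send_request;
}

int main(void)
{
    browser_submit_login("bank.example", "alice", "hunter2");
    printf("before hook: iat intact=%d captured=\"%s\"\n",
           iat_is_intact(), malware_captured());

    malware_install_hook();
    browser_submit_login("bank.example", "alice", "hunter2");
    printf("after hook:  iat intact=%d captured=\"%s\"\n",
           iat_is_intact(), malware_captured());
    return 0;
}
```

Real hooks reach the same end by other means (patching the first bytes of the target function, replacing a vtable entry, or injecting a DLL that does the pointer swap), but the security property is identical: the write happens inside the user's own process at the user's own privilege level, and the certificate, the lock icon and the encrypted channel are all still perfectly valid afterwards.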
If you use your system for any online financial activity, or for any activity that requires the provision of sensitive details, it is prudent at least to run regular antivirus and antimalware scans with a regularly updated suite of tools. There is still a real risk that the end user will end up compromised anyway; it happens to the best of them, and the lock icon will give no warning when it does.
21 March 2008