Secure Mobile Applications, part 3 – Bringing it all together!



Using passwords for authentication

Recently when researching for my Master's project I came across some studies about users and password use.  I think we now know that passwords should be dead and replaced / augmented by something better such as two-factor authentication using tokens or biometrics.  However, many systems still rely on usernames and passwords.

In business, many companies now improve security by adding two-factor authentication for remote logins, so the user enters their username, some sort of PIN or password, and a value from a hardware or software token.  This helps with the issues around passwords when logging into systems remotely, such as when working from home, but it does nothing to improve the security of logging in with just a username / password in the office.

The traditional assumption has been that it is OK to use just username / password when logging in from a more secure location such as the office, when you are already connected to the trusted network.  Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission, the issue is not with someone malicious managing to ‘sniff’ the password while it is in transit, or getting hold of the password store.  However, what of the users who use the same password for multiple systems?  What if your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition, users will tend to use the least complex, easiest to remember password possible – so while your business's chosen level of complexity may have a password space of xxxxx passwords, the users' passwords may actually tend to occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I’d strongly recommend moving away from just relying on passwords and utilizing some form of multi-factor authentication even within the office environment.  This is not as difficult as it may sound – most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from just relying on passwords then a user education program is a must.  A good password is not just a complex one; it must combine complexity and being difficult to crack with being easy for the user to remember.  If users can understand both the password policy and the rationale for it, along with ways to come up with strong passwords that are easy for them to remember, this will lead to a more secure environment.

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.


RSA Conference Europe 2012 – The Science Lab: Live RAT Dissection

Great talk and demo from Uri Fleyder and Uri Rivner on VNC based Man In The Browser (MITB) attack.  The talk started with some general observations of the current state of the malware market, then went into the demo.

Why RATs are spreading in the underground – we are moving to a much more advanced underground supply chain.  This follows neatly from the keynote talks around the ever increasing availability of advanced tools.

A great example is the Citadel Trojan kit.  Developed from Zeus – this was sold, then the source code leaked.  Citadel is a live ongoing project, with many add-ons, from GUI based Trojan development and deployment.  Citadel only costs $2399 + modules, and yearly membership of the Citadel online ‘app store’ costs as little as $125 per year.  Modules can be bought for low amounts of money, such as:

Log parser for $295

Automatic iFramer of FTP accounts from logs for $1000

Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.

This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.

The demonstration of the Man In The Browser (MITB) attack showed a user accessing a compromised site.  The browser appeared to crash, then the user re-opened it and carried on working.  The user then accessed their bank and received a security warning saying that some checks were being performed to update their machine's security, that these may take a few minutes, and asking them not to close or refresh the browser window.

At the same time the criminal received a text telling him a new machine had been compromised.  He then logged into his Zeus control account to see what the machine was and which bot had infected it.

The next step is that the bank site asks the customer to input their credentials, including PIN + key code, to access their account.  This is achieved by inserting JavaScript into the banking page in the user’s browser.

From the malicious user's machine the criminal has used VNC to log into the user's machine and from there into the user's bank account.  The user inputting their PIN and code details will enable the criminal to perform a transaction on their account such as a funds transfer.  The criminal does this in the background while the user is waiting for the initial security checks; once the criminal gets to the point where they are stuck and need the user's 2-factor credentials, they update the message to request these details as mentioned in the last paragraph.

The criminal is sent the username and password from the initial login;

Then the 2-factor code from the second message;

The criminal then sends a ‘sorry, site down for maintenance’ screen to the user, again by injecting it via JavaScript into the bank page the user thinks they are accessing.  This is to try and allay any fears or concerns so the user (victim) does not immediately suspect something malicious has occurred.

This works because the user has gone to the banking page they trust, and as they typed the URL or went to their saved favourite rather than clicking a link somewhere, they assume all is well.

Another advantage for the attacker of this type of attack is that they appear to come from the user's machine, as they are going through a VNC (remote administration) connection to the user's machine.  This circumvents any checks the bank (or whatever site) has in place to be more concerned about connections or transactions initiated from unknown devices.

According to European banks, something like 30% of all fraud now comes from same-device attacks like this.


–          VNC embedded in Zeus clones is a dramatic escalation of the threat level.  Make sure your defences are ready!

–          Continuous monitoring is more resilient – e.g. user behaviour analysis, how fast is the user clicking and entering data, what is their pattern of clicks etc.

–          Don’t rely on identifying the device

–          Consider randomising, encrypting DOM space

–          Zeus and other clones are polymorphic, normal scans are not effective

–          Make sure your machines are getting all relevant patches

–          We used to rely on something you know, this is broken, now we rely on something you have, this is crumbling.. What next, something you are linked with behavioural analysis?

A lot to think about here..
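
The continuous-monitoring point above (how fast the user clicks and enters data, without relying on the device), as an added example that is not from the talk or the original post. The function names, the 3.5 threshold and all timing values are assumptions constructed for illustration.

```python
from statistics import median

def intervals(timestamps_ms):
    """Gaps in ms between consecutive input events (key presses or clicks)."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

def robust_z(value, baseline):
    """Distance of value from the baseline median, in scaled MAD units.
    Median/MAD is used so one odd historic session does not skew the profile."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline]) or 1.0
    return 0.6745 * (value - med) / mad

def score_session(baseline_sessions, session_ts, device_known, threshold=3.5):
    """Compare a session's typical input gap with the same user's history.
    A recognised device is recorded but never suppresses a behavioural flag."""
    history = [median(intervals(s)) for s in baseline_sessions]
    z = robust_z(median(intervals(session_ts)), history)
    action = "step_up" if abs(z) > threshold else "allow"
    return {"z": round(z, 2), "device_known": device_known, "action": action}

# Constructed sample data: event timestamps (ms) from five earlier sessions
# of one user, whose typical gap between inputs is roughly 180-220 ms.
BASELINE = [
    [0, 190, 400, 580, 790, 1000],
    [0, 170, 350, 540, 700, 880],
    [0, 200, 390, 600, 800, 990],
    [0, 220, 430, 650, 860, 1090],
    [0, 185, 380, 570, 765, 960],
]
# Constructed: a session that matches the user's usual rhythm.
USUAL = [0, 205, 400, 610, 805]
# Constructed: same recognised device, but input arrives far faster than
# this user has ever entered data.
UNUSUAL = [0, 40, 85, 120, 160]

if __name__ == "__main__":
    for name, ts in (("usual", USUAL), ("unusual", UNUSUAL)):
        print(name, score_session(BASELINE, ts, device_known=True))
```

Both sessions are scored with `device_known=True`; only the behavioural deviation changes the outcome, which is the reason the talk gives for not relying on device identification.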