Browser Attacks

• They identify three vectors of attack in a browser
  • Go after the OS so it will impede the browser's correct operation
  • Attack the browser
  • Intercept/modify communications to or from the browser.
• Browser Attack Types
  • Browsers are open to attack for various reasons.
    • But the universality of browser use makes it even more vulnerable.
  • Man-in-the-Browser
    • *-in-the-middle attacks:
      • Some agent is inserted in the middle of a communication.
        • Eavesdropping
        • Corruption of information
        • Blocking information transfer completely
        • Injection of information/request/...
        • Mascaraing
      • This usually involves the attacker pretending to be the other endpoint to each party in the communication.
    • The book defines Man-in-the-Browser as a Trojan horse that intercepts data passing through the browser.
      • It exploits the use of the browser to capture information (passwords, account names, account numbers, ...)
      • It exploits the connectedness of the browser to send information to the Man in the middle.
    • The book gives an example of the SilentBanker Trojan horse
      • Had a list of 400 banks to start with.
      • Whenever a connection to one of these banks was made, it recorded and forwarded transaction information.
      • This beat the encryption streams by getting the data before encryption.
  • Side note HTTPS:
    • Originally all network transfers were in plain text.
    • This meant that anyone who could "listen" or sniff the network could read the messages.
    • Secure communications (https)
      • Public/private key exchange
        • Sites with secure servers must have a public key certificate from a CA.
        • This is used to obtain an session encryption key.
        • And all exchanges are encrypted.
          • Browser encrypts request sends it to server.
          • Server receives request and decrypts it.
          • Server encrypts response and sends it to the browsers
          • Which decrypts the response and displays it.
  • Keystroke Logger
    • This is software that monitors keystrokes.
    • A tiny little program that is easy to write
    • This can be hardware or software
    • How often do you type important information (ssno, password, username, credit card number, expire date, cvc...)
  • Page-in-the-middle
    • Build a fake log in page.
    • Forward the details to the real log in page, after recording the information.
    • Just one really good looking login page.
    • And the ability to get people to go to that page to log in.
  • Program Download Substitution
    • The user thinks they are downloading one program.
    • And they might be, but they are also downloading something else.
  • User in the Middle
    • CAPTCHA: Completely Automated Public Turing test to tell Computer and Humans Apart
      • Some simple puzzle that probably requires creativity, pattern recognition, or abstraction that is hard to program.
    • Many sites require solving a captcha to get a new account.
      • This is to enforce that there is a human behind the account
    • This attack is on the account generation process.
    • It involves tricking people into solving captchas
      • Offer some free thing on a site.
      • But require the solution of a CAPTCHA to get it.
      • When the user requests a resource
        • Connect to a sign up site and get the CAPTCHA
        • Provide this to the user
        • Return the solution with a new account request.
• How Browser Attacks Succeed: False Identification and Authentication
  • Human Authentication
    • In the web, human needs frequently cause weaknesses
      • Inability or unwillingness to use appropriate passwords.
      • Failure to use unique passwords
      • Failure to use strong passwords.
  • Computer Authentication
    • Consider an interaction with a bank.
      • The user's browser and computer are ALWAYS between the user and the bank.
      • They are the tool the user employs in the interaction,
      • But they take actions on behalf of the user that the user does not know about.
    • Remember every step in the authentication process is controlled by software.
      • Which as we have seen is subject to malware, interception, ....
    • The exchange of information needs to be constantly monitored for
      • Interception
      • Hijacking
      • And other attacks.
    • They point out
      • Authentication and usability are often in conflict.
      • Computer to computer authentication has limited authentication.
      • Malicious software makes this process more difficult.
  • Successful Identification and Authentication
    • Companies are constantly trying to improve authentication
    • Shared Secret
      • This is the secret question from before.
      • But we have seen the problems where.
    • One-Time Password
      • A one use password.
      • But this is hard with the general population.
    • Out of Band Communications
      • Use of different communications channels for different information.
      • The Social Security Administration has a pre-submitted phone number which they call when you want to log in.
      • Banks send your default PIN in a different communication than the card.
      • US DOD phone communications
        • Start as a normal call.
        • Then the users press a button for secure mode
        • This encrypts all further communications.
        • The phones generate a random number which they display
        • And the users read this number to each other to assure that no substitution has been made.
    • Continuous Authentication
      • or an encrypted session
      • This can be broken if the attacker can
        • Bypass the encryption (before or after encryption)
        • Interrupt the encryption and force a reset of the communications
          • Then intercept the key exchange.
          • Or perform a man-in-the-middle attack
          • Or some other form of attack.