Bro,
Please help to change the email to jehta...@hotmail instead of my
company email. Thanks.
Regards,
EH
On Oct 2, 2010, at 1:44 PM, Mohd Fazli Azran wrote:
Dear members,
I have some opinion to share. Why we must look at this attack as a
threat. But please dont doing this at home. This is not a good ethic
and probably it will miss use for personal interest and if you get
caught it your responsibility. This is for education purpose. This
is just example:
Tool : Cain or Ettercap
Location : Coffee Bean / Starbuck / Old Town
Attack Method : Sniff and ARP poisoning
Many Money Oriented Hacker (MOH) will do this for their own
interest. What would they prefer to sniff is Bank Online.For fun
they will try to get any Social media that you have.
HTTPS/ SSL many Organization not look into it and sometime it
already expired or not qualified. Many people will ignore it and
just accept the cert. Why we should worried HTTPS/SSL it not good
protection for sniffer if the bad implement by organization. Poor
implementation for SSL/TLS by many Organization especially in
Malaysia allow many sniffer to be a MITM. If you see some cert are
create by self signed and some cert maybe just rouge certificate.
You can check all the Bank online if they have valid cert or they
already expired. You also can look if Local bank use CA cert or not.
CA was one of vendor create commercial cert. Are our local bank use
this cert?. If you check many HTTPS/SSL are broken and can be direct
attack/APT by sniffer.
The problem of this i think it not from HTTPS/SSL but it from
Application that use from them. The web online provided by Bank
sometime it not enough to prevent sniffer get the U & P. Some time
the hashing can be manipulated and they can get easily and user are
not detected at all.
We must understand 1st what the process from user to server. Here
the example scenario (Ahmad use Open Network and surf):
1) Ahmad open Browser and surf Online Bank Web
2) Browser will request login form from the server Online Bank
3) Server (Online Bank) will sent random generate challenge
(RGC )"c" Server sends HTML with above form rules
4) RGC attach to the form and sent to Ahmad browser MITM replaces
the form with a simple form u/p are not manipulated
4) Ahmad will enter username "u" and Password "p_user" and submit
User fills out simple form, submits to MITM
5) Ahmad browser will calculate h_user=hash((hash(p_user), c) MITM
calculates h_user from u / p / c
6) Ahmad browser sent "u" and "h_user" to the server. MITM sends u +
h_user to server
7) The server retrieve password hash "h_db" for user "u" from database
8) Server perform comparison which h_user==hash(h_db, c)
9) If this comparison it true, the credential are true and sent back
to Ahmad Browser
10) Ahmad now login to server (Bank Online)
If i miss out some point here please correct it. But you can see the
red text are the process between user, MITM & server. You can do
this and try if you can get any U & P from any local Bank Online
(Maybank, CIMB, BIMB, RHB) and Oversea Bank (HSBC, Citibank,
Standard Chartered) You can compare which web security are more
reliable and are they implement it. The best policy and the process
they do will combat any MITM to get the U/P from server. My point is
are they doing enough to protect user from this threat. Are we?
P/S : I`m not buyers any Bank here just to show what the reality are.
Mohd Fazli Azran
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/
295989208420
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
