[ISN] Expert demonstrates Microsoft hack

From: InfoSec News (isnat_private)
Date: Tue Aug 27 2002 - 05:59:17 PDT

  • Next message: InfoSec News: "[ISN] VA toughens security after PC disposal blunders"

    By Reuters 
    August 26, 2002, 5:21 PM PT
    STOCKHOLM -- Software security widely used for Internet banking and
    e-commerce can be easily circumvented, and customer accounts at
    several of Sweden's largest banks remain at risk as a result, a
    computer expert said Monday.
    The Swedish hacking expert, who is well known in computer security
    circles, but asked not to be identified, demonstrated to Reuters how
    it was possible within minutes to break through security on Web server
    software from Microsoft.
    The expert showed how to crack the security systems for Internet
    banking, breaking into three of Sweden's big four banks in quick
    succession. He was then able to show how to conceal his tracks, making
    detection difficult afterward.
    While stopping short of breaking into customer accounts, the
    hacker-turned-consultant said an intruder could have hidden
    instructions to transfer sums into a separate account when the
    customer authorizes a payment from his Internet bank account.
    He relied on a variation of a weakness that came to light two weeks
    ago in Microsoft's implementation of Secure Socket Layer (SSL), an
    industry standard for transmitting credit card numbers and account
    passwords via the Web.
    "It's a protocol which is very easy to break through," the computer
    expert said. "The protocol doesn't provide the security the users
    think it does."
    The attack technique exploited a combination of vulnerabilities over
    which Microsoft exerts only partial control. A large share of the
    blame should fall on network administrators inside banks and other
    organizations who fail to install Microsoft's software properly, he
    Using the method, an attacker can log in as a Web site customer using
    certificate authentication and gain access to the Web site's root
    directory and, from there, enter the organization's internal network.
    Microsoft has responded to recent reports about the SSL flaw by
    admitting its existence, saying it is working to develop a fix, but
    also by downplaying the notion that the flaw poses any widespread
    security threat.
    "Such techniques are difficult, temporary, and generally require
    favorable network (layout)," the company states on a Microsoft
    technical discussion site.
    Microsoft in Sweden denied that SSL could be breached in the way shown
    to Reuters.
    "I can't even see the theoretical possibility for it to happen", said
    Mats Lindkvist, responsible for security at Microsoft in Sweden.
    The unnamed expert said an attacker could breach security via hundreds
    of computers, making detection of the criminal almost impossible, as
    it might take the police up to four to five months just to follow a
    trail through 10 computers.
    Mike Benham, the San Francisco privacy advocate and security
    consultant who first revealed the SSL flaw, offered a technical
    description of how this works: "An attacker could transparently proxy
    (invisibly transfer) a victim's traffic to the real secure site, while
    intercepting and logging all the data."
    Microsoft embarked earlier this year on what it called a "trustworthy
    computing" campaign to improve the security of its software. The
    company was responding to a mounting outcry over widely publicized
    software security breakdowns.
    The four Swedish banks are not unique. Many of the world's major
    financial institutions are similarly vulnerable because they rely on
    software using the industry-accepted SSL protocol, computer experts
    All four major Swedish banks said they were not aware of any break-ins
    into their systems. But spokesmen at some of them said no system could
    be perfect.
    "If man can fly to the moon, sooner or later someone will be able to
    circumvent the security systems," said Jesper Berggren, Swedbank's
    head of press relations.
    "As far as I can tell no system will ever be 100 percent secure. To
    say that our systems are 100 percent secure would be presumptuous,"  
    said Lars Lindmark, Handelsbanken's information director.
    But computer experts say banks remain highly vulnerable.
    "There's been a lot of denial," said Peter Neumann, principal
    scientist at Silicon Valley think-tank SRI International and one of
    the world's authorities on computer security.
    Such flaws result from a mix of fatalistic acceptance and technical
    ignorance, he said. "'Everything is fine,' banks say. That's clearly
    nonsense. Pretty much everything is vulnerable--certainly more so with
    a little bit of insider knowledge."
    Swedish security firm Deprotect has managed to use hidden instructions
    to transfer tens of millions of dollars from an account at a leading
    European bank, said Lars-Olov Guttke, a computer security expert at
    The bank had asked Deprotect to test its security systems.
    After two weeks, Guttke told the bank about the transfers, which had
    not been detected. The key factor was that the sums transferred
    secretly were not big enough to alert the system.
    "It might take a few days to figure out how to make the intrusion, but
    once you've done that it doesn't take very long to break through the
    systems," Guttke said.
    Banks spend huge amounts to secure their customer-facing systems, but
    tend to neglect internal systems giving access to their networks,
    Guttke said. Security veteran Neumann agreed, saying that former
    insiders may pose a bigger threat.
    Information about the level of computer-related crime is scarce
    because few crimes are reported. Companies fear bad publicity and
    additional costs if the weaknesses of their security systems become
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 09:06:05 PDT