All Top Banking

Browser Flaws Nullify EV SSL

Posted by John B. Frank Friday, July 24, 2009

Researchers uncover flaw in handling of EV SSL by popular browsers

New York, July, 2009 -- Intrepidus Group, a leading provider of information security services and software, today announced research that shows new short comings in browser designs that allow an attacker to silently "Man-In-The-Middle" (MITM) Extended Validation (EV) SSL-protected websites. Users of sites that appear to be secure through the "glow" of their green badge, have been found to be at risk of malicious attacks.

Research conducted by Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov shows that a common web browser design flaw can be exploited to compromise SSL encrypted data, even when the user sees the green badge of EV SSL. The researchers have devised a new attack, called SSL Rebinding, which exploits this flaw to sniff sensitive data as it leaves the browser. Zusman and Sotirov have also demonstrated that the same flaw can be leveraged to launch browser cache poisoning attacks against EV SSL protected web sites. Both attacks can cause significant exposure and silently expose "encrypted" sessions protected by an EV SSL certificate.

-- SSL Rebinding is an attack against an SSL involving a rogue MITM server which uses a combination of SSL certificates to manipulate client behavior and bypass security mechanisms.

-- EV Cache Poisoning is a persistent attack, where cached content of an EV SSL protected web site can be poisoned without the victim consciously browsing the site.

"Verifying the 'green glow' of EV SSL in the browser has often been pitched as the silver bullet to thwarting phishing attacks," said Rohyt Belani, CEO of Intrepidus Group. "Our research shows that the green glow can be misleading and provide a false sense of security. Employees and customers should be provided a holistic perspective on phishing to best train them to be resilient to this ever-growing threat."

Zusman and Sotirov will present the details of their research findings during the Back Hat USA 2009 Briefings & Training conference. Intrepidus Group has also enhanced its PhishMe solution to empower individuals to identify these attacks and protect themselves from cybercrime exposure.

Black Hat USA 2009 Briefings & Training Presentation

Mike Zusman and Alexander Sotirov will be sharing details of this new research on EV SSL Attacks during the Back Hat USA 2009 Briefings & Training conference at Caesar's Palace in Las Vegas, Nev. Their session will be held on "Day 2," July 30, 2009 in the "//random" track from 3:15 to 4:30 p.m.

About PhishMe

PhishMe is a software-as-a-service (SaaS) solution designed to help prevent damage, theft and loss caused by targeted (spear) phishing attacks. PhishMe facilitates and automates the execution of mock phishing exercises against employees, provides clear and accurate reporting on user behavior, and most importantly provides instant, targeted employee training. This method of delivering training materials is recommended by SANS and found to be most effective by researchers at Carnegie Mellon University.

About Intrepidus

Intrepidus Group (www.intrepidusgroup.com ) is a leading provider of information security consulting services and software solutions. With offices in New York City and the Washington, DC metro area, the company offers innovative solutions to help clients build employee awareness around common information security issues. Intrepidus Group's consultants also conduct hands-on assessments of critical applications, networks and products to uncover vulnerabilities, and provide strategic and tactical recommendations to address identified issues.

PhishMe.com is a registered trademark of Intrepidus Group. All other product and company names herein are or may be trademarks of their respective owners.

Source: Company press release. 



Reblog this post [with Zemanta]

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio