Man-in-the-Browser

michaeldayla
Posts: 56
Joined: Mon Sep 21, 2009 12:18 pm

Man-in-the-Browser

Post by michaeldayla » Sat Aug 14, 2010 1:54 am

I've read a lot lately about MITB attacks against banking credentials. I am under the assumption that so long as I only do my banking from a fresh instance of FF and only browse to my bank, then close the browser (I have SB configured to clear the sandbox upon exit), I should be safe from such an attack provided my system is otherwise clean. Am I correct?

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Aug 14, 2010 7:41 am

Last edited by Guest10 on Sat Aug 14, 2010 9:02 am, edited 1 time in total.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Aug 14, 2010 8:24 am

Man in the middle of the browser?

Poor man, can he breathe?

Laughing

Post by Laughing » Sat Aug 14, 2010 10:54 am

Buster wrote: Man in the middle of the browser?

Poor man, can he breathe?

:lol:

Fazuul
Posts: 8
Joined: Sat Aug 07, 2010 11:47 am

Post by Fazuul » Sat Aug 14, 2010 11:39 am

Guest10 wrote: Do you mean Man in the Middle?

http://www.owasp.org/index.php/Man-in-the-middle_attack
Similar, but not quite.

http://en.wikipedia.org/wiki/Man_in_the_Browser

michaeldayla wrote: I've read a lot lately about MITB attacks against banking credentials. I am under the assumption that so long as I only do my banking from a fresh instance of FF and only browse to my bank, then close the browser (I have SB configured to clear the sandbox upon exit), I should be safe from such an attack provided my system is otherwise clean. Am I correct?
I would say that you're at least safer with these steps.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Man-in-the-Browser

Post by Buster » Sat Aug 14, 2010 11:49 am

michaeldayla wrote: I've read a lot lately about MITB attacks against banking credentials. I am under the assumption that so long as I only do my banking from a fresh instance of FF and only browse to my bank, then close the browser (I have SB configured to clear the sandbox upon exit), I should be safe from such an attack provided my system is otherwise clean. Am I correct?

Now talking seriously...

Yes, you are correct. Considering that outside the sandbox the system is clean and the sandbox folder is also clean (not infected, or empty), if you browse directly to the bank then you will be safe.
Last edited by Buster on Sat Aug 14, 2010 12:53 pm, edited 1 time in total.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Aug 14, 2010 12:15 pm

I guess it would depend a lot on the Trojan, and how and where it gets installed.
It can't infect the sandboxed browser's program files folder, but for a browser like Firefox, it could be installed by the user as an extension.
(Kind of like installing a BHO in IE, I would guess)

Hence, the need to only get your Firefox extensions from the Mozilla site, although they have had a couple of security problems with extensions that have had to be withdrawn.
And don't allow direct access to the entire profile folder, so extensions cannot be added while sandboxed.

If the Trojan runs as a separate .exe program in the sandbox, then using Sandboxie's Start/Run Restrictions can stop it from running.
If it can't run, then it can't access the Internet either.
However, if it gets installed and uses the browser itself to do the deed, then Start/Run won't help.

The Firefox NoScript extension can prevent drive-by installation of malware if it uses JavaScript to install itself.
The problem is that NoScript is so unforgiving, and you need to allow temporary permissions so often, that it becomes near routine.
Still, its ability to block cross-site scripting, <IFrame>, <Frame>, and plugins is useful.

Certainly you always want to delete the contents of your sandbox after each browser use, and consider using the setting for Program Stop > Leader Program, if the sandbox is always going to be used by the browser.
Anything left running in the sandbox will be terminated when the Leader Programs stop running.

If the Trojan does get installed while you are on-line, then certainly you will be vulnerable during that session.
Deleting the sandbox contents at the end of the session will get rid of anything that you haven't specifically allowed out of the sandbox.

If the infection is due to some malware penetration at your bank's site, then there's nothing you can do to be safe.
Infection of a DNS server can also cause you to be directed to a false site that looks just like your bank. In fact, it would be in between you and the bank.
Once you surrender your login credentials, that false site can keep that connection open even though you close the browser at your end. Then they can do whatever they want, and your bank thinks that it's still you.
I guess that it's more difficult to do that, since the false site would have to be using a secure https protocol.

For myself, I agree with Fazuul. You will be safer, but with unknown variables, there's no way to say you will always BE safe.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
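Putting Guest10's advice into a concrete box configuration, as an added example that is not part of this thread or of Sandboxie's own documentation: a Sandboxie.ini section for a sandbox used only for banking. The sandbox name, the D: drive and the Firefox profile path are placeholders, and the key names are written as I recall them from the Sandboxie.ini reference (the Start/Run restriction keys in particular should be checked against the help file for your Sandboxie version).

```ini
; Constructed example of a banking-only sandbox; key names as recalled from
; the Sandboxie.ini reference, verify against your version's help file.
[Banking]
Enabled=y

; Start/Run restrictions: only Firefox may start inside this sandbox.
; A dropped .exe cannot run, so it cannot reach the Internet either.
StartRunAccessDisabled=y
StartProgram=firefox.exe

; Internet restrictions: only Firefox may open the network devices.
ClosedFilePath=!firefox.exe,InternetAccessDevices

; Profile folder is readable but not writable, even into the sandbox copy,
; so no extension can be added while sandboxed (placeholder path).
ReadFilePath=%AppData%\Mozilla\Firefox\Profiles

; Personal documents are invisible to everything in the sandbox,
; so a sandboxed keylogger or stealer has nothing to read (placeholder drive).
ClosedFilePath=D:\

; Firefox is the leader program: when it exits, everything else still
; running in the sandbox is terminated, then the sandbox is emptied.
LeaderProcess=firefox.exe
AutoDelete=y
```

The two ClosedFilePath lines are independent settings and can both appear; the `!firefox.exe,` prefix on the first one means the closure applies to every program except Firefox. None of this helps against the case Guest10 raises last, a compromised bank site or a poisoned DNS answer, because in that case the browser itself is talking to the attacker.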

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Aug 14, 2010 12:54 pm

Guest10: If your system is clean, as is the sandbox folder, and you browse directly to the bank, the chances of being caught by a MITB attack are 0.

Well, guessing the bank website is not infected. :wink:

michaeldayla
Posts: 56
Joined: Mon Sep 21, 2009 12:18 pm

Post by michaeldayla » Sat Aug 14, 2010 4:35 pm

Thanks for your posts, Guest10 and others. And, yes . . . I did mean man-in-the-browser, which is a specific type of man-in-the-middle attack.

Lumberjack
Posts: 91
Joined: Fri Nov 25, 2011 12:37 am

Re: Man-in-the-Browser

Post by Lumberjack » Wed Dec 26, 2012 2:34 am

Buster wrote:
michaeldayla wrote: I've read a lot lately about MITB attacks against banking credentials. I am under the assumption that so long as I only do my banking from a fresh instance of FF and only browse to my bank, then close the browser (I have SB configured to clear the sandbox upon exit), I should be safe from such an attack provided my system is otherwise clean. Am I correct?
Now talking seriously...

Yes, you are correct. Considering that outside the sandbox the system is clean and the sandbox folder is also clean (not infected, or empty), if you browse directly to the bank then you will be safe.


And can SBIE then protect against man-in-the-middle attacks with all restrictions/configuration?

And can SBIE block sensitive data being spread across the net with all the restrictions/configuration?

Someone on Wilders Security wrote this:
So you're saying that blocking the D: partition and all of my personal documents, my shared documents from getting touched by sandboxed keyloggers (all forms of keyloggers) will not help at all...
It also means that if a sandboxed keylogger cannot start/run in the first place it will still steal information, although it was downloaded inside the sandbox in the first place...
I have always wondered if DefenseWall protects against sending sensitive data across the net and against all forms of keyloggers that are downloaded to your computer and are trusted or untrusted.
I guess it can because of its HIPS and both inbound and outbound firewall...
And yes my computer system is 100% clean, so why be worried about something that can send sensitive data on the net?

Is this all true or false?
Thanks for your help.
