HIPS vs "Man-in-the-Middle" (MitM) malware?

Discussion in 'other anti-malware software' started by Rasheed187, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    If using a dedicated browser with js control, allowing only the bank's js, what more would one need to worry about? :shifty:
     

  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Don't rule out the possibility of the bank's servers being compromised or a hijacked DNS. Ask Bank of India customers what can happen.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'm hoping for some info on this (servers being compromised such as persistent XSS attack) in another thread. This is a possibility I think, too.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't recall the exact mechanism that was used. As near as I remember, the bank's servers were compromised and were serving malware designed to capture the users' credentials as they logged in. There was no need for any kind of persistence.
     
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    The solution for a threat is not necessarily an anti-HIPS...
    In my old tests, no HIPS can prevent a MITM attack...but it is different of course for detection or prevention of malware that uses MITM or DNS attacks as part of an infection vector and persistence.
    Software as Security is not always a good religion.
    The only way to circumscribe the question is a multilayered client/server security and hardening strategy.
    On the client/desktop side, products and tools exist of course.
    I've suggested SSLEye in another thread https://www.wilderssecurity.com/threads/kodachi-a-new-privacy-focused-distro.356015/

    https://www.digi77.com/ssl-eye-prism-protection/

    Harden SSL from T. Zoller is interesting, but not suited for standard users.

    And no time to give complete hardening tools and settings...need to have lunch!

    RGDS
     
  6. As always, great find.

    Did some hardening on settings for DNS (at router) and browser (no add-ons allowed, etc.).

    Thank you Mr. Kareldjag, working great (see picture)
     

    Last edited by a moderator: May 19, 2014
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    It would be interesting to know how this happened; otherwise I can only speculate on how this was done. In reality, maybe the greatest concern is the possibility, albeit a remote one with legit banking institutions, of a banking server's failure to sanitize users' data, which could be exploited to plant a malicious script designed either to redirect the victim to the attacker's site for stealing the session cookie or, as in the case you allude to, to serve up malware on the victim's machine. Either way, it's still the use of malicious JavaScript to attack the victim. Script blocking should, at least I would think so, preclude this from ever happening as long as only the required servers are allowed for online banking to function properly.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    As a veteran member this is quite normal...and this reminds me of a similar topic...about ten years ago with a focus on HTTPS dangers...
    But to be up to date, this Rasheed187 question is not a question for paranoiacs at all, if we consider the evolution of some malware like Sality, as pointed out by Eset
    http://www.welivesecurity.com/2014/...outers-primary-dns-changer-named-win32rbrute/

    http://kb.eset.com/esetkb/index?page=content&id=SOLN3530&locale=en_US

    Many things can help: browser extensions like Woldip/FlagFox/NoScript, anti ARP poisoning, DNS monitoring, certificate validation and so on.
    And of course SSLEye is a plus for online banking, and not difficult to use for most users, unlike the tool of T. Zoller
    http://www.g-sec.lu/tools.html

    Personally, I like real-time pentesting tools that can be used both for attack and defense, and that intercept in real time requests between the client browser and the server.
    As we are on a defense board, I always try here to focus on defense tools.

    Rgds
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
  12. Just enter the URL of your bank, see the picture in my previous post (#56 in this thread); rabobank is checked for anomalies.
     
    Last edited by a moderator: Aug 26, 2014
  13. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    So does that mean that each time a given site is visited, it needs to be checked manually -- or is there a way to automate the process?

    Also, what does that "picture" look like if an anomaly is found?

    Lastly, I read somewhere that it's not really easy to uninstall this program. Is that true?
     
  14. Don't know, I still have it installed. It is an on-demand check. It checks whether the SSL hashes are the same using different name server paths. When they don't match it will show a red warning X; it is as simple as that.

    I use EMET with IE11 for banking, using the no add-ons link of IE11. I have IE11 allowing HTTPS (port 443) and Chrome only allowing HTTP (port 80). I have IE11 locked through GPO using the no-addons/plug-ins link of IE11. Configure EMET for your standard online banking business (insurance, tax etc.). The problem with EMET is that when you buy something from an internet shop, you have not configured it in EMET. That is why I use this freebie (for occasional product ordering) and my wife uses WSA.
     
    Last edited by a moderator: Aug 27, 2014
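The check described in post 14 (the same certificate fingerprint should be seen no matter which name server resolved the bank's host; a mismatch is the "red X") can be reproduced in a few lines. This is an added example, not SSLEye's code: `leaf_fingerprint` fetches the presented leaf certificate for one resolved IP, and `compare_paths` flags the resolver path whose certificate disagrees with the others. Resolving a host through a specific name server is not in the Python standard library (use `dig @server` or dnspython for that), so the resolved IPs and fingerprints below are constructed sample input.

```python
import hashlib
import socket
import ssl
from collections import Counter

# Constructed sample observations: (resolver, IP the resolver returned,
# SHA-256 fingerprint of the leaf certificate served at that IP). Made up values.
SAMPLE_CONSISTENT = [
    ("resolver-A", "203.0.113.10", "aa" * 32),
    ("resolver-B", "203.0.113.10", "aa" * 32),
    ("resolver-C", "203.0.113.11", "aa" * 32),  # other IP, same cert: normal load balancing
]
SAMPLE_HIJACKED = [
    ("resolver-A", "203.0.113.10", "aa" * 32),
    ("resolver-B", "203.0.113.10", "aa" * 32),
    ("resolver-LAN", "198.51.100.7", "bb" * 32),  # router's DNS points elsewhere, cert differs
]


def leaf_fingerprint(ip: str, host: str, timeout: float = 5.0) -> str:
    """Connect to ip:443 with SNI `host` and return the SHA-256 fingerprint of the
    leaf certificate actually presented. Verification is disabled on purpose: the
    goal is to record whatever certificate this path serves so it can be compared,
    not to trust it. (Network call; not exercised by the offline samples above.)"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def compare_paths(observations):
    """Return (all_agree, majority_fingerprint, outliers).
    Outliers are the resolver paths whose certificate differs from the most common
    one; any outlier is the 'red X' condition. With every path disagreeing the
    majority pick is arbitrary, but all_agree is still False."""
    counts = Counter(fp for _, _, fp in observations)
    majority_fp, _ = counts.most_common(1)[0]
    outliers = [(r, ip, fp) for r, ip, fp in observations if fp != majority_fp]
    return (len(counts) == 1, majority_fp, outliers)


if __name__ == "__main__":
    for label, obs in (("consistent", SAMPLE_CONSISTENT), ("hijacked", SAMPLE_HIJACKED)):
        ok, fp, bad = compare_paths(obs)
        print(label, "OK" if ok else "RED X", fp[:16], [r for r, _, _ in bad])
```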
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Windows_Security

    What do you think about post #60? You can only solve this problem with read/write protection to folders, I suppose? :)
     