Unbiased Review of Trusteer Rapport - 44Con 2011

Discussion in 'other security issues & news' started by Hungry Man, Mar 18, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://www.youtube.com/watch?v=EimZQgt7WPg

    Unbiased Review of Trusteer Rapport, Neil Kettle at 44CON London September 2011.

    Here's a fun quote "Anyone who can read even a line of assembler can bypass Trusteer Raport on both OSX and Windows."

    Yikes. If you're running Trusteer I'd give it a second though.

    He also takes a few heavy pokes at Matousec who had released a bogus whitepaper about it.

    Basically, flawed "encryption" (arguably not even) and flawed implementation and a whole lot of other stuff.
     
    Last edited: Mar 18, 2012
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Interesting find and very enlightening. Thanks!
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I wasn't surprised to hear that it was useless but wow... the extent to which he bypasses it and shows how silly the entire thing is.

    Enlightening is the right way to put it.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Amazing... I wonder how trusteer can manage to ignore it. This makes look the product totally useless.

    Thanks!
     
  5. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
    Thanks for this Hungry.
    Saw it was originally posted to YouTube last October.
    Strange we hadn't heard about this before o_O
    A real eye-opener for sure :)
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.theregister.co.uk/2011/10/11/trusteer_rapport_security_bypass/

    + http://www.digit-security.com/blog/?p=47

    Don't know if Trusteer has been re-tested since?
    Or am I thinking of a different vulnerability?
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    It looks the same... and it seems the issue (access to drivers and turn OFF encryption) has been addressed (or claimed to be addressed) o_O
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    My bank's site is strongly recommending install of Trusteer Rapport. I would have done that
    but Linux, plus I think 64bit OS's, are not catered for. In other words I don't feel too bad about
    not being able to install it. :p
     
  9. d0t

    d0t Registered Member

    Joined:
    Apr 23, 2011
    Posts:
    181
    His accent is pretty hard to understand :p
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Mine too, I would have done that but I gave up on useless 3rd party "security" software a long time ago. They eventually cause more issues than they solve.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    One thing that concerns me is the potential for proprietary, site-specific solutions to eventually become mandatory (if the site doesn't detect you are using their approved solution you can't access your account) or pseudo-mandatory (unauthorized transactions won't be reimbursed unless you've been using their approved solution).

    A friend was confused by their bank pushing a software download and called me over. It was Trusteer software, which we researched a bit and decided not to install. We did, however, take a close look at the overall account access experience and I noted several disturbing things including inadequate password length/character support, extremely poor canned security questions, and account pages being instrumented with third-party analytics code. This wasn't the first time I've seen or heard of such problems. So as much as one might want to believe in the idea that their bank will follow best practices and recommend sound additional solutions where available, I don't think one can actually rely on that. It feels strange to say it, but I think knowledgeable people have to be proactive and work to make sure their bank isn't screwing something up.

    Edit: To be fair I should also add "... and to make sure those on the low end don't screw things up for the bank and/or knowledgeable people". I've heard financial reps say that a surprising number of people get quite agitated and offensive when it comes to "inconveniences" like stronger security and/or privacy related steps.
     
    Last edited: Mar 18, 2012
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I don't see why anyone would care if it was proprietary or not, it makes 0 difference whatsoever. As if you're trying to say people would be ok with being forced to use rubbish software if it's not proprietary? :doubt: If it's good and you're forced it, no one will care. If it sucks and you're forced it, everyone will whine.

    But don't worry, any kind of "forcing" would limit the devices that their clients can use, so that will never happen, ever.
     
  13. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Some Dutch banks have recently tried to start a debate on introducing an 'excess'* for clients when banking account money is lost due to malware.
    After a quick uproar, the debate went quiet after several banks mentioned it might not be appropriate atm but I'm sure this idea will rear it's head again and I wouldn't be surprised if banks would start to argue about mandatory security programs to avoid the introduction of an online banking account 'excess/limited liability' in the near future.

    (Excess/limited liability as in 'that part of the cost of a claim which the banking client has to bear in accordance with the (new) terms of the banking account. Not sure of the proper translation/english wording)
    .
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    But charging people for what is essentially their responsibility is different from restricting customers to various devices. For example, what about mobile banking?
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I certainly can't object to your "even if it is non-proprietary it could still be bad" point. That is true, and my failure to mention it should not be taken as an attempt to argue against it. The reason proprietary solutions are of special concern, IMO, is because they have the potential to make analysis more difficult (for many though not all) and also limit a user's level of control.

    For example, and although it does create some potential issues, I think it is good that bank account access is done via extensible web browsers that utilize open standards and for which there are many control enhancing add-ons. It is quite easy to determine what a bank web site is instructing your browser to do and someone so inclined can selectively fix certain problems (like it not using secure cookies, inappropriate data passing to third-party advertising or analytics companies from within account holder pages, whatever). I also think it is good that access is done within a constrained environment and, for example, there is limited or no room for a bank specific "app" demanding greater access to your platform.

    I think very many business models are reliant on perpetual change, and that alone make me extremely hesitant to say that something will never ever happen.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There are questions at the end of the video. Someone basically asks "IS this something that can be patched" and the guy essentially says that it is a fundamental design flaw.

    Any "patch" implemented would likely be a meaningless stop-gap.

    Given how much they put into marketing and how little they put into programming I wouldn't be confident.
     
  17. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Haha... wow... it gets worse.

    Thank you for the link.
     
  19. x942

    x942 Guest

    Time to pull out the fuzzing tools :D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Go for it. I wonder if we'll see keyloggers start to bypass it. It would take ~10 lines of code apparently.
     
  21. x942

    x942 Guest

    I managed to send a packet filled with "random" payload (fuzzing) and had it crash Trusteer. The browser was unaffected too, leaving the "secure" site open to attack from conventional malware.

    The crash may be a potential exploit I could use to gain access to the computer via a reverse shell. I'm going to see what else I can find.

    Wouldn't it be funny if I could use this "security" software to drop a shell and get access to a computer?
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Hearing things like that just reinforces my opinion of staying away from such 3rd party "security" software.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Maybe this is wrong, but if the security researcher(s) really want to help fix this, maybe they should get in direct touch with all the banks that are clients of Trusteer, instead?

    After all, it would look bad for all those banks to be suggesting such a flawed security solution? Maybe the banks themselves can force Trusteer to actually work that crap out... or they'll support a different application... Who knows. Maybe the banks just won't care, at all. lol

    Contacting Trusteer for sure didn't help. o_O
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    He did. I believe 3 responded and didn't change anything, one of them he's under NDA with so he couldn't talk about it.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's something I've talked about a lot. You have Trusteer adding attack surface and if you were to exploit it you would
    1) Bypass its protection
    2) Potentially gain access to the 27million using it (going by their downloads.)
     
Thread Status:
Not open for further replies.