Jim Harrison to "Int3":

> (copied here without permission)
> Step by Step Demo:
>
> - Download POC from http://tracingbug.com/downloads/citihook.zip and
>   unzip to some directory
> - Launch citihook.exe, this will watch only
>   https://www.online.citibank.co.in/ URL
>
> Effectively, "Let me install my malware on your machine to demonstrate
> how vulnerable it is."
>
> P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> The "problem" ceases to be a vulnerability at this point.

And again, in your subsequent response to a message from "Int3" I've not seen in the list:

> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Jim -- you have _entirely_ missed the point.

Why did Citi introduce these "onscreen keyboards"? Because a sizable chunk of its userbase was already infested with "keystroke logger" type malware, or at least there was a good chance this was, or may soon become*, the case... Some bright cookie at Citi recognized** that if they made their users "type" by clicking their mouse on a "virtual keyboard" they would sidestep the capture of user credentials by the throngs of extant keylogger warez already out there.

"Int3" has shown a trivial way for the bad guys behind the keyloggers to subvert this sidestep.

You are right in suggesting that calling this "disclosure" a "vulnerability" is a tad "optimistic", but beyond having filed his disclosure in the "Vulnerability" section of his site, "Int3" does not actually use that word in describing this.

What "Int3" has shown (or, as others have already noted, "shown again"; IIRC, the first such discussion and PoC of the abject futility of OSKs as defeats for keylogger-compromised end-user systems I saw was back about 1999/2000) is that if the remote client system cannot be trusted, you cannot trust the remote client.

Whilst trivially correct and fundamentally obvious,*** I don't think it does any harm to repeat this truism in light of the stupidity of such large and potentially influential organizations as Citi adopting such obviously flawed and inadequate technology. That is the point "Int3" was reiterating. If the problem Citi's OSK is supposed to fix is actually that the bad guys already have, or can more or less easily get, arbitrary code onto the client machine, then changing the way the client user interacts with the machine does not solve the problem -- it simply changes the form of data capture the bad guys' arbitrary code has to perform.

* It is well-known that, for example, many of the major South American banks have, for some time now, had a _massive_ problem with online banking-targeted keyloggers.

** Or, perhaps more likely, some third party sold Citi on their patent-pending "anti-keylogger" technology.

*** Except, it seems, to sections of the banking IT fraternity and, if my previous footnote is correct, those who develop "security solutions" for the banking fraternity.

Regards,

Nick FitzGerald