ANDREW PETUKHOV, GEORGE NOSEEVICH, DENNIS GAMAYUNOV
PRESENTATION TITLE: You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Banking Apps
PRESENTATION ABSTRACT:
It’s no surprise that a typical hacker’s professional path runs into custom crypto protocols from time to time. There are lots of application-specific, crypto-hardened protocols written from scratch that can be found in banking, SCADA, and other types of not-so-common hardware and software systems. In this presentation, we propose a methodology for cracking such systems using a top-down approach, with GOST-hardened banking applications as an example. We show how easy it is to break complex crypto because developers have inconsistent knowledge of modern application-level protocols.
Federal law in Russia states that an electronic document becomes legally valid only after proper digital signing (GOST R 34.10-2001, RFC 5832). Online banking applications are no exception: only GOST digitally signed payment orders should be accepted and processed by online banking apps. As a result, every bank that is willing to provide online services (be it a domestic or an international entity) has to consider two options:
- Buy a “typical” online banking solution from a well-known vendor (BSS, Bifit) and customize it
- Develop or outsource its own banking solution.
The first option implies that the bank will receive all the necessary shiny crypto out of the box. The second option leaves the crypto question for the bank to handle, and this is where numerous crypto solutions and crypto providers come into play. Through our research, we have managed to submit fully trusted requests from “malicious” clients to the banking server as if they were generated by a legitimate client. Ok, now let us show you the money!
ABOUT ANDREW PETUKHOV (@p3tand)
Andrew Petukhov is the founder and leading expert of Internal Security and CTO of SolidLab. He has been researching web application security in the infosecurity laboratory of the MSU Faculty of Computational Mathematics and Cybernetics since 2004. He is also one of the co-founders and an active participant of the CTF team called Bushwhackers.
ABOUT GEORGE NOSEEVICH (@webpentest)
George Noseevich is a PhD candidate in the infosecurity laboratory of the MSU Faculty of Computational Mathematics and Cybernetics and a permanent member of the CTF team called Bushwhackers. He has participated in the OWASP Access Control Rules Tester project and was previously rewarded in various infosec contests (Deutsche Post Security Cup, PHD 2012 WAF Bypass, Onsec WAF Challenge https://reward.onsec.ru/winners.html, etc.).
ABOUT DENNIS GAMAYUNOV (@jamadharma)
Dennis holds a PhD and is a Senior Researcher and Acting Head of the Information Systems Security Lab, Computer Science Dept. of Moscow State University, Russia. He is also the leader of the network security research group at MSU and project lead of the experimental event-driven and natively multicore Redsecure IDS/IPS. Dennis is the co-founder of the Bushwhackers CTF team, with primary research and practical interests in network-level malcode detection, high-speed traffic processing (including FPGA-based), and OS security with fine-grained privilege separation, SELinux and beyond.