Tuesday, July 06, 2010

Why is there a man in my browser?

If you are not familiar with “man-in-the-browser” attacks you should read this article.
Malware integrating itself into a victim's Web browser is nothing new. Increasingly however, these man-in-the-browser attacks are being used to successfully bypass authentication mechanisms used by online banking sites, according to a security researcher.
If you think a one-time password (OTP) token protects you from MITB attacks, you are wrong. Smartcards - in many cases, but not all - can protect against MITB attacks. If you are in corporate security you cannot ignore this either. This is not just about on-line banking! A MITB attack can be used to try to fool privileged users in your corporation into giving up passwords, or even into downloading files onto the administrator's workstation that would give the man in your browser access to privileged passwords.

Use a privileged account management product – like Quest’s Privilege Manager for Unix or ScriptLogic’s Privilege Authority and wash that man out of your browser.