Bitflips happen more than you know, especially on mobile devices and especially on cheap phones whose memory has higher FIT rates (Failures-In-Time). In the past, encryption in transit (TLS/SSL) would have protected you against the most dangerous opportunistic attackers because obtaining a trusted certificate was cost prohibitive for them. Today, however, certificates are free. Free for you and for threat actors, thanks to Let’s Encrypt and the major cloud providers. While free certificate authorities are a net positive for internet security, we already know attackers are leveraging the HTTPS lock to subvert security awareness training and run more successful phishing campaigns. What about corporate espionage? That’s precisely what we investigated and will demonstrate in this talk.
Demonstrations with bitsquatting include:
- How to steal passwords
- How to steal DOM and session tokens
- How to capture screenshots of what victims are seeing while browsing the web
- How to persist in their cache and spy on their browsing activities
Investigations will include:
- Which domains are most frequently requested by machines (phones, laptops, servers, CI/CD pipelines, etc.)?
- Who has registered bitsquats of these domains, and which of them have listening ports on HTTP/HTTPS/SMTP?
- Which bitsquat domains are actively listening, and what can their owners do with them?
- How are we going to monitor these bitsquats for abuse?
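Monitoring for abuse starts with knowing which hostnames a single bit error can turn your domain into. The following Python is an added example, not code from the talk or from Bishop Fox: it enumerates every hostname that differs from a given domain by exactly one flipped bit in one byte of the part before the TLD, keeping only results that are valid DNS labels (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters), so a defender can feed the list into a registration or DNS-watch process. The function name `bitsquats` and the decision to leave the TLD untouched are assumptions of this example.

```python
import string

# Characters allowed in a DNS hostname label (the LDH rule from RFC 1123).
_LDH = set(string.ascii_lowercase + string.digits + "-")


def _valid_label(label):
    """True if `label` could be registered as one component of a hostname."""
    return (
        0 < len(label) <= 63
        and set(label) <= _LDH
        and not label.startswith("-")
        and not label.endswith("-")
    )


def bitsquats(domain):
    """Return the sorted list of distinct hostnames that differ from `domain`
    by a single flipped bit in one byte of the part before the TLD.

    Flipping bit 5 (0x20) of a letter only changes its case, which DNS
    ignores, so those candidates are dropped. Flipping bit 6 of 'n' yields
    '.', which can split a label; the result is kept if both halves are
    valid labels. Bytes that become non-LDH characters are discarded.
    """
    domain = domain.lower()
    name, _, tld = domain.rpartition(".")
    if not name or not tld:
        raise ValueError("expected at least one label before the TLD")

    squats = set()
    for pos, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            candidate = name[:pos] + flipped + name[pos + 1:]
            if candidate.lower() == name:
                continue  # case-only flip: same domain
            if all(_valid_label(label) for label in candidate.split(".")):
                squats.add(candidate + "." + tld)
    return sorted(squats)


if __name__ == "__main__":
    # Constructed sample input; any domain you own works here.
    for host in bitsquats("example.com"):
        print(host)
```

Running it on `example.com` yields 33 candidates such as `e8ample.com`, `exa-ple.com` and `exam0le.com`; a hostname that would start with a hyphen (for instance the bit flip that turns the leading `m` of `mail.com` into `-`) is correctly rejected. Comparing each candidate's current DNS records and open HTTP/HTTPS/SMTP ports against a baseline over time is the monitoring the talk proposes.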
Come witness an unfortunate side effect of achieving HTTPS everywhere and learn what can be done to mitigate the risk of this threat. Bad guys beware, good guys beware: anyone could be passively and opportunistically snooping on your packets.
Partner Rob Ragan and Principal Security Associate Oscar Salazar will present their Ghost in the Browser: Broad-Scale Espionage with Bitsquatting talk at Kaspersky SAS in Singapore on Wednesday, April 10, 2019.