Thursday, March 30, 2006
Postbank to begin attaching electronic signature to all e-mail correspondence with customersBy John Blau, IDG News ServiceMarch 30, 2006German retail banking giant Postbank AG, the target of several phishing attacks, aims to curb the theft of online personal information with the help of electronic signatures.The bank will begin attaching electronic signatures to all e-mail correspondence with customers, Postbank spokesman JÃ¼rgen Ebert said Thursday.It's a very good measure, specially when the bank sends messages with links to account balances and other private information. However, they need to be aware that this will not be enough to avoid problems with authentication data theft. In Brazil we've had a large number of phishing scams pretending to be from the Banks a couple of years ago. But now the fraudsters realize that people are already aware that these are fake. They are using a different approach now, sending trojan horses to capture the same information when the users are accessing the real bank website. It's easier to make people click on messages that appear to be from apparently innocent or not related to banking sources, like virtual cards websites or government agencies (saying that you have problems with your tax report, for example). Banks need to protect their communication with their clients, but it won't be enough to ensure that credentials will not be stealed. They need to use additional measures to avoid that, like One Time Passwords cards or tokens like SecureID.
Tuesday, March 28, 2006
There were projects when our evaluation results literally made people cry and beg to buy their products. One vendor even offered a 100K product for free, so they could add the company logo to the list of their customers. Remember, you are choosing the product to protect your assets and if it fails and expose your data - you are the one who will be in trouble."Some vendors look at me like furious animals after arguing with me about their products security features. I just can't hear things like "We have an assymetric 198 bits 3DES encryption" (yeah, it was exactly like that) without complaining.What makes me feel uneasy is that if vendors are used to give answers like that (or just saying "don't worry, the data is encrypted") it means that people are not doing the right questions and neither they understand the answers.
Monday, March 27, 2006
Friday, March 24, 2006
Yesterday I was looking the access log from this blog and noticed a sudden increase on the number of visits. I thought about what could have caused this and today my hypothesis was confirmed.
Thanks Martin McKeay for mentioning the blog in the Network Security Podcast of this week! It was the starting push I was hoping to find.
Martin showed, as all English native speakers, how hard is to say my name when you don’t know Portuguese (Spanish is similar). You can hear how to pronounce it right in http://www.oddcast.com/sitepal/, where you can use the SitePal demo. There is a Portuguese (female Brazilian) voice there that can read anything you type, it’s interesting to play with.
Thursday, March 23, 2006
There are lots of news in the last days about trojans targeting bank customers. Although they are making noise because of their ability to capture authentication data, I still think this is nothing very different from what was being predicted for a long time.
My main concern is with code that still has not appeared. Last year I made a presentation with a PoC about a code that installs itself as a BHO (Browser Helper Object). It is not a trojan that steals information, it changes information. A user can access his Internet Banking website with two factor authentication (like a SecureID) and authenticate again when doing a transaction, but the trojan will not save any information. It just changes the target account. It does not need to be able to send information back to its creator, it fullfills the fraud alone, while being authenticated by the user.
Internet Banking security won’t be safe until the endpoint security problem is not solved. You can build fraud detection and prevention process to live with the risk, but if you want to solve the problem you will need to provide endpoint security.
I usually don’t like to spread FUD by asking people to leave IE and migrate to this or that browser. However, I must admit that today it’s more secure to NOT use IE.
I think there’s a difference that comes from the market share and from the amount of “haters” that MS has. People with intention to do harm will focus on looking for vulnerabilities that can provide them a bigger return, and “MS haters” tend to not follow responsible disclosure guidelines when dealing with MS products. This, even if unrelated to the software quality, will make IE more insecure. I use Firefox and really like it. Making more people adopt it, if my line of thinking is correct, can even make IE more secure as they start to share the focus of attackers.
I believe that all of them have vulnerabilities, and with equal conditions (vuln research focus and responsible disclosure) a well oriented user will be able to use any with acceptable security.
"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein
Monday, March 20, 2006
Security Through Begging
Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems -- so that the next time this happens, there won't be anyone on the network to download such documents.
Even if their begging works, it solves the wrong problem. Sad.
Is it a joke? Why does Ellison keep ignoring everything David Litchfield is showing about their products.?
(I never thought I would say something like this:) It's time for Oracle to learn a bit about dealing with security issues from Microsoft. Yes, they have a lot of them, but at least they are taking the matter seriously.
Friday, March 17, 2006