* Posts by Dr Wheetos

21 publicly visible posts • joined 20 Nov 2007

Natwest, RBS: When will bank glitch be fixed? Probably not today

Dr Wheetos
FAIL

Disaster recovery anyone?

I wonder if they were doing a DR test which went a bit awry? I wouldn't be surprised if this carried on into next week. After all this time it doesn't seem like a network issue.

Splashtop Remote Desktop

Dr Wheetos
Unhappy

Prefer Pocket Cloud...

on an Android 3 tablet to control a home server as PC doesn't force you to have a user logged into the server/PC to access it but Splashtop remote does (or at least the free version does).

Groupon India publishes 300,000 user passwords

Dr Wheetos
FAIL

I don't believe them

> and corrected the problem immediately

OK, so they got in touch with Google did they to get them to delete it from their cache? Or did they just delete the db table? Somehow I don't believe these guys when they make these simple errors that they don't notice but someone else does and they seem to know immediately how to fix it. Wasters.

Mass hack plants malware on thousands of webpages

Dr Wheetos
FAIL

The message still doesn't get through...

to the developers of these sites. A day doesn't go by without hearing about more sql injection exploits. Just take a look at xssed.com as an example. And it'll be high up on the list of programming errors on sans.org and owasp.org's top 10 security vulnerabilities, I'm sure.

World's nastiest trojan fools AV software

Dr Wheetos
Paris Hilton

PR for the company?

I attended a meeting with Mr Klein, the CTO of Trusteer, a while back. He asked how effective AV software was these days. He replied that it picked up only 40% of the viruses and malware out there. So I guess if Trusteer can show how good they are at detecting the bad stuff that AV products can't then that's priceless PR for his cause. After all he's in the market of selling his products to the banks!

Paris, because I'd rather she protect my assets.

Microsoft retires Windows 3.11 on 18th birthday

Dr Wheetos
Unhappy

My 75 year old Dad...

retired his trusty 486 PC running WFW 3.11 just this year. It had to happen as he couldn't get printer ribbons any more! With Word and a Golf game, even Sol, it did everything he needed.

CookieMonster nabs user creds from secure sites

Dr Wheetos
Stop

What's the deal?

> CookieMonster then injects images from insecure (non-https) portions of the protected website

So that means the vulnerability exists only if the secure site makes an http request. If the site always sends https, including requests for images and other resources, then there is no vulnerability. Agreed this would require a full scan of the site to ensure it was fully secure though.

There are loads of sites that accept usernames and passwords over an http connection before going to SSL, e.g. web mail apps.

Stop - because we need to think not panic.
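As an added illustration of the condition the comment above describes (not code from the original post, nor from CookieMonster), the script below audits a constructed HTTPS page for subresources fetched over plain http and reports which of the site's cookies would ride along on those requests because they lack the Secure flag. The host names, HTML and Set-Cookie headers are all made-up sample input. One caveat worth keeping in mind: the durable fix is the Secure attribute on the cookie itself, because a network attacker can also inject a plain-http request to the bank's host from any unrelated http page the victim visits, so a clean scan of the site's own pages is necessary but not sufficient.

```python
"""Mixed-content and Secure-cookie audit (added example, not original code).

Models the weakness the comment describes: a session cookie set without
the Secure flag is attached by the browser to any http:// fetch to the
same host, so one insecure image on an https page is enough to leak it.
All inputs below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value the browser fetches as a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "link": "href",
               "iframe": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    """Collects absolute http:// URLs an https page would request."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Relative and protocol-relative (//host/x) URLs inherit https;
                # only an explicit http:// scheme is mixed content.
                url = urljoin(self.page_url, value)
                if urlsplit(url).scheme == "http":
                    self.insecure.append(url)


def find_insecure_subresources(page_url, html):
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, flags


def exposed_cookies(page_url, set_cookie_headers, insecure_urls):
    """Cookies without Secure that would be sent on same-host http fetches.

    Simplification: only subresources on the page's own host count, and the
    cookie Domain attribute is not modelled.
    """
    host = urlsplit(page_url).hostname
    same_host = [u for u in insecure_urls if urlsplit(u).hostname == host]
    if not same_host:
        return []
    return sorted(name for name, flags in map(parse_set_cookie, set_cookie_headers)
                  if "secure" not in flags)


# Constructed sample input (hypothetical hosts).
PAGE_URL = "https://bank.example/account"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css"></head>
<body>
<img src="/img/logo.png">
<img src="http://bank.example/img/tracker.gif">
<img src="http://ads.example/pixel.gif">
<script src="//cdn.example/app.js"></script>
</body></html>"""
SAMPLE_COOKIES = [
    "SESSION=abc123; Path=/; HttpOnly",   # no Secure flag: leaks over http
    "PREF=en; Secure; Path=/",            # Secure: never sent over http
]


def audit(page_url=PAGE_URL, html=SAMPLE_HTML, cookies=SAMPLE_COOKIES):
    insecure = find_insecure_subresources(page_url, html)
    return {
        "insecure_subresources": insecure,
        "exposed_cookies": exposed_cookies(page_url, cookies, insecure),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Run it on a real site by feeding each fetched page and its Set-Cookie headers into audit(); the "exposed_cookies" list is the one to act on, and it should be empty regardless of what the page scan finds.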

Microsoft and HP tackle SQL-injection scourge

Dr Wheetos
Heart

Re: So, if it's easy to code against why does no one provide the solution here?

Remember 3 words:

- constrain

- sanitize

- validate

Treat all input data as evil. If you limit the number of characters accepted for each item of input data, sanitize it, perhaps to accept only alphanumerics, and validate against a regular expression or list of acceptable data, you're pretty well home and dry.

Managers are only interested in getting a product out the door. Security minded developers are more interested in stopping the company from hitting the national press with the latest ID theft story. Which do you think is more important?

Love heart because this stuff keeps me in a job.
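To put the constrain / sanitize / validate advice above into working code, here is an added example (not from the original post, and not Microsoft's or HP's tooling). It uses an in-memory SQLite table with constructed sample rows, shows the string-concatenated login query that classic injection payloads defeat, and beside it the hardened version: a length constraint and allow-list regular expression on the username, a length-only constraint on the password, and a parameterised query so the database never interprets user input as SQL. The table, user names and passwords are hypothetical, and passwords are stored in the clear purely to keep the example short; a real system hashes them.

```python
"""Constrain, sanitise, validate, and parameterise (added example).

Not code from the original post. Builds a throwaway SQLite database with
constructed rows, demonstrates the injectable query, then the safe one.
"""
import re
import sqlite3

# Constrain + validate: 1-32 chars, letters/digits/underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
MAX_PASSWORD_LEN = 128


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    # Hypothetical sample rows; plaintext passwords only for brevity.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", 0), ("bob", "s3cret", 0), ("admin", "correct-horse", 1)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def username_is_allowed(username):
    """Allow-list check: reject instead of trying to escape bad input."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def password_is_allowed(password):
    """Passwords get a length constraint only; content is handled by the
    parameterised query, so no character set is imposed on users."""
    return isinstance(password, str) and 1 <= len(password) <= MAX_PASSWORD_LEN


def login_safe(conn, username, password):
    """Hardened: validate against the allow-list, then bind parameters."""
    if not username_is_allowed(username):
        raise ValueError("invalid username")
    if not password_is_allowed(password):
        raise ValueError("invalid password length")
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, "admin' --", "x"))
    print("vulnerable, tautology       :", login_vulnerable(db, "x' OR '1'='1", "x' OR '1'='1"))
    print("safe, real credentials      :", login_safe(db, "alice", "hunter2"))
    print("safe, tautology in password :", login_safe(db, "admin", "' OR '1'='1"))
```

The two defences are independent: the regular expression stops the comment and quote tricks before they reach the database, and parameter binding stops anything the allow-list would have let through (the password field, for instance) from being parsed as SQL.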

Microsoft: Finding flaws on our website is OK

Dr Wheetos
Thumb Up

Praise where praise is due

It's nice that MS have come clean and implied their online services aren't secure.

Sure, all online services have vulnerabilities but where's the dividing line between an ethical hacker / researcher and someone who's looking for that vulnerability that their next trojan can exploit? How does this stack up against the Computer Misuse Act in a court of English Law?

I give them a big thumbs up though and wished others would follow suit. More people should take notice of what's posted daily on the xssed.com site too.

Pentagon attackers stole 'amazing amount' of sensitive data

Dr Wheetos

It doesn't add up

"an amazing amount of data" and "Network forensics show the hackers were able to access sensitive information, which they encrypted as they transmitted it back to their sites."

So The Pentagon has broken the hackers encryption to find out what data was gleaned? If they know how to do that and there are 70,000 malicious entry attempts per day, then how come it's gone on for so long?

"a known Microsoft Windows vulnerability" - don't tell me that Pentagon PCs are not fully patched with security updates...

Maybe they're preparing a subpoena against MS.

HMRC appoints 37 data guardians

Dr Wheetos
Unhappy

Oh dear, they never learn

"rigorous courier arrangements and a requirement that physical transfers of data must have the specific authority of a member of the senior civil service"

Still no mention of encrypting the data then....

UK bank blames fraudsters for World of Warcraft ban

Dr Wheetos
Thumb Up

@Leo Davidson

Let's get back to the point shall we? If your card was being used, I guess you'd be on the phone to them straight away. At least their actions are saving you a call.

Forth Road Bridge hack redirects to smut bazaar

Dr Wheetos
Unhappy

Oh dear...

In my opinion, anyone who uses iframe these days is asking for trouble. Bank of India and an Italian bank were hacked this way last year.

Sky broadband customers blindsided by SMTP switch-off

Dr Wheetos
Unhappy

My Dad called me too

"Can you help me please? I can't send any emails" came the cry for help. Actually I'd setup his computer last year so he could still send emails using his Sky email address but emails that he used to send through his Tiscali email address have suddenly stopped working. 1.5 hours of playing with his Outlook settings remotely came to nought, so I gave up. He's not too chuffed about it.

Spotted in the wild: Home router attack serves up counterfeit pages

Dr Wheetos
Stop

@Invalid Certificate

This posting on Heise Security's site about frame spoofing shows that just checking the certificate does not give you a 100% guarantee that you're sending your credentials to the right site.

http://www.heise-security.co.uk/articles/76590/1

This article might be a bit old now (I haven't tested the links) but the fact that it's still happening (links below) shows that this attack vector hasn't gone to bed yet.

http://www.beskerming.com/commentary/2007/08/31/265/How_the_Online_Trust_Model_is_Broken_-_The_Bank_of_India.com_attack

http://news.netcraft.com/archives/2008/01/08/italian_banks_xss_opportunity_seized_by_fraudsters.html

My motto is if your bank uses frames on their credentials entry page, don't use their internet service or move to another bank.

In fact this applies to any site that requests user credentials. And to access my tiscali web mail, guess what? Credentials are sent in the clear. Great!

Browser vulns and botnets head threat list

Dr Wheetos

Lovely technology!

And slipping to No 8 are web application security exploits. This has been moving up the list over the past decade as network attacks have become harder to do. I'd have expected this to be placed higher. One only has to visit the XSSed site to see that there are loads of insecure sites (although the most valuable tend to be the ones secured by SSL).

I'd put Insider attacks higher than No 5 though. We just don't know how much of this goes on as it's likely to be covered up.

Don't you just love technology. At least my trusty Nokia 3210 phone isn't prone to internet and bluetooth attacks!

UK driver details lost somewhere in America

Dr Wheetos

I'm suspicious...

Hmm, so 25 million records fits on 2 CDs but 3 million names and addresses, and not much else, requires a hard drive. I kinda lost the plot here. Why does a hard disk need to travel across the big pond? Surely 1 CD with its contents encrypted would have been adequate? Is someone not telling us anything here?

Technical problems mar Barclays' PINSentry roll-out

Dr Wheetos
Thumb Up

Re: Overkill

For years we've been told not to write our passwords down and here's evidence that the message isn't getting through! I wouldn't advocate anyone doing this.

While I don't use the Barclays PinSentry device, I've used one in a development project. There is a security flaw with authenticating yourself with one of the devices. If you go down the pub and show it to your mates, and one of them remembers one of the numbers (he'd have to be numerically minded as they tend to be 8+ digits long), he could potentially sign in to your online bank account using it. It's a valid number and will remain so until the real owner actually uses the card reader and a new passcode in their bank's online site. OK, he'd also need to know your username and possibly your date of birth or something personal about you, but it would be possible.

Despite this, I'd use it if my bank introduced it. As more banks roll this technology out, there will always be someone else that has a reader if you forget to take yours to work. Then I'd have to watch out for the man in the middle scams. How many people are so paranoid that they check the certificate for the web site they're accessing these days? Count me in.

How HMRC gave away the UK's national identity

Dr Wheetos

Illogical Reasoning

On BBC News this evening they said that the reason why *all* of the data was sent rather than just the names and NINOs was that it was too complex to extract just that data. Lesson number 1 in SQL:

select firstname, middlename, surname, NINO from ChildBenefits order by surname

GO

OK, it might be a little more complex than this as it's probably an ancient ICL or DB2 database. Perhaps it's true they are under-resourced in the IT department or perhaps EDS said it would cost £3000 to do the job. Or perhaps the next batch slot to run the query was in 2008.

Darling admits Revenue loss of 25 million personal records

Dr Wheetos
Thumb Down

Re: Symptomatic of a bigger problem

It's probably happened. Just that we haven't heard about it.

Now let's see. Ah, yes, Davey Winder's article in this month's PC Pro shows that full identity details exchange hands for $10 - $150 a time but bank account info is even more lucrative. 25 million records makes this a very nice retirement fund for someone, even after applying discounts. You'd have better chances getting a good return with this data than winning the lottery.

Dr Wheetos
Thumb Down

Case 66545 - Mr Darling vs Information Commissioner

How can we trust a government that announces this fiasco and then says they've informed the banks. Shouldn't they be informing the credit reference agencies as well because fraudsters use these details to open bogus accounts and sign up to mobile phone contracts. At the end of the day it's the consumer that has to sort out the mess when id-theft occurs.

I wonder how I'd get on prosecuting HMG if I suffered id-fraud? I hope the Information Commissioner throws the book at HMRC.

http://www.cabinetoffice.gov.uk/csia - for a hypocritical laugh.