Banks are useless. In response to the case I mentioned recently, Nordea have sent out a notice to all their customers, urging them to install a personal firewall.
Clueless muppets. Get a clue! It's free!
Warning: beheaded Lockheed Martin engineer Paul Johnson.
The first public criminal case in Denmark involving the keywords "theft" and "online bank" is making headlines. The victim was tricked into installing a trojaned remote control tool (which contained a keystroke logger and remote control tool controlled by the attacker). This payload was used to steal the victim's secret keyfile and snoop on his passphrase.
A certain organisation run by muppets immediately demanded a security review of banking systems and urged users to run spyware scanners. I really wish these idiots would shut up. Just shut up.
1) Any violation of the trusted computing base, which is what happened here, will result in exactly the same thing. Yes, I know that using token-based challenge/response systems would prevent an attacker from capturing the victim's credentials. It would not, however, prevent the attacker from writing software to intercept and redirect authorized transactions. If the software then deleted itself, the victim would be left with virtually no way of proving a crime took place.
2) Spyware scanners couldn't possibly prevent this. Customised malware is not recognised by virus or spyware scanners.
We do not need reviews or more reactive software. There is nothing new here at all. We need educated users, more secure default operating modes of popular operating systems and legislative countermeasures that punish the kind of user neglect that causes theft via online banking systems to take place.
According to the UPS online tracker, my Soekris hasn't been seen since it was picked up. The last scan was 8pm on the 9th in Belgium. How it's going to make scheduled delivery tomorrow is beyond me.
I am not as hip as most people, so I was only invited to open a Gmail account last night.
Content-Type: text/plain; charset=US-ASCII; no
using æ, ø or å.
I recently ordered a Soekris NET4801 (or Søgrise, as they have become affectionately known in certain Danish BSD circles) and a 2.5" 60GB IBM Travelstar. The disk arrived a few days ago, and the NET4801 will arrive soon. It will be taking on the heavier tasks, such as file & print, web, leafnode, roundup, cvsync, symon, edna and postgresql server, with my CompactFlash-based NET4511 still in charge of DNS, DHCP, wireless networking and internet gateway.
I want to use OpenBSD's support for siteXY.tgz to bootstrap a fully working system and perform administrative tasks in a CVS checkout on my laptop. I do not ever want to log in as root, or use sudo. My strategy must be able to scale to hundreds or thousands of machines. I want to prove that the principles described on infrastructures.org work well for smaller sites.
I sense something. I feel like I have something to say; words fail me, however. I have something important on the very tip of my tongue, but it refuses to come out. I am sure if you meet me and look carefully, you will see this expressed in my face.
Recently I found myself in a situation that I have been in before, but only this time, I finally understood what was happening. When someone utters a fact (usually about security) that is not only not right, but not even wrong, I simply do not know what to do. My mind fumbles because I have no idea where to begin explaining to this individual just how wrong he or she is.
A new fight is brewing. You may recall that horrible PC Finder product I mentioned a few other times. The vendor, Gigasoft, has started to threaten certain individuals who have taken part in the debate in dk.edb.sikkerhed. More details are at snakeoil.dk if you read Danish.
I find it highly amusing that someone in Gigasoft's employment started the discussions, and now they're considering legal action because people did not like the idea and said so.
The time is 02:28, and I am going to bed.