Articles from last posting
Read Mary's Globe & Mail column - The Horns of a security dilemma.
LexisNexis and T-Mobile attacks carried out by resourceful youth
Insiders strike again
16-year-old Swede - and his trusty keylogger - steals Cisco source code
Robin Hood defence sinks like a stone
Britons headfried with PIN fatigue
Debt collection agencies and law firms buy stolen data
Modus Operandi of Phisher Kings Exposed
Housewife loses large sum to keylogger in South Korea
Keyloggers strike again.
A 20-year-old school dropout has robbed the online banking account of a South Korean housewife of 50 million won (USD $50,000) - a first in the high-tech country. The Sydney Morning Herald reports that police have arrested the youthful suspect, and an accomplice.
He allegedly carried out the attack by embedding a trojan keylogger in a message he planted on a community internet site. When the victim clicked on the message, her fate was sealed, and the fraudster made off with her online banking details - and a tidy wad of cash.
It is not clear at this stage what bank was involved, or if they will reimburse her. From our posting on the subject last time, you will know that reimbursement in such circumstances is by no means certain, as many banks will view you as the author of your own misfortune.
The article also suggests that South Korean banks provide anti-virus software to their banking customers. This is not a common practice elsewhere, but it may well become standard fare in online banking.
You may not get to log on in future unless you agree to purchase malware protection from your bank, or a trusted supplier, and/or sign off on an agreement that states you are otherwise fully protected - to the extent that any consumer can rationally make such a representation.
This was a bad few weeks for South Koreans generally.
MSN site in South Korea bites users
Microsoft was left with egg on its face (not an uncommon occurrence) after it was discovered by 'security researchers' that users of the popular MSN (South) Korea web site were exposed to attackers who were stealing their passwords.
The error that led to malicious code finding its way onto the MS site was variously described as a problem with patching the operating system (i.e. theirs), or possibly a cross-site scripting error (all garden variety, non-rocket-science stuff that MS should have had a handle on 10 years ago). MS appears to have pinned the blame on an unnamed outsourcing partner who managed the site.
Conflicting advice - what is a person to do?
One minute we face being stretched on the rack, and tossed off internet banking sites, if we don't guard our PIN numbers with our lives. And austere regulators urge extreme caution and demand adherence to oftentimes draconian PIN-phobic codes and laws.
But lest we get complacent and actually know what is expected of us, the advice keeps changing, and even the experts disagree. Little wonder well-meaning folk are confused.
PIN fright night
The latest quirk is that a 'senior programme manager' for security policy at Microsoft told a high-level Australian security crowd that the security industry had been 'giving out the wrong advice to users by telling them not to write down their passwords'.
He apparently expressed the radical view that password policy should in fact require that you write down your passwords - and keep that precious piece of paper safe - as otherwise common sense dictates that you will use the same easy-to-recall password for everything, weakening your overall security posture.
While these sentiments, brave and compelling as they are, do indeed represent the current reality, don't go PIN skinny dipping just yet. Remember those evil regulators, and those pesky codes and laws that dictate otherwise?
For those of you not dipping daily in security minutiae, it is worth explaining that passwords are the weak link in almost all security solutions - however high-tech.
As one delegate at this event pointed out, two-factor authentication - heralded as the ultimate solution that will save us all from impersonators and identity thieves - is often easily defeated by folk (he mentioned a government minister as an example) who write the PIN number that protects the device - such as a USB token - on a piece of paper and 'tape it to the back of the token'.
Saviour on the hill?
Will biometrics save the day - iris scans, fingerprinting and handprints, or voice recognition? These technologies hold enormous promise, but constant FUD-mongering and ludicrous over-hype has left many a potential adopter wary.
Meanwhile, eBay is none too enamoured with two-factor authentication, although its top security honcho Howard Schmidt is on a road show explaining how critical it all is.
Strange times.
Anti-virus vendors square off
McAfee CEO Gene Hodges has been out and about, talking the talk, after pleasing Wall Street analysts with decent first quarter results.
He shared his views about the threat posed by Microsoft to security vendors everywhere (only really dangerous in the consumer space), and took time to disparage his more traditional competitors. Symantec, by his way of thinking, bought storage powerhouse Veritas simply to try to “get out of Microsoft's way”.
Alas, this would be a flawed strategy, per Mr Hodges, as 'their (Symantec's) data integrity strategy will have some benefits to customers, especially in the area of compliance. But in the broad sweep of protecting network intrusions, this was not a great leap forward.' Ouch.
He then waxes lyrical about the threat to us all from hackers. A crushingly insightful observation that clearly puts Symantec in its place.
MS to crush RIM and enable the 'new world of work'
Bill Gates and Steve Ballmer have also been on the circuit, talking about feisty new mobile product offerings that will kill the Blackberry, and enable us to work harder and better, in the buzzword-infected 'new world of work'.
The good news is a feature to remotely wipe mobiles clean of sensitive data - to deal with that "taxi scenario" - where users leave MI5 top secret laptops and jewel infested PDAs in cabs, etc.
Ballmer quipped, as hard core techies are wont to do, that the new world of work comprises 'these frightening creatures, formerly known as simply employees... now repositioned as free range information workers. And they are running amok, accessing networks remotely and gleefully sharing sensitive company information from their favorite cushy chair at Starbucks'.
And later on, the poor user gets it in the neck once again: 'these spoiled brats of business make more and more of their diva-like demands on IT pros and developers'. And in the same vein, in the voiceover from 'Ms Bee', amidst her 'carefully researched list of the top five most requested requests from information workers':
'I'm tired of having to bring into IT every laptop I ever want to use to connect remotely to the company network, like the one I use on my unsecured, non-firewalled home wireless network my teenage son's delinquent friend manages for me. Can't IT just lighten up on this? (Laughter.) I know it's just me connecting to the network'.
Thereafter followed the usual dose of Ballmer Linux bashing, and product evangelizing... with a careful nod to security: 'you'll see us continue to invest in security as a job one priority... We've got a lot of new technologies coming in the security area'.
But when will we see the poor user get a tad more respect from the big guys? Don't hold your breath.