I’m a Bruce Schneier fan, and read his blog every day. He usually writes interesting stuff with regards to computer security and security in general, and he finds the most interesting articles about security…and then, of course, we can’t forget his Friday squid posts :)
Today he found two fun articles about security, which I’ve decided to comment a bit on.
The first one he calls Bad Security: Everyone Does It and is a post by George Ou on ZDNet, talking about the Navy Federal Bank’s ignorance about security and SSL use.
George posted on April 27th about American banks that fail to secure the login of users into their online banking systems, a post in which he names names, including American Express, Bank of America and a bunch of others. The insecure practices he points out are invalid SSL certificates (the hostname in the certificate doesn’t match the hostname you typed into the browser, so the browser can’t tell you whether you are really at the bank’s site or not) and non-SSL login forms (the username and password travel in plain text, so anybody on the network path between you and the bank can read them and get into your account).
Now…what’s the problem with these two problems? Well…if the SSL certificate used by your online bank is borked, as is the case with American Express (where the certificate is issued for a248.e.akamai.net when you try to reach home.americanexpress.com), you can’t be sure that you are actually on the website you are supposed to be on: the certificate is the only thing that ties the page in front of you to the bank, and here it names a different host. Worse, since the bank’s real site trips the browser’s name-mismatch warning every single day, customers learn to click through it. That is exactly what phishers need: they can poison a DNS server (or sit between you and the bank) so that www.wewantyourpassword.com answers for home.americanexpress.com, present any certificate at all, and the warning you see looks just like the one you always dismiss. When you try to log into your account, they save your username and password for later use. What is this later use? Well…how about stealing all your money from the bank without leaving their bedrooms? If a phisher gets your username/password he can impersonate you at the bank and move all your money to another account, and you are broke. Think of your username/password combination as if it were your credit or debit card and your PIN…once a thief has those two things, he can get your money and there’s very little you can do about it. Even worse, ATMs usually have a limit on how much you can withdraw each day (at least in Mexico they do), while online banking lets you move as much money as you have in your account or your credit line.
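To make the certificate mismatch concrete, here is the check a browser performs before it decides whether to show that warning. This is an added example, not code from the post or from the articles it links: it takes a certificate described in the dict layout that Python’s `ssl.SSLSocket.getpeercert()` returns and decides whether it is valid for the hostname the user typed, following the RFC 6125 rules browsers use (subjectAltName dNSName entries win; the subject CN is consulted only when the certificate has no dNSName at all; a wildcard must be the whole leftmost label and matches exactly one label). The certificate dicts are constructed for the example; the a248.e.akamai.net / home.americanexpress.com pair reproduces the mismatch described above, not real certificate data.

```python
"""Hostname check a browser performs against a server certificate.

Added example (not code from the post or the articles it links). The
certificate dicts below are constructed, in the layout returned by
ssl.SSLSocket.getpeercert(); they are not real certificate data.
"""


def _dns_names(cert):
    """dNSName entries from subjectAltName, else the subject CN (legacy)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*.com", "w*.example.com", "*.*.example.com" and similar.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard covers exactly one label, so label counts must agree.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True when the certificate is valid for hostname; False is the
    condition under which a browser shows its name-mismatch warning."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


# Constructed certificate descriptions. The first reproduces the mismatch
# the post describes: the name on the certificate is the CDN host, not the
# bank host the user typed.
AKAMAI_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"),),
}
BANK_CERT = {
    "subject": ((("commonName", "home.americanexpress.com"),),),
    "subjectAltName": (
        ("DNS", "home.americanexpress.com"),
        ("DNS", "*.americanexpress.com"),
    ),
}
# CN looks right, but dNSName entries are present, so the CN is ignored.
MISLEADING_CN_CERT = {
    "subject": ((("commonName", "home.americanexpress.com"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"),),
}

if __name__ == "__main__":
    for cert, host in [
        (AKAMAI_CERT, "home.americanexpress.com"),
        (BANK_CERT, "home.americanexpress.com"),
        (BANK_CERT, "www.americanexpress.com"),
        (BANK_CERT, "deep.www.americanexpress.com"),
        (MISLEADING_CN_CERT, "home.americanexpress.com"),
    ]:
        print(host, "->", "OK" if cert_matches_hostname(cert, host) else "MISMATCH")
```

In real client code `ssl.create_default_context()` performs this check for you as long as `check_hostname` stays `True`; setting it to `False` (or `verify_mode = ssl.CERT_NONE`) is the programmatic equivalent of the user clicking through the warning, and it makes the DNS-poisoning scenario above work against the program just as it works against a trained-to-click-through customer.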
And what about the non-SSL login forms? Exactly the same problem…if you log into your bank through a form that isn’t served over SSL, your username and password are transmitted in plain text, and anybody on the path with a packet sniffer (there are tons of those and they are perfectly legal…we security people use them for packet analysis when protecting networks, among other things) can read them…and we are back to the same scenario as before…your empty bank account.
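The following is an added example, not code from the post or from the articles it links, showing both halves of that problem. `extract_credentials()` is the handful of lines a sniffer needs to turn a plaintext login request into a username/password pair, run here over a constructed capture (not a real packet; the hostnames are placeholders). `classify_login_forms()` is the check to run on a bank’s login page, and it adds one caveat the post does not spell out: a form that posts to https but was itself loaded over plain http is still not safe, because whoever is on the path can rewrite the form’s action before the user ever sees it. The field names treated as credentials are an assumption for the example.

```python
"""What a login form served without SSL hands to anyone on the path.

Added example (not code from the post or the articles it links). The
capture and the login page below are constructed; hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed set of form field names worth treating as credentials.
CRED_FIELDS = {"user", "username", "userid", "login", "email",
               "pass", "password", "passwd", "pin"}
PLAINTEXT = "credentials sent in plaintext"
TAMPERABLE = "posts to https, but the form arrived over http and can be rewritten in transit"
PROTECTED = "page and form action both https"


def extract_credentials(raw_request):
    """Credential-looking fields from one plaintext HTTP request (urlencoded
    POST body or GET query string), or None if the bytes are not parseable
    HTTP (for example a TLS record) or carry no credential fields."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("iso-8859-1"))
    elif method == "GET":
        fields = parse_qs(urlsplit(target).query)
    else:
        return None
    found = {k: v[0] for k, v in fields.items() if k.lower() in CRED_FIELDS}
    return found or None


class _FormFinder(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif (tag == "input" and self._current is not None
              and (attrs.get("type") or "").lower() == "password"):
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def classify_login_forms(page_url, html):
    """[(absolute action URL, verdict)] for each form that has a password field.
    Only PROTECTED means the page itself and the form action are both https."""
    finder = _FormFinder()
    finder.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for action, has_password in finder.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        action_https = urlsplit(target).scheme == "https"
        if page_https and action_https:
            verdict = PROTECTED
        elif action_https:
            verdict = TAMPERABLE
        else:
            verdict = PLAINTEXT
        results.append((target, verdict))
    return results


# Constructed capture of a login POST over plain HTTP, as seen on the wire.
CAPTURED_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: onlinebanking.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=jdoe&password=hunter2&go=1"
)

# Constructed login page: the form posts to https, but if this HTML was
# fetched over http the action could have been changed en route.
LOGIN_PAGE = """<html><body>
<form action="https://secure.onlinebanking.example/login" method="post">
  <input name="username"> <input type="password" name="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""
```

Running `extract_credentials(CAPTURED_POST)` returns the username and password straight from the wire, while feeding it the bytes of a TLS record returns `None`, which is the whole difference an SSL login form makes. `classify_login_forms("http://www.onlinebanking.example/", LOGIN_PAGE)` flags the form as tamperable even though its action is https; the same page served over https is the only case reported as protected.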
In his post of May 16th, George returns to the subject after one of his readers pointed him to the explanation the Navy Federal Bank has on its website about the “security” measures of their online banking. George was so shocked by the ignorance demonstrated in this so-called explanation that he answered it point by point…and it’s well worth reading.
If your bank is listed in Ou’s first post, I’d recommend you stop using its online banking system *immediately* and send the bank a letter telling them that their online banking system is insecure and that you don’t like that one bit.
The second post by Schneier has nothing to do with banks, but it does have to do with security…or the lack thereof: the risks that Windows’ hidden features imply.
This one points to a post by Roger A. Grimes in InfoWorld, called Wrestling with Windows’ hidden “features”, and talks about one of the many over-integrated features in Windows, which lets Internet Explorer run a program if a shortcut to it is named like a website…that is, if you have a shortcut on your desktop called www.aol.com that points to notepad.exe, then when you type www.aol.com in Internet Explorer’s address bar, instead of going to AOL’s site it runs the shortcut on your desktop and executes notepad.exe.
Now, this isn’t exploitable remotely, but it’s still a “feature” that is the result of the integration Microsoft attempted between their OS and the Net. I, personally, didn’t know about the existence of this, which somebody said has been part of Windows since Win98, and neither did Grimes…I wonder…how many of these kinds of “features” are lurking in Windows that *could* be used by a remote attacker? Or that a local attacker could use for privilege escalation?
Featuritis is a disease that a lot of software suffers from, not only Windows (though Microsoft’s software seems to have a rather severe case of it), and we, the users, should be aware of the security implications of every feature that bridges our computers to the Net, because those are the most potentially dangerous ones.
Technorati Tags: security, bad security, zdnet, bruce schneier, banks bad security, online banking, navy federal bank, american express, bank of america, windows security, george ou, roger a. grimes

Tags: Thoughts