Peter's Blog

Today I’ve read article on Polish security portal Niebezpiecznik.pl about a guy who was searching for information about his debtor and accidentally found a file with list of over 1000 debtors of PKO BP (Polish bank), more here (unfortunately only in Polish). First he was accused that he obtained this file illegally by breaking into bank’s network, but police found no evidence for that and file was indeed indexed by search engines. So after charges have been dropped bank’s spokesman informed general public that this file was, as he called it, “deep hide” and was indexed just after 4 years. Nice explanation. I believe this “deep hide” was some complicated folder structure like teenagers are using to hide porn from the eye of their parents, example below:
C:\Program Files\Microsoft Office\Office12\Document Parts\1033\hot_teenage_girls

Yep, this is indeed security at its best:) And let me use nasty comparison here, this time bank performed deep… throat.

Looks like really every program can be harm to your computer these days. I’m reading US CERT reports regularly and yesterday I’ve read this one. Long story short software included with the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. It’s very serious as attacker can gain complete access to machine (however with privileges of currently logged user, so if you’re not using admin account all the time it’s not so serious, but how many Windows users do that). Software leaves possibility of attack on TCP port 7777 and after gaining access such activities are possible: ability to list directories, send and receive files, and execute programs. Read more in the original report. Who would even suppose that software which shows you progress of charging your batteries can bring such vulnerability? This happens when developers don’t pay attention to security, would it ever change? Ehh.

Bruce Schneier is the person well known to everybody interested in IT security. Recently he published blog post about why two-factor authentication is not solving all security problems. For those who don’t know what this term means, two-factor authentication is basically system where first you’re giving your “constant” password (password which doesn’t change), then if you’ve provided correct password system is sending you another one which is generated for you just for this single use (this password can be generated also by some small device provided to you by system admin). When you’ll provide valid second password system would let you in. Mr. Schneier is writing that it’s not as safe as many people used to think, because it can be intercepted (for details read his post), so he suggest to use transaction based authentication, instead of session.

And here come my bank which is using transaction based authentication, but only partially. How it goes, when I’m going to make a money transfer:
1. I’m logging in to my bank account (using “constant” password) and fill information about transaction into web form.
2. After submitting a web form, bank is sending me one-time password via text message to my mobile.
3. I’m filling this one time password along with my main password into web form and my transaction is being processed.
Problem is that when I’ll authorize one transaction this way. Every other transaction during this session would require only “constant” password to be provided. So, if somebody would want to steal my money, he just needs to use one of the techniques described by Bruce Schneier and wait till I make my first transaction, then he is free to do anything as to intercept main password is not big challenge.

I hope that my bank’s admins would rebuild this procedure to comply with good security practice which is transaction based authentication. Till then I must be double careful:(

Just a quick note. If you are, like me, using WordPress for your blog then you should update it to version 2.8.4 asap. Read more here.

This is the title of an article from wired.com, which happens to be my favorite magazine. But this particular article is trash for me. Mainly it’s about how netbooks (like Asus EEE PC) are vulnerable for network attacks, because they’re have no security built-in. Author says that most of such computers have no antivirus installed (but how many notebooks or PCs have?) or users are simply turning them off (antivirus apps), because netbooks have too low performance to handle normal apps and antivirus at the same time (what a bullshit). Of course there is Symantec mentioned (commercial?), and I can agree that most of netbooks would not handle Symantec heavy security package. But even my Core 2 Duo regular laptop with 2GB of RAM had problems with Symantec. And it looks like Symantec knew well about the problem, because they’ve returned me money spent on Norton 360 without even asking why. But please, there are better security apps than Symantec and they don’t need such powerful hardware. Second thing if somebody is so stupid to turn off his firewall and antivirus, well, he deserves what he would get.

Another thing. He writes about corporate users that they would not want it as it’s non secure. Well, I’m able to find better reasons why corporate users don’t want it than low security. And I believe normal admin would not let such hardware to his network without proper security, same as with notebooks or regular PCs. I really don’t understand what he is talking about, same as these “experts”. My company’s Dell when I’ve unpacked it hasn’t got any antivirus software as well and it was far more expensive piece of hardware than mentioned by author 300$. And again old phrase, netbook is bad because it can’t handle software which is able to protect data from being stolen. Wow, it really looks that you need to have very powerful piece of hardware to be able to secure your data. What a crap.

OK, let’s calm down a little. At the end of this text there is mentioned that maybe it’s not so bad, because in most cases there is nothing to steal from personal computers. Well how would you know. They’re saying me that typical teenager who is using facebook has no interesting and valuable data on his hard drive? They’ve just ruined my world. According to comments under this text there is not only me angry about it. Still I think that it’s some kind of joke from Wired, to show us how some people could think. How some “experts” are not worth a penny. At least I want to believe that.

Uff. Long time there was no such long text of mine. I hope that in spite that I’m a little mad right now, it’s still understandable. And don’t worry, I’m still Wired fan, and would extend my subscription:)