New 'Protect Your PC For Free: No-cost Anti-Virus and Other Software' discussion

optiMISER_3

Found this quote from a security bulletin http://www.caida.org/research/security/witty/):

It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

I think the reference to "making them financially liable" is with regards to actually holding people responsible in criminal or civil law for damage arising from attacks carried out from their networks, not just schemes like the banking code, but this debate has relevance to the banking code and how it will be interpreted as well.

optiMISER_3

I guess the professionals in the quote I've given above are saying that end users should install virus and firewall software, but that after that they shouldn't be held responsible for anything.

But as things stand if you just do that without understanding anything the fact is you won't be secure; you may be indemnified.

As I said above, the problem I believe is that you can be much more secure with more understanding and caution (say 60%) and no virus/firewall software than with little understanding (say 10%) and virus/firewall software running.

Of course it is better to have both but virus software in particular is so resource intensive.

For those not running virus software and personal firewalls - i.e those who feel they have enough control without it, then under the above thinking (and I think the banking code), the onus will be on them to prove that they have exercised reasonable care, which no doubt will be very difficult as you are in effect putting yourself forward as an expert.

optiMISER_3

Mind you, why should end users have to pay extra for security subscriptions? If buying an OS, should it not be guaranteed to be as secure as possible out of the box, with automatic security updates being enough to keep up with the pace?

For those using Linux the onus would be on them unless paying for a particular distro with security support linked in.

optiMISER_3

Another idea I had was for banks to issue a boot up cd which could make any computer able to boot from cd a secure banking terminal. (HD would be not mounted, BIOS virus would be the only concern but it could be checked for? - can't remember if any can incorporate keyloggers and dns redirects anyway?). Someone else on this thread had that idea too:


http://www.theregister.co.uk/2008/04/04/banking_code_2008/comments/

Good thread on the banking code issue, if a bit technical (including a discussion about progressive PKI/ identity card use in Bulgaria which really could be used alot more for email/signing things online, and tied in with the government's anti terror efforts - they may as well make it useful for other things too).

They probably don't want to do anything like this because although it would make systems more secure they would have less chance to blame users.

Also it really does seem that the way it is phrased at the moment it is going to force you to use Windows, and an up to date version - so yes when Microsoft says you have to transfer to Vista etc you will have to if you want to use online banking.

Making you have to use up to date Windows and all the associated AV software is a very big money saving issue as you'll need to buy the new software and improved hardware to support it! (The irony is a minimal, secure system just for banking could be created either on my eepc idea or using a boot cd)

This BBC Linux blogger says his bank explicitly won't let him use Linux for security reasons:

http://www.bbc.co.uk/blogs/bbcinternet/2008/06/linux_ubuntu_blog.html

(see number 6)
Oh, this is horribly ironic. I'm not one of those that thinks Linux is the security panacea, and new users should really take care with it instead of having that attitude, but it is shocking given all the known flaws in Windows that they can come out with something like this.

And what about the banks side of things? How can Egg be doing right - they still ask you for DOB, name, something else easy to get I can't remember what (and what is the point putting those in every time??) and then they ask for your password (limited to something stupidly short) in full (same password every time. They have no card authentication system so anyone who has pass, and the other details can pay anything out of that account. Horrendous - they can make their systems so that damage is minimised even if a client's system is compromised - how far are their obligations in this regard? They should have to do more than say, Egg are doing.

And hten there is the coop who as for a security name (or something like that, obviously not a password) on sign up for a credit card and then go and make that the verified by visa password automatically!! Absolutely crazy, it should be a randomised password and you should have to set it up if you want it! Then for their internet banking again you have to phone someone and tell them your new pin and five pieces of security info that you are going to use as passwords to log on??? Aside from the fact that the person on the other end of the phone has all of that info, how on earth do you give a good randomised password with special characters to log on with in that case? Over the phone. Even if you choose phrases, what about spaces and CAPS etc?? Not that they'd make it clear that they are to be used as passwords or what make good password qualities, I mean they are training users to be inept in security terms. I think I like the idea of having five passwords that rotate at random though.

By the way why on earth does anyone think it makes it more secure having to phone to create a new payee. It could be anyone on the phone with the details (all the stupid memorable phrases - I bet most people use the same things for different companies). A system like the card reader with one time auth codes is just as good, although probably jsut as bad.

Pity I can't see anyone still discussing this - either on this thread, and there was one other on the banking code but seems to have fizzled out. On a wider scale haven't seen any campaign or anything. I suppose CHIP and PIN was introduced not for the purposes of increasing security but to shift liablility and we all accepted it. This is just the same.

I did see a reference on that register thread about an EU directive that might put the burden of proof back on the banks, but they haven't changed the code again yet.

[Deleted User]

optiMISER wrote: »

Another idea I had was for banks to issue a boot up cd which could make any computer able to boot from cd a secure banking terminal. (HD would be not mounted, BIOS virus would be the only concern but it could be checked for? - can't remember if any can incorporate keyloggers and dns redirects anyway?). Someone else on this thread had that idea too:

As I said in another thread, people complain enough at having to use keypads let alone use a different operating system. Not to mention that this 'live cd' you speak of would have strips torn off it within about an hour of it being released and every vunerability in it would be discovered, then what? Reissue CD's to people weekly?

Making you have to use up to date Windows and all the associated AV software is a very big money saving issue as you'll need to buy the new software and improved hardware to support it! (The irony is a minimal, secure system just for banking could be created either on my eepc idea or using a boot cd)

Whether it's Linux, Windows or OS-X doesn't matter, if someone is duped by a phising email then you can have all of the security software in the world and it's not going to make a difference.

By the way why on earth does anyone think it makes it more secure having to phone to create a new payee. It could be anyone on the phone with the details (all the stupid memorable phrases - I bet most people use the same things for different companies). A system like the card reader with one time auth codes is just as good, although probably jsut as bad.

Well, we could all go into the branch with two forms of photographic ID and a letter from our mum's to set up a new payee, I bet that would curve the problem. As long as the bank's policies are compliant with the requirements of the DPA then I'm content.

I suppose CHIP and PIN was introduced not for the purposes of increasing security but to shift liablility and we all accepted it. This is just the same.

You can't deny that a PIN is more secure than a signature. If you find a card, then half an hour with some tracing paper and you'd be able to copy the signature well enough to convince the large majority of shopkeepers. I mean, how thoroughly were they ever checked? A quick glance and that was it.

superscaper

anewhope wrote: »

You can't deny that a PIN is more secure than a signature. If you find a card, then half an hour with some tracing paper and you'd be able to copy the signature well enough to convince the large majority of shopkeepers. I mean, how thoroughly were they ever checked? A quick glance and that was it.

I couldn't even get my own signatures to match (extremely bad handwriting). I don't think they ever really checked signatures at all.

optiMISER_3

As I said in another thread, people complain enough at having to use keypads let alone use a different operating system. Not to mention that this 'live cd' you speak of would have strips torn off it within about an hour of it being released and every vunerability in it would be discovered, then what? Reissue CD's to people weekly?

Anewhope, if the bank issued a secure system for free then I wouldn't have a problem if less wise people chose not to use it on account of minor inconvenience. A live CD need not mean getting to grips with Linux - they could even get a special licence from Microsoft and base the cd on Windows. There would be hardware compatibility issues but requiring use of wired network cards would help.

I think I have discussed this on these forums in more details somewhere else, or maybe it wasn't on here. I wouldn't expect you to understand the idea about the Live CD from what little I wrote above (I think the guy in that register forum gave a better account and I think I've seen some pretty good ideas on it somewhere but forget the link). The idea would be that all the banks in the banking code develop it together. They make a really secure, locked down system that only is designed to work with their websites (they wouldn't even have to be websites, it could be custom client-server software). They then load it with all of their server details and public keys. They should be able to prevent any other web or internet access on it, so the holes wouldn't matter so much as they'd only be visiting trusted internet locations. You would I thinkn be less susceptible to man in the middle attacks as teh public keys are already on the CD and could be used to establish a connection rather than trying to set a secure session from scratch (I'd need to think about this more, my understanding of crytpography and its use in client/server software is not as good as it should be), so even if any of the networks along the way were insecure it wouldn't matter. The big risk is if the CD is intercepted and modified along the way (loaded with false public keys and servers), but with the banks secure distribution channels (branches) it shouldn't be too big an issue.

Anyway, that is just one idea, the main point is that the banks aren't really doing all they could and are putting more onto the customer.

Whether it's Linux, Windows or OS-X doesn't matter, if someone is duped by a phising email then you can have all of the security software in the world and it's not going to make a difference.

I believe this is what I said in some of my earlier posts, I think I agree with you. The banking code also agrees. So what is your point? My point was that they are saying in addition to your not giving your details away to a phising email you also must run up to date anti-virus software - i.e. that is the banks ham-fisted way of saying your software system must be secure. I say that virus software in and of itself does not make a system secure and the banks could develop systems that are more secure by default. If the banks could develop a live cd as above, or a special terminal pc, and make it quite clear to people that they never enter their passwords anywhere else, this might reduce phishing as well as the chance of man in the middle attacks, keyloggers etc.

Well, we could all go into the branch with two forms of photographic ID and a letter from our mum's to set up a new payee, I bet that would curve the problem. As long as the bank's policies are compliant with the requirements of the DPA then I'm content.

The particular problem that I was pointing out at this stage was simply that people in charge of security systems regard telephone identity verifiication as more secure than online identity verification, but if it uses the same information (and that's all it could do in the final analysis) it isn't, you'd just have a telephone record of the voice instead of an IP address for investigation, that's all. By the way, The Data Protection Act is potentially good but the ICO is a joke; I am sure if their systems were ever put to the test they'd fail to be compliant with the Act, and they seem to have no teeth whatsoever where it counts, they are just happy to make sure ever more people pays their £35 a year registration fee.

You can't deny that a PIN is more secure than a signature. If you find a card, then half an hour with some tracing paper and you'd be able to copy the signature well enough to convince the large majority of shopkeepers. I mean, how thoroughly were they ever checked? A quick glance and that was it.

OK, you do have a point here, but I did say:

I suppose CHIP and PIN was introduced not for the purposes of increasing security but to shift liablility and we all accepted it.

I should have been clearer - I meant we all accepted the shift in liability. We could have accepted the CHIP and PIN as an inherently more secure system, but rejected the banks telling us it was 100% foolproof and therefore it must be our fault if anything went wrong.

Ice_2

I am using threatfire at the moment
http://www.threatfire.com/

optiMISER_3

The register live cd guy had it right - I was trying to reinvent the wheel I think. The live CD could use VPN to connect to the banks systems. All their (banking code banks) different VPNs could be loaded onto the CD, with you having to use your password to connect.

We are talking about internet banking, not necessarily web banking.

optiMISER_3

Threatfire looks good if it works - of course this behavioural stuff is the promised land for virus software. The fact that a virus has to be defined before it can be caught has been argued to render AV next to useless. The cynics say that behavioural algorythms could have been much better if as much money was put into them, but more money is put into defs because they require more constant updates, which enable the more profitable subscription system.

Whether such radical software would fulfil the requirements of the banking code or not . . .

Even Threatfire itself suggests it should be used alongside other AV.