On 6/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Wed, 27 Jun 2007 22:01:33 CDT, Dennis Henderson said:
> > Can anyone explain how getting pwned by a keylogger or a trojan is not their
> > fault? Do we have to argue what "fault" is? I hope not, because that could
> > take days... :)
>
> Hmm.. there was a bunch of Italian websites serving up exploits pretty recently. Whose fault is it if you visit some presumably trustable and legitimate website that you've been visiting for *years*, and that morning they got hacked and send your copy of IE an exploit for a yet-unpatched vulnerability?

Yes, and I included 0days as a vector.

> Or even better - a 3rd party site that does banner ads and the like is the one that got hacked. So you visit www.snopes.com, and you find out the hard way that www.burstnet.com was pwned. Care to explain to me how *THAT* is the fault of any Joe Sixpack? Remember that if you say it's their fault, you *also* need to provide *workable* advice on how they were supposed to prevent it. Good luck explaining noscript.net to Joe Sixpack, let me know how that works out for you...

So Valdis, you got pwned on snopes? :) So tell me, what steps do you take to make sure your online banking experience is a safe one? If you don't do online banking, then please don't comment further in this thread. Is it so beneath you to provide positive advice or commentary on *any* topic?

Goes right back to the responsibility of doing online banking. People who are clueless about Internet risks should not do their banking online. If they cannot take the time to get/keep their computer in shape, and perhaps read about how to set their browser security to appropriate levels and know the signs of their company's real website as opposed to a fake one, then they share some responsibility in their potential loss. Don't download every free tool and software you can get your hands on. Read the EULAs when you do. These are basic bits of information that can help people stay out of trouble. Make Fergie happy, run TrendsAV. Patch to the hilt. Run a firewall. Learn how to tell if you're actually on your bank's site. It's really not that hard given all the resources that browsers come with these days. Don't click on any and all links in emails, especially if they're from your bank or financial institution. If your bank sends you emails with links, find another bank. These are basic bits of information that can help people stay out of trouble. Sounds clueless? Well, to clueless people these things are probably sage advice. Won't remove the risk, but it can reduce it dramatically. 0days are still a minor vector compared to what's keeping the online banking fraud cartels alive.

> > Does anyone have the balls to admit that they have been pwned thru no fault
> > of their own? I would love to hear that story.
>
> There's this security person by the name of Raven Adler. I suggest you ask her whose fault it was she got nailed by a MacOSX 0-day in front of everybody, and how things turned out when she went to talk to Apple about it...

Unlike you, I don't want to be argumentative about every little topic, but IIRC, her box was probably already pwned when she got there and someone scanned it, and found the pwnage while she was presenting. She mentioned that her boyfriend was using the laptop. It probably got pwned due to his surfing habit. Yes, it probably was a 0day, but the more a user strays to the dark side of the Internet, the more likely they are to visit a site with "free software" or nifty little iframes and suffer the results of the "other" stuff that comes with it. So banks should just happily pay out lost money due to the habits and lack of responsibility of the customer? It will eventually come to a head when banks get tired of losing money due to the stupidity of their customers.

To bring this back to the original purpose of the thread, I am not a proponent of wanting to inspect every person's computer that reports fraud. I am more a proponent of having customers do preventative things up front that will reduce the incidence of reported fraud in the first place. Or not do stupid things that can bring about fraud. I've looked at referrer logs and saw a customer's personal portal that has a link to my bank, and the link text is their friggin userid. That person is one that should lose out on any fraud loss challenge. I've even seen portal pages where they have the id and a hint as to what the password is.. These customers get locked out, and when they call in, we force them to remove that info before we let them back in. If they then fire us, we say sorry, see you later, but our overall risk probably just went down a tick. Anyway, peace and love!
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.