XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-10 Thread Daniel Pittman
Mada R Perdhana  writes:

How interesting.  It looks pretty much like snake-oil, a scam intended to
scare folks who don't know much about security, to me.


The problems start with their lack of presence: the main bits of presence
are a FaceBook page, a twitter account, and a Yahoo Group with barely
coherent writing about their content.

They do, though, do the scam-focused thing: waffle vaguely about security
issues, claim (but not prove) they are more secure, then tell you that you
are a bad person if you don't instantly convince your friends to use their
software.


They do have an email address, apparently attached to some Google Apps
hosting, and a website with links to their 2008 security forum, and a copy of
the same information about security (eg: none) as their FaceBook page
provides.


They start with the *technical* issues by claiming that "techniques of
cracking the SSL implementation" are widespread, but provide no evidence about
what those techniques are - or why they are, for example, not being widely
reported since that would be huge security news.

If we generously assume that they mean that attackers are running software on
your machine to intercept content *without* having to violate the
cryptographic security of the SSL/TLS protocol then they have a huge burden of
proof in the form of demonstrating their software actually does anything.

Which, of course, they don't deliver.


Meanwhile, if we look to their writing on the facebook "page" they have some
excellent advice for you: you can keep the software safe by keeping the
original zip file around, and if you ever have a doubt (sic) you can just
extract the executable again.

Because, y'know, an attacker would never, ever think of being able to attack a
bit of software every time it ran, or to fiddle with an executable inside a
zip file.  That would be, y'know, hard!



They also explain that in the next couple of versions they will be working to
fix security problems like hijacking of your laptop - so, y'know, if this
issue has not been addressed in this version then, hey, apparently our
generous assumption earlier was inaccurate.

They *can't* be claiming that they secure the system against local attacks,
leaving *only* that these hackers are breaking the SSL/TLS protocol.  Oh,
well...


Their public don't help, either.  The top hits contain claims like this:

    As you know, break-ins money can through hypnosis, ATM card fraud, and
    phishing. Phishing is a cunning technique to obtain sensitive information
    while transacting through Internet Banking. They stole your information
    such as the username, password, credit card numbers and so on-depending on
    the form of phising

I know that one of my huge security concerns, which a secure web browser could
help with, is that I might be subject to hypnosis or ATM card fraud!  Those
damn hackers and their hypnotic virus powers!


So, MRP: this looks convincingly like something that is at best snake-oil, and
at worst outright fraud.  Care to respond?

Daniel


> Try XecureBrowser, it's a browser design for ibank transaction,
> protect from ssl injection or anything which relate with ibank crime
> type.
>
> regards,
> mrp
>
> On 11/10/10, Jeremy Visser  wrote:
>> Jim Donovan said:
>>> Commonwealth opens extra windows but only logs off in one of them;
>>> you have to close the others by hand. Not that they will work after
>>> logoff but it's lousy security.
>>
>> I don't know what browser you use, but in Chromium I just typed
>> 'netbank.com.au', logged in, and not a single browser window was opened.
>> The NetBank interface just opened in the same browser window.
>>
>>
>
>
> -- 
> Linkedin : http://id.linkedin.com/in/mrpbpp
> PGP ID : 0xDC3A483A
> PGP Fingerprint : FCBE 697C 3C47 89D2 C28F  6C94 E607 7E99 DC3A 483A
> See http://www.keyserver.net or any PGP keyserver for public key
>
> "Never Trust an Operating System You don't have the Source for..."
> "Closed Source for device Driver are ILLEGAL and not Ethical... act!"
> "Isn't it, MS Windows a real multitasking OS?, Why? 'Cause It can boot and
> crash simultaneously!"

-- 
✣ Daniel Pittman✉ dan...@rimspace.net☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-10 Thread Voytek Eymont

On Thu, November 11, 2010 11:05 am, Daniel Pittman wrote:

> I know that one of my huge security concerns, which a secure web browser
> could help with, is that I might be subject to hypnosis or ATM card fraud!
> Those
> damn hackers and their hypnotic virus powers!
>
>
> So, MRP: this looks convincingly like something that is at best
> snake-oil, and at worst outright fraud.  Care to respond?

Daniel, did you see the story from the US where an older (and apparently very
wealthy) PC owner paid USD6m over 6 years ?

http://www.nytimes.com/2010/11/09/nyregion/09fraud.html?_r=1


--
Mr. Davidson worried that the music he had composed and saved on the
computer could be lost. The owner of the shop, Vickram Bedi, 36, confirmed
that there was a virus on Mr. Davidson’s computer, a virus Mr. Bedi said
was so troublesome that it had also damaged the shop’s computers,
officials said.

That was only the beginning. Over time, prosecutors said, Mr. Bedi told
Mr. Davidson about an elaborate international conspiracy that had attacked
Mr. Davidson’s computer and was threatening Mr. Davidson and his family.
The conspiracy allegedly involved a mysterious hard drive in a remote
village of Honduras and a plot to infiltrate the United States government
by Polish priests linked to Opus Dei. Mr. Bedi persuaded Mr. Davidson to
pay the computer shop not only for data retrieval, but for personal
protection, the authorities said.

It was, of course, a fraud, officials said. For more than six years, the
computer shop, Datalink Computer Products, regularly charged Mr.
Davidson’s credit card accounts. The charges totaled more than $6 million,
according to the office of the Westchester County district attorney, Janet
DiFiore.
--


-- 
Voytek



Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-10 Thread peter
I don't know about the XecureBrowser itself, but secure browser
operating systems are a huge research area at present.  SSL *has* been
cracked --- there're a couple of known timing and man-in-the-middle
attacks --- but if you use good keys, and disable attacking sites
(they'd be pretty obvious: see the paper
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf for the classic
explanation of one such attack -- there are a couple more) you should
be safe for now.

For secure browsers, see the recent paper on the Illinois browser
operating system:
http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf

Peter C


Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-10 Thread Erik de Castro Lopo
Daniel Pittman wrote:

> Mada R Perdhana  writes:
> 
> How interesting.  It looks pretty much like snake-oil, a scam intended to
> scare folks who don't know much about security, to me.

I agree.

One thing I like to do is use Firefox's profile manager to set up
a profile which I only use for web banking. I'm in Shelbyville
where they call firefox iceweasel and I launch my banking firefox
profile using:

/usr/bin/iceweasel -no-remote -P Banking 

If someone runs that and doesn't already have a banking profile it
will ask you to create one.

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-10 Thread Mada R Perdhana
I think it is too careless if this is just a scam, because the
developers also threw a request to the public (the information
security community) to perform tests on their application. From the
existing web (https://www.xecureit.com/xb/), we could also see that
they had an affiliation with ISACA and CISSP certification, which in
my personal opinion is too reckless to "drag" these two big names
into, since it would make a big reaction from the information security
communities. Maybe some of the security experts in here could also do
some tests with that thing, to prove whether xb is just a scam or it
really works to secure ib transactions.

anyway, again.. everything returns to the user, to determine which is
the most secure (or convenient?) way to conduct ib transactions.

regards,

On Thu, Nov 11, 2010 at 7:05 AM, Daniel Pittman  wrote:
> How interesting.  It looks pretty much like snake-oil, a scam intended to
> scare folks who don't know much about security, to me.
>
> [...]
>
> So, MRP: this looks convincingly like something that is at best snake-oil, and
> at worst outright fraud.  Care to respond?
>
>        Daniel

Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-11 Thread Scott Finneran

On 11/11/10 13:29, Erik de Castro Lopo wrote:

> One thing I like to do is use Firefox's profile manager to set up
> a profile which I only use for web banking.


Nice idea. Do you do anything special on that profile or does it just provide 
isolation?


Scott


Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-11 Thread Erik de Castro Lopo
Scott Finneran wrote:

> On 11/11/10 13:29, Erik de Castro Lopo wrote:
> 
> > One thing I like to do is use Firefox's profile manager to set up
> > a profile which I only use for web banking.
> 
> Nice idea. Do you do anything special on that profile or does it just provide 
> isolation?

The important thing about this profile is that there are no
extraneous plugins.

I also set this profile to "Never remember history", suggest
"Nothing" on the location bar in the Privacy settings and
"Never remember passwords" in the Security settings.

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)

2010-11-11 Thread Matthew Hannigan

You might even want to go as far as creating another user to run the banking
browser as. I'd trust OS-enforced separation a little more than
application-level separation.

You can use other levels of isolation as well -- e.g. selinux sandbox, VMs
(virtualbox or other) etc.

Sometimes it's all for nought though as the weakest link in the chain is people.

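The two defensive suggestions in this thread (Erik's dedicated Firefox/Iceweasel profile with no extensions, no history, no location-bar suggestions and no saved passwords, and Matthew's step up to a separate OS user) can be scripted so the hardening is applied every launch rather than clicked through once. The script below is an added example written for this thread; it is not Erik's or Matthew's own script and not part of any project. It assumes a Debian-style `/usr/bin/iceweasel` binary, a profile named `Banking` that you have already created via the profile manager, and a hypothetical local account called `banking` for the OS-level variant; the `user_pref` keys are the standard about:config names for the settings Erik describes.

```shell
#!/bin/sh
# Added example for the SLUG "Browsers for banking" thread (not Erik's or
# Matthew's code). Builds a locked-down banking profile and prints the
# launch lines for the two isolation levels discussed.

BANKING_BROWSER="${BANKING_BROWSER:-/usr/bin/iceweasel}"  # assumption: Debian name
PROFILE_NAME="${PROFILE_NAME:-Banking}"                     # profile from the thread
BANKING_USER="${BANKING_USER:-banking}"                     # hypothetical OS account

# Write a user.js into the profile directory. user.js is re-applied by the
# browser on every start, so a stray change in the preferences UI cannot
# silently undo the hardening. Returns the path written.
write_banking_userjs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/user.js" <<'EOF'
// "Never remember history": always start in private browsing mode
user_pref("browser.privatebrowsing.autostart", true);
// Location bar suggests "Nothing": no history/bookmark autocomplete
user_pref("browser.urlbar.autocomplete.enabled", false);
// "Never remember passwords"
user_pref("signon.rememberSignons", false);
// Don't keep form data either
user_pref("browser.formfill.enable", false);
EOF
    echo "$dir/user.js"
}

# Erik's point about "no extraneous plugins": count installed extensions so a
# pre-launch check can refuse to start if anything has crept into the profile.
count_extensions() {
    dir="$1"
    if [ -d "$dir/extensions" ]; then
        ls -A "$dir/extensions" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Application-level isolation: the launch line from the thread, -no-remote
# so it never attaches to an already-running default profile.
banking_browser_cmd() {
    echo "$BANKING_BROWSER -no-remote -P $PROFILE_NAME"
}

# OS-level isolation (Matthew's suggestion): run the same command as a separate
# user. The X server must first admit that local user; xhost's SI:localuser
# form grants exactly that user and nothing else.
banking_browser_as_user_cmd() {
    echo "xhost +SI:localuser:$BANKING_USER && sudo -u $BANKING_USER -H $(banking_browser_cmd)"
}

# Usage (not run automatically; uncomment to use):
# PROFILE_DIR=$(ls -d "$HOME/.mozilla/firefox/"*."$PROFILE_NAME" 2>/dev/null | head -n1)
# write_banking_userjs "$PROFILE_DIR"
# [ "$(count_extensions "$PROFILE_DIR")" -eq 0 ] || { echo "extensions present, refusing"; exit 1; }
# exec $(banking_browser_cmd)
```

The profile directory lookup relies on Firefox naming profile folders `<random>.<ProfileName>` under `~/.mozilla/firefox`; if the `Banking` profile does not exist yet, run `iceweasel -no-remote -P Banking` once as Erik describes and let it create one before applying the `user.js`.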