
September 2010

Standards and laws affecting security at IISC 2010

I was invited to participate in a panel at INTERPOL's first Information Security Conference (IISC). The panel topic was "standards and laws affecting security". Each panelist gave a short, formal presentation of a panel topic. I spoke about public-private partnerships and policies that affect security. This seems off-topic unless you are familiar with how policies developed by the ICANN community affect law enforcement efforts to combat electronic crime. My presentation considers two public-private partnerships - the Internet and ICANN - and the challenges these partnerships face. I then discuss how ICANN's multi-stakeholder policy development process and resulting policies affect law enforcement, and how law enforcement can influence policy.


The hot topics at IISC were information sharing, expanding communications channels, and creating or reinforcing relationships not only among law enforcement but between LE and the private sector. Kudos to INTERPOL and the host Hong Kong Police for adding yet another venue where folks who are struggling to find ways to improve security and reduce crime can collaborate.


Turn your old laptop into a personal bank teller

Malware - especially the drive-by trojan download kind exemplified by Zeus - causes widespread anxiety among users who want to bank online but fear identity theft. Criminals infect dozens, hundreds, perhaps thousands of web pages each day with malware, then wait for that one fateful mouse click that costs you your identity or empties your checking account. They morph malware frequently enough that antivirus software is hard pressed to protect you and your computer from the threat.

The most common recommendation you'll find to protect yourself from identity theft is the tired mantra, "don't click on suspicious hyperlinks". That's great advice, except for the small problem of knowing how to distinguish a suspicious link from a legitimate one. Smart criminals make that distinction hard for the average user, whether in phishing emails or in malicious links they inject into web sites they've compromised or host themselves.

What measures can you take to bank safely online when antimalware and antivirus measures can't keep pace and the criminals set their traps so cleverly that it's only a matter of time before you make that fatal wrong step?

For now, never use a mobile phone or device to bank online

2013 begins on the tail - or possibly, the onset - of what dozens of hysterical security vendors claim is the era of mobile malware (1, 2, 3...). A 12 year old could fill a hundred blog posts with tales of mobile malware. Immunity's Dave Aitel warned, "DO NOT use your phone to bank online or to deposit checks to your account", but in the same column, several security experts suggest ways that you can safely bank online from your mobile device.

Others may be comfortable judging that the risk of banking from a mobile device is low enough to be worth the convenience. Given the stakes, not only for personal banking but for situations where employees or government officials (think in terms of tax collectors for small municipalities) might choose convenience over risk, a prudent course is to assume that virtually any device that is used for general Internet or web use is unacceptable for banking.

Here's what I suggest.

Hire a personal bank teller

More accurately, create a personal teller using a PC/laptop that's collecting dust in the corner of your home office. Any lappie that can connect to your home network, run Windows XP and a browser will do, because you are going to configure this system to do one and only one task: open a browser window to your online banking web site so you can bank safely. By configuring this laptop so that it is used exclusively for banking, you greatly reduce the likelihood you'll fall prey to a thief.

Begin by erasing and reformatting the hard drive [1,2]. Reinstall the Windows operating system from the media that came with your PC/laptop. Connect to the Internet only long enough to run Windows Update until your version of Windows and Internet Explorer are "patch current" (and leave automatic updates on so they stay that way), but do nothing else while connected. Seriously: nothing!

Open Internet Explorer. From the Tools menu, choose Internet Options. Set your online banking web page as the home page, typing the address exactly as it appears on your bank statement or card; a single mistyped character can land you on a look-alike domain. You should then never submit or click on a URL in this browser on this laptop again. If you want to use Firefox, then open IE and type (don't search or click) "http://www.mozilla.org/en-US/firefox/new/". This is perhaps overly cautious, but it will help you establish the mindset for online banking: Trust No URL.

(If you have other computers on your home network, disable file and printer sharing and enable Windows Firewall. This isn't a full-blown mitigation strategy for hardening Windows XP; for that, you'd need to invest a bit more time. Whether your "came with" Windows OS version was XP or 7 will affect the additional effort you require, but this is a "one time" effort.)

The configuration of your personal bank teller is complete. When you launch IE, you will automatically connect to your online banking web page. Hello, personal bank teller!

Use this PC/laptop for online banking... and nothing else!

Do not install any software on this PC/laptop. Do not add this PC/laptop to a domain or workgroup. Never, ever visit any other site from this PC/laptop. Never check mail or run any other application from this laptop. If you follow these guidelines, you can bank with greater confidence that you've kept the criminals at bay.
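If you would rather apply the whole lock-down in one pass than click through the dialogs, the script below does the same four things the steps above describe: set the bank's site as the IE home page, turn off file sharing, turn on Windows Firewall and leave automatic updates enabled. It is an added example and not part of the original post. It assumes an elevated PowerShell prompt on Windows XP (with PowerShell installed) or Windows 7, and the bank URL is a placeholder you replace with the address printed on your statement.

```powershell
# Added example, not from the original post: one-shot lock-down of the
# "personal bank teller" PC. Run from an elevated PowerShell prompt.
# $BankUrl is a placeholder (an assumption): replace it with the URL printed
# on your bank statement, typed by hand, never pasted from an e-mail.
param(
    [string]$BankUrl = "https://www.example-bank.com/"
)

$ErrorActionPreference = "Stop"

# 1. Internet Explorer opens only the bank's site. Same setting as
#    Tools > Internet Options > Home page, written for the current user.
$ieMain = "HKCU:\Software\Microsoft\Internet Explorer\Main"
Set-ItemProperty -Path $ieMain -Name "Start Page" -Value $BankUrl

# 2. File and printer sharing off: stop and disable the Server service
#    (LanmanServer) and Computer Browser. With no share host running,
#    other machines on the home LAN cannot reach this box's file system.
foreach ($svc in "LanmanServer", "Browser") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        if ($s.Status -eq "Running") { Stop-Service -Name $svc -Force }
        Set-Service -Name $svc -StartupType Disabled
    }
}

# 3. Windows Firewall on for every profile. Vista/7 use "advfirewall";
#    XP SP2/SP3 only understand the older "netsh firewall" syntax.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -ge 6) {
    netsh advfirewall set allprofiles state on | Out-Null
} else {
    netsh firewall set opmode mode=ENABLE | Out-Null
}

# 4. Stay patch-current without ever browsing to get updates:
#    AUOptions 4 = download and install updates automatically.
$au = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name "AUOptions" -Value 4 -Type DWord

# 5. Read the end state back so you can check each setting took effect.
"Home page      : " + (Get-ItemProperty $ieMain)."Start Page"
"Server service : " + (Get-Service LanmanServer).Status
"Auto updates   : AUOptions=" + (Get-ItemProperty $au).AUOptions
if ($osVersion.Major -ge 6) { netsh advfirewall show allprofiles state }
else { netsh firewall show state }
```

Run it once after the fresh install and the Windows Update pass; the read-back at the end is the check that the home page, sharing, firewall and update settings are what you intended. Everything else in the post still applies: no other software, no mail, no other sites.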

If you don't have the OEM disks or a spare copy of Windows to install, try a Linux OS and use Firefox [3,4]. The installation for most Linux OSs is straightforward. More importantly, if you are familiar with Firefox, you really don't have to know anything about Linux, as you are only going to use a browser that's familiar to you. The icon's the same, the UI is very similar, and seriously, this alternative is not nearly as intimidating as you imagine.

Before you scoff at this suggestion, weigh the cost of investing 30 minutes to create a personal bank teller from deprecated hardware against the threat of identity theft. As a side benefit, by using the lappie rather than junking it, you're thinking green.

[Note that while I focus on Windows here, Mac users are not impervious to phishing and identity theft and can build a personal teller in a similar manner.]