http://www.singe.za.net/blog/ Dominic White - .tHE pRODUCT - Security & Privacy Blog en Serendipity - http://www.s9y.org/ webmaster@singe.rucus.net webmaster@singe.rucus.net 2160 Thu, 01 Jan 1970 00:00:00 GMT http://singe.za.net/pics/links/tHEpRODUCT-blue.gif http://www.singe.za.net/blog/ 120 29 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13845 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (Alapan) There are two useful attacks - firstly a potential for a man in the middle attack, since you have access to input in cleartext, and you can intercept messages and perhaps even do a really interesting phishing site. Secondly, if you have access to a wide range of financial records, it is much easier to target victims. Sat, 04 Feb 2012 08:42:43 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13845 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/954-Why-I-think-the-Quality-Vacation-Club-is-a-Dubious-Organisation.html#c13843 http://www.singe.za.net/blog/archives/954-Why-I-think-the-Quality-Vacation-Club-is-a-Dubious-Organisation.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=954 nospam@example.com (Vivienne) If you would like to purchase my points for next to NOTHING, please do not hesitate to contact. Can never get accommodation and will never use them. Fri, 03 Feb 2012 16:36:40 +0200 http://www.singe.za.net/blog/archives/954-guid.html#c13843 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13842 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (Dominic White) I think given that places like 22seven feel they can build an entire business model out of access to your financial records alone, there is value to having access to the records alone, without the ability to transact. That said, any hacker will tell you, once you're in, it's often only a matter of time until you get all the way in. The banks haven't focused much testing on assuming basic access without OTP, that is a new test case they need to pummel a bit harder before I'll trust it. Fri, 03 Feb 2012 09:00:56 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13842 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13841 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (helium) Sure, that is true, but what I'm saying is that coming from a potential hackers' perspective, it's just not worth stealing someone's internet banking details without a means to their OTP. I would be better off stealing a CC number or carrying out a phishing attack. Fri, 03 Feb 2012 00:04:27 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13841 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13840 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (marco) The difference is that, should you experience CC fraud, you don't carry the risk. If someone skims your card at a restaurant tonight and it's used to purchased iPads in Malaysia tomorrow, you'll be refunded (subject to a few conditions such a prompt notification). With 22seven, the risk is all yours, as has been pointed out numerous times. Thu, 02 Feb 2012 21:23:30 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13840 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13839 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (helium) I don't know what all this fuss is about with 22seven or yodlee being hacked. You do realise that if you have ever given your credit card number online that it could be stored somewhere in a random database? The only difference is that with 22seven, even if you're details are comprimised, you still cannot transact without a OTP. I actually think that the biggest risk they face are from phisers posing to be 22seven, but this is the same problem that banks themselve face. Thu, 02 Feb 2012 20:44:08 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13839 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#c13838 http://www.singe.za.net/blog/archives/1045-Internet-Banking,-22seven-Security-Fallacies.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1045 nospam@example.com (Alapan) A good analysis; and I would like to add one more point. The mere fact you are giving away your credentials to another party, leaves you without the protections that are inherent in the banking system in South Africa. For example, if there is a fradulent transaction (which does not have to originated due to Yoddle/22seven), the bank can simply claim that there is no proof that their systems were compromised (and here, I am taking the wider view of "system" to include things such as POS devices, ATM scams etc) and it is due to credential sharing. Interoperability via export and import as you suggest is, IMO the only safe option. Off course that still leaves the issue of data privacy ... Thu, 02 Feb 2012 19:23:18 +0200 http://www.singe.za.net/blog/archives/1045-guid.html#c13838 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#c13836 http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1044 nospam@example.com (Dominic White) Granted, it's not easy to the common person. If someone finds grabbing the SDK hard, then they're probably not going to be writing malware for the platform. I meant "technically easy". This is the sort of thing that could get bundled into a malicious app, that with the right permissions could win. Read up on IOS jailbreaks, and you'll see the difference: https://trailofbits.files.wordpress.com/2011/08/ios-security-evaluation.pdf https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf http://pod2g-ios.blogspot.com/2012/01/details-on-corona.html https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c Compare that to say: https://media.blackhat.com/bh-ad-11/Oi/bh-ad-11-Oi-Android_Rootkit-Slides.pdf If you have root in Android you can do significantly more than in IOS. Also, getting root is harder in IOS. Fri, 27 Jan 2012 15:25:36 +0200 http://www.singe.za.net/blog/archives/1044-guid.html#c13836 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#c13835 http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1044 nospam@example.com (Allen Baranov) How is your 9 step process including downloading an SDK and connecting the phone to a PC while the phone is in debug mode be termed "0nwed so easily" ? There are a lot of hoops that have to be jumped through to get the phone rooted. And even so, this doesn't mean that the phone is available to an attacker. It just means that the phone is no longer hobbled. Mon, 23 Jan 2012 13:37:46 +0200 http://www.singe.za.net/blog/archives/1044-guid.html#c13835 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#c13833 http://www.singe.za.net/blog/archives/1044-How-to-root-a-Motorola-Atrix-4G-on-2.3.4.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1044 nospam@example.com (Craig Swan) Love all the stracraft references :) Mon, 16 Jan 2012 15:49:27 +0200 http://www.singe.za.net/blog/archives/1044-guid.html#c13833 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1042-Timesheets-Youre-doing-it-wrong.html#c13832 http://www.singe.za.net/blog/archives/1042-Timesheets-Youre-doing-it-wrong.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1042 nospam@example.com (Dominic White) Wogan, I have only ever worked for consultancies, so this isn't coming from a place apart from what you mention. Absolutely, if you sell the work to clients and an hourly basis, then timesheets end up as a necessary evil. However, there are many more ways to structure your contracts, the most obvious being on a fixed price deliverable basis (this is where the industry is going for IT projects due to overruns in what I've seen). There are also ways to you can bill by day. Either way, if the way you're selling projects to clients forces you into poor workforce management techniques, you need to fix that. You should manage your staff to produce an excellent deliverable within cost-effective timeframes, and the client should expect an excellent deliverable, not force you to manage on a per-hour basis. On to your next point, you are re-enforcing my point about timesheets used as a management technique. If your staff's use of their time is both understood and structured by a timesheet, then the manager is failing to have proper conversations with their team and instead using the timesheet as a crutch. As for your final point, using timesheets to cover-your-ass implies a wholly unhealthy culture already. The idea that you need to waste time to prevent others sniping your time into more wastage implies a manager has failed to protect their team from others, or is asking their team to engage in bad work. Sun, 08 Jan 2012 20:36:48 +0200 http://www.singe.za.net/blog/archives/1042-guid.html#c13832 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/1014-Killing-the-Evercookie.html#c13827 http://www.singe.za.net/blog/archives/1014-Killing-the-Evercookie.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=1014 nospam@example.com (al) any chance you could make a post on your recommended privacy and security setup for Firefox? i've been using about:config and a user.js file for some settings like dom.storage.enabled=false but would be cool to see an article by someone who knows this stuff well. Wed, 28 Dec 2011 21:11:54 +0200 http://www.singe.za.net/blog/archives/1014-guid.html#c13827 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/798-Telkom,-JM-Attorneys,-Meiring-Company-Inc..html#c13823 http://www.singe.za.net/blog/archives/798-Telkom,-JM-Attorneys,-Meiring-Company-Inc..html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=798 nospam@example.com (Michelle) I've just added this to www.hellopeter.com: "Health & Racquet was liqidated in 2000. Assuming your records regarding my alleged debt is accurate (which I doubt), The Prescription Act, No. 68 of 1969 covers the extinction of debts by prescription and are specifically dealt with in sections 10 to 13 of the aforesaid Act. Section 11 (d) states "save where an Act of Parliament provides otherwise, three years in respect of any other debt" So you would have had up to 2003 to collect any alleged debt. It's now 2011, nearly 2012. THIS IS LAW - WHICH AS ATTORNEY'S YOU SHOULD KNOW!!!" Let's hope everyone else who's receiving these sms's starts throwing the Law back at them too. Thu, 22 Dec 2011 12:07:33 +0200 http://www.singe.za.net/blog/archives/798-guid.html#c13823 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/954-Why-I-think-the-Quality-Vacation-Club-is-a-Dubious-Organisation.html#c13817 http://www.singe.za.net/blog/archives/954-Why-I-think-the-Quality-Vacation-Club-is-a-Dubious-Organisation.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=954 nospam@example.com (Bridgett Johnstone) I have been with QVC for approximately 15 years. Could you please advise how I can cancell as the fees are becoming too much. I am going on pension shortly and would like to cut down on my expenses. At the present moment I have 45 units with them, which in real life means 4,500 points. Mon, 12 Dec 2011 10:22:39 +0200 http://www.singe.za.net/blog/archives/954-guid.html#c13817 http://creativecommons.org/licenses/by-nc-sa/3.0/ http://www.singe.za.net/blog/archives/948-Youve-won-a-car-Scam-Carlswald-Design-Quarter.html#c13816 http://www.singe.za.net/blog/archives/948-Youve-won-a-car-Scam-Carlswald-Design-Quarter.html#comments http://www.singe.za.net/blog/wfwcomment.php?cid=948 nospam@example.com (Terry Rogan) I received exactly the same letter that you received after entering a raffle for a children's home which was held at Benmore Shopping Centre. I check that there was a fundraising number and that it was a registered charity, but this money is also obviously going into their kitty. Wed, 07 Dec 2011 13:58:16 +0200 http://www.singe.za.net/blog/archives/948-guid.html#c13816 http://creativecommons.org/licenses/by-nc-sa/3.0/