I think I need to reveal a little more about that month zero malware. In constructing my filters I go through several dozen malware samples per week. What I have noticed for the really bad stuff is they change their binaries by twiddling variable names, etcetera, every 4-8 hours up to every 2-3 days. The older sample has risen slowly to 10/40 or if you are lucky to 20/40 at the end of week one. The problem is the new sample drops it right back down to about 6/40 again. Every few weeks they don’t just twiddle variable names or change the loops or what ever. They replace the old code with entirely new code that generally drops the detection rate right back down to the cellar (0/40) again. I hope that Blade can handle it. But I have learned to be very cautious when something is posed as something that will save the world. My PAC filter will not save the world; it is just one more onion layer of securiity that is easily disabled.
The only thing that surprises me is that nobody has done it yet.

Also, any authentication that could depend on something EXTERNAL to the PC that the hacker cannot alter (time based perhaps) would also be helpful. But if it is on the PC it is like Phil Zimmerman’s Bassomatic algorithm – something that can eventually be cracked. I don’t use Bassomatic. I use TwoFish. The problem is I have almost nobody to use the OpenPGP encryption with. Instead we have Sarah Palin using a sloppily set up web-mail account with no encryption. We have President Obama with a Twitter account that some unemployed frenchman accessed. I should add one more thing – my login hint for Windows which I almost never use is “locked out”. It has nothing to do with the password.

Like or Dislike: 1  0

Law #10: Technology is not a panacea

No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.

The rest of the laws are very important as well!
http://itknowledgeexchange.techtarget.com/security-corner/10-immutable-laws-of-security

Like or Dislike: 2  0

1. A Macintosh or a Linux machine?
2. Firefox with the NoScript add-on?
3. If desired my filters but these other things come first? I must say I get a chuckle out of ClamAV pre-selecting Unix for my submissions. Other than the rootkits with their substitute ps, ls, and other system commands I just don’t see any Unix / Mac malware. It is supposedly there but every attempt I have made to get it has failed miserably except for two. There was that humorous one from when Apache was in /usr/local written in PERL. There are also those toolbars that don’t uninstall completely and leave a resident JavaScript running in Firefox. Now you know one of the things my filters prevents. I suspect Blade would say nothing about them. You have to blow away the Firefox config and start over.

I strongly suspect if the bank employee had been using either a Macintosh or Linux the way I specified we would not be reading this and there would be no need for any comments. This isn’t a chortling by me. I am sitting on Windows malware samples that NAV, Microsoft’s AV, and other AV programs can not detect. The files have an extension of “.BAD” tacked onto the end of them. Yes, I DO give them to the AV companies. But the AV companies are now too busy just taking care of the worms first. At one time they had enough time for the trojans but now they just don’t get around to most of them any more. I challenge the Blade designers with the encrypted scripts that have at most a 3/40 AV engine detection at VirusTotal (actually, it is normally ZERO) to see just how well BLADE stacks up against those encrypted scripts. Now you know why I say Firefox PLUS NoScript. The malware behind these nasty scripts is not “day zero”. It is now either “week two” or “month zero”. There is so much headed towards the AV companies that is the best they can do now. If Blade works it has to be doing something else to detect it but I think the real world use of Blade may turn up glaring security holes. Look at all of the other things that came before it that were going to save the world that have never saw the light of day.

Finally, I don’t think this bank can wait for Blade. They need something and they need it NOW! They also need it on their employee’s computers that are used from home. Note it was not the end users that caused the problem here – it was the Credit Union itself. It was an infected employee’s computer that caused the problem, not some customer.

Like or Dislike: 3  0

You wouldn’t catch a library commission with this type of shitty security.

Like or Dislike: 0  4

“Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore“

We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

Game over man! Game over! ;P

Like or Dislike: 3  0

Pete, please dont attack me on a personal basis, you mentioned “partially sighted” users not blind users and I did my best to answer as honestly and factually as possible while ignoring your sarcastic PR comment. I am the inventor of PassWindow, not a sales guy and I try to keep my opinions as impartial and factual as possible by always trying to mention other types of solutions which solve similar issues. If you believe I am wrong about a specific authentication fact please raise it, articulate your reasons and I will do you the courtesy of addressing it as honestly as I can. I think we are all here to try to solve a serious IT security problem Brian is trying to highlight and I don’t think I am wrong to raise possible solutions where relevant including my own.

You mentioned “too much automation” and I agree which is why I deliberately set out to put a simple human physical action into the authentication process to limit the automation of an electronic attack and ensure a user is present and aware by the inherent nature of the process exactly what is requesting authentication. Better risk modelling will help but like spammers the attackers do their own risk modelling and adjust their attack behaviour appropriately to evade the filters, it appears they were enacting this risk monitoring evasion technique in the article above with many smaller transfers to multiple local mules before bouncing the money overseas. Tightly controlled automated transaction monitoring also poses a new risk to the business if false positive transaction locking ends up costing the business. There is no one solution but a more comprehensive suite of solutions would go a long way to reducing the problem.

Hot debate. What do you think? 7  4