Tuesday, August 2, 2011
Sony Bank?
I just read the above article about Sony eyeing the Australian market to launch an online bank. The article outlines how Sony, through its rich technological pedigree, had developed exceptional expertise in "low cost management of a branchless bank with an edge on interest and fees".
This sounds good to me. Offer me a competitive online service with greater interest and lower fees! Why not?
But wait a minute, what about the millions of user accounts that were recently compromised through an attack on their PlayStation network gaming service? How is an online gaming account different to an online banking account?
This begs the question: what will Sony offer me in the form of security to secure and protect my new account?
After the recent breaches at Sony, RSA, Lockheed Martin and even Citigroup, it is clear to see that having hope in a reputed and respected brand is no longer enough!
It's great that companies want to offer me a competitive online service (banking, trading, social networking etc), but please, please, please, please, also offer me competitive online peace of mind!
Guess who's back?
I do apologise for the hiatus, but the past year has been a crazy one! I have been flat out working with the world's premier cybercrime fighting superheroes on a coordinated approach to fighting global cybercrime!
Yes, this approach not only involves revolutionary security technologies, but also involves all other key stakeholders, including law enforcement, enterprise, media and, most importantly, the consumer! This approach looks at practically bridging the gap between what the industry is researching and developing (hey, even I don't understand most of their technical gibberish), what the bad guys are doing, what the media is relaying, what law enforcement is doing and what consumers understand of all this.
Anyways, more on this later...
So why am I back?
Well apparently some followers were suffering from withdrawal symptoms since my disappearance. Yes, I too was very surprised to learn that people were actually reading my posts! In addition, the emails clearly illustrated that people were becoming increasingly concerned with the proliferation of cybercrime. It seemed that their emails were becoming more and more dire as a deeper feeling of sombre helplessness set in.
As such, I am back to share my weird and wonderful thoughts on fighting cybercrime with the world!
So let's continue on our quest to free the world of cybercrime. Let's continue on our journey to find online peace of mind!
Wednesday, August 25, 2010
Zeus strikes once again!
http://news.cnet.com/8301-27080_3-20013246-245.html
How much more must consumers and financial institutions suffer? How much more money must we lose to these cyber criminals? How much longer will financial institutions bury their heads in the sand and reassure consumers that their banking systems are safe to use?
I get sooooooooooooooo frustrated when I see such attacks time and time again as I believe that they are easily avoidable.
How?
Three-prong approach!
1) Financial institutions must finally show the initiative to deploy security systems that not only protect their back-end systems, but also the weakest link in their security chains - the end user when they log in to their internet banking systems!
2) Users must be given access to security technologies that protect their confidential information (usernames, passwords, one-time-token passwords, personal details, bank account access) even if their computer is compromised with malware such as keyloggers, trojans, spyware etc. Such technology must be foolproof, as many users out there don't even know what a firewall is, let alone how to spot a phishing attack or how to identify code injection caused by cross-site scripting techniques.
3) There must be a coordinated approach by industry and law enforcement to raise consumer awareness, to develop systems that educate, nurture and encourage safe browsing habits, and to build greater information-sharing initiatives between industry and law enforcement to help the good guys defeat the bad guys!
Does your bank use state-of-the-art security?? So what, who cares!!!!
When was the last time you read about a bank's back-end systems being directly compromised? You never read about this, as the banks have invested huge amounts of resources in securing their back-end systems. Bank back-ends are robust and built like Sherman tanks, and the cyber criminals know that it is easier to get into the enemy's Sherman tank on the back of the unsuspecting tank driver than it is to try to break in through the many layers of solid iron and steel!
Well the same applies in the cyber world! Cyber criminals know it's much easier to ride on the back of an unsuspecting online banking user than it is to attack the bank directly. And as the above article shows, they are reaping huge "rewards" for their work.
It is not until the banks secure the weakest link (i.e., the unsuspecting internet banking user) that they can effectively protect their customers from such threats! All they really need to do is deploy a small app (a few MB in size) that can verify the security health of the user's computing device, suspend any known malware in real time and secure the transaction by locking down the session so it cannot be penetrated or intercepted by the criminals or any malware present on the device (such as the Zeus trojan).
Sounds like rocket science, but it is very simple to deploy and end users are then protected, regardless of their technical ability.
So what now?
It's about time that consumers began demanding better security services that included their computing devices in the entire security chain. Such services exist and are not expensive at all.
Also, it's about time financial institutions started thinking about the end user and taking steps to secure the end user's online identity and hard-earned cash. It's no longer good enough to simply reimburse a user for any amounts stolen by cyber criminals. STOP the theft altogether and protect the user's online identity!
PLEASE PLEASE PLEASE give us online peace of mind!
Monday, January 18, 2010
Yes, gmail is still GREAT email!
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
Although the recent attack on the Googliath of internet email, gmail, was nothing more than a few gmail accounts being compromised through “phishing scams or malware placed on the users’ computers” and not through holes in Google's security systems, it still made headlines worldwide.
How? Well think of it like this. You can have the most sophisticated traditional security systems protecting your house, but if you allow an intruder in through a window or door, then all of your traditional security systems render themselves useless in protecting you from the intruder once he’s inside your house. No traditional perimeter or network security systems (windows, doors, grilles, locks, guard dog, CCTV, door camera) can help you once you have allowed (authenticated) the intruder into your living room, right?
Well the same principle applies to our cyber world too! No matter how comprehensive your traditional perimeter or network security systems are (firewall, cryptic username/password, SMS/token authentication tools, antivirus/antispyware scanners, url/phishing filters), they are all helpless if you allow the malware (intruder) to enter into your living room (pc) through a window or door (installing/activating/authenticating the malware on your pc).
In an ideal world, there would exist another, much more sophisticated system that would be intelligent enough to protect you from yourself. A system that would be intelligent enough to automatically and instantly determine that the intruder was NOT legitimate and then kill/freeze/suspend/disable him should he manage to enter your house! Imagine that! Sounds like something from a futuristic sci-fi flick, huh? Bad guy disguised himself and bypassed CCTV, door camera, window grilles and guard dog, only to be then killed/frozen/suspended/disabled in real time by a sophisticated system as soon as he entered your house!
Well, although such systems do not exist to protect our domestic world (I am told that a shotgun is not an acceptable system), they DO exist to protect our cyber world!
Yes, that’s right! There is a system out there that still protects your online identity and confidential information in the event that you accidentally activate malware on your pc. This system will protect you from malware such as Trojans, viruses, worms and rootkits, as well as phishing/pharming and MITM/MITB attacks. This means that even if one of these nasties did manage to get onto your pc, your online identity, usernames/passwords, credentials, banking transactions etc will always remain safe and secure from the hacker.
Oh, and surprisingly this system costs much less than my monthly mobile phone recharge and is very simple to install and use. No wonder many high-profile financial institutions are rolling out this system to their online bankers free of charge.
It’s what they refer to as online peace of mind!
Friday, November 13, 2009
$100m for a few weeks worth of work? No wonder they are switching to the dark side!
http://www.eweek.com/c/a/Security/FBI-Online-Banking-Attacks-Reach-100-Million-Mark-785125/
I was just catching up on my weekly fix of cyber crime bedtime reading and I came across the above article which states that the FBI is warning mid-sized businesses, government departments and academic institutions against emerging cyber theft attacks. The article also states that in the past few weeks a total of $100m was stolen in the US alone, making one wonder what the real cost of cybercrime was on a global scale. I’d hate to think what the annual figure would amount to when one included Europe, Asia, Oceania and the rest of the Americas.
However, the thing that I found most interesting was the fact that the victims of these latest attacks were all businesses or institutions that one would imagine had solid security systems, tools and policies in place. The latest victims included mid-sized businesses, schools and even municipal government departments! That's right, the cyber crims were now targeting those with some serious savings in the bank (one would assume) and were no longer just focusing on easy-to-exploit home internet users who weren’t technically savvy or who had limited security systems in place!
Organisations of such size usually employ multiple layers of traditional security, including gateway devices (firewalls, UTMs, IDS/IPS, anti-spam devices etc), endpoint anti-virus software and even in-the-cloud filtering services (web and email malware, content etc). In addition, these security services are usually deployed and managed by technically-competent professionals or outsource partners.
So where’s the hole in these security systems?
Quite simply, they don’t secure internet-based transactions, but rather scan or filter for known threats in web-based traffic or on computer hard-drives! Yes, they are good at protecting organisations from KNOWN malware, but they fail in protecting organisations from self-induced threats, such as end users actioning phishing emails or executing sophisticated malware attached/embedded in an email/webpage (rootkits, Trojans etc). Once the user self-induces infection, then the malware will happily reside on their machine and do its nasty work undetected.
So what’s the solution?
Organisations (and anyone else using the internet for online transactions such as online trading, online shopping and online banking) should deploy transactional security services that not only scan computers for known and unknown malware, but also secure online transactions via sophisticated isolation and lockdown mechanisms. In doing so, any malware which has been self-induced by the user or which has slipped through the existing security systems will remain isolated from online transactions. Thus, even if your computer is infected, the malware will be unable to penetrate the online session or intercept information being exchanged, rendering it useless. In addition, the security solution would alert you to the fact that known malware or suspicious applications were running on your machine.
I sleep much better knowing that my family’s computers are protected with a security solution that secures internet-based transactions from attacks such as phishing, pharming, man-in-the-middle, man-in-the-browser, DNS poisoning, Trojans, spyware, adware, keyloggers and rootkits. Even better, this security service operates with all internet browsers and costs me less than a dinner-for-two at a fast food restaurant.
I call it online peace of mind.