Wilders Security Forums  

#1
February 15th, 2011, 02:11 PM
JConLine
Regular Poster
Join Date: Apr 2009
Posts: 96
Password Security

I have been reading, with interest, the discussion on Tor. But most of the posters agree that private data should not be entered into web forms due to the insecurity of the exit node. So my question is what is the best way to enter login data into a web form, say PayPal?

I currently use Linux with a Linux VM and Tor with the Tor Button, but this is for browsing only. If entering login data I use a separate browser, Linux, and KeePass; I drag 'n' drop any login data. Is there a better way to handle login data?

I don't use online banking but I have a good friend who does and she currently uses XP, IE, and enters her login data by keyboard with each login. Would a Linux VM, used only for banking, be more secure than what she is now doing? How would you advise her?

Thanks,

Jim

Last edited by JConLine : February 15th, 2011 at 02:21 PM.
#2
February 15th, 2011, 03:08 PM
katio
Posts: n/a
Re: Password Security

There's no point in using a proxy if Paypal already has your credit card...
If you know what a valid EV cert looks like (more details + screenshot for PayPal: http://en.wikipedia.org/wiki/Extended_validation ), Tor exit nodes, other proxies or insecure wifi don't pose an additional risk.

About dragging and dropping passwords: This only helps against a limited set of simple local malware. Modern bank trojans and Man or "Boy in the Browser" attacks will not be thwarted. Of course those are largely targeted at Windows and browsers running under a Windows OS. A VM running within an infected system only offers limited protection. Keyloggers, screen captures etc. will obviously still work. However, in such an environment copying and pasting passwords instead of typing them does make a difference.

I'd advise her to use a live cd for online banking. It's easier and more secure but she needs to reboot her computer.
#3
February 15th, 2011, 08:29 PM
JConLine
Regular Poster
Join Date: Apr 2009
Posts: 96
Re: Password Security

If I may ask, what would be your login strategy for PayPal?

Jim
#4
February 15th, 2011, 08:40 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Password Security

Quote:
Originally Posted by katio
I'd advise her to use a live cd for online banking.

One such live cd is Lightweight Portable Security.
#5
February 15th, 2011, 09:44 PM
katio
Posts: n/a
Re: Password Security

Quote:
Originally Posted by JConLine
If I may ask, what would be your login strategy for PayPal?

Jim

Reboot into the live environment, open the browser, enter paypal.com manually, check the certificate, find that sticky note with the password I couldn't possibly remember, enter my credentials, make the transaction, log out and immediately reboot again.

One thing to keep in mind is that live CDs aren't updated that often. A few months after their release they will have serious vulnerabilities in the OS and browser!
That means you should never visit untrusted sites with it. However, not being Windows reduces the risk dramatically.
Theoretically there's the risk that someone performs a MITM, installs a keylogger and then redirects you to the real site. Being on a trusted network renders this not only improbable but pretty much impossible. It could only really work in a very targeted scenario.

The most secure option would be to keep a separate physical system where you install Linux (hardened with Apparmor/SELinux and whatever you fancy) which you keep updated and which you only use for online banking.

I don't want to alienate you. If you know a bit about security and have it configured securely, the chances that your primary OS is infected are already minuscule. Finally, let's not forget what the actual risk is we are dealing with: In most cases of online fraud you aren't liable.
#6
February 15th, 2011, 10:20 PM
JConLine
Regular Poster
Join Date: Apr 2009
Posts: 96
Re: Password Security

Thanks for the information.

It's not so much the monetary loss but the compromise of personal id info with the possibility of identity theft; then the ongoing problems that result.

I'm going to pass your advice on to my online banking friend.

Jim
#7
February 16th, 2011, 03:55 AM
Creer
Very Frequent Poster
Join Date: Jun 2008
Posts: 1,173
Re: Password Security

Quote:
Originally Posted by katio
(...)
Theoretically there's the risk that someone makes a MITM, installs a keylogger and then redirects you to the real site. Being on a trusted network renders this not only improbable but pretty much impossible. It could only really work in a very targeted scenario.
(...)

I think it's also worth mentioning that in the latest IE9 RC browser MS takes care of mixed content on websites:
http://ie.microsoft.com/testdrive/Br...t/Default.html
#8
February 16th, 2011, 09:25 AM
katio
Posts: n/a
Re: Password Security

Quote:
Originally Posted by Creer
I think it's also worth to mention that in latest IE9 RC browser MS takes care about mixed content on the websites:
http://ie.microsoft.com/testdrive/Br...t/Default.html

The message you have entered is too short. Please lengthen your message to at least 5 characters.
Attached thumbnails: 2.PNG, 3.PNG, 5.jpg
#9
February 16th, 2011, 11:41 AM
Creer
Very Frequent Poster
Join Date: Jun 2008
Posts: 1,173
Re: Password Security

Interesting since I don't see any "security warning" pop-up like in your case from my Firefox (3.6.13).
Below is a screen from IE9 after entering login/pass:
Attached thumbnail: ie_mitm.png

#10
February 16th, 2011, 01:00 PM
katio
Posts: n/a
Re: Password Security

Quote:
Originally Posted by Creer
Interesting since I don't see any "security warning" pop-up like in your case from my Firefox (3.6.13).
Below is a screen from IE9 after enter login/pass:

This only pops up the first time you encounter such a site unless you tick that checkbox. However, on a Live CD every reboot is like a fresh install, so you'd see that warning.

I know IE9 doesn't show it, but I honestly have no idea why the site serves you the script over https too and then tells you there's mixed content on the site. It must be a bug, or else that would be some sneaky cheating just to make their competition look bad.
But based on the track record MS has in the browser space I'm drawn to conclude the worst.

Actually the problem isn't the image but the javascript file:
http://ie.microsoft.com/testdrive/br...sPageIsEvil.js the problem is:
https://ie.microsoft.com/testdrive/b...sPageIsEvil.js works too; it's trusted because it's signed/certified.
The script references the image file over http, so a browser will complain about that too.
However, the image itself, as I've shown, is reachable over https too,
and forced https will try to fetch it over https, else it fails; if it's https you are secure...

https can't protect you against a "compromised" webserver...

That's security 101, and they can't even get it right on a demo website.
FAIL

Last edited by katio : February 16th, 2011 at 01:11 PM.
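To make the mixed-content discussion above concrete, here is an added example (not from any poster in this thread) that does what a browser's mixed-content check does for the situation katio describes: an https page pulling a script over plain http (active mixed content, since script can rewrite the page) and an image over plain http (passive), plus the "forced https" rewrite. The page, script body and URLs are constructed for the example; they are not the real test-drive site.

```python
import re
from urllib.parse import urljoin, urlparse

# Browsers treat these as "active" mixed content (can rewrite the page)
# versus "passive" (at worst the resource is swapped or observed).
ACTIVE_TAGS = {"script", "iframe", "link"}
PASSIVE_TAGS = {"img", "audio", "video"}

# Constructed sample page modelled on the thread: an https page loading a
# script and an image over http, and one image correctly over https.
PAGE_URL = "https://example.test/testdrive/Default.html"
PAGE_HTML = """
<html><body>
<script src="http://example.test/testdrive/ThisPageIsEvil.js"></script>
<img src="http://example.test/testdrive/logo.png">
<img src="https://cdn.example.test/ok.png">
</body></html>
"""
# Constructed script body: the script itself fetches an image over http.
SCRIPT_BODY = "var i = new Image(); i.src = 'http://example.test/testdrive/evil.png';"

_TAG_RE = re.compile(r'<(\w+)[^>]*\s(?:src|href)=["\']([^"\']+)["\']', re.I)

def find_mixed_content(page_url, html):
    """Return (tag, absolute_url, 'active'|'passive') for each sub-resource
    that an https page references over plain http."""
    findings = []
    if urlparse(page_url).scheme != "https":
        return findings  # mixed content only exists on a secure page
    for tag, ref in _TAG_RE.findall(html):
        tag = tag.lower()
        if tag not in ACTIVE_TAGS | PASSIVE_TAGS:
            continue  # e.g. <a href>: a link, not a sub-resource
        url = urljoin(page_url, ref)
        if urlparse(url).scheme != "http":
            continue
        findings.append((tag, url, "active" if tag in ACTIVE_TAGS else "passive"))
    return findings

def http_refs_in_script(js):
    """URLs a script loads over plain http (what the thread's .js does with its image)."""
    return re.findall(r"http://[^\s'\"]+", js)

def upgrade_to_https(url):
    """What a 'forced https' rule does: rewrite the scheme. The fetch then
    succeeds only if the host actually serves the resource over https."""
    return urlparse(url)._replace(scheme="https").geturl()

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(PAGE_URL, PAGE_HTML):
        print(f"{kind:7} <{tag}> {url} -> {upgrade_to_https(url)}")
    print("script-loaded over http:", http_refs_in_script(SCRIPT_BODY))
```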
#11
February 16th, 2011, 06:16 PM
Sadeghi85
Frequent Poster
Join Date: Dec 2009
Posts: 697
Re: Password Security

Quote:
Originally Posted by katio
I know IE9 doesn't show it but I honestly have no idea why the site serves you the script over https too and then tells you there's mixed content on the site. It must be a bug or else that would be some sneaky cheating just to make their competition look bad.
But based on the track record MS has in the browser space I'm drawn to conclude the worst

They shouldn't have put the image on the https site, but I guess that's because the https and http contents are on the same server, I'd say it was unintentional, they just didn't think about "forced https".

Quote:
Originally Posted by katio
FAIL
#12
February 16th, 2011, 08:07 PM
katio
Posts: n/a
Re: Password Security

Though I wonder what would happen if for example an EV certified site (or any for that matter) embedded content from another https domain?
I'd expect it to get flagged the same (i.e. not show the padlock/company name) but it would be nice to verify that. I'd just need a valid cert for that...