Secure Banking - a little German software

Discussion in 'other anti-malware software' started by testsoso, Sep 12, 2012.

Thread Status:
Not open for further replies.
  1. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    138
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    software for paranoids
     
  3. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    ...and Germans. I didn't see anything in English on that page.
     
  4. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    Then there should be plenty of interest on Wilders.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The movie is a must see for Sandboxie users, it clearly shows at 2.18 that Sandboxie is not designed to protect against keyloggers.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps you could translate that "must see" part. I know how to ask for beer and brats and where the bathroom is, but I didn't hear any mention of those necessities in that video :D

    I would like to know what the deal is.

    Sul.
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    There is no solution that provides a robust security against online banking/shopping.
    Even with a clean host, and an armada of security softs, there is no vaccine against client/server sides attacks (XSS/CSRF/MITM and co).
    For the paranoids, other made-in-Germany solutions can also be noted, like
    -G Data BankGuard http://www.gdatasoftware.co.uk/onli...op/23-private-user/1790-g-data-bankguard.html
    http://www.gdata-bankguard.com/

    -Bankix, an Ubuntu based LiveCD
    http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html

    For the rest, this kind of topic has already been covered and circumscribed on this board
    https://www.wilderssecurity.com/showthread.php?t=323371

    The most important is not the choice of the security software we use, but what kind of defense and authentication factors the Bank uses to secure the transaction.

    rgds
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, I like the offline calculator which needs your debit card as token and uses your PIN (off-line) to provide a private key. This key is hashed using the on-screen displayed (public) key to generate a second key. This key is used as a hash with the total submitted sum of money. The encryption key generated on the offline calculator is your final transaction key you have to enter on screen.

    The calculator is time bound, so when someone should capture all my data, duplicating this sequence would result in different hashes. :D and invalid confirmation key
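
    Added example, not part of the post above and not any bank's actual algorithm: a simplified model of the offline-calculator flow it describes (PIN-unlocked key, on-screen challenge, total amount, time window), with PBKDF2 and HMAC-SHA256 as stand-ins. All function names, the 60-second window, the shared-key verification on the bank side and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60  # assumed validity window of the calculator


def card_key(card_secret: bytes, pin: str) -> bytes:
    """The PIN unlocks a key tied to the card (modelled here with PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_secret, 10_000)


def confirmation_code(k1: bytes, challenge: str, total_cents: int, now: float) -> str:
    """Derive the code the user types back into the banking page."""
    # Second key: card key mixed with the challenge shown on screen.
    k2 = hmac.new(k1, challenge.encode(), hashlib.sha256).digest()
    # Bind the code to the submitted total and to the current time window.
    window = int(now) // WINDOW_SECONDS
    mac = hmac.new(k2, struct.pack(">QQ", total_cents, window), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(k1: bytes, challenge: str, total_cents: int, code: str, now: float) -> bool:
    """Bank side (assumed to hold the same key): recompute and compare."""
    expected = confirmation_code(k1, challenge, total_cents, now)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = card_key(b"constructed-card-secret", "4821")
    t0 = 1_347_700_000
    code = confirmation_code(key, "73019264", 125_00, t0)
    print("accepted in window:", bank_verify(key, "73019264", 125_00, code, t0 + 10))
    print("changed amount:    ", bank_verify(key, "73019264", 925_00, code, t0 + 10))
    print("replayed later:    ", bank_verify(key, "73019264", 125_00, code, t0 + 120))
```

    The code only covers the values fed into the calculator; a captured code fails for a different total, a different challenge or a later time window.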
     
  9. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    That's why many Sandboxie users have a separate Anti-Keylogging Application...;) :cool:
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep but a lot of SBIE users don't know it is not designed against keyloggers. They think it is the panacea for every threat. Some security 'experts' don't know either; Tzuk had to ask to remove Sandboxie from an ongoing keylogger test.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since I don't know what that video actually said about keyloggers and SBIE, let me ask.

    If a sandbox restricts processes that are allowed to run, and restricts processes allowed network access, to say the browser only, are you/it saying that does not work?

    My tests show it to work very well. Interested to know. I will assume, until proven otherwise, that the "insecure" part of this is referring to the default settings that would not prevent a keylogger, and not the fact that SBIE cannot stop keyloggers with custom settings.

    Sul.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Exactly Sul, got to go under the hood and dirty your hands, like fixing your truck
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That keylogger in the movie runs from outside the sandbox where the browser runs in.

    Since you are a SBIE expert, I believe your word for it that there is a way to configure Sandboxie kicking out programs (running outside the sandbox) which hook system table/APIs. Does it have a built-in whitelist (like anti-rootkit programs have), so it does not unhook the wrong programs from outside the sandbox?

    As far as I know Sandboxie is designed to keep things from within the sandbox reaching the real system, not the other way around.
     
    Last edited: Sep 15, 2012
  14. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    165
    The real issue here is how did the keylogger get into the system? All my internet facing applications are sandboxed and configured to run under full EMET protections (and they always run with LUA) I also have very strict file/registry access rules and rules governing which applications may connect to which IP address (I create individual update rules for each program in my firewall). If you're relying solely on Sandboxie (Or any single layer for that matter) you're doing it wrong IMHO.
     
  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    I agree with Kees' statements.
    HIPS like Sandboxie or DW, as other HIPS, are vulnerable to most client/server sides attacks/threats.

    There is no need to break the host perimeter (this could be a sandbox, a VM, a behavioural blocker, a firewall etc), because the threat vector is a language (JavaScript for instance).
    Therefore an infected or vulnerable web server site only needs to interact with the client application (browser, IM, Mail etc), which does not need it to write something on disk.

    More than 5 years ago I have already demonstrated this with DefenseWall or KAV 6.0 http://kavtest.over-blog.com/article-3557415.html
    http://security.over-blog.com/article-2945565.html
    And current threats are much more sophisticated...as a very simple info page users can take a look at the Trusteer overview http://www.trusteer.com/Solutions/man-in-the-browser-mitb

    Here again, all these secure banking solutions are not a panacea; as any security/privacy liveCD appears more interesting: choose the right bank, use hardened browser settings, encrypt sockets, use a virtual keyboard or device and do not trust any merchant/bank that is not PCI DSS certified
    https://www.pcisecuritystandards.org/
    Software as Security is a lost game.

    rgds
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very interested, but not completely understanding.

    If a system starts clean (ie. fresh install) there are two scenarios I have used very effectively.

    Scenario 1
    All browsers are set to Low IL, and all downloads go to "downloads" directory, which also has Low IL. Downloads directory is also forced into "downloads sandbox", with no outbound network comms allowed.

    Scenario 2
    All browsers are each forced into their own sandbox. Each "browser sandbox" has the simple rules which state only the browser may run, and only the browser may have network comms. All downloads go to "downloads" directory, which is forced to run in "downloads sandbox", with outbound network comms allowed.

    I think what is being said is that sandboxie does not keep host keyloggers (or whatever) from accessing the sandboxed processes. The worry is that a host keylogger could access a banking session that is sandboxed. Is that correct?

    I have never looked at this side of the equation because, quite frankly, I don't see that as a possibility, at all. Well, for me anyway. For that to happen, you have to get something onto the system. My security setup is 100% "containment". Whatever is touching the internet that could pose a risk (media player, browser, email, etc) is either restricted to Low IL or sandboxed, or both. First it must escape this containment, which I haven't seen happen in any test I have done.

    There is always the concern that a sandbox which is persistent could have keyloggers etc within it. Sensitive actions like banking IMO require a clean sandbox prior to the secure activities happening, which is quite easy to do by deleting the sandbox.

    Without the host having a keylogger, and assuming nothing can escape sandboxie, there is no issue. I assume nothing escapes sandboxie, or there would be a huge uproar about it, which I haven't seen yet.

    How does this video suppose one protects itself then? If the user of sandboxie starts with a dirty system, well, not much you can do lol. But if the user of sandboxie starts with a clean system, and always browses sandboxed and only installs apps from clean sources, how do they claim there is going to be a problem? Or, are they assuming everyone will get a host based exploit which sandboxie can't mitigate? I see the threat perhaps, but don't understand a philosophy that says "once your host is exploited you lose" because the purpose of apps like sandboxie is to not let that happen.

    It always comes down to the user. Perhaps they figure that most sandboxie users download and install what they want, on the real system. That is probably what happens for a good percentage of sandboxie users.

    I am not saying there isn't a concern. Maybe there is. I just want to understand the claim first of why sandboxie may not be as safe as presumed, and how the host is supposed to get owned.

    Sul.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I'm also puzzled as to how a keylogger poses a threat for a properly secured system. How does it install and/or execute on a whitelisted setup? For scripting threats, well, there's Firefox w/NoScript.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Last edited: Sep 16, 2012
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Correct and of course all data formats containing code, like javascript, pdf, flash, xml etc could intrude sandboxed in-session browsing. In session browsing still allows side by side intrusion (although your low rights containers or no-script like blocking make this harder to accomplish).

    I trust the off-line token calculator which calculates a public private encryption key and transaction authorisation which is used by my bank
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I wouldn't trust so much in two-factor authorization. It can be defeated with Man-in-the-browser attack.
     
  21. SecureBanking

    SecureBanking Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    17
    Hey folks,

    I just got an email, that a discussion about my software is taking place here.
    So I'd like to join and answer some questions. (if there are any)

    First of all, "Secure Banking" is not designed to replace any kind of anti-virus software.
    The majority of online-banking customers manage their transactions within the webbrowser and do not use any special boot-cds (or other environments) or any special hardware equipment, because banking via webbrowser is the fastest and easiest solution. (But gosh, truly not the safest one)
    "Secure Banking" is designed exactly for this kind of online-banking users, because the installation is very easy and the application does not need any further settings or advanced computer knowledge.

    So if you use a boot-cd + special hardware equipment, it would be quite paranoid to use this software (as already mentioned here :p). Otherwise it is the perfect addition.

    Best regards from Austria,
    Niklas

    P.S. I need to brush up my English skills. :p
     
  22. guest

    guest Guest

    Will your software and website be translated to English someday?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Three factor authorisation with out of bound transaction verification. Banking with GPO hardened/naked IE9 with no add-ons/third party allowed, all settings (like proxy and connections) unable to change by user and the obvious hardening extras (object caching protection, restrict ActiveX install, do not save encrypted to disk, check for server revocation, prevent ignoring certificate errors, etc). Using Chrome for normal browsing.

    But yes, I realise all these precautions are futile. :D
     
    Last edited: Sep 16, 2012
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would have questions. But then again, I always have questions lol.

    Seriously though, while I have a lot of trust developed in SBIE, I don't pretend the world is all rosy and bury my head in the sand. The "general" ideas floating around in this particular thread merit a more detailed conversation IMO. Note I am not out to prove anything here. I just want to know more specifics, so that I can examine my own practices and decide where possible flaws might exist.

    But so far we have a vague idea that a tool such as SBIE is not enough, and that your tool might be, etc etc. But can we be more specific? I apologize, but I am basing this off 3rd or 4th hand information, as sadly I never did learn much more than how to ask for beer in German. And to think I have quite a bit of German blood too ;)

    Sul.
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Last edited: Sep 17, 2012