Banks and othe major institutions

Discussion in 'other anti-malware software' started by toploader, Aug 23, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    do you ever wonder what the big players are running on their machines to stop viruses, trojans, keyloggers and other spyware? is their security software any better than ours or are they wide open?

    these guys have got to get it right every day or they stand to lose hundreds of millions (of our money)

    do you trust your bank to keep your money secure? is your bank account safe from cybertheft? or is the internet making banking too risky?

    this link has already been posted but it makes sobering reading....
    http://news.com.com/ID theft ring hits 50 banks, firm says/2100-7349_3-5823591.html
     
  2. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    After 17 years of Consulting, I have noticed most large Banks use nothing but Anti-Virus on their desktops. Spyware and things of that nature are blocked at the firewall, or filtered out on the Exchange server etc. The only time a desktop tool is used is when the one slipped by due to an outdated engine or dat file.
     
  3. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    WHich suggests that the sysadmins who look after bank systems are completely up to date and totally on the ball. Otherwise, heaven help us all. If the banks and other major institutions can't protect their data, which is mostly our data, then we're all doomed.

    And people wonder why loads of folks in IT are opposed to ID cards... It's not the cards per se that we're opposed to, but the database that supports the cards that we're extremely anxious about. [shudder]
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Trekk - i hope their firewalls are good :D

    in this instance i guess i'm more concerned with their mainframes (which is where i presume they keep the account details we access when we log on)

    i remember reading an article (last year i think) where hackers were extorting money from banks by threatening to reveal that bank security is useless - i wonder if the banks have got their act together or are paying hush money.

    let's face it if the bank's are getting hit and money is being stolen then they are unlikely to tell us cos it would cause serious confidence issues.
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    you have more faith in the banks than i do ricky

    i agree on id cards, the last thing i want is a government database with all my personal details on it - identity theft is a big enough problem already.

    http://today.reuters.com/news/NewsA..._SCH354560_RTRIDST_0_USREPORT-AIRFORCE-DC.XML
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    About 6months ago, when I looked up the term 'Intrusion Prevention System', it mostly came back with Enterprise IPS's...many of which were selling for well over the $100,000 mark.

    The firewalls were part of that IPS
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i wonder if they do free versions? :D
     
  8. Rushed4Time

    Rushed4Time Registered Member

    Joined:
    Aug 3, 2005
    Posts:
    13
    I have two relatives that work at the same large office in the corporate building for a HUGE bank (huge here, anyway).

    I was less than impressed last week when they casually mentioned about how "something pretty bad" had brought their ENTIRE computer system to a screeching halt for the better part of a day.

    Even less impressed when I realized it's my bank!

    Thinking I'll start stocking up on those Visa Gift cards - I'd rather risk losing a little more cash and lessen my chances of losing it all when my identity is stolen. Though I'm making myself safter by blowing through my credit buying fancy computer stuff. Then they won't bother with me, I've got it all maxed out on fancy computer goodies!
     
  9. Rushed4Time

    Rushed4Time Registered Member

    Joined:
    Aug 3, 2005
    Posts:
    13
    Hmm, sounds like the perfect compliment to ShadowUser...as in those two would be ALL anyone would need!

    wondering if a bunch of us got a collection and paid for one, would they let oh, say 1,000 of us use the same version! LOL
     
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Rushed, yeah banks are like ducks - they glide across the water serenely but underneath they are paddling like mad - i don't even want to think how many hackers are looking at my bank details right now.

    ideally one should have a zero overdraft limit so that any unauthorised withdrawal will be refused and no more than 1$ in the account at any one time.

    keep all your money in a moneybelt wrapped round a rotweiler :D
     
  11. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    Host Based IPS is actually what I am working on this very moment. I am working as a consultant for a large automobile manufacturer and they are looking at products that cost in excess of 200k to safegaurd against this problem. I can also tell you companies that utilize mainframe systems almost always keep them on a seperate segment of the network behind internal firewalls using only IP to communicate with them.

    Trekk
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    With Windows XP's open implementation of the TCP/IP stack (as compared with its closed Win9x version), you could craft IP packets to "hack" into any network anywhere, given the right information. What many people do not seem to understand is that, if the "right" person can access it remotely, then anyone posing as the "right" person, can access it remotely too. XP gives them the wherewithal to do exactly that, given the required information.

    We should not give remote access to anything that is that mission critical. Someone, somewhere, has to go into a REAL vault, which is protected by IRIS scanners and DNA profilers. Mind you, if the film "Gattaca" ( http://www.amazon.com/exec/obidos/t...1/102-1591233-3608940?v=glance&s=dvd&n=507846 ) is anything to go by, even that wouldn't be enough!

    On a related matter, I am of the mind that is for an international DNA database to be set up, and all human beings' details entered. Most crimes would become much easier to solve, but I think present-day corrupt politicians would not like that very much! You wouldn't need ID cards, just a pin prick to ID your blood's DNA. You would experience a tiny "yowch" as you go into your office each morning!
     
  13. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    We use smart cards and a new PKI :) When utilized with a passcode, the two prove to be quite safe against unauthorized entry.
     
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the feedback Trekk
    i do hope their computer is more secure than the US Military :D

    i am posting the text of a link cos it won't let me link to it

    Daily Telegraph
    US army computers 'shut down by hacker'
    By Catriona Davies
    (Filed: 28/07/2005)

    A Briton facing extradition to America for perpetrating "the biggest computer hack of all time" left a message criticising American foreign policy on an army computer, a court heard yesterday. Gary McKinnon, 39, is accused of accessing 97 US government computers, causing damage estimated at $700,000 (£370,000).

    An extradition hearing at Bow Street magistrates' court was told that McKinnon, of Wood Green, north London, deleted files that shut down more than 2,000 computers in the US army's military district of Washington for 24 hours "significantly disrupting governmental function". It was claimed he left a note on an army computer in 2002 saying US foreign policy was "akin to government-sponsored terrorism". The note allegedly said: "It was not a mistake that there was a huge security stand down on September 11 last year. I am Solo. I will continue to disrupt at the highest levels."

    McKinnon is accused of 20 counts relating to the American army, navy and air force, Nasa and the Department of Defence. One allegation is that he deleted files and logs from computers at the US Naval Weapons Station Earle at a critical time after the Twin Towers attacks, rendering the base's network of 300 computers inoperable.

    Mark Summers, for the American government, said: "The defendant was acting from his own computer in London. He effectively owned those computers by virtue of the software he had transmitted. His conduct was intentional and calculated to influence and affect the US government by intimidation and coercion."

    It is also alleged that McKinnon obtained secret passwords or information which might become "indirectly useful to an enemy", and interfered with maritime navigation facilities in New Jersey. When McKinnon was indicted, Paul McNulty, the US attorney for the Eastern District of Virginia, said: "Mr McKinnon is charged with the biggest computer hack of all time."

    The hearing was adjourned until Oct 18.
     
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707

    a little prick is a big assault as far as i'm concerned Graphic - no one gets my bodily fluids - all someone has to do is get a couple of my skin cells and before you know it they have multiplied them in a culture dish and scattered them all over a scene of crime - and muggings takes the rap - but your honour i was no where near MegaBank - but you were Toploader - see we have your DNA prints all over the place - take him down - 50 years!!
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    It's worse than that, Toploader. They'll be able to correlate your whereabouts using a GPS tracking device implanted into your body. So, they'll be able to prove in court that the DNA evidence may have been planted, unless someone had cloned you. Then, it would be very difficult to say you didn't do the crime because of a GPS alibi, since your clone did it, and there was no way of telling if you were your clone or the "real McCoy". In fact, they couldn't even tell who was in court in front of them at that time. Jeez, my head is already reeling! :eek: o_O ;)

    As soon as cloning becomes a reality (and we're not that far off), the repercussions in terms of criminality are too much to consider! Let me off the planet, please!
     
  17. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i was thinking of setting up a clone agency graphic - you get a guy who wants to expand his business from one store to say twenty. now he can either pay 19 more managers to run his other stores or he can come to me and i will clone off 19 copies of him to run the stores - that way it all remains in the "family" - i could clone off an extra copy of him to manage his own store while he sits on a yacht in the Carribean entertaining a bevy of "swimsuit models" (who could also be cloned) talking to his clone managers via satellite phone.

    an extra copy of him could be lying in cold pac for spare parts

    the future is gonna get complicated :D
     
    Last edited: Aug 25, 2005
  18. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio

    They arent hack proof, you just dont hear about the ones that get in. The only way to be 100 percent hack proof, is to unplug, lock your system in a vault, and bury it a few thousand feet underground. Even then, some lil rich kid hacker with parental financing will find a way into it ?:)


    Trekk
     
  19. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    The link to the US hack story is http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2005/07/28/nhack28.xml and I am surprised that this wasn't more widely reported. It is described as the biggest hack of all time. The trial continues on October 18th. If Gary can do this, then internet banking is definitely a non-starter - period. It seems that, no matter how hard M$ try to patch up their server products, they are always vulnerable to yet another piece of ingenuity. It must be something intrinsic to the design of their systems.

    The same is true of Linux - flawed by design. My first ever taste of Unix showed me how to inject an application into a remote workstation's workspace, so that it appeared on their screen as a running process. They thought that this was impressive and "good". I thought that this was foolish and dangerous.

    Apple macs never had much trouble from hackers, until Mac OSX came out. Now I get advisories from Secunia and CERT, citing, amongst others, Apple loopholes. Duuurrrr, I wonder why...

    P.S. Thanks for staying on this one, Toploader. :cool:
     
  20. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    People will always try to hack into unhackable systems. If it was written by a human, it can be cracked by a human. There is always someone smarter out there :)
     
  21. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    There's a great interview with Gary here
     
    Last edited by a moderator: Dec 20, 2005
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    TCP/IP is an open standard, so any implementation of it is going to be open to some extent. However Win9x's implementation had some major flaws (Ping of Death, Smurf attacks anyone?) so it can hardly be said to be an improvement on WinNT/2K/XP.

    As for "hacking" (by which I presume you mean gaining unauthorised access, rather than just trying a Denial-of-Service attack), most methods involve exploiting vulnerabilities within applications, not TCP/IP itself.

    In my view, a technically-aware user is going to have a far higher level of security on their PC that the vast majority of institutions because (a) they don't have to restrict themselves to solutions which offer centralised installation/configuration/reporting and (b) they don't have to leave their PC open to any central management or monitoring tools (while often used for security, they can themselves present a serious vulnerability if compromised by an attacker).
     
  23. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, toploader

    Why not, the have used worse.

    Considering who they used to the build the "Defence" [re:September 03_39]


    Take Care,
    TheQuest :cool:
     
  24. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    People are mostly afraid to employ hackers. If you dont understand what they are doing, how can you be sure they arent doing it to you?
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    The computers really belong in a secure private network.
     
    Last edited by a moderator: Dec 20, 2005
Loading...
Thread Status:
Not open for further replies.