Comment requested on proposed setup

Discussion in 'other security issues & news' started by bellyman, May 8, 2005.

Thread Status:
Not open for further replies.
  1. bellyman

    bellyman Registered Member

    Joined:
    May 7, 2005
    Posts:
    5
    Location:
    Brisbane Australia
    My main concern is Internet Banking.
    The banks have protected themselves but have left a black hole where customer security should be in order to limit their liability. In the event of a loss of any size they can then point to a lack of security by the customer.
    This is a difficult area and many people have differing views on what is the right way to lock down a system.
    Currently I have a desktop and a laptop, single port Alcatel Speed Touch ADSL modem and Zone Alarm Pro, WinASO,Spybot, SpywareBlaster, SpywareGuard.
    I intend establishing.....
    Home network behind a Linksys WAG54G Wireless Router ADSL 2/2+Modem.
    (Overkill on the modem but I want ADSL2+ when available)
    With Zone Alarm Pro this gives me hardware and software modems.
    The laptop has sensitive information...banking, private correspondence, legal papers etc.
    The two desktops have the remaining programs and files.
    My intention is to do my periodic Internet Banking and then physically disconnect the laptop from the network until the next session.
    Maybe that is unnecessary but it does slam the door and the online exposure is minimal.
    The only problem I see here is incorrect settings in either firewall.....and I am not underestimating that Black Science.
    I am hoping that this will render most of the Security program add-ons ...Port Explorer, WinPatrol, TrojanGuard et al largely unnecessary.
    Speaking off the top of my head here because my understanding is minimal, I would like to close all ports on the laptop except that required for banking access.
    Is that possible and how would I determine that?
    Could some member point me to a good source for understanding ports?
    This is a very rough draft of my take on the possibilities and any input would be welcome.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Bellyman, welcome to Wilders.

    As your post is in regards to security software, I have shifted it here where it should receive better attention.

    You may want to take a look here. As well there are discussions on security software here and even more here.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
    Last edited: May 12, 2005
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    bellyman,

    Following up on Blackspear..., are the programs that you mention in your post
    all that you currently run?

    The reason I ask is that it seems focused on dealing with adware. My personal approach, described in one of the threads given by Blackspear and, for a bare bones configuration, listed here, I actually skip adware treatment altogether and am more aggressive in handling this up front by nailing the trojan downloaders and having some form of registry/process/pre-emptive behavioral screening. This scheme does not have to involve a large number of heavy running processes, nor is it overly expensive to implement. In my own case, one of my home machines is used extensive for banking, etc., and it's on the local LAN 24/7. Absolutely no issues over the past few years, of course that machine does not see a lot of random surfing either :)

    Blue
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I think this is ideal, and I have a friend who does just that. The security is:

    1) a firewall - controls all inbound/outbound traffic

    2) FreezeX - works on White List principle: no unauthorized executable (trojan, etc) will run

    3) Deep Freeze - locks down C:\ so that if by chance something does get into the system, it is removed on reboot.

    4) All data backed up to an external USB hard drive which is stored in a different location. Passwords are stored on the external HD and not the laptop.

    We set this up about a year ago and she has been very happy with it.

    It does.

    With your rule set properly configured, you are alerted for any unauthorized inbound/outbound traffic on any port.

    Set up 2 browser rules for both HTTP (port 80) for normal web sites and HTTPS (port 443) for secure websites.

    In the HTTPS rule you enter the IP addresses for your secure sites (banking and any others where you do transactions). This prevents any pharming of those sites, for your firewall will alert if the site you have clicked on (your-bank.com) attempts to connect to an address not in your custom list.

    Plenty of good information online. Search for: protocol, TCP, UDP, port, DNS - this will get you started. Your firewall help file would be a good place to start for the basics. I am almost finished writing a rule set tutorial. If you want to send me a PM I can notify you when it is finished.

    Good success in your endeavors,

    -rich
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Bellyman: You are absolutely right about the banks. I do fraud prevention for a living, and a couple years ago I heard banks taking responsiblity for their own break-ins, but now I hear a lot of victims calling in telling me that the bank just told them they should have had better security on their home computer. Although the banks do still help, I would say that you should definitely follow the links that Blackspear posted.

    At the very least I would get ProcessGuard (which will keep things like keyloggers and worse from working), a good antivirus (NOD32 or a Kaspersky based one), firewall (Look n Stop & Outpost are both great, and allow almost no bypass), and harden your sytem as much as possible (see my sig, WWDC will also close all system ports. This is one of the most important, and most overlooked, steps IMO.) You may also want to consider something like Prevx (be sure to read the site to understand how it works) and a registry monitor (MJ's is light, WinPatrol and RegDefend are very well regarded, RegRun is great but the Gold version is a bit spendy.)

    Something like DeepFreeze, ShadowUser/ShadowSurfer, or Raxco FirstDefense are great, but no substitute for the rest, IMO, because they won't prevent keyloggers, remote access trojans, and the like from infecting you during a session, only allow you to easily remove them by ending the session/rebooting.
     
  6. bellyman

    bellyman Registered Member

    Joined:
    May 7, 2005
    Posts:
    5
    Location:
    Brisbane Australia
    Thank you all for your replies.
    I am amazed at the effort some people put into making their information available to the general readership.

     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I'm not that afraid of online banking fraud. Naive perhaps, but the online banking setup in The Netherlands feels quite secure. Best safeguard is that every transaction has to be verified by entering a one time password. Every account owner either has a calculator with smart card and pincode or a physical list with one time passwords for more than one transaction (a TAN-code list). Even sms authentication (otp via mobile phones) is possible.

    This way the current attacks (like phishing) are just not feasible in our country. Of course there's a penalty, this is quite an expensive security measure. But our banks seem to do well in this respect, cost of a bank account amount to only a few Euro's per year.
    You may hack my pc, steal my tan code list, or my calculator, you cannot get at my transactions: the use of strong authentication requires both something you know (password, pincode) and something you have (a token: a TAN code list, a calculator or a mobile phone with a predefined number). So unless I am not carefull with my knowledge, online banking is safe.

    To come back at the first post: if a bank claims that I was not carefull, they have to prove that I messed about with my password or pincode AND that I messed about with my token.
     
  8. bellyman

    bellyman Registered Member

    Joined:
    May 7, 2005
    Posts:
    5
    Location:
    Brisbane Australia
    Hi Meneer....sounds like the Netherlands have a reasonable system.
    I can only report on my patch.....Australia.....where our Banks are more intent on ripping the customer off. Having managed to lure customers to free internet banking the Commonwealth Bank recently introduced 50 cents a transaction charge. A BPay transaction is supposed to take 24 hours....but no guarantee. Recently I incurred an $85 dollar penalty for a late payment for a share transaction....the BPay was effected a day early but it took 5 days....and I incurred a fee both ends.
    I received a $183,000 telephone bill from Telstra about 4 months ago....that is NOT a misprint. Telstra thought it a big yawn....did not even post a correction.....as all agreed the amount was clearly ridiculous.
    Problem was attended to....but suppose the amount I claimed was in error was say $207.35?
    Hard to maintain a warm fuzzy feeling for computer operators and/or the system.
    On a brighter note the National Bank? are about to require a mobile phone to operate Internet Banking whereby they SMS a one time 4 letter code which you enter onscreen to complete the transaction....not certain if there is to be a fee involved for the SMS but I will accept bets.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Sometimes at my work we have to do conference calls with the customer and their bank for the bank to verify the customer's identity, and I've had more than a few of these calls result in the banker making changes to the customer's account without the customer giving anything more than the credit/debit card number and publicly available information (like name & address).. so consider yourself lucky, meneer. ;) Here in the States, your best bet is usually going with a credit union, but that's not 100% either (just like most things.)
     
    Last edited: May 12, 2005
  10. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    Here in Belgium we connect to the netbanking of our bank and enter the password,
    but before entering our accounts we've to insert a diskette from where the verification is done.
    On acceptance you can enter the netbanking. :)

    You can also put that verification on your HD, but that means a security risk. IMO

    For every transaction we've to input our password.
    Every 6 months we've to change our password and the new data is written to the diskette (with backup diskette).
    If you don't change the password within a certain time, it expires and you no longer can get access. :doubt:

    So I think this is a pretty much secure system. ;)
     
  11. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    My most recent systems don't have diskette drives, I'm too modern for belgium I suppose... (no way, you're way ahead of us with your elecronic ID card :))
     
Loading...
Thread Status:
Not open for further replies.