Secure Banking - a little german Software

Discussion in 'other anti-malware software' started by testsoso, Sep 12, 2012.

Thread Status:
Not open for further replies.
  1. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    137
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    software for paranoids
     
  3. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    ...and Germans. I didn't see anything in English on that page.
     
  4. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    Then there should be plenty of interest on Wilders.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The movie is a must see for Sandboxie users, it clearly shows at 2.18 that Sandboxie is not designed to protect against keyloggers.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps you could translate that "must see" part. I know how to ask for beer and brats and where the bathroom is, but I didn't hear any mention of those necessities in that video :D

    I would like to know what the deal is.

    Sul.
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    There is no solution that provides a robust security against online banking/shopping.
    Even with a clean host, and an armada of security softs, there is no vaccine against client/server sides attacks (XSS/CSRF/MITM and co).
    For the paranoids, can also be noticed other made in Germany solutions like
    -G Data BankGuard http://www.gdatasoftware.co.uk/onli...op/23-private-user/1790-g-data-bankguard.html
    http://www.gdata-bankguard.com/

    -Bankix, an Ubuntu based LiveCD
    http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html

    For the rest, this kind of toppic have already been covered and circumscribed on this board
    https://www.wilderssecurity.com/showthread.php?t=323371

    The most important is not the choice of the security software we use, but what kind of defense and authentication factors the Bank uses to secure the transaction.

    rgds
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, I like the offline calculator which needs your debit card as token and uses your pin (off-line) to provide a private key. This key is hashed using the on-screen displayed (public) key to generate a second key. This key is used as a hash with the total submitted sum of money. The encryption key generated on the offline calculator is your final transaction key you have to enter on screen.

    The calculator is time bound, so when some one should capture all my data, duplicating this sequence would result in different hashes. :D and invalid confirmation key
     
  9. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    That's why many Sandboxie users have a separate Anti-Keylogging Application...;) :cool:
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep but a lot of SBIE users don't know it is not designed against keyloggers. They think it is the panacee for every threat. Some security 'experts' also don't know either, Tzuk had to ask to remove Sandboxie from ongoing keylogger test.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since I don't know what that video actually said about keyloggers and SBIE, let me ask.

    If a sandbox restricts processes that are allowed to run, and restricts processes allowed network access, to say the browser only, are you/it saying that does not work?

    My tests show it to work very well. Interested to know. I will assume, until proven otherwise, that the "insecure" part of this is referring to the default settings that would not prevent a keylogger, and not the fact that SBIE cannot stop keyloggers with custom settings.

    Sul.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    exactly sul ,got to go under the hood and dirty your hands,like fixing you truck
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That keylogger in the movie runs from outside the sandbox where the browser runs in.

    Since you are a SBIE expert, I believe your word for it that there is a way to configure Sandboxie kicking out programs (running outside the sandbox) which hook system table/API's. Does it has a build-in whitelist (like anti-rootkit programs have), so it does not unhook the wrong programs from outside the sandbox?

    As far as I know Sandboxie is designed to keep things from within the sandbox reaching the real system, not the other way around.
     
    Last edited: Sep 15, 2012
  14. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    162
    The real issue here is how did the keylogger get into the system? All my internet facing applications are sandboxed and configured to run under full EMET protections (and they always run with LUA) I also have very strict file/registry access rules and rules governing which applications may connect to which IP address (I create individual update rules for each program in my firewall). If you're relying solely on Sandboxie (Or any single layer for that matter) you're doing it wrong IMHO.
     
  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    I am agree with Kees statements.
    HIPS like Sandboxie or DW as others HIPS are vulnerable to most client/server sides attacks/threats.

    There is no need to break the host perimeter (this could be a sandbox, a VM, a behavioural blocker, a firewall etc), because the threat vector is a language (java script for instance).
    Therefore an infected or vulnerable web server site only needs to interacts with the client application (browser, IM, Mail etc), that does not need it writes something on disk.

    More than 5 years ago i have already demonstrated this with DefenseWall or KAV 6.0 http://kavtest.over-blog.com/article-3557415.html
    http://security.over-blog.com/article-2945565.html
    And currents threats are much more sophisticated...as a very simple info page users can take a look at at Trusteer overview http://www.trusteer.com/Solutions/man-in-the-browser-mitb

    Here again, all these secure banking solutions are not a panacea; as any security/privacy liveCD appears more interesting: choose the right bank, use hardened browser settings, encrypt sockets, use a virtual keyboard or device and do not trust any merchant/bank that is not PCI DSS certified
    https://www.pcisecuritystandards.org/
    Software as Security is a lost game.

    rgds
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very interested, but not completely understanding.

    If a system starts clean (ie. fresh install) there are two scenarios I have used very effectively.

    Scenario 1
    All browsers are let to Low IL, and all downloads go to "downloads" directory, which also has Low IL. Downloads directory is also forced into "downloads sandbox", with no outbound network comms allowed.

    Scenario 2
    All browsers are each forced into thier own sandbox. Each "browser sandbox" has the simple rules which state only the browser may run, and only the browser may have network comms. All downloads go to "downloads" directory, which is forced to run in "downloads sandbox", with outbound network comms allowed.

    I think what is being said is that sandboxie does not keep host keyloggers (or whatever) from accessing the sandboxed processes. The worry is that a host keylogger could access a banking session that is sandboxed. Is that correct?

    I have never looked at this side of the equation because, quite frankly, I don't see that as a possibility, at all. Well, for me anyway. For that to happen, you have to get something onto the system. My security setup is 100% "containment". Whatever is touching the internet that could pose a risk (media player, browser, email, etc) is either restricted to Low IL or sandboxed, or both. First it must escape this containment, which I haven't seen happen in any test I have done.

    There is always the concern that a sandbox which is persistent could have keyloggers etc within it. Sensitive actions like banking IMO require a clean sandboxe prior to the secure activities happening, which is quite easy to do by deleting the sandbox.

    Without the host having a keylogger, and assuming nothing can escape sandboxie, there is no issue. I assume nothing escapes sandboxie, or there would be a huge uproar about it, which I haven't seen yet.

    How does this video suppose one protects itself then? If the user of sandboxie starts with a dirty system, well, not much you can do lol. But if the user of sandboxie starts with a clean system, and always browses sandboxed and only installs apps from clean sources, how do they claim there is going to be a problem? Or, are they assuming everyone will get a host based exploit which sandboxie can't mitigate? I see the threat perhaps, but don't understand a philosophy that says "once your host is exploited you lose" because the purpose of apps like sandboxie is to not let that happen.

    It always comes down to the user. Perhaps they figure that most sandboxie users download and install what they want, on the real system. That is probably what happens for a good percentage of sandboxie users.

    I am not saying there isn't a concern. Maybe there is. I just want to understand the claim first of why sandboxie may not be as safe as presumed, and how the host is supposed to get owned.

    Sul.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I'm also puzzled as to how a keylogger posses a threat for a properly secured system. How does it install and/or execute on a whitelisted setup? For scripting threats, well, there's Firefox w/NoScript.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Last edited: Sep 16, 2012
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Correct and of course all data formats containing code, like javascript, pdf, flash, xml etc could intrude sandboxed in-session browsing. In session browsing still allows side by side intrusion (allthough your low rights containers or no-script like blocking make this harder to accomplish).

    I trust the off-line token calculator which calculates a public private encryption key and transaction authorisation which is used by my bank
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I wouldn't trust so much in two-factor authorization. It can be defeated with Man-in-the-browser attack.
     
  21. SecureBanking

    SecureBanking Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    17
    Hey folks,

    I just got an email, that a discussion about my software is taking place here.
    So I'd like to join and answer some questions. (if there are any)

    First of all, "Secure Banking" is not designed to replace any kind of anti-virus software.
    The majority of online-banking customers manage their transactions within the webbrowser and do not use any special boot-cds (or other environments) or any special hardware equipment, because banking via webbrowser is the fastest and easiest solution. (But gosh, truly not the safest one)
    "Secure Banking" is designed exactly for this kind of online-banking users, because the installation is very easy and the application does not need any further settings or advanced computer knowledge.

    So if you use a boot-cd + special hardware equipment, it would be quite paranoid to use this software (as already mentioned here :p). Otherwise it is the perfect addition.

    Best regards from Austria,
    Niklas

    P.S. I need to brush up my English skills. :p
     
  22. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    Will be your software and website translated to English someday?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Three factor authorisation with out of bound transaction verification. Banking with GPO hardened/naked IE9 with no add-ons/third party allowed, all settings (like proxy and connections) unable to change by user and the obvious hardening extras (object caching protection, restrict active X install, do not save encrypted to disk, check for server revokation, prevent ignoring certificate errors, etc). Using Chrome for normal browsing.

    But yes, I realise all these precautions are futile. :D
     
    Last edited: Sep 16, 2012
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would have questions. But then again, I always have questions lol.

    Seriously though, while I have a lot of trust developed in SBIE, I don't pretend the world is all rosy and bury my head in the sand. The "general" ideas floating around in this particular thread merit a more detailed conversation IMO. Note I am not out to prove anything here. I just want to know more specifics, so that I can examine my own practices and decide where possible flaws might exist.

    But so far we have a vague idea that a tool such as SBIE is not enough, and that your tool might be, etc etc. But can we be more specific? I apologize, but I am basing this off 3rd or 4th hand information, as sadly I never did learn much more than how to ask for beer in german. And to think I have quite a bit of german blood too ;)

    Sul.
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Last edited: Sep 17, 2012
Loading...
Thread Status:
Not open for further replies.