[clug] Dangerous Dave's talk

[Scott Ferguson]

On 06/03/15 10:08, Bob Edwards wrote:
> On 06/03/15 07:54, Scott Ferguson wrote:
>> Please don't top post
>>
>>
>> On 05/03/15 23:21, Dodgy Dave wrote:
>>> I think a more engineering approach is to assess the risks (write them
>>> down), and then attempt to mitigate/cover those risks one by one,
>>> assessing them for strengths and weaknesses. Pretty boring, but quite
>>> likely to give the best outcomes in the end.
>>>
>>> For each 'solution' element, what are the risks that it covers, and how
>>> well? Are there better ways to do the same thing? Are the risks real, or
>>> just 'tin foil' material? Are they practical? At what 'cost' or level of
>>> difficulty, etc
>>
>> I think Hal has clearly indicated the problems with the VM approach, as
>> have I with the LiveCD and using an OS on a removable device.
>>
>> If you have specific points you disagree with please indicate which ones
>> and I'm happy to demonstrate my reasoning.
>>
>> I'm not sure why you prefer an "engineering" approach (or what you mean
>> by it from a "software" engineering point of view).
>>
>> IMO the proper approach is from a risk management and security
>> engineering one. From a risk management point of view it's important to
>> consider not just the "chance" of something going wrong - but the impact
>> "if" something goes wrong otherwise you run the risk of dismissing
>> possible risks as "tin foil" (ignorance based risk assessment) simply
>> because while "it might be possible" "it hasn't happened yet"*1.
>>  From a security engineering approach - minimise exposure, which has
>> already been done if only using the "device" (be it VM/chroot/removable
>> device) for banking, and, *change control* - don't do it if you can't
>> make a compelling argument in favor of the change that has been
>> thoroughly thought through (do you really need to do online banking?
>> which scripts are necessary to run on the bank site? would a debit card
>> be better than a credit card, etc).
> 
> I sometimes wonder why the (disproportionate?) interest in online
> banking vs. other online activities where rich metadata is being
> freely given to foreign-controlled entities? Is guarding online
> banking a privacy issue or a theft issue?

Good point Bob.

Both, theft and privacy. The latter (ID theft) can lead to financial losses.

I 'suspect' it's simpler for (some?) people to access the potential loss
when it's translated into money. I'd also note that some people might be
shocked at how much personal data the banks have access to - and how
widely it's distributed. e.g. Woolworth's data mining service station,
credit card, and checkout data to determine an "untapped" market on
Saturday mornings of fathers buying petrol, nappies and milk (actual
case). Also Ffffacebook's affiliation with a company that processes
loyalty programs for pharmacists, and that company combining the data
with credit card purchases. My point being that a unique key indicator
is required for personal information to be used to "invade privacy"[*1]
- and our bank accounts are a great key indicator.


[*1] I've written enough about the unrealistic expectation of privacy
once we, or our electronic agents, venture out of our homes.


> 
> If the latter, can anyone point to an instance where an Australian
> bank has not ended up re-imbursing the loss(es)? Certainly, there
> are convenience issues at play, and the story probably differs for
> a business banking breach vs. a personal banking breach, but does
> anyone know of cases where the eventual outcome was a loss to the
> customer, where the customer had taken "reasonable" steps to protect
> their online activities?

I can't give an instance of a bank not paying out - though I know of one
where it took the company several months to get the bank to refund money
lost due to a phishing scam. I do know of several people who were stung
small amounts and decided not to pursue it. There was a scam a couple of
years ago (one trick to quick weight loss - or similar) where people
"thought" there was a one-time bill of a couple of dollars but the
scammers billed every month - most people who fell for it failed to
chase the banks; and like a number of similar scams the amount debited
was too small for the police to become involved.

"Reasonable" steps to secure is not dissimilar to getting an insurance
payment for car theft - generally (from my limited knowledge of cases)
you don't have to demonstrate anything, as long as you tick the right
boxes you'll get paid. However if the bank/insurance company does query
the reimbursement/payment it can be very difficult to "prove" you did
the right thing.

> 
> Or is "online banking" simply a metaphor for a whole range of online
> activities that are desired to be kept private?

Again - in my limited experience, I strongly suspect the latter (but I'm
very cynical). Whenever I ask for an example of a compelling reason why
Australians need private (a metaphor for secret?) internet
communications they can't/won't give one. I 'can' think of a couple -
business, reading Wikileaks if you work for Defence.

> 
> cheers,
> 
> Bob Edwards.
> 
>>
>> i.e. Q. Can a VM be secured against host-based exploits? A. No.
>> Q. Is a Live CD secure against exploits? A. No (to be as secure as
>> possible it must be as updated as possible).
>>
>>
>> *1 As the bloke who jumped off the tenth floor said as he passed the
>> fifth - "so far so good".
>>
>>
>> Rather than re-invent the wheel I'd just suggest the people read Brian
>> Krebs advice.
>>
>> HTH
>>
>> Kind regards (in security solidarity).
>>
>>>
>>> DD
>>>
>>> On 05/03/15 07:37, Hal Ashburner wrote:> On 4 March 2015 at 21:43, Scott
>>> Ferguson <scott.ferguson.clug at gmail.com> wrote:
>>>>
>>>>> A live CD is better - *if* kept updated. An OS installed to a USB
>>>>> Key is
>>>>> (possibly?) not quite as secure as a Live CD, but is easier to keep
>>> updated.
>>>>>
>>>>
>>>> What about an SD card that you enable as writable only to do updates
>>>> with that big hardware switch on the side of it?
>>>>
>>>
>>>
>>>
>>> On 05/03/15 07:37, Hal Ashburner wrote:> On 4 March 2015 at 21:43, Scott
>>> Ferguson <scott.ferguson.clug at gmail.com> wrote:
>>>>
>>>>> A live CD is better - *if* kept updated. An OS installed to a USB
>>>>> Key is
>>>>> (possibly?) not quite as secure as a Live CD, but is easier to keep
>>> updated.
>>>>>
>>>>
>>>> What about an SD card that you enable as writable only to do updates
>>>> with that big hardware switch on the side of it?
>>>>
>>>
>>>
>>
>>
>> ---
>>
>> "The pure and simple truth is never pure and rarely simple" ~ some dead
>> person
>>
>