Tuesday, August 18, 2009

Web Insecurity Part Deaux (Don't...Trust It)

Trust No One
The Internet is like the Wild West. It used to be that you could protect yourself from the vast majority of malicious software and other Internet security threats by simply watching the sites you visited. Going to ‘freepiratedsoftware.com’ could very likely end up infecting or compromising your system while a site like Amazon.com, or CNN.com could be trusted.



That no longer seems to be the case.

Trusted, legitimate sites are being compromised more frequently, resulting in users unwittingly downloading malicious software and infecting their computers.

One of the most recent cases was the site of a major British music producer being compromised for a few days before the malicious software was removed.



What does that mean to you? Well, mainly it means that you can trust no one absolutely. Certainly your odds of being compromised or infected while visiting a major, legitimate web site are significantly smaller than if you were to visit a site like ‘freepiratedsoftware.com’, but the burden of watching your back and protecting your data falls on…well, you.



Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com.



Editor's Note: The fly is to the spider what credit and debit card data is to the hacker. Not coincidentally, they both use the web to capture their prey. I'm glad that word is finally starting to get out that the web cannot be trusted. Not even (sic) "trusted/legitimate" sites. Not even for a second.

What does this mean? It means that HomeATM's approach to an E-Commerce E-Cosystem was "spot on." Myriad attacks designed to steal your financial data have cropped up over the last 6 months, and flaws in browsers cannot prevent these "types" of attacks from occurring. You can focus on "detection," but you cannot prevent it.

I was going to say that  it will get worse before it gets better, but the fact is it won't get better...it'll just get worse. 

And then, one day, everyone will see what I've been espousing for 17 months on this blog. The web is not safe, and in order to conduct secure financial transactions, they MUST be done outside the browser space. Plainly and simply put, a browser cannot be secured. Not with https, SSL or even EV SSL, which was exposed as "not being spoof proof" at the recent BlackHat conference a couple of weeks back.

Has anyone else noticed that the focus has gone from "PREVENTION" to "DETECTION?" Want detection? I detect that "typing" is the "cause" and the "effect" is hacking. Eliminate TYPING and you'll eliminate the effect it has on financial fraud, because pick and pecking your credit or debit card data into a box at a merchant checkout website is exactly the "type" of behavior hackers love.
