How safe are websites that require credit card info?

For some of it sure. For more it is a matter of proving that something can be done. Recently it is about building distributed systems (botnets) to do some task that is not legitimate. Also much is now about direct financial assaults, and distributed denial of service attacks.

?-)

Reply to
josephkk

Too simplistic. Once everybody accepts fraud occurred, that's the answer, but...

Try to get an answer to this question: "is it up to the bank to prove there wasn't fraud, or is it up to me to prove there was fraud?".

If you get an answer from a bank, we would all like to know.

Reply to
Tom Gardner

Precisely, and I use LPS for that reason.

The next issue is attacking via DNS, e.g. by changing the selected DNS server, or by other methods. Difficult to detect and impossible for a mortal user to correct.

Reply to
Tom Gardner

Yes, as soon as someone has possession of the computer, it's game over.

Details are sparse in the VirtualBox documentation, but other vm sites give a fairly complete picture of what is happening.

When you are running a browser and an editor, the keystrokes and mouse clicks intended for the browser do not go to the editor and vice-versa, otherwise the system would be in complete chaos.

Virtual mode is similar but much more complex. When VirtualBox loads a vm, it takes over the keyboard and mouse, most interrupts, and a whole pile of other functions in the host. It is aided by special functions in the cpu that assist virtualization. The result is vm's are completely isolated from each other and from the host. They have their own memory that is completely separate, their own virtual keyboard and mouse, their own graphics and audio, their own disk access, and so on.

The result is I can be copying multi-gigabyte files over the LAN to the backup computer in Ubuntu, downloading a gigabyte file in the main browsing vm, routing a pcb in another vm, and paying bills in the banking vm. These operations are all completely separate from each other and appear to be happening simultaneously.

If a keylogger managed to get installed in Ubuntu, it would only respond to the keyboard when Ubuntu has the focus. When the banking vm has the focus, Ubuntu does not see any keystrokes. For example, I have a number of hotkeys in Ubuntu. When a vm has the focus, none of them work.

The passwords are long random strings from Steve Gibson's Ultra High Security Password Generator:

formatting link

They are downloaded in the browsing vm, then copied to the Ubuntu Desktop and from there directly into the Sticky password window via cut and paste. The usernames are transferred the same way.

I'm fairly certain there is no way a keylogger could get installed in the banking vm. It is completely isolated from the rest of the vm's and never goes to any other site except the financial ones.

I do not use AV programs since they are not reliable. Instead, I use the System File Checker from Win98. This is completely different from the later versions and allows you to check for new or deleted files or files that have been changed anywhere on the disk. I also use the Rootkit Revealer utilities from Sysinternals and other sources. These verify that no changes have been made to the system since it was installed.

It would take an immense effort to try. They are not stupid to waste their time for a negligible number of victims. They will go after the hundreds of millions of easy victims who never update their computers or servers.

That was my first choice, but the bank computer lumps all accounts that have the same name and address into one block so they are all visible when you log on. So I asked if they could block an account instead, and they said "Sure."

Now you can see the blocked accounts but can't do anything with them.

Reply to
Tom Swift
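The "check for new or deleted files or files that have been changed anywhere on the disk" workflow in the post above, as an added example in Python (not code from the post or from the Win98 System File Checker or Sysinternals): hash every regular file under a root on a clean install, keep that baseline where the checked system cannot write it, and diff a fresh snapshot against it later. The paths and contents in demo() are constructed.

```python
"""Baseline-and-diff file integrity check (added example, not from the posts).

Hash every regular file under a root, keep the baseline outside the
system being checked, and later classify each path as added, removed or
changed. Paths and file contents in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents; size and mtime alone are easy to fake."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest
    and size. Symlinks are skipped so a link cannot stand in for the file
    it points at."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_symlink() and p.is_file():
            snap[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": p.stat().st_size,
            }
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a dropped payload,
    a patched library and a deleted config file, and diff the two."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"original code")
        (root / "win.ini").write_text("[boot]\n")
        baseline = snapshot(root)

        # "Infection": new file, same-size-class patch to an existing DLL,
        # config removed.
        (root / "system32" / "svchost.exe").write_bytes(b"dropped payload")
        (root / "system32" / "kernel.dll").write_bytes(b"original code" + b"\x90" * 8)
        (root / "win.ini").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check only sees what the running OS reports, so a kernel-level rootkit that filters directory listings or file reads hides from it; that is why the snapshot is more trustworthy when taken from outside the checked system, for example by mounting a VM's disk image from the host or booting a live CD, and why the baseline must live where the checked system cannot overwrite it.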

We are very close to an agreement on the punishment! I was going to suggest the big 10 lb. sledge hammer then the branch lopping shears. But on second thought, I think leaving them on after the 10 lb. sledge hammer is more punishment. Mikek

Reply to
amdx

Well, you can do lookups over some longish time period, and put one of the IP addresses into your hosts file.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
Reply to
Phil Hobbs

For those who don't know about DNS attacks, please see Wikipedia's article on DNS spoofing at

formatting link

Firefox has several dozen extensions that allow you to verify the ssl certificate on a banking site has not changed.

I used to use it but it got to be a pain. Turns out banks change their certificates all the time.

You can get the ip address of a bank by entering the url here:

formatting link

Save it and compare to the ip address when you log on. They should be the same.

Reply to
Tom Swift

Correction: BEFORE you log on.

Reply to
Tom Swift

Depends on what level it was hooked in at. The Linux kernel is still managing all the USB devices under the covers, so a kernel-level hook would collect everything, ISTM.

When the banking vm has the

Ubuntu's _shell_ doesn't see any keystrokes. The kernel certainly does.

For example, I have a number

Not even the ones that bring up the shell from the VM? Or do you have to shut down the VM to get back to the shell? (Don't think so.)

And in any case, the VM is seeing only a virtualized keyboard, so some Linux kernel process has to be doing the virtualizing.

And you're sure nobody hooks the clipboard APIs? They have to be shared for that to work.

Except that it isn't, as above.

Again, one hopes. It just takes one guy somewhere, and the script is out there forever.

That's a reasonable compromise.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

That reminds me of not too long ago when I went to log in on a site to collect on a gift from my employer. It took me

3 times to get the correct site with the same exact Link.

First it was a site up for sale, one of those places that wants to sell you NAMES and web space.

Second try, same Link, it tried to get me to set up a gift for someone and collect money from me. Totally not the site I wanted but the same exact LINK!

Third time, same Link, finally got me where I was supposed to be.

I asked about it at work and they checked into it and found it also did it for them. I never did find out the end resolve but I did get my package, which is all that mattered. :)

I don't know what browser they used to check this but I was using FF when I did it.

Jamie

Reply to
Maynard A. Philbrook Jr.

  1. I am using the PS/2 interface for the keyboard, not the USB.
  2. What prevents VirtualBox from hooking in ahead of any keylogger?
  3. How did we decide a keylogger could install itself in Ubuntu when I never use it to browse the web and it is behind a NAT router with a Stateful Firewall?

And VirtualBox prevents them from going anywhere.

I'm not sure what you mean to "bring up the shell from the VM". I have to return to the Ubuntu Desktop to issue any commands from the keyboard.

I can click on the bottom status bar to open an existing program, or on any of the menu items or program icons on the top row to start a program. But VirtualBox knows where the cursor is and sends the mouse click to the appropriate destination.

That's what VirtualBox does.

The malware would have to be loaded in the vm and running. There is no way for it to get installed since the banking vm never goes anywhere except to financial sites, and I monitor carefully for any added or changed files.

The browsing vm could get infected, but there is no way for malware to cross over from the browsing vm to the banking vm. I would quickly detect it and overwrite the infected VDI files from the backup. The browsing vm has no access to the backup files so there is no way they can get infected.

The banking vm is not loaded all the time - only for brief periods when I need to pay bills or buy something. Any malware is going to have an extremely difficult time installing itself in a vm that is not running.

And how could it find out which vm I am using for banking? It is not named "Banking.vdi"

How could malware cross over from the browsing vm to the banking vm?

Any malware would have to get past Proxomitron in the browsing vm and my file monitoring procedures. Then it would have to install itself in the banking vm and again evade my procedures.

There are dozens of ubuntu installations and VirtualBox versions which would require significant effort to code for. Again, it is pointless to waste time on such an insignificant number of potential victims when there is far more money to be made in attacking the huge number of easy victims.

No criminal is going to waste his time and valuable resources trying to detect potential vm's running in VirtualBox and try to install malware to deal with such a minuscule target.

I'm sure any such attack would be well documented in the major sites. When it happens I'll post.

Reply to
Tom Swift

Irrelevant. The Linux kernel controls both.

Nothing, but OTOH nothing prevents an unpatched Windows system from remaining untouched--you just have to be sufficiently lucky. Dunno about you, but my lucky rabbit's foot isn't that good.

You do use it, unless you're rebooting another OS. You use less of it, but AFAICT you have no reason to conclude that the part you are using is invulnerable. Live CDs are pretty well bulletproof, unless the baddies have hacked the build server or the MD5 checksum on the ISO file.

VirtualBox has no control whatsoever over what happens before it gets them. A hook earlier in the chain could pwn everything you type, ISTM. (I'm not a Linux kernel hacker, of course, but AFAICT neither are you.)

But how do you do that--with a magic wand? No, you do it with the keyboard and/or mouse. My point.

But it isn't the first piece of code to see those clicks--the Linux kernel is.

You don't seem to have a very clear idea of what is actually going on. VirtualBox is software, which depends on the Linux kernel for services including keyboard, mouse, video, and network. No?

No it wouldn't, it would have to be hooked into the Linux kernel, upstream of anything VirtualBox could ever see.

We hope. Your rationale doesn't prove any such thing.

But that isn't the issue. All that has to happen is for a keylogger to get installed early enough in the chain that it sees what is passed by the kernel to VirtualBox. I don't know if this is possible, but I'm pretty sure by now that you don't know that it's impossible.

It doesn't need to.

It doesn't need to.

Nope. Just in the host system's kernel. Your procedures on the VM are irrelevant to that line of attack.

All it takes is for one guy to take it as a personal challenge, and the script is out there forever. It isn't like housebreaking, where each individual door lock has to be picked separately.

Good luck. We're really all in the same boat here--I just think your confidence may be misplaced now, and will very likely be misplaced sometime in the future. Myself, I'm far more confident that malware will never be able to corrupt a live CD. (Though I could be wrong about that too!)

Cheers

Phil Hobbs

Reply to
Phil Hobbs

they do, but it's not usually a direct path.

Nah, the host system keeps running, if Virtualbox did that the system would be in complete chaos.

No. Their virtual keyboard and mouse are slaved off the host system. anything that can capture or inject keyboard or mouse action on the host can affect the virtual system. eg: I can run a VM on machine A and connect to it using VNC from machine B, if the VM was communicating directly with the host hardware that wouldn't work.

Not entirely their own. screenshot on the host will capture the screen of the vm.

untrue. install a macro recorder and watch it continue to record events while the VM has focus. eg: "gnee"

If you want to be safe connect your keyboard directly to the VM, I think you need to focus the VM and then hold the command key while plugging it in. but, if libusb has also been compromised that won't work either..

I think you've mistaken marketing hype for technical specifications.

--
umop apisdn 


Reply to
Jasen Betts
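The point made in the last two replies (the host kernel hands VirtualBox its keystrokes, so anything on the host that reads the same input layer sees them whichever VM has focus), as an added example that is not code from any post. On a Linux host, a process running as root or in the `input` group can open `/dev/input/eventN` and read the kernel's `struct input_event` records; this script decodes such records. The sample byte stream is constructed in `sample_stream()`, the keycode table is a subset of `linux/input-event-codes.h`, and the record layout assumed is the 64-bit one.

```python
"""Decode Linux evdev records the way a host-side input sniffer would.

Added example, not from the posts. VirtualBox gets keystrokes from the
host kernel's input layer; any host process that can open
/dev/input/eventN reads the same struct input_event records, regardless
of which window or VM has focus. Sample bytes are constructed below.
"""
import struct

EV_SYN, EV_KEY = 0, 1
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2
KEY_LEFTSHIFT = 42
# Subset of linux/input-event-codes.h, enough for the sample.
KEYCODES = {2: "1", 3: "2", 28: "ENTER", 30: "a", 31: "s", 32: "d",
            33: "f", 42: "LEFTSHIFT"}

# struct input_event on 64-bit Linux: struct timeval (sec, usec) followed
# by u16 type, u16 code, s32 value. 24 bytes, no padding.
EVENT_FMT = "<qqHHi"
EVENT_SIZE = struct.calcsize(EVENT_FMT)


def encode_event(sec, usec, ev_type, code, value) -> bytes:
    """Pack one record; used only to build the constructed sample."""
    return struct.pack(EVENT_FMT, sec, usec, ev_type, code, value)


def iter_events(raw: bytes):
    """Yield (sec, usec, type, code, value) for each whole record in raw."""
    for off in range(0, len(raw) - EVENT_SIZE + 1, EVENT_SIZE):
        yield struct.unpack_from(EVENT_FMT, raw, off)


def keys_typed(raw: bytes) -> list:
    """Reduce a record stream to the keys pressed, honouring Left Shift for
    single-character keys. Unknown codes are reported as KEY_<n>."""
    out, shift = [], False
    for _sec, _usec, ev_type, code, value in iter_events(raw):
        if ev_type != EV_KEY:
            continue  # EV_SYN separators, EV_MSC scancodes, etc.
        if code == KEY_LEFTSHIFT:
            shift = value != KEY_RELEASE
            continue
        if value == KEY_PRESS:
            name = KEYCODES.get(code, f"KEY_{code}")
            out.append(name.upper() if shift and len(name) == 1 else name)
    return out


def sample_stream() -> bytes:
    """Constructed: the user types "As1" and Enter while some VM has focus."""
    seq = [
        (EV_KEY, KEY_LEFTSHIFT, KEY_PRESS), (EV_KEY, 30, KEY_PRESS),
        (EV_KEY, 30, KEY_RELEASE), (EV_KEY, KEY_LEFTSHIFT, KEY_RELEASE),
        (EV_SYN, 0, 0),
        (EV_KEY, 31, KEY_PRESS), (EV_KEY, 31, KEY_RELEASE),
        (EV_KEY, 2, KEY_PRESS), (EV_KEY, 2, KEY_RELEASE),
        (EV_KEY, 28, KEY_PRESS), (EV_KEY, 28, KEY_RELEASE),
        (EV_SYN, 0, 0),
    ]
    return b"".join(encode_event(1700000000, i * 1000, t, c, v)
                    for i, (t, c, v) in enumerate(seq))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. sudo python3 evdev_sniff.py /dev/input/event3 : live records
        with open(sys.argv[1], "rb") as dev:
            while True:
                for ev in iter_events(dev.read(EVENT_SIZE)):
                    print(ev)
    else:
        print(keys_typed(sample_stream()))
```

Both USB (`usbhid`) and PS/2 (`i8042`/`atkbd`) keyboards feed the same input core and show up as `/dev/input/event*` nodes, so a PS/2 keyboard does not take the host kernel out of the path; only a device passed straight through to the guest (the USB capture Jasen mentions) bypasses the host's event nodes, and then only for that device.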


You still haven't explained how malware can find Ubuntu, download and install itself, then get past VirtualBox to copy the logon information.

How can malware find Ubuntu in the first place? The router is the only thing that knows where it is.

When I go to security sites, the only information they have is the standard user string which I have modified, the screen size, some other miscellaneous info, and if I have Flash or Java fonts. For example, see

formatting link

There is nothing there to indicate I am running XP in a vm with Ubuntu as a host.

It has no email, LAN, or USB. Most of the Windows functions are disabled or nonexistent. It has none of the programs like Flash and others that are the main entry points for infection. In order to get infected, it has to be exposed to a source that has the malware, that can install itself without adding or changing any files.

I'd say the probability is fairly low.

You still haven't explained how a keylogger could install itself in Ubuntu.

Also, I have not seen any malware on any of the security sites that can get to a vm.

Show how a keylogger can install itself in Ubuntu.

I believe in multiple layers of defense and the effort it would take to get past them. I don't believe the process is perfect, I just think the probabilities are very low. I believe the risk is far lower than with most people that do their banking and general browsing in the same OS.

The final barrier is to limit the amount of money at risk by keeping most of the funds in blocked or secure accounts. Very few people do that.

Reply to
Tom Swift

Nope. It runs the NIC, keyboard, etc. Plus it has to install patches and do other networky things. So it could potentially pick up malware somewhere along the line that could subvert its kernel.

If you insist that your system is secure, that's fine with me. It probably is, too, but your argument doesn't prove it.

Probably so, but unless I'm suffering from galloping ear wax, you've been claiming that it's invulnerable on the level of a live CD. I seriously doubt that.

I don't have to explain--I'm not a malware writer. I don't know in any very great detail how malware installs itself on Windows either. Do you?

Again, the burden of proof isn't on me, because I'm not the one making the grand claims about his security strategy. A DDNS poisoning or MITM attack leading to a compromised update repository, perhaps.

Well, count me as one. I suspect that there are more of us than you might think.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

The NIC and keyboard are not connected to the web. Updates are through secure sites and managed by the Update Manager. The update process is highly secure. I do not download software that is not in the Synaptic Package Manager, which is a secure source.

There is no indication that Ubuntu exists on the web. It does not respond to port scans. I do not use it for browsing.

I have never said it is secure. I have only said it has low risk or a low probability of being compromised.

I have never claimed that it is invulnerable. I have only stated the probability of infection is low. I have asked you to show how a keylogger could infect Ubuntu and capture the logon information from a vm. This is a key point. If there is no infection in Ubuntu, the only remaining path is from an infected browsing vm to the banking vm. I think the probability of that happening is very low, and since I anticipate the risk in the browsing vm, I am especially alert to any possibility of infection. Since it takes only about 45 seconds to overwrite the browsing VDI, I use the backup often whenever I have the slightest suspicion that anything could be wrong.

I still ask how Ubuntu could be infected if it is not used to browse the web and does not appear in port scans or information provided by Windows.

This is a key point. If Ubuntu could be infected, then there is increased risk of compromising Windows. But if malware can't even find Ubuntu, how can it download and install a keylogger?

I am very interested to study the methods that malware uses to infect a computer. There are zillions of ways and it is to my mind impossible to prevent an infection. I focus on

  1. avoiding the conditions that can lead to an infection. This means eliminating the Microsoft, Oracle and Adobe software that is most vulnerable, such as Outlook, Acrobat, Office, Java and so on.
  2. terminate, disable or remove most Windows functions and services that are not needed, such as ActiveX, .NET, USB, LAN, etc. I have a full list of services to disable that I go through on each new installation.
  3. use a plain ascii email client. This eliminates phishing attacks and disables malware embedded in html, pdf and jpg files, and IFRAME and javascript browser captures.
  4. abandon AV software. This has proven useless against most infections.
  5. use features in Proxomitron to eliminate IFRAME attacks and other methods criminals use to download malware.
  6. use improved methods to detect new or changed files and possible rootkits.
  7. be on the alert for new methods of infection, such as storing malware in the Registry. Currently, this is impossible to detect.
  8. detect DNS poisoning by monitoring the ip address of financial sites.
  9. detect new or changed site certificates used by banks. This works but can be quite painful when banks change their certificates often.
  10. put as many roadblocks as possible to prevent infection, and to prevent the spread if it occurs.
  11. establish a secure backup procedure that is quick and painless and invulnerable to malware infections in Windows. Use it to quickly restore VDI files that have been corrupted due to a crash or software that won't uninstall.
  12. Use blocked accounts to minimize damage in the event of an infection.

I am not making grandiose claims of invulnerability. I am claiming the risks are low enough to be acceptable for everyday use.

DNS poisoning can be caught by comparing the ip address before logging on.

A MITM attack can be detected by checking the certificate of a banking site before logging on.

I would hope so. I think there needs to be more discussions on how to minimize the risk of infection, how to detect and eliminate infection once it has occurred, and how to minimize the risk to bank accounts.

Reply to
Tom Swift
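The two pre-login checks described in this post and in the earlier one (compare the bank's resolved IP address against the one saved on a known-good visit; compare the site certificate against the one saved earlier), as an added example in Python that is not code from either post. `record_baseline()` captures a trusted visit; `pre_login_check()` returns an empty list when both checks match and a list of warnings otherwise. The hostname, addresses and the byte strings standing in for DER certificates are constructed; on a real host the current values would come from the resolver and from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Pre-login DNS and certificate consistency check (added example, not
from the posts).

Pin the addresses and the SHA-256 certificate fingerprint seen on
known-good visits, then compare the current values before logging on.
Hostname, IPs and the DER stand-ins below are constructed.
"""
import hashlib
import ipaddress

# Where a tampered hosts file or poisoned resolver usually sends a bank
# name: the local machine (a proxy) or a box on the LAN.
HIJACK_RANGES = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed stand-ins for DER-encoded certificates.
GOOD_DER = b"\x30\x82\x04\x00constructed-der-for-bank.example"
ROGUE_DER = b"\x30\x82\x04\x00constructed-der-from-an-interception-proxy"


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate, the value that
    `openssl x509 -fingerprint -sha256` and browser dialogs display."""
    return hashlib.sha256(der).hexdigest()


def record_baseline(host: str, ips, der: bytes) -> dict:
    """Capture a known-good visit. Keep the result where malware in the
    browsing OS cannot edit it."""
    return {host: {"ips": sorted(set(ips)), "cert_sha256": fingerprint(der)}}


def check_resolution(host: str, observed_ips, baseline: dict) -> list:
    """Warn about answers outside the pinned set, and specifically about
    loopback/LAN answers, the signature of a local hijack."""
    known = set(baseline[host]["ips"])
    warnings = []
    for ip in observed_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in HIJACK_RANGES):
            warnings.append(f"{host} -> {ip}: local/LAN address, likely hosts-file or router hijack")
        elif ip not in known:
            warnings.append(f"{host} -> {ip}: not in pinned set {baseline[host]['ips']}")
    return warnings


def check_certificate(host: str, der: bytes, baseline: dict) -> list:
    """Warn when the presented certificate differs from the pinned one."""
    pinned = baseline[host]["cert_sha256"]
    seen = fingerprint(der)
    if seen != pinned:
        return [f"{host}: certificate fingerprint changed {pinned[:12]}.. -> {seen[:12]}.."]
    return []


def pre_login_check(host: str, observed_ips, der: bytes, baseline: dict) -> list:
    """Empty list: both checks match. Otherwise stop and investigate before
    typing a password."""
    return check_resolution(host, observed_ips, baseline) + check_certificate(host, der, baseline)


if __name__ == "__main__":
    base = record_baseline("bank.example", ["203.0.113.10", "203.0.113.11"], GOOD_DER)
    print("normal visit:", pre_login_check("bank.example", ["203.0.113.11"], GOOD_DER, base))
    for w in pre_login_check("bank.example", ["192.168.1.1"], ROGUE_DER, base):
        print("WARNING:", w)
```

Two caveats match what the posts themselves report. Banks behind a CDN or round-robin DNS legitimately answer with several addresses, so a new public address is a reason to look, not proof of poisoning, and the pinned set grows over time. Leaf certificates are replaced often, which is the pain described above; pinning the issuing CA's certificate, or the hash of the site's public key rather than the whole certificate, survives routine renewals while still catching an interception proxy, whose certificate chains to a different issuer.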

Correction: I just timed it. It takes 19 seconds to copy the browsing VDI to or from the backup.

Downloading the latest data files such as email and newsgroup postings, LTspice files, my copious notes in plain ascii, and other miscellaneous files takes only a few seconds. I use Microsoft's RoboCopy version 026 which is available on the web. It is blindingly fast.

With VirtualBox, backups are fast and easy.

And secure. There is no way that ransomware can reach the backup drive.

Reply to
Tom Swift

Have it your way. You'll probably be fine, but your argument is still full of holes.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

I wish you would point out exactly where they are so they can be fixed.

You claimed a keylogger could infect Ubuntu and capture the logon info.

  1. Ubuntu does not exist as far as the web is concerned. It does not respond to port scans. It does not show up in Panopticlick. I do not use it to browse the web. I do not use it for email or newsgroups. It is installed and updated from a secure source. It runs behind a NAT router with a stateful firewall.

How can Ubuntu be infected if it has no connection to the web and nobody can find it?

  2. Even if Ubuntu somehow got infected, it has no access to the memory in the banking vm. How can it capture the logon info?

I do admit the browsing vm is at risk for infection since it does connect to potential malware-infected sites. However, I rely on easy detection and fast repair of infected files.

  3. The banking vm is normally not running. If the browsing vm did get infected, there is no malware that can detect VirtualBox, cross over and run in Ubuntu, find that the banking vm exists, and infect it. There are so many barriers to this that the probability is near zero. If such malware were created, it would soon be on the VirtualBox forums with methods to stop it.

Where are the holes? Please give some plausible and realistic suggestions and not hypothetical issues with near-zero probability.

For example, the Live CD is not a perfect answer. You need to enter the urls to the banking sites manually. If you type them in, you are at risk for typos that can lead to malware sites. You also need to copy the urls and logon info on paper, which can be lost or stolen. If you store the information on USB, the USB stick could be lost, stolen or copied.

Also, it takes so long to load the Live CD that you would not be inclined to do it often. This reduces the chance you would log on to your accounts and notice money is missing or your credit cards have been compromised.

Nothing is perfect when software is involved. My approach offers an acceptable low risk with fast access and minimum hassle. It does not suffer from the problems with a Live CD.

I could give you the banking vdi file with instructions on how to install it in VirtualBox. That would do you no good whatsoever, since you would not know how to activate Sticky and could not access the financial sites. Obviously, I can make as many backups of the banking VDI and put them wherever I want to minimize the risk of loss.

That eliminates the major problems with a Live CD.

Reply to
Tom Swift

Once again, you just *have* to prove what a moron you really are. The average idiot is smart enough to hide it from others, rather than telling everyone on the street. Repeatedly.

Reply to
krw
