[4406] in WWW Security List Archive
RE: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Brian Toole)
Fri Feb 14 00:01:15 1997
From: Brian Toole <btoole@oakmanor.com>
To: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Thu, 13 Feb 1997 21:22:00 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
Well, Symantec thinks it has a band-aid for the symptom,
encrypt the files you don't want stolen when your system
is broken into.
http://www.pcweek.com/news/0210/13esym.html
I'm not so sure I'm comfortable with the line of reasoning
behind this marketing effort. While there is nothing wrong
with data encryption itself, arguing that this makes you
"safe" from the big bad hacker seems somewhat dubious.
This is tantamount to saying "well, I don't lock my door
because everything valuable is secured anyway", and
then being upset when someone steals the safe and burns
down the house on the way out.
Over simplification of the problem, and the resultant
false sense of security that this type of stopgap measure
provides is almost as big a risk as the hack itself (IMHO).
--Brian
> -----Original Message-----
> From: Kevin J Mcmahon
> Sent: Tuesday, February 11, 1997 9:12 AM
>
> [snip]
>
> However, there is still the larger issue of the
> fact that a piece of malicious code can be written to modify the
> system in
> any way that it chooses (at least on DOS/Win3.1, Win95, Mac etc.).
> Imagine
> a virus that re-enables Java/Javascript (and ActiveX for IE) on your
> browser, then inserts an envelope around your 'home' URL. The next
> time
> you startup your browser the home page is loaded via a hacked site
> that
> contains even more malicious software. The payload for this
> virus/trojan
> horse would be fairly small and once the hacked web site is accessed
> more
> malicious things can be done (like the Quicken hack) based on what
> applications you have running on your system.
>
> Kevin J. McMahon
> MCI Technical Security
>
