As is often the case, the comments are as valuable as the article...
http://it.slashdot.org/article.pl?sid=06/11/27/0546230&from=rss
Defeating Virtual Keyboards and Phishing Banks
Posted by Zonk on Monday November 27, @12:46AM from the sounds-like-a-full-night dept. Security IT
An anonymous reader writes "Noam Rathaus writes on the SecuriTeam Blogs how most Image Click-Me virtual keyboards schemes used by banks to fight phishing trojan horses can be easily broken, even (and especially) when encryption is used. He then discusses how screenshots of the pointer location are over-kill, and describes how to kick these security measures out of the way."
From the article: "Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered"
Geeky, very geeky
http://digg.com/programming/A_Web_Based_Operating_System_eyeOS
A Web Based Operating System - eyeOS
HoopsHo submitted by HoopsHo 16 hours 24 minutes ago (via www.eyeos.info/ )
This days I have been reading about a possible Google WebOS and came across EyeOS, a free (open source) web operating system that handles a web office, PIM, games, etc, and can be installed in any server with PHP. It entirely runs inside the browser. Can be downloaded from eyeos.org.
No comments:
Post a Comment