Surprise
Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?
People need to give themselves a shake and stop using MS products!
Flaws in the way web applications handle encrypted session cookies might leave online banking accounts open to attack. The security risk stems from a cryptographic weakness in web applications developed using Microsoft's ASP.Net framework. ASP.Net uses the US government-approved AES encryption algorithm to secure the cookies …
Yes, so they can all migrate en masse to some other product which will then become the main focus of attention for black and white hats alike, generating a bunch of articles on the topic and leading you, presumably, to suggest everyone ditches that, too?
Good grief. Also, to be pedantic, the articles aren't "always" about MS anyway.
More silver cars are stolen than any other car, however pink cars are rarely ever stolen.
Does this mean:
A. Silver is a very common colour for a car (and pink uncommon)
B. Silver cars are more vulnerable
Of course there is also option C which is the fact that twockers don't want to be seen in a pink car, but if you let that distract you from the point of the analogy then there's really no hope for you.
Apache 2.0 has 29 open vulnerabilities, IIS 7 only has 3, what does this mean? Red top readers that don't think for themselves need not apply.
Your argument would be ok if MS crap-ware made up a majority of internet-facing servers.
But it doesn't. If you just take web servers for example, Apache is the most prevalent by far. And yet, exploits against MS's http server FAR outstrip those of Apache and indeed all other web servers combined. There are more bugs found in MS http and email servers every month than are found in all the rest in a year.
Your maths just doesn't add up. So who's the numpty here?
Face it - most MS software is the buggiest pile of steaming rubbish that has ever been made. And it seems to be getting worse by the day.
We're talking web servers here. Windows/IIS is NOT the dominant environment for web servers. The regular claims that everyone targets Windows because it has the majority install base do not apply when talking about the web. It even says in the article that it's a software setup used on 25% of web servers... though I suspect it's very slightly less than that.
If the ubiquity argument were to hold water we'd hear endless reports of serious, exploitable vulnerabilities in Unix-a-like systems running Apache - the LAMP stack in particular. They're not unheard of, true, especially when you factor in dependent libraries (like OpenSSL) or application vulnerabilities as well... but they're generally either less severe or very difficult to exploit.
> Apache 2.0 has 29 open vulnerabilities, IIS 7 only has 3, what does this mean?
It means you're good at pulling meaningless numbers out of thin air? Severity and ease of exploit on those vulns please.
"A car has 29 vulnerabilities, all of them involve breaking into it using a large sledgehammer - while another car has only 3 vulnerabilities, one of which is that there's a 50% chance of the engine exploding in a massive fireball when the ignition is started" - which car would you rather have?
I'm not saying that IS the case with Apache vs IIS - just that giving a count of vulnerabilities is meaningless sensationalism.
"A car has 29 vulnerabilities, all of them involve breaking into it using a large sledgehammer - while another car has only 3 vulnerabilities, one of which is that there's a 50% chance of the engine exploding in a massive fireball when the ignition is started" - which car would you rather have?
The correct answer is the one that isn't a Toyota
To shoot your argument down in flames, using the cunningly hidden search button up there in the top-right and entering the word 'exploit', gives me a whole bunch of articles, variously about Adobe, Apple, Facebook and Symantec, and about the same number as any of those about MS. Putting in the phrase 'Security Problems' returns, as far as I can see, a single result about MS in the first page of results, as does 'Security Issues'.
Maybe, if you did a little fact-checking before spouting off, you'd see that the perennial problem of computer security actually affects pretty much all computer software, to some degree or another. This is due to the simple facts that the same basic design and coding principles are common to most, if not all, computer languages (albeit some are better than others at preventing silly mistakes), and that human programmers are fallible.
It probably says more that although MS are a larger company (in terms of market share and in various other ways) than the likes of Apple, and Adobe, there seem to actually be roughly the same number of articles discussing security holes for all three of these companies.
Sorry to piss on your bonfire and all...
The banks continue, mistakenly, to think very highly of their on-line systems security but when it comes to undoing fraud they get offensive and accuse their clients of various misdeeds.
My bank has part of the solution. I was able, using a branch terminal, to adjust my profile to the countries my Debit Card will work in, together with disabling the ability to transfer money other than to my other accounts.
I always use portable-versions of software so the risk of using public computers is minimised. I also only transfer cash from my main account to the ATM account minutes before I access the money. It is a pity that smart-phone Apps have not been developed by banks as additional verification would be possible.
The last technique I use to identify my withdrawals is to NOT use round numbers, such as GBP1000; instead I would withdraw GBP990, habitually, whereas fraud artists usually go for the highest amounts.
Another weakness is the 'independent' ATMs - I always use a bank ATM after making sure it has no suspicious attachments to the card slot or the face of the machine.
Until banks accept they are not infallible they remain part of the fraud equation.
"online banking apps" aren't directly at risk, as this new attack won't get around SSL encryption.
Although, of course, if you can use this to access personal details for people on a non SSL website, and they share these passwords with (for example) their paypal account, then it could be a danger. But most banking sites now not only use SSL, but use card authentication devices and/or multiple passwords/pass keys to avoid just this very problem. Paypal is a bit behind the times with login security.
The "hack" requires the target system to be using AES128 in order to work effectively; I can't remember the last time I used less than 256.
Also switching the cryptographic provider to anything other than Rijndael (a number of others are supported out of the box and any cypher imaginable can be plugged in to the framework) would be of help; if they don't know the cypher they are attempting to grab the key for then the attack will fail.
That's "security by obscurity", and depending on that isn't secure at all.
I know about the "encrypted tickets", though I only use them for session identification. No real loss if someone decrypts a cookie; the really sensitive stuff I send using an AES128-encrypted message, signed with an RSA-2048 key, and the secret AES key is also encrypted with RSA-2048. So the "secure transfer" stuff is actually secure, but that's because I take an extra security step instead of using MS' "secure tickets". Meh.
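The scheme the commenter above describes (AES-128 for the message, the AES key wrapped with RSA-2048, the whole thing signed with RSA-2048) written out in Go as an added example; this is not the commenter's code and not anything from ASP.NET. It assumes AES in CBC mode with PKCS#7 padding (the mode the commenter does not name), RSA-OAEP for the key wrap and RSA-PSS for the signature, all from Go's standard library. The point it shows, which the thread only hints at, is the order of operations on receipt: the signature is verified before the ciphertext is decrypted or unpadded, so a modified message is thrown away before any padding check runs, and the "bad padding" error that the article's attack depends on never reaches an outside party.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope: AES-128 key wrapped for the recipient, IV-prefixed CBC ciphertext, sender's signature over it.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte // iv || AES-CBC(PKCS#7-padded plaintext)
	Signature  []byte
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal encrypts plaintext under a fresh AES-128 key, wraps that key for the
// recipient with RSA-OAEP and signs the ciphertext with the sender's RSA key.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	keyIV := make([]byte, 16+aes.BlockSize) // 16-byte key = AES-128, followed by a random IV
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:16], keyIV[16:]
	block, _ := aes.NewCipher(key) // key length is fixed at 16 bytes, so this cannot fail
	padded := pkcs7Pad(append([]byte{}, plaintext...), aes.BlockSize)
	ct := append([]byte{}, iv...)
	ct = append(ct, make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct[aes.BlockSize:], padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature before anything else: a modified ciphertext is rejected
// without being decrypted or unpadded, so pkcs7Unpad's error can never serve as a padding oracle.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: message rejected before decryption")
	}
	if len(env.Ciphertext) < 2*aes.BlockSize || len(env.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil || len(key) != 16 {
		return nil, errors.New("key unwrap failed")
	}
	block, _ := aes.NewCipher(key) // length checked above
	iv, body := env.Ciphertext[:aes.BlockSize], env.Ciphertext[aes.BlockSize:]
	padded := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, body)
	return pkcs7Unpad(padded, aes.BlockSize)
}

// GenerateKey makes one RSA-2048 key pair (one each for sender and recipient).
func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	sender, _ := GenerateKey()
	recipient, _ := GenerateKey()
	env, _ := Seal([]byte("constructed sample: transfer GBP 990 to savings"), sender, &recipient.PublicKey)
	pt, err := Open(env, recipient, &sender.PublicKey)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // constructed tampering: one bit of the last block flipped
	_, tamperErr := Open(env, recipient, &sender.PublicKey)
	fmt.Printf("intact: %q %v\ntampered: %v\n", pt, err, tamperErr)
}
```

Signing the ciphertext rather than the plaintext is what makes the early rejection possible: the receiver can tell a message has been altered without holding any secret but the sender's public key, and decryption only starts once that check has passed.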
The word "Oracle" (or "oracle"), as used in the context of this article relates to the cryptologic principle known as the "random oracle," which is an abstract/mathematical construct that responds in a truly random fashion to each possible input, with the constraint that if a given input is duplicated, the resulting output is also duplicated. More detailed information on cryptologic random oracles can be found on Wikipedia, here:
-- http://en.wikipedia.org/wiki/Random_oracle
More generally, an "oracle machine" is a mathematical "black box" which is used to study whether a given input to a construct will map to a given output, in an effort to learn the operational functions or behaviors contained within the construct. More detailed information on general oracle machines can also be read here:
-- http://en.wikipedia.org/wiki/Oracle_machine
Both concepts are related to decision theory:
-- http://en.wikipedia.org/wiki/Decision_problem
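The random oracle defined in the comment above, simulated in Go as an added example (not from the commenter or from Wikipedia). The usual way to realise the abstraction is "lazy sampling": the box keeps a table, draws a fresh uniformly random answer the first time it sees an input, and replays the stored answer on every repeat, which is exactly the "duplicated input, duplicated output" constraint. The 16-byte output length and the sample inputs are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// RandomOracle is the lazily sampled "black box" of the random-oracle model:
// a fresh, uniformly random output is drawn the first time an input is seen
// and the same output is returned on every later query of that input.
type RandomOracle struct {
	outLen  int
	table   map[string][]byte
	queries int // total queries, fresh and repeated
}

func NewRandomOracle(outLen int) *RandomOracle {
	return &RandomOracle{outLen: outLen, table: make(map[string][]byte)}
}

// Query returns the oracle's answer for input, sampling it on first use.
func (o *RandomOracle) Query(input []byte) []byte {
	o.queries++
	if out, seen := o.table[string(input)]; seen {
		return append([]byte{}, out...)
	}
	out := make([]byte, o.outLen)
	if _, err := rand.Read(out); err != nil {
		panic(err) // without a randomness source the model cannot be simulated
	}
	o.table[string(input)] = out
	return append([]byte{}, out...)
}

// Queries reports how often the box was consulted; Distinct reports how many
// distinct inputs it has answered, i.e. the size of its lazily built table.
func (o *RandomOracle) Queries() int  { return o.queries }
func (o *RandomOracle) Distinct() int { return len(o.table) }

// Consistent checks the defining constraint: the same input queried twice
// must yield byte-identical outputs.
func Consistent(o *RandomOracle, input []byte) bool {
	return bytes.Equal(o.Query(input), o.Query(input))
}

// Independent shows why the oracle is a model rather than a fixed hash
// function: two separately instantiated oracles are two independent random
// functions, so the same input almost surely maps to different outputs.
func Independent(a, b *RandomOracle, input []byte) bool {
	return !bytes.Equal(a.Query(input), b.Query(input))
}

func main() {
	o := NewRandomOracle(16)
	in := []byte("session=abc123") // constructed sample input
	fmt.Printf("first query:  %x\n", o.Query(in))
	fmt.Printf("second query: %x (same input, same output)\n", o.Query(in))
	fmt.Printf("new input:    %x (fresh output)\n", o.Query([]byte("session=abc124")))
	fmt.Println("queries:", o.Queries(), "distinct inputs:", o.Distinct())
	fmt.Println("independent of a second oracle:", Independent(o, NewRandomOracle(16), in))
}
```

The table is what makes the model expensive to instantiate in practice: a real hash function has to behave like this box for every possible input without storing anything, which is why "random oracle" is a proof assumption and not something a library ships.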