Archive for the ‘security’ Category

Spyware Rant

I wanted to talk a bit about spyware. This is not a new topic in itself. Spyware has been around for some years now. Really, ever since web browsers allowed cookies that let someone else watch where you have been surfing, there has been a threat to our online privacy.

But although privacy is important, that is not the real threat. There is a real danger that spyware has already found its way onto your computer. Over the last three years there has been a very dangerous convergence between organised crime and the writers and creators of these online nasties. (more…)

Tuesday, August 9th, 2005

Beating the PC blues

Well, I don’t know what caused the problem in the first place, but the ‘puter is back online. These days loading WinXP onto a cleanly formatted hard drive is just the beginning of the process, and the easy part. The next step is locking down the system against external nasties before I connect to the net.

This is really important, since the out-of-the-box WinXP installation is full of well-known, actively exploited security holes. The Internet Storm Center tracks the average time before an unpatched system is exploited by the white noise of port scanning and exploit-hunting viruses. It is currently tracking at about 23 minutes.
(more…)

Thursday, July 28th, 2005

Online Banking thoughts on future trends

I was going through some notes and found a brain dump of ideas about online banking, security and customer behaviour. I thought that it would be worthwhile posting it here for safekeeping:

Nick’s thoughts on future trends.

  • Customers will want to do more for themselves and from more locations at any time of the day or night.
  • As a mass-market group, customers will continue to be very slow to learn about security risks and even slower to change their behaviour.

(more…)

Friday, June 10th, 2005

Id theft: Taking a swipe at two-factor authentication

I have just posted the comment below in response to this article:

Bruce Schneier’s article http://www.schneier.com/essay-083.html implies that two-factor authentication is too outdated to be of any real use.

I believe that this is a very dangerous argument to be promoting, particularly since the existing username and password security that every service currently uses is not enough, and criminals are already compromising it easily. In my experience the biggest hurdle is getting organisations to spend any money on a more advanced security solution.

Although second-factor authentication using one-time passwords from a token device or from an SMS can be compromised by some increasingly sophisticated attacks, it does stop most of the common existing ones. Keystroke loggers, standard phishing and other methods of simply stealing static passwords can currently be used to passively build databases of stolen login details. Those databases become obsolete with the implementation of second-factor authentication.

I also believe that online businesses are at the threshold of a new phase of development where the old username and password combination will be complemented by increasingly sophisticated levels of security solutions. These businesses must invest in these solutions, and their customers must be given a choice over the usage of them. The penalty for choosing not to use them may be limited functionality or increased costs elsewhere.

Second-factor authentication will not be the final solution for online security, but it is the most mature solution for the next phase of security developments.

Friday, April 15th, 2005

Opinion - Bill’s Spam is still out of the Can

Well, nearly a year ago Bill Gates announced that he was going to stop spam in its tracks within just a few years. Big words, I thought at the time. I was also nervous about what the solution might entail, i.e. Microsoft changing its software to ensure that only email sent from one Microsoft system to another would be authenticated, and therefore anything else would be treated as suspect.

It looks like Bill has discovered bigger phish to phry. In an interview in Germany regarding security, Bill Gates has lost some of his optimism about defeating spam, although he still believes that there will be a spam-free future. His attention has turned to the promotion of newer security threats like phishing. This time he is talking a lot about collaboration, which, I agree, had to be the case.

In Australia I have seen different industries (i.e. ISPs and financial services) all scrambling to collaborate amongst themselves but not engaging each other. This should be a great way of getting messages about security out to customers (again, of both ISPs and financial services). The banks could identify the messages that they need their customers to hear and then work with ISPs to help distribute these messages. After email and general browsing, the use of online banking is the biggest driver of online take-up, so there should be a shared interest in getting customers online and feeling safe about using online banking services.

For myself, I have also had to backtrack from my earlier bravado. My old email account nick@bigpond.com is dead and gone, swallowed by the deluge of spam that it received. Even though I had a multi-layered defence to wipe out the worst of it, too much time was wasted in the fight.

Sunday, January 30th, 2005