D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Secure web browsing with live distro

 

george wrote:
>
> What a simple idea and so bleeding obvious. 

Which is why lots of people have had it.

> And what a way to sell a Linux
> intro to the unwashed masses.
> 
> http://www.itwire.com.au/content/view/13292/53/

Whilst I like the idea - I can think of one downside.

The main reason Windows viruses don't try to mess with the BIOS is that
there is nowt to gain, and an infected host to lose from ones botnet.

As soon a booting from an alternative media is widespread for banking,
some of the bots will try to hijack the BIOS so they can steal data from
the other operating system (or listen to the network traffic), or hijack
the router for similar (router meddling has the same downsides as BIOS
meddling for the abuser).

Indeed subverting routers with Javascript has already been done, at
least as a proof of concept. The Javascript looked for routers, at the
manufacturers default IP address, with the manufacturers default
username/password (default passwords are a stupid idea! See Oracle and
"change on install" story). It would then login and change your routers
settings, which with things like DNS makes for a powerful kind of
phishing. So visiting a website with such Javascript led to exploit.

I'm also surprised how many people don't know that by default IE allows
the copying of clipboard content by Javascript. Think about it the next
time you are about to cut and paste a password into a webpage in IE.
Then again Firefox makes enabling this functionality on a per site basis
 difficult as there is no built in GUI for it, where as IE makes it
relatively easy (although I think attempting to secure IE is a futile
activity).









Attachment: signature.asc
Description: OpenPGP digital signature

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html