RE: DNS Attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



but if a bank employee is involved in the taking of funds, then there is
somewhat of a trail. if the employee where to "change" the root dns servers,
there would be some trail of this with the service that the bank uses for
this setup.. this would be pretty easy to resolve, and the customer would
have protection (although suffer a hassle) as the bank would back up the
funds that were stolen...

the issue of dns poisoning would also be resolved in a matter of time, but
unfortunately, there might be multiple customers who are impacted...

after thinking on this for awhile, the only thing that i can really think of
to make a site "safe" is for you the customer to get your behind into a
physical setup/location/building when you initially setup the online
account!!! and then you should only use sites that incorporate multi-pass
(two factor) security processes. (although this has it's own set of
issues!!)

for my own $0.02 worth, i find myself going to different parts of a site to
see if i get links that return me back to where i should be prior to
inserting my login information... but this implies that you know what a
site's structure should be!





-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Mikkel L. Ellertson
Sent: Saturday, July 26, 2008 6:01 AM
To: For users of Fedora
Subject: Re: DNS Attacks


Björn Persson wrote:
> Les Mikesell wrote:
>> You aren't paranoid enough.  What if the spoofer is also a system
>> administrator at the bank with access to a copy of the real certificate
>> that he installs on the machine he's tricked your dns into reaching -
>> with the expected name that you'll still see.
>
> Then the bank has failed to protect its secret key. I expect banks to have
> rigorous security routines to control who can access sensitive systems,
and
> to be able to check afterwards who did what.
>
> Could you elaborate on how whois guards against malicious system
> administrators? Do you think security could be improved by having browsers
> and other programs make whois queries automatically?
>
> Björn Persson
>
Also, if it is the a system administrator at the bank, what is to
prevent him from just changing the real name servers? Or putting in
a program on the bank's web server to capture the username and
password when you enter them? Lets face it, if a bank employee wants
to embezzle money from the bank, there is not much we as costumers
can do about it.

Mikkel
--

   Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux