North American Network Operators Group

Re: OT: Re: User negligence?

  • From: Alex Rubenstein
  • Date: Sun Jul 27 01:50:10 2003

I think there is confusion here.

The banks are making the claim that, if you, the user, have an infected PC
that is compromised by a 3lit3 h4x0r, and your password to your bank
account is compromised, then the bank is not responsible.

That is what you are saying, Sean?


On Sun, 27 Jul 2003, Len Rose wrote:

>
> Sean,
>
> I humbly disagree. It is not user negligence, but rather negligence on
> behalf of the entity's systems team, or perhaps the entity's failure
> to support their own systems team by hiring competent staff instead
> of relying on people who play office politik or look nice in a suit
> and tie. Users are not expected to secure their machines, or
> even barely know more than how to use a handful of applications.
> In the bank's case hopefully they are supposed to be financial experts.
>
> One can also blame the entity for basing their operations on a joke
> operating system of course (tired argument).
>
> Not calling it a breach of security is simply.. ridiculous. It is a
> most flagrant breach of security if they can't even secure their own
> internal networks and systems. Host level security should be the
> easiest thing to accomplish given competent systems staff.
>
> The entity should have had a team in place that protected systems,
> disabled vulnerable services running on the joke operating system,
> and that stayed on top of any threat no matter what day of the week
> it happened to be.
>
> Nothing like berating the obvious.
>
> This is off topic and I'm not going to pursue this further on
> this list.
>
> Len
>
> Sean Donelan said:
>
> > Unfortunately there are a lot, and growing number, of self-infected PCs
> > on the net.  As the banks point out, this is not a breach of the bank's
> > security. Nor is it a breach of the ISP's security.  The user infects
> > his PC with a trojan and then the criminal uses the PC to transfer money
> > from the user's account, with the user's own password.
> > http://www.iol.co.za/index.php?click_id=13&art_id=qw1059039360281B215&set_id=1
> > "The fact that hackers got access to bank customer's accounts was not due
> > to inadequate security at the bank, but due to "user negligence", an
> > e-commerce company said on Thursday.
> > [...]
> > "Consumers should be vigilant when opening emails. If they receive strange
> > emails, or emails from people or companies they do not know, it is better
> > not to open the mail - especially attachments. These intrusions were
> > clearly not a result of any vulnerability in Absa's Internet security."
>

-- Alex Rubenstein, AR97, K2AHR, [email protected], latency, Al Reuben --
--    Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --