Skype hack (at last?)

I'm conscious that my blog postings now resemble a London bus - you wait for ages, then three come along at once - but I had to share this with you.

Ruben Unteregger wrote a Skype phone call Trojan three years ago, then a few days ago he released the source code. Now, unsurprisingly, something very similar has appeared in the wild. I continue to be pleased that we don't allow Skype (or any real time protocols in fact) in our business.

How safe is your online bank?

When Which? Computing asked me to help evaluate online banking services, I expected to find very similar results amongst the ten banks they selected. However, as their press release says, there were some pretty big differences. Although we only looked at the visible security measures in place, some banks appeared to offer little to help defend against simple keyloggers.

I know that there are some sophisticated banking Trojans around, using man-in-the-browser attacks, but surely that's not an excuse to ignore defending against simpler malware and physical keyloggers?

Obviously banks need to balance good security against usability, being concerned that consumers may be put off by complex authentication processes. But with the vast increase in the number of Trojans, and more and more people using public WiFi and shared computers, Barclays' approach of using a PINsentry device seems like the most secure option.

After the goldrush

Well here we are, a couple of weeks after Infosecurity Europe, and sure enough I was right. More silver bullets from all the vendors. If you want the video version of my thoughts look here: http://tinyurl.com/5rcfgt and if you're interested in my opinions on the real future of hacking, then look at this: http://tinyurl.com/63r4lb Despite my compaints about vendors, Infosec was a terrific place to meet friends old and new, as usual.

Meanwhile my thoughts are turning to the rash of drive-by web sites, innocently offering to infect your inadequately protected PC with all kinds of malware courtesy of JavaScript. The recent plague of infected sites has led me to once again extol the virtues of Firefox coupled with the NoScript plug in. Used intelligently, this really does provide trouble-free web browsing and is an essential addition to conventional anti-virus and personal firewall protection. If you haven't tried NoScript, I thoroughly recommend that you do - be patient while you teach it the trusted sites and you'll fall in love with it.