EU cyber security agency ENISA; “Assume all PCs infected”

“Assume all PCs are infected. The attacks used Zeus, which is a Do-It-Yourself virus kit available for around a thousand euros. Zeus has been an off-the-shelf virus around since 2007 and the detection rate is low. For a bank, in the current situation it is safer to assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this.”

If the banks cannot trust that other OS, why should users? I recommend Debian GNU/Linux, an operating system that works for you rather than for criminals.

See Flash note: EU cyber security agency ENISA; “High Roller” online bank robberies reveal security gaps — ENISA.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

3 Responses to EU cyber security agency ENISA; “Assume all PCs infected”

  1. oiaohm says:

    Really, let’s be serious about this. Running Linux does not magically stop attackers completely.

    A lot of banks really should be shot. Let’s cover some basics here.

    For your on-line accounts you should have a trusted device, i.e. a token device. SMS and in-phone are not really valid since banking can be happening from the phone.

    So it’s a simple rule: if you need only 1 device to do a banking transaction, it might not be secure. If it is a computer that can be running anything else, it’s not secure; this definition of computer includes smart phones.

    A standard for tokens would be great. Insert the token device into a USB port. Have the transaction information sent to the token, have the token display that information, and if approved, send back encrypted approval of that information.

    The transaction information includes what signing key to use. Of course, make the device non-readable and only have keys added to it.

    This would truly make a proper electronic money key. The raw information sent to the device is out of the attacker’s reach, and since the transaction information is encrypted by the device, the attacker could not change the transaction.

    In reality this could be done. Cost would be about 60 dollars a person in small volume orders. Remember the key could contain multi-signing. So one key for every bank you deal with.

    Also updates could be applied as security requires.

    It’s not hard to design bullet-proof security. It’s a lack of will to spend the money to deploy it.
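
The token flow sketched in the comment above, modelled as an added example (this is not code from the post, and it is not the commenter’s design): a separate device shows the user what is really about to be sent, and only then returns an approval cryptographically bound to exactly those details, so malware on the PC that relays the messages can neither alter the transaction nor reuse an approval. Assumptions for the sake of a stand-alone script: the per-bank keys are shared secrets used with HMAC-SHA256 (the comment speaks of an encrypted approval; a MAC gives the same binding in the standard library), the USB link is an ordinary function call, and the names `SigningToken`, `Bank`, `run_scenario` and the sample accounts are all constructed.

```python
import hashlib
import hmac
import json
import secrets


def canonical(challenge: dict) -> bytes:
    """Deterministic encoding so bank and token MAC exactly the same bytes."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


class SigningToken:
    """Stand-in for the USB token. Keys can be added but never read back."""

    def __init__(self):
        self._keys = {}  # bank_id -> secret; the (possibly infected) PC never sees these

    def provision_key(self, bank_id: str, key: bytes) -> None:
        self._keys[bank_id] = key

    def approve(self, challenge: dict, user_confirms):
        """Show the transaction on the token's own display and MAC it only if the
        user approves what the token (not the PC) shows. Returns None otherwise."""
        key = self._keys.get(challenge["bank_id"])  # the challenge names the key to use
        if key is None:
            return None
        tx = challenge["tx"]
        shown = f"{challenge['bank_id']}: pay {tx['amount']} {tx['currency']} to {tx['to']}"
        if not user_confirms(shown):
            return None
        return hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()


class Bank:
    """Server side: one fresh challenge per transaction, verified against the
    copy the bank kept, never against whatever the PC sends back."""

    def __init__(self, bank_id: str, key: bytes):
        self.bank_id = bank_id
        self._key = key
        self._pending = {}  # nonce -> challenge awaiting approval

    def new_challenge(self, tx: dict) -> dict:
        challenge = {"bank_id": self.bank_id, "nonce": secrets.token_hex(16), "tx": tx}
        self._pending[challenge["nonce"]] = challenge
        return challenge

    def verify(self, nonce: str, approval) -> bool:
        challenge = self._pending.pop(nonce, None)  # unknown or already used: reject
        if challenge is None or approval is None:
            return False
        expected = hmac.new(self._key, canonical(challenge), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, approval)


def make_user(intended_to: str, intended_amount: int):
    """The human reads the token display and only approves what they meant to send."""
    return lambda shown: intended_to in shown and str(intended_amount) in shown


def run_scenario() -> dict:
    """Constructed scenario: one bank, one token, one honest transfer and three
    things malware on the relaying PC might try."""
    key = secrets.token_bytes(32)
    bank = Bank("BANK-A", key)
    token = SigningToken()
    token.provision_key("BANK-A", key)  # one key per bank, as the comment proposes
    user = make_user("Alice's landlord", 500)
    genuine = {"to": "Alice's landlord", "amount": 500, "currency": "EUR"}
    results = {}

    # 1. Honest flow: PC relays the challenge unchanged, user approves, bank accepts.
    ch = bank.new_challenge(genuine)
    approval = token.approve(ch, user)
    results["honest"] = bank.verify(ch["nonce"], approval)

    # 2. Man-in-the-browser rewrites the destination before it reaches the bank;
    #    the token shows the mule account, so the user declines.
    tampered = dict(genuine, to="Mule account 9999")
    ch2 = bank.new_challenge(tampered)
    results["mitb_declined_by_user"] = bank.verify(ch2["nonce"], token.approve(ch2, user))

    # 3. Malware captures a genuine approval and tries to spend it on a different transfer.
    ch3 = bank.new_challenge(genuine)
    stolen = token.approve(ch3, user)
    ch4 = bank.new_challenge(tampered)
    results["approval_reuse"] = bank.verify(ch4["nonce"], stolen)

    # 4. Replaying the approval that was already consumed in step 1.
    results["replay"] = bank.verify(ch["nonce"], approval)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the bank never trusts the transaction bytes coming back from the PC: it MACs the challenge it stored and compares, while the token MACs only what it displayed and the user accepted. Anything the PC changes in between shows up either as a mismatch or as a display the user refuses; a fresh nonce per challenge, consumed on first use, closes off replay.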

  2. Linux Apostate wrote, “The Zeus trojan exists on Android/Linux as well.”

    Yes, but it only works if the guy has an infected PC running that other OS. That’s another good reason to chuck M$.

  3. Linux Apostate says:

    “Not trusting client-side software” is surely a basic security precaution that every bank should use. A bit like asking customers for ID before allowing them to withdraw money.

    BTW, the Zeus trojan exists on Android/Linux as well.
