From: Digest
To: "OS/2GenAu Digest"
Date: Mon, 13 Dec 2004 00:01:07 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600
Subject: [os2genau_digest] No. 1001
Reply-To:
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Sunday 12 December 2004
Number 1001
**************************************************

Subjects for today

1 Re: Browser vulnerability report by Secunia Window Injection : Gavin Miller
2 Telstra have fixed Webmail ! : Ed Durrant
3 Re: Browser vulnerability report by Secunia Window Injection : Ken Laurie
4 Re: Telstra have fixed Webmail ! : Chris Graham [WarpSpeed]
5 Re: Telstra have fixed Webmail ! : Ken Laurie
6 Re: No. 1000 : Kev
7 Re: No. 1000 : Ian Manners
8 Re: ECD's? : Chris_neeson
9 Re: Telstra have fixed Webmail ! : Kris Steenhaut

**= Email 1 ==========================**

Date: Sun, 12 Dec 2004 10:48:18 +1100
From: Gavin Miller
Subject: Re: Browser vulnerability report by Secunia Window Injection

Hey Ken,

Mmm... Interesting. It seems it's not a dongle after all. The bank refers to it as a "Security Token", which I assumed to be a dongle of some type. It generates a 6 digit "Authentication Key", as the bank puts it, so I guess it's using the method you described. Still need to use the pin and password that was previously arranged with the bank. I'll send you some pics off list of the two models being offered. It doesn't appear to attach to the computer at all.

Cheers
G

Ken Laurie wrote:
> Hi Gavin
>
> All the dongles I am familiar with use a combination of a pin and a
> generated number to create a onetime password. This is called two
> factor authentication, something you have (the dongle) and something
> you know (the pin). Usually the password is sent to the server which
> uses a security server such as LDAP to authenticate you. Even if
> somebody did manage to get your account or userid and your pin, they
> would need your dongle to authenticate.
> The dongle and the server at the other end are synchronised by the
> initial number on the dongle and the serial number of the dongle.
> Using this information and the appropriate algorithm the server can
> calculate the next number generated by the dongle. The number is
> normally only good for 60 seconds, give or take a bit for delays in
> getting across the network etc.
>
> This is a good secure method of authentication. It also means that if
> you use online banking from other than your own pc the information
> captured in cache or cookies etc cannot be used to access your account.
>
> regards
> Ken
>
> Gavin Miller wrote:
>
>> I sent an e-mail to my bank informing them that javascript popups,
>> popups in general, and cookies are not secure and that they, as a
>> banking institution, should be looking at alternative and more secure
>> methods such as a secure server. My bank offers a dongle that you
>> can purchase and register as an added login password. It generates a
>> different code each time you use it. I assume this code is stored in
>> a cookie or file somewhere, and if so defeats the purpose of an extra
>> security measure.
>>
>> Cheers
>> G
>>
>> Ken Laurie wrote:
>>
>>> Hi John
>>>
>>> Yes, bad coding practices strike again. Some of these web site
>>> designers/programmers (I use the words lightly) need to wake up and
>>> really look at what problems they are causing. I have been in IT for
>>> 28 years and I could go on about this for ages but I won't.
>>>
>>> regards
>>> Ken
>>>
>>> John Angelico wrote:
>>>
>>>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>>>
>>>>> Hi John
>>>>
>>>> Hi Ken.
>>>>
>>>>> Remember this vulnerability is for all web browsers and you are
>>>>> only 'secure' because you are not allowing the web site being used
>>>>> to demonstrate the vulnerability to open a popup.
>>>>> If you use Citibank then you would need to allow it to open popups
>>>>> and would then have the vulnerability.
>>>>
>>>> Hmm, interesting.
>>>>
>>>> One of my bank sites doesn't open popups (one page for login then
>>>> same page for activities), and the other opens another page where
>>>> I login, and that's all.
>>>>
>>>>> The best defense for this vulnerability, until it is resolved, is
>>>>> when visiting trusted sites that you permit to open popups (such
>>>>> as most bank sites) not to visit other sites at the same time.
>>>>
>>>> I would be mounting a challenge to Citibank about popups.
>>>>
>>>> I would refer them to Jakob Nielsen's site: useit dot com on usability
>>>> guidelines, or a less polite rant style page like:
>>>> http://members.optusnet dot com dot au/~night.owl/morons.html
>>>> where yes, he has an attitude, but he puts a lot into it about
>>>> better web authoring.
>>>>
>>>>> I tend to have the habit of only doing my banking without any
>>>>> other sites open. My advice to all is to make sure they have no
>>>>> other web sites open when doing their banking, even if this
>>>>> vulnerability is resolved.
>>>>
>>>> Yes, it's a good "paranoia habit" to get into - like hiding your
>>>> hand as you punch in your PIN at an ATM.
>>>> I ALWAYS close the tab or window or browser session of my banking
>>>> page when finished too.
>>>>
>>>> Best regards
>>>> John Angelico
>>>> OS/2 SIG
>>>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>>>> ___________________
>>>>
>>>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>>>> ... "Daddy, when will I be old enough to delete Windows?"

----------------------------------------------------------------------------------

**= Email 2 ==========================**

Date: Sun, 12 Dec 2004 11:08:50 +1100
From: Ed Durrant
Subject: Telstra have fixed Webmail !

Hi All,

Good news - Telstra have fixed access to their Webmail system, which from earlier this week was only accessible from the Microsoft IE browser, and is now once more fully accessible from IBM Web Browser, Mozilla and Opera/2 !!

I haven't as yet had a reply to my complaint, however it seems my complaint, along with I suspect a lot of other people's, has moved them into action.

Good on TELSTRA !

Cheers/2
Ed.

----------------------------------------------------------------------------------

**= Email 3 ==========================**

Date: Sun, 12 Dec 2004 12:02:19 +1100
From: Ken Laurie
Subject: Re: Browser vulnerability report by Secunia Window Injection

Hi Gavin

Depends on who you speak to as to what they want to call it. Some refer to it as a dongle, others a security token or fob. Either way these are the best type of security to use in these circumstances. Even if somebody did get the one-time password it would be useless to them.

What happens with these devices is they display, say, a 6 digit number which changes, normally every 60 seconds. When you log on to your bank site they request your userid and then in the password field you would enter your pin and the current 6 digit number. This is then checked at the security server and if all is OK you get access.

The batteries in these devices usually last for three years, so after three years you would need to get a new one and re-sync everything to gain access. One inconvenience every three years is worthwhile considering the extra security you get from using these devices.

I use both a hardware one, similar to what is being offered, and a software one to access the environment at work.
The software one basically emulates a hardware device; it is just limited to the one PC instead of being able to use any PC. What makes it even worse is there is only a windoze software device.

regards
Ken

Gavin Miller wrote:
> Hey Ken,
>
> Mmm... Interesting. It seems it's not a dongle after all. The bank
> refers to it as a "Security Token" which I assumed to be a dongle of
> some type. It generates a 6 digit "Authentication Key" as the bank
> puts it, so I guess it's using the method you described. Still need
> to use the pin and password that was previously arranged with the
> bank. I'll send you some pics off list of the two models being
> offered. It doesn't appear to attach to the computer at all.
>
> Cheers
> G

----------------------------------------------------------------------------------

**= Email 4 ==========================**

Date: Sun, 12 Dec 2004 17:29:29 +1100 (EDT)
From: "Chris Graham [WarpSpeed]"
Subject: Re: Telstra have fixed Webmail !

On Sun, 12 Dec 2004 11:08:50 +1100, Ed Durrant wrote:
>Hi All,
>
> Good news - Telstra have fixed access to their Webmail
>system, which from earlier this week was only accessible
>from the Microsoft IE browser, and is now once more fully accessible
>from IBM Web Browser, Mozilla and Opera/2 !!
>
> I haven't as yet had a reply to my complaint, however it
>seems my complaint, along with I suspect a lot of other
>people's, has moved them into action.
>
> Good on TELSTRA !

Not really, they should not have been able to have put it into production to start with.

-Chris

WarpSpeed Computers - The Graham Utilities for OS/2.
Voice: +61-3-9307-0344 Internet: chrisg at warpspeed dot com dot au
FAX: +61-3-9307-0633 Web Page: http://www.warpspeed dot com dot au
Postal: WarpSpeed Computers, PO Box 212, Brunswick, VIC 3056, AUSTRALIA

----------------------------------------------------------------------------------

**= Email 5 ==========================**

Date: Sun, 12 Dec 2004 18:38:49 +1100
From: Ken Laurie
Subject: Re: Telstra have fixed Webmail !

Hi Chris

Now come on. Telstra know that the only people that surf the web and send and receive email use windows and iexploder. Telstra can't be expected to set up their environment so that any web browser or mail reader can work.

Sarcasm abounds.

regards
Ken

Chris Graham [WarpSpeed] wrote:
>Not really, they should not have been able to have put it into production
>to start with.
>
>-Chris

----------------------------------------------------------------------------------

**= Email 6 ==========================**

Date: Sun, 12 Dec 2004 16:12:00 +0800
From: Kev
Subject: Re: No. 1000

Hi Ian

Congratulations on running the best, friendliest, most helpful and most informative eCS - OS/2 list in Oz. At least another 1000 to go.

Cheers
Kev Downes

Ian Manners wrote:
> On Sun, 12 Dec 2004 00:01:09 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600, Digest wrote:
>
>>**************************************************
>>Saturday 11 December 2004
>> Number 1000
>>**************************************************
>>
>>Subjects for today
>
> Whaho, Number 1000 ! = 1000 days of posting on this list.
> This number doesn't include days that there were no postings to the list.
>
> Cheers
> Ian Manners
> http://www.os2site dot com/
>
> Help stamp out, eliminate and abolish redundancy!

----------------------------------------------------------------------------------

**= Email 7 ==========================**

Date: Sun, 12 Dec 2004 21:16:52 +1100 (EDT)
From: "Ian Manners"
Subject: Re: No. 1000

Hi Kev

I just host it :-)

Thanks John, Bob, Ed, and everyone on this list, because it's the people on the list that make the list :-)

> Congratulations on running the best, friendliest, most helpful and most
> informative eCS - OS/2 list in Oz. At least another 1000 to go.

Cheers
Ian Manners
http://www.os2site dot com/

"I have six locks on my door all in a row. When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three."
-- Elayne Boosler

----------------------------------------------------------------------------------

**= Email 8 ==========================**

Date: Sun, 12 Dec 2004 07:23:15 -0500
From: Chris_neeson
Subject: Re: ECD's?

Good Grief!

Regards,
Chris

------ Paul replied ---------

A CD that has both audio & data tracks. Generally the data tracks are multimedia files - film clips or such. os2cdrom.dmd included with eCS 1.2 doesn't appear to be able to handle them...

------- to Chris' question -----------

> Actually, what is an 'enhanced' CD?
> ( while this topic is within recent memory ).

----------------------------------------------------------------------------------

**= Email 9 ==========================**

Date: Sun, 12 Dec 2004 13:49:27 +0100
From: Kris Steenhaut
Subject: Re: Telstra have fixed Webmail !

Ken Laurie wrote:
> Hi Chris
>
> Now come on. Telstra know that the only people that surf the web and
> send and receive email use windows and iexploder. Telstra can't be
> expected to set up their environment so that any web browser or mail
> reader can work.

Yes, they can be expected to, for the good reason that they are expected to comply with HTML and JavaScript standards. The reason why only IE could see the Telstra pages was because there were errors and errors in their scripts, to which IE _failed_ to react properly. And that is exactly one of the reasons why IE is the most unsafe of programs you can think of.

--
Greetings from Gent,
Kris

----------------------------------------------------------------------------------
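The time-synchronised token scheme Ken Laurie describes in Emails 1 and 3 (a 6-digit number that changes every 60 seconds, typed after the PIN into the password field, checked by a security server that allows a little slack for network delay), written out as an added example that is not from this list or from any bank's product. The RFC 4226 HMAC-SHA1 truncation is an assumption standing in for whatever the real token computes; the user names, seed and timestamps are constructed, and the `last_counter` check is what makes a captured code "useless to them" as Ken puts it.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the token display changes every 60 seconds, as described
DIGITS = 6          # the 6-digit "Authentication Key" the token shows
DRIFT_STEPS = 1     # accept one step either side for network delay and clock drift


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code for one time step: HMAC-SHA1 over the big-endian counter, dynamic
    truncation to 31 bits, then modulo 10**digits (RFC 4226 HOTP, assumed here
    as a stand-in for the real token's algorithm, which the thread never names)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def current_code(seed: bytes, now: int) -> str:
    """Token side: the digits the device would display at Unix time `now`."""
    return token_code(seed, now // STEP_SECONDS)


class SecurityServer:
    """Server side: holds each user's PIN and token seed, verifies PIN + code."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def enrol(self, userid: str, pin: str, seed: bytes) -> None:
        # last_counter remembers the newest step already accepted, so a code
        # captured in transit cannot be replayed inside its 60-second window.
        self.accounts[userid] = {"pin": pin, "seed": seed, "last_counter": -1}

    def authenticate(self, userid: str, passcode: str, now: int) -> bool:
        acct = self.accounts.get(userid)
        if acct is None or len(passcode) <= DIGITS:
            return False
        # The user types the PIN immediately followed by the 6 digits on the token.
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin.encode(), acct["pin"].encode())
        counter = now // STEP_SECONDS
        for step in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if step <= acct["last_counter"]:
                continue  # this step (or an older one) was already used: replay
            expected = token_code(acct["seed"], step).encode()
            if pin_ok and hmac.compare_digest(expected, code.encode()):
                acct["last_counter"] = step
                return True
        return False
```

Two factors are checked together: the PIN (something you know) and a code only the seeded device can produce (something you have); a second login inside the same 60-second step is refused even for the legitimate user, which is the cost of the replay protection.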