
man-in-the-middle

Google users in Iran targeted in SSL spoof

For an unknown period of time this weekend, Gmail users in Iran who tried to access their accounts were at risk of having their log-in credentials stolen, after someone broke into a Dutch company to steal the digital equivalent of an identification card for Google.com.

"The people affected were primarily located in Iran," Google said in a post late last night. "The attacker used a fraudulent [Secure Sockets Layer] certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."

The problem surfaced yesterday after someone … Read more

False security: Is Bank of America lying to its customers?

A bank that guarantees its online users' safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?

Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.

Some banks choose to issue their customers a cryptographic hardware token (a … Read more

What you can do about the latest Google Desktop flaw

On this week's Security Bites podcast, I asked Robert Hansen, aka RSnake, the security researcher who disclosed the man-in-the-middle attack on the Google Desktop last week, what readers can do to avoid becoming a victim.

Hansen said: "They could turn off the integration between Google Desktop and the Web. Or they could wait for a patch to come out, which I'm sure there will be. Or my favorite answer is to uninstall the Google Desktop entirely.

"I'm not exactly quick to tell people to stop using applications, but Google Desktop's had, like I said (… Read more

Google Desktop vulnerable to attack

Security researcher Robert Hansen, aka RSnake, has published details of a new attack on Google Desktop. Basically, Hansen found a man-in-the-middle attack, this time placing an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of other programs on the desktop.

The attack scenario plays out like this: a user of Google Desktop makes a search query that is intercepted by an attacker. The attacker then injects JavaScript that creates an invisible IFrame on the target URL page as well as makes the … Read more