A couple more signs the end of the company is nigh:
11) The CEO trades in his Range Rover for a Mitsubishi sedan
12) The CEO conveniently manages to negotiate a transfer for himself to another division
13) The Company has "payment freezes" when suppliers don't get paid for a couple of months before the close of the financial year.
One thing Schneier fails to mention is that the man in the middle attack can be defeated by either:
1. Requiring a one time password (OTP) for each on-line transaction
2. "Signing" each transaction. For example the account number and the amount of the transaction are encrypted using the key inside the token.
Using either of these methods with hardware tokens can defeat the man in the middle attack. Spyware / Trojans can record and playback the captured information but it won't do them any good. In the first case the intercepted one time password can only be used for one transaction. The man in the middle may be able to modify the transaction - e.g. redirect it to a different account. The second case gets around this issue as the transaction information is encrypted so that the man in the middle can't modify details of the transaction. In both cases the man in the middle can't make any additional transactions.
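The two defences in the comment above, as an added example that is not the commenter's code: a per-transaction HMAC stands in for the token's keyed signing, and the key, account numbers, amounts and counter values are all constructed. It shows that the OTP-only scheme (case 1) stops a second transaction but not redirection, while binding the account and amount into the code (case 2) stops both.

```python
import hmac
import hashlib

# Constructed example key: the secret shared by the hardware token and the bank.
TOKEN_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def otp_code(key: bytes, counter: int) -> str:
    """Case 1: a one-time code bound only to the token's event counter."""
    return hmac.new(key, f"otp:{counter}".encode(), hashlib.sha256).hexdigest()[:8]

def signed_code(key: bytes, account: str, amount_cents: int, counter: int) -> str:
    """Case 2: a code bound to the account and amount the user keyed into the token."""
    msg = f"txn:{account}:{amount_cents}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Bank:
    """Bank-side verifier; each counter value is accepted once, so replays fail."""
    def __init__(self, key: bytes):
        self.key, self.used = key, set()

    def _accept(self, counter: int, expected: str, code: str) -> bool:
        if counter in self.used or not hmac.compare_digest(expected, code):
            return False
        self.used.add(counter)
        return True

    def accept_otp(self, account: str, amount_cents: int, counter: int, code: str) -> bool:
        # account and amount are not covered by the code, so they cannot be checked against it
        return self._accept(counter, otp_code(self.key, counter), code)

    def accept_signed(self, account: str, amount_cents: int, counter: int, code: str) -> bool:
        return self._accept(counter, signed_code(self.key, account, amount_cents, counter), code)

def demo() -> dict:
    """Try a redirected payment and a replayed code against each scheme (constructed data)."""
    acct, other, amt, ctr = "12-345-678", "99-999-999", 25000, 7
    otp, sig = otp_code(TOKEN_KEY, ctr), signed_code(TOKEN_KEY, acct, amt, ctr)
    otp_bank, sig_bank = Bank(TOKEN_KEY), Bank(TOKEN_KEY)
    return {
        # case 1: the intercepted OTP still validates with a changed account number...
        "otp_redirected": otp_bank.accept_otp(other, amt, ctr, otp),
        # ...but it is spent, so no second transaction is possible with it
        "otp_replayed": otp_bank.accept_otp(acct, amt, ctr, otp),
        # case 2: changing the account invalidates the code; the genuine one works once
        "signed_redirected": sig_bank.accept_signed(other, amt, ctr, sig),
        "signed_genuine": sig_bank.accept_signed(acct, amt, ctr, sig),
        "signed_replayed": sig_bank.accept_signed(acct, amt, ctr, sig),
    }
```

A real token would also need the user to check the account and amount shown on the device before approving, otherwise a compromised PC can feed it the wrong details to sign.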