SGI: Security

Making Irix safe for Internet Banking

Hi,

I currently Internet Banking from my Xp PC (nod32,router and firewalled) and was wondering if It could be safer under Irix or turn another PC into an up to date Linux box?

The XP machine is used by all and even though I can tell them what to watch out for I rather not risk it anymore.

Only I use my SGI machines and are connected to the net via a router, but it's a system I know much less about than XP (even though I had one a while :0) ) so I not worried about local exploits only remote access exploits that can install "naughty" software on my machine.

Chances seem pretty slim on my SGI boxes being exploited but I would like any input you guys might have.

Wise or Not?

Cheers
of course irix is the better choice by far.
there's no spyware, adware, virus, trojan whatsoever.
further if you're the only user it's the better bet anyway.
if you're really concerned run the browser as some very restricted user only used for that.
you could also use a proxy to suppress several information transmitted normally and you could tweak some stuff inside the browser. mozilla's about:config for example.

_________________
r-a-c.de
Hello indy_tigger,
I'm running IRIX 6.5.27, and I use this box for all my e-banking (I come from Switzerland ;-) ). Maybe I'm a bit naive, but since your transactions are encrypted (ssl, https,...), and you box is secured (the unused ports are close), I don't think you have much to fear, do you?
Of course, as always, if someone really wants to bother you...
Hope this helps,
PB

_________________
Octane R14k 600MHz, V6, 2048 MB RAM, 73GB HD0, 18GB HD1, 73GB HD2
Thanks for the replies, I was pretty much convinced before.

I've install ipfilter and I'm going to lock down all the ports apart from http 80 as I don't need them open apart from sharity (what ever ports it uses)

Thanks
indy_tigger wrote:
Thanks for the replies, I was pretty much convinced before.

I've install ipfilter and I'm going to lock down all the ports apart from http 80 as I don't need them open apart from sharity (what ever ports it uses)

Thanks


And what about https?

PB

_________________
Octane R14k 600MHz, V6, 2048 MB RAM, 73GB HD0, 18GB HD1, 73GB HD2
Yep https to, thanks for the heads up.

What start up file would I add the command to load the rule set? can I have them loaded before I get to the visual login so that all the accounts have them?

I've not read all of the ipf man file, but is there any way I could allow only traffic thats been ask for on a port?.

ie firefox uses 80,443 etc but I only want those ports open for apps I allow (not just leave them open as I have now) basicly I'd want them not showing on a port scan, is ipfliter able to do this?

Cheers
indy_tigger wrote:
Yep https to, thanks for the heads up.

What start up file would I add the command to load the rule set? can I have them loaded before I get to the visual login so that all the accounts have them?



Some pointers :
http://stuff.mit.edu/afs/sipb/service/i ... STALL.IRIX
http://docs.hp.com/en/B9901-90009/ch01s08.html
http://techpubs.sgi.com/library/tpl/cgi ... 936-PARENT

I would start having a glance at those pages, just to have some good ideas.

Hope this helps,
PB

_________________
Octane R14k 600MHz, V6, 2048 MB RAM, 73GB HD0, 18GB HD1, 73GB HD2
If you really want to be paranoid you can use open source security tools, tcpdump, ethereal, etc..
( http://www.phptr.com/bookstore/product.asp?isbn=0321194438&rl=1 ) and also "attack" your own machine, turn off telnet for starters and use ssh for logins..

At least one bank here offers a service to send via SMS a (RSA?) key to be typed in before login completes(aka one time password). All banks here offer tokens (little LCD to put on your key ring), which are sync'd to a (RSA?) server.

User knows something(password/PIN) and user has physical posession of something (token, phone, etc) is safer than just user knows something..
Banks need to shoulder at least partial responsibility on managing ID theft.
Ask your bank what they use or switch to a bank that offers a more secure service if you need.

Regan

_________________
:Onyx2R: :Onyx2R: :0300: :0300: :0300: :O200: :Octane: :Octane: :O2: :O2: :Indigo2IMP: :Indy: :Indy: :Indy: :Indy: :Indy: :Indy: :Indy: :Indy:
:hpserv: J5600, 2 x SUN, 2 x Mac, 3 x Alpha, 2 x RS/6000
Thanks for the replies guys, I've got ipfilter working and he seems to work well.

I've got some port scanning software (like superscan 4) and the machine did not show up so ipfilter seems OK

Cheers