I know that when developing software for Windows Vista, several companies out there are still adding something like "If UAC is turned on, you will want to ... <insert steps to turn off UAC here>" in their manuals.
Here is something worse that I had the fun of working with last week: credit card processing software. The software connects using a socket to a port at the bank and allows a company to process credit card transactions. Pretty simple, really. However, even the banks can't seem to get security right on such a simple application. (So far, a week's worth of work in our labs could yield a similar product with proper security - it isn't rocket science...)
From my day of working with the installer, application and tech support, the application fails the following of my security checks (and we haven't even been able to get it running yet on the system - and the bank support is dumbfounded about it, of course...)
- The support person on the phone asked me to allow users to read and write the whole program directory. (It self-updates apparently, and stores all of its transaction files in the same directory.)
- I asked if I should open TCP or UDP port xxx on the corporate firewall for the application to communicate. The result was: "Just to be safe, open them both." Another technician said "It shouldn't matter" and a third seemed to know just TCP.
The first issue is Windows programming 101. Directory permissions (and almost every resource controlled with a HANDLE) exist to secure data and the operating system - in this case, the program's own binaries and data. When the program directory is marked read/write for users, a malicious user could drop a new .EXE into it that installs a keyboard hook, launches the real .EXE and has access to ALL the credit card data entered. The accounting department would never know it happened, and neither would the directors of the company (who signed the "we are responsible for all transactions" contract...)
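As an added check (not part of the original post, and not the bank's software), here is a PowerShell audit for exactly this condition: it reports any broad principal that holds write rights on a program directory. The install path is a placeholder, and the principal names assume an English-language Windows.

```powershell
# Added example: flag write-capable ACEs granted to broad principals on a
# program directory. The path below is a hypothetical placeholder.
param(
    [string]$Path = 'C:\Program Files\ExampleCardApp'   # hypothetical install dir
)

# Principals that should never be able to add or replace program binaries.
# (Names are the English SIDs' display names; localized systems differ.)
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the principal create or overwrite files in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

$acl = Get-Acl -LiteralPath $Path
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries matter; Deny entries do not grant anything.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
    # -band works even when the ACE carries generic-right bits with no enum name.
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Broad principals can write to $Path - its binaries are replaceable."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: no broad principal holds write rights on $Path"
}
```

A clean result means the self-updater and the transaction files need a location of their own (for example under %ProgramData% with a narrower ACL) rather than a world-writable program directory.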
Now the network traffic isn't such a problem. There has only been one instance that I can recall of a staff member port-scanning a firewall to see which ports they could connect outward on, and then using that port to proxy web traffic. But still, a bank should know the absolute minimum configuration without any question. The software already has some requirements that make it seem like they are paying attention, claiming within the documentation that both antivirus and a firewall are necessary.
I guess you have to use them. You have to de-tune your system, end of discussion. I can't receive credit card numbers and process them without having some bank connection. And I have to de-tune my systems to allow unsecured access to the programs, yet still sign a document saying that I will keep everything secure.
Banks: 1, Customers: 0