Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 11:33 AM   #21
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
cute fuzzy bunny's Avatar
 
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,697
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Internet security is a rather tenuous thing, even in your own home.

Many cable and DSL modems can be put into a 'promiscuous mode' (hey, I didn't name it) by a reasonably skilled hacking type and all the data sent and received in the neighborhood/area may possibly be captured for later analysis. Outside of your little loop of the 'net, your data passes through dozens of accessibility points where the data could be tapped off.

The good news is that as pointed out, SSL (the little padlock when using an HTTPS: connection) is fairly secure although a number of agencies (like the NSA) likely have real-time SSL busting tools and it's long rumored that Broadcom has produced a real-time SSL decryption system that is in use by a number of law enforcement agencies and perhaps even large corporations that handle sensitive data. Outside of funny hardware, a skilled person using today's high-power PCs could conceivably crack a captured SSL stream between a few hours and a month or so. Heck, in a public challenge some guys did it in a month about 11 years ago using the computing power available then. Remember when a Pentium 133 was a big deal?

The bad news is that a "man in the middle" attack where a naughty coffee shop was proxying your connections through a 3rd party that acted like your target web site (say Vanguard) while passing along your keystrokes and Vanguard's responses could conceivably (and without great complications) capture your username and password. Basically you'd have a nice secure SSL connection to the "man in the middle" and the MITM would have a nice secure SSL connection to Vanguard.

There are bootable read-only USB/CD/DVD images, usually using LINUX although I've seen one using XP, which boot to a fairly unassailable image, connect to an external hard proxy using a secure protocol, optionally route through a series of anonymous proxies (TOR is common) and give the public user some measure of security...or a home user a great deal of security.

In short, I wouldn't use a public computer for any purpose that you wouldn't describe to your mother, your wife, and the local judge while carrying a large white cardboard sign containing the passed information. I would use my own computer judiciously on a public network operated by someone I know that has a lot to lose if it were found that they were tampering with the data. In other words, "Bobs java house" in Singapore would lose out to Starbucks in San Francisco. I would never log into a bank/financial web site or pass significant personal information unless I was using my own machine in my own home on my own network or at a well-trusted 3rd party's network.

As an aside, since I know many people do it, I would consider some unknown "neighbor's" open wireless connection to be a very plausible "MITM".

When I left my Fortune 500 company 6 years ago, we were often reading people's email, logging which web sites they went to, evaluating the information that went through our proxies to external sources, and enjoying dozens of daily attempts to intercept or break into the network. And that was when we had tools that were comparatively simple to today's offerings.

So in short Al, I'd wait a few more days to do my rebalancing instead of doing it from a public network inside a coffee house. In fact, I'd wait a long dang time to do it.
__________________
Be fearful when others are greedy, and greedy when others are fearful. Just another form of "buy low, sell high" for those who have trouble with things. This rule is not universal. Do not buy a 1973 Pinto because everyone else is afraid of it.
cute fuzzy bunny is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 12:02 PM   #22
Thinks s/he gets paid by the post
cube_rat's Avatar
 
Join Date: Jul 2005
Posts: 1,466
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Thank you, ahem...El Guapo for such a great answer!

I've done a lot of reading on prime numbers and the huge impact on E Commerce security and frankly it's not the secure sites itself that's the issue, it's the man in the middle as you put it, culling information along the way.
__________________
fuzzy? cute?
cube_rat is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 12:12 PM   #23
Thinks s/he gets paid by the post
SecondCor521's Avatar
 
Join Date: Jun 2006
Location: Boise
Posts: 2,402
Re: Access Vanguard from Wireless Connection at Coffee Shop???

I think there are two kinds of errors to be made here. I think they're called Type I and Type II errors but I can't remember where I remember that terminology from.

1. Not taking security precaution X when you should have. Gain: Not having to spend the time taking the security precaution. Loss: Identity theft, or whatever.
2. Taking security precaution X when you didn't need to. Gain: Feeling secure. Loss: The time of your life you spent taking an unneeded security precaution.

The point is there is a tradeoff, and most people here have not discussed the drawbacks of committing a bunch of errors of the second kind above in an endless pursuit to avoid making a single error of the first type. Personally I justify my current security practices by evaluating the gain and losses above multiplied by their prospective likelihoods. Although identity theft is a problem, I don't fear it very much because I can and do check my account balances regularly if not daily, so I feel I could quickly catch any problems to minimize the damage; also, I judge the likelihood of the event to be quite small compared to the probability of my transactions and balances and passwords going through un-hacked.

For those of you who do all this security, do you also buy airplane crash insurance from the kiosks in the airport?

2Cor521
__________________
"At times the world can seem an unfriendly and sinister place, but believe us when we say there is much more good in it than bad. All you have to do is look hard enough, and what might seem to be a series of unfortunate events, may in fact be the first steps of a journey." Violet Baudelaire.
SecondCor521 is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 12:34 PM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
cute fuzzy bunny's Avatar
 
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,697
Re: Access Vanguard from Wireless Connection at Coffee Shop???

It's neither time consuming nor expensive to keep yourself 99% secure. The point is to not make it too easy for any bad actors and to be aware of what is free and clear to see. Your point about not going overboard is well taken. Most people are simply not that interesting.

Email and non-encrypted web page transactions are all sent clear text. Encrypted wireless and SSL connections can be fooled and decoded.

Do's:

- Use your own computer and internet connection at home when transmitting sensitive information
- Use virus/firewall software you can get for free with a new computer or from your ISP or via freeware/trial offers
- Use an inexpensive or free-after-rebate router that incorporates NAT and a half decent firewall on your broadband connection. Enable wireless encryption (WPA or better, not WEP), change the router name and password.
- Update your operating system with the latest patches from the manufacturer

Don'ts:

- Use public computers or "open" networks to transmit sensitive information
- Connect to a network without any firewall or virus protection
- Leave your network "open" or set to defaults
- Click on links from emails or through 3rd party sites (phishing opportunity)
__________________
Be fearful when others are greedy, and greedy when others are fearful. Just another form of "buy low, sell high" for those who have trouble with things. This rule is not universal. Do not buy a 1973 Pinto because everyone else is afraid of it.
cute fuzzy bunny is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 12:36 PM   #25
Thinks s/he gets paid by the post
wabmester's Avatar
 
Join Date: Dec 2003
Posts: 4,459
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by El Guapo
The bad news is that a "man in the middle" attack where a naughty coffee shop was proxying your connections through a 3rd party that acted like your target web site (say Vanguard) while passing along your keystrokes and Vanguard's responses could conceivably (and without great complications) capture your username and password. Basically you'd have a nice secure SSL connection to the "man in the middle" and the MITM would have a nice secure SSL connection to Vanguard.
Well, there's security and there's paranoia.

First, Vanguard and others have added various security measures to protect against spoofing. I'm sure everybody has seen the new two-step login that displays your own special picture and phrase at the second step, for example.

Second, cybercrooks get plenty of what they're looking for from easy targets, so most of them don't even bother with decryption. They go after the low-hanging fruit.

Finally, if a crook is really targeting you, you are probably doomed. It's much easier to go through your trash, steal your mail, or place a phone call to you pretending to be a trusted agent than it is to do any tricky cybersnooping.
__________________
wabmester is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 12:56 PM   #26
Thinks s/he gets paid by the post
cube_rat's Avatar
 
Join Date: Jul 2005
Posts: 1,466
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by wab
Well, there's security and there's paranoia.
Ms. Paranoia here...
__________________
fuzzy? cute?
cube_rat is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-05-2007, 02:25 PM   #27
Thinks s/he gets paid by the post
wabmester's Avatar
 
Join Date: Dec 2003
Posts: 4,459
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by cube_rat
Ms. Paranoia here...
Just because you're paranoid doesn't mean that I'm not stalking you.

I had to double-check on El Guapo's proposed man-in-the-middle attack, but I'm 99% certain that it's not possible.

Both SSL and HTTPS are specifically designed to withstand that sort of replay attack.

If it is possible, I want to learn how to do it!
__________________
wabmester is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 09:13 AM   #28
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
cute fuzzy bunny's Avatar
 
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,697
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Oh it's quite possible, and doesn't even require a lot of imagination!

But then again, I did get that SIDS monitor to work with no trouble and you made a lawn ornament out of yours!

I'll give you the short version...very short as Mr Gabriel has just announced his desire to get out of bed before he does it himself, which is usually followed by a thump.

You sit in shop, type www.vanguard.com. MITM sees the request, repeats it to Vanguard. Sends you the resulting page. You click on 'log in'. It clicks on login and sets up an SSL connection with YOU, then one with Vanguard. You form fill the SSL page between you and the MITM with your username. It form fills the SSL page with Vanguard with your username. Vanguard sends the picture you chose and prompts for password. MITM shows you the same page and prompts for your password. You type it in, MITM fills it in. MITM thereafter just passes keystrokes and data back and forth after storing your username and password.

Obviously not that simple, but then again I had 20 seconds to put it in.

Paranoia is bad, but so is not knowing how much of your information is sent clear text or wide open. Knowledge is power.
__________________
Be fearful when others are greedy, and greedy when others are fearful. Just another form of "buy low, sell high" for those who have trouble with things. This rule is not universal. Do not buy a 1973 Pinto because everyone else is afraid of it.
cute fuzzy bunny is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 09:48 AM   #29
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by El Guapo
Obviously not that simple, but then again I had 20 seconds to put it in.
Yes, not quite that simple. In your example the MITM would have to have an SSL certificate for www.vanguard.com that's signed by someone your browser trusts. That's no easy task, and I have no recent memory of any of the root CA keys being compromised.

It's not impossible of course, but the probability of this attack is low enough that I don't generally worry about it.
__________________
mja is offline   Reply With Quote
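The check mja's reply refers to, shown as an added example that is not part of the original thread: a client accepts a server certificate only if it chains to a CA it trusts and names the host the user asked for. The script uses the `openssl` command-line tool; `bank.example`, `other.example` and the "Demo Trusted Root" CA are constructed placeholders generated on the spot.

```shell
#!/bin/sh
# Added illustration. Every key, certificate and name is constructed locally:
# bank.example, other.example and "Demo Trusted Root" are placeholders.

# The client's decision: accept only if the certificate chains to a CA in the
# trust store AND is valid for the hostname the user asked for.
cert_ok() {  # usage: cert_ok <trust.pem> <cert.pem> <hostname>
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Have the demo CA in <dir> sign a certificate for one DNS name.
issue_cert() {  # usage: issue_cert <dir> <basename> <dns-name> <ext-section> <serial>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial "$5" -days 1 -extfile "$1/cfg" -extensions "$4" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

make_demo_pki() {  # usage: make_demo_pki <dir>
    # Minimal config so the script does not depend on a system openssl.cnf.
    cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[bank_ext]
subjectAltName = DNS:bank.example
[other_ext]
subjectAltName = DNS:other.example
EOF
    # 1. The root CA the client trusts (stand-in for the browser's CA list).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cfg" \
        -extensions ca_ext -subj "/CN=Demo Trusted Root" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 &&
    # 2. The genuine site's certificate, issued by that CA.
    issue_cert "$1" site bank.example bank_ext 1 &&
    # 3. A certificate the same CA issued to a different site.
    issue_cert "$1" other other.example other_ext 2 &&
    # 4. What a party without a trusted CA's key can make for the name:
    #    a self-signed certificate claiming to be bank.example.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cfg" \
        -extensions bank_ext -subj "/CN=bank.example" \
        -keyout "$1/selfsigned.key" -out "$1/selfsigned.pem" >/dev/null 2>&1
}

# Present each certificate to a client that asked for bank.example.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    for c in site other selfsigned; do
        if cert_ok "$d/ca.pem" "$d/$c.pem" bank.example; then
            r=ACCEPT
        else
            r=REJECT
        fi
        printf '%-11s -> %s\n' "$c" "$r"
    done
    rm -rf "$d"
}

demo
```

Only `site` is accepted: `other` fails the hostname match and `selfsigned` fails the chain-of-trust check. The protection holds only while the user does not click through the resulting certificate warning.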
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 11:00 AM   #30
Thinks s/he gets paid by the post
lazygood4nothinbum's Avatar
 
Join Date: Feb 2006
Posts: 3,895
Re: Access Vanguard from Wireless Connection at Coffee Shop???

really good info here and there was another similar post earlier. have a question:

for those frequently on the road, could an institution set up a system whereby you utilize a username and password to see your accounts on a read-only basis without being able to access them online, but then you call in and manipulate your accounts either by voice or a touchtone phone? would that add a layer of security or am i just being unbelievably paranoid?
__________________
"off with their heads"~~dr. joseph-ignace guillotin

"life should begin with age and its privileges and accumulations, and end with youth and its capacity to splendidly enjoy such advantages."~~mark twain - letter to edward kimmitt 1901
lazygood4nothinbum is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 11:07 AM   #31
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,197
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Why in the world would I have a need to look at my ever-changing Vanguard numbers at any place other than at home where it is as safe as it can be?
I decided not to use the Internet at the coffee shop when our Internet connection at home was out, and it cost me about $250. If I'd done my rebalancing there, it would have happened before yesterday's .6% drop.

I realize I'm not being fair, because the market could just as well have gone up.
__________________
Al
TromboneAl is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 12:54 PM   #32
Thinks s/he gets paid by the post
wabmester's Avatar
 
Join Date: Dec 2003
Posts: 4,459
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by mja
Yes, not quite that simple. In your example the MITM would have to have an SSL certificate for www.vanguard.com that's signed by someone your browser trusts. That's no easy task, and I have no recent memory of any of the root CA keys being compromised.

It's not impossible of course, but the probability of this attack is low enough that I don't generally worry about it.
Right, I believe the attack is prevented on at least two levels: the signed certs, and encrypted source and destination address info. You can't simply "replay" the packets.
__________________
wabmester is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 06:04 PM   #33
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
cute fuzzy bunny's Avatar
 
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,697
Re: Access Vanguard from Wireless Connection at Coffee Shop???

That's because what I'm thinking involves neither the need for properly signed certs or replaying packets.

Remember in this case the in-house network is a controlled "fish bowl". You own the network, the proxy, the 'server' and all of the rest of it.

You would be nothing other than a client to the Vanguard server externally, and it wouldn't see you as anything other than another client.

Being able to fool a laptop in that controlled fish bowl to think it was talking to Vanguard with all the right stuff is not trivial but not that complicated either. Not something anyone would likely bother to do since the most fun thing they could do with your info is sell all your holdings and have a check sent to your house. Not a lot of fun at tax time, but not the end of the world.

But once again, the point isn't to argue the fine bits of what can and can't be done. The question was if it was worth using a coffee shop network to do financial transactions or wait a few days, and is SSL solid enough that your transactions would be fully secure.

I think it's worth waiting a few days, and I think it's worthwhile knowing that it's not that hard to crack or spoof a "secure transaction" or "secure session".

But we do live in a wonderful environment of security by obscurity and lots of people with better things to do with their lives. That's helpful to people who won't spend a few dollars, take a few minutes of time and employ a few common sense rules to keep their identity and information safe.
__________________
Be fearful when others are greedy, and greedy when others are fearful. Just another form of "buy low, sell high" for those who have trouble with things. This rule is not universal. Do not buy a 1973 Pinto because everyone else is afraid of it.
cute fuzzy bunny is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-06-2007, 07:31 PM   #34
Moderator Emeritus
Nords's Avatar
 
Join Date: Dec 2002
Location: Oahu
Posts: 26,616
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by El Guapo
But we do live in a wonderful environment of security by obscurity and lots of people with better things to do with their lives. That's helpful to people who won't spend a few dollars, take a few minutes of time and employ a few common sense rules to keep their identity and information safe.
Hey, those coffee shop employees have to supplement their income somehow. The Starbucks stock options at their compensation level won't do it.

Keystroke loggers or a few extra pieces of network gear, one or two "extra special" customers a month who unknowingly leave their personal data with you, and either selling the info to a hacker or doing 3-4 illicit transactions of your own that hopefully won't be traced back to you before you relocate every 6-12 months.

I'll never look at an ordinary ol' barista again without wondering...
__________________
*
*

The book written on E-R.org, "The Military Guide to Financial Independence and Retirement", on sale now! For more info see "About Me" in my profile.
I don't spend much time here anymore, so please send me a PM. Thanks.
Nords is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-07-2007, 01:29 AM   #35
Thinks s/he gets paid by the post
wabmester's Avatar
 
Join Date: Dec 2003
Posts: 4,459
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by El Guapo
Being able to fool a laptop in that controlled fish bowl to think it was talking to Vanguard with all the right stuff is not trivial but not that complicated either. Not something anyone would likely bother to do since the most fun thing they could do with your info is sell all your holdings and have a check sent to your house.
The damage they could do is much worse than that.

"Evil Twin" attacks are definitely out there, but I'm not aware of any that compromises SSL/HTTPS. If you know of a vulnerability, even theoretical, I would like to know. I'd probably stop using hotspots.

This is the closest I could find to what you're suggesting:

Web Form Security and the Middle Man

This doesn't compromise HTTPS, but it could fool a user who wasn't paying attention.
__________________
wabmester is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-07-2007, 08:39 AM   #36
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by lazygood4nothinbum
for those frequently on the road, could an institution set up a system whereby you utilize a username and password to see your accounts on a read-only basis without being able to access them online, but then you call in and manipulate your accounts either by voice or a touchtone phone? would that add a layer of security or am i just being unbelievably paranoid?
It's not quite what you're looking for, but I know Fidelity allows you to grant another person (who must also be a Fidelity customer) "Inquiry Access" to your account. It gives the other person the ability to see balance and holding information, but not to place trades, etc.

I agree that it might be useful to set up an alternate name/password with read-only access that you could use from "less-trusted" locations. I wouldn't mind if more companies provided that feature.
__________________
mja is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-07-2007, 05:23 PM   #37
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
cute fuzzy bunny's Avatar
 
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,697
Re: Access Vanguard from Wireless Connection at Coffee Shop???

That's pretty much it Wab...you don't have to play middleman, just fool a fool. Good thing nobody would go through the trouble, but nice to know what's feasible.

Some Russian mob dudes (allegedly!) around here came up with a pretty funny MITM. They made up their own credit card boxes, stuck them on over the gas pump's credit card slot in the wee hours of the morning, then came back the next day and pulled them off. In the meanwhile hundreds of people stuck their credit cards and ATM cards into the bogus stuck-on slots and had their #'s and pins swiped.

I suppose if someone goes through that much trouble to collect some info, and a bunch of people are dumb enough to stick their cards into it, maybe we should be a little more paranoid...
__________________
Be fearful when others are greedy, and greedy when others are fearful. Just another form of "buy low, sell high" for those who have trouble with things. This rule is not universal. Do not buy a 1973 Pinto because everyone else is afraid of it.
cute fuzzy bunny is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-08-2007, 12:17 AM   #38
Moderator Emeritus
Nords's Avatar
 
Join Date: Dec 2002
Location: Oahu
Posts: 26,616
Re: Access Vanguard from Wireless Connection at Coffee Shop???

Quote:
Originally Posted by El Guapo
Some Russian mob dudes (allegedly!) around here came up with a pretty funny MITM. They made up their own credit card boxes, stuck them on over the gas pump's credit card slot in the wee hours of the morning, then came back the next day and pulled them off. In the meanwhile hundreds of people stuck their credit cards and ATM cards into the bogus stuck-on slots and had their #'s and pins swiped.
I've heard that story told as a "portable ATM".

The "entrepreneurs" wheeled it into a busy open-air mall and left it there, plastered with all the popular local bank logos. At the end of the day they'd take it away for "servicing". Withdrawal attempts were met with apologies ("Out of cash, sorry!") but of course every ATM card & PIN was recorded by the machine. What really surprised the authorities was the number of people depositing checks & cash in an ATM that only had a bank's logo on it.

I'm not looking for a job but...
__________________
*
*

The book written on E-R.org, "The Military Guide to Financial Independence and Retirement", on sale now! For more info see "About Me" in my profile.
I don't spend much time here anymore, so please send me a PM. Thanks.
Nords is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-08-2007, 10:14 AM   #39
Thinks s/he gets paid by the post
SecondCor521's Avatar
 
Join Date: Jun 2006
Location: Boise
Posts: 2,402
Re: Access Vanguard from Wireless Connection at Coffee Shop???

I think that "Catch Me If You Can" Frank Abagnale Jr. told a story in his book about dressing up as a security guard type and standing outside of a bank night deposit box with one of those bank deposit bags, and informing all the people who drove up that the night deposit box was broken but they could leave their deposits with him. Worked quite well.

2Cor521
__________________
"At times the world can seem an unfriendly and sinister place, but believe us when we say there is much more good in it than bad. All you have to do is look hard enough, and what might seem to be a series of unfortunate events, may in fact be the first steps of a journey." Violet Baudelaire.
SecondCor521 is offline   Reply With Quote
Re: Access Vanguard from Wireless Connection at Coffee Shop???
Old 01-08-2007, 01:25 PM   #40
Full time employment: Posting here.
 
Join Date: Sep 2006
Posts: 608
Re: Access Vanguard from Wireless Connection at Coffee Shop???


How much less would you be concerned about keystroke loggers and the like in a public computer area at a library of a major public university?

__________________
JohnEyles is offline   Reply With Quote