Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 03:44 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Be careful managing assets, accounts, money, over the internet on wireless

As technology is leveraged in different (and new) ways, new security threats emerge. Wireless technology has introduced a new form of threat that you might expose yourself to at home, and definitely on the road.

At home if you use a wireless router, harden the configuration and use WPA or WPA2 for an encrypted connection.

Your notebook, you had better secure it with proper access control. Windows Vista is (can be made) a more secure technology than previous versions of Windows.

On the road, always only use a connection that uses WPA or WPA2 (today... more secure will emerge). Also with wireless, you had better make sure you know the network that you use and that it is trusted! DO NOT just connect on an unknown net and use it. There is a technique called man in the middle where someone can (basically) wiretap. Even if you use SSL, there are ways to fool you if you are not on guard (with man in the middle). Criminals will soon be trolling near hot spots to try to get into your laptop and/or put out an alternate network to attempt to get in the middle and gather information. You can see where businesses are being targeted. This is what happened to TJX (i.e. Marshalls) according to the Wall Street Journal.

This is real. Protect yourself! Wireless networks are convenient, but unless everything in the chain is secure and your laptop is secure... you could be compromised. The threats seem to be a shifting landscape as new technology and capabilities are employed. Often the people that set up the networks are not security specialists and are not aware of emerging threats. They can set up the technology, but do not employ security in depth.

Sorry about the scare... but better to be safe than sorry.
__________________
chinaco is offline   Reply With Quote

Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 12:20 PM   #2
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jul 2006
Location: Pacific latitude 20/49
Posts: 5,705
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
Even if you use SSL, there are ways to fool you if you are not on guard (with man in the middle)...
I have always believed that, as long as the site I am accessing is https (SSL), then the information that passes is encrypted and would require a high level of espionage to crack the code. Such is the case for all my financial sites.

I know that emails are often in the clear but the crooks are welcome to see that stuff. I know they steal email addresses and sell them for Spam but I consider that to be one of the costs of WiFi convenience.
__________________
For the fun of it...Keith
kcowan is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 06:33 PM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by kcowan
I have always believed that, as long as the site I am accessing is https (SSL), then the information that passes is encrypted and would require a high level of espionage to crack the code. Such is the case for all my financial sites.

I know that emails are often in the clear but the crooks are welcome to see that stuff. I know they steal email addresses and sell them for Spam but I consider that to be one of the costs of WiFi convenience.
What you stated is true... If the scenario played out as you stated it.

It is possible for someone to trick you and get in the middle between you and the intended site. If they control the network you are on, they could set up an SSL session with their proxy and terminate your SSL session at the proxy, sniff the traffic, establish an SSL session with the target site via the proxy and send your original request along. See this link: http://en.wikipedia.org/wiki/Man_in_the_middle_attack

Or if the criminal is on the network, they can attempt to gain access to your laptop, download a key logger and have it send back the raw key strokes you enter over the wireless network to a site that just captures the stream.

There are many other techniques to attack your PC and steal information... It is scary.

So yes, if you have everything bolted down absolutely tight and are very very careful, you might ward off an attempt. But most people are fairly careless (or ignorant or both) and do not have their computer properly secured.

__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 07:23 PM   #4
Recycles dryer sheets
 
Join Date: May 2007
Posts: 137
Re: Be careful managing assets, accounts, money, over the internet on wireless

Two of the financial institutions I deal with have gone to a new security program that IDs the computer you are using. If the computer ID is different from the one in their system you have to answer some security questions. At the end of the security questions they give a warning to you on the use of internet cafe computers. We also have an account with a German bank that requires the standard stuff, ID and password, but also the input of a group of numbers. They send you the numbers in the mail and they can only be used once. It is a hassle but secure.
__________________
Freein05 is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 09:55 PM   #5
Full time employment: Posting here.
 
Join Date: Jan 2007
Posts: 582
Re: Be careful managing assets, accounts, money, over the internet on wireless

So when you're not at home, and out using your wireless connection at a coffee shop or wherever, is it ok as long as you're doing generic web surfing (nothing requiring passwords)?
__________________

WM is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-09-2007, 10:15 PM   #6
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
It is possible for someone to trick you and get in the middle between you and the intended site. If they control the network you are on, they could set up an SSL session with their proxy and terminate your SSL session at the proxy, sniff the traffic, establish an SSL session with the target site via the proxy and send your original request along. See this link: http://en.wikipedia.org/wiki/Man_in_the_middle_attack
Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.

I suppose it's still good to remind folks not to blithely ignore certificate warnings.
__________________
mja is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 04:18 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by WM
So when you're not at home, and out using your wireless connection at a coffee shop or wherever, is it ok as long as you're doing generic web surfing (nothing requiring passwords)?
Forget the man-in-the-middle attack for a minute. If your computer is not properly secured on that network, or for that matter on the internet, someone can break in. I am not sure you are any more at risk on a wifi link than on the internet. But, if you happen to be in an area where someone is trolling, they could focus on you since you are a refined target (rather than just casting a broad net).


Quote:
Originally Posted by mja
Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.

I suppose it's still good to remind folks not to blithely ignore certificate warnings.
You are mistaken if you think the general public has the least understanding of the vulnerabilities of the technology. On the cert warning... yes, if an attacker approached it that way, you would see the warning. Hopefully the victim is aware and understands what it means in the days of blocking popups and other crap (it is easy to get distracted). People make mistakes!

There are sophisticated ways to have a valid cert that will not throw a warning! You would really have to be watching to catch it. Here is an example. An overseas location where expats gather for coffee and social chat. It has a wifi hotspot. Many people do their money transfers there. If the connection to that router is not secured, someone could target people for an attack on the network and compromise your computer and just wait for phone home messages. A more sophisticated approach would be to get next door and create a second wifi signal. Hopefully some people will select it. Now that person is on their network before the onramp to the internet. They can employ a variety of technologies to trick you and get in the middle.

This is an area where it pays to be paranoid. Do not assume the network is safe!

It would be safer if the cafe owner issued you a temporary key to get on their network and it was encrypted using WPA2. At least then, if the owner was not corrupt, you would have some assurance of a safe onramp to the internet.
__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 07:15 AM   #8
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,219
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by mja
Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.
I suppose it's still good to remind folks not to blithely ignore certificate warnings.
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site html, just need to fill in some software to provide the user/pw function.

How would you know, you ask? Because you would get a fake error telling you to try later, obviously it can't actually log you in. Run to another internet spot and login and change your password. You can also run pathping before you try to login to the site, example: pathping -q 1 google.com

Save the routing in a file, when at a hotspot, rerun, check the route, especially the last couple of hops.
TJ
__________________
teejayevans is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 07:46 AM   #9
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Be careful managing assets, accounts, money, over the internet on wireless

If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.
__________________
mja is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 01:00 PM   #10
Recycles dryer sheets
 
Join Date: Jan 2007
Location: Los Angeles area
Posts: 329
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by mja
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.
mja, that is my understanding as well, provided that Fidelity's servers have not been compromised. Unless there's a new weakness in the encryption protocols I haven't heard about yet. (The Early Retirement Forum, home of 0day exploits...)

__________________
figner is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 01:13 PM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jul 2006
Location: Pacific latitude 20/49
Posts: 5,705
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by teejayevans
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site html, just need to fill in some software to provide the user/pw function.
I am pretty sure that IE7 has a phishing alert that pops up on any site that is not what the URL was initially aimed at. I have seen it work for bogus Paypal requests.
__________________
For the fun of it...Keith
kcowan is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 02:00 PM   #12
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,219
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by kcowan
I am pretty sure that IE7 has a phishing alert that pops up on any site that is not what the URL was initially aimed at. I have seen it work for bogus Paypal requests.
Won't work...

When you attach to the network, the network gives you DNS servers, those DNS servers are not root servers, they are local to that network/domain. So now I create a DNS server that returns 1.1.1.1 for www.fidelity.com. IE doesn't know what the real address is and doesn't care. 1.1.1.1 is a fake fidelity site, when the secure connection is made, it's to 1.1.1.1, so no one will see what you are sending to 1.1.1.1, but that doesn't matter much does it?

The phishing is when you have a link, which has the title that you see and the actual link you don't, like this:
<a href="http://www.google.com">http://www.ask.com</a>

If you create a file called tst.html with that line in it and open it with IE you'll see what I mean (IE 6 doesn't complain BTW).
Understand?
TJ
__________________
teejayevans is offline   Reply With Quote
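The deceptive-link trick TJ describes (visible text says one site, href goes to another) is something a page scanner can flag mechanically. This is an added example, not code from the thread; it checks only double-quoted hrefs and uses a constructed sample page that includes the post's own google/ask.com anchor.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// anchorRe pulls the href and the visible text out of each <a ...>...</a>.
// It handles the double-quoted href form, which is what the post shows.
var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`<[^>]*>`)
)

// Mismatch is one link whose visible text names a different site than the
// one the href actually leads to.
type Mismatch struct {
	Shown  string // host the reader sees in the link text
	Actual string // host the browser would really connect to
}

// hostOf normalises a URL or bare hostname to a comparable host, dropping a
// leading "www." so that www.ask.com and ask.com compare equal.
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
}

// looksLikeAddress is true when the visible text is itself presented as a
// URL or hostname; only then is a host mismatch deceptive.
func looksLikeAddress(text string) bool {
	text = strings.TrimSpace(text)
	return text != "" && !strings.ContainsAny(text, " \t\r\n") &&
		(strings.Contains(text, "://") || strings.Contains(text, "."))
}

// SuspiciousLinks returns every anchor in page whose displayed address and
// real destination point at different hosts.
func SuspiciousLinks(page string) []Mismatch {
	var out []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(page, -1) {
		href := html.UnescapeString(m[1])
		text := html.UnescapeString(tagRe.ReplaceAllString(m[2], ""))
		if !looksLikeAddress(text) {
			continue
		}
		shown, actual := hostOf(text), hostOf(href)
		if shown != "" && actual != "" && shown != actual {
			out = append(out, Mismatch{Shown: shown, Actual: actual})
		}
	}
	return out
}

// SamplePage is a constructed snippet: the post's own example plus two
// honest links that must not be flagged.
const SamplePage = `<p>Links:</p>
<a href="http://www.google.com">http://www.ask.com</a>
<a href="https://www.example.com/login">https://example.com/login</a>
<a href="https://www.example.com/help">Help and FAQ</a>`

func main() {
	for _, m := range SuspiciousLinks(SamplePage) {
		fmt.Printf("text shows %s but the link goes to %s\n", m.Shown, m.Actual)
	}
}
```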
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 02:04 PM   #13
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,219
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by mja
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.
See append above, you don't directly go to www.fidelity.com. The gateway can route you to a bogus server. The DNS server can give you the wrong address, see my other append.

It's like if you make a phone call to a friend's home, but they have autoforwarding on and it ends up at work. You think you are talking to your friend at home, but they are at work. Now imagine they have a twin who sounds just like him/her, unless you ask some personal questions, you would not know who you are talking to. For example, what's my account balance? Your real friend will know, your friend's twin will not. The security only prevents other people from listening to the conversation.
TJ
__________________
teejayevans is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 02:23 PM   #14
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by teejayevans
see append above, you don't directly go to www.fidelity.com
The gateway can route you to a bogus server
The DNS server can give you the wrong address, see my other append
Yes, DNS can give you the wrong IP address, but the certificate still won't verify, because the MITM doesn't have Fidelity's private key.
__________________
mja is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 02:45 PM   #15
Recycles dryer sheets
 
Join Date: Mar 2007
Posts: 160
Re: Be careful managing assets, accounts, money, over the internet on wireless

Heaven knows, I am barely computer literate, knowing only enough to have a firewall, anti-virus software up to date, stay off of porn sites, etc. And I never put sensitive info into an email, etc. But I do access the secured sites for our brokerage and bank accounts, etc.

But some of this discussion reminds me of the time I helped our local food coop get a mortgage way back when. They didn't have what the bank wanted for a downpayment, so I handed over a CD of mine to the bank to hold and the bank held it for collateral. The inevitable happened, the food coop went belly up and the building went into foreclosure.

My attorney was full of gloom and doom, relating to me all the liability danger I faced, all the bank could do to get money out of me, etc., until it looked like we'd be out in the street with the shirts on our backs.

So I said to him, " I recognize that the bank CAN do all that, and I recognize that I am in a dangerous position and that you need to warn me of all the negative possibilities. But what do you think will ACTUALLY happen? What will the bank ACTUALLY do?". And he said, "oh, they will just keep your CD". And that is what happened.

I realize that all these dangers exist, but of any given transaction done over wireless using your own laptop in an internet cafe or other location in Europe or anywhere else, what percentage risk is there of interception and compromising of your financial accounts?

Are we talking getting struck by lightning here? Mugged on the street in daylight? or are we talking about taking a stroll outside the Green Zone in Iraq, or deciding on walking out for pizza late at night in a gang infested neighborhood?

I'm willing to take limited risk, but not risk that is likely I'll lose. Before we leave for Europe, I expect to talk to our broker, let him know where we'll be, and that I'll let him know if we intend any unusual spending. So if he sees any unusual activity, he can email us and ask. Wouldn't that be sufficient?

I don't want to go two months without checking on finances, and since internet cafes and wireless will be probably our only access, how much should I worry? I know this stuff happens, but how prevalent is it? Not what somebody COULD do, but what someone is likely TO do. Thanks.

LooseChickens
__________________
loosechickens is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 04:33 PM   #16
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,219
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by mja
Yes, DNS can give you the wrong IP address, but the certificate still wont verify, because the MITM doesn't have fidelity's private key.
It's not a man-in-the-middle attack, it's that the man on the other end is not who you think it is.
TJ
__________________
teejayevans is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 04:42 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,219
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by loosechickens
Are we talking getting struck by lightning here? Mugged on the street in daylight? or are we talking about taking a stroll outside the Green Zone in Iraq, or deciding on walking out for pizza late at night in a gang infested neighborhood?
Chances are extremely low if you stick to internet cafes. Chances are much higher if you just attach to random hot spots.

Like I said before, a simple pathping command will let you know if this is the case. If you login you are fine, if you get an error message like "system unavailable try again later", double check with pathping, if it's just a couple of hops, find another hotspot and change your password. That's all.
TJ

__________________
teejayevans is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 05:49 PM   #18
Recycles dryer sheets
 
Join Date: Mar 2007
Posts: 160
Re: Be careful managing assets, accounts, money, over the internet on wireless

thanks, TJ......sometimes it's hard to discern between the real and present danger and the danger that "might" happen or "did" happen to somebody, sometime. Especially when you're not any kind of a computer expert. much appreciated.

LooseChickens
__________________
loosechickens is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 05:57 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by teejayevans
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site html, just need to fill in some software to provide the user/pw function.

And then, they could issue a redirect to send you to the real home page after they capture the info. This is part of the reason the VG split the login id and the PW page apart. But, I think some newer browsers can be set to warn on the redirect to a different site.


Quote:
Originally Posted by mja
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.
If it is their cert, I would think you would be OK. As someone said earlier, unless they were compromised.

My point on MITM is that a different cert could be used to terminate your connection/SSL session at a proxy and the proxy could establish a different SSL connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?



---------------------------

My point on the topic was: Do not take security for granted. There are ever emerging threats and clever techniques to trick people and/or compromise your computer.



__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 06:46 PM   #20
Recycles dryer sheets
 
Join Date: May 2007
Posts: 137
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by teejayevans
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site html, just need to fill in some software to provide the user/pw function.
How would you know, you ask? Because you would get a fake error telling you to try later, obviously it can't actually log you in. Run to another internet spot and login and change your password. You can also run pathping before you try to login to the site, example: pathping -q 1 google.com
Save the routing in a file, when at a hotspot, rerun, check the route, especially the last couple of hops.
TJ

My credit union has, on the page where you put your password, a box that has an additional phrase you have given them. If you don't see this phrase you are not on their web site. This helps to prevent you from logging on to a false web page.
__________________
Freein05 is offline   Reply With Quote