Be careful managing assets, accounts, money, over the internet on wireless

figner said:
You may still run into the occasional web site that's been customized for IE and simply won't work well with Firefox. I wind up using IE a couple times a month, but I try to keep that to a minimum and visit only sites I trust (i.e. www.fidelity.com, but not www.funwithsheep.com :LOL: )
There is a Firefox extension that lets you open a link in an IE tab. It is convenient but, of course, uses the IE engine, exposing you to its vulnerabilities.
 
chinaco said:
True enough on the CA and the warning. Some exploits get complicated enough that they are theoretically possible... but would be complicated to attempt against individuals. Rather, the criminals go after the large data store by attacking the site.

I'm curious which exploits you're referring to? Feel free to PM me if this is getting too esoteric for the thread. I can think of one off the top of my head, but don't think it's likely enough to warrant worrying about.

chinaco said:
The CA check can be circumvented if the attacker can get control of the person's computer. For example, on a rogue WI-FI network (if someone accidentally selected it instead of the intended cafe connection)... The rogue network could employ an internal CA and proxy server. The hacker could get on someone's computer, then import a new CA in the browser CA list. Then the browser could validate against the internal CA server and not throw the warning. Most of this technology could be set up on a single laptop. It is a bit complicated.

That again assumes that the user's system is vulnerable. Taking the steps I listed before will generally protect you from attackers. Of course, any system is hackable given enough resources, but it's a lot like home security - if you make yourself a difficult enough target, chances are an attacker will move on to an easier job.

I agree that if you're going to target an individual, it's probably much easier to use social engineering. And also much more profitable to target corporate sites which process lots of user data.
 
I just finished "Stealing Your Life" (?) by Frank Abagnale (hero and author of "Catch Me If You Can", although DiCaprio looks a lot better than the real thing...) Abagnale covers a lot of the scams of the modern world. Particularly disturbing is the near lack of accountability the financial institutions have if something goes wrong electronically. Read the book for details, or the dense contract verbiage if you dare. Apparently, if you don't use software provided by the bank/brokerage/etc., you can be SOL if you get your identity lifted.

I'm certainly no expert, but the gist of what I read is that most scamming is done by deception rather than interception. It's much more productive to set up a bogus web site, or skim credit and debit cards at a restaurant or via a phony ATM unit, because you're getting the victim to come to you. Just consider the concept of putting in a sniffer to sift through reams of internet traffic. Sure, it could happen, but the probability of getting anything useful is probably very, very low. It may work in spy movies, or for the NSA, but for Joe Hacker, quite frankly, it's unlikely he's written code to search through random packets for a credit card # which was probably SSL or otherwise encrypted going past, anyway. OTOH, keystroke logging would be a definite worry. I would never do personal financial transactions at a public internet terminal. I would be somewhat, but less, paranoid using my PC on somebody else's network.
 
pedorrero said:
I'm certainly no expert, but the gist of what I read is that most scamming is done by deception rather than interception.

Yeah, that would be my guess too. You probably just need a tiny response rate to your "Make money fast" or phishing spam to rake in the bucks. And I seem to remember that relatively recently, you could google for credit card numbers (maybe using common prefixes) and come up with a lot of valid ones.

That Abagnale book sounds interesting, it's now on my to-read list.
 
figner said:
I'm curious which exploits you're referring to? Feel free to PM me if this is getting too esoteric for the thread. I can think of one off the top of my head, but don't think it's likely enough to warrant worrying about.

That again assumes that the user's system is vulnerable. Taking the steps I listed before will generally protect you from attackers. Of course, any system is hackable given enough resources, but it's a lot like home security - if you make yourself a difficult enough target, chances are an attacker will move on to an easier job.

I agree that if you're going to target an individual, it's probably much easier to use social engineering. And also much more profitable to target corporate sites which process lots of user data.


Yup... almost all exploits require the system to be vulnerable in some way, or to trick someone, or both.
 
teejayevans said:
It's not a Man in the middle attack, it's that the man on the other end is not who you think it is.
TJ

Dude, that doesn't matter. I said I would attempt to directly access https://www.fidelity.com
They can point that to any IP address they want, but they (given no compromise of fidelity's key, or one of the root CAs) can't present a certificate that my browser will accept without presenting a warning.
 
chinaco said:
And then, they could issue a redirect to send you to the real home page after they capture the info. This is part of the reason the VG split the login id and the PW page apart. But, I think some newer browsers can be set to warn on the redirect to a different site :confused:

That's why I access fidelity (et al) by going to https://www.fidelity.com instead of http://www.fidelity.com
There will be no redirect trickery since I'm not going to proceed to login after I get an unverified cert.

If it is their cert, I would think you would be OK. As someone said earlier unless they were compromised.

My point on MITM is that a different cert could be used to terminate your connection/ssl session at a proxy and the proxy could establish a different ssl connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?

I'll know immediately that they're not using fidelity's cert. My browser will pop up a message saying it was unable to verify the identity of the site. How often do I actually look at the cert on my side? If I get an "unable to verify" when talking to a financial site, *every time*.

My point on the topic was: Do not take security for granted. There are ever emerging threats and clever techniques to trick people and/or compromise your computer.

An important and valid point. I'm just saying that it's possible to do this safely, and to point out that SSL used properly hasn't been compromised in the way you stated.
 
To get around MITM attacks, many financial websites now present a picture that tells the client that this is not a fake website. The picture is assigned to the client when he registers. I think this is a clever and cheap way to get around the MITM.
 
Islandboy said:
To get around MITM attacks, many financial websites now present a picture that tells the client that this is not a fake website. The picture is assigned to the client when he registers. I think this is a clever and cheap way to get around the MITM.

That does not guard against MITM. You are thinking about phishing and/or fake site.

MITM is basically like a wiretap... listening in! Although, they could take some form of control/alter since they have your http request.
 
My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.
 
Traveler said:
My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.

You might want to check your PC for a key logger.

http://en.wikipedia.org/wiki/Keystroke_logging
 
chinaco, your tag line is:

Memorable Moments at Paris Island

Actually, it should be 'Parris Island,' not 'Paris Island.'

Graduate of platoon 160, MCRD Parris Island, September, 1975. :)
 
safari said:
chinaco, your tag line is:

Memorable Moments at Paris Island

Actually, it should be 'Parris Island,' not 'Paris Island.'

Graduate of platoon 160, MCRD Parris Island, September, 1975. :)

You are correct. Thanks. I updated it.

Platoon 174, A company. Arrived on the yellow footprints in July '75
 
Traveler said:
My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.

It is amazing that Fidelity still only requires the minimum for signing on: userid and password. When are they going to start catching up with better security?
 
chinaco said:
Platoon 174, A company. Arrived on the yellow footprints in July '75

I arrived there on 30 May 1975, got formed into A Company, Platoon 157. Then at the end of 1st phase I broke my foot, got sent to MRP (Medical Rehabilitation Platoon -- which was right next to Motivation (remember that? :)) A couple of weeks into MRP my foot was healed enough that they let me and a few others go to the rifle range each day for 2 weeks for rifle qualification. Then after a total of 4 weeks at MRP I got put in Platoon 172 for the rest of 2nd phase. When Platoon 172 went to the rifle range (which I had already done) they put me ahead to Platoon 160 to do 3rd phase. I graduated with Platoon 160 on 12 September 1975. By the way, you have probably guessed that I'm pretty good with dates! :) I think that for the couple of weeks or so I was with Platoon 172 we were probably in the same series. Small world!!!

By the way, in April 2000 I happened to be in SC and visited Parris Island for the first time since leaving in 1975. Seeing the place after 25 years was really cool. The old WWII-era white receiving and forming barracks were all gone, but our A company red brick barracks next to the Grinder were still there and still being used. I also got out to the old gas chamber. No one was around at the time, but it was obvious that it was still being used. The whole place seemed smaller than I remembered since the last time I was there I marched or ran everywhere instead of driving around in a car. :) I was lucky I visited when I did because after 9/11 I think it is difficult for a civilian to go on base. I visited in the afternoon and then about 5:30 AM the next morning (spent the night in Beaufort) I arrived at the gate hoping to see all the platoons doing morning PT. At first the guard wouldn't let me on base because it was too early for visitors but I told him I had graduated there 25 years earlier and just wanted to see the recruits doing morning PT so he let me on base. :)
 
Islandboy said:
It is amazing that Fidelity still only requires the minimum for signing on: userid and password. When are they going to start catching up with better security?

Schwab is the same. A few days ago I sent them an e-mail asking them to implement better security. Many banks do better now and require more than just a user id and password.
 
safari said:
I arrived there on 30 May 1975, got formed into A Company, Platoon 157.

...

Then after a total of 4 weeks at MRP I got put in Platoon 172 for the rest of 2nd phase. When Platoon 172 went to the rifle range (which I had already done) they put me ahead to Platoon 160 to do 3rd phase. I graduated with Platoon 160 on 12 September 1975. By the way, you have probably guessed that I'm pretty good with dates! :) I think that for the couple of weeks or so I was with Platoon 172 we were probably in the same series. Small world!!!

Yes indeed, a small world. I remember the rifle range well. I left PI in early Oct. Went home for a week, then on to NAS Millington in Tennessee for training. I was an air winger. On from there to MCAS New River (Camp Lejeune) in Jax NC. Two med floats (USS GUAM) and home after 4 years.
 
Islandboy said:
It is amazing that Fidelity still only requires the minimum for signing on: userid and password. When are they going to start catching up with better security?

Security is advancing for authentication.

Here is a good link that describes it.

http://www.cs.cornell.edu/Courses/cs513/2005fa/NNLauthPeople.html
Some financial institutions are moving to two-factor authentication. Something you know (password) and something you have (an authentication mechanism)... they are implemented in a variety of ways. But typically in the more secure mechanisms there is a randomly generated security token.

http://www.tech-faq.com/two-factor-authentication.shtml

Two factor can be implemented in a number of ways...

Here is a link to RSA's solution.

http://www.rsa.com/node.aspx?id=1156

I think some companies also allow you to implement a security measure that requires a known third-party to verify your signature (your bank for example) before they will release funds.

The RSA two factor will increase security substantially. But there is a cost to implementing it. Plus you would need to carry the key fob around.
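An added example (not code from the thread, from RSA or from any bank) showing one standard way the "randomly generated" codes on such a token are actually produced: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), plus the bank-side check that tolerates clock drift but refuses a code that was already used, which is what makes a code captured by a key logger worthless. The shared secret and timestamps are the constructed test values published in those RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes with a bank-side verifier.

Added example, not code from the thread, RSA or any bank. The shared secret
and timestamps used below are the constructed test values published in the RFCs.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code: HMAC-SHA1 over the counter, dynamic truncation, modulo."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Bank-side check. Tolerates +/- `skew` steps of clock drift, compares in
    constant time, and never accepts a time step at or below one already consumed,
    so a code captured by a key logger is useless once the owner has used it."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_step = -1                          # highest step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for candidate in range(now - self.skew, now + self.skew + 1):
            if candidate <= self.last_step:          # replay of a consumed step
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                 # RFC test secret (constructed)
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    bank = TotpVerifier(secret)
    code = totp(secret, 1_000_000)
    print(bank.verify(code, 1_000_000))              # True: fresh code
    print(bank.verify(code, 1_000_010))              # False: same step replayed
```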
 
chinaco said:
The RSA two factor will increase security substantially. But there is a cost to implementing it. Plus you would need to carry the key fob around.

Our company uses the token that is shaped like a credit card. It fits in the wallet just like any other card, which makes it very handy.
 
saluki9 said:
Our company uses the token that is shaped like a credit card. It fits in the wallet just like any other card, which makes it very handy.

Yes. I have seen several credit card style implementations. Some automatically generate a random large number that is the key. Others are just a plastic card with something that you need to interpret (not electronically generated). Some of the keys are a usb implementation that you plug into your computer.

I like the key generation model. I should be able to use that with a voice call also.

The problem is if you wind up with several of these devices. It could get cumbersome to keep up with.... The solution generates a new problem.
 
chinaco said:
Yes indeed, a small world. I remember the rifle range well. I left PI in early Oct. Went home for a week, then on to NAS Millington in Tennessee for training. I was an air winger. On from there to MCAS New River (Camp Lejeune) in Jax NC. Two med floats (USS GUAM) and home after 4 years.

Well, the world is getting even smaller. After I left Parris Island, I also got a week off and went home. Then I went to NAS Millington too. :) We were there at the same time. I was in MATSG-90, MATSS-901. I was there longer than you though because I stayed at NAS Millington until May 1978.
 
safari said:
Well, the world is getting even smaller. After I left Parris Island, I also got a week off and went home. Then I went to NAS Millington too. :) We were there at the same time. I was in MATSG-90, MATSS-901. I was there longer than you though because I stayed at NAS Millington until May 1978.

I originally was slated to be a tin bender on airframes. When I arrived at NAS Millington and was being processed for school... I was informed that I did fairly well on the math portion of a test and they needed some people to qualify for Navigator school in NAS Corpus Christi. I thought that sounded kinda interesting so I said OK. I waited around for several months... there were some delays. I got impatient and talked to the Gunny. He indicated that there were some openings in Avionics school. I went to Naval AE school. I was an avionics technician. I was in Millington for about 8 months total... about three or four of those months were just waiting around. Then on to New River to HMM264.... Worked on Boeing CH46F and E model helicopters. Those things are still being used. I see them moving troops and equipment around in Iraq on the news.
 
As the information security guy (until June 1) of a large corporation, I'll suggest that most of these announcements are BS.

Many times, consultants have told me how their guys will break in to our networks (we do pen-testing). Whenever I suggest no results, no fee, they run like a CFB.
 
kumquat said:
As the information security guy (until June 1) of a large corporation, I'll suggest that most of these announcements are BS.

Not sure which announcements you are referring to (as BS). The post from Bunny about the hand held is a fact. Those devices exist...

There are many possible ways (exploits) to pen a corporate network. If a company has a very active/pro-active security program... they might have things in good shape (today). But as new implementations occur (new technology or new implementations of existing technology), improper implementations and/or inherent flaws in the technology open up cracks in the defense in depth security implementation (if it exists).

kumquat said:
Many times, consultants have told me how their guys will break in to our networks (we do pen-testing). Whenever I suggest no results, no fee, they run like a CFB.

Your statement, while a clever quip, is faulty in logic. Of course they would not do it free. As you should know, external security companies do pen tests to verify (audit) that people have implemented (are using) technology properly and/or implementation drift has not opened up holes. Their work is the validation. No company is going to checkout your corporate implementation for free.

-------------------------------------

This is a very real problem... not BS.
 