Is security on the web really possible?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities

Is security on the web really possible?

Postby CountryBoy » Thu Jul 25, 2013 1:15 pm

Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
User avatar
CountryBoy
 
Posts: 1435
Joined: Wed Feb 28, 2007 11:21 am
Location: NY

Re: Is security on the web really possible?

Postby Sidney » Thu Jul 25, 2013 1:23 pm

I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.
I always wanted to be a procrastinator.
Sidney
 
Posts: 5807
Joined: Thu Mar 08, 2007 7:06 pm

Re: Is security on the web really possible?

Postby VictoriaF » Thu Jul 25, 2013 1:34 pm

Absolute security is not available anywhere. In comparison to the brick-and-mortar environment, the Web poses some new threats and requires some new safeguards. In the referenced case, the target was financial institutions rather than consumer systems. One way to protect oneself from such events is to keep funds in multiple institutions. The pursuit of simplicity indicates keeping all funds in, e.g., Vanguard; the desire for security suggests diversifying assets among, e.g., Vanguard, Fidelity, and TIAA-CREF.

Victoria
Last edited by VictoriaF on Thu Jul 25, 2013 1:39 pm, edited 2 times in total.
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
User avatar
VictoriaF
 
Posts: 12377
Joined: Tue Feb 27, 2007 8:27 am
Location: Black Swan Lake

Re: Is security on the web really possible?

Postby rjsob58 » Thu Jul 25, 2013 1:37 pm

By "one can protect oneself" do you mean you, as an individual? If so, then no except maybe to go to a strictly cash, "off the grid" lifestyle. The only other way I can think of would be to disperse all your assets among a lot of different accounts so that no one account holds a significant portion of your assets, thus limiting your exposure to any single hacking incident. You could also reduce your credit limits on all your credit cards, again limiting your exposure to loss from a single incident.
rjsob58
 
Posts: 76
Joined: Thu Mar 14, 2013 11:50 am

Re: Is security on the web really possible?

Postby Epsilon Delta » Thu Jul 25, 2013 4:26 pm

In the real world limiting losses to theft is done by a combination of making theft technically difficult* and catching and punishing thieves after the fact. Here we have a case of catching and punishing thieves. Many people believe that the web is not part of the real world, but they are wrong.

* Using locks, armed guards etc.
User avatar
Epsilon Delta
 
Posts: 3440
Joined: Thu Apr 28, 2011 8:00 pm

Re: Is security on the web really possible?

Postby Ged » Thu Jul 25, 2013 4:35 pm

Sidney wrote:I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.


It is truism that a perfectly secure system would have provisions so onerous that it would be unusable.

The best you can hope for is to make it financially unattractive; that is the cost to build an effective attack would be higher than the benefit.
What do we want? Evidence driven change. | When do we want it? After peer review.
User avatar
Ged
 
Posts: 2095
Joined: Mon May 13, 2013 2:48 pm
Location: Roke

Re: Is security on the web really possible?

Postby telemark » Thu Jul 25, 2013 5:35 pm

The attack is on the computers that store card information and process transactions, so if you own credit or debit cards you are vulnerable, whether or not you use the web. Read the fine print on your card agreements, and keep an eye on your credit card transactions: using the web lets you do this more often.
User avatar
telemark
 
Posts: 960
Joined: Sat Aug 11, 2012 7:35 am

Re: Is security on the web really possible?

Postby Sidney » Thu Jul 25, 2013 5:45 pm

telemark wrote:keep an eye on your credit card transactions: using the web lets you do this more often.

I try to do this weekly. Since I have to go in once a month to pay the bill, that is only 3 extra times per month. Takes seconds; worth it.
I always wanted to be a procrastinator.
Sidney
 
Posts: 5807
Joined: Thu Mar 08, 2007 7:06 pm

Re: Is security on the web really possible?

Postby greg24 » Thu Jul 25, 2013 5:46 pm

There is always a risk. As there is risk in most things in life.
User avatar
greg24
 
Posts: 2162
Joined: Tue Feb 20, 2007 11:34 am

Re: Is security on the web really possible?

Postby mnaspbh » Thu Jul 25, 2013 11:35 pm

CountryBoy wrote:Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp


If all of the breaches were caused by SQL injection attacks, then the targeted systems were being run by people who don't really understand computer security, or who were just lazy. SQL injection is a very very old technique with easy-to-apply and well-established ways of preventing it.

One easy way to identify companies that really don't understand computer security (or SQL injection attacks and their content-escaping-based cousins): do they prohibit using a single quote, double quote, or dollar sign in a password? If so, they don't get it, and it's probably best to avoid using their services.

(sorry to say that Vanguard's advice on "creating a strong password" is so-so, and the section on "security questions" is really bad)
mnaspbh
 
Posts: 58
Joined: Fri Sep 09, 2011 1:26 pm

Re: Is security on the web really possible?

Postby Watty » Fri Jul 26, 2013 12:31 am

greg24 wrote:There is always a risk. As there is risk in most things in life.


You also need to consider who is taking the risk.

Things like using credit cards on the internet is secure enough that the card issuing company is willing to take the risk in exchange for all the money they make on the credit cards. Other than then inconvenience I have very little monetary risk when I buy something on the internet with my credit card.
User avatar
Watty
 
Posts: 4708
Joined: Wed Oct 10, 2007 4:55 pm

Re: Is security on the web really possible?

Postby JMacDonald » Fri Jul 26, 2013 9:34 am

Here is an article about this problem: http://www.latimes.com/business/la-fi-p ... 8913.story
Nearly every incident of online espionage in 2012 involved some sort of a phishing attack, according to a survey compiled by Verizon Communications Inc., the nation's largest wireless carrier.
Best Wishes, | Joe
User avatar
JMacDonald
 
Posts: 1583
Joined: Mon Feb 19, 2007 6:53 pm

Re: Is security on the web really possible?

Postby Mudpuppy » Sat Jul 27, 2013 2:48 am

CountryBoy wrote:Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp

The first step towards implementing a computer security plan is to accept that you cannot protect against everything. This doesn't mean you should give up and employ absolutely no security measures however. It just means you need to a) make priorities about what you want to secure and b) develop a security plan that encompasses prevention, detection, and response. Then you need to circle back to the first step and realize that no plan will be perfect, but having some plan is better than having no plan.
Mudpuppy
 
Posts: 2690
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: Is security on the web really possible?

Postby lostInFinance » Sat Jul 27, 2013 11:04 pm

I think a discussion of the technical issues really misses the point. I bet if your account was hacked and you didn't do something completely stupid, like make your password password, Vanguard will almost certainly absorb the loss. The cost of making you whole is almost certainly less than the bad publicity if the public becomes afraid of holding mutual funds. In all these computer security threads, despite the alleged severity of the threat, no one has been able to find a single real life example of an individual having un-reimbursed losses due to computer fraud with their mutual funds. And the idea of diversifying between Vanguard and Fidelity strikes me as near tin foil hat thinking.
lostInFinance
 
Posts: 218
Joined: Sun Mar 03, 2013 4:57 pm

No

Postby davebarnes » Sun Jul 28, 2013 5:31 pm

Is security on the web really possible?
No
Relax and enjoy the ride.
A nerd living in Denver
User avatar
davebarnes
 
Posts: 422
Joined: Wed Jan 02, 2008 8:06 pm
Location: Berkeley, Denver, Colorado USA

Re: Is security on the web really possible?

Postby prudent » Sun Jul 28, 2013 6:04 pm

Not possible to have absolute security. You have brilliant programmers being paid a lot of money to do this kind of thing, and organized crime has lots of time and resources. They can co-opt insiders for information, try to plant their own people in jobs with access to data and that's beyond just using SQL injection attacks. The fact that SQL injection still works shows that the companies responsible for safeguarding data are not good at it. It's just about impossible to write bulletproof software that is complex. I think this problem will only get worse. Only when the financial losses are so painful that companies put more money into security will it get better. At the moment it comes down to a cost-benefit analysis, and the cost of losses do not justify paying more to improve security systematically. Sure, known vulnerabilities are going to be corrected, but it's like an arms race.
User avatar
prudent
 
Posts: 1246
Joined: Fri May 20, 2011 3:50 pm

Re: Is security on the web really possible?

Postby kwan2 » Sun Jul 28, 2013 9:06 pm

i've been reading up on SSL, Tor, VPNs, OpenVPN, I would say, the question would be from whom.
http://yro.slashdot.org/story/10/03/26/1334254/Government-Could-Forge-SSL-Certificates

it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.

i did install certificate patrol on FF, though, i'm not sure i understand it all. and changed to opera for flash and gmail, as chrome uses IE's certificates, which apparently are more dubious.

Tor is slow, but the endpoints are worldwide, so if more ppl use it, maybe it would get faster someday, maybe post-snowden, more ppl will grow its nodes.

see:eff.org for fun, i am 1 in 3 million /uniquely identifable with 21 bits of information
https://panopticlick.eff.org/index.php? ... log&js=yes :sharebeer

:beer
The best lack all conviction, while the worst | Are full of passionate intensity-Yeats 1919;Out of every fruition of success,no matter what, comes forth something to make a new effort necessary -Whitman
User avatar
kwan2
 
Posts: 245
Joined: Thu Jun 14, 2012 10:13 pm

Re: Is security on the web really possible?

Postby Epsilon Delta » Sun Jul 28, 2013 10:41 pm

kwan2 wrote:it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.

Lots of things are trivial for a government.

If you're worried about a government targeting you, you're probably not going to be able to stay secure even with extreme technical measures. If you're worried about it in a more general way you're best bet it to get involved politically.
User avatar
Epsilon Delta
 
Posts: 3440
Joined: Thu Apr 28, 2011 8:00 pm


Return to Personal Consumer Issues

Who is online

Users browsing this forum: Bill Bernstein, jstat, Juniper and 50 guests