Computer security -- a paradigm shift?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
killjoy2012
Posts: 1329
Joined: Wed Sep 26, 2012 5:30 pm

Re: Computer security -- a paradigm shift?

Post by killjoy2012 »

stan1 wrote:Target was using just such a tool, FireEye -- a technology developed with assistance from the CIA that tricks malware into running in a virtual machine so it can be monitored. Target's first tier support in India noticed the attack and notified headquarters in Minneapolis. Minneapolis didn't act (haven't seen an article yet that says why, other than to speculate that the attack happened during the Thanksgiving weekend when there would have been minimal manning at Headquarters and that some at Target might still have been skeptical of the FireEye capability).
Security tools like FireEye will fail too, soon, for the same reason that AV is pretty much dead - same root cause.
lightheir wrote: It is likely that now and in the future, your data will be safer on the cloud than on a home computer then on your home computer with an active online connection.

Corporations of all sizes are already discovering this, and offsourcing a lot of functions like email and office-type apps to Google etc. so they can handle the security rather than attempting to do it in-house with a homebrewed solution. .
I'm not sure what your source is, or how you claim this as fact, but no company is moving their critical data to the cloud for the primary purpose of enhancing security. It's called faster, cheaper, cooler - often, at the cost of security. Do you really think Google has a good security track record? You can start reading here: http://en.wikipedia.org/wiki/Operation_Aurora#History

BlueEars wrote: Maybe I haven't quite woken up this morning (8:30am PST) but isn't the true data just login's and passwords? My banks and Vanguard house the critical data.

I doubt the hackers want to steal my spreadsheets although I'm rather proud of them. They are backed up to my personal cloud e.g. removable disk and memory stick.

Why should a chrome book protect my critical login's and passwords any better then Windows 7 with something like LastPass? It's an interesting thought though.
It's true - Bad Guys have different motives with regard to corporate hacking vs. individuals. The latter is generally more about cyber crime and making a quick buck... whereas the former is more about espionage and stealing IP. I wouldn't argue that a Chromebook is necessarily more secure than a Win7 machine, but you should consider all risks. One newer risk making an appearance in both the corporate and personal space is Cryptolocker - what would you do? http://en.wikipedia.org/wiki/Cryptolocker
patrick wrote: Firewalling off all incoming ports is the default setting for home versions of Windows -- even the obsolete Windows XP with SP2 (released in 2004!) did this. The router, if you use one, is a second level of firewall. UPNP opening ports from inside the home network should only happen if running local software that needs to take incoming connections, and only a problem if the local software is insecure too. UPNP opening ports from outside the home network won't be allowed unless the router is very very bad, which many routers are but not the majority of home users.
While what you state is accurate and helpful in the case of a direct hack attack against your home/work network, it does nothing to protect you from a phish/spearphish or if you visit compromised website/watering hole. Once malware is installed on an internal host (through an email attachment, comp'd website, etc.), odds are your home firewall allows HTTP/HTTPs (or all) traffic outbound to the Internet. The malware installs, heartbeats home, and you're done. Think an outbound proxy server saves you from that at work - think again.
Last edited by killjoy2012 on Tue May 13, 2014 10:46 pm, edited 1 time in total.
longview
Posts: 385
Joined: Wed Mar 19, 2008 5:26 am

Re: Computer security -- a paradigm shift?

Post by longview »

killjoy2012 wrote: While what you state is accurate and helpful in the case of a direct hack attack against your home/work network, it does nothing to protect you from a phish/spearphish or if you visit compromised website/watering hole. Once malware is installed on an internal host (through an email attachment, comp'd website, etc.), odds are your home firewall allows HTTP/HTTPs (or all) traffic outbound to the Internet. The malware installs, heartbeats home, and you're done. Think an outbound proxy server saves you from that at work - think again.
Is there any app that can conveniently monitor your traffic in/out and show you suspicious logs? If all my windows were closes down and I saw a byte coming out every 20 minutes it would be good to know.

Heck, I'd install a box and app between my modem and the hardline for this purpose.
(To color my comments: my situation is ER trying to make a large portfolio that is 99% taxable last 45 years)
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

No privacy in Privacy Conference

Post by VictoriaF »

Here is an example of how cyber security may go awry.

I have signed for PrivacyCon, a conference organized by the Federal Trade Commission (FTC). Earlier today, I received an email with the details. Among other things, the message suggested to come early because over 500 people have signed up and the room capacity is only 400.

What's a problem? The problem is that the "To" field of the message contained all 500+ email addresses! The privacy of the attendees, who include members of military and government, has been violated. The FTC has made two attempts to recall the message, but it was too late.

Update: The FTC has sent a message asking the recipients to delete the message with all email addresses.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
SimonJester
Posts: 2500
Joined: Tue Aug 16, 2011 12:39 pm

Re: No privacy in Privacy Conference

Post by SimonJester »

VictoriaF wrote:Here is an example of how cyber security may go awry.

I have signed for PrivacyCon, a conference organized by the Federal Trade Commission (FTC). Earlier today, I received an email with the details. Among other things, the message suggested to come early because over 500 people have signed up and the room capacity is only 400.

What's a problem? The problem is that the "To" field of the message contained all 500+ email addresses! The privacy of the attendees, who include members of military and government, has been violated. The FTC has made two attempts to recall the message, but it was too late.

Update: The FTC has sent a message asking the recipients to delete the message with all email addresses.

Victoria
Oops! Wow what a blunder, would have been better if it kicked off multiple reply to all messages with "why did you email me this", followed by dozens upon dozens of replay to all emails telling people to stop replying to all!
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: No privacy in Privacy Conference

Post by VictoriaF »

SimonJester wrote:
VictoriaF wrote:Here is an example of how cyber security may go awry.

I have signed for PrivacyCon, a conference organized by the Federal Trade Commission (FTC). Earlier today, I received an email with the details. Among other things, the message suggested to come early because over 500 people have signed up and the room capacity is only 400.

What's a problem? The problem is that the "To" field of the message contained all 500+ email addresses! The privacy of the attendees, who include members of military and government, has been violated. The FTC has made two attempts to recall the message, but it was too late.

Update: The FTC has sent a message asking the recipients to delete the message with all email addresses.

Victoria
Oops! Wow what a blunder, would have been better if it kicked off multiple reply to all messages with "why did you email me this", followed by dozens upon dozens of replay to all emails telling people to stop replying to all!
One person did exactly what you describe, i.e., sent a Reply All to 500+ people. He has a long signature indicating that he is in marketing for a Northern Virginia contractor. I am wondering if he used his indignation as a marketing tool.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
DiamondplateDave
Posts: 209
Joined: Sat Jun 06, 2015 10:23 pm

Re: No privacy in Privacy Conference

Post by DiamondplateDave »

SimonJester wrote: Oops! Wow what a blunder, would have been better if it kicked off multiple reply to all messages with "why did you email me this", followed by dozens upon dozens of replay to all emails telling people to stop replying to all!
I actually saw this happen. It snowballed and made the email list useless. One person emailed all with a "please unsubscribe me" request; then two more, then many got tired of the barrage. I still cringe when I see people sending out emails with the addys visible. 500 recipients....350 Windows machines....10 will be infected with something in the next year that harvests the address book...
Then, there was a time my work IT department sent out a virus warning...with a live link to the virus. :oops:
Post Reply