Is security on the web really possible?
- CountryBoy
- Posts: 1777
- Joined: Wed Feb 28, 2007 9:21 am
- Location: NY
Is security on the web really possible?
Read the article below and then tell me if you think there is any way one can protect oneself from attacks such as this:
http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
Re: Is security on the web really possible?
I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.
I always wanted to be a procrastinator.
Re: Is security on the web really possible?
Absolute security is not available anywhere. In comparison to the brick-and-mortar environment, the Web poses some new threats and requires some new safeguards. In the referenced case, the target was financial institutions rather than consumer systems. One way to protect oneself from such events is to keep funds in multiple institutions. The pursuit of simplicity indicates keeping all funds in, e.g., Vanguard; the desire for security suggests diversifying assets among, e.g., Vanguard, Fidelity, and TIAA-CREF.
Victoria
Last edited by VictoriaF on Thu Jul 25, 2013 12:39 pm, edited 2 times in total.
Inventor of the Bogleheads Secret Handshake
Winner of the 2015 Boglehead Contest.
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: Is security on the web really possible?
By "one can protect oneself" do you mean you, as an individual? If so, then no except maybe to go to a strictly cash, "off the grid" lifestyle. The only other way I can think of would be to disperse all your assets among a lot of different accounts so that no one account holds a significant portion of your assets, thus limiting your exposure to any single hacking incident. You could also reduce your credit limits on all your credit cards, again limiting your exposure to loss from a single incident.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Is security on the web really possible?
In the real world limiting losses to theft is done by a combination of making theft technically difficult* and catching and punishing thieves after the fact. Here we have a case of catching and punishing thieves. Many people believe that the web is not part of the real world, but they are wrong.
* Using locks, armed guards etc.
Re: Is security on the web really possible?
Sidney wrote: I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.
It is a truism that a perfectly secure system would have provisions so onerous that it would be unusable.
The best you can hope for is to make it financially unattractive; that is the cost to build an effective attack would be higher than the benefit.
Re: Is security on the web really possible?
The attack is on the computers that store card information and process transactions, so if you own credit or debit cards you are vulnerable, whether or not you use the web. Read the fine print on your card agreements, and keep an eye on your credit card transactions: using the web lets you do this more often.
Re: Is security on the web really possible?
telemark wrote: keep an eye on your credit card transactions: using the web lets you do this more often.
I try to do this weekly. Since I have to go in once a month to pay the bill, that is only 3 extra times per month. Takes seconds; worth it.
I always wanted to be a procrastinator.
Re: Is security on the web really possible?
There is always a risk. As there is risk in most things in life.
Re: Is security on the web really possible?
CountryBoy wrote: Read the article below and then tell me if you think there is any way one can protect oneself from attacks such as this:
http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
If all of the breaches were caused by SQL injection attacks, then the targeted systems were being run by people who don't really understand computer security, or who were just lazy. SQL injection is a very very old technique with easy-to-apply and well-established ways of preventing it.
One easy way to identify companies that really don't understand computer security (or SQL injection attacks and their content-escaping-based cousins): do they prohibit using a single quote, double quote, or dollar sign in a password? If so, they don't get it, and it's probably best to avoid using their services.
(sorry to say that Vanguard's advice on "creating a strong password" is so-so, and the section on "security questions" is really bad)
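An added example, not part of the original post, showing the well-established prevention the post above refers to: a statement built by string concatenation beside a parameterized one, plus salted password hashing, which is why quotes and dollar signs in a password are harmless to a correctly built site. The table layout, account names and inputs are constructed for illustration, using Python's built-in `sqlite3`.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_pw(password, salt):
    # The password is hashed before storage, so its characters never reach SQL text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(db, name, password):
    salt = os.urandom(16)
    # Placeholders (?) pass values as data, separate from the SQL statement.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw(password, salt)))

def login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(hash_pw(password, row[0]), row[1])

def lookup_unsafe(db, name):
    # Vulnerable pattern: input is spliced into the statement, so a quote changes its structure.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def demo():
    db = make_db()
    register(db, "alice", "p'a\"ss$word")   # constructed sample accounts
    register(db, "o'brien", "correct horse")
    crafted = "x' OR '1'='1"                # constructed input containing a quote
    try:
        lookup_unsafe(db, "o'brien")
        legit_name_ok = True
    except sqlite3.OperationalError:
        legit_name_ok = False               # an ordinary apostrophe breaks the query
    return {
        "special_char_login": login(db, "alice", "p'a\"ss$word"),
        "unsafe_rows_for_crafted": len(lookup_unsafe(db, crafted)),
        "safe_rows_for_crafted": len(lookup_safe(db, crafted)),
        "unsafe_handles_apostrophe": legit_name_ok,
        "safe_handles_apostrophe": lookup_safe(db, "o'brien") == [("o'brien",)],
    }

if __name__ == "__main__":
    print(demo())
```

A site that bans quotes in passwords is usually compensating for the concatenated pattern; the parameterized form needs no such restriction.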
Re: Is security on the web really possible?
greg24 wrote: There is always a risk. As there is risk in most things in life.
You also need to consider who is taking the risk.
Things like using credit cards on the internet are secure enough that the card issuing company is willing to take the risk in exchange for all the money they make on the credit cards. Other than the inconvenience I have very little monetary risk when I buy something on the internet with my credit card.
- JMacDonald
- Posts: 2386
- Joined: Mon Feb 19, 2007 4:53 pm
Re: Is security on the web really possible?
Here is an article about this problem: http://www.latimes.com/business/la-fi-p ... 8913.story
Nearly every incident of online espionage in 2012 involved some sort of a phishing attack, according to a survey compiled by Verizon Communications Inc., the nation's largest wireless carrier.
Best Wishes,
Joe
Re: Is security on the web really possible?
CountryBoy wrote: Read the article below and then tell me if you think there is any way one can protect oneself from attacks such as this:
http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
The first step towards implementing a computer security plan is to accept that you cannot protect against everything. This doesn't mean you should give up and employ absolutely no security measures, however. It just means you need to a) make priorities about what you want to secure and b) develop a security plan that encompasses prevention, detection, and response. Then you need to circle back to the first step and realize that no plan will be perfect, but having some plan is better than having no plan.
-
- Posts: 218
- Joined: Sun Mar 03, 2013 2:57 pm
Re: Is security on the web really possible?
I think a discussion of the technical issues really misses the point. I bet if your account was hacked and you didn't do something completely stupid, like make your password password, Vanguard will almost certainly absorb the loss. The cost of making you whole is almost certainly less than the bad publicity if the public becomes afraid of holding mutual funds. In all these computer security threads, despite the alleged severity of the threat, no one has been able to find a single real life example of an individual having un-reimbursed losses due to computer fraud with their mutual funds. And the idea of diversifying between Vanguard and Fidelity strikes me as near tin foil hat thinking.
-
- Posts: 542
- Joined: Wed Jan 02, 2008 6:06 pm
- Location: Berkeley, Denver, Colorado USA
Re: Is security on the web really possible?
Not possible to have absolute security. You have brilliant programmers being paid a lot of money to do this kind of thing, and organized crime has lots of time and resources. They can co-opt insiders for information, try to plant their own people in jobs with access to data and that's beyond just using SQL injection attacks. The fact that SQL injection still works shows that the companies responsible for safeguarding data are not good at it. It's just about impossible to write bulletproof software that is complex. I think this problem will only get worse. Only when the financial losses are so painful that companies put more money into security will it get better. At the moment it comes down to a cost-benefit analysis, and the cost of losses does not justify paying more to improve security systematically. Sure, known vulnerabilities are going to be corrected, but it's like an arms race.
Re: Is security on the web really possible?
i've been reading up on SSL, Tor, VPNs, OpenVPN, I would say, the question would be from whom.
http://yro.slashdot.org/story/10/03/26/ ... rtificates
it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.
i did install certificate patrol on FF, though, i'm not sure i understand it all. and changed to opera for flash and gmail, as chrome uses IE's certificates, which apparently are more dubious.
Tor is slow, but the endpoints are worldwide, so if more ppl use it, maybe it would get faster someday, maybe post-snowden, more ppl will grow its nodes.
see: eff.org for fun, i am 1 in 3 million / uniquely identifiable with 21 bits of information
https://panopticlick.eff.org/index.php? ... log&js=yes
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay.”
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Is security on the web really possible?
kwan2 wrote: it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.
Lots of things are trivial for a government.
If you're worried about a government targeting you, you're probably not going to be able to stay secure even with extreme technical measures. If you're worried about it in a more general way your best bet is to get involved politically.