Computer security

Topic Author
dave1054
Posts: 128
Joined: Wed Apr 01, 2009 7:50 am

Computer security

Post by dave1054 » Tue Mar 19, 2019 10:11 am

Always lived in single family house with large lots and only slightly concerned about hacking. Maybe I was wrong. Now moving to big city in multiunit complex.

Is it “safe” to do online banking and Vanguard investments via wifi secure network or better to hardwire directly from internet port into desktop or laptop? This assumes I have all the other safeguards (antivirus) on computer.

Not mentally ready to do anything on iphone. What is safest option for secure online transactions? Thank you.

quantAndHold
Posts: 3438
Joined: Thu Sep 17, 2015 10:39 pm

Re: Computer security

Post by quantAndHold » Tue Mar 19, 2019 10:20 am

You need to do two things to secure your WiFi.

1. Use a strong password on your WiFi.
2. Set a strong password for the admin user on your modem/router.

If you do both of those things, your security will be roughly equivalent to your security using wired ethernet. The easiest way into your computer won’t be from a guy in the next apartment hacking into your WiFi, it will be a guy in Russia serving up links to bad websites.

The iPhone is probably more secure than your laptop. But the laptop is easier to use, so I wouldn’t worry about it.

jpsfranks
Posts: 991
Joined: Sun Aug 26, 2007 11:45 pm

Re: Computer security

Post by jpsfranks » Tue Mar 19, 2019 10:28 am

Traffic to a site that is encrypted (i.e. typically shown by browsers as lock icon in a browser address bar) is as safe as anything can be on the internet whether over wifi or not. Note that the lock in your browser is entirely separate from the "encryption" on a wifi network (e.g. WPA2), which is not generally trustworthy, and even to the extent that it is, it is not private from anyone else on the network (i.e. your neighbors in the complex on the same network).

For the unencrypted traffic (no lock in the browser) it's marginally safer to be wired in that you aren't broadcasting the data to all your neighbors, but even when wired you don't really have any idea who has access to read that data between you and the destination anyway, so it really comes down to that you shouldn't be doing anything sensitive that isn't encrypted (the browser lock), whether wired or over wifi.

It's almost certain that the most sensitive sites you visit (e.g. banks etc.) are already exclusively encrypted, and it's increasingly common for all sites to use encryption. It's a bit harder to know with device apps outside the browser whether they are using encryption since there is no lock to see, you sort of have to trust the apps that you use unless you know how to monitor their traffic.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 10:59 am

There are multiple layers to your question, but in general the move to the city does not necessarily increase your risk of being hacked.

First, there is computer security. All the encrypted traffic in the world is compromised if the source is infected. Keep your computer from which you’re accessing sensitive information up-to-date on software patches, run a quality anti-virus software, and don’t install needless software. Email is a common attack vector. Do not click links or open attachments you do not recognize, regardless of the source.

Next is the wireless network, which seems to be the heart of your question. You should absolutely use a strong password (20+ characters... basically a sentence as a password) with good encryption (WPA2, NOT WEP). If your wireless router has WPS functionality, disable it, or preferably get a wireless router without it. You should also change the administrator password on the router. MAC address filtering is also a good control to use on the router.

Next, as another poster mentioned, make sure you’re only transmitting sensitive information to websites that are encrypted with TLS. Note, malicious websites can also be encrypted with TLS, so looking for a “green lock” icon is not sufficient. Make sure you are connecting to the desired site.

Lastly, the best protection is at the account level. Make sure access to your account is controlled with a username and strong password that you have not re-used elsewhere. Enable multi-factor authentication which requires a text or token in addition to your password before access to the account is granted.

This is a good starting point.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 11:19 am

quantAndHold wrote:
Tue Mar 19, 2019 10:20 am
You need to do two things to secure your WiFi.

1. Use a strong password on your WiFi.
2. Set a strong password for the admin user on your modem/router.

If you do both of those things, your security will be roughly equivalent to your security using wired ethernet. The easiest way into your computer won’t be from a guy in the next apartment hacking into your WiFi, it will be a guy in Russia serving up links to bad websites.

The iPhone is probably more secure than your laptop. But the laptop is easier to use, so I wouldn’t worry about it.
These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 11:26 am

jpsfranks wrote:
Tue Mar 19, 2019 10:28 am
Traffic to a site that is encrypted (i.e. typically shown by browsers as lock icon in a browser address bar) is as safe as anything can be on the internet whether over wifi or not.
I disagree with your statement. If I perform a "man-in-the-middle" attack, you would see a green lock icon to the site you connect (mine), but I would capture all of your traffic. :happy

jpsfranks
Posts: 991
Joined: Sun Aug 26, 2007 11:45 pm

Re: Computer security

Post by jpsfranks » Tue Mar 19, 2019 11:35 am

dream_chaser wrote:
Tue Mar 19, 2019 11:26 am
jpsfranks wrote:
Tue Mar 19, 2019 10:28 am
Traffic to a site that is encrypted (i.e. typically shown by browsers as lock icon in a browser address bar) is as safe as anything can be on the internet whether over wifi or not.
I disagree with your statement. If I perform a "man-in-the-middle" attack, you would see a green lock icon to the site you connect (mine), but I would capture all of your traffic. :happy
Unless the user's computer is otherwise compromised (i.e. a rogue certificate authority installed) or the destination server is compromised (i.e. private keys stolen) then you should not be able to perform a man in the middle attack with a lock icon displayed. Without one of the previous conditions, or unless the user just types in the wrong address in the first place, you should not as a man in the middle be able to establish a TLS handshake with the browser. If you could, all internet security would break down, as any network device anywhere along the route between the client and the server could steal all the user's traffic.

That being said, I do not mean to imply that nothing malicious can occur with the TLS lock icon, I just mean to say that if that is in place it should be regarded as as secure as a wired connection for all intents and purposes, which was the original point of OP's question I believe.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 12:20 pm

jpsfranks wrote:
Tue Mar 19, 2019 11:35 am
dream_chaser wrote:
Tue Mar 19, 2019 11:26 am
jpsfranks wrote:
Tue Mar 19, 2019 10:28 am
Traffic to a site that is encrypted (i.e. typically shown by browsers as lock icon in a browser address bar) is as safe as anything can be on the internet whether over wifi or not.
I disagree with your statement. If I perform a "man-in-the-middle" attack, you would see a green lock icon to the site you connect (mine), but I would capture all of your traffic. :happy
Unless the user's computer is otherwise compromised (i.e. a rogue certificate authority installed) or the destination server is compromised (i.e. private keys stolen) then you should not be able to perform a man in the middle attack with a lock icon displayed. Without one of the previous conditions, or unless the user just types in the wrong address in the first place, you should not as a man in the middle be able to establish a TLS handshake with the browser. If you could, all internet security would break down, as any network device anywhere along the route between the client and the server could steal all the user's traffic.
Right, you mentioned three ways a MitM attack (information stealing) could be perpetrated while a "green lock" icon is displayed in the browser. DNS spoofing and ARP poisoning are others.

I always caution folks that a green lock is not indicative of a safe session. At the very least you should verify the green lock AND the URL of the site.
:happy

michaelingp
Posts: 217
Joined: Tue Jan 17, 2017 8:46 pm

Re: Computer security

Post by michaelingp » Tue Mar 19, 2019 12:31 pm

dave1054 wrote:
Tue Mar 19, 2019 10:11 am


Is it “safe” to do online banking and Vanguard investments via wifi secure network or better to hardwire directly from internet port into desktop or laptop? This assumes I have all the other safeguards (antivirus) on computer.

Actually, the most important safeguard on a computer is *you*. I only have anecdotal evidence, but it seems to me the biggest hacking threat (percentage of successful attacks) that we all face is phishing. You need to be really aware (Internet spidey sense) when dealing with email attachments and links. Take regular disk-level backups, so when (not if) you accidentally click on something you should not have, you can restore to a safe place. If something happens, like a noisy browser pop-up telling you that something is wrong and you should call a certain number to fix it, call your computer security person instead.

Topic Author
dave1054
Posts: 128
Joined: Wed Apr 01, 2009 7:50 am

Re: Computer security

Post by dave1054 » Tue Mar 19, 2019 12:55 pm

Wow. No clear cut foolproof way to secure my computer according to contrarian views on this post.

BTW, does 2 step authentication on Vanguard provide almost foolproof security?

Any anecdotal evidence that Windows 10 or Apple is better in regard to security of computer and internet?

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 1:11 pm

dave1054 wrote:
Tue Mar 19, 2019 12:55 pm
Wow. No clear cut foolproof way to secure my computer according to contrarian views on this post.

BTW, does 2 step authentication on Vanguard provide almost foolproof security?

Any anecdotal evidence that Windows 10 or Apple is better in regard to security of computer and internet?
Two-factor authentication at vanguard.com is a strong security control, and you should enable it. Obviously, that will not help on other financial or sensitive websites.

There are overwhelmingly more threats to a Windows operating system than a MacOS.

jebmke
Posts: 9782
Joined: Thu Apr 05, 2007 2:44 pm

Re: Computer security

Post by jebmke » Tue Mar 19, 2019 1:31 pm

dream_chaser wrote:
Tue Mar 19, 2019 1:11 pm
There are overwhelmingly more threats to a Windows operating system
Windows is such a large share that it represents a huge target. This is why I do most of my financial "stuff" in a Linux VM. The VM is only open for a brief period and I restore it to a clean snapshot after every session.
When you discover that you are riding a dead horse, the best strategy is to dismount.

gtd98765
Posts: 421
Joined: Sun Jan 08, 2017 4:15 am

Re: Computer security

Post by gtd98765 » Tue Mar 19, 2019 7:12 pm

dream_chaser wrote:
Tue Mar 19, 2019 11:19 am

These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
I disagree. WEP was superseded in 2004 (https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy) so is not really relevant. Any router made in the last 10 - 15 years will have WPA2, which is much more secure; many routers have been updated to withstand the KRACK attack announced in 2017; I have not heard that KRACK attacks are actually being used in the wild (https://www.cloudflare.com/learning/sec ... ck-attack/); all major operating systems have been updated to withstand it. I do agree that WPS should not be used.

For all practical purposes, an updated router using WPA2 with wifi is effectively as secure as using an ethernet connection for the vast majority of users. Giving people the impression that computer security is too hard, or that nothing works well enough will just encourage them to go without, which really does put them at risk.

Edit: fixed typo, replaced "browser" with "router" in sentence 3
Last edited by gtd98765 on Tue Mar 19, 2019 9:37 pm, edited 1 time in total.

quantAndHold
Posts: 3438
Joined: Thu Sep 17, 2015 10:39 pm

Re: Computer security

Post by quantAndHold » Tue Mar 19, 2019 9:18 pm

dream_chaser wrote:
Tue Mar 19, 2019 11:19 am
quantAndHold wrote:
Tue Mar 19, 2019 10:20 am
You need to do two things to secure your WiFi.

1. Use a strong password on your WiFi.
2. Set a strong password for the admin user on your modem/router.

If you do both of those things, your security will be roughly equivalent to your security using wired ethernet. The easiest way into your computer won’t be from a guy in the next apartment hacking into your WiFi, it will be a guy in Russia serving up links to bad websites.

The iPhone is probably more secure than your laptop. But the laptop is easier to use, so I wouldn’t worry about it.
These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
Yes, I know all about WEP. Before I retired, I did wireless security for a living, and I’ve hacked my share of WiFi. Modern modem/routers, by default, don’t use WEP or WPS. A user would have to change the default settings to let their neighbor into their WiFi.

There’s also the fact that the vast majority of internet traffic today is encrypted, even on sites like bogleheads, where the data being protected isn’t particularly sensitive.

If your computer equipment is properly secured, someone hacking your WiFi will get access to your WiFi, but they won’t have access to your computer. Computer security is defense in depth, and we want to keep people out of the network, but even if someone got onto the WiFi, there would need to be some other misconfiguration for them to score anything other than some free WiFi.

Honestly, nothing is 100% secure. The much more likely way someone is going to get hacked, though, is through clicking on bad links or phishing. Running a wire just adds inconvenience and gives a false sense of security.

quantAndHold
Posts: 3438
Joined: Thu Sep 17, 2015 10:39 pm

Re: Computer security

Post by quantAndHold » Tue Mar 19, 2019 9:30 pm

dave1054 wrote:
Tue Mar 19, 2019 12:55 pm
Wow. No clear cut foolproof way to secure my computer according to contrarian views on this post.

BTW, does 2 step authentication on Vanguard provide almost foolproof security?

Any anecdotal evidence that Windows 10 or Apple is better in regard to security of computer and internet?
Yes to using 2 factor authentication on all of your important accounts. There’s attacks on it, but it is *much* more secure than going without 2 factor. Also definitely use 2 factor on the email account you use for your important accounts.

Windows vs Apple (vs Linux, etc) is less important than keeping everything patched and up to date on whatever operating system you do use. Windows has more users, so it gets attacked more often, but there are plenty of attacks against the others as well. If you do use Windows, use a non-Microsoft browser. Firefox and Chrome both have a better track record than Microsoft of being proactive about distributing bug fixes quickly.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 11:31 pm

gtd98765 wrote:
Tue Mar 19, 2019 7:12 pm
dream_chaser wrote:
Tue Mar 19, 2019 11:19 am

These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
I disagree. WEP was superseded in 2004 (https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy) so is not really relevant. Any router made in the last 10 - 15 years will have WPA2, which is much more secure; many routers have been updated to withstand the KRACK attack announced in 2017; I have not heard that KRACK attacks are actually being used in the wild (https://www.cloudflare.com/learning/sec ... ck-attack/); all major operating systems have been updated to withstand it. I do agree that WPS should not be used.

For all practical purposes, an updated router using WPA2 with wifi is effectively as secure as using an ethernet connection for the vast majority of users. Giving people the impression that computer security is too hard, or that nothing works well enough will just encourage them to go without, which really does put them at risk.

Edit: fixed typo, replaced "browser" with "router" in sentence 3
What comment of mine do you disagree with? I don't see any mention of the OP using a specific age of router. WEP is indeed an old encryption technology (still in use on many routers today), but my comment about the ability for it to be hacked in minutes was in response to the poster whose advice was to set a password on WiFi which would then be as secure as a wire, which is simply not true. This is why I recommended WPA2, which is not without its flaws, but still the best thing going for the consumer market today.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Tue Mar 19, 2019 11:40 pm

quantAndHold wrote:
Tue Mar 19, 2019 9:18 pm
dream_chaser wrote:
Tue Mar 19, 2019 11:19 am
quantAndHold wrote:
Tue Mar 19, 2019 10:20 am
You need to do two things to secure your WiFi.

1. Use a strong password on your WiFi.
2. Set a strong password for the admin user on your modem/router.

If you do both of those things, your security will be roughly equivalent to your security using wired ethernet. The easiest way into your computer won’t be from a guy in the next apartment hacking into your WiFi, it will be a guy in Russia serving up links to bad websites.

The iPhone is probably more secure than your laptop. But the laptop is easier to use, so I wouldn’t worry about it.
These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
Yes, I know all about WEP. Before I retired, I did wireless security for a living, and I’ve hacked my share of WiFi. Modern modem/routers, by default, don’t use WEP or WPS. A user would have to change the default settings to let their neighbor into their WiFi.

There’s also the fact that the vast majority of internet traffic today is encrypted, even on sites like bogleheads, where the data being protected isn’t particularly sensitive.

If your computer equipment is properly secured, someone hacking your WiFi will get access to your WiFi, but they won’t have access to your computer. Computer security is defense in depth, and we want to keep people out of the network, but even if someone got onto the WiFi, there would need to be some other misconfiguration for them to score anything other than some free WiFi.

Honestly, nothing is 100% secure. The much more likely way someone is going to get hacked, though, is through clicking on bad links or phishing. Running a wire just adds inconvenience and gives a false sense of security.
From what I've seen recently, routers with WPS are still commonly installed, typically when you rent a provider's equipment.

If a malicious actor is on your network, you have big problems. It does not take a misconfiguration of your computer to be vulnerable - Microsoft releases security patches every month to fix vulnerable software.

I agree nothing is 100% secure, but I'll stand by my comment that merely adding a password to a wifi network does not make it as secure as a physical wire.

quantAndHold
Posts: 3438
Joined: Thu Sep 17, 2015 10:39 pm

Re: Computer security

Post by quantAndHold » Wed Mar 20, 2019 12:05 am

dream_chaser wrote:
Tue Mar 19, 2019 11:31 pm
gtd98765 wrote:
Tue Mar 19, 2019 7:12 pm
dream_chaser wrote:
Tue Mar 19, 2019 11:19 am

These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
I disagree. WEP was superseded in 2004 (https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy) so is not really relevant. Any router made in the last 10 - 15 years will have WPA2, which is much more secure; many routers have been updated to withstand the KRACK attack announced in 2017; I have not heard that KRACK attacks are actually being used in the wild (https://www.cloudflare.com/learning/sec ... ck-attack/); all major operating systems have been updated to withstand it. I do agree that WPS should not be used.

For all practical purposes, an updated router using WPA2 with wifi is effectively as secure as using an ethernet connection for the vast majority of users. Giving people the impression that computer security is too hard, or that nothing works well enough will just encourage them to go without, which really does put them at risk.

Edit: fixed typo, replaced "browser" with "router" in sentence 3
What comment of mine do you disagree with? I don't see any mention of the OP using a specific age of router. WEP is indeed an old encryption technology (still in use on many routers today), but my comment about the ability for it to be hacked in minutes was in response to the poster whose advice was to set a password on WiFi which would then be as secure as a wire, which is simply not true. This is why I recommended WPA2, which is not without its flaws, but still the best thing going for the consumer market today.
The router that my cable company gave me doesn’t even have WEP. Or WPS, for that matter.

Cunobelinus
Posts: 217
Joined: Tue Dec 04, 2012 5:31 pm

Re: Computer security

Post by Cunobelinus » Wed Mar 20, 2019 1:08 am

dave1054 wrote:
Tue Mar 19, 2019 10:11 am
Always lived in single family house with large lots and only slightly concerned about hacking. Maybe I was wrong. Now moving to big city in multiunit complex.

Is it “safe” to do online banking and Vanguard investments via wifi secure network or better to hardwire directly from internet port into desktop or laptop? This assumes I have all the other safeguards (antivirus) on computer.

Not mentally ready to do anything on iphone. What is safest option for secure online transactions? Thank you.
1. Keep your computer up to date with automatic updates/reboots.
2. Keep your router up to date with updates/reboots.
3. Use a strong password and encryption scheme for your wireless network (WPA2 + a long string of random characters, 20+ is reasonable)
4. Change all default passwords immediately. If it connects to the internet, type the product name into google and "default login and password"
5. Don't click on links in e-mails. Deliberately/manually go to the website instead -- as in, type it in. Don't trust that www.financialinstitution.co.m is the proper site if provided in a link.
6. Don't click on links in e-mails. Yes, again. This is somehow still permitted in most e-mail clients, despite the huge amount of compromises that occur this way.
7. Routine malware/antivirus scans may be beneficial for you. I assume you're using Windows. I believe Windows Defender is actually a pretty good product.
8. Sign up for haveibeenpwned.com
9. Don't use the same password with more than one account/website.

Steps 1-4 should address your question about whether or not it's "safe" to do online banking. The rest are good computer practices.

I also assume that you're not being targeted by a sophisticated organization. Someone will always chime in and say, "if some three-letter/country/criminal organization is targeting you then none of this is useful!"

If this still doesn't make you feel any better, then just plug in to your router. But all of the above steps are important regardless of whether or not you plug in to your router via a cat-5 cable.
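The look-alike address in item 5 above, and the earlier advice in this thread to check the URL as well as the lock icon, can be expressed as a small host check. This is an added example, not part of the post; `financialinstitution.com` is taken as the hypothetical real domain and every URL below is constructed.

```python
from urllib.parse import urlsplit


def check_link(url: str, expected_domain: str):
    """Return (ok, reason) for a link that claims to lead to expected_domain."""
    parts = urlsplit(url)

    # A lock icon needs https, but https alone says nothing about who you reached.
    if parts.scheme != "https":
        return False, "not https"

    # "https://bank.com@other.example/" connects to other.example; the part
    # before "@" is only user info and is there to mislead the reader.
    if parts.username is not None:
        return False, "user info before @"

    # urlsplit lower-cases the host; a trailing dot is still the same name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"

    # Punycode labels can render as look-alike characters in some clients.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label"

    # The host must be the expected domain or a subdomain of it. A plain
    # substring or prefix test would accept "bank.com.other.example".
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return True, "ok"
    return False, "host mismatch"


# Constructed sample links, as they might appear in an e-mail.
SAMPLE_LINKS = [
    "https://www.financialinstitution.com/login",
    "https://www.financialinstitution.co.m/login",
    "https://financialinstitution.com.account-check.example/",
    "https://financialinstitution.com@login.example/",
    "http://www.financialinstitution.com/",
    "https://notfinancialinstitution.com/",
]


def flag_links(links, expected_domain):
    """Map each link that fails the check to the reason it failed."""
    flagged = {}
    for link in links:
        ok, reason = check_link(link, expected_domain)
        if not ok:
            flagged[link] = reason
    return flagged


if __name__ == "__main__":
    for link, reason in flag_links(SAMPLE_LINKS, "financialinstitution.com").items():
        print(f"{reason:20} {link}")
```
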

gtd98765
Posts: 421
Joined: Sun Jan 08, 2017 4:15 am

Re: Computer security

Post by gtd98765 » Wed Mar 20, 2019 9:02 am

dream_chaser wrote:
Tue Mar 19, 2019 11:31 pm
gtd98765 wrote:
Tue Mar 19, 2019 7:12 pm
dream_chaser wrote:
Tue Mar 19, 2019 11:19 am

These are some strong claims! I disagree with those two items making wireless as secure as a hardwire.
Did you know a strong WEP password can be cracked in minutes, or that WPS enables attackers to bypass your wireless authentication with a 4-digit PIN?
I disagree. WEP was superseded in 2004 (https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy) so is not really relevant. Any router made in the last 10 - 15 years will have WPA2, which is much more secure; many routers have been updated to withstand the KRACK attack announced in 2017; I have not heard that KRACK attacks are actually being used in the wild (https://www.cloudflare.com/learning/sec ... ck-attack/); all major operating systems have been updated to withstand it. I do agree that WPS should not be used.

For all practical purposes, an updated router using WPA2 with wifi is effectively as secure as using an ethernet connection for the vast majority of users. Giving people the impression that computer security is too hard, or that nothing works well enough will just encourage them to go without, which really does put them at risk.

Edit: fixed typo, replaced "browser" with "router" in sentence 3
What comment of mine do you disagree with? I don't see any mention of the OP using a specific age of router. WEP is indeed an old encryption technology (still in use on many routers today), but my comment about the ability for it to be hacked in minutes was in response to the poster whose advice was to set a password on WiFi which would then be as secure as a wire, which is simply not true. This is why I recommended WPA2, which is not without its flaws, but still the best thing going for the consumer market today.
I read your comment as implying that wifi was insecure due to the cracking of WEP, and that wifi should therefore not be used. That is what I disagree with. If I misinterpreted I apologize.

rich126
Posts: 870
Joined: Thu Mar 01, 2018 4:56 pm

Re: Computer security

Post by rich126 » Wed Mar 20, 2019 10:40 am

There isn't perfect computer security unless you don't use one.

If you use any public wi-fi network you are taking risks. First, do you ever know if you are connecting to the place of business's access point or to someone who set up an access point and is simply relaying your traffic to the Internet but in the meantime is observing/capturing your traffic?

Is the data encrypted on your system? How is it encrypted? Many systems encrypt data on the hard drive but then it is unencrypted when you log on so from that point on, your data is not protected. If you use some kind of individual file encryption that isn't always true.

Most hacking now will come from either getting people to click on links, go to compromised web pages, etc. It often requires you to do something that causes a program to run on your system. Or they target insecure web pages and can intercept or put something on your computer that way.

Minimizing use of public wi-fi is certainly a good idea. Encrypting the hard drive so if you lose the device when it isn't on, the data is protected is good. Using a VPN is good although you are trusting the people who run the VPN.

If you are using your cell phone for stuff, it is more secure using the cell connection and not using the WiFi. Partly because it is more expensive & difficult to intercept cellular data than wi-fi (with something like a pineapple https://www.wifipineapple.com/ it makes it easy).

And obviously WEP should never be used.

Passwords should be long with special characters used. I'd much rather have someone use a long password and write it down, than use something easily remembered but short.

And, of course, much of the hacking takes place outside of your control. Someone targets a server of a business you used and gave personal data to. There isn't much you can do about that except use long passwords. For those that aren't computer people, systems do not store the actual password but instead something called a "hash" of a password. This is a very long value that is supposedly unique for every different input. However hackers create things called Rainbow tables which are tables of passwords and their associated hash value. So of course they will precompute all dictionary words and other combinations of numbers and words that people commonly use. However they can't precompute everything and the longer and more complex the password, the less likely they will have it. And if they try brute forcing a password, that will take a very long time for a complex password.

I see people using laptops on airplanes and that increases risk because you have little privacy and it is easy to watch the user type in a password or read their emails, etc. Or watch someone pull out their phone and type in their password.

What you do depends on your comfort level with risk. I use online banking, brokerages, etc. all the time and seldom worry about it. I'm more concerned if I'm overseas, or have to use a public access point. If I'm in Europe I have no problems using Netflix but I'd rarely ever log into a bank or make any kind of financial transaction with my tablet or phone via wi-fi.
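The post above describes stored password hashes and precomputed tables. As an added example (not part of the post), the sketch below uses a plain precomputed lookup table as a simple stand-in for a rainbow table and shows which stored passwords it recovers, then the same check against a per-account salt with a slow hash (PBKDF2); the users, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for the list of common passwords
# that would be hashed ahead of time.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon2019"]

# Constructed sample accounts (hypothetical users and passwords).
USERS = {
    "alice": "letmein",
    "bob": "123456",
    "carol": "correct horse battery staple 7!",
}


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against any unsalted store."""
    return {unsalted_hash(w): w for w in words}


def recover_from_store(stored, table):
    """Return the accounts whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def store_salted(password: str, iterations: int = 100_000):
    """Per-account random salt plus a deliberately slow hash (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted store: short, common passwords fall to a dictionary lookup,
    # the long passphrase is simply not in the table.
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    cracked = recover_from_store(unsalted_db, table)

    # Salted store: the precomputed table no longer matches anything,
    # because every account's hash depends on its own random salt.
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    salted_as_hex = {u: rec[2].hex() for u, rec in salted_db.items()}
    salted_hits = recover_from_store(salted_as_hex, table)
    return cracked, salted_hits


if __name__ == "__main__":
    cracked, salted_hits = demo()
    print("recovered from unsalted store:", cracked)
    print("recovered from salted store:  ", salted_hits)
```

A salt defeats precomputation but not guessing one account at a time, which is where password length and the slow hash matter.
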

ccieemeritus
Posts: 628
Joined: Thu Mar 06, 2014 10:43 pm

Re: Computer security

Post by ccieemeritus » Wed Mar 20, 2019 12:06 pm

My security rules of thumb:

1) use a password manager (1Password bought outright in my case).

2) Have a different password on each account.

3) “Financial” accounts get 2-factor authentication enabled.

squirm
Posts: 1884
Joined: Sat Mar 19, 2011 11:53 am

Re: Computer security

Post by squirm » Wed Mar 20, 2019 3:31 pm

dave1054 wrote:
Tue Mar 19, 2019 12:55 pm
Wow. No clear cut foolproof way to secure my computer according to contrarian views on this post.

BTW, does 2 step authentication on Vanguard provide almost foolproof security?

Any anecdotal evidence that Windows 10 or Apple is better in regard to security of computer and internet?
In other words,
Keep your computer up to date, use strong passwords or a manager, use 2fa and don't visit suspicious websites and emails. You'll be fine.

2015
Posts: 2906
Joined: Mon Feb 10, 2014 2:32 pm

Re: Computer security

Post by 2015 » Wed Mar 20, 2019 7:32 pm

I run this free application every time I am about to do anything sensitive on my computer. Lets me know if anyone has breached my network:

https://www.softperfect.com/products/wifiguard/
SoftPerfect WiFi Guard is an essential tool for everyone running a small wireless network and striving to keep it safe and secure. Generally, modern Wi-Fi networks are well protected, but there are a number of weaknesses that can compromise your Wi-Fi password; this includes vulnerabilities in encryption and brute force attacks. As a result, someone can gain unauthorised access to your Internet connection and LAN and exploit them while staying unnoticed.

Perhaps, you can say: “No big deal, I have unlimited Internet traffic!”, but what about someone reading your personal emails, stealing private information or breaking the law online while using your Internet connection?

Here comes our little application: it will alert you if your network is used without your knowledge. WiFi Guard is a specialised network scanner that runs through your network at set intervals and reports immediately if it has found any new, unknown or unrecognised connected devices that could possibly belong to an intruder.

rich126
Posts: 870
Joined: Thu Mar 01, 2018 4:56 pm

Re: Computer security

Post by rich126 » Thu Mar 21, 2019 1:01 pm

Apparently I was wrong, not everyone knows how to store passwords.
Facebook revealed on Thursday it didn't properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.

Keeping passwords hashed, or encrypted, is widely regarded as fundamental to cybersecurity, as passwords exist for users to authenticate their identity without others knowing how. Encrypting passwords is Security 101
https://www.cnn.com/2019/03/21/tech/fac ... index.html

That is almost beyond belief.

lazydavid
Posts: 2536
Joined: Wed Apr 06, 2016 1:37 pm

Re: Computer security

Post by lazydavid » Thu Mar 21, 2019 1:30 pm

Couple of corrections:
rich126 wrote:
Wed Mar 20, 2019 10:40 am
If you use any public wi-fi network you are taking risks. First, do you ever know if you are connecting to the place of business's access point or to someone who set up an access point and is simply relaying your traffic to the Internet but in the meantime is observing/capturing your traffic?
This dramatically overstates the risk. The overwhelming majority of sites now use TLS. This includes essentially all sites that handle sensitive information. Look up in your address bar now, even bogleheads enforces HTTPS, and everything you post is fully public.

If you've set yourself up on public wifi as a relay and my PC thinks you're the default gateway, you can absolutely see that I'm going to vanguard.com, along with the amount of data transmitted and the length of the session. But that's it. You don't get to see my login information, balance, or what I'm doing on the site.

In order for you to be able to pretend to be vanguard.com, my system has to already be compromised and trust a CA certificate that you possess.
rich126 wrote:
Wed Mar 20, 2019 10:40 am
And, of course, much of the hacking takes place outside of your control. Someone targets a server of a business you used and gave personal data to. There isn't much you can do about that except use long passwords. For those that aren't computer people, systems do not store the actual password but instead something called a "hash" of a password. This is a very long value that is supposedly unique for every different input. However hackers create things called Rainbow tables which are tables of passwords and their associated hash value. So of course they will precompute all dictionary words and other combinations of numbers and words that people commonly use. However they can't precompute everything and the longer and more complex the password, the less likely they will have it. And if they try brute forcing a password, that will take a very long time for a complex password.
Rainbow tables only work for unsalted hashes. Most services by this point will be salting their hashes, which has been best practice for nearly two decades. This means that to do a precomputation attack, you need to generate a new, unique set of rainbow tables for every single account. At that point, brute forcing the password is actually more efficient, though still nearly impossible for a sufficiently long/complex password.
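
The difference between unsalted and salted storage described in the post above, as an added example that is not part of the original thread. A plain precomputed lookup table stands in for a rainbow table (which stores the same precomputation more compactly); the word list, account names and passwords are constructed sample data, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "dictionary" and three accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
ACCOUNTS = {"alice": "letmein", "bob": "password", "carol": "x9!Lq2#vT7pe@Zr4"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once; the table is reusable against any unsalted dump."""
    return {sha256_hex(w.encode()): w for w in words}


def store_unsalted(accounts):
    """Weak scheme: identical passwords always give identical hashes."""
    return {user: sha256_hex(pw.encode()) for user, pw in accounts.items()}


def store_salted(accounts):
    """Per-account random 16-byte salt, kept next to the hash."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, sha256_hex(salt + pw.encode()))
    return db


def table_hits_unsalted(db, table):
    """One dictionary lookup per account, no hashing at lookup time."""
    return {user: table[h] for user, h in db.items() if h in table}


def table_hits_salted(db, table):
    """The same table against salted hashes: the stored values never match."""
    return {user: table[h] for user, (_salt, h) in db.items() if h in table}


def guess_per_account(db, words):
    """With salts the guessing work is redone for every account.

    Returns (recovered, number_of_hashes_computed).
    """
    recovered, hashes = {}, 0
    for user, (salt, digest) in db.items():
        for w in words:
            hashes += 1
            if hmac.compare_digest(sha256_hex(salt + w.encode()), digest):
                recovered[user] = w
                break
    return recovered, hashes


def hash_password(password, salt=None, iterations=200_000):
    """Storage form a service should use: salted and deliberately slow (PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    candidate = hash_password(password, salt, iterations)[1]
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table hits:", table_hits_unsalted(store_unsalted(ACCOUNTS), table))
    salted = store_salted(ACCOUNTS)
    print("salted, table hits:  ", table_hits_salted(salted, table))
    print("salted, per-account guessing:", guess_per_account(salted, WORDLIST))
```

The salt removes the precomputation shortcut, not the weakness of a dictionary password: the two short passwords still fall to per-account guessing, while the long random one survives both approaches.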

RetiredAL
Posts: 429
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Computer security

Post by RetiredAL » Thu Mar 21, 2019 1:39 pm

rich126 wrote:
Thu Mar 21, 2019 1:01 pm
Apparently I was wrong, not everyone knows how to store passwords.
Facebook revealed on Thursday it didn't properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.

Keeping passwords hashed, or encrypted, is widely regarded as fundamental to cybersecurity, as passwords exist for users to authenticate their identity without others knowing how. Encrypting passwords is Security 101
https://www.cnn.com/2019/03/21/tech/fac ... index.html

That is almost beyond belief.
A good reason to never use one site as a login validator (i.e., logon using FB) to another site.

BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Computer security

Post by BYUvol » Thu Mar 21, 2019 2:32 pm

lazydavid wrote:
Thu Mar 21, 2019 1:30 pm
Couple of corrections:
rich126 wrote:
Wed Mar 20, 2019 10:40 am
If you use any public wi-fi network you are taking risks. First, do you ever know if you are connecting to the place of business's access point or to someone who set up an access point and is simply relaying your traffic to the Internet but in the meantime is observing/capturing your traffic?
This dramatically overstates the risk. The overwhelming majority of sites now use TLS. This includes essentially all sites that handle sensitive information. Look up in your address bar now, even bogleheads enforces HTTPS, and everything you post is fully public.

If you've set yourself up on public wifi as a relay and my PC thinks you're the default gateway, you can absolutely see that I'm going to vanguard.com, along with the amount of data transmitted and the length of the session. But that's it. You don't get to see my login information, balance, or what I'm doing on the site.

My opinion is that they did not overstate the risks. I am not an expert, but I have taken graduate-level courses on encryption and work with tools that break PKI on a daily basis. With off-the-shelf components and open-source tools I could set up an access point capable of deep packet inspection for less than $500. Now like all risks, users of wireless networks have the choice to 1) avoid the risk (don't use public wifi), 2) mitigate the risk (use a VPN), 3) insure the risk (cyber policies are no longer business only, you can get a personal policy), or 4) simply accept the risk. I don't advocate for either choice, because like investing, everyone has their own personal risk tolerance, but I do think it is a good idea to understand the risk.

bryanm
Posts: 207
Joined: Mon Aug 13, 2018 3:48 pm

Re: Computer security

Post by bryanm » Thu Mar 21, 2019 3:13 pm

BYUvol wrote:
Thu Mar 21, 2019 2:32 pm
lazydavid wrote:
Thu Mar 21, 2019 1:30 pm
Couple of corrections:
rich126 wrote:
Wed Mar 20, 2019 10:40 am
If you use any public wi-fi network you are taking risks. First, do you ever know if you are connecting to the place of business's access point or to someone who set up an access point and is simply relaying your traffic to the Internet but in the meantime is observing/capturing your traffic?
This dramatically overstates the risk. The overwhelming majority of sites now use TLS. This includes essentially all sites that handle sensitive information. Look up in your address bar now, even bogleheads enforces HTTPS, and everything you post is fully public.

If you've set yourself up on public wifi as a relay and my PC thinks you're the default gateway, you can absolutely see that I'm going to vanguard.com, along with the amount of data transmitted and the length of the session. But that's it. You don't get to see my login information, balance, or what I'm doing on the site.

My opinion is that they did not overstate the risks. I am not an expert, but I have taken graduate-level courses on encryption and work with tools that break PKI on a daily basis. With off-the-shelf components and open-source tools I could set up an access point capable of deep packet inspection for less than $500. Now like all risks, users of wireless networks have the choice to 1) avoid the risk (don't use public wifi), 2) mitigate the risk (use a VPN), 3) insure the risk (cyber policies are no longer business only, you can get a personal policy), or 4) simply accept the risk. I don't advocate for either choice, because like investing, everyone has their own personal risk tolerance, but I do think it is a good idea to understand the risk.
It's interesting that you cite a VPN as mitigating the risk. Is a VPN's security really any better than TLS? (As far as I know, it's not. In fact, OpenVPN uses TLS.) If you set up an AP w/ DPI, you would see encrypted traffic. You say you can "break PKI": I question that claim. You might be able to spoof a website using a similar-looking address, but someone typing in "vanguard.com" is going to get an HSTS site with encrypted traffic that I doubt any public technology can break. The best "off-the-shelf" software collection that I'm aware of is Kali Linux, and nothing in there is going to break TLS. It just tries to bypass it.

investor4life
Posts: 184
Joined: Fri Oct 08, 2010 9:45 am

Re: Computer security

Post by investor4life » Thu Mar 21, 2019 3:36 pm

A couple easy safeguards on Wi-Fi. Disable broadcast of your SSID or at least pick one that does not reveal your identity. (“Virus” is a good choice :D )

ivk5
Posts: 950
Joined: Thu Sep 22, 2016 9:05 am

Re: Computer security

Post by ivk5 » Thu Mar 21, 2019 3:48 pm

investor4life wrote:
Thu Mar 21, 2019 3:36 pm
A couple easy safeguards on Wi-Fi. Disable broadcast of your SSID or at least pick one that does not reveal your identity. (“Virus” is a good choice :D )
Result: your devices that have stored the non-broadcast SSID are constantly pinging for it everywhere you go, announcing to the world (a) the SSID of your trusted network, and (b) that your client device will automatically attempt to connect to a network with that SSID.

NB when you disable SSID broadcast, the rest of the beacon frame is still sent, just with null SSID.

lazydavid
Posts: 2536
Joined: Wed Apr 06, 2016 1:37 pm

Re: Computer security

Post by lazydavid » Thu Mar 21, 2019 5:40 pm

BYUvol wrote:
Thu Mar 21, 2019 2:32 pm
My opinion is that they did not overstate the risks. I am not an expert, but I have taken graduate-level courses on encryption and work with tools that break PKI on a daily basis. With off-the-shelf components and open-source tools I could set up an access point capable of deep packet inspection for less than $500. Now like all risks, users of wireless networks have the choice to 1) avoid the risk (don't use public wifi), 2) mitigate the risk (use a VPN), 3) insure the risk (cyber policies are no longer business only, you can get a personal policy), or 4) simply accept the risk. I don't advocate for either choice, because like investing, everyone has their own personal risk tolerance, but I do think it is a good idea to understand the risk.
We'll have to agree to disagree. Since we're sharing credentials :mrgreen: I have 25 years in IT, almost all of it in Financials, with a heavy emphasis on security. I hold a Masters degree in InfoSec and a host of security certifications including 4 from GIAC. One of these is specifically on hacking techniques and leveraging exploits. I've built and maintained firewalls, proxies, web application firewalls, XML security gateways, and VPN concentrators from a wide range of vendors.

Not to put too fine a point on it, this claim beggars belief. If breaking PKI could be done for $500 without also requiring the endpoint to be compromised, everyone would be doing it, and the entire internet would be completely unusable for anything even remotely sensitive.

BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Computer security

Post by BYUvol » Thu Mar 21, 2019 6:53 pm

bryanm wrote:
Thu Mar 21, 2019 3:13 pm


It's interesting that you cite a VPN as mitigating the risk. Is a VPN's security really any better than TLS? (As far as I know, it's not. In fact, OpenVPN uses TLS.) If you set up an AP w/ DPI, you would see encrypted traffic. You say you can "break PKI": I question that claim. You might be able to spoof a website using a similar-looking address, but someone typing in "vanguard.com" is going to get an HSTS site with encrypted traffic that I doubt any public technology can break. The best "off-the-shelf" software collection that I'm aware of is Kali Linux, and nothing in there is going to break TLS. It just tries to bypass it.
A VPN is a control for the specific risk mentioned, a malicious actor controlling the wireless access point and the tampering that enables them. I never made any attempt to claim that a VPN was a superior control than TLS.

DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Thu Mar 21, 2019 7:05 pm

lazydavid wrote:
Thu Mar 21, 2019 1:30 pm
Couple of corrections:
rich126 wrote:
Wed Mar 20, 2019 10:40 am
If you use any public wi-fi network you are taking risks. First, do you ever know if you are connecting to the place of business's access point or to someone who set up an access point and is simply relaying your traffic to the Internet but in the meantime is observing/capturing your traffic?
This dramatically overstates the risk. The overwhelming majority of sites now use TLS. This includes essentially all sites that handle sensitive information. Look up in your address bar now, even bogleheads enforces HTTPS, and everything you post is fully public.

If you've set yourself up on public wifi as a relay and my PC thinks you're the default gateway, you can absolutely see that I'm going to vanguard.com, along with the amount of data transmitted and the length of the session. But that's it. You don't get to see my login information, balance, or what I'm doing on the site.

In order for you to be able to pretend to be vanguard.com, my system has to already be compromised and trust a CA certificate that you possess.

rich126 hardly overstated the risk.
If you connect to my access point thinking it's starbucks, you've got problems. Remote shell, keylogger, etc. TLS encryption to a website is irrelevant at that point.

:oops:

jpsfranks
Posts: 991
Joined: Sun Aug 26, 2007 11:45 pm

Re: Computer security

Post by jpsfranks » Thu Mar 21, 2019 7:11 pm

BYUvol wrote:
Thu Mar 21, 2019 6:53 pm
DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.
This is simply not true. You cannot decrypt TLS encrypted application data using any generally known methods. As a previous poster said this would mean that public key encryption as we know it would be essentially useless, not just when connected to a wifi network but everywhere.

BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Computer security

Post by BYUvol » Thu Mar 21, 2019 7:32 pm

jpsfranks wrote:
Thu Mar 21, 2019 7:11 pm
BYUvol wrote:
Thu Mar 21, 2019 6:53 pm
DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.
This is simply not true. You cannot decrypt TLS encrypted application data using any generally known methods. As a previous poster said this would mean that public key encryption as we know it would be essentially useless, not just when connected to a wifi network but everywhere.
If you choose to disbelieve what I am saying, that's your prerogative, but I am stating as a statement of fact that every day I see the content of encrypted communications as part of my job function. There is a reason banks are nervous about TLS 1.3, because it would disable current implementations of DPI. See https://www.cyberscoop.com/tls-1-3-weak ... stry-ietf/ or if you are more technically inclined straight from the horse's mouth: https://tools.ietf.org/id/draft-camwing ... es-00.html

bryanm
Posts: 207
Joined: Mon Aug 13, 2018 3:48 pm

Re: Computer security

Post by bryanm » Thu Mar 21, 2019 7:59 pm

BYUvol wrote:
Thu Mar 21, 2019 7:32 pm
jpsfranks wrote:
Thu Mar 21, 2019 7:11 pm
BYUvol wrote:
Thu Mar 21, 2019 6:53 pm
DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.
This is simply not true. You cannot decrypt TLS encrypted application data using any generally known methods. As a previous poster said this would mean that public key encryption as we know it would be essentially useless, not just when connected to a wifi network but everywhere.
If you choose to disbelieve what I am saying, that's your prerogative, but I am stating as a statement of fact that every day I see the content of encrypted communications as part of my job function. There is a reason banks are nervous about TLS 1.3, because it would disable current implementations of DPI. See https://www.cyberscoop.com/tls-1-3-weak ... stry-ietf/ or if you are more technically inclined straight from the horse's mouth: https://tools.ietf.org/id/draft-camwing ... es-00.html
I don't think anyone is disputing that you can see encrypted traffic flowing by. The thing I'm confused about is why that's different from a VPN. If I connect to your Wifi, and use a VPN, you would see the encrypted traffic of my VPN flowing by. Both VPN and HTTPS traffic is TLS, so there's really no difference. Connecting to an HTTPS site is like a "mini VPN" to that site. (Yes, VPN traffic to HTTPS would be doubly encrypted, but it doesn't matter because that's like having two locks with the same key--if you can break one you can break both).

The point of encryption is that it doesn't matter who sees it. Only the recipient can understand it. Both VPN and HTTPS provide that guarantee.

Edit: I may be misunderstanding your post. If you mean that you see the decrypted version of encrypted communications, then I must assume that you have the decryption key. On my corporate network, for example, our computers come pre-installed with a company cert. The router replaces all website certs with the company cert, meaning my company is basically a MITM between me and the site. In that instance, yes, you can see traffic. But that only applies if you have a pre-trusted cert on the computer. It doesn't work for a random PC at a coffee shop.

BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Computer security

Post by BYUvol » Thu Mar 21, 2019 8:53 pm

bryanm wrote:
Thu Mar 21, 2019 7:59 pm
BYUvol wrote:
Thu Mar 21, 2019 7:32 pm
jpsfranks wrote:
Thu Mar 21, 2019 7:11 pm
BYUvol wrote:
Thu Mar 21, 2019 6:53 pm
DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.
This is simply not true. You cannot decrypt TLS encrypted application data using any generally known methods. As a previous poster said this would mean that public key encryption as we know it would be essentially useless, not just when connected to a wifi network but everywhere.
If you choose to disbelieve what I am saying, that's your prerogative, but I am stating as a statement of fact that every day I see the content of encrypted communications as part of my job function. There is a reason banks are nervous about TLS 1.3, because it would disable current implementations of DPI. See https://www.cyberscoop.com/tls-1-3-weak ... stry-ietf/ or if you are more technically inclined straight from the horse's mouth: https://tools.ietf.org/id/draft-camwing ... es-00.html
I don't think anyone is disputing that you can see encrypted traffic flowing by. The thing I'm confused about is why that's different from a VPN. If I connect to your Wifi, and use a VPN, you would see the encrypted traffic of my VPN flowing by. Both VPN and HTTPS traffic is TLS, so there's really no difference. Connecting to an HTTPS site is like a "mini VPN" to that site. (Yes, VPN traffic to HTTPS would be doubly encrypted, but it doesn't matter because that's like having two locks with the same key--if you can break one you can break both).

The point of encryption is that it doesn't matter who sees it. Only the recipient can understand it. Both VPN and HTTPS provide that guarantee.

Edit: I may be misunderstanding your post. If you mean that you see the decrypted version of encrypted communications, then I must assume that you have the decryption key. On my corporate network, for example, our computers come pre-installed with a company cert. The router replaces all website certs with the company cert, meaning my company is basically a MITM between me and the site. In that instance, yes, you can see traffic. But that only applies if you have a pre-trusted cert on the computer. It doesn't work for a random PC at a coffee shop.
I think we're straying off-topic to the point that it would be difficult to tie this back into consumer issues, but I will say that TLS relies on asymmetric encryption which is fundamentally different than the symmetric encryption that performs the bulk of the tunneling encryption in VPNs. So in my estimation, the controls are complementary rather than redundant.

Dead Man Walking
Posts: 885
Joined: Wed Nov 07, 2007 6:51 pm

Re: Computer security

Post by Dead Man Walking » Thu Mar 21, 2019 9:21 pm

You fellas have managed to scare the hell out of a paranoid old man. My WiFi can not be accessed beyond my property line and I never use public WiFi. Am I still vulnerable?

DMW

gtd98765
Posts: 421
Joined: Sun Jan 08, 2017 4:15 am

Re: Computer security

Post by gtd98765 » Thu Mar 21, 2019 9:41 pm

Dead Man Walking wrote:
Thu Mar 21, 2019 9:21 pm
You fellas have managed to scare the hell out of a paranoid old man. My WiFi can not be accessed beyond my property line and I never use public WiFi. Am I still vulnerable?

DMW
If you have a relatively modern router less than five years old and use the wifi password that comes with it (which is almost certainly using WPA2 encryption) you are fine.

The bigger concern should be avoiding visiting sketchy web sites or clicking on email links to financial web sites that might be spoofed.

megabad
Posts: 2460
Joined: Fri Jun 01, 2018 4:00 pm

Re: Computer security

Post by megabad » Thu Mar 21, 2019 9:54 pm

dave1054 wrote:
Tue Mar 19, 2019 10:11 am
Always lived in single family house with large lots and only slightly concerned about hacking. Maybe I was wrong. Now moving to big city in multiunit complex.

Is it “safe” to do online banking and Vanguard investments via wifi secure network or better to hardwire directly from internet port into desktop or laptop? This assumes I have all the other safeguards (antivirus) on computer.

Not mentally ready to do anything on iphone. What is safest option for secure online transactions? Thank you.
To directly answer your question—yes, I think it is almost certainly more secure to hard wire to the internet as this would likely necessitate a physical interaction with your network if you are worried about a physical on site hack attempt. However, I would venture that you are more likely to be virtually hacked anyway. I just use a randomly generated 30 character password with WPA2 security and then ban all unknown MAC addresses at the router. Makes far more sense to be worried about virtual and identity hacking to me. This would mean that I feel more strongly that a more important safety measure is using a dedicated laptop for financial activity, freezing credit, using cell phone porting PIN, using 2 or 3 factor authent for Vanguard and other key sites, etc.

lazydavid
Posts: 2536
Joined: Wed Apr 06, 2016 1:37 pm

Re: Computer security

Post by lazydavid » Fri Mar 22, 2019 5:19 am

BYUvol wrote:
Thu Mar 21, 2019 7:32 pm
jpsfranks wrote:
Thu Mar 21, 2019 7:11 pm
BYUvol wrote:
Thu Mar 21, 2019 6:53 pm
DPI "breaks PKI" in the sense that as neither Alice nor Bob, I can see the plaintext of encrypted traffic traversing my network, something that is required by regulation in my industry. pfSense will get you DPI and packet capturing, you can throw that on a NUC, set the SSID as "FreeATTWifi" and at less than $500 you will be able to see credit card information. We can get into semantics over the meaning of the word "break", but the fact is that just because you have the green lock in your browser, doesn't mean your communications aren't being eavesdropped by someone with access to the AP, and that the easiest way I can think to counter that specific threat is with a VPN. If someone chooses to accept the risk, that's a totally valid decision if they are willing to live with the ramifications. I personally had a friend get their bank account emptied from accessing it on an open WiFi in a residential neighborhood.
This is simply not true. You cannot decrypt TLS encrypted application data using any generally known methods. As a previous poster said this would mean that public key encryption as we know it would be essentially useless, not just when connected to a wifi network but everywhere.
If you choose to disbelieve what I am saying, that's your prerogative, but I am stating as a statement of fact that every day I see the content of encrypted communications as part of my job function. There is a reason banks are nervous about TLS 1.3, because it would disable current implementations of DPI. See https://www.cyberscoop.com/tls-1-3-weak ... stry-ietf/ or if you are more technically inclined straight from the horse's mouth: https://tools.ietf.org/id/draft-camwing ... es-00.html
You are talking about two completely different things here. This is not deep packet inspection, it is a corporate-sanctioned proxy, or "middle box". And the reason it works is because every computer in the corporation has been configured by policy to trust the intermediate CA cert that the proxy uses to forge certificates of real websites, and also to use the proxy for all web traffic.

The way these systems work is the client makes an SSL/TLS connection to the proxy, the proxy terminates that connection and makes a new connection to the remote website. The client still sees the green lock in their icon, because it received a certificate for that domain from a CA that it trusts. Those last six words are the important part, and the part I think you don't understand. This configuration works because the same people that own and operate the proxy also have complete control over the endpoints, and can direct those endpoints to trust the proxy explicitly. From the IETF link you posted:
For the outbound session scenario, MITM is enabled by generating a local root certificate and an accompanying (local) public/private key pair. The local root certificate is installed on the inside entities for which TLS traffic is to be inspected, and the network security device(s) store a copy of the private key. During the TLS handshake, the network security device (hereafter referred to as a TLS proxy) modifies the certificate provided by the (outside) server and (re)signs it with the private key from the local root certificate. From here on, the TLS proxy has visibility into further exchanges between the client and server which enables it to decrypt and inspect subsequent network traffic.
In your rogue AP example, you do NOT have complete control over the endpoint, and you can NOT force it to install your CA certificate as trusted. That's my entire point.
Last edited by lazydavid on Fri Mar 22, 2019 5:35 am, edited 1 time in total.

lazydavid
Posts: 2536
Joined: Wed Apr 06, 2016 1:37 pm

Re: Computer security

Post by lazydavid » Fri Mar 22, 2019 5:31 am

dream_chaser wrote:
Thu Mar 21, 2019 7:05 pm
rich126 hardly overstated the risk.
If you connect to my access point thinking it's Starbucks, you've got problems. Remote shell, keylogger, etc. TLS encryption to a website is irrelevant at that point.

:oops:
He absolutely did. If you can remotely install a shell or keylogger on my machine, you can do that at any time and don't have to be the AP. That would mean my machine has an open remote code execution vulnerability that you've exploited. And you're correct that TLS would be irrelevant at that point. Why intercept my traffic when you already own the machine it's coming from? Just monitor it directly. But we're getting WAY far afield here. Absent said RCE, if I connect to your AP and try to make a TLS connection to bogleheads, either you're going to let it through or you won't. Perhaps you'll try an HTTP downgrade attack, since bogleheads doesn't have HSTS configured. But then I won't see the lock. If I go to a site that does use HSTS (such as any website that I am responsible for operating), then even if I manually type HTTP:// into the address bar, every modern browser will automatically upgrade the request and will refuse any attempts at a protocol downgrade.
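The HSTS upgrade described in the post above, as an added example that is not part of the original post: a simplified JavaScript model of how a browser handles the Strict-Transport-Security header under RFC 6797. The host names are constructed placeholders, and the preload list that real browsers also ship is left out.

```javascript
// Added example: simplified model of browser HSTS handling (RFC 6797); hosts are placeholders.
// Parse a Strict-Transport-Security value; return null if the header must be ignored.
function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(";")) {
    const [rawName, ...rest] = part.trim().split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;                      // empty directive, e.g. a trailing ";"
    if (seen.has(name)) return null;          // repeated directive: ignore the header
    seen.set(name, rest.join("=").trim().replace(/^"(.*)"$/, "$1"));
  }
  if (!/^\d+$/.test(seen.get("max-age") ?? "")) return null; // max-age is required
  return { maxAge: Number(seen.get("max-age")),
           includeSubDomains: seen.has("includesubdomains") };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }   // host -> { expires, includeSubDomains }

  // Record policy from a response. A header seen over plain HTTP is ignored, so a
  // device on an unencrypted hop can neither set nor clear the policy.
  noteResponse(url, headerValue, nowSec) {
    const u = new URL(url);
    if (u.protocol !== "https:" || /^[\d.]+$|^\[/.test(u.hostname)) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) this.hosts.delete(u.hostname);
    else this.hosts.set(u.hostname, { expires: nowSec + policy.maxAge,
                                      includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // True if the host, or a parent that set includeSubDomains, has unexpired policy.
  isKnown(host, nowSec) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // What the browser actually requests when the user types or follows `url`.
  rewrite(url, nowSec) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.isKnown(u.hostname, nowSec)) return u.href;
    u.protocol = "https:";                    // upgrade before any request is sent
    return u.href;
  }
}
```

In this model a host is only upgraded after one successful HTTPS response has delivered the header, and the entry lapses once `max-age` seconds have passed without a refresh.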

dream_chaser
Posts: 36
Joined: Tue Nov 03, 2015 12:35 pm

Re: Computer security

Post by dream_chaser » Fri Mar 22, 2019 7:56 am

lazydavid wrote:
Fri Mar 22, 2019 5:31 am
dream_chaser wrote:
Thu Mar 21, 2019 7:05 pm
rich126 hardly overstated the risk.
If you connect to my access point thinking it's Starbucks, you've got problems. Remote shell, keylogger, etc. TLS encryption to a website is irrelevant at that point.

:oops:
He absolutely did. If you can remotely install a shell or keylogger on my machine, you can do that at any time and don't have to be the AP. That would mean my machine has an open remote code execution vulnerability that you've exploited. And you're correct that TLS would be irrelevant at that point. Why intercept my traffic when you already own the machine it's coming from? Just monitor it directly. But we're getting WAY far afield here. Absent said RCE, if I connect to your AP and try to make a TLS connection to bogleheads, either you're going to let it through or you won't. Perhaps you'll try an HTTP downgrade attack, since bogleheads doesn't have HSTS configured. But then I won't see the lock. If I go to a site that does use HSTS (such as any website that I am responsible for operating), then even if I manually type HTTP:// into the address bar, every modern browser will automatically upgrade the request and will refuse any attempts at a protocol downgrade.
Starbucks was actually a terrible example on my part, as it is public wifi, but the advice to avoid public wifi because you don't fully know who/what you're connecting to is sage advice. If you keep your banking limited to your personal wireless network that has been configured properly, there is vastly lower risk than banking over a public access point. I can't (through the network) install a remote shell on your machine on your (properly secured) home network.

bob60014
Posts: 1201
Joined: Mon Jul 31, 2017 8:59 pm
Location: The Land Beyond ORD

Re: Computer security

Post by bob60014 » Fri Mar 22, 2019 8:35 am

Yikes.....I'm going back to two cans and a string!

> -------------------------- <

bryanm
Posts: 207
Joined: Mon Aug 13, 2018 3:48 pm

Re: Computer security

Post by bryanm » Fri Mar 22, 2019 10:38 am

For anyone reading this thread and getting bogged down in all the acronyms and security mumbo-jumbo, please do not be scared. No security is perfect. Russia could be watching over your shoulder on a secret 1mm camera embedded into your earlobe! But they probably aren't.

The security concerns about wifi are largely a thing of the past. Today, password security is much more important. If you hear something surprising that makes you scared to use the internet, it's probably not completely true. There are scary things going on sometimes, but they're really deep into the technical weeds. They also tend to get fixed quickly. (For techies, think the Heartbleed bug.)

Nothing is perfect, but the internet when used properly is a fairly secure place these days for normal folks.

(None of this applies to hackers/phreakers/leakers/Edward Snowden types/internet security gurus, etc. It's purely for normal folks going about their business.)

michaelingp
Posts: 217
Joined: Tue Jan 17, 2017 8:46 pm

Re: Computer security

Post by michaelingp » Fri Mar 22, 2019 8:49 pm

bryanm wrote:
Fri Mar 22, 2019 10:38 am
For anyone reading this thread and getting bogged down in all the acronyms and security mumbo-jumbo, please do not be scared.
As my psychiatrist friend is fond of saying, "A bit of anxiety is not a bad thing." I would change this to, "do not be scared, but do be observant", the same way you should be observant when, say, you're riding the subway in a foreign country (or in the U.S. I guess). I call this "Internet street sense." I have seen people fooled by spear phishing attacks that I've never been able to figure how the criminal got the information used to trick the recipient. A friend almost lost $27,000 except that the account she was going to send the money to had been closed.

teamDE
Posts: 265
Joined: Tue Jun 28, 2016 9:16 pm

Re: Computer security

Post by teamDE » Fri Mar 22, 2019 9:53 pm

DO. NOT. REUSE. PASSWORDS.

TerryDMillerMBA
Posts: 115
Joined: Tue Jul 05, 2011 8:32 pm

Re: Computer security

Post by TerryDMillerMBA » Fri Mar 22, 2019 10:38 pm

michaelingp wrote:
Fri Mar 22, 2019 8:49 pm
bryanm wrote:
Fri Mar 22, 2019 10:38 am
For anyone reading this thread and getting bogged down in all the acronyms and security mumbo-jumbo, please do not be scared.
I've never been able to figure how the criminal got the information used to trick the recipient.
Many of them are just guesses, and out of the tens of thousands that they send out, it's going to match up for some people.

I received one phishing scam about my Bank of America account, for example. I have never dealt with them in my whole life. But MANY of the other recipients have had dealings past and present with Bank of America.
