Home Current News News Archive Shop/Advertise Ridecamp Classified Events Learn/AERC
Endurance.Net Home Ridecamp Archives
ridecamp@endurance.net
[Archives Index]   [Date Index]   [Thread Index]   [Author Index]   [Subject Index]

RE: [RC] Whats New with SERA - Teri

I have used paypal for all of my web site accounts that do not carry credit
cards.  I also use it myself.  I purchase things over the internet.  I have
never had any funds stolen.  I have however had my identity stolen at the
bank I used by a bank employee.  Checks are not safe.  There are thieves
everywhere and they work everywhere.  Just because you drop your check at
the post office does not mean nothing will happen.  I know an employee that
works at the post office right now that is a drug addict.  Have I reported
it yes.  Did he take a drug test, yes.  There is no resolution to this
matter.  Just watch your money.  I do because banks are human and make
mistakes also.

I hate to differ with you David on the Windows OS, but it is known
throughout that it has the most holes for hackers and secuirty, I agree with
Truman on this.

Teri

-----Original Message-----
From: ridecamp-owner@xxxxxxxxxxxxxxxxx
[mailto:ridecamp-owner@xxxxxxxxxxxxxxxxx]On Behalf Of David LeBlanc
Sent: Saturday, February 07, 2004 6:36 PM
To: 'Truman Prevatt'; 'Ride Camp'
Subject: RE: [RC] Whats New with SERA


Truman Prevatt said:

      There are always inherent risk with using the internet for commerce.
There is an inherent risk in using a credit card for a payment and there is
an inherent risk of using a check.

[dcl]
Security is about managing risk, not about eliminating it, so you're correct
that there is always a risk, and the real point is the relative risk with
respect to the asset being protected, how well it is protected, and the
threat level against the asset.

Credit cards and checks both have safeguards in place against fraud (though
to different levels).

      While you are signed on the internet a hacker can get any
information you have stored in your computer - username and password to any
site.

[dcl]
If your system is compromised, yes. If you run a virus (more accurately a
trojan), then it's true that anything stored on your system can be revealed.
However, that isn't the only angle of attack. I can go directly to a web
site and see if I can get into your account. I don't have to always
compromise your system. There's also the risk that the server on the other
end is compromised.

The windows operating system is the most vulnerable OS out there.

[dcl]
This isn't accurate. It is certainly the most attacked system out there due
to the numbers of systems available. UNIX and Linux systems are also highly
vulnerable. Macs are open to attack. AOL users are subject to specialized
attacks. If you expose an unpatched system, regardless of operating system,
to the internet, it will probably get hacked. The key is to a) stay up to
date on patches, b) use good sense (don't open attachments you aren't
expecting - the current worm uses NO security hole other than user error),
and c) enable a firewall on internet-exposed systems. This advice is just as
valid whether you're running Windows, Linux, UNIX, Mac, etc.

They can then go to the site, e.g. amazon.com and check our your history
and download other information. They can hack into a banks files and get all
the credit card numbers and information for the bank and use those numbers -
that's actually been done.  A hacker can install in you computer a
background program to capture and report back on you keystrokes. So while
you are buying something online, the link between you and the merchant is
encrypted and secure, but the hacker knows what you are sending and you
credit card information can be derived from that.

[dcl] Yes, all of these things can and have happened. This assumes that your
system is compromised, and there are people who operate this way. Other
people use different attack methods. For example, user-chosen passwords are
going to be vulnerable to a simple dictionary attack unless there are
password filters in place to prevent this. If I can gather the e-mail
addresses of enough PayPal users, I can then launch a pure dictionary attack
against them, and I'll harvest a few accounts. This is an extraordinarily
low bar - far lower than having to install a keystroke logger, hoping that
it stays there and that someone else doesn't take over the same system in
the mean time.

This is a particular problem with windows and this is why things like
firewalls are important and virus checkers are importnat.

[dcl] Absolutely not. Keystroke loggers (also known as rootkits) predate
what we think of as Windows (say Windows 3.0). In fact, it has only been
recently that rootkits have reached the same level of sophistication on
Windows systems as have been available on UNIX and Linux systems for years.
They have caught up, though, so Windows systems are now subject to the same
types of threats as non-Windows systems have been subject to since the 80's.

      In the mid 1990, a hacker broke into the payroll computer network in
the Pentagon and was trying to move funds around. He was initially
sucessful, but was caught.

I know someone who did a white-hat penetration test on a large bank and
moved very large amounts of money around. I know lots of people who test
network security for a living (I have done this myself) and some of the
stories are horrendous. There's a lower correlation between operating system
and security than between how good the operator is and security.

For example, if my Linux system were exposed to the Internet, it would get
hacked in minutes. OTOH, I designed (and in OpenHack 1 and 2 configured
personally) the security of the Windows systems used in eWeek's OpenHack 1,
2 and 4 contests, and they emerged without a scratch in every case. I'm
simply better at securing Windows than Linux.

      While there are inherent risk with any movement of funds by
electronic means, I suspect the risk with PayPal are no greater than having
a bank card with Chase and a lot less risk than having your credit card
number stored in your windows computer.

[dcl]
IMHO, the risk of using PayPal is high enough that I will not use it. The
user name for the account is public knowledge, and user-chosen passwords
tend to be very weak. There's a serious risk here even if your system isn't
compromised. This is why I think the advice to:

1) Use an account to back PayPal that is completely unassociated with
anything else.
2) Do not keep more funds in that account than absolutely neccesary.
3) If you receive funds via PayPal, transfer them immediately to another
account.

Is very solid advice. It's a risky system with inherently weak
authentication methods. If you choose to use the system, mitigate the risk
by reducing the value of the asset to something you don't mind losing.
Personally, the trouble involved in mitigating the risk outweighs the
convenience of the service, and I'd rather use other methods - especially
for something like a membership I pay for once a year. YMMV, and if you do
something else I hope it works out well.

      Ten years algo there were significant risk. Today with the newer
technology the risk is much lower. However, nothing is totally risk free
including paying by check.

[dcl]
Very true - taking a shower and driving to work are probably some of the
riskiest things we do, and we don't typically worry about it. For example,
there's a risk associated with putting outbound checks in your mailbox. I
mitigate that by dropping them at the Post Offfice.



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ridecamp is a service of Endurance Net, http://www.endurance.net.
Information, Policy, Disclaimer: http://www.endurance.net/Ridecamp
Subscribe/Unsubscribe http://www.endurance.net/ridecamp/logon.asp

Ride Long and Ride Safe!!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ridecamp is a service of Endurance Net, http://www.endurance.net.
Information, Policy, Disclaimer: http://www.endurance.net/Ridecamp
Subscribe/Unsubscribe http://www.endurance.net/ridecamp/logon.asp

Ride Long and Ride Safe!!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Replies
RE: [RC] Whats New with SERA, David LeBlanc