Warning to ebay sellers - a cautionary tale

One of my customers has a good-sized business selling on ebay - at any time he has thousands of auctions in progress, and he's been making a very healthy living for himself and a half-dozen employees for several years.

Recently, he was travelling in China visiting suppliers. He used the hotel wifi (I forget which hotel, but one of the major chains) to do some ebay business. Someone hijacked his ebay account and put up hundreds of auctions that looked legit, but with a rogue paypal account.

When he got back to his office this week, my guy found tons of email from "his" customers looking for shipments from auctions they had won and paid for. I'm sure this will be worked out between ebay and paypal, but still, it's a cautionary tale.

Reply to
rangerssuck

that's what you get for dealing with commies.

Reply to
Cydrome Leader

I am exceedingly paranoid about protecting security of my logins to important websites, like banks or ebay. I would, for example, never, ever log onto anything of importance from any computer that I did not own.

i
Reply to
Ignoramus32726

I always use an encrypted proxy when I'm using a public Wifi and doing anything more than reading the news. In China too (it also allows me to tunnel under the great firewall and pop up in the US, Canada, Western Europe etc.). It's not free, but inexpensive insurance.

Best regards, Spehro Pefhany

Reply to
Spehro Pefhany

Or left unattended for any length of time. There are easily available programs that can turn on the camera or microphone of a computer or cell phone without your knowledge, stream video, record and send audio etc. etc. (and stealing passwords would be no problem, of course). Some governments have admitted using them, they're cheap enough for half-ass hackers, you have to assume that it's a possibility that any government or any hacker will try to use such software.

Lawyers even suggest removing the batteries from cell phones and removing computers if you have something really confidential to discuss.

In an emergency, if you have to log into a bank or whatever be sure to go and change the password as soon as possible afterward from a secure machine.

Best regards, Spehro Pefhany

Reply to
Spehro Pefhany

Use your favorite search engine to look up "advanced persistent threat". There is a good reason to not keep sensitive information on any device connected to public media.

Reply to
Bill

Yes, good list.

I also do not use Microsoft Windows.

i i
Reply to
Ignoramus32726

My own shorthand is that it is likely impossible for an individual of limited means, like me, to guard against a real APT, but nevertheless, I do try.

I never use Windows, SSH everywhere, everything sensitive is encrypted, laptop is encrypted, etc.

i
Reply to
Ignoramus32726

Not just in China. A couple of years ago, they hijacked the free WiFi that our local library provides in a nearby shopping mall. What actually happened is that the phone company decided to go into the pay WiFi business at that location, so they pressured the mall owners to kick out the free service. But when the free access points disappeared, some enterprising soul used the old name and set up his own access point. Problem was: That new point got you onto the Internet through a broken domain name service. And perhaps some other broken services as well (like bogus SSL certificate servers, etc.). The end result was that anyone not watching what they were doing could be connecting to a service that could divert them through some man-in-the-middle attack without realizing it.

The only difference is that in China, the government is in this racket. However, I doubt that they (the gov't) would tip their hand, so to speak, just to snag some PayPal revenue. It's probably just local organized crime (like in our mall).

Reply to
Paul Hovnanian P.E.
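The rogue access point described in the post above gave itself away through its DNS: every name went through a broken resolver that steered victims toward a man-in-the-middle box. The following script is an added example, not code from anyone in this thread. It shows the two checks a traveller can run from an untrusted hotspot before logging into anything: pinned names (snapshotted on a trusted network) resolving to addresses outside the recorded set, and many unrelated names collapsing onto one address. All hostnames, addresses and the PINNED table are constructed placeholders in the reserved `.test` domain; the analysis functions are pure and run offline, and only the `__main__` block does live lookups.

```python
"""Spot the two tell-tale signs of a hijacked hotspot's DNS:
(1) pinned hostnames resolving to addresses outside the set recorded on a
    trusted network, and (2) many unrelated hostnames all resolving to the
    same address (a wildcard resolver funnelling every name through one
    man-in-the-middle host).  The analysis is pure and offline; the live
    resolver is only used when the script is run directly."""
import socket
from collections import defaultdict

# Expected answers recorded on a trusted network.  Hypothetical placeholder
# values: take your own snapshot with resolve_all() at home, not these.
PINNED = {
    "www.example-bank.test": {"198.51.100.10", "198.51.100.11"},
    "signin.example-auction.test": {"203.0.113.20"},
}

# Unrelated names used as canaries: they should never share an address.
CANARIES = ["www.example-news.test", "mail.example-isp.test", "cdn.example-static.test"]


def check_pins(answers, pinned=PINNED):
    """Return [(host, unexpected_addresses)] for pinned names whose answers
    left the recorded set.  Missing answers are not flagged here."""
    findings = []
    for host, expected in pinned.items():
        unexpected = set(answers.get(host, ())) - expected
        if unexpected:
            findings.append((host, sorted(unexpected)))
    return findings


def check_wildcard(answers, threshold=3):
    """Return {address: [hosts]} for any address answering for at least
    `threshold` distinct hostnames - the wildcard-resolver signature."""
    by_addr = defaultdict(set)
    for host, addrs in answers.items():
        for addr in addrs:
            by_addr[addr].add(host)
    return {a: sorted(h) for a, h in by_addr.items() if len(h) >= threshold}


def assess(answers, pinned=PINNED, threshold=3):
    """Combine both checks into one verdict for the current network."""
    pins = check_pins(answers, pinned)
    wild = check_wildcard(answers, threshold)
    return {"pin_violations": pins, "wildcard_addresses": wild,
            "suspicious": bool(pins or wild)}


def resolve_all(hosts):
    """Live lookup through whatever resolver the hotspot handed out."""
    out = {}
    for host in hosts:
        try:
            out[host] = {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}
        except socket.gaierror:
            out[host] = set()
    return out


# Constructed sample: answers a hijacked access point's resolver might return.
ROGUE_SAMPLE = {
    "www.example-bank.test": {"192.0.2.1"},
    "signin.example-auction.test": {"192.0.2.1"},
    "www.example-news.test": {"192.0.2.1"},
    "mail.example-isp.test": {"192.0.2.1"},
    "cdn.example-static.test": {"203.0.113.77"},
}

# Constructed sample: a well-behaved network matching the pinned snapshot.
CLEAN_SAMPLE = {
    "www.example-bank.test": {"198.51.100.10"},
    "signin.example-auction.test": {"203.0.113.20"},
    "www.example-news.test": {"192.0.2.50"},
    "mail.example-isp.test": {"192.0.2.51"},
    "cdn.example-static.test": {"203.0.113.77"},
}

if __name__ == "__main__":
    # Run from the untrusted network before logging into anything.
    print(assess(resolve_all(list(PINNED) + CANARIES)))
```

A pinned snapshot goes stale when a site changes hosting, so a single pin violation is a prompt to stop and verify rather than proof of an attack; the wildcard check is the stronger signal, because legitimate unrelated sites almost never share one address.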

Knowing the Chinese, probably not all that organized.

Reply to
Spehro Pefhany

The basic defense against APTs is an airgap-isolated computer or computer network where one does the work, and a separate computer for the internet. Keep essentially nothing on the connected computer. Sneakernet files between as needed, delete files when no longer needed. In other words, keep the connected computer sterile.

Even if something manages to get onto the isolated systems, it won't do them any good, because the APT will have no way to contact the mothership.

Using Linux helps a lot, but is useless if the threat is targeted on you by name. But the isolated system is pretty effective even then, unless someone can get physical access.

Joe Gwinn

Reply to
Joseph Gwinn

Sounds very fun, except that in real life, I do need to use the Internet.

I cannot make money from an isolated system.

i
Reply to
Ignoramus26859

Good if you're fixed in space (if not time), but not a helluva lotta good if you have to travel and have access to a great many files and bits of crucial information. Especially across borders.

The current thinking is it's only safe to cross borders with a "forensically clean" laptop. Here are the US rules, other countries may or may not be as bad, but it's plenty bad enough:

formatting link

Best regards, Spehro Pefhany

Reply to
Spehro Pefhany

He used wifi, so he must have had his own computer. But Wifi can be snooped, especially at hotels and open sites.

The question is whether he could use ssh to connect to a home computer (preferably some flavor of unix) so all transactions would be protected from snooping -- or whether the use of encryption in China would be illegal and get him arrested as a spy.

Good Luck, DoN.

Reply to
DoN. Nichols

I use 128 bit AES encryption often in China, US etc. for VPN and in practice there is no problem, at least for an ordinary non-spy businessman or tourist.

It's illegal to sell imported encryption technology without authorization (penalty is related to how much money you made by breaking the law). China has key disclosure laws along the lines of the UK, Canada and other countries, which may not be constitutional in the US, depending on the interpretation of the 5th Amendment (they'll try though).

I would not bet my life on the idea that the US, Chinese or any other government could not pierce that level of security one way or another anyway if they really wanted to, of course, but it minimizes the likelihood of the kind of petty criminal activity that is under discussion here without causing much inconvenience or expense.

I've heard of people getting snooped while leeching wifi at Starbucks or McDonald's, for example. A free download and any moron script kiddie apparently can do it:

formatting link
...and, at random from a google search, here is a claimed spyware for cell phones (no idea if this one is legitimate (whatever that means)):

formatting link
_Millions_ of both of the above are said to have been downloaded. Take care out there!

Best regards, Spehro Pefhany

Reply to
Spehro Pefhany

But you do not need for everything to be connected to the internet. For example I use a tax program for my income taxes. I use a flash drive for that program and only plug in the flash drive when actually using the program. And powering down the internet connection box when doing my taxes has me isolated from the internet. I also power down my computer when I am not using it.

I realize that this is not foolproof, but it is kind of like having something padlocked. Does not make your stuff safe, but does encourage thieves to go find an easier place to rob.

Dan

Reply to
dcaster

A lot of things work fine off the internet. One of my customers, years ago, used some software for his finances and accounting. Local stand alone system, no internet. And no anti virus. Not needed. Neither the net nor the antivirus were needed.

Christopher A. Young Learn more about Jesus

Reply to
Stormin Mormon

A virus can enter the system by the user plugging in an infected flash drive, and once in can transmit itself and data to other computers via the exchange of infected flash drives. The internet only speeds things up.

I have actually seen this occur- a virus on an infected flash drive that someone gave me, and my antivirus program caught it.

A much more professional virus transmitted in a similar way was reportedly used a couple of years ago in a scheme to deliberately cause severe damage to some equipment in one of Iran's civilian nuclear installations. The French Navy, Lockheed Martin, IBM and others who should have far better security than your average user have reportedly been hit by flash drive transmitted viruses.

formatting link
Short of actually typing everything into the computer yourself and printing things out on paper to take data out, I don't think you can ever be 100% sure the system is really isolated in the long run.

Reply to
Spehro Pefhany

Yeah yeah, and the Pentagon got hit by a flash drive they picked up in the parking lot and plugged in just to see who lost it.

But if the drive never leaves the owner's possession it should be safe (unless infected by HIS system).

Personally, were I doing all this I'd break off my accounting and personal stuff to a completely separate computer, and not run it on a server.

Reply to
Richard

There is no way to stop an intelligence agency, but for ordinary people or business protecting themselves against having money stolen, there are economically reasonable defenses.

The difference is that most hackers are in it for the money. In short, hacking is their business, so if you make yourself unprofitable, you'll be largely immune.

An intelligence agency is not in it for the money, and in fact money is no limitation for them. In the above story, the objective was to cripple the Iranian nuclear program, at least for a few years, and there was no need to get data out or to remotely control things, so there was no need for communications.

Joe Gwinn

Reply to
Joseph Gwinn