Warning to ebay sellers - a cautionary tale

One of my customers has a good-sized business selling on ebay - at any time he has thousands of auctions in progress, and he's been making a very healthy living for himself and a half-dozen employees for several years.
Recently, he was travelling in China visiting suppliers. He used the hotel wifi (I forget which hotel, but one of the major chains) to do some ebay business. Someone hijacked his ebay account and put up hundreds of auctions that looked legit, but with a rogue paypal account.
When he got back to his office this week, my guy found tons of email from "his" customers looking for shipments from auctions they had won and paid for. I'm sure this will be worked out between ebay and paypal, but still, it's a cautionary tale.

that's what you get for dealing with commies.

I am exceedingly paranoid about protecting security of my logins to important websites, like banks or ebay. I would, for example, never, ever log onto anything of importance from any computer that I did not own.
i
On Wed, 11 Apr 2012 21:42:24 -0500, the renowned Ignoramus32726

Or left unattended for any length of time. There are easily available programs that can turn on the camera or microphone of a computer or cell phone without your knowledge, stream video, record and send audio etc. etc. (and stealing passwords would be no problem, of course). Some governments have admitted using them, they're cheap enough for half-ass hackers, you have to assume that it's a possibility that any government or any hacker will try to use such software.
Lawyers even suggest removing the batteries from cell phones and removing computers if you have something really confidential to discuss.
In an emergency, if you have to log into a bank or whatever be sure to go and change the password as soon as possible afterward from a secure machine.
Best regards, Spehro Pefhany
--
"it's the network..." "The Journey is the reward"
snipped-for-privacy@interlog.com Info for manufacturers: http://www.trexon.com
On 4/11/2012 8:19 PM, Spehro Pefhany wrote:

Use your favorite search engine to look up "advanced persistent threat". There is a good reason to not keep sensitive information on any device connected to public media.

My own shorthand is that it is likely impossible for an individual of limited means, like me, to guard against a real APT, but nevertheless, I do try.
I never use Windows, SSH everywhere, everything sensitive is encrypted, laptop is encrypted, etc.
i

The basic defense against APTs is an airgap-isolated computer or computer network where one does the work, and a separate computer for the internet. Keep essentially nothing on the connected computer. Sneakernet files between as needed, delete files when no longer needed. In other words, keep the connected computer sterile.
Even if something manages to get onto the isolated systems, it won't do them any good, because the APT will have no way to contact the mothership.
Using Linux helps a lot, but is useless if the threat is targeted on you by name. But the isolated system is pretty effective even then, unless someone can get physical access.
Joe Gwinn

Sounds very fun, except that in real life, I do need to use the Internet.

I cannot make money from an isolated system.
i
On Apr 12, 10:54pm, Ignoramus26859 <ignoramus26...@NOSPAM. 26859.invalid> wrote:

But you do not need for everything to be connected to the internet. For example I use a tax program for my income taxes. I use a flash drive for that program and only plug in the flash drive when actually using the program. And powering down the internet connection box when doing my taxes has me isolated from the internet. I also power down my computer when I am not using it.
I realize that this is not fool proof, but it is kind of like having something padlocked. Does not make your stuff safe, but does encourage thieves to go find an easier place to rob.
Dan
A lot of things work fine, off the internet. One of my customers, years ago. Used some software for his finances and accounting. Local stand alone system, no internet. And no anti virus. Not needed. Neither the net, nor the antivirus were needed.
Christopher A. Young Learn more about Jesus www.lds.org .
On Fri, 13 Apr 2012 10:11:21 -0400, "Stormin Mormon"

A virus can enter the system by the user plugging in an infected flash drive, and once in can transmit itself and data to other computers via the exchange of infected flash drives. The internet only speeds things up.
I have actually seen this occur- a virus on an infected flash drive that someone gave me, and my antivirus program caught it.
A much more professional virus transmitted in a similar way was reportedly used a couple of years ago in a scheme to deliberately cause severe damage to some equipment in one of Iran's civilian nuclear installations. The French Navy, Lockheed Martin, IBM and others who should have far better security than your average user have reportedly been hit by flash drive transmitted viruses.     
http://en.wikipedia.org/wiki/Stuxnet
http://www.pcworld.com/article/159224/conficker_worm_sinks_french_navy_network.html
http://nakedsecurity.sophos.com/2010/05/21/ibm-distributes-usb-malware-cocktail-auscert-security-conference/
Short of actually typing everything into the computer yourself and printing things out on paper to take data out, I don't think you can ever be 100% sure the system is really isolated in the long run.
On 4/13/2012 10:14 AM, Spehro Pefhany wrote:

Yeah yeah, and the Pentagon got hit by a flash drive they picked up in the parking lot and plugged in just to see who lost it.
But if the drive never leaves the owner's possession it should be safe. (unless infected by HIS system).
Personally, were I doing all this I'd break off my accounting and personal stuff to a completely separate computer - nor run it on a server.
wrote:

Presumably the flash drive is being used to transmit data to and from another (less secure system). If you use a new (known safe) flash drive every time and only transmit data out of the secure system you should be okay.
Anything else has vulnerabilities, even to script kiddies. Imagine the second computer is seething with viruses, and it contaminates the flash drive as soon as you insert it. Try to format it on the virus-laden computer and it loads it with the virus at the same time. Stick it in the secure computer to format it and it infects the secure computer.

That sure helps.

The point was to prevent loss of data (even when infected), not to prevent infection. Nothing is perfect, but there are things one can do to sharply reduce the potential loss.
Joe Gwinn

You can have a secure PC or network without Net access (my HDTV recorder), a less secure one behind a firewall, and a stand-alone Honeypot to trap and reveal threats. I use this one for both of the latter, by visiting software download sites only after making a C: backup.
The Microsoft Update Catalog contains updates that you can download to an on-line PC and install on the off-line ones. http://catalog.update.microsoft.com/v7/site/FaqGeneric.aspx
jsw

There is no way to stop an intelligence agency, but for ordinary people or business protecting themselves against having money stolen, there are economically reasonable defenses.
The difference is that most hackers are in it for the money. In short, hacking is their business, so if you make yourself unprofitable, you'll be largely immune.
An intelligence agency is not in it for the money, and in fact money is no limitation for them. In the above story, the objective was to cripple the Iranian nuclear program, at least for a few years, and there was no need to get data out or to remotely control things, so there was no need for communications.
Joe Gwinn

I believe the Iranians had their centrifuges hosed by a virus that used this path. Stuxnet comes to mind.
Wes
-- "Additionally as a security officer, I carry a gun to protect government officials but my life isn't worth protecting at home in their eyes." Dick Anthony Heller

I recall reading the same thing.
i
On Thu, 12 Apr 2012 21:54:14 -0500, Ignoramus26859

How about two physical switches and two computers? One system is connected to the Internet for online transactions for your business. Modem is physically switchable to OFF.
Keep financial info on the disconnected system. System is physically switchable to grab info from Internet connected system ONLY when modem is turned off. Turn modem switch off and interconnect switch on, transfer data, toggle both switches.
-- Happiness is not a station you arrive at, but a manner of traveling. -- Margaret Lee Runbeck
On Thu, 12 Apr 2012 22:13:47 -0400, the renowned Joseph Gwinn

Good if you're fixed in space (if not time), but not a helluva lotta good if you have to travel and have access to a great many files and bits of crucial information. Especially across borders.
The current thinking is it's only safe to cross borders with a "forensically clean" laptop. Here's the US rules, other countries may or may not be as bad, but it's plenty bad enough:
http://www.cbp.gov/linkhandler/cgov/travel/admissibility/elec_mbsa.ctt/elec_mbsa.pdf
Best regards, Spehro Pefhany
--
"it's the network..." "The Journey is the reward"
snipped-for-privacy@interlog.com Info for manufacturers: http://www.trexon.com
