Thursday, April 1, 2010

The Fragile Web

Staying secure on the Internet is very nearly impossible. Total security is out of reach, but there are ways to reduce the risks. Prevention is half of the equation; the other half is secure practice. The more exposure we get as computer users, the more security-minded most of us become. If you are not worried about privacy because you use Linux or a Mac, you still should be. Unencrypted communication, social engineering and online scams do not discriminate between operating systems, which leaves you just as vulnerable as a Windows user.

It is harder to stay secure in the digital era of the 21st century because there is more flexibility, and more temptation, on the Internet. An unencrypted connection can expose your data to the wrong eyes and put your privacy at risk, even if you think you are safe because you keep an up-to-date antivirus on your computer and scan it every day. Likewise, running an IDS on a home computer, or a corporate-grade firewall, may not help much on its own. I think matching the level of risk to the cost is the best way to implement security. Why spend a lot of money on professional-grade controls in a home environment, where the threats are far less significant than in a corporation holding top secret information?

Weighing risk against cost determines whether you should really spend the money and time on implementing a given control. A personal firewall only helps if the user is security conscious and willing to spend the time and effort to check every process and connection on the computer each time a pop-up window appears. Top-of-the-line technology is worthless if the user is not going to spend time checking it; in this case, the user has to spend time and effort setting up firewall rules in order to minimize both risk and false positives on the system.

It is also worth mentioning that a personal firewall and up-to-date antivirus and anti-spyware are not all that is needed. Anyone who does transactions online or sends important e-mail should also use an encrypted connection. VPNs are widely used by companies, but what about home users? Is the risk not the same, or at least similar, for a corporation and for a home user managing his online banking? It only takes one targeted attack on you to have your identity stolen. The best way to prevent this is "abstinence": try not to do financial business online. If enough people do that, corporations will be more likely to change their online policies and improve their systems so that more people can use them. It all comes down to money; this approach negotiates with corporations by making them change their strategy. For example, according to the Slashdot story cited below, Verizon will charge an extra $25 to make online payments more secure. I agree with their strategy of confirming a purchase over the phone with a one-time password, but I do not agree with paying more for a security improvement that should have been there in the first place. Security must be provided with the service, at the same rate.

Even though confirming payments with a phone password might seem a more secure way to pay online, phones carry risks as well. The most obvious one is that users store personal information about their contacts on them. If the phone is lost or stolen, sensitive information can be gathered from it. For example, a BlackBerry can not only be traced with its built-in GPS, but its Facebook application does not time out after some number of minutes, or even days, of inactivity. That means the user might stay logged in to Facebook for weeks or even months, and if the phone is lost or stolen, a great deal of other (internal) information can be taken from and about your contacts. As technology goes mobile, the consumer must be more aware of the risks, because information no longer travels only over wires, encrypted or not. It is now also transmitted over the air, often unencrypted, where any nearby person can eavesdrop on it. That is where man-in-the-middle attacks come into play.

Phones are not the only case; any shared communication medium, and especially one that is over the air, is vulnerable and susceptible to attack. Even though many people think a man-in-the-middle attack takes a tremendous amount of effort, there is still an easy way to pull one off: ARP poisoning with a freely available Windows tool called Cain & Abel (see the irongeek video cited below). Because ARP has no authentication, anyone on the same network segment can tell your machine that the attacker's hardware address belongs to the gateway, and tell the gateway the same about your address, so that both directions of your traffic pass through the attacker's machine. This works on any shared segment, wired or wireless, so a knowledgeable person (hacker?) can easily get his hands dirty with your personal information in places such as cyber-cafes, airports, McDonald's and some convenience stores. Encrypting the traffic itself (TLS or a VPN) keeps it private even when it is being relayed, and a static ARP entry for the gateway, or a tool that watches for changing IP-to-MAC bindings, makes the poisoning visible.
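The detection idea above, watching ARP replies for an IP address whose hardware address suddenly changes, is the basis of tools such as arpwatch. The following is an added example of that logic, written for this page; it is not code from the original post and has nothing to do with Cain & Abel itself. It parses raw Ethernet/ARP frames, learns IP-to-MAC bindings from replies, refuses to overwrite a pinned (trusted) gateway binding, and reports any MAC that has claimed more than one IP address, which is the fingerprint of a two-way man-in-the-middle. The addresses, the `ArpWatch` class and the demo frames are all constructed for the example; on a real network the frames would come from a packet capture on the local interface.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply ("<ip> is-at <mac>")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an ARP reply (constructed input for the demo)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and flag bindings that change (hypothetical helper)."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        self.pinned = dict(pinned or {})              # trusted bindings, e.g. the gateway
        self.table: Dict[str, str] = dict(self.pinned)
        self.claims: Dict[str, Set[str]] = defaultdict(set)  # every IP each MAC has ever claimed
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        self.claims[mac].add(ip)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                      # first sighting: learn it
            return None
        if known == mac:
            return None
        alert = f"{ip} changed from {known} to {mac} (reply sent to {pkt['target_ip']})"
        self.alerts.append(alert)
        if ip not in self.pinned:
            self.table[ip] = mac                      # a pinned binding is never overwritten
        return alert

    def macs_claiming_multiple_ips(self) -> Dict[str, List[str]]:
        """A single MAC answering for several IPs is the signature of a two-way MITM."""
        return {m: sorted(ips) for m, ips in self.claims.items() if len(ips) > 1}


def demo() -> dict:
    """Replay a constructed poisoning sequence: two honest replies, then the attacker's pair."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:00:00:10"
    attacker_mac = "de:ad:be:ef:00:01"
    watch = ArpWatch(pinned={gateway_ip: gateway_mac})
    frames = [
        build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip),    # legitimate
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),    # legitimate
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # poisons the victim
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),  # poisons the gateway
    ]
    for f in frames:
        watch.observe(f)
    return {
        "alerts": watch.alerts,
        "suspects": watch.macs_claiming_multiple_ips(),
        "gateway_mac": watch.table[gateway_ip],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The pinned gateway entry is the important design choice: a naive cache that always trusts the newest reply is exactly what the attack exploits, so the watcher records the conflict but keeps the trusted binding. Gratuitous ARP from a DHCP lease change will also trip the first check, which is why the second check (one MAC claiming several IPs) is the stronger signal.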

Having the most flexibility possible and the most security possible at the same time is impossible; you cannot have both. While some people prefer convenience and flexibility over security, a wiser choice is to aim for some of each, at a level that minimizes the risk of being hacked. In this high-tech world, doing our everyday chores while on the move can be dangerous. This is the time to think carefully about our decisions. Come on, we can do better, America!


Sources

Verizon strategy (Slashdot): http://games.slashdot.org/story/10/03/22/2141205/Verizon-Set-To-Launch-Mobile-Payment-Service?art_pos=1

Cain & Abel ARP poisoning video (irongeek): http://www.irongeek.com/i.php?page=videos/using-cain-to-do-a-man-in-the-middle-attack-by-arp-poisoning
