Mon Jun 02, 2008 8:55 pm
Computer Security 101
To understand data security, its often helpful to look at it terms of what information is transferred/stored where, and how an attacker could obtain this information, and how they could use it to obtain your identity.
There is no such thing as absolute computer security, rather its a case of how much effort you want to put into blocking various vectors of attack, vs how much effort the attacker is willing to put into obtaining your information. Choose the level of paranoia you are comfortable with.
When you register, your details are transmitted over the wire, and stored in the ESK database. Your profile data is publically available, but unless you tick the box, it is not publically available.
Your IP address is not publically available, but it is transmitted over the wire every time you view a website, and is stored on the ESK database next to every post.
As for attack vectors, OSAs options would include:
1. Cross site scripting attacks. Posting some javascript code in a posting, which submits your cookie information (IP and username) to an external website. - Part of the reason for the funny [tag] syntax used when making your posts here is to avoid this sort of attack. And as a a fairly well used piece of open source software, security issues like this would have been given quite a bit of attention, and browsers have additional safeguards, but future security bugs and exploits are potentially possible - google for "sammy is my hero" for an interesting story - disabling javascript in your browser will void any such attacks.
2. Infiltrate ISPs or backbone providers and monitor traffic over the wire. Governments supposedly do this, but ISPs should generally consider this data as commercially confidential to outsiders - This would revel your IP, the websites you visited, and potentially any data sent over the wire that they managed to capture - Using https, proxies and/or tor will encript traffic over the wire, and make it mathematically unreadable to a 3rd party listener.
3. Directly comprise the ESK webserver. This would either require finding an exploit in the software running on the server (its linux so its fairly secure), or knowledge of the server login details. A brute force attack (attempting every alphanumeric login combination) would take a very long time, and would be logged and noticed by the server admins.
4. Comprise an individual, or machine, that happens to have server access to the ESK server. Either by accessing their computer, or though social engineering or intimidation. - This would expose the email addresses, private messages and IPs - not really much you can do about these last two, other than trust the admins. Signing up with a separate email address and deleting private messages with sensitive information in them would minimise the amount of useful data stored on the server.
5. Fake a user login into this site. It would require your username and password, but chances are that your own password is less secure than the one on the server (such as a word in the dictionary), or may be the same as used elsewhere (and they have somehow discovered that one). Once they are logged in as you, they can see everything you can see.
5. Social Engineering, which is the non-techie way of getting information. Essentially it involves pretending to be somebody else and asking seeming innocent questions to extract the desired information - be on guard to survey questions asking you for your password in exchange for a chocolate bar.
So once they have this data what can they do,
Your ISP will either give you a static IP, or a dynamic one (such as on a modem - changes every time you log in). The RIAA have been trying to ask ISPs for personal details when given an IP list, not sure about the UK now, but I think they now need to bring a John Doe law suit in the US before the ISP is forced to hand over the data.
Your email, means they can spam you. And also whois the domain you have your email hosted with (which is more an issue for personally hosted servers).
If you use the same nick as on other forums, or post personal information elsewhere on the internet, it may be possible to locate this information and cross-reference it with clues from elsewhere to piece together your identity.
If they try to directly access your IP address, and you have an ADSL router, they will only see the router and not have permission to send it any commands. If your machines IP is directly accessible (ie a USB ADSL modem), then its worth getting a firewall installed (or not using windows - ie Linux or OSX), Windows XP SP2 has a firewall by default.
For email, I STRONGLY recommend against using Outlook Express, its hopelessly insecure, and likely to get your computer infected with a virus. Use big outlook, or Mozilla Thunderbird.
As for web browsers, IE7 and IE8 have slightly improved security measures over IE6. But I would recommend Firefox, even if not just for the security, but for all the really, really useful extensions and add-ons that make web-browsing so much better. (Also as a web developer, having to support IE6 in websites is a real nuisance, but until everyone stops using it, its holding back the state and ease of web-development)
Again its largely a question of general awareness, combined with the amount of effort you want to put into maintaining your desired level of paranoia, vs the value of the information you want to protect (both from your viewpoint and theirs), and the amount of effort they want to go to in order to have a chance of obtaining it.
This is the quick website-security 101 posting. Hopefully enough details to chew on, but don't take it as a definitive guide. Any questions, either ask away or simply google for them.
PS. If I have gotten anything wrong, missed something important out, or stated it in a way that might be misinterpreted by a non-techie, then please comment.
PPS. I have made this thread sticky, so if anybody has any other links, guides or howto's on staying safe on-line, or other relivant questions or answers, please post them here for reference.
There is no such thing as absolute computer security, rather its a case of how much effort you want to put into blocking various vectors of attack, vs how much effort the attacker is willing to put into obtaining your information. Choose the level of paranoia you are comfortable with.
When you register, your details are transmitted over the wire, and stored in the ESK database. Your profile data is publically available, but unless you tick the box, it is not publically available.
Your IP address is not publically available, but it is transmitted over the wire every time you view a website, and is stored on the ESK database next to every post.
As for attack vectors, OSAs options would include:
1. Cross site scripting attacks. Posting some javascript code in a posting, which submits your cookie information (IP and username) to an external website. - Part of the reason for the funny [tag] syntax used when making your posts here is to avoid this sort of attack. And as a a fairly well used piece of open source software, security issues like this would have been given quite a bit of attention, and browsers have additional safeguards, but future security bugs and exploits are potentially possible - google for "sammy is my hero" for an interesting story - disabling javascript in your browser will void any such attacks.
2. Infiltrate ISPs or backbone providers and monitor traffic over the wire. Governments supposedly do this, but ISPs should generally consider this data as commercially confidential to outsiders - This would revel your IP, the websites you visited, and potentially any data sent over the wire that they managed to capture - Using https, proxies and/or tor will encript traffic over the wire, and make it mathematically unreadable to a 3rd party listener.
3. Directly comprise the ESK webserver. This would either require finding an exploit in the software running on the server (its linux so its fairly secure), or knowledge of the server login details. A brute force attack (attempting every alphanumeric login combination) would take a very long time, and would be logged and noticed by the server admins.
4. Comprise an individual, or machine, that happens to have server access to the ESK server. Either by accessing their computer, or though social engineering or intimidation. - This would expose the email addresses, private messages and IPs - not really much you can do about these last two, other than trust the admins. Signing up with a separate email address and deleting private messages with sensitive information in them would minimise the amount of useful data stored on the server.
5. Fake a user login into this site. It would require your username and password, but chances are that your own password is less secure than the one on the server (such as a word in the dictionary), or may be the same as used elsewhere (and they have somehow discovered that one). Once they are logged in as you, they can see everything you can see.
5. Social Engineering, which is the non-techie way of getting information. Essentially it involves pretending to be somebody else and asking seeming innocent questions to extract the desired information - be on guard to survey questions asking you for your password in exchange for a chocolate bar.
So once they have this data what can they do,
Your ISP will either give you a static IP, or a dynamic one (such as on a modem - changes every time you log in). The RIAA have been trying to ask ISPs for personal details when given an IP list, not sure about the UK now, but I think they now need to bring a John Doe law suit in the US before the ISP is forced to hand over the data.
Your email, means they can spam you. And also whois the domain you have your email hosted with (which is more an issue for personally hosted servers).
If you use the same nick as on other forums, or post personal information elsewhere on the internet, it may be possible to locate this information and cross-reference it with clues from elsewhere to piece together your identity.
If they try to directly access your IP address, and you have an ADSL router, they will only see the router and not have permission to send it any commands. If your machines IP is directly accessible (ie a USB ADSL modem), then its worth getting a firewall installed (or not using windows - ie Linux or OSX), Windows XP SP2 has a firewall by default.
For email, I STRONGLY recommend against using Outlook Express, its hopelessly insecure, and likely to get your computer infected with a virus. Use big outlook, or Mozilla Thunderbird.
As for web browsers, IE7 and IE8 have slightly improved security measures over IE6. But I would recommend Firefox, even if not just for the security, but for all the really, really useful extensions and add-ons that make web-browsing so much better. (Also as a web developer, having to support IE6 in websites is a real nuisance, but until everyone stops using it, its holding back the state and ease of web-development)
Again its largely a question of general awareness, combined with the amount of effort you want to put into maintaining your desired level of paranoia, vs the value of the information you want to protect (both from your viewpoint and theirs), and the amount of effort they want to go to in order to have a chance of obtaining it.
This is the quick website-security 101 posting. Hopefully enough details to chew on, but don't take it as a definitive guide. Any questions, either ask away or simply google for them.
PS. If I have gotten anything wrong, missed something important out, or stated it in a way that might be misinterpreted by a non-techie, then please comment.
PPS. I have made this thread sticky, so if anybody has any other links, guides or howto's on staying safe on-line, or other relivant questions or answers, please post them here for reference.
Freedom is a choice. Choose to be yourself, choose to speak your truth and do so with compassion. And above all else, choose to be not afraid. If I can't dance, its not my revolution.
