[AT] OT - unsecured servers

Spencer Yost spencer at rdfarms.com
Thu Jan 2 19:16:12 PST 2020


Just to be clear, VPNs are primarily used to anonymize you. In other words: hide origin and identity. While the traffic between you and the VPN service is indeed secure (provided the service is legit and well configured), after it leaves a VPN service your traffic is no different than when leaving your ISP.

I generally recommend them for people who have enough tech savvy to set them up and use them. And I am not knocking anonymity - there is something to be said for that. The services also provide some additional features such as compression to improve your bandwidth, etc. Also, regardless of its limitations it’s more secure than a coffee shop. But make no mistake: if you really are worried about man-in-the-middle attacks (or any of the other attacks I mentioned), VPNs are not a solution.

In other words, VPNs are the cat’s meow when used between you and your endpoint (e.g. connecting to your employer’s internal networks). If the service is not your endpoint, your risk profile is only marginally improved.

If you are serious about anonymity you should look into the TOR network.

https://www.torproject.org/

Spencer

Sent from my iPhone

> On Jan 2, 2020, at 9:21 AM, Easley, Greg A. <EasleyG at health.missouri.edu> wrote:
> 
> Very good advice there.
> 
> I would add one thing to that - purchase a subscription to one of the commercial VPN services.
> 
> 
> Greg
> 
> -----Original Message-----
> From: AT [mailto:at-bounces at lists.antique-tractor.com] On Behalf Of Spencer Yost
> Sent: Tuesday, December 31, 2019 9:13 PM
> To: Antique Tractor Email Discussion Group
> Subject: Re: [AT] OT - unsecured servers
> 
> Since cybersecurity is my line of work, I’ll jump in.  Do these things:
> 
> 
> Always manually type the URL - never click off an email or some other source.
> 2FA is always awesome (everyone should do this whenever available).
> Close the browser, or at least each browser tab, when you are done.
> Private browsing tabs with cookies blocked are great too, but some sites don’t have authentication procedures that behave well with private tabs or cookies blocked, so this is hit or miss.
> 
> As an added bonus, always clear the cookies, cache, and local storage related to the website before you close the browser. This will prevent any near-future malware infection from taking advantage of a valid session.
> 
> The lack of a secure private Internet connection should not be too much of a concern. The fact of the matter remains that after your traffic leaves your ISP at your home it’s on a public network as well. Between the HTTPS protocol and the steps above you should be fine.
> 
> The primary concerns are XSS and CSRF attacks (I’ll let you look them up). Both require malware (or attempt to trick you into redirecting your attempts to login) and/or an active session to take advantage of you. So by following those steps you will thwart them.
> 
> 2FA helps to thwart password cracking success.   That means even if someone has cracked your password (usually they have cracked a bunch because the site uses a digest hash that was weak - or worse the idiot site stores the password in plain text) they can’t log in without you knowing and confirming.
> 
> Of course, if you are already infected, school is out anyways and you have already been compromised and your money is probably already gone.   If it’s still there, you are good.
> 
> Waiting for the ball to drop.....
> 
> Spencer
> 
> 
> 
> Sent from my iPhone
> 
>> On Dec 31, 2019, at 8:38 PM, Mike M <meulenms at gmx.com> wrote:
>> 
>> Hi and Happy New Year,
>> Going on vacation for a while in the Keys. I found out too late that 
>> the place does not have wi-fi. I have some banking items to take care 
>> of and am leery of taking care of it over an unsecured connection. 
>> This is time sensitive and needs to be done. My banks both use 2 step 
>> authentication does that help at all?
>> 
>> Regards,
>> Mike M
>> 
>> _______________________________________________
>> AT mailing list
>> AT at lists.antique-tractor.com
>> http://lists.antique-tractor.com/listinfo.cgi/at-antique-tractor.com
>> 
> 