IB Secure Device

[jimrockford]

Quote from GTS:

Jim, you don't know me so it would be really hard for me to be insulted by what you think you know about me or my thought process. It sounds like you are making many incorrect assumptions which is ok, this thread isnt about you (or me). It also sounds like you are not very technically savvy and perhaps are not the best person to weigh in on this since you don't have a sound foundation to comment intelligently.

Suffice it to say I don't need a wake-up call, I am in the IT security field and I stand by my statements. If you think this is a rampant problem then by all means go to town with with ten ways til Sunday of protecting yourself. I'm not saying it isnt a real threat but some of the posts in this thread are bordering on ludicrious.

Please let me know the first time you hear about a custom malicious program being developed to interface with the TWS API, I won't hold my breath. In the meantime I will continue to make sure that a hacker doesn't get control of my machine in the first place rather than trying to defend against what happens after he does.

So we should believe your risk assessment, because you are in the IT security field. Is it your belief that everybody having credentials equal to your own, or greater than your own, agrees with your risk assessment? If yes, then doesn't this conflict with other professional viewpoints already previously expressed in this thread? If no, then doesn't disagreement between the experts undermine your argument that we can rely on your credentials and reassuring words?

Another issue: Your posting could be interpreted to say that a hacker cannot loot an IB customer's brokerage account, unless he gets control of the customer's machine using a custom malicious program developed to interface with the API. I don't believe it was your intent to make such a statement. I suggest you clarify so that people who do rely on your credentials won't misunderstand you.

 

[SL65]

Quote from GTS:

Suffice it to say I don't need a wake-up call, I am in the IT security field and I stand by my statements.

It has been longstanding mantra in the IT security field to have multiple layers of security. I used the term layer in my original post to indicate that it is useful in *addition* to the STP device. For example, it's already been pointed out that after you login in the morning with the STP device that a trojan can place trades unhindered thru the GUI or API for the rest of the day till you logout.

An individual has complete control over their computing environment.

I don't have control over bugs in my operating system. I don't have control over whether my antivirus vendor actually knows about all of the viruses in use. The list goes on and on.

I used to believe that if a new virus came out I'd be vulnerable for only a short time before my antivirus vendor sent out an update. I'm told that security experts now believe that criminals have built up an inventory of sparingly-used trojans that they can use in targeted for-profit attacks. If they use them opportunistically, the trojans may never be added to the antivirus databases. The world is changing.

 

[NickPhil]

IB Salvatore,

You can realize that many of your customers have severe security concerns by using IB and TWS.

For sure, IB knows the security risks; and for sure, IB also knows that any effort your customers can make to shield their tradestations with HW and SW routers anti-spyware, antivirus, etc, will not be sufficient.

I insist that the absolute protection that IB could provide is the “fraud protection guarantee” that some of your competitors already offer to their customers.

In case IB is not willing to follow this direction, please provide us viable solutions.

It would be very disappointing to realize that the whole effort is to hide the problem under the carpet.

 

[GTS]

Quote from jimrockford:

So we should believe your risk assessment, because you are in the IT security field. Is it your belief that everybody having credentials equal to your own, or greater than your own, agrees with your risk assessment? If yes, then doesn't this conflict with other professional viewpoints already previously expressed in this thread? If no, then doesn't disagreement between the experts undermine your argument that we can rely on your credentials and reassuring words?

Jim, you don't know the validity of my credentials any more then other posters on this thread so really the burden is on you to investigate any statements made and come to your own conclusions. If you routinely rely on anonymous internet postings as the primary basis for making important decisions then you get what you deserve. Again - personal responsibility.

Frankly I find your passive aggressive posting style rather juvenile and I'm not talking just about this one thread. I will not be drawn into your little game where you dictate the argument and attempt to control the discussion.

More security is a good thing but security is always a trade-off between reducing risk vs. cost, convenience, etc.

IB is taking a positive step with this announcement. Asking them to implement umpteen additional different measures to prevent a hacker from doing things to your account after they have gotten control of your machine with TWS already logged in is not the right approach to the problem.

The right approach is to prevent a hacker from ever getting control of your machine in the first place which is not such an impossible task as implied by an earlier poster.

SL65, there are always new malware coming out and there are exploits that haven't been published but how would any of that affect your trading machine? You do have a hardware firewall that is blocking all unsolicited incoming traffic, right? You don't use your trading computer for email or browsing random web sites do you? Basic stuff here, not rocket science. Now, how did the hacker get the trojan on your machine so that they could hijack your TWS session?

 

[deviltrader]

Regarding the API backdoor potential problem. There are other applications that allow third-party (external) software to attach to the application via a public API, but the user can disable the API. Hence, no external apps -- either legitimate or trojans -- would work. Is this possible with TWS? I don't use any external apps with TWS, so I wouldn't mind disabling the public API so a trojan couldn't manipulate it. Furthermore, the TWS API should have some sort of authentication so that only approved apps can use it (maybe it already does, I don't know).

 

[trader225]

Quote from deviltrader:

Regarding the API backdoor potential problem. There are other applications that allow third-party (external) software to attach to the application via a public API, but the user can disable the API. Hence, no external apps -- either legitimate or trojans -- would work. Is this possible with TWS? I don't use any external apps with TWS, so I wouldn't mind disabling the public API so a trojan couldn't manipulate it. Furthermore, the TWS API should have some sort of authentication so that only approved apps can use it (maybe it already does, I don't know).

With tws, you have to explicity enable the API via the "options."

 

[crazy_trader]

Isn't all these option are save in settings.xml? If so, it is possible to change the setting by opening up settings.xml.

 

[SL65]

Quote from GTS:

SL65, there are always new malware coming out and there are exploits that haven't been published but how would any of that affect your trading machine? You do have a hardware firewall that is blocking all unsolicited incoming traffic, right? You don't use your trading computer for email or browsing random web sites do you? Basic stuff here, not rocket science. Now, how did the hacker get the trojan on your machine so that they could hijack your TWS session?

I'm an API user and good with technology so I can hope to implement your countermeasures correctly and can justify dedicated hardware. But don't your countermeasures raise the bar a bit too high for the rest of IB's customer base, most of whom aren't as sophisticated as EliteTrader members?

Anyway, off the top of my head here are some ways a trojan could be installed:
- Hackers compromised my desktop and used it to access my trading machine
- I made a mistake in my firewall config and left open some ports
- Bug in trading or quote software on my trading machine
- Bug in OS on trading machine
- Wireless net encryption key broken
- One of Rumsfeld's Unknown Unknowns

Security professionals advise layered security so that when one system breaks (or you screw it up) other systems are there to prevent disaster.

This doesn't mean you lower your guard on the network and server security. In my more paranoid moments I imagine that there's a hacker watching my system and trading ahead of me. That alone is enough incentive to keep trojans off my system!

Why are you making this a referendum on personal responsibility? If the posters here are fearful and asking for more security (presumably in lieu of some gee-wiz feature) that seems to me to be a very responsible act. Don't assume Jim, I or others want this so they can avoid other security practices.

Is this the first case in recorded history of users asking for more security and a security guy saying it's not necessary?

 

[SL65]

Quote from crazy_trader:

Isn't all these option are save in settings.xml? If so, it is possible to change the setting by opening up settings.xml.

I believe you're right.

We should keep in mind that the GUI can also be controlled by a trojan so we shouldn't focus just on the API.

 

[jimrockford]

Quote from GTS:

Jim, you don't know the validity of my credentials any more then other posters on this thread so really the burden is on you to investigate any statements made and come to your own conclusions. If you routinely rely on anonymous internet postings as the primary basis for making important decisions then you get what you deserve. Again - personal responsibility.

Frankly I find your passive aggressive posting style rather juvenile and I'm not talking just about this one thread. I will not be drawn into your little game where you dictate the argument and attempt to control the discussion.

More security is a good thing but security is always a trade-off between reducing risk vs. cost, convenience, etc.

IB is taking a positive step with this announcement. Asking them to implement umpteen additional different measures to prevent a hacker from doing things to your account after they have gotten control of your machine with TWS already logged in is not the right approach to the problem.

The right approach is to prevent a hacker from ever getting control of your machine in the first place which is not such an impossible task as implied by an earlier poster.

SL65, there are always new malware coming out and there are exploits that haven't been published but how would any of that affect your trading machine? You do have a hardware firewall that is blocking all unsolicited incoming traffic, right? You don't use your trading computer for email or browsing random web sites do you? Basic stuff here, not rocket science. Now, how did the hacker get the trojan on your machine so that they could hijack your TWS session?

GTS,

I thought it was well established, among IT security professionals, that the best approach is to use multiple layers of protection, in case something goes wrong with any one of the layers. You argue that we should rely on only one layer, and assume that we can prevent anything from going wrong with that one layer. You argue that we should assume we can, always and infallibly, prevent a hacker from taking control of our trading machine; and that we should not make any attempt to protect against a hacker who has done so.

I'm sorry, but I have zero confidence in your assurances, and I agree with the others that multiple layers of security are needed, and that security measures should attempt to protect a customer even after a hacker seizes control of the customer's machine.

I think that if you could support your argument on the basis of true expertise, you would not need to descend to personal criticism, name-calling, and childish accusations.

You also, as to the topic, misunderstood me. I do not, as you suggest, "routinely rely on anonymous internet postings as the primary basis for making important decisions". I instead questioned your own argument that we should rely on your credentials as the basis for accepting your recommendations.

I think I posed some important and challenging questions, which you have not addressed. I am sure many of us would appreciate it if you could re-read my previous posting and address the questions I raised about your credentials and your risk assessment. I presume you have ignored my questions, because the weakness of your position leaves you unable to answer them.

Quote from jimrockford:

So we should believe your risk assessment, because you are in the IT security field. Is it your belief that everybody having credentials equal to your own, or greater than your own, agrees with your risk assessment? If yes, then doesn't this conflict with other professional viewpoints already previously expressed in this thread? If no, then doesn't disagreement between the experts undermine your argument that we can rely on your credentials and reassuring words?

Another issue: Your posting could be interpreted to say that a hacker cannot loot an IB customer's brokerage account, unless he gets control of the customer's machine using a custom malicious program developed to interface with the API. I don't believe it was your intent to make such a statement. I suggest you clarify so that people who do rely on your credentials won't misunderstand you.