Compromised email address

Jamesaritchie · Feb 22, 2011

Medievalist said:
The only secure computer is one that isn't connected to the Internet. All platforms are vulnerable, it's just a matter of opportunity.

Just what I needed to hear. It seems anything online or connected to teh Internet is at risk. Well, at least his Windows work machine is safe, since it isn't connected to the Internet.

Answer me this. For an extra twenty bucks per month, my Internet provider offers business class e-mail setup, along with several business tool. It isn't accessible through any website, or through any computer that doesn't have the proper software installed. I could only use it through my PC and my laptop, which isn't much of a drawback.

I don't store a password on my computer, and they claim much higher security than any web-based e-mail, plus offer what amounts to damages should the account be hacked through them.

Are they right about the better security, as long as I do my part?

Deleted member 42 · Feb 22, 2011

Jamesaritchie said:
Are they right about the better security, as long as I do my part?

No, not really.

If you're running really good anti-malware security and you keep it updated, and you're paranoid about downloading software or clicking links, and you have a strong password, they can't really do anything for you that any other mail provider can.

I would avoid hotmail. I would avoid muti authentication systems--i.e. don't log into to service X by using your Facebook account.

I would also avoid using I.E. whenever possible.

I would not use my Admin account as my regular account.

With respect to security-- Microsoft's own free security suite and a healthy level of paranoia seem to be the best options currently for Windows 7. Remember that installing multiple security/antivirus/malware apps can cause them to step on each other, and create vulnerabilities.

I would also have a locked non-writeable media emergency boot disc that you've checked to make sure it works, so in an emergency you can boot and scan.

Jamesaritchie · Feb 22, 2011

Medievalist said:
No, not really.

If you're running really good anti-malware security and you keep it updated, and you're paranoid about downloading software or clicking links, and you have a strong password, they can't really do anything for you that any other mail provider can.

I would avoid hotmail. I would avoid muti authentication systems--i.e. don't log into to service X by using your Facebook account.

I would also avoid using I.E. whenever possible.

I would not use my Admin account as my regular account.

With respect to security-- Microsoft's own free security suite and a healthy level of paranoia seem to be the best options currently for Windows 7. Remember that installing multiple security/antivirus/malware apps can cause them to step on each other, and create vulnerabilities.

I would also have a locked non-writeable media emergency boot disc that you've checked to make sure it works, so in an emergency you can boot and scan.

Thanks. I do all these things except I do use my Admin account as my regular account. This is easily changed, so I'll do that.

I do use the paid version of Norton, rather than Microsoft's security suite. Is the Microsoft version better?

alleycat · Feb 22, 2011

Jamesaritchie said:
I do use the paid version of Norton, rather than Microsoft's security suite. Is the Microsoft version better?

Just a personal recommendation. I used Norton for a number of years, but I switched to Kaspersky and I think it's better. Like most security suites, you have to tame it a bit by setting scan and update times, but it's done a good job for me for the past three or four years.

Jamesaritchie · Feb 22, 2011

alleycat said:
Just a personal recommendation. I used Norton for a number of years, but I switched to Kaspersky and I think it's better. Like most security suites, you have to tame it a bit by setting scan and update times, but it's done a good job for me for the past three or four years.

Thanks. That's a new one to me, but I'll definitely take a look at it.

BradCarsten · Feb 22, 2011

Jamesaritchie said:
This is a possibility. I usually use a different password for each site or purpose, but I did use that particular password at a couple of other sites because they were related, and I was bouncing back and forth between sites and the Google e-mail.

I have a friend who got frustrated with the lack of security in Windows, , and the lack of software use in Ubuntu, so instead of adding Ubuntu to his main computer, he sat up two computers at his work station, one for Windows and one for Ubuntu. The same keyboard is connected to both, and he toggles back and forth as needed.

It's a bit crowded, but it works very well for him. I have a spare computer tucked away, and I've thought about doing the same thing.

I dual boot windows and ubuntu - so I do all my daily work in ubuntu, then when I want to access some software that doesnt run I reboot into windows.

ubuntu and security:
There have been fewer than 30 known viruses/worms/Trojans for linux- none of these are a problem any more.

as a default Ubuntu install opens zero ports to the outside world, so a firewall is redundant.

It is far less likely that you will pick up something by surfing and regular downloads. Unfortunately you are still vulnerable to other forms of attack, such as someone tricking you into entering your password into a fake website etc.

here is some very good advice on os security

This advice is fairly generic and applies to almost any OS. These simple steps offer a solid foundation that you should be able to implement almost immediately.

Enforce strong passwords http://en.wikipedia.org/wiki/Password_strength

In general, do not write your passwords down, and if you must, keep them in a secure place (Do not put them on a sticky note attached to your monitor for example).

Limit root access (create a user account with limited privileges, so that a program will not have the authority to get to your data)

Physical access (physical access = big security hole). Physical access allows root access to your system (in other words, someone physically booting into your system)

Do not install software or add repositories from untrusted sources

Take care not to let the "need" to run the newest/latest/greatest compromise security.

Keep your system up to date. Updates, particularly security updates, bring you the newest and latest fixes. (this applies to apps also- such as adobe reader, internet explorer- make sure you have the latest versions running)

let me add - add a no script plugins to whichever browser you are using and backup often.

Jamesaritchie · Feb 22, 2011

ave said:
I dual boot windows and ubuntu - so I do all my daily work in ubuntu, then when I want to access some software that doesnt run I reboot into windows.

ubuntu and security:
There have been fewer than 30 known viruses/worms/Trojans for linux- none of these are a problem any more.

It is far less likely that you will pick up something by surfing and regular downloads. Unfortunately you are still vulnerable to other forms of attack, such as someone tricking you into entering your password into a fake website etc.

here is some very good advice on os security

I undrstand almost all of this, but I'm clueless about add a no script plugins to whichever browser you are using.

alleycat · Feb 22, 2011

Jamesaritchie said:
I undrstand almost all of this, but I'm clueless about add a no script plugins to whichever browser you are using.

It's mostly a plug-in (add-on) for Firefox and other non-IE browsers. I think there is something along these lines that can also be done in IE, but I've forgotten.

In Firefox, there are all sorts of third-party add-ons, and No Scripts is one of them. There might be other "no scripts" add-ons besides that one.

No Scripts just makes it easy to decide whether scripts run at any particular website. You have several options (always allow, temporarily allow, etc.). It adds an extra layer of security, as there can be malware scripts.

benbradley · Feb 22, 2011

Jamesaritchie said:
I undrstand almost all of this, but I'm clueless about add a no script plugins to whichever browser you are using.

This:
http://noscript.net/
It's actually a bit annoying, as you have to "allow" most every new site you go to, if you decide you trust it. But it saves from lots of auto-forwards that you wouldn't otherwise see., and all the java and javascript stuff (these are PROGRAMMING LANGUAGES your browser runs to render many or most modern webpages thesedays).

Read URL's carefully. If it's a series of numbers (decimal IP address like 123.45.67.224) or a ".ru" or ".ro" or ".hk" or ".cn" it COULD be okay, but I'd tend not to trust it. Yeah, I have biases against certain areas of the cyberworld.

alleycat · Feb 22, 2011

Jamesaritchie said:
Thanks. That's a new one to me, but I'll definitely take a look at it.

It used to be that a lot of the upper level security folks (the people who actually write some of the anti-malware software) recommended Kaspersky for home use. It's not as well-known as Norton and McAfee.

Like most Internet security software, it does not play well with others. You'd need to completely remove Norton before loading Kaspersky if you decide to go with it.

I noticed there were some less than 5-star reviews on Amazon for the 2010 version, but I think most of them had to do with people not knowing how to change some of the settings. If you don't tell it when, it will update the malware database on your computer intermittently during the day (I have mine set to update at 2:00 in the morning)--this can be a bit annoying. I haven't had any more problem with 2010 than I did with 2009.

Of course, most "on guard" security software uses more memory and CPU than many other programs, but that's just the price we pay. If you have a fairly new computer with one of the newer operating systems (XP to Seven), you shouldn't have a problem.

Jamesaritchie · Feb 22, 2011

Has anyone seen the Denny's commercial where the two customers are trying to decide all the options that have with teh new $2, $4, $6, and $8 dollar meals? In the end, one of them holds his hands up to his head and makes a sound like his brain just exploded.

Right now, I feel like a Denny's commercial.

BradCarsten · Feb 23, 2011

a large percentage of malware spreads through usb devices, like flash drives. Im not sure if windows 7 has fixed this- (I dont have 7) but xp is certainly vulnerable.

I came across some advice a while back, to add a small extra layer of security to your system that I found very useful and perhaps someone else will as well

here is a simple test you can perform to see how vulnerable your pc is to attacks.

hackers exploit the autorun feature in windows- im going to demonstrate this by auto executing mspaint- that terrible paint program that ships with windows.

1) what you need to do is open notepad

2) copy and paste the following text

[autorun]
action=Testing autoplay: Run paint from usbdrive
open=mspaint.exe
shell\FromFlash=Testing context: run paint from usbdrive
shell\FromFlash\command=mspaint.exe
shell=FromFlash
icon=mspaint.exe
label=Testing AutoRun Stuff

3) select file/save as
- save the file to the root directory of your flash drive
- under "save as type" select "all files"
- call the file autorun.inf

4) now go into c:\windows\system32 and scroll down till you find mspaint.exe copy that file and paste it onto your flash drive (in the same directory that you created the autorun.inf file)

what we have done is create a autorun file the will open up mspaint when you insert your flash drive.

5) eject your flash drive, and plug it back in

6) go to start/my computer, and double click your flash drive

ms paint should open.

you can also mess around with that "what would you like to do" window that opens when you insert a flash drive and see how easy it is to run paint

now imagine that was some kind of malware- as soon as you double clicked, your computer would be infected.

this is scary.

if anyone is interested there is a hack to disable this autorun

1) open notepad

paste the following text

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYSoesNotExist"

file\save as

- save the file to your desktop
- under "save as type" select "all files"
- call the file something.reg

double click on the file and it will ask you if you want to add the entry to the registry- click yes

now perform the test with your flashdrive again- when you double click mspaint should no longer start up.

NOTE: im not sure what all the implications of disabling autorun are, I have had no problems; the blogs out there dont mention any problems, but if you have something that specifically relies on autorun, you should do a little research first.

reference 1
reference 2

benbradley · Feb 23, 2011

I though the autorun feature would run on step 5) when you plug it in - that's what happens (or happened, before I fixed it) with CD's.

Yes, I have autorun turned off on my XP system, did it by following post #2 here (this is a lot easier than editing the registry):

http://club.myce.com/f3/disable-usb-autostart-windows-xp-2000-a-137650/

Ignore post #3, or read it as "Don't you want your computer to run any random unknown software that might be on a CD or flash drive you've never seen before?" No, you don't.

When you run Windows Explorer or do "Save As..." the flash drive or CD you just put in is still there or "recognized" without running whatever Autorun thing is on it.

jaksen · Feb 23, 2011

Mumut said:
I suppose this has happened to a few AW'ers over the years. A few days ago I started to receive phone calls telling me friends had received emails, apparently from me. asking for money. The content of the email is that I've been mugged and robbed at gunpoint in Wales but I've managed to make it to the embassy (an Australian embassy in Wales?). I need cash for immediate accommodation etc.

Actually I was in Wales a few weeks ago (but survived the experience unscathed). And it could be considered a somewhat funny story. But it's not. Over the past months I've sent emails to 8,000 libraries and 5,000 high schools in the USA to introduce my book 'The Guardian of the Gate'. If they have all received this email it will make me look very unprofessional. I'm not all that happy to have to send each one a second email explaining the mess.

The reason I'm telling this here, is that things became very 'interesting' this morning. My email account was with Gmail. They don't ask for personal information so you have to fill in a form (using some other email address) which is matched by a computer and a reply email sent out. Because I don't use any of the bells and whistles in Gmail I was told there was not enough information to let me in so I could change my password and take control again. Luckily I realised I'd have given my wife's email address as backup so when I tried again I was let in.

In the list of emails were all my failed attempts to change the password - and in the data were other email addresses and information concerning a film website which had been emailing me. I don't know if this is a clue to the thief. I handed over the information to the police and to see the details made me feel uneasy. But what happened next had me really worried. An entry had been added to the list of emails received. It was from a few minutes back, while I was logged in, and it was someone trying to have the password changed again. The fraud was trying to get back in again. That was really scary.

I cancelled my account with Gmail immediately. I don't mind writing suspense but I can't hack it when it happens to me. So in future I'll be changing all my passwords on a frequent basis and I'll be using randon sets of mixed numbers and letters, lower and upper case. And I hope to heaven it doesn't happen again.

Exactly same thing happened to me back in the fall, except I was stuck in London (I live in the US) and needed money to get back. (All lies.) An email with this info was sent to about half the people in my email address book. They asked these people for money so I could 'get back home.'

Apparently I was 'phished' or teased onto a site where I wrote in my gmail password and someone grabbed it. I now double-triple check to make sure I am on the correct page when I sign in to gmail.

How I fixed things? I wrote to gmail in a polite but outraged manner. ( I used an old hotmail acct.) They at first wanted 'proof' who I was. I was one of the first users of gmail and I knew exactly who had 'invited me.' His name, phone and address. I also knew exactly what my last legit. email entailed.

Within minutes I had my account back and I saw numerous changes made to it, as you did yours. I removed all that crap and made up a new pw. I keep no cc numbers on my acct (in old emails) or anything worth much to anybody, except all the names in my address book.

I then emailed those people who had been 'scammed,' but luckily they all know how poor I am and what the heck would Diane be doing in London?? No one replied to the scammer with funds or money.

I use different passwords everywhere I go on the net. I change them all the time. When you need to answer a security question, I make up stupid questions of my own and ridiculous answers. I still got phished.

I used to be paranoidally/insanely/ridiculously careful on the net. Now I am ten times more so.

BradCarsten · Feb 23, 2011

benbradley said:
I though the autorun feature would run on step 5) when you plug it in - that's what happens (or happened, before I fixed it) with CD's.

Yes, I have autorun turned off on my XP system, did it by following post #2 here (this is a lot easier than editing the registry):

http://club.myce.com/f3/disable-usb-autostart-windows-xp-2000-a-137650/

Ignore post #3, or read it as "Don't you want your computer to run any random unknown software that might be on a CD or flash drive you've never seen before?" No, you don't.

When you run Windows Explorer or do "Save As..." the flash drive or CD you just put in is still there or "recognized" without running whatever Autorun thing is on it.

correct me if im wrong, but this seems to disable autoplay, not autorun

I would be interested to know if the mspaint test still runs on your system after diabling autoplay. specifically the one where you double click your flash drive directory in "my computer"

Stitch · Feb 24, 2011

Sorry to jump in, but on the subject of Linux, I'd like to push for a variant called Mint. It's available here: http://www.linuxmint.com/

It's based on Ubuntu, so it gets all the security updates that Ubuntu does. Its layout is a lot more familiar to Windows users as most buttons and menus are basically in the same places as in Windows. I recommend it to anyone who wants to switch over from Windows.

Synovia · Mar 4, 2011

ave said:
ubuntu and security:
There have been fewer than 30 known viruses/worms/Trojans for linux- none of these are a problem any more.

And there have been thousands of holes in Apache, inetd, etc. There's nothing LESS secure than a poorly patched/configured linux/unix box.

A couple of years ago I put up a bare linux box (didn't know what I was doing at the time). I got a call from my cable company 45 minutes later because the machine was performing DOS attacks against a variety of infrastructure sites.

As far as antivirus on windows boxes, I honestly think Microsoft Security Essentials is the best thing out there. It seems to find much more than Norton/AVG/Kapersky, and is significantly less resource intensive. And it hurts me to say that, being a unix guy.

AlexPiper · Mar 4, 2011

Synovia said:
And there have been thousands of holes in Apache, inetd, etc. There's nothing LESS secure than a poorly patched/configured linux/unix box.

I don't think that's necessarily true. The vulnerability is less Linux, and more that poorly patched/configured Linux boxes are more visible, as the majority of them are someone tossing a RedHat CD on a colocated server. A poorly patched Windows box is still, 90% of the time, behind a home router and thus NAT'd all to heck and back, not open to the general Internet for incoming traffic.

Vulnerability is directly related to how much of the system is visible to the Internet, with an inverse correlation as to how much time you've spent securing it. A machine with no Internet connectivity at all isn't going to get 'pwned,' obviously. One that's behind a solid firewall and not reachable /incoming/ by other machines is going to require more user action (going to a webpage or whatever), because you won't just have something hitting your available services. A machine that's got a static dedicated IP and no firewall -- i.e., a server? -- you'd better keep an eye on.

Every service you open up to the world on your machine is one more thing you'd better be watching for vulnerabilities in. If you run Apache, you'd better keep an eye on Apache security notices. If you run PHP in your Apache install, keep an eye on those, too. If you run MySQL for database stuff, keep an eye on MySQL patches and security notices. Etc.

This is true of Windows, Mac OS X and Linux. Your OS doesn't matter; you still have to watch whatever you make available to the world.

kuwisdelu · Mar 5, 2011

AlexPiper said:
Every service you open up to the world on your machine is one more thing you'd better be watching for vulnerabilities in. If you run Apache, you'd better keep an eye on Apache security notices. If you run PHP in your Apache install, keep an eye on those, too. If you run MySQL for database stuff, keep an eye on MySQL patches and security notices. Etc.

And the average user won't be running that stuff anyway.

They will, however, be running stuff like Flash, Java, etc., which are also security holes regardless of OS, and it's likewise wise to keep those updated and secure. This stuff really doesn't have to do with OS so much as what vulnerable 3rd party software you have interacting with the internet a lot. (Well, 1st party software, too, obviously, but that just goes back to OS security.)

ejket · Mar 5, 2011

AlexPiper said:
Vulnerability is directly related to how much of the system is visible to the Internet

I always liked this place for checking my visibility.

Deleted member 42 · Mar 5, 2011

The greatest single vulnerability in any system is the user.

Matera the Mad · Mar 6, 2011

^ said it all

kuwisdelu · Mar 6, 2011

Nothing can protect your system from an angry bear.

Compromised email address

Jamesaritchie

Deleted member 42

Jamesaritchie

alleycat

Still around

Jamesaritchie

BradCarsten

practical experience, FTW

Jamesaritchie

alleycat

Still around

benbradley

It's a doggy dog world

alleycat

Still around

Jamesaritchie

BradCarsten

practical experience, FTW

benbradley

It's a doggy dog world

jaksen

Caped Codder

BradCarsten

practical experience, FTW

Stitch

what happens on FB, stays on ... wait

Synovia

practical experience, FTW

AlexPiper

Wayward Wordsmith

kuwisdelu

Revolutionize the World

ejket

Noobus Perpetuus

Deleted member 42

Matera the Mad

Bartender, gimme a Linux Mint

kuwisdelu

Revolutionize the World