Computer security, am I just being too paranoid?

Aug 31, 2012 9:45AM PDT
Question:


I'm a novice when it comes to working with a PC but do know enough to
be really dangerous. Today, with our PCs being so vulnerable to cyber
attacks, hackers, and Trojan viruses, I, at times, feel a little
paranoid about what I put on my PC's hard drive that may be both
personal and financial in nature. I do run with Windows 7, have the
Windows firewall activated, and am using the Webroot AntiVirus software
but still feel like someone is looking over my shoulder. Aside from
the viruses that we can get when downloading items from the Internet
to opening an attachment in an e-mail, is there any way for a novice
to determine if their PC has been invaded by a genuine hacker who may
be watching my every move? Or am I watching too much TV? Any
recommendations or best practices you could afford me would be
greatly appreciated.

- Submitted by: Al H. of San Antonio, TX

- Collapse -
I Do Something like that
Sep 8, 2012 8:37AM PDT

Look up pobox.com. They are a mail forwarder. You create an account (NOT free) and you then get three email addresses (addr1@pobox.com, addr2@pobox.com, addr3@pobox.com) that will all transfer to YOUR email (regular) account. You can use one permanently and then use the other two for stuff. Like give one to a website as your email address. Get the email from them in your regular email account, click the verify link and then go on POBOX and get rid (change) that one address. Your idea is good too as long as you don't have to give yahoo, google or hotmail your real email address so they can sell it.

I still believe that YOU get what you pay for. There is no free lunch! Companies that give you their services for free and still make a fortune in profits? Something sounds wrong there, doesn't it? I once had to deal with an idiot online that kept insisting that the Internet was FREE!!! I had a hard time convincing him that it wasn't. I mean, someone has to pay for the Internet connection (in this case, his parents - so not 'free' already). What about the ads? "Who cares about them??!" Well, you will since you go out to buy things and the cost of those things has advertising dollars connected to the cost. Young people, you can't get them to think, can you?? HA.

Servers, switches, IP addresses, Hosting costs are never free so why would someone put up a free Internet service unless there was money in it for them somewhere....

- Collapse -
Very Good!
Sep 8, 2012 8:43AM PDT

One thing I tell people is that SECURITY is like one side of a teeter-totter. The other side is ease of use (convenience). The more you push down on the side of security, up pops the ease-of-use factor. You push down on the ease of use side and security pops up. The trouble with the analogy is that people think there should be a "balance" between ease of use and security. WRONG! There has to be a limiter on the teeter-totter that limits how much security you can do away with. Security has to win unless you have absolutely nothing to lose (and a credit rating or criminal record is nothing to mess around with).

- Collapse -
My Concerns
Sep 8, 2012 10:04AM PDT

First of all, nobody here, including you, is paranoid. We are all stating the facts. There have been issues of malware and "viruses" from a time long before there were any personal computers. What has happened, after the World Wide Web made even having a personal computer popular, people started making malware not to just joke around or to "prove something" to the rest of the world that they had technical abilities, but to actually start making money. The Internet originally was for the military types. You had .MIL, .COM, .EDU, .GOV, .NET and others to differentiate what was represented on this Internet at the time. I first got a message (SMTP) onto the Internet in the 1980's using a mainframe. There was simply not a lot to do out there. Getting on the Internet was a major issue. You had to install your own TCP/IP stack. You had to have modems and telephone lines to transmit TTY protocol. Not for the average person and you had to go directly to government agencies to get a TCP/IP address range. Today, with the WWW, everyone just about has access to a computer and the Internet. So, this means that the criminal element now has a way to not only show off how brilliant they are but to make money doing it.

The part that scares me is that, in the old days, there were almost no programmers out there. I learned BASIC back in 1967 in high school. I was the only one in a high school with 6,000 students who connected with a computer since nobody knew what to do with the equipment when it came in. If it involved pushing buttons, I was IN.

So, today we have everyone trying to be a programmer. Some people are good at it; some aren't. But I have seen a lot of scary design out there. No security. Passwords are kept in a file somewhere, ripe for the picking. Everyone is more interested in getting things done simply and quickly and security has usually fallen by the wayside. It isn't so much the user, is what I'm saying. It is the content providers that need to get their act in gear and embrace security as part of everything that you do. I already conversed with a programmer who is creating systems for dentists and doctors and doesn't really know about HIPAA laws and doesn't consider putting the records of patients up on a public cloud site to be a security problem or a violation. How does this affect us normal folk? Does anyone think about your medical records being put up where employees of some advertising-related public website that reads everything that goes up on that site? I mean, that is bad enough (can't get a job because everyone thinks your "illness" might affect your work...). How about people putting your credit card info up on a public website that takes no responsibility (according to the TOS) for your data security?

These are the things that scare the hell out of me today. Not someone putting a tracking cookie on my computer. In the old days, malware wiped off your hard drive. By today's standards that would be a joke unless someone is keeping critical information and forgot to back it up or the downtime it would cause.

So, paranoia, in a day when all malware seems to be directed at making money for someone else at your expense, is well worth it to have. At least a little of paranoia is a good thing.

What people need to realize is that any level of security is going to be inconvenient. It used to be that anti-virus software slowed down your computer. In some cases, it might still do that. But what is the alternative? There really isn't any, is there? I hear people (like my old boss) say that "a/v slows down my computer", or "I don't believe that there is such a thing as a computer virus" or "I can just be very careful and then I won't need any security software". Well, my boss brought his laptop in from home and plugged it into the enterprise network. In a few minutes a MAJOR county government was down at an estimated cost of $10 million. Just one laptop did this. Not everyone is even going to remember the NIMDA virus (and someone else did the same thing and brought in the SQL Slammer virus). But it sure cost taxpayers a lot of money. So now we have new rules. You HAVE to use certain software or you don't get to connect (and some flagrantly violate the rules even today - I have an Apple and there is no such thing as Apple malware...) Wrong.

So, my concerns today are outright theft but also loss of salaries and revenue because some major corporation has to shut down while fighting malware that was brought in by some self-centered idiot. It's a dog-eat-dog world out there but computer crime is still on the rise. We read about it like every other week. Exposing passwords, government communication, account numbers. Someone has to pay to clean all of that up. And that someone is all of us.

So take this all into consideration when planning on how you will use your computer and your internet connection. If you are worried, you have every right to be worried. There is plenty of software out there and, you know, no one piece of software can guarantee that something new won't come along and ruin your day. Don't just give up. All you can do is make your computer and its network connection as safe as possible. Look at what software is out there and try them out, when you can. Find something you like that doesn't take a lot to manage. Look at its reputation out there especially RECENTLY (1 year ago is not recent, sorry). Try to use something that, while probably signature based, also has a heuristic side that can detect strange things they have not seen before but know it is up to no good. Read up on your OS and look at the NIST government web site to see what is really out there. Don't assume Apple nor LINUX is bullet proof as the research says you would be wrong. That is, don't listen to HYPE or things you read from us ordinary people. See for yourself. The web makes research easy. We had a discussion on one of these blogs about security in Windows vs Apple. Fan bois on both sides. Someone ended the conversation with a link to NIST that showed that the eight top vulnerabilities in the U.S. were on APPLE Mac OS. There really is no such thing as absolute safety. Maybe a power failure? So, while I value everyone's opinions, you are going to see that there is a wild distribution of opinions. Don't even believe MY OPINIONS. How do you know that I know anything about data security? The best thing you can do is figure out what scares you and do some research.

Talk to your bank about their security methods and the regulations they have to follow. They will have someone you can talk to who can explain it so you understand. If your account is hacked? What happens next? How much do you lose, if anything? It may not be as bad as you are thinking. Some banks have an online guarantee. (Think of how much money the bank is saving by having ATMs and online banking? They can afford to make this area attractive as opposed to opening more branches.)

Stick with well known things. Not just in your banking (avoid the bank of Nigeria, especially if they send you email), but also with your software. People can bad-mouth software because they had a bad experience at one time or another but things change. If you work from home, see if you can take home big-boy security software (you don't ask, you don't get). Speak with people who are not just in IT but who may be on your company's data security staff. Find out what they use at work. Try not to use redundant resident software. One anti-virus software resident is enough but realize that they don't do EVERYTHING well. You might want to look at good anti-spyware software, a GOOD registry cleaner and general fixer-upper. I hear that there is a lot of new Identity-Theft protection out there but I personally don't know much about it but YOU CAN DO THE RESEARCH too. That's why we have FREE internet searches. To find software to protect us from FREE Internet sites. (I love it!).

Read about the OS that you are using. Doesn't matter what it is or what version. Find out the best way to configure it for security. You can always tell when the security software load is "too much" for your taste and back down a bit. Just remember that you are compromising a bit of security when you do that. Security doesn't come cheap. You pay for it with a certain amount of inconvenience.

- Collapse -
Hope this helps!
Sep 8, 2012 1:23PM PDT

It has been stated that approx. every 10 seconds you leave your computer running without antivirus, someone, or something, will try and plant a malicious virus. The fear is real, but Windows Firewall alone can't do a thing for you but potentially notify you that there is a problem in the first place. You should always have your firewall on, unless you have a specific reason not to, and you should also have a good antivirus! NO, I'm not saying the most expensive, I'm saying the most efficient, which depending on your expertise may be different from one person to the next.
If you consider yourself to be the average computer user, then I would suggest something like ESET, or despite my own personal problems with them, Norton.
If you feel you have a slightly better understanding of computers than most, then I would suggest the free option, Windows Security Essentials. I would not suggest this to the average user due to its somewhat regular inability to remove malware. On the other hand, it is MUCH better at identifying the problems.
YA, downloading things can be bad, but just avoid sites like softpedia, or fileshare, where people can name things whatever they want. Look for more reputable websites, and unless it offers bittorrent, try to avoid using third-party threads. To be honest, you will have more problems from things like popups, and trick "download here" ADs than anything else.
Going as far as to turn off your computer after each sitting is a bit much if it's not a laptop, and can be very nerve-racking. If something wants to get to your computer, it is likely already linked to your network and will sneak in when it gets the chance. If it is a desktop, make sure it has a sleep mode, or turns off the monitors eventually, and just turn it off once or twice a week, or as necessary. Remember to defrag! I suggest Auslogics.

Like I hope I have expressed, ya, there is stuff to be afraid of, but it's like driving a car. Something might happen, and ya you might have to replace some parts along the way, but if you have insurance and everyone was wearing their seatbelts, then the important things are safe, and the rest will be repaired in time.

- Collapse -
To Make You REALLY Paranoid
Sep 8, 2012 3:36PM PDT
- Collapse -
People seem to forget a few things...

People seem to forget a few things. There are two types of virus programs: Reactive and Proactive. We've been hit by viruses when running Norton and other virus scanners were able to pick it up faster. If there is a virus that hasn't been discovered, what protection is there?

The I.T. guy at work installed another commercial program recommended by one of the computer magazines for P.C. and a virus wiped my computer clean at work this week so I'm vulnerable at work and the I.T. guy is an outside paid consultant.

One year Windows had 60 vulnerabilities.

I read in the news today that PNC and Chase had some overseas hacking attempts. PNC took their online banking offline. If they were hacked, would they tell you?

http://www.cnbc.com/id/49122362/BofA_JPMorgan_Citi_Repeatedly_Hacked_by_Iran_Sources

In fact your own news story says:

Hacker claims breach of 79 banks, releases customer data

http://news.cnet.com/8301-1009_3-57455693-83/hacker-claims-breach-of-79-banks-releases-customer-data/

If my credit card is stolen, there is a law that says I am liable for the first fifty dollars. What protection is there if your money is taken out of your account? If the banks and the government believed in internet security then why aren't customers given equal protection?

- Collapse -
Computer Security doesn't exist
http://www.youtube.com/watch?v=VVJldn_MmMY&feature=player_embedded

This is the group L0pht that testified before a congressional Committee about computer security back in 1998. They essentially said after 19 and 48 minutes that Computer Security doesn't exist. They've also said that the Internet wasn't designed for e-commerce and that the internet was 20 years old at the time and that it was being made to do what it wasn't designed to do. At 20 minutes, they give you a couple of analogies as to why we're not getting alerts to security problems.

What has really changed in the last 14 years? I may be the minority but I still believe that some work has been made but I don't believe that security is really adequate so in that sense, while they have raised the bar on security, I don't believe security really exists.

I was talking to a friend who travels the world and her credit card is not good in Africa. Why is that? It is because the same system isn't secure.

When I grew up, I had free checking. There are few banks that offer free checking anymore. They want you to use the internet to do online bill pay so essentially you replace a teller which makes doing business cheaper for the bank. The problem is there is no insurance offered to me if my money is stolen electronically. The banks say that their system is safe but I've had my computer broken into. If my credit card is stolen, I am liable for the first $50 dollars by law. There is no such law limiting my liability for losing my money online for having my account information stolen. And if you read the news every day on google, there are news stories about systems being taken advantage of every day so I'm not confident in the safety of adopting what people are being told is safe because I don't believe it is.
- Collapse -
Not Entirely True
Oct 8, 2012 9:41AM PDT

The Internet was designed with a certain amount of commerce in mind; maybe not really eCommerce. After all, ".COM" was one of the original divisions. It was mostly .MIL but .MIL had to talk to .GOV to get the funding, .MIL had to talk to .EDU to get the research done, .COM to build their stuff.

Security will never be 100% on the Internet. After all, it was never 100% on the personal computer nor on the mainframe. Security is never 100% anywhere. All you can do is make it the best that you can, accept the risks that are still there and remember that security will cost you in terms of ease-of-use and/or convenience.

I think you are wrong on the banking. I have FREE CHECKING at Wells (of course, I have to do direct deposit of my pay but that is fine by me). They don't charge me a lot of fees. I lost a checkbook and they did all of the security handovers to get me up on a new account and charged me NOTHING! They even called all of the people I have automatic bill payments with (not the bank's). If something happens with electronics, I am covered 100%. The only thing they don't cover is identity theft. I don't read the news on Google because it is NOT safe. Or haven't you been reading all of their terms and privacy stuff?

Having said all that, you are basically correct that nothing is 100% safe. But you still lock your car door because the thief may spot someone else who left their car door unlocked nearby. You still turn on the alarm because an amateur thief may not want to mess with a noisy alarm and move on. All you can do is make it more difficult for someone to break into your computer (while making it more difficult for YOU at the same time). But you sure don't want to leave the keys sitting out there in the open.

- Collapse -
It is still true

The internet was started on mainframes and the public wasn't allowed to join in the beginning. It was the early 90's when colleges were allowed to join so if they had commerce in mind, they didn't have you and me in mind because we weren't allowed to join.

In order to get free checking, a lot of banks want us to have $1,500 in our account.

Encryption can be defeated with keyloggers. These keyloggers can be bought on the internet, it has been advertised on ABC news and the makers claim that all the major programs like Norton can't detect it because it is so low level. The system registry can be changed by any program which makes the user not be in control anymore so if you aren't in control then security goes out the window. Windows 7 does a little to change that but people are still running XP.

The department of Homeland Security put out a press release saying that computers from overseas are coming in with backdoors and malware. We have a computer with Norton security and our computer got attacked so I had to get a new hard drive. What would have happened if I had online banking? I would have been the victim of identity theft which you say is not covered by most banks which is again a reason not to trust computer security. Our computer at work was running a different commercial program and it got attacked and my co-worker does all his online banking from my computer.

Computers have hundreds and thousands of files for their operating systems and associated programs. There can be 300 processes running in the computer at any one time. This makes it difficult for the user to know which one is legitimate and which one is not legitimate and even legitimate programs can be updated or taken over by a virus so how is the average user supposed to know when they didn't write the operating system? You can't know.

In order for a car to be safe, it needs LoJack and the major parts need to be etched with a serial number in acid which is what the major car dealers do to insure it. Malware can't be tracked on their end. Keyloggers can't be etched on their end which is why banks will never insure online transactions.

- Collapse -
As I said
Oct 9, 2012 2:58PM PDT

Some of that is just not true. For banking, many have 100% guarantees to replace all funds lost:

https://www.wellsfargo.com/privacy_security/online/guarantee



As I said, I also have free checking just for having direct deposit. It used to be $1500 but that was checking + savings accounts. As for a car to be "safe", all I need is insurance. But I also have LoJack.

How can encryption be defeated with keyloggers? It doesn't really work that way. There really isn't a password all of the time. If we are talking about file encryption, I usually encrypt with a certificate. Whole disk encryption is most secure when you have a boot password. Windows isn't running. Besides, it isn't enough to have a password. There is also an encryption key. Unless of course, you are talking about "cheap" encryption that only uses a password. I used a passphrase for PGP that was 154 characters and was NEVER typed in.

What I've said before is that there is a cost of all security. Ease of use, convenience and $$ are all part of that cost. But you should not spend more money than what you are protecting. Since my bank gives me a 100% guarantee, I can choose to use their website. Since I usually use Roboform, I rarely ever type in a password so keyloggers are useless. I also don't have a lot of money in the bank itself. Actually, keeping the password in your browser is a bit safer than typing it in over and over. It is still not safe in the case where the password is stored unencrypted or someone just steals your PC.

So, in a way, you are correct. Nothing is 100% safe BUT, that doesn't mean you can just leave your PC wide open. The more difficult you make it, the safer you are even if you can never get to 100%. So, each of us gets to decide what they want to keep on their computer and what they want to do with their computer. The difference will always be "who owns" the data? Most people working in a business think they own the data and therefore can do what they want with it. Actually, the owner of the data may be the people represented by the data. For example, a doctor can't legally stick their patients' data all over the Internet. There are laws (HIPAA) against that. And would you want to use a credit card? Where does the store (even "Brick-and-Mortar") keep your data? Is it encrypted? Is it on the Internet? Can it be seen by employees who have not had a background check?

All you can do is try to reduce your risk exposure. To do this properly, you have to be both smart and paranoid.

- Collapse -
How can encryption be defeated with keyloggers?

How can encryption be defeated with keyloggers?

Sinister New Spyware Threats Emerge

http://abcnews.go.com/Technology/PCWorld/story?id=1029067

[Quote]Windows XP uses the Protected Storage area to record sensitive information, such as your browser's AutoComplete histories for URLs, passwords that you instruct IE to save and enter automatically, and data you submit to Web sites on SSL-protected forms. The Trojan horse reads this information--including "search terms, stuff you enter in forms, passwords, everything you enter at a bank," according to Eric Sites, Sunbelt's vice president of research and development--and then forwards the data to the server. [EndQuote]

-Ibid.


[Quote]This is no mere keylogger, Sites adds. "A normal keylogger records anything that is on your computer. This thing attacks anything that you filled out in Web forms, so it has your credit card number, the expiration date, the security code, [and] your address; and it tracks every Web address that [you've entered] a username and password [into]." "It's totally geared for stealing users' accounts and identity information--everything [the criminals] need to get new credit cards in your name and empty out your bank accounts," Sites adds. [EndQuote]

-Ibid.

[Quote]Is Spytector detected by antivirus applications? Spytector shouldn't be detected by antivirus programs. Spytector is a commercial legitimate keylogger (spy software) and our customers should be able to use it on their computers in the same time with other security applications. The full version of Spytector will be undetected when scanned (RightClick -> Scan) with the following antiviruses: Norton AV, Kaspersky AV, McAfee, Panda, AVG, Avast, TrendMicro. [EndQuote]

http://www.spytector.com/faq.html


This is just an example of one of the many keyloggers that can't be detected by security for sale on the internet. I'm sure there are warnings about legal and illegal use on them.

- Collapse -
They don't even need that...
Oct 10, 2012 1:21AM PDT

as criminals can ride the SSL session into whatever you are logging into, and take it over from there with little indication that they have robbed the session. Your best bet in defeating this kind of threat is using Trusteer's Rapport. Now I'm sure you can find information about work arounds to Rapport's features, but that company does its homework, and puts a HUGE effort toward locking down the browser in IE and FireFox. I get updates regularly to the Rapport kernel; so I know they are working diligently to keep one step ahead, and definitely no more than a short time, behind a criminal crack to their console.

I've never read whether Chrome can defeat session riding, but I suspect the criminal can complete this attack even in the "sandbox", that Chrome uses. It makes little difference if the attack happens in this mitigation or not, so I doubt Chrome can protect you in these instances, unless you close the browser, run CCleaner, and then reopen the Chrome browser and log on to the web site (preferably with a password manager). As long as you are in an SSL session, Rapport is supposed to protect against keylogging, video, and screen capture. I like to use Keyscrambler, so I have to turn off the anti-keylogger in Rapport, but Trusteer has a verifiable reputation in defeating this attack, even if you are infected. Keyscrambler will flunk screen capture tests, but Rapport can still cover that area, if I'm not mistaken. My last AKLT test confirmed this.

I like keyscrambler, because I'm not always in an SSL session when logging onto my LastPass manager, so the keyloggers can't capture my console password.

- Collapse -
Thank you for the tip!

Thank you for the tip! I will look into that.

What is to prevent someone from disabling or uninstalling the program 'keyscrambler', changing the registry and amending or changing the kernel or circumventing it in some way? What is to prevent them from running CC Cleaner and treat keyscrambler as a virus and removing it?

- Collapse -
Keyscrambler is built for resistance...
Oct 11, 2012 9:07AM PDT

I believe it was coded for kernel level access several years ago, so it is fairly resistant to meddling.

I've only run into one type of malware that apparently could turn it off, but the tray icon turns red, and so does the typing bar indicator - so you don't have to be particularly observant to notice the change. I've only run into this once - I was running as a limited user, and running CCleaner took care of the problem. This new malware can run with very little privileges now, and can commit some mischief that would throw off the totally uninitiated. For instance, I ran into one, on my honey pot lab, that could remove the short cut for CCleaner on the desktop, and also the icon that made it readily recognizable in the programs start list. I ran the applet from that list despite the icon missing, which got rid of the malware, and replaced both the icon and the short-cut.

I almost feel that one can now get away with no anti-malware now, as long as you are running as limited user, on the NT5 or NT6 Windows kernel; and use tools like Secunia PSI, File-Hippo Update Checker, or CNET's update email alerts. But I still recommend using LastPass or similar password manager, and Rapport as minimum. I do really like MBAM's malicious IP address blocker though; it works on the limited account as well - (paid version).

CCleaner is not a virus remover per se; what happens is, that when you run as a restricted user on the Windows account control, the malware cannot "jump" out of the temp folders where they operate, unless you click on a fake alert, UAC prompt, or allow a reboot where the malware could inject into the startup folder and survive until next session. CCleaner also cleans that startup area, so this won't happen if you run it before reboot, log-off, or shutdown. This does not include instances where there was a vulnerability in a plug-in to, or the browser itself. Any vulnerable app can get you pwned; but that is why I push using update tools like the ones mentioned here. Malware cannot install on a limited account without these factors or user intervention. The user needs to know not to click on ANYTHING suspicious happening during sessions.

Keyscrambler is an installed program, and in fact is running in the kernel space, so it survives, even during reboots. Unless you give the virus/malware the privileges it needs to pwn your PC, it will never survive CCleaner's wipe. You do have to have certain things checked for this to work, of course. All of the mentioned companies are building more resistance to meddling by malware on update after update, so they seem to be keeping up to, or ahead of the game, in most instances.
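
The persistence route described in the post above (malware confined to a limited account's temp folders that survives a reboot through a startup entry) can be checked by auditing the per-user autostart locations. The following is an added example, not part of any post in the thread: the entry names, paths and sample data are constructed, the HKCU Run key is included as an assumption beyond the Startup folder the post names, and the "user-writable" verdict is a generalisation that also matches legitimate software installed under the profile.

```python
"""Flag per-user autostart entries that launch from temp or profile folders."""
import ntpath
import os
import re

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"Microsoft\Windows\Start Menu\Programs\Startup"  # under %APPDATA%

# Constructed sample data (hypothetical names and paths, not from the thread).
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Users\al",
    "TEMP": r"C:\Users\al\AppData\Local\Temp",
    "APPDATA": r"C:\Users\al\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\al\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
}
SAMPLE_ENTRIES = [
    ("PasswordTool", r'"C:\Program Files\PasswordTool\tool.exe" /tray'),
    ("Updater", r"%TEMP%\upd8\svch0st.exe -silent"),
    ("Sync", r"C:\Users\al\AppData\Roaming\sync\sync.exe"),
    ("Helper", r'"C:\Users\al\AppData\Local\Temp\..\Temp\x.exe"'),
]


def expand(command, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), command)


def executable_of(command, env):
    """Return the normalised program path at the start of a command line."""
    command = expand(command.strip(), env)
    if not command:
        return ""
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces: cut after the first program extension.
        m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return ntpath.normpath(path)  # also collapses "..\" tricks


def is_under(path, root):
    """True if path is root itself or lies below it (case-insensitive)."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return path == root or path.startswith(root + "\\")


def classify(command, env):
    """'temp' = starts from the temp folder, 'user-writable' = elsewhere in the profile."""
    exe = executable_of(command, env)
    if not exe:
        return "ok"
    if env.get("TEMP") and is_under(exe, env["TEMP"]):
        return "temp"
    for var in ("APPDATA", "LOCALAPPDATA", "USERPROFILE"):
        if env.get(var) and is_under(exe, env[var]):
            return "user-writable"
    return "ok"


def audit(entries, env):
    """Return (name, executable, verdict) for every entry that is not 'ok'."""
    findings = []
    for name, command in entries:
        verdict = classify(command, env)
        if verdict != "ok":
            findings.append((name, executable_of(command, env), verdict))
    return findings


def live_entries(env):
    """Windows only: HKCU Run values plus files in the per-user Startup folder."""
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _kind = winreg.EnumValue(key, i)
                entries.append((name, str(value)))
    except OSError:
        pass  # no Run key for this user
    folder = os.path.join(env.get("APPDATA", ""), STARTUP_DIR)
    if os.path.isdir(folder):
        # Shortcut targets are not resolved; each item is listed for manual review.
        entries += [(f, '"%s"' % os.path.join(folder, f))
                    for f in os.listdir(folder) if f.lower() != "desktop.ini"]
    return entries


if __name__ == "__main__":
    env = dict(os.environ) if winreg else SAMPLE_ENV
    entries = live_entries(env) if winreg else SAMPLE_ENTRIES
    for name, exe, verdict in audit(entries, env):
        print(f"{verdict:14} {name}: {exe}")
```

Run as the limited user whose session is in question; on a non-Windows machine it falls back to the constructed sample entries.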