Compromised Email Account

On passwords...

I remember two passwords. One for my password keeper and one for my email accounts. For all other passwords, I use my password keeper's random generator to create secure passwords. Also, even my user IDs now have a randomly generated portion for safety.

For me, trying to remember password combinations that are safe is just too taxing on the brain when some require special characters, and some do not, and once you have one in memory, the password may expire.

The thing that has been stopping me from using the password generator is that I don't always want to look at passwords from my home computer. I may log in from my office notebook or from my own notebook when I leave town.

Roboform is nice and I use the one that can be used on one computer. They have a couple of other options. You can get Roboform Everywhere, which you can use on any computer since the password info is uploaded. DH and I both feel uncomfortable with our passwords being uploaded somewhere, although maybe we are being unreasonable.

You can also get Roboform 2Go which lets you put the Roboform data on a USB drive and then you plug that into any computer you use. What I don't like about that (beyond buying a new program) is what if you lose the USB drive? On the other hand, it isn't useful to anyone if they don't have your master password. So...just not sure which way to go on that.
 
I guess either solution is still not ideal. When I travel, I do have to bring my password file (encrypted) on a USB drive, similar to what you describe for Roboform 2Go.
 
Originally Posted by Nords
... You would think that the login module would lock out an IP address after the first 10 attempts.

Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.
I doubt many, if any, sites are susceptible to direct brute force attacks. They will lock out after a few tries. Dictionary and other brute force attacks are made against encrypted password files in the possession of the attackers. Then the attackers use the decrypted IDs and passwords to log on to the account. The attackers use various methods to compromise the parent server to gain access to the password file.
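The two controls described above (a cap on failed attempts per account, plus a timer that rejects any attempt made within X seconds of a prior failure) as an added, constructed example; this is not code from the thread, and the parameter values, the `verify` stand-in and the account store are this example's own assumptions.

```python
import time
from dataclasses import dataclass

# Constructed example (not from the thread): a failure cap per account plus a
# minimum interval after any failure during which every attempt is rejected
# before the credential is even checked. Parameter values are illustrative.
@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

class LoginThrottle:
    def __init__(self, max_failures=10, min_interval=3.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures  # quantity limit before lockout
        self.min_interval = min_interval  # the "X seconds" after a failed entry
        self.lockout = lockout            # seconds a locked account stays locked
        self.clock = clock                # injectable so the logic is testable
        self.accounts = {}                # in-memory store; a real one is shared

    def attempt(self, user, password, verify):
        """Return 'ok', 'bad_password', 'too_fast' or 'locked'; `verify` is the
        real credential check and is only called once the throttle allows it."""
        now = self.clock()
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if st.failures and now - st.last_failure < self.min_interval:
            # Rejected without checking the credential, so a guess made this soon
            # after a failure yields no information; the window is not extended.
            return "too_fast"
        if verify(user, password):
            self.accounts.pop(user, None)  # success clears the counters
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
        return "bad_password"

def demo():
    clk = [1000.0]  # mutable fake clock so the walk-through is deterministic
    th = LoginThrottle(max_failures=3, min_interval=5.0, lockout=60.0,
                       clock=lambda: clk[0])
    good, bad = "correct horse battery staple", "wrong"
    verify = lambda u, p: p == good  # stand-in for the real credential check
    results = []
    for wait, pw in [(0, bad), (1, good), (5, bad), (6, bad), (6, good), (60, good)]:
        clk[0] += wait
        results.append(th.attempt("alice", pw, verify))
    return results
```

Note that the second attempt in `demo()` is rejected as `too_fast` even though the password is correct: the timer applies to every entry made inside the window, which is what keeps the verifier out of reach of a rapid guessing loop.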
 
I've been using Passpack for several years; it's free and can be used just through a web browser. I was initially concerned about the security, but read up on their encryption strategy and was satisfied it was strong enough. Just for paranoia, I don't store the URLs or actual names of financial institutions. It has a strong random password generator built in as well.

I also put a printout of the access information in our safe deposit box for DH.
 
One more piece of software that may be helpful, free from download.com. I have been using KeyScrambler for the last few years. Here's the description of how it works:

"The advanced key-encryption method keeps your keystrokes scrambled and indecipherable while they travel from your keyboard to the destination app."
 
I also use KeyScrambler along with software called "SnoopFree Privacy Shield" for an extra measure of security: the former to scramble my keystrokes and the latter to flag any. SnoopFree only works up to XP (not Win 7). I'm not sure about KeyScrambler.
 
As usual, XKCD has the answer:
password_strength.png
 
Might a keylogger show up on a netstat -b run, or am I thinking wrong?

It probably would, yes, if there was a continuous connection. If the upload is at specific times, then you'd have to get lucky to run netstat at the same time as the upload.
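The timing problem raised above (a one-shot `netstat` only catches a connection that happens to be open at that moment) is usually handled by polling and keeping a baseline. The following is an added, constructed example, not from the thread: it parses `netstat -b`-style output, where the owning process is printed on the line after each connection, and reports connections from processes outside an allowlist that were not seen in earlier polls. The addresses, ports and process names in the two snapshots are made up.

```python
import re

# Constructed samples of Windows `netstat -b` output taken some time apart
# (addresses, ports and process names are invented for this example).
# netstat -b prints the owning process in brackets on the line *after* each
# connection, so the parser pairs each connection with the following line.
SNAPSHOT_1 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.20:49720     203.0.113.25:993       ESTABLISHED
 [outlook.exe]
"""
SNAPSHOT_2 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.20:49801     198.51.100.7:80        ESTABLISHED
 [updater_helper.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Return a set of (process, proto, remote) tuples from `netstat -b` text."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            rows.append([m.group(1), m.group(3), "<unknown>"])
            continue
        p = PROC_RE.match(line)
        if p and rows and rows[-1][2] == "<unknown>":
            rows[-1][2] = p.group(1)  # attach the process to the last connection
    return {(proc, proto, remote) for proto, remote, proc in rows}

def new_outbound(seen, snapshot, allowlist):
    """Connections in `snapshot` not seen before and not from an allowlisted
    process; updates `seen` so repeated polls accumulate the full picture."""
    fresh = sorted(c for c in snapshot - seen if c[0] not in allowlist)
    seen |= snapshot
    return fresh

def watch(snapshots, allowlist):
    """Run new_outbound over a series of polls; returns (poll number, conn)."""
    seen, hits = set(), []
    for i, text in enumerate(snapshots, 1):
        hits += [(i, c) for c in new_outbound(seen, parse_netstat_b(text), allowlist)]
    return hits
```

In a real deployment `snapshots` would come from running `netstat -b` on a schedule (it needs administrator rights); the intermittent connection in the second snapshot is the kind of event a single run would miss.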
 
Have not used it in several years, but I believe the Zone Alarm firewall could help with this.
 
Little Snitch will do this on the Mac - not sure if there is an equivalent for Windows/Linux.

Little Snitch - Wikipedia, the free encyclopedia

If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit the connection on a one-time or permanent basis. The dialog allows one to restrict the parameters of the connection, restricting it to a specific port, protocol or domain. An integral network monitor allows one to see ongoing traffic in real time with domain names and traffic direction displayed.

-ERD50
 
Yeah, but does any of this prevent a trojan communicating over port 80 (http) or 443 (https)? I think that is how most malware phones home to the mother ship.

According to ERD50's quote, it does.

Zone Alarm does. By default, no applications are allowed out. You must enable each one. Zone Alarm remembers the settings, and also gives you a "starter set" of known well-behaved applications at install time.
 
I used Zone Alarm many years ago and IIRC you OK outbound connections from your PC on 80 and 443 because you do it all the time. What ZA prevented was communications on other ports, which used to be a problem. But all the bad guys have found nifty tricks to establish two-way communication over port 80. The trojan phones home and picks up its instructions over the permitted/expected return packets at preset high ports. It may be that some of these firewalls can be pretty sophisticated about what apps are going out on port 80, but if so, the trojan writers would simply mimic Internet Explorer connections. If you are not going to open ports 80 and 443 outbound, why have an Internet connection at all?
 
I used Zone Alarm many years ago and IIRC you OK outbound connections from your PC on 80 and 443 because you do it all the time. ... but if so, the trojan writers would simply mimic Internet Explorer connections. If you are not going to open ports 80 and 443 outbound, why have an Internet connection at all?

I don't know enough about how computers use these ports to say. But at least on the Mac, with 'Little Snitch', I wonder how easy it is for some malware to get installed and mimic the installed browser?

Perhaps M Paquette could comment on this; he had some interesting insight on how the Mac OS had some very tough protection against key loggers.

-ERD50
 
ERD50 said:
I don't know enough about how computers use these ports to say. But at least on the Mac, with 'Little Snitch', I wonder how easy it is for some malware to get installed and mimic the installed browser?

Perhaps M Paquette could comment on this; he had some interesting insight on how the Mac OS had some very tough protection against key loggers.

-ERD50

It's fairly hard to do. The system uses both signed applications, a means of cryptographically verifying that an application is what it says it is and is uncorrupted, and a thing called the Application Firewall in addition to the standard IP firewall.

Mac OS X v10.5, 10.6: About the Application Firewall: http://support.apple.com/kb/HT1810

Little Snitch sits atop the built-in firewalls, and programs the firewalls per your settings. It uses the firewall triggers to produce its reports.
 
That is a pretty sophisticated setup. Does Zone Alarm do that nowadays or does it just close off outbound ports you select? It would seem that a defense that verifies apps would be a pretty good defense against keyloggers.
 