In this golden era of technology, I wonder if everyone on the net still feels safe entering his/her passwords and credit card numbers on online forms even if they claim to be SSL-protected. For those wondering what the hell am I talking about, please care to revisit this thread to clarify things: http://www.warboards.org/showthread.php?t=32304

To start off, I'm going to explain why I feel unsafe on my Windows platform while on the net these days. A few days ago, I joined this discussion about Bluemicrobyte's World of Warcraft account being hacked, and Modred and hammocksleeper came into a reasonable conclusion that keyloggers may have been the culprit after they have examined Bluemicrobyte's log file attachment. Now, what I'm talking about is that the guy had Norton Security and Anti-Virus
programs installed in good shape on his PC, and I wonder how the keylogger got past that tough bridge of security. Now it's time to get talking. Do you, as an online activist, still feel safe being online and entering sensitive information on the net even if you know you have the toughest security material at the back of your PC?

I personally don't feel safe with Windows XP anymore. That's why I switched to Ubuntu even if I had tough security solutions installed on my PC, and even if I had to take real baby steps.

Now, the question is--- do you?

I havent actually thought about this very much. I generally use the excuse of buying something as an excuse to go to town (live about 65 miles from a major town that has decent shopping.)

I have considered getting on of those Visa/Master Card type cards where you can load up a specific amount of money on it and use that for the internet. That way if my computer's compromised, I only lose the amount of money still on the card.

As to other things, I don't do any banking online or bill paying and I'm still old fashioned enough I keep my checkbook using the paper register rather then Quicken or something like that. The only passwords of mine that can be compromised are the ones I have to sites like this.

So I guess my answer to your question would be: No I don't trust sensitive information to the net or my computer.

I havent actually thought about this very much. I generally use the excuse of buying something as an excuse to go to town (live about 65 miles from a major town that has decent shopping.)

I have considered getting on of those Visa/Master Card type cards where you can load up a specific amount of money on it and use that for the internet. That way if my computer's compromised, I only lose the amount of money still on the card.

As to other things, I don't do any banking online or bill paying and I'm still old fashioned enough I keep my checkbook using the paper register rather then Quicken or something like that. The only passwords of mine that can be compromised are the ones I have to sites like this.

So I guess my answer to your question would be: No I don't trust sensitive information to the net or my computer.

Yeah. That made me think that sometimes, it still is better to use old fashioned methods of storage sensitive info.

The caveat to being slightly old fashioned is that my bank, mortgage company, utilities and other creditors are not so old fashioned. They are completely computerized so all my sesitive information is on a computer somewhere and vulnerable to hackers.

So I'm not sure nowadays keeping your info off your personal computer is much deterrent to those that would make use of it maliciously. No telling how many other hard drives across the nation and the world might already have it:cuss:

I'm pretty sure I'd be extremely upset about that if I thought on it too long.

In the last 4 years I have been notified by the VA three times that my records may have been compromised (they wouldn't say if they definately were or not) and that I should be vigilant about any activity that related to my SSN and check to see if any new credit cards had been taken out using it.

The thing is that, everything is connected, in one way or another, to the net. Meaning, everything is vulnerable to hacking, most especially low-end banks, or old fashioned systems of which are not very secure.

But this is overkill.

And so is switching to ubuntu.

First off, having just AV software is not enough to protect yourself, and norton is a joke unless you've got their corporate edition (which I understand is very nice).

Secondly: Every windows computer should have a good AV solution -- such as Avast, AVG, Kapersky*, etc...

Thirdly: Along with the AV program, a computer also requires a good anti-malware solution. But the good news is that, if you've got a legit windows, you get the really awesome Windows Defender for free. Which would've got bmb's keylogger.

Going to stop counting here; The last thing you'd need is a very good software-based firewall, such as Kerio or something. In this way, you will know every single thing trying to connect out as opposed to in.

To give up and be super paranoid is pretty lame.

You would never walk outside during winter in your sleepwear would you? You'd never drive a car without breaks!

The problem is that people don't realize that purchasing a computer means more then just "plugging it in" -- hell, even mac and linux users can still fall to phishing scams!

-Neo

Going to stop counting here; The last thing you'd need is a very good software-based firewall, such as Kerio or something. In this way, you will know every single thing trying to connect out as opposed to in.

trust in software (http://www.securityfocus.com/infocus/1840) may very well (http://www.mg.co.za/articlePage.aspx?articleid=275381&area=/insight/insight_tech/firewalls) be misplaced (http://arstechnica.com/news.ars/post/20070513-symantec-malware-can-hijack-windows-update.html). really, false security is bad. so is spreading it. software firewalls are only good for keeping well-behaved apps under control -- and they are under control to begin with.


what can be done to not have stuff sploited back and forth, then? the most efficient ways, such as disabling of javascript, hit convenience hard. and to some, using a more secure-by-design OS is a big inconvenience, too. a more manageable solution for now is to use a more obscure browser (but remember that security by obscurity is no security), and to not run it as administrator/root. obviously sane practices help here, too: to not run unverified executables is a great habit.

I read on Slashdot (http://it.slashdot.org/article.pl?sid=07/12/18/170241) a few days ago that Vista is slightly more secure than a Mac right now, depending on your OS...but do I feel safe?
Honestly, yes, because my router has 2 firewalls, and my PC has 3 with once-weekly down-and-dirty sweeps of all of my disks. And I do check the registry every so often, to make sure everything looks okay. But on top of that, I keep very few documents on my HD's, back important things up to a flash drive, and do a lot of things on paper, printing out two, even three copies of everything.
Maybe not perfect, but in this day and age, online banking and taxes is...frightening.

-DocTera

Years ago, I was simply playing StarCraft online. On one of the game channels, some guy was advertising hacks on his website for Diablo II. Me being young, noob, bored and curious, I wondered into his website. Just simply visiting it. I told him through StarCraft how bad his hacks were. He replied to me through a whisper. Minutes later, he whispered me again saying something like "Cya [my name], [profanity]", next three seconds later, my game close immediately, an error poped up, and my computer reseted. When it tried to boot back on, it froze with an error message, making my computer unusable, until I reformatted it. I had Norton at the time too with a firewall on XP home. Who would've known that would happen over battle.net? I never had a hack situation that sever again.

Not saying the the internet is no less vulnerable then real-life. Even crooks, smart enough, can rob a bank with tight security. But the computer thing and the real life scenarios are somewhat rare. There will always be masterminds or something near that. Should anyone feel completely safe? No, it's a bit ignorant. Does everyone feel safe enough to continue their whatever lives, yes. Unless your really unlucky...

But this is overkill.

And so is switching to ubuntu.

First off, having just AV software is not enough to protect yourself, and norton is a joke unless you've got their corporate edition (which I understand is very nice).

Secondly: Every windows computer should have a good AV solution -- such as Avast, AVG, Kapersky*, etc...

Thirdly: Along with the AV program, a computer also requires a good anti-malware solution. But the good news is that, if you've got a legit windows, you get the really awesome Windows Defender for free. Which would've got bmb's keylogger.

Going to stop counting here; The last thing you'd need is a very good software-based firewall, such as Kerio or something. In this way, you will know every single thing trying to connect out as opposed to in.

To give up and be super paranoid is pretty lame.

You would never walk outside during winter in your sleepwear would you? You'd never drive a car without breaks!

The problem is that people don't realize that purchasing a computer means more then just "plugging it in" -- hell, even mac and linux users can still fall to phishing scams!

-Neo

I do say sir, I am glad someone agrees that norton is a joke, and while two of your ideas are extremely useful, software firewalls, can be circumvented by malware. I instead recommend using a router, since all routers also provide a firewall . (http://thisweekintech.com/sn3) but the more you use yeah the healthier it is.

as for the question, yes I do feel rather safe, i have my router, which covers a lot, then I have avg, as well as windows defender, a amazing program might I add. Couple that with hi-jack this scans from time to time, and I am all warm and fuzzy in my windows vista shell.

I think I have to agree with Neo a bit. About overkill. And somehwhat with Seal about about the most safe practices being the most inconvient (at least that it what I got out of part of your post).

Since I replied to this thread I started doing some checking on my own personal stuff and found something quite disturbing (but not unexpected, really). Virtually everything to do with my personal finances and personal information can be accessed by me through my computer. By proxy that means others can access it through whatever computers the information is stored on.

Whether I choose to use my computer to access this info or not, it is still not safe unless the systems it resides are safe. I think being able to do business over the computer is a great and convient thing, but doing everything possible to try and "bulletproof" your personal computer is probably is a good thing. Even if some of the measures are inconvient or spill over into the "overkill" catagory. All that would need to happen is for you to get unlucky once, whether through or own PC or through the systems that already have your information, and you are in the hurt locker.

I was toying with the idea recently, of maybe going to online bill pay and online banking but after reading this thread, it made me sit down and really think (Thanks to Frank for starting the thread, by the way). Until I investigate this more I don't think I will. Based on the theory that it's one less opening that someone can use to screw with me. The methods I use now are old fashioned and fairly inconvient but I'm used to them. I can hold off until I have more knowledge.

I read on Slashdot (http://it.slashdot.org/article.pl?sid=07/12/18/170241) a few days ago that Vista is slightly more secure than a Mac right now, depending on your OS...but do I feel safe?
Honestly, yes, because my router has 2 firewalls, and my PC has 3 with once-weekly down-and-dirty sweeps of all of my disks. And I do check the registry every so often, to make sure everything looks okay. But on top of that, I keep very few documents on my HD's, back important things up to a flash drive, and do a lot of things on paper, printing out two, even three copies of everything. Maybe not perfect, but in this day and age, online banking and taxes is...frightening. -DocTera
you should know that slashdot ran (http://it.slashdot.org/article.pl?sid=07/12/21/1420256) a followup to that. vulnerability counts are not relevant the way analysts tend to use them, due to the vulnerabilities just not being comparable one to one: severity levels are not considered, besides the severity criteria varies from platform to platform.

i rather have patches to things before they get exploited. because of that the more vulnerabilities are found and fixed the better the situation is.

Ok, enough fantasies boys.

I still do not believe BMB's WoW password was taken by a keylogger.

Point one: BMB's statement
The first thought that comes to mind is a keylogger -- but I run a secure system; I have Norton (A/V and firewall) running all the time, and I frequently scan with Spybot, AdAware, and Windows Defender (and of course system cleaners, but those don't do viruses).
This statement was made on the 16th of December 2007.

Point two: This is the date stamp from the page that "claims" to offer advice on the removal of the cisvc.exe security vulnerability located here. (http://www.2-spyware.com/file-cisvc-exe.html)
Information added: 30/06/04
Information updated: 25/10/05


Now if BMB was running norton, spybot, adaware etc. Then I don't think spyware that is now almost four years old is the cause.

Now if this wasn't it, and there is no evidence to suggest it was apart from people's speculations, then it rules out this keylogger.
If there is no evidence to suggest a different keylogger (and there isn't) then that pretty much rules out keyloggers all together in this instance.



Point being in the end people hacking people's passwords and stuff is very very rare, if it wasn't internet banking would be illegal. So would many other things.
Having been passionately in to computers for the last 20 years I know full well that for every one hacking story that appears in the papers that ten thousand new "I know this guy who hacked...." stories appear as well.

I have used my credit card online for years, I have used internet banking for years, I have never had any issues.

Alright first off.

Router Firewalls are only effective against outside attacks. They do nothing if your computer initiates the contact itself (thus, anything malicious on your computer getting out isn't going to be stopped by the router).

At least this is how I understand it, I mean, how's the nat router you use supposed to realize that that outgoing request is really bad? This is where software firewalls come into play.

Secondly, if your going to be so damned picky about software firewalls then what about SmoothWall on a dedicated machine?

I figure if you are the target of someone with such good software that could bypass corporate level secure firewalls (since apparently none of them work), then you're in deep shit as it is.

But to claim that software firewalls are completely worthless is a bunch of bullshit.

Of course a firewall on it's own isn't going to stop everything completely -- it's not it's job to scan programs, or to protect your system processes in real time.

And seal, lovely links. Do we know which firewalls this magazine tested? What about GRC? http://www.grc.com/lt/scoreboard.htm

Meh, I can't really find anything better, but linking me/us to articles that are 2 years out of date, or articles with no sources besides some "test" some "magazine" did without seeing the results for ourselves isn't helpful.

There are software firewalls out there that are good at what they do, and some are bad. But to turn around and claim they are pointless is being folly.

Sorry, I'm more willing to trust someone like Steve Gibson, then some random articles about firewalls being pointless :(

-Neo

Yeah, thanks for those points neo. That helped me a lot.

Back to the topic:
Guys (and gals), it isn't just keyloggers and viruses we are talking about here, we are also talking about phishing, identity theft, and sites that can harm you which are outside the control of your firewall, AV software, and even your anti malware. Why? Because these sites are not potentially harmful, unless someone triggers malice on it and use it for evil. I'm talking about things like AOLSTALKER (http://www.aolstalker.com), Google Hacking (http://en.wikipedia.org/wiki/Google_Hacking), and things related to use of non-malicious software to give out a malicious output. For example, any user can get as much knowledge about your IP address by simply using WHOIS servers, or by using PHP/Java XHTML Forward Scripts. I'm referring to this site : www.projectip.com

That's why (now that I thought about it) even if I switch OS's due to some paranoia or something, you just can't stay away from harm, or stay safe. :-/

The point is how easily you where fooled.
BMB mentions he lost is WoW account, some one else mentions a security vulnerability that is now 3 and a half years old and people start carrying on like the sky is falling.

90% of everything you hear about computer hacking, identity theft or any other form of computer crime is crap. Because its generated by people that like to stir up a bit of pointless panic.

This thread is a perfect example of that panic mongering because there is no evidence to show that any type of hacking took place but still your here carrying on like hackers are about to take over the world.

For every one real occurrence of a crime carried out on a computer, 10000 people just like you will make a thread on a forum some where just like this one.

The point is how easily you where fooled.
BMB mentions he lost is WoW account, some one else mentions a security vulnerability that is now 3 and a half years old and people start carrying on like the sky is falling.

90% of everything you hear about computer hacking, identity theft or any other form of computer crime is crap. Because its generated by people that like to stir up a bit of pointless panic.

This thread is a perfect example of that panic mongering because there is no evidence to show that any type of hacking took place but still your here carrying on like hackers are about to take over the world.

For every one real occurrence of a crime carried out on a computer, 10000 people just like you will make a thread on a forum some where just like this one.

Don't lecture me. Nothing I said contradicts the truth. Besides, neo and seal already made your point earlier so there's no point in repeating them.

thx

Don't lecture me. Nothing I said contradicts the truth. Besides, neo and seal already made your point earlier so there's no point in repeating them.

thx
As I said before if you don't like people responding to your posts then don't make them.
And I am not lecturing you, simply addressing the overinflated points your trying to make.

Your primary point is that the risk of identity theft and the loss of network security is now critical.

My point is that this notion is a blown out overdone fantasy, I couldn't in good conscious ignore it. And if you intend to carry on with this nonsense, I intend to carry on debating against it.

As I said before if you don't like people responding to your posts then don't make them.
And I am not lecturing you, simply addressing the overinflated points your trying to make.

Your primary point is that the risk of identity theft and the loss of network security is now critical.

My point is that this notion is a blown out overdone fantasy, I couldn't in good conscious ignore it. And if you intend to carry on with this nonsense, I intend to carry on debating against it.

Fine. If you find my points over inflated and don't want to believe in them because you have a different view of things, it is much simpler not to respond at all than to push things you want others to switch to and believe. The only point I am making is how dangerous it is just to merely open up your browser. Take this website (http://www.ip2location.com/demo.aspx) for example. It can track your location, and the owner of that IP, even pin point the exact location of that user. So if this is still inconcrete evidence, I suggest you do a little bit more research.

If you find my points over inflated and don't want to believe in them because you have a different view of things, it is much simpler not to respond at all than to push things you want others to switch to and believe.
Well, that wouldn't be a debate then would it?
Welcome to the IR!
The only point I am making is how dangerous it is just to merely open up your browser. Take this website for example. It can track your location, and the owner of that IP, even pin point the exact location of that user.
Umm, dude, that website got me wrong by 5000 miles, it said I was in Sydney but I live in Perth.
Things are not as bad as you are making out.

Well, that wouldn't be a debate then would it?
Welcome to the IR!
I'm just trying to avoid debates that we can never end because we can never agree on. ;)

Umm, dude, that website got me wrong by 5000 miles, it said I was in Sydney but I live in Perth.
Things are not as bad as you are making out.

Dude, it won't actually detect your exact peer. It will only detect the source of connection, or where you ISP is connecting from. ;)

And for the season of christmas, happy holidays pal. It's been nice talking with you ;).

Dude, it won't actually detect your exact peer. It will only detect the source of connection, or where you ISP is connecting from.
Thats true isn't it, and I guess that proves your last point wrong. That some one can work out where I am with in 5000 miles really doesn't seem that threatening.
Do you have anything new to add or not?
I'm just trying to avoid debates that we can never end because we can never agree on.
If you prefer to avoid debates why post in the IR? This forum is for debating.

If you have some thing new to add, go for it, but there is no point rambling on with nothing.

delicious omnislashing, here.

Secondly, if your going to be so damned picky about software firewalls then what about SmoothWall on a dedicated machine?
the same thing as a hardware firewall.

I figure if you are the target of someone with such good software that could bypass corporate level secure firewalls (since apparently none of them work), then you're in deep shit as it is.
software firewalls run on the potentially compromised device, as such they are not trustworthy -- nothing residing on a compromised device is trustworthy.

But to claim that software firewalls are completely worthless is a bunch of bullshit.

Of course a firewall on it's own isn't going to stop everything completely -- it's not it's job to scan programs, or to protect your system processes in real time.

And seal, lovely links. Do we know which firewalls this magazine tested? What about GRC? http://www.grc.com/lt/scoreboard.htm

Meh, I can't really find anything better, but linking me/us to articles that are 2 years out of date, or articles with no sources besides some "test" some "magazine" did without seeing the results for ourselves isn't helpful

my approach may be flawed indeed. i'm though advocating the fundamentals of computer security, especially concerning software trustworthiness on a compromised device.

a software firewall does not stop transmissions out, be it through the fundamental ability of fooling or disabling the software, or the more convenient way using channels thought to be benign, such as encrypted http.

also, in those two years the fundamentals of firewalling have not changed, so that's moot.

There are software firewalls out there that are good at what they do, and some are bad. But to turn around and claim they are pointless is being folly.
some are good, some are bad, yadda yadda. the quality does not change the flawed fundamentals: the software firewall runs on the potentially compromised machine.


to avoid sensitive data leaking out, it's always easier to not get compromised. firewalls can provide bandage to benign server processes' exploitation, but does not protect against the prime way to getting hold of a victim computer: the web browser. i'd (in my infinite wisdom) say that firewalls do not protect, firewalls control.

Toucan you'd be surprised how many people fall for phishing attempts on the web, which is where some good security software can help.

And seal, I'm not sure what your saying. I mean, in this hypothetical, there is an infected computer that not only has a random trojan, worm or other piece of malicious software, but also (incorporated with, or another) program that can bypass/circumvent/nullify any software firewall.

This is unrealistic, it is doubtful you will find some program that somehow, not only bypasses any sort of security programs running (AV, Real-Time Watchdogs, etc...) and then nullify a firewall, and make it all pointless.

Yes it's true that software-based firewalls are very prone to attack, and may or may not ever work as they should, but even in that article (or one of them) you linked to mentioned that it's also up to the user to be proactive -- don't set auto-rules, and such. Make sure you know whats going on.

The only reason I brought up firewalls was because we've got the uber-paranoid people here and it's not a bad idea to run a firewall in conjunction with other security programs.

Hell, I don't even use a firewall, so pfft :p

-Neo