
Posted

Some excellent advice already on this thread. One tip: if you have an email account you've had for a while, try searching for it in Google, and if you have been using the same password for a while, try the same. One of my old email addresses and password are listed on a hackers' site, more worryingly another hosted in the Arab World.

I have the names of these sites that contain lists of usernames, email addresses and passwords, but I will not list them here; the best way to check is to google your information. Of course, if you do get any hits I would recommend deleting that email address completely.

  • 2 weeks later...

Posted

brahmburgers, it just occurred to me that in a case as serious as yours you should completely reformat your hard disk and re-install Windows and all application programs from scratch. Back up all your data first, of course.

The first application you re-install should be an anti-virus program and you use it to scan every application before you re-install it and scan all data files.

I have re-formatted, and had a new (non pirateware) anti-virus installed, plus a few other security software incl anti-keylogger. Note, even when you're backing up data for getting your hard drive formatted, you may be unwittingly loading up malware from your backed up data. Even so, I now seem to be clear of the recent problem, but not 100%.

However, yesterday (2 weeks after being clear) I got a slew of emails from amazon.co.uk which showed a bunch of unauthorized purchases on my Amazon account. I was alarmed, and contacted Amazon support. After a while, it was surmised my account had not been breached. Instead, it was some a**hole emailing me with 15 bogus emails purportedly from Amazon. All the emails came within minutes, and one said there was a problem with my Amazon account, and requested user name and password to fix it. That, apparently, is the game the thief was playing. I mention this in order to warn others of yet another ruse that might come their way.

It's mind-boggling how many rip-offs are out there, and the incredible # of ruses they use to try and steal from others. From now on, I will keep my online transactions to an absolute minimum. I won't do any transaction online FOR ANYTHING unless I feel I have no other choice. It's too bad, because if an increasing # of people are as spooked as me (from doing any transactions online) then that will put a dent on online business dealings. The internet can be a powerful engine for commerce, but if there are millions of thieves out there scamming the system, then that muddies it for everyone.

Posted
...it was some a**hole emailing me with 15 bogus emails purportedly from Amazon. All the emails came within minutes, and one said there was a problem with my Amazon account, and requested user name and password to fix it. That, apparently, is the game the thief was playing.

This game is called phishing. Some of these phishing emails give a link to a website that looks identical to that of your bank or an online shop you use, where you are asked to put in your username and password for verification or to solve an alleged problem. Extremely dangerous.

...if an increasing # of people are as spooked as me (from doing any transactions online) then that will put a dent on online business dealings...

You are absolutely right. The more scammers there are, the less people will want to use online shops and online banking. Banks, at least, take pains to make the login safer; most online shops can't be bothered. Sometimes I wonder where all this will end.

Posted
Firstly, these tools are software, and any software can be broken into.

Secondly, being "password storage" tools, they are prime targets for criminals.

If you really need to store your passwords in a file, use a simple text editor like notepad, textpad, etc. and write your accounts and passwords in there.

Then zip or rar the file and set a password, and store the zipped file on a USB stick.

Additional security can be achieved by zipping the file a second time with another password.

Don't forget to delete the unzipped version!

Sorry, this is really bad advice.

Firstly, there is *no* defence against keystroke loggers. If you are using someone else's computer (especially at an internet cafe), you have absolutely no idea what is on it and you are therefore vulnerable to both hardware and software loggers, and there's a fairly high chance the machine will contain malware.

Secondly, quality password managers are an excellent idea because they use industrial strength encryption which is considered unbreakable by everyone but the tinfoil hat brigade. If you are serious about password security (and frankly most people aren't) you need a long, random and different password for every single log on you have. There's no way you can remember it all, so the only real option is to use a password manager that will generate, store and strongly encrypt these for you. A good choice is Password Safe, designed by Bruce Schneier, who has a fairly impressive track record on computer security and encryption matters. You can install it on a flash drive if you want.

I have seen some horrible examples of what can happen if you have poor password security, particularly where people use the same password across multiple sites. One open source project I work with had an attacker break into their website and capture the password hashes from the database. He ran an offline brute force attack against the hashes for 20,000 accounts and recovered a lot of passwords, including some administrator accounts.

Some of the admins had access to the code repository on SourceForge and had used the same passwords for their accounts there. The attacker submitted some poisoned code to SourceForge using one of the compromised accounts. The next time the project released a new version of the software everyone downloaded and installed it. From there the attacker had access to nearly every single website run by the community, their email accounts and god knows what else. It took *years* to sort out the mess and bring it under control.

Get a decent password manager. If you inhabit internet cafes, it's also a good idea to carry a bootable Linux CD or flash drive, that will at least eliminate the problem of malware when using some infested Windows machine. Or better, get a netbook and carry it with you.
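
The two points made in the post above (a long, random, different password for every login, and what a captured hash database exposes when passwords are reused) can be seen side by side in this added Python example, which is not part of the original thread. The alphabet, the site names and the scrypt parameters are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed character set for this example: 74 symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def generate_password(length=24):
    """Draw each character uniformly from the OS CSPRNG, as a manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def build_vault(sites, length=24):
    """One independent password per login, so one breach exposes one account."""
    return {site: generate_password(length) for site in sites}

def unsalted_sha256(password):
    """Weak storage: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_for_storage(password, salt=None):
    """Stronger storage: per-account random salt plus memory-hard scrypt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_for_storage(password, salt)[1], digest)

if __name__ == "__main__":
    # Constructed site names, not taken from the thread.
    vault = build_vault(["forum.example", "repo.example", "mail.example"])
    print("distinct passwords:", len(set(vault.values())), "of", len(vault))
    print("entropy per password: %.0f bits" % entropy_bits(24))

    reused = "Summer2009"  # constructed example of a reused password
    print("unsalted hashes match across sites:",
          unsalted_sha256(reused) == unsalted_sha256(reused))
    (s1, d1), (s2, d2) = hash_for_storage(reused), hash_for_storage(reused)
    print("salted scrypt hashes match across sites:", d1 == d2)
    print("verification still works:", verify(reused, s1, d1))
```
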
