Monday, January 07, 2008

Computer Fears and Questions




I’m reading a book of fiction which notes various ways and means to access private information on computers. I find this somewhat disconcerting. Not only that, it’s distracting me from the story.

Questions:

1. Do legitimate programs exist that are able to discover passwords? Programs that the general public can download and use? (I don’t want one. I just don’t like the thought of them existing.)

2. Are e-mail messages one sends, receives and delete stored somewhere in cyberspace and/or on the computer itself? Can they be accessed and read even though deleted?

3. When you clear your cache, is it REALLY emptied?

4. How safe (and private) is it to store files at a web site designed specifically for that purpose? (i.e. Yahoo Briefcase.) I figure if my hard drive unexpectedly kicks the bucket, at least I’d have access to those files.

As for my privacy concerns, I’m not expecting a computer forensic team to bust through my door (I haven’t committed any crime as far as I know) nor do I think my kids give a rip as to what’s on my computer.

BUT….hell, yes, I have stuff on this thing I consider personal and private. And I’m not referring to “dicey downloads.” That’s not my thing.

If anyone can answer any of these questions, I’d appreciate it.

Or share your own questions and concerns.

MAKE ME EVEN MORE PARANOID…

22 comments:

Shari said...

Hackers probably wrote that book. I'm going to have to see what other tech savvy people comment abotu this.

How about this? Front doors get double locks. Back door? One lock. Why? Potential burglers are more "hidden" in back and break in more. Does that make sense? Gotta bring that up to Hubby...but then he'd probably say that the dog chain should do the trick.

oreneta said...

I always figure that if anyone really wants to, they can get into anything I have on the computer or stored in cyberspace, I don't have the budget to purchase or maintain a serious anti-hacker system, nor the time to watch it regularly...I don't put anything up I wouldn't be willing to stand up beside in public.

Bec said...

My grandfather used to say, "don't write anything down that you wouldn't want anyone to read." (I ignored this advice, obviously.) But maybe the same reasoning applies here: don't record anything on your computer...

bjkeefe said...

Beth:

I have a fair amount of experience with computers, so I'll take a whack at some answers.

Short answers:

1. Yes.
2. Yes, sometimes, to both questions.
3. Sort of.
4. Pretty safe for at least two reasons.

But keep in mind that computer skillz are often exaggerated in works of fiction. (Sorry. As Doghouse Riley would say, I should've warned you to sit down before I said that.)

1. Yes, there are programs that can discover passwords. There are at least two kinds, in fact. The first are those that work from the outside, and attempt to "crack" the password in an automated, brute-force fashion. The second are those that stealthily install themselves on your computer, record your keystrokes to a hidden file, and then upload that file to another place where the blackhats can look at it and try to pick out what bit of typing represents the entry of a password.

The first sort are generally not something you need to worry about in the context of, say, logging into your blog. Generally, the blackhats need access to other parts of the server (or your own machine) to make any headway on this approach. I won't go into more detail here, unless you want me to.

The second type, the so-called "keyboard sniffers," are more worrisome, especially if you use a Windows machine. If you don't, chances are very good that you can skip the next paragraph.

As I'm sure you've heard, Windows machines are not especially secure, even with up-to-date anti-malware software installed and running. However, even if you do use Windows and aren't ready to change to a Mac or Linux box, there are a lot of things you can do to alleviate worries. First, keep your anti-virus and anti-spyware software up to date. These programs aren't perfect, but they're way better than nothing. Second, practice safe habits. You probably already know these, but for the record: don't visit web sites that feature offers too good to be true, and especially don't download anything from such sites, such as screensavers or programs that purport to "test your computer's security" or "boost your computer's performance." There are plenty of reputable repositories of free software out there, and plenty of trustworthy web sites that do, in fact, test your computer's security and performance without malicious side effects. Feel free to ask for recommendations, if you want them.

There's a third potential hole regarding password security: if you use a wireless connection to the Internet, a blackhat can eavesdrop on your transmissions. Some passwords are sent in encrypted form (the ones you enter on a secure Web page, for example); some are not (the login sequence sent to some email services, for example). Here, you can increase your safety by preferring Web-based email access when on the road, and by being skeptical about free connection services offered in places like airports. The odds are good that your local coffee shop is safe, but the potential always exists that someone three tables over could be snooping. Wireless connections are inherently less secure, just as with cell phones compared to land lines. The good news is the transmission range is very limited.

In general, although you should be aware of the existence of password crackers and password sniffers, you needn't be paralyzed with fear. The following practices will add a lot of security. I'm sure you've heard of most of them, but I'll repeat them for the record. Note that they are general to computer security, especially in the sense of preventing malware from being installed, and keyboard sniffers are a form of malware.

Zeroth, keep your system up to date. More on this below.

First, use a password that has mixed case plus some non-alphabetic passwords. This has the fringe benefit of also preventing a human from easily guessing your password from knowing something about you, like the names of your kids or pets or hometown. For extra security, change this password from time to time, and use different passwords for different applications.

Second, be leery of dubious web sites, especially as noted in the Windows-specific paragraph above.

Third, be leery of attachments sent by email or IM. This applies even if the sender seems to be someone you know -- it's easy enough for a return address to be spoofed, and it's easy enough to infect a machine and use it to send out malicious attachments using that machine's address book. If you're at all uncertain about an attachment, contact the sender and ask about it before opening it. If you run Windows, don't open any attachment that has the extension .EXE unless you're absolutely certain about the provenance of the attachment. Also, avoid e-greeting cards like the plague that they are.

Fourth, be leery of links in email messages, again, even if apparently sent by a friend. Let your mouse hover over the link and note the URL in the status bar of your email program (or browser, if you use Web-based email). If the message containing a link is from a friend, you can probably also tell from the context whether the message sounds like your friend's voice and whether the link seems plausible. The ones to watch out for most in this case are emails that purport to come from banks, eBay, PayPal, and the like, that ask you to follow the link because there is some problem with your account.

Fifth, be leery of web sites that say you need to install additional software, say, to view a video, especially if that site offers to install the new software on the spot. This is a new method of attack that is growing in popularity. If you're bent on watching that video, it's better to leave the site and obtain the new required software elsewhere, and then revisit the first site.

2. Email messages freshly deleted on your own computer are usually accessible to someone who has the proper recovery tools, as are all other files. This is because a file that is "deleted" is really only marked as such in what you might think of as a master index; i.e., the disk space occupied by the message file is marked as available for reuse, but the actual contents are still on the disk. The chances of accessibility degrade over time as you create and delete other files, thereby increasing the chances that the space occupied by the "deleted" message will be overwritten.

If you're paranoid about this, there are "secure delete" and "disk scrubbing" programs available. Details on request. Generally speaking, if you prevent others from access to your machine, you don't have to worry about this.

Email out on the Web, if deleted, is potentially recoverable, as well. There is less of a concern about someone using file recovery tools on a Web server, since those disks get overwritten so frequently, but that's one way. Another way, more likely, is that your message might continue to exist on a backup tape or disk. I don't know the exact procedures used by ISPs and Web mail providers, but I would guess that, over time, such backups are themselves overwritten as the backup media are reused.

3. I presume you're speaking about disk cache here -- cache in RAM is almost certainly cleared as soon as you launch other programs and open other files, and is definitely cleared by logging out and/or rebooting. There's no easy way to access RAM cache in any case; if someone were able to do this, your computer would have to have been hugely compromised in other ways.

As to disk cache, the same reasoning applies as with deleted files. Generally, the space on disk that held the cache is marked as available, but the contents of the cache are there, at least for a while, and available to someone with disk recovery tools. Unless you do things on the Web that I can't imagine, I'd say this is a minor worry. Anyone this interested in your surfing habits would probably find it easier to snoop in other ways. Also, preventing access to your machine pretty much covers you.

4. I don't know about Yahoo Briefcase specifically, but most online storage services use encryption to augment the security of your data. Encryption is not perfect, but the standard tools used these days are pretty good. Breaking such encryption requires a ton of dedicated high-end computing power and lots of time, typically on the scale of months, at least.

The second reason to feel safe in this area is a statistical argument. J. Random Blackhat has very close to zero chance of stumbling across your files, just by virtue of the sheer amount of data out there. You're basically in the situation of parking your car in a lot in which everyone else in a stadium has also parked. A car thief is unlikely even to try the door on your car, just because there are so many others to try. If your car is locked (encrypted), the odds get even better -- even if he does try your door, it makes sense for him to move along and look for an easier target. You really only need to worry about encrypted files stored online if you have reason to believe that someone is after your files specifically, and that someone has unusual resources at his disposal.

You are correct to be more worried about the consequences of losing your data due to your hard disk failing than to an online snooper, especially if your data is stored in encrypted form. The only realistic hole is if someone gets your password to the data storage site. See #1 above.

In closing:

(pause for ironic applause)

Let me first apologize for a comment longer than the original post. Ask me the time, and I tell you how to build a watch.

The summary of all of the above is this: You're pretty safe with respect to all of the concerns you raise if you pick good passwords. You can greatly enhance your security by keeping your system up to date with security patches. This includes the above-mentioned anti-malware software if you run Windows. It also includes (for Windows and all others) operating system patches and patches for third-party software, especially browsers and other programs that interact with the Web, like media players.

You can boost your awareness of the latest threats by picking a good computer security blog and reading it regularly. I recommend Brian Krebs's blog. I'm sure there are plenty of others, but Krebs seems to be on top of a lot of the news of most interest to regular users, and he writes at a level that prevents excessive eye-glazing. I subscribe to his feed; you've probably seen me refer to him on my own blog, especially when he reports on a matter that I think is of particular interest to a wide audience.

For all operating systems: Use a regular, non-administrator account for your day-to-day work. Log in as administrator only when you need to, say, to install software or drivers. This way, even if malware creeps in, the chances are good that it won't be able to install the way it wants to.

Windows-specific: If you're really concerned about privacy and computer security, don't use a Windows machine. If this is a deal-breaker, you can be pretty safe by avoiding the use of Internet Explorer and Outlook (or Outlook Express). Prefer Firefox and Thunderbird. The latter are better designed, more frequently patched, and have less access to interaction with low-level aspects of the operating system. Use Internet Explorer only to visit Microsoft's site and, possibly, a few other trusted sites that require special access to your machine, like Crucial (the memory upgrade advisor) and various security-testing web sites.

The bottom line is this: If you're truly paranoid, keep in mind that there is always a chance that someone could access your data, either on your home machine, your online storage sites, or while in transmission. But a well-maintained system combined with a modicum of common sense employed while surfing, IMing, and dealing with email means you're probably okay. You'll never be 100% secure if your machine is connected to other machines, or if other people can gain physical access to your machine, but there are few guarantees in any aspect of life.

bjkeefe said...

Erratum:

The sentence in my previous comment that reads First, use a password that has mixed case plus some non-alphabetic passwords should have as its last word characters.

Beth said...

shari:
Take a look at Brendan's comment! He is THE MAN!

oreneta:
Well, I'd stand up in public with some of the stuff I have on my computer, but I wouldn't be too thrilled to do it. And some stuff I consider just mine, you know? A privacy thing...

bec:
I may do some deleting but after reading Brendan's comment, it's still there - somewhere...

brendan:
I love you! You're amazing!
I read every word of your comment/essay (with my son reading over my shoulder) and printed it. (Bet others do, too.)
Thank God I use a Mac - much reassurance right there. I will be taking your advice as to passwords and heeding your other warnings. Have also bookmarked Brian Kreb's blog (I trust your link...)
Thank you so much!
Confession - I was hoping you'd check in and help but never expected this!

Sherry said...

I don't know a great deal about computers but I do know that even when you erase/delete things from your computer, they can be retrieved by people who know how to do that.

Sherry said...

Brendan you are a marvel!!! I love that you know all this. I'm in the market for a new computer and I'm (gulp) already using Windows et al...not going that route again after all you've said!! Thanks!!!

bjkeefe said...

Thanks for the kudos, Beth and Sherry, not to mention your willingness to wade through excessive verbiage.

bjkeefe said...

Beth said: Have also bookmarked Brian Kreb's blog (I trust your link...)

Yes, the irony of offering a link after all of my earlier fear-mongering did not escape me, even as I typed it in.

Mrs. G. said...

I expect no protection or privacy on the internet. Isn't that sad and creepy?

Anonymous said...

Wow, I didn't have a clue, until I read your comments. I feel like I completed a class in computed security today, on your blog. What a great topic. Good stuff to know. Good stuff to pay attention to. Thanks for bringing it up.
XOXOXO
Now go back to you book.

Angel said...

ya know..I hate to read "fiction" books like that, cuz I always think there is some truth to it, ya know? I don't really know a whole lot about computers...I like to be blissfully ignorant!!

Shari said...

I did say I was hoping for some tech savvy person to comment...:) Thanks Brendan. I did hear that if someone deleted a blog, spammers can hang on to it somehow. Cyberspace is just like a whole new universe out there, huh? Ugh. I also heard that you have to be careful what you write, like Oreneta said-if you don't want it read, don't write it, type it, print it, publish it, whatever. Comes back to bite you in the you know where.

Shari said...

Oh, sorry. That was becspeak who wrote that about being careful what you write.

robkroese said...

Looks like you've already gotten some answers, but here goes:

1. Yes, depending on what you mean. But it's very hard to crack a strong password over an encrypted (SSL) connection.
2. Yes, technically. Any data that is deleted on a computer is really just "marked" for deletion, not actually destroyed (until it gets overwritten). There are programs that will scrub your data though.
3. No, for basically the same reason.
4. Don't know, but probably pretty safe and private (if you don't mind Yahoo! seeing your stuff).

Unknown said...

Dang. I'm going to have to sit down with a cup of coffee and a muffin in the morning to read all those responses. Man. Some people really took these questions seriously. I just thought most people wrote smarmy, sarcastic, encouraging or funny stuff. With periodic spam and flame comments. This stuff is actually useful.

Anonymous said...

When I use gmail they throw me adds that pick up on the subject matter of my emails. WAY CREEPY!

They say that everything on your computer or internet is visible if someone really wanted to know stuff about you. I try and keep this in mind but I don't want to be paranoid. I mean, heck - someone could just as easily rifle through my file cabinet and personal journals, my mail, my garbage...but I'm not going to lose sleep over it. If you haven't committed any crimes then so what? My life is my life-pimples and all.

Gary said...

Great questions Beth. I sort of feared looking at the answers, but am glad I did.

Brendan - you da man!!

Very useful.

contemporary themes said...

Very good to know.

Princess Pointful said...

It's easy for me to get paranoid... but then I realize that most people really don't give much of a crap about my decidedly unglamourous life!

Patti said...

When my daughter was a middle schooler (8-10 years ago), she spent a summer having fun with restoring all my deleted emails. The spacing was off, but they were very easy to decipher. Since then, I just assume everything is out there.