

Trojans, Keyloggers Problem..

Posted on 2004-05-03
Medium Priority
Last Modified: 2013-12-04
Hello. If a user has managed to sneak away my password using a keylogger, how am I still able to protect my email?

All the user has to do is log in to my POP3 email server and bingo, since he has the username and password all he has to do is download.

There must be a way to install a personal certificate on my local PC which allows only my PC to download the email from my POP3 server: the server will check which computer is requesting mail from the POP3 server, check the certificate to see if it matches the credentials on the server, authorize the username and password, and then allow me to download the email... This will allow me to download the email only from the computer on which I install the certificate and no other computer; even if they have my username and password they cannot log in to my POP3.

They can of course telnet, but my ISP has disabled the telnet port already.

Basically I am looking for just a more secure way of receiving email, for fear that somebody else is using a program like eblaster or something to get my emails.. I have the latest version of Norton and also have a hardware firewall, but that is still not good enough.

I also want to find out if there is a way to use a screen name like AOL has, i.e. my email address is xxx1@servername.com but my login to my POP3 is xxx987 or something different from my email address, so this way it is more difficult for a hacker to attempt to guess my password, since the username is completely different. My ISP says they don't know about this, but I am sure one of the above options must be available.

Question by:Ricky11

Author Comment

ID: 10975473
And of course I do change my password often, but that still does not solve my problem.

Accepted Solution

IceRaven earned 1000 total points
ID: 10975808
Hi Ricky11,

The POP3 protocol uses password authentication (plaintext). So if you want to use POP3 then you have to use a password, and your email username and password are going to travel unencrypted over the internet. There are other ways to get email which encrypt the password and use a web-based interface, e.g. www.hushmail.com. However, the only way that you are going to get the type of security you are asking for is by running your own mail server, in my opinion. You could set the server so you were the only one able to check email, either by PKI (certificates) or by assigning your computer an IP address that is the only IP address that can access port 110.

As for using a "screen name", just use a password impossible to guess or brute force.

e.g. IWishIhadLotsandLostsof$IreallyReallydo!

or something like that. You can't brute force it, can't guess it.. you would need to know it, so as long as you typed it in on a computer that was clean from keyloggers / in a room that didn't have a camera focused on your keyboard, some type of hardware interceptor on your keyboard... I could go on and on and on.... I realise I could probably write an essay on this subject, but here is a short answer for the long ramble I have just given.

Option 1. Run your own mail Server
Option 2. Clean your computer of key loggers and use hushmail.
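As an added example (not part of the original answer, and not any particular mail server's code), here is a sketch of the server-side check that Option 1 makes possible: a POP3S login succeeds only when the source IP, the client certificate and the password all match. The policy values, the `xxx987` login, the sample certificate bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import ssl

# Constructed sample policy; every value here is illustrative.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32")]  # the one permitted client IP
PINNED_CERT_SHA256 = {hashlib.sha256(b"constructed-client-cert-DER").hexdigest()}
PASSWORDS = {"xxx987": "constructed-passphrase"}  # a real server stores hashes


def make_server_context(cert_file, key_file, client_ca_file):
    """TLS context for POP3S that refuses clients presenting no certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)  # CA that issued the client cert
    ctx.verify_mode = ssl.CERT_REQUIRED               # handshake fails without a cert
    return ctx


def authorize(peer_ip, peer_cert_der, username, password):
    """Return (allowed, reason); all three factors must pass.

    On a live connection peer_cert_der comes from
    tls_socket.getpeercert(binary_form=True).
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source address not allowed"
    if peer_cert_der is None:
        return False, "no client certificate"
    if hashlib.sha256(peer_cert_der).hexdigest() not in PINNED_CERT_SHA256:
        return False, "client certificate not pinned"
    expected = PASSWORDS.get(username, "")
    # Constant-time comparison; unknown users have no entry and fail.
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return False, "bad username or password"
    return True, "ok"
```

The client's private key sits on the same PC as any keylogger, so this check stops logins from other machines but not from malware running on that PC. Keeping the key on a smart card or hardware token narrows that gap.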

LVL 12

Expert Comment

ID: 10976265
Not answering your question, but to secure you in the future....

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important that you study all of these issues in my knowledgebase (some of them are freeware):

BTW: I'm using the Trend Micro virus-suite and SoftScan, and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open


LVL 38

Expert Comment

by:Rich Rumble
ID: 10983134
Webmail is a very secure way to connect to your ISP's email; it uses HTTPS, and there is no plain text over the HTTPS connection if your ISP has it configured. If they only offer POP3... there will be plain text all over the place. Be sure your computer doesn't have a keylogger or a "fake GINA"; McAfee is able to detect the most popular keyloggers and an altered GINA. Naturally, better usernames and passwords are a must, but if you have a keylogger, you could have the world's best password and username and still get your email stolen. TDS3 is also a superb program at detecting malware. If you have a cable modem or DSL connection, the only way your info can be sniffed is if they are your neighbor (actually that may or may not be true for DSL.. not sure) or in your neighborhood, pretty much. If you run wireless at your home, you're broadcasting your traffic anyway, and anyone can sniff that if they are within a certain distance. Your ISP or POP3 provider would need to provide a secure means for downloading your email; there is nothing you can do on your own to MAKE your mail provider send encrypted email to you, and vice versa. Again, it would need to start with them (the ISP).

If you are running your own... then depending on what program you run for mail, then yes you can use a cert or PGP key for mail.

Author Comment

ID: 10984147
Thanks guys.. although I am still not satisfied..

I know emails are like postcards, but there has to be a better solution for an average user to check email securely.

No matter if you are using hushmail or sending data through HTTPS, a trojan will still pick up the keystrokes and send them off. I have tested McAfee, Norton and various others; not all of them detect variants of Eblaster and some of the others out there. But that is not the problem. I am not concerned about protecting my computer/server before I get infected; I want to know that even *if* I am infected and *if* the hacker has managed to steal my username and password, they should not be able to check my mail. I am interested in PKI and am going to check it out to see if my ISP could do something with that. IceRaven, thanks for that.

I will be back.

LVL 12

Expert Comment

ID: 10987596
>" I am interested in PKI and am going to check it out to see if my isp could do something with that."

An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages.
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages.
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality in PKI, and what technologies in Windows 2000 that are able to use PKI. 27 pages.
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practices where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages.
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration of Outlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages.
How to Digitally Sign and Encrypt Messages in Outlook Express

Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages.
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on exchange to enable encryption and signing of emails. 40 pages.
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.


Question has a verified solution.
