[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Trojans, Keyloggers Problem..

Posted on 2004-05-03
6
Medium Priority
?
348 Views
Last Modified: 2013-12-04
Hello.  If a user has managed to sneak away my password using a keylogger how am I still able to protect my email.

All the user has to do is to login to my pop3 email server and bingo, since he has the username and password all he has to do is download.

There must be a way to install a personal certificate on my local pc, which allows only my pc to be able to download the email from my pop3 server, the server will check to see which computer is requesting mail from the pop3 server check the certificate to see if it matches the credentials on the server, authorize the username and password and then allow me to download the email... This will allow me to download the email only from my computer for which i install the certificate and no other computer, even if they have my username and password they cannot login to my pop3.  

THey can of-course telnet but my isp has disabled the telnet port already.

Bascially I am looking for just a more secure way of rcvding email, for fear that somebody else is using a program like eblaster or something to get my emaisl.. I have the latest version of norton and also have a hardware  firewall, but that is still not good enough.

I also want to find out if there is a way to use a screen name like aol has.. I.e. my email add is xxx1@servername.com  but my login to my pop3 is xxx987 or something different from my email add, so this way it is more difficult for a hacker to attempt to guess my password, since the username is completley different.  My isp says they don't know about this. but I am sure one of the above options must be available.

THanks.
0
Comment
Question by:Ricky11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 

Author Comment

by:Ricky11
ID: 10975473
and of-course i do change my password often, but still does not solve my problem.
0
 
LVL 7

Accepted Solution

by:
IceRaven earned 1000 total points
ID: 10975808
Hi Ricky11,

The POP3 Protocol uses password authentication (plaintext).  So if you want to use pop3 then you have to use a password and your email username and password is going to travel unencrypted over the internet.  There are other ways to get email, which encrypt the password and use web based interface eg. www.hushmail.com However the only way that you are going to get the type of security you are asking for is by running your own maill server in my opinion.  You could set the server so you were the only one able to check email, either by PKI (Certificates) or by assigning your computer an IP address that is the only IP addresss that can access port 110.  

As for using a "screen name"  just use a possword impossible to guess or brute force.

eg.  IWishIhadLotsandLostsof$IreallyReallydo!

or somthing like that.  YOu can't brute force it, can't guess it.. you would need to know it, so as long as you typed it in on a computer that was clean from keyloggers/ in a room that didn't have a camera focused on your keyboard, some time of hardware intercepter on your keyboard... I could go on and on and on.... I realise I could probably write an essay on this subject but here is a short answer for the long ramble I have just given.

Option 1. Run your own mail Server
Option 2. Clean your computer of key loggers and use hushmail.

Cheers,
IceRaven
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10976265
Not answering your question, but to secure you in the future....

Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you does'nt protect your computer at all.

The reason is, that the many different programs not always protects against each other, and each of them does'nt protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10983134
Webmail is a very secure way to connect to your ISP email's, uses HttpS, there is no plain-text over the HTTPS connection if your ISP has it configured. If they only offer Pop3 .... there will be plain-text all over the place. Be sure your Computer doesn't have a key-logger or a "Fake GINA" McAfee is able to detect the most popular k-loggers and an altered GINA. Natuarlly better usernames and passwords are a must, but if you have a keylogger, you could have the worlds best pass and username and still get your email stolen. TDS3 is also a superb program at detecting mal-ware. If you have a cable modem or DSL connection, the only way your info can be sniffed is if they are your neighbor (actually that may or may not be true for DSl.. not sure) or in your neighborhood pretty much. If you run wire-less at your home, your broadcasting your traffic anyway, and anyone can sniff that if they are with-in a certain distance. Your isp or pop3 provider would need to provide a secure means for DL'ing you email, there is nothing you can do on your own to MAKE your mail provider send encrypted email to you, and vice versa. Again it would need to start with them (the ISP).

If you are running your own... then depending on what program you run for mail, then yes you can use a cert or PGP key for mail.
http://www.pgp.com/
-rich
0
 

Author Comment

by:Ricky11
ID: 10984147
Thanks Guys.. Although I am still not satisfied..

I know emails are like postcards, but there has to be a better solution for an average user to check email securerly.

No matter if you are using hushmail or sending data thourhg https a trojan will still pick up the keystrokes and send them off, I have tested Mcafee, Norton and various others, not all of them detect varients of Eblaster, and some of the others out there.  But that is not the problem, I am not concered about protecting my computer/server before I get infected, I want to know even though *if* i am infected and *if* the hacker has managed to steal my username and password they should not be able to check my mail.  I am interested in PKI and am going to check it out to see if my isp could do something with that.  IceRaven thanks for that.

I will be back.

Thanks.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10987596
>" I am interested in PKI and am going to check it out to see if my isp could do something with that."


An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/pkiintro.asp 
 
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/autoenroll/default.asp 
 
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality in PKI, and what technologies in Windows 2000 that are able to use PKI. 27 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pki.asp 
 
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practises where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/pubkeyox.asp 
 
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration ofOutlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/pubkeyox.asp
 
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pubkeyol2000.asp 
 
How to Digitally Sign and Encrypt Messages in Outlook Express
http://support.microsoft.com/default.aspx?scid=kb;en-us;168726

Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pubkeyie.asp 
 
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on exchange to enable encryption and signing of emails. 40 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/maintain/optimize/win2kms.asp 
 
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/networking/default.asp
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question