Knowledge equals paranoia *UPDATED*

(iPad wiped all my hyperlinks, so if you’re interested in the security programs I mention, you’ll have to search them yourself.)

A friend’s email got hacked. This led to a discussion with a very knowledgeable person about the risks she now faces. Upon realizing she was hacked, she immediately changed her email password and assumed her troubles were over. He told her the contrary was true:  her troubles had just begun.

She told him she had run a full virus check and it came up clean, so she shouldn’t have troubles. He told her that virus checkers, no matter how good, are just a superficial panacea.

The real problem, he said, is keystroke logging malware that lodges deep in the operating system. This means that every time you log into a website, the logger tracks and records your user name and password, and then delivers the data to the hacker. The hacker can then process that information to access your accounts and — voila! — your identity is compromised.  He can also sell it far and wide. Everything is at risk, from bank accounts to your Facebook page.

There are some ways to protect yourself. When it comes to email security, the best thing is two-step verification. If you log onto a computer that you haven’t authorized as a trusted computer, the double verify system sends you a numerical text message. Even if a hacker has both your user name and password, if he doesn’t have your cell phone, he can’t get into your email.

To prevent problems in the first place, you should have good anti-virus software. Recently, for Microsoft users, several computer gurus have recommended Microsoft Security Essentials to me, which they say is the best and, as an added bonus, is free. You can also keep your computer away from dangerous websites by having your router pass through OpenDNS, which blocks your computer from accessing dangerous sites.

But if you’ve already got a keystroke logger buried in your operating system, you’re out of luck. Most virus checkers can’t find this type of malware, because it’s buried too deeply in your operating system, not to mention that it can actually look innocuous at a code level. Serious computer security people have two computers, one of which is for fun, and one of which is dedicated solely to secure information. They keep their passwords on a flash drive. When they need a password, they plug in the flash drive and then cut-and-paste, so that there are never keystrokes.

With all this in mind, the knowledgeable person told my friend that, because she knows she’s been compromised, she should junk her computer entirely. He thinks that even reinstalling the operating system is insufficient.

Another party to the conversation said this was all overkill. He said that the likelihood of a hacker taking the time to ferret out your information from all the information he selects is minuscule. Further, if he does, most institutions will notice strange behavior and contact you immediately. Ultimately, he felt the risks from hacking were too small to justify the draconian solution of throwing away a computer and starting anew.

As for me, I got totally paranoid from this conversation. I know I don’t have a virus, but I have no way of knowing if I have caught keystroke logger malware. I’m going to change my passwords, but if there’s a keystroke logger, that’s a wasted effort. I’m in a perpetual loop of paranoia and vulnerability.

This paranoia loop — which was triggered by an information dump from someone with more information than I have — irresistibly brought to mind the way we deal with politics in America. Last night, at dinner, a Democrat said that Obama, during his first term, did the best job possible with the hand he’d been dealt. She did not know that Reagan had a rougher economic hand and achieved a better economic outcome. In her limited information universe, Obama was the best.

Fiscal cliff? Going over it may be a plunge from which the economy never recovers, or it may be an illusory line and we discover, once we’ve crossed, that nothing has changed. Since my understanding of economics is simple — you cannot spend more than you have or borrow more than you can repay — I foresee catastrophe. Others say a national economy is not a household, and that my analysis isn’t just simple, it’s idiotic and stifles our country’s economic potential.

The same thing happens with the way Americans approach the risk from Islamism. Those of us steeped in information about Islamic doctrine, worldwide terrorist attacks, and Islamic rhetoric see a very high risk. Those who accept that Islam is a religion of peace and think that it’s just a coincidence that all terrorists and would-be terrorists happen to be Muslims, believe our risks are low, and that we are just paranoid, loony conspiracy theorists.

This paranoia runs the other way too. Progressives are convinced that we are cooking ourselves and that the world will melt. We think they’re overreacting to, and taking unreasonable responsibility for, a natural phenomenon that has happened repeatedly since earth’s creation.

Quite obviously, people’s perception of risk is going to affect the steps they take to protect against those perceived risks. The big question, then, is whether the paranoid informed people or the relaxed uninformed people had a better read of the situation. Have we over educated ourselves about risk to the point of dysfunction and overblown reactions? Or have they gone beyond a reasonable assessment of actual risk to a denial so overwhelming that they are incapable of defending against a genuine enemy? Do we change our passwords or junk the whole computer?

As for me, right now, I’m just going to change my passwords and put them onto LastPass, so as to minimize the keystrokes I enter. I’m also going to remind myself that a hacker who collects trillions of keystrokes from millions of computers can’t possibly process that info, and that the odds are I won’t be processed.

UPDATE: A friend who knows more about computers and programming than anyone I have ever met says that an excellent way to protect oneself is to use Google Chrome. He says that Adobe Flash is now a primary vehicle for malware. Chrome doesn’t use Flash, thereby avoiding that risk. I like Firefox, and don’t like Chrome, but I’m not so stubborn that I won’t recognize a reasonable trade-off and learn to live with a different browser.


Comments

  1. MorowbieJukes says

    And the inverse of “knowledge equals paranoia” is “ignorance is bliss”, the bliss lasting up to that very last instant before the Titanic strikes the iceberg. Knowledge of course permits one to see the iceberg in the distance and steer the ship away.

  2. Spartacus says

    1) Junking the whole machine is serious overkill.  Take the hard drive out to the range and drill it with a .30-06 and some Tannerite if you really need a sense of closure, but repaving the hard drive with zeroes should do the trick, and save you $80 (although it’s significantly less dramatic and less fun).
     
    2) On Firefox, I have recently started using the NoScript add-on (Tools -> Add-Ons…).  Handy: it turns JavaScript off by default, although you can add specific websites (and component parts thereof from different domains, e.g. bookwormroom.com has a wordpress.com component) to a permanent “trusted” list, or just a temporary one, depending on how much content from each site you really want to see and how much you trust it.  Bonus: you no longer have to wait for a cascading pyramid of domains comprising what seems like about half of the entire Internet to respond in order to load one stinking web page.  Drudge, for example, loads many times faster.
     
    3) Also for Firefox, I would note that Flash can be disabled (also at Tools -> Add-Ons…).

  3. nuqlv9ol7u says

     Computing security is not much different from home security. The user is the most important layer. If you do not practice safe computing, everything else will have limited effectiveness. If you are infected, you can format the hard drive or re-create the partitions. A boot sector virus can be cleaned, but it is not going to affect anything else. You should check the BIOS, and make sure you are only booting from the hard drive.

    Most hackers are not very interested in an individual user. Their time would be more profitable hacking into large databases. They are interested in turning an individual computer into a zombie or bot. They use zombie computers to attack other computers.

    Anti-virus software does not protect the user from stupid. I use KeePass for password management, but a Word document would also work. Do not name it something obvious, and nobody is going to find it. I think anything online will be hacked at some point. If financial companies are being hacked, online password management sites will be also.

    I use a different password for every site, and I use unique usernames where possible. I have multiple Gmail and Yahoo email accounts, and these also have gibberish for names. If somebody gets your usual password and email address, they will begin trying to log on to bank websites until they find yours. Whoever said to junk the whole computer is an idiot. There are numerous detect and repair disks available. You can create a boot disk using a CD or USB thumb drive. You boot from it, and you scan the hard drive. There are other utilities to fix other problems.

    Chrome does use Flash. It is included in the browser, and Google has customized it to make it safer.

  4. MacG says

    I have Norton Enterprise and I could not get rid of a win32 somethingorother virus. I ran the free Avast!’s boot time scanner and it found it and quarantined it. I have no idea if I have a key logger or not but did find a church key for my lager :)

  5. jnb says

    One of the best programs for all kinds of malware removal is Malwarebytes Anti-Malware. This is the program anti-virus programs recommend for the removal of super-nasties. That’s how I found out about it. There is a free version (or at least there used to be), and a purchase version, which, in my opinion, is worth every penny. It has removed junk from my computers that other programs didn’t detect. It is NOT an anti-virus program. It is specifically designed to remove malware, so you use it in conjunction with and not in place of an anti-virus program.
    Another place to go if you have a problem is bleepingcomputer.com. (Just imagine what this site would be named if Joe Biden ran it.) Lots of good help and info on malware removal, including rootkits, a particularly nasty variety of maliciousness that inserts itself into your operating system, making it invisible to ordinary anti-virus programs. Malwarebytes can take out some of these, but apparently no program gets them all.
    One purpose of a rootkit is to allow your computer to be taken over, and they do this by periodically “phoning home.” Malwarebytes Pro (the purchase version) has a feature which will alert you to unauthorized outgoing messages. This is one clue that you may have a rootkit in your system trying to contact its home base. Guess how I know this!
    Keyloggers also typically “phone home” periodically.
    (I have a small business, and so I asked for and got a slightly cheaper corporate rate for several computers. I don’t know whether or not they still do that, but it is worth a try.)
