U.S. CitiesCity-Data Forum Index
Go Back   City-Data Forum > General Forums > Science and Technology > Computers
 [Register]
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
View detailed profile (Advanced) or search
site with Google Custom Search

Search Forums  (Advanced)
 
Old 11-03-2011, 05:40 PM
 
Location: FOUO
149 posts, read 448,021 times
Reputation: 121

Advertisements

Hello. I've discovered that transferring data from a public computer to a private one via USB flash drive is very risky. Is self e-mailing a safe alternative? Most e-mail providers filter mail and can detect/remove security threats like viruses and spyware.
Rate this post positively Reply With Quote Quick reply to this message

 
Old 11-04-2011, 09:29 AM
 
Location: SoCal
6,280 posts, read 10,560,292 times
Reputation: 6518
I still wouldn't trust the e-mail provider's filter. We have anti-virus/anti-malware on all our computers - even the Mac. When it becomes available for an iPad I'll have it there, too, since I connect using wireless. That way we - not some third party - are controlling our protection.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-05-2011, 02:17 AM
 
Location: Mableton, GA USA (NW Atlanta suburb, 4 miles OTP)
11,333 posts, read 23,897,996 times
Reputation: 3956
Quote:
Originally Posted by CornerstoneEagle04 View Post
Hello. I've discovered that transferring data from a public computer to a private one via USB flash drive is very risky. Is self e-mailing a safe alternative? Most e-mail providers filter mail and can detect/remove security threats like viruses and spyware.
It depends on the files being sent. Text files (as in notepad documents, not Word documents), bitmap images like GIFs/JPGs/PNGs, and other similar files that don't or can't have embedded executable content are perfectly safe to send.

If you're that paranoid, try booting from a Linux LiveCD or something before viewing the files in question. That way you're in an operating system which is unlikely to be infected by common malware, and you're running it in such a way that any contamination will not easily spread.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-05-2011, 09:07 AM
 
Location: The DMV
5,334 posts, read 9,307,627 times
Reputation: 6345
Quote:
Originally Posted by CornerstoneEagle04 View Post
Hello. I've discovered that transferring data from a public computer to a private one via USB flash drive is very risky. Is self e-mailing a safe alternative? Most e-mail providers filter mail and can detect/remove security threats like viruses and spyware.
Using your private email account on a public system is probably not a good idea since you have no idea if there's a rootkit or keylogger on that computer. So in essence, by accessing your email, you may have just given up your credentials.

Nothing is ever 100% with regards to security (outside of avoidance). so everything is always relative.

Between using a USB or sending it via personal email. I'd probably still opt for the USB option as long as I have IPS/AV protection on my home computer. This would allow me to scan the data on the USB before its allowed to be transferred to the home PC.


Quote:
Originally Posted by rcsteiner View Post
It depends on the files being sent. Text files (as in notepad documents, not Word documents), bitmap images like GIFs/JPGs/PNGs, and other similar files that don't or can't have embedded executable content are perfectly safe to send.

If you're that paranoid, try booting from a Linux LiveCD or something before viewing the files in question. That way you're in an operating system which is unlikely to be infected by common malware, and you're running it in such a way that any contamination will not easily spread.
Just about all files can be used as covert channels. And image files are even easier to use with stego tools. The only real way to tell would be to compare it to a hash.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-06-2011, 06:52 PM
 
Location: Mableton, GA USA (NW Atlanta suburb, 4 miles OTP)
11,333 posts, read 23,897,996 times
Reputation: 3956
Quote:
Originally Posted by macroy View Post
Just about all files can be used as covert channels. And image files are even easier to use with stego tools. The only real way to tell would be to compare it to a hash.
Embedded data is probably not a concern for most users as long as there isn't an execution vector. You're right, tho, that just about all files can be used to transport information in a covert manner.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-07-2011, 12:28 PM
 
80 posts, read 135,380 times
Reputation: 65
Quote:
Originally Posted by macroy View Post
Using your private email account on a public system is probably not a good idea since you have no idea if there's a rootkit or keylogger on that computer. So in essence, by accessing your email, you may have just given up your credentials.
Very true. Some e-mail services offer ways to circumvent this however. Fastmail has offered one-time password listings for years and years; Gmail just implemented one-time SMS passwords, etc. Use them!
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-07-2011, 06:39 PM
 
Location: FOUO
149 posts, read 448,021 times
Reputation: 121
Quote:
Originally Posted by oddstray
I still wouldn't trust the e-mail provider's filter.
Why? They are more reliable than the ones used by public network administrators (I’ll explain further on).


Quote:
Originally Posted by oddstray
We have anti-virus/anti-malware on all our computers - even the Mac. When it becomes available for an iPad I'll have it there, too, since I connect using wireless. That way we - not some third party - are controlling our protection.
Question: of all the network options available, is wireless the least secure/most vulnerable to viruses/malware?


Quote:
Originally Posted by rcsteiner
It depends on the files being sent. Text files (as in notepad documents, not Word documents), bitmap images like GIFs/JPGs/PNGs, and other similar files that don't or can't have embedded executable content are perfectly safe to send.
What are the files that have embedded executable content? I take it that Word, Excel and PowerPoint files are among these?


Quote:
Originally Posted by rcsteiner
If you're that paranoid, try booting from a Linux LiveCD or something before viewing the files in question. That way you're in an operating system which is unlikely to be infected by common malware, and you're running it in such a way that any contamination will not easily spread.
Will I need to install Linux as the primary OS on my computer in order to make a Linux LiveCD?


If so, there are two hang-ups: 1) To run Windows 7 inside Linux (which is what I would do), I would have to purchase special software that is outside my budget; and 2) I don't know which Windows applications I'd have to sacrifice in order to make Linux work (or whether any needed applications would be non-replaceable).

Quote:
Originally Posted by macroy
Using your private email account on a public system is probably not a good idea since you have no idea if there's a rootkit or keylogger on that computer. So in essence, by accessing your email, you may have just given up your credentials.
Even on a secure (https://) site?


Quote:
Originally Posted by macroy
Between using a USB or sending it via personal email. I'd probably still opt for the USB option as long as I have IPS/AV protection on my home computer. This would allow me to scan the data on the USB before its allowed to be transferred to the home PC.
But the problem with that, is that if the antivirus definitions on the home PC are not up to date, and the USB flash drive is infected with a new virus (picked up from another computer), then the home PC will get infected. At that point, a user may not know a virus has been planted on his/her computer until the system crashes (blue screen) or the AV definitions are updated. All it takes is one slip-up.

But the e-mail circumvention method comes with an added security measure not available using the USB flash drive option. With the e-mail method, if you transfer the files to your home PC or laptop prematurely (i.e. before AV definitions are updated), the chances of a virus or malware infection occurring are significantly lower than if you were to use the USB option. This is because e-mail providers scan all incoming and outgoing e-mail traffic with AV programs, which tend to be more effective than those used by public network administrators.
One of the reasons why is because e-mail providers, due to being responsible for safeguarding more personal info than public network administrators, are more likely to be sued by users who’ve been hacked/had their info stolen. For them, updating AV definitions is not just a good idea – it’s damage control.

Also, what is IPS protection?

Quote:
Originally Posted by macroy
Just about all files can be used as covert channels. And image files are even easier to use with stego tools. The only real way to tell would be to compare it to a hash.
What is a hash, exactly?


Quote:
Originally Posted by rcsteiner
Embedded data is probably not a concern for most users as long as there isn't an execution vector. You're right, tho, that just about all files can be used to transport information in a covert manner.
What is an execution vector?

Quote:
Originally Posted by macroy
Using your private email account on a public system is probably not a good idea since you have no idea if there's a rootkit or keylogger on that computer. So in essence, by accessing your email, you may have just given up your credentials.
Quote:
Originally Posted by tobisara
Very true. Some e-mail services offer ways to circumvent this however. Fastmail has offered one-time password listings for years and years; Gmail just implemented one-time SMS passwords, etc. Use them!
But is that more secure than logging in using a secure connection? For example, how would signing into <https://www.mail.google.com> using the standard sign-in method be any riskier than using a one-time password for <http://www.mail.google.com>? Are these e-mail providers saying that their secure sites are not effective in safeguarding password information?


Currently I’m trying to figure out how to save passwords into an HTML file on my thumb drive, without having to use Adobe RoboHelp (or any similar program I’d have to pay for). Copying and pasting passwords from an HTML file (on a thumb drive) into a public computer web browser would be the most secure sign-in method, in my opinion.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-07-2011, 09:04 PM
 
Location: Mableton, GA USA (NW Atlanta suburb, 4 miles OTP)
11,333 posts, read 23,897,996 times
Reputation: 3956
Quote:
Originally Posted by CornerstoneEagle04 View Post

Question: of all the network options available, is wireless the least secure/most vulnerable to viruses/malware?
The type of network connection really doesn't matter.

Quote:
What are the files that have embedded executable content? I take it that Word, Excel and PowerPoint files are among these?
Word documents and files created by other similar applications can contain embedded macros, yes. Macro viruses were quite common once upon a time, and might still be.

Quote:
Will I need to install Linux as the primary OS on my computer in order to make a Linux LiveCD?
A LiveCD is a CD that you burn and boot from. No need to install Linux at all ... it's a quick and dirty way to run an OS without a need for installation.

Live CD - Wikipedia, the free encyclopedia

Linux variants like Ubuntu, Knoppix, Puppy, and others are completely self-contained and can be booted from a CD and run completely in memory. No disk needed. That makes it completely isolated from the Windows installation on the machine you're booting it on. You can then use it to access any hard drives and grab (and hopefully view) files.

Since you aren't in Windows, you won't be subjected to the wiles of Windows malware.

Quote:
What is a hash, exactly?
He may be referring to using a checksum, CRC, or other mathematical means to see if a file has changed.

You perform the operation before you do something with the file, and then again afterwards. If the generated CRC or checksum value is different, something has changed in the file. Many DOS anti-virus programs used to do that for all files on a given system ... it made it easier to detect unauthorized changes. Systems these days are more complex, so I don't know how commonly that is done anymore.

Quote:
What is an execution vector?
Sorry ... it's a way to "run" a program, or a macro, or some sort of executable material residing in a file. If the macro or code can't be run, it won't activate and be harmful.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-08-2011, 03:08 AM
 
80 posts, read 135,380 times
Reputation: 65
Quote:
Originally Posted by CornerstoneEagle04 View Post

But is that more secure than logging in using a secure connection? For example, how would signing into <https://www.mail.google.com> using the standard sign-in method be any riskier than using a one-time password for <http://www.mail.google.com>? Are these e-mail providers saying that their secure sites are not effective in safeguarding password information?

The potential security breach does not lie in somebody grabbing the password off their site or from listening off the connection (which would be impossible in case HTTPS/SSL is used). The potential security breach is in some hacker grabbing your password with a keyboard listener or similar on the computer you are logging in from.

If you used your standard password, the hacker could just use your credentials and login from his own computer. If you used a one time password the hacker will have no such luck since it voids immediately when it is used.
Rate this post positively Reply With Quote Quick reply to this message
 
Old 11-08-2011, 06:16 AM
 
Location: The DMV
5,334 posts, read 9,307,627 times
Reputation: 6345
Quote:
Originally Posted by CornerstoneEagle04 View Post

But the problem with that, is that if the antivirus definitions on the home PC are not up to date, and the USB flash drive is infected with a new virus (picked up from another computer), then the home PC will get infected. At that point, a user may not know a virus has been planted on his/her computer until the system crashes (blue screen) or the AV definitions are updated. All it takes is one slip-up.

But the e-mail circumvention method comes with an added security measure not available using the USB flash drive option. With the e-mail method, if you transfer the files to your home PC or laptop prematurely (i.e. before AV definitions are updated), the chances of a virus or malware infection occurring are significantly lower than if you were to use the USB option. This is because e-mail providers scan all incoming and outgoing e-mail traffic with AV programs, which tend to be more effective than those used by public network administrators.
One of the reasons why is because e-mail providers, due to being responsible for safeguarding more personal info than public network administrators, are more likely to be sued by users who’ve been hacked/had their info stolen. For them, updating AV definitions is not just a good idea – it’s damage control.

Hence my comment on security being "relative". We can go around in circles on why one is better than the other in different scenarios. Yes - not having the latest updates/patches would increase your vulnerability. And if that malicious code attacks an 'unknown' vulnerability, then you're basically toast either way.

Currently I’m trying to figure out how to save passwords into an HTML file on my thumb drive, without having to use Adobe RoboHelp (or any similar program I’d have to pay for). Copying and pasting passwords from an HTML file (on a thumb drive) into a public computer web browser would be the most secure sign-in method, in my opinion.
Most secure in what sense? Again, it's all relative. I personally have an issue putting any confidential information onto an "unknown" machine. Take your example above, there may be an app that will make a copy of said USB. Now your passwords have been exposed. Or, when you enter it into that browser, a keylogger can grab it. Or, since that computer is on an "unknown" network - there may be a sniffer, or even a SSL proxy - which would offset any TLS controls.

Other than the first issue - none of this has to do with how you store your passwords (btw - why not use a password app like keepass on your phone?).

Someone mentioned one-time passwords. Which I would definitely use if you have that option.
However, even with that - there's still the potential of session hijacking.

And guess what - those last two examples could potentially happen even if you used your own laptop on a public network.

Not saying these are all going on at every public wifi hotspot or public terminal. But just to show that there really are no controls that will provide "100%" security. It just comes down to what is acceptable for the task at hand. I personally wouldn't think twice about logging on to a forum at a public terminal... the risk is minimal to me. However, online banking at Panera? Even with my own laptop? not gonna happen.
Rate this post positively Reply With Quote Quick reply to this message
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.

Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.


Reply
Please update this thread with any new information or opinions. This open thread is still read by thousands of people, so we encourage all additional points of view.

Quick Reply
Message:

Over $104,000 in prizes was already given out to active posters on our forum and additional giveaways are planned!

Go Back   City-Data Forum > General Forums > Science and Technology > Computers

All times are GMT -6.

© 2005-2021, Advameg, Inc. · Please obey Forum Rules · Terms of Use and Privacy Policy · Bug Bounty

City-Data.com - Contact Us - Archive 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37 - Top