Having had my Comcast webmail hijacked by spammers has heightened my awareness of simple things anyone can do to improve the security of their computers. At the risk of boring tech-savvy readers, I'll cover a few basics.

Knowledgeable reader I.Z. suggested the hijacking was probably the result of my lapses rather than Comcast's:

While railing against Comcast can be cathartic, in all likelihood, this "hacking" was preventable - by you. Access to your account was obtained by acquiring your credentials. This probably happened in one of several ways:

1. keylogger - recording your activities locally, on your PC

2. brute force - use of combinations/permutations of alphanumerics to guess a valid match

3. unencrypted transmission of credentials, in particular over public wireless networks

4. session hijacking - again, usually over open public wireless

The are other scenarios, but ones above are much more frequent and require fairly little skill/knowledge.

You can probably make a case against Comcast because they don't have the infrastructure in place to detect a brute force attack, or a configuration/systems management policy to mitigate it (by locking out your account after a pattern of failed attempts).

Personally, I would reckon such obvious mitigation to be the responsibility of a monopoly, but I grant the primary point, which is that I enabled the hijack via poor security habits. (How difficult is it for network software to track that an email account is being hit with hundreds or thousands of login passwords?)

Since I don't access the web on public wireless networks, and I'm behind a router firewall and a software firewall, it seems most likely that the attack was a brute-force capture of my password, which was weak.

So here are the basic security measures to take:

1. Don't log onto password-protected accounts or sites while on a public wireless network.

2. Strengthen your passwords. Mix in capital and lower-case letters, numbers and special characters if the site allows them; avoid words found in dictionaries.

3. Connect to the web behind a router with a built-in firewall, or a hardware firewall, and also maintain a software firewall.

A tech with 30 years of experience said that in his experience anti-virus/anti-malware software did not really "fix" the security problem--every computer he'd run across that had been infected had Norton, McAfee, etc. running. His recommendation was to maintain a firewall and keep a backup of your hard drive which could be reloaded if your computer became infected.

I.Z. offered these additional suggestions:

These are my opinions, not facts. I am not a formal data security professional, academic, etc., and I base this on practical experience. That said:

I think the battle against virus infection via prevention is futile. This will remain so until the general user population is sufficiently educated to recognize problems. This won't happen until the industry matures (think of pace of change in consumer tech v. a plumber's toolset). Even then it isn't guaranteed. (consider use of symbols on microwave user interfaces, or same on POS terminals in fast food restaurants.)

Most viruses are spread now either via email/spam, or through advertisement content that isn't thoroughly checked. You could go to a legitimate mainstream news site and pick up something.

In any case, I think base assumption to be made is virus problems will take place (much as hard drives will fail). The approach, then, should be on minimizing losses, in particular recovery time.

My suggestion, for people who aren't close enough to the subject matter to have developed a sixth sense, is to use virtual machines as Internet browser appliances. Think of this as a disposable rubber glove (or a condom - may be a more appropriate analogy). The virtual machine is executed by VMWare Player (free for personal use), the operating system within it contains the necessary components for typical browsing - browser and various plugins. The host operating system is insulated against activity inside the VM. The VM files (virtual disk) are easily backed to a golden image and copied over in case of anything suspicious inside the VM.

In other words - no effort is spent on diagnosing the specific nature of the problem; identify fault, spin down the VM, copy back a few files comprising the original golden image, spin the VM back up.

It is fairly straightforward to permit a DMZ for file-sharing between the VM instance and host OS (that would have software to operate on files exchanged via the Internet).

There are also some obvious gotchas: the dominant OS is still some form of Windows, so this likely has to be the basis for the VM browsing appliance, else it's foreign, something new to learn and rejected. Formally, a separate license for this additional instance of Windows is required.

Regardless, this is probably beyond most users' capabilities to set up.

The concept goes against the general industry as it marginalizes the role of AV software (therefore AV software developers and servicers, like geeksquad), not to mention perceived hardware obsolescence (that drives PC and software sales). I don't see anyone able to monetize this (thereby making it simple enough to become widespread) save the Google approach.

The "righteous" path would probably be investing the effort to create a Linux-based appliance in VMWare format, perhaps in the guise of a virtual Android device.

None of this helps the task of password selection, avoidance of unencrypted transmission across untrusted transport (or the inherent risks involved even when transmission is encrypted). A strong password includes A-Za-z0-9 and special characters. These usually end up being too complicated and so written down (and then lost). My suggestion is to pick a phrase and a simple algorithm that cherry-picks characters from the phrase (as simple as first letter of every word) and tack on a "#1!" or similar.

From here, you can start trending toward paranoia by cycling the VM every so often regardless of function (i.e., delete and restore from golden image). Change your passwords every so often, etc. It really depends on your exposure to the Internet. The password change recommendation only applies to Internet-exposed credentials. I don't agree with the policy of rapid-cycling strong passwords that are used on trusted networks.

Hope this helps.

Thank you, I.Z. for these suggestions.

I should also mention that my experience with the major AV software vendors has been poor. Basically the McAfee tech I chatted with online suggested running their free scan tool. That didn't turn up any virus, and McAfee's tech support response via email was along the lines of, "gosh, you must have a virus we don't know about, there are thousands of them out there, but we do have a nifty virus-removal service for $89 a pop."

Uh, remind me why am I paying for your AV software?

Neither tech thought of webmail as the source of the hijacked email.

Norton took three minutes to scan a two-line email (multiply that times 50+ emails a day), so that was dumped post-haste. The Norton "removal" tool tagged my Word and Excel executables as "bad" and deleted them. Great job, Norton!

While I have read about harmful files being loaded from malicious adverts and other passive files (hence all those warnings about ActiveX), my impression is the standard way people get malware is via an executable file that they click on.

Between a firewall, strong passwords (that you write down somewhere that you can find again, heh) not clicking on executables from unknown sources and not logging onto password-protected sites from public wireless networks, then I think the risk of being hijacked/hacked can be significantly reduced.

I remain a beginning student of security, and hope this entry spurs you to at least strengthen any weak passwords you might still be using. Common sense suggests avoiding using one password for all your accounts and logins.

Lagniappe/bonus paranoia: I also deleted all contacts lists from webmail accounts. The inconvenience of entering an email address is a modest payment for the peace of mind that comes from knowing that any future hijacking will not yield up a contacts list to exploit.


If you would like to post a comment where others can read it, please go to DailyJava.net, (registering only takes a moment), select Of Two Minds-Charles Smith, and then go to The daily topic. To see other readers recent comments, go to New Posts.



Order Survival+: Structuring Prosperity for Yourself and the Nation and/or Survival+ The Primer from your local bookseller or from amazon.com or in ebook and Kindle formats. A 20% discount is available from the publisher.

Of Two Minds is now available via Kindle: Of Two Minds blog-Kindle

"This guy is THE leading visionary on reality. He routinely discusses things which no one else has talked about, yet, turn out to be quite relevant months later."
--Walt Howard, commenting about CHS on another blog.

Your readership is greatly appreciated with or without a donation.

For more on this subject and a wide array of other topics, please visit my weblog.