
Thread: ID Lock Not Working

  1. #11
    rschoner Guest

    Re: Hmmmmm, it works here

    No luck. I shut it down and restarted and logged on to MajorGeeks without a warning. The URL for the login has a php in the address---don't know what that means in terms of security. It did warn me when I logged on to a photography site: dpreview.com. Maybe it's not a big deal.

    I have Major Geeks in my Privacy List with cookies allowed (but so does dpreview.com). Does that have anything to do with it?

    Thanks for following this.

    Bob Schoner

  2. #12
    billc Guest

    Re: Hmmmmm, it works here

    By chance, do you have Major Geeks in your ID Lock Trusted Sites list?

  3. #13
    rschoner Guest

    Re: Hmmmmm, it works here

    No it is not a trusted site. I had to log back in to this forum to post this reply and got the alert/warning so it works here. I just posted on the Major Geeks software forum asking if it was a secure site, so I'll see what they say. I may be overreacting but the engineer in me wants to know why. :-)

    BTW, I can't register (can't force it either). Posted that on the Installation forum but got no response. Is this a "biggie"?

    Thanks for following up.

    Bob Schoner

  4. #14
    billc Guest

    Re: Hmmmmm, it works here

    Well I too wanted to know what the heck was happening. I think I know now. When I viewed the source code for the Major Geek Forum, I discovered a vb script in the password logon that takes your password and encrypts it into a md5hash encryption. So the long and short of it is that the logon is encrypted although the page is not a secure page per se. All is well with your ZAP. This was an interesting mystery to me.

    About the registration, give it a couple days and try again. Sometimes the servers are having a bad day. Besides, registration is no biggie at all, so worry not.

  5. #15
    rschoner Guest

    Re: Hmmmmm, it works here

    Hi,

    Thanks for the effort you went to for follow up. If you don't mind my asking, how does ZA know the password is encrypted? I can understand it looking for the "s" in https but digging down into the code seems a little much for a relatively inexpensive piece of software.

    As for the registration, I don't think it's a ZA server problem; I have been trying several times over the past 10 or so days and no luck. I think I will send them an e-mail.

    Thanks Again,

    Bob Schoner

  6. #16
    billc Guest

    Re: Hmmmmm, it works here

    Zone Alarm inspects the data that goes out in every packet and compares it to that which you have placed in your ID Lock. If it 'sees' the password as you have entered it, you'll get an alert. If it only sees gibberish like *^%*#**+* going out then it cannot read the encryption and neither can would-be hackers. It is not the HTTPS that ZA looks for but rather the data itself...all of it. That's why you can put your password in the middle body of an e-mail and you'll get an alert. Make sense?

  7. #17
    rschoner Guest

    Re: Hmmmmm, it works here

    I guess what you're saying is that the remote site somehow tells my computer to encrypt the password and it knows the encryption method so it can decrypt it on the other end. So if I were a really clever hacker/password thief I would have my malware send the info to a "secure" site and ZA would let it go?

    Again, thanks for staying with me on this. I hope I'm not taking too much of your time, but this security stuff is new to me and I find it fascinating.

    Thanks again,

    Bob Schoner

  8. #18
    billc Guest

    Re: Hmmmmm, it works here

    You've got the general gist of things. The encryption is done in a manner similar to the way it is done on a secure site. Both send data out from your computer after it has been encrypted. And to answer your question, yes....if a hacker got a program into your machine, it harvested your data, encrypted it, then you would not get an ID Lock alert when it was trying to be sent out. BUT....you would get a ZAP Program Alert saying "xyz.exe" application was trying to connect to the internet. So you have another secure level to prevent a nefarious program from sending information out to the internet. With careful computing and a firewall, hopefully nothing will ever get in to begin with.

    Please don't be offended, but unless you have something extraordinary on your computer, hackers will go after a bigger pay-off. Rarely would the "average" user (like me) be 'targeted'.

  9. #19
    crb Guest

    Re: Hmmmmm, it works here

    I have been looking at this thread. I too have been confused by MyVault as it seemed not to be working.
    1/ Details on entering my bank web site (https): ZA does not intercept the access details that are in the vault. You have explained this as the web site probably encrypting these details on my PC so they are never transmitted unencrypted. This would seem to include the answers to the various security questions they raise (eg mother's maiden name). This was disconcerting but now that I understand it, it is fine. However, it raises a serious question - should I be spoofed onto a pretend bank login screen then my details would be trapped by ZA - but only so long as the spoof site transmits the data unencrypted. Because of programs like ZA, it would seem remote that the spoof site would not do some form of encryption. Encoding even at the trivial level would bypass ZA checks - eg just adding '1' to each digit would suffice.

    For this reason might it be reasonable to suggest that ZA is checking for Vault details at the wrong place. I wonder if the check would be more suitably performed by the browser - where it can check on characters actually entered into fields. Then when codes are discovered they can be checked against a list of trusted web addresses. If this is a valid argument, then ZA is the wrong application for Vault checking on web sites.

    2/ Email. ZA has detected some security info being sent by email (inherently unencrypted). I have encountered 2 different types of problem.
    2A/ Some security info may legitimately be sent by email, in a non secure context quite frequently. In my case the example is my mother's maiden name. This is a common name, so I often use the name in emails to quite different people. ZA picks this up which is irritating (given the frequency). I found the alert from ZA quite unhelpful. It tells me where the message is going - as an IP address. It tells me the application sending the info - in my case my virus scanner (which has a very unhelpful process name). It does tell me the name of the Vault key being sent. What it does not do is tell me the sentence being sent. This is what I really need to see to decide whether to accept or deny. The other useful info would be the email recipient address.
    2B/ I have had some very odd alerts. Best example is for my PIN number. Only 4 chars. Now the email I sent did not contain these characters of my PIN. This has happened a number of times. It occurred to me that the characters were included in the email - at a formatting level and not in the body of the text. This has happened so frequently that I have had to remove the vault item from the database - which seems to defeat the purpose. False positives are a very dangerous thing to have around. The one email can also generate 4 different ZA error messages (all actually the same text) which is both confusing and boring.
    2C/ I put some free text into a spreadsheet and then emailed that. The vaulted items were not detected.

    3/ The ZA help system does not provide any useful info on how the system works and how to understand it and its weaknesses.

    4/ How do you rate the system?

    crb

  10. #20
    billc Guest

    Re: Hmmmmm, it works here

    Let me see if I can shed some light. I think you see now that secure sites (HTTPS) is encrypted when it leaves your computer and thus will not trigger a ZA ID Lock Alert. And I'd have to say that if a 'spoofed' site also used encryption, that ZA would not catch it. But as you know, most 'spoofed' sites are presented to you in an e-mail. The lesson here is always go to the site in question by typing in the URL rather than clicking on an e-mail link. My belief is that 80% of all the bad stuff arrives via e-mail.

    Your thought about adding a "1" in front of say a credit card number is not good enough to fool ZAP. Try sending yourself something via e-mail that is in your ID lock, but add a "1" in front of the string and you'll see what I mean.

    And indeed there can be false positives if something very innocent is being sent but contains an item in your ID Lock. At this point I'd like to suggest you use a PIN with more characters including a mix of letters and numbers. And I tested something I've never tested before. I typed something that was in my ID Lock into Notepad, saved it as a text file, then e-mailed the .txt file to myself and I did get a ZAP ID Lock alert. I'm not sure why you didn't in your example unless the file format was not in plain text.

    The system is not perfect but does add an additional layer of protection and thus peace of mind. IMO, the truth is you should never allow anything into your computer that will steal information. And with very rare exceptions, people 'allow' things in by practicing "unsafe computing". I hope this is useful to you.
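
The matching behaviour discussed in posts #16 through #20, as an added example that is not part of any post and is not ZoneAlarm's code: a literal-substring scan over outbound bytes, run on constructed payloads. The vault values, the `md5password` field name and the Message-ID are constructed, and MD5 stands in for the client-side hashing described in post #14.

```python
import hashlib

# Constructed vault entries; not real credentials.
VAULT = {"forum_password": "correcthorse9", "pin": "4821"}


def scan_outbound(payload: bytes, vault=VAULT) -> list:
    """Names of vault items whose exact bytes occur anywhere in payload."""
    return sorted(n for n, s in vault.items() if s.encode() in payload)


def shift_digits(s: str) -> str:
    """The trivial encoding from post #19: add 1 to every digit (9 wraps to 0)."""
    return "".join(str((int(c) + 1) % 10) if c.isdigit() else c for c in s)


pw, pin = VAULT["forum_password"], VAULT["pin"]
digest = hashlib.md5(pw.encode()).hexdigest()  # what a hashing login form sends

# Constructed outbound payloads, one per situation raised in the thread.
SAMPLES = {
    # Password typed into a plain form: the literal bytes leave the machine.
    "plain_login": f"POST /login.php\r\n\r\nuser=bob&password={pw}".encode(),
    # Password hashed in the browser first: only the hex digest leaves.
    "hashed_login": f"POST /login.php\r\n\r\nuser=bob&md5password={digest}".encode(),
    # A "1" put in front of the PIN: the PIN is still a substring.
    "prefixed": f"note: 1{pin}".encode(),
    # Every digit shifted by one: no byte run equals the PIN any more.
    "shifted": f"note: {shift_digits(pin)}".encode(),
    # Mail whose body never mentions the PIN, but whose header happens to.
    "mail_headers": b"Message-ID: <20060314821.1@mail.example>\r\n\r\nSee you Friday.",
}


def run() -> dict:
    """Scan every sample and return {sample name: matched vault item names}."""
    return {name: scan_outbound(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:13} -> {hits or 'no alert'}")
```

The hashed and digit-shifted payloads produce no hit while the untouched Message-ID header does, which is the miss and the false positive the posters describe.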
