Hackability while computer is sleeping

[Stevekir]

Is a computer sleeping less vulnerable to hacking (via the Internet rather than from malware already installed)?

 

[D3LL]

Is a computer sleeping less vulnerable to hacking (via the Internet rather than from malware already installed)?

There's not really a lot a hacker can do though the LAN would stay active. Your best off shutting down as it can depend on the exploit used.

 

[Stevekir]

Or probably better still would be to disconnect the desktop computer to router's ethernet cable whenwork is done on a sensitive file such as my spreadsheet of passwords, names etc. which are stored on an encrypted USB stick. (I don't have a LAN.)

 

[Alejandro85]

99% of the time, "hacking" happens from the inside, that is, it's always caused by malicious software running on the target machine. That in turn frequently enters by user error (downloading something that they should not, falling to phishing or social enginering) or by exploting a vulnerability in local software (typically, the browser or a plugin).
Remote exploits on home or corporate computers are quite rare, mostly because they are almost always behind some form of NAT and never reachable from internet, and also sometimes under some firewall. Having a port forwarding and a proper, vulnerable program listening there is pretty much the only way to get hacked from internet, which is unlikely (but possible).

Other than that, having an internet connection is by no means more insecure than having no connection at all. Leaving the computer turned on the whole time doesn't exposes to anything more than powering off, and suspending it during the night achieves nothing in terms of security.
And if you have some risky software listening on the public internet, you may want to take the usual precautions anyway, rather than relying on powering off.

Or probably better still would be to disconnect the desktop computer to router's ethernet cable whenwork is done on a sensitive file such as my spreadsheet of passwords, names etc. which are stored on an encrypted USB stick. (I don't have a LAN.)

That's pointless. As data stealing almost always is caused from software running on your own computer, it can just steal the sensitive files when you unencrypt them and send them away when you reconnect to internet. Or it can just take the encryption key and decrypt the whole thing on its own when you plug the USB. If you want security, work on preventing the nasty things from entering in the first place.
BTW, don't use a normal spreadsheet to remember passwords or any sensitive information. That's what password managers are designed to do.

 

[Stevekir]

99% of the time, "hacking" happens from the inside, that is, it's always caused by malicious software running on the target machine. That in turn frequently enters by user error (downloading something that they should not, falling to phishing or social enginering) or by exploting a vulnerability in local software (typically, the browser or a plugin).
........

Or probably better still would be to disconnect the desktop computer to router's ethernet cable whenwork is done on a sensitive file such as my spreadsheet of passwords, names etc. which are stored on an encrypted USB stick. (I don't have a LAN.)

That's pointless. As data stealing almost always is caused from software running on your own computer, it can just steal the sensitive files when you unencrypt them and send them away when you reconnect to internet. Or it can just take the encryption key and decrypt the whole thing on its own when you plug the USB. If you want security, work on preventing the nasty things from entering in the first place.
BTW, don't use a normal spreadsheet to remember passwords or any sensitive information. That's what password managers are designed to do.

That's really informative. I had thought that once connected to the Internet I would be attracting lots of people or remote machines online immediately whisking info out and away in a flash. I had thought that was my greatest risk. I knew about steps to prevent malware and have this (eg. Antivirus software, not visiting dodgy sites or replying to doubtful emails with attachments.)

On Password Managers (which I have never come across, thanks for mentioning it), I found this on another forum:

"You can use TrueCrypt to encrypt your documents, as opposed to buying some expensive encryption software. If you're looking for something to keep passwords online an alternative of 1Password is Lastpass. To be honest, TrueCrypt is, in my opinion, an essential app. Create an encrypted disk image and drop your tax documents which might have things like your SSN (or equivalent). You can even hide documents within the container itself so if you're in a compromising situation, you can give a duress password."
​

My excel spreadsheet is in a Courier USB which claims 256 bit AES Hardware encryption. I suppose that while that is in my desk drawer it is safe, possibly as safe as a good PW Manager. (Yes?)

But I see two weaknesses:

a) My encrypted spreadsheet once decrypted to allow use would be open to attack from malware already sitting on my machine ready to pounce; and

b) If my encrypted USB were stolen I would be in trouble.

On the other hand, a PW Manager would probably also suffer from a), although probably not from b) unless the computer was stolen.

What do you think I should do? (I am not on a network, just me alone on a desktop). I'm not paranoid but I do have stuff to guard.

Thanks for your help.

 

[Alejandro85]

My excel spreadsheet is in a Courier USB which claims 256 bit AES Hardware encryption. I suppose that while that is in my desk drawer it is safe, possibly as safe as a good PW Manager. (Yes?)

That does little to achieve security, as it's encrypted/decrypted by the firmware itself (most current HDs actually do this), it doesn't ask for a password or anything like that, so the computer can always access the raw data. Keeping it unplugged it's safe because the computer has no chance of accessing it at all (like keeping the computer powered off, safe but useless).
A password manager (like KeePass) or a dedicated encryption program (like TrueCrypt) are better because it can prevent access to the data at all times, as you have to provide the password to decrypt and can remove the raw data from memory at any time.

a) My encrypted spreadsheet once decrypted to allow use would be open to attack from malware already sitting on my machine ready to pounce

This is true and a real menace. The thing is, at some point in time the data must be decrypted and at that point a software running on the box with the proper access could access it. That has an important implication: if a computer is compromised, do not do confidential things on it, always ensure that the PC is clean before important things.
The adventage that security software has is that Excel doesn't cares about data privacy, it just loads into memory and uses it as it needs, but a password manager tries to have plain-text passwords as little as possible and actively clears the memory and clipboard of passwords when done. As such, while not immune to malicious software, it tries to minimize risks.

b) If my encrypted USB were stolen I would be in trouble.

Also true, as any computer will access the data by simply plugging it. An encrypted file with a proper software can still be stolen, but without the password it's extremely difficult to extract the data out of it. Here comes the importance of having good passwords, if anyone can guess it then encryption can be trivially be bypassed.

By ensuring that the computer is clean and important data is encrypted (specially on portable media) the security is pretty good overall, even if the USB or the whole computer falls into bad hands. And unless you host a server on your computer, having an internet connection won't hurt anything if the computer don't has malicious software.

 

[Stevekir]

You latest post is again very interesting and informative. I am pursuing the Pasword Manager route. But I am confused about my encryptable USB stick.

I said :” b) If my encrypted USB were stolen I would be in trouble.”

I thought that the trouble would be confined to the inconvenience of not being able to use it and therefore being unable to access my sites etc. But :

At the end of your post you said “…as any computer will access the data by simply plugging it [in].”

If true, it is certainly unsafe. But the blurb about the Integral Courier encrypted USB stick claims that it uses hardware encryption. I assumed that means the (claimed hardware) code used to decrypt and encrypt my data, along with the password, are both inside the USB stick and therefore does not rely on any such code inside my computer, and therefore I assumed that it would be very hard to break.

You also said “An encrypted file with a proper software can still be stolen, but without the password it's extremely difficult to extract the data out of it.” This could mean the opposite: that my Courier USB is very safe if stolen.

-- So, the key question is, is the data in my Courier USB very safe if stolen (assuming a strong PW)?

[FONT=&quot]Thanks for the help.

[FONT=&quot]EDIT: BTW, I am not on a network, just a s[FONT=&quot]tandalone desktop computer.[/FONT][/FONT]
[/FONT]