Norton Firewall Private Information Alert

Discussion in 'other firewalls' started by klhendrick, Dec 24, 2004.

Thread Status:
Not open for further replies.
  1. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    On December 17th I started getting "Private Information Alerts" from my Norton Personal Firewall. The Alert indicates "High Risk" and states "Your computer is attempting to send Private Information over the internet". In the details it indicates:

    Sending To: "http://oe.bay3.msnmail.hotmail.com/cgi- bin/hmdata/<remove> at msn.com/folders/ACTIVE/MSG11033XXXXX.7" (the X's are the last five digits of one of my credit cards)

    Category: Credit Card

    Information Blocked: XXXXX (the last five digits from one of my credit cards)

    I had my Firewall set on Medium security, so these attempts were always blocked, but only after giving me an alert. I have changed the setting to Advanced security, so at least I am not getting the alerts. However, the attempts are continuing, but are automatically blocked.

    These attempts have been occurring at least every 20 minutes and sometimes more often.

    I have done scans of all my computer's hard drives with Norton Systemworks and Ad-aware both of which indicate they are clean.

    These attempts to send private information are originating from within my computer. Even though I am no longer getting the alerts, the attempts continue to occur according to my Firewall log. Fortunately, my firewall is blocking these ongoing attempts.

    Can anyone advise me on how to identify the source and eliminate it?
     
    Last edited by a moderator: Dec 24, 2004
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    I am surprised that Norton doesn't tell you which program is attempting to connect outbound.. You might double check the logs again.. Not much help I'm afraid though... :doubt:
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  5. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    I want to thank everyone who responded to this Post. Only one suggestion provided a solution. Thanks to Ronjor for suggesting Pest Scan. It identified 13 "Pests" all of which could be deleted. All other suggestions produced a clean scan.

    Ken Hendrick
     
  6. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Can I also suggest you always encrypt your personal data such as card numbers. There are many free progs around to do this.
    Gordon
     
  7. zog_2005

    zog_2005 Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1
    klhendrick,

    Its looks like this is a false positive. It appears to be a coincidence that the msn.com/folders/ACTIVE/MSG11033XXXXX.7 which may be regular hotmail traffic happened to match the last 5 digits of your credit card. You may want to increase the number of credit card digits configured in norton's private information configuration.

    The 13 pests is probably again just another coincidence.

    Btw... if you want to find out which app was sending the info, you could look for entries in the NIS connection log going to the same URL as that mentioned in the private information alert.
     
  8. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    Btw,

    Thanks for your feedback. I was about to change the number of digits in my privacy settings as suggested, but as I am sure you intended, it would then let the messages out. These attempts are still occurring. I'm not ready to do that. I don't think the last five digits matching one of my credit cards is a coincidence. These attempts began at the same time that I received what appears to be a bogus email from Barnesandnoble.com. This email was received on December 17th. When I opened it, it read "Message could not be displayed". About that same time is when I started getting the "Private Information Alerts". If I delete the email, it ALWAYS reappears as an unread email with the same date of origin whenever I go back into my Inbox. I think there is a connection between the two, but I haven't been able to figure it out. I have sent all of the available information on both issues to "Abuse@MSN.com" and I believe they are researching it. At least they came back and asked for more information.

    If this gets figured out, I will post what I learned on this thread.

    Ken Hendrick
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
    I would ask the credit card company for a new account number as well.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The main problem with "private information" monitoring is that it cannot work if private information is sent out in encrypted form (a number of trojans encrypt their data and https connections can be used in a similar fashion - see The Dangers of HTTPS for more details). As such it can give a false sense of security compared to a layered defence including firewall, webfiltering, antivirus/antitrojan scanners and process monitoring software.
     
  11. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    Ronjor and Paranoid 2K,

    Thanks for the additional information. Getting a replacement credit card number is so simple and obvious, I completely overlooked it. Thanks for looking over my shoulder. Proxomitron looks like a must part of a secure computer.

    Ken
     
Loading...
Thread Status:
Not open for further replies.