Security Fix: Live Discussion with computer security reporter Brian Krebs

Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, December 9, 2005; 11:00 AM

Security Fix blogger Brian Krebs answered your questions about the latest online threats and offered ways to protect yourself and your personal information.

A transcript follows.


Brian Krebs: Hello, everyone. Thanks for joining me today in what will be the first of many Live Online Friday chats for Security Fix. We already have quite a few questions in the hopper, but please don't let that discourage you from sending me additional questions, as the good ones I can't answer during this hour I can probably answer in the blog.


Annapolis, MD: Hi Brian! Thanks for taking my question. I've had several different problems (viruses, malware, etc) over the last year and am looking for a long-term fix. I have three users on the home computer. Is there any way to insulate a user's downloads so that it wouldn't affect everyone else (so bad programs would see only one drive even though the user is using a portion of the drive). That way (I think) it would be easier to fix an isolated problem and protect other files from corruption.

Thanks for your help!

Brian Krebs: One of the most effective ways to reduce the amount of crap that ends up on your Windows machine is to create and regularly use a limited user account that is not permitted to install software. That way, when you're browsing the Web and you happen upon a site that wants to install its adware or whatever, it won't be able to because the account you're using does not have install privileges.

This is a particularly useful option when you have multiple users of the same machine, especially kids who click on and download anything they please from anywhere on the Web. When you need to install a new program, you can either switch users to do so, or right-click on the program, select "run as" and then type in the name of the account that has administrator rights (this account has rights to do anything on the machine) and the password, and there you go.

In practice, however, running Windows from a limited user account can be somewhat tedious, especially if you're trying to set up new limited user accounts after you've installed a ton of different programs and have zillions of settings and files located all over the system in various folders that you may or may not be able to see or access as a limited user. Other programs simply don't run or work well (or they complain they're not working when they are and vice-versa). These problems aren't insurmountable, and with a little know-how, they are easily sidestepped. Anyway, Aaron Margosis over at Microsoft runs the "Non-Admin Blog" which contains quite a bit of helpful advice for getting things configured so that using a limited user account for day-to-day computer use is not such a pain.

To your question about physically separating data on different drives, I have always taken the approach of separating out data from installed programs and Windows system files, wherever possible. When I set up a new PC, I use the Windows installation program to create a separate partition (usually around 20 gigs in size) to hold all of my installed programs and Windows itself. Then, when I'm running Windows, I change the default places where Windows likes to store all kinds of user data (My Documents, My Music, Pictures, blah, blah), pointing them from C:\Documents and Settings\User\ to the data partition on D:. By the way, you can accomplish this last trick in Windows XP by doing Start> right click My Documents> Properties> Move.

Alternatively, you might consider getting a Mac?


Atlanta, GA: There are quite a few new security products that are trying to detect anomalies, or suspicious behavior, rather than using definitions. I recently tested one of these solutions, but it left my test box so corrupted that it would not boot. I think that this will be a great step forward for preventing infection, but has anybody done it right yet?

Brian Krebs: The major anti-virus companies all say they can detect files or programs that initiate suspicious activity on a computer; they call it "heuristics." But for the most part, they all pretty much stink at this. The reason is that it is very easy when you are trying to detect bad behaviors (vs. bad identities) to mistake a good or benign activity started by some process or program as malicious, a problem known as a "false positive." Security vendors will do almost anything to avoid raising flags that turn out to be false positives, because it wastes a lot of the company's and the customers' time and money and creates a confusing and frustrating experience for the user. So, they tend to talk a lot about behavior detection, but few actually do it well.

Yesterday, I had the pleasure of checking out the paid version of Kerio firewall, which includes some pretty advanced methods of bad behavior blocking without introducing too many false positives. I'm sure there are other products that do this and do it well, but I haven't heard of them if they exist in the consumer space.


Bordeaux, France: I've got Mozilla Firefox, and just recently it seems adware has gotten into my PC. Now every time I surf the web, or even when Firefox is closed, it opens random ad pages for all sorts of different products. This happens every 4 or 5 minutes and makes life extremely difficult. I already have Windows AntiSpyware but that doesn't seem to find the problem. Any suggestions?

Brian Krebs: The Web browser is but one of the ways spyware and adware can end up on your Windows machine. Just as often, it is bundled with other "free" applications and games available for download from an ungodly number of sleazy sites out there. Try scanning your machine with the Web-based version of Microsoft's anti-spyware/anti-virus tool.

If that doesn't work, check out some of the tools we reviewed in our Video Guides to Securing Your PC.

It may just be that you have some advanced spyware/adware on your computer that is very difficult to remove. A product called "A Better Internet," or "Aurora" (nail.exe) from Direct Revenue fits this category quite well, and it is pretty prolific. This type of sleazeware uses not only rootkit techniques to hide on the user's machine (even from anti-spyware apps), but also employs what I call "sentinel" programs whose only job is to make sure that if the user or a program shuts down the spyware program, the sentinel can revive it. Shutting down two such system processes simultaneously is well nigh impossible.


Branford, CT: Complained to Comcast that browsing was slowed dramatically and pinging was impossible. They suggested PC-Cillin 2006's firewall was to blame. Disconnected the firewall and all returned to normal -- fast browsing, high-speed pinging. Reported it to Trend Micro but no answer. Have you heard about this, and are you able to suggest a remedy? I'd like to have the protection of a firewall.

Brian Krebs: Gasp! One technology company blaming another for their own problems? That's the oldest trick in the book. It's called transferring the cost of customer support somewhere else. Why can't Trend and Comcast play nice together? I have no idea. But there are other firewalls out there that work just fine, and are free! Check out this blog post for other firewall ideas (note that Symantec is no longer distributing Sygate).


Kensington, MD: I opened an email about a week ago and it didn't open in the usual way, but rather went straight to a "reply" page with the sender's email address in the "send to" box. Then I heard a whole bunch of "activity" noise coming out of my computer, like it sounds when it's processing a lot of new information (as in a new program installation). I can't describe precisely the other funky aspects around this time, but it felt like there were some "sleight of hand" things going on that maybe I wasn't supposed to notice--or was it my imagination? Note, however, that I do have Norton Antivirus running, and a firewall. Anyway, I've been afraid to turn my computer off since and have looked into how to restart in safe mode and look for a malicious invader--yet I'm reluctant to try this myself in case I screw it up from not knowing what I'm doing. I'm not a technophobe but I don't like to try things unless I know the instructions are clear and airtight. Overreaction, or healthy precaution? Your thoughts?

Brian Krebs: Just because you're paranoid doesn't mean everyone isn't out to get you. Seriously, though, it pays to maintain a healthy state of paranoia when you're using a Windows PC hooked up to the 'Net. If you're doing all the recommended security things - maintaining an anti-virus scanner (you do have it configured to scan incoming e-mail, correct?), using a firewall, keeping your box up to date on patches, and not clicking on random links or files sent to you via e-mail and/or instant message - you're probably fine.

That said, when was the last time you ran a full system anti-virus or anti-spyware scan? It wouldn't hurt to go on over to Microsoft's OneCare Live site and let it scan your PC for viruses, spyware threats, etc. I like this idea because the scan is being initiated from a source other than your machine, which - if already compromised - might not be able to show you what's really going on.

By the way, does this e-mail weirdness you mention happen all the time or just this once? I hate to say it, but Microsoft's solution to every Windows problem - Reboot! - may be just what your system needs.


Bethesda, MD: My Norton Anti-virus subscription is up, and I'm trying to decide the best course of action for PC protection. We also subscribe to AOL security edition, and I've heard that having too many different types of protection can actually be a problem. What is the best way to protect my PC? Should I renew my Norton subscription, use the AOL security, or can using both provide more protection?

Brian Krebs: I have used many different types of anti-virus products over the years, and they all have their relative strengths and weaknesses. Some of the all-in-one suites that offer firewall, anti-virus and anti-spyware protection seem a bit bloated and, at least in my experience, can often make your blazing 3.0 gigahertz machine feel like about half that speed. That isn't totally fair, because some of the companies you mentioned who make those products are getting better at reducing the footprint and size of their products. Still, I do feel that products that try to solve all of your security needs in one application often come up short on one or more of those constituent components.

As I lamented in a previous blog post, there is currently no authoritative source to turn to for research on how the various anti-virus products rate in cleaning up a PC after it is infected with something, which is of course just one facet of what these products do. It would be nicer, of course, if they simply didn't allow nasty viruses and worms on your machine in the first place, but most anti-virus programs suffer from a singular weakness: they depend on updated signatures that allow them to spot the latest viruses, and in many cases the bad guys update their viruses several hours before the anti-virus companies do, so there is this window of time where viruses (especially e-mail borne ones) can slip through your e-mail virus scanner unnoticed.

All of that said, for most home Windows users, however, I would say just having some kind of anti-virus installed and current is the most important thing. I'd rather not sit here and tell you which products I like and which ones I think are a complete waste of money. There are a few places you can go to compare how the anti-virus software makers fare in responding to the latest virus outbreaks. None of them do really well; there appear to be varying degrees of mediocrity. Anyway, check out for some test results (to your question, I think AOL uses McAfee as their virus product, but don't quote me on that.)


Brian Krebs: Just a follow-up point to make on the question from Bethesda about anti-virus products. It is generally a very bad idea to attempt to run two anti-virus products on a Windows machine simultaneously. Most anti-virus products will fight for control over the user's machine, a battle that will create some serious system speed and other compatibility problems if the user tries to have two anti-virus programs watch over his/her Windows box.


Arlington, VA: Are you related to Joe Krebs of NBC4? You look like him.

Brian Krebs: Geez. I get this question all the time, so I may as well get it out of the way: Yes, Joe Krebs is a cousin of mine. And I'm sure he appreciates the compliment ;)


Gaithersburg, MD: It appears that more worms/viruses are attacking the major virus protection programs, such as Symantec and McAfee. Do you have alternatives to these that are as effective or better? Thanks!

Brian Krebs: This is true. In fact, the majority of e-mail worms contain functionality that allows them to shut down a long list of anti-virus and firewall products. The trick is not letting those nasties get installed onto your machine in the first place. Whichever anti-virus product you use, check the vendor's site for tips on configuring it to scan incoming e-mail. But even more importantly (for reasons I've just described), you can't always trust that just because your anti-virus product says an e-mail attachment isn't a virus or worm -- that it really isn't. Use common sense and caution when opening attachments and clicking on links. If someone sent you a link or file in e-mail or instant message that you weren't expecting -- even if it comes from someone you know -- just send a quick note back to them or call them and ask whether they meant to send you something.

Remember, it is usually far easier to prevent security problems on your machine than to clean them up.


Apache Junction, Arizona: I have Windows XP and Outlook and am wondering if there is a way to just receive e-mails addressed to me only instead of what I'm getting now, close names and sometimes not even close. George

Brian Krebs: A lot of e-mail software includes built-in tools you can use to filter out junk e-mail. Microsoft has posted instructions on how to filter spam and adult content using its Outlook and Outlook Express software.

In addition, there are a number of free or low-cost options, including Mail Block, SpamPal, and K9 to name just a few.

For the hardcore spam blockers, there are also several services you can subscribe to that help block unwanted e-mail, such as Spam Cop. has some good tips for Mac users to help cut down on spam.


Brian Krebs: We've gotten a few questions from readers wanting to know how to get rid of a nasty brand of spyware called Better Internet/Aurora, found by anti-virus or anti-spyware apps (but not deleted) as nail.exe or some variation of "SPYW_BISPY.A". My colleague at the paper Rob Pegoraro guest-blogged about a method he came up with to remove this tenacious software, but some people complained it didn't work for them. I have been told (but not tested) this solution will successfully remove this piece of spyware.


Washington, DC: I have also heard that Sony has embedded some sort of hacker software on its music CDs that can damage computers. What is Sony doing? Should I toss any CDs produced by Sony/BMG?

Related: Sony Issues Tool to Remove Flawed Software (December 7, 2005)

Brian Krebs: Well, Sony has a lot of work to do to get back into the good graces of thousands -- if not millions -- of customers and former customers. The company this year experimented with anti-piracy software (known as XCP or extended copy protection) on about 52 different titles, so that when Windows users listened to the music CDs in their computers, the software automagically installed itself. Several million of these discs were sold in stores. When it was discovered that the software behaved like malware in an attempt to hide from the user and remain on the user's system, security researchers began looking for flaws, and find them they did. Sony issued a patch to remove the file-hiding capabilities of the software, which by that time was being used by viruses to hide on the user's PC. Researchers soon found serious security holes not only in the underlying program itself, but in the patch Sony released to get rid of its program's file-hiding feature. Earlier this week, Sony finally issued a program designed to entirely remove the XCP software from users' machines. A list of the titles that contained this flawed software is here.

The company also is dealing with a very similar security mess with another anti-piracy technology it uses from SunnComm Technologies. A list of affected CD titles is here.

Only time will tell if there are other anti-piracy programs in use out there that have these types of flaws. I know for my money I won't be buying any CDs that appear to contain any type of copy-protection technologies (most, to their credit, say so on the product's external wrapping or spine.)


Fairfax, VA: FHS Class of 1990 RULES!

How often should I scan for viruses?

Brian Krebs: Nice to see a former high school classmate reading the blog ;) This question also comes in a lot. I'd say scheduling an automated scan once a week (I have mine set to start at 3 a.m.) is fine. But scanning all downloads and any e-mail attachments you decide (judiciously) to open is a must.


Brian Krebs: Well, folks, that's about all I've got time for today. I have forgotten how long it takes to read and respond to all of these questions. We received more than 50 questions today, so to all of you who asked great questions but didn't get answers, please don't get discouraged: some are complicated and require a little research. For those that I can answer/research, I will post my responses or findings either in the blog or the next time I do this chat (which will be the Friday before Christmas). Thank you all for making this first Security Fix Live chat a great success and a lot of fun. And in the meantime, consider dropping by Security Fix regularly and maybe even leaving your feedback/comments on the blog.


Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.

© 2005 The Washington Post Company