Security Fix: Live Discussion with post.com computer security reporter Brian Krebs

Transcript

Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, December 23, 2005; 11:00 AM

Security Fix blogger Brian Krebs was online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.

____________________

Brian Krebs: Hi everyone, and thank you for joining me today. Though it is the Friday before Christmas, we have a surprising number of people dropping questions in the hopper, so I'll try to get to as many as I can. But by all means, if you have a question, please send it my way: I'll pick the best questions I can find and make every effort to answer them.

_______________________

washingtonpost.com: Give the Gift of Security (Washington, Dec. 22)

_______________________

Mississauga, Ontario, Canada: Hi Brian,

I have Yahoo Popup Blocker and Anti-spy installed on my computer, still I find some Tracking Cookies reappearing, such as:

Advertising.com

AtlasDMT.com

DoubleClick

Edge.ru4

QuestionMarket.com

Are they a security hazard and how can I remove them permanently?

Thanks for your help.

Brian Krebs: Hi, Mississauga, and thanks for your question. In the grand scheme of things, cookies are really the last thing security-wise you should be concerned about. Essentially, a cookie is just a placeholder that allows a Web site to know that you've been there before; if they want they can store other information about your browser settings, and on really fancy sites some encrypted information. But for the most part, cookies are harmless.

Some people a long time ago made a lot of noise about the privacy dangers of cookies, and somehow that myth has lived on to today. Ok, if you're the kind of person that avoids getting shoppers' discount cards at the supermarket and at CVS because you absolutely can't stand the thought of marketers knowing what kind of toothpaste and personal hygiene products you buy, then maybe you should worry about cookies. Now, if the person using the computer spends a lot of time at porn sites, then there will undoubtedly be plenty of cookies in there from places like sextracker.com and the like, but that's another story.

But the short answer is that if your anti-spyware programs are turning up nothing but cookies, then you're doing a lot of things right security-wise. And yes, those cookies are safe to delete, but they will probably come back again. DoubleClick.com and Advertising.com run a large share of the Web's banner ads, and it's pretty hard not to visit a site that runs one of their ads, which try to place the cookies on your machine.

_______________________

Tijuana, Baja California, Mexico: Would you please give some advice on whether it is possible to simultaneously run different anti-spyware programs without conflicts. Also, what are the possibilities of running different anti-virus programs?

Brian Krebs: Wow. Are you really in Tijuana, or are you just making that up to sound exotic? Because I'm so sick of the chilly weather and dirty brown snow around here that I am having visions (read: hallucinations) of warmer climes and palm trees, and your taunting question from Baja is killing me.

Seriously, though, it's absolutely possible to have different anti-spyware programs on your machine at once: just don't run them at the same time. That is, don't run scans with Ad-Aware at the same time you're scanning your PC with Spybot Search and Destroy: it will bog your PC down and both programs warn of untold disaster if you attempt to do so.

I have found that deleting any items found, emptying the Windows recycle bin, clearing the cache and restarting are the best methods for avoiding problems between scans from different anti-spyware apps, though I mention those only as a tip in case one of the anti-spyware programs is giving you trouble or finding files you think you already deleted with a prior scan with another product.

_______________________

Knoxville, Tenn.: I have been the recipient of weekly e-mail with virus W32.Mytob!gen. Norton kicks it out but can't repair file. Suggestions?

Brian Krebs: Well, Knoxville, be glad Norton is flagging the emails as infected. Here's the solution: don't open the mail. You don't want to "repair" the file anyway -- just delete it.

If you didn't click on the infected attachment, these messages should not pose a threat. They are annoying, yes, and you can configure your e-mail program to filter out (or delete) all files with attachments like .exe, .zip, or .rar, which account for the majority of e-mail-borne viruses and worms.

_______________________

Alexandria, Va.: Some months back I renewed my Norton Antivirus 2004 subscription and lately I've been getting pop-up messages that my system isn't protected and opened up a line that says a system error occurred and to uninstall and reinstall Norton. If I do uninstall it I'm wanting to ensure that there is something that I can click on to ensure that I'm reinstalling it. I've only had a computer for over a year and am not too knowledgeable about computers.

Brian Krebs: You know, Alexandria, I had a similar problem with my stepmother's computer (granted it is a Windows 98 box) running Norton Internet Security 2003. She had renewed it on time and still had several months left in her subscription, but the dang thing kept giving errors and complaining that it needed to be reinstalled.

If you haven't already done so, you should check out Symantec's extensive online support pages, as they have quite a few documents that detail what to do when faced with certain error messages. This one might be the exact page you're looking for, but then maybe not.

I spent a couple of hours on my Stepmom's PC, trying to get the thing working again, but to no avail. I ended up completely removing the program and installing Zone Alarm (free) and AVG anti-virus (also free). No complaints yet.

_______________________

Potomac, Md.: Do you really think novice users, using a limited account, would be able to install software as 'Administrator' to the 'Shared Documents' folder? I think that is a tall order. I'm a desktop support provider to home and office users, and I'm not convinced that this is a realistic and practical solution that you recommend.

Brian Krebs: Thank you for your question, which I feel is an important one. I debated quite a bit whether to give this advice to readers, because as you mention -- it goes a bit beyond the "use a firewall, anti-virus, and patch" standard advice that everyone gives.

The simple fact is that if Windows users got in the habit of browsing the Web and using their computers with a limited account, they would not have to worry about spyware, viruses, worms, etc.

Now, I will grant you that Microsoft (and especially third-party software makers) haven't made it a cake-walk for users to do this, as there are plenty of titles that require administrator access to run when they really don't need that level of access. Microsoft is trying to fix this problem with Windows Vista, the next version of its operating system (which will essentially lie to those programs that say they need access, tricking them into thinking they actually do have admin access when they don't).

But in the end, you cannot save users from themselves. For example, in cases where children have access to the machine, running a limited account is a must for someone who doesn't want to spend their entire life trying to regain control over their machine. Kids can and will click on and install everything -- including e-mail worms, instant message worms, cute little games that include tons of spyware, etc.

Is it a perfect solution? Absolutely not. Is it going to require the average user to learn more about how their computer operates? Probably. Is that a bad thing? I don't think so. Will people criticize the advice I give no matter what I do? You can count on it.

_______________________

Reston, Va.: Hi Brian, I am running Win XP SP2 home edition and have already set up an admin and a limited user account as you have mentioned in your blog. I have most of my files on a separate hard drive, D:. Now that I've created a limited user account, I only have read access to the files on the D: drive, plus anything on C: not under Documents and Settings\myusername. I can't edit any of the existing files on D:, only save them as a new file name. Do you know how I can get around this limitation? Thanks.

Brian Krebs: Yes, this is one of the things you can run into when running limited accounts, as I alluded to in the answer directly above this one.

One solution is to change the file permissions on the drive/folders you want to access.

Try this: Log in as the administrator. Open up Windows Explorer, and right click on the "D:" drive, and select "Properties." Click on the "Security" tab, and then under the "Group or user names" box, click on the name of the limited user account. If all of the boxes on the left below aren't checked, check them, then hit "Apply."

If that doesn't work, or if you don't see the name of the limited user in the "Group or user names" box, click on the advanced tab, then the "Add" button, and on the next box that pops up, click on "advanced" again. Then select "Find now" from the option on the right of the next box, which should list all of the hidden and non-hidden accounts on the system. Select the user name you want to grant access to, then hit "OK," then "OK" again, and that should allow you to grant extremely specific powers to that user for that drive. Just select the boxes you want to grant, and hit "Apply" and "OK" and that should do it.

If that does not work, drop me another question in the queue with your contact info.


Another solution while logged in as administrator is to use the cacls command in a Windows command prompt. Using this command, you can grant access to specific folders to all user accounts on the system. To do this:

--Open a command prompt (click on "Start," "Run," then type "Command" or "Cmd").

--If the folder you want to grant access to is at "C:\Program Files\iTunes," then at the prompt that pops up, type:

cacls "C:\Program Files\iTunes" /e /t /p users:c

(The /e switch edits the existing permissions instead of replacing them, /t applies the change to all subfolders and files, and /p users:c gives the built-in Users group "change" access, i.e. read and write.)

Oh, and if you've taken my advice (for better or worse), and are having trouble running certain already-installed programs under your limited user account, check out this advice from Microsoft, which includes a long list of offending programs and some advice on what to do about them.

I know this sounds like a lot to take in at first. But if you spend a short amount of time using and configuring the limited account, you can kiss most of your other security concerns goodbye for the most part.

_______________________

Bethesda, Md.: Thanks for taking my question. Your Security Fix blogs are very helpful. I have a wireless 802.11g network here at home with a Linksys 2.4GHz (WRT54g) router. For security, I use WEP 256 bit encryption and use MAC filtering to allow only the PCs in my house to access the router. Plus, I change the login name and password to the router every couple months. Are there any other security issues I should be concerned about with my wireless network? Thanks again and Happy Holidays!

washingtonpost.com: Blog: Security Fix

Brian Krebs: Hello, Bethesda, thanks for your question. I run the very same router here at home, albeit with different "firmware" than the software that ships with the router.

Not sure what version of the WRT54G you are running, but if it supports WPA in addition to WEP, you might consider setting it up to run that instead -- as it's quite a bit more secure.

A few months back I blogged about a firmware upgrade that fixed a slew of security problems (none of which were being exploited at the time, but you never know). Check out this Security Fix post to ensure you're up-to-date there.

Changing the password every 90 days is good, but probably unnecessary. Just make sure you don't use your username as your password, pick a strong password, make sure the option to allow router configuration from the Internet is unchecked, and you should be okay.

MAC filtering is good, but not bulletproof; same with WPA. However, if you're doing all the things we mentioned already, you are far ahead of the pack and shouldn't have to worry about some random person accessing your wireless network; the interlopers will just move on to your neighbor's unencrypted wi-fi connection.

_______________________

Washington, D.C.: I've gotten the Trojan Vundo on my system which Symantec detects but cannot quarantine or delete so it is perpetually warning me. I tried running the removal tool from Symantec but even though it says the removal was successful it still detects the virus every time I turn on the computer. I saw on some message boards a long manual sequence of instructions to remove it but I'm afraid to do something that is not an 'official' solution.

Brian Krebs: Trojan Vundo is another one of those nasties that can be a real pain to get rid of. For better or for worse, those user-driven message boards are often the source of instructions on how to deal with a lot of malware out there today, as they really are on the front lines of this problem. The good news is that if you have the patience and care to follow those instructions, you can often fix the problem yourself. I haven't dealt with this Vundo problem myself, but I understand it is quite tenacious.

I have Googled this problem for a bit and found that many other users also have run Symantec's Vundo removal tool, only to find it does not completely remove the threat. Many users appear to have had success with a method detailed by this guy. Your mileage may vary.

Remember: Google (search) is your friend!

_______________________

Alexandria, Va.: I run my home wi-fi through a Linksys 2.4GHz (WRT54g) and Comcast cable modem service. While trying to add my wife's laptop to the network, I somehow lost my connection on my primary laptop (and never was able to configure my wife's laptop.) My wi-fi card in the laptop seems to connect to the router, but I cannot then connect to the Internet. When hard wired to the router I am able to connect easily. Is there a quick fix to enable my laptop to wirelessly communicate w/the Internet, or do you think I need to reset the Linksys 2.4GHz (WRT54g) and start over from scratch?

Brian Krebs: Make sure you don't have MAC filtering enabled, as that can cause your Wi-Fi card to get an Internet address from the router but not be able to access the Web. If you do have MAC filtering enabled, enter the MAC address of the wireless card (open a command prompt -- see above if you don't know how to do that) and type "ipconfig /all" without the quotes, and look for the information next to "Physical Address."

Are you using encryption? Are any of the encryption options enabled? You didn't say anything about that, but a misconfigured WEP or WPA wireless encryption could account for your troubles as well.

Other than that, every wireless router maker includes in their instructions advice that you should not try to administer the router or wireless cards from a laptop. You should take care of the router administration from the computer that is physically connected to the router.

That said, if you still can't figure it out, resetting the router is a good idea. You can usually do this by inserting a pencil or a paper clip into a tiny hole in the back of the router and holding it down for about 10 seconds. Note that this will reset ALL of the router's settings to factory defaults.

_______________________

Brian Krebs: Got this note from a reader. I have tested this (free) program and it works as advertised. It basically lets you run a browser (Firefox, IE, et al.) without having those browsers affect the rest of your system in any way.

Fairfax, Va.: Brian,

Just a note that one possible way to deal with the malware issue is the VMware Technology Network.

It is a browser app that runs using the VMware Player, just a thought.

_______________________

washingtonpost.com: VMware Technology Network

_______________________

Silver Spring, Md.: Brian -- If rootkits are good at hiding viruses and other malware, then how can a rootkit itself be detected? Are Symantec, McAfee, etc. up to the challenge?

Many thanks for your column -- I consider it essential reading.

Brian Krebs: Good question, Silver Spring. Rootkits represent the eternal cat and mouse game between security researchers, hackers, crackers and security companies. It is a game of constant one-upmanship, where as soon as the security companies/researchers figure out a method to detect one rootkit, the author will modify the technique slightly to get around those detection techniques. This dynamic is indicative of the activity related to all other types of Internet threats, by the way.

Some of the detectors work by trying to find files that use various tricks to hide or load in system memory. Other, more nefarious and complex rootkits try to modify the foundations of the operating system, and those are on some levels much harder to detect and remove.

The major anti-virus companies are pretty good at detecting well-known rootkits like Hacker Defender, for example. But even that piece of malware is created and maintained by a guy who offers a subscription service for people who want their rootkits and malware to receive anti-anti-virus updates, so you see the problem there.

At any rate, it's important not to get too hung up on rootkits, as they are mainly a tool used to increase/prolong the damage once an attacker or malware has already taken up residence on your machine. Whether the anti-virus companies do a good job in the long run of detecting these threats remains to be seen. I believe rootkits will play a much bigger role in malware in the year to come.

_______________________

Champaign, Ill.: Hi Brian,

"Is it a perfect solution? Absolutely not. Is it going to require the average user to learn more about how their computer operates? Probably. Is that a bad thing? I don't think so. Will people criticize the advice I give no matter what I do? You can count on it."

That was Rumsfeld-ian! Thanks for your blog and chat.

Brian Krebs: Ooh, really? I don't know whether to be offended or flattered. Yes, I was trying to be diplomatic, and I realize now it probably sounded like a government-ese response. Thanks for your observation!

_______________________

Brian Krebs: So it's been a nice, long (90 minute) chat. Thanks to everyone for your questions and for all those who simply tuned in to read the chat. I'm sorry I couldn't get to each of the questions, but hopefully I can answer some of the remaining better ones in our next chat on Friday Jan. 6. Until then, everyone please have a wonderful holiday and a very prosperous New Year. Be safe out there!

_______________________

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.

© 2006 Washingtonpost.Newsweek Interactive