Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, February 17, 2006; 11:00 AM

Security Fix blogger Brian Krebs will be online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.

A transcript follows.

____________________

Brian Krebs: Good morning, everyone, and thanks for joining us for Security Fix Live. We're a little light on questions today (maybe it's because of the holiday weekend - our parking lot was about half full today) so if you have a security question you're dying to have answered, now would be an excellent time to submit it.

_______________________

Warrenton, Virginia: I want to clear up a few incorrect statements in your article this morning on the Mac trojan. It does not exploit a bug at all but uses social engineering to propagate. You have to double click on the file TWICE before it will run.

Now for my question. You cover many complex technical issues. Do you have a background in computer security or programming? If not, how do you know you are reporting facts and not spreading FUD, which your article this morning appears to be doing?

Brian Krebs: This comment refers to a blog post that I put up yesterday on Security Fix that addressed two different issues relating to Mac security. The first part of that post was about a new piece of malware targeting users of Apple's Mac OS X operating system.

The second part of that post dealt with a separate issue about a series of patches Apple issued on Tuesday. I had intended to release that post as a standalone entry when I heard about the Mac OS X threat. When I wrote about a "bug" in OS X, it was in that portion of the blog post where I was talking about the new patches, not the new malware targeting Macs.

Nowhere in that post did I say that this new malware takes advantage of a vulnerability in Mac OS X. It is mainly a "social engineering" attack that tries to get the user to execute and spread the threat to other systems, much in the same way that most Windows threats propagate.

_______________________

Mount Airy, Md.: So much is being made of the Mac OS worm -- but come on, three or four specific steps have to happen and you have to enter an admin password. Anyone that launches an application and then is asked for, and enters, an admin password deserves what they get. Also, there are no reports of this worm actually being passed around.

Brian Krebs: This Mac OS X Trojan does not pose much of a threat to anyone. It is remarkable, however, because it is the first threat targeting Mac OS X. We've received a ton of comments from Mac users who feel very strongly that the media has overhyped this threat, but the fact is that "firsts" of any kind in the security arena always receive a lot of attention.

The reason this one received so much attention is that it introduces the possibility that this could be the start of a series of attacks on Mac users. Today, another Mac threat -- this one a "proof of concept" worm -- was submitted to anti-virus makers, and it DOES attack a vulnerability in OS X and spreads via Bluetooth. This new threat isn't much of a threat either, since it's not spreading at all. But it does further the notion that the security honeymoon may be over for Mac users.

_______________________

Virus != Trojan: Why does the headline call this program a virus when the article seems to make it clear that it's a trojan, not a virus? Two different things, with different ways to avoid them. It only confuses the users I support to see newspaper articles calling every kind of malware a "virus."

Brian Krebs: I don't know: I didn't write the headline. I'm guessing it's because "Trojan Horse Targeting Macs" doesn't fit on one line and because many, many users would not know what a Trojan Horse was, at least in the computer sense. I can't argue with the underlying thrust of your comment, however.

_______________________

Anonymous: Could someone please for the love of god take out a full front page ad in every newspaper telling people with wireless access points to at least do something to secure them. In apartment communities you can find dozens that have no protection on them whatsoever.

Brian Krebs: Ah! A non-hey-you-Mac-basher question:

That's not a bad idea. If you ever take up a collection for such an ad, let me know and I'll help get the word out.

Seriously, though, you are correct. Waaaaay too many people plug in their wireless routers and never secure them. That is probably because the wireless router makers and various hardware manufacturers haven't traditionally made it a cake walk for users to configure this stuff securely. A very close friend of mine remarked just yesterday in fact that he uses his neighbor's wireless connection regularly to avoid paying for high-speed Internet. He does this even after I demonstrated for him how I could sit on the wireless network and intercept all of the traffic that was flowing between his iBook and the neighbor's router (for all you lawyers out there, I demoed this on our own wireless network, not the neighbor's.) That reminds me, I have to see about finishing up that how-to-secure-your-wireless-network tutorial.

_______________________

NY, NY: Your response to VA is full of it.

You should read your own article that was sent out today. You claim to be waiting for Apple to respond to this bug. That article was solely on the Worm (or for those who don't want the FUD) the trojan.

Brian Krebs: Maybe you're not aware of this, but "bug" can be used to describe both a software flaw and a piece of malware. Perhaps there was a better term to use, but I think you are confused about this. In case anyone else is confused, here are the quotes directly from the article:

"Apple released a statement yesterday warning users to download files from only companies they have confidence in. "Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust," read the statement. Apple's Web site yesterday afternoon did not appear to give Mac users any notice of the bug, and a spokesman was uncertain whether the company would update its operating system in response to this specific threat."

"One software expert who examined the bug's code yesterday downplayed its author's programming abilities as "lame."

I thought it was clear that when we said "bug" we were talking about this new threat, not a flaw in the operating system, but I guess it wasn't clear to everyone.

_______________________

Irving, TX: Should reports like yours cause me to reassess a need for some sort of "virus protection" for my Mac since there seems to be a heightened interest in attack on the Mac? Because of the reputation of the Mac, I have never installed any kind of "security" protection.

Brian Krebs: I don't think either of the threats designed to target Macs that I've written about in the last 24 hours are anything to worry about. However, I do believe these will be the first of many threats targeting OS X users, in large part because this is a community that is not accustomed to dealing with security threats, and thus perhaps (from the attacker's viewpoint) less informed about how to secure their computers and how to avoid potential threats.

That said, I don't think Mac users need to run out and buy anti-virus software. The OS X platform is set up so that a certain number of things need to happen first before the user can infect his/her machine with something. As such, as long as users maintain a healthy awareness of the potential threat and keep their machines up to date with the latest patches, that should suffice for the time being, in my opinion.

_______________________

Oklahoma City: Can this really be classified as a virus since it doesn't self-propagate externally? It seems to be more of a Trojan as it doesn't exploit any security holes and only attempts to spread itself via iChat. I think it is more of a "proof of concept" that simply shows it can be done, but opens the door to future attacks.

Brian Krebs: I sort of answered this question already, but it deserves a better, more thorough response, because it raises an important and evolving issue.

The headline that links to the story on the washingtonpost.com home page has been changed to "Online Threat Targets Macs." My editor tells me there was quite a lively discussion about this in the newsroom of the Washington Post downtown last night about this very issue.

Here's what he had to say:

"Editors at the print Post say that before the headline was put on the story, they had an extensive discussion over what this threat should be called and came to a consensus that in terms of the newspaper's usage style, any self-propagating online threat has always been referred to by The Post generically as a "virus." However, the issue will be revisited in the near future and the paper's style rules, which are a living and breathing entity, could be amended at some point."

_______________________

Mac User in Glover Park: Good grief! Instead of responding to tech nerds who seem to be looking for the slightest misstatement on your part to take a chunk out of your hide, can you please answer one simple question: I do not use iChat. Am I at risk?

Brian Krebs: The answer is no, at least not from the OSX/Leap.A trojan. That is not to say that we won't see additional threats in the future trying to spread over iChat. In fact, if the trend on Windows systems is any indicator of the way that future malware might spread to Mac systems, that would be the most likely vehicle.

Again, the best piece of advice I can give is the same advice we give to Windows users: be cautious of clicking on links that arrive in e-mail and instant message. I don't think it is unreasonable to caution Mac users to follow this basic security advice.

_______________________

Brian Krebs: By the way, I should note here as well that the cover story for this Sunday's Washington Post Magazine -- "Invasion of the Computer Snatchers" -- was inadvertently published on the site 24 hours early. It has been replaced with a blog entry explaining what happened. The story will be back online around 5 p.m. ET today, and reachable via this link. Until then, that link will redirect to the blog.

_______________________

Atlanta, Ga: I am new to the computer world. Looking at what I have seen so far, internet security is going to be the big "unknown". I use internet banking but my bank this week had security problems with debit cards. If people are smart enough to design computers and software, why can't someone produce products that can really protect us?

Brian Krebs: Good question, Atlanta. The answer has to do with trade-offs. Security is all about trade-offs: when you increase the safety and security of any system - a device, a process, or a network -- you almost always decrease its utility or usefulness. That is because in designing software, the more features you add, the more computer code you create. Computer code is written by humans (for the most part, although there is some automation involved in some cases) and humans make mistakes. Many programs and indeed operating systems that all of these programs sit on top of contain many millions of lines of code. Most commercial software is thought to contain between 10 and 20 errors for every 1,000 lines of code.

Many of these errors are easy to spot and are the result of sloppy programming. Other errors are much harder to spot and only reveal themselves when run in conjunction with other third-party software that interacts with the underlying code in a way that maybe the designers had not anticipated. In most cases, this results from the fact that commercial software programmers do not think like virus writers and other online criminals, who tend to seek out and exploit these unusual occurrences that can often lead to catastrophic results from a security perspective.

So, getting back to your question -- it is possible to write secure code, but that often makes the learning curve on using that software a bit higher because it requires users to take more steps. Since software designers tend to construct their code so that it is user-friendly, they tend to add more features and more code, and thus more errors.

I hope that makes sense. I'm writing like a banshee to try and get to some more questions before we run out of time.

_______________________

Astoria, New York: For the second time in less than 2 years, I am the victim of identity theft. I have Norton on my home computer and am very good about updating it every day and running it every night. I also have anti-spyware and other protections. What else can I do? I am thinking they are getting this information not from my computer, but from the banks, in which case I have no control, but I do want to take all the precautions I can at home. Thanks,

Brian Krebs: It's difficult to give you a definitive answer for a variety of reasons. One, you didn't say what you mean by "identity theft." Was it that someone stole your credit card number? That's more along the lines of "identity fraud," and -- while disturbing and annoying -- doesn't usually cost the victim much. ID theft where someone really steals your identity by co-opting your Social Security number and opening bank accounts or obtaining home loans in your name -- and this happens to thousands of people each year -- is a far more destructive and insidious type of crime that leaves long-lasting scars on its victims.

Lots and lots of people and entities beyond your control have access to your personal and financial data. It takes just one of those people to decide to misuse the trust that's been placed in them to cause problems for many people.

If you're talking about credit card fraud, it could be that an online merchant you did business with got hacked and their customer database was stolen. It could be that a waiter at a restaurant you ate at swiped your credit card number and used it to make unauthorized purchases. Maybe someone found your credit card number on a receipt that some merchant threw out in the trash. There are plenty of ways someone could obtain your credit card number that don't involve your computer or how secure it is.

_______________________

Brian Krebs: I'd love to answer questions all day, but I am out of time. Thanks to everyone who submitted questions; I am sorry I could not get to more of them. Please join us for the next Security Fix Live chat on March 3. Also, check out the "Invasion of the Computer Snatchers" story at this link after it goes live at 5 p.m. ET today, for a look at what is really driving the adware and spyware epidemic.

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.



© 2006 Washingtonpost.Newsweek Interactive
