Brian Krebs
Security Fix Blogger
Friday, May 12, 2006; 11:00 AM
A transcript follows.
____________________
Brian Krebs: Good morning, Security Fix readers, and thanks for joining us for another of our bi-weekly Security Fix Live Online chats. We've got a fair number of questions queued up already, but don't let that stop you from submitting your own. So, without further ado, I'll get right to the questions.
_______________________
Buxton, NC: I've heard recently that M$ has put out a security patch that identifies bootleg OS's and brands the screen with a notice that can't be removed unless a licensed OS is installed? Fact or fiction?
tindy
Brian Krebs: You are referring to Microsoft's expansion of its Windows Genuine Advantage program to identify machines running potentially pirated versions of its software. You can read more about the expansion of this program in a blog post I did last week.
If you're running an unlicensed copy of Windows or one that is powered by a serial number known to be pirated (i.e. pasted on some virus and spyware-laden "Crackz" or "Serialz" site), the Genuine Advantage tool will alert you that you're running a pirated version of Windows via a pop-up from your system tray. You can close that notice, but it pops up again periodically until you contact Microsoft to resolve the issue or re-install with a licensed copy of Windows. Microsoft claims its tool cannot be removed, although no doubt it will be only a matter of time before some clever hacker publicly posts some information about how to get rid of the program.
It's worth mentioning that previously, you only were required to download the piracy scanning tool if you downloaded something directly from Microsoft's Web site, including its Windows Update patches page. The expansion of this program means Microsoft will ask you to download the scanning tool through Automatic Updates as well, if you have that configured to download and install updates. Microsoft *says* users can decline this installation, but many people have complained that the tool was installed without their approval.
_______________________
Annandale, VA: Thanks for the chats and the blog, I have learned much about computer security!
My question: I recently installed a Netgear Wireless Range Extender Kit to my Linksys router (the wireless laptop cards are Netgear). It works great. The problem is, I can't access the Netgear web admin, so my wireless network is completely unsecured. The manual says I need to change my computer's IP address to the router's IP subnet. I also need to obtain my ISP's DHCP server address (I'm connected by cable). How do I get these two pieces of information? I tried Google and what I tried did not work.
Thanks in advance for any help you can give!
Brian Krebs: There are a couple of things I'm not certain about in your setup: Is your Linksys router also a wireless router? And you can access the Internet but not the admin page? My guess is that somehow your two devices are assigning parts of your network to different subnets, but you haven't given me enough information to know for sure.
To your question, if you're running Windows, to find out your internal address (the address assigned via DHCP from the router), open a command prompt: click "Start," then "Run," and type "command" (without the quotes). That should open up a black text console. Type "ipconfig /all" without the quotes and that should display all of the information about your network settings. If you ever want to know the Internet address assigned to you by your ISP, check out www.whatismyip.com
Not sure why you'd need your ISP's DHCP server address (maybe you need the ISP's DNS addresses: those are listed in the results of the "ipconfig" command mentioned above).
More likely, you need to make sure your Linksys router and the Wireless Range Extender Kit are on the same subnet. You can manually assign any of your connected wireless and wired devices a "static" IP address that does not change. You may need to do that with either your router or the Wireless Extender thingee.
I've not used this product before, but according to a CNET review of this thing, you can configure it with the integrated access point to function either as an access point to extend your wireless network or as a full-fledged wireless router. "When configured as a router, the device touts an array of advanced networking features, including DHCP services, content filtering that blocks access to specific Web sites based on keyword or domain name, dynamic DNS, and port triggering, which can help you play games over the Internet."
So again, since I have no idea whether you are using the Netgear Kit as your primary Wireless router or whether the Linksys device functions as such, I can't offer a whole lot more advice.
_______________________
Rockville, MD: I'm confused about browser security. I hear people say Firefox is safer, but it seems like I'm getting updates from them all the time now to fix their security problems. Is Firefox really more secure? Is the new version of IE more secure? More secure than Firefox, or just more secure than previous versions?
Brian Krebs: How many patches a company issues to fix security flaws in its products is hardly a measure of how secure or insecure they are: Apple just released patches to fix 43 different problems in its software, but it's rare to see attacks against that OS. However, when a company takes a long, long time to fix known security flaws in its products, that's a major concern.
The problem with Internet Explorer has been and continues to be its tight integration with the Windows operating system. Using things like ActiveX controls and Active scripting, IE can be made to do and install all kinds of things, and the bad guys have taken full advantage of this. While Microsoft has gotten better about fixing browser flaws more quickly, it is still the case that it is hard to find more than a few weeks of time in the past few years when IE hasn't been vulnerable to a known security flaw - and in many cases the means for exploiting that flaw have been publicly posted online.
That is not to say that there haven't been incidents with spyware being installed via security flaws in Firefox: there have. But in my opinion, if the browser you use to regularly cruise the 'Net is IE, you're asking for trouble. Yes, there are ways to lock it down by fiddling with the browser's "Internet Zone," and "Local computer zone," and all that nonsense; just download and use Firefox.
Will the bad guys start to target Firefox users as more people switch to that browser? Probably. Are you safer in the meantime with Firefox? From where I sit, yes.
_______________________
Vienna, Va.: In looking at my Norton Security log once in a while I notice clumps of activity from: coauthor (1529), ingreslock (1524), ms-sna-base (1478), orasrv (1525) and others. By any chance do you know of a resource I could use to identify what these are?
Brian Krebs: Check out this listing from IANA that maps common port numbers (those numbers you list in parentheses in your question are port numbers) to known computer services. A "port" on your computer is like a parking space in a parking lot where each of the slots is assigned. Port 80 is reserved for http connections (Web browser); Port 25 is used by e-mail clients.
SysInternals has some very powerful, free tools that allow you to figure out what services and programs are doing on your machine. Process Explorer is one of my favorites: This baby even tells you which company made the program, in addition to the name of the executable it uses (.exe), port number used and process ID number, as well as how much CPU power the program is drawing. Download Process Explorer here. Good luck.
_______________________
Milwaukee, Wisc.: A friend of mine has the following on his computer: Adware Sheriff spyware.
In addition, his anti-virus software has expired. Any suggestions regarding good anti-virus/anti-spam software and the removal of this program?
Brian Krebs: Hi Milwaukee. Sorry to hear about the bogus anti-spyware spyware infection your friend has. I blogged about this particular breed of nasty a few weeks ago. The instructions your friend needs to remove this thing are here (scroll down to the area under "Removal Instructions").
_______________________
Silver Spring, Md.: Brian, I know you mean protect your private information from hackers, etc., but how can we protect our private information from a government gone wild?
Brian Krebs: You can't.
Haha, just kidding. Sort of. Your best bet if you're the paranoid type (like Yours Truly) is to read up on and then religiously use encryption for your e-mail communication. PGP Corp. used to distribute a really nice, free encryption package, but sadly enough they decided to stop doing that a while back. But there are still a couple of free options. I'd recommend GPG4Win, a free open-source encryption program. It may take a while to get the hang of it, but once you do, it's like riding a bike.
For anonymous Web browsing, you could always use public proxies (there are tons of lists posted online), but the problem with that is you really don't know whose machines you are proxying through, so... One program I have used quite a bit when browsing sites that I'd rather didn't know my home IP address is called Tor, which uses a couple of downloadable programs to bounce your Web browser traffic through a bunch of different Internet servers that encrypt the traffic at every step of the way. And because each server in the Tor network sees no more than one hop in the circuit, neither an eavesdropper nor a compromised server can use traffic analysis to link the connection's source and destination (that last bit is straight from the How Tor Works page). Tor is great, but it can be a tad slow at times. But if you're really paranoid, you probably don't mind waiting a few more seconds for that Web page to load.
Be safe out there. And remember, just because you're paranoid doesn't mean everyone isn't out to get you!
_______________________
Natick, Mass.: I have two anti-spyware programs: Spybot and Microsoft's program. Spybot frequently finds spyware. Microsoft's program has never found anything. I can run Microsoft's program first and after not finding anything run Spybot and it frequently finds something. Microsoft's program has gotten such good reviews in the past. What am I to think?
Brian Krebs: I have found Microsoft's beta anti-spyware program (now called Windows Defender) to be fairly effective at finding and eliminating spyware, but fighting spyware on Windows machines that are not properly secured (browsing under limited-user accounts, patched fully, etc.) has always been about using multiple anti-spyware tools. It has been my experience that some anti-spyware programs will catch things that others don't. Since most anti-spyware programs are on-demand scanners, it usually doesn't hurt to have more than one anti-spyware program on your machine. It's not like installing two different active anti-virus programs on your machine: the anti-spyware tools generally won't try to strangle each other. That said, you shouldn't run two anti-spyware scans at the same time. Also, a second pass by a second anti-spyware program may find things you thought were deleted by the first scan of the first anti-spyware program if you haven't rebooted your machine between the two scans.
_______________________
Washington, D.C. RE: Mac security: I finally took everybody's advice and bought a Mac -- in my case, an iBook G4, O/S X.4 (Tiger). Pre-Intel, if that matters.
Other than purging cookies, ought I take some sort of precaution against viruses, trojans, worms and whatever bad things are out there?
Should I even bother to purge cookies? And is there a reason (or several) to prefer Firefox to Safari or vice-versa? Many thanks!
Brian Krebs: I've used Safari, and I can't count myself as a big fan. But of course lots of people love the browser. As you mentioned, there are always alternatives.
I get this question a lot about anti-virus on Mac machines, and I have to side with Walt Mossberg from the WSJ on this one: If you're the kind of person who lives in a decent neighborhood and is startled enough by the occasional property vandalism or burglary that you feel it is worthwhile to install a burglar alarm, then perhaps anti-virus on the Mac is the right move for you. You don't even have to pay for it if that's a concern: ClamXav is a free anti-virus scanner for Mac.
As there are no pressing virus attacks against the Mac OS X operating system, having anti-virus for the Mac is more of a hedge or insurance against potential future outbreaks. That said, I do believe at some point Macs will be targeted more by virus writers and criminals, but that day may be a long time coming.
_______________________
Arlington, VA: I found SBWatchDog.exe on my sony laptop, is it harmful? how to remove it from the registry (WIN2K)? Thanks
Brian Krebs: From a quick Google search, it appears that the program you mention is distributed with Sony laptops. A number of anti-malware sites claim the same thing, that it is a "Spyware utility installed by the manufacturers of some laptops (Sony) used to monitor browsing habits and send them back to whoever installed it - released by SoftBank." I couldn't verify that information offhand, but it wouldn't surprise me one iota if that's exactly what it was. We all remember Sony's grand experiment with dropping "rootkits" on PCs of people who played certain Sony music CDs on their machines. See Security Fix's Piracy Archive for more than a dozen stories on this debacle.
One great tool for taking back control over your Windows registry and what programs are allowed to start when Windows boots up is HijackThis!. If you're a complete computer newbie and don't know diddly about mucking with the Windows registry, you should read these instructions before doing anything else.
Combined with Process Explorer, you can use HijackThis to better understand what programs are running on your machine and how to quash them. I have found these tools indispensable for regular maintenance on any Windows machine: over time, as you install, update and remove programs from your machine, you may find that remnants of other programs you've deleted are still hanging around, or certain drivers or processes you don't need are slowing the system bootup or shutdown time, or just dragging on your system's overall performance.
_______________________
Bethesda, MD - A Mac hack query: OK, so Macs are less vulnerable to viruses and so on. But what about getting hacked? When I switch from dial-up to DSL, and when I use Airport (wireless), what precautions should I take?
MTIA
Brian Krebs: Hi. There are a gajillion resources for securing your Mac at this link here. Apple's own site also has a pretty decent PDF that contains a fair amount of documentation on Mac OS X security and is a great place to start.
For a nifty video guide to securing your Airport wireless router for Mac, check out the link in a blog post I wrote on this a few weeks ago. Macs may be more secure out-of-the-box, but you can intercept unsecured wireless communications between a Mac and a wireless router just as easily and with the same tools used to hijack communications between Windows machines and routers.
_______________________
Annandale, Va. (again): "So again, since I have no idea whether you are using the Netgear Kit as your primary Wireless router or whether the Linksys device functions as such, I can't offer a whole lot more advice."
Thanks for your help! This is a great start. The Linksys is the primary wireless router, by the way.
(Hi to J. - I used to work with her in Old Town)
Brian Krebs: Good to know. Thanks for the follow up. Glad I was able to help (sort of ;).
_______________________
Brian Krebs: That's about all we've got time for today. A huge thanks to everyone who stopped by and submitted questions. Until next time, please drop by the Security Fix blog once a day and stay up-to-date on the latest computer and Internet security news.
_______________________
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.