Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, May 26, 2006; 11:00 AM

Security Fix blogger Brian Krebs was online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.

A transcript follows.


Brian Krebs: Hello everyone, and thanks for joining us for Security Fix Live. I am duly impressed with the number of questions we've received so far, given the long holiday weekend ahead of us, but I've managed to come up with some answers to a few of them while I was waiting for this chat to officially start, so feel free to submit any other questions you may have. I'll do my best to get to them in turn.


Melbourne, Australia: Great column, Brian. Keep it up. My question, at some point Microsoft managed to install .Net framework and according to events log .Net is onto my computer every morning when I boot up. I am not a web developer, just a bloke (intermediate level, I suppose)who is diligent about regular security maintenance (Norton Anti-Virus, Ad Aware, Spybot, Spyware Blaster, Windows Defender), but I seem to have acquired Microsoft .Net Framework as a user. If I uninstall, will I lose anything? They claim it facilitates updates and the like. Thanks.

Brian Krebs: Thanks, Melbourne. .Net is used by some Web-facing programs to increase their functionality, usability and general gee-wizziness. A lot of popular RSS readers require that you have .Net installed before you can install them, as do other Web-interactive programs. It could be that some program you installed had .Net bundled in with it. I wouldn't worry too much about having .Net on your machine: Just make sure it is patched like all of the rest of your Windows apps. A visit to the Microsoft Update site ( should clear up any questions on that front. Thanks for your question.


Fairfax, VA: Any chance that the FCC will declare AOL to be what it is: a virus? With two teenage kids downloading and AIM'ing regularly, I cannot seem to rid my hard drive of AOL files and offers. Uninstalling only seems to skim the surface; a search of the hard drive afterwards on the acronym "AOL" produces dozens and dozens of files that remain. I tried to update one of my anti-virus programs, and stopped when I found that it came with an AOL browser attached. This is beyond annoying, and must approach some kind of legal limit. Any suggestions?

Brian Krebs: Fairfax, I wouldn't hold your breath on the FCC. But to answer your question: Yes: the easiest way to keep someone else who has access to your PC from mucking it up is to set up your computer so that others can't download and install stuff anymore.

By restricting yourself and others to limited user accounts, your kids won't be able to install diddly. There is no more surefire way to avoid having things show up on your Windows PC without your permission. You should only use administrator privileges to do certain tasks, such as installing programs or tweaking system settings. Even most of those tasks can be done in limited user mode by right-clicking on the item you want to install and selecting "Run As" and picking the administrator account and then entering your password. Yes, setting up a PC for limited user accounts is quite a bit harder after everyone has put all their data and programs and whatnot on the machine, but it's makes a lot more sense in the long run to take the time to do it right. For some pointers on how to set up and use limited user accounts, see my past coverage of this topic .

Here's a quick and dirty trick you can do to set up administrator/non-administrator accounts on your machine. Chances are that the user account you are using on your machine at the moment is the all-powerful administrator account (it might be named something else, but if you go to Start, (Settings) Control Panel, and then User Accounts, you should see all of the accounts you have on the system. Chances are there are at least two accounts in there, one with administrator rights and another Guest account (which should be turned off: if it's not, turn it off). Assuming the main account is a administrator account (it will say so under the name), and that the only other account you have listed is an inactive Guest account, go ahead and create another administrator account, and assign it a password (not one your kids will guess but also one that you can safely remember (see our password primer for help here).

Next, go to the main menu and enable "Fast User Switching," which should allow you to have more than one accounts logged in at the same time, so you if you need to you can toggle back and forth between the admin account and the limited user account you're about to create (again, though, for most things the "Run As" trick I mentioned above should work from a limited user account.)

Once you've created the administrator account, change the account privileges of the one you are currently using; from the main User Accounts page, click on the admin account you're currently using and then click on the button that says "Change Account Type." Then switch it over to a limited account, and you should be all set. You will not be able to make any more changes to the system settings, however, until you log into the computer using the administrator account, so you'll notice a few of the options in the User Accounts menu are now no longer available to you.

If you want to try it out now, try going to your download folder or just download a piece of software and try to install it. It should fail. Now, if you right click on the file you downloaded and select "Run As" it will prompt you to select the account with administrator privileges and then for the password. Enter both and you should be able to install the program no problem.


Phoenixville, Pa.: A major security flaw in Symantec's programs (Norton?) was the subject of a piece in today's Philadelphia Inquirer business page (print edition, not found yet online). The only source cited was an unnamed research organization. Symantec execs said it is so new they have no immediate response, the story said. What is the problem, and how is Symantec addressing it? Or is the Inquirer wrong. I found no corresponding item on Symantec's web page.

Brian Krebs: The folks at eEye Digital Security pitched me yesterday on writing about that flaw, but I did not because I was busy with other stuff and because it would not be all that unusual as far as I can tell. I might have taken a different approach had they said people were actively exploiting this flaw. As it turns out, it doesn't appear that anyone outside of eEye and Symantec knows about it (although there's a reasonable chance that the bad guys independently discovered the same flaw and areusing it as we speak - but that kind of activity would not very likely go unnoticed.)

Security experts and especially security companies spend a great deal of time trying to find flaws in other peoples' security products. I'm not faulting them for that; they should. On some level, it's not hard to see why security companies research flaws in each others products (other than for competitive reasons); security software should protect you, not open you up to additional security risks.

However, software is software, and it's produced by humans who make mistakes. Security software is hardly immune to serious flaws, and anti-virus programs have had their fill of big time security holes (remember the Witty Worm that wrecked tens of thousands of computers?) Take a gander at vulnerability watching company Secunia's listing by vendor and you'll find plenty of recent fixes for serious security flaws in security software, not only Symantec's but many other big names out there, including McAfee, F-Secure, and plenty of others.

If there is an upside to this, the anti-virus companies do have excellent ways to update their products on-the-fly to fix security problems: all of them have some sort of auto-update feature that is used to download new virus definitions each day or several times a day. Most anti-virus companies now use that update process to ship product and security fixes as well, so no doubt when Symantec releases a fix for this flaw they will do so via that mechanism, though it may not trumpet the change. We'll see, hopefully they do ship a fix before any of the bad guys figures out how to exploit the flaw.


Bethesda, MD: When I enter personal information on a company's web site, what laws cover the protection of that information? Is the privacy policy on the web site actually legally binding for the company that posts it? Can they change the privacy policy and have it retroactively affect data submitted under the previous privacy policy? And are the laws affecting privacy typically local, state, or federal?

Brian Krebs: There are of course plenty of state laws that affect privacy, both online and offline. Indeed, it seems there are more state privacy laws added every day. On the federal level, the Federal Trade Commission has been the chief enforcer of privacy statutes, and has on occasion gone after companies for failing to live up to their privacy and security promises.

Companies can change their privacy policies and make them retroactive, but they are required by law to give customers adequate notice of such changes. And the FTC has indeed sued companies that failed to notify customers of privacy policy changes: notable cases include one in 2004 against Gateway Learning .

One of the first and most notable cases the FTC brought in this arena was in 2000 against a now-defunct company called , which decided it wanted to make money after it folded by changing its privacy policy so that it allowed it to sell its customer list to the highest bidder. The agency reasoned that since customers could no longer opt-in and give their affirmative approval to remain a customer (the company had since gone out of business), that the sale would violate its own privacy policy, and that indeed the company could not unilaterally change its privacy policy.

So, long answer short: Yes, companies are required to notify you when they change their privacy policy. And you can vote with your pocketbook and go somewhere else if you don't like the change, but good luck getting a company to expunge your data if you decide to stop doing business with them.


New York, NY: Recently spammers have been putting a domain name of mine in thousands of spam messages that they are sending. I see evidence of this in bounced messages that are returned to me. What can I do to stop or report this?

Brian Krebs: Sigh. It is very likely that your computer is infected with a mass-mailing computer worm -- one that probably itself arrived as an attachment in your e-mail inbox. Usually these things infect your machine and spread to others by enticing recipients to open the virus-laden attachment.

From what you described, it sounds like the activity of the Bagle worm, which has spawned hundreds of variants and typically uses Web sites affiliated with victim machines as a launching pad for future attacks (or merely as decoys to fool investigators trying to clean up sites that may be serving up new versions of the virus. See my story on how the Bagle worm fuels the spam business and affected a half dozen people with your same exact story.

For Spammers, Worm Turns a Profit

I don't know what kind of security setup you have there on your network/machine, but if you do have the Bagle virus or something similar (a la Netsky, Mydoom, etc), chances are you security software has been disabled. If you can get to security web sites no problem and to, you may be okay. Still, you didn't mention whether you're using anti-virus software that's up to date, a firewall, and whether you're patching regularly (I suspect you are not doing at least one of those things). Head on over to Microsoft's anti-malware scanner and let it scan your PC for bad stuff. Antivir Personal Classic Edition anti-virus is also free, as are AVG Free , AVAST ,and Etrust from Computer Associates. If you use a scanner or anti-virus and it finds Bagle or Netsky or one of these things, given what you've may be necessary to back up your data and reinstall the operating system. Many of these worms now come with hooks so deep that they're very difficult to banish from your PC once they gain a foothold. Good luck!


San Diego, CA: My current security software is about to expire so I'm going to be updating my myriad of security apps, and was hoping you'd have some insight into my picks or perhaps other recommendations. I plan on getting Kaspersky Anti-Virus 6.0, ZoneAlarm Pro Firewall, perhaps renewing my Webroot SpySweeper, and either GhostSurf 2006 Platinum or Anonymizer Anonymous Surfing. I'll be complimenting all of this with free secuity apps such as Adaware, Spybot search & destroy, Spyware Blaster, and perhaps Windows Defender. My question is whether you know of any compatibility problems between the aforementioned security apps and if you have any criticisms or suggestions to my picks. Thanks in advance.

Brian Krebs: San Diego, those apps you mention all appear to be in different families of Windows protection software, so shouldn't interfere with one another to my knowledge; but then again, I've not used GhostSurf or Anonymizer before, so I can speak for those products. Kaspersky's anti-virus is very good (I use NOD32 right now, which I'm very happy with).


Charlottesville, VA: A friend forwarded me a link to a new awareness campaign the Department of Homeland Security has launched. The materials contain very useful, straightforward information about cyber security. Sort of commandments for cyber security. Tell your readers to check out the link. Great job with your blog and Q&A sessions.

Brian Krebs: Wonderful. Thanks for the link Charlottesville. We can always use new resources.


Newland, N.C.: I have 3 hard drives sitting outside computer. One has no security and is used for surfing. One has lots of applications and is used for mostly offline stuff, graphics, fax, music, etc. The third drive is used for banking, government note purchses, medical info, credit card payments, online purchases.

Third drive has Norton, Pest patrol, Ghost thru a proxy server, Site Monitor, Socket Shield Monitor. With all of these running at once, speed is not fast, but the operations are not complex and security seems to be good as reports of exploits do not show invasion of computer.

Switching cables on the drives takes less than a minute and they are cool outside of case. Desk looks like that of a mad scientist but what the hell. Question is how can we, (you and I), make money on this cockymany concept. Would be better to have a switching box like A & B . Care to invest?

Evan Sax

Brian Krebs: Haha. Newland, if I had a dime for every time my desk looked like that of a mad scientist, I'd be sipping margaritas on some desert island somewhere now (still doing this chat, of course, just in better style.) Seriously, though: the concept of segmenting your operating system setup is hardly a novel one. I have two 160 Gig hard drives on my main PC, and each is divided into different partitions, with data on one, installed programs on another, and system backups on yet another. The idea being that if you have to reinstall the operating system or restore from a backup for whatever reason, it just makes it a bit less painful to do so. And I think they do sell switches that allow you to toggle between hard drives, but that may be a little overkill.


Cork, Ireland: My question is about compatibility between security apps: I already know that it is ill-advised to run multiple Anti-Virus apps on the same computer, but is this also true of Anti-Spyware apps? I have several Anti-Spyware apps running on my system (Webroot SpySweeper, Adaware SE Personal, Sypboy Search & Destroy, the anti-spyware integrated with ZoneAlarm Internet Security, Spyware Blaster, and soon Windows Defender) and have yet to see any compatibility problems, however I only have SpySweeper as the always active real-time anti-spyware app, the others I only scan with periodically. So would it be illadvised to allow multiple real-time anti-spyware apps to run simultaneously on the same system?

Brian Krebs: Short answer, yes, it's generally not a good idea to let any two real-time scanners run at the same time. Anti-virus and anti-spyware programs are probabaly different enough beasts for to get along well enough just fine in real time, but I see no real need to run two different real time anti-spyware scanners at the same time.

I'm going to refer you back to the answer I gave a few minutes ago to the gentleman who was complaining about his kids constantly monkeying with his system. Combine using a browser like Firefox with the changes I suggested he make with respect to limited user/administrator accounts, and I think you will find that the anti-spyware stuff is merely a nice layer of protection but not strictly necessary anymore. Just my two cents.


Cleveland Park: Brian, I love your blog, it is great. I just got a Comcast cable modem and want to purchase a wireless router for my apartment. Do you have any recommendations for what brand or features the router should have?

Brian Krebs: Thanks for the kind words, Cleveland Park. I use the Wireless-G Broadband Router from Linksys (model is WRT-54g), and have almost no complaints. I also use a custom version of the firmware from Sveasoft, which allows you to tweak dozens of settings on the router that you couldn't otherwise. The range is pretty decent, and the interface is fairly intuitive. But your mileage may vary.


Baltimore, MD: I've used Norton Internet Security on my two home PCs for years and read that Microsoft is going to offer a PC security service this summer. Should I consider switching?

Brian Krebs: Lots of people use Symantec's Norton anti-virus and security suite, which works fine enough I guess. I mean, I've used in in the past, but had so many troubles with renewing it, reinstalling it and finally removing it that I promised never to go back. Maybe they've fixed those problems, and maybe the product isn't as system resource intensive as it used to be. I can't offer any thoughts on their latest line of products, because I haven't used them. I tend to take the approach that the all-in-one suites usually do one of their tasks fairly well, but often fall short on the others.

To your question: I'm not sure I'd pay Microsoft to protect me from the problems it largely created on its own in the first place, but that's just me. Microsoft will no doubt due to its largess be able to offer a price that is most appealing out of all the pay-security services, so it is likely to gain some market share just because of the relatively low price point. But ask yourself, now that you're saddled with Microsoft's legacy of poor security, do you really want to reward them by paying them to protect you from those problems that never should have been there to begin with? For my money, the answer is no.


Michael of Middlesex, New Jersey: Our household computer was recently infected with a virus, when someone was able to impersonate our college-residing daughter's e-mail address. They sent an instant message, which we thought was her. The AOL security software was useless, and we are going through a pain-staking process (going on two weeks).

How can you avoid this type of problem?

Since AOL's software is supposed to prevent things, it begs the questions,"what failed?" and what recourse do I now have?

Brian Krebs: Instant messenger worms spread by tricking people into clicking on links that usually arrive from someone the victim knows or someone on their buddy list. But Instant message worms are hardly unique to AOL. They are rampant on other IM networks, including those run by MSN and Yahoo.

In the future, you can avoid this problem by refusing to willy-nilly click on every link someone sends you. If someone randomly sends you an instant message and says, haha check this out , take a second .breathe deeply, and then reply back: Hey, what is this? What are you asking me to look at? It may well be you get a reply that the person didn't know they sent you anything - which is generally a good indicator they themselves have infected their machines with an IM virus by clicking on one of these links. Heck, just a couple of months ago, a co-worker came up to me and proudly proclaimed that she resisted the urge to click on a link that arrived in an IM from her friend, and followed my advice and replied back asking what was so important: Turns out her friend hadn't meant to send the message, and that her friend had just clicked on a link that was sent to her.


Frankfurt upon Main, Germany: I'd like to know more about the so called "GinWui" trojan horse please. Thanks.

Vasantha Ramaswamy-Wolter

Brian Krebs: Check out the blog post I wrote last week about this very same topic.


East Lansing, MI: Goes Google Desktop retain a copy of your Hard Drive (for search purposes, of course) on its servers somewhere?

Brian Krebs: Not that I'm aware of. That would seem like an exceedingly bad idea on a number of levels. Still, it does an excellent job of indexing files on your machine. I've found it almost indispensable for finding certain files very quickly (especially e-mails, because Outlook takes forever and a day on my machine to search through all the messages in my inbox).

If you're the type of person who visits all kinds of iffy sites and view files that you'd rather other users of your computer never see, maybe Google Desktop is not the best program for you. It indexes EVERYTHING, and I've even had a couple of computer forensics guys tell me privately that Google Desktop is the answer to their prayers when it comes to finding damning evidence against someone whose computer has been seized by law enforcement for some crime or another. So, Internet bad guys, if you're reading, go get yourself a copy of Google Desktop please.


Brian Krebs: Wow. I can't believe we're out of time already. Thanks to everyone for your questions, and I'm sorry I could not get to more of them. Have a safe and happy Memorial Day weekend, and please make a habit of dropping by the Security Fix blog once a day to stay up to date on the latest Internet and computer security goings-on.


Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. is not responsible for any content posted by third parties.

© 2006 The Washington Post Company