Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, June 9, 2006; 11:00 AM

Security Fix blogger Brian Krebs was online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.

A transcript follows.


Brian Krebs: Good morning everyone, and happy Friday. Thanks for joining us again for another edition of Security Fix Live. I'll dive right into the questions.


Vienna, VA: Brian: I've got an iMac G5, running OSX 10.4.something, using the firewall & whatever other security features were built into Tiger. I use Safari, and my primary e-mail is thru MSN, which screens e-mail attachments for viruses. (My daughter uses Apple Mail on the same computer, and I also use Apple Mail but to a lesser extent.) Having heard about recent security glitches in OSX, would you advise adding an anti-virus and/or anti-spyware program? And if so, which one(s)? Thanks!!

Brian Krebs: Sounds like you have a pretty safe setup there, Vienna. I wouldn't worry too much. But it certainly couldn't hurt to take advantage of ClamXav, a free anti-virus program made specifically for Mac users. Check it out at this link here.


Elkins WV: Do you recommend that the 'GUEST' account on Windows XP be kept INACTIVE?

If so, WHY?

Brian Krebs: I recommend that you disable or delete any accounts that you never use; leaving inactive accounts lying around just leaves one more way that would-be attackers could potentially gain access to your machine. Most people do not use the Guest account, but you cannot delete it on Windows XP, so I just tell people to make sure it's turned off (By default, the Guest account is disabled in Windows XP Home Edition and in Windows XP Professional. In Windows XP Professional, you can enable or disable the Guest account when you log on as an Administrator. In Windows XP Home Edition, you must access the Administrator account from Safe Mode.)

Some people like to use the computer for their everyday activities under the Guest account, instead of creating a limited user account, and that works to a degree, I guess, but it's even more limited in terms of what it can do on the system than a limited user account (for how-to information on setting up a limited user account, check out this recent blog post).

Take a look at Microsoft's description of the limitations placed by default on the Guest account in Windows XP Home and Pro:

- You do not require a password.

- You cannot install software or hardware.

- You cannot change the Guest account type.

- You cannot create a password for the account.

- You cannot change the Guest account picture.

- You cannot access the applications that have already been installed on the computer.

- You cannot access the files in the Shared Documents folder.

- You cannot access the files in the Guest profile.

At least with a limited account you can access applications that have already been installed on the computer, and you can get into the shared documents folder.


Hartford, WI.: I recently took my pc to Best Buy and had my data backed up by them before ultimately restoring my pc because the OS was corrupted by a virus/spyware. My question is, won't the data they backed up possibly be infected, and by putting that data back on to my pc, won't I potentially bring it back to an infected state, so to speak?

Brian Krebs: While it's certainly possible for that to happen (some viruses have been known to append themselves to EVERY file on the victim's machine), it's not likely; I would also hope that the folks at Best Buy scanned all of the data files with anti-virus BEFORE putting them back on your machine. If they simply gave you a CD-ROM or DVD with your backed-up files on it, I'd strongly recommend scanning the files with an up-to-date anti-virus product. You...DO...have anti-virus on your newly-cleaned computer, don't you?


Rosslyn, VA: Brian, while on the subject of pseudoblogs, I notice that a number of blogs attract random gibberish from anonymous users, such as the last comment in this one -

Can you speculate on how these entries serve some spammer's bottom line? Assuming, of course, they're not actually coded directives to various al Qaeda sleeper cells around the globe. Security Fix: Fake Blogs Use Security Fix to Support Bad Advice

Brian Krebs: At, we maintain about two dozen blogs that are under constant siege from blog spammers, people who use automated software that helps them post links to their spam sites or whatever they're hawking into comments on our blog posts.

I spend at least 20 minutes a day cleaning up spammy comments and trackbacks that people place on SecurityFix. We are putting in place some procedures that should make this much less of a problem, but I'm not at liberty to discuss that until it's live.

To your question about that specific post, it appears as though that person tried to post a comment that linked back to a site that offers quotes on auto insurance policies, or at least allows the visitor to offer their information and agree to be contacted by a set number of auto insurance salespeople. We have certain filters in place that either completely nix spammy posts like that or simply strip out spammy hyperlinks. It looks like the latter was in action on the post you pointed to in your question.


Washington, DC: Would it be _possible_ for ISPs to scan their customers' computers to look for bot/zombie (or whatever they're called) malware that hackers use to take over these computers to send out spam, do DOS attacks, etc.? Or, are the doorways into such malware encrypted or otherwise hidden so they can only be found by whoever put them there? (Notice and privacy concerns are issues, of course.) Other than getting everyone to keep their AV software up-to-date (and even that has limitations), my thought is to enlist ISPs to help w/ the bot/spam problem.

-- Ira

Brian Krebs: You raise a very important question. This has been one of my pet issues for a long time. Internet service providers can do a great deal to block malware from spreading around their networks by filtering out certain Web traffic that has no business traveling from one customer to the next, such as that which enables shared folders and files on Microsoft Windows computers. By filtering out this type of traffic alone, ISPs can dramatically cut down on the spread of viruses and worms amongst their customers.

Similarly, many ISPs now block electronic communications that travel on port 25, which is the address used by e-mail servers. Most ISPs rightly see no reason why their residential customers should be running e-mail servers on their systems, and in most cases a home computer that IS running a mail server is infected with a virus that is trying to use the machine to send out spam.

When it comes to botnet infections, those nasty invaders that let hackers take remote control over thousands of hacked computers simultaneously for a variety of nefarious purposes, ISPs are a bit more spotty in their approaches. Some are fairly good about zeroing in on customers who are quite obviously infected with some kind of botnet, especially if they are involved in a distributed-denial-of-service (DDoS) attack on a Web site. Some will go so far as to quarantine those customers and not permit them back onto the network until their machines are clean (this is an approach used by most colleges and universities, and it is essential to keeping large networks under control from a security perspective). Unfortunately, too many ISPs do not take this kind of offensive approach to botnets unless they are forced to do so by another ISP (whose customers may be being attacked) or law enforcement (when a phishing site or other scam is found to be hosted off of a hacked customer's machine).

The other issue here is that not enough ISPs do what they call "egress filtering," which prevents attackers from using hacked machines to spoof or fake their IP address when attacking others. With simple filtering rules in place, ISPs can simply drop any network traffic that does not originate from an Internet address that belongs to them, but you'd be surprised at how many ISPs don't take this simple but critical precaution.


DC: Is there an independent group you trust to give an honest report on the number (and severity) of browser vulnerabilities?

It seems like everyone says their browser is the best, but I see numbers all over the place to support both sides...and yes, statistics can easily be used to support any argument.

I'm wondering if there is a company browser vendors can agree that 'Company X' is the industry security audit group and they respect the number and severity of vulnerabilities reported by that group.

Brian Krebs: DC, rather than asking a company who may or may not have a horse in this race which browser they prefer, why not let the data speak for itself? I'm going to cut and paste below here something I wrote in the comments section of a recent blog post about new security updates for Firefox, wherein the usual back-and-forth jabbing between Firefox proponents and Internet Explorer defenders took place. I urged people to base their opinions about the relative security of the two browsers on real, hard data, not emotional responses.

I'd encourage anyone commenting on the security of IE vs. Firefox to have a look at the DATA on patches released by both that I compiled earlier this year.

The spreadsheets compare how long each browser was vulnerable to known vulnerabilities.

Here's what I found:

For at least 38 days in 2005, IE was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

For Firefox, there were about 35 days in 2005 where exploit code for a known vulnerability was available for an unpatched flaw, and zero days when a worm or virus was known to be taking advantage of an unpatched flaw.

The numbers were even worse in 2004.

My two cents: all software has vulnerabilities: for me, the real clincher is how quickly the vendor addresses those problems when brought to their attention. For that reason, I favor Firefox, and use it almost exclusively -- unless I absolutely need to use IE for a site that I trust.


Sterling, VA: Sometimes in the middle of my screen, for no reason, a window comes up for a couple of seconds and goes away; it's not on a regular basis. It looks a little like iTunes, but is not -- a little like we would imagine a ghost.

Brian Krebs: Next time that happens, hit Ctrl and the "Print Screen" keys at the same time, and cut and paste into a word processing document like Microsoft Word. That should take a snapshot of whatever it is that's popping up so you can take a closer look. I don't have enough information to diagnose your problem: it could be something as innocent as a pop-under advertisement, your anti-virus program saying it has updated its definitions, or it could be spyware related. When was the last time you ran an anti-virus scan on your entire PC? How about an anti-spyware scan?


Alexandria, Virginia: Hi,

I'm a network administrator for a gov't agency in D.C. With all our work to protect security, the biggest threat still is the uneducated employee or contractor who knowingly gives out information verbally or in writing, downloads from insecure websites, or takes work home that is not encrypted or password protected (i.e. the current VA data theft scandal). I think this will continue to go on because there will always be people who unknowingly (or knowingly) do dumb things...Your opinion on security and how it might be better or worse in the future?

Brian Krebs: Hello Alexandria. Good question. I can't argue with any of your points. I would just add my reaction when I heard about the loss of personal data on more than 26 million veterans at the VA. I couldn't help but wonder how many other agencies had suffered crucial data losses like this one and DIDN'T detect it or have it reported? I understand from the articles I've read that this got reported to the VA higher-ups sort of by accident, and well after the actual incident occurred.

Given that most federal agencies have flunked their annual computer security tests for many years running now, this scale of data loss is really unsurprising, I am sad to say. One of the greatest threats to physical and network security is the user: human beings make mistakes, they make poor decisions, and they can be duplicitous and sneaky and abuse the trust placed in them. It seems to me one way to guard against this same exact problem from re-occurring would be for the agencies to get very, very strict about making sure employees never leave the building with such sensitive data, and that the data is kept in an encrypted form at all times when not in use. From what I read, this particular employee whose laptop was stolen had a history of taking the data home with him on his laptop, unencrypted. He has since been dismissed by the agency, but there is some question, given the VA's history (they received an "F" for computer security the past four years running, with one exception -- a D), as to whether the repercussions from this incident shouldn't go all the way to the top.

Either way, the veterans at this point are the ones left holding the bag. So far the best advice has been for these current and former servicemen and women to pay $11.99 a month or however much it costs to have a credit bureau monitor their credit for signs of identity theft. But there are serious problems with this recommendation: for one thing, consider that there are three major credit bureaus, and not all of them keep the same records. Secondly, who's the big winner if everyone takes that advice? Why, the credit bureaus: imagine 26 million people paying $12 a month for credit monitoring services? That would be a $3.7 billion windfall for the credit bureaus. In my opinion (and this is just my personal opinion), the vets should not have to pay for this service directly.


cYB0rsP4Ce: Are you going to any conferences this year?

Brian Krebs: Yes, I went to CanSecWest in April and plan to attend DEF CON and Black Hat in Las Vegas again this summer. I may attend other security conferences this year but haven't planned any so far (I will be back at ShmooCon again, but that's not being held until March of 2007).


Washington, D.C.: Windows administrators will be busy next week, as Microsoft plans to release a whopping 12 security patches for its products. The updates will include a fix for a widely reported vulnerability in Microsoft Word, as well as changes to the way Internet Explorer handles ActiveX that might cause headaches for some. Security Fix: Microsoft Plans 12 Security Updates Next Week

Brian Krebs: Yup, yup. For more information on the ActiveX thing this commenter mentioned, check out the previous blog posts I wrote on this subject, and Microsoft's advisory.


Hartford, WI.: Recently when I attempt to scan/check my HD, upon reboot, it says it cannot open the disk for direct access. Any advice on what's going on there? HD failing or ???

Brian Krebs: Microsoft has acknowledged your problem in an advisory, wherein it says it has noticed this behavior on Windows XP Home and XP Pro when you schedule the Chkdsk utility to run at startup. Microsoft says this happens on machines that do not have the latest Service Packs installed. You didn't say whether you were running XP with Service Pack 2.

I guess one way to avoid this is to not allow Chkdsk to run on startup -- But unfortunately this involves editing the Windows registry, which controls what programs start when Windows boots up. I say unfortunately because if you don't know what you are doing, **you can seriously mess up your machine.** If you do attempt to edit the registry (instructions for this hack are below), **make sure you read, understand and carry out all of the instructions** (might not hurt to print them out either) on how to back up and restore the registry.

To change the registry settings so that Chkdsk does not run on startup, try:

1. Run the Registry Editor (regedt32.exe)

2. Under the HKEY_LOCAL_MACHINE subtree, go to the following subkey:

\SYSTEM\CurrentControlSet\Control\Session Manager

3. Change the BootExecute entry to:

autocheck autochk *

Exit the Registry Editor; you may need to restart or log out of Windows for the change to take effect.


Brian Krebs: Hard to believe, but it's been more than an hour and I'm out of time. Thanks to everyone who submitted questions: I only wish I had time to get to more of them. Thanks for dropping by, and be sure to stop by the Security Fix blog once a day to stay up to date on the latest security goings-on, online threats and updates.


Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. is not responsible for any content posted by third parties.

© 2006 The Washington Post Company