Security Fix Live
Friday, September 1, 2006; 11:00 AM
A transcript follows .
Brian Krebs: Hello everyone, and thanks so much for joining us today for Security Fix Live, especially at the beginning of a long holiday weekend. With that, I will jump right in....
Lancaster, Pa.: I am an elder and travel a lot. How can I safely do online banking at Internet cafes?
Brian Krebs: You should consider either investing in a service that offers Virtual Private Networking or whether you really need to access such sensitive information over public (read: assumed hostile) wireless networks. With live CD distributions of custom made operating systems chock full of online attack tools that crackers can use to intercept traffic, it's never been easier for attackers to intercept and even modify wireless communications. Yes, at the coffeehouse, if you log on to your bank's site, it will be over secure sockets layer (SSL) technology, which encrypts the traffic so that even someone who intercepted it on the network would not be able to read it. But these same tools now come with point and click programs that allow bad guys to create their own fake SSL certificates, and it wouldn't be hard for someone who wanted to target you and your account to spoof a certificate for your bank in a so-called man-in-the-middle attack. I have seen these attacks in action, and they are not technically difficult to execute.
That said, the likelihood of someone going so far as to spoof a cert that mimics the one your bank serves is low, though not zero. But security is about trade-offs, and some people feel that using a VPN service is worth the peace of mind it gives them when they're accessing sensitive information on untrusted or unfamiliar networks. You will have to decide what it's worth to you.
Annapolis, Md.: Hi, Brian - Your discussion came up just at the right moment! I turned on my home computer last night and got a yellow "alert" icon (on my tool bar) about my email security being unprotected for Norton Anti-Virus. The "proposed fix" led me to a promotion for their Internet Security 2006 software. Is this just a way for Norton to make a quick buck or is my system really at risk without this new software? And if I'm already protected with Norton Anti-Virus, Synematec Firewall and Webroot Spy Sweeper, how do I get the current Norton alert icon changed back to a green "everything's fine" icon? (Should I just reload the program?) Thanks for your help!
Brian Krebs: Not sure what version of Norton AV you are using, but the program should allow you to scan incoming and outgoing e-mails for viruses, WITHOUT having to pay for additional services (assuming you are running an up-to-date version of NAV, that is, that your subscription is still valid). Check out this link for pointers on how to configure NAV to scan e-mail.
Matt in Arlington: Hi Brian, love your column.
I read a story earlier this week about a county government Web site that was hosting public information. After a while, their traffic got to be too much of a load for the site and they have had it down for several weeks. Is there any completely safe and secure way (and reasonably cost effective) to have information like that on a Web site?
Brian Krebs: Hi Matt, thanks for your question, although I'm assuming you meant to say the site was hosting "private" information on public citizens? I can't think of any good reason why a government site would want to do that. If you check out today's column in Security Fix, you'll see that the improper display of citizens' personal information on government web sites has led to the compromise of data on more than 2.1 million Americans over the 16 month period ending in May.
Rochester, Mass.: Brian, What's your take on the methodology Consumer Reports used to test AV suites? Sounds like a solid way to test for unknown attacks to me, especially with attacks getting so targeted? And as for targeted attacks, what's the scariest anecdote you can share there?
Brian Krebs: Hi Rochester. I wrote a column just the other day that examined both sides of the controversy over the Consumer Reports anti-virus tests.
As for scary anecdotes, my employer has not be immune to targeted attacks via e-mail, and that's about as close to home as it gets for me.
Falls Church, Va.: What would you recommend as a method of completely rendering private data unreadable on an old computer that I am about to discard? A software approach or just smashing the old hard drive with a hammer?
Brian Krebs: I would advocate both.
If you're serious about making sure the data is gone and cannot be easily recovered, you'd be wise to use one or more free or commercial tools available, and then drill a few holes in the thing. I wrote
on this a while back and offered some suggestions, but some of the more interesting (and amusing) suggestions came from the comments section below the article.
Washington, D.C.: What is your policy on removing comments from your blog?
Brian Krebs: The policy is very clearly stated at the bottom of the comments version of each blog post.
Junk/spam/malicious link comments are deleted with extreme prejudice. Personal or gratuitous character attacks on the author or against other commenters is grounds for removal, as are those that include profanity, racial slurs, or inappropriate material. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed.
These policies are designed in large part not to censor readers, but to lead to a more thoughtful discussion that everyone can feel comfortable participating in. As I think you can see from the breadth of views expressed on my blog, I am very judicious about removing comments.
(address withheld): Mr. Krebs, why isn't there an effective way to fight spammers? Why can't I just submit their IP or email address to some authority or activist organization and put them out of business? - crush them with spam, redirect all their spam back at them, spam, spam spam them?!
Brian Krebs: Nearly all spammers these days use comrpomised Windows PCs to forward spam for them. They bascially infect or have someone else infect the machines with a malicious program that turns them into spam relays that spammers can use to maintain anonymity. Basically, these guys operate networks of infected machines, called "botnets", and use them to spam. So, if you have a botnet of 30,000 computers, for example, and can send out 1 piece of spam from each infected PC every second, you could easily send millions of pieces of spam each day. Sure, the victim's ISP or the guys at Spamhaus and other anti-spam groups will eventually get around to blacklisting those individual PCs as known spammers, there is absolutely no shortage of new machines for these criminals to infect and recruit in future spam operations.
Oh, and by the way that "fight spam with spam" tactic was tried, and it resulted in a great deal of collateral damage for the internet community at large, and pushed the company managing the attacks out of business after spammers used their botnets to push the company off the Internet. See my
in The Washington Post about BlueSecurity's experiment in this area.
Anonymous: My employer says they are going to a biometrics system for a time clock. I say, no one needs my fingerprints except me and the police. What security risks are involved with this sort of thing?
Brian Krebs: I don't know anything about your employer, but I'm assuming for the moment that you work either for the military or for a defense contractor or biometrics or biotech company.
What is your concern here, exactly? That someone would have access to your fingerprints would do what with it? If the police already have your fingerprints, maybe that explains some of your concern. But consider how easy it would be for someone to get your fingerprints if they really wanted them. When was the last time you ate out at a restaurant? I'd guess your fingerprints were all over the water glass served at your table.
Falls Church, Va.: RE: the question above on the rules for comments on your blog. I've noticed that many people use made-up, throw-away names for their postings, which doesn't fit the stated policy. Other comment areas on the Post's website require us to use our "registered" name. But then again those other Post areas make us look like ignoramuses by removing the punctuation marks from our comments and by not letting us preview what we have written. On balance, I'm happier with your approach.
Brian Krebs: More comments on the comments.
Alexandria, Va.: Hi Brian,
I'm running Norton Internet Security 2006 on a Windows XP PC with 2.6GHz processor and 2 gigs of RAM - and it is strangling my computer! I've seen comments elsewhere commenting on the inefficiency of Norton's code. Are there more streamlined security suites available (AV and firewall)?
Brian Krebs: I've made no secret of my dislike for the amount of system resources that Norton's product suites consume, and I believe my colleage Rob Pegoraro has expressed similar concerns. In my opinion, security suites generally do a less impressive job on any one of their constituent tasks, and often end up consuming a lot more system resources than would separate programs made by separate companies. I would venture to say that just about any security product out there for Windows today would leave a smaller system footprint than NIS.
For free alternatives, AVG personal and AVAST work well, combined with something like ZoneAlarm. I prefer Eset's NOD32 for anti-virus because it is sleek ,quiet and doesn't bother me a whole lot, plus it updates very quickly. But your mileage may vary.
Arlington, Va.: I plan on buying a new laptop. From a security point of view, is it worth waiting for Vista to come out? Thanks
Brian Krebs: Excellent question Arlington. however, I don't have an easy answer for you. I'm tinkering with Vista at the moment, and I have to say that its constant pop-up warnings asking whether I really want to do this or that or make some system change are extremely annoying, and if left unchanged are probably going to either a) turn a lot of regular users off of Windows Vista, or b) get users even more accustomed to clicking "okay" to every single dialogue box that pops up, thereby effectively neutering the ostenisble point behind the prompts.
To your question, Vista is a system resource hungry OS. Running it with anything less than 2 gigs of RAM is painfully slow, or at least not close to ideal - given all the graphics intensive pretty knobs and wheels on the thing. Most laptops for sale these days come with about 512 MB worth of memory pre-installed. It will be interesting to see what happens when consumers get their new Vista laptops home and find that they need to spend another $200 just to make the system operate at acceptable speeds. Either that, or Vista equipped laptops will be very pricey due to the inclusion of so much extra hardware power to handle the demands of the OS. But again, we'll see.
(address witheld): Thanks very much for your comments, maybe I'll try a follow up. These spam messages all have email addresses to respond to, I don't think they're fake, why not spam spam spam them?
Brian Krebs: Replying to spam is the surest way to receive even more spam. Just hit the "delete" button, or ignore it.
Oxon Hill, Md.: Hi Brian. Thanks for taking questions. I have ZoneAlarm and McAfee and I've owned my PC for 3 years and been lucky enough to never get a virus, but I've had a few encounters with spyware and the like. My question is this. I'm becoming more and more concerned with viruses that are activated just by visiting a Web site. Is there any way to prevent that. I use the Firefox browser, but I know that doesn't mean I'm not vunerable.
I tend to stick to the same sites, but my kids are all over the place and they're 17+ now and in high school and college. I'm worried about their personal information being breached. Thanks.
Brian Krebs: I answer a variation of this question in nearly every chat, and I'm answering it again because it's vitally important for Windows users.
If you're using Windows and still running the machine and/or your browser under the all-powerful administrator account, you're asking for trouble and will almost certainly get it at some point.
It's not rocket surgery, and you can save yourself a world of headache by following this advice:
Warrenton, Va.: Brian, there has been some uproar over the Macbook wireless card columns you have written in the last month or so. Being an IT professional I can see some areas where it appears that if you had more knowledge of the technology you could probe a lot deeper than you did.
Can you tell your readers about your qualifications for writing a technology security column? Do you have any training or experience in the IT security field? If not, what sort of independent experts do you rely on to confirm the information provided to you?
Brian Krebs: Hi Warrenton. If you're asking whether I have any technical certifications, such as CISSP or an MIS or CS degree, I do not. What I do have is an deep and abiding interest in and curiousity about all things computer and Internet security related. Much of what I have learned has been through devouring technical texts on the subject, some serious and ongoing hands-on learning about how systems are secured and broken into.
I would love to be able to dig down into a knowledge of assembly language and/or C programming, but alas I don't have that. For the more techical stuff, I am fortunate enough to work for a company that opens a great many doors and provides access to some of the smartest and most thougtful people in the business. About a half-dozen of my best sources I keep in constant contact with via instant message, phone, e-mail and Internet relay chat, and am not shy about boucning ideas or questions off of them when I need to (as they would no doubt attest to if you asked). Whenever possible, I am share (sometimes sanitized) information that has been provided to me in the context of an exclusive or investigatory piece.
Anonymous: re: biometrics: i work in the hospitality industry, fingerprints to use a time clock seems excessive to me. i just think we have all kinds of personal info out there in the world and no control over it.
Brian Krebs: Wow. That's a first I've heard of it being used in the hospitality industry. I guess that's one way to make sure it's the employee punching the clock and not a co-worker, eh?
Not to make light of your concern, because I don't think it's entirely misplaced. We cannot seem to keep control over our personal information in this society, and when that problem migrates to biometric data on a society-wide scale, then we will have entered into a truly terrifying era for personal security and identity fraud.
Brian Krebs: Thank you all for the questions and comments; I'm only sad that I couldn't get to more of them before we ran out of time. Please join us again in two weeks time for the next Security Fix Live, and in the meantime please drop by the Security Fix Blog and join in our discussions there.
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.