Security Fix Blogger
Friday, October 20, 2006 11:00 AM
A transcript follows.
Brian Krebs: Happy Friday, everyone! We're a tad light on questions today, so please don't be shy about submitting something if you've got a security-related question or problem. With that, I'll dive right in.
Kensington, Md.: Brian,
Just hit a Web site and got back what appears to be a hack. Are you familiar with the hacker group shown below? A quick google search did not provide me with enough info to know whether it's something the webmaster needs to respond to quickly or, just as important to me, whether I need to be concerned about my system (a Win2K system with fairly robust protection.)
Whoops - it seems the Post won't accept the text from the site but it refers to "spykids ownz your system"
Brian Krebs: It's probably nothing more than an automated Web site defacement; it is unlikely that you have anything to worry about.
It's hard to believe that this kind of thing still goes on, but it's equivalent to gangs of youngsters running around spray painting their gang signs or slogans on buildings and walls. In most cases, this type of digital graffiti is done en masse, using software that looks for web sites running outdated software that criminals can use to break in and replace the home page with whatever they want. In some cases, the criminals actually use that access to create other mischief, but most times like I said it's nothing more than an automated defacement. For a good look at this kind of thing, check out the
Silver Spring, Md.: Brian,
Have you tried Internet Explorer 7 yet? Any thoughts? Should stubborn IE users (like my girlfriend) upgrade now, or should they wait to see if any initial bugs develop?
Brian Krebs: Yes, I have test-driven IE7, though I confess I haven't spent a whole lot of time cruising the back alleys of 'Net with it (more to come on that front, however.)
If you know someone who is stuck on IE, nudging them toward IE7 is a good idea. It includes protections against ActiveX attacks, and has other features that attempt to help protect users from themselves. It will no doubt have security flaws just like any other piece of software (there is some recent news that suggests one IE6 specific bug made its way into IE7) but for now it appears to be a significant step forward for Microsoft.
One note about installation: it failed on two PCs of mine when I tried to install it using the "run as" command in a limited user account. It will also attempt to validate your copy of Windows before installing.
Alexandria, Va.: Hello,
Microsoft is notorious for rushing products to market. It would seem that MS is pushing Vista to market well before it is ready. Not having been able to obtain a copy myself, I am not sure what to expect. Do you think Vista will be delayed again? If not do you think it will be ready or full of holes when it is released?
Brian Krebs: I have no doubt Vista will be full of holes. The bad guys may not find them right away, but that just takes time, and for a while Microsoft may enjoy a brief lull or drop in successful attacks if a significant number of customers move to Vista. That said, just as Service Pack 2 on Windows XP made it harder for certain classes of attacks to work correctly on those systems, Vista adds some new protections that may raise the bar for the bad guys.
My big question is not security exactly but usability in Vista. Will third-party driver makers get their stuff together by the time consumers start using Vista? If you install Vista on your existing machine and it doesn't recognize your keyboard (don't laugh, this happened to me with a Microsoft keyboard and mouse) that could be a problem. In the name of security, Vista also makes the user make a whole lot more decisions about whether he or she trusts or really meant to install or run a program. This is a tough problem for Microsoft to work around, but I'm afraid it will just groom a new generation of Windows users who blithely click "yes" to every prompt that pops up.
Merion Station, Pa.: Comment and two questions: I've found Lavasoft's Ad-Aware a useful tool. I have a paid version on my primary computer. When I went to the Lavasoft site to download the free version to a new "fun & games" computer, all I was able to find was their "personal firewall". I already have a good firewall. Have they discontinued the earlier product? Is there something better in your opinion?
Brian Krebs: I just visited the Lavasoft.de site and was sent to this link here to download a copy of Ad-Aware Personal, which appears to still be free and freely available for download.
Warrenton, Va.: Brian, I had read on a couple of the Microsoft IE developers blogs that IE 7 is a complete rewrite of the browser yet we see yesterday that there is a flaw in IE 7 that has existed in IE 6 for months which leads me to believe it is built on IE 6 code base. How well do you think Microsoft did in producing a secure browser? Secondly, would you recommend IE7 be used or do you still think Firefox is the best browser?
Brian Krebs: See my reply above to a similar question for answers to your first. On the issue of IE vs. Firefox or whatever, it's a good idea to upgrade to IE7 whether or not you or your family uses another browser for regular surfing.
I've been playing with IE7 and think it's pretty slick overall, but it's not as intuitive as it probably needs to be for most users who might want to adjust settings. For example, the menu options are hidden off to the side of the browser.
Strongsville, Ohio: Happy Friday to you, too. Since you're a computer security expert, would you be willing to give your $0.02 on electronic voting? Thanks
Brian Krebs: Sure. It's a bad idea.
Let me be clear: in theory, it's a nice idea. But the current systems adopted by many states and voting districts are based on a proprietary system that has been shown to be inherently insecure. Backers say, well, wait...the only way you could have election fraud would be if someone working in the polling station with access to the machines rigged things. No, that never happens.
To compound issues, the same people backing electronic voting are resisting calls for paper records of each vote. Having some sort of real-time accounting of the electronic records strikes me as essential to counteracting any attempt at election fraud. But then you're left with the question of well, if you're going to require a paper record, why the heck should we move to an electronic voting system in the first place? Good question.
Washington, D.C.: Do you feel that Microsoft's entry into the Anti-Virus market will hurt companies like Symantec and McAfee?
Brian Krebs: No, McAfee and Symantec will do just fine, thank you. If these companies go out of business anytime soon, it will be because they failed (again) to react quickly to the latest threat that emerges. You only need to look at Symantec's acquisition spree of late to know that they are trying to lessen their dependence on revenue from anti-virus software subscriptions. Reactive security (such as most current anti-virus software) is only so useful: what people desperately need is technology or services that can help them prevent problems in the first place.
Microsoft's offerings are geared toward people who want to install AV on multiple machines. Symantec and McAfee also are moving into that space, although their price point is not quite as low as Microsoft's.
I'd love to see Internet service providers getting into the business of better protecting their customers, and I think people would pay more for a managed solution. But alas, ISPs (especially the larger ones) are sort of like lumbering giants whose main business appears to be making sure the customer support line doesn't ring and cost them another $20 per call, so it's hard to see how they would make this work. But, I digress...
Mount Airy, Md.: We're thinking of using Postini's email filtering service for our corporate email. Do you have any experience or knowledge of Postini's email services?
Brian Krebs: I have used it for the past five years and think it works extraordinarily well. I like it because I often can go in there and fish out spam or phishing e-mails that I need quick access to for stories or intelligence on some new threat, plus it separates out e-mails that contain virus infected attachments, which is kind of nice, too.
A couple of gripes: it limits the number of exceptions you can create to 4,000 (these are the addresses of "approved senders"). You're laughing now, I can tell, but believe me that's not a large number. I can no longer allow additional approved senders until I delete some of the ones I've already approved. Also, as with any spam filtering system, you're going to need to check it pretty regularly, as legitimate mails that you want will get caught in the filter.
FHS Alumni 1981: Hi Brian, I've been using IE7 beta on a "test" machine for a few months with very few issues. However, I installed the final release yesterday on my "real" machine and, while I haven't encountered any major problems, I have noticed that when using the BACK button I don't really go anywhere for several clicks. When I use the drop down to see the history in the back button, it seems that there's an entry for each popup that's been blocked, and the actual page I was on previously is two or three items down. I hope I've explained this sufficiently for you to be able to offer an opinion. I noticed it most prevalently on IMDB. Love your column!
Brian Krebs: Go Rebels!
I'm not quite certain I understand your question, if there was one. But it may be that some sites don't work as well as they should with IE7, perhaps because they have not optimized the site to work with the new version. Weird that it lists pop-ups it has blocked in the history, though. I'd not noticed that.
Flash Headache: So if I upgrade to IE 7, will I FINALLY be able to install Adobe Flash 9.0 on a Microsoft browser on my computer? (Never had any problems installing on Firefox)
Brian Krebs: You poor thing. I feel your pain, I do. Just know you're not alone. If you do install IE7, will you promise to circle back in our next chat (two weeks from today) and tell us if it helped you fix the problem (which I've not been able to replicate on my end)?
20782: I want to say thanks for your blog. Recently, you alerted me to updates for Office 2000 and I discovered it had been 3 years since I had installed any patches (bad me). I just wish Microsoft made it easier to keep track of updates as the automatic update I installed doesn't always work. One ?-Why should I bother upgrading to IE7 since Firefox is a superior browser? IE6 works fine for the limited amount of usage I need.
Brian Krebs: Thanks 20782; glad to know it was helpful.
Would you leave a loaded gun sitting on the table in a house with toddlers? Hopefully not. Okay, that's a little harsh, but think of it this way: lots of things on Windows use IE's built in rendering engine, and if you have a more secure version of the browser available, why not switch to it? This advice is especially aimed at households where more than one person uses the PC.
Charlottesville, Va.: I agree with you that ISPs should do a better job with security protection, and I add spam abuse too. Has anyone developed a set of security and spam protection metrics of what one should look for when comparing one ISP with other?
Brian Krebs: Great question, Charlottesville. I have been bugging a couple of big security outfits (who will remain nameless for the time being) to use their significant view of the Web and contacts with ISPs to create some kind of ISP survey and/or comparisons on this front. Alas, there isn't a lot to compare, really. A few ISPs like AOL and Earthlink are doing a commendable job in at least trying to offer users security add-ons. But as for the major ISPs, fuggeddaboutit.
DC: Hi -- Here's my problem: I updated some of my software (including the Microsoft stuff) and my ZoneAlarm firewall software (I have the professional edition). Right after that, the WaPo stopped allowing me to post in any blogs on its site, telling me that I have to "set referrals" in my browser. I use the latest version of Firefox as my browser. I've communicated by email with the WaPo IT guy, who told me how to set the referrals. Turns out the referrals were set correctly anyway. My next stop on this train is to call Zone Labs and see if that's the problem. What do you think?
Brian Krebs: Hi D.C., thanks for your patience. Msg me privately again please and we'll see if we can't get to the bottom of this once and for all.
Bob, Baltimore: Is it me, or has there been a significant increase in spam and spyware distribution within the last month or so? If so, is this attributable to anything in particular?
Brian Krebs: It might be you, Bob.
Haha, just kidding (but seriously, it just might). It's hard to find a time in recent history when attacks from spyware, viruses, phishing, etc., have DECREASED.
Just out of curiosity, how is it that you perceive this increase? Is it because you're finding more unwanted junk on your computer?
In answer to your second question: there's a lot of money to be made in cybercrime, and there appears to be no shortage of inexperienced Internet users out there who venture forth online each day for the first time without even the common sense to look both ways before crossing the virtual street.
Anonymous: Brian: I have a problem with very tiny fonts that I can hardly read on my IE page. Also in Microsoft Word, when I type a letter the print is very small even though I try to use font size 12. Any suggestions.
Thank You, Frank.
Brian Krebs: HI FRANK. HOPEFULLY YOU CAN READ THIS (I'M NOT SHOUTING). THIS IS PROBABLY A DUMB QUESTION, BUT HAVE YOU TRIED ADJUSTING THE FONT SIZE WITHIN IE? IF NOT, GO TO "VIEW", THEN "TEXT SIZE," THEN PICK A LARGER SIZE THAN THE ONE THAT YOU CURRENTLY HAVE IT SET TO. IF YOU DON'T SEE AN IMMEDIATE CHANGE, TRY CLOSING OUT OF THE BROWSER COMPLETELY AND RESTARTING IT.
Falls Church: I just purchased a new computer. I want to donate my old one. Is there software I can purchase that will wipe everything off the old one? Thanks
Brian Krebs: No need to purchase anything. Go download and run "Eraser," an effective and free hard drive wiping utility. Check it out here.
You might also get some mileage out of
we had a while back on this topic over at Security Fix.
Washington, D.C.: I'm trying IE 7 on a secondary system. I read all the details of Microsoft's Phishing Filter, and then some of the historical traffic on their IE Blog and other places.
How do you feel about the information stored? For me, the 'query stripped' URL isn't the primary privacy concern. It's -storing my IP address-. This sounds like a ridiculous requirement. They're not going to be able to identify and block phishing sites without knowing where -I- am? I don't like to mindlessly bash Microsoft, but this is ridiculous.
Note: while I use Firefox almost exclusively, certain sites require IE, which is why this is an issue for me.
Brian Krebs: If it bothers you, don't use it. Do you really think Redmond doesn't already know your IP address? What with the "Windows Genuine Advantage" anti-piracy program (which you basically have to agree to install in order to upgrade to IE7), Microsoft already knows what it needs to about your machine. See this blog post about WGA, and specifically these slides, which offer a rather stark view of Microsoft's outlook on its customer base.
Washington, D.C.: Electronic voting: while the geeks have valid concerns about potential holes in the technology, it's human error and/or perfidy that's the real issue. I'm a volunteer election [voting unit] judge in a Maryland county that didn't have the horrific problems of Montgomery or PG during the primary election. Things worked more or less flawlessly. I think there's a lot that could be done for the next generation of digital voting systems. For the time being, just adding verifiable paper trails would be the best solution, and would satisfy me that the machines are much less vulnerable to tampering than the human part of the system.
Note: calls for ditching the touch-screen machines and going back to other systems before next month's general election are patently ridiculous. There's no way that could be done effectively - it'd make the Montgomery fiasco look negligible.
Brian Krebs: More thoughts on electronic voting from people in the trenches.
Brian Krebs: Wow. We started this chat light on questions and got flooded shortly after I opened my big mouth about it. Thanks to everyone who submitted questions, and again I apologize for not being able to get to all of them. Thanks for dropping by, and please join in the discussion and community over at the Security Fix blog. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.