Security Fix Blogger
Friday, November 17, 2006 11:00 AM
A transcript follows.
Brian Krebs: Good morning dear Security Fix readers, and Happy Friday to you all. I'm guessing by the paucity of questions in the queue that everyone is busy heading out of town in advance of the upcoming holiday week. If you've got a security-related question or a question about something I've covered in the blog or print, now's the time to fire away!
Cody, Wyo.: Hi Brian, I just read your article on "Supercerts" from November 8. I have a small website and I accept credit card orders from customers. I'm getting more concerned about security for my customers' personal data, especially their credit card information. I've taken all the security measures I can think of, including encryption of orders emailed to me. But if there's more I can do, I'll do it.
In your article, Bruce Schneier, the chief technology officer for Counterpane Internet Security, said the current SSL certification validation process is "laughable." In your opinion, is it worth the expense for me to get a SSL certificate from a reputable company like VeriSign -- or not? Thanks! John
washingtonpost.com: 'Supercerts' Aim to Highlight Legit Web Sites (Nov. 8, 2006)
Brian Krebs: Hi Cody. A couple of questions: I'm assuming that since you accept orders over the Web that you already have an SSL cert, is that correct? Great to hear that you're encrypting the data: it's an absolute must, but I would doubt many smaller online shops do that.
To your question about EV (super) SSL Certs, this is a functionality that is still in its infancy. Microsoft is gunning to support them in IE7, and Mozilla isn't ready to talk yet about what its plans are with respect to the technology. No doubt they will all get there at some point, but keep in mind that these certs are likely to cost many, many times what normal SSL certs would cost, and the early adopters will be mainly the banks and major (as in household-name) e-commerce companies.
I'm not even sure the SSL companies are even offering these yet. In any event, I would wait to see how the adoption plays out with these companies before even thinking any more about this. And even then, there is a good chance that phishers and scam artists will find clever ways to spoof the "proof" offered by these supercerts (i.e., overlaying a green border around the URL field so as to make visitors THINK they are on the bank's site.)
Arlington, Va.: Brian, Just over two years ago, I purchased McAfee AV 2005. It came with one year of virus signature updates. A year ago, I re-upped my subscription. A few weeks ago when my subscription expired, McAfee's website said they no longer support signatures for the product. But they did recommend I pay something like $40-50 for a security suite. (I have Zone Alarm and Defender, so I only needed AV.) Has AV 'detection engine' technology advanced so much in the past two years that my product was really out of date? Or do you think (I do) it was a conscious decision by McAfee to drop support? Perhaps they dropped support to focus their AV efforts on Vista? In the end, I downloaded the free version of AVG. My point is that software companies should realize they can keep getting money from happy customers running slightly older products, but may lose them if they attempt to force them into upgrade hassles -- there are too many competing (and often free) products out there.
Brian Krebs: Many companies phase out support for older versions of their software because of major changes to the software that are not forward compatible or because they simply do not want to incur the cost of supporting older versions. That surprises me to hear for a 2005 version, but there you have it. I'm not going to speculate on their motives, but perhaps they gambled that forcing users to "upgrade" would encourage existing users to stay on. Apparently, in your case, they guessed wrong.
My question to you would be, do you like the anti-virus-only service you've gotten from McAfee already? You say you already have all of these other security needs covered by third-party software, so it sounds like you're happy with your setup. I've made no bones about my dislike of security suites -- especially those made by Symantec and some of the larger anti-virus companies -- they keep promising faster and more sleek software... but it always seems to get fatter and slower (assuming you aren't going out and buying top-of-the-line PCs every time you "upgrade").
I can't fault you one bit for doing what you did -- that is -- attempting to send a message to companies who do this by voting with your feet and moving to another product. Good for you.
Mechanicsville, Va.: What's your early read on Vista's security, as compared to Win XP SP2?
Brian Krebs: My early read is that many people who are thinking of upgrading their existing machines from Windows XP to Vista are in for a rude awakening. Vista is resource-hungry and demands some pretty powerful hardware that I'm guessing a vast majority of casual computer users (i.e. not gamers or PC enthusiasts) simply don't have. But that doesn't address your question about security, does it?
On security, it looks like Microsoft has done a fairly good job building a system that is quite a bit harder against malware and direct attacks. But it remains to be seen how well the system will protect users from themselves. I say this because some of the most successful and widespread attacks we are seeing today are social-engineering based, meaning they try to trick the user into taking some action that is not in their best interest or in the best interests of the security and integrity of their machine.
I'm willing to bet that for about 6 months to a year following Vista's release, we see a moderate decline in the number of attacks that succeed in circumventing Vista security at levels that could be disastrous for the user. During that lull, as more users upgrade to Vista, the bad guys will be whacking away at the system and learning ways around its defenses. Meanwhile, I would look for a marked increase in social engineering attacks against Windows users.
So I guess that's a long-winded way of saying that social engineering attacks will succeed no matter what, and in the end no amount of system security will stop the user from hosing his or her system. By default, Vista is set up so that the standard user account doesn't have full system-level rights to do whatever he or she pleases on the computer. That's important, because with XP, the majority of users run as administrator, and that means when something takes advantage of a flaw in your machine to gain access, it gains access at the level of administrator (assuming, again, that the victim is logged in under the default admin account).
Sure, you can say, well, perhaps the keylogger or bot won't have root-level privileges to change system settings or do this or that. But what does a keylogger care if it has to run in memory at the level of the current (non-root) user? It doesn't. That user will probably go a long time without rebooting the machine, while the keylogger happily steals data when the user enters sensitive username, password and credit card data at e-commerce and bank sites.
Anyway, it should be interesting to see how it plays out. Thanks for your question.
D.C.: Hi Brian - I appreciated your article on EV certs, they don't seem to be getting much traction in other media outlets so I applaud you for leading the pack. In reference to an earlier question, you are right the costs will be higher than that of SSL certs issued today, mainly due to the extra work the CAs will have to do in order to validate the business. I've been told that CAs expect to begin selling the first EV SSL certs in January or February. Site owners like your earlier emailer should expect to take a few weeks (at least) more beyond that date for the CA to complete the process review and issue the cert. Lastly - I agree scammers will try to find ways around EV SSL, but it wouldn't be as easy as painting the green border - that trick has long been shut down by all browser vendors. EV has a few mechanisms built into it that should prevent spoofing at lower levels and the browsers appear to have closed holes on the higher levels.
Brian Krebs: Some more thoughts for the individual who posted the question about extended validation SSL certs:
Pasadena, Calif.: About a week ago I received an automatic notification from Microsoft for an upgrade for my IE7. Curious, I checked to see what that upgrade was and found a tool bar icon for One Care Advisor. Already equipped and quite satisfied with AVG, I saw no need for another anti-virus et al tool especially one that will soon have a fee attached to it. I unchecked the tool bar box hoping that will prevent any conflict of programs. Question 1: did that neutralize One Care. Question 2: How can I remove the One Care program if it downloaded to my machine. And Question 3: isn't there something unethical about MS's marketing practices here?
Brian Krebs: No, you can always access OneCare if you so choose to in the future by visiting the OneCare site. Someone please correct me if I'm wrong here, but I don't believe it downloads any OneCare items to your PC (especially if you ask the thing not to install the toolbar).
Not sure I see anything unethical in the toolbar itself. Now, if by that you mean anti-competitive... well, the jury is still out. What should be interesting to watch will be how Microsoft markets its own anti-virus and security services in Vista. It has said it will include links to other third-party AV products in its Vista Welcome screen, but I've not seen the final product yet, only the latest beta.
Brian Krebs: A couple more thoughts on the question from the Mechanicsville reader.
One, even people who upgrade to Vista or buy new machines with Vista already on them, will probably still use other legacy Microsoft software, such as Office 2000, e.g. These are among the most-targeted Microsoft platforms (one need only look at the sheer number of zero-day vulnerabilities targeting PowerPoint, Word, Excel and other Office products this year).
Also, I would be remiss if I didn't use this opportunity to point readers to a tutorial I wrote on setting up Windows XP so that the default account is a non-admin account. See this blog post here.
Harker Heights, Tex.: Hello Brian, I have a HP Pavilion zd8000 laptop. It takes this computer forever to boot-up, and it frequently freezes while I am working. It even closed when I began typing this. This week I downloaded a program to clean the registry, and the program finds errors and corrects them. However, this computer still takes forever to boot-up, and it continues to freeze while I am working. Please, please, please offer some guidance. I am seriously considering buying a new laptop, but this one is only a year old. Help me, please. Michael
Brian Krebs: Hi Texas. I got a similar question this morning from a reader in Mississippi. Have you taken a look at a free tool called HijackThis? It's an excellent utility that I would recommend everyone who uses Windows download and use. Basically, it's a way for you to find out which programs try to load when Windows starts up. It's quite effective in helping to resolve spyware infestations, but it also lists all the third-party software plugins and perhaps the start-up remnants of older programs you've maybe long forgotten were on your machine.
By whittling down the number of programs that compete for resources when you boot up Windows, you can significantly speed up the startup.
One final note, bear in mind that HijackThis requires you to first download and install Microsoft Visual Basic Runtime 6.
Cody, Wyo.: To answer your question on the SSL certs, I believe my website host has an SSL cert, but I'm not sure how this all works -- my technical ignorance is showing here. I agree with you -- most small websites like mine do not encrypt order data. I'll take your advice, and just wait on this super cert thing. I've never had any problems with security breaches, and don't anticipate any.
Brian Krebs: Thanks for circling back, Wyoming. Also, see the thoughts from the other person who replied to your question.
Newland, N.C.: Can a keystroke reader detect a user name and password that I paste in with my mouse? They are sourced from a text file that has them embedded in a paragraph of phoney language.
Brian Krebs: Thanks for your question, Newland. There's a popular misconception about the way keyloggers work, and perhaps we need a better name for these devices, because the vast majority of what are termed "keyloggers" do not in fact record everything you type on your machine. Unless, of course, you are talking about the "legal" keyloggers openly sold and marketed to suspicious husbands and wives or parents who want to spy on what their kids are doing online.
The reason is that for just one user, the amount of data recorded would easily reach into the double digits of megabytes each day or week. The criminals who deploy these things aren't interested in your online chat conversations or what you want to say in e-mail. Furthermore, recording and transmitting all that data would be infeasible.
Rather, what most keyloggers do is better described as "form grabbing." That is, they wait until you visit a site that asks for a username and password: generally these are https:// sites, those protected by SSL. Now, when you hit "submit", the keylogger will grab a copy of the information you are submitting and steal that. SSL does nothing to protect your information from being stolen if you have a keylogger on your machine.
You will see a lot of companies claiming that their approach to fighting keyloggers works best because you're either submitting your data on a virtual keyboard, or through mouse clicks and so on. From where I sit, those technologies are similarly vulnerable: at some point, you have to submit the data, and that's where the form-grabbers come in: they grab the data as it is being submitted.
Also, most keyloggers, form-grabbers, whatever you want to call them, will by default go in and rip out any usernames and passwords you have asked to be stored in Internet Explorer. That's just standard practice.
Tampa, Fla.: I think my sister's PC has malware, but I can't find it. It started running very slowly, far slower than another PC of the same brand and configuration. It takes forever to boot up, open applications, change users, and shut down. It runs OK, though, once an application opens. It has Norton's full security suite, yet full scans reveal nothing. Same with Ad-Aware, Spybot, and Windows Defender. She uses a 4-year-old eMachines running XP SP2. It has 256 MB RAM and a 1 GHz processor. It ran fine until about a year ago -- then slow as molasses. Any suggestions?
Brian Krebs: A couple of suggestions. 256 megs of RAM is about the minimum you need to run XP. I'd suggest, after you've considered the other steps, that if you don't plan on getting a new machine you should order some additional RAM (I think you'll find 1 gig of RAM would speed things up significantly).
But all the RAM in the world won't fix a machine that's been hobbled by spyware, viruses or simply just old programs with device drivers hanging on all over the system. I'm guessing she hasn't re-installed the operating system since the day she bought the computer, so one option might be to back up the data and reinstall, assuming she still has all of the install CDs, etc. That would give you an opportunity to set the machine up properly with the right limited user accounts (see above response for links on how to do that). Reinstalling is a royal pain, but it almost always solves all stability and slowness problems.
Also, I'd offer this advice to anyone: invest in a program that allows you to back up complete images of your hard drive. When you go to re-install, create a second (or third) partition that you want to keep all of your data on, and then make the C drive (the one you want to install Windows on) the default installation drive. Set the size to perhaps 40 gigs if you have that much space, and install Windows and any programs to that drive. Once you have your system set up, point the "My Documents" folder to a folder on the D or E drive, and save all data to those folders. Then, when you've got the system the way you want it, use your backup software to create an image of the C drive and save that on another partition (or better yet on an external hard drive). That way, if or when Windows starts acting up again, simply copy the original image back to the C drive, and you're back in business.
I know this sounds like a lot, but imaging software has saved my bacon on more than a few occasions. I recently had to restore an image when several programs on one of my PCs started acting up and exhibiting strange behavior, and I was relieved to find that after restoring the image I only had to reinstall a couple of programs to bring the machine back to its previous, healthy state.
San Juan Capistrano, Calif.: What will be the security concerns of the future as we become more connected to a unified personal media device?
Brian Krebs: Eventually, they will not be too dissimilar to the problems we're facing with PCs today. The main saving grace for mobile platforms so far has been the dearth of OSes and architectures deployed on these systems, which seem to change with each new version of phones that come out.
Are we getting to the point where people need to go out and purchase some anti-virus product for their phones? I don't think so, and I hope we never get to that point. Most of the threats we have seen so far for mobiles are social-engineering based, in that they try to trick the user into opening some file, or something like that.
More scarily, I'd say the threat from malware designed to steal data from mobile devices is the one we should fear most. Many people keep their most intimate details, contacts, passwords, etc on their mobile devices and think little of securing that information against theft, loss, or malware. People have been warning of an impending doom for malware on mobile devices for years, and to date we haven't seen much in the way of widespread threats. I wouldn't discount those predictions: they will come true sooner or later.
Silver Spring, Md.: Is there still a use for the Netcraft Anti-Phishing toolbar with new versions of Firefox and IE 7 having anti-phishing tools? Thanks for your blog.
Brian Krebs: There is no harm in adding extra protection in addition to the anti-phishing features built into the browser. They work happily together side by side, and no one anti-phishing technology is going to catch them all.
Brian Krebs: That's all we've got time for today, dear readers. Thanks again for your questions, and I hope you'll join us again in two weeks for the next Security Fix Live. Meantime, stop by the Security Fix blog to stay abreast of the latest threats and what you can do to avoid them. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.