Security Fix Live
Friday, January 5, 2007; 11:00 AM
A transcript follows.
____________________
Brian Krebs: Happy Friday, Security Fix readers, and welcome to this first Security Fix live chat of 2007. The questions are piling up pretty quickly, so I'll jump right into the fray here. Please remember, if you have a technical question about your computer or network setup, please try to give me as much information as possible about your system, such as operating system, make, model of computer, whether or not you're using up-to-date anti-virus, firewall software (what brand), that kind of thing.
_______________________
Washington, D.C.: My home computer is a Dell XP 280, using AOL, which I've had for 1 1/2 years. Often when I log off after the computer has idled for a while, I get this message: "Do you wish to disconnect while others are logged on to your computer?" Since I'm the only user of this computer, what should I make of this message?
Brian Krebs: Oooh, that doesn't sound good. It's tempting to say (especially since you are an AOL user, no offense, this is just based on experience) that your machine is compromised by a bot program that lets attackers control it from afar to send spam, viruses, etc. That's just one possibility. Do you use anti-virus, anti-spyware software and keep it updated? Do you regularly download patches from Microsoft?
I showed this question to a security expert and friend of mine, who shared that suspicion and said that it sounds like someone had established a remote network connection session with your computer.
However, it is also possible that this message is generated by accident by some third-party app on your machine that's not altogether evil.
Try this: go to Microsoft's site and download this free tool here (called psloggedon.exe) and follow the directions for its usage. It's designed to help you tell who is logged on to your computer.
Best of luck and do circle back to let us know what you found, thanks.
_______________________
Chantilly, Va.: Brian, Thanks for the info on setting up the limited account in the Windows setting. It was a bit daunting at first, getting all the desktop info over to the new account, and my Opera wasn't cooperating at first either. But, it's all set up and working well. I still get the occasional tracking cookie, but that's about it.
Brian Krebs: Great to hear Chantilly. Getting a limited user account set up can be a tad rocky at first, but it's worth it in the long run for Windows users.
_______________________
Islamabad, Pakistan: What can be done about a Windows XP that is pirated, especially when Microsoft knows it?
Brian Krebs: 1. You can continue using the OS (in which case you may be prevented from downloading security updates and thus become yet another PC that gets infested with spyware or bot software that plagues the rest of the world with malware, spam, etc.)
2. You can purchase a valid XP license. From Microsoft's forum:
Assuming you have a non-genuine version of Windows XP Professional installed, you can purchase a "Full Version" of Windows XP Professional and then use the Windows Product Key Update Tool: http:/
3. You can use another (free) operating system. There are plenty of free distributions around these days.
_______________________
HoCo, Md.: Hi Brian, Been following the "Month of Apple Bugs" story, and as a Mac user, I can't figure out whether I should care about it. As of this writing, four application (non-OS) bugs have been posted -- two for Quicktime, one for iPhoto and one for VLC. Is there ANY evidence that these bugs are being exploited in the wild? If so, the PR for that evidence has been pretty bad.
Brian Krebs: Hi Maryland. Yes, there is evidence that one of the Month of Apple Bugs bugs -- the second QuickTime one -- has been and perhaps still is being exploited in the wild. That one was the same bug/feature/whatever-you-want-to-call-it that was used in the worm that stole usernames and passwords from about 100,000 MySpace.com users late last year (see this blog post for more info on that). Apple has been eerily silent on whether it plans to change QuickTime so that this can't happen again (this is another case of an ill-advised "feature"; more on that in a post yesterday on a really unnecessary and insecure feature in Adobe).
As for the other three flaws, I am not aware of any active exploitation. That doesn't mean people aren't using them for nefarious purposes, just that there is no evidence thus far that they are being abused.
_______________________
Bal Harbour, Fla.: My computer is infected with the "popcorn" virus. It cannot be removed via "Add/remove Programs". Can you suggest a "download" which will purge it from my Computer?
Brian Krebs: There are plenty of free virus removal tools available online. Check them out from this compilation here.
It's definitely an infestation, but it looks more like the sleazy commercial variety rather than the malicious type of infection.
You might consider downloading the HijackThis tool to better control which programs launch when you boot up your PC. This site here appears to have a decent list of the executables (*.exes) that are associated with this Popcorn.net P2P adware menace. Use HijackThis to find those exes and prevent them from starting up and you *should* be okay. Good luck.
_______________________
Cody, Wyo.: Hi Brian, Happy 2007! BTW, I really loved your December 27 article about Jerry Ford, especially your reminiscences about the house you and he lived in. As you said, he was a good and decent man. We could use more of those in Washington, DC.
I've got a question about limited-user accounts. I've gone back and re-read your articles on the subject. A little background here: I have Windows XP Home on both my computers, which I use to run a little home-based business. I set up a limited-user account, but -- as you mentioned in your articles -- some applications don't work well under a limited-user account, especially with XP Home. For example, my word processor of choice is Corel's WordPerfect. But it just doesn't function well unless I'm using the administrator account.
So I've set up DropMyRights for all the applications I use which access the internet -- WordPerfect, FrontPage, my FTP software, Firefox, etc. And I faithfully and regularly scan my computer for viruses, spyware, and key logger malware. I think I know the answer, but my question is: Am I safe enough operating with just DropMyRights? From what you've said in your articles, I'd guess I would be safer using a limited-user account. But it would be a real hassle to go out looking for applications to replace all my existing ones. Thanks, Brian! As always, I really value your advice and guidance. John
Brian Krebs: Hi Cody, thanks for the kind words about my very first article in The Washington Post newspaper way back when.
It sounds like you are doing all the right things. I would say you have very little to worry about. Rest easy, my friend, but stay vigilant!
_______________________
Washington, D.C.: What is the difference between antivirus software and a firewall?
Brian Krebs: Thanks for the reminder that I really need to get that glossary of cyber security terms done and up on the blog.
A firewall is designed to let you gain control over whether anyone can see or communicate with your machine from outside of your Internet connection, and on what terms. Hardware and software firewalls both are designed to do this. Software firewalls usually go a step further and allow you much greater control over which software on your PC should be allowed to communicate with the wider Internet.
Anti-virus software is designed to detect if files contain potentially malicious code that could introduce security threats on your machine. It doesn't always work as quickly or as well or accurately as it should, but it's something of a necessary evil on Windows machines for most users, I'm afraid.
_______________________
Baltimore, Md.: Brian: I wrote during the last discussion about my problems downloading a new Norton antivirus product. Happy to report that Norton walked me through using the removal tool and have promised a credit to my credit card. Then I took another poster up on the suggestion to try BitDefender and have been quite happy with it. For an extra $5, they even sent me a CD in case I ever need to reload it. Weird side note: their live help is in Romania, of all places.
Brian Krebs: I think you're better off with Bitdefender. I've heard good things about them from several readers. Oh, and their tech support is in Romania because the company is based there.
_______________________
Clifton, Va.: BIO scan readers are available on laptops, they apparently scan your thumb/finger print and permit access onto one's system rather than the traditional username/password sign-on. Do you know how reliable these scanners are, and if there are known issues in using them such as inconsistency, failure, etc? Thanks for the forum!
Brian Krebs: Clifton -- Nice question. I've never used any of those devices, so I can't really tell you. I can tell you why I never would buy one, though: The truth is that while these programs might work to deter the casual person walking by your PC from logging on to your Windows machine, there is little that finger/thumb-scanning devices are going to do to prevent them from accessing data on it if someone has physical access to your computer.
All one needs to do to take complete control over a machine that they have physical access to (including resetting or stealing the admin password or destroying or copying data) is load one of several LiveCD versions of Knoppix in the disc drive and select boot from CD instead of letting the operating system boot up. You still have to know how to use the tools on those Live distributions, but it's not that hard.
_______________________
Arlington, Va.: Brian, The new IE7 update has a number of conflicts with other software like HP Director, which it sends into the ether invisible zone. Have they fixed this problem? Are there other problems similar to this?
Brian Krebs: I'm not sure what the invisible zone is, exactly, but it doesn't sound good. More to the point, what about HP Director's behavior does IE7 prohibit? Is it just the presence of IE7 on the system that screws things up? If it's trouble using the browser to manage some portion of the HP Director software -- like an interface -- have you tried using another browser?
I've owned a few HP machines in my lifetime, and they often come loaded with a bunch of proprietary HP monitoring programs that seem to do little but take up space and memory on the machine.
That said, some Googling showed a few suggestions and possible solutions at this link and this forum here.
_______________________
Haifa, Israel: Brian, Hi, 1) You have mentioned on Dec. 15 the new AVG7.5 Free Anti-Virus program. After downloading it, should the user "uninstall" his old 7.1 version, or just do nothing, supposing the Grisoft people delete its files upon discontinuation. Please advise your readers. By uninstalling, is there no danger of deleting files of the new version, which have the same names as files of the about-to-be-discontinued version? Note: It seems this date was moved from Jan. 15 to February 18, 2007
2) I have received a pop up, telling me "your computer is trying to contact www.xxxxxx.xxx", the address being completely unknown to me. Is this a warning about some ad-ware spying? What should your reader do about such pop-ups? My anti-adware program had found nothing wrong. TIA, R.P.
Brian Krebs: Near as I can tell, Israel, AVG 7.5 should remove any previous version before it upgrades your program, so there should be no need to uninstall the previous version. At this point, there doesn't appear to be any problem with uninstalling the old version before upgrading to the new, if that's what you want to do. I didn't know about them pushing back the end date for the older version: I'll have to investigate that, thanks.
The notice you're receiving about an outbound connection on the Web is probably a notice from your firewall software that a program is requesting access to the Internet. One thing you could do is just Google search for the address and see what comes up. If you've got McAfee's free SiteAdvisor add-on for IE or Firefox installed, it may also be able to give you some information about what site the program is trying to reach.
You didn't say which firewall program you are using, and it may be Windows firewall, since most firewall software will at least let you know which program (or executable name, i.e. someprogram123.exe) is requesting access. Oftentimes that's the best clue as to whether or not it's okay to permit that connection. Process Explorer, free from Microsoft, is a good tool to use to get a handle on what system processes are running and who made them. Good luck.
_______________________
Lancaster, Pa.: Hi Mr. Krebs: There seem to be so many security issues confronting today's computer user - both home and business. My question is this - besides regularly reading your superb articles, what is the best way to make sure we are protected from all the security risks and attacks on our computers?
Brian Krebs: Tired of worrying about spyware and other unwanted software showing up on your PC? Set your machine to run as a limited user account for everyday use. See the instructions here. I can almost guarantee that if you follow those directions and only use the administrator account when absolutely necessary, your anti-virus/anti-spyware programs will get awfully bored.
Other than that, try to get a feel for what "normal" performance on your machine means, in terms of memory usage, Internet connection speeds, etc. That's often the only way you'll know if something is out of whack or wrong on the machine. And of course the usual advice about using anti-virus, firewalls, patching and avoiding the Internet's red-light district are all necessary precautions for maintaining a healthy Windows PC.
_______________________
Rockville, Md.: I also have a limited account and when I tried to copy bookmarks from one to my new (admin) account I cannot find the file. Is there a trick to this? It is called favorites, I think. This must be my morning to be dumb.
Brian Krebs: No, you're not dumb. Sometimes these things get complicated.
Depending on whether or not you set up the admin and limited accounts to be able to view each others' files, you may not be able to see the admin accounts' bookmarks.
Close out of Firefox altogether. Switch over to your admin account. If you don't have fast-user-switching enabled, log out of the limited account and log into your admin account, open Windows Explorer and navigate to:
C:\Documents and Settings\AdminUserAccountNameHere\Application Data\Mozilla\Firefox\Profiles\randomfirefoxaccountname.default
Copy both the "bookmarks.back" and "bookmarks.html" files.
With Explorer again navigate to C:\Documents and Settings\All Users\Documents and paste those two files there, which should allow you to get at them in your limited account. If you did not make your limited account's documents folder private, you *should* be able to open up the Firefox profile of the limited account while you're still logged on as the admin user (C:\Documents and Settings\LimitedUserAccountNameHere\Application Data\Mozilla\Firefox\Profiles\randomfirefoxaccountname.default) and replace the two files there.
Hope that helps.
_______________________
Canfield, Ohio: Brian, Regarding your first questioner: I know this is basic, but it is possible that this reader has followed your advice and set up a limited user account and is still logged on to another account in addition to their admin account or another limited user account. If one merely switches accounts instead of logging out of all, then the problem the questioner experienced will occur.
Brian Krebs: Haha! Of course, Occam was onto something, wasn't he? The most likely answer is most often the correct one. As Canfield notes, if you have taken my advice and are using a limited account for everyday computer use, but forgot to log out of your admin account (or if you're in the admin account while also logged on under the limited account) you will get this message when you try to shut down. Thanks Canfield!
_______________________
North Bethesda, Md.: Brian: The instructions are "Just copy PsLoggedOn onto your executable path, and type 'psloggedon'." and for some reason I want to go to "run" and get it to work that way. But it does not. I am drawing a blank on executable path. Can you help? I should know what to do.
Brian Krebs: Yup. There are several ways to do this, but probably the easiest is -- if you can copy the exe file to the root directory (c:\), then just open up a command prompt (Start, Run, type "cmd") and then you can issue the psloggedon command along with any optional parameters.
If you can't copy files to the root directory (most likely because you are using a limited account), copy the psloggedon.exe file to your shared documents directory, then navigate to that directory in the command prompt (cd c:\documents and settings\all users\documents).
Alternatively, you could right click on the file and set the path variables, following the pretty straightforward instructions here.
_______________________
Vienna, Va.: Brian, Every now and then my computer slows down to the point that doing anything is laborious. If you go to task manager, it usually shows anywhere from 6-16 task manager windows running. Any ideas?
Brian Krebs: Yes. Two free tools I've already mentioned in this very chat -- Process Explorer and HiJackThis -- should help you better understand what those tasks/processes are, and how to gain control over whether they run all the time or not.
_______________________
Rockville, Md.: "Hope that helps."
Quite a bit. Thanks!
Brian Krebs: Glad to know it helped, thanks for circling back!
_______________________
Arlington, Va.: Brian, Thanks for your blog posting on a vulnerability in Adobe Acrobat Reader, and special props to the posters who mentioned Foxit, a PDF reader with some printing issues but with some great features Adobe doesn't offer.
Brian Krebs: Thanks for the kind words, VA.
Arlington is referring to this blog post from yesterday, Take Me to Your Reader.
_______________________
Brian Krebs: That's it folks. I'm out of time. Thanks to everyone who stopped by and to all those who submitted questions or comments. Please take a moment each day to drop by the Security Fix blog, or better yet add it to your RSS feed (what the heck is RSS?) and stay abreast of the latest knowledge you need to stay secure online. Be safe out there!
_______________________
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.