Security Fix Blogger
Friday, January 19, 2007 11:00 AM
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and thanks once again for joining us for another Security Fix Live online chat. We're a tad light on questions today, so if you've got a security or technology related question, fire away and I'll do my best to tackle it in the time that we have. As always, try to be as specific about your problem as possible, and let me know what operating system you're using, any security software, and any other details you can think of that may help me answer your question.
Fairfax City, Va.: Brian, I read your articles every day because the information is always useful and informative. The comments people leave are also useful if not only entertaining. As a result, I value your opinion because you obviously have your fingers on some parts of this Internet that I only wish I could begin to understand sometimes.
My question today is about the many places on the web that offer the promise of 'get rich quick' or 'earn residual income' by simply signing up to their "much researched and proven plans". I usually do not give any of these any thought or credence at all; figuring they are only ways for the 'author' or domain holder to make money with their false promises. However, there is one company (it is probably more than one) that even advertises on TV. The commercials are always the same - showing singles or couples who earn thousands of dollars a week and only work about 10 hours of it - but the website always changes. At the end of the ad, they instruct you to login to a website named something like 9abcdef.com or 3xyzpdq.com (these are made up names only to show that they always have a # followed by some unrelated word).
When I investigated one recently, the site's plan is to give the person a website filled with links for people to purchase books or other products. They also have a bunch of Google AdSense links and you are supposed to modify the page to use your new ID to earn the revenue. Do you know anything about these sites? They are obviously sounding too good to be true, but their credibility goes up a little if they can advertise on TV. What are your thoughts? Thanks - Richard (sorry for the long post)
Brian Krebs: I'm not familiar with the specific offers you're referencing, but they do sound an awful lot like "work at home" schemes, which are *usually* in some way fraud-related. It wouldn't be the first time fraudsters have taken out TV ads (usually late at night). Most often, you will see this type of recruitment on online job boards and increasingly through instant messages and open communication technologies such as Skype. The randomized domain names you cite also are very typical of spam/scam artists, and should be an immediate red flag.
The most common type of work at home fraud schemes involve "reshipping" scams that can indeed make a person money, but more often than not wind up implicating the worker in scams that defraud innocent Americans or lead the US Postal Service Investigators or the FBI to their front door.
The way these kinds of scams usually work is these guys in Nigeria or Eastern Europe have a whole bunch of stolen credit cards that they're trying to turn into cash, so they buy up a whole bunch of pricey electronics that they can sell on eBay. The problem is that orders from those areas have such high rates of fraud and chargebacks that it's not worth it for retailers to ship to those areas, so they don't. So what the fraudsters in those areas do is enlist the help of people in places where retailers DO ship, like pretty much anywhere in the US. So, the scammers buy their merchandise and have it shipped to a "work at home" volunteer who lives in the US, and that person is instructed to ship the items to somewhere else. For their trouble, the worker is instructed to either cash an included check (which most often is fraudulent and bounces) or keep some of the ill-gotten items for themselves. Either way, this is aiding and abetting a fraud scam, and US citizens who get caught up in this web can serve real jail time if they get busted (they eventually do).
As always, the old adage "If it sounds too good to be true, it probably is" is a good one to live by, and that saying holds doubly true online.
New York, N.Y.: I write this from a New York Internet cafe. In order to ask this question, I had to sign in to the Washington Post with a preregistered email and password. How could someone steal that information from this computer (which fortunately would not cause much damage even if they could)?
Brian Krebs: Well, Washingtonpost.com does not use secure sockets layer (SSL; if we did, you'd see https:// at the login screen) for logins, so any password you transmit to our site is done so "in the clear", meaning that anyone on the same network as you could sniff the user name and password no problem. Since you said you were in a New York internet cafe, I'm assuming it's wireless. That means anyone in range of that wireless network with the right tools (which are very easy to find and use) could steal your credentials.
Internet connectivity: Hi Brian, I'm not sure if this is exactly security related, but if I leave my home computer on idle for just a few hours, when I go back to use it, it will not connect to the internet. I get something like 'internet connectivity not found error'. At that point, I have to reboot to be able to access the internet. The other computers on our router do not have this problem.
I checked for spyware or viruses and haven't found anything, and keep my antivirus/anti-spyware up to date. I also have the free version of Zone Alarm on my computer. I think the other computers just use the Windows Firewall. Could this be a personal firewall issue, or do you know what else may be causing this? It gets kind of annoying having to constantly reboot.
Brian Krebs: Hello. I have no idea what may be causing your problem, but in cases like this sometimes the best thing to do is try to figure things out by process of elimination.
In your case, you might try disabling or shutting down ZoneAlarm, and in its stead turn on the Windows firewall. If you do not experience a loss of connectivity within the timeframe that you would normally with ZoneAlarm turned on, then that suggests something about ZoneAlarm is not working properly. If that is the case, you might consider uninstalling and reinstalling ZoneAlarm.
Anyway, that's just a guess. It could be completely unrelated to ZoneAlarm. Please circle back to tell us if this helped you diagnose the problem. Good luck.
Arlington, Va.: Windows Defender stopped working on my Win2k laptop at the start of 2007. Why does MS do something like this if they claim that security is sooo important to them? What can I use in the mean time until I buy Vista and make MS happy!
Brian Krebs: Good day, Arlington. You went ahead and stole one of my blog post topics for today (well, you and one other person -- however, I may blog about it as well for people who don't read these chats).
Indeed, it appears that Microsoft isn't interested in making Windows Defender backward compatible for Windows 2000 users. But I did a little digging, and it seems that a number of security forums point to these instructions, which apparently have enabled a number of people to get WD working on Win2k.
Those instructions involve installing something called the "Orca Database editor." Instructions on how to install Orca are available over at Microsoft.com.
In answer to your other question -- rather than write them out by hand here -- I'll refer you over to this longish list over at BroadbandReports.com's security forum. Please circle back in today's chat or next time to let us know if you got WD working following those instructions. I plan later today to try them myself on an older machine with W2K installed.
Port Neches, Tex.: Please explain how a person who mistypes a web address ends up on a web site/portal that is comprised of nothing but links somewhat related to the mis-typed url? Do these sites pose a security risk to a Firefox user? How can there be so many of these domains out there? Seems like that is a lot of money tied up in domain registrations. Thanks, Bill.
Brian Krebs: Hello, Port Neches. Great question. Along with a colleague of mine at The Washington Post, I wrote a story last about the proliferation of these types of sites you describe, which reside at "domain parking" companies and generate tiny bits of income each time someone lands there because they're full of ads.
That's not the best answer, I know, but I'm trying to get to as many questions as possible today. Read this story to learn more about this practice.
To answer your question, they are mostly harmless, but so-called "typosquatters" have been known to use mis-spelled domain variants to push malware onto machines if users visit them with browsers (mostly Internet Explorer) that are not fully up to date on security patches.
Olympia, Wash.: Sometimes on the Washington Post website, my Mozilla browser will start to soak up the CPU, running almost 100 percent. What could be the cause of this? I don't notice it so much on other sites, but maybe because I like washingtonpost.com so much I spend more time there. Thanks.
Brian Krebs: Olympia -- Mozilla's Firefox browser still has a problem with what's known as a memory leak, which basically means that over time, as you open up multiple windows and tabs, the browser can consume more than its rightful share of system memory because it sometimes doesn't relinquish control over memory that it no longer needs.
A former colleague of mine asked me the other day why his Firefox browser was taking up almost all of the memory space on his system, which was pretty fast by most standards. I told him about the memory leak issue and said that it was far more of a problem on older versions of Firefox, and asked him to tell me what version he was using (to check, go to "Help" and "About Firefox"). Turns out he was running a version of Firefox that Mozilla no longer even supports (it was first released about two years ago and was woefully behind on security updates).
So I ask you: What version of Firefox are you using? Is it up to date? If so, check out the link above for tips on making this much less of an issue.
Fredericksburg, Va.: Brian, I appreciate the great information you provide on your chats. I have a simple question about e-mail addresses: Is there any truth in that adding a number of special characters to your e-mail (i.e. firstname.lastname@example.org) will greatly reduce the likelihood of automated spam? Thanks and keep up the great work! JG
Brian Krebs: I suppose it's possible that it *could* reduce the level of spam you get by some (probably immeasurable) amount. But bear in mind that the biggest contributor to spam in your inbox is having your e-mail address show up on a Web site or an online forum of some kind. Site-scraping software lets spammers easily scoop e-mail addresses posted online.
Also, most people sign up for all kinds of "free" things and services online but never bother to read the yadda-yadda fine print, which sometimes says in essence "these free services are free because we reserve the right to sell your e-mail address to marketers or third-party affiliates."
While we're on the subject, next time you need to provide an e-mail address but don't want to give away a valuable one that you use and expose it to spam, check out this very cool service called "Dodgeit" that I just discovered today.
Basically, use any word you want and then add @dodgeit.com at the end when you go to register at some site. Then come back to dodgeit.com and enter that word and you can read your e-mail. But please don't sign up for sensitive services with Dodgeit.com -- anyone can read the e-mail you have sent there. I must have spent 30 minutes entering random words to see what people used this service for in the past. Want to see for yourself? Pick any word, type it into that box, and then hit submit.
Washington, D.C.: Is IE 7 still a beta product or is it fully tested? And, would you recommend upgrading to it or staying with 6.x until we're forced? Thanks!
Brian Krebs: The first non-beta (final release) version of IE7 was pushed out to Windows XP users in November 2006. If you choose to surf the Web with IE on a Windows XP computer, I'd highly recommend upgrading to IE7. See the data I presented a week ago that showed IE6 users were vulnerable to attack for 284 days in 2006.
If you're using an older version of Windows (IE7 doesn't run on anything older than Windows XP), I'd strongly urge you to stop using IE and switch to another browser.
Washington, D.C.: I got a new Macbook for Christmas, after many years with a Dell desktop. Do I need to be running a virus protection on the Mac? I consider myself a savvy computer user, I use Firefox and access the internet over a secure wireless connection, and I never download anything without knowing the source and the reason I'm downloading it. Thanks.
Brian Krebs: Color me jealous. Actually, I'm supposed to be getting my own Macbook very shortly.
I get this question almost every time I conduct a chat, and I always say the same thing: I've not used Macs enough to know whether it's possible to get them gummed up by visiting a lot of dodgy places online, but it's certainly not out of the question.
It is true that you hardly ever hear of Mac users having security problems, but I always wonder, well, how would the average Mac user even know if they have a security problem, as most don't use security software (other than maybe the built-in firewall)?
You sound like you're pretty conscious about what you're doing and where you go online, but if you're concerned, you could always download and install ClamXAV, a free anti-virus checker for Mac OS X users.
Louisville, Ky.: Hi Brian, I use the following protections for my home wireless network
1. SSID broadcast is off
2. Computers need a WEP key to connect.
3. I restrict access to the network to specific computers (by specifying their MAC addresses)
Does this make my network "totally" secure, or could it still be breached? Thanks, Srikanth
Brian Krebs: No system is "totally secure," I don't care what you do to it. The setup you have is relatively secure, but it's far from perfect. For one thing, WEP security is a joke. It will deter casual passersby who might otherwise try to use your network for free wi-fi. But anyone who targets your system or wants to break in can crack your WEP key fairly easily (the tools and methods for doing this are freely available online. Heck, I recently saw a YouTube video that walks you through how to do it.)
These methods you mention are all ways to make a wireless network more secure, but they all can be defeated. If you are concerned about it, you might consider upgrading to a router that accommodates WPA or WPA2 encryption, which is more secure but also not by any means unbreakable. In the final analysis, wireless is a risk, period.
Washington, D.C.: I use a webmail address as my primary email address (easier than changing it). I saw your post about the lack of html security for email on windows machines. Am I stuck with this vulnerability as long as I use webmail? (I use juno and did see a way to set things up as text only; I suspect that it can't be done for webmail).
Brian Krebs: Webmail tends to be less of an issue with HTML. Many of the larger Webmail providers turn off images by default -- Hotmail does -- and I believe Gmail does as well. Not sure about Juno though. I wouldn't think of HTML-based e-mail as a vulnerability, per se. But it is an important vector for malware, and if you have the means to turn off HTML rendering in e-mail or Webmail, I'd recommend doing so.
Is IE 7 still a beta product or is it fully tested?: Brian, My XP machine would NOT run with IE7. I had to unload it and reload version 6.
Arlington, Va.: Brian- I heard a rumor but have been unable to substantiate it. I heard a minor got arrested, charged, and sentenced for using his neighbor's unsecured wireless network. Did you hear anything about this? Is there a story that I can check out on this? Is this just urban myth? Thanks.
washingtonpost.com: Using Neighbor's Wireless Link: Probation
Brian Krebs: Haven't heard anything about that, but it wouldn't surprise me. There was a guy in the US a couple of years ago who was arrested for stealing a neighbor's Wi-Fi signal. I'm sure there have been other cases, as some towns and cities are starting to enact some well-meaning but ultimately bone-headed laws on Wi-Fi usage.
Bear this in mind if you're the type of person who often uses someone else's Wi-Fi network without permission: A) it's not terribly hard to find someone who is using your network, particularly if they live down the street from you. B) It is most likely illegal. C) You have no idea what that person is doing on his or her network: For all you know, maybe they're running it in an open fashion for the express purpose of stealing information from people who steal from them. Remember, on any network -- wired or wireless -- passwords and other information (e-mails, instant messages, etc.) transmitted in plain text (no SSL, https:// connection) can be snagged clear as day by anyone on the network.
Baltimore again re: IE 7: So it sounds like from your past articles about your research that it is safer, perhaps far safer, to use Firefox. Are there any drawbacks to Firefox use?
Brian Krebs: Yes, you can read about Firefox's memory leak problem, as described earlier in this chat. But other than that, I fell in love with Firefox b/c of the myriad add-ons or browser extensions that the user community has built and that make the browser a lot more fun to use. IE7 also has a few add-ons, but it lacks many of the more useful ones I've come to know on Firefox.
Jupiter, Fla.: I use the MSN network and they give you free Spy Sweeper. Now Windows Live OneCare wants to download the Windows Defender? Will that create a problem? I am quite happy with Spy Sweeper, but two may be better than one if there is no conflict. What do you advise?
Brian Krebs: I'd say give it a try. If it gives you any trouble, you can always uninstall Windows Defender by going to the Add/Remove Programs list.
Rockville, Md.: Hi Brian, Last week you referred to a site called Secunia to check if we had the latest updates on common programs. I did the scan and the search showed that I did not have the latest update on Macromedia Flash Player, although I did update that back in the middle of December. Anyway I updated it again, but the scan still showed that I had the previous version. I cannot find the Flash Player program, neither in my 'Programs' nor in the Control Panel so that I could remove it and reinstall. Can you help??
Also, do I need Quicktime if I don't have a Mac? I believe it was installed as an original program when I bought the computer (about 2 months ago). I have been a longtime user of PCs, but only recently owned one (versus using an office-supplied one) and am not used to doing constant updates on programs and being watchful of security. Thanks for your help.
Brian Krebs: Rockville is referring to this blog post.
The older Flash component that Secunia flagged may be a plug-in that's installed in the browser. Check the very bottom of that lengthy blog post linked to the previous paragraph, and you'll see I've included some instructions for finding older plug-ins and removing them. Let me know if that doesn't work for you (brian dot krebs at washingtonpost dot com).
On Quicktime, I'd 86 that program if you don't need it. As Sunbelt Software CEO Alex Eckelberry likes to say, far too many computer makers these days ship so much extra software with their new retail PCs that it takes forever just to "de-crappify" a new machine after booting it up for the first time. My rule of thumb: If I don't need it, I get rid of it. As you say, just one more program that you have to patch every few months (in this case, Quicktime has several very serious vulnerabilities/design flaws that Apple still has not addressed with updates).
Fairfax, Va.: Brian, sorry for the non-security question. I have an error that's been popping up saying it cannot find flash.ocx. I know about the Flash player etc, but what is OCX? Thanks!
Brian Krebs: OCX is geek shorthand for ActiveX, a rather ill-conceived feature deeply woven into the Windows operating system. I'm not going to get on my hacktiveX soap box right now b/c I don't have the time. Anyway, your computer (or more likely, a Web site) is complaining that you don't have a particular Flash ActiveX plug-in installed that it wants you to have in order to render some content (or do lord knows what else on your machine).
Atlanta, Ga.: Brian: I'm trying to help an elderly friend who knows even less about computers than I. Her problem is a flood of pop-ups that just don't stop. I checked and verified that the pop-up blocker on IE was enabled. She also has a Google toolbar, so I verified that its pop-up blocker is enabled. Still, can't stop the pop-ups. My conclusion at this point is that her machine must be infected with some sort of malware. Would this be a reasonable assumption?
Brian Krebs: Yes. You can spend many, many hours trying to diagnose the problem, or you can spend perhaps a bit less time backing up any documents and pictures she'd like to keep and re-install the operating system.
Brian Krebs: Whoa! I went a half hour over my time slot! Thanks to everyone who joined us today in this chat. As usual, I was not able to get to all of the questions, but please feel free to drop me a line if your question is burning enough. I can be reached at brian dot krebs at washingtonpost dot com.
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.