Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, February 2, 2007; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Feb. 2 at 11 a.m. ET to provide advice on how to protect yourself and your personal information online.

The transcript follows.

____________________

Brian Krebs: Happy Friday, dear Security Fix readers, and thanks once again for joining us for another Security Fix Live. If you've got a security or computer-related question, please ask away and I will do my best to tackle it as best I can in the short time that we have. Remember, please, wherever possible, to include as much information about the system or software you are having trouble with (operating system, whether or not you are using up-to-date antivirus, firewall, etc.).

_______________________

Laurel, Md.: Which OS is more secure - Vista or XP with SP2? Thank you, Jim

Brian Krebs: I can tell I'm going to get this question a lot going forward, but the truth is that it's too soon to say. Microsoft made some important security changes with Vista -- such as requiring the user to enter a password when installing software (which in theory should make it more obvious when some malicious software that the user does not want is trying to install itself), but the system also prompts the user quite a bit whether they really want to change some setting, and so it may also turn out that users get so tired of constantly being nagged to approve this or that change that they turn off this feature or become inured to it, in which case it's kind of useless.

I've been using Vista for a while now, and while I find it pretty intuitive (for the most part -- Microsoft has inexplicably changed the location and names of certain basic settings tabs on the system), I wouldn't advise anyone to go out and buy it to upgrade right away (if at all). XP SP2 is an extremely stable version of Windows that has served me well for many years. Plus, all of my software works on it. I'm not sure I can say the same for Vista at this point.

Bottom line: using a firewall, anti-virus and setting up your XP2 system to run under a limited user account is still pretty darn safe.

_______________________

Chicago, Ill.: Will I need to re-install Norton Internet Security or will that be allowed after installing Vista Premium!!??

Brian Krebs: Chicago, when I upgraded one of my XP2 systems to Vista Ultimate, it treated it as a clean install. But pretty much most security software is going to need a Vista-specific version. Check Norton's support page: *I believe* they have a system in place for upgrading, though I don't know if there's an extra fee involved. This link here should help. Remember, there are free alternatives (AVG, AntiVir) if you've just purchased a Norton product and need to pay again to upgrade. Please circle back and let us know about your experience, thanks.

_______________________

Reston, Va.: How safe is it to let my browsers (FF or IE) save my passwords? It seems like a great convenience, especially considering different sites' password requirements, but it makes me nervous to save them. Are they vulnerable?

Brian Krebs: Very good question, Reston. The answer is it's not the safest practice, from where I stand. Mozilla still hasn't fixed a vulnerability in Firefox that could under some circumstances let Web sites see your stored passwords. If you are among the unlucky Windows users to have a password-stealing trojan or bot planted on your machine, the very first thing it will do is rip out any passwords you have stored in IE's laughably-named "protected storage" area.

Now, we all know how paranoid I am about this stuff, so maybe that informs my decision more than it would the average Joe. I use Firefox's password storage for relatively harmless passwords to sites that do not hold personal or financial information about me. I specifically do not store sensitive passwords to bank accounts or to any places that store my sensitive or financial data -- in either IE7 or Firefox. Sorry. I just don't trust 'em.

_______________________

Brian Krebs: Dangit, I meant to include in the response to the password storage question a link to Bruce Schneier's free password-safe program. I used the program a while back and found it to be very good (that reminds me I need to re-install it). There are links also to other free password management tools on that page, though I haven't used any of them, so do your homework first please.

_______________________

Atlanta, Ga.: I have an 802.11b wireless router at home broadcasting to two computers with 128-bit WEP encryption. WEP is the easiest to crack, but are there really people out there driving around our neighborhoods trying to do this? How important is it to upgrade my wireless router to one that uses more secure encryption? Thanks

Brian Krebs: It's not very likely at all that someone is going to randomly drive up to your home and try to crack your WEP key. Unless, of course, they have some reason for wanting to snoop on/break into YOUR NETWORK SPECIFICALLY. If this possibility worries you, I'd say $50-$75 is worth the peace of mind to upgrade to a router that at least supports WPA (if you use an older external wireless card you may need to upgrade that as well).

_______________________

Clovis, Calif.: I'm pretty upset with computer manufacturers right now. We bought a new laptop 2 weeks ago. Vista came out and now that same laptop we ordered hasn't even shipped yet because they are FORCING us to have Vista on it even though we specified XP Pro. If this is how they are going to do it, then Microsoft is going to be slammed with a lot of complaint letters since some of us are business customers who don't have 100 percent of our software that works with Vista. I think it's wrong to force us into Vista right away.

Brian Krebs: Wow. That's pretty ridiculous, Clovis, I agree. Thanks for sharing this. If I were you, I'd be mad as hell. Please drop me a line at brian dot krebs at washingtonpost dot com and let me know which PC maker did this. Thanks.

_______________________

Arlington, Va.: Is Vista going to be capable of dealing with all of the date-change anomalies of the "Year 10000 Problem" that will occur on Dec. 31 of the year 9999, as the calendar rolls into the five-digit year of 10000? I ask because it seems unlikely that Microsoft will be able to complete another upgraded version of Windows before then.

Brian Krebs: Thanks for the levity, Arlington. Who knows, maybe they'll even have Service Pack 3 for Windows XP shipped by then as well.

_______________________

Cody, Wyo.: Hi Brian, I read recently -- can't remember where -- that most computers, even if they are diligently maintained, are going to eventually end up with unwanted spyware, viruses, adware, etc. The writer's recommendation was to get a new computer every few years, or at least reinstall the operating system. That seems radical to me. I use BitDefender for virus protection, Windows Defender for spyware protection, and Spy Cop for detecting key logging software. I have my computers set to scan every day. Also, I followed your recommendation to use the DropMyRights thing from Microsoft.

I know there's no such thing as 100 percent security on the internet today. So my question is do I really need to get a new computer every couple of years -- or reinstall the operating system? Thanks, Brian -- I love your columns! They've been a lifesaver for me. John

Brian Krebs: Hi Cody. I wrote the other day about how sometimes backing up your data and re-installing the operating system is the only sane and safe option for people who have spyware or virus infestations.

But that's not the same thing as saying such infestations are inevitable on a Windows computer. I don't think that's true at all. To the contrary -- if you set up the machine correctly in the first place -- you shouldn't have any problems at all. I haven't. But too many people don't want to be bothered with setting things up correctly when they unpack their shiny new PC: they want to go straight for the Web and start cruising. BZZZZT! Wrong move. The old adage "An ounce of prevention is worth a pound of cure" holds true generally with computer security as well.

_______________________

Baltimore, Md.: After about 1 year, my Verizon DSL (Westell 6100) modem started acting crazy. Red Internet light, no Internet light, blinking DSL light. I have spent about 25 hours on the phone with Verizon DSL tech support, AOL tech support, Microsoft PC Safety tech support and NOD32 (AntiVirus) tech support. I have uninstalled/reinstalled my NOD32 software, AOL software, modem firmware, installed new modem passwords etc, reconfigured registries, removed old modem and installed a new Westell 6100 modem, etc. Verizon has checked my lines and no problems, 860 kbps, 19/34 dB s/n ratio, etc. AND still my modem is knocking me offline with its Christmas-tree-like blinking array of lights. What's going on?

Brian Krebs: No idea, Baltimore, sorry. Have you tried asking them to replace the modem? Just a thought.

_______________________

Bethel, Maine: If my computer had become a "zombie" and was being used to spread spam, wouldn't I see unusual activity indicated in the internet connection icon in the tray?

Brian Krebs: Maybe. But would you know enough about what kind of traffic levels constitute "usual" on your machine? Zombie machines -- or those that have been infected with a "bot" program that lets attackers control them remotely for various nefarious purposes -- are used for a number of purposes, not all spam related. But yes, seeing huge, unexplained spikes in the level of traffic leaving your machine would be one indicator of a bot infection.

_______________________

Wellesley, Mass.: As a Mac user, does Apple provide sufficient security and protection (and updates) that purchasing 3rd party enhancements are not necessary? If no, what software should one consider adding to their Mac system? What is the reason that Macs are less likely to be the target of virus and other types of attacks? Is it just that their market share is so small (less than 5 percent) or does Mac OS X (UNIX) provide better security?

Brian Krebs: Apple's systems have security flaws just like most other systems and software. Last year, Apple fixed dozens of very serious security holes -- some of them trivially exploitable to do bad things on systems -- but you didn't see bad guys going around attacking those flaws. That may change soon, especially with 25 or so Mac-specific software flaws detailed in the Month of Apple Bugs project, which included sample exploit code for each vulnerability. Most of those bugs remain unfixed, and Apple hasn't said much about the project or any of the flaws, so it's not entirely clear what users can or should do about any of them (although some of the MoAB bugs actually include workarounds -- and the Month of Apple Fixes project provides third-party, unofficial patches for many of them, although hardly any security experts recommend that you install them).

There are different schools of thought as to why the bad guys don't target Mac users en masse, when they obviously could if that was their intention. One camp makes the market share argument -- that Windows users make up such a ridiculously large share of the world's computer users (it's probably about 92 percent Windows users and somewhere between 3-6 percent Mac users), that it just isn't worth their time to develop exploits and attack Mac users. In other words, they're making too much money ripping off Windows users to bother with the Mac crowd.

That's an alluring argument, but I'm not sure it's the whole story: Apple has made it harder for users to screw up their machines or otherwise do things that aren't in their best interests.

To your question, I think regardless of whether you're on a Mac or Windows, it's important to use a firewall (the one that comes with the Mac is fine) and to be very careful about what you install on your machine. Beyond that, there is free antivirus software available for OS X (ClamX).

_______________________

Mechanicsville, Va.: Re: Verizon DSL troubleshooting -- I found (as have many others) Verizon's DSL customer service to be worthless. A good alternative is to take advantage of the expertise to be found at http://www.dslreports.com/forum/ilec,vz

With the help of the forum, I isolated and fixed my own Verizon DSL problem and now enjoy rock solid service. Can't beat the price -- free!

Brian Krebs: Some opinions and advice from a reader to our friend in Baltimore with the screwy Verizon modem.

_______________________

Washington, D.C.: Am a big fan of your chats. Trying to help my mom out with her pc. In addition to the two free antivirus products you referenced earlier, what other free software should I load on a PC (e.g. firewall, etc)?? Many thanks!

Brian Krebs: Thanks Washington. You should consider setting her up on a limited user account for everyday use. A firewall is a must: use the built-in Windows firewall at the very least, but ZoneAlarm and others offer free versions of their firewalls, which take a bit more configuring and patience. A hardware firewall such as those that ship with virtually all routers -- wireless or not -- can help dramatically improve the security of a Windows network. Even if she isn't going to use the wireless part of it (you can turn off the wireless signal in the configuration panel), you will notice that the software firewall logs no longer have anything in them. That's because the hardware firewall is doing all the hard work. It's still important to run a software firewall, though, but it's designed to stop bad things that might have gotten on your machine from "phoning home" or downloading more bad stuff.

Also make sure she's set to receive and install security updates from Microsoft automatically.

_______________________

Baltimore, Md.: I did mention that I replaced the modem with a new one, of the same type (Westell 6100), as sent by Verizon DSL.

Brian Krebs: Yeah, sorry Baltimore, I missed that the first time through. Check out the advice from the reader from Mechanicsville, though. I've recommended the able folks at DSL Reports and if you're patient enough and follow the rules, they can usually help you figure out what's wrong.

_______________________

Burke, Va.: "It's not very likely at all that someone is going to randomly drive up to your home and try to crack your WEP key." Isn't that kind of like saying, "it's not likely that someone will try to break into my house, so I'll just put a $5 lock on the front door and not worry about deadbolting"? The point is that you want your home/computer secure IF someone tries to break in, and not just trust that it's unlikely that they'll try to.

Brian Krebs: Interesting perspective, Burke, thanks for writing. I always try to strike a balance with readers between giving them tips and news they can use and scaring them to death. I happen to believe it is unlikely that someone will go through the trouble of cracking your WEP key unless they are targeting you specifically to steal your data (i.e., they are going after Bob Smith because he has some data that they specifically want). Someone randomly robbing your home is not a very apt comparison, IMHO.

As I've said before, WEP is not very secure, and if people are going to use wireless they should upgrade to WPA or something stronger and stop worrying. Heck, even if you are using WPA, that can be hacked too. Fact is, using wireless introduces its own set of risks. But security is all about tradeoffs between risk and usability. If the tradeoff doesn't work for you -- don't use wireless.

_______________________

Brian Krebs: I'm out of time, everyone. Thanks so much to everyone who sent in questions or just dropped by to read. Please bookmark the Security Fix blog and come by regularly and maybe even participate in the discussion there as well.

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.



© 2007 Washingtonpost.Newsweek Interactive
