Security Fix Live
Friday, April 13, 2007; 11:00 AM
The transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and welcome to another edition of Security Fix Live. Questions are piling up already, but please don't let that discourage you from asking yours. Please remember to include as much information about your setup as possible (OS version, installed security software, or if it's a hardware issue the make and model, etc).
Spotsylvania, Va.: "Why don't people use a little common sense?" is the question that most often comes to mind when I hear of a security breach. I still use "snail mail" for all important transactions, such as tax filing and bill paying. In an effort to do my bit in combating spam, fraud and phishing, I forward all such communications, including the details header, to email@example.com and block the offending domain name with filters provided by my ISP.
Brian Krebs: A decent question, I guess, but it sort of presupposes that common sense in the real world translates perfectly to common sense online. In some respects it does, but for many computer users, that sense doesn't become common until they've developed some street smarts, as it were. That is, until they've learned the hard way how not to behave online.
Humans have a strange way of being trusting beings, especially when dealing with a field of knowledge that they have not yet mastered or know little about. Bad guys and scammers take advantage of this trust or naivete, and exploit it for their own gains. Sadly, this is the way it has always been with human nature, and it is unlikely to change.
Thousands of new computer users venture forth online each day, and for those individuals there is something of a learning curve when it comes to operating a (Windows) computer safely. That said, I believe that a large portion of the security problems arise when people ignore the best advice we can dole out. For example, despite the fact that downloading "cracks" to play pirated computer games is known to be a highly risky endeavor from a computer security perspective (the cracks sites are legendary for hurling a variety of Web browser exploits and trojans at any visitor, and the cracks and key generators are vastly trojaned) people do it because they figure "meh, there's nothing on my machine anyway, I don't do internet banking or shop online so what's the big deal?" Those are the very same folks whose machines are getting infected with software that turns them into spam-relaying zombies or unwitting hosts for phishing scam sites.
Just look at what some of the spammers are doing to make sure people can still click through or visit their spam sites to buy whatever crap they're selling? Spam persists because people buy stuff from it, plain and simple. Porn sites are another big source of exploits and infections (yes, just as in the real-world red-light districts, being naughty at the intersections of the Web's red-light district can leave your machine with a nasty little rash.)
Some people will always ignore best practices and all the best advice if it is inconvenient for them or it gets in the way of obtaining something they perceive as valuable. Security is all about trade-offs, and whether or not these types of Internet users understand the risks involved, they will indeed at some point trade their short-term happiness for long-term grief for themselves and for the Internet community at large.
*End soapbox rant*
Fort Lauderdale, Fla.: I recently installed Microsoft's Windows Vista Home Premium express upgrade to my new EMachine computer which I bought late November 2006. The result was a blown hard drive. EMachine is sending me a new hard drive to install. I was happy the way Windows XP performed. I am fearful about installing Microsoft's Windows Vista Home Premium again. Should I be?
Brian Krebs: It is unlikely that Vista "blew" your hard drive away. Hard drives fail all the time for a variety of reasons, and often without any obvious reason (such as physical or heat damage). I wouldn't worry too much about reinstalling Vista on the new drive.
I would, however, urge you (and everyone else reading this) to get some kind of backup system in place, using a program like Acronis or something else to semi-regularly make backup copies of your hard drive, in case things go South, as they almost invariably do at one point or another. I like to keep at least two images of my hard drive around, just in case, usually a month or so apart.
Anyway, I purchased a copy of Windows Vista Ultimate because I wanted to become familiar with the OS, but I really don't see what all the fuss is about, frankly. I'm planning to stick with my MacBook Pro and Windows XP Pro for a very long time.
Anonymous: How do I surf securely without having my information on the internet for people to see? When going on a website, I am not sure they are not keeping that info and pass it on to the next guy who wants to buy it or it is monitored by some hackers who steal that info. Also, we don't like to buy or do banking over the internet for fear of breaches.
Brian Krebs: If your goal is to maintain your anonymity while surfing online (I'm guessing yes as you declined to even use your city as your name) a nice program called TOR should serve your needs just fine, although it can cause your surfing to be pretty sluggish at times. I believe the latest TOR bundle is called Vidalia; it is much easier for novices to use than the previous versions.
If your concern is whether to trust a Web site to handle your personal and financial data properly, I'm afraid that's a much harder piece of advice to give. I tend to stick to sites that I know and trust (Amazon, eBay, Newegg, and a handful of others). These companies have a great deal at stake if they lose control over or otherwise share their customer data with everyone. And they've had a lot of practice at building up some pretty major protections around their databases. Smaller mom and pop shops online? Not so much. Many will set up pretty insecure shopping cart systems or leave their back end databases exposed to common attacks: I've seen one too many horror stories with smaller random online merchants to truck much commerce with them.
I don't do online banking, but that's mainly because I'm uber-paranoid. That said, millions of people bank online without any problems. What's more, if your credit card number is stolen or your personal (not business) account is drained as a result of a keylogger or virus, in most cases your bank will reimburse you, provided you monitor your accounts for unusual or unauthorized activity.
Annandale, Va.: I bought a Gateway laptop a few months ago. It works very well, except the screensaver never comes on. Out of the box, it did not come on. I have played with all the screensaver settings -- minutes, passwords, etc. with no luck. I don't have anything constantly running on the machine, and have tried exiting out of all programs to get it to work. I installed a new screensaver and that, while it shows up under screensavers, does not work either. Any suggestions? Is this a serious problem?
Brian Krebs: Annandale, I had a similar problem with the screensaver on an HP laptop that I bought more than a year ago. The problem surfaced a couple of weeks after I purchased, and like you no matter which settings I tweaked nothing worked. I ended up sending it back to HP as it was still under warranty. I got it back within a week and the problem was fixed. You might consider sending it in for repair. Anyone else have suggestions?
Roswell, Ga.: Three different machines, all running XP Pro with SP 2. Like any heavy Windows user, reinstallation of the operating system and application software is often the solution to my security problems. Is there a way to save my cumulative patches so I can just reinstall them along with Windows to make the process a little less onerous and a little less dependent on MS's quirky servers?
Cody, Wyo.: Hi Brian, I checked the government website, http:/
" . . . if you decide to choose separate programs, you really only need one anti-virus program and one anti-spyware program. If you install more, you increase your risk for problems."
I know that's true for antivirus programs. But I've heard some folks say having a couple of anti-spyware programs on your computer is a good thing. What's your take on this? Thanks, as always, for your great articles and live discussions! John
Brian Krebs: Hi Cody. Some anti-spyware programs employ active protection mechanisms, in that -- like anti-virus -- they try to actively monitor your machine in real time for spyware threats. Having two of these real-time spyware programs running at once could cause problems, not to mention some serious sluggishness on your system.
From past chats, I know that you, Cody, already do this, but I'd like to remind people that running Windows under a limited user account for everyday use is the easiest way to avoid spyware, viruses, worms, keyloggers and all the rest. I've not had anti-spyware software installed on any of my machines for almost two years now. You simply won't need it if you stick with a limited user account.
Miami, Fla.: Does it make sense to install a wired router for added firewall protection for a single computer that is already running a software firewall?
Brian Krebs: This is probably the most common question I get in these chats, so I've cribbed my response from a past chat.
It's important to understand the distinction between hardware and software firewalls. Hardware firewalls -- the kind that come built-in to many wireless routers -- are good at blocking inbound traffic, but they typically don't do a lot by default to filter outgoing traffic, and as a result if something nasty does make it onto your machine, that program is free to "phone home" for updates, to send data out of your machine, etc. Software firewalls, like ZoneAlarm and others (you can find a number of free firewall tools listed here) allow you to choose which programs on your computer should be allowed to communicate with someone or something else online.
So, I advise Windows users to avail themselves of both a hardware and software firewall. If you use both, chances are you will not notice anything if you look in the software firewall's incoming logs -- that's because the hardware firewall takes care of that for the most part. What you will see when you install a software firewall are pop up alerts asking you whether you want to allow a certain file to access the web. If you don't know what that certain file or program name does, google it before proceeding so that you can make an informed choice about what's being allowed to communicate over the Web using your connection.
Arlington, Va.: Gateway PC, 512 MB, Windows ME, McAfee and AdAware: The latest McAfee Security update has now bogged down my machine. Extremely slow when booting, and opening browsers, applications, etc. Runs ok once loaded, but not great. I've had no problems up until now. What gives, other than having a really crappy OS?
Brian Krebs: Why blame the operating system if you suspect a McAfee update screwed things up? Blame Microsoft if you want for having to run all these security programs in the first place, fine. But I'd be asking McAfee what gives.
Or, more likely, I'd be voting with my fingers and switching to another anti-virus option (AntiVir, a free anti-virus option, earned some stellar results against previously unknown attacks, and pretty much blew away the competition, according to new stats released by Shadowserver.org).
Arlington, Va.: I have a question about the future of computer security. I work at a consulting firm and a few of the IT guys say that things are changing dramatically and that security will see significant improvements in the next few years. They thought that biometric data was a big reason. Do you agree?
Brian Krebs: Perhaps the state of computer security will improve over the next few years. I sure hope it does, as it's hard to imagine how things could get worse. I think you're right, that the state of security will improve significantly, but so will the skill and motivation of cyber criminals.
The reason is that businesses and commerce will continue to move to the Web, and with it customers, and with that high value targets. The bad guys have their most success right now by social engineering or tricking people into taking actions that are not in their best interests or in the best interests of the security of their OS or personal data.
I don't care what kind of biometric gizmo or uber-secure software you design, educating people about online threats will only go so far: people will always get duped, and no amount of protection software or hardware is going to prevent that.
So, in short, no, I don't agree. On the purely technical/software side, the bad guys will always stay a step ahead of the good guys, mainly because the bad guys only have to find one way through your defenses, whereas good guys have to find and block them all (a near impossibility for modern software with zillions of lines of code, etc).
Washington, D.C.: Your link to TOR is massively screwed up; it looks like it got intermingled with a paragraph of text.
Brian Krebs: Sorry. That sometimes happens. We'll fix it. Thanks for the heads up.
Eugene, Ore.: Regarding wifi use both at home and at commercial hot spots, is a subscription to one of the VPN providers such as Jiwire adequate to ensure the security of my data from snoopers, sniffers, phishers, etc? Thanks for an extremely valuable column!
Brian Krebs: If you're using a VPN (virtual private network) to encrypt your traffic from end to end, you're way ahead of the pack and have little to worry about in terms of eavesdroppers on a public network, in my opinion.
Fairfax, Va.: For a PC running Vista, besides an anti-virus program, does a router offer enough firewall protection or are programs like Norton's Internet suite necessary? Norton really seems to slow things down. Also, on a Mac, is any virus or firewall software necessary? Thanks
Brian Krebs: Microsoft recommends that Vista users run some kind of anti-virus software, so that's probably not a recommendation you want to ignore. See a previous answer and link above to resources on free anti-virus software. I've not tried Norton's most recent products, but I can think of several others I'd recommend before Norton.
Mac users should avail themselves of the built-in firewall, which does a decent job of the basics. See my answer above on hardware vs. software firewalls as well.
Gaithersburg, Md.: My laptop runs Windows XP Home with a FAT filesystem (that's the way it came). I have changed my account type to non-administrator. However, due to the virtually non-existent security this configuration offers, this account can still write to all the significant directories (Windows, Program Files, anything in Documents and Settings). Would converting to NTFS be worth the trouble, or is trying to lock down files in XP Home a lost cause anyway?
Brian Krebs: Hi Gaithersburg. You asked this question in the last Live Online and I want to make sure you get it answered, but I'm out of time for today. Message me at brian-dot-krebs-at-wpni-dot-com and I'll see if I can come up with an answer for you. Thanks.
Brian Krebs: That's about all we've got time for today. Thanks to everyone who stopped by and to all those who submitted questions. Please join us two weeks from now for our next chat. In the meantime, please drop by the Security Fix blog to stay up to date on latest security news and tips. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.