Security Fix Blogger
Friday, June 22, 2007 11:00 AM
Security Fix blogger Brian Krebs was online Friday, June 22 at 11 a.m. ET to provide advice on how to protect yourself and your personal information online.
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and welcome to another Security Fix Live. Please remember to tell me as much about your current system's setup and relavent security software/hardware when asking about conflicts, errors, strange behavior on your PC, etc.
Wash DC: Brian- I love your blog and your chats. About 3-5 times a day, my computer grinds to a halt. I have checked task manager, and services.exe is using up 97-100 percent of resources for ripples of about 15 secs. I mentioned this in passing to a network admin and he said it could be the periodical scans IT is doing. In googling services.exe I found that it -could- be a trojan. Any advice?
Thanks D.C. It sounds like the computer you're talking about is a work machine? Why not have them troubleshoot the problem?
Unfortunately, there are a number of viruses and pieces of spyware that adopt the same name as legitimate Windows systems processes. Services.exe is responsible for managing the startup of a bunch of different background programs/processes on Windows, but it could be that the file itself has become corrupted or something has injected itself into the process.
You didn't say whether your machine has up-to-date anti-spyware software on it or not? Anyway, it could be just that one particular application is not launching as it should, and therefore services.exe is repeatedly trying to restart the program. Perhaps checking the system event logs would offer some clues?
To get there, go to the System Control Panel, and then choose Administrative Tools, and then event viewer. You may see some messages there with a red "X" next to it; digging into those error messages may shed some light on the problem, if indeed it's a legit service that's having trouble starting.
It may be that the only way to fix the problem is to reinstall the operating system. Periodical scans from the IT dept. shouldn't cripple your PC. You should consider spending some time at an online support forum if your IT folks are no help (such as the DSL Reports Security Cleanup forum. Good luck.
Portland, Ore.: This doesn't pertain to online security, but are debit cards as risky as they seem to me? My credit union is forcing me to get one instead of a plain ATM card and I'm not happy about it. The ATM card can be used in limited places and only with a PIN. The debit card can be used the same way and with an easily-faked signature (or none at all if under $20). The money in my checking account gets put on hold for these transactions. If some thief starts using the card my money could be held hostage during the investigation and legitimate checks could bounce. I just don't understand why I should accept this less-safe card from my credit union.
washingtonpost.com: Security Fix: Smile, You're on Criminal Camera
Brian Krebs: Debit cards are somewhat more risky than credit cards in that fraudulent charges can become more difficult to dispute, particularly if you don't catch them quickly. Interestingly, the major card issuers are pushing more customers to switch to signature debit cards for transactions, by offering bonus programs and incentives like frequent flyer miles, grocery club points, etc. The interesting thing is that signature debit cards have a higher rate of fraud, so merchants must pay more to process those transactions that regular PIN debit or credit card purchases. This sort of pits the consumer's interests agains the merchant, but in many cases now banks are starting to say they will cover the costs of fraud 100 percent for signature debit transactions. Strange situation and confusing for a lot of consumers, no doubt.
I don't use debit cards because I don't like the idea of being hassled along the lines you describe. Why not simply get a credit card with a bonus plan that you like and pay it off every month with the money from your checking account?
Chandler, Ariz.: Brian - Circling back here. About two weeks ago I asked a question re: disk imaging software. You mentioned the Acronis product. It looks to be exactly what I was looking for. Next question, do you know if the Acronis disk partitioning package offers significantly more functionality than QTpartEd?
Brian Krebs: Hi Chandler, nice to see my advice was useful. That open-source partitioning tool you mentioned is functionally the same program -- it has a graphical interface that lets you chop the hard drive up in to separate, discrete chunks for storing data, other operating systems, etc.
I'm a little confused by your question, though, because it looks like QTpartED is a program designed to run on Linux systems, not Windows.
The nice thing about Arconis' drive image product is you can resize partitions on the fly, while you're running Windows. PartitionMagic and other programs do essentially the same thing.
For the second half of the equation here -- system backups -- there are free Windows drive imaging tools out there (I'm going to review one next week), but they generally lack a bootable disc that you can use to restore the image you made if things really go wrong and you can't start up your system.
Hope that helps.
Bill from Lansing, Mich.: Brian, I really enjoy your online discussions. They have been very informative, and sometimes very entertaining.
Could you clear up my misunderstanding about encryption on secure websites? When a secure website is accessed, the lock shows on by browser to indicate that my transmissions are encrypted, which are supposed to be available only to the receiving website, which decrypts them. I thought all encryptions had to have a common key between sender and receiver. How can a secure website that I access have the same key that my browser uses? If my transmission was intercepted by 'the bad guys', why would they not have the same capability to decrypt my message with all of my personal information?
Brian Krebs: Hi Bill, thanks for the comment and the question. You might want to read up a bit on secure sockets layer (SSL) technology, which is the encryption protocol used in https:// transactions like the ones you're referring to.
To waaaay oversimplify things, there are multiple "handshakes" or exchange of data that take place when your browser accepts a digital cert from a Web site, and during that process your machine and the web site exchange keys that contain random numbers that are unique to that transaction.
It's not as though an attacker could not crack an SSL key/session: It's just that there are far easier ways to eavesdrop on the data being served over SSL. The most common is to install a piece of malicious code on the user's computer. It doesn't matter what kind of SSL connection you're using then: some malware and popular keylogger programs can easily strip out passwords, usernames, credit card numbers, etc. from an SSL session when a victim enters data at an encrypted site, such as a bank web site or online merchant. Another way of hijacking SSL sessions is to hijack the domain name system server that the user relies upon to send e-mail, browse the web, etc.
So, I would worry less about someone intercepting your SSL traffic over the air than I would about making sure your PC is clean and free of malware.
Lincoln, Neb.: Our IT group won't allow us to establish a wireless network. Is there any wireless security that is 99.9 percent effective?
Brian Krebs: Effective? Or did you mean secure? No computer system or network is ever 100 percent secure, and I doubt any are 99.9 percent secure either. Many businesses choose not to implement wireless because it is just another gateway that has to be defended. If set up improperly, wireless can allow bad guys to get around carefully-erected digital defenses on a wired network.
Baltimore, Md.: Re the debit card question: It sounds like the poster's credit union is only making an ATM card available with a dual debit function. I don't think there is really anything to worry about as long as the poster just uses the card as an ATM card and keeps his PIN secret. If he loses it, he would notify the credit union immediately, I presume, whether it is an ATM or an ATM/debit card
Brian Krebs: More advice for the person with the debit/ATM card question. My apologies if I misunderstood the thrust of the question.
Rockville, Md.: Brian: When Windows Vista came out I upgraded to it and reinstalled my Word Perfect Office programs. Everything was fine. Last week Quattro Pro 10 stopped working. The error message was "Microsoft Visual C Runtime Error." I have checked for viruses, which can cause this error and did not find any. I get automatic Windows updates and was wondering if that might be the problem. But Corel says my software is too old to support and there is nothing on the Windows Knowledge base about Quattro. Should I give up and buy Microsoft Office?
I am getting an error screen every time I submit this - so I am doing it more than once to be sure you get it. Sorry if you get more than one.
Brian Krebs: I would start with the advice from Microsoft, here. I doubt Windows Update has anything to do with this problem. Also, some runtime problems can be generated by lingering files and processes. This might not help, but you might also try clearing out your "temp" directory (to get to that directory, click Start, then Run, and in the prompt type "%temp%" without the quotes).
Also, I'm going to take a wild guess here and say that you're visiting this site with Internet Explorer? Do you get the same annoying message if you browse with another browser, like Firefox or Opera? You might give those a whirl and find out.
You can buy the latest Microsoft Office, if you don't mind spending hundreds of dollars. Alternatively, you could download and use the free OpenOffice suite, which does pretty much everything MS Office can, and it's free!
Fairfax, Va.: My father-in-law's computer has recently become infected with a "trojan horse" virus. (He foolishly was employing no security software.) I have attempted to remove this virus using the AVG "scan" feature. It claims to "heal" the virus, but whenever I reboot his system it comes back. What can I do, outside of reformatting the whole hard drive and starting from scratch?
Brian Krebs: Gah! A Windows machine online indefinitely with no security protections whatsoever? Not even a firewall? That system is probably so many more kinds of owned by the bad guys than you can imagine. Chances are good that you may never get it clean.
I'm afraid it would be irresponsible and foolhardy of me to recommend anything other than a backup of data and resintall of the OS. Then you can set him up proper with a firewall, anti-virus and create a limited user account for the poor chap. I'm sorry if that wasn't the answer you were looking for.
Lexington, Ky.: How secure is Apple new Internet browser, Safari 3.0 beta compared to Firefox and IE 7?
Brian Krebs: Probably no more or less secure than Firefox. It's still probably more secure than IE. That's just my gut.
At any rate, it's beta software, so all bets are off (Apple is essentially warning you to expect bugs and the inevitable security holes).
Alexandria, Va.: I shared the concern of the debit card questioner. My bank replaced my ATM card with an ATM/VISA Debit card. After I complained, they sent me another plain ATM card. The person should contact his/her bank and do the same thing.
Brian Krebs: Yet more advice for our concerned reader in the post above.
Fairfax, Va.: Brian - great chat as always. I have a problem with XP, ITunes, and Quicktime. Hope you can provide advice. I have XP set up with limited user accounts. While in one of those accounts, up pops a Quicktime or ITunes window that says there's an important security update, etc. I click to install, and the limited user account prevents installation. Switch to the admin account, go to Quicktime or ITunes for the update, and it says "Your software is up to date". What's going on? I'm running Spybot plus keeping XP up to date, so it doesn't look like a spoof. I can't find anything about this on the Apple web site or through a Google search.
Brian Krebs: If I had a dime for every time iTunes or QuickTime threw up some problem like this with Limited User account setups, I'd be retired and living comfortably in the Bahamas now. iTunes is especially notorious for updates that bring massive numbers of system registry changes that play havoc with a system that employs different user accounts with different system privileges.
Just a guess, but you might try running Apple Software Updater in the limited account using the "Run as" Feature. Open up Windows Explorer and navigate to "C:\Program Files\Apple Software Update". Right click on softwareupdate.exe and select "Run as" and enter the username and password for an account on your machine that has administrative priveleges. Try the updater that way to see if it finishes the job or fixes this problem.
Alternatively, one way I have fixed problems like this in the past is to temporarily change the limited user account back to an admininistrator-level account, finish the update process or whatever is getting stuck, and then revert it back to a limited account. This is kind of a pain, because it forces you to log in and out and and in and out and in and out of various accounts, but it usually works nonetheless. Just don't forget to switch it back to a limited account. Good luck.
Portland, Ore.: I do have a credit card, which is why I find those aspects of the debit card unappealing. I would like to be able to get cash out when necessary--I enjoyed using my ATM card to pay for groceries and get a little cash out. So I am not sure I can do without the ATM aspects of the debit card, but I don't want one overall.
Brian Krebs: The dialogue about the ATM card continues.
Cheverly, Md.: I decided not to renew my subscription to McAfee and instead have added the free versions of AVG and AD-Aware and a spam blocker. Several sources of info (Cnet and PC Magazine) have dramatically different ratings for free security ware... whats your opinion.
Brian Krebs: Just use some kind of anti-virus software. They all fare differently in successive tests, with sometimes the free ones performing better at detecting new threats, and sometimes the pay/suite programs do better. The truth is, none of them do a great job. But AV is sort of a necessity on a Windows machine, so just get something and make sure you keep it up to date (or that it handles this task on its own, as most do). AVG is a fine free anti-virus program.
My advice on the anti-spyware stuff: 86 the ad-aware stuff, or keep it it you really want, but think hard about changing your system to use a limited user account. You won't ever have to deal with spyware/adware again, or most likely viruses or worms, for that matter. See my instructions here on how to do that.
Newllano, La.: On my notebook running wireless my connection was a lot slower than wired so in props for wireless chip I unchecked IPV6 and speed is good now what is IPV6?
Brian Krebs: I'm assuming you're running Windows Vista, which has support for IPV6 built in to the networking clients on all machines?
Anyway, IPV6 stands for Internet Protocol Version 6. It's an update to the standard IPV4 most widely in use today that's designed to address a number of Internet scalability (i.e., the eventual exhaustion of all available Internet addresses, which may happen within a few years if you believe the doom-and-gloomers) and some peripheral security improvements that not a lot of network owners (at least here in the US) fully support or have adopted yet.
Anyway, you can safely use IPV4 without IPV6 enabled, and if you're getting faster results by doing so, I say go for it. But thanks for your question: I'll have to go back and check my Vista installation and see if IPV6 is checked by default (I didn't think it was).
Brian Krebs: I mispoke earlier in my response about Acronis' product. Acronis TrueImage is for backing up the contents of a hard drive. Acronis DiskDirector is their disk-partitioning tool
Pittsburgh, Pa.: Brian,
A few weeks ago, my A drive quit working. Shortly after that, the computer refused to finish posting, sticking on the W2K Pro screen. Now it doesn't even get that far, just sits there looking for a MAC address. I'm assuming the motherboard is toast? Comments?
Brian Krebs: Youch. It sure sounds like a hardware problem, and dying motherboards are the the biggest pain because they require so much extra work and effort to fix.
My experience is that memory sticks are usually the culprit). Does the system pass a memory test? Do you have any other system memory cards you could swap in to see if that changes the situation? Wimpy power supplies can suprisingly cause plenty of hardware and posting problems, particularly if you have added peripherals that seriously tax the system's power resources.
Have you tried booting into the Windows installation CD to see if you can repair the operating system? Another thought: what happens if you disconnect the A drive? Perhaps something went haywire with that device and it's bringing the rest of the system down. Just spitballing here: this is one of those really-hard-to-diagnose-over-an-online-chat problems. Best of luck, Pittsburgh.
Ft Belvoir: Brian - I use MS Outlook on my home computer for email. When I reply to an email that was received in HTML, there is a lag between the time I type three or four words and when it appears on the screen. This has been a recent occurrence. Now I just change the formating to text when I reply. Any ideas what could be causing this?
Brian Krebs: I don't have OE here on my machine, but the program probably has a setting so that you can reply to HTML emails in plain text (alternatively, you could see if turning off HTML emails fixes the problem). Is that what you've done? My question is why would you want to return the e-mail in HTML format, unless for some reason you're adding some HTML in there? Disabling images in Outlook is a good idea from a security perspective as well (some people disagree with me on this advice, but there it is).
There are some potential other answers at this Google Groups listing.
Greenbelt, Md.: Hi Brian, Thanks as always for your blog. I had 3 questions for you:
1. I always do all my stuff on my home PC using a limited user account as you suggest. Could crap get on your machine, wait till you log in as admin and then do its dirty work?
2. Any updates on your Stonewall trial?
3. It looks like ZoneAlarm still does not have their free Vista firewall available yet. I guess what you tested was the security suite for Vista. Is that right?
Brian Krebs: The "Smoothwall" trial didn't go so smoothly. I've been meaning to get back around to that project but haven't found the time.
Re, question 1: It's very doubtful that would happen. I wouldn't lose any sleep over it.
Re: question 3: I'm struggling hard to understand why so many people are saying that Check Point hasn't yet released a version of the free Zone Alarm for Vista: The link is right there near the top of at this link here installed the free version of ZoneAlarm on my copy of Windows Vista. If it doesn't do the same for you, please let me know. I just tried the link again, and it appears to be still downloadable.
Fairfax, Va.: I apologize for this dumb question, but do you suggest leaving one's computer up and running all the time or shutting it down when done for the day?
Brian Krebs: Not a dumb question. Why not turn the machine off if you're not going to use it for hours and hours on end? Computers and monitors and other peripherals draw a lot of energy, and they create heat. You can probably shave a few bucks each month off your electrical bill just by turning your machine off when you're not using it.
Brian Krebs: Thanks to everyone for stopping by and/or for participating in this chat. I hope it was useful and informative. We'll do this again in a couple of weeks time. Meanwhile, please make it a habit to stop by the Security Fix blog once a day to keep abreast of the latest computer security news and tips. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.