Security Fix Live
Friday, July 6, 2007; 11:00 AM
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and welcome back to Security Fix Live. As always, please be kind enough in your questions to include any details relevant to your problem, such as installed security software, error messages, operating system version, that kind of thing.
Columbus, Ga.: Do we really need to bother "upping" our security online with our personal computers since somewhere down the line our bank or insurance company or some government agency over which we have no control is probably going to compromise us anyway?
Brian Krebs: Well, that strikes me as a somewhat fatalistic and backwards notion. Maybe we shouldn't have car insurance because we're going to get in an accident eventually? Maybe we should all just give up on taking care of our health because we're all going to die at some point?
Here's the reality: Information stolen directly from your computer has a far greater chance of being used fraudulently than the same information lost or stolen from a company you do business with. Recent studies have shown that a small percentage of corporate data breaches or losses actually result in identity theft or identity fraud. On the other hand, if the security of your PC is so low that you invite bad guys in to take control over it, I can almost guarantee that any sensitive data you store on that machine or transmit over the Web will be stolen and used for nefarious purposes.
Alexandria, Va.: Wi-fi security question: Free wi-fi seems to be more and more available, yet I keep reading that it's impossible to protect yourself from security breaches when you use it.
So my question for you is: Do you use it yourself? And are there new security tools coming up that will make it safer to use?
Brian Krebs: I have no problem using a public wi-fi terminal. But when I do, I'm usually just browsing the Web or checking some site. I almost never visit sites that require authentication or sensitive data using public (unfamiliar) wi-fi hotspots. If you do not control the network, you cannot trust it. Period. Plenty of people will say I'm overreaching on this perspective, and that's fine.
If you want peace of mind while using public wi-fi networks, you might consider investing in a virtual private network (VPN) solution, which encrypts your connection between your PC and the wireless router to prevent people from potentially snooping on your data as it whizzes by wirelessly. There are even free VPN solutions available now, such as this one.
Middletown, Del.: What is a "security certificate", who issues it, and why do I need it to visit some websites?
Brian Krebs: Web users normally encounter security certificates when they first visit a site that requires a Secure Sockets Layer (SSL) connection, which is designed to maintain an encrypted communications pipeline between the Web site and the user's browser. Typically, you'll see these certs at any site that requires you to submit personal or financial details.
Security certificates are issued by a variety of companies that are supposed to do some due diligence on verifying the identity of the company seeking the certificate (although exactly how much verification actually takes place in this low-margin industry is the subject of some debate), and the certificate itself contains a great deal of information -- should you choose to examine it -- about who issued the cert, how long it is good for, the identity of the Web site you're visiting, that sort of thing. Unfortunately, much of the information contained in certs is not terribly easy for the average Web user to decipher.
Charleston, W.V.: Twice in as many days I have heard the sound of a squeaking hinge and a door slamming. What is it?
Brian Krebs: Umm...I'm going to take a wild guess here and say that you or someone in your place is using AOL's Instant Messenger software? That sound you're hearing is the sound AIM makes when one of your "buddies" signs off. I know this because about 5 different people within earshot of my cubicle at work for whatever reason haven't disabled the sound function in AIM, so we all get to hear the lovely sound of doors opening and slamming all day, along with the "boodaloop" noise that's made each time someone sends a message. Joy.
Quantico, Va.: Brian--Many Yahoo services seem to be slow or inaccessible this morning, even the main home page. I can't log into Yahoo Mail or Yahoo Jukebox most of the time, although they sometimes come up again for a couple of minutes. I don't think this is related to my office LAN, because I have no problems with Gmail or washpost or any other site. Are they having trouble?
Brian Krebs: No, it wasn't just you. Yahoo and its affiliated services appeared to have been down for a short period this morning, although everything seems to be just hunky-dory again.
Washington, D.C.: Brian, this is my first time actually submitting a question to your forum so I am not sure of the format for your questioning but here I go. Sometimes when I am online, I lose control of my mouse. Does this mean that someone else has taken control of my PC?
Brian Krebs: Please clarify what "lose control over my mouse" means. Are you saying that it moves around the screen on its own (other than the occasional mouse "drift" that sometimes happens, particularly in trackball-based mouse controllers)?
It certainly *could* be the case that someone is remote-controlling your mouse -- some well-known malicious programs are designed to do just that. But it's highly unlikely. Most criminals who break into computers do so to steal information, and in order to do that they usually need to lay low and not call attention to themselves.
Freising, Germany: I realize that this question is way off topic, but I've been puzzled for quite a while on how terrorist web sites manage to stay online for so long without the webmasters being caught. There must be significant computer skills involved in this.
The most well known was "irhabi007", a computer whiz who was finally caught.
Is the art of putting up anonymous and non-traceable web sites related at all with the techniques used by the authors of viruses?
Brian Krebs: Not off-topic at all. Part of the problem is that many times these sites are registered using stolen identities and stolen credit cards, so tracing the sites back to the people whose name is attached to the record leads nowhere.
Also, contacting Internet service providers, hosting companies and other responsible parties takes time, but more importantly it takes knowing the right person at those organizations to encourage them to take action quickly.
Some of the most pernicious phishing attacks and scam web sites on the 'Net today take advantage of so-called "fast-flux" networks. Basically, these rely on hundreds of compromised home PCs, which all host copies of a phishing site. Imagine how much work it takes to get just one of these machines taken offline. Now imagine doing that at 50 different ISPs.
Olney, Md.: Thanks for answering the question about open WiFi APs. Would logging on to a site using HTTPS provide any protection? The password should be encrypted along with all other traffic, right? I don't want to get into the strength of the encryption, just whether the username and password are encrypted if the login page is "secure".
Brian Krebs: Sure. But certificates can be spoofed as well. How many people, if they log on to a Web site over wireless and are presented with a prompt that says "hey, we don't recognize this certificate as legit, but if you want to go ahead and visit the site anyway, feel free" would click "cancel," instead of blithely clicking "okay"?
I can't say scientifically what percentage of folks would proceed, but just based on my observations of human nature and the average person's understanding of how Web site security and certificates work, I'd say more than half of folks would continue whether or not the cert checked out.
Greenbelt, Md.: Hi Brian, I had asked last time about ZoneAlarm firewall for Vista. I have tried your link as well as one downloaded from the Zonelabs website. Each time, the installation starts by asking the usual information and telling that it will be installed under Program Files. After that it keeps giving an error with Vmon.dll. I see the files getting copied, but there is nothing that happens that tells me that the installation is complete. If I restart the machine, I don't see any ZoneAlarm program running.
I wonder what's happening and if you have heard of others having issues like this. I have to check the forums at ZoneLabs to see if others are seeing similar issues. Thanks. -Raghu
Brian Krebs: It seems you are not the only one having this problem, according to ZoneLabs' user forum. Check out that link for some suggestions on how to fix this problem. Good luck.
Alexandria, Va.: If I buy a Mac, do all my security problems go away?
Brian Krebs: Ah, would that it were that easy. You probably won't have much in the way of viruses or spyware to deal with on the Mac, but that doesn't mean the machine can't be hacked, or that you can't be socially-engineered or tricked into giving away personal information at a bogus site or installing some malicious piece of software.
Security is just as much about fortifying your machine and networks as it is a human challenge, meaning that more often than not foolish decisions cause people to muck up their machines more than any invasive program.
I have a Macbook Pro, and I absolutely love the thing. But when I head out to the back-to-back BlackHat/Defcon conferences at the end of the month in Vegas, I will be taking my Windows XP laptop and leaving the Macbook at home. Why? Quite simply, I know and understand a great deal more about securing my Windows box than I do the Mac. And, I know that there are a large number of people who are aggressively searching for vulnerabilities in Mac OS X and related software. Given Apple's track record with some security researchers, I'm willing to bet money that a reasonable number of them have found and are jealously guarding (i.e., not reporting to Apple) security vulnerabilities they've found in Apple's operating system.
Maybe it was just a nasty coincidence, but earlier this year at the Shmoocon hacker conference in Washington, D.C., my Mac had a system crash within less than a minute of joining one of the hacker convention's wireless networks. True, that sort of thing may be par for the course for people foolish enough to get on a wireless network at a hacker convention, but nevertheless it's had me spooked ever since.
Arlington, Va.: I just got a new MacBook, which has both the Mac OS and Windows XP installed on it. Do you have any recommendations for anti-virus software for the Mac OS side, and do I need separate protection for the XP side?
Brian Krebs: I'm guessing you have Bootcamp set up on that machine, so that you can boot either into OS X or Windows? At any rate, you should definitely get anti-virus protection for the Windows side, but that's not going to do anything for the Mac side. If you're looking for an anti-virus solution for the Mac, there are plenty available. One free option is ClamXav.
Poway, Calif.: Brian, I would appreciate it if you would list some of the free antivirus, antispam, firewall software/sites that you recommend. Thanks, Jaime
Brian Krebs: Free anti-virus:
Free Firewall Software:
Free Antispyware Tools:
In place of anti-spyware software, you'd be better off setting up your Windows system to run under a limited account for everyday use. See these instructions for that.
Newllano, La.: I am running Vista Home Premium on a new Gateway notebook and the only problem I have had is with Quicktime, it crashes Firefox when I listen to a stream in FF with the QT plugin. Is there an answer to this problem?
Brian Krebs: Is your version of QuickTime up-to-date on patches? (the latest version is 7.1.6 -- to find out, go to "Help" and then "About Quicktime").
What happens when you save the stream onto your machine and view it with the QuickTime application itself?
You might try uninstalling and re-installing QT to see if that fixes the problem.
Arlington, Va.: It's actually a MacBook with Parallels which allows me to run both the Mac and Windows sides at the same time. Does that make a difference?
Brian Krebs: Nope. That's the exact setup I have on my Macbook: Vista running via Parallels on top of OS X. But you'll still need to protect Windows with its own anti-virus software, especially now that Parallels has made sharing of certain directories between the Mac and Windows the default.
Fairfax, Va.: Brian, Did a reload on my sister's computer, including a new hard drive. Sis didn't have the CD for the motherboard, so I needed to find the drivers. No markings on the motherboard as far as maker. Going in thru sys info I was able to find the chipset maker. Went to their website and downloaded what I thought should be the drivers for sound and video.
Mailed her the CD and have yet to hear anything back. Do you think I got everything she'll need?
Brian Krebs: Probably not. Installing motherboard drivers isn't rocket surgery, but it might not be the most intuitive thing for the average user. Getting all the system peripherals set up and working properly after a fresh install can be a real pain sometimes. Did you also set her up with some decent security software and perhaps a limited user account? I sure hope so.
Roebling, N.J.: Brian, Isn't it time we put some pressure on lawmakers to insist that ISPs police their own networks? They should be able to detect phishing and spam activity coming from their networks - much more easily than the recipients and even law enforcement agencies. At the least they could isolate the culprits and allow only "normal" activity.
Brian Krebs: We should, and I have argued for this in the past. However, I don't think it will ever happen, at least not until the stench from phishing, so many rotting computers and identity theft starts reeking so badly that it begins to permeate the nostrils of our policymakers and regulators.
Most major ISPs do have very busy abuse departments, but these guys are often the same people responsible for simply keeping the network running efficiently and in a cost-effective manner. I've heard anecdotes from ISP employees who say that rolling a truck out to one customer's home or troubleshooting a PC problem with them costs the ISP more money than they will make from that customer in a year.
The other problem is that cutting off customers whose machines are clearly infected with something almost guarantees at least one (usually many) support calls, angry customers, etc.
One way to help change this whole screwed-up dynamic is to shine a big honkin' spotlight on the ISPs and hosting providers that are home to some of the worst and long-running offenders. There is some very good work going on at the moment that should lead us further toward that kind of real-time knowledge.
But the fundamental problem is that computer security is what economists like to call an "externality," meaning that its costs are diffuse and borne across society, such that no single entity or individual can do much to affect the overall security/insecurity of the ecosystem. Pollution is an externality, and people can do their part to keep their corner of the world tidy and clean, and recycle and all that good stuff. Same thing with security.
And you are right. Quite often, the only way to address externalities is to regulate them, so that all players are incurring the same costs, and no one actor experiences a market disadvantage for doing the proper thing. I sincerely hope that we don't have to have more government involvement in regulating the Internet, but I suspect that at some point -- if things continue along the trends we're seeing -- that will become unavoidable.
Washington, D.C.: Of course no computer is 100 percent invulnerable to security breaches, particularly ones that entail physical access to the machine, or trickery via social engineering. That said, we have yet to see the first example of "in-the-wild" viruses or spyware for Mac OS X. There are periodically "proof of concept" hacks that gain a bit of publicity, and underscore the theoretical vulnerability of OS X, but if you're running OS X right now your risk of actual infection is about as close to zero as it can be without actually being there.
Brian Krebs: More perspective from the Mac-security minded.
Miami, Fla.: I just switched my ISP to ATT DSL (Bellsouth). Since I subscribe to their highest level of service, they automatically assigned me to a static IP address. Do you feel that this is leaving myself open to hackers? They will change me to a dynamic IP address upon request.
Brian Krebs: It doesn't matter. And I doubt that you have a true static IP address. Many broadband providers *appear* to give customers static IPs, because they can stay the same for very long periods, sometimes years. It all depends on the provider. Some of them force customers to "renew" their IP -- or fetch a new one -- after a certain time-out period.
Want to test whether you really have a static IP or not? Connect your network to a new wireless router, or temporarily change the computer's MAC address and reboot the system. Chances are, you will find that your ISP assigns you a new IP as well.
Kingstowne, Va.: Have you any experience with using a modified Hosts file? Do you recommend them for speeding up the browser?
Brian Krebs: This person is referring to the Windows Hosts file, a text file on all Windows computers that by default has nothing really meaningful in it but can be configured as a blacklist of Internet Web sites and addresses that the system is not allowed to visit. Malware and spyware sometimes hijack this file with new entries that redirect Web browsers to certain Web sites.
I have toyed with a modified host file in the past, and it works fine, as far as that goes. But the problem with this approach -- as with all blacklist/whitelist approaches -- is that the universe of bad/malicious sites is constantly changing and evolving, and so maintaining a very effective hosts file can take some time.
Anyway, this site has some decent info on host file usage, as well as some suggested entries.
It may be worth noting here that if you're running the system under a limited user account, that account does not have rights to modify the hosts file... just in case you were looking for a solution to prevent someone or something from silently modifying your hosts file.
Brian Krebs: That's all that I have time for today, dear readers. A big thanks to everyone who stopped by and/or helped to make this chat a lively one. It may be several weeks before we host the next Security Fix Live, so in the meantime please stop by the Security Fix blog regularly to stay abreast of the latest security news and tips.
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.