washingtonpost.com
Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, August 10, 2007 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Aug. 10 at 11 a.m. ET to provide advice on how to protect yourself and your personal information online.

The transcript follows.

____________________

Brian Krebs: Good morning and Happy Friday, dear Security Fix readers. Thanks for joining me again after such a long hiatus. Please remember to include as much information about your system setup and installed security software before asking your questions. If your question involves an software error of some kind, the exact wording or error number helps a great deal. With that, I'll dive right in.

_______________________

Rockville, Md.: Hi Brian, I am regularly using a limited user account. However, after I installed Firefox, version 2.0.0.4, I get a message - "One or more files could not be updated. Please make sure all other applications are closed and that you have permission to modify files and then restart Firefox to try again." I then click "OK" and the browser opens up immediately. This "message does NOT occur when I use the administrator account, so I don't know what is happening.

I remember when I installed Firefox 2.0.0.4, I got the message that Java console 6.0.01 was not compatible with this version of Firefox and would be disabled. Subsequent updates 2.0.0.5 and 2.0.0.6 did not 'cure' the problem.

I have also noticed after the Firefox 2.0.0.4 installation that Windows Update downloads occur when I am logged on the limited user account; the updates occur on Tuesdays (patch day?), but I have set my computer to do automatic downloads of the updates (if there are any) at 1 a.m. Sunday mornings. I thought I had to be logged on as Administrator for these updates to occur? There are other programs I have tried to install, but I get the message that I had to have Administrator rights, so some programs do recognize that I should be in the Administrator account in order to download.

Any suggestions? FYI, I have Windows XP/SP2, the McAfee security suite and use Ad-aware and Spybot regularly on the computer I've owned since Dec 2, 2006.

On a non-related issue, I ran secunia (software inspector) and was informed that I had an old version of java.exe in C:/i386/java.exe and to remove it. I could not find java.exe there, so I deleted (under Administrator) the Java Platform that was installed when I got my computer. Secunia wouldn't 'work' after that; i.e. Secunia would scan, but not find ANY programs. I "restored" the Java Platform, but Secunia still does not 'work' neither under Administrator or limited user accounts. I have the latest version of Java and is indicated when I type "about:plugins" in the address heading of my browser. Would it help to completely uninstall all Java programs/components and reinstall the current version? I would have thought that 'restoring' the old Java platform would do the trick since removing it is all I did to 'disable' Secunia.

Any light you can shed would be most appreciated. thank you.

Brian Krebs: The Java console is incompatible with newer versions of Firefox, and this is a known issue. See this link here for a full explanation. It says:

The Java installer places a Java console extension in the Firefox program directory which is not visible in Tools -> Add-ons. The Java console included with JRE 6.0 and JRE 6 Update 1

is not compatible with Firefox 2.0.0.1 or later due to the manifest file setting the maximum version number to 2.0. This causes an 'Incompatible Add-ons" message when you upgrade

Firefox, telling you that Java Console version 6.0 or 6.0.01 has been disabled [11]. Java will still work so, if you don't use the Java console, there is no need to do anything.

Otherwise, you could install the Open Java Console extension, which provides a menu option on the Firefox Tools menu for opening the Java Console. This problem is fixed in Java 6 Update 2 according to Sun's bug report, but you will need to uninstall the earlier Java 6.0 or Java 6.0 Update 1 to prevent future incompatibility messages.

On your incomplete Firefox update issue, I found this other thread at Mozillazine that appears to apply to your problem, which has dogged many a Firefox release in the past, it seems. The issue may result from a firewall setting for Firefox that needs to be cleared and reset, or it may be related to an update setting in the browser. Anyway, check out this link here

On the Windows Update issue, here's my understanding of the way it works on a limited user account in XP2. If, as administrator you have set the machine to download and install updates automatically, they should do so just fine under a limited user account. But any other option requires user interaction, and thus won't show up under a limited user account.

I noticed this a while back on a system I had set up on a limited user account that I'd set to automagically download and install updates. It did so just fine while logged in under the limited user account, and I wondered why, when I'd never seen that happen on my main PC, which almost always runs on limited user. Then I realized that on my main PC I have it set to notify me when updates are ready, but to let me choose which ones to install and when.

So, I believe if you select an option that requires user interaction, updates won't install while you're using a limited user account. Someone please, please please correct me if I am wrong.

Finally, on the question about Secunia's Software advisor, I'm sure you know that it requires you to have a working copy of Java on your system. Have you removed all but the latest version of Java from the Windows Add/Remove Programs list? If no clues there, perhaps

try doing "Start," "Run," and then type "Cmd.exe" without the quotes. Then type "java -version," to see what version of Java you have installed. You might also check the Plug-ins in IE and Firefox to make sure they have the latest versions as well.

Wheh! Hope I answered all of your questions.

_______________________

Washington, D.C.: No question. Just wanted to let you know how helpful your advice is through the blogs and this chat. You sent me to my event viewer to troubleshoot a problem with an app trying to start and it was right on. Hooray for BK!

Brian Krebs: Thanks for the compliment, Washington. Very glad to hear that advice worked for you.

_______________________

Chantilly, Va.: Brian, had a problem with my W2K pc. It sometimes wouldn't see both hard drives on post. Sometimes it would boot all the way to the W2K splash screen and hang there.

After much checking in BIOS and other places, I was really upset. Called the guy at the computer store and asked him if my lithium battery on the motherboard could be the cause.

He said no way, has to be something else. I took the battery out, checked the voltage and put it back in. Well, whaddaya know? Computer boots like a champ every time.

Brian Krebs: Hrm. I'm inclined to agree with the guy at the computer store. But then again, I can't tell you how many times just the process of taking things apart and putting them back in somehow fixed the hardware problem. Most times when that happens to me, though, I've done three or four different things, so it's it's hard to pin down what might have fixed it. I'm glad to hear that in your case, you at least have some idea of what might have been the remedy.

_______________________

Arlington, Va.: For months, my spyware sweeps detected nothing on my computer whatsoever. Then this week, it pulls not one but TWO Trojan Horses off my system.

I use Webroot software, sweep for spyware daily, update product definitions daily, and use the Windows firewall. I realize that things will occasionally slip through the cracks, but given that two Trojan Horses made their way through all that within a matter of days, is there anything more I can do to secure my system?

Brian Krebs: I don't typically cover the product security space, so I wasn't aware that Webroot sold anti-virus software with its anti-spyware program, but a lookup on CNET showed that they recently partnered with Sophos anti-virus to do that. I'm assuming you're running some version of Webroot Spy Sweeper 5.2 with Antivirus or later? Otherwise, you should know that older versions of Webroot don't include anti-virus software, which believe it or not is different from anti-spyware software (they tend to look for malware in different places and in different shapes and sizes).

Trojan horse programs are not necessarily all-evil in and of themselves, although their presence on a system often indicates a more serious infection. Basically, they are designed to do what their name suggests: act as a vehicle for other malicious software. They're more or less used to wedge open the door to a system long enough for it to download other components that actually do the nasty deeds. So, just because your AV found a Trojan, doesn't mean your system is infected with malware. It may be that because of your firewall or other security settings, the Trojan wasn't able to download its payload.

In many cases, a Trojan will download to your machine through a browser flaw or -- probably most common - via malicious Javascript -- an unbelievably powerful Web application language that is widely used on the Web. Things like Flash player flaws and Java console bugs have also been used as vectors for Trojans and other nasties.

One of the most important pieces of advice I can give to Windows users is to turn off Javascript on sites unless you need it. Now, this is a hard thing to do on Internet Explorer, because it's sort of an all or nothing setting, which simply doesn't work because practically every site on the 'Net requires Javascript to be turned on. Firefox, however, has a nifty and essential Add-on called Noscript that allows the user to decide which sites should be allowed to load Javascript. So, by default, it says no Mr. Website, you can't load javascript. This takes a little getting used to, and sometimes a noscript user will scratch his head for a few minutes trying to figure out why some site isn't loading right, or why some form didn't submit correctly, and then remember that the site wasn't yet allowed to run Javascript. Trust me on this: things are waaaaaaaayyy too scary out there these days to just let javascript run willy-nilly on your browser anymore.

Keep your third-party apps patched and up-to-date. Check out Secunia's Software Inspector to get started here (requires Java).

Also, set up your machine to run as a limited user account for everyday use. See my tutorial on that for more info.

_______________________

Silver Spring, Md.: Brian, Could you publish an updated list of the latest versions of key programs, to make sure we're up to date with security patches? I'm thinking Adobe Reader, Adobe Flash/Shockwave, Java, and of course any program by Microsoft. Thanks!

Brian Krebs: Yep. I am going to be putting up another edition of the Security Fix Pop Quiz. But in the meantime, the aforementioned Secunia Software Inspector has a decent starting list. From their site:

Adobe Reader

AOL Instant Messenger

Apple Quicktime

Eudora

iTunes

Macromedia Flash Player

Microsoft Internet Explorer

Microsoft MSN Explorer

Microsoft Live Messenger

Microsoft Windows Media Player

Mozilla Firefox

Mozilla Thunderbird

Opera

Real One Player

RealPlayer

Skype

Sun Java JRE

Winamp

WinZip

Yahoo! Messenger

ZoneAlarm

_______________________

Chantilly, Va.: Brian, What's your opinion on external hard drives for storage and security? My thought is that since it would be a USB connect, it would be less susceptible to virus attacks and other problems usually had by hard drives in the computer. Your thoughts ?

Brian Krebs: I like them very much. In fact, my father-in-law very generously just gave me a 500 GB external drive that is firewire based, blazingly fast, and very useful (think large disk images and DVR'd movie files). In all, I now have nearly 2 terabytes of removable drive space. And I find I somehow use it all eventually.

But I'm not sure why you think being on USB or external would make it any less susceptible to being a host for malware? If your machine can see it as a readable and writable drive, so can most malware.

Having just returned from the back to back DEF CON and Black Hat security conferences, I am in the process of re-imaging my laptop, mainly because I don't really trust anyone and those cons can be a dangerous place. But I'm doing so with a previous disk image I saved to a removable drive. I can't emphasize how important it is for Windows users to invest a little time and money into a good backup solution for use in situations where things go terribly wrong, or a virus infection occurs. Just make sure you understand the fundamentals of backing up your system and restoring it before the disaster actually strikes (you might also want to be sure your backup boot disc can actually read from and see the removable drives, if that's where you store your images).

Hope that answers your question.

_______________________

Oakton, Va.: On the Firefox "cannot complete update" problem: in C:-Documents and Settings-(username)-Local Settings-Application Data-Mozilla-Firefox-Mozilla Firefox delete the updates folder, updates.xml and active-update.xml files This fixes the problem

Brian Krebs: That was one of the tips in the link that I forwarded on. Nice to hear it worked for you!

_______________________

Roswell, Ga.: Hi, Brian. In this chat on April 13 you pointed me to Heise Security as a source for a method to collect and apply cumulative Windows patches as an off-line batch. I thought I would report back on my experiences.

It was a good call, Brian. Briefly, Heise provides a script as freeware. Running the script downloads all relevant MS patches for your chosen OS and language and creates an ISO image of the update protocol and those collected patches. You burn an autorun CD of that ISO image and use the CD offline to update a new OS installation. (A complete update, even on a fast machine, can take several hours, particularly if the script has to install SP 2.)

It runs like clockwork, Brian. I used it repeatedly on my "sandbox" computer, checking regularly with Belarc Advisor, Spybot S and D, and Grisoft - complete updates with no baddies. I now use the Heise script regularly on my live machines.

Thanks for the tip, Brian. Your blog is both interesting and helpful.

Brian Krebs: I'm really glad you took the time to run through that, Roswell. I had a similar experience, and am glad you found it useful. If anyone is interested, the chat Roswell is referencing is here.

Also, all previous Security Fix Live chats are linked to from the Security Fix blog home page, at this link here.

_______________________

Manassas, Va.: There does not seem to be much in the media about security flaws as there used to be. As a whole, are companies getting better at fixing security flaws and/or not having such flaws in the first place? Perhaps what security flaws there are are not as serious as those in the past, and thus they do not merit as much media attention?

Brian Krebs: As Bill Lumburgh, the jerko boss from my favorite movie Office Space, would say: "Ummmmm, yeaah. I'm gonna hafta go ahead and and sorta disagree with you on that one."

I look around the media space and see more people, publications, and even the mainstream media, writing about security and software flaws than ever before. Now, I'll grant you, massive, wide-scale worm infections, like the Blaster worm, used to be front-page news, but they have become so common now, and there are so many different kinds of worms, that it's no longer such a big deal (companies generally understand very well how to cope with network worm attacks: those who do not quickly learn the hard way).

I also don't think companies are getting much better at writing secure software. There is simply no proof of that. In fact, the evidence indicates that they're getting worse. Or, at the very least, that more programmers are producing more code than ever before, while at the same time more security researchers are finding it beneficial (and profitable) to dig through this code and find flaws in it than ever before.

So, on the whole, I guess I wanna go ahead and sorta disagree with the entire premise of your question.

Teaching programmers to write software more securely is something we simply must do and must incorporate into our college curriculums (it is for the most part absent today in most schools). Perhaps as important, we need to be doing a much better job bringing a lot more of those responsible for cyber crime to justice.

_______________________

speaking of external drives: I'm moving overseas to the UK for school and though I'll be buying a laptop there, I plan on bringing over my external drive (I checked, I can use it on the 240 system with just a plug end converter). Are the chances any good it'll get fried by x-rays in my checked baggage, or am I expressing a worry many years dead?

Brian Krebs: I don't think the x-rays are what you have to worry about. Perhaps the machines they use in the checked-baggage area are more powerful than those they use when you walk through the security checkpoint (keep in mind laptops have to be scanned through those x-ray machines, and it doesn't harm them).

If I were you, I'd be more worried that my precious drive was going to get stolen from my checked bags than broken or fried. But that's just me. Why not simply pack it in with your carry-on?

_______________________

Bethesda, Md.: A number of years ago, I acquired an old work computer after the company went out of business. I used this computer for years at home, and it wasn't until 2005 that I finally upgraded to DSL.

The DSL connection went through a box (can't recall the technical name) which I could turn on and off, and I was told by reliable IT friends that that would provide a good enough security wall that I wouldn't need to get a separate firewall. As for spysweepers, I just used the Yahoo antispy program on my IE browser, and it never red-flagged anything.

I got rid of that computer about a year ago, and when transferring files off that old computer, I discovered a long-forgotten, long-buried document on my hard drive that contained personal information not for me but for a family member.

My question to you is, is there any danger that that information could have been discovered/stolen from my old computer, given the seemingly secondhand security measures I had in place?

Brian Krebs: Anything is possible, and I'd say given the more or less non-existent security measures that you just described having on your previous PC, the odds are much better than 50 percent that some kind of information-stealing nasty got on that computer. Typically, however, these types of things -- keyloggers, form-grabbers and such -- steal things like passwords stored in the browser or information when it is submitted in a Web page form.

_______________________

Cody, Wyo.: Hi Brian, Welcome back -- you were missed!

The other day a family member asked me an unusual security question I couldn't answer. He has an old version of Microsoft Word which he uses only rarely. And, for whatever reasons, he does not keep the program updated with security patches.

His question was two-part:

Do you have to be actually using the program to be vulnerable to an attack?

Or are you vulnerable simply by having the program on your computer, even if you're not using it?

Thanks, Brian! Keep cool -- I hear you're having a record heat wave back there. John

Brian Krebs: Thanks for the welcome back, Cody.

This is a good question because it applies not just to Word, but to all third party software. The answers are "no," and "sometimes yes" to your first and second questions, respectively.

Just because you don't often use a piece of software, that's not a good excuse to avoid updating it. We've seen plenty of attacks that take advantage of a setting in one program to leverage weaknesses in another to plant malware on a Windows machine, and these attacks are not as complex or as rare as they sound.

Maybe your family member goes to open what he thinks is a word document attached to an email sent (or apparently sent) from a friend or family member (this is a no-no, by the way, unless you were expecting said attachment/file). So, he dutifully clicks on the Word attachment and WHAM!, his machine is now owned by the bad guys.

I take it he's running Office 2000, the oldest version of Office still supported (barely) with security updates? Next time you're at his machine, do him a favor and mosey on over to the Microsoft Office Update site to apply the service packs and other updates. You may also need to have the installation CD handy, although I believe there is now an online installation that allows you to install updates CD-free.

_______________________

Washington, D.C.: We recently purchased a Toshiba laptop with Vista Home Premium. While we set the screensaver settings, the screensaver never comes on. Could there be a security issue interfering with the screen saver? How can I fix this? Thanks.

Brian Krebs: Please circle back in a future chat (two weeks from today) to let me know if this worked.

I saw an answer in an MS support forum about this. It appears to be a known conflict with the Toshiba's drivers and Vista's. Try this: head on over to Microsoft Update, and let it scan for updates. But you need to tell it to scan not just for security updates, but for "optional" updates as well. If you see an optional update for wireless devices there, install it (or them), reboot, and see if that fixes your screensaver problem.

Good luck.

_______________________

Baltimore, Md.: Where does a virus go?: Brian...for the first time since I have been running Bit Defender, it detected a virus a few weeks back. The report said disinfection failed, but that it was quarantined. At the risk of sounding simple, where does the virus get "parked," if you will on my hard drive so that it won't do any damage. (Can't recall the name of the virus, but it had "kill" in the same and an .exe suffix.)

Brian Krebs: Different anti-virus programs handle things differently, of course, but most try to banish viruses and other malware to a special quarantine folder. This is usually an area that is encrypted and protected with a password that is supposed to keep any nasties contained therein from doing any more damage on the host system. AV programs maintain these quarantines so that users can keep tabs on what crud has been banished, and also because occasionally AV will errantly detect and remove a non-malicious file (this is known as a false-positive). In either case, you have the option to restore or permanently delete the file from quarantine.

Try doing this: Empty the quarantine file. Then delete all of your temporary and temporary internet files. Empty the recycle bin. Restart the machine and run another AV scan. Pay attention to whether or not the nasty was detected in the system restore folder -- sometimes the built-in Windows System Restore function will cache viruses on the machine if they are present when the system snapshot is taken. If your AV finds it in those restore points, you will want to get rid of those restore points as well.

Wash, rinse, repeat.

Good luck

_______________________

Nashville, Tenn.: Hope I'm not too late with this question. I tried to close a Firefox tab but was delayed due to its contacting "ssl google analytics." Did a quick search and found that it was sending of my surfing history. There's 'how-to' info on blocking this by adding a handful of Google sites to my HOSTS file, located on my Win XP directory at c:-windows-system32-drivers-etc-hosts.

If true, this sounds like a good idea. Do you recommend it?

Brian Krebs: You could modify the hosts file, but that's liable to take a lot of effort and upkeep. Why not just use the "noscript" add-on for Firefox that I mentioned earlier? Last time I checked, Google Analytics uses Javascript calls to collect that type of information (as do most companies that buy and sell anonymized surfing data). With noscript, you have the power to permanently block such transactions.

Also, the AdBlock add-on has a some seriously advanced settings that you can use to put a stop to this sort of reporting activity.

_______________________

Richmond, Va.: Hi Brian, I don't know if this is a security-related question per se, but my Windows XP computer (with 512MBRAM, about 3.5 years old) has slowed down over the years. Task Manager routinely lists over 70 processes, even when I'm just on Firefox!

I'd like to get rid of some of these processes, but how do I know what is save to remove and what needs to run?

Oh, I should also mention I Verizon DSL so I use their provided anti-spy and anti-virus security suite.

Brian Krebs: Hi Richmond. I recommend these two tools in almost every chat, but I find them so essential to really knowing what's happening on a Windows machine that I don't mind mentioning them over and over again.

Why Microsoft hasn't revamped its lame Task Manager with a program called "Process Explorer" I have no clue. Microsoft bought the company that made the program, which is freely available from Microsoft Downloads. It tries to figure out which running processes are associated with which programs. It does a gajillion other things that you can use to tweak settings -- take some time to read the instructions and you'll be amazed at this little program.

The other program I find indispensable is HiJackThis!, available here. It lets you pick and choose which programs should be allowed to start up when Windows boots. I think you'll find after nixing some of those plug-ins and things like quicktime from starting at boot, you can significantly free up processing power and memory. Have fun.

_______________________

Password security: I have all my passwords in an Open Office Writer document. When I need to use one to access a secure site on Firefox, I cut and copy from the Writer document. How secure/non-secure is this practice? Should I keep the Writer document with my passwords on a thumb drive rather than my PC's hard drive?

Brian Krebs: Doooood. Stop storing your passwords in plaintext already. It's about the most insecure thing you can do.

You need Bruce Schneier's free and excellent Password Safe tool. Again, read the read-me and how-tos, but even these are pretty straightforward. I've recommended this tool to so many people, and even novices can use it easily.

_______________________

Brian Krebs: I'm out of time, people. A big shout of thanks to those who stopped by and to everyone who submitted questions. Please join us again in two weeks for another Security Fix live. Meantime, stop by the Security Fix blog daily to stay abreast of the latest security news, warnings and tips.

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.

View all comments that have been posted about this article.

© 2007 Washingtonpost.Newsweek Interactive