Security Fix Live

Network News

X Profile
View More Activity
Brian Krebs
Security Fix Blogger
Friday, August 31, 2007; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Aug. 31 at 11 a.m. ET to provide advice on how to protect yourself and your personal information online.

A transcript follows.

____________________

Brian Krebs: Greetings, dear Security Fix readers. Welcome back to another Security Fix Live. As usual, please be as descriptive as possible when asking a question, including wherever possible any error messages, as well as some idea about your system setup, such as operating system, and other security software you may already have.

_______________________

Falls Church, Va.: Just to make sure I've got this straight: only users who fell for a phishing scheme at Monster.com and USAJobs are at risk, correct? If I have accounts on those sites but have not accessed them for months nor responded to any fraudulent ads or email, am I safe?

Brian Krebs: The reader is referring to the blog post I put up yesterday, and the original story.

In answer to your question, yes, you are correct. If you didn't respond to any of the phishing scams or open attachments mailed out in any of the job scams, you should be fine.

_______________________

Lincoln, Neb.: If I had just one computer could I connect to an external cable modem and a router for more security that just using the cable modem? Thanks

Brian Krebs: Certainly. In fact, I would recommend a router with a built-in hardware firewall to anyone using a broadband connection. Router-based firewalls do a fantastic job of blocking unwanted Internet traffic, so much so that any software -based firewalls installed on the machine (such as ZoneAlarm, or Sygate) won't see much in the way of externally-initiated traffic requests, because the router will simply drop that traffic before it gets to your machine.

Even so, I recommend that Windows users take advantage of both hardware and software firewalls, as hardware firewalls do a great job keeping stuff out, but they don't tell you when something already on your machine is requesting Internet access to send communications FROM your machine to another place online.

Checking the traffic logs on my hardware router, I can see hundreds of connections or probes from other machines on my cable provider's network simply dropped or ignored.

_______________________

San Diego, Calif.: Hi Brian,

What can you tell me about Secunia Personal Software Inspector. I have it running here on Secure Sockets Layer, according to Sygate firewall, but after three days all it does is sit here and divulge all my programs to it's offices without giving me any advice whatsoever. I was told I would get advice on programs, when I downloaded it, outdated and the like. Your column is important so keep it up, thanks.

Brian Krebs: The reader is asking about Secunia's Software Inspector service, which tries to figure out whether a myriad of applications on your machine are up to date with the latest software updates.

San Diego, do you have the latest version of Java on your machine? Because the Inspector requires you to have Java for it to produce results. And if Sygate is blocking the requests, obviously you won't see the results. So make sure those two things aren't the problem and report back, please.

_______________________

Arlington, Va.: Do you still recommend using Spy Catcher Express? I have Windows 2000 and I am having lots of problems with this software. Any other good anti-spyware. Thanks

Brian Krebs: I don't believe I have ever recommended Spy Catcher Express, which by the way doesn't appear to be sold anymore (it looks like it got completely panned in user reviews from CNet's Download.com).

Sunbelt Software's Counterspy isn't free, but it's probably one of the better commercial tools out there. What's the matter with AdAware and Spybot Search and Destroy? Both free, both quite good at detecting new threats.

Personally, I don't like to recommend anti-spyware software. I think it is more constructive and helpful to recommend that people change their system so that the Windows user account they browse the web with and use for everyday computer usage does not have rights to install software. At the very, very least, all Windows users should be using something like DropMyRights, to lower the privilege level of the browser. To take it a step further, ditch Internet Explorer altogether and use Firefox with the noscript add-on. If you'd prefer to guard against unknown vulnerabilities in other applications -- such as QuickTime, AIM, e-mail software etc. -- from being used to take over your machine, consider changing your everyday account to a limited user account.

Trust me on this: Follow the least of my recommendations in the last paragraph and you probably will have no need of anti-spyware software.

_______________________

Maine: Is this a hopeless cause? Windows XP, still on service pack 1, other critical updates not installed either. No up to date virus protection. What I can do to help someone get this computer back up and running properly. Right now they have trouble getting programs to download and install so even getting free virus protection software on there is difficult. If they have the disc is re-formatting the best option, if they don't, what can be done?

Brian Krebs: In my opinion, yes, it's a hopeless cause. If you have the install disc, you should absolutely reformat (I get the sense that this is a machine that a friend or family member has been using?). You could spend forever and a day trying (without success) to remove malware and be sure that the machine is clean, or you could just reinstall, apply the missing patches, install AV and set the system up to run under a limited User/drop my rights setup (see above for links to both), and be much better off.

If they don't have the formatting disc, as long as they have a proper license key from Microsoft, there's probably no harm in asking a friend if they could borrow an install disc.

Alternatively, you could ask the computer owner if they need the machine for anything more than Web browsing and e-mail? If not, you might consider setting them up with something like Debian (free), which is very easy to use, install and update. Even more alternatively, you could burn any one of several dozen Live Linux CD distributions, and just have them keep that in their CD-Rom drive and boot to it when they want to get online. Most of these CD-distros will even allow the user to access their MS Windows files (although, attempting to write to these NTFS files from a Live CDs distro is not advised). Most of those (knoppix, etc) come with with full featured browsers, chat clients, Open Office, CD/DVD burning utilities, etc. Good luck.

_______________________

Clifton, N.J.: I'm a Mac use rand use Intego anti virus. Does this protect windows Users from receiving malware from me?

Brian Krebs: Never heard of Intego, but then I'm not the world's biggest expert on anti-virus software for the Mac. One of the things I've always wondered is, if there are no real viruses, worms or Trojans actively attacking the Mac platform, just what do the anti-virus companies use as definitions? My suspicion is the bulk of the definitions files on AV software for the Mac uses snippets of generic Windows malware and/or proof-of-concept Mac viruses submitted to the anti-virus companies. Even, so it's an interesting situation.

To your question, no one anti-virus program will protect you from 100 percent of the threats, and actually few have shown to do better than detecting even 65 percent of the newest threats out there. Here's the sad reality: cyber crooks are releasing many thousands of virus, Trojan horse and worm variants each day, mainly to stay ahead of the AV companies, which still rely mostly on technology that requires crafting a new definition to detect each new virus.

So, it's impossible to say whether your Mac AV will prevent you from sending any malware to a Windows user. In most cases, AV is reactive: I.e., it will flag something when a malicious file is opened or accessed or actively scanned. So, probably the best you could do if you were really worried about this is to avoid downloading files from iffy places online, and then scan them with AV after you do. If the person you're sending the files to also scans it, the chances of anything getting passed along diminishes quite a bit, I'd say.

_______________________

Cody, Wyo.: Hi Brian, I've got a couple of questions sort of related to security. I'm running Windows XP home with SP2, and all the most recent updates. My computer is a 2 and 1/2-year old Gateway desktop.

First, I recently noticed in my Add/Remove Programs section at the Control Panel, I've got a zillion files for Windows XP security updates. Can I just delete them, or will that screw up Windows?

Second, I recently downloaded the beta version of Secunia's Personal Software Inspector (PSI). I absolutely love it -- it's far more thorough than their regular Software Inspector -- it scans for over 4,000 different applications.

Anyway, my computer came out pretty well except for one thing. PSI flagged as insecure a Norton antivirus file. I haven't used Norton for several years now, and thought I had uninstalled the program and all its components. The file in question is on a partition -- the D:- drive. The partition, set up by Gateway before I got the computer, is used only to restore the computer to its original configuration, if that becomes necessary. When I tried to go into the partition, I got a warning message saying:

"This area of your hard disk (or partition) contains files used for your system recovery. Do not delete or alter these files. Any change to this partition could prevent any recovery later."

So I just left it alone. My computer, when new, came with Norton Antivirus pre-installed. So I suspect the file PSI is flagging is from that. Do I need to be concerned about this file -- is my computer vulnerable to attack because it's there?

Thanks, Brian, as always for your great columns and advice. John

Brian Krebs: Hi John. Don't delete anything -- including Windows patches -- from Add/Remove Programs that you don't want to really remove from your machine. Not saying that Add/Remove always gets rid of programs 100 percent, but you certainly don't want to go around removing patches without a reason. If you'd rather not see all the updates when in Add/Remove programs, there should be a little check box that you can uncheck at the top of the A/P Window.

Not sure why Norton would be kicking files over to another partition, but then again Norton is one of those programs I alluded to above that is notorious for leaving all kinds of files behind when you try to remove the program from your machine. There is probably no harm in deleting that file and that file only from that drive. Or you could probably just leave it and be fine as well.

_______________________

La Mesa, Calif.: When you switch from IE7 to Firefox do you uninstall IE7? thanks for all your work in providing this info to the world

Brian Krebs: You don't need to uninstall IE, but that's certainly an option. I haven't, however, because some sites that I visit regularly simply don't load properly in non IE browsers (this is absolutely silly in this day and age but it's unfortunately all too common still). But even if you only use IE once in a blue moon, it's important to keep it updated with the latest patches, just like the rest of the Windows PC and other applications you have installed.

_______________________

Baltimore, Md.: What safety precautions can you offer to those who surf via WiFi? Is there a way to check what information the WiFi administrator is gathering from my wireless laptop?

Brian Krebs: I'm assuming your question is about surfing the Web on Wi-fi connections that you do not control, such as a public hotspot?

It is safe to assume that anything not sent over an https://connection can be intercepted and read by anyone on the network, not just the person who righfully owns or runs the network. That includes online chat conversations and any e-mail not sent over a persistent https://connection.

So, if you log into your work OWA email account and send mail, chances are if you look in the address bar you will see that the address you're at consistently maintains the https://, which means sending email that way will be encrypted.

Some Web mail providers use https://connections, but only for sending your password and username over the wire, after which time they switch to plain old http://. The danger here, as I wrote earlier this month, is that anyone on the network who bothered to sniff the network as you logged on, could snarf your session cookie and replay it, thereby interactively logging into your e-mail account. While it's an open question as to how likely it is that someone in your local coffeeshop would know about and be executing such an attack, at least now you know what's possible.

Among the free webmail providers, Gmail is the only major one I'm aware of that allows you to use persistent https://connections (you need to make sure you're logging in at https://www.gmail.com for to be sure).

There are some free and relatively inexpensive Virtual Private Network (VPN) solutions that encrypt all of the traffic that flows to and from your machine on a public network. I have been meaning to review some of these, so thanks for the reminder.

And, as always, be especially watchful on Wi-Fi networks for encryption certificate errors that may pop up when you are attempting to access an https://site: they could be a sign that someone on the network is trying to spoof that cert and redirect your traffic.

_______________________

Waverly, Tenn.: Thank you! I am a newcomer to Washingtonpost.com, and I thoroughly enjoy your articles.

Brian Krebs: Thanks for the kind words. I'm glad you find them useful.

_______________________

Brian Krebs: In my answer to the question above about wi-fi hotspot security, I mentioned but forgot to include a link to a story about a new tool released this month that automates the hijacking of freemail accounts over wifi. That story is here.

_______________________

Silver Spring, Md.: For those who need Internet Explod-Hrer I can recommend the IE Tab plugin in Firefox. It lets you switch rendering engines in a Firefox tab, and select URLs that always open using the IE engine.

Brian Krebs: Thank you, Silver Spring. I was not aware of this interesting plug-in for Firefox. It is available here.

_______________________

Melbourne, Australia: I have XP Pro with DropMyRights, Eset Nod32, Zone Alarm Pro, Ad-aware, Spyware Blaster and Windows Defender. I'm careful what I open and where I surf and as a result I -appear- to be virus free. But every now and then ONE of those aps, usually Spyware Blaster or Win Defender, turns up a trojan described as capable of capturing keystrokes or the like. My question is, why does only one application--a free one at that-- detect the trojan and the other (subscription) programs miss it? That doesn't inspire confidence in the others. Also, how effective is the free Windows Live Security Scan? It takes forever to run and never comes up with anything.

Brian Krebs: Sounds like you have a pretty good security setup there, Melbourne. Lots of people swear by the Windows malware scan, but it's never done me any good on machines that other malware-detecting software has found nasty stuff on.

It's important to keep in mind that while keystroke-logging and form-grabbing Trojans are extremely common, just because you have a Trojan on your machine doesn't necessarily mean you have a full-blown infection there. Trojans are quite often used to get the attacker's foot in the door, and to hold it open long enough to download additional malware.

Often times Anti-virus or anti-spyware software will label a Trojan as a keylogger if the Trojan is most often the first-stage downloader Trojan for a keystroke logger. But anti-virus software and firewall software often can prevent or at least alert the user that the Trojan is trying to install additional content. What's more, often times these Trojans are embedded in malicious or hacked Web pages and load silently through the use of Javascript. It's not uncommon for anti-virus software to find a cached Web page in your history or temporary internet folder that contains the viral/Trojan code, and label that as an infection, even though the Trojan may not have been successful in downloading anything.

That said, I noticed you didn't say anything about the browser. I'd recommend using Firefox, almost exclusively because of the add-on called Noscript which lets the user decide which sites should let Javascript run. Javascript is simply way too powerful a scripting language to allow across the board on a Web browser, yet there is no easy and user-friendly way of controlling this activity on Internet Explorer. My advice: download and use Firefox, install the noscript add-on, and chances are very good that -- provided your machine earns a clean bill of health before you install Firefox (and that you stay away from Internet Exploiter), your AV/anti-spyware programs will not find those random Trojans anymore.

_______________________

Falls Church, Va.: In reference to your response to the hotspot security question: What kind of specific "encryption certificate errors" would be signs of a spoofing attack or other meddling?

Brian Krebs: Hah! This is another thing I was in the midst of blogging about but totally spaced out on. This happened to me the other day while I was logging on to Hotmail. And this happened on my home network, not a wireless network. Nevertheless it was disconcerting. Microsoft chalked it up to a server configuration error.

Anyway, this was the error message that popped up in Firefox:

"Unable to verify the identity of www.windowslive-hotmail.com as a trusted site:

Possible reasons for this error:

-Your browser does not recognize the certificate authority that issued the site's cert.

-The site's certificate is incomplete due to a server misconfiguration.

-You are connected to a site pretending to be

www.windowslive-hotmail.com, possibly to obtain your confidential information."

Generally speaking, if you encounter one of these certificate errors while on a wi-fi hotspot, you'd be well-advised to disconnect, or at the very least do not continue to log in to the site you're trying to visit.

_______________________

also using a Mac -- frequent lost internet connections: every day, every hour, multiple times every hour my EMBARQ dsl connection drops out during page load or just whenever it feels like it. The bottom 2 buttons on network diagnostics turn to either yellow or red -- most often yellow -- and in 15-45 seconds or so USUALLY the green reappears. but it happens ALL THE TIME. I have seen tons of reported user problems at all the major mac communities and user boards -- referred to in many ways -- mainly as a dropped or stalled internet connection or that safari times out or stops loading -- but zero acknowledgments much less fixes from apple.

I have read also about some bug in os x having to do with network time outs or something called lookup. I am fed up it's infuriating -- it seems worse since upgrading to 10.4.x -- we did not seem to have these problems with 10.3.9. I read about wifi folks having similar problems but for sure with dsl. Is it overloaded embarq or is it os X?

Brian Krebs: My stepmother uses Embarq and she was told by one of their technicians that she had to install their Embarq software in order to use her DSL modem. I found, however, that that was not the case, and that the software was very kludy and contained a whole bunch of unnecessary crap apparently designed to steer the user to Internet Explorer and other software best left unused.

I'd love to know whether you as a Mac user were told to install some kind of Embarq software? My question would be: have you tried uninstalling it, and simply hooking the DSL ethernet line straight into your Mac?

_______________________

Fairfax, Va.: After recently upgrading Firefox (using admin. account) my user account without admin. rights kept warning that it could not install important files. No such warnings were given on the administrative account. I assume it was referring to the upgrade. I then uninstalled the account without administrative rights. After creating a new account without rights the Firefox warnings stopped. Is this an error or should one create new user accounts for web access after security upgrades to Windows, Firefox, etc?

I had assumed that all user accounts accessed the same programs. Do they only access programs and files that existed when the accounts were first installed?

Brian Krebs: I think I answered this question in the most recent chat. I believe the component that could not be downloaded/updated was a Java console, and that is a known compatibility problem that has yet to be resolved from Mozilla's end.

One thing that has worked for me in the past with installations that don't quite go right is to temporarily convert the limited user account into an administrator account, log off then log back on, fire up the program again so that it can update whatever it needs to update, and then close out and revert the account back to a limited user account. Not the most elegant solution, but it usually works. Just don't forget to convert the account back to a limtied user account before going back on the web and browsing, etc.

_______________________

Kingstowne, Va.: I'll soon be in the market for a new PC, and I'm up in the air about going to Vista, or sticking w/XP. From a security standpoint, assuming the first thing I do is install my router, anti-virus and anti-spyware software, can either OS be deemed more secure than the other? Do Norton and Webroot have working versions of their software for Vista? How long will MS continue to provide security patches for XP? Thanks.

Brian Krebs: Have you considered getting a Mac? Their lower-end laptops are affordable, slick, very light, and relatively maintenance-free. Even if you went for a more expensive Mac, by the time you discount all that you'll end up spending on security software, services and hardware for the Windows box, you might actually come out even.

Both Norton and Webroot have versions out for Vista now, yes.

My guess is MS will distribute patches for XP probably for another two to three years or so, maybe longer. They're getting ready in a few months to push out Service Pack 3 for XP, but don't expect it to add any new security protection for XP as did SP2: Microsoft would rather everyone pay to upgrade to Vista.

But I'd try not to get too hung up on security in XP vs. Vista. From what I've seen so far, the differences are minimal for most users. The main threats these days involve social engineering, i.e, tricking the user into doing something stupid or installing something that sickens their PC. You should probably be more concerned about whether or not the existing hardware and software licenses you have will work on Vista. Believe it or not, a lot of software and hardware drivers that worked on XP still are not available for Vista.

_______________________

Brian Krebs: That's all the time I've got today, dear readers. Thanks to all who stopped by and especially to those who submitted questions. Please join us in another two weeks for the next Security Fix Live. Until then, please stop by the Security Fix blog regularly to stay up on the latest security news and tips.

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.


© 2007 The Washington Post Company

Network News

X My Profile
View More Activity