Security Fix Live
Friday, September 28, 2007; 11:00 AM
The transcript follows.
Brian Krebs: Good morning and Happy Friday, dear Security Fix readers. In asking tech-support type questions, please try to be as specific in describing your setup and problem as possible. We're a tad light on questions today, so if you've got a nagging security question, please fire away!
WEP vs. WPA vs. WPA2: Brian- I'm running a wireless connection with FIOS. Can I get your opinion on WEP vs. WPA? Verizon recommends using WEP, but from everything I've read, WPA is more secure. Also, a password is needed to change the router information. If a hacker can get to the password, he can get to the router, regardless of whether it's WEP or WPA. Therefore, isn't the password the most important factor?
Brian Krebs: Yes, WPA is more secure (for home use, you'd select WPA-PSK). If you have the option, go with that over WEP.
You ask a good question, as I was recently investigating Verizon's FIOS offering and ran into a number of users who said they couldn't get WPA working with the Verizon router. Earlier this month, a Verizon FIOS rep knocked on my door and I asked her whether Verizon supported WPA and she said yes. Whether you can get a competent Verizon tech to help you set it up correctly if you have problems is another story.
There are two issues here: One is the password that you use to administer the wireless router, and the other is the passphrase you use as your WPA encryption key. For the router password, pick a good, strong password that does not show up in the dictionary (and not just password1). If you forget or lose the password, you can always reset the router. For the WPA key, pick a passphrase between 8 and 63 characters -- the longer the better. In place of passwords, I like to use passphrases. For example, take a line from your favorite movie or book, and maybe use the first and last letter of each word in the sentence for your passphrase.
But in answer to your question, yes, if someone is sitting outside your house and can guess or brute-force your router password, then the attacker can also turn off all of your security settings. So a strong router password is essential.
Jacksonville, Fla.: Hi Brian, Here's one for the WP. I have an RSS feed to the WP headlines (top leftmost on IE7, Windows XP with SP2) and periodically when I click on a headline this happens: the WP article begins to load and then I get a message "IE cannot open the Internet site" along with the www.wp string, for example wp-dyn, date of article, and ending up with AR2007092702498.html?nav=rss_email.components" and below that "operation aborted" When I click OK on the message, the browser tab closes. When I keep trying, eventually the link finally opens completely...and my suspicion is that one of the ads is causing the glitch. Also, after this operation is aborted, sometimes when I reopen my homepage, the lefthand column extends all the way across the screen (tho there is only text in the "normal" position)! Any clue?
Brian Krebs: I don't know what might be causing this problem for you, and it may well be an ad formatting issue. In any case, I've forwarded your question on to our excellent tech team, who may be able to diagnose the problem. If I get a reply before we wrap up this chat, I will include the answer below.
Prineville, Ore.: Brian - My solution to online security is to buy an inexpensive laptop strictly for the purpose of accessing my specific banking sites. I will do no web browsing or E-mails with it. Do you think it is worth it? Jim, Prineville, Ore.
Brian Krebs: I suppose that's one solution. It's akin to what we do here at Krebs manor. Essentially, while we have multiple computers in the house, we only do online shopping on one of the PCs that is fair locked down.
Rather than purchase a whole new PC for the task, I'd suggest simply downloading a "live CD" distribution of Linux -- take your pick, there are hundreds of them. I'd recommend Ubuntu Live for newbies.
Download the ISO image, burn it to a CD using your favorite disc-burning program, pop the disc into your machine and reboot (you may need to change the boot settings so that it checks for a bootable CD). Depending upon which distro you choose, things can be a bit more complicated if you're doing this over wireless on a laptop, but many of the newer live distributions pull up wireless pretty easily.
The beauty of live CDs is that #1, it's Linux, not Windows, so you eliminate most of the threat there. But also, when you power down the computer, nothing is stored on the hard drive after using a Live CD (unless you've somehow managed to explicitly save a file to the underlying hard drive, which I would NOT recommend from a live distro). Thus, assuming you have verified that the image for your live CD distro hasn't been tampered with -- most have instructions on how to verify that --- you can be sure that even if there is malware on the underlying machine, it won't be able to intercept your communications when you boot into the LIVE CD.
Fairfax, Va.: Brian, You've probably answered this before, but what is RSS?
Brian Krebs: It stands for "really simple syndication," and it's a handy way to read content from Web sites that you frequent without having to visit all them manually.
There are tons of RSS reader programs out there. Some of the best ones are free. I use "SharpReader" (requires you to have Microsoft .NET installed, as do many Windows-based readers), but there are also RSS readers that integrate with the browser or the desktop.
Think of RSS as a newspaper that instead of giving you the news from one source provides all the headlines from each of your favorite sites and blogs. To subscribe to a blog or RSS feed, simply drag the site's RSS icon into your reader, and it should ask you if you want to subscribe to it (although a few RSS readers require you to cut and paste the URL for the RSS feed into the reader to subscribe).
I used to wonder what all the fuss about RSS was, that is -- until I started using it. Now, I don't know how I previously managed stayed up to date without it.
20782: Always good info here. Thanks for the WPA info as FIOS just became available in my neighborhood and I will be switching from DISH.
My ?: I just noticed a virus in my virus vault of my free AVG antivirus. It's been there since July. Should I leave it or clear the vault? I still have 80 percent space left.
Brian Krebs: Er...why keep the nasties around? Just delete it.
Germantown, Md.: Why is it that Lavasoft Ad-Aware picks up 250-300 bad files (almost always tracking cookies) in a weekly scan, but a scan using Norton AV and/or Windows Defender performed just prior to the Ad-Aware scan picks up nothing or maybe one offending file. Is it that Ad-Aware is hypersensitive to the potential dangers of said cookies or that Norton or Microsoft are a bit too cavalier?
Brian Krebs: I suspect it's because Ad-Aware has always looked askew at tracking cookies, treating them as unwelcome guests that pose a privacy risk to the user. Say what you want about cookies -- which are usually placed by Web advertisers to recognize returning visitors -- but I've never paid them much mind. Many people will tell you to be worried about them, but simply put it is sometimes hard to use many Web sites with cookies turned off.
If Norton 360 doesn't flag them, then apparently Symantec does not view them as much of a threat either. I wouldn't say that's being cavalier; I believe that most Windows users have far more serious things to worry about than cookie files.
However, this may be a function of the fact that the anti-virus companies traditionally haven't focused as much on the spyware and adware stuff as much as they have the more overly malicious crap like viruses, worms and Trojan horse programs. There was a time when the AV vendors shied away from detecting adware programs as such, mainly because they were getting sued out the wazoo by the sleazy advertisers who sponsored the programs. That said, most of the AV companies have come around and now heartily detect browser hijackers, spyware and adware.
Arlington, Va.: What are your thought on the iPhone update/Ibrick debacle. Zdnet is reporting that some locked phones are becoming bricked as well. This has all the makings of a PR disaster for Apple. If people buy the phones, then apple should not intentionally try to break them. Its a very uncool move for a company who is based on being perceived as cool.
Brian Krebs: Thanks for the question, Arlington. I'm sort of on the fence about this. I'm not an iPhone owner myself (yet), but I can sympathize with people who pay $600 for a phone wanting to be able to use the device without restrictions.
Having said that, iPhone customers went into the purchase knowing full well that Apple was tying its service for the phones to AT&T. To make such a purchase based solely on the availability of a third-party hack that unlocks the phone for use on other networks seems foolish. I say this because Apple -- like most other electronics makers -- guarantees their products under warranty so long as consumers don't monkey with the innards of the device. Ignoring that caveat -- which by the way is usually displayed fairly prominently on product packaging -- is the surest way to void your warranty.
Now, did Apple design this latest iPhone security update specifically to punish people who had applied this unauthorized modification to the phone? It seems doubtful, but not beyond the realm of possibility for a company that seems to take customer loyalty for granted. But what really amazes me is that iPhone users seem to think Apple is behaving strangely in so many ways with respect to this much hyped device. Gasp! They lowered the price! How DARE they, when I paid $200 more for it! Apple should be sued!
Washington, D.C.: Regarding tracking cookies: it is pretty easy to block cookies from specified domains in your browser's settings. I have blocked cookies from about 60 ad-related domains in Firefox and haven't experienced any ill effects.
Brian Krebs: More thoughts on cookies. Mmmmmmmmm.
Boston, Mass.: Hi Brian: Some time ago I downloaded MS Net Framework. I don't use this - don't know what it is. Can I safely remove it and all of the updates? Thanks.
Brian Krebs: Some programs come with it bundled, and it may be required for the proper functioning of certain programs you have installed. However, if you're not sure, go ahead and uninstall it. You can always re-install it if you want to later. If a program that worked prior to .NET's removal stops working right after the uninstall, then you know what to do.
Washington, D.C.: My job is sending me to China for a year. I'm concerned about email security when I send messages to my family and friends; in particular, I am concerned about the Chinese government intercepting messages that mention sensitive religious or political subjects.
At the very least, I plan to use Gmail in a fully encrypted session. Still, I fear that the Gmail servers I might be connecting to in China are accessible to the Communist government. (I admit this seems unlikely, but it's not too hard to imagine.)
I wonder if you have any ideas for how I can reliably secure my email. One idea I had: a program which produces an encrypted text file that can then be attached to an email. A key requirement is that the solution be easy to use; my mother won't want to learn how to use a complicated new program.
Brian Krebs: Wow. What a fantastic question, thank you. You might want to consider whether you can really trust Google to keep your e-mail private while you're there. After all, Google is among several major Internet search companies that have altered their systems to accommodate Chinese censorship as a condition of doing business there. Read this New York Times story from last year to get a taste of what I mean here.
In theory, you should be able to secure your communications by establishing a virtual private network (VPN) connection back to a trusted network in the US. However, the old adage that if you don't control the host network then you can't vouch for its security and privacy seems very appropriate here. I think you can assume that the Chinese government IS at least trying to monitor your online use and communication as much as they possibly can, as that is a stated policy of the Chinese government.
Now, are there things you can do to try and thwart that? Absolutely. As for e-mail, I recommend reading up on encryption. One good, free source for e-mail encryption is Mozilla's Thunderbird e-mail software, combined with something like GnuPG and Enigmail. Check out this link for references, instructions, and links to all of those programs. Once you've set this up on your machine, it should not be hard to explain to your mom how to use it.
For anonymity (not privacy) in Web surfing, I'd recommend checking out Tor, newer versions of which are now fairly easy to use, even for Windows users.
Cookie tracking: Brian, I welcome all cookies when I'm surfing the web. When I close Opera, I have it set to delete all new cookies. No problem.
Brian Krebs: The cookie conversation continues....
Bethesda, Md.: Sometimes I receive spam that lists MY OWN E-MAIL ADDRESS as the sender (not my name, just the e-mail address). This always weirds me out, and makes me wonder if my e-mail system has been hacked. Or in your opinion, is this just a spammer trying to masquerade under someone's e-mail address? For the record, that piece of spam goes right to my junk mailbox.
Brian Krebs: Since I'm nearly out of time, I'm going to kill two birds with one stone here, as another reader asks: "I have a website and sometimes get mail from a spammer using my e-mail address. How can this be prevented?"
To the first question: Spammers harvest e-mail addresses obviously so they can have huge lists of people to send mail to. But the same automated programs used to blast out spam email typically use some random sampling of the addresses in the "To:" list as the "From" list. In this case, someone receives an e-mail that appears to have been sent by you, because it has your e-mail address in the forged e-mail "from:" header. Now, if that e-mail gets sent to an e-mail server that blocks it, refuses it, or does not recognize the address in the "To:" field, that server will sometimes send a reply message back to the address in the "from:" field. If that address is forged (i.e., yours), you will receive a message saying the email you tried to send couldn't be delivered. Of course, you didn't send it -- the spammer did -- but the e-mail server doesn't know any better (actually, there are ways that email server administrators can limit this kind of stupidity, but that's another story).
To the second question, you can limit the possibility of your e-mail address being harvested for spam runs by not posting your e-mail address on the Web, period. On your site, instead of simply listing your e-mail address for people to contact you, use the "mailto:" HTML feature and hyperlink your address so that when someone clicks on the link it launches their default e-mail reader. Alternatively, instead of listing your e-mail address as firstname.lastname@example.org, which spam bots will harvest in the blink of an eye, you can simply spell out your email address as yourname AT your ISP DOT COM (--that's what I do when I need to list my e-mail in this chat).
Chantilly, Va.: Brian, Aren't there standards that browsers and websites are supposed to comply with?
The reason I ask is that there are still quite a few sites that are not "Opera friendly", thus forcing me to use the dreaded IE. Opera's website says that it's compliant with all current standards, so there's the confusing issue.
Brian Krebs: There are no shortage of Web standards. Unfortunately, many Web site administrators simply ignore them, building features that are meant to render a certain way in one particular browser. This is usually because the admin learned to build IE-specific sites through some class instruction or more likely through some book or tutorial. Maybe they are enamored of some particular kind of IE-friendly style sheet or script -- who knows...the possible explanations are many.
But I've also seen this kind of behavior on corporate sites that really ought to know better in this day and age. Either way, sites that don't work properly in anything but Internet Exploder are still fairly common, unfortunately.
Barberton Ohio: Brian, in the previous live chat I had a problem with viewing new email under the limited user account with MS Office Enterprise 2007/Outlook. Thanks for the ideas for resolving this and it is now working fine.
Another question, I'm using an IBM Thinkpad T43 with Ad-Aware Plus, Avast, and PC Tools Spyware Doctor. I always log into the limited user account and if there is a "smart update" available for Spyware Doctor, I must log off the limited account and log in under the Admin account to install. Is there a way to install this from the limited account? By the way, Avast installs all database updates under the limited account. Thanks!
Brian Krebs: Glad to hear my previous advice helped, Ohio. There are a couple of options: One, is a program I've mentioned before called "Make Me Admin," which allows limited user accounts to temporarily become administrator without logging out. A link to the program and an explainer on it is available here.
Alternatively, you could launch Spyware Doctor using the "Run As" command, select an account with admin privileges, enter your password, and that should allow you to download the update. Honestly, though, if you're running your system under a limited user account for every day use and browsing, the anti-spyware software is probably unnecessary.
Alexandria, Va.: What I believe is a virus has my desktop in a circular re-boot (when I re-boot, it comes back to the same blackscreen telling me to do the same thing) Through the F1 button I can access the BIOS settings, etc. and when I hit F10 to try and get it go into recovery mode, I can't get back to my restore points. I have a lot of photos on my computer I would like to salvage.
How do I find someone reputable (and affordable) to help me treat this problem?
Brian Krebs: Ugh. I feel for you, Alexandria. You have a few options. The most expensive is to find a computer technician to help you, and even after spending a couple of hundred bucks they may not be able to do more for you other than backing up your photos and re-installing the operating system.
Before you do that, however, I'd recommend trying out a program that I recently discovered, called the Trinity Rescue Kit. What this kit does -- among other things -- is allows you to run up to four antivirus scans from four different AV vendors. The software uses your internet connection to download the latest virus updates and stores them in memory, and then runs the scans. If it finds any nasties, it should prompt you to delete them. Be aware that this can take many hours, so be patient.
It's also just about all you can expect to have happen if you bring your PC to "Big Buy" or any of the other geeks-on-the-road type places.
If you have access to another PC with a CD burner, download the image and burn it to a CD. For a quick and dirty tutorial on how to use this tool, check out/print out the text at this site. Then pop it into the CD tray of the sick PC, make sure it is set in the BIOS settings to boot from the CD first, and let it do its work.
Hope that helps! Good luck!
FIOS: The Verizon (Actiontec supplied) router is capable of running in WPA security mode. The problem is that it is not very stable in this mode. The wireless connection tends to drop you off of the network which doesn't happen in WEP mode. Any suggestions on what could cause that?
Verizon's solution is to claim the outer is faulty and to swap it out, but happens with every Actiontec I have had from them. You can use your own router, but to do this if you have their TV service you have to know how to set up their router as a bridge so that it can feed information to TV STBs over their MOCA interface. None of this is a satisfactory solution.
Brian Krebs: Very interesting and useful information. Thanks for passing this along.
Nashville, Tenn.: Re: Live CD Linux and security. Is this better than using Portable Firefox on a thumb drive? I've not done either but am thinking of doing so.
Brian Krebs: The Portable Firefox on a thumb/USB drive is nice from a portability and usability perspective, but to my mind it doesn't get around the question of the security of the underlying operating system you're using. That is, if you plug it into a machine that's already compromised, how is it going to stop malware/keyloggers that may be on that machine from, say, intercepting usernames/passwords? I don't think it would.
The beauty of the LIVE CD is that unless you specify otherwise, you're booting from a known, static operating system image that cannot be changed or written to.
Las Vegas, Nev.: Hi, and thanks for all the good info you provide. In trying to keep my computer locked down, I have created a limited user account which I use the most. The computer always boots to the admin account. How do I change the boot sequence to automatically boot to the limited account? Thanks
Brian Krebs: You need to change the way Windows logs on. Go to Start, Control Panel, then User Accounts. You should see an entry there for "Change the Way Users Log on/off." Select that and on the next screen, make sure the box next to "Use the Welcome screen" is checked. That way, when you boot up, it will give you the choice of which account you want to start after booting up. If you want the ability to switch quickly between the non-admin and admin account without first closing out open programs, select the "Use fast-user switching" as well.
Brian Krebs: I know a lot of readers responded to my initial complaint that we didn't have enough questions, and I'm only sorry that I don't have more time to get to them all. I will try to hold some of them over for our next Security Fix live in two weeks time. Until then, please consider dropping by the Security Fix blog regularly to stay on top of the latest security news and tips. Thanks to everyone who participated or just dropped by to read!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.