Security Fix Blogger
Friday, October 12, 2007 11:00 AM
The transcript follows.
Brian Krebs: Good morning and Happy Friday dear Security Fix readers. Time once again for another Security Fix Live! Please remember to include as much information as possible about your setup, any installed security software, any error messages, etc.
New York, N.Y.: Brian,
Is there any way that I can see what information is being transferred in and out via my network card, and what program is sending which information to which network addresses? I am using Windows XP.
Brian Krebs: Yes. There is an excellent, free tool called Wireshark that works on most computer operating systems, including Windows.
Windows users who want to use this software will need to install a set of programs called Winpcap, which allows the machine to set the network card into network sniffing mode. Winpcap is available for free at this link. Wireshark is downloadable here. Note that you may need to restart your PC after installing Winpcap and before installing Wireshark.
Satellite Beach, Fla.: In reference to Microsoft's stealth updates that were recently in the news: Since they did not have their customers' approval to make these updates, why aren't they being charged with illegally accessing these computers?
Brian Krebs: The reader is referring to a blog post from last month.
I am not a lawyer, so I can't really say whether Microsoft broke the law here, but given the complexity of end user licensing agreements that customers must agree to in order to use Windows, Microsoft is probably covered on this one (even if they weren't, making a jury of your peers understand this stuff -- let alone experts -- might be an uphill battle).
The update was sent to people who had already turned automatic updates on -- although Microsoft also installed this update on machines whose owners had specified that *they* wanted to choose when and if to install the updates that were downloaded.
Pretty much anyone can sue anyone for anything, so it's not beyond the realm of possibility that this could happen, especially given Microsoft's deep pockets.
Arlington: Hi Brian:
I am admittedly a paranoid internet user - I only get online from home.
I'll have to be in a Marriott in NY for 5 days next week. They have free WIRED internet in the room; is it safe for me to get online and do things like email and banking while I'm there?
I can't afford to go that long without checking my emails and other personal stuff, but am skittish about whether hooking up to the hotel network leaves me vulnerable to the bad stuff.
I have a laptop w/Vista Premium, Zonealarm free firewall, AVG anti-virus, Lavasoft, spybot, and log online with the "limited" user profile.
Thanks Brian. Hopefully you will ease my mind.
Brian Krebs: Hi Arlington. It sounds like you have a pretty good setup there on your machine. I think just being aware of the limitations of a wired network that you don't control is sufficient. For example, it is certainly possible that someone on a wired hotel network could be sniffing all the traffic going across the network looking for passwords, etc. Provided your machine is free from malware, and you are logging on to a Web site that requires and maintains an encrypted SSL (https:) connection, the traffic you are sending across the local network is going to look like gibberish to anyone sniffing the network. Take care, also, if you spot any weirdness when you try to log on to a bank site or any other and you are presented with an error saying there is a problem with the site's encryption certificate: this could be a sign that someone is trying to redirect your traffic to a fake bank site.
Frankly, when I travel I am more paranoid about the physical security of my laptop (i.e., leaving it in the room while I am out). So paranoid in fact that while at a hacker conference this year in Vegas, when I could not carry my laptop with me, I simply pulled out the hard drive and stuck it in a little safe carry caddy that fit into my pocket.
New York, N.Y.: Instead of fixes, patches, and duct tape, why don't you talk about a major breakthrough system that prevents hacking (all types) on enterprise networks. The system is completely transparent to all of the existing network vendors like the known malware S/W, besides the Net Management systems like HP's Openview, IBM's Tivoli, etc. and h/w like all the Cisco's etc. No latency either. There's a major metro NY data center now running 10 of their systems besides a friendly DHS of our northern neighbor. Robert
Brian Krebs: You might not have noticed, but I tend to write about ways that end users can protect themselves, and hardly any about the myriad hardware and software choices available to enterprises. A big part of that is probably because I don't have experience using or administering those larger systems.
I'm glad to hear you're getting a lot out of these products you mentioned. However, the only system I'm aware of that is immune from hacking of all types is one that is physically disconnected from the network, has a single user, and is buried 50 feet underground in a vault and guarded by SWAT team personnel and rabid dogs. Of course, that system isn't going to be very useful, but it sure will be secure (that is, apart from the one glaring security hole -- the user).
Roswell, Ga.: Hi Brian!
You and I chatted here about Heise Security's script-based Windows update method on April 13 and again on Aug. 10. A chat mate on Sept. 14 then expressed confusion about the Heise method, a technique that has attracted new interest since the plight of Autopatcher.
The American-British language barrier does make the Heise website (http://www.heise-security.co.uk/articles/80682) somewhat cryptic, but their script is useful and straightforward. I've used the method many times, and I humbly offer a brief Americanized "recipe" for the offline updating of Windows XP.
1 - Download Version 3.22 of Heise's freeware script as a ZIP file and save it.
2 - Create a folder called c:\Heise and unzip the downloaded script file to that folder.
3 - Navigate to c:\Heise\ctupdate30\exclude\ and open the file named "exclude-list-wxp.txt" by double clicking it. Insert "835935" (without quotes) as a separate line into the text file and resave the file. (This step excludes Service Pack 2 from the update compilation and so prevents the compilation from exceeding the capacity of a standard 700 MB CD. If SP2 is needed, install it separately.)
4 - Double click the file "DownloadStarterGUI.exe" in the c:\Heise\ctupdate30\ folder. Choose Windows XP, uncheck "German," check "English," and click "Start." This initiates the download of all required XP patches directly from Microsoft's servers.
5 - When the script announces, "Download/image creation successful," close the Heise windows. Use CD authoring software in ISO mode to burn the new image file in the c:\Heise\ctupdate30\iso\ folder to a blank CD. For Windows XP in English, that file is named "wsusoffline-wxp-enu.iso." (Incidentally, the individual XP patch "exe" files, as downloaded from Microsoft, are collected in the c:\Heise\ctupdate30\client\wxp-enu\ folder.)
6 - Insert the new autorun CD into the drive of the computer to be updated, click "Start" on the Heise pop-up menu, and do something fun while the script does the heavy lifting.
7 - After every "Patch Tuesday," go through this recipe again, starting with Step 4, to update your updates. Only new patches are downloaded, so downloads after the first one go much quicker.
I have never had a glitch with the Heise protocol, Brian, and I hope this little recipe is helpful. Not only is the script-driven offline method convenient for new Windows installations and routine updates, but the library it creates is also a valuable hedge against that awful day when Microsoft abandons support of XP in favor of a sexy new OS du jour.
Thanks again for your blog and your chats.
Brian Krebs: Roswell, thanks for following up on this. I'm sure other readers will find this information useful.
The reader is referencing several past chats, all available in our Security Fix Live archives, reachable here at the dates he mentioned, where we talked about a method for creating a Windows installation that includes all of the latest security updates.
No http connection: Hi Brian,
Immediately after I had FIOS installed for my internet connection (previously had DSL with no problems), I could only access secure (https) sites, but I could not access non-secure sites. I was finally able to correct the problem (no thanks to Verizon, who denied any culpability) by doing a system restore. Although system restore is kind of cool because it's like time traveling, I think it's more of a last resort type of option, which I would prefer not to use.
So, I'm still curious as to what may have caused this problem, and more importantly, how to correct it. Any thoughts?
Brian Krebs: Hrm. I can only speculate here, but sounds like the installation of Verizon's hardware and/or software may have monkeyed with your Internet settings or the critical Windows system files that support networking. I was going to say that it was most likely the result of a firewall problem, as https:// uses port 443 and regular Web browsing uses port 80, and it may have been that either a software or hardware firewall (Verizon's router?) was blocking port 80. But since you fixed the problem with a system restore, I'm leaning toward the Windows networking files.
I suppose it could also have been the effect of some poorly written malware that tries to hijack https:// sessions, and that the system restore pretty much nullified that nasty. Wouldn't hurt to run a full virus scan on the system just in case, making sure that the System Restore files aren't excluded from said scan.
Washington, D.C.: Hi Brian -- this question is probably for Rob. But if you have an answer -- we have Microsoft Word and have lost the CD. Now, Word is acting up and won't work. It says please insert the CD. What to do, besides buying the software? Our son needs it for school. Thanks.
Brian Krebs: Of course, if you knew someone who had the CD that Windows was requesting, you could borrow it and probably fix things that way. But I'm guessing you already thought of that.
Rather than pay another small fortune to Microsoft to be able to continue to use a program you already paid for, you might consider installing OpenOffice, which is a free software suite that does pretty much everything Microsoft Office can do, including open and modify Microsoft Office files.
Fairfax, Va.: Brian - thanks for these chats, they are great. What's the feedback on MS Vista's built-in web filter? I turned it on to block just porn. Next thing I know it's blocking Ebay, WebMD, etc., etc. What a nightmare. My wife and kids begged me to turn it off and I did. I Googled, visited the MS web site, checked newsgroups, and found no useful information about why the filter doesn't seem to work right. Do you have any info on problems with it? What are some good alternatives?
Brian Krebs: Microsoft blocking eBay??? Say it ain't so :)
Seriously, though... I have reviewed a free service that uses your DNS settings and a third party filtering software bundled into one called OpenDNS. It's very easy to use, does a fairly exhaustive job at blocking porn sites while not blocking non-objectionable sites. The service has something like five or six settings that you can use as a sliding measure of what to block, including just porn, porn + lingerie sites, porn + lingerie + sexuality/hate speech sites, etc.
You might want to check out the review of OpenDNS that I wrote about this for Security Fix a few months back.
Oakland, Calif.: Hi, Brian,
We use multiple computers and they have been set with the MS Automatic Update feature at 3 a.m. However, we shut down the computers, so I have to go around and manually update the computers since they have not received the updates. I have full administrative privileges in 2-3 profiles but the Automatic Update Time Set is greyed out in the Control Panel. Any suggestions would be greatly appreciated on how to change the time. TIA
Brian Krebs: If the settings are greyed out (you cannot change them), then you are most likely on a network where group policies are in place, or you are not currently logged into an account with administrative privileges.
Since you said you have admin privileges, I'm leaning toward the centrally-enforced security policies. There are registry hacks that you can perform on an individual machine basis, but unless you are familiar with editing the registry, this could be a dangerous move. Even if you do succeed in changing the registry settings, there are ways that group policy settings can be rewritten to the machine upon reboot-relogin if they are changed. If you decide to edit the registry, I'd strongly advise you to make a backup copy of the registry and understand how to restore in the event that something goes wrong.
At any rate, Google for "automatic updates greyed out" and you should see several sites listing the registry hacks you need. Good luck.
Olney, Md.: Thanks for the tip about Wireshark. Can you tell me how it compares to Ethereal? I tried Ethereal once, but found that it was kind of hard to find the information I wanted.
Brian Krebs: Sure. Wireshark is basically Ethereal renamed and improved.
It depends on what you are looking for. If you have some specific traffic that you are trying to spot (i.e., you know the destination IP or sites) then you can create filters to alert you when said traffic appears.
Unfortunately, if you are not semi-familiar with what normal network traffic looks like, you are unlikely to be able to tell when you're looking at abnormal traffic.
You asked whether there was something you could use to watch (and I gathered capture) the traffic flowing through your network card. That's exactly what Wireshark does, and does very well.
If you want to add some brains to Wireshark -- i.e., something that tries to tell the regular traffic from suspicious packets -- you probably want to integrate it into something like Snort. Maybe something like WinSnort is more along the lines of what you're looking for? Keep in mind, even this software comes with a learning curve.
I'm not saying this is entry-level Windows users stuff: it's certainly not. But if you're not familiar with network sniffing and IDS basics, you should at least be willing to take some time to learn how it works and how to administer it, otherwise tools like these are unlikely to be useful to you. Unfortunately, this chat is not the best forum for walking you through that.
Washington: What is the likelihood that my employer will be able to read my personal e-mail if I'm using Squirrelmail webmail at work?
Brian Krebs: Very low. For better or for worse, Webmail is a fairly effective way of avoiding monitoring of employee email (assuming the https:// connection is maintained for the entire time).
Washington, D.C.: Recently while using IE7, I've noticed problems with the computer going from my cable internet connection to trying to work offline. As soon as I click on Tools and unclick "Work Offline" everything is fine, but then it will happen all over again. Any suggestions?
Brian Krebs: Um... you could try using a non-IE browser. That's what I do.
But to address your specific issue, try this, and please circle back with me in a future chat if you would, to let us know whether this solved your problem:
In IE, go to "Tools," "Internet Options," and then click on the "Connections" tab. Then click on the button below that says "LAN Settings." My guess is somehow the box next to "Automatically detect settings" is checked. Uncheck it. Restart.
Hopefully that fixes things.
Oakland, Calif.: Thanks Brian. I have an outside contractor who is our network engineer to handle our 2003 servers and on a day to day basis I'm the part time IT guy. I appreciate your help on the Automatic Update issue.
Brian Krebs: Very welcome. Hope it helps. Do circle back and let me know?
Aspen, Colo.: Can any predictive, preventative measures be taken to protect my business website from a botnet attack?
Brian Krebs: From a botnet attack? Do you mean keep your site reachable and up if a criminal decides to try to take down your site with an army of thousands of zombies? No, not really. Short of signing up with some expensive services that provide ridiculous amounts of extra bandwidth.
If you mean to say protect it from becoming a zombie, make sure the software that supports the site is up to date on the latest security patches. This is especially important for any PHP scripts or components that may be included in your site.
Brian Krebs: That's all the time I've got today, dear readers. Thanks to all who came by to read or drop a question. We'll be having another chat in two weeks, so please join us again then. In the meantime, consider dropping by the Security Fix blog regularly. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.