Security Fix Live
Friday, January 11, 2008; 11:00 AM
The transcript follows.
Brian Krebs: Good morning, dear Security Fix readers, and Happy Friday. Welcome to the first Security Fix Live of 2008. Our apologies that this chat has been away for so long, but I'm anxious to field your questions, so if you've got a security or PC-related question, please fire away. Please try to include as much information about your setup as possible, as it helps immensely in answering your query.
Philadelphia, Pa.: Mr. Krebs, From professional and personal experience, I know that the efforts of malware writers cost U.S.-based business, non-profit and personal interests enormous amounts of time, money and productivity to put into place preventative measures as well as for post-attack recovery efforts. Has economic data been captured and published related to the impact of malware?
Individual efforts like yours via washpost.com and others are a great grassroots-oriented first step towards promoting safer computing and combating this threat. Are you aware of larger, institutional efforts to make the public aware of how malicious entities are using the computers in their homes to potentially harm our national well-being? I'm thinking of a 'Smokey the Bear' type of program. I have neither heard nor seen a single communication from our government on such matters.
Thank you for taking my questions.
Brian Krebs: Hello Philly. Welcome. Thanks for the kind words about the blog. Economic data about the cost of malware and online criminal activity is extremely hard to come by, or at least it's hard to get an accurate accounting of the cost. I tried to do this a few months back but was stymied by a lack of data, primarily because financial institutions are not required by law to disclose how much fraud is costing them. What's more, businesses are loath to report fraud, for various reasons. In addition, a great many people who have been victims of fraud are not aware of it, and/or they do not report it either.
At any rate, the best estimates I've seen so far are the numbers I cite in that blog post, which peg the damage at around $100 billion a year. The number is in all likelihood far higher, and these estimates are mainly centered around the impact to US-based businesses and consumers.
The Dept. of Homeland Security ran a few public service announcements a couple of years back, but Smokey-the-Bear campaigns they were not. You are correct in that we need a consistent public awareness campaign about online fraud and what people can do to protect themselves and others online. The reason, as I've noted before, is that online fraud has its roots in insecurity on a per-PC basis:
That is, people tend to say, "Hey, I don't do online banking, I don't store sensitive info on my machine, so why would anyone want to hack into it, and furthermore, why would I care if anyone did?" This attitude betrays a fundamental lack of awareness about online crime: cyber crooks use hacked PCs to ply their trade, from using them to host malicious web sites to sending spam, etc.
This is, in essence, a public nuisance, a real pollution problem. People, through their lack of awareness, are helping to pollute the Internet with their insecure PCs. But who pays for this problem? We all do. That's why the pollution metaphor is so apt. And you are correct: We need a Woodsy-the-Owl, Give a Hoot, Don't Pollute-type campaign that teaches people how not to pollute the Internet. And it needs to happen beginning in elementary school and onwards.
New York: When I signed up with the Post online, I was told my "tracking cookie" information would be used to improve the online delivery of content by helping the Post to understand its readers and their reading habits better. Instead, I now notice highly focused targeted advertising. Does the Post lie about its use of tracking cookies?
Brian Krebs: Hello, New York. Thanks for the question. "Does the post lie about its use of tracking cookies?" I don't think so.
It is, as you say, a method by which to better serve you with more targeted advertisements. Ads help pay for the content on the site. But this is no different than any other major media site on the 'Net today.
Multiple Users on One Machine: My wife and I have separate limited user accounts as well as a separate computer administrator account (that we do not typically use) on the same Dell desktop (using Windows XP). I know that ESET antivirus checks all files on the machine, but does the anti-spyware (Windows Defender) also check ALL accounts on the machine? The reason I ask is that sometimes I will see a pop-up (on the computer administrator account) that says a sweep has not been run in 14 days. However, the spyware program runs a sweep (at least on my account) every day.
Brian Krebs: What you're running up against is the fact that the limited user account is....well, limited. That is, it's by design not permitted to view certain files that belong to the administrator. Namely, the files contained in Documents and Settings/adminusername. You can scan those if you want when you do regular maintenance type stuff on the PC. Alternatively, you could choose to run the Msft scanner as admin (right click, "Run as," enter admin user/pass), but that's going to be a manual process each time, unless you go about changing the permissions on the program, which can get tricky.
I've said this before and I'll say it again: If you're using a limited user account for everyday use, you very likely have little to worry about in the way of spyware, at least spyware in the traditional sense of the word (pop-up serving, home-page hijacking type software). So, in short, I wouldn't worry too much about this. Keep on using the limited user account and you have little to worry about from spyware.
Fairfax, Va.: Brian, Bought a new wireless router to replace the one that died recently. Problem is, I can access the internet on the pc that is physically wired to the router, but I don't have the wireless internet available for my laptop. Ideas?
Brian Krebs: Well, without a bit more info, this is a toughie. Most laptops sold these days are configured to connect automatically to wireless networks, but sometimes this doesn't work quite right. When you go to Start, Control Panel, and open Network Connections, 2xclick on the wireless interface listing. Then search for wireless networks. Does it not find your network? What router are you using? Have you enabled encryption or any other type of filtering on the router?
Anonymous: My 5-year-old HP Notebook has grown increasingly slow, especially when going online. I wonder if it has been seized by a virus. But shouldn't my subscription to Norton protect me?
Brian Krebs: Er....maybe. Anti-virus software is generally pretty good at finding and squashing known viruses, but notoriously horrible at finding, detecting and stopping new ones - at least within the 24-48 hour period that it takes most vendors to ship out new signatures that detect the latest nasties. During that time frame you can hardly depend on anti-virus software to save you.
Five years, in my experience, is a pretty good run for an average Windows machine that's not set up with seriously paranoid settings. It's also about the average lifespan of a PC in general. My advice: back up the data on the machine, make sure you have copies of any license codes for installed software, and re-install Windows. Then, set it up to run under a limited user account, or at least use Drop My Rights for the Web browser. Or, treat yourself to a Mac, and worry a lot less.
Wireless Router Followup: Brian, It's not my laptop that's at fault, because I can see and log onto my neighbor's wireless across the street.
I went to the LinkSys site and there is a setup for the router on their website, which I will try with my neighbor's help. We tried to do the setup from the cd, but still no wireless after 3 or 4 tries.
Brian Krebs: Please tell me what kind of laptop you have, who makes it and model. I'm going to guess it's a Dell, but we'll see. Some laptops ship with the vendor's crappy wireless configuration suite, which duplicates the built-in wireless capabilities in Windows and mucks things up.
Try this. Open a command prompt (click Start, then Run). At the prompt, type c:\windows\system32\services.msc /s and hit enter. In the window that pops up, 2xclick on the entry labeled "Wireless Zero Configuration". Make sure the listing next to "startup type" says automatic. If it doesn't, change it. If the service is stopped (check "service status"), start it.
Kingstowne, Va.: re: Economic costs of malware
Don't forget to factor in all the benefits of malware, including jobs for web security persons, an entire industry dedicated to anti-malware, and media people to report on it.
It's not ALL bad ...
Brian Krebs: Touché. I wasn't so much complaining (where would I be now without all this mess?), as answering the reader's direct question. But of course, the malware industry generates huge profits for tons of companies, and gainfully employs millions on both sides of the battle.
Washington, D.C.: Brian,
You may have heard about this already, but most of us in the nonprofit or .org sector got hit with a trojan spam today. It's from "Ivete Foundation." Would you mind mentioning it in your blog, so the business of NGOs in the area isn't brought to a halt?
Brian Krebs: I will, thanks for the heads up, Washington.
In the meantime, Sunbelt Software has more about this on their blog.
Washington, D.C.: I know you advise that all Windows users run a limited user account, not administrator. My question is, how easy is it to switch to a limited user account if I've already got a computer I've been using for a while and it's all set up under the default administrator account? Is this something that would be more practical to just set up on a new computer, which I probably won't buy for a couple of years?
Brian Krebs: Yes, it is infinitely easier to set up on a new machine, but not terribly difficult to change on an established PC. It's really just a matter of creating another admin account on the system, protecting it with a password, logging in as that administrator, then changing the rights of the account you normally use from admin to limited user. The precise steps to do so are listed at this post here.
Washington, D.C.: Touché nothing to Kingstowne. We have a massive criminal justice system that employs huge numbers of people building and staffing jails who are "gainfully employed." Doesn't mean society is better off because of crime. There are better uses for society's resources than having to worry about criminal behavior, whether physical or computer-based.
Brian Krebs: Wow. I really touched a nerve with this one. Let's not forget about the law enforcement folks, who have a next to impossible task, here.
Alexandria, Va.: Do you or any of the chatters know of any known hardware or software issues with the iTouch? After putting it into its docking charger overnight, the next day the entire gizmo was dead. Couldn't get it to come to life again, either through the docking station or my laptop. Today, on a whim, I put it into the docking station and it sprung back to life. It's still under warranty, but it makes me nervous as I bought the more expensive 16 gig version.
Brian Krebs: Haven't heard of similar issues, but my iPod mini exhibited similar quirky behavior a few times, and each time it magically fixed itself. Sometimes just doing a reset on the device helps. On the iPod, you can do that by holding the clickwheel down at the top and the bottom of the wheel for about 10 seconds.
But seriously, you paid a lot for that device, and there's no reason it should be defective. If it's still under warranty, take it back to Apple and demand a replacement.
Speaking of wireless Internet: Brian,
Somewhere around me is a wireless account that is usually unsecured, tho it changes to secured every now and then. Sometimes my laptop will connect to this one instead of my own and I have to manually change it. My wireless is secure but I wonder if this unsecured wireless may be lurking out there trying to snag anything and everything.
Brian Krebs: Great point. You can set it so that the Windows laptop does not automagically connect to nearby, random wireless networks. I don't have my wireless windows laptop with me, but I believe in the wireless connection settings you can uncheck a box that says "automatically connect to non-preferred wireless networks" and that should fix it.
Rockville, Md.:"Don't forget to factor in all the benefits of malware, including jobs for web security persons, an entire industry dedicated to anti-malware, and media people to report on it. "
That is a fallacy. It is an economic loss. The people working web security would be working elsewhere doing something better for the world if there was no malware. The money a science lab sends to the anti-malware company could, instead, be going to find the cure for HIV. The money a college sends to the anti-malware company could, instead, be going towards educating poor teens.
There is a finite amount of money. Money spent to fight malware ISN'T going someplace else (and likely better).
Brian Krebs: More opinions on this highly-charged thread.
Phx AZ: I have an Apple iMac and am wondering what is the best security for it. Not sure what all is on it now, Apple-wise. I am a Windows user and Apples are a new world for me.
Any suggestions? Thanks. jr
Brian Krebs: Turn on the built-in Apple firewall. Install software/security updates from Apple when your system tells you to. If you want anti-virus software, there's a free program in ClamXav. Be careful about installing random software -- particularly things like "video codecs". Enjoy.
Hermosa Beach, Calif.: Brian - First, thanks for all of the good info. I have an HP laptop that boots very slow. Went into MSCONFIG and turned off everything that I could, but not much improvement. My local (Mom and Pop, not big box...) computer store says Norton is the culprit and recommends AVG. Your thoughts? Thanks
Brian Krebs: It's worth a shot. You will probably need to uninstall Norton, and then run Symantec's removal tool to make sure all of it uninstalls cleanly. Install AVG, or -- if you really want a great AV program that's super-light on system resources, I'd highly recommend ESET's NOD32, which I use on two of my systems and have been quite pleased with.
Hatboro, Pa.: Brian, Help! I tried to set up a Limited User Acct. and have lost my previous Administrator settings and the account with my name is the new Adm. and all other data under the old Adm. is gone. Can I do a System Restore? Please help! David
Brian Krebs: Please contact me at brian-dot-krebs-at-washingtonpost-dot-com.
but I believe in the wireless connection settings you can uncheck a box that says "automatically connect to non-preferred wireless networks" and that should fix it.: Brian, Can you be a little more specific as to where I go to do this?
Brian Krebs: Quick Google search turned up this article, which should help. Sorry, I'm running out of time in this chat.
Arlington, Va.: Brian, thanks for taking my question. When I use SpyBot to check for spyware and other nefarious PC invaders, I'm repeatedly getting warnings about two registry files: Microsoft.Windows.disableSystemRestore and Microsoft.Windows.Security_Center_disabled. I'm guessing that our IT staff has automatically disabled these functions so that they won't interfere with Symantec AntiVirus and our internet-based file backup system. Is this anything to worry about?
Brian Krebs: I've not run across those registry settings before, but I doubt they are anything to worry about and your suspicion is probably spot-on. Windows restore can often back up infected files that can get reintroduced into the system if the user later restores to a previous state where an infection was present. The Windows security center and Symantec didn't play nice together initially, but I believe those issues have been resolved for the most part. It may be that your IT staff disabled it b/c Symantec ships with its own security center of sorts.
Virginia Beach, Va.: Brian - I'm thinking of getting a new Mac with Fusion and Windows XP so I can run the stuff that won't run on the Mac. Will I need to run the Windows antivirus, spam blockers, etc., when running Windows? I'm not planning on running any Windows browsers. Thanks and keep up the good work.
Brian Krebs: Yup. Just because Windows will be running inside of a virtual machine on a Mac doesn't mean it's somehow magically immune from malware. It will no doubt share your Mac's Internet connection, and thus still has inbound and outbound traffic just like a regular Windows system.
If I could advise you on one thing it would be this: Get the XP system under Fusion set up the way you want it, and then create a snapshot of the system (I think this is possible with Fusion, although I've not used the more recent version). After all, it is in essence a virtual machine, and that's what's great about them: If something goes horribly wrong, you can always revert to the saved snapshot, although you will lose any documents/etc that were created on that volume since the snapshot.
Silver Spring, Md.: Brian, In light of your blog entry earlier this week about rootkit malware, should Windows users regularly use anti-rootkit software, in addition to anti-virus and anti-spyware software? How many more ways can Windows PCs be infected with something nasty?
washingtonpost.com: Security Fix: New Nasty Hides From Windows, Anti-Virus Tools
Brian Krebs: Can't hurt. In addition to the GMER tool, there is F-Secure's Blacklight Beta, Microsoft's Rootkit Revealer, and the Sophos Anti-Rootkit. All are free. If you want additional peace of mind, set it to scan before you go to sleep, as these scans can take some time and be very resource-hungry.
Maryland: Hi. I clicked on a link from an RSS feed on my iGoogle for an article on rollingstone.com. Suddenly, I was attacked by flashing annoyances and scary pop-ups suggesting my security would be compromised if I didn't download, download, download. My history (in Firefox) tells me these were sites by something called 'Deus Cleaner.'
What is Deus Cleaner? How did this happen? Is my computer infected? How can I prevent incidents like this? Is this site legitimate?
Thank you very much.
Brian Krebs: Deus Cleaner is but one of many "scareware" scam anti-spyware products that use pop-ups, drive-by downloads and other techniques to try and scare you into thinking you have massive spyware/virus infections and that you need to pay for their all-too-likely worthless product. Usually, these are served up by malicious banner ads or sites that have been hacked. I'd recommend running an anti-virus scan on your system, and setting up Firefox to run with Drop My Rights (see link above), which can make drive-by downloads go bye-bye.
Brian Krebs: That's all I've got time for today, folks. Thanks to all who dropped by and for everyone who participated. Please bookmark the Security Fix blog if you haven't already (or hey, even set it as your homepage!) and drop by regularly to stay up to date on the latest security news and tips. Be careful out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.