Security Fix Live
Friday, January 25, 2008; 11:00 AM
The transcript follows.
Brian Krebs: Greetings, dear Security Fix readers, and welcome back to another installment of Security Fix Live. Please remember to include any relevant information about your system, setup and/or installed security software. If your question relates to a particular device, for example, let me know the make and model. Extra information often helps a great deal in diagnosing problems, configuration issues, things like that. With that, I'll dive right in.
Magog, Quebec: Three years ago the license for my anti-virus software expired. As I had been having many virus attacks I meant to subscribe to a different anti-virus program but didn't. Three years on and I haven't had one virus attack! I do use ZoneAlarm and Spybot though.
What conclusion can you draw from this? Have I been lucky? Are viruses being propagated by the companies supposedly keeping us clean? Are viruses parasiting themselves onto the anti-virus downloads?
Brian Krebs: Hah! Love the name of your town. Conjures up all kinds of biblical references and images.
I hope you'll forgive me, but I had a little chuckle when I read your question. Not that anti-virus software is always up to the task of detecting malicious software -- it is well known that AV does extremely poorly in detecting brand new nasties, at least for the first couple of days -- but you seem to think that even without anti-virus software you'd notice if you had a virus infection.
So the question I'd have is -- How the heck would you know whether your machine was infected with something? Why not download and install a free anti-virus product, such as Anti-vir or AVG Free? I'd be interested in the results of a full system scan.
I've got news for you, Magog: The classical, even romantic notion that many people have about viruses melting your hard drive or replacing your desktop wallpaper with a Jolly Roger flag or some other kind of nonsense that might be obvious signs of an intruder is sadly mistaken, and has never been accurate (okay, okay, maybe 20 years ago or so).
Today's malware is designed to do one thing: remain undetected and as stealthy as possible. Most of it is crafted to steal identity and financial data from your machine. A keystroke logger, for example, will happily co-exist peacefully with your system and not place any noticeable strain on your system, or give off any outward signs of its presence. Even bot programs designed to let criminals use your machine to blast out spam have become so stealthy that people often never notice an infection.
Now, it used to be that when people were on dialup or were running slower systems with fewer resources like RAM and processing power that they'd notice when a bot was hogging their bandwidth or CPU power. Unfortunately, you can't count on those warning signs anymore, as lots of people now use machines that are more powerful than they need.
Stormville, N.Y.: Brian, thanks for the write-up on the latest Java update. You mentioned erasing the older versions. I erased a few which were, by name, obviously older versions.
My question:
First, the latest update is identified as "Java(TM) 6 Update 4"
I left in a couple of what seemed to be older versions but had slightly different names:
"Java 2 Runtime Environment, SE v1.4.2_03"
"Java 2(TM) SE Runtime Environment 6 Update 1"
Can I erase these two as well? (Operating system is Windows XP Home).
washingtonpost.com: Massive Java Update Includes Security Fixes
Brian Krebs: You're very welcome Stormville. Yes, you can nix those older versions as well. Removing them should have no effect on your latest install of Update 4. I'm assuming, of course, that you're talking about a home user system, not some machine given to you by your employer (in which case there may be some older applications that rely on a custom, older version of Java).
Kent, Wash.: Brian Krebs (probably not of Krebs Cycle fame): (a) How secure is bluetooth from wardrivers? I.e., what is the range of bluetooth signals? - what kind of equipment do wardrivers use? (b) For bluetooth as enabled on a computer, is bluetooth connection to an external device by invitation only? Or can an external device establish contact with computer being in bluetooth discoverable mode?
Brian Krebs: A few years ago, at a hacker conference in Las Vegas, someone demoed a tool that allowed them to eavesdrop on a target's phone conversations over bluetooth. A big part of the reason they were able to do that was that so many bluetooth devices have built in passcodes that are the same for every device.
That is, in order to "pair" with a bluetooth device, most of them require you to enter a 4-digit PIN. The trouble is, few people ever change the default PIN, which is usually something like 1234, or 1111, or 0000. If you know the device name and model number -- and there is free bluetooth scanning software that will give you this type of information for every BT-enabled device within a short radius -- you can look up the default PINs online.
Usually BT on a computer you need to set up on both the device and computer with a shared key. If you have done this already, it would be possible for a device within range to set up a communications link with the computer, if the PC had bluetooth enabled and discoverable. But they'd still need to know the PIN, and probably be listed as a trusted device by the PC. But I wouldn't worry too much about bluetooth hacking. For one thing, the attacker needs to be within meters of your device to begin communicating with it.
Short answer: If you change the default PINs on your BT devices, you should have little to worry about from someone trying to hack your BT device.
Brian Krebs: Shameless plug for my reporting here, but washingtonpost.com just published a piece I wrote about "money mules," people who get roped into laundering money for virus writers, scam artists and phishers. I've also put together a blog post with some extra material, screenshots, etc., that I think helps illustrate how integral money mules are to many modern cyber crime operations.
Tampa, Fla.: I use a limited user account on Windows XP SP2 when surfing the internet with the latest version of Firefox. I also use AVG Free and Spybot. Do I also need the NoScript extension (see here) for Firefox?
A while back I had an experience with noscript that saved my bacon. I was blogging about a high profile Web site that had been hacked and was installing a keylogger on visitors' machines if their Windows PC wasn't protected by a particular patch Microsoft had released just a few weeks prior. I knew the site was infected, so I took care not to visit it, aware that the system I was using (a work PC) wasn't yet patched against it. I was looking up some stats on the site at Alexa.com, and accidentally clicked on an image of the site that actually loaded the hacked site. Had it not been for noscript, my machine probably would have been infected and out of commission for a day or so.
Ft. Dix, N.J.: I have a warned about e-mail from an African barrister wanting help to obtain money from a bank. The (supposed) money belongs to a (supposed) deceased person with no living relatives. I have not opened it or deleted it. I want to send or report this and other suspect e-mails to a government agency that will track it to the source and deal, legally, with the scammers. What agency do I contact? Thank You, Bill.
Brian Krebs: My colleagues and I used to laugh when we'd receive the e-mails you describe. "Hey, I'm going to be rich!" we'd boastfully joke. In truth, these types of confidence schemes -- called "419" scams -- are deadly serious and no laughing matter. They take tens of millions of dollars out of the US from unsuspecting or plain greedy victims every year. People have even been so far pulled into these con games that they actually have traveled to places as far away as Nigeria to collect on the supposed treasure. Most of those who make the trip never make it back.
You can forward the e-mail to firstname.lastname@example.org, but the best thing to do is simply delete the messages. Never, ever respond to these guys, for any reason, even just to toy with them: They are dangerous, desperate people with nothing to lose. If you'd like to learn more about 419 scams, check out 419eater.com.
San Diego, Calif.: I don't think that I have Java installed on my Vista computer. I've checked the programs installed/uninstalled module and no Java entry is listed. Do I need Java(TM) 6 Update 4 in that case? Do I have it installed and it just isn't showing up? Going to the Sun site and asking the site to check my version doesn't show anything (In fact, the page doesn't work!). Any advice on this?
Great column, btw. KP
Brian Krebs: Hi there San Diego. It may be that you just don't have Java installed. Here's a way to make double sure:
Open up a command prompt (click Start, then Run and then type "command" or "cmd")
Type "java -version" without the quotes
If nothing comes up, then you don't have Java. Do you need it? Probably not, and if you've gone this long without it, why install it now?
Helplessville, Va.: Ok, so I'm the only person in my neighborhood that has a wireless signal without a lock on it. How do I put a lock on there? I really don't want people jumping onto my system without me knowing about it. Do I need to plug my computer directly into the router or can I do it wirelessly.
Brian Krebs: To set up encryption on your router, you need to have a computer physically connected to the router -- that is, an ethernet cord running from the ethernet port on your computer to the router. DO NOT try to configure wireless encryption from a laptop that is connected wirelessly.
You didn't say what make/model your router is, but I'm guessing it's a Netgear or Linksys or D-Link, which collectively make up probably 90 percent of the consumer router market. You can find video instructions for setting up encryption on the four most-common router types at this link here.
Remember that in addition to setting up encryption, you need to change the default password on the router itself in the router administration page. Pick a strong password that you can remember. Good luck!
Verona, IT: Hi, Brian. And thanks for the good info. I'm running Windows XP (auto update turned on), Norton 360, Ad-Aware, Spybot and run Secunia's checker periodically.
That said, how would I know if my more-powerful-than-I-need PC (it is, I admit it) has a key-logger or malware of some sort?
Brian Krebs: Some people like to have the assurance from yet another security program, one that looks specifically for keyloggers. If this interests you, I might recommend a free program I'm using on my PC right now called "SnoopFree," which detects any program that tries to hook the keyboard for any reason. Be advised that this program will sometimes throw up a scary warning when you try to install certain software (I think it gave a warning the last time I applied a patch to the latest version of QuickTime, e.g.). That said, it's a handy little program, and you can't beat the price.
Another free anti-keylogger application is called "Boclean." I used this program a while back but don't currently have it installed (no particular reason, just did a re-image of my hard drive and neglected to re-install it.) But lots of people swear by this program. Check it out at this link here.
Antwerp, Belgium: Hi, many times when I surf on the WP site I am asked suddenly to type in my email address and password. Even after I check remember me on this PC I still have to enter that info. I use IE7 SP2. Could it be that when I shut my PC my cookies get automatically removed? I do it manually with Cookie Monster because I want to preserve some sites without entering passwords etc. Thanks
Brian Krebs: No idea what's going on there, Belgium. I've not used CookieMonster, so I can't say whether that has something to do with it. But since you're using IE7, I'd recommend taking advantage of the built-in "security zones" feature in IE, which a lot of people find annoying and overly complex, but in your case it may be helpful.
Go to "Tools" then "Internet Options," then on the Security tab and then click on the Trusted Sites icon. You can add Washingtonpost.com to your list of trusted sites, and if you click on the "Custom Level" button you can configure what options should be allowed by default for sites you designate in your trusted zone. For example, you could set it so that all sites you place in the trusted zone are allowed to place and keep cookies. Try that and see if it fixes your problem. Good luck.
Email retention: What's your take on the technical capabilities (or lack thereof) of the White House email retention system until 2004 and now? If a server didn't save emails and a backup tape was recorded over is there any way to recover all of them? How plausible is the White House's story from a technical standpoint? If they are completely lost is it just incompetence, negligence or something a little more willful?
Brian Krebs: For a president who has made it clear how he views "the Internets" and all of its gears and wheels, I'd say if he were in charge of the White House's email system, then we could probably chalk it up to incompetence. However, e-mail archiving has been not only the law going back several presidents, but it's pretty well understood and not terribly difficult to do. I'm not going to speculate on whether it was intentional or not, but if it was unintentional, then that was one heckuva big one.
Chantilly, Va.: Regarding wireless encryption... make sure that if you have a choice, you choose "WPA" encryption rather than "WEP". WEP will only keep out the most casual of network browsers; anyone who really wanted to gain access to your network can break WEP in about 2 minutes.
The only disadvantage is that some older equipment (more than 5 years old probably) will only support WEP. If you've purchased your wireless access point and wireless cards (including built into your laptop, if that's the case) within the past several years, you should be fine, and WPA is no harder to set up.
Brian Krebs: Chantilly is correct. If you have a choice, go with WPA over WEP. And pick a strong passphrase as your encryption password -- preferably something more than eight characters. One strategy I like is to pick a sentence or phrase from your favorite book or piece of literature, and create a passphrase using just the first or last letters of each word in the sentence. E.g., "It was the best of times, it was the worst of times" might yield a passphrase of IWTBOTIWTWOT.
La Mesa, Calif.: Good morning Brian and thanks for having these sessions. I got a message from ZA warning that RBSOLNUPDATEENU.2.5.0.EXE wanted to put a new entry in the registry. My research showed it was supposedly related to Win 32 Extractor (wextract.exe) which is safe. Past queries on an earlier version of this were reported to be safe. I couldn't find anything with this version number anywhere though, so I denied it.
Any suggestions on how I can determine if I should allow the change in case it pops up again? It left an entry in the Prefetch folder also, can I delete that safely?
Brian Krebs: Yes. Try to look at where it wants to go, and figure out whether it needs to go there. Googling that exe name doesn't turn up much that's helpful. The question is, what is the context here? Were you installing some program when this alert popped up, or was it just out of the blue? If the latter, I'd be a bit concerned.
Process Explorer from Microsoft is a good, free tool that may be able to shed some light on who makes the exe process in question, and what it is trying to do.
If there is a network component attached to this executable file, Zone Alarm should tell you a little bit about the IP address or domain name that the program is trying to contact. Look at the ZA logs to find out this information. Google the domain name or IP address, and you will probably find your answer. It may be something as harmless as a legitimate program phoning home to check for updates. The question is, what happens if you don't allow it to connect. Does it impair the functioning of any programs you have open? If not, I don't see the harm in blocking it.
Baltimore, Md.: Brian: I have a PC running XPSP2 with Bit Defender anti-virus, which I renewed in December as a new release. Now, when I run a scan, I am told that I have some 150 possibly dubious items that are password protected and that I should "extract these files" before performing a scan. It gives me an endless list of files but I have no idea about how to extract them. Bit Defender does not say they are threats, just that it can't know what they are because of the password protection. Can you enlighten? Thanks.
Brian Krebs: Yes. Some antivirus tools have trouble looking inside of archived or zipped files, particularly archives that are password protected. Are these archives it is complaining about files that you've downloaded or did they ship with the system? Sometimes, program package installers (.MSI and .cab -- cabinet -- files, particularly) can generate these errors.
One thing to note: If I recall correctly, some anti-spyware and anti-adware programs -- AdAware in particular comes to mind here -- archive their definitions files in ways that can be difficult for antivirus software to inspect. Also, Microsoft Windows System Restore points -- if you have System Restore turned on -- can also generate scanning errors.
Blacksburg, Va.: Brian, this is Randy Marchany from VA Tech. A number of us ordered laptops from the One Laptop Per Child site back in November. All of us have been getting the run around from them when we ask about the computers that should have been delivered back in December but aren't here yet. We've gotten similar answers like "we don't have your shipping address". Anyway, I was wondering if you've heard of any problems with OLPC. Here's a link to a blog that talks about the problems. We've seen them here as well.
Hope you're doing well. Thanks.
VA Tech IT Security Office and Lab
Brian Krebs: Hi Randy! Nice to hear from you. I have seen a few blogs pick up on this story, but I don't have first hand knowledge of this as you do. I'll tell you one thing: I've played with those laptops, and they are super-cool: If I had paid for one and was waiting a super long time for it, I'd be pretty cranky as well. I'll poke around and see if I can find out what's happening here.
Melbourne, Australia: Are you familiar with a small program called Rootkit Revealer and is it worth having. I understand rootkit attacks are pretty scary.
Brian Krebs: Yes, I am familiar with it. It was created by Mark Russinovich, who is something of an authority on rootkits. His company and software were acquired by Microsoft a while back, and it is still free to download and use from Microsoft. It works very well, although it's not the most intuitive software for the average user. Then again, few anti-rootkit scanners I've seen are. I mentioned a couple of other free anti-rootkit tools in my chat a couple of weeks ago.
Owings, Md.: Hi Brian,
Recently, I am having trouble with my WiFi. Almost everyday now, when I log into the internet to check email, it is fine, but then several minutes on the internet, my connection is lost and says it is only local. Then it becomes difficult to reconnect to the internet. Any ideas as to why this may be happening or what I could do? I have Zone Alarm security suite, vista, and a zone alarm router (secured).
Thanks for the great columns and blogs.
Brian Krebs: Hi Mike. Thanks for the kind words. Sorry to hear about your router. I have not used Zone Alarm's hardware router, so I don't have any experience to offer there. But I know that ZoneAlarm itself has a very active and helpful user forum that may be more useful to you than any guesses I might have about what's going wrong.
What I usually tell people in these types of situations is to try to diagnose the source of the problem by process of elimination. Turn one component off temporarily, and see if that fixes it.
If, for instance, you turn off the ZoneAlarm software firewall, and you experience no problems, then you have probably narrowed the issue down to a flaky setting that needs to be tweaked there. If you are using encryption, you might briefly switch that off or clear the settings and set it up again to see if that makes a difference. I'm sorry I don't have better advice for you at the moment: these kinds of issues usually stem from configuration issues which can be difficult to diagnose in a forum like this. Best of luck.
Toronto, Canada: I use Norton Anti-virus but am convinced it is causing my computer to operate very slowly. Is there an alternative program that is less resource intensive? Since I am one of only six people left in the world still using dial up, do I really even need to use a virus protection program?
Brian Krebs: If you don't like Norton, 86 it. There are plenty of other options, including a number of free antivirus alternatives (see this link for other free options). Even if you don't have broadband service, it's a good idea to run some kind of anti-virus program on your Windows system.
I swear, it's possible that this chat attracts astroturfers, but almost every chat I get two or three questions from users complaining about slowness with Norton, or this or that problem with Norton. Take this guy, whose question I can't answer because I'm plain out of time:
"Arlington, Va.: Just out of curiosity, how much do you trust Norton's software?
I've lost a lot of faith in it myself, mainly because it freezes on me every time I run a full system scan. I've talked with Norton about it countless times, and even spent close to 10 hours straight divided between talking on the phone with a Norton tech person and chatting with one online. And I STILL have problems with their antivirus software.
Just wanted to see if I'm alone here."
Short answer: You're not alone, Arlington.
Brian Krebs: That's it, people. I am out of time for this week. Thanks to all who stopped by and to everyone who contributed to the discussion. I'll host another Security Fix Live in a couple of weeks. Meantime, please make it a habit of frequenting the Security Fix blog to stay up on the latest security news, tips, and advice. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.