Security Fix Blogger
Friday, February 8, 2008 11:00 AM
The transcript follows.
Brian Krebs: Hello everyone, and Happy Friday. Welcome to Security Fix Live, where I try to answer as many of your tech/security questions as well as I can in the hour or so that we have. Please remember to give me as much information about your system setup and install security software and hardware wherever possible.
New York, N.Y.: Hi Brian, I've had really bad experiences running Symantec/Norton and McAfee products. They tend to take over and reduce my overall system performance tremendously. Right now, only the Windows XP SP2 firewall, SpyBot's TeaTimer and the built in firewall that came with my 5-year-old router stand between me and certain infection. Would you recommend using a specific firewall program, free or otherwise, on my home PC to keep the bad guys at bay that won't completely take over every program I use and slow my initial login or internet launches to a crawl?
Brian Krebs: Aside from running your browser of choice under a drop-my-rights type setup, I'd say you're fine. I hear your pain about Norton and other firewall products in every single online chat. You should be reasonably okay with a hardware router and the Windows Firewall.
Just spend a little time getting familiar with the items listed in the "exceptions" list for the WF. Make sure to uncheck anything you don't need (e.g. Remote Desktop, Remote Assistance, or any other programs that you'd prefer asked you before connecting to the Web). You can also set it up to log all incoming/outgoing requests in the "Advanced" options tab.
Arlington, Va.: A few days ago, my spysweeper (Webroot) detected a keylogger on my home computer during its daily sweep. It quarantined and deleted the program, and after two further sweeps by Webroot, as well as a full system scan by Norton Antivirus, my computer is seemingly clean.
Since then, I've gone through my various online accounts, like my e-mail, Amazon.com, anything that has my credit card information on file, and changed passwords. The only online banking that I do is for my retirement funds. I don't check my banking or credit card statements online. And for the record, my computer doesn't contain any personal information about myself, like Social Security numbers or credit card numbers.
In your opinion, is there anything else I can be doing in the wake of this spyware discovery? Even though my sweeps have said my computer is clean, I'm nevertheless dubious about using it for certain things in future, like checking my retirement accounts, or for doing my taxes (through TurboTax).
Brian Krebs: I assume you changed the password tied to your retirement fund account? That's the one I'd be most worried about. And I'm assuming you changed them after you got a clean bill of health from your anti-virus?
If it were me, I would run one or two different online anti-virus scanners to feel better that the keylogger was completely gone and that there wasn't anything else hanging around. F-Secure and Bitdefender both offer free online scanning, as do others.
You may also be able to call your retirement account holder and place a special PIN on the account or password that must be uttered in order to make any changes to the account.
If you haven't already, you should be regularly backing up your data to a removable medium, such as an external hard drive or a DVD -- in case something goes wrong where the hard drive fails or you need to reformat the drive.
I would use this as an opportunity to do things right. If you can't be bothered to set up a limited user account on your system, try the drop my rights approach with the browsers you use. In addition, there are free anti-keylogger programs available, such as SnoopFree and BoClean that are designed specifically to spot malware that tries to hook your keyboard.
Also, just for giggles, you might search your system to see whether the keylogger left behind a record of what it was stealing. Typically, a keylogger will store whatever it steals in a text file somewhere on the system (a file that is periodically uploaded to a server the attacker controls), and sometimes an anti-virus program will destroy the keylogger itself but leave the data behind. I'd probably run a search in Windows (Start, Search, All Files and Folders, and search for any text files created in the last month: e.g., in the file name search box, type "*.txt" and in the "when was it modified" section choose the "last month" radio button). Shoot me an e-mail if you find anything that looks suspicious (oh, I don't know....like "keylog.txt").
Kingstowne, Va.: I often wonder what kind of computer setups all these malware writers have, and what they do to keep their own computers virus free? Just what is the OS of choice for today's hackers?
Brian Krebs: Hehe. Well, it depends. I've spoken with plenty of online miscreants who don't use any anti-virus software at all. Most virus-writers probably are proficient in both Windows and Linux systems, and probably use both interchangeably. As for anti-virus, the main thing virus writers care about is making sure their creations are *not* detected by them. Time was, the virus writing groups would have many different types of anti-virus installed on many separate systems, to test their creations. Nowadays, there are so many different free services you can use online to scan a file against 20-30 different popular AV scanners that it would be silly for the bad guys to use anything else (although only a couple of the aggregate free anti-virus scanning services allow the submitter the option of *not* sending a copy of the malware to all participating AV companies).
I've had really bad experiences running Symantec/Norton and McAfee products. : Brian,
I couldn't agree more with the poster. I went through a lot of pain and agony when I had those products installed.
Life has been a lot easier with AVG free installed. Also, I don't use IE or Netscape for a browser either. That's also a big part of avoiding misery.
Brian Krebs: More heartfelt opinions/advice for our New York reader above:
Auburn, N.H.: In response to your New York writer, I've been a happy user of Sophos Antivirus on a PC with Windows XP for five years. It works quietly behind the scenes and I've never seen any degradation of performance. Good luck with your security!
Boston, Mass.: Hi Brian. I'm looking for suggestions for a good password manager. I was overseas for a while and had to manage my bank account information on computers that were clearly malware infested. I was able to change my account info afterwards and nothing bad came of it, but I'd like a way to start using completely random passwords. Thanks!
Brian Krebs: Hello Boston. You're in luck. A few weeks ago, I wrote a column on a few options for password manager programs.
Moline, Ill.: Hi Brian. I'm a senior citizen with a "donated" computer who isn't very confident of his tech savvy. My computer runs Windows XP with SP1. I ordered a CD to install SP2, but I have been reluctant to run it because I'm afraid that something might screw up and I will have no computer at all. I have a version of a firewall from Zone Alarm which I know isn't compatible with SP2, and I run Microsoft Money, which has a lot of useful financial history that I would hate to lose if something goes wrong with the changeover. Am I worried about nothing, or should I just leave well enough alone?
"over the tech hill"
Brian Krebs: Hi Moline. Thanks for the question. I'm glad to hear you're taking this seriously. And you're right to be a little cautious here, but not overly so.
First off, Microsoft no longer supports Service Pack 1 on Windows XP. What that means is you can't receive the latest security and bug fixes while you're running SP1. Which means in order to run the system securely, you're going to need to upgrade to SP2.
Before you do that, however, I would back up any and all important data on that system. If you have a CD or DVD burner, using that should suffice, unless you have tons and tons of data. In that case, go get yourself an inexpensive external USB hard drive and copy your data over there.
When you've done that, go ahead and upgrade (it shouldn't affect your install of Microsoft Money, but you might want to make sure you know where the install discs are and have your license key handy in case for some reason the worst comes to pass). After you've upgraded to SP2, you will need to visit Windows Update to make sure you have the rest of the patches released since your copy of SP2. Depending on how recent that copy is, this could range from a few to a few dozen updates. Also, set Windows to automatically download and install updates when they become available.
When you've finished with that, make sure the Windows firewall is turned on, and that you're using some kind of anti-virus program (AVG, Anti-Vir, Bitdefender Free, are just a few free AV programs available). If, on top of that, you can download and use Firefox as your browser, and run it under a drop my rights setup, you will have gone a long way toward building yourself a much more secure system. This may sound like a lot of work, but it will only take a couple of hours and will save you a ton of headache and pain in the months and years ahead. Good luck!
Burke, Va.: Yikes. You wouldn't reinstall the OS after finding a keystroke logger on your system? How can you possibly trust the system after that?
Brian Krebs: I completely expected this question. If it were me, I *would* indeed re-install Windows (or a known, safe backup image of it). And I've recommended as much before in no uncertain terms.
The reality, however, is that while this is undoubtedly the safest and wisest approach, I've found that very few Windows users are willing to go that far. Heck, most people don't even know where their Windows install discs are, let alone have a copy of their Windows license key sitting around.
Winnipeg: XP is going out of production soon.
As I understand it MS updates, security and otherwise, happen until the release is two behind the current one.
Given how for most people who just want a tool to write documents, run spreadsheets and such, and the fact that Vista requires a hardware update - even the 'lite' version is not for older machines - are we in for a lot of extra high tech landfill, or will there be ways of securely maintaining machines taken over by third party vendors if Microsoft completely abandons XP? (note: I like XP quite a bit, have found it stable and can't see any functionality that Vista would add, but see lots of downsides to an upgrade)
Brian Krebs: Yes, so Microsoft has said it plans to release its final service pack (#3) for XP sometime before the second half of this year, and that it plans to stop issuing new licenses for XP at the end of January 2009. I wouldn't be surprised if we saw SP3 pushed back yet again, along with Microsoft's plans to phase out support for XP. The reason being of course that hardly anyone wants Vista, and the public is clearly clamoring for the familiar OS they've come to know (if not love) -- as evidenced by the number of PC makers who have gone back and started offering both XP and Vista on new machines that once only shipped with Vista.
I suspect that if people were forced to make a choice, a great deal more people would switch over to using a Mac. Keep in mind though that a number of factors cause people to buy newer, faster machines -- the desire to play games that require more robust systems, failing components, etc.
In answer to your question, I'm of a mind that if Microsoft phased out support for XP within the next two years, that there would be such a large community of users still around that at least when it comes to the vitally important stuff -- third parties would come up with fixes to help users maintain their systems securely -- probably for free, but who knows.
Los Angeles, Calif.: Thanks for reminding me about Foxit Reader; I'm starting to use it again and it really is faster. Now, what to do with all the mostly Microsoft updates just hanging around in the control panel?
Brian Krebs: You're welcome. What do you mean what to do with the Microsoft updates? If they're installed, it's for a good reason. Leave them alone.
Antwerp, Belgium: Hi, Antwerp, Belgium, again. Last time you told me about having to type in my password each time I go on the WP website. I followed your tip allowing sites in IE options, but to no avail. Still doesn't work. Even if I check to remember my password, I still gotta retype it. Becoming annoying. I delete my cookies manually, so that's not it. Any better advice? Have a nice weekend.
Brian Krebs: I suspect you have some third-party program running that blocks the placement of cookies on your system? If you do, try turning it off or allowing an exception for wp.com and seeing if that works.
Baltimore, Md.: Doing something wrong downloading Firefox: I have tried on two occasions to download the Firefox browser to my home computer (HP PC running XP and SP2), but each time I come up with a blank screen. The top of the screen indicates that I am in Firefox, yet nothing appears. Incidentally, when I downloaded it to my work computer (IBM running XP Professional) there was no problem. Can't figure it out.
Brian Krebs: You most likely have a corrupt Firefox profile there. Either that or a previous update didn't take.
I would back up my bookmarks file (if not the entire profile), then uninstall and re-install Firefox. Hopefully that will fix your problem.
Loveland, Colo.: Hi, I would like to run OS X 4.0 along side Windows XP, how can I do this?
Brian Krebs: If you have a Mac, you can run Bootcamp, which allows you to choose between booting up in OS X or Windows when you start the machine.
A couple of other options include the use of virtual machines on a Mac. VMWare Fusion has earned nice comments from users. I use Parallels on my Macbook Pro, and run a licensed copy of Windows on top of that. Works great, but then I have 3 gigs of RAM on that system (your mileage may vary). Parallels even comes with a program called Parallels Transporter, which you download to your Windows system and it makes a copy of your entire C drive (and/or whatever other image you want to bring over). Move that over to a removable drive or a DVD and you can effectively port your install of Windows onto your Mac and run OS X and Windows at the same time. Both Parallels and VMWare Fusion are free to try, but you must pay for a license to use them after the trial period.
Washington, D.C.: The other day I noticed Internet Explorer (version 7) began to take an exceedingly long time to load a web page (but only the first web page). About two minutes.
Similarly, any time I open a new Explorer window or new tab it takes about the same amount of time.
Once the first web page is open however, I appear to be able to surf within that window with no further problems. Could this be caused by a virus or something else that was inadvertently installed on my computer. Security settings changed? I've run a virus scan, cleaned up the temporary internet files and tried a few other things, but nothing seems to work. And nothing appears to be amiss. Any thoughts?
Brian Krebs: Hrm. This could be a toughie to diagnose. Random obvious question, but when was the last time you simply rebooted the system? I know, I know, but you'd be surprised how many times this fixes weird stuff.
I assume your home page hasn't changed at all? I ask b/c some people I know set their home pages to sites that are very graphics intensive, load all kinds of charts and flash videos, etc, which can take quite a while to load. Does it make a difference if you set, say, Google.com, as your home page?
It's certainly possible some kind of malware has munged your system, but without more information I can't really speculate further on that.
I'd recommend checking out a free program called CCleaner which spends a bit of time going through and cleaning up worthless crap from your system and generally tidying up the place. You can choose which areas it should clean before you run the sweep. But it can take a while, so it might be best to set it to clean before you go to bed at night. When it's through, reboot and see if that's changed anything.
McLean, Va.: I am about to get a new Dell. Dell offers three security choices: Norton, McAfee, and one other that I can't recall. What is the best choice? The price is roughly the same.
Brian Krebs: Er...neither. If the cost is the same, and you're willing to pay for anti-virus, wait until you get the machine, and then once you're online head over to ESET.com and get yourself a copy of NOD32. It's far quieter than Norton or McAfee and a lot lighter on resources. You won't hear from it unless something goes wrong, and that's the way anti-virus software should work, IMHO.
Alexandria, Va.: Do you have any tips when buying an external hard drive? My iTunes has taken up almost all my hard drive space and I would like to use an external hard drive for all my iTunes storage. I found a 500GB unit for $130 which looks good to me, but I don't want to buy it, then learn that it doesn't have some magic flux capacitor gizmo required for easy operation. Thanks.
Brian Krebs: If you stick with a USB-based external drive, you should be fine. If you have a Firewire connection and can use that, go for it. I bought this Fantom 500 GB hard drive from NewEgg.com a few months back and have been extremely happy with it. It's very fast, and of course huge. For a little more than twice the price I paid ($120), you can get a one terabyte! external drive. Hooked up to my digital video recorder in my PC, I can now record up to like 200 hours of TV shows, or about 40 hours in digital TV transmissions. Of course, I also use it to store my hard drive backups.
Arlington, Va.: Hi Brian, My Norton Symantec AV has quarantined the "bloodhound exploit 65" virus and two trojan horses, but is unable to delete them. Efforts to find an application to delete them has proven unsuccessful. It's becoming annoying to be prompted by Norton AV about these issues over and over every day. Do you have any solutions? Thank you for taking our questions!
Brian Krebs: Yep. Find your Windows install disc and license key, and re-install Windows (see above discussion about this).
Alternatively, you could try to manually locate the buggers by examining the AV log files to see where they are stored (probably at least one copy in system restore, which won't be removable by the AV program). But this is a hugely unreliable way of cleaning your system, as a Trojan's job is to get a foot in the door of infected systems so that more malware can be downloaded.
The trouble is that once a system is compromised, by definition you can no longer trust the system or programs installed on the compromised system to tell you the truth or make sure you're protected. A couple of suggestions to try before you re-install: I mentioned a few free online virus scanners; they may be able to help. Alternatively, you could burn/use something like the Trinity Rescue Kit, but unless you're good at following complex directions and are somewhat familiar with command prompt commands, this is likely to waste your time.
Those "annoying" warnings are telling you that you most likely have a very serious security problem on your machine. Back up your important pictures, music, movies, documents, etc to some removeable media, and re-install windows and any needed patches.
Once you've got it back in shape, do yourself a favor and set up and then run the system under a limited user account for every day use.
Best of luck.
Brian Krebs: Well, I'm out of time, here, folks. A big shout of THANKS to everyone who stopped by and to those who contributed to this discussion in one form or another. We'll do another Security Fix Live again in a couple of weeks. Meantime, please drop by the Security Fix blog to stay up to date on security news, tips, patches, etc. Have a great weekend, and Be Safe Out There!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.