Security Fix Blogger
Friday, February 22, 2008 11:00 AM
The transcript follows.
Brian Krebs: Good morning and Happy Friday, dear Security Fix readers. Please remember to be as specific as possible about your computer setup before asking how-to or troubleshooting problems, etc. With that, I'll get started....
Chicago: Brian, Do you know of a utility to encrypt USB flash drives without installing the encryption software on the hosting computer, like a portable application? I'd like to encrypt a drive that I plug in to my work computer, but I do not have administrator privileges on that computer to install, say, TrueCrypt. I run portable apps (Firefox, OpenOffice) from my flash, but haven't found a corresponding encryption tool. Thanks!
Brian Krebs: Hello Chicago. You could install TrueCrypt on your home PC and encrypt the USB drive there. Then when you pop it into another machine, it will prompt you to enter your encryption password before opening the file directory. If it doesn't automagically prompt you when you pop it in the PC, then you don't have autorun turned on (believe me, that's a good thing). Just browse to the device in Windows Explorer. The neat part about this approach is if you run something like Firefox (or better yet, Portable Firefox) from the USB drive, your history, cache, bookmarks, etc. should all be saved on the drive, not on the PC you're using.
Others swear by U3 technology that comes built into many USB flash drives these days, and your mileage may vary, but I've never been all that wowed by U3 drives: The two that I have used have acted a bit flaky.
Hope that helps!
Louisville, Ky.: Would installation of proxy server software on my home PC running Vista Ultimate with or without a router increase my security? If so which proxy server software would you recommend?
Thank you for your response!
Brian Krebs: Hi. Please tell me why you believe installing a proxy server or using one will help you security-wise. Are you concerned about someone knowing your true IP address? That's all that a proxy server will do for you: it will allow you to bounce your traffic to and from another server on the Web before reaching its destination.
Can you vouch for the security and integrity of the proxy server you want to bounce through? If not, you're letting whoever controls that server watch all of your traffic go by.
I wouldn't advise using any proxy server unless you have a good reason to do so, and you know what you're doing.
Stormville, N.Y.: Hi Brian! Using Firefox on a Windows XP Home machine. I was reading a short article in the NY Times online. I wanted to print it so I clicked on the print button.
A window opened with the following message:
"The page you are trying to visit is using Cross-Site Scripting (CSS). This is a technique commonly used in phishing attacks.
URL ... ".
Now, I did not think the NYT would mount a phishing attack, but was concerned that the site might have been hijacked and did not proceed. Did I do the right thing, or was I overly cautious?
In any case, shouldn't the NYT programmers use another method in place of one that is often used maliciously?
Brian Krebs: I wouldn't sweat it too much; it's probably harmless, but I would have probably reacted as you did. And you're right, assuming it's not some compromised banner ad trying to load malicious content, there may have been some third-party content the print view page was trying to pull from another server that caused the warning message.
Phishers and online scammers exploit these types of flaws to make their scams appear more legitimate, because XSS vulnerabilities allow the attacker to force the target site to load content from somewhere else. Most of the time, this is in order to pop-up some kind of fake login screen over top of the legit login screen for a bank or other site that requires a username and password. But in theory cross site scripting attacks can be far more creative and malicious than most people assume.
Firefox is in all likelihood warning you that the NYT is displaying the content in the "print me" page by seamlessly loading it from another server. I'd be interested in knowing whether that page is still generating the error. If so, please send me a note at brian dot krebs at washingtonpost dot com with a link to it. You might also just ping the webmaster there at nytimes.com.
Chantilly, Va: Brian, Any good software to let me run my father's computer to fix it, due to a 4 hour distance?
Brian Krebs: Yes, check out LogMeIn Free, which I profiled in a blog post not too long ago. Some other folks chimed in with their favorite remote access tool as well.
Melbourne, Australia: G'day Brian,
A routine scan with the free A-Squared anti-adware program turned up 15 instances of "trace.registry.Ultimate Security Suite 2.0, medium risk." Can you tell me what this is? A trojan? It wasn't found by ESET NOD32 v.3, Zone Alarm Pro, Ad-Aware or Spybot S&D. I deleted it, of course, but am just curious about it. I've never installed anything called "Ultimate Security Suite 2.0."
Brian Krebs: Hi Melbourne. Thanks for joining us. It must be getting late in your neck of the woods down under, eh?
I spent a little time on A-Squared's user forum, and there are several people posting about this over the past few days. I suspect it is a false positive, but it looks like Ultimate Security Suite is a product that is designed to erase traces of your surfing habits online etc.
Now, keep in mind that I don't know anything really about this US2.0 product, so please don't take this as an evaluation of the worth or value of that product. But these types of software titles are very often advertised in ways that are awfully pushy, and sometimes try to scare you into installing them or use drive-by install techniques to download some stub installer that pops up alerts every once in a while to scare you into purchasing the product (these types of programs are most heavily pushed on adult Web sites, for obvious reasons).
I found a couple of threads on this from A-Squared, but neither of them seems terribly conclusive. I wouldn't worry too much about it, but maybe contribute a bit to some of the folks in that support forum to see if you can get a straight answer from A-Squared.
Arlington: Hi - I'm using XP and Outlook Express. I have a comment and a small question. I was using the free version of AntiVir for several months but ultimately got tired of the constant pop-ups telling me that there was a non-free version available. A couple of weeks ago I switched to AVG and have found it much more willing to operate in the background. My question is this: AVG scans incoming e-mails while AntiVir only scanned attachments to e-mails when you opened them. Presumably, AVG will also scan the attachment when it is opened, but what is the purpose of scanning the e-mail itself? Don't the viruses come in the attachments? Thanks.
Brian Krebs: Hi. The difference is an important one. Presumably, a good anti-virus product would detect a malicious attachment as such before allowing you to open it -- and potentially loosing the nasty on your machine. In theory, it shouldn't matter, because either an AV product will detect a file as malicious or it won't.
But given the choice, wouldn't you choose to have your AV inspect the file before giving you a chance to double-clicky on it? I know I would. So, the difference is, one will let you open the file and react, while the other will try to react *before* you can even get your grubby little mitts on the file.
Brian Krebs: My apologies for the runaway Web link in a couple of the posts above. We'll have it cleaned up in a jiffy. Thanks for your patience.
Washington DC: Following up on Chicago, is there any reason (other than maybe it's easier) to encrypt the entire USB drive versus using software (like Crypto by Software by Design) to encrypt each file? True, if the drive is encrypted, you enter the password once and you have access to all, whereas if you encrypt each file, you might need to enter your password for each file (and then you have to re-encrypt when done). I think the benefit of file-level encryption is that when I sync it to my hard drive at home, it is encrypted there as well.
Brian Krebs: Well, your approach would work as well, but as you say it would require a lot more entering of your password and such. I was responding to a specific question that was asked by someone who explicitly could *not* install programs on his work PC (and presumably may be limited in his "synching" abilities as well).
Elkton, MD: Wanting to know if you've seen anything really dazzle you lately. I am a computer technician and I am so bored on the job, mainly because I am shying away from Vista and its headaches and sticking with XP. This leaves me with little challenge as I've mastered securing it. So now I am looking for something to wow me... so what's wowed you?
Brian Krebs: It's never a dull moment when you start focusing on how the bad guys are constantly adapting to stay a few steps ahead of the security industry.
If you've grown bored with the regular PC maintenance stuff, maybe you'd find some inspiration contributing some time to the work of groups like CastleCops that work on the front lines of this war -- people whose investigation into new pieces of malware and phishing attacks often aid law enforcement and victims at the same time.
Annandale, VA: Hi Brian, I took your advice about a year ago and installed Avira AntiVir on my Windows ME machine. Worked great and I loved it. However, about a month and a half ago, it stopped working (i.e. it would not auto-produce a new serial number like before). After many unsuccessful attempts to reinstall, and after an exhaustive internet search, I found out that Avira is no longer supporting that OS. Not too big a deal as I rarely use that machine. However, I just wanted to let you know as it's a software program you usually recommend for those of us with legacy Operating Systems. My question for you, however, is do you have any other recommendations for AV software that will operate on Windows ME? I'm having trouble finding one. Thanks.
Brian Krebs: Hi there. Have you tried any of the other free AV tools listed at this link here? What works on Windows 98 *should* work also on ME.
Washington DC: I just read an article about how encryption can be defeated with liquid nitrogen. I must admit it didn't make a lot of sense to me. Do you have any insights on this?
Brian Krebs: I'm assuming you're talking about the research by the Princeton techies (see their research here and a NYT article discussing the method here).
First off, do you use disk encryption on your system? If so, you are probably well ahead of most in your understanding of security and privacy and the tradeoffs involved in gaining one over the other. If you do use encryption, you're probably the sort who would be slightly frightened by stories like this, which seem to indicate that disk encryption can be broken trivially.
My impression is this is more of a theoretical problem in the first place, and not a very easy problem to fix in the second. On the first point, do you know anyone with easy access to liquid nitrogen? I don't.
If the data you are storing on your system and protecting with encryption is so sensitive that a law enforcement agency or criminal outfit would go to such lengths to get at it, then you'd be best advised to follow the advice that can help minimize the threat from something like this: namely, when you're done using an encrypted volume, unmount it. Or better yet, just shut down the machine as opposed to putting it into hibernate or just closing the lid. That's really where this becomes an issue.
The problem stems from the fact that with encrypted hard drives, the decryption of the content on the disk generally happens at boot time. Simply placing the machine with the encrypted volume into hibernate or closing the lid doesn't restart that encryption process, so the data on disk -- including the credentials used to decrypt the volume -- may be stored in memory while the system is hibernating, because hibernating essentially dumps the contents stored in RAM (temporary) memory to the hard disk.
This is not an easy problem to solve. Short of expiring the encryption keys, which would basically kill your login and defeat the point of hibernation -- you can't do much about it, except the two steps I mentioned earlier. But in the end it's not likely to be much of a threat to you personally, IMHO.
Potsdam, NY: Good Morning Brian, Have you any strong feelings about recommending 'beta' security software? I've been using Comodo Anti-virus V 2.0 (beta) for about two years (as well as their V 2.4 of their firewall). Since it is a beta, none of the testing labs will touch it; anecdotally, I can report zero infections since adopting it (as verified by occasional on-demand scans using Trend Micro's 'Housecall' as well as Avira's Antivir). I look after several friends' computers and security is always a concern - especially as many of the leading apps are real system hogs, which Comodo seems not to be. I should like to recommend this product to others with clear conscience. Also, you mentioned Comodo's 'BoClean' in passing the other week; any feelings about its overall worth? Thanks!
Brian Krebs: My thoughts are this: All software is technically beta. Almost all software developers issue updates to fix problems discovered by users. In addition, pretty much all software these days requires you to approve a license agreement that holds the software maker free from liability should the program completely hose your machine or data. This is an agreement you make when you install the software. If you don't agree, you don't get to install the software.
BoClean is just another layer of defense that users may want to adopt -- nothing more or less. Bear in mind that because BoClean works at a very low level in the operating system, it may not play nicely with other security software that lives there as well. On one of several systems I tried BoClean on, I got a blue screen of death a day after installing the software, which also already had NOD32 anti-virus installed (I've never had a BSOD on that machine before).
There were two other installations (which didn't have NOD32) where BoClean got along swimmingly with other security software on the system. Your mileage may vary.
Antwerp, Belgium: Hi. I just purchased a Western Digital Elements external 500 giga HD. I transferred more than 100 movies and songs to it. The power supply gets very warm though. Can it be left in for a longer period of time or should I unplug it and plug back each time I use it? Thanks and have a nice weekend
Brian Krebs: Yes, I've noticed the same thing with one of my 500 Gig external drives, except the heat comes from the drive enclosure itself, not the power supply. I sometimes like to keep it on because it's the default drive to record movies from my built-in DVR on this PC, but sometimes when the old office is getting a little too toasty I like to turn it off.
Rather than unplugging it and plugging it in all the time, you might consider plugging it into a power strip that has a master on/off switch that you can toggle with your toe when you need to. You might also consider plugging all of your various chargers into that strip as well, as those chargers are notorious for using power even when they are not actively charging a device.
Arlington VA: Brian, I don't know if you've seen this already, but there's a fascinating paper making the rounds about attacking disk encryption by slowing the rate of decay of memory circuits: http://citp.princeton.edu.nyud.net/pub/coldboot.pdf. I'd be interested in reading your comments on this.
Brian Krebs: See my answer to the questioner above, please. Thanks!
Edgewater, Maryland: Hi Brian, I am running a Windows XP SP2 machine which is fully updated as is the Norton Antivirus & AVG Antispyware. The problem seems to be that some programs that I tried to delete (Adobe Acrobat reader, iTunes, Java old version and a few others) via the Windows Add/Remove utility are corrupted. When I try to delete them I get a message that a certain file can't be found so it halts the removal process. If I try to download the more up to date versions of the software I get the same message that a file can't be found & the installation is halted. The only new version I have been able to download was the current version of Java, the rest are still listed in my Add/Remove list. I tried going to a restore point and that didn't seem to help. When I go to Secunia.com and do a full scan for old versions everything comes up as current. I want to know if I am still vulnerable with those corrupted versions & if so if there is a program that will help me uninstall those older versions. Thanks!
Brian Krebs: Go and grab a copy of Microsoft's free Windows Installer cleanup utility. Read the directions carefully before proceeding to use it. Then follow the directions.
Mooresville NC: Morning. Transitioning from old Mac G4 to spiffy new 2.8 GHz Quad-Core Intel Xeon. Most but not all old files transferred via firewire but firewire no longer works and the G4 stopped recognizing any of my flash drives. I no longer even get the option of reformatting the flash drive, just an "invalid media" message with the only option being to "ignore". Any ideas?
Brian Krebs: Obvious question, but have you tried rebooting the Mac, leaving the external drive connected as you do? Does it still not recognize the drive?
Another thought: If you can connect the two machines over a network, either via a crossover ethernet cable or by enabling file sharing on both machines, maybe you can transfer the remaining files that way?
Washington DC: Hi. My computer has been very slow lately and I can't figure out if it's malware, DSL or just the computer's age. I hope you can help. When I first got DSL a few months back (Verizon), everything seemed speedy and great. But now it's almost as slow as dial-up. I have a Mac iBook G4 (model PowerBook6,3 with OSX 10.4) with Windows' MSOffice 2004. I dump cookies and history at the end of each session, and MacScan finds no malware. But I can't help thinking that things deteriorated sharply about 6 weeks ago, after I foolishly failed to recognize as fake an e-mail that appeared to be from someone I know asking me to help him post something on a particular website that I stupidly clicked to. Because I have Mac, I'd stopped worrying about viruses -- But again, daily runs of MacScan since then have found nothing. When I had a PC, it often was a large cache that slowed things down -- but I can't find a cache file to empty on this machine. Could it be that more of my neighbors are on-line when I am and that this is slowing down DSL service? I download very little except for system updates, software to watch TV shows and listen to radio on-line, and an occasional document. The number of items on my desktop has grown and I could file most of them away if that might help. Or what's your guess about the problem, and what suggestions do you have, if any, for resolving them? Many thanks!
Brian Krebs: Well, which is it? Is the network connection slow, or the PC? Or both?
It may be that the hard disk on the system is just getting full. How much available free space do you have left? Since most operating systems swap some of the temporary paging files out to storage on the hard drive, having low hard drive space can sometimes interfere with that.
Do you use wireless at home? Is it secure? If not, your guess that one or more of your neighbors may be sharing your connection (and thus diminishing your network speeds) may be correct. I've seen this happen in an apartment complex, where multiple people are leeching off of one unsuspecting tenant's connection.
Downingtown, Pa.: What do you make of the BBC report at http://news.bbc.co.uk/2/hi/technology/7205059.stm that next month's Vista SP1 will obstruct operation of some 3rd party programs, including some familiar names among Internet Security software?
Brian Krebs: What do I make of it? My understanding is this version interferes with the proper functioning of several different third-party security programs. But last time I checked Microsoft hadn't released Vista SP1 to the masses yet. Rather, they released it to certain members of the development community, and I suspect for this very reason: to iron out any major bugs in the update.
It appears that Microsoft is working with affected third parties to fix the problem, and indeed a number of those companies have already shipped updates to adjust to the new service pack changes.
That said, when Microsoft finally does release the public version of SP1 for Vista, it probably won't hurt to wait a few days or weeks to install it, just to make sure the update doesn't introduce widely-experienced problems.
Anonymous: To Edgewater, MD: Try CCleaner to uninstall something that is reluctant to do so. Not too long ago I had problems with getting rid of a corrupted (aborted download) installation of Urge (piggybacked in with an update of Windows Media Player) and I was able to uninstall it using CCleaner.
Brian Krebs: More advice for the person who had trouble uninstalling programs in Windows. I recommended this free CCleaner tool in the last Security Fix Live.
Austintown, OH: Any more info on the MBR RootKit virus... GMER seemed a bit complicated for the average person to understand... any other apps (easier to understand) that one could use? Thanks.
Brian Krebs: Sure. Microsoft has since added detection for this to its Windows Defender suite, as have a large number of anti-virus companies.
Chantilly, Va: Brian, Any relation to the news guy on WRC?
Brian Krebs: Yes, NBC 4 morning anchor Joe Krebs is a 2nd cousin of mine.
Kensington, Md.: Brian, If a house guest wants to connect to the internet at my home, then is it reasonably safe for me to allow them to use a wired connection to my password protected router? Are the other computers on my network reasonably safe from any malicious code on the guest's computer? Are there any extra precautions I should take if I allow guests to connect to my router? Thanks.
Brian Krebs: It's reasonably safe, yes. The worst you would have to worry about would be if your friend's PC had a malicious bot program running on it, in which case it would probably automatically start trying to scan for new victims on the local network.
If you run firewall software on the systems inside of your network (behind the router), then unless you have that software configured to explicitly trust connections from everyone who joins your network, it is unlikely that your friend's system will even be able to see yours on the same network (there are exceptions here, e.g., if you have poked holes in your software firewall to allow file sharing on the network).
Flash Drive Question Follow-up: Yep, I've tried all kinds of rebooting sequences and can't get old Mac to read the drive. The drives all work with other machines.
Brian Krebs: It may be that somehow the permissions set on the external drive have gotten fouled up. If you can get the thing to show up in the Disk Utility program (search for disk utility in finder), you may be able to repair the permissions settings on the drive. The "First Aid" tab should allow you to do this. Good luck.
Brian Krebs: Sorry folks, but I'm out of time for today. A huge thanks to all who participated and stopped by. I'll conduct another one of these chats a couple of weeks from today. Until then, please drop by the Security Fix blog regularly to stay on top of the latest security news and advice.
Be careful/safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.