Security Fix Live
Friday, March 7, 2008; 11:00 AM
The transcript follows.
Brian Krebs: Good morning, dear Security Fix readers, and Happy Friday to you! I am ready to answer your security/PC questions. Please be so kind as to include as much information about your problem/computer setup as possible, such as installed security software and/or hardware, any error messages, etc. With that...
Washington, D.C.: I have piled in a corner of a closet the hard drives from every computer I have ever owned, including my first Windows 3.1 PC. All of them have some amount of confidential information on them. What are my options for permanently and securely destroying these drives? Or am I condemned to be buried with them?
Brian Krebs: Hi there. Assuming you'd like to just make sure that any sensitive data is wiped/destroyed on the drives, I'd suggest getting a cheap
IDE-to-USB cable, so that you can connect the drives one at a time to your machine without having to monkey with the insides of your computer.
Then go grab a copy of SDelete, a free secure erase tool from Microsoft. It's a command-line based tool, which means you have to open up a command prompt to use it (start, run, then type cmd.exe).
Make sure you're in the same directory as where you put the Sdelete.exe file, and then follow the command line instructions at this link. So, for example, if you had the drive you wanted to wipe at E:/, you could type: "sdelete -p 3 -c -z e:" (without the quotes); that should write over the used and unused space on the E: drive 3 times, which is more than enough to zero out any data on those drives.
That's just one solution, and there are many others, which I'm sure we'll hear about from readers as this chat progresses.
Falls Church, Va.: As a parent of a 6th grader who is starting to explore the internet what can I do to protect him and the computer from things he might do. What is the best software for controlling the sites he sees. Also Is there anything that works with YouTube to control the content of what he sees - they have a lot of stuff that is fine but some of it is too violent or too adult.
Thanks for any help.
Brian Krebs: Yes. The first thing I would do is make sure that you as the administrator of the computer are the only one who can make important changes on the system or install software (accidentally or purposefully).
Do this by creating a second administrator account (I'm assuming the one you're using now is an admin account), and then switch the account you're currently using over to a limited user account. And then use the limited user account for everyday browsing, etc. Protect the admin account with a strong password that only you know.
Second, I'd recommend using OpenDNS, a tool that allows you as the administrator to decide what sites your machine should be allowed to visit.
It doesn't even require you to install any software. As I wrote in a post last week, not only does this free service let you block most porn sites, it will now let you block sites depending on the content.
So, for example, if you wanted to block all social networking sites, or all video sites like Youtube, there's a setting for that. If you wanted to block sites related to alcohol and drug use, there's a blocking category for that as well. Anything that doesn't fit into neat little categories like that you can always block on a one-off basis by using their blacklist. Alternatively, if you just want to allow your child to go visit a short list of sites and no others, you could adopt OpenDNS's whitelist.
Is "Winspykiller" a legitimate anti-virus software program? An ad for it keeps on popping up on my screen. Txs.
Brian Krebs: WinSpyKiller is yet another piece of scareware that uses malware techniques to get onto your system, and then uses fake reports of malicious programs on your system to try and frighten you in paying for worthless anti-spyware/anti-virus software.
See: CA's writeup, which puts Winspykiller in the infamous BraveSentry category of scareware....
and Sunbelt Software's evaluation which comes to pretty much the same conclusion.
Several self-help forums have removal tools for this rather recent scareware product. See:
MalwareBytes' removal tool.
411-spyware.com has detailed manual removal instructions, if you feel confident in your skills for editing the windows registry (for experts only!).
NYC: Why doesn't Congress or someone enact a 1/100 of a cent tax on email from those who wish it, so that it can keep out spammers? I'd even pay for my friends, so they can send it to me free, but only then can mail get through to me. Or some such idea which would tax heavily those who send millions of spam messages, from robots or from taken over machines.
Pete from NYC
Brian Krebs: This *sounds* like a nice idea, until you understand that spammers don't send e-mail from their own computers. They route the spam through thousands or millions of PCs that have been compromised by malicious software, unbeknownst to the rightful owners of those systems. So, in effect, you'd be asking for victims of cyber crime to pay up when their machine is used to send spam.
Now, there is probably a significant portion of the computer security community who would agree that this would be a splendid way to make the average computer user wake up and take PC security seriously. Whether such a radical program would help in that regard, I don't know. Would you think it fair to get a bill for $1,000 because someone took over your system and used it to send spam?
But there are just too many ways such a system could be abused or completely fouled up. For instance, how would the US govt collect such a tax on machines from outside the US? How could it begin to even prove that a given system actually sent the mail, as opposed to just relaying it? I could go on an on with hypotheticals, but I hope you can see the many obvious shortcomings with this approach.
Annandale, VA: Thanks for your external hard drive (500 GB) recommendation from newegg.com. I bought it and it has worked flawlessly. Plus the transfer rates are phenomenal. Just wanted to circle back and let you know your advice really worked for me. Thanks.
Brian Krebs: Fantastic. Happy to hear you like that drive. It has changed my life as well -- not having to worry about whether I have enough hard drive space for all my stuff!
Los Angeles, Calif.: Hello,
Thanks for the discussions, they are very helpful. My old XP run computer running on an installation several years old, but always running with updated antivirus software (Norton AV mostly) but also several antispyware softwares (System Mechanic, Spybot S&D and Adware Personal). Using this computer, I set up an account with E-trade, and for a reason unknown to myself, I left the account idle for several months. Just recently, I logged back in and realized someone had been writing unauthorized checks from the account! The only conclusion I can make is that the PC I used to set up the account is compromised although my AV and Antispyware software report no problems!! I have not used any other computer to access the account since its inception until I logged into it just recently. What can you tell me about this?
Brian Krebs: Two possibilities: Either eTrade had a data compromise, or you did. Since the latter is more likely, that's probably the best place to start.
Unfortunately, it's difficult to trust a forensic security report on a machine when the machine that's doing the evaluation is potentially compromised. I.e., on a potentially compromised system, you can never be sure when the system tells you it's secure and uncompromised. In order to get a true objective opinion, you'll need to scan the system or hard drive using another machine.
Please drop me a line at brian dot krebs at washingtonpost dot com. I think I may have something for you. Also, eTrade offers customers a token key fob device that generates a one-time password that changes every 30 seconds. So, once you figure out what's wrong and are confidently on a safe machine, go ahead and request one from eTrade. without this data, thieves will be unable to log in to your account remotely. In fact, I think eTrade made it a policy to require that customers who've had break-ins use these devices, but I'm not 100 percent sure on that.
Cody, Wyoming: Hi Brian,This may not be the "preferred" method of wiping out a hard drive.I just donated an older laptop computer to a local nonprofit organization. I physically removed the hard drive since it had so much confidential information on it. Then I smashed into a zillion pieces with a heavy hammer.John
Brian Krebs: Yes. The old "smash the thing to smithereens" is yet another, albeit potentially hazardous, approach.
Anti-Virus: I know you're a NOD32 fan, but is it better than Kaspersky or Bitdefender? Thinking about what to install on my new laptop. Don't really care about costs. Thanks.
Brian Krebs: It's very difficult to compare anti-virus products. I know Kaspersky makes an excellent anti-virus product, which is almost always very good at detecting the latest malware quickly, but my experience with its suite -- which includes the firewall and other protections -- wasn't that great. But then again, I haven't seen a security suite from any vendor that I like very much, mainly because they are all somewhat bloated, usually include a bunch of features that are difficult to disable or silence, and often consume a great deal of system resources.
NOD32 has an excellent heuristic based detection -- meaning it's very good at detecting bad stuff even if it doesn't have a set of instructions for that particular piece of malware conclusively identifying it as such. Kaspersky tends to rely almost exclusively on signatures to detect malware, although it just licensed technology from a promising company called Bit9, which employs a whitelist approach to protecting users from malware (whitelist, as in -- okay, here's a list of all the known good files on an average Windows system -- alert me if someone tries to alter them in any way kind of thing). I'd have to check if Kaspersky's latest AV tool includes that functionality.
Long answer short -- pick one and download a trial version of it to see how you like it. I like NOD32 because I often forget it's even running, until I encounter a site that tries to foist some kind of malware on me.
Schenectady, NY: Does sdelete work on Vista?
Brian Krebs: I honestly don't know. The support/download page for SDelete only says it works on Windows 95, 98, NT, 2k and XP. Doesn't say anything about Vista. Probably wouldn't hurt to give it a shot though.
Alternatively, Eraser is another free tool, and I believe it *does* work on Vista systems.
Collumbia, MD: Hi Brian,I appreciate your blog so much as a teacher at a community college. We are watching your blog in a seminar this morning, and one of the students asked me why you spelled out your email address in a previous response. brian dot krebs at washingtonpost dot comThanks,
Brian Krebs: I do that because of slimeball spammers. Spammers generally purchase their lists of people to whom they send junk e-mail. The primary way those lists are generated is through the use of automated Web spiders that crawl the Internet scouring Web pages for e-mail addresses. Most of those automated crawlers look for addresses by searching for text strings in the usual e-mail format, e.g., email@example.com.
One way to confuse those crawlers, and potentially prevent them from grabbing your address, is to obfuscate portions of the e-mail address when posting it in a public forum online, as I have done by spelling out the @ symbol, etc.
Hope that helps explain things. Thanks for reading!
Vienna, VA: I'm new to the whole wireless networking thing.I just got an iMac and Time Capsule, which i am using for wireless.What do i need to do in terms of settings to make sure i am protected?Can someone hack into the hard drive on my Time Capsule to steal my info when the mac is off but the power is still on to the Time Capsule?
Brian Krebs: Wow. Color me green with envy.
For those who don't know, Time Capsule is a new wireless backup device from Apple. It combines an Airport wireless base station and a giant hard-drive to use with Time Machine, the backup utility that ships with Mac OS X 10.5 (Leopard).
I haven't used this product, but as I understand it Time Capsule uses WPA encryption, which is pretty secure. For written instructions + a nice video on how to set up WPA encryption on an Apple Airport base station (and other Apple components), check out this well-done video over at GetNetWise.org.
Baltimore MD: Just went to the newegg site and I see a number of 500GB external hard drives. Can you provide the brand? Thanks.
Brian Krebs: Hi. I believe this product was the one I recommended at NewEgg. But if you don't need the firewire port and just want a USB drive, this one can be had for about $40 less ($99) when you include the rebate.
wiping disks..: Assuming your computer boots and the disk is attached (and not some SATA RAID drive ...) DBAN is the best thing around to securely wipe the disk: http:/
Brian Krebs: More advice for readers looking to banish data from their old hard drives.
Chesapeake Beach, MD: In so many cyber war games, participants have opted to attack the game controllers systems rather then their opponents systems. In the games schedule this week, do they have some precautions set up for that?
Brian Krebs: Thanks for the question. Chesapeake is referring to a story I wrote that we published today:
Not sure I completely understand your question, but the people who are playing (not those orchestrating the attack scenarios) are focused mainly on defending and rebuilding networks and systems that are under simulated attack. As I understand it, there is not a lot of emphasis in these games on traditional force-response, or counter-attacking the attackers. My guess is the response for any participant who tried to pull such a stunt would be for the game controllers to inject even more chaos and pain into the counterattacking players' scenario, but I don't know for sure.
RE: Newegg: Yep, that is the external hard drive you recommended and I bought. They must be onto you though, Brian. It was $20 cheaper when I bought it a couple weeks ago. To the poster: buy it and enjoy it. You won't be disappointed.
Brian Krebs: Closing the loop (I hope) on this hard drive thingee.
Anti-Virus Follow-Up: Never really cared about packages (suites) that include firewalls. I'm perfectly fine relying on Windows (Vista) Firewall, right?Thanks again.
Brian Krebs: As with anti-virus software, it's important for Windows users to just have and use a firewall product. The firewall built into Windows XP was and is fine for most users, and the Vista firewall isn't too much different and should suffice for the average user (particularly if you take the time to make sure the exceptions you don't need are disallowed).
burke, va: I have a theory that Adobe purposefully injects security flaws into Acrobat so they can "discover" these at a convenient later date. Then by refusing to release security updates for older versions, they can force people to buy the new versions, even though there are no useful new features that would otherwise make that worth while.I say this as someone who works in DoD, in a department where we could very easily get by with Acrobat 4. Except that we had to upgrade to 5,6,7 and now 8 for the security fixes. Very annoying.
Brian Krebs: Interesting conspiracy theory. I have bene on record several times taking companies to task for making customers pay to upgrades that include security fixes. I understand the arguments that companies make when this occurs -- that they are adding functionality that gets broken when certain elements of the programs aren't updated to the newer code base, and that the older code base has structural programming flaws that aren't easily patchable.
Still, you might cut Adobe just a little slack. Many of the vulnerabilities that are identified and released are found by independent security researchers who are trying to make a name (or money) for themselves. Often times, these individuals post the instructions showing everyone how to exploit the flaws they've found. I can assure you that these individuals go after not just Adobe but any other software product that has a broad user base.
That said, I understand that Adobe still has not shipped an update to fix a security problem that it mended in Adobe Reader 8 but not on version 7. My response is why not upgrade to 8 (the reader, after all is free), but you mentioned Acrobat, which of course is not free. My response would be that Adobe is not the only player in this market. If you are unhappy with their performance, maybe it's time to vote with your wallet and take your software purchases to another company? Just a thought.
Foothill Ranch, CA: Hi Brian - love your columns. I'm running XP/SP2 with NAV 08, ZoneAlarm Pro, & Spy Sweeper. After installing NAV, my outgoing Outlook e-mail failed. A chat session with NAV customer support produced no resolution other than to disable outgoing e-mail checking in NAV - I had to do the same thing with ZAP for the same reason. Do you know of any solution that NAV doesn't?
Brian Krebs: Hi. This is a common problem. Both ZoneAlarm Pro and Norton give users the option of scanning incoming/outgoing e-mail for malicious code/actions, etc. In order for this to work properly, you need to set up these programs just-so with your e-mail provider's settings.
In most cases, in order to do this, you need to set up ZAP or Norton to act as a proxy for your mail client, so that it can scan the incoming mail before it gets to Outlook, and then deliver the scanned mail to your Outlook inbox. This can take some patience and trial and error, however, if you're not accustomed to doing this kind of thing.
You should check with whoever your e-mail provider is to see if they have instructions specific to the security software you're using. Don't let them tell you it's NAV or ZAP's responsibility. They should be at least able to direct you to a Web page that lists their incoming/outgoing e-mail server settings.
Bear in mind, however, that some e-mail security scanning software doesn't support SSL (secure sockets layer) e-mail. E,.g., I know Norton's anti-virus products used to not support any e-mail provider that required users to log in via port 443. I don't know whether NAV 2008 has that limitation, but just something to keep in mind.
You said one solution that worked for you was to disable OUTGOING email scanning. Does that mean the program has no problems scanning INCOMING e-mail? If that's the case, I wouldn't worry to much about it.
Annandale, VA: What do you think about using your Hosts file to block unwanted, third party parasites? Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by that DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements.Helpful or hurtful?
Brian Krebs: There's nothing wrong with using a hosts file and maintaining it as a means of blocking the loading or rendering of certain Web sites/advertisers. But then again there are plenty of other solutions that are far more comprehensive and to my mind a better use of your time.
I harp on it about 100x a week, but running the system under a limited user account prevents the logged-in user (or virtually any program running under the logged-in limited user account) from altering the system's host file settings. I run under a limited user account and haven't touched by hosts file, and neither has anything else, ever.
Alternatively, add-ons like Adblock and Noscript for Firefox are probably a bit more user-friendly and configurable for the average user.
Boston, Mass.: Hi Brian,
I recently set up my home wireless connection using the following choices under wireless status.
Radio enabled -yes
Selected a channel(I am not sure if the choice of the channel is important)
Security Enabled -yes
Wep 64 bit
Wireless Mode--Mixed accepts 802.11b and 80211g which is my configuration.
are there any other steps that I should be aware of.
Tom from Boston
Brian Krebs: If you're serious about security and encrypting the traffic on your network, see if your router supports WPA or WPA2 encryption, as opposed to WEP. WEP is all but worthless. It will deter the casual surfer who happens by and wants to jump on your network to check his email, but methods and software for cracking WEP are well known and freely available, so it is unlikely to be much of a deterrent for anyone who really wants to break in.
My advice: use or get a router that supports WPA or WPA2. Make sure the router administration page is protected with a strong (not default) username and password. Make sure the WPA key/passphrase that you pick is similarly strong. Disable sharing of Windows files/folders on the network if you are not using that feature. Turn on any of the other features at your discretion (Mac filtering, disable SSID, etc), but realize that these are more window-dressing type security features -- as they are easily breakable -- and understand that unless you know what you are doing they are only likely to make it more difficult for you to set up your encrypted network properly.
Adobe reader: The problem is, version 7 and before were nice lightweight readers. Modern versions are huge bundled masses with auto-update nags, slow load and response times etc. I've used foxit for my PDF viewing since I saw it mentioned either by you, or the Q/A guys in the Post's Sunday Business section.
Brian Krebs: Yup. That's a common complaint. I've recommended Foxit as often as I can. It's extremely lightweight and does the job if all you want is a reader program.
Annapolis, MD: re the data on old disk drives .... drilling 4 or 5 holes in them with a 3/8" or 1/4" drill bit will take care of the problem ..guaranteed!
Brian Krebs: as will dropping it in a vat of muriatic acid, droping it into the ocean from 30k feet, or stuffing it in a hide of beef and feeding it to a pack of wild velociraptors.
Philadelphia, Pa.: Mr. Krebs, Many thanks to you for publishing that FDIC incident report document. The more that information is published, the greater the awareness businesses and the public can have on the topic of fraud-via-Internet.
I visited the FDIC's web site earlier today to search for an official version of that document since the copy provided by the Post was marked "Draft." The top result was an examination for a financial institution's IT Officer. That exam ran through a bunch of 'what technologies do you use' and 'have you followed these procedures' questions. I think the same type of questionnaire might be a great practice for financial institutions and even schools to ask of new adult consumers and students respectively.
From the perspective of an IT support professional, I would love to hear of financial institutions implementing some sort of consumer audit program where they, via phone or on-site support, make sure that their customer's electronic banking affairs are in order. Firewall? Check. Anti-virus/malware software? Check. All account access credentials documented and saved in a secure location? Check.
Same goes for short, mandatory courses in junior or senior high schools on financial transactions via the Internet and their home PCs or mobile devices.
washingtonpost.com: Security Fix: The FDIC Computer Intrusion Report
Brian Krebs: Interesting. I spoke with a guy recently who's starting up a security company in Brazil, where the malware crime groups have taken bank info-stealing Trojan horse programs to another level. The guy I spoke with said he started a company down there b/c the banks are in dire need of forensic analysts. He said some of them will go so far as to roll truck to a customer's house if that customer had a computer intrusion that resulted in a cetain loss amount. The result: if the bank's forensics examiners determined the customer wasn't using a firewall, anti-virus, patching, etc., that customer didn't get their stolen money/account back.
I doubt it would ever come to that in this country, but it's a different and fascinating approach nonetheless.
Las Vegas, Nv: Thanks Brian for all your good information.I have a small home network which consists of a DSL modem and a wireless router. There's a wireless laptop connecting through the router. There are wired desktops connecting through a hub. All run XP Pro. Shouldn't any of the computers be able to "see" all the others in "My Network Places"?Thanks
Brian Krebs: No. You need to enable file sharing on any of the systems you want to share files and folders. Secondly, you need to make sure each computer on the network is set up to use the same workgroup. I think in Windows by default the domain is creatively named "workgroup" or "mshome", I forget which. Anyway, it doesn't much matter, as long as all the systems you want to be able to network together have the same workgroup name.
On XP home, filesharing is turned on by default. On Pro, you can enable/disable it through the Tools menu of Explorer.
To check to see whether they're all on the same workgroup, to to the control panel and click on the System tab, and then on the "computer name" tab. You'll need to be logged in as an administrator to make any changes to the workgroup.
all that done, you merely need to indicate which files, folders or drives you want to share. I'd advise you in this case that more is less. That is, consider sharing just the drives you want, rather than the entire hard drive (especially if the drive you want to share is the same volume that Windows is installed on). To enable sharing of a folder or drive, right click on it and select "Sharing and Security." Note, again, that this right click option is disabled in all non-administrator accounts.
e-endusa: One alternative to removing personal information from hard drives is to take them to an electronic recycle. In Maryland, you can go to MarylandRecycles.org to find recyclers that degauss and destroy the hard drive then recycle all the components in an environmentally safe way. Do the right thing and protect yourself! Recycle!
Brian Krebs: Okay, thanks for the info!
Brian Krebs: That's it, folks. I'm out of time for today. Thanks to everyone who stopped by to read and/or contribute a question. We'll host another Security Fix Live two weeks from today. In the meantime, please consider making a habit of dropping by the Security Fix Blog to stay abreast of the latest security news, tips and warnings.
Be safe out there, and have a great weekend!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.