Security Fix Live
Friday, April 11, 2008; 11:00 AM
Brian Krebs: Happy Friday, dear Security Fix readers. Some computer glitches prevented me from starting this chat on time (ah, the irony) but I'm ready to roll with your questions now. Please remember to be as specific as possible with questions that involve security software or your PC setup. With that, we're off!
Woodbridge, Va.: I have Firefox/Mozilla applications on my computer. Lately while scanning the net my antivirus program (Symantec) has been showing that the sites are being tracked by Alexa. Should I be concerned and if so, how do I prevent this?
Brian Krebs: Alexa is a site that tracks how many visitors various Web sites receive. One way they do this is by placing a tracking cookie on your system. A cookie is basically a text file that tells a site whether you've been there before, when, and other, mostly harmless data. Some people consider cookies to be a privacy invasion, but in the grand scheme of things that I cover I don't consider them to be much of a
Orlando, FO: How can I remove the xpantivirous from my computer?
Brian Krebs: Google is your friend.
Silver Spring, Md.: Brian,
Could you post another checklist for latest program updates and versions in your blog?
Also - will you be reviewing Windows Vista SP 1? Or is that Rob Pegoraro's territory?
Brian Krebs: I will post another Security Fix pop quiz next week in the blog. And I'll soon be writing about the Vista Service Pack. Thanks for the reminders. In the meantime, if you want to find out what programs on your system need patching, scan your system using Secunia's excellent and free software inspector service.
Bakersfield, Calif.: Question: How can the home user protect their system from being used as a Zombie/bot? Are there any software suppliers that offer such protection?
Brian Krebs: A bot is a catch-all term used to describe a machine (usually a Microsoft Windows system) that has been infected with malicious software that lets the bad guys control it from afar for things like spamming, password stealing and attacking Web sites (bots can also be benign helpful tools, but that's not really relevant to this discussion).
A lot of people get obsessed with the scary thought of their computer becoming a bot, but the reality is that if you're doing what you should from a Windows security standpoint (using up to date antivirus, patching regularly, ignoring links and attachments that arrive unbidding in email/instant message, and being careful about what you install and from where), it's unlikely your machine will become a bot.
By and large, the vast majority of systems that are botted are extremely insecure. In my experience, these systems often lack patches going back years, their users are not using any kind of anti-virus -- or, more often, they are using antivirus but it's the same antivirus that came installed as a three-month trial when they first bought the system and they haven't bothered to renew it.
Security companies are indeed offering specific anti-bot software for consumers and businesses, but I wouldn't recommend those programs for regular end users for a variety of reasons, most having to do with the notion that antivirus software *should* take care of this threat -- they don't always, obviously -- but at some point we've got to stop feeding the beast.
Short answer: use common sense, follow the practices I mentioned above and you shouldn't have to worry about your system being turned into a bot.
But if you do nothing else that I've recommended, you should set up your Windows system to run under a limited user account for everyday use.
Fairfax, Va: Brian,
A while ago you wrote about what should and should not be on a new computer, that is, what things to get rid of. My sister is getting a new computer and I'd like to send her that article.
I already sent her the one about the limited user account.
Brian Krebs: Thanks, Fairfax. You've reminded me that I REALLY, REALLY need to get a project finished: that is, getting some of these basic computer setup tips put in one, static place on the Security Fix blog that I can point people to for securing a new PC.
That said, I'm not sure I know the story you're referencing but a few come to mind.
Those are just a few. I'll keep searching for more, and try to wrap up that all-in-one-place resource soon.
Santa Rosa, Calif.: I've picked up a really insidious trojan called braviax.exe. I'm assuming that the best thing to do is just to save whatever files I need and then scrap the whole system and do a re-install, under the assumption that any other option may potentially leave unwanted traces of this self replicating, polymorphic virus. Right??
Brian Krebs: If you're up for it, reinstalling is always the best way to make sure a threat is fully removed. Some of today's threats are extraordinarily difficult for the average user to completely remove, as they get their hooks deep into the system, and some are able to reinstall themselves on the fly or even during the process of someone removing certain components of the invader.
The best approach by far is to get a decent backup plan (I use Acronis, but there are plenty other options): set up your system the way you want it, with all the applications you want, everything just so, and then get yourself some kind of backup tool or software to make an image of your hard drive, and store that image on a removable media or drive, such as an external hard drive, DVD, or even thumb drive.
I also advise people to change the default location of where Windows saves documents and downloads to a location that is not on the same volume as the main Windows installation. For instance, if you have a removable/USB-connected hard drive, you can right click on the "My Documents" folder, select "properties," and change that target location from C:/documents and settings/[yourusername]/My Documents to a My Documents folder you've created on an external drive. That way, if something goes drastically wrong you can restore to a known, safe backed up state. And you won't have to worry about backing up your documents after you've had a problem, which is infinitely more difficult than doing it beforehand. What's more, when you restore the image to that C: drive, you won't be writing over any of your precious data.
El Paso, Tex.: Thanks for your work. I have been reading your chats for about a year. About 6 months ago, because of your online nagging, I downloaded Firefox, created a limited user account, and use the Internet as limited user.
My next goal is to work entirely in my limited user account, except for when I need to administer something. I've recently had a weird limited user experience, though.
I have Windows XP home edition (continually updated). I'm a lawyer. I use a legal document assembly software and calendaring and billing system called ProDoc SOS. I called its tech support - always excellent - because the data I see when opening the software in the admin account (appointments, case info.) is not visible when I open the software in the limited user account. I do not have this problem with WordPerfect 12.
Tech support asked me to check the version of the software. In limited user the answer was 1.19 (two updates behind) and in admin user the answer was 1.21 (up to date). In other words, software updates I did in the admin account -- after I created the limited user account several months ago -- did not update the software as accessible in limited user. Like there were two separate versions of the software installed on the computer.
Does the limited user account carve out a piece of hard drive some way? Doesn't it defeat the purpose if I have to separately update software for each limited user? Explanation or speculation welcome.
Thanks for reading this.
Brian Krebs: Thanks for the question. I've encountered this same thing with a couple of custom software titles I have installed on my system, and it's a real pain, and frankly one the behaviors that keeps many people from adopting the limited user approach. This isn't a fault with Windows though: the company that makes your software can change that behavior if they want, but they likely realize that most of their users don't run under a limited user account, so why should they bother?
At any rate, there are a couple of things you can try.
One is just to run the program while logged in as limited user using the same "run as" method described above, and see if that allows it to update itself. To do this, right click on the installer program, and choose "Run as". Then enter your administrator account name and password.
The other -- albeit more drastic -- approach that has worked for me is to uninstall the program and then -- while logged in as the limited user -- reinstall it. Right click on the installer program, do the "run as" routine described above, and the re-install should proceed. You may find that the behavior then switches, so that the limited user account gets the updates, while the program run under the admin account does not, but that seems like a better approach if all you're doing in the admin account is maintenance now and then.
Good luck, and please let me know whether either of these approaches works.
Austinown, Ohio: Hi Brian,
I'm using the hardware firewall(SPI) in my Linksys router and the free version of Ashampoo software firewall for outbound info. I know that the Ashampoo firewall isn't the most sophisticated firewall, but seems to work well for this purpose. Am I correct in my assumption? Thanks and I really appreciate this forum.
Brian Krebs: Yup. You've got a fine setup there. This is another thing I need to add to that roundup of tips thing. Many people do not understand the difference between a hardware and software firewall, or whether they should have one or the other or both. Hardware firewalls are excellent because they stop unsolicited traffic from even seeing your system on the Net. In fact, I'd go so far as to say anyone who is only using a software firewall and otherwise plugging their computer straight into a broadband modem is asking for trouble.
Manhattan, N.Y.: Last post was a little misleading. If you back up before you recognize that your PC was compromised, the attendant My Documents file might also be infected even though the properties are different from a normal Windows setup. The problem is really when did the PC get the virus and did it backup while the virus was on the system.
Brian Krebs: I don't think it was misleading at all. What I said was, keep a backup image that you know to be safe and pristine. I still do that for my main PC. But what I didn't mention is that if you have the space, keeping incremental backups of your main image can be crucial. Yet, as you mention, if those incremental backups happen to backup a Trojan or rootkit, you've got problems. That's one of the reasons I prefer to initiate backups myself rather than to schedule them. If something's not quite right on my system, I don't want to wake up the next day to discover my backup image has been updated to the new, screwy state.
Adams Morgan: Hi Brian,
I have a Linksys wireless router for my laptop that is connected to my desktop. How can I tell that the laptop is accessing the network ( or an outside computer)?
Brian Krebs: Where to start? Hopefully you've changed the default name of the router so that it doesn't have the same name as 95 percent of the rest of the wireless devices out there (I think the default linksys name is just "linksys", but other routers have similarly imaginative default wireless SSID names like "wireless".
You should know when the laptop is connected when the Windows says so. By default, Windows should pop up a nice little text balloon whenever it connects to a wireless network. That balloon should pop up from a little blinking network icon in the bottom right corner of the taskbar. Double click that icon and it should say whether you're connected or not. Anyway, name the router's wireless link something unique and you'll know when it connects to your router because it that balloon will include the name of the network it's connecting to.
Alternatively, click Start, then Run, and type "cmd" without the quotes. At the command prompt, type "ipconfig" and if you see an address that starts with 192.168, then the laptop is likely connected to the router wirelessly. If it says not connected or begins with the number 169, it is not connected.
Cody, Wyo.: Hi Brian,
Great chat today!
Regarding the El Paso lawyer's question -- I've had the same sort of problems with the limited user account. So -- as per your advice -- I now use the Drop My Rights system. Takes a bit to set it up, but I think it achieves the same end result.
Brian Krebs: Thanks, Cody. I forgot to mention that option, as I usually do.
Stup, ID: I want to know how stupid you think the following act may have been. Let's not quibble about why I did it. I emailed my completed turbo tax file to my yahoo account as a temporary backup. How worried do you think I should feel about this being examined by others and to what extent do you think it is gone after I erased it? Thanks.
Brian Krebs: Haha. Don't beat yourself up too much. I'm sure the marketing bots at Yahoo enjoyed reading your tax infos. Beyond that, I doubt you have much to fear from this oversight. As you rightly alluded to, regular e-mail is not a secure mode of transferring data. It's more like a postcard. Anyone who happens to be in the middle can read it.
The question about whether it's truly gone when you deleted it is an interesting one, and I suspect only people who work at Yahoo know that answer. There's a non-trivial chance that it's kept in some kind of storage even after you delete it for a period of time.
Frederick, Md.: When the Caps beat the Flyers at the Verizon Center tonight, what security measures will have to be put into effect to ensure the safety of all late arrivals to the Caps bandwagon?
Brian Krebs: Hah! This is the third Caps-related comment I've received today in this chat. Never knew so many of our readers were just as rabid about security as they were their local hockey club.
Brian Krebs: I'm out of time, sadly. We had an all-staff meeting here in the middle of my chat that sort of ate up the rest of the time I had for this discussion (you can read about that on the site later today). My apologies, and if I didn't answer your question and it's an urgent one, you can always drop me a line at brian dot krebs at washingtonpost dot com. Thanks to everyone who dropped by, and until next time, please consider making it a habit of dropping by the Security Fix blog.