Security Fix Blogger
Friday, April 25, 2008 11:00 AM
A transcript follows.
Brian Krebs: Good morning, dear Security Fix readers, and Happy Friday! We've got more than the usual amount of questions today and I've gotten a head start on trying to tackle them. But please don't let that discourage you from dropping a query in the queue, and I will do my best to answer them quickly. Please remember to be as specific as possible in telling me a little bit about your system, which browser you're using, and any installed security software/hardware.
Boynton Beach, Fla.: Hey Brian '
Lately i have been receiving e-mails from pharmacies ' How do i stop getting e-mails from these annoying companies ' Thank you for your time and expertise '
Brian Krebs: Hello William. There isn't a lot you can do to keep these spammers from sending their junk mail to you. However, you can take advantage of some anti-spam tools to help you filter this crud into the ole Trash bin.
The Thunderbird e-mail client from Mozilla has a pretty decent built-in spam filter that can learn to ignore junk mail even better if you take the time to train it.
One of the best anti-spam services I've seen comes from Postini, a company recently bought by Google. In either an act of madness or sheer brilliance, Google is practically giving away this service at $3 per year per person. You can learn more at this link here
Cottage Grove, Ore.: When installing realplayer, my Snoopfree Privacy Shield program warned me that Realplayer was trying to get permission to read any screen, whether or not Realplayer "owned" that screen. Why does RP want to do that? Does this behavior make it a greater than average spyware risk? Would the BBC's version of Realplayer be any less of a risk?
Brian Krebs: I've seen this behavior when updating Apple's QuickTime media player as well on a systme of mine that has SnoopFree. I don't think RealPlayer is trying to steal your keystrokes, but I agree it is jarring to see this pop-up. I'm not a huge fan of RealPlayer (we recently published a blog post about a pro-consumer group labeling RP as "Badware" because of potentially misleading practices.
If I could suggest an alternative to RealPlayer, it would be the free Videlolan VLC media player. It can play RealAudio files, along with a ton of other media formats. And it won't take over your system as RP likes to do. VLC may seem a bit less intuitive at first, but take a minute or two to fool around in the menu items and maybe scan through the included help file, and I think you'll find you no longer need RP installed.
Anonymous: Brian -
I've read about the risk of "always on" ISP connections. How serious is this, and is one safer by going into standby mode overnight?
(I use Windows XP). My ISP is Hughes satellite.
Bill, Mason Township, ME
Brian Krebs: Hi Bill, thanks for the question, and this is one I get a lot (in fact, there are two other variants on this question submitted by readers today).
Protecting a computer system or network is in large part about reducing its "attack surface," that is -- the number of Internet-facing applications.
I recommend that people purchase/use a hardware firewall because it will block traffic that you did not initiate from even seeing your system on the Internet. Basic hardware firewalls cost between $30-$50, and pretty much all wireless routers have one of these firewalls built in to the devices. Yes, firewall software programs will do a decent job keeping out unwanted traffic, but they sometimes leave certain "ports" or doors on your PC reachable from the outside. Not to say attackers can break in using those doors, but often it's enough to let them know there is a computer behind those doors. Hardware firewalls simply drop any traffic that you didn't initiate.
There are a couple of "leak tests" that you can use to see if your software firewall is adequately protecting you. Check out the free scan offered by GRC to get an idea here.
If you're not behind a hardware firewall, you might consider powering down the modem or the system when you're not sitting behind the keyboard for long periods of time. It's not a huge risk to do otherwise, but in addition to being a tiny bit safer you will be greener, as computers and other devices plugged in to the wall require lots of energy to operate (and can increase your cooling costs in the warm summer months).
One note about hardware firewalls that ship with wireless routers: If you're simply using the wi-fi router but not the wireless connection, turn off the wireless fuction -- as it's on by default.
Robbins, N.C.: When I enter a secured site requesting a password, as soon as I click to enter a password, my computer reflects a number of my passwords used for most of my secured sites. I have never clicked to ask these sites to remember my passwords. How can I delete this screen?
Brian Krebs: I'm not familiar with the prompt you're describing. But I'll take a stab at your question anyway. You didn't say what browser you're using, but I'm going to guess that it's Internet Exploder. To make it so that IE doesn't remember or nag you to store passwords, go to Tools, Internet Options, Content, autocomplete and turn off the option to remember passwords. While you're there, it's a good idea to uncheck the rest of the boxes next to "forms" as well.
In Firefox, to Tools, Options, then click the Security tab. Uncheck the box next to "remember passwords for sites." Firefox also has a setting there for a master password, which when set prevents anyone who happens to be using your machine from simply clicking through to view your stored passwords. Make sure that if you set a master password, however, that it's one you can remember. Firefox warns you as much, saying if you forget your master password you won't be able to access any of your stored passwords.
Bedford, Tex.: have a friend that accidentally clicked on a site, how their home screen has a blue screen with yellow lettering that says LIVE SECURITY.COM FIX Click here. they can't find a way to delete this page and can't get a response from Live Security.com .can you help us .thanks
Brian Krebs: You've got some scareware on that system. Usually this is software that installs through browser-hijackers to modify your homepage or wallpaper with messages saying you have privacy or security threats on the system and need to pay the same criminal who hijacked your system to get the crap off of your system.
I don't know anything about this particular scareware product, but you're right in wanting to get rid of it. A couple of pieces of advice: spend a little time over at the excellent DSL Reports Security Cleanup Forum, and pay strict attention to the rules (e.g., download and run HijackThis! etc) BEFORE posting anything there, and you will almost certainly get the free help you need to rid your system of this scareware.
Second tip: consider adopting a limited user approach, or at least setting up drop my rights for any and ALL browser and intant messenger programs you use. Either of these approaches should help prevent sites from inflicting drive-by downloads on your system.
Secondly: run, don't walk, away from Internet Explorer. Whether you use Opera or Firefox or even Safari for Windows, you will be far safer than using IE. When I visit friends and relatives and invariably end up troubleshooting their PC, one of the first things I do is install an alternative browser, make it the default, and then delete the IE icons from the face of the Windows desktop.
Honolulu, Hawaii: Hi Brian,
I have a current subscription of Norton Internet Security 2005 installed in my computer. This subscription will end early next month. I plan to purchase and install Norton Internet Security 2008 before it expires.
My question is: Do I need to remove the 2005 version before I install 2008? Or will the 2008 version override 2005 version without removal? What do you recommend. Thanks...
Brian Krebs: If you choose to upgrade to NIS 2008, you should most definitely removed ALL components of the older NIS program before installing the new version(make sure that if you're carrying over your old license number that you look up and jot that down before removing NIS 2005).
When you go to remove NIS 2005, you may find that the uninstaller leaves a bunch of components behind (in fact, you will almost certainly find this is the case with Norton). Thankfully, Symantec makes a tool available to help fully uninstall this program.
Kansas City, Mo.: On a corporate level, how secure is the AIM? I am in a small firm and many people have loaded the Instant Messanger program on their PCs.
Brian Krebs: AOL Instant Messenger is no more or less secure than other IM clients. But IM software, be it from AOL, Yahoo, or Microsoft, is an absolutely HUGE vector for viruses, worms and malicious bot programs. If you choose to allow these programs in your office, be sure that your regular users are just that - i.e., not all-powerful "administrators" who can install anything they like on the systems.
I simply cannot emphasize the importance of this enough: If you want to avoid spending lots of time cleaning up after employees who download and install all kinds of programs that not only affect the security and integrity of your network and your business -- but also potentially open you up to copyright infringement claims (think peer-to-peer file sharing applications like BitTorrent, e.g.), you had better make sure those systems are locked down and that your employees are cannot install software.
Warner Robins, Ga.: Hey Brian,
Thanks for all your security info.
I have Win XP with all the updates and I have AVG as anti-virus. I use the Win XP firewall and I use a limited user account. My internet access is via dial-up. I also have on demand spyware and malware scanners with Firefox and the No-script extension. Is this "good enough" these days? Thanks for all the info you give us every week!
Brian Krebs: Nice setup there, Georgia. I would just add that of course you should be keeping up to date with the latest security updates, not just for Windows of course but for third party applications as well. Secunia's Software Inspector (Web-based scan, requires Java), or the installable Personal Software Inspector are great ways to do this.
This answer goes double for the other question submitted by a reader who asked what else she could do to stay abreast of important security news (besides reading Security Fix regularly, of course ; )
Silver Spring, Md.: Brian,
What can we expect from Windows XP, Service Pack 3? When's the release date? Will Microsoft sell copies of XP with the SP3 update on CD? I'd like to obtain a copy for future use, before Gates and Co. stop selling XP altogether.
Brian Krebs: Microsoft has already released Service Pack 3 for XP to computer makers. It will release the update to consumers via Windows update next Tuesday on April 29. I plan to have a writeup on the package up on the blog sometime Monday.
Once Microsoft makes it available online next week you should be able to download the thing as a stand-alone installer, if you'd rather not get it from Windows Udpate or for whatever reason cannot. You should also then be able to purchase a DVD from Microsoft, if you choose to go that route.
West Dummer, N.H.: Is there anything for Apple's Safari browser analogous to NoScript for Firefox?
Warner Robins, Ga.: Secunia is a great resource Brian. I have used it every week. I also got that source from you in the past. I also use the filehippo updater from filehippo.com
Brian Krebs: Glad to hear the advice was helpful, Ga., thanks!
Spotsylvania, Va.: I much prefer paying bills by writing a check and paying $.41 postage over paying online with a few clicks on this computer. I avoid online financial transactions as if it were poison ivy. Am I paranoid?
Brian Krebs: I don't think so. Plenty of people simply feel they cannot trust online transactions for fear of security problems. That's a perfectly rational response. My wife and I do largely not do online banking or bill paying for these same reasons -- even though I'm one of the most paranoid people I know!
Washington, D.C.: Why do you believe that Michael Chertoff and the DHS have decided to take cybersecurity seriously at this time? Industry has been calling for a more serious approach to the subject for sometime. It also appears that they are trying to put the emphasis for infosec on the private sector. Who should be leading on this area?
Brian Krebs: Well, this is a bit of a loaded question, IMHO, but I'll bite. If the DHS and our federal government leaders are taking cyber security more seriously it is because they could ill-afford not to. Government networks, and those of the myriad contractors and companies that support them and hold/process sensitive or top secret military and trade secrets, are the targets of non-stop, highly targeted and sophisticated attacks by foreign governments bent on stealing that data any which way they can.
The reason Uncle Sam in finally putting some resources behind this effort is that the attackers are succeeding on a massive scale in stealing that data.
The government places a very strong emphasis on public/private cooperation on cyber, as well they should -- as the private companies own and operate the vast majority of our most critical information systems -- those that control the power grid, water distribution systems, nuclear plants...you get the picture.
Interestingly enough, most of those industries are not laboring under heavy handed regulations from the federal government to secure their systems -- with a few notable exceptions. Uncle Sam has left this task up to industry itself -- through various industry-led consortiums. We can argue all day about whether those groups are being as effective as they need to in addressing the most critical security vulnerabilities and weaknesses in their systems. But I will say this: If, God forbid, we do experience a major cyber attack on these critical infrastructures -- particularly one that results in the loss of life or a substantial hit to the US economy, the private sector will swiftly find itself under heavy regulation from the government. Alternatively, depending on which party wins in November, these industries may find themselves grabbling with federal mandates and timetables here.
I don't think it much matters who takes the lead, as long as the organization in charge can work effectively to gain the cooperation it needs -- not an easy task in an area that is already fraught with red tape and seemingly endless studies, working groups and so on. I like the fact that the Air Force is making a grab for this space, running prime time commercials saying as much. I think we would do well to make it known to the world that this is a strategic battle front that we as a nation do not intend to cede ground on.
Rockville, Md.:"Plenty of people simply feel they cannot trust online transactions for fear of security problems. That's a perfectly rational response"
And plenty of elderly don't trust banks as they remember the 1930's. They don't care that the FDIC is here (and here to stay).
A little caution is warranted but your biggest credit card risk is at a restaurant when the waiter takes it away. That waiter could be skimming it. Online does not mean unsafe.
Brian Krebs: Sure, crooked waiters, waitresses, hotel staff, et.al. are and have always been a threat. But frankly, I worry a lot less about someone stealing my credit card number than I do someone gaining access to my checking or savings account.
I should note that while I don't bank online, I do conduct a large amount of online transactions with my credit card. I know if I lose my credit card or have it stolen by cyber thieves, that my issuer isn't going to hold me liable for those charges. I'm not as sanguine about that guarantee with respect to my bank and savings account, hence the sense of caution on that front.
Cody, Wyo.: Hi Brian,
I've got kind of an odd question. I recently installed Quicken Deluxe 2008 as my main accounting program. I really love it, but it contains 5 QuickTime files, although I have no idea why. QuickTime seems to have quite a few security problems.
So I asked the Quicken technical support people if I could delete those files. They said no, as the files are required for the program to work properly, but they offered no explanation beyond that.
The files are old -- 4 from 1998, and 1 from 2007. I suspect they have something to do with the music that plays whenever you open up Quicken.
There have been QuickTime security updates since I installed Quicken. But there have been no Quicken software updates. So I don't know if Quicken is ignoring the issue, or if perhaps those 5 files are okay.
My question is: Should I do the security updates whenever QuickTime makes them available?
Brian Krebs: Yes, of course you should update QuickTime with patches whenever they are released. As to your question about the QT media files themselves, they're harmless as long as your QT player is up to date on patches.
Modesto, Calif.: My daughter got a replacement laptop that's has 2 Gb with a dual Core and is running Vista. She complains about it being slower than her old computer. Before she gets too much data on it, would performance improve if I reinitialized her laptop with Windows XP?
Brian Krebs: Depends. XP is blazingly fast compared to Vista, in my experience. That's usually because people running Vista are using machines that meet the bare minimum hardware requirements. You didn't say how much system RAM is installed on the computer, but if it's not at least 2 GB, that might explain some of the slowness.
Also, have you installed Service Pack 1 for Vista yet? I did a few weeks ago and noticed a marked improvement in the responsiveness of the Vista PC I use.
I'm not a huge fan of Vista, but part of that may be that Microsoft changed things around just enough on Vista so that it's been easier for me to get around using my XP machine, or my Mac, frankly. If you decide to go back to XP, you should wait until after next Tuesday, when Microsoft releases XP Service Pack 3 to end-users via Windows update. That way, after installing the base operating system, you will only have to apply the Service Pack to be up-to-date with all of the latest security updates for XP.
Long Island City, N.Y.: I have a Gateway GT5418E running Windows Vista. I recently got a message saying I needed to update my Java to 6 5. But when I downloaded, I got a message about an unknown problem and "http status code = 302." The same thing happened using Firefox and IE. (I didn't have the problem updating my old Windows XP laptop).
Unfortunately, I deleted the old version of Java, 6 3, before trying again, but with the same result. I then did a system restore to a point before I deleted the old version. I got a message that the restore was successful, but now when I try to use a Java feature on a web page, I get cut off from the web site immediately.
When I click on the Properties, Compatibility sections of the Java installer, I notice that it does not include Vista, although the Java web site test confirmed that I needed the new version.
I e-mailed Java, but I haven't heard from them yet. Any ideas what I can do?
Brian Krebs: I'm out of time, Long Island. But drop me a line with your email address, at brian dot krebs at washingtonpost dot com. Thanks.
Brian Krebs: That's it for today, people! Thanks to everyone who stopped by to read or submit questions. Please consider coming by the Security Fix blog with regularity to stay on top of the latest security news, tips, and threats. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.