Security Fix Blogger
Friday, May 9, 2008 11:00 AM
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers! Thanks for joining us today. I'll jump right into the questions straight away, but please remember to give me as much detail as possible about your setup (installed security software and hardware) when posting a question.
Atlanta: How risky is it to download upgrades such as flashplayers from sites that say you cannot watch something without an upgrade?
Particularly when the site telling you to upgrade is a major website?
Brian Krebs: Good question, Atlanta. Doesn't matter whether you're on a site you think you can trust. It's always a good idea to update software from the Web site of the producer of that software. The reason being that we've seen time and again attackers who have hacked a site or created a malicious site that prompts the user to install some plugin or "update" their video player in order to view some content.
Avoid this practice like the plague. If a Web site (and I don't care if it's washingtonpost.com) says you need to update your Flash player, take a second and visit Adobe's site to get the latest version. Too often, legit sites will indeed offer you an update, but the update isn't the latest update.
Washington, D.C.: By mere accident I came to learn that someone had "hacked" into my gmail account and then had been accessing my account on a regular basis. No ostensible harm was done and no information compromised as far as I could tell, but I still feel very violated, and even the victim of a crime to be honest. Is a gmail password that easy to crack? Is there an actual crime involved in what I just went through for the past year plus? Thanks!
Brian Krebs: I wanted to tackle this question early because it raises a number of questions in my mind. Such as, how do you know someone was reading your Gmail? I suspect this is someone you know, and probably someone you were close with, maybe an estranged family member or former boyfriend?
I ask because people tend to pick passwords that hold special meaning for them and are thus easier to remember. If the person who was reading your email was close to you, and your password was related to something that identifies you (your birthday, middle name, graduation year, etc) then it may have been very easy for that person to guess.
If your Gmail was being read by someone who at one time had physical access to your computer, then all bets are off. You can put all the security you want in place around a system, but most of it can be foiled if a knowledgeable attacker with the right tools is seated in front of your machine.
Was there a crime here? Sure. Reading someone else's email without their permission is an unlawful intercept of electronic communications (think wiretap). Will you convince any prosecutor to take your case, given that you suffered no real damages as a result? Keep dreaming.
Aberystwyth, Wales: Hi Brian,
Your column is greatly appreciated over here. I have one computer still running Win 98SE, currently protected by AVG 7.5. Rumour has it that support will be withdrawn at the end of May. Any suggestions for a suitable replacement?
Brian Krebs: Quite a while back, when I wrote about Microsoft ending support for Windows 98/ME (July 2006), I researched a number of security tools that were Win98-friendly. That list has no doubt changed since then.
While I probably need to update that post, I don't have time right now to re-research which of those tools still work with 98. Take a look at this list and check their FAQ pages to see if they still support Win98. Good luck.
Potomac Falls, Va.: Brian, the Free AVG antivirus program has become quite popular with home users. They have recently released a new upgrade, v 8.0, and are giving their existing 7.5 users a pop up telling them to get the upgrade.
This has become quite unpopular in the AVG user community, since the new version seems to have a lot more overhead, and includes (horrors!) a yahoo toolbar!
Have you been following any of this and do you have any thoughts about this product?
Brian Krebs: Yeah, I've been "following" it, to some degree... reading on various support forums that people are griping. My thoughts? You get what you pay for. When you get free AV without paying for it, you get stuff like the Yahoo! toolbar. Yawn.
That said, AVG's free offerings aren't what they used to be. Even with its occasional nag screen, if I were on the hunt for a free anti-virus program, I'd probably choose the free version of Avira's Anti-Vir Personal.
I've been meaning to ask you this since I started grad school. Our building has a wifi network of course. To surf the net you need to enter your assigned user name/password. But the network itself is totally unencrypted. Is this a serious problem? I use the gmail login that keeps your session secure the entire time, I avoid checking my financials at school, and have Vista's wifi manager treat the building as a public place.
Does the lack of encryption mean that only info that I send out through the internet is vulnerable or is my computer potentially vulnerable as well? Are there other precautions I should take? Thanks and best regards.
Brian Krebs: Someone wiser than me once told me that a good way to live your life is as if everything you did were going to be on the front page of The Washington Post. That may seem egocentric or stupid, but the point is that if an action is something you'd be ashamed to admit or acknowledge in public, then it's probably best to avoid it.
I take a somewhat similar approach to public wifi. I use it on occasion, but never, ever, do anything important or vital on it. Maybe this comes as a result of too many years at the DefCon hacker conference in Vegas each year, where they have a "Wall of Sheep" that prominently and continuously displays the usernames and passwords of people insane enough to a) get on the DefCon wireless network and b) log in to their e-mail accounts on such a network.
As I've said time and again, if you don't control the network, you cannot vouch for its security. If your passwords are cruising by in plain text, that means anyone who's on the wireless network can sniff your passwords or steal your cookies. Yes, logging in to a site that uses SSL (https://) can protect traffic from that session from being read, but many sites (hotmail, gmail, et al.) only require https:// when transmitting the initial username and password (if you want to access your gmail on a wireless network, make sure you type https://mail.google.com, as doing so will maintain the https connection the whole time you're logged into Gmail on that network).
From a security standpoint, being on a wireless LAN doesn't necessarily expose you to any particular threats, save one: That is, it becomes much easier for a potential attacker on the network to find your system. E.g., if there are 15 machines on a network, I can, with free, downloadable tools, monitor a wireless LAN and most often pretty quickly figure out -- just by looking at the traffic going by -- who owns which machine.
Baltimore: Brian: I really broke out in a sweat when I read (I think on your blog, not in the chat) that you do not do online banking. I have viewed banking online as a godsend for several years now when it comes to making sure bills get paid on time, but now I am a good deal more nervous about it. Can you explain the reasons for your reluctance? Thanks.
Brian Krebs: Happy to do that. First off, I don't want to frighten anyone away from banking online. As you say, it's a huge convenience.
I should clarify that statement a bit. The wife and I DO check our balances occasionally online, but only from a secured, totally locked down machine that we don't use for much else.
Why? Having written about this space for so long, I'm constantly exposed to the worst that can happen. So, naturally I'm a bit paranoid about these things. But for the average user, I think a more sane approach is -- if you're doing all the things right from a security perspective (patching -- not just the OS but all the browser add-ons...Adobe, Quicktime, Windows Media Player, Flash, Java,etc -- but also running up to date anti-virus, avoiding risky installs, etc) you're *probably* fine.
But in my experience, the vast majority of people who use a Windows PC can't be bothered with one or more of those steps, and so eventually get something on their system that steals their data.
So I guess my point is this: If you're being appropriately careful with the security of your system, then you should feel fairly confident about online banking. If you can do your online banking from a Mac or a system that does not leave your local home network (i.e., not a windows laptop), then you're even more secure.
Honolulu, Hawaii: Hi Brian,
Microsoft recently released XP SP3. In reading their instructions to download and install, they recommend one disable the anti-virus software on the computer. I am leery of doing this. Do you think I should do this? BTW, I have NIS 2008 installed. Thanks...
Brian Krebs: Yeah, I'm going to have to update that SP3 blog post from the other day, where I said most people probably don't have to worry about the Service Pack borking their systems. I didn't have any problems updating two different XP machines, but judging from the comments in that blog post, I may have been the exception.
News-for-nerds site Slashdot also points to two other news outlets that are reporting user complaints of problems after installing Service Pack 3.
My revised recommendation: Avoid installing Service Pack 3. It's not clear what benefit -- if any -- Service Pack 3 brings to XP users who have been staying on top of security updates. My motto: If it ain't broke, don't break it.
Hudson, Mass.: Hi Brian,
I have AVR, SpyWare Blaster and Ad-Aware all sitting there using cycles and taking my attention at least now and then. How do I assess that these are worth it?
Brian Krebs: Do yourself a favor, Peter. Consider running your system as a limited user (HAHA! you thought I was going to get through an entire chat without mentioning the limited user account, didn't you dear Security Fix reader??) You can then feel free to uninstall those anti-spyware programs, b/c I can virtually guarantee they won't find anything.
If running as limited user is too drastic for you (some programs simply don't work correctly or require tweaking under a limited user account), then read my column from a while back on Drop My Rights, a program that lets you run specific applications in the least-privileged user status while still running the overall operating system as administrator.
Nashville, Tenn.: I'm so glad you're having this chat today, Brian! Just yesterday I downloaded the latest free AVG 8.0, intending to upgrade from version 7.5. I followed the directions but got an "incorrect configuration" error. Had to uninstall 8.0 and reinstall my old 7.5. I was congratulating myself on keeping the old 7.5 install file, when I noticed that it was only 17 megs as opposed to 8.0's 47megs! Wow. I'm a longtime fan of AVG, but I think this illustrates some (dare I say it?) Norton-like tendency to expand and take over my set. I hate to criticize anything free, but there were some explanations of the new "AVG toolbar" that made me think I'm better off without the upgrade. Have you tried 8.0?
Brian Krebs: Sigh. I don't know what happened with AVG. I guess they decided the free version was eating too much of their lunch that they needed to add everything but the kitchen sink (I haven't tried 8.0, to answer your question). But your criticism is right on, and I've heard it from many people and seen the complaints on various user forums. Symantec's products almost always take the cake in terms of complaints about slowness and bloat in this chat, but I've received at least 4 questions/complaints about AVG's latest version from different readers already in this chat.
What's going on, AVG?
Knoxville, Tenn.: After installing SP3, my IE6 desktop shortcut disappeared and I could not find iexplore in the Internet Explorer folder. It now turns up in Windows-ServicePackFiles-i386.
Why has SP3 rearranged my IE6?
Brian Krebs: Weird. I have no idea why SP3 messed up your IE6. But maybe SP3 did you a favor and you just don't know it yet. My question is: "What the heck are you doing still browsing the Web with IE6????"
If you're going to use IE, at least use IE7. My advice would be to ditch IE in favor of almost any other browser. ActiveX and a lack of easy ways to manage Javascript in IE are two reasons I recommend Firefox (+ the noscript add-on) over IE 10 times out of 10.
Falls Church: I do all my online banking and purchasing on a system running Suse Linux and Firefox. I keep the OS and browser updated. Am I fooling myself thinking this is safer than Windows or the Mac OS?
Brian Krebs: I would say you're considerably more safe than anyone using Windows. That doesn't mean you can become complacent about patching, though, as there are plenty of threats around that will happily compromise a Linux box, as I'm sure you already know.
Olney, Md.: Hi Brian - I have a home built - AMD Skt 754-3200, 2M Ram, 3-160 G Hard drives that are multipartitioned, XP(SP2), Avir Premium, Norton System Works-Basic, limited user accounts, and Secunia. You weren't able to recommend a good defrag/registry cleanup software last year. I found and use Norton SystemWorks basic, since that does not include Symantec's anti virus - I like Avir much better. However, Norton's performance is still not great. Sometimes takes two or three tries to completely defrag C:-. Any other suggestions for good defrag/cleanup utility software? Thanks and keep up the good info.
Brian Krebs: Thanks for circling back with the question, Olney. Yes, since then I've had the chance to try a free tool called CCleaner, which does defrag among many, many other things to clean up clutter on a Windows system. Check it out here.
Arlington, Va.: Brian,
I have switched to a limited user account on the laptop I use to do the vast majority of my web surfing. I did that because Drop My Rights just didn't work on Firefox. However, I have to use my admin account whenever I want to update my iPhone or iPod because that is where the library is located. I cannot seem to move the library to a shared file. I tried moving the entire iTunes folder into a shared folder and then going into iTunes preferences to change the pointer, but it wouldn't connect.
Brian Krebs: Please drop me a line with your contact info at brian dot krebs at washingtonpost dot com. I had this same exact problem and it took me forever to figure out how to fix it, but I did. I just can't remember how I did it at the moment.
Sibu, Malaysia: Does Windows XP SP3 make a PC significantly safer than one with SP2 installed?
Brian Krebs: No. See my response to a similar question above. Due to the problems many people are reporting after installing SP3, and given the relatively limited benefit of installing this service pack, I'm recommending that people not install SP3 for the time being.
Chicago: Hi Brian,
I run XP Mediacenter on my laptop. I never hook up to a wireless connection and use Webroot Spysweeper with antivirus plus Norton Internet Security. When I check for email, I have to turn off my Norton firewall. For those few seconds, how vulnerable am I to attacks? My ISP says I don't need Norton since I have Webroot. Your opinion? Thanks for taking my question.
Brian Krebs: I'm confused. You have to turn off Norton's firewall every time you want to check your e-mail???? That's the craziest thing I've heard all week. Think maybe it's time to get a less insane firewall? Try ZoneAlarm or something else, but I'm sorry...I wouldn't put up with that at all.
Unless you bought the super-duper version of Webroot (anti-spyware + firewall), it does not have a two-way software firewall built in.
My unvarnished opinion: You have two of the most bloated security software titles on your system.
Laurinburg, N.C.: I live in the suburbs of a small town. I keep any neighbors from logging on to my wireless (MAC filter) but I don't use encryption because I don't want to slow things down. I figure, what's the chances that someone out here is going to have the equipment to get my info from the air. Am I living too close to the edge?
Brian Krebs: For the uninitiated, the MAC address refers to an alpha-numeric sequence that uniquely identifies the network card in your computer. Most wireless routers allow you to limit access to a pre-defined list of MAC addresses, as a way to restrict access to the network to only those machines you know and trust.
This is a great idea, in theory, but it doesn't make for great security in practice. MAC addresses are broadcast over the network, so anybody who can intercept the wireless signal -- that is, anyone within range of your router -- can also see the MAC address of any system connected to your network. It is trivial to change your MAC address and spoof the address of a machine already connected to the network. This will usually result in the legitimate user getting disconnected from the network, while the imposter's machine steps in.
So, short answer -- Yes, you are living close to the edge, as you say. MAC address filtering is fine as part of an overall encryption and security setup on a wireless network, but MAC filtering alone isn't much security at all.
Brian Krebs: By the way, if you want to know your computer's MAC address, in Windows, click Start, then Run, then type cmd.exe. Then at the command prompt window type ipconfig /all. On a Mac, you can find your MAC address by opening up Terminal and typing ifconfig.
Brian Krebs: I'm out of time, here, people. Thanks to all who stopped by to read or ask a question. Please join us again in two weeks, and until then consider making it a habit of dropping by the Security Fix blog regularly.
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.