Security Fix Blogger
Friday, May 23, 2008 11:00 AM
A transcript follows.
Brian Krebs: Good morning, Happy Friday, dear Security Fix readers, and thanks for joining me today for another Security Fix Live. I'm rather impressed with the number of questions we've got already given the holiday weekend (in the US) ahead of us, but don't let that discourage you from popping a question in the hopper. Please remember to be as specific as possible about your system setup, installed software, any error messages, etc., as those details help enormously in answering your questions.
San Diego: What should you do to reduce the risk that your keystrokes on the computer keyboard might be transmitted to an identity thief as you enter passwords and personal identification information at a website?
Brian Krebs: Here are a few things you can do:
1) Use any other browser besides Internet Exploiter.
2) Run your browser of choice under "drop my rights" (see here for tips on how to do that)
-- or -- run your whole system using a limited user account (see here for tips on that).
3) Use a free program like Snoopfree, which looks for anything trying to hook/spy on the keyboard.
4) Be very judicious about the software you install on your system.
5) Keep your operating system and third party software programs up to date on security patches (Secunia's online scanner can help with this. The online scanner requires you to have Java installed, which brings its own security headaches, so if you'd rather not install Java, try the installable Personal Software Inspector program, which makes this process somewhat less tedious/painful).
Falls Church: Brian,
How vulnerable is a computer that is on and connected to the internet via a consumer router but not being actively used? I'm thinking of the times where I'm doing a clean install of XP and my "internet usage" consists of downloading updates from Microsoft prior to the initial installation of any type of antivirus (which does require downloading from the vendor site).
Brian Krebs: Not very vulnerable at all. A router will stop incoming, unsolicited traffic from finding/entering/attacking your PC. While it does nothing to stop programs that are already on your machine from accessing the Internet (this is the job of a software firewall, like ZoneAlarm or Kerio or Comodo), it's an essential line of defense for any Windows user.
Uptown D.C.: Our home network is a hard wired ethernet router with 4 computers (all WinXP Pro w/SP2), two printers and a cable modem.
Each computer runs AVG's free Anti-Virus and Anti-Spyware, and Windows Defender.
My question: with AVG going to a paid mode, I might as well take the opportunity to change/update everything. You've mentioned alternative free anti-virus programs, but I'm not sure what to do about the others.
Suggestions or recommendations?
Brian Krebs: Not sure what "pain mode" means. Does it mean AVG is acting up/being sluggish? You also didn't mention whether you're running a software firewall. If not, see the post above for recommendations there.
If AVG is acting up, I'd wholeheartedly recommend the free Avira/Antivir software.
Consider running your internet-facing apps, e.g., browsers, IM software, etc. using drop my rights, which runs the respective programs in limited user mode (i.e., no rights to install software on your system, so any exploits that try to attack vulnerabilities in those programs while you're using them online will most likely fail).
Silver Spring, Md.: How do I secure my wireless router (D-Link) using Windows XP?
Brian Krebs: See these wonderful tutorials/videos from GetNetWise on how to secure your wireless router. The instructions include specific step-by-step for your D-Link router.
Anonymous: Last Saturday morning, I opened my computer to find a persistent pop-up that said the computer was infected with a Trojan, and that I should click on the balloon below to download a security software to rid the computer of the Trojan. When I tried that, my McAfee contract kicked in and said this is a dangerous site known for spyware and other malicious software. After several attempts to try and close the persistent pop-up, I turned to Google and did a search that led me to a Microsoft help number. I called them, and three sessions later, by noon Sunday, had the pop-up fully removed. The first attempt got the balloon to close. The second attempt removed the persistent pop-up, and on the third session with an override from Microsoft, they sifted through all the temporary files to find the traces of the Trojan. The computer now seems free of the Trojan. My questions: (1) Wouldn't my McAfee contract find the Trojan initially so it couldn't seat the balloon? and (2) is it safe to allow technicians from Microsoft (from India and the Philippines respectively) to override control of my computer to rid it of the infection? My computer is now clean, but I worry that I might have sacrificed something with the override.
Brian Krebs: Your system was attacked with "scareware," which uses tiny dropper Trojans to place software on your system that tries to scare you into paying for their crap software to remove (usually) non-existent threats on your machine.
That said, this should be a lesson. You didn't say, but I'm going to bet dollars to donuts that you're running Internet Explorer as your browser. Run, run away from IE, now. Use Firefox, Opera, anything but IE.
When you've installed an alternative browser, configure it to run in a limited user mode using "drop my rights" (see link in an answer above).
Anti-virus software is not always going to catch threats; these companies are having to deal with tens of thousands of new threats each day, and when it comes to so-called "zero day" threats -- exploits for vulnerabilities no one knew about before -- their detection of these threats is dismal (see my post Don't Depend on Anti-virus to Save You and the related story linked in that blog post for an idea of the scale of this malware glut).
What's more, while anti-virus software often detects scareware and spyware/adware, it hasn't traditionally done a great job in this area. Hence, many people rely on additional anti-spyware programs to help with the job. But if you take my advice and run your main internet-facing apps under a drop-my-rights approach -- and start using a non-IE browser -- I think you will find that you no longer have to deal with adware/scareware/spyware.
If you contacted Microsoft to help you out (and not the other way round) I wouldn't worry too much about it. The "override" you speak of is probably your allowing them to remote control your PC for a short time to get rid of the threat. Most modern remote tech-help services rely on this method now.
Chantilly, Va: Brian,
Thanks for recommending Avira anti virus. Not as big a resource hog as AVG was. However, the popup trying to sell the pay for version is ominous and annoying. Saying stuff like someone is trying to hack your computer as we speak.
I know I got it for free, but they could lighten up on their pushy pop up ad. Comes up every day when it does the file update.
Brian Krebs: Yeah, the nag screen/popup is annoying, but then again the software is free.
Nashville, Tenn.: ZoneLabs has a new product, ForceField, that just came out of beta. It turns your browser into a virtual browser, supposedly immune from keyloggers and from infected sites that download malware without your knowledge. I have been using it in beta and now the production version and it seems great.
What I would like to know is, are you familiar with this product and are there any independent security groups that have tested the validity of the claims that ZoneLabs makes for this product.
Brian Krebs: I am NOT familiar with this product, but I plan to be soon. However, if I had to guess I would say that ZoneLabs is merely doing what I've told countless other readers in this chat and elsewhere to do with browsers and other 'Net-facing apps: Run them under a limited user mode (for instance, with drop my rights; see link above, again).
Hate to sound like a broken record here, folks, but most of the malware out there today depends on the user running their OS/and/or Internet-facing apps like the browser under the all-powerful administrator account, which has complete rights to change vital system settings, delete files, etc. Run your system under a limited user account OR set up "drop my rights" for your most-used apps, and rest easy.
Fairfax, Va: Brian,
I downloaded Firefox just to see what everyone was talking about. I'm not impressed with the looks. So totally looks like IE. Or Netscrape, for that matter. (that wasn't a typo). It doesn't really have any great looks about it, and it isn't a mail client.
Maybe I'm spoiled by using Opera for the past 7 years, but I just don't see what's so great about it, other than ANYTHING is better than using IE.
Brian Krebs: I can't decide which group is more nuts -- the Apple Mac fanatics (don't get me wrong, I love my Macbook and I recommend them to anyone who's thinking of buying a computer) -- or the Opera enthusiasts.
Your mileage may vary. The poster was asking about security -- not which browser wins a beauty contest (and you'll note, I did mention Opera as a decent alternative to IE).
Centerville, Va.: Brian,
I am new to Vista and confused about the need for the use of limited-user-accounts. It seems that Vista will not let anything happen without my permission. Can you clear this up for me?
Great column, thanks.
Brian Krebs: Yeah, Vista's main security feature is something called User Access Control, which essentially and some would say "annoyingly" asks for permission every time you want to do something significant on the system, such as change settings or install software. But all a user has to do is click okay, and the OS happily allows the user/process to install software.
Apple has the correct approach, which Vista lacks, IMHO: when the user/browser/program/whatever wants to install software, it should require the user to enter their password first. This seems like a small distinction, but Vista's UAC asks for permission for so much stuff beyond installing software that I fear many users simply grow accustomed to clicking "yes" all the time no matter what's going on. If the user had to enter a password mainly for installing software on Vista, I think that would probably make users think twice about what's really going on, particularly when they didn't request a software install. Maybe I'm giving the average user too much credit. Nonetheless, Vista does a poor job of explaining what's going on when users see the UAC pop-ups.
Annapolis, Md.: What are your thoughts about Linux SE? For typical home or business user who is very concerned about security, are the results worth the extra effort required to configure a Linux SE system? Thanks.
Brian Krebs: SE Linux (Security Enhanced Linux) is an ultra-secure version of Linux that was developed by spooks at the NSA. Its main feature is that every single process runs in its own little box and has no authority to impact the operation of any other process on the system (this is WAY oversimplifying things but I'm pressed for time).
I wouldn't recommend SE Linux for anyone but the more seasoned Linux users who are already familiar with the OS. That said, it is VERY secure: The code has been rigorously reviewed, and only a handful of security flaws have ever been found in it, to my knowledge.
Alexandria, Va.: The poster wrote "paid mode," not "pain mode." I guess AVG is going to be charging for security.
Brian Krebs: Apologies.
Fairfax City, Va.: Hello, Brian. I'm on a limited income and have not bought any virus or security protection for my 3-year-old home laptop, which came with basic Norton Antivirus protection that supposedly has expired. Norton constantly sends me annoying pop-ups telling me to re-subscribe but, at the same time, indicates it is doing a virus check (never finds anything). I have Windows XP, use Mozilla Firefox as my search engine, and I'm stuck with Cox as my Internet provider. So far I've managed most computer slowdowns by deleting cookies. Do I need to buy virus or security protection? Thanks!
Brian Krebs: Okay, first off, Norton isn't finding anything probably b/c your anti-virus signatures are 2.5 years old. Anti-virus mainly works by regularly downloading signatures, which are tiny snippets of code taken from malicious software. It then scans each file on the system for evidence that those signatures show up as attached to or embedded in any files/folders, etc. Without the latest signatures, anti-virus software is essentially useless.
Do this. Uninstall Norton. Reboot. Download and run Norton's uninstaller tool to clean up any remaining components.
There are several free anti-virus programs available. Anti-vir/Avira as I've mentioned before is a good one (if you don't mind the occasional nag screen).
Side note: I seriously doubt that cookies are slowing down your system. Download/install one of those free anti-virus offerings and run a complete system scan before you do anything else. Then see some of my advice above about "drop my rights".
Newllano, La.: AVG 8 has a free virus checker http://free.grisoft.com/ww.download?prd=afe
Brian Krebs: More free AV advice.
Pittsburgh, Pa: Brian,
Any suggestions for securing my wireless network ? I have a Linksys router and one pc and one laptop. I have the wireless part secured by a password, but wonder if there is more that could/should be done. The laptop is XP and the pc is W2K.
Brian Krebs: Yes, the instructions I mentioned in an answer above link to some great video tutorials on securing your wireless router (they include instructions for Linksys). See this link here.
Orlando, Fla.: Hi, Brian!
Am I so safe that my home network won't work?
My little LAN is simple - a DSL cable into a Netopia modem which in turn is connected by cable to an AirLink wireless-g router. Three computers, all running XP Pro, share the router as a hub: a desktop connected by a cable and an Ethernet card and two laptops connected by AirLink cardbus wireless-g adapters. I use the router's firewall, XP's firewall, AVG Free anti-virus, and WPA encryption for the wireless connections. All of the machines run as "user" rather than "administrator" and none of the user accounts are passworded.
This humble rig runs just fine for the independent use of the internet by the three machines and regular scans have found no evidence of any intrusions.
My problem is that I cannot configure the computers to transfer files between themselves using XP's "My Network Places" file sharing protocol. I can see all of "My Network Places" on each of the three machines, but I'm blocked from moving files between them. I have read every Microsoft "knowledge base" document on XP file sharing, sharing is enabled on all three machines, I have tried every combination of sharing settings for user, machine, and workgroup, and I still get "Access denied" when trying to move or copy files between "My Network Places."
A techno-buddy suggested I disable the router firewall and/or the XP firewalls and/or the wireless encryption and/or the anti-virus, but I don't think I want to forfeit those defenses in the internet jungle. Am I doomed to transfer files with a flash drive forever?
I value your advice and will appreciate any suggestions of how to make my little home network more flexible and gregarious within itself but still safe from the baddies outside.
Thanks for the blog and the chats.
Brian Krebs: The router is not your problem, and neither is the anti-virus software. You can try temporarily disabling the firewalls on the systems, but doubt that's the problem either -- UNLESS....unless, you haven't enabled the "file and printer sharing" exception in Windows Firewall. See the "exceptions" tab, and make sure there's a check box next to that (it's not checked by default).
Second, you need to make sure all computers that you want to be able to share files are using the same Workgroup. In Control Panel, open up System, then click on the Computer Name tab. Most XP systems are set to MSHome I believe, but depending on the options you chose when you set up XP, it may be different on your system. Anyway, just make sure they all have the same workgroup name (click "change" to make that change), and then reboot the systems.
Then you will need to enable file-sharing on specific folders you want to share. I'd recommend that you NOT share the entire drive. If you want to share, say, My Music, then right click on MyMusic folder (you must do this using an administrator account), and select Sharing and Security, and then Share this Drive. Once you do that, the PC should set the permissions, and then you *should* be able to see the shared folder in My Network Places.
Charlottesville, Va.: Are programs that store all your passwords so that all you need remember is the one password that will give you access to all the others safe?
Brian Krebs: Yes, provided you pick a strong master password. I have recommended a few of these programs, in a post here.
Does the Web suddenly consist only of twelve-year-olds?
Brian Krebs: Haha. I hope not.
Sorry, but IE has earned that nickname. And Netscape (I've heard far worse bastardizations of that name, believe me) is no longer supported.
Brisbane, Australia: For those installing AVG 8 who do not want the "linkscanner" toolbar:
1. Open Start -> Run.
2. Enter the following (with your installer's filename):
c:\avg_free_stf_-.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
The installation will be started, and AVG will be installed without the LinkScanner component.
Brian Krebs: Nice, thanks Brisbane.
Re: Opera Enthusiasts: Brian,
I think you were a bit harsh on that poster. He, like anyone else, has found something that works well for him, doesn't have the issues that IE has, and well, he's happy with.
You should also recommend a better alternative to Outlook, which seems to take a lot of hits from viruses.
Remember, too much Microsoft is NOT a good thing.
Brian Krebs: "You should also recommend a better alternative to Outlook, which seems to take a lot of hits from viruses."
Happy to do that:
Atlanta, Ga.: Mr. Krebs,
Sometimes when I shut down my computer, a message pops up saying something like this:
"If you shut down your computer other users will be logged off".
I imagine it's because there is a hacker trying to steal my information.
Brian Krebs: I doubt this is because some intruder is lurking on your machine. You probably have multiple user accounts on your system, one of which in addition to your main account, is logged on to the system when you try to shut down.
I got this question a few weeks ago from a family member. They had created a separate account for each member of the family, and it turned out that two of the kids were logged into Windows when the parent tried to shut down the machine.
Baltimore, Md.: Brian: Perfect timing! I ran a deep system scan using Bit Defender Internet Security 2008. The report told me I had 10 instances of one virus on my system. (Compaq PC running Windows XP service pack 2, wired DSL connection through Verizon.) As the virus is in password protected files, BitDefender could not remove or quarantine. The problem is, I have no idea how to find these files. They are all tagged aol, which I still use as an e-mail address, accessing either through Explorer 7 or Firefox 184.108.40.206, not through the aol software.
#1, how worried should I be about something called "Trojan: Generic." And #2, how do I get rid of the darned things? I have cut and pasted from the BitDefender log to show what it found.
:\Program Files\Common Files\AOL\ACS\uninst.exe=>(NSIS o)=>lzma_solid_nsis0002 Trojan.Generic.268582
Brian Krebs: AV software often has trouble scanning or deleting password protected files. Just because there's a trojan on your system doesn't mean it's been totally compromised. Trojans are most often used to download other malicious software, but they aren't always a direct threat in and of themselves, particularly if your security software blocks the secondary download.
Have you tried simply opening up Windows Explorer and navigating to the folder in the Program Files directory, and then manually deleting the offending files?
Pasadena, Calif.: Over the last few weeks my computer suddenly received a slew of spam and was hit by a (not sure of spelling) Preskie Worm. I have not changed my browsing practices and I have used all sorts of wording in installing filters in my gmail to try to screen out the spam. My Avira (great program) managed to catch the worm in 161 places possibly just as it began to hit. Is mine a singular incident or has there been a surge in spam/virus attacks? Would a more inclusive counter-spam/virus package be warranted? Suggested programs? Your advice in the past has been sterling and I could use some now.
Brian Krebs: There is no more or less virus-laden spam of late. It's a pretty constant stream of nastiness. Was Avira able to remove all instances of infected files?
I mentioned this in a chat a few weeks ago, but Google has a compelling offering where they're making their recently-purchased Postini e-mail scanning/filtering service available to anyone for just $3 per year. Postini protects my inbox at work, and it does a good job of blocking spam and virus-laden e-mails. Mind you, you'll need to check the Postini inbox a few times a week to make sure good stuff you want to receive didn't get flagged -- which will happen from time to time (you can build exception lists so as to allow specific senders who get flagged to bypass the Postini filters).
Have you ever had (or heard of) a problem with unsubscribing from e-mails? For the life of me, I cannot unsubscribe from Dell's trash and there are several other companies who also ignore my unsubscribe requests (yes, I am following the unsubscribe instructions).
Brian Krebs: Yes, I have. Oftentimes, unsubscribe requests go unmonitored or are handled automatically by the company. In my requests (and NEVER "unsubscribe" or click on unsubscribe links in really spammy spam), I have always made it clear in the body of the reply message that this is my one and only request to be removed.
Some states have passed very strong anti-spam laws (Washington state and Virginia come to mind, but I'm sure there are others) that allow individual users to sue companies for monetary damages per piece of spam if a company ignores remove requests.
Brian Krebs: I'm very sorry that I can't get to all of the rest of the questions in the queue, but I'm out of time today, folks. Thanks to everyone who stopped by or submitted questions, and I hope this chat was helpful. We'll host another chat in two weeks, but until then please consider making it a habit of dropping by the Security Fix blog to stay abreast of security news, tips and advice (and the occasional rants).
Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.