Security Fix Blogger
Friday, June 20, 2008 11:00 AM
A transcript follows.
Brian Krebs: Good morning, Security Fix readers, and Happy Friday! I'm going to dive right into the questions...please remember to be as specific as you can about any error messages, installed security software, etc. in your queries.
Helena, Mont.: Is the information entered prior to a secure site being completely loaded still safe? When a secure page is loading, where does the information go if you enter text in dialogue boxes prior to the page being fully loaded? For example, if you log into your online banking site and enter your username prior to all site components being loaded, is that information still secure? Often pages will have default starting points. After beginning to enter information, the page will set its default prompt in its set location.
Brian Krebs: Generally speaking, if you enter data into a form or field on a web page and you do not see an https:// in the address field of the browser, the information is sent in clear text.
That said, for a while many banks -- in the interests of having their home pages load faster and to save a little money -- have changed their landing pages to be http:// and only switch over to https:// when a visitor starts to enter a password.
As I've written before, this is a very, very confusing practice for the user who's been trained to look for the https:// and padlock icon before submitting sensitive data. Quite recently, a number of banks have moved away from this practice, and have gone back to encrypting their home pages instead of just one corner of the home page or waiting for a visitor to begin entering their username or password.
You should rest assured that as long as you typed the URL of your bank in your browser or got there via a bookmark, when you transmit data to them it will be encrypted (now, the security of YOUR PC is another matter). But as I said, far too many banks still do this ole switchero on http and https that confuses consumers.
Arlington, Va.: Do you have any thoughts about free AVG 8.0? I downloaded it a few weeks ago and like it because it just stays in the background, as compared to AntiVir or even AVG 7.5.
Brian Krebs: Yes, I played with it for a few days on one machine I have. It's not bad as far as free software goes, but it could be a LOT leaner, and a small amount of tweaking can really make a difference in how the program performs, how much system resources it uses, etc.
Back when I was testing AVG 8.0, I stumbled across this tweaking advice at DSL Reports' Security Forum, and found it to be very helpful. Your mileage may vary.
Washington, D.C.: Is there any benefit to having two different anti-virus programs installed, like Clam and AVG? Or would they interfere with each other?
Brian Krebs: No, with a caveat. But almost always, no.
Anti-virus by its nature tries to be the gatekeeper on the system: it watches things coming onto the system, leaving the system, etc. It hooks into system processes, it looks at content on Web pages, and on and on. These processes take CPU time, memory and other resources. Having two anti-virus programs running at once is at the very least asking for your system to slow to a crawl. At worst, each could identify the other as a potential threat.
The caveat is that some anti-virus programs are on-demand scan only. That is, they don't load when Windows starts up, and they don't do "real-time" protection. So you mentioned Clam - I think they have an on-demand file scanner that doesn't do real-time protection. If you felt you really wanted that, I don't see the problem with it, but it's probably overkill, IMHO.
Remember, this is no substitute for being vigilant and smart, and avoiding risky behaviors. Don't click on links in emails and IMs that you weren't expecting, and don't open unexpected e-mail attachments either.
You want to be really safe? Run your system using a limited user account or set up your most-used Internet-facing applications to run under something like Drop My Rights; both approaches limit the programs you most commonly use from being used to make important changes to the system.
Washington, D.C.: How can I tell if my crappy three-year old Dell is simply slow and old or if it's been compromised and is a "zombie" computer? I'm a technical neophyte and I'm too cheap to buy much of a fix.
Brian Krebs: You might try running various online anti-virus scans against it. Microsoft has a free scanner, and most of the anti-virus companies offer free scans that remove anything they find (stay away from Panda, which apparently now charges you to remove what it finds).
The tough part about judging the security of a PC that hasn't been well-maintained is that today's malware is extremely adept at hiding, and at fooling security software that is installed on the system into thinking everything is okay. Unfortunately, in those cases, you really need a third-party opinion, either by inspecting the hard drive while booted into another operating system, or using something like an online scanner.
Have you considered just re-installing Windows and setting it up securely from the start? Installing Firefox, patching, keeping up to date with third-party patches, perhaps with a tool like Secunia Software Inspector; running important key Internet-facing programs under "Drop My Rights" or a limited user account (see links in answer above); using some/any anti-virus software and firewall, even if it's just the built-in Windows firewall.
Alternatively, if you don't do much beyond checking e-mail and browsing the Web, consider installing another operating system: Debian and Ubuntu are great choices, and are very easy to use and include auto-updating features. Also, there are plenty of "Live CD" versions of Linux, bootable operating systems that run entirely from the CD-ROM.
Silver Spring, Md.: Brian, I need somewhere to vent and seek some advice. This has been a HORRIBLE month for updates that completely ruin the software.
The forced switch from AVG 7.5 to 8.0 destabilized my Vista laptop; it would lock up whenever I tried to enter sleep mode, to where it would neither sleep nor wake up. Only a cold reboot would fix it, until the next time I wanted to sleep. Uninstalled AVG 8.0 and switched to Avast, and now the laptop works again.
Now Memeo Autobackup had another version "upgrade", and so far the only differences I've seen are that it (a) lost one of my two backup plans and refuses to re-add it, and (b) just ignores the other backup plan and won't actually copy changes to my external drive. Oh, and it now also constantly uses the CPU and leaks memory so that it sits there with 700MB allocated. (Firefox, in comparison, only grabs 100MB). Company tech support is not helping me at all, and I see many other users complaining on their forums with similar problems.
This is ridiculous. I'm a software developer, I know bugs get out, but both of these are completely inexcusable. Just like I ditched AVG, I now need a different backup program that actually works. Is there anything that you can recommend?
Brian Krebs: I'm sorry to hear about your troubles, but I know the feeling. I have myself been feeling like all the technological beings in my life have been acting up this week, and at least one software upgrade of mine went south.
To your backup question, I have been an Acronis True Image ($30) user for many years now. I would not say the program has been entirely free from problems, though. However, I have found that as long as I have the latest version of the backup program installed (and the latest version of the boot disc burnt to a CD), then the software works like a charm. I use Acronis True Image to make whole and incremental backups of my drive and key data. I also use Acronis Disk Director to occasionally resize some of the many hard drive partitions that I have.
Croton on Hudson, New York: I have a 5 or 6 year old Dell laptop that someone else wants to use. I want to completely erase its drive, but I'm confused by what I read about this. Any suggestions? (please note that the Dell no longer connects to the Internet).
Thanks very much,
Brian Krebs: There are a few good, free options for erasing data from a drive that you want to re-use. The two I've used before are: DBAN (stands for Darik's Boot and Nuke).
There's also Secure Erase, which I have used with success on a couple of hard drives I gave away/sold.
Bethesda, Md.: Brian, on a PC using Windows XP Professional I downloaded and installed Internet Explorer 8 Beta. I've been having problems with it. How do I switch back to IE 7?
Brian Krebs: Unless I am missing something, you should be able to go back to IE7 by going into the Control Panel, then Add/Remove Programs, and uninstalling IE8 Beta from there. After uninstalling, reboot. Please let me know at brian dot krebs at washingtonpost dot com if that did not work.
Cottonwood, Ariz.: RE: Firefox 3.0
I was reading a blog from our Channel 3 website just now: http://www.beloblog.com/ProJo_Blogs/shenews/archives/2008/06/i_mentioned_las.html
Apparently she does not like Firefox. I love it. What worries me is she says that Firefox 3.0 may be the last release. Say it ain't so please. Thanks much.
Brian Krebs: Hi Dave. I think that author was mistaken. I don't believe Mozilla is going to just give up on Firefox. Quite the contrary. They seem to have gotten nearly 10 million people to download this latest version of Firefox in a single day, and that's saying something. Firefox is here to stay.
I have to say that while my experience with the release candidates of Firefox 3 has been great, my experience thus far with Firefox 3 as released this week has been less than stellar. Firefox 3 crashed so many times on my XP Pro machine yesterday that I had no choice but to uninstall it and revert back to FF184.108.40.206, just so I could get my work done.
I love the look and feel of FF3, and it certainly uses quite a bit fewer resources. But as cool as it is, I get the sense that this release was rushed a bit and as a result this release maybe wasn't *quite* ready for prime time.
Frederick, Md.: Long tale but here goes:
Lexmark all-in-one printer attached to the basement computer, Windows XP, Dell Dimension 4600, 4 years old, up-to-date with SP2 and appropriate antivirus, firewalls, etc. (had a Dell printer attached at one time) finally crapped out altogether after the scan function quit months ago. I buy an HP all-in-one and have trouble with the software installation. Can't get past a print spooler error. HP Tech support spends 3 hours on the phone with me one evening, mucks around with the Registry Editor and finally installs the software, and the printer and internet connection work fine. Hindsight, probably should have restarted, because trouble started the next day. Turn the machine on, printer works fine, but no internet connection. Hmmmmm, I say, ain't that odd. Continued restarts produce the same results. I unplug the printer, restart, and the internet connection comes alive again. Plug the printer back in and the system won't recognize it, so I attempt to re-install the software, only to get stopped halfway through with the same print spooler error message.
Next day, HP tech goes through similar attempts for another 3 hours, same results: printer works, internet doesn't; unplug printer, internet works. Tech thinks some bits of info remain from both old Lexmark and Dell printers, so after hanging up with him, because the printer software installed successfully through remote access, his job is done. HP printer is immediately disconnected, software removed, registration deleted, internet connection is perfect. I returned the printer to Best Buy for credit, and we'll just take any files we want to print from the downstairs system, which now has no printer attached, put them on a memory stick and print upstairs on the perfectly-working Dell printer. I try to remove both Lexmark and Dell printer software from the basement computer through Control Panel-Add/Remove Software. Lexmark removes fine. I try to uninstall the Dell software using the install disk and all seems to work OK. When I try to use Control Panel-Add/Remove Software on the old Dell software, an error message pops up: #BuildTemplateErrorMessage# exactly as you see it typed. And the removal is unsuccessful. It's not bothering anything as the computer, internet, all other programs, etc. are working peachy.
I tried a Google search, but it led me nowhere. I'm only concerned that should I try to install another printer/software (won't be an HP, I promise you that!) there could be some interference of some type. Any idea what this means? I'm guessing something in the mucking around in the Registry Edit process created the error. Any recommendations? Thanks, and sorry for being long-winded, but the saga was long too.
Brian Krebs: Ugh. What a saga. Not quite sure if this will help your case or not, but Microsoft makes an installer cleanup utility that is designed to clean up after programs that do not install/uninstall cleanly. Download it and instructions for using it at this link here.
Austintown, Ohio: Hi Brian,
I can't recall if it was you or someone else, but it was suggested that it was better NOT to run one's Administrator account with a password. I also can't recall the reason for this rationale. Since - following your advice - I run a limited user account, I prefer to use a password with my Administrator account so I can use the "Run as..." feature to avoid switching/logging off to my Administrator account when necessary. I wonder what your thoughts might be on this? Thanks.
Brian Krebs: If you're on a network with Windows XP and your account does not have a password assigned to it, by default it cannot be used to log into the machine remotely over the Internet or the local network. With accounts that do not have a password assigned, you must be physically in front of the machine to get in.
Microsoft says you should consider using a blank password (no password at all) only if the following conditions are true:
-- You only have one computer or you have several computers but you do not need to access information on one computer from another one
-- The computer is physically secure (you trust everyone who has physical access to the computer - like your family members)
The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.
Arlington, Va.: I have read that cell phones can turn into eavesdropping devices, and that the only way to prevent this is to remove the battery. If this is correct, how does anyone with an iPhone do so since you cannot remove the iPhone battery? Is this a real concern, especially now that Apple is going to allow people to write software for their iPhone?
Brian Krebs: Obviously, having a phone that has a full-fledged operating system on it makes it a tempting target for attackers. Add high-speed or 3G connections, and you're practically painting a target on it.
That's a bit overstated, really. The threat to mobile phones has been hyped but not really materialized over the years. Now, it is true there are applications out there designed to let people eavesdrop on mobile communications from afar. But generally, these spy apps are installed in one of two ways: the user is tricked via e-mail or IM into clicking on a link or installing some nasty software, or the eavesdropper has physical access to the device he wants to eavesdrop on and installs it that way.
Will people write applications for the iPhone that do more than what they advertise, allowing attackers to disguise their spy programs as something innocent? If history is any teacher, it will happen eventually. Is it something to lose sleep over? I really don't think so.
West Des Moines, Iowa: I work for one of the largest banks in the United States and yesterday we received a corporate email stating we may receive an email from classmates.com with a subject line of "You have one new message - Classmates." Tech support tells us to call them if we do indeed open the email. Could this possibly be an online threat from an outside source other than Classmates or an in-house security risk?
Brian Krebs: Wow. I certainly haven't heard of a specific threat (social engineering or otherwise) that makes use of Classmates.com or pretends to be a Classmates invite, but that would be a very smart ploy.
So, if West Des Moines' info turns out to be rooted in truth, remember YOU HEARD IT HERE FIRST, PEOPLE!! :)
Cottage Grove, Ore.: Regarding e-mail privacy: I understand e-mails sent by the Blackberry can send a read or received confirmation back to the sender. Does this work only if the recipient is another Blackberry, or also for web-based mail (e.g. Yahoo mail) recipients?
Brian Krebs: I don't know, and our in-house crackberry experts didn't know for sure either. But I'd be willing to bet that it is the Blackberry server that handles the receipt and transmission of delivery receipt requests, not the recipient's email server, be it Yahoo or Hotmail or Blackberry. In other words, e-mail receipts are a pretty standard communications technology, so it shouldn't matter whether the recipient is a Blackberry user or they read the e-mail with their Hotmail account.
That said, there is no way to prevent the receiving computer system/email server from making the message available to the recipient without issuing an acknowledgment to the sender. That, and the recipient generally needs to approve the sending of a return receipt.
re: Firefox 3: In support of Firefox 3, I've been using it on my Mac Powerbook since release day and have had no problems. It definitely seems to run a little faster than Firefox 2.
Brian Krebs: More feedback on FF3.
Prince George's County, Md.: Ack! My Spy Sweeper has detected a Trojan. And every time I attempt to quarantine it my computer locks up. What's a girl to do?
Brian Krebs: Go into Spysweeper logs and write down the location of the file in question. Then shut down the machine. Unplug your system from the Internet. Reboot, and immediately hit the F8 key repeatedly, until you see a screen asking what you want to do. Choose Safe Mode. When you get to the Windows desktop, open up Windows Explorer and navigate to the folder where the Trojan is located. Find the file, delete it. Empty the virus vault and recycle bin. Restart. Run a full system scan, and hopefully that will have fixed the bugger.
If it didn't, the nasty Trojan may be working in tandem with a rootkit. Check out F-Secure's excellent and still-free Blacklight anti-rootkit software.
Brian Krebs: I'm out of time, folks! Thanks to all who dropped by to read or to send us a question. Please join us again in a couple of weeks for another Security Fix Live. In the meantime, consider making it a habit to visit the Security Fix Blog regularly to stay abreast of the latest security news, tips and warnings.
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.