Security Fix Live
Friday, July 18, 2008; 11:00 AM
Security Fix blogger Brian Krebs was online Friday, July 18, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
The transcript follows.
Brian Krebs: Good morning, Happy Friday, and thanks again dear Security Fix readers for stopping by for another Security Fix Live. I am late in getting started, so I'll dive right in. Please be kind: remember to include as much information as you can about your setup, installed software, error messages, that sort of thing. It helps me immeasurably in finding the most accurate answer to your question.
Naperville, Ill.: Brian,
I have a web page. The other day I tried to upgrade my web page by installing a new software that creates web pages. It seems that the new software changed the configuration of my computer that now I cannot open my web page. I can access the web page from any other computer except the one with the new software.
When I try to get access, I get this message: Waiting for res://ieframe.dll/dnserror.htm
I have installed the new software with no result. I tried to reset the computer to a date prior to the installation of the new software with no result. Any suggestion how to undo the damage?
Brian Krebs: I'm going to guess that your HTML editing software is not compatible with a patch that Microsoft issued earlier this month to fix a fundamental problem in the domain name service (DNS) built into Windows.
That patch was found to cause internet connection problems for users of Zone Alarm firewall products. ZoneAlarm has shipped an update that fixes the problem, but the Microsoft patch changes things at such an important level of the operating system that it's safe to assume that other software -- possibly your HTML editing software -- may also be prevented from working because of it.
There's one way to find out for sure: Open up Control Panel, Add/Remove Programs, and make sure the box next to "Show Updates" is checked. Then scroll down the list and look for an update called KB951748. If you see it, uninstall it, reboot, and then restart your HTML editing software to see if it works. If it does, you have found the problem.
Leaving the Microsoft patch uninstalled is probably not a smart long-term option, so you should consider visiting the site of the company that makes the software to see if has an update that fixes the compatibility problem? Failing that, maybe ask them if they are aware of the issue and can suggest an alternative workaround?
Best of luck, and please circle back to let me know if this fixed your problem.
Long Island City, N.Y.: I run Norton 360 on my Windows Vista computer. Sometimes when I try to run live update the program freezes and continues not to respond no matter how long I wait or what I do. The Task Manager will not allow me to end the process. In the end I have to restart the computer to get rid of it.
At other times, when I try to check for updates, I get a message that Live Update is already running. But if I run Live Update later, it will download any available update. I find it strange that the update was not downloaded when Live Update ran automatically earlier.
Both of the above occur when I try to check for updates shortly after turning on the computer. I spend a long time on-line every day, so like to check for updates at the beginning of each session But these situations tend to prevent me from doing this. Although they only occur occasionally.
Brian Krebs: Forgive me if I am misunderstanding the thrust of your question, but I have to ask.....why you feel the need to manually check for updates? Norton and pretty much every other anti-virus software is configured to automatically check for updates, often several times a day.
If you're unhappy with the frequency with which the program checks for updates, you can probably change that in the settings, but honestly it's not going to keep you any safer. Anti-virus software is useful, but it's not going to save you from careless or reckless behavior online. And for better or worse, AV software usually lags behind the latest threats by many hours or days, and no amount of manual updating is going to fix that.
Stormville, N.Y.: Hi Brian!
My cousin who has never made an entry in a forum or blog asked me to pose the following question for you: "I recently "googled" myself and, found several pages worth of information and MISINFORMATION about myself (I am a retired high-ranking Federal official). Also, while I was searching for a telephone number of a person I had lost contact with through the years, I happened on a web site that listed the person's name, address, telephone number, age and other information. Because I have an unlisted and unpublished number, I put my own name in and found out, also to my amazement, that my address, telephone number, age, etc. was noted.
Thus, I wish to know is there any way one can eliminate oneself from the various web sites on the Internet? Surely, at the minimum, how can one eliminate your own address, telephone number, if you have an unlisted number? I am sure there is no such way and privacy is now lost forever. Any thoughts on this?"
Brian Krebs: Without specific examples of which sites she's talking about....there are plenty of sites out there than catalog all kinds of public (and sometimes non-public) information about people, some offering it for free and others as an enticement for pay info search services. One could certainly try contacting those entities to see if they would respond to removing the data from their databases, but I seriously doubt that would be fruitful.
The question is, if the information includes merely, name, address, telephone, age, that information (in the US at least) is not really considered private data, so trying to get it removed from a myriad databases online is probably not the best use of your time.
However, when it comes to sites hosting information that is slanderous, libelous, incorrect or otherwise harmful to your reputation, there are a host of companies springing up to help people clean up their online reputations. Most of these companies charge a fee in exchange for services that mainly try to get negative information about their customers expunged from various Web sites by asking nicely. Some use other tactics, I'm sure. Newsweek recently ran a story about some of these companies. That story is at this link here.
blue grass, iowa: Brian, is it too late to upgrade my PC from Windows XP, SP1 to SP2? I think I read in your column that Microsoft no longer supports XP. If so, I couldn't get all the updates that have been issued for SP2. If I can't bring it up-to-date is it worth the bother?
Brian Krebs: Hi Jeff.
No, it's not too late to go from Service Pack 1 to Service Pack 2, but it makes more sense to go straight to Service Pack 3.
First let me set you straight on a couple of points. Microsoft still continues to support XP and will do so for at least another 3 years, probably longer considering its massive install base and customer loyalty to and familiarity with the operating system.
What you are referring to is the fact that Microsoft no longer ships updates for people running Service Pack 1 on XP. This didn't just happen yesterday, though. See this Security Fix column warning about this pending change back in *Oct. 2006*. This means that without SP2 installed, your system is missing dozens of vital security updates and is woefully behind in patches!
In addition to giving your system the ability to update to the latest patches individually, SP2 includes important changes in the overall security posture of the system, changes that block entire classes of security exploits. However, if you don't have SP2 installed, you can skip that and head straight to Service Pack 3, which is now available through Windows Update or directly at this link and includes all previously released updates for Windows XP.
Fairfax, Va.: Hello, Brian, thank you for taking this question about online credit card transactions. To abbreviate a long and abstruse conversation with my -Capital One credit card's "Fraud Protection Department," I was told that the 3-digit "security code" on the back of the credit card represents an "electronic signature" and that (in addition to card number, expiry date, and your name and address) it is required to finalize and authenticate an online -or, for that matter, telephone purchase. Supposedly, you can provide all the other information to the merchant but, if you do not provide the "security code," the transaction CANNOT be approved by the credit card. Further, this security code is to be requested by the merchant and provided by you only AFTER you receive the purchase summary information at the END of the transaction. If the code is requested BEFORE this, it could be a fraudulent merchant entity and you need to contact the credit card immediately and cancel your card, etc. Do you agree with this? Thank you!
Brian Krebs: That advice you received sounds half-baked at best, and expensive and inappropriately alarmist at worst.
The 3-digit number you're referring to is called a card verification value or CCV number. CVVs are supposed to be requested -- but not stored -- by online merchants because these are so-called "card not present" transactions, to verify that the person entering the credit card actually has the card in their hands and can flip it over and input that 3-digit number.
The trouble is that, in violation of the card industry rules, way too many merchants store the CVV values as part of their customer records. When those databases get breached, the bad guys steal those numbers in addition to the credit card # and expiration date. So the CVV's real value as an authenticator in a card-not-present transaction is pretty low, but online merchants can nonetheless protect themselves from excess chargeback fees if they request this number for the purposes of processing the payment with the credit card company.
At any rate, I've never heard that advice before, and for a credit card company to suggest that you should cancel your card if a merchant asks for the CVV during and not at the end (whatever that means) of the transaction is surprising to hear.
Just remember this: Shopping online with your credit card is pretty safe. For one thing, even if you DO shop at an unsafe site, the credit card companies are not going to hold you liable for charges you didn't authorize or if someone makes off with your credit card number (even if that includes the CVV). At most, you will be asked to pay the legal limit - the first $50 worth of charges -- but I've never heard of a case where the credit card companies even ask for that. Yes, having to get a new credit card re-issued is a pain and can take a few days. But that's nothing compared to the dangers of having your debit/bank card information stolen, which can cause bounced checks, attendant fees, and all kinds of other headaches.
Brian Krebs: My apologies. The SP3 download location is here.
Long Island City, N.Y.: Re my earlier posting, and your reply: I was concerned that although I get a message that Live Update is running automatically, if I run it again manually a very short time later (perhaps less than half an hour) an update may be downloaded. This has happened a number of times, making me suspect the effectiveness of the automatic update. My concern is why the automatic Live Update didn't download the update.
But, from what you say, I may be expecting too much from the software.
Brian Krebs: Ah. I'm not intimately familiar with Norton 360, but many AV programs will tell you the date of their latest updates if you merely hover your mouse over the program icon in the taskbar. Otherwise, you can no doubt find out the date of the most recent update by opening the program's control panel.
Washington, D.C.: I recently purchased a new PC running Windows XP to replace a 4-year-old PC because I didn't want to have to use Vista as the OS. Since the older PC is still in good condition, I've decided that I will teach myself Linux on it. So, here's my question: do I need to use anti-virus and anti-spyware software on a Linux system, or is Linux like a Mac, with very low vulnerability? Thanks!
Brian Krebs: Good for you. I guarantee you will learn a great deal in a short period of time if you take the effort to learn some fundamentals about how Linux works. A great all-purpose book that I reference quite a bit is O'Reilly's "Running Linux." If you'd prefer for a Linux that's more forgiving (i.e., changes are discarded on reboot), check out any one of hundreds of Live CD versions of Linux.
To answer your question, I don't believe you need anti-virus or anti-spyware software for Linux. However, just like Windows and OS X, Linux distributions ship security updates which should be applied as soon as possible. Some distributions, such as Ubuntu and Red Hat, make this an easier process than others.
Probably most important, it is vital that you learn and understand the use and role of user accounts on Linux systems, and only run as "root" for specific tasks.
St. Louis, Mo.: Windows XP Service Pack 3 is now being offered as an automatic update from microsoft. Have you modified your previous caution with regard to downloading and installing this program? I use XP Media center edition 2005 with SP2. Thanks, Tim
Brian Krebs: Nope. I still see no burning reason to upgrade to SP3 on Windows XP. Unlike Service Pack 2, SP3 doesn't add major changes that make the system fundamentally more secure. If you're keeping up to date with patches for XP, I wouldn't worry too much about not having SP3 installed.
The reality is that most people probably will experience zero problem in upgrading to XP3, as I call it. My upgrades went off without a hitch. But you might just be the exception to the rule. My approach has been, in the absence of a compelling reason to update, combined with the fact that you can still get regular updates fine, and that a non-trivial number of people have had problems with SP3, what's the incentive?
If you have a good system for imaging your hard drive and can create an known good image of the system as you have it (and know how to restore that image if things go south), then I say go for it. Otherwise, I ask again: Show me the upside.
Washington, D.C.: How safe are on-line data storage services? I think that off-site storage makes sense in the case of a fire or flood, but I wonder if the data servers could easily be breached or stolen.
Brian Krebs: Most of the big online data storage services I've seen or read about take security as their top priority because they recognize that people will simply not use the service if they think just anyone will be able to read their precious files. So, in most cases, the data storage services encrypt their customers' files with an encryption key that only the customer possesses. In that case, even if the database is breached or stolen, the data is of little use to the thief.
Reston, Va.: I bought a computer (using my credit card) from a major retailer. Behind the scenes and without my knowledge, the retailer utilized a contract with Verizon on their end to extend their marketing. Verizon identified me by an old phone number I had with them years ago at a different address, and their system send me a letter.
So, in the mail and thanks to postal forwarding, I get a letter from Verizon with personal information and a PIN.
You never know what these companies are doing in the background. Had the letter been delivered to my old address, the recipient would have a lot of info on me, plus a PIN with which to make future purchases.
Not a very secure system, and this is a system designed by banks and retailers.
Brian Krebs: Scary indeed, and part of a disturbing trend. Would you mind contacting me personally with your contact details?Your story would fit nicely into another piece I am currently reporting. I'm at brian dot krebs at washingtonpost dot com.
Stony Brook, N.Y.: How can I protect myself when traveling and using either my laptop or a hotel computer to connect to my university Lotus Notes email account?
Brian Krebs: You should be fine as long as the e-mail session -- both the login and the browsing/sending/reading of e-mail all takes place over an SSL connection. Be sure that for the entire session your browser is connected to your mail account via an https:/
The following scenario is not likely to come up, but if you happen to be on an open network and see an error message about an SSL certificate mismatch, that's a good sign that someone may be trying to intercept your communications by serving you with a fraudulent SSL certificate.
Baltimore, Md.: Re SP 3 for XP: My computer has an AMD processor, which is supposed to make SP3 problematic (sending your PC into endless reboots). So I wrote to Microsoft about this and, to their credit, they got right back tome with detailed--very detailed--instructions on how to avoid this. But it seemed like a lot of work and, as long as SP3 isn't a major move beyond SP2, I decided to hold off.
Brian Krebs: Sensible choice.
Would you care to reply back with a cut and paste of those instructions? Or maybe they sent you a special link that I've not yet seen? Thanks!
Arlington, Va.: Brian, what are the advantages/incentives for upgrading from XP to Vista? My current computer died and I am researching new ones and find most vendors are offering a choice.
Brian Krebs: I could sit here and tell you about what Microsoft says are advantages to upgrading to Vista, but frankly I don't see the benefit. I actually like XP. It's stable. It works with my existing sofwtare. I know it like the back of my hand. I go to my Vista machine, and it feels like I'm visiting a relative whom I feel guilty about neglecting. I know I should probably use it more often, but I just don't want to. Why? Probably because I find it to be slower and less responsive than XP.
Also, I still haven't quite gotten used to how Microsoft has changed things around. Finally, I find the User Account Control feature to be annoying without adding much in the way of real security. A lot of smart people will quibble with me on this last point, but the tough truth is that Vista isn't all that desirable of an operating system, and I think even Microsoft is willing to admit that at this point.
If you're looking to stick with Windows, I'd advise you to stick with XP. If you're willing to spend a little more, I'd advise you to purchase a Mac. I'm not saying Macs are these uber-secure systems that allow you to forget about security, but I will say you will probably spend a lot less time worrying about security.
If you get a Mac with enough hard drive space and memory, you can run Parallels on it and make an exact copy of your existing Windows installation and port it over to run on your Mac -- at the same time while you're running OS X. Very cool.
Or, you can install bootcamp and boot into Windows or OS X and have the best of both worlds.
Lexington, Ky.: Because of the incompatibility of the latest MS security update with Zone Alarm, I am not trying to remove Zone Alarm and replace it with another firewall. Trouble is, I cannot remove it from two of my three computers. Nor can I install any of the Zone Alarm updates. Every time i try to use the ZA uninstall program, it is interrupted by various error messages, some of the telling me Zone Alarm exe. is not a proper "Win 32" application, and others saying I have reached a "breakpoint." I am not a real expert on this matters, but I need to get rid of Zone Alarm. Any idea what I can do. (The Word uninstall program will not uninstall ZA either). Thank you, Dan
Brian Krebs: Try shutting down ZoneAlarm completely before running the uninstaller. If that fails to work, try uninstalling from the Add/Remove Programs panel. Failing that, spend a little time reading some of the suggestions in ZoneAlarm's Uninstall/Install User Forum.
Fairfax, Va.: I'm an avid user for firefox (3). However, I find that I cannot download any program file in Firefox unless I reduce security settings in IE7. I usually leave IE at high settings since I don't routinely use it. What is the relationship between Firefox and IE? I thought the purpose was to avoid IE?
I tried reducing all the security settings in Firefox to make sure it wasn't the cause. And the problem exists without using noscript. Only reducing settings in IE allows downloads.
I'm using xp sp3.
Brian Krebs: This is one of those questions that I *really* want to answer, but honestly don't really know where to start. I've never heard of this problem before. IE's security settings should have no bearing on whether Firefox can download files to Windows. I'm stumped.
That said, if you don't routinely use it, why not set IE7's security settings to medium? It's not like just having that setting at medium by itself is going to cause your system to be more exposed. Medium is the default security level, and if you're not really even using IE to browse the Web, what difference does it make? Change it back to medium and get on with things, already!
Brian Krebs: I'm out of time for today! A hearty "thanks" to all who participated in this chat, and to everyone stopping by for a read. We'll host another Security Fix live two weeks from today. In the meantime, please consider making the Security Fix blog a regular stop in your daily surfing route. Be safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.