Security Fix Blogger
Friday, August 1, 2008 11:00 AM
Security Fix blogger Brian Krebs will be online Friday, Aug. 1, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
A transcript follows.
Brian Krebs: Welcome, all, happy Friday, and thanks for joining us for another Security Fix Live. Standard boilerplate: Please try to be as specific as possible about your setup/problem, and try to let me know about the security software/hardware you are using, if possible. With that, I'm off to tackle your questions!
Gaithersburg, Md.: Hi, Brian.
Thanks for the column and chat! You have helped keep me and mine safe for years!
I finally took the plunge and got high-speed service through Comcast and a cable modem that is hooked directly from the wall into my computer. I run XP SP3, Zone Alarm free firewall and Norton anti-virus, Spybot and I only use FF with Adblock, Noscript and Flashblock (which is how I managed to survive on dial-up all these years).
However, I am uneasy with the fact that I now have an open pipeline to the internet at all times. Is there anything I can do to outside of my current setup to help keep my computer safe?
I'm not sure what a "router" is, but is that something I should look into?
Thanks again for the great information!
Brian Krebs: A hardware router is nothing more than a machine that takes your connection from your cable modem and splits it into multiple connections, allowing multiple machines to share the same line. Some hardware routers are wired, and some allow you to do both wired and wireless connections.
Pretty much all low-end consumer routers have hardware firewalls built in. A hardware firewall is among the single best lines of defense for home users. With a router, Internet traffic that you did not initiate will be dropped by the router -- meaning anyone scanning your ISP for systems to attack will simply not see your system.
Hardware routers don't necessarily stop programs already on your machine from using your Internet connection to dial out to the Web, so using a software firewall, such as the one that comes built-in to Windows or something like Commodo or Zone Alarm is another essential item for Windows users.
The way it works is you plug the ethernet cord coming from your cable modem not into your PC, but into a port on the back of the router. Then you plug in any machines that you want to use into one of the other four ports on the back of the router, so that all of those machines are protected by the router's firewall.
A decent router is the Linksys WRT-54g/b, which runs about $50. If you choose a wireless router, make sure to lock it down by following these manufacturer-specific instructions here.
Hope that helps.
Mt. Olive, N.J.: how do i stop aolload.exe from locking up my comp.
Brian Krebs: I believe the program in question is associated with AOL's Internet service, so I assume you are an AOL subscriber?
Two tools I'd recommend. One is HijackThis!, which lists every single program and setting that is set to start up when Windows boots. Find the box next to aolload.exe, put a check mark in that box, save or "fix" the changes, and aolload.exe should fail to load on the next bootup.
Bear in mind that if AOL is how you get online, you may be unable to get back online until you restart the aolload.exe process. You can find it in C:\Program Files\Common Files if you need it later.
The other tool I'd recommend is Process Explorer, a free tool from Microsoft that lets you see very plainly the processes running on your system, all the various programs launched as a result of each process, and the maker of each.
Fairfax, Va.: Please help with a non-updating Windows Update!
Sony Laptop, Windows Vista Home, Used primarily on a Limited account setting
On Windows Update, there has been an "Important Update" called Security Update for SQL Server 2005 Service Pack 2 (KB948109) that has been showing up as an available update since July 9.
Every time when it comes to install it, it then shows that the update failed. This happens when I:
1. Press install update myself 2. Let the Windows Update try to to it automatically 3. Tried both above in the Admin setting
Can you please tell me if this really is an important security update, and if so, how can I get it installed?
My Windows Update log is a long list of failed update attempts of this one update. Everything else sent through Windows Update has been fine.
Thanks so much.
Brian Krebs: I Googled around for an answer to your question, and found that a great many Vista users are having similar problems installing this same update.
Microsoft says it offers no-charge support for update problems at 1-866-PCSAFETY.
But before you go that route, it sounds from what I read that Redmond is trying to route people paid support to fix this problem. I found several sites that recommend trying to manually install the update. Finding the link to the direct download on Microsoft's murky morass of a Web site might take some patience, though. You'll need to search the Microsoft Update Catalog for MS08-040.
I also found this advice that seemed to work for some, following a remote support session from a Microsoft technician who ended up renaming some files before the install. See the last post at this thread here.
Sorry that I can't be more helpful in the short time that I have. Good luck!
Arlington: Is there any particular reason why my torrent speeds are slower with Verizon FiOS when compared to my previous service with Comcast? I'm under the impression that the router they provide is UPnP capable but I still have some port blocking issues. Is it possible that Verizon is (contrary to google's opinion) blocking torrent traffic?
Brian Krebs: It's not only possible, it's very likely.
But don't take my word for it. There are tools you can use to tell which ISPs are throttling this type of traffic. Check out this one for starters.
You should know that using Bittorrent may violate your ISPs terms of service. Some ISPs are even starting to drop customers who uses these file-sharing services.
Washington, D.C.: My husband and I recently purchased a laptop and a Linksys router. However, last night when we tried to set everything up and hardwire it for the first time to our existing PC, we got nowhere. Do you know what might be the problem? My husband was on the phone with the tech help for hours.
Brian Krebs: The biggest source of problems for people I've found in setting up wireless or wired routers is they try to set it up using a laptop that is not physically connected to the router. Any machine you use to administer the router should be physically connected with an ethernet cord to the router. This isn't always strictly necessary, but it eliminates another level of complication.
Second, the order of powering on the various components is key. You should start the setup with all devices powered off. That includes the main PC, the router and the modem. Important first point, is to turn the modem on first. Wait until you see all but the bottom light on the modem go solid. Only then should you connect the router to the modem, making sure that the cord is connected to the router in the ethernet slot that is set apart from the other four on the back of the router.
After the router is powered on, go ahead and connect the PC to the router at any of the other four available ports. Start the PC. Open a browser, type http://192.168.1.1, and it should ask you for a username and password. The default on the Linksys should be admin/admin.
Make sure after you've verified that you can get online, that you secure the router. How-to video and text instructions are broken down by hardware maker here.
Finally, I'd *if you've also swapped in a new MODEM (not router), your ISP will need to know the hardware number attached to your new modem (this is known as a MAC address, and should be printed on the underside or back of the device). If the instructions above fail to get you online, call your ISP and see if updating your account with your new MODEM's MAC address fixes things.
Pittsburgh, Pa.: Brian,
Ok, I give up. What's a torrent?
Brian Krebs: Google is your friend.
Menomonie, Wis.: Good morning, sir. What do you think about the laptop and Homeland Security/border story in this morning's Washington Post? Would you advise one that values privacy just to leave their laptop at home if they plan to cross the border or travel internationally?
washingtonpost.com: Travelers' Laptops May Be Detained At Border
Brian Krebs: I would absolutely advise anyone the same: if you don't need your laptop, and/or if contains sensitive/proprietary/personal information on it, you should seriously consider leaving it at home. Other governments are likely to have or adopt the same policy of seizing laptops, etc.
Sure, you could encrypt the whole hard drive to keep any border officials from casually opening your laptop and snooping around. But then again, if you're in a foreign country, you're bound by their rules and laws. If they decide they want to detain you until you feel like giving up your encryption password, that's not beyond the realm of possibility.
Same goes with other devices that store personal/financial/proprietary data. iPhones are wonderful gadgets, but they're more or less tiny (or not so tiny as the case may be) hard drives that people often store very sensitive data on. How would you like to lose one of those?
Rule of thumb when packing for travel overseas: When in doubt, leave it out.
Silver Spring, Md.: I have spybot, Ad Aware, Commodo and AVG on my computer (XP, 512 RAM). Is there a conflict with these programs being on the same computer?
Brian Krebs: Not that I'm aware of. The first is an on-demand anti-spyware scanner. The second is a software firewall. The third is anti-virus. You should be good.
Connecting a laptop to network: Maybe the problem is that the laptop defaults to using its wireless card, not its NIC. The user should check Network Connection and make sure the NIC is enbaled and then disable the wireless card, as some laptops can't have both enabled. (Speaking from experience here.)
Brian Krebs: More advice for the person having trouble setting up the router. You can see which network connections are enabled/disabled and administer each by clicking Start, Settings, Network Connections (or if you don't see it there, Network Connections is also listed in the Control Panel).
For Washington, D.C. and the router: It could also be the connection between the modem and the router. When I had Comcast, they set up their modem to ONLY connect to my computer using the MAC address of the computer. Anything else connected to the modem would not connect (other computer, router, etc.) until I told the router to use the MAC address of the computer as its MAC address. Then, the modem thought it was talking to the old computer again and everything worked.
Brian Krebs: Yet more advice.
BTW, I didn't know that was Comcast's policy. I hope it was a local tech's decision, and not SOP for them. That's just lame if it is, IMHO.
Manassas, Va.: Brian,
There is a lot of software and hardware that is available to help you keep your PC secure. However, I believe one of the most important tools for keeping your PC secure is the user. The user must keep his/her software/hardware up to date. Also, any email where you do not know the sender must be taken with suspicion. I receive an email earlier this week with the subject "Do you trust me?". I wanted to open it up, but I marked it as spam. I did not want to take the chance that something bad might happen as the result of opening it. I am still curious about what the email said, but it is not worth the risk.
Brian Krebs: All good points. I tried to get at this a bit in yesterday's lighthearted post about spam.
Power off or sleep?: Brian,
Can you settle this debate once and for all? I can never seem to get a consistent answer from any one person. And, is it different for pc vs. mac? More mac people seem to be in the "you never turn it off, just let it sleep" camp. Thanks for settling the issue!
Brian Krebs: I don't think there's any "settling" this. It depends on your preference, really. Even computers that are powered off still draw some amount of current, so deciding based on the environmental impact here...doesn't make too difference, in my opinion.
Now, powering up the PC from a powered down state takes longer (usually) to get you to the login screen/desktop than resuming from a hibernate or sleep state -- with the exception of sometimes when you have a gazillion programs open at once before hibernating.
Is one state more or less secure than the other? Not really. I suppose -- if you had a whole bunch of programs and files open just so when you hibernate the PC -- you might be better able to tell if someone gained physical access to your machine and tampered with it, but that's probably an unlikely scenario.
Washington, D.C.: I have asked this question of Rob and I am wondering if you can help me get rid of this program. Watch My Cell is an excellent program but in trying to get rid of it I took a wrong turn and now cannot get it off my system. I cannot download it again to try and over write the old program it because it has now become a web based program. It also does not appear in add/remove programs nor in the registry - where else could I find and delete it? Thanks in advance for any help you can offer.
Unhandled exception has occurred in your application. If you click continue the application will ignore this error and attempt to continue. If you click quit the application will close immediately. Index was outside the bounds of the array.
If I click continue: a box comes up asking me to select my provider and the box is blank
P9: system.nullreference exception
Brian Krebs: Sometimes it becomes difficult to banish programs when the uinstaller fails because you deleted some component of the program before trying to uninstall it.
I've had luck with Microsoft's free Installer Cleanup Utility. It's worth browsing the instructions before proceeding here. Then, see if you can find Watch My Cell listed in the installed files list after running the cleanup tool, and then put a check mark or box (I forget which) next to that item and proceed.
That may or may not fix the problem. The other options involve editing the registry, and that's beyond the scope of this chat.
Pittsburgh, Pa.: Brian,
What's your opinion on the Linksys N series wireless router? The upside, to me anyway, is the 256 bit encryption, as well as the better range of the wireless.
Your thoughts ?
Brian Krebs: I haven't tried the Linksys N routers, but I can tell you this: I've spoken to a number of people who went out and bought these N routers because they're supposed to be faster and have a much longer range. They didn't think about the fact that their existing hardware didn't support it, or if it did, it only supported it at a B/G setting, which sort of nullifies any benefit of upgrading to 802.11N.
In short, my biggest piece of advice would be make sure you know whether, for example, the built-in wireless card on your laptop supports 802.11N, etc.
SF, CA: We have a family iMAC and have been using it without issue for about 6 months. Mostly surf internet...
What is the best freeware app we can use to periodically sweep the machine for malware?
Brian Krebs: You could try the free ClamXAV.
Reston, Va.: I did the trial of Microsoft OneCare and liked it very much. I started the subscription process. However, as a requirement to the subscription, Microsoft requires the customer to complete a form that would contain some very personal information - they call it setting up a "Windows Live ID" account.
So, I went with another firewall.
Have you heard anything regarding why Microsoft is so data intrusive on this?... ie. How would knowledge of a subscriber's birthdate help with firewall protection?
Brian Krebs: That's an excellent question. I don't know why Microsoft asks for a birthday. Maybe because they've found that it's a convenient data point to have, and that most customers don't think twice about giving it away.
To answer your question, I'm not aware of any way in which having that data would allow Microsoft to offer you any better firewall protection.
Kudos to you for voting with your wallet. You might consider letting Microsoft know that you gave your money to another company that wasn't so nosey about details it doesn't need.
Rockville, Md.: Brian:
I like to monitor several discussions at a time and use the list of active discussions at the top to move from one to the other. However, some (yours and the one on money) do not have a list. Is this on purpose? What goes?
Brian Krebs: Not sure why you're not seeing it, but this chat is actually linked in three places off the wp.com homepage. It's currently under the Friday list in the Discussions box halfway down the home page on the left. It's also listed under Technology includes directly to the right. Finally, a link to this chat is in the top table of the web site,"Q&A Now" under the News Columns and Blogs links.
It's also listed prominently here, next to my big mug.
Taylor, Tex. (Currently in Lanzhou, China): How vulnerable to intrusion is a computer during its boot phase, particularly if the networking applet that enables LAN-based Internet accessibility, loads prior to either the AV or firewall?
Is there some registry configuration method that will force the boot sequence to ALWAYS load the firewall/AV prior to the wired or wireless network applets? (FYI, I'm running WinXP Pro SP3 on my laptop, if that makes a difference.)
Brian Krebs: Most security software (firewall, antivirus, etc) tries very hard to get itself loaded early on in the bootup process, usually while the little progress bar is shown moving across the screen under the Windows logo. If you were to see what was really going on, you would see a bunch of different processes flying by as they get loaded up. Not all load at the exact same time, of course, and so it's completely possible that a malware module that gets its hooks into your machine could load before your security programs do. A number of well known malware families do this quite well.
I'm not aware of any registry setting that would give you the piece of mind you're after. However, if you're behind a hardware router/firewall, this would seem to be a non-issue.
Arlington, Va.: Hi Brian:
Question about external hard drives and being able to use the full memory. For ex., a 300G HD will read available memory of 275G.
I know you mentioned in the past there is a way to change settings to you can fully utilize the memory. Can you please go over it again?
Brian Krebs: You forgot to tell me what operating system and version you are using. That's kind of important for diagnosing this issue.
I don't have much time left, so I'm going to go with the most frequent culprit here. If you're running XP Service Pack 2 or higher, you should be able to see larger harder drives (the drives will never show up as large as they're advertised in Windows...usually a few gigs under the actual size of the drive). In most cases I've found where the full drive size is not available, the user is running windows on a computer that is pretty old (i.e.,>= 5, 6 years). In many cases, this is not a limitation of windows as much as it is a limitation built into the motherboard of the computer. In that case, short of upgrading the motherboard (a pain, expensive for most people, not worth it), you might be stuck.
Asheville, N.C.: Do you have any information on which local ISPs have patched their systems to deal with the DNS vulnerability?
I ask because I no longer live in the area, but my parents (who are just computer literate enough to be dangerous) do and have been concerned since I sent them a link to your article last week.
Brian Krebs: I've been trying, without much luck, to build a list. Your folks can visit this site and click the "Check My DNS" button to see if their ISP has fixed the problem.
If they haven't, one option is you can set them up to use OpenDNS, which has fixed this problem.
Rockville, Md.: My parents had two old (very old) computers that they wanted to recycle. I took them to the County computer recycling drop-off but removed the hard drives first. Now, I have two hard drives sitting in my kitchen.
What's the best way to make sure the data never get read again? Sledgehammer, bury in the back yard under 2 feet of dirt, both?
Brian Krebs: A sledgehammer will probably prevent the casual person who finds the pieces in a dumpster from trying to do anything with them. It can be gratifying and fun to smash things with a sledgehammer, but flying bits of metal hard drive shrapnel can hurt and poke out eyes, too.
A giant magnet will probably also do the trick.
You can also buy a hard drive cable and special connector off of ebay and load the thing as a slave drive in windows. Then use free programs like Eraser, Sdelete or Dban to write over the data on them.
Austin, Tex.: I'm getting "Denial of Service attempt blocked" from my Panda Internet Security software several times a day. Is it really plausible that my computer is being attacked that often, or is something maybe going wrong with the Panda software? I'm suspicious because the Panda software seems to be giving me other problems, like making Outlook stop responding now and then.
Brian Krebs: I'm sick to death of hearing about security software that gives the user meaningless but scary notices all day about things it's blocking. I'm not a major fan of Panda's stuff or their research. That said, you can probably turn off these annoying alerts in the Panda control center. Further, turning off the alerts might free up more resources on your system.
Brian Krebs: That's all, folks. I'm out of time for this week. Thanks to all who stopped by and contributed to the discussion. I should be back on Security Fix Live in a couple of weeks from today. Meantime, please consider making it a habit of reading the Security Fix blog to stay on top of the latest security threats, tips and news.
Have a great weekend, and be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.