Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, August 22, 2008; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Aug. 22, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.

A transcript follows.


Brian Krebs: Happy Friday, dear Security Fix readers, and welcome back to another Security Fix Live. The questions are piling up, but before I dive in, I'd like to remind readers to be as specific as humanly possible about their system setup, installed security applications and hardware. Also, please tell me what browser and operating system you are using. Thanks!


Short Hills, N.J.: My colleague's computer, running Windows XP, was/is infected with the XP 2008 Antivirus virus (she opened and executed a bogus "greeting card" message). We have yet to find a good tool to remove all of the malicious code introduced to the computer. And a restore point was not available for the computer. Might you have any good suggestions on how to clean up the computer? Thanks.

Brian Krebs: This scareware piece of nastiness is probably one of -- if not THE MOST -- pervasive intruders out there right now. Tons of people are struggling with this XPantivirus program.

The one application I've seen that does a fairly good job banishing this thing is Malwarebytes' Anti-Malware. It's trialware (you'll have to pay after the trial period) but it should do the job for what you need. Grab a copy at this link here.

When you've cleaned your colleague's computer, set him/her up with Firefox and the NoScript add-on and I can pretty much guarantee you won't have problems from XPantivirus or its ilk again.


DC: Brian:

A new Mac user, am I being lulled into a false sense of security?

I was given a hand-me-down Mac laptop (most updated OS and Firefox) by a friend who is trying to convert me over to the Apple side.

I'm using it at home with a wireless router issued by Verizon FiOS, primarily surfing the web. I have not done any personal financial transactions yet, because I'm just a bit uneasy.

So far so good, I like it and all, but as a regular reader of yours, I was pretty aware of how important security can be.

On my wired connection, desktop HP, with XP Home Edition, I was using AVG anti-virus and anti-spyware, Ad-Aware, Spybot Search & Destroy, ZoneAlarm free firewall and running regular scans.

As far as I can tell, the Apple doesn't have any of these kind of security products. Of course, my Apple friend tells me "you don't need any of that stuff on a Mac, they're safe."

Am I being paranoid or are there similar security products I should be looking into?

thanks a lot!

Brian Krebs: The other day, I walked into the local Apple store and asked the employee wandering the store what I needed to do to secure my Mac from viruses and attackers, and was told very casually not to worry about that sort of stuff.

At the very least, you should have the built-in Mac firewall enabled (System Preferences, Sharing, Firewall). Also consider clicking "Advanced" and placing a check mark next to all three boxes, Block UDP traffic, Enable Firewall Logging, and Enable Stealth Mode.

As to using anti-virus on a Mac? I'm not sure we've come to that point yet, but if it would give you peace of mind, there is at least one free anti-virus tool -- ClamXAV -- for Mac users. However, given the waning effectiveness of anti-virus software in detecting threats against Windows systems, I don't have too much faith that these tools are going to detect the latest malware built for the Mac.

Here's what I would advise for any computer user, whether they go online with a Mac, Windows or Linux machine: Be extremely careful about the software you install on your system. This is easily the most common way malware gets onto computers in the first place: People agree to install it, either through trickery and deception (or scaring them into installing it), or because it's a piece of software the user really wants and s/he is not terribly concerned if it should come with malware attached.

Most of the threats we've seen against Mac users fit this profile as well. The DNSChanger trojans will happily infect Mac systems. They usually are disguised as video codecs that you supposedly need to install in order to view video content (porn). There also is scareware built for the Mac, which uses the old "you've got malware/privacy threats on your computer, click here to get our software to remove them" type scams.


Security on my Network: I've got a WPA2 encryption on my Verizon router (with a complicated password to get to the router administration page). I recently set up a network between my desktop and laptop (both running Vista). In order to do this, each machine requires a password, for which I'm using a simple one. So, even though I have this simple password, my network is basically safe, right? In other words, you would still have to break through the WPA2 protection in order to get to my network, right?

Thank you.

Brian Krebs: Well, you're talking about a couple of different things here. First off, WPA2 is an encryption technology designed to secure your wireless network. That will prevent people within a few hundred yards of your wireless router from gaining access to your wireless network without the proper passphrase.

Now, whether or not your internal network can be accessed by outsiders goes beyond the security of your wireless network. Obviously, if your system is compromised over the Internet by malicious software that pokes holes in your network defenses to download additional malware and tunnel sensitive data out of your network/PC, then the level of security on your internal network becomes an issue. If you've chosen a password to protect your Windows shares that is easily guessable (i.e., a person's name, your birthday, or a word found in the dictionary), it would be trivial for an attacker who has gained a foothold on your system to access other systems on your internal network that also rely on that password.

So, just to be on the safer side, you might consider using an alphanumeric password for your network shares, preferably one that is at least 8 characters in length.


State of Dyspepsia: Brian, XP's Service Pack 3 seems to have been 'Released to Web' (Released to Wild?) as it's popping up in most of my XP installations as a Windows Update release.

What changes, if any, have been made that make it ready for public consumption now vs. its initial release a few months ago that was pulled from Windows Update?

Brian Krebs: I'm not privy to any changes that Redmond may have made to the XP update bundle known as Service Pack 3 since they initially released the thing earlier this summer. It is likely, though, that the version they are offering now has been tweaked to eliminate some family of problems that a large enough population of XP users were experiencing after installing it.

As far as I know, though, SP3 hasn't gained any more functionality that would make it any more appealing as an update -- at least from a security perspective. One could argue there are stability or performance improvements to be had from SP3, but I haven't seen them.


Washington, D.C.: Brian,

I am hoping you or your readers could offer some advice regarding PC software that creates an image of the entire drive for backup purposes. I am not interested in the file back up utilities. I need software that creates a drive image. Any opinions or direction on which software is worth looking into would be greatly appreciated. Thanks for your time.

Brian Krebs: I've mentioned before that I use Acronis True Image to make whole copies of my hard drive. It forces you to create a boot disk, so that if something goes wrong you can pop the disk in, boot up into the Acronis loader, and pull a known good saved disk image from another location and re-write it over top of the corrupted image.

Previous Norton products (like Save and Restore) did the same thing, but now Norton seems to be focusing on online backups, through products like Norton 360, which is still on my list of products to test.

Anyone else have whole-disc backup software they're using and can recommend?


Aurora, Colo.: What's a SQL injection? Can I, as an internet user, be affected by this kind of attack?

Thanks, Millie

Brian Krebs: SQL stands for structured query language, and it's a computer language used for retrieving and managing data in databases. SQL injection refers to the act of forcing databases to spit out their protected contents.

Rather than re-create the wheel, I'll cite from this entry on SQL attacks that I wrote up in June:

"In most of these compromises, the hackers broke in using an attack called SQL injection. Rather than attacking specific software security vulnerabilities, SQL injection attacks target configuration weaknesses in the database layer of the site's Web application, be it ASP, CGI, or PHP.

While most SQL attacks are automated with the help of scanning tools, SQL attacks can be carried out using nothing more than a Web browser. An injection vulnerability most commonly exists when a site accepts input from a visitor -- such as through a search or login box -- but fails to filter out potentially harmful instructions, non-standard characters or computer code.

Successful SQL attacks can force a site's database to cough up configuration settings, user names and passwords, or sensitive data that can help an attacker inject content onto the site."

Unless you are running a Web site that pulls information or data from a database via SQL, you don't have to worry about this kind of attack.


Mac vs. PC memory ratio?: Hi Brian,

On Rob's chat, he said something to the effect of having 2GB RAM on a Mac was equal to a Windows Vista machine running 3GB RAM.

All other things being relatively equal (processor speed, programs being used, etc.) would you agree that you only have to buy 2/3 the RAM in a Mac and get equal speed to a Windows machine?

This would help as I am debating whether I can manage if I buy a 1GB RAM Macbook that will be used for web surfing and Mac Office 08 for schoolwork.

Brian Krebs: I really don't have the metrics available to answer your question authoritatively. I would guess, however, that just the lack of overhead taken by security programs commonly installed on Windows machines (think host-based intrusion detection, anti-virus, anti-spyware and active, two-way firewall programs) would give most Mac users a decent head start on system/RAM resource usage right there.

Secondly, whether you're using Windows or Mac, the amount of hardware memory/RAM your system has installed is likely to be one of the biggest factors in determining how fast your system is. I always go for the maximum amount of RAM possible in any system I own (within reason). My MacBook Pro has 3 gigs of RAM installed, which allows me to run Parallels virtual machine and other operating systems at the same time, alongside a gazillion other running applications. Same with my main Windows system here at home, which runs 4 gigs of DDR700 RAM, upgradable to 16 gigs of RAM.

No doubt you can manage just fine with 1 GB of RAM in your Macbook. Will you be happier and accomplish more with more RAM installed? Almost certainly.


Arlington, Va.: Brian,

Do you have any opinion on ZoneAlarm's ForceField product?

A couple weeks ago, ZA was offering a year of it free, so I took advantage and installed it on 2 PCs, one XP Home and one Vista Home.

Used w/Firefox, it's been ok so far- it does add a toolbar, but yesterday I discovered that while ForceField is running, you can't install the NoScript add on updates from Firefox.

I had to manually exit ForceField, close Firefox, open it again, apply the NoScript update, then close out and then activate ForceField again.

Knowing how frequent NoScript updates are, would you say it's worth it to go through this on each computer for every update?

Brian Krebs: I haven't had time to try ForceField yet, but plan to. Is there no way in ForceField to add exceptions for add-ons or specific apps? I realize that enabling exceptions for entire programs chips away at the usefulness of such a program, which I gather is to preserve each process or program in a pristine state and not let anything external change the way it behaves.

But you're right: Seems like NoScript has a new update almost weekly, and if I had to go through that process as you described that frequently, I probably would give up on ForceField pretty quickly.


Arlington: Hi Brian,

Don't mean to nitpick, but on your 2nd response to the new Mac owner, it should be (System Preferences, Security, Firewall), not Sharing; he/she won't find the settings for Firewall that way.

Brian Krebs: That's the way I access it on my Macbook Pro (Tiger). Perhaps it's different in 10.5? I don't have a firewall option under "Security" in the preferences pane.


Melbourne, Australia: G'day Brian, My Eset Nod32 and Zone Alarm Pro are due for renewal soon and I'm inclined to switch vendors simply because I'd like to bundle anti-virus and Internet Security in one package. I see that Kaspersky all-in-one (AU$89.95) is C-net's Editor's Choice, and that Bit Defender Total Security (AU$69.95) is rated high. If you were doing it, which would you choose? Or another? I use Windows XP Pro, Spybot S&D, A-Squared Free and am a very careful browser and emailer. Thanks

Brian Krebs: As a rule, I generally avoid the all-in-one suites, because regardless of what the vendors say, they all tend to do one thing well at the expense of the rest of the functions, or at the expense of gobbling up serious amounts of system resources.

That said, I haven't tried Bitdefender's suite, but I've heard good things about it. I have had fairly positive experience with F-Secure's offering, which also earns high marks. Much to my dismay, both times I've tried using Kaspersky's suite, it has either failed to install properly or borked some function on the host machine to the point where it was unusable and I had to remove it.


Tulsa, OK: Brian,

Would it be possible for just any old node of the internet to employ deep packet inspection?

Are there internet nodes controlled by iffy entities?

Could they use DPI to harvest financial data sent in the clear?

Is there any reason left for not encrypting all data?

Brian Krebs: "Deep packet inspection" is a bit of a buzzword at the moment, thanks in part to media attention to the idea that some ISPs are considering putting in place technologies that make it easy for them to inspect "packets" or bits of data flowing to and from customer machines, mainly to peer inside of the packets and offer more targeted advertising to each customer based on what s/he may be talking/emailing/chatting about online. This is an extremely invasive idea, and I hope it never gets off the ground, but I'm afraid it will soon.

In fact, I believe that 5 to 10 years from now, people will access the web largely for free, in exchange for giving marketers complete rights to mine their e-mail, chats, phonecalls, etc. in order to serve targeted ads.

Now, to your question. Any data that is sent "in the clear," that is, unencrypted, is readable by pretty much anyone else on the network. If you go on a wireless network and start surfing or chatting without the benefit of your communications being protected by an SSL connection, potentially anyone else on the network, including but not limited to the network operator, can deep packet inspect till the cows come home.

Frankly, you raise an excellent question: Why doesn't Google (and, for that matter, other major search providers) simply encrypt all of their search queries? One could make the argument that it's too expensive to do so, but I've spoken with folks recently who seem to think that's no longer a valid excuse because the costs that once made such a proposition prohibitive have come way down.

I would wager that if companies offering ISPs deep packet inspection services actually do gain some traction and start eating away at Google's targeted ad revenue, then Google may just take that step. Until that happens, though, I wouldn't hold your breath.


Which is more secure, Mac, Windows, or Linux?: I know you get this question all the time. I also know that with the disparity in market share, doing a fair comparison can be tricky. Still, I think it would be useful if an expert such as yourself separated the facts from the hype.


Brian Krebs: Which car is more secure or safest? The Volvo, or the Saab? Sure, we could pore over crash test results and compare safety features ad nauseam, but wouldn't it be better if you didn't get in crashes in the first place?

Alas, computer security is sort of like that. A huge percentage of the infections on Windows systems these days succeed not because of holes in the operating system but because they trick people into installing the malware.

There isn't a software security suite in the world that will protect users from themselves. This sounds trite, but it's sadly very true. The threats being created today focus on hacking the user, regardless of the operating system they're running. There are threats being built that exploit vulnerabilities in software programs that run on multiple operating systems (think Flash and Java).

That said...Mac users undoubtedly have far fewer threats to worry about than Windows users. Linux users are sort of in a class by themselves. There are plenty of threats to the Linux user but they mainly tend to be network-based as opposed to browser-based -- although compromised program packages have been an issue in the past for Linux users.


Vienna, Va.: When I submit a question to an online forum such as yours...what kind of information can the receiving organization (in this case the Washington Post) learn about me? Does the system pick up my user ID, IP address, geographic location? Just wondering.

What if I submitted a question to an online forum run by an organization that was less ethical than the Washington Post?

Brian Krebs: I used to have a neat page bookmarked that showed all the data that Web sites can grab about you and your system when you visit them. Alas, I can't find it at the moment. But let me try to reconstruct some of it from memory. This page from the SANS Internet Storm Center is the best I can do right now.

For starters, I don't think you can ask a question in this forum without signing up as a user, so we probably already have your username and password, as well as a cookie on your system that identifies your system as having at one point provided the proper credentials to keep you logged in at our site.

We also know your Internet address. We can see what browser you are using, and also the version of the browser in most cases. We can see which web site you came to us from (called the "referrer".) If you leave this page and go to another site, we can tell where you went. We can see what operating system you are using, and what version of that OS.

That's pretty much it for the basic stuff. If we were to use Java or JavaScript or other trickery, we could dig deeper and see all kinds of stuff about your system: which service pack you're using, whether certain browser plug-ins are patched and up to date, and whether certain applications are installed on your system. We could use that access also to get your system to cough up your default system username. That's why I so often recommend the NoScript add-on for Firefox, because JavaScript is a way to just let any old site use it against your system willy-nilly.


Salem, Ore.: Brian, I use System Guardian from for full drive image on my XP Pro sp2 system. It requires an identical drive, and makes a complete bootable copy, even with several partitions. It has auto failover, too. I have tested it several times, and it has always worked. Unfortunately, there is no Vista version, and no 64 bit version. You can use their pooling wizard to back up to multiple drives. I keep one in the computer, and one in the safety deposit box, and swap them weekly.

Brian Krebs: More advice for the reader seeking whole disk imaging programs.


Washington, D.C.: My laptop, which has Windows Vista as its operating system, has become too slow within the last 6 days. It takes me forever to even open my email. What could be the likely cause for this slowness?

Brian Krebs: Without more information, it's impossible for me to say for sure. But let me take a stab at the obvious answer: Windows Vista. I just bought a brand new PC with a blazing processor and 4 gigs! of RAM. It came with Vista Home Premium installed, but I'm getting ready to "upgrade" it to Windows XP. It ran okay when there was no security software or other applications installed on it, but now that I've got my usual apps installed, the thing acts like I'm demanding the world just to run three or four apps at the same time.


Firefox: I'm new to owning a computer, and I'd like to know how I can get Firefox as my web browser. Also, what is the best starter anti-virus software?

Brian Krebs: Well, for starters, you can fire up IE and head on over to Mozilla's Web site and download the program there. Once you've got it installed, head on over to the add-ons page and check out some of the more popular extensions that make using Firefox more enjoyable.

For anti-spyware, I'd recommend Superantispyware. The free version is not "real time" protection, in that it works only when you manually run/invoke the scanner.


Arlington: Hi Brian - well, my years-long streak of never having a serious problem with a virus or malware ended recently. I have XP SP2, and run Antivir, Windows firewall, and SpyBot Resident. I was on the internet and "the next thing I knew" I started getting window after window that told me that I had a gazillion viruses, trojans, etc. Also, SpyBot started going crazy asking me if it was ok to make all kinds of changes to the registry. At first I thought it was the Antivir that was alerting me about the viruses but then I realized that I had somehow downloaded a particularly annoying piece of scamware called Antivirus XP 2008 - one of those that tells you that you have all kinds of viruses and you need to buy their program. Not appreciating the magnitude of the situation at first, I tried to uninstall the program with add/remove programs. Needless to say it did not work. So, I ran a full SpyBot scan which, of course, takes over an hour. At the end of it, it told me that I had 11 problems but it was only able to remove 9. It suggested that I restart the computer and run SpyBot again. I did that and after another hour it did not find or remove anything else. At this point I'm still getting the popups about trojans, but not as frequently. Next, I ran Windows Defender, which was defenseless against this scamware, finding no problems. Then I recalled the online Microsoft full system scan that you have mentioned in the past. I ran that and it told me that I had two problems, one severe and one medium. So, it removed them but I was STILL getting the trojan popups. I did some research online and some people were recommending a free program that I had never heard of called Malwarebytes for this specific issue. I downloaded that, ran it and was told that I had 23 pieces of malware in the system. So, I removed them and ran the program again, just in case. At that point I got one more of the trojan popups, but it was the last. That was about two weeks ago.
So, I'm hoping that the last popup was on some kind of slow burning fuse and that the system is clean - it seems to be ok.

I have two questions. First, which of my security programs do I blame for allowing this program to be downloaded? According to my research this piece of scamware has been around for quite a while, so I'm a bit disappointed that it got downloaded and was so hard to remove. Second, is there any way I could have handled this situation better once the scamware was on my system? Thanks very much.

Brian Krebs: I'll respond to both of your questions with the same answer. Rather than blaming failures of security applications on your computer, consider why you need those applications to begin with. Windows XP is set up so that by default the user running the system does so using the all-powerful administrator account. That means that any program that faces the Web is vulnerable to being used to install software against the owner's wishes, because that program is being run in the context of an account that has full rights to install programs and change important settings on the system.

What you can and should do differently is stop running the system as admin all the time -- by creating and using a limited user account. An alternative, less dramatic approach involves dropping the admin rights of individual Internet-facing programs, such as your web browser, IM client, etc.

Please consider reviewing these two posts, and adopting one of the two approaches.

The Importance of the Limited User

Windows Users: Drop Your Rights


Arlington, Va.: I'm not surprised by the comment from the Apple Store guy, but Apple is playing a very dangerous game.

There may not be many traditional malware type threats to the Mac, but Mac users are just as vulnerable--if not more so--to phishing attacks like this recent one.

I say more so because Macs as far as I can tell have little or no phishing protections like those in Outlook, IE7, Vista, etc.

Apple has also had numerous glaring security vulnerabilities recently. There are almost constant holes found in Quicktime, which every Mac user has. I think Apple still has not fixed the client side part of the recent DNS vulnerability.

As Apple's marketshare increases, their lax attitude toward security, and their lulling of their customers into a false sense of security will backfire in a major way.

Brian Krebs: I always welcome feedback and reader opinions. Thanks!


Arlington, Va.: SP3 hasn't been tweaked or updated. The only thing that has happened is that SP3 is now being offered through Automatic Updates, so more people will be seeing it.

Brian Krebs: So says Arlington. Thanks!


Brian Krebs: I'm out of time for today, folks. A big "thanks!" to all who came by to read or to participate in this discussion. I should be able to host another Security Fix Live a couple of weeks from now. Until then, please consider making the Security Fix blog a regular stop in your daily browsing rounds. And be careful out there, people!



© 2008 The Washington Post Company