Security Fix Blogger
Friday, September 5, 2008 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Sept. 5, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
A transcript follows.
Brian Krebs: Good morning, loyal Security Fix readers, Happy Friday, and thanks for participating. We've got some great questions in line already. There are quite a few of you, however, who forgot to tell me the slightest details about your setup, operating system, version, and installed security software/hardware. Please be as specific as possible in your question; it helps immeasurably in finding the best answer! Now, onwards!
Bethesda, Md.: In light of the recent issues raised about sites not using SSL fully after login (see 8/10 Security Fix) I checked on Discover Card's site at www.discovercard.com. I was surprised to see a login form on the left side of the home page (which includes a help popup stating that SSL is used) but the URL is only "http://..." and not "https://..." nor is there a lock icon shown in my browser indicating SSL is active. There is a separate Log In link on the upper right, and when I click there, I am taken to an https:// page. So doesn't it seem like the login itself is insecure from the home page? I assume this means my login ID and password are being sent as clear text -- is that correct?
washingtonpost.com: New Tool to Automate Cookie Stealing from Gmail, Others
Brian Krebs: This is an extremely vexing practice by the banking industry that actually began several years ago (see this post, Bank Sites Still Driven by Marketers, Aug. 2005 to see what I mean).
That post explains pretty clearly what's going on, but here it is in a nutshell. The banks, in the perceived interests of saving money, have separated out their home pages between SSL and non-SSL. Reason? Plenty of people visit the site but don't actually log in, so why serve those people a full-SSL page, when SSL pages take a fraction more resources and time to load? So the banks leave their main page http://, and make it so that if you type your username in the login box, as soon as you start to type your password, that frame or page switches over to https://. So, while it may seem that your user/pass is being sent in the clear, it is not.
But that change isn't obvious to most users. It only confuses them. After all, they've been taught for years to look for the padlock icon. It's pretty unconscionable that this practice still exists, in my opinion, but it is still very common, unfortunately.
Baltimore, Md.: My O/S Windows Vista Home SP1. When I use IE7 it crashes saying an unknown error has occurred. Any suggestions for a fix? Thank you.
Brian Krebs: Hrm. I would try resetting IE7 to its default configuration, to see if junking any errant changes that may have been made to the browser fixes things. To do this:
Reset Internet Explorer (IE) & register files
1. Click Start, please type "inetcpl.cpl" (without quotation marks) in the Start Search bar and press Enter to open the Internet options window.
2. Switch to the Advanced tab.
3. Click the Reset Internet Explorer Settings button.
4. Click Reset to confirm the operation.
5. Click Close when the resetting process has finished.
6. Uncheck the Enable third-party browser extensions option in the Settings box.
7. Click Apply, click OK.
Please let me know if this did or did not fix the problem. Thanks!
Pete from Arlington, Va.: Brian, in an earlier post on one of your great blogs, I mentioned that you have been poking around (excellent investigative reporting that I hope is recognized!) on some pretty sensitive turf owned by serious players. Your revelations may harm them financially. Have you received any threats?
Brian Krebs: Hi Pete, nice to see you in the chats. Thanks for the kind words.
I may be treading on sensitive turf, maybe not. I don't know. One thing I can say for sure: sunshine is a great disinfectant, and there are sooooooo many corners of the Internet that need a little light shone on them.
Unfortunately, so much about how the big players operate the Internet is obscured from public view. For example, you might think it would be a trivial thing to learn all of the domains registered to a given domain registrar, but you'd be sorely mistaken. That information SHOULD be public, but it is not required to be, and so is hoarded by those who have it. We can talk about WHOIS privacy issues until we're blue in the face, but the only way the criminal operators on the Internet are going to be exposed is if we start finding creative ways to a) mine this data, and b) make it more available.
And I'm not just talking about WHOIS data, mind you. Stay tuned to the blog for more on what I mean here. :)
Sorry, I realize I didn't really answer your question, but then again it's probably unwise of me to do so. I hope you understand.
Alcoa, Tenn.: Can I grant a program that requires full privileges permission under a limited user account without the user having to enter the admin password? Thanks
Brian Krebs: Thanks for your question, Alcoa. You didn't say what operating system you're using, but I will assume Windows XP.
If you're using XP Pro, then the answer is yes. You can, while logged in as administrator, right click on any folder or file, select properties, and then change its permissions for any user account.
There is also a way to share folders/files using Windows filesharing, so that they have the same permissions across user accounts on Windows XP Home Edition, but it's slightly involved and you really need to know what you're doing before you monkey with it. If you're stuck with Windows XP Home, and still want to attempt this, check out this link here. Microsoft has more on file-sharing in XP here.
I may not have answered your question fully. If I didn't please don't hesitate to ask a follow-up. As always, I welcome tips from other users who may have a different take on the reader's question.
Baltimore, Md.: My Bank of America credit card had a charge in June of this year. It was for a FED RED CROSS charged to a PETIT SACONNECH for $20.00. Just about the same time as the charge I received a letter from Bank of America stating that my VISA card had a suspicious charge on it and that I should call Bank of America. Ironically the charge appeared the same week that I was issued a new VISA card because the old one was about to expire. First I thought that the letter from Bank of America was just a scam for me to purchase extra credit card insurance so I called them anyway. To my surprise they pointed out the fraudulent charge and asked if I had made a donation to the Red Cross. I said no, they credited me the $20 and issued me another VISA card. My opinion is that Bank of America credit card service had been hacked with tons of bogus $20 charges when they were issuing new credit cards to customers. What is your take on this and was this a large scale hack? Thanks.
Brian Krebs: Credit card thieves very often will test whether a stolen account number is still active by making small donations at charity sites.
I wouldn't read too much into the fact that the charge occurred on a new card, as it should essentially be the same card number. After all, the first card you received before being notified of the fraud was most likely still using your old Visa number. Without more context, there's really no way for me to know whether this was an isolated or large scale "hack." Chances are, though, that your card information was sold in bulk to fraudsters who pilfered it from some online or offline database.
Minneapolis: ok...running XP pro on a 2.6 cpu in a gateway. i have begun getting an error message on boot that says windows can't find ORDINAL 397 in the dynamic link library. just curious what an ordinal is and if i should go back to my old Commodore or reload windows, or ignore it. there were multi-media issues (couldn't see the D drive, for example) which seem to have healed themselves. DVDs and CDs and associated software now function again without my having taken a wrench to it, but it's a bit mysterious to me. should i move to Costa Rica..? thanks. love this chat. read it most every week.
Brian Krebs: Usually you will see this error for a program that didn't install correctly. You can read about ordinals here if you really care, but the point is that dynamic link libraries -- or DLLs, as they're called -- are shared library files on Windows that are used to initialize certain processes. Have you installed any software recently?
Does the error message mention a specific DLL file? I'm guessing it does and that file is the key to figuring out why you're seeing that error. When you see the error message on boot, does it let you continue or does it interfere with the proper functioning of the OS?
Chantilly, Va: Brian,
Windows XP user here. Tried to install Google Chrome browser and kept getting something called error 4. Have you tried it yet?
Brian Krebs: I only just downloaded it. What I find most interesting and scary about this browser is that it's made by an advertising company.
Let me explain. When you use Firefox, for example...Mozilla has a deal with Google to distribute the Google Toolbar as part of Firefox. Now, when you type stuff into the Google toolbar, Google can actually see what you're typing. But Google can't see that data if you're typing the same address/letters into the URL/address bar.
What Chrome has done is essentially merge the toolbar and the address bar. So Google gets to see whatever you're typing in the address bar.
Baltimore, Md.: A heads up for users of BitDefender: This week, I received an e-mail from BitDefender saying my subscription had expired. It looked legit, but I was certain my expiration date was several months away. So I wrote BitDefender and they confessed I had gotten the e-mail by mistake and that they were looking into it.
If anyone else has gotten such an e-mail, get in touch with the company--but don't worry that it's a phishing attempt, because it is a legitimate error.
Brian Krebs: Thanks for the tip, Baltimore!
Tyler, Tex.: What would be the result of never permitting the acceptance of a cookie? In other words, my computer would not allow the 'addition' of cookies while browsing, reading articles or shopping? Are cookies a problem for individuals much like spyware is a problem?
Brian Krebs: Cookies allow Web sites to tell that you've been there before. They can store basic information about you/your browser, such as the date and time of your last visit, the location you last visited from, and a username and password if a login is required.
Some sites behave weirdly if you do not let them place a cookie on your computer. Some will simply refuse to let you use the site without allowing them to place a cookie. In other cases, you simply will be forced to re-identify yourself each time you visit, assuming you're visiting a site that requires you to login.
Cookies are relatively harmless, in the grand scheme of things. Some people would disagree, but I've never felt particularly threatened by them.
Houston, TX: Brian, I thought Mozilla Firefox was a bit safer to use since most hackers were writing for IE. What is your opinion on which browser is safer? Jewel
Brian Krebs: I think that's a fair statement. 75-80 percent of the planet still uses some form of IE to go online, so it makes sense that hackers are targeting IE. I'm not going to stoke the debate over whether one browser is more secure than the other: my own research on the matter has focused on what I believe to be a more fair and relevant question. Namely, how quickly do the various software makers fix problems once they hear about them. On that front, you can see for yourself that Mozilla consistently addresses flaws much faster than Microsoft.
Rockville, Md.: Brian, ever since Ad-aware switched to a service-based program, I've been without a spyware checker other than the possibly useless Windows Defender. Do you have any recommendations for an on-demand spyware finder? I've seen readers advocate for this product and that product, but it seems a lot of these programs have way too similar names and I don't want to accidentally download scareware.
Brian Krebs: Who needs anti-spyware? It's just another program to weigh down your machine. Do yourself a favor and run whatever browsers you use under the Drop My Rights program (assuming you're not already running Windows in a limited user account...hey, come to think of it you didn't tell me what version of Windows you're running!) DMR really is a very simple and easy to set up approach to making sure you don't have to worry about adware or traditional spyware. It is not, however, a substitute for other Windows safety precautions, such as patching, using a firewall and hopefully some kind of antivirus.
If you can't be bothered to use Drop My Rights, Windows Defender is free and does a decent job, although it consumes quite a bit of resources.
Woonsocket, RI: Brian, your column helps me to maintain my rep as a computer whiz; thanks.
Perhaps you can help me with an odd problem. I installed Google Chrome at home, and took a look at my personal website. To my surprise, Google said that it had malware. It's a simple old site with just HTML that I mostly hand-coded, image files and PDFs, so this confused me. I eventually found a script exploit in my index.html, and also found that my index.php was infected. I cleaned out the script code, deleted the php file, and changed my password. But I still can't figure how my site got infected. My password was strong, and I've never shared it. I never used any software I didn't understand. What could have happened?
And how can I get my site's reputation back? Even the firewall at my workplace is blocking it now! I've asked Google for a review; is there anything else that I can do? Thanks!
Brian Krebs: Ah, reputation on the Web. You're finding out the hard way that, while you can usually fix the problem in a few hours, the stain of that infection on your site's reputation can last for quite some time.
My advice is to stick with the Stopbadware forums and be polite but insistent that your site receives another review and is de-listed from Google's Badware database. It will happen, but for many people it doesn't happen fast enough. Try to be patient.
PHP is probably one of the most -if not THE most - frequent vectors for Web site compromises by bad guys. There are just too many third-party plug-ins that aren't well maintained either by the vendor or by the Webmasters responsible for keeping up with the latest releases. If you're going to use PHP code or special PHP modules, be sure you feel confident about their origins. And by all means, see if the maker of the code set you're using has a mailing list you can subscribe to in order to stay abreast of new versions or important updates.
Best of luck.
Columbus, Ohio: Earlier this week, I upgraded to Webroot's 5.8.1 build for anti-virus/spyware protection. I am still not running the firewall included with the software (free ZoneAlarm instead).
The previous Webroot build was a resource hog. However, at the end of an overnight sweep, this new one leaves me with an onscreen message that Windows must add to my depleted virtual memory. Unless I run a custom very-slow scan (requiring less system resources), my computer will seize up following the scan, necessitating a reset.
Is it time to dump this program? Or should I return to the previous build? If so, how? Running XP/SP3 fully patched, 1gb RAM.
Brian Krebs: Run, don't walk, run, away from Webroot. I happen to know some of the people who work for that company, and like them very much. However, that is one of the most bloated anti-spyware products I've ever seen. It's a huge resource hog. At one point, that company had a decent product. I don't know where they lost their way, exactly.
You could try to revert to an earlier build, but I'd suggest dumping the program in favor of some other anti-virus program (ESET NOD32, F-Secure, Avira all rate highly in recent tests). See my answer above to the person who asked about anti-spyware and my response re: Drop My Rights. Use DMR and the whole adware/spyware thing will go bye-bye, trust me.
Re: which browser is safer?: Firefox doesn't do ActiveX, AFAIK, and that is a big advantage.
The problem I'm seeing is the social engineering; "Watch the video, download the CODEC here." "Your computer has 87 threats. Click here to install Antivirus 2009." I don't know how to protect the average user against stuff like that.
Brian Krebs: You do like I suggested in a blog post yesterday: If you didn't go looking for it, don't install it! If you live by that maxim, the codec/add-on baloney/social engineering crap that criminals are constantly trying to throw at you will be a non-issue.
San Francisco, Calif.: I am using XP Pro and put in SP3 about 2 weeks ago on 3 laptops -- ever since then all 3 units do the same thing whenever we start to defrag: "MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC." Options are: 1 - report to Microsoft and shut down MMC; 2 - continue and ignore errors for rest of this session; 3 - continue running and always ignore errors regardless of session. HELP!!
Brian Krebs: Hrm. My guess is some third-party disk management software you have installed on your machines isn't playing nice with SP3. Have you tried just hitting continue and ignore? What happens then? This error has been seen on plenty of other programs, and from what I can tell it's *usually* safe to ignore and continue.
Before you go and hose your machine, I'd advise you to make sure you have backed up your data and important files. I really don't think hitting continue will cause any major problems, but you probably don't want to find out the hard way that I'm wrong.
Brian Krebs: I am out of time today, people! Thanks so much to all who dropped by to read or pop a question in the hopper. We'll try and do this again in a couple of weeks from today. In the meantime, please consider making the Security Fix blog a routine stop on your daily browsing commute! Thanks again, and be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.