Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, September 26, 2008; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Sept. 26, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.

The transcript follows.


Brian Krebs: Good morning, dear Security Fix readers. Happy Friday and welcome to Security Fix Live. If you can give me as much information as possible about your setup and installed security software and/or any error messages, etc., it will help enormously in getting you the best answer to your question. With that, here we go!


Anonymous: I was informed by a bank that is unknown to me that they had lost computer tapes with my personal information on them. They offered to purchase a credit monitoring product Triple Alert in my name to protect against fraudulent use of my information. Is Triple Alert a good product? What are some alternative products that I could find? And why is the BNY Mellon Bank of New York claiming they have my personal information when I don't recall doing business with them?

Brian Krebs: Bank of New York Mellon is a large financial institution that recently disclosed it has lost several backup tapes and that as a result millions of consumers could find their financial and personal data at risk, such as bank account numbers and social security numbers.

You may have received a notice even if you are not a direct customer of BNY because the bank handles money for a number of different banks.

I don't know much about Triple Alert, but it is probably not a whole lot different than the rest of the credit monitoring services out there. Mainly, these services for a monthly fee of anywhere from $10 to $15, will monitor your credit file for signs that someone is trying to open a new account in your name. However, most of these services will do nothing to prevent fraudsters from abusing accounts that you already have open. The best remedy for that is to keep close tabs on your credit card and banking statements for anything unusual, and report suspicious or unauthorized transactions immediately.

I am currently conducting a trial of services from Debix, which has a unique way of notifying customers when someone tries to open an account in their name. The company also lets you view your credit file, but a key differentiator of their services is that it is quite a bit cheaper than most any other. I've looked at various offerings from the three major credit bureaus and companies like TrustedID and Lifelock, but I can't see paying more than $100 a year for this service. Debix's service costs about $24 a year per person: about the price of a cup of coffee each month.


Rob, Minneapolis Minn.: Many people are concerned about the private information that they are keeping on their mobile devices such as contacts, and even now important information about themselves such as health plan numbers, and passwords. With the rapid innovation we're seeing in the cellular and mobile marketplace largely fueled by the introduction of the iPhone, how do manufacturers balance the need for rapid innovation versus the need to apply appropriate security to those devices? -- Is the marketplace taking a responsible position on mobile security?

Brian Krebs: Not sure if the marketplace is taking a responsible position on this or not, but iPhones used in the enterprise, as well as the ubiquitous Blackberries, have remote-wipe features that businesses can use to remotely zap the data on the device should it be lost or stolen. This is a fairly straightforward and simple process that can and should be communicated to employees; much like when your credit card is lost or stolen and you (hopefully) promptly report it to the credit card issuer, employees should be given instructions about what to do in the event they lose their mobile devices.

Communicating security policies to employees is necessary but, I'll grant you, is an uphill battle. Even employees who ought to know better often don't fully understand what data to leave off of their mobile devices. What's more, it's not uncommon for corporate mobile users to jeopardize sensitive data accidentally. For instance, as I wrote in my coverage of the Black Hat security convention in Las Vegas this summer, many of the people caught on the Wall of Sheep, which grabs usernames and passwords passed in the clear over the conference's wireless network, turned out to be security executives who were checking their e-mail on their iPhones and weren't aware that the device had switched from using the internal GPRS modem to passing the information over the local wi-fi network.


El Paso, Tex., again: In follow up to your blog post about Facebook-like phishing:

I've gotten some VERY "good" phishing lately, impostering a bank I have accounts at and a credit card I have.

When I'm not sure, I right-click on links or hyper-text in the phish-y e-mail for "properties". That seems to work, to flush out phish. That shows me it's based on a weird web site, likely in another country.

Any reason why right-clicking is a bad idea?

Brian Krebs: Hrm. Well, clicking anywhere on e-mails you suspect may be fraudulent or malicious is a dicey affair. I say this because I've had right clicks errantly become left clicks, with scary results.

But to your question, I'm not sure what you hope to gain by right-clicking and selecting "properties"? You can always view the composition of a link merely by hovering over it with the mouse and viewing the output in the lower left corner of your Web browser Window.


Arlington, Va.: I recently made a very troubling discovery. My workplace only has antivirus protection. They don't have any spyware protection on our computers. Identity theft aside, isn't it standard operating procedure to have spyware protection on all company computers so as to maintain corporate integrity?

Brian Krebs: It really depends on how your employer has set up her network. Most malware, be it spyware/adware or more malicious bots and computer worms -- works by modifying key, fundamental components of the operating system, like adding new user accounts, changing registry settings, or injecting programs into running processes. Most of these behaviors can be blunted if the user operating the machine for everyday use isn't running under the all-powerful administrator account, which has rights to change any system setting, install software, delete programs, etc.

I have long maintained that running a computer under a limited user account is the safest way to keep malware and spyware off your system, and I've even gone so far as to say if you've done this then you probably don't have much need for anti-spyware programs.

Many, many corporations lock down their employees' computers this way, because it saves them a ton of hassle from having to clean up infections and otherwise mucked up PCs. One quick and easy way to test if your employer has limited your access in this regard is to try and install a program: If the install fails, giving you a message that you don't have adequate system privileges, then your employer has set your system up so that you're running under a limited user account.


Re: "I was informed by a bank that is unknown to me...": Sounds a whole lot like "PayPal/Bank of America/insert some other bank here requests that you update your security information..." There is this thing going around called "social engineering"...

I'd bet that some scammer is taking advantage of the lost tapes in order to make a few bucks.

Brian Krebs: Yes, this is a possibility as well. Thanks for mentioning it. However, I'd wager that if the person asking the question received a notice via snail mail about this, it's most likely not a scam. In any case, Bank of NY Mellon has a link on their site to the Triple Alert service offering on the same page as their description of this incident, which takes visitors to a page at credit reporting firm Experian. Breach letters and service offerings like this generally come with a unique identifier that must be entered before the notified person can take advantage of the service, which would be another way to verify the authenticity of any notification letter.


Silver Spring, Md.: I use both (anti-virus software with a firewall) and a router on a stand alone PC with Windows Vista.

I suspect that someone periodically puts "session cookies" as well as "persistent cookies" on my computer that are forcing Outlook 2007 to send out emails without my consent. Sometimes whenever I send out one email, Outlook 2007 says "sending 1 of 4", then "sending 2 of 4" up to "4 of 4" even though I am only sending 1 email and no other emails are pending to be sent.

How can I locate and delete the "persistent cookies" and stop Outlook 2007 from sending out emails without my consent? Does this person have my email password?

Outlook 2007 also closes whenever I open it and a web page pops up with a URL. Is this person putting "session cookies" on my PC? How can I stop it? The link that pops up is as follows:

(with a page asking me for info about my PC.)

This link does not appear to be from Microsoft. Is this link putting session cookies or persistent cookies on my PC?

Brian Krebs: I think there are a couple of things going on here. First, I'm not sure where you came up with the idea about tracking cookies and persistent cookies (which almost certainly have nothing to do with this Outlook problem you're having).

First, let me note that the link you mention IS from Microsoft, and it's part of the crash reporting service built into Windows that lets Microsoft know basic information about program crashes so that it can figure out (in the aggregate) what applications might be causing compatibility or stability problems. You can disable the "Doctor Watson" service by editing the registry (Google for it if you really want to do this) but I'd advise against doing that for now, unless you really know what you're doing, as monkeying with the registry can have disastrous results if you screw something up in there.

One question I'd have is are you using Outlook to manage multiple e-mail accounts (e.g., POP3 email accounts such as Gmail or Yahoo?). If so, it could be that some setting has changed on those other accounts (a password maybe?) and the outgoing mail is not able to be sent so it keeps trying over and over each time you send a mail with your main Outlook account. Just a guess. Another guess, perhaps you have return receipts turned on and something is getting borked there? Again, just a guess. It's also possible that there is some kind of infection on your PC, but I really haven't heard of this behavior before.

To get a better sense of what's going on and get beyond the guessing, I'd encourage you to enable Mail Logging on Outlook 2007. Instructions on how to do that are here (use the first method listed, not the registry-editing method). Then, review the log files (they should be stored in \Documents and Settings\[username]\Local Settings\Temp, but that may be slightly different in Windows Vista). That should enable you to see where the emails are trying to be sent, and should display more granular error messages about what's going on.

Good luck, and please circle back in a future chat or drop me an email (brian dot krebs at washingtonpost dot com) to let me know if this helped.


Washington, D.C.: I would like to get your opinion on this situation. I work for a small Federal agency. Earlier this year, we were notified (several months after the incident) that the agency had 'lost' a notebook with the names and social security numbers of over 4,000 former and current employees. The official story is that the notebook was misplaced during an office move, but an IT employee told me that what "really happened" is that an employee took the notebook home with her and then claimed she misplaced it. I have no idea whose story is correct. In any event, the agency has purchased a year's worth of credit monitoring for all affected employees, current and former. I have been checking all my accounts every month, and I haven't seen anything suspicious, but I wonder if you can assess whether I am truly at risk of identity theft and how long I should continue (at my cost) the credit monitoring. Thanks.

Brian Krebs: All of the studies I've seen indicate that in very few cases in which a consumer's data is lost or stolen does the data end up being used for identity theft or ID fraud. I think the stats are somewhere around 1-3 percent. It's not clear whether that incidence is higher with laptops and other storage media that are stolen vs. lost, but in any event the data suggests that your risk is actually quite low.

You should know that there are alternatives to credit monitoring services. One is simply to place a reminder on your calendar to call up one of the credit bureaus every 90 days and place a fraud alert on your file, so that creditors need to get your permission via phone before approving the opening of a new line of credit in your name. This isn't foolproof, as some creditors will ignore these alerts, but it's free.

Another, perhaps more drastic option, is a security freeze. Many states, and now the major credit bureaus, let consumers freeze their credit files for a $10 fee per bureau (count on paying $30 for a freeze, and probably another fee on the back end to unfreeze your credit.) Credit freezes should not be done lightly though: they can impact your future ability to get credit, take out a loan, gain instant credit, etc. Some employers also do background checks before hiring, and a freeze may interfere with that without your knowing.

I've written a great deal about credit freeze laws and the up- and downsides of this option: you can find many of those pieces by checking out this Google search link. You can also find a wealth of other information and options at the Privacy Rights Clearinghouse Web site.


Re: "I was informed by a bank that is unknown to me...": Your suggestion, go directly to the web site (or contact the institution directly by phone), is always the safest thing to do when in doubt (or maybe even when not in doubt...).

The original poster didn't say whether s/he got e-mail or SnailMail, but I have trouble believing that a bank would contact someone who isn't a customer and try to market a service because the bank screwed up. This sounds like a violation of somebody's TOS, But hey, if I was smart I'd be rich...

Brian Krebs: In an effort to put this one to rest, check out this FAQ link here at BNY on the incident. Specifically:

"I am not familiar with BNY Mellon Shareowner Services. How is it you may have my personal information?

BNY Mellon Shareowner Services serves public companies as their stock transfer agent, stock plan administrator and in other capacities. Companies also hire us to process corporate transactions such as mergers and acquisitions. If you receive a letter from Shareowner Services, it is because you are or were a shareowner or employee of one of the companies we serve, and data relating to you was included in the missing tapes."


Rockville, Md.: Comment:

Recently the Washington Post's Postpoints sent me an e-mail concerning a reward. It landed in my spam account where it was almost deleted because it wasn't clearly marked as coming from a reputable company; a person's name, as I recall, was used. This happened with another company's legitimate e-mail. Companies should include their name in mailings.

Brian Krebs: Thanks, and I'll pass this along.


El Paso, Tex.: trying to live as a limited user: I've read your chats for about a year and in the last couple of months started reading your blog. Thanks for your work.

No network. I run Windows XP Home, Service Pack 2 (have not yet installed 3). I use Webroot Anti-Virus with Anti-Spyware and Webroot Desktop Firewall. I use the latest Firefox with the latest no-script add-on, thanks to your repeated nagging. I use a DSL connection for Internet access.

I'm finding it difficult to live life as a limited user:

1. My legal document-assembly and scheduling software -- formerly ProDoc in Texas, recently bought out by Thomson/Westlaw -- will not function with my years-old database unless I am in the admin user. (In a chat a few months ago, and later by exchange of e-mails, you tried to help me with this. I appreciated your efforts very much -- thanks again -- but we did not succeed.)

2. My Webroot firewall/anti-virus/anti-spyware will only run in one user at a time. If I have two users logged on -- Admin & Limited -- one will NOT benefit from the Webroot (if I understand the warning correctly when I change user without logging off). I now pull out my Internet connection while I log out and change users, or if I'm logged into both. Ridiculous, right?

My Corel Word Perfect X4 works fine in either user, or in both users at the same time.

If you have not done so already, can you suggest alternative virus-spyware-firewall software that plays well with more than one "user" on the same hardware? (Until this problem, I was satisfied fine with Webroot.) I will write the new ProDoc owners about this issue myself.

Brian Krebs: I feel your pain, El Paso. And I'm sorry my previous advice didn't help your situation. Have you given thought to using the Drop My Rights approach? Using DMR, you basically run the system as administrator, but set up individual applications to run under a limited user setting. I often advise people who have trouble with the wholesale limited user account approach to use DMR on their major Internet-facing apps, such as IM, e-mail and, most importantly, any Web browsers.


Washington, D.C.: Hey B. I have a Presario laptop (R3000) that a friend gave to me because it was so screwed up with "spyware removal software" and they had bought a new one. This computer is so screwed up with fake "helper" software that it creeps. I am trying to recover the system back to what it was the day it was new, but have no recovery disk. Is there a way to do a complete system recovery with no disk? Thanks for your help. P.S. You're dreamy.

Brian Krebs: You have a few options. The simplest and most obvious is to borrow an installation CD from a friend. Provided that you have a valid license key, there's nothing wrong with this approach. I'd encourage you then to wipe the drive and reinstall from scratch, updating with patches, etc.

If this isn't an option, you might consider installing Ubuntu or some other free operating system. Alternatively, you could download and burn a Live CD version of Linux (there are literally hundreds of these now, catering to just about any imaginable set of tastes, tools, interests). You burn them to a CD, boot up into the CD and you're good to go. You can even set it up so that you can save files/browsing, etc. to a removable flash drive.


Whitefish, Mont.: Hello, and thanks for taking my question. Do you know if the government is infiltrating computers with spyware, in the interest of domestic spying? Nothing would surprise me, these days, but just curious with regard to what we know. (or think we do.)

Brian Krebs: Is our government infiltrating computers? Without a doubt, yes. Are they doing so to further domestic spying? Perhaps. They've done it before against the mob, but that's not exactly the same as your average Joe.

Are they infiltrating YOUR computer? Not likely. Would you know it if they were picking on you specifically? Again, probably not likely.


Columbus, Ohio: On your advice, I recently got rid of my Webroot security software (good riddance!) and replaced it with F-Secure AV 2009 with spyware protection. It would not download until I uninstalled my free Zone Alarm firewall. F-Secure is currently running OK with my XP (SP3 fully patched) Windows firewall. Will F-Secure still work if I reinstall free ZA? I used the latter for years and really like it.

Brian Krebs: I don't know of any compatibility issues between ZA and F-Secure, but the two programs hook deeply into your operating system and it's not uncommon for two security programs to struggle for supremacy over a single machine, each viewing the other as a threat.

You could try reinstalling ZoneAlarm to see if the two play nice now. I suspect they will. You may, however, have to let ZA know about the things that F-Sec needs to download updates, etc.


Brian Krebs: I'm going to submit and answer a question on my own, since it's probably a situation that many people will run into at some point.

My father in law called a few weeks back to say he couldn't get on his wireless network anymore, and that the laptop was no longer seeing any of the wireless networks around, even the neighbor's. I had the answer at the ready because this exact same thing happened to me and I must have scratched my head for hours before smacking it when I figured out the obvious answer: Many laptops now ship with a tiny button somewhere on or near the keyboard that turns the built-in wireless card on and off.


Brian Krebs: I'm sorry but that's all the time I have today. Thanks to all who stopped by and to everyone who submitted questions. Please come back for another Security Fix Live chat in a couple of weeks, and in the meantime consider popping by the Security Fix blog to keep on top of the latest security threats, tips, and advice.

Be safe out there, people!


Editor's Note: moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. is not responsible for any content posted by third parties.

© 2008 The Washington Post Company