Security Fix Blogger
Friday, October 10, 2008 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Oct. 10, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
The transcript follows.
Brian Krebs: Happy Friday, dear readers, and welcome to Security Fix Live. This morning is somewhat quiet question-wise, so if you've got a security question or computer conundrum, please don't hesitate to drop it in the hopper. With that, onwards!
Arlington: Hi Brian,
I use Fios, and have an Actiontec MI42WR wireless router issued by Verizon.
I have a Vista Home PC (zonealarm free firewall, avg antispyware, lavasoft, spybot) hooked up to it via ethernet cable and sometimes use a Mac Leopard laptop wirelessly throughout our apt.
I can enable/disable the wireless function on the router using a webpage.
My question is: when I have the wireless function enabled, is my websurfing on the wired PCs- bill paying, financial transactions - any LESS secure than if i were to first disable the wireless?
Or does it not matter at all?
Brian Krebs: Hi Arlington. You didn't say whether you had enabled the wireless encryption that ships with that router. From Actiontech's support page, it appears that the device supports both WEP and WPA forms of encryption. WEP is a badly outdated option, as methods and tools for cracking WEP passwords are well known and widely available.
Qwest has a support page for this router that explains how to access the router's built-in Web page to configure WEP/WPA if you haven't done so already.
While WPA is not unbreakable, it is far more secure that WEP, and if you use a sufficiently long passphrase as your WPA key, you'll have a very solid setup.
Provided you are using WPA with a sufficiently strong key (I would recommend greater than 10 characters), your wireless setup should not impact the security of the other systems on your network.
Washington, D.C.: Hi Brian! This perfectly came just as I need it.
I been experimenting using Linux only for the last few months and I've given up. A full reformat later I now have a duel Ubuntu/XP laptop. I've secured XP in the usual ways, but how protected will my Linux data be (my primary OS)? Thanks!
Brian Krebs: Good for you for setting your system to handle dual booting. I have the exact same setup as yours on one of my laptops, and enjoy having the option of using either operating system.
There are plenty of security forums that explain various ways to harden the security of Ubuntu. The Ubuntu security forum has some excellent tips; you don't need to do everything they recommend there, but it's a good start and will help you understand what to look out for and how to configure the OS securely.
One of the biggest security differences between Windows and Linux/Ubuntu, etc. is the default user rights. By default, all users on XP are "administrators," in that they can make any and all changes to the operating system, can delete entire directories, install programs, etc. This is very dangerous, as it allows things like drive-by downloads to install malicious software and otherwise hijack the user's system.
This is one of the main reasons I constantly recommend Windows XP users do NOT run as admin for every day use, but instead use a limited user account, or at least a program like Drop My Rights which can lower the rights of specific Internet-facing applications that are most frequently attacked, such as the Web browser or media player software.
Ubuntu addresses things differently. By default, Ubuntu locks the admin or "root" account so that the user does not have all powerful rights on the system. With Ubuntu, the user is forced to use the "sudo" command to elevate their privileges on the system. That said, the easiest way to poke holes in the security of an Ubuntu system is to run applications and processes as root. Avoid this practice at all costs, and by and large you should be fine.
Sun Prairie, Wis.: Good morning, Mr. Krebs. I recently had a hard drive on my Dell Dimension crash and have to be replaced. The computer was under warranty, so I shipped the old hard drive back to Dell. Should I be concerned about the data on the old hard drive? Specifically, should I change all my passwords (for things like online banking)?
Brian Krebs: Good question, Wisconsin. I wouldn't worry too much about Dell technicians rifling through your data. Chances are they will simply copy the data on the old drive over to the new one.
However, it's always a good idea to periodically change your passwords for financial sites and others that have access to your personal and financial data. This seems like an excellent time to go ahead and do that.
Woodbridge, Va.: I'm using Windows Vista and my backup has not worked for months-it says last backup failed. I tried a few things to to fix it but to no avail. Any help with this would be appreciated. Thanks, Novice
Brian Krebs: It would help me answer your question if I had a bit more information about your setup (e.g., if you're using Vista's built-in backup program or a third-party one, any error codes or messages, etc.).
A couple of things come to mind. You didn't say whether you're running anti-virus on your PC, but it may be that some auto-protect feature of the anti-virus software is preventing the backup. You might try temporarily disabling the auto-protect feature of your AV software and trying a manual backup again directly afterwards to see if that's the culprit.
It may also be that one or more of the system restore points on your computer is corrupted, and that the backup is failing as a result.
Here are a couple of things you can do to help solve this mystery. First off, try checking in the Windows Event Viewer log to see if there is any more information about why the backups are failing. Often, these messages are cryptic, and only include an error number, but Googling on that error number can sometimes lead to solutions that other users having the same problem found to fix it.
To get to the Event Viewer, click on the Vista Start button, then in the "Start Search" box type "event", and you should see Event Viewer listed in the results.
If you don't mind deleting past restore points (your call, but if you do this you will lose the ability to restore the system to know good states), that might be a last-ditch option to see if doing so allows backups.
Best of luck. And please circle back with any follow-ups or solutions you find. Thanks!
Barberton, Ohio: Brian, You have supplied such helpful information in the past I thought that I would run this by you. I have a Lenovo X41 tablet running XP tablet with AVG 8 and Spy Sweeper. I have 1 1/2 gig of ram and it takes over 9 minutes to boot up. The only programs in the start up are the above mentioned security software along with the tablet software (Journal)and Open Office. Can you give me some suggestions on how to speed up the boot process? Thanks!
Brian Krebs: Hi Barberton. Thanks for the kind words. We have one system at home that runs AVG8 (free), and I noticed that it was taking forever to boot up, and that the first thing it does is try to download updates. Now, this is an XP laptop on a P3 with limited amount of ram (I think it only has 512 MB of ram), and it is two floors down from our router, so that may have explained some of the slowness.
But after I swapped out AVG for Avira, I noticed a remarkable performance improvement immediately. I'd recommend swapping in Avira for AVG to see if you notice similar results. You may get periodic nag screens to upgrade to the paid version, but I'm betting you'll notice an overall performance improvement.
Please circle back at some point and let us know if that helped or not. Thanks!
Wash, DC: Your answer to Arlington about the wireless router didn't mention limiting access to the wireless network to specific devices by using the unique identifier of each device.
Brian Krebs: I *think* Washington is referring to enabling MAC address filtering on the router. MAC addreses are unqiue identifiers encoded onto all networking devices. Most will have the MAC address printed on the back of the devices themselves, but you can also tell the MAC address of any devices connected to your system by opening up a command prompt (Start, Run, type "cmd.exe") and then typing "ipconfig/all". The MAC addresses are the six-figure addresses listed next to "physical address" in the results produced by that command.
Many routers support a security option whereby you can limit access to the network so that only MAC addresses that you input into the router admin page can gain access to the router.
I didn't mention MAC address filtering for a couple of reasons. One, I wasn't sure whether that router supports MAC address filtering. But secondly, it's more of a superficial security measure than anything, IMHO. It can't really hurt to enable MAC filtering (unless and until a guest or family member wants to pop on the network while they're visiting), but anyone who has access to the wireless network (assuming he or she knows the encryption passphrase or encryption is not enabled) can see the MAC addresses of the systems already connected to the router.
Atlanta, Ga.: Hello Brian,
I love your information. I use Firefox with the noscript extension in a limited user account. I only have a couple of websites that I fully trust. How do you generally use noscript and Firefox on your computers?
Alexandria, Va.: Hi Brian - Maybe this is a security question, but maybe it's more of a network question. After my computer is idle for an hour or so, I sometimes get knocked off my home wireless network (my computer is two floors down from the router). If I restart, I can get back on. Any ideas why this is happening, and is it a necessary evil (like, maybe my firewall is doing what it should be doing?)
Brian Krebs: I doubt your problem is malware-related. Most of the time, in my experience, problems with wireless connections randomly disconnecting are due to either low signal strength, or more often dueling wireless management software.
If you use a PCMCIA or USB-based network card for your computer/laptop, chances are good that it came with an installation disk that installs the product maker's own wireless configuration client. But Windows has its own wireless configuration utility that works just fine. That is, until you install another wireless utility on top of it. If you have one of these secondary wireless utilities installed, remove it, and see if that fixes your problem.
Otherwise, check your signal strength. If the network icon in the Windows taskbar is not at least showing "good" when you hover over it, it may be that you need to increase the signal strength. The best option here is to move the router to the center of the house; there are wireless repeaters or signal strength extenders available (be aware that these may not increase the signal strength by much, and many of them only work with WEP wireless encryption and do not support the stronger WPA encryption). There are also relatively cheap stronger antennas that you can substitute for the router's default ones, but in many home setups these will not help at all.
Stockholm, Sweden: Hi Brian,
My little brother has somehow downloaded a software from antispyware.com that claimed that our computer was full of Viruses. He wasn't reading EULA for this and installed this software.
Now this program wants money for registration and keeps popping up every 5 minutes saying that we need to upgrade and pay for that. I wasn't able to remove it easily and it is still popping up.
I made a little research about it and saw many people complaining about the same on this site. E.g http://www.mywot.com/en/scorecard/antispyware.com
How is it possible that they are still online with domain registered with Godaddy and hosted by The Planet? As I suppose the biggest and very much full of such scam companies. Why you still haven't wrote a word about them as they seem to ignore very much of abuse letters send to them ("just because they are big") and providing services for such domains for a long time already?
Brian Krebs: Hi Stockholm. The fake anti-spyware and anti-virus problem is huge and widespread. Millions of computer users are being infected with these extortion scams. Worse still, some folks are falling for them, handing their credit card numbers and personal info over to scammers while leaving their computer no more secure for the purchase.
Two programs I've found are tremendously helpful in getting this scareware products banished from Windows systems. One is Superantispyware, and the other is Malwarebytes Antimalware. Both have free/trial versions and pay versions that work equally well at removing this stuff.
To answer your larger question, a number of registrars are trying to clean up/shut down these domains, but the scams are so successful that new domains are popping up each day.
Rockville, Md.:"It can't really hurt to enable MAC filtering (unless and until a guest or family member wants to pop on the network while they're visiting), but anyone who has access to the wireless network (assuming he or she knows the encryption passphrase or encryption is not enabled) can see the MAC address of the systems already connected to the router."
Correct me if I'm wrong but if you have MAC filtering, an "outsider" doesn't have access to the wireless network and therefore cannot see the MAC addresses of the system already connected. Yes, MAC addresses are spoofable but if you don't know the address to use (since you can't get the list), you can't spoof it.
Brian Krebs: What I'm saying is that using WPA encryption is crucial. MAC filtering on its own won't do much good, b/c if someone can freely get an IP address from the wireless router, they can sniff and spoof the MAC addresses of other devices on the network. Unencrypted traffic sent in the clear is easily sniffable using available tools like Kismet and NetStumbler.
NY, NY: Given the recent article on software allowing people to hack their passports, any suggestions on how the governments might be convinced to share their public keys?
Brian Krebs: NY is referring to this recent blog post:
The answer is that some governments *are* sharing that information, but not enough of them are. More are planning to, but there are other considerations that make this a less-than-simple task. For example, there are issues of certificate revocation (the keys need to be changed periodically for security reasons, and keeping track of old keys is costly and complicated).
Clemson, S.C.: Good Work Brian!
I took your advice about a year ago and set up limited user accounts on all my computers. I tweaked all the security settings, I use Avast antivirus, WinXp firewall and a router. I see all my friends with five and six different type security programs and I keep wondering... when is enough, enough?
Brian Krebs: Clemson, glad to hear you've set up limited accounts. My guess is that all your friends who had 19 different security applications running on their systems do so because they are still running Windows under the default, all-powerful "administrator" account, which of course exposes the user to all kinds of unnecessary and dangerous security risks. Rest easy.
Password Safe: I am using Password Safe to handle the log-ins for all my accounts, from financial transactions to discussion forums. In fact, I believe I was directed to this application by you (or maybe one of your colleagues). Do you know how the specific file on which the critical data (user IDs and passwords) is stored is protected? Is it itself encrypted? When I look at the director for the application, there are loads and loads of interim backups in addition to the current file. If my PC's hard drive were stolen or improperly accessed by an intruder, could those files be read? Thanks for your help.
Brian Krebs: That program, which as you mentioned I have recommended on a couple of occasions (the latest one being here, relies on a vetted "twofish" encryption algorithm that appears to be very strong. I would be most concerned that you have chosen a very strong but memorable "master password," because in Password Safe -- as with other password management programs -- all of your passwords are accessible if you know the master password.
Chantilly, Va.: Brian,
I tried the Comodos firewall on my XP SP2 laptop and it went into a continual loop asking permission for the same file, so I had to delete it. I'd take it off of your recommended list.
Brian Krebs: In a follow-up email to Commodo, I asked what users could do or change in the program to make it less annoying when installing other programs. Here was their response/advice:
"1 - Going to Misc->Manage My Configurations
2 - Select->COMODO Network Security
These 2 steps would make CFP a leak proof but less intrusive firewall. Additionally, our next big release should have the settings to reduce popups set to default, so hopefully you won't run into as many problems in the future."
Dayton, Ohio: Many open source projects include MD5 (or other) checksum information at the download site. Can you recommend a tool that allows a user to calculate the checksum of what gets downloaded to verify the downloaded file matches checksum wise?
Brian Krebs: Microsoft has a command line utility that does this. You can read about it and find the download link here.
Brian Krebs: Just a follow-up note to clarify my response to the question from a Rockville reader who asked about MAC filtering. An attacker would not need to get an IP address from the router to carry out a MAC spoofing attack. Sorry for the confusion.
Russ, Lansdale, Pa.: I have a Dell desktop running Vista under limited rights accounts for the general family computing. I am running Firefox 3 and locked IE down with highest restricted settings b/c I understand from past columns, Firefox can sometimes refer to these for permissions. I use the McAfee suite avail through Comcast. Despite these, I downloaded and ran both Spybot and AdAware and was surprised to find over 100 misc tracking items on the machine. How do they get past all the other stuff and how do I prevent re-occurrences
Brian Krebs: I'm guessing that the "tracking items" you mention that Spybot and Adaware found were in fact "tracking cookies," tiny text files placed by Web sites that identity you as having visited before, and often store credentials that allow you to avoid having to enter your information/login each time you visit the site.
A lot of people freak out about tracking cookies, but they're mostly harmless, IMHO. Well, at least compared to some of the other threats out there today.
Fort Collins, Colo.: Hi Brian,
I'm continually forced to come up with new passwords because, say, one system I have to access has a requirement of a 12 character password with a number or special character in the middle; then another one just wants 8 characters but two special characters; some need to be changed every 45 days, others never need to be changed...
So I wonder two things: does adding password complexity translate to real world security, and how you keep up with all of your passwords. At one point, I was so frustrated with a web site (Fedtraveler.gov), that I just put my password on a sticky note and put it on my wall.
Brian Krebs: Fort Collins -- For whatever reason, I don't have much trouble remembering passwords, but I know plenty of people do and find it extremely frustrating. I've used Password Safe before and found it to be a very effective option. I mention some other options in this blog post:
Writing down your passwords is a sane approach, assuming you are confident about the physical security of that list. Putting a password on a sticky and slapping that on the monitor, computer or wall is probably not ideal; but then if the wall said sticky is placed on is surrounded by a solid physical security system, that's a whole lot better.
Brian Krebs: That is all I have time for today, folks. Thanks to all who participated or just stopped by to read. We'll try and have another Security Fix Live in a couple of weeks. Until then, please stop by the Security Fix blog regularly to stay aware of the latest threats, scams and tips. Be safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.