Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, November 7, 2008; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Nov. 7, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.

The transcript follows.


Brian Krebs: Good morning, Happy Friday, and welcome to another Security Fix Live! Questions are piling up already, but don't let that discourage you from dropping your own in the hopper. Please remember to be as specific as you can in describing your system setup - try to let me know what version of the OS you're using, installed security software, that sort of thing. And....WE'RE OFF!


West Falls Church: What's your take on wireless keyboards and mice? I know the transmissions back and forth aren't encrypted, and there's no software that exists right now to protect this data.

Brian Krebs: You might be more worried about someone sniffing the data going over a wired keyboard than a wireless one.

Beware, Your Keyboard May Be Tattling on your Typing

Seriously, I think the threat of wireless or wired keyboard data sniffing is next to nil. What's more, it's not likely that even if someone wanted your data that badly that they'd be able to intercept the transmissions any more than a few feet away (i.e., they'd probably have to be in the room with you).


Arlington, Va.: Is there a web site that can reveal what information one is revealing? There used to be such a link on the web site but I think they removed it.

Also, what is the best way to test whether I have adequate security? I tried running Norton testing, but for some reason it is not working on my Vista.


Brian Krebs: Yes. If you have Javascript enabled by default (e.g., running IE in its normal configuration), there is really no limit to the amount of data a site can collect about you and your browsing activity.

Check out the test at Master Reconnaissance Tool.

I think you'll be amazed at what it finds. Sites can also gather information about the places you've been online even without Javascript enabled -- by using what's known as CSS hacks. Check out this neat page, put together by researchers at Indiana University, which shows how phishers could tell which financial institution you bank with online, just by checking which major bank site names are marked as "visited" in your browser (it checks a long list of bank URLs to see which ones your browser has marked purple for visited).

Anyway, there are lots of sites like these. If you want a good way to test your system security, scan your computer over at Secunia. It will tell you whether you have any outdated, insecure software on your system that needs updating.


Fairfax, Va.: Re: Twin Compaq laptops, can't load Windows XP Service Pack 3 (XP-SP3) without live electrical connection-- How critical is it that I load XP-SP3? Does one XP-SP build upon the other? If it's critical, any ideas as to how I can get it loaded without having to get the laptop(s) replaced or serviced, which I'm not able to do? Thank you!

Brian Krebs: Unlike Service Pack 2 for Windows XP, there are no real security improvements in Service Pack 3. Of course, SP3 is a rollup of previously released patches, but if you've been keeping up with the monthly releases, you don't need SP3 for that.

As I've written, it's more useful for people who need to reinstall the OS and want to get up to speed on patches very quickly.

To answer your question, yes, Service Packs build upon one another, so that if you install SP3 on a fresh XP install, you don't also need to install SP1 and SP2 - they're all included.

In short, if you're keeping up with the monthly patches from Microsoft, there's no need to install SP3 on XP. Microsoft claims SP3 users will see a performance boost on XP, but if you can't install it for whatever reason, I doubt you'll miss it.


Stormville, N.Y.: Machine: Dell Dimension 4700, Windows XP. Running AVG Anti-Virus Free. Software firewall : Windows. Hardware firewall: router (not wireless). SuperAntiSpyware Free edition. SnoopFree Privacy Shield.

Yet something slipped by all these defenses.

A scan revealed the following:

Object name: c:-RECYCLER-many

Detection name: Trojan horse Downloader Generic8.BSQ

Object type: file

SDK type: Core

Result: Moved to virus vault

There was a second one, too. It was almost identical, but I failed to record beyond "cab".

A re-scan showed no infection. Am I safe now? How did this slip in? I recently downloaded the latest version of OpenOffice. Was that the vehicle for the infection?

Brian Krebs: In all likelihood, you're running up against what's known as a "false positive": essentially, antivirus software detecting good software as bad or malicious. This happens more often than people think, and it's something the AV companies strive very hard to avoid, because businesses absolutely hate it and will switch to a new AV in a heartbeat if the one they're using has too many false alarms.

AVG is more of a consumer product, and perhaps may be more prone to false positives. I found this thread over at the OpenOffice user forum that suggests you are not the only one who has had this problem.

Rest easy. False alarm.


Chantilly, Va.: Brian,

Why can't/won't most of the browser designers integrate a mail function into the program? As far as I can tell, Opera does this, but no one else seems to like the idea.

Is it a security or some other technical issue that I may not be aware of?

Brian Krebs: I suspect there are many reasons why more browsers do not bundle in a full-fledged e-mail client. For starters, browsers are incredibly complex pieces of software, and just getting them to work as stand-alone Web browsers is a job in itself, to say nothing of adding a bunch of e-mail applications on top.

Also, additional features add to program size, can interfere with browser speed and startup, etc. Opera obviously has licked these issues. It is a very slick piece of software, indeed.

Yet, Opera has a minuscule market share. Why? I don't know. But perhaps there simply isn't much demand for a browser that includes an e-mail client. After all, most people probably are more familiar with using Web-based e-mail these days.

This is all pure, off-the-cuff speculation, of course. Thanks for the question.


Columbus, Ohio: I used Bounceback Express for my backup program. It came with a portable hard drive that I have been using until recently.

Lately, the logs (plain text notepad files) of the backups to this drive include 16 screens (over 800 lines) of copy error line items--most of them 0003's, although there are a number of 0032's and a couple of 0002's. Most (@14 screens) of the 0003's point down the "program files" path of the directory of my F-Secure AV and anti-malware program. Every backup opens a dialogue box announcing that errors have occurred and telling me to check the log. Here is a random error line I copied: "563) 0003 copy C:\Program Files\F-Secure Internet Security\FSAUA\content\avpe\1225920356\base363c.avc". Since I do the backups overnight, I have no idea at what point the dialogue box pops up, but each backup process seems to complete itself.

If I do the backup via Bounceback to a newer portable hard drive, I wind up with only one screen of copy error line items and no error dialogue box at the conclusion of the backup process. In either case, the logs seem to indicate--to my non-techie eyes--that all essential data is backed up.

Has something gone south with the original, smaller (40gb) portable hard drive? It's a Firelite Smartdisk that I have used for @ 6 months. The new portable drive (300gb) is a Fujitsu. My system: XP/SP3 Home, fully patched, 40gb hard drive. I would like to alternate backups between the 2 portable drives so that I can always keep one off-site.

Since several hundred of the error lines point to my security program, I hope it makes sense to ask you about this issue.

Thanks for whatever light you can shed.

Brian Krebs: Hi there, Columbus. Thanks for your question. Seems as though plenty of people use this little backup program, I suppose because it is distributed for free with certain Seagate hard drives.

I don't have experience with the program, however, so I'm making a semi-educated guess here. Security and anti-virus programs can be finicky about the access they allow other programs, particularly when it comes to copying or in any way fiddling with the files they need in order to operate properly. This is because a great many malicious programs try to disable or destroy security programs on a host machine, so anti-virus and other security programs are understandably and quite rightly unfriendly to other processes that try to monkey with them.

I suspect that's all that's going on here. If the errors are limited to the F-Secure program directory, I wouldn't worry too much about it. After all, if you need to restore your system or reinstall, you're not going to lose anything by overwriting an old install of F-Secure: You can simply go to their site and download it again.

Anyway, I seriously doubt the problem is with the drive itself. Best of luck.


Indianapolis: Brian,

I run a non-religious, non-government charity in Ukraine and I purchased 5 computers with slim funds. During a recent visit I thought I'd be smart and run Windows Update. While I was talking to the tech that had to reload the software he told me, "There is one copy of Genuine Windows software in Ukraine and you don't have it".

Until I can purchase genuine software (if I ever can) what software would you recommend to me and Eastern Europe and the other millions of computers in the world to keep them from turning into bots (which affects the genuine software people). I was shocked to learn how many computers are out there unable to update.

Brian Krebs: Hello, and thank you for this question, because it addresses a very important and often misunderstood area of security vis-a-vis patches and genuine Windows.

Microsoft *does not* and has *never* withheld security updates for users who are not running genuine copies of Windows. I repeat: Even if you are running a pirated version of Windows, you can still download and install security updates.

That said, Microsoft's anti-piracy program (a.k.a. the Windows Genuine Advantage Notification tool, required at some point as a condition of installing updates) is quite aggressive, and will let you know by plastering your desktop with warnings and pestering pop-ups if it detects you're running an unlicensed copy of Windows. But it should not prevent you from downloading security updates. Please try it yourself and tell me if you are blocked from downloading updates. In fact, if you are, drop me a line at brian dot krebs at washingtonpost dot com, and I will make sure someone at Microsoft gets in touch with you.

Now, Microsoft does have a program that allows people who have bought computers that were installed with bogus Windows copies to get licensed copies for a reduced price.

All the same, you can and should get a licensed copy of Windows if you want to continue using the operating system. You also can and should make sure to keep all the rest of the third party software that you put on those machines up to date as well. Reading my Security Fix blog is a good way to stay abreast of security updates, as is occasionally visiting the scan at Secunia's software inspector site (linked in the answer above).


iPod Touch: Brian, I have a spanking new iPod Touch, and I've managed to tear myself away from playing 3-D mah-jongg on it to ask you whether you think that there is any risk of downloading malware or a virus if I use the Internet function at hotspots -- I'm not downloading e-mail, just checking weather, the market, news, etc. Thanks.

Brian Krebs: Well, seeing as the iPod is little more than a big fat hard drive with some pretty neat software running on it, there's certainly nothing to prevent the thing from harboring malware, and potentially becoming a carrier over to a Windows system that it later gets plugged into.

That said, I'm not aware of any threats that specifically target the iPod or iPod Touch. What's more, if you're not doing anything more than checking Web sites, then you don't really have much to lose even if malware *were* to somehow worm its way onto your device, do you?


Stormville, NY: Thanks for the answer, Brian.

Brian Krebs: Happy to help.


Cody, Wyo.: Hi Brian,

I read your disturbing article, "Virtual Heist Nets 500,000+ Bank, Credit Accounts" Friday, October 31.

I do everything you've advised over the years. I use non-administrative accounts for all internet-facing programs, do regular anti-virus and anti-spyware scans, never open email attachments when I don't know the sender (or even sometimes when I do), etc. etc.

But this threat sounds like it could get past all those safeguards. Am I understanding this correctly?

What, if anything, can ordinary folks do to prevent, or at least reduce the chances of, these attacks?

Thanks, Brian, for your great columns, and for keeping all of us abreast of all the dangers out there in cyberspace.

John Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts

Brian Krebs: I think that article was pretty clear in noting that the victims of that Sinowal/Torpig Trojan were all people who had fallen behind in patching their browsers (not updating things like QuickTime and RealPlayer plugins, e.g.).

Keep third party software updated. Use current anti-virus, and a firewall. Patch the OS. Be careful about the programs you install and run. Use a non-admin account for everyday use (you're already doing that, you say). You know the drill.


Manassas, Va.: Brian,

Just yesterday, I heard a report that the White House computers have been hacked. I would think that this would not be possible, but I guess no system is immune to attack. Any comments?


Brian Krebs: As I was just saying to my colleague here at WaPo, no system is 100 percent secure. Any system can be compromised. It all depends on how badly the bad guys want to compromise it. If he has the skills, unlimited time and a relatively decent budget, an attacker has a tremendous advantage, and it's usually just a matter of time.

After all, hacking into a system is as much (if not more) about understanding the weaknesses of the system as it is about hacking the human sitting behind the keyboard. In fact, in successful hack after successful hack, the weakest link is almost always the user. Sooner or later, someone will click on a link, install a backdoor, or simply give away key information.

Banks realized this a long time ago. Criminals know where the money's at, and so they try to hack bank systems, and when they can't do that they try to hack the bank's customers. The banks understand risk very well, and they understand that obtaining 100 percent security is not only impossible, but it would be prohibitively expensive. So they focus on responding to compromises very rapidly, in an effort to stop the bleeding as soon as possible. This is a very rational and effective response.

I could go on about this forever, but I won't. Thanks for the question.


Arlington, Va.: Good morning Brian, I'm running Vista and Zone Alarm as my firewall. I keep getting a Windows security alert in my tray telling me that my firewall is turned off. Zone Alarm is obviously turned on and working. When I restart Zone Alarm, the security alert goes away.

I'm guessing the Windows security alert starts running earlier in the startup process than Zone Alarm. Is there any way I can change this? Do you have another conclusion as to what might be the problem? Thanks.

Brian Krebs: Morning, Arlington. I know that Zone Alarm and Vista haven't always gotten along swimmingly, and I seem to recall another reader with a similar question.

You can tell the Windows Security Center to stop bugging you about it. I use a corporate version of Windows XP here at work, so I don't have access to the way the Security Center works/looks on a normal XP system right now, but Microsoft's instructions for doing this are as follows:

1. Click Start and then click Control Panel.

2. Double-click Security Center. (You can also access the Security Center by clicking on an alert sent by the Security Center. For example, if you receive an alert telling you that your antivirus software is out of date, when you click that alert, the Security Center will open.)

3. In the Security Center, under Firewall, click Recommendations. (The Recommendations button is not available when your Firewall setting is marked ON.)

4. In the Recommendations dialog box, select the "I have a firewall solution that I'll monitor myself" check box, and then click OK.


Gaithersburg, Md.: I'm installing Norton 2009 as we speak but it appears stalled at "collecting error logs". It's been running for the last twenty minutes...suggestions?

Brian Krebs: Not sure what's going on there. I'm evaluating Norton 2009 now and it installed very quickly - less than 60 seconds, no problems.

If you paid for this software, you're entitled to support. Norton has a pretty active support forum that you can try. Also, a quick search showed another user having the same problem, with some possible solutions at this link here (that's the Norton message board).


Pasadena, Calif.: I'd like to extend my computer's security capability to my entire house, so I am considering using it to monitor interior and exterior areas of my home. However, I can't seem to identify where to obtain the proper information or hardware for the job, e.g. a drop-in board for my computer and the necessary compatible materials. Any thoughts or suggestions?

Brian Krebs: I do in fact have a few thoughts, having done this myself and having a few regrets about my setup.

First, you need to decide how much you want to spend. If cost is not an issue, there are some very high quality wired and wireless options for cameras out there, both indoor and outdoor. Wireless is nice, obviously, because you don't have to worry about running wires through the attic or elsewhere (nor about the possibility of an intruder simply cutting the wires).

Also, I'd advise you to do your homework on the PCI cards that allow you to hook up multiple cameras. Many of these are cheap cards that come with crappy software that doesn't work very well. What's more, many of these cards are not true multi-threading, i.e., they all share the same resources and so produce herky-jerky video -- and cannot record true 30 frames per second, or can't do it without seriously taxing the resources of the system.

I'm out of time for today's chat, but most of this stuff is not hard to put together. Spend some time shopping around and comparing the hardware and software that ships with whatever you're buying. There are a lot of really poor video surveillance products out there, and to get a good setup you're going to need to spend probably at least $500.

Good luck, and I'm sorry I don't have time for a more detailed reply.


Brian Krebs: Thanks, everyone, for reading and for the thoughtful questions today. I'm all out of time for today's chat. Please join us again in a couple of weeks, and in the meantime drop by the Security Fix Blog at least once a day to stay on top of things. Have a great weekend, all, and be safe out there!


© 2008 The Washington Post Company