Security Fix Blogger
Friday, December 19, 2008 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Dec. 19, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
The transcript follows.
Brian Krebs: Good morning, dear Security Fix readers, and thanks for joining me for Security Fix Live. I'll dive into the questions momentarily, but just a reminder: Please try to be as specific as possible in your questions, including information about your setup, installed security software, error messages, etc. With that.....ONWARDS!
Chicago, Ill.: Brian, is it safe to open spam messages in order to forward them to Spam Cop? Does just looking at a message open myself up to getting more spam, or malware? My husband thinks it is safer to delete the messages without opening them, but I say it's all right to open a message as long as I don't click on any of the links embedded in it. Who's right?
Brian Krebs: I applaud your dedication to doing your part to fight the battle against spam, but the truth is that your husband is probably right on this one. In all likelihood, it's probably safe, but is it really not worth it?
Especially if whatever you use to read your email is set up to display HTML automatically, as HTML can include code that downloads content from other sites. This content may do nothing more than let the spammer know they found a live one, or it may try to download malicious content.
In any event, don't be a hero. It's generally best just to delete it.
Austin, Tex.: Howdy, Brian. A few weeks ago some son of a sow stole my wallet, took my Chase debit card, and immediately charged $500 worth of stuff from the Apple Online Store. I found this out when Chase's Fraud Unit called me. Last week, a woman who also uses Chase said that when she made a purchase at the Apple Store, the fraud unit had called her as well to confirm the purchase. Is there some sort of scam going on vis-a-vis Apple Online that Chase is Chasing down? Might wanna ask them.
Brian Krebs: Great question, Austin. I have heard of similar fraudulent activity where people find charges on their cards for Apple's iTunes store, so you're not alone. A source of mine who works to combat fraud said he's seeing quite a few reports of people making fraudulent charges at iTunes using stolen credit cards. And it's not limited to Chase; they're just the issuer in this case.
Here's what I believe the thieves are trying to do: Convert your card into cold, hard cash. How do they do that? Consider this: You buy an iTunes Gift card with $100 on it, but using someone else's credit card. Then you go on eBay and sell the card for $80. Bam. You've just made $80.
Bethesda, Md.: Is there a way to tell if my computer is a zombie sending out spam?
Brian Krebs: Hard question to answer with any kind of conclusive suggestions. Many machines infected with malicious software won't show any overt signs of infection.
You could visit Spamhaus.org to see if your IP address is listed as one that's been spotted sending spam, but there are problems with that approach because a great many home Internet users are assigned "dynamic IP addresses" by their ISPs that change quite frequently, so your address today might be someone else's tomorrow.
If you knew what to look for and were familiar with what your Internet traffic normally should look like, you might have some success with an open source tool like Wireshark, which is a free traffic analyzer that can give you very detailed views of what's going on on your network. That said, this is not a tool for newbies, and I know security pros who still don't know how to properly interpret or sift through the mountains of data collected and outputted by this tool.
One of your best bets to find out if your computer is infected with anything is to run a scan on the system by booting into another operating system. Mynetwatchman.com offers a remote scan that may tell you if something is amiss. The Ultimate Boot CD is great for this. It's free, but if it helps you, consider leaving the guy a donation.
You basically download the 250MB+ image, burn the image to a CD or DVD, and then boot your computer up and let it boot from the CD. This will take a little while to start up, but eventually if you follow all the default settings, it will boot into a Windows-like environment that includes a ton of really useful tools for diagnosing and fixing problems with your PC.
Included in the UBCD are three different anti-virus scanners that can scan your system for malware and remove anything found. The main reason I suggest this option is because most malware sophisticated enough to turn your machine into a spam zombie is going to do some serious damage to the tools on your system you normally use to tell whether something is wrong. In short, the malware will cause your system to lie to itself, telling you everything is hunky dory, when it clearly is not. Not trying to scare people, here, but that's the sad reality of most malware these days: First thing it will do is try to disable or hobble security software, and hijack key system commands typically used to diagnose settings and errors.
Pittsburgh, Pa.: Brian,
Thanks for doing these chats. I've learned a lot from them.
Question: I bought a D-Link DIR-615 N series router. I'm getting a 130Mb signal 30' away. According to the specs, I won't see the full 300 or so unless I'm further away from the router. True?
Brian Krebs: I admit I am not as well read on the N series routers being pushed so hard now by retailers, but what you described makes no sense to me. If someone else has knowledge here that could help shed light either way on this person's question, I'd be happy to post it in this chat.
As far as I'm aware, wireless signal strength decreases according to the inverse square law, which basically means the wireless signal varies in inverse proportion to the distance squared. Here's more info on this concept. That site explains the concept thusly:
"Power in a wire is lost "linearly". When the length of a wired link is doubled, the power loss is doubled. This occurs because the size of the wire and therefore the area of the wire (the cross-sectional area) remain constant from the beginning to the end of the wire. As the signal power travels forward through the wire, it only expands in one direction - along the length of the wire.
In contrast to the wired link, the power traveling across a wireless link expands in all directions. Like a flashlight shining on the inside of a ball, the wireless power spreads out left and right and up and down as it travels forward. The further the wireless power travels, the more it spreads out, the larger the area it travels through, and the quicker the power level decreases. Because the wireless power spreads out in all directions, it decreases much faster than linearly - it decreases logarithmically, according to the "inverse-square" law."
Confused in Barberton: I purchased a factory refurbished Lenovo X41 tablet PC, running the XP tablet OS. I have AVG (paid) and Spy Sweeper running on it. The boot-up time is extremely slow (5-7 minutes); would a fresh install of the OS help? And lastly, since it was preloaded with the OS, I do not have the XP tablet disks. What are my options?
Thanks for all your insightful help during these chats!
Brian Krebs: I would recommend removing Spy Sweeper. I hear nothing but complaints of slowness from readers who have this program installed. But don't take my word for it: Remove the program, and see if that speeds things up. I think you will find it does.
In lieu of Spy Sweeper, consider running your browser using Drop My Rights. Read more about that here. You probably also need to ditch Internet Explorer for something like Firefox (preferably with the NoScript add-on installed) if you haven't already.
Your options on the disc are to call the company you purchased the computer from and ask if they can send you an installation disc. Barring that, you would be well advised to start asking your friends and family if anyone has an install disc for this OS. Sooner or later, you will need it, and it's best to start asking now so you are prepared when something happens that causes you to need the install disc.
You also may want to make sure that you have a valid XP license key and that you have it written down somewhere.
Chances are it is printed on a sticker on the bottom of the computer, but you never know with refurbished machines.
Hope that helps somewhat.
Rural, Virginia: When I visit a webpage and right click on the mouse, then select Properties, a dialog box appears. On this dialog box it says: protocol, type, connection... and then it says "size". Would I be correct in saying that the size displayed (for example, 124948 bytes) is the size of the webpage that is "downloaded" to my computer?
If I visit the same webpage daily (for example, The Washington Post) and the size suddenly is twice what it normally is... could that be an indication of a security breach?
P.S. The reason I am using the word "downloaded" is because I have a satellite connection and am only allowed a fixed download daily amount. The ISP - Hughes - calculates a download amount for each webpage visited.
Brian Krebs: Yikes! A download amount for each Web page visited?
I've never heard of the size of a Web page being a factor of any kind indicating a site compromise.
The "properties" option is something that in my experience appears quite a bit more reliably on pages loaded with Internet Explorer (not so much with Firefox). So I'm going to take a guess that you're browsing the Web with IE.
If that's the case, you might consider switching to Firefox or some other browser that allows you to install add-ons. Many people find that using the Adblock add-on for Firefox stops a great many ads and other third party content from loading on a page, which could decrease the page load times (and sizes) for any given Web page considerably.
Verona, Italy: Hi, Brian. Thanks for the good info you provide via your columns and chats. I set up User Accounts on my XP SP3 machine, but now I can access certain applications that I installed as Administrator (Nikon Cool Pix manager, Windows Media Player) ONLY from the Administrator account. Is there some way to permit access to User accounts? Thanks.
Brian Krebs: There are a couple of options. One is to simply right click on the program, select "Run As" and pick the name of your admin account and enter the password.
The other is a bit more complex, and depends on your having XP Pro installed. If you have Pro, right click on the program while logged in as admin, and then select properties. On the "Security" tab, it should show you which users have which rights for the program. Assigning "full control" to the user account with lesser rights should fix your problem, but bear in mind that the more you do this with programs the more it will chip away at the whole premise of using the computer in a limited user setup.
Tampa, Fla.: I have 2 questions, one probably stupid. They involve Anti-Virus Pro, which has been ID'd as malware. See [here].
I came across this on friendster.com while using a Mac. As soon as I opened the page of the person I wanted to check out, I started getting messages in German that seemed to say it was scanning my Mac (OS 10.4.11) for viruses. I saw references to .exe files. My browser (Camino 1.6.6, the latest) froze and I had to Force Quit.
Stupid question: Is there any chance my Mac has malware from this? It seems like a Windows-only attack.
Second question: Would I be safe from this on Windows XP Home Edition (fully updated) if I was on a limited user account, using the latest Firefox browser with the latest version of the NoScript extension, with BitDefender Internet Security running?
Brian Krebs: Hi Tampa, thanks for your question. First, I don't believe this would be an issue on a Mac.
A limited user account is a great and important line of defense. It won't stop all malware attacks, but it will blunt a great deal of them because many types of malware assume the user is running as administrator and consequently fail to install.
refurbished Lenovo X41 tablet PC, running the XP tablet OS: Brian,
The poster should get rid of the Spy Sweeper AND the AVG. As we both know, AVG is a big resource hog. Avira is a much more resource friendly program, and it's free.
Brian Krebs: More advice for the reader with the slow Lenovo machine.
Latest problems with IE: Brian,
Can you bring us up to date on the latest issues with IE? I know Microsoft has a patch, but is it out yet?
Brian Krebs: Yes. Microsoft issued an emergency patch for this on Wednesday. You can read more here.
Speaking of wireless routers and such: Brian,
I'd like to mention that people should be careful when presented with "recertified" wireless routers, more than any other piece of equipment.
Wireless routers put off a great amount of heat in normal usage. For that reason, I would recommend that wireless routers be used/mounted in a vertical configuration that allows for maximum heat dissipation.
Take for example the Linksys WRT54G, which is a great basic 54 Mbps router. Usual lifespan is 18 months, due to the horizontal configuration with very little room under the unit to dissipate heat.
Brian Krebs: I did not know that. Thanks for the info.
Chicago, Ill.: "Rural Virginia" could also try Ad Block Plus with Firefox.
How often do you do these chats, BK? I read your blog, but I wasn't aware of the chats till recently. Maybe you should bring them up in your blog on occasion.
Brian Krebs: Thanks for dropping by. I generally do these chats every other Friday. Occasionally, when I am spry and awake enough to put up a blog post prior to my chat, we will use that as a chance to plug the chat. It's also usually teased on at least three different places on the washingtonpost.com homepage, but I realize there's a lot of stuff there so it's easy to overlook.
Fairfax, Va.: My wireless keyboard has recently begun to act a tad slower; the letters do not register instantaneously. I have Micro PC-cillin loaded and up to date but worry that I might have a key logger installed somehow, even though PC-cillin always asks before a program is loaded. Is a slow keyboard symptomatic of a key logger, or is this my 5-year-old Pentium 4 machine showing its age, and is there any way to check whether a key logger is loaded onto a machine? Thanks
Brian Krebs: In my experience, a slow wireless keyboard means the battery inside the keyboard is running low and it's time to replace it/recharge it. But you've probably already checked that, haven't you? Does it matter if you move the receiver closer to the keyboard?
Generally speaking, slow typing would be a sign that the system is struggling for resources. Is anything else on the system sluggish, or is it just the keyboard? Have you tried plugging in a wired keyboard to see if that is any faster?
I'm sticking with my battery answer as the most likely. Please reply back if you can. Thanks.
Anonymous: Re "Bethesda, Md.: Is there a way to tell if my computer is a zombie sending out spam?"
What about BotHunter, Brian?
Brian Krebs: I installed this program after the SANS Internet Storm Center and others recommended it. However, nothing happens when I start the program. A tiny command prompt pops up and then nothing. Task Manager says it's running, but no GUI, no sign of a way to enter/interpret anything. Just haven't had time to try it on another machine.
Waco, Tex.: I applied the Windows updates last night last thing to my Windows 2000 machine. This morning my computer is running v-e-r-y s-l-o-w-l-y. Do you think it coincidence? Anyone else have that problem?
Brian Krebs: I have not heard of any problems with this IE patch, but most patches do cause problems with some small subset of users running different applications in odd settings. Does your system run slowly even if you do not have IE running? When you open up Task Manager (right click on the taskbar and select "Task Manager"), does it show one program taking up an inordinate amount of system resources?
Anyone else having this problem? Sound off here or in the blog post we wrote this week about this patch, please.
Wireless routers and heat: Brian,
On the back of the WRT54G, the text at the power plug reads 5 volts, 2.5 amps. That's a lot of power for something with NO moving parts.
Brian Krebs: Agreed. I'm learning so much today!
Lagos, Nigeria: My Vista Business laptop takes more than 3 minutes to boot even though I have 2GB of memory installed. I have Office 2007 installed also. I have stopped Windows Defender and Google Updater from auto-starting with Windows. I only have my firewall (ZoneAlarm) and antivirus (AntiVir) start with Windows. Any suggestions for a faster boot time? I don't do any gaming.
Brian Krebs: Yeah, I feel ya there. I could make an egg and cheese sandwich in the time it takes my Vista PC to boot. Not an uncommon issue. But these guys have some great suggestions that I'm really dying to try now. Thanks for the question.
Pasadena, Calif.: I discovered something called "Mrvlusg Tracking" on my add remove list and have no idea where it came from. Marvell is the listed publisher but I can find no information on what it does. Any thoughts?
Brian Krebs: Ick. Nothing says suspicious like a company Web site that tells you absolutely nothing about what their products do. I could find very little information about this program, but my gut on anything that clearly states "tracking" in the title is to remove it. If you see a setting in the Add/Remove Programs listing, it's probably not that bad, but who knows? I'd remove it.
Stormville, NY: Happy holidays, Brian!
What is your opinion of SUPERAntiSpyware? (The free edition)
Brian Krebs: I like it. A lot. And I recommend it quite a bit, because it's almost an essential tool in helping to remove much of this rogue anti-virus software that so many people are getting whacked with.
Silver Spring, Md.: When printing from Outlook I am getting things truncated on the left-hand side. Print preview shows the whole document, but that is not what gets printed. Even shrinking the document does not print the whole left-hand side. Any suggestions?
Brian Krebs: Is it just Outlook that does this? What happens when you try to print a document from, say, Microsoft Word? If it does the same thing, I'd say it's an alignment problem with your printer, and perhaps suggest seeing if you can reset the printer back to its default settings if that's possible.
Maybe try changing the margins in Outlook? Open Internet Explorer, go to File, then Page setup, and then reset your margins.
If it's just Outlook that's being squirrely, one option might be to cut and paste the content of the e-mail into a program like WordPad, Notepad or Word and print it from there.
Rockville, MD: I'm running a scan on my Windows XP computer right now (Symantec AntiVirus). The Temporary Internet Files\Content.IE5 section has been going for a very, very long time. Can I delete the stuff in this folder?
I'm not running Internet Explorer 5 and just installed all recommended Microsoft patches this morning. It just seems like this much stuff has to slow down the computer.
Brian Krebs: Yes, it's generally safe to send the stuff in that folder to the Recycle Bin.
Astoria, N.Y.: Are you worried about clickjacking and the Flash Player Global Security Settings panel? I was reading Jeremiah Grossman's blog, and it's scary stuff! I have OS X 10.5.6, Firefox 3.0.5, NoScript and Flashblock, but still! How much of a threat is this stuff, and why are Flash Player settings hosted remotely!?
Brian Krebs: I wrote about this a while back, and Adobe has issued some updates to address this. It's scary because Flash is a VERY powerful program, and it's required by soooooo many sites.
I had a chance to interview the co-discoverer of this bug -- Robert Hansen -- at a Santa Fe Institute gathering about a month ago, and he was pretty clear about the fact that this goes way beyond Flash, and that the browser makers need to address it as well. Problem was, he said, doing so generally required an architectural overhaul that wasn't a trivial fix for the browser guys. For now, the best defense is what you've already mentioned: NoScript, Firefox, etc.
San Francisco, Calif.: I got the CheckFree e-mail this week about the security breach. I had used CheckFree to pay a Macy's bill the day of the attack and have been monitoring the coverage. When I called CheckFree, the representative told me my Mac was under no risk because only Windows OS was exposed. Do you think I'm really OK? The representative was clearly not a tech expert but was reading a script.
Brian Krebs: I think you're fine. The malware that it was trying to foist is indeed designed for Windows. Rest easy.
re: keyboard issue: I did change the batteries in the keyboard and the slow response continued, so I think it might be an aging keyboard issue (it's an old Belkin that they no longer make). I will try plugging in a wired keyboard, but your comment on resources hit a nerve. I have a 120GB HD that's filling up with photos, so I'm in the process of moving my files to an external HD. I think it's time for a new machine (like a Dell Studio laptop). I was more concerned about having an unknown keystroke logger installed, so I guess in the interim I'll just have to adjust my typing speed. Thanks for the info.
Brian Krebs: Not sure I helped that much, but you're welcome just the same :)
Omaha, Neb.: What is Spam Cop, mentioned in the first discussion? How do I report suspicious e-mail? For example: I received an e-mail from the FBI Director. First mistake, I opened it. Then I kept it so I could report it but did not know whom to report it to. I later learned I should not even open the mail. However, is there a place I should report suspicious e-mail, or is deleting it the best thing to do?
Brian Krebs: Spamcop.net is an anti-spam service for people who run mail servers. You can use their service to report spam, if you really want to. But unless you run a mail server (no, Outlook doesn't count), you probably have no use for this service (except they DO have some pretty graphs).
Lots of organizations collect spam, for various reasons, most of them to feed into anti-spam products and services they sell commercially. You can forward spam to the Federal Trade Commission (email@example.com), but you're probably best off just deleting it and moving on with life.
Brian Krebs: Well, folks, I am out of time for today. A big shout of thanks out to all who stopped by for the chat or just to read the discussion. Join us again in a couple of weeks from today for another Security Fix Live. In the meantime, you can stay up to date about the latest security threats and tips by regularly visiting the Security Fix blog. Have a great weekend all, and Happy Holidays! Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.