washingtonpost.com
Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, January 16, 2009 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Jan. 16, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.

The transcript follows.

____________________

Brian Krebs: Welcome, all, to the first Security Fix Live of 2009! Already, it's shaping up to be a lively one. Please try to be as specific as you can in your questions, and let me know as many details about your system setup, installed security software, error messages, etc -- basically any little details pertinent to your question that might help me provide a more targeted answer. Thanks in advance, and with that, let's get started.

_______________________

Colorado: Dear Brian,

I have a wireless network at home that uses WEP encryption, because I can't yet use WPA encryption with the wireless in my linux box. Should I be worried that WEP is not really secure?

Brian Krebs: You are correct in saying that WEP is not very secure. It is fairly trivial to hack in most cases if you have the right tools.

I seem to recall that there was a toolset of sorts for linux that allowed kernels that didn't natively support WPA to support most WPA cards/routers, as well as hardware built specifically for Windows. I believe the package is called "Ndiswrapper".

Google "ndiswrapper wpa" and you should have plenty of links to get you going. I'm not saying it won't take a little bit of reading and some configuring to get it working right, but it *should* work. Also, a number of "Live CD" distributions of Linux -- the kind you boot into from a CD -- have Ndiswrapper built-in.

Good luck.

_______________________

New York, N.Y.: It seems that few, if any, of the security fixes relate to Mac users. Please respond.

Brian Krebs: Ah, an oft-uttered, but ill-informed viewpoint.

Plenty of fixes apply to Mac -- both for the Mac operating system and for third-party plug-ins and software designed to run on the Mac.

Apple releases patch bundles for the Mac nearly once a month, sometimes more. Just scroll through the "New Patches" list in the Security Fix archives and search for "Apple". You find dozens upon dozens of entries.

In addition to updates for the operating system, it's important to keep third-party software updated as well. If you're like me and can't stand the built-in Safari Web browser on the Mac, you probably prefer Firefox for the Mac. Guess what? That program needs frequent updates as well, as do its various add-ons.

Adobe Flash player and Adobe Reader also are programs available for Mac that need regular updating, just as they do on a Windows machine. These two programs are considered cross-platform, in that vulnerabilities in them generally can be exploited through them on the Mac in much the same way they can be attacked on Windows PCs.

There are other examples, of course, but you probably get the idea by now.

_______________________

Los Angeles, Calif.: What's the best way to keep a back up of my system. I'm working on Mac OS 10.4.11.

Brian Krebs: Leopoard's Time Machine backup is pretty slick, but I see that you're like me and are still on Tiger (10.4.x).

I've used SuperDuper and have been quite happy with it. It can make backups of your data to a removable volume, or take an exact snapshot of your entire hard drive in case things go south with your Mac at some point.

_______________________

Upper Marlboro, Md.: How can you determine if your computer has been hijacked by a Bot-net, and how can you remove the computer from the Bot-nets control?

Brian Krebs: A number of people have written me, after we ran a blog post this week (Meet the New Bots: Will We Get Fooled Again, asking how they could tell whether their PC was part of a bot, and if so what they could do about it.

In the comments section of that post I tried to offer some tips:

"There was a time not long ago where a user whose Windows system was infected with a bot might see signs of slowness, system crashes or other oddities that might hint at a bot infection.

But these days, the bot malware is written by such professionals that it is unlikely to cause the average user to notice anything awry, unless perhaps they are using an older PC, or perhaps the bot software tries to limit the sites the user can go to.

Typically, the big spam based bots do not do this, b/c it's a sure-fire giveaway to the owner of the host system that something is not right.

That is why I spend so much time on this blog trying to impart the idea of keeping your system secure, since it's far easier to prevent a PC from becoming a bot than it is diagnosing a bot infection or cleaning one up after the fact.

The best way to keep your system secure?

-Download program updates only from the maker's Web site (this includes but is not limited to browser plug-ins and things like Adobe reader and Flash Player)

-Never open attachments sent in emails you were not expecting.

-Be extremely judicious about the software you chose to install on your system.

-Run up-to-date antivirus software, but don't count on it to protect you from insecure/unsafe behavior online.

-Avoid downloading software from P2P networks/crack sites.

-Keep third-party and Windows software up to date with the latest patches.

-If you run Windows XP, consider using a limited user account. If you run Vista, the UAC should warn you if anything tries to install software. Pay attention to the warnings when they do pop up.

-Use a software firewall. If you can afford one, get a hardware router (wireless or wired): these include firewalls as well.

Those are a few tips. If you follow those, you will be more secure than 95 percent of all Windows users out there."

That said, a couple of very useful -- if not essential -- tools for helping Windows users clean up after malware infections are Malwarebytes and Superantispyware. Both have trial versions that can be used to clean up a system from many of the most serious infestations out there today.

Some people believe it is next to impossible to completely tell whether a system is clean of malware if you're using tools on the infected system itself to give you a clean bill of health. However, if you combine the above mentioned tools with something like HijackThis! and spend a little time at a security cleanup forum like this one, there's a very good chance you can fully regain control over your PC.

_______________________

Tysons Corner, Va.: I recently had two credit cards compromised. One appeared to be a number only (all purchases were online) and one was a clone (all purchases appear to have required a physical presence). Is there any reason to believe that this is due to poor security on my end? or is it more likely to be poor security on the merchant or bank side? I use FFX, on a secured wireless connection and am running AV and Windows Defender, as well as having a hardware firewall in my home router.

A colleague holding one of the same cards (same issuer) had a similar experience with cloning, the cloned card was used in the same part of the country.

If there is reason to believe that this is something on my end, what's the next level of security I would need to add?

Brian Krebs: Unfortunately, this is not an easy question to answer with any sort of certainty. There are far too many variables, too many possible causes.

For example, it could be that one of the many retailers you've entrusted with your card got hacked, or otherwise lost control over their customers' financial data.

Cloned credit cards are almost always the result of two sources. The first, and by far the most prevalent, are merchants who store the 1s and 0s that make up the data embedded in the magnetic stripe on the back of your credit card. This is against payment card industry security standards, but far too many retailers still store this data. If they get hacked, or a rogue employee gains access to the database of mag stripe data, that data can then be sold to credit card and ID thieves, who use special devices to transfer the data onto fake cards and use them at retail stores.

The second most common source of cloned cards are from skimmers. Sometimes these skimmers are placed on automated vending machines, and sometimes rogue employees in the hospitality and restaurant business will use them to copy customers' info.

While it's unsettling and certainly a pain to have to get a new card, remember that with credit cards your issuing bank will almost never hold you liable for any fraudulent charges.

I wouldn't worry too much about whether your machine was the source of the breach: in all likelihood it was not. However, I still advise people not to use debit cards for shopping online, because the money in your checking account can be tied up during the time it takes for the bank to do its investigation, and the liability is in some cases not as flexible/good as with credit cards.

_______________________

Upper Marlboro, Md.: For the past few days I've been getting the popup virusremover 2008. I use McAfee to protection but have not been able to remove the file. Any idea how to delete this file?

Thanks

Brian Krebs: Please see many answer to the question above about what to do with bot infections. The tools I mention at the end will almost certainly help you find and get rid of this infection.

_______________________

Mombasa, Kenya: Good Afternoon Brian.

First I would like to thank you for providing these forum. It has been very helpful to many of us.

I have Dell Dimension E5500 with Vista Business 250HD and 3GB mem. My computer is working fine.Everything is up to date. And yes we always use under "limited rights" to keep the computer more secure.

So last week I decided to create 2 additional partioner, One to load with XP PRo and the other to test with Vista 7.

Now my problem is that I want to delete one partioner (15GB). But I am having problem on deleting. Here what I do

Start-control panel- computer management icon- Disk management.

But When I right click on the space listed as unallocated I do not see the "DELETE" option.

I can only reformat or re-size it.

What is the best way to reformat my entire hard drive back to one size. I tried to use Acronis disk director suite 10.0. Still not able to delete the 15GB unallocated.

Thanks in advance

Brian Krebs: Hrm. Strange. Acronis Disk Director should be able to delete the partition. If it is somehow listed as an active partition, however, that might be trickier.

First off, I'd advise you before you go any further to make sure you have all of your important data backed up.

That said, Disk Director does have a "merge" feature which should be able to merge your main (C:\Winows) drive/partition with the unallocated ones. Have you investigated the merge feature?

Obviously, if you don't care about blowing the whole installation away, another way to fix it is to just reinstall Vista, and use the partition tools at setup to make the whole drive one big partition.

If neither of these options appeal to you, the free Qpartd program should do what you want (you burn it to a CD and boot into it). Again, better make sure you've backed up your important data.

Finally, I believe the best setup for any computer is to separate the operating system files on a different partition from data files -- and then to keep semi-regular or incremental backups of both the data and the partition that the C:\ drive is on. That way, if something goes wrong with your system, you don't have to worry about separating out your data and can simply reinstall a known good image of the C:\ drive or reinstall from scratch. I mention that because a 15GB partition on a 250GB drive is a great size for storing "My Documents," and "My Pictures" folders, e.g.

Hope that helps.

_______________________

chicago, il: Hi Brian,

Thanks for all the great advice you give. I have a Vista 64-bit system with webroot and avg. I always lose my dsl signal, whether wired, or wireless and then always have to reset the modem. Is it due to an infection or bot or is it just a bad modem? Sometimes I have to wait 30+ minutes for the signal to come back on. Thanks.

Brian Krebs: This is a perfect example of how having just a bit more information could probably allow me to provide a much better answer. What kind/make/model modem are you using? What wireless/wired router are you using?

Yes, some routers/modems just suck. And others simply stop working right after several years of use. I had that happen to me with an otherwise wonderful Motorolla Surfboard 5200 modem about a year back. Same thing: unexplainable dropouts in the connection at semi-random intervals, necessitating the reboot of the router, and the main PC plugged into the router.

My bet is that it's the modem that's borked. But to get to the root of the problem, you may need to do a bit of testing. For example, if you disconnect the router and and just run the connection straight from your modem to the PC, and you no longer experience problems after a few days, that may indicate the problem is with the router (make sure you have a decent software firewall in place before if you decide to do this). If the problem does not go away without the router in place, that's a good indicator the modem is on its last legs.

Alternatively, you could go to an electronics store that doesn't punish you for returning merchandise within a given grace period, and purchase a new modem. Swap that puppy in for the old one and see if that fixes your problem.

Good luck!

_______________________

Brian Krebs: An additional thought for the reader from Chicago having the modem problem: Obviously, you want to rule out your ISP having intermittent trouble in your area. Wouldn't hurt, before you go buying new hardware, to give them a call and see if they're experiencing any outage conditions. Chances are very good they will say no, and try to get you to go through their (sometimes-painful) troubleshooting tests that will ultimately leave you no wiser than when you first called an hour earlier. But something to consider before your purchase, nonetheless.

_______________________

Warner Robins, Ga.: Hello Brian,

Love the chats.

I installed the Windows 7 Beta this weekend. When the OS notified me that I needed an anti-virus program I just installed what I had on my XP box - Avast 4. I really didn't think about the compatibility problems that I have been reading on tech sites.

Any comments about what your readers should know about security and testing a beta product?

BTW: I liked Windows 7 but I reimaged my hard drive back to XP.

Thanks

Brian Krebs: I still need to play with an install of Windows 7, so I'm afraid I can't offer much in the way of reviews on how well it works, plays nice with other software/hardware, etc.

However, what I can tell you from personal experience with other beta products (including past operating system betas), is that it's a bad idea to a) count on these systems to be stable and secure, and b) to expect them to work well with security software that was designed for an earlier version of the operating system.

In short, play around with Windows 7, sure. Have a ball. But for the important stuff, for now it's best to stick to an OS that is stable and familiar.

_______________________

Asheville, NC: What are the signs one might look for if being phished through Google?

Brian Krebs: Phishing, of course, refers to a scam in which someone tries to trick you into giving away personal and financial data online. The targets change all the time, but the basic safety rules apply whether you're talking about Google, AOL, Microsoft, Bank of America or Adwords.

Here are a couple of rules of thumb:

-Legitimate financial institutions and businesses will never ask for sensitive data via email.

-Notices that your account needs to be "updated" with additional information, combined with an urgency that failure to act within a certain amount of time will void your account or something similarly drastic are hallmark signs of a phishing attempt. This can include everything from requests to "update" your bank account, Adwords account, ISP account, hosting provider account....the list of targets that phishers pursue is long and growing each day.

-Avoid responding to emails by clicking on links included in them. If you want to visit a site referred to in an email, open up a browser window and type in the address to visit it that way.

-If you didn't go looking for it, don't install it. Phishing is just data-stealing by another method, and most malicious software -- whether disguised as some video codec or a supposed "update" for your Flash player -- includes data stealing components. So, if a site says you need a plug-in or add-on to view content, and you're not sure whether you do or not, visit the vendor's site to find out if you indeed have the latest version of the plug-in (bear in mind that plug-in notices at porn sites are almost without exception an enticement for you to install malicious software)

_______________________

Washington, D.C.: Another internet modem question, any idea if you can purchase DSL modems? The one supplied by Verizon are not great, but it seems like most (all?) high speed internet modems sold are cable modems.

Brian Krebs: Sure. Newegg sells them, as do others. Many wireless/wired routers now come with DSL modems built in. See this page for some ideas/choices/examples.

Might want to double check with your ISP before purchasing, however, to see if they can tell you whether the product you're interested in will work with their network.

_______________________

chicago, il: Hi Brian,

me with the modem problems again. I have ZyXEL p-600 series modem and Linksys Wrt54gl router. I tried computer to modem only and still could not get a signal. Also called ISP tech support and was not any wiser after the call. Must be the modem, right? Thanks so much.

Brian Krebs: One more question: Have you tried resetting the modem, and reconfiguring it?

You may also want to have a look at this discussion thread over at the DSL reports forum. It could be that your signal strength on your DSL line is way too low, and that is what's causing the drop-outs.

_______________________

Rapid City South Dakota: A malicious and totally fake program that calls itself "Antivirus XP 2009" (formerly Antivirus XP 2008)" is designed to infect PC's with multiple Trojans,take over computer browsers, cripple legitimate anti-malware programs, and shut down Microsoft patches from updating has the gall to offer its supposed antivirus program for a price via credit card. Why was this malicious program allowed to continue and even upgrade from 2008 to 2009? Since this program offers itself to be paid for by credit card, why has not the credit card companies traced the perpetrator's and turn them over to Interpol or the FBI to be closed down? Why don't the credit card companies simply refuse to do business with criminals? Why hasn't there been arrests a long time ago in this case?

Brian Krebs: The answer to this question is complicated. A lot of smart people are in fact working to go after the people behind these rogue anti-virus scams, which are bamboozling a lot of people out of hard-earned money. Worse still, some people think they're actually safer and more secure after installing these bogus programs!

The FTC recently announced some tentative victories against some individuals accused of perpetuating these scams and profiting from them. See:

FTC Seizes Assets of Alleged "Scareware" Purveyors

Microsoft also has taken aim at a number of these operations.

The credit card companies do in fact eventually catch up to these guys, once they've had enough chargebacks from irate "customers". Unfortunately, many consumers never dispute the charges.

A big part of the problem is that many of the people setting up these scams reside in areas of the world where our law enforcement has very little reach or impact. Plus, the infection vectors are often extremely convoluted, involving bogus banner ads submitted to legitimate online advertising companies, hacked Web sites that silently redirect users to malicious, third party sites.

What's more, most of these programs are distributed and installed by affiliates, scammers who get paid commission for each instance of the software successfully installed on a victim's machine. Thus, we have seen this rogue anti-virus stuff bundled with other malware that gets dropped on users' systems, usually through unpatched security vulnerabilities in the user's operating system or their Web browser.

_______________________

Brian Krebs: I'm out of time for today's chat, folks. Thanks, everyone, for the nice variety of questions, and/or for just dropping by. We'll host another Security Fix Live a couple of weeks from today. Until then, consider making the Security Fix blog a regular stop on your daily Web browsing route. Happy 2009, and be safe out there, people!

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.

View all comments that have been posted about this article.

© 2009 Washingtonpost.Newsweek Interactive