Security Fix Blogger
Friday, February 13, 2009 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Feb. 13, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
The transcript follows.
Brian Krebs: Good morning, dear Security Fix readers, and welcome to Security Fix Live! As always, please try to be as specific as possible in describing your problem, including any error messages -- and please give me as much relevant information as you can about the security software you are using, the default OS and browser, and if it's a hardware issue, please try to include mention of the make/model. On that note...onwards!
Silver Spring, Md.: Brian:
With regard to the Microsoft reward for information about the Conficker worm: how exactly can Microsoft or any other organization verify that a suspected individual or group of people created a specific piece of malware? Do the cybersecurity cops need access to the original machines on which the malware was created, or can they rely on other methods?
washingtonpost.com: Microsoft Offers $250,000 Reward for Conficker Worm Author(s)
Brian Krebs: Good question, Silver Spring. Microsoft doesn't offer these rewards lightly, mainly because they require a great deal of vetting. A former security guy at Microsoft I spoke with recently told me that their legal team in past reward offers spent many hours vetting both the claims of people who said they knew who the culprit was, and the backgrounds of the people making the claims to make sure they weren't somehow involved in releasing the threat in the first place.
In this case, there's an aspect of this Conficker worm that could make it pretty easy for any court to convict the accused. That is, Conficker instructs infected systems to visit a precomputed list of some 250 domain names each day, in order to download a second-stage component of the worm -- ostensibly the part that enlists the victim's machine in whatever criminal enterprises the worm's authors have in mind.
What's unique about this update process is that unless one of the 250 sites sought by Conficker-infected systems has a special encryption key known only to the worm writers, victim PCs that visit that site will move on to the next. The thinking is that this prevents security companies and researchers or bad guys from hijacking the pool of computers infected with Conficker, since AV companies long ago figured out the algorithm the site uses to generate new web site domains and researchers have been registering those domains in advance.
Point is, nobody but the worm's authors right now has that private encryption key. Should a tip lead to a bad guy and that bad guy has this secret key, that would be pretty damning evidence that he or she was involved in writing and/or releasing the worm.
Annandale, Va.: Hi Brian,
IBM ThinkPad, 512 RAM, 30GB HD, 13 character password on my router, Windows Home XP SP3, ZoneAlarm, AVG Free, and SnoopFree installed (all up to date). I have two questions for you. First, while using the TurboTax software the other day, SnoopFree issued a Keyboard Hook alert when I was on the page where I was supposed to enter my credit card info, etc. Obviously, I declined. This made TurboTax shut down and restart without any initiation from me. Once back to the credit card page, SnoopFree did not issue another alert. Any idea what is going on here? Should I be concerned, or is this something 'normal' in the software?
On a less alarming note, every time I navigate to The Washington Post homepage, I get a pop up dialog box asking "You have chosen to open wpni.washingtonpost.com which is a binary file from http://ad.doubclick.net. Would you like to save this file?" I click cancel, but it reappears every time I revisit the homepage (or the homepage reloads). Why is this appearing now? I use Firefox with the NoScript, Netcraft, Adblock Plus, and AVG Safe Search add-ons. Any idea how to make this go away, other than saving the file?
Brian Krebs: Hi Annandale. To your first question, re: SnoopFree, as I've warned before, this program does occasionally toss up keyboard hijacking warnings for legitimate programs. The warnings can be jarring and scary, but they usually happen when you first start up a program. As for TurboTax, it may be trying to hook the keyboard in some weird way that is freaking Snoopfree out. Perhaps the new version of Turbo Tax comes with some component that hooks the keyboard as a security measure, but I'm not aware of that.
While SnoopFree can be useful to stop keyloggers and the like, it does occasionally generate false positives. My guess is this is probably one of those false positives.
Re: your Firefox/binary file message, try clearing out the cache in Firefox to see if that gets rid of the message. I know that sounds lame, but you might be surprised. If you can, please circle back to let me know if that fixed the issue or not.
To clear the browser cache in Firefox, do this:
Tools--Options--Advanced--Network tab--Clear Now.
Kingstowne, Va.: When setting up a wireless network at home, is there any reason or benefit to broadcasting the SSID?
Brian Krebs: You can disable the router's broadcasting of the SSID, but that's not much of a security protection. If someone really wants to hack your network, disabling the SSID broadcast is not going to magically prevent them from finding it. The SSID still can be viewed by anyone with a wireless sniffer program.
Furthermore, you may find that connecting laptops to it (I'm thinking more random laptops from friends and family that might normally only connect when they come to visit) is a bit more of a pain. That's because disabling SSID broadcast on a router blocks Windows systems from being able to see the router on the "available wireless networks" list, which means that in order to connect, any user will have to configure the connection manually.
If you really want to beef up the security of your router, make sure to a) use a router that supports WPA or WPA2 (not WEP, which is insecure) and b) configure it with a strong passphrase. If you don't know how to do this, there are some decent videos on that here.
Also, make sure that you change the default user name and password needed to configure the router itself. This is the set of credentials you are asked to input when you browse to the router administration web page (usually at http://192.168.1.1 or http://192.168.0.1).
Binghamton, N.Y.: Good Morning - you have written about the Heartland Data Breach. There is now another large processor that has been hit. We received the following info this morning on this. Do you have any idea who has been breached?
NEW MERCHANT ACQUIRER SECURITY BREACH
Executive Summary
Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor's settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert.
As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor.
It is important to note that this event is not related to the Heartland Payment Systems breach.
While it has been confirmed that malicious software was placed on the processor's platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided, there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation.
Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series
Brian Krebs: Please send me a note with your contact info at brian-dot-krebs-at-washingtonpost-dot-com.
San Rafael, Calif.: Brian, thank you for your article on 2/12 about free anti-virus programs. Not mentioned in the article, however, is Windows Defender, which I downloaded for free from Microsoft.com. Is Windows Defender also a usable anti-virus program, or are there problems with Windows Defender that I should know about?
Brian Krebs: Windows Defender is not an anti-virus application. It is more akin to an anti-spyware application, something that tries to block and/or remove nasty programs that try to hijack your browser or search results or install tracking software. So, having Windows Defender is not a substitute for having a decent anti-virus program installed.
RE: Clear Firefox Cache: Annandale here again. Thanks for your reply to both my current issues. I just followed the instructions you posted to clear my cache, and I am still getting the same popup dialog box on The Washington Post homepage. Do you think this might have something to do with any of my Firefox add-ons, specifically the Ad-block Plus add-on?
Brian Krebs: Thanks for circling back. Could definitely be an add-on issue. If you want to check and see, try starting Firefox in Safe Mode. No, not Windows Safe Mode, where you boot into Windows and all the desktop icons are huge, but Firefox Safe Mode. This should be an option you can select if you start Firefox by going to Start, Programs, and the Mozilla folder (make sure you've completely closed all Firefox windows before doing this, and that Firefox.exe is not still running when you check out running processes in Task Manager; to start Task Manager, right click on the Windows taskbar and select Task Manager).
When you start Firefox in safe mode, it disables all add-ons by default.
If this doesn't work, you might try creating a new Firefox profile, in the event that your current profile has become corrupted somehow. If that fails, maybe back up your bookmarks and settings, and try a fresh install of Firefox?
Sorry I don't have a better answer for you. I'd still be interested in hearing if any of these suggestions work. Thanks.
Clifton, Va.: How do I turn off the wireless service for my Verizon FIOS and just remain hard wired for security for my iMac?
Brian Krebs: Not being a Verizon FIOS user, I can't really tell you how to do this, and Verizon's FIOS online support site is giving me an error page at the moment. But I can take a guess (readers, please let me know if you know how to do this and my guess is incorrect).
- Fire up your browser and point it to 192.168.1.1
- If asked, give it your username and password (if you don't know what the u/p is, it's probably admin/admin, or admin/password, or admin/(no password), or admin/verizon, or admin/verizon1).
- Look for a tab or link that says 'wireless settings'.
- There should be a setting under the general or basic security settings area to switch wireless on or off. Switch to off and hit apply or save. You may have a short time when your Internet connection dies, but it should come back up in a few seconds for any systems hard-wired to the router.
Washington, D.C.: I periodically experience disconnects from the Internet on my wired desktop connection. Comcast is my ISP, I'm using a Motorola SB5120 modem, a Linksys WRT54G router, Windows XP, McAfee Security Suite, and several anti-spyware/anti-malware programs. I checked the lease time, and it's the typical one hour. The curious thing is that when I do get disconnected, the lights on the cable modem and the router all appear fine, as does the connection icon in the system tray. Repairing the connection or re-booting the PC does not restore the connection, only re-booting the cable modem does. I've updated all firmware. This situation baffles me, especially given that the lights on the modem and router don't show any problems in the connection, which is nonetheless off. Any suggestion as to where I should look for solutions? Thanks.
Brian Krebs: I had this same problem with that exact same Surfboard modem, which I got from a friend who was throwing it out. I grabbed it because it was black and it matched the rest of my equipment, and it was a newer model so I thought what the heck. The dropouts occurred at first every few weeks, and then more and more frequently. I chatted and tested the thing with my ISP's support technicians, and with the good folks over at Broadbandreports.com, and they couldn't find anything incorrect with the way my system was set up or any problems with the modem. I ended up going back to my trusty but ugly and large, beige Surfboard 5100 modem, which has been working flawlessly ever since.
My guess is your modem is on its last legs. But before you go out and buy a new modem, you might want to run the system without the router for a little while to see if the problem goes away (if you choose to do this, make darn sure any systems connected to the modem are behind a software firewall).
Best of luck.
Austintown, Ohio: Hi Brian, Regarding TTax and Snoopfree, I had a similar occurrence with TaxCut. I logged into TaxCut with my Limited-User account using the "run as" feature. While I was entering info into the W-2 section, at about the local tax part, Snoopfree popped up. But I was unable to click "deny" or anything else so I hit the reset button and rebooted. Did it all again and got the same results. So I then decided to just use my Administrator login, as TaxCut suggests, and had no problems. In fact Snoopfree has not popped up since. I don't know if this helps, but I thought I'd share it with you. Thanks for your help in this area and continued success.
Brian Krebs: Interesting feedback, Austintown. Thanks for sending this along.
Wireless: Hi Brian - I'm kind of new to using wifi and got an iTouch as a gift and have been using the web access at places that provide free access. Obviously I know not to do my banking or anything like that, but what is safe and what isn't? Logging into my Gmail? Coming here to WP and logging in so I can see some articles? etc. I have a neighbor with an unsecured router it appears. If I log on using my iTouch, rather than coming up to my regular computer, can my neighbor see what I'm doing?
Brian Krebs: If you're logging into anything that doesn't use https:// persistently, and you're using an open wireless network, there's a non-trivial chance that someone sniffing the network for mischievous reasons could read your messages or interactively log in as you at some point. It's generally a good idea to avoid transmitting sensitive information over unfamiliar or open networks -- particularly wireless.
Gmail has a setting that you should change so that it always uses https://, not just when you log in and pass your credentials.
If you log into any network, wired, wireless, encrypted, open, the administrator of that network can almost always see where you're going, if they have logging turned on and care to look for that information.
FiOS and wireless: The user name/password for the FiOS router is on the bottom panel of the router.
Brian Krebs: Hey, nifty. Isn't that handy? Thanks, mystery reader.
Cody, Wyo.: Hi Brian,
Just a comment instead of a question (for once!).
As per your advice, I've been using McAfee SiteAdvisor for a long time now. If someone sends me a link to a site I'm not familiar with, I simply do a Google search on the URL. Then if it comes up in the search results with McAfee's green check, I know the site is safe.
Thanks so much for all your great advice and guidance over the years!
Brian Krebs: Yeah, McAfee's Siteadvisor tool is nice and all, but just because it says a site is green (safe) doesn't mean it is. It's just yet another tool to help people make informed decisions about the sites they visit. I have visited plenty of malicious sites that McAfee either listed as green or didn't have a listing for because it was too new. Bear in mind also, that this program isn't much help if you visit a legitimate site that has been hacked.
Roseville, CA 95678: I recently had a virus which I removed using Norton. Now I cannot print using Firefox -- I can however print w/IE, Chrome and Word. What could be the problem? (I have deleted and re-installed both Firefox and the printer.)
Brian Krebs: Have you checked out the Problems Printing Web Pages FAQ from Mozilla's support forum? If not, I'd start there.
Portland, Ore.: Brian: I have been the Washington Post for many years. My computer has been hacked by the cried baby. Furthermore, I do want to make money online. When I disclosed my bank account online; it seemed not to secure on this transaction. 1. Question: How to get rid of this baby cried in my computer? 2. Question: Do the customer trust the Bank credit cards?
Brian Krebs: Maybe something is getting lost in translation, here, but I have no idea what the "Cried Baby" is, or why it would hack you. More information, anyone?
Woodbridge, Va.: How prevalent and/or severe is the malware threat for cell phones, specifically Windows Mobile phones? As an individual user (not connected to work/Exchange/etc.) what steps, if any, should be taken to protect yourself?
Brian Krebs: Not a threat. At least not now, and not from my vantage point. Rest easy. Now, what is a threat is if you have sensitive information stored on your phone that would present a security risk if you lost the device itself (a much, much more likely experience). iPhones, Blackberrys, I believe both have remote wipe features if you're using stuff like Exchange, or Blackberry Server. I know there are apps sold/trialed for other phone types that specialize in remote wiping or resetting the phone if you send it a special text message or email.
Woodbridge, Va.: Hello. My question is reference security for personal (not office issued) smartphones/pocket pc's. How prevalent is the malware for windows mobile phones and what precautions can/should we take besides turning off bluetooth, etc when you are not using it? How serious is the threat and should we buy the hype and install a firewall package, etc?
Brian Krebs: See my answer above. Your biggest concern should be about the physical security of your phone. The rest is just hype and scaremongering for now.
I should note that while there is in fact malware designed for phones, mostly those running the Symbian operating system, the vast majority use Bluetooth and then send unsolicited messages to your phone asking you to download and install a file. Obviously, the smart thing to do if this happens is to decline the download.
Clifton, Va.: Mr Krebs,
is there something you would like to disclose about the picture of you at the top of your chat? It looks like a mug shot. What software program did you use to remove the number board? I need to know since I want to use my mug shots for my passport photos!
Brian Krebs: Hi. I'm pretty sure the design folks used Apple software -- probably Final Touch. That is a mugshot; one of the post.com photographers, a super-cool gal named Jen Crandall, took that photo of me. She was very patient and must have taken 50 or so shots, but we both decided I looked kind of dorky in the smiling ones, so we chose the serious one. After all, this IS a very serious topic, no? ;)
FYI, I believe the mugshot was just superimposed on top of the binary banner. Don't know if that helps or not.
Rockville, Md.: Are you saying that there is a difference between spyware, malware and viruses and maybe anything else?
How many different types of anti-"bad stuff on my computer" do I need?
Brian Krebs: Yes, there is absolutely a difference, albeit one that isn't always obvious. The reality is that spyware, malware and viruses often are planted via the same mechanism: through security vulnerabilities in software or via dodgy browser plugins, etc., or -- most often -- by tricking the user into simply downloading and installing it themselves (i.e., through some supposed video codec that a site claims you need to install in order to view some content).
I have long urged readers to run Windows under a limited user account, or to at least run the browser of choice under a drop my rights type scenario. Reason being is that most malware simply won't install unless the user is running in the all-powerful administrator mode. In fact, I routinely tell readers that if they have taken this advice, they can more or less forget about running anti-spyware applications. Having a decent anti-virus program is always a good idea, but it's not going to save users from doing stupid stuff, like installing programs of dubious origin or odd browser add-ons.
When in doubt, if a site says you need a plug-in (i.e., Adobe Reader or Flash), download the plugin from the vendor's site itself. Avoid downloading programs from P2P file-sharing apps. Run the system or the browser under a limited user approach, and you will have far, far fewer issues -- if any -- to deal with (aside from the occasional program that doesn't quite run under a limited user account).
Chattanooga, Tenn.: Hi Brian, Although I use AVG the free antivirus and Superantispyware some one was still able to hijack my computer and post spam to a mailing list I'm on. Is there anything else I should use? I have auto updates turned off but my anti-spyware and antivirus still update automatically. Thanks, Lindsay
Brian Krebs: It's not clear to me whether someone really hijacked your PC to send email as you, or if someone merely used your email address in a forged email header. The difference is that anyone can use any email they want and put it in a forged email header, so that it appears to have been sent from that address to the casual reader (someone who doesn't read email using the full email headers).
Not saying your machine isn't hijacked, I just don't have enough information to make that assessment. But I would ask, you said you had automatic updates for Windows patches turned off. I'm hoping that in place of that you are regularly going to Microsoft Update and applying the monthly patches, or that you at least set Automatic Updates to download the patches and let you choose when to install them and which ones to install? Letting Windows patches slide for any substantial amount of time is not a good idea at all.
Omaha, Neb.: I have a refurbished XP computer. On a sporadic basis, the active window starts jittering up and down. This applies to all applications so far, including the little windows where you have to make selection, as in the places where you have to select the month of your birth or the state where you live. Clicking off that window (so it's no longer the active window) stops the jitter, but you might not be where you want to be in the window, and of course you can't do anything with it until you select it, and then it jitters again. It's not a monitor-wide problem, and I haven't seen a correlation to the mice or trackballs I use. Any ideas? Thanks, Scott
Brian Krebs: I assume this is a desktop system, not a laptop, since you said monitor. If this is a problem with a laptop, you could be having a problem with a faulty inverter in the laptop screen hardware (HP systems have had a number of these problems, if I recall correctly).
Otherwise, you may be having a problem with the video card or the drivers that interact with the Windows operating system and the video card. Have you tried checking Windows Update to see if there is an optional hardware update for your video card software and/or drivers?
To do this, visit Windows/Microsoft Update, and then let it scan your system for available updates, selecting "custom" to let you choose which ones to install. Then, on the page that lists the available updates, check the area to the left, and look for anything available under "hardware, optional" and "software, optional" that may relate to the video card installed on your system. If you find any of those, make sure you have a decent backup of your important files and/or entire system, or at the very least that you have System Restore turned on. Apply the optional updates for any video hardware/software available and see if that fixes your problem.
Rockville, Md.: I'm running a fully patched, Service Pack 3 Windows XP machine and have been slowly switching to more of your recommendations over the past few weeks.
I ran Secunia and patched everything that was vulnerable (not much). My old Symantec Antivirus was the only thing that I absolutely couldn't get patched so I uninstalled it. I still have the full McAfee suite from Comcast.
Then I downloaded Malwarebytes' Anti-Malware and SuperAntiSpyware. The Anti-Malware now runs clean, but SuperAntiSpyware shows 3 problem registry keys every time I run it. I let the program quarantine and delete the items and then accept the reboot, but running it again as soon as it restarts shows the exact same problems.
The summary is: Browser Hijacker.Apropos Media/PeopleOnPage.Explorer Bar.
The company is: PeopleOnPage, Inc.
The description is: Displays pictures and profiles of people based on site navigation. Modified IE settings. Can cause browser slowdown. (POP225.DLL)
Is this just a speed thing? SuperAntiSpyware calls it a level 10 threat. I'd rather stick with IE since I am more used to it, but if I need to switch to using Firefox exclusively I can do that. Any ideas? How bad a problem is this?
Brian Krebs: You've got some spyware/adware on your system that hooks into IE specifically. But this particular program is often bundled with other adware and spyware programs, so that may not be the extent of your problems. I'd suggest visiting one of several security support forums, such as Broadband Reports' Security Cleanup forum, and requesting assistance there, being sure to follow their "instructions before posting" very closely before doing so.
As for Firefox vs. IE, yes, I would wholeheartedly recommend that you and anyone else who reads this change their browser of choice from IE to Firefox.
Salem, Ore.: Built my first computer in 1968 but I still read your column first thing every morning; appreciate the fine work you guys are doing there.
Finally upgraded our network from 2k Pro to XP Pro SP2 (#1 (Xeon 2.8 x2, 3GB, Nvidia GeForce 6600, 2 IDE HDDs, Xonar D2) runs XP Pro; #2 (Phenom X3, 4GB, GeForce 9600 GT, SATA HDD, Xonar D2) runs XP Pro x64; laptop also runs XP Pro): any USB device without specific drivers is lost (currently that includes two different portable hard-drives and Zen MP3 players). Nikon camera is fine, printer combo is fine; Palm and Blackberry sync in Admin. Acct. only, but they are recognized at least!!
Tried plugging directly into each of the ports, again with passive and powered hubs: same. The USB HDD's are most critical, though the MP3 players would be nice, too.
Also, what's the secret for getting Palm and Blackberry to synch in a LUA? We can access Palm running as admin., but read-only. Is there a file that needs its permissions changed that I'm missing?
Thanks very much, you guys are life-savers...
Brian Krebs: In XP Pro, you can change the default permissions settings for any file folder or program. So that may help. But you might try uninstalling the palm program, then logging in under the LUA and selecting "run as administrator" on the installation file. That may fix the problem.
Regarding your USB problems, you may not have all of the correct hardware drivers installed. Go to Control Panel, then select System, then the Hardware tab, and click Device Manager. If you see any yellow exclamation points, those indicate hardware devices that do not yet have device drivers installed. It could be that one or more of the USB ports (especially if they are on the front of a tower computer) aren't installed with the proper drivers. If you see any missing drivers, try right clicking and selecting "install drivers". If you have a driver disk for that motherboard/tower system, insert that and let it search for the drivers. If not, you could try letting it search at Microsoft Update (search online option in that settings dialog that pops up when you choose install drivers).
Knoxville, Md.: Hi Brian. My IBM laptop has been relegated to Windows Safe Mode for months, as it suddenly stopped booting normally and this was the only way I could get access to my files and the Internet. When booting, it gets to the point where it says Windows is starting, then hangs. I suspect (but am far from sure) this may have been caused by an update to my IBM fingerprint-reader software, since that is the point where I'd normally have to scan my finger in lieu of the Windows password. But I can't figure out how to undo the update because the IBM updater program which may have created this mess doesn't seem to work in this mode. Other apparent casualties of running in Safe Mode -- I cannot get Windows updates, anti-virus signature updates (for Avast) or anti-spyware updates (for Webroot Spy Sweeper). I also have no sound, and a number of other programs will not run. Do you have any suggestions either for staying protected or for getting back to normal Windows?
Brian Krebs: Can you uninstall the IBM software and/or hardware when in safe mode? To uninstall the hardware drivers for this device, go to Start, Control Panel, System, Device Manager, and then look for an entry for the IBM reader you're talking about. If you find it, right click on the entry and select "uninstall." You might also see if you can remove the program wholesale via Add/Remove Programs. Best of luck.
Brian Krebs: I am out of time for today, folks. Thanks to all who stopped by to participate or just to take a gander at the questions and answers. We'll do another Security Fix Live in a couple of weeks from today. Until then, please drop by the Security Fix blog regularly to stay on top of the latest tips, advice and security threats. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.