Security Fix Blogger
Friday, February 27, 2009 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Feb. 27, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.
The transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers. Please keep the questions coming, but please all be as specific as possible about your computer setup, and if relevant, tell me what browser/OS you're using, and what security software you have installed if any. If it's a hardware-related question, please try to give me as much info as you can about the device (even make/model if possible). With that....ONWARDS!
Cherryvale, KS: Has Microsoft developed a patch for the last security breach on Internet Explorer? I quit using IE because of the risk. I now use Mozilla's Firefox.
Brian Krebs: I'm not aware of any known, unpatched serious holes in IE. That certainly doesn't mean there aren't any -- there almost undoubtedly are. It's just I don't know of any outstanding advisories that rise to the critical level (visit a site with IE and have your computer hacked without any other action on your part-type of vulnerability).
Rockville, Md.: Hi Brian I have three questions. 1. How can I know the website I visit is not hacked? Recently, I visited the Burmese language social network site and later it was known to be hacked. 2. To what extent a hacked website can damage the visitor's information? 3. What are the protection measures in such a case?
2. A hacked web site can be loaded with code that tries to install a Trojan or other malicious program when the user visits. Often, this is accomplished by probing the visitor's system for Web browser plug-in flaws that are unpatched. Barring that, a hacked site will often tell the visitor he or she needs to install a plug-in (malware in disguise) in order to view content. If successful, the malware can very easily steal usernames and passwords stored on the victim's system, and intercept those credentials when victims go to enter them at bank and ecommerce sites.
3. Keeping your system and browser(s) up to date with the latest security updates is huge. Browsing with something more secure than IE -- such as Firefox with the noscript add-on as mentioned above -- is another great way to lessen your chances of become a victim of a hacked site.
Anyway, if you go back to foxit, you can simply set it as your default reader in Vista (I think there's a default programs section in the Vista Windows Control Panel). Either that, or just uninstall Adobe Reader altogether.
Also, as per our blog post yesterday, it's very likely that your installed version of Adobe Flash Player is out of date. Time to update that as well.
Anonymous: My computer is infected with "worm 32". Norton 360 finds bits and pieces of it all called some variation of xxx32. It removes these, only to find a new yyy32 a few days later. What can I do? Thanks.
Brian Krebs: The help you need is some step-by-step guidance that requires downloading lots of tools, scanning, rescanning, rebooting, rescanning, etc, and is well beyond the scope of advice I can give you here. It sounds like you have a file-infector on your system (probably combined with a rootkit of some sort) that basically re-infects files and programs after they are disinfected.
I'd advise you to take your problem to BroadBand Reports' Security Cleanup Forum, making *double sure* you follow their instructions *before* your initial posting there.
Dos Palos, Calif.: My son-in-law lives with my husband & me. The son is a computer hacker & has violated my computer several times. Unfortunately, I am a novice at the computer, but I'm tired of my rights being violated. Any suggestions?
Brian Krebs: Yes, forbid him from using your computer.
Have you set up a password for your user accounts? That might be one way to keep him out of your computer, although truthfully, there is not much you can do to keep him from abusing the system and compromising that security if he has a) physical access to the computer and b) no care at all whether he resets your passwords, and potentially locks YOU out of the system.
The other thing to consider is that, if you truly believe he is breaking the law using your computer, it may well be that the law could at some come down on YOU for said activity.
I would try talking to him about it first. I would also set a strong password on the administrator (main) account -- making sure to keep that password private (not Postit-noted to the monitor, e.g.,), and then set up a limited user account for him, an account which does not have the rights to install software, access your other files, etc. You will need to make sure that you don't leave yourself logged in to the administrator account while you are away from the computer.
Good luck. I'm sure some of our other readers will have some added advice.
Sarasota, Fla.: Hi Brian
The IT guy at my company alerted us all to a computer virus warning us to not open e-mails with .americangreetingcards. If we have up to date antivirus wouldn't it protect against infection?
Brian Krebs: Hah!
Just because you have anti-virus software installed, doesn't mean it will save you from random fool thing you might do on your computer. In fact, anti-virus almost *always* lags several hours if not days behind the latest threats. The entire industry is predicated on a small subset of users getting whacked before the rest are protected. Sounds harsh, but it's true.
I said all this more than a year ago, in a story we wrote about the onslaught of malware the antivirus industry has to contend with each day. Yes, the AV firms write generic signatures that can catch a lot of stuff without having to ship new signatures, but the bad guys are well ahead and getting further ahead of anti-virus tools every day.
So, in short, no: You cannot depend on your anti-virus software to protect you from doing things that are for better or worse risky propositions. That includes randomly clicking on links in unsolicited email. And fake greeting cards are among the biggest e-mail vectors for malicious software and have been for some time.
It's really too bad for the online greeting card industry that this is the case, but it's reality. These services, however well-meaning, encourage people to click on links in unsolicited emails.
Think I'm overblowing this? Security provider Marshal, which specializes in tracking botnet activity, just today put up a blog post warning that most of these ubiquitous "Classmates" invites are an invitation to infect your computer with a nasty information stealing trojan and a bot.
Think before you click. Anti-virus will not save you from poor decisions. That goes for any other software solution out there.
Northern VA: What are your thoughts on privacy in regard to Google services(Gmail, Google Docs, etc.), should we really be worried that our stuff are being read? Gmail probably does scan the contents, because they display relevant ads.
Brian Krebs: As I wrote in a story earlier this year, there is no such thing as "free" online. To quote someone smarter than me, the things we think are free we actually pay for in micropayments of personal information over time, micropayments that translate in marketers building pretty large databases about each of us, our preferences, where we like to go online, etc. Some people don't really care if marketers have this information. Others find it very unsettling. In the end, it doesn't matter where I come down on this really: The question is whether the trade-off is worth it to you?
Gmail's services are free, right? Well, that depends on how YOU look at it. Of course they are mining keywords in your emails and documents to serve you more targeted ads -- they state that up front in their terms of service. Does some at Google go through hundreds and millions of peoples' billions of gmails a day and start reading messages? Not likely.
Free or no, I'd encourage people to be aware that e-mail is not a secure form of communication. Yes, Gmail and some other providers allow you to tweak their settings so that every email you send is encrypted and cannot be intercepted, but if you're truly worried about privacy in the traditional sense -- that someone isn't reading your e-mail, that's a different question altogether.
Adams Morgan: I saw one of these scare pieces on the Today Show about how PTP sharing can lead to having your documents ( like tax filings) compromised. How likely is that if you have a firewall and only have one folder that you use to share files? I use the Azureus software. How can I make sure that the rest of my computer is secure?
Brian Krebs: Using P2P software and downloading files -- be they music/mp3 files or executable programs -- is fairly dangerous. Veteran users will say, ah baloney, it's safe. In my experience, a lot of those users are using expired or pirated security software as well, so I take that reaction with a grain of salt.
I'm not saying P2P software is evil, or that if you download stuff via file-trading networks that you'll automatically get a virus or worm on your system. I will say, however, that P2P networks are and always have been the training grounds for malicious software writers. The idea is that you don't really have to build a botnet or some other distribution mechanism for your creation: the P2P network takes care of that. Just name your nasty something that is popular and highly-sought out, and you can have tons of victims pretty quickly.
It's also worth noting that recently we've seen an uptick in malware that masquerades as music files.
Point is, you're downloading programs from unknown sources. This is risky behavior. Sooner or later, it will probably result in you downloading something you don't want (and become a distribution hub for that nasty to the rest of the world). The risks increase exponentially when you start downloading .exe programs, such as pirated software, games and "crackz".
Los Angeles, Calif.: per your advice I only use Firefox and go to IE when necessary. if I disable adobe reader how will I get pdf programs? per your blog I did update flash player on both browsers.
Brian Krebs: If you disable/uninstall Adobe Reader, you'll need to install an alternative reader, such as Foxit. Foxit should install plugins for the browser that allow, for example, Firefox to recognize that Foxit should be used by default to open up PDF files.
If that doesn't happen, then you can always right click on the PDF link, save it to your system, and then double-click on the file to open it.
Warren, Ohio: I sometimes use the free Limewire music download service and have Embarq on-line security as well as PC Tools. Should I be concerned about recent reports of identity theft like those on NBC Today Show yesterday? What other precautions should I take.
Brian Krebs: See my answer to a similar question above. The Washington Post ran a front-page story of mine not long ago about a local investment firm who had a young employee who inadvertently shared the company's customer list -- including 2,000 or so names, social security numbers and birthdays -- for some of the Washington area's most powerful lawyers. Among those who had his information compromised in that breach was Supreme Court Justice Stephen Breyer.
Taylor, TX (currently in Lanzhou, China): No question this time, just a comment and warning about an "e-card" trojan that sneakily tried to slip through my e-mail yesterday, supposedly as a ZIP file attachment. I run NAV2008 that's fully up-to-date on patches and virus definitions, and it didn't identify it when coming into my in-box or after when I directly scanned the attachment.
The sneaky part is that the ZIP file supposedly contains a PDF e-card, but in reality it's an executable with a LOT of spaces (maybe 40) in the filename between the ".zip" and the trailing ".exe". I got fooled by a similar ploy several years ago while in Kyrgyzstan (though the executable filetype was a PIF, not an EXE), and so am doubly cautious to look very carefully at such things. I almost deleted this even before downloading it, but then decided it would be best to verify whether it was malware or legit. The base message purported to be from American Greeting cards (which is a legit operation), and the HTML webpage which it opened looked very much like the legit page, but wasn't quite right in some aspects of its appearance and that really twigged my suspicions.
Once I proved that it was malware, I uploaded it to Symantec with a detailed explanation and highlighted the fact that NAV2008 had NOT caught or identified it at either step, but other than the automated response with the case ID I've not received any further response from them. I dodged a spam-induced malware bullet this time, but other readers of this great column of yours might not be so fortunate if they are more trusting...
Brian Krebs: Thanks, Texas. Another example of why I am highly suspicious of any e-cards.
Arlington, Va.: Hello Mr. Krebs, I wanted to uninstall old versions of Java from my vista pc and I uninstalled a few. My motivation is more for security than hard drive space. I still have Java(TM) 6 Update 11 and Java(TM) SE Runtime Environment 6 Update 1. Is one an old version that I should uninstall or are they two different programs?
Also, while those are the only two Java programs I see on the Add/Remove programs, something called Java Platform SE Binary keeps asking ZoneAlarm for permission to access the internet. Do you know what that's about?
Thanks for the chat and the great column.
Brian Krebs: You can remove the Java SE Runtime 6 Update 1, as it's very old. I don't know why those are the only two Java programs on your system.
Java is equipped with an auto-update mechanism that periodically tries to check Sun's update servers for a new version. That's what Zone Alarm is complaining about.
You're welcome :)
New York, N.Y.: In my Computer, Properties,Security tab there is a group titled "Authenticated Users" along with "System", "Administrators" and "Users". Is this a trojan group? I had a trojan shut down my other PC and I think I remember this "Authenticated Users" as a group put there by the trojan. Is this group necessary? Thanks.
Brian Krebs: I assume you are asking about a Windows computer that is on a domain, such as one you use on a business network? The authenticated users group is necessary for certain accounts and services to work correction across a domain, and no I doubt it's a trojan.
Fairfax: While websurfing on coffeeshop wifi recently, a message box popped up on my screen that showed an ISP address, another long number followed by DHCP, and a request that I do something (add or connect or join or something similar). The only option given was to click ok; no "cancel," "close window" or anything else. I didn't want to agree to something I didn't understand, so I closed the airport connection. After I reopened it I didn't see the message again. I've never seen this before or since. I understand that DHCP is some kind of network management protocol. Was someone trying to connect to my computer? Was breaking the wifi connection the right thing to do? More generally, I understand that there are security issues associated with using wifi. But does the router itself record any user information? Can a computer connected to the router intercept, re-route or record another computer's wifi traffic? Is there any way the user can know whether this is happening?
Brian Krebs: You haven't told me anything about your setup, except the word "Airport" which maybe means you're talking about an experience you had on your Mac or you were connecting to a wireless network at an airport.
In either event, the wireless systems built into both Mac and Windows computers are configured to seek out and join local wireless networks by default. I've not see this specific type of connection attempt, either on a Mac or Windows system. And if you're not sure what requested an action on your system, particularly anything having to do with the network you're on (esp. wireless), your instincts to nix the thing are correct.
It may be that the whole incident was harmless. It may also be that someone nearby you in the coffee shop was browsing the Web with a PC or Mac that was infected with the latest DNS Changer Trojan, which actually tries to hand out its own DHCP lease in yet another bid to hijack DNS settings -- but this time even for uninfected, nearby systems. Check out this story for a bit more on DHCP, and a sobering look at some of the threats on that front.
Vienna, Va.: So, you've disable Autorun. What do you do when you put in a CD that you trust has no malware? How do you get the Autorun.inf to execute?
I suppose it's something really obvious, but I've done some Googleing and can't find the answer.
Brian Krebs: Open up Windows Explorer, or go to Start, My Computer. When you see the CD/DVD player icon, right click on it and select "Explorer." Then you should see all the files on the disk. In most cases, e.g., installation discs that come with hardware, the file you need will be called setup.exe.
Phoenix, Ariz.: Over a year ago signed up for AVG 7.5 free. Later they updated me to AVG 8.0 free Now my AVG virus site says database is outdated. In a loop with messages saying update successful, restart computer. Contacted AVG . . .learned how to delete program. Didn't work. Couldn't even update to AVG program for fee. Now can't seem to get news videos that I watch. Is this because my anti-virus program isn't working? What anti virus program do you recommend for a personal computer--home use? Also why do I keep getting emails that are sent to the wrong address. . .one letter deviates from my correct address. I try to block sender, but to no avail.
Brian Krebs: The e-mails-to-the-wrong address thing is just normal spam annoyance, and should be deleted. It has more to do with the fact that lots of companies and people running networks and mail servers don't know squat about how to configure them.
Re: AVG, I'd recommend kicking that program to the curb (its detection rates on malware are some of the lowest of the free AV solutions, and its update mechanism can be a bear). Couldn't tell from your question whether your attempts at removing it were successful. But I doubt the lack or presence of AVG on your system as anything to do with your ability to watch videos.
Avira's Anti-vir is a very good choice, is free, relatively lightweight, and much better detection. For other options, my colleague Rob Pegoraro recently posted a column on free antivirus options.
20036: Just a FYI...a friend just received a warning letter from Verizon (he has FiOS) for downloading a movie using a Bit Torrent client. The letter talks about copyright infringement, that Verizon hasn't revealed his name but will do so if the complainant comes back with a court order. FYI.
Brian Krebs: Yes, this happened to a good friend of mine recently as well. It was not because he was downloading files, but because he was also sharing them. Sharing is what will get you in trouble. By default, the same folder that you use to store downloaded files in most P2P programs is the same one that's shared with other P2P users. The entertainment industry generally goes after sharers. The P2P networks also generally reward sharers by making their downloads faster.
Cleveland, Ohio: How do I get rid of the message "Stack Overflow at Line 873 "? I am weary of having it pop up every time I use my computer.
Brian Krebs: IE user? Please, folks, at least tell me what browser you're using.
Completely close out, and restart IE. That message should no longer be a problem.
Cody, Wyo.: Hi Brian,
Thanks for your Adobe Flash article yesterday. I did the separate installations for Firefox and IE, as you advised. I had no problems. But I do have a question.
I've never been sure about the older installations of Flash when we update. Do we need to manually remove the older files? Or does installing the newest ones automatically remove the older ones?
Thanks a bunch!
Brian Krebs: If you click the "more information" button when you're installing the flash update, you should be able to see a list of the files it updates and removes. Last time I checked, Adobe's Flash installer removes older versions after it installs the newest one
Minneapolis, Minn.: I am the only person with physical access to my new Vista SP1 desktop computer. I run as an Admin, with no password. What, if anything, would I gain by running as a Standard User? As Admin, it seems that I get a UAC warning every time that something "security important" happens.
Brian Krebs: You might be better off running as admin with the UAC enabled. A while back, I fooled around by switching to a lesser user in Vista, and a couple of programs broke, requiring me to reinstall them. The UAC prompts essentially accomplish the same thing as a lesser account, except that in a lesser account you're more likely to be required to enter your password, which might make the lesser user more inclined to really consider why they are being asked for a password, instead of just clicking through the "are you sure" prompts in admin-mode UAC.
Winnebago, Neb.: I just set up a friend with Windows XP. I have her using Firefox and No-Script and running in Limited User Mode. (My own computer runs Ubuntu when I go online.)
My question is: I read that a great many viruses come from opening infected emails. Is "limited user mode" the only protection needed or available?
I have informed my friend about not opening unknown emails but a lot of her friends are not so careful about security and could be forwarding or sending emails.
Brian Krebs: It's not often that people infect their systems with malicious software after merely viewing an email with a virus in it. In most cases, the malicious software is included as an attachment that only infects the user's system the recipient clicks on the file and opens it. That said, it's not uncommon for anti-virus software on your system to detect an "infection," even though the "infection" is merely an infected file that was downloaded with your mail -- but not necessarily one your clicked on and opened. Make sense?
However, more common than poisoned email attachments are simple links included in spam that when clicked bring the user to a hostile site or tries to download a file. Obviously, the answer here is simply not to click.
I tell my friends and family, if you're going to send or forward me an attachment, if you want me to read it or look at it you'd better give me a good reason to do so. I don't open unbidden attachments sent to me via email. If I'm really curious, and someone I know sends me something that's little more than a "haha you should see this" or "dude, you have to check this out", in the few cases that I bite, I merely ask the sender - why are you sending this. And then I usually say, shame on you for perpetuating this kind of thing. Tsk Tsk.
Salisbury, N.C.: Our local hospital, doctors, dentists, etc. require a person's social security number and date of birth before the person can get services. What can a person do to protect his/her identity in such cases? The Washington Post just reported that nearly 60% of people leaving or asked to leave their jobs are taking proprietary data with them. I wonder how many current employees also take such data?
washingtonpost.com: Data Theft Common By Departing Employees
Brian Krebs: Far more common than malicious insiders on the job are well-meaning but clue-needing people who inadvertently send expose sensitive consumer or company information. This can include emailing in plain text health care records, installing P2P Software on work computers that hold (and end up sharing) sensitive information, or by someone who puts sensitive information unencrypted on a laptop or removable drive and then later loses said device.
NYC, NY: Hi Brian,
My computer crashed. I purchased a new computer. Is there way to transfer the lost data to a new computer?
Brian Krebs: Yes. Care to tell me the first thing about your setup? Windows computer? Vista maybe is on the new computer?
I'm assuming you're saying the hard drive on the old computer crashed? You can probably still get the data off of it. If it were me, I would use a hard drive caddy that comes with a USB plug (you can buy them at any electronics store for about $20-30). I have three of these puppies, and they work like a dream. You simply plug in your old hard drive into one of these bad boys, and then plug the USB cord into it and the other end into your new PC, and power it up. You can then transfer files from one PC to the other.
Note that if you have two DVD drives on your system, you could also use a live linux distribution CD such as Knoppix to boot into Linux on the old drive (you'd be booting from the CD, not the hard drive), and then burn data from the conked hard drive onto a DVD using a Knoppix program like K3B.
Portland, Ore.: Is there really anything you can do about debt collectors calling you, thinking you're someone else? I constantly get prerecorded messages on my machine, and of course I'm not going to call them back when it's not me they're looking for. On the rare occasion when an actual human calls, I tell them I am someone else and plead with them to stop calling, but they still call. It's infuriating!
Brian Krebs: Have you listed your number on the FTC's national do-not-call registry?
Have you considered cutting the cord on your land line? Could save you $40 a month and a lot of telemarketing headache. Makes a lot of sense if you're already paying lots of money each month for a cell phone bill.
Goa, India: Hello, Some time back I realised my wireless modem was being accessed by others- due to the abnormally high billing charges. I use a UTStarcom -WA3002G4 modem and the service provider is DATA ONE . I was advised over the web (Fix Ya) as to how to reconfigure the modem to be a securitised one. It now shows-up as a 'Security enabled network" when I view available networks. Is this ALL that is required to be done and sufficient to prevent unauthorised access to my modem? I also use a Norton Anti virus package and the Windows firewall.
Brian Krebs: It's probably sufficient to keep casual passerby from jumping on your wireless network, yes. If you want to make sure the network is even stronger, make sure you're using a router that supports WPA or WPA2 encryption. WEP is not very secure, but again, it's better than no encryption, as you have found.
Brian Krebs: I wanted to let readers know that over the next few weeks, we will be phasing in a new design for the Security Fix blog, which will include among other things a home for not only a glossary of terms but also a series of pages for resources that touch on some of the most common themes of questions that show up in this chat.
I'm out of time for today. Thanks to the many folks who submitted questions. I'm only sorry I could not get to them all. Please join us again in a couple of weeks for another Security Fix Live. Until then, consider dropping by the Security Fix blog to stay on top of the latest threats, tips and security advice.
Be safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.