Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, April 10, 2009 11:00 AM

Security Fix blogger Brian Krebs will be online Friday, April 10, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.

Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.

____________________

Brian Krebs: Good morning, Dear Security Fix Readers. Welcome to Security Fix Live! I'm all set to get started on your questions. Just a quick reminder to those of you who haven't joined us before...please be as specific as humanly possible in your questions about your system setup, the browser and installed security software/hardware you're using, as well as operating system version. I will do my best to answer all of the questions in the short time that we have. With that...ONWARDS!

_______________________

Chicago, Ill.: Hi Brian,

RE the Conficker.C virus you mention in your column, I think my dad's computer is infected. What do you do to get rid of this thing?

He has a Windows XP computer with (I believe) all SPs installed, plus McAfee virus protection. Until a few months ago, he was using AOL dial-up (yes dialup!) for internet, and he has that "suite" of built-in protection for his computer too. I think he may be a Power User or Admin.

I use a Mac primarily, so while I can work with a PC, I'm not sure how to check and fix this.

I'm going to look into setting him up with Drop My Rights for the future, but how do I check and clean (if needed) his system? (What apps to use? And, other than Windows update, what do I need check?)

Thanks so much for any help you can offer!

washingtonpost.com: Help File: Combating Conficker (March 29)

Brian Krebs: You can find out if you have conficker by visiting this page and checking the eye chart.

If you have conficker, you will not be able to use that system to visit most security sites. There are a few exceptions. For instance, conficker blocks infected systems from visiting F-Secure.com, but not fsecure.com, which is the same domain. They have a removal tool, available here, that you should be able to grab.

Conficker has been dropping fake antivirus software on infected systems as well as other nastiness. You might consider grabbing the free version of Superantispyware as well and running a scan there.

There are other resources and advice for people who find infections by Conficker, at the working group link at the beginning of this response.

_______________________

Clementsport, NS, Canada: After two frustrating years of dial-up, we have been given a glimmer of hope in the form of a wireless high-speed internet connection to be installed in the next couple of years. If I manage not to die of a heart attack brought on by extreme anger and frustration before this happens, what are the security risks and concerns?

Brian Krebs: Do you imagine that just because you are moving from dial-up to DSL that somehow a slew of new threats emerge? What are you presently doing to keep your system secure? My main recommendations would be to grab a $50 router and connect that to the DSL modem. If you purchase a wireless router instead of a wired one so that you can use laptops around the house, make sure you secure the router with stronger WPA or WPA2 encryption. Here are some videos and text instructions on how to do that for the most popular routers.

Hopefully you already are following all of the other best practices, such as keeping up to date with patches for the operating system, for third party programs like Flash and Adobe, using up-to-date antivirus software. A software firewall like ZoneAlarm or at least the built-in Windows firewall should round out the basic protection scheme for you. If you're running Windows XP, consider setting the system up to run under a limited user account. Best of luck.

_______________________

Petersburg, Va.: My personal e-mail address is being used to send spam. I became aware of it yesterday when I received a failure notice from hotmail for an e-mail I hadn't sent -- the contents of the e-mail concerned a shopping site. This morning, a friend told me he's received spam in reply to an e-mail he'd sent me. How do I stop this? The address is the main one on our home MSN account so it's not as simple as just changing my e-mail address. Thanks.

Brian Krebs: It is very unlikely that someone has hacked your MSN account in order to send out spam. Here is what is going on: spammers buy, sell, beg, borrow or steal to get huge lists of e-mail addresses. These e-mail addresses are used not only as recipients for the junk mail, but they also spoof the address in the "from:" field using the same lists.

When you receive a bounce-back reply on a message you did not send, that's because some spamming program simply inserted your e-mail address in the from: field and the message was sent to a mail server that rejected it for some reason (probably because the destination e-mail address is no longer valid).

There is no really reliable way to stop this kind of thing, unfortunately.

_______________________

Chicago, Ill.: Brian, what's the safest Web browser to use on a Macintosh? My mother isn't very tech-savvy, and she has a Mac. Is Safari okay to use on a Mac, or should I encourage her to switch to Firefox instead?

If you don't know the answer to this question, could you refer me to a Mac-centered discussion group/blog where I could post this query?

Thank you for your time. Thank you, too, for your blog and chats. I've learned a great deal from both.

Brian Krebs: Hi Chicago. Your mom is orders of magnitude safer on the Internet these days just by being on a Mac. Safari is pretty safe, and Firefox for the Mac may be safer. I prefer Firefox on the Mac over Safari simply because I find Safari crashes too much for whatever reason. Plus, I've grown accustomed to having certain Firefox plugins.

I would just make sure you explain to her that she should be extremely wary about installing anything that she didn't go looking for. There aren't many malware threats for the Mac, but those that are out there generally require some user participation (i.e. the user is asked to enter their system password). Most of these threats come from Web sites that ask you to install updates or warn of security threats on your system. Just make sure she understands that if she's going to update the Flash player or Adobe reader or whatever on her system, that she does so by going to the vendor's site, not by accepting updates from random Web sites.

Hope that helps.

_______________________

Pittsburgh, Pa: Brian,

Bought a new flash drive. Says it's "U3" compatible. What is that?

Brian Krebs: U3 is a proprietary data storage system that basically makes it so that you can use a portable flash drive to store not only programs but all of the data that these programs produce and store.

PCHell has a pretty good and succinct description of what makes these U3 drives different from regular Flash drives.

The maker of U3 technology also has a nice list of apps that one might like to use to take advantage of the U3 features.

_______________________

Lorton, Va.: My wife and I both use Firefox 3.08. For reasons I can't find out so far, the password remember feature works for me and no longer works for her. I've spent 2+ hours checking all our Firefox settings, versions of Java now .13 including removal of all old ones. Javascript enabling and cookies are the same on both machines. Nothing I've yet done has fixed this. Any ideas Brian?

New subject: I now have a friend who is an engineer working for the FCC. Anything you'd like me to bend his ear on? Sincerely, Rob

Brian Krebs: Is this on the same computer using different profiles, or the same version of Firefox on two different PCs? I ask because managing multiple Firefox profiles on one PC has never worked out too well for me in the past.

Assuming she's having the problem on her own computer, you probably checked this already, but go to Options, and then on the main tab under Passwords, make sure there's a check box next to "Remember Passwords for Sites."

_______________________

Southwest, Va.: In cleaning up some files on my pc, I deleted several spreadsheets mistakenly. My bad is that I didn't have those things backed up. So, I purchased a product called "Search and Recover".

And here's the catch 22..... the "Search and Recover" software requires connection to the Internet in order to "authenticate and update the product".

My concern is that they intend to open a port, clear it with Norton Security code-wise, and gain eternal access to my hard drive. Wondering if my concerns are unfounded...

Brian Krebs: I've never heard of this product, but a quick search suggests that it's more or less legit. My suspicion is that your need to recover this file will outweigh any concerns you may have that the software's authors may do something untoward. I think the risk is minimal.

You can always tell the firewall to block subsequent access attempts. It's fairly common for software to phone home on the first run, usually to check for newer versions and/or to validate that a product installed correctly/license check.

_______________________

Alexandria, Va.: Brian: What's the latest on this 'April fools' worm? I still run a fat32 OS here, so I'm likely immune, but I have seemed to pick up some occasional keylogger here lately. I have learned to crash it out.

Why doesn't anyone tell the NTFS world that they will never get so much as a symptom if their NTFS system gets compromised?

This is a national disaster in the works, and it seems nobody is in charge except the stupidest congress in history.

Just sayin is all

Brian Krebs: I don't know why you think having an installation of Windows on a FAT32 type partition is going to save your system from being infected with this worm. Very few people are running FAT32 installations of Windows these days. Either you have installed the MS08-067 patch for this vulnerability or you have not. The rest comes down to basic security practices and having some decent protections in place and not doing dumb stuff online.

Since you and several others have asked, the latest on the Conficker worm is that it is now being used to push out a spam bot, as well as rogue anti-virus software. If you're seeing incessant prompts to install SpywareProtect2009, chances are exceedingly good that your system is infected with Conficker. One of the first responses I gave in this chat today had links for those who need to respond to a conficker infection.

The blog post we put up this morning about the latest Conficker antics is here:

Conficker Worm Awakens, Downloads Rogue Anti-virus Software

_______________________

Hayward, Calif.: Brian.. Thank You for your column. I really enjoy it and find it most informative. I read it religiously. In your opinion can the security problems for the web be fixed?? If you could fix the web, how would you do it?? Why aren't you on the Obama team that is supposed to be assessing cyber security as it seems you are one of the most savvy security folks around??

Thank you

Dennis

Brian Krebs: First off, thanks for the compliments. I feel that being a journalist allows me to have a much bigger impact on this issue than any political position or any other advisory-type role could ever bring. Happy where I am, thanks very much.

Some of the problems we have with the Web today stem of course from the fact that this entire thing was never designed to be the size and scope that it has become today. It was designed in an era when very few people were using the network, and everyone trusted each other implicitly. The system was designed to be very resilient, routing around problems if there were ever an attack on our communications infrastructure.

The Internet we have today is more resilient than ever, but it is really no more secure than it was 20 years ago. The basic protocols that drive the Web haven't changed since the whole thing took off. The basic problem is there is no authentication, no easy, scalable way to manage identity on the Internet today.

There are some things that can be done to build identity management and better authentication in at a much higher, 50,000 foot, internet-wide level, and some of that is going on as we speak. Other, more granular approaches to increasing security on the web, however, almost always involve trade-offs. Chiefly, in order to be more confident that someone is who they say they are, we need to have some way of referencing something we know about this person or entity or location, and that probably would require people using the network to give up more identifying information about themselves, and would probably result in even less anonymity online than people have today (which may not be as much as people think when you cut through all the stuff that marketing companies are hoovering up about most online users).

As you can see, this is a complex topic that defies easy answers. That's just my off-the-cuff response. Wish I had time for more. Thanks for the question.

_______________________

Philadelphia, Pa.: Hi, a comment regarding the fellow who is getting spam bounced with his email address. Usually spammers aren't going to use the email address belonging to the person who owns the computer they've hijacked to send the spam. But I was concerned about this comment:

"This morning, a friend told me he's received spam in reply to an e-mail he'd sent me."

Hotmail is usually sent through the web application, not from the user's own computer/ISP. If someone has guessed his email password, or guessed the answer to his security question, I believe they can add a "vacation" autoreply to his hotmail account that would send spam to anyone who sends him an email. While the volume of spam being sent is low, it's not easy to trace to the spammer, and it's virtually assured of getting into the recipients' inboxes since it's coming from someone on their own whitelists.

Brian Krebs: Thanks for the input, Philadelphia. You are correct in your first statement.

I would respectfully disagree, however, that spammers may be doing anything as complex as messing with an individual user's vacation settings on their Web mail account. There are just way too many easier, more scalable ways of getting e-mail accounts, e-mail addresses, etc. to spam from.

_______________________

NY, NY: Brian, Your chats are so helpful. It seems that I have a virus that does the following: when I do a search on Google, and click on a search result, it will redirect me to a random site. I use Webroot Spysweeper to scan my computer, but nothing is found. Any suggestions?

Brian Krebs: You most likely have gotten infected with something like a TDSS Trojan, which is the generic term for a Trojan that redirects your search traffic to a third-party search engine you've probably never heard of that is getting commissions from all the hijacked traffic.

I would recommend grabbing a copy of the free versions of these two tools, downloading them, running a scan and removing whatever they find. Reboot, repeat. See if that fixes your problem.

SuperAntiSpyware

Malwarebytes' AntiMalware

By the way, I don't think too highly of Webroot's protection. If that's all you're using, it's no wonder your system is in the state it is. If you're willing to pay for AV/Firewall protection, consider Norton Internet Security 2009. It's actually pretty fast and quiet, and remarkably low on resources (unlike older versions of Norton). If you'd prefer to go free, consider running Zone Alarm Free, along with something like Antivir or AVAST.

_______________________

Pittsburgh, Pa: Brian,

We're having computer issues on the weekends, when we only have a skeleton staff. Can you recommend a good key logger program so we can cut down on the internet abuse?

Brian Krebs: There are plenty of legit keylogger programs out there you can buy. Ardamax makes a decent one for about $30.

However, you might simply consider locking down the systems so that the users don't have all-powerful administrator rights to change system settings, install programs, etc. This should be standard operating procedure for all of the systems in your business.

For information on how to do this on Windows XP, see this tutorial. On a Windows Vista install, you'd want to change the accounts from administrator to standard user accounts.

_______________________

notebook connections: Is there a way to connect all my peripherals to my notebook through its wireless port?

These include:
1. USB hard drive
2. USB keyboard
3. USB trackball
4. external monitor
5. phone line
6. iPod connection
7. USB wireless high speed internet
8. spare USB port for sound recorder

the poor little notebook is the head of an octopus of wires and tough to take on a casual trip because of all the connections that must be broken.

thanks

Jerry

Brian Krebs: No, but you could purchase a docking station for your version of the laptop. Those usually come with all the ports and connections you need.

_______________________

Eugene, Ore.: I'd like to securely check mail and do occasional bank or stock transactions from a public hotspot. Do you have a preferred free or subscription VPN (virtual private network)? Would using TOR (http://www.torproject.org/overview.html.en) be a satisfactory choice?

Thanks for the informative Web chats!

Brian Krebs: I don't have a preferred VPN provider. I can't tell if half of the companies offering these services (some are free, go figure) are legit or not. At any rate, I don't think they're really necessary.

If you do a lot of mobile computing, the very first thing I would suggest you do is take advantage of a free service like OpenDNS. There are several different types of threats now that can hijack your DNS settings wirelessly and on open wireless networks, and that's just bad news. OpenDNS can prevent that from happening.

Aside from that, just make sure you pay attention for any strange SSL cert errors while browsing wirelessly (if you see any on an open wireless network, it's a good idea to put off that transaction until you can be sure you're on a network you trust).

TOR is nice for anonymity, but it doesn't do much for security. The data will be encrypted while it's bouncing around the various TOR nodes, but it eventually comes out unencrypted. So, just make sure that when you're transmitting sensitive information over a wireless network, that the browser session is protected by an SSL connection (the browser url starts with https://).

_______________________

Clarendon, Va.: Brian,

AOL adds a little ad to the bottom of every email I send. Is there a way to disable this annoying feature? I only want to run ads for the Post!

Brian Krebs: I'm not an AOL user, but WinPatrol author Bill Pytlovany says this method worked for him. Your mileage may vary.

_______________________

Va.: Hi Brian, a while back you printed an extensive list of Linux distributions. Could you possibly reprint that list? Thank you

Brian Krebs: Sure. I believe what I posted was a list of LIVE Linux CD distributions. These are distros of Linux of various flavors and focuses that you can burn to a CD. Boot up from the CD and you're in Linux!

Linux Live CD Distros

_______________________

Taylor, Texas: I'm running Windows XP SP3 with Norton Antivirus 2008, ZoneAlarm Pro and Spybot on a vintage Toshiba notebook that I take on international project assignments to countries (like China) with lots of potential malware exposure. The subscriptions for Norton and ZA expire in another few weeks, so while I'm at my home base I need to address the pending deadlines. I've got various options -- I could 1) simply purchase an annual subscription to extend the current versions for another year, 2) purchase the latest versions of these (or some other vendor's product, as the local Fry's has various good deals from week to week), 3) purchase an integrated suite from one or the other vendor, or 4) go with something free like the Comodo antivirus and firewall suite (I'd keep the free Spybot, but get rid of the others presently installed). Any thoughts on how well Comodo stacks up against other vendors in protecting against various forms of malware, or further suggestions beyond the options I laid out?

Brian Krebs: A couple of thoughts. Norton Antivirus2009 and/or Internet Security 2009 are worlds faster/quieter than NAV2008 versions and well worth the money. If you prefer not to have an all-in-one suite, I'd recommend as a standalone AV something like Antivir Pro or ESET Nod32.

I tried Comodo for a while on two different machines, and enjoyed using it, except that it would toss up a bizillion warnings and prompts every time I tried to install a new program, which got old very quickly. I was told the advice I passed on in this Security Fix Live chat should work to address that annoyance, though.

_______________________

San Jose, Calif.: Is there a specific anti-malware program that can tell you whether or not you are infected with a spambot sending piece of malware?

I tried RUbotted for a few weeks, but other than recommending antispyware scans via Spybot, Windows Defender or Ad-Aware, antivirus scans from Kaspersky, Panda, Trend Micro, AVG, BitDefender or F-Secure, or manual tools such as HijackThis or CCleaner, are there any surefire ways to tell if you are infected with a bot or a rootkit?

If you run the scans above, then change all of your passwords, is it more likely than not you are simply receiving spoofed emails that can not be dealt with instead of being infected?

Brian Krebs: You can grab a copy of the Ultimate Boot CD, burn the downloaded ISO image as a bootable image onto a blank CD-ROM using something like Nero or the free DeepBurner. Then boot into it, and be patient while it loads the desktop. You should find under the start menu and programs a listing of several anti-virus tools that you can update and then use to run a scan on the underlying hard drive.

This way, if your system was compromised, and the malware had succeeded in disabling your security software or deeply hijacking the Windows operating system, a scan with a bootable disc would probably find the malware, whereas a scan with your malware tools while booted into regular Windows probably would not.

_______________________

Brian Krebs: We are out of time for this week, folks. I am only sorry I could not get to more questions than I did. Please consider making it a habit (if you don't already) of dropping by the Security Fix blog at least once a day to stay abreast of the latest security news, updates, and advice. Until next time, be safe out there, people!

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.


© 2009 Washingtonpost.Newsweek Interactive