Security Fix Live
Friday, May 8, 2009; 11:00 AM
Security Fix blogger Brian Krebs was online Friday, May 8, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.
Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.
Brian Krebs: Good morning, Dear Security Fix readers, and welcome to Security Fix Live! Please do me the favor of being as specific as possible in describing your system setup, what security software you're using, operating system, browser, etc. Ditto for hardware related issues. With that...ONWARDS!
New York, Neeeeeew Yoooooooooooooooooooork: I switched from msdos to Coherent Unix when Windows 3.1 first came out. I've been watching the M$ operating systems -- and supporting them -- for 15+ years. What I still cannot figure out is why anyone subjects themselves to this much pain?
Q: Do you think that making hosting a botnet service a parking-ticket level offense would help?
Today neither M$ nor the users have a significant reason to correct the problems. If everyone who was found hosting a botnet (i.e., not taking adequate care of their system) were charged, say, US$40 it'd certainly give everyone a reason to pay attention and even M$ to correct the known problems.
I'd put it in the same category as leaving your car parked with the e-brake off or failing to correct known-faulty brakes: you put other people at risk by not taking proper care of machinery you own.
Brian Krebs: Goooooood mooooorning New York!
Your suggestion is an admirable one, and it at least gets to what I think is the heart of the matter, which is that ISPs are under no obligation to police their networks for users who are clearly a danger to others.
There is no reason that an infected machine should be allowed to spew spam and host phishing pages or stolen data and the like for weeks and months on end while the ISP does nothing. Oddly enough, I think there are good parallels between the Internet security problem we face today and the copyright battles that are ongoing. Right now, we have a law that says to ISPs, if you've got a customer who's hosting movies or songs and sharing them with the rest of the world without permission, you have to take that content (or customer) offline, or you as the ISP waive your right to immunity from prosecution for aiding copyright violations. This imperfect but reasonably effective law was won through no small measure of lobbying from Hollywood. But who's lobbying for the same thing on behalf of Internet users everywhere: a law that would require ISPs to police their networks for clear problem customers? Answer: nobody.
And with all the public uproar over Net Neutrality and deep packet inspection, you can probably kiss this idea goodbye, because it would probably never fly.
To answer your question directly, would a parking ticket level fine work for clueless or careless Web users? I doubt it. You get a parking ticket, it's usually pretty clear why you have a ticket, right? Time expired on the meter, parked in the wrong spot, etc. Not so with computers. I got a ticket. Dang. Now what? All you're doing with that approach is shifting the cost to the user. That's a tempting solution, but it won't bring about the outcome you're
Accord, NY: Have recently begun receiving spam from different sources, but it's always the same type of ad, indicating it's from one source. How would one spammer target me from multiple email addresses and URLs? Any way to block such a technique?
Brian Krebs: Spam is by definition sent by multiple sources at once. Spammers blast their junk mail through hundreds, thousands or tens of thousands of compromised systems simultaneously.
Why do you care how many sources it's from? It's still unwanted email, right? You haven't told me a thing about your setup, but if you use Outlook, OE, or any one of several other common types of email programs, you can download and use something like the free Mailwasher
San Jose, Calif.: I just want to say I recently found your blog and I enjoy it very much. You manage to find topics/stories that I don't see anywhere else. As an information security professional, I read many blogs and newsletters, and I read your blog daily. I want to say thank you and keep up the great work! Sheryl, CISSP
Brian Krebs: Thanks, Sheryl! I love hearing from fellow geeks who enjoy my work.
NYC: I recently upgraded, as a hobby, two old laptops (Thinkpad, Toshiba) with 80meg and 160meg RAM respectively, 2.1 and 4.2 GB hard drive size, from Windows 98SE to Windows 2000 Professional and was floored by what a good operating system this is. Both laptops work speedily and when I tried to remove excess back-up files through a DOS command the OS stopped me and had me re-insert the installation disk to be sure the dlls were still accurate. It beats me why one would choose a later Microsoft OS over the 2000 Professional, it being, comparatively, so small and stable.
Brian Krebs: I really liked W2K as well. I smiled when I read your Toshiba/160mbRAM description, because I was booting up an old Toshiba P3 with 160mb of RAM just the other day, and noticed that it still had W2k installed. And like you, I was reminded of what a speedy OS this was, comparatively.
Thanks for the trip down (low) memory lane.
Rural, Va.: After downloading Internet Explorer 8 - and rebooting my pc - when I went back onto the internet, the Norton Security Icon turned red. I selected the "fix now" option. Then the Norton Icon went back to fine with the little green check. In between, for a very brief time Norton displayed a box noting that something was happening with the phishing protection feature. Does anyone else have the same problem? Is this an indication that Microsoft is utilizing phishing methods?
Of note, after installing IE8, it opened a new tab on my Google browser. The new tab displayed options such as "inprivate browsing", "web slices", "accelerators", and "smartscreen filter". Could any of this be the cause of Norton's phishing notice?
Brian Krebs: Hi. This appears to be a known compatibility issue between IE8 and Norton. There is a thread here at Norton's user forum that looks like it has a suggested workaround that fixes this.
Old Town Alexandria, VA: Hello. I have a laptop with Windows XP home and am using Firefox. I never use Internet Explorer, but seems I can't get Windows updates without it. Question: Should I continuously update IE even if I don't use it at all? I know the latest edition IE8 is out, but didn't know if I should have been updating it all along. Thanks.
Brian Krebs: If you're using XP, you don't need IE to get updates. You can use the Automatic Update feature built-in to Windows. To configure this, go to Start, (Settings), Control Panel, then Automatic Updates. You'll see several options. If you select "download updates for me, but let me choose when to install them," windows will grab the latest updates shortly after they're released, and notify you with a yellow shield icon in the bottom right of the Windows taskbar. Double click that and either choose to install all of those available or click "custom" if you want to pick and choose.
To your question, you should continue to apply all security updates, regardless of whether you regularly use the software in question.
Madison, NJ: Online banking - 2 part question Is there more risk in paying bills online than in mailing a check? And, if so, how can one best protect oneself from that risk?
Brian Krebs: Paying your bills online is akin to shopping with your debit card. It just means that if your credentials do get compromised, it might be somewhat more complicated to sort things out, especially if fraud causes overdrafts and then checks to bounce. Whereas, shopping online with a credit card brings you zero liability, and any disputed charges are usually removed without issue, as long as you contest them relatively early.
Lots of people think my approach is overkill, but I think it's perfectly reasonable in today's households, which generally have more than one computer. I always advise people not to do online banking, shopping, personal data transactions, etc., from the same machine that the rest of the house is using to browse Web sites, play games online, etc.
Beyond that, the usual advice should keep you safe. Keep your antivirus up to date. Use a firewall. Patch the operating system when it says you should. Keep your browser plug-ins (especially Adobe Flash/Reader) up to date. Never install anything you didn't go looking for. Install updates only from the manufacturer/software maker's web site. If you run into a "mousetrapping" problem with your browser that won't let you get out of endless attempts to get the action you desire from clicking, close out of the browser completely by hitting ctrl-alt-del and then terminating the browser. If you use Windows XP, consider running Windows as a limited user. Don't open spam e-mails. Don't open e-mail attachments you weren't expecting.
That's a pretty long list, but if you take half of that advice, you'll probably be more secure than most online.
Chicago, IL: Hi Brian,
Thanks for all the wonderful advice you always give. Your blog is great.
Is there such a thing as antivirus protection for a smart phone, for example, the Sony Ericsson X1 or the new Nokia N97? These phones have a web browser feature but I'm worried about viruses, etc. Don't have either phone yet, but thinking about it.
Thanks so much.
Brian Krebs: Thanks for the praise. Yes, there is such protection. I believe F-Secure makes some anti-virus software for phones, but not sure about your model.
Still, I don't think that there is any kind of virus threat to mobile phones yet sufficient enough for people to worry about this sort of thing. As I always say when I'm asked this question, the bigger threat for most people is, "What would you do if you lost your phone?" How screwed would you be if there was sensitive data on there? Have you investigated to see whether your model supports remote data wipe features? Something to chew on.
Austintown, Ohio: Hi Brian,
Enjoy reading your invaluable writings and this Q&A especially.
Just a couple of general questions today. Have you any experience/thoughts regarding Panda's Cloud Antivirus beta? Do you know if SnopFree.sys (with one "o") in the Windows/system32/drivers folder is part of Snoopfree P.S. 1.0.7 or is it malware? Thanks.
Brian Krebs: I'm actually running Panda's new cloud antivirus service through a trial run right now. Will post a review later next week. Stay tuned.
Chula Vista, Calif.: Hi Brian,
I really enjoy your Security Fix column and I follow your advice every time, and up to now haven't had any problems, thank you.
I have a problem with my daughter's laptop that I hope you can help me with. For some time now this computer is really slow. I have ZoneAlarm, avast antivirus and antispyware software run regularly without any problems, it runs on Win/XP and all of them are up-to-date, but if I run Task Manager it shows too many processes running at the same time (200). It has too many registries and I need to get rid of some, but I don't know how to do it safely and efficiently. The only thing I can think of doing is reformatting the hard drive and loading again all the essential software that she needs.
Brian Krebs: Sure. I find most machines can be cleaned up pretty quickly using a couple of tools.
Try this: Download, install, run these two programs, and remove whatever they find:
Let us know how it goes.
Arlington, VA: Maybe I'm worrying too much or reading too much into this, but with all the panic of the Conficker virus and how it prevents updates to antivirus software etc., I couldn't help but notice that the same Windows XP update is getting downloaded onto my machine every night. The exact same update! The automatic updates window simply calls it "Update for Windows XP" along with a code number (which escapes me at the moment), and I can't help but wonder why the exact same Windows update is getting loaded onto my machine every time I turn it on.
Like I said, would this at all be symptomatic of Conficker, or am I just reading too much into this?
Brian Krebs: Is the update being downloaded over and over, or is it just trying to and failing to install it?
To find out for sure, check out your Windows Update logs
1. Click Start, and then click Run.
2. In the Open box, type %windir%\windowsupdate.log, and then click OK.
That should tell you what's going on with that update, if there are any errors. If so, Google the error message and see if you can find out what's up, or post what you find here.
Conficker is just one of many, many, many threats out there today that automatically block infected PCs from visiting Microsoft.com or one of dozens of security Web sites. Just b/c you're having a Windows update problem or glitch doesn't by itself mean your system is infected with one of these parasites, however.
Ellicott City, MD: Your thoughts on internet explorer 8?? I'm using version 7 and am reluctant to switch. There are rumors that it's faster and more secure. But I also heard that some websites won't work. Do you recommend waiting until all the bugs are out?
Brian Krebs: Everything you've heard is true, from where I sit. It is faster than IE7, and more secure. And some Web sites won't work perfectly with it. Microsoft has shipped a compatibility adjustment feature with IE8, but having to adjust it all the time is kind of a pain.
I don't think there's any harm in waiting to update though. However, I'm a Firefox user myself. I simply have grown waaaaaay too attached to some of my favorite add-ons in Firefox, features that simply aren't available in IE.
New York, NY: Hi Brian,
Whenever I open a folder with AVI files in it, I get a message about COM Surrogate failing. I've googled this and tried everything I see (uninstalling codecs, turning off thumbnail previews, etc.) but nothing seems to work.
If it helps, I use VLC player as my media player and I'm using Windows VISTA. Do you have any ideas as to what might cause this problem? Or even better, how I might resolve it?
Brian Krebs: I've never heard of this problem, but thank you for following my instructions by including the error message in your question.
I believe this site has several answers/fixes. It sounds like it's related to the installation of a codec pack, perhaps one that is bundled with VLC. Note, one of the solutions is to "disable data execution prevention (DEP)", but this is a pretty useful security feature in Windows. If you can find a way to make this work without disabling DEP, I'd urge you to do that.
Salem, OR: Is a fax more secure than e-mail? If so, how?
Brian Krebs: Neither are terribly secure or private. E-mail without encryption is about as private as a postcard, meaning that almost any party that sits in the network path between you and the recipient can potentially read it. Faxes aren't much different, except they're sent over the public switched telephone network, and of course are readable in plain text on both ends of the conversation.
I don't know the real answer to your question. I suspect more people would be familiar with how to intercept an e-mail than a fax transmission, but that's just a guess. Faxes aren't very secure, but it's amazing how much really, really important and sensitive business info is sent each day over them. Now that I think about it, the same is true for e-mail. Doh!
Bismarck, ND: I was just reading the transcript of last week's chat and this is to spread some knowledge to the poster with the burning UPS. I worked for 6 years on RADARs for the Navy. Problems in the power train from the wall into your equipment can cause lots of damage and not all of it immediately obvious. I'm not sure if there are any hard numbers but I would be willing to bet that most hardware faults in computers are not from manufacturing issues but from bad power. The person with the lemon name brand computer might want to check his power, when his surge suppressor was last replaced etc. Surges can originate from any device on the power grid that changes power state (think microwave, refrigerator, etc). Lightning protection is a joke as it will blow through any UPS or surge suppressor as if it didn't exist.
When computer power supplies fail they can also send smaller surges generated internally into the sensitive electronics of your computer. This damage may not be immediately obvious as a damaged transistor may continue working - just generating extra heat. When transistors and other silicon based electronics heat up they conduct better, when they conduct better they generate more heat and eventually you get thermal runaway. Depending on the damage this can take months to show up. As a rule of thumb I always treat a computer that has had to have a power supply replaced as one step from sudden death. On the other hand it may continue to work for years but it is wise to be cautious (i.e. making backups of your work).
On the note of consumer UPSs and surge suppressors. Nearly all of these devices use a device called a MOV to do at least some of the suppression work. These devices will degrade with every surge they shunt and eventually fail. There have been reports of MOVs actually catching fire but I've never seen one do it personally. The Joule rating on these surge suppressors gives an estimate of how much cumulative energy they can absorb before they fail. As a rule of thumb I replace a surge suppressor every two years for every 1000 Joules of surge suppression, though I've never found hard numbers to indicate how long a surge suppressor's MOVs will last under normal household conditions, and some companies use additional circuitry that claims to reduce or eliminate the need for MOVs. Unfortunately most of those claims are long rants on web sites designed to sell alternative surge suppressors, which makes me suspicious of the validity of their claims (kind of like a late night TV infomercial). Hope this helps (and sorry if I was too long winded).
washingtonpost.com: Security Fix Live (4/24/2009)
Brian Krebs: Wow. Lots of interesting info here on power supplies, a la a question from a previous chat. Thanks, Bismarck!
Centreville: Hi Brian, What do you think about identity theft insurance? My wife has been informed that a computer was hacked into that contained her (and a whole bunch of other people's) personal information such as social security. She was told to have a fraud alert put in her credit file. GEICO sells the insurance. Is it wise to get it?
Brian Krebs: The problem with these types of services is that they don't lend themselves to easy reviews that one can compare and contrast. Yes, one can compare their various offerings and features, but really you sort of have to be a victim who's also a customer to figure out whether they're worth spending money on, and then of course it may be too late by then to do much about it if the service turns out to be useless.
I don't know whether it's worth it. You can get ID theft insurance up to $10,000 with Debix, which provides the service of automatically renewing your fraud alert every 90 days when they expire (you can do this yourself for free, but you have to remember to call one of the credit bureaus every 90 days for it to be fully effective). And Debix costs like $25 a year per person, far cheaper than most ID theft insurance schemes or $12 a month credit monitoring plans the credit bureaus push so heavily.
I'm a Debix user, have been impressed with the service, and think it's worth the price of two tickets to the movies each year.
Bethesda: Brian - I have used AVG for years, but recently thought it was bogging down my machine. I uninstalled and put on Avira due to your recommendation. However, I find their pop ups really annoying, and since I don't leave the machine running all the time (probably turn on twice/week), it always scans when I boot it up, slowing it down. Besides paying for Avira, any other recommendations?
Brian Krebs: Yes. AVAST. Same great protection as Avira, minus the annoying nag screen. AVAST....FTW!
Clinton, CT: 05/06/09
Dear Mr. Krebs:
I have a fairly powerful two year-old Hewlett-Packard (home) computer using Windows XP. For security, I subscribe to Norton Internet Security and SUPERantispyware (free version), both of which I update as updates become available and both of which I periodically scan.
In addition, I try never to open e-mails from unfamiliar sources.
Are these steps sufficient to give me a reasonable (whatever that means) level of protection against viruses, worms, spies and other bad things?
If not, what else should I be doing?
Brian Krebs: Hi Clinton. I think I've answered your question in my reply to Madison, NJ above. I'd place a special emphasis on adopting either the Limited User approach, or the Drop My Rights, one-off approach. Limited User directions are linked to in that response, and DMR instructions are linked to from there. Adopt one of those approaches and I can almost guarantee you that your anti-spyware programs won't find anything to remove anymore, except maybe cookies, which are pretty harmless.
Harrisburg, Pa.: Brian,
My OLD windows 2000 computer now has a stop error (blue screen on start up, safe mode doesn't help). I do not have a boot disc/rescue disk. Is there a not too complicated way to run a boot disc/rescue disc from a USB drive to either repair the hard drive or remove a virus? No anti virus program is installed. Thanks.
Brian Krebs: Diagnosing blue screens of death is beyond the scope of this chat. There are simply far too many hardware or software issues that could be at issue here without more and very precise information. Have you considered asking whether someone you know or a family member has an old W2K install disc?
I'd consider what it is that you need this computer for? If you just want a backup computer to have around and surf the web while on the road or whatever, consider burning something like Knoppix to a CD and booting into that, or install an open source OS like Ubuntu.
If you're just trying to get the data off, you could download and burn onto a CD the Ultimate Boot CD for Windows. That will let you boot into a Windows-like environment and copy the files/data you want to a removable drive. I believe you can install the UBCD-W onto a USB drive, but it should be a relatively recently-made USB drive (some of the older ones won't accommodate it for speed reasons).
Burke, Va.: With all the whining about security software, can I give a shout-out to Kaspersky? Yeah, you gotta pay, but (a) it appears to work (that is, when I do scans with other anti-virus programs online, I'm not finding lots o'junk); and (b) it doesn't eat up all my system resources (on a three-year-old Dell 2.8 system with 2GB).
Beyond that, I occasionally scan with Ad-Aware and Search-and-Destroy. Hijack This rocks, but it helps to know what you're doing with it . . .
Brian Krebs: Sure. I have tried KAV twice, and both times found it either consumed too many resources, or it did something unacceptable, like stopping my internet connection from working. Maybe it's time to give it another try. Thanks for your input.
Mamaroneck, NY: Hi Brian, I have never used Wi-Fi in a public place and am terrified of using a laptop in an exposed setting like that. Can you please give me the basics as far as security steps that will give me the confidence to surf the web in a place other than home? BTW, I use a Mac. Thank you.
Brian Krebs: No need to be terrified of Wi-Fi. Just understand the basics, and take a few precautions and you'll be fine. First off, whether you're on a Mac or a Windows machine, make sure you at least have the built-in firewall turned on.
Second, understand that wireless networks operate very much the same way wired networks do, in that if you are sending information "in the clear" -- that is, not protected by an SSL connection -- it can be read by any party that is on that network. When the URL of the site you're visiting begins with https:/
One other big thing you could do to improve security while on public wireless networks -- whether you're a Mac or a Windows user -- is to sign up for a free service at OpenDNS. This will prevent third parties from hijacking your computer's DNS settings and potentially sending you to cleverly-created phishing sites.
Guanajuato, Mexico: As you have recommended, I use the NoScript add-on with Firefox. What I don't understand is when it's safe to override it and allow a webpage to run scripts. Say I'm reading an article in the Post and I follow a link to a site I've never visited before. If NoScript blocks part of the page, how do I know whether it's safe to allow the whole page? If in doubt, is it safer to choose the option to allow the page temporarily? I've read NoScript's FAQ on this subject, but I find it unhelpful. In a nutshell, how do I know whom to trust?
Brian Krebs: To your question: I generally take the least-needed approach with NoScript, and choose to load pages temporarily. Part of that is due to the fact that I just like knowing what's loading in the background. Some people don't care. YMMV. I don't have too many sites that I've told it to trust completely, all of the time, but there are a few.
Manassas, VA: Brian, this morning I received an email, supposedly from Microsoft, that invites me to to register for "Office Insider." If I do so, I will receive emails with tips on using Microsoft Office. Do you think this is legit? Thanks!
Brian Krebs: Yes, it's a legitimate offering from Microsoft (see here for more details).
Yes, you are right to be paranoid. When in doubt, avoid clicking on links sent unbidden in e-mail, especially those that ask you to sign up for stuff. Use a search engine, decide for yourself whether the offering is legit, and go from there.
Columbia, MD: For the past 6 years, I've been using Zone Alarm Antivirus and have never had a virus attack my computer (Windows XP). I don't think I've ever seen Zone Alarm discussed on your program. How would you rank it among the other subscription and free programs out there? I also use Spybot Search & Destroy and keep up on the Microsoft updates. I use a wireless router with a strong WPA password. Anything else you would suggest? Thank you.
Brian Krebs: For the record, I have recommended and discussed ZoneAlarm plenty of times in these chats.
You say you're using ZA Antivirus, which last time I checked was not free, as is the free version of ZoneAlarm's very good firewall program. It's one of the few remaining good free options out there for Windows users.
Bethesda, MD: I have run Firefox since it was first released, but tried to avoid add-ons, toolbars, etc. Recently it has started locking-up several times a day - often for close to a minute or so. The other windows are unaffected, but Firefox is totally dead to anything short of killing it with Task Manager.
Brian Krebs: You should consider backing up your profile and bookmarks, and then removing and re-installing the latest version of Firefox.
Columbia, Md: I need some advice on whether I should use Windows XP Professional or Vista Business on my new computer. I do graphic design work and use Adobe Creative Suite (InDesign, Illustrator and Photoshop) and currently use Windows XP Professional. The new computer can come with Win XP and downloadable Vista Business at a future time. Should I stay with Win XP or go ahead and get Vista Business installed? Thanks for your thoughts.
Brian Krebs: If you have the option to go with XP, I'd do that. Vista doesn't add much in my opinion, except overhead on resources. If you use XP, I'd strongly advise you to adopt the limited user approach or drop my rights approach mentioned several times already in this chat (with links).
Libreville, Gabon: Good Morning Brian.
We have learned so many things from your blog. From time to time I help my family members or friends via XP Remote Assistance. I have to say that sometimes it's hard for people who need my support to set up the connection. I am talking about elderly people and people with limited computer usage. I don't think Windows XP remote desktop is user friendly (unless you can convince me otherwise).
Money is tight; what is the best free remote assistance software that you recommend? Because of your past recommendation all of my family and friends use XP/Vista under limited user accounts. I have to say that we have not had any virus/spyware/scareware for the last 20 months on the 28 computers that my extended family uses.
Thanks in advance
Brian Krebs: Hello. Glad to hear my advice is helpful all the way to Gabon! Welcome.
Ultra VNC is a good option, yet it may not be any easier for your relatives to set up. I've used Logmein and LogmeinFree, which are incredibly easy to set up.
I wrote a column a while back about this very issue. Check it out here.
Richmond, VA: Just got a new Vista (yuck!) machine. C:- partition used almost entire HD; no free space. I could not find a no-risk way to shrink C:-. Finally used GParted and Vista did a --very-- lengthy auto-repair. Worked out OK. Did I miss a better tool? What's with Microsoft thinking that there is only one way to partition the primary drive?
Brian Krebs: I feel your pain. I went through the same thing, on a Vista Ultimate machine that came with a 500GB drive installed. Vista has built-in tools that are supposed to let you shrink the C drive size, but somehow Msft really managed to bork this tool because it's completely useless, or if it is useful, you won't get the C drive down to less than about 220 Gigs without some serious tweaking of the system, shutting down system restore and wiping restore points and all kinds of other nonsense.
Gparted is a great option, but free isn't always free in terms of time you need to sink in to make it work, as you've discovered.
Brian Krebs: I'm out of time for this week, folks :(
Thanks to everyone who stopped by to read or contribute to the discussion in some way. We'll have another Security Fix Live chat in a couple of weeks from today. Meanwhile, please consider dropping by to see me once a day at least on the Security Fix Blog to stay abreast of the latest security advice, news and musings. Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.