Security Fix Live
Friday, July 17, 2009; 11:00 AM
Security Fix blogger Brian Krebs was online Friday, July 17, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.
Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and welcome to Security Fix Live! I will dive straight into the questions in a moment, but first just a reminder to everyone: please try to be as specific as humanly possible about your setup when asking questions, including if you can your operating system, the type of browser you normally use, any installed security software (or if the question involves hardware, some idea of what model/make of the device you're referencing). Without further delay.....ONWARDS!
Arlington, VA: I have a problem with the FoxitPDF reader/creator (you recommend!) and Windows Vista running a regular (non-administrator) account. Anytime I use Foxit to open an existing PDF or create a new PDF, Vista's User Account Control asks for the admin password. Any idea how to eliminate this annoyance? I don't recall if I installed Foxit while logged on as Admin or if I installed as a regular user and had to give UAC the password so it would install.
Brian Krebs: You might want to make sure you're running the latest, most secure version. My guess is that the auto-update feature in Foxit is trying to search for and/or apply an update. The latest version is 3.0, build 1817. You should be able to check which version you're running by clicking Help, and then About Foxit.
I've seen this behavior in Winamp when it has an update to install. You might just consider right clicking on the program icon, selecting "run as administrator" and then waiting to see if it prompts you to install an update. It may actually just be configured to periodically check for updates, and that's all it needs to do.
Arlington, VA: Brian,
There seems to be a significant change in my computers when I download the IE8 software. A number of things happen, unrelated to the software itself, and not all computers have the same problem. My Vista computer became unstable, my XP computer would not let me open Access and other odd responses. All went back to normal if I restored my systems. What is going on here? Am I making the wrong assumption that IE8 is the culprit?
Brian Krebs: Well, there's one way to find out. You can remove IE8 and revert back to 7, and see if that fixes the problem. I'm not terribly thrilled with IE8 myself. I don't use IE for much, but for the few things I do I find it behaves oddly at times. For some reason, IE8 keeps messing with my cut-n-paste, so that I can't just Ctrl-C to copy the selected text, I have to right click on it and select copy. Very annoying.
Microsoft's instructions on how to remove IE8 are here. I'd be interested to hear if you uninstall IE8 whether you still have the same problems with IE7.
Washington, D.C.: Hi Brian --
Thanks for your help on these issues. I use Firefox and Windows XP under a limited user account. What is the best way to make sure my browser plug-ins (e.g. Quicktime) are not out of date security threats? Besides blogs such as yours, how would I even know one of my plug-ins is a potential problem? Do I need to run under an administrator account to update the plug-ins or other programs (e.g. pdf reader)?
Brian Krebs: You might consider checking out Secunia's Software Inspector, which is a program that sits in your Windows taskbar and periodically notifies when updates for various software you have are available.
I reviewed this service in a blog post a while back.
Washington, D.C.: We are remaking the Washington area chapter of ISOC -- The Internet Society. Our challenge is to devise ways to get news out to our 500+ members in the DC/MD/VA area and provide an online facility for supporting multiple informal groups of our members supporting a number of Internet-related projects. We want to avoid the dread email "discuss" listserv. We have a front-door web site at www.isoc-dc.org, but what do we use behind it for social sharing? Facebook? LinkedIn? Ning? Twitter? What are your thoughts?
It is amazing the difference in approaching this problem between our college student members and the old retired members. We want to build an environment where all will participate!
Brian Krebs: Good for you! I'm not familiar with Ning, but I know Facebook, LinkedIn and Twitter all allow you to create groups that people can subscribe to for updates. Sounds like a great idea.
Alexandria, VA: I'm about to use Skype for the first time (yeah, I'm very late to the party!). Should I be aware of any security concerns?
Brian Krebs: I've been a loyal Skype user for several years now, using Skype out with my own custom voicemail and phone number. The service has much improved over the years, but the same stupid things still bother me about it (occasional, inexplicably bad call quality or dropped calls).
Security-wise, about the only thing you need to be wary of are unsolicited instant messages (Skype by default includes an IM client) from scammers and virus writers. Every once in a while you will get unsolicited IMs from someone trying to get you to click a link, download a file, etc. Obviously, this is a very bad idea, so don't do it.
If you prefer only to receive Skype IMs from people you trust, there's an option to change that in Skype's preferences settings.
Passwords: Can you recommend some secure ways to keep track of passwords? Right now I'm keeping login ids and passwords listed in a draft e-mail, and I'm not comfortable with that. Thanks.
Brian Krebs: Yes. I also wrote a column not long ago about password manager options, available here. Many people find that Password Safe is a nice, simple, free option.
Washington, D.C.: Recently while traveling to Italy, there were fraudulent charges on my credit card. It wasn't a big deal, the card was canceled the charges removed, etc. While there, I used an insecure internet access to check my credit card information. When I talked to the credit card fraud people, they said that was the likely source of how my card number was obtained. I am confused though, because the card number never appears on the web site and I don't see how someone could get a credit card number that is not there. Are they correct? Is that the likely source for someone to have gotten my card number?
Brian Krebs: It is highly unlikely that the person you spoke with at the credit card company really knew how your card was compromised. They are not terribly concerned with that. Their job is to make sure the card gets cancelled and that you get a new one in your hands asap, so you can keep spending.
If I had to lay bets on it, I'd say more likely that the information was intercepted via a hacked computer you used to shop online, not an insecure Web site you shopped at.
Kansas City, MO: I understand that Firefox 3.5 is now released and still a great product, though some say slower than Safari & Chrome, but beating IE. Two questions: 1) Which of the browsers (named or not) is the best for Internet safety & privacy? 2) If you are private browsing on Firefox or other browsers is it really private? By that I mean can the techs at work still see where you've been?
Brian Krebs: Re: browser security, Opera may actually be the safest, since it has the smallest market share and hence the fewest number of targets. Opera is based on much of the same underlying code that Mozilla's browsers are built from, but by the same token it ships updates and security fixes far slower than Firefox, and in any event doesn't auto-install them as Firefox does.
Safari 4.0 has won a bunch of speed tests vis-a-vis the others, including Firefox 3.5. I've stuck with Firefox because I can't live without its add-ons (e.g., Foxytunes, Adblock Plus, Greasemonkey, et al.).
Re: private browsing, if you're trying to hide your browsing habits and you're doing it on a network that you don't control, good luck with that. Your employer may be (and probably is) keeping logs of which sites employees visit and when, and may even be using software that keeps an eye out for employees visiting dodgy sites. If that's the case, it doesn't matter whether you clear the browser's cache or never store the info on your machine in the first place.
Providence, R.I.: I am hoping to get a Microsoft certification and have an old copy of server 2000 running on my PC (I know it is old, but I can still play with a server). However I can't seem to find a free anti-virus software that will run on it. Do you have any suggestions?
Brian Krebs: Hmmm. I don't have time to research this right now, but you could do worse than to check out some of the tools that used to work with Windows 98 (I don't know how many -- if any -- of these will work with WS2k).
Baltimore, Md.: Regarding your Password Safe suggestion: if we store all our passwords in this software, what happens if there's a hardware failure? Can you back everything up on a flash drive, for example, or is it all locked on the hard drive? Conversely, if you keep it all on a flash drive, can you back up to a hard drive in case you lose the flash drive?
Brian Krebs: There is a support forum for Password Safe at this link here. One or all of your questions about this program is/are almost certainly already answered there.
Kensington, Calif.: I was catching up after a long rafting trip through the Grand Canyon (yay!) when I saw you had written on the May 8 Security Fix Live the following: "I have tried Kaspersky AntiVirus twice, and both times found it . . . did something unacceptable, like stopping my Internet connection from working."
When I read that, a gong went off. Could it be my antivirus program that's causing me to keep losing my DSL wireless Internet connection? Specifically, could it be AVG Free 8.5, which you've said recently (5/22/09) is causing people problems?
My wireless Internet connection works fine until I open a browser (usually Firefox 3.0.11, but it also fails if I use Internet Explorer). With a browser open the connection becomes erratic to the point of impossible.
The REALLY WEIRD THING is that if I first open Windows Media Player (WMP) and get a radio station streaming, I can maintain a relatively stable connection with the browser about 95 percent of the time. But it must be both, not just WMP. (Ain't computers lovely, hellish critters?)
INFORMATION: I use Windows XP with 1.5 GB of RAM and an older, fairly slow processor (Pentium III, 933 MHz, 133 MHz FSB). I use ZoneAlarm 8.0 free firewall, AVG Free 8.5, SUPERAntispyware, SpywareBlaster and Guard, MalwareBytes, etc., and I update with Secunia. I'm connected to a DSL router (2WIRE Gateway 1701 HG) via a Netgear WG311T wireless PCI adapter. A nearby laptop, which also has a Netgear adapter card, has no problem maintaining a stable wireless connection 100% of the time. The wireless signal is strong.
Brian Krebs: It could be AVG, that's true. Still, I stand by my gripe against the latest version of AVG Free: it stinks. There are just too many other free options out there to stick with that beast of an AV program. My advice: grab AVAST! Home Edition, or Avira or Bitdefender Free or Panda Cloud Antivirus, or something else.
Have you considered giving your main desktop PC a second opinion or three with an online antivirus scanner? ESET -- the maker of NOD32 -- has a very good, free online scanner. F-Secure and Bitdefender also offer free scans. All three will remove any malware they find (although one or more of them may require you to install IE plugins to do this).
Brian Krebs: I received this message from a reader as a comment in the blog, and since I went through the trouble of finding the answer and all, I thought I'd publish it here.
Question: I am getting more and more text spam on my iPhone. I am not on a text plan so each one costs me 20 cents. What a pain.
Answer: AT&T lets you block SMS messages. You just have to sign up for a free account on their Web site. Once you've done that (setting it up requires you to receive a code via SMS from AT&T), you can go in and block SMS messages altogether, or selectively by using "allow" and "deny" lists.
I have uploaded a screenshot that shows this option at AT&T Web site, available here.
Kingstowne, Va.: Is it possible for an identified bot to be blocked from further internet access? Say someone's PC has been hacked and is part of a botnet attack. Once it has been used in an attack, can it be identified and further blocked until the user corrects the problem and requests to be unblocked? If this were possible, would it have a significant impact on botnets in the long run? Thanks.
Brian Krebs: Good question, Kingstowne. It is, of course, possible for ISPs to block botted systems on their networks, and some do do this with regularity. Unfortunately, few providers advertise that they do this, mainly because they're concerned that customers will find it annoying that their ISP is blocking them and choose another provider. But many ISPs simply don't isolate bots on their network because they're concerned that doing so will generate a support phone call, which costs on average about $20 per call.
Some ISPs adopt what's known as a "walled garden" approach, which is that if your PC looks like it's blasting out spam, your ISP may when you open a browser send you to a page that says your machine has been put in quarantine, and offering some links to clean up your system. Unfortunately, most ISPs that do this don't enforce it -- meaning that if customers really want to they can ignore that advice and go on surfing the Web. Many university/college networks, however, won't put up with that, and will block users from proceeding further without first cleaning up their systems.
Other countries have tried different approaches. I will be writing a longer story/column about this, but Australia and Japan both have very interesting, different approaches along the lines of blocking or isolating botted PCs.
Would it have a significant impact on bots if the users of the botted PCs were made to face reality more consistently? Absolutely. Would it solve the problem? No way. But it would be nice, I agree.
Warner Robins, Ga.: Hello, Brian,
Do you have any new information about the Microsoft Anti-Virus Beta product?
I tried it out on my system, but it would not update if I was logged in as a limited user in Windows XP. I'm back to using AVAST!.
Brian Krebs: What? That's just garbage. I will double check your claim, but if it's true that their software doesn't run under a limited user account, then someone at Redmond has some explaining to do.
Haifa, Israel: I am a Middle East reader of your column. Please refer to the query below only if it might be of interest to your US readers.
Dear Brian, I am using Windows XP2, a Yahoo.com mailbox for my English correspondence, and a utility called Internet Explorer (6 or 8) for saving, editing, copying, etc. my correspondence.
When I try to read already saved .html or .htm documents, I get the following announcement: "To protect your security, Internet Explorer has restricted this webpage from running scripts or Active X controls that could access your computer. Click here for options". Clicking results in the display of the yahoo homepage, but not the item wanted to be read. I know my document is saved (sometimes I see it flash for a tenth of a second on the screen before the announcement appears). As the wanted information is already stored in the computer, the announcement makes no sense at all. Any suggestions?
Brian Krebs: Hi there. Thanks for reading, and for sending your question. My advice: run, run away from IE (IE6! no less). Do yourself a favor and make the last time you use IE6 a trip over to this link, download, install and use Firefox instead of IE. Much safer (particularly if you use add-ons like Adblock Plus, noscript/request policy, and other safety add-ons).
Arlington, Va.: Good morning Mr. Krebs, I just started working at a large office where the IT admins mandate that we all use IE6 as our web browser. Aside from the functional irritations and e-hoodlums' apparent focus on internet explorer, are there security concerns from using IE6? Thanks.
Brian Krebs: Please tell me that they don't allow you to install programs, that you're at least restricted to a limited user account on your PC there? IE6 is not a secure browser (just ask Microsoft), and it's a shame that so many businesses still blindly accept this fate.
If you do run as admin at work, and they allow you to install programs, you might do yourself a favor and grab Firefox. Alternatively, you could download and run something like Drop-my-Rights, so that IE6 doesn't run in all-powerful God mode, with full privileges to change operating system settings, etc.
Washington, D.C.: Why does my antivirus software say my Administrator password is weak? I use a many-character one, a variety of letters, numbers and symbols in random order.
Brian Krebs: What AV software do you use? I've not heard of a product that peeks at your admin password and hassles you about the relative strength of it.
Georgetown: I ordered a new PC laptop last night, and this will be my first venture into Vista world.
Is there anything massively different to do under Vista than you've been telling us to do with XP?
I presume Firefox and NoScript/RefControl and so forth remains the same, but will I need to do the admin/day-to-day user accounts duplication again? I saw that you recently dissed someone's XP lineup of AdAware, Spybot, and EasyCleaner, which I also have -- are there analogs for Vista? (McAfee will remain my antivirus -- got it for free again.)
By the way, thanks for your advice on Acronis True Image. It really is easy, and I particularly love how it'll shut off the computer when the backup's done, so one can run it before bed/leaving the office and in the morning have a fresh restart.
Brian Krebs: A lot of people gripe about the user account control feature built into Windows; it's true, it can be annoying, but it is useful, and you will get alerted if something you didn't initiate tries to change an important security or system-level setting.
By default, Vista runs under a limited-user-like account, requiring the user to approve system changes and in some cases enter an admin password to make those changes. Vista allows users to create separate limited user accounts, but this is not necessary if you're using the default UAC feature.
I would say if you're running an AV tool, staying up to date with patches for the OS and for third party software, avoiding the usual dodgy downloads/p2p crap, you're probably fine with FF, McAfee and maybe the built-in firewall, which is not bad, really.
By the way, I'm very glad to hear you like Acronis. I can't say enough about this program, and it's always nice to hear from readers who are taking data backup seriously.
Warner Robins, Ga.: Brian,
MS anti-virus works in a limited user account, but a manual update is not allowed by a limited user. Sorry for not explaining further. Everything works, but as the sole user of this computer, I rarely go into the admin account. MS anti-virus grays out the manual update button and the info it shows about when a new update occurs is only when I sign into the admin account... and then it updates automatically.
Brian Krebs: Most antivirus -- this one included -- ship with auto-update turned on by default, meaning they will download new antivirus definitions automagically on their own timetable. My question would be, then, why are you trying to update manually, or are you saying it doesn't do auto-update under a limited account? If the latter, then it's worthless.
Independence, Ohio: Recently, whenever I try to open a pdf document in Firefox I receive the error message "FoxReaderOCX.ocx failed to load." I haven't found a solution. I am on Windows XP SP3. Thanks in advance for your advice.
Brian Krebs: I would try uninstalling, reboot, and then reinstall Foxit to see if that fixes it.
Alternatively, you can try unregistering and then re-registering the OCX file.
To do this, click Start, Run, then type cmd.exe
Navigate to the directory where that file lives (most likely C:\Program Files\Foxit\(plugins?)); use Windows Explorer to locate the file if you don't know where it is. To change directories using the command prompt, you type cd [directory name]. If you have trouble getting out of the current directory, just go to the root by typing c:, then cd program files\foxit
Once you're in the right directory, type:
regsvr32 -u FoxReaderOCX.ocx
You should get a message saying it was unregistered.
Then type the same thing, without the -u option, and if you got a "succeeded" box, then you may have fixed the problem.
Austintown, Ohio: Hi Brian,
I ran Secunia yesterday and found both IE8 and WIN XP 3 to be insecure. I know you mentioned a problem with IE8 a few columns ago, but what can one do in regard to this OS being insecure? I have not checked the Secunia site today. Thanks for all your great info.
Brian Krebs: Haha. Thanks for the laugh. I'm sure a lot of people would agree with that finding.
Seriously, I think what's going on here is that Secunia's tool has detected that you haven't yet installed the software updates that Microsoft released this week (on Patch Tuesday). See my column about that: Microsoft Patches Nine Security Holes.
Hallandale Beach, Fla.: I'm sure you have been asked this many times, but I need to know your opinion. Is it necessary to install an anti-virus and firewall on a Macintosh computer? Do you prefer Macs to PCs? Also, was today's Firefox 3.5 patch the one that solves the recent security problem?
Brian Krebs: It's not necessary to install anti-virus on a Mac. You can if you want, but I don't think it's needed, provided that you use common sense about the programs you decide to install, and only grab software updates from the source (lots of Mac Trojans these days come disguised as a browser add-on or video codec some site says you need to install in order to view content).
I use both Macs and PCs about the same, and for different purposes. My laptop is a Macbook Pro, so I use that quite a bit, while my main desktop is a Vista system with multiple other operating systems running in virtual machines on top of that (using the free and excellent VirtualBox tool from Sun).
I answered your last question in my blog post this morning:
I Must Have a Lot of Friends: For the last month, I've received about fifty email greeting cards every day. Am I special?
Brian Krebs: No, you're not special, or a snowflake. You're just like the rest of us: We all get sent these fake e-greetings cards. Virus writers use e-greetings as a ploy because they're very believable. Plenty of people like to think they're receiving a card, when in fact they're being asked to click a link that tosses browser exploits at them or prompts them to download a file in order to view their greeting. We use Google's Postini product here as one of many anti-spam tools, and it constantly blocks e-mail viruses disguised as e-greetings cards.
Warner Robins, Ga.: Re: MS Anti-Virus
I'm just a controlling type of person. I like to make sure the automatic stuff is really working. I just want to make sure a piece of software is doing exactly what it says it is going to do.
Just a retentive personality!
Brian Krebs: Wow. Manually checking for updates is a waste of time, in my humble opinion. The AV companies themselves know how regularly they ship updates, and they set the intervals. You're not making your computer one iota safer by manually checking for AV updates all the time. So, relax, go for a walk, read a book, anything....other than manually clicking on the AV update button.
Go on...you can do it. That's it...step away from the update button.
Columbia, Md.: I have a pop-up problem. I'm using Firefox and Google's pop-up blocker, just ran Ad Aware and removed two malware programs and some cookies, but I keep getting small windows popping up in the upper left corner. (Sometimes it happens when I search for something on Google, and the pop up will be related.) Most annoyingly, they are audio files, and even when I close the pop-up, the file keeps talking! Argh! How can I make this stop?
Brian Krebs: Go grab a trial copy of Superantispyware. If that doesn't find anything, check out Malwarebytes' Antimalware. I'm willing to bet one of those tools will root out the problem (inexplicable pop-up ads are almost always a sign of some adware/spyware installation).
London, U.K.: Hi, Brian. I'm looking for a new PC to replace my aging Windows XP. For security reasons, should I wait for Windows 7 out in October, or can I get a Vista and upgrade? Thanks.
Brian Krebs: Yes. My cousin asked me this same question when he was shopping for a laptop recently, and I told him to get a Macbook, or if he didn't want that to just wait for Windows 7. He didn't take either advice -- he bought a Dell with Vista.
I've been using Windows 7 for many months now and find it to be much faster and more responsive than Vista. If you've waited this long, a few more months probably won't hurt, would it?
A PC user until now, I have heeded your advice to go to a limited user profile for the majority of my usage.
I've now switched to a Mac using Leopard. Should I apply the same logic and set up a "guest" account and use that primarily? Or does it not provide the same protection to do it this way on a Mac?
Brian Krebs: Running as admin is a dumb idea, I don't care what operating system you're using. If you're using the default account in Mac OS X, you should make sure that you create a separate account with fewer privileges and run the root account only as needed.
This site has a quick and dirty tutorial for doing this on a Mac.
Postini: We also use Postini here at work. Great spam filtering. But they don't sell accounts to individuals, do they?
Brian Krebs: Yes, they do. Regular/home/end users can use Postini for a $12 fee per year.
Brian Krebs: I wish I had all the time in the world today to answer the several remaining questions, but I don't, sorry. Thanks to everyone who dropped in to participate in one form or another. We'll try and host another one of these Security Fix Live chats again in a couple of weeks. Until then, please consider making it a habit to visit the Security Fix blog once a day to stay abreast of the latest security news, tips, advice, etc. And be safe out there, people!