Security Fix Blogger
Friday, August 28, 2009 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Aug. 28, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.
Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.
Brian Krebs: Greetings, dear Security Fix readers, and Happy Friday. Welcome to Security Fix Live. I'm all set to jump right to your questions in a moment, but first let me remind you all to please be as precise as possible in your questions, and try to give me some basic details about your setup, such as the operating system you're using, the installed security software, which Web browser you typically use, that sort of thing. If you're asking about an error message in particular, include that message or number if possible. Thanks, and with that....ONWARDS!
Sydney, NSW, Australia: Hi Brian, Really love your column, it's saved me so much grief. There is a huge time difference between the formatting of a hard drive by XP and Vista - XP takes forever and Vista, it seems, takes a few seconds. Why is this? My C drive is about 80 gigabytes. Is Vista's in fact a proper thorough re-format that really wipes everything off the same as XP? Thanks, regards, Peter in Sydney
Brian Krebs: Hi Peter. It may be that the time difference between the two OSes is a function of the fact that with XP you were telling the operating system to do a full format, whereas on Vista the default option was a quick format. And yes, the time differences between the two are dramatic. Full formats write over each sector of the disk, whereas the quick format is akin to simply ripping out the table of contents for the data that's on the drive.
You could read all of the articles on the front page of my blog and still have time left over for a nap before a full format would finish with today's larger hard drives. Quick formats, on the other hand, typically take about a minute or two.
Carrollton, Texas: If I restore my computer to the original factory (OEM) shipped condition, will I lose my Gmail account, including in and out messages?
I have backed up My Documents. I have a HP Pavilion a705w with Windows XP. My Gmails date back several years.
Brian Krebs: No, unless you've downloaded some program that downloads your Gmail messages straight to your hard drive. But guessing from your question, that's probably not the case. Gmail is a "cloud" service, meaning that it stores everything -- from Google Documents (if you use that service), to Gmail messages, to your Calendar -- online. The biggest selling point of these cloud services is that your data/email etc lives not on your machine but on Internet servers, so you can access it anywhere. Cloud security critics, however, say that very element -- that someone else is in control over the security of your data -- is what makes cloud computing so dangerous.
Leaving that debate aside, your Gmail messages almost certainly are NOT stored on your hard drive, and should be safe if you restore your computer.
Warner Robins, Ga.: Hey Brian, You do good work for us!
Can you explain to me if Web sites passwords are saved in cookies. I don't save cookies or passwords for my banking and medical websites but my browser automatically loads to my iGoogle page and thus my email.
Firefox asks you to save, deny now or not ask again about saving a password for a new website you log-in to when a cookie is not present. I don't have any passwords saved but the 10 cookies I have saved allow me instant access to these 10 (non-vital) websites with specific preferences in use.
Am I missing something about cookies and passwords?
Brian Krebs: Cookies can be used for tracking users across sites, and for authentication. But it's important to bear in mind that there are many different kinds of cookies. Typically, with more sensitive sites, such as online banking...the bank site may use a cookie with a very short lifespan that is designed to expire after a set number of minutes or hours, depending on your activity. The purpose of these cookies is almost never to store your credentials/username/password per se, but to store an encrypted hash that tells the site that for [variable] number of hours/minutes/days, etc., this user has successfully passed us valid credentials for this site, please don't bug him again for them.
St. Paul, Minn.: Last week I purchased a Dell Studio laptop with 4GB memory, 256 video card, 500GB hard drive and Windows Vista Ultimate edition SP1 64bit. I am eligible to get the Windows 7 Ultimate upgrade kit after October 23 of this year. My question to you is do I have to upgrade (install on top of Vista) or do I have the option of doing a clean install? I would like to do the latter if that is possible.
Brian Krebs: You should be able to do a clean install with the upgrade disc. If you are using Windows Vista, it should give you the option of an upgrade or a clean install (not the case with upgrades from XP, which require clean install, i.e., all data on the disk is lost).
Good on you for leaning toward the clean install: I prefer a clean slate whenever possible, and it eliminates the possibility that something will get munged in the upgrade. Plus, users should already be in the habit of backing up their data to a separate drive, so upgrading merely means reinstalling programs you want (and not reinstalling programs you never use anymore).
Northern Virginia: Why is it that the UK will go to great lengths to stop downloading copyrighted materials by cutting off Internet connections, but they will turn their heads when it comes to malware, zombied pc's spewing attacks, and kiddie porn sites..?
It makes no sense..
Brian Krebs: I don't really know. This was the rhetorical question I asked in my column, as in "Haven't we got more serious problems to worry about?"
Wait...you mean there is no giant, well-heeled industry lobbying for a less bot-infested Internet? Oh, sorry.
Annandale, Va.: Hi Brian,
IBM ThinkPad laptop, 512RAM, XP SP3, 30GB HD, SnoopFree, Avira, ZoneAlarm, OpenOffice.
Help! I am running out of HD space. I use an external hard drive for everything I can save (all docs, iTunes, etc), but I am still running out of room and my laptop is becoming sluggish (up to date on ALL virus updates and scans). I defragged the hard drive, etc as well. I tried to do a restore from the Backup Utility from a backup I did a few months ago but it could only get so far before it ran out of room. How have I run out of room? I only have the Admin account and then run off the limited user account.
Brian Krebs: The XP+SP3 install, plus the big Windows temporary files that you can't get rid of (hiberfil.sys, pagefile.sys) + all of your installed programs probably make up between 8-15 Gigs of your hard drive space, depending on how many programs you have installed.
You can do a quick gut check to see where the biggest programs are by opening up Windows Explorer, and then clicking the "Size" column to sort by the largest files/folders. That will give you a sense of where the biggest disc gobbling portions of your drive reside. You may find that Recycle Bin is up near the top. It's not uncommon for people to never realize they've been deleting files and folders without ever emptying their recycle bin (leaving files in that bin doesn't do anything special to them except move them to another part of the disc -- you have to empty it to get rid of them).
I'd suggest you grab a copy of CCleaner, a free tool that can help you quickly clean out areas of the OS that are notorious for getting gummed up with temporary files from the operating system, browser, or from installation programs. Install it, run that program, and accept the default items it finds and "clean" them. Then see how much drive space was freed up. You might be surprised.
Appleton, Wisc.: "Mass infection turns websites into exploit launch pads," Dan Goodin, The Register UK, August 24, 2009, is one of the articles referenced in today's Firewall Guide's page "Internet Security for End Users," where your blog also can be found. Apparently ordinary normal websites are sometimes very infected with malware without anyone on either end noticing. What would be your advice for blocking software (Windows or Mac) in case a person happens to stumble upon one of these sites?
Brian Krebs: Hello. A blog post we published today speaks to this very issue.
This latest round of attacks, as I mentioned in the column, is not new: I wrote about similar attacks earlier this year. In that post, I mention a column I wrote a while back on various tools for Web site owners and regular users.
The single best tool for protecting yourself against malicious scripts on hacked/malicious Web sites is Firefox or some other non-Internet Explorer browser, along with one of several security related add-ons designed to block scripts until and unless you specifically allow them for any given site.
From that post:
The malicious links most often left behind on hacked sites are known as "IFRAMES", or lines of scripting code that invisibly redirect the user's browser to a site that tries to install a Trojan horse program. The noscript and request policy add-ons for Firefox can help users load only the scripts they want for any Web page, and are among the best lines of defense against malicious scripts.
Obviously, having up-to-date anti-virus software installed also can help block some of these attacks.
Malware attacks against Mac systems these days generally come in the form of fake video viewer programs or "codecs," threats that try to trick the user into installing something malicious by posing as a legitimate program. My rule of thumb -- if you didn't go looking for it, don't install it -- should help Mac (and Windows) users avoid most of the threats out there today.
Virginia Beach, Va.: I have an Apple laptop. Do I need to install the Apple Remote Desktop Client? I don't intend to "share" anything with anybody. And yeah, I realize Apple always adds the description that installing each update helps with "stability issues."
Brian Krebs: Apple has told me before that it ships its updates in such a way to minimize the likelihood that users will try to pick and choose which updates to install. I couldn't find any mention in the support advisory that indicates it ships security fixes. It sounds like you have the choice on this one. I'd say it probably doesn't matter one way or the other.
That said, it might not hurt to install it anyway, even if as you say you don't intend to use this feature: Perhaps somewhere down the road you will want remote assistance from someone (Apple support maybe?), and in that case they will almost certainly insist that you have the latest version installed.
Lutz, Fla.: I heard a rumor that Microsoft was coming out with a security package, downloadable from the Web, at a low or no cost, that will be similar to what they currently sell as Microsoft LiveCare One? Is this true, and if so, when?
Brian Krebs: Yes, Microsoft is in the process of beta-ing a free, real-time antivirus solution for Windows users, called Microsoft Security Essentials. I wrote about the very limited number of free copies that were available for about 24 hours. The beta is now closed, and Microsoft hasn't yet announced when the free version will be available to the larger public.
MS is still supporting licensed, valid copies of LiveCare/OneCare, but stopped selling new licenses in June.
Millville, N.J.: How do you see Apple's Snow Leopard affecting Mac security? Is it significantly more secure than Leopard? Finally, what's the story on SL's supposed malware scanner?
Brian Krebs: So, Snow Leopard -- Apple's latest OS version, which ships today -- comes with limited anti-malware capability, as you may have heard. I'm still researching this a bit, but from what I've read so far that capability is at present limited to blocking two malware families that account for the majority of the few malware threats designed for OS X these days.
It's worth noting that neither of those threats exploits vulnerabilities in OS X. They simply rely on social engineering -- tricking the user into installing them. In most cases, these pose as video "codecs" supposedly needed to view some online video (usually porn). In other cases, they may come disguised as security or privacy applications for the Mac.
It's entirely possible -- I'd say likely -- that Apple will in the future ship updates to this functionality to target new threats as they emerge, much the same way Microsoft does with its Windows Defender and malicious software removal tools.
Lexington, Ky.: Hello Brian.
Thank you for all you do.
Since Apple's newest operating system for the Mac (called 10.6, or Snow Leopard) began selling today, have you had a chance to use, review, and work with it to see how it performs from a security viewpoint?
From several reviews I've read, Apple has dramatically rewritten the code from 10.5 (called Leopard).
But I understand that Snow Leopard contains a built-in anti-virus program. As Macs become more popular I would predict this will be utilized more and more as updates are forthcoming.
Brian Krebs: See my answer to the previous question. I haven't played with Snow Leopard yet, but plan to. My colleague Rob Pegoraro will be posting a review of it soon, I believe.
Greenfield, Ind.: Brian, The following message pops up often and really slows down my computer. What does it mean? Thanks. Ray
"A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete. Script: chrome://global/content/bindings/browser.xml:0"
Brian Krebs: You may be able to address this issue by twiddling with the browser settings. Now, you didn't say what browser you're using, but let's assume Firefox. Mozilla has some tips here on this very issue, and suggests it may happen when you're on a page with very ambitious scripts that time-out before they can finish what they're trying to do. It also suggests some workarounds that may help. Script-blocking add-ons, like noscript, request policy, and adblock plus, also will likely solve this problem by default.
I've also seen a variation on this error with IE. Usually clearing out the cache and restarting the browser helps.
Cameron, N.C.: Thunderbird profiles. I don't know if you've covered this or not. Whenever I get a new computer or re-install the OS on another, I go into my user name folder/application data/Mozilla/profiles and save the profile to another disk/thumb drive. When I install Thunderbird to the new computer I do not set it up. I go to the profile folder in the new computer location. I move the saved profile folder to that location and change that name to the existing folder name and then erase the existing folder. When I open Thunderbird everything is there ready to go.
Brian Krebs: I don't believe I have covered this, but thanks all the same for this nice tutorial. Cheers.
Arlington, Va.: I have a Dell Mini 9 with an Ubuntu operating system. Firefox takes up most of my space, which is about 7GB total. Can I put a browser on an external drive so that it saves space, or does it have to be on my laptop's hard drive?
Brian Krebs: There is a version of Firefox you can install and run from a USB/Flash drive from Portable Apps, which I've used on Windows systems, but I admit I've not tried it on a Linux machine. The documentation on their site says it works under Linux if you have Wine installed as well, but I've not tried it so I can't tell you either way.
Any other readers have experience with a portable version of Firefox for Linux/Ubuntu?
NYC: Is a limited user still subject to scripting attacks?
Brian Krebs: Sure, but the scripts will execute in the context of a limited user, not the administrator. So, for example, if the script tells the browser to fetch a Trojan that tries to install software, that installation process will most likely fail. However, the limited user account may still download the Trojan.
Central Mass.: Brian, thanks so much for all you do. I recently set up a new netbook and your articles and links made life SO easy for me. Based on your info I knew to insist on WPA setting instead of WEP that the router tech support guy tried to get me to use. Everything is working great so far. (Next project is to see if I can get my old reliable Epson Stylus Photo 750 printer to work with the new baby...any words of wisdom are of course appreciated.) Question re one of your recent posts - are you saying we should definitely NOT install OGA? I put Office 2007 Home and Student on the netbook and have no reason to think that it's not a legitimate copy...but am I asking for trouble if I install the OGA update? Thanks!
Brian Krebs: The problem with OGA and Microsoft's anti-piracy efforts in general is that they sometimes don't work right, in that they occasionally give a false positive -- the program errantly says someone is using a pirated copy of the OS/program when they in fact are not. In this case, it often takes many hours of phone calls or online support (or both) to remedy the situation.
I understand that Microsoft has a very legitimate right to protect its investments against pirates. And, Microsoft (rightly) notes that a great many people buy computers from spurious sources that may be scrimping on legit licenses, unbeknownst to the buyer. Still, I feel like if given the choice, and I know my copies of Windows are legit, I'll say "no thanks" to the piracy check.
Rockville, Md.: I hear that Snow Leopard has improved the security of the Address Space Layout Randomization (ASLR) they added in Leopard. Apparently there it was easy for hackers to circumvent (MS's implementation is better, apparently).
Have you heard details of this change?
Brian Krebs: Actually, I heard from a very good source the other day that this was largely not the case, that Snow Leopard missed a big opportunity on ASLR. I still haven't been able to verify that, but I'd be interested in where you heard that information.
Cody, Wyoming: Hi Brian,
I had a strange problem last week with two separate computers. I could not access either youtube.com or twitter.com from the latest versions of either Firefox or Internet Explorer.
Instead I would be redirected to http://www.opendns.com/. There I would receive an error message saying those sites were not available on my network because they were file-sharing sites, or something like that.
I contacted my ISP (Qwest) and talked to several of their technicians, none of whom knew what the problem was. For some strange reason they transferred me over to Dell (one of my computers is a Dell laptop).
Of course I knew that would do no good. Even a non-techie like me knew it wasn't a problem with my Dell since my other computer is a Gateway, and it was having the same problem.
So after talking to 5 or 6 people and wasting several hours, I just gave up. The next morning I could get access to both youtube.com and twitter.com with no difficulty.
This may or may not be relevant -- but I followed your advice some months ago to change my local area network DNS server addresses.
Do you have any idea what the problem was?
Thanks, Brian for all your great advice and guidance!
Brian Krebs: OpenDNS is nice, but it can be confusing if you don't take a moment or two to understand how it works. Visit opendns.com, log in, click over to your dashboard, and click manage settings. My guess is you have it set to filter content at "high" which blocks access to social networking, video sharing sites, etc. You might want to dial that setting back to something like "low" -- which blocks porn and phishing sites -- or "moderate" which blocks "all adult related sites and illegal activity" sites.
Fairmont, W.V.: Is the working group for Conficker making any new progress?
Brian Krebs: As I am not technically a member of that working group, I can't tell you officially. I have spoken recently with several key members of the group focused on finding those responsible. Those individuals say while the group has some interesting leads, they also have hit something of a brick wall.
Ultimately, the relative success of the "tracking-the-culprits" mission of the working group is going to hinge on the level of cooperation the United States receives from other nations.
Stormville, N.Y.: Hi Brian !
Dell Dimension 4700, W XP Home w/SP3 up to date, 2.5G RAM, Pentium 4 3GHz.
I use Avira AntiVir Personal (free). Since it kept on wanting to quarantine Encrypt.exe (of EncryptEasy) ("suspicious heuristic code"), in Configuration I set the Guard - Scan - Exception for the Guard to omit that file. However, that setting keeps disappearing, and when the Guard is actively scanning I have to sit there because it complains usually three times about the file (same location for the file all three times) and does not let the scan proceed until I respond to the "finding". Shall I just switch to Avast?
Brings up another question. On my new laptop with Vista the 60 day trial period for Norton is up soon. Would you recommend Avira or Avast ?
Brian Krebs: The free version of AVAST! is super-configurable, much more so than the free Avira. It sounds like a little more configuration is what you need. I'd give AVAST a whirl. If you don't like it, you can always switch back to Avira or one of the other many free AVs out there.
Washington, D.C. metro: I have somehow been infected with one or more fraud robot viruses, e.g., Fraud.PCAntispyware2010. It has dramatically changed, perverted my XP system, including the Windows Security Window, with genuine-appearing Windows solicitations urging me to download more viruses. Control Panel is irretrievably corrupted, apparently from a bogus registry command to "don't load." System Mechanic scans consistently and invariably produce registry errors numbering from 1 - 100 each time I analyze the system. Notwithstanding my System Mechanic virus, Ad-Aware and SpyBot scans, the system remains hopelessly corrupted. I have determined that I must do another repair recovery to convert back to the original Windows software state. What I'm concerned about is whether residual issues of fraud robot virus software will remain as remnants in the new setup to return later and resurface. Also, I want to eliminate some of the older user identities and streamline my system files total count, which ballooned from about 136,000 to 190,000 after the last recovery repair. I know I have to be careful about selecting names of the computer that will be reflected as the Administrator user. I don't have any other user on my system.
Brian Krebs: Go grab copies of SuperAntispyware and Malwarebytes, install and run the programs, delete anything they find, reboot, rescan. If you cannot browse to those sites with the infected computer (very likely), use a known-good computer to download them to a clean removable drive (USB stick, e.g.) or burn them to a CD, and then bring that media over to the sick computer and run the programs. They should help get rid of those nasties and the crap they bring.
Longer term, though, you should seriously consider several steps to stop this from happening again: First off, consider adopting a limited user account for your XP, for everyday use.
Second, do not browse the Web with Internet Explorer. I'd recommend Firefox, with one or more anti-scripting add-ons mentioned several times so far in this chat (noscript, request policy, adblock plus). Thirdly, be very careful about the programs you choose to install or download onto your PC. Many of these fraudware/scareware products come disguised as bogus "flash player" updates or video "codecs." Remember, if you didn't go looking for it, don't install it. And if you are looking to install or update some application, do it from the vendor's own Web site, whenever humanly possible.
Finally, you didn't actually mention using an anti-virus product. Last time I checked, none of those apps you mentioned (System Mechanic, Ad-Aware, Spybot) are anti-virus programs. They are PC performance enhancing and anti-spyware applications.
for Greenfield: Actually, NoScript can CAUSE the chrome script error, if you have the site that's trying to execute the script blocked via that add-on. We had lots of trouble with Yahoo!'s email program, till we re-enabled the Yahoo! sites (yahoo.com, yimg.com, and the yahoo api site, whatever that is) in NoScript. Now, we don't see that error anymore.
Brian Krebs: Thanks Greenfield.
Washington, D.C.: I only visit American Web sites and buy things from American companies. Is there any software that can block all non-US web sites and IPs so Russian and Chinese hackers can't break into my machine?
Brian Krebs: Haha. I love this question, because it's a legitimate gripe: If so much badness is coming from China and Russia, why don't we just wholesale block traffic to and from these areas?
Actually, this isn't as hard as it sounds, if you feel like spending some time researching the address ranges at APNIC and RIPE, the two regional address space authorities for those areas.
In fact, I recall reading about at least one local company I believe that was actually offering a service like this.
Reading, Pa.: Brian:
Running IE8, Vista Home Premium SP1 (64-bit) on a Dell E530, along with Trend Micro Internet Security (updated and run regularly). Comcast supplies internet through a Motorola modem. No wireless connections at all. I'm using the Trend for my firewall; have the Windows firewall turned off. Can I/should I use the Windows firewall with the Trend? Is one better than the other? Will there be conflicts if I use both?
Brian Krebs: I would not recommend running two software firewalls at once, which is what Trend and the built-in Windows Firewall are. One or the other is sufficient, as far as that goes. And yes, there could be conflicts if you try to use both at the same time. In fact, some software firewalls explicitly disable the Windows Firewall for that very reason.
Brian Krebs: I am out of time for today, folks. Thank you to all who stopped by to submit questions, or just to read the transcript. I took a little time off this month, but we should be able to get these chats back on a regular schedule going forward. So join us again in a couple of weeks, when we host another Security Fix Live. Until then, please consider stopping by the Security Fix Blog once a day at least to stay abreast of the latest security threats, tips, musings, etc. Thanks again, and be safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.