Security Fix Live
Friday, September 11, 2009; 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Sept. 11, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.
Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.
Brian Krebs: Greetings, dear Security Fix readers, and happy Friday. Welcome to Security Fix Live, where I boldly attempt to field your questions about all things security and tech-related. Please, please please...if you have a question about a specific software or hardware problem, give me some clues about your system setup -- i.e., at the very least, what operating system you're using, which Web browser, installed security software, etc. With that...ONWARDS!
Eugene, Oregon: When connecting to wifi hotspots, sometimes I see a "computer to computer" connection option which I always avoid due to the risk of being snooped on or picking up malware. Is there any other reason this type of connection is showing up in public places? Is there any way to spot who it is in the vicinity that is offering up these dangerous connections? If my computer is running Drop My Rights, is it safe to connect?
Brian Krebs: What you're seeing there is the default behavior of the Windows XP wireless configuration utility, which beacons out when the computer is turned on. The "computer to computer" connection is another Windows laptop in the vicinity that is offering an "ad hoc" connection. You can and probably should ignore these offers.
If you'd like to not be bothered by them at all, you can turn off this feature by clicking the Wireless Network Configuration icon in the notification area of the taskbar, then selecting "view wireless networks," then "change advanced settings," then clicking the advanced tab in the box that comes up, and selecting the radio button next to "access point (infrastructure) networks only."
DC: Following your blog advice, I installed the Firefox add-ons Adblock Plus, NoScript and RequestPolicy on my iMac with Leopard. Adblock seems to work pretty much invisibly, but I'm wondering whether I really need the others. NoScript will show several secondary links that you can approve/not approve in addition to the site you're on (Washingtonpost.com often has six or seven links), and RequestPolicy automatically approves those secondary links when you approve the primary site. I don't even know what most of these links are. (What's "quantserve" or "yimg"?) Both add-ons seem to slow down loading web pages and often require responses to see the whole page. What are these add-ons actually doing for me?
Brian Krebs: It is true that NoScript and RequestPolicy will block the proper loading of many pages, and using these plug-ins frequently requires that you approve the display of certain -- sometimes multiple -- scripts on a page -- particularly with video content embedded in a page.
I appreciate these plug-ins because they actually cause most sites to load faster, because the browser isn't trying to fetch 16 different scripts and actions from a whole bunch of different third-party tracking companies who are doing heaven knows what with my data. More specifically, I like these plug-ins because most hacked or malicious sites use scripts to do their dirty work, scripts that are blocked by default by NoScript and RequestPolicy. But many people find managing scripts on a per-site basis to be annoying, and prefer not to be bothered. If you're one of those people, perhaps the trade-off is not worth it for you.
Steubenville, Ohio: Brian, my Acer AST690 runs Vista Home Premium and I am using AVG 8.5.x. Several times (more than two) I have shut down the computer normally only to turn it on the next morning and find AVG has been shut off. I go through the Security Center and try to turn it on. I have to reboot for AVG to then auto start and monitor. Once I used Revo Uninstaller to remove AVG and start from scratch. After removing it the Security Center still told me that AVG was turned off. I had used Revo to pillage and burn so I thought every remnant of AVG would have been removed, even from the registry.
Two questions then: Should I suspect nefarious doings with AVG being turned off or is this likely the vagaries of Vista and, if I decide to Revo AVG again and go to another program, where, oh where does the Security Center store the info that tells it that AVG is still on the computer? I will gladly go into the registry if I have to. Thank you.
Brian Krebs: AVG is fast replacing Symantec's Norton products as the anti-virus product that I keep receiving tons of complaints about from readers. Revo is a great product, but anti-virus software can be tenacious (it has to resist removal or subversion by malware, so it tends to hang on tight). Have you tried using AVG's own removal tool? If anyone would know best how to fully banish their software, AVG would.
Otherwise, you might try using Microsoft's Windows Installer Cleanup Utility after you've uninstalled the program, to remove any registry remnants that AVG's uninstaller may or may not leave behind.
I wouldn't worry too much about what the Security Center says vis-a-vis your installed (or not) anti-virus software. If it persists in telling you AVG is inactive even after you have replaced it with another AV product (Avira or AVAST, perhaps?), then message me back at brian dot krebs at washingtonpost dot com, and I'll try to help you out.
automatic MS updates: I just got a new Vista PC and I am wondering if I should set it to take all updates from MS (including "recommended" ones). I am not that tech savvy, but on my last PC I was pretty selective on updates (partly because I was running out of disk space), but between security concerns and my sense that x64 Vista might need more bug/compatibility fixes I was thinking of taking all updates. What's your recommendation? What is the difference between "recommended" updates and "important" updates? Are recommended updates those that aren't security related?
Brian Krebs: Microsoft tried to clarify its "type" rating for various software updates in Windows Vista, but as far as I'm concerned they only managed to introduce another layer of confusion. For example, Microsoft lists the "severity" of security updates as "critical," but then when you view the update in Windows Update, it shows the item as "important", which also happens to be the name of a lesser severity rating that Microsoft uses. What's more, non-security related updates, such as those for Microsoft's Office Genuine Advantage Notification (anti-piracy) program, also earn this "important" label when listed in Vista's Windows Update pane. And then there are "optional" updates, which are things like language packs and program enhancements.
Generally speaking, "recommended" updates are those for non-security related items, such as the Windows Junk Mail E-mail filter, or compatibility updates.
Clear as mud?
I like to review each patch before installing it, so that I am at least aware of what Microsoft is (saying it is) putting on my machine. I haven't approved Microsoft's anti-piracy patch, because I've heard from legitimate users in the past who've been flagged as pirates by this program. But your mileage may vary.
Bowie, Md.: Brian, in your articles on bank scams you've suggested several times that a stripped-down Windows machine, a Mac or 'even' a Live Linux CD may be used to minimize the risk. I'd say that the last method is both the safest and cheapest option. Would you consider writing an article on how to boot a PC off a memory stick with some Live Linux distribution?
Brian Krebs: Thanks for reading, and for your question. Yes, I'm working on such an article now...just trying to figure out which Live CD is the friendliest to all setups (many of these Live CD versions simply don't work with the built-in wireless capability in Windows without some super-geeky command-line kung fu). If anyone has suggestions on which LiveCD installation plays nicest with wireless/wep/wpa, please feel free to drop me a line. At any rate, stay tuned.
Ellicott City, Md.: I know you must get this question a million times, but I still am confused about WEP or WPA security choices on WiFi. Which one is more secure?
And what should my firewall setting be on my computer? Should the firewall be set from the control panel for the modem/gateway or from my computer? I have had a MacBook Pro for about 4 months now and I still don't know what is best. The tech support people from my modem company (Motorola) say I should turn the firewall settings off for the modem but turn them on on my computer.
Okay, end of stupid questions.
Brian Krebs: WPA is more secure than WEP, which can be broken quite quickly with the right knowledge and free software tools. WPA is harder to crack, but can be broken. In fact, some Japanese researchers just presented a paper that claims the ability to hack WPA passwords too. I don't think those attacks against WPA are an imminent threat, but they probably are an eventual one, as automated tools get updated to incorporate these new methods. At any rate, WPA is far more secure than WEP, as those things go.
I don't know for sure, but it sounds like your Motorola modem has a built-in firewall (called a hardware-based firewall), which means it essentially drops all incoming communications that you did not initiate. This is a good and very useful thing, and I recommend in nearly every chat that if people have the ability to use a hardware firewall in combination with a software-based firewall (such as the built-in Windows Firewall or the firewall built into the Mac), they should indeed use both. It is unlikely that either will interfere with whatever you want to do online.
NoVA: I have a brand new HP computer (sorry, don't know what model) with Vista. I have BitDefender as my antivirus and every time I start up, for a couple of minutes Windows Security says I have no antivirus on. It's annoying because BitDefender is on and running just fine. Why does it do that? It does this on my ancient Gateway laptop as well, which has AVG and runs XP. Thanks.
Brian Krebs: This appears to be a known issue that BitDefender is aware of. See this knowledgebase entry from BitDefender's forum in July. It says:
BitDefender 2009 and Windows Vista Security Center
When opening the Windows Vista Security Center you may see a message saying that BitDefender is reporting to Windows Security Center in a format that is no longer supported.
This message appears due to some modifications made to the Windows Security Center included in the SP1 package for Windows Vista. As a result the mechanism through which security applications communicate with the Security Center has changed. The 2009 version of BitDefender was not yet updated to use the same communication mechanism with the Security Center. However, to verify that BitDefender is working properly you just need to bring up the BitDefender interface, switch to Advanced View and go to the Antivirus->Shield tab to make sure that the Realtime Protection is enabled. Our team is currently working on a fix for this issue and it will be released through automatic updates shortly.
Reston, Va.: While the banks offer online banking with 128bit IPSEC during the session, how much risk is associated with logging on while at a public wifi hotspot?
Brian Krebs: This question is one that I receive quite a bit, but there is no simple answer. People always ask, "Is it safe to bank online in a hotspot, provided I ensure all of my communications are protected with https:/
The long and the short of it is this: If you can do your banking from your home network, then do it there. If you don't *need* to check your savings account statement at a coffeehouse, then *don't*. I always tell people, if you do not control the network, you should consider it hostile. I'm sure there are people who disagree, but they're probably few and far between if they're also employed in the field of computer security.
Moscow, Idaho: Downloaded and am running iTunes 9. Did Apple have all their UI people quit? What's up with the blaring white background and ugly top bubbled buttons? Also, after much digging I got my headers and columns all situated; it seems like the last developer who touched it left it the way they like it as opposed to the way version 8 was installed. (Hint: View - Show Headers or Column Browser is the key place to get things lined up normally.) Finally, why does playing music through iTunes peg my processor out and then keep memory up near 200,000K?
Brian Krebs: Frankly, I'm intrigued by the name of your home town. Apple, producing something ugly? Heretic! You blaspheme!
Columbus, Ohio: After my first satisfactory year using F-Secure AV, I recently renewed my subscription. A day later, I read some intriguing info on ThreatFire AV. ZDNet calls it a supplement to conventional AV programs that will work with them and provide additional, behavior-based protection against malware. However, I could find no specifics online as to whether F-Secure and ThreatFire play well together. What have you heard? Also, which--if either--would you choose as an alternative to Task Manager: System Explorer or Process Explorer. Running XP/SP3 home, fully patched, w/MS firewall.
Brian Krebs: I don't know about F-Sec and ThreatFire compatibility (I've not heard of or seen on a quick search much in the way of problems), but you could do worse than to install the free version of ThreatFire and see what happens. You can, of course, always remove it if there are problems. And, depending on whether the latest version of F-Sec satisfies your needs or not, most AV companies offer some kind of 30 or 60 day money back guarantee.
Vancouver, BC: Hi Brian,
I'm having trouble adding Bing to my toolbar. I added it once, thought I removed it (it's not there), but now when I go to add it, Firefox says I already have it loaded (even though it doesn't show up in my add-ons).
Brian Krebs: Hrm. Have you checked to make sure it's enabled in the Toolbars list? To do this in Firefox, click "View," then "Toolbars". I apologize in advance if this is an obvious question.
Falls Church, Va.: What is the default setup for the FIOS service's wireless router? Do they default to WEP or WPA security, or do they set customers up on an open network? I ask because I know folks who are getting it who have no clue about these things and I'm wondering if I need to help them out. They're at a technical level where I doubt they would be able to answer the question if I asked them.
Brian Krebs: I know for a while there customers were complaining that Verizon offered but didn't support WPA, but last time I checked that had changed. Which one they enable by default, I don't know. My suspicion is that unless the tech who sets it up specifically asks you, there is probably no encryption set up by default.
DSLReports has a very active support forum for Verizon FIOS users that you may find helpful.
Arenas Valley, New Mexico: Will it be safe to uninstall Internet Explorer now that I have installed Firefox?
Brian Krebs: Hah! Depending on which version of IE you are asking about, you may or may not be able to completely remove IE. In any case, you may actually need IE for the odd site that doesn't load correctly in Firefox for whatever reason.
Honolulu, Hawaii: I just got an iMac after being a PC user from day one. Should I get an uninterruptible power supply (UPS) and an anti-virus program? I had these two installed in my old Dell PC. Thanks.
Brian Krebs: I don't think you need antivirus for the Mac, but there is a free AV tool for Mac systems, available here.
As for a UPS, it's up to you. Those systems can be expensive and require replacing the battery every so often, depending on the usage. I have a very good APC backup on most of my systems, but it wasn't cheap (I think I paid $250 for it). That said, in the four power outages we've had in the last couple of months, none of the systems blinked even once.
Whether or not you opt for a UPS, you should at least make sure that all electronic components that you care about are hooked up to a surge protector. I've had a DVD player and a power supply for a computer melted because of power surges over the years. Properly rated power supplies are one of the cheapest ways to make sure your computer chips don't turn back to sand, or glass.
Tulsa, Okla.: Brian,
Here is a vote for the puppy linux live cd for use as a "safe" banking option.
BUT there is one issue I have been unable to solve with any linux distro.
Some sites will tell me my linux does not have java or flash even though it is installed. Any pointers?
Brian Krebs: Ah, but you didn't say whether this puppy linux distro plays nice with the built-in Windows wireless (generally this is the Broadcom wireless device driver).
Richardson, TX (re uninstalling IE): Don't you have to have IE to update Windows?
Brian Krebs: No. You can enable Automatic Updates to get patches as well. There are also gradations of Auto Update:
Fully automatic, in which you give Microsoft full access to download and install patches whenever the operating system wants (I don't like this setting, but may be best for computer noobs).
Check for updates but let me choose whether to download and install them (this is the setting I like).
Thanks for taking my question. My brother recently got the Vundo trojan/virus. My question is since this bug has been around for some time why is it that his McAfee (which is up to date on his PC) cannot fully recognize and delete this bug? McAfee notes there is a problem but cannot fix two files. He is using up to date IE and XP.
Brian Krebs: You may want to check out a column I wrote last week:
You will find in it links to two tools that should help you clean out those infections.
There is also a tool called "Smitfraud Fix", available from the BleepingComputer help forum here, which should be able to help you get rid of Vundo infections.
Washington, D.C.: Trying to get into the security field of the IT industry. Slowly getting certifications, wanted to know what if any other advice you have? The extent of my security experience currently is just being the go to guy for friends and family whenever they have a tech question.
Brian Krebs: Ah, good question, thanks. My advice would be to get your hands dirty as often as possible. Earning security certifications is nice, but unless you have hands-on experience, all that knowledge is useless.
One easy, cheap and relatively painless way to learn (i.e., mistakes cost nothing) is to set up your own LAN, and start attacking it using open source tools. I'd recommend Backtrack 3 from remote-exploit.org.
Make sure you fully understand TCP/IP and the networking stack. Take the time to understand how to use and interpret information from an open source packet sniffer like Wireshark. This will help you greatly in understanding network traffic flows, etc.
Also, check your local listings to see if there are security gatherings in your area (OWASP, Defcon, etc). Making friends with other geeks who know more than you do is always a good way to learn.
Bowie, again: (not really for this chat but my thoughts:) I agree that the combination of Live Linux and wireless is very tricky - it took me hours to get it working, and I'm the kind of geek who happily builds Linux kernels. I would suggest telling your readers to forget about wireless, just Ethernet. As for a distribution: I'm now using sidux, which is great but it lacks the 'save configuration' option to store bookmarks and other settings (it has persistent storage, but that would defy the purpose). Kanotix seems to have been abandoned. Knoppix may still be the best choice.
Brian Krebs: Yes, I am leaning toward Knoppix and/or Ubuntu Live.
Washington, D.C.: I got an email from Verizon Online saying I would have to reset the outgoing email port from Port 25 to Port 587 to prevent spam. The email had no logo on it for Verizon, just instructions for various email handlers (but not my Iphone). Is this legit? It seems so casual, but important.
Brian Krebs: I don't know about this email specifically going out, but my guess is that it's legit. Earlier this year, I broke a story about this very shift, which sounds minor but is actually a fairly big deal within the ISP community.
Baltic, Ct.: Occasionally someone 'steals' my address book. It may or may not be emptied, no addresses left in it. People receiving the unwanted email ask 'what is this junk-mail'. Short of leaving the addr. book empty, what else can be done? One solution I used was to leave out a part of the address, e.g. '@yaho.com'
Brian Krebs: There is quite a bit of Webmail hijacking going on. See:
I would recommend changing not only your password for Yahoo, but also your secret questions, to something that is not obvious. Best of luck.
Salem, Ore.: Good day, Brian.
Perhaps you can help. A few weeks back my sister asked if I was on Facebook. When pointing out that after a certain age..., well anyway, suffice it to say my point was lost and the answer was no. I once again cited your expertise, explaining the security issues involved and pointing her to your excellent write-up on Koobface.
Minutes later I got a message from her address saying simply, "You're a koobface."
Now I'm wondering (is her machine infected?) and worrying (is mine?).
But my real question is this: Is there a safe way to look at Facebook? Does Firefox have an extension I can't find that will let me know if the page I'm looking at is 1) authentic and 2) not a threat? It would certainly be nice to watch the grandchildren grow up, even if only by slideshow.
Thank you very much.
Brian Krebs: Sure. Facebook has one major malware threat, and that's Koobface. It's not the most subtle attacker out there, either. It basically tries to trick you into downloading and installing a ".exe" file that masquerades as a video or browser plug-in. Avoid downloading and installing software that you didn't go looking for, and you should be safe from Koobface.
You can sign up for a Facebook account and not really do much with it if that's your preference, so that you can follow your kids and their kids' lives. Facebook isn't that dangerous from a malware point of view.
I would say more up in the air is the question of how much privacy you give away by using these networks. You will find that just by signing up, people you know and probably lots of people you don't know will ask to have access to your inner circle of friends. On top of that, all kinds of apps and quizzes and other clever marketing tools will ask for access to your friends as well.
San Pedro, Calif.: Hi Brian, Some time ago I purchased a used Dell laptop which was working fine. The first thing I did was reset the password. My problem is that I gave it a tune-up and it now requests that old password from the former owner, which I don't have anymore, so I'm completely locked out! Can you help me with this ugly problem please?? What do you advise?? Thanks Brian.
Brian Krebs: This would be one of those questions where just a little bit more info about your setup would be enormously helpful.
If you're referring to the regular Windows user account password (as opposed to a password in the system BIOS), there is a handy, free password reset tool that has saved my bacon a few times, that works on Windows XP/2003 systems to reset the administrator password. You have to burn it to a CD-Rom, boot into it, and follow the instructions *exactly*.
Check it out (and read all about it before proceeding) at this link here.
Brian Krebs: I am out of time for this week, folks. I apologize to the questions I could not get to in this short time we have here. Please join us again in two weeks' time, and until then, consider dropping by the Security Fix Blog on a regular basis to stay abreast of the latest security and technology news and tips. Be safe out there, people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.