Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, November 6, 2009; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Nov. 6, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.

Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.


Brian Krebs: Hello dear Security Fix readers, and welcome to Security Fix Live! Thanks for joining us. Just the usual plea before we get started: For the love of all things technology, please include in your question as much information about your current setup as you can manage or as seems relevant, including the version of your operating system (Vista, XP, Windows 7, Mac, etc), your Web browser of choice, any installed security software, or if it's a hardware problem, at least the make and model of the hardware in question. Okay, now that we've got that covered -- ONWARDS!


Sydney, New South Wales : Hi Brian, This is not really a security query but I'll ask anyway. My DVD drive is a Lite-On DVDRW SHM -- 165P6S ATA device. I have no idea what all that means. It will play some movies beautifully on Windows Media Player or Windows Media Centre-Vista Ultimate but there are a few others that the drive does not even recognize, instead I get a "please insert a disk into drive E" -- Drive D is another partition. Might this be because the movie is copy protected? I doubt the disks need cleaning because they play fine on a stand alone DVD player through my TV monitor. I only want to watch them sometimes on the computer screen, not make illegal copies, I promise. Thanks, kind regards, Peter.

Brian Krebs: It means you have a nice, fast DVD player that will also allow you to burn DVDs. :)

I constantly have problems with Windows Media Player and DVDs; It seems that it's always something...either the sound isn't right, or I can't skip past certain menus, or it tries to autoplay stuff that I don't want.

Two free software tools I can't recommend enough are Media Player Classic and VLC Player. The latter is a bit more option rich, and supports a massive number of video formats. MPC is a very small, fast little player that can handle a wide range of DVDs extremely well. Grab MPC at this link here, and circle back to let us know if it addressed your problem.


Ljubljana, Slovenia: Which type of protection do you think is better?

Banks (NLB) here currently use certificate + password + random two out of eight character string (that was sent to customers via ground mail). Other banks use one-time passwords generated by ActivCard devices.

First bank (NLB) charges for certificate renewal and started to charge around 50 cents extra per month, for "costs of constantly upgrading security of online bank".

What type of login protection is currently the best in this crazy "trojan horse/keylogger/remote control" times?

Brian Krebs: The most secure approach, in my humble opinion, would be to use two-factor authentication twice in the same transaction. This is a pain for the user to be sure, but it's also very hard for the attackers to get around.

E.g., some of the most hardened setups I've seen use a username/password + token/one-time pass up front for logging in. Then, if the user then goes to make a money transfer or wire, the same information is requested again. Most of the attacks on two-factor work by injecting code into the victim's browser and actually re-writing the bank's web page, and intercepting any data submitted by the user *before* it gets to the bank's page. In those cases, the attackers usually snatch the information and send the user to an error page or something to buy them a few seconds while they go and log in as that user using that information (remember, these USB token codes are usually only good for ~ 30-60 seconds). But if you request it again after the user is successfully logged in, it raises the bar considerably for the attackers.

Of course, few banks do this because they probably (and maybe rightly) believe their customers won't put up with it.


Anonymous: I have a Western Digital My Passport Elite external hard drive. I would like to use Acronis WD edition for backup but the drive doesn't show up as an option under backup drive destination. Strangely it does appear as an option under drives TO backup. In Windows, it does show as My Passport(F:) in Device Manager and Disk Management (status Healthy), but is not listed in My Computer drives. I think if it would show there that it would also appear in Acronis as a backup destination option. Any suggestions? WD's support so far has been limited to repeatedly asking me to resubmit same info over and over. Running Vista SP2 on a Toshiba Satellite laptop. Recently switched from AVG to MSE - which I like, by the way (although it does seem to use a lot more RAM while running).

Brian Krebs: Anonymouse is referring to the last Live Online, where I told readers about the fact that Western Digital and Acronis had teamed up to allow any Western Digital hard drive user download and use Acronis for free (link here)

Acronis is designed to make full disc backups, with a focus on making an exact replica of the system you're booting into (i.e., your C drive + all the programs and data on that drive). The beauty of this is if you take a snapshot image of your system today, and then tomorrow the whole thing goes south, you can simply get a new drive, boot into the Acronis boot CD, write the saved image to a new drive, and you're back in business.

Acronis TI isn't really designed to copy external drives. And you don't need a program like Acronis to do that for you. If all you want is to copy data on an external drive, why not just manually open Explorer with a secondary external drive also attached, browse to the external drive you want to copy, select the folders you want to copy, select "copy," and then switch over to the secondary external drive and hit "paste". That's what I would do.

I wish you had told me whether the drive that you are booting from (where Windows is currently installed) is a Western Digital drive also. The user manual for Acronis WD version isn't totally clear on this point, but it says you have to have a WD drive connected to the system for the program to even install, but perhaps you can still install it without booting from a WD drive.


Bowie, Md.: Home network question. Can a Windows XP Pro machine be networked with a Windows 7 machine. I have a working desktop Win XP Pro and would like to add a laptop. The desktop connects to the internet via a wireless N router. If the laptop runs Win 7 with an N WiFi, could I network the two?



Brian Krebs: Yes, it's definitely possible, but not with the default way that Windows 7 is set up. By default, Windows 7 has a feature that makes it very easy to share files between Windows 7 systems, but it doesn't work with non-Windows 7 systems. To make file sharing work between Windows 7 and XP, you need to tweak the defaults a bit.

First off, you need to make sure both systems are on the same workgroup. By default, the Win7 system will set the workgroup name to "homegroup," but I believe the Windows XP default is "workgroup" (it might also be "mshome"). Just make sure the Windows 7 have the same workgroup name: for simplicity's sake, just use the name "workgroup"

Bah, I just realized that this is going to take a lot longer to answer than I have time in this chat. And there are a number of other sites that will walk you through this step by step, with pictures even. Check out, for example, this link at, which appears to have all the right steps laid out (even for sharing printers!).

My main advice would be to just share the folders that you need, *not the entire drive*.


Guanajuato, Mexico: I generally run Windows XP under a limited account, as you recommend. At least a few times a week, however, I need to switch temporarily to an administrator account, and it's a time-consuming pain--logging off, logging in, logging back off, etc. Is there an easier way to do this?

Brian Krebs: You might consider looking at the make me admin approach, which addresses frustrations you cite. It may seem daunting at first glance, but take a few minutes to read through that post, and I think you'll find it's a decent compromise that's a little simpler than logging in and logging out, etc. all the time.


Portland, Ore.: What's up with Word? I typed a 6-pg paper, saved it, saved it "as", printed it, then tried to send it as an attachment to e-mail. It is nowhere to be found--when I bring it up from my "recent documents" list, the screen is completely blank. A friend told me the exact same thing happened to her.

Brian Krebs: It's unsusal for things like this to just vanish into thin air. Generally speaking, there will be some kind of at least temporary copy of this file stored somewhere on the system (assuming you haven't rebooted and/or cleared the cache/temp bins recently). Probably the phantom file you're looking for is in your user folder (documents and settings\username\application data\microsoft office\microsoft word\ for example....your exact folder location may vary.

If you know what the file was saved as, check out this tutorial for finding lost Word files on your system.

Also, pretty much all versions of Word have auto-save options that you can manage so that it automagically saves copies of documents you have open at whatever time interval is good for you. I'd recommend turning that feature on or maybe asking it to autosave every few minutes.


Washington, D.C.: I update Java when prompted by my PC. I am annoyed by how it always tries to trick me into installing the Yahoo Toolbar at the same time.

Brian Krebs: Argh. Yeah, that's a real bummer. And I meant to remind folks as I usually do to watch out for that. Thanks for the reminder, Washington.


Bridgewater, Va.: Why doesn't everyone switch to Linux. I have and have no problem with viruses because they can't run on linux. It's also very hard for hackers to get in. Much better than some that have no security at all and are wide open. Doug

Brian Krebs: Haha. Your rhetorical question just reminded me of a really funny and I think still somewhat appropro video of a super villian named "Steve," who wonders why more people don't use Linux. Highly amusing. Check it out here (requires Flash). As funny as it is, it's hard to really appreciate unless you've already spent some time on Linux.

Seriously, though, "check your version dependencies," "patch [or recompile] your kernel," these are concepts you will eventually have to learn using Linux. I love Linux and use many varieties of it every week, but I'm still not sure it's made for the computer user who barely understands computers.

My answer to your rhetorical question is most people don't want to become computer experts to use computers. But the more accurate answer is probably inertia: People stay with what they know, and fear what they do not.


Kansas City, MO: Brian - I'm getting error messages saying that my Windows is not a genuine Windows product. Its a Dell desk top with XP and I never got these messages until a few months ago. Now, I get them when I first start the computer and then periodically. I've run the Windows test and it confirms that it is not genuine Windows. The only option Mcrosoft offers is for me to buy XP again. Although none of my virus programs have found anything, could some virus have changed my settings so that it appears I no longer have a valid copy of Windows XP? Besides the annoyance of the messages and having to click on them to close, the major downside is I'm not getting the updates from Microsoft - they don't update XP if its not a valid version. Do you have any suggestions on how to fix this?

Brian Krebs: Yes. Call Microsoft (I believe the error messages tell you a number to call). If your copy of XP is indeed valid, they should be able to walk you through a process for getting rid of that prompt. Unfortunately, if it turns out you purchased the computer or the copy of XP through a distributor who was less-than-honest, you may end up having to pay again.

Your other option is to back up your data, and reinstall, assuming you still have the Windows installation CD and your Windows license key handy. Then set up Windows Update to download patches for you, but let you choose which to install and when. Then, when Windows update says there are patches available, click the "Custom" button, and deselect the Windows Genuine Advantage patch. You may have to do this every time Windows offers new updates.

Best of luck.


Medford, Ore.: What do you think of MS's Security Essentials so far? Do you expect this to be superior compared to the main competitors?

Brian Krebs: I like it for what it is, and have it running on a system that I don't generally use for Web browsing.

I doubt that MSE will ever be called "superior" to its competitors, except perhaps competitors in the free range. MSE is fine for what it is, but it has very few options. This is, of course, by design, as it's made for people who want set-it-and-forget-it, free antivirus protection. But as free anti-virus goes, even, it's not terribly configurable (nowhere near as configurable as, say, AVAST's free edition).


Bremerton Wash.: I have Windows Defender on my computer with Windows XP. Will I be able to add MBAM also as another anti-malware program without the two conflicting with each other

Brian Krebs: Yes, it is quite possible there will be a conflict if you're using Windows Defender and MBAM (Malwarebytes' Antimalware). That's because one of Defender's big features is that it tries to stop malicious programs from adding themselves to the list of programs slated to start when Windows boots up.

In fact, MBAM recently acknowledged a conflict between WD and the latest MBAM that prevents the startup entry for the Delete on Reboot script from being removed after it runs. See here for more information on that. Ther may be other conflicts that arise between the two, but they are probably addressed in the WBAM user forum.


Upper Marlboro, Md.: Hi Brian. I asked a question about basic security computer at the last chat and took your advice to jettison System Suite 9 in favor of Avast!. I am glad I took your advice. So far, Avast! seems to be working pretty well. Thank you!

What I am wondering is, do I need another spyware program to run with Avast! or is the latest version of Avast! good enough? I use a Toshiba Satellite laptop running Windows XP Media with 2 G Ram on the Verizon Fios wireless network with WPA2 security enabled. Firefox is my main browser and I use the Windows firewall. I also took your advice about logging on as a limited user unless I need to make software changes.

BTW, I was listening to a recent Leo LaPorte podcast and he said that the free security programs offer only basic protection - basically "better than nothing" and all paid programs, (like Eset's Nod 32, a sponsor) are definitively better. Any comments?

Brian Krebs: Great to hear my advice was useful.

Re: free vs. paid AV, I get really tired of this question, mainly because there isn't a lot of data to support a conclusion one way or the other.

What IS abundantly clear -- even to the AV companies if they're honest -- is that anti-virus software (whether paid or free) is increasingly of little help against the latest threats. That would be great if most people got hit with old threats, but that's simply not the case anymore. If you use Windows, it's important to have *some* kind of up-to-date antivirus software installed. Is it worth it to spend $50-$75 on a product that fails to stop malware a good percentage of the time anyway? I leave that up to the reader.

The single strongest protection against malware is a healthy dose of skepticism lightly flavored with a drop of paranoia. Add a dash of street smarts and commoon sense in there and you have a good setup.

Keep your software and plug-ins up to date. But don't grab software updates or plugins or add-ons from anywhere but the original source. Don't install programs of dubious origin. Don't click on links or attachments in e-mails you weren't expecting. Stay away from software crack and P2P programs.


Atlanta, Ga.: Do you know of any cases where a company using a bank's true out of band solution (transactions are completed off the internet) has been successfully defrauded via wire transfers or ACH transfers?

Brian Krebs: No, but then again out-of-band/off-internet transactions has not really been a major focus of my ongoing investigations into this topic.


Tampa, Fla.: Will the NoScript Firefox extension block the Zeus trojan?

Brian Krebs: It's quite possible, since many attacks that try to install Zeus leverage iframes, which are blocked by default from loading on untrusted sites with Noscript. However, what would you do if the link you clicked led you to a blank page? Would you temporarily allow scripts on that page to see what was supposed to be there?


Batesville, Va.: Hi Brian,

Three times since Oct. 26 I have returned to my computer during the day to find that my PC has "recovered from a blue screen error caused by device or driver". The message says that I may want to consider restoring to a previous check point, but when I pick a point earlier in October it says I cannot restore as no changes are in effect since that point. I have not knowingly updated any of my drivers.

My XP Pro SP3 system is fully patched as indicated by Secunia PSI.

Brian Krebs: Yeah, so this happened the other day on one of my machines here at home -- an XP Pro system I set up in Mrs. Krebs's office. She complained that the screen went white (that was a new one to me) and sure enough nothing I could do would get the thing back to the desktop. I initally thought this was the beginning of the end for her machine, and suspected some kind of corrupted driver or video card problem.

While this sounds ultra geeky, and very few people actually use this approach, the System Event Viewer in Windows is a font of information about what's going on under the hood in Windows, and the events it logs can often give you extremely detailed and valuable information about bottlenecks, driver or hardware conflicts and stability problems that can lead to things like the dreaded bluescreen of death.

I'm going to assume you're using XP (you didn't say, shame shame) but I'll try and give you an approach to getting to the event viewer that works on all Windows OSes: Click Start, then click Run (in Vista or Win 7, just type the following in the search box) then type "eventvwr.exe" without the quotes. That should bring up the Windows Event Viewer.

From there, click Windows Logs, and check the "application" and "security" headings for a list of associated event alerts. You want to pay special attention to those alerts that match the date and time of the last time you had this problem, and then on those alerts that are marked with a yellow or red exclamation point. Click those individual alerts and you will be able to see what program caused the alert, and probably will see some information about what Windows thinks the problem was.

In the case I described with my wife's computer, Windows Event Viewer told me that it was the ATI video card driver that got caught in an endless loop, causing the system to hang. I chalked that up to a one-time problem, because it hasn't happened since, but it was nice to be able to rule out other problems.

Anyway, good luck. I hope that helps.


San Diego, Calif.: A while ago you had mentioned that there are more viruses out there now that can attack an XP system running under a Limited User account. What's your sense of how big a threat this is? How do these viruses work if they can't alter system files? Just looking for some guidance on how worried I should be.

Brian Krebs: It's actually becoming more of an issue, but there are limitations. Here's a common scenario: The user is running under a limited user account and browses to a hacked or malicious site that takes advantage of several different browser vulnerabilities to try to install malware. Let's assume for the sake of this example that the user's browser is vulnerable to one of these: But because the user is running in a limited user mode, the malware can't write itself to the admin account or the places on the drive where it would need to be in order to be started up when all of the other programs on Windows start up at boot time.

So in this case, it stashes a copy of itself in the user's directory (documents and settings\username\temp) and runs in memory for the duration of that logon session. As long as the user doesn't reboot, it's possible for that keylogger or whatever to run in memory happily on that user's system.

How worried should you be? Probably not terribly so. Just be sure to stay on top of the latest updates for the operating system, and for the browser and associated plugins (java, quicktime, and especially Adobe products, like PDF and Flash). Never download these updates from anywhere but the vendor's own Web site.


Hamilton, Va.: Question might be for Rob Pegoraro but I'll try you. I have a laptop running VIsta and whenever I use IE it has a habit of taking itself offline. If I open a new tab it will often respond "webpage cannot display offline. Do you want to connect?" Firfox does not do this. Any ideas?

Brian Krebs: Ack. No clue what's going on here. Microsoft has a monster knowledgebase page on this very issue, with loads of suggestions. The one that looks most promising is emptying out the browsing cache -- it could be that some expired page in the cache keeps trying to load.


Pacific Grove, Calif.: I am a newly converted Apple user after years on a Toshiba lantop PC. I run a MacBookPro with Snow Leoaprd and also with parallels 4 and a Windows platform using XP so I can use my Word Perfect program which I love. The problem is that I don't seem able to print from the Windows partition to my Canon i850 printer--says it's not connected. I can save my word perfect file and go back to the Mac side, call it up in open office and print from there, but that is a pain of a workaround. Any idea what I may need to do? I am looking at upgrading to Parallels 5 also and wanted to know if you had heard anything of it yet. All I really use the windows side for is Word Perfect -- wmv files for the most part play on my Mac using VLC. Thanks for your wonderful column by the way, which I read regularly.

Brian Krebs: I used to monkey with Parallels, and even paid for two version upgrades, before I discovered that Sun's FREE Virtualbox software runs incredibly smoothly on the Mac (you can even transfer over .vdi images from Windows to the Mac and they will run just fine).

Truthfully, I haven't tried networking printers in Virtualbox, so my answer is more about suggesting an alternative to Parallels, I'm afraid, as opposed to paying yet again to upgrade for features that may or may not work.


Lorton, Va.: Good intentions backfire. My friend was using a torrent software for sometime. The program (Vuze)is free and asks for donation. So recently he wanted to donate $5 and the site took him to Paypal. As soon as he paid $5, someone in England tried to buy a Blackberry phone for 400 euros using his credit card. Luckily the credit card company stopped the payment. Undeterred the guy tried to withdraw 300 euros from my friend's checking account (Paypal has this information too, again luckily Paypal stopped the transaction.

This is another scam to get your money. It is difficult to trust anyone on the web. I suggest people have a differnt credit card and checking account for Paypal transactions.


Brian Krebs: I am sorry to hear about 'your friend's' problem. When one reads your comment, it is tempting to conclude that the problem here is with Vuze or with their donation system or with PayPal or something like that. I'm going to guess that the problem is that your friend's machine was already compromised with a keystroke logging Trojan, and that his information was stolen by the malware on his PC after he entered it in making that donation. That is the most likely (and probably correct) explanation of what really happened to your friend's payment information.

People take umbrage at my suggestion to stay away from P2P for security reasons, but I find time and time again that experience proves that people who regularly download applications from P2P programs have malware on their systems as a result. I'm going to go even further and suggest that your friend at some point used P2P software to download a pirated game or software title, or at least a "crack" that would allow him to get a license key or the ability to play a copied game CD without the actual CD in the hard drive. I would love it if you would ask your friend whether any the above are true, and then circled back here in a couple of weeks to let us know. Thanks for your question.


Upper Marlboro, MD: @ Bridgewater, Va. I have an inkling as to why more people don't use Linux. I use a Puppy Linux Live CD for banking and bill paying. I was using the included browser, (Seamonkey) and all was well until I got an alert that I needed to update to the next version of Seamonkey (version 2.0) ASAP. That was over a week ago and I still haven't figured out how to do this upgrade yet. Eventually, I gave up and installed Firefox for Linux. Come to find out, Seamonkey 2.0 was released without an installer, which makes no sense to me. As a Linux newbie, my biggest frustration with Linux is that "open source" means information all over the place, some of it current, some of it not so much, cryptic instructions written in "linux-ese," and what happened with Seamonkey. Why make a program available for release without some easy, convenient way to install it? Unless you are highly motivated, it's pretty easy to give up on Linux.

And yes, I will continue to use my Puppy CD for financial transactions, but it will be a long, long time before I rely exclusively on Linux as an operating system, unless the programmers improve its accessibility for those who are used to a Windows environment.

Brian Krebs: More comments on the rhetorical question from the Linux-switch guy.


Brian Krebs: I am fresh out of time for today, folks. I apologize that I could not get to all of the questions, but I will try to save a handful of them for the next chat, since several of them are sort of evergreen questions. Thanks to all who stopped by to submit a question or just to have a look at the transcript. I'll host another Security Fix Live in a couple of weeks from today. Meantime, please consider dropping by the Security Fix blog regularly to stay on top of the latest updates, threats and tips. Be safe out there, people!


© 2009 The Washington Post Company