Fast Forward: Computer Security
With Personal Technology columnist Rob Pegoraro
Monday, April 22, 2002; 2 p.m. EDT
Join Fast Forward columnist Rob Pegoraro for a discussion on computer security.
When it comes to Internet security -- protecting your computer from the dangerous viruses and worms pervading the World Wide Web -- diligence is the greatest challenge. All the sophisticated software and systems won't work if users fail to update security software on their home computers and business networks.
As Pegoraro notes in this week's Fast Forward column, many of the most persistent computer viruses circulating on the Internet are actually updated versions of old viruses. Or, in many cases, the original viruses are still wreaking havoc on users who never installed protection software or updated versions they bought years ago.
Submit your questions and comments before or during the discussion.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Rob Pegoraro: Welcome back to the Fast Forward personal-tech chat-fest, where you all throw complicated, convoluted questions at me and I try to sound somewhat intelligible in my two- or three-sentence answers. We've got a few questions about security, since yesterday I wrote about computer viruses; the week before, I covered DataPlay, a new format for digital music. And this Sunday, I'll be evaluating Windows XP six months after its arrival in stores--how well has Microsoft's new operating system lived up to its marketing promises?
So there should be plenty of material to keep me busy for the next hour. Let's go to the first question:
Alexandria, Va.: I have a Windows 2000 laptop that accesses the internet via a cable modem. I do not run a local firewall or other security software. Should I?
Rob Pegoraro: Yes. You also need to go through your default networking settings to see what services you're running and what ports you have open. As a first step, visit grc.com or security.norton.com to have your system's security inspected online. Do this *now*--a lot of people picked up Code Red or Nimda on systems set up like yours.
Alexandria, Va.: I read my e-mail on Webmail sites such as Yahoo and Hotmail instead of downloading my mail to Outlook or Netscape. I never worry about viruses and I never get any either.
Are Webmail sites safe?
Rob Pegoraro: Generally, yes--although you can still pick up a virus through your browser if it's sent to your Web mail account. Webmail is probably still more secure in practice, though, just because the people running the site (if they're doing their jobs) can keep their system up to date and secure much more quickly than millions of individual PC users.
Plus, some Webmail sites, like Yahoo, run anti-virus software of their own on all incoming and outgoing messages.
College Park, Md.: Hi Rob,
To secure a PC from virus infection and other vulnerabilities it is necessary to keep abreast of the latest operating system patches and software releases.
Well, most people I know _don't_ do this...but even if they did, the future of their computer's health is uncertain. All it takes is a mindless click to release some dubious payload. The harm that would bring can be limited by logging into your computer as an unprivileged user. Firstly, that is an unfamiliar security concept for most Windows users. Secondly, it's always a possibility that someone will root your system and corrupt your files.
The best OS independent computing advice anyone can give: Make a habit of backing up your important files.
Rob Pegoraro: Couldn't agree more on that last line--although if your backup includes some hidden virus, you're still in trouble.
Washington, D.C.: Hey Rob - really quick question. I have a cable modem and use ZoneAlarm as a firewall. Lately, I've noticed that when my system is "locked," I'm getting a few hundred notices a day that some IP address or another is trying to access my computer. Are these alerts triggered by ads and cookies, or are there really that many people out there probing for open ports? - Woodley Park
I'm wondering if it has anything to do with using Morpheus, but I keep that turned off unless I'm using it.
Rob Pegoraro: If you're on an always-on connection, the odds are that, yes, people are sniffing around your PC to see what's open. Does ZoneAlarm characterize these attempts as malicious in any way?
Hyattsville, Md.: Hi Rob,
I bought my new PC last August. It came with a three-month free subscription to Norton Antivirus. When it ended in November, I paid for a one-year subscription.
Early this year I opted to install Windows XP on my PC instead of upgrading, and the Norton program was deleted. So now I'm running my PC unprotected. Is there any way I could get back the software, since I just paid for the update version? This might be a dumb question, but I'm wondering if I can get it from the system restoration disc that came with the PC? Thanks, Rob
Rob Pegoraro: The old version of Norton won't run under XP (any major operating-system upgrade almost always breaks anti-virus software and other utilities that have to run inside the system). Symantec ought to offer a free download to remedy the XP situation.
Falls Church, Va.: Hey Rob. A month ago I got a new Dell running XP and jumped to Verizon DSL. Service has been OK with Verizon. Word to those new to Verizon DSL -- the filters they send you have a high failure rate -- if you have static on the line, get more filters before you start looking at more complex issues. I have them daisy-chained all over the house. I had FOUR bad components out of the 8 they sent me. I am sitting here with a new copy of Norton Firewall (still uninstalled) and wonder if the brain trust has any advice for settings before I load it? I have heard it can jam up Web pages if the settings are wrong. I am not protecting national secrets, but think that DSL "always on" is an invitation to some. Verizon says I do not need a firewall because they provide it on their servers -- make any sense?
Rob Pegoraro: Thanks for the update on Verizon's DSL (the "filters" Falls Church is talking about are the little adapters that plug into your phone jacks to allow the voice and data parts of the signal to be split).
Given Verizon's history of, shall we say, limited cluefulness on Internet security issues, I would trust that firewall assertion as far as I could throw one of their servers. I'd load the firewall application and see how things go--if some applications are limping along from an overly restrictive setting, you can always dial things back.
Sterling, Va.: Rob, where can I find a list of file types that are virus-prone and ones that are not? For example, if I'm downloading .pdf files from Kazaa, should I worry that they could be virus-prone, or does the .pdf file type also support viruses? Also, how virus-prone are Morpheus, Kazaa, Audiogalaxy, etc.?
Rob Pegoraro: PDF is short for Portable Document Format, and as such is generally secure. But not always--there was one virus last year that would infect the full Adobe Acrobat program (not the free Reader most people have, but the $300 app that generates PDFs).
I'll post a list of dangerous file-name extensions in a moment... looking one up for you now.
Rob Pegoraro: Here's that list, courtesy of Microsoft (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q235309):
.ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf or .wsh
Washington, D.C.: What can I do to protect my home computer from being invaded? I have a phone connection.
Rob Pegoraro: Using dialup alone makes your PC a much smaller target. You can also do a lot to secure things by shutting down services and closing ports that you don't need--Windows has traditionally left a lot of things active and open (for instance, file and printer sharing over the Internet's TCP/IP protocol) that nobody actually needs. Grc.com has a good tutorial on fixing this, although it is a little tedious to read through the whole site.
For a non-computer security question, I'm considering getting a cell phone for use at school and at home (Williamsburg, Va. and northern Virginia, respectively).
The reviews in the Post last fall weren't entirely conclusive, but Sprint sounds like a good deal; the feedback I've gotten from other students here has been [largely] positive. It seems there's no absolutely right choice -- a lot of performance will be unique to my phone.
Finally, would it make sense to sign up for their month-to-month plan, at $10 more per month, until I know I should sign a contract with them? Does it really matter where I sign up? I know Costco stores have Sprint kiosks.
Rob Pegoraro: The phone won't be what makes the real difference--it's the coverage. Look at Sprint's own coverage around Williamsburg and your area of NoVa, then see if you can get any feedback from users around the 'burg.
It doesn't matter all that much if you sign a contract--sure, you could bail out early by paying the $10 extra, but you'd still be stuck with a useless phone afterwards.
Atlanta, Ga.: I dutifully update my virus-checking program at home and am careful about what attachments I view. However, I am still beset by virus-like attacks when some Web sites open multiple--often dozens of--windows at a time without permission. Internet Explorer dutifully opens them all, sometimes causing a system crash. As far as I know, virus-checking programs don't stop this kind of attack. Shouldn't they treat this computer takeover as a type of virus and be able to stop it?
Washington, D.C.: Is it okay to ask a non-Internet security question? I have a trusty Visor Platinum that I've been using with no problems now. But, the siren call of color PDAs is getting to me...do you have a recommendation for one that will work well between my PC at work and my iMac at home? Should I just look at the Visor Prism or is that technology too out-of-date? Thanks for taking an O/T question.
Rob Pegoraro: Nothing's off-topic here! (Well, within reason; you can ask me about souffle recipes, but my answers will all be lies.)
Don't get the Prism; its screen will wash out mercilessly in the sun. Look at the Sony Clie T615C (pricey, but beautiful high-res color screen) or the Palm m130 (cheapest color, at $280 or so) or the Palm m515. Note that even though Sony says the Clies don't work on Macs, it's BS: I've been able to sync my Clie N610 under both Mac OS 9 and OS X without any problems.
Philadelphia, Pa.: Good afternoon, Rob;
As an Info Security professional, let me tell you what I find to be the worst InfoSec transgression: Sloppy users.
As part of my audits for my large company, I go around to different desks and find the following:
- PCs are not locked (we use Win NT here and can be locked by pressing Ctrl-Alt-Del).
- People actually write down their passwords and try to "hide" them under the desk or behind the monitor. Guess who always finds it?
- People pick LOUSY passwords. I gave a presentation to some 7th graders last week and told them to mix up letters and numbers liberally and don't use words that can be found in a dictionary. For example, someone might LOVE Shaq O'Neal and make his last name their password. Here's how to make it REALLY hard to break:
ONEAL --> 0N3A7
By substituting letters for numbers, it becomes exponentially difficult for a hacker to break... except:
- When people who have no need to use the system call up their victim and say, "I'm from (insert VP's name here)'s office. He has apparently forgotten his password and we need to use yours to file an important case!"
Thanks for the opportunity to let me rant.
Rob Pegoraro: Glad to let you do so!
Alexandria, Va.: PGP is dead. Quoth CNN (via /.), NA dropped support for commercial versions. Comment?
Rob Pegoraro: As a PGP user, I would like to say that what Network Associates has done here stinks. If the company isn't going to market or support the application, release the damn code! Make it open-source, so the GnuPG developers don't have to rewrite everything from scratch.
Somewhere, USA: Basically they list the most popular executable file-format extensions, and other popular extensions. That's amusing.
Re: The firewall question.
Some ISPs have a history of blanket firewalling of users' ports when a prevalent virus is propagating through their network. Code Red, I believe, is an example. IMHO, they usually don't. User agreements generally prohibit running servers, but ISPs let people get away with running them for personal use, so expect no protection from an ISP firewall.
Rob Pegoraro: Good reminder about Code Red--as we wrote at the time, a number of ISPs had to shut down the ports this worm was using to spread, which really inconvenienced many innocent users but, OTOH, was a reasonable thing to do.
Centreville, Va.: Re: Phone connections being less of a target. I got hit with Nimda a couple of times in the past few months using dial-up, probably because I tend to leave the dial-up connection for hours or days at a time (two phone lines). I think it's important to note that it's not so much the type of access as it is the duration that makes one a target.
Rob Pegoraro: Yes. I had in mind the more typical dial-up usage profile, where somebody's only online for a few minutes before closing the connection (or seeing it drop unexpectedly).
McLean, Va.: We recently got a second phone line used only for computer Internet connection, and therefore have no long distance service. Last month my ATT phone bill had $300 of long distance charges (two 30 minute calls) from Papua New Guinea for "adult web site connections." The time of the calls was when no one -- adults nor kids -- were in the house. Of course I'm protesting and refuse to pay. Aside from the fact that nobody in the household could have or did make the calls, it seems like some scammers are using phone charges to run around the fact that no credit card was given. Is this legal? How to protect against this? I had Norton AntiVirus.
Rob Pegoraro: Somebody, somehow, downloaded a Trojan-horse type of program, which switched your outgoing connections to start making these calls to that number. It's an old scam, one that apparently still works. You're going to need to remove this other application, whatever it is, that's dialing the phone in the middle of the night. One way to catch it will be to swap the computer's clock, then unplug the phone line and wait to see what tries to dial out.
I'd like to hear if anybody else here has run across this recently, and if they had any sort of resolution to things.
The first release candidate for Mozilla 1.0 is out, so maybe expect a new and much improved Netscape in the coming months.
Rob Pegoraro: I'm looking forward to trying out this 1.0 release--the prospect of Netscape without all the AOL marketing junk is really appealing to me.
Re: popups: Mozilla and, to a lesser degree, Netscape will let users disable this. Plus it's got a nicer UI than IE. Unfortunately it's too big a download for modem users. I'm not sure, but K-Meleon, the smaller Mozilla-based browser, only might be up to date and feasibly downloaded over a 56k connection.
Rob Pegoraro: Opera (www.operasoftware.com) also lets you restrict pop-up windows, but it's a *lot* smaller to download than Mozilla or Netscape.
Crystal City, Va.: This might sound like a silly question, but do personal firewall programs run in tandem with antivirus programs, or does having one obviate the need for having the other? I've got a cable modem and keep Norton updated on a regular basis -- am I still at risk for being hacked/infiltrated/whatever?
Rob Pegoraro: Unfortunately, the two kinds of programs do different things. Anti-virus utilities keep software on your computer (whether or not you meant to install it) from doing bad things. Firewalls keep other people and programs from sneaking onto your computer in the first place.
Some security developers (for instance, McAfee and Symantec) now offer combo programs that incorporate both applications.
Washington D.C.: Quick PDA follow up: You sync your Clie to your Mac using that "Missing Sync" software?
Rob Pegoraro: Nope, just plain old Palm Desktop 4.0.
Somewhere, USA: wiredog: I run Linux with the built-in firewalling. Also, I have all the ports (except what I need for http and smtp/imap/pop download) closed.
Got the "update your ie" mail. I laughed, and replied "You've got worms".
By the way, KDE 3 is very nice (except that Konqueror, for some reason, has much of the NY Times site in a Greek font) and Mozilla rc1 is very nice.
Rob Pegoraro: Sounds like a properly configured system to me. How tough was it to set up that built-in firewall (ipfw, right?)?
Somewhere, USA: BSD: Now that Mac is (Free?)BSD-based, are people going to start writing virii that will work on my FreeBSD system? I don't want to have to switch back to Irix to browse. BSD for speed, Irix for power!
Rob Pegoraro: Good question. Very good question. I don't think the frequency of Mac viruses will increase with the move to OS X, but it *is* something to consider. OS X is in general not as inviting a home for viruses as Win 98/Me or OS 9--a virus can't run as root and therefore should not be able to trash things in a major way.
The bigger area of worry is, I think, firewalls. Mac OS 9 basically didn't need a firewall, because it never integrated Internet networking to the degree that OS X does. OS X has all these Internet services turned off by default, but there are still vulnerabilities to exploit (which is why Apple released a security update two weeks ago that updated a bunch of these services).
Falls Church, Va.: follow up DSL: Re: Verizon DSL, be sure to specify if you have dual-line phones (I got spoiled when I had a dedicated dial-up line, so I'm keeping it!). There are different filters that must be used for dual-line phones, and the sales staff did not ask me -- just sent the single-line starter kit -- which required another call to get the right flavor (of course some of these were bad ones). Thanks for the firewall info; I will play with it. Tina
Rob Pegoraro: Good reminder, for all Verizon shoppers out there.
re: popup ads: time to change browsers. IE is one of the biggest targets for this foolishness, right behind Outlook Express, neither of which I have on my computer. Check out the new 6.01 version of Opera. It also runs Java, but I haven't had the popup problem.
Rob Pegoraro: I really think that Microsoft would think to offer some limits on the ability of Web sites to hijack its own browser. I hope somebody there is working on such an option--it's one area where IE is really starting to fall behind the competition.
Arlington, Va.: I have an always-on Internet connection with a company called Metronets that wires high-rise buildings, basically with an internal network. The company says their server protects me from the outside, but I am still vulnerable to attacks from other users on the internal part of the network. I have tried using firewalls on my machine, but they bog things down to such a slow state that it makes having high-speed Internet not worth it. McAfee's firewall ended up making my system run such that I could not connect at all to many sites and could only connect very slowly to others, I assume because it was filtering things so much. I then tried a free product I downloaded from a company called Sygate, which basically killed my computer to the point where I couldn't do anything online or off. I had to do a reload of all my software, which was, needless to say, a frustrating experience. What can I do to protect my machine but actually have it be usable? Now I just turn the little box off when I'm not using the Internet.
Rob Pegoraro: First of all--could you e-mail me later on about this? I'd like to quiz you about your experience with MetroNets.
Second: You should still be able to use a firewall in that scenario... it just may require some tweaking to keep things from being overly restrictive. I'd try, for instance, the free version of ZoneAlarm. But you should also get the addresses of whoever's doing this probing and turn them into MetroNets. What your neighbors are doing--or allowing to be done from their computers--is a violation of every terms-of-service agreement that I've ever seen.
Fairfax, Va.: I'm thinking about installing one of those home-network hubs. I've seen some advertised recently that claim to have "built-in firewall protection". Are those really secure, and could I protect a single computer with one of those instead of a resource-hogging software program?
Rob Pegoraro: Yes, there are such things as hardware firewalls. You configure them from your desktop, and then they do the job of inspecting and filtering your network traffic for you.
Somewhere, USA: wiredog: The linux firewall (ipfwadm (or is that the daemon?)) was fairly easy to set up. (I use RH 7.2) In fact, it was easy enough that I've forgotten exactly how I did it. I check the logs weekly and haven't seen anything unexpected there, nor have I gotten mail from any outraged sysadmins, so I guess it works.
KDE3 is pretty and fast although, since I run a 1 GHz system, most anything seems fast. (My first computer was a Vic-20, what was that, 2 MHz or so?)
College Park, Md. again: Hi wiredog.
Recent Linux distros install with a firewall by default, and installation is actually user-friendly...with pretty pictures, and for a while now some even let you play games during installation.
Just do a little hardware research ahead of time.
Rob Pegoraro: Wiredog, you see this?
(What sort of games? I've never heard of such a thing--but it beats having to watch ads.)
Washington, D.C.: What can a Network Administrator do to protect his system from Hackers and Virus attacks?
Rob Pegoraro: My first thought here is "be a good network administrator." I mean that in a non-facetious way; it's the network admin's *job* to make sure that the system is secure. That means making sure that every machine on the network has all the appropriate security patches installed. It means that the computers aren't set up with the front door wide open. It means running a firewall and an up-to-date virus scanner.
What happens if you don't do that? Well, Fairfax County had to take its entire Web site offline after its network got clobbered by Nimda or Code Red last year.
Towson, Md.: How about hardware firewalls? I'm considering broadband, & thinking of using a Linksys with hardware firewall, even though I'm only running one box (Linux), just to have the extra security.
Rob Pegoraro: From what other folks are saying here, you should be fine with just ipfw. I'd tend to agree; using a router with just one computer is a waste of money.
re: Arlington's firewall problem: How much RAM did your computer have when it started to slow down? Firewalls require a bit more RAM to operate efficiently.
Rob Pegoraro: You there, Arlington? Also, what sort of processor does your machine have?
College Park, Md.: Pac-man, tetris..
Rob Pegoraro: Heh. That's a really good idea to make software installs a little less boring.
re: Netscape: don't get too giddy about Netscape being able to knock popups for a loop. Remember, it's still owned by AOL, the king of popup and other unwanted ads.
Rob Pegoraro: Sure--but AOL is still using IE in its own online-service software. (CompuServe 7.0 now uses Netscape's rendering engine... I'll ask our reviewer if the software includes an option to block pop-ups.)
wiredog: Linux install games. Caldera had a Tetris game several years back.
Linux (and open source in general) is much better about the hardware support than it used to be. Haven't found a good driver (that supports hot plugging) for the 1394 card yet (well, not in the 2.4 kernel. The 2.5 supposedly supports hot-plug safely).
A couple of snippets from ZDNet: Apache 2.0 is better than IIS, and John Dvorak (at PC Magazine) got multiple BSoDs in Win XP.
Not that I'm an automatic MS basher. When my Father bought a new system, I told him to get Win XP. It's still a bit easier for the clueless, except that his old (parallel port) Zip Drive bogs it down something fierce.
Rob Pegoraro: Isn't a parallel-port Zip drive's normal state "bogged down"? :)
We throw around a lot of jargon here, so here's what some of the terms Wiredog's talking about mean:
* Apache is an open-source Web server; IIS is Microsoft's Internet Information Services, which is built into Windows 2000 and XP Pro.
* BSOD is short for Blue Screen of Death, which is what Windows rewards you with when it blows up.
Rob Pegoraro: As a reminder, for those of you who might be wondering if your systems are secure: Visit either grc.com or security.norton.com to get a free online checkup.
The first site is run by a (somewhat alarmist) programmer and consultant named Steve Gibson. The site will tell you more than you need to know, but the basic points it makes are solid. Click on the "Shields Up!" link to start the test.
The second is run by Symantec, so don't be surprised when it recommends, no matter what, that you buy a copy of Norton Anti-Virus and Norton Personal Firewall. It's a little more user-friendly than Gibson's site. On the other hand, Gibson's site works with a lot more browsers and also offers useful, step-by-step instructions on securing a typical Windows setup.
Rob Pegoraro: And with that, I will sign off. I'll be here again at my usual time in a couple of weeks, I hope. Thanks!
© Copyright 2002 The Washington Post Company