Security Corner

November 23, 2014  7:04 PM

Does cell phone encryption hinder law enforcement?

Ken Harthun Ken Harthun Profile: Ken Harthun
FBI, Mobile encryption, NSA, privacy, Security

encryptionAccording to The Intercept, if you listen to FBI Director James Comey, you would be led to believe that “…cell-phone encryption could lead law enforcement to a ‘very dark place’ where it ‘misses out’ on crucial evidence to nail criminals.” In his recent speech, Comey sites four cases that he says could have been solved if only they were able to decrypt the criminals’ cell phones. The truth is quite a bit different however, as this piece in The Intercept shows:

In the three cases The Intercept was able to examine, cell-phone evidence had nothing to do with the identification or capture of the culprits, and encryption would not remotely have been a factor.

In the most dramatic case that Comey invoked — the death of a 2-year-old Los Angeles girl — not only was cellphone data a non-issue, but records show the girl’s death could actually have been avoided had government agencies involved in overseeing her and her parents acted on the extensive record they already had before them.

In another case, of a Lousiana sex offender who enticed and then killed a 12-year-old boy, the big break had nothing to do with a phone: The murderer left behind his keys and a trail of muddy footprints, and was stopped nearby after his car ran out of gas.

And in the case of a Sacramento hit-and-run that killed a man and his girlfriend’s four dogs, the driver was arrested in a traffic stop because his car was smashed up, and immediately confessed to involvement in the incident.

As a general rule, I don’t trust government agencies (with the possible exception of the FCC, who seems to do a relatively good job of regulating the various modes of communication), especially the FBI, CIA, DHS and NSA. Comey’ stance disturbs me, but I shouldn’t be surprised; most non-technical types — Comey being one of them — are clueless when it comes to technology. Then again, I’m sure he’s an intelligent fellow and realizes that he’s up against a lot of evidence that encryption makes us safer. He’s trying to spin any case he can find, however feeble the connection with encryption, to show that having backdoors into encryption software is essential to the solving of crimes. But it’s just not true.

Bruce Schneier has this to say: “All the FBI talk about “going dark” and losing the ability to solve crimes is absolute bullshit. There is absolutely no evidence, either statistically or even anecdotally, that criminals are going free because of encryption.”

Follow me on Twitter.

November 23, 2014  12:06 AM

Solution: Hacking Skills Challenge – Realistic 1

Ken Harthun Ken Harthun Profile: Ken Harthun
cybersecurity, Hacking, Security

In this post, you were given a challenge to hack a band review site and move your friend’s band, Raging Inferno to the top of the list. Did you figure it out? No? Well, here’s how it’s done.

Follow me on Twitter.

November 21, 2014  5:07 PM

Making Hard (drive) Decisions – Data Security and Storage

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
cloud, Data, IT, Security, Storage

My photos are important to me. We’ve covered that in past columns here on ITKE and I’ll probably talk about it again in the future. To keep these images safe, I’ve employed a set of steps that are logical, unobtrusive and practical. But they’re driving me mad.

Screen Shot 2014-11-21 at 12.05.19 PM

When data storage costs – and let’s be clear that photos and videos are just data, though large chunks of data – are dropping faster than the the temperatures outside, why does it require a Ph.D. to figure out the best solution for storing information.

In fact, why do most people revisit their data storage and security strategy at least quarterly to ensure recoverability, access and affordability? To me, it’s the biggest riddle technologists face. So, let’s dig a little deeper as I share my perspective.

Screen Shot 2014-11-21 at 12.05.09 PM

1 – Pick a plan and stick to it. Technology is changing and online/cloud storage solutions are myriad. But with change comes uncertainty, so don’t change your decisions with the seasons. Pick a strategy for backing up and securing your data and stick with it for a while. Most cloud contracts are a year or so anyhow, so why not look at an 18-24-month review period. If you start to become disenchanted with a provider, then you’ll have ample time to research and move your data to a new location.

This also comes into play if you’re still backing up your information physically. Drive prices are spiraling ever downward. Get a SATA or other RAID solution that works for you and up the size of the drives you use with your servers. Right now a small office can do quite well by getting four or eight 2TB or 4TB drives. If you outgrow this solution, it probably won’t be for at least two years. When that time comes, reevaluate cloud and other physical solutions.

2 – Be dedicated to security. This column is focused on security, so I’d be negligent if I didn’t emphasize how well you should lock down your accounts. So, do it! Change passwords regularly. Use password generators to assist you in creating secure access. Keep your sites locked and make sure browsers don’t auto log you in. Shut down all office machines at night so they’re off the network and disconnected from the Web.

Screen Shot 2014-11-21 at 12.04.58 PM

When it comes to physical devices, rotate – rotate – rotate. Have at least three drives for one set of data. As I type this, I’m waiting for FedEx or UPS to deliver a 2TB drive so I’ll have the recommended three-pronged data storage approach. I currently rotate two drives with photos on them and three drives that back up my complete office system. I keep one drive at a safe-deposit box and the others are secure locations at my home and my office. I plan to expand this approach by carrying a drive with me so I’ll always have a backup available if disaster were to strike.

3 – Relax. I may have served up some great paranoia ingredients here, but once you’ve done all you can to secure your stuff, focus on other stuff. Go take great photos. Go do great work. Go serve your clients. With a comprehensive and secure data backup system in place, you can concentrate on running your business. Treat your data as one more component to your enterprise. If you’re convinced it’s secure, then go make money and revisit your strategy every so often.

It’s akin to any other business strategy you have in place. Pick the right solution and then move on to the actions that make you successful.

How do you secure your data? How much do you worry about data security after you’ve picked a solution?

Talk to you next week!

November 10, 2014  4:09 PM

Your Online Self and Your Real Identity – Security Strategy 101

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, Internet, IT, Security, Web

Can people find you?

I’m still listed in many online repositories with a beeper number I had in college. Yes, I had a beeper in college because I couldn’t afford a cell phone and I was a bike messenger. But both those intriguing tidbits are better saved for another column. Today, I want to discuss clearing your personal cache as you move through life.


Unless you live with your parents and have them take messages for you on the land line, you’ve probably got some semblance of a digital footprint. With that footprint comes trackability, the danger of breaches, loss of privacy, and even the possibility of identity theft. It’s the world we live in and things aren’t likely to change.

The one thing that can change is how you operate within these parameters. That’s dictated by how much info you share online, what you share with companies, if you use credit cards and generally how relaxed you are about your data.

Lots of people realize that cleaning up your credit and your digital footprint can be time-consuming and labor-intensive. In some arenas it can even cost a bit of cash. Let’s look at digital triage from another angle. If all the info about you online is accurate – then it’s probably pretty easy for anyone to misrepresent themselves as you. Follow me?


If your online self lists your address, current phone numbers, email addresses, names of your lovers and children, and even the types of pets you own…then you’re in a sticky situation. That’s a bucket of info that anyone can use to spoof people and breach your defenses. Even steal your identity. Where it becomes more difficult is if you leave your path alone and don’t clean up after yourself.

This might be counter to what your parents suggested during your formative years, but if you leave your digital path littered with misinformation and red herrings, then you’ll easily be able to identify when people are trying to phish you, scam you, steal your data and generally make themselves a thorn in your side.

Using my life as an example, there are multiple sites that still list me as working at a job I left a decade ago. There are people-finder services that have that old beeper number as my phone number. There are even credit services that have my college major as something different from my eventual degree. Better than thinking up crazy answers to two-step authentication quizzes, I can just use some of my real info that can’t be found anywhere online.

We’ve heard about celebrities who have had their online accounts hacked and photos stolen (see my column from a few weeks ago). You think that was because the actresses were so skilled at keeping their info private? Hardly. They were bad at choosing passwords, they used common-knowledge facts that any fan might know, and they didn’t employ basic security techniques.

Is there something about you online that is blatantly incorrect? As long as it’s not hurting your chances for advancement at work or is damaging your reputation, let it be. Maybe the ‘fact’ you still work at an ice cream truck in the summer will come in handy the next time a Nigerian relative calls to ask if you’d like to adopt them and share in their inheritance.

What little facts are wrong about you online, and how anxious or angry does it make you? Is it worth the hassle to correct that stuff and possibly open yourself up to an attack on your privacy?

Let me know in the comments. I love sharing these deep discussion topics on a Monday. Look for something less brain-wrenching later this week. Maybe even a video interview with a security pro. Until then, be safe!

November 10, 2014  2:03 PM

The Home Depot stolen emails are already spawning scams

Ken Harthun Ken Harthun Profile: Ken Harthun
Inheritance, Scam emails, Security

And so it begins.

Here’s a link to a WCNC (Charlotte, NC) news story about how scammers are using the emails from the Home Depot breach in an inheritance scam:

The scammers send an email mentioning that you have money coming from a deceased relative. If you fall for it and call them as they ask, they’ll exchange information back and forth with you to build your confidence. At some point, they want you to give them your bank account information over the phone so they can send you the money, less their fee for helping you. Once they have your information, of course, they will drain your bank account.

NEVER give anyone your bank account information over the phone. If you have been a victim of this scam and have given them the information, immediately call your bank and report it. Then, set up fraud alerts and credit monitoring on all your credit cards.

According to the Better Business Bureau, this scam is going on nationwide, not just in Charlotte, NC.

If you get such an email, immediately report it to your State Attorney General Consumer Protection Division. Please do not fall for it!

November 10, 2014  12:45 AM

Home Depot announces 53 million email addresses stolen

Ken Harthun Ken Harthun Profile: Ken Harthun

According to CNET: “An investigation of what may be the world’s largest credit card breach reveals hackers didn’t just grab 56 million credit card numbers — they stole tens of millions of email addresses, too.”

Both my wife’s and mine are among them. My wife got this email on Friday and I got it yesterday:

Notice to our customers from The Home Depot

Dear Valued Customer,

The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.

In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.

Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.


The Home Depot

November 8, 2014  11:29 PM

Security is more attitude than technology

Ken Harthun Ken Harthun Profile: Ken Harthun

There is certainly a lot of technology associated with security. We have firewalls, anti-virus, malware blockers, intrusion detection/prevention systems, security badge access systems, alarm systems, and you-name-it. And most of that is adequate most of the time. But the wrong attitude about security measures can defeat their effectiveness in one beat of a hummingbird’s wings. For example, consider these attitudes:

  • I use the same password for all my accounts.
  • I don’t have anything a hacker wants. They won’t hack me.
  • I don’t need any antivirus protection; I don’t do unsafe things.
  • I keep all my passwords under my keyboard in case I forget.
  • Oh, Macs don’t get viruses like Windows does.

It always amazes me that people have such a cavalier attitude about such things. These are some of the very reasons why the internet is rife with malware–malware that often works and serves its purpose.

In just the past month alone, I have had to deal with instances of CryptoWall (I successfully defeated it), an instance where “Microsoft Tech Support” accessed a client’s PC (and deleted all of his documents when he refused to pay),  and various and sundry password-stealers, keyloggers, and browser hijackers. In only one case was the person an unwitting victim of an undetected malicious ad on a legitimate site. In all other cases, the person either didn’t have anti-virus protection or clicked on a popup that said they were infected.

My point? We in IT Security are fighting attitude more than anything else. We can put all the technology we want in place and it will never be enough.

Nice to know we have that kind of job security.



October 31, 2014  7:52 PM

Security Need Not Be Scary – Happy Halloween!

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, IT, Security

We all have habits when it comes to accessing and sharing our data. And some of these habits have scary consequences…which is especially poignant as we wait for little creatures to come asking to get treats or tricks at our door this Halloween night.

Screen Shot 2014-10-31 at 3.50.50 PM

We’ve all done it. You fill out an online form and share information – or place an order and hit send. And then you realize the information you shared was probably too intimate or detailed to be sent unencrypted over public wifi or to that certain retailer.

With some luck, nothing bad happened when you did that, but it served to reinforce bad behavior that will at some point bite you in the butt. Ultimately, until we all embrace more secure behaviors, nobody and no data is really going to be safe.

It was just this topic – in a related realm – that three of us debated this week on the #ITKESecurity Chat. We were talking about passwords and the common man (or woman). To that end, we pretty much agreed that we are not going to be able to change human nature and no matter how powerful or innovative an IT department is, they won’t be able to affect employees’ methods regarding passwords.

With an ultimate goal of keeping machines, facilities and data secure, IT has a whopper of a job to do. They need to provision users, allow data to flow freely to workstations and devices inside and outside an organization’s walls, and then promise the folks at the C-level that everything is compliant, safe and efficient. It’s a lose-lose proposition.

It can be over in an instant. Like the moment Mary in Accounting leaves a password on a sticky note under her keyboard; or when Jack in Sales uses speakerphone at the airport to help his admin log into his desk computer; or as Pat in Marketing logs into company files over the open Wifi in a hotel lobby.

What’s a smart IT department and progressive company to do? I don’t have all the answers, but the one I always give is to use common sense and think like a criminal. It’s not that devious and it will keep you on your toes…really.

Screen Shot 2014-10-31 at 3.46.44 PM

In the same way you might evaluate your home or car if you’re trying to avoid thieves (walk around the house and look for ladders, open windows, basement door access and easy entry), use the same process with your office assets. See if you can log in to other accounts using simple passwords. See if people are actually writing passwords down and leaving them on LCD monitors or in unlocked drawers of their desks. And see how deep you can get into proprietary materials via the company’s public-facing Websites.

All this will help you tighten down access at your firm. In fact, once you do a little audit exercise like this, it will probably help you secure your personal info too. You might eve start using longer, character-variable passwords and setting up two-step authentication for your various online accounts.

The world isn’t such a bad place, there are just a few bad people out there. So, with Halloween at our doorstep, keep the evil at bay and make your data a little more secure. Let’s chat next week!

October 23, 2014  2:34 PM

Protecting Your Data in Any Storm

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, IT, Security

Luckily we still have power as I write today’s column. The winds have been gusting to about 55MPH and the rain is lashing the windows of my office. In some ways, it’s akin to being at sea without the added fear that we might capsize. Regardless, the power and Internet are still up and I’m typing as fast as I can because I need to share my thoughts on storm damage as it relates to data.

Screen Shot 2014-10-23 at 10.31.55 AM

Not specifically what happens to data in a physical, rain, wind and destruction event. But what happens when your data is constantly at risk and possibly under attack from all the evil elements. I want to talk about keeping your data secure and I’m using weather as an analogy.

Therefore, what’s the first thing you do in a storm?

On a ship, you batten down the hatches. In an IT and data environment you either silo, sandbox or lock off your data from prying sources. To do this, you need to be adept at provisioning and recognizing possible threats. It’s easy to see the radar for rain, it takes a bit more perspective to identify hackers and other dangers. So, always keep your data hatches battened down and you won’t have to worry as much.

At home, you have extra supplies to ensure you can survive in a storm. In your office, you should have backups, protocols and other similar ‘supplies’ that will help you survive and relaunch in case of a data breach or other event. Having those resources in place NOW will make it much easier if (or when) your organization is targeted.

Finally, have an escape plan and a ‘go’ bag. Like all well-trained spies or any family that lives in the path of frequent bad weather, everyone should have a duffel bag packed with essentials and a plan for evacuating the home. Businesses don’t need to evacuate, but they do need a plan for any disaster…especially those that involve IP and customer data. First step is to establish a hierarchy for emergencies, then protocols, then a schedule where you practice these things.

Screen Shot 2014-10-23 at 10.32.57 AM

Ultimately, data protection is a constant battle. We’re all under siege and have to have the right plan in place to protect us from the next storm. Even if that storm is a bunch of hackers or even a piece of software that crashes our systems.

Do you have your data protected? How?

October 16, 2014  12:28 PM

Password Mindsets and Landmines

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Authentication, computer, Data breach, Hackers, Security

The history of the password takes a few paths…none of which really makes sense if you’re focused on usability. But let’s jump in…

Once upon a time it was enough to be able to remember your first pet’s name and use that as your password for everything. Who would be able to crack the cryptic protection of the word ‘spot’ or the even longer and more secure ‘mittens’? Your online banking, MySpace account and Yahoo Fantasy Football team was perfectly safe. Then it fell apart.

Screen Shot 2014-10-16 at 8.26.36 AM

Hackers breached a few online sites, blogs suddenly required more characters and variations to sign on, and email servers went over the top asking you to use special symbols, numbers and capitalization to make your password safe. As security increased, difficulty and barriers to use appeared. No longer was it enough to remember a keyword, people had to start writing stuff down.

That was the turning point. While IT folks and security pros realized the need for stronger encryption and data protection, users were the ones actually using their workstations. In the quest for continued productivity, passwords were a speed-bump so people started to ignore them. This made IT wring their collective hands and implement password requirements.

Not quite the immovable object and unstoppable force, users and tech support were at odds. As a side note, I think this is what has caused employees to perpetually treat IT folks with disdain. If tech support didn’t have all the power, users might act with more acceptance to their suggestions. But onward…

Passwords had to be long and complicated. Users needed fast access to their stuff to do their job. Passwords were then written down on sticky notes or computers were left on and users stayed logged in. Not a great way to keep stuff safe.

While it’s a running joke that the best way to crack a password at any large company is to flip over the keyboard and read the sticky note, it’s based in reality. And it’s not going to change until education and/or process goes through a wholesale change.

Maybe I wrote this today as a wake-up call. Maybe I wrote this to remind myself to choose better passwords for my stuff. And maybe I penned this column to let you know the discussion surrounding passwords isn’t going to end soon. In fact, Oct. 22 on Twitter, a few of us are participating in an online discussion about the power and/or futility of today’s password process.

Join me online to support, dispute or solve any of the password thoughts I’ve shared above. Maybe you can help make all of us more secure. I hope so.

See you next week! Watch this blog for details on the upcoming Twitter chat!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: