Security Corner

October 7, 2015  2:14 PM

Video: The TSA makes us more secure, right? Wrong!

Ken Harthun Ken Harthun Profile: Ken Harthun
humor, Security, security awareness, Security scan, Security threats, Video

I like this guy. His special guest is one of my favorite security researchers, too. Enjoy!

September 30, 2015  9:10 PM

There’s no place like

Ken Harthun Ken Harthun Profile: Ken Harthun

During a recent rash of malware infections on students’ laptops, most of which were probably drive-bys or served by frames in otherwise innocuous pages, I remembered a solution that had once served me well: A HOSTS file. As you know, a HOSTS file is a text file on your computer that is used to map host names to IP addresses, but did you know that this was the precursor to DNS? Back in the ARPANET days, this file was manually updated as new hosts came on line or their addresses changed. The file was shared with the members of the network so they could all communicate. DNS made sharing and updating host addresses automatic and relegated the HOSTS file to use mostly on local networks.

While the file isn’t broadly used on most networks these days, it remains an integral part of the networking stack on all operating systems. It is the first thing that is checked prior to routing traffic and usually takes precedence over DNS. This makes it very useful for blocking access to unwanted web sites or servers. All you have to do is make an entry in HOSTS.TXT that points the web site or server address to the local machine address, The good folks over at for years have been maintaining a hosts file that does just that. It contains thousands of malicious, useless, or unwanted websites.

I’m going to try using this again on some student laptops and see if it helps. I’ll let you know. In the meantime, you can read all about it and download the file for yourself here.



September 30, 2015  7:14 PM

Password guidance from Britain’s CPNI

Ken Harthun Ken Harthun Profile: Ken Harthun
Password management, Password policies, Passwords, Security

Britain’s Centre for the Protection of National Infrastructure (CPNI), which works with General Communications Headquarters (GCHQ), recently issued a publication “Password Guidance – Simplifying Your Approach.” I found the 13-page PDF document interesting because it provides guidance on simplifying things at a system level rather than asking users to remember complicated passwords. It also says that regular password changing as a policy is not a good thing:

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

But how do you prevent users from using common passwords? Simple: Blacklist the most common passwords (I’ll be writing about this later). I would include code to check to see if user name or company name or other common strategies are used and refuse to accept them.

I won’t elaborate further; you can read the document and glean from it what you will. However, here is the list of tips. A couple of them offer a different view. It’s definitely worth your time to download and read this whole thing.

  • Change all default passwords
  • Help users cope with password overload
  • Understand the limitations of user-generated passwords
  • Understand the limitations of machine-generated passwords
  • Prioritise administrator and remote user accounts
  • Use account lockout and protective monitoring
  • Don’t store passwords as plain text

And finally, here is a very nifty infographic: Password guidance – infographic

September 29, 2015  3:41 PM

Passwords today: How long and how complex is enough?

Ken Harthun Ken Harthun Profile: Ken Harthun
Data breach, High performance computing, Passwords, Security

In these days of of high profile data breaches, it behooves us to take another look (or two) at passwords.  Computing power has increased at phenomenal rates over the years making it (relatively) straightforward to defeat short and simple passwords with common, freely available hacking tools. If you want to explore the exponential increase in computing power further, this Wikipedia article on Moore’s Law is quite enlightening. Here’s an interesting comparison:

[Illustration] An Osborne Executive portable computer, from 1982, with a Zilog Z80 4 MHz CPU, and a 2007 AppleiPhone with a 412 MHz ARM11 CPU; the Executive weighs 100 times as much, has nearly 500 times the volume, costs approximately 10 times as much (adjusted for inflation), and has about 1/100th the clock frequency of the smartphone.

In March, 2014, I posted “Oh no! Not another password post!” In that post, I recommended 12 characters for a minimum length and said that 15 characters is even better.  I still stand by those numbers at this date; however, I did not address password complexity in that post. Length means nothing if the password is either one that is commonly used–such as those on this list–or is a dictionary word or common phrase. “LetMeIn” and “antidisestablishmentarianism” are equally useless. Even “TippecanoeandTylerToo,” though seemingly complex, would be easily cracked as it’s a common phrase from American history.

Complexity connotes intricacy: The more intricate the pattern of a maze, for instance, the more complex its solution. Intricacy connotes quantity: The more parts the there are to a machine, the more intricate its design. Therefore, we make passwords more complex by using more parts in their creation. This is simply illustrated by comparison. “Password” is eight characters long and uses only letters; “P12@#or9″ is also eight characters long but uses letters, numerals and special characters. The latter is the more complex.

So, how long is long enough; how complex is complex enough? A password that is 12 to 15 characters long, is not a common word or phrase, is a mixture of upper and lower case letters, uses special characters and some numerals, should be good for most situations.

Next up: Password advice from Great Britain’s GCHQ.

September 18, 2015  7:37 PM

Ransomware on the rise

Ken Harthun Ken Harthun Profile: Ken Harthun
Cybercrime, cybercriminals, malware, Ransomware, Security

cryptolockerAccording to the FBI, ransomware is on the rise:

Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals.

While it used to be that only desktops and laptops were affected, now mobile phones are being targeted. According to Wired, last week news broke about “The so-called Porn Droid app that targets Android users and allows attackers to lock the phone and change its PIN number while demanding a $500 ransom from victims to regain access.” Read the article here.

It’s a very lucrative business. Last year victims paid an estimated $27 million to the crooks according to the FBI.

The best protection against becoming a victim of ransomware is to have a good antivirus and keep it updated along with making regular backups of your data that are stored on an offline device.


August 31, 2015  11:59 PM

Top five security faux pas redux

Ken Harthun Ken Harthun Profile: Ken Harthun

An interesting conversation with our interim campus president at the college today brought back to mind a post from more than five years ago. A server crash this morning made her wonder if a former network administrator, who did not leave on good terms, still somehow had a hand in the incident. Apparently, this fellow had succeeded in planting a logic bomb in the network timed to go off on the date of each new term start. Today was a new term start; today the server crashed. Our president’s logic said that “[name withheld] was up to his old tricks.” It wasn’t that, fortunately. The power supply died.

What was revealing about that conversation is that management at the time failed to consider an internal threat. No doubt the other faux pas were also committed. I saw evidence of them when I first took on the role of network administrator and have since corrected things. So, here’s a reminder of how NOT to do things.

Here are my Top Five Security Faux Pas beginning with number five:

  • 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
  • 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
  • 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?
  • 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
  • 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…

Not to sing my own praises, but to sing my own praises, they picked the right guy when they picked me; there have been no major security incidents since I took over.

August 31, 2015  2:21 AM

Privacy is your responsibility, too

Ken Harthun Ken Harthun Profile: Ken Harthun
personal data, Privacy Protection, Privacy rights, private data

It seems these days that everywhere you look, there is a privacy disclosure statement. You get them from your bank, your credit card companies, lenders, and just about everyone who asks for any non-public personal information (NPI). Have you ever read one of those things? You should. You have a right to know what information is being kept and how it is used. Here is one such clause:

You have the right to know what NPI we have about you, to have access to it and to receive a copy upon request, where required by law. If you have questions about what we may have on file, please write to us. Give us your name and address, date of birth, [other information] and the type of NPI you want to receive. Some types of NPI obtained when [actions are taken] or defending lawsuits need not be shared with you.

The firm or group who has NPI about you may not have obtained all of it directly from you, so unless you ask for it, you don’t know exactly what they have. It is entirely possible that some NPI is incorrect and you will never know unless you request it. You have the right to request erroneous information be corrected.

You may contact [company] if you believe your file should be corrected, amended, or deleted. We will review your request, and within thirty (30) business days, we will make the requested change or provide an explanation of our refusal to do so. If we do not make the change, you may send a statement for insertion in your file, setting forth what you believe to be the correct NPI and explaining why you believe the NPI in our file to be incorrect. If you ask us to, we will notify persons to whom we have shared NPI of the change or your statement. With any subsequent sharing of NPI, we will include a copy of your statement.

You see, you have to ask. Any firm is going to do only what they are bound by law to do and no more. That’s their responsibility. Your responsibility is to be alert and informed and to take action if you are concerned. It’s not up to someone else.

It’s up to you.

August 30, 2015  1:07 AM

Video: Lighten up! Password humor

Ken Harthun Ken Harthun Profile: Ken Harthun
humor, Passwords, Security, Video

I simply have to try this someday. It’s hilarious! No better therapy for the IT Blues than a good laugh.

August 30, 2015  12:36 AM

Infected PC? Refresh or restore

Ken Harthun Ken Harthun Profile: Ken Harthun
malware, Restore, Security, system recovery

The more things change, the more they stay the same. I’m still seeing PCs with serious malware infections that defy any and all attempts to clean them up. I used to persevere and eventually succeed in killing whatever beasties were inhabiting the dark recesses of the system. Just last week, I fought one for two hours before finally doing a factory reset.The trouble is, now as then the things keep coming back and if I didn’t take drastic action, I’d be facing another hours long battle. Once a machine is infected you can never trust that machine again unless you refresh or restore it to factory configuration.

Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware (as in 2015) is even more tenacious and stealthy that it was 7 years ago when I first wrote about this. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Windows 8 gave you an easy way to preserve user files while restoring the factory image and it’s still going strong in Windows 10. I’m not totally convinced that this is the best way to go, but so far I haven’t seen too many “repeat customers” after doing it.


July 31, 2015  6:10 PM

What can we expect from Windows 10 security?

Ken Harthun Ken Harthun Profile: Ken Harthun


Maybe the question should be: When can we expect to see the first Windows 10 security vulnerability? The follow-up question is: What will it be?

With the recent release of Windows 10 on July 29, 2015, we are faced with a new operating system that is bound to have some security issues. It’s impossible to predict what and when but let me point out that Microsoft has introduced some new security features (Device Guard, Windows Hello, Passport, to name three of them, all of which are covered elsewhere). Any new feature means that it has been subjected to limited testing and we can’t have complete confidence in it until the millions of true beta testers–the user base–have put it through its paces.

Having said that, I do have the feeling that Windows 10 security will be far better than in all previous versions. Still, you have to realize that security is, and probably always will be, a cat-and-mouse game. We can keep building better mousetraps, but as long as the cyber-criminals continue to realize huge profits, they will continue to build better mice (or bring humans–the one irreparable vulnerability–into the colony).

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: