Security Corner


February 6, 2013  5:11 PM

Beware tax agency phishing scams



Posted by: Ken Harthun
Online Scams, Security, spam, Tax scam, taxes

It’s that time of the year again: Tax filing season in the U.S. And that means the cybercriminals will be spamming out their tax letter scams. Here’s one example of such an email as reported by Sophos:

Subject: FW: 2010 and 2011 Tax Documents; Accountant's Letter

Message body:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2010 and 2011, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.

Attached to it is a ZIP file, whose filename will vary depending on the recipient. For instance, if the email is sent to chris@example.com, the zip file will be called chris.zip.

Inside the ZIP file, is an executable file: “Individual Income Tax Returns.exe”

The executable file is a Trojan horse backdoor that will allow hackers to take over your computer for their own nefarious purposes.

Keep in mind that this is only one example and there are usually many variations out there. There is one thing you can be certain of: They are all designed to steal your money and/or your identity.

January 31, 2013  2:31 AM

Physical security: Implementing a card access system



Posted by: Ken Harthun
Security, Security best practice, Security management

At the college where I work, we just implemented a card access system. All staff, students and faculty are required to have badges that have inductive proximity devices attached to them. I opted for the self-adhesive tags shown here because I didn’t want to have to create 300 new photo badges. It was much simpler to have everyone file into my office and get the tag attached to their existing badge. The project took six weeks in planning including notifications to staff and students and a two-week grace period after installation of the scanners.

I was concerned that we would have major issues when I flipped the switch on January 28th. You just never know how these things will play out. I was pleasantly surprised, however. We had a few stragglers who didn’t get their chips and a few people who, for whatever reason never got an ID badge, but the process I put in place worked well and the system is now operational.

If you plan such a security system, here are a few things to consider:

  • Depending on the size of your organization, begin to notify your staff and/or students four to six weeks in advance of implementation
  • Send at least three notices of the impending lock down
  • Give yourself a sufficient window to make sure all card IDs are entered into the security software database.
  • During the pre-launch phase, explain the process to everyone and make it clear who to contact if there are problems.
  • Expect Murphy’s Law to manifest itself

I was pleasantly surprised how well our implementation went. Our receptionists handled missing chips and badges extremely well and though we experienced an increased workload in our department, there were no major upsets.

The most interesting problem we experienced was with a student who could not gain access even though he had a valid chip on his badge. The system kept saying “Invalid/unknown security ID.” When I investigated, I found an ID number that was not in our series of chips. I suspected a typo, but found that the student had an access card to his apartment complex that was the same type used by our system. He had all of his cards on the same lanyard and when he held up his student ID, his apartment complex ID was being read by our system instead.

Security is fun, isn’t it?


January 31, 2013  1:26 AM

Video: How to explain phishing to your Grandma



Posted by: Ken Harthun
Malware, Secure Computing, Security

Catchy title, but the video really doesn’t explain. The Sophos Threatsaurus, however, does a wonderful job of explaining all kinds of malware to everyone. I have a copy and keep it handy on my desk. I suggest you do, too. It’s still a catchy video, especially for those who love British humour.


January 30, 2013  12:39 AM

All your secret are belong to us



Posted by: Ken Harthun
Password, Security, Security best practice

The eight-character password is dead. All possible combinations of 8 character Windows passwords can now be broken in six hours using some sophisticated, but readily available hardware. A paper from the Oslo password hacking conference gives details of how researcher Jeremi Gosney lashed together 25 AMD Radeon Graphics Processing Units (GPUs) into a specialized computing cluster and used it against NTLM password hashes. You’ll need twenty rack units of space in a server room and an industrial-style power supply delivering 7kW. It’ll cost you about $20,000 to build.

As you probably already know, “NTLM relies on one of the easiest-to-crack hashing systems still in widespread use: a straight, unsalted, uniterated MD4 hash of your password,” according to this Sophos Naked Security post.

Not that any savvy administrator permits NTLM hashes anymore, but 8 characters is simply not enough password length for these times. My shortest password used for critical systems is 10 characters and I’m going to be increasing that to at least 14 in short order.

I recommend you do the same.


January 20, 2013  5:08 PM

Simple password tip to create unguessable passwords



Posted by: Ken Harthun
Password, Secure Computing, Security, Security best practice

Remember the Worst Passwords of 2012? Besides the advice I gave in my post about what you can do about that, here’s another tip: Use accented special language characters. This article: http://www.forlang.wsu.edu/help/keyboards.asp#unicode gives you plenty of choices. Let’s do my name in several variations (I don’t use these as passwords anywhere, in case you are wondering):

kenharthun
kénhårthun
KëÑharthuñ

Because of the key sequence necessary to enter these characters, no one is going to discover them. There is a caveat, however: The program or site may not allow these characters. I suggest you test it in depth.

This is also a password cloaking method if you are one of those people who write passwords in a book and keep it on your desk. Let’s say your password is I@mgreat. You could write that down with the sequence I064mgr101065t.

It’s not likely anyone is going to figure that out.


January 19, 2013  4:17 PM

Who really needs anti-virus software?



Posted by: Ken Harthun
Anti-malware, Anti-virus, Security, Security best practice

Every list of best security practices contains an admonition to run anti-virus and/or anti-malware software. I have certainly been one to push such things over the years and have tested and recommended most of the popular contenders. But I got tired of the performance problems, the updates, the scans, the false positives and the generally intrusive nature of the stuff and opted to “run naked,” relying upon safe computing practices instead of a software overlord. I have no regrets and in four years have not had a single malware infection of any kind. I think that proves my point.

Can the average person get away with this? Probably not. But if one really understands the landscape of the internet and adheres to a few basic, common-sense security practices, chances are they’ll be safe. Here’s the configuration of my home system:

  • Windows XP, Service Pack 3 with Windows firewall enabled.
  • Linksys broadband wireless router with firewall features enabled and remote administration disabled.
  • WPA2 Personal with strong pass phrase for wireless access
  • Third-party spam filter on main email account (MailRoute.net)

Best practices I adhere to:

  • I do not click on any links in email, social media posts, etc. unless I examine exactly where it it taking me.
  • I do not download illegal copies of movies, music, books or anything else from torrents or P2P sites of any kind.
  • I test freeware apps in a sandbox before I allow them on my system.
  • I use super-strong passwords and manage them with LastPass.
  • I do not visit sites known to be harbors for malware.
  • When surfing in unknown territory, I disable all scripting.
  • My browser security settings are set to ask me before running any plugins.
  • I don’t use Adobe Reader, Flash must ask and Java is disabled.

What about you? Do you use AV software? What are your best practices. Hit the comments.


January 15, 2013  1:14 AM

Renegade executives can wreck security



Posted by: Ken Harthun
Secure Computing, Security, Security best practice, Security management

There is probably nothing more frustrating to an IT professional than having the security of his network compromised by a renegade executive who refuses to consult IT before ordering the installation of untested applications. Case in point: A recent help desk ticket read, “[Executive] told me to install Dropbox on my system, but I need administrative rights on my machine to do it.” WHAT? Where did that come from? No one mentioned this to IT, particularly the exec in question. Dropbox is blocked on our networks.

The weirdest part about this whole thing is that we have SharePoint 2010 and we are running Live@Edu (soon to migrate to Office 365) that has 25GB of storage. Why would anyone want to use an insecure service that provides only 2GB of storage in the free version? I asked that question. Answer: Preference. Huh?

Needless to say, I responded rather strongly:

The real issue here is that IT was not consulted before someone decided to start using an application that had not been vetted for both security and performance. There could be a workable process (pre-egress encryption using a proven encryption algorithm) formulated, but this should be driven by IT, i.e., those of us who know and understand the potential risks and benefits.
 
The Net Admins are responsible for the reliability, performance and security of our networks and the data flowing on them. I take this responsibility seriously and I’m sure my fellow Net Admins and assistants do as well. To ask me to put my network and data – and thereby my job – at risk because of some preference is just not acceptable to me.

What is your opinion? Hit the comments and let me know.


December 31, 2012  11:50 PM

Be careful out there tonight



Posted by: Ken Harthun
Security

This is a repeat of another post I made, but it bears repetition. New Years Eve is one of the most dangerous nights of the year. Be careful out there tonight.

I know I don’t have to tell you, but if you drink, don’t drive, especially tonight. There are going to be plenty of revelers out there who don’t heed such advice. If you don’t have to go out, don’t. If you want to party hearty, do like my wife and I do every year and stay home, maybe with a few friends or family members who can spend the night.

That said, if you do plan to go out and party, leave your wallet or purse at home. Carry only your ID (driver’s license) and sufficient cash to get you through the night. Keep everything in your front pockets and rather than a large wad of bills, break it up into a couple of smaller batches. Drinking sensibly will keep you from doing something completely stupid. Better option is to carry cash for a cab ride home (or at least a tip–many cab companies will offer free cab rides tonight) and pay your bar tab with a credit card. You could lose all your cash; a credit card is replaceable.

Have fun. Celebrate. But be safe, okay?


December 31, 2012  11:45 PM

Happy New Year!



Posted by: Ken Harthun
Security

New Year Resolutions Graphic

What are your New Year resolutions for 2013. Here are a couple of mine related to security:

  • Clean up my passwords and get a higher score on LastPass security assessment.
  • Continue to educate users on strong password creation and management.

Have a safe, prosperous and Happy New Year!


December 31, 2012  11:40 PM

Ten New Year security resolutions



Posted by: Ken Harthun
Encryption, Password, Secure Computing, Security, Security best practice, Security management

We all do it at this time of the year: We make resolutions to do things better in the New Year. And why not? It’s a great thing to do, starting with fresh goals and a resolve to do better. Here are some ideas for you choose from with a security twist:

  • I will change my critical passwords.
  • I will finally start using a password manager (such as LastPass or KeePass).
  • I will adopt an algorithm for generating strong passwords (at least 12 characters).
  • I will use two-factor authentication where it is available (YubiKey and Google Authenticator come to mind).
  • I will use encryption for all sensitive personal files on my digital devices, including thumb drives, laptops, smart phones, etc. (Rohos Mini-drive, AxCrypt, TrueCrypt, Wickr).
  • I will establish a regular backup routine for all my devices that uses two different media and at least on copy off-site.
  • I will encrypt my backup.
  • I will become aware of physical security and make sure that my digital devices are always either in my possession or safely stowed.
  • I will not blindly click on links in email, nor will I respond in any way to pop-ups or messages I am not sure about without checking them out first.
  • I will not open any attachment in any email from anyone unless I am expecting it or absolutely sure of what it contains.

There is new or Earth-shattering here, at least nothing that I haven’t mentioned and advocated for years. Hit the comments and add your own.

Happy 2013!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: