Security Corner

May 31, 2013  1:52 PM

When hackers hack, hack ‘em back?

Ken Harthun

Forgive my alliteration; one should avoid alliteration always. But I came across an interesting report that seems to suggest, though not necessarily advocate, retaliation against suspected copyright abusers. The report, entitled “The Report of the Commission on the Theft of American Intellectual Property,” was published by the US IP Commission. It is rather sobering, as summarized in the Key Findings:

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP [Intellectual Property] is “the greatest transfer of wealth in history.”

Where the report really gets interesting is in the concluding Chapters 13 and 14 entitled “Cyber Solutions” and “Potential Future Measures,” respectively. They come right out and suggest the use of what would amount to legally sanctioned ransomware:

Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.
. . .
…software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

And here is the “hack the hackers” section:

While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

Food for thought…

May 30, 2013  8:41 PM

Internet History, Technology, and Security course at

Ken Harthun

If you aren’t familiar with, you need to get over there right now. I just completed the nine-week course Internet History, Technology, and Security. This is a must for anyone in tech who did not grow up pre-internet and a dance down memory lane for anyone who remembers slide rules, adding machines, and punched cards. The instructor, Dr. Chuck (Charles Severance) from the University of Michigan, was engaging, amusing at times and a real pleasure to listen to. I hope to meet him some day.

Even being the security wonk that I am, I learned some new things about security (which is why I’m posting this). If you get the chance to take this course when it is offered again, I highly recommend it. I completed “with distinction.” So, please pat me on the virtual back a bit and stroke my ego <wink>. Here’s my cert:


May 29, 2013  8:02 PM

Is your password “qeadzcwrsfxv1331?”

Ken Harthun

If so, it has been cracked, and rather easily, I might add. How is it that a 16-character password with seemingly random characters could be easily cracked? The answer might surprise you, and you’ll definitely rethink the way you create passwords.

An article on Ars Technica discusses how three crackers achieved a 90% success rate against a list of more than 16,000 hashed passwords using some quite sophisticated techniques. These days, before crackers attempt brute-force attacks, which can take a very long time to complete, they run a series of hybrid attacks: dictionary words combined with short brute-forced prefixes or suffixes, which greatly expand the effective word list while keeping the keyspace manageable.

Another highly effective method is the Markov attack. Here’s a simple explanation from the Ars Technica article:

Where a classic brute-force tries “aaa,” “aab,” “aac,” and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 95^7 to 65^7, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able to crack almost as many passwords as a straight brute-force.

Are you feeling a bit insecure yet? You should be, if your passwords conform to any of those “standard” practices. I think the discovery of the password in the headline was probably an example of a good, educated guess and I’m sure a password like !!sREkaerb-Eci@@ would prove next to impossible to crack even with sophisticated tools.

But, I could be wrong…
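To make the two techniques concrete, here is an added Python example (mine, not code from the post or from the Ars Technica article). It models a hybrid attack as dictionary words with a brute-forced digit suffix, and a Markov-style attack as per-position alphabets learned from a set of already-cracked plains, then hashes every candidate and looks it up against unsalted MD5 targets, the hash type the Ars crackers were handed. The training plains, the word list and the target passwords are all constructed; the threshold of 2 and length of 5 are only there to keep the keyspace readable, and the Ars figures (length 7, threshold 65) are computed at the end.

```python
import hashlib
import itertools
import string
from collections import Counter

# Constructed stand-in for a large corpus of already-cracked plaintexts ("plains").
# Real attacks train on millions; these seven show the shape the post describes:
# capital first, lowercase in the middle, digits at the end.
TRAINING_PLAINS = ["Abc12", "Abd13", "Acc12", "Abc23", "Bcd14", "Bbc22", "Cdd19"]

# Constructed dictionary for the hybrid attack.
WORDS = ["monkey", "summer", "dragon"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def position_stats(plains, length):
    """Count which characters occur at each position, over plains of the given length."""
    stats = [Counter() for _ in range(length)]
    for p in plains:
        if len(p) == length:
            for i, ch in enumerate(p):
                stats[i][ch] += 1
    return stats


def markov_alphabets(stats, threshold):
    """Keep only the `threshold` most common characters per position.
    Ars' "length seven, threshold 65" is exactly this with threshold=65."""
    return [[ch for ch, _ in st.most_common(threshold)] for st in stats]


def keyspace(alphabets):
    """Number of candidates the per-position alphabets generate."""
    n = 1
    for a in alphabets:
        n *= len(a)
    return n


def brute_force_keyspace(length, charset_size=95):
    """Classic brute force over all printable ASCII: 95**length."""
    return charset_size ** length


def markov_candidates(alphabets):
    """Enumerate every string buildable from the per-position alphabets."""
    for chars in itertools.product(*alphabets):
        yield "".join(chars)


def hybrid_candidates(words, suffix_alphabet, suffix_len):
    """Dictionary word (plain and capitalised) followed by a brute-forced suffix:
    the hashcat-style hybrid / mask attack."""
    for w in words:
        for base in (w, w.capitalize()):
            for tail in itertools.product(suffix_alphabet, repeat=suffix_len):
                yield base + "".join(tail)


def crack(target_hashes, candidates):
    """Hash each candidate and look it up in the target set. Returns {hash: plaintext}."""
    targets = set(target_hashes)
    found = {}
    for cand in candidates:
        h = md5_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def demo():
    stats = position_stats(TRAINING_PLAINS, 5)
    alphabets = markov_alphabets(stats, threshold=2)
    # "Bcd12" fits the learned shape and is found; "Cdd19" (rare first and last
    # characters) is never generated. That miss is the price of the smaller keyspace.
    markov_hits = crack([md5_hex("Bcd12"), md5_hex("Cdd19")],
                        markov_candidates(alphabets))
    # "Summer13" is word + two digits and is found; "monkey1!" needs a symbol
    # the suffix mask does not cover.
    hybrid_hits = crack([md5_hex("Summer13"), md5_hex("monkey1!")],
                        hybrid_candidates(WORDS, string.digits, 2))
    return {
        "alphabets": alphabets,
        "markov_keyspace": keyspace(alphabets),
        "brute_keyspace": brute_force_keyspace(5),
        "markov_cracked": sorted(markov_hits.values()),
        "hybrid_cracked": sorted(hybrid_hits.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("Ars figures: 95^7 =", brute_force_keyspace(7),
          "vs 65^7 =", brute_force_keyspace(7, 65))
```

The trade to notice is in the demo: trimming each position to its two most common characters cuts the keyspace from 95^5 to 2^5, and in exchange any password whose characters fall outside the learned shape is simply never tried. Real tools make the same trade with far larger thresholds, which is why the shape of a password matters as much as its length.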

May 27, 2013  1:57 PM

To change or not to change passwords, that is the question.

Ken Harthun

Do you change your passwords regularly? Do you as an administrator require users to change passwords? Does your company have a password policy that requires regular changes?

I recently entered into a discussion with my fellow network administrators about their having password change policies and realized that opinions vary greatly on the efficacy of the practice. We had a rather lively discussion and in the end we just agreed to disagree. I am interested in your views on this and would greatly appreciate your feedback in the comments. To get things started, here are my answers to the three questions above and my reasoning for those answers.

  1. I do not change my passwords on a regular basis because there is no need to. I use extremely strong passwords and store them in LastPass. My Yubikey gives me two-factor authentication for LastPass on non-trusted computers. The only time I have changed a password is when I have been forced to by some policy on the network, or in the case of unusual behavior that could indicate a potential compromise. I was recently notified that one of my email addresses was on a list of sites that had been breached, so I changed that account password immediately. So, the simple answer to this question is that I change my passwords only on a reactive basis.
  2. On my network, I do not require users to change passwords. I emphasize to users that strong passwords are easy to create and remember and I help them do so. Forcing users to change them pretty much guarantees that they will choose something simple. A strong password is golden.
  3. Since I am the Network Administrator for my company, there is no policy forcing changing of passwords. And for my reasoning on this, I think it’s best communicated by saying I agree with this article by Bruce Schneier.

What’s your take on the subject?

May 26, 2013  12:12 PM

Cipher challenge: Can you decrypt this?

Ken Harthun

Time for some crypto fun. If you have been following my posts, you know that I’m a crypto freak. I have loved codes and ciphers since grade school days (and that is quite a long time…). Surely, I was a secret agent or a cryptographer in another life; it’s simply fascinating to me. Anyway, the internet makes simple ciphers and cryptograms trivial to solve, but it still takes some ingenuity to figure out how the ciphertext was generated. So, here’s a challenge for you: Decrypt a simple sentence using any means at your disposal, including tools available on the internet.

It won’t be as easy as you might think. The sentence is very short and does not have the normal English distribution of vowels and consonants, so letter-frequency analysis won’t get you there. Moreover, the sentence contains every letter of the alphabet (hint, hint <wink>). And for those of you who think it’s going to be ROT-13, think again; it’s not. I have preserved the spaces to make your job slightly easier. Here’s the sentence:


Have fun and post your solution in the comments.

May 26, 2013  2:05 AM

Security Now! Illustrated – Episode 17: PPTP and IPSEC VPN Technology

Ken Harthun

I simply love these Ask Mr. Wizard animations and illustrations of Steve Gibson’s Security Now! episodes. Here is the latest post, and it’s a good one. Note: There are several segments to this series and this video will refer you to them at the Ask Mr. Wizard site.

May 25, 2013  4:54 PM

Twitter now has two-factor authentication

Ken Harthun

From SANS News Bites Vol. 15 No. 41:

Twitter has introduced two-factor authentication for account access. Users who opt in to the feature provide Twitter with a mobile phone number, and whenever they want to log in to their accounts, they will be required to provide their regular passwords along with a verification code which will be sent to the specified phone. The introduction of this feature comes just weeks after several high-profile Twitter accounts were compromised and misused.

It’s fairly straightforward to set this up on Twitter. Simply log into your account, go into settings, select Password and you’ll see this message at the top:


Click on the link and follow the instructions to set it up on your mobile phone. Once you do, there is a complete range of settings that allow you to customize text notifications. Do what you want with that. My main interest is in the two-factor authentication.

After you get the preliminaries completed, you’ll have to go into your Account menu and activate the option. Here’s what that looks like:


Once you do this, you should be good to go and Twitter will require a code every time you log in.

Sidenote: Twitter is now more secure than my bank which only asks for username and password. Go figure. But more on that in another post.

May 22, 2013  3:51 PM

DO NOT open these attachments!

Ken Harthun

We all know that Adobe Reader and Acrobat have been a perennial malware vector, largely because a PDF can carry embedded JavaScript that the reader will execute. Despite an unending stream of updates to these applications, users still get infected. (In Adobe’s defense, a big part of this problem is users who open unsolicited attachments; nevertheless, the vulnerabilities shouldn’t exist in the first place.)

Data gathered by Microsoft’s antimalware products has identified a list of commonly seen malicious PDF file names, which are published on a Microsoft blog. Here they are:

  • pdf_new[1].pdf
  • auhtjseubpazbo5[1].pdf
  • avjudtcobzimxnj2[1].pdf
  • pricelist[1].pdf
  • couple_saying_lucky[1].pdf
  • 5661f[1].pdf 7927
  • 9fbe0[1].pdf 7065
  • pdf_old[1].pdf

More information is available at the Microsoft Malware Protection Center. One caveat before you build a filter on these names: the [1] suffix is what Internet Explorer appends when it stores a downloaded file in its Temporary Internet Files cache, so these are the names the files had on disk when they were detected, not necessarily the names they carried as attachments. A rule that matches only these strings will miss the same files under any other name.
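The practitioner’s first move with a PDF like these is not to open it but to look for the names that make a document executable. Here is an added Python triage check of my own (not code from the post or from Microsoft), in the spirit of Didier Stevens’ pdfid: it counts the script and action keywords, after decoding the #xx name escapes attackers use to hide /JS from naive greps, and explains its verdict. Both sample documents are constructed inline; the second one runs JavaScript on open but contains no exploit. Keywords inside compressed object streams are out of reach for a plain byte scan, which the check reports as a warning rather than pretending to have looked.

```python
import re

# Names that turn a document into a program: scripts, actions that fire on open
# or on events, external launches, embedded payloads.
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia")
# Not a verdict by itself, but it means there are compressed objects this scan cannot see.
OBJSTM = "/ObjStm"

# Constructed sample documents (not real malware). The second runs JavaScript as
# soon as it is opened and hides the /JS name behind the PDF hex escape /J#53.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def unescape_names(data: bytes) -> bytes:
    """A PDF name may spell any byte as #xx (/J#53 is /JS). Decode before scanning,
    otherwise a trivial obfuscation hides the keyword."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def keyword_counts(data: bytes) -> dict:
    """Count each keyword, requiring a delimiter after it so that /JS does not
    match inside an unrelated longer name."""
    text = unescape_names(data)
    counts = {}
    for kw in SUSPICIOUS + (OBJSTM,):
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def triage(data: bytes) -> dict:
    """Verdict plus the reasons behind it; 'clean' only means nothing was found."""
    reasons, warnings = [], []
    if not data.startswith(b"%PDF-"):
        reasons.append("no %PDF- header: not a PDF, or the header is hidden")
    c = keyword_counts(data)
    has_js = (c["/JavaScript"] + c["/JS"]) > 0
    if has_js:
        reasons.append("contains JavaScript")
    if has_js and (c["/OpenAction"] or c["/AA"]):
        reasons.append("JavaScript wired to run automatically (/OpenAction or /AA)")
    if c["/Launch"]:
        reasons.append("/Launch action can start an external program")
    if c["/EmbeddedFile"] or c["/RichMedia"]:
        reasons.append("carries an embedded file or rich media payload")
    if c[OBJSTM]:
        warnings.append("object streams present: compressed objects were not inspected")
    return {"verdict": "suspicious" if reasons else "clean",
            "reasons": reasons, "warnings": warnings, "counts": c}


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        r = triage(doc)
        print(name, "->", r["verdict"], r["reasons"], r["warnings"])
```

Run it on a quarantined sample with `triage(open(path, "rb").read())`. A clean verdict from a keyword scan is weak evidence, since the interesting objects are usually inside FlateDecode streams; a suspicious verdict, on the other hand, is reason enough not to open the file in a reader at all.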

April 30, 2013  8:40 PM

Humor: Best password security message ever!

Ken Harthun

Thanks to for lightening my otherwise stressful day. What would you do if you saw this?

Height of security! This error message was generated when Windows 2000 users logged into an MIT Kerberos realm and got the shock of their lives on attempting to change their password. They were given the seemingly impossible task of setting a password with 18,770 characters that was different from the last 30,689 passwords. Thankfully, this uncommon error was fixed with the release of SP3 for Windows 2000.

April 30, 2013  4:40 PM

!!!!!!!!!! RED ALERT for YOUR COMPUTER – Not!

Ken Harthun

I guess the goofiness runs in cycles or waves. Variations of this hard-drive-burning-most-destructive-virus-that-ever-existed hoax have been floating around in email since email went public. Makes me want to tear my hair out. This one was recently seen floating around on Facebook:


Please circulate this notice to your friends, family and contacts!

In the coming days, warning: do not open any message containing an attachment called Archive (Windows live) regardless of who sends you. This is a virus that burns the entire hard disk. This virus comes from a known person you have in your mailing list, which is why you should send this message to all your contacts. If you receive a message called "UPDATING WINDOWS LIVE", even if is sent by a friend, do not open it and stop immediately. This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus that ever existed. The virus was discovered yesterday afternoon by McAfee, and there is no chance of repair for this type of virus. Simply destroys Sector Zero of the hard disk. Just copy and paste..

C’mon, people! A simple check of would reveal any such virus hoax.
