Security Corner

June 26, 2014  4:14 PM

Highly effective security: Create strong passwords

Ken Harthun

Passwords are usually the frontline protection against unauthorized access. In fact, sometimes a password is the only protection. If you have weak passwords, you’re vulnerable to attack and compromise of your valuable data. If you have weak passwords and use those same weak passwords at multiple sites, you’re a disaster waiting to happen.

There are two rules you should always follow.

1. Always create strong passwords. This means:

  • Don’t use your name, dictionary words (even foreign words), acronyms, or even common phrases or slogans.
  • Don’t use prefixes or suffixes that use common keyboard patterns such as “Asdf1.” See Steve Gibson’s Password Haystacks page.
  • Use a random mixture of upper-case and lower-case letters and special symbols. Even extended-ASCII symbols such as ▐ (Alt-222) can be used.

2. Never use any password for more than one site. One site = one password.

If you have passwords on sites you don’t care about — as long as they don’t contain any personally identifiable information — you could use a throwaway password for those. Some sites just insist that you have a login when it really doesn’t matter. What comes to mind are pure news sites that you only read and that don’t force you to create a profile. Those would be the only exceptions, but I don’t even recommend that.

Bottom line: Create strong passwords and never use the same password for more than one site.
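As an added illustration of the two rules above (an example written for this page, not code from the post), a small Python checker: check() flags rule-1 violations (your name, a dictionary word, a keyboard-pattern prefix or suffix like “Asdf1”, or a missing character class), haystack_bits() sizes the brute-force search space the way Steve Gibson’s Password Haystacks page does, and reused_passwords() finds rule-2 violations in a list of site/password pairs. The word list, keyboard runs and the name parts “ken”/“harthun” are constructed placeholders.

```python
import math

# Constructed sample lists; a real checker would load full word lists instead.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "4321")
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 95 printable ASCII

def char_classes(pw):
    """Which of the four printable-ASCII classes the password draws from."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def haystack_bits(pw):
    """log2 of the brute-force search space, estimated the Haystacks way: every
    string up to this length over the alphabet of the classes actually present."""
    if not pw:
        return 0.0
    alphabet = sum(ALPHABET_SIZE[c] for c in char_classes(pw))
    space = sum(alphabet ** n for n in range(1, len(pw) + 1))
    return math.log2(space)

def check(pw, user_names=("ken", "harthun")):
    """Rule 1: return the violations found in pw (an empty list passes).
    user_names holds the account holder's name parts (placeholder values)."""
    low = pw.lower()
    problems = []
    if any(name in low for name in user_names):
        problems.append("contains-name")
    if any(word in low for word in DICTIONARY):
        problems.append("dictionary-word")
    core = low.strip("0123456789")  # digits trimmed so "Asdf1" shows its "asdf" prefix
    if any(s.startswith(r) or s.endswith(r) for r in KEYBOARD_RUNS for s in (low, core)):
        problems.append("keyboard-pattern")
    for cls in ("lower", "upper", "symbol"):
        if cls not in char_classes(pw):
            problems.append("missing-" + cls)
    return problems

def reused_passwords(vault):
    """Rule 2: map each password used on more than one site to those sites.
    vault is a list of (site, password) pairs, e.g. a password-manager export."""
    sites = {}
    for site, pw in vault:
        sites.setdefault(pw, []).append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}
```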

June 10, 2014  6:27 PM

Holy Patch Tuesday, Batman! 66 holes in Windows products

Ken Harthun
Adobe, Microsoft

Today is Patch Tuesday and Microsoft’s seven updates address 66 security holes in Windows and related apps. Most of those vulnerabilities — 59 of them — are in Internet Explorer (MS14-035). No surprise there. It’s the most insecure mainstream browser ever developed. Most of the vulnerabilities were labeled “critical,” meaning the bad guys can exploit them without any conscious help from users. Again, no surprise. You can read all about it here.

Lest I be unduly unfair to Microsoft, Adobe’s update for the Flash Player plugin fixes six bugs. I have the plugin set to ask me if I want to play a video. It’s inconvenient, but a lot safer than trusting a proven insecure plugin.

Bottom line: Apply the patches and hope the bad guys don’t find something MS and Adobe missed in the meantime.

June 5, 2014  8:32 PM

Yes, Virginia, TrueCrypt is still safe to use

Ken Harthun
GPL, Security, TrueCrypt

Despite the ominous warning on the redirected TrueCrypt page at SourceForge, the venerable encryption software is still safe to use. Noted security expert Steve Gibson of SpinRite and Security Now! fame recently posted an in-depth article on the website here. To those pundits (including me, unfortunately) who have advised us to look elsewhere for encryption software, he says: “Those who believe that there is something suddenly ‘wrong’ with TrueCrypt because its creators have decided they no longer have so much to give are misguided.”

I do believe the way the TrueCrypt developers bowed out definitely tended to lower confidence in their creation, but when a developer of Gibson’s caliber says “And have YOU looked at their code? OMG, it’s truly a work of art. Whomever and wherever these guys are, SOMEONE is paying them some serious coin to create code of that caliber,” I tend to listen. I will further heed this level-headed advice:

Time to panic?

No. The TrueCrypt development team’s deliberately alarming and unexpected “goodbye and you’d better stop using TrueCrypt” posting stating that TrueCrypt is suddenly insecure (for no stated reason) appears only to mean that if any problems were to be subsequently found, they would no longer be fixed by the original TrueCrypt developer team . . . much like Windows XP after May of 2014. In other words, we’re on our own.

But that’s okay, since we now know that TrueCrypt is regarded as important enough (see tweets above from the Open Crypto Audit and Linux Foundation projects) to be kept alive by the Internet community as a whole.

So, thanks guys . . . we’ll take it from here.

I plan to continue to use TrueCrypt and be relaxed about it. We’ll see what develops, but already there is interest in picking up where the original developers left off: a just-launched, Swiss-based possible new home for TrueCrypt. Follow these folks on Twitter: @TrueCryptNext. Given the deliberate continuing licensing encumbrance of the registered TrueCrypt trademark, it seems more likely that the current TrueCrypt code will be forked and subsequently renamed. In other words . . . for legal reasons it appears that what TrueCrypt becomes will not be called “TrueCrypt.”

Bottom line: Continue using TrueCrypt without concerns and watch for what happens as it forks off.

June 5, 2014  6:37 PM

Microsoft calls government snooping “advanced persistent threat”

Ken Harthun
Data integrity, Data privacy, Encryption, Information security, Transparency

Yes, just like malware. Well, isn’t it a malevolent government act to spy, without cause, on its citizens?

In a December 2013 blog post, Microsoft says they share our concerns:

Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

Then they position such activities right there alongside malware and cyber attacks:

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” [emphasis added] alongside sophisticated malware and cyber attacks.

Because of this, Microsoft is ramping up its encryption on Office 365, SkyDrive and Windows Azure, to name a few. They are also working to reinforce legal protections by notifying customers if they receive any government order to release data, and they are challenging any gag orders:

Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.

Another step they are taking is to increase transparency by making their source code available for review where appropriate:

We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors.

I’m very happy with these efforts on Microsoft’s part. How about you?

June 3, 2014  2:44 PM

You can help in the Gameover Zeus & Cryptolocker takedown

Ken Harthun
CryptoLocker, Cybercrime, cybercriminals, DOJ, FBI, Security, Sophos

Your help is needed in a massive law enforcement effort to take down the Gameover Zeus (GOZ) and Cryptolocker botnets. The Department of Justice (DoJ) has announced a massive international legal and technical assault against these two infrastructures. To give you an idea of the scope of this action, here is an official list of the other cooperating agencies:

The Australian Federal Police; the National Police of the Netherlands National High Tech Crime Unit; European Cybercrime Centre (EC3); Germany’s Bundeskriminalamt; France’s Police Judiciaire; Italy’s Polizia Postale e delle Comunicazioni; Japan’s National Police Agency; Luxembourg’s Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; Ukraine’s Ministry of Internal Affairs – Division for Combating Cyber Crime; and the United Kingdom’s National Crime Agency participated in the operation. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation.

You can read all about what they have done here. Here’s an excerpt:

Here is what we did: first, on May 7, in coordination with the FBI, Ukrainian authorities seized and copied key Gameover Zeus command servers in Kiev and Donetsk.

. . .

At the same time, our foreign law enforcement partners seized critical computer servers used to operate Cryptolocker, which resulted in Cryptolocker being unable to encrypt victim files.

. . .

Beginning in the early morning hours on Friday and continuing through the weekend, the FBI and foreign law enforcement then began the coordinated seizure of computer servers around the world that had been the backbone of Gameover Zeus and Cryptolocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom.

. . .

I am pleased to report that our actions have caused a major disruption of the Gameover Zeus botnet. Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week.

A huge blow, to be sure, but that’s not the whole story. Hundreds of thousands of computers are still infected and it’s possible that the bad guys could re-establish communications by setting up new servers. Keep in mind, these guys are geniuses, albeit acting evilly at the moment, so don’t assume they are down for the count.

“But I’m just a single person,” you say. “How can I possibly contribute to such a massive effort?”

Simple: follow the advice of Sophos:

The next stage – the part of the operation that is the duty of all of us – is to dismantle the rest of the botnet, by progressively disinfecting all the zombie-infected computers that made the Gameover and Cryptolocker “business empires” possible in the first place.

US-CERT has come up with a whole list of free tools so you can do just that, and (if you are the go-to person for IT problems amongst your friends and family) so that you can help others, too.

I’m delighted to say that the Sophos Virus Removal Tool is amongst the recommended cleanup utilities.

Scan every computer you touch that you suspect might have malware of some kind. Let’s break this thing completely.

May 29, 2014  1:02 PM

Is TrueCrypt really dead?

Ken Harthun
Disk Encryption, Security, TrueCrypt

Because of the abrupt announcement at, no one is completely sure yet whether or not the venerable staple of file and disk encryption is really finished for good. Here’s the notice posted there:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt.

The site then goes on to explain how to migrate from TrueCrypt to BitLocker under Windows and to an encrypted disk under Mac OS and Linux.

Whatever is going on here, it’s going to make users very wary about ever trusting the software again. It’s probably time for all of us to find another way to do encryption on our files and hard drives.

May 27, 2014  5:19 PM

eBay STILL hasn’t notified me to change my password

Ken Harthun
Ebay, Password, Security

I posted 5 days ago (5/22/14) about the eBay security breach. I STILL haven’t received an email from them about it. This is absolutely unacceptable.

Apparently, some people have gotten emails, like Graham Cluley:

“Yesterday, at 5:32pm UK time, I received an email from eBay, telling me that I should consider changing my password because they had suffered a security breach.”

C’mon, eBay, get your stuff together.

I do a lot of business on eBay and now I’m wondering if I can trust them.


May 22, 2014  9:05 PM

Highly effective security: Use a pre-boot password

Ken Harthun
best practices, BIOS password, Security, UEFI

If hackers can’t boot your PC, it makes the task of stealing your files that much more difficult. Using a pre-boot password is a highly effective security precaution.

In the latest issue of Windows Secrets newsletter, one of my favorite gurus, Fred Langa, explains:

Most current PCs have some kind of BIOS/UEFI-password option built in. There can be multiple types of passwords, and they typically appear immediately after a system powers on and before the operating system loads.

. . .

Some passwords lock down the entire system; without the proper password, the system won’t boot at all — either from the internal hard drive or from any bootable media! Other passwords help to protect the hard drive from unauthorized access. And still other passwords let you set an administrator/supervisor password to prevent unauthorized changes to the BIOS/UEFI settings.

. . .

Using one or more of these low-level passwords can help lock your system down tight, making it extremely secure against any unauthorized access.

Very good advice, Fred. Thank you!

May 22, 2014  8:21 PM

eBay passwords breached: Change your password now

Ken Harthun
Data breach, Ebay, Paypal, Security, Two factor authentication

If you have an account on eBay, be sure to change your password now. eBay has confirmed that they suffered a breach that revealed non-financial user data. From the eBay Inc. blog:

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

. . .

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

Other takes on the breach:

Graham Cluley’s blog.

Brian Krebs’ Krebs on Security blog.

eBay said they would be sending out emails to customers, but I, for one, have not received anything from them yet.

Another piece of advice for you: If you haven’t done so, consider setting up the PayPal Security Key on both eBay and PayPal. You can use your mobile phone for free, or buy the special credit-card size device for $29.95. Either of these methods adds additional two-factor security on both sites.

May 22, 2014  8:04 PM

Get rid of Adobe Shockwave Player now

Ken Harthun
adobe reader, Adobe Shockwave Player, Foxit Reader, Security, Shockwave Flash, Shockwave Player security

I have been disaffected with Adobe for a long time. Though they have excellent programs like Photoshop and now the Creative Cloud suite, their security has been dismal and Acrobat Reader is probably the worst piece of bloatware to ever hit a computer. I got rid of Shockwave Player last year because of obvious security issues and because it’s really not needed much of anywhere. I refuse to use Adobe Reader anywhere, opting for Foxit Reader instead (which I have used since version 1).

Today, I saw this from Krebs on Security:

This author has long advised computer users who have Adobe’s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.

So, I’m once again recommending that if you have any version of Shockwave on any of your systems, or your users have it, get rid of it now. Adobe says they’re going to bring it up to date. Whatever. Just get rid of it.

If you’re not sure you have it, you can go here to find out. If you see an animation, you have it and should uninstall it using Adobe’s tool.
