Security Corner

March 29, 2014  9:36 PM

Oh no! Not another password post!

Ken Harthun

Yes, another post about passwords, specifically about choosing secure ones. Unfortunately, they aren’t going to go away anytime soon and, equally unfortunately, they are getting easier and easier to break. In a recent blog post, Bruce Schneier said: “As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.”

Indeed. Agreed. I’ve written many posts about how to choose secure passwords. I’m not the only one. In addition to the blog post mentioned above, here are some other resources that have strategies designed to help you create secure passwords. Oh, and regardless of what any of these articles say is the best length for a password, I recommend no fewer than 12 characters and prefer 15 characters. This number is always a moving target, subject to adjustment upward as computing power increases. Here’s my top five list:

Steve Gibson’s Password Haystacks:
My article: Is your password “qeadzcwrsfxv1331?”
Sophos’ How to Choose a Strong Password:
Roger Grimes’ Creating strong passwords is easier than you think
Microsoft’s Tips:
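To make the "moving target" point concrete, here is an added example (my own, not code from the post or from any of the resources listed above) that estimates the exhaustive search space of a password the way a "haystack" calculator does, and converts it to worst-case years at an assumed guessing rate. The character-class sizes and the guess rate are assumptions of the example; the password "qeadzcwrsfxv1331" is the one from the article linked above, the others are made up.

```python
import string

# Character classes an exhaustive search must cover once it knows which appear.
# Class sizes are assumptions of this example (33 = ASCII punctuation plus space).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

SECONDS_PER_YEAR = 365 * 24 * 3600


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates of length 1 up to len(password) over that alphabet:
    the worst case for an attacker who has to try everything."""
    p = pool_size(password)
    return sum(p ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case years for an attacker guessing at the given rate to cover the space."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, guesses_per_second: float):
    """Rows of (password, pool, space, years) so lengths can be compared at one rate."""
    return [
        (pw, pool_size(pw), search_space(pw), years_to_exhaust(pw, guesses_per_second))
        for pw in passwords
    ]


if __name__ == "__main__":
    # Constructed rate for illustration only: 1e11 guesses/s, an offline attack on a stolen hash.
    RATE = 1e11
    samples = ["Tr0ub4d!", "qeadzcwrsfxv1331", "my dog is named rex", "D0g.........15!"]
    for pw, pool, space, years in compare(samples, RATE):
        print(f"{pw!r:24} pool={pool:3} space={space:.2e} years={years:.2e}")
```

The numbers are an upper bound: dictionary words, keyboard walks and reused passwords let an attacker skip almost all of that space, which is why the 12-to-15 character recommendation only holds for content the attacker cannot predict, and why the bound shrinks every time the guess rate goes up.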


March 26, 2014  1:55 AM

Thwart predators and social engineers with a passphrase

Ken Harthun

I don’t remember exactly where I saw it or heard it, but I recall a story about an incident where a child was approached by a (potential) sexual predator. The child was told his mother wanted him home right away and — we’ll call him Mr. Friendly — Mr. Friendly was there to pick the child up. The child then asked Mr. Friendly for the password and was able to get away in the resulting delay caused by the confusion when Mr. Friendly couldn’t remember the password. The lesson learned here is that every child should have a secret passphrase and only trust those who can repeat that passphrase back to them. This could save countless lives. In fact, my wife had all our kids indoctrinated in this trick back in the day (she just reminded me). Thank heaven the kids never had to use it.

It could also save your corporate network.

Social engineers who call you pretending to be from Microsoft, your corporate office, or some other normally trusted entity are just the digital version of Mr. Friendly. And the same tactic will work on them.

Your organization should have a passphrase that every person on your help desk and all other support personnel are required to know. Every staff member should be required to ask any caller who seeks sensitive information to repeat the passphrase. The passphrase should be changed at a frequency that is appropriate for your organization.

A typical scenario may go like this:

Caller: “Hello, this is Corporate Help Desk. We’ve noticed you have a virus. We can remove it, but we need your user name and password.”

You: “Sure, be happy to help you. What is the passphrase for today?”

Caller: “Ummmm.”

You: <click> <dial IT department>

IT: “Hello, IT.”

You: “I just received a call from 555-5555 asking for my login credentials. They didn’t know the passphrase.”

IT: “Well done. Just in case, we’re forcing a reset of your password.”

Trust No One on the internet…

March 17, 2014  2:49 AM

KrebsOnSecurity hit with massive WordPress pingback attack

Ken Harthun

In a March 14, 2014 blog post, Brian Krebs revealed that his site, KrebsOnSecurity, which runs on WordPress, was hit by a DDoS attack:

On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.

I covered the details of the attack method in my last post, but I also want to help spread the word to other WordPress administrators via the list of attacking sites that Mr. Krebs provided:

My hosting provider shared with me a list of the WordPress blogs that were used in the attack on this blog. I’m sharing it here to get the attention of WordPress administrators. I realize that some readers will view this as providing a roadmap for attacks, but I’m hopeful that making this information public will decrease the number of blogs that can be used in future such attacks.


March 15, 2014  4:21 PM

Is your site an unwitting participant in a DDoS attack?

Ken Harthun

In a normal DDoS attack, a botnet of hundreds or thousands of computers performs a coordinated attack against a particular website. But what if you don’t have access to a botnet? You trick WordPress sites into sending unwanted traffic to the site. Here’s how, according to a blog post by Sucuri:

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D - "" -d '<methodCall><methodName></methodName><params><param><value><string></string></value></param><param><value><string></string></value></param></params></methodCall>'

How can you tell if your site is being used in an attack? You’ll have to check your web server logs. This is the type of entry you are looking for, with pingbacks to random sites. If you see these, your site is being misused:

 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" 
"POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A
<methodName></methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   
<string></string>\x0A  </value>\x0A </param>\x0A 
<param>\x0A  <value>\x0A   <string></string>\x0A  </value>\x0A </param>\x0A

You can also check out WordPress DDOS Scanner to check if your WordPress site is DDOS’ing other websites (I checked and mine isn’t).
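If you would rather scan the logs yourself than rely on an external checker, here is an added example (my own, not code from the post or from Sucuri) that parses entries of the shape quoted above, picks out the XML-RPC pingback calls, and reports any source host named by a flood of them. A pingback asks your blog to fetch the source URI to confirm it links to you, so many calls naming the same outside host, from many client addresses, means your site is being used to hammer that host. The log lines, IP addresses and host names are constructed for the example; the `\x22`/`\x0A` escaping and the `POSTREQUEST:` prefix follow the entry quoted in the post.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Apache "combined" line followed by the logged body, as in the post's example entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "POSTREQUEST:(?P<body>.*)"$'
)


def unescape_body(body: str) -> str:
    """Undo the \\xHH escaping the server applied when it logged the request body."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), body)


def parse_pingback(line: str):
    """Return (client_ip, source_uri, target_uri, status) for a pingback.ping call, else None."""
    m = LINE_RE.match(line)
    if not m or not m.group("req").startswith("POST /xmlrpc.php"):
        return None
    body = unescape_body(m.group("body"))
    method = re.search(r"<methodName>\s*([^<\s]+)\s*</methodName>", body)
    strings = re.findall(r"<string>\s*([^<]*?)\s*</string>", body)
    if method is None or method.group(1) != "pingback.ping" or len(strings) < 2:
        return None
    return m.group("ip"), strings[0], strings[1], int(m.group("status"))


def find_abused_pingbacks(lines, threshold: int):
    """Map source host -> (calls, distinct client IPs) for hosts named at least `threshold` times."""
    hits = Counter()
    clients = defaultdict(set)
    for line in lines:
        parsed = parse_pingback(line)
        if parsed is None:
            continue
        ip, source, _target, _status = parsed
        host = urlparse(source).hostname or source
        hits[host] += 1
        clients[host].add(ip)
    return {h: (n, len(clients[h])) for h, n in hits.items() if n >= threshold}


# Constructed sample (not from the original post): build a pingback body, escape it the
# way the quoted log entry is escaped, and wrap it in a combined-format line.
def make_line(ip: str, source: str, target: str, status: int = 403) -> str:
    xml = ('<?xml version="1.0" encoding="iso-8859-1"?>\n<methodCall>\n'
           '<methodName>pingback.ping</methodName>\n<params>\n <param>\n  <value>\n'
           f'   <string>{source}</string>\n  </value>\n </param>\n <param>\n  <value>\n'
           f'   <string>{target}</string>\n  </value>\n </param>\n</params>\n</methodCall>')
    escaped = xml.replace('"', r"\x22").replace("\n", r"\x0A")
    return (f'{ip} - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" '
            f'{status} 4034 "-" "-" "POSTREQUEST:{escaped}"')


OWN_POST = "http://myblog.example.org/2014/03/some-post/"
SAMPLE_LOG = [
    make_line("198.51.100.10", "http://victim.example.net/?4835", OWN_POST),
    make_line("198.51.100.11", "http://victim.example.net/?9921", OWN_POST),
    make_line("198.51.100.12", "http://victim.example.net/?1207", OWN_POST),
    # One ordinary pingback from a blog that really linked to the post.
    make_line("203.0.113.7", "http://friend.example.com/2014/03/nice-article/", OWN_POST, 200),
]

if __name__ == "__main__":
    for host, (calls, distinct) in find_abused_pingbacks(SAMPLE_LOG, threshold=3).items():
        print(f"{host}: {calls} pingback.ping calls from {distinct} client IPs")
```

Run it against a real access log by feeding the file's lines to `find_abused_pingbacks` with a threshold suited to your traffic; a 403 in the status column, as in the quoted entry, means the host was already refusing the calls, a 200 means your site fetched the source URI and took part.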

Here’s how to stop your site from being used for DDoS, according to Sucuri: create a plugin that adds this filter:

<?php
/* Plugin Name: Disable XML-RPC pingback */
add_filter( 'xmlrpc_methods', function( $methods ) {
    // Remove the pingback method from the table of XML-RPC methods the site serves.
    unset( $methods[''] );
    return $methods;
} );


March 15, 2014  2:37 PM

PWN2OWN cracks Reader, IE, Flash, Firefox and Chrome, but not Java

Ken Harthun

The first day of the PWN2OWN 2014 competition, an elite hacking competition that runs each year alongside the CanSecWest security conference in Vancouver, Canada, was held on Wednesday, 12 March 2014. Right out of the box, Adobe Reader, IE 11, Adobe Flash and Mozilla Firefox were PWNed. An attack on Java was not attempted, presumably because it was considered too difficult a target. What a change that is!

Day two saw both Chrome and Safari PWNed.

You can get a full recap of the results of the competition here.

Since attackers must responsibly disclose how they accomplished their hacks as a condition of entry, we can expect patches for the vulnerabilities in the next round of security updates for the affected apps.

March 13, 2014  12:56 AM

iOS 7.1 released to patch bugs and fix the White Screen of Death

Ken Harthun

On Monday, Apple released iOS 7.1 for iPad and iPhone and recommended that users update as soon as possible. The update comes just a few weeks after Apple released an emergency update for iOS that fixed a critical security hole that could have allowed hackers to intercept secure communications between your iPhone and SSL-protected websites.

According to security expert Graham Cluley (GCHQ: Graham Cluley’s security newsletter), “If you didn’t install that update (and you really should have done if possible), don’t waste any time and leapfrog up to iOS 7.1 as soon as you can.”

February 28, 2014  10:28 PM

MasterCard uses geo-location to reduce card fraud

Ken Harthun

This is a great idea and one that may turn out to be the simplest way to implement two-factor authentication for credit card companies. In fact, this is similar to what Only Coin plans to implement as part of its security suite.

From nakedsecurity:

MasterCard announced on Tuesday that it has partnered with Syniverse, a mobile technology company, in order to minimise unauthorised purchases made with stolen plastic.

The two companies are currently running an opt-in pilot scheme which allows users to make a credit card transaction only when they have their mobile device switched on and to hand in a specific location.

The service providers then cross-check the locations of both the credit card and the mobile device at the time a transaction is made. If they match, bingo. Otherwise, if the card is in Toronto, for example, and the smartphone is in London, the transaction will be denied.

Go for it!

February 28, 2014  10:21 PM

Two factor authentication becoming a necessity

Ken Harthun

With the password’s fading usefulness, we have to seriously consider two-factor authentication as the minimum level of security for any site dealing with sensitive information. I have been using the PayPal “football” for years as a second factor on both PayPal and eBay. I’ve implemented YubiKey and Google Authenticator on LastPass, and Google Authenticator on Dropbox. But these aren’t the only ones out there. There is, of course, the well-known RSA SecurID, but here are a few two-factor authentication providers you may want to look into.

  • Yubikey – a USB hardware token that is in essence a second authentication method based on a unique physical token which cannot be duplicated or recorded, providing a credential based on something only an authorized user possesses. Used with a standard username and password, the YubiKey provides a strong, two-factor authentication to any site, service or application.
  • Google Authenticator – provides a six digit one-time password users must provide in addition to their username and password to log into Google services. The Authenticator can also generate codes for third party applications, such as password managers or file hosting services.
  • PayPal Security Key – The PayPal Security Key creates random temporary security codes that help safeguard your PayPal account when you log in. There are two types: A credit-card sized device (the “football” is no longer available); and, security codes sent by text message to your mobile phone. (I actually use both.)
  • Duo Security – Uses a mobile phone similar to Google Authenticator. Duo’s solution is cloud-based.

February 27, 2014  2:33 AM

Mac OS X 10.9.2 released to fix critical SSL security hole

Ken Harthun

They promised “as soon as possible” and they delivered. Here are the details straight from the OS X App Store.


February 27, 2014  2:12 AM

Why passwords alone are no longer sufficient security

Ken Harthun

We have all seen this coming for a long time; in fact, I’m surprised it has taken this long to become obvious that passwords alone are no longer sufficient security. Sure, they’re OK for things that really don’t matter, like news and entertainment sites — any site that doesn’t store sensitive information about you — but for everything else they’re just not enough anymore.

Passwords are the “something you know” part of security and therefore the easiest factor to guess or otherwise obtain. Beyond the fact that people tend to use passwords that are easily guessable, here are three other reasons why passwords alone are no longer sufficient security.

1. Duplicate passwords. People tend to use the same password in multiple locations, often using the same one for everything. I don’t know how many times I’ve had people tell me, “I always use xxxxx for my password” meaning, of course, that when asked to create a password for anything, that’s the one they use.

2. Keylogger infections. Every day, I see computers with bogus “system cleaners,” “system optimizers,” “pc boosters,” etc. infecting them. I can only assume that beyond these junky scams, there is more sinister stuff installed. People just don’t know any better and if it sounds good to them, they click OK. I envision that some sort of message like “Please click here to protect your bank account from unauthorized access” would be a quite effective technique.

3. Phishing scams. I’ve seen some of these in my own inbox that made me do a double take until I dug a bit deeper. If I almost got phished, I promise you someone else really did. Then, once the hacker had the password, he probably tried it on every site the person had, and was probably successful at gaining access to several of them.

Bottom line: Two-factor authentication is not only long overdue, it’s critical if we ever hope to prevent the huge data breaches like Target’s and others that have been in the news.
