Security Corner

July 21, 2015  6:04 PM

A novel password strengthening approach

Ken Harthun
Morse code, Password, Password cracking, password encryption and decryption, Security

We all agree that strong passwords are especially necessary in today’s hack-a-day world and there are sites galore giving advice on how to create memorable strong passwords. I’ve posted more than my share of advice on this subject over the years.

One thing that has always been frustrating is attempting to use one of my favorite password strengthening patterns only to be told that the characters are not allowed. So, I’d have to switch to my alternative method which, unless I added several more characters, wasn’t as strong.

One thing I’ve noticed on these sites is that they usually allow special characters like periods, dashes and the like. Periods. Dashes. Hmm, we Ham Radio operators (I’m W4KGH, in case you’re wondering) use dots and dashes to signify Morse Code characters. Everyone is familiar with the international distress signal, SOS, which sounds like di-di-dit dah-dah-dah di-di-dit. Written with dots and dashes, it looks like this: ...---...

So, I thought, why not use Morse code patterns in place of some letters in your password? Doing that significantly increases the length of the password, and length is what a brute-force attacker pays for. It is not encryption in any real sense (there is no key, and anyone who knows the scheme can read the password straight back), but it is an encoding that uses only characters nearly every site accepts.

By way of example, the word “password” is eight characters. Replace one “s” with its Morse equivalent, “...”, and you’ve lengthened it to ten characters. Replace both s’s and the o with their Morse characters and it becomes pa......w---rd, 14 characters (I don’t recommend you use my example).

You might say that using Morse code, which most people don’t know, would make passwords even harder to remember. Not so. If you limit yourself to the numbers, there is an easy-to-remember and quite elegant symmetry to the patterns:

1  .----
2  ..---
3  ...--
4  ....-
5  .....
6  -....
7  --...
8  ---..
9  ----.
0  -----

Every digit is five symbols long. From 1 to 5 the digit is the number of leading dots, padded out with dashes; from 6 to 0 the pattern is the mirror image, dashes in front and dots behind. So just by using your age, for example, you’re adding ten characters to your password.

Something like 8/.--------.........-- (22 characters) isn’t going to fall to a dictionary attack, and a brute-force attacker who treats it as 22 arbitrary printable characters is facing a hopeless search. One caveat belongs here, though: that gain depends on the attacker not knowing the scheme. Dots and dashes are only two symbols, so a run of 20 of them carries at most 20 bits, and a password cracker with a rule that collapses each five-symbol group back into a digit is once again guessing a date or an age rather than a 22-character string. Use the Morse trick to pad a password that would already be decent on its own, not as the only thing standing between an attacker and a number they could look up.
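To make both sides of that argument concrete, here is an added example in Python (it is not code from the post). It performs the substitution described above and then compares the work facing two attackers: one who treats the result as arbitrary printable characters, and one who knows the month/year-in-Morse layout and undoes it. The 95-character printable alphabet, the 1900 to 2015 year range and the date 4/1987 are assumptions constructed for the demonstration; the Morse digit table is the standard one.

```python
import math

# International Morse code for the digits 0-9 (the standard table; this is an added example,
# not code from the post).
MORSE_DIGITS = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
# The two letters the post swaps out in "password".
MORSE_LETTERS = {"s": "...", "o": "---"}
DIGIT_FROM_MORSE = {code: digit for digit, code in MORSE_DIGITS.items()}

# Attacker models assumed for the comparison (assumptions of this example, not figures from the post).
PRINTABLE_ALPHABET = 95          # printable ASCII: what a naive brute force iterates over
DATE_YEARS = range(1900, 2016)   # constructed year range for a month/year guess list


def morse_expand(text, table):
    """Replace every character that appears in `table` with its Morse string; others pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def encode_month_year(month, year):
    """The layout of the post's 22-character sample: the month left as a plain digit and a
    slash, followed by the four-digit year spelled in Morse."""
    return f"{month}/" + morse_expand(str(year), MORSE_DIGITS)


def naive_brute_force_bits(password, alphabet_size=PRINTABLE_ALPHABET):
    """Search space, in bits, for an attacker who treats the password as arbitrary printable characters."""
    return len(password) * math.log2(alphabet_size)


def scheme_aware_bits(years=DATE_YEARS):
    """Search space, in bits, for an attacker who knows the password is a month/year with the year in Morse."""
    return math.log2(12 * len(years))


def undo_morse_digits(text):
    """Cracker-side 'unmangle' rule: split every run of dots and dashes into five-symbol groups and
    map each group back to a digit.  Returns None when a run is not a whole number of valid digit
    codes, so the rule leaves letter substitutions such as the post's '...' and '---' alone."""
    out, i = [], 0
    while i < len(text):
        if text[i] not in ".-":
            out.append(text[i])
            i += 1
            continue
        j = i
        while j < len(text) and text[j] in ".-":
            j += 1
        run = text[i:j]
        if len(run) % 5:
            return None
        for k in range(0, len(run), 5):
            digit = DIGIT_FROM_MORSE.get(run[k:k + 5])
            if digit is None:
                return None
            out.append(digit)
        i = j
    return "".join(out)


def find_morse_date(encoded, years=DATE_YEARS):
    """Guess every month/year in the assumed range, encode it the same way, and count guesses
    until one matches.  Returns (plaintext, guesses), or (None, guesses) if nothing matched."""
    guesses = 0
    for year in years:
        for month in range(1, 13):
            guesses += 1
            if encode_month_year(month, year) == encoded:
                return f"{month}/{year}", guesses
    return None, guesses


if __name__ == "__main__":
    # The post's own example: "password" with both s's and the o replaced.
    print(morse_expand("password", MORSE_LETTERS))
    # A constructed date in the same layout as the post's sample (22 characters).
    target = encode_month_year(4, 1987)
    print(target, len(target))
    print(f"naive brute force: {naive_brute_force_bits(target):.1f} bits")
    print(f"attacker who knows the scheme: {scheme_aware_bits():.1f} bits")
    print(find_morse_date(target))
    print(undo_morse_digits(target))
```

Run as-is, the script shows the 22-character string looking like roughly 144 bits of work to the naive model and falling in about a thousand guesses once the attacker models the substitution; the unmangle rule is the kind of thing a cracker adds to its rule set once the trick is written up on a blog.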

There are many ways to utilize this and I’ll leave the rest to your imagination. Give it a try. It can’t hurt and you might have some fun.

July 9, 2015  4:22 PM

Who or what is the most dangerous security threat?

Ken Harthun

Hackers, cybercriminals, government-sponsored cyberattacks, terrorists, et al. are constantly in the news when it comes to cyber security. The focus is usually on data breaches. These things certainly are not good and cause a lot of economic damage to the victims, not to mention the emotional distress and inconvenience. But is this really what we should be concerned about? Who or what is the most dangerous security threat?

Here is some food for thought. I venture to say that the most dangerous security threat we all face is our totalitarian-wannabe government (if you have never read George Orwell’s novel, 1984, I highly recommend it). It’s not too far a stretch what with how the NSA is actively spying on all of us (and don’t think for a moment that they aren’t still doing it, despite utterances to the contrary). The NSA continues to develop spyware and malware that even the elite in the cybercrime community haven’t begun to approach. Oh, wait, maybe the NSA are the elite in the cybercrime community.

Lest you dismiss what I am saying here, please take a look at what noted security researcher and Electronic Frontier Foundation board member, Bruce Schneier has to say in his article “How the NSA Threatens National Security:”

…the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.

…US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA’s activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.

Those of us who know the score need to present a united front with our strong voices against the criminal agencies who continue to insist on spying on their law-abiding citizens. Inspection before the fact has always been–and always will be–a violation of individual rights, liberties and personal privacy.

June 26, 2015  2:04 AM

Samsung making Microsoft a little unhappy

Jeff Cutler
Apple, Business, laptop, Microsoft, news, samsung, Security, Updates, Windows

You know the person in your office who leaves their passwords taped to the front of their monitor? Sure you do. They’re putting everyone’s data and hard work at risk because they’ve short-circuited the security process. It’s not nice, and it could cost the company money.


What would you do if that same person ran around the office and logged into EVERY workstation (not that it should be allowed) and then left all the machines on and the doors to the office open? You might as well say they had left the door to the Internet open with a sign inviting hackers to stop by and take what they want.

Yeah, well, that’s pretty much what Samsung did recently when it took it upon itself to disable Microsoft’s security updates on some Samsung machines. In the news this week, the BBC reported tales of Samsung machines disabling updates from Microsoft in favor of different software. Samsung denied this, sort of, with a comment about giving consumers a choice when it comes to software.

But the bottom line is that it happened enough to get people’s attention.

Is it a huge deal? Not really in terms of numbers, but it might represent the way the market is going when it comes to software that comes preloaded on machines and what security is used to protect certain platforms.

Here’s a snippet of the article:

[Screenshot: excerpt from the BBC article]

What do you think? Does it make sense for Samsung to actually have some say about what goes on their machines? Should consumers have a say? Or are we still in a three-platform world with Linux, Apple and Microsoft running everything?

Leave your thoughts in the comments. Thanks!

June 20, 2015  1:40 AM

Want Money from the Gov’t? Get a Death Certificate.

Jeff Cutler
Access, Data, Facilities, Facilities management, Log management, money

It’s odd. When most of my posts are about keeping things secure, this piece of news jumped out and reminded me that log and access management are still vital pieces to data and facilities security.


A primer for those who just read the Security Corner for fun. Log management is the collecting, keeping and reviewing of records of who accessed which data on a system, and when. That’s the simplified version.

Further, log management can also mean the examination of access logs to facilities and offices within a building or campus. That’s why so many businesses (most if not all these days) ensure that everyone they employ has a badge and that the badge is coded to allow them into certain areas. If you don’t have permission to be in an area – you have not been provisioned – then your badge won’t let you in.

In the case of the news in this article about the government paying out LOTS of money to dead people, it’s very clear that nobody checked to see if the people were still breathing. A simple credential check, reconciling each payee against the death records the government itself keeps, would have kept $46.8 million in the coffers of the USA and out of the pockets of thieves. While this wasn’t simply a case of “OK, your badge looks legit, go on in,” it is a case where better security should have been used.

What’s your take on how secure our government keeps its money? And then beyond that, how safe do you think they’re keeping information if they let actual cash get away so easily?

Yikes! I look forward to hearing from you in the comments or discussions. Thanks for reading!

June 16, 2015  2:39 PM

Opiates, Hospital Records and Communication

Jeff Cutler
Data, Email, Hack, Healthcare, Password

In the news lately in Massachusetts is the debate over stricter laws and rules for prescribing drugs. That’s pretty much always been the case, but this time the focus is on opiates. The numbers are staggering (6,600 people died in ten years from this class of drugs in MA), but the security ramifications are also hefty.


For instance, right now you can go pick up an antibiotic prescription from your pharmacy just by telling the pharmacist your name and paying $5 or whatever these drugs go for. For many classes of opiates – up until the recent crackdown and increase in awareness – you would need your license and an actual paper prescription from the prescribing doctor.

Some folks say that the increased focus is going to make that seem like a cakewalk. In some instances, people are talking about patients on pain killers having to visit the pharmacy each week, each couple days or even for each dose. While this might make the handing out of these drugs more secure, it’s going to present issues itself in time, resources and headaches.

Similarly, as the actual drugs are being restricted, so too are the records about your health. My current health plan and hospital have joined forces to institute an online site that allows me to get access to my records any time I’d like. The main issue is that the security interface, required password and lack of ability to reset passwords in a timely manner effectively lock me out of my records about 65% of the time.

In theory, it is a great system. My data is available to me and my physicians when I want to access it. In practice, only a skilled hacker would likely be able to get to this data on a regular and efficient basis. That scares me a little because I like to be able to get to my information and if it’s too hard to do so, most people will find shortcuts that eventually allow hackers and thieves to get inside the system. Stuff like writing passwords in plain sight, staying signed into accounts or even emailing themselves sensitive info about access.

Lastly, and maybe the best thing about the collection of healthcare technology I have working for and against me is the communication. That’s down to a science. While we might be informed time and again that emails are not secure communication, they are the fastest way to get the attention of my doctors and the best way for me to share information that they need to make decisions.

I’m loving that I can ask one doctor about symptoms, another about a prescription and set up an appointment with another all via email. That’s the way I communicate these days and I think the population of doctors has become more accustomed to doing business this way. I’m still careful not to share any specific info like hospital record numbers or minute details about my health. But I think this is where healthcare is headed.

I’m now waiting for the healthcare IT folks to actually spend some time on UX so their magnificent sites can be used by people like me and even those who are even more daunted by technology.

June 11, 2015  1:50 AM

Hacking Roundup – Tech News World

Jeff Cutler
Data, Hacking, Internet, news

I like hacking news. Not because it trumpets vulnerabilities, but because it keeps people on their toes and holds all of us to common-sense standards. If we hear about someone waltzing onto the White House lawn, don’t we all think a little harder about how we keep people off our business campus? You bet.


And when we hear about how apps and systems and even text messages are enabling thieves to collect data and then use that data for bigger breaches – it should scare us. Thankfully it does. I didn’t want you to lose sight of that, so I did a little googling and found this little roundup of hacking articles on Tech News World for you to read.

It’s summer, it’s hot, people don’t want to plow through long articles. The tl;dr notation is appearing with regularity on lots of Facebook status updates these days so you know people don’t want to dig too deep. So, this roundup is just about 12 shorties for you to peruse and then we’ll get back to longer pieces next month.

If you have suggestions for a security corner piece you’d like me to write, leave a comment on this post or hit me up on Twitter. I’m a big fan of doing interviews, too. So if you’re a security pro who wants to step into the spotlight for a moment, also give me a shout. You’ll need Skype and a good microphone and Internet connection.

I love hearing about new security methodology and solutions, so do the same thing. Leave a comment or tweet at me. Thanks and enjoy the beach!

June 1, 2015  12:22 AM

Airport Security Breaches – Inconvenient, but it’s not a data breach.

Jeff Cutler
Data, Security

In the news today is a story about how the Winnipeg Airport had a security breach the other day and more than 400 flights were affected. It’s just the latest of a series of breaches affecting airports around the world and disrupting air travel.


According to the story, an airport spokesperson named Talbot indicated the breach wasn’t anything major and was cleared up fairly quickly.

Because that breach was discovered in the holding area, those passengers were evacuated so that airport security personnel could conduct a sweep.

“As far as a breach goes, it was minor,” said an airport official who declined to give his name and referred all further questions to Talbot.

One passenger told reporters that at least 20 RCMP officers wearing body armour were inside the security area checking people over suspiciously before they were evacuated. However, no one was arrested, Talbot said.

It makes me wonder whether events like this are going to keep happening and whether the response to them will change as a result. If these breaches keep occurring, security might come to expect them, and the likelihood, as I see it, is that the response would start to taper off. Folks will take them less seriously in the interest of keeping planes, commerce and travel moving.

That would be a bad thing, I think. What’s your take?


June 1, 2015  12:05 AM

Storms and Keeping Your Home Safe

Jeff Cutler
Data, Facilities, home, Insurance, IT

One of my other professional hats is Chief Content Officer at a real estate brokerage. In this role, I list property and help buyers find homes in Massachusetts. The fun part is that home security methodology often carries across boundaries, so I can make a security point using examples that come to me when doing home visits.


To that end, one of the biggest ways to protect your home is through insurance. But nobody wants to overpay for insurance or get too little coverage in case of a weather incident. Up here in the Northeast, the two biggest insurance expenses are flood insurance and hurricane insurance. While flood insurance is a real thing – and often really expensive – hurricane insurance isn’t really a specific type of insurance; it’s just an adjustment to overall homeowners insurance in areas where hurricanes have been shown to wreak havoc.

One way to gauge how much coverage you need, though an inexact one, is to watch the forecast for the coming season and make plans for the storms the experts think will come ashore.

Ultimately, if you’re going to protect yourself and your property you need to be as informed as possible. It’s the same methodology IT professionals use when keeping data and facilities safe. Here’s wishing you an uneventful 2015 and a year that doesn’t cost you more than you can afford.

May 31, 2015  11:28 PM

The Mighty Wallet and Security of Your IDs

Jeff Cutler
Backup, Data, Internet, online

The Summer season of travel is upon us. Lots of folks are headed out to have amazing adventures here in the United States and within other countries all over the world. They’re bringing family, friends, loved ones and they’re also carting along the digital keys to their castles at home.


Don’t sit there and imagine the janitor’s keyring with 185 keys rattling around on it. The access I’m referencing is the online passage to accounts, data and financial history that could be very valuable to a thief. In fact, armed with one way to get into someone’s bank or investment accounts, thieves are often able to find more ways to wage war and attack victims’ personal information.

That’s got to stop. Essentially, the best way to keep your data, credit cards, passwords, home and other belongings safe is to be smart. Take only one or two credit cards with you when you travel. Carry a list of the issuers’ customer-service numbers and the last four digits of each card and ID, rather than the full numbers, so you can report a loss without the list itself being worth stealing. Keep a copy of that list somewhere you can reach from the road, such as an encrypted note or a password manager, or leave it with someone at home who can read it to you if you need it. A plaintext email to yourself is readable by anyone who gets into your inbox, and your email account is exactly what a thief holding your wallet and phone will try first.

It sounds like common sense, but lots of travel guides discuss the best way to keep yourself and your stuff safe: don’t carry more than you need; keep your wits about you; don’t go into bad areas; and have a plan in case you do lose your belongings.

Have fun this Summer. See some great places, have some amazing adventures, and don’t lose your money or valuables.

If you have travel safety tips, please share them here. Thanks!

May 11, 2015  11:22 PM

Football Security – Deflategate and its Lessons

Jeff Cutler
football, Game, information, Security

A few moments ago the journalists on ESPN announced that Tom Brady, quarterback for the New England Patriots, has been suspended for the first four games of the 2015 NFL season. This is a result of the #Deflategate investigation and the penalties handed out by the league. Added to the penalties were the loss of two draft picks, a first-rounder in 2016 and a fourth-rounder in 2017. Further, the team has been fined $1 million.


What’s this mean to anyone dealing with security issues? Actually, a lot. In fact, if the NFL had been better at protecting the tools of the game, this situation might not have occurred at all. If the people who control the game and regulate the pressure of the footballs used in games had watched more closely, one of the icons of the game wouldn’t have even had the chance to cheat to gain an advantage.

But that’s the big issue. In competition – as in business – companies and players are always looking for a competitive advantage. In this case, it seems that Tom Brady was trying to get an advantage by letting a little air out of the footballs that his team was using during the season. What this does – a softer football – is offer the quarterback an easier ball to handle and running backs and receivers a much easier ball to catch and carry.

In fact, it was said on ESPN tonight that a deflated football is almost impossible to lose control of. Which means fumbles are eliminated and any football fan knows how big a factor fumbles and takeaways are in whether a team wins or loses.

So, let’s talk about this as an analogy to business processes. How can we learn from this?

Essentially, we need to have better security at all levels. From front-line security and reception (akin to the ball boys and equipment managers), we need to ensure that only properly provisioned and approved personnel get onsite and have access to company data.

Then our inside staff – IT and technology personnel – should follow up and keep systems and facilities as safe as possible. This is similar to what the referees did when they found underinflated footballs in possession of the New England Patriots.

Ultimately, the stigma that will follow Tom Brady and the New England Patriots may leave an asterisk on all their successes – because nobody can truly know if they were deflating footballs as far back as their first Super Bowl win. And this type of stigma might manifest itself as loss of business when it comes to technology companies.

The lesson to be learned? Don’t be like Tom Brady when you look for a competitive advantage. Cheating is wrong, integrity is right, and we should all focus on security as much as possible. What’s your take?

How are you going to make your company more secure?

If you were in charge of the NFL, how would you punish cheaters and those who didn’t keep the game secure and clean?
