Security Corner


February 26, 2013  12:25 AM

Could you pass this LAN Engineer test?

Ken Harthun

Back in July, 2009, when I found myself looking for a new gig, one of the firms I contacted gave me a written test as part of their recruiting and interview process. Part of that test included a hacking skills challenge (something I haven’t included here in quite a while). I thought you, dear reader, would be interested in taking the test, so I’m posting it here. There are some questions that require correct answers and some that are more subjective. Try out your skills and email your answers to kenharthun <at> gmail <dot> com. I’ll post my answers tomorrow (and my answers were good enough that I got offered the job after my interview). Good luck!

  • Q1.  A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high.  You only have remote access to their firewall.  How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled?  Assume that the firewall that is in place is one you are familiar with, and note that information in your response.
  • Q2.  Please provide a few lines of a Windows network login script that you have created.  Please explain what the script accomplishes.
  • Q3.  A user connects remotely to a Citrix MetaFrame 4.0 server.  The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation.  The server doesn’t have this driver on it.  What are 3 different ways you could get the printer to work, and which one would you choose, and why?
  • Q4.  A company is assigned the network 1.1.1.0/30 for a T1 to the Internet.  The ISP sets the router at 1.1.1.1.  The company sets up a workstation at 1.1.1.5 with a default gateway of 1.1.1.1, but can’t get to the Internet.  What is the most likely issue?
  • Q5.  A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC.  The company has purchased a new server and 3 licenses of Windows Server 2003.  The company operates 24 hours per day and can’t take the network down.  Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.
  • Q6.  A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers.  Active Directory is running in Native Mode and all of the workstations have been added to the domain.  The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly.  If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server.  How can this be accomplished without going to every desktop?
  • Q7.  A company decides to get a point to point T1 to connect their main office to an office across town.  The T1 will be connected to a Cisco 1841.  All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway.  The PIX is running 6.3(5).  How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?
  • Q8.  A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely.  The remote users are running workstations with Windows XP SP2 and Outlook 2003.  How can this be accomplished?
  • Q9.  Please describe a time where you solved a difficult problem.
  • Q10.  Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level. [We’ve covered all those in this blog, but go ahead anyway.]

February 24, 2013  6:15 PM

The password as a security token – Part 2


In my first post, The password as a security token – Concept, I discussed using a password as the “what you have” part of two-factor authentication. Today, I’ll outline how to implement a simple way to do that.

First, create a strong password at least eight characters long. It doesn’t have to be easy to remember because you will write it down and carry it with you. You can use GRC’s Ultra High Security Password Generator to get some really random characters like these: tyL&FG.3

Write this password down and carry it with you. This is your token.

Now, you simply create new passwords or change your existing ones to include the token at the beginning or the end. Your new passwords need not be more than four or five characters long and can be something that you’ll easily remember, or you can safely write them down.

You could also have more than one token, perhaps one that you use only for your financial accounts and one that you use for email.


February 15, 2013  3:49 PM

Video: Double your internet speed? Not!


This video purports to instruct you on how to double your internet speed. If this guy is serious, he really has some issues; but it may be just tongue-in-cheek. In particular, be sure to pay attention to the part where he tells you to tape the bare connectors on each end so the signal won’t leak out. Oh, and he even “proves” his theory with (totally bogus) calculations. In any event, I found it extremely amusing.


February 10, 2013  5:29 PM

Flickr bug compromises privacy


If you use Flickr and you had any private photos posted there, well, the world may now know what you didn’t intend to share. Just got this notice from them yesterday:

Dear Ken Harthun,

I’m writing to let you know about a recent issue with Flickr’s privacy settings that impacted some of the photos in your account.

While performing routine site maintenance, we identified a software bug that may have changed the view setting on some of your photos from non-public (i.e., private or viewable only by family and friends) to public. Affected photos were visible on Flickr between January 18th and February 7th, 2013. The affected photos were barred from appearing in any search results and they were limited to photos you’ve uploaded between April and December of 2012. Overall, this issue impacted only a small percentage of photos.

I have nothing to worry about, but I’m sure there were some people affected by this. I can imagine some very embarrassed people who were questioned by their parents or friends about certain photos they posted.

It’s not just hackers and those with malicious intent that you need to worry about. In this case, it was a software bug. Not malicious, but it was, potentially, equally as damaging. Once again, I stress that you should never post anything anywhere on the web that you wouldn’t want the world to see. The web is about as secure as a bank vault using a piece of spaghetti to lock it.


February 10, 2013  5:13 PM

The password as a security token – Concept


We all know the three basic ways of proving identity:  What you know, what you have, and what you are.  Though there is a plethora of articles asserting that the password is dead, I’m not convinced that is the case. Consider that a password could serve as two of those factors: What you know and what you have. Bear with me here because this takes some thought.

We normally look at two-factor authentication as using both a password and some randomly-generated numerical sequence on some physical device that changes every minute or so. There is another option. I use both a Yubikey and a PayPal “football” token. These two devices are worlds apart: The Yubikey has a unique ID that never changes and you have to have that device plugged in to validate it; the football generates a random six digit number that you append to your password or input in a secondary authentication screen. Both of these assume one key factor: You must possess the token and combine it with your password in order to authenticate. That means you must KNOW the password and you must HAVE the token to authenticate. Having one or the other means nothing.

The key difference is that one device – the Yubikey – requires a physical connection; the other device – the football – requires only that you possess it. Why not synthesize this concept using only a password? A physical connection won’t be necessary, but you must possess the second factor, so this resembles the football more than the Yubikey.

I’ll outline the implementation of this concept in a future post. For now, I want you to give it some thought and let me know via the comments your thoughts on this.


February 6, 2013  5:11 PM

Beware tax agency phishing scams


It’s that time of the year again: Tax filing season in the U.S. And that means the cybercriminals will be spamming out their tax letter scams. Here’s one example of such an email as reported by Sophos:

Subject: FW: 2010 and 2011 Tax Documents; Accountant's Letter

Message body:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2010 and 2011, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.

Attached to it is a ZIP file, whose filename will vary depending on the recipient. For instance, if the email is sent to chris@example.com, the zip file will be called chris.zip.

Inside the ZIP file is an executable file: “Individual Income Tax Returns.exe”

The executable file is a Trojan horse backdoor that will allow hackers to take over your computer for their own nefarious purposes.

Keep in mind that this is only one example and there are usually many variations out there. There is one thing you can be certain of: They are all designed to steal your money and/or your identity.


January 31, 2013  2:31 AM

Physical security: Implementing a card access system


At the college where I work, we just implemented a card access system. All staff, students and faculty are required to have badges that have inductive proximity devices attached to them. I opted for the self-adhesive tags shown here because I didn’t want to have to create 300 new photo badges. It was much simpler to have everyone file into my office and get the tag attached to their existing badge. The project took six weeks in planning including notifications to staff and students and a two-week grace period after installation of the scanners.

I was concerned that we would have major issues when I flipped the switch on January 28th. You just never know how these things will play out. I was pleasantly surprised, however. We had a few stragglers who didn’t get their chips and a few people who, for whatever reason, never got an ID badge, but the process I put in place worked well and the system is now operational.

If you plan such a security system, here are a few things to consider:

  • Depending on the size of your organization, begin to notify your staff and/or students four to six weeks in advance of implementation
  • Send at least three notices of the impending lock down
  • Give yourself a sufficient window to make sure all card IDs are entered into the security software database.
  • During the pre-launch phase, explain the process to everyone and make it clear who to contact if there are problems.
  • Expect Murphy’s Law to manifest itself

I was pleasantly surprised how well our implementation went. Our receptionists handled missing chips and badges extremely well and though we experienced an increased workload in our department, there were no major upsets.

The most interesting problem we experienced was with a student who could not gain access even though he had a valid chip on his badge. The system kept saying “Invalid/unknown security ID.” When I investigated, I found an ID number that was not in our series of chips. I suspected a typo, but found that the student had an access card to his apartment complex that was the same type used by our system. He had all of his cards on the same lanyard and when he held up his student ID, his apartment complex ID was being read by our system instead.

Security is fun, isn’t it?


January 31, 2013  1:26 AM

Video: How to explain phishing to your Grandma


Catchy title, but the video really doesn’t explain. The Sophos Threatsaurus, however, does a wonderful job of explaining all kinds of malware to everyone. I have a copy and keep it handy on my desk. I suggest you do, too. It’s still a catchy video, especially for those who love British humour.


January 30, 2013  12:39 AM

All your secret are belong to us


The eight-character password is dead. All possible combinations of 8 character Windows passwords can now be broken in six hours using some sophisticated, but readily available hardware. A paper from the Oslo password hacking conference gives details of how researcher Jeremi Gosney lashed together 25 AMD Radeon Graphics Processing Units (GPUs) into a specialized computing cluster and used it against NTLM password hashes. You’ll need twenty rack units of space in a server room and an industrial-style power supply delivering 7kW. It’ll cost you about $20,000 to build.

As you probably already know, “NTLM relies on one of the easiest-to-crack hashing systems still in widespread use: a straight, unsalted, uniterated MD4 hash of your password,” according to this Sophos Naked Security post.

Not that any savvy administrator permits NTLM hashes anymore, but 8 characters is simply not enough password length for these times. My shortest password used for critical systems is 10 characters and I’m going to be increasing that to at least 14 in short order.

I recommend you do the same.
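To make the two points above concrete, here is an added example (not from the post, Gosney’s paper or the Sophos article): a pure-Python MD4 applied to the UTF-16LE password, which is exactly what an NT hash is, followed by the arithmetic that turns “every 8-character password in six hours” into the hash rate that figure implies and the time the same rig would need for 10- and 14-character passwords. The 95-character printable-ASCII alphabet is an assumption of this example.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & MASK

def _md4_block(state, block):
    # One 64-byte MD4 compression (RFC 1320): three rounds of 16 steps each.
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda p, q, r: (p & q) | (~p & r), 0x00000000, range(16), (3, 7, 11, 19)),
        (lambda p, q, r: (p & q) | (p & r) | (q & r), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda p, q, r: p ^ q ^ r, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]

def md4(data: bytes) -> bytes:
    # Pad with 0x80 and zeros to 56 mod 64, then append the 64-bit LE bit length.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    # An NT hash is MD4 of the UTF-16LE password: no salt and no iteration, so
    # every account using the same password stores the identical hash.
    return md4(password.encode("utf-16le")).hex()

PRINTABLE = 95  # assumption: printable ASCII alphabet for the keyspace figures

def implied_rate(length=8, hours=6.0, alphabet=PRINTABLE):
    # Hashes per second needed to exhaust every password of `length` in `hours`.
    return alphabet ** length / (hours * 3600.0)

def hours_to_exhaust(length, rate, alphabet=PRINTABLE):
    # Hours the same rig needs to exhaust the keyspace of a longer password.
    return alphabet ** length / rate / 3600.0
```

At the implied rate (about 3 x 10^11 NT hashes per second), 10 characters take a little over six years and 14 characters about half a billion years, which is why the jump to 14 matters far more than the jump to 10.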


January 20, 2013  5:08 PM

Simple password tip to create unguessable passwords


Remember the Worst Passwords of 2012? Besides the advice I gave in my post about what you can do about that, here’s another tip: Use accented special language characters. This article: http://www.forlang.wsu.edu/help/keyboards.asp#unicode gives you plenty of choices. Let’s do my name in several variations (I don’t use these as passwords anywhere, in case you are wondering):

kenharthun
kénhårthun
KëÑharthuñ

Because of the key sequence necessary to enter these characters, no one is going to discover them. There is a caveat, however: The program or site may not allow these characters. I suggest you test it in depth.

This is also a password cloaking method if you are one of those people who write passwords in a book and keep it on your desk. Let’s say your password is I@mgreat. You could write that down with the sequence I064mgr101065t.

It’s not likely anyone is going to figure that out.

