Security Corner


June 8, 2012  12:53 PM

Online privacy: Forget it!

Ken Harthun Ken Harthun Profile: Ken Harthun

If you are naive enough to think that you can post anything online, or even surf to a “safe” site, and maintain any semblance of privacy online, then you haven’t been paying attention. If you’re online, most of your life and all of your surfing habits are known. Gary Kovacs, CEO of the Mozilla Corporation gave a talk at TED in February, 2012 called “Tracking the Trackers.” If you aren’t outraged after watching the video, then you’re either completely apathetic or totally clueless.

As you surf the Web, information is being collected about you. Web tracking is not 100% evil — personal data can make your browsing more efficient; cookies can help your favorite websites stay in business. But, says Gary Kovacs, it’s your right to know what data is being collected about you and how it affects your online life. He unveils a Firefox add-on to do just that.

The video is just under seven minutes long and well worth watching. I also recommend you download the Collusion plugin for Firefox. Download Tracking the Trackers.

June 7, 2012  1:51 AM

Change your LinkedIn password

Ken Harthun Ken Harthun Profile: Ken Harthun

If you have an account on social network LinkedIn, you had better change it immediately. Hackers apparently got hold of an estimated 6.5 million passwords of LinkedIn users, about 4% of the 161 million population. This from Forbes:

According to security researchers, it appears that a file containing hashed passwords for about 4% of LinkedIn’s 161 million users has been posted online and hackers are working to crack it, reports Graham Culey at Sophos. “Our team is currently looking into reports of stolen passwords,” says LinkedIn via Twitter.

Security researcher Mikko Hypponen says he’s seen three lists which contain a few hundred thousand cracked passwords, including ‘nathanlinkedin,’ ‘linkedintrouble,’ ‘hondalinkedin,’ and ‘eaglelinkedin.’

I checked mine and found that it was the same password I had used on a couple of other sites and I hadn’t changed it for a couple of years. It’s changed now and it’s a good, strong password. Even if mine was among the hashes and the hackers crack it, it won’t do them any good.

We probably haven’t heard the last of this.


May 31, 2012  8:03 PM

Reintroducing Identity Exposure Index (IEI)

Ken Harthun Ken Harthun Profile: Ken Harthun

I first introduced the concept of an Identity Exposure Index (IEI) back in April of 2009. With all of the security breaches in the news over the past few months, I am presenting it again.

On a scale of 0 to 5 (0 being nearly invisible, 5 being at risk), how much of your identity is exposed on the Internet? If you’re wondering, there are some tests you can try that will give you a good idea of you Identity Exposure index (iEi). Here are the tests I performed and some calculations you can use. I chose these tests because they could give an identity thief enough information to impersonate you under the right circumstances. For example, knowing your mother’s maiden name and a former address might be enough to get past a security question or two. Heaven forbid your Social Security number shows up anywhere on line!

Keep in mind that this isn’t absolute by any means; it’s more of a quick-and-dirty estimate. But what you find might surprise you.

Use any top search engine. I used Google. My test results are shown in parentheses.

1. Search your name in the form you commonly use; e.g., Ken Harthun, not Kenny, Ken G. or other variants. Count the number of accurate hits on the first page. (9)

2. Search your full legal name as it appears on your birth certificate. Count the number of accurate hits on the first page. (3)

3. Search your mother’s married name, with and without her middle name and middle initial. If her maiden name shows up anywhere on the first page, count 10; if not, count 1. (10)

4.  Search the last six digits of your Social Security number, including the dash. If your name shows up anywhere on the first page, count 10; if not, count 1. (1)

5. Search your home phone number with area code. If your current address is shown, count 10; any former address, count 5; else, count 1. (5)

Now, add all the scores. Maximum score is 50. Divide by 10 to get your iEi. It’s your choice whether or not to round off.

As you can see, my score was 28, so my iEi is 2.8, which is above the median. For comparison purposes, I also did the tests using my wife’s information and her iEi is 0.7. That makes sense because she does almost nothing on the web, save for checking her one Yahoo! mail account.


May 30, 2012  8:41 PM

Video: Don’t Be a Billy

Ken Harthun Ken Harthun Profile: Ken Harthun

A hilarious retro video about what NOT to do on the Internet. Funny, but true. Enjoy!

[kml_flashembed movie="http://www.youtube.com/v/nPR131wMKEo" width="425" height="350" wmode="transparent" /]


May 29, 2012  6:31 PM

Minimum password length redux

Ken Harthun Ken Harthun Profile: Ken Harthun

About this time last year, I posted this article about minimum password lengths and ended up recommending 15 characters. I didn’t give it much more thought after that; however, in the light of Steve Gibson’s Password Haystacks and my recent post about PassFault.com, I decided to to take those two tools and compare some passwords of various lengths, both randomly generated and using Steve’s Personal Password Padding. For this test, I chose “unto” as a common word which I used to build variable length passwords from 8 to 16 characters in length that contain upper- and lower-case letters, numbers, and special characters. I also used LastPass to generate random passwords of various lengths. I assumed a massive attack scenario with no password file protection for both tools.

Password Time-to-Crack Analysis
Password Length GRC’s Brute Force Password “Search Space” Calculator PassFault’s Dictionary and Pattern Based Analyzer
KF&x8SPw 8 1.12 minutes less than 1 day
wIhE7SdAl! 10 1 week 3 days
8nK1Uaxh&xC3 12 1.74 centuries 50 centuries
iD0L&DKv39FBK% 14 15.67 thousand centuries 1,652,459 centuries
eS5E2p^SK#Uwg4WK 16 1.41 hundred million centuries 242,335 centuries
<>Unto90 8 1.12 minutes less than 1 day
<>Un90to<> 10 1 week less than 1 day
<>Un<>90to<> 12 1.74 centuries 4 decades, 3 years
<>Un<>90to<>90 14 15.67 thousand centuries less than 1 day
<>Un<>90to<>90<> 16 1.41 hundred million centuries 3 months

Obviously, PassFault’s algorithm is flawed, as can be seen in the results above. This is evident from the last three lines of the table.

I’m going to stick with 12 characters as an average minimum password length and 15 characters for critical data.


May 28, 2012  5:24 PM

Password patterns to avoid

Ken Harthun Ken Harthun Profile: Ken Harthun

There are all kinds of password strength meters on the Internet and for what most of them do, they’re pretty good. However, nearly all of them assume a brute force attack where the algorithm has to try all possible combinations of characters. In the real world, hackers have learned to use rainbow tables and pattern-matching as their first attempts; the first thing they usually try, of course, is a systematic dictionary attack. This is usually sufficient to guess anywhere from 20 – 50 percent of passwords on a given site. We all know to avoid dictionary words, our names, etc., but what about other password practices that may be risky, assuming all of us use some sort of mnemonic or pattern to remember passwords?

I came across a nifty site called PassFault, a project sponsored by The Open Web Application Security Project (OWASP). It has a nifty application you can use to test passwords: “Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple.” What I found most interesting is the types of patterns Passfault looks for and how it is done:

Passfault identifies patterns in a password, then calculates the number of passwords that could exist in those patterns. This is the measurement of password complexity. It is more academic and much more accurate than existing password analysis tools.

According to the site, you want to avoid these patterns:

  • Dictionary Word Insertion – putting random characters in between letters in a dictionary word
  • Dictionary Word Substitution – substituting letters with random characters
  • Dictionary Word Misspelling – “werd” instead of “word,” for example
  • Dictionary Leet Substitution – 137m31n (letmein)
  • Dictionary Word Backwards – “drow” instead of “word”
  • Repeated Pattern – 123123123
  • Random Latin & Cyrillic Characters – PasЛуни, or PasΦΘo®d
  • Horizontal, Diagonal & Repeated Key Sequences – asdf, cgybfe, rrrrr, etc.

I decided to test some of this by intentionally violating the guidelines and generally playing around. Note that the tool gives you some options of what kind of cracking hardware and password protection you can specify. I just used the defaults of “a $900 password cracker” and “Unix SHA1-based Crypt.” Here are the results in time to crack:

  • antidisestablishmentarianism – less than 1 day
  • 137M31n – less than 1 day
  • Password…….. – less than 1 day
  • …password… – less than 1 day, but a weird result in that it said “Repeated – Russian”
  • %^password^% – 1 day
  • %^wordpass^% – 2 months, 4 days
  • passwordwordpass – 1 year, 8 months
  • %^word^%pass!! – 2 centuries, three decades
  • Wo&rd – less than 1 day
  • Wo&rdw*rd – 2 months
  • Wo&rdw*rdwerd – 13 centuries
  • Wo&rdw*rdwerd1337 – 450,556 centuries
  • Wo&rdw*rdwerd1337drow – 7,788,860,117 centuries
  • [21 random keyboard characters] – 3.74068l0448019244e+21 centuries

Conclusion: it’s a fun tool to play with, but no Earth-shattering revelations here. Longer is better and mix it up. Steve Gibson’s Password Haystacks, which presents the concept of password padding, is still the most recent innovation in password theory.


May 15, 2012  5:32 PM

Before you upload to the cloud, PEE

Ken Harthun Ken Harthun Profile: Ken Harthun

Source: fotosearch.com

“The Cloud” is becoming the place to be for backup and data storage. Microsoft offers its SkyDrive; Apple has iCloud; there’s Mozy, Acronis, JustCloud, Carbonite, Dropbox, etc. There are so many, it’s impossible to list them all. This Geek uses SkyDrive, iCloud, DropBox and, for clients, Carbonite. They all have their advantages, similarities and differences. You can do your own study and make your own choices as to who you choose for your cloud storage provider; however, be aware of this very important concept: TNO – Trust No One. You want to make sure that only you, or those you designate, have access to your data. This means that:

  1. Your secret phrase, private key, PIN or password is known and visible only to you; and,
  2. Nowhere in the cloud or during transit is your data ever visible as clear text.

This is why you must PEE before you upload anything to the cloud.

PEE stands for “Pre-Egress Encryption.” In other words, encrypt your data before it ever leaves your machine. If you do this, no one will ever be able to see anything but random noise unless you allow them to decrypt it by providing the key.

Over the next couple of posts, I’ll give you a rundown of what I consider the best applications and techniques to make it easy for you to PEE. Stay tuned.


May 14, 2012  4:04 PM

Apple’s security 10 years behind Microsoft’s?

Ken Harthun Ken Harthun Profile: Ken Harthun

In light of the recent Flashback Trojan that infected an estimated 600,000 Mac users last month, industry experts are discussing Apple’s security. The perception has always been that Apple’s OS is more secure than Microsoft’s. This was led by the misconception that Apple computers could not be infected with viruses. Of course, this isn’t and never was true. But the idea that Apple is 10 years behind Microsoft in security is stretching things a bit. This item from The Verge lays the ground work:

A Flashback trojan, that affected more than 600,000 OS X users earlier this month, has industry experts discussing Apple’s response to Mac malware and its future prospects on security related issues. Eugene Kaspersky, CEO and co-founder of security company Kaspersky Lab, believes that Apple is “10 years behind Microsoft in terms of security.” Citing the relative success of the Flashback infections in an interview with CBR, Kaspersky predicts that cyber criminals will progress to create “more and more” malware in the future.

Kaspersky goes on to say that Apple will face the same problems that Microsoft did 10 or 12 years ago. I disagree. Here’s why (from the same article):

Mountain Lion, the company’s upcoming OS X operating system due in summer, includes a new Gatekeeper feature that, by default, restricts applications from running unless they are from the Mac App Store or identified developers. There is an optional switch to enable all apps again, but it’s clear this timely feature is designed to prevent malware from executing.

I’ll be watching this from the front row now that Casa Harthun is 3/5 Apple, and I’ll certainly keep you posted.


May 13, 2012  4:03 PM

Scam email poses as account alert

Ken Harthun Ken Harthun Profile: Ken Harthun
FortBendNow.com

Source: FortBendNow.com

I sent this out to my entire staff at the school the other day after a staff member alerted me:

There is an email floating around that warns you to “Validate” an email account. The email is a phishing scam that attempts to get you to visit a form and input your email details including your password. If you receive an email similar to the one below, delete it immediately!

IT Service,

You have exceeded the limit of 23432 storage on your mailbox set by your WEBCTSERVICE/Administrator, and you will be having problems in sending and recieving mails Until You Re-Validate. To prevent this, please click on the link below to reset your account.

[URL deleted]

Failure to do this, will result in limited access to your mailbox Warning !!! Do not send your username and password via email.

Regards,

IT Service
System Administrator


May 6, 2012  1:49 PM

Canadian drugstore spam poses as Amazon order cancellation

Ken Harthun Ken Harthun Profile: Ken Harthun
FortBendNow.com

Source: FortBendNow.com

Last week, I started to get emails in my Yahoo! mail, purportedly from Amazon.com, about a cancellation of my order. I figured these were bogus and confirmed this when my wife got identical emails. I decided to dig a bit deeper to see what they really were all about. Here’s a recent one:

Dear Customer,

Your order has been successfully canceled. For your reference, here's a summary of your order:

You just canceled order 111-219-44774 placed on May 5, 2012.

Status: CANCELED

_____________________________________________________________________

1 "Araby"; 2003, Second Edition
  By: Rachel Armstrong

Sold by: Amazon.com LLC

_____________________________________________________________________

Thank you for visiting Amazon.com!

---------------------------------------------------------------------
Amazon.com
Earth's Biggest Selection

http://www.amazon.com

---------------------------------------------------------------------

The order number and URL for Amazon both linked to a URL pointing to a Canadian drugstore site pitching those familiar male enhancement drugs. Here’s a partial screen shot:

Fortunately, there’s nothing malicious in this URL. It’s just scam drug spam. Put it where it belongs: in the trash.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: