Security Corner

April 17, 2013  3:04 PM

Despicable cyber-slugs exploiting Boston Marathon bombing with Trojan attack

Ken Harthun Ken Harthun Profile: Ken Harthun

Despicable, but it’s always inevitable in the wake of any human tragedy. Cyberslugs (I won’t elevate them to cybercriminal status, though they are certainly criminals) are using the Boston Marathon bombing to spread malware. Spam emails claim to contain a link to video of the bombing. The links vary but take you to a website that attempts to infect your computer with a Trojan horse. The videos are, in fact, real YouTube videos that disguise the malicious activity.

Subject lines of the emails vary, but include:

  • 2 Explosions at Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • Video of Explosion at the Boston Marathon 2013

According to Sophos’s blog, nakedsecurity:

If installed, the malware makes changes to the Registry and installs the following files, allowing hackers to gain remote access to infected computers:


The file NPF.sys is registered as a new service named “NPF”, with a display name of “WinPcap Packet Driver (NPF)”.

Never accept “news” from other than legitimate news sources, especially not from unsolicited emails.

April 9, 2013  1:44 AM

Could my client’s server be part of the Spamhaus DDoS attack?

Ken Harthun Ken Harthun Profile: Ken Harthun

In the wake of what is reported to be the largest DDoS attack ever–actually a DNS amplification attack–I received a message on behalf of one of my clients that indicated his server has been shut down because of an outbound DoS attack originating from it. How it got infected, and with what, I don’t know, but something is surely amiss. I wonder if his server could be part of that massive attack. Here’s a redacted excerpt from the notice I received:

Your <redacted> Server was found to be part of a network of compromised machines
leading a Distributed Denial-of-Service Attack (DDoS Attack) against other servers.

IMPORTANT: In order to prevent further criminal activity from your <redacted> Server,
we have suspended access pending an investigation and resolution.

The logs they sent me show UDP packets indicating that this could be part of a DNS amplification attack. Take a look:

Please see the firewall logs below for details:
1365103763.526228 IP > UDP, length 1
1365103763.526232 IP > UDP, length 1
1365103763.526234 IP > UDP, length 1
1365103763.526236 IP > UDP, length 1

That’s all I know for now. I have to contact the provider, open a window of time to gain access, and secure the server. I’ll keep you posted.

March 31, 2013  10:17 PM

Beware of Easter holiday scams

Ken Harthun Ken Harthun Profile: Ken Harthun

I know I probably don’t have to mention this, but beware of scammers targeting the Easter holiday. Same tricks, different holiday. (I know this is a bit late in coming since it’s already late on Easter Sunday, but it’s just as valid for next year.) Some examples:

  • Emails with the subject “Happy Easter.” Make sure they are actually from someone you know and don’t click any links or open any attachments until you have verified that the send is who they say they are.
  • Fake ads for animals such as bunny rabbits and ducklings. Buy them live from a local dealer. Don’t have them shipped.
  • Solicitations by “charities” using the Easter holiday as the motivator. One such scam I have seen tugs your heartstrings by showing hungry children and tying it to Easter’s resurrection theme. Don’t fall for it.
  • Cheap “clearance” sales of Easter candy. Some of it has been known to be five years old and rancid. It could make you or your children sick.
  • Cheap Easter toys and baubles that come from countries that still use lead-based paints.

And, for those of you who celebrate the holiday, Happy Easter!

March 31, 2013  3:12 PM

Humor: Windows 98 BSOD at Comdex 1998

Ken Harthun Ken Harthun Profile: Ken Harthun

This isn’t exactly security related, but it’s a good laugh and we all need to take things less seriously now and then. Saw this on the Petri IT Knowledgebase site:

If you’ve ever used a Microsoft Windows OS over the last decade or so, you’ve undoubtedly come across the infamous blue screen of death, more commonly referred to by the acronym BSOD. Arguably the most famous BSOD sighting was at Comdex in 1998, when Microsoft exec Chris Capossela — now Microsoft’s Chief Marketing Officer — was demonstrating the still-in-development Windows 98 to an assembled throng of Comdex attendees, with Microsoft co-founder and then-CEO Bill Gates by his side. The rest, as they say, is history, as shown by this humorous video clip:

March 30, 2013  3:01 PM

Spamhaus target of massive DDoS attack

Ken Harthun Ken Harthun Profile: Ken Harthun


If you have noticed a bit of sluggishness on your internet connection in the past week or so, it could be due to the most massive DDoS attack ever recorded. Here’s what’s happening according to Naked Security:

A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, an non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.

How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

Ouch! That’s huge. It seems that many primary internet backbones (“tier 1 service providers”) are being overwhelmed by the volume of traffic. That’s why you may have noticed the slowdown on the internet. I certainly did, but since it was most prevalent where I work, I didn’t think much of it. Our bandwidth is always strained when school is in session. I did find it a bit odd that my home connection seemed sluggish. It all became clear with the report of the DDoS attack.

So, if large botnets aren’t capable of delivering such a volume of traffic, what is causing it? It’s a large scale DNS amplification/reflection attack taking advantage of misconfigured DNS servers that will allow anyone to query them without any filtering or rate-throttling. It’s a huge problem as there are reportedly more than 21.7 million such servers online (Open Resolver Project). A Microsoft TechNet article provides a high-level summary of this type of attack:

A DNS amplification attack (aka DNS reflection attack) is a type of distributed denial of service (DDos) attack that takes advantage of the fact that a small DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system by initiating relatively small DNS queries.

I’ll leave it at that for now. I plan to give a more detailed analysis in a future post.

March 27, 2013  2:27 AM

Are you personally prepared for disaster?

Ken Harthun Ken Harthun Profile: Ken Harthun

Doomsday Preppers is a popular (in some circles) American reality television series that airs on the National Geographic Channel. I’m not a prepper in the sense of that TV series, but I grew up with Scouting whose motto has always been — and will probably always be —  “Be Prepared.” That motto has served me well in my life and has given me a sense of the need to always stay one step ahead of disaster in all meanings of the word. While we in the IT world don’t always phrase it that way, I think it is a motto that we always embrace, consciously or unconsciously.

I saw an interesting video last week that promotes the need to stock up on 37 foods that will sell out quickly during a crisis. I bought the book (actually a CD with PDF files) and started to read it tonight. In the preliminary chapters, the author discusses the need for a “bug out” kit and what that kit should contain. I’m not going to go into great detail here, but I am going to mention that all of your valuable documents should either be carried with you or available in electronic form so they are accessible no matter where you happen to find yourself. Examples of these are:

  • Passport
  • Social Security cards
  • Bank account information
  • Deeds to your property
  • Insurance policies
  • Medical records and prescriptions
  • Driver’s license

You should do your best to keep all of these documents in a portable fire-proof safe that you can take with you if you have to evacuate. But, you should also scan every single document and store those scans on both a portable storage device and do one or both of these things with them:

  • Email them to yourself at a cloud email service such as Gmail,, Yahoo, etc.
  • Save them to a cloud backup service or cloud storage such as SkyDrive, Dropbox, iCloud, etc.

You never want to be at the mercy of a single point of failure, especially in an emergency.

Doomsayers may be a bit over the top sometimes, but there’s no reason you can’t exercise good sense and “Be Prepared.”

March 18, 2013  10:35 PM

Security Now! Illustrated is a great resource for security training

Ken Harthun Ken Harthun Profile: Ken Harthun

My readers know that I’m a diehard Security Now! fan. As far as I’m concerned, it’s the best security related podcast on the internet, bar none. It is evident that I’m not the only Geek who feels this way. Whomever is behind loves SecurityNow! and has taken on the task of creating 3D animations of the concepts that Steve Gibson and Leo LaPorte discuss every week. I’ll be posting these videos here, but I wanted to give you an introduction so you can check them out for yourself. Included today is Steve Gibson’s introduction to what is doing with the SecurityNow! podcast episodes.

March 18, 2013  1:22 PM

Security blogger Brian Krebs targeted by cybercriminals

Ken Harthun Ken Harthun Profile: Ken Harthun

Anyone who knows anything about security researchers and bloggers knows of Brian Krebs and his blog,; nevertheless, here’s some background in case you’re wondering:

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of storiesfor and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.

According to Dan Goodin at Ars Technica, Krebs is known for work that includes:

It’s hardly a surprise that he has made enemies in the cybercrime underworld. Last week, some of those enemies attacked him. Writing in a March 13 blog post, he described what happened:

It’s not often that one has the opportunity to be the target of a cyber and kinetic [armed -Ed.] attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Fortunately, everything turned out fine, but the incident serves to illustrate that cyber-criminals–Krebs calls them cowards–are very jealous of their turf and will retaliate against those who they believe have violated it.

If you enjoy reading about real-life attacks via cyberspace, you should check out the post here.

March 17, 2013  10:27 PM

How much of your spam contains malware?

Ken Harthun Ken Harthun Profile: Ken Harthun

I am in my second year of using‘s excellent spam filtering service. I cannot recommend them enough. My main email account is so spam-free that I sometimes don’t even check the admin interface to see what MailRoute has been filtering for me. Today, I was curious to see just how much of the spam I receive contains malware. I was prepared to scan through the list of spam in the quarantine and perform my own analysis, but when I logged in and was presented with their new look, my quarantine had a tab named Virus. That made my job much easier.

My analysis showed that approximately three percent of my spam messages contained malware during the period of February 2 to date. That tracks with Kaspersky’s Securelist’s figures for January 2013:

January in figures

  • The percentage of spam in email traffic was down 7.7 percentage points compared with December and averaged 58.3%
  • The percentage of phishing emails halved compared with December, falling to 0.003%
  • In January, malicious files were found in 3% of all emails, a decrease of 0.15 percentage points

The biggest source of malware in my spam filter was the fake FedEx Tracking Service message, but I’ve seen a variety along the way.

March 3, 2013  1:46 PM

Evernote hacked

Ken Harthun Ken Harthun Profile: Ken Harthun

Evernote, the popular note taking program whose goal is “to help the world remember everything, communicate effectively and get things done,” has had their website hacked and is forcing all users to reset their passwords:

Security Notice: Service-wide Password Reset

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

Good for them that they salt their password hashes and good for them for implementing a password change for all users. Others should follow this example.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: