Security Corner


April 30, 2012  5:08 PM

One of the funniest security videos ever!

Ken Harthun

WARNING: Adult (almost) content. I’m going to say nothing more about this, but you have to watch this video.

Have a great week!


April 30, 2012  10:16 AM

Not using Firewire port? Disable it

Ken Harthun

Source: Wikipedia

From Wikipedia: “The IEEE-1394 interface, developed in late 1980s and early 1990s by Apple as FireWire, is a serial bus interface standard for high-speed communications and isochronous real-time data transfer. The 1394 interface is comparable with USB and often those two technologies are considered together, though USB has more market share.”

FireWire has some inherent security issues due to its ability to communicate by direct memory access (DMA). In many implementations, this is done in hardware without direct operating system intervention, which “can be a security or media rights-restriction risk if untrustworthy devices are attached to the bus.” What to do about it? From Wikipedia:

…high-security installations will typically either purchase newer machines which map a virtual memory space to the FireWire “Physical Memory Space” (such as a Power Mac G5, or any Sun workstation), disable relevant drivers at operating system level,[65] disable the OHCI hardware mapping between FireWire and device memory, physically disable the entire FireWire interface, or opt not to use FireWire hardware.

My simple take on it is that if you aren’t using it, disable it. Sure, a FireWire hack would require physical access to your system and isn’t a remote access threat. Nevertheless, it is a door and should be locked. You lock the doors to your house, don’t you?
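One way to apply the "disable relevant drivers at operating system level" option on a Linux host, as an added example that is not from the original post: it lists any loaded FireWire drivers and builds a modprobe blacklist for them. The Linux module names and the file name `disable-firewire.conf` are assumptions of this example.

```python
# Added example: audit a Linux host for loaded FireWire (IEEE 1394) drivers.
from pathlib import Path

# Assumed module names: current firewire_* stack plus the legacy ieee1394 stack.
FIREWIRE_MODULES = {
    "firewire_core", "firewire_ohci", "firewire_sbp2", "firewire_net",
    "ieee1394", "ohci1394", "sbp2", "raw1394", "video1394", "dv1394", "eth1394",
}

def loaded_firewire_modules(proc_modules_text):
    """Return the sorted FireWire modules named in /proc/modules-format text."""
    found = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in FIREWIRE_MODULES:
            found.add(fields[0])
    return sorted(found)

def modprobe_blacklist(modules=FIREWIRE_MODULES):
    """Build modprobe.d content that blocks both auto-load and explicit load."""
    lines = ["# Disable FireWire: unused DMA-capable bus"]
    for name in sorted(modules):
        lines.append(f"blacklist {name}")           # stop alias-based auto-loading
        lines.append(f"install {name} /bin/false")  # make an explicit modprobe fail
    return "\n".join(lines) + "\n"

# Constructed sample in /proc/modules format (not captured from a real host).
SAMPLE = """\
firewire_ohci 40960 0 - Live 0xffffffffc0a10000
firewire_core 65536 1 firewire_ohci, Live 0xffffffffc09f0000
usbcore 286720 3 xhci_hcd,usbhid, Live 0xffffffffc0400000
"""

if __name__ == "__main__":
    path = Path("/proc/modules")
    text = path.read_text() if path.exists() else SAMPLE
    hits = loaded_firewire_modules(text)
    print("FireWire drivers loaded:", ", ".join(hits) or "none")
    if hits:
        # Hypothetical file name; any *.conf under /etc/modprobe.d/ is read.
        print("Suggested /etc/modprobe.d/disable-firewire.conf:")
        print(modprobe_blacklist(hits), end="")
```

The blacklist takes effect the next time the modules would be loaded, so already-loaded drivers stay active until they are unloaded or the machine is rebooted.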


April 29, 2012  11:25 PM

Schneier says post-9/11 airline security harms us

Ken Harthun

If you follow security expert Bruce Schneier, then you’ll agree with the following:

Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a “security guru,” he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

The man knows of which he speaks: in 1992, he developed the Blowfish encryption algorithm, a keyed, symmetric block cipher that is still in use today.

His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as “the book the National Security Agency wanted never to be published.”

So, if he says something isn’t right, I’m willing to listen. And he says that airline security isn’t right. He recently debated former TSA Administrator Kip Hawley on the “Economist” website. You can find the debate here.

In his latest issue of CRYPTO-GRAM, his monthly security newsletter (subscribe free here), he summarizes his position and points out what I consider illogic that pervades our entire government. Schneier is highly critical of the measures in place today and suggests that airports are effectively rights-free zones. I suggest that such things are reactions to irrational fear, perpetrated by insane men who would have us all believe that terrorists are waiting in every public venue to kill us all. That’s absolutely ridiculous. You don’t have to look into it very far to see:

Kip Hawley doesn’t argue with the specifics of my criticisms, but instead provides anecdotes and asks us to trust that airport security — and the Transportation Security Administration (TSA) in particular — knows what it’s doing.

He wants us to trust that a 400-ml bottle of liquid is dangerous, but transferring it to four 100-ml bottles magically makes it safe. He wants us to trust that the butter knives given to first-class passengers are nevertheless too dangerous to be taken through a security checkpoint. He wants us to trust the no-fly list: 21,000 people so dangerous they’re not allowed to fly, yet so innocent they can’t be arrested. He wants us to trust that the deployment of expensive full-body scanners has nothing to do with the fact that the former secretary of homeland security, Michael Chertoff, lobbies for one of the companies that makes them. He wants us to trust that there’s a reason to confiscate a cupcake (Las Vegas), a 3-inch plastic toy gun (London Gatwick), a purse with an embroidered gun on it (Norfolk, VA), a T-shirt with a picture of a gun on it (London Heathrow) and a plastic lightsaber that’s really a flashlight with a long cone on top (Dallas/Fort Worth).

His summary of the harms done post-9/11 by increased “security” measures is spot-on: “That we allow governments to do these things to us — to effectively do the terrorists’ job for them — is the greatest harm of all.”

“We have met the enemy and he is us.”


April 29, 2012  4:22 PM

Don’t let fake antivirus sucker you

Ken Harthun

Fake antivirus, also known as scareware, rogue antivirus and scamware, is one of the most common threats you will encounter on the web today. You’ve probably seen it before, and if you’re smart, you didn’t fall for the scam. The tactic this junk uses is to lure users to malicious sites and then scare them with fake threat warnings in an attempt to get them to pay for fake – and useless – threat removal tools.

Unfortunately the tactics these criminals use are highly effective against the average user who doesn’t know any better; this is why the scams are so prevalent – they make a tremendous amount of money for the criminals. For this reason, they are not going to go away any time soon and you need to know everything you can about how to keep this threat off of your network and away from your users.

Sophos has released a white paper entitled “Stopping Fake Antivirus: How to Keep Scareware off Your Network.” It contains a wealth of information and tips on how to combat this threat. I highly recommend you download and read it.


April 28, 2012  1:34 AM

IT Security Dos and Don’ts

Ken Harthun

Sophos has released the “IT Security Dos and Don’ts” toolkit that is a complete employee security awareness training campaign. Here’s what you get:

  • Program launch guide
  • Employee handbook
  • Email series of 10 tips
  • Poster series of 10 tips
  • Online videos
  • Password quick tips
  • Launch announcement
  • Buy-in documents

I immediately downloaded it and checked it out. I’m impressed. This will save me hours of work coming up with my own campaign and presentation for our employee Lunch-n-Learns.

One of the things I really like about this campaign is that each email tip links to a short video on the topic. Here’s the first one in the series, “Don’t Get Tricked:”

Video: http://www.youtube.com/v/rLO4EKvJbEM

I highly recommend you check this out.


April 27, 2012  12:54 AM

Crossword passwords

Ken Harthun

I love crossword puzzles. I’ve been doing them my whole life. My wife loves Sudoku puzzles. I can beat her any day at crossword; she slaughters me at Sudoku. This led me to an interesting realization about passwords: People tend to remember things they have an affinity for. Corollary: People are competent using tools they understand.

So, using crossword as an example, why not use one as a password generation matrix? You could fill it in with random characters, or you could solve the puzzle (in pencil, of course) and then randomly substitute numerals, upper/lower case letters and symbols.

Take a highlighter and mark off an 8, 10 or 12 character password. Make it 16 characters if that makes you feel better. When you are done using that password, mark it out in red ink and highlight another one. Use your imagination. Think. Get creative. Fill in those boxes with whatever comes to mind.
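The grid procedure described above, sketched in code as an added example that is not part of the original post: the grid is filled from a cryptographic random source, a run of cells is "highlighted" as a password, and crossed-out cells cannot be reused. The class name, symbol set and 15×15 size are assumptions chosen for illustration.

```python
import secrets
import string

# Assumed symbol set for the fill; any mix of letters, digits and symbols works.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"

class CrosswordGrid:
    """A square grid of random characters used as a password matrix."""

    def __init__(self, size=15):
        self.size = size
        # secrets draws from the OS CSPRNG, unlike the random module.
        self.cells = [[secrets.choice(ALPHABET) for _ in range(size)]
                      for _ in range(size)]
        self.crossed_out = set()  # cells already "marked out in red ink"

    def _run(self, row, col, direction, length):
        """List the (row, col) cells a run covers, rejecting runs off the grid."""
        if direction not in ("across", "down"):
            raise ValueError("direction must be 'across' or 'down'")
        dr, dc = (0, 1) if direction == "across" else (1, 0)
        run = [(row + i * dr, col + i * dc) for i in range(length)]
        if not all(0 <= r < self.size and 0 <= c < self.size for r, c in run):
            raise ValueError("run does not fit inside the grid")
        return run

    def highlight(self, row, col, direction, length=12):
        """Read a password from unused cells; refuse to reuse retired ones."""
        run = self._run(row, col, direction, length)
        if self.crossed_out.intersection(run):
            raise ValueError("run overlaps a crossed-out password")
        return "".join(self.cells[r][c] for r, c in run)

    def cross_out(self, row, col, direction, length=12):
        """Retire a password so none of its cells are used again."""
        self.crossed_out.update(self._run(row, col, direction, length))

if __name__ == "__main__":
    grid = CrosswordGrid()
    print("\n".join(" ".join(row) for row in grid.cells))
    print("12 across from (0, 0):", grid.highlight(0, 0, "across"))
    grid.cross_out(0, 0, "across")
    print("10 down from (1, 3):  ", grid.highlight(1, 3, "down", 10))
```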

(Note: Someone recently told me that they had searched the web and found that I write a lot about passwords. I asked them if they had read any of the articles. They had not. I asked why. They told me that they had their own system and didn’t need to read about it. I asked them about their “system.” I won’t tell you what they told me. I write about this subject a lot in the hope that someday, maybe, someone will realize that passwords can be fun and will start doing fun things to generate secure passwords…)


April 24, 2012  1:16 AM

IE Trusted Sites blocks trusted sites?

Ken Harthun

A client called today saying that his remote login quit working on his laptop. When he would type in the URL of the Remote Web Workspace login for Microsoft Small Business Server 2011, he would get the dreaded “Internet Explorer cannot display the web page” message. I tried every suggestion that Microsoft had come up with:

  • Delete browsing history
  • Reset IE to defaults
  • Edit two different registry keys
  • Clear SSL cache
  • Delete and re-add certificate
  • Flush DNS
  • Check HOSTS file
  • Check DNS settings
  • Disable Add-ons
  • Set Advanced settings to prompt for any active content

Nothing worked. I even upgraded to IE9 and reset it. No joy there, either. So we got another fellow on the line from the company who had recently migrated my client’s server to the cloud to see if it could be related to going virtual. He basically ran down the list with me and verified that nothing worked.

We kept going back to Trusted Sites because, naturally, we want the lowest possible security settings so everything would be allowed. Logical, right? Well, forget logic. It doesn’t apply here (and sometimes doesn’t in things Microsoft).

We set up a Webex and the other tech started looking around. We went right back to Trusted Sites and looked. Everything looked right; so the tech deleted the URLs from the Trusted Sites list and voila! It was all good. Like I said, forget logic.

Sometimes you just have to do what seems the most counter-intuitive.


April 22, 2012  1:56 PM

WordPress sites responsible for Flashback attacks

Ken Harthun

Researchers say that infected WordPress sites were the initial attack vector for the Flashback Trojan horse program. Anywhere from 30,000 to 100,000 sites are thought to have been infected during February and early March with 85 percent of the infected machines located in the U.S. According to Kaspersky Lab researchers, the infected sites were rigged with code that silently redirected visitors to a malicious server.

The vulnerability that Flashback exploits is a known vulnerability in Java. Apple has issued a patch and Kaspersky has an online detection and removal tool available.

According to Dark Reading, this is a good example of why Mac users are an APT (Advanced Persistent Threat) attacker’s dream come true:

[Mac users might not have a lot of exploits to worry about, but their lack of security worries makes them an APT attacker’s dream come true. See Anatomy Of A Mac APT Attack.]

At the college where I am Net Admin, we have posted notices to all Mac users to protect themselves against this threat. We have also patched our 75+ iMacs in the Graphics Design and Photography labs.

With the growing popularity of Macs in the enterprise and with many consumers moving to “all Apple” technology — probably spurred on by the popularity of the iPhone and iPad — it’s no surprise that attackers have begun to zero in on the Mac.

Fortunately, there is free protection available to Mac users: ClamXav is available on ClamXav’s download page or in the Mac App Store.


March 31, 2012  9:48 PM

World Backup Day 2012

Ken Harthun

Today, March 31st, is World Backup Day 2012. The tagline reads: “Don’t be an April Fool. Backup your files. Check your restores.” You can visit the site for some great deals on backup services. They have a list of featured articles all about backup and a link to a great infographic on Pinterest. To save you time, I’ve placed the infographic below this post.

Hostgator’s monthly newsletter makes a good point: “Our whole lives are found on our hard drives. When a hard drive fails and the data isn’t backed up, it’s gone. And it’s not a question of IF your drive will fail, it’s WHEN.”

Those of us in the know, who do back up our data on a regular basis, are fairly well versed in some of the scary statistics about data loss and data security. For those who aren’t as familiar with the stats, here are the main ones in favor of backups:

  • All hard drives will crash during their lifetime
  • More than 1 in 10 laptops will be stolen in their lifetime
  • A laptop is stolen every 53 seconds
  • Every year 46% of computer users lose their music, photos, and documents
  • 50% of all hard drives will crash within 5 years
  • 89.1% of PC users don’t perform regular backups
  • A recent study from Gartner, Inc., found that 90 percent of companies that experience data loss go out of business within two years.
  • 70 percent of companies go out of business after a major data loss

While it’s on your mind, go ahead and take advantage of one of the free backup offers commemorating World Backup Day 2012. I promise, you’ll rest easier tonight.

Source: facebook.com via World on Pinterest


March 31, 2012  12:31 AM

“Glory Johnson” loves me

Ken Harthun

Source: FortBendNow.com

I have been getting a deluge of spam comments to my various posts on this blog from one Glory Johnson who goes by various nicknames. The most common nickname is “Glory39,” but the number is a moving target; “she” has posted as Glory342, Glory50, Glory34, and Glory38 among others. Well over 50 comments just today and they are still coming in. This is obviously a come-on for a scam; I’m just not sure what kind. I doubt that “Glory Johnson” is actually a female, nor does she have amorous intentions.
See what you think about the text of the comments. They are all identical, regardless of which version of “Glory” is posting them:

Hello My name is glory johnson i saw your profile today techtarget.com) and became intrested in you,i will also like to know you the more,and i want you to send an email to my email address so i can give you my picture for you to know whom i am.Here is my email address ( gloryjohnson001 at yahoo.com) I believe we can move from here!I am waiting for your mail to my email address above. glory. (Remeber the distance or colour does not matter but love matters alot in life) please contact me here ( gloryjohnson001 at yahoo.com)

I decided to play along and use one of my anonymous email addresses to appear to take the bait. Here’s what I sent to “her” email address:

Subject: I will like to know you the more
From:xxxxxxx
8:09 PM (16 minutes ago)
To: gloryjohnson001@yahoo.com
Hello,

You sent me this. I am wanting picture.

Hello
My name is glory johnson
i saw your profile today(techtarget.com) and
became intrested in you,i will also like to know you the more,and i
want you to send an email to my email address so i can give you my picture for you to know whom i am.Here is my email address (gloryjohnson001@yahoo.com)
I believe we can move from here!I am waiting for your mail to my email address above.
glory.
(Remeber the distance or colour does not matter but love matters alot in life)
please contact me here (gloryjohnson001@yahoo.com)

Unless this post has just tipped off the scammers, I’ll keep you posted on what transpires.

