Security Corner


March 11, 2012  2:41 PM

SANS’ Conversations about Cybersecurity

Ken Harthun Ken Harthun Profile: Ken Harthun

As you know, I’m a big fan of SANS Institute; their site, their various newsletters and their wealth of knowledge about cybersecurity are unparalleled. One day, I hope to be able to take some of their excellent training courses. In the meantime, however, I continue to peruse their newsletters and learn what I can.

The latest issue of SANS NewsBites, March 9, 2012, Vol. 14, Num. 020, beguns with this blurb written by Alan Paller, director of research for SANS:

The managing partner of a large New York law firm had a visit from the FBI in which he learned that the files of every one of his firm’s clients had been copied from the law firm’s servers and placed on servers in Asia known to be used as transfer points in APT attacks (APT translates loosely to Chinese, he learned). Nine days later, he and another partner from his firm came to my house on a Sunday morning fora conversation. They wanted to know why the intruders wanted the data, how they got in, why the firewalls and AV and other security tools their consultants told them to install didn’t stop the attacks, and how they could be stopped in the future. The conversation is posted at http://www.sans.org/security-resources/cybersecurity-conversations

This four part series is a fascinating read and I highly recommend it to anyone who is curious about the types of targeted attacks that are out there and how to protect yourself from them.

February 29, 2012  11:04 PM

And finally…give them your security question answers

Ken Harthun Ken Harthun Profile: Ken Harthun
wpclipart.com

Source: wpclipart.com

I promise that this is the last password succession hint for a bit. I just think this information needs to be out there for everyone to access. It doesn’t matter if you’re 16 or 95, if you have any accounts that your loved ones need access to in the event of your untimely (or even timely) demise, these tips will help you choose the method you most favor.

Most accounts you set up these days with banks, email, credit cards, PayPal, etc. allow you (or force you) to create security questions in the event you forget your password and need to reset it. You know them; they are things like, “What was the name of your first pet,” or, “What was the model of your first car.” The variations are endless, but they all satisfy the condition of “something you know.”

Normally, these should be something that only YOU know, but you can easily tell your loved ones what questions and answers you have chosen. This is probably the simplest way of providing for account succession as it will allow your loved one to reset your account passwords to something they will be more likely to remember. Besides that, the other methods my be a bit too technical for some; good for geeks, but not so good for the gander.

Do give it some thought, will you? The responsible among us urge you to make it easy on your loved ones during what is always a very difficult time.


February 28, 2012  10:48 PM

The succession power of LastPass One-time Passwords

Ken Harthun Ken Harthun Profile: Ken Harthun

My previous two posts have dealt with the concern of what happens if you pass away without your loved ones having access to your various account passwords. What will happen if they can’t access online banking information, credit card accounts, email accounts and other critical information? The process can be a nightmare, adding even more stress on top of the grief of loss. Therefore, it’s a loving thing to do to provide a means for your family to be able to access critical online accounts in the event of your death.

There is no question that the most expedient way to insure access is by storing all of your critical account information, financial information, and any other personal information (using Secure Notes) with LastPass. With LastPass, you can securely store any critical or personal information under one password. You can, as I have shown, make a list of passwords that you will use into the future; however, there is an even simpler solution: LastPass One-time Passwords. Generate a few of those, store them in your safe deposit box or with your attorney and no matter what happens to you, your loved ones can get into your Last Pass vault. Once they do, they can change the master password.

Here’s a video on how to do that in LastPass. And, if you don’t already have LastPass, what are you waiting for?

[kml_flashembed movie="http://www.youtube.com/v/-6lO280MJ0w" width="425" height="350" wmode="transparent" /]


February 26, 2012  1:00 AM

How will you pass on your passwords when you pass away? Part 2

Ken Harthun Ken Harthun Profile: Ken Harthun

Last time, in How will you pass on your passwords when you pass away? Part 1, I suggested that you need to start using a password manager to store all of your critical passwords and make the master password available to your spouse or loved ones in the event of your demise. But how do you insure that your master password is accessible if, as you should, you regularly change it and something happens to you before you can pass it on? Thanks, in part, to a listener’s question in Security Now! Episode 340, I present the following:

Method 1: Come up with a standard master passphrase that will always remain the same. When you change your passphrase, you will not alter the master portion, but will add to it at the front, the back, or both. What you add will be your own personal pattern based on the year and frequency of change. It is a simple matter to write up instructions and/or a list of those changes going ahead to any date in the future.

For example, you change your passphrase two times a year, say on January 1, and June 30. Assume your passphrase is MyPassphrase and it’s January 1, 2012. You might do this: 0101MyPassphrase2012; then, when you change it in June, you might do 2012MyPassphrase0630. What and how you do it is up to you; just make sure it is a pattern that you can easily communicate.

The beauty of this is that someone who knows the pattern could go back or ahead in history to try different passphrases if the first try doesn’t work. That would also work with the next method.

Method 2: Generate a long list of passphrases that extends well into the future and store the list in your safe deposit box or with someone like your attorney or accountant. If you change your passphrase twice yearly, generating 100 of them would give you 50 years of changes.

You can use GRC’s Ultra High Security Password Generator or any method of your own choosing to generate the passwords, save them in a spreadsheet, and pass them on.

In the meantime, Live long and prosper!


February 21, 2012  1:46 AM

How will you pass on your passwords when you pass away? Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

Have you ever considered what your family would go through trying to gain access to your various online accounts when you die? I know it’s not a pleasant thing to think about, but nothing about death and the various arrangements thereof ever is pleasant. Yet, it is something that must be done at some point, lest your family go through additional agony during an already difficult time. If you haven’t considered how to make it easy for your family to clean up and/or transfer your online accounts after your demise, then this article is for you.

I actually started to think about it after a client requested that I provide him with all of the logins to the various servers, backups, managed endpoint protection and special support email accounts. He said he got to thinking about where he would be if I “got hit by a bus.” He’d be lost and would not be able to manage his business or replace my services smoothly. That day, I gave him everything I had and wrote up how to change all of the logins if he needed to.

I also gave instructions to my wife on how to login to my computer with my credentials and how to use my master password for LastPass to access all of my passwords (which includes some of her accounts as well). I know what you’re thinking: What if I change the passwords and get hit by that bus before I tell her the new passwords?

I have a couple of rather ingenious solutions to that dilemma, but first, you MUST go get and start using a password manager if you have not done so already. I’m a LastPass guy, but that is by no means the last word (pun intended) on the subject.

The solutions are coming in Part 2.


February 19, 2012  5:00 PM

Boston Police respond to Anonymous hack with sarcasm

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s a saying that “nothing succeeds like insouciance.” Seems the Boston Police Department knows how that works. You may be aware of this news item, courtesy of Sophos:

A week ago, the BPDNews.com website which provides news about the Boston police and crime in the area was hacked by Anonymous. The hackers replaced the home page of the site with a message and a video of American rapper KRS-One performing his song “Sound of Da Police”.

After almost a week of downtime, Boston Police have managed to bring their website back up – and have proven they have got a sense of humour by making a video about the hack.

[kml_flashembed movie="http://www.youtube.com/v/ILhiW76B3H8" width="425" height="350" wmode="transparent" /]


February 19, 2012  6:03 AM

Beware Whitney Houston autopsy links on Facebook

Ken Harthun Ken Harthun Profile: Ken Harthun

It isn’t true, folks. Yes, Whitney Houston died; no, there isn’t a video of her autopsy available. It’s a scam, typical of other “disaster news” scams that seem to pop up around other shocking news events.

The video will appear as a status update with text similar to this:

– Whitney Houstons autopsy reveals a shocking secret that explains her death.

[LINK]

Breaking News: Coroners autopsy reports reveals a dark past and secret life which tragically led to Whitney Houstons death.

Here’s a screen shot courtesy of Sophos:

Do NOT fall for this scam. It will take you to a fake YouTube screen that says you need an update. You don’t. The “update” is malware.


February 18, 2012  8:01 PM

If you still use FTP, stop!

Ken Harthun Ken Harthun Profile: Ken Harthun

If you are still using FTP to transfer web site files and other things to your servers, stop doing that and switch to something more secure. FTP sends usernames and passwords in plain text, so you’re opening yourself up to attack. Here are some alternatives to FTP that are much more secure:

Smart FTP: SmartFTP is an FTP (File Transfer Protocol), FTPS, SFTP, SSH, Terminal client. It allows you to transfer files between your local computer and a server on the Internet. With its many basic and advanced Features SmartFTP also offers secure, reliable and efficient transfers that make it a powerful tool.

WinSCP: WinSCP is an open source free SFTP client, SCP client, FTPS client and FTP client for Windows. Its main function is file transfer between a local and a remote computer. Beyond this, WinSCP offers scripting and basic file manager functionality.

WebDrive: A Universal File Access Client that maps drive letters to FTP, WebDAV, SFTP and S3 Servers. Not free, but probably well worth it for the features provided.

FireFTP for Firefox: FireFTP is a free, secure, cross-platform FTP/SFTP client for Mozilla Firefox which provides easy and intuitive access to FTP/SFTP servers. (Note: there is also a version for Google Chrome.)


February 13, 2012  4:30 PM

The death of spam is imminent!

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, if Microsoft, Facebook and Google have anything to say about, yes. But, recall that back in 2004, Mr. Bill Gates predicted the death of spam by 2006. Of course, by all accounts, the problem is worse than ever.

Enter the aforementioned titans who along with PayPal, LinkedIn, Bank Of America and others are getting lots of press about a proposed new internet standard called DMARC, or Domain-based Message Authentication, Reporting & Conformance. Some of the headlines noted by Sophos in a recent blog post:

Google, Microsoft Say DMARC Spec Stops Phishing (Information Week)
Google, Facebook, Microsoft in PHISH-FIGHTING smackdown (Channel Register)
[DMARC] could dramatically slash the amount of spam received by hundreds of millions of people (Financial Review)

If you’re responsible for the mail infrastructure in your organisation, you might be a little sceptical at this point. You’re probably asking yourself, “What happened to SPF and DKIM, which themselves were going to be the scourge of spammers?”

The answer to your sceptical [sic] question about DMARC is that it doesn’t replace SPF or DKIM, and it doesn’t replace your current email security and control solution. In fact, it is predicated upon them, to the point that DMARC’s official first step in its implementation guidelines is:

* Deploy DKIM & SPF. You have to cover the basics first.

So, will it work? We can only hope.


January 31, 2012  7:16 PM

When Hollywood tells hacker stories

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, in this case, it’s the BBC from an episode of “Spooks,” a TV drama which follows the complicated lives of MI5 agents. Seems the Russians are trying to launch a DDoS attack on Britain’s computers in order to collapse their economy. The Ruskies are using a submarine that can intercept transatlantic Internet cables. Interesting concept.

Anyway, MI5 has a “zero day virus” and 30 seconds in which to launch a counter-attack against the sub. Now, this is completely over the top, but it makes for a good story.

Most TV and movie depictions of hackers and malware are off the mark because they are trying to dramatize something that isn’t very dramatic in real life. Most malware is pretty humdrum when you get down to it and hackers are rarely spotted in real time. See what you think about this clip:

[kml_flashembed movie="http://www.youtube.com/v/0oTZFDrmE30" width="560" height="315" wmode="transparent" /]


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: