Security Corner


January 29, 2012  5:10 PM

Beware Chuck Norris Facebook scam

Ken Harthun Ken Harthun Profile: Ken Harthun

Hey! Chuck Norris is NOT dead. The Facebook messages claiming to link to a video news report on his death are a scam. Here’s the text of a typical message:

Chuck Norris dies at age 71! Not a Joke.
[LINK]
See the video to find out how he died. News today of Chuck Norris death at age 71 has been met with confusion and humour, but sadly it is true.

If you are gullible enough to click on the link, you will be presented with a survey scam like the one below.


If you do fall for this scam, or one like it, make sure you aren’t now allowing rogue applications or “liking” questionable pages. These can help spread the scam.

And it’s probably a good idea to change your Facebook password while you have it on your mind.

Why do people do things like this? Simple, they do it for the money. Every survey someone fills out results in a payment to the scammer. It’s called “Cost Per Action” marketing and the scammers are just trying to run up their numbers. It’s illegal and they’ll get banned from the program if they get caught, but they can make a good haul before that happens.

Don’t help line their pockets.

January 28, 2012  8:34 PM

Full two-hour audio interview with Mary Coon

Ken Harthun Ken Harthun Profile: Ken Harthun

As promised, I am posting the full audio file of my recent interview with Mary Coon of Motivational-radio.com. We talked about online security and there was some great music (chosen by me) during the breaks. Be sure to listen to the first part of the interview to find out what life was like online during the early days of the Internet. I guess I give my age away, but you’ll find it fascinating if you didn’t experience it for yourself.

Download Interview with Mary Coon. (Will either open an audio player or will play in a browser window depending on your settings.)

Enjoy!


January 22, 2012  9:39 PM

Listen to my interview with Mary Coon about online security

Ken Harthun Ken Harthun Profile: Ken Harthun

I recently did a 2-hour special interview with Mary Coon of Motivational-radio.com on the subject of online security. We focused on my “14 Golden Rules of Computer Security” (which is currently being revised and will help launch my new site) We had a very lively discussion.  More interviews are planned for the future. I guess I’m now a radio “star,” at least online. Seriously, though, I think you should check out the site. I’ve been keeping it playing in the background. When there are no actual interviews or special programs running, they play some great inspirational and motivational music.

My show airs Wednesday, January 25, 2012 at 8 pm EST. Please make it a point to listen. I think you’ll like what you hear, as I certainly enjoyed doing it.

Who knows? There may be a podcast in my future…

Click here to listen.

After the show airs, I will post the audio file here for you to download and pass onto to your clients and family.


January 18, 2012  1:38 PM

Zappos security breach affects 24 million

Ken Harthun Ken Harthun Profile: Ken Harthun

This news is already getting old, having broken yesterday; however, there’s some good advice issued by Tony Hsieh, CEO of Zappos. I’ll get to that in a minute, but you might want to read his blog post.

So, Zappos got hacked. Customer account information on 24 million customers including names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords was obtained by the criminal(s). The actual passwords weren’t obtained, but we can assume the hackers will try to crack the crypto.

The email sent to the customers contained some great advice: “We also recommend that you change your password on any other web site where you use the same or a similar password.” Not that you should ever use the same password on multiple sites, but this is great advice. If you are an affected Zappos customer, be sure to take this advice and go change that password on the other sites. Just make sure that for each site you change it on, you use a different password, not the same one over and over.

To be honest with you, I do use a certain set of passwords that are the same on multiple sites. The sites I use these passwords on are not anything important and the passwords I repeat are never the same passwords I use on shopping sites and other critical financial sites; those are all different, very strong passwords.

With all the great password advice I’ve been giving you over the years, there is no reason for you to have any trouble coming up with good, easily remembered passwords.


January 17, 2012  11:33 PM

Understand Password Haystacks in under three minutes

Ken Harthun Ken Harthun Profile: Ken Harthun

As you know, I am a big fan of Steve Gibson’s Password Haystacks concept. The idea is very simple and makes it easy for anyone to create secure passwords that are also easy to remember. Last September, KABC in Los Angeles did a short news segment that full explains the essence of the password haystack. I was impressed. See what you think.

Click here to see the video interview.


January 17, 2012  10:57 AM

What the heck is a password honeypot?

Ken Harthun Ken Harthun Profile: Ken Harthun

Has your Gmail, Yahoo, Hotmail or Skype account ever been hacked? If so, you either have an extremely guessable password, or you gave hackers your login credentials by putting them into a password honeypot. What the heck is a password honeypot? Good question. Let me give you a bit of background.

The good guys who fight malware set up servers and computers that are directly connected to the Internet and which are deliberately left vulnerable to malware infection. They do this knowing that the bad guys will infect the machines as soon as they find them. The good guys then have an in-the-wild copy of the malware that they can reverse engineer to see how it works. This is the good version of a honeypot.  All of the major anti-malware companies continually monitor their honeypots to discover new malware and variants of old malware.

The bad guys want to hack you and steal your credentials so they can gain access to your accounts for nefarious purposes, such as sending spam, stealing the money from your bank accounts, hijacking your credit card numbers, or even stealing your identity. Besides other, more conventional methods such as email links and poisoned search results, the bad guys set up websites that pretend to give you access to good stuff, often free software, games, etc, and force you to “create an account” to gain access. This is the bad version of the honeypot.

The bad guys know that most people always use the same login name for everything and often also use the same password for everything. Create an account on one of these password honeypots, and there’s a good chance the bad guys have what they need to make your life miserable. Once they have the credentials you used to create the honeypot account, the bad guys (or their hired cronies) will try those credentials on all of the major email, social networking, banking, and credit card sites.

This is one very good reason never to use the same password on more than one site; and, certainly never use the same credentials ad your financial accounts. I have a very specific username for certain types of sites I don’t trust and I always use an unguessable, different password for each one.


January 16, 2012  10:47 PM

A simple password recycling method

Ken Harthun Ken Harthun Profile: Ken Harthun

Oh, I can already hear the groans and see the rotten tomatoes flying my way. But wait! There’s a way to recycle  your favorite passwords without compromising security. It’s rather ingenious, if I do say so myself. All you have to is set up a recurring, shifting pattern based on your password change cycle. This will work on your job as well as at home. Inspired by Steve Gibson’s Password Haystacks, and completely in line with my New Password Paradigm series of posts, this method of recycling passwords makes it easy for you to comply with your corporate password policy, without getting stumped about what password to use next.

The first thing you will want to do is take out a piece of paper; you are going to write down your password pads, i.e., the characters you are going to add to your “standard” password.  (Don’t worry, you won’t be writing down the actual password, that’s going to be something you will easily remember.) I suggest you use two characters at the front and two characters at the end, but that’s entirely up to you. The key is to make a secure password that is not only easy to remember, but different every time you are required to change it.

For the sake of illustration, let’s say that you are required to change your password monthly and that you cannot use any of the last six passwords you previously used. That means you must have seven “pads” that you rotate. (DO NOT USE the pattern I propose here; change it to make it your own!) You could do it this way: on the left side of your paper, write down the numerals 0 through 6 placing each on a new line. Then pick seven different uppercase and lowercase letters and some symbols and write one next to each numeral. My example list looks like this:

0!
1&
2J
3k
4s
5V
6+

Now, either choose your favorite, easy-to-remember word or phrase, or use the favorite password you use for everything (I KNOW you do that, so don’t worry about it). For this example, I’ll use password.

At the first password change, use 0!password, 0!Password, 0!password0!, or whatever variation you wish, provided that you will remember it easily. Remember, the longer, the better. Cross off the pad you just used and each time you have to change the password, just change the pad and cross it off. After you use the seventh one, you can start over at the top of the list and the server should allow it.

One caveat: some password policy engines require a certain number of characters in the new password to be different from the old password. That’s no problem, just use the pad more than once or twice and you’ll be good to go.

Simple. Secure. Easy to remember.


December 31, 2011  11:59 PM

Solution: What a Geek puzzle!

Ken Harthun Ken Harthun Profile: Ken Harthun
New Year Resolutions Graphic

Happy New Year!

Happy New Year!

I promised you a solution and here it is!

[kml_flashembed movie="http://www.youtube.com/v/K5pOWP0nGBE" width="425" height="350" wmode="transparent" /]


December 31, 2011  12:54 PM

What a Geek puzzle!

Ken Harthun Ken Harthun Profile: Ken Harthun

Can you solve this? The actual contest is over, but Sophos published a challenge recently that even stumped ME! Can you believe it? Anyway, here’s a link to the original challenge: “The #dragontattoo #sophospuzzle.”

Stage One is a simple 24-character code.

Here it is:

=ImYndmbn1ieiBnLmJWdjJmZ

All you need to do is to figure out how to transform this code into a URL.

Then follow your nose to the next stage.

Believe me, it’s not easy (unless you already know how to transform the text!) Hint: The “=” gives it away if you know your Linux.

I’ll post the video solution on New Year’s Eve, 23:59 UTC.


December 30, 2011  6:45 PM

Oíche Shamhna agus tá na Nollag ar an lá céanna?

Ken Harthun Ken Harthun Profile: Ken Harthun

Now we’re having fun. In the spirit of the celebratory season, when brain cells are being destroyed by the millions, I think it’s a good idea to stimulate those that remain. The challenge is to identify the language and translate the post. Hint: the format of the post is the clue. It’s probably too easy, but what the heck, everyone deserves to win this one….

Tá sé an joke d’aois agus is dócha caite amach go hiomlán, ach ní raibh mé in ann resist scríobh faoi. Tar éis an tsaoil, tá mé ar Geek agus Ríomhchláraitheoir ó bhealach ar ais, agus mar sin bhuaileann sé sa bhaile.

C. Cén fáth a bhfuil mearbhall ríomhchláraitheoirí Oíche Shamhna leis na Nollag?

A. Toisc 31 Deireadh Fómhair agus an 25 Nollaig an gcéanna; dá bhrí sin, Oíche Shamhna = Nollag!

Mura ndéanann tú é a fháil, ní bhíonn tú ar Geek fíor. D’fhéadfaí a thabhairt Geek fíor gur míniú níos ciallmhaire ar an gcaidreamh Deireadh Fómhair 31 = Nollaig 25 Oíche Shamhna = Nollag!

An féidir leat freisin a mhíniú cén fáth 16 = 20 = 10? Cad é faoi 86 = 126 = 56?

Stuif spraoi. Geek siamsaíochta.

BTW, Googling Verboten! Iad siúd a fhaigheann Beidh Google Schlag i nead Arsch!

Iar do fhreagra sa tuairimí.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: