Security Corner


October 30, 2011  4:00 PM

Celebrate International Kill-A-Zombie Day

Ken Harthun Ken Harthun Profile: Ken Harthun

Though announced by Sophos on Halloween Eve (Oct. 30) two years ago, International Kill-A-Zombie Day is just as relevant this Halloween as it was then. So, with Halloween 2011nigh, let’s redouble our efforts against malicious software. It’s still out there, you know. Have you noticed any drop in activity?

“Millions of computers around the world, in homes and business premises, are – without the knowledge of their owners – under the control of cybercriminals who commandeer the PCs to send spam, distribute malware, and commit identity theft,” says Graham Cluley, senior technology consultant at Sophos.

“Billions of spam messages are sent every day, with over 99% determined to be relayed from innocent users’ computers that have been hijacked and turned into a “zombie”. Hackers control networks of zombie computers, known as a botnet, in order to silently send out adverts that peddle sexual enhancement drugs or questionable financial deals, distribute scareware attacks to trick users out of their credit card details, access your social networking accounts, and spread further malicious attacks.”

[kml_flashembed movie="http://www.youtube.com/v/C6Jm_wAl668" width="425" height="350" wmode="transparent" /]

October 29, 2011  2:39 PM

Beware of Halloween tricks

Ken Harthun Ken Harthun Profile: Ken Harthun

The bad guys love to trick people into downloading their malicious garbage and will use just about any tactics to do so. It’s Halloween season, so people will be searching for all kinds of scary stuff to decorate, dress up and generally celebrate the creepy. The hackers know this and have started putting up poisoned search results, such as the one below for “free halloween skeleton templates.”

The site links to a fake video site and will infect you with malware if you fall for the trick of installing Adobe Flash player. More info can be found here: http://community.websense.com/blogs/securitylabs/archive/2011/10/05/first-wave-of-halloween-scare.aspx


October 29, 2011  12:40 AM

Yubico delivers secure two-factor authentication for Gmail and Google Apps

Ken Harthun Ken Harthun Profile: Ken Harthun

I love my Yubikey and I recommend it highly to everyone. I have it set up to authenticate me to LastPass and as the second factor on PayPal and eBay. Now, thanks to a small Windows app, you can use your Yubikey to provide two-factor authentication for Gmail and Google Apps.

This past Wednesday, October 26, 2011, Yubico announced that the company has successfully implemented the Initiative For Open Authentication (OATH) Time-based One-time Password (TOTP) configuration for the YubiKey USB authentication key, enabling secure access to Gmail and Google Apps.

Built into the Google account framework to supplement traditional password protection, Gmail and Google Apps users are able to authenticate their login with an additional layer of security using OATH TOTP.  The YubiKey simplifies the process of logging in with a one-time password token, as it does not require the user to re-type long passcodes from a display device into the login field of the computer.

“The OATH-TOTP configuration of the YubiKey enables Google Apps and Gmail users to authenticate with a simple click of the mouse, with a higher level of security than a smartphone application and with a minimal sized and practically indestructible token,” said Stina Ehrensvard, CEO and Founder, Yubico.

The OATH-TOTP protocol relies on using the current time to create a hash-based message authentication code for login credentials.  To utilize the YubiKey to support this protocol, Yubico has developed a small Windows app.  Once installed, the app sends the current time as a challenge to the YubiKey and the response is processed to produce the OATH-TOTP six-digit response.

You can get full details here: yubico.com/totp.

Now, I’m off to set up Google two-factor authentication on my accounts.


October 17, 2011  5:09 PM

Why you should stop posting these five things on Facebook

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’re not already a member of MakeUseOf, I highly suggest you join. They have a wealth of information that can make your lives and jobs easier. Today’s tip comes from a MakeUseOf email I just received. These are five things you need to stop posting on Facebook for both professional and personal reasons. Here is my take on them from a security standpoint.

  1. Your current location. You want the whole world to know where you are, or a thief to know you’re not home? This is just dangerous on the web. There are people out there who don’t have your best interests in mind and letting them know where you are just doesn’t make sense.
  2. New technology toys. “Wow, I love my new expensive gadget! Here’s a picture of it sitting on my bed. There is no reason for the whole world to know how you spend your money and no need to make yourself the target of thieves. This also ties in with #1 above: If the bad guys know you you aren’t at home and that you have penchant for expensive technology, you’ll be on their radar. Believe me, there are rings of people out there who take advantage of this.
  3. Chain posts about Facebook’s new payment system. It’s free: always was and always will be. It is absolutely amazing to me how these things just seem to persist forever. Posting these things is an indication that you’re, well, not the brightest bulb in the lamp. Hackers target gullible people with this stuff and gullible people continue to fall for it. Stop letting them know you’re a potential target.
  4. Vague or impersonal “personal” messages. You’ve seen them; you read them and go “huh?” Again, this could indicate that you are low-hanging fruit for the scammers and spammers.
  5. Vacation, pictures. I’ll let you be the judge on this one. This is not only related to #1 above – you’re letting people know you’re out of town – but depending on where the vacation spot is, local bad guys who may be monitoring things could target you.

You think your security settings that only allow your friends to see your updates are going to prevent bad things from happening? Well, take a good hard look at your friends list. Anyone on there who may be questionable? Anyone on there you really don’t know and have never met?

Facebook isn’t a private telephone conversation, it’s more like a 50,000 watt radio station; it can reach into places you don’t consider. And, unlike a telephone conversation that is over when it’s over, what you post on Facebook and the web will probably never go away. It can come back to bite you.

It’s not fun to get bit…


October 11, 2011  3:12 PM

Operation Swiper – Largest ID theft bust in history

Ken Harthun Ken Harthun Profile: Ken Harthun

From BankInfoSecurity.com (BIS):

On Oct. 7, the District Attorney of Queens County, N.Y., and City of New York Police announced the results of a two-year investigation that resulted in the biggest identity theft takedown in U.S. history.

The elaborate scheme, which involved five organized crime rings with ties to Europe, Asia, Africa and the Middle East, resulted in financial losses exceeding $13 million over a 16-month period.

So far, 111 individuals have been indicted, and authorities say 86 are now in custody.

The operation was dubbed “Operation Swiper.”

The criminals focused on credit card fraud, using stolen credit card numbers which they then used to create counterfeit credit and identification cards. Skimming devices were used in restaurants and on bogus websites to obtain the credit card numbers.

“The counterfeit cards were supplied to hired shoppers who were instructed to purchase high-end electronics and other merchandise, items that could easily be fenced and re-sold, usually over the Internet. Some of the shoppers also have been accused of using counterfeit cards to stay in five-star hotels and rent luxury cars during their so-called shops. In one case, a shopper allegedly commissioned a private jet to travel from New York to Florida,” BIS reports.

This is why it pays to keep careful tabs on your credit cards.


October 10, 2011  3:32 PM

Patch Tuesday – two critical vulnerabilities

Ken Harthun Ken Harthun Profile: Ken Harthun

Tuesday, October 11, is the second Tuesday of October and is the usual day when Microsoft issues security updates for its Windows products. This one contains two critical updates, so you will want to make sure that you turn your automatic updates on at your home PCs. (Mac users don’t have to worry about such things…) Here’s the scoop:

Microsoft is planning eight security updates next week – two critical – as part of its regular Patch Tuesday program.

The obvious highlight of the batch is a critical update for Internet Explorer that affects all supported versions of Microsoft’s ubiquitous web browser, including IE 9. The second critical update covers flaws in Microsoft .NET Framework and Microsoft Silverlight that create a possible mechanism for miscreants to inject hostile code onto vulnerable systems.

The bad news is that most of the updates will require system restarts. I suggest you set updates to manual on any application servers.


October 1, 2011  3:36 PM

If computer problems were real…

Ken Harthun Ken Harthun Profile: Ken Harthun

Hilarious YouTube video that one of my fellow Net Admins sent out this morning. So, I’m going to kick off the new month with a bit of humor. And watch for some scary Halloween-esque real-life security horror stores in celebration of the scariest month of the year.

[kml_flashembed movie="http://www.youtube.com/v/L1jAr466DJc" width="425" height="350" wmode="transparent" /]


September 30, 2011  4:00 PM

Three years later and Conficker is still going strong

Ken Harthun Ken Harthun Profile: Ken Harthun

If your computer is not properly patched (according to all the best advice I have given you), you are at risk of infection. According to Sophos, “Even after 3 years, Conficker is the still the most common virus. Since 2008, it has exploited unprotected computers, weak passwords and USB storage devices.”

The good news is that Sophos has released a Conficker Removal Tool that you can use to scan your system and remove the virus. I tested the tool and it’s very simple – no complicated installation or configuration. Naturally, the tool didn’t find Conficker on my system :-)

If you suspect you have Conficker on your system, or you’re not sure, but want to check, download the tool and remove Conficker now. They, get your system security patches up to date. Please. The virus will just keep spreading until everyone is patched.

Don’t be a Conficker enabler…


September 29, 2011  9:12 PM

The lighter side of computing

Ken Harthun Ken Harthun Profile: Ken Harthun

Sometimes, all we have to do is laugh about it.

Enjoy!


September 28, 2011  2:02 AM

Real dialogue about real password ideas

Ken Harthun Ken Harthun Profile: Ken Harthun

We have a Skype room called the International Internet Marketing Group where we discuss various topics related to Internet Marketing. Last night, we had a discussion, which I led, about passwords and online security. Here’s an excerpt:

EVERYBODY here needs to LEARN this stuff today.
[9/26/2011 7:59:22 PM] ™ Gary Simpson: If you choose not to read it or – even worse – IGNORE it then more fool you!
[9/26/2011 8:00:16 PM] ™ Gary Simpson: Marj, you wanna kick off with the subject?
[9/26/2011 8:00:43 PM] Steve Lorenzo: Ken is the (*) tonight
[9/26/2011 8:00:51 PM] ™ Gary Simpson: Yep.
[9/26/2011 8:00:59 PM] ™ Gary Simpson: The Sheikh of Geek!
[9/26/2011 8:01:22 PM] Dennis Pippin: I’m all ears Ken
[9/26/2011 8:03:13 PM] ™ Gary Simpson: Banging fist on table: GEEK! GEEK! GEEK!
9/26/2011 8:04:17 PM] ™ Gary Simpson: Those who need it most ain’t here – as USUAL!
[9/26/2011 8:04:21 PM] Marj Wyatt: Bill will catch up
[9/26/2011 8:04:55 PM] ™ Gary Simpson: “I will read it later” <— translates to “I can’t be stuffed.”
[9/26/2011 8:05:16 PM] Maureen Amberg: I’m here
[9/26/2011 8:05:24 PM] ™ Gary Simpson: NEXT: “My site has been hacked!”
[9/26/2011 8:05:35 PM] ™ Gary Simpson: HEEEEEEEEEEEEEEELP MEEEEEEEEEEEEEEEEEEE!
[9/26/2011 8:05:39 PM] Marj Wyatt: Topic tonight is Online Security for your Business (think we ought to keep it focused on Business)
[9/26/2011 8:05:59 PM] + Ken Harthun (Co-host: TIIMG): [Monday, September 26, 2011 8:04 PM] ™ Gary Simpson:

<<< Those who need it most ain’t here – as USUAL!Let them eat Phish!
[9/26/2011 8:06:14 PM] ™ Gary Simpson: ************************************
[Monday, September 26, 2011 8:05 PM] Marj Wyatt:

<<< Topic tonight is Online Security for your Business (think we ought to keep it focused on Business)************************************
[9/26/2011 8:07:15 PM] + Ken Harthun (Co-host: TIIMG): Gary, Steve, Anyone. What is the least secure password you can use.
[9/26/2011 8:07:26 PM] Kay Brasher: password
[9/26/2011 8:07:37 PM] ™ Gary Simpson: admin?
[9/26/2011 8:07:47 PM] Kay Brasher: I thought admin was the login?
[9/26/2011 8:07:49 PM] ™ Gary Simpson: Both are as DUMB as each other.
[9/26/2011 8:07:56 PM] Marj Wyatt: @Ken, children’s names, birthdays
[9/26/2011 8:07:58 PM] + Ken Harthun (Co-host: TIIMG): Yes, Kay, and what if I told you that password is perfectly OK to use IF you do something to it?
[9/26/2011 8:07:59 PM] ™ Gary Simpson: Your name?
[9/26/2011 8:08:01 PM] Marj Wyatt: Marj Wyatt just guessing
[9/26/2011 8:08:11 PM] Kay Brasher: Oh I am all ears
[9/26/2011 8:08:11 PM] Dennis Pippin: 123456
[9/26/2011 8:08:19 PM] ™ Gary Simpson: eg password versus !pass!word%
[9/26/2011 8:08:40 PM] + Ken Harthun (Co-host: TIIMG): Yes, 123456 is a good one. Also, can be one of the most secure passwords you can use. Anyone confused yet? Ready to lynch me?
[9/26/2011 8:09:09 PM] Marj Wyatt: have no idea, Ken
[9/26/2011 8:09:09 PM] ™ Gary Simpson: @ Ken – depends how you “conceal” it.
[9/26/2011 8:09:27 PM] + Ken Harthun (Co-host: TIIMG): Gary, you’re too damn smart for your own good… LOL
[9/26/2011 8:09:39 PM] Marj Wyatt: combo of upper/lower case alpha with numeric and special characters
[9/26/2011 8:09:47 PM | Edited 8:09:58 PM] ™ Gary Simpson: LOL!
[9/26/2011 8:10:01 PM] Marj Wyatt: lower case “us” Robert
[9/26/2011 8:10:22 PM] + Ken Harthun (Co-host: TIIMG): Here’s a question, based on Marj’s comment. What is the most secure password of these two? Xh73!*j3 or Dog……..?
[9/26/2011 8:10:37 PM] Kay Brasher: Xh73!*j3
[9/26/2011 8:10:48 PM] Marj Wyatt: [Monday, September 26, 2011 8:10 PM] + Ken Harthun (Co-host: TIIMG):
<<< Xh73!*j3that one
[9/26/2011 8:10:55 PM] + Ken Harthun (Co-host: TIIMG): @Kay BUZZZZZ! Not!
[9/26/2011 8:11:04 PM] + Ken Harthun (Co-host: TIIMG): Wrong, Marj.
[9/26/2011 8:11:20 PM] Marj Wyatt: oh well
[9/26/2011 8:11:28 PM] ™ Gary Simpson: 1k2e3n4h5a6r7t8h9u10n
[9/26/2011 8:11:34 PM] Marj Wyatt: I use an online strong password generator tool
[9/26/2011 8:11:44 PM] + Ken Harthun (Co-host: TIIMG): @Gary BUZZZZ you’re out XXXXXX
[9/26/2011 8:12:04 PM] ™ Gary Simpson: Spill Geek.
[9/26/2011 8:12:15 PM] Marj Wyatt: Ok Ken, why would Dog…….. be better?
[9/26/2011 8:12:23 PM] + Ken Harthun (Co-host: TIIMG): I vill give you my secret for a fee!
[9/26/2011 8:12:36 PM] ™ Gary Simpson: Stop speaking like the Count!
[9/26/2011 8:12:39 PM] Marj Wyatt: umhmmm
[9/26/2011 8:12:43 PM] ™ Gary Simpson: Has he bitten you?
[9/26/2011 8:12:43 PM] + Ken Harthun (Co-host: TIIMG): Everyone must pay the fee!
[9/26/2011 8:12:58 PM] Marj Wyatt: (bow)
[9/26/2011 8:13:09 PM] + Ken Harthun (Co-host: TIIMG): Ist you villing to pay ze fee?
[9/26/2011 8:13:27 PM] ™ Gary Simpson: I vill keel you if you keep the teeze.
[9/26/2011 8:13:30 PM] Kay Brasher: Sorry I am broke
[9/26/2011 8:13:37 PM] Marj Wyatt: I just bowed to you, that’s all yer gettin
[9/26/2011 8:14:04 PM] + Ken Harthun (Co-host: TIIMG): OK. The fee is simple: Promise to heed these words and USE what I am about to reveal to you!
[9/26/2011 8:14:10 PM] + Ken Harthun (Co-host: TIIMG): Agreed?
[9/26/2011 8:14:19 PM] Dennis Pippin: Agreed!!!
[9/26/2011 8:14:19 PM] ™ Gary Simpson: Agreed.
[9/26/2011 8:14:20 PM] + Ken Harthun (Co-host: TIIMG): It’s really a revelation1
[9/26/2011 8:14:21 PM] Marj Wyatt: (nod)
[9/26/2011 8:14:27 PM] Tina Golden: Agreed <and I’m here now… lol>
[9/26/2011 8:14:35 PM] ™ Gary Simpson: Quoting from the Bible now?
[9/26/2011 8:14:37 PM] Suzanne Patricia Howarth: most programs won’t allow 3 letter passwords anyway
[9/26/2011 8:14:41 PM] Kay Brasher: Agreed
[9/26/2011 8:14:43 PM] ™ Gary Simpson: ie Revelations.
[9/26/2011 8:14:50 PM] Maureen Amberg: Why can’t you have a password that noone could guess?
[9/26/2011 8:15:02 PM] Marj Wyatt: @Suzanne, except for DAP
[9/26/2011 8:15:03 PM] + Ken Harthun (Co-host: TIIMG): The correct answer is that Dog…… is a very secure password and easier to remember than XH@*222>>>@
[9/26/2011 8:15:22 PM] Marj Wyatt: That’s why I use Roboform!
[9/26/2011 8:15:23 PM] ™ Gary Simpson: @ Maureen – A brute force password attack will crack almost any English word so it’s
best to include some random characters to avoid the possibility of that.
(See Steve Lorenzo’s e-book/report on the most common passwords NOT to use.)
[9/26/2011 8:15:26 PM] -Bill Vallee (Leader:TIIMG): (whew) (wave) (flag:us)
[9/26/2011 8:15:38 PM] Suzanne Patricia Howarth: You are not saying why. please get to the point I need to go
[9/26/2011 8:15:40 PM] + Ken Harthun (Co-host: TIIMG): Gary, you’re stealing my thunder here.
[9/26/2011 8:15:59 PM] ™ Gary Simpson: Soz Ken. I will STFU. LOL!
[9/26/2011 8:16:14 PM] Dennis Pippin: so you mean dog with the dots?
[9/26/2011 8:16:45 PM] + Ken Harthun (Co-host: TIIMG): OK. here’s the scoop. You take any dictionary word, your name, your dog’s name, anything you want and PAD it with a personal password pattern that you will easily remember and you have an virtually unbreakable password.
[9/26/2011 8:17:05 PM] ™ Gary Simpson: EXCELLENT point.
[9/26/2011 8:17:35 PM] Steve Lorenzo: [Monday, September 26, 2011 8:06 PM] + Ken Harthun (Co-host: TIIMG):

<<< Gary, Steve, Anyone. What is the least secure password you can use.The MOST used password is
“123456″
See the Most Used 500 Passwords here:

http://tipsandtricks.im/TOP-500-Passwords-Download/

^^^ It is still free to get for you ^^^
But I’ll be releasing it as a PAID product WSO next week
[9/26/2011 8:17:54 PM] Tina Golden: Awesome tip, Ken, thanks!
[9/26/2011 8:17:57 PM] + Ken Harthun (Co-host: TIIMG): The secret is that the hackers don’t know your password. They will try dictionary words and common variations, but once you force them to use brute-force guessing routines, they’re lost.
[9/26/2011 8:18:00 PM] Maureen Amberg: I do not use a dictionary word…..and do add numbers or symbols.  Is OK?
[9/26/2011 8:18:45 PM] Tina Golden: I use a name (not my own) and number combination
[9/26/2011 8:18:51 PM] Steve Lorenzo: One VERY important thing is
You do not need ONE password .. <<< dumbest thing to do, no matter how complicated it is!
[9/26/2011 8:18:56 PM] Tina Golden: But I like Ken’s suggestion
[9/26/2011 8:19:10 PM] Steve Lorenzo: But rather different passwords for each separate website
[9/26/2011 8:19:13 PM] + Ken Harthun (Co-host: TIIMG): Steve, I’ll use 123456 every day. Try to guess this one: +_..123456.._+
[9/26/2011 8:19:18 PM] Dennis Pippin: [Monday, September 26, 2011 8:16 PM] + Ken Harthun (Co-host: TIIMG):

<<< OK. here’s the scoop. You take any dictionary word, your name, your dog’s name, anything you want and PAD it with a personal password pattern that you will easily remember and you have an virtually unbreakable password.I don’t understand this
[9/26/2011 8:19:48 PM] Maureen Amberg: Excellent point Steve!
[9/26/2011 8:19:51 PM] Tina Golden: If you have a virtually unbreakable password, would it matter if we used it on more than one site?
[9/26/2011 8:19:52 PM] Steve Lorenzo: Ken, it’s not about me, but the hackers who would use software to try all the combos possible
[9/26/2011 8:20:04 PM] Steve Lorenzo: the simpler it is, the fastest they can push through it
[9/26/2011 8:20:11 PM] Dennis Pippin:  PAD it with a personal password pattern…. this is what I don’t understand
[9/26/2011 8:20:25 PM] ™ Gary Simpson: @ Dennis – look what I did here:
[Monday, September 26, 2011 8:11 PM] ™ Gary Simpson:

<<< 1k2e3n4h5a6r7t8h9u10n
[9/26/2011 8:20:34 PM] + Ken Harthun (Co-host: TIIMG): Once you add the padding, which is unkown to a hacker, and force brute force attacking methods, then length trumps complexity. Use anything you will easily remember, just add a pattern that you will remember and you’re good to go.

[9/26/2011 8:24:52 PM] + Ken Harthun (Co-host: TIIMG): @Marj. Brute force means you have to guess every character one at a time. It can take eons if your password is long enough.

Are you getting this?


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: