Security Corner


May 22, 2011  4:56 PM

How Long Should a Strong Password Be These Days?



Posted by: Ken Harthun
password manager, passwords, SANS, Security, security awareness, Security best practice

Source: thegoldguys.blogspot.com

It used to be – and I used to recommend – that a good, strong password was a combination of upper/lower case letters, numbers and special symbols at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, making brute-force password cracking programs able to guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, with distributed computing projects such as Distributed.net's Project Bovine RC5-64 reportedly capable of guessing 76.1 billion passwords per second, 8 characters just isn't enough. Think about it: an 8-character password drawn from a 96-character field has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.

When Georgia Tech Research Institute developed a method of using general purpose GPUs to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I'm now considering upping the ante and recommending 15 characters as a minimum length for passwords. The problem with this is the extreme difficulty in remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list or a secure password manager such as LastPass becomes essential.
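The arithmetic behind the figures quoted above, as an added example (my code, not the author's): it computes the keyspace for a character set and length, the worst-case time to exhaust it at the 76.1 billion guesses per second attributed to RC5-64, and the shortest length that holds out for a chosen period. The 96-character field and the guessing rate are the post's numbers; the ten-year target is my own assumption.

```python
# Keyspace and worst-case exhaustive-search time for passwords of a given
# length drawn uniformly from a character set. Figures from the post:
# a 96-character field and 76.1 billion guesses per second (RC5-64).

CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "full_field": 96,          # the post's 96-character field
}

RC5_64_GUESSES_PER_SECOND = 76.1e9   # rate quoted in the post
YEAR_SECONDS = 365 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every password tried once at `rate` guesses per second.
    The expected time to hit one particular password is half of this."""
    return keyspace(charset_size, length) / rate


def min_length_for(charset_size: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds`
    to exhaust at `rate`. An integer loop avoids floating-point log rounding."""
    length = 1
    while keyspace(charset_size, length) < rate * target_seconds:
        length += 1
    return length


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", YEAR_SECONDS), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    rate = RC5_64_GUESSES_PER_SECOND
    for length in (8, 12, 15):      # the three minimums discussed in the post
        secs = seconds_to_exhaust(96, length, rate)
        print(f"96^{length} = {keyspace(96, length):.3g} combinations, "
              f"exhausted in {human_duration(secs)}")
    # Assumed target: the keyspace should hold out for at least ten years.
    print("minimum length for 10 years at this rate:",
          min_length_for(96, rate, 10 * YEAR_SECONDS))
```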

The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.

May 17, 2011  3:02 PM

Scam Alert: Fake Skype Update Email



Posted by: Ken Harthun
E-mail scam, Fraud, Scam alert

Source: FortBendNow.com

Got an email this morning from “Skype Newsletter” with the subject “New version of Skype has been released ! Upgrade now.” If you use Skype and you get such a notice, delete it: it’s a scam to get you to “join” some bogus software site. It is NOT from Skype. I did not see any attempt at installing malware. Here’s the text of the email:

Skype Voip Upgrade Notification

This is to notify that new updates have been released for Skype.

(link removed)

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

(link removed)

Start downloading the update right now and let us know what you think about it.

We’re working on making Skype better all the time !

Talk soon,

The people at Skype

====================== PROTECT YOUR PASSWORD ===========================
Skype or Skype Staff will NEVER ask you for your password via email. The only place you are asked for your password is when you sign in to the Skype application or our website.


May 16, 2011  10:50 PM

Michaels POS Breach Bigger than Reported



Posted by: Ken Harthun
Credit Card Fraud, data breach, Fraud, Security

Michaels Stores, Inc. says that their point-of-sale (POS) PIN pads at 90 stores in 20 states were tampered with. The craft store chain is replacing PIN pads at most of its 964 U.S. stores. According to BankInfoSecurity.com, the breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]

Michaels Stores initially reported that a scheme, in which point-of-sale pads customers use to key in their personal identification numbers, was isolated to Chicago, but on Tuesday [May 10, 2011] the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.

Michaels' statement includes a list of the stores it determined were actually affected; the company also decided to be extra cautious and said this about the incident:

Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores that showed signs of tampering. Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its US stores.

The company has commenced replacing these PIN pads in all US stores and expects the replacement to be completed within the next 15 days. Until the new upgraded PIN pads are installed, customers may have their credit and signature debit transactions processed on the store register. As an additional precaution, Michaels is screening all PIN pads in Canadian stores.

It is highly likely that this is a very carefully targeted organized crime effort, given the scope and level of effort needed to accomplish the physical tampering of the POS devices.


May 10, 2011  4:34 PM

LastPass Security Incident #4dc9630d9b403



Posted by: Ken Harthun
LastPass, Password, password manager, Security best practice

Just received this email from LastPass, which gives further information about the security incident.

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit https://lastpass.com/status for more information.

Thanks,
The LastPass Team

As I said before, I am very impressed by their response to this incident. Here is their latest update on the blog:

LastPass Security Notification

Update 9, ~11am 05/09 EST:

Many users are changing their password and then determining they can't remember it; a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert
It allows you to either roll back your last password change or revert your account to the 4th. You must prove access to your email again to use it.

I guess those users should read Security Corner more often. This would help them: Your Wallet is the Best Password Manager, as would this one: Un-guessable Passwords—How to Make Them.


May 7, 2011  11:32 PM

Video: How to Choose Strong Passwords



Posted by: Ken Harthun
Password, Security, Security best practice

The LastPass network anomaly incident (it’s still not known whether an actual data breach occurred) once again underscores the importance of using strong, unguessable passwords. Using dictionary words or short, simple, easy-to-crack passwords for a master password that protects all of your other passwords is just not smart. I have spent years educating my clients and their employees on the use of strong passwords and giving them simple solutions for coming up with them. This short video from Sophos Naked Security is a good resource.

[Embedded video: http://www.youtube.com/v/VYzguTdOmmU]


May 7, 2011  3:32 PM

LastPass Experiences Network Anomaly, Forces Users to Change Master Passwords



Posted by: Ken Harthun
data breach, LastPass, security awareness, Security best practice

Earlier this week, I noticed errors from LastPass when I fired up my browser and was unable to log in manually with my normal master password. I didn’t pay much attention to this at first since the email address I used to log in was one I shut down recently. I figured that was the reason and made a mental note to go change it later. But, when I tried to log in to LastPass to change my account settings (using a one-time password that I had previously created), I got a notice saying that the LastPass servers were overloaded and that I should try again later. That’s when I began to take a deeper look and discovered what others already knew: LastPass had noticed an “anomaly” in their network traffic and as a precaution had begun to force users to change their master passwords.

According to LastPass’s blog, May 4th, 2011, here’s what happened:

LastPass Security Notification

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

LastPass posted ongoing updates to the situation as it developed. The second update explained why I couldn’t get in properly.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We're switching tactics — if you've made the password change already we'll handle you normally. If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).

As it stands right now, I was able to log in with my original master password (which is very strong) and change my account settings, so everything seems to be back to normal. As of 9 am 5/7/2011, this is the posted status on the blog:

Update 8, ~9am 05/07 EST:
We enabled password change to greater percentages overnight and now to all users. Again please note that there is no need to panic, all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change.
We’re asking any users that have current issues with a password change to contact us — we will restore you from backups. Many have been people forgetting what password they changed to so make sure you practice that new password a number of times after you change it.
We appreciate your patience, we’ll continue to update with any changes.

So, back to normal it seems. And even though LastPass's response to a mere "oddity" caused some major inconvenience for many of its users, I am even more confident in their security than I was before. Think about it. They saw something odd in their network traffic that they couldn't explain. They saw a risk that sensitive information was getting into the wrong hands and immediately took action, keeping users updated with detailed information about what they were doing and why, and telling users what to do about it.

Kudos to LastPass for being a good example of how to do security the right way.


May 2, 2011  8:36 PM

Bin Laden News Event Spawning Malware & Phishing Attempts



Posted by: Ken Harthun
Facebook Bin Laden Video Hoax, Security, Virus, virus warning

As always happens around big disasters and news events, the miscreants are using the event to attempt to infect PCs with malware and are sending phishing emails. Apparently Facebook is being targeted with a fake video. Got this note from a friend on Skype:

“PLEASE READ AND REPOST!
WARNING: there is a video circulating around Facebook of a BBC video of the killing of Osama Bin Laden, supposedly made by US troops. It is a Virus!!!!! Spread the news because it’s circulating fast!!”

Here’s a video showing one of the virus attempts:

[Embedded video: http://www.youtube.com/v/D5CRARPMaeU]

Be aware that NO photos or videos have been released officially. The only official video is the one of President Obama announcing Bin Laden’s death.

I haven’t seen any phishing spam related to the event yet, but you can bet it will be on its way before you know it.


April 30, 2011  10:37 PM

Think You’re Not a Target Because You’re Small? Think Again



Posted by: Ken Harthun
Credit Card Fraud, data breach, Data Theft, Hacker, Online banking fraud, security audits, Security best practice, SQL Injection

If you pay attention to mainstream media, you can easily get the wrong idea about online attacks. The press usually only covers the sensational data breaches like the recent Epsilon and Sony fiascoes. Truth is, there are far more people at risk than the press leads you to believe.

Consider the case of Rogelio Hackett, Jr., a 26-year-old hacker from Georgia who recently pleaded guilty to the theft of more than 675,000 credit cards. More than $36 million in damages resulted from his crime. Hackett targeted smaller organizations that had not coded their websites properly, leaving them open to SQL injection attacks. "He exploited SQL vulnerabilities," says Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. "And despite the fact that SQL injections are well documented, we're still seeing companies that are getting hit and compromised by that kind of attack."

This article on the Bank Information Security (BIS) blog gives further details:

According to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. “These SQL injections are allowing someone in through the side fence, not the front door,” Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. “That’s why we need to look at application-level security,” Corman says. “Firewalls need to be augmented, with things like web-application firewalls.”

If you are a small business with an e-commerce site that stores transaction information in a SQL database, I would suggest you perform an immediate security audit to reveal any potential vulnerabilities in your system. You just don't know where an attack may come from. It's not like it used to be, with high-profile hackers and Eastern European crime syndicates leading the way. These days, it's more like "disorganized crime." Smaller, less spectacular crimes are able to stay under the law enforcement and card companies' radars for longer periods.

Avivah Litan, distinguished analyst at Gartner Research, points out that Hackett's case highlights how widespread and diverse hacking has become. "For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more 'Hacketts' or 'hackers' that are not," Litan says. (Source: BIS blog)
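The coding defect behind the attacks described in this post, shown beside its fix, as an added example (my code, not from the post or any real site): a customer lookup that splices user input into the SQL text next to the same lookup with a bound parameter, plus the check an audit would run against each. The customer table and its rows are constructed; it uses Python's built-in sqlite3 so it runs offline.

```python
import sqlite3

# Constructed sample rows standing in for a small e-commerce customer table
# (card numbers are already masked, as they should be at rest).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "4111 **** **** 1111"),
    ("bob@example.com", "Bob", "5500 **** **** 0004"),
]

# Probe value an auditor feeds the lookup: it closes the quoted string
# early and appends an always-true condition.
AUDIT_PROBE = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: user input is spliced into the statement text, so quote
    characters in `email` change the query's structure, not just its value."""
    sql = f"SELECT email, name, card_masked FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value is bound separately from the statement, so the
    driver always treats it as data. There is no escaping code to get wrong."""
    sql = "SELECT email, name, card_masked FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def probe_leaks_rows(lookup, conn: sqlite3.Connection) -> bool:
    """Audit check: a lookup that returns any row for the probe value is
    letting input alter the query and must be rewritten."""
    return len(lookup(conn, AUDIT_PROBE)) > 0


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("string-built", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        rows = fn(db, "alice@example.com")
        print(f"{name}: normal lookup -> {len(rows)} row(s); "
              f"probe leaks rows: {probe_leaks_rows(fn, db)}")
```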


April 30, 2011  3:32 PM

New York Yankees Leaks Personal Info of 21,000 Season Ticket Holders



Posted by: Ken Harthun
Data Leak, Identity Theft, insecure, Privacy, Security, security awareness

Yikes! Indeed, it has happened again, but this time the leak was completely preventable. A season ticket sales representative for the New York Yankees inadvertently emailed a spreadsheet to 2,000 of his contacts. The spreadsheet contained account numbers, names, addresses, phone numbers, email addresses, and other information like their seat numbers and which ticket packages they purchased.

Part of the notification sent to the victims from the Yankees’ office said this:

NO OTHER INFORMATION WAS INCLUDED IN THE DOCUMENT THAT WAS ACCIDENTALLY ATTATCHED (sic) TO THE APRIL 25TH E-MAIL. THE DOCUMENT DID NOT INCLUDE ANY BIRTH DATES, SOCIAL SECURITY NUMBERS, CREDIT CARD DATA, BANKING DATA OR ANY OTHER PERSONAL OR FINANCIAL INFORMATION.

Apparently, the data contained information only on holders of season tickets for the "non-premium" seats that make up the vast majority of Yankee Stadium; those holding tickets for suites and the first few rows in the infield were not listed. So the high rollers and celebrities aren't in there. That certainly lessens the value of the data somewhat (no big, juicy targets), but it's a good bet that the victims are going to be spammed and phished to death at some point.

This is yet another piece of evidence in support of my continual assertion that there is absolutely no such thing as private information. Once you have given anything to a third party, you might as well have advertised it on a lighted freeway billboard.

Your information is not safe and probably never will be.


April 29, 2011  2:49 AM

How to Secure WordPress in Five Easy Steps



Posted by: Ken Harthun
Security, Security best practice, WordPress

Source: narga.com

WordPress is pretty secure out of the box. Nevertheless, there are always going to be individuals who want to crack into accounts for nefarious purpose or inject hidden spam links. Just as with any other application software, it’s important to make sure that your WordPress installation is as secure as you can possibly make it.

While these tips may seem like the same old over-used advice I give to everyone, they are still relevant. They are even more relevant to many of my marketing friends, business clients and colleagues who base their businesses in whole or in part on their blogs.

I’m not going to recommend a bunch of WordPress add-ons and plugins in this post (I’m still researching), but I am going to give some general advice on how to secure your installation. Here is how to secure WordPress in five easy steps:

  1. Update regularly – As with any other application, hackers find vulnerabilities and attempt to exploit them. WordPress developers are very conscientious when it comes to fixing security holes and WordPress is regularly upgraded. If you are in your administration panel and see a notice about a new version, upgrade immediately. As of the date of this post, the current version is 3.1.2.
  2. Use strong passwords – It goes without saying that if you use your pet’s name or some other simple, easy to guess password, you’re inviting hackers to hack you. I recommend no fewer than 8 characters that include both upper and lower case letters, numerals and punctuation. Example (don’t use this!): Th3Qu&(!
  3. Use Secret Keys – The WordPress config.php file that contains the name, address and password of the MySQL database for your blog allows you to use secret keys. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. You don’t have to remember these. You can generate them at this link: https://api.wordpress.org/secret-key/1.1/salt/.
  4. Use .htaccess file properly – This can get complex, so I won't go into details here, but you must be aware of what your .htaccess file contains and make sure it doesn't allow access to files and directories you don't want people to see. WordPress won't do anything insecure to it, but it never hurts to be sure. A good tutorial is The Ultimate Htaccess. Warning: if you are not a techie, skip this and ask a friendly Geek!
  5. Set proper file permissions – This is the first line of attack for a hacker, and the biggest problem is when you have file permissions set so that anyone can list a directory’s contents. Just go to WordPress Codex and do what it says. Again, if you’re not a techie, find a friendly Geek (like me) to help you.
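A small audit script for steps 3 and 5, as an added example that is not from this post or from the WordPress project: it parses the secret-key defines in wp-config.php, flags any still set to the placeholder value shipped in wp-config-sample.php, and flags world-writable paths and a config file readable by users other than its owner. The weak sample install it builds in a temporary directory is constructed for the demonstration; the 32-character floor is my assumption (the generator linked above produces 64-character values).

```python
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# The eight secret keys and salts WordPress reads from wp-config.php.
SECRET_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"     # value in wp-config-sample.php
MIN_KEY_LENGTH = 32                              # assumed floor; generator gives 64
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def check_secret_keys(config_text: str) -> list:
    """Findings for keys that are missing, still the placeholder, or short."""
    defined = dict(DEFINE_RE.findall(config_text))
    findings = []
    for name in SECRET_KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name}: only {len(value)} characters")
    return findings


def check_permissions(root: str) -> list:
    """Flag world-writable paths and a wp-config.php readable beyond its owner."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append(f"{path.relative_to(root)}: world-writable")
    cfg = Path(root) / "wp-config.php"
    if cfg.exists() and cfg.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php: readable by group or others")
    return findings


def audit(root: str) -> list:
    """Run both checks against a WordPress install rooted at `root`."""
    cfg = Path(root) / "wp-config.php"
    key_findings = (check_secret_keys(cfg.read_text()) if cfg.exists()
                    else ["wp-config.php: missing"])
    return key_findings + check_permissions(root)


def hardened_config_text() -> str:
    """Eight defines with fresh random 64-character values (no quote chars)."""
    return "\n".join(f"define( '{n}', '{secrets.token_urlsafe(48)}' );"
                     for n in SECRET_KEY_NAMES)


def make_sample_install() -> str:
    """Constructed weak install: placeholder AUTH_KEY, other keys absent,
    wp-config.php world-readable, uploads directory world-writable."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    cfg = Path(root) / "wp-config.php"
    cfg.write_text(f"<?php\ndefine( 'AUTH_KEY', '{PLACEHOLDER}' );\n")
    os.chmod(cfg, 0o644)
    uploads = Path(root) / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    os.chmod(uploads, 0o777)
    return root
```

Call `audit("/path/to/wordpress")` against a real install; an empty list means both checks passed.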

Good luck, and if you need help, just ask!

