Security Corner

July 16, 2012  12:55 PM

Humor: The first backup

Ken Harthun

I don’t know the exact source of this (unless its creator is the colleague who sent it to me, Kenneth Nelson), but my hat is off to the author.

Tablets, of course, are a vital component of Christian iconography, as the Old Testament tells us. On Mount Sinai, God gave Moses two tablets (of the analog kind) upon which the deity had inscribed the rules for his creations, a process which saw Moses on the mountain for 40 days and 40 nights without food or water.

But when Moses came down the mountain and discovered the Israelites cavorting around a golden calf, he smashed the tablets, burnt the idol, ground it up, mixed it with water, made everyone drink it, then ordered the killing of 3,000 of those Israelites who didn’t immediately side with him (Exodus 32:19-28).

Moses was then told to carve a new set of tablets, and upon them God restored the sacred text files from what was presumably a celestial backup, thus retiring history’s first recorded tablet tech-support ticket.

July 8, 2012  11:40 PM

Paper is still king for passing on your estate’s online assets

Ken Harthun

These two articles became the subject of a lot of thought and discussion on how to best pass on your electronic assets when you pass away:

How will you pass on your passwords when you pass away? Part 1
How will you pass on your passwords when you pass away? Part 2

In the process of figuring out my own system, I became aware of the existence of “electronic will” sites that will supposedly allow your loved ones to get your passwords and other online account information in the event of your demise. I advise against using such sites for two reasons:

  1. If the site disappears (despite what promises are made as to their plan for succession) and you die before you can find a replacement site, your loved ones are out of luck; and,
  2. If you fail to keep the site updated with changes, it’s useless.

This is why I say “paper is king.” You need to come up with a system that is relatively fail safe and that system needs to be committed to paper and placed in a safe deposit box or held by your attorney or other trusted person.

By “fail safe,” I mean a system that will allow your survivors to gain access to all of your important online assets even if you do not faithfully apply it. Yes, it has to be set up in such a way that someone could easily discover where your lapse occurred and recover your credentials. This isn’t the least bit difficult to do; in fact, it’s rather simple and I’ll present a full system in a future post.

July 6, 2012  1:12 PM

The Great Internet Blackout is coming July 9

Ken Harthun

If you are still infected with the DNS Changer malware, you will be unable to access the internet as of July 9, 2012. According to the FBI, which took over a series of rogue DNS servers last November, there are still hundreds of thousands of computers infected with the malware. While the FBI substituted valid DNS servers to keep resolving internet names, these servers will be taken offline on July 9, making it impossible for infected PCs to resolve domain names.

You need to make sure your PC is not infected. You can do that by checking websites created by the DNS Changer Working Group (DCWG), a cross-industry team of experts. The list is posted here.

Sophos also provided an informative video: How not to lose your internet connection
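The infection described above works by pointing the victim's resolver settings at attacker-controlled DNS servers, so the practical check is to look at which nameservers the machine is configured to use and compare them with the netblocks the DCWG publishes. The following is an added example, not code from the original post or from the DCWG: it parses resolv.conf-style text (a constructed sample) and flags any nameserver that falls inside a rogue range. The rogue range in the code is an obviously labelled placeholder; a real check must load the current DCWG list.

```python
import ipaddress

# Constructed sample of a Unix-style resolver configuration (resolv.conf format,
# "nameserver <ip>" lines). The second nameserver is deliberately placed inside
# the placeholder rogue range so the check has something to flag.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search example.internal
nameserver 192.0.2.53
nameserver 203.0.113.7
"""

# PLACEHOLDER: the real rogue DNSChanger netblocks must come from the
# DNS Changer Working Group. 203.0.113.0/24 is documentation address space.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),  # placeholder, not a real rogue range
]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses declared in resolv.conf-style text.

    Comment text after '#' is ignored and malformed addresses are skipped,
    so a damaged or hand-edited file does not abort the check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not a valid IPv4/IPv6 literal; ignore the entry
    return servers


def find_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return, as strings, the configured resolvers that sit in a rogue netblock."""
    # Membership tests across address families (IPv6 address vs IPv4 network)
    # simply return False, so mixed configurations are handled safely.
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


def check_resolv_conf(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Summarise the configured resolvers and whether any match a rogue range."""
    servers = parse_nameservers(text)
    rogue = find_rogue_resolvers(servers, rogue_ranges)
    return {
        "configured": [str(s) for s in servers],
        "rogue": rogue,
        "infected": bool(rogue),
    }


if __name__ == "__main__":
    # Against a real machine, read /etc/resolv.conf instead of the sample.
    report = check_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", ", ".join(report["configured"]))
    if report["infected"]:
        print("WARNING: resolver(s) in a rogue range:", ", ".join(report["rogue"]))
    else:
        print("no configured resolver matches a known rogue range")
```

On a Windows machine the same comparison applies to the DNS server list shown by `ipconfig /all`; the point of the check is the same either way, namely that a resolver inside a rogue netblock means the PC will lose name resolution once those servers are switched off.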

June 30, 2012  8:11 PM

Give Spam the Finger

Ken Harthun

No, I’m not talking about that finger; it’ll become obvious in a moment which finger I’m talking about. First, let me ask a few questions:

  1. Is your car parked, empty, in the driveway right now with its engine on?
  2. Is your shower, with no one in it, running?
  3. Is your stove, with nothing cooking on it, turned on?
  4. Is your attic light on 24/7?

I’m fairly sure that you answered “no” to all of these questions. It just doesn’t make sense to leave something on if you’re not using it. All this does is run up your electric bill for nothing, right?

Then why would you want to leave your PC on 24/7? If your PC has been compromised and is a member of one of the major spam zombie networks, chances are that you’re spewing spam in a constant stream.

Do us all a favor and use your index finger to switch it off when you’re not using it. If you do nothing else to clean it up, just shutting down the PC if it’s not being used would cut spam volume significantly.

Do you agree or disagree? Hit the comments and put in your two cents.

The Geek

June 29, 2012  1:17 PM

Security a priority for Apple

Ken Harthun

Apple is making security a priority in the next version of OS X, Mountain Lion. This is good news: new threats continue to crop up as Macs gain a larger user base. Apple Insider reports that “…Apple’s upcoming OS X Mountain Lion will feature an automatic security check feature that will ensure users have the most up-to-date software protection amid a growing number of Mac-targeted malware.”

The new feature is called “OS X Security Update Test 1.0” and will either run daily or whenever a Mac restarts. It will download and install updates in the background, thus lessening the necessity for manually performing checks. The feature is also reported to create a “more secure connection” to Apple’s servers.

This comes at about the same time as Apple changed its OS X web page. No longer is Apple boasting “It doesn’t get PC viruses” or “Safeguard your data. By doing nothing.” The web page has been toned down to read “It’s built to be safe” and “Safety. Built right in.”

Nice to see this attention to security.

June 29, 2012  12:44 AM

Looking Back: Will You Be Used As a Weapon Against Your Own Country?

Ken Harthun

[I first posted this piece in June of 2007. In light of the Stuxnet attacks and Flame Malware attacks, I believe I was on the right track. It’s fun to look back and see how close we often come to predicting the future.]

It’s 2010, maybe sooner. A rogue nation has just declared war on your country. No one will be killed in this war, at least not directly. But people will die from starvation, disease, and in the general chaos caused by disruption in vital communications lines. The rogue nation’s primary weapon? Botnets capable of taking down huge segments of the Internet and telephone networks.

Such a weapon is already being used in cyber attacks against Estonian web sites, as reported by SANS:

The ongoing cyber attacks against Estonian web sites, covered in a recent NewsBites edition, should serve as a sobering reminder that Cyber Warfare is not a theoretical threat but a very effective and real one….

Having made my own observation of the shifting threats to computer and network security, I have to agree with SANS editor Skoudis:

Before 2003, our dominant threats were hobbyists and insiders. In 2003 and 2004, the threat then changed to organized crime looking to make money. Depending on the geopolitical environment, the dominant threat may shift again, and very quickly, to state-sponsored cyber warfare.

What’s ironic is that the attacker will, to some degree, be using your own people–as well as your allies–against you. There’s certainly a good number of people in every country whose computers have become zombies in a botnet. The actual attackers are virtually untraceable, so unless the attacker makes himself known, you’ll not even know your enemy. Scary.

This is why every citizen, every government, must share responsibility in protecting the security of their country’s network infrastructure. There are steps everyone can and should take…

June 24, 2012  12:43 AM

Got backup? Try Duplicati

Ken Harthun

Source: Mozy, iJustine

Nice T-shirt, eh? Yeah, it’s been around for a while, having been part of one of Mozy’s (the online backup firm) promotions a few years back. It’s a great double entendre (not to mention the eye candy) and really punches home the need for backups. Which is what this post is about. Specifically, it’s about Duplicati, a free backup client that securely stores encrypted, incremental, compressed backups on cloud storage services and remote file servers. It works with Amazon S3, Windows Live SkyDrive, Google Drive (Google Docs), Rackspace Cloud Files or WebDAV, SSH, FTP (and many more).

Duplicati is licensed under LGPL (if you don’t know the difference between this and the GPL, well, better find out) and is available for Windows, Linux and, as of May 2012, MacOS in several languages. AES-256 encryption is built in and GNU Privacy Guard is also available. The latest version is 1.3.2.

It took me less than a minute to download and install with the defaults, but you’ll probably want to turn off the translations unless you speak several languages. After installation, the Duplicati Setup Wizard let me set up a new backup. For test purposes, I selected “Custom folder list” for my backup. After that, I was taken to the “Select password for the backup” screen. Here, you can choose the encryption method you want and set a good password. You can click the magic wand button to generate a super-strong password, or you can use one of your own. I chose to run the backup immediately and everything went smoothly.

Restoring from backup is straightforward: just click the Duplicati tray icon, open the wizard and follow the instructions.

It doesn’t get much easier than that to produce reliable, secure backups.

June 21, 2012  12:13 AM

Got encryption? Try AES Crypt

Ken Harthun

You know you need encryption to protect sensitive information whether you travel, upload sensitive files to the cloud, or just want to feel secure knowing that your data is accessible only to you; I won’t belabor the point. What I will do is talk about AES Crypt, advanced file encryption software for Windows, Mac, Linux, and Java. AES Crypt uses the industry standard Advanced Encryption Standard (AES) to easily and securely encrypt files:

Using a powerful 256-bit encryption algorithm, AES Crypt can safely secure your most sensitive files. Once a file is encrypted, you do not have to worry about a person reading your sensitive information, as an encrypted file is completely useless without the password. It simply cannot be read.

Steve Gibson uses AES Crypt and had this to say about it in Security Now! Episode 356:

This is simply a utility to give end users access to AES 256-bit file encryption. So it’s just a – it’s as simple as you use this in the same way that you use ZIP to zip up a bunch of files, you use this to encrypt a file. It asks you for a password. And that password is hashed and then used as the key for the encryption. And no force on Earth, as far as we know, if you use a strong password, is able to decrypt it. So it’s absolutely bulletproof.

If you don’t already have it on your system, the installation routine will install Microsoft Visual C++ 2010 Redistributable. Installation is quick and does not require a reboot. The program has a context menu entry so you can simply right click on a file and select “AES Encrypt.” Enter your password (be sure it’s a strong one) and the program creates a new, encrypted file with a .aes extension.

One big advantage is that AES Crypt’s file format is also published so other applications can utilize it. In fact, Duplicati, an Amazon S3 front end that I will cover in a future post, bundles the file format into their back end so the files that Duplicati stores at Amazon are AES Crypt compatible encrypted.

June 9, 2012  1:18 PM

Change your password

Ken Harthun

If you are a member of music site, you may want to change your password. While they have not confirmed that any passwords have leaked, an announcement on their web site says they are “investigating the leak of some user passwords.”

This is a good time to think about changing passwords on all of your social media sites. While you’re at it, do a thorough review of all your passwords. If you have a password manager such as LastPass, or KeePass, the chore is much easier.

June 8, 2012  12:53 PM

Online privacy: Forget it!

Ken Harthun

If you are naive enough to think that you can post anything online, or even surf to a “safe” site, and maintain any semblance of privacy online, then you haven’t been paying attention. If you’re online, most of your life and all of your surfing habits are known. Gary Kovacs, CEO of the Mozilla Corporation, gave a talk at TED in February 2012 called “Tracking the Trackers.” If you aren’t outraged after watching the video, then you’re either completely apathetic or totally clueless.

As you surf the Web, information is being collected about you. Web tracking is not 100% evil — personal data can make your browsing more efficient; cookies can help your favorite websites stay in business. But, says Gary Kovacs, it’s your right to know what data is being collected about you and how it affects your online life. He unveils a Firefox add-on to do just that.

The video is just under seven minutes long and well worth watching. I also recommend you download the Collusion plugin for Firefox. Download Tracking the Trackers.
