Security Corner


July 24, 2011  1:05 PM

Amusing 419 Scam Tactic

Ken Harthun Ken Harthun Profile: Ken Harthun
FortBendNow.com

Source: FortBendNow.com

Ever heard of the “Anti-Cyber Crime Unit?” Neither have I, but when I got an email the other day with the subject line “Email from: The Anti-Cyber Crime Unit,” it piqued my curiosity. I found it clever and amusing, but read for yourself and see what you think:

The UNITED NATIONS, FBI, LOTTERY OFFICES, COMPENSATION OFFICES AND BANKS recently discussed at a congressional hearing conducted this week just how its special anti-cyber crime taskforce worked when it came to combating cyber crime and the nefarious digital machinations of web rapscallions, hacker hooligans, cyber criminals, and virtual villains. They outlined its latest accomplishments in the IT security front, which included the capture of million-dollar scammers via a synchronized raid on a thousand ATM machines a few months back.

However, truth be told, no one thinks that the U.k. Government and other goverment is fully equipped and ready to stop a really bad hacker attack against its physical or financial networks.

The Decision has been taken, and they have decided to instruct the Anti-Cyber Crime Unit to see and investigate your funds Transfer and why you are yet to get your funds.

You are now to provide Us with the following information below;

YOUR NAME; ………………..
ADDRESS; ……………….
SEX; ………………..
MOBILE NUMBER; ………………….
OCCUPATION; …………………..
AMOUNT OF FUNDS TO BE CLAIMED; …………….
AGENT IN CHARGE OF TRANSFER; …………..
BANK WITH YOUR UNCLAIMED FUNDS; …………….
TYPE OF FUNDS; ………………
STATUS OF TRANSFER; ……………….

Immidiately you provide us with the information above, we will investigate your transaction and get back to you with the full details of your funds WITHIN 24HRS.

This is to Fight the Cyber Crime and also inform you if you dealing with the right Person or not.

After the investigation we will instruct you on how to get your funds.

Anti-Cyber Crime Unit
Mr. Thomas Lifson
+447035906084

You’d think by now that the crooks would give up, so why don’t they? The answer is: people still fall for this ruse and as long as people keep falling for it, crooks will keep running the scam.

July 23, 2011  4:06 PM

Microsoft is Finally Starting to Listen to Me…

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, maybe not me, but over the past couple of years, Microsoft is finally starting to get their security practices in order.

The college I work for has just switched all email for students and staff over to Microsoft’s Live@Edu hosted Exchange offering. While we administrators set pretty secure default passwords when configuring the accounts, people will be people and usually change them to something they can remember, meaning completely guessable and insecure. So, Microsoft is going to enforce strong passwords going forward:

Dear IT Administrator,
Thank you for your continued participation in the Live@edu program. We would like to make you aware of a Windows Live service update that will bring new improvements to the end user experience. You should also be aware of some minor changes to the administrator capabilities brought about by this update. This email provides a summary of these changes along with the timeframe for the update.
Changes in the Password Policy for Windows Live ID
As part of an effort to increase security, the password policy for the Windows Live ID will be strengthened. These changes will come into effect on September 1st, and will only affect those users that change their password or create a new password after the update. Under this updated policy, the new password must meet the following requirements:
Must be at least seven characters long and not longer than sixteen characters.
Cannot be reset to any of the previously used 10 passwords.
Must contain characters from all of the following three categories:
º
Uppercase letters (A through Z)
º
Numbers (0 through 9)
º
Special symbols such as:!, $, #, % etc.
Current Live@edu users will not be required to change their existing password as a result of this change in policy. However if you try to change or reset it, then the new password must meet the above mentioned requirements. If a password is among previously used 10 passwords, you will see an error message “A password match is found in the history.”

All I have to say is, Bravo!


July 23, 2011  12:59 AM

Video: Security News Roundup

Ken Harthun Ken Harthun Profile: Ken Harthun

An interesting roundup of stories from Sophos.

[kml_flashembed movie="http://www.youtube.com/v/_f1IOb5B7OY" width="425" height="350" wmode="transparent" /]


July 17, 2011  2:14 PM

Update on Security Nightmares

Ken Harthun Ken Harthun Profile: Ken Harthun

Recall my June 30, 2011 post where I talked about the security nightmares I walked into on my new job:

In this case, it’s a nightmare on Seventh Street! These are the types of things that give me nightmares and I walked into a total nightmare factory:

Wiring closets are open on every floor and every floor has a managed switch and/or router sitting in the closet.

Servers behind unlocked and open doors because shutting the door makes the room too hot and the servers shut down.

Contractors putting in new floors in the server closet and I have no access control.

Backups to external USB drives that anyone in the unlocked closets could walk off with and backups have been intermittent.

Staff laptops are not using encryption.

The good news is that I have corrected some of these things, so I now sleep much better at night!

  • The wiring closets are now locked.
  • Core switch and servers are now behind locked door and cooling has been installed.
  • Barracuda backup server installed and all servers are being backed up with critical data backed up every two hours and sent to the cloud.
  • Data structure standardization initiative in progress which includes backup/encryption for staff laptops.

I have to say that the organization is now probably more secure than they have ever been, thanks to my efforts and the efforts of the IT staff at the other locations. Good thing is, we have corporate backing on these efforts. It’s nice to know you have the power to make a difference and get things done.


July 7, 2011  2:20 AM

Cryptogram Contest Solution

Ken Harthun Ken Harthun Profile: Ken Harthun

Better late than never, I guess. I promised this would be published on June 30. Well, I got a new job and I got really, incredibly, insanely busy. But, here we go. Recall this:

The ciphertext is below. Hint: The key to solving this cipher is to figure out the shift and the variation. The very first letter of the cryptogram is the actual first letter of the first word and all punctuation is preserved. Please note that this is NOT a simple substitution cipher. There is no guarantee the letters will be the same throughout, though you may notice repeating patterns.

‘TXZT ASHMKIF, BME SID TKJSIZ UNWDT CJC HXSD BME FJLCKF HO SID XZCD: BKM LJLTX XDSD UGF APQPFPUFR, BME SID NNND SZUGT NVSHQBAF.

Two readers solved the puzzle, one by conventional means and one by rather unconventional, but ingenious means. Here are there results:

Brian: “Confession time – I cheated. I eventually tracked the quotation down >> > on the basis of the word count. I quite understand if this disqualifies me. If it doesn’t, then I would choose the download.”

When I told him he won based on his approach, he wrote back with this:

I had verified my solution using the shifting Caesar Cipher, but I’m hoping your blog will have something about the approach taken by the other solver. I only came to the “words” approach when I had to admit to defeat using more orthodox methods!

Fact is, Brian made the effort to solve the cryptogram and his unconventional method was successful. This shows very analytical thinking worthy of any cryptanalyst. Well done, Brian!

John provides the conventional solution to the cryptogram:

I think I figured the puzzle out. It is referencing a very old science fiction quote from a short story “Mimsy Were the Borogoves” by Lewis Padgett published in February 1943. I also think there were a couple spelling errors in the pattern.

‘Twas Brillig and the slithy toves did gyre and gimble in the wabe:
All mimsy were the Borogoves, and the mome raths outgrabe.

The pattern, outside of the first “T”, was -1 then +1 then -1 then +1, and so on…

Two winners, two different approaches.

And, by the way, the poem is called “Jabberwocky” and was written by Lewis Carol of “Alice in Wonderland” fame.

Congratulations, winners!


June 30, 2011  3:08 AM

Security Nightmares

Ken Harthun Ken Harthun Profile: Ken Harthun

In this case, it’s a nightmare on Seventh Street! These are the types of things that give me nightmares and I walked into a total nightmare factory:

Wiring closets are open on every floor and every floor has a managed switch and/or router sitting in the closet.

Servers behind unlocked and open doors because shutting the door makes the room too hot and the servers shut down.

Contractors putting in new floors in the server closet and I have no access control.

Backups to external USB drives that anyone in the unlocked closets could walk off with and backups have been intermittent.

Staff laptops are not using encryption.

Insecure and obsolete (Win 2000) servers on the network.

Still some floater laptops that have NO antivirus protection (just had to re-image one that got infected with a really nasty rootkit).

No security policy exists.

This is like a game show: “Hey, Mr. Hacker, COME ON IN!”

But don’t try it: I’m on the scene. “Drunk hacking – You WILL get caught, and you WILL be arrested!” LOL

Another week or so and those nightmares are history!

Believe me.


June 18, 2011  10:15 PM

Reduce Unwanted Email

Ken Harthun Ken Harthun Profile: Ken Harthun

If you use your main email address to get free offers, downloads, etc., you run the risk of having your email address become Spam Central. I know because not only has it happened to me, it has happened to almost everyone I know. Recently, I made the mistake of providing my main email address to an auto insurance “quote portal” who promised to get me three of the best rate quotes from top insurers. Big mistake! Within minutes, I was receiving loads of unwanted solicitations that I did not opt into. This “portal” must have sold my email address 300 times in mere seconds.

I could have prevented this incessant barrage by using a disposable or temporary email address. I’ve written about this before (see
Protect Yourself From Spam With Disposable Email Addresses) but I wanted to update you on a couple of other services I discovered.

10-Minute Mail gives you a temporary email address that lasts — you guessed it — 10 minutes. It has a neat feature whereby you can extend the time by an additional 10 minutes in case you didn’t get your download link quickly enough. Geek tested and approved!

Spambox creates a temporary e-mail address for you that will expire in the time you chose, anywhere from 30 minutes to a full year. All the mails directed to this e-mail will be transparently forwarded to your real e-mail. If you’re getting too much email from that address, you can cancel it and stop the flow. If you want to extend the life of the mailbox, you can do that too. This service has a very, very cool feature that allows you use your own domain so that websites who think they are wise to temporary email addresses won’t know the difference. Geek tested and approved!


June 12, 2011  4:33 PM

Cryptogram Contest

Ken Harthun Ken Harthun Profile: Ken Harthun

This is the “lighten up” portion of this month’s series of blog posts. I have created a cryptogram that I believe will be difficult to solve, though I have used a simple sequential variation on the Caesar Cipher. Everyone is eligible to play and the prize will be a DVD (or download – your preference) of my Geek Toolkit that normally sells for $27 through my special offer (You don’t have to enter – you can just buy a copy of the toolkit if you want). To enter, just email your solution and shipping details to me: ken [at] kenharthun.com. Deadline is 28 June 2011. I will publish the method I used and the solution on 30 June 2011.

The ciphertext is below. Hint: The key to solving this cipher is to figure out the shift and the variation. The very first letter of the cryptogram is the actual first letter of the first word and all punctuation is preserved. Please note that this is NOT a simple substitution cipher. There is no guaranteed the letters will be the same throughout, though you may notice repeating patterns.

‘TXZT ASHMKIF, BME SID TKJSIZ UNWDT CJC HXSD BME FJLCKF HO SID XZCD: BKM LJLTX XDSD UGF APQPFPUFR, BME SID NNND SZUGT NVSHQBAF.

Good luck!


June 11, 2011  2:34 AM

The American Cryptogram Association

Ken Harthun Ken Harthun Profile: Ken Harthun

Naval Enigma Machine

If you have followed me for any length of time, you know that I’m fascinated with codes, ciphers and crypto in general. My love of codes and ciphers started in the early 1960′s when I was an elementary school student. Being the mischievous type, I and several of my other geeky friends would invent codes and ciphers to pass notes in class. We’d say naughty things about the teachers or other students and even if we got caught, no one could figure out the messages. So, you can imagine my delight at finding the American Cryptogram Association web site.

Here’s what they say on the home page: “The American Cryptogram Association (ACA) is a non-profit organization dedicated to promoting the hobby and art of cryptanalysis — that is, learning to break ciphers.”

Sounds like great fun. They even provide a sample issue of their bi-monthly newsletter, The Cryptogram, which I immediately downloaded. I can’t wait to dig into that and peruse the rest of the resources on the site. One thing I’m particularly interested in is Crypto Lessons and Tutorials by LANAKI.

There are links to several cryptogram pages and scores of crypto tools on the Resources page, though I found a couple of broken links. Still, the home page appears to contain current information, so it looks like ACA is alive and well. Check it out.


June 9, 2011  3:36 PM

The New Password Paradigm – Part 3

Ken Harthun Ken Harthun Profile: Ken Harthun

In this part, I’ll comment on some of the past articles I’ve posted about passwords and align them all with the new paradigm (See “The New Password Paradigm – Part 1” and “The New Password Paradigm – Part 2“).

Feb 17 2008: How to Write Down Your Passwords and Not Worry About Someone Stealing Them – This article, one of my earliest on the subject, is a neat little system for creating unguessable passwords and writing them down. It’s a bit too complex and is now obsolete as is this Aug 24 2009 post: Un-guessable Passwords—How to Make Them.

Feb 24 2008: Can a Criminal Hacker Guess Your Password? – This article talks about the dangers of using common words, keyboard patterns and other easily guessable passwords. It is just as valid today as it ever was with the exception that under the new paradigm, you can use such things in combination with your personal password padding policy.

Apr 27 2008: Your Wallet is the Best Password Manager – Says to write your passwords down and keep them in your wallet. Still applicable. You should not write down your padding pattern with those passwords, however. Say you use “…” as your padding and choose the word “fireplace” as your password, padding it like this …fire…place… Simply write the word fireplace on your list, not the whole padded thing.

Aug 20 2009: Peter Piper Picked a Perfect Password Pattern – I suggested using patterns to pad passwords almost two years ago, a major component of the new paradigm.

Apr 22 2010: Passwords Are Too Complicated – I was right: passwords are too complicated! Passphrases are easier to remember and under the new paradigm, you don’t even have to get very creative to come up with them.

Apr 26 2010: Jabberwocky – Password – This nifty little post about using Lewis Carroll’s poem, “Jabberwocky,” to create stong passwords is pretty brilliant if I do say so myself. Couple that with a good padding pattern and you have a real winner.

May 13 2010: Secure Computing: Password Card is a Winner – The password card is a nifty little tool and is still a valid way to create and remember complex passwords; however, it’s obsolete under the new paradigm unless you want to use it to create padding patterns.

Sep 14 2010: Is Your Password on the List of Worst Ones Ever? – Valid information, but hardly dangerous if you use one of them with a padding pattern.

Dec 27 2010: Use Strong, Unique Passwords! Use Strong, Unique Passwords! Use Strong, Unique Passwords! – Valid information that once again suggests using a personal pattern.

Jan 18 2011: Password Voodoo – A nifty trick using your keyboard FCC ID to create a password, but it still requires that you remember a pattern.

Mar 26 2011: Create Perfect Passwords on Paper – Steve Gibson’s Perfect Paper Passwords is still relevant and also can be used to create your password padding pattern.

May 22 2011: How Long Should a Strong Password Be These Days? – Definitely valid information and the new paradigm makes it even easier to make 15-character long (or longer) passwords.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: