Security Corner

April 8, 2011  12:06 AM

OpenCandy – Benign Adware or Malicious Spyware?

Posted by: Ken Harthun
adware, Malware, OpenCandy, spyware

OpenCandy (OC), a relatively new advertising product is currently being bundled with software installers for popular programs including IZArc, mirC, PrimoPDF, Trillian Astra and more. As always happens with “new” methods of advertising via bundling agreements, OC is generating quite a bit of controversy in various forums and blogs. Some say it is benign adware under control of the person running the installer, others say it has the potential to be malicious spyware. I have no personal experience with OC, so I did some investigation by seeing what the OpenCandy folks had to say:

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development.

The installer uses the OpenCandy plug-in to present a software recommendation (such as the one below) during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

OpenCandy isn’t installed onto your computer, doesn’t collect personally identifiable information about you, and doesn’t collect information about your web browsing habits. It is safe, secure, and used by hundreds of software developers, including many of the world’s largest anti-virus companies. Several of our partners are listed here:

IF this is true, then it looks like OC is benign. Check out the partners at the URL above, then you decide.  Other forum members at Dave’s Computer Tips seem to agree with me:

ozbloke: I believe OpenCandy, as it now stands, is relatively harmless adware; on the proviso that the software distributors who bundle it with their products stick to a regimen of full disclosure and and employ an opt-out system. However, the potential for abuse is somewhat disturbing and I would like to see some more concrete assurances/guarantees in place.

As always, caveat emptor.

April 3, 2011  11:48 PM

Kroger Customer Database Compromised

Posted by: Ken Harthun
Fraud, Online Scams, Security

I have not been able to verify whether or not Kroger uses the same email services vendor, Epsilon Interactive, as U.S. Bank (see U.S. Bank Vendor Epsilon Interactive Hacked), but got this notice as well:

Kroger wants you to know that the data base with our customers’ names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

Wonder how many other notices I’ll be getting?

April 3, 2011  12:45 PM

U.S. Bank Vendor Epsilon Interactive Hacked

Posted by: Ken Harthun
Banking Fraud, E-mail scam, Fraud, Hacking, Online banking fraud, Online Scams, Security

If you are a customer of U.S. Bank better be on the lookout for suspicious emails. It seems one the bank’s vendors of email marketing services, Epsilon Interactive, has been hacked and your email address may have been obtained in the process.

My wife got this email notice yesterday:

As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time.

Stay alert to anyone who requests personal information via email. It just isn’t done by any financial institution.

March 31, 2011  11:50 PM

Complex Compound Pass Phrases

Posted by: Ken Harthun
passwords, Secure Computing, Security best practice

What the heck is a “complex compound passphrase,” you ask? Ah, let me enlighten you, Grasshopper! I am the master of password systems, but this one escaped me. You see, I had fallen into the trap known as complexity and had been busy defining complex algorithms for generating unguessable passwords; in essence, I had been hoist by my own petard.

Yesterday, while solving the latest Cryptoquip puzzle in my local newspaper, I had a revelation. The description of the cryptoquip always says something along the line of “this puzzle is a simple substitution cipher…” The Aha! moment came when I realized that “simple” is the operative word here. People don’t like complexity, so the average person isn’t going to use a complex algorithm.

So, even though I call this “Complex Compound Pass Phrases,” the method of creating them is simple. I call them “complex” because they are extremely strong and nearly unbreakable for all intents and purposes. Here’s how to create them.

  1. Choose at least two words that are memorable to you. It doesn’t even matter if it’s something someone else would know. Use your pet’s name, your mother’s name, whatever.
  2. Merge the two (or more) together alternating letters from each word, creating a string.
  3. To make it all even more secure, capitalize every other letter or change a couple of the letters to their number equivalents.

All that would take a minute, at most and is easily remembered.

Here’s an example using my name and my pet’s name (Kenneth, Missy): KmEiNsNsEyTh. You could change the E’s to 3′s and you would have Km3iNsNs3yTh.

Pretty well unguessable!

Note to hackerz: I have not and never will use that pass phrase, so don’t bother trying to hack me! LOL

March 31, 2011  6:58 PM

No, Samsung Isn’t Shipping Laptops With Keylogger Spyware on Them.

Posted by: Ken Harthun
keylogger, Samsung, Security, spyware

Saw this in a security forum today:

Here’s a new one; how about keylogging software pre-installed on brand new laptops, straight from the factory…….BY THE MANUFACTURER!!

The “StarLogger” software was discovered by Mohamed Hassan, founder of NetSec Consulting, after he scanned 2 brand new Samsung laptops [model numbers R525 and 540].

StarLogger auto starts with Windows and records all keystrokes made on the computer. It can be difficult to detect, and can be set to periodically and surreptitiously send e-mails containing information gleaned from the computer to a preset e-mail address, with screen capture images attached.

When Hassan first contacted Samsung to report this intrusion they referred him to Microsoft, saying all they did was manufacture the hardware. However, a senior supervisor at Samsung finally admitted that they had indeed installed the software on the laptops in order to monitor machine performance “and to find out how it is being used.”

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

Good grief!!

Sounds as though users should be adding one more essential security step to the conventional strategy…..i.e. thoroughly scan any brand new machine as soon as possible!!

Or do you do that already??

Say it ain’t so, Joe (it’s opening day in Cincinnati).

It ain’t so!

Relax, will ya?

March 30, 2011  6:55 PM

UPS Notification Spam

Posted by: Ken Harthun
Email security, Scam, Security, spam, Trojan

I can’t believe that a somewhat savvy friend of mine asked me about this message. He was actually considering opening it. Some people will fall for anything. The first thing is that this message is very poorly written. Anyway, please inform your family and clients that this is bogus and contains a malware attachment called that will infect their computers with a Trojan horse program. It usually arrives with a subject “United Parcel Service notification <number>”

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

Just delete it upon receipt.

March 29, 2011  6:32 PM

The RSA (SecureID) Compromise

Posted by: Ken Harthun
data breach, RSA Security, Security, Two-factor authentication

On March 17th, 2011, Art Coviello, RSA Security‘s Executive Chairman, posted a statement on their website disclosing their discovery of an attack on their network classified as an “Advanced Persistent Threat (APT).” Essentially, this means that the attackers had been rummaging around in their systems for awhile before being discovered; while doing so, they manage to penetrate one of RSA’s most secret databases.

This raises several questions: 1. How did the attackers penetrate RSA’s security perimeter; 2. How did they go unnoticed long enough to become a “persistent” threat; and, 3. What, exactly, did they get?

Coviello doesn’t address either of the first two questions and is quite vague on the third. How do you interpret this?

Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products [emphasis added]. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers [emphasis added] , this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack [emphasis added]. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

See what I emphasized up there? The attackers got some info related to the SecureID products. RSA isn’t saying exactly what they got, but Steve Gibson makes mention of this in a recent blog post:

…at the time of manufacture individual SecurID devices would be assigned a secret internal random or pseudo-random 64-bit key and a database would be maintained to forever map the device’s externally visible serial number to its internal secret 64-bit key.

This public-serial-number-to-secret-key mapping database then becomes “the keys to the kingdom”. It is RSA’s biggest secret to keep, since a full or partial disclosure of the database would potentially allow attackers to determine a device’s current and future display values and would therefore, of course, break any authentication protection.

More news as it becomes available.

March 27, 2011  5:50 PM

Malware Infection Flowchart

Posted by: Ken Harthun
Cybercrime, Malware, Online banking fraud, Online Scams, Security

This image needs little explanation, but I want to thank Dave at for posting it in his forum. If you’re not a member of that forum and a subscriber of the newsletter, you need to be. Here’s what he had to say:

I found this over at and it does an excellent job of explaining the “what” and “why” of malware. We at DCT often try to explain it in simple terms, but this picture just lets you follow the flow of money. Now you know why it is important to practice safe computing!

Hint: Click here to view the chart full size at its original location.

March 26, 2011  10:42 PM

Create Perfect Passwords on Paper

Posted by: Ken Harthun, LastPass, Password, Perfect Paper Passwords, Secure Computing, Spinrite, Steve Gibson

I wrote this article back in 2007. It was relevant then, and it’s relevant now, particularly in the light of the Comodo SSL compromise incident I reported in my last post. While I have gone on to using LastPass to generate and securely store my passwords, I still occasionally use Perfect Paper Passwords to generate secure passwords when I don’t want to clutter up LastPass with things I may never use again.  Steve has never mentioned this particular use of PPP, but I think it’s pretty cool.

So, here in all it’s glory is my original article entitled, “Perfect Passwords…On Paper:”

Steve Gibson, creator of Spinrite and winner of the Third Annual People’s Choice Podcast Awards in the Technology/Science category for his Security Now! podcast with Leo Laporte of, has just come up with a super-secure multifactor authentication system. Steve calls it “Perfect Paper Passwords” and you can read all about it on his web site. Be sure to read all of the pages, but beware — it’s pretty geeky stuff. Here’s a simple excerpt:

GRC’s “Perfect Paper Passwords” (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual “passcodes” contained on PPP’s “passcards” serve as the second factor (“something you have”) of a secure multi-factor authentication system.

I feel like a kid turned loose in Toys-R-Us with a thousand-dollar budget. This is truly an amazing system and I’m just now starting to figure out how to implement it in my own environment. But using it as Steve designed it isn’t the subject of this post. Most network environments are still based on the username/password model, not a multi-factor authentication model. Until the PPP system becomes a standard (and it should!), why not use the passcards to create super-strong passwords?

I know, I know, he already has the Ultra-high Security Password Generator and I’ve been using that, but the idea of breaking long strings of characters into simple, four-character snippets makes things a bit simpler and it also allows you to take some control over generating your passwords. It adds another random factor into the mix by letting you choose the order of combination, something no computer or person anywhere can possibly know. Putting them into a seven columns by ten rows grid in a format that you can fold and stick in your wallet makes it even easier.

Using the web site, you print out three passcards, each containing 70 four-character passcodes for a total of 210. Now, if you randomly combine three passcodes to make virtually unbreakable 12-character passwords, you’ll have a resource of 70 passwords right at your fingertips. Circle the ones you’re using for your current password and cross them out when you change it. Better yet, write down the columns/rows and keep that separate from your passcards. No one’s going to know that A1F4D10 translates into Cai?DCGX@xBt, but you do.

Tell your clients about it. I do.

March 26, 2011  3:02 PM

SSL Compromise an Act of Cyber-warfare?

Posted by: Ken Harthun
Certificate Authority, Comodo, Cyber warfare, Cybercrime, SSL

SANS NewsBites | March 25, 2011 | Vol. 13, Num. 024: “SSL Security Compromised…Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates.  The certificates vouch for a site’s authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype.  Comodo has revoked the stolen certificates.”

Microsoft released an advisory on March 23, 2011 (2524375) noting that the following domains were affected:

  • (3 certificates)
  • (already known from an earlier announcement by Mozilla)
  • “Global Trustee”

Now, here’s where it gets interesting. The IP traced to the attacker was that of an Iranian ISP. Think about it. Here’s what Comodo had to say in their blog post:

The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP.

Of course, this could be just that the attacker was laying a false trail, which would be smart, but how about this?

It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.

It’s a Brave New World.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: