Security Corner


May 30, 2011  8:00 AM

Everything I’ve Ever Said About Passwords is Wrong?

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, maybe. At least that’s what Steve Gibson said in Episode 302 of the Security Now! podcast:

Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?

If nothing anyone thinks about passwords is right, then I must be wrong, too, right?

Steve has been playing with a passcode designer under the premise “Maximal Entroypy, Minimal Length, Maximal Strength.” He says that in the process of working on this, he realized that our concepts of passwords are wrong and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:

The Passcode Designer is based upon the concept of generating maximal-entropy, maximal-strength, and minimal-length passcodes by encouraging a high number of “transitions” between the four character “classes” where the classes were the uppercase alphabetic (A-Z), lowercase alphabetic (a-z), the ten digits (0-9) and the 33 printable special symbol characters (!\”#$%&’()*+,-./:;<=>?@[\\]^_`{|}~). The interactive graphical JavaScript-driven state machine at the top of this page was the beginning of the development of that concept. (It is fully functional, finished, and works as intended.)

But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.

I can’t wait to see what he has come up with.

May 29, 2011  6:35 PM

Top Five Public Computing Safety Tips

Ken Harthun Ken Harthun Profile: Ken Harthun

We all know that using public PCs in hotels or open public wi-fi connections is risky business these days. Nevertheless, we are so dependent on our computing devices that we often find we have no choice. True, many of the public wireless access points are now using encryption, but those kiosk PCs are another story. These PCs are rarely maintained properly and often contain keyloggers or other data-stealing malware, so using them for anything sensitive isn’t smart.

Regardless of whether you are using your own laptop or a kiosk PC, there are certain precautions you can take to make your public computing session safer. Here is my top five:

  • NEVER use an unencrypted wireless access point or public kiosk PC to log onto any banking, bill payment or credit card sites nor any site where you will be required to enter any sensitive personal information such as credit card numbers or bank account numbers. This applies to online shopping as well.
  • If using your own device, make certain you have the latest security updates for your OS and the latest version of your preferred browser. Block all pop-ups with a program like NoScript and store passwords only in a secure password manager like LastPass, never in the browser.
  • Do not, under any circumstances allow a public PC to save your logon information. Further, clear all history and temporary Internet files when you are finished browsing. If your browser allows private browsing (most do), use that feature.
  • Always LOG OFF of any site, such as social networking sites or webmail before closing the browser to insure the next person to use the machine cannot open your session. You may have noticed that you can close a tab or your browser and often your session doesn’t close. Try that with Facebook and you’ll see it in action.
  • Finally, be aware of your surroundings. Is someone standing behind you or watching you from the next table? Shoulder surfers can steal your login information. Believe me, it happens. Especially be wary if you see anyone with binoculars.


May 29, 2011  1:35 PM

Huge Spikes in Malware

Ken Harthun Ken Harthun Profile: Ken Harthun

According to the good folks over at Sunbelt Security (now owned by GFI), an incredible 73,000 new types of malware are being issued every day, a 26% increase over last year’s figures. Between this and the recent security breach at Epsilon, I am noticing a huge increase in my own spam levels. One of the most significant increases seems to be the pharmacy scam, but the 419 scams and variations are a close second. So far this week, I’m the beneficiary of nearly $750 million!

Here’s a screen shot of a portion of one of the more interesting scams purportedly directly from the FBI:

Not surprising, I have also been called upon to remove more malware infections than usual. Some of them are getting quite stealthy. Sunbelt Security’s Threats Page maintains and up-to-date list of the top ten malware detections as well as a handy meter of the worldwide threat activity level. Right now, it’s recommending that you take a guarded approach in your computing practices.

Six out of the 10 listings are Trojans that are normally delivered through email. No surprise there, either: email is the #2 vector for malware eclipsed only by malicious websites.


May 28, 2011  12:12 PM

Time to Lighten Up!

Ken Harthun Ken Harthun Profile: Ken Harthun

Very funny Cisco commercial. Sometimes, we just have to laugh and make fun of ourselves as Cisco does in this video.

[kml_flashembed movie="http://www.youtube.com/v/q35Uzw1M9e0" width="425" height="350" wmode="transparent" /]


May 28, 2011  1:12 AM

Wire Fund Transfer Trojan

Ken Harthun Ken Harthun Profile: Ken Harthun

Got an interesting email this morning purportedly from “alerts@federalreserve.gov” with “Your Wire fund transfer” as the subject. Here’s a screen shot:

This appears to be a warning of some sort, though it really makes little sense. The link points to a Slovenian domain name and if the victim clicks the link, they are taken to a 404 error page that attempts to download a PDF file, undoubtedly infected with an info-stealer of some sort.

The header is real, linked from the actual federalreserve.gov website which is intended to make the victim believe the email is real, which, of course, it is not. Examination of the headers shows a Return-Path to a Gmail address.

Please inform your family and friends to immediately delete this email should they receive it.


May 25, 2011  1:28 AM

Apple Refuses to Help Victims of Mac Defender

Ken Harthun Ken Harthun Profile: Ken Harthun
Mac Attack

Mac Attack

So, you’re a Mac user and you get hit by the Mac Defender fake virus warning. You call Apple’s tech support line, right? Well, you’ll get no help from them. According to a leaked Apple memo, here are the instructions to support personnel:

You cannot show the customer how to force quit Safari on a Mac Defender call.
You cannot show the customer how to remove from the Login items.
You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the Apple.com forums)

In other words, you cannot do anything to help the customer. What the hell are they thinking? This is the wrong response. For Heaven’s sake, at least send them in the the right direction. Microsoft does.

Record numbers of OS X users are falling victim to this scam because Apple has created a false sense of security through their marketing and advertising suggesting Apple users are immune to security threats. The users believe this fake notice is real because of this false data, so they take action thinking that Apple really must be protecting them.

Perhaps this means that Mac has finally entered the mainstream. They are now a viable target for hackers, scammers and other cyber-criminals. And why not? One could argue that Mac owners have more money than PC owners as a rule. Why not go for those bigger bank accounts?

The bottom line is that Apple’s refusal to help its customers is going to give the company a major black eye. I wouldn’t be surprised to find people jumping off the Apple bandwagon, selling their Macs and getting PCs.

Stranger things have happened.


May 22, 2011  4:56 PM

How Long Should a Strong Password Be These Days?

Ken Harthun Ken Harthun Profile: Ken Harthun
thegoldguys.blogspot.com

Source: thegoldguys.blogspot.com

It used to be – and I used to recommend – that a good, strong password was a combination of upper/lower case letters, numbers and special symbols at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, making brute-force password cracking programs able to guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, making distributed computing projects such as Distributed.net‘s Project Bovine RC5-64 reportedly capable of guessing 76.1 Billion passwords per second 8 characters just isn’t enough. Think about it, an 8 character password using a 96-character field has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.

When Georgia Tech Research Institute developed a method of using general purpose GPUs, to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I’m now considering upping the ante and recommending 15 characters as a minimum length for passwords. The problem with this is the extreme difficulty in remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list or a secure password manager such as LastPass becomes essential.

The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.


May 17, 2011  3:02 PM

Scam Alert: Fake Skype Update Email

Ken Harthun Ken Harthun Profile: Ken Harthun
FortBendNow.com

Source: FortBendNow.com

Got an email this morning from “Skype Newsletter” with the subject “New version of Skype has been released ! Upgrade now.” If you use Skype and you get such a notice, delete it: it’s a scam to get you to “join” some bogus software site. It is NOT from Skype. I did not see any attempt at installing malware. Here’s the text of the email:

Skype Voip  Upgrade Notification‏

This is to notify that new updates have been released for Skype.

(link removed)

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

(link removed)

Start downloading the update right now and let us know what you think about it.

We’re working on making Skype better all the time !

Talk soon,

The people at Skype

====================== PROTECT YOUR PASSWORD ===========================
Skype or Skype Staff will NEVER ask you for your password via email. The only place you are asked for your password is when you sign in to the Skype application or our website.


May 16, 2011  10:50 PM

Michaels POS Breach Bigger than Reported

Ken Harthun Ken Harthun Profile: Ken Harthun

Michaels Stores, Inc. says that their point-of-sale (POS) PIN pads at 90 stores in 20 states were tampered with. The craft store chain is replacing PIN pads at most of its 964 U.S. Stores. According to BankInfoSecurity.com, the breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]

Michael Stores initially reported that a scheme, in which point-of-sale pads customers use to key in their personal identification numbers, was isolated to Chicago, but on Tuesday [May 10, 2011] the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.

Michaels’ statement includes a list of the stores they determined were actually affected, but decided to be extra cautious and said this about the incident:

Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total
devices) in its 964 US stores that showed signs of tampering. Suspicious PIN pads were
disabled and quarantined immediately. Out of an abundance of caution, Michaels has
removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads
from its US stores.

The company has commenced replacing these PIN pads in all US stores and expects the
replacement to be completed within the next 15 days. Until the new upgraded PIN pads are
installed, customers may have their credit and signature debit transactions processed on the
store register. As an additional precaution, Michaels is screening all PIN pads in Canadian
stores.

It is highly likely that this is a very carefully targeted organized crime effort, given the scope and level of effort needed to accomplish the physical tampering of the POS devices.


May 10, 2011  4:34 PM

LastPass Security Incident #4dc9630d9b403

Ken Harthun Ken Harthun Profile: Ken Harthun

Just received this email from LastPass which gives further information about the security incident.

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit https://lastpass.com/status for more information.

Thanks,
The LastPass Team

As I said before, I am very impressed by their response to this incident. Here is their latest update on the blog:

LastPass Security Notification

Update 9, ~11am 05/09 EST:

Many users are changing their password and then determining they can’t remember it, a number have also run into issues with password changes and want to go back, you can now do this yourself without contacting us: https://lastpass.com/revert
It allows you to either roll back your last password change or revert your account to the 4th. You must prove access to your email again to use it.

I guess those users should read Security Corner more often. This would help them:Your Wallet is the Best Password Manager, as would this one:Un-guessable Passwords—How to Make Them.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: