Security Corner


August 31, 2011  8:52 PM

Creating a corporate password policy

Ken Harthun Ken Harthun Profile: Ken Harthun

How many of you have been through this?

“Why does my password expire so often?”

“I can’t change my password, why does it expire?”

“Why can’t I use ‘abc123′ as my password?”

“I can’t log in; did you change my password?”

“I changed my password, but it doesn’t work.”

“I used ‘fido1′ and it doesn’t work.”

I find myself in the midst of a  major IT initiative and the powers that be are asking my what I recommend. I keep pointing them to my posts about the new password paradigm and others I have written over the years, but they keep asking me what I think.

Here’s what I think: Choose a memorable word or phrase, add a couple of characters to the front and back – also things you will remember – and leave it at that. Mix it up a bit. The hackers don’t know what you’re doing. My dog’s name is Missy. She was born in 2007. My password is “Missy07*(”

It’s not rocket science, people. Jeesh!

The key is the last two characters which is my personal password enhancement pattern.

August 31, 2011  1:41 AM

Humor: The Yorkie cipher

Ken Harthun Ken Harthun Profile: Ken Harthun

If you have been reading this blog for any length of time (and I hope you have!), you know that I’m a big fan of ciphers. In my next post, I’m going to talk about Steve Gibson’s “Off the Grid” paper encryption system; that one is a stroke of genius. It’s based upon Latin Squares with a twist. It works. It takes an unique approach to randomness.

Well, I realized that there isn’t anything too much more random than the behavior of my pet Yorkie, Missy. It’s always a combination of play bone, growl, bark, lick my leg, lick my arm, hide the bone, bark because I can’t find the bone, fetch the bone, growl, bark, lick my wife’s leg (rarely), run to the door, pee on the floor, ad nauseum. Get the idea? Truly random. No perceivable pattern (right now, she’s throwing “poor pitiful poochie” into the mix since I’m ignoring her). Oh, and she just nipped me on the leg. Truly random, no?

So, I’ve created a Yorkie cipher that is completely unbreakable. Here’s the cipher:

1. Create a key based on Yorkie behavior: bark=b, growl=g, hide bone=h. you get the idea.

2. Write down the letter for what the Yorkie is doing at least for 20 repetitions, then take the last four characters. In my case it was bone, growl, lick, fetch: bglf.

3. Reverse: flgb.

4. Ask Yorkie what that means.

5. Give up because this is just a joke.

Did I have you going there? Sorry. It’s just time to lighten up.


August 30, 2011  12:45 AM

Video: How to kill an Apache web server

Ken Harthun Ken Harthun Profile: Ken Harthun

When you know how it’s done, you can prevent it. Here’s a cool video on the latest DOS attack against Apache (which will soon be patched…)

[kml_flashembed movie="http://www.youtube.com/v/K13nutRdlvE" width="425" height="350" wmode="transparent" /]


August 28, 2011  10:23 PM

Sophos offers free e-book

Ken Harthun Ken Harthun Profile: Ken Harthun

Sophos is offering a free copy of “Data Leakage for Dummies.” The book promises to help you:

  • Create strategies for data-risk management
  • Prevent data loss from your computers and devices
  • Protect your network from data leakage

I downloaded my copy and am looking forward to implementing the advice it offers.

Get your copy here.


August 28, 2011  2:51 PM

How to set up Facebook’s two-factor authentication

Ken Harthun Ken Harthun Profile: Ken Harthun

For some time now, Facebook has offered two-factor authentication that allows you to force the entry of a code whenever there is a log-in attempt from an unrecognized device. This is a very good additional layer of protection against unauthorized log-ins to a user’s account. When you consider that most people use weak, easily guessable passwords (despite my advice and the advice of other experts), this additional factor can make a big difference.

Setup is simple: Go to Account > Security, edit Login Approvals and check the box. Facebook then gives you a wizard that walks you through setting up your mobile phone, starting with their sending of a confirmation code. Enter the code and you’re done!


August 21, 2011  5:20 PM

Browsers: Who’s the safest of them all?

Ken Harthun Ken Harthun Profile: Ken Harthun

How safe is your web browser? For a long time now, I and many other techies have been advocating a switch to to Firefox (or any of the other popular browsers) for anyone who is using Internet Explorer. The reason? Other browsers are more secure. We all know that’s not really true anymore, it’s just that the other browsers are attacked less frequently than IE. Internet Explorer is and always has been the low-hanging fruit for hackers.

For some time now, modern browsers have been coded to detect and block malicious websites. We have all seen the messages like the one shown below:

Have you ever wondered how well your browser stacks up with respect to blocking malware? The answer might surprise you. Msnbc.com’s Technolog reports that IE9 is the clear winner:

Tests by NSS Labs to “examine the ability of five different web browsers to protect users from socially-engineered malware” showed that IE9 was able to block this kind of threat 99 percent of the time, beating out Apple Safari 5, Google Chrome 12, Mozilla Firefox 4 and Opera 11.

(Msnbc.com is a joint venture of Microsoft and NBC Universal.)

The closest another Web browser got to that blocking-the-bad stuff rate was Chrome, at a very distant 13.2 percent. At the low end of the blockers was Opera, with a 6.1 percent rate.

Makes you think twice, doesn’t it? Those tests are meaningful, of course, but they don’t take into account that IE9’s market share is only 6.8 percent whereas IE8 controls the market with 29.23 percent, so the overall effect at this time is not significant. However, perhaps this will spur the others on to increasing the effectiveness of their own technologies.


August 14, 2011  8:51 PM

Is Your PC Infected With Malware?

Ken Harthun Ken Harthun Profile: Ken Harthun

I am always suspicious when my computer starts acting strangely and immediately do a scan for malware. I usually come up clean, discovering that the strangeness is some sort of software error or system glitch. The last time I noticed a computer acting strangely (not my own), it turned out to be a malware infection that was sending spam. The main symptom was extremely slow Internet access. That incident led me to a search for a good, easy-to-understand guide about recognizing and cleaning up malware infections.

I am happy to report that I found what I was looking for at MakeUseOf.com. This handy guide, entitled “Operation Cleanup: Complete Malware Recovery Guide” by Brian Meyer, is just what the Geek ordered for his clients, family and friends. Here’s an excerpt, giving the symptoms of possible malware infection:

  • Your computer shows strange error messages or popups.
  • Your computer takes longer to start and runs more slowly than usual.
  • Your computer freezes or crashes randomly.
  • The homepage of your web browser has changed.
  • Strange or unexpected toolbars appear in your web browser.
  • Your search results are being redirected.
  • You start ending up at websites you didn’t intend to go to.
  • You cannot access security related websites.
  • New icons and programs appear on the desktop that you did not put there.
  • Your desktop background has changed without your knowledge.
  • Your programs won’t start.
  • Your security protection have been disabled for no apparent reason.
  • You cannot connect to the internet or it runs very slowly.
  • Your programs and files are suddenly missing.
  • Your computer is performing actions on its own.

You’ll have to sign up (it’s free) to get the download password, but you won’t regret it. This is clearly one of the best sites I have seen for easy-to-follow, user-oriented information. (Don’t worry, Geeks, there’s a Geeky Stuff section, too!) There are more than 50 guides covering just about everything PC, Mac and SmartPhone, Windows, Mac OS, and Linux. You’ll love the “Best Of” section, too.

Check it out.


August 7, 2011  4:14 PM

From Spam to No Spam in Minutes

Ken Harthun Ken Harthun Profile: Ken Harthun

In my June 18, 2011 post, “Reduce Unwanted Email,” I mentioned a couple of temporary email addresses that you can use when signing up for information. I wrote that post to prevent others from experiencing the spam nightmare I have been having (which I also described in that post).

Unfortunately, using a disposable or temporary email address doesn’t help when you’re already being spammed in volume. Before I took some corrective measures and blacklisted some domains and addresses, I was getting upwards of 100 pieces of spam every day. My mail provider’s spam filtering was somewhat effective, but some spam still got through while there were quite a few false-positives. I quickly realized that wasn’t the solution.

As an avid listener of the podcast “Security Now!,” I have heard Leo Laporte speak very highly of MailRoute.net. I decided to give it a try and signed up for their 15-day free trial last week. As required by the service, I changed my MX record to point to mailroute.net’s servers. I then turned off my host’s spam filtering. Within minutes, the spam started trailing off and there were no false positives. I’m definitely going to spring for the yearly subscription when the trial ends.

Just today, I noticed one false positive–an email from a client’s backup software–but that was easy to fix. I just selected the message and told MailRoute to “Recover and whitelist sender.” The message appeared in my mailbox instantly.

Check it out.


July 31, 2011  3:44 AM

Is Information Security a Viable Career Choice?

Ken Harthun Ken Harthun Profile: Ken Harthun

Working in an educational environment is an interesting experience. Young people seeking the knowledge they need to start their careers have a different viewpoint than those of us who are working in our fields. We tend to know where we are headed with our careers; the youngsters have questions about where they are headed. One student asked me recently is Information Security a viable career choice? I answered that it is.

The student was concerned that information security measures are getting better all the time and that it may not be necessary to have information security professionals in the future if things keep improving. I pointed out that we still have physical security professionals employed virtually everywhere even though physical security technology is more advanced than it has ever been. Criminals still manage to circumvent physical security measures even in the face of advanced technologies. It is no different with information security.

I assured the student that she couldn’t go wrong in pursuing an information security certification. Crackers will always be there trying to breach the walls that we security professionals erect to keep them out of our networks. Sure, the technology will evolve and the skill sets needed today will be irrelevant tomorrow, but information security will always be a concern and there will always been a demand for qualified people who understand it.

Every information technology professional from the desktop support technician to the CIO has some responsibility for the security of their organization’s data. The Network Administrator’s role is probably the most critical since he is the one with his feet on the ground dealing with the day to day issues.

Physical security has evolved with technology; information security is doing the same. Despite advances, there is still a need for physical security personnel; likewise, there will always be a need for information security personnel. If information security is what interests you as a career path, I say go for it.


July 30, 2011  2:52 AM

(Humor) I Couldn’t Resist Replying to This

Ken Harthun Ken Harthun Profile: Ken Harthun

I get these scams all the time and I just couldn’t resist answering this one. Here’s the exchange:

Dear Mr. Hendrik:

God bless you, sir! This grant could not have come at a better time. You see, I had a dog for many years that I truly considered my friend and I had to put her to sleep recently. This devastated me so much that I went on a bender for six weeks and woke up in the hospital missing both of my legs. I have no idea what happened, but one of the nurses said I passed out on the railroad tracks. I don’t remember, but I guess I have to believe her.

They tell me that I have been here (in hospital) for almost a month now and the bill is approaching $500,000.00, so I really need this grant and it couldn’t have come at a better time. I will be able to pay off my hospital bills and have enough left over to re-build my life, such as it has become. Perhaps with the remaining money, I will be able to afford (barely) a pair of bionic legs.

However, your letter has left me with a dilemma: I have no money to pay your processing fee. Since I am to be granted $950,000.00 USD, I can certainly afford to pay you back should you be so kind as to lend me the $560.00 processing fee. In fact, I would be happy to pay you back $1,120.00 in exchange for your generosity.

Mr. Hendrik, I truly appreciate your contacting me in my time of need and look forward to receiving your loan of the processing fee via Western Union immediately upon receipt of this email. You can well imagine how desperate I am and your benevolence at helping a fellow human being in need will certainly be rewarded in whatever afterlife you find yourself.

On 7/24/2011 3:04 PM, Mr. Franklin Hendrik wrote:

International Monetary Fund (IMF)
Independent Corrupt Practices and Other Related Offenses Commission
Wuse Zone 5, Garki
ATTN: BENEFICIARY,
Your International Monetary fund (IMF) grant  of $950,000.00 USD  has been approved by the International Monetary fund (IMF) board of directors during their last meeting. The amount to be transfered to your nominated bank account is to be carried out by one of our partner banks
owing to the fact that the International Monetary fund(IMF) does not directly remit funds into the bank account of its beneficiaries .
The last hurdle you would have to scale to have your pending funds transfer transferred to your nominated bank account is the International Monetary fund (IMF) grant processing fee of $560.00 USD.
Once this fee is paid! The necessary documents the bank will require from you will be presented to you by us to enable you have access to your $950,000 USD.
This transaction can and should be concluded within 48 or at most 72 working hours after you have made payment of the International Monetary fund (IMF) grant processing fee of $560.00 USD.
Do respond swiftly, So that we can conclude this transaction as soon as possible.
Once again congratulations on your just approved grant of $950,000.00 USD.
Regards,
Mr. Franklin Hendrik
INTERNATIONAL MONETARY FUND.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: