Security Corner


May 25, 2011  1:28 AM

Apple Refuses to Help Victims of Mac Defender

Ken Harthun Ken Harthun Profile: Ken Harthun
Mac Attack

Mac Attack

So, you’re a Mac user and you get hit by the Mac Defender fake virus warning. You call Apple’s tech support line, right? Well, you’ll get no help from them. According to a leaked Apple memo, here are the instructions to support personnel:

You cannot show the customer how to force quit Safari on a Mac Defender call.
You cannot show the customer how to remove from the Login items.
You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the Apple.com forums)

In other words, you cannot do anything to help the customer. What the hell are they thinking? This is the wrong response. For Heaven’s sake, at least send them in the the right direction. Microsoft does.

Record numbers of OS X users are falling victim to this scam because Apple has created a false sense of security through their marketing and advertising suggesting Apple users are immune to security threats. The users believe this fake notice is real because of this false data, so they take action thinking that Apple really must be protecting them.

Perhaps this means that Mac has finally entered the mainstream. They are now a viable target for hackers, scammers and other cyber-criminals. And why not? One could argue that Mac owners have more money than PC owners as a rule. Why not go for those bigger bank accounts?

The bottom line is that Apple’s refusal to help its customers is going to give the company a major black eye. I wouldn’t be surprised to find people jumping off the Apple bandwagon, selling their Macs and getting PCs.

Stranger things have happened.

May 22, 2011  4:56 PM

How Long Should a Strong Password Be These Days?

Ken Harthun Ken Harthun Profile: Ken Harthun
thegoldguys.blogspot.com

Source: thegoldguys.blogspot.com

It used to be – and I used to recommend – that a good, strong password was a combination of upper/lower case letters, numbers and special symbols at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, making brute-force password cracking programs able to guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, making distributed computing projects such as Distributed.net‘s Project Bovine RC5-64 reportedly capable of guessing 76.1 Billion passwords per second 8 characters just isn’t enough. Think about it, an 8 character password using a 96-character field has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.

When Georgia Tech Research Institute developed a method of using general purpose GPUs, to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I’m now considering upping the ante and recommending 15 characters as a minimum length for passwords. The problem with this is the extreme difficulty in remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list or a secure password manager such as LastPass becomes essential.

The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.


May 17, 2011  3:02 PM

Scam Alert: Fake Skype Update Email

Ken Harthun Ken Harthun Profile: Ken Harthun
FortBendNow.com

Source: FortBendNow.com

Got an email this morning from “Skype Newsletter” with the subject “New version of Skype has been released ! Upgrade now.” If you use Skype and you get such a notice, delete it: it’s a scam to get you to “join” some bogus software site. It is NOT from Skype. I did not see any attempt at installing malware. Here’s the text of the email:

Skype Voip  Upgrade Notification‏

This is to notify that new updates have been released for Skype.

(link removed)

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

(link removed)

Start downloading the update right now and let us know what you think about it.

We’re working on making Skype better all the time !

Talk soon,

The people at Skype

====================== PROTECT YOUR PASSWORD ===========================
Skype or Skype Staff will NEVER ask you for your password via email. The only place you are asked for your password is when you sign in to the Skype application or our website.


May 16, 2011  10:50 PM

Michaels POS Breach Bigger than Reported

Ken Harthun Ken Harthun Profile: Ken Harthun

Michaels Stores, Inc. says that their point-of-sale (POS) PIN pads at 90 stores in 20 states were tampered with. The craft store chain is replacing PIN pads at most of its 964 U.S. Stores. According to BankInfoSecurity.com, the breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]

Michael Stores initially reported that a scheme, in which point-of-sale pads customers use to key in their personal identification numbers, was isolated to Chicago, but on Tuesday [May 10, 2011] the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.

Michaels’ statement includes a list of the stores they determined were actually affected, but decided to be extra cautious and said this about the incident:

Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total
devices) in its 964 US stores that showed signs of tampering. Suspicious PIN pads were
disabled and quarantined immediately. Out of an abundance of caution, Michaels has
removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads
from its US stores.

The company has commenced replacing these PIN pads in all US stores and expects the
replacement to be completed within the next 15 days. Until the new upgraded PIN pads are
installed, customers may have their credit and signature debit transactions processed on the
store register. As an additional precaution, Michaels is screening all PIN pads in Canadian
stores.

It is highly likely that this is a very carefully targeted organized crime effort, given the scope and level of effort needed to accomplish the physical tampering of the POS devices.


May 10, 2011  4:34 PM

LastPass Security Incident #4dc9630d9b403

Ken Harthun Ken Harthun Profile: Ken Harthun

Just received this email from LastPass which gives further information about the security incident.

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit https://lastpass.com/status for more information.

Thanks,
The LastPass Team

As I said before, I am very impressed by their response to this incident. Here is their latest update on the blog:

LastPass Security Notification

Update 9, ~11am 05/09 EST:

Many users are changing their password and then determining they can’t remember it, a number have also run into issues with password changes and want to go back, you can now do this yourself without contacting us: https://lastpass.com/revert
It allows you to either roll back your last password change or revert your account to the 4th. You must prove access to your email again to use it.

I guess those users should read Security Corner more often. This would help them:Your Wallet is the Best Password Manager, as would this one:Un-guessable Passwords—How to Make Them.


May 7, 2011  11:32 PM

Video: How to Choose Strong Passwords

Ken Harthun Ken Harthun Profile: Ken Harthun

The LastPass network anomaly incident (it’s still not known whether an actual data breach occurred) once again underscores the importance of using strong, unguessable passwords. Using dictionary words or short, simple, easy-to-crack passwords for a master password that protects all of your other passwords is just not smart. I have spent years educating my clients and their employees on the use of strong passwords and giving them simple solutions for coming up with them. This short video from Sophos Naked Security is a good resource.

[kml_flashembed movie="http://www.youtube.com/v/VYzguTdOmmU" width="425" height="350" wmode="transparent" /]


May 7, 2011  3:32 PM

LastPass Experiences Network Anomaly, Forces Users to Change Master Passwords

Ken Harthun Ken Harthun Profile: Ken Harthun

Earlier this week, I noticed errors from LastPass when I fired up my browser and was unable to log in manually with my normal master password. I didn’t pay much attention to this at first since the email address I used to log in was one I shut down recently. I figured that was the reason and made a mental note to go change it later. But, when I tried to log in to LastPass to change my account settings (using a one-time password that I had previously created), I got a notice saying that the LastPass servers were overloaded and that I should try again later. That’s when I began to take a deeper look and discovered what others already knew: LastPass had noticed an “anomaly” in their network traffic and as a precaution had begun to force users to change their master passwords.

According to LastPass’s blog, May 4th, 2011, here’s what happened:

LastPass Security Notification

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.

LastPass posted ongoing updates to the situation as it developed. The second update explained why I couldn’t get in properly.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We’re switching tactics — if you’ve made the password change already we’ll handle you normally.If you haven’t the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day, only syncing of new password should suffer (and you’ll see the bar).

As it stands right now, I was able to log in with my original master password (which is very strong) and make account change settings, so everything seems to be back to normal. As of 9 am 5/7/2011, this the posted status on the blog:

Update 8, ~9am 05/07 EST:
We enabled password change to greater percentages overnight and now to all users. Again please note that there is no need to panic, all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change.
We’re asking any users that have current issues with a password change to contact us — we will restore you from backups. Many have been people forgetting what password they changed to so make sure you practice that new password a number of times after you change it.
We appreciate your patience, we’ll continue to update with any changes.

So, back to normal it seems. And even though LastPass’s response over a mere “oddity” caused some major inconvenience for many of its users, I am even more confident in their security than I was before. Think about it. They saw something odd in their network traffic that they couldn’t explain. They saw a risk that sensitive information was getting into the wrong hands and they immediately took action, keeping users updated with detailed information about what they were doing and why and told users what to do about it.

Kudos to LastPass for being a good example of how to do security the right way.


May 2, 2011  8:36 PM

Bin Laden News Event Spawning Malware & Phishing Attempts

Ken Harthun Ken Harthun Profile: Ken Harthun

As always happens around big disasters and news events, the miscreants are using the event to attempt to infect PCs with malware and are sending phishing emails. Apparently Facebook is being targeted with video. Got this note from a friend on Skype:

“PLEASE READ AND REPOST!
WARNING: there is a video circulating around Facebook of a BBC video of the killing of Osama Bin Laden, supposedly made by US troops. It is a Virus!!!!! Spread the news because it’s circulating fast!!”

Here’s a video showing one of the virus attempts:

[kml_flashembed movie="http://www.youtube.com/v/D5CRARPMaeU" width="640" height="390" wmode="transparent" /]

Be aware that NO photos or videos have been released officially. The only official video is the one of President Obama announcing Bin Laden’s death.

I haven’t seen any phishing spam related to the event yet, but you can bet it will be on its way before you know it.


April 30, 2011  10:37 PM

Think You’re Not a Target Because You’re Small? Think Again

Ken Harthun Ken Harthun Profile: Ken Harthun

If you pay attention to mainstream media, you can easily get the wrong idea about online attacks. The press usually only covers the sensational data breaches like the recent Epsilon and Sony fiascoes. Truth is, there are far more people at risk than the press leads you to believe.

Consider the case of Rogelio Hackett, Jr., a 26-year-old hacker from Georgia who recently pleaded guilty to the theft of more than 675,000 credit cards. More than $36 million in damages resulted from his crime. Hackett targeted smaller organizations that had not coded their websites properly, leaving them open to SQL injection attacks. “He exploited SQL vulnerabilities,” say Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. “And despite the fact that SQL injections are well documented, we’re still seeing companies that are getting hit and compromised by that kind of attack.”

This article on the Bank Information Security (BIS) blog gives further details:

According to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. “These SQL injections are allowing someone in through the side fence, not the front door,” Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. “That’s why we need to look at application-level security,” Corman says. “Firewalls need to be augmented, with things like web-application firewalls.”

If you are a small business with an e-commerce site that stores transaction information in a SQL database, I would suggest you perform an immediate security audit to reveal any potential vulnerabilities in your system. You just don’t know where an attack may come from. It’s not like it used to be, with high-profile hackers and Eastern European crime syndicates leading they way. These days, it’s more like “disorganized crime.” Smaller, less spectacular crimes are able to stay under the law enforcement and card companies’ radars for longer periods.

Avivah Litan, distinguished analyst at Gartner Research, points out, Hackett’s case highlights how widespread and diverse hacking has become. “For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more ‘Hacketts’ or ‘hackers’ that are not,” Litan says. (Source: BIS blog)


April 30, 2011  3:32 PM

New York Yankees Leaks Personal Info of 21,000 Season Ticket Holders

Ken Harthun Ken Harthun Profile: Ken Harthun

Yikes! Indeed, it has happened again but this time the leak was completely preventable. A season ticket sales representative for the New York Yankees inadvertently emailed a spreadsheet to 2,000 of his contacts. The spreadsheet contained account numbers, names, addresses, phone numbers, email addresses, and other information like their seat numbers and which ticket packages they purchased. .

Part of the notification sent to the victims from the Yankees’ office said this:

NO OTHER INFORMATION WAS INCLUDED IN THE DOCUMENT THAT WAS ACCIDENTALLY ATTATCHED (sic) TO THE APRIL 25TH E-MAIL. THE DOCUMENT DID NOT INCLUDE ANY BIRTH DATES, SOCIAL SECURITY NUMBERS, CREDIT CARD DATA, BANKING DATA OR ANY OTHER PERSONAL OR FINANCIAL INFORMATION.

Apparently, the data contained information only on holders of season tickets for the “non-premium” seats that make up the vast majority of Yankee Stadium; those holding tickets for suites and the first few rows in the infield were not listed. So the high rollers and celebrities aren’t in there. That certainly lessens the value of the data somewhat (no big, juicy targets), but It’s a good bet that the victims are going to spammed and phished to death at some point.

This is yet another piece of evidence in support of my continual assertion that there is absolutely no such thing as private information. Once you have given anything to a third party, you might as well have advertised it on lighted freeway billboard.

Your information is not safe and probably never will be.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: