Security Corner

February 19, 2012  5:00 PM

Boston Police respond to Anonymous hack with sarcasm

Ken Harthun

There’s a saying that “nothing succeeds like insouciance.” Seems the Boston Police Department knows how that works. You may be aware of this news item, courtesy of Sophos:

A week ago, the website which provides news about the Boston police and crime in the area was hacked by Anonymous. The hackers replaced the home page of the site with a message and a video of American rapper KRS-One performing his song “Sound of Da Police”.

After almost a week of downtime, Boston Police have managed to bring their website back up – and have proven they have got a sense of humour by making a video about the hack.

[Embedded video]

February 19, 2012  6:03 AM

Beware Whitney Houston autopsy links on Facebook


It isn’t true, folks. Yes, Whitney Houston died; no, there isn’t a video of her autopsy available. It’s a scam, typical of other “disaster news” scams that seem to pop up around other shocking news events.

The video will appear as a status update with text similar to this:

– Whitney Houstons autopsy reveals a shocking secret that explains her death.

Breaking News: Coroners autopsy reports reveals a dark past and secret life which tragically led to Whitney Houstons death.

Here’s a screen shot courtesy of Sophos:

Do NOT fall for this scam. It will take you to a fake YouTube screen that says you need an update. You don’t. The “update” is malware.

February 18, 2012  8:01 PM

If you still use FTP, stop!


If you are still using FTP to transfer web site files and other things to your servers, stop doing that and switch to something more secure. FTP sends usernames and passwords in plain text, so you’re opening yourself up to attack. Here are some alternatives to FTP that are much more secure:

SmartFTP: SmartFTP is an FTP (File Transfer Protocol), FTPS, SFTP, SSH and Terminal client. It allows you to transfer files between your local computer and a server on the Internet. With its many basic and advanced features, SmartFTP also offers secure, reliable and efficient transfers that make it a powerful tool.

WinSCP: WinSCP is an open source free SFTP client, SCP client, FTPS client and FTP client for Windows. Its main function is file transfer between a local and a remote computer. Beyond this, WinSCP offers scripting and basic file manager functionality.

WebDrive: A Universal File Access Client that maps drive letters to FTP, WebDAV, SFTP and S3 Servers. Not free, but probably well worth it for the features provided.

FireFTP for Firefox: FireFTP is a free, secure, cross-platform FTP/SFTP client for Mozilla Firefox which provides easy and intuitive access to FTP/SFTP servers. (Note: there is also a version for Google Chrome.)
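To make the plain-text problem concrete from the defender's side, here is an added example (my own code, not from the post or from any of the clients listed above) that walks the control-channel lines a packet-capture tool would show for an FTP session on TCP/21 and flags every USER/PASS pair that went over the wire before TLS was negotiated. The session text, the usernames and the passwords are constructed for the example; the alert keeps only the password length so the finding itself does not re-leak the secret.

```python
"""Flag FTP logins that crossed the wire in cleartext.

Added example (not code from the post): it walks the control-channel
lines a capture tool would show for a TCP/21 session and reports every
USER/PASS pair that was sent before TLS was negotiated. The session
below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample session. "C:" marks client commands, "S:" server
# replies, the way a follow-stream view in a capture tool labels them.
SAMPLE_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: AUTH TLS
S: 500 Unknown command.
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: USER bob
S: 331 Please specify the password.
C: PASS wrong-one
S: 530 Login incorrect.
"""


@dataclass
class CleartextLogin:
    username: str
    password_length: int   # length only: the alert must not re-leak the secret
    succeeded: bool        # server answered the PASS command with 230


USER_RE = re.compile(r"^C: USER (\S+)\s*$")
PASS_RE = re.compile(r"^C: PASS (.*?)\s*$")
AUTH_RE = re.compile(r"^C: AUTH (?:TLS|SSL)\s*$", re.IGNORECASE)
REPLY_RE = re.compile(r"^S: (\d{3})[ -]")   # "[ -]" also accepts multi-line replies


def find_cleartext_logins(session_text: str) -> List[CleartextLogin]:
    """Return one record per password observed in the clear.

    Plain FTP has no encryption, so anyone on the path reads USER and PASS
    verbatim. If the client's AUTH TLS is accepted (reply 234) the channel
    is encrypted from then on; credentials sent after that would not be
    readable in a capture, so they are not reported.
    """
    findings: List[CleartextLogin] = []
    tls_active = False
    awaiting: Optional[str] = None   # "auth" or "pass": whose reply we wait for
    user: Optional[str] = None
    pw_len: Optional[int] = None
    for line in session_text.splitlines():
        if AUTH_RE.match(line):
            awaiting = "auth"
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m and user is not None:
            pw_len = len(m.group(1))
            awaiting = "pass"
            continue
        m = REPLY_RE.match(line)
        if not m or awaiting is None:
            continue                      # replies we are not waiting on (220, 331, ...)
        code = int(m.group(1))
        if awaiting == "auth":
            tls_active = code == 234
        elif awaiting == "pass" and not tls_active:
            findings.append(CleartextLogin(user, pw_len, code == 230))
        awaiting, user, pw_len = None, None, None
    return findings


def describe(findings: List[CleartextLogin]) -> List[str]:
    """Render findings as alert lines suitable for a log or a ticket."""
    return [
        f"cleartext FTP login for '{f.username}' "
        f"({f.password_length}-char password, "
        f"{'accepted' if f.succeeded else 'rejected'})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in describe(find_cleartext_logins(SAMPLE_SESSION)):
        print(line)
```

Running it against the constructed session reports both logins, the accepted one for alice and the rejected one for bob; either way the password was readable. Fed the same kind of line stream from a real capture, the function gives you an inventory of accounts whose passwords should be rotated after the move to SFTP or FTPS.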

February 13, 2012  4:30 PM

The death of spam is imminent!


Well, if Microsoft, Facebook and Google have anything to say about it, yes. But recall that back in 2004, Mr. Bill Gates predicted the death of spam by 2006. Of course, by all accounts, the problem is worse than ever.

Enter the aforementioned titans who along with PayPal, LinkedIn, Bank Of America and others are getting lots of press about a proposed new internet standard called DMARC, or Domain-based Message Authentication, Reporting & Conformance. Some of the headlines noted by Sophos in a recent blog post:

Google, Microsoft Say DMARC Spec Stops Phishing (Information Week)
Google, Facebook, Microsoft in PHISH-FIGHTING smackdown (Channel Register)
[DMARC] could dramatically slash the amount of spam received by hundreds of millions of people (Financial Review)

If you’re responsible for the mail infrastructure in your organisation, you might be a little sceptical at this point. You’re probably asking yourself, “What happened to SPF and DKIM, which themselves were going to be the scourge of spammers?”

The answer to your sceptical [sic] question about DMARC is that it doesn’t replace SPF or DKIM, and it doesn’t replace your current email security and control solution. In fact, it is predicated upon them, to the point that DMARC’s official first step in its implementation guidelines is:

* Deploy DKIM & SPF. You have to cover the basics first.

So, will it work? We can only hope.
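Since the post stresses that DMARC is built on SPF and DKIM rather than replacing them, here is an added example (my own code, not from the post, Sophos, or any DMARC implementation) that applies a published DMARC policy to one message given the SPF and DKIM results. It shows that DMARC adds no authentication of its own: it only checks whether an SPF or DKIM pass is aligned with the visible From: domain and then applies the policy. The record and the message cases are constructed; two simplifications are assumed and marked in the code: the organizational domain is taken as the last two labels (real implementations use the Public Suffix List), and the record is assumed to be published at the organizational domain, so sp= governs mail from its subdomains.

```python
"""Apply a DMARC policy to one message, given its SPF and DKIM results.

Added example, not code from the post or from any DMARC implementation.
DMARC passes when either SPF or DKIM passes *and* the passing identifier
aligns with the From: domain; otherwise the published p= (or sp=) action
applies. Assumptions: organizational domain = last two labels, and the
record lives at the organizational domain. Record and cases are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcRecord:
    policy: str            # p=   none | quarantine | reject
    subdomain_policy: str  # sp=  defaults to p when absent
    adkim: str             # r = relaxed (same org domain), s = strict (exact match)
    aspf: str
    rua: Optional[str]     # aggregate-report address; informational here


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the tag=value pairs of a _dmarc.<domain> TXT record."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    p = tags.get("p", "none").lower()
    return DmarcRecord(
        policy=p,
        subdomain_policy=tags.get("sp", p).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=tags.get("rua"),
    )


def org_domain(domain: str) -> str:
    # Simplification (assumption): "mail.example.com" -> "example.com".
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, record: DmarcRecord,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return "pass", or the policy action ("none", "quarantine", "reject").

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= of a verified signature. Both are what SPF and DKIM hand to DMARC.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record.aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record.adkim)
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain.lower() != org_domain(from_domain):
        return record.subdomain_policy   # From: is a subdomain of the record's domain
    return record.policy


# Constructed record, as it would be published at _dmarc.example.com.
EXAMPLE_RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)

if __name__ == "__main__":
    cases = {
        "own relay, SPF pass on mail.example.com":
            ("example.com", "pass", "mail.example.com", "fail", None),
        "spoof: sender's own domain passes SPF and DKIM, not aligned":
            ("example.com", "pass", "bulk.example.net", "pass", "bulk.example.net"),
        "subdomain From:, nothing aligned":
            ("news.example.com", "fail", "news.example.com", "none", None),
    }
    for label, (frm, spf, spf_d, dkim, dkim_d) in cases.items():
        print(f"{label}: {dmarc_disposition(frm, EXAMPLE_RECORD, spf, spf_d, dkim, dkim_d)}")
```

The second case is the one the headlines are about: a phisher can make SPF and DKIM pass for a domain they control, but neither result aligns with the From: domain the recipient sees, so the receiver applies p=reject. That is also why the first implementation step is to deploy SPF and DKIM properly; with a misconfigured SPF record or an unsigned legitimate relay, your own mail ends up in the same bucket.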

January 31, 2012  7:16 PM

When Hollywood tells hacker stories


Well, in this case, it’s the BBC from an episode of “Spooks,” a TV drama which follows the complicated lives of MI5 agents. Seems the Russians are trying to launch a DDoS attack on Britain’s computers in order to collapse their economy. The Ruskies are using a submarine that can intercept transatlantic Internet cables. Interesting concept.

Anyway, MI5 has a “zero day virus” and 30 seconds in which to launch a counter-attack against the sub. Now, this is completely over the top, but it makes for a good story.

Most TV and movie depictions of hackers and malware are off the mark because they are trying to dramatize something that isn’t very dramatic in real life. Most malware is pretty humdrum when you get down to it and hackers are rarely spotted in real time. See what you think about this clip:

[Embedded video]

January 29, 2012  5:10 PM

Beware Chuck Norris Facebook scam


Hey! Chuck Norris is NOT dead. The Facebook messages claiming to link to a video news report on his death are a scam. Here’s the text of a typical message:

Chuck Norris dies at age 71! Not a Joke.
See the video to find out how he died. News today of Chuck Norris death at age 71 has been met with confusion and humour, but sadly it is true.

If you are gullible enough to click on the link, you will be presented with a survey scam like the one below.

If you do fall for this scam, or one like it, make sure you aren’t now allowing rogue applications or “liking” questionable pages. These can help spread the scam.

And it’s probably a good idea to change your Facebook password while you have it on your mind.

Why do people do things like this? Simple, they do it for the money. Every survey someone fills out results in a payment to the scammer. It’s called “Cost Per Action” marketing and the scammers are just trying to run up their numbers. It’s illegal and they’ll get banned from the program if they get caught, but they can make a good haul before that happens.

Don’t help line their pockets.

January 28, 2012  8:34 PM

Full two-hour audio interview with Mary Coon


As promised, I am posting the full audio file of my recent interview with Mary Coon of We talked about online security and there was some great music (chosen by me) during the breaks. Be sure to listen to the first part of the interview to find out what life was like online during the early days of the Internet. I guess I give my age away, but you’ll find it fascinating if you didn’t experience it for yourself.

Download Interview with Mary Coon. (Will either open an audio player or will play in a browser window depending on your settings.)


January 22, 2012  9:39 PM

Listen to my interview with Mary Coon about online security


I recently did a 2-hour special interview with Mary Coon of on the subject of online security. We focused on my “14 Golden Rules of Computer Security” (which is currently being revised and will help launch my new site). We had a very lively discussion. More interviews are planned for the future. I guess I’m now a radio “star,” at least online. Seriously, though, I think you should check out the site. I’ve been keeping it playing in the background. When there are no actual interviews or special programs running, they play some great inspirational and motivational music.

My show airs Wednesday, January 25, 2012 at 8 pm EST. Please make it a point to listen. I think you’ll like what you hear, as I certainly enjoyed doing it.

Who knows? There may be a podcast in my future…

Click here to listen.

After the show airs, I will post the audio file here for you to download and pass on to your clients and family.

January 18, 2012  1:38 PM

Zappos security breach affects 24 million


This news is already getting old, having broken yesterday; however, there’s some good advice issued by Tony Hsieh, CEO of Zappos. I’ll get to that in a minute, but you might want to read his blog post.

So, Zappos got hacked. Customer account information on 24 million customers including names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords was obtained by the criminal(s). The actual passwords weren’t obtained, but we can assume the hackers will try to crack the crypto.

The email sent to the customers contained some great advice: “We also recommend that you change your password on any other web site where you use the same or a similar password.” Not that you should ever use the same password on multiple sites, but this is great advice. If you are an affected Zappos customer, be sure to take this advice and go change that password on the other sites. Just make sure that for each site you change it on, you use a different password, not the same one over and over.

To be honest with you, I do use a certain set of passwords that are the same on multiple sites. The sites I use these passwords on are not anything important and the passwords I repeat are never the same passwords I use on shopping sites and other critical financial sites; those are all different, very strong passwords.

With all the great password advice I’ve been giving you over the years, there is no reason for you to have any trouble coming up with good, easily remembered passwords.

January 17, 2012  11:33 PM

Understand Password Haystacks in under three minutes


As you know, I am a big fan of Steve Gibson’s Password Haystacks concept. The idea is very simple and makes it easy for anyone to create secure passwords that are also easy to remember. Last September, KABC in Los Angeles did a short news segment that fully explains the essence of the password haystack. I was impressed. See what you think.

Click here to see the video interview.
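For readers who would rather see the arithmetic than the video, here is an added example (my own code, not from the post or from GRC's Haystacks page) that sizes the haystack for a given password. It implements the concept as I understand it, which is an assumption about the page's method: the attacker is assumed to know which character classes the password uses, the haystack is every string of up to the password's length over that alphabet, and so length, not unpredictability, is what makes the haystack big. The symbol count and the guess rates are assumptions chosen for the example, and the sample passwords are constructed.

```python
"""Size the brute-force search space ("haystack") for a password.

Added example, not code from the post or from GRC. Assumptions: the
attacker knows the character classes in use; 33 printable ASCII symbols
(string.punctuation plus space); the guess rates below are illustrative.
"""
import string
from typing import Dict

SYMBOLS = set(string.punctuation) | {" "}   # 32 punctuation characters + space = 33

# (characters in the class, size counted toward the alphabet)
CLASS_SIZES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (SYMBOLS, 33),
)

# Illustrative guess rates (constructed, not measured).
RATES: Dict[str, int] = {
    "online, rate-limited": 1_000,
    "offline, leaked hashes": 100_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    return sum(size for chars, size in CLASS_SIZES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Count every string of length 1..len(password) over that alphabet.

    This is the haystack: an exhaustive attacker who knows the alphabet
    and tries shorter strings first must cover all of it in the worst case.
    """
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    return search_space(password) / guesses_per_second


def haystack_report(password: str) -> Dict[str, float]:
    """Worst-case time, in years, to exhaust the haystack at each assumed rate."""
    year = 365 * 24 * 3600
    return {label: seconds_to_exhaust(password, rate) / year
            for label, rate in RATES.items()}


# Constructed samples: a short hard-to-remember one and a padded memorable one.
RANDOMISH = "aZ3$kP9!"                  # 8 chars, all four classes
PADDED = "Horse.7.............."        # 21 chars, same four classes, easy to recall

if __name__ == "__main__":
    for pw in (RANDOMISH, PADDED):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, haystack {search_space(pw):.3e}")
        for label, years in haystack_report(pw).items():
            print(f"   {label}: {years:.3e} years")
```

Both sample passwords draw on the same 95-character alphabet, so the only difference is length; the padded one's haystack is larger by a factor of roughly 95 to the power of the extra characters. That is the whole point of the concept: padding with a pattern you will remember costs nothing in memorability and multiplies the exhaustive-search cost enormously. Two caveats apply: the numbers only hold against attackers who actually search exhaustively rather than try dictionaries and known patterns first, and a long password does nothing for you if you reuse it across sites.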
