Security Corner

January 17, 2012  10:57 AM

What the heck is a password honeypot?

Ken Harthun

Has your Gmail, Yahoo, Hotmail or Skype account ever been hacked? If so, you either have an extremely guessable password, or you gave hackers your login credentials by putting them into a password honeypot. What the heck is a password honeypot? Good question. Let me give you a bit of background.

The good guys who fight malware set up servers and computers that are directly connected to the Internet and which are deliberately left vulnerable to malware infection. They do this knowing that the bad guys will infect the machines as soon as they find them. The good guys then have an in-the-wild copy of the malware that they can reverse engineer to see how it works. This is the good version of a honeypot. All of the major anti-malware companies continually monitor their honeypots to discover new malware and variants of old malware.

The bad guys want to hack you and steal your credentials so they can gain access to your accounts for nefarious purposes, such as sending spam, stealing the money from your bank accounts, hijacking your credit card numbers, or even stealing your identity. Besides other, more conventional methods such as email links and poisoned search results, the bad guys set up websites that pretend to give you access to good stuff, often free software, games, etc., and force you to “create an account” to gain access. This is the bad version of the honeypot.

The bad guys know that most people always use the same login name for everything and often also use the same password for everything. Create an account on one of these password honeypots, and there’s a good chance the bad guys have what they need to make your life miserable. Once they have the credentials you used to create the honeypot account, the bad guys (or their hired cronies) will try those credentials on all of the major email, social networking, banking, and credit card sites.

This is one very good reason never to use the same password on more than one site, and certainly never to use the same credentials as your financial accounts. I have a very specific username for certain types of sites I don’t trust, and I always use an unguessable, different password for each one.

January 16, 2012  10:47 PM

A simple password recycling method


Oh, I can already hear the groans and see the rotten tomatoes flying my way. But wait! There’s a way to recycle your favorite passwords without compromising security. It’s rather ingenious, if I do say so myself. All you have to do is set up a recurring, shifting pattern based on your password change cycle. This will work at your job as well as at home. Inspired by Steve Gibson’s Password Haystacks, and completely in line with my New Password Paradigm series of posts, this method of recycling passwords makes it easy for you to comply with your corporate password policy without getting stumped about what password to use next.

The first thing you will want to do is take out a piece of paper; you are going to write down your password pads, i.e., the characters you are going to add to your “standard” password. (Don’t worry, you won’t be writing down the actual password; that’s going to be something you will easily remember.) I suggest you use two characters at the front and two characters at the end, but that’s entirely up to you. The key is to make a secure password that is not only easy to remember, but different every time you are required to change it.

For the sake of illustration, let’s say that you are required to change your password monthly and that you cannot use any of the last six passwords you previously used. That means you must have seven “pads” that you rotate. (DO NOT USE the pattern I propose here; change it to make it your own!) You could do it this way: on the left side of your paper, write down the numerals 0 through 6 placing each on a new line. Then pick seven different uppercase and lowercase letters and some symbols and write one next to each numeral. My example list looks like this:


Now, either choose your favorite, easy-to-remember word or phrase, or use the favorite password you use for everything (I KNOW you do that, so don’t worry about it). For this example, I’ll use password.

At the first password change, use 0!password, 0!Password, 0!password0!, or whatever variation you wish, provided that you will remember it easily. Remember, the longer, the better. Cross off the pad you just used and each time you have to change the password, just change the pad and cross it off. After you use the seventh one, you can start over at the top of the list and the server should allow it.

One caveat: some password policy engines require a certain number of characters in the new password to be different from the old password. That’s no problem, just use the pad more than once or twice and you’ll be good to go.
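The rotation described above, worked through as an added example (not from the original post): it builds each month’s password from a pad list and a base word, then checks each candidate against the two policy rules mentioned here, no reuse of the last six passwords and a minimum number of changed characters. The pad list and the base word are constructed for illustration; the post tells you to pick your own.

```python
# Added example: pad rotation with the two policy checks the post mentions.
# PADS is a constructed list; the post says to choose your own, not this one.
PADS = ["0!", "1@", "2#", "3$", "4%", "5^", "6&"]
HISTORY_DEPTH = 6   # "cannot use any of the last six passwords"


def make_password(base: str, cycle: int, pads=PADS, front=True, back=False) -> str:
    """Return the password for change number `cycle` (0 = first change)."""
    pad = pads[cycle % len(pads)]          # wrap around after the last pad
    pw = base
    if front:
        pw = pad + pw
    if back:
        pw = pw + pad
    return pw


def chars_different(old: str, new: str) -> int:
    """Positions that differ, plus any length difference.

    A simple stand-in for the "N characters must be different" rule some
    policy engines enforce; real engines may measure this differently.
    """
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))


def rotation_plan(base, cycles, min_diff=0, pads=PADS, front=True, back=False):
    """Generate `cycles` successive passwords and flag policy violations."""
    history, plan = [], []
    for n in range(cycles):
        pw = make_password(base, n, pads, front, back)
        reused = pw in history[-HISTORY_DEPTH:]
        diff = chars_different(history[-1], pw) if history else len(pw)
        plan.append({"cycle": n, "password": pw, "reused": reused,
                     "chars_changed": diff,
                     "ok": (not reused) and diff >= min_diff})
        history.append(pw)
    return plan


if __name__ == "__main__":
    # Pad at the front only: the 8th change wraps to "0!password" and passes
    # the history check, but only 2 characters differ from the previous one.
    for row in rotation_plan("password", 8, min_diff=3):
        print(row)
```

Running it with `back=True` as well (pad at both ends) changes four characters per cycle, which is the "use the pad more than once" fix from the caveat above.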

Simple. Secure. Easy to remember.

December 31, 2011  11:59 PM

Solution: What a Geek puzzle!


Happy New Year!


I promised you a solution and here it is!


December 31, 2011  12:54 PM

What a Geek puzzle!


Can you solve this? The actual contest is over, but Sophos published a challenge recently that even stumped ME! Can you believe it? Anyway, here’s a link to the original challenge: “The #dragontattoo #sophospuzzle.”

Stage One is a simple 24-character code.

Here it is:


All you need to do is to figure out how to transform this code into a URL.

Then follow your nose to the next stage.

Believe me, it’s not easy (unless you already know how to transform the text!). Hint: The “=” gives it away if you know your Linux.

I’ll post the video solution on New Year’s Eve, 23:59 UTC.

December 30, 2011  6:45 PM

Halloween and Christmas are on the same day?


Now we’re having fun. In the spirit of the celebratory season, when brain cells are being destroyed by the millions, I think it’s a good idea to stimulate those that remain. The challenge is to identify the language and translate the post. Hint: the format of the post is the clue. It’s probably too easy, but what the heck, everyone deserves to win this one….

It’s the old joke and probably completely worn out, but I couldn’t resist writing about it. After all, I’m a Geek and Programmer from way back, so it hits home.

Q. Why do programmers confuse Halloween with Christmas?

A. Because 31 October and 25 December are the same; therefore, Halloween = Christmas!

If you don’t get it, you’re not a true Geek. A true Geek could give a more sensible explanation of the relationship October 31 = December 25 than Halloween = Christmas!

Can you also explain why 16 = 20 = 10? What about 86 = 126 = 56?

Fun stuff. Geek entertainment.

BTW, Googling is Verboten! Those who Google will get a Schlag in den Arsch!

Post your answer in the comments.

December 30, 2011  12:52 PM

Halloween and Christmas are on the same day?


It’s an old joke and probably completely worn out, but I couldn’t resist writing about it. After all, I’m a Geek and programmer from way back, so it hits home.

Q. Why do programmers confuse Halloween with Christmas?

A. Because Oct. 31 and Dec. 25 are the same; therefore, Halloween = Christmas!

If you don’t get it, you’re not a true Geek. A true Geek could give a more sensible interpretation of the relationship OCT. 31 = DEC. 25 than “Halloween = Christmas!”

Can you also explain why 16 = 20 = 10? How about 86 = 126 = 56?

Fun stuff. Geek entertainment.

BTW, Googling is Verboten! Those who Google will receive a Schlag in den Arsch!

Post your answer in the comments.

December 29, 2011  11:34 PM

Router reboot can open your system to hackers


For years, I have given advice to everyone that the first line of security for your home PCs is a NAT router between your home network and the Internet. While that is still true, there is one situation where the protection normally afforded you by the router is non-existent, leaving your public IP address visible to the world and your home network open to attack. I have actually observed the phenomenon I will describe in a moment, so I know it is an issue and something you should know about. It’s highly unlikely it could be exploited on any large scale, but it’s possible, so it’s something worth discussing. In any event, the concept is out there, so someone is sure to try it.

This reader question came up in Security Now! Episode 133:

Question #5, Sami Lehtinen…from Helsinki, Finland makes a GREAT observation about dangerously leaky “hardware” firewalls. He says: I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily….

While the router is booting – it’s quite a long process – parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns….

What Sami discovered is that you are directly connected to public Internet for about a minute while the router reboots. Steve Gibson concurs and proposes his solution, which I wholeheartedly endorse:

So this is a very real problem. What, I mean, the takeaway from this actually is to – what I would do is, and I’m probably going to do it from now on, I don’t reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside….
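One way to confirm the bridged window on your own router, as an added example (not from the original post or the Security Now! transcript): log what a LAN host sees for its own address and default gateway while the router reboots, then flag any span in which the host was no longer sitting behind the expected NAT boundary. The home subnet and the observation log below are constructed; the "exposed" readings use a documentation address range standing in for an ISP-side address.

```python
# Added example: detect the "bridged during reboot" window from a LAN host's
# point of view. HOME_LAN and OBSERVATIONS are constructed for illustration.
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet

# Constructed sample: (seconds since reboot, host address, default gateway).
# 203.0.113.0/24 is a documentation range used here in place of a real
# ISP-side address the host might pick up while the ports are bridged.
OBSERVATIONS = [
    (0,  "192.168.1.20", "192.168.1.1"),
    (10, "203.0.113.45", "203.0.113.1"),   # bridged: address from the WAN side
    (40, "203.0.113.45", "203.0.113.1"),
    (70, "192.168.1.20", "192.168.1.1"),   # NAT/DHCP back in service
]


def is_exposed(addr: str, gateway: str, lan=HOME_LAN) -> bool:
    """True when the host or its gateway is outside the expected home LAN,
    i.e. the host is not behind the router's NAT boundary."""
    a, g = ipaddress.ip_address(addr), ipaddress.ip_address(gateway)
    return a not in lan or g not in lan


def exposure_windows(observations, lan=HOME_LAN):
    """Return [(start, end)] spans during which the host was exposed.

    `end` is the timestamp of the first observation that was back to normal,
    or None if the log ends while the host is still exposed.
    """
    windows, start = [], None
    for t, addr, gw in observations:
        exposed = is_exposed(addr, gw, lan)
        if exposed and start is None:
            start = t                       # window opens
        elif not exposed and start is not None:
            windows.append((start, t))      # window closes
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


if __name__ == "__main__":
    for start, end in exposure_windows(OBSERVATIONS):
        print(f"host exposed from t={start}s until t={end}s")
```

On a real network the observations would come from periodically reading the interface address and default route during a reboot; a non-empty result is the minute Sami describes, and the reason to keep the LAN side unplugged until the router settles.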

December 16, 2011  1:38 AM

Et tu, CNET?


For years I have trusted CNET as a trustworthy place to download software, but some recent news has made me rethink my position. It seems that, according to Brian Krebs, “…CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.” Egad! While I am usually careful to pay attention to what an installer wants me to do, I prefer such stuff not be offered to me in the first place.

SANS reports: “The president of has apologized for bundling Nmap open source network scanning software with an installer that changed browsers’ home pages and default search engine. Nmap developer Gordon Lyon said that the bundling violated the Nmap distribution license. The installer in question has been removed.”

CNET, get your act together, or we Geeks will stop relying on you altogether as a trusted source of both information and software.

December 15, 2011  1:21 AM

Top 100 removal tool


I checked out an interesting site, courtesy of one of my fellow Net Admins’ assistants. He referred me to a post about a malware removal tool that targets the most important infections identified in November. The tool, in both 32-bit and 64-bit versions, is provided by Bitdefender. You can read the post here.

I haven’t tested the tool and have had just a quick browse of the Malwarecity site, but it sure looks like true security Geek stuff. Makes sense, as the site is powered by Bitdefender.

Unfortunately, the list of the top 100 wasn’t yet posted on the download page as promised. I’ll try to check back and revise this post as soon as it shows up.

December 14, 2011  1:20 AM

Chrome is the most secure browser


A study by Accuvant Labs, commissioned by Google, has concluded that of the top three browsers, Chrome, Internet Explorer and Firefox, Chrome is the most secure. Internet Explorer ranks second and Firefox comes in third. Accuvant took a different approach than previous comparisons that relied on historical vulnerability statistics and URL blacklist services, favoring instead a more comprehensive look that included sandboxing, plug-in security, JIT hardening, address space layout randomization (ASLR), and data execution prevention (DEP), as well as URL blacklist services. They concluded:

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.

The 140-page report is highly informative, especially if you want to get your security geek on.
