Security Corner


January 29, 2011  3:14 AM

Data Privacy Day is January 28, 2011



Posted by: Ken Harthun
cyber security, Cybercrime, Data Privacy, Identity Theft, Locational Privacy, Privacy

There’s no question that technology has vastly improved our lives, but at what cost? We live in a networked world where every piece of information about us exists in digitized form in some database somewhere: our identities, locations, actions, purchases, associations, movements, and histories are available to both legitimate authorities and the dark underworld of cybercriminals intent on identity fraud and theft. Check out DataPrivacyDay2011.org:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.

Join in the dialogue among all of the stakeholders – businesses, individuals, government agencies, non-profit groups, academics, teachers and students – to look more thoroughly at how advanced technologies affect our daily lives.  We encourage this dialogue and are providing this website as a service to those who care about our common future and our roles as digital citizens and consumers.  And let us know what you think – and how you might be able to contribute to the discussion.

At The Privacy Projects, we are excited to promote Data Privacy Day and want as many individuals and organizations involved as possible.  So join in!  There are many ways you can become part of the dialog.  You can sponsor an event or an activity, use the educational materials, engage in the discussions, or put together your own event.

You can also follow Data Privacy Day 2011 news and updates on our Data Privacy Day 2011 Group page. Please invite your friends and colleagues to join as well.

Not a bad idea.

January 26, 2011  9:49 PM

Video: Goodbye, IPv4, Hello, IPv6



Posted by: Ken Harthun
IPSec, IPv6, Routing, Security

We knew it was coming. IPv4 address space is almost depleted and will probably run out completely by the end of this year. That’s only part of the picture, however; I’m jazzed about the implementation of mandatory IPSec. Watch this short video to get a good overview of what’s coming.

Video: http://www.youtube.com/v/2wa7y3W2DI0


January 26, 2011  9:00 PM

Google and Mozilla Announce “Do Not Track” Features



Posted by: Ken Harthun
Chrome, Firefox, Do Not Track, Google, Mozilla, Privacy

About two months ago, the US Federal Trade Commission called for a do not track mechanism similar to the “Do Not Call” list for telephones. The idea is to allow web surfers to opt out of having their personal data collected online. Here is the FTC’s December report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”

Google has already implemented an extension in its Chrome browser and Mozilla announced a similar feature for its Firefox browser, based on Do Not Track HTTP headers.

Will it work? Maybe. One problem is that no matter what the browser companies develop in the way of technology, web sites are where the buck stops. In an InformationWeek article,  Anup Ghosh, founder and chief scientist of Invincea, a browser security company, said he finds both approaches lacking. “It’s basically up to Web sites to do something or nothing with [users' preference information],” he told InformationWeek. “It’s not enforceable.”

SANS News Bites editor, John Pescatore, had this to say in their latest issue: “The wording of this seems carefully limited to the ‘Do Not Track’ extension, and will result in you seeing standard ads, not personalized ads. It doesn’t actually say there is any change in you being tracked, just that you won’t see personalized ads. To me the tracking is the problem, seeing personalized ads is just the symptom.”

More as this develops.


January 24, 2011  8:59 PM

Investigative Report on the State of the Black Market



Posted by: Ken Harthun
Banking Fraud, Cyber-criminal, Cybercrime, Panda Security, spambot

PandaLabs recently issued the results of an investigative report on the current state of the global cybercrime black market: http://press.pandasecurity.com/usa/press-room/panda-white-paper/.

The report provides a “state of the union” of the cybercrime black market in light of its ongoing rapid evolution. The black market has traditionally centered on selling stolen bank and credit card details but diversified its business model in 2010, now selling a much broader range of hacked confidential information including bank credentials, log-ins, passwords, fake credit cards and other valuable data.

Here’s a taste of some of the topics the report covers:

  • Average prices for the array of personal data and goods now sold on the black market. For example, PandaLabs found that card cloning machines run typically anywhere from $200-1,000 and fake ATM machines from $3,500 depending on the model;
  • What drives up the price of personal information. PandaLabs found that prices are higher for online accounts that have a history of online shopping or use payment platforms such as PayPal. For a simple account without a guaranteed balance, PandaLabs found prices starting at $10 and increasing to $1,500 depending on the platform and the guarantee of available funds;
  • How cybercriminals employ modern marketing tactics to run their “businesses”: For example, operators will often offer free ‘trial’ access to stolen bank or credit card details, as well as money back guarantees and free exchanges.


January 21, 2011  8:22 AM

Stuxnet: Joint U.S.-Israeli Cyberweapon?



Posted by: Ken Harthun
stuxnet

Welcome to the world of cyberwarfare. It’s official: Stuxnet was a US-Israeli effort to disrupt Iran’s nuclear program, according to the New York Times.

[The Israelis] tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona [Israel's secret complex--Ed.], the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.

More info from Infosecurity (USA):

The Stuxnet worm was an Israeli-US project developed at the highly secretive Israeli Dimona complex in the Negev desert to sabotage Iran’s nuclear program…

Stuxnet development began in 2008 when Siemens cooperated with the Idaho National Laboratory to identify vulnerabilities in the company’s controllers that operate nuclear centrifuges and other industrial processes. A briefing about the findings was conducted by the Department of Homeland Security for US officials. The implication from the story is that this briefing was used by the Israelis, with US help, to develop the Stuxnet worm at Dimona.

And this is only the beginning…


January 21, 2011  12:22 AM

The Security Threat Report (Sophos)



Posted by: Ken Harthun
data, hackers, Hacking, Identity Theft, Malware, Security, sophos, webcast

I just registered for this and I wanted to pass it along to all of my readers. If you want to know what’s going on, these guys typically do a pretty good job of giving you the information you need and want.

The Security Threat Report: A look at the latest malware and attack vectors

Malware like Zeus, Stuxnet, Fake AV and Koobface made headlines in 2010, and cybercriminals continue to focus on using the web to deliver malware.  Although their tactics are constantly changing and evolving, their motivation to steal your data and money is not.

Join Graham Cluley, senior technology consultant at Sophos, for a live Webcast to learn about the latest security threats and trends in malware.  Armed with the latest threat data, Graham will discuss the tactics the bad guys are using to infect your systems and steal your data.

  • Latest hacker tricks
  • Exploitation of social-networking websites
  • Malware, malware, malware
  • Future trends for cyber attack

Everyone who registers gets a cool T-shirt, too.

I’ll see you there!


January 18, 2011  1:25 AM

Password Voodoo



Posted by: Ken Harthun
Password, passwords, Secure Computing, Security

I get the same question every day: “How can I make a password that is strong and easy to remember?” Frankly, when I’m in the cranky mood I was earlier today, I’m tempted to answer with a simple question in return: “Do you ever bother to read my posts?” Of course, the answer is that no, they don’t bother–they’re too lazy to look up my posts. Granted, it’s far easier to ask me and make a mental note than it is to actually find a post, read it, take notes, and take action. At least you would think so. The problem is, five minutes after I answer their question, they’ll forget what I told them, and the next time they see me, they’ll ask again. It’s a vicious cycle.

Four hundred years from now, when passwords have long since been replaced with real security measures, these same people, if they were still alive, would be asking the same question.

People want it easy; they want magic. People want to twitch their noses like Samantha on the TV sitcom Bewitched and make everything work the way they want without further effort.

It doesn’t work that way.

But, there is a bit of password voodoo that’s almost as quick as a nose twitch and it won’t take more than about 15 seconds to implement:

  1. Turn your keyboard over
  2. Find the FCC ID number
  3. Change the case of every other character
  4. Voila! A strong password that no one will guess.

It’s written down for you right there on your keyboard, but who is going to think to look there? The label on the bottom of my keyboard has enough information to create a completely uncrackable password.

Need to change the password after you’ve done this? Follow this sequence:

  1. Reverse the case you used previously
  2. Reverse the order of the characters
  3. Reverse the case again
  4. Shift the characters to the left, placing the leftmost character at the end
  5. Reverse the case again
  6. Repeat #4 and #5 through several iterations

Are you getting this?


January 9, 2011  11:45 PM

New Year Resolutions: Let’s Review Password Best Practice



Posted by: Ken Harthun
Password, Security best practice

It’s always a good thing to repeat good advice and what better time to do so than when people are making resolutions to improve their lives in the coming year?

Nearly three years ago, when I was just starting this blog, I posted Can a Criminal Hacker Guess Your Password?. That post had some good advice on what not to do. Here it is again:

According to Wikipedia there are several things many people use as passwords that result in their being predictable:

Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:

  • blank (none)
  • the word “password”, “passcode”, “admin” and their derivates
  • the user’s name or login name
  • the name of their significant other or another relative
  • their birthplace or date of birth
  • a pet’s name
  • automobile license plate number
  • a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
  • a row of letters from a standard keyboard layout (e.g., the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)

So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.

Have a safe, happy and secure 2011!


January 9, 2011  4:25 PM

Sometimes Clients Do Listen to My Advice



Posted by: Ken Harthun
Email security, Encryption, insecure, Password, Security, Security best practice

It’s always a good thing when people take my security advice; I do, after all, give them good stuff (like that password card over there, for instance). Over the years, I’ve amassed a large store of advice and tips that I continually promote to my clients. Yesterday, I was given a task that showed me at least some of them listen.

During an on-site call on Friday, the office manager approached me and said she had discovered that some of the staff were using extremely insecure passwords, things like their initials and birthdate, and at least two cases of “password.” She asked me what to do. I told her to order everyone to immediately create secure passwords with a minimum length of 8 characters and at least three of the following: upper case letters, lower case letters, numerals and special characters. (Note: this is a law office, so users are not allowed to change passwords on their own. The owners of the firm keep a secure list of everyone’s passwords so they always have access to employees’ hard drives.)

When I checked my email yesterday morning, I found a message with a spreadsheet attached. Yes, it was the list of passwords for me to change on the server; every password conformed to the standard. So, it looks like there will be no more insecure passwords at that firm. I consider that real progress.

Now, maybe I can get them to understand and use email encryption so they won’t be sending me passwords in clear text.
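The standard given to the office manager above (8 or more characters, three of four character classes) can be checked together with the guessable-pattern list from the “New Year Resolutions” post. The following is an added example, not code from the original posts; the function name `audit`, the `personal` argument and the sample passwords are assumptions constructed for illustration.

```python
import re

# Standard from the post: minimum length 8 and at least three of the four
# classes (upper case, lower case, numerals, special characters).
MIN_LENGTH = 8
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
# Guessable patterns taken from the list quoted in the earlier post.
COMMON_WORDS = ("password", "passcode", "admin")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def _core(text):
    """Lower-case and drop symbols so 'Rex-2011!' compares as 'rex2011'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def audit(password, personal=()):
    """Return a list of findings; an empty list means the password passes.

    `personal` (hypothetical input) holds strings tied to the user: login
    name, relatives, pet, birthplace, date of birth, license plate.
    """
    if not password:
        return ["blank password"]
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    present = sum(1 for rx in CLASSES if re.search(rx, password))
    if present < 3:
        findings.append("only %d of 4 character classes" % present)
    core = _core(password)
    # "Simple modification": a suffixed digit or reversed letters still match.
    for word in COMMON_WORDS:
        if word in core or word[::-1] in core:
            findings.append("contains common word '%s'" % word)
    for item in personal:
        token = _core(item)
        if len(token) >= 3 and (token in core or token[::-1] in core):
            findings.append("derived from personal detail '%s'" % item)
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):          # every 4-key run in the row
            run = row[i:i + 4]
            if run in core or run[::-1] in core:
                findings.append("keyboard run '%s'" % run)
                break
    return findings

if __name__ == "__main__":
    # Constructed samples; the first one meets the length/class standard.
    for pw in ("Password1!", "xeR2011!", "Qwerty12", "T7#vLq9@mZ"):
        print(pw, audit(pw, personal=["Rex"]))
```

“Password1!” satisfies the length and character-class rule yet is still flagged by the pattern list, which is why both checks run together.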


January 7, 2011  4:38 PM

PandaLabs Releases 2010 Annual Security Report



Posted by: Ken Harthun
Cyber warfare, Cybercrime, FakeAV, Malware, Panda Security, Rogueware, Virus, Worm

PandaLabs, the antimalware laboratory of Panda Security – The Cloud Security Company – has released its 2010 Annual Security Report, which details an extremely interesting year of cyber-crime, cyber-war and cyber-activism. The full report is available at: http://press.pandasecurity.com/press-room/panda-white-paper/ along with a wealth of other reports, bulletins and monographs from 2009 and 2010.

One striking discovery is that in 2010 alone, cyber-criminals created and distributed one-third of all existing viruses, creating 34 percent of all malware that has ever existed and been classified by the company. The report also highlights malware standbys that aren’t going anywhere, new and emerging malware trends, the impact cyber-criminal activity had on social media networks last year, and more.

Despite all of the drastic numbers outlined in the report, it also highlights some good news. PandaLabs discovered that the speed at which the number of new threats is growing has actually decreased when compared to 2009. Every year since 2003, new threats grew by at least 100 percent, but in 2010, the increase was approximately 50 percent. We can only hope that trend continues.

As you might suspect, banker Trojans still dominate among new malware that appeared in 2010, accounting for 56 percent of all samples. Viruses accounted for 22 percent, rogueware (fake antivirus software), 12 percent; worms, 10 percent.

The countries leading the list of most infections are Thailand, China and Taiwan, with 60 to 70 percent of infected computers. To see a graph of how other countries ranked, please visit: http://www.flickr.com/photos/panda_security/5299741647/. The United States did not rank in the top 20.

2010 was truly the year of cyber-crime, cyber-war and cyber-activism. Although cyber-crime has existed for many years, cyber-war became a much more active and aggressive part of the malware landscape. The most notorious was Stuxnet, a new worm that targeted nuclear power plants and managed to infect the Bushehr plant, as confirmed by the Iranian authorities. At the same time, a new worm appeared called “Here you have.” It was created by a terrorist organization whose intention was to remind the U.S. of the 9/11 attacks and call for respect for Islam, purportedly as a response to Pastor Terry Jones’ threat to burn the Koran.

2010 also witnessed the emergence of a new phenomenon called cyber-protests or hacktivism. This phenomenon, made famous by the Anonymous group, is not actually new, but grabbed the headlines in 2010 for the coordinated DDoS attacks launched on copyright societies and their defense of WikiLeaks’ founder Julian Assange.

