Security Corner


April 30, 2011  10:37 PM

Think You’re Not a Target Because You’re Small? Think Again

Ken Harthun

If you pay attention to mainstream media, you can easily get the wrong idea about online attacks. The press usually only covers the sensational data breaches like the recent Epsilon and Sony fiascoes. Truth is, there are far more people at risk than the press leads you to believe.

Consider the case of Rogelio Hackett, Jr., a 26-year-old hacker from Georgia who recently pleaded guilty to the theft of more than 675,000 credit cards. More than $36 million in damages resulted from his crime. Hackett targeted smaller organizations that had not coded their websites properly, leaving them open to SQL injection attacks. “He exploited SQL vulnerabilities,” says Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. “And despite the fact that SQL injections are well documented, we’re still seeing companies that are getting hit and compromised by that kind of attack.”

This article on the Bank Information Security (BIS) blog gives further details:

According to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. “These SQL injections are allowing someone in through the side fence, not the front door,” Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. “That’s why we need to look at application-level security,” Corman says. “Firewalls need to be augmented, with things like web-application firewalls.”

If you are a small business with an e-commerce site that stores transaction information in a SQL database, I would suggest you perform an immediate security audit to reveal any potential vulnerabilities in your system. You just don’t know where an attack may come from. It’s not like it used to be, with high-profile hackers and Eastern European crime syndicates leading the way. These days, it’s more like “disorganized crime.” Smaller, less spectacular crimes are able to stay under the radar of law enforcement and the card companies for longer periods.

Avivah Litan, distinguished analyst at Gartner Research, points out that Hackett’s case highlights how widespread and diverse hacking has become. “For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more ‘Hacketts’ or ‘hackers’ that are not,” Litan says. (Source: BIS blog)
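Added example, not code from the post or the BIS article: the coding mistake behind the attacks described above, shown beside its parameterized fix, plus the kind of probe an audit of such a site would run against each lookup. The customer table and its values are constructed placeholders.

```python
import sqlite3

# Constructed sample data standing in for a small e-commerce site's
# customer table (hypothetical logins, masked card-number placeholders).
ROWS = [
    ("alice", "alice@example.com", "4111-XXXX-XXXX-1111"),
    ("bob", "bob@example.com", "5500-XXXX-XXXX-0004"),
    ("carol", "carol@example.com", "3400-XXXX-XXXX-0009"),
]


def make_db():
    """In-memory SQLite database loaded with the sample customer table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (login TEXT, email TEXT, card TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con, login):
    """The coding mistake the article describes: user input is pasted
    straight into the SQL text, so a quote in the input rewrites the
    WHERE clause and the query returns rows it was never meant to."""
    sql = "SELECT login, email, card FROM customers WHERE login = '%s'" % login
    return con.execute(sql).fetchall()


def lookup_parameterized(con, login):
    """Hardened form: the driver binds the value separately from the
    statement text, so the input is only ever compared as data."""
    sql = "SELECT login, email, card FROM customers WHERE login = ?"
    return con.execute(sql, (login,)).fetchall()


def audit_with_probe(con, lookup):
    """Audit-style check in the spirit of the post's advice: a lookup for a
    login that does not exist should return nothing. If a quote-breaking
    input makes it return rows, the lookup is injectable.
    Returns True when the lookup leaks."""
    probe = "nobody' OR '1'='1"
    return len(lookup(con, probe)) > 0
```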

April 30, 2011  3:32 PM

New York Yankees Leaks Personal Info of 21,000 Season Ticket Holders

Ken Harthun

Yikes! Indeed, it has happened again, but this time the leak was completely preventable. A season ticket sales representative for the New York Yankees inadvertently emailed a spreadsheet to 2,000 of his contacts. The spreadsheet contained account numbers, names, addresses, phone numbers, email addresses, and other information such as seat numbers and which ticket packages the holders purchased.

Part of the notification sent to the victims from the Yankees’ office said this:

NO OTHER INFORMATION WAS INCLUDED IN THE DOCUMENT THAT WAS ACCIDENTALLY ATTATCHED (sic) TO THE APRIL 25TH E-MAIL. THE DOCUMENT DID NOT INCLUDE ANY BIRTH DATES, SOCIAL SECURITY NUMBERS, CREDIT CARD DATA, BANKING DATA OR ANY OTHER PERSONAL OR FINANCIAL INFORMATION.

Apparently, the data contained information only on holders of season tickets for the “non-premium” seats that make up the vast majority of Yankee Stadium; those holding tickets for suites and the first few rows in the infield were not listed. So the high rollers and celebrities aren’t in there. That certainly lessens the value of the data somewhat (no big, juicy targets), but it’s a good bet that the victims are going to be spammed and phished to death at some point.

This is yet another piece of evidence in support of my continual assertion that there is absolutely no such thing as private information. Once you have given anything to a third party, you might as well have advertised it on a lighted freeway billboard.

Your information is not safe and probably never will be.


April 29, 2011  2:49 AM

How to Secure WordPress in Five Easy Steps

Ken Harthun

Source: narga.com

WordPress is pretty secure out of the box. Nevertheless, there are always going to be individuals who want to crack into accounts for nefarious purposes or inject hidden spam links. Just as with any other application software, it’s important to make sure that your WordPress installation is as secure as you can possibly make it.

While these tips may seem like the same old over-used advice I give to everyone, they are still relevant. They are even more relevant to many of my marketing friends, business clients and colleagues who base their businesses in whole or in part on their blogs.

I’m not going to recommend a bunch of WordPress add-ons and plugins in this post (I’m still researching), but I am going to give some general advice on how to secure your installation. Here is how to secure WordPress in five easy steps:

  1. Update regularly – As with any other application, hackers find vulnerabilities and attempt to exploit them. WordPress developers are very conscientious when it comes to fixing security holes and WordPress is regularly upgraded. If you are in your administration panel and see a notice about a new version, upgrade immediately. As of the date of this post, the current version is 3.1.2.
  2. Use strong passwords – It goes without saying that if you use your pet’s name or some other simple, easy to guess password, you’re inviting hackers to hack you. I recommend no fewer than 8 characters that include both upper and lower case letters, numerals and punctuation. Example (don’t use this!): Th3Qu&(!
  3. Use Secret Keys – The WordPress config.php file that contains the name, address and password of the MySQL database for your blog allows you to use secret keys. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. You don’t have to remember these. You can generate them at this link: https://api.wordpress.org/secret-key/1.1/salt/.
  4. Use .htaccess file properly – This can get complex, so I won’t go into details here, but you must be aware of what your .htaccess file contains and make sure it doesn’t allow access to files and directories you don’t want people to see. WordPress won’t do anything insecure to it, but it never hurts to be sure. A good tutorial is The Ultimate Htaccess. Warning: if you are not a techie, skip this and ask a friendly Geek!
  5. Set proper file permissions – This is the first line of attack for a hacker, and the biggest problem is when you have file permissions set so that anyone can list a directory’s contents. Just go to WordPress Codex and do what it says. Again, if you’re not a techie, find a friendly Geek (like me) to help you.
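Added example, not the post's or WordPress's own code, for steps 4 and 5: a small audit that walks an install and reports world-writable entries, a wp-config.php that other accounts can read, and a top-level .htaccess lacking Options -Indexes, followed by a helper that applies the baseline. The 755/644/600 values are the ones the WordPress Codex recommends and are assumed here; the root path argument is whatever your install directory is.

```python
import os
import re
import stat

# Baseline assumed from the WordPress Codex hardening page: directories
# 755, files 644, wp-config.php 600 (or 440 where the web server runs as
# a different user and must still read it).


def audit_wordpress(root):
    """Walk a WordPress install and return a list of (kind, path) findings.

    Covers steps 4 and 5 of the post: world-writable files or directories,
    a wp-config.php that other accounts can read (it holds the database
    password and the secret keys), and a top-level .htaccess without
    'Options -Indexes' (without it Apache may list a directory's contents).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append(("world-writable", path))

    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        if os.stat(cfg).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("config-readable-by-others", cfg))

    htaccess = os.path.join(root, ".htaccess")
    directive = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)
    try:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            protected = bool(directive.search(fh.read()))
    except FileNotFoundError:
        protected = False
    if not protected:
        findings.append(("directory-listing-allowed", htaccess))
    return findings


def apply_codex_permissions(root):
    """Apply the baseline: 755 directories, 644 files, 600 wp-config.php.
    Run as the account that owns the files; symlinks are left alone."""
    for dirpath, dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, 0o644)
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        os.chmod(cfg, 0o600)
```

Adding the .htaccess directive itself is deliberately left to you, since the post warns that file can get complex and a wrong edit can take the site down.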

Good luck, and if you need help, just ask!


April 27, 2011  10:44 PM

Personal Data of 70 Million People Stolen in PlayStation Network Hack

Ken Harthun

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of video game players.

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.

Sony says that hackers were able to access a variety of users’ personal information including:

  • Name
  • Address (city, state, zip code)
  • Country
  • Email address
  • Date of birth
  • PlayStation Network/Qriocity password and login
  • Handle/PSN online ID

Seems it’s time to implement the response I described on April 16, 2011 in “Data Breaches — Steps to Take if You Are Notified.” In particular, I would assume that identity theft is about to occur and take the following steps as recommended in the FTC guide Take Charge: Fighting Back Against Identity Theft. Refer to that guide for complete information, but here’s what you should do if you are one of the affected users:

  • Place a fraud alert on your credit reports, and review your credit reports.
  • Close the accounts that you know, or believe, have been tampered with or opened fraudulently.


April 27, 2011  9:15 PM

Hard Drive Steganography?

Ken Harthun

Source: eHow.com

Imagine a way to intentionally fragment files on a hard disk so that it appears to be just a normal disk that has had files written, deleted and rewritten, i.e., nothing to indicate any encryption has taken place. No red flags raised; nothing to indicate there is anything on the disk to hide, yet the data is effectively hidden.

It’s steganography applied to hard drives and the inventors, Hassan Khan at the University of Southern California in Los Angeles and colleagues at the National University of Science and Technology in Islamabad, Pakistan, claim that it hides data so well as to be “unreasonably complex” to detect. They have already managed to encode a 20-megabyte message on a 160-gigabyte portable hard drive.

The technique relies on the way hard drives store file data in numerous small chunks, called clusters. The drive controller stores these clusters all over the disk, wherever there is free space, and keeps track of the positions of the clusters using a special database on the disk.

The software that Khan and his colleagues have developed overrides the disk controller chip and positions the clusters according to a code. On the other end, the person needs to know the code in order to read the data. The researchers intend to make their software open source.

But what if a forensic investigator gets hold of a disk that has hidden data on it?

“An investigator can’t tell the cluster fragmentation pattern is intentional; it looks like what you’d get after addition and deletion of files over time,” says Khan.

Tests show that the technique works fine as long as none of the files on the hard disk are modified before the disk is passed on to the recipient. SANS NewsBites editor John Pescatore is skeptical.

“Every one of these schemes always has a ‘code’ involved, and tends to smell very much like encryption – just done in a non-standard way. There are a lot of examples of home-grown approaches being about as secure as papier-mâché,” Pescatore said.

Doesn’t seem to me like the researchers are at the level of “home-grown,” but judge for yourself. You can read the entire research paper at Computers and Security, DOI: 10.1016/j.cose.2010.10.005.


April 26, 2011  11:25 PM

Extremely Robust Security, the Google Way

Ken Harthun

Google recently released a video that shows the extremely robust physical, data-protection and operations security of its data centers. Google does not allow tours of its facilities and limits physical access to only necessary employees. Access is controlled by special badges and in some cases retinal scanners. Wait until you see how they dispose of hard drives. Fascinating stuff that serves as a shining example of security done right.

Video: http://www.youtube.com/v/1SCZzgfdTBo


April 26, 2011  12:08 AM

Beware Cloud Data Storage–Pre-encrypt

Ken Harthun

Before you consider a cloud storage solution, be sure you research their policies thoroughly. I have used Dropbox in the past based on these features (from their website):

Your stuff is safe

Dropbox protects your files without you needing to think about it.

  • Dropbox keeps a one-month history of your work.
  • Any changes can be undone, and files can be undeleted.
  • All transmission of file data occurs over an encrypted channel (SSL).
  • All files stored on Dropbox are encrypted (AES-256).

Well, alright, but consider this from their privacy policy:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

So, Dropbox has the keys to the kingdom unless you encrypt the files yourself before uploading. And anyone on their staff, by extension, can decrypt your data. Not good.

If you want to maintain your security and privacy, pre-encrypt everything you intend to store in the cloud. If all the service ever holds is pseudo-random noise, that is all anyone will get.

Trust no one when it comes to your data.
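Added example, not code from the post or from Dropbox: a wrapper that encrypts a file locally before it is placed in a sync folder, so the provider only ever holds ciphertext it cannot decrypt, plus a sanity check that the upload candidate no longer contains the plaintext. It assumes the openssl command-line tool (1.1.1 or later, for -pbkdf2) is installed and that the passphrase sits in a file readable only by you.

```python
import shutil
import subprocess

# Assumptions: openssl 1.1.1+ on PATH; passphrase stored in a file with
# mode 600 and passed as "file:" so it never appears on a command line
# where other users of the machine could read it from the process list.
# openssl enc gives confidentiality only: it does not detect tampering.
OPENSSL_BASE = ["enc", "-aes-256-cbc", "-pbkdf2", "-iter", "200000"]


def _openssl(args):
    exe = shutil.which("openssl")
    if exe is None:
        raise RuntimeError("openssl binary not found on PATH")
    subprocess.run([exe] + OPENSSL_BASE + args, check=True,
                   stderr=subprocess.DEVNULL)


def pre_encrypt(src, dst, passfile):
    """Encrypt src into dst with a key derived from the passphrase file.
    Only dst goes into the sync folder; src never leaves the machine."""
    _openssl(["-salt", "-in", src, "-out", dst, "-pass", "file:" + passfile])
    return dst


def pre_decrypt(src, dst, passfile):
    """Reverse pre_encrypt on a file pulled back from the cloud."""
    _openssl(["-d", "-in", src, "-out", dst, "-pass", "file:" + passfile])
    return dst


def leaks_plaintext(path, marker):
    """Check what is about to be uploaded: True if the marker string is
    still visible in the file, i.e. it is not the noise the post wants."""
    with open(path, "rb") as fh:
        return marker.encode("utf-8") in fh.read()
```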


April 23, 2011  1:43 PM

Privacy is Dead

Ken Harthun

At one time, long before paranoid politicians, Madison Avenue ad agencies and the Internet, it was possible to enjoy true personal privacy. In fact, you could actually live in nearly total obscurity known only to those in close proximity. Not anymore. Today, privacy is dead, save for what you do in your own home (at least, I think that’s the way it is…). In particular, if you have established any sort of online presence, even if you just have a cell phone, then you are visible to the world.

Even if you are not online, merely express your opinion to someone, and if that someone takes issue (or agrees with you) and tweets it or posts it to Facebook or other social media, you are visible if they name you. Most public records are online these days; genealogy websites, people search engines, newspaper archives, etc. all contain information about you. If you have lived, or died, in recent history, you are known and visible to the world.

Don’t believe me? Type in the name of a deceased relative and see what happens.

Information about you, your life, your relatives is everywhere online these days. And this applies not only to what you do and say in public, but what you do and say in your own home or among trusted friends. Your private thoughts are no longer private if you express them to anyone–sooner or later, they will surface on the web. The only way to keep your thoughts and opinions to yourself these days is to write them down in a personal journal that you keep under lock and key. Maybe. As long as no one else ever sees it.

Pretty scary, eh? We don’t need thought police à la George Orwell’s 1984.

We have the Internet.


April 22, 2011  1:17 AM

Microsoft Launches Free On-Demand Virus & Malware Scanner

Ken Harthun

Microsoft has jumped on the on-demand malware scanner bandwagon by launching a new, free virus/malware scanner that’s designed to be used if you think your computer might be infected. It’s called Microsoft Safety Scanner and is a portable app, so no installation is required. Here’s what Microsoft has to say about it:

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

This appears to be a variation of the Malicious Software Removal Tool (MSRT) that Microsoft runs on your system each month if you have automatic updates turned on. From what I can determine, the Microsoft Safety Scanner (MSS) is simply an on-demand version of Microsoft Security Essentials (MSE) that also targets some of the specific MSRT targets. I guess that makes sense in some way? Why wouldn’t you just use MSE and turn on automatic updates? Seems like the same effect.

Some people have noted that McAfee has a comparable tool, also free, called Stinger. Trend Micro, Symantec, and Malwarebytes also offer on-demand scanners. Also noted is that MSS is a 67 MB download while Stinger is just under 8 MB. Why such a disparity? Does this indicate that MSS has a much larger malware signature file, or is it just typical Microsoft bloat?

I don’t plan on testing MSS, so if you have any comments on your experiences with it, please leave them here.


April 20, 2011  10:50 PM

Geek Speak: Password Stuff

Ken Harthun

Since I often discuss password related subjects, I thought it might be a good idea to “define my terms” for everyone. Here are ten password related definitions for your reading pleasure.

Authentication: Determining whether someone or something is who or what it is declared to be. Is that really “mom” logging into your computer or some hacker?

Strong (unguessable) Password: A password that has been deliberately composed to be difficult or impossible for a person or a program to discover. The longer, and more random, the stronger (and more unguessable) the password.

Password Cracker: A program designed to discover passwords. These programs are often used by Sys Admins to discover forgotten user passwords. The program can be designed to use brute force or dictionary discovery. While a useful admin tool, these are what hackers use to steal information.

PIN: Personal Identification Number, often used in conjunction with a password to provide an additional security factor.  They are most commonly used with ATM cards.

Single Sign-on (SSO): An authentication system that allows a single username/password combination to be used to access multiple applications. Often used in corporate environments so that a person who uses multiple applications doesn’t have to log into each one separately when switching between them.

Identity Chaos: According to this article, it is “…a situation in which users have multiple identities and passwords across a variety of networks, applications, computers and/or computing devices. To further complicate matters, each of the user’s passwords may be subject to different rules, allow access at different security levels, and expire on different dates. Such a situation can lead to security risks. Because people have to remember so many different passwords, they may choose very simple ones and change them infrequently.”

Phishing: A fraud method that utilizes official-looking email purporting to be from a financial institution or government agency in an attempt to trick you into entering sensitive information at a fake website. Be suspicious of any official-looking e-mail message that asks for updates on personal or financial information and never click on links in such messages. No legitimate organization will send you an email asking for personal information.

Social Engineering: When someone, using personal contact via telephone or face-to-face, runs a con game to secure personal information. The social engineer will often pose as a tech support or help desk contact for your company.

Worm: A kind of malware that is often sent in email attachments and replicates itself on the user’s system and the local network, using up system resources and bogging down the system.

Shoulder Surfing: This is someone literally looking over your shoulder to discover what you are typing into online forms, bank logins, your ATM machine, etc.

