Security Corner


January 7, 2011  1:49 AM

Don’t Spread Hoaxes or Inaccurate Warnings



Posted by: Ken Harthun
E-mail scam, hoax, virus warning

A whole spate of this floating around today. Hey, people, wake up! This is ancient.

URGENT WARNING TO ALL ABOUT NEW COMPUTER VIRUS
> This information arrived this morning, Direct from *both Microsoft and Norton*
>
> Please send it to everybody you know who has Access to the Internet. You
> may receive an apparently harmless e-mail titled *“Here you have it”* If
> you open the file, a message will appear on your screen saying: ‘It is too
> late now, your life is no longer beautiful…’
>
> Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who sent
> it to you will gain access to your Name, e-mail and password. This is a
> new virus which started to circulate on Saturday afternoon. AOL has
> already confirmed the severity, and the anti virus software’s are not
> capable of destroying it.
>
> The virus has been created by a hacker who calls himself ‘life owner’.
>
> PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to
> PASS IT ON IMMEDIATELY ..
>
> *THIS HAS BEEN CONFIRMED BY SNOPES.*

Here’s the real scoop:
It’s no longer applicable and isn’t even true, folks.

It was a real virus, but is no longer a threat. This is months old
(Sept. 2009). Also, the message above is not even close to accurate. 99%
of the “scare mail” floating around the Internet is the result of people
forwarding such stuff.

[9:08:25 AM] !! Ken Harthun (Asst. Host: TIIMG): Here’s the real truth
about it from US-CERT:

“Malicious Email Campaign Circulating

“added September 9, 2010 at 08:46 pm

“US-CERT is aware of public reports of malware spreading via email.
These reports indicate that the malicious email messages contain the
subject line “Here you have” or “Just For You” and contain a link to a
seemingly legitimate PDF file. If users click on this link, they will be
redirected to a malicious website that will prompt them to download and
install a screensaver (.scr) file. If they agree to install this file,
they will become infected with an email worm that will continue to
propagate through their email contacts.”

[9:08:29 AM] !! Ken Harthun (Asst. Host: TIIMG): Note the date.

And, BTW, hackers don’t wipe out hard drives anymore, they’re way too
interested in stealing your data, passwords, account information and, of
course, your money.

If you ever have a question about this, ask me first. I stay on top of
this stuff daily. Several of the Skype rooms as well as Facebook are
cluttered with this bogus message.

Part of my hat as an InfoSec specialist is education. Use me.

December 31, 2010  11:55 PM

Happy New Year! May You Flourish and Prosper in 2011



Posted by: Ken Harthun

To all of my loyal Security Corner readers, Happy New Year! My best wishes for you in 2011.


December 31, 2010  10:00 PM

All I Really Need to Know About Security I Learned From My Cat



Posted by: Ken Harthun
Pets rule, security tips

Don’t want to exclude the cat lovers out there. Besides, dogs aren’t the only security experts. In fact, dogs could learn a lot from cats (OK, cats could learn a lot from dogs, too). Anyway, thanks to Dr. Andrew Jones, DVM, for the idea to write this and my previous post. He sent me an email entitled “My New Years Resolution” and said, “With 2011 nearly here, one of my resolutions is to be MORE like my pets…” I agree, though my take is a little different. Pets are the best security guards we have: They sense danger when we don’t; they warn us of suspicious things; they keep insisting we take action until we do; they comfort us when we do something stupid. Pets rule!

All I really need to know about security I learned from my cat. Here is the list of lessons:

  1. Security is hard. Do it and then take a nap.
  2. Curiosity killed the PC.
  3. Despite what you’ve heard, cats (and your security) don’t have nine lives.
  4. When in doubt, assume the worst.
  5. When it comes to security, cop an attitude.
  6. Always give your cats expensive treats (Sorry, Squeakers, my cat, made me put that in there!)
  7. Purr when your security applications are up to date.
  8. Keep your claws sharp and shred intruders, even if they look like your friends.
  9. Don’t trust anyone who offers you a free gift (catnip) when you first meet.

Happy New Year, cat lovers!


December 31, 2010  9:08 PM

All I Really Need to Know About Security I Learned From My Dog



Posted by: Ken Harthun
Pets rule, security tips

Thanks to Dr. Andrew Jones, DVM, for the idea to write this post. He sent me an email entitled “My New Years Resolution” and said, “With 2011 nearly here, one of my resolutions is to be MORE like my pets…” I agree, though my take is a little different. Pets are the best security guards we have: They sense danger when we don’t; they warn us of suspicious things; they keep insisting we take action until we do; they comfort us when we do something stupid. Pets rule!

All I really need to know about security I learned from my dog. Here is the list of lessons:

  1. Never pass up the opportunity to give your dog a treat (OK, that’s not really security related, but my Missy Yorkie made me say that).
  2. Always sniff the air before deciding what to do.
  3. When loved ones send email with links, sniff to make sure they are really your loved ones.
  4. When in doubt, take a nap, then stretch before you click.
  5. Have fun, romp and surf when you know it’s safe.
  6. Be loyal to your security consultants (like me…).
  7. Never pretend to be someone else.
  8. Implement safe security practices with gusto and enthusiasm.
  9. If the information you want is buried, dig for it; if you still can’t find it, Ask the Geek!
  10. Never, never, never trust a link until you have sniffed it and determined it’s friendly.

Happy New Year, dog lovers!


December 31, 2010  4:50 AM

Humor: Hey Joe! I Hope This Answers Your Question



Posted by: Ken Harthun
Feedback, Internet Security Awareness Year, Password, Security, Security best practice

Being visible as a journalist on the Internet, I get feedback because my writing reaches a large audience. Thanks to you, my loyal readers and followers, most of the feedback is positive. But, there is the occasional negative comment, usually from the reader who either looks at the world through a fog of misguided optimism or one who is completely convinced that everyone in the entire world is out to get him.

Both viewpoints are insane.

I present, herewith, two examples. I have taken literary license with them so they make sense (some of these people can’t construct a sentence that even remotely resembles proper grammar).

hi geek. I think to you may worry to [sic] much about passwords and things because I have never had anyone steel [sic] my password because noone [sic] would try to do anything to me because noone knows who I am on the internet so noone will know my name and my password which is a long one its 123456asdfjkl; Can anyone hack me? thanks joe.

Yikes! Joe, just draw all your money out of the bank in cash and throw it out of a 30-story window.

Here’s another one from the overly-paranoid, conspiracy-theorist sector:

Are you f****** serious, you idiot? You recommend 12-character passwords. Are you insane? The government has all of your information. If you’re using windoze [sic] you’re hacked. The NSA is watching every move you make. I run Linux. Everything is encrypted on my computer and my login name is 84 characters long. My password is 128 random characters (I got them from your recommendation of Steve Gibson’s perfect password site, so thanks at least for that). Think about it.

What do YOU think? Do I worry too much, or am I a complete idiot for recommending the things I do?

Hint: Not one system I have administered or owned since 1995 has been breached; I have not lost a single dollar to hackers as a result of any compromise to the security of my accounts and neither have any of my clients. But, in the interest of complete disclosure, there have been several people whom I have supported who have not listened to me and have subsequently suffered financial losses. I consider those my personal failures.

I think it’s safe to listen to me and take my advice. So, I hereby declare 2011 the year of “Internet Security Awareness.”

Let’s ramp it up, shall we?

And, Joe, I can hack you in less than three minutes thanks to the information you sent me. I won’t, but someone might try. Please read everything I’ve ever written about online security…


December 31, 2010  12:40 AM

Friend Sent You a Link? Verify it!



Posted by: Ken Harthun
cyber security, Hacking, Phishing, Security best practice, spam

A friend of mine, whom I’ll call Sally, told me of a recent hack on her PayPal account that could only have resulted from her clicking a link that a “trusted friend” sent her in an email. You know, one of those “You have to see this!” things. She gets them all the time, of course, and most of the time, they are what they claim to be. Only this time, the friend had gotten herself infected with a mass-mailing trojan; even though the message appeared to be legitimate (since it was sent from the “friend”), it was bogus.

The link installed a keylogger. Prior to going on vacation, Sally checked her PayPal and bank accounts. The hackers got her login information. When she tried to use her debit card, she found she was overdrawn by several thousand dollars. It ruined her vacation and took her the better part of two weeks to get her money back. Fortunately, the bank waived all overdraft fees. Lesson learned.

Now, what could she have done? Trust is what these hackers rely on; naturally, Sally would trust an email from her friend. That it wasn’t from her friend is something that Sally probably didn’t suspect. But she could have a personal security policy in place whereby she routinely calls her friend and mentions the email/link. If the friend says, “What email/link?” then you had better just delete it.

I have a fellow geek friend who routinely sends me scientific news, astronomy links, etc. I expect them, but I never open them until after I have talked with him (which I do several times a week) because he always asks me, “What did you think about [that particular article I sent you]?” My response is usually, “Oh, I’ve been busy, let me take a look (knowing, now, that it’s from him).” Then, we talk about it.

NEVER click a link you’re unsure about. Make a phone call to the “friend” that sent it to you. If you can’t call them, then just delete the message.

You won’t be missing out on anything important, trust me.
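The US-CERT notice quoted in the January 7 post describes a link that looks like a PDF but leads to a .scr download, and this post is about links that arrive from a trusted sender. The following is an added example, not part of the original posts, of checking a message for exactly that mismatch before anyone clicks; the function names, the extension list, the sample message and its hosts are all constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

CAMPAIGN_SUBJECTS = ("here you have", "just for you")  # from the US-CERT notice
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")  # .scr is the one named

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sniff_link(href, text):
    """Return the reasons a link's target does not match what it shows."""
    target, reasons = urlparse(href), []
    path = target.path.lower()
    if path.endswith(EXECUTABLE_EXTS):
        reasons.append("target is an executable file")
    if re.match(r"(?i)^(https?://|www\.)\S+$", text):  # text is itself a URL
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown != target.hostname:
            reasons.append(f"text shows {shown}, link goes to {target.hostname}")
    if text.lower().endswith(".pdf") and not path.endswith(".pdf"):
        reasons.append("text promises a PDF, target is not one")
    return reasons

def sniff_message(raw):
    """Check the subject line and every HTML link of a raw e-mail."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip().lower()
    report = {"subject_hit": subject.startswith(CAMPAIGN_SUBJECTS), "links": {}}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                if reasons := sniff_link(href, text):
                    report["links"][href] = reasons
    return report

# Constructed sample message; hosts and file names are made up.
SAMPLE = """\
Subject: Here you have
Content-Type: text/html

<a href="http://files.example.net/lib/Doc21_pdf.scr">http://www.docs.example.com/lib/Doc21.pdf</a>
<a href="http://www.example.org/photos">holiday photos</a>
"""
```

A clean result only means the link shows what it targets; it says nothing about whether the sender's machine is infected, so the phone call still applies.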


December 29, 2010  7:56 PM

Make an Anti Virus Bootable USB Thumb Drive



Posted by: Ken Harthun
Anti-virus, BLTDVS Toolkit, Bootable Anti Virus USB, Offline virus scanner, USB thumb drive

UPDATE! The BLTDVS Toolkit in its original form as referred to in the linked article below is now obsolete. The current state of the art has yielded self-contained USB installer tools for most of the popular anti virus rescue CDs.

I have updated this article with the latest information and put two versions of popular rescue CD USB installers in the revised BLTDVS Toolkit which is still available for download from the original location when you sign up for my newsletter list (send a blank email to: atg-subscribers@automateyourlist.com to receive download instructions).

With all the various flavors of anti virus rescue CDs around, it’s an easy matter to create a CD bootable anti virus scanner that will operate offline to disinfect even the worst malware infestation. In most cases, all you have to do is download the vendor’s latest rescue CD ISO image, burn it, boot it, and let the program do its thing. Easy. Making a bootable USB thumb drive from the ISO is another matter.

Extracting the files from an ISO image to the thumb drive requires a few tricks to accomplish. You can, of course, just download my BLTDVS toolkit from “How to make a bootable thumb drive virus scanner for NTFS: 2009 update” and follow the included instructions, but that toolkit is specifically optimized to work with the Kaspersky Rescue CD; what if you prefer to use a different vendor’s rescue package?

There’s a cool open source utility called UNetbootin that allows you to create bootable live USB drives for a variety of Linux distributions without requiring you to burn a CD. This is perfect since most, if not all, of the rescue CDs are Linux based. The UNetbootin site has full instructions on how to use the tool complete with screen shots. There are also several utilities and rescue tools listed for use with UNetbootin.

BitDefender

  1. Download the BitDefenderRescueCD_###.iso into the BLTDVS_toolkit folder if you have it, or make a folder of your own.
  2. Download and launch the Universal USB Installer or launch it from the BLTDVS_toolkit folder. Select the option “Try unlisted Linux ISO (Old Syslinux)” then browse to the BitDefender ISO file.

Kaspersky

  1. Download the Kaspersky Rescue CD and save it to the BLTDVS_toolkit folder.
  2. Download the rescue2usb utility and launch it or launch it from the BLTDVS_toolkit folder.


December 28, 2010  1:48 AM

Web Account Creation Tips



Posted by: Ken Harthun
cyber security, Password, Security best practice, User education

Although I consider it OK to use the same user name across multiple accounts, there’s no question that using a different user name for each account along with a strong, unique password is probably a good idea. The more difficult you make it for hackers to guess your information, the more secure you will be.

In my last post, I gave some tips on creating strong, unique passwords for websites. In this post, I give you three tips on how to create unguessable, unique usernames that you can pair with those passwords for even more security.

  1. Add a special character, the first three letters of the domain name for the site, then your normal login name. For example, for the foobar.com domain, you could use $fooJoeBlow as a user name. Use the same character and the same pattern for your login name so you can easily remember it.
  2. Use a PIN, part of the domain name and your name. For example, take the last three characters of your Windows key, the first three characters of the domain name, and your login name: YXKFooJoeBlow.
  3. Use the title bar of the site’s login page. For example, you could use SecJoeBlow for this site as your user name.

The user name is not nearly as important as the password as far as uniqueness is concerned, but it’s another factor that you can use to make your online experience more secure. I don’t use this particular method, but it’s worth implementing.


December 27, 2010  3:37 PM

Use Strong, Unique Passwords! Use Strong, Unique Passwords! Use Strong, Unique Passwords!



Posted by: Ken Harthun
Password, Security, Security best practice

There, I said it three times; did it sink in? Probably not, so I’ll say it again: Use strong, unique passwords!

In the wake of the recent Gawker Media hack, I feel it’s prudent to once again address the issue of strong, unique passwords. Sometimes I feel that I should rename this blog to “Password Corner” and devote the rest of my natural life to drumming it into people’s heads why this is important. I won’t do that, of course, because I figured out a long time ago that people are just too lazy to expend that little bit of extra effort to make a strong password that isn’t used anywhere else. They think it’s going to be too hard to remember or that they’ll have to carry a piece of paper around with them all the time. They would be wrong; it’s just laziness.

It is so simple to create strong, unique passwords that will thwart any but the most determined hackers. You only need a mixture of 12 characters, preferably a mixture of numbers, upper/lower case letters and punctuation to generate a strong password that for all intents and purposes is uncrackable. To make such a password easy to remember, you can use a simple pattern or algorithm known only to you.

Here are some ideas (don’t use these exact ones, for obvious reasons–this is a public blog and hackers have access to it):

  1. Use some easily-remembered numbers, some special characters and the domain name in a standard pattern. For example, say your phone number is 555-1234 and the site you want to generate a password for is foobar.com. You could use something like the following: 55*&Foobar&*12. See? It’s symmetrical; easy to remember the pattern, but it looks random. How about 12@(Foobar)@34? See where I’m going with this? Use the same pattern across sites, but change the middle part to be the domain of the site. You’ll have an easily-remembered password that is unique for each site.
  2. Use the domain name with altered characters and a unique added PIN or key. For example, if you have an account on Foobar.com, you could use something like F0oB@r.C0m-J03. Your key in this case would be “-J03.”
  3. Use the title bar of the login page with altered characters and/or a PIN or key. For example, here’s what you might use for the New York Times website: L0g-1n-N3yorkT1m3s.c0M-J03.

You can probably think of other ways to do this, something that is unique to you. For obvious reasons, you don’t want to use your name, your kid’s name, your pet’s name, etc. unless you make it strong by adding things to it.

At the very least, please, if you have online financial accounts, PayPal, credit cards, etc. make very sure that the passwords are strong and not used on any other sites. If they are, change them immediately. You can do that much for yourself, can’t you?


December 26, 2010  3:11 PM

Have You Been Gawkered?



Posted by: Ken Harthun
cyber security, Hacking, Password, Vulnerabilities

A couple of weeks ago, servers at Gawker Media, Inc., which also runs the sites Lifehacker.com and Gizmodo.com, were hacked by a group that calls itself Gnosis. Reportedly, more than 1.3 million user accounts, email addresses and passwords were obtained. The hacker group has managed to decrypt about half of the database contents and released it as a torrent.

You might be thinking that this is no big deal; people can just change their passwords. That’s true. The problem is that many people, against my and countless other security advisers’ advice, use the same combination of user credentials across multiple sites. The only way to mitigate the risk in this case is to change credentials at every site and never use the same password more than once.

To make matters even worse, quite a few of the accounts used ridiculously simple passwords. You can find a list of the top 250 most commonly used passwords here, but in case you’re wondering, here is a list of the top 10:

 2516 123456
 2188 password
 1205 12345678
  696 qwerty
  498 abc123
  459 12345
  441 monkey
  413 111111
  385 consumer
  376 letmein

The significance of “monkey” escapes me, but I’ve seen the other ones used many times in my role as sys admin.

Here’s what Woody Leonhard of Windows Secrets recommends:

While perusing the list is entertaining, the important lesson here is about password use. For example, let’s say you posted a comment on Lifehacker a few years ago. To post the comment, you had to give an e-mail address and password — which, at this very moment, somebody might be decrypting. Now let’s say you’re sloppy and using the same password for PayPal you used for Lifehacker. If a cyber thief has the foresight to sign on to PayPal with your e-mail address and cracked password, you can kiss your PayPal balance good-bye.

If there’s the remotest chance you’ve posted a comment on Lifehacker.com or Gizmodo.com, go immediately to Duo Security’s “Did I get Gawkered” site and enter your e-mail address. If your name’s on the list, change your passwords!

To that, I would add, “and be sure they are strong passwords.”
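As an added example (not part of the original posts), here is one way to audit your own list of accounts against the advice in this post and the December 27 one: 12 characters, a mix of character classes, nothing from the top-10 list above, and no password used on more than one site. The function names and the account list are constructed; the one real sample is Joe's password, quoted from the reader e-mail in the December 31 post.

```python
import string
from collections import defaultdict

# Top 10 passwords from the Gawker dump, as listed in the post above.
TOP10 = ["123456", "password", "12345678", "qwerty", "abc123",
         "12345", "monkey", "111111", "consumer", "letmein"]
MIN_LENGTH = 12  # length recommended in the December 27 post

CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "number": string.digits,
    "punctuation character": string.punctuation,
}

def check_password(pw):
    """Return the ways a single password falls short of the posts' advice."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"has no {name}")
    # A common password embedded in a longer one is still the first guess.
    hit = next((w for w in TOP10 if w in pw.lower()), None)
    if hit:
        problems.append(f"contains common password '{hit}'")
    return problems

def audit(accounts):
    """accounts maps site -> password; returns {site: [problems]} for
    every account that is weak or shares its password with another site."""
    sites_by_pw = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_pw[pw].append(site)
    report = {}
    for site, pw in accounts.items():
        problems = check_password(pw)
        others = sorted(s for s in sites_by_pw[pw] if s != site)
        if others:
            problems.append("reused on " + ", ".join(others))
        if problems:
            report[site] = problems
    return report

# Constructed account list, except Joe's password (quoted from his e-mail).
ACCOUNTS = {
    "lifehacker.com": "monkey",
    "paypal.com": "monkey",
    "foobar.com": "55*&Foobar&*12",
    "joes-mail.example": "123456asdfjkl;",
}
```

Run it only on your own machine against your own list; a report entry for a financial site is the one to fix first.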

