Security Corner

May 31, 2011  10:38 PM

Security Made Simple

Ken Harthun Ken Harthun Profile: Ken Harthun

With the official start of the summer season in the U.S. (Memorial Day holiday), I want to give everyone a few tips for staying secure. No, this isn’t the typical use-strong-passwords-and-don’t-click-email-links lecture. When favorable weather conditions prevail, our thoughts turn to getting through the week and getting to the weekend. Consequently, with our thoughts elsewhere, it’s easy to get careless.

Case in point: I live in a duplex town home and interact closely with my new neighbors. They told me they were going away for the weekend to the lake. I wished them a good time. On Saturday, I noticed they had left their garage door open. No big deal, I thought, as there is really nothing in there anyone would want. The door from the garage to the town home has a deadbolt lock, so I figured they had locked it. Being the good neighbor that I am though, I checked it. The door wasn’t locked! Anyone could have walked in and cleaned them out.

When they got back yesterday, they asked me if I noticed they had left everything unlocked and I told them I had. Apparently, they had left in an awful hurry and hadn’t checked to make sure everything was locked. Even their front door was left unlocked. Had I and my family not been around to keep an eye on things (which we did), my neighbors (as well as my family) could have suffered some big losses.

The lesson? Simple. No matter what’s going on, no matter where you have to be and when, TURN IT OFF, LOCK IT DOWN, LOCK IT UP.

That’s security made simple. Think about it.

May 31, 2011  12:00 PM

Cloud Security and Privacy – Do They Exist?

Ken Harthun Ken Harthun Profile: Ken Harthun

Got this announcement this morning from Sophos about a lecture at the New South Wales branch forum of the Australian Computer Society (ACS). That’s a bit out of my way, so I couldn’t attend, but here’s the gist:

The topic is Privacy and security in the cloud – is there any?

The Cloud - whatever that is - isn't new, whatever the marketing material may imply. But the scale of many modern-day cloud-oriented services is simply enormous. And since those services are run by experts, they readily promise to deliver the "holy trinity" of computer security - confidentiality, integrity and availability.

But do they? Will they? Can they? This thought-provoking presentation will help you advise your colleagues, your friends and your family how to embrace the benefits of the cloud whilst steering clear of the major risks.

This ties in nicely with something I have talked about before in a recent post, “Beware Cloud Data Storage–Pre-encrypt.”

Steve Gibson of the Security Now! podcast recently coined a term, “pre-egression encryption,” which worked out to the acronym, PEE. Not elegant, but it makes sense (he has since adopted the acronym PIE – pre-Internet encryption, coined by a listener). In other words, trust no one’s encryption: encrypt it yourself using your own secret key before you send anything to the cloud. Steve references an incident with DropBox in Security Now! episode 302:

…like Dropbox, are very user-friendly, and they say, oh, we encrypt. We use SSL 256 encryption so that all of your data is safe as it’s coming to us. The problem is, they encrypt it, and then they decrypt it at the other end. So they’re storing it, or they have it, at least, in an unencrypted state. In the case of Dropbox, they then would encrypt it for storage. But they encrypted it for storage. They have the key that was used. The only way any of this stuff is safe is if you do the encryption before it goes out on the wire, and that key never leaves your control. In which case we’re using the cloud as a big opaque storage container in the sky.

The bottom line is that you can trust no one with your security and privacy in the cloud. Before you send any data to the cloud, encrypt it with a key that is known only to you and completely under your control.

Assume that cloud security and privacy don’t exist.

May 30, 2011  11:47 PM

Scammers Getting Desperate?

Ken Harthun Ken Harthun Profile: Ken Harthun

Sophos reports that one of its SophosLab researchers received a 419 scam via snail mail:

The gentleman who contacted my colleague calls himself Tim Wu, and claims to be a private investment manager based in Hong Kong.

It seems that a former client of his (who had the first name “Anderson” and came to a sticky end in a hiking accident in mainland China) didn’t leave a will, and because there is no next of kin some of his $21 million fortune could be coming to my colleague here at Sophos instead!

There’s nothing new about snail mail scams, of course, but email scams are far more prevalent these days. Maybe this signals a paradigm shift. Are the scammers finally getting desperate because no one is responding to their junk emails? We can only hope. I plan to continue to admonish people not to open emails that come from persons they don’t know. I know I’m not the only one who does this. Spam filters are getting better, too, so much of the scammers’ crap ends up in the bit bucket.

Now, lets consider this: when they are messing with the postal services of the U.S. and other countries, there are no proxies and no onion routers. The mail can at least be traced from the point at which it was dropped. The anonymity factor is greatly diminished. Another thing to consider is that physical mailings require an expenditure for postage, which emails do not.

An acquaintance of mine in law enforcement once told me that if you take the profit out of crime, the only crimes would be crimes of passion. If the scammers have to spend huge sums on postage and people heed our warnings about their tricks and don’t fall for them, perhaps they’ll fade away.

Let’s hope that’s what happens.

May 30, 2011  8:00 AM

Everything I’ve Ever Said About Passwords is Wrong?

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, maybe. At least that’s what Steve Gibson said in Episode 302 of the Security Now! podcast:

Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?

If nothing anyone thinks about passwords is right, then I must be wrong, too, right?

Steve has been playing with a passcode designer under the premise “Maximal Entroypy, Minimal Length, Maximal Strength.” He says that in the process of working on this, he realized that our concepts of passwords are wrong and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:

The Passcode Designer is based upon the concept of generating maximal-entropy, maximal-strength, and minimal-length passcodes by encouraging a high number of “transitions” between the four character “classes” where the classes were the uppercase alphabetic (A-Z), lowercase alphabetic (a-z), the ten digits (0-9) and the 33 printable special symbol characters (!\”#$%&'()*+,-./:;<=>?@[\\]^_`{|}~). The interactive graphical JavaScript-driven state machine at the top of this page was the beginning of the development of that concept. (It is fully functional, finished, and works as intended.)

But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.

I can’t wait to see what he has come up with.

May 29, 2011  6:35 PM

Top Five Public Computing Safety Tips

Ken Harthun Ken Harthun Profile: Ken Harthun

We all know that using public PCs in hotels or open public wi-fi connections is risky business these days. Nevertheless, we are so dependent on our computing devices that we often find we have no choice. True, many of the public wireless access points are now using encryption, but those kiosk PCs are another story. These PCs are rarely maintained properly and often contain keyloggers or other data-stealing malware, so using them for anything sensitive isn’t smart.

Regardless of whether you are using your own laptop or a kiosk PC, there are certain precautions you can take to make your public computing session safer. Here is my top five:

  • NEVER use an unencrypted wireless access point or public kiosk PC to log onto any banking, bill payment or credit card sites nor any site where you will be required to enter any sensitive personal information such as credit card numbers or bank account numbers. This applies to online shopping as well.
  • If using your own device, make certain you have the latest security updates for your OS and the latest version of your preferred browser. Block all pop-ups with a program like NoScript and store passwords only in a secure password manager like LastPass, never in the browser.
  • Do not, under any circumstances allow a public PC to save your logon information. Further, clear all history and temporary Internet files when you are finished browsing. If your browser allows private browsing (most do), use that feature.
  • Always LOG OFF of any site, such as social networking sites or webmail before closing the browser to insure the next person to use the machine cannot open your session. You may have noticed that you can close a tab or your browser and often your session doesn’t close. Try that with Facebook and you’ll see it in action.
  • Finally, be aware of your surroundings. Is someone standing behind you or watching you from the next table? Shoulder surfers can steal your login information. Believe me, it happens. Especially be wary if you see anyone with binoculars.

May 29, 2011  1:35 PM

Huge Spikes in Malware

Ken Harthun Ken Harthun Profile: Ken Harthun

According to the good folks over at Sunbelt Security (now owned by GFI), an incredible 73,000 new types of malware are being issued every day, a 26% increase over last year’s figures. Between this and the recent security breach at Epsilon, I am noticing a huge increase in my own spam levels. One of the most significant increases seems to be the pharmacy scam, but the 419 scams and variations are a close second. So far this week, I’m the beneficiary of nearly $750 million!

Here’s a screen shot of a portion of one of the more interesting scams purportedly directly from the FBI:

Not surprising, I have also been called upon to remove more malware infections than usual. Some of them are getting quite stealthy. Sunbelt Security’s Threats Page maintains and up-to-date list of the top ten malware detections as well as a handy meter of the worldwide threat activity level. Right now, it’s recommending that you take a guarded approach in your computing practices.

Six out of the 10 listings are Trojans that are normally delivered through email. No surprise there, either: email is the #2 vector for malware eclipsed only by malicious websites.

May 28, 2011  12:12 PM

Time to Lighten Up!

Ken Harthun Ken Harthun Profile: Ken Harthun

Very funny Cisco commercial. Sometimes, we just have to laugh and make fun of ourselves as Cisco does in this video.

[kml_flashembed movie="" width="425" height="350" wmode="transparent" /]

May 28, 2011  1:12 AM

Wire Fund Transfer Trojan

Ken Harthun Ken Harthun Profile: Ken Harthun

Got an interesting email this morning purportedly from “” with “Your Wire fund transfer” as the subject. Here’s a screen shot:

This appears to be a warning of some sort, though it really makes little sense. The link points to a Slovenian domain name and if the victim clicks the link, they are taken to a 404 error page that attempts to download a PDF file, undoubtedly infected with an info-stealer of some sort.

The header is real, linked from the actual website which is intended to make the victim believe the email is real, which, of course, it is not. Examination of the headers shows a Return-Path to a Gmail address.

Please inform your family and friends to immediately delete this email should they receive it.

May 25, 2011  1:28 AM

Apple Refuses to Help Victims of Mac Defender

Ken Harthun Ken Harthun Profile: Ken Harthun
Mac Attack

Mac Attack

So, you’re a Mac user and you get hit by the Mac Defender fake virus warning. You call Apple’s tech support line, right? Well, you’ll get no help from them. According to a leaked Apple memo, here are the instructions to support personnel:

You cannot show the customer how to force quit Safari on a Mac Defender call.
You cannot show the customer how to remove from the Login items.
You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the forums)

In other words, you cannot do anything to help the customer. What the hell are they thinking? This is the wrong response. For Heaven’s sake, at least send them in the the right direction. Microsoft does.

Record numbers of OS X users are falling victim to this scam because Apple has created a false sense of security through their marketing and advertising suggesting Apple users are immune to security threats. The users believe this fake notice is real because of this false data, so they take action thinking that Apple really must be protecting them.

Perhaps this means that Mac has finally entered the mainstream. They are now a viable target for hackers, scammers and other cyber-criminals. And why not? One could argue that Mac owners have more money than PC owners as a rule. Why not go for those bigger bank accounts?

The bottom line is that Apple’s refusal to help its customers is going to give the company a major black eye. I wouldn’t be surprised to find people jumping off the Apple bandwagon, selling their Macs and getting PCs.

Stranger things have happened.

May 22, 2011  4:56 PM

How Long Should a Strong Password Be These Days?

Ken Harthun Ken Harthun Profile: Ken Harthun


It used to be – and I used to recommend – that a good, strong password was a combination of upper/lower case letters, numbers and special symbols at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, making brute-force password cracking programs able to guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, making distributed computing projects such as‘s Project Bovine RC5-64 reportedly capable of guessing 76.1 Billion passwords per second 8 characters just isn’t enough. Think about it, an 8 character password using a 96-character field has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.

When Georgia Tech Research Institute developed a method of using general purpose GPUs, to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I’m now considering upping the ante and recommending 15 characters as a minimum length for passwords. The problem with this is the extreme difficulty in remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list or a secure password manager such as LastPass becomes essential.

The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: