Security Corner

June 30, 2011  3:08 AM

Security Nightmares

Ken Harthun

In this case, it’s a nightmare on Seventh Street! These are the types of things that give me nightmares and I walked into a total nightmare factory:

Wiring closets are open on every floor and every floor has a managed switch and/or router sitting in the closet.

Servers behind unlocked and open doors because shutting the door makes the room too hot and the servers shut down.

Contractors putting in new floors in the server closet and I have no access control.

Backups to external USB drives that anyone in the unlocked closets could walk off with and backups have been intermittent.

Staff laptops are not using encryption.

Insecure and obsolete (Win 2000) servers on the network.

Still some floater laptops that have NO antivirus protection (just had to re-image one that got infected with a really nasty rootkit).

No security policy exists.

This is like a game show: “Hey, Mr. Hacker, COME ON IN!”

But don’t try it: I’m on the scene. “Drunk hacking – You WILL get caught, and you WILL be arrested!” LOL

Another week or so and those nightmares are history!

Believe me.

June 18, 2011  10:15 PM

Reduce Unwanted Email

Ken Harthun

If you use your main email address to get free offers, downloads, etc., you run the risk of having your email address become Spam Central. I know because not only has it happened to me, it has happened to almost everyone I know. Recently, I made the mistake of providing my main email address to an auto insurance “quote portal” that promised to get me three of the best rate quotes from top insurers. Big mistake! Within minutes, I was receiving loads of unwanted solicitations that I did not opt into. This “portal” must have sold my email address 300 times in mere seconds.

I could have prevented this incessant barrage by using a disposable or temporary email address. I’ve written about this before (see Protect Yourself From Spam With Disposable Email Addresses) but I wanted to update you on a couple of other services I discovered.

10-Minute Mail gives you a temporary email address that lasts — you guessed it — 10 minutes. It has a neat feature whereby you can extend the time by an additional 10 minutes in case you didn’t get your download link quickly enough. Geek tested and approved!

Spambox creates a temporary e-mail address for you that expires after a period you choose, anywhere from 30 minutes to a full year. All mail sent to that address is transparently forwarded to your real address. If you start getting too much email through it, you can cancel it and stop the flow; if you want to extend the life of the mailbox, you can do that too. This service has a very, very cool feature that allows you to use your own domain, so websites that think they are wise to temporary email addresses won’t know the difference. Geek tested and approved!

June 12, 2011  4:33 PM

Cryptogram Contest

Ken Harthun

This is the “lighten up” portion of this month’s series of blog posts. I have created a cryptogram that I believe will be difficult to solve, though I have used a simple sequential variation on the Caesar Cipher. Everyone is eligible to play and the prize will be a DVD (or download – your preference) of my Geek Toolkit that normally sells for $27 through my special offer (You don’t have to enter – you can just buy a copy of the toolkit if you want). To enter, just email your solution and shipping details to me: ken [at] Deadline is 28 June 2011. I will publish the method I used and the solution on 30 June 2011.

The ciphertext is below. Hint: The key to solving this cipher is to figure out the shift and the variation. The very first letter of the cryptogram is the actual first letter of the first word, and all punctuation is preserved. Please note that this is NOT a simple substitution cipher: there is no guarantee that a given plaintext letter maps to the same ciphertext letter throughout, though you may notice repeating patterns.


Good luck!
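
For readers who want to experiment before the solution is posted, here is an added example; it is not code from the post, and it is not the exact variation Ken used, which this page does not reveal. It assumes one plausible reading of “sequential variation on the Caesar Cipher”: the first letter is shifted by a starting value (0 here, matching the hint that the first letter is unchanged) and the shift grows by a fixed step with every subsequent letter, while punctuation and spaces pass through untouched. Because such a scheme has only 26 × 26 = 676 possible (start, step) keys, the solver simply tries them all and scores each candidate against a small constructed word list.

```javascript
// Added example, not code from the post. "Sequential Caesar" here means:
// the first letter is shifted by `start` (0 in the post's hint, so the first
// letter is unchanged) and the shift grows by `step` for each later letter.
// Non-letters are copied through and do not advance the shift. Both the rule
// and the word list below are assumptions made for this illustration.
const ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Shift one character by k positions (negative k shifts backwards), keeping case.
function shiftLetter(ch, k) {
  const upper = ch.toUpperCase();
  const idx = ALPHA.indexOf(upper);
  if (idx === -1) return ch;                       // punctuation, digits, spaces
  const out = ALPHA[(((idx + k) % 26) + 26) % 26];
  return ch === upper ? out : out.toLowerCase();
}

// Encrypt (or, with decrypt=true, decrypt) using a shift that advances by
// `step` after every letter. The key schedule depends only on the letter
// count, so the same walk reproduces the shifts on decryption.
function sequentialCaesar(text, start, step, decrypt = false) {
  let k = start % 26;
  let out = '';
  for (const ch of text) {
    if (ALPHA.indexOf(ch.toUpperCase()) === -1) { out += ch; continue; }
    out += shiftLetter(ch, decrypt ? -k : k);
    k = (k + step) % 26;                           // the "sequential variation"
  }
  return out;
}

// Constructed scoring list; a real solver would use a proper dictionary.
const COMMON = ['THE', 'AND', 'IS', 'OF', 'TO', 'A', 'IN', 'THAT', 'CIPHER',
  'KEY', 'YOU', 'WILL', 'NOT', 'THIS', 'FOR', 'CODE', 'WITH', 'SHIFT'];

function englishScore(text) {
  const words = text.toUpperCase().replace(/[^A-Z ]/g, '').split(/\s+/);
  return words.filter(w => COMMON.includes(w)).length;
}

// Key space is only 26 starts x 26 steps = 676 keys: try them all and keep
// the candidate plaintext that looks most like English.
function crackSequentialCaesar(ciphertext) {
  let best = { start: 0, step: 0, score: -1, plaintext: '' };
  for (let start = 0; start < 26; start++) {
    for (let step = 0; step < 26; step++) {
      const plaintext = sequentialCaesar(ciphertext, start, step, true);
      const score = englishScore(plaintext);
      if (score > best.score) best = { start, step, score, plaintext };
    }
  }
  return best;
}

// Demo on a constructed message (not the contest cryptogram).
const demo = sequentialCaesar('The key to this cipher is the shift.', 0, 1);
console.log(demo);
console.log(crackSequentialCaesar(demo));
```

The point of the solver is the one the hint makes: once you guess the shape of the variation, the remaining key space is tiny, and “not a simple substitution” stops being a defence. If the real variation is something other than a constant step, only the key schedule in sequentialCaesar needs to change.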

June 11, 2011  2:34 AM

The American Cryptogram Association

Ken Harthun

Naval Enigma Machine

If you have followed me for any length of time, you know that I’m fascinated with codes, ciphers and crypto in general. My love of codes and ciphers started in the early 1960s when I was an elementary school student. Being the mischievous type, several of my geeky friends and I would invent codes and ciphers to pass notes in class. We’d say naughty things about the teachers or other students, and even if we got caught, no one could figure out the messages. So, you can imagine my delight at finding the American Cryptogram Association web site.

Here’s what they say on the home page: “The American Cryptogram Association (ACA) is a non-profit organization dedicated to promoting the hobby and art of cryptanalysis — that is, learning to break ciphers.”

Sounds like great fun. They even provide a sample issue of their bi-monthly newsletter, The Cryptogram, which I immediately downloaded. I can’t wait to dig into that and peruse the rest of the resources on the site. One thing I’m particularly interested in is Crypto Lessons and Tutorials by LANAKI.

There are links to several cryptogram pages and scores of crypto tools on the Resources page, though I found a couple of broken links. Still, the home page appears to contain current information, so it looks like ACA is alive and well. Check it out.

June 9, 2011  3:36 PM

The New Password Paradigm – Part 3

Ken Harthun

In this part, I’ll comment on some of the past articles I’ve posted about passwords and align them all with the new paradigm (See “The New Password Paradigm – Part 1” and “The New Password Paradigm – Part 2“).

Feb 17 2008: How to Write Down Your Passwords and Not Worry About Someone Stealing Them – This article, one of my earliest on the subject, is a neat little system for creating unguessable passwords and writing them down. It’s a bit too complex and is now obsolete, as is this Aug 24 2009 post: Un-guessable Passwords—How to Make Them.

Feb 24 2008: Can a Criminal Hacker Guess Your Password? – This article talks about the dangers of using common words, keyboard patterns and other easily guessable passwords. It is just as valid today as it ever was with the exception that under the new paradigm, you can use such things in combination with your personal password padding policy.

Apr 27 2008: Your Wallet is the Best Password Manager – Says to write your passwords down and keep them in your wallet. Still applicable. You should not write down your padding pattern with those passwords, however. Say you use “…” as your padding and choose the word “fireplace” as your password, padding it like this …fire…place… Simply write the word fireplace on your list, not the whole padded thing.

Aug 20 2009: Peter Piper Picked a Perfect Password Pattern – I suggested using patterns to pad passwords almost two years ago, a major component of the new paradigm.

Apr 22 2010: Passwords Are Too Complicated – I was right: passwords are too complicated! Passphrases are easier to remember and under the new paradigm, you don’t even have to get very creative to come up with them.

Apr 26 2010: Jabberwocky – Password – This nifty little post about using Lewis Carroll’s poem, “Jabberwocky,” to create strong passwords is pretty brilliant if I do say so myself. Couple that with a good padding pattern and you have a real winner.

May 13 2010: Secure Computing: Password Card is a Winner – The password card is a nifty little tool and is still a valid way to create and remember complex passwords; however, it’s obsolete under the new paradigm unless you want to use it to create padding patterns.

Sep 14 2010: Is Your Password on the List of Worst Ones Ever? – Valid information, but hardly dangerous if you use one of them with a padding pattern.

Dec 27 2010: Use Strong, Unique Passwords! Use Strong, Unique Passwords! Use Strong, Unique Passwords! – Valid information that once again suggests using a personal pattern.

Jan 18 2011: Password Voodoo – A nifty trick using your keyboard FCC ID to create a password, but it still requires that you remember a pattern.

Mar 26 2011: Create Perfect Passwords on Paper – Steve Gibson’s Perfect Paper Passwords is still relevant and also can be used to create your password padding pattern.

May 22 2011: How Long Should a Strong Password Be These Days? – Definitely valid information and the new paradigm makes it even easier to make 15-character long (or longer) passwords.

June 5, 2011  5:14 PM

The New Password Paradigm – Part 2

Ken Harthun

In The New Password Paradigm – Part 1, I promised to expand on the concept and also to provide an analysis of things I have told you in the past about passwords. Some of what I told you is still valid, even in the light of the new paradigm. Some of the information was off the mark.

Probably the most important concept of the new password paradigm is the idea of forcing the hacker to resort to brute force techniques by creating passwords that are not on known password lists or in the dictionary. The first things hackers try when attacking passwords are the various lists of common passwords, such as Top 500 Worst Passwords of All Time, Top 10 Most Common Passwords, and information gleaned from studies such as A Large-Scale Study of Web Password Habits published by Microsoft. The next thing they try is names and dictionary words. If you use your name, a pet’s name or a dictionary word as your password, it will be discovered virtually instantly. Even an obscure dictionary word like “ratiocination” won’t work; however, the right kind of simple change to any common password, name or dictionary word forces the hacker to fall back on brute force.

I am not talking about merely capitalizing the first letter or changing some letters to their leet speak equivalents, such as 3 for “e.” The hackers know all these tricks, too and will likely incorporate them into their dictionaries, so taking my example of “ratiocination” and turning it into Rati0cin@tion might not work very well. Yes, a brute force attack would take a long time on such a combination, but the hacker is likely to try the common patterns that most people would choose. The list might look like this:

  • ratiocination
  • Ratiocination
  • r@tiocination
  • Rati0cin@tion
  • rAtIoCiNaTiOn

and so forth. Each different combination that the hacker incorporates into the dictionary tables increases the chance of a successful match without having to resort to brute force. However, add something to the word, and you’re golden: the hacker is now doomed to using brute force. Steve Gibson explains on his Password Haystacks page:

… the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.

It’s such a simple concept, it’s beautiful! Just pad the password with a known pattern of your own invention.

In Part 3, I’ll list my previous articles on passwords and comment on them.

June 4, 2011  3:00 PM

The New Password Paradigm – Part 1

Ken Harthun

Break out your pet’s name, your children’s names, your spouse’s name or any other easy-to-remember words or phrases that I–and every other security wonk–have been telling you never to use. Apparently, we’ve been giving you some information that isn’t as valid as we thought. In fact, depending on how you look at it, we may have been completely wrong with some of the things we insisted you do or don’t do. Don’t misunderstand, what we told you worked and the information would have resulted in greater security, it was just too darned complex. Because of that, many people just didn’t make the extra effort.

There has been a sea change in the password paradigm, thanks to Steve Gibson, who uses the needle-in-the-haystack analogy for passwords. It is an approach that results in even greater security while letting you create easily remembered passwords. Gone are the days when you had to use cryptic and impossible-to-remember passwords like PrXyc.N(n4k77#L!eVdAfp9. Steve gives an elegant explanation, including an excerpt from the June 1st Security Now! podcast, on his Password Haystacks page. The site also has what he calls a “Search Space Calculator” that will give you some real insight into what the hackers are up against.

The new password paradigm is to invent your own personal padding policy. “What the heck is that,” you say? It’s extremely simple: 1. Invent a pattern of characters that you will easily remember; 2. Pad your memorable words, phrases, dates, etc. with that pattern. The easiest way is to put the pattern before and after your chosen phrase, but you can do it any way you like as long as it is memorable for you. The beauty of this system is that you can even use any of the Top 500 Worst Passwords of All Time as long as you pad them. You can use any dictionary word, name, date, phrase–whatever you wish–and you’ll be OK.
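
The arithmetic behind the calculator is short enough to reproduce. What follows is an added example, not code from the post and not GRC’s own calculator: it counts every string up to the password’s length over the character classes the password reveals, then divides by an assumed guess rate. Class sizes follow the usual convention (26 lower, 26 upper, 10 digits, 33 printable ASCII symbols) and the three rates are assumed round figures approximating the scenarios on the Haystacks page.

```javascript
// Added example, not code from the post and not GRC's calculator: the
// search-space arithmetic behind the haystack argument. Class sizes follow
// the usual convention (26 lower, 26 upper, 10 digits, 33 ASCII symbols);
// the three guess rates are assumed figures approximating the scenarios on
// the Haystacks page. BigInt keeps the large counts exact.
const CLASSES = [
  { name: 'lower',  size: 26n, re: /[a-z]/ },
  { name: 'upper',  size: 26n, re: /[A-Z]/ },
  { name: 'digit',  size: 10n, re: /[0-9]/ },
  { name: 'symbol', size: 33n, re: /[^A-Za-z0-9]/ },
];
const RATES = { online: 1000n, offlineFast: 10n ** 11n, massiveArray: 10n ** 14n };
const SECONDS_PER_YEAR = 31557600n;

// The attacker must assume every class that appears is in play.
function alphabetSize(password) {
  return CLASSES.filter(c => c.re.test(password)).reduce((sum, c) => sum + c.size, 0n);
}

// Sum of A^i for i = 1..n: all strings up to this length over the alphabet,
// which is what a blind brute force has to wade through.
function searchSpace(password) {
  const A = alphabetSize(password);
  let total = 0n, power = 1n;
  for (let i = 0; i < password.length; i++) { power *= A; total += power; }
  return total;
}

// Integer years to exhaust the whole space at a given guess rate.
function yearsToExhaust(password, guessesPerSecond) {
  return searchSpace(password) / guessesPerSecond / SECONDS_PER_YEAR;
}

function report(password) {
  const years = {};
  for (const [name, rate] of Object.entries(RATES)) years[name] = yearsToExhaust(password, rate);
  return { password, length: password.length, alphabet: alphabetSize(password),
    searchSpace: searchSpace(password), years };
}

// The leet-speak variant versus the same word padded with a simple pattern.
for (const pw of ['Rati0cin@tion', '...ratiocination...']) console.log(report(pw));
```

Running it shows why length beats cleverness: “...ratiocination...” uses only two character classes but is 19 characters long, and its search space is about eight orders of magnitude larger than the 13-character, four-class “Rati0cin@tion”. The numbers only describe exhaustive guessing, which is the attacker’s last resort after lists and rules have failed, so they apply only to a padding pattern the attacker does not already know.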

I’ll expand on this concept in Part 2.

June 3, 2011  11:59 PM

Microsoft Standalone System Sweeper Beta

Ken Harthun

One of the problems with malware is that it is often difficult to remove while the infected system is running. Last week, I dealt with a particularly sticky infection that I couldn’t remove until I used a boot CD. Rootkits are the worst case: their whole purpose is to hide from the running system, so you often don’t even know they are there. The only reliable way to remove one is to boot from known-clean media and scan the hard disk while the infected operating system is offline, comparing the system files on disk against known-good copies.

While not broadly publicized, Microsoft has developed a tool to remove rootkits and other advanced malware from systems running these versions of the Windows operating system: Windows XP Service Pack 3; Windows Vista (RTM, Service Pack 1, or Service Pack 2, or higher); Windows 7 (RTM, Service Pack 1, or higher) in both 32-bit and 64-bit editions. The tool is called “Microsoft Standalone System Sweeper Beta.” Looks like it has been designed for use by support personnel.

Thank you for contacting Microsoft Support. You have been directed here to download and install the beta version of Microsoft Standalone System Sweeper Beta, a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.

Microsoft Standalone System Sweeper Beta is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection.

I haven’t tried it out yet, but it’s probably a good idea to download and build bootable media for both the 32-bit and 64-bit editions.

If anyone tests this before I do, please leave a comment.

May 31, 2011  10:38 PM

Security Made Simple

Ken Harthun

With the official start of the summer season in the U.S. (Memorial Day holiday), I want to give everyone a few tips for staying secure. No, this isn’t the typical use-strong-passwords-and-don’t-click-email-links lecture. When favorable weather conditions prevail, our thoughts turn to getting through the week and getting to the weekend. Consequently, with our thoughts elsewhere, it’s easy to get careless.

Case in point: I live in a duplex town home and interact closely with my new neighbors. They told me they were going away for the weekend to the lake. I wished them a good time. On Saturday, I noticed they had left their garage door open. No big deal, I thought, as there is really nothing in there anyone would want. The door from the garage to the town home has a deadbolt lock, so I figured they had locked it. Being the good neighbor that I am though, I checked it. The door wasn’t locked! Anyone could have walked in and cleaned them out.

When they got back yesterday, they asked me if I noticed they had left everything unlocked and I told them I had. Apparently, they had left in an awful hurry and hadn’t checked to make sure everything was locked. Even their front door was left unlocked. Had I and my family not been around to keep an eye on things (which we did), my neighbors (as well as my family) could have suffered some big losses.

The lesson? Simple. No matter what’s going on, no matter where you have to be and when, TURN IT OFF, LOCK IT DOWN, LOCK IT UP.

That’s security made simple. Think about it.

May 31, 2011  12:00 PM

Cloud Security and Privacy – Do They Exist?

Ken Harthun

Got this announcement this morning from Sophos about a lecture at the New South Wales branch forum of the Australian Computer Society (ACS). That’s a bit out of my way, so I couldn’t attend, but here’s the gist:

The topic is Privacy and security in the cloud – is there any?

The Cloud - whatever that is - isn't new, whatever the marketing material may imply. But the scale of many modern-day cloud-oriented services is simply enormous. And since those services are run by experts, they readily promise to deliver the "holy trinity" of computer security - confidentiality, integrity and availability.

But do they? Will they? Can they? This thought-provoking presentation will help you advise your colleagues, your friends and your family how to embrace the benefits of the cloud whilst steering clear of the major risks.

This ties in nicely with a recent post of mine, “Beware Cloud Data Storage–Pre-encrypt.”

Steve Gibson of the Security Now! podcast recently coined a term, “pre-egression encryption,” which worked out to the acronym PEE. Not elegant, but it makes sense (he has since adopted the acronym PIE, pre-Internet encryption, coined by a listener). In other words, trust no one else’s encryption: encrypt the data yourself, with your own secret key, before you send anything to the cloud. Steve references an incident with Dropbox in Security Now! episode 302:

…like Dropbox, are very user-friendly, and they say, oh, we encrypt. We use SSL 256 encryption so that all of your data is safe as it’s coming to us. The problem is, they encrypt it, and then they decrypt it at the other end. So they’re storing it, or they have it, at least, in an unencrypted state. In the case of Dropbox, they then would encrypt it for storage. But they encrypted it for storage. They have the key that was used. The only way any of this stuff is safe is if you do the encryption before it goes out on the wire, and that key never leaves your control. In which case we’re using the cloud as a big opaque storage container in the sky.

The bottom line is that you can trust no one with your security and privacy in the cloud. Before you send any data to the cloud, encrypt it with a key that is known only to you and completely under your control.

Assume that cloud security and privacy don’t exist.
