Security Corner


March 30, 2011  6:55 PM

UPS Notification Spam

Ken Harthun Ken Harthun Profile: Ken Harthun

I can’t believe that a somewhat savvy friend of mine asked me about this message. He was actually considering opening it. Some people will fall for anything. The first thing is that this message is very poorly written. Anyway, please inform your family and clients that this is bogus and contains a malware attachment called UPS.zip that will infect their computers with a Trojan horse program. It usually arrives with a subject “United Parcel Service notification <number>”

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

Just delete it upon receipt.

March 29, 2011  6:32 PM

The RSA (SecureID) Compromise

Ken Harthun Ken Harthun Profile: Ken Harthun

On March 17th, 2011, Art Coviello, RSA Security‘s Executive Chairman, posted a statement on their website disclosing their discovery of an attack on their network classified as an “Advanced Persistent Threat (APT).” Essentially, this means that the attackers had been rummaging around in their systems for awhile before being discovered; while doing so, they manage to penetrate one of RSA’s most secret databases.

This raises several questions: 1. How did the attackers penetrate RSA’s security perimeter; 2. How did they go unnoticed long enough to become a “persistent” threat; and, 3. What, exactly, did they get?

Coviello doesn’t address either of the first two questions and is quite vague on the third. How do you interpret this?

Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products [emphasis added]. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers [emphasis added] , this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack [emphasis added]. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

See what I emphasized up there? The attackers got some info related to the SecureID products. RSA isn’t saying exactly what they got, but Steve Gibson makes mention of this in a recent blog post:

…at the time of manufacture individual SecurID devices would be assigned a secret internal random or pseudo-random 64-bit key and a database would be maintained to forever map the device’s externally visible serial number to its internal secret 64-bit key.

This public-serial-number-to-secret-key mapping database then becomes “the keys to the kingdom”. It is RSA’s biggest secret to keep, since a full or partial disclosure of the database would potentially allow attackers to determine a device’s current and future display values and would therefore, of course, break any authentication protection.

More news as it becomes available.


March 27, 2011  5:50 PM

Malware Infection Flowchart

Ken Harthun Ken Harthun Profile: Ken Harthun

This image needs little explanation, but I want to thank Dave at Davescomputertips.com for posting it in his forum. If you’re not a member of that forum and a subscriber of the newsletter, you need to be. Here’s what he had to say:

I found this over at computerschool.org and it does an excellent job of explaining the “what” and “why” of malware. We at DCT often try to explain it in simple terms, but this picture just lets you follow the flow of money. Now you know why it is important to practice safe computing!

Hint: Click here to view the chart full size at its original location.


March 26, 2011  10:42 PM

Create Perfect Passwords on Paper

Ken Harthun Ken Harthun Profile: Ken Harthun

I wrote this article back in 2007. It was relevant then, and it’s relevant now, particularly in the light of the Comodo SSL compromise incident I reported in my last post. While I have gone on to using LastPass to generate and securely store my passwords, I still occasionally use Perfect Paper Passwords to generate secure passwords when I don’t want to clutter up LastPass with things I may never use again.  Steve has never mentioned this particular use of PPP, but I think it’s pretty cool.

So, here in all it’s glory is my original article entitled, “Perfect Passwords…On Paper:”

Steve Gibson, creator of Spinrite and winner of the Third Annual People’s Choice Podcast Awards in the Technology/Science category for his Security Now! podcast with Leo Laporte of Twit.tv, has just come up with a super-secure multifactor authentication system. Steve calls it “Perfect Paper Passwords” and you can read all about it on his web site. Be sure to read all of the pages, but beware — it’s pretty geeky stuff. Here’s a simple excerpt:

GRC’s “Perfect Paper Passwords” (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual “passcodes” contained on PPP’s “passcards” serve as the second factor (“something you have”) of a secure multi-factor authentication system.

I feel like a kid turned loose in Toys-R-Us with a thousand-dollar budget. This is truly an amazing system and I’m just now starting to figure out how to implement it in my own environment. But using it as Steve designed it isn’t the subject of this post. Most network environments are still based on the username/password model, not a multi-factor authentication model. Until the PPP system becomes a standard (and it should!), why not use the passcards to create super-strong passwords?

I know, I know, he already has the Ultra-high Security Password Generator and I’ve been using that, but the idea of breaking long strings of characters into simple, four-character snippets makes things a bit simpler and it also allows you to take some control over generating your passwords. It adds another random factor into the mix by letting you choose the order of combination, something no computer or person anywhere can possibly know. Putting them into a seven columns by ten rows grid in a format that you can fold and stick in your wallet makes it even easier.

Using the web site, you print out three passcards, each containing 70 four-character passcodes for a total of 210. Now, if you randomly combine three passcodes to make virtually unbreakable 12-character passwords, you’ll have a resource of 70 passwords right at your fingertips. Circle the ones you’re using for your current password and cross them out when you change it. Better yet, write down the columns/rows and keep that separate from your passcards. No one’s going to know that A1F4D10 translates into Cai?DCGX@xBt, but you do.

Tell your clients about it. I do.


March 26, 2011  3:02 PM

SSL Compromise an Act of Cyber-warfare?

Ken Harthun Ken Harthun Profile: Ken Harthun

SANS NewsBites | March 25, 2011 | Vol. 13, Num. 024: “SSL Security Compromised…Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates.  The certificates vouch for a site’s authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype.  Comodo has revoked the stolen certificates.”

Microsoft released an advisory on March 23, 2011 (2524375) noting that the following domains were affected:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org (already known from an earlier announcement by Mozilla)
  • “Global Trustee”

Now, here’s where it gets interesting. The IP traced to the attacker was that of an Iranian ISP. Think about it. Here’s what Comodo had to say in their blog post:

The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP.

Of course, this could be just that the attacker was laying a false trail, which would be smart, but how about this?

It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.

It’s a Brave New World.


March 25, 2011  2:55 AM

Five Internet Security Tips (Unedited)

Ken Harthun Ken Harthun Profile: Ken Harthun

Here are the first five tips from my new work in progress, “101 Internet Security Tips.” These are unedited and I am posting them here to solicit feedback. The book can become a huge tome, or it can be kept small. I would like you to help guide the direction I take. So, here are the first five entries:

1.  Activate protection systems.

If your operating system comes standard with a built-in firewall, spam
blocker, anti-virus software or other security application, be sure that it’s
activated. Your Internet service provider may provide an e-mail spam
filtering service that should also be turned on.

2.  Upgrade your protection.

Using security software won’t help if it’s not up to date.  Be sure that
you are using the latest versions of spam, spyware and virus-detection
software.  The most current software will be ready to handle the most
current on-line threats.  Also remember to renew subscriptions if the
software registration expires at some point.

3.  Use anti-virus software.

You should always have anti-virus software on your computer.  These
programs scan all files that are downloaded from e-mail or opened from
the hard drive to ensure that they are safe from malware before use.
When these programs detect a virus, they are able to isolate and
destroy it so it does not infect your computer.

4.  Use anti-spyware programs.

Just like anti-virus programs, spyware protection is also necessary.
These programs scan your computer for spyware, browser hijackers
and other malicious programs.  Both free and commercial anti-spyware
products are available.

5.  Update automatically.

Set both your operating system and security programs to update
automatically. Your virus-detection software needs to adapt as new
threats become known.  Allowing the software to do automatic updates
will ensure that you always have the highest level of protection

What do you think?


March 23, 2011  12:10 AM

Japan Quake Spam Links to Malware

Ken Harthun Ken Harthun Profile: Ken Harthun

Surprised? You shouldn’t be. This type of thing seems to happen every time there is a major disaster anywhere in the World. We saw it with Katrina, the Indonesian tsunami, and countless others. The slime-bag criminals have no scruples and will take any opportunity to steal a buck from unsuspecting, good-hearted people.

Best thing to do is set up an email filter and send the emails to the junk bin. If one really wants to help, contact the local Red Cross chapter, or other lawful and recognized charitable groups.

At any rate, direct contact with those organizations is your best bet. Consider any email solicitation a scam.

Kaspersky Lab has detected a malicious spam campaign whereby if someone clicks on the link, the malicious website uses JAVA exploits to install malicious applications on their machine:

My friend and colleague, Jim, over at Dave’s Computer Tips had this to say in our forum:

DO NOT under any circumstances:
*Follow any Web links included in these e-mail messages.
*Open any attachments or click on photos and videos that claim to show dramatic images or footage of disasters.
*Provide any sensitive information, such as bank account information or credit card details.

ALWAYS ascertain the legitimacy of the email before doing anything; Most genuine charities have email addresses which emanate from their own domain and typically direct recipients to their own Web site to make donations….e.g. almost all legitimate charities have a web address that ends with “.org” rather than “.com”. Verify the authenticity of an email by going directly to the charity’s web site or by giving them a call on the telephone.

I concur.


March 17, 2011  8:31 PM

Very Funny Security Video

Ken Harthun Ken Harthun Profile: Ken Harthun

Time again for a very funny video. This is another Norton ad this time starring David Hasselhoff. Hit the comments and let me know if you like seeing these.

[kml_flashembed movie="http://www.youtube.com/v/pgrOKlV9CNI" width="425" height="350" wmode="transparent" /]


March 17, 2011  3:23 PM

I’m Shutting Down “Ask the Geek”

Ken Harthun Ken Harthun Profile: Ken Harthun

After a good run of more than 5 years, I am shutting down my Ask the Geek the website. I received a fair offer for the domain it rests on, kennyhart.com and have decided to accept it (yes, you read that right–it wasn’t an attempt to scam me). I don’t know exactly when it will be shut down or how it will emerge (if at all) in its new incarnation.

Many times, I have referenced the site here, so if the links are broken, let me know. The new owner intends to set the site up again somewhere and I may be able to redirect the links.

I am NOT giving up on “14 Golden Rules of Computer Security” and will soon also be releasing “101 Internet Security Tips.” The Geek Toolkit is also alive and well and it has been fully updated. If you purchased a copy of it, you already have access to the update and were informed by email.

I am doing this because I have committed to helping expand Dave’s Computer Tips and I think that my time and energy will be better spent working with Dave on this site than it was working on my own. My contract with TechTarget and Security Corner blog will not be affected by this.


March 16, 2011  12:58 AM

Adobe Flash – The worst security record of all time?

Ken Harthun Ken Harthun Profile: Ken Harthun

As you know, I’m an editor over at Dave’s Computer Tips and have been working with that site for going on four years. We have a forum, of course and this is a relevant thread, more than appropriate for Security Corner:

Postby thegeek » Tue Mar 15, 2011 8:48 pm

ozbloke wrote:Does Adobe Flash Player have the worst security record of all time??

Yes, even worse than Microsoft, if that’s even possible…

Has Adobe ever released a version of Flash Player that wasn’t riddled with vulnerabilities??

Not that I know of. I dumped all things Adobe a long time ago. Unfortunately, I can’t function without using the Flash player. @

Adobe has just discovered a “critical vulnerability” in its Flash Player that has the potential to cause all kinds of trouble; the flaw could cause a user’s computer or mobile device to crash and, even more concerning, the vulnerability could “potentially allow an attacker to take control of the affected system.”

Not even remotely surprised.

The flaw affects Adobe Flash Player 10.2.152.33 and earlier versions of the platform running on every major operating system, including Windows, Macintosh, Linux, and Solaris. It’s also an issue on Android devices running Flash 10.1 and earlier. To date, Adobe has discovered that the vulnerability is being exploited in Flash files, as well as through Microsoft Excel but the issue hasn’t affected Reader or Acrobat.

Don’t get me started about Reader and Acrobat. Two of the crappiest programs ever made, if you ask me.

According to reports; Adobe plans to release a fix for the vulnerability sometime next week. Until then, the company has warned users to “follow security best practices by keeping their anti-malware software and definitions up to date.”………no sh*t Sherlock!!

|( Ya think?

Roll on HTML5!!!

It’s really unacceptable and unfortunate that Adobe has managed to get itself into a position of being the “standard” for Flash. We need a change, don’t we?


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: