Security Corner

March 12, 2011  12:37 AM

Anatomy of An Email Scam?

Ken Harthun Ken Harthun Profile: Ken Harthun

Got this email a couple of days ago. I was going to delete it, but somehow it looked legitimate:

I'm interested in purchasing
I'd likely be able to pay in the $200 - $700 range for it.
Let me know whether or not you are open to hearing a formal offer.

Now, that seemed right in the range of what I know the domain is probably worth, so I answered the email:

Sure. I was thinking about flipping it and my website.
Let me know what  you have in mind.

To which I received this reply back:

Thanks for getting back to me.
I can offer you $xxx for  and all associated content.
Let me know if you are interested and we  can get the ball rolling 
on the transfer.

I wrote back and told him I was up for it. The offer was a fair one and I was ready to accept it. He wrote back with this:

Great.  The easiest way to send the payment will be paypal.  Do you
have a paypal account?

Something felt a little odd that this was going so quickly and way too easy, but since I have PayPal locked down with 2-factor authentication, I wasn’t too worried about getting hacked. Still, I had to ask a simple question, so I replied with this:

I have PayPal. The PayPal email address is

Please clarify what you mean by "all associated content."
I assume you mean the content at Ask the Geek and Singing Songwriter web sites.
The writer website has no content at this time and copyright for my original
music is not subject to transfer, as I do not own 100% of the songs.

No reply. No payment. Nothing. It just stopped dead. As it stands right now, I believe it’s possible that I was targeted with a manual phishing attempt. It’s either that, or he decided my terms were a deal killer. Like I said, it appeared to be legitimate. He does have a website posted that solicits people to sell him their sites.

What could someone do with my PayPal email address? Attempt a brute force attack on my password, that’s what. Though that would never work because of the 2-factor requirement.

I’ll probably never know.

March 9, 2011  1:00 AM

Give Spam the Finger

Ken Harthun Ken Harthun Profile: Ken Harthun

No, I’m not talking about that finger; it’ll become obvious in a moment which finger I’m talking about. First, let me ask a few questions:

1. Is your car parked, empty, in the driveway right now with its engine on?
2. Is your shower, with no one in it, running?
3. Is your stove, with nothing cooking on it, turned on?
4. Is your attic light on 24/7?

I’m fairly sure that you answered “no” to all of these questions. It just doesn’t make sense to leave something on if you’re not using it. All this does is run up your electric bill for nothing, right?

Then why would you want to leave your PC on 24/7? If your PC has been compromised and is a member of one of the major spam zombie botnets, chances are that you’re spewing spam in a constant stream.

Do us all a favor and use your index finger to switch it off when you’re not using it. If you do nothing else to clean it up, just shutting down the PC if it’s not being used would cut spam volume significantly.

Do you agree or disagree? Hit the comments and put in your two cents.

March 8, 2011  1:14 AM

Introduction to 101 Internet Security Tips

Ken Harthun Ken Harthun Profile: Ken Harthun

101 Internet Security Tips

I just acquired Private Label Rights to an interesting series of media presentations called 101 Internet Security Tips. Because I am constantly faced with the necessity to educate people on security, I thought this would be a good starting point for a useful reference. [Private Label Rights, called “PLR” in Internet marketing circles, is a license granted by the original creator of the material that essentially gives the purchaser the right to do what he will with the material within the license terms. -Ed.]

After I read the entire report, I realized that I would have to bring it up to present time and expand upon the material given to include links to further reference materials and relevant products and utilities. This is typical for most PLR products–you have a framework of ideas, but it’s up to you as editor to develop them into a comprehensive and coherent end product. Moreover, one who is particularly well versed in the subject material will often find misconceptions and errors introduced by the original creator. Nevertheless, 101 Internet Security Tips is good information, even in its raw form.

So, let me present the raw introduction for your comment. Remember this because I plan to post excerpts, including the revised and updated version, in future posts.

Using the Internet for business and leisure is a necessity in today’s world.  As the technology that allows you to work more efficiently on-line increases, techniques used by Internet criminals also adapts.  While some on-line crimes are perpetrated only for the criminal to exert power by making your life miserable through damaging your computer, identity theft is a main focus for most Internet thieves.  In addition to identity theft threats from hackers, computers can fall victim to viruses, spyware and phishing programs from Internet misuse.  While you may think that high-profile or wealthy individuals are the common targets, most hackers are looking for any easy opportunity.  The easiest opportunity, of course, is an unprotected computer.  Your computer holds all of your most private personal and financial information, so proper security is a must to keep you and your files safe.

Stay tuned.

March 1, 2011  12:19 AM

Oh, I Almost Forgot This!

Ken Harthun Ken Harthun Profile: Ken Harthun

Unless you absolutely need Java, get rid of it. At the very least, update it. Here’s Steve Gibson of Security Now!

So the only real big news is that anyone who is still using or needs to use Java on their system needs to update it. It was just moved by Oracle/Sun, a major update from them, to Java 6 Update 24. It fixed a large collection of vulnerabilities, in total 21, 19 of which can be used to remotely install malicious software. So it’s important. And I did get a kick out of seeing now sort of the wisdom out there, I was reading other people saying, you know, since Java seems to be having so many problems now, and it’s surpassed Adobe in vulnerabilities and exploits, removing it, unless it’s needed, would probably be a good idea. And I’m thinking, hmm, where have we heard that before?

I still need it for some things, so I updated it. And to think I was going to study Java programming…

Things change so quickly in this arena, it’s hard to keep up!

February 28, 2011  11:45 PM

Good Password Advice is Never Wasted

Ken Harthun Ken Harthun Profile: Ken Harthun

So, let me repeat myself. People tell me everyday about how this kind of advice helps them, so here it is again.

A little Alliteration is good for writing effect every now and then; why not apply this to passwords? I don’t mean to write out an alliterative phrase and turn it into a password or passphrase (though you could, I guess); what I mean is to use a pattern that makes it easy for you to remember the password, but still results in a very strong, un-guessable one. Here’s an example of a very strong password: 19[-[Phrase]-]60.

This one is very weak: %6*Some*Phrase*6%. Can you see why? Too many repetitions of characters. Change it slightly, %6!Some*Phrase!6%, and it becomes very strong.

The trick is to come up with a pattern that means something to you. By no means should you use the patterns I suggest—use something that will be easy for you to remember.

I’ll leave it to you to analyze the two examples and let you come up with your own. Remember, the bad guys read these blogs, too.

You can mosey over to the Password Meter page at Ask the Geek to check the patterns/passwords you come up with. That’s the best password meter I’ve ever seen, bar none.

February 28, 2011  11:21 PM

What the Heck is a Botnet?

Ken Harthun Ken Harthun Profile: Ken Harthun

I have recently had issues with trying to explain botnets to a client. I was met with blank stares.

Thanks to Sophos for this definition:

A botnet is a collection of infected computers that are remotely controlled by a hacker.

Once a computer is infected with a bot, the hacker can control the computer remotely via the internet. From then on, the computer is a “zombie,” doing the bidding of the hacker, although the user is completely unaware. Collectively, such computers are called a botnet.

The hacker can share or sell access to control the botnet, allowing others to use it for malicious purposes.

For example, a spammer can use a botnet to send out spam email. Up to 99% of all spam is now distributed in this way. This enables the spammers to avoid detection and to get around any blacklisting applied to their own servers. It can also reduce their costsbecause the computer’s owner is paying for the internet access.

Hackers can also use zombies to launch a distributed denial-of-service attack, also known as a DDoS. They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to handle all the requests reaching it. The website thus becomes inaccessible.

February 28, 2011  11:08 PM

Skype Configuration Security Issues

Ken Harthun Ken Harthun Profile: Ken Harthun

people who are using Skype are clueless about how to configure it for maximum security, especially if they have set up a public chat. The default security settings for Skype are not adequate by any means.

Let me give you some tips. First off, click here for the list of commands you can issue in a Skype window.

If you have a public chat, you absolutely must issue this command:


If you don’t do that, then anyone can change the chat topic and/or title.

Also, change your privacy settings to allow only your contacts to call you and send you private messages.

If you have those things in place, you’re somewhat secure.

February 28, 2011  4:01 AM

New Cyberweapon Could Take Down the Internet

Ken Harthun Ken Harthun Profile: Ken Harthun

A new cyberweapon could take down the entire internet – and there’s not much that current defenses can do to stop it. (Marvin Martian proposed this a long time ago as immediate disintegration) So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defenses.

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.

“Normal DDoS is a hammer; this is more of a scalpel,” says Schuchard. “If you cut in the wrong places then the attack won’t work.”

OK. Forgive me, but while I believe this is possible, only a government could mandate it, and I don’t believe we have anyone is Washington is savvy enough to do it. But, hey, it’s scary enough. Check it out at:

By the way, I am Marvin Martian’s boss, the one he refers to as “Sir Altitude.”

Have fun!

February 27, 2011  3:45 PM

The Invisible Web and What You Can Do About It

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s an invisible web that underlies everything we see. These things are invisible web – tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior. In other words, trackers. The debate rages on about the use of trackers by online advertisers and many people simply do not want to have their online activities tracked. But, what can one do about it?

I suggest that you check out They have a great little Firefox add-on that is free to download and use – plus you have their promise that Ghostery will never be used for advertising. The utility looks at the invisible web, tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity. Here’s what they do next:

After showing you who’s tracking you, Ghostery also gives you a chance to learn more about each company it identifies. How they describe themselves, a link to their privacy policies, and a sampling of pages where we’ve found them are just a click away.

Then, it give you options so you can take whatever actions you want: block scripts from companies that you don’t trust, delete local shared objects, and even block images and iframes. That’s putting you pretty much back in control.

To be honest, I don’t much care about being tracked and marketed to in a targeted way by reputable companies; however, I do perform security research which sometimes leads me into the clandestine and dangerous areas of the web.

Ghostery currently tracks 486 web bugs & 338 cookies that you can block selectively, so I think that’s got a lot ground covered. But what’s really interesting about Ghostery is the information they give you on each company/method they have listed. Let me just take one example that I bet you don’t know about: Facebook Beacon. Here’s an excerpt from Facebook’s description:

Facebook Beacon is a way for you to bring actions you take online into Facebook. Beacon works by allowing affiliate websites to send stories about actions you take to Facebook. Here’s how that process happens: If you are logged in to Facebook and visit a Beacon Affiliate, an action you take (like writing a review or purchasing an item), may trigger that website to want to publish a story to Facebook.

Give Ghostery a test drive and see what you learn. I promise that it’s going to give me fodder for many articles about the Invisible Web, so stay tuned.

February 26, 2011  4:17 PM

Website Security – How to Block a Country

Ken Harthun Ken Harthun Profile: Ken Harthun

I often consult with people who are running online marketing businesses and soliciting opt-in subscribers to their newsletters. They do this through special landing pages that have forms specific to the information product they are offering. The danger in having such a form live on the web is not unknown–it’s relatively easy to initiate an SQL injection attack.

Another issue is spammers using robots to sign up for newsletters and then using the address of the marketer to attempt to hack the mailing list management service he uses. Most of these services use the marketer’s email address as the account username, so if a hacker or spammer has that information, they can then attempt an attack on the password.

Finally, there is the issue of junk traffic and subscriptions. Naturally, a marketer wants prospects that are not only interested in the products offered, but capable of buying them. Depending on the marketing methods used, traffic can come from anywhere in the world, and often does. My own newsletter at Ask the Geek has a worldwide subscriber audience.

Let’s say we want to block all traffic from China. It’s mostly useless, is spammer/hacker central and they don’t buy anything. Start with When you arrive at the site, look to the sidebar on the right and select the country or countries you want to block. You’ll be asked for your email address. This is OK, it’s just for update purposes. Click the submit button.

You’ll get a pre-configured text that you add to your .htaccess file on your web server. Here’s a look at the concatenated version of what I got:

ErrorDocument 403
order allow,deny
deny from
deny from
deny from
deny from
...[[huge list of every IP address in
the country]]...
allow from all

You can change the location of the 403 error document to one you have created on your server. Then, just copy and paste or upload the file to your www root folder and you’re good to go. Full instructions are on the referenced website.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: