Security Corner

April 26, 2011  11:25 PM

Extremely Robust Security, the Google Way

Ken Harthun

Google recently released a video that shows the extremely robust physical, data-protection and operations security of its data centers. Google does not allow tours of its facilities and limits physical access to only necessary employees. Access is controlled by special badges and in some cases retinal scanners. Wait until you see how they dispose of hard drives. Fascinating stuff that serves as a shining example of security done right.


April 26, 2011  12:08 AM

Beware Cloud Data Storage–Pre-encrypt

Ken Harthun

Before you consider a cloud storage solution, be sure you research their policies thoroughly. I have used Dropbox in the past based on these features (from their website):

Your stuff is safe

Dropbox protects your files without you needing to think about it.

  • Dropbox keeps a one-month history of your work.
  • Any changes can be undone, and files can be undeleted.
  • All transmission of file data occurs over an encrypted channel (SSL).
  • All files stored on Dropbox are encrypted (AES-256).

Well, alright, but consider this from their privacy policy:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

So, Dropbox has the keys to the kingdom unless you encrypt the files yourself before uploading. And anyone on their staff, by extension, can decrypt your data. Not good.

If you want to maintain your security and privacy, pre-encrypt everything you intend to store in the cloud. If all the service ever holds is pseudo-random noise, that is all anyone will get.

Trust no one when it comes to your data.
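The pre-encryption step recommended above, as an added example that is not part of the original post: a small POSIX shell wrapper around the openssl command-line tool (assumed installed, version 1.1.1 or later for `-pbkdf2`) that encrypts a file with a passphrase-derived AES-256 key before it goes anywhere near the sync folder, and checks that the result carries no recognisable plaintext before upload. The `PRE_ENC_PASS` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a file locally before
# it is copied into a cloud sync folder, so the provider only ever holds
# ciphertext. Assumes the openssl command-line tool (1.1.1 or newer, which
# added -pbkdf2) is installed. The passphrase is read from the PRE_ENC_PASS
# environment variable (a name chosen for this demo) rather than the command
# line, so it does not show up in the process list.

# pre_encrypt SRC DEST: AES-256-CBC with a fresh random salt and a
# PBKDF2-derived key. DEST is the only thing that goes into the sync folder.
pre_encrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:PRE_ENC_PASS
}

# pre_decrypt SRC DEST: the reverse, run on your own machine after download.
pre_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:PRE_ENC_PASS
}

# ciphertext_leaks FILE NEEDLE: exit 0 if NEEDLE is visible in FILE, i.e. the
# "noise" still carries recognisable plaintext and must not be uploaded.
ciphertext_leaks() {
    grep -q -- "$2" "$1"
}

# Caveat: openssl enc gives confidentiality only, not tamper detection. Keep a
# separate HMAC of the ciphertext (or use gpg --symmetric) if integrity matters.

# Demo on a constructed sample file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed sample: account 12345, balance 9,876.54\n' > "$tmp/plain.txt"
    PRE_ENC_PASS='correct horse battery staple'; export PRE_ENC_PASS
    pre_encrypt "$tmp/plain.txt" "$tmp/plain.txt.enc"
    if ciphertext_leaks "$tmp/plain.txt.enc" 'account 12345'; then
        echo "plaintext visible in ciphertext; do not upload" >&2
        return 1
    fi
    pre_decrypt "$tmp/plain.txt.enc" "$tmp/back.txt"
    cmp -s "$tmp/plain.txt" "$tmp/back.txt" && echo "round trip ok"
    rm -rf "$tmp"
}

demo
```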

April 23, 2011  1:43 PM

Privacy is Dead

Ken Harthun

At one time, long before paranoid politicians, Madison Avenue ad agencies and the Internet, it was possible to enjoy true personal privacy. In fact, you could actually live in nearly total obscurity known only to those in close proximity. Not anymore. Today, privacy is dead, save for what you do in your own home (at least, I think that’s the way it is…). In particular, if you have established any sort of online presence, even if you just have a cell phone, then you are visible to the world.

Even if you are not online, merely express your opinion to someone, and if that someone takes issue (or agrees with you) and tweets or posts to Facebook or other social media, you are visible if they name you. Most public records are online these days; genealogy websites, people search engines, newspaper archives, etc. all contain information about you. If you have lived or died in recent history, you are known and visible to the world.

Don’t believe me? Type in the name of a deceased relative and see what happens.

Information about you, your life, your relatives is everywhere online these days. And this applies not only to what you do and say in public, but what you do and say in your own home or among trusted friends. Your private thoughts are no longer private if you express them to anyone–sooner or later, they will surface on the web. The only way to keep your thoughts and opinions to yourself these days is to write them down in a personal journal that you keep under lock and key. Maybe. As long as no one else ever sees it.

Pretty scary, eh? We don’t need thought police à la George Orwell’s 1984.

We have the Internet.

April 22, 2011  1:17 AM

Microsoft Launches Free On-Demand Virus & Malware Scanner

Ken Harthun

Microsoft has jumped on the on-demand malware scanner bandwagon by launching a new, free virus/malware scanner that’s designed to be used if you think your computer might be infected. It’s called Microsoft Safety Scanner and is a portable app, so no installation is required. Here’s what Microsoft has to say about it:

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

This appears to be a variation of the Malicious Software Removal Tool (MSRT) that Microsoft runs on your system each month if you have automatic updates turned on. From what I can determine, the Microsoft Safety Scanner (MSS) is simply an on-demand version of Microsoft Security Essentials (MSE) that also targets some of the specific MSRT targets. I guess that makes sense in some way? Why wouldn’t you just use MSE and turn on automatic updates? Seems like the same effect.

Some people have noted that McAfee has a comparable tool, also free, called Stinger. Trend Micro, Symantec, and Malwarebytes also offer on-demand scanners. Also noted is that MSS is a 67 MB download while Stinger is just under 8 MB. Why such a disparity? Does this indicate that MSS has a much larger malware signature file, or is it just typical Microsoft bloat?

I don’t plan on testing MSS, so if you have any comments on your experiences with it, please leave them here.

April 20, 2011  10:50 PM

Geek Speak: Password Stuff

Ken Harthun

Since I often discuss password related subjects, I thought it might be a good idea to “define my terms” for everyone. Here are ten password related definitions for your reading pleasure.

Authentication: Determining whether someone or something is who or what it is declared to be. Is that really “mom” logging into your computer or some hacker?

Strong (unguessable) Password: A password that has been deliberately composed to be difficult or impossible for a person or a program to discover. The longer, and more random, the stronger (and more unguessable) the password.

Password Cracker: A program designed to discover passwords. These programs are often used by Sys Admins to discover forgotten user passwords. The program can be designed to use brute force or dictionary discovery. While a useful admin tool, these are what hackers use to steal information.

PIN: Personal Identification Number, often used in conjunction with a password to provide an additional security factor. They are most commonly used with ATM cards.

Single Sign-on (SSO): An authentication system that allows a single username/password combination to be used to access multiple applications. Often used in corporate environments so that a person who uses multiple applications doesn’t have to log into each one separately when switching between them.

Identity Chaos: According to this article, it is “…a situation in which users have multiple identities and passwords across a variety of networks, applications, computers and/or computing devices. To further complicate matters, each of the user’s passwords may be subject to different rules, allow access at different security levels, and expire on different dates. Such a situation can lead to security risks. Because people have to remember so many different passwords, they may choose very simple ones and change them infrequently.”

Phishing: A fraud method that utilizes official-looking email purporting to be from a financial institution or government agency in an attempt to trick you into entering sensitive information at a fake website. Be suspicious of any official-looking e-mail message that asks for updates on personal or financial information and never click on links in such messages. No legitimate organization will send you an email asking for personal information.

Social Engineering: When someone using personal contact via telephone or face-to-face runs a con game to secure personal information. The social engineer will often pose as a tech support or help desk contact for your company.

Worm: A kind of malware that is often sent in email attachments and replicates itself on the user’s system and the local network, using up system resources and bogging down the system.

Shoulder Surfing: This is someone literally looking over your shoulder to discover what you are typing into online forms, bank logins, an ATM, etc.

April 16, 2011  6:47 PM

Data Breaches — Steps to Take if You Are Notified

Ken Harthun

The recent breach of Epsilon, an email marketing services company, emphasizes the fallacy of online privacy. There just is no such thing. But what do you do when you have trusted your private information to the firms and financial institutions you deal with, and someone breaches the security of the databases where that information is stored?

While the Epsilon breach reportedly only involved names and email addresses, not financial information, you should know how to deal with more serious data breaches where your personal financial information may be at risk. Here are five steps to take if you are notified of such a situation:

  1. Immediately change the passwords on all of your banking, credit card, and other online payment accounts and be sure they are all different. Do not use the same password for all of them and make sure the new passwords are unguessable.
  2. Change the passwords on any email accounts that you use for transacting business online.
  3. Be very alert to any phishing attempts arriving in your email that pretend to be from the affected accounts, and monitor your accounts closely for unauthorized activity.
  4. If you suspect any unauthorized activity, immediately contact the financial institution. They will work with you to resolve any issues.
  5. Educate yourself on, or review, the actions you should take in the event your identity is stolen, or if you suspect it has been. The FTC publishes an excellent guide: Take Charge: Fighting Back Against Identity Theft.

Please note that there is a big difference between simple fraud and identity theft. A data breach of any kind could lead to both. Someone using your stolen credit card is not the same thing as someone using your name, Social Security number (or other government-issued identity numbers), and other personal information to open credit accounts in your name, nor is it the same as someone posing as you to access your bank accounts.

April 13, 2011  12:53 AM

Who is Rachel Jimsym?

Ken Harthun

Watch this video and find out why security is important both outside and inside the network.


April 8, 2011  12:20 PM

Beware LizaMoon Rogue-AV

Ken Harthun

I haven’t seen this one, but it seems to be quite nasty. The latest issue of Windows Secrets alerted me to it. Fred Langa posted a blow-by-blow account of an infection:

A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links.

Fortunately, LizaMoon is easy to avoid if you know what to look for.

Using rogue-AV scare tactics, LizaMoon tries to trick you into running bogus security-scan and virus-cleanup tools on your PC — but it’s pure malware.

If allowed onto your PC, this particular ploy is especially troublesome because it can partially disable the Windows Security Center and change the Registry so that the full WSC can’t be restarted. It also interferes with Microsoft Security Essentials, if MSE is running. (You’ll find lots more LizaMoon news coverage via Google.)

Supposedly, infection peaked in October of 2010 at around 5600 affected sites, but it’s making a comeback, according to Langa. These things never really go away completely and often resurface. Be especially aware when searching sites on Google.

April 8, 2011  12:06 AM

OpenCandy – Benign Adware or Malicious Spyware?

Ken Harthun

OpenCandy (OC), a relatively new advertising product, is currently being bundled with software installers for popular programs including IZArc, mIRC, PrimoPDF, Trillian Astra and more. As always happens with “new” methods of advertising via bundling agreements, OC is generating quite a bit of controversy in various forums and blogs. Some say it is benign adware under the control of the person running the installer; others say it has the potential to be malicious spyware. I have no personal experience with OC, so I did some investigation by seeing what the OpenCandy folks had to say:

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development.

The installer uses the OpenCandy plug-in to present a software recommendation (such as the one below) during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

OpenCandy isn’t installed onto your computer, doesn’t collect personally identifiable information about you, and doesn’t collect information about your web browsing habits. It is safe, secure, and used by hundreds of software developers, including many of the world’s largest anti-virus companies. Several of our partners are listed here:

IF this is true, then it looks like OC is benign. Check out the partners at the URL above, then you decide. Other forum members at Dave’s Computer Tips seem to agree with me:

ozbloke: I believe OpenCandy, as it now stands, is relatively harmless adware; on the proviso that the software distributors who bundle it with their products stick to a regimen of full disclosure and employ an opt-out system. However, the potential for abuse is somewhat disturbing and I would like to see some more concrete assurances/guarantees in place.

As always, caveat emptor.

April 3, 2011  11:48 PM

Kroger Customer Database Compromised

Ken Harthun

I have not been able to verify whether or not Kroger uses the same email services vendor, Epsilon Interactive, as U.S. Bank (see U.S. Bank Vendor Epsilon Interactive Hacked), but got this notice as well:

Kroger wants you to know that the database with our customers’ names and email addresses has been breached by someone outside of the company. This database contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

Wonder how many other notices I’ll be getting?
