Security Corner


November 25, 2010  5:15 PM

Happy Thanksgiving to All My Readers Who Celebrate the Holiday!

Ken Harthun

Whether or not you celebrate the American holiday known as “Thanksgiving Day,” I ask you to take a moment and reflect on things that you have to be thankful for. Me, I’m almost overwhelmed this year by the blessings I reflect upon:

  • A new, healthy grandchild (who was born premature, but doing fine). Welcome, Aayla!
  • My own and my wife’s good health.
  • My family’s good health.
  • Friends that I have made worldwide (many of whom I’ve never met, but they’re friends nonetheless!)
  • My readers whose support allows me to continue publishing this blog for TechTarget.
  • My clients who stick with me and listen to my security advice (Not a single major security incident in the last four years, yeah!)

There are so many more that it’s impossible to list them all. But, I want to extend one special holiday greeting to my AWESOME friend, Stuart Stirling (whom I’ve never met in person, but whom I hope to one day), for sending me this incredible video. Happy Thanksgiving, Everyone!

[Embedded video: http://www.youtube.com/v/Ek1iIOTsiRo]

November 25, 2010  3:28 AM

Hey, Crackers, Spammers, and Other Assorted Idiots, Let’s See Something Original!

Ken Harthun

WARNING! This is not yet rated, but you don’t want young children reading it! This is a rant, and I’m not being very nice…

Hey, fools, I’m getting very bored with your useless crap. The spam isn’t even worth reporting anymore. I mean, if anyone is even falling for this junk, then they deserve everything they get. Find a new niche, you idiots, one that baby boomers really identify with (at least those that I know). I’m not going to even give you a hint about what that might be, but it would be fun to see some new and original spam for a change.

At least we wouldn’t all feel like we’re wasting our time thinking you’re a security threat. No, you’re just peddling your useless junk. At least, if you came up with something embedded in those graphic images on your porn site that gave us pause, we’d have something to do.

So, give us a break! You send spam with the subject “It’s just cool!” The “from” line reads, “EnlargePe***.Hi16@yahoo.com.” And then you tell us, “It’s just cool! Have a cool pe***!” Sheesh! We don’t want it to be cool, we want it to be hot. Wrong marketing message. Makes sense, though: you Russian spammers don’t have anything better to do, I guess. And you certainly don’t have any brains (Maybe the thought process has descended into that large member you’re advertising).

It doesn’t work anymore. Try spamming gout remedies or hemorrhoid relief.


November 20, 2010  3:09 PM

Identity Exposure Index (iEi) Can Improve Over Time

Ken Harthun

In April 2009, I introduced the concept of an Identity Exposure Index (iEi) in my post, What’s Your Identity Exposure Index? In May 2009, in response to a reader’s comment, I posted Can Your iEi be Improved? I am happy to report that it is possible to improve your iEi.

When I first tried the method, my iEi was 2.8. Eighteen months later, doing what I recommended to my reader, my score is now 1.6, a significant drop. That’s a pretty good indicator to me that you do have some control. Here’s what I recommended:

I’ll give you the best solution I know, one that I’ve been using for some years now: If you are online regularly, do everything you can to post and reveal the information that you *want* people to find. A blog is great for this. Using my blogs, over the past five years I’ve managed to push the junk well beyond the third page of most search engine results. I can live with that.

Here’s the actual sequence of searches to determine your iEi:

Use any top search engine. I used Google.

1. Search your name in the form you commonly use; e.g., Ken Harthun, not Kenny, Ken G. or other variants. Count the number of accurate hits on the first page.

2. Search your full legal name as it appears on your birth certificate. Count the number of accurate hits on the first page.

3. Search your mother’s married name, with and without her middle name and middle initial. If her maiden name shows up anywhere on the first page, count 10; if not, count 1.

4. Search the last six digits of your Social Security number, including the dash. If your name shows up anywhere on the first page, count 10; if not, count 1.

5. Search your home phone number with area code. If your current address is shown, count 10; any former address, count 5; else, count 1.

Now, add all the scores. Maximum score is 50. Divide by 10 to get your iEi. It’s your choice whether or not to round off.

In another May 2009 post, ID Analytics Service Validates Identity Exposure Index, I mentioned the service provided by MyIDScore.com, a free public service that gives you a quick way to assess your risk of identity theft. Once again, that service validates my iEi test:

Here is your personal My ID Score calculated from the information you submitted:

Kenneth G Harthun
My ID Score: 224
Date: 11/20/2010
Report Code: [none of your business! ;-)]

A My ID Score of 224 indicates a LOW risk of identity fraud.

I just love it when I’m right! Nevertheless, I would have to recommend you use their method over mine; it’s easier, faster, and (probably) more accurate.


November 20, 2010  10:07 AM

Malware is Now a Trillion-Dollar Industry

Ken Harthun

“Show me the money!” (with all due deference to Jerry Maguire) is the new mantra for crackers and malware writers. According to an Imperva.com whitepaper, The Industrialization of Hacking, “Cybercrime has evolved into an industry whose value in fraud and stolen property exceeded one trillion dollars in 2009. By contrast, in 2007, professional hacking represented a multibillion-dollar industry.”

But how is the money made? Certainly it isn’t all outright theft: funds stolen from bank accounts and payment processors, or identity theft. Sure, we hear about those things in the news all the time, but they are usually perpetrated by some individual or group at the end of a long chain of transactions that have more to do with trading in stolen data, or in the botnets that steal the data.

There is an excellent paper that gives great insight into the value of trading in such things: The International Computer Science Institute’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” published in October 2007 as part of the proceedings of the ACM Conference on Computer and Communications Security (ACM CCS), Alexandria, Virginia.

The most common behavior in the market is the posting of want and sales ads for illicit digital goods and services. Goods range from compromised machines to mass email lists for spamming. Services range from electronically transferring funds out of bank accounts to spamming and phishing for hire… The goods and services advertised are sold to miscreants who perform various forms of e-crime including financial fraud, phishing, and spamming. For example, a miscreant, intent on phishing, can enter the market and buy the goods necessary to launch a targeted phishing campaign…

For example, here are some actual postings the researchers got from the channels:

i have boa wells and barclays bank logins….
have hacked hosts, mail lists, php mailer send to all inbox
i need 1 mastercard i give 1 linux hacked root
i have verified paypal accounts with good balance…and i can cashout paypals

They also noted posting of samples of sensitive information that act as advertisements of sorts, similar to the “free sample” marketing model:

Name: Phil Phished
Address: 100 Scammed Lane, Pittsburgh, PA
Phone: 555-687-5309
Card Number: 4123 4567 8901 2345
Exp: 10/09 CVV: 123
SSN: 123-45-6789

CHECKING 123-456-XXXX $51,337.31
SAVINGS 987-654-XXXX $75,299.64

People ask me every day (particularly on Skype in reference to the latest Skype phishing attempts), “Why do people do this?” Now, rather than explaining it to them, I’ll just point them to this post. And you can do the same.


November 17, 2010  11:55 PM

Video: Humorous Side of Google Hacking and Online Privacy Concerns

Ken Harthun

Warning: This would probably be rated PG-13, but it’s very funny. You might want to check out SecurityTube.net. Looks like it might be the YouTube of security videos.

This video shows the humorous side of our posting tons of private information online that is aggregated by Google. This from the post at SecurityTube.net: “By the way, the reason I mentioned ‘Google Hacking’ in the title, is that ‘Google Hacking’ is the process of searching using Google, with crafted search queries to find information which people would generally keep hidden but opened it up for search engines to mine by mistake.” Enjoy!

[Embedded video: http://www.youtube.com/v/9RDe2Ia6YlM]


November 17, 2010  8:39 PM

Devices to Protect Your Personal Security

Ken Harthun

Being the security wonk that I am, I’m fascinated by TV crime shows like CSI, NCIS, Hawaii Five-O and the like. Anything that deals with high tech means of solving crimes is fair game. I don’t always have time to watch all of them, but I try to get my viewing in when I can. I’m also a big fan of the spy-thriller genre, having grown up with James Bond movies, Mission Impossible, The Man from U.N.C.L.E., and I-Spy.

But how applicable (and real) is some of that fancy technology you see on TV and in the movies? I wasn’t too surprised to find out that much of it is available, but I was surprised to find that almost all of it is available to the general public with few restrictions. Brick House Security is one place I stumbled upon. They have three general groupings on their website: Home & Family, Business & Government, and Police & Investigations. They claim to have more than 1000 products and a very interesting blog. With the holiday gift giving season upon us, I thought I would pick out a few products from the Brickhouse web site that might make great gifts and post a couple of them here each week.

Here’s a product you may have heard about on the news:

Spark Nano Real-Time GPS Tracking Device

Here’s a nifty way to protect yourself if you are ever out alone in unsafe places:

Cell Phone Stun Gun

Have fun on the site!


November 13, 2010  2:54 PM

Hotmail now Comes with HTTPS, Kind of

Ken Harthun

Start-to-finish SSL encryption is a very good thing when it works. And it usually does. Google has offered always-on encryption for more than two years on the GMail platform. Now Microsoft’s Hotmail features the same thing, almost. Here’s what I got when I tried to set it up (emphasis added):

Connect with HTTPS

  • Account Connect with HTTPS

Using HTTPS will help keep your account secure from hackers, especially if you commonly use public computers or unsecure wireless connections.

Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:

  • Outlook Hotmail Connector
  • Windows Live Mail
  • The Windows Live application for Windows Mobile and Nokia

If you only need a temporary HTTPS connection, enter “https” in front of the web address instead of “http”.

The page then gives you the option to use HTTPS automatically or manually, citing the important note above. I don’t use Outlook or Windows Live Mail, so I opted for automatic.

I’m sure they’ll get this resolved as they are aware of the issues according to this blog post. Here’s an excerpt:

To enable HTTPS for your Hotmail inbox, calendar, and contacts, go to https://account.live.com/ManageSSL. Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL.

Some connections to Hotmail won’t be available if you turn on HTTPS, including:

  • Outlook Hotmail Connector
  • Windows Live Mail
  • The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

We’re constantly working to continue providing great security for our customers, so stay tuned.

Still, watered down or not, it’s much more secure than it was.


November 13, 2010  2:26 PM

Microsoft Pushing Microsoft Security Essentials via Update Provokes Anger

Ken Harthun

According to The Register, Panda Security and Trend Micro are attacking Microsoft for offering Security Essentials (MSE) via MS Update because Redmond is “restricting choice.”

I take issue with that. Microsoft is only offering MSE download via update to Windows users who aren’t already running antivirus software. The commercial AV firms clearly are miffed because their products aren’t being offered for download. That’s just ridiculous.

I’ve long criticized Microsoft for poor security practices, but with MSE, they got it right. I’m certainly no apologist for Redmond, but all of this drivel about being anti-competitive has to come to a stop at some point. Why in the world should Microsoft be forced to market other firms’ products for free? And that’s exactly what the others are saying.

Juan Santana, CEO of Panda Security, argues, “We agree with Microsoft; it’s better to have some protection than not having any at all. However, the way the guys in Redmond are executing the idea is risky from a security perspective and could very well make the malware situation much worse for internet users. That’s why we encourage Microsoft to continue using Windows/Microsoft Update but instead to push all free antivirus products available on the market, not just MSE.” (You can read his blog post.)

Horseapples! How in the world is putting protection in place where there is none going to make the malware situation worse for Internet users? The argument has no substance. It’s illogical in the extreme.

Shame on both Panda and Trend Micro (who have both lost credibility with me as a result of this). Wouldn’t time spent on promoting the advantages and/or superiority of their products be more productive than trying to force Redmond to do their marketing for them?


November 8, 2010  2:56 PM

A Simple Trick to Make Public WiFi Encryption Easy to Implement

Ken Harthun

With the Firesheep firestorm (there are over 1,000,000 search results as of this writing) blazing across the web, there is a lot of pressure on cafes, coffee shops and other establishments that offer free open WiFi to implement WPA2 encryption. While it’s trivial to set it up, fielding the questions from users can disrupt the normal flow of business. The most frequent question will probably be, “What’s the password?” Most places will post signs and/or print up instruction cards with the password on them, but here’s a simple trick that most will probably overlook: rename the SSID of the wireless router so it also gives the password.

Here’s an example: Let’s assume that I own a place called “Ken’s Cafe.” The SSID of my wireless router is KCWiFi. I’ve implemented WPA2 and made the password Ken’sCafe. All I have to do is change the SSID to something like this: KCWiFi (Password: Ken’sCafe). Probably many patrons will see that and just connect when prompted for the password.

This simple trick will work well because there is nothing confidential about a WPA2 password; it doesn’t matter what it is or who has it. Unlike WEP, each connection to WPA2 is unique and there is client-to-client isolation between the connections.
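As an added example (not code from the original post), here is the WPA2-Personal key derivation in Python, following the IEEE 802.11i constants: every station turns the shared passphrase and the SSID into the same PMK, and the two nonces of the 4-way handshake then give each association its own PTK. The passphrase and SSIDs are the post's constructed values, the MAC addresses are constructed; because the SSID is the PBKDF2 salt, renaming the network as the post suggests changes the derived key, so profiles saved under the old name have to rejoin.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. Algorithm constants follow
# IEEE 802.11i; the SSIDs, passphrase and MAC addresses are constructed.


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Every station that knows the passphrase derives this same value."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake (48 bytes for CCMP).
    The two nonces make each association's PTK unique although the PMK is shared."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def rename_changes_psk(passphrase: str, old_ssid: str, new_ssid: str) -> bool:
    """The SSID is the PBKDF2 salt, so putting the password into the SSID name
    also changes the derived PSK: profiles saved under the old name will not match."""
    return wpa2_psk(passphrase, old_ssid) != wpa2_psk(passphrase, new_ssid)


if __name__ == "__main__":
    pmk = wpa2_psk("Ken'sCafe", "KCWiFi (Password: Ken'sCafe)")  # values from the post
    ap = bytes.fromhex("001122334455")                             # constructed AP MAC
    sta1, sta2 = bytes.fromhex("66778899aabb"), bytes.fromhex("66778899aabc")
    anonce = os.urandom(32)                                        # AP nonce, fresh per handshake
    ptk1 = wpa2_ptk(pmk, ap, sta1, anonce, os.urandom(32))
    ptk2 = wpa2_ptk(pmk, ap, sta2, anonce, os.urandom(32))
    print("shared PMK:", pmk.hex())
    print("old-name PSK still valid:", not rename_changes_psk("Ken'sCafe", "KCWiFi", "KCWiFi (Password: Ken'sCafe)"))
    print("per-station PTKs differ:", ptk1 != ptk2)
```

Note that the PTK is a function only of the shared PMK, the two MAC addresses and the two nonces that cross the air in the clear, so the per-client separation comes from the handshake and from the access point's own client-isolation setting rather than from the passphrase being secret.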


November 5, 2010  3:31 AM

Baa Baa, Firesheep, Have You Any Wool?

Ken Harthun

Yes sir, yes sir,
Networks full.
One for the socials,
One for the tweets,
And one for the hacker boy
Who pwns all the peeps.

Sorry. I just had to do that. Firesheep is taking the ‘net by storm, it seems. Surely, you’ve heard about it by now; it has been around for nearly a week and has been downloaded more than 600,000 times. In case you haven’t heard about it, here’s the scoop from Bruce Schneier:

Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.

In other words, if I sniff your cookies, I can hijack your session and be you. I can do anything that you could do, see anything that you could see. So, if you’re using public (unencrypted, open) WiFi you’re in trouble. Personally, I think this is a good thing: It may force the public hotspots to tighten security. After all, it’s not rocket science; you just implement WPA2 on your wireless router and give everyone the password. Steve Gibson explains:

Now that this concept is out, we’re going to see it go like crazy. And so…the remediation for the wireless access providers [is] simply bring up encryption… Again, it doesn’t have to be a secret password, just Starbucks can make it “Starbucks.” And that solves the problem. However, the providers of these services, the Facebook, the Twitter, the MySpace and so forth, they can’t rely on that. They have to simply enforce SSL, just like Google did.

Yes, there’s no reason not to just enforce SSL. On every website. Everywhere, all the time. It’s simple to do. End-to-end encryption and who the heck cares who’s sniffing? It’s all random noise to anyone looking at the data stream.
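As an added example (not code from the original post or from any site named in it), here are the two server-side pieces behind "just enforce SSL" in Python: redirect every plain-HTTP request to its HTTPS twin, and audit Set-Cookie headers so that session cookies carry the Secure attribute, which stops the browser from ever sending them in the clear where a passive sniffer on open WiFi could read them. The hostnames, cookie names and header values are constructed, and the list of name fragments used to recognise session cookies is an assumption of this example.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the original post. The cookie-name hints are an
# assumption of this example; real deployments should list their actual session cookies.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def https_redirect(url: str) -> Optional[str]:
    """Return the https:// URL to redirect a plain-HTTP request to, or None if already HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Report cookies that look like session tokens but lack the Secure attribute.
    Without Secure, the browser sends the cookie on every http:// request too,
    which is exactly what a sniffer on an open hotspot collects."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session-style cookie; outside this check's scope
        if "secure" not in cookie["attrs"]:
            findings.append(f"{name}: missing Secure attribute (will be sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = [
        "sessionid=abc123; Path=/; Domain=.example.com",
        "auth_token=xyz789; Path=/; Secure; HttpOnly",
        "lang=en; Path=/",
    ]
    for finding in audit_cookies(sample):
        print(finding)
    print(https_redirect("http://www.example.com/home?tab=feed"))
```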

Complexity is the enemy of security; simplicity is the ultimate weapon. The solution to this problem is a simple one. We can only hope that the release of Firesheep is the wake up call we need.

