Security Corner


September 4, 2010  2:12 PM

Security Online vs. Security in the Real World

Ken Harthun Ken Harthun Profile: Ken Harthun

Security online is analogous to security in the real world. The first thing any law enforcement professional will tell you is that you cannot make your home or business absolutely crime-proof; all you can do is increase the difficulty and risk to a level where most of the would-be intruders simply go looking for an easier target.

This same principle applies to security online. There are unknown vulnerabilities that make it impossible for your to completely hack-proof your networks; but, if you make sure your perimeter and internal defenses are strong, hackers are likely to leave you alone and go looking for an easier target.

It’s often easier to explain cyber-security to people using such analogies, especially when you’re being grilled about the need for that new, expensive Intrusion Detection System. Here are some useful comparisons:

  • Guardhouse at the entrance gate = Firewall with stateful packet inspection
  • Burglar alarm = Intrusion Detection System (IDS)
  • Security cameras = IDS sensor points
  • Automatic lock-out/lock-in doors = Intrusion Prevention System controls
  • Fire suppression system = Antivirus/Antimalware/Antispam
  • Safe = Disk or file encryption technology
  • Safe deposit box = Symmetric key encryption technology
  • Locked mailbox with open slot = Public key encryption technology

The easiest analogies are the ones regarding encryption, of course. A safe requires a combination; decryption of a disk or file requires the passphrase. A safe deposit box requires that both you and the bank have a key; symmetric encryption requires that both ends have a key. A locked mailbox with an open slot means that anyone can put mail in, but only the person with the key can read the message; public key encryption allows anyone to encrypt the message, but only the holder of the private key can decrypt it.

The other analogies are more open to interpretation and undoubtedly opinions will differ.

What do you think? Have you ever used such analogies? Leave a comment with your favorite comparisons.

September 3, 2010  3:11 PM

How to Combat Phishing Attempts

Ken Harthun Ken Harthun Profile: Ken Harthun

It seems that phishing attempts just keep increasing. Yesterday, more of my friends on Skype were sent this link: http://miw.host.sk/www.skype.com/?id=79826&lc=us along with the usual broken-English message, “hi how are you, i send to you link please sign in ok.” Recall my posts on the Skype phishing/hacking last month, which you should read and apply first:

Skype Phishing Attempts and Account Hacking – Part 1

Skype Phishing Attempts and Account Hacking – Part 2

The first thing you have to learn here is to NEVER CLICK on any links sent to you in email, chats, Skype, whatever until and unless you have verified their source and authenticity. The link above is obviously fake to those of us in the know, but to a normal user, it looks like it came from Skype.

The second thing you have to learn is how to recognize these bogus links. The casual observer will see www.skype.com in what looks like the right place. It would be, except for the single slash in front of it. The web server treats anything after the “/” as a directory. What you have here is the real URL, http://miw.host.sk, pointing to a directory called www.skype.com which contains a fake Skype login page. You can ignore the /?id=79826&lc=us. It doesn’t matter to anyone but the hacker. If you fall for this ruse, they get your password. This is typical of most phishing attempts.

The third thing you have to learn is that you absolutely MUST NOT use the same password for everything. If the hacker gets your password and is able to find out where you bank or find other sites that you log into, they will try that password out. In fact, the first place they are going to go is your PayPal account and heaven forbid if they know your PayPal email address!

You have two tools at your disposal to help combat this menace: OpenDNS and their excellent service, PhishTank. (I’ll do a separate post on PhishTank next week.) OpenDNS Basic is a free service that gives you all this:

  • Reliable DNS Infrastructure
  • Web Content Filtering
  • Phishing Protection
  • Basic Customization
  • Typo Correction

Head on over there, sign up for the free account and learn how to set it up on your system. Once you have it set up, you’ll get a message like this if you try to visit a phishing site:


This is actually working with PhishTank to determine whether it’s a known phishing site. I’ll tell you how to join the community and help report phishing sites in a future post. Also, look for a video or two on how to configure OpenDNS and how to recover a hacked Skype account.


August 31, 2010  8:45 PM

Protect Yourself From Spam With Disposable Email Addresses

Ken Harthun Ken Harthun Profile: Ken Harthun

Want to stop spam? Dumb question! Sure you do. Everyone except the spammers, that is. But the only really effective way to do it is to keep it from starting in the first place. That sounds like a pipe dream, but it’s not; there is a way to do it. The catch is you have to start with a clean slate. That means your existing email addresses have to go. If you don’t want to take it quite that far, you don’t have to, just use the new address you set up as a super-private one and give it to no one but trusted insiders.

First, you’ll need a clean email account, either on your email server (if you’re a Geek like me) or with one of the many fine webmail providers. I have several Gmail addresses that are known only to a few people. Now, make it your personal policy to never give the address to anyone you don’t absolutely trust to keep it to themselves. If spammers can’t get your address, there’s little chance they can send you spam. Finally, use disposable email addresses on web pages that force you to provide a valid email address to “register.”

Probably the best known disposable email service is Mailinator. To use it, all you have to is send mail to it. For example, you could use nofoo@mailinator.com. Most services work in this manner. I also like to use spam.la email addresses for throw-away site registrations. All email sent to any_address@spam.la is publicly readable right there on the page. They provide a filter option so you can just look up things you’ve sent there. The other day, someone told me about dispostable.com.

The only drawback to using these is that some sites are wise to the tactic and will complain if you try to enter such an address. In that case, just choose a different one. A search for “disposable email address” will give you plenty to choose from. If you’re diligent in doing this, you may never again see another spam email.


August 31, 2010  1:38 AM

PG-13 Video – Hilarious Japan Airport Security Video

Ken Harthun Ken Harthun Profile: Ken Harthun

It's that time again! We need to lighten up. I was ROTFL at this Japan airport "security" video. Great visual gags. You don't need to understand what is being said to get the joke. Enjoy!

[kml_flashembed movie="http://www.youtube.com/v/2UyXfd3p7M4" width="425" height="350" wmode="transparent" /]


August 28, 2010  12:45 PM

Ten Web Browsing Myths – Part 2

Ken Harthun Ken Harthun Profile: Ken Harthun

Here is my commentary on the remaining myths from Sophos’ recently issued whitepaper, “The 10 Myths of Safe Web Browsing.”

Myth #6: You can only get infected if you
download files.
Well, that used to be the case, but these days, most infections are via the “drive-by” download. No one is safe from this because the code is injected into the web page and it executes automatically when the page is viewed. For example, I once visited a site that has funny pictures of cats and was immediately infected by an adware trojan. The pop-ups took over my browser. A hard shutdown and start up scan fixed the problem. That site is fixed, but there are many others that aren’t.

Myth #7:  Firefox is more secure than Internet Explorer. This myth got started because IE uses ActiveX technology which has always had a greater share of vulnerabilities than any other plug-ins. The truth is that no browser is inherently more secure than another since all browsers can execute Javascript–the language used by all malware on the web for the initial attack. A study done by Secunia in 2008 showed that Firefox was actually the least secure browser at the time.

Myth #8: When the lock icon appears in the browser, it’s secure. This one can get you in trouble fast. All that lock means is that there is an SSL encrypted connection between the browser and the server. The information still flows. A real disadvantage to this type of connection is that any malware coming along will also be encrypted and could possibly bypass security scanners. Recently, spoofed SSL certificates have made it possible for hackers to give what appear to be valid SSL connections to fake bank, credit card, and PayPal sites.

Myth #9: Web security requires a trade-off between security and freedom. I’m going to disagree with their calling this a myth. Security always involves some trade-off with freedom. In their context, a suitable web security solution ( meaning their product, of course) gives the freedom to grant access to sites people need for business while keeping the organization secure. A rather vague argument in favor of making this one a myth.

Myth #10: Endpoint security solutions can’t protect against web threats. Again, their calling this a myth is simply expedient to their promotion of their web filtering product. As long as scripts can pass through to the browser–which is what has to happen or you’ll break most of the web sites–endpoint security solutions can’t do much.

As in all whitepapers, license is taken to put a spin on certain terms to make one’s product look more favorable. Sophos’ whitepaper does this with their calling those last two statements myths. However, they have given real value in their paper with the publication of the other eight myths.


August 28, 2010  2:48 AM

Ten Web Browsing Myths – Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

Sophos recently issued a whitepaper called “The 10 Myths of Safe Web Browsing.” It covers everything I have been saying to my clients all along.

The problem with security is often one of complacency (see Why People Are Complacent About Security); no visible infections or problems are manifest, so as far as anyone knows, nothing is wrong. Truth is, nothing could be further from the truth. Most infections these days are invisible. Look at this way: Burglars don’t want to be detected. The vast majority of malware these days is designed to steal valuable information and the more it can get, the better. The crackers don’t want you to know they are stealing your stuff–cuts into their profits–so the malware is very stealthy.

What follows in two parts is my commentary on Sophos’ myths.

Myth #1: The web is safe because I’ve never been infected by malware. Yeah, right. That’s the same illogic as “I’ve never been sick, so I don’t need to live a healthy lifestyle.” Sooner or later, it catches up to you. There are many examples of perfectly healthy athletic individuals collapsing while doing their exercise routines. Likewise, people don’t know their computers have been infected with malware until their bank account balance goes to zero or their credit cards get maxed out.

Myth #2:  My users aren’t wasting time surfing inappropriate content. Wanna bet? I’m not going to give specifics here, but I have seen firsthand that nearly half of the users in any given organization have accessed inappropriate content. Without adequate web filters in place, you just don’t know about it. One organization I worked for had excellent web filtering and still failed to spot a third of the inappropriate content being accessed by its employees.

Myth #3: We control web usage and our users can’t get around our policy. Good luck with that. All you have to do is search for “bypass web filter” to find that you’re really up against the wall. According to Sophos, “Anonymizing proxies make it easy for employees to circumvent your web iltering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike.  Hundreds of new anonymizing proxies are published daily. . .”

Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous. Yeah? Well, don’t tell my wife, but I’ve tested this myth on a PC with no antivirus and no antimalware protection with no hardware or software firewall. After a surfing session of more than 50 “dodgy” sites, I ran a malware scan and found nothing more than cookies and a small adware application. The truth is, “Hijacked trusted sites represent more than 83% of malware hosting sites,” according to Sophos. Makes sense, though, doesn’t it? It’s part of the overall deception. What better site to infect than one that is “trusted.” The best double agents are trusted by both sides, aren’t they?

Myth #5:  Only naive users get infected with malware and viruses. Another illogical statement. Naivete has nothing to do with it. “Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have,” says Sophos. “The fact is, if you are visiting sites on the internet, you are at risk.” I recently found some suspicious files on my machine during a routine scan. I have no idea where they came from; they hadn’t been executed. The fact is, I’m not even close to being a “naive” user. I must have gotten the files during a download.

We’ll cover download infections and more in Part 2.


August 25, 2010  11:59 PM

Forty-Six Percent of SMBs Have Been Infected by Internet Threats

Ken Harthun Ken Harthun Profile: Ken Harthun

Panda’s PR department sent me the following yesterday:

Panda Security, the Cloud Security Company, today announced the results of the United States edition of its second annual International Barometer of Security at small- and medium-sized businesses (SMBs). The study, which surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States, revealed that 46 percent of U.S. SMBs have fallen victim to cybercrime, up two percent from last year’s survey.

The 2010 survey revealed there has been little to no improvement from last year in SMBs using industry standard protection methods. Thirty-one percent of businesses are operating without anti-spam, 23 percent have no anti-spyware and 15 percent have no firewall.

“Many SMBs simply don’t have the resources in terms of budget, time and human capital to devote to protecting their computers and sensitive data,” said Sean-Paul Correll, threat researcher at PandaLabs. “The study results are proof that IT service providers and vendors have an important role to play in educating small businesses on threats, and helping them determine the best way to protect themselves.”

No question there; I’m in a constant dialogue with my clients about security. In fact, I’m conducting a web chat this evening on that very subject. The problem is that people either don’t listen, don’t get it, or a combination of both. Witness these statistics from the report:

- The infection ratio at U.S. companies has slightly increased since last year (46 percent in 2010 compared to 44 percent in 2009). It has dropped in Europe (49 percent in 2010 compared to 58 percent in 2009);

- U.S. SMBs named the Internet and USBs/external memory devices as the top methods for computer infections to enter the company (32 percent). E-mail (21 percent) and downloads/P2P (14 percent) were the other popular infection points;

- Viruses are the most popular threat SMBs are encountering (45 percent), followed by spyware (23 percent).

We have our work cut out for us, fellow security wonks!


August 25, 2010  1:18 AM

Skype Phishing Attempts and Account Hacking – Part 2

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

The news today is not good for many of those who have had their Skype accounts hacked. As part of my investigation in one wave of Skype phishing attempts, which I detailed in Skype Phishing Attempts and Account Hacking – Part 1, I attempted to recover a Skype ID. I was not successful for the test account (thanks again to my friend Allen D. for his help). Apparently, if you have never bought any credits from Skype–in essence, making you a “free” member–they don’t extend to you the ability to recover your password. So, if you get hacked, the hacker pwns your Skype ID forever. Not good, especially if you have used your real name (many people use IDs like mine: ken.harthun1). Fortunately, since I use Skype credits for regular calling, I have full access to the recovery features. I subscribe to the plan that allows me unlimited calls to regular phones in the U.S. and Canada. This costs $8.40 quarterly. I consider that cheap insurance.

Besides purchasing something at least once from Skype, there are other steps you must take for maximum security and “recoverability.” Here they are.

1. Sign up for a Gmail account and secure it with at least a 10-character RANDOM password. I’m talking like gtJ62kl9xL or something similar. Yes, you really need to do that.

2. Use the Gmail account to sign up for your Skype account and then don’t use it for anything else.

3. Use a 10-character RANDOM password when you sign up for your Skype accounts.

4. Use something other than your real name for your PUBLIC Skype ID; i.e., don’t use joe.blow, use jblow2341 or something of the sort. You can set up a second PRIVATE Skype ID with your real name.

5. Use the PUBLIC Skype ID for rooms, forums and chat; reserve the PRIVATE Skype ID for trusted contacts only.

6. If you have a PayPal account and don’t already have the PayPal Security Key, get one immediatley. The PayPal Security Key creates random temporary security codes that help safeguard your PayPal account when you log in. If a hacker ever gets your PayPal information, they won’t be able to log in without the security key. This is important if you plan to use PayPal for purchasing any credits on Skype.

7. For both your PUBLIC and PRIVATE Skype IDs, immediately purchase Skype credits or subscribe to a calling plan so you have a purchase record/history with Skype. Use PayPal or a credit card. The reason you want to do this is so that you have information that identifies you without a doubt–information that the hacker won’t have. You don’t have to make ongoing purchases, just a one-time purchase.

8. As soon as the purchase has been completed, immediately delete your stored payment details under the Settings and Extras section in each account. This prevents a hacker from getting any sensitive information.

If you do these things, you will have a verifiable identity with Skype because you will have information that only you know. If your account is ever hacked, you will be able to provide this information to verify your identity and reset your password; otherwise, you’re at the mercy of Skype’s support to recover your identity and you may or may not be able to do that. In any event, it will be an ordeal.

One more thing: Never click on any link anyone sends you asking you to log into Skype. This is especially true for one that does not begin with https:// and end with skype.com. Anything else is suspect.

Questions welcome here, or via Skype @ken.harthun1.

Be safe.


August 23, 2010  1:46 AM

Skype Phishing Attempts and Account Hacking – Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

Friend of mine got this message the other day, purportedly from someone they knew:

hey how are you

http://www.skype.com.betta.prod.bz/?id=79826&lc=us

sign in there to can see it
this is my page contains my pictures videos of my family....
i like you to see now for me
if you had ot the time take just a look

Do I have to say what happened next? I didn’t think so. I sandboxed my browser and hopped over to take a look at the page source.

My friend was taken to a fake Skype login page that was an exact copy of the real thing. In fact, everything worked exactly like the real Skype login page because all the links, etc. were correct. However, the username and password fields were actually inputs to a script that sent the information to the hackers.

Once the hackers had her password, they logged into her Skype account, changed the password and sent the link to everyone on her contact list. Of course, other people fell for it, thinking it was from someone they trusted, so the thing spread virally until I and several other savvy people got the word out.

It’s easy to stop the hacker and recover your access if you know how; problem is, most people don’t even know where to start. Part 2 will show step by step how to recover a hacked Skype account After I simulate an actual hack with a trusted friend as the “hacker,” I will post part 2 which will give details on what can and can’t be done. Unfortunately, it appears that unless you have an “upgraded” Skype account–meaning you have bought Skype calling credits at some point–you won’t be able to recover your original ID without Skype’s intervention (an ordeal, I’m told).  Stay tuned.


August 20, 2010  1:15 AM

Intel to Acquire McAfee

Ken Harthun Ken Harthun Profile: Ken Harthun

I thought you may be interested in the reaction from Juan Santana, CEO of Panda Security, on Intel’s unexpected $7.68 billion acquisition of McAfee this morning.

“It is an unexpected move that highlights the importance of IT security and underscores the health of the industry going forward. In a world where most appliances and gadgets that consumers use have some kind of Internet connectivity, security becomes a differentiator.

Intel recognizes this and they have taken a step forward to position themselves well for this evolution. Computer security can’t be ignored and this move highlights once again the need for it to be top of mind for consumers. We don’t expect any changes in the offering to consumers as a result of the transaction.”

My personal opinion (based on past experience with McAfee’s products) is that this won’t help Intel’s reputation any.

But we’ll see what the market says.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: