Security Corner

February 15, 2015  6:48 PM

Two good ways to make sure your email isn’t pwned

Ken Harthun
Data breach, Email, Hackers, Security, Security breaches

Breaches, breaches, breaches. It’s all part of the daily news in IT security. It’s a good idea to keep tabs on your accounts, especially your email, to see if you’re relatively safe. I say “relatively” because no one is really safe on the internet anymore. I use two services, PwnedList and Have I Been Pwned?, to periodically check my email accounts. PwnedList allows you to set up all of your email addresses and will send you notifications; Have I Been Pwned? will notify you about one account but requires you to manually check the others unless you make special arrangements.

PwnedList actively protects you by continually monitoring sites that host stolen credentials and other security data. If your data has been compromised we’ll notify you immediately—but that’s not all. You can check your online accounts and know with virtual certainty whether they’ve been compromised at any time.

Once you set up an account with them, you can add as many email addresses as you want. You will only be notified if any of them show up as being compromised.

[Troy Hunt, a Microsoft Most Valuable Professional] created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

To find out if any of your accounts have been pwned, visit the site, enter your email address (you can check as many addresses as you want) and click the “pwned?” button. You’ll get one of two responses: no breach found for that address, or a list of the breaches in which it appears.

If it’s the first, you’re OK for now. If it’s the second, take action: change the password on every account listed immediately, and change it anywhere else you reused the same one.
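For anyone who would rather script the check than visit the site for each address, here is an added example (my own, not code from the post or from either service). It triages a list of addresses against breach records shaped like the ones the Have I Been Pwned breach API returns (Name, Title, BreachDate, DataClasses, IsVerified), deciding which addresses need a password change versus only a phishing warning, and it shows the k-anonymity range query the service later added for passwords: only the first five hex characters of the SHA-1 hash leave your machine. The fetch function, the breach records and the range response are all constructed for this example so it runs offline; swap in a real HTTP fetch to use it for real.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data for this example. The records follow the field names the
# breach-search API returns (Name, Title, BreachDate, DataClasses, IsVerified); the
# breaches themselves are invented, not real breach data.
SAMPLE_RESPONSES: Dict[str, str] = {
    "alice@example.com": json.dumps([
        {"Name": "ExampleForum", "Title": "Example Forum", "BreachDate": "2014-11-02",
         "DataClasses": ["Email addresses", "Passwords", "Usernames"], "IsVerified": True},
        {"Name": "ExampleShop", "Title": "Example Shop", "BreachDate": "2013-05-20",
         "DataClasses": ["Email addresses", "Names", "Physical addresses"], "IsVerified": True},
    ]),
    "carol@example.com": json.dumps([
        {"Name": "ExampleMailer", "Title": "Example Mailer", "BreachDate": "2014-01-15",
         "DataClasses": ["Email addresses"], "IsVerified": False},
    ]),
}


def sample_fetch(email: str) -> Optional[str]:
    """Stand-in for an HTTP GET of /breachedaccount/{email}. None models the 404 the
    real service answers for an address with no recorded breach."""
    return SAMPLE_RESPONSES.get(email)


def breaches_for(email: str, fetch: Callable[[str], Optional[str]]) -> List[dict]:
    body = fetch(email.strip().lower())
    return json.loads(body) if body else []


def triage(emails: List[str], fetch: Callable[[str], Optional[str]]) -> Dict[str, dict]:
    """One row per address: the breaches it appears in, which of those leaked
    passwords, the most recent breach date, and the action that follows."""
    report: Dict[str, dict] = {}
    for email in emails:
        hits = breaches_for(email, fetch)
        names = sorted(b["Name"] for b in hits)
        with_passwords = sorted(b["Name"] for b in hits if "Passwords" in b["DataClasses"])
        latest = max((b["BreachDate"] for b in hits), default=None)
        if with_passwords:
            action = "change this password now, and anywhere it was reused"
        elif hits:
            action = "no password leaked; expect targeted phishing at this address"
        else:
            action = "no breach recorded"
        report[email] = {"breaches": names, "passwords_exposed": with_passwords,
                         "latest": latest, "action": action}
    return report


def password_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity lookup: only the first 5 hex chars of SHA-1 are sent to the service;
    the 35-char suffix is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffix_count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times our
    password was seen, or 0 when it is not in the set."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    addresses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    for addr, row in triage(addresses, sample_fetch).items():
        print(addr, row)
    prefix, suffix = password_range_query("password")
    # Constructed range response for prefix 5BAA6; the counts are made up.
    constructed_range = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
                         "1E4D0000000000000000000000000000000:2\n")
    print(prefix, suffix_count_in_range(suffix, constructed_range))
```

The `triage` output separates the two cases the post conflates: an address in a breach that leaked passwords needs a password change everywhere that password was used, while an address in an email-only breach mainly needs to expect phishing.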


February 15, 2015  6:10 PM

Humor: I get scammed AND get a girlfriend to boot? Hmmm…

Ken Harthun
cyberscams, Scam emails, Security


I just couldn’t resist letting my readers see this latest variation on the Nigerian 419 scam. I can’t believe these things are even still going on. Anyway, I got a good laugh out of this and I hope you do, too. You see, I paid “VIRTUALLY all fees and certificate,” but I still have to “SEND THE FEE FOR THE HARD DISK FIRST BEFORE I MAKE YOUR TRANSFER OR YOU BUY THE HARD DISK IN YOUR COUNTRY AND SEND IT TO ME,” before anything happens. But the great part is, “Miss Faith Okeke” will “run away from Nigeria to meet with you.” So, I get a bunch of money and a girlfriend, to boot. Fun stuff. I’m of half a mind to play along and reverse the scam on “her.”


I am Miss FAITH OKEKE. a computer scientist with central bank of Nigeria. I
am 26 years old, just started work with C.B.N. I came across your file which was
marked X and your released disk painted RED, I took time to study it and found
out that you have paid VIRTUALLY all fees and certificate but the fund has not
been release to you. The most annoying thing is that they cannot tell you the
truth that on no account will they ever release the fund to you, instead they
let you spend money unnecessarily.

I do not intend to work here all the days of my life, I can release this fund to
you if you can certify me of my security, and how I can run away from this
Nigeria if I do this, because if I don't run away from this country after i made
the transfer, I will be seriously in trouble and my life will be in danger.
Please this is like a Mafia setting in Nigeria, you may not understand it
because you are not a Nigerian.

The only thing I will need to release this fund is a special HARD DISK we call
it HD120 GIG. I will buy two of it, recopy your information, destroy the
previous one, punch the computer to reflect in your bank within 24 banking
hours. I will clean up the tracer and destroy your file, after which I will run
away from Nigeria to meet with you. If you are interested.



Do get in touch with me immediately, You should send to me your convenient
tell/fax numbers for easy communications and also re confirm your banking
details, so that there won't be any mistake.
For phone conversation,please call me on +234-8052520211



February 9, 2015  6:12 PM

Beware Anthem phishing attempts

Ken Harthun
Cybercrime, cyberscams, Data breach, Phishing, Security

In the wake of the Anthem breach, which affected approximately 80 million customers, cyber-criminals are launching phishing attacks by faking notifications from the company. They look pretty convincing (see photo) and unfortunately, a lot of gullible people are liable to fall for the ruse.


Anthem Phishing Email (Photo/Anthem)

Cyber-criminals often use alarming news stories to develop phishing campaigns and profit from unwary users who fall for the scheme. In this case, the crooks provide a link that purports to enroll the recipient in a free year of credit monitoring. All that will happen, however, is that the victim’s credit card information will be stolen.

Anthem has put up a FAQ page to deal with the breach. On that page, Anthem says, “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind.” Note that they put no time limit on said monitoring and protection.

The company has also established a toll-free number, 1-877-263-7995, which currently delivers a recording warning of the phishing attempts and also of outbound call scams directed at current and former members. The recording warns, “These emails and calls are not from Anthem, and no notifications have been sent from Anthem since the initial notification on Feb. 4, 2015.” The recording further states that all notifications will be sent out in the coming weeks via snail mail.

My standard advice in these situations is always:

  • NEVER click on any links in emails.
  • NEVER reply to such emails or communicate in any way with the senders.
  • NEVER provide any information in any website that has popped open, whether or not you have clicked on a link in an email.
  • NEVER open email attachments.
  • NEVER give any caller who contacts you any personal information. Hang up and call the company directly.

The Federal Trade Commission has an excellent Consumer Information page on how to spot phishing scams.
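The FTC page tells a person what to look for; the same checks can be automated on the mail gateway. The following is an added example of mine, not code from the post, Anthem or the FTC. It pulls every link out of an HTML message body and flags the classic tells: a link whose visible text shows one site while the href goes to another, a host that borrows the brand name but is not on the company’s real domain, a bare IP address, and punycode hosts. The email body is constructed for the example (it is not the Anthem phish shown in the post’s photo), and the allowlist containing only anthem.com is an assumption; a production check would also use the Public Suffix List rather than the naive two-label registrable-domain rule used here.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Assumption for this example: the only domain a genuine notice should link to,
# and the brand word attackers are likely to borrow in lookalike hosts.
TRUSTED_DOMAINS: Set[str] = {"anthem.com"}
BRAND_WORDS: Set[str] = {"anthem"}

# Constructed phishing sample for this example (not the real Anthem phish).
# 203.0.113.9 is from the TEST-NET-3 documentation range.
SAMPLE_EMAIL_HTML = """
<p>Dear Member,</p>
<p>Because of the recent incident you are entitled to one year of free credit monitoring.
Enroll within 48 hours at
<a href="http://anthem-credit-monitoring.example.net/enroll?id=7731">https://www.anthem.com/enroll</a>.</p>
<p>Already enrolled? Manage your account at <a href="http://203.0.113.9/login">our portal</a>.</p>
<p>Questions are answered at <a href="https://www.anthem.com/faq">our FAQ page</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of the host. Real code should consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_links(html: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[Dict]:
    extractor = _LinkExtractor()
    extractor.feed(html)
    findings: List[Dict] = []
    for href, text in extractor.links:
        host = host_of(href)
        reasons: List[str] = []
        if not host:
            reasons.append("href has no host")
        else:
            if registrable(host) not in trusted:
                reasons.append("links outside the trusted domain")
                if any(brand in host for brand in BRAND_WORDS):
                    reasons.append("brand name used in a lookalike host")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                reasons.append("host is a bare IP address")
            if "xn--" in host:
                reasons.append("host uses punycode (possible homograph)")
            # Visible text that looks like a URL must point where it says it does.
            if text.lower().startswith(("http://", "https://", "www.")):
                shown = host_of(text if "://" in text else "http://" + text)
                if registrable(shown) != registrable(host):
                    reasons.append("visible URL differs from real target")
        findings.append({"href": href, "text": text, "host": host,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}  ({'; '.join(finding['reasons'])})")
```

Run on the constructed body, the enrollment link trips three checks at once (off-domain, brand lookalike, display mismatch), the portal link is a bare IP, and the genuine FAQ link passes. Treating any one of those reasons as grounds to quarantine the message catches this whole class of breach-themed lures.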

February 9, 2015  1:21 AM

10 Immutable Laws of Security Redux

Ken Harthun

Nearly six years ago, I posted “10 Immutable Laws of Security” on this blog. That post was based upon a Microsoft TechNet article, “10 Immutable Laws of Security,” and included my comments relative to the security universe at the time. I believe that this information is even more relevant than it was when originally posted, so I’m bringing it back with my comments relative to the security universe as it exists in 2015. We are our own enemies when it comes to security, and perhaps these laws can help some see the light.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

I work in a career college environment servicing the needs of students who, while having grown up in an era where technology is ubiquitous, are not conscious of its vulnerabilities and risks. They take it for granted. Some of them are in awe of it and consider it no less than practical magic. They have little or no understanding of what makes their devices tick. They think that every message on their screen is something they should act upon, so when drive-by malware warns them of “1080 viruses and errors” on their computer, they click the “Fix” button. Yeah, this fixes them all right; they’re now pwned. They trust the technology out of ignorance.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Physical security isn’t complicated. My Security Maxim #8 covers it admirably. I would also say that if a child or someone who doesn’t know better has access to your computer, it’s not yours anymore. I constantly fix problems caused by the children, the friend or the spouse.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.
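Law #4 is usually broken by a file-upload handler that trusts the client’s filename. Here is an added example of mine (not code from the post or from the TechNet article) showing the anti-pattern next to a hardened version: the unsafe function lets the uploader choose the name, the extension and, via `..`, the directory, which is exactly how a web shell ends up somewhere the server will execute it; the safe version keeps nothing from the client except a vetted extension, checks the content actually matches that type, and stores the file under a server-chosen random name in a directory that is neither served nor executable. The allowed-type table and the `quarantine` directory name are assumptions for the example.

```python
import posixpath
import secrets
from typing import Dict, Tuple

# Assumption for this example: the site only needs to accept these three types.
# The value is the magic-number prefix the content must start with.
ALLOWED_TYPES: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def unsafe_destination(upload_root: str, client_filename: str) -> str:
    """The Law #4 anti-pattern: the client chooses the name, the extension and, through
    '..', the directory. Returns where the file would actually land on disk."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def safe_destination(upload_root: str, client_filename: str, data: bytes) -> str:
    """Vet the extension, check the bytes match it, and pick our own random name under a
    non-served, non-executable directory. Raises ValueError on anything doubtful."""
    name = posixpath.basename(client_filename.replace("\\", "/"))  # drop any directory part
    if not name or name.startswith("."):
        raise ValueError("missing or hidden filename")
    if "." not in name:
        raise ValueError("no extension")
    ext = name.rsplit(".", 1)[1].lower()  # only the last extension counts
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError(f"content does not look like a .{ext} file")
    fresh = f"{secrets.token_hex(16)}.{ext}"  # attacker's name is never reused
    return posixpath.join(upload_root, "quarantine", fresh)


def check_upload(upload_root: str, client_filename: str, data: bytes) -> Tuple[str, str]:
    """Convenience wrapper: ('accepted', path) or ('rejected', reason)."""
    try:
        return "accepted", safe_destination(upload_root, client_filename, data)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    webshell = b"<?php system($_GET['c']); ?>"
    print("unsafe lands at:", unsafe_destination("/var/www/html/uploads", "../../cgi-bin/shell.php"))
    print(check_upload("/srv/uploads", "../../cgi-bin/shell.php", webshell))
    print(check_upload("/srv/uploads", "avatar.png", webshell))
    print(check_upload("/srv/uploads", "avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Note the two independent rejections in the hardened version: `shell.php` fails on extension, and a PHP payload renamed `avatar.png` fails on content. Even a real PNG is written under a name the uploader never sees, in a directory the web server does not execute from, so the attacker cannot request their file back as code.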

Law #5: Weak passwords trump strong security

I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. See Law #3, and heed my advice and make your passwords unguessable.

Law #6: A computer is only as secure as the administrator is trustworthy

If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants. If the accounts on the computer are administrator accounts, then anyone can install anything. See Law #3 above.

Law #7: Encrypted data is only as secure as the decryption key

Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Out-of-date anti-virus and anti-malware software of any kind won’t protect you against the inevitable new variants that come along. Keep it updated, automatically, if possible.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”

Law #10: Technology is not a panacea

Never has this been more true than in 2015. No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.

February 8, 2015  7:09 PM

How tight does your security really have to be?

Ken Harthun
Cyberattacks, Hackers, Security, Sony, Targeted Attacks

In the wake of the cyber-attacks that have occurred over the past year, we have all been more concerned than usual about our organizations’ network security. Questions such as “Is my security software up to date?”, “Am I current on firmware updates in my router and firewall?” and “Am I doing all I can to detect and/or prevent an attack?” tend to keep us a bit edgy. Certainly, we all do our best, but there is always that nagging concern about our best being good enough. How tight does our security really have to be? Perhaps taking a closer look at the hacking universe in general might help to allay some of those fears.

The January issue of Bruce Schneier’s Crypto-Gram features an essay, “Lessons from the Sony Hack,” that breaks down the types of hackers and their hacking methods into a few easy-to-understand categories. Essentially, there are two types of hacks: opportunistic and targeted. An opportunistic attack is one where the attackers don’t really care who they hit; they’re just looking for large databases of information that could be valuable. The vast majority of attacks fall under this category. Schneier cites the Home Depot attack as opportunistic. A targeted attack is one where the attackers are going after a specific victim; Sony, for example. To further divide things, he talks about the skill and focus of the hackers.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet. [Opportunistic]

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so. [Opportunistic]

But even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame… [Targeted]

This represents a sort of scale of probability of you or your organization becoming a target: you are most likely to experience a low-skill, low-focus attack and least likely to experience a high-skill, high-focus attack.

My take on it is simply that if you are timely in keeping your software patched against known vulnerabilities, your critical networking equipment updated with the latest firmware, proactively staying informed about the latest threats, and actively promoting security awareness in your organization, then you’re about as safe as you can hope to be. I don’t think that any of us can afford, either financially or mentally, to try to keep ourselves completely safe from the high-skill, high-focus attacker. I’ll leave you with this:

Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.

. . .

Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

January 31, 2015  10:30 PM

A roundup of two-factor authentication posts (and a good video)

Ken Harthun
Authentication, Password management, Security, Security tokens, Two factor authentication, Video

It’s a new year and with that comes New Year’s Resolutions. Whether or not you have made any resolutions to be more secure in 2015, it won’t hurt to make or re-affirm one now. One of the best steps you can take is to implement two-factor authentication (2FA) everywhere you can. To help you out with that, here is a roundup of my past posts on the subject along with a good, simple video that not only explains what 2FA is, but how to set up your Google account to use it.

Yubico delivers secure two-factor authentication for Gmail and Google Apps

How to protect your password manager?

Ten New Year security resolutions

Twitter now has two-factor authentication

Two factor authentication becoming a necessity

Who supports 2FA (two-factor authentication)?
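The codes a Google Authenticator-style app produces are not magic, and seeing the algorithm makes clear what the second factor does and does not protect. The following is an added example of mine (not code from any of the posts above, from Google or from Yubico): a complete RFC 4226 HOTP / RFC 6238 TOTP implementation in standard-library Python, with the verifier side handling clock skew, constant-time comparison and replay of an already-used code. The base32 helper matches the secret format authenticator apps exchange; the test key in `__main__` is the one published in the RFCs, not a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (30-second steps by default)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None, window: int = 1,
                step: int = 30, digits: int = 6, last_counter: int = -1) -> Optional[int]:
    """Server side. Accept the code for the current step or up to `window` steps either
    side to tolerate clock skew. Returns the matching counter, which the caller must store
    and pass back as `last_counter` so an intercepted code cannot be replayed; None rejects."""
    if not (code.isdigit() and len(code) == digits):
        return None
    if for_time is None:
        for_time = time.time()
    now = int(for_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:  # already used (or older): refuse replay
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps show the shared secret as base32, often unpadded and spaced."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key, not a real secret
    print("HOTP counter 0:", hotp(rfc_key, 0))
    print("TOTP at T=59 :", totp(rfc_key, 59), totp(rfc_key, 59, digits=8))
    print("live code now :", totp(secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")))
    print("verify, then replay:", verify_totp(rfc_key, "287082", for_time=59),
          verify_totp(rfc_key, "287082", for_time=59, last_counter=1))
```

Two practical points fall out of the code. The secret is a shared key, so a phished or exported copy of it yields every future code, which is why TOTP stops password reuse and credential-stuffing but not a real-time phishing proxy. And the skew window is the trade-off knob: each extra step doubles the number of valid codes at any instant, so keep it at one and track the last accepted counter.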

January 31, 2015  9:48 PM

What was that password?

Ken Harthun
Access Passwords, Administrator password, Password management, Security

I read with interest Jeff Cutler’s column The Lesson of the Bike Lock and Security Methodology. Great analogy, and I find this quite fitting: “The lesson today is not to have a lock you can’t use.” He’s referring to a combination lock with the combination known only to his father, who had passed away: “Bike lock inaccessible. Useless. And no known plan to revive access,” he says. Who in IT hasn’t been confronted with taking over the post of a predecessor who failed to document (intentionally or otherwise) the password for a critical network device? In this case, it’s not quite as bad, because there is often a procedure, albeit an arduous one, to reset the password and revive access. Still, it involves system downtime.

And that’s where today’s security lesson comes in. As much as we harp on folks to secure their data, computers, systems, personal effects and facilities, we haven’t offered much of a solution for recalling or securing the keys to the locks that keep your stuff…and your organization’s stuff…safe.

It’s not that solutions don’t exist; rather, I think it’s because we don’t take the time to properly implement them and educate people on how to use them.

What’s the best method for remembering a password? Do you just keep IT on speed-dial? Do you write it on a sticky not [sic] and put it under your keyboard? Don’t tell Ken that’s your plan…his eyeballs would pop out of his head!

Indeed! More likely that my head would completely explode, Jeff. These days, there are many ways passwords can be safely stored and passed along to successors without relying on sticky notes. I’ve advised estate planners and attorneys on simple methods for accomplishing this and I’ve written two posts, How will you pass on your passwords when you pass away? Part 1, and Part 2 that discuss this issue. Those posts don’t address procedures for an organization, so let me describe something that works quite well and isn’t complicated.

In my organization, there are four network administrators and a corporate office spread across three states. Any one of the net admins could be called upon to help out at another location or the corporate office in the regular guy’s absence, so having access to the passwords is vital. Here’s what we came up with:

  1. Each net admin created a password-protected spreadsheet containing all login information for every relevant device and service account for their location.
  2. Each campus president and office manager was given a copy of the spreadsheet and the document password for their location.
  3. Copies of all of the spreadsheets are in the custody of our IT manager at the corporate office.
  4. These spreadsheets are routinely updated as passwords are changed and old versions are retained.
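Whatever holds the credential list, there is always one more secret behind it: the password that opens the spreadsheet, vault or archive. Hand that to one person and you have recreated the bike lock; hand full copies to five people and you have five ways to lose everything. A threshold scheme removes the single point of failure without that. The following is an added example of mine, not the organization’s procedure above: Shamir secret sharing over a prime field, splitting a master password into five shares (say, four net admins and the IT manager) such that any three together recover it and any two together learn nothing. The share format and the 64-byte size limit are choices made for this example.

```python
import secrets
from typing import List, Tuple

# 2^521 - 1 is prime (a Mersenne prime), so arithmetic mod PRIME is a field and any
# subset below the threshold is information-theoretically independent of the secret.
# Secrets of up to 64 bytes fit in one field element (assumption for this example).
PRIME = 2 ** 521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Shamir split: the secret is the constant term of a random polynomial of degree
    threshold-1; each share is one point (x, f(x)) with x = 1..shares."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too long for one field element")
    # A 0x01 sentinel byte keeps leading zero bytes of the secret from being lost.
    value = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> bytes:
    """Lagrange interpolation at x = 0. Given fewer than `threshold` distinct shares the
    result is some other field element, not the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # strip the sentinel


def share_to_str(share: Tuple[int, int]) -> str:
    """Printable form to hand to a custodian: '<index>-<hex>'."""
    x, y = share
    return f"{x}-{y:x}"


def share_from_str(text: str) -> Tuple[int, int]:
    x, y = text.split("-", 1)
    return int(x), int(y, 16)


if __name__ == "__main__":
    master = b"credential-sheet master: correct horse battery staple"  # example value
    custodians = ["admin-campus-a", "admin-campus-b", "admin-campus-c", "admin-campus-d", "it-manager"]
    pieces = split_secret(master, threshold=3, shares=len(custodians))
    for who, piece in zip(custodians, pieces):
        print(f"{who:15} {share_to_str(piece)[:40]}...")
    print("any three recover:", recover_secret(pieces[1:4]) == master)
    print("two alone do not :", recover_secret(pieces[:2]) == master)
```

Each custodian gets one printed share in a sealed envelope; the master password itself is written down nowhere. Rotating the master password means re-splitting and redistributing, and a departed admin’s share is useless on its own, which is the property the spreadsheet-copies approach cannot give you.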

How does your organization manage passwords?

January 31, 2015  4:24 PM

Email: The gateway to your online kingdom

Ken Harthun
cybercriminals, Email account, Email Address, Hackers, Security

Everybody has one and probably everybody takes it for granted: the email account. Until I read this blog post by Brian Krebs, I didn’t assign much importance to my email other than it being a convenient and fast means of communication. I’m sure that’s how most people see it. In truth, your email account is the center of your online universe and the gateway to your online kingdom; the password is the key. If a hacker gets hold of your account, he can gain access to everything that email is tied to: online services, merchant accounts, your blog, your website (if you have one), your photos, Facebook, Twitter, Skype, iTunes, the list goes on and on. If you use cloud services like Dropbox, Microsoft OneDrive, Google Drive and the like, he’ll have access to all of that, too.

Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts –merely by requesting a password reset email.

A hacker using your email account can attempt to impersonate you to your bank and other financial institutions using information gained by reading your emails. (Yes, a smart hacker would gain all the information he could from your email conversations first. The more information, the easier to impersonate you online.)

Has this got you thinking yet? With all of the talk about strong passwords and two-factor authentication, do you think that it’s time you applied this to your email account(s)? The major webmail providers, Hotmail/Live.com among them, now offer multi-step authentication that users can and should use to further secure their accounts. Dropbox, Facebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.

It goes without saying that you should never, ever use your email account password for anything else.

So, while you’re thinking about it, come up with some good, strong passwords for your email accounts and set up the multi-step authentication on those accounts that offer it.

Don’t lose the keys to your kingdom.

January 30, 2015  11:12 AM

Security and Super Bowl XLIX

Jeff Cutler
C-suite, CTO, football, Hack, IT, Log management, provisioning, Security

Here comes the 2015 Super Bowl. It’s Sunday (a couple days from now) and the New England Patriots will be playing the Seattle Seahawks to decide the championship of the NFL. What’s that have to do with security? Everything!

If we look at both these football teams, they are predicated on good security across the board. In the Seahawks’ case, their security is defensive. The entire team runs around the field with an energy similar to that emerging from a killer beehive. They chase the opposing quarterback, they smash running backs and receivers. They use their special powers to create fumbles and interceptions, knock players to the ground like a boxer does to his or her opponents, and often win games.


On the other side of the ball is the Patriots’ offense. Their security is based solely on protecting their golden-boy quarterback. The New England offensive line endeavors to give Tom Brady enough time to find open receivers, dump the ball off to his running backs and tight ends, and sometimes even run the ball himself.

It’s going to be quite a match this Sunday, but the takeaway lesson here is building your business so it has a strong offense and defense as well. In four points, we’ll look at that process.

First, your organization must be proactive (offensive) in thinking about what data it needs to secure and what systems and facilities are most valuable. By identifying these up-front, an effective protection plan can be put in place (that’s step three).

Step two is communicating your plan to your team and vetting your personnel. This includes provisioning employees, deciding who has access to what systems, and implementing security protocols in case of a disaster, loss, breach or other security event. Further, you need to get IT and the C-suite on the same page; it’s a teamwork thing, and not solely in the NFL. It affects EVERY organization.


You’re all working from the same playbook, so you educate everyone about their particular role and responsibility when it comes to keeping the business and its property safe.

Step three is the protection plan. This is your Seattle defense step. You need to be vigilant in log management and evaluating possible weak points in your systems. To do this correctly, you should focus on scenarios that might occur in house or from outside agencies. Also take a little time to educate yourself and your whole team about what’s happening to your less-prepared competitors. Are they the Targets and the Home Depots? You can learn from their mistakes.

The fourth and final step is response. In the same way Seattle will try (and probably succeed) to intercept Patriots passes, you need to respond quickly and decisively to events. Ensure that a breach of your technology or physical plant is identified and closed quickly. Get your players trained in how to respond, who to look to for guidance and when to rein in your perimeter and tighten your defenses.

I’m hoping for an eventful football game this Sunday. I’m also hoping your business processes are less eventful and more successful now that you know a bit more about how to secure your playing field.

January 29, 2015  4:13 PM

The Lesson of the Bike Lock and Security Methodology

Jeff Cutler
Access, Data, IT, Security

We had a storm in Boston. A blizzard, really. While it wasn’t ridiculously devastating, it did knock out some power, brought production and travel to a standstill, and cost a bit of money to recover from. I tell you this so I can tell you about a problem I had with a bike lock.

You see, I wasn’t in Boston for the blizzard. Anyone with any sense at all hopped on a plane before the storm and got out of town. Who wants to be snowed in and dealing with 11-degree temperatures if they can be on the beach in Florida? That’s right, nobody. So I flew to Florida for a few days.


Interestingly, the storm also knocked out computers at airlines and overwhelmed some systems so data wasn’t accessible and flights weren’t scheduled…but that’s a topic for another column. Today, let’s talk about bike locks.

On the island of Sanibel, FL, the primary mode of transportation SHOULD be bicycles. There are bike paths the length of the island, and experiments conducted by my wife and me have proven that biking around is quicker than driving a car.

Every store, restaurant and public building has bike racks nearby and there is plenty of educational literature on how folks are to access and use the bike paths. Some of the bike-path instructions even suggest you not text and ride while on your bike.

But nowhere does it suggest that you use a bike lock to secure your bike. It’s a strange concept for someone who grew up in a major city where bikes and bike theft were an industry. In fact, Kryptonite Lock is based in Massachusetts – mostly because they wanted to create a solution for the bike theft issue.


Regardless, I wanted to lock my bike and actually located a lock in the garage at my parents’ house. Coincidentally it was a Kryptonite-brand lock and looked to be in pretty good shape. But I didn’t have the combination.

And that’s where today’s security lesson comes in. As much as we harp on folks to secure their data, computers, systems, personal effects and facilities, we haven’t offered much of a solution for recalling or securing the keys to the locks that keep your stuff…and your organization’s stuff…safe.

What’s the best method for remembering a password? Do you just keep IT on speed-dial? Do you write it on a sticky note and put it under your keyboard? Don’t tell Ken that’s your plan…his eyeballs would pop out of his head!

In the case of my found bike lock, the combination was known to only my father. But he passed away a few years ago. Bike lock inaccessible. Useless. And no known plan to revive access.

In our business, this happens less frequently than you might think because there are certain checks and balances in place. There are also systems’ back doors where IT can get in even if an employee or malicious agent damages the front end or changes passwords and admin access.

The lesson today is not to have a lock you can’t use. Find out how well your data and facilities are protected. Then ensure there are friendly agents in place who can provide access should your normal means get usurped. Ultimately, the use and access to your data is worth the time it might take to implement additional authentication steps.

Have you ever lost data because you secured it too well? Let me know in the comments!
