Security Corner


May 25, 2010  7:23 PM

Is Your Mechanic a Hacker?

Ken Harthun

Do you trust your mechanic? If you have any doubts, you had better find one you can trust, because your safety – maybe even your life – is in his hands. A recently completed study by researchers in the Departments of Computer Science and Engineering at the University of Washington and the University of California San Diego, entitled “Experimental Security Analysis of a Modern Automobile,” reveals alarming vulnerabilities.

Someone—such as a mechanic, a valet, a person who rents a car, an ex-friend, a disgruntled family member, or the car owner—can, with even momentary access to the vehicle, insert a malicious component into a car’s internal network via the ubiquitous OBD-II port (typically under the dash). . . . A similar entry point is presented by counterfeit or malicious components entering the vehicle parts supply chain—either before the vehicle is sent to the dealer, or with a car owner’s purchase of an aftermarket third-party component (such as a counterfeit FM radio). . . . In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical.

Feeling a bit uneasy now? I was, too. I was quite disturbed by the time I finished reading what the researchers were able to do to the car. See the illustration above? Not only were they able to display an arbitrary message, but also a false speedometer reading (note that the car is in park). They had full control of the instrument panel cluster. They were also able to completely control – and disable user control of – the radio, display arbitrary messages, and produce various sounds. The really scary stuff involves the ability to completely disable the brakes and power steering, disrupt engine timing, kill the engine, and lock the doors and windows.

Theoretically, someone could pull off a perfect murder with the right malware. Enter the dangerous new world of murder-by-software.

We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit [think OnStar] and that will completely erase any evidence of its presence after a crash. . . . Combining our control over various BCM components, we created a “Self-Destruct” demo in which a 60-second count-down is displayed on the Driver Information Center (the dash), accompanied by clicks at an increasing rate and horn honks in the last few seconds. In our demo, this sequence culminated with killing the engine and activating the door lock relay (preventing the occupant from using the electronic door unlock button).

What if the sequence culminated in locking the brakes on the two wheels on the driver’s side of the car?

Scary stuff.

May 25, 2010  12:14 PM

Software for Secure Computing: Mozilla Plugin Check

Ken Harthun

As you know, I advocate keeping everything up to date on your PC, not just the OS. Applications, accessories and browser plugins are all subject to security vulnerabilities. Mozilla’s Plugin Check makes it easy to see if your browser plugins are up to date.

The beauty of this site is that it works with all popular browsers as noted by Steve Gibson of Security Now!:

The big news is they’ve decided to expand this service beyond Firefox, which is so cool. They’re now offering it for not only Firefox, but Safari, Chrome, Opera, and IE.

Just do it!


May 25, 2010  12:14 AM

Uninstall Adobe Shockwave

Ken Harthun

Adobe’s Shockwave (this is NOT Flash – Flash is sometimes labeled “Shockwave Flash”) has a bucket full of vulnerabilities (11 in all). It’s not a widely used platform and I recommend you uninstall it immediately. It will be labeled simply as “Shockwave” or “Shockwave Player” and will have a version number of 11.x.x.xxx. Shockwave Flash is at version 10.x. (See image.) In this @RISK: The Consensus Security Vulnerability Alert Volume: IX, Issue: 20, May 13, 2010 article, SANS outlines the vulnerabilities:

The first issue is caused by a boundary error while processing Shockwave 3D block. The second issue is a memory corruption vulnerability caused by a signedness error while processing malicious Shockwave files. The third issue is a memory corruption vulnerability caused by an array indexing error while processing malicious Shockwave files.

. . .

The eleventh issue is caused by a signedness error while processing Director files. There are some more unspecified errors which can be exploited to cause memory corruption.

Unless you have a specific use for this plugin, just get rid of it. I found I don’t even have it, so it’s not really an issue for website functionality.


May 22, 2010  1:00 AM

Google Releases SSL Search

Ken Harthun

Google just released SSL Search to beta. Earlier today, it was being selectively rolled out and wasn’t available to everyone. It appears to be more widely available now; at least, it works for me. With end-to-end SSL encryption, your searches are now completely private. Here’s what Google has to say in their Help article:

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

To use the new feature, you have to explicitly enter https://www.google.com each time you want to perform a secure search. Google Images and Google Maps are not available over SSL yet. Also note that due to SSL overhead, you may notice that such searches are not as fast as regular searches. Google has created a new search logo (see below) to let you know when you’re using the new feature, but it’s good practice to make sure you see the lock icon in your browser and https:// in the address bar.

Google plans to make SSL the default but they first want to see how it affects users’ search experience and gather feedback. Hence the beta designation. Yahoo and Bing haven’t implemented encryption in their engines.


May 17, 2010  2:06 AM

Should You Be Held Liable for Illegal Activity on Your Unsecured WiFi?

Ken Harthun

There’s currently no law in the U.S. that holds the owner of an unsecured access point liable for illegal activity on it. In Germany, however, people are now subject to a fine of 100 Euros ($130 US) if someone uses their network to download content illegally. See “German WiFi Owners Are Now Liable for What Third Party Users Download While Connected to Their Network.”

According to the article, experts in the UK don’t see such a ruling as affecting them anytime soon.

Asked whether a law such as this could ever transfer to the UK, Stuart Okin, managing director of Comsec Consulting, said: “I don’t ever see that coming over here as I don’t see how it could be policed in the UK.

“In Germany there is a different culture, and when rules come into play they are obeyed without question. In the UK I am not saying that no one will do it, but it is not advisable and realistic to work.”

That may very well be, but I call it a wrong target. The real culprit is the illegal downloader whose intent is clearly to hide his actions by stealing someone’s network identity – a crime in itself. Any time you assign illegal activity the wrong source, you end up with a legal quagmire that is certain to take years to sort out in the courts.

Moreover, I don’t think you can force an individual (not in this country at least) to learn a technology in order to use it. After all, one doesn’t have to learn the technology of the internal combustion engine in order to mow the lawn, one just has to know how to start the engine. Furthermore, we assume that the manufacturer has taken the necessary steps to make the device function properly and safely and if it doesn’t, the manufacturer is liable in most cases.

SANS News Bites Editor Stephen Northcutt extends this idea to the access point, “We all need to keep our eyes open, because if the access point itself has vulnerabilities that lead to filesharing then who is to blame. …if you meet the letter of the law, and “protect” your network and someone computes the WPA key and downloads files over your network, who gets sued and why?”

I won’t say it can’t happen here; that would be naive beyond belief. I will say that it’s a very bad idea to try to force people into securing their access points. It would be much more workable if the manufacturers opted to make their equipment secure by default.

What do you think?


May 15, 2010  1:19 AM

“Report Has Changed” Spam is Not Malicious

Ken Harthun

Got this message in my Hotmail account the other day and decided to investigate a bit to see what was up. These things are usually either links to malware-infested sites or volume spam designed to create lots of clicks to CPA (Cost Per Action) offers, i.e., click fraud. And it turns out that’s just what this is.

ken's Report Has Changed‏
bouyahiaoui rabie (b_rabie@hotmail.com)Wed 5/12/10 2:53 AM
To:kenharthun@hotmail.com
Hello ken, your report that has changed on May 12th
is ready for  viewing.
www.creditreport.com/344344/ken's-report.html

That link is actually

http://bit.ly/cIhmwF

and the expanded version points to:

http://track.dankcash.com/aff_c?offer_id=24&aff_id=268&source=hnov6.

I fired my browser up in a sandbox and visited the site. It goes to CreditReport.com. Clearly click fraud, but not malicious. I suggest we all just boycott the site. For sure, don’t subscribe to their service until you report the illegal spam activity.

What do you think?


May 13, 2010  2:20 AM

Secure Computing: Password Card is a Winner

Ken Harthun

Thanks to “A password reminder to carry with you” on the IT Trenches blog for letting me know about this great little tool. This thing is a real winner for all those XP forgotten-password issues. Now, when you get those calls like “I forgot my password for my ____,” you can give them something that allows them to write down password clues that are secure and also easily remembered.

You visit http://passwordcard.org and it generates a unique credit-card-sized matrix like the one in the picture at left. Just pick a symbol, a color and a number of characters and you have a secure password. You have the option of creating a numbers-only area as well as including symbols in the mix, depending on the type of passwords or PINs you require. The default is upper/lowercase letters and numbers. If you lose your card you can get a duplicate by going to the site and entering the number that appears on the bottom of the card, so you might want to write that down and keep it in a safe place just in case.

There are several ways you can use the password card. The simplest way is to pick a symbol, a color and a sequence of characters from left to right as in the illustration. You would remember this, or write it down, as “spade green 8.” But notice that there are eight rows under each symbol. You could choose the column under the diamond symbol and use the password JwdC4aGt. You’d write that down as “diamond down.” Reverse the order, and you might write it down as “diamond up.” In this case, the password would be tGa4CdwJ.

Want to get really fancy? You can if you want. How about four symbols, four colors, two characters from each? The possibilities are endless.
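To show how a card like this can be regenerated from its number and then read with the recipes above (“spade green 8,” “diamond down,” “diamond up”), here is an added example; it is not passwordcard.org’s code. It assumes a constructed 8-column, 8-row card, a 32-bit card number (the real card number is longer), a simple non-cryptographic PRNG standing in for whatever the site uses, and that row reading wraps at the right edge.

```javascript
// Added example, not passwordcard.org's code. Constructed card layout:
// columns are symbols, rows are colours, one character per cell.
const SYMBOLS = ["spade", "heart", "diamond", "club", "star", "moon", "sun", "bell"];
const COLORS = ["white", "green", "red", "blue", "yellow", "purple", "gray", "orange"];
// Upper/lowercase letters and digits, minus confusable glyphs (0/O, 1/l/I).
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

// Deterministic 32-bit generator (splitmix32): same card number, same card.
// Assumption: a stand-in for the site's generator; the card number is the
// only secret, which is why the page says to keep it in a safe place.
function splitmix32(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x9e3779b9) >>> 0;
    let z = s;
    z = Math.imul(z ^ (z >>> 16), 0x21f0aaad);
    z = Math.imul(z ^ (z >>> 15), 0x735a2d97);
    return (z ^ (z >>> 15)) >>> 0;
  };
}

// Regenerate the whole grid from the card number.
function makeCard(cardNumber) {
  const next = splitmix32(cardNumber);
  const grid = COLORS.map(() =>
    SYMBOLS.map(() => ALPHABET[next() % ALPHABET.length]));
  return { number: cardNumber, grid };
}

function indexOrThrow(list, name) {
  const i = list.indexOf(name);
  if (i < 0) throw new Error("unknown symbol or colour: " + name);
  return i;
}

// "spade green 8": start under the symbol, on the colour's row, and read
// `length` characters left to right (assumption: wrap at the right edge).
function readRow(card, symbol, color, length) {
  const row = card.grid[indexOrThrow(COLORS, color)];
  const start = indexOrThrow(SYMBOLS, symbol);
  let out = "";
  for (let i = 0; i < length; i++) out += row[(start + i) % row.length];
  return out;
}

// "diamond down" / "diamond up": the whole column under a symbol, read top
// to bottom or bottom to top.
function readColumn(card, symbol, direction) {
  const col = indexOrThrow(SYMBOLS, symbol);
  const chars = card.grid.map((row) => row[col]);
  if (direction === "up") chars.reverse();
  return chars.join("");
}
```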

Visit IT Trenches and tell me what you think about this tool.


May 12, 2010  1:22 AM

Why Bother Giving Password Advice?

Ken Harthun

I’m miffed. I went to visit one of my clients yesterday – one that I’ve carefully educated in password selection and security – and saw a sticky note on the wall with all his passwords written down on it. I asked him why. He just went on and told me that it was just too much trouble to think about mnemonics, password encoding systems, etc. I said that at least he could put that sticky note on the bottom of his keyboard where it was less obvious. He said it didn’t matter; whoever wanted his passwords would find them there anyway.

I won’t tell you this client’s profession; if I did, you’d be shocked. Let’s just say that a member of the cleaning crew could use information obtained through illegal use of my client’s passwords to do some real damage. And don’t think that a determined hacker would find it beneath him- or herself to take a job as a custodian if there was profit in the offing.

Why bother? Well, here’s the thing: I have all of my advice in writing in the form of emails with training materials attached to them. If my client ever gets hacked, I’m not liable for the consequences of any breach. I told them so. If they chose to ignore my advice, so be it. I did my job.

But I’m still miffed; I thought my opinion was valued.

What would you think?


May 8, 2010  4:52 PM

Microsoft Security – No Longer an Oxymoron

Ken Harthun

Source: Microsoft

I have never been an apologist for Microsoft’s security policies and practices; indeed, I’ve often criticized the firm and accused them of a laissez-faire attitude towards their development teams. I have to admit that they’ve been making some headway in the direction of basic security over the years, but I’ve wondered if they would ever get it right. Recently, I’ve had a love-hate relationship with Microsoft Security Essentials (see “Microsoft Security Essentials is a Game Changer” and “Microsoft’s Security Essentials Causes Performance Problems”), their most recent attempt at complete security protection for Windows™. I’m going back to the love relationship. My reason? The combination of Windows 7 security enhancements, IE8 and Microsoft Security Essentials is very secure; it looks like Microsoft has finally done it right.

I migrated my laptop to that combination in mid-March. I have enjoyed nearly two months of secure computing with no performance issues, no security issues, and freedom from having to worry about which third-party security solution I should implement. I still use Thunderbird for email and Firefox as my main browser, but that’s no longer because I’m concerned about using IE; IE8’s default settings have proven to be more than sufficient.

I’m not the only one who’s noticed. Fred Langa of Windows Secrets Newsletter recently ran a 120-day test of his own under some pretty tough conditions. You’ll want to read that article, of course, especially if you’re an advanced Windows user, but Fred’s results are worth mentioning:

Four months in, and no malware has infected my Win7 systems. I’ve experienced no malware-like misbehavior on my machines, and to the best of my knowledge, my systems remain clean and unhacked.

So I’m comfortable saying that the combination of the Win7 firewall, Microsoft Security Essentials, and fully current browsers and e-mail clients is proving to be a wholly acceptable security solution for routine use.

However, I’m not ready to recommend this combination to advanced users — especially those with demanding needs or who require the ability to easily customize their setup.

What’s your opinion? Leave me a comment.


May 7, 2010  2:03 AM

Software for Secure Computing: Hivelogic’s Enkoder Form

Ken Harthun

Spam email is the primary distribution channel for malicious content, so it behooves us to do everything possible to prevent our email addresses from being harvested by web-crawling robots. Posting your email address on any public-facing web page is almost sure to get you on spammers’ lists, yet most webmasters do just that. What’s one to do? There has to be some secure way to allow visitors to contact you, right?

Enter Hivelogic’s Enkoder Form, a tool that encodes your email address and converts the result into a self-evaluating JavaScript. The browser is able to properly display the address, but email-harvesting robots will find nothing they can use. I tried it out with “foo@fooey.com” just to see what would happen. Here’s what I got:

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")41,\\\"MEOZPO120\\\\@RLt\\\\600\\\\J500\\\\100\\\\600\\" +
"\\310\\\\ ZA>r\\\\t\\\\>38|5;y=:v1:6!q?;n&/\\\"\\\\&n\\\\j330\\\\{ (7+5`530" +
"\\\\bPSX420\\\\@]XYSt\\\\\\\\]Wn\\\\@ZAEJG310\\\\t230\\\\@@VK200\\\\@430\\\\"+
"=6sp~npj`8azv771\\\\ds`j\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmo" +
"rf.gnirtS=+o;721=%y;2=*y))y+41(>i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o" +
",i rav{)y,x(f noitcnuf\")"                                                   ;
while(x=eval(x));
//-->
//]]>
</script>

To see it in action, check out http://kenharthun.com/test.html. You can see that it works perfectly.

There are two forms on the site: The Basic Form and The Advanced Form. The Advanced Form can be used to encode anything you want: web pages, plain text, etc. I encoded this paragraph with it and got this result:

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){if(i<2)y++;y%=127;o+=String.fromCharCode(x" +
".charCodeAt(i)^(y++));}return o;}f(\\\"\\\\gjereld\\\\\\\\177\\\\\\\\\\\"\\" +
"\\z|fdt~}<7B\\\\\\\\177}k\\\\\\\\177;}o{?TVM\\\\\\\03BJTJ[\\\\\\\\tEE\\\\" +
"\\\14YFJ\\\\\\\20B[GQ\\\\\\\31\\\\\\\26cP\\\\\\\\\\\\\\\\\\\\\\\3" +
"2y]NW\\\\\\\\\\\\\\\\`\\\\\\\07-1)e'),i\\\\\\\36#)m\\\\\\\17+&0<011v\\"+
"\\\\\217+7u|\\\\\\\\t6:@ \\\\\\\06\\\\\\\25\\\\\\\05\\\\\\\13\\\\" +
"\\\05\\\\\\\02\\\\\\\14I,\\\\\\\04\\\\\\\36\\\\\\\00N\\\\\\\1" +
"4\\\\\\\21\\\\\\\37R\\\\\\\21\\\\\\\21U\\\\\\\03\\\\\\\04\\\\\\" +
"\35\\\\\\\35Z\\\\\\\17\\\\\\\23]\\\\\\\33nbmga%giq}bbbj.v\\\\\\\\" +
"177d2du{b98P:~r~q{EE\\\\\\\02WLLU\\\\\\\07XHXJK_O_X\\\\\\\21EZ@]\\\\\\"+
"\26^L\\\\\\\31[UX\\\\\\\35YP4a6+-6f5-:?'8wlfkai\\\"\\\\,2)\\\"(f};)lo" +
",0(rtsbus.o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+" +
"x{yrt{)67=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f " +
"noitcnuf\")"                                                                 ;
while(x=eval(x));
//-->
//]]>
</script>

Again, to see it in action, check out http://kenharthun.com/test2.html.
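The two outputs above have the same shape: an inner stage that unmasks the payload with a rolling-key XOR (the “f(x,y)” function), an outer stage that reverses the text (the “f(x)” function), and a `while(x=eval(x));` loop that keeps evaluating each stage’s result until document.write returns undefined. The following is an added reconstruction of that pattern, not Hivelogic’s code; it uses JSON.stringify for the string literals where Enkoder uses octal escapes, and the key 17 and the address are constructed sample values. It also shows the limit the developer’s note below alludes to: a harvester that merely greps the HTML finds nothing, but any client that runs the JavaScript recovers the address.

```javascript
// Added example, not Hivelogic's code: a minimal Enkoder-style pipeline.
// Inner stage: rolling-key XOR. Symmetric, so the same routine masks and
// unmasks the text with the same key schedule.
function rollingXor(s, key) {
  let y = key, out = "";
  for (let i = 0; i < s.length; i++) {
    y %= 127;
    out += String.fromCharCode(s.charCodeAt(i) ^ (y++));
  }
  return out;
}

// Outer stage: plain string reversal.
function reverse(s) { return s.split("").reverse().join(""); }

// The decoders are shipped as source text; evaluating each one yields the
// source text of the next stage, which is why `while(x=eval(x));` works.
const XOR_STAGE = "(function(x,y){var o='',i;for(i=0;i<x.length;i++){y%=127;" +
  "o+=String.fromCharCode(x.charCodeAt(i)^(y++));}return o;})";
const REV_STAGE = "(function(x){return x.split('').reverse().join('');})";

// Build the self-evaluating script for one address (constructed key 17 in
// the test; Enkoder picks its own).
function enkode(address, key) {
  const link = `document.write('<a href="mailto:${address}">${address}</a>')`;
  const inner = XOR_STAGE + "(" + JSON.stringify(rollingXor(link, key)) +
    "," + key + ")";
  const outer = REV_STAGE + "(" + JSON.stringify(reverse(inner)) + ")";
  return "var x=" + JSON.stringify(outer) + ";\nwhile(x=eval(x));";
}

// A grep-style harvester: does the address appear verbatim in the markup?
function addressVisible(script, address) {
  return script.includes(address);
}

// A JavaScript-capable client (a browser, or a harvester driving a headless
// browser) simply runs the script; a stub `document` captures the output.
// The loop stops when document.write returns undefined.
function runScript(script) {
  const doc = { written: "", write(s) { this.written += s; } };
  return new Function("document", script + "\nreturn document.written;")(doc);
}
```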

This isn’t the perfect tool by any means. Bear in mind what the developer has to say:

This tool is only useful for protecting an email address on a web page you’ve designed in HTML. It probably cannot be used when sending email, when posting your address into a web form, or when adding comments to a forum.

Enkoder isn’t the only tool out there by any means, but it’s quick and convenient, and you only need to do it one time for each email address you want to use on your websites.

Besides, anyone calling themselves “Secret Space Agency” gets my patronage any day.

