Security Corner


May 30, 2010  5:03 PM

Security Video of the Month: DadLabs

Ken Harthun

Here is a humorous video featuring Daddy Brad and Daddy Clay from DadLabs.com. But the message is serious, even if couched in humor. Enjoy!

Is your family prepared for disasters like floods, hurricanes, and tornados? In this episode of The Lab, Daddy Clay and Daddy Brad tackle the topic of disaster preparedness. To do this, they compare survival kits.

Download “Is Your Family Prepared for Disaster?”

May 30, 2010  4:49 PM

Hacking Skills Challenge – Level 11


It’s time again to delve into our Hacking Skills Challenge. Our last challenge, level 10 at HackThisSite.org, was three months ago. They say these are supposed to get increasingly difficult as we climb the ladder, but the last one was fairly easy, although it required a Firefox plugin to accomplish the hack. Level 11 is considerably more difficult and requires a bit of thinking outside the box. Here’s the challenge:

Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.

One of the biggest problems people who don’t understand Apache run into is that they end up allowing their directories to be listed. We need to keep that in mind. You’ll see why in a minute.

When you click on the challenge, you’re taken to a page that has a sentence similar to: I love my music! “I Need You to Turn To” is the best! Not much of a clue there, it seems, and where’s the password prompt? And what page are we looking at? Viewing the source produced this:

I love my music!
"Someone Saved My Life Tonight" is the best!

<!--We even have our own collection - if you could find it!-->

Nothing was listed for the actual page being viewed, which made me think it was straight HTML. So, I tried ../index.php and voila! Got a password prompt. Progress, but a few tries at guessing the password were futile. On a whim, I went back to the original URL, http://www.hackthissite.org/missions/basic/11/, and found that the song name had changed. This time I got:

I love my music!
"Honky Cat" is the best!

<!--We even have our own collection - if you could find it!-->

So, I refreshed the page a few times and kept getting different songs. Like the two above, however, they all had one thing in common: they were songs performed by Elton John. I tried “elton” as the password, but no go, so it’s time to see if we can find .htaccess to get some answers.

http://www.hackthissite.org/missions/.htaccess – no go
http://www.hackthissite.org/missions/basic/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/elton/.htaccess – no go

Convinced that “elton” is the key, I tried an old trick that I’ve seen before and put this in: http://www.hackthissite.org/missions/basic/11/e. I got a listing with the letters b, c, d, e, f, g, and l as other directories. Hmm. . . could it be? I tried http://www.hackthissite.org/missions/basic/11/e/l and the last letter listed was “t.” Pretty obvious now: http://www.hackthissite.org/missions/basic/11/e/l/t/o/n. Nothing listed there, but that has to be where .htaccess is located. Sure enough:

IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
order allow,deny
allow from all
</Files>

Think “DaAnswer.*” might be it? Yep. http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer gives:

The answer is simple!
Just look a little harder.

The answer is: simple. That’s the password.

Mission accomplished!
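The lesson of this mission is really an Apache configuration lesson: directory listings reveal the tree one letter at a time, IndexIgnore only hides names from the listing, and the mission’s own <Files> block makes .htaccess readable. As an added example (not part of the original post and not HackThisSite’s real configuration), here is that weak setup beside a hardened form. The document root /var/www/music is a placeholder; the directives themselves are standard Apache httpd directives.

```apache
# Added example: the misconfiguration behind Basic Mission 11, then a hardened form.
# The path /var/www/music is a placeholder, not the site's real layout.

# --- Weak: what the challenge relies on ---------------------------------
# Automatic listings are on, so requesting /e/ reveals /e/l/, and so on,
# and per-directory .htaccess files may override anything.
<Directory "/var/www/music">
    Options +Indexes
    AllowOverride All
</Directory>

# The mission's own .htaccess (quoted from the post). IndexIgnore only
# hides these names from the generated listing; it does not stop anyone
# from requesting DaAnswer directly. The <Files> block then makes the
# .htaccess file itself downloadable, which is how the hint leaks.
#
#   IndexIgnore DaAnswer.* .htaccess
#   <Files .htaccess>
#   order allow,deny
#   allow from all
#   </Files>

# --- Hardened -----------------------------------------------------------
<Directory "/var/www/music">
    # No automatic listing: a directory with no index file returns 403
    # instead of a file list.
    Options -Indexes
    # Ignore .htaccess files entirely, so a stray per-directory file
    # cannot re-enable listings or loosen access.
    AllowOverride None
    Require all granted
</Directory>

# Refuse to serve .htaccess, .htpasswd and similar from any directory.
# (Apache 2.4 syntax; on 2.2 use "Order allow,deny" plus "Deny from all".)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Place the hardened block in httpd.conf or the virtual host, run `apachectl configtest`, and reload. To check the result, request a directory that has no index file and request /.htaccess directly: both should now return 403. Note that the stock httpd.conf already ships a `<Files ".ht*">` deny block, which is exactly why the mission’s .htaccess had to override it to be readable at all.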


May 29, 2010  1:39 PM

FTC Investigates Photocopier Data Security Risks


In my April 26, 2010 post, “Security Risk of Digital Copiers,” I reported on the issue of permanent storage of images on copier hard drives and the potentially serious security risks associated with it. Now the FTC is getting involved.

Representative Edward J Markey (D-Mass), who first raised the issue with the FTC in April, said, “Many of these machines do not just copy sensitive documents; they store them as well, providing a treasure trove for identity thieves. In short, these machines are not merely document copiers, they are document keepers.

“I am very pleased to learn that the FTC is investigating this important matter, which most consumers are unaware of when they place their tax returns, financial records and other personal information on the copier and hit the ‘Start’ button.”

In a letter to Markey, FTC chairman Jon Leibowitz assured him that government data is safe: “With respect to government agencies, our own practice is to acquire ownership of the hard drives in the digital copiers we lease, and to erase and subsequently destroy these hard drives when the copiers are returned.”

Leibowitz also said that the FTC will work with manufacturers and vendors to educate customers about the security risks involved and promised to update FTC consumer and business educational materials.


May 28, 2010  12:52 AM

Facebook Announces Privacy Redesign


Facebook apparently listened to all the feedback and recent furor over its complicated privacy settings interface and have simplified it. You can check out the details in CEO Mark Zuckerberg’s blog post and check out the new Facebook Privacy Page. I commend Zuckerberg and the whole Facebook team for actually listening to its users. That certainly gives me more confidence in their product.

. . . you have sent us lots of feedback. We’ve listened carefully in order to figure out the best next steps. We recognize that we made a lot of changes, so we really wanted to take the time to understand your feedback and make sure we address your concerns.

The number one thing we’ve heard is that there just needs to be a simpler way to control your information. We’ve always offered a lot of controls, but if you find them too hard to use then you won’t feel like you have control. Unless you feel in control, then you won’t be comfortable sharing and our service will be less useful for you. We agree we need to improve this.

Today we’re starting to roll out some changes that will make all of these controls a lot simpler. We’ve focused on three things: a single control for your content, more powerful controls for your basic information and an easy control to turn off all applications.

What do you think?


May 28, 2010  12:35 AM

Software for Secure Computing: Privacy Settings Scanner for Facebook


Well, I had already had this queued for publication before Facebook decided to change their privacy policy in the wake of significant user feedback. That will be the subject of my next post. Just to be sure the new policy didn’t break anything, I tested this scanner again and it still works. So what is it?

The tool is called “Reclaim Privacy” and I want to acknowledge Gizmo’s Best-ever Freeware for sending me the alert. Here’s the scoop:

Reclaim Privacy is written in JavaScript. It’s free and open source, so anyone who has concerns over its motives can easily check that it isn’t doing anything it shouldn’t.

To use it, go to www.reclaimprivacy.org and add the utility to your browser favorites. Then log into Facebook and go to your privacy settings page (there’s a link on the reclaimprivacy site to help you). Then run the Reclaim Privacy script by selecting it from your bookmarked favorites, and the analysis of your privacy exposure will be ready in a second or two.

Here’s what it looks like:

This reminds me of Secunia’s PSI vulnerability scanner that I’ve written about on numerous occasions; the difference is that Reclaim Privacy is application-specific.

I never did arrive at a perfect “secure” score on all things, but the “caution” items don’t bother me – I’ve set my Facebook account privacy settings to a level that I’m comfortable with.

If you use Facebook, give this tool a try and let me know what you think.


May 25, 2010  7:23 PM

Is Your Mechanic a Hacker?


Do you trust your mechanic? If you have any doubts, you had better find one you can trust because your safety – maybe even your life – is in his hands. A recently completed study by researchers in the Departments of Computer Science and Engineering at the University of Washington and University of California San Diego entitled “Experimental Security Analysis of a Modern Automobile” reveals alarming vulnerabilities.

Someone—such as a mechanic, a valet, a person who rents a car, an ex-friend, a disgruntled family member, or the car owner—can, with even momentary access to the vehicle, insert a malicious component into a car’s internal network via the ubiquitous OBD-II port (typically under the dash). . . . A similar entry point is presented by counterfeit or malicious components entering the vehicle parts supply chain—either before the vehicle is sent to the dealer, or with a car owner’s purchase of an aftermarket third-party component (such as a counterfeit FM radio). . . . In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical.

Feeling a bit uneasy now? I was, too. I was quite disturbed by the time I finished reading what the researchers were able to do to the car. See the illustration above? Not only were they able to display an arbitrary message, but also a false speedometer reading (note that the car is in park). They had full control of the instrument panel cluster. They were also able to completely control – and disable user control of – the radio, display arbitrary messages, and produce various sounds. The really scary stuff involves the ability to completely disable the brakes and power steering, disrupt engine timing, kill the engine, and lock the doors and windows.

Theoretically, someone could pull off a perfect murder with the right malware. Enter the dangerous new world of murder-by-software.

We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit [think OnStar] and that will completely erase any evidence of its presence after a crash. . . . Combining our control over various BCM components, we created a “Self-Destruct” demo in which a 60-second count-down is displayed on the Driver Information Center (the dash), accompanied by clicks at an increasing rate and horn honks in the last few seconds. In our demo, this sequence culminated with killing the engine and activating the door lock relay (preventing the occupant from using the electronic door unlock button).

What if the sequence culminated in locking the brakes on the two wheels on the driver’s side of the car?

Scary stuff.


May 25, 2010  12:14 PM

Software for Secure Computing: Mozilla Plugin Check


As you know, I advocate keeping everything up to date on your PC, not just the OS. Applications, accessories and browser plugins are all subject to security vulnerabilities. Mozilla’s Plugin Check makes it easy to see if your browser plugins are up to date.

The beauty of this site is that it works with all popular browsers as noted by Steve Gibson of Security Now!:

The big news is they’ve decided to expand this service beyond Firefox, which is so cool. They’re now offering it for not only Firefox, but Safari, Chrome, Opera, and IE.

Just do it!


May 25, 2010  12:14 AM

Uninstall Adobe Shockwave


Adobe’s Shockwave (this is NOT flash – flash is sometimes labeled “Shockwave Flash”) has a bucket full of vulnerabilities (11 in all). It’s not a widely used platform and I recommend you uninstall it immediately. It will be labeled simply as “Shockwave” or “Shockwave Player” and will have a version number of 11.x.x.xxx. Shockwave Flash is at version 10.x. (See image.) In this @RISK: The Consensus Security Vulnerability Alert Volume: IX, Issue: 20, May 13, 2010 article, SANS outlines the vulnerabilities:

The first issue is caused by a boundary error while processing Shockwave 3D block. The second issue is a memory corruption vulnerability caused by a signedness error while processing malicious Shockwave files. The third issue is a memory corruption vulnerability caused by an array indexing error while processing malicious Shockwave files.

. . .

The eleventh issue is caused by a signedness error while processing Director files. There are some more unspecified errors which can be exploited to cause memory corruption.

Unless you have a specific use for this plugin, just get rid of it. I found I don’t even have it, so it’s not really an issue for website functionality.


May 22, 2010  1:00 AM

Google Releases SSL Search


Google just released SSL Search to beta. Earlier today, it was being selectively rolled out and wasn’t available to everyone. It appears to be more widely available now; at least, it works for me. With end-to-end SSL encryption, your searches are now completely private. Here’s what Google has to say in their Help article:

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

To use the new feature, you have to explicitly enter https://www.google.com each time you want to perform a secure search. Google Images and Google Maps are not available over SSL yet. Also note that due to SSL overhead, you may notice that such searches are not as fast as regular searches. Google has created a new search logo (see below) to let you know when you’re using the new feature, but it’s good practice to make sure you see the lock icon in your browser and https:// in the address bar.

Google plans to make SSL the default but they first want to see how it affects users’ search experience and gather feedback. Hence the beta designation. Yahoo and Bing haven’t implemented encryption in their engines.


May 17, 2010  2:06 AM

Should You Be Held Liable for Illegal Activity on Your Unsecured WiFi?


There’s currently no law in the U.S. that holds the owner of an unsecured access point liable for illegal activity on it. In Germany, however, people are now subject to a fine of 100 Euros ($130 US) if someone uses their network to download content illegally. See “German WiFi Owners Are Now Liable for What Third Party Users Download While Connected to Their Network.”

According to the article, experts in the UK don’t see such a ruling as affecting them anytime soon.

Asked whether a law such as this could ever transfer to the UK, Stuart Okin, managing director of Comsec Consulting, said: “I don’t ever see that coming over here as I don’t see how it could be policed in the UK.

“In Germany there is a different culture, and when rules come into play they are obeyed without question. In the UK I am not saying that no one will do it, but it is not advisable and realistic to work.”

That may very well be, but I call it a wrong target. The real culprit is the illegal downloader whose intent is clearly to hide his actions by stealing someone’s network identity – a crime in itself. Any time you assign illegal activity to the wrong source, you end up with a legal quagmire that is certain to take years to sort out in the courts.

Moreover, I don’t think you can force an individual (not in this country at least) to learn a technology in order to use it. After all, one doesn’t have to learn the technology of the internal combustion engine in order to mow the lawn, one just has to know how to start the engine. Furthermore, we assume that the manufacturer has taken the necessary steps to make the device function properly and safely and if it doesn’t, the manufacturer is liable in most cases.

SANS News Bites Editor Stephen Northcutt extends this idea to the access point, “We all need to keep our eyes open, because if the access point itself has vulnerabilities that lead to filesharing then who is to blame. …if you meet the letter of the law, and “protect” your network and someone computes the WPA key and downloads files over your network, who gets sued and why?”

I won’t say it can’t happen here; that would be naive beyond belief. I will say that it’s a very bad idea to try to force people into securing their access points. It would be much more workable if the manufacturers opted to make their equipment secure by default.

What do you think?

