Security Corner


May 15, 2010  1:19 AM

“Report Has Changed” Spam is Not Malicious

Ken Harthun Ken Harthun Profile: Ken Harthun

Got this message in my Hotmail account the other day and decided to investigate a bit to see what was up. These things are usually either links to malware infested sites or volume spam designed to create lots of clicks to CPA (Cost Per Action) offers, i.e., click fraud. And it turns out that’s just what this is.

ken's Report Has Changed‏
bouyahiaoui rabie (b_rabie@hotmail.com)Wed 5/12/10 2:53 AM
To:kenharthun@hotmail.com
Hello ken, your report that has changed on May 12th
is ready for  viewing.
www.creditreport.com/344344/ken's-report.html

That link is actually

http://bit.ly/cIhmwF

and the expanded version points to:

http://track.dankcash.com/aff_c?offer_id=24&aff_id=268&source=hnov6.

I fired my browser up in a sandbox and visited the site. It goes to CreditReport.com. Clearly click fraud, but not malicious. I suggest we all just boycott the site. For sure, don’t subscribe to their service until you report the illegal spam activity.

What do you think?

May 13, 2010  2:20 AM

Secure Computing: Password Card is a Winner

Ken Harthun Ken Harthun Profile: Ken Harthun

Thanks to “A password reminder to carry with you” on the IT Trenches blog letting me know about this great little tool. This thing is a real winner for all those XP forgotten password issues. Now, when you get those calls like “I forgot my password for my ____,” you can give them something that allows them to write down password clues that are secure and also easily remembered.

You visit http://passwordcard.org and it generates an unique credit card sized matrix like the one in the picture at left. Just pick a symbol, a color and a number of characters and you have a secure password. You have the option of creating a numbers-only area as well as including symbols into the mix, depending on the type of passwords or PINs you require. The default is upper/lowercase and numbers. If you lose your card you can get a duplicate by going to the site and entering the number that appears on the bottom of the card, so you might want to write that down and keep it in a safe place just in case.

There are several ways you can use the password card. The simplest way is to pick a symbol, color and sequence of characters from left to right as in the illustration. You would remember this, or write it down, as “spade green 8.” But notice that there are eight rows under each symbol. You could could choose the column under the diamond symbol and use the password JwdC4aGt. You’d write that down as “diamond down.” Reverse the order, and you might write it down as “diamond up.” In this case, the password would be tGa4CdwJ.

Want to get really fancy? You can if you want. How about four symbols, four colors, two characters from each? The possibilities are endless.

Visit IT Trenches and tell me what you think about this tool.


May 12, 2010  1:22 AM

Why Bother Giving Password Advice?

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m miffed. I went to visit one of my clients yesterday – one that I’ve carefully educated in password selection and security – and saw a sticky note on the wall with all his passwords written down on it. I asked him why. He just went on and told me that it was just too much trouble to think about mnemonics, password encoding systems, etc. I said that at least he could put that sticky note on the bottom of his keyboard where it was less obvious. He said it didn’t matter; whomever wanted his passwords would find them there anyway.

I won’t tell you this client’s profession; if I did, you’d be shocked. Let’s just say that a member of the cleaning crew could use information obtained through illegal use of my client’s passwords to do some real damage. And don’t think that a determined hacker would find it beneath him- or herself to take a job as a custodian if there was profit in the offing.

Why bother? Well, here’s the thing: I have all of my advice in writing in the form of emails with training materials attached to them. If my client ever gets hacked, I’m not liable for the consequences of any breach. I told them so. If they chose to ignore my advice, so be it. I did my job.

But I’m still miffed; I thought my opinion was valued.

What would you think?


May 8, 2010  4:52 PM

Microsoft Security – No Longer an Oxymoron

Ken Harthun Ken Harthun Profile: Ken Harthun
Microsoft

Source: Microsoft

I have never been an apologist for Microsoft’s security policies and practices; indeed, I’ve often criticized the firm and accused them of a laissez-faire attitude towards their development teams. I have to admit that they’ve been making some headway in the direction of basic security over the years, but I’ve wondered if they would ever get it right. Recently, I’ve had a love-hate relationship with Microsoft Security Essentials (See “Microsoft Security Essentials is a Game Changer” and “Microsoft’s Security Essentials Causes Performance Problems“), their most recent attempt at complete security protection for Windows™. I’m going back to the love relationship. My reason? The combination of  Windows 7 security enhancements, IE8 and Microsoft Security Essentials is very secure; it looks like Microsoft has finally done it right.

I migrated my laptop to that combination in mid-March. I have enjoyed nearly two months of secure computing with no performance issues, no security issues, and the freedom from having to worry about which third-party security solution I should implement. I still use Thunderbird for email and Firefox as my main browser, but that’s no longer because I’m concerned about using IE–IE8′s default settings have proven to be more than sufficient.

I’m not the only one who’s noticed. Fred Langa of Windows Secrets Newsletter recently ran a 120-day test of his own under some pretty tough conditions. You’ll want to read that article, of course, especially if you’re an advanced Windows user, but Fred’s results are worth mentioning:

Four months in, and no malware has infected my Win7 systems. I’ve experienced no malware-like misbehavior on my machines, and to the best of my knowledge, my systems remain clean and unhacked.

So I’m comfortable saying that the combination of the Win7 firewall, Microsoft Security Essentials, and fully current browsers and e-mail clients is proving to be a wholly acceptable security solution for routine use.

However, I’m not ready to recommend this combination to advanced users — especially those with demanding needs or who require the ability to easily customize their setup.

What’s your opinion? Leave me a comment.


May 7, 2010  2:03 AM

Software for Secure Computing: Hivelogic’s Enkoder Form

Ken Harthun Ken Harthun Profile: Ken Harthun

Spam email is the primary distribution channel for malicious content, so it behooves us to do everything possible to prevent our email addresses from being harvested by web-crawling robots. Posting your email address on any public-facing web page is almost sure to get you on spammers’ lists, yet most webmasters do just that. What’s one to do? There has to be some secure way to allow visitors to contact you, right?

Enter Hivelogic’s Enkoder Form, a tool that encrypts your email address and converts the result into a self evaluating JavaScript. The browser is able to properly display the address, but an email harvesting robots will find nothing they can use. I tried it out with “foo@fooey.com” just to see what would happen. Here’s what I got:

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")41,\\\"MEOZPO120\\\\@RLt\\\\600\\\\J500\\\\100\\\\600\\" +
"\\310\\\\ ZA>r\\\\t\\\\>38|5;y=:v1:6!q?;n&/\\\"\\\\&n\\\\j330\\\\{ (7+5`530" +
"\\\\bPSX420\\\\@]XYSt\\\\\\\\]Wn\\\\@ZAEJG310\\\\t230\\\\@@VK200\\\\@430\\\\"+
"=6sp~npj`8azv771\\\\ds`j\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmo" +
"rf.gnirtS=+o;721=%y;2=*y))y+41(>i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o" +
",i rav{)y,x(f noitcnuf\")"                                                   ;
while(x=eval(x));
//-->
//]]>
</script>

To see it in action, check out http://kenharthun.com/test.html. You can see that it works perfectly.

There are two forms on the site, The Basic Form and The Advanced Form. The Advanced Form can be used to encode anything you want, web pages, plain text, etc. I encoded this paragraph with it and got this result:

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){if(i<2)y++;y%=127;o+=String.fromCharCode(x" +
".charCodeAt(i)^(y++));}return o;}f(\\\"\\\\gjereld\\\\\\\\177\\\\\\\\\\\"\\" +
"\\z|fdt~}<7B\\\\\\\\177}k\\\\\\\\177;}o{?TVM\\\\\\\03BJTJ[\\\\\\\\tEE\\\\" +
"\\\14YFJ\\\\\\\20B[GQ\\\\\\\31\\\\\\\26cP\\\\\\\\\\\\\\\\\\\\\\\3" +
"2y]NW\\\\\\\\\\\\\\\\`\\\\\\\07-1)e'),i\\\\\\\36#)m\\\\\\\17+&0<011v\\"+
"\\\\\217+7u|\\\\\\\\t6:@ \\\\\\\06\\\\\\\25\\\\\\\05\\\\\\\13\\\\" +
"\\\05\\\\\\\02\\\\\\\14I,\\\\\\\04\\\\\\\36\\\\\\\00N\\\\\\\1" +
"4\\\\\\\21\\\\\\\37R\\\\\\\21\\\\\\\21U\\\\\\\03\\\\\\\04\\\\\\" +
"\35\\\\\\\35Z\\\\\\\17\\\\\\\23]\\\\\\\33nbmga%giq}bbbj.v\\\\\\\\" +
"177d2du{b98P:~r~q{EE\\\\\\\02WLLU\\\\\\\07XHXJK_O_X\\\\\\\21EZ@]\\\\\\"+
"\26^L\\\\\\\31[UX\\\\\\\35YP4a6+-6f5-:?'8wlfkai\\\"\\\\,2)\\\"(f};)lo" +
",0(rtsbus.o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+" +
"x{yrt{)67=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f " +
"noitcnuf\")"                                                                 ;
while(x=eval(x));
//-->
//]]>
</script>

Again, to see it in action, check out http://kenharthun.com/test2.html.

This isn’t the perfect tool by any means. Bear in mind what the developer has to say.

This tool is only useful for protecting an email address on a web page you’ve designed in HTML. It probably cannot be used when sending email, when posting your address into a web form, or when adding comments to a forum.

Enkoder isn’t the only tool out there by an means, but it’s quick and convenient and you only need to do it one time for each email address you want to use on your websites.

Besides, anyone calling themselves “Secret Space Agency” gets my patronage any day.


May 4, 2010  12:37 AM

Secure Computing: Harden Your Browser

Ken Harthun Ken Harthun Profile: Ken Harthun

ActiveX – probably the worst idea Microsoft ever came up with – isn’t the only problem with browsers even though its vulnerabilities are probably the most frequently exploited. If you’ve been reading this blog for any length of time, you know where I stand on that issue. That’s not to say that any of the alternatives are inherently more secure; they’re not. Every modern browser supports JavaScript and there are plenty of exploits that rely on it. That’s why it’s essential that no matter what browser you use, you make every effort you can to harden it against attack.

Why is this necessary? Unfortunately, most of the time the browser that comes pre-installed on new computers, the one that the computer owners will use, is not set up in a secure default configuration. This is one of the worst ideas ever when it comes to security. If I had my way, I’d set the default configuration such that warnings would be issued for any website that wasn’t built with simple, benign HTML. I realize this isn’t practical on today’s interactive Internet and it would break nearly everything out there today (except a site like this one, composed only of an image and some text with a hypertext link).

Fortunately, there are plenty of free resources (including this blog and my free eBook, “14 Golden Rules of Computer Security“) that have good information on what to do. The best one, bar none, is CERT’s “Securing Your Web Browser.” All of the details anyone needs to secure the major browsers – Internet Explorer, Mozilla Firefox, and Apple Safari to name the top three – are all there with general tips on what to do with virtually any of the others you may encounter.

Tell everyone you know about it. Make it part of the setup routine when you deploy PCs or set them up for your family. The Internet will be a safer place if you do.


April 30, 2010  2:53 PM

Physical Security: Master Lock 1500iD Speed Dial

Ken Harthun Ken Harthun Profile: Ken Harthun
Master Lock 1500iD Speed Dial

Master Lock 1500iD Speed Dial

If you recall, Golden Rule #8: Does Encryption Have You Complacent About Physical Security? stresses that physical security is almost as important as data security, so when I hear of an interesting or innovative physical security product, I do the research.

Last week, I heard about the new Master Lock 1500iD Speed Dial™ combination lock. According to the company, this is the “world’s first combination lock that opens on up/down/left/right directional movements.” It’s fascinating for several reasons, most notably, the mechanical hash technology used to store any combination of any length. More on that in a moment. For now, check out the video demo.

How about that one-handed blind opening move? Very cool. The lock is also resettable as shown in this video. You might also want to check out Review: Master 1500iD “Speed Dial” lock. That article has links to some very interesting security items and concepts I plan to cover in future posts. What struck me most was this paragraph:

One of the first things I wanted to know was how it worked inside. I also wanted to know how difficult a task it was to get it open without completely destroying it. To the first end, I stumbled on Michael Huebler’s 1500iD visualization flash simulator, and subsequently the PDF breaking down most of the facts on this lock.

Something for us security Geeks to play with over the weekend. Enjoy!


April 30, 2010  1:03 AM

Symantec Buys PGP and GuardianEdge

Ken Harthun Ken Harthun Profile: Ken Harthun

Symantec Corporation announced today that it has signed agreements to acquire PGP Corporation and GuardianEdge Technologies, Inc. PGP Corporation needs little introduction as a global leader in email and data encryption software. GuardianEdge is the leader in endpoint data protection for the enterprise; their solutions have been deployed by leading organizations including Lockheed Martin Corporation as well as numerous government agencies including the U.S. departments of Vetera to Affairs, Defense, Energy, State and Education to name a few.

It appears as though Symantec is moving toward becoming  a one-stop security shop. As they said in their press release, “Encryption technology is an important element of an information-centric security solution, as critical information is increasingly on mobile devices and in the cloud. . . . By bringing together PGP and GuardianEdge’s standards-based encryption capabilities for full-disk, removable media, email, file, folder and smartphone, with Symantec’s endpoint security and data loss prevention offerings, Symantec will have the broadest set of integrated data protection solutions.”

That could be a good thing. . .or not. There’s nothing wrong with an integrated, comprehensive solution; often, that’s the best approach. But there have been some huge performance issues with Symantec’s Endpoint Protection.

Time will tell, of course.


April 29, 2010  1:18 AM

Hacking Skills Challenge – Level 10

Ken Harthun Ken Harthun Profile: Ken Harthun

It’s again time to delve into our Hacking Skills Challenge. Our last challenge was level 9 at HackThisSite.org and that was three months ago. They say these are supposed to get increasingly difficult as we climb the ladder, but this one is almost too easy. Here’s the challenge:

Network Security Sam has decided to hard code the password into the script. He also started to use cookies to detect if the user is authorized to advance to the next level. When you enter the correct password, it sets you to authorized, and if you enter an incorrect password, it sets you to unauthorized.

Ever edit a cookie? That’s all you have to do. Read the above challenge again and you’ll see that it tells you exactly how to crack it. I used a Firefox add-on called “Edit Cookies” to accomplish it.

Enter some random password into the field. It won’t be the right one, of course. Now, you have a cookie set on your machine named “level11_authorized” that is set to “no.” Edit the cookie and change the content from “no” to “yes”. After this, you can move to the next level.

Mission accomplished!

(Note: when I went to check this again, I got a message that the site is currently under maintenance: “HackThisSite.org is temporarily offline. We’re currently busy fixing some erroneous code, and will have HackThisSite.org back online as soon as possible. Thanks for your patience! – HackThisSite Staff”)


April 28, 2010  1:38 AM

Security Fun: Homophonic Cipher Security Challenge

Ken Harthun Ken Harthun Profile: Ken Harthun

Time to lighten up a bit. Well, some people may consider this anything but light; however, real Geeks enjoy this kind of thing. Consider this homophonic ciphertext:

32 25 00 75 67 94 63 57 96 43 73 90 91 97 90 45 92 52 00 34 24 42 78 17 92 19 04 97 65 16 06 57 64 04 92 81 05 63 69 65 99 27 05 38 65 07 91 83 62 41 83 95 23 55 29 96 96 54 83 43 39 07 63 06 65 17 83 89 90 63 26 79 51 46 30 52 07 63 88 59 07 66 17 65 57 27

Here’s the challenge: Decipher the message above and post the resulting plaintext in the comments. Everyone who gets it right wins free lifetime access to my Geek Toolkit ($37 value). Hint: There are tools on the web that will decipher this if you know where to look.

If you don’t know what a homophonic cipher is, better do some homework. First, it’s a simple substitution cipher in which plaintext letters map to more than one ciphertext symbol. Typically, the highest-frequency plaintext symbols–such as the letter e in the English language–are given more equivalents than letters that appear less frequently. This makes it much more difficult to use frequency analysis to break the cipher. But this isn’t always the case. Take Poe‘s “The Gold-Bug” for a literary example where a whole set of symbols was invented to describe the location of buried treasure. See this Wikipedia entry for more information.

This won’t help you much, but here is the message “The quick brown fox jumps over the lazy dogz.” I put the extra z there because it’s the least-used letter in the English language and has only one substitution in a homophonic cipher, so that’s a clue. But e has 12 substitutions, so you won’t find that one. Here’s the ciphertext: 17 68 82 94 63 70 13 04 48 29 54 60 59 31 72 28 15 63 27 95 96 90 34 14 77 30 50 24 26 33 02 52 03 54 06 02.

Have fun!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: