Security Corner

September 26, 2010  4:02 PM

Hotmail Phishing Attempt

Ken Harthun Ken Harthun Profile: Ken Harthun

I have to admit this one is good enough that I opened it, but as soon as I started reading, its true intent was obvious. By the second sentence, it doesn’t even make sense anymore. Not only that, but another telltale sign is the way the headline is constructed. See for yourself:

Why anyone ever falls for these is beyond me, but I know that people fall victim to these things every day.

Don’t let your family and clients become victims. Teach them what to look for and how to avoid these attempts and once you’ve taught them, remind them on a regular basis.

September 21, 2010  1:59 AM

ClearCloud: Another Safe Computing Solution

Ken Harthun Ken Harthun Profile: Ken Harthun

Back in 2010 June, I posted Sunbelt’s ClearCloud DNS Sneak Peek. At that time, only one server was available. Now, ClearCloud DNS is officially in Beta.

You can configure your DNS settings to use ClearCloud with the following IP addresses: Preferred DNS server:; Alternate DNS server: 74.118.212. You will find complete instructions for Windows, Macintosh and router configuration here. They also provide a utility that allows you to automatically enable and disable ClearCloud at the click of a button. This can be handy if you run into a blocked site that you actually need or want to load.

Similar to OpenDNS, ClearCloud DNS is a free service that checks every website address your computer is trying to access; unlike OpenDNS, ClearCloud DNS does not provide content filtering as its intent is to be a security device to keep your computer safe from malicious sites. Here’s what they say:

As such, we do a lot more research on sites that try to steal information from you, download malicious files onto your machine, trick you into buying useless programs, and other similar functions. We block a lot more sites that are malicious because that’s what we concentrate on. We process up to a million potential threats a day, and capture any URLs that real threats “phone home” to. We also actively search out malicious sites and have other systems in place to identify who the bad guys are.

It would appear that you now have to make a choice between content filtering and blocking of malicious sites. I don’t know of any way to query two servers at the same time without some major shenanigans.

After you’ve configured ClearCloud, you can test it with 2 pages to verify that it’s working: – ClearCloud block page – Test page – You should see the ClearCloud logo on this page.

September 19, 2010  6:48 PM

Disable and Delete Flash Cookies for Good

Ken Harthun Ken Harthun Profile: Ken Harthun

You’ve disabled third-party cookies and locked down your privacy settings. Ever wondered why you are still tracked? You’ve probably got scores of “super cookies,” also known as Local Shared Objects (LSO) or Flash cookies. Maybe you’ve heard about these and used Adobe’s own tools, Adobe Global Storage Settings Panel, to disable and delete them, but they just seem to keep coming back. Suspicious. In Security Now! Episode 266, Steve Gibson talks about the problems he’s noticed:

So I went back over to the Flash configuration. And just using that UI, I disabled these again. I went through the various tabs, noting that there were more of them now than there used to be. And when I went back to the first tab where I turned it off, it was already turned on again. So I’m really annoyed by this. I don’t know, I haven’t tracked down what’s going on. But I’ll just tell people, you think you’ve turned this off, check back the next day and see if it stays off because something is turning it back on.

Enter BetterPrivacy, a safeguard which protects your system from these super cookies:

Better Privacy serves to protect against non-deletable long term cookies, a new generation of ‘Super-Cookie’, which silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. Concerning privacy Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them – since browsers are unable to do that for you.

I installed the add-on just see what was on my system and was greeted with a message on exit–that’s when BetterPrivacy does its work, by default–that it was about to delete 879 LSOs. Wow! That’s a lot of super cookies, but really not surprising considering the number of Flash videos I encounter on the web.

When you install the add-on, a new item appears under the Tools menu: BetterPrivacy. This control panel allows you to configure the add-on to perform according to your preferences. Explore the options and you’ll see what you can do.

This add-on doesn’t replace using Adobe’s tool to disable the cookies in the first place, but in the event Adobe’s shenanigans re-activate the “feature,” this tool will let you know about it right away.

September 17, 2010  8:15 PM

Who Else Has Had It With Adobe?

Ken Harthun Ken Harthun Profile: Ken Harthun
I'm fed up with Adobe!

I'm fed up with Adobe!

There are those of us who haven’t used Adobe’s Acrobat Reader in years, choosing alternatives like the free FoxIt Reader, or Open Source Xpdf instead. My reason at first was simply that Acroreader is bloatware, took forever to load and used up too much memory; these days, my reason includes the terribly insecure software Adobe insists on releasing. Unfortunately, it’s hard to get away from Flash on the web, but there is an alternative player/plugin that I’ll talk about in a moment. And here we go with business as usual:

Security Advisory for Flash Player

Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
Platform: All


A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We’ll have to wait until the week of September 27, 2010 for the Flash patch, and the week of October 4, 2010 for the Reader/Acrobat patches.

What can you do? Unless you absolutely have to have Reader/Acrobat for some reason, switch to an alternative such as one of those I mentioned above. FoxIt Reader integrates nicely with Firefox. There’s another FF add-on that’s an alternative to Adobe: gPDF is a handy tool to view PDF, DOC, DOCX and PPT files online, using Google’s Docs Viewer.

Next, disable Shockwave Flash plugin. Download and install Swiff Player (current version 1.7), a Free stand-alone player that enables web designers and Flash users to easily play Flash movies. When you install it, it also becomes the default player for .swf files on the web. Sweet, eh? Swiff Player is very fast, too. This won’t eliminate Flash (Swiff Player requires it), so I’m not sure exactly what is gained, but it’s an extra layer for hackers to penetrate, so it just might break a Flash exploit by introducing a misdirection.

Anyone have any thoughts on this?

September 17, 2010  1:24 AM

Panda Security Publishes Findings from 1st Annual Social Media Risk Index for SMBs

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’re not familiar with this great company, you need to be. I’ve written about them here on several occasions. It seems to me that in this highly competitive security industry, these people just seem to want to do it right. They have great products and they’re attentive to their clients and potential clients. No, I didn’t get paid to say that.

The latest news from Panda Security is their announcement of the the results of their First Annual Social Media Risk Index for SMBs, a study which surveyed 315 US businesses with up to 1,000 employees.

Highlights from the study include:

  • 33% of SMBs have been infected by malware propagated via social networks
  • 23% of SMBs cited employee privacy violations on popular social media sites
  • 35% of SMBs infected by malware from social networks have suffered financial loss
  • Facebook takes top spot for social networking-related malware infections, followed by YouTube and Twitter
  • 57% of SMBs currently have a social media governance policy in place, with 81 percent of these companies employing personnel to actively enforce those policies

In addition, thirty-five percent of survey respondents that were infected by malware from social networking sites suffered a financial loss, with more than a third of those companies reporting losses in excess of $5,000.

“Social media is now ubiquitous among SMBs because of its many obvious business benefits, yet these tools don’t come without serious risks,” said Sean-Paul Correll, threat researcher at Panda Security. “In Panda’s first annual Social Media Risk Index, we set out to uncover the top SMB concerns about social media and draw a correlation to actual incidence of malware infection, privacy violations and hard financial losses. While a relatively high number of SMBs have been infected by malware from social sites, we were pleased to see that the majority of companies already have formal governance and education programs in place. These types of policies combined with up to date network security solutions are required to minimize risk and ultimately prevent loss.”

Is it any surprise that Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent)? I know that Facebook has taken some major steps to fix various privacy issues, but, hey, you still have to be very careful on there. YouTube took the second spot for malware infection (41.2 percent), while Twitter contributed to a significant amount of privacy violations (51 percent).

For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred (62 percent), followed by Twitter (38 percent), YouTube (24 percent) and LinkedIn (11 percent).

September 14, 2010  4:24 PM

Is Your Password on the List of Worst Ones Ever?

Ken Harthun Ken Harthun Profile: Ken Harthun

Graphic by Steve Lorenzo

My friend, Steve Lorenzo over at just compiled a report Top 500 Most Common Passwords Used Online and he’s giving it away for the asking. The subject has certainly been around for awhile, but every now and again it’s a good idea to revisit it.

In the 33-page report, Steve covers a lot of ground starting with phishing attacks on MySpace from a few years back and the most recent phishing attempts on Skype (which I also wrote about last month: Skype Phishing Attempts and Account Hacking – Part 1, and Skype Phishing Attempts and Account Hacking – Part 2).

If you are using any of the passwords on the lists presented in the report, you should change them immediately and then make sure that you don’t use the same username and password combination more than once on any site that matters. I confess that I have the same username/password combination on a few sites, but they are nothing important and I don’t use those combinations anywhere else. So, if a cracker manages to get one of those, he’ll waste time trying to make it work on my email accounts, back accounts, etc.

Further recommendations from the report:

  • Never use the same username / password combination twice
  • Always use the strongest possible passwords we may come with
  • Not dictionary words
  • Not our pet’s name
  • Or our Mother-in-Law’s
  • Neither the latest basketball or rock star’s name
  • Nor the latest trends in gaming
  • Finally, not even the coolest 4 letter word you just learned…

Again, this is a great reason to use a password manager to generate and store secure passwords. Steve likes RoboForm; as you know, I recommend LastPass. There’s a plethora of them out there; at last count, I was able to locate no fewer than 22 of them and with that many, there’s surely something for everyone.

September 12, 2010  12:07 AM

Do You Have the ‘Here You Have’ Email Worm?

Ken Harthun Ken Harthun Profile: Ken Harthun
Here You Have Worm

"Here You Have" Worm | Source:

Yet another email worm has been circulating via email with the subject line “Here You Have”–an obvious misunderstanding of the English idiom “here you go” on the part of a non-native English speaking cracker. Another subject line being used is “Just For You.” Besides the text shown above, this also appears in some messages: “This is The Free Dowload Sex Movies,you can find it Here.

Here is what McAfee says about it:

When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus.  When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory).   Once infected the worm attempts to send the aforementioned message to email address book recipients.  It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

The good news is that the site hosting the malware has been taken down, effectively killing the worm. However, infected machines will still be spewing the emails, so need to be cleaned. If you suspect you or a client or family member is infected, run a malware scan on the system.

September 8, 2010  1:27 AM

Your Privacy is Bleeding onto the Internet

Ken Harthun Ken Harthun Profile: Ken Harthun

Privacy has been dead for a long time thanks to the Information Age. More personally-identifiable information than ever before is now accessible online through free and paid searches. The simple fact that most people post their intimate personal details on FaceBook, MySpace, Twitter, and other social networks contributes to the overall erosion of privacy. But, personally-identifiable information is only one aspect of the problem; perhaps an even bigger privacy threat is the leakage of machine-specific fingerprints that are used to track your online habits.

Beginning at the first part of 2010, the Electronic Frontier Foundation (EFF) initiated a study called Panopticlick designed to see if sufficient information could be gathered, irrespective of the use of cookies or other tracking methods, to uniquely identify machines on the Internet. The bad news is that yes, they could; the good news is that it’s not personally-identifiable information. You can read their full report, “How Secure is Your Browser?

I went to their research site and found that my browser was uniquely identifiable among more than 1.1 million others: “Your browser fingerprint appears to be unique among the 1,161,450 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.15 bits of identifying information.” What this means is that using the information listed below, my browsing habits can be tracked using only information gleaned from my browser’s interaction with web servers.

Steve Gibson of covered this research in minute detail in Security Now! Podcast Episode #264 last week and I highly suggest you listen to it. But, until you get a chance to do so, here is all the information you need to uniquely identify any machine on the Internet with amazing accuracy:

  • User agent
  • HTTP_ACCEPT headers
  • Browser plug-in details
  • Time Zone
  • Screen size and color depth
  • System fonts
  • Whether or not cookies are enabled
  • Supercookie (Flash cookies) test

Commercial services are already using this information to track your online habits–no matter how you try to block them–using technology to fingerprint your system, and they are building huge databases. While none of this information is tied to your personal identity, the profiles are nevertheless useful to advertisers who will use it to more accurately target web surfers with relevant marketing messages.

In the next post, I’ll detail what you can do about this (not much, unfortunately) and why, for now, you probably shouldn’t be too concerned.

September 6, 2010  3:13 PM

Book Review: Scrappy Information Security by Michael Seese

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’re a security wonk like me, you’ll definitely want to pick up a copy of Scrappy Information Security — The Easy Way to Keep the Cyber Wolves at Bay (ISBN 978-1-60005-132-6) by Michael Seese.  Not just another dry tome produced in a boring, didactic style, this book is–as its name implies–written with an attitude and nowhere is the attitude more evident than in the first paragraph of the first chapter:

You have to learn to crawl before you can walk. It’s no different when learning about information security. But your first baby steps probably should not include thumbing through some of the tomes out there with upwards of 500 pages. . . Let us assume that you have a life, and don’t want to spend it flipping through such a text until you are well into your nineties.

The author’s approach to security focuses on the essentials and leaves out all of the unnecessary theory and discussion that don’t serve any purpose in the real world. He starts off by answering the standard reporter questions of who, what, when, where, and why, leading off with “Why do we need InfoSec?” I won’t spoil it for you and tell you the answer he gives, but I will tell you that it’s one of those answers that is so simple and so obvious that it escapes most people. From there, he breaks down security into three main divisions: Physical Security, Technical Security and Administrative Security, and his explanation of the components in those areas comprise the bulk of the book. Everything that matters from fences to firewalls, passwords to phishing and how to deal with social engineering is covered.

What impressed me most, besides the practicality of the information, was the way it’s presented. Each section starts off with a relevant, pithy quote, then proceeds into “Why it matters.” Next, is “The Technobabble” wherein the author details the technical elements of the subject. This is followed by a “What it means” explanation of the technology. Sometimes, the section will include a “Scrappy Tip” about how to apply the information or expanding upon some particularly relevant aspect. Bottom line: The book is technical enough for a Geek, but written in a way that almost anyone who’s at least somewhat computer-literate can understand.

I found chapter 5 – “Inform and Inspire–Training That Gets Results” particularly useful since I am often tasked with training people on various aspects of technology.

The author wraps it all up by saying, “Personally, I’m mad as hell and I’m not taking it any more! So if just one person reads this book, takes the lessons to heart, and [applies 13 principles] then my effort was worth it.”

Well, Mr. Seese, I assure you, it was.

September 5, 2010  9:14 PM

Kudos to OpenDNS for Catching 1-millionth Phish

Ken Harthun Ken Harthun Profile: Ken Harthun

On August 13, 2010, David Ulevitch, Founder & CEO of OpenDNS announced in a blog post that their community-driven site,, had just caught its 1-millionth phish: “Today I’m excited to announce that the 1 millionth phish has been submitted to PhishTank. The “winning” submission was a fake Citibank UK website, which was quickly verified by the PhishTank community,” he wrote.

I’ve written about OpenDNS before: DNS rebinding defenses still necessary, thanks to Web 2.0, at in Jul. 2008; OpenDNS Service to Track and Block Conficker Worm, here in Feb. 2009; and, Top Ten Security Tools at in Apr. 2009. Most recently, I posted How to Combat Phishing Attempts on Sep. 3, 2010, mentioning OpenDNS as a tool to help combat phishing attempts. I’ve never mentioned PhishTank before, so I think it’s time I did.

Using OpenDNS means you and your network are protected against phishing attempts. One of the ways we identify which sites are fraudulent, and which ones are legitimate, is through, the community-driven site we operate that we’re proud to report is the world’s largest and fastest-moving clearing house of phishing data.

OpenDNS launched the site four years ago in October of 2006 to create a clearinghouse for phishing data that could be made available to other services via an API. At the time, there was no existing common source of phishing data that was fast-moving, accurate and reliable. I’m a member, and I hope you’ll consider joining. It is an important contribution to the entire web community and, unlike many community sites out there, the OpenDNS people realize this and appreciate their community members:

Thank you to the thousands of security pros, researchers, academics and concerned Internet users for their contributions to PhishTank. It’s you who have made this possible. You’ve protected tens of millions of people around the world, lending your expertise to help take the guesswork out of identifying phishing scams. It’s a credit to the community that we’ve reached this milestone. And in doing so, we’ve together helped protect not only people who use OpenDNS, but millions more, since the phishing scams reported and verified are also blocked by all of the Internet services PhishTank shares the data with.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: