Security Corner

July 29, 2010  5:57 PM

Why People Are Complacent About Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Every day I see another example of an insecure system. When I inquire about it, I’m told things like “Oh we used to keep up with it, but we haven’t had any problems” or “We don’t use that program anyway.”

I’ve always wondered: Why are they so complacent? I think I’ve finally figured it out: The ones who are so complacent are the ones that have never had anything bad happen to their systems.  For example, I have left my garage door open on occasion. Anyone could have walked into my house and taken anything they wanted; it didn’t happen. In fact, the one time I was robbed, 38 years ago, was when everything I owned was so securely locked, the thieves had to break the door frames on my house and smash my car windows.

Now, I don’t take any unusual chances, but, in truth, nothing bad ever happens to me, so I really don’t worry about security. This has to be why a lot of people go “ho hum!” when I talk about security. It’s like “Why bother? Nothing bad has or will happen to me.”

Well, given today’s environment (see my recent Secunia post), most people are simply whistling past the graveyard. Sooner or later, something is going to happen; maybe not today, maybe not next week or next month, but it’s inevitable.

What do you think?

July 27, 2010  1:41 AM

Secunia Half Year Report 2010 Paints a Bleak Picture

Ken Harthun Ken Harthun Profile: Ken Harthun

Secunia, the firm who provides the Personal Software Inspector (PSI) that detects vulnerable and out-dated programs and plug-ins, has just released  their first Secunia Half Year Report. In the report, Secunia looks at the last five years in terms of vulnerabilities, the threat posed by them and the outlook for 2010 based on the data acquired during the first six months of this year. The news is not good:

The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management.

Further, the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.

What’s interesting is that since 2005 in more than 29,000 products covered by Secunia’s intelligence, no significant up- or downward trend in the number of vulnerabilities could be discerned. But that just means that software is still just as insecure as it was five years ago; no progress is being made. Not surprising, ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco account for an average of 38 percent of all vulnerabilities disclosed on a yearly basis. Further highlights:

  • In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
  • During the first six months of 2010, 380 vulnerabilities or 89% of the figures for all of 2009 has already been reached.
  • A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

Secunia is testing its own Auto Update technology that will work with a broad variety of programs from a number of different vendors. They plan to release a version later this year with the intention to significantly improve the security of home users’ PCs.

Kudos to them, I say; it’s just a shame that the vendors themselves don’t take a more proactive role. That’s what absolutely must happen if we’re ever to get ahead of the curve.

July 26, 2010  12:56 AM

Vulnerability in Windows Shell Could Allow Remote Code Execution

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, Microsoft continues to keep us security professionals busy — and employed — which is both good and bad. Good, in that it keeps us employed; bad, in that puts people at risk. To wit:

Microsoft Security Advisory (2286198)

Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

This is a bad one. Really bad one. It apparently goes all the way back to NT–maybe back to the beginning of Windows–though Microsoft is only reporting that it affects currently supported versions. Here’s how it can be exploited:

An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the victim system.

An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

Steve Gibson in Security Now! Episode 258 says this:

The problem is that there isn’t anything clearly – there’s no real good solution for this. Microsoft has posted a Fix it which makes some changes to the registry and also shows what manual changes can be made. The problem is that the fix that is required, until we actually get the problem repaired, is that all of your link, all of your shortcuts stop being displayed, and you get sort of the generic white rectangle  . . .  instead of the normal link that you’re expected to see. And many of the icons that people are familiar with are actually shortcuts that they’re not really aware of. So they don’t always have that little curly arrow down in the lower left-hand corner, which is what you get when you have, like, a manual shortcut created to a file somewhere. It turns out that Windows uses these pervasively to sort of glue things together. So if people do this and then reboot the system as is necessary, suddenly you’ve got your, like, windows and control panel and all kinds of things are covered with these white rectangles. And now it’s not even clear that that solves the problem.

Stay tuned. There will be much more on this front in the coming week.

July 24, 2010  12:49 AM

The Router Attack is Back in the News – Ho-Hum

Ken Harthun Ken Harthun Profile: Ken Harthun

Subtitle: “How to Hack Millions of Routers”

This really isn’t anything new, it’s just back in the news again. According to this article on

Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner’s exploit could have their router hijacked and used to steal information or redirect the user’s browsing.

It’s the old DNS Rebinding Attack I wrote about two years ago:

DNS rebinding attacks, also known as anti-DNS pinning attacks, have been around for at least a decade, but they were virtually forgotten until recently. The attacks are an exploit in which a hacker uses JavaScript on a malicious Web page to gain control of the victim’s router.

A user, for example, could be tricked into visiting an attacker’s website. If a default router password is detected, the hacker’s JavaScript code could cause the user’s browser to change details on the router administration page. Those alterations then might allow the attacker to control the device remotely, and as a result, control the owner’s Internet communications.

So, what’s new about this? Is this some sort of new approach to vulnerability? Must have been a slow security news week. Not this week, however. A newly-discovered 0-day vulnerability in Windows is the top of the news right now. My take on that one tomorrow.

July 21, 2010  1:23 AM

Facebook is in trouble with Germany

Ken Harthun Ken Harthun Profile: Ken Harthun

The German government has very strict privacy laws and they like to enforce them. Specifically, saving private information of individuals who don’t use the site and haven’t granted it access to their details is a no-no.

An official in the German government recently accused Facebook of illegally accessing and saving personal data of people who don’t use the social networking site. I’m sure it happens through their “tell a friend” feature. In fact, Facebook has asked me to upload my contact list from my email accounts–the “tell a friend” thing–so that Facebook can then invite those people to join under the strength of my recommendation. That’s OK, but apparently Facebook retains the contact information, whether or not the people choose to join; that’s not OK particularly to the Germans.

“We consider the saving of data from third parties, in this context, to be against data privacy laws,” Johannes Caspar, a German data protection official, said in a statement. Facebook has until Aug. 11 to respond formally to the complaint.

I support Germany’s position. I use Facebook mainly to keep up with other family members and friends that are scattered about the world. At one point, I started taking on “friends” whom I really don’t know on the basis of their being “mutual friends” of my friends. I recently decided that, beyond my real friends and family, I don’t want connections. So, short of just canceling my Facebook account completely, I’m eliminating connections with anyone whom I haven’t personally had contact with. In other words, if I haven’t interacted with them on a social level, they’re gone.

And I certainly don’t want Facebook to share my email address with others or even keep it on file.

July 19, 2010  1:28 AM

Sunbelt’s ClearCloud DNS Sneak Peek

Ken Harthun Ken Harthun Profile: Ken Harthun

Sunbelt Software, maker of Vipre Anti-Malware software, is about to release a new DNS service, ClearCloud DNS, that is designed to prevent users from  inadvertently accessing dangerous websites. The service is so new, that Sunbelt hasn’t even finished building their website about it. As I write, the “What is ClearCloud?” page on their site,, still has Greek text in place–you know, the “Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce auctor mollis luctus” stuff. However, one server at is functional at this time.

They do have some information in their FAQ:

What is ClearCloud™?
ClearCloud is a service that provides safe and reliable web browsing by preventing you from going to websites that are known to perform malicious activity. It’s like having a GPS in your car that won’t let you turn down a street with known criminal activity.

How does it work?
At heart, ClearCloud is a DNS server. DNS stands for Domain Name System. Every website on the planet is located by a number address, known as an IP address, similar to a phone number. For example, Sunbelt’s IP address is While some folks can remember the phone numbers of all of their friends and family, most of us save phone numbers in our cell phone by their names.

DNS works the same way. It’s really a big phone book of all the IP addresses and website names, known as URLs (Universal Resource Locator), the address “name” of the website. It’s much easier to remember “” than to remember “”

I’ve been using OpenDNS for a couple of years with filters enabled, but it appears that Sunbelt Software is being proactive about not even listing the DNS addresses of known malicious sites. Malware that assumes you’re just using regular DNS may try to trick you with a spoofed address like to get you to go to a bad site. That site won’t be available if you use ClearCloud DNS.

I’ll keep you posted on this, but if you’d like to check it out, you can visit their site and see for yourself.

July 18, 2010  4:21 PM

I Just Scored 65.1% on the LastPass Security Challenge

Ken Harthun Ken Harthun Profile: Ken Harthun

Last week, I posted the results of my first LastPass Security Challenge where I scored 55.7%. I was a bit shocked that my security was lacking and vowed to fix it:

You can bet that I’m going to be hard at work fixing these issues and I’ll take the challenge again and again until I’m satisfied with the score. I plan to address one issue at a time to see how it affects the score. As I complete each stage, I’ll post the results here along with an explanation of what I did.

The first thing I did was address the duplicate password issue on 48 sites. On those sites, the password was actually quite strong at 10 characters long, but the number of duplicates lowered the overall password strength rating to under 5%. On each of the sites, I used the LastPass secure password generator with options set to use 10 characters consisting of upper and lower case letters and numerals (this passes my password meter test with a rating of “Strong”). Here are the highlights:

  • Top strength rating for passwords is 100% – my average is 58.9% Still way too low.
  • 20 unique passwords are used on more than one site – a definite no-no.
  • 141 sites are using duplicate passwords – some of these are OK, but poor practice.
  • 42 of my passwords score below 50% strength rating.
  • Average password length is 8.4 characters – slightly improved.

Will I ever get a 100% rating? Probably not, since there are sites I have stored in LastPass that I don’t consider important enough to devote any time to securing (news sites, blog comments, and the like). But I do intend to keep working on this until I get the highest rating I can attain without unnecessary effort.

You have to be a LastPass user to take the security challenge, but if you are, give it a try and see if you can beat my score!

Stay tuned.

July 17, 2010  11:20 PM

OMG! My Account is Pending Suspension!

Ken Harthun Ken Harthun Profile: Ken Harthun

I got this email last week and I confess that my initial reaction was one of concern and disbelief. Then, rational thought took over and I realized that I don’t have any association with Citibank. Here’s what it said:

Subject: Account Pending Suspension

Dear Citibank client,

You account may have been used by a third party.  For your
protection, we decided to suspend access to it.

To  remove the suspension, please confirm your identity
with us.

To do this, please download and complete the attached
html form.

We are sorry for the inconvenience, but your security
is our primary concern. 

Kind Regards,

Customer Service

Copyright © 2010 Citibank

If you take the bait, here’s the page you get:

Obviously, this isn’t a Citibank site, but I’ll bet some people have fallen for it. I’ll also bet their bank accounts have smaller balances than they should have!

July 16, 2010  2:07 AM

Novel Password Generation Idea That Helps You Save Money

Ken Harthun Ken Harthun Profile: Ken Harthun

Save money by generating passwords? You read it right. As far as I know, this is a completely original system that is a perfect incentive for everyone to generate secure passwords. If you use this system faithfully, it will help you save hundreds–maybe even thousands–of dollars per year; at the same time, it will keep you secure on the web. Of course, you could just use LastPass, but who am I to tell you what to do?

Open your wallet. You heard me–this requires cash to implement. Grab the largest denomination bill you have in there (mine is completely empty…). The bigger the bill, the more money you’ll save.

Look at the serial number; it should be at least 10 characters (that’s what it is on my dollar bill–actually, it’s my wife’s money… I’m broke).

Type the serial number into a text editor, shifting every other character.  That’s your password. Here’s an example: My dollar bill has the serial number B86407872D. That becomes B*6$0&8&2d (note that shifting the case of an already capital letter reverses the case–D becomes d). Take a pencil and make a note in the white space on the bill what this password is used for. Fold it up and put it back in your wallet where you won’t spend it.

How does this help you save money? Well, now you can’t spend the bill because its serial number is your password reminder. Don’t cheat and write the password down; it defeats the purpose. I recommend you use 20’s, 50’s and 100’s as they can add up quickly depending on how many secure passwords you need. Now, when it comes time to change your passwords, simply use new bills and deposit the old ones into your savings account.

If you use 50’s for six passwords and change them every three months, you’ll save $1200 a year.

In my case, I’ll save $24 a year, but, hey, that’s a nice dinner out as a reward for being security conscious.

I hear the moans and groans, people. Yes, it’s very insouciant of me, but I’m not kidding. It does work.

Your comments?

July 11, 2010  11:30 PM

I Just Scored 55.7% on the LastPass Security Challenge

Ken Harthun Ken Harthun Profile: Ken Harthun

Back in 2010 February, I wrote about LastPass and touted its ease of use. I also talked about how easy it made the habit of using secure passwords:

Besides the convenience of having all of my site login information in one place I like the the way LastPass makes it easy for me to use secure passwords. Since all I have to remember is the master password to be able to log into LastPass, I don’t have to fudge around with mnemonic systems and such to make easy-to-remember complex passwords; I simply use the program’s built-in password generator to get strong, random password strings.

What I didn’t realize (until today) was how insecure I really am. The LastPass Security Challenge securely analyzes the strength of your passwords, alerts you if you have any duplicate or weak passwords, and tells you how to make them more secure. Of course, being a security wonk who has written countless articles on the subject, I know how to make them more secure. The problem–I’m embarrassed to say–is that I haven’t even taken my own advice.

For obvious reasons, I don’t want to give away too much information; however, I’ll hit the highlights:

  • Top strength rating for passwords is 100% – my average is 57.1% Yikes!
  • 25 unique passwords are used on more than one site – a definite no-no.
  • 204 sites are using duplicate passwords – some of these are OK, but poor practice.
  • 48 of my passwords score below 50% strength rating.
  • Average password length is 8.3 characters – 10 characters would be better.

You can bet that I’m going to be hard at work fixing these issues and I’ll take the challenge again and again until I’m satisfied with the score. I plan to address one issue at a time to see how it affects the score. As I complete each stage, I’ll post the results here along with an explanation of what I did.

I also want to give a mention to Steve Gibson who does the Security Now! podcast with Leo LaPorte each week. Episode 256, “LastPass Security,” delivers Steve’s “long-awaited, in-depth review and evaluation of LastPass. Steve explains the nature of the need for high-security passwords, the problem that need creates, and the way the design of LastPass completely and in every way securely answers that need.”

You have to be a LastPass user to take the security challenge, but if you are, give it a try and see if you can beat my score!

Don’t forget to leave your scored in the comments.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: