Security Corner


February 18, 2010  2:30 AM

Anonymity and the Internet

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s a faction that believes the solution to all our security woes on the Internet is a universal identification scheme. Anonymity is a bad thing in their book and if we get rid of it, we’ll know where all the bad stuff is coming from. We’ll be able to identify the spammers, the phishers, the source of all the DDoS attacks, malware mongers and the predators who threaten our children. We’ll achieve Internet Utopia!

Only, it won’t work. To eliminate anonymity would mean that every single packet on the Internet be tagged with the identity of the sender. The bandwidth cost would be astronomical, for one thing, not to mention the cost of implementing an infrastructure to certify the identity of every user and computer on the Internet. Besides that, it’s just too easy to re-anonymize a packet. I have to agree with Bruce Schneier’s position in the essay Schneier-Ranum Face-Off: Should we ban anonymity on the Internet? Here’s an excerpt of a key point:

Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I’d just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communication.

The push for universal identification on the Internet, besides being an impossible task, is a concept almost as ridiculous as banning the killing of certain animals we use for food on the grounds that it’s cruel.

Well, maybe it’s not quite that bad, but it’s close.

What do you think?

February 17, 2010  3:28 AM

Mozilla Alert About Sothink Was False Positive

Ken Harthun Ken Harthun Profile: Ken Harthun

Better a false positive than no warning at all, I say. And the one real alert was confirmed. Here’s the scoop as reported by Mozilla in their blog:

Last week, we disclosed two instances of suspected malware in experimental add-ons on AMO.  Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware.  The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan.

Recall that I reported on this last week: Mozilla Missed Malware in Infected Firefox Add-ons.

Here’s an idea: Err on the side of false positives rather than denial. Sure, it would be a little inconvenient to deal with, but at least we’d all be more secure as a result, don’t you think?

Well, what DO you think? Send me some feedback!


February 17, 2010  2:37 AM

Heal thy apps, they (plead) stipulate

Ken Harthun Ken Harthun Profile: Ken Harthun

Such a good tag line, I just had to steal it from The Register and this article.

This is a novel idea. If you were responsible for writing secure code, how would you like this? Would you agree to such a contract?

Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications.

Here’s the list: http://cwe.mitre.org/top25/. What do you say? Are you up to it?

Microsoft could learn something from this.


February 16, 2010  3:56 AM

Top Five Security Tips for Everyone

Ken Harthun Ken Harthun Profile: Ken Harthun

No matter what operating system you use for computing, security is a consideration. We connect to networks every day that we have little or no control over. Everyone uses email and there is no OS that can secure against or prevent a phishing attack. It comes down to a matter of best practices and education of the person at the keyboard.

Here are my top five security tips that anyone can employ and everyone should employ.

1. Use strong passwords. It goes without saying that strong passwords are an absolute necessity to thwart brute force attacks, but even more important than using strong passwords is using different strong passwords for different puposes. Far too many people use the same password on multiple sites. This is bad; even worse is using the same password for your financial accounts as you use on social networks. On a recent service call, I was asked to recover an Excel spreadsheet my client used to store login information. While verifying I had the right file, I noticed that the same password was used on eight sites, six of which were financial sites; the other two were Facebook and Twitter. Yikes! I gently suggested that this is not a good idea.

2. Use encryption. On the most basic level, such as to secure text files containing your banking information, passwords, etc., you can employ simple, readily available tools to encrypt single files or directories you want to protect. One such tool that I have good success using on idividual files is AxCrypt. Another good tool is LockNote, a portable memo pad that enables you to store text information using 256-bit AES encryption. For more extensive encryption needs you’ll want to use something like TrueCrypt. Naturally, sensitive communications should be encrypted as well. For that you can use GnuPG.

3. Keep your software updated. While automatic updates for operating system security holes occur regularly, users often neglect to patch their applications. Big mistake. It’s just as important to keep third party software patched. Secunia’s free Personal Software Inspector will test every application on your system and give you a detailed report, included recommended actions to take.

4. Don’t trust open wireless networks. This is worthy of an entire article. Just remember that “open” means just that. Don’t login to any site that doesn’t have a persistent SSL/TLS connection, especially financial sites.  Email isn’t safe either. For example, Yahoo! mail employs an initial secure connection for login and then immediately switches to an insecure connection. Same with Hotmail. Gmail does it right and maintains the secure connection throughout the session. If you don’t want your private email messages to be sniffed out of the air, don’t use insecure webmail.

5. Protect the perimeter. At bare minimum, you must install a NAT router between your high-speed Internet connection and you home network. Even better would be one with an integrated SPI firewall and lock it down tight.


February 12, 2010  4:11 AM

Does This Qualify for a Darwin Award?

Ken Harthun Ken Harthun Profile: Ken Harthun

Suzie Secretary received an email with the subject “Fire Your Boss.” She opened it. In it, she found a link which she clicked. She was taken to a website with a home page that contained this text (reproduced exactly as found):

Although this is a brand new site and a new carrier for me my main aim is to give you the oppertunity to browes this web site at your own pace to find excatly what it is you want and if we dont have it then please let us know and we will do our best to have what you want avalable.Just Email us and let us know what it is you are looking for a paticular product or eBook what ever it is you require and remember with any order you place thier is a full 30 day money back garrenty so thier is absolutly no risk of any kind wether you use the product for 1 day or 30 and then dont want the product or its not what you wanted then just send a quick Email and we will refund the money all we ask is that you delet the product from your computer.So please enjoy browsing

There were several pages on the site, all of which were sales pages with similar atrocious English. On each page was an order form asking for personal information and a credit card number. Suzie “ordered” one of the products with her credit card. She never received it. The advertised price was $49. Her credit card was charged $490. Twice. It finally dawned on her to report the fraud to her credit card company.

Duh! Some people should never be allowed near a computer.


February 10, 2010  9:25 PM

Software for Secure Computing: LastPass

Ken Harthun Ken Harthun Profile: Ken Harthun

Sometimes, a program or utility becomes such a part of the computing experience that we take it for granted. Such is the case with LastPass; it seems so “there” that I don’t even remember how long I’ve been using it. What I do remember is why I started using it. I had been using the portable version of KeePass, the Open Source password manager and had built up a large database of passwords. One day, I forgot the USB thumb drive with KeePass on it and was absolutely lost. I decided right then that I needed a solution that was securely accessible from anywhere. That’s when I switched.

Besides the convenience of having all of my site login information in one place I like the the way LastPass makes it easy for me to use secure passwords. Since all I have to remember is the master password to be able to log into LastPass, I don’t have to fudge around with mnemonic systems and such to make easy-to-remember complex passwords; I simply use the program’s built-in password generator to get strong, random password strings.

Probably the most powerful security feature is the support for one-time passwords (OTP). From a secure PC, you simply log into your secure LastPass vault on the website, configure a few OTPs, print them out and store them in your wallet. Then, if you ever have to access your LastPass vault from a public kiosk or insecure public WiFi hotspot, you just use one of the OTPs. Even if a keylogger snags it, the password cannot ever be used again. Your vault remains secure.

Even if you’re already using some other password manager program, you can easily switch. It’s simple to import existing passwords from Internet Explorer, Firefox, RoboForm, 1Password, KeePass, MyPasswordSafe, Password Agent, Password Safe, Sxipper, Passpack and TurboPasswords.


February 7, 2010  4:14 PM

Mozilla Missed Malware in Infected Firefox Add-ons

Ken Harthun Ken Harthun Profile: Ken Harthun

Two Firefox add-ons located in the experimental section of Mozilla’s official add-on download site were recently discovered to contain trojans. Despite the ability of commercial anti-virus Products to detect the trojans since 2008, The Register reported that “…a scanning tool used by Mozilla to vet add-ons during upload failed to catch the malicious files.” Here is what Mozilla had to say in a recent blog post:

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Apparently, the addition of two additional malware detection tools to its validation chain is what allowed Mozilla to discover the most recent infected add-on:

AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader.

Mozilla reports that no other instances of malware have been found.

Here’s a list of anti-virus software known to detect the trojans in the infected add-ons:

Antiy-AVL
Avast
AVG
GData
Ikarus
K7AntiVirus
McAfee
Norman
VBA32


February 5, 2010  2:51 AM

Security Humor: *[Adjective] Computer Worm [verb] Internet*

Ken Harthun Ken Harthun Profile: Ken Harthun

You really have to be a Geek to enjoy this, but it’s hilarious. Pete Lindstrom who writes the Spire Security Viewpoint blog, originally wrote this in 2003. Here’s an excerpt:

In the wee hours of [date], a [adjective] computer worm spread [adverb] throughout the Internet. Dubbed [silly name] because [ridiculous reason that doesn't explain anything about how it works], and also known as [another random name] and [another random name], the worm has infected an estimated [number] systems within [length of time]. Experts are calling this worm the most [adjective] since [date in the past].

The worm exploits a hole in [Microsoft product name] that was first identified [number] months ago by [security company name].

It gets better, believe me. Read the rest of it here: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/adjective_compu.html


January 31, 2010  11:18 PM

A Password Challenge Contest

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m going to end this first month of 2010 with a password challenge contest. There are two entry categories: The Top Ten List of Worst Passwords; and, the Strongest Short Easy-to-remember Password . One First Prize winner in each category will get a free copy of my Geek Toolkit. Here are the rules:

Top Ten List of Worst Passwords: Compile your own Top Ten List of the worst passwords you’ve seen or read about. I will compare that with my compiled list from authoritative sources. The person whose list matches the most entries on my list wins. If there are ties, everyone wins.

Strongest Short Easy-to-remember Password: In ten characters or fewer, come up with a strong password that is also easy to remember. Random strings are not allowed, i.e., I won’t accept Xcy4lmO3az. I will judge the strength of the passwords using my Password Meter at Ask the Geek. You must tell me what makes the password memorable to you. For example, can you write down a password hint that means nothing to me, but that tells you what the password is? If there are ties, everyone wins.

You may send an entry for either or both categories, but they must be in separate emails. Use my secure contact form to enter (http://askthegeek.kennyhart.com/index.php/ask-a-question/). Deadline is Sunday, February 7, 2010

Results will be published.

Good luck!


January 31, 2010  10:41 PM

The No. 1 Mistake in Security: Failing to Educate Employees

Ken Harthun Ken Harthun Profile: Ken Harthun

Ask almost any infosec expert what is the biggest mistake in security and he or she will answer that it’s failing to educate employees. While certain professions that fall under HIPAA, GLBA and other legislation are required to implement security awareness programs, the vast majority of businesses are not required–and don’t provide–such education to their employees. Let me give you two actual examples from my own experience to illustrate how even a very simple program can make a big difference.

The Wrong Way–ABC Company didn’t even have a security policy in place much less do any kind of employee training. The management had the misguided idea that since they spent a lot of money on a firewall and anti-malware software on the servers and PCs, they didn’t need to concern themselves with any security risks. One fine Spring afternoon, the receptionist received a call from someone claiming to be from the local ISP who told her that her password had been compromised and asked her to visit a certain web site to change it. Not knowing any better, she happily complied and her computer was infected with a spambot that caused all kinds of trouble before I finally got it under control.

The Right Way–XYZ Company has a very simple, but effective, security policy in place. Employees are given a one-hour orientation on security when they are hired and the sessions are repeated on a bi-monthly basis. Each session starts with this basic statement of security policy: “XYZ Company prides itself on having a secure network and a safe working environment. The reason we do is because of you.” The rest of the session is devoted to explaining what to watch out for in terms of email phishing attempts and social engineering attacks and what to do about them. It’s kept simple all the way and in each session, the same information is repeated. It works; they’ve never had a serious security problem.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: