Security Corner


September 14, 2013  11:07 PM

LastPass would shut down service before cooperating with NSA over weakening or installing backdoor



Posted by: Ken Harthun
Password, Secure Computing, Security, Security management

According to USA Today, the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), have cracked encryption codes and have inserted secret “back doors” into security software through covert partnerships with technology companies and ISPs.

Perhaps I’ve gotten numb over all of this because I am not surprised.

Our friends at LastPass, however, want to make it very clear that they will have nothing to do with these shenanigans. In fact, they will shut down their service before cooperating with the government goons. Here’s an excerpt from a September 10 blog post:

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

This is right in line with the way I feel about covert government operations and is one of the big reasons I will continue to stick with LastPass. They conclude with this:

We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

September 8, 2013  11:04 PM

Patch Tuesday: 8 remote code execution holes



Posted by: Ken Harthun
Microsoft Windows, Secure Computing, Security, Security bulletin, Security management, Vulnerabilities

Microsoft’s Patch Tuesday will be a big one, with 14 patches, eight of which address remote code execution holes.

The biggest patch is Bulletin 3, rated critical, addressing remote code execution vulnerabilities in all versions of Internet Explorer from IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT. This patch requires a reboot.

In addition to remote code execution (RCE) vulnerabilities, the patches also address privilege elevation and denial of service flaws.


September 7, 2013  3:33 PM

What does the future hold for passwords?



Posted by: Ken Harthun
Password, Secure Computing, Security, Security management

I’ve written a lot about passwords in this blog, and for many security and tech bloggers it remains an evergreen topic. For all its problems, the password still holds sway as the primary authentication method. But with attacks becoming ever more sophisticated and users predictably choosing weak, guessable passwords, one has to wonder how long we can really keep on using them.

In theory, a password is an ideal authentication token, assuming knowledge of it resides only in the mind of the owner and it is securely stored on any other systems only in encrypted form. Practically, however, we know that this is rarely the case.

So what does the future hold? How can we replace the ubiquitous password with something more secure and less vulnerable to attack?

In life, we authenticate each other mainly by facial recognition, sometimes by voice (as in over the phone). Faces and voices are all unique and probably impossible to duplicate, though a voiceprint pattern could probably be altered by physical surgery. How about some combination of facial recognition combined with a spoken passphrase? That would give you three factors: face, voiceprint, passphrase.

Palmprints, fingerprints and iris scans could all be used to authenticate you by capitalizing on their uniqueness, and various combinations of these could be devised.

The problem with these things, however, is that the hardware and software necessary to implement them effectively present costs in terms of both money and system overhead. Facial recognition and voiceprint could be implemented easily using the webcams and built-in microphones on laptops and other smart devices.

Without a doubt, we eventually will see the password replaced by better methods. What do you think those methods will be?


July 31, 2013  10:56 PM

Humor: Bob, you’ve been phished!



Posted by: Ken Harthun
Fraud, Humor, Phishing, Security, Security Humor, Video

Time to lighten up a bit. This hokey “PSA” about phishing is really true, but the payoff in hilarity comes at the end. Pay careful attention to the “date” that Bob managed to finally get from that online dating site.

Hope your July was great and here’s to a fantastic month of August!


July 31, 2013  12:41 AM

Internet Safety: A Cautionary Tale



Posted by: Ken Harthun
Security

One more on the dangers of the internet and this one is the best yet. Good tips wrapped up in a credible story.


July 31, 2013  12:40 AM

Three ways to deal with an attack on your network



Posted by: Ken Harthun
Cybercrime, Ethical hacking, Hacker, hackers, Secure Computing, Security, Security best practice, Security management

The way I see it, you have three choices when it comes to dealing with an attack on your network:

  • Confront it. Be proactive. Go after the attackers and fight back. Bullies and cowards – which comprise most of the script kiddie population – will turn tail and run if you let them know you’re going to fight back. Even the few organized criminal elements, unless they have some political agenda and can use you to forward it, will give up easily in the face of a determined counter attack.
  • Neglect it. Let them play around and waste their time as long as they aren’t doing any real damage. Just make sure that they can’t get beyond your sandbox or firewall. Sooner or later, having not obtained anything of value, they’ll give up.
  • Turn in your resignation and run screaming out the door because you failed to put adequate security measures in place. Don’t laugh: It has happened.

By far, the best approach is to confront the threat and engage in an active counter strike. This can be done by immediately implementing logging of all attack traffic and engaging law enforcement to help trace the attack back to its source. The bad guys want to remain anonymous: Do everything you can to make them visible.

Do you agree, or disagree? Comments, please.


July 28, 2013  9:20 PM

Everyone knows Sarah



Posted by: Ken Harthun
Secure Computing, Security, Security best practice

Every day, I see student computers and laptops infected with malware. Every day, I see questionable posts made by people who think only their friends can see what they write. That’s what “Sarah” thought and this video is a reminder that the internet is a very dangerous–and public–place. Please impress upon family, friends and co-workers that prudence is the best approach.


July 27, 2013  4:22 PM

Criminal ransomware tricks child sex abuse image addict into turning self in to cops



Posted by: Ken Harthun
Cybercrime, Malware, Poetic Justice, Secure Computing, Security

Call it poetic justice. Call it criminal stupidity. Call it what you want. I call it hilarious. I got a good laugh out of this at a time when I certainly need some laughs. From Sophos’ Naked Security blog:

A US child abuse image collector turned himself in to local police earlier this month, after ransomware hit his PC and showed messages warning him that the FBI were on to his nasty activities.

Jay Matthew Riley, 21, of Woodbridge, Virginia, was apparently hit by the ransomware attack while surfing the web to add to his collection of unsavoury images.

As is usual with such malware, he was shown a warning demanding cash in return for keeping quiet about his suspicious activities.

He fell for the scam. Good for him. Maybe he’ll turn his life around.

The problem is that regular, law-abiding netizens get this ransomware, too, and those that fall for it and pay the bogus “fine” end up a few hundred dollars lighter in the wallet. Oh, and their banking information is probably compromised, too, so the losses can end up being much greater.

Law enforcement, especially the FBI and other three-letter agencies, do not enforce the law by such means, so NEVER comply with any directive to pay “fines” or “penalties” when such things pop up on your screen. Best to call your favorite Geek and have him/her clean the malware off your machine.

On the other hand, if you are a pedophile or sexual predator, feel free to head down to the local police station, where they should be able to help you out with three hots and a cot for a long time.


July 25, 2013  12:15 AM

Video: The internet is a dangerous place



Posted by: Ken Harthun
Secure Computing, Security, Video, YouTube

This is a very interesting video produced as a promo for security firm Comodo. It is almost four years old. The statistics were alarming back then. I wonder how much the dangers have expanded since?


July 14, 2013  7:42 PM

How to defeat online surveillance



Posted by: Ken Harthun
Big Brother, cyber security, Cybersecurity, Encryption, InfoSec, Infowar, Security

By now, we all know that each of us is being monitored: All of our electronic communications, email, Internet traffic, cell phone transmissions, faxes, even landline calls (which are really all delivered via microwave towers these days), are being intercepted and recorded in massive data centers run by the NSA. There are probably other secret three-letter (or four-letter, depending on your viewpoint) agencies that we don’t even know about yet who function as backups to the ones we do know about.

It’s unfortunate that our government is forcing its citizens to learn the art of surveillance in order to protect our First Amendment rights under the United States Constitution. This is being done, purportedly, to protect us from terrorism. The truth — and this is known by those who are doing it — is that our government is out of control and fears that its criminal activities will be exposed. I’m not talking about what we already know, I’m talking about those deep, dark secrets that, if discovered, could bring the government down.

But, that’s for others to address and fix.

There have long existed techniques for jamming radio transmissions to cripple enemy communications in times of war. One of these techniques is the transmission of high power carrier signals containing nothing but noise spread across the known frequency band the enemy is using, making it impossible for the enemy to get any valid traffic through the noise. This principle is applicable to internet traffic with a twist.

One could simply record random atmospheric noise in MP3 files, encrypt them to make them look like something of interest and keep a steady stream of them flowing from one’s internet connection to the cloud. Done with sufficient volume, this would tend to mask most of your valid traffic, burying it in the noise, so the watchers would have to sort through useless, random noise.

I’m not advocating this, mind you, just making an observation. I could probably turn this into a plausible plot for a cyber-thriller novel, but I’m not a novelist. If any novelist finds this an interesting plot, feel free to run with it.

