Security Corner

March 11, 2010  2:36 AM

$120M Stolen by Hackers in Three Months

Ken Harthun

David Nelson, an examination specialist with the FDIC, says that online banking fraud involving the electronic transfer of funds rose to over $120 million in the third quarter of 2009. He presented his estimates Friday at the RSA Conference in San Francisco.

I wrote about this in October, 2009 in my article, “Protecting Your Business From Online Banking Fraud.” I wasn’t the only one to advocate secure read-only systems to use for banking, but it looks like the message didn’t spread very far. Businesses need a security manager to prevent such losses.

Let’s see, if I were to charge, say, a 1% fee based on the monthly ACH transfer volume of a given company to keep them secure, and that company was doing $1M/mo., that would be a good living. Hmmm…just might have to look into that.

Better to pay 1% than to lose 100%, don’t you think? Especially when you consider this: “Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses,” Nelson said. Bullitt County, Kentucky suffered a loss of $415,000: PC Invader Costs Ky. County $415,000.

Wake up, people!

March 9, 2010  1:33 AM

Security Humor: Anti-Terrorism Honor System

Ken Harthun

Well, I’ve tried everything I can to embed this, but it’s not working. Just click on the link. This is hilarious, I “pinky swear!”


March 5, 2010  9:11 PM

Why It’s Important to Monitor Your Finances Closely

Ken Harthun

Being the security-conscious person that I am, I keep close tabs on my credit card and bank accounts. Everyone should monitor their finances closely; unfortunately (for them), many don’t. My daughter is one of those.

Imagine going to the bank to withdraw your rent money and being told you don’t have enough in your account. Panic. You know the money should be there; after all, you haven’t spent it. But someone did. That “someone” ran up a series of small purchases on the debit card totaling nearly $500 over a period of about a week. What’s a mystery at this point is who got access to the card and how, but that’s not the issue here.

The issue is that the very first unauthorized purchase should have been noticed and the bank informed of the fraud. Close monitoring of the account–I’m talking checking it on a daily basis–would have saved my daughter from considerable anxiety and inconvenience. It’s not that difficult to log on and check the transactions.

The good news is that the money will be returned by the bank, but it’s going to take a week or so to wrap up the investigation.

For those who are just too busy or don’t want to fool with it, there are services out there that monitor credit card and bank accounts and alert you if suspicious activity is noted. But these services charge anywhere from $12.99 to $19.99 a month and really don’t do anything that you can’t do yourself.

I’m betting that my daughter will take my advice.

March 4, 2010  7:37 PM

How NOT to Fight Spam

Ken Harthun

I received this in response to a legitimate email sent out to one of my double opt-in subscribers at Ask the Geek. You can certainly tell that this poor soul is seriously frustrated. The first problem is that he has a Hotmail account, which is a spam magnet in itself. The other problem is that this message will probably never get to anyone who matters, and it only confirms that he has a valid email address.

Although I share his sentiments somewhat, I don’t recommend this approach. It’s a waste of time.

Subject: Vacation reply
To: You!



ALSO, Due to me being in an area that does not allow reliable internet connections, every email sent to this account will be forwarded to another email address that I do have routine access to, and if you are a friend, family, or someone I have business with, I will respond to you from that email address.


March 3, 2010  5:59 PM

Botnet of 13 Million Infected PCs Dismantled

Ken Harthun

The Mariposa (“butterfly” in Spanish) botnet, which infected nearly 13 million PCs and spread to more than 190 countries, has been taken down, thus ending a global menace that affected more than half of the Fortune 1000 companies and more than 40 major banks. Three people alleged to be the botnet’s ringleaders have been arrested by authorities in Spain; more arrests are expected soon in other countries.

According to the AP report, Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, said that the three suspects are Spanish citizens with no criminal records. They weren’t hackers but had underworld contacts who helped them construct and run the botnet.

The botnet was set up to steal online login credentials for banks as well as email services from compromised Windows PCs.

Panda Security was part of the Mariposa Working Group (MWG) along with Defence Intelligence, the Georgia Tech Information Security Center and other international security experts and law enforcement agencies. MWG was formed to eradicate the botnet and bring the perpetrators to justice. According to the PandaLabs blog, here’s what went down:

The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.

Good riddance!
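The sinkhole census the PandaLabs team describes (redirect the C&C hostnames via DNS, then count the distinct IP addresses that keep checking in) is easy to reproduce on a small scale. The script below is an added illustration, not code from PandaLabs, the Mariposa Working Group or this blog; the log format, the sinkholed hostnames and the sample lines are all constructed.

```python
"""Sinkhole census: count bots that check in after C&C domains are redirected.

Added illustration only. The log format, hostnames and IPs are constructed
(documentation ranges and the reserved .invalid TLD), not Mariposa data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: hostnames whose DNS records now point at the sinkhole.
SINKHOLED_CC = {"cc1.example.invalid", "cc2.example.invalid"}

# Constructed sinkhole access log: "<iso timestamp> <source ip> <host requested>".
SAMPLE_LOG = """\
2009-12-23T10:00:01 203.0.113.5 cc1.example.invalid
2009-12-23T10:00:02 198.51.100.7 cc1.example.invalid
2009-12-23T10:00:03 203.0.113.5 cc2.example.invalid
2009-12-23T10:00:04 192.0.2.9 other.example.invalid
2009-12-23T10:00:05 198.51.100.8 cc2.example.invalid
malformed line
"""


def parse_line(line):
    """Return (timestamp, ip, host) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def census(log_text, sinkholed=SINKHOLED_CC):
    """Count distinct bot IPs overall and per sinkholed C&C hostname.

    Returns (total_distinct_ips, {host: distinct_ips}, skipped_lines).
    A bot talking to two C&C hosts is counted once in the total, so the
    total is the botnet-size estimate and the per-host figures may overlap.
    """
    per_host = defaultdict(set)
    all_ips = set()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep going; one bad line must not stop the census
            continue
        _, ip, host = rec
        if host not in sinkholed:
            continue              # unrelated traffic that happened to hit the sinkhole
        per_host[host].add(ip)
        all_ips.add(ip)
    return len(all_ips), {h: len(s) for h, s in per_host.items()}, skipped
```

Running `census(SAMPLE_LOG)` on the constructed log yields three distinct bots, two per C&C host, and one skipped line.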

February 28, 2010  10:45 PM

When “Security” Becomes Onerous

Ken Harthun

If you can even call this kind of conduct “security,” it’s utterly unacceptable and if proven to be true, there should be–at the very least–several firings, starting at the highest level where this was authorized and/or ordered. I would hope to see criminal charges come out of the investigation. I’m referring to Blake J Robbins v Lower Merion School District (PA) et al filed in U.S. District Court for the Eastern District of Pennsylvania. The case will probably be certified as a class action. If this doesn’t raise your hackles–and your ire–you’re not paying attention.

Unbeknownst to Plaintiffs and the members of the Class, and without their authorization, Defendants have been spying on the activities of Plaintiffs and Class members by Defendants’ indiscriminant use of and ability to remotely activate the webcams incorporated into each laptop issued to students by the School District. This continuing surveillance of Plaintiffs’ and the Class members’ home use of the laptop issued by the School District, including the indiscriminant remote activation of the webcams incorporated into each laptop, was accomplished without the knowledge or consent of the Plaintiffs or the members of the Class.

Besides the obvious invasion of privacy, how about the arrogance displayed by the Asst. Principal as indicated by this:

23. On November 11, 2009, Plaintiffs were for the first time informed of the above-mentioned capability and practice by the School District when Lindy Matsko (“Matsko”), an Assistant Principal at Harriton High School, informed minor Plaintiff that the School District was of the belief that minor Plaintiff was engaged in improper behavior in his home, and cited as evidence a photograph from the webcam embedded in minor Plaintiff’s personal laptop issued by the School District.

The “what ifs” in this situation are obvious. Chief among them would be what if a student left the laptop on in his or her room and then engaged in some “improper behavior” of the kind that every teenager engages in during puberty? Or, perhaps that is what was captured in the incident in question. Even mere nudity could be construed as child pornography and I would certainly prosecute that.

You form your own opinion, but I’d sure like to hear from you on this. Leave a comment.

In the meantime, I hope every student has either turned in their laptop and refused to use it or has covered the camera lens and blinded it.

Read the entire filing: Blake J Robbins v Lower Merion School District (PA) et al.

February 27, 2010  2:02 AM

Waledac is Now Virtually Headless

Ken Harthun

Waledac Infections Worldwide

Microsoft isn’t playing around anymore. Through legal action and technical cooperation with industry partners, they have managed to take down Waledac, a large and well-known spambot that is estimated to have infected hundreds of thousands of computers worldwide. According to their blog, “…Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.”

On February 22, in response to a complaint filed by Microsoft (“Microsoft Corporation v. John Does 1-27, et al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

This is good news! Cutting them off at the .com domain level is a virtual beheading.

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

Click here for a map of the infection.

February 26, 2010  2:23 AM

Simple Security

Ken Harthun

Complexity, they say, is the enemy of security. Actually, I think it was Bruce Schneier who I first heard it from. It has come to be one of those “everybody knows” things, however, so it’s irrelevant who first said it. Nevertheless, it’s true. The more complicated the software, device, or campus, the more room for error.

Good security for your stash of cash would be to encase it in a 3'x3'x3' concrete cube and bury it where no one but you can find it. That’s pretty simple. Of course, this isn’t practical, so we have to look at other means. Enter complexity.

We keep the concrete, but add a sealed access panel. Security hole #1. It’s a little easier to breach now, but still impractical to access, so we remove the sealant and add a lock. But what if we lose the key? Add a hidden back door access panel that only the owner knows about. But what if the owner dies? No problem, have a secret, secret back door that only the manufacturer knows about. On and on, ad nauseam it goes until there are so many “features” to accommodate every possible scenario that all it would take is a six-year-old kid with a big stick to open the “vault.”

Think about it. Used to be that you had to enter data in every field of a database manually. It didn’t matter if you were entering the same thing for a certain field in each record, you had to type it in. These days, you start typing and the software suggests the contents based on your last few entries. Convenient, but that’s cached somewhere and unless that cache is encrypted, it’s subject to compromise.

That’s just one “feature” of modern software. As we all know, modern software is all about giving everyone everything they want. And when you try to please everyone (which you can’t do anyway), you make software very complex. When you try to make all of those features play well with each other, you take shortcuts and you make mistakes.

Bye, bye security.

When I was programming back in the day–in assembly language–when you said “jump,” that’s what happened, the program did what you told it to do. These days, when you say “jump,” the program asks you if you really want to jump and suggests that the last command you gave was “leap,” which is almost the same, but not quite.

I know, I’m ranting. I’m tired. And my spell checker just misinterpreted my Latin phrase above and suggested that it was “nauseous.”

I hope I’m not nauseous to people, but right now, I’m a bit nauseated (the correct term for having the feeling of nausea, as in “that nauseates me,” NOT “that makes me nauseous”).

Oh, well. People program the spell checkers, too. And people make mistakes.

Bye, bye security.

February 24, 2010  3:24 AM

A Tale of Two PCs

Ken Harthun

“It was the best of times, it was the worst of times; it was the age of wisdom, it was the age of foolishness; it was the epoch of belief, it was the epoch of incredulity; it was the season of Light, it was the season of Darkness; it was the spring of hope, it was the winter of despair; we had everything before us, we had nothing before us; we were all going directly to Heaven, we were all going the other way.”

Dickens couldn’t have done a better job of describing the Internet today. Let me illustrate.

PC 1 – User profile: Uses pay-for-download sites to build music library; avoids risqué sites; instantly spots “My Dear Friend” emails and deletes them; calls friends to ask them if they sent an email link and never clicks when not sure; knows that PayPal, the IRS and their bank never request their password in an email; closes popups and scans for malware if one shows up. PC profile: Plugged into NAT router that has SPI firewall built in; security suite up to date; Windows firewall enabled; automatic updates enabled; uses alternative browser.

PC 2 – User profile: Loves to surf the web looking for free music downloads; occasionally surfs “soft” porn sites; has sympathy for the poor Nigerian gal who just lost her father and needs help to move USD 20,000,000 into a safe bank account in the US; clicks links in email; thinks phishing is a fun thing that people do; recently received warning that PC was infected and bought “repair” service via scareware popup. PC profile: Plugged directly into broadband router; AV software bundled with new PC expired months ago, not renewed. Windows firewall disabled by malware; automatic updates disabled; uses IE 6.

Need I say more?

February 21, 2010  11:48 PM

Security on Public PCs – NOT!

Ken Harthun

Sorry. There’s nothing you can do to make a public computer safe. I’ve had family members ask me whether, while their computer at home is down (due to spyware, adware and viruses, mind you), it’s OK for them to go to the library and pay their credit card bills, check their bank accounts, etc.

OMG! Are you crazy? I don’t really say that to them, but you get the idea. The answer is NO! NO! NO!

There is no such thing as a secure publicly accessible computer. And if you don’t want to listen to me, let me defer to security expert Steve Gibson of the Security Now! podcast; if you don’t believe him, you’re just beyond help!

…it would be nice to be able to say that there’s a way to reliably defeat keyloggers on public computers. And I’ve got to say that there isn’t. I can’t think of probably anything more frightening than using a public computer, that is, like a computer in a library or in an Internet cafe that is being used by lots of people, I can’t think of anything more frightening than to use such a machine for critical, sensitive work…I don’t think there’s any way you could argue that anything you could do…could make it safe. There could be a keystroke logger in the keyboard.

… So I would like to completely disabuse anyone from the idea that using a public computer can be safe.

Thanks for the help, Steve. I agree!
