Security Corner


July 16, 2009  8:28 PM

Hacker HighSchool is a Great Idea!

Ken Harthun

Steve Gibson of Spinrite and Security Now! podcast fame talked about Hacker HighSchool in his most recent Security Now! episode 204. What a great idea! I checked out the site and here’s what I found:

The Hacker Highschool project is the development of license-free security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students.

Today’s kids and teens are in a world with major communication and productivity channels open to them and they don’t have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.

In HHS, you will find lessons on utilizing Internet resources safely such as web privacy, chat protection, viruses and trojans (malware), and the over-all focus on how to recognize security problems on your computer. All lessons work with a free “live linux” CD which will boot off any PC with a CD-rom drive to perform the lessons. HHS is a great supplement to student course work or as part of after-school and club activities.

I checked out some of the lesson transcripts and I have to say that I plan to do them all myself. This is great stuff and while I’m no slacker at being a hacker, there’s a lot of great information to be had. Not only that, but I think it’ll be fun to pretend that I’m 16 in this day and age.

The first lesson (they’re in PDF format on the website) is aptly titled “Being A Hacker” and the first paragraph of the lesson starts out with this:

This lesson is about how to learn – a critical skill for a hacker.  Hacking, in reality, is a creative process that is based more on lifestyle than lesson. We can’t teach you everything that you need to know, but we can  help you recognize what you need to learn.  This is also true due to the constant advances in the computer sciences.

They go on to say that hacking is a life skill that can be applied to other fields, too.

I suggest you check it out for yourself and if you have teenagers still at home, get them going on these things ASAP.

July 10, 2009  8:30 PM

“I guess I forgot to lock the door.”

Ken Harthun

Physical security is something we often take for granted, but it can be just as important as cyber security. One of my clients recently called to say that some suspicious files had suddenly appeared on one of their servers. Naturally, I investigated, but I couldn’t find any breach in the firewall or any indication in the IDS logs that the network had been hacked from outside.

After spending a couple of hours digging around in the server logs, I finally dug into the registry and found that the files had apparently come from a USB device that had been plugged into the server around 9:30 pm on the day in question. Since only three people have access to the servers–myself, the IT Manager and the Controller–and none of us were guilty, I had to suspect that someone had gained unauthorized access to the server room.

Sure enough, the IT Manager recalled leaving early on an emergency the day of the incident and with a sheepish grin told me, “I guess I forgot to lock the door.”

We now have an electronic combination lock on the door and only the three of us have the code. The door automatically locks itself three seconds after it’s opened, so “forgetting” isn’t an option.

Lesson learned. Fortunately, the files were benign.


June 30, 2009  8:30 PM

Lighten up! Computer Humor of all Sorts

Ken Harthun

June is almost over and none too soon. I’m not one for wishing the time to fly, but in this case, I’m glad it did: It has been a very stressful month. Security can be a tough gig. So, it’s time to lighten up a bit with some geeky computer humor I found at http://www.gdargaud.net/Humor/QuotesComputer.html:

Users /nm./: collective term for those who use computers. Users are divided into three types: novice, intermediate and expert.
Novice Users: people who are afraid that simply pressing a key might break their computer.
Intermediate Users: people who don’t know how to fix their computer after they’ve just pressed a key that broke it.
Expert Users: people who break other people’s computers.
— From the Jargon File.

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect

“Morons. These people who live in my apartment complex are connected to my wireless. They must think they’re super-cool hackers by breaking into my completely unsecured network. Unfortunately, the connection works both ways. Long story short, they now have loads of horse porn on their computer.”    — Mootar from bash.org.

Helpdesk: Double click on “My Computer”
User: I can’t see your computer.
Helpdesk: No, double click on “My Computer” on your computer.
User: Huh?
Helpdesk: There is an icon on your computer labeled “My Computer”. Double click on it.
User: What’s your computer doing on mine?

I’ll leave you with this one (I’ve actually pulled off a similar prank with backups):

“Whenever my Boss pisses me off, I secretly change the password to his e-mail account.
When he can’t log on, he’ll piss and moan for 5 minutes, cursing the computer. Then he’ll come groveling to me for my help. Once he’s groveled enough, I re-enter the right password from my office, go to his and watch him look like a dummy while I log-on easily.
I just love it. Heh, heh, heh.”

Here’s to a great rest of the summer!


June 30, 2009  3:19 PM

Panda’s Cloud Antivirus (Beta) is a Winner!

Ken Harthun

I’ve been using Panda Security’s free Cloud Antivirus for a while and I must say I’m impressed. It’s there, but you’ll never know it unless you look (the little panda icon in the system tray). I rarely get malware of any kind, but Cloud AV has caught a couple of things that were probably drive-bys. It’s so transparent that I actually had to go check on it before I noticed that malware had been caught. This is a perfect set-it-and-forget-it AV for the regular user. It’s free, self-updating and doesn’t require any decisions on the part of the user. You can believe what they have to say:

Light

Panda Cloud Antivirus protects you while you browse, play or work and you won’t even notice it. It is extremely light as all the work is done in the cloud.

Easy

Panda Cloud Antivirus is truly install and forget. Don’t worry about updates, configuration or complicated decisions ever again.

Secure

Panda Cloud Antivirus provides you with the fastest protection against the newest viruses thanks to its cloud-scanning from PandaLabs’ servers.

But the great part about it is how it works. Watch the video. It’s really slick, blocking malware within 6 minutes when encountered by anyone who has it installed; it’s truly real time updating.

That’s my two cents. You be the judge and try it for yourself.


June 30, 2009  1:32 AM

Accused Spam King Alan Ralsky Pleads Guilty

Ken Harthun

Once again, I’m behind on the news. This Security Fix report is almost a week old:

Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.

Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.

Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and probably get released well before his full sentence is up, all the while earning interest on the money he has squirreled away somewhere.

BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks.  Look for a more regular posting schedule next month.


June 29, 2009  7:01 PM

Spam, Phishing, and Malware Related to Recent Celebrity Deaths

Ken Harthun

Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you—from the other side of the grave–that you’ve just won the million-dollar Publisher’s Clearinghouse (but you have to send him some money, first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:

To: <redacted>
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 -0400

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.

Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.

They’re all from scammers (criminals) either trying to steal your money, your identity or both.


June 24, 2009  5:45 PM

FAA Gives PKWare’s SecureZip Stamp of Approval

Ken Harthun

It doesn’t surprise me that the inventor of the ZIP file format was recently awarded a large enterprise software license and maintenance agreement from the Federal Aviation Administration (FAA). What does surprise me is that with my network of security news sources, I hadn’t heard about this product before now. Granted, I’m mostly an Open Source guy and SecureZIP is commercial software ($39.95 for a single-user license), but I was asleep on this one.

PKWARE’s SecureZIP software will initially be deployed across 50,000 Microsoft Windows® desktops at the FAA and Department of Transportation (DOT).

I like the way SecureZIP leverages PKI. It enables users to secure files and folders with strong passphrase or digital certificate-based encryption. It also supports digital signatures to ensure data integrity. SecureZIP makes acquiring and using a digital certificate simple: Upon installation, SecureZIP will automatically request and install (if desired) a digital certificate from Comodo.

I like AxCrypt and have been using it for quite some time for simple security. AxCrypt doesn’t offer compression, however, so you have to create an archive first, then encrypt it. Moreover, you can’t use certificates or employ digital signatures. SecureZIP is a clear winner for robust security with compression.

I’m headed over there right now to get an evaluation version.


June 23, 2009  5:45 PM

Foxit Reader Contains Multiple Vulnerabilities

Ken Harthun

According to a US-CERT bulletin issued today, my favorite PDF reader, Foxit Reader, has multiple security vulnerabilities:

Foxit Reader has released updates for multiple vulnerabilities. By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website. US-CERT encourages users to review the Foxit Security Bulletin and Vulnerability Note VU#251793 and apply any necessary updates.

The Foxit Security Bulletin describes the issues:

Two Security Vulnerabilities Fixed in Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder

SUMMARY
Here is detailed information about the vulnerabilities:

1. Fixed a problem related to negative stream offset (in malicious JPEG2000 stream) which caused reading data from an out-of-bound address. We have added guard codes to solve this issue.
2. Fixed a problem related to error handling when decoding JPEG2000 header, an uncaught fatal error resulted in a subsequent invalid address access. We added error handling code to terminate the decoding process.

I recommend that all Foxit Reader users update their Foxit Reader 3.0, available here: http://www.foxitsoftware.com/downloads/. Then, be sure to go to Help>Check for updates and download the stream decoder update.


June 18, 2009  9:29 PM

How to Use the Windows Registry for Cyber Forensics: Part 2

Ken Harthun

In Part 1 of this series, I introduced you to the concept of date/time coincidence and we explored five registry keys that are useful to the forensic examiner. This time, I’ll show you how data can be encrypted and hidden in the registry.

If you’re involved in data security, you’re familiar with cryptography in some fashion and you know that ciphers – algorithms for performing encryption and decryption – are what do the work. You probably also know that there are a few quick-and-dirty algorithms for encrypting data. One such algorithm is ROT-13, a Caesar cipher that encrypts data by shifting each character 13 places in the alphabet while leaving non-alpha characters untouched. It’s so simple that you can decrypt it manually, but it’s enough to fool the casual observer. Anyone coming across something like “cnffj beqsb egurf rperg svyrf vfcnf fjbeq” is naturally going to assume it’s encrypted; in fact, it’s ROT-13 for “password for the secret files is password”. I broke it up into five-character groups to make it more convincing.

For whatever reason, Microsoft uses ROT-13 to encrypt data in some registry keys. One such key is: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Here’s an example: “HRZR_EHACNGU:P:\AFYBBXHC.RKR”. Decrypted, that’s “UEME_RUNPATH:C:\NSLOOKUP.EXE”. (We’ll look at the UserAssist key in Part 3.) A better way to hide data is to encode text-based information in binary format and store it in binary form as a string in registry values of type REG_SZ. Given that binary data is common in the registry, the technique would make it extremely difficult to retrieve the hidden information.

In addition to using ROT-13 and binary encoding to obfuscate data, a suspect could take advantage of a flaw in the registry editor to also make the data invisible to anyone but a forensics examiner who knows about the flaw. From “Forensic Analysis of the Windows Registry:”

The Windows 2000 and XP Registry Editor (regedit.exe or regedt32.exe) have an implementation flaw that allows hiding of registry information from viewing and editing, regardless of users access privilege (Secunia, 2005). The flaw involves any registry values with name from 256 to 259 (maximum value name) characters long. The overly long registry value (regardless of type) not only hides its own presence, but also subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying the remaining of the values thinking the overly long value as the last value in that key. Suspect could exploit such Registry Editor flaw to hide information.

The Windows console registry tool (reg.exe) can display these overly long registry values so the hidden data can be recovered as evidence; however, given the sheer number of entries in the registry, this process is not trivial.
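A triage sketch for the two points above, added here as an example and not code from this post or the cited paper: it reads saved reg.exe query output, ROT-13-decodes UserAssist value names, and flags value names 256 to 259 characters long together with the values listed after them in the same key. The sample output, the ExampleVendor key, the {GUID} placeholder and the assumption that reg.exe lists values in creation order are all constructed for illustration.

```python
import codecs
import re

# Constructed sample in the layout `reg query <key> /s` prints: a key path
# line, then indented "name  type  data" lines. Not from a real system.
LONG_NAME = "A" * 256  # value name in the 256-259 range regedit fails to show
SAMPLE = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count",
    r"    HRZR_EHACNGU:P:\AFYBBXHC.RKR    REG_BINARY    0100000006000000",
    "",
    r"HKEY_CURRENT_USER\Software\ExampleVendor",
    "    Version    REG_SZ    1.0",
    f"    {LONG_NAME}    REG_SZ    filler",
    "    Notes    REG_SZ    created after the long value",
])

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def rot13(text):
    """ROT-13: letters shift 13 places, everything else is left untouched."""
    return codecs.decode(text, "rot_13")

def parse_reg_query(text):
    """Yield (key, value_name, type, data) for each value line in the output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["type"], m["data"]

def triage(text):
    """Return (decoded UserAssist names, values regedit would not display)."""
    decoded, hidden = [], []
    shadowed_key = None                # key in which an overly long name was seen
    for key, name, _vtype, _data in parse_reg_query(text):
        if "\\userassist" in key.lower():
            decoded.append(rot13(name))
        if 256 <= len(name) <= 259:
            shadowed_key = key
            hidden.append((key, name[:16] + "...", len(name)))
        elif key == shadowed_key:      # listed after the long value, same key
            hidden.append((key, name, len(name)))
    return decoded, hidden

if __name__ == "__main__":
    names, suspicious = triage(SAMPLE)
    print("UserAssist:", names)
    for entry in suspicious:
        print("hidden from regedit:", entry)
```
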

I hope this series is giving you some insight, perhaps even piquing your interest, in cyber forensics. Hit the comment button and tell me what you think.

In Part 3, we’ll explore some keys that can tell us where a suspect has been storing files.


June 5, 2009  8:50 PM

“14 Golden Rules of Computer Security” Nearing Completion

Ken Harthun

My new eBook, “14 Golden Rules of Computer Security” is almost complete and will be ready for downloading shortly. Written with the non-technical person in mind, the book is packed with proven, practical advice on how to stay safe on the Wild, Wild Web including bonus articles about creating strong, easy-to-remember passwords and email security tips. I give you tons of links to free and low-cost tools as well as special discounts for software and services by some of the best computer security companies in the business. It’s a must-have for every computer owner.

Based upon my popular “How to Secure Your Computer” series of web articles and fully updated with late-breaking information on safe searching and social networks, “14 Golden Rules of Computer Security” will help you help your clients develop their own secure computing practices and save you from the hassle of dealing with unpleasant malware attacks.

All Security Corner readers are eligible for a free copy. Sign up by clicking here and you’ll be sent a download link when I release the book.

