Security Corner

October 19, 2009  11:54 PM

Mozilla Disables Insecure Microsoft Firefox Add-on

Ken Harthun Ken Harthun Profile: Ken Harthun

When I fired up my laptop the other day, I was greeted with this pop-up box:

If you’re running Firefox, you may have already seen it yourself. Recall that these add-ons were installed into Firefox without the user’s permission, causing quite an uproar in the Mozilla user community. Brian Krebs of The Washington Post wrote:

In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Mike Shaver, Mozilla’s vice president of engineering, wrote Friday on the Mozilla Security Blog:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.

At least Microsoft agreed with Mozilla’s action to block the insecure add-on, but shame on them for blatantly compromising the security of a browser they don’t even own.

Conspiracy theorists: Do you have an opinion on this?

October 19, 2009  11:34 PM

Trust Only https:// on Form Pages

Ken Harthun Ken Harthun Profile: Ken Harthun

How often, when you log into a site that requires a username and password, to you check to see if the connection is secure? You probably don’t give it a second thought. Most people don’t. For many sites, like newspapers, online magazines, etc., it probably doesn’t matter much. Who cares if someone logs into a news site with your credentials? They’re not going to gain anything by doing so and there’s no identity or personal financial information at stake.

For any sites where you are accessing or entering sensitive identity or financial information such as bank account or credit card numbers or government program IDs such as Social Security numbers, State identification numbers or the like, you are seriously at risk of identity theft if you trust this information to a form that is served as “http://[URL].” It’s true that the Submit button may invoke transmission of the information using https:// (SSL), but there is no guarantee that this will happen, so you risk sending your information “in the clear.”

Best practice: change all of your bookmarks pointing to financial and other sensitive site login pages to read “https:// [URL of site].”

October 17, 2009  12:23 AM

Free Encryption Tool for the Absentminded

Ken Harthun Ken Harthun Profile: Ken Harthun

Security software firm SOPHOS (I’ve tested their products in the past) sent me an email yesterday offering a free encryption tool. I tested it this evening and I’m impressed. It’s very simple to use and is definitely a cure for the absentminded:

Whether you lose your laptop, misplace a CD or leave your USB drive in the coffee shop, if it’s encrypted you don’t have to worry about
becoming tomorrow’s headline!

Get the FREE Sophos encryption tool now and you can lose your data without losing your mind.

Sophos FREE Encryption:
an easy to use tool that encrypts your files, folders and emails.

I suggest you download this immediately and pass it on to everyone you know. Combine this with the LAlarm software and you have an unbeatable combination.

Here’s the download link:

Let me know what you think.

October 15, 2009  3:18 AM

Convert a USB Thumb Drive into a ROBAM

Ken Harthun Ken Harthun Profile: Ken Harthun

What’s a ROBAM? you ask. Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.

I haven’t tried this, so comments welcome.

October 15, 2009  2:42 AM

How to Make a USB Thumb Drive Laptop Theft Alarm

Ken Harthun Ken Harthun Profile: Ken Harthun

Picture this: Someone tries to steal your laptop off your desk and as soon as they pull the plug from the wall, your latpop emits a screaming siren that won’t quit until your password is entered to unlock the laptop and disable the alarm.

There’s another scenario: You take one of your old USB thumb drives (maybe the one you used to make an anti virus bootable scanner) attach a chain to it and secure it to your desk; if someone tries to move your laptop, unplugging the USB thumb drive in the process, the alarm goes off.

This is possible because of an interesting piece of software called “LAlarm.” It’s free for personal use and there’s a nominal fee for commercial use. Download LAlarm from this link:

I tested this software by installing it on my Dell laptop. It works. You simply install the software, configure the options you want and restart your laptop. To set the alarm, you just press Windows key + L to lock the workstation. If anyone pulls the plug or removes the thumb drive, the alarm sounds.

There’s much more to the software than just an alarm. You can set the software to destroy your data in selected folders in the event of a theft. You can also set zones based on IP addresses and cause an alarm to sound if the IP address changes.

The theft alarm is not affected by the system volume control setting–it’s screaming loud no matter how you have your volume set.

It’s a very cool tool.

October 13, 2009  1:20 PM

Protecting Your Business from Online Banking Fraud

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m pleased to see some professionals with clout advocating a security practice I have often recommended to my clients. Brian Krebs of The Washington Post and SANS Institute are both pushing the use of Linux live CDs for online banking. Krebs’ latest article, “Avoid Windows Malware: Bank on a Live CD,” starts off by recommending people NOT use Microsoft Windows for online banking:

An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.

Krebs has reported frequently about some of the more prominent online banking fraud incidents, including the hack against Bullitt County, Ky. and two California firms that lost a combined total of more than half a million dollars, both of which were using two-factor authentication requiring the use of a security token.

The credential-stealing Trojans used in these attacks were designed to avoid detection by normal anti-malware software, so the victims had no clues that they had been infected. With the huge amounts of money involved, it’s likely the cybercriminals have evolved their programming skills to the point where it will be difficult for security firms to keep up.

It’s not surprising, then, that SANS, as a direct result of Krebs’ reporting, issued a challenge to its students to create a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. The report, “Protecting Your Business from Online Banking Fraud,” addresses the issue. Here’s that report’s Abstract:

Recently, small and medium businesses have lost millions of dollars from fraudulent electronic financial transactions.  This paper reviews the threat and provides guidance for mitigating the threat.  These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department.  After the comptroller’s computer is compromised, sophisticated malware is used to eavesdrop on the comptroller’s activity and account credentials for financial systems.  Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000.  These smaller amounts fly under the laundering detection mechanisms in the US Bank Secrecy Act.  In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations.  The paper provides a number of possible ways to mitigate these types of attacks.  A defense in depth approach is used to provide multiple mitigation recommendations.  The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. [emphasis added] The mitigation steps also include protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions.

I highly recommend that everyone responsible for security in their organization read this paper.

October 12, 2009  12:32 AM

October 2009 Patch Tuesday Sets New Record

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft Security Response Center’s October 2009 Bulletin Release Advance Notification:

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

Ten of the 13 bulletins–which include all eight critical vulnerabilities–involve patches for remote code execution vulnerabilities. All versions of Windows and Windows Server, including Windows 7 (scheduled for release on Oct. 22) are affected.

This sets a new record for Microsoft. The previous record was set in June when the company issued 31 updates. I’m not too sure how to take this. I’m certainly glad that Microsoft is addressing its security problems, but the trend is a bit disturbing: 28 patches in December, 2008; 31 patches in June, 2009; and, 34 patches this month. We still have the better part of 3months left in 2009. Will we see another record set before year end?

What do you think? Does this mean that Microsoft is being more security conscious or are there more bugs than ever?

Hit the comments and weigh in.

October 8, 2009  2:18 AM

Hacking Skills Challenge – Level 6

Ken Harthun Ken Harthun Profile: Ken Harthun

Well, slow security news week, so let’s tackle the next hacking skills challenge level. So far, we’ve explored the first 5 basic missions at At each new level, the difficulty increases. At level 6, we’re dealing with a bit of cryptography. Don’t worry, you don’t have to be a PhD to figure it out; it’s a pretty simple algorithm. The encryption table is publicly available. Here’s the challenge:

An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge.

Network Security Sam has encrypted his password. The encryption system is publically available…

You have recovered his encrypted password. It is: bc8g76g<

Your recovered password will be different, but the algorithm to solve it will be the same.

There’s a form where you can enter a text string and have it encrypted by the algorithm used, so that’s a good place to start to solve the cipher. My first attempt was to enter the encrypted password and see what I got back out of the algorithm. The output was bd:j;;mC. Clearly, this is shifting algorithm of some sort, with the first position, position 0, remaining unchanged. I went ahead and tried the ROT(n) algorithms, even though they don’t usually deal with numbers. No joy there. But a good look at the output might indicate a successive addition pattern: the first postion is 0, so the letter remains the same; the second position, 1, increments to the next letter. Reversing the pattern would yield 0, -1, -2, etc.

The presence of symbols suggests the ASCII symbol set and this is what works out to be the solution. Get an ASCII table. For each character position, count backwards from the letter in the password the number of places corresponding to the position number. So, for b, count back 0, for c, count back 1, for 8, count back 2, etc. This will give you bb6d31a5 which is the original password.

Mission accomplished!

October 7, 2009  1:59 AM

Microsoft Security Essentials is a Game Changer

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft’s Security Essentials (MSE), released last week amidst criticism from antivirus giant Symantec, is proving to be effective, robust protection against current malware threats. Performance analysis by shows that MSE is on par with many other standalone antivirus products.

Using Windows XP as a testbed, AV-Test pitted MSE against 545,000 current computer worms, viruses, backdoors, bots and Trojan horses; MSE detected more than 98 percent. It detected just over 90 percent of adware and spyware samples and excelled at detecting and removing rootkits.

My experience with MSE so far mirrors the company’s claims that the program “…runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.”

Any way you look at it, MSE is a game changer. While it’s currently only available as a downloadable add-on to Windows, I doubt it will be long before it comes bundled with the OS on new PCs. When that happens, the AV giants are going to find themselves hard pressed to come up with legitimate reasons for someone to purchase their products.

September 30, 2009  9:43 PM

Security Maxims of a Different Breed

Ken Harthun Ken Harthun Profile: Ken Harthun

Search for “computer security maxims” on any of the top three search engines (Google, Yahoo, Bing) and my articles mostly dominate the results. So I was quite surprised that Security Now Episode #215, entitled “Security Maxims,” gave no mention whatsoever of my contributions to this subject over the past three years. Guess I’ll have to take that up with Steve and Leo. To be fair about it, though, the maxims that Steve talked about in the episode, composed by Roger G. Johnston, Ph.D., CPP of Argonne National Laboratory, Nuclear Engineering Division, are related to “…physical security and nuclear safeguards.” However, according to Johnston, “They probably also have considerable applicability to cyber security.” Many of them are also amusing.

Take this one for instance:

So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

Or this one:

Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
Comment: From security guru Bruce Schneier.

How about this?

Byrne’s Law: In any electrical circuit, appliances and wiring will burn out to protect the fuses.

In all, there are more than 60 maxims listed. You can download a PDF of “Security Maxims” if you want to see more. I highly recommend you read them. You may learn something new. Like I did.

Now, I’m out of here. Have to go fire off an email to Steve and Leo…

Comments? Let me know what you think.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: