Security Corner

November 25, 2009  2:04 AM

Golden Rule #3: Omit This Setup Step and Your Router Can Be Easily Compromised

Ken Harthun

Golden Rule #2 stressed having a NAT router–or router/firewall–between your PC and the Internet as a first line of defense. This is without question the first, most important security step, but it can be useless unless you have it properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.

All routers come with a default user name and password, often as simple as admin/admin (when I’m faced with a router I haven’t seen before, this is the first thing I try–and it often gets me in). Default settings are a good thing because if you ever forget your password, you can reset the router and take it back to square one. However, this is also a dangerous security risk–these defaults are well known and published on the Web. A couple of years ago, for example, three of the more widely used consumer routers, Linksys, D-Link, and Netgear, were vulnerable to a JavaScript web page attack. Go to the wrong site and if you haven’t changed the default password, the attacker can change your router’s settings to send you to malicious websites. For example, you’ll think you’re looking at your bank’s login page, but it will be a fake look-alike that steals your account information as soon as you log in.

While the manufacturers try to patch such vulnerabilities, users often don’t apply the patches and even if they do, determined hackers often find other ways in. As recently as October, 2009, a blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company that it patched the routers. A report by Wired found that 45 percent of 2,729 publicly accessible Linksys routers still had a default password in place.

And that is precisely why you should put this on your list as Golden Rule #3: Always change the default user name and password of any configurable device you put on your home network.

November 24, 2009  3:44 AM

Golden Rule #2: How Not to Invite Attackers into Your PCs or Network – the First Line of Defense

Ken Harthun

Golden Rule #1 gives what I consider to be the most basic security maxim, one on which I base all of my security practices, so let me repeat: The best security measures are completely useless if you invite attackers into your PCs or networks.

Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers have known for some time how to disable the Windows firewall.

Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers that are scanning the ’Net for vulnerable systems, and worms, viruses and other malware that have already infected machines on the ’Net. (As I write this, the IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week.) I certainly don’t want my PC’s software firewall subjected to this kind of thing. Yet, most people, not knowing any better, plug their computer directly into the broadband modem. There is absolutely no reason to do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router (Fig. 1).

Figure 1


Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:

I must mention that except for one, easy configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.

Golden Rule #2: A first, important step in securing your PC is to install and configure a NAT router.

November 24, 2009  3:30 AM

Golden Rule #1: Don’t Invite Attackers into Your PCs or Networks

Ken Harthun

Having worked in IT in various capacities since the early 1980’s, I’ve seen the need for security evolve from simple protection against viruses to the need for complex security policies designed to combat multiple attack vectors. These days, it takes constant vigilance to stay ahead of criminal hackers, to say nothing of terrorists; moreover, clueless users are often unwitting accomplices in security breaches. (See my article “Will You Be Used As a Weapon Against Your Own Country?”)

Today’s Internet is reminiscent of the Wild, Wild West, only now it’s the Wild, Wild Web. Make a mistake, and you could be virtually dead before sundown, your identity stolen, your financial resources drained, your reputation ruined. Protecting yourself online seems like a daunting task, especially for the average home computer user; however, it’s not as hard as it seems, given some common sense and an understanding of basic security principles.

My goal for this eBook is to provide simple, sound advice and tips that will help you be more secure in your computing both at home and at the office. The first piece of advice I’ll give you is one I consider the most basic principle of computer security, the first Golden Rule of Computer Security: The best security measures are completely useless if you invite attackers into your PCs or networks.

November 24, 2009  3:19 AM

Preface to 14 Golden Rules of Computer Security

Ken Harthun

It isn’t getting any better on the Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration through such social networking websites and services as Twitter, Facebook, MySpace, and the like, web-based attacks are more prevalent than ever. These sites are based on active, dynamic content and rely on special programs that run in your web browser to perform their magic. These programs can be modified by malicious hackers to steal your passwords, bank account information and virtually anything stored on your computer.

New laws have done little to deter or eliminate spammers, largely because many of them aren’t located in the United States. Despite the few high profile cases in the news, the truth is that few spammers are ever caught. Considering studies that show some spam campaigns can produce as much as $3.5 million in a year, it’s easy to see why today the spam problem is worse than ever–some estimates place the amount of spam email at 80% to 90% of all emails sent.

These days, everyone is at risk of falling victim to cyber-crime, even those of us who know and practice computer security on a daily basis. The average person who goes to the local big box electronics store and buys a PC or laptop for use at home is often lulled into a false sense of security because their purchase is bundled with some “security suite” by some big-name company. They go home, take everything out of the box, plug it all in and usually end up getting infected with all kinds of nasty things in very short order.

I put this book together in hopes that it will make a difference, however small, in how people look at computing and the Internet. Maybe it will save someone from the hardships of financial loss caused by using a compromised PC to access their bank and credit card accounts. Maybe it will save someone from having to pay a big bill to a technician to clean up a severely infected computer. Maybe, just maybe, it will help take some of the profit out of spam and malware. One can always hope.

At the very least, I hope that you, Dear Reader, find this information useful and that it helps make your computing experience more enjoyable.

Ken Harthun

Note: Any discussion of security, cyber- or otherwise, must be based on the concept of a security baseline—the bare security essentials without which all else is futile. The articles that follow assume that a good baseline already exists, whether the computer is just out of the box, or has been running for a while. What’s a good PC security baseline? I propose these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” These days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”–KH

November 24, 2009  3:12 AM

Series Release: 14 Golden Rules of Computer Security

Ken Harthun

My new eBook, “14 Golden Rules of Computer Security” is almost complete and will be ready for downloading shortly. Written with the non-technical person in mind, the book is packed with proven, practical advice on how to stay safe on the Wild, Wild Web including bonus articles about creating strong, easy-to-remember passwords and email security tips. I give you tons of links to free and low-cost tools as well as special discounts for software and services by some of the best computer security companies in the business. It’s a must-have for every computer owner.

Based upon my popular “How to Secure Your Computer” series of web articles and fully updated with late-breaking information on safe searching and social networks, “14 Golden Rules of Computer Security” will help you develop your own secure computing practices and save you from the hassle of dealing with unpleasant malware attacks.

As soon as the book is completely compiled, I’ll post a download link for a free personal copy. In the meantime, I’ve decided to post each new section here until all of the revised and updated rules have been posted. That way, you can start applying the information and helping others with it immediately.

November 19, 2009  2:51 AM

Law, PR Firms Being Targeted by Hackers says FBI

Ken Harthun

According to the Washington Post, “Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.”

Needless to say, I’ve informed all of my clients who may be affected.

The attacks turn out to be classic “spear phishing” attacks and they can be very convincing. (Recall that a couple of years ago, dentists were targeted.) Here’s what the FBI has to say about the current round of attacks:

[The FBI says hackers are using] spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests.

I wasn’t able to find the text of the latest emails floating around in this spear phishing campaign, but the above description should give you a clue.

November 18, 2009  2:18 AM

Microsoft’s Security Essentials Causes Performance Problems

Ken Harthun

I was all for MS Security Essentials when I heard the announcement of its release (see Microsoft Security Essentials Goes Live and Microsoft Security Essentials is a Game Changer). I installed it on all my machines. Then, I had some big time performance issues. My desktop machine slowed to a crawl and would often take the better part of 10-15 seconds just to repaint the screen. I experienced random lockups where the mouse pointer just froze and nothing would happen. I would start typing in a browser address bar (both IE and Firefox) and I’d have to wait several seconds before any characters would show up.

I didn’t attribute this to MSE. Instead, I got rid of my background picture on the desktop, defragmented my registry, defragmented my page file and did all of those things I normally do to completely tune up a machine. No joy.

Then, Panda came out with version 1.0 of Cloud Antivirus and I commented on that: Panda Cloud Antivirus Emerges From Beta. I said “slight” performance issues had been evident with MSE. I was wrong: They were major, and I’m not the only one who has experienced that. Here’s a comment I just got on my Ask the Geek blog:

nothing was working for me…until I disabled microsoft security essentials – which apparently came with Windows 7! I prefer another malware program and virus program anyway…then I did a msconfig service cleanup of all the crap (including stopping ms sec essentials)….everything’s been loading great.

Evidently, MSE isn’t all it’s cracked up to be and I stand corrected. BTW, Panda is doing fine and I no longer have the performance problems. Microsoft, please get it right for once.

Who else is having problems? Comments welcome.

November 14, 2009  6:05 PM

Cyber War Expose

Ken Harthun

Over the past couple of years, I’ve written several articles and blog posts about cyber-warfare, the two most popular being: Will You Be Used As a Weapon Against Your Own Country?, and Uncle Sam Wants You–to Become a Cyberspace Warrior. The former began with this scenario Continued »

November 10, 2009  2:25 PM

Panda Cloud Antivirus Emerges From Beta

Ken Harthun

Panda Cloud Antivirus UI

I reported on Panda Cloud Antivirus back in June and July in my posts, Panda’s Cloud Antivirus (Beta) is a Winner! and Panda’s CloudAntivirus Update.

I tested Panda Cloud Antivirus extensively on my systems while it was in beta and only recently switched to Microsoft Security Essentials (MSE) for evaluation. Today, I’ll switch back to Panda on my older, slower system to compare performance of each one. I have noticed a slight performance degradation with MSE that was all but non-existent with Panda. Now that Panda Cloud Antivirus is out of beta, I can make a fair comparison which I will report on later. In the meantime, here’s some info from Panda’s press release I received this morning:

Panda Cloud Antivirus, the industry’s first and most comprehensive free cloud-based anti-virus that protects consumers’ PCs against the latest malware, spyware, rootkits and viruses, today emerged from beta after six months of user testing. To experience the expanded performance and support capabilities of Cloud Antivirus, as well as benefit from both online and offline security protection, consumers can download the free service from Panda Security at

Recognized for being “the first anti-virus without an update button”, Panda Cloud Antivirus delivers the fastest protection against the newest and most dangerous viruses. This is made possible thanks to Collective Intelligence, Panda’s advanced system that gathers malware information from its global community of users in the cloud to automatically identify and classify new malware strains in minutes. Collective Intelligence combines local detection technologies with real-time cloud-scanning to maximize protection while minimizing resource consumption. Available in 11 languages, Panda Cloud Antivirus works under Windows XP (32 bits), Windows Vista (32bits and 64bits) and Windows 7 (32bits and 64bits) operating systems and only consumes 20 MB of RAM.

It’s an interesting technology and one that I think we’ll see more of in the future. As more users join the collective, the application gets even more sensitive to new malware strains. A PC World review found Cloud Antivirus impressive:

“Among all of the free anti-virus software we tested for our latest roundup, Panda Cloud Antivirus was the best app at blocking known malware. The approach is intended to take advantage of the latest signatures without the need for signature-database updates–and if its excellent showing at detecting malware in’s zoo of half a million samples is any indication, the approach works. Panda’s app produced an impressive 99.4 percent overall detection rate.”

Let me know if you try it and how you like it.

November 9, 2009  1:27 AM

Javascript Must Die!

Ken Harthun

At least that’s what Mr. John Graham-Cumming says on his blog–and what he told attendees at Virus Bulletin 2009 in his presentation called, “JavaScript Security: The Elephant running in your browser:”

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

I’ve been recommending that everyone use NoScript with Firefox for quite some time. Here’s my article from more than a year ago: Software for Secure Computing: Firefox & NoScript. Recent security updates to Firefox tend to reinforce this view since most of the workarounds for security flaws recommend disabling Javascript.

What do you think? Should Javascript be killed? Would this break 99% of the web sites out there?

Maybe it’s time for a new technology.
