Security Corner

September 30, 2009  8:22 PM

Microsoft Security Essentials Goes Live

Ken Harthun

Microsoft Security Essentials is now out of beta and ready for download.

The Microsoft Security Essentials team has this to say:

Microsoft Security Essentials (formerly codenamed “Morro”) is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guesswork out of you wondering if you are protected or not.

If you’re green, you’re good.

Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green protected state.

Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information.

It also runs quietly in the background scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC performance, even on older or less powerful PCs.

Sounds good to me. I’m going to recommend it to some of my less-than-savvy clients and see how it works for them. I’ll even try it myself, though I’m not a good candidate for such a thing, being the security Geek that I am. Still, it can’t hurt. The one thing that’s unclear: Is this going to come standard with every new PC, or does everyone have to make the effort to download and install it?

Stay tuned.

September 29, 2009  12:58 AM

New IRS Scam and It Could Cost You More Than Taxes!

Ken Harthun

You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly”, in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.

The Zeus keystroke logging Trojan’s engine is a file called “sdra64.exe.” At least that’s what LSC’s tech guy found. (Variations are sure to surface.)

Rather than repeat it in my own words, here’s the US-CERT list of recommendations:

September 26, 2009  2:46 AM

Protect HTML Code for Increased Security

Ken Harthun

If the challenges at illustrate one thing, it’s that viewing the source code of web pages can often reveal exploitable vulnerabilities. Beyond that, eCommerce sites often have payment buttons, shopping carts and other means to facilitate transactions. If the code for these things is openly visible when viewing the page’s source, a hacker may be able to inject his own code to divert payments away from the rightful vendor and into the hacker’s account. This is particularly true if the code is straight HTML or raw JavaScript rather than scripts hosted on a secure server.

One solution is to encrypt the web page code. A web search will reveal plenty of tools to accomplish this; one that I’ve tried is HTML Encrypt. It’s easy to use: just paste your raw code into the text entry box, click the “Encrypt” button and see your encrypted code in the lower panel.

It’s not a substitute for secure coding, but it can serve as an effective deterrent.
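As an added illustration (this is not code from the post, and HTML Encrypt’s internals are not described there), here is the mechanism such “HTML encryption” tools are assumed to rely on: percent-encode the markup and emit a small in-page decoder that writes it back. The same snippet shows the recovery step that any browser, and therefore any reader, can perform, which is why the author’s closing caveat matters: obfuscation raises the effort for a casual “view source,” but payment recipients and amounts still have to be validated on the server. The checkout form below is constructed for the example.

```javascript
// Added example; assumes the common "encrypt" technique of percent-encoding the markup and
// emitting a loader that decodes it with decodeURIComponent() and writes it with document.write().
// Real tools differ in detail, but all of them must hand the browser a way to get the source back.

function encryptHtml(html) {
  // The "encrypted" page is just the escaped markup plus the decoder the browser will run.
  const encoded = encodeURIComponent(html);
  return '<script>document.write(decodeURIComponent("' + encoded + '"))</script>';
}

function decryptHtml(encryptedPage) {
  // Recovery: pull the literal out of the loader and apply the same decoder it uses.
  // encodeURIComponent() escapes double quotes, so the first '"' after the opening one ends the payload.
  const match = /decodeURIComponent\("([^"]*)"\)/.exec(encryptedPage);
  if (match === null) {
    throw new Error("no encoded payload found");
  }
  return decodeURIComponent(match[1]);
}

// True when the "encrypted" form no longer shows a given plaintext fragment, i.e. the
// obfuscation hides it from a casual "view source"; false when the fragment survives.
function hiddenFromCasualView(html, fragment) {
  return !encryptHtml(html).includes(fragment);
}

// Constructed sample: a checkout form of the kind the post worries about. The hidden
// recipient and amount are exactly what an obfuscator is supposed to conceal.
const sampleForm =
  '<form action="/pay" method="post">' +
  '<input type="hidden" name="recipient" value="vendor@example.com">' +
  '<input type="hidden" name="amount" value="49.95">' +
  '<input type="submit" value="Buy now">' +
  '</form>';

const obfuscated = encryptHtml(sampleForm);
console.log(obfuscated.slice(0, 80) + "...");
console.log('name="recipient" hidden:', hiddenFromCasualView(sampleForm, 'name="recipient"'));
console.log("amount 49.95 hidden:", hiddenFromCasualView(sampleForm, "49.95"));
console.log("source recovered intact:", decryptHtml(obfuscated) === sampleForm);
```

Two things fall out of running it: the round trip is exact, so the “encrypted” page carries every hidden field in recoverable form, and percent-encoding leaves digits and dots alone, so a value like 49.95 is still readable in the obfuscated text. The defence the post hints at, keeping the transaction logic in scripts on the server, is the one that actually removes the field from the attacker’s reach.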

Comments? Go ahead and hit the button.

September 23, 2009  8:15 PM

Hacking Skills Challenge – Level 5

Ken Harthun

So far, we’ve explored the first 4 basic missions at As we get to each new level, the difficulty increases, but they’re still pretty easy.

Today, we solve level 5:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

If you try the same tactic we used to solve level 4, you’ll get the error message, “Invalid referrer. The requested URL /missions/basic/5/level5.php will not be loaded.” You get this because the script checks the HTTP headers to see where you are viewing the page from. If the URL is not /missions/basic/5/ or /missions/basic/5/index.php then it will give an error. Since you’re viewing it from a local file, the script fails.

There are two approaches we can take here: 1. Change the email address in the script using some form of code injection; 2. Use an online monitor/debugger that allows us to edit a page on the fly.

For the first approach, JavaScript injection allows us to change the email address using the following code: javascript:alert(document.forms[0].to.value="put_your@email.here"); Enter that in the address bar, hit Enter, and you’ll be greeted with an alert box showing the email address you entered. If you then click the “Send Password to Sam” button, the password will be revealed. Copy the password, paste it into the password field, click Submit and you’re in. Like the last exploit, the page won’t actually send the password to the email address. In fact, you don’t even have to change the email address in the code; it will work as shown.

For the second approach, if you use Firefox, you can install a cool add-on called Firebug. This powerful tool allows you edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. I installed it, went to the challenge page and used the “Inspect Element” feature to see what was behind the “Send Password to Sam” button. Then, within Firebug, I changed the email address. When I clicked the “Send Password to Sam” button, the password was revealed.

Either way, mission accomplished!

(In a future post, I’ll show you how to hack any stored password using a similar JavaScript approach. And I’ll make sure you adopt a policy to never use a “remember me on this computer” check box on a publicly accessible PC ever again!)

September 20, 2009  9:54 PM

Google Safe Browsing Diagnostic Page

Ken Harthun

Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:

“[URL of site you want to check]” (Leave off the http://).

For example, this URL produced the report shown in the screen shot (click on the image to view it full size):

Try it out for yourself on your favorite sites. You might be surprised at what you find out.

(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)

What do you think? Leave a comment!

September 20, 2009  5:45 PM

Hacking Skills Challenge – Level 4

Ken Harthun

So far, we’ve explored the first 3 basic missions at As we get to each new level, the difficulty increases, but they’re still pretty easy. Today, we solve level four:

An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address.

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.

So, what we have to do is hack the page to get the password sent to an email address of our own choosing. The script is invoked by clicking the “Send Password to Sam” button. Once again, we can view the source to see what clues are there. Paths to two scripts stand out:


Those are both relative paths. We can’t make them absolute and save the source, but we can save the page to the desktop, edit it, then open the local file. This should give us some action. Make sure to change the email address to one you own.

When the page is opened, we see the challenge screen. Click on the “Send Password to Sam” button and voila! A page appears to reveal the password 50c3072c. The script doesn’t actually email the password, so don’t bother checking the email address you entered.

Mission accomplished!

According to some, level 5 is a bit tougher, but I’m sure we have the talent.

What do you think? How could this hack be thwarted? Leave a comment!

September 19, 2009  3:05 PM

Malvertising an Ever-expanding Threat

Ken Harthun

As if we don’t already have enough to deal with, it seems that malvertising, a technique where malicious code is placed in an online ad to either mislead the user or infect their computer, is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice against a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “” (that’s a randomly generated name if there ever was one), ITmeter INC, and “” used malvertisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)

What do you think? Leave a comment!

September 16, 2009  6:38 PM

Hacking Skills Challenge – Level 3

Ken Harthun

My most recent post, Hacker Skills Help Save a Client’s PC, is a real-life practical example of how honing (or developing) your hacking skills can help you better serve your clients. So if you haven’t gotten around to it yet, mosey on over to, create an account and get started on the basic missions. They’re pretty simple, but if you don’t know a thing about hacking, you’ll be challenged.

Did you figure out level 3 of the Basic Missions? Here’s the mission:

This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.

Recall that Sam forgot the password file the last time and so the script that checked for the file returned a <null> value—a blank password. This time, he remembered to upload the password file, which, if you look at the source code for the page, is password.php. In the last challenge, we were told that the password file was not encrypted. I wonder if we can open password.php? Let’s copy the URL of the challenge page and append “password.php” to it: Voila! The page opens, revealing 792debbc as the password.

Mission accomplished.

September 16, 2009  6:03 PM

Hacking Skills Help Save a Client’s PC

Ken Harthun

A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.

When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.

I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of "%1" %* to ; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.

Hacker skills are valuable for us white hats.

September 12, 2009  12:55 PM

Hacking Skills Challenge – Level 2

Ken Harthun

Did you figure out level 2 of the Basic Missions? Here’s the mission:

Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…

Read the mission briefing very carefully. A script loads a password from a file. There isn’t a file, so the script won’t load anything, meaning the variable will be…empty (blank). Clicking the Submit button with an empty password field should do it.

That worked. Mission accomplished.
