Security Corner

August 14, 2009  7:18 PM

Gmail Vulnerability Points Up the Need for Strong Password Policy

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.

August 14, 2009  3:02 AM

Twitter Used As Botnet Command & Control Channel

Ken Harthun Ken Harthun Profile: Ken Harthun

A botnet that uses Twitter for command and control? You bet. Jose Nazario over at Arbor Networks apparently found one: “Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.” The bots connect to the Twitter account using an RSS feed, allowing them to receive the tweets in real time without having their own accounts on Twitter. Pretty slick.

The tweets themselves are base64 encoded and when Nazario translated one of them, it was clear the encoded tweet was sending links to the bot.

Oddly enough, there’s no mention of this at, but the account in question (well, one of them, at least—there are probably more),, has been suspended, so it appears that  Twitter security folks are on the ball.

August 12, 2009  12:39 AM

Patch Tuesday – 19 Windows Security Flaws Fixed

Ken Harthun Ken Harthun Profile: Ken Harthun

It’s that day of the month again and this time Microsoft has patched 19 security holes, 15 of which have a “critical” rating. The good news is that none of the vulnerabilities affect Windows 7. As usual, a bunch of the flaws stem from ActiveX controls, probably the worst thing Microsoft’s developers ever came up with (with the possible exception of Microsoft Bob).

At least one of the vulnerabilities, MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 – Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.

Get those patches installed ASAP!

August 11, 2009  2:22 AM

Twitter Attack: Whodunit and How? Whonose?

Ken Harthun Ken Harthun Profile: Ken Harthun

Speculation abounds over who was responsible for the DDoS attacks that affected Twitter–and to a lesser degree, Facebook and LiveJournal–this past Thursday.

Various sources, including CNN and CNet, suggest that a Georgian blogger with accounts under the name “Cyxymu” (a town in the Republic of Georgia) on the services was targeted. The date of the attack coincides with the one year anniversary of the Russia-Georgia conflict.

Other sources, including The Register suggest that a JoeJob was the main source of the attack.  Joejobs are spam messages designed to induce someone to click on a link in the hopes that enough people will do so, thereby harming the site being linked to.

Still others blame a conventional DDoS attack using botnets, but Arbor Networks‘ analysis actually shows a drop in traffic volume hitting Twitter during the alleged DDoS attack, leaving doubt that this method was used.

I’ve also seen reports blaming hackers angry at Twitter for becoming more popular than IRC, a vigilante trying to point up the danger of botnets, and cyber-terrorists.

Seems no one really knows for sure at this point.

August 8, 2009  1:37 PM

Twitter Hit with DDoS Attack

Ken Harthun Ken Harthun Profile: Ken Harthun

On Thursday morning, I decided to check my Twitter account and was greeted by a “Network Timeout” error. I tried several more times and finally gave up, thinking I’d just try later. I thought nothing more about it until I heard the news item on a local radio station that Twitter had been DDoS’d. This was confirmed at

Ongoing denial-of-service attack

We are defending against a denial-of-service attack, and will update status again shortly.

Update: the site is back up, but we are continuing to defend against and recover from this attack.

Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We’re working to get back to 100% as quickly as we can.

Update (4:14p): Site latency has continued to improve, however some web requests continue to fail. This means that some people may be unable to post or follow from the website.

As of late yesterday morning communication with the API and SMS was still down.

As usual, there always seems to be some humor in these situations. Here’s a comment by John Pescatore of SANS Institute from the SANS News Bites:

[Editor’s Note (Pescatore): Wow, 2 hours without tweets! That’s like a
car drive to the shore without anyone in the back seat saying "Are we
there yet? I see a rock. Is that a seagull? I like saltwater taffy.
Shaquille Oneal is really tall. Are we there yet?" the entire trip.]

August 8, 2009  1:15 PM

Tsk, Tsk! Weak Passwords Allow Congressional Web Site Defacements

Ken Harthun Ken Harthun Profile: Ken Harthun

This is simply idiocy—or gross negligence—of the highest degree. In the last week, more than a dozen US Representatives’ websites were defaced by hackers who posted digital graffiti on the home pages. The graffiti read, “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs” (see screen shot). There was not other damage to the sites.


The method used to break in? Password guessing. The hackers compromised the site administration passwords at Web design and hosting firm GovTrends of Alexandria, VA which provides Web hosting for about 100 House sites. Not all were affected.

According to GovTrends founder Ab Emam, passwords assigned to member offices were never changed. Now, it’s typical for a Web hosting company to assign default admin passwords, but those passwords should be strong. In this case, they weren’t. “Most of these passwords could be guessed, they were obvious,” Emam said. “That’s been changed, and each of these sites is now required to have strong passwords.”

Really? Should have been required all along. There’s simply no excuse for this. I have written numerous articles over the years about how to generate strong, un-guessable passwords and I’m not the only one: a Google search brings up 61,800 results for that term. Will they ever learn?

(In all fairness, I have to report that there is some question as to whether password guessing was actually the cause of the breach. This article by Brian Krebs has been updated to suggest that SQL injection may have been the method.)

No matter; there’s no excuse for that, either.

August 7, 2009  6:50 PM

Shrink Your Attack Surface

Ken Harthun Ken Harthun Profile: Ken Harthun

I’ve heard this phrase bandied about in Linux forums and in the occasional blog post, but it’s something I never considered relative to the security of Windows boxes.  There’s an awful lot of research on the subject and it boils down to this: The larger the attack surface, the more insecure the system. Makes sense, but just what is an attack surface? Thanks to a research paper, Measuring a System’s Attack Surface, Pratusya Manadhata and Jeannette M. Wing, CMU Technical Report CMU-CS-04-102, January 2004, we have a concise definition:

A system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.

This means that any applet, any built-in feature, any module, any application, probably contains multiple attack vectors. Moreover, certain applications like Internet Explorer are attack vectors in and of themselves. When I started to look into this, I found that some folks over at the Microsoft Developer Network had put together a discussion along with a handy list of Windows attack vectors:

  • Open sockets
  • Open RPC endpoints
  • Open named pipes
  • Services
  • Services running by default
  • Services running as SYSTEM
  • Active Web handlers (ASP files, HTR files, and so on)
  • Active ISAPI Filters
  • Dynamic Web pages (ASP and such)
  • Executable virtual directories
  • Enabled Accounts
  • Enabled Accounts in admin group
  • Null Sessions to pipes and shares
  • Guest account enabled
  • Weak ACLs in the file system
  • Weak ACLs in Registry
  • Weak ACLs on shares

Bear in mind that any of these can be subject to multiple vulnerabilities and many of them have been connected with specific vulnerabilities. However, the attack vector itself does not necessarily indicate a system vulnerability, per se. Think of  these as things an attacker would try to compromise; for example, attempting to logon to a system as Guest. If the Guest account is enabled, that’s a vulnerability; if the Guest account is disabled, it’s merely a vector for attack.

So, how can we use this information in our workaday world? First, realize that the OS itself is the basis of all of the above items. Next, realize that any program, web application, widget, gadget, what have you, is going to utilize one or more of them.  Finally, get the concept of “default unnecessary.”  Windows comes with many built-in (read default) features, services and applications—many of them completely unnecessary in the enterprise.

We shrink the desktop attack surface by building our desktop image in three stages:

  • We clean up the OS by removing ALL unnecessary features, tools, and applications. A good place to start is all the stuff in the Accessories folder. And who ever uses Microsoft Backup, or Character Map, or Tour Windows XP? You get the idea.
  • Given a stripped-down image, we next install ONLY those applications and tools that are absolutely necessary for the user to perform her job. Ideally, we avoid mainstream applications and utilities as much as possible and go with those that are not as widely used (security through obscurity) and therefore not as subject to attack. For example, if PDF isn’t used in the enterprise for purposes other than reading manuals, why use Adobe Reader? Foxit Reader or any of the Open Source apps will work.
  • Finally, disable all services and uninstall all protocols that aren’t required by the OS or necessary applications. The first things that come to mind here are UPnP and the SSDP Discovery Service and the Net.tcp Port Sharing service.

That will give us a clean desktop setup with a significantly lower attack surface; come to think of it, you should probably go check the servers, too.

If I’ve missed anything, let me know.

July 30, 2009  8:54 PM


Ken Harthun Ken Harthun Profile: Ken Harthun

Rogueware? The names just keep coming. It’s another name for Scareware, that stuff designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. The end result is to steal money from PC users by luring them into paying to remove nonexistent threats. Disturbing statistics point out why this stuff won’t go away:

  • Cybercriminals are earning approximately $34 million per month through rogueware attacks
  • Approximately 35 million computers are newly infected with rogueware each month
  • Rogueware is being distributed through Facebook, MySpace, Twitter, Digg and targeted BlackHat SEO attacks
  • Research confirms that majority of cybercriminals operate from Eastern Europe

PandaLabs, Panda Security’s malware analysis and detection laboratory, announced yesterday that they’ve made a multi-year study available that examines the proliferation of rogueware into the overall cybercriminal economy. The report, “The Business of Rogueware,” by PandaLabs researchers, Luis Corrons and Sean-Paul Correll, reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

It’s very clear the whole landscape has changed from a vandal model to a profit model. It used to be that the cyber-vandals trashed your hard drive and wrecked your website; now, cyber-criminals use tactics to steal your identity and extort money from you. The damage is no less costly, it has just increased in both the intensity of emotional pain and amount of financial loss. The difference is that cyber-vandals didn’t have a payday—cyber-criminals do.

And people ask me why I’m adamant about cyber-security…

July 30, 2009  3:45 PM

Video: I Go Chop Your Dollar

Ken Harthun Ken Harthun Profile: Ken Harthun

This video is a good example of how not all the effects of crime are bad. After all, if we didn’t have Nigerian 419 scammers, we wouldn’t have a song about the infamous Nigerian 419 scams that haunt email inboxes these days. Lyrics are a little hard to pick out, but the chorus repeats enough that you’ll eventually get it. It’s a catchy tune. Perfect to lighten things up after a serious month of fighting security threats.


I Go Chop Your Dollar


July 29, 2009  9:08 PM

I’ll Say it Again—Turn Off the Remote Web Management Interface!

Ken Harthun Ken Harthun Profile: Ken Harthun

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve…Stanford security lab….will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos – webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things – and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: