Security Corner

May 31, 2009  7:38 PM

Are YOU a Hacker?

Ken Harthun Ken Harthun Profile: Ken Harthun

Are you? It’s not necessarily a derogatory term. Neither is “geek.” But what does “hacker” really mean? Here’s one opinion:

Someone that is looking to work outside the normal parameters. The media grabs the term and turns it into something bad. Like all hackers are evil and looking to steal your identity, your money and bring down the system in some [sort of]  anti-government/corporate protest. Sure there are always extremist[s] on the either side of nearly any issue…For a true hacker, statements like, "Never do this…" or "one use only" or even better the golden "authorized users only" tend to get us thinking. What is behind that interface, that door, that piece of tape that will void my warranty if removed you are trying to keep me from learning.

Folks, I’m a hacker. I hack computers and networks—it’s part of my job—I  don’t do anything malicious, but I dig into things I probably shouldn’t. I’ve always been the kind of guy who takes things apart to see what makes them tick. Usually, I get them back together the way they were. Sometimes, I break them; but, I always come away with a better understanding of how things work.

If more people were “hackers,” if more people knew how things work, if more people *understood* how this universe is put together, if more people even cared to look, this world would be a better place.

I’m a hacker. Are you?

May 31, 2009  6:56 PM

Search for Screensavers at Your Own Risk

Ken Harthun Ken Harthun Profile: Ken Harthun

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,“ that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, make for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.

May 29, 2009  1:59 AM

ID Analytics Service Validates Identity Exposure Index

Ken Harthun Ken Harthun Profile: Ken Harthun

A new, free service offered by ID Analytics,, validates my Identity Exposure Index concept I proposed last month (What’s Your Identity Exposure Index?). While the results of the iEi investigation give you an index between 0 and 5, the results range from 0 to 1000. In both tests, the higher the score, the more at risk you are.

I compared iEi results for myself and my wife with those obtained from and was a bit surprised at the correlation: my iEi is exactly 4 times my wife’s; my My ID Score is 3.9 times my wife’s. I consider that a pretty strong case for my method. ID Analytics’ technology is patented, but they do reveal that they rely on real-time, cross-industry compilation of identity information, some other identity-specific analytics, and a database of reported identity frauds.

I don’t question the validity of their method and it’s certainly easier to go to their web site and enter a few pieces of basic information than it is to figure out your iEi, but it sure is interesting that my little “invention” appears to be just as valid.

You be the judge; do your own test and please let me know what you find.

May 27, 2009  8:25 PM

How to Use the Windows Registry for Cyber Forensics: Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

I recently completed the free SANS mini-course on cyber forensics (see my post, Free Mini-courses from SANS). That course could not have shown up at a more opportune time as I had just been asked to see if I could determine whether a client’s former employee had stolen their customer list. I learned a bit about looking in some nooks and crannies–specifically, the Windows registry–that I hadn’t considered before and was able to determine with reasonable certainty that the employee had not saved any sensitive information to any external storage media.

I’m no expert in this subject, but I’m confident that I now have a good idea of how to conduct a quick and dirty preliminary forensic examination based upon information found in the Windows registry. When you consider that virtually everything you or a program does in Windows refers to or is recorded into the registry, it stands to reason that it will reveal most anything from minor mischief to major mayhem to the examiner who knows where to look. In this first part, we’ll take a look at how to examine the registry and explore a few of the more common registry entries that have potential forensic value.

Let me first introduce you to the concept of date/time coincidence. All the evidence in the world means little unless it can be shown that it coincides with the time window of the specific incident in question. Therefore, it’s very important that you examine the “LastWrite” time of each key you examine. While this property doesn’t tell you what value was written, knowing the LastWrite time of a key can allow you to infer the date/time coincidence of an event. You can determine the LastWrite time by right-clicking any key, selecting “Export” and then saving it in .txt format. When you open the .txt file, you’ll see something similar to this:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Class Name:        <NO CLASS>
Last Write Time:   5/27/2009 – 12:29 PM

Here are five keys that can give you a quick overview of the activity on a given system and will tell you if it’s worth your effort to dig deeper. The fact that you’re investigating in the first place means that you have some idea of what you’re looking for and if you’re dealing with a non-technical user, it’s a good bet you’ll find something among these.


MRU is the abbreviation for “most recently used.” This key contains a list of files that were recently opened or saved via the Windows Explorer common dialog boxes. Note that this does not apply to Microsoft Office documents. The subkey * contains the file paths to the 10 most recently opened/saved files.


Similar to the OpenSaveMRU key, but it also contains the name of the program executable file that was used to open/save the document as well as the path to the file. All of the information is in binary format.


This key has a similar arrangement to OpenSaveMRU. Only the filename in binary format is stored here and it contains both network and local files recently opened.


Here you’ll find a list of entries with full file paths and commands that have been executed using the Start>Run command. This is useful to determine whether your suspect has been messing around in the registry, using the cmd shell or any management consoles.

HKCU\Software\Microsoft\Internet Explorer\TypedURLs\

A listing of the 25 recent URLs or file paths typed into the IE or Windows Explorer address bar. Useful to determine what websites your suspect has been surfing, but this key is cleared if IE’s Clear History option is invoked. Still, some people may not know about it and some may forget. It’s a good way to disprove the I-have-no-idea-where-that-came-from excuse.

Next time, we’ll look into how data can be encrypted and hidden in the registry.

May 20, 2009  7:24 PM

Three US Cyber Challenges to be Announced May 29

Ken Harthun Ken Harthun Profile: Ken Harthun

Just received SANS NewsBites’ May 19, 2009 issue (Vol. 11, Num. 39) and one article caught my eye. Seems that the sponsors of these Cyber Challenges need some help in naming them:

…a week from Friday…three national cyber games will be announced at a Center for Strategic and International Studies (CSIS) luncheon.  The competitions are part of a huge talent search and talent development program to find and nurture the young people who have the skills to become the next generation of great security professionals… But we are trying to agree on a name for the SANS competition.   Please pick the one, two or three you like best and send them back to Thanks in advance.

SANS Netwars
SANS War Games
SANS NetAttack Games
SANS King of the Hill Challenge
SANS Security Challenge
SANS InfoSec Challenge
SANS Challenge Net
SANS Security Warrior Competition
SANS Capture the Flag Student Tournament
SANS War Game Challenge
SANS War Games Challenge
SANS InfoSec Faceoff

It’s a great idea and sounds like loads of fun. How about we help them out? I chose SANS War Games, SANS Security Challenge, and SANS InfoSec Faceoff.

May 20, 2009  2:03 AM

Can Your iEi be Improved?

Ken Harthun Ken Harthun Profile: Ken Harthun

Last month, I posted “What’s Your Identity Exposure Index?” I’ve had some interesting feedback. This one stood out:

I was really interested in your article about online identity exposure. Since I’m on the web most of the day – for my job, Twittering, creating a brand for my jewelry business – a Google search for my name delivers all accurate results on the first page. However, after taking your suggested test, my iEi was still only 1.6, which made me feel a little better. Do you have any suggestions for lowering that score…or is the damage already done once it’s done?

I’m still researching this issue, but I can tell you from personal experience that once something is on the web, it’s likely to be there for a very long time. I have managed to get some erroneous public records removed from the web, but some very old USENET postings have resisted my efforts at removal.

Public records are just that, public; but governments are prohibited from revealing, willy-nilly, sensitive information about their citizens. This means that if a “public” record somehow shows up on the Internet with sensitive information revealed (SSN, police reports, legal information, e.g.), a complaint on the proper channels will usually get the record removed.

I’ll give you the best solution I know, one that I’ve been using for some years now: If you are on line regularly, do everything you can to post and reveal the information that you *want* people to find. A blog is great for this. Using my blogs, over the past five years I’ve managed to push the junk well beyond the third page of most search engine results. I can live with that.

May 11, 2009  8:44 PM

Real Spam Statistics

Ken Harthun Ken Harthun Profile: Ken Harthun

Depending on whose reports you view, spam accounts for from 85 to 95 percent of all emails sent. This may hold true over the Internet at large, but as with any other statistical data, there are local and regional variations. My own inbox is an exception to the general rule; I get far more legitimate emails than spam.

The company I work for provides spam filtering for several SMBs, so I have to hand real data that I can evaluate. Based on last week’s numbers, we processed nearly 100,000 messages in our filters. Of those messages, nearly 70,000–70%–were spam; nearly 30,000–30%–were accepted as legitimate. Our data has its own wild variations: one set is very low with only 18% spam; another set reaches a high of 92% spam.

I’m not a statistician, but it’s easy for me to see how big a problem spam has become. I’m not ready to say email is dead as a business communication medium, but it certainly needs an overhaul.

May 6, 2009  12:41 AM

Free Mini-courses from SANS

Ken Harthun Ken Harthun Profile: Ken Harthun

Without a doubt, SANS offers some of the best and most trusted computer security training and certifications. Today, I was thrilled to find that they’re currently offering four free mini-courses. I already completed the Windows Intrusion Discovery course and started on Cyber Forensics and let me tell you, there’s nothing “mini” about the content.

….(there are four – pen testing, forensics, vulnerability testing and Windows intrusion detection). They are very short…but you actually learn a lot in a short time. What is most interesting about them is how close the online teaching is to live classes. When the instructors are good enough,
on-demand courses are just wonderful- perhaps better than traveling to attend a live class because you can replay and review sections (Tivo-like) whenever you want. And you get real time feedback on mastery with quizzes at the end of each section. They are at

If you don’t have a SANS portal login, you’ll need to create a free account to gain access to the courses and other material on the site.

Each course presents a five-question assessment test (you can take it more than once) and you get a certificate of completion.

By the way, if you register for any full length SANS OnDemand course before June 15th, 2009, you’ll save 25% off the cost of tuition—a significant discount.

April 30, 2009  8:01 PM

What’s Your Identity Exposure Index?

Ken Harthun Ken Harthun Profile: Ken Harthun

Quick: On a scale of 0 to 5 (0 being nearly invisible, 5 being at risk), how much of your identity is exposed on the Internet? If you’re wondering, there are some tests you can try that will give you a good idea of you Identity Exposure index (iEi). Here are the tests I performed and some calculations you can use. I chose these tests because they could give an identity thief enough information to impersonate you under the right circumstances. For example, knowing your mother’s maiden name and a former address might be enough to get past a security question or two. Heaven forbid your Social Security number shows up anywhere on line!

Keep in mind that this isn’t absolute by any means; it’s more of a quick-and-dirty estimate. But what you find might surprise you.

Use any top search engine. I used Google. My test results are shown in parentheses.

1. Search your name in the form you commonly use; e.g., Ken Harthun, not Kenny, Ken G. or other variants. Count the number of accurate hits on the first page. (9)

2. Search your full legal name as it appears on your birth certificate. Count the number of accurate hits on the first page. (3)

3. Search your mother’s married name, with and without her middle name and middle initial. If her maiden name shows up anywhere on the first page, count 10; if not, count 1. (10)

4.  Search the last six digits of your Social Security number, including the dash. If your name shows up anywhere on the first page, count 10; if not, count 1. (1)

5. Search your home phone number with area code. If your current address is shown, count 10; any former address, count 5; else, count 1. (5)

Now, add all the scores. Maximum score is 50. Divide by 10 to get your iEi. It’s your choice whether or not to round off.

As you can see, my score was 28, so my iEi is 2.8, which is above the median. For comparison purposes, I also did the tests using my wife’s information and her iEi is 0.7. That makes sense because she does almost nothing on the web, save for checking her one Yahoo! mail account.

I’m interested in some feedback on this for a future article and to further refine the tests.

April 30, 2009  1:21 AM

Swine Flu Breeds Spam

Ken Harthun Ken Harthun Profile: Ken Harthun

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: