Security Corner

April 17, 2008  7:05 PM

Top Five Personal Firewalls

Ken Harthun Ken Harthun Profile: Ken Harthun

How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:

  1. Comodo Firewall Pro (Free)
  2. Online Armor Personal Firewall ($40, Free version available)
  3. ProSecurity 1.43 ($30 single PC home user, $40 household)
  4. Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
  5. Kaspersky Internet Security ($80/year for 3 PCs)

The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.

April 15, 2008  1:45 PM

Tighten Security With Your Hosts File

Ken Harthun Ken Harthun Profile: Ken Harthun

Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.

Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.

April 9, 2008  9:11 PM

How to Prevent DNS Rebinding Attacks

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.

April 7, 2008  8:46 PM

Make Your Own Paper Enigma Machine

Ken Harthun Ken Harthun Profile: Ken Harthun

The Enigma cipher machine was a very cool electromechanical device for producing polyalphabetic ciphers that reached it’s heyday during World War II. The original surviving devices are all in museums or private collections, but you can make a paper version. This site: will let you print one out and play with it.

Using the paper version is tedious, though, so you might want to check out this cool simulation that you can install on your PC. There’s also an online Flash-based simulation.

Have fun!

April 4, 2008  8:13 PM

Are You a Security “No” Man or a Security “Yes” Man?

Ken Harthun Ken Harthun Profile: Ken Harthun

We security wonks always seem to be put into a position of having to say “no.” That makes us unpopular with the I’m-not-hurting-anything crowd who insist on checking their webmail, IMing their friends, and running assorted and sundry downloaded and web-based applications (but only on their time, of course). Maybe they’re right on some level; many of those things are benign and don’t represent security threats. But there are also potentially dangerous applications such as peer-to-peer (P2P) file sharing that can expose your network to hackers via an open P2P connection (See P2P Leads to Major Leak at Citigroup Unit and Pfizer Falls Victim to P2P Hack).  What’s one to do?

Start saying “Yes.” You read that right. Look at it from the user’s standpoint: A blanket prohibition against anything and everything usually foments rebellion on the part of some and they’ll do whatever they want to do with wild abandon. Your network is less secure as a result. But, if you develop policies that allow webmail, online shopping, and IM instead of blocking them at the gateway, while prohibiting the potentially dangerous stuff, you just might find the users starting to ask you if it’s OK to do certain things.

And they just might listen to you if you say “No.”

March 25, 2008  9:12 PM

You Clicked? Really? Are You Nuts?!

Ken Harthun Ken Harthun Profile: Ken Harthun

This has to be one of the most evergreen security topics to come along; no matter how much anyone writes about the dangers of clicking on links or opening attachments in unsolicited email, people continue to do it. SANS NewsBites, March 25, 2008, Vol. 10, Num. 24, begins with this statement:

The Excel story is number two in Top of the News this week because of the critical lesson it teaches: When you see your anti-virus package scanning a Word or Excel file, the odds are VERY high that it won’t find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don’t open email attachments unless you were expecting them. [Emphasis added] Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization’s data are stolen and they won’t be able to hide.

(They’re referring to a months-old Excel vulnerability for which the exploit code has just been widely released. For more information on that, you can check out this ComputerWorld article.)

I remember, years ago, a client got a nasty malware infection that resulted in my finally resorting to a full wipe/reload of the OS and all her data. I had solved a couple of minor adware issues for her in the past and, as is my custom, gave her my standard admonition, “NEVER, EVER click on anything if you don’t know where it came from.”

“But I clicked on CANCEL!” she replied. She just couldn’t get her head wrapped around the idea that no means yes, yes means yes, cancel means yes, exit means yes, ANY click means yes.

I’m thankful that most of my clients now either call me or drop me an email if they see a message or pop-up they don’t understand, and malware-related emergencies are way down. But they’re not completely gone. Occasionally, I still get that one dull client who calls to say they clicked on something and now they’ve got popups all over their screen.

All I can say (think) is, “You clicked? Really? Are you nuts?”

March 25, 2008  6:58 PM

Wireless Headset Security Nightmare

Ken Harthun Ken Harthun Profile: Ken Harthun

Wireless headsetBeing a Ham Radio operator, I’ve always understood the risk inherent in using radio signals to transmit sensitive information: anyone with the right equipment can receive and record anything transmitted over the air. These days, I’m noticing a lot of people in various offices walking around with these cute wireless headsets hooked up to their office phones.

Ever wondered what kind of security risk these things might pose to your company? Yeah, me too. So, did the folks at Secure Network Technologies as evidenced by their article “Hacking Wireless Headsets” that appeared Jan. 22, 2008 at, a site that provides in-depth security news and analysis. Here’s an excerpt:

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900-928 Mhz and the 1.2 Ghz ranges, which is where many of the popular hands-free headsets operate.

We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client’s employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.

See the nightmare coming? With the right information you can then use social engineering techniques to get your tentacles very deep into the company. And that’s exactly what they did:

Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.

In all, they spent three days “working” in the company, gaining access to all sorts of information, technology, and resources. Not only that, but they also discovered that the headsets acted as bugging devices; even when disconnected, the headsets continued to transmit. The impersonators were able to listen in on conversations carried on by the wearers.

Be afraid. Be very afraid ;-) Seriously, read the article and if your office uses these things, do your own tests to find out where you’re leaking. Then, plug the leaks.

March 24, 2008  9:06 PM

Encrypt, You Must, But Do It Right!

Ken Harthun Ken Harthun Profile: Ken Harthun

EncryptionOne of the clients I service has information that falls under HIPAA. Prior to last week, all of the data was stored on a server located behind a strong firewall in a building with good physical security. Last week, however, this organization decided to deploy laptops for their field operatives. Major security problem. Full-drive encryption was my first thought.The good thing is that there was nothing on the laptops except for the OS–they were brand new. Nobody had seen them except me. I was able to encrypt the hard drive before any data had been written, thus insuring that no remnants of unencrypted data exist. Every future write to the hard drive will be encrypted.

If you think about it, this is the safest way to do full drive encryption. But what if you want to re-deploy equipment that has had data on it? In this case, you’ll want to first wipe the drive using a good tool like Darik’s Boot and Nuke (DBAN) or CMRR’s Secure Erase, depending on the sensitivity of the data. DBAN will let you write multiple passes of pseudorandom data, which is usually “good enough.” Then, reinstall your OS of choice and run your full drive encryption program assigning a passphrase at least 20 characters long (mine’s 45). All this working of the drive should sufficiently scramble any data remnants.

March 20, 2008  1:23 AM

Paranoid About Hard Drive Security? Try This

Ken Harthun Ken Harthun Profile: Ken Harthun

My company serves as the IT department for several medical, legal, social service, and banking organizations in our area. I don’t have to tell you that every one of these organizations deals with information that falls under various government data security and privacy acts. Every one of these organizations depends on and expects us to put in place measures to protect their data. In other words, if they suffer a breach, they’re going to assign responsibility to us on some level. So, when I decommission a server or PC, I take steps to make sure that no one is going to be able to read anything off the hard drives. Call me paranoid, but consider this: seven in 10 secondhand hard drives still have data. What’s one to do?

It’s well known that simply wiping out partitions and re-formatting drives doesn’t erase anything. It’s equally well known that overwriting every sector with pseudo-random data is considered a secure method of erasure. I give you a two-step approach that may be overkill, but is certainly a procedure that any court would consider a mitigating factor if I or my company is accused of negligence. (I work in a Microsoft environment, so that is the context here.)

Step one is to install TrueCrypt 5, (my hands-down favorite) or another full-drive encryption program, and perform the steps for full-drive encryption; this effectively writes pseudo-random noise to every sector of the hard drive. (Don’t fret about the 20-character password TrueCrypt warns you about–just type “password.” You’re not worried about logon security; you just want to encrypt the hard drive.) This one-pass encryption is probably sufficient for a home PC hard drive, but not for anything else.

Step two is to run a disk erase program that overwrites every sector with pseudo-random bits. I use Darik’s Boot and Nuke (DBAN), without question a best-of-breed open source program. One pass auto-wipe should be sufficient since you’re overwriting what already amounts to pseudo-random noise (created by TrueCrypt) on the hard disk.

After this treatment, any adversary would find it virtually impossible to recover anything usable off of the drive. Give it away, sell it on eBay, do whatever.

And have a good night’s sleep.

March 12, 2008  2:04 AM

Turn Off Message Preview in Your Email Client

Ken Harthun Ken Harthun Profile: Ken Harthun

Some of these tips may very well be “everybody knows” types of things, but I find that these are often the things that get overlooked. That’s why I’m publishing them as computer security maxims. Take a look at the recent furor surrounding the cold boot attack against disk encryption . That was an “everbody knows,” too.

I get questions all the over at Ask the Geek about using a mail client’s message preview feature. Opinions vary, of course, but for this geek, it’s a bad idea. In order to preview a message, it has to be opened or rendered by the HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: The same malicious programs can exist in scripts in HTML messages. It’s a serious security risk.

Security Maxim #6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: