Security Corner

October 28, 2013  11:38 PM

Beware Halloween tricks: Malware is no treat

Ken Harthun Ken Harthun Profile: Ken Harthun

Halloween BannerThe bad guys love to trick people into downloading their malicious garbage and will use just about any tactics to do so. It’s Halloween season, so people will be searching for all kinds of scary stuff to decorate, dress up and generally celebrate the creepy. The hackers know this and will have already started putting up poisoned search results. Haven’t heard about any yet? Believe me, they are out there lying in wait for some unsuspecting victim.

How can you tell if you click on a poisoned search result? Video codecs are a favorite vehicle for hackers. If you get a pop-up saying you have to install such-and-so codec or some sort of image viewer, chances are it’s an attempt to infect you. But this isn’t the only method used; when you click on a search engine result, be aware of anything that doesn’t look or feel right. Lots of drive activity, very slow page loading, unusual error messages, any of these things can indicate an attempt to infect your system.

Hackers love holidays and news events because people can be counted on to search for related information, but the above advice applies to routine searches as well. Nothing is immune to being exploited or used as a vehicle for malware, so keep your eyes (and ears) open all the time. I know how my systems act so well that I can spot trouble long before the system crashes.

Don’t let Halloween malware ruin your day.

October 27, 2013  11:17 PM

Update: Tighten security with your hosts file

Ken Harthun Ken Harthun Profile: Ken Harthun

No place like 127-0-0-1

Since it’s National Cyber Security Awareness Month, I think it’s fitting to re-post my short 2008 piece on using the hosts file to block unwanted sites. I looking it over, I discovered that FaltronSoft no longer exists, hence the strikethrough. The site, however, still exists and is actively maintained with current information. You can sign up at the site to be notified of updates.

Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.

Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.

In Using the Windows Host File for Privacy and Security, has this to say:

Employing the Windows Hosts file to prevent a PC from connecting to undesirable web addresses is a very old practice that is still being used by some as a security measure or to block ads and cookies. Experienced PC users will be familiar with the Hosts file but, if it is a new concept to you, you can read about how this simple text file works at this link. You should also look at what Gizmo wrote about the file in his newsletter ten years ago.

I, for one, have been using this method successfully for years. Give it a try.

October 26, 2013  10:44 PM

Got CryptoLocker? Your data is probably toast

Ken Harthun Ken Harthun Profile: Ken Harthun

CryptoLocker is a particularly nasty piece of malware that encrypts dozens of file types including .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf  then demands you pay a “ransom” to get the key to unlock your data. If you see this pop-up on your PC, you’ve been infected:


They make it sound bad, don’t they. Truth is, there is probably no way to get your data unless you risk paying the money to the criminals. Here’s what Windows Secrets has to say about it:

There are no patches to undo CryptoLocker and, as yet, there’s no clean-up tool — the only sure way to get your files back is to restore them from a backup.

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it’s the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don’t want to add the insult of identity theft to the injury of data loss.

That last part is very good advice, but you still risk losing your money and not getting your data back. How can you trust a criminal to keep their promise?

You best strategy at this time is prevention. Antivirus software won’t catch CryptoLocker and limiting admin rights on your computer has no effect, either. To ensure that you will be able to recover your data, the most reliable method is frequent backups. Should CryptoLocker slam you, restoring your data from backup will save your bacon.

If you are running Windows XP Professional or higher, you can set Group Policy to prevent execution of the malware. If you are technically inclined and adventurous, has a comprehensive guide of some things you can try that might work to help you recover data.

Good luck!

October 13, 2013  11:45 PM

Muscle memory passphrases and passwords.

Ken Harthun Ken Harthun Profile: Ken Harthun

We probably all agree that passphrases can be easier to remember than complex, random passwords. IhaveABIG2013truck! can be memorized in just a couple of minutes whereas Ih*^29xB@@!dude would take a lot longer to commit to memory. This isn’t to say that passphrases can’t also be difficult to remember.

Athletes, artists, musicians, craftsmen – anyone who develops a particular manual skill – rely on muscle memory to a greater or lesser extent. As a musician, I know that repetitive practice of scale patterns, chords, picking patterns and melodic riffs trains the muscles in my fingers to “remember” those patterns. At first, I feel awkward and perform slowly, but after a while, the patterns come second nature and take little thought to perform.

You can do the same thing with passphrases and passwords. In fact, the best typists usually don’t think about what they are typing: the key patterns for whole words are trained into the muscle memory of their fingers.

An innovative approach to utilizing muscle memory is to choose passwords and passphrases that alternate between left hand and right hand on the keyboard. The rhythm 0f going back and forth will soon be ingrained into your fingers. This requires some knowledge of touch typing, but don’t worry, you can get familiar enough with it in just a few short lessons on line. Here’s something that may help you. The image shows the “home” keys and you can probably easily figure out which hand goes with which keys.


Source: Wikipedia

A random password like A*#9tU is a left, right, left, right pattern. For passphrases, there are hundreds of words that alternate in this manner. Below is a sampling from a list called lrwords.txt that you can find here:


Add in some numbers or special characters that alternate hands and you’ve got the advantage of unusual passphrases that use both your mental and physical memory. How about fiendish1927emblem? Easily memorized and has a nice rhythm on the keyboard. Type it a few times and it’s not likely you’ll forget it.

October 10, 2013  12:53 AM

Adobe resets user passwords in wake of security breach

Ken Harthun Ken Harthun Profile: Ken Harthun


On October 3, Adobe was hacked and 3 million user accounts were compromised. The attack exposed customer names, encrypted credit and debit card numbers, expiration dates, and other information. Adobe is resetting the passwords on all customer accounts. Here’s the text of the notification I received early this morning:

We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password. Please visit to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.

We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.

Adobe Customer Care

Reportedly, Adobe will also be notifying customers whose credit or debit card information was exposed. (I do not have a credit card on file with Adobe, so I just got the password reset notice.) Adobe has also promised to offer affected customers the option of enrolling in a one-year complimentary credit monitoring membership where available.

October 8, 2013  10:21 PM

Eight security bulletins highlight the 10th anniversary of Patch Tuesday

Ken Harthun Ken Harthun Profile: Ken Harthun

Image by Shawn Knight

It’s that time of the month again (no pun intended). It’s Patch Tuesday. It also happens to be the 10th anniversary of the celebrated (not) monthly visitor (sorry, they just keep coming). Microsoft released eight new security bulletins—four rated as Critical and four Important. The most urgent one, however, is MS13-080—the cumulative security update for Internet Explorer. It addresses a total of 10 separate vulnerabilities affecting all supported versions of the Web browser:

This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Other Critical patches:

MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)

MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

MS13-083: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

Better get patching!

October 5, 2013  7:30 PM

It’s National Cyber Security Awareness Month

Ken Harthun Ken Harthun Profile: Ken Harthun

NCSAM-10th-Anniversary-Logo-302x86October 1 marked the start – and the 10th anniversary of – National Cyber Security Awareness Month (NCSAM). Sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM is an initiative aimed at making sure everyone has the resources they need to stay safer and more secure online.

We all can do our part by educating family, friends and coworkers on how to use the internet safely. The average person really has little clue about the dangers lurking in cyber space and even if they have an inkling, they are far too trusting of what their clueless friends routinely send them. In their defense, cyber security is not easy and the last ten years have shown us a wide range of security threats that test the mettle of even the most savvy cyber security professional.

Sophos has posted 10 topical tales, “in vaguely chronological order, that have burst into our collective security concerns at various times in the last decade.” It’s an interesting list and will give you some food for thought as well as real examples you can use to educate your people.

In another post, Sophos recommends that you do these 3 essential security tasks for your family today.

What are you waiting for? Git ‘er done!

September 30, 2013  4:00 PM

Microsoft releases Law Enforcement Requests Report

Ken Harthun Ken Harthun Profile: Ken Harthun

question-mark1Microsoft has released its Law Enforcement Requests Report for the first six months of 2013. It is the second such report they have issued. The report “…details the number of requests for data we received from law enforcement agencies around the world, and how Microsoft responds to those requests. It covers requests for data relating to all of Microsoft’s online and cloud services, including Skype.” The report is not permitted to give detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives), so these are not included in the report. However,  they do summarize the aggregate volume of National Security Letters received.

Most of the data is in line with the report for the year 2012, so it makes one wonder about all of the recent hype: Just how much data is really being disclosed? It’s nice to have some real facts from at least one source to help evaluate the current state of things. Here are some of the more pertinent facts:

  • Microsoft (including Skype) received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts in the first six months of this year. This compares to 75,378 requests and 137,424 potential accounts in the whole of 2012.

  • Approximately 77 percent of requests resulted in the disclosure of “non-content data”. No data at all was disclosed in nearly 21 percent of requests.

  • Only a small number of requests result in the disclosure of customer content data, just 2.19 percent of total requests. 92 percent of the requests that resulted in the disclosure of customer content were from United States law enforcement agencies. This is again, broadly in line with what we saw in 2012.

What is interesting is the majority of the requests come from only five countries:

While we see requests from a large number of countries, when you look at the overall number, the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France. For Skype the requests were similarly concentrated, with four countries, the US, UK, France and Germany, accounting for over 70 percent of requests.

One thing really stands out for me and that is the position that Microsoft is taking on the sharing of information regarding FISA requests and national security. This is encouraging.

We believe this data is valuable and useful to the community that is looking to better understand these issues. However we recognize that this report—focused on law enforcement and excluding national security—only paints part of the picture. We believe the U.S. Constitution guarantees our freedom to share more information with you and are therefore are currently petitioning the federal government for permission to publish more detailed data relating to any legal demands we may have received from the U.S. pursuant to the Foreign Intelligence Surveillance Act (FISA).

September 30, 2013  12:40 AM

Software vulnerabilities are on the rise

Ken Harthun Ken Harthun Profile: Ken Harthun

Every year, Secunia publishes its Secunia Vulnerability Review. The 2013 version results do not bode well for our state of security. Here are some of their findings from 2012:

In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them.

There’s an average of 4 vulnerabilities per vulnerable product.

Vulnerabilities were discovered in 2,503 products from 421 vendors.

The number shows a 15% increase in the five year trend, and a 5% increase from 2011 to 2012.

One fifth of the criticalities discovered in all products were rated as either ‘Highly critical’ (18.3%) or ‘Extremely critical’ (0.5%).

With an 80% share, the primary attack vector for all products was Remote Network.

Two things concern me: 1. That the trend is increasing; and, 2. That remote attacks are the primary vector. This tells me that we have to get better at hardening our perimeters and educating our users to keep the doors to our network closed.

And, of course, software companies need to work harder at closing security holes.

September 29, 2013  4:32 PM

Humor: Insane video requests

Ken Harthun Ken Harthun Profile: Ken Harthun

Time to lighten up a bit. Even though this is a cutely disguised ad for Sophos products, it’s funny. Who doesn’t have someone who comes in for a daily “I forgot my password?” I’ve gotten to the point where I see the faces and know what they need.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: