Security Corner

August 31, 2015  2:21 AM

Privacy is your responsibility, too

Ken Harthun Ken Harthun Profile: Ken Harthun
personal data, Privacy Protection, Privacy rights, private data

It seems these days that everywhere you look, there is a privacy disclosure statement. You get them from your bank, your credit card companies, lenders, and just about everyone who asks for any non-public personal information (NPI). Have you ever read one of those things? You should. You have a right to know what information is being kept and how it is used. Here is one such clause:

You have the right to know what NPI we have about you, to have access to it and to receive a copy upon request, where required by law. If you have questions about what we may have on file, please write to us. Give us your name and address, date of birth, [other information] and the type of NPI you want to receive. Some types of NPI obtained when [actions are taken] or defending lawsuits need not be shared with you.

The firm or group who has NPI about you may not have obtained all of it directly from you, so unless you ask for it, you don’t know exactly what they have. It is entirely possible that some NPI is incorrect and you will never know unless you request it. You have the right to request erroneous information be corrected.

You may contact [company] if you believe your file should be corrected, amended, or deleted. We will review your request, and within thirty (30) business days, we will make the requested change or provide an explanation of our refusal to do so. If we do not make the change, you may send a statement for insertion in your file, setting forth what you believe to be the correct NPI and explaining why you believe the NPI in our file to be incorrect. If you ask us to, we will notify persons to whom we have shared NPI of the change or your statement. With any subsequent sharing of NPI, we will include a copy of your statement.

You see, you have to ask. Any firm is going to do only what they are bound by law to do and no more. That’s their responsibility. Your responsibility is to be alert and informed and to take action if you are concerned. It’s not up to someone else.

It’s up to you.

August 30, 2015  1:07 AM

Video: Lighten up! Password humor

Ken Harthun Ken Harthun Profile: Ken Harthun
humor, Passwords, Security, Video

I simply have to try this someday. It’s hilarious! No better therapy for the IT Blues than a good laugh.

August 30, 2015  12:36 AM

Infected PC? Refresh or restore

Ken Harthun Ken Harthun Profile: Ken Harthun
malware, Restore, Security, system recovery

The more things change, the more they stay the same. I’m still seeing PCs with serious malware infections that defy any and all attempts to clean them up. I used to persevere and eventually succeed in killing whatever beasties were inhabiting the dark recesses of the system. Just last week, I fought one for two hours before finally doing a factory reset.The trouble is, now as then the things keep coming back and if I didn’t take drastic action, I’d be facing another hours long battle. Once a machine is infected you can never trust that machine again unless you refresh or restore it to factory configuration.

Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware (as in 2015) is even more tenacious and stealthy that it was 7 years ago when I first wrote about this. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Windows 8 gave you an easy way to preserve user files while restoring the factory image and it’s still going strong in Windows 10. I’m not totally convinced that this is the best way to go, but so far I haven’t seen too many “repeat customers” after doing it.


July 31, 2015  6:10 PM

What can we expect from Windows 10 security?

Ken Harthun Ken Harthun Profile: Ken Harthun


Maybe the question should be: When can we expect to see the first Windows 10 security vulnerability? The follow-up question is: What will it be?

With the recent release of Windows 10 on July 29, 2015, we are faced with a new operating system that is bound to have some security issues. It’s impossible to predict what and when but let me point out that Microsoft has introduced some new security features (Device Guard, Windows Hello, Passport, to name three of them, all of which are covered elsewhere). Any new feature means that it has been subjected to limited testing and we can’t have complete confidence in it until the millions of true beta testers–the user base–have put it through its paces.

Having said that, I do have the feeling that Windows 10 security will be far better than in all previous versions. Still, you have to realize that security is, and probably always will be, a cat-and-mouse game. We can keep building better mousetraps, but as long as the cyber-criminals continue to realize huge profits, they will continue to build better mice (or bring humans–the one irreparable vulnerability–into the colony).

July 29, 2015  5:19 PM

More on a novel password strengthening approach

Ken Harthun Ken Harthun Profile: Ken Harthun
Brute force attack, cybercriminals, Hackers, Password cracking, password encryption and decryption., Security

Key to the KingdomThe old cliche goes, “The best laid schemes o’ Mice an’ Men, Gang aft agley” (Scots version). As I tend to use those tips that I promulgate, I have been using the method described in my previous post. Well, wouldn’t you know it, some sites don’t like the “.” character in their password fields. I had to modify my method. So, I changed the character for the dot to “-” and the character for the dash to “_” making the letter “F” appear this way: –_-.

Then it occurred to me: You can substitute any character you want, even the representation of the sounds themselves, for the dots and dashes. If you represent “F” that way, it becomes “ditditdahdit.” Talk about adding complexity! And you won’t find any of that gibberish in any dictionary attack in this universe (at least not yet). Nor will you have to worry whether or not a special character will be accepted.

You could use the letters s & l for “short” and “long”–the duration of the sounds that make up audible Morse code. So “F” becomes “ssls.” That’s not quite as good as dit and dah, but it works–you just have to substitute for a few more letters or numbers to string out the complexity.

These days, it’s all about staying ahead of the bad guys and the best way I know to do that is with increased length and increased complexity to make their dictionaries and other pattern templates useless and drive them to use brute force methods.

Oh, by the way, you can safely write down any password by substituting the real thing for the Morse, to wit: Password is Doolittle. Write that down, but use Ddahdahdaholditditttle. That one is even sort of melodic…

July 21, 2015  6:04 PM

A novel password strengthening approach

Ken Harthun Ken Harthun Profile: Ken Harthun
morse code, Password, Password cracking, password encryption and decryption., Security

We all agree that strong passwords are especially necessary in today’s hack-a-day world and there are sites galore giving advice on how to create memorable strong passwords. I’ve posted more than my share of advice on this subject over the years.

One thing that has always been frustrating is attempting to use one of my favorite password strengthening patterns only to be told that the characters are not allowed. So, I’d have to switch to my alternative method which, unless I added several more characters, wasn’t as strong.

One thing I’ve noticed on these sites is that usually they will allow special characters like periods, dashes and the like. Periods. Dashes. Hmm, we Ham Radio operators (I’m W4KGH, in case you’re wondering) use dots and dashes to signify Morse Code characters. Everyone is familiar with the international distress signal, SOS which sounds like di-di-dit dah-dah-dah di-di-dit. Written with dots and dashes, it looks like this: …—…

So, I thought, why not use Morse code patterns in place of some letters in your password? Doing that will significantly increase the length and strength of your passwords. One might even consider it a form of encryption.

By way of example, the word “password” is eight characters. Replace one “s” with the Morse equivalent, “…” and you’ve lengthened it to ten characters. Let’s replace both both of the s’s and the o with the Morse characters and it becomes pa……w—rd with 14 characters (I don’t recommend you use my example).

You might say that using Morse code–which most people don’t know–would make passwords even harder to remember. Not so. If you limit your use to only the numbers, there is an easy-to-remember and quite elegant symmetry to the character patterns. You should be able to see it easily in the illustration.

Morse NumbersNote that each number comprises 5 characters, so just by using your age, for example, you’re adding a lot of complexity to your password.

Something like 8/.——–………– (22 characters) isn’t going to be cracked easily with a brute force attack and it sure isn’t going to fall to a dictionary attack.

There are many ways to utilize this and I’ll leave the rest to your imagination. Give it a try. It can’t hurt and you might have some fun.

July 9, 2015  4:22 PM

Who or what is the most dangerous security threat?

Ken Harthun Ken Harthun Profile: Ken Harthun

Hackers, cybercriminals, government-sponsored cyberattacks, terrorists, et al. are constantly in the news related to cyber security. The focus is usually on data breaches. These things certainly are not good and cause a lot of economic damage to the victims, not to mention the emotional distress and inconvenience. But is this really what we should be concerned about? Who or what is the most dangerous security threat?

Here is some food for thought. I venture to say that the most dangerous security threat we all face is our totalitarian-wannabe government (if you have never read George Orwell’s novel, 1984, I highly recommend it). It’s not too far a stretch what with how the NSA is actively spying on all of us (and don’t think for a moment that they aren’t still doing it, despite utterances to the contrary). The NSA continues to develop spyware and malware that even the elite in the cybercrime community haven’t begun to approach. Oh, wait, maybe the NSA are the elite in the cybercrime community.

Lest you dismiss what I am saying here, please take a look at what noted security researcher and Electronic Frontier Foundation board member, Bruce Schneier has to say in his article “How the NSA Threatens National Security:”

…the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.

…US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA’s activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.

Those of us who know the score need to present a united front with our strong voices against the criminal agencies who continue to insist on spying on its law-abiding citizens. Inspection before the fact has always been–and always will be–a violation of individual rights, liberties and personal privacy.

June 26, 2015  2:04 AM

Samsung making Microsoft a little unhappy

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Apple, Business, laptop, Microsoft, news, samsung, Security, Updates, Windows

You know the person in your office who leaves their passwords taped to the front of their monitor? Sure you do. They’re putting everyone’s data and hard work at risk because they’ve short-circuited the security process. It’s not nice and it sometimes could cost the company money.

Screen Shot 2015-06-25 at 9.52.46 PM

What would you do if that same person ran around the office and logged into EVERY workstation – if that were allowed because it shouldn’t be – and then left all the machines on and the doors to the office open? You might actually think they had left the door to the Internet open with a sign for hackers to stop by and take what they want.

Yeah, well that’s pretty much what Samsung did recently when they took it upon themselves to disable the security update from Microsoft on some Samsung machines. In the news this week, the BBC reported that there have been some tales of Samsung machines disabling updates from Microsoft in favor of different software. This was denied – sort of – by Samsung with a comment about giving consumers a choice when it came to software.

But the bottom line is that it happened enough to get people’s attention.

Is it a huge deal? Not really in terms of numbers, but it might represent the way the market is going when it comes to software that comes preloaded on machines and what security is used to protect certain platforms.

Here’s a snippet of the article…

Screen Shot 2015-06-25 at 9.52.58 PM

What do you think? Does it make sense for Samsung to actually have some say about what goes on their machines? Should consumers have a say? Or are we still in a three-platform world with Linux, Apple and Microsoft running everything?

Leave your thoughts in the comments. Thanks!

June 20, 2015  1:40 AM

Want Money from the Gov’t? Get a Death Certificate.

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Data, Facilities, Facilities management, Log management, money

It’s odd. When most of my posts are about keeping things secure, this piece of news jumped out and reminded me that log and access management are still vital pieces to data and facilities security.

Screen Shot 2015-06-25 at 9.31.16 PM

A primer for those who just read the security corner for fun. Log management is the careful examination of all the people and events affecting the access to data on a system. That’s simplified.

Further, log management can also mean the examination of access logs to facilities and offices within a building or campus. That’s why so many businesses (most if not all these days) ensure that everyone they employ has a badge and that the badge is coded to allow them into certain areas. If you don’t have permission to be in an area – you have not been provisioned – then your badge won’t let you in.

In the case of the news in this article about the government paying out LOTS of money to dead people, it’s very clear that nobody checked to see if the people were still breathing. A simple check of credentials would have kept $46.8Million in the coffers of the USA and out of the pockets of thieves. While this wasn’t simply a case of “OK, your badge looks legit, go on in”, it is a case where better security should have been used.

What’s your take on how secure our government keeps its money? And then beyond that, how safe do you think they’re keeping information if they let actual cash get away so easily?

Yikes! I look forward to hearing from you in the comments or discussions. Thanks for reading!

June 16, 2015  2:39 PM

Opiates, Hospital Records and Communication

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, Email, Hack, Healthcare, Password

In the news lately in MA is the discussion over stricter laws/legislation/rules about prescribing drugs. That’s pretty much always been the case, but this time the focus here is on opiates. The numbers are staggering – 6600 people died in ten years from this class of drugs in MA – but the security ramifications are also hefty.


For instance, right now you can go pick up an antibiotic prescription from your pharmacy just by telling the pharmacist your name and paying $5 or whatever these drugs go for. For many classes of opiates – up until the recent crackdown and increase in awareness – you would need your license and an actual paper prescription from the prescribing doctor.

Some folks say that the increased focus is going to make that seem like a cakewalk. In some instances, people are talking about patients on pain killers having to visit the pharmacy each week, each couple days or even for each dose. While this might make the handing out of these drugs more secure, it’s going to present issues itself in time, resources and headaches.

Similarly, as the actual drugs are being restricted so too are the records about your health. My current health pland and hospital have joined forces to institute an online site that allows me to get access to my records any time I’d like. The main issue is that the security interface, required password and lack of ability to reset passwords in a timely manner effectively lock me out of my records about 65% of the time.

In theory, it is a great system. My data is available to me and my physicians when I want to access it. In practice, only a skilled hacker would likely be able to get to this data on a regular and efficient basis. That scares me a little because I like to be able to get to my information and if it’s too hard to do so, most people will find shortcuts that eventually allow hackers and thieves to get inside the system. Stuff like writing passwords in plain sight, staying signed into accounts or even emailing themselves sensitive info about access.

Lastly, and maybe the best thing about the collection of healthcare technology I have working for and against me is the communication. That’s down to a science. While we might be informed time and again that emails are not secure communication, they are the fastest way to get the attention of my doctors and the best way for me to share information that they need to make decisions.

I’m loving that I can ask one doctor about symptoms, another about a prescription and set up an appointment with another all via email. That’s the way I communicate these days and I think the population of doctors have become more accustomed to doing business this way. I’m still careful not to share any specific info like hospital record numbers or minute details about my health. But I think this is where healthcare is headed.

I’m now waiting for the healthcare IT folks to actually spend some time on UX so their magnificent sites can be used by people like me and even those who are even more daunted by technology.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: