Security Corner

April 30, 2013  4:40 PM

!!!!!!!!!! RED ALERT for YOUR COMPUTER – Not!

Ken Harthun

I guess the goofiness runs in cycles or waves. Variations of this hard-drive-burning-most-destructive-virus-that-ever-existed hoax have been floating around in email since email went public. Makes me want to tear my hair out. This one was recently seen floating around on Facebook:


Please circulate this notice to your friends, family and contacts!

In the coming days, warning: do not open any message containing an attachment called Archive (Windows live) regardless of who sends you. This is a virus that burns the entire hard disk. This virus comes from a known person you have in your mailing list, which is why you should send this message to all your contacts. If you receive a message called "UPDATING WINDOWS LIVE", even if is sent by a friend, do not open it and stop immediately. This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus that ever existed. The virus was discovered yesterday afternoon by McAfee, and there is no chance of repair for this type of virus. Simply destroys Sector Zero of the hard disk. Just copy and paste..

C’mon, people! A simple check of would reveal any such virus hoax.

April 30, 2013  12:57 PM

Same password for every site. Will they ever learn?

Ken Harthun

From Naked Security:

A study by Ofcom, the UK communications watchdog…, “Adults’ Media Use and Attitudes Report 2013”, [comprising] a poll of 1805 adults aged 16 and over discovered that 55% of them used the same password for most – if not all! – websites.

Unbelievable! Will they ever learn? It’s precisely this kind of thing that gives us Network Administrators nightmares, especially when these same people are given access to resources on our networks. Don’t they realize that if one site gets compromised, the hackers have access to all of them?

This is compounded by the types of passwords people tend to use, i.e., easy-to-remember passwords such as birthdays, pet names, etc. The study found that 26% of the people polled do this.

If you are one of these people, or if you know someone who is, please see to it that the passwords get fixed as soon as possible.

April 29, 2013  7:49 PM

Log out and shut down!

Ken Harthun

Are you one of those people who leave their computers logged into everything all the time? If not, then good for you, but I bet you know someone who does. It’s a bad idea. Even if you run with a limited user account, you’re at risk. An XKCD cartoon does a fine job of illustrating.

Log out of those sites and shut down your PC or laptop.

April 28, 2013  11:54 PM

“Memory Hard Problem” thwarts password cracking

Ken Harthun

In one of his famous “propeller head” episodes, Steve Gibson of Security Now! podcast fame describes an algorithm that thwarts even the most powerful super computers’ attempts at cracking passwords. Episode 388 [MP3] in January, 2013 describes an ingenious method of requiring huge amounts of memory for each hash function iteration, effectively crippling even the best tools that cyber-criminals can deploy.
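The post does not name the algorithm, so this added example (not code from the podcast or this blog) uses scrypt from Python's standard library as one memory-hard function. The cost parameters and the sample passwords are assumptions chosen here; the point is that every single guess must hold the full working set in RAM.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (not from the post): N = CPU/memory cost,
# r = block size, p = parallelism. scrypt needs about 128 * N * r bytes per guess.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024  # ceiling handed to OpenSSL, above the working set


def memory_per_guess(n=N, r=R):
    """Approximate RAM in bytes that one scrypt evaluation must hold."""
    return 128 * n * r


def hash_password(password, salt=None):
    """Return (salt, derived_key); a fresh random salt is made if none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                         maxmem=MAXMEM, dklen=32)
    return salt, key


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def parallel_guess_budget(ram_bytes):
    """How many guesses fit in RAM at once, which caps parallel cracking."""
    return ram_bytes // memory_per_guess()


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")  # constructed sample
    print("stored:", salt.hex(), key.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, key))
    print("MiB per guess:", memory_per_guess() // 2**20)
    print("guesses in flight on a 4 GiB card:", parallel_guess_budget(4 * 2**30))
```

Raising N doubles both the time and the memory for every guess, which is what separates this from an iterated fast hash that a cracking rig can run thousands of times in parallel.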

The podcast is nicely summarized in this AskMisterWizard video:

April 19, 2013  4:30 PM

Video: The Internet Password Minder Protector Minder

Ken Harthun

WARNING! May cause serious guffaws leading to tears and abdominal pain.

Hats off to Ellen DeGeneres for exposing a useless and insecure product–Internet Password Minder–and doing it in an amusing way while helping to raise awareness of password security issues.

And thanks to Naked Security for bringing it to my attention. Seriously funny.

April 17, 2013  3:04 PM

Despicable cyber-slugs exploiting Boston Marathon bombing with Trojan attack

Ken Harthun

Despicable, but it’s always inevitable in the wake of any human tragedy. Cyberslugs (I won’t elevate them to cybercriminal status, though they are certainly criminals) are using the Boston Marathon bombing to spread malware. Spam emails claim to contain a link to video of the bombing. The links vary but take you to a website that attempts to infect your computer with a Trojan horse. The videos are, in fact, real YouTube videos that disguise the malicious activity.

Subject lines of the emails vary, but include:

  • 2 Explosions at Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • Video of Explosion at the Boston Marathon 2013

According to Sophos’s blog, nakedsecurity:

If installed, the malware makes changes to the Registry and installs the following files, allowing hackers to gain remote access to infected computers:


The file NPF.sys is registered as a new service named “NPF”, with a display name of “WinPcap Packet Driver (NPF)”.

Never accept “news” from other than legitimate news sources, especially not from unsolicited emails.

April 9, 2013  1:44 AM

Could my client’s server be part of the Spamhaus DDoS attack?

Ken Harthun

In the wake of what is reported to be the largest DDoS attack ever–actually a DNS amplification attack–I received a message on behalf of one of my clients that indicated his server has been shut down because of an outbound DoS attack originating from it. How it got infected, and with what, I don’t know, but something is surely amiss. I wonder if his server could be part of that massive attack. Here’s a redacted excerpt from the notice I received:

Your <redacted> Server was found to be part of a network of compromised machines
leading a Distributed Denial-of-Service Attack (DDoS Attack) against other servers.

IMPORTANT: In order to prevent further criminal activity from your <redacted> Server,
we have suspended access pending an investigation and resolution.

The logs they sent me show UDP packets indicating that this could be part of a DNS amplification attack. Take a look:

Please see the firewall logs below for details:
1365103763.526228 IP > UDP, length 1
1365103763.526232 IP > UDP, length 1
1365103763.526234 IP > UDP, length 1
1365103763.526236 IP > UDP, length 1

That’s all I know for now. I have to contact the provider, open a window of time to gain access, and secure the server. I’ll keep you posted.
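As an added example (not part of the provider's notice or the original post), here is one way to triage a firewall log like the excerpt above: group the UDP records by flow and flag any flow whose packet rate is far beyond normal traffic. The addresses, ports and the two slow DNS lines are constructed placeholders, since the originals were redacted; the timestamps and lengths of the first four lines mirror the notice, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# tcpdump-style record: "<epoch>.<usec> IP <src>.<port> > <dst>.<port>: UDP, length <n>"
LINE = re.compile(r"^(\d+)\.(\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

# Constructed sample: documentation-range addresses stand in for the redacted ones.
SAMPLE_LOG = """\
Please see the firewall logs below for details:
1365103763.526228 IP 192.0.2.10.40000 > 198.51.100.7.80: UDP, length 1
1365103763.526232 IP 192.0.2.10.40000 > 198.51.100.7.80: UDP, length 1
1365103763.526234 IP 192.0.2.10.40000 > 198.51.100.7.80: UDP, length 1
1365103763.526236 IP 192.0.2.10.40000 > 198.51.100.7.80: UDP, length 1
1365103760.100000 IP 192.0.2.10.51515 > 203.0.113.53.53: UDP, length 33
1365103765.900000 IP 192.0.2.10.51516 > 203.0.113.53.53: UDP, length 41
"""


def summarize(log_text):
    """Group packets by (source host, destination host, destination port)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip headers and anything that is not a UDP record
        sec, usec, src, _sport, dst, dport, length = m.groups()
        flow = flows[(src, dst, int(dport))]
        flow["packets"] += 1
        flow["bytes"] += int(length)
        # Integer microseconds: floats lose precision at epoch scale.
        flow["times"].append(int(sec) * 1_000_000 + int(usec))
    return flows


def flag_floods(flows, min_packets=4, min_pps=1000):
    """Return flows whose packet rate is at least min_pps (assumed threshold)."""
    flagged = []
    for (src, dst, dport), flow in flows.items():
        span_us = max(flow["times"]) - min(flow["times"])
        if flow["packets"] < min_packets or span_us == 0:
            continue  # too little data to estimate a rate
        pps = (flow["packets"] - 1) * 1_000_000 / span_us
        if pps >= min_pps:
            flagged.append({"src": src, "dst": dst, "dport": dport,
                            "packets": flow["packets"], "pps": round(pps),
                            "avg_len": flow["bytes"] / flow["packets"]})
    return flagged
```

Calling `flag_floods(summarize(SAMPLE_LOG))` reports the one flow sending at roughly 375,000 packets per second, along with its average payload size, which helps judge what kind of traffic the server was emitting.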

March 31, 2013  10:17 PM

Beware of Easter holiday scams

Ken Harthun

I know I probably don’t have to mention this, but beware of scammers targeting the Easter holiday. Same tricks, different holiday. (I know this is a bit late in coming since it’s already late on Easter Sunday, but it’s just as valid for next year.) Some examples:

  • Emails with the subject “Happy Easter.” Make sure they are actually from someone you know and don’t click any links or open any attachments until you have verified that the sender is who they say they are.
  • Fake ads for animals such as bunny rabbits and ducklings. Buy them live from a local dealer. Don’t have them shipped.
  • Solicitations by “charities” using the Easter holiday as the motivator. One such scam I have seen tugs your heartstrings by showing hungry children and tying it to Easter’s resurrection theme. Don’t fall for it.
  • Cheap “clearance” sales of Easter candy. Some of it has been known to be five years old and rancid. It could make you or your children sick.
  • Cheap Easter toys and baubles that come from countries that still use lead-based paints.

And, for those of you who celebrate the holiday, Happy Easter!

March 31, 2013  3:12 PM

Humor: Windows 98 BSOD at Comdex 1998

Ken Harthun

This isn’t exactly security related, but it’s a good laugh and we all need to take things less seriously now and then. Saw this on the Petri IT Knowledgebase site:

If you’ve ever used a Microsoft Windows OS over the last decade or so, you’ve undoubtedly come across the infamous blue screen of death, more commonly referred to by the acronym BSOD. Arguably the most famous BSOD sighting was at Comdex in 1998, when Microsoft exec Chris Capossela — now Microsoft’s Chief Marketing Officer — was demonstrating the still-in-development Windows 98 to an assembled throng of Comdex attendees, with Microsoft co-founder and then-CEO Bill Gates by his side. The rest, as they say, is history, as shown by this humorous video clip:

March 30, 2013  3:01 PM

Spamhaus target of massive DDoS attack

Ken Harthun


If you have noticed a bit of sluggishness on your internet connection in the past week or so, it could be due to the most massive DDoS attack ever recorded. Here’s what’s happening according to Naked Security:

A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, a non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.

How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

Ouch! That’s huge. It seems that many primary internet backbones (“tier 1 service providers”) are being overwhelmed by the volume of traffic. That’s why you may have noticed the slowdown on the internet. I certainly did, but since it was most prevalent where I work, I didn’t think much of it. Our bandwidth is always strained when school is in session. I did find it a bit odd that my home connection seemed sluggish. It all became clear with the report of the DDoS attack.

So, if large botnets aren’t capable of delivering such a volume of traffic, what is causing it? It’s a large-scale DNS amplification/reflection attack that takes advantage of misconfigured DNS servers that allow anyone to query them without any filtering or rate-throttling. It’s a huge problem, as there are reportedly more than 21.7 million such servers online (Open Resolver Project). A Microsoft TechNet article provides a high-level summary of this type of attack:

A DNS amplification attack (aka DNS reflection attack) is a type of distributed denial of service (DDoS) attack that takes advantage of the fact that a small DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system by initiating relatively small DNS queries.

I’ll leave it at that for now. I plan to give a more detailed analysis in a future post.
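The two controls those misconfigured servers lack, filtering and rate-throttling, can be modelled in a few lines. This is an added example, not code from the post or from any DNS server: `ResolverPolicy`, the packet sizes, the networks and the limits are all hypothetical values picked for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed packet sizes for illustration; real sizes depend on the query.
QUERY_BYTES, ANSWER_BYTES, REFUSED_BYTES = 64, 3000, 64


class ResolverPolicy:
    """Client ACL plus per-prefix token bucket (hypothetical model, IPv4 /24)."""

    def __init__(self, allowed_nets, rate_per_sec, burst):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = defaultdict(lambda: {"tokens": float(burst), "ts": None})

    def decide(self, src_ip, now):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.allowed):
            return "REFUSED"  # filtering: strangers get no recursion
        bucket = self.buckets[ipaddress.ip_network(f"{src_ip}/24", strict=False)]
        if bucket["ts"] is not None:  # refill for the time since the last query
            refill = (now - bucket["ts"]) * self.rate
            bucket["tokens"] = min(self.burst, bucket["tokens"] + refill)
        bucket["ts"] = now
        if bucket["tokens"] < 1:
            return "DROPPED"  # throttling: this prefix is over its budget
        bucket["tokens"] -= 1
        return "ANSWERED"


def replay(policy, queries):
    """Run (src_ip, time) pairs through the policy; return verdicts and bytes sent."""
    verdicts = Counter(policy.decide(src, now) for src, now in queries)
    sent = verdicts["ANSWERED"] * ANSWER_BYTES + verdicts["REFUSED"] * REFUSED_BYTES
    return verdicts, sent


def open_resolver():
    # Answers anyone, effectively unthrottled: the misconfiguration described above.
    return ResolverPolicy(["0.0.0.0/0"], rate_per_sec=10**9, burst=10**9)


def restricted_resolver():
    # Recursion only for the operator's own clients, 5 answers/s per /24.
    return ResolverPolicy(["10.0.0.0/8"], rate_per_sec=5, burst=10)


if __name__ == "__main__":
    spoofed = [("198.51.100.9", 0.0)] * 100  # source field names the victim
    for name, make in (("open", open_resolver), ("restricted", restricted_resolver)):
        verdicts, sent = replay(make(), spoofed)
        print(name, dict(verdicts), f"{sent} bytes out for {100 * QUERY_BYTES} bytes in")
```

With these constructed sizes the open configuration returns 300,000 bytes toward the spoofed address for 6,400 bytes of queries, while the restricted one returns only short refusals and caps even its own clients at the bucket rate.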
