Security Corner

January 31, 2015  9:48 PM

What was that password?

Ken Harthun Ken Harthun Profile: Ken Harthun
Access Passwords, Administrator password, Password management, Security

crosswordpasswordI read with interest Jeff Cutler’s column The Lesson of the Bike Lock and Security Methodology. Great analogy, and I find this quite fitting: “The lesson today is not to have a lock you can’t use.” He’s referring to a combination lock with the combination known only to his father who had passed away: “Bike lock inaccessible. Useless. And no known plan to revive access,” he says. Who in IT hasn’t been confronted with taking over the post of a predecessor who failed to document (intentionally or otherwise) the password for a critical network device? In this case, it’s not quite as bad because there is often a procedure, albeit an arduous one, to reset the password and revive access. Still, it involves system downtime.

And that’s where today’s security lesson comes in. As much as we harp on folks to secure their data, computers, systems, personal effects and facilities, we haven’t offered much of a solution for recalling or securing the keys to the locks that keep your stuff…and your organization’s stuff…safe.

It’s not that solutions don’t exist; rather, I think it’s because we don’t take the time to properly implement them and educate people on how to use them.

What’s the best method for remembering a password? Do you just keep IT on speed-dial? Do you write it on a sticky not [sic] and put it under your keyboard? Don’t tell Ken that’s your plan…his eyeballs would pop out of his head!

Indeed! More likely that my head would completely explode, Jeff. These days, there are many ways passwords can be safely stored and passed along to successors without relying on sticky notes. I’ve advised estate planners and attorneys on simple methods for accomplishing this and I’ve written two posts, How will you pass on your passwords when you pass away? Part 1, and Part 2 that discuss this issue. Those posts don’t address procedures for an organization, so let me describe something that works quite well and isn’t complicated.

In my organization, there are four network administrators and a corporate office spread across three states. Any one of the net admins could be called upon to help out at another location or the corporate office in the regular guy’s absence, so having access to the passwords is vital. Here’s what we came up with:

  1. Each net admin created a password-protected spreadsheet containing all login information for every relevant device and service account for their location.
  2. Each campus president and office manager was given a copy of the spreadsheet and the document password for their location.
  3. Copies of all of the spreadsheets are in the custody of our IT manager at the corporate office.
  4. These spreadsheets are routinely updated as passwords are changed and old versions are retained.

How does your organization manage passwords?

January 31, 2015  4:24 PM

Email: The gateway to your online kingdom

Ken Harthun Ken Harthun Profile: Ken Harthun
cybercriminals, Email account, Email Address, Hackers, Security

Key to the KingdomEverybody has one and probably everybody takes it for granted–the email account. Until I read this blog post by Brian Krebs, I didn’t assign much importance to my email other than it being a convenient and fast means of communication. I’m sure that’s how most people see it. In truth, your email account is the center of your online universe and the gateway to your online kingdom; the password is the key. If a hacker gets hold of your account, he can gain access to everything that email is tied to: online services, merchants accounts, your blog, your website (if you have one), your photos, Facebook, Twitter, Skype, iTunes, the list goes on and on. If you use cloud services like Dropbox, Microsoft OneDrive, Google Drive and the like, he’ll have access to all of that, to

Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts –merely by requesting a password reset email.

A hacker using your email account can attempt to impersonate you to your bank and other financial institutions using information gained by reading your emails. (Yes, a smart hacker would gain all the information he could from your email conversations first. The more information, the easier to impersonate you online.)

Has this got you thinking yet? With all of the talk about strong passwords and two-factor authentication, do you think that it’s time you applied this to your email account(s)?, Hotmail/Live.comand all now offer multi-step authentication that users can and should use to further secure their accounts. Dropbox, Facebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.

It goes without saying that you should never, ever use your email account password for anything else.

So, while you’re thinking about it, come up with some good, strong passwords for your email accounts and set up the multi-step authentication on those accounts that offer it.

Don’t lose the keys to your kingdom.

January 30, 2015  11:12 AM

Security and Super Bowl XLIX

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
C-suite, CTO, Hack, IT, Log management, provisioning, Security

Here comes the 2015 Super Bowl. It’s Sunday (a couple days from now) and the New England Patriots will be playing the Seattle Seahawks to decide the championship of the NFL. What’s that have to do with security? Everything!

If we look at both these football teams, they are predicated on good security across the board. In the Seahawks’ case, their security is defensive. The entire team runs around the field with an energy similar to that emerging from a killer beehive. They chase the opposing quarterback, they smash running backs and receivers. They use their special powers to create fumbles and interceptions, knock players to the ground like a boxer does to his or her opponents, and often win games.


On the other side of the ball is the Patriots’ offense. Their security is based solely on protecting their golden-boy quarterback. The New England offensive line endeavors to give Tom Brady enough time to find open receivers, dump the ball off to his running backs and tight ends, and sometimes even run the ball himself.

It’s going to be quite a match this Sunday, but the takeaway lesson here is building your business so it has a strong offense and defense as well. In four points, we’ll look at that process.

First, your organization must be proactive (offensive) in thinking about what data it needs to secure and what systems and facilities are most valuable. By identifying these up-front, an effective protection plan can be put in place (that’s step three).

Step two is communicating your plan to your team and vetting your personnel. This included provisioning employees, deciding who has access to what systems, and implementing security protocols in case of a disaster, loss, breach or other security event. Further, you need to get IT and the C suite on the same page – it’s a teamwork thing and it’s not solely in the NFL. It affects EVERY organization.


You’re all working from the same playbook, so you educate everyone about their particular role and responsibility when it comes to keeping the business and its property safe.

Step three is the protection plan. This is your Seattle defense step. You need to be vigilant in log management and evaluating possible weak points in your systems. To do this correctly, you should focus on scenarios that might occur in house or from outside agencies. Also take a little time to educate yourself and your whole team about what’s happening to your less-prepared competitors. Are they the Targets and the Home Depots? You can learn from their mistakes.

Fourth and final step is response. In the same way Seattle will try (and probably succeed) in intercepting Patriots passes, you need to respond quickly and decisively to events. Ensure that a breach of your technology or physical plant is identified and closed quickly. Get your players trained in how to respond, who to look to for guidance and when to rein in your perimeter and tighten your defenses.

I’m hoping for an eventful football game this Sunday. I’m also hoping your business processes are less eventful and more successful now that you know a bit more about how to secure your playing field.

January 29, 2015  4:13 PM

The Lesson of the Bike Lock and Security Methodology

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Data, IT, Security

We had a storm in Boston. A blizzard, really. While it wasn’t ridiculously devastating, it did knock out some power, brought production and travel to a standstill, and cost a bit of money to recover from. I tell you this so I can tell you about a problem I had with a bike lock.

You see, I wasn’t in Boston for the blizzard. Anyone with any sense at all hopped on a plane before the storm and got out of town. Who wants to be snowed in and dealing with 11-degree temperatures if they can be on the beach in Florida? That’s right, nobody. So I flew to Florida for a few days.


Interestingly, the storm also knocked out computers at airlines and overwhelmed some systems so data wasn’t accessible and flights weren’t scheduled…but that’s a topic for another column. Today, let’s talk about bike locks.

On the island of Sanibel, FL, the primary mode of transportation SHOULD be bicycles. There are bike paths the length of the island and experiments conducted by my wife and I have proven that biking around is quicker than driving a car.

Every store, restaurant and public building has bike racks nearby and there is plenty of educational literature on how folks are to access and use the bike paths. Some of the bike-path instructions even suggest you not text and ride while on your bike.

But nowhere does it suggest that you use a bike lock to secure your bike. It’s a strange concept for someone who grew up in a major city where bikes and bike theft were an industry. In fact, Kryptonite Lock is based in Massachusetts – mostly because they wanted to create a solution for the bike theft issue.


Regardless, I wanted to lock my bike and actually located a lock in the garage at my parent’s house. Coincidentally it was a Kryptonite-brand lock and looked to be in pretty good shape. But I didn’t have the combination.

And that’s where today’s security lesson comes in. As much as we harp on folks to secure their data, computers, systems, personal effects and facilities, we haven’t offered much of a solution for recalling or securing the keys to the locks that keep your stuff…and your organization’s stuff…safe.

What’s the best method for remembering a password? Do you just keep IT on speed-dial? Do you write it on a sticky not and put it under your keyboard? Don’t tell Ken that’s your plan…his eyeballs would pop out of his head!

In the case of my found bike lock, the combination was known to only my father. But he passed away a few years ago. Bike lock inaccessible. Useless. And no known plan to revive access.

In our business, this happens less frequently than you might think because there are certain checks and balances in place. There are also systems’ back doors where IT can get in even if an employee or malicious agent damages the front end or changes passwords and admin access.

The lesson today is not to have a lock you can’t use. Find out how well your data and facilities are protected. Then ensure there are friendly agents in place who can provide access should your normal means get usurped. Ultimately, the use and access to your data is worth the time it might take to implement additional authentication steps.

Have you ever lost data because you secured it too well? Let me know in the comments!

January 29, 2015  2:19 AM

Ten steps to protect your finances online

Ken Harthun Ken Harthun Profile: Ken Harthun
Credit Card Fraud, Credit cards, Cybercrime, Ecommerce applications, Online banking, Security

piratescopeIt seems like every time you turn on the TV or radio these days, there’s news of another major security breach. Cyber-crime is rampant and the landscape doesn’t seem to be improving much, if at all, despite the good guys’ efforts. So what is one to do? You can avoid shopping online altogether (probably now nearly impossible for most of us), or you can take reasonable steps to be as safe as possible when transacting business over the internet. Here are ten steps you can and should put in place.

  1. Shop only on secure web sites. Before you enter any credit card information into a web site, make sure it is secure. Look for https:// in the address bar of your browser. If you don’t see it, shop elsewhere.
  2. Never transact business over public wi-fi. You have no way of knowing if the connection is secure. There may be others eavesdropping on the traffic, trying to steal your information.
  3. Never transact business on a public computer. Hotels, libraries and airport kiosks, to name a few, often provide free “business services” that include publicly accessible computers. These are safe only for looking up information on the web. Never use them to log into anything, including your email. You have no idea what is lurking there, nor do you know what security measure are — but probably aren’t — present.
  4. Secure your home network. At the very least, install a router between your cable modem and your computer and turn on any firewall capabilities it has. Use a software firewall and antivirus and antimalware software on your computer.
  5. Configure alerts for your bank and credit card accounts. Most, if not all banks and credit card companies have features that allow you to set up email or text alerts for certain transactions.
  6. Use credit cards instead of debit cards. Credit cards usually have fraud protection and will allow you to dispute any charges you feel are unauthorized. With a debit card, the money leaves your bank account immediately and may take months to recover.
  7. Use hard-to-guess, complex passwords. Use hard-to-guess, complex passwords. Use hard-to-guess, complex passwords. There are plenty of articles on this site that tell you how to create and use hard-to-guess, complex passwords.
  8. Never directly answer or respond to an email from your bank. If you need to contact them, use the phone. Criminals have become very good at making their fraudulent emails look legitimate. It goes without saying that you should never click on any links in any email.
  9. Update everything, always. Keep your computers, smart phone, tablets and any other internet-connected device up to date with the latest security patches. This is even more important for the applications you use on these devices to access your financial accounts online.
  10. Stay alert. There is nothing that works better than good old-fashioned vigilance. Review your balances and transactions regularly to make sure everything is in order. If it doesn’t seem right (like that $5.96 charge you don’t remember making), take steps to notify your financial institution immediately.

This may seem like a lot to think about, but it’s really just common sense and once you develop these safe habits, they will serve you without much effort on your part.

Be safe!

January 29, 2015  1:36 AM

EMV is coming to America

Ken Harthun Ken Harthun Profile: Ken Harthun
Authentication, Credit Card Fraud, Credit cards, EMV, Security, Smart Cards

emv_card_300wOn October 1, 2015, the liability for fraudulent, in-person payments will begin to shift to the merchant. If an EMV card is used in a transaction at a business that does not accept chip and pin payments the merchant can be liable for the transaction.

What is EMV, you ask?

Named for Europay, MasterCard,® and Visa,® EMV is a new US card payment technology with a chip designed to enhance security and decrease fraud. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

This is a big step toward making it nearly impossible for criminals to clone cards and will reduce the fraud from lost or stolen cards through the cardholder verification method (CVM). According to Wikipedia:

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:

  • Signature
  • Offline plaintext PIN
  • Offline enciphered PIN
  • Offline plaintext PIN and signature
  • Offline enciphered PIN and signature
  • Online PIN
  • No CVM required
  • Fail CVM processing.

The terminal uses a CVM list read from the card to determine the type of verification to be performed. The CVM list establishes a priority of CVMs to be used relative to the capabilities of the terminal.

You’ve probably heard the term “chip and PIN” bandied about in conversations about this technology. These are cards that require the cardholder to enter a four- to six-digit Personal Identification Number when making a purchase at terminals that have such capability. The chips in these cards have PIN listed as a priority for CVM and usually also specify a fallback to signature if the terminal isn’t equipped for PIN use.

One of the interesting aspects of these “smart cards” is that the issuer can send commands to them. The commands can be used to update cards, change PINs, block cards, etc.

It’s a fascinating technology and we’ll be hearing more about it as it passes into general use. Probably the best source of information about the EMV standard and its implementation is the Smart Card Alliance site. You might want to check out their white paper, Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization.

January 23, 2015  9:04 PM

Microsoft sues bogus tech support companies

Ken Harthun Ken Harthun Profile: Ken Harthun
Cybercrime, cyberscams, Lawsuits, Microsoft, Security, Technical support

managing-passwords-2012_06Microsoft is suing Consumer Focus Services, a Los Angeles-based company. They are known to operate under various names including Omni Tech Support, FixNow Tech, and Techsupport Pro. You can read the (PDF) complaint if you have a taste for legalese. In the complaint, Microsoft alleges trademark infringement, unfair competition, false advertising, and cybersquatting among other things. They seek an injunction against the defendants and an unspecified amount of damages.

Courtney Gregoire, Senior Attorney for Microsoft’s Digital Crime Unit posted a video and blog about the action. In that post she says that the company “has received over 65,000 customer complaints” about tech support scams. In the video, Kirsten Kliphouse, Corporate V.P. Customer Service & Support, says that over 3 million customers [last] year alone have been impacted by fraudulent scams.

Ms. Gregoire passes along this advice for avoiding becoming a victim of a tech support scam:

If someone claiming to be from Microsoft tech support, or affiliated with Microsoft, calls you:

  • Do not purchase any software or services.
  • Ask if there is a fee or subscription associated with the “service.” If there is, hang up.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
  • Take the caller’s information down and immediately report it to your local authorities.
  • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.

Also, like some well-known government agencies, Microsoft NEVER cold-calls its customers, especially about technical support.

January 22, 2015  1:48 AM

PayPal proactive security measures

Ken Harthun Ken Harthun Profile: Ken Harthun
Credit Card Fraud, Data security standards, Fraud prevention, Paypal, Security

Received an email from PayPal. Nothing unusual there, I get them all the time because I’m quite active on eBay both as a buyer and seller. The subject line read, “Your New PayPal Debit MasterCard® Is On The Way.” I was a bit puzzled by this since my card is good until 2016. I opened the message and was greeted with this:

We are sending you a new PayPal Debit MasterCard that will replace your card ending in XXXX. This is a precaution we are taking to help protect your funds in light of an account review that indicates you made a purchase at a retailer that has recently announced a data compromise.  Please note that we are not affiliated with this retailer and do not have specific evidence that your account has been compromised. This is an extra layer of security to help you avoid any potential risks.

. . .

Our experienced Fraud Detection team will continue to monitor your account to help identify any unusual activity. However, it is important that you monitor your account closely, and report any unauthorized transactions immediately.

Well, I don’t know who that retailer might have been, but it is good to see PayPal taking such proactive measures.

Do the other card companies take the same kind of care for their cardholders?

January 18, 2015  7:06 PM

No more advance notice on Patch Tuesday fixes from Microsoft

Ken Harthun Ken Harthun Profile: Ken Harthun
Microsoft, Microsoft Patch Tuesday, Security, Windows Patch Management
I'm fed up with Microsoft!

I’m fed up with Microsoft!

Yes, you read that right: Microsoft is canceling its Advance Notification Service (ANS) for regular customers (i.e., you and me). If you want you it, you’ll have to pay for it. The announcement was made in a blog post on January 8, 2015.

We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.

So, those of us who rely on knowing what’s coming to plan our response to the frequent bugs that updates seem to cause, will now be forced into waiting.

ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.

I guess us small fry don’t matter (not that we ever really did).

January 12, 2015  6:00 PM

Getting Locked Out! How much security is too much?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Business, Customers, home, ROI, Security

Sometime in October of 2014 I got locked out of my house. The back door has a lock in the handle and a deadbolt. For some reason my keys were inside on the counter as I went out on the deck and pulled the door shut behind me. I immediately realized two things.


1 – That my iPhone was still in my hand. Underscoring the results of studies that say more people are prone to leave wallets and bags in taxicabs than they are to relinquish their phones.

2 – That in my quest to make my home more secure, I had ensured that all previous ‘hide-a-keys’ and easy ways into the dwelling were eliminated. No more was there one window left unlocked. No more was there a key under the monument on top of the cat grave in the back yard.

I was locked out. Which then made me do two things. Call my wife and let her know that I was an idiot. Ponder how much security is necessary when everyone is gunning for you. Especially these days when hackers are all out to breach any system they can and thieves are more desperate than ever to steal anything of value.


From a business standpoint, is it wise to lock down your enterprise so well that there are no back-door entrances? Is it smart to streamline your security to the point that it’s like running a gauntlet if you need to access a file or a facility?

Perhaps that’s the future. Businesses that put all their info into an impenetrable vault. But the issue then is productivity/efficiency and access. No one system for locking your facility or data has borne out as the ideal. What works for you might not work for other industries or even your competitors.

The bottom line is to find the system or situation that allows you to function as well as you can while keeping your stuff (and your customers’ data) safe.

BTW, I got back into the house by a method I choose not to share here.

What are you doing to keep your data, your company and yourself safe? Share that here in the comments! Thanks!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: