Security Corner

January 18, 2010  3:06 AM

“14 Golden Rules of Computer Security” Released

Ken Harthun Ken Harthun Profile: Ken Harthun

It’s finally done! “14 Golden Rules of Computer Security” is now complete and for a limited time, I’m making it available to all of my readers here and on Ask the Geek for free download.

If you’ve been following my posts, you’ve already see the individual article series posted here.

All you have to do is visit this page, sign up and download your copy. Tell all your friends and associates to go get their copies, too.

Leave me feedback after you get a chance to read it.

Here’s that link again:

January 14, 2010  9:17 PM

Beware Haiti Spam & Phishing Emails

Ken Harthun Ken Harthun Profile: Ken Harthun

With the recent earthquake disaster in Haiti, everyone should beware of any emails or solicitations on social networking sites asking for donations to help the citizens of Haiti. The cyber-slime out there typically begin exploiting the gullible shortly after such an event. This comes via

Security software company Symantec says it typically starts seeing spam and phishing e-mails seeking money, “donations” or access to bank accounts about 24 to 48 hours after after news of a major tragedy such as Haiti’s.

And it’s not just e-mails that need to be closely monitored. It’s social networking sites like Twitter and Facebook, as well as fake Web that sites can pop up as fast as the news itself. There’s also the problem of “search engine poisoning,” which “we’re seeing limited examples of already” in the quake’s aftermath, said Joris Evers of McAfee security software.

The FBI gives tips to avoid getting scammed:

Before making a donation of any kind, consumers should adhere to certain guidelines, to include the following:

  • Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
  • Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
  • Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
  • Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

Anyone who has received an e-mail referencing the above information or anyone who may have been a victim of this or a similar incident should notify the IC3 via

Here’s more good advice from the Better Business Bureau: BBB Advises Donors on How to Vet Haiti Earthquake Charity Appeals.

By all means, help; just make sure your help is funneled in the right direction.

January 11, 2010  12:45 AM

Survey: IT Security Challenges 2010

Ken Harthun Ken Harthun Profile: Ken Harthun

2010 is here and the IT security landscape is more active than ever. Web 2.0 is now a hotbed for crackers and identity thieves, not to mention hate mongers, jilted girlfriends, jealous boyfriends, and what-have-you. We IT Geeks are facing new challenges every day and it will be more of the same in 2010.

What challenges will you face and how will you meet them? What tools and information will help you mitigate the threats?

Please take my IT Security Challenges 2010 survey to help me help you meet the security challenges you’ll face this year. I’ll do my best to focus on what you tell me you need.

Click here to take survey

January 6, 2010  1:37 AM

ABA Recommends Using Dedicated PC for Online Banking

Ken Harthun Ken Harthun Profile: Ken Harthun

This is an idea that has been floating around for awhile. I recommended Convert a USB Thumb Drive into a ROBAM. (ROBAM means read-only bootable alternative media.) Now, the ABA is recommending that businesses use a dedicated PC for online banking. This from SANS News Bites Vol. 12 No. 1:

The American Bankers’ Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions.  Of special note is the recommendation that businesses use
a dedicated PC that is never used for email or web browsing to conduct online banking transactions.

My take on this would be to set up a PC with Microsoft’s Steady State, disable any Internet access except to the bank’s online application and uninstall Outlook Express. I would make a completely locked down and hardened installation of Windows with all services disabled except for essentials. Assign a static IP address to the machine. I would use a software firewall and disable all ports except 80 and 443. Of course, anti-malware software would be essential.

Make the machine so difficult to p0wn that the bad guys give up. It can be done.

December 31, 2009  11:30 PM

Thanks, Readers and Happy New Year

Ken Harthun Ken Harthun Profile: Ken Harthun

Once again, another year is behind us and not an uneventful one. As you may have noticed, in July I began doubling my posts here and I’m sure that contributed to the increase in readership of Security Corner over the past few months.

For that, I say thank you for being a valued reader. Knowing that you’re paying attention and that my thoughts and advice are useful is what keeps me going. The 14 Golden Rules of Computer Security seems to have been a popular series of posts based on comments I have received. I also have quite a bit of fun, especially with article series like the Hacking Skills Challenge. There will be more of those in 2010.

Unless you tell me otherwise, I will continue along in this manner in the new year. But don’t be shy; I welcome all comments, suggestions and feedback. If there is some particular aspect of security you’d like to see me put a spin on, let me know.

One more thing: I’m going to release “14 Golden Rules of Computer Security” in January. I will post a special link here to a free download. Keep an eye out for that.

Have a Happy and Prosperous New Year!

Ken “The Geek” Harthun

December 31, 2009  9:27 PM

New Years Eve Security

Ken Harthun Ken Harthun Profile: Ken Harthun

I know I don’t have to tell you, but if you drink, don’t drive, especially tonight. There are going to be plenty of revelers out there who don’t heed such advice. If you don’t have to go out, don’t. If you want to party hearty, do like my wife and I do every year and stay home, maybe with a few friends or family members who can spend the night.

That said, if you do plan to go out and party, leave your wallet or purse at home. Carry only your ID (driver’s license) and sufficient cash to get you through the night. Keep everything in your front pockets and rather than a large wad of bills, break it up into a couple of smaller batches. Drinking sensibly will keep you from doing something completely stupid. Better option is to carry cash for a cab ride home (or at least a tip–many cab companies will offer free cab rides tonight) and pay your bar tab with a credit card. You could lose all your cash; a credit card is replaceable.

Have fun. Celebrate. But be safe, okay?

December 31, 2009  8:38 PM

Web 2.0 Security: Crossover of Personal to Professional Online Presence

Ken Harthun Ken Harthun Profile: Ken Harthun

In addition to Facebook, MySpace, or other social networks we use for personal interaction, many of us also maintain a professional presence on networks like LinkedIn. Makes sense; business is business, personal is personal, right? Wrong. There’s no way you can prevent those partying pictures from ending up in front of your colleagues on LinkedIn if one of your “friends” wants to post them. Heaven forbid your boss ever sees them.

Nothing is private on the socials; you have to consider everything public. What you write in posts on your own wall, others’ walls, comments, your tweets if you have them linked to your Facebook, is out there just like a 20-foot high billboard on a busy expressway. And the consequences of revealing things that are better kept private can range from mildly embarrassing to loss of professional reputation and employment. Employers often access the socials to conduct a pre-check on a prospective employee to find out how they function away from the work environment.

What to do? Here’s some advice:

  1. If you’d be embarrassed if someone found out about it, don’t post a photo or talk about it.
  2. If you hate your job, find a better one; don’t whine online. See “How To Lose a Job Via Facebook In 140 Characters or Less.”
  3. On Facebook, use the new privacy settings to be very choosy about who can see what.
  4. Be aware of the connections you have in common on both personal and professional networks.

December 30, 2009  9:04 PM

Web 2.0 Security: Weaponized OpenSocial and Other Social Networking Applications

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’re on it, you’ve seen the Facebook messages: “You have a give a heart request;” or, “<name> sent you a hug;” or one of dozens of others. Most of these social networking applications are benign; nevertheless, there’s always a risk associated with them. Think about it; you’re allowing some third party software access to your profile and this is just one more attack vector for the social networking miscreants. You really have no way of knowing for sure that an application is safe until it’s too late. Case in point from The Seven Deadliest Social Networking Hacks:

A rogue application called “Secret Crush” was circulating around Facebook earlier this year, spreading spyware instead of love. (See ‘Secret Crush’ Spreads Spyware, Not Love.) It sent victims an invitation to find out who has a secret “crush” on him or her, and lured them into installing and running the Secret Crush app, which spread spyware via an iFrame. The attack got more advanced and worm-like when it required the victim to invite at least five friends before learning who their “crush” was.

This is an example of an application deliberately written as a weapon of attack, but as we all know even the best applications have security holes. Considering the social sites are under constant attack by crackers, those security holes can be exploited to compromise your profile, your pages, even your PC. So the next time someone wants to send you a virtual hug,  heart or handshake, don’t just blindly accept it.

December 30, 2009  8:00 PM

Web 2.0 Security: Spam and Bot Infections

Ken Harthun Ken Harthun Profile: Ken Harthun

On the socials, spam is typically used for plain old advertising, click fraud and bot recruitment. The attackers hijack accounts and use their address books to spread spam, worms, or other malware. In my last post, I told you about how my Twitter account was hijacked to spread spam; fortunately, that spam was relatively innocuous, simply meant to recruit more victims whose accounts could be hijacked. However, it could have been intended for more nefarious purposes; I caught it before it got beyond a few spam tweets.

No one on the socials is immune to this, even security wonks like me. The other day, I fired up Skype and was immediately greeted by “Software Update” who informed me that “WINDOWS REQUIRES IMMEDIATE ATTENTION” and it provided me with a link. Of course, it’s bogus and had I clicked the link, I would probably have been infected with a bot or some other malware.

The same rules that apply to email spam apply to spam posts, comments, tweets, chats, even Skype contact requests. Let me refresh your memory on a few of the important ones:

  1. Don’t accept unsolicited messages from someone you don’t know.
  2. Never click on links in unsolicited messages.
  3. “Hot” girls or guys are NOT looking to meet you–that’s a ploy to get you to click. Don’t!
  4. Your bank will not notify you by email if there is a problem with your account.
  5. Neither will your credit card company.

December 27, 2009  3:36 PM

Web 2.0 Security: Watch Those Passwords

Ken Harthun Ken Harthun Profile: Ken Harthun

Far too many people use weak passwords and then use the same weak passwords over and over again on the Web. Using a weak password is bad enough; using it in more than one place is lunacy. The worst place for a weak password is your electronic banking site, of course, but using one any Web 2.0 site can also put your personal information at risk. Let’s take Twitter, for example.

Most people probably wouldn’t think of Twitter as a sensitive site, but recall the previous article about impersonation. Compromise a Twitter password and you can easily pose as the account holder. You could then wreak all manner of havoc on the person’s reputation not only on Twitter, but on every site where the account is linked. Recently, someone managed to get hold of my Twitter password when I tried one of those “get follower” services that someone else recommended. Fortunately, all the thief did was spam messages about their “service,” but there were a few hours there where it appeared I was guilty of spamming. I lost quite a few followers and had to deal with a barrage of questions from my friends on other networks.

Twitter management is aware of the importance of strong passwords and will not allow you to set up an account with any of 370 commonly used weak ones. The list is right there in the source code of the sign up page if you care to look (view source and search for “banned passwords”); you can also see them in The Washington Post article “370 Passwords You Shouldn’t (And Can’t) Use On Twitter.” If you’re guilty of using any of those, change them immediately.

Here are some good policies to put in place:

  • Use strong passwords on all Web 2.0 sites
  • Do not use the same password more than once anywhere on the Web.
  • Particularly on Twitter, do not input your password into any third party site you are not absolutely sure is trustworthy
  • Periodically change your password

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: