Security Corner

January 1, 2015  8:29 AM

Paranoia and Personal Security – Redux

Jeff Cutler
Data, Mobile, Security, Technology

I got a lot of feedback for my last column of 2014 and not all of it was complimentary. You see, some of the theories I shared and opinions I voiced were based on a decade of being an early adopter of new technology. It placed me in a land where my perspective was polluted because I was too familiar with the apps, gadgets and tech used to track people. I call that being in the fishbowl.

This placement (ironic) in the fishbowl is akin to navel gazing. A person talks about their experiences and outlook without considering their audience or the general population. In the column earlier this week – and let’s be clear, these are columns not articles – I spoke of how disenchanted I’d become with services like Foursquare. I also indicated that I modified my behavior to not allow location services to track me. Further, I told of how I was less inclined these days to share my location via Twitter or Facebook.

But I’m not normal and neither was my rant. For the most part, being tracked these days is unavoidable. Especially if you plan to lead any type of normal life. The phone you carry tracks your location these days (too bad that wasn’t the case for Adnan or Jay in Serial). Most mobile device apps ask for location to be turned on for them to operate correctly. Browsers ask you to sign in so they can work better. And lots of data gets shared with who knows whom anytime you use a network – wired or wireless – anywhere.

Want to buy a coffee at Starbucks? Use their app and they can immediately suggest the closest store. Take a picture and post it to Instagram? The service can use metadata on the photo to place you somewhere. Even legacy technology like DSLRs now embed GPS coordinates into photos to presumably make it easier for you to sort, search and create robust photo libraries.
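The column notes that photo metadata can place you somewhere and that cameras embed GPS coordinates in images. As an added example (not part of the original column), the following Python script shows what that metadata looks like and how to find and remove it before a photo is shared: it builds a small constructed JPEG carrying an EXIF GPS block, reads the latitude and longitude back out of the GPS sub-IFD, and strips the APP1/Exif segment. The coordinates, the file layout and the function names are assumptions made for the demonstration; the segment walker handles the ordinary camera-JPEG layout (no standalone markers before the first scan) and reads only the four GPS tags needed for a position.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825              # IFD0 entry pointing at the GPS sub-IFD
TYPE_ASCII, TYPE_RATIONAL = 2, 5  # TIFF field types used by the GPS tags
# GPS sub-IFD tags: 1 LatitudeRef, 2 Latitude, 3 LongitudeRef, 4 Longitude

def iter_segments(data):
    """Yield (marker, raw_segment) for each JPEG segment up to SOS.
    Simplified walker (assumption): no standalone markers before the first
    scan, which holds for ordinary camera JPEGs. From SOS onward the rest of
    the file (entropy-coded data plus EOI) is yielded as one chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                      # start of scan
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, offset, endian):
    """Yield (tag, type, count, raw4) for each entry of the IFD at offset."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]   # inline value or data offset

def _rationals(tiff, raw, n, endian):
    (off,) = struct.unpack(endian + "I", raw)
    return [num / den for num, den in
            (struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(n))]

def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in (b"S", b"W") else value

def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees from an EXIF TIFF block, or None."""
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    gps_ifd = None
    for tag, typ, n, raw in _read_ifd(tiff, ifd0, endian):
        if tag == GPS_IFD_TAG:
            (gps_ifd,) = struct.unpack(endian + "I", raw)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, n, raw in _read_ifd(tiff, gps_ifd, endian):
        if typ == TYPE_ASCII:                 # refs are 2 bytes, stored inline
            fields[tag] = raw[:n].rstrip(b"\x00")
        elif typ == TYPE_RATIONAL:
            fields[tag] = _rationals(tiff, raw, n, endian)
    if not all(t in fields for t in (1, 2, 3, 4)):
        return None
    return (round(_dms_to_decimal(fields[2], fields[1]), 6),
            round(_dms_to_decimal(fields[4], fields[3]), 6))

def extract_gps(jpeg):
    """Position recorded in the JPEG's EXIF GPS block, or None if there is none."""
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            return gps_from_tiff(seg[10:])
    return None

def strip_exif(jpeg):
    """Copy of the JPEG without its APP1/Exif segment (and so without GPS)."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER):
            out += seg
    return bytes(out)

def _rational(num, den=1):
    return struct.pack("<II", num, den)

def build_sample_jpeg():
    """Constructed sample: SOI, APP1/Exif with a GPS sub-IFD, a stub scan, EOI."""
    tiff = b"II" + struct.pack("<HI", 42, 8)            # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + b"\0\0\0\0"
    tiff += struct.pack("<H", 4)                        # GPS IFD at offset 26
    tiff += struct.pack("<HHI", 1, TYPE_ASCII, 2) + b"N\0\0\0"
    tiff += struct.pack("<HHII", 2, TYPE_RATIONAL, 3, 80)
    tiff += struct.pack("<HHI", 3, TYPE_ASCII, 2) + b"W\0\0\0"
    tiff += struct.pack("<HHII", 4, TYPE_RATIONAL, 3, 104) + b"\0\0\0\0"
    # 42 deg 21' 36.0" N, 71 deg 3' 24.0" W (constructed, not from a real photo)
    tiff += _rational(42) + _rational(21) + _rational(360, 10)
    tiff += _rational(71) + _rational(3) + _rational(240, 10)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x00\x11\xff\xd9"
    return b"\xff\xd8" + app1 + scan

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", extract_gps(sample))
    print("GPS after strip:", extract_gps(strip_exif(sample)))
```

Run it and the sample reports a position before stripping and none afterwards. The same `extract_gps` call applied to a real camera file tells you whether a photo is about to give away where you were; `strip_exif` removes the whole Exif block rather than just the GPS tags, which is the safer default because other tags (camera serial number, timestamps) leak information too.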

But are people really aware of the dangers of oversharing? The fishbowl crew is. Many friends I know stopped using ‘check-in’ apps like the aforementioned Foursquare and its successor Swarm because of the interface and the privacy concerns. These people – first- and early-adopters – also modified their behavior. For a couple years now, most people I know post their visits to places away from home on a delay.

It’s a bummer that this happens as it makes popping in on someone when they’re in your hometown or near your office almost impossible. But that’s the reality. I’m sharing less about where I’m going because I’d rather not have folks break into my house when I’m away.

I sometimes post my photos after-the-fact instead of during an event, which sometimes hinders the effectiveness of promotional activities. Who’s going to get excited about an event, conference, concert, game or beer tasting if you’re sharing the details and images about it after it’s over?

And there’s so much more to this location tracking and personal security and technology that I could cover. There certainly are lots of benefits, but a bunch of ways it should scare you.

Suffice it to say that the questions I raised in the earlier piece were valid. You are sharing too much, in my opinion. You are not as safe as you once were. And while location-based apps are NOT the cause of it, they certainly created an awareness in me that led me to write that other column.

What’s the solution to remaining low-key while still connecting with your online networks? Common sense. Don’t share that you’re leaving the country for a month and that you’ve sent your cats away to cat camp because you didn’t feel like paying a cat sitter. Don’t shout out that you’re wandering around Las Vegas looking for something to do with the money you just won. And don’t post so much information about your regular routines that a cursory look could map out the times you’ll be at the office or at home or on the road.

You could also start to trim your networks so the folks who see your updates are actually known to you. Ultimately, the world of location-based services, tracking and connectivity is only going to get more useful AND intrusive. If you want the benefits that come with being connected, then learn how to use and share safely.

If you are leaning toward getting a tin-foil hat and hopping off the grid, good luck to you. The credit card you use to buy the foil, the car you drive to Target to buy the shovel to dig your bunker, and the images from the Google Streetview car that passes as you’re getting the surplus silo delivered are going to be online before you can say “wow the Sony Interview thing wasn’t the North Koreans after all.”

Nothing is as safe or secure as we’d like it to be. So accept that fact and move on…it’s likely someone somewhere will be tracking where you go.

December 31, 2014  5:30 PM

Happy New Year!

Ken Harthun

I wish all of my readers, colleagues and employees of the TechTarget companies a Happy, Safe & Prosperous New Year.


December 31, 2014  5:27 PM

There’s a new, free, CA in town

Ken Harthun
Certificate authorities, Encryption, Open source, Security

It’s called “Let’s Encrypt,” and it’s a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

This is scheduled for delivery in Q2 2015. With such respected industry leaders working with Internet Security Research Group (“ISRG”), a California public benefit corporation, we can be confident that it will be an effective solution.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

That last item is the best part. We won’t have to rely on any one organization that may or may not have its own agenda.

December 30, 2014  6:20 PM

Where are you now? Are you Secure? What about your data?

Jeff Cutler
Applications, Data, location, Security, social media, Technology

As we close the year 2014, I was struck by a few thoughts – and I’ll likely post another blog entry tomorrow before we ring in the new year. But for now, I was wondering about location-based services and personal security.

It occurred to me as I spent a few days away from the house that I had actually been a lot better about broadcasting – or not broadcasting – my whereabouts lately. In the past, I was very open about what I was doing, what I was eating and where all this was going down.

In my opinion, now that Foursquare is dead, Swarm is useless and Path is more locked down in nature, folks are being more careful. And that’s a good thing, I think. While I am sharing less, I’m also feeling a little loss.

I remember a time when I’d be able (and willing) to tweet out my location and my plan for an afternoon and folks would come meet me. It was a nice treat to have that utility and semblance of power. But it was also scary. If I was able to share my whereabouts and people come see me, what was happening to my home, my office, my loved ones, my stuff?

To be blunt, if I’m in one spot saying, “Hi, here I am!” then the bad guys are fully able to use that info to go where I’m not and break into my home and take my stuff. Or harm my family. Or kill my cat. Let’s not get crazy, but it could happen.

Is this a good thing or is it just something that’s happened? From where I sit, I think the shake-out of location-based services and oversharing via social media tools is good. We had some fun, but then serious stuff started to happen. Hackers took away our innocence and fear replaced fun.

Maybe I’m wandering a bit as I talk about how we’re no longer safe, our data is out there for everyone to see and the myth of security is just that – a myth.

The year is wrapping up. How are you wrapping up your persona and data so it’s not out there for anyone to see? Or do you even care? Is home security something of an afterthought to you? Do you figure if your data gets out then the credit card companies will pay off the indiscretions of the thieves? What’s your plan?

For me, it’s going to be less specific sharing and more wariness. But I’m still going to enjoy my travels and I’m not going to stay up at night worrying about data loss. It might be a rough world, but the convenience of technology outweighs (so far) the angst it brings.

Be safe and happy out there. Chat again tomorrow!

December 26, 2014  3:38 PM

Obama’s response to alleged N. Korea cyberattacks: Grandstanding, or truth?

Ken Harthun

Last Friday (12/20/2014), Barack Obama confirmed that the White House believed that North Korea engaged in a cyberattack against Sony Pictures.

They caused a lot of damage, and we will respond. We will respond proportionally, and we’ll respond in a place and time and manner that we choose.

I am not convinced that North Korea engaged in the attack against Sony. I see too many outpoints in the evidence (and lack of same) to convince me and I certainly have no trust whatsoever in the FBI. Mr. Obama seems to believe it (or maybe he’s just pretending), however, and issued a promise to retaliate. POTUS has engaged in a nice bit of grandstanding here, don’t you think? Unlike our late, former President Ronald Reagan, who was an actor, perhaps Mr. Obama should embrace such a career.

Regardless — or in spite — of the truth in this matter, and my own opinion notwithstanding, someone apparently took some sort of action to retaliate: North Korea was knocked completely off the internet on Monday. Is this just coincidence, or did the U.S. “respond in a place and time and manner that we choose?”

This is what we know for sure:

  • Sony was hacked and hacked data was released to the public
  • Hackers made some threats against movie theaters and mentioned 9/11/2001
  • The movie “The Interview” was withdrawn, then subsequently released and shown
  • The FBI blames North Korea for the attack on Sony
  • POTUS agrees with the FBI and issues a threat/promise to respond
  • North Korea’s internet connectivity was cut off on Monday

All the while, the media is making all sorts of noise, publishing hearsay and outright supposition as “facts” and generally confusing the issue as they always do.

We may never know the full truth but watching this story unfold has been quite entertaining so far.

December 25, 2014  5:38 PM

(Warning: Language) Is Elf on the Shelf a secret plot to brainwash children into accepting a surveillance state?

Ken Harthun
NSA surveillance, Surveillance

Some people just can’t resist attempting to ruin Christmas by spreading FUD. To those people I dedicate the song “You’re A Mean One, Mr. Grinch.” Since when has the magic of Christmas and all things wondrous and imaginary connected with it become something to be concerned about? I just read three articles — I’m sure there are more — that raise questions and concerns about “The Elf on the Shelf” toy that has become wildly popular since 2005. For instance:

When parents and teachers bring The Elf on the Shelf into homes and classrooms, are they preparing a generation of children to accept, not question, increasingly intrusive (albeit whimsically packaged) modes of surveillance? – From: “The Elf on the Shelf” and the normalization of surveillance

And this from The Creepy Surveillance of Elf on the Shelf:

The space of childhood is also the haven of things unseen, magic, enchantment, and endless possibility. Monsters could exist under your bed. Santa can deliver gifts to all children in only one night. And now, magical elves can report your naughtiness, so you better be nice. Surveillance is a dominant force in our world, so why wouldn’t Santa be implicated? Santa and his helpers seem to make the erosion of privacy comfortable and normal. In the name of family tradition and good behavior, what does The Elf on the Shelf ™ teach our children? Someone’s always watching, so act accordingly.

And this from Santa Claus and the Surveillance State:

It’s not just the Elf on the Shelf; children have been taught for centuries that dangerous authorities are watching and judging them. [Including Santa Claus and let’s not forget God and the other mythical gods of past civilizations. – Ed.]

He sees you when you’re sleeping. He knows when you’re awake.

He’s everywhere.

And that’s the whole point of the Elf on the Shelf, the bright-eyed, Kewpie-esque doll that millions of parents display around their homes in December as a reminder to children to behave. The elf, the story goes, is an agent reporting back to Santa Claus, and he’s tasked with documenting any seasonal misdeeds for his jolly boss.

You know what really scares me, what I find so creepy? It’s that people would actually buy into this bullshit. I didn’t turn into a happy slave to the surveillance state by being taught about — and one time believing in — Santa Claus and whatever else these misguided, paranoid people are concerned about. And I bet you didn’t either. If anyone can show me an example of one person they know who, having had a normal childhood steeped in Western tradition, now accepts and condones the surveillance actions of our criminal government “security” agencies (excepting, of course, the very idiots who are employed by said agencies), then I *might* be mildly interested in giving the issue an iota of concern.

Merry Christmas!

I hope Santa has you on his “nice” list 🙂

December 24, 2014  6:13 PM

ATM skimmer doesn’t work? No sweat, just blow it up!

Ken Harthun
ATM, Banking industry, NCR, Security

I guess it’s rather dark humor because it happens, but I find it funny how far these cyber-idiots will go to steal from an ATM.

From Krebs on Security: “According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.”


Explosive gas attack on ATM machine. Source: EAST via Krebs

Probably, this is more an act of desperation because of new security measures being deployed at ATM machine locations. ATM skimming devices sometimes require the criminals to cut a rather large opening to insert their device as shown in these photos:


Criminals cut a hole in an ATM to insert their skimmer, then cover it with a decal. Source: NCR via Krebs

Sometimes, they just can’t use regular tools to accomplish their crime.

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

And when a blowtorch won’t work, they blow it up!

Next thing you know, they’ll be using RPGs. Then again, probably not; the RPGs would cost more than the booty obtained from the heist.

December 24, 2014  6:09 PM

Apple Pushes out Security Update — HORRORS!

Jeff Cutler
Apple, Data, news, Security, Update, Windows

To hear Apple fanatics tell the story, the recent (and supposedly first ever) automatic security update marks the end of the company. Apple is doomed now that it has gone the way of MSFT and pushed out a software update over which users didn’t have any warning nor any control. It’s 1984 – but the bad guys have won!

Settle down. I wear my Apple badge proudly and sometimes (OFTEN) believe blindly in what the benefactors at Apple are doing on my behalf. This includes their releasing of new hardware, the changes in software and even the move to iCloud backups and that whole mess. I also used to be the first person to shout, “get a Mac” when friends complained about their slow or blue-screened PC.

But is an automatic update such a big deal? Especially when you can’t walk down the street without seeing store after store experiencing data breaches or security hacks? Even Sony got the short end of the stick when the one IT guy in North Korea punched in ‘password’ and miraculously broke through the defenses of that movie studio.

I’m in favor of the auto update…this time. And when it makes security sense. I certainly don’t want Apple – or anyone – jumping to my defense on such a regular basis that it interferes with my daily life. Note that the same friends with blue screens of death would wait 45 minutes each Tuesday for their MSFT firmware and software to get updated.

Let’s be very clear that’s not the right way to do things. But the world is changing and we have to change with it. If I now need two-factor authentication to use my credit card online, that’s fine. If I now have to start remembering my first car and favorite teacher to pay my bills electronically or access my GoDaddy account – OK.

When it gets obtrusive is when it makes other options more attractive. As I said in the beginning, for me the Apple system and way of life is much more attractive than the other options. The only time that will change is if Apple starts making this a regular occurrence. Then, the better option is for them to rethink their programming and infrastructure to make things more secure at the base level so those of us out here with laptops, iPads and iPhones don’t have to worry.

Yes, if you have a MSFT device, you’re still on your own…or actually locked up in the MSFT big brother funny farm.

Have a great holiday. See you next week!

December 24, 2014  5:42 PM

Merry Christmas!

Ken Harthun

I wish all my readers and all of the staff at ITKE a safe and Merry Christmas! However you celebrate this season, please keep the true meaning of the holidays in your thoughts: Peace on Earth and goodwill toward men.


December 16, 2014  10:06 PM

This ransomware is also a true virus

Ken Harthun
Virus, Ransomware, Security, Sophos

A new ransomware threat, which is detected and blocked by Sophos as W32/VirRnsm-A is actually a true virus, unlike most such malware. According to Sophos Labs:

The intriguing part of VirRansom is that as well as infecting your EXE (program) files, this new virus “infects” data files, too, such as ZIPs, DOCs and JPGs.

Data files are encrypted, wrapped up into an EXE shell, and renamed so they end in .exe.

In a file viewer such as Explorer, you don’t see the infected extension .exe by default (and anyway the virus turns extensions off if you had them on).

Also, the virus sets the icon of the infected file to whatever it was before.

That means you could be excused for opening an infected file by mistake, because it looks as you’d expect.

And if you open an EXE file under the impression that it’s an image or a document, what you actually do is execute it instead.

So, if you inadvertently open up an infected file, the virus runs, and then it:

  • Installs itself permanently on your hard disk (using random filenames unique to each infection).

  • Sets a registry entry so it will run again after you logout or reboot.

  • Activates itself by loading various processes into memory.

You can read all about it here. Just be on the lookout for it.
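The Sophos description above says the infected data files are wrapped in an EXE shell, renamed to end in .exe, and then displayed with the .exe extension hidden and the original icon, so a file named report.docx.exe shows up as report.docx. As an added example (not from the original post or from Sophos), the following Python script walks a directory and flags two kinds of disguised executable: a file whose final .exe sits behind a data-file extension, and, going one step beyond the post, a file with a data-file extension whose contents begin with a PE header (MZ), which catches a wrapped file even if the name has been tidied up. The sample directory, its file names and the function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions a user expects to open as documents or images (assumed list).
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                   ".jpg", ".jpeg", ".png", ".zip", ".txt"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable (DOS header)

def is_pe_file(path):
    """True if the file starts with the PE/DOS 'MZ' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False

def classify(path):
    """Return a reason string if the file looks like a disguised executable, else None."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    # Case 1: 'report.docx.exe' -- with extensions hidden it displays as 'report.docx'
    if len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DATA_EXTENSIONS:
        return "double extension hides .exe behind a data-file name"
    # Case 2: data-file extension, but the content is a PE executable
    if suffixes and suffixes[-1] in DATA_EXTENSIONS and is_pe_file(path):
        return "PE header found under a data-file extension"
    return None

def find_disguised_executables(root):
    """Scan a tree; return sorted (relative path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample directory: two disguised executables among normal files."""
    root = tempfile.mkdtemp(prefix="virransom_demo_")
    samples = {
        "report.docx.exe": b"MZ\x90\x00" + b"\x00" * 60,       # wrapped data file, renamed .exe
        "invoice.pdf":     b"MZ\x90\x00" + b"\x00" * 60,       # PE bytes under a data extension
        "photo.jpg":       b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG magic
        "notes.txt":       b"plain text\n",
        "setup.exe":       b"MZ\x90\x00" + b"\x00" * 60,       # ordinary, undisguised executable
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, why in find_disguised_executables(build_sample_tree()):
        print(f"{rel}: {why}")
```

The content check (case 2) is the one worth keeping in a scheduled scan of user document folders: a file that claims to be a PDF or JPEG but starts with MZ has no legitimate reason to exist, and it does not depend on the extension-hiding setting that the post says the virus switches off.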
