The series debuted on January 4, 2007 here on Ask the Geek, Too. I continued to post them here until March, 2008 when other commitments forced me to put this blog on the back burner. (Chris Pirillo and the Lockergnome gang have been gracious enough to keep my content live and I hope to contribute here on a regular basis again in the future.) I have since revised and re-posted all of the maxims on my Security Corner blog, most of them having been given more catchy titles. You will find the entire archive in descending chronological order in the Security Maxim archives - Security Corner.

Below are links to the original postings up to and including Maxim #11 which was the last one posted here; nos. 12, 13, & 14 are new and appear only at Security Corner.

2007.01.04 - How to Secure Your Computer: Maxim #1
2007.02.22 - How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks)
2007.03.03 - How to Secure Your Computer: Maxim #3
2007.03.14 - How to Secure Your Computer: Maxim #4
2007.05.30 - How to Secure Your Computer: Maxim #5
2007.06.27 - How to Secure Your Computer: Maxim #6
2007.07.25 - How to Secure Your Computer: Maxim #7
2007.07.26 - How to Secure Your Computer: Maxim #8
2007.07.28 - How to Secure Your Computer: Maxim #9
2007.08.17 - How to Secure Your Computer: Maxim #10
2007.10.29 - How to Secure Your Computer: Maxim #11

I will soon make available a complete compilation of these articles for download as a free bonus to everyone who subscribes to my feed.

Cheers!
The Geek

P.S. Please continue to follow me at Ask the Geek and be sure to check back here from time to time as I’ll be adding the occasional post.

Cheers!
The Geek

On January 28, 2008, Cisco announced the end-of-sale and end-of life dates for Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms/bundles will be July 28, 2008 and the last day to purchase accessories and licenses will be January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.

Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances. In addition to providing the same robust firewall and IPsec VPN capabilities as Cisco PIX Security Appliances, the Cisco ASA 5500 Series offers significantly better performance and scalability, SSL VPN support, advanced Unified Communications (voice/video) security, and a modular design that allows you to add features such as intrusion prevention (IPS), antivirus, antispam, antiphishing, and URL filtering. Migration to the Cisco ASA 5500 Series is straightforward, because consistent management and monitoring interfaces allow you to take advantage of your knowledge and investment in Cisco PIX Security Appliances.

So long, old friend. Let’s hope your replacement provides the same high level of transparent protection that you are famous for.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist, currently works as a Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

But I digress.

I know this isn’t a new concept by any means, but the application of simple cryptographic principles can allow you to generate passwords using patterns that you can safely write down. One of the key elements of authentication is “something only you know” and you can use this to generate secure passwords with simple substitution and transposition ciphers. (WARNING: playing around with this stuff can be habit-forming!)

Let’s take a simple example of a substitution cipher based on a date. This one uses two levels of secret “keys”: 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use “BDAbe.” This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.)

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the “something only you know,” with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern). Anyone who sees BDAbe%x# will have your keys, but it’s likely they won’t have a clue as to what to do with them. Write it down. Post it all over the place. Buy an ad in the newspaper. Tell everyone you know. Who cares? It isn’t your password and only you know what it means; but, it looks like a password and serves as an effective deception.

Finally, we generate the actual password using our cipher pattern of alternating shifted and lowercase characters, so 02121809 becomes our ciphertext of )2!2!8)9: eight characters, each having one of 96 possible choices. In a brute force attack, a modern PC, capable of guessing 10 million passwords per second, would take 23 years to go through all possible combinations of an eight-character password with a 96 character selection space. Not too shabby, eh?

For website logins where high security isn’t a concern, you can drop the “www.” and use the rest of the URL as your plaintext. In this case, you only need to write down the password length and encoding pattern. Let’s say I have a login on the site www.nytimes.com. I don’t care if someone reads the news using my password, so tight security isn’t a concern. I decide on a pattern of lowercase-shift-shift and decide to use a six-character password. The encoding pattern is x%^, so I can write that down as nytimes.com/x%^. Who’s going to know what that means? The password would be nYTiME. At only six characters and despite being based on the URL itself, that password is still relatively secure: it would take a hacker 33 minutes to crack your password; he’d be able to set up his own account in less than 2 minutes. And why would anyone want to crack your password? NYTimes.com doesn’t ask for any personal information other than your birth year and zip code, nothing that’s worth anything to a criminal hacker.

I encourage you to come up with your own method of applying this to your passwords, and of course, I welcome your comments and questions.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist, currently works as a Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Has any Gnomie actually completed a survey or earned anything from them?

All I’ve gotten so far is a “Sorry, you don’t qualify for this study” and a gesture of thanks in the form of 20 points for my wasted time.

Well, no thanks, I’ve got better things to do.

Cheers!
The Geek

This incident gives us two things to consider: 1. Always keep backup media physically separated from the drives that are backed up; and, 2. Have more than one backup, if possible. Case in point: I have double copies of everything; I keep all my documents on a flash drive and I back up to an external USB drive regularly. One copy goes with me, the other stays in the office.

If someone steals my laptop, all they’ll get is an empty My Documents folder and some useful programs. They won’t get any of my personal data. And I’ll be up and running with no data loss in short order.

Cheers!
The Geek

Hi Ken,

I’m happy to finally be able to share Zonbu’s latest news! Starting today, Zonbu fans can be green and hassle-free on the go. Zonbu is announcing a new Zonbu Notebook. Like the Zonbu Mini Desktop, the Zonbu Notebook is based on the same principles of hassle-free, environmentally friendly, and affordable computing.

Affordable: The Zonbu Notebook starts at $279 with a $14.95 monthly subscription fee with the same acclaimed hassle-free plan as the Zonbu Mini Desktop.

Hassle-free: The Zonbu Notebook works right out of the box. It includes 20 best-of-breed software applications, free automatic software upgrades, generous online storage, remote file access and sharing, automatic data back-up, unlimited online tech support, and free hardware replacement in case of damage.  Best of all it eliminates the need to spend any time on managing the PC, or spending money on anti-virus packages, back-up storage or firewalls.

Environmentally Friendly: The Zonbu Notebook uses less energy, reduced use of hazardous materials like cadmium and mercury, offers free recycling/take back programs and responsible packaging, meeting the EU’s strict RoHS standards and earning the Zonbu Notebook a Silver EPEAT rating.

Additional Features: Zonbu Notebook includes a Facebook plug-in that enables users to automatically post multimedia data to your profile page. The notebook also includes built-in wireless, a DVD-RW/CD-RW, built-in speaker, microphone and headphone ports and more. (see http://www.zonbu.com/device/notebook.htm for full details.)

Although the final version of the Zonbu notebook’s software won’t be available until early 2008, Zonbu fans eager to try it can order a Zonbu Notebook with beta version of software starting today; once the software is finalized their system will be automatically updated to the final version.

Having reviewed the Zonbu Mini Desktop PC, I can vouch for all of the above. And it looks like they’re going to send me a Zonbu Notebook for review, too. Stay tuned. You can check out Ask the Geek (and see a photo of the laptop) for my opinion on this latest development.

Breaking news: Gregoire Gentil, Zonbu’s CEO,  was gracious enough to grant me an email interview that is very enlightening. I’ll post that to Ask the Geek tomorrow. Be sure to check it out.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you�re interested in: Click here to Ask the Geek! Kenny �The Geek� Harthun has been playing with geeky stuff since 1965. He�s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

But Dave has a problem–the writer who committed to do the “Getting Starting with Linux” column has flaked out on him and Dave needs someone to fill the hole. Since he’s already given readers a taste of the column, he wants to keep it going. Dave feels it would be bad etiquette to promise a column he can’t deliver.

Knowing that we have a great community of Linux Geeks on Lockergnome, I told Dave I’d help out by appealing to my fellow Gnomies.

Anyone interested? If so, contact Dave directly via his website at www.davescomputertips.com. Tell him Kenny “The Geek” Harthun sent you.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you�re interested in: Click here to Ask the Geek! Kenny �The Geek� Harthun has been playing with geeky stuff since 1965. He�s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

• More and more companies are offering vital business productivity applications as web-based services meaning you don’t have to buy and install software on your hard drive.
• PC security is nearly impossible for the average user; compromised computers that have been joined to huge botnets have made cybercrime a serious threat. Hardened�operating systems, running in firmware (Zonbu comes to mind)�effectively thwart cyber-criminals.
• Hard drives fail; and, without backups, data is lost.
• On-line data storage is a growing trend, making storage capacity effectively limitless.
• Large solid-state USB drives�are becoming commonplace.
• Gigabit (and beyond) broadband is on the horizon.

Some smirked when, in 1984, I predicted a solid-state device, smaller than a pack of cigarettes, that would produce full-fidelity stereo digital music�(the iPod Nano was introduced in 2005); I’m sure this prediction will have its critics, too.

Let’s take a look back on, say, New Year’s Eve 2011.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer�at Connective Computing, Inc. and loves to learn about anything and everything.

TagJag Tags: future, computing, broadband, prediction

1. Is your car parked, empty, in the driveway right now with its engine on?
2. Is your shower, with no one in it, running?
3. Is your stove, with nothing cooking on it, turned on?
4. Is your attic light on 24/7?

I’m fairly sure that you answered “no” to all of these questions. It just doesn’t make sense to leave something on if you’re not using it. All this does is run up your electric bill for nothing, right?

Then why would you want to leave your PC on 24/7? If your PC has been compromised and is a member of one of the major spam zombie networks, chances are that you’re spewing spam in a constant stream.

Do us all a favor and use your index finger to switch it off when you’re not using it. If you do nothing else to clean it up, just shutting down the PC if it’s not being used would cut spam volume significantly.

Do you agree or disagree? Hit the comments and put in your two cents.

Cheers!
The Geek

GRC’s “Perfect Paper Passwords” (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual “passcodes” contained on PPP’s “passcards” serve as the second factor (”something you have”) of a secure multi-factor authentication system.

I feel like a kid turned loose in Toys-R-Us with a thousand-dollar budget. This is truly an amazing system and I’m just now starting to figure out how to implement it in my own environment. But using it as Steve designed it isn’t the subject of this post. Most network environments are still based on the username/password model, not a multi-factor authentication model. Until the PPP system becomes a standard (and it should!), why not use the passcards to create super-strong passwords?

I know, I know, he already has the Ultra-high Security Password Generator and I’ve been using that, but the idea of breaking long strings of characters into simple, four-character snippets makes things a bit simpler and it also allows you to take some control over generating your passwords. It adds another random factor into the mix by letting you choose the order of combination, something no computer or person anywhere can possibly know. Putting them into a seven columns by ten rows grid in a format that you can fold and stick in your wallet makes it even easier.

Using the web site, you print out three passcards, each containing 70 four-character passcodes for a total of 210. Now, if you randomly combine three passcodes to make virtually unbreakable 12-character passwords, you’ll have a resource of 70 passwords right at your fingertips. Circle the ones you’re using for your current password and cross them out when you change it. Better yet, write down the columns/rows and keep that separate from your passcards. No one’s going to know that A1F4D10 translates into Cai?DCGX@xBt, but you do.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

TagJag Tags: secure computing, passwords, security, perfect paper passwords, passcode, passcard

I’m talking about entering your password — or any sensitive information — into any web page that’s not secure. All communication — including your username and password — between your browser and a web server is normally transmitted in clear text, easily read by anyone who cares to look. Your data is being sent in clear text if you enter anything onto a page with the prefix http://. That’s how you know the page isn’t secure.

How do you know a page is secure? It will use an encrypted connection, signified by the prefix https://, known as Secure Sockets Layer (SSL). Any information you put into such a page is unreadable by anyone who might intercept it. Only your browser and the web server at the other end can decipher it. Some browsers even show a lock icon to let you know it’s secure. SSL relies on special security certificates issued by a trusted authority who has verified the identity of the website you are logging onto.

Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and/or a lock icon in the browser’s status bar.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Within five minutes, Blaise was playing games. The only thing he needed help with was logging on.

Now that’s what I call easy.

Cheers
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

The inventor of Spam confesses and explains at www.spam.com.

Enjoy your weekend.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

After a repair install of XP, which resets the operating system to its original state, Windows Update can’t install the 80 most-recent patches from Microsoft.

I use the repair feature all the time in my support work and it ticks me off that now I have to jump through extra hoops to get an XP box fixed. Fortunately, the fix is simple enough, but the fact is we shouldn’t have to be continually fixing things that Microsoft breaks.

The manual fix is to re-register the Windows Update dll files. You can create a batch file with these commands:

regsvr32 /s wuapi.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups2.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll

The /s switch makes the command run silently so you don’t have to hit the Enter key after each line.

This may be a challenge in itself, but I’m seriously considering blocking any outbound connection to Windows Update from my PC and only opening it up when patch Tuesday rolls around. That may not even work, but at least I’ll feel more secure in knowing that I’m doing *something* about the situation.

Cheers!
The Geek

A vulnerability has been discovered in the Ask.com Ask Toolbar, which can be exploited by malicious people to compromise a user’s system. The vulnerability, a boundary error in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control (askBar.dll) when handling the “ShortFormat” property, can be exploited to cause a stack-based buffer overflow by assigning a string with a length of more than 500 bytes to the affected property. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 4.0.2 and currently remains unpatched.

Secunia recommends that you set the kill bit for The ActiveX control to prevent it from executing. Microsoft KB article 240797. Explains in detail how it’s done, but beware: it’s not for the faint of heart. You’ll need to know the CLSID for the control, so here it is: {5A074B2B-F830-49de-A31B-5BB9D7F6B407}.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

[tags]security, ask.com, secunia, vulnerability[/tags]

“A security flaw has been discovered in Adobe’s Acrobat Reader, which is installed on a huge number of PCs. The vulnerability allows attackers to compromise Windows computers…. This problems affects Acrobat Reader versions 7, 8.0 and 8.1. An attacker can use the exploit to automatically run an executable program on your computer if you open a PDF file that’s been crafted to do so.”

My first reaction to this was to immediately recommend that everyone switch to Foxit Reader, but it’s also affected, though to a lesser degree: Foxit gives you a confirmation dialog before it runs the exploit. From ARS Technica:

“The flaw affects both Windows XP SP2 and Windows 2003; Windows Vista, OS X, and Linux users are unaffected…. Some work-alike PDF readers, such as the svelte Foxit Reader, are also affected but in a lesser manner: they display a confirmation dialog before the exploit is allowed to run.”

I haven’t used Acrobat Reader on any of my machines since version 6.0–it just got too big. I prefer Foxit Reader/Open Office for reading and creating PDFs. Looks like the Foxit camp is still safe, just don’t allow the exploit to run.

What do you think?

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Head over to SecurityCartoon.com and check it out. They have all kinds of different educational cartoon sequences with such titles as, “How to Stay Secure,” “Tricks, Tricks, Tricks” (how to trick them, and how they try to trick you), and ”Think Your Mother’s Maiden Name is Secret?” You can select cartoons from several categories: spoofing, malware, phishing, pharming, passwords, and fightback. There’s even a Geek Dictionary to help explain things.

My favorite cartoon is “…Another Day at the Support Group for Computers with Malware.”

Good stuff.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist and Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Until recently, to get a hot fix you had to call Microsoft support services. Now they’ve made it easier by providing a web site where you can order hot fixes you need by filling out a hotfix request submission form, and someone from Microsoft will contact you via email.

Here’s the link to the submission form: https://support.microsoft.com/contactus2/emailcontact.aspx?scid=sw;en;1410&WS=hotfix

The form is simple and quick. The country/region, Platform, and Product Language fields are drop-down boxes, so the only two fields you have to type in are the KB Article Number and Email Address.

Has anyone tested this yet? If so, please comment.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a Microsoft Certified Systems Engineer with Connective Computing, Inc. and loves to learn about anything and everything.

So, I wrote a step-by-step article illustrating how to create your own custom shutdown button that will work with XP and Windows 2003 Server. Even if you don’t have shutdown problems, this handy little button makes shutting down your computer a one-click proposition.

Download the instructions (PDF)

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a Microsoft Certified Systems Engineer with Connective Computing, Inc. and loves to learn about anything and everything.

[tags]shutdown problems, shutdown button, XP, tips, how to[/tags]