Archive for August, 2008

Data Security Podcast Episode 15 – Aug 25 2008

Posted in Podcast with tags , , , , , , , , on August 25, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Drive-by Flash Clipboard Attack – nobody is immune; The law in virtual worlds; plus the latest security news.

–> Stream, subscribe or download Episode 15 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 14

News:

Flash Drive Security?
Flash Drive Security? Source: ArsTechnica.com

1.  Prosecutors: PA State Senator Fumo orders IT staffer to destroy electronic data to cover-up corruption.

2. Latest UK data loss due to misplaced USB thumb drive

3. E-Vote: Ohio Counties Move To Secure Voting Machine Delivery

Tales from The DarkWeb:

Chris Thornton from Thornsoft Development, Inc. and the author of ClipMate, a popular clipboard extender for Windows provides an excellent resource on his blog about the drive-by download Flash Clipboard Attack.

Alex Dubrovsky, Director of Software Engineering and Threat Research, SonicWall. The counter-measure mentioned by Alex is in the SonicWall Gateway Antivirus.

Interview:

The Law in Virtual Worlds; Benjamin Duranske, author of the new book Virtual Law. A book for legal pros and non-legal people.

Apple’s MobileMe Fails Security 101?

Posted in eMail Security with tags , , , , , , on August 25, 2008 by datasecurityblog

There are reports that Apple is using poor security in Apple’s not-ready-for-primetime MobileMe email and file storage service. MobileMe was billed by Apple as a Microsoft Exchange server email account “for the rest of us.” One of the best features of an Exchange server is it’s use of Secure Socket Layer (SSL) 128-bit encryption. In a nutshell, SSL is considered a secure, open standard to protect data in motion over the Internet.

An Exchange server can be configured to use SSL for both the username/password combo and the user’s actual data. The means that users of a properly-configured Exchange server and computer can use email, contacts, calendars, notes, memos, and tasks in airports, cafe’s, cell connections, and other out-of-the-office locations, and not have one’s data exposed to the world.

MobileMe

MobileMe

Over at Apple, they don’t seem to think that SSL is important for MobileMe users. The reports are that Apple is using an Apple-created proprietary encryption method. If this is true, that’s not good, since proprietary encryption is not validated by the information security community to be sound. Any security pro worth his salt knows to run, not walk, when a vendor offers proprietary encryption.

To make matters worse, it appears Apple is only encrypting the username/password combo with this special encryption solution, not the user’s data.

There have been many reports of the poor reliability of MobileMe. Now, if these new reports are true, there may be poor data confidentiality and data integrity for MobileMe users.

Email is the most important internet application for most people today. Many business people use email as their digital file cabinet. For $99/year, MobileMe does not look like a smart file cabinet, nor an alternative to a well-configured Exchange account.

You can find more technical details on the Benlog blog.

Data Security Podcast Episode 14 – Aug 19 2008

Posted in Podcast with tags , , , on August 19, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Institute for Justice fights to keep PI lobby from regulating information security; The CherryPal PC, a PC designed by an infosec pro; plus the latest security news .

–> Stream, subscribe or download Episode 14 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 14

News:

1. Law enforcement agencies in 10 cities have adopted military technology to help them “hear” what’s happening on the streets… The objective is to respond quickly to gunfire. See: http://www.shotspotter.com/

2. Online Privacy Bill of Rights, and “opt-in” to web traffic monitoring. See The Washington Post story: Some Web Firms Say They Track Behavior Without Explicit Consent. You can do Google, Yahoo and MSN searches WITHOUT being tracked by using BlackboxSearch.com for your searching.

3. Vista Security Useless? Not So Fast… See the PCMag story for details

Interviews:

1. The Institute for Justice is suing to change the law.

The Institute for Justice will notify you about activity in the state legislatures if you send an email to: asmith <at symbol> ij.org . They send periodic updates.

2. The CherryPal PC, a new PC developed by an information security pro.

Data Security Podcast Episode 13 – Aug 11 2008

Posted in Podcast with tags , , , , , on August 11, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

In this week’s episode: Defcon16 security/hacker conference reports, inluding the “MIT Subway Hack,” electronic billboard security holes, KeyMail physcial lock exploits, using iPhones for pen testing; Business logic flaw in web sites and web applications in our BlackHat Las Vegas report.

–> Stream, subscribe or download Episode 13 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 13

Defcon Reports:

1. Three MIT students ordered by a federal judge to halt Defcon talk on transit card vulnerabilites. Ira’s gets reaction to the controversy from three security experts.

2. DefCon Buzzword Survivor contest

3. Hijacking the Outdoor Digital Billboard Network

4. KeyMail lock vulnerabilities uncovered by Marc Tobias and his associates

5. Twitter information security executive John uses Wall of Sheep / Wall of Shame to uncover Twitter login credentials security issue. The Wall of Sheep (the DefCon area formerly known as the Wall of Shame) is explained here in this 2007 article. Pics of the 2008 edition here, and here.

5. Using iPhones as a pen-test tool

BlackHat Report:

Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, talks about his BlackHat talk on web attacks using business logic flaws. Business logic flaws whitepaper.

Phil Zimmerman, Dan Kaminsky, and Brenno de Winter on the DefCon “Subway Hack” Talk

Posted in Breach with tags , , , , , , on August 10, 2008 by datasecurityblog

The hacker conference Defcon is proving to be the source of breaking news this year. A lot of the technology news coverage to come out of the show concerns the three MIT students that were to present a talk on the vulnerabilities in the transit pay cards used in the Boston area by the Massachusetts Bay Transportation Authority. The same system is used in and some other cities in the US.

The Data Security Podcast spoke with some noted security experts for their take on the Subway Card Hacking controversy. But first, a quick review of the facts as they were presented here.

The Massachusetts Bay Transportation Authority went to federal court on Friday, Aug 8th to get an injunction against the students to prevent them from giving their talk at DefCon. Cnet’s news.com is doing a great job on that coverage, including coverage of yesterday’s press conference at 2PM PT with the students their lawyer from the Electronic Frontier Foundation.

One of the deeper issues of contention is when the students actually disclosed the vulnerabilities to the transit authority in Massachusetts. Giving disclosure in private to the transit authority would allow time to make changes to their systems in response to the vulnerabilities.

During yesterday’s press conference, the students, through their spokesperson, EFF attorney Kurt Opsahl, would not answer when they were asked they disclosed the results of their work to the Massachusetts Bay Transportation Authority officials.

Late in the day Saturday, The Data Security Podcast spoke with two well respected information security experts, Phil Zimmerman, and Dan Kaminsky.

Phil Zimmerman was the creator of Pretty Good Privacy, an encryption tool that was the target of a long legal battle with the federal government that began seventeen years ago (and has since been resolved).

Phil told the Data Security Podcast that if the unconfirmed reports are true that the MIT students only gave the Massachusetts Bay Transportation Authority less than ten days notice of their talk at DefCon, then the students acting in an irresponsible manner by not giving the MBTA time to put into place changes or mitigating controls in response to the flaw they students allege. Phil said that many times information security researchers find a flaw, and in their excitement they rush out to show the world the flaw, which may not always be wise.

Dan Kaminsky is famous now for what is recognized by many security experts as the ethical way to disclose a security vulnerability. Dan went to great lengths to keep the nature of a major flaw he out of the public eye until vendors could build patches to mitigate the flaw.

Dan’s comments focused on a more practical part of the controversy. Dan said, that there are “No signs that suppression of [security] talks accomplishes the [intended] goal. Suppression of speech highlights the issue.” Dan feels that all the attention this controversy is bringing will encourage others to uncover the flaws. Interestingly, the buzz at the conference is that a lot of the information in the MIT student’s talk was already uncovered by other researchers, and that information is on the internet. It appears that the MIT students leveraged flaws that were already
known.

Dan also commented, that for the information security industry in general, when a flaw is uncovered by researchers, “You can expect co-operation from software vendors more than ever today.”

Giving credibility to Dan’s assertions is Brenno de Winter. Brenno is a Dutch journalist who has been covering the flaws in systems in Holland and the UK. Brenno says those systems are very similar to the ones in Massachusetts, and in other parts of the U.S. Brenno gave a talk today at
DefCon on Dutch researchers who uncovered the flaws in the systems in use in Holland and the UK.

Brenno claimed that these RFID systems are not only used by transit agencies in Holland and the UK, but also for door access control by government agencies, data centers, and other secure areas.

Brenno showed a YouTube video and demonstrated how simple it is to defeat these systems, and how the information about these attacks are available by doing simple Google searches. Brenno also stated that Chinese electronics makers have had the equipment and access cards for sale on the “grey market” that would permit the creation of cloned cards.

Brenno speculated that all the attention on this topic will probably result in open source and other tools being released by security researchers interested in the topic. “It would be ignorant to think otherwise,” according to Brenno. One researcher that Brenno spoke with said that a modified iPhone could be used to get information from these access cards. By merely walking in an area where people have these cards in their wallets or purses, the access information on the card could be cloned.

If Brenno claims are true, it appears that Pandora’s box is already open on at least some of the flaws the MIT students were going to talk about. Here is the takeaway: When a security flaw is discovered by security research, the responsible action is to privately inform the company that
makes the product, and give them a reasonable amount of time to address the flaw.
When companies are informed about a flaw, the prudent action is to understand the flaw and make the changes needed. Trying to keep the information away from the public is probably futile once a flaw is discovered.

We will cover more on DefCon in this week’s Data Security Podcast.

Data Security Podcast Episode 12 – Aug 04 2008

Posted in Podcast on August 5, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

In this week’s episode: Interview with Paul Royal of Dambala, a new, open source approach to malware detection; Poor USB security might be the cause of a Countrywide Bank data breach; Court battle: GPS vs. Radar.

–> Stream, subscribe or download Episode 12 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 12

News:

1. Freelance reporter James Krause wrote this article about e-discovery challenges for international litigation. Lawyers are getting a headache because there’s a computer language barrier for documents created in languages that use symbols. (Chinese Japanese, Thai, Korean, and cyrillic
languages).

2. Two Black Hat Talks On Apple Security Canceled. Apple patch fails to address DNS flaw, say experts.

3. Should the government compete with the private sector for business? There’s a lawsuit heating up over high-speed network service between the city of Monticello Minnesota, and TDS Telecom.

3. DHS official defends HSIN Next Gen

4. The government has finally clarified Department of Homeland Security policy on laptop searches at airports and at the border. The DHS says it doesn’t need reasonable suspicion. There’s more in the Washington post.

Or you can read the policy for yourself.

Segment Notes:

1. Paul Royal, Dambala

Paul’s talk at BlackHat Briefings is on Wednesday, August 6th at 4:45 p.m. PT titled,
“Alternative Medicine: The Malware Analyst’s Blue Pill.” Following BlackHat and DefCon, we plan to post links for Paul’s talk and a related whitepaper in this space.

2. GPS and Radar

California teen Shaun Malone is using data from his GPS device to prove he wasn’t speeding.

But an attorney for the National Motorists Association says this is about more than police radar versus the GPS.
Tales From The Dark Web:

FBI: Flash drive used to steal Countrywide customer data

Airline Traveler Data Breach

Posted in Breach on August 5, 2008 by datasecurityblog

Verified Identity Pass has signed up more than 200,000 travelers to a program that allows airline travelers to speed through security and skip many of the security checks. The catch? The traveler has to submit to a background check, provide biometric data, and provide ID in person to complete the sign up process. And, the system is only in place in 17 US airports (the list is growing, though).

How do I know? As a member of InfraGard member alliance, I have to undergo some of the same checks. InfraGard members were informed that they can sign up for the program since the government already has screened us for much of the data.

The last step in the sign-up process is to go to one of the major airports, provide some more data, before a card is issued to you.

A laptop that was used at the SFO Airport for that final step was stolen last week (July 26, according to the Verified Identity Pass people). The laptop data for 33,000 ‘in-process” users was not encrypted. That’s the bad news. The good news is that the data on the laptops was not Social Security Numbers, driver’s licenses, bank information, or biometric information.

If the laptop was stolen to get the names of people that passed a background check, and then use social engineering or other techniques to put together IDs of people that can get though security, well, then the attack was successful.

Until the laptop and thief are caught, it is hard to know why it was stolen, or what will happen with the information.

According to the spokesperson: “The office housing the computer was locked and there were security cameras installed around it.” Hopefully the perpetrator will be caught so the motive can be discovered.

One would also hope that all the laptop encryption vendors are calling Verified Identity Pass and offering them good deals on whole disk crypto. Failing that, Verified Identity Pass can use totally free, and effective, TrueCrypt right away.

Look for coverage on this in Episode 13 of the Data Security Podcast.

Follow

Get every new post delivered to your Inbox.

Join 1,126 other followers