Archive for September, 2008

Data Security Podcast Episode 20 – Sep 30 2008

Posted in Podcast on September 29, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Virtual Machine Security, Maserati web data held hostage, plus the latest in security news.

–> Stream, subscribe or download Episode 20 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 20

News:

1. Open source for e-voting software gets a thumbs up from the California Secretary of State

2. GPS vs. radar speeding tickets

3. Nevada Encryption Law, NRS 597.970

Tales From The DarkWeb: Maserati data hijack

Conversation: Ira talks with Matthew E. Luallen, a Managing Partner with Encari, about the security challenges of having multiple virtual machines running on the same hardware. Matt mentioned the Center for Internet Security and the Level 1 Benchmark for Virtual Machines.

Data Security Podcast Episode 19 – Sep 23 2008

Posted in Podcast on September 23, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: The lessons we can all learn about Web 2.0 security from the Palin Yahoo Mail attack. We talk with White Hat Security CTO Jeremiah Grossman, who is also a former Yahoo security executive. Plus, the latest security news.

–> Stream, subscribe or download Episode 19 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 19

News:

1. TN Chattanooga Grand Jury Could Hear Testimony On Alleged Hacking Of Sarah Palin’s Yahoo Mail Account

2. The 20 states that do not audit their election results are on notice from a coalition of election advocates including Common Cause.

3. Admins and InfoSec Pros Blackhole U.S. Based DarkWeb ISP Amid Fraud, Abuse Allegations

4. New York has become the second state to begin issuing hybrid driver’s licenses with RFID that also serve as official identification cards at U.S. border crossing points.

5. Web Threats are More Pervasive than Email Threats Yet Businesses Fail to Protect Against Them

6. Communities that use reverse 911 calls to spread warnings are seeking new technology to reach the expanding number of cellphone users

Conversation: Ira talks with Jeremiah Grossman about the lessons we can all learn about Web 2.0 security from the Palin Yahoo Mail attack. Jeremiah is the founder and Chief Technology Officer of White Hat Security, and formerly worked on Yahoo Mail security issues while at Yahoo. Be sure to read Jeremiah’s blog posting for more on this topic.

[Some] Critical Steps for Securing Wireless Networks and Devices

Posted in Vulnerabilities on September 22, 2008 by datasecurityblog

Government Technology Magazine interviewed me recently for a story on wireless security. The reporter did a pretty good job on the story, and covered some important issues in wireless internet access security. Very wisely, the reporter quoted me when I recommended 20+ character pass phrases when setting up a wireless network’s access “key.”

There are two important areas of the interview that ended up on the cutting room floor.

#1 Many wireless access points have NO provision to disable wireless access to the administrator’s control panel on the device that sends out the wireless signal (the “access point”). Therefore, an attacker has unlimited time, from a distance, to attempt multiple attacks on the network. If the attacker penetrates the access point, it can be used as a springboard for further attacks against users and the network behind it.

A good access point allows you to completely shut down admin control of the device from any wireless connection. With this setting, an admin must physically plug in to the access point or, in some models, plug into the UTM/Firewall that protects the network. Physical access is a much harder hurdle for an attacker to clear, and it does not give the attacker unlimited time.

This physical access feature is mandatory for networks that have to comply with PCI-DSS mandates to protect credit card data. I put this feature on my must-have list, with or without PCI-DSS requirements.

In general, if you walk into a consumer computer store, none of the wireless access points on the shelf were designed with strong security in mind, and you are not likely to find an access point with this critical feature.

#2 I have also found that the companies that make the cheaper, less secure gear do not support long pass phrases for their encryption keys or for the passwords that control entry to the access point, and do not allow you to change the factory default user name. Combine a factory default user name and a short password with unlimited wireless attack attempts, and you have made an attacker’s job much easier.
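The two points above, as an added example that is not part of the original post: a small audit of an access point’s admin settings (wireless admin access, factory default user name, password and pass phrase length, and the firmware’s maximum key length). The configuration format and the sample configs are constructed for illustration, not any vendor’s real settings file.

```python
from __future__ import annotations
from dataclasses import dataclass

MIN_LEN = 20  # the 20+ character pass phrase recommended in the post
# Illustrative factory default account names (constructed list, not exhaustive)
FACTORY_DEFAULT_USERS = {"admin", "root", "administrator", "user"}


@dataclass
class AccessPointConfig:
    """Constructed representation of the settings that matter here; not a vendor format."""
    admin_over_wireless: bool   # admin panel reachable from the wireless side
    admin_user: str
    admin_password: str
    wpa_passphrase: str
    max_key_length: int         # longest pass phrase the firmware will accept


def audit_access_point(cfg: AccessPointConfig) -> list[str]:
    """Return findings, each prefixed with a severity, for the two points in the post."""
    findings = []
    exposed = cfg.admin_over_wireless
    weak_creds = False
    if exposed:
        findings.append("HIGH: admin panel reachable over wireless; require a wired connection")
    if cfg.admin_user.lower() in FACTORY_DEFAULT_USERS:
        findings.append("MEDIUM: factory default admin user name still in use")
        weak_creds = True
    if len(cfg.admin_password) < MIN_LEN:
        findings.append(f"MEDIUM: admin password shorter than {MIN_LEN} characters")
        weak_creds = True
    if len(cfg.wpa_passphrase) < MIN_LEN:
        findings.append(f"MEDIUM: wireless pass phrase shorter than {MIN_LEN} characters")
    if cfg.max_key_length < MIN_LEN:
        findings.append("LOW: firmware cannot store a pass phrase of the recommended length")
    # The combination the post warns about: unlimited remote attempts against weak credentials
    if exposed and weak_creds:
        findings.insert(0, "CRITICAL: wireless admin access combined with default or short credentials")
    return findings


# Constructed sample configs: a typical consumer unit and a hardened one
WEAK_AP = AccessPointConfig(True, "admin", "password", "linksys123", 16)
HARDENED_AP = AccessPointConfig(False, "ap-operator-7c",
                                "Wired-Only-Console-Access-2008",
                                "Correct-Horse-Battery-Staple-Summer", 63)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_access_point(cfg) or ["no findings"])
```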

Why do the computer stores only sell the less secure gear? Price and poorly trained sales people. I have heard many computer salespeople tell customers: “Unless you are in the CIA, you don’t need to worry too much about wireless security issues.”

As Mark Twain famously said, “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”

In computer and retail stores, the expensive, safer wireless gear just does not sell well, and it is “chased” off the shelf by the less expensive, less secure wireless equipment.

The original story in Government Technology Magazine

Data Security Podcast Episode 18 – Sep 16 2008

Posted in Podcast on September 16, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Law enforcement using social networking sites, virtual worlds, and multi-player game data to prosecute criminals and fight money laundering. Plus, the latest security news, including reports on virtualization / VM security from IT Security World in San Francisco.

–> Stream, subscribe or download Episode 18 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 18

News:

The county recorder in Arizona has adopted a policy to prevent ID theft and protect privacy — after you’re dead. The Maricopa County Recorder no longer posts death certificates. Hats off. If only government entities would protect your privacy while you’re alive.

Authorities in New York City are urging citizens to help the cops beef up their crime surveillance efforts — by using camera phones to record crimes in progress.

Ira reports this week from IT Security World in San Francisco, with reports on virtualization / VM security and the failures of traditional anti-virus.

Conversation: Lt. Chuck Cohen from The Indiana State Police on law enforcement using social networks, virtual worlds, and multi-user game platforms as a source of investigatory information in criminal cases.

Data Security Podcast Episode 17 – Sep 09 2008

Posted in Podcast on September 8, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Four-fold surge in botnets in the last 3 months. New email handheld with security features. Plus, the latest security news.

–> Stream, subscribe or download Episode 17 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 17

News:

1. A federal grant will expand the surveillance camera system in the greater Pittsburgh area. Emergency managers say the system, called ‘Threat Viewer’, will help with disasters and terrorism, but the cops will use it, too. See more in this Pittsburgh Post-Gazette story.

2. And by the way, we hope it won’t end up being used the way the British use their terrorist surveillance cameras… See more in this Sunday Telegraph story.

3. E-Discovery was supposed to be helpful in litigation, but the legal community says the requirement for electronic discovery is sending costs through the roof, and even keeping some cases out of court. See the Economist story, and get the complete report from The University of Denver.

4. Plaintiff gets WHACKED for deleting e-data related to litigation. Read more in this LA Times posting.

5. Google Chrome Anonymizers from ghacks. Tools to keep web surfing more private when using Google’s new Chrome web browser.

Tales from The DarkWeb:  The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months. Read the SANS.org posting.

Conversation: The Peek mobile email device and its security features. Ira speaks with Amol Sarva, CEO of Peek.

AUDIT: 1800 “Renegade” Web Servers at IRS

Posted in web server security on September 8, 2008 by datasecurityblog

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

According to the report, the unauthorized servers pose a greater risk because the IRS has no way to ensure that they will be continually configured in accordance with security standards or patched when new vulnerabilities are identified. Malicious hackers or disgruntled employees could exploit the vulnerabilities on these web servers to manipulate data on the server or use the servers as a launching point to attack other computers on the network.

In addition to security vulnerabilities, the auditors found that the IRS was using 33 different web server software packages. The auditors believe that using as few products as possible would reduce security risk, make monitoring for security vulnerabilities easier, and control costs for licensing fees, training, and maintenance.
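The two audit findings above (servers nobody approved, and web server product sprawl) come down to reconciling what is actually listening on the network against a change-controlled inventory. The following is an added example, not from the IRS report or the auditors: it reads a constructed scan export, lists hosts missing from the approval list, and counts distinct server products from their HTTP Server headers. The CSV format, host names and approval lists are all constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed scan export (host, port, HTTP Server response header); not real IRS data
SCAN_EXPORT = """host,port,server_header
web01.corp.example,80,Apache/2.2.9 (Unix)
web02.corp.example,443,Microsoft-IIS/6.0
dev-box17.corp.example,8080,Apache Tomcat/5.5.26
lab-pc03.corp.example,80,lighttpd/1.4.19
intranet.corp.example,80,Apache/2.0.63 (Unix)
"""

# Constructed change-controlled inventory: hosts approved to run a web server,
# and the web server products the organisation has standardised on
APPROVED_HOSTS = {"web01.corp.example", "web02.corp.example", "intranet.corp.example"}
APPROVED_PRODUCTS = {"Apache", "Microsoft-IIS"}


def product_name(server_header: str) -> str:
    """Drop the version and OS suffix so 'Apache/2.2.9 (Unix)' and 'Apache/2.0.63' count once."""
    return server_header.split("/", 1)[0].strip()


def reconcile(scan_csv: str, approved_hosts: set, approved_products: set) -> dict:
    """Compare discovered servers with the inventory; return what an auditor would report."""
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    products = Counter(product_name(r["server_header"]) for r in rows)
    return {
        # servers nobody approved, so nobody owns their patching and configuration
        "unauthorized_hosts": sorted(r["host"] for r in rows if r["host"] not in approved_hosts),
        # product sprawl: each extra package is another stream of advisories to watch
        "product_counts": products,
        "nonstandard_products": sorted(set(products) - approved_products),
    }


if __name__ == "__main__":
    report = reconcile(SCAN_EXPORT, APPROVED_HOSTS, APPROVED_PRODUCTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```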

September 15th and October 15th are the deadlines for filing certain federal tax returns for tax year 2007, for those who filed for an extension. The IRS spends a lot of money encouraging e-filing. This report may cause some to consider snail mail for filing tax returns.

Read the complete report here.

Data Security Podcast Episode 16 – Sept 02 2008

Posted in Podcast on September 2, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Cloud Computing is hot – but is it secure? Plus, the latest security news.

–> Stream, subscribe or download Episode 16 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 16

News:

1. Survey: IT staff would steal secrets if laid off

2. Improvements to smart card security. The company that sold millions of chips to the federal government for RFID passports has licensed technology that will make the products less vulnerable.

3. Best Western CIO Scott Gibson On The Data Breach

4. Scientists who research genetic predisposition to disease are now ready to use their technology to help law enforcement with identifying crime suspects. Privacy implications? Oh yes.

5. Virus Infects Space Station Laptops (Again)

Interview

Pete Wood, Member of the ISACA Conference Committee and founder of First Base Technologies, speaks with Ira about Cloud Computing Security. Pete’s tips on creating strong passwords, as mentioned in this segment.
