Archive for December, 2008

Data Security Podcast Episode 33 – Dec 30 2008

Posted in Breach, darkweb, ediscovery, Exclusive, Podcast, Uncategorized with tags , , , , , , , , , on December 29, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Payroll and card processor data breach – a new trend? Exclusive interview with the developer anti-theft and data recovery program for the Blackberry .  Plus, the latest data security news.

–> Stream, subscribe or download Episode 33 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 33:

Integrity Attack on Traffic Enforcement Cameras

Integrity Attack on Traffic Enforcement Cameras

From the Data Security News

Traffic Enforcement Cameras:  Teen hackers are attacking an integrity vulnerability in traffic enforcement cameras in Maryland, to the detriment of innocent car owners.  The teens create a fake license plate, tape it over a real plate, and then drive in a manner that triggers the traffic enforcement cameras.

In a related story, many of these cameras focus on the driver’s side of the car… here is another integrity attack using a right hand drive Audi. The owner has placed a Muppet in the left front seat of a right hand drive car (see photo above) and has obfuscated the plate number. At least in his case, tickets are not going to other drivers, as they are in the Maryland attack.

The BBC has been covering the exploits of a new generation of teen hackers. These hackers don’t seem to realize that their exploits (both digital and in RL) cause innocent people the loss of life savings. Take a look at this informative BBC News video on how teen hackers are using social media sites.

Tales From The Dark Web: RBS WorldPay Breach Rings Alarm Bells About Acquirer Security, read the details

EXCLUSIVE: Ira talks with Dan Shipper the Founder of Convenience Software about their newest anti-theft and data recovery program for the BlackBerry – Get It Back. The application has some interesting and useful features, like using GPS to locate the device, making the device play a message like,”This BlackBerry has been stolen,” and the ability to withstand a SIM chip swap. The software still needs some improvement. For example, there is no secured log-on for the web administration control panel. As with all security software: Caveat emptor.

Data Security Podcast Episode 32 – Dec 22 2008

Posted in darkweb, Podcast with tags , , , , , , , on December 22, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: A viscous new DNS attack – it’s not easy to tell if you’re a victim. Plus, the data security news.

–> Stream, subscribe or download Episode 32 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 32:

Linux WiFi Photo Frame

Linux WiFi Photo Frame

Who wants a factory-fresh, worm infected photo frame for Christmas? Not you, we hope!  Read the SANS Internet Storm Center report about the lastest malware infested photo frame, the Samsung SPF-85H. Here is one of many safer alternatives .  The safer alternatives  (example of just one, pictured left) use WiFi and Linux to download photos from email accounts or online photo accounts. The safer alternatives don’t require a connection to a local computer to transfer photos to the frame. This lowers the the threats of malware infecting the local computer due to plugging a factory-fresh, but malware infected, digital  frame into a computer.

Tales From The DarkWeb: Ira has a conversation with Bojan Zdrnja of the SANS Internet Storm Center about a  viscous new DNS attack.

Data Security Podcast Episode 31 – Dec 15 2008

Posted in darkweb, Podcast, web server security with tags , , , , , , on December 15, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program:  What is  “Organized Retail Crime?”  How safe are web applications?  Plus, the latest news on data security.

–> Stream, subscribe or download Episode 31 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System and  DeviceLock removeable media security.

Program Notes for Episode 31:

Traffic cameras ruled constitutional by federal judge in Akron case.

Leading mobile phone providers banned from advertising that their voicemail is secure.

Tales From The DarkWeb: According to a new report by Urban Institute’s Justice  Policy Center identity theft and fraud will continue to be a fast growing crimes.  However, the nature of identity theft is likely to shift to more organized, high-stakes, global attacks, in the form of  ‘Organized Retail Crime.’

Conversation: Ira talks with Jeremiah Grossman of White Hat Security about web application attacks and how they are impacting holiday eCommerce sites and their shoppers. Check out WhiteHat Security’s Sixth Quarterly Website Security Statistics Report (reg required).

Recovering the “Unrecoverable”

Posted in criminal forensics with tags , , , on December 14, 2008 by datasecurityblog

In Santa Cruz California, the applications of forensic best practices led to the conviction this month of a serial rapist. According to a story in Computerworld, a man by the name of Michael Barnes was accused of multiple rapes. One of his alleged victims came forward to the police, and the police taped her account using a video camera. The interview was recorded onto a DVD.

The DVD became unreadable between the victim’s testimony and the trial, and was needed to secure a conviction. The Santa Cruz, California, District Attorney’s Office contacted two data recovery firms and sent them the DVD. They reported back that, yes, the DVD is unreadable. It appears that these two recovery firms did not apply the basic principals of data forensics: If one can get physical access to the media (DVD, hard drive, thumb drive, etc.), and the data is not encrypted, or over-written, one can always recover the data.

The DA’s parents, by chance, had a neighbor that used to work for Seagate, the hard drive maker. Seagate also has a data recovery division. The DA he sent the DVD to them to attempt a recovery.

Seagate discovered that the “lead-in” file at the beginning of the DVD was damaged, making the DVD unreadable using standard DVD software. Seagate forensically imaged the data on the DVD and then repaired the damaged file. The image of the DVD was then playable, and the original interview was recovered.

Barnes, the accused rapist, was convicted, and sentenced to 24 years in prison on Dec. 5 2008.

Stupid Campaign Tricks: BlackBerry Data Exposed

Posted in Breach, ediscovery, eMail Security with tags , , , on December 14, 2008 by datasecurityblog

Last week, a McCain for President Campaign office in Virginia was selling used BlackBerries, sans batteries and power cords. These devices were part of a rummage sale from the 2008 Presidential campaign.

A reporter from a Virginia TV station bought some of the devices, installed batteries, and charged them up. Behold, the data had not been erased from the devices. The station called a McCain-Palin campaign worker, who said, “It was an unfortunate staff error and procedures are being put in place to ensure all information is secure.” Let’s get this straight, the campaign is over, and just now security procedures are being put into place?

BlackBerries and the Blackberry Enterprise Server are part of one of the most secure mobile systems on the market today. For example, if one enters in the wrong password more than a set number of times into the device, the data auto-deletes. There is also a “remote delete” feature that allows an administrator to remotely wipe the data on one, or many devices, with a simple key stroke.

Following the reports of cyber attackers penetrating the Obama and McCain campaigns, and the attack against Palin’s Yahoo webmail account, one would think that security procedures would already be in place. It appears that there were no passwords on these devices, and that there were no remote wipe procedures in place.

If 2008 was the campaign where the Internet was integrated into winning campaigns, then the 2010 campaign should be the year that data security is integrated into the winning campaigns.

Data Security Podcast Episode 30 – Dec 9 2008

Posted in Podcast with tags , , on December 9, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: DNS Registration Attack Targets CheckFree users, we talk to a victim; and the latest news on data security.

–> Stream, subscribe or download Episode 30 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Anti-Spam Service

Program Notes for Episode 30

From the news:  Securing Cyberspace in the 44th Presidency,  a Commission “…created in 2007 to identify recommendations that the next administration could implement quickly and make a noticeable improvement in the nation’s cybersecurity…” Some of the content in this segment was taken from an excellent Wall Street Journal story on this report.

Tales From The DarkWeb: Ira talks with Jim Murray, whose witnessed the Checkfree attack first hand when his wife tried to pay bills online.  Jim is an information security architect, and talked about a tool he uses to alert end users that something is not right on the system,  Rubber Ducky.

We contacted Checkfree to give them the opportunity to comment on the hijack of their web domains, and the conversation with Jim Murray, but they did not reply. Checkfree did talk with Brian Krebs, a blogger with the Washington Post, about the attack.  As of this writing, Checkfree appears to have re-gained control of their web domains.

Data Security Podcast Episode 29 – Dec 2 2008

Posted in Podcast with tags , , , , on December 2, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Virus via USB hits 75% of the PCs on a military base; New vascular biometric sign-on; and the latest data security news.

–> Stream, subscribe or download Episode 29 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Anti-Spam Service

Program Notes for Episode 29

From the news: If you haven’t updated Windows OS systems with the emergency Microsoft Patch MS08-067 (released in October), find out about it here.

One of many postings on by-passing web URL filters, this posting has a YouTube how-to video that you can show non-technical managers.

Tales From The DarkWeb: Computer Virus [Via USB Thumb Drive] Hits U.S. Military Base in Afghanistan; U.S. military officials speculate the cyber attack may have originated in China

Conversation: Ira talks with Jerry Byrnes about vascular biometric technologies for two factor authentication.

Follow

Get every new post delivered to your Inbox.

Join 1,106 other followers