Archive for March, 2009

Data Security Podcast Episode 46 – Mar 30 2009

Posted in Breach, darkweb, Vulnerabilities on March 29, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: New broadband gear botnet; what will happen with Conficker on April 1st? And the week’s news.

–> Stream, subscribe or download Episode 46 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 46 of The Data Security Podcast

-From The News: NASCIO publication mentioned by Samantha, in her story on security and the stimulus plan.

- From The News: Ransomware attacks mentioned by Ira. See FireEye’s blog posting on the topic for more details, including how to decrypt the files without paying the Dark Web’s ransom.

- From The News: RSPlug-F Mac Trojan horse distributed via an HDTV website. See the video of an attempted attack. No such thing as malware for the Mac, eh?

- Tales From The Dark Web: New psyb0t malware targets certain Linux-based broadband networking equipment (routers and DSL modems), logging in over exposed telnet or SSH management interfaces with default or weak passwords. DroneBL has extensive information; scroll down to a post by Crichton for instructions on how to apply defence-in-depth to networking gear that does not let you change the factory default username. Unfortunately, many gear makers fall into that category. At a minimum, keep the management interfaces (telnet, SSH, web) off the WAN side, change every password the device does let you change, and keep the firmware current: firmware on networking gear needs updating just as much as desktop PCs, servers and handheld devices.

- Conversation: Ira talks with Paul Royal of PureWire Security about Conficker and what might or might not happen on April 1st, 2009.

- Wrap Up: Lauren buys a PC. The comments are from the YouTube post, not from the Data Security Podcast.

Data Security Podcast Episode 45 – Mar 23 2009

Posted in Breach, darkweb, ediscovery, Podcast, Vulnerabilities, web server security on March 22, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Smart grid security threats; low-traffic web sites come under attack; and the week’s news.

–> Stream, subscribe or download Episode 45 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.


The Show Notes Page for Episode 45 of The Data Security Podcast

-From The News:  Although we have been covering this story from a different angle, CNN did get an interview with Ed Skoudis (SANS security expert) on the topic of smart grid security.

- From The News: CanSecWest was the stage for Microsoft to announce ‘!exploitable Crash Analyzer’ (pronounced: bang exploitable Crash Analyzer), a Windows debugger extension that triages crashes by their likely exploitability. Get the presentation slides and the free open source tool.

- Tales From The Dark Web: Finjan released a report on new attacks against smaller, lower-traffic web sites. The report has not yet been posted on Finjan’s site, but one would expect it to appear there soon.

-Conversation:  Ira speaks with Professor Howard Schmidt about the new CSSLP security certification. “Fast Tracking” ends on March 31st, 2009!

- Wrap up: Bruce Schneier’s blog posting regarding the supposed backdoor in Blowfish encryption on the Fox TV show 24. Here is a link to the segment of 24 at Hulu. The Morris O’Brian character in 24 claims to know about a back door in Blowfish (Schneier designed Blowfish; no such backdoor is known, and the plot point is fiction):

What does Miles  of 24 know about blowfish encryption?

Apologies to Bruce Schneier for our mispronunciation of his last name in our segment.

Data Security Podcast Episode 44 – Mar 16 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities on March 15, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Card merchants ignoring wireless security; crypto, mobile VoIP, unlimited voice and data: the smartest smartphone? And the week’s news.

–> Stream, subscribe or download Episode 44 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.


The Show Notes Page for Episode 44 of The Data Security Podcast

- From The News: CNET has excellent team coverage of Craigslist, and the accusations that it is a hub for illegal sex offerings.

- From The News: The PCI Security Standards Council releases a Prioritized Approach Guide and Worksheet to help merchants with a six-step approach to PCI DSS compliance.

- From The News: How to update Foxit PDF Reader: go to the Help menu, select Check for Updates, and choose the entry at the bottom of the list, 3.0.2009.1506 (or a higher version number).

- Tales From The Dark Web: Read Randy Abrams of ESET on his experience communicating with Google about Dark Web software he found on Google’s Blogspot.com.

- Conversation: Ira speaks with Ben Pilani of Zer01mobile.com. They are going to offer smartphone software that includes encryption, VoIP, and unlimited voice and data. Ira and Ben talk about the security protocols used (SSL) and the issues with running Real-time Transport Protocol (RTP) media over slow GSM cellular networks. (A caveat for listeners: SSL/TLS protects the signalling channel; the RTP media stream itself is only protected if it is carried as SRTP or inside an encrypted tunnel.)

Data Security Podcast Episode 43 – Mar 09 2009

Posted in darkweb, ediscovery, eMail Security, Exclusive, Podcast on March 8, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: ex-White House InfoSec Chief Howard Schmidt on the NSA controlling cybersecurity; Web 2.0 security with “GenWhy?”; and the week’s news.

–> Stream, subscribe or download Episode 43 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.


The Show Notes Page for Episode 43 of The Data Security Podcast

- From The News: Howard Schmidt, ex-White House Security Chief, comments on the sudden resignation of Homeland Security’s National Cybersecurity Center Director.

- From The News: Congress tries once again to keep children safe… and to keep everybody else busy “helping” the police, with a proposal for expensive and time-consuming record-keeping requirements.

- From The News: Faulty electronic record-keeping is not just a legal issue. For elected officials, it is also becoming a tool in the hands of political opponents, as former Missouri Governor Matt Blunt knows. Read more on the story.

- Tales From The Dark Web: Security lab F-Secure reports a thriving commercial center for the Dark Web on YouTube. Below is a screen shot of logins belonging to bank customers from all over the world. F-Secure points out that YouTube offers no way to report these videos for what they actually are: commercial messages for lawbreakers. Read the posting at F-Secure, or click on the screen shot below to be taken to the posting.

Dark Web uses YouTube to advertise

- Conversation: Ira Victor talks with Roger MacBride Allen, Co-author of Mr. Lincoln’s High-Tech War

- Wrap Up: Ira talked with Roger Thornton, founder and CTO of infosec firm Fortify. When Ira was talking with Roger, and others within earshot at the InfoSec World Conference, about Web 2.0 security, this Daily Show segment about Twitter was mentioned, and Ira promised to post the link.

- CORRECTIONS: Ira misspoke in his reports from the floor of InfoSec World in Orlando, Florida. US-CERT is the United States Computer Emergency Readiness Team. Howard Schmidt has over 40 years of combined security experience, in and out of government. The panel on Web 2.0 security and generational challenges was led by Dr. Linda Gravett. The Data Security Podcast, and Ira Victor, apologize for the errors.

EXCLUSIVE TO DATA SECURITY PODCAST: Former White House Security Chief Comments on Sudden Resignation of Homeland Security’s National Cybersecurity Center Director

Posted in Exclusive on March 8, 2009 by datasecurityblog

InfoSec World Conference, March 8th, Orlando, Florida – In an exclusive in-person interview today with The Data Security Podcast, Howard Schmidt commented on the sudden resignation Friday of Rod Beckstrom as head of the National Cyber Security Center (NCSC). Howard Schmidt served as the Cyber Security Advisor to the White House, and he was the Chief Security Strategist for the United States Computer Emergency Readiness Team (US-CERT) Partners Program for the NCSC.

Rod Beckstrom wrote a strongly worded resignation letter that has been made public. Mr. Beckstrom claims that the organization he was appointed to head, the NCSC, has been forced to subordinate its role as the nation’s leading cyber security body to the National Security Agency. The NSA is part of the Department of Defense. Beckstrom felt that cyber security should be led by the civilian Department of Homeland Security, in the name of democracy and civilian control.

Schmidt said that Beckstrom, an entrepreneur and author prior to heading the NCSC, had a “different perspective, coming from the private sector.”

“The NSA has done a great job on defense systems, and that [expertise] could be applied to other areas of cyber security,” Schmidt said.

Howard Schmidt thinks that the NSA does have a legitimate role to play in leading the nation’s cyber security. While he acknowledges Beckstrom’s concern about the NSA’s reputation for secrecy and eavesdropping on US citizens, Schmidt thinks that controls can be put into place that “draws lines.” Schmidt suggested that these lines need to be “constantly monitored.”

He also said that the Obama administration promised transparency in government – that promise should extend to drawing those lines.

(Data Security Podcast says: To date, the Obama administration has been less than transparent in certain respects, and has reneged on promises to post all bills online for five days of public comment before the President signs them. Let’s hope for more transparent practices when it comes to cybersecurity.)

Learn more about the resignation in these stories by Declan McCullagh at CNET, Noah Shachtman at Wired, and Jaikumar Vijayan at Computerworld.

More about the face-to-face interview on Episode 43 of the Data Security Podcast.

Data Security Podcast Episode 42 – Mar 02 2009

Posted in Breach, criminal forensics, Podcast, web server security on March 1, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Poor infosec leads to a Presidential security incident; Hall of Cyber Shame: states post info about delinquent taxpayers; and the week’s news.

–> Stream, subscribe or download Episode 42 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.


The Show Notes Page for Episode 42 of The Data Security Podcast

- From The News: A consortium of US federal cybersecurity experts establishes a baseline standard of due care for cybersecurity: the Twenty Most Critical Controls. See this SANS link for more, and to add your comments on the standard. An article on the topic in Federal Computer Week was mentioned in this segment of the program.

President Obama takes off from the South Lawn of the White House on his first flight aboard Marine One.

- From The News: Poor data security at a defence contractor leads to a Presidential security incident involving sensitive information, including Marine One’s entire blueprints and avionics package. Kudos to the peer-to-peer security team at Tiversa for discovering the breach.

- From The News: When people are afraid of losing their job, ethics sometimes goes out the window. See the report at http://www.cyber-ark.com/constants/white-papers.asp and scroll down to the link titled The Global Recession and its Effect on Work Ethics. (Free registration is required; no validation of the form fields appears to be in place. Is that you, Thomas_Jefferson@nsa.gov, downloading the report?)

- From The News: Why we don’t live in Michigan, reason #775. As if Michigan residents don’t have enough to contend with as they watch their primary industry go down for the count, Governor Jennifer Granholm wants to humiliate delinquent taxpayers by posting their identities online. Hey Gov, with your people suffering job loss, bankruptcies and foreclosures, one would think you’d want to preserve whatever dignity they have left. (P.S. There are 18 states that brag that this “cybershame” method results in tax collections. Probably some identity thefts too, since addresses and other personal information are there for the world to see.)

- Conversation: Ira Victor talks with Bill Greeves, IT Director for Roanoke County, VA, about MuniGovCon’09 – A Virtual Conference on Web2.0 taking place in Second Life on April 10, 2009 from 9:00 AM – 1:00 PM PST. Here is the main site: MuniGov.org

- Wrap-Up: After hearing about EasyVPN on the Data Security Podcast, Peter Nikolaidis posted this blog entry: Comodo’s EasyVPN Landing Page is an Attack Site? Comodo responded with this very open and candid mea culpa.

Next Week: Ira reports from IT Security World in Orlando Florida.

P2P Usage Leads To Presidential Security Breach

Posted in Breach on March 1, 2009 by datasecurityblog

Pittsburgh TV station WPXI is reporting that security company Tiversa discovered engineering and communications information about the Marine One helicopter fleet on an Iranian computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO of Tiversa, said that his company found the entire blueprints and avionics package for the famous helicopter on an Iranian system. The company traced the file back to its original source, which appears to be a defence contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defence contractor had a file sharing program installed on its network, the same network that held the highly sensitive Marine One information.

Boback said that someone from the company most likely downloaded a file-sharing program, typically used to share music and movie files, not realizing the potential problems.

Iran is not the only country that appears to be accessing this information through file-sharing programs. Boback said that they have seen the files accessed by systems in Pakistan, Yemen, Qatar and China.

If this is what passes for information security in matters of national defence, just wait until the Feds start mandating the digitizing of everyone’s medical records.

Boback’s team should get kudos for their investigative work. Boback notified the government immediately and said appropriate steps are being taken.

Pennsylvania Congressman Jason Altmire will ask Congress to investigate how to prevent this kind of incident from happening again. Tough questions need to be asked, although too often these Congressional hearings don’t lead to serious changes.

This is all the more reason for  SANS’ new Consensus Audit Guidelines (CAG) to be taken seriously. One of the goals of that program is to deal with national security-related data breaches.

At this point, we don’t know what logging mechanism is in place at this contractor. Logging is part of the CAG, and one would have assumed that a good logging mechanism would have detected some of the peer-to-peer traffic before the incident got out of hand. Maybe the contractor has “logging in name only” (LINO), something I have seen first hand.
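The kind of check the paragraph above has in mind, as an added example that is not code from this post, from Tiversa or from the CAG: a fan-out heuristic over connection logs that flags internal hosts behaving like peer-to-peer clients (many distinct external peers on many distinct high ports, or inbound connections accepted on a high port). The log line format, the 10.0.0.0/8 internal range, the addresses and the thresholds are all constructed assumptions for this illustration.

```python
"""Added example (not from the post or Tiversa): a fan-out heuristic over
connection logs that flags internal hosts behaving like peer-to-peer clients.
The log format, addresses and thresholds are constructed for this illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range
PEER_THRESHOLD = 25                    # distinct external peers seen
PORT_THRESHOLD = 20                    # distinct external ports above 1024


def parse_line(line: str) -> dict:
    """Parse a constructed log line: '<timestamp> <src> <dst> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def p2p_suspects(lines):
    """Return {internal_host: stats} for hosts that talk to many distinct external
    peers on many distinct high ports, or that accept inbound connections on a
    high port. Web browsing fans out too, but mostly to ports 80/443, which the
    port-diversity test filters out."""
    peers, ports, inbound = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            peers[rec["src"]].add(rec["dst"])
            if rec["dport"] > 1024:
                ports[rec["src"]].add(rec["dport"])
        elif dst in INTERNAL and src not in INTERNAL and rec["dport"] > 1024:
            inbound[rec["dst"]].add(rec["src"])
    flagged = {}
    for host in set(peers) | set(inbound):
        fan_out = (len(peers[host]) >= PEER_THRESHOLD
                   and len(ports[host]) >= PORT_THRESHOLD)
        if fan_out or len(inbound[host]) >= 3:
            flagged[host] = {"peers": len(peers[host]),
                             "high_ports": len(ports[host]),
                             "inbound_peers": len(inbound[host])}
    return flagged


# Constructed sample: 10.0.0.5 behaves like a P2P client, 10.0.0.7 just browses.
SAMPLE_LOG = (
    ["2009-02-27T14:%02d:00 10.0.0.5 198.51.100.%d %d TCP"
     % (i % 60, i + 1, 20000 + 37 * i) for i in range(40)]
    + ["2009-02-27T14:%02d:30 203.0.113.%d 10.0.0.5 6881 TCP"
       % (i, i + 1) for i in range(4)]
    + ["2009-02-27T14:%02d:10 10.0.0.7 198.51.100.%d 443 TCP"
       % (i, 1 + i % 3) for i in range(40)]
)

if __name__ == "__main__":
    for host, stats in sorted(p2p_suspects(SAMPLE_LOG).items()):
        print(host, stats)
```

Run against real firewall or flow logs, the thresholds need tuning per site, and a host that only fans out to 80/443 (a CDN-heavy browser) should stay unflagged; the point is that a log that is collected but never evaluated this way is the “logging in name only” the post describes.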

And it is important to point out that among the layers of security in the CAG that need to be added to many networks is the right kind of data loss prevention (DLP).

I have seen a lot of vendors lately pitching what I call single-port DLP solutions, many of which only block one port, and even more solutions that only block based upon pre-determined dictionaries of credit card numbers, Social Security numbers, or HIPAA data. They point these DLP solutions at the mail server, or only monitor port 80 for web traffic.

Based upon what we know about this incident, one of the layers of security that is needed is a solution that fingerprints the important files in that business unit, hashing “slivers” of those files. Then DLP should be pointed at all 65535 ports, so that every port and every protocol is monitored for leakage of any of that data. Even with a file sharing program on the network, the right DLP solution would have trapped the data before it ended up on servers in the Middle East and Asia.
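What “hashing the slivers” looks like in code, as an added example that is not the post’s, Tiversa’s or any DLP vendor’s implementation: each protected file is indexed by hashing a fixed-size window at every byte offset, an outbound payload is hashed only at fixed window boundaries, and a lookup hit means a contiguous piece of the file is leaving, whatever port or protocol carried it. The sliver size, the file name and contents, and the sample payloads are constructed assumptions for this illustration.

```python
"""Added example (not from the post, Tiversa or any DLP vendor): content
fingerprinting of the kind the paragraph describes. Protected files are cut
into fixed-size "slivers", each sliver is hashed, and any outbound payload is
checked for a matching sliver regardless of port or protocol. File names and
contents are constructed for this illustration."""
import hashlib
from typing import Dict, List, Set, Tuple

SLIVER = 64  # bytes per sliver; products use larger, content-defined chunks


def sliver_hash(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()


def fingerprint(data: bytes, sliver: int = SLIVER) -> Set[bytes]:
    """Hash the sliver-sized window at every byte offset of a protected file,
    so a fragment copied out of it matches wherever the copy was cut."""
    return {sliver_hash(data[i:i + sliver]) for i in range(len(data) - sliver + 1)}


def build_index(files: Dict[str, bytes]) -> Dict[bytes, str]:
    """Map sliver hash -> protected file name."""
    return {h: name for name, data in files.items() for h in fingerprint(data)}


def scan(payload: bytes, index: Dict[bytes, str],
         sliver: int = SLIVER) -> List[Tuple[int, str]]:
    """Hash the payload only at fixed sliver boundaries and look each one up.
    Because the index covers every offset of the protected files, any leaked
    run of at least 2*sliver-1 contiguous bytes contains one whole aligned
    payload block that is in the index, wherever the run starts."""
    return [(off, index[h])
            for off in range(0, len(payload) - sliver + 1, sliver)
            for h in (sliver_hash(payload[off:off + sliver]),) if h in index]


def inspect_flow(src: str, dst: str, dst_port: int, payload: bytes,
                 index: Dict[bytes, str]) -> dict:
    """Port-agnostic verdict: the port is recorded for the alert but never used
    to decide whether to look at the payload."""
    hits = scan(payload, index)
    return {"src": src, "dst": dst, "dst_port": dst_port, "leak": bool(hits),
            "files": sorted({name for _, name in hits}), "blocks": len(hits)}


# Constructed protected document (no real data): 40 distinct 63-byte lines.
PROTECTED = {"rotor_assembly.txt": b"".join(
    b"CONSTRUCTED line %03d: blade pitch linkage, avionics bus pinout\n" % i
    for i in range(40))}
INDEX = build_index(PROTECTED)

DOC = PROTECTED["rotor_assembly.txt"]
LEAK = b"GET /upload " + DOC[500:900] + b" trailing chatter"           # 400-byte fragment
SMALL_LEAK = b"x" * 37 + DOC[300:300 + 2 * SLIVER - 1] + b"y" * 100  # minimum run, odd offset
BENIGN = b"hello world, nothing to see here. " * 20

if __name__ == "__main__":
    for port, payload in ((6881, LEAK), (443, SMALL_LEAK), (80, BENIGN)):
        print(inspect_flow("10.0.0.5", "203.0.113.9", port, payload, INDEX))
```

Two design points worth noting. Indexing every offset of the protected side is what lets the inspection side hash only at fixed boundaries, which keeps the per-packet cost to one hash per sliver; and the inspection function never consults the destination port, which is exactly the difference between this and the “single-port” products the post complains about. A real product would also reassemble streams and normalise encodings before hashing, which this example leaves out.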

By the time you read this, the Marine One story will be all over the mainstream press. The public is going to be mad, and scared. It’s time for information security professionals to stand up and let public policy makers know that there are solutions to these challenges, and that now is the time to (finally) take them seriously.
