Archive for April, 2009

Swine Flu and Business Continuity Plans

Posted in Business Continuity on April 27, 2009 by datasecurityblog

Swine Flu is impacting locations in Mexico, the US, Canada, Asia, and Australia. We recommend that you review your business continuity plan now. Even if the outbreak is contained, if it occurs where you have employees, your business could feel the full impact of the flu.

According to health officials at the UK NHS: “This virus is contagious and is spreading from human to human.” In the event of an outbreak in your area, many of your employees would need to become teleworkers. The time to plan is BEFORE a disruption occurs.

The Data Security Podcast is working on stories now to help with planning. Subscribe to our RSS feed for updates.

Data Security Podcast Episode 50 – Apr 27 2009

Posted in Breach, Conference Coverage, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities on April 26, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: RSA Security confab report; a new way to protect against piracy: two-factor authentication. And, our take on this week’s news.

–> Stream, subscribe or download Episode 50 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes. Tune in or subscribe via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 50 of The Data Security Podcast

- From The News: Your tax dollars at work… paying a non-PCI compliant company to process your tax dollars. Here’s a copy of Uncle Sam’s contract with RBS Worldpay, which announced a major data breach in December, and which Visa has declared to be non-compliant.

- From The News: Rogue WiFi hotspots at RSA Security, according to scans by AirPatrol.

-> RSA Security confab links: Yubico, BehavioSec, NetworkIntercept, MokaFive, AlertEnterprises.

Parabens Wireless StrongHold Bag

Paraben CEO, Amber Schroader, shows us the Parabens Wireless StrongHold Bag at RSA San Francisco

- Tales From The Dark Web: How a cybergang operates a network of 1.9 million infected computers.

- Conversation: Ira talks two-factor authentication for software, music and movies with Stina Ehrensvärd of Yubico.

RSA_SF09 Dispatch: Best Security Swag for the Next 15 minutes

Posted in Conference Coverage on April 20, 2009 by datasecurityblog

I just took a pre-opening tour of the RSA Expo area. A lot of vendors are still setting up. Google has a very large booth, although I could not figure out what they were selling. Hopefully some privacy mojo will rub off from the participants, but I wouldn’t take a wager on that bet.

PhoneFactor is in the expo area. They offer a service that allows a cell phone to act as a second factor for authentication. I award PhoneFactor’s security cradle the Best Security Swag, for the next 15 minutes. Earlier, I posted on Twitter that it was the best of the day, but since the expo has not started, I will hold judgement until I see other booths.

Here is a pic of the Phone Factor Security Cradle, taken with a Blackberry Smartphone:

PhoneFactor Secure Cradle


Data Security Podcast Episode 49 – Apr 20 2009

Posted in Breach, Conference Coverage, criminal forensics, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities on April 19, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: The Twitter attacker in his own words; the father of SSL web encryption, Dr. Elgamal. And our take on the news, including the overreaching and underreaching of law enforcement when it comes to cyber crime.

–> Stream, subscribe or download Episode 49 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. CORRECTION: The URL to use for the free offer in the ad is: http://www.testdrivevipre.com .

The Show Notes Page for Episode 49 of The Data Security Podcast

- From The News: Computer Science Student Targeted, Due in Part to Running Command Line.

- From The News: Read the Terms of Service agreement Ira mentioned in the Twitter Worm Attacker story.

- From The News: Evidence of poor reporting (in our opinion): Wanted: Computer hackers … to help government

- Tales From The Dark Web: The Conficker Eye Chart.

- Conversation: Ira talks web security with Dr. Taher Elgamal, the holder of the patent on Secure Socket Layer web encryption.

- Ira travels to RSA Security in San Francisco, and he will tweet his thoughts and his location at this large conference. Find it here: http://twitter.iravictor.net

WHY WE CHOSE NOT TO POST OUR INTERVIEW WITH ALLEGED TWITTER WORM CREATOR

Posted in Breach, criminal forensics, darkweb, Exclusive on April 12, 2009 by datasecurityblog

The blogosphere is atweet with news of a DarkWeb attack on Twitter users. We believe we were the first to contact the man who claims to be the creator of the worm. We thought better of using his voice on our podcast, though, when we realized he’s only 17 years old. That makes him too young to consent legally to a globally-distributed interview. He may also be too immature to be a reliable source. The jury’s out on that.

At this point, we’ve decided to sit on the tape, even though the young man’s identity and his claims of responsibility for the Twitter hack have been widely revealed.

The co-host of Data Security Podcast spent quite a few years in a broadcast news room, and it’s her insistence that has prevented us from posting the audio, based on the age of the subject, his assertion that he was drunk when he conducted his exploit, and a healthy dose of journalistic skepticism.

(She reminded me that just last week, The Taliban claimed responsibility for a mass shooting in upstate New York, which turned out not to be the case, according to police. She questioned whether this “kid” is responsible for the Twitter attack just because he says he is, and beyond that, is he a “kid” at all, or is he older than 17? If he is a kid, why are his parents allowing him to stand in the media spotlight when he could be in big legal trouble? By the way, where are his parents? All good questions.)

Indeed, the young man has changed his story since he spoke with me. Last night he said he did it to drive traffic to his website. He now claims his attack was calculated to expose a Twitter vulnerability. And as I write this, he’s released a second attack, according to cnet news.

But there’s more to say about this Twitter attack. As everyone knows, the attack took the form of spam invitations to visit Stalkdaily.com, a site the young hacker claims to have created. Stalkdaily.com is a site with features similar to Twitter’s, but allows users to add multimedia to their posts.

In my conversation with the self-proclaimed attacker, I got a description of his methodology, which has also been surmised by other analysts. What’s NOT getting much ink is that this man exploited a common vulnerability that exists on a huge number of websites (cross-site scripting, or XSS). Only because Twitter is the flavor of the month is there so much attention paid to this XSS attack.

There is evidence that there are thousands of these attacks going on every day, but since the web sites aren’t called Twitter, the attack is not on the radar screen for mainstream media. I fear that all the attention will be on Twitter, and on a young man seeking his 15 minutes of fame, rather than on the same serious security issues that are present on many, many other web sites.
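The vulnerability class the post is talking about is easier to see in code than in prose. The following is an added example written for this page, not code from the Data Security Podcast or from Twitter or StalkDaily: a profile-page renderer that concatenates user-supplied fields straight into HTML (the defect), beside the same renderer with output encoding and a URL scheme check (the fix), plus a crude check that confirms no raw markup survives in the hardened output. The function names, the `profile` object and the sample bio are constructed for illustration.

```javascript
// Added example, not from the original post. All names and sample data are constructed.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: user-controlled profile fields are dropped into markup unchanged,
// so whatever a user stores in their bio is served as live HTML to every visitor.
function renderProfileVulnerable(profile) {
  return '<div class="bio">' + profile.bio + '</div>' +
         '<a href="' + profile.website + '">homepage</a>';
}

// Only allow absolute http(s) URLs in href; anything else (including
// javascript: URLs) is replaced with a harmless anchor.
function safeUrl(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (e) {
    // not parseable as an absolute URL; fall through
  }
  return '#';
}

// HARDENED: every untrusted field is HTML-escaped at the point of output,
// and the link target is restricted to http(s).
function renderProfileHardened(profile) {
  return '<div class="bio">' + escapeHtml(profile.bio) + '</div>' +
         '<a href="' + escapeHtml(safeUrl(profile.website)) + '">homepage</a>';
}

// Crude reviewer's check: does the rendered HTML still contain a script tag
// or an inline event-handler attribute? Useful in a test suite, not as a filter.
function containsActiveMarkup(html) {
  return /<script\b|<\/?[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample: a profile whose bio holds a script tag and whose
// website field holds a javascript: URL.
const sampleProfile = {
  bio: 'hi <script>alert(1)</script>',
  website: 'javascript:void(0)'
};

// Render the sample both ways so the difference can be inspected.
function demo(profile) {
  return {
    vulnerable: renderProfileVulnerable(profile),
    hardened: renderProfileHardened(profile)
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo(sampleProfile);
  console.log('vulnerable:', out.vulnerable);
  console.log('hardened:  ', out.hardened);
}
```

The point of the example is the placement of the defence: escaping happens when the value is written into HTML, not when it is stored, so the same bio text is stored verbatim and still cannot execute. The `containsActiveMarkup` check is a regression test, not a sanitizer; encoding at output is what removes the vulnerability.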

Note to Tweeters: You should add layers of security to your Twitter usage, if you have not already done so. HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily Twitter Hack)

If you like this posting, please consider LISTENING TO AND SUBSCRIBING TO THE DATA SECURITY PODCAST

Data Security Podcast Episode 48 – Apr 13 2009

Posted in Breach, criminal forensics, darkweb, Legislation, Podcast, Vulnerabilities, web server security on April 12, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Twitter worm a case study in web app security; will Congress give sweeping cyber authority to the White House? And our take on the news.

–> Stream, subscribe or download Episode 48 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 48 of The Data Security Podcast

- From The News: Patch those third party apps, not just the OS! That’s the takeaway from the latest edition of The Microsoft Security Intelligence Report.

- From The News: IRS to Boost Oversight of Security, Accuracy of E-Filings, as posted in the Washington Post.

- From The News: FTC’s attempt to fight fraud with the so-called “Red Flags Rules”. Here is a link to the FTC’s How-To Guide for Business. Physicians are on the list of many types of business that need to comply.

- Tales From The Dark Web: We covered XSS and web application security. OWASP is an excellent resource for free, standards-based web application security information.

- Conversation: Ira speaks with Lee Tien of the Electronic Frontier Foundation. Read more about the Cybersecurity Bill of 2009, including a link to the EFF blog posting on the issue.

- Wrap up: HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily Twitter Hack)

Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?

Posted in Uncategorized on April 11, 2009 by datasecurityblog

The Cybersecurity Act of 2009 was just introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). This bill, if passed, could result in sweeping changes in how IT professionals do their job.

There is a provision within this bill that would require the licensure of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control it.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

Laws regulating IT security professionals at the state level have already passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. Only among regulators, and those wishing to limit competition, does there appear to be a groundswell of support for the government to license IT professionals.

In the very next episode of the Data Security Podcast (episode 48), we are scheduled to air an interview with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Last month, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (NCSC). He said that his job was being stripped of staff and funding. What did Rod Beckström know about this bill, and when did he know it?

We will keep following this bill, and this story, on the Data Security Podcast. You can also follow updates that EFF is posting on their blog. Read the Cybersecurity Act of 2009, and a summary of the bill.
