Archive for June, 2009

Data Security Podcast Episode 59 – June 29 2009

Posted in Breach, Court Cases, darkweb, Podcast, Vulnerabilities, web server security on June 29, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • Web drive-by download attacks have hit the users of DenverPost.com. Attacks in progress.
  • Drive-by downloads are the fastest growing area of cyber attacks. A new tool alerts you before you get hit.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 23 minutes long

–> Stream, subscribe or download Episode 59 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 59 of the Data Security Podcast

  • Tales From The Dark Web: Ira has a conversation with Yuval Ben-Itzhak, CTO of security company Finjan, about a browser tool that can alert you to drive-by downloads before they strike. Check out http://securebrowsing.finjan.com to get the tool.
  • From The News: The owner of TJMaxx stores, TJX, entered into a settlement with 40 states and the District of Columbia as a result of a massive data security breach in 2007. The nearly $10 million settlement is far-reaching. Read the entire settlement here, thanks to the Office of the Attorney General of Washington State.
  • From The News: Adobe Shockwave critical security update. Be sure to UNINSTALL the older versions of Shockwave and then install the new version if you are on Windows. Mac users just need to do an update.
  • From The News: According to multiple online scanning sources, The Denver Post web site, DenverPost.com, has been breached by members of the Dark Web. The site appears to be attacking visitors to select pages of the site, and attempts to download malware onto the computers of readers of the site. See screen shots from the Google malware blacklist below. More details on the show.

Google's Denver Post Malware Alert

Firefox's Denver Post Malware Alert

Yuval Ben-Itzhak, CTO of Finjan

BREAKING: DenverPost.com’s Site Blacklisted Due to Suspicious Web Drive-by Malware

Posted in Breach, darkweb, Vulnerabilities, web server security on June 27, 2009 by datasecurityblog

Web blacklisting reports coming in late Saturday night, Pacific Time, say that parts of the Denver Post newspaper site are being blacklisted due to web-based drive-by downloads.

Web anti-malware company Dasient is reporting that extras.denverpost.com (WARNING: MAY NOT BE SAFE…DO NOT GO TO THIS SITE WITHOUT STRONG LAYERS OF SECURITY) has 26 infected pages. Dasient is also reporting that the site is blacklisted by Google/Chrome and Mozilla Firefox.

Over at Google, the Google Safe Browsing Diagnostic site is reporting:

“Site is listed as suspicious – visiting this web site may harm your computer….

Of the 137 pages we tested on the site over the past 90 days, 44 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-06-25, and the last time suspicious content was found on this site was on 2009-06-25.

Malicious software includes 46 scripting exploit(s).

Malicious software is hosted on 3 domain(s), including gumblar.cn/, bigtopmanagement.cn/, findbigbrother.cn/.

This site was hosted on 8 network(s) including AS20940 (AKAMAI), AS21399 (AS), AS2914 (NTT).”

It has been widely discussed in data security circles that web drive-by downloads are the fastest growing area of cyber attacks. There were over 4000 new web application vulnerabilities reported last year. Members of the Dark Web seek out these web-based vulnerabilities on legitimate sites and use them to steal confidential data from web site visitors, and from the web site owners themselves.

Security experts, and the PCI (Payment Card Industry) standard, prescribe web application scanning and web application firewalls for web site owners to mitigate these attacks.

Web users can use browser sandboxing applications and browser-based plug-ins to mitigate these attacks. Many of these attacks are cross-platform, so using Mac OS X or Linux will not protect you from many of these web drive-by malware attacks.

We will have more coverage of this attack, including an interview with the CTO of Finjan about tools to fight these attacks, on the Data Security Podcast that will post on Sunday night June 28th.

TJMaxx Agrees to “Leadership Role” In Data Security

Posted in Announcements, Breach, criminal forensics, darkweb, ediscovery, Legislation, Vulnerabilities, web server security on June 24, 2009 by datasecurityblog

Large US retailer TJMaxx today announced that it has settled with a multi-state group of 41 Attorneys General, resolving the States’ investigations relating to the criminal intrusions into TJMaxx’s computer system announced by TJMaxx over two years ago.

Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies (the owner of TJMaxx) stated, “This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime.”

Mr. Naylor continued, “The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world.”

What has not been announced are the specifics of what TJMaxx, or the states, will do to take a leadership role in exploring new technologies and approaches to improving data security.

Here are some suggestions:

1. Make protecting information a key function for all organizations, of all sizes. Too often, data security is looked at as “an IT task.” In many organizations today, data security is just a subset of the IT department, so it falls to the CTO/CIO/MIS manager to strike the balance between ease of access and security. The Chief Information Security Officer should report to the CFO or CEO, and bring them actionable information risks and the options to mitigate those risks. It is the role of the non-technical manager to strike the balance between ease of use and security, not the head of IT.

2. Educating businesses that the PCI standard is a MINIMUM standard, not a bar or goal to be reached “one day.”

3. Educating businesses on ISO-27k, OWASP, NIST, and other standards that can help protect information.

4. The culture in security and business is not to do PR about specific security measures. Make an exception. TJMaxx should use its bully pulpit, deploy, and get the word out about the importance of advanced web application scanning, data encryption, protection against web drive-by downloads, two-factor authentication, wireless security, and open source.

5. Responsible Disclosure. Today, it is almost impossible to alert a business when it has a security flaw. Retailers and other businesses must develop an easy method for “good guy” security people to inform them when a security issue is discovered.

Almost every state has data security laws. The monies that go to the states should be used to better educate managers and decision makers about protecting personally identifiable information, and about the list above.

According to press reports, 40 states are participating in this settlement agreement. Those states are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, and Wisconsin. The District of Columbia is also a party to the settlement.

If TJMaxx is serious about playing a leadership role in data security, we hope to hear from them about what they will do. The Data Security Podcast has reached out to TJMaxx. We have requested an interview for the audio program. We will let you know their response.

Data Security Podcast Episode 58 – June 22 2009

Posted in Breach, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security on June 22, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • The vast majority of malware infected web sites are legitimate sites that have been secretly hijacked. How would you know if your site was on that list?
  • Your GPS can now tell you where red light cameras, photo radar and DUI checkpoints are. Some local governments aren’t happy about this…we’ll talk to the CEO of the firm providing the data.
  • Plus, Apple’s PR department calls us back; find out where information security was on their priority list.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)

This week’s show is 26.5 minutes long

–> Stream, subscribe or download Episode 58 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 58 of the Data Security Podcast

  • Ira has a conversation with Joe Scott, the CEO and Founder of PhantomAlert.com. This service allows you to use your GPS, and the power of social networks, to get early warnings of the locations of photo radar, red light cameras, DUI checkpoints, and more.
  • From The News: Apple calls us back. They don’t want to talk about security; tune in to find out what they wanted to talk about.
  • From The News:  Due to some traveling, we will not have our take on this week’s news. Our analysis segment will return next week.
  • Wrap: New regulations proposed on GPS use in a moving vehicle.

Data Security Podcast Episode 57 – June 15 2009

Posted in Breach, Business Continuity, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities, web server security on June 14, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • Is Al-Qaida getting funding by stealing minutes from business phone systems?
  • $10,000 was paid out to the security researchers that uncovered the flaws in StrongWebMail. Could your email be vulnerable to that same attack? A conversation with StrongWebMail’s top executive.
  • EXCLUSIVE – New proof of concept browser sniffer hack that does NOT use scripting attacks.
  • Plus, our take on this week’s news.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)

This week’s show is 32 minutes long

–> Stream, subscribe or download Episode 57 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 57 of the Data Security Podcast

  • Ira has a conversation with Darren Berkovitz, COO of StrongWebMail.com and Telesign.com, about why he offered $10,000 to anyone who could break into the StrongWebMail system.
  • Tales From The Dark Web: The US Justice Department files indictments against three terror suspects. They are charged with stealing business phone minutes, illegally re-selling those minutes, and using the proceeds to fund Al-Qaida terror activities.
  • From The News: EXCLUSIVE TO THE DATA SECURITY PODCAST, Brendon Boshell, a web developer, has created a unique remote browser sniffer that does NOT use the highly common, and easily blocked, scripting attacks. This is his proof of concept, but his site only explains part of the approach. We explain more in the show.
  • From The News: Hawaii sends a woman to jail for using her medical records access to post an HIV-AIDS patient’s medical information on MySpace.
  • From The News: The Las Vegas Review Journal got a visit from the Feds after publishing this story … with a subpoena demanding the identities of newspaper readers who posted comments.

Data Security Podcast Episode 56 – June 8 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Vulnerabilities, web server security on June 7, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Twitter users are the target of a new, malicious web re-direct. How will The President’s new cybersecurity plan impact you? One of the nation’s top cryptographers weighs in. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s Data Security Podcast

–> Ira has a conversation with Paul Kocher, President and Chief Scientist of Cryptography Research, Inc. about The Obama Administration’s new cybersecurity plans.

–> Tales From The Dark Web: Finjan’s CTO Yuval Ben-Itzhak talks with us about a new web re-direction attack targeting users of Twitter.

–> From The News: Is there a constitutional right to informational privacy? The Ninth Circuit Court suggests there is by issuing an injunction in favor of contract employees at NASA who objected to invasive background investigations. But then the full Court declined to hear the case. So the question won’t be settled any time soon, but it raises some interesting issues.

Judge Kozinsky’s dissent (we should hear the case)

Judge Wardlaw’s concurrence (we shouldn’t hear the case)

A dissection of the privacy issues by legal blogger Eugene Volokh at the Volokh Conspiracy. Don’t scroll — the link will take you to the top of the blog, and then jump to the correct post.

–> The Wrap: Autorun Worm Invades ZIP

Autorun Worm Invaded Zip Files

StrongWebMail Bounty Attack – Caveat Emptor

Posted in Breach, eMail Security, Exclusive, web server security on June 7, 2009 by datasecurityblog

StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account. The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.

IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.

The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.

He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.

He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.

StrongWebMail’s parent company, Telesign, is a provider of phone-focused multi-factor authentication services. The service allows owners of web sites to validate users with a phone call to the end user. That call can contain a validation code for use on the web site, in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.

According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get past validation.

And that may be the chink in the armour that the security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them to “hop over” from one user account to another, including, allegedly, hopping over to Mr. Berkovitz’s account.

If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this is indeed the nature of the bounty attack, then it re-emphasizes the importance of securing the code of web applications. The best multi-factor systems cannot compensate for weaknesses in a web application.

So, if we are on the right track, then this is not a story about the weaknesses of a two-factor authentication system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That even includes web sites that assure customers that “our site is secure,” or sites that carry names, icons, or other technologies associated with information security in general.
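The attack shape described above, as an added illustration (not StrongWebMail's or Telesign's code): a message sent from any self-registered account lands in another user's inbox and is rendered inside that user's already-authenticated session, so the phone validation at login never sees it. The inbox, account names, template and the `foreign_tags` check are all constructed for this example; the hardened renderer escapes every stored field at the point of output.

```python
"""Stored XSS in a web mail inbox, shown beside its hardened form.

Added example, not code from the page or from StrongWebMail/Telesign.
The only thing standing between two accounts here is the rendering code,
because the login-time phone check has already been passed by the victim.
"""
import html
import re

# Constructed inbox as the application would store it: one ordinary message
# and one sent from a self-registered account whose subject carries markup.
INBOX = [
    {"from": "alice@example.invalid", "subject": "Lunch on Friday?"},
    {"from": "newuser@example.invalid",
     "subject": "Invoice <script>alert(1)</script>"},
]

ROW = "<tr><td>{sender}</td><td>{subject}</td></tr>"


def render_inbox_unsafe(inbox):
    """Vulnerable: trusts stored message fields and splices them into HTML."""
    rows = [ROW.format(sender=m["from"], subject=m["subject"]) for m in inbox]
    return "<table>" + "".join(rows) + "</table>"


def render_inbox_safe(inbox):
    """Hardened: every untrusted field is HTML-escaped at the output point."""
    rows = [ROW.format(sender=html.escape(m["from"], quote=True),
                       subject=html.escape(m["subject"], quote=True))
            for m in inbox]
    return "<table>" + "".join(rows) + "</table>"


# Defender-side check on a rendered page (hypothetical helper): the template
# only ever emits table/tr/td, so any other tag, or any inline event handler,
# must have come from message content and is a sign of injected markup.
TEMPLATE_TAGS = {"table", "tr", "td"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def foreign_tags(rendered_html):
    """Return the set of tag names in the output that the template never emits."""
    found = {t.lower() for t in TAG_RE.findall(rendered_html)}
    return found - TEMPLATE_TAGS


def has_injected_markup(rendered_html):
    """True when the rendered page contains tags or handlers not from the template."""
    return bool(foreign_tags(rendered_html)) or bool(HANDLER_RE.search(rendered_html))


if __name__ == "__main__":
    print("unsafe render injects markup:", has_injected_markup(render_inbox_unsafe(INBOX)))
    print("safe render injects markup:  ", has_injected_markup(render_inbox_safe(INBOX)))
```

The escaped output still shows the sender's text verbatim to the reader; it simply can no longer execute in the reader's session, which is the property the login-time phone check cannot provide on its own.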
