Archive for August, 2009

Data Security Podcast Episode 68, Sep 01 2009

Posted in Breach, darkweb, Legislation, Podcast, Vulnerabilities, web server security, Zero Day Project on August 30, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* New attacks against business bank accounts…. an earth-shaking recommendation from the banking industry.

* Hackers say they are gearing up for winter attacks – according to a survey of hackers at DefCon 2009.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 68 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 68 of the Data Security Podcast

* Ira talks with Michael Hamel, Chief Security Architect with Tufin Technologies, about the survey of hackers he crafted for DefCon 2009. We cover: Hackers Take a Break This Summer Before Winter Hacking Spike, and, importantly, counter-measures to get prepared.

* Tales From The Dark Web: New attacks against business bank accounts…. an earth-shaking recommendation from the banking industry.

* From the News:   WPA WiFi encryption can now be cracked in one minute, according to new research.  Terms in the story:

WPA:  Wi-Fi Protected Access

WPA-TKIP: WPA with Temporal Key Integrity Protocol for encryption

WPA-AES:  WPA with Advanced Encryption Standard for encryption

WPA2:  Second Generation WPA encryption

WEP:  Wired Equivalent Privacy

Take-Away: WPA-TKIP and WEP are bad, um-kay? WPA-AES and WPA2 are good, um-kay?

* From the News: Federal Web Site Collects Data on Stimulus. We report: Who’s minding the security of the data?

* From the News:  Stealth-Laptop Bag

Stealth Laptop Case

Wrap Up Story:    Is Federal InfoSec License Key To ‘Net Control?

Cybersecurity Act: Is Federal InfoSec License Key To ‘Net Control?

Posted in Uncategorized on August 28, 2009 by datasecurityblog

The Internet is abuzz today with the reports by Declan McCullagh that the newest version of The Cybersecurity Act of 2009 has been getting some edits by Senator Jay Rockefeller (D-WV). Although the full edits have not been released, the reports so far continue to describe how this bill, if passed, could result in sweeping changes in how IT professionals do their jobs.

The provision would require the licensing of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision, like many provisions in this bill, are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to take control. Some have wondered if this is a way to enforce a cyber state of emergency: order licensed professionals to turn over controls to the Feds when an emergency is declared.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all of the following to be critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals whether they are qualified to do their job, and how to do it. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

The movement to pass laws regulating IT security professionals at the state level has succeeded in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy select commercial software packages and be certified by their vendors. That bill passed a State Senate committee and was stopped only by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In Data Security Podcast Episode 48, we talked with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill offers no specifics of where its powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline in the event of an undefined cyber threat.

Earlier this year, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What about this bill did Rod Beckström know, and when did he know it? As we reported on the Podcast a few weeks ago, Melissa E. Hathaway, the White House’s Senior Cybersecurity Official, also resigned.

Data Security Podcast Episode 67, Aug 24 2009

Posted in Announcements, Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities, web server security on August 24, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* The security lessons from Heartland data breach – what the newscasters didn’t tell you. Details on our Tales from The Dark Web segment.

* What if you discovered a web security flaw and their customer service staff ignored your alerts? An exciting announcement about a project to address this problem.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 67 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 67 of the Data Security Podcast

* EXCLUSIVE: Ira talks with Russ McRee of HolisticInfoSec.org about major security issues. This conversation includes the announcement of a new project, ReportSecurityFlaws.com.

* Tales From The Dark Web: What the other newscasters didn’t talk about with the news of an indictment of the Heartland / TJMaxx / 7-11 attacker, Albert Gonzalez.

* From the News: Web app attacks lead to possible breach of Law Enforcement data

* From the News: SQL Injection Demystified – A look at the attack and how to protect your applications from it

* From the News:  Report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack

* From the News:  Cyber-Ambulance Chasing (Can’t we think of another way to accomplish this?)

Unspam Technologies filed a “John Doe” lawsuit in federal court against cybercriminals who have been targeting banks. The unfortunate bank customers are now caught between the devil and the deep blue sea. Unspam’s suit seeks confidential account information from the financial institutions, as part of its strategy to track down the hackers.

Here’s the money quote from the coverage in the New York Times:  Even though Unspam’s lawyer “concedes he is unlikely ever to discover the names of the hackers… he hopes to get the details of the thefts, the names of victims and other information from the banks that can be used to improve security and possibly identify the hackers.”

We’re not sure we like this strategy. Who’s next? Shall we force insurance companies to cough up individual medical records in order to prosecute hospital ID theft?

Read the story by Saul Hansell in the New York Times.

* Wrap: Vanishing eMail

REPORT: SQL Injection Attacks #1 Web Drive-by Hazard

Posted in Announcements, Vulnerabilities, web server security on August 17, 2009 by datasecurityblog

Web application security company Breach Security announced today that SQL Injection attacks remain the number one web attack vector, accounting for nearly one-fifth of all security breaches (19%).

Attack vectors exploiting Web 2.0 features such as user-contributed content were also commonly employed: authentication abuse was the second most active attack vector (11%), and Cross Site Request Forgery (CSRF) rose to number five with 5% of the reported attacks.

The data released today was part of the Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report. Breach Security contributes to the project. The WHID project compiles and analyzes application-related security incidents, focusing exclusively on publicly reported web application security attacks that have an identified outcome. The WHID 2009 Bi-Annual report analyzed global security incidents that occurred from January 1 through July 31, 2009. The report shows a 30 percent increase in overall web attacks compared to the same period in 2008.

The report also shows that planting of malware and standard overt changes on web sites remain the most common outcome of web attacks (28%), while leakage of sensitive information is a close second, at 26%.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. The WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack.

Data Security Podcast Episode 66, Aug 17 2009

Posted in Breach, Court Cases, darkweb, eMail Security, Legislation, Podcast, Vulnerabilities, web server security on August 16, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* Like stealing candy from a baby….is Adobe making it that easy for attackers to get into computers?

* The Clampi Trojan is cleaning out bank accounts, and AV usually doesn’t see it.

* Researcher says that Palm is acting like Big Brother, tracking its users.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 66 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 66 of the Data Security Podcast

* Conversation: Ira talks with Joe Stewart, Technical Director of Malware Research at SecureWorks, about the Clampi/Ligats/Ilomo Trojan. AV usually won’t see it, and it targets bank account log-ins, insurance log-ins, and other log-ins that allow attackers to steal.

* Tales From The Dark Web: Security researchers at Trusteer are claiming that attacks in the wild targeting unpatched Adobe Flash and Adobe PDF Reader are appearing. And Adobe is making the problem worse. Read the report, and then see what happens when you check the patch level of a system using Adobe’s own Flash version checker. This attack impacts Windows, Mac, Linux and Solaris users.

* From the News: Sheriff’s Office explains why it took over county computers

* From the News: Fake Search Engines for Twitter, from Karthik at BlogrPro.

* From the News:  Joey Hess wrote a blog posting where he reveals that Palm is acting like Big Brother to PalmPre users.  Deter Bahn wrote a related posting with more information.

* From the News: Mac OS Trojan. Read the posting, and blacklist the .com domain names that are listed here.

Mac Trojan called "Mac Cinema" - Looks Legit, Doesn't It? Well, it's not.

Data Security Podcast Episode 65 – Aug 9 2009

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, eMail Security, Exclusive, Legislation, Podcast, Vulnerabilities, web server security on August 9, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* More DefCon17 Coverage: How safe are Cloud Computing applications?

* Melissa Hathaway is leaving her White House job as top cyber security official; why is the mainstream press not spending time on this story?

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 65 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 64 of the Data Security Podcast

* Tales From The Dark Web: Ira and Samantha talk with the team from Sensepost about Cloud Computing Security

* From the News: The site we mention that was able to successfully repel the attacks last week against Twitter/Facebook/LiveJournal: Fotik

* From the News: A 20-year-old man attacks the communication system of the Chicago Transit Authority, and the Chicago Loop. And here’s the announcement about the federal homeland security grant to CTA for bomb-sniffing dogs and other physical security measures. Wow… think transportation officials might have their eye on the wrong ball?

The Chicago Loop

Data Security Podcast Episode 64 – Aug 4 2009

Posted in Breach, Conference Coverage, darkweb, eMail Security, Exclusive, Podcast, Vulnerabilities, web server security on August 4, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

SPECIAL DEFCON17 Coverage From Las Vegas

* Is YOUR tax return sitting out there on the Internet? Maybe not yours, but Larry Pesce tells us about the tax returns — and the other stuff he found without much effort.

* Breaching the new “personal WiFi” hot spots, is it child’s play? We’ll find out…. On a special Tales From The Dark Web segment … with David Maynor from Errata Security.

* Our take on the DefCon news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 64 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 64 of the Data Security Podcast

* Conversation: Ira talks with Larry Pesce, of PaulDotCom, about the downright scary information he easily found while sifting through a file sharing network.

* Tales From The Dark Web:  Ira talks with David Maynor of Errata Security about the security threats associated with personal WiFi devices.  The photo below is of David:

David Maynor holding the Clear personal WiFi device (left) and the Verizon/MiFi personal Wifi device (right)

* From the News:  SSL Certificates Trust attack;  Mike Sussman from Intrepidusgroup.com.

* From the News: Cross Site Request Forgery attacks; Mike Bailey from skeptikal.org.

* From the News: Justin Samuel from the RequestPolicy.com Firefox plug-in team.

* From the News: Tony Flick from Fyrmassociates.com on the electric smart grid security threats.

* Wrap: DIFRWear.com RFID protection products

Michael Aiello, CEO of DIFRWear RFID Protection

* Wrap: BumpMyLock.com, locks, lock penetration testing supplies, and how to bump open a lock:

BumpMyLock Booth at DefCon17

PLUS:

In the Lockpicking Village, Selestius tries to pick her way out of a set of handcuffs. Although the photo is blurry, there is a very slim, long, lockpick in Selestius’ right hand:

Lockpicking handcuffs

Hacking Session Floor Space

Some sessions got so crowded, there was nowhere to sit. Sometimes the side aisle standing room would fill up. Due to fire rules, sitting on the floor of the center aisle was a hazard. Faced with not getting to see a hot session, Thomas from LA thought of an original floor hack: He bought a small, $10 folding camping chair. He pulled it next to a hotel chair, and got a seat in the center aisle of every crowded session! Thomas tells the Data Security Podcast that the “Goons” (DefCon staff) appreciated his innovative approach to crowded sessions.

Hacking Floor Space
