Archive for January, 2010

Episodes 106 and 107 - January 31, 2010

Posted in criminal forensics, darkweb, Show Notes, Vulnerabilities on January 31, 2010 by datasecurityblog

After some experiments with posting our new radio show, we return to our classic podcast sound. If you were a fan of the Data Security Podcast, you will recognize the familiar sound in The CyberJungle from now on. Thanks for enduring the experimental phase. We tried to edit out portions where the radio station played popular music under our voices. Legally necessary, but we acknowledge that the result was choppy. Certain required live-radio elements also made the podcast versions longer than they needed to be.

If you want the full radio show, radio station KOH can legally post it, and they retain the full radio versions of The CyberJungle. And of course, you can listen live on Saturday mornings. If you’re interested in a shorter show with just the meat and potatoes, get it here on our website.

On with the show notes:

Episode 106 is The CyberJungle’s ‘su root’ interview for the technically advanced listener: Mandiant’s Rob Lee on the APT, the advanced persistent threat. Attacks used to be short-term and removable. Now they burrow in for months or years, for the purpose of ongoing theft. Episode 106 is the 30-minute, unedited version. The short version of the interview can be heard in Episode 107, starting roughly 40 minutes into the show.

Mandiant allows you to download a copy of Rob Lee’s report here.

In Episode 107 we discuss the week’s top story: “In Digital Combat, U.S. Finds No Easy Deterrent”

A conference-room war game featuring sophisticated cyberattacks left top military officials perplexed. This article discusses the apparent head-scratching in the Pentagon over how to respond to digital threats to national security. The problem, at least in part, seems to be that the U.S. government is still using the language of conventional war. Two things are troubling. First, a gee-whiz quality to this piece suggests that this is the first time the U.S. military is considering these challenges. It certainly is not, but the portrayal of top military brass as stuck in low gear on this issue is unsettling at best. Second, it muses about an attack on the grid, OR the banking system, OR the emergency communication system. It doesn’t venture any possibility of a “digital Pearl Harbor” featuring these events simultaneously.

We also talked with Peter Eckersley of EFF. He’s heading up a project that measures your computer’s unique configuration and calculates whether you’re easy to track (even when you shut off cookies and do the other “prudent” things that should prevent tracking, but don’t). EFF is seeking participants in this analysis. You can get a uniqueness rating and participate in the experiment. And no, they will not use your computer’s fingerprint for any other purpose.

Our conversation with Peter Eckersley starts about 15 minutes into Episode 107.
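The "uniqueness rating" idea behind the EFF project, as an added example that is not the project's code: each browser attribute carries some identifying information, measured as surprisal in bits (log2 of how many browsers in the sample share a value), and the full fingerprint is rated "one in N". The attribute set and the browser records are constructed for the example; the run also shows why shutting off cookies does not help, since it simply makes the visitor rarer.

```python
import math
from collections import Counter

# Attributes of the kind EFF's Panopticlick combined into a fingerprint (an
# assumed subset; the real project also used fonts, plugin versions, etc.).
ATTRIBUTES = ("user_agent", "screen", "timezone", "plugins", "cookies_enabled")

def browser(ua, screen, tz, plugins, cookies=True):
    """One constructed browser record."""
    return {"user_agent": ua, "screen": screen, "timezone": tz,
            "plugins": plugins, "cookies_enabled": cookies}

# Constructed sample of browsers previously seen by a hypothetical test site.
SEEN = [
    browser("Firefox/3.5 Win", "1280x800x24", "-480", "Flash 10;Java 6"),
    browser("Firefox/3.5 Win", "1280x800x24", "-480", "Flash 10;Java 6"),
    browser("Firefox/3.5 Win", "1280x800x24", "-480", "Flash 10;Java 6"),
    browser("MSIE 8.0 Win", "1024x768x32", "-480", "Flash 10"),
    browser("MSIE 8.0 Win", "1024x768x32", "-480", "Flash 10"),
    browser("Firefox/3.5 Mac", "1440x900x24", "-480", "Flash 10;QuickTime"),
    browser("Chrome/4.0 Win", "1280x800x24", "-300", "Flash 10;Java 6"),
    browser("Firefox/3.5 Win", "1280x800x24", "-480", "Flash 10;Java 6", False),
]

def fingerprint(b):
    """The tuple of values a fingerprinting site compares."""
    return tuple(b[a] for a in ATTRIBUTES)

def surprisal_bits(matches, total):
    """Identifying information (bits) in a value shared by `matches` of `total`."""
    return math.log2(total / matches)

def uniqueness_report(visitor, seen):
    """Rate a visitor the way the EFF site does: the visitor joins the sample,
    then we count how many browsers in it share the visitor's fingerprint."""
    sample = list(seen) + [visitor]
    total = len(sample)
    matches = Counter(fingerprint(b) for b in sample)[fingerprint(visitor)]
    per_attribute = {a: surprisal_bits(sum(b[a] == visitor[a] for b in sample), total)
                     for a in ATTRIBUTES}
    return {"unique": matches == 1,
            "one_in": total / matches,           # "one in N browsers share this"
            "bits": surprisal_bits(matches, total),
            "per_attribute": per_attribute}

if __name__ == "__main__":
    common = browser("Firefox/3.5 Win", "1280x800x24", "-480", "Flash 10;Java 6")
    # Turning cookies off, the "prudent" step, makes this visitor rarer, not safer.
    for name, v in (("common", common), ("no cookies", dict(common, cookies_enabled=False))):
        r = uniqueness_report(v, SEEN)
        print(f"{name}: one in {r['one_in']:.2f}, {r['bits']:.2f} bits, unique={r['unique']}")
```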

Speaking of tracking: the Google Toolbar appears to be spying on you even after you disable it, no matter what Google says. Read Ben Edelman’s account of his own exploration of this matter. Ben says he followed Google’s instructions and found he was still being scrutinized.

More news from the week:

International survey: IT security managers see disaster looming. The takeaway from this 40-page report, Critical Infrastructure in the Age of Cyber War: top management just doesn’t get it.

70 percent of major companies are considering iPhone adoption: “A New Era For Corporate Culture: iPhone Use Doubles in the Enterprise.” Ira would rewrite this headline: “Likelihood of secure business communication cut in half.”

Latest email scams tap into widespread interest in current events, like the one that tells colleagues “I just wrote an article about the Chinese cyberattack. Hope you like it. Click here.” The attached PDF file is the Chinese cyberattack. See this example, from an earnest researcher at George Washington University, at F-Secure.

More email scams: we tried to deliver a package but you weren’t home, click here for info. The bad guys are using physical addresses to discover email addresses.

Affluent individuals who live ‘the good life’ are 43 percent more likely to be victims, according to a survey of ID theft victims who were hit based on activity profiling.

News Outlet Reports “Hacking” and Makes Itself a Target for More “Hacking”

Posted in The CyberJungle on January 30, 2010 by datasecurityblog

The web sites of nearly 50 Members of Congress were defaced just prior to Obama’s State of the Union address.

The Hotline political site (part of The National Journal) covered the story and included the screen shot below showing the web defacement. It appears that the computer used by The Hotline for this story is itself open to exploit. Note the icons on the lower right of the screen shot below: the system is not properly patched.

Screen Shot of Defacement Reveals Something More...

Read the original story at The Hotline

Show Notes: The CyberJungle Episodes 105 and 104 - Jan 23, 2010

Posted in Program Preview, The CyberJungle, Vulnerabilities on January 22, 2010 by datasecurityblog

This week’s features:

Interview with Joe Grand, electrical engineer, hardware hacker and proprietor of Grand Idea Studio. Ira and Joe discuss hardware hacking: hobbyists, researchers, and innovators are modifying electronic devices in greater numbers.

The 23-minute interview (too long for radio) is posted by itself as Episode 104. A partial version of the interview is contained in the show, Episode 105 of The CyberJungle.

Hardware Hacking Extra: cell phone as vehicle starter. We got quite a few comments about this. Visit “Dave Hacks: Well, not really hack, but I definitely ‘modify’ things.”

http://davehacks.troublem8ker.com/wordpress/?p=4

AND — You probably didn’t know this, but Thursday, January 28 is International Data Privacy Day. Does the market reward businesses that protect customer privacy? There must be some reward, because there’s a growing field of certified privacy professionals, and their organization has thousands of members.

PLUS — Our take on this week’s news:

A new generation of card skimmers. Photos below.

Source: Krebsonsecurity.com and Mikko Hypponen:

Could you detect the ATM card skimmer here?

Pin-hole camera to capture PIN numbers

Indonesian Police Intensifying Efforts To Investigate ATM Scams http://ow.ly/16p52r

Data hung out to dry as 4,500 USBs are left in Dry Cleaners  http://www.credant.com/news-a-events/press-releases/376-dry-cleaners.html

Microsoft Patches IE, Admits it Knew of Bug Last August: As Microsoft patched the Internet Explorer zero-day … http://bit.ly/8p2JnG

Emergency IE patch goes live as exploits proliferate: Hundreds of sites locked and loaded  http://www.theregister.co.uk/2010/01/21/ie_emergency_patch_released/

80% of gov’t Web sites miss DNS security deadline  http://www.computerworld.com/s/article/9147018/80_of_gov_t_Web_sites_miss_DNS_security_deadline

Microsoft confirms 17-year-old Windows bug  http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug

Poisoned PDF pill used to attack US military contractors  http://www.f-secure.com/weblog/archives/00001859.html

NTSB recommends camera surveillance in train locomotives after investigating a crash that killed 25. The engineer was texting and using his cell phone at the time of the crash. The union representing train engineers has objected to the recommendation on privacy grounds. Salient fact in the story: the texting engineer had 5 reprimands in his personnel file, issued over a two-and-a-half-year period. Now the feds should install cameras to watch ALL engineers (including the ones who follow the rules) just because railroad management failed to fire the loose cannon in their ranks?

http://www.ble.org/pr/news/headline.asp?id=29037

And Microsoft pushes Congress for a cloud computing law.

http://thehill.com/blogs/hillicon-valley/technology/77155-microsoft-pushes-cloud-computing-act

Nevada InfraGard Event – Presentation Notes

Posted in Conference Coverage, Vulnerabilities, Zero Day Project on January 21, 2010 by datasecurityblog

Ira Victor was a speaker on Threats and Countermeasures at the Sierra Nevada InfraGard event held on January 21st in Reno, Nevada. Here are the notes and links from that talk:

* “Aurora Zero-Day” out-of-band emergency patch scheduled for release today by MSFT.

* New MSFT Windows kernel zero-day vulnerability: the 16-bit support hazard impacts many current Windows users. Tip: Win7 64-bit (the most common version of Win7) is not impacted.

* Security Update Available for Shockwave Player (Win and Mac)

* Alternatives to Adobe PDF Reader and Adobe Acrobat:

Reviews of four alternatives to Adobe PDF

More alternatives: For Windows users, CutePDF has free readers and writers

More alternatives: For Linux users, Xpdf is an open source viewer for Portable Document Format (PDF) files.

Show Notes: The CyberJungle Episodes 103 and 102 - Jan 12, 2010

Posted in Breach, Court Cases, criminal forensics, Exclusive News, Podcast, Show Notes, The CyberJungle, Vulnerabilities, Zero Day Project on January 16, 2010 by datasecurityblog

Two episodes this week: Episode 103 is a podcast version of the live radio program.

Episode 102 is our ‘su root’ podcast, in-depth technical interviews for the more advanced listener.

Overview of this week’s program.  More detailed notes and links provided below under “show notes.”

* Episode 103 (the broadcast), Breaking News: Do airport checkpoint whole-body scanners have logging and auditing to enforce security and privacy policies? We’re not sure after talking with a representative of one of the companies that makes the machines. It seems the TSA may not have included an audit function in its specifications. And, our guest tells us what happened to the “puffer machine” that would have detected the underwear bomber’s chemical payload on Christmas Day.

We also talked with an attorney from EPIC, the organization that sought and won the TSA specification documents revealing that body scanning machines are indeed capable of retaining and transmitting the naked images of the passengers they scan. This is NOT what TSA told the American public.

* Episode 102 (the su root interviews; requires above-average technology background). Click fraud is running rampant, ripping off internet advertisers. A new, more serious attack not only steals credit for click-through purchases, but hijacks the end user’s computer. This is a must-listen for marketing, security, and legal personnel. Discussion on the live show, with the full interview online.

* Episode 102 (the su root interviews; requires above-average technology background). A new user credential: your cell phone calls you for a voice print, and then lets you into your email or bank account, or authorizes credit card purchases or VPN remote access. Great idea? We have an exclusive audio interview with the co-founder of the company.

–> Listen to This Week’s Show through our Main Site

Show Notes for Episode 103 of the CyberJungle

* Zero-day flaw in some versions of the Microsoft Internet Explorer (MSIE) web browser. Microsoft’s TechNet site has posted detailed information about the flaw. If you have not checked your MSIE browser version, do it now. Launch MSIE, find the Help icon (usually the far-right menu/icon, depending on the version of MSIE you are running), and select About Internet Explorer. If you are not running MSIE version 8, you need to update your browser. Read more here. Update your browser to MSIE 8 here.

* People around the world are searching the web for the latest updates on the Haiti earthquake. Members of the Dark Web use major events like this to spread their malicious code. Read more on this attack at the Websense Security site. Ira mentioned the Google Trends site, which tracks hot topics on the Web.

* Samantha had a conversation with Ginger McCall, Esq., with the Electronic Privacy Information Center (EPIC). They talked about the DHS airport body scanners, and a Freedom of Information lawsuit by EPIC. Read more at this EPIC-sponsored site.

* Samantha and Ira had a conversation with Brook Miller, VP with Smiths Detection, the makers of “the puffer” machine and the whole-body scanners.

* Samantha had a conversation with Dr. Kerry Nemovicher, Ph.D. about “The Human Firewall” event by InfraGard. This event takes place on Thursday, Jan 21st at Boomtown Casino in Reno, Nevada. This lunch event runs from 11:15 a.m. to 1:15 p.m. $15 donation when you reserve your ticket by Monday at 9:00 a.m., $20 at the door.

Show Notes for Episode 102 of The CyberJungle, an ‘su root’ program, in-depth technical interviews and analysis

* Ira has a conversation with Dr. Ben Edelman of the Harvard Business School about a new type of online advertising “click fraud” that takes over customers’ computers. Read more on Dr. Edelman’s site. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

* Ira has a conversation with Steven Dispensa, CTO and co-founder of PhoneTrust, about voice print authentication. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

The CyberJungle Episode 101 – Jan 10 2010

Posted in Announcements, Breach, Court Cases, darkweb, eMail Security, Legislation, Podcast, The CyberJungle, Vulnerabilities, web server security on January 10, 2010 by datasecurityblog

Security, Your Privacy, and The Law

On this week’s program:

* Houston DA Tweets the names of people arrested for DUI

* WiFi for passive aggressives

* You won’t believe the password to launch nuclear war

–> Stream This Week’s Show with our Built-In Flash Player (for higher security, stream through FeedBurner, using the hyperlink below):

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 101: use FeedBurner to listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display in chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • DeviceLock: software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.
  • SonicWall: get the super-fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • Award-winning Sunbelt Network Security Inspector, a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive.

Show Notes for Episode 101 of the CyberJungle

* Conversation: Ira and Samantha interview Houston civil rights attorney Randall Kallinen about the Houston Texas-area DA Tweeting the names of those arrested for DUI.

* How Google collects information

* Google Near Me Now application

* Digital piracy hits the book industry

* Mind-reading at the airports

* WiFi for passive aggressives

* Nuclear launch passcodes

* Ransomware – buy back your own files?

* One in ten botnets are engaged in the Zeus attack

* IronKey CEO speaks about the USB crypto flaw

* FTC says FCC needs to consider the dangers of cloud computing

The CyberJungle LIVE Call-In Talk Show Launches – Sat 10am-Noon PT

Posted in Announcements, The CyberJungle on January 8, 2010 by datasecurityblog

The Data Security Podcast will go LIVE this week as the nation’s first call-in talk show on security, privacy and the law. You can listen on a web stream or terrestrial radio every Saturday, starting this Saturday, Jan 9th, from 10 a.m. until noon Pacific Time. Be sure to tune into the web stream of KKOH-780am; here is a link to their site, then click on the ‘Listen Live’ link in the upper right-hand corner.

We are changing the name of the show to The CyberJungle. We will keep this site active, and we will keep the current iTunes site active for a while, as we transition to the new name and site. We will continue to post our interviews with security experts. The material that’s too technical for the radio will be posted here.

We want to thank all of you for the support and feedback for the last 18 months. We are grateful that you chose to spend your time with us. Our sponsors have also been very good to us. If you enjoy the show, please try their products, and please let them know you heard about them from us.

A big thanks also to the management of KOH Radio. They “get it,” and we salute them for understanding that the time is right for this show.
