Archive for February, 2010

Episodes 114 and 115 – February 27, 2010

Posted in Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Podcast, Show Notes, Vulnerabilities on February 28, 2010 by datasecurityblog

The CyberJungle episode 115 features an interview with Simon Bransfield-Garth, CEO of CellCrypt, on the growing potential for cell phone eavesdropping; also, an interview with information activist John Young, whose website cryptome.org was shut down on orders from Microsoft attorneys after he posted a document the company considers proprietary. Bransfield-Garth’s interview starts approximately 21 minutes into the podcast. Young’s interview can be found approximately 53 minutes into the podcast.

We have posted a separate, unedited version of the Simon Bransfield-Garth interview, as our “su root” edition this week. The su root interview is always longer and more technically sophisticated than the podcast versions, which have been edited for radio. This su root offering is labeled episode 114.

Click Here to Listen to Episode 115. Shownotes below.

The Chuck Norris attack… so named because of references to the action film star in the code…. It’s targeting the D-Link router.

Wyndham Hotels breached for the third time – and the Wyndham Privacy and Security Policy indicates privacy and security might not be a top priority… it also reveals the large number of brand name hospitality establishments owned by Wyndham.

Inventory documents from the Department of Homeland Security show that 985 computers were lost by Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) in fiscal 2008. In addition, the departments lost hundreds of night vision scopes, computer switchers worth $92,000 apiece, and an International Harvester truck. All of this loss was considered by the feds to be within acceptable loss limits.

Eric Schmidt, privacy hypocrite: We’re ordering a T-shirt for Google CEO Eric Schmidt, who famously proclaimed in a recent CNBC interview that “if you have something you don’t want anyone to know, maybe you should be doing it in the first place.” Schmidt apparently had his employees take down a blog from Google Blogspot, in which his mistress made numerous references to him. So fortunate that he runs the company where his privacy was breached. His new motto will be “Privacy for me, but not for thee.” Thanks to Valleywag for this delicious morsel.

Just in case you’ve been living under a rock, parents of high school students in Lower Merion School District are suing after the district activated the cameras in school-issued laptops and spied on the kids while they were at home. The lawsuit slaps the district with violations of all of the following laws:

The Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Stored Communications Act, a section of the Civil Rights Act, the Fourth Amendment of the U.S. Constitution, the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania common law.

Not so fast, says Orin Kerr, law professor at George Washington University, and regular contributor to the Volokh Conspiracy. Kerr’s analysis shows how specific these laws are, and how tough it is to prosecute violations of federal computer protection laws. The only real case against the school district, says Kerr, is a Fourth Amendment case.

New Photos Show ATM Skimmers Are Evolving

Posted in Breach on February 26, 2010 by datasecurityblog

The wave of ATM card skimming attacks continues to grow. On The CyberJungle Saturday Feb 27th episode, we will talk about the newest variations of this growing attack. The photos below are from ATM maker Diebold, via CSOonline.com.

Fake ATM card reader

Another Fake ATM card reader

The genuine ATM card reader: Same unit as the middle photo, but the genuine model adds a green-lighted perimeter as another layer of visual security.

Is The New York Times Sending You Its “Times Reader”?

Posted in darkweb on February 26, 2010 by datasecurityblog

MessageLabs Intelligence is tracking a new targeted attack pretending to be from the New York Times. Beware if you are introduced to a new “helpful application”: the New York “Times Reader” software. Details on Episode 115 of The CyberJungle and on the live program Saturday morning.

NYT Trojan

Beware of this New "Helpful" App

Episodes 113A, 113B, and 112 su root edition: February 21, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, Legislation, Podcast, Show Notes, The CyberJungle, web server security on February 21, 2010 by datasecurityblog

Three episodes, one low price. (Free). We posted the show in three parts this week. Episode 113 A is a 35-minute interview on cell phone tracking, posted separately, so that anyone who wants the cybercrime news can skip straight to Episode 113 B.

The other post is the su root edition for the technically proficient. This week it’s an interview with Ben Jun from Cryptography Research, on developing applications that adapt to sweeping changes in technology. A preview of his RSA presentation. It’s 20 minutes long.

Episode 113 A – cell phone tracking interview

This is an interview segment on the legal and technical issues under review by the federal Third Circuit Court of Appeals regarding tracking of cell phone users. Our guests are Rebecca Gasca of the Nevada ACLU and Dr. Nirmala Shinoy of the Rochester Institute of Technology. This segment is 35 minutes long.

The most informative of the documents is the 2008 court order now being appealed, in which a Western Pennsylvania magistrate denied the government’s request for tracking data without a warrant. It’s 56 pages long, but offers a very comprehensive statutory history of the laws that apply to phone tapping and tracking. Newsweek recaps the issue and covers the appeal. http://www.newsweek.com/id/233916

Episode 113B Cybercrime and Security News

A spike in power grid attacks is predicted in the next 12 months. The Project Grey Goose report claims the number and severity of attacks on the existing grid has been underreported.

Coincidentally, Zeus and its variants are more severe and widespread than previously reported. The attack is not just stealing money from commercial bank accounts. It’s settled into more than two thousand entities and 74 thousand computers, stealing intellectual property, credit card numbers, email and network credentials, and a wide variety of other information. The good news is, it’s finally hitting the mainstream press. It was reported this week in the following publications:

CNET: Zeus on 74k PCs in global botnet. “…Compromises of enterprise networks have reached epidemic levels”

NY Times: Malicious Software Infects Corporate Computers. Attack goes well beyond just bank account info stealing.

Wall St Journal: Broad New Hacking Attack Detected

WaPo: Nearly 2500 companies victim of massive cyberattack

The economics of malware: a new report urges us to look at cybercrime differently. It’s not lone gunmen and geeky teens, it’s an entire economy, with mom and pop shops, street vendors, manufacturers and marketers.

A TV news story suggests banks are using your social networking pages to glean information about your creditworthiness. A company that mines the sites for data and sells it to the banks says nope… the institutions only use it for marketing, not for lending decisions.

A Houston television station launched an investigation of retail credit card practices at the cash register in Sears and K-Mart. Employees at the store accepted credit cards without checking ID or signatures. The reporters made numerous purchases using cards that didn’t belong to them. The stores will “immediately” begin retraining their employees at more than 2,000 combined stores nationwide in techniques for preventing credit card fraud.

Episodes 110 and 111 – February 14, 2010

Posted in Breach, Conference Coverage, Court Cases, darkweb, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities on February 13, 2010 by datasecurityblog

su root edition: Episode 110 is the full-length, unedited version of our interview with Dr. Martin Hellman. It is 26 minutes long.  We discuss Dr. Hellman’s early work on public key encryption, and his new project, applying security risk assessments to measure the threat posed by the nation’s nuclear weapons stockpiles.

Read Dr. Hellman’s latest paper here.

Here are the show notes for Episode 111, the whole show, which also has a version of Dr. Hellman’s interview during the final 10 minutes. Episode 111 is exactly one hour long.

The Zeus banking attacks are multiplying like rabbits, and there are new victims everywhere. Read about a Los Angeles businessman who’s out $50 thousand, and can’t get recourse from his bank. This story illustrates the state of general ignorance that exists about the Zeus attack (which we suspect is the culprit). The bank says its procedures preclude online theft, and the customer says the bank must have crooked employees. The customer has filed a lawsuit, and each party is pointing its finger at the other.

Meanwhile – adding insult to injury – a new variant of Zeus not only steals money out of the accounts… it carries a hidden message that taunts the anti-virus makers.

And another one – New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered

Alert – Zeus Campaign Targeted Government Departments.

What was Google thinking when it launched Google Buzz, pulling Gmail users into the social networking site without their permission, and exposing all the user’s frequent email contacts to public view? It was Google’s attempt to leapfrog Facebook in the social networking arena, creating instant follower and friend lists from people who are already part of the Gmail users’ own social networks. This caused an uproar. After four days of online rage from angry Gmail users and privacy advocates, Google cried uncle, and apologized for forcing their product on the customers.

This was the first story about Google Buzz. There are probably hundreds more that were posted in the next few days.

The TPM (trusted platform module) chip can be hacked. This hack was demonstrated at Black Hat D.C.

Macy’s trash cans full of customers’ personal information. Actually the papers containing the information had been fished out of the dumpster and were being used for a bed by a homeless man.  But don’t worry, Macy’s has started putting lids on the trash bins now.

XP patching problems – some people have experienced total system failure after applying last week’s Microsoft patches. Microsoft reports the problem may have a different source: “root kits” stored on some systems. F-Secure offers a root kit elimination application. It’s called BlackLight and it’s free.

Question: Do I really want someone with an iPhone taking my credit card info?

New law enforcement tool makes fingerprinting obsolete. Arapahoe County, Colorado is using an iris scanner.

Episodes 108 and 109 – February 6, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, Show Notes, Vulnerabilities on February 6, 2010 by datasecurityblog

Show notes from Episode 108

Episode 108 is the su root edition: an interview with Gretchen Hellman of Vormetric, expert in HIPAA and encryption. Gretchen discusses the 2009 “son of HIPAA” passed by Congress, called “HIPAA high tech,” and a Connecticut HIPAA lawsuit against Health Net, involving the loss of thousands of unencrypted records. Read about the lawsuit here.

Shownotes from Episode 109

Google approaches the National Security Agency for help in securing its networks. The National Security Agency says yes. Neither is commenting publicly. NSA will perform a range of tasks for Google that are widely available from private information security companies. Is Google getting IT security on the taxpayer dime? What’s Google offering the NSA in return? Is there more to the Chinese Google attack than we’ve been told? Read the Washington Post report.

Speaking of China… they’ll get around to everyone sooner or later. This week it was the Iowa Gaming and Racing Commission. The Des Moines Register describes the attack, which exposed personal information belonging to 80,000 current and former casino employees, jockeys, horse and greyhound owners, and more. Des Moines Register reports.

Major patch Tuesday for Microsoft.  This batch will include patches for 26 holes in multiple versions of Windows.

News from Black Hat D.C. A researcher points out holes in Cisco’s wiretapping architecture.

Biggest threats to databases come not from SQL injections, but from poor account management.

Law enforcement is pushing for ISPs and other service providers to develop a web interface to make it easier and faster for police investigators seeking customer records. CNET’s Declan McCullagh is on top of it.
