Archive for April, 2010

April 24, 2010 – Episode 131

Posted in Breach, Business Continuity, Court Cases, criminal forensics, ediscovery, eMail Security, Exclusive, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities on April 24, 2010 by datasecurityblog

Interview: Evan Ratliff joins us to discuss his attempt to vanish for a month, with Wired Magazine challenging readers to find him, and a $5,000 reward for anyone who snapped his photo and said the word “fluke.”  An online posse developed, Evan ducked discovery for 25 days, and was caught in New Orleans, a few days shy of his goal.  The interview is about 14 minutes long, and it starts about 57 minutes into Episode 131. You may stream the program here:

You may download Episode 131 here. Or visit the Listening Options page for more ways to hear the program.

Discussion: The texting case that made it to the U.S. Supreme Court. We discuss with ACLU Attorney Lee Rowland Fourth Amendment protections as they apply (or don’t apply — that’s what the court is considering) to text messages, and under what circumstances. Our discussion with Lee is about 20 minutes long, and starts about 22 minutes into Episode 131.

Our Take on This Week’s News

Amazon is fighting off a demand from the North Carolina Department of Revenue (the state tax collectors). The state wants a record of all Amazon purchases made by its residents, and it wants names, so it can collect the sales tax.  Amazon says “privacy violation.”  And remember Amazon’s original business was books, which have a special place in the law when it comes to protecting their owners from government intrusion.

Here’s the story as reported by c|net, and here’s Amazon’s complaint.

Cyberattack on Google Said to Hit Password System.  More has been revealed about the extent of the Aurora attack on Google.  This story was apparently leaked to the New York Times by someone familiar with the investigation.  It suggests huge implications for the security of all Google applications.

Facebook is becoming quite brazen about exposing user profile information. This opinion piece at EFF explains the latest piece of information to be taken out of the user’s control.

Related:  The Facebook “like it” button, coming soon to websites everywhere.

About the most straightforward information-sharing scheme we’ve seen yet:  Blippy mines your email and credit card statements (with  your permission) and posts every purchase you make.  Blippy is the VC flavor of the month, having just received $11 million.  Too bad some credit card numbers belonging to Blippy users turned up when some curious surfers hit Google with search strings containing the words “Blippy.com” and “from card”.  Will Blippy survive?  Probably, even in the face of a less-than-apologetic stance from the company (Co-founded by the infamous Pud, of the infamous FuckedCompany.com site from the “dot-bomb” period.)  Why anyone would want to be part of Blippy, especially now,  is a separate discussion.

Highly-paid SEC lawyers and accountants spent their days surfing porn sites while Bernie Madoff was making off with a whole lotta other people’s money. We ask why, in an entity whose mission revolves around audits and controls, were there no audit trails and controls to call attention to an employee with 16,000 attempts to access porn?  Shouldn’t this have been nipped in the bud before it spiraled out of control?

You probably read about some of the chaos that ensued from McAfee’s latest update.  But this story by a SANS incident handler takes the prize.

Malware mules:  We all know about drug mules and money mules.  But the black market for email credentials is creating some new opportunities.

Episode 129 – April 17, 2010

Posted in Breach, Court Cases, criminal forensics, darkweb, Exclusive News, Legislation, Podcast, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities, web server security on April 17, 2010 by datasecurityblog

Interview Segment:  Physicians, citizen groups, and many states are lining up to sue the federal government over the new individual health insurance mandate.  But there’s a unique case coming out of Mississippi, where an attorney has filed a suit claiming the new health care reform violates the right to medical privacy.  Our interview with Doug Lee starts about 22 minutes into the show, and it’s about 9 minutes long.

The full show can be streamed on the flash player below.

Or download Episode 129 here. Or visit the Listening Options page for more ways to hear the program.

Our take on this week’s news:

News coming out of the Computer-Human Interaction conference meeting in Atlanta this week, where researchers announced their findings about possible security problems with advanced wireless medical devices.

Another example of a big company that offers no means to report security flaws on its website. This is something we’ve complained about for years.  How can you help these people if they won’t help you by offering a communication channel?

High marks for entrepreneurship – these two New York City companies facilitate a match-up, via text or tweet, between people who need a parking space and people who are vacating a parking space. Find a need and fill it. We wish these guys the best, but we sure hope they don’t end up facilitating a rape or robbery in the middle of the night. (I’m a bad guy with a parking space at 3 a.m…. come and get it, little girl.)

Congress passes the “Truth in Caller ID Act of 2010”: Under the bill, it becomes illegal “to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive.”

Security sucks, according to former national cybersecurity advisor Amit Yoran… everywhere he looks… he sees the same cluelessness. Why your information security stinks, and what to do about it.

Federal Agencies Falling Short On OMB’s Federal Desktop Core Configuration Mandate. No agency has fully implemented all the configuration settings on applicable PCs.

Critical Java update:  Oracle issues emergency Java patch to stop zero-day attacks.

Episode 126 and 127 – April 10, 2010

Posted in Breach, Court Cases, criminal forensics, eMail Security, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security on April 11, 2010 by datasecurityblog

Interviews: Peter Schlampp, VP of Marketing and New Products, from Solera Networks, who discussed a new approach to uncovering the source of attacks: network forensics. Stuart Staniford, Chief Scientist from FireEye, who discussed research to help counter the attacks that bypass firewalls and antivirus. And world famous white-hat hacker Charlie Miller talks with us about Apple security, how he won the CanSecWest Pwn2Own contest… and the security implications of Apple’s announcement about location-aware advertising and multitasking on the iPhone OS 4 platform. Dr. Miller is also a researcher at Security Evaluators. The full show can be streamed via the Flash player here:

Download the Episode 127 MP3 file here or visit the Listening Options page for more ways to hear the program.

Episode 126 is the su root version of The CyberJungle. It features only the unedited versions of the three interviews with these three men. Partial versions of the interviews, along with all the other regular content, appear in the full version of the show. Listen via the Flash player here:

Download the Episode 126 MP3 file here or visit the Listening Options page for more ways to hear the program.

Our Take on This Week’s News

Class action suit against Countrywide Financial: Plaintiffs ask $20 million after Countrywide employee stole and sold tens of thousands (or millions?) of customer records.

Another inside job: Bank of America Employee Charged With Planting Malware on ATMs.

German Government Pays Hacker For Stolen Bank Account Data. The government pays cybercriminals for data stolen from banks in tax haven countries, and uses the info to catch tax cheats.

Computer Hacker Sentenced to 37 Months in Prison in Manhattan Federal Court for Scheme to Steal and Launder Money from Brokerage Accounts.  This guy got three years for perpetrating something that sounds like the Zeus attack… in addition to credit card fraud and other counts.  No wonder cybercrime is proliferating.

Phishing Attacks on Taxpayers Rise in the Weeks Leading up to April 15th IRS Tax Filing. SonicWALL offers an online quiz to test your phishing IQ. Ten questions. It’s actually harder than you think, but it’s fun. We recommend you give this quiz to employees, bosses, family… anyone who might benefit from learning the difference between legitimate email and a phishing attack.

Looking for Tiger Woods’ Nike advert could lead users into visiting malicious sites.

Sierra Nevada Infragard announcement:

InfraGard Sierra Nevada April Lunch Event

KEYNOTER: Stuart Staniford, Chief Scientist with security firm FireEye, has a long history in the intrusion detection field, starting in the research arena at UC Davis back in 1994. He was conducting a variety of research projects with government contractor Silicon Defense before joining FireEye.

WHERE: The Washoe County Regional Public Safety Training Center, 5190 Spectrum Blvd. Room 105, in Reno, Nevada.

WHEN: Thursday, April 15, 2010; 11:15am-1PM, includes lunch

DONATION: $10 for InfraGard members with advance purchase before April 13th, 2010;

$15 at the door and for non-members.

To register for the InfraGard lunch event, please follow this link.

If you heard Ira Victor live on The John Sanchez Show (the live program that follows The CyberJungle on KKOH.com), Ira mentioned the web site to report phishing and other scams:

Episode 125 – April 3, 2010

Posted in Breach, Court Cases, darkweb, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on April 3, 2010 by datasecurityblog

Interviews, Episode 125:  Big Batches of Patches! Following huge releases on Patch Tuesday from Microsoft, Apple, Sun/Java, Mozilla Firefox, and Mozilla Thunderbird, we talk with patch management expert Jason Miller. He’s Data and Security Team Manager from Shavlik Technologies. Jason’s interview starts about 22 minutes into the program.

We also talked with Randy Sarafan, the Author of 62 Projects to Make With a Dead Computer.  Fun stuff.  Interview starts about 53 minutes into the show. You can download the file from our XML feed, from iTunes, and other sites. See the Listening Options page, or use the flash player below:

Our Take on This Week’s News

CNN presents a glowing story about the success of airport whole body scanners, which have found drugs and other junk in people’s pockets. The TSA plans to roll out 1000 more of the machines. Meanwhile, the Electronic Privacy Information Center posted this doc, in which the TSA contradicts itself to Congress regarding the ability of the machines to store and transmit images. See item #8, where they claim that the airport scanning machines are not capable of transmitting images, BUT, the images they transmit to remote viewing facilities are encrypted.

A new web service allows businesses to monitor the social networking communications of their employees. Facebook and Twitter users, you should probably just assume that what you post publicly is being monitored by your employer. Employers, you should probably assume that your employees post a lot of stuff that shouldn’t be shared.

Quip app security hole shares private photos. People who used a free service to send naked photos of themselves were exposed. Hey wait a minute… doesn’t the Apple App Store perform extensive reviews before they accept a product?

iPad is coming to the office, and we found some security applications for it. iTeleport: Jaadu VNC is an encrypted remote access app that allows a secure connection between the iPad and a desktop computer. Also, in PC World, Tom Bradly reports another option from Array Networks: “One app that is not yet available, but has significant promise for leveraging the iPad to connect with Microsoft Windows systems is Array Networks Desktop Direct.”

Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts.

Way cool! Open PDF Links Directly In Google Docs Viewer

Whole Foods Scam on Facebook. Free gift cards worth $500 for the first 12,000 users. Uh-huh.

Cleveland Plain Dealer exposes identity of community leader who posts anonymous comments. Starts debate about privacy versus the public’s right to know. We wonder why just anyone at the newspaper can look at the email registry.
