Archive for May, 2010

May 23, 2010 – Episode 139

Posted in Court Cases, criminal forensics, Podcast, Show Notes, The CyberJungle, Vulnerabilities on May 22, 2010 by datasecurityblog

Interview Segment:

Josh Levy, a writer, internet strategist, and the organizer of a project called “pledge to leave facebook.” The interview is 9 minutes long, and it starts about 56 minutes into the show. Episode 139 is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or click on the listening options page for other ways to listen.

To listen to Episode 139 via the flash player:

Our take on this week’s news:

Co-host Ira Victor is out of town.  Lee Rowland from the ACLU of Nevada sits in as guest co-host for a first-hour privacy round-up.  Recent issues include:

The Houston Police Department recently held a secret (no media allowed) event where the invited guests contemplated the use of drone aircraft for domestic law enforcement.  Nonetheless,  one news outlet got wind of it, and stationed its television cameras on the property next door. They caught the launch of the drone on camera.  Cops say they aren’t sure how they’ll use the technology, but aren’t ruling out anything. Watch the whole report.  It’s about four minutes long.

Incoming U.C. Berkeley freshmen are being encouraged to offer a DNA sample. And why were RFID chips implanted in Alzheimer's patients without proper oversight?

TSA continues to roll out the full body scanning machines to airports across the nation.  Passengers don’t seem to be aware that they can opt for a pat-down instead of a virtual strip search.

Tough week for Facebook.  The Wall Street Journal reports the company gave personal info to advertisers. EFF offers insight.

On the heels of a CBS news investigative report about the data left on copy machine hard drives, the FTC is applying pressure to the makers of the machines to educate customers about scrubbing the hard drives.  (Xerox is leading the pack, according to one account.)

The first-ever jail sentence for a HIPAA violation has been imposed. We wonder why this guy was informed he was about to be fired, and then allowed to hang around and access patient records repeatedly.

Todd Davis of LifeLock told the world his social security number as an advertising gimmick, trying to prove a point, of course.  His identity has been successfully stolen 13 times since being “covered” by LifeLock.

Not cool enough for a Mac? Why the Apple Store refused to sell an iPad to a disabled woman. (She wanted to pay cash. Apple’s iPad policy was credit or debit card only.) And why Apple relented, and delivered the device to her home a few days later. (San Francisco television consumer reporter Michael Finney and his news feature “7 on Your Side” shamed them into it.)

May 15, 2010 – Episode 137

Posted in Court Cases, criminal forensics, darkweb, ediscovery, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security on May 15, 2010 by datasecurityblog

Interview Segment – Jason Miller, Data and Security Team Manager for Shavlik Technologies on patch management.  It’s not a sexy topic, but it’s critically important. Jason says patching should be determined by the needs of the business, rather than the importance rating issued by Microsoft or other vendors. The interview is 7 minutes 38 seconds long, and it starts at about 21 minutes into episode 137.

You may listen to Episode 137 via the flash player:

Or go to the listening options page to choose another method of receiving the program.

Our Take on This Week’s News

Privacy: Did Facebook’s Zuckerberg describe early users of his product as  “dumb F**ks” for submitting private information when they signed up?

And Google admits that its Street View cars have been slurping up wireless access point information. There’s a lot of anger over this, and we’re predicting an advertiser backlash against the privacy violators.

As if Goldman Sachs doesn’t have enough problems… Now the company is being sued for intellectual property theft.

Nine former employees of an education agency in Iowa were indicted for sneaking a peek at Presidential candidate Barack Obama’s student loan records.

A new twist on a familiar theme.  A big company with a security flaw on its website;  a security expert discovers it and tries to report it, but the company ignores him or pats him on the head and tells him to go away.  This happens with surprising regularity. In this case, Smackdown blogger Michael VanDeMer writes about a spate of hacks to blogs hosted by GoDaddy.

Web security firm Dasient reports: “In Q1 2010, we estimate that over 720,000 web sites were infected.”

Twitter links are safer than Google links.

Critical zero-day flaw found in Apple’s Safari browser.

FAQ: How to delete the Apple Safari browser (and other applications) in Windows XP, and in Windows 7.

Browser alternatives to Safari on iPhone: Opera Mobile (versions also available for BlackBerry). Ira also likes Bolt Browser for BlackBerry.

Flashback: Remember Mikeyy the (self-proclaimed) teenaged Twitter Hacker?

May 8, 2010 – Episode 135

Posted in Breach, criminal forensics, ediscovery, The CyberJungle, Vulnerabilities, web server security on May 9, 2010 by datasecurityblog

Interview segment

If your company accepts credit cards, listen to our featured interview with Richard Moulds from security firm Thales.  He and Ira discuss the upcoming revision of Payment Card Industry standards. (Standards are set  by the PCI Security Standards Council).  Thales sponsored a survey of PCI auditors, to discover where they believe the weak spots are, and where improvements should be made. The interview is 11 minutes long, and it starts 56 minutes into Episode 135.

You may listen to Episode 135 via the flash player:

You may download the MP3 file here; or go to the listening options page for other ways to hear the program.

Our Take on This Week’s News

FedGov wants to snoop into your financial transactions: As most major news organizations have reported, there are potential privacy hazards for consumers and merchants lurking in the federal financial reform bill.  Republicans objected last week to the creation of two agencies that would be empowered to scrutinize purchases made on credit. We’re thankful the subject was raised, but we note that the Republicans very likely were using consumer privacy as a bargaining chip to get other changes in the bill that they consider truly important.  Let’s not be lulled into believing that citizen privacy is not a priority for any legislator when there are other issues on the table. Sure enough, this article, published a day and a half later, bears out our assertion.  It’s a three-page report indicating that Republican objections had been trounced.  In three pages of reporting, not a mention of the privacy concerns, so it’s clear that other matters dominated the discussion, and any concerns over privacy must have evaporated in the backroom discussions.

BTW –  those two snooping “consumer protection” agencies would be located within the Federal Reserve and the U.S. Department of Treasury.  Well, it seems that Treasury is having some data security problems right now.  PandaLabs has located easy-as-pie hacker kits with targets that include the U.S. Treasury.

Computer glitches hamper census: Remember how much money and effort was spent persuading you to return your census form? Now the GAO reports fairly significant problems with the computer system that was specially designed for processing the paper responses. For the moment, they’re reporting major cost overruns — AND — that a lot of the paper responses might not be counted anyway. Why is this in our data security beat? Because information security has three pillars: Confidentiality, Integrity, and Availability. We can rule out data integrity here, because the census data most likely won’t be accurate. Rule out confidentiality, because, as Congress has now been informed, stacks of paper responses are piled up in offices waiting to be entered into the system. And we should probably rule out availability too, unless the many agencies making use of census data want to trudge over to the Commerce Department and analyze it by hand.

You may have seen this by now:  Hats off to CBS news for their coverage of the copy machine hard drives left unscrubbed when the machines are discarded by business.  Chilling.  Few mainstream news organizations are doing good coverage of these issues, and we hope this CBS reporter wins an award for his excellent work.

The FBI is having some challenges with forensic investigations on smart phones and game consoles. Read why they need to get info from these devices.

WiFi cracking kits make it easier than ever for wireless networks to be hacked.

This Tuesday is Patch Tuesday. Microsoft is offering a webinar to answer customer questions about patching. Kudos for this public outreach. But why was Microsoft silent last month, when it issued these patches?

Did fedgov use drones to track the Times Square bomber?  This story has not been reported anywhere else, but the source seems credible.  Leaving us to wonder about the Obama administration’s public preference for giving suspected terrorists constitutional rights.  A terrorist is either a criminal suspect or a combatant.  Not both.  If there is a behind-the-scenes use of military signal intelligence to track criminals, then they are not criminals, they are combatants. Or are they? Let’s decide and stick with one course.

Caller Kevin wanted to know how to diagnose mysterious CPU spikes on his system. Is there a security issue here? Ira promised to look up a free utility that can help. Long ago, when The CyberJungle was still the Data Security Podcast, we reported on MimarSinan’s Rubber Ducky System Monitor. Jim Murray, the creator of this utility, talked with us about how he came up with the software after his wife’s computer system came under attack.

Lovers of Apple can become lovers:  A new dating site for fans of Apple products.  God bless entrepreneurs everywhere.

May 1, 2010 – Episode 133

Posted in Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive News, Show Notes, The CyberJungle, Vulnerabilities on May 1, 2010 by datasecurityblog

Interview segment:

John Pironti, President of IP Architects, LLC, talks with us about risk management for businesses. Ira met John at the Interop Business Technology Conference in Las Vegas, where John presented a session on developing an information risk management and security strategy. The interview is 12 minutes long, and it starts about 22 minutes into Episode 133. The standalone interview is also posted on our conference notes page.

You may listen to Episode 133 via the flash player:

You may download the MP3 file here; or go to the listening options page for other ways to hear the program.

Our take on this week’s news

Former City of San Francisco network engineer convicted of computer tampering for locking city officials out of the network when he got wind of impending layoffs.

Microsoft issues work-around, advice for SharePoint zero-day attack.

Sarah Palin’s email hacker convicted. The following account is from WBIR in Knoxville, TN. Ira has his own detailed version, as he kept close track of the initial events that led to David Kernell’s arrest. Ira’s account starts about 45 minutes into episode 133.

A federal jury found former UT student David Kernell guilty of obstruction of justice and unauthorized access in the breach of Sarah Palin’s e-mail. It happened in September 2008, when Palin was running for U.S. Vice President. The obstruction of justice conviction makes Kernell a felon. David Kernell tried to cover up his actions by erasing the hard drive of the computer he used in the crimes. The case is a mistrial on count one, the charge of identity theft. The jury found Kernell not guilty on count 2, the charge of wire fraud. Unauthorized access is a misdemeanor lesser included charge from count three, which accused Kernell of felony unlawful computer access. The jury found Kernell guilty of obstruction of justice. That carries a maximum sentence of 20 years in prison, with a fine up to $250,000.

Report from the Interop Business Technology Conference in Las Vegas

Hot Topics at Interop 2010 Las Vegas: Cloud Computing, Virtualization, IT Security and Risk Management, VoIP and Unified Communications, Mobile Business Communications.  Ira discusses the conference, starting about 11 minutes into episode 133.

Ira spoke with Michael Saitow, CIO of liquor distributor MS Walker, and Philippe Winthrop, Managing Director of The Enterprise Mobility Foundation; both were panelists on a mobile communications and policy seminar at Interop.

Money laundering operation shut down, as an entrepreneur is indicted: ACH transactions used to move money for internet gambling operations.

Another indictment: conspirator in hospital scheme to sell trauma patient medical records to personal injury attorneys.

Credit unions lose almost $2 million to an IT contractor who had unlimited remote access to their networks.
