May 8, 2010 – Episode 135

Interview segment

If your company accepts credit cards, listen to our featured interview with Richard Moulds from security firm Thales.  He and Ira discuss the upcoming revision of Payment Card Industry standards. (Standards are set  by the PCI Security Standards Council).  Thales sponsored a survey of PCI auditors, to discover where they believe the weak spots are, and where improvements should be made. The interview is 11 minutes long, and it starts 56 minutes into Episode 135.

You may listen to Episode 135 via the flash player:

You may download the MP3 file here; or go to the listening options page for other ways to hear the program.

Our Take on This Week’s News

FedGov wants to snoop into your financial transactions: As most major news organizations have reported, there are potential privacy hazards for consumers and merchants lurking in the federal financial reform bill.  Republicans objected last week to the creation of two agencies that would be empowered to scrutinize purchases made on credit. We’re thankful the subject was raised, but we note that the Republicans very likely were using consumer privacy as a bargaining chip to get other changes in the bill that they consider truly important.  Let’s not be lulled into believing that citizen privacy is a priority for any legislator when there are other issues on the table. Sure enough, this article, published a day and a half later, bears out our assertion.  It’s a three-page report indicating that Republican objections had been trounced.  In three pages of reporting, there is not a mention of the privacy concerns, so it’s clear that other matters dominated the discussion, and any concerns over privacy must have evaporated in the backroom discussions.

BTW –  those two snooping “consumer protection” agencies would be located within the Federal Reserve and the U.S. Department of Treasury.  Well, it seems that Treasury is having some data security problems right now.  PandaLabs has located easy-as-pie hacker kits with targets that include the U.S. Treasury.

Computer glitches hamper census:  Remember how much money and effort was spent persuading you to return your census form?  Now the GAO reports fairly significant problems with the computer system that was specially designed for processing the paper responses.  For the moment, they’re reporting major cost overruns — AND — that a lot of the paper responses might not be counted anyway.  Why is this in our data security beat?  Because information security has three pillars:  Confidentiality, Integrity, and Availability.  We can rule out data integrity here, because the census data most likely won’t be accurate. Rule out confidentiality, because, as Congress has now been informed, stacks of paper responses are piled up in offices waiting to be entered into the system.  And we should probably rule out availability too, unless the many agencies making use of census data want to trudge over to the Commerce Department and analyze it by hand.

You may have seen this by now:  Hats off to CBS News for their coverage of the copy machine hard drives left unscrubbed when the machines are discarded by businesses.  Chilling.  Few mainstream news organizations are doing good coverage of these issues, and we hope this CBS reporter wins an award for his excellent work.

The FBI is having some challenges with forensic investigations on smart phones and game consoles. Read why they need to get info from these devices.

WiFi cracking kits make it easier than ever for wireless networks to be hacked.

This Tuesday is Patch Tuesday. Microsoft is offering a webinar to answer customer questions about patching.  Kudos for this public outreach.  But why was Microsoft silent last month, when it issued these patches?

Did fedgov use drones to track the Times Square bomber?  This story has not been reported anywhere else, but the source seems credible.  Leaving us to wonder about the Obama administration’s public preference for giving suspected terrorists constitutional rights.  A terrorist is either a criminal suspect or a combatant.  Not both.  If there is a behind-the-scenes use of military signal intelligence to track criminals, then they are not criminals, they are combatants. Or are they? Let’s decide and stick with one course.

Caller Kevin wanted to know how to diagnose mysterious CPU spikes on his system. Is there a security issue here? Ira promised to look up a free utility that can help. Long ago, when The CyberJungle was still the Data Security Podcast, we reported on MimarSinan’s Rubber Ducky System Monitor. Jim Murray, the creator of this utility, talked with us about how he came up with the software after his wife’s computer system came under attack.

Lovers of Apple can become lovers:  A new dating site for fans of Apple products.  God bless entrepreneurs everywhere.
