Archive for September, 2010

September 25, 2010 – Episode 175

Posted in Announcements, Breach, Conference Coverage, Court Cases, darkweb, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security on September 26, 2010 by datasecurityblog

Episode 175:

This week’s regular episode of The Cyberjungle is 1 hour and 25 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Lance Spitzner from the SANS “Securing the Human” project joins us to discuss the final (and largest) hole in network security. It’s the users, stupid. Millions of hours and billions of brain cells have been spent securing computers and networks. The job will never be done until we secure the humans. Our interview with Lance is about 5 minutes long, and it starts about 25 minutes into the show. Lance’s blog posting with slides from his presentation at SANS Las Vegas.

Tales from the Dark Web

Twitter attack is warning to social network users

We all love to give our opinions. Apparently, the bad guys know it. The latest dark web scam involves online and email surveys.

Our Take on This Week’s News

Teacher fired for posting a blog that included references to various students. The article in the Austin Statesman is unclear, but the reader comments help us piece together the story. Apparently this teacher, who was last year’s teacher of the year, wrote a blog on which she contemplated how to approach teaching challenges presented by some of her individual students. Her mistake was probably posting photos. One comment indicates that she did not identify any of the students by name. We are inclined to blame the administration for failure to make clear the policies regarding federal student privacy laws (FERPA).

“Respondent May NOT Use Internet in Any Manner to Communicate About Petitioner Ever Again.” An order handed down in a divorce case. The question on the Volokh Conspiracy is whether the order is constitutional. (Remember free speech?) You can’t libel someone, and maybe you can be gagged during litigation, but the government can’t permanently keep you from trashing your ex.

Wonder how many jobs this created or saved? Federal stimulus dollars are being used for an RFID program to track preschoolers. ACLU and EFF open a can of whip-ass.

Lawyers heart Facebook! Best not to post photos of yourself looking healthy and robust on Facebook if you’re in litigation for a personal injury. A judge has ordered that the private portions of the plaintiff’s Facebook are discoverable, since the public portions suggest she’s having more fun than she claims her physical condition permits.

U.S. Cybercommand proposing an internet “safe zone” for government and such critical industries as utilities and banking. A super-safe segregated network might raise as many questions as it answers. Read various versions below for a variety of angles.

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092302171.html

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.html

http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&ref=technology

http://www.wired.com/dangerroom/2010/09/militarys-cyber-commander-swears-no-role-on-civilian-networks/

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500515

Worm attack on Iranian nuke facility. Is this malware part of a nation-state attack?

Top ten internal threats to network security: this is how the risks stack up according to researchers at Fortinet.

September 19, 2010 – Episode 173

Posted in Breach, Court Cases, criminal forensics, darkweb on September 18, 2010 by datasecurityblog

Episode 173:

This week’s regular episode of The Cyberjungle is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Chris Hadnagy from Social-Engineer.org, which organized a social engineering contest at this year’s DefCon conference. The contestants assumed made-up identities, and placed phone calls to 15 major American companies. Objective: cajole as much information as possible about company operations out of the employee on the other end of the phone. (The info would be of value to bad guys trying to cook up an attack.) Social-Engineer released its report this week on the results of the exercise. Our interview with Chris starts about 23 minutes into episode 173. The interview is 7 minutes long.

Tales from the Dark Web

If you enjoy the occasional online porn adventure, heed this: a trojan that monitors what you’re watching, then blackmails you. “Pay us or we’ll tell the world what you’re watching.”

Ira’s recommendation: Change your computer to dual-boot with Linux as the other operating system. I like LinuxMint, VectorLinux, and (fav) PeppermintIce. These systems are best for web surfing, email, and word processing.

Our Take on This Week’s News

Texting money to politicians: Ready to text your political campaign donations? Politico reports on the legal issues surrounding campaign finance compliance. But says nothing about the security issues related to sending money via SMS.

Has Google’s HR department ever heard of a psychological profile? Google Engineer Repeatedly Accessed Customer data, Spied on Communications

Is the guy in the next booth packing heat? Before you leave for dinner, check this website, launched last week in response to a new Tennessee law that allows permit holders to carry their firearms into bars and restaurants. The site indicates two categories of dining establishments: those who allow guns and those who don’t.

Facebook alternative apparently has some security holes: What if you could have the convenience of Facebook, but strong privacy and security? That was the idea behind Diaspora. Some college students from NYU came up with the idea, and posted the project on a web site where people can donate money to support new start-up business ideas. The students thought they needed $10k to build the code. They were written up in a New York Times story, and they raised nearly a quarter million dollars. Well, the very, very first version of the code is out, and the privacy and security experts are weighing in with harsh criticism.

SF law enforcement formula — treat the citizens like criminals: San Francisco mayor has ordered the cops to beef up security at nightclubs in the city, to prevent violence like the recent spate of shootings that included the killing of a German tourist near a comedy club. Cops want more cameras, metal detectors, police patrols paid by club owners, and ID scanners to capture the drivers license info from customers… which will be stored for 15 days.

New tool from Google: Alerts to let you know if your web site is hijacked. Read more in a blog posting by Kelvin Newman at Site Visibility.

The Ninth Circuit lets the air out of its own ruling: An earlier ruling issued guidelines for law enforcement to follow during searches of computers. The feds said the guidelines were “complicating” prosecutions, so the court overturned itself… sort of. Read this. It’s not trivial.

The cost of free entertainment: Internet services and sites that offer free ring tones, movies, and other entertainment content, have a higher probability of delivering malware to your computer, according to a new report by Mack-ah-fee.

CyberJungle FAQ: Ira mentioned HauteSecure, but their tool is now throwing errors. He will research alternatives and report back in a future episode of The CyberJungle.

September 12, 2010 – Episode 171

Posted in Court Cases, criminal forensics, darkweb, eMail Security, Show Notes, The CyberJungle, Vulnerabilities on September 12, 2010 by datasecurityblog

Episode 171:

This week’s regular episode of The Cyberjungle is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Nathan Burchfiel from the Center for Media and Culture. Topic: The Craigslist Adult Services section takedown. Ira mentioned this story on the topic by Nathan Burchfiel’s associate, Alana Goodman.

Tales from the Dark Web

Remember the “please rob me” and the “i can stalk you” sites designed to point out the folly of broadcasting your whereabouts? The petty criminals have discovered the target-rich environments provided by Foursquare, Facebook, Twitter and others that have an integrated location-based service. Read more here from the New Hampshire Union Leader newspaper.

Our Take on This Week’s News

Is a Cyber Jihad group linked to ‘Here You have’ worm?

An appeals court in Virginia upholds warrantless GPS tracking of criminal suspects. The issue has been appealed three times, with different outcomes. The D.C. Circuit Court decided against law enforcement, and San Francisco’s Ninth Circuit recently upheld it in a decision that drew a blistering dissent. Supreme Court in 2011? Probably.

Will Android replace Windows? One security start-up is betting the farm on it.

Law enforcement in North Carolina wants to rifle through your medicine cabinet, virtually speaking, as the sheriff requests access to a state database of prescriptions.

Adobe Reader zero day attack contains a scary new booby-trap impacting all computer users.

A new survey by anti-virus maker Norton examines the emotional impact of cybercrime, calling it a “silent epidemic” that’s affected two-thirds of internet users around the globe.

The cybercriminal shopping list… it’s not that expensive to get into the business.

CyberJungle FAQ

After upgrading her business computers, Claire wants to know if she can continue to use her old clunkers safely for web-based activity. Ira recommends LinuxMint.com, or VectorLinux.com.

Robert wants an alternative to Adobe PDF products. Adobe PDF Reader and Acrobat alternatives: Foxitsoftware.com, CutePDF.com, and gPDF.

For those who don’t wish to tackle problems alone, Ira recommends Friendly Computers of Reno. They come to your home or business, and they also do support via remote access. They listen to our program, so they know what we’re recommending. Why call a geek when you can call a friend?

To Win A Netbook

To see how to enter to win a dual-boot friendly netbook, compliments of Lightwave Security, visit The CyberJungle Expert’s Guide.
