Archive for April, 2011

April 25, 2011 – Episode 210

Posted in Breach, Court Cases, criminal forensics, ediscovery, Interview Only Edition, Show Notes, The CyberJungle on April 24, 2011 by datasecurityblog

Episode 210 of The CyberJungle is about 23 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.


Interviews

First Interview – Alex Levinson: iPhone forensics expert. Here are the links Alex mentioned:

His first post in response to iPhone Tracker Gate - 3 Major Issues with the Latest iPhone Tracking “Discovery”

Alex Levinson’s later posting on iPhone security and tracking

The book Alex Levinson contributed to: iOS Forensic Analysis: for iPhone, iPad, and iPod touch

Alex Levinson is the Lead Engineer for Katana Forensics

Second Interview: ACLU Staff Attorney Mark Fancher. He is with the Racial Justice Project at the Michigan ACLU.

The Week’s News

The Guardian Project: a free, open-source project for people who want to improve the security of their mobile phones and are concerned about the privacy of their communications and the safety of their data.

Sealed Records Exposed In Major Court Gaffe: Federal prosecutors scramble to cloak details of ongoing probes.

Michigan TrackerGate: ACLU Speaks To CyberJungle Radio

Posted in criminal forensics, ediscovery, Exclusive News, The CyberJungle on April 21, 2011 by datasecurityblog

The row continues tonight between the Michigan ACLU and Michigan law enforcement. The Michigan ACLU leveled the charge earlier this week that Michigan law enforcement was asking for hundreds of thousands of dollars for records related to the possible forensic imaging of mobile devices using the well-known Cellebrite UFED. Michigan law enforcement has responded. In a statement, the Michigan State Police said, “The DEDs [Digital Extraction Devices] are not being used to extract citizens’ personal information during routine traffic stops.” The Michigan State Police also said that there have been no claims that law enforcement has broken any laws in the use of these DEDs.

I interviewed ACLU Staff Attorney Mark Fancher today for a segment in next week’s CyberJungle Radio. Mark Fancher is with the Racial Justice Project at the Michigan ACLU. The CyberJungle felt this interview was too important to hold until Monday’s scheduled release as part of the next episode of CyberJungle Radio.

You can hear the interview by clicking on the flash player below. You may download the file directly – great for listening on many smartphones.


Members of the media, please credit CyberJungleRadio.com

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

iOS TrackerGate: Not New, But Still Disturbing

Posted in Court Cases, criminal forensics, ediscovery, eMail Security on April 21, 2011 by datasecurityblog

The technical and non-technical press is buzzing over the “discovery” by researchers Alasdair Allan and Pete Warden. The revelations are not new, but the implications are still very disturbing.

Yesterday, Allan and Warden released an application that reads an unencrypted file found on 3G iPhones and iPads. This file records the geolocation of where the device (and presumably its owner) has been. The application plots the geo data onto a map, allowing one to see the travels and location of the device, and of its owner.
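To make concrete what such a file yields once it is read, here is an added example written for this post; it is not Allan and Warden’s tool and not Katana Forensics code. It builds a small SQLite database with an assumed layout (a table named CellLocation with columns Timestamp, Latitude, Longitude and HorizontalAccuracy, timestamps counted in seconds from 2001-01-01 UTC, the Core Foundation epoch), fills it with constructed fixes that imitate successive cell-tower estimates of a few places, and then reconstructs a day-by-day itinerary. Coordinates are rounded to a roughly one-kilometre grid so that the repeated estimates of one place collapse into a single stop with a first-seen and last-seen time.

```python
"""Turn an iOS-style location cache into a day-by-day itinerary.

Added example for this post; it is not the tool Allan and Warden released and
not code from Katana Forensics. The table name, column names and timestamp
epoch below are ASSUMPTIONS chosen to resemble a cell-tower location cache,
and every row in SAMPLE_FIXES is CONSTRUCTED, not taken from a real device.
"""
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Core Foundation absolute time counts seconds from 2001-01-01 00:00:00 UTC.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed fixes: (UTC time, latitude, longitude, horizontal accuracy in m).
# The jitter on the coordinates imitates successive cell-tower estimates of
# the same place; the places themselves are arbitrary.
SAMPLE_FIXES = [
    ("2011-04-18T07:02:00", 39.5312, -119.8089, 800),   # "home", morning
    ("2011-04-18T07:45:00", 39.5287, -119.8134, 650),
    ("2011-04-18T10:10:00", 39.4701, -119.7812, 500),   # a clinic across town
    ("2011-04-18T10:55:00", 39.4689, -119.7790, 700),
    ("2011-04-18T18:30:00", 39.5301, -119.8107, 900),   # back "home"
    ("2011-04-18T22:05:00", 39.5295, -119.8121, 850),
    ("2011-04-19T07:10:00", 39.5308, -119.8098, 800),
    ("2011-04-19T13:20:00", 38.2912, -122.4587, 1200),  # a winery, out of town
    ("2011-04-19T15:05:00", 38.2934, -122.4560, 1100),
]


def to_cf_seconds(iso_utc):
    """Convert an ISO-8601 UTC time to Core Foundation seconds."""
    when = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return (when - CF_EPOCH).total_seconds()


def build_sample_db():
    """Create an in-memory SQLite database with the ASSUMED layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation ("
        "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    conn.executemany(
        "INSERT INTO CellLocation VALUES (?, ?, ?, ?)",
        [(to_cf_seconds(t), lat, lon, acc) for t, lat, lon, acc in SAMPLE_FIXES],
    )
    conn.commit()
    return conn


def load_fixes(conn):
    """Read every fix, oldest first, converting timestamps to aware datetimes."""
    rows = conn.execute(
        "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
        "FROM CellLocation ORDER BY Timestamp"
    )
    return [(CF_EPOCH + timedelta(seconds=ts), lat, lon, acc)
            for ts, lat, lon, acc in rows]


def daily_itinerary(fixes, places=2):
    """Group fixes by UTC calendar day and by a coarse grid cell.

    Rounding to two decimal places merges fixes within roughly a kilometre,
    about the precision of cell-tower positioning anyway. Returns
    {"YYYY-MM-DD": [(lat, lon, first_seen, last_seen, fix_count), ...]} with
    each day's stops in order of first appearance.
    """
    days = defaultdict(dict)
    for when, lat, lon, _acc in fixes:
        cell = (round(lat, places), round(lon, places))
        stop = days[when.strftime("%Y-%m-%d")].setdefault(cell, [when, when, 0])
        stop[0] = min(stop[0], when)   # earliest fix in this cell that day
        stop[1] = max(stop[1], when)   # latest fix in this cell that day
        stop[2] += 1
    return {
        day: sorted(
            ((lat, lon, first.strftime("%H:%M"), last.strftime("%H:%M"), n)
             for (lat, lon), (first, last, n) in cells.items()),
            key=lambda stop: stop[2],
        )
        for day, cells in sorted(days.items())
    }


if __name__ == "__main__":
    for day, stops in daily_itinerary(load_fixes(build_sample_db())).items():
        print(day)
        for lat, lon, first, last, n in stops:
            print(f"  {first}-{last}  {lat:.2f},{lon:.2f}  ({n} fixes)")
```

Run it and each day prints as a list of stops with arrival and departure times; that is the whole privacy problem on one screen, since the clinic or the winery is just one more row. A real examination would also convert the times to the device’s local time zone and carry the accuracy column through to the report, because a fix with a 1,200 m radius is evidence of a neighbourhood, not of a building.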

The non-technical press has taken this story as a revelation. Both the Wall Street Journal radio report out of the Bay Area (on KSFO AM) and the BBC World Service have been running this story all morning. Alex Levinson is a forensic researcher who has correctly pointed out that the work by Allan and Warden did not credit the earlier research done by Alex, and others, in this area. Indeed, in a CyberJungle posting from the Paraben Forensic Innovator’s Conference (PFIC) in Park City, UT last November, we reported on the mountains of data that can be recovered from iOS devices.

The privacy implications of this data becoming available in a civil lawsuit, or in a criminal matter, are quite significant. Everything from visits to a mental health provider, a controversial art exhibit, a winery, or a discreet meeting with an ex-lover could become open to unwanted scrutiny. It’s difficult to predict how information about someone’s whereabouts could be used to harm an individual in a civil or criminal matter. We already have privacy challenges with the proliferation of closed circuit television (CCTV), and the ability to correlate CCTV footage with iOS geo data would make an enormously powerful investigative tool.

Interestingly, yesterday also saw reports that Michigan law enforcement may be taking complete “in the field” forensic images of mobile devices from some drivers during routine traffic stops. This revelation should give any citizen pause, as it has the Michigan ACLU.

What are some of the techniques the average citizen can use to add layers of privacy and still use a mobile phone or tablet? We plan more coverage of this story in the next episode of CyberJungle Radio (episode 210), including options to help mitigate these privacy leaks.

Posted by Ira Victor

April 18, 2011 – Episode 209

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities on April 17, 2011 by datasecurityblog

Episode 209 of The CyberJungle is about 35 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 22:30 mark.


Interview

Mickey Boodaei, CEO of Trusteer: The war against corporate espionage continues. Is security awareness training enough to prevent these targeted attacks? Our guest says no. Trusteer.com main site.

Our Take on The Week’s News

The digital forensics and eDiscovery investigation of the decade? That’s what some are saying about a new Facebook lawsuit. Here’s What Happens Next — And Who Is Likely To Pay.

California high court’s ZIP code ruling spawns consumer suits. Just days after the California Supreme Court ruled that retailers cannot ask for customers’ ZIP codes during credit card transactions, more than a dozen people filed state court class-action lawsuits alleging unfair business practices by numerous merchants.

Tales from the Dark Web

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat from Adobe

Adobe patches latest Flash zero-day: Good run-down from Computerworld

Adobe Flash Player 0-day Exploit Analysis (CVE-2011-0611): Secunia analysis

Flash Player Zero day – SWF in DOC/XLS – Disentangling: original research by Mila Parkour, who did the independent research on this flaw.

Wrap

Case Leads: Ira’s SANS Institute Forensics Blog Column

Five Questions To Ask Your Firewall Vendor Today About The NSSLabs Breach Report

Posted in Breach, darkweb, Report Security Flaws, Vulnerabilities, web server security on April 13, 2011 by datasecurityblog

A new report released yesterday by the independent security research firm NSS Labs details an apparent lack of basic security in products from major firewall makers, and the results are shaking the security community this week. At minimum, organizations need to do a risk assessment of the effectiveness of their current gateway security systems. Most organizations rely upon their firewall as a critical element in a layered approach to digital security.

Key findings from the NSS Labs report:

  • Three out of six firewall products failed to remain operational when subjected to NSS’s stability tests. NSS called this lack of resiliency “…alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.”
  • Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka the Sneak ACK attack), thus allowing an attacker to bypass the firewall’s protection against basic “outside to inside” attacks.
  • Measuring performance based upon the Benchmarking Methodology for Network Interconnect Devices (RFC 2544, for UDP) does not provide an accurate representation of how the firewall will perform in live, real-world environments.
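For readers who have not seen the split handshake, here is an added example, not the NSS Labs test harness and not any vendor’s code, that plays a normal three-way handshake and a split handshake through a simplified model of a stateful firewall’s connection tracker. The addresses 10.0.0.5 (inside) and 203.0.113.9 (outside) are assumed, and the two tracker policies are simplified: the lax one “follows along” with whatever the endpoints do and records whichever host sends the SYN/ACK as the server, while the strict one admits only SYN, then SYN/ACK from the responder, then ACK, and drops anything else.

```python
"""Normal vs. split TCP handshake through a toy stateful firewall tracker.

Added example for this post: not the NSS Labs test harness and not any
vendor's code. INSIDE and OUTSIDE are assumed addresses, and both tracker
policies are simplified models of how a stateful device might behave.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"
INSIDE, OUTSIDE = "10.0.0.5", "203.0.113.9"   # assumed addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset


def pkt(src, dst, *flags):
    return Packet(src, dst, frozenset(flags))


# Standard three-way handshake: an inside client opens a connection to an
# outside server.
NORMAL_HANDSHAKE = [
    pkt(INSIDE, OUTSIDE, SYN),
    pkt(OUTSIDE, INSIDE, SYN, ACK),
    pkt(INSIDE, OUTSIDE, ACK),
]

# Split handshake: the outside host answers the SYN with a bare SYN of its
# own instead of SYN/ACK. The inside stack treats this as a simultaneous
# open (RFC 793 allows it) and replies SYN/ACK, so the INSIDE host is now
# the one sending the SYN/ACK.
SPLIT_HANDSHAKE = [
    pkt(INSIDE, OUTSIDE, SYN),
    pkt(OUTSIDE, INSIDE, SYN),
    pkt(INSIDE, OUTSIDE, SYN, ACK),
    pkt(OUTSIDE, INSIDE, ACK),
]


class HandshakeTracker:
    """One flow's entry in a stateful firewall's connection table.

    strict=True : admit only SYN -> SYN/ACK (from the responder) -> ACK and
                  drop anything else, so a split handshake never completes.
    strict=False: follow along with whatever the endpoints do and record
                  whichever host sends SYN/ACK as the server.
    """

    def __init__(self, strict):
        self.strict = strict
        self.state = "NEW"
        self.initiator = self.responder = None   # who really sent the first SYN
        self.client = self.server = None         # roles as recorded in the table
        self.dropped = 0

    def _drop(self):
        self.dropped += 1
        return "drop"

    def process(self, p):
        f = p.flags
        if self.state == "NEW" and f == {SYN}:
            self.initiator, self.responder = p.src, p.dst
            self.state = "SYN_SENT"
            return "pass"
        if self.state == "SYN_SENT" and p.src == self.responder:
            if f == {SYN, ACK}:                  # the textbook reply
                self.client, self.server = self.initiator, self.responder
                self.state = "SYN_RECV"
                return "pass"
            if f == {SYN} and not self.strict:   # bare SYN back: follow along
                self.state = "SIMULTANEOUS"
                return "pass"
        if self.state == "SIMULTANEOUS" and f == {SYN, ACK}:
            self.server, self.client = p.src, p.dst   # SYN/ACK sender "is" the server
            self.state = "SYN_RECV"
            return "pass"
        if self.state == "SYN_RECV" and p.src == self.client and f == {ACK}:
            self.state = "ESTABLISHED"
            return "pass"
        if self.state == "ESTABLISHED":
            return "pass"
        return self._drop()


def run_handshake(packets, strict):
    """Feed a packet sequence through a tracker and report what it recorded."""
    t = HandshakeTracker(strict)
    verdicts = [t.process(p) for p in packets]
    return {
        "state": t.state,
        "client": t.client,
        "server": t.server,
        "dropped": t.dropped,
        "verdicts": verdicts,
        # How the firewall now believes the connection was opened.
        "recorded_direction": (
            None if t.client is None
            else ("inside->outside" if t.client == INSIDE else "outside->inside")
        ),
    }


if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE)):
        for strict in (False, True):
            r = run_handshake(seq, strict)
            print(f"{name:6} strict={strict!s:5} -> {r['state']:12} "
                  f"recorded as {r['recorded_direction']} (dropped {r['dropped']})")
```

With the lax policy the split handshake completes, but the state table now records the outside host as the client and the inside host as the server: the recorded direction is the reverse of the rule that admitted the connection, which is the opening the report describes. The strict policy drops the bare SYN from the responder, the later SYN/ACK and ACK no longer fit any expected transition, and the connection never reaches ESTABLISHED. That is the behaviour to ask a vendor to confirm, not merely assert.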

The vulnerabilities that NSS Labs uncovered could allow an intruder to come into the business network and compromise highly sensitive business data, customer records, intellectual property, and more. Most privacy and security regulations and mandates like HIPAA/HITECH, GLBA, PCI-DSS, and state data protection laws like Nevada’s landmark NRS 603A, assume that the network behind the firewall is a private network, not accessible from the outside, public network. These findings could threaten that assumption. (Disclosure: this blogger was an advisor and subject matter expert to the Nevada Legislature on NRS 603A.)

For the last 18 months or so, major and minor hardware firewall makers have been pushing so-called “Next Generation Firewalls.” Many of the presentations at trade shows and conferences have focused on using these devices to improve operational efficiency and security for the enterprise.

For example: Employees might need access to Facebook to keep in touch with customers and prospects, but should posting an update on one’s Wall take priority over an order from the web site? And, just because the organization gives access to Facebook, does that mean it should allow access to Facebook apps like Farmville? In a similar vein, the marketing department might need access to YouTube, but do they need access to YouTube in HD? Next Gen Firewalls can segment this traffic and, in part, give more granular control and security over specific cloud applications.

Some of the vendors have pitched the web application firewall (WAF) features in their Next Generation firewalls. Web application attackers reach the web servers in a firewall’s DMZ (semi-public zone) over the very ports the firewall must leave open, typically HTTP and HTTPS, so a network firewall passes their requests as ordinary web traffic. They do this, in many cases, to turn the compromised site into a delivery point for malware aimed at its visitors; many of these attacks are the so-called drive-by download attacks. A WAF inspects the requests themselves, and so can detect these attacks before they compromise the server. Web site owners can better protect their customers, and their reputation, by deploying a WAF. But all these new features obviously do not negate the basic reason why an organization deploys a firewall in the first place: to protect against more direct outside threats coming into the private network from the public network.

It appears that some firewall vendors may have lost focus on this key element. It’s time for your information security staff or advisor to contact your firewall vendor and get specific answers to the following questions:

  1. How exactly does the hardware we have protect against the “TCP Split Handshake Attack” that NSS Labs used in their tests? The vendor should provide a detailed answer, not just spin.
  2. If your vendor does not have protection against this attack now, when will they provide an update?
  3. How will they alert you about the update?
  4. What mitigation will the vendor offer until an update is available?
  5. What measures is your firewall vendor taking to improve testing to prevent this kind of problem in the future?

On a related note: Many organizations still lump together Information Technology (IT) and Information Security. This is yet another case that highlights the differences between the two. Many Chief Information Officers (CIOs) may downplay this risk, since “our firewalls are working fine, and no one is complaining.” A good Chief Information Security Officer (CISO) will measure the risk, provide options for protection, and deliver a summary report to the CFO or CEO. Hopefully, the CIO is NOT the boss of the CISO. Alas, that is still the case for far too many organizations, and this report is yet another reason why that organizational structure is not recommended by experts at The SANS Institute, and others. If your organization still relies upon IT for security, this would be a good time to seek outside help from qualified information security professionals.

The NSS Labs report is available for a fee, here. CyberJungle Radio will have more on this story as it develops, in the next episode, scheduled to post Monday morning, April 18th.

Posted by Ira Victor

April 11, 2011 – Episode 208

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities on April 10, 2011 by datasecurityblog

Episode 208 of The CyberJungle is about 30 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 16:50 mark.


Interview

Brian Fox, the creator of Bash (the shell that makes a lot of Linux tasks easier), is working on a brand-new project to simplify browser security called Cocoon. According to the company, with the Cocoon Plugin you get: “No tracking. No viruses. No spam. And your browsing history truly private.”

Our Take on The Week’s News

State of IT Security: Ponemon Institute Study of Utilities and Energy Companies. Global energy and utilities organizations face a number of emerging security challenges that are unique to their industry. Ponemon Research surveyed 291 IT and IT security practitioners within the energy and utilities market, and found that most don’t take IT security seriously. Download this research paper to learn more.

Calls for revisions to an auto accident privacy law. Originally intended to protect citizens, but is it being used to block government transparency?

Disable geolocation in popular web browsers and social tools with this handy guide by Fred de Vries. And check out Comodo Dragon, a version of Chromium (the open-source base of Google Chrome) with the usage-tracking features removed. Comodo Dragon also highlights revoked SSL certificates and, by default, sends DNS queries to Comodo’s own SecureDNS servers. Only for Windows users right now.

Tales from the Dark Web

Epsilon Marketing Breach: What did Epsilon know about a pending attack and when did they know it?

Wrap

Anatomy of a Tweet. Very handy forensic guide, called “map-of-a-tweet” by

April 4, 2011 – Episode 207

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, The CyberJungle, Vulnerabilities, web server security on April 4, 2011 by datasecurityblog

Episode 207 of The CyberJungle is about 48 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 26:30 mark.


Interview

Rob Lee, of the SANS Institute and Mandiant: Defining the Advanced Persistent Threat (APT)

Our Take on The Week’s News

The Epsilon breach, read more in two blog postings at The CyberJungle, here and here.

News on the causes of the RSA breach, read an in-depth blog report from RSA/EMC

Pornwikileaks and a health clinic under fire for the alleged release of porn actors’ personal information. NSFW: Pornwikileaks

Tales from the Dark Web

If you don’t understand this basic cyber crime concept, you had better figure it out this week, because there is a large-scale attack underway. The Websense link to the blog posting and video Ira mentioned.

Wrap

Cell phone panic button app sends emergency alerts

Hello McFly….Epsilon Breach Shows Cybercriminals Have Moved Way Past ID Theft

Posted in Breach, criminal forensics, ediscovery, eMail Security on April 4, 2011 by datasecurityblog

Major media outlets around the globe are giving greater coverage to the Epsilon data breach story today. This might be the biggest breach of non-regulated PII (personally identifiable information) in US history. Read more on the story in this CyberJungle posting from Sunday night.

Typically, the mainstream media has focused on theft of Personally Identifiable Information (PII): credit card breaches, financial account information theft, and healthcare data breaches. Little attention has been paid to business data theft, by the media, by pressure groups, or by many of the businesses that house the data, since business data is not typically regulated the way PII is.

This might be a watershed moment when the attention is shifted to business data. According to a report released last week by McAfee/Intel and SAIC, “…cybercriminals have made the shift from stealing personal information, to targeting the corporate intellectual capital of some of the most well-known global organizations. Cybercriminals understand there is greater value in selling a corporations’ proprietary information and trade secrets which have little to no protection, making intellectual capital their new currency of choice…”

The focus of attention in the Epsilon story is consumer data. Big story number one, not yet getting much attention: the widespread theft and re-sale on the digital black market of business intellectual property like trade secrets, technologies, sales data, price lists, key customer contacts, manufacturing processes, software code, salary info, and more.

Another big story not getting much attention: contrary to the spin from data collectors and pressure groups, the biggest data risk associated with the collection of consumer information is not that the data collector will sell the data to another firm. The biggest risk is that the data these collectors hold will end up in the hands of cyber criminals or a government agency, or become part of damaging civil litigation, all of which can cause much greater harm.

The CyberJungle Radio program that will post Monday will cover this story and other news about security, privacy and the law. Other stories we are covering include the widespread SQL injection attack; a new panic button smartphone app; and an in-depth look at the Advanced Persistent Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at TheCyberJungle listening options page.

Posted by Ira Victor

Ameriprise Financial Customers Exposed in Massive Marketing Firm Breach

Posted in Breach, criminal forensics, darkweb, eMail Security on April 3, 2011 by datasecurityblog

Ameriprise Financial has joined a growing list of large companies announcing that their customers were exposed in a data breach at marketing firm Epsilon. The CyberJungle has learned that Ameriprise Financial sent a notice to customers Sunday evening, reading, in part:

We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.

You are receiving this because you have in the past received a communication from Ameriprise. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.

The notice gives general recommendations, including using anti-virus and anti-spyware software, not sending financial information via email, being cautious about pop-ups, and to “Use caution when opening attachments or downloading files from email.”

Among the other high-profile companies whose customers were exposed by the breach of Epsilon Marketing’s information systems are Citi, Kroger, Marriott and Walgreens. A recently updated list is in this SecurityWeek.com story.

In a separate Epsilon statement last week the marketing company said “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s systems. The information that was obtained was limited to email addresses and/or customer names only.”

Epsilon’s “about us” section says, in part, “ …We offer a full range of marketing services to help you [businesses] connect with them [customers] anytime, … This full-brain approach has earned us numerous accolades…” The Epsilon web site has a security policy which states, in part, “We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon.”

The CyberJungle take: It appears that Epsilon may not have been using a “full brain” approach to protecting its information assets. The thrust of their statement is: the attackers only took customer names, email addresses and the names of companies the customers do business with, so there is not much risk of harm. The risk of harm is that social engineering attacks, phishing attacks, and other attacks could be launched against those customers, by someone who now knows exactly which brand each customer already trusts. Users are more likely to respond to a message from, say, Walgreens, if in fact they are already a customer of that store. As social engineers have shown, once trust and rapport are gained, an attacker can do significant harm. There could be widespread consumer harm, extending to employer data, since many people give a work email address for these services. Security and human resource administrators should consider holding a staff training meeting to help protect the information assets of the business, and to protect staff members from personal cyber attacks that could hurt worker productivity.

The CyberJungle Radio program that will post Monday will cover this story and other news about security, privacy and the law. Other stories we are covering include the widespread SQL injection attack; a new panic button smartphone app; and an in-depth look at the Advanced Persistent Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at TheCyberJungle listening options page.

Posted by Ira Victor
