Archive for April, 2011

April 25, 2011 – Episode 210

Posted in Breach, Court Cases, criminal forensics, ediscovery, Interview Only Edition, Show Notes, The CyberJungle on April 24, 2011 by datasecurityblog

Episode 210 of The CyberJungle is about 23 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.


Interviews

First Interview – Alex Levinson: iPhone forensics expert. Here are the links Alex mentioned:

His first post in response to iPhone Tracker Gate - 3 Major Issues with the Latest iPhone Tracking “Discovery”

Alex Levinson’s later posting on iPhone security and tracking

The book Alex Levinson contributed to: iOS Forensic Analysis: for iPhone, iPad, and iPod touch

Alex Levinson is the Lead Engineer for Katana Forensics

Second Interview: ACLU Staff Attorney Mark Fancher. He is with the Racial Justice Project at the Michigan ACLU.

The Week’s News

The Guardian Project: a free, open-source project that helps people improve the security of their mobile phones when they are concerned about the privacy of their communications and the safety of their data.

Sealed Records Exposed In Major Court Gaffe: Federal prosecutors scramble to cloak details of ongoing probes.

Michigan TrackerGate: ACLU Speaks To CyberJungle Radio

Posted in criminal forensics, ediscovery, Exclusive News, The CyberJungle on April 21, 2011 by datasecurityblog

The row continues tonight between the Michigan ACLU and Michigan law enforcement. Earlier this week the Michigan ACLU leveled the charge that Michigan law enforcement was asking for hundreds of thousands of dollars for records related to the possible forensic imaging of mobile devices using the well-known Cellebrite UFED. Michigan law enforcement has responded. In a statement, the Michigan State Police said, “The DEDs [Digital Extraction Devices] are not being used to extract citizens’ personal information during routine traffic stops.” The Michigan State Police also said that there have been no claims that law enforcement has broken any laws in the use of these DEDs.

I interviewed ACLU Staff Attorney Mark Fancher today for a segment in next week’s CyberJungle Radio. Mark Fancher is with the Racial Justice Project at the Michigan ACLU. The CyberJungle felt it was too important to hold this interview until Monday’s scheduled release as part of the next episode of CyberJungle Radio.

You can hear the interview by clicking on the flash player below. You may download the file directly – great for listening on many smartphones.


Members of the media, please credit CyberJungleRadio.com

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

iOS TrackerGate: Not New, But Still Disturbing

Posted in Court Cases, criminal forensics, ediscovery, eMail Security on April 21, 2011 by datasecurityblog

The technical and non-technical press is buzzing over the “discovery” by researchers Alasdair Allan and Pete Warden. The revelations are not new, but the implications are still very disturbing.

Yesterday, Allan and Warden released an application that reads an interesting unencrypted database file (a SQLite file, not a plain-text file) kept on 3G iPhones and iPads, a copy of which also ends up in the iTunes backup on the owner’s computer. This file contains the geolocation history of where the device (and presumably its owner) has been. The application plots the geo data onto a map, allowing one to see the travels and locations of the device, and of its owner.

The non-technical press has taken this story as a revelation. Both the Wall Street Journal radio report out of the Bay Area (on KSFO-AM) and the BBC World Service have been running this story all morning. Alex Levinson, a forensic researcher, has correctly pointed out that the work by Allan and Warden did not credit the earlier research done by Alex and others in this area. Indeed, in The CyberJungle’s posting from the Paraben Forensic Innovator’s Conference (PFIC) in Park City, UT last November, we reported on the mountains of data that can be recovered from iOS devices.

The privacy implications of this data becoming available in a civil lawsuit, or in a criminal matter, are quite significant. Everything from visits to a mental health provider, a controversial art exhibit, a winery, or a discreet meeting with an ex-lover could become open to unwanted scrutiny. It is difficult to predict how information about someone’s whereabouts could be used to harm an individual in a civil or criminal matter. We already have privacy challenges with the proliferation of closed-circuit television (CCTV), and the ability to correlate that footage with iOS geo data becomes an enormously powerful investigative tool.
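To make the “where was the device on a given day” point concrete, here is an added example of the kind of extraction an examiner (or an adversary who has copied the file) performs on such a location cache. This is illustrative code written for this page, not the Allan/Warden tool or any forensic vendor’s product. It assumes a SQLite table named CellLocation with the columns MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude and HorizontalAccuracy, and that Timestamp counts seconds since Apple’s 2001-01-01 UTC epoch (the usual Cocoa time base); the rows it loads are constructed test data, not from a real device.

```python
"""Extract and summarise a location history from an iOS-style cell-location cache.

Added example (not the iPhone Tracker code). Table layout and epoch are
assumptions stated in the lead-in; sample rows are constructed.
"""
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Apple (Cocoa) time base: seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds: float) -> datetime:
    """Convert a Cocoa timestamp to an aware UTC datetime (978307200 s after Unix epoch)."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the cache: two days of cell fixes in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER, "
        "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    base = (datetime(2011, 4, 20, 9, 0, tzinfo=timezone.utc) - COCOA_EPOCH).total_seconds()
    rows = [  # constructed fixes: Carson City, Reno, then San Francisco the next day
        (310, 410, 1, 101, base, 39.16, -119.77, 500.0),
        (310, 410, 1, 102, base + 3600, 39.53, -119.81, 500.0),
        (310, 410, 2, 201, base + 86400, 37.78, -122.42, 500.0),
        (310, 410, 2, 202, base + 90000, 37.79, -122.40, 500.0),
    ]
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


Fix = Tuple[datetime, float, float, float]


def extract_locations(conn: sqlite3.Connection) -> List[Fix]:
    """Return (utc_time, lat, lon, accuracy_m) for every fix, oldest first."""
    cur = conn.execute(
        "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
        "FROM CellLocation ORDER BY Timestamp"
    )
    return [(cocoa_to_utc(ts), lat, lon, acc) for ts, lat, lon, acc in cur]


def daily_summary(points: List[Fix]) -> Dict[str, dict]:
    """Group fixes by UTC date with count and bounding box: a per-day answer to
    'where was this device', which is exactly what a litigant would ask for."""
    by_day: Dict[str, List[Tuple[float, float]]] = defaultdict(list)
    for when, lat, lon, _acc in points:
        by_day[when.date().isoformat()].append((lat, lon))
    summary = {}
    for day, fixes in sorted(by_day.items()):
        lats = [f[0] for f in fixes]
        lons = [f[1] for f in fixes]
        summary[day] = {
            "fixes": len(fixes),
            "lat_range": (min(lats), max(lats)),
            "lon_range": (min(lons), max(lons)),
        }
    return summary


if __name__ == "__main__":
    pts = extract_locations(build_sample_db())
    for day, info in daily_summary(pts).items():
        print(day, info)
```

Two things the block makes visible that the story above glosses over: the raw timestamps are not Unix time, so a naive conversion puts every fix 31 years too early; and cell fixes carry an accuracy of hundreds of metres, so the bounding box per day, not the individual point, is the honest statement of where the device was.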

Interestingly, yesterday also saw reports that Michigan law enforcement may be taking complete “in the field” forensic images of mobile devices from some drivers during routine traffic stops. This revelation should give any citizen pause, as it has the Michigan ACLU.

What techniques can the average citizen use to add layers of privacy and still use a mobile phone or tablet? We plan more coverage of this story in the next episode of CyberJungle Radio (Episode 210), including options to help mitigate these privacy leaks.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT.

April 18, 2011 – Episode 209

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities on April 17, 2011 by datasecurityblog

Episode 209 of The CyberJungle is about 35 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 22:30 mark.


Interview

Mickey Boodaei, CEO of Trusteer: The war against corporate espionage continues. Is user awareness training enough to prevent these targeted attacks? Our guest says no. Trusteer.com main site.

Our Take on The Week’s News

The Digital forensic and eDiscovery investigation of the decade? That’s what some are saying about a new Facebook lawsuit. Here’s What Happens Next — And Who Is Likely To Pay.

California high court’s ZIP code ruling spawns consumer suits. Just days after the California Supreme Court ruled that retailers cannot ask for customers’ ZIP codes during credit card transactions, more than a dozen people filed state court class-action lawsuits alleging unfair business practices by numerous merchants.

Tales from the Dark Web

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat from Adobe

Adobe patches latest Flash zero-day: Good run-down from Computerworld

Adobe Flash Player 0-day Exploit Analysis (CVE-2011-0611): Secunia analysis

Flash Player Zero day – SWF in DOC/XLS – Disentangling, original research by Mila Parkour. She did the independent research on this flaw.

Wrap

Case Leads: Ira’s SANS Institute Forensics Blog Column

Five Questions To Ask Your Firewall Vendor Today About The NSSLabs Breach Report

Posted in Breach, darkweb, Report Security Flaws, Vulnerabilities, web server security on April 13, 2011 by datasecurityblog

A new report was released yesterday by the independent security research firm NSS Labs. The report details an apparent lack of basic security in the firewall products tested, and the results are shaking the security community this week. At minimum, organizations need to do a risk assessment of the effectiveness of their current gateway security systems. Most organizations rely on their firewall as a critical element in a layered approach to digital security.

Key findings from the NSS Labs report:

  • Three out of six firewall products failed to remain operational when subjected to NSS’s stability tests.  NSS called this lack of resiliency “…alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.”
  • Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka the Sneak ACK attack), allowing an attacker to bypass the firewall’s protection against basic “outside to inside” attacks.
  • Measuring performance based upon the Benchmarking Methodology for Network Interconnect Devices (RFC-2544 for UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.

The vulnerabilities that NSS Labs uncovered could allow an intruder to get into the business network and compromise highly sensitive business data, customer records, intellectual property, and more. Most privacy and security regulations and mandates, such as HIPAA/HITECH, GLBA, PCI-DSS, and state data protection laws like Nevada’s landmark NRS 603A, assume that the network behind the firewall is a private network, not accessible from the outside, public network. These findings could undermine that assumption. (Disclosure: this blogger was an advisor and subject matter expert to the Nevada Legislature on NRS 603A.)
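What the “split handshake” finding actually means at the packet level is worth seeing, so here is an added example written for this page; it is not the NSS Labs test harness and not any vendor’s code. An inside client sends SYN to an outside host; instead of SYN-ACK, the outside host answers with a bare SYN of its own (the simultaneous-open path of RFC 793, which most TCP stacks accept); the client then sends SYN-ACK and the outside host ACKs. The model below is a deliberately small stateful connection tracker with an outbound-only policy. In “loose” mode it tolerates the reversed handshake and ends up with an established flow whose recorded initiator is the outside host, something the inbound policy would have refused as a fresh SYN; in “strict” mode the only acceptable reply to a half-open outbound SYN is SYN-ACK (or RST), so the attacker’s SYN is dropped and the flow never completes. The addresses (10.0.0.5, 203.0.113.9), the 10.0.0.0/8 trust boundary and the policy are constructed for the demo.

```python
"""Loose vs strict TCP connection tracking against the split handshake.

Added example; not NSS Labs' harness or any firewall vendor's code.
Addresses, trust boundary and policy are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


@dataclass
class Flow:
    initiator: str  # host the firewall believes opened the connection
    state: str      # SYN_SENT -> SYN_RCVD -> ESTABLISHED


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")  # constructed: 10.0.0.0/8 is the protected side


def canon(p: Packet) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (ends[0], ends[1])  # one flow record regardless of packet direction


def policy_allows_new(p: Packet) -> bool:
    # Outbound-only policy: inside may open out; outside may open nothing in.
    return is_inside(p.src) and not is_inside(p.dst)


class Tracker:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.flows: Dict[Tuple[Tuple[str, int], Tuple[str, int]], Flow] = {}

    def handle(self, p: Packet) -> str:
        key, f = canon(p), p.flags
        flow = self.flows.get(key)
        if f == {SYN}:
            if flow is None:
                if not policy_allows_new(p):
                    return "DROP"
                self.flows[key] = Flow(initiator=p.src, state="SYN_SENT")
                return "ACCEPT"
            if flow.state == "SYN_SENT" and p.src == flow.initiator:
                return "ACCEPT"  # retransmitted SYN
            if flow.state == "SYN_SENT":
                # Peer answered our SYN with a bare SYN: the split handshake.
                if self.strict:
                    return "DROP"  # only SYN-ACK (or RST) is valid here
                # Loose tracker treats it as a simultaneous open and now
                # believes the peer initiated this flow.
                flow.initiator = p.src
                return "ACCEPT"
            return "DROP"
        if f == {SYN, ACK}:
            if flow and flow.state == "SYN_SENT" and p.src != flow.initiator:
                flow.state = "SYN_RCVD"
                return "ACCEPT"
            return "DROP"
        if f == {ACK}:
            if flow and flow.state == "SYN_RCVD" and p.src == flow.initiator:
                flow.state = "ESTABLISHED"
                return "ACCEPT"
            if flow and flow.state == "ESTABLISHED":
                return "ACCEPT"
            return "DROP"
        return "DROP"

    def outside_initiated(self) -> List[Flow]:
        """Audit: established flows the firewall thinks an outside host opened.
        Under the outbound-only policy this must be empty."""
        return [fl for fl in self.flows.values()
                if fl.state == "ESTABLISHED" and not is_inside(fl.initiator)]


CLIENT, ATTACKER = "10.0.0.5", "203.0.113.9"  # constructed addresses

SPLIT_HANDSHAKE = [
    pkt(CLIENT, 40000, ATTACKER, 80, SYN),       # inside client opens
    pkt(ATTACKER, 80, CLIENT, 40000, SYN),       # attacker replies SYN, not SYN-ACK
    pkt(CLIENT, 40000, ATTACKER, 80, SYN, ACK),  # client completes attacker's handshake
    pkt(ATTACKER, 80, CLIENT, 40000, ACK),
]
NORMAL_HANDSHAKE = [
    pkt(CLIENT, 40001, ATTACKER, 80, SYN),
    pkt(ATTACKER, 80, CLIENT, 40001, SYN, ACK),
    pkt(CLIENT, 40001, ATTACKER, 80, ACK),
]


def run(strict: bool, packets: List[Packet]) -> Tuple[List[str], Tracker]:
    t = Tracker(strict)
    return [t.handle(p) for p in packets], t


if __name__ == "__main__":
    for strict in (False, True):
        decisions, t = run(strict, SPLIT_HANDSHAKE)
        print("strict" if strict else "loose", decisions,
              "outside-initiated flows:", len(t.outside_initiated()))
```

The model isolates one decision (what to accept while a flow is half-open) and leaves out sequence-number windows, timeouts and RST handling that a real tracker also needs. The practical check it suggests is simple: replay a split handshake through your own gateway to an outside host you control and confirm the second packet is dropped or reset, not passed; that is the evidence to ask your vendor for under question 1 below.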

For the last 18 months or so, major and minor hardware firewall makers have been pushing so-called “Next Generation Firewalls.” Many of the presentations at trade shows and conferences have focused on using these devices to improve operational efficiency and security for the enterprise.

For example: employees might need access to Facebook to keep in touch with customers and prospects, but should posting an update on one’s Wall take priority over an order from the web site? And just because the organization gives access to Facebook, does that mean it should allow access to Facebook apps like Farmville? In a similar vein, the marketing department might need access to YouTube, but do they need access to YouTube in HD? Next Gen Firewalls can segment this traffic and, in part, give more granular control and security over specific cloud applications.

Some of the vendors have pitched the web application firewall (WAF) features in their Next Generation firewalls. Web application attackers go straight through the ports the firewall must leave open to the DMZ (the semi-public zone) and attack the web servers themselves, in many cases to deliver malware to the visitors of those sites; many of these are the so-called drive-by download attacks. A WAF can detect these attacks before they compromise the server, so web site owners can better protect their customers and their reputation by deploying one. But none of these new features negates the basic reason an organization deploys a firewall in the first place: to protect the private network from direct outside threats coming in from the public network.

It appears that some firewall vendors may have lost focus on this key element. It’s time for your information security staff or advisor to contact your firewall vendor and get specific answers to the following questions:

  1. How exactly does the hardware we have protect against the “TCP Split Handshake Attack” that NSS Labs used in their tests? The vendor should provide a detailed answer, not just spin.
  2. If your vendor does not have protection against this attack now, when will they provide an update?
  3. How will they alert you about the update?
  4. What is the mitigation the vendor will offer until an update is available?
  5. What measures is your firewall vendor taking to improve its testing so that this kind of problem is caught before shipping in the future?

On a related note: many organizations still lump together Information Technology (IT) and Information Security. This is yet another case that highlights the differences between the two. Many Chief Information Officers (CIOs) may downplay this risk, since “our firewalls are working fine, and no one is complaining.” A good Chief Information Security Officer (CISO) will measure the risk, provide options for protection, and deliver a summary report to the CFO or CEO. Hopefully, the CIO is NOT the boss of the CISO. Alas, that is still the case for far too many organizations, and this report is yet another reason why that organizational structure is not recommended by experts at The SANS Institute and others. If your organization still relies upon IT for security, this would be a good time to seek outside help from qualified information security professionals.

The NSS Labs report is available for a fee, here. CyberJungle Radio will have more on this story as it develops, in the next episode, scheduled to post Monday morning, April 18th.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT.

April 11, 2011 – Episode 208

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities on April 10, 2011 by datasecurityblog

Episode 208 of The CyberJungle is about 30 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 16:50 mark.


Interview

Brian Fox, the creator of BASH (BASH makes a lot of Linux tasks easier), is working on a brand-new project to simplify browser security called Cocoon. According to the company, with the Cocoon plugin you get: “No tracking. No viruses. No spam. And your browsing history truly private.”

Our Take on The Week’s News

State of IT Security: Ponemon Institute Study of Utilities and Energy Companies. Global energy and utilities organizations face a number of emerging security challenges that are unique to their industry. Ponemon Research surveyed 291 IT and IT security practitioners within the energy and utilities market, and found that most don’t take IT security seriously. Download this research paper to learn more.

Calls for revisions to an auto accident privacy law. Originally intended to protect citizens, but is it being used to block government transparency?

Disable geolocation in popular web browsers and social tools with this handy guide by Fred de Vries. And check out Comodo Dragon, a version of Google Chrome with tracking disabled. The Comodo Dragon browser also highlights revoked SSL certs and, by default, sends DNS lookups to a more secure DNS service. Only for Windows users right now.

Tales from the Dark Web

Epsilon Marketing Breach: What did Epsilon know about a pending attack and when did they know it?

Wrap

Anatomy of a Tweet.  Very handy forensic guide, called “map-of-a-tweet” by

April 4, 2011 – Episode 207

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, The CyberJungle, Vulnerabilities, web server security on April 4, 2011 by datasecurityblog

Episode 207 of The CyberJungle is about 48 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 26:30 mark.


Interview

Rob Lee, of the SANS Institute and Mandiant: Defining the Advanced Persistent Threat (APT)

Our Take on The Week’s News

The Epsilon breach, read more in two blog postings at The CyberJungle, here and here.

News on the causes of the RSA breach, read an in-depth blog report from RSA/EMC

Pornwikileaks and a health clinic under fire for the alleged release of porn actors’ personal information. NSFW: Pornwikileaks

Tales from the Dark Web

If you don’t understand this basic cyber crime concept, you better figure it out this week, because there is a large-scale attack underway. The Websense link to the blog posting and video Ira mentioned.

Wrap

Cell phone panic button app sends emergency alerts
