Archive for October, 2011

October 31, 2011 – Episode 236

Posted in criminal forensics, darkweb, Show Notes, The CyberJungle, Vulnerabilities, web server security on October 31, 2011 by datasecurityblog

Episode 236 of The CyberJungle is about 29 minutes long. You can hear it by clicking on the flash player below. The interview begins at about 13min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

Interview

Mark Bowden, author of Black Hawk Down, talks with The CyberJungle about his new book, Worm: The First Digital World War.

Our Take On This Week’s News

Researchers find major security holes in the Amazon cloud. Read more at h-online.com.

Ubuntu Linux for ARM heads to smartphones/tablets. Read more at ZDnet.

Tales From The Dark Web

Spam scams behind the mask of a legitimate-looking network news site. Here is the link, but DO NOT go there on a non-high-security system; there may be malware on this domain, as it appears to be controlled by a spammer: http://www.news13i.com/ [Cut and paste at your own risk]

Wrap

John McCarthy, who some have called the Godfather of PKI, 1927-2011. Read more at the MIT Press Log.

October 24, 2011 – Episode 235

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive News, Show Notes, The CyberJungle, Vulnerabilities, web server security on October 24, 2011 by datasecurityblog

Episode 235 of The CyberJungle is about 25 minutes long. You can hear it by clicking on the flash player below. The interview begins at about 12min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

Interview

EXCLUSIVE: Does ‘Son of Stuxnet’ hold a clue to another SSL CA breach? Jeff Hudson of Venafi gives us his take.

Our Take On This Week’s News

Another online video breach victim: Microsoft. Read more at Geekwire.

iPad Smart Cover Security Flaw. Read more at PCWorld.

Tales From The Dark Web

NASDAQ attackers target business executives. Read more at the Chicago Tribune.

Wrap

What if, two years before the 9/11 attacks, the U.S. had been given complete digital forensic access to al-Qaeda and Taliban calls and data? Read more in the long, but very worthwhile, Vanity Fair story.

October 17, 2011 – Episode 234

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security on October 17, 2011 by datasecurityblog

Episode 234 of The CyberJungle is about 28 minutes long. You can hear it by clicking on the flash player below. The interview begins at about 14min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

Interview

Rob Rachwald, Director of Security Strategy and lead blogger with Imperva. Rob and Ira discuss a study on cybercrime.

Our Take On This Week’s News

Samsung Approved For Enterprise (SAFE) program should help the company get more business users. Read more at IntoMobile.

Lessons Not Learned? Porn Gets Uploaded To Sesame Street Site.

Several German states admit to use of controversial spy software. Read more at Deutsche Welle.

Tales From The Dark Web

Mac Trojan Flashback.B Checks for VM. Read more at the F-Secure Malware Blog.

Wrap

I’ll take extra salt with that hard drive, please.

Lessons Not Learned? Porn Gets Uploaded To Sesame Street Site

Posted in Breach on October 16, 2011 by datasecurityblog

There must be some hand wringing going on at Public Broadcasting Corporation (PBS) tonight.

On the heels of a PBS server breach earlier this year that revealed the passwords of journalists from numerous media outlets, they have now had to endure the defilement of their signature children’s program, Sesame Street.

If you grew up watching Oscar the Grouch trading one-liners with Bert and Ernie, you will be horrified to know that for about twenty minutes today X-rated video content was substituted for G-rated content.

It is shocking that anyone would think that putting X-rated content in front of the Sesame Street audience could be justified.

At this time, we don’t know the entry-point for this breach. It does make one wonder what might have happened to cause this incident.

An attacker might have been able to learn the username and password that allows Sesame Street producers to upload new content. As we saw in the breach of the PBS server in May of this year, once an attacker controls one critical system, it is often easy to discover the user names and passwords of users. Often the passwords are trivial to guess, or easy to “crack.”

And, often staff members use the same user/password pair to access multiple systems. It is possible that some sort of password-stealing trojan was used against the staff of Sesame Street. Once the attacker(s) had one or more passwords, they might have found it trivial to impersonate a Sesame Street producer and upload whatever content they wished.

Even after so many attacks in the news (and more that don’t make the headlines), non-technical managers still look at information security as an expense, rather than a strategic investment. They often think that they are not a target since they are not a bank, or the Pentagon, or the FBI, and that they have nothing of value to take. Many non-technical decision makers downplay the risks, and once the risk is lowered, there is no need, in their minds, to take measures to protect the organization’s information assets.

What is disturbing in this case is that, AFTER a breach earlier this year at PBS, it appears that Sesame Street did not take information security measures to protect the most vulnerable members of the PBS audience.

There is a bigger message here for all organizations: Passwords alone are no longer effective in protecting information assets. Users have too many systems to log into to remember long, complex passwords for each system. And, with modern attacks, even THOSE passwords can be cracked or stolen with relative ease.

What’s a solution? Non-technical decision makers need to look at so-called multi-factor authentication. Something you know is one factor (a username/password) and something you have can be another factor. The best systems use multi-factor authentication with one-time passwords, so that each time a user authenticates, a new, one-time password is used. If an attacker steals that password, it is useless.
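As an added illustration of the one-time-password point above (example code written for this page, not from the original post or from PBS): an RFC 4226 HOTP verifier in which the server's counter advances past each accepted code, so a code captured from a successful login is rejected when presented again. The shared secret and counter values are constructed for the demo.

```python
"""HOTP (RFC 4226) with server-side replay rejection. Added example;
the secret and counters are constructed for the demo, not real data."""
import hmac
import hashlib
import struct

DEMO_SECRET = b"sesame-demo-secret-not-real"  # constructed shared secret
DIGITS = 6
LOOK_AHEAD = 5  # tolerate a token pressed a few times without logging in


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Per-user server state: the next counter value the server will accept."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, candidate: str) -> bool:
        # Only counters at or beyond the current one are eligible, so a code
        # that already produced a login can never match a second time.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # burn this counter and all earlier ones
                return True
        return False


def replay_demo() -> tuple:
    """Returns (legitimate_login_ok, replay_of_captured_code_ok, next_code_ok)."""
    server = OtpServer(DEMO_SECRET)
    captured = hotp(DEMO_SECRET, 0)            # the code the real user typed
    first = server.verify(captured)            # accepted: counter moves to 1
    replay = server.verify(captured)           # rejected: counter 0 is burned
    fresh = server.verify(hotp(DEMO_SECRET, 1))  # accepted: next code in sequence
    return first, replay, fresh
```

The `hotp` function reproduces the RFC 4226 reference vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`), which is the quickest check that an implementation is correct before trusting it in a login path.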

Of course we can’t overlook another strong possibility. Research shows us repeatedly that disgruntled employees are often at the root of cyber breaches. I hasten to add that I have no information, aside from what I have read in the press. There are also several types of technologies that would alert management when an employee engages in unauthorized activity.

Technology provides the answers, but sometimes management has to get stung before they become curious enough to look into them.

By: Ira Victor G2700, GCFA, GPCI, GSEC, CGEIT, CRISC, Member: HTCIA; Ira Victor is an information security and forensics analyst, and Co-Host of CyberJungle Radio

October 10, 2011 – Episode 233

Posted in Breach, Court Cases, criminal forensics, darkweb, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on October 10, 2011 by datasecurityblog

Episode 233 of The CyberJungle is about 37 minutes long. You can hear it by clicking on the flash player below. The interview begins at about 14min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

Interview

Ever wonder, when you’re watching CSI, about the scientific process for matching crime scene DNA to the suspect? We talked with Dr. Arthur Eisenberg, Co-Director of the Center for Human Identification at the University of North Texas. Dr. Eisenberg was also employee number 20 in the company that pioneered DNA analysis for the purpose of identifying criminals. (Hired in 1984, incidentally. For whatever that’s worth.)

Our Take On This Week’s News

Wired Story: Computer Virus Hits U.S. Drone Fleet [Note: These planes actually are Unmanned Aerial Vehicles, not Drones]. But one information security researcher has an alternate theory and ponders whether the software might not be malware. An excellent essay on UAVs, and the future of warfare, from Kenneth Anderson at the well-respected The Volokh Conspiracy blog.

Claim from the Chaos Computer Club: “The largest European hacker club, “Chaos Computer Club” (CCC), has reverse engineered and analyzed a “lawful interception” malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.” Read more here.

Tales From The Dark Web

Most complex passwords cracked by cheap consumer hardware

Wrap

A portable GPS device with real personality

October 3, 2011 – Episode 232

Posted in Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on October 3, 2011 by datasecurityblog

Episode 232 of The CyberJungle is about 28 minutes long. You can hear it by clicking on the flash player below. The interview begins at about 14min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

Interview

Attorney Aaron Crews: Bring Your Own Device could be a legal land mine for businesses. Aaron D. Crews is a member of Littler Mendelson’s e-Discovery Practice Group.

Our Take On This Week’s News

Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Email Addresses, Much More. Read the story at AndroidPolice.com.

Kindle Fire: the tablet that knows your next move. Jeff Bezos’s announcement of Amazon’s assault on the tablet market comes with an added twist. Read The Guardian story.

Tales From The Dark Web

Malicious QR Codes Pushing Android Malware

Wrap

1977 Star Wars Celica: Have You Seen This Car?