Archive for the Announcements Category

Program Note – Data Security Podcast 82

Posted in Announcements on November 22, 2009 by datasecurityblog

Episode 82 of the Data Security Podcast is scheduled to post Monday overnight/Tuesday early morning, Greenwich Mean Time. In the meantime, listen to Ira Victor’s two-part infosec special interviews on fighting web drive-by downloads. We posted a two-part special edition last Thursday and Friday, Episodes #80 and #81.

Data Security Podcast Episode 81, Nov 20 2009

Posted in Announcements, darkweb, Exclusive, Interview Only Edition, Podcast, web server security on November 20, 2009 by datasecurityblog

EXCLUSIVE – For Friday November 20th, we depart from our regular format for those with an advanced understanding of information security technologies.

This is part two of two special editions featuring technical conversations with newsmakers on new counter measures to fight web drive-by downloads. Part two features Louis Hughes, Chairman and CEO of InZero Systems; and Yura Socolov, Director, IT Security of InZero Systems. InZero Systems has created a new hardware sandbox approach to this vexing security issue.

We will return to our regular format of the latest news on data security, privacy, and the law with Episode 82. Episode 82 is scheduled to post Sunday night/Monday morning, November 23rd, 2009 at ~12.01am Greenwich Mean Time. That is our regularly scheduled show posting time.

On Episode 81: InfoSec conversation with InZero Systems on countering web drive-by downloads with a new hardware sandbox.

–> Stream, subscribe or download Episode 81 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 81 of the Data Security Podcast

Ira has an extended, technical conversation with Louis Hughes, Chairman and CEO of InZero Systems; and Yura Socolov, Director, IT Security of InZero Systems. InZero Systems has an interesting approach to fighting web drive-by downloads.

Special Security Geek Edition: Interview with Marsh Ray, Discoverer of SSL Flaw

Posted in Announcements, Breach, darkweb, Exclusive on November 5, 2009 by datasecurityblog

For Thursday November 5th, we depart from our regular format for those with an advanced understanding of information security technologies. This episode is a one-topic special edition, providing coverage of a major man-in-the-middle flaw discovered in the SSL protocol (see, we told you it was for security geeks).

We will return to our regular format of the latest news on data security, privacy, and the law with Episode 78. Episode 78 is scheduled to post Sunday night/Monday morning, November 8th, 2009 at ~12.01am Greenwich Mean Time. That is our regularly scheduled show posting time.

On Episode 77: Conversation with Marsh Ray, discoverer of the new SSL flaw

–> Stream, subscribe or download Episode 77 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 77 of the Data Security Podcast

Breaking news with an extended interview with Marsh Ray, Senior Software Developer and Engineer with multi-factor security company PhoneFactor.

SSL lock engaged, but is the connection secure?

Marsh Ray discovered a major security flaw in the SSL protocol. SSL is the most widely used encryption protocol on the internet.

Marsh Ray keeps a blog at extendedsubset.com. He works for PhoneFactor, where you can read more about this vulnerability in SSL.

Data Security Podcast Episode 76, Nov 02 2009

Posted in Announcements, Breach, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities on November 1, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law… (plus or minus ten)

On this week’s program:

* Placing an online bet for the World Series? Employees of online betting sites might be selling customer data online.

* Google Book Search: What data is Google storing about readers of online books?

* Our take on this week’s news.

–> Stream, subscribe or download Episode 76 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 76 of the Data Security Podcast

* Conversation: Samantha talks with Rebecca Jeschke of the Electronic Frontier Foundation (EFF). There are lots of privacy objections to the Google Book Search settlement, and EFF is leading the way on them. Read about it here. And here’s the legal document filed by EFF; the settlement hearing has been indefinitely postponed.

* Tales From The Dark Web: Are online casinos leaking information about their customers? Hard to say, as the original web posting about this is now available only in the Google Cache. Here is a story from TightPoker.com about the original posting. That story lists the original site as AustralianGambling.au, but the URL should be AustralianGambling.com.au .

* From Our Take on The News:  Lobbyists beware: judge rules metadata is public record. This story also talks about the Google metadata leak.

* From Our Take on The News: A MUST READ – Samantha writes at the ReasonableReporter.com about social engineering and how the technique is used in real life, and in the new movie Law Abiding Citizen:

* Wrap: Ira talked about the launch of Digital Forensics Magazine.

BREAKING NEWS – New Twist to Zeus Bank Trojan; Well-Known Penetration Tester at ISACA Conference Calls Revelation “Disastrous”

Posted in Announcements, Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Vulnerabilities, web server security on September 30, 2009 by datasecurityblog

Reporting from the ISACA Security and Risk Management Conference in Las Vegas, we have breaking security news this morning.

Organized cyber criminals have added a new damaging element to an already vicious cyber attack. Yuval Ben-Itzhak, CTO of Finjan, spoke by phone with the Data Security Podcast about a frightening new twist to the surge of bank-account-stealing Trojan attacks.

First, some background: This news program, and other media outlets, have been reporting in the last few months about a wave of bank account Trojans that have been stealing money from small and medium sized businesses, and local governments. These well organized cyber criminals have been combining web drive-by attacks with unauthorized electronic funds transfers. The cyber criminals then use innocent money mules to launder the money. The mules are typically lured into popular “make cash at home” schemes.

A construction company in Maine lost $588,000 from a recent attack, and they are now suing their bank. It’s important to note that while consumers generally have 60 days to “unwind” an unauthorized electronic funds transfer, business accounts are only protected if the bank is alerted within 48 hours of an unauthorized transfer. On The Data Security Podcast earlier this week, we interviewed the lawyer representing the construction company that suffered the $588,000 loss; see link below.

The Data Security Podcast can now report a dangerous new element to these attacks. Ben-Itzhak tells the Data Security Podcast that Finjan security researchers have seen the cyber criminals actually alter the “account view” online screens that a victim sees. Of course, the altered screen views do not show the suspicious transactions. This means that a business will probably lose the chance to catch unauthorized transactions within the 48 hour window.

Here’s the process: The business uses a computer (or computers) to do online business banking, and uses that same computer for web activities, email, and other standard business internet tasks. The attackers use those normal internet activities to plant a version of the Zeus banking Trojan onto the business computer systems. These attacks are designed to bypass most firewalls and many popular anti-virus programs.

The Trojan captures log-in info, challenge questions and answers, and account numbers, right from the business computer systems: all the info the criminals need to conduct unauthorized electronic funds transfers.

Here’s the new twist: The attackers are now altering the web screens that display business account information. The bank’s computers are not altered; rather, it is the business customer’s view of their own accounts, as seen from their own computers, that is changed. This is known in security-speak as an integrity attack: authorized persons are unable to trust the accuracy of their own information.
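The practical defence against a view-altering Trojan is to check the workstation’s account view against a statement obtained through an independent channel (a different device, the bank’s mailed or phone statement) before the 48-hour window the post cites has passed. The reconciliation below is an added example, not code from the podcast, Finjan or any bank; the transactions are constructed and the `Txn` and `reconcile` names are this example’s own.

```python
"""Reconcile the account view shown on a workstation against a statement obtained
through an independent channel, to surface entries a view-altering banking Trojan
has hidden or changed. Added example with constructed data; not from any bank or vendor."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reporting window the post cites for business accounts (consumers get 60 days).
BUSINESS_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    posted: datetime
    amount: int   # whole dollars; negative is a debit
    memo: str


def reconcile(displayed, independent, now):
    """Compare what the (possibly compromised) workstation displays with an
    independent statement. Returns (hidden, altered, overdue):
      hidden  - statement entries missing from the displayed view
      altered - (displayed, actual) pairs with the same txn_id but differing amount or memo
      overdue - hidden or altered debits already older than the 48-hour window
    """
    shown = {t.txn_id: t for t in displayed}
    hidden, altered, overdue = [], [], []
    for actual in independent:
        view = shown.get(actual.txn_id)
        if view is None:
            hidden.append(actual)
        elif (view.amount, view.memo) != (actual.amount, actual.memo):
            altered.append((view, actual))
        else:
            continue  # entry matches; nothing to flag
        if actual.amount < 0 and now - actual.posted > BUSINESS_WINDOW:
            overdue.append(actual)
    return hidden, altered, overdue


# Constructed sample: the time of the check and a statement pulled from a clean device.
NOW = datetime(2009, 9, 30, 9, 0)


def sample_statement():
    return [
        Txn("T1", datetime(2009, 9, 25, 8, 0), -12000, "payroll"),
        Txn("T2", datetime(2009, 9, 29, 11, 0), -3500, "vendor invoice"),
        Txn("T3", datetime(2009, 9, 27, 10, 0), -45000, "ACH transfer"),  # hidden, past 48h
        Txn("T4", datetime(2009, 9, 29, 14, 0), -9800, "ACH transfer"),   # hidden, within 48h
        Txn("T5", datetime(2009, 9, 28, 9, 0), 20000, "customer deposit"),
        Txn("T6", datetime(2009, 9, 26, 15, 0), -2000, "wire"),           # amount altered
    ]


def sample_view():
    """What the Trojan lets the business see: T3 and T4 dropped, T6 shrunk."""
    return [
        Txn("T1", datetime(2009, 9, 25, 8, 0), -12000, "payroll"),
        Txn("T2", datetime(2009, 9, 29, 11, 0), -3500, "vendor invoice"),
        Txn("T5", datetime(2009, 9, 28, 9, 0), 20000, "customer deposit"),
        Txn("T6", datetime(2009, 9, 26, 15, 0), -200, "wire"),
    ]


if __name__ == "__main__":
    hidden, altered, overdue = reconcile(sample_view(), sample_statement(), NOW)
    for t in hidden:
        print(f"HIDDEN  {t.txn_id} {t.amount:>8} {t.memo}")
    for view, actual in altered:
        print(f"ALTERED {actual.txn_id} shown {view.amount} actual {actual.amount}")
    for t in overdue:
        print(f"OVERDUE {t.txn_id}: past the 48-hour reporting window")
```

The check only helps if the independent statement really is independent: a statement fetched on the same infected workstation would be subject to the same altered view.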

Ira Victor, Co-Host of The Data Security Podcast, is covering the ISACA Las Vegas Conference and had an exclusive sit-down interview with well-known data security researcher and penetration testing expert ‘Famous Peter Woods’ (as he is known), about this new attack. Peter Woods is the COO of First Base, a security company in the UK. Mr. Woods is also a keynote speaker at the conference.

Peter Woods characterized this new variation of the Zeus bank Trojan “as a disaster.” Mr. Woods recommended that businesses engage in a serious round of new user awareness training. When we asked Mr. Woods about technical counter-measures the banks could undertake, he questioned the willingness of many banks to invest in counter-measures that would truly be effective against these types of attacks. He thought that many banks would be more likely to add new legal disclosures in an attempt to indemnify themselves from financial loss.

Indeed, some banks are now putting new warnings on their web sites that encourage customers to “update anti-virus” and to “update system-patches.” Other speakers at the ISACA conference in Las Vegas generally agree that while those measures are good for stopping certain attacks, they are mostly insufficient to thwart these newer types of attacks.

In Data Security Podcast Episode 71, Samantha Stone has an eye-opening interview with the attorney of the Maine construction company that lost $588,000 in a cyber attack, and is suing their bank. The cause of action? The plaintiff claims the bank breached its fiduciary duty when it failed to protect against the loss of the $588,000. We suspect that a variant of the Zeus banking Trojan attack was used to steal the money.

Be sure to subscribe to our RSS feed and listen to Data Security Podcast Episode 72. When that show posts, it will include our interview with Yuval Ben-Itzhak of Finjan. Here is the link to the Finjan Report on the new Zeus bank Trojan.

Labor Day Program Note – Data Security Podcast

Posted in Announcements, Report Security Flaws, Vulnerabilities on September 6, 2009 by datasecurityblog

The Data Security Podcast is taking Labor Day off… we are working on these stories for next week’s program:

* Brian Mastenbrook’s excellent blog posting, How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications

I talked to Brian, and we will advance the story he tells on web application security, and the difficulty in reporting vulnerabilities to site managers/owners.

Here is a link to Brian’s Posting, and a link to the Report Security Flaws project.

* Apple’s Snow Leopard release DOWNGRADES users to an older version of Adobe software, a version that contains known vulnerabilities. Will Apple release a general update that will fix this issue, or will it shift the burden to the end user to discover their new OS has a significant security hazard?

In the meantime, follow up-to-date stories on Ira Victor’s Twitter feed, including a new ZeroDay on IIS. Go to: http://twitter.iravictor.net

Data Security Podcast Episode 67, Aug 24 2009

Posted in Announcements, Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities, web server security on August 24, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law… (plus or minus five)

On this week’s program:

* The security lessons from the Heartland data breach: what the newscasters didn’t tell you. Details on our Tales from The Dark Web segment.

* What if you discovered a web security flaw and the site’s customer service staff ignored your alerts? An exciting announcement about a project to address this problem.

* Our take on this week’s news.

–> Stream, subscribe or download Episode 67 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 67 of the Data Security Podcast

* EXCLUSIVE: Ira talks with Russ McRee of HolisticInfoSec.org about major security issues. This conversation also covers the new project, ReportSecurityFlaws.com .

* Tales From The Dark Web: What the other newscasters didn’t talk about with the news of an indictment of the Heartland / TJMaxx / 7-11 attacker, Albert Gonzalez.

* From the News: Web app attacks lead to possible breach of Law Enforcement data

* From the News: SQL Injection Demystified – A look at the attack and how to protect your applications from it

* From the News:  Report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack

* From the News:  Cyber-Ambulance Chasing (Can’t we think of another way to accomplish this?)

Unspam Technologies filed a “John Doe” lawsuit in federal court against cybercriminals who have been targeting banks. The unfortunate bank customers are now caught between the devil and the deep blue sea. Unspam’s suit seeks confidential account information from the financial institutions, as part of its strategy to track down the hackers.

Here’s the money quote from the coverage in the New York Times: Even though Unspam’s lawyer “concedes he is unlikely ever to discover the names of the hackers… he hopes to get the details of the thefts, the names of victims and other information from the banks that can be used to improve security and possibly identify the hackers.”

We’re not sure we like this strategy. Who’s next? Shall we force insurance companies to cough up individual medical records in order to prosecute hospital ID theft?

Read the story by Saul Hansell in the New York Times.

* Wrap: Vanishing eMail

REPORT: SQL Injection Attacks #1 Web Drive-by Hazard

Posted in Announcements, Vulnerabilities, web server security on August 17, 2009 by datasecurityblog

Web application security company Breach Security announced today that SQL Injection attacks remain the number one web attack vector, accounting for nearly one-fifth of all security breaches (19%).

Attack vectors exploiting Web 2.0 features such as user-contributed content were also commonly employed: authentication abuse was the second most active attack vector (11%), and Cross Site Request Forgery (CSRF) rose to number five with 5% of the reported attacks.

The data released today was part of the Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report. Breach Security contributes to the project. The WHID project compiles and analyzes application-related security incidents, focusing exclusively on publicly reported web application security attacks that have an identified outcome. The WHID 2009 Bi-Annual report analyzed global security incidents that occurred from January 1 through July 31, 2009. The report shows a 30 percent increase in overall web attacks compared to the same period in 2008.

The report also shows that planting of malware and standard overt changes on web sites remains the most common outcome of web attacks (28%), while leakage of sensitive information is a close second, at 26%.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. The WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack.

Data Security Podcast Episode 61 – July 14 2009

Posted in Announcements, Breach, darkweb, Podcast, Vulnerabilities, web server security on July 14, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law… (plus or minus five)

On this week’s program:

* A double whammy… two critical zero day attacks hit users of Microsoft products.

* A non-profit security group has a plan to fight web drive-by downloads.

* Our take on this week’s news.

This week’s show is 28.5 minutes

–> Stream, subscribe or download Episode 61 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Show Notes for Episode 61 of the Data Security Podcast

* Conversation: StopBadware.org is a non-profit security group with a plan to fight web drive-by downloads. We spoke with Maxim Weinstein, the Executive Director of the project. They will help you if your site is blacklisted, and they are looking for help from the security community in uncovering and fighting web drive-by downloads.

* Tales From The Dark Web: Two Zero Day Attacks in the news this week:

ActiveX Video Flaw. Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution. Option 1: apply the workaround in the Microsoft Advisory, or upgrade all systems to Microsoft Internet Explorer 8. This Zero Day impacts users of Windows XP and Windows 2003 running IE6 or IE7. UPDATE: Microsoft’s “Patch Tuesday” (Microsoft’s monthly patch cycle) includes a fix for this issue.

Microsoft Office. Read the detailed SANS Internet Storm Center Alert: Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution. There is a long list of Windows products impacted by this flaw. Be sure to go through the Microsoft Advisory.

* From The News: Does Google Know Too Much About You? Read the details in Ian Paul’s story in PCWorld.

* From The News: Point, at Foxnews: Wireless Cybercriminals Target Clueless Vacationers. Counterpoint: Summer Time, and Wireless Fear Mongering Is in the Air, by Glenn Fleishman at WifiNetNews.

A non-profit security group has a plan to fight web drive-by downloads. That’s in our interview segment later in the show.

Update: This Week’s Data Security Podcast

Posted in Announcements on July 13, 2009 by datasecurityblog

Note to listeners: Although we usually post on Sunday night, this week’s program will be posted within the next 24 hours.

We are working on the following stories for you: Who’s behind the latest web site break-ins? How a non-profit organization can help shield you from attacks by The Darkweb.

These stories, and more, coming up on Episode 61 of The Data Security Podcast; 30 minutes every week on data security, privacy, and the law.
