Archive for the Podcast Category

September 25, 2010 – Episode 175

Posted in Announcements, Breach, Conference Coverage, Court Cases, darkweb, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security on September 26, 2010 by datasecurityblog

Episode 175:

This week’s regular episode of The CyberJungle is 1 hour and 25 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 175 via the flash player:


Interview

Lance Spitzner from the SANS “Securing the Human” project joins us to discuss the final (and largest) hole in network security. It’s the users, stupid. Millions of hours and billions of brain cells have been spent securing computers and networks. The job will never be done until we secure the humans. Our interview with Lance is about 5 minutes long, and it starts about 25 minutes into the show. See Lance’s blog posting with slides from his presentation at SANS Las Vegas.

Tales from the Dark Web

Twitter attack is warning to social network users

We all love to give our opinions.  Apparently, the bad guys know it. The latest dark web scam involves online and email surveys.

Our Take on This Week’s News

Teacher fired for posting a blog that included references to various students. The article in the Austin Statesman is unclear, but the reader comments help us piece together the story. Apparently this teacher, who was last year’s teacher of the year, wrote a blog on which she contemplated how to approach teaching challenges presented by some of her individual students.  Her mistake was probably posting photos.  One comment indicates that she did not identify any of the students by name.  We are inclined to blame the administration for failure to make clear the policies regarding federal student privacy laws (FERPA).

“Respondent May NOT Use Internet in Any Manner to Communicate About Petitioner Ever Again.” An order handed down in a divorce case. The question on the Volokh Conspiracy is whether the order is constitutional. (Remember free speech?) You can’t libel someone, and maybe you can be gagged during litigation, but the government can’t permanently keep you from trashing your ex.

Wonder how many jobs this created or saved? Federal stimulus dollars are being used for an RFID program to track preschoolers.    ACLU and EFF open a can of whip-ass.

Lawyers heart Facebook! Best not to post photos of yourself looking healthy and robust on Facebook if you’re in litigation for a personal injury. A judge has ruled that the private portions of the plaintiff’s Facebook account are discoverable, since the public portions suggest she’s having more fun than she claims her physical condition permits.

U.S. Cybercommand proposing an internet “safe zone” for government and such critical industries as utilities and banking.  A super-safe segregated network might raise as many questions as it answers. Read various versions below for a variety of angles.

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092302171.html

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.html

http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&ref=technology

http://www.wired.com/dangerroom/2010/09/militarys-cyber-commander-swears-no-role-on-civilian-networks/

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500515

Worm attack on Iranian nuke facility. Is this malware part of a nation-state attack?

Top ten internal threats to network security. This is how the risks stack up according to researchers at Fortinet.

May 23, 2010 – Episode 139

Posted in Court Cases, criminal forensics, Podcast, Show Notes, The CyberJungle, Vulnerabilities on May 22, 2010 by datasecurityblog

Interview Segment:

Our guest is Josh Levy, a writer, internet strategist, and the organizer of a project called “pledge to leave facebook.” The interview is 9 minutes long, and it starts about 56 minutes into the show. Episode 139 is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or click on the listening options page for other ways to listen.

To listen to Episode 139 via the flash player:


Our take on this week’s news:

Co-host Ira Victor is out of town.  Lee Rowland from the ACLU of Nevada sits in as guest co-host for a first-hour privacy round-up.  Recent issues include:

The Houston Police Department recently held a secret (no media allowed) event where the invited guests contemplated the use of drone aircraft for domestic law enforcement.  Nonetheless,  one news outlet got wind of it, and stationed its television cameras on the property next door. They caught the launch of the drone on camera.  Cops say they aren’t sure how they’ll use the technology, but aren’t ruling out anything. Watch the whole report.  It’s about four minutes long.

Incoming U.C. Berkeley freshmen are being encouraged to offer a DNA sample. And why were RFID chips implanted in Alzheimer’s patients without proper oversight?

TSA continues to roll out the full body scanning machines to airports across the nation.  Passengers don’t seem to be aware that they can opt for a pat-down instead of a virtual strip search.

Tough week for Facebook.  The Wall Street Journal reports the company gave personal info to advertisers. EFF offers insight.

On the heels of a CBS news investigative report about the data left on copy machine hard drives, the FTC is applying pressure to the makers of the machines to educate customers about scrubbing the hard drives.  (Xerox is leading the pack, according to one account.)

The first-ever jail sentence for a HIPAA violation has been imposed. We wonder why this guy was informed he was about to be fired, and then allowed to hang around and access patient records repeatedly.

Todd Davis of LifeLock told the world his social security number as an advertising gimmick, trying to prove a point, of course.  His identity has been successfully stolen 13 times since being “covered” by LifeLock.

Not cool enough for a mac?  Why the Apple Store refused to sell an iPad to a disabled woman. (She wanted to pay cash. Apple’s iPad policy was credit or debit card only.) And why Apple relented, and delivered the device to her home a few days later. (San Francisco television consumer reporter Michael Finney and his news feature “7 on Your Side” shamed them into it.)

April 24, 2010 – Episode 131

Posted in Breach, Business Continuity, Court Cases, criminal forensics, ediscovery, eMail Security, Exclusive, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities on April 24, 2010 by datasecurityblog

Interview: Evan Ratliff joins us to discuss his attempt to vanish for a month, with Wired Magazine challenging readers to find him, and a $5,000 reward for anyone who snapped his photo and said the word “fluke.”  An online posse developed, Evan ducked discovery for 25 days, and was caught in New Orleans, a few days shy of his goal.  The interview is about 14 minutes long, and it starts about 57 minutes into Episode 131. You may stream the program here:


You may download Episode 131 here. Or visit the Listening Options page for more ways to hear the program.

Discussion: The texting case that made it to the U.S. Supreme Court. We discuss with ACLU attorney Lee Rowland whether, and under what circumstances, Fourth Amendment protections apply to text messages (that is the question the court is considering). Our discussion with Lee is about 20 minutes long, and starts about 22 minutes into Episode 131.

Our Take on This Week’s News

Amazon is fighting off a demand from the North Carolina Department of Revenue (the state tax collectors). The state wants a record of all Amazon purchases made by its residents, and it wants names, so it can collect the sales tax.  Amazon says “privacy violation.”  And remember Amazon’s original business was books, which have a special place in the law when it comes to protecting their owners from government intrusion.

Here’s the story as reported by c|net, and here’s Amazon’s complaint.

Cyberattack on Google Said to Hit Password System.  More has been revealed about the extent of the Aurora attack on Google.  This story was apparently leaked to the New York Times by someone familiar with the investigation.  It suggests huge implications for the security of all Google applications.

Facebook is becoming quite brazen about exposing user profile information. This opinion piece at EFF explains the latest piece of information to be taken out of the user’s control.

Related:  The Facebook “like it” button, coming soon to websites everywhere.

About the most straightforward information-sharing scheme we’ve seen yet: Blippy mines your email and credit card statements (with your permission) and posts every purchase you make. Blippy is the VC flavor of the month, having just received $11 million. Too bad some credit card numbers belonging to Blippy users turned up when some curious surfers hit Google with search strings containing the words “Blippy.com” and “from card”. Will Blippy survive? Probably, even in the face of a less-than-apologetic stance from the company (co-founded by the infamous Pud, of the infamous FuckedCompany.com site from the “dot-bomb” period). Why anyone would want to be part of Blippy, especially now, is a separate discussion.

Highly-paid SEC lawyers and accountants spent their days surfing porn sites while Bernie Madoff was making off with a whole lotta other people’s money. We ask why, in an entity whose mission revolves around audits and controls, were there no audit trails and controls to call attention to an employee with 16,000 attempts to access porn?  Shouldn’t this have been nipped in the bud before it spiraled out of control?

You probably read about some of the chaos that ensued from McAfee’s latest update.  But this story by a SANS incident handler takes the prize.

Malware mules:  We all know about drug mules and money mules.  But the black market for email credentials is creating some new opportunities.

Episode 129 – April 17, 2010

Posted in Breach, Court Cases, criminal forensics, darkweb, Exclusive News, Legislation, Podcast, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities, web server security on April 17, 2010 by datasecurityblog

Interview Segment:  Physicians, citizen groups, and many states are lining up to sue the federal government over the new individual health insurance mandate.  But there’s a unique case coming out of Mississippi, where an attorney has filed a suit claiming the new health care reform violates the right to medical privacy.  Our interview with Doug Lee starts about 22 minutes into the show, and it’s about 9 minutes long.

The full show can be streamed on the flash player below.


Or download Episode 129 here. Or visit the Listening Options page for more ways to hear the program.

Our take on this week’s news:

News coming out of the Computer-Human Interaction conference meeting in Atlanta this week, where researchers announced their findings about possible security problems with advanced wireless medical devices.

Another example of a big company that offers no means to report security flaws on its website. This is something we’ve complained about for years.  How can you help these people if they won’t help you by offering a communication channel?

High marks for entrepreneurship – these two New York City companies facilitate a match-up, via text or tweet,  between people who need a parking space, and people who are vacating a parking space.  Find a need and fill it.  We wish these guys the best, but we sure hope they don’t end up facilitating a rape or robbery in the middle of the night. (I ‘m a bad guy with a parking space at 3 a.m…. come and get it, little girl.)

Congress passes the “Truth in Caller ID Act of 2010”: Under the bill, it becomes illegal “to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive.”

Security sucks, according to former national cybersecurity advisor Amit Yoran. Everywhere he looks, he sees the same cluelessness. Why your information security stinks, and what to do about it.

Federal Agencies Falling Short On OMB’s Federal Desktop Core Configuration Mandate. No agency has fully implemented all the configuration settings on applicable PCs.

Critical Java update:  Oracle issues emergency Java patch to stop zero-day attacks.

Episode 126 and 127 – April 10, 2010

Posted in Breach, Court Cases, criminal forensics, eMail Security, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security on April 11, 2010 by datasecurityblog

Interviews: Peter Schlampp, VP of Marketing and New Products at Solera Networks, who discussed a new approach to uncovering the source of attacks: network forensics. Stuart Staniford, Chief Scientist at FireEye, who discussed research to help counter the attacks that bypass firewalls and antivirus. And world famous white-hat hacker Charlie Miller talks with us about Apple security, how he won the CanSecWest Pwn2Own contest, and the security implications of Apple’s announcement about location-aware advertising and multitasking on the iPhone OS 4 platform. Dr. Miller is also a researcher at Security Evaluators. The full show can be streamed via the Flash player here:


Download the Episode 127 MP3 file here or visit the Listening Options page for more ways to hear the program.

Episode 126 is the su root version of The CyberJungle. It features only the unedited versions of these three interviews. Partial versions of the interviews also appear, along with all the other regular content, in the full version of the show. Listen via the Flash player here:


Download the Episode 126 MP3 file here or visit the Listening Options page for more ways to hear the program.

Our Take on This Week’s News

Class action suit against Countrywide Financial: Plaintiffs ask $20 million after Countrywide employee stole and sold tens of thousands (or millions?) of customer records.

Another inside job: Bank of America Employee Charged With Planting Malware on ATMs.

German Government Pays Hacker For Stolen Bank Account Data. The government pays cybercriminals for data stolen from banks in tax haven countries, and uses the info to catch tax cheats.

Computer Hacker Sentenced to 37 Months in Prison in Manhattan Federal Court for Scheme to Steal and Launder Money from Brokerage Accounts.  This guy got three years for perpetrating something that sounds like the Zeus attack… in addition to credit card fraud and other counts.  No wonder cybercrime is proliferating.

Phishing Attacks on Taxpayers Rise in the Weeks Leading up to April 15th IRS Tax Filing. SonicWALL offers an online quiz to test your phishing IQ. Ten questions. It’s actually harder than you think, but it’s fun. We recommend you give this quiz to employees, bosses, family… anyone who might benefit from learning the difference between legitimate email and a phishing attack.

Looking for Tiger Woods’ Nike advert could lead users into visiting malicious sites.

Sierra Nevada Infragard announcement:

InfraGard Sierra Nevada April Lunch Event

KEYNOTER: Stuart Staniford, Chief Scientist with security firm FireEye has a long history in the intrusion detection field, starting in the research arena at UC Davis back in 1994. He was conducting a variety of research projects with government contractor Silicon Defense before joining FireEye.

WHERE: The Washoe County Regional Public Safety Training Center, 5190 Spectrum Blvd. Room 105, in Reno, Nevada.

WHEN: Thursday, April 15, 2010; 11:15am-1PM, includes lunch

DONATION: $10 for InfraGard members with advance purchase before April 13th, 2010;

$15 at the door and for non-members.

To register for the Infragard lunch event, please follow this link

If you heard Ira Victor live on The John Sanchez Show (the live program that follows The CyberJungle on KKOH.com), Ira mentioned the web site to report phishing and other scams:

Episodes 116 and 117 – March 7, 2010

Posted in Breach, Conference Coverage, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, The CyberJungle, Vulnerabilities on March 6, 2010 by datasecurityblog

The CyberJungle episode 117 is a special RSA Security Conference coverage. It includes an interview with Juan Santana, the CEO of Panda Security, on the take down of the Mariposa Botnet. This botnet impacted people in just about every country in the world, and stole, among other things, bank credentials. Ira mentioned Christopher Brown’s forensics book, Computer Evidence: Collection & Preservation.

In “Tales from the Dark Web” we explore how cybercrime gangs recruit and use money mules to move cash after they’ve stolen it out of bank accounts. Guest: Bank of America Senior Vice President David Shroyer.

We attended a Cloud Security Alliance Security Summit at RSA, where we discovered CloudAudit.org.

The CyberJungle full episode 117 can be downloaded from the listening options page, or streamed here:


Plus, as our “su root” edition this week, we have posted an interview on the incident response related to the Mariposa Botnet with Pedro Bustamante from Panda Security. We caught up with him at the RSA Security Conference.

We spoke with Gerry Brown and Christopher Brown on forensics and evidence collection for electric smart grid attacks. The su root interview is always longer and more technically sophisticated than the podcast versions, which have been edited for radio.

This su root episode (#116) of The CyberJungle can be downloaded from the listening options page, or streamed here:


Episodes 114 and 115 – February 27, 2010

Posted in Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Podcast, Show Notes, Vulnerabilities on February 28, 2010 by datasecurityblog

The CyberJungle episode 115 features an interview with Simon Bransfield-Garth, CEO of CellCrypt, on the growing potential for cell phone eavesdropping; also, an interview with information activist John Young, whose website cryptome.org was shut down on orders from Microsoft attorneys after he posted a document the company considers proprietary. Bransfield-Garth’s interview starts approximately 21 minutes into the podcast. Young’s interview can be found approximately 53 minutes into the podcast.

We have posted a separate, unedited version of the Simon Bransfield-Garth interview, as our “su root” edition this week. The su root interview is always longer and more technically sophisticated than the podcast versions, which have been edited for radio. This su root offering is labeled episode 114.

Click Here to Listen to Episode 115. Shownotes below.

The Chuck Norris attack, so named because of references to the action film star in the code, is targeting the D-Link router.

Wyndham Hotels Breached for the third time. The Wyndham Privacy and Security Policy indicates privacy and security might not be a top priority; it also reveals the large number of brand name hospitality establishments owned by Wyndham.

Inventory documents from the Department of Homeland Security show that 985 computers were lost by Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) in fiscal 2008. In addition, the departments lost hundreds of night vision scopes, computer switches worth $92,000 apiece, and an International Harvester truck. All of this loss was considered by the feds to be within acceptable loss limits.

Eric Schmidt, privacy hypocrite: We’re ordering a T-shirt for Google CEO Eric Schmidt, who famously proclaimed in a recent CNBC interview that “if you have something you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Schmidt apparently had his employees take down a blog from Google Blogspot, in which his mistress made numerous references to him. So fortunate that he runs the company where his privacy was breached. His new motto will be “Privacy for me, but not for thee.” Thanks to Valleywag for this delicious morsel.

Just in case you’ve been living under a rock, parents of high school students in Lower Merion School District are suing after the district activated the cameras in school-issued laptops and spied on the kids while they were at home. The lawsuit slaps the district with violations of all of the following laws:

Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Stored Communications Act, a section of the Civil Rights Act, the Fourth Amendment of the U.S. Constitution, the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania common law.

Not so fast, says Orin Kerr, law professor at George Washington University, and regular contributor to the Volokh Conspiracy. Kerr’s analysis shows how specific these laws are, and how tough it is to prosecute violations of federal computer protection laws. The only real case against the school district, says Kerr, is a Fourth Amendment case.

Episodes 113A, 113B, and 112 su root edition: February 21, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, Legislation, Podcast, Show Notes, The CyberJungle, web server security on February 21, 2010 by datasecurityblog

Three episodes, one low price. (Free). We posted the show in three parts this week. Episode 113 A is a 35-minute interview on cell phone tracking, posted separately, so that anyone who wants the cybercrime news can skip straight to Episode 113 B.

The other post is the su root edition for the technically proficient. This week it’s an interview with Ben Jun from Cryptography Research, on developing applications that adapt to sweeping changes in technology. A preview of his RSA presentation. It’s 20 minutes long.

Episode 113 A – cell phone tracking interview

This is an interview segment on the legal and technical issues under review by the federal Third Circuit Court of Appeals regarding tracking of cell phone users. Our guests are Rebecca Gasca of the Nevada ACLU and Dr. Nirmala Shinoy of the Rochester Institute of Technology. This segment is 35 minutes long.

The most informative of the documents is the 2008 court order now being appealed, in which a Western Pennsylvania magistrate denied the government’s request for tracking data without a warrant. It’s 56 pages long, but offers a very comprehensive statutory history of the laws that apply to phone tapping and tracking. Newsweek recaps the issue and covers the appeal. http://www.newsweek.com/id/233916

Episode 113B Cybercrime and Security News

A spike in power grid attacks is predicted in the next 12 months. The Project Grey Goose report claims the number and severity of attacks on the existing grid has been underreported.

Coincidentally, Zeus and its variants are more severe and widespread than previously reported. The attack is not just stealing money from commercial bank accounts. It’s settled into more than two thousand entities and 74 thousand computers, stealing intellectual property, credit card numbers, email and network credentials, and a wide variety of other information. The good news is, it’s finally hitting the mainstream press. Reported this week in the following publications.

CNET: Zeus on 74k PCs in global botnet. “…Compromises of enterprise networks have reached epidemic levels”

NY Times: Malicious Software Infects Corporate Computers. Attack goes well beyond just bank account info stealing.

Wall St Journal: Broad New Hacking Attack Detected

WaPo: Nearly 2500 companies victim of massive cyberattack

The economics of malware- a new report urges us to look at cybercrime differently. It’s not lone gunmen and geeky teens, it’s an entire economy, with mom and pop shops, street vendors, manufacturers and marketers.

A TV news story that suggests banks are using your social networking pages to glean information about your creditworthiness. A company that mines the sites for data and sells it to the banks says nope… the institutions only use it for marketing, not for lending decisions.

A Houston television station launched an investigation of retail credit card practices at the cash register in Sears and K-Mart. Employees at the store accepted credit cards without checking ID or signatures. The reporters made numerous purchases using cards that didn’t belong to them. The stores will “immediately” begin retraining their employees at more than 2,000 combined stores nationwide in techniques for preventing credit card fraud.

Episodes 110 and 111 – February 14, 2010

Posted in Breach, Conference Coverage, Court Cases, darkweb, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities on February 13, 2010 by datasecurityblog

su root edition: Episode 110 is the full-length, unedited version of our interview with Dr. Martin Hellman. It is 26 minutes long.  We discuss Dr. Hellman’s early work on public key encryption, and his new project, applying security risk assessments to measure the threat posed by the nation’s nuclear weapons stockpiles.
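
As an added example (not part of the show notes, and not code from Dr. Hellman or his paper), here is a toy Diffie-Hellman key agreement in Python, the construction his early public-key work is known for. It generates a safe prime p = 2q + 1, uses g = 4 (which always has prime order q in that group), has two parties derive the same symmetric key, and rejects a peer value that falls outside the order-q subgroup, the check that stops small-subgroup and trivial-value tricks. The 64-bit group size and all function names are illustrative assumptions; real deployments use standardized groups of 2048 bits or more, or elliptic curves.

```python
"""Toy Diffie-Hellman over a safe prime (added example, not from the show notes).

Assumption: 64-bit parameters for speed of illustration only; never use
groups this small in practice.
"""
from __future__ import annotations

import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # a is a witness of compositeness
    return True


def generate_safe_prime(bits: int = 64) -> int:
    """Find p = 2q + 1 with p and q both prime; then g = 4 has order exactly q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def validate_public_value(y: int, p: int) -> bool:
    """Accept y only if 1 < y < p-1 and y^q == 1 (mod p), i.e. y lies in the order-q subgroup.

    This rejects 0, 1, p-1 (order 2) and anything else an attacker could send to
    force a predictable shared secret.
    """
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keypair(p: int, g: int = 4) -> tuple[int, int]:
    """Return (private exponent, public value g^x mod p)."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 2) + 2            # private exponent in [2, q-1]
    return x, pow(g, x, p)


def shared_key(my_private: int, their_public: int, p: int) -> bytes:
    """Validate the peer's value, then derive a 32-byte key from the shared element."""
    if not validate_public_value(their_public, p):
        raise ValueError("peer public value failed subgroup check")
    z = pow(their_public, my_private, p)
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(z.to_bytes(length, "big")).digest()


def run_exchange(p: int | None = None) -> tuple[bytes, bytes]:
    """Run one exchange; returns (alice_key, bob_key), which must be equal."""
    if p is None:
        p = generate_safe_prime(64)
    a_priv, a_pub = keypair(p)
    b_priv, b_pub = keypair(p)
    return shared_key(a_priv, b_pub, p), shared_key(b_priv, a_pub, p)


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("keys match:", ka == kb, ka.hex())
```

The subgroup check is the part most often left out of homegrown implementations: without it, a peer can send p-1 (order 2) and force the shared secret into one of two values regardless of your private exponent. Hashing the shared group element, rather than using it directly, is the other habit worth keeping.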

Read Dr. Hellman’s latest paper here.

Here are the show notes for Episode 111, the whole show, which also has a version of Dr. Hellman’s interview during the final 10 minutes. Episode 111 is exactly one hour long.

The Zeus banking attacks are multiplying like rabbits, and there are new victims everywhere. Read about a Los Angeles businessman who’s out $50,000, and can’t get recourse from his bank. This story illustrates the state of general ignorance that exists about the Zeus attack (which we suspect is the culprit). The bank says its procedures preclude online theft, and the customer says the bank must have crooked employees. The customer has filed a lawsuit, and each party is pointing its finger at the other.

Meanwhile – adding insult to injury – a new variant of Zeus not only steals money out of the accounts… it carries a hidden message that taunts the anti-virus makers.

And another one – New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered

Alert – Zeus Campaign Targeted Government Departments.

What was Google thinking when it launched Google Buzz, pulling gmail users into the social networking site without their permission, and exposing all the user’s frequent email contacts to public view? It was Google’s attempt to leapfrog Facebook in the social networking arena, creating instant follower and friend lists from people who are already part of the gmail users’ own social networks. This caused an uproar. After four days of online rage from angry gmail users and privacy advocates, Google cried uncle, and apologized for forcing their product on the customers.

This was the first story about Google Buzz. There are probably hundreds more that posted in the next few days.

The TPM (trusted platform module) chip can be hacked. This hack was demonstrated at Black Hat D.C.

Macy’s trash cans full of customers’ personal information. Actually the papers containing the information had been fished out of the dumpster and were being used for a bed by a homeless man.  But don’t worry, Macy’s has started putting lids on the trash bins now.

XP patching problems: some people have experienced total system failure after applying last week’s Microsoft patches. Microsoft reports the problem may have a different source: rootkits already present on some systems. F-Secure offers a free rootkit detection and removal tool called BlackLight.

Question: Do I really want someone with an iPhone taking my credit card info?

New law enforcement tool makes fingerprinting obsolete. Arapahoe County, Colorado is using an iris scanner.
