Archive for the Uncategorized Category

December 7, 2010 – Episode 190

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Uncategorized, Vulnerabilities on December 7, 2010 by datasecurityblog

Episode 190 of The Cyberjungle is 36 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Interview with Marc Maiffret, eEye CTO, on 0days, and a new free 0day detection tool. Read the announcement: eEye Delivers Centralized, End-to-End Vulnerability and Compliance Management Solution. White paper from eEye.

Tales from the Dark Web

The King of Spam gets busted while shopping for custom car accessories at SEMA Las Vegas.

Our Take On This Week’s News

Warrantless tracking of car rentals, credit card sales, and even supermarket club cards: Researcher Christopher Soghoian discovered law enforcement uses something called a “hotwatch order” that allows real-time surveillance of purchases and movement.

Think Hillary Clinton is p.o.’d at Julian Assange? What about this woman, whose chats, emails, photos, and Facebook messages were turned over to New York Magazine, reportedly by Wikileaks. Poor Claire… now friends know she hates their weddings, and her boss knows what she thinks about him. Nice of New York Mag to redact the name of Claire’s boss, but it was kind of a meaningless gesture since they posted a photo of her.

Sheriff’s Department Data Breach could put people at risk. IT staffer posts confidential law enforcement data to an unprotected web server. Poor policy, poor procedures, or both?


From the Expo Floor at RSA – And you thought your computer was buggy…

Posted in Uncategorized on March 2, 2010 by datasecurityblog

If this doesn’t get the point across, we don’t know what would. (They’re real, and they’re spectacular.) Someone in the ESET marketing department deserves a raise and a promotion for this exhibit. To see and hear more serious reports about the RSA Security Conference in San Francisco, see our Conference Notes page. We’ll post new material several times daily. The Conference Notes page also has its own RSS feed, so if you’re interested, you can be notified whenever there’s a new post.

Cybersecurity Act: Is Federal InfoSec License Key To ‘Net Control?

Posted in Uncategorized on August 28, 2009 by datasecurityblog

The Internet is abuzz today with the reports by Declan McCullagh that the newest version of The Cybersecurity Act of 2009 has been getting some edits by Senator Jay Rockefeller (D-WV). Although the full edits have not been released, the reports so far continue to talk about how this bill, if passed, could result in sweeping changes in how IT professionals do their job.

The provision would require the licensing of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision, like many provisions in this bill, are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control. Some have wondered if this is a way to enforce a cyber state of emergency: order licensed professionals to turn over controls to the Feds when an emergency is declared.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

The movement to pass laws to regulate IT security professionals at the state level has passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In Data Security Podcast Episode 48, we talked with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Earlier this year, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What about this bill did Rod Beckström know, and when did he know it? As we reported on the Podcast a few weeks ago, Melissa E. Hathaway, the White House’s Senior Cybersecurity Official, also resigned.

Update: This Week’s Data Security Podcast

Posted in Uncategorized on July 20, 2009 by datasecurityblog

Note to listeners: Although we typically post on Sunday night, this week’s program is again scheduled to be posted on Tuesday.

We are working on the following stories for you: EXCLUSIVE: New tool to fight drive-by downloads. A take on the corporate Twitter attack you have not heard elsewhere.

These stories, and more, coming up on Episode 62 of The Data Security Podcast; 30 minutes every week on data security, privacy, and the law with Ira Victor and Samantha Stone.

Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?

Posted in Uncategorized on April 11, 2009 by datasecurityblog

The Cybersecurity Act of 2009 was just introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). This bill, if passed, could result in sweeping changes in how IT professionals do their job.

There is a provision within this bill that would require the licensure of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

The movement to pass laws to regulate IT security professionals at the state level has passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In the very next episode of the Data Security Podcast (episode 48), we are scheduled to air an interview with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Last month, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What about this bill did Rod Beckström know, and when did he know it?

We will keep following this bill, and this story, on the Data Security Podcast. You can also follow updates that EFF is posting on their blog. Read the Cybersecurity Act of 2009, and a summary of the bill.

Data Security Podcast Episode 34 – Jan 04 2009

Posted in darkweb, eMail Security, Podcast, Uncategorized on January 4, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Is Google logging the keystrokes on your computer? New attack on fingerprint readers. Plus, this week’s data security news.

–> Stream, subscribe or download Episode 34 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

In the Data Security News This Week:

From a Seattle Times article: After 6 months, drivers ignoring cellphone ban

Are drivers ignoring cell phone bans?

Cell Phone Ban, by Theo Moudakis

From TimesOnline: The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

DATA SECURITY PODCAST KUDOS: We have been very hard on government agencies, because many of them are bad at protecting data. Here is an exception to the rule: the Chief Information Security Officer for The State of Michigan, Dan Lohrman.

Tales from The Dark Web: Woman buys fingerprint spoofing tape from counterfeit ID broker

Conversation: Ira talks with Robert Gelb of the AngryHacker.com Blog about desktop keylogging concerns with Google Desktop Search, and possible data hijacking concerns when using Google Docs.

Data Security Podcast Episode 33 – Dec 30 2008

Posted in Breach, darkweb, ediscovery, Exclusive, Podcast, Uncategorized on December 29, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Payroll and card processor data breach – a new trend? Exclusive interview with the developer of an anti-theft and data recovery program for the BlackBerry. Plus, the latest data security news.

–> Stream, subscribe or download Episode 33 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 33:

Integrity Attack on Traffic Enforcement Cameras

From the Data Security News

Traffic Enforcement Cameras: Teen hackers are attacking an integrity vulnerability in traffic enforcement cameras in Maryland, to the detriment of innocent car owners. The teens create a fake license plate, tape it over a real plate, and then drive in a manner that triggers the traffic enforcement cameras.

In a related story, many of these cameras focus on the driver’s side of the car… here is another integrity attack using a right-hand-drive Audi. The owner has placed a Muppet in the left front seat of a right-hand-drive car (see photo above) and has obfuscated the plate number. At least in his case, tickets are not going to other drivers, as they are in the Maryland attack.

The BBC has been covering the exploits of a new generation of teen hackers. These hackers don’t seem to realize that their exploits (both digital and in RL) cause innocent people the loss of life savings. Take a look at this informative BBC News video on how teen hackers are using social media sites.

Tales From The Dark Web: RBS WorldPay Breach Rings Alarm Bells About Acquirer Security, read the details

EXCLUSIVE: Ira talks with Dan Shipper, the Founder of Convenience Software, about their newest anti-theft and data recovery program for the BlackBerry – Get It Back. The application has some interesting and useful features, like using GPS to locate the device, making the device play a message like “This BlackBerry has been stolen,” and the ability to withstand a SIM chip swap. The software still needs some improvement. For example, there is no secured log-on for the web administration control panel. As with all security software: Caveat emptor.
