Archive for the Zero Day Project Category

Nevada InfraGard Event – Presentation Notes

Posted in Conference Coverage, Vulnerabilities, Zero Day Project on January 21, 2010 by datasecurityblog

Ira Victor was a speaker on Threats and Countermeasures at the Sierra Nevada InfraGard event held on January 21st in Reno, Nevada. Here are the notes and links from that talk:

* “Aurora Zero-Day” out-of-band emergency patch scheduled for release today by MSFT

* New MSFT Windows Kernel Zero-Day vulnerability: the 16-bit support hazard impacts many current Windows users. Tip: Win7 64-bit (the most common version of Win7) is not impacted.

* Security Update Available for Shockwave Player (Win and Mac)

* Alternatives to Adobe PDF Reader and Adobe Acrobat:

Reviews of four alternatives to Adobe PDF

More alternatives: For Windows users, CutePDF has free readers and writers

More alternatives: For Linux users, Xpdf is an open source viewer for Portable Document Format (PDF) files.

Show Notes: The CyberJungle Episodes 103 and 102 Jan 12 2010

Posted in Breach, Court Cases, criminal forensics, Exclusive News, Podcast, Show Notes, The CyberJungle, Vulnerabilities, Zero Day Project on January 16, 2010 by datasecurityblog

Two episodes this week: Episode 103 is a podcast version of the live radio program.

Episode 102 is our ‘su root’ podcast, in-depth technical interviews for the more advanced listener.

Overview of this week’s program. More detailed notes and links are provided below under “show notes.”

* Episode 103, the broadcast. Breaking News: Do airport checkpoint whole body scanners have logging and auditing to enforce security and privacy policies? We’re not sure after talking with a representative of one of the companies that makes the machines. It seems the TSA may not have included an audit function in its specifications. And, our guest tells us what happened to the “puffer machine” that would have detected the underwear bomber’s chemical payload on Christmas Day.

We also talked with an attorney from EPIC, the organization that sought and won the TSA specification documents revealing that body scanning machines are indeed capable of retaining and transmitting the naked images of the passengers they scan. This is NOT what TSA told the American public.

* Episode 102 (the su root interviews… requires above-average technology background). Click fraud is running rampant, ripping off internet advertisers. A new, more serious attack not only steals credit for click-through purchases, but hijacks the end user’s computer. This is a must-listen for marketing, security, and legal personnel. Discussion on the live show, with the full interview online.

* Episode 102 (the su root interviews… requires above-average technology background). A new user credential: your cell phone calls you for a voice print… and then lets you into your email or bank account, or authorizes credit card purchases or VPN remote access. Great idea? We have an exclusive audio interview with the co-founder of the company.

–> Listen to This Week’s Show through our Main Site

Show Notes for Episode 103 of the CyberJungle

* Zero-Day Flaw in some versions of the Microsoft Internet Explorer (MSIE) web browser. Microsoft’s TechNet site has posted detailed information about the flaw. If you have not checked your MSIE browser version, do it now. Launch MSIE, find the Help icon (usually the far right menu/icon, depending on the version of MSIE you are running), and select About Internet Explorer. If you are not running MSIE version 8, you need to update your browser. Read more here. Update your browser to MSIE 8 here.

* People around the world are searching the web for the latest updates on the Haiti earthquake. Members of the Dark Web use major events like this to spread their malicious code. Read more on this attack at the WebSense Security site. Ira mentioned the Google Trends site, a site that tracks hot topics on The Web.

* Samantha had a conversation with Ginger McCall, Esq., with the Electronic Privacy Information Center (EPIC). They talked about the DHS airport body scanners, and a Freedom of Information lawsuit by EPIC. Read more at this EPIC-sponsored site.

* Samantha and Ira had a conversation with Brook Miller, VP with Smiths Detection, the makers of “the puffer” machine, and the whole body scanners.

* Samantha had a conversation with Dr. Kerry Nemovicher, Ph.D. about “The Human Firewall” event by InfraGard. This event takes place on Thursday, Jan 21st at Boomtown Casino, in Reno, Nevada. This lunch event runs from 11.15am to 1.15pm. $15 donation when you reserve your ticket by Monday at 9:00am, $20 at the door.

Show Notes for Episode 102 of The CyberJungle, an ‘su root’ program, in-depth technical interviews and analysis

* Ira has a conversation with Dr. Ben Edelman, from the Harvard Business School, about a new type of online advertising “click fraud” that takes over customers’ computers. Read more on Dr. Edelman’s site. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

* Ira has a conversation with Steven Dispensa, CTO and co-founder of PhoneTrust, about voice print authentication. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

Data Security Podcast Episode 87, Dec 28 2009

Posted in Breach, Court Cases, criminal forensics, ediscovery, Exclusive, Podcast, Zero Day Project on December 27, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* One semicolon could expose your web server, and there’s no patch

* World Exclusive Interview: Researcher uncovers an Adobe Flash programming flaw that impacts millions of web users.

* Our take on this week’s news

–> Stream This Week’s Show with our Built-In Flash Player (for higher security, stream through FeedBurner, using the hyperlink below):

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 87 – Use FeedBurner to listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display in chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Award-winning Sunbelt Network Security Inspector, a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive.
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 87 of the Data Security Podcast

* Ira talks with Eugene Dokukin about flaws in the programming of Adobe Flash. Read more on Eugene’s site, including how to change the code in the Adobe Flash files your company creates.

* From Our Take on The News: More people report debit info stolen at gas pumps. Read more here.

Ohio Supreme Court

* From Our Take on The News: The Semicolon Attack: Microsoft IIS Zero-Day Vulnerability. Read more here, including work-arounds.

* From Our Take on The News: Ohio Supreme Court rules on cell-phone search and seizure. Read the opinion here.

Data Security Podcast Episode 68, Sep 01 2009

Posted in Breach, darkweb, Legislation, Podcast, Vulnerabilities, web server security, Zero Day Project on August 30, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* New attacks against business bank accounts… and an earth-shaking recommendation from the banking industry.

* Hackers say they are gearing up for winter attacks, according to a survey of hackers at DefCon 2009.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 68 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com.
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 68 of the Data Security Podcast

* Ira talks with Michael Hamel, Chief Security Architect with Tufin Technologies, about the survey of hackers he crafted for DefCon 2009. We cover: Hackers Take a Break This Summer Before Winter Hacking Spike, and importantly, counter-measures to get prepared.

* Tales From The Dark Web: New attacks against business bank accounts… and an earth-shaking recommendation from the banking industry.

* From the News: WPA WiFi encryption can now be cracked in one minute, according to new research. Terms in the story:

WPA: Wi-Fi Protected Access

WPA-TKIP: WPA with Temporal Key Integrity Protocol for encryption

WPA-AES: WPA with Advanced Encryption Standard for encryption

WPA2: Second Generation WPA encryption

WEP: Wired Equivalent Privacy

Take-Away: WPA-TKIP and WEP are bad, um-kay? WPA-AES and WPA2 are good, um-kay?

* From the News: Federal Web Site Collects Data on Stimulus. We report: Who’s minding the security of the data?

* From the News: Stealth-Laptop Bag

Stealth Laptop Case

Wrap Up Story: Is Federal InfoSec License Key To ‘Net Control?