Archive for Apple

September 19, 2010 – Episode 173

Posted in Breach, Court Cases, criminal forensics, darkweb on September 18, 2010 by datasecurityblog

Episode 173:

This week’s regular episode of The Cyberjungle is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 173 via the flash player:

Interview

Chris Hadnagy of Social-Engineer.org, which organized a social engineering contest at this year’s DefCon conference. The contestants assumed made-up identities and placed phone calls to 15 major American companies. Objective: cajole as much information as possible about company operations out of the employee on the other end of the phone. (The info would be of value to bad guys trying to cook up an attack.) Social-Engineer released its report this week on the results of the exercise. Our interview with Chris starts about 23 minutes into episode 173. The interview is 7 minutes long.

Tales from the Dark Web

If you enjoy the occasional online porn adventure, heed this:  a trojan that monitors what you’re watching, then blackmails you.  “Pay us or we’ll tell the world what you’re watching.”

Ira’s recommendation: Change your computer to dual-boot with Linux as the other operating system. I like LinuxMint, VectorLinux, and (fav) PeppermintIce. These systems are best for web surfing, email, and word processing.

Our Take on This Week’s News

Texting money to politicians: Ready to text your political campaign donations? Politico reports on the legal issues surrounding campaign finance compliance, but it says nothing about the security issues related to sending money via SMS.

Has Google’s HR department ever heard of a psychological profile? Google Engineer Repeatedly Accessed Customer data, Spied on Communications

Is the guy in the next booth packing heat? Before you leave for dinner, check this website, launched last week in response to a new Tennessee law that allows permit holders to carry their firearms into bars and restaurants. The site indicates two categories of dining establishments: those who allow guns and those who don’t.

Facebook alternative apparently has some security holes: What if you could have the convenience of Facebook, but strong privacy and security? That was the idea behind Diaspora. Some college students from NYU came up with the idea,  and posted the project on a web site where people can donate money to support new start-up business ideas. The students thought they needed $10k to build the code. They were written up in a New York Times story, and they raised nearly a quarter million dollars. Well, the very, very first version of the code is out, and the privacy and security experts are weighing in with harsh criticism.

SF law enforcement formula — treat the citizens like criminals: San Francisco mayor has ordered the cops to beef up security at nightclubs in the city, to prevent violence like the recent spate of shootings that included the killing of a German tourist near a comedy club. Cops want more cameras, metal detectors, police patrols paid by club owners, and ID scanners to capture the drivers license info from customers… which will be stored for 15 days.

New tool from Google:  Alerts to let you know if your web site is hijacked. Read more in a blog posting by Kelvin Newman at Site Visibility.

The Ninth Circuit lets the air out of its own ruling: An earlier ruling issued guidelines for law enforcement to follow during searches of computers. The feds said the guidelines were “complicating” prosecutions, so the court overturned itself… sort of. Read this. It’s not trivial.

The cost of free entertainment: Internet services and sites that offer free ring tones, movies, and other entertainment content, have a higher probability of delivering malware to your computer, according to a new report by Mack-ah-fee.

CyberJungle FAQ: Ira Mentioned HauteSecure, but their tool is now throwing errors. He will research alternatives and report back in a future episode of The CyberJungle.

August 15, 2010 – Episodes 162 and 163

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, Show Notes, The CyberJungle, Vulnerabilities, web server security on August 15, 2010 by datasecurityblog

Episode 163 is this week’s full episode of The CyberJungle, posted immediately below. Episode 162 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of an interview with Wayne Huang, who did early research that led to the discovery of the drive-by download. Scroll down to the end of this batch of show notes to find it.

Episode 163:

This week’s regular episode of The Cyberjungle is 1 hour and 19 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 163 via the flash player:

Interview

Wayne Huang is an executive at Armorize, working in Taiwan. His early research led to the discovery of what we now call drive-by downloads. This episode of the Cyberjungle has a 7-minute interview with Wayne, which is a bit more elementary than the 35-minute su root version at the bottom of this set of show notes. The 7-minute interview starts at about 24 minutes into episode 163.

Free Open Source Project to fight drive-by downloads is at Drivesploit.

Tales from the Dark Web

When your patch reminders pop up on your screen automatically, that’s a convenience.  When they arrive by email, that’s a scam.

Our Take on This Week’s News

Is Google buying microdrones like the ones in this video? And if so, what will Google do with them? Seems unclear at this point, but the implications kind of freak us out.

This is about as low as it gets: Cybercriminals pose as American military men — even fallen soldiers — creating fake dating profiles to ensnare women romantically and then ask them for money.

Everyone wants an iPad… we wonder if elected officials are willing to contort financial reality and ignore open meeting law requirements in order to play with an iPad on the taxpayers’ dime. This USA Today report says city councils are buying iPads to save the cost of paper. But they might be buying a whole lot of trouble that will make the paper budget seem trivial.

City of San Francisco’s former network administrator Terry Childs was sentenced to 4 years for locking the city out of its network.  He’s been cooling his heels in jail for two years during the trial, and now it looks like he’ll serve about another 6 months with credit for time served. The San Francisco Weekly had the best summary of the case, and seems to be the only media outlet that truly grasps the moral of the Terry Childs story.

Attention merchants and other businesses relying on credit card purchases: PCI 2.0 is coming in October, and will probably become effective in January. Yes, it will require more of you. Here is the current standard. The new standard will require web application logging, and better accountability and tracking of credit card numbers within the business network.

Apple iPhone patches have been distributed for devices affected by the jailbreakme flaw. Problem is, the patches work selectively. They do not apply to all devices. Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later. Here’s Apple’s report on the flaw. Jay Freeman (Saurik) has made an unofficial patch for one (CVE-2010-1797) of the two vulnerabilities patched by Apple. It’s available for jailbroken devices via Cydia, and will also work on the older devices that have not yet received any updates from Apple, plus new devices if you don’t want to use Apple’s update.

Adobe Flash problems aren’t solved after upgrades.

Cybercriminals are already gearing up for the holidays, creating booby traps for likely Halloween and Thanksgiving search terms.

Did your shrink leave town for a convention this week? If (s)he is attending the San Diego gathering of the American Psychological Association, you might want to text him or her, and warn about the social networking app the convention organizers have made available. Seems the attendee code on the ID badges doubles as the log-in code for the shrink network. Oops… one wrong digit and you can view someone else’s conference registration data.

CyberJungle FAQ

1. From Steve: Our small business is running rather old PCs. Many of them are over 7 years old, and they take forever to boot up. We are on a tight budget. We are seeing refurbished PCs with XP and new PCs with Windows 7; is it worth the extra money to upgrade to Windows 7? Will we get improved security?

A: YES, and your company can purchase refurbished PCs running Windows 7. Get the 64-bit version, and upgrade to Office 2010, for improved security and productivity.

2. From Malik: We are having a lot of problems with our business email server. We are a company with less than 20 employees, but we are spending a lot of money with our IT guy on the server, where the email and our files live. He says we should buy a new server. The one we have is about 5 years old. Should we buy a new server, or should we look at switching to something like gmail?

A: Get a new, smaller file server that runs Windows 2008, or (even better) Linux. Buy business-grade email services from a quality firm that offers hosted Microsoft Exchange, or Open Source Zimbra.

3. Andrew: Our employees want to use their own iPads at work. They want to access work files, do email, take notes, and do other tasks. If they want to buy the iPads on their own, what are the risks to our business?

A: Plenty. Ediscovery and loss of business data are just two. Wait a few months as business-grade alternatives to iPads are released. They are just about to be launched into the market for exactly your situation.

Episode 162 – su root edition:

This is our unedited edition, featuring a longer and more technical conversation with Wayne Huang of Armorize, discussing his early research that led to the discovery of drive-by downloads. The audio file is 35 minutes long.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to su root edition (episode 162) via the flash player:

August 8, 2010 – Episode 160 and 161 from DefCon 18

Posted in Conference Coverage, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security on August 7, 2010 by datasecurityblog

Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of show notes to find it.

Episode 161:

This week’s regular episode of The Cyberjungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 161 via the flash player:

Interview:

Security researcher Craig Hefner offers an alarming discovery about the consumer-grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:

Craig Hefner’s white paper on this attack

Craig Hefner’s DefCon18 presentation slides

Craig Hefner’s proof-of-concept code

Tales from the Dark Web:

Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.

Our Take on This Week’s News:

The National Science Foundation has a porn problem according to Senator Chuck Grassley.  Seems the science guys are passing around porn despite technical measures taken by the agency to block it.  Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000.  So do the math.  This guy makes $290k per year???  WTF!!!

BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?

Apple remote jailbreak flaw. Major Flaw Uncovered in Apple iPhone/iPad/iPod

Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.

We stumbled over the Social Engineering contest at DefCon18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations, and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social Engineering organization here.

The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.

Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column.  The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden.  Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.

Adobe plans emergency patch for critical Reader bug

If we don’t laugh, we’ll probably cry.  For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports.  Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library?  And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities.  Duh.  Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?

Episode 160 – su root edition:

This is our unedited edition, featuring three interviews straight from DefCon 18.  The audio file is 34 minutes long. This is a special DefCon18 edition featuring interviews with David Bryan on building a network to withstand thousands of hackers, and using low-cost equipment and volunteers. He has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information, and has no patch. But, there is a workaround.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to su root edition (episode 160) via the flash player:

July 31, 2010 – Episode 159

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle on August 2, 2010 by datasecurityblog

You can hear episode 159 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 159 is one hour and 9 minutes long.

Interviews

Interview #1 – Jeremiah Grossman, CEO of White Hat Security, discovered an odd security flaw in the Apple Safari browser. Alas, he tried to notify Apple, only to be rebuffed. He posted the story on his blog and decided to go public at Black Hat, and just about the time we finished this interview with him, Apple acknowledged the problem. Fix pending. Hear an overview of Jeremiah’s presentation in Episode 159. It’s 11 minutes long, starting about 12 minutes into the show.

Interview #2 – Mickey Boodaei, CEO of security firm Trusteer, has been hard at work on the banking trojan problem, and they’ve got a product that may help. We discuss it with him in Episode 159. It’s 10 minutes long, starting at 55:00.

Tales from the dark web

Mariposa botnet facilitator arrested. (You may remember that Panda Security was on top of Mariposa months ago, as we reported in this interview from the RSA Security Conference 2010.)

Our take on this week’s news:

Virulent Microsoft link attack affects just about everyone. The prediction is that this one will be big. UPDATE: MICROSOFT ISSUES EMERGENCY PATCH

A really insulting  psychological profile of iPad users. The only thing they left out is that iPad users pull the whiskers off kittens.

Krebs on Security writes about the victims of scareware – they end up buying the stuff, and then they’re embarrassed to go to the police. Good piece.

Banks have long since stopped moving paper checks from one location to another, preferring the economy of scanning. What if someone broke into the digital repository where they store all those pictures of checks?… Someone did.

Think Different: Citibank iPhone Risks Banking Data

Posted in Annoucements, Breach, eMail Security on July 26, 2010 by datasecurityblog

Citibank announced today a major flaw in its iPhone/iPad banking app. The app leaves account information on the device. Why is this bad? Well, iPhone/iPad/iOS does not support whole disc encryption.

At last month’s Gartner Security and Risk Conference in DC, I sat next to a Senior Executive with one of the larger anti-virus companies. According to this executive, the company wants to make and sell a whole disc crypto product, but Apple will not open its API (application program interface) to support whole disc encryption.

Citi iPhone App

Today’s announcement by Citibank about a flaw in their app comes as little surprise. While this particular flaw can be fixed with an update, the fact remains: the foundation is sitting on shifting sands. iOS is first and foremost a consumer media platform. It has a great bright interface, and plays music and videos really well. It has a great eBook reader. But these devices were not and are not built with security and privacy at their foundation.

When you mistype a word, iOS saves it, unencrypted. When you use a map, iOS saves it, unencrypted. When info is “erased,” the platform saves it, unencrypted. For forensic analysis, iOS is a boon to uncovering information that the owner of the device would be shocked to learn can be discovered.

Some will say, “all devices are like this.” Well, that is just not so. The Blackberry platform was built with security in mind, rather than as an afterthought. That’s why the UAE government views the Blackberry as a security threat. Not the iPhone.

I am realistic. Many people are gaga for every device Apple makes. To borrow a phrase: “If Apple took a brick and called it an iPhone you would still want it.” For these people, buying a smartdevice is all about being trendy and the purchase is almost all based upon emotions. I doubt that anything they read about poor security on the iOS will change their behavior.

For others, I suggest “Think Different.” Resist the temptation to use an unprotected consumer device for business. Use your iPhone/iPad as a media device, and use Blackberries (with the Blackberry Enterprise Server) for business use. It looks like the industry will release business-oriented slate devices to compete with the iPad. That may turn out to be smarter for business use.

Until Apple addresses the underlying security issues in the platform, it’s a safe prediction that we will hear other stories about security flaws hurting iOS users.

July 4th, 2010 – Episode 151

Posted in Annoucements, Breach, Court Cases, criminal forensics, ediscovery, Show Notes, The CyberJungle, Vulnerabilities on July 3, 2010 by datasecurityblog

You can hear Episode 151 by clicking on the flash player below, or you can go to our listening options page, and find other ways to receive the show. Episode 151 is one hour and ten minutes long.

Interview Segments:

Interview – Laptop security – it’s part psychology, part technology. Dr. Larry Ponemon from the Ponemon Institute shares his research on laptop theft. The interview is about ten minutes long, and it starts about 54 minutes into the show.

Interview – David Thompson is co-author of Wild West 2.0, a book that explains what’s happening as the wild web matures and becomes civilized. The book takes a historical approach, drawing parallels between the internet and the wild American frontier, and the disruptions to society as “gentrification” occurred — and newbies began to inhabit those spaces.

Event Announcement- Sierra Nevada Infragard

Get smart about smart phone policy in the workplace:

The InfraGard Sierra Nevada Members Alliance is holding its summer meeting on Thursday, July 15, 2010, on the topic of an urgent workplace hazard: Employee-Owned Smartphones—Accessing Workplace Email and Data. A panel of data security and legal experts will cover the technology, human resource, and legal issues related to smartphones in the workplace.

This is a lunch-time event. An $8 donation buys a light lunch and the admission. The location is: The Regional Public Safety Training Center, 5190 Spectrum Boulevard, Room #102A, Reno, Nevada

Pre-registration/RSVP

Our Take on This Week’s News

America is riddled with politically motivated surveillance, or so reports the American Civil Liberties Union. Here’s the ACLU report on police infiltration and monitoring of citizen activity in 33 states and the District of Columbia.

Don’t think about lying in family court… divorce lawyers are finding out the real scoop on facebook.

Best Buy tries to fire employee for satire. The employee had worked three years selling mobile phones for Best Buy. But the company didn’t appreciate it when its mobile phone expert created a video poking fun at the irrational appetite for the iPhone. WARNING: Do not listen to this at work without headphones; potty mouth alert!

Voice mail hacking – an example of an app that allows CallerID spoofing. Anyone can get into many voice mail accounts without a password, and can listen to messages, alter settings, or even create a new voice mail greeting.

Growing risks of advanced attack threats — eighty percent of businesses have been hit.

The government of India has ordered Skype, RIM (Blackberry) and Google to provide a way for its security agencies to intercept messages. Why is this important? Two reasons: 1) we all do business with India in some indirect fashion. Someone you are doing business with is doing business with companies in India. 2) Giving a back door to the Indian government is, in effect, giving it to the world. The companies have 15 days to comply with the order or be banned from doing business in India.

FBI’s Internet Crime Complaint Center (IC3) reports a spam attack that appears to come from one of your friends who is stuck overseas without money or passport.  Needs help.

The accused Russian spies had an interesting bag of tricks that included the use of steganography. That’s the art and science of hiding messages in plain sight, by embedding the information in the text of another document, or in a photo or a piece of art. It’s not just a tool for spies. You, too, can use steganography to protect your privacy.
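To make the “hiding in plain sight” idea concrete, here is an added example (not code from The CyberJungle or from any of the cases mentioned above) of the simplest form of image steganography: least-significant-bit (LSB) embedding. It assumes a cover image represented as a flat buffer of 8-bit greyscale pixels and uses only the Python standard library; the pixel gradient and the message are constructed sample data. Each message bit replaces the lowest bit of one pixel, so no pixel changes by more than 1 and the picture looks unchanged to the eye, which is exactly what makes the technique hard to notice and why analysts look at statistics of the LSB plane rather than at the image itself.

```python
# Added example: LSB steganography on a constructed 8-bit greyscale pixel buffer.
# A 4-byte big-endian length header precedes the message so the reader knows
# how many bytes to pull back out. Not code from the original post.


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bits of `cover`.

    The payload is a 4-byte length header followed by the message; one payload
    bit is written into the low bit of each successive pixel.
    """
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the low bit, then set it
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Recover a message embedded by `embed`, validating the length header."""

    def read(n_bytes: int, bit_offset: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds buffer; not a valid payload")
    return read(length, 32)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel change introduced by embedding (at most 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed sample cover: a smooth 64x64 gradient, 4096 pixels.
SAMPLE_COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
SAMPLE_MESSAGE = b"meet at noon"  # constructed sample message

if __name__ == "__main__":
    stego_image = embed(SAMPLE_COVER, SAMPLE_MESSAGE)
    print(extract(stego_image))                        # b'meet at noon'
    print(max_pixel_delta(SAMPLE_COVER, stego_image))  # 1
```

A real tool would work on the pixel data of a PNG or BMP (lossless formats; JPEG recompression destroys the low bits) and would usually encrypt the message first, since LSB embedding hides the existence of a message but provides no confidentiality on its own.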

June 26, 2010 – Episode 149

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security on June 26, 2010 by datasecurityblog

You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show. Episode 149 is one hour and 15 minutes long.

To listen to Episode 149 via the flash player:

Interviews:

Your employees will use social media whether you like it or not… and our expert says fully 20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used? Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.

In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam. The interview starts 61 minutes into the show.

Tales from the Dark Web

Polymorphic attacks are making the latest drive-by infected web sites mostly invisible to signature-based anti-virus.

Our Take on This Week’s News

iPhone 4 and Motorola Droid X released in the same week. Guess which phone won the hype war? The press coverage of the iPhone release centered on the ecstatic throngs of Apple heads waiting all night on the sidewalk outside the stores. The Android roundup consisted of dry product reviews and analysis of the platform’s future prospects.

Meanwhile smart phone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.

Speaking of phones… congress is holding hearings on cellphone tracking of citizens by government.

Employers are in denial about the sensitive information that lives on the laptops and smart phones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits. The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.

Scotland Yard cuffs teens alleged to be participants in the largest English-speaking cybercrime forum in the world.

Lawyers breach medical records during discovery. Anthem spokesperson says not to worry, the data was only accessible for a short period of time. Thank goodness!

FBI released information about a new approach to banking attacks, combined with a simultaneous denial of service attack on the account holder’s phone lines. Very complicated.

Happy Birthday to George Orwell. His influence cannot be overstated. He would have been 107 years old on June 25, 2010.

June 20, 2010 – Episodes 147 and 146

Posted in Breach, Court Cases, criminal forensics, darkweb, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on June 19, 2010 by datasecurityblog

Episode 147 is this week’s full episode of The CyberJungle. Episode 146 is the su root edition for advanced listeners – too technical for the radio.

Episode 147-

This week’s show is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 147 via the flash player:

Interviews:

David Perry, Global Director of Education for TrendMicro. David just flew back from the international Anti-Phishing Working Group Conference in São Paulo, Brazil. David became really animated when I asked him about details regarding huge cybercrime armies in China. David recommends the Counter-Measures Blog by TrendMicro. This conversation is about 9 minutes long, and starts about 21 minutes into the show. For the full 36-minute interview, which was too long and technical to air on the radio, scroll down to Episode 146.

ALSO – Security software entrepreneur Phil Lieberman, President of Lieberman Software, who has been serving as an adviser to members of the U.S. Senate on the cybersecurity bill… sweeping new legislation that could impact every department in the Federal Government, and data security at the state level. That interview begins about 58 minutes into the show.

Tales from the Dark Web:

A 21-year-old cybercriminal parlayed his talent into a Porsche, expensive watches and £30,000 in gold bullion. He’s been arrested.

Our Take on This Week’s News:

The rush to deploy smart meters: Federal stimulus money can get you high, and it makes decision-makers really stupid. The smart meters are among several advanced systems being deployed before they’re really ready, in terms of their vulnerability to cybercrime. BTW — Kudos to cnet’s Elinor Mills who wrote the article above. Well researched and thorough.

Buy a Chevy Volt – Get a Free Government Surveillance Device! Yes, if you’re one of the first to purchase, you’ll receive a super-fast charger for your garage… and it reports back to big brother on the details of your daily driving.

And if you like reporting to big brother about your driving habits, maybe you should move to the UK, where the cops have stored 7.6 billion images of cars moving through the streets. HMP Britain is an interesting blog that’s posted the response to its FOIA request about the use of the data taken from CCTV — a surveillance method ubiquitous in Britain. HMP stands for “Her Majesty’s Prison” and it’s a prefix in the name of the slammer in every jurisdiction. HMP Nottingham, etc…. The name of the website suggests the entire nation is a prison, according to its proprietor.

Sorry, wrong number:  Another week, AT&T and Apple team up for another giant blunder. Customers who logged onto their AT&T accounts to order the new iPhone 4 were greeted with someone else’s account information. Has anyone at these companies heard of web application security?

Goatse Security published a serious security flaw in the Safari browser that impacts the iPhone/iPad back in March. Apple has still not patched that flaw, and the code is available on the internet for any attacker to see.

The Disgruntled Employee Chronicles, Chapter 359: How many times does this story have to play out before managers begin to realize that when you fire someone, you have to terminate their user name and password? This former employee was creating havoc inside the hospital’s network after he no longer worked there.

A serious flaw in Windows XP – No patch available. Bad guys taking advantage of the situation. Time to upgrade to Win 7 already? (Come on, Tommy Turtle… do it.)  Go here for information about some other measures you can take.

At last! A data breach story with a happy ending!  Department of the Interior lost a CD containing personal data for 7500 federal employees… but wait a minute…. The data was encrypted and password protected.  And the department reviewed its procedures to make sure it doesn’t happen again.  And they disclosed the loss of the disk within 10 days.  And then pigs started flying out the windows of the Department of the Interior building.  (Just kidding.  We salute the Department of the Interior. If only other federal agencies would implement and follow best practices.)

The good folks at EFF offer yet another great privacy and security idea! HTTPS Everywhere. It’s a Firefox plug-in that forces encrypted HTTPS connections to popular search engine and social media sites. It also lets you add rules for other sites you visit frequently. Check it out.

More about the Google StreetView debacle. The roaming hacker cars grabbed user names and passwords, including for email accounts.

Everything Old is New Again. The USB typewriter, for instance.  Cute, but can you imagine hauling it onto an airplane?

Episode 146 – su root Edition:

This is our unedited interview with David Perry, Global Director of Education for TrendMicro. We had a long conversation about iPhone security, web application security, and malware attacks. ALSO — David discusses an army of 300,000 Chinese cybercriminals. The interview is 36 minutes long. Click on the flash player below, or go to our listening options page and browse for other ways to hear the show.

To listen to Episode 146 via the flash player:

June 12, 2010 – Episode 145

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, The CyberJungle, Vulnerabilities, web server security on June 14, 2010 by datasecurityblog

You can hear episode 145 of The CyberJungle by clicking on the Flash player below, or go to our listening options page for other ways to listen. Episode 145 is 69 minutes long.

To listen to Episode 145 via the flash player:

Interview Segments:

We talked with Jason Miller from Shavlik about why some businesses are still playing catch-up from the big Patch Tuesday… and about the Adobe Flash flaw that affects just about everyone on the planet.  Check the patch management site for help. The interview starts about 21 minutes into Episode 145.

We also played an interview from earlier this year with David Shroyer from Bank of America.  This is a short excerpt from a longer conversation about the reaction of the financial services industry to the Zeus banking attacks.  The 7-minute segment we aired today  is about the “money mules” who launder cash for cybercriminals.  The mules are generally suckers who fall for the “work at home in your pajamas and make thousands of dollars with your computer” schemes. This interview starts about 56 minutes into Episode 145.

Tales from the Dark Web:

Visitors to adult sites might encounter some naughtiness that has nothing to do with sex. See the BBC story: ‘Shady’ porn site practices put visitors at risk

Show notes:

AT&T web application flaw combines with Apple business model flaw to allow a major hack of iPad user email addresses.  The story was widely told this week. Here’s one version.  There are a lot more angles to this story than the mainstream press has covered.

British Petroleum is in for an e-discovery gusher once the Gulf oil spill litigation begins.  Court orders for documents will follow, and cost of discovery could top $100 million, according to this post.

Adobe Flash and Adobe PDF attack surge.

FIFA 2010 World Cup is inspiring a wave of malicious spam tailored to soccer fans.  Symantec has a good overview of “Crimes Against Football Fans” here.

Google has hired an independent firm to investigate its Street View “snafu,” in which its photographer’s vehicles snarfed up information from thousands of private wifi networks, violating privacy and perhaps breaking the law.  The report from the company’s own investigators suggests criminal intent.

Prepaid cell phones are the last available communication device that offers privacy and anonymity.  But two U.S. Senators would like to put an end to it.  Schumer (NY) and Cornyn (TX) want to register the ID of phone purchasers and require the carriers to keep the data for 18 months after deactivation.

Google expands location tags – and other popular location services are riddled with bugs, according to this report.

Beverly High School students in Boston will be required to have a laptop next fall. But not just any laptop.  Parents will have to shell out $900 for a MacBook.  School administrators say PCs will be incompatible with the school’s network. What?

Our Tether contest – win wireless access for your BlackBerry

Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143.   You can still enter by sending an email to comments@thecyberjungle.com, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings ->options->about” on your BB.)  We award the prize to the first ten requests of the week.  Our week runs Saturday-through-Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.

BTW — there is a :60 second Tether commercial in these shows. We are running them as a thank-you to Tether for the software keys. We want to acknowledge the people who created some of the components in the spot. The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production. The audio effects in the Tether spot came from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.” All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.
