Episode 203 of The CyberJungle is about 53 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 25:30 mark.
Interviews
Charlie Miller, three-time Pwn2Own “hacking” contest winner, stays home; response by Dragos, founder of CanSecWest. Follow Charlie on Twitter.
Lawsuit accuses Amazon of capturing and sharing customer information without permission by tricking Microsoft Internet Explorer
Google Android in-app malware flap, iPad 2 security, and the BlackBerry PlayBook running Android apps (with better security?). Ira Victor mentioned an interview on PlayBook security in this segment. You may download the segment, or listen to the conversation here:
Proof once again that disgruntled employees are among the most dangerous cybercriminals… Texas man sentenced after breaching former employer’s network and deleting critical business files.
Wrap
OtterBox Cases for slider Smartphones: Samantha and Ira give a new OtterBox the field test
This week’s regular episode of The Cyberjungle is 1 hour and 18 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
School bus surveillance cams - School buses equipped with traffic cams. It’s an experiment in a Maryland school district, where officials say the little darlings are in more danger as they alight from the bus than any other time, although no child in Maryland has ever been hit while alighting from a school bus.
Ten Oreos, two handfuls of Fritos, a pint of Ben and Jerry’s – Are you aware that when you use web tools that let you keep track of your personal behavior, that information could become discoverable in court? (Diet websites come to mind.)
Participants wanted – A new project to monitor BlackBerry traffic as it is sent from various countries. The results will help researchers and users understand what’s happening to the communications as RIM is pressured to cooperate with repressive governments.
More BlackBerry news - The how and why of BlackBerry eavesdropping, and why it might not be what you think.
A new tool for good guys – and bad guys, parents, employers, forensic investigators, and everyone who needs to keep tabs on someone. ElcomSoft tool cracks web browser passwords.
Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of shownotes to find it.
Episode 161:
This week’s regular episode of The Cyberjungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
Interview:
Security researcher Craig Heffner offers an alarming discovery about the consumer-grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:
Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.
Our Take on This Week’s News:
The National Science Foundation has a porn problem according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!
BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?
Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.
We stumbled over the Social Engineering contest at DefCon 18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social-Engineer organization here.
The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.
Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.
If we don’t laugh, we’ll probably cry. For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?
Episode 160 – su root edition:
This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. First, David Bryan on building a network that can withstand thousands of hackers using low-cost equipment and volunteers; he has lessons for anyone building a network today. Then, an interview with Chris Drake of Firehost web hosting on web application security. Finally, the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information and has no patch. But there is a workaround.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
You can hear episode 159 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 159 is one hour and 9 minutes long.
Interviews
Interview #1 – Jeremiah Grossman, CEO of WhiteHat Security, discovered an odd security flaw in the Apple Safari browser. Alas, he tried to notify Apple, only to be rebuffed. He posted the story on his blog and decided to go public at Black Hat, and just about the time we finished this interview with him, Apple acknowledged the problem. Fix pending. Hear an overview of Jeremiah’s presentation in Episode 159. It’s 11 minutes long, starting about 12 minutes into the show.
Interview #2 – Mickey Boodaei, CEO of security firm Trusteer, has been hard at work on the banking trojan problem, and they’ve got a product that may help. We discuss it with him in Episode 159. It’s 10 minutes long, starting at 55:00.
Krebs on Security writes about the victims of scareware – they end up buying the stuff, and then they’re too embarrassed to go to the police. Good piece.
Banks have long since stopped moving paper checks from one location to another, preferring the economy of scanning. What if someone broke into the digital repository where they store all those pictures of checks?… Someone did.
You can hear episode 155 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 155 is one hour and 14 minutes long.
Interviews
Jeff Bryner from pOwnlabs offers a preview of his DefCon presentation, to be given in Las Vegas at the end of the month: “Google Toolbar – The NARC Within,” on how the toolbar spies on you. Jeff’s interview is about 9 minutes long, and it begins 22 minutes into the episode.
Penetration tester David Bryan, speaking for himself (not his company), will also present at DefCon: “Cloud Computing as a Weapon of Mass Destruction.” His interview is just over 9 minutes long and begins at about 54 minutes into the episode.
Our Take on This Week’s News
The state of Utah is investigating the origins of a 29-page list of personally identifying information belonging to more than a thousand people the leakers say are illegal immigrants receiving benefits from the taxpayers. This topic stirred up the immigration issue on the talk shows, but we’re interested in these questions: What was the data access policy — who had access to this data and for what purpose? And should there be a set of guidelines for ethical whistleblowing (if that’s what the leakers were trying to do) where electronically stored information is involved?
Photos taken with certain camera-enabled devices can reveal your location through geotags embedded in the image metadata. Mayhemic Labs scanned a couple of million photo links on Twitter and was able to pinpoint the location of the user in about three percent of them. Then they created icanstlku.com to prove it.
You can hear episode 153 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 153 is one hour and 15 minutes long.
Interviews
Gunter Ollmann from Damballa offers a preview of his Black Hat Briefings presentation, to be given in Las Vegas at the end of the month. “Becoming the Six Million Dollar Man” will discuss how cybercriminals get filthy rich using other people’s computers. Gunter’s interview is about 10 minutes long, and it begins 22 minutes into the episode.
Tony Flick, Principal at Fyrm Associates, and Justin Morehouse, speaking for himself (not his company), discuss what will happen as smart meters “go social.” Smart grid proponents are promoting the idea of networking the smart grid with social networking accounts.
Speaking of the smart grid, this story says Maryland public utilities regulators sent Baltimore’s power company back to the drawing board last month, with a rejection of its smart grid plan. The public objection, as in most cases, was based on cost to ratepayers rather than any security or privacy issues.
Meanwhile, Congresswoman Jane Harman has open, unencrypted WiFi at her home. (P.S. She’s a senior member of the Homeland Security Committee, and Chair of its Intelligence and Terrorism Risk Assessment Subcommittee.)
Automakers are working with Silicon Valley to create the “connected car.”
Game publisher Blizzard announced a Real ID program for the World of Warcraft forums… no more screen names. But the market spoke, and the company withdrew the plan.
Episode 147 is this week’s full episode of The CyberJungle. Episode 146 is the su root edition for advanced listeners – too technical for the radio.
Episode 147:
This week’s show is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
Interviews:
David Perry, Global Director of Education for TrendMicro. David just flew back from the international Anti-Phishing Working Group Conference in São Paulo, Brazil. David became really animated when I asked him for details about the huge cybercrime armies in China. David recommends the Counter-Measures Blog by TrendMicro. This conversation is about 9 minutes long, and starts about 21 minutes into the show. For the full 36-minute interview, which was too long and technical to air on the radio, scroll down to Episode 146.
ALSO – Security software entrepreneur Phil Lieberman, President of Lieberman Software, who has been serving as an adviser to members of the U.S. Senate on the cybersecurity bill: sweeping new legislation that could impact every department in the Federal Government, and data security at the state level. That interview begins about 58 minutes into the show.
Tales from the Dark Web:
A 21-year-old cybercriminal parlayed his talent into a Porsche, expensive watches and £30,000 in gold bullion. He’s been arrested.
Our Take on This Week’s News:
The rush to deploy smart meters: Federal stimulus money can get you high, and it makes decision-makers really stupid. The smart meters are among several advanced systems being deployed before they’re really ready, in terms of their vulnerability to cybercrime. BTW — Kudos to cnet’s Elinor Mills who wrote the article above. Well researched and thorough.
And if you like reporting to big brother about your driving habits, maybe you should move to the UK, where the cops have stored 7.6 billion images of cars moving through the streets. HMP Britain is an interesting blog that’s posted the response to its FOIA request about the use of the data taken from CCTV – a surveillance method ubiquitous in Britain. HMP stands for “Her Majesty’s Prison” and it’s a prefix in the name of the slammer in every jurisdiction. HMP Nottingham, etc…. The name of the website suggests the entire nation is a prison, according to its proprietor.
Sorry, wrong number: Another week, and AT&T and Apple team up for another giant blunder. Customers who logged onto their AT&T accounts to order the new iPhone 4 were greeted with someone else’s account information. Has anyone at these companies heard of web application security?
Goatse Security published a serious security flaw in the Safari browser that affects the iPhone/iPad back in March. Apple has still not patched that flaw, and the code is available on the internet for any attacker to see.
The Disgruntled Employee Chronicles, Chapter 359: How many times does this story have to play out before managers realize that when you fire someone, you have to terminate their user name and password at the same time? This former employee was creating havoc inside the hospital’s network after he no longer worked there.
At last! A data breach story with a happy ending! Department of the Interior lost a CD containing personal data for 7500 federal employees… but wait a minute…. The data was encrypted and password protected. And the department reviewed its procedures to make sure it doesn’t happen again. And they disclosed the loss of the disk within 10 days. And then pigs started flying out the windows of the Department of the Interior building. (Just kidding. We salute the Department of the Interior. If only other federal agencies would implement and follow best practices.)
The good folks at EFF offer yet another great privacy and security idea: HTTPS Everywhere. It’s a Firefox plug-in that forces encrypted HTTPS connections to popular search engine and social media sites. It also lets you add rules for sites you visit frequently. Check it out.
Everything Old is New Again. The USB typewriter, for instance. Cute, but can you imagine hauling it onto an airplane?
Episode 146 – su root Edition:
This is our unedited interview with David Perry, Global Director of Education for TrendMicro. We had a long conversation about iPhone security, web application security, and malware attacks. ALSO — David discusses an army of 300,000 Chinese cybercriminals. The interview is 36 minutes long. Click on the flash player below, or go to our listening options page and browse for other ways to hear the show.
You can hear episode 145 of The CyberJungle by clicking on the Flash player below, or go to our listening options page for other ways to listen. Episode 145 is 69 minutes long.
Interview Segments:
We talked with Jason Miller from Shavlik about why some businesses are still playing catch-up from the big Patch Tuesday… and about the Adobe Flash flaw that affects just about everyone on the planet. Check the patch management site for help. The interview starts about 21 minutes into Episode 145.
We also played an interview from earlier this year with David Shroyer from Bank of America. This is a short excerpt from a longer conversation about the reaction of the financial services industry to the Zeus banking attacks. The 7-minute segment we aired today is about the “money mules” who launder cash for cybercriminals. The mules are generally suckers who fall for the “work at home in your pajamas and make thousands of dollars with your computer” schemes. This interview starts about 56 minutes into Episode 145.
AT&T web application flaw combines with Apple business model flaw to allow a major hack of iPad user email addresses. The story was widely told this week. Here’s one version. There are a lot more angles to this story than the mainstream press has covered.
British Petroleum is in for an e-discovery gusher once the Gulf oil spill litigation begins. Court orders for documents will follow, and cost of discovery could top $100 million, according to this post.
FIFA 2010 World Cup is inspiring a wave of malicious spam tailored to soccer fans. Symantec has a good overview of “Crimes Against Football Fans” here.
Google has hired an independent firm to investigate its Street View “snafu,” in which its camera vehicles snarfed up data from thousands of private WiFi networks, violating privacy and perhaps breaking the law. The report from the company’s own investigators suggests criminal intent.
Prepaid cell phones are the last available communication device that offers privacy and anonymity. But two U.S. Senators would like to put an end to it. Schumer (NY) and Cornyn (TX) want to register the ID of phone purchasers and require the carriers to keep the data for 18 months after deactivation.
Google expands location tags – and other popular location services are riddled with bugs, according to this report.
Beverly High School students in Boston will be required to have a laptop next fall. But not just any laptop. Parents will have to shell out $900 for a MacBook. School administrators say PCs will be incompatible with the school’s network. What?
Our Tether contest – win wireless access for your BlackBerry
Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143. You can still enter by sending an email to comments@thecyberjungle.com and telling us which version of the BlackBerry software you’re running. (Find this by going to “Settings -> Options -> About” on your BB.) We award the prize to the first ten requests of the week. Our week runs Saturday through Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.
BTW — there is a 60-second Tether commercial in these shows. We are running it as a thank-you to Tether for the software keys. We want to acknowledge the people who created some of the components in the spot. The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production. The audio effects in the Tether spot came from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass”… someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.” All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.
We talk with Gary Biller, Executive Director of the National Motorists Association, about an Ohio Supreme Court decision that says law enforcement officers do not need to back up their vehicle speed estimate with reports from a radar reading; eyeballing it is good enough. The Ohio press reports. The interview starts about 20 minutes into Episode 143.
Federal Trade Commission settles with CyberSpy Software, LLC. Settlement requires the company to stop instructing its customers how to send its keylogging product in a stealth email attachment. Also must notify the receiving computer that the software is about to download, and receive consent. This will put a chill on the spying.
Peter Eckersley of the Electronic Frontier Foundation announces the results of his research project called Panopticlick. Bottom line – 94 percent of computers leave a unique fingerprint on websites. The interview starts about 25 minutes into episode 141. Episode 141 is one hour and 12 minutes long. You can listen by clicking on the flash player below, or there are other ways of listening to the show on our “listening options” page.
Chris Pogue tells us about his upcoming presentation at the SANS Forensics and Incident Response Summit in Washington DC. He’s discussing “Sniper Forensics,” a new approach to computer forensics. The interview begins about 55 minutes into episode 141.
Our Take on This Week’s News
Zeus-style banking attack perpetrated on a credit union in Salt Lake City. The bad guys apparently compromised an employee’s desktop computer, and from there were able to get into the bank’s system. $100K disappeared, largely in $5K increments. The credit union president says the attack got past the company’s Norton… Geez.
Remember the Pennsylvania school district that gave its students laptops loaded with tracking software… and then proceeded to collect hundreds of photos of the kids at home, snapped through the laptop cameras? Well, it seems the tracking software on the Lower Merion laptops can be easily hacked. A security company did some research on it, and here’s what they found.