Archive for darkweb

Episode 125 – April 3, 2010

Posted in Breach, Court Cases, darkweb, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , , on April 3, 2010 by datasecurityblog

Interviews, Episode 125:  Big Batches of Patches! Following huge releases on Patch Tuesday from Microsoft, Apple, Sun/Java, Mozilla Firefox, and Mozilla Thunderbird, we talk with patch management expert Jason Miller. He’s Data and Security Team Manager from Shavlik Technologies. Jason’s interview starts about 22 minutes into the program.

We also talked with Randy Sarafan, the Author of 62 Projects to Make With a Dead Computer.  Fun stuff.  Interview starts about 53 minutes into the show. You can download the file from our XML feed, from iTunes, and other sites. See the Listening Options page, or use the flash player below:

Our Take on This Week’s News

CNN presents a glowing story about the success of airport whole body scanners, which have found drugs and other junk in people’s pockets. The TSA plans to roll out 1000 more of the machines.  Meanwhile, the Electronic Privacy Information Center posted this doc, in which the TSA contradicts itself to congress regarding the ability of the machines to store and transmit images. See item # 8, where they claim that the airport scanning machines are not capable of transmitting images, BUT, the images they transmit to remote viewing facilities are encrypted.

A new web service allows businesses to monitor the social networking communications of their employees. Facebook and Twitter users, you should probably just assume that what you post publicly is being monitored by your employer. Employers, you should probably assume that your employees post a lot of stuff that shouldn’t be shared.

Quip app security hole shares private photos. People who used a free service to send naked photos of themselves were exposed. Hey wait a minute… doesn’t the Apple app store performed extensive reviews before they accept a product?

iPad is coming to the office, and we found some security applications for it.  iTeleport: Jaadu VNC is encrypted remote access allows a secure connection between the iPad and a desktop comupter.  ALSO — in PC World, Tom Bradly Reports another option from Array Networks: “One app that is not yet available, but has significant promise for leveraging the iPad to connect with Microsoft Windows systems is Array Networks Desktop Direct.

Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts.

Way cool! Open PDF Links Directly In Google Docs Viewer

Whole Foods Scam on Facebook. Free gift cards worth $500 for the first 12,000 users. Uh-huh.

Cleveland Plain Dealer exposes identity of community leader who posts anonymous comments. Starts debate about privacy versus the public’s right to know. We wonder why just anyone at the newspaper can look at the email registry.

March 20, 2010 – Episode 121

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, eMail Security, Exclusive, Show Notes, web server security with tags , , , , , , , , on March 20, 2010 by datasecurityblog

Episode 121 is 70 minutes long. Our interview segment is a major highlight- not to be missed! Patrick Peterson, Cisco Fellow, explains how modern web attacks work, amd why anti-virus and firewalls are failing. The interview is about ten minutes long, and it starts about 22 minutes into the show. You may go to listening options to download the program or find other options to hear the program; or you may stream the program using the flash player below:

Our Take on This Week’s News:

MySpace user data is offered for sale on InfoChimps.org. This lengthy blog post on ReadWriteWeb contemplates the state of “big data.”  PC world reports it, too.

Annual report from the internet crime complaint center (IC3) was released this week. The FBI’s cybercrime investigation unit – which was launched in 2000 — reports that complaints were up 22 percent in 2009 over 2008… and that the loss from all cases referred was more than half a billion dollars… descriptions of top scams start on page 13 of the report.

Madoff’s computer programmers indicted.

Ponemon Institute study on the level of trust in the banks by commercial customesr. A wakeup call to the banking industry: Get serious about Zeus or you customers will walk.

CanSecWest (Canadian Security conference) starts Wednesday: Microsoft’s Internet Explorer 8 will be easily penetrated in the Pwn2Own hacking challenge.

Plus Chmapion hacker Charlie Miller says he has 20 vulnerabilites to bring down Apple Safari browser on Mac OS X.

Hancock Fabrics – Bad guys swap PIN pads at cashier desks. Here’s a letter from the President and CEO of the stores:

Vodafone distributes Mariposa botnet attack.

Remember the former auto dealership employee who hacked the remote communication system and started disabling customer vehicles?   We interview executives from the company that makes the system,  Pay Technologies.  Jim Kreuger and David Ronisky are the co-founders.

Teen hacks code for Walmart public address system, makes racially charged announcement to customers.

Episodes 113A, 113B, and 112 su root editon: February 21, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, Legislation, Podcast, Show Notes, The CyberJungle, web server security with tags , , , , , , on February 21, 2010 by datasecurityblog

Three episodes, one low price. (Free). We posted the show in three parts this week. Episode 113 A is a 35-minute interview on cell phone tracking, posted separately, so that anyone who wants the cybercrime news can skip straight to Episode 113 B.

The other post is the su root edition for the technically proficient. This week it’s an interview with Ben Jun from Cryptography Research, on developing applications that adapt to sweeping changes in technology. A preview of his RSA presentation. It’s 20 minutes long.

Episode 113 A – cell phone tracking interview

This is an interview segment on the legal and technical issues under review by the federal Third Circuit Court of Appeals regarding tracking of cell phone users. Our guests are Rebecca Gasca of the Nevada ACLU and Dr. Nirmala Shinoy of the Rochester Institute of Technology. This segment is 35 minutes long.

The most informative of the documents is the 2008 court order now being appealed, in which a Western Pennsylvania magistrate denied the government’s request for tracking data without a warrant. It’s 56 pages long, but offers a very comprehensive statutory history of the laws that apply to phone tapping and tracking. Newsweek recaps the issue and covers the appeal. http://www.newsweek.com/id/233916

Episode 113B Cybercrime and Security News

A spike in power grid attacks is predicted in the next 12 months. The Project Grey Goose report claims the number and severity of attacks on the existing grid has been underreported.

Coincidentally, Zues and its variants are more severe and widespread than previously reported. The attack is not just stealing money from commercial bank accounts. It’s settled into more than two thousand entities and 74 thousand computers, stealing intellectual property, credit card numbers email and network credentials, and a wide variety of other information. The good news is, it’s finally hitting the mainstream press. Reported this week in the following publications.

CNET: Zeus on 74k PCs in global botnet. “…Compromises of enterprise networks have reached epidemic levels”

NY Times: Malicious Software Infects Corporate Computers. Attack goes well beyond just bank account info stealing.

Wall St Journal: Broad New Hacking Attack Detected

WaPo: Nearly 2500 companies victim of massive cyberattack

The economics of malware- a new report urges us to look at cybercrime differently. It’s not lone gunmen and geeky teens, it’s an entire economy, with mom and pop shops, street vendors, manufacturers and marketers.

A TV news story that suggests banks are using your social networking pages to glean information about your creditworthiness. A company that mines the sites for data and sells it to the banks says nope… the institutions only use it for marketing, not for lending decisions.

A Houston television station launched an investigation of retail credit card practices at the cash register in Sears and K-Mart. Employees at the store accepted credit cards without checking ID or signatures. The reporters made numerous purchases using cards that didn’t belong to them. The stores will “immediately” begin retraining their employees at more than 2,000 combined stores nationwide in techniques for preventing credit card fraud.

Show Notes: The CyberJungle Episodes 103 and 102 Jan 12 2010

Posted in Breach, Court Cases, criminal forensics, Exclusive News, Podcast, Show Notes, The CyberJungle, Vulnerabilities, Zero Day Project with tags , , , , , , , , on January 16, 2010 by datasecurityblog

Two episodes this week: Episode 103 is a podcast version of the live radio program.

Episode 102 is our ‘su root’ podcast, in-depth technical interviews for the more advanced listener.

Overview of this week’s program.  More detailed notes and links provided below under “show notes.”

*Episode 103 the broadcast- Breaking News:  Do airport checkpoint whole body scanners have logging and auditing to enforce security and privacy policies?  We’re not sure after talking with a representative of one of the companies that makes the machines.  Seems the TSA may not have included an audit function in its specifications.   And, our guest tells us what happened to the “puffer machine” that would have detected the underwear bomber’s chemical payload on Christmas Day.

We also talked with an attorney from EPIC, the organization that sought and won the TSA specification documents revealing that body scanning machines are indeed capable of retaining and transmitting the naked images of the passengers they scan. This is NOT what TSA told the American public.

*Episode 102 (the su root interiews… requires above-average technology background). Click fraud is running rampant… ripping off internet advertisers. A new, more serious attack that not only steals credit for click-through purchases, but hijack’s the end user’s computer. This is a must-listen for marketing, security, and legal personnel. Discussion on the live show, with the full interview online.

*Episode 102 (the su root interviews…requires above-average technology background.) A new user credential – your cell phone calls you for a voice print… and then lets you into your email, bank account, authorizes credit card purchases or VPN remote access. Great idea? We have an exclusive audio interview with the co-founder of the company.

–> Listen This Week’s Show through our Main Site

Show Notes for Episode 103 of the CyberJungle

*ZeroDay Flaw in some versions of Microsoft Internet Explorer (MSIE) web browser.  Microsoft’s TechNet site has posted detailed information about the flaw. If you have not checked your MSIE browser version, do it now. Launch MSIE, find the Help Icon (usually the far right menu/icon, depending on the version of MSIE you are running), and select About Internet Explorer. If you are not running MSIE verson 8, you need to update your browser. Read more here. Update your browser to MSIE 8 here.

* People around the world are searching the web for the latest updates on Haiti earthquake. Members of the Dark Web use major events like this to spread their malicious code. Read more on this attack at the WebSense Security site. Ira mentioned the Google Trends site, a site that tracks hot topics on The Web.

* Samantha had a conversation with Ginger McCall, Esq., with the Electronic Privacy Information Center (EPIC). They talked  about the DHS airport body scanners, and a Freedom of Information lawsuit by EPIC. Read more at this EPIC-sponsored site.

* Samantha and Ira had a conversation Brook Miller, VP with Smiths Detection, the makers of “the puffer” machine, and the whole body scanners.

* Samantha had a conversation with Dr. Kerry Kerry Nemovicher, Ph.D. about “The Human Firewall” event by  InfraGard. This event takes place on Thursday, Jan 21st at Boomtown Casino, in Reno Nevada. This lunch event runs from 11.15am to 1.15pm. $15 donation when you reserve your ticket by Monday at 9:00am, $20 at the door.

Show Notes for Episode 102 of The CyberJungle, an ‘su root’ program, in-depth technical interviews and analysis

*Ira has a conversation with Dr. Ben Edelman, from the Harvard Business School, about a new type of online advertising “click fraud” that takes over customer’s computers. Read more on Dr. Edelman’s site. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

* Ira has a conversation with Steven Dispensa, CTO and co-founder of PhoneTrust, about voice print authentication. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

The CyberJungle Episode 101 – Jan 10 2010

Posted in Annoucements, Breach, Court Cases, darkweb, eMail Security, Legislation, Podcast, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , on January 10, 2010 by datasecurityblog

Security, Your Privacy, and The Law

On this week’s program:

* Houston DA Tweets the names of people arrested for DUI

* WiFi for passive aggressives

* You won’t believe the password to launch nuclear war

–> Stream This Week’s Show with our Built-In Flash Player (for higher security, stream through FeedBurner, using the hyperlink below):

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 101 – Use Feedburner to listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display on chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • Award-winning Sunbelt Network Security Inspector a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive.

Show Notes for Episode 101 of the CyberJungle

* Conversation: Ira and Samantha interview Houston civil rights attorney Randall Kallinen about the Houston Texas-area DA Tweeting the names of those arrested for DUI.

*How Google collects information

*Google Near Me Now application

* Digital piracy hits the book industry

* Mind-reading at the airports

*WiFi for passive aggressive

*Nuclear launch passcodes

*Ransomware – buy back your own files?

*One in ten botnets are engaged in the Zues attack

*Ironkey CEO speaks about the USB crypto flaw

*FTC says FCC needs to consider the dangers of cloud computing

Data Security Podcast Episode 88, Jan 04 2010

Posted in Annoucements, Breach, darkweb, Legislation, Podcast, The CyberJungle with tags , , , , , , , on January 3, 2010 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Bad guys buying services to evade anti-virus

* Special announcement

* Our take on this week’s news

–> Stream This Week’s Show with our Built-In Flash Player (for higher security, stream through FeedBurner, using the hyperlink below):

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 88 – Use Feedburner to listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display on chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Award-winning Sunbelt Network Security Inspector a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 88 of the Data Security Podcast

* Tales From The Dark Web: Bad guys buying services evade anti-virus. Brian Krebs (formerly with The Washington Post) does his usual outstanding work on the topic, from his brand new blog. Read more here.

* From Our Take on The News: Body scanning machines; here’s a story from the UK that dismisses their effectiveness in cases where a guy stuffs a chemical explosive in his underwear. (But they are very effective at revealing the other junk in your underwear.) Read more here.

Meanwhile, Logan International in Boston and the Newark Liberty Airport in New Jersey will both get the body imaging machines. (Both were points of origin for the September 11 attacks.) Read more here from The Star Ledger. And read more here from Boston Globe.

* From Our Take on The News: TSA nominee misled Congress about accessing confidential records. Read more here from The Washington Post.

* From Our Take on The News:  How embarrassing! The Chairman of the FCC sends a facebook spam. Read more here from The New York Times blog.

* Special Announcement:  The Data Security Podcast will go LIVE this week as the nation’s first  call-in talk show on security, privacy and the law. You can listen on a web stream or terrestrial radio every Saturday, starting this Saturday, Jan 9th from 10 a. m. until noon Pacific Time.  Be sure to tune into the web stream of KKOH-780am, here is a link to their site, click on the’ Listen Live’ link on the upper right hand corner.

We are changing the name of the show to The CyberJungle. We will keep this site active, and we will keep the current iTunes site active for a while, as we transition to the new name and site.   We will  continue to post our interviews with security experts. The material that’s too technical for the radio will be posted here.

We want to thank all of you for  the support and feedback for the last 18 months. We are grateful that you chose to spend your time with us. Our sponsors have also been very good to us. If you enjoy the show, please try their products, and please let the know you heard about them from us.

A big thanks also to the management of KOH Radio. They “get it,” and we salute them for understanding that the time is right for this show.

KOH Call-In for The New Show

Data Security Podcast Episode 85, Dec 14 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security with tags , , , , , , , , on December 14, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* New surge in attacks targeting bank accounts

* Data security requires physical security

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 85 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display on chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Award-winning Sunbelt Network Security Inspector a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 85 of the Data Security Podcast

* Ira talks with Marc Weber Tobias  about lock security. Read more at the in.security.org blog site.  The book authored by Marc, mentioned in the segment, Open in Thirty Seconds.

* Tales From The Dark Web:  New surge in bank stealing attacks, via SQL injection.  Read more at The Register.  Part II: Top Cyber Attack Vectors of 2009, as documented by Verizon. Read the report here.

* From Our Take on The News: It’s confirmed Cybercriminals are now hiring hit men just like the real mafia. Read more at LawFuel.com .

* From Our Take on The News:  Bruce Schneier (of Schneier on Security) says he missed this story… and pointed us to the Top Ten Stories You Missed this year, posted by a publication called “Foreign Policy.  Here’s story number 7. How to get an American passport for a fake person..

* The Wrap:  Holiday attacks target Facebook users, read more from PandaLabs .

Data Security Podcast Episode 84, Dec 7 2009

Posted in Breach, Court Cases, criminal forensics, ediscovery, Legislation, Podcast with tags , , on December 7, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Is there is a Russian connection to the “Climategate” attack?

* ‘Take Back Your Privacy’ — A new nation-wide effort ramps up

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 84 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 84 of the Data Security Podcast

* Samantha has a conversation with Leslie Harris, president and CEO of The Center for Democracy and Technology. They are a D.C. group launching a consumer privacy campaign. They want to educate consumers, pressure businesses, and push for a new law. Read more at the “Take Back Our Privacy” area of their site.

* Tales From The Dark Web:  What, if any connection is there between Russian and the “Climategate” attack? Read more in the The UK Daily Mail story. And, Adobe to release critical security patches tomorrow .

* From Our Take on The News: SC police academy IT chief nabbed in Web sting‘Accidental’ Download Sending Man To Prison.

* From Our Take on The News:  Department of Defense misses its own deadline for removing social security numbers from military ID cards. Read about it at Stars and Stripes.

* From Our Take on The News: Sprint received 8 million requests from Law Enforcement for GPS location data. EFF is on the case, but this story has a fascinating origin… and an almost instantaneous rebuttal from Sprint. (Which doesn’t deny the 8 million figure, but attempts to give it some context… The company is, of course, a regulated industry stuck in the middle, between the demands of its customers and the demands of congress, law enforcement and FTC… ). Read more at EFF.

* From Our Take on The News: The economics of security advice; a very interesting MSFT research paper, and a related SANS posting. Read more at The SANS Internet Storm Center.

* The Wrap:  Many More Government Records Compromised in 2009 than Year Ago, Report Claims. Read more at databreaches.net .

Data Security Podcast Episode 82, Nov 24 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Vulnerabilities, web server security with tags , , , , , , on November 23, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* FBI Report: Latest target for the cybercriminal? Law Firms and PR Firms

* Adobe Speaks: special segment with their senior security officers

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 82 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 82 of the Data Security Podcast

Adobe Flash Logo* Ira has a conversation with two security officers at Adobe Systems about the allegations made by web security researcher Mike Bailey of unpatchable “Same Origin Flaws” in Adobe Flash.  Brad Arkin, Director of Product Security and Privacy, and Peleus Uhley, Senior Security Researcher give their take on Mike Bailey’s claims. Here are the links mentioned in the segment:

- Adobe Flash Player security white paper

- Browser Security Handbook, Part 2—Information on the Same-Origin Policy.

Peleus Uhley’s article on creating more secure Flash applications / “Understanding that SWFs are Code”

* Tales From The Dark Web: FBI WARNING: U.S. LAW FIRMS AND PUBLIC RELATIONS FIRMS.  That link is a copy of the FBI posting. The FBI does not contain a permanent link, so it may become hard to find as new stories are posted above this law firm alert.

* From Our Take on The News:  FBI looking at UMC records leak: Agent says ‘multiple federal laws’ might have been violated. Hat tip to the Las Vegas Sun newspaper for the investigative reporting on this story.

* From Our Take on The News:  Symantec exposed passwords, serials numbers;  SQL Injection, full database access, from Romanian security researcher, Unu. Apologies for mis-spelling Unu’s name on the show.

*  From The Wrap:  Read the SANS Internet Storm Center’s reports on IE6 and IE7 web browser 0-Day Flaw, and an Update. No patch available (yet?), but Microsoft has some mitigation suggestions, linked through the Update.

Data Security Podcast Episode 80, Nov 19 2009

Posted in darkweb, Interview Only Edition, Podcast, Vulnerabilities, web server security with tags , , , , , , on November 19, 2009 by datasecurityblog

For Thursday November 19th, and Friday November 20th, we depart from our regular format for those with an advanced understanding of information security technologies.

These two special editions feature technical conversations with newsmakers on new counter measures to fight web drive-by downloads. Part one (this episode) features Pedro Bustamante, Senior Security Researcher with PandaSecurity. Part two will post tomorrow, with an EXCLUSIVE interview with the creators of a new hardware sandbox approach to this vexing security issue.

We will return to our regular format of the latest news on data security, privacy, and the law with Episode 82.  Episode 82 is scheduled to post Sunday night /Monday morning, November 23rd, 2009 at ~12.01am Greenwich Mean Time. That is our regularly scheduled show posting time.

On Episode 80:  InfoSec Conversation with Pedro Bustamante on countering web drive-by downloads.

–> Stream This Special Episode with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 80 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version forFREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 80 of the Data Security Podcast

Ira has an extended, technical conversation with Pedro Bustamante, Senior Security Researcher with PandaSecurity. Ira and Pedro will discuss web drive-by downloads. Here is the link that Pedro mentions in the segment.

Follow

Get every new post delivered to your Inbox.

Join 1,106 other followers