Archive for DefCon

August 1, 2011 – Episode 224

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities on August 1, 2011 by datasecurityblog

Episode 224 of The CyberJungle is about 40 minutes long this week, due to extended preview coverage of BlackHat, SecurityBSides, and DefCon. You can hear it by clicking on the flash player below. The first interview begins at about 17 minutes, and the second interview at about 27 minutes. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 224 via the flash player:

Interviews

Brian Kennish, founder of anti-web-tracking tool maker Disconnect, on tracking the web trackers

Tyler Shields of Veracode, on owning your mobile phone at every layer

Our Take On This Week’s News

The GMail Man – watch the Office365 Official Video

US Appeals Court: OK to check DNA of those arrested, from the Pittsburgh Post-Gazette


Tales From The Dark Web

Three-fourths of all rootkits on decade-old OS, says antivirus firm. Hat tip: Computerworld story by Gregg Keizer

Conference Coverage

The CyberJungle goes to BlackHat, SecurityBSides and DefCon this week. Get the reports in Conference Notes. Send your questions for Tyler Shields of Veracode via The CyberJungle Contact Form.

July 25, 2011 – Episode 223

Posted in Court Cases, darkweb, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities, web server security on July 25, 2011 by datasecurityblog

Episode 223 of The CyberJungle is about 31 minutes long. You may hear it by clicking on the flash player below. The interview begins at about 15 minutes. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show, including a direct link to our audio feeds.

To listen to Episode 223 via the flash player:

Interviews

Imperva CTO Amichai Shulman on the web app attack preso you won’t see at BlackHat Las Vegas. As a part of their ongoing Hacker Intelligence Initiative, Imperva has compiled a Web Application Attack Report (WAAR) that gives new insight into attacks against the top 30 web applications, based on more than 10 million individual attacks over the last 6 months. WAAR outlines the frequency, type and geographic origin of each attack. Surprisingly, a little-known type of attack has become very common. Blog.Imperva.com was the link mentioned in the segment.

Our Take On This Week’s News

The CyberJungle Radio’s take on this Las Vegas Review Journal news story: Providing Wi-Fi as a perk has a price for businesses

Mac battery cyberflaw exposes explosive risk?

Wrap

No Soup For You! No over-the-air updates for jailbroken iOS 5 powered devices, according to the ZDNet posting.


Conference Coverage

The CyberJungle goes to BlackHat Las Vegas and DefCon 19 this week. Get the reports in Conference Notes starting the middle of next week.

September 19, 2010 – Episode 173

Posted in Breach, Court Cases, criminal forensics, darkweb on September 18, 2010 by datasecurityblog

Episode 173:

This week’s regular episode of The CyberJungle is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 173 via the flash player:

Interview

Chris Hadnagy from Social-Engineer.org, which organized a social engineering contest at this year’s DefCon conference. The contestants assumed made-up identities and placed phone calls to 15 major American companies. Objective: cajole as much information as possible about company operations out of the employee on the other end of the phone. (The info would be of value to bad guys trying to cook up an attack.) Social-Engineer released its report this week on the results of the exercise. Our interview with Chris starts about 23 minutes into episode 173. The interview is 7 minutes long.

Tales from the Dark Web

If you enjoy the occasional online porn adventure, heed this: a trojan that monitors what you’re watching, then blackmails you. “Pay us or we’ll tell the world what you’re watching.”

Ira’s recommendation: Change your computer to dual-boot with Linux as the other operating system. I like LinuxMint, VectorLinux, and (fav) PeppermintIce. These systems are best for web surfing, email, and word processing.

Our Take on This Week’s News

Texting money to politicians: Ready to text your political campaign donations? Politico reports on the legal issues surrounding campaign finance compliance, but says nothing about the security issues related to sending money via SMS.

Has Google’s HR department ever heard of a psychological profile? Google Engineer Repeatedly Accessed Customer data, Spied on Communications

Is the guy in the next booth packing heat? Before you leave for dinner, check this website, launched last week in response to a new Tennessee law that allows permit holders to carry their firearms into bars and restaurants. The site indicates two categories of dining establishments: those that allow guns and those that don’t.

Facebook alternative apparently has some security holes: What if you could have the convenience of Facebook, but strong privacy and security? That was the idea behind Diaspora. Some college students from NYU came up with the idea and posted the project on a web site where people can donate money to support new start-up business ideas. The students thought they needed $10k to build the code. They were written up in a New York Times story, and they raised nearly a quarter million dollars. Well, the very, very first version of the code is out, and the privacy and security experts are weighing in with harsh criticism.

SF law enforcement formula: treat the citizens like criminals. San Francisco’s mayor has ordered the cops to beef up security at nightclubs in the city, to prevent violence like the recent spate of shootings that included the killing of a German tourist near a comedy club. Cops want more cameras, metal detectors, police patrols paid for by club owners, and ID scanners to capture the driver’s license info from customers… which will be stored for 15 days.

New tool from Google: alerts to let you know if your web site is hijacked. Read more in a blog posting by Kelvin Newman at Site Visibility.

The Ninth Circuit lets the air out of its own ruling: An earlier ruling issued guidelines for law enforcement to follow during searches of computers. The feds said the guidelines were “complicating” prosecutions, so the court overturned itself… sort of. Read this. It’s not trivial.

The cost of free entertainment: Internet services and sites that offer free ring tones, movies, and other entertainment content have a higher probability of delivering malware to your computer, according to a new report by Mack-ah-fee.

CyberJungle FAQ: Ira mentioned HauteSecure, but their tool is now throwing errors. He will research alternatives and report back in a future episode of The CyberJungle.

August 8, 2010 – Episodes 160 and 161 from DefCon 18

Posted in Conference Coverage, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security on August 7, 2010 by datasecurityblog

Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of show notes to find it.

Episode 161:

This week’s regular episode of The CyberJungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 161 via the flash player:

Interview:

Security researcher Craig Heffner offers an alarming discovery about the consumer-grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:

Craig Heffner’s white paper on this attack

Craig Heffner’s DefCon 18 presentation slides

Craig Heffner’s proof-of-concept code

Tales from the Dark Web:

Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber, on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc. Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.

Our Take on This Week’s News:

The National Science Foundation has a porn problem, according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!

BlackBerry ban – RIM coming to agreement with Middle Eastern and Asian nations on eavesdropping. The question that we are still researching: What about a foreigner who uses BES in one of these nations? Is the traffic routed to one of the local RIM servers, or back to Canada?

Apple remote jailbreak flaw: Major flaw uncovered in Apple iPhone/iPad/iPod

Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.

We stumbled over the Social Engineering contest at DefCon 18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations and charmed employees into revealing a wide range of information about company operations, everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social-Engineer organization here.

The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.

Speaking of physical security: a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up (we’re not sure how) on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.

Adobe plans emergency patch for critical Reader bug

If we don’t laugh, we’ll probably cry. For laughs: a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep: the feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?

Episode 160 – su root edition:

This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. This special DefCon 18 edition features an interview with David Bryan on building a network to withstand thousands of hackers using low-cost equipment and volunteers; he has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally, the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information and has no patch. But there is a workaround.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to the su root edition (episode 160) via the flash player:

Episode 157 – July 25, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities on July 24, 2010 by datasecurityblog

You can hear episode 157 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 157 is one hour and 10 minutes long.

Interviews

Dr. Charlie Miller, Principal Analyst for Independent Security Evaluators, offers a preview of his DefCon presentation about cyberwarfare to be given in Las Vegas at the end of the month: “Kim Jong-il and Me.” (Yes, he’s that Charlie Miller.) Charlie says he really didn’t feel qualified to address the topic of cyberwarfare when he was first asked, but then decided to treat the request as an opportunity to play a game in which he pretended he was approached by a rogue government for the purpose of building a cyberarmy. What would it take? Hear Charlie’s interview about 23 minutes into episode 157.

Retraction

The CyberJungle mistakenly reported that it is not possible to turn off an Apple iPad and iPhone feature that reports the owner’s location to the Big A twice daily. We oversimplified this story and we got it wrong. We have been informed by our favorite Apple connoisseurs that it is possible to turn the feature off. We apologize for the misinformation. We have removed the segment from the podcast, so it won’t be heard again, and we will note in next week’s radio show that we were incorrect.

Tales from the Dark Web

If you’re using Microsoft Windows, this attack is aimed at you. (Raise your hand if you aren’t using Microsoft Windows.) Here is the MSFT advisory on the Microsoft shortcut (link file) attacks. Here is an explanation of the attack and a video demo from Sophos.

Our Take on This Week’s News

A consumer survey that measured, for the first time, customer satisfaction with social media sites reports that (are you sitting down?) people hate Facebook. It scored lower than the airlines and the cable companies, and even lower than the IRS.

A watchdog organization reports that White House emails show more extensive improper contact with Google. The National Law and Policy Center posts links to its letter to the House Committee on Oversight and Government Reform, asking for an investigation of the relationship between Google and its former lobbyist who now occupies the top advisory position to President Obama on internet policy. There are also links to some of the emails, which seem to support the conclusion that Deputy Chief Technology Officer Andrew McLaughlin is helping to stack the policy deck in Google’s favor on a number of issues.

And while we’re at it, was Google providing intelligence data to the federal government as part of its Street View WiFi program?

This should freak you out. A woman found a webcam hidden inside a copy of Chicken Soup for the Soul, which was on a bookcase in her bedroom, pointed directly at her bed. We found a source for these cameras, which are supposed to be a security tool, for less than 50 bucks.

Get comfy on the patio with a cold brew and read this great story about a fake infosec chick who persuaded her social networking pals (mostly guys who know secrets related to national security) to forget themselves and reveal a lot of stuff they aren’t supposed to give up. To anyone. The girl, Robin Sage, was named after a military training exercise, which was just one of many clues that “screamed fake,” according to her creator, a security researcher whose ruse has demonstrated something we all knew: only James Bond can flirt with an exotic hottie and not get burned.

GM suffers theft of hybrid technology worth an estimated $40 million. An insider stole the information using a portable USB drive. The data was allegedly sold to at least one Chinese auto maker, Chery.

Major zero-day flaw in Apple’s Safari browser discovered; Apple ignored the warnings, so a well-known researcher goes public.

Some Dell replacement motherboards come pre-loaded with malware.

July 18, 2010 – Episode 155

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, Legislation, The CyberJungle, Vulnerabilities on July 17, 2010 by datasecurityblog

You can hear episode 155 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 155 is one hour and 14 minutes long.

Interviews

Jeff Bryner from pOwnlabs offers a preview of his DefCon presentation to be given in Las Vegas at the end of the month: “Google Toolbar – The NARC Within,” on how the toolbar spies on you. Jeff’s interview is about 9 minutes long, and it begins 22 minutes into the episode.

Penetration tester David Bryan, speaking for himself (not his company), will also present at DefCon: “Cloud Computing as a Weapon of Mass Destruction.” His interview is just over 9 minutes long and begins at about 54 minutes into the episode.

Our Take on This Week’s News

The state of Utah is investigating the origins of a 29-page list of personally identifying information belonging to more than a thousand people the leakers say are illegal immigrants receiving benefits from the taxpayers. This topic stirred up the immigration issue on the talk shows, but we’re interested in these questions: What was the data access policy? Who had access to this data, and for what purpose? And should there be a set of guidelines for ethical whistleblowing (if that’s what the leakers were trying to do) where electronically stored information is involved?

The Bureau of Motor Vehicles in the state of Ohio is selling personal information about its licensed drivers. For some reason, the primary beef is that the state isn’t making enough money selling the identities of its citizens.

NSA whistleblower facing 35 years in prison

Bank account takeover attack now mimicking credit card SecureCode systems

New zero-day attack using USB drives. There is a Microsoft advisory for dealing with it.

Bluetooth is making it easier for cybercriminals to steal debit card numbers at the gas pump.

Google gets a patent on technology that monitors your mouse movements in relation to search results. And Google is becoming quite an established presence on Capitol Hill.

Photos taken with certain camera-enabled devices can reveal your location via geotags attached to the metadata. Mayhemic Labs scanned a couple of million photo links on Twitter and was able to pinpoint the location of the user in about three percent of them. Then they created icanstalku.com to prove it.

Chinese Cyber Army presentation pulled at BlackHat under pressure from Taiwan.

July 11, 2010 – Episode 153

Posted in Breach, Court Cases, criminal forensics, ediscovery, Show Notes, Vulnerabilities on July 10, 2010 by datasecurityblog

You can hear episode 153 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 153 is one hour and 15 minutes long.

Interviews

Gunter Ollmann from Damballa offers a preview of his Black Hat Briefings presentation to be given in Las Vegas at the end of the month. “Becoming the Six Million Dollar Man” will discuss how cybercriminals get filthy rich using other people’s computers. Gunter’s interview is about 10 minutes long, and it begins 22 minutes into the episode.

Tony Flick, Principal at Fyrm Associates, and Justin Morehouse, speaking for himself (not his company), discuss what will happen as smart meters “go social.” Smart grid proponents are promoting the idea of networking the smart grid with social networking accounts.

Speaking of the smart grid, this story says Maryland public utilities regulators sent Baltimore’s power company back to the drawing board last month with a rejection of its smart grid plan. The public objection, as in most cases, was based on cost to ratepayers rather than any security or privacy issues.

Our take on this week’s news

Top story – soldier charged with theft of secret DOD files

Meanwhile, Congresswoman Jane Harman has open, unencrypted WiFi at her home. (P.S. she’s a senior member of the Homeland Security Committee, and Chair of its Intelligence and Terrorism Risk Assessment Subcommittee.)

Automakers working with Silicon Valley to create the “connected car”

NSA Perfect Citizen: Big Brother has arrived.

Swiss Bank security guy steals customer data… offers it to tax authorities.

Survey: ex-employees and IT staff are snooping on business

Game publisher Blizzard announces a Real ID program for the World of Warcraft forums: no more screen names. But the market spoke, and the company withdrew the plan.

Airport body scanners will be the primary security check at U.S. airports.
