July 18, 2010- Episode 155

You can hear episode 155 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 155 is one hour and 14 minutes long.

Interviews

Jeff Bryner from pOwnlabs offers a preview of his DefCon presentation to be given in Las Vegas at the end of the month.  “Google Toolbar – The NARC Within” — how the tool bar spies on you. Jeff”s  interview is about 9 minutes long, and it begins 22 minutes into the episode.

Penetration Tester David Bryan, speaking for himself, (not his company,) will also present at DefCon –  “Cloud Computing as a Weapon of Mass Destruction.” His interview is just over 9 minutes long and begins at about 54 minutes into the episode.

Our Take on This Week’s News

The state of Utah is investigating the origins of a 29-page list of personally identifying information belonging to more than a thousand people the leakers say are illegal immigrants receiving benefits from the taxpayers.  This topic stirred up the immigration issue on the talk shows, but we’re interested in these questions:  What was the data access policy — who had access to this data and for what purpose? And should there be a set of guidelines for ethical whistleblowing (if that’s what the leakers were trying to do) where electronically stored information is involved?

The Bureau of Motor Vehicles in the state of Ohio is selling personal information about its licensed drivers.  For some reason, the primary beef is that the state isn’t making enough money selling the identities of its citizens.

NSA whistleblower facing 35 years in prison

Bank Account Takeover Attack Now Mimicking Credit Card SecureCode Systems

New  zero day Attack using USB drives. There is a Microsoft advisory for dealing with it.

Bluetooth is making it easier for cybercriminals to steal debit card numbers at the gas pump.

Google get patent on technology that monitors on your mouse movements as it relates to search results. And Google is becoming quite an established presence on Capitol Hill.

Photos taken with certain camera-enabled devices can reveal you location with geotags attached to the metadata.  Mayhemic Labs has scanned a couple of million photo links on Twitter, and was able to pinpoint location of the user in about three percent of them.  Then they created icanstlku.com to prove it.

Chinese Cyber Army presentation pulled at BlackHat under pressure from Taiwan.

July 11, 2010 – Episode 153

You can hear episode 153 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 153 is one hour and 15 minutes long.

Interviews

Gunter Ollman from Damballa offers a preview of his Black Hat Briefings presentation to be given in Las Vegas at the end of the month.  “Becoming the Six Million Dollar Man” will discuss how cybercriminals get filthy rich using other people’s computers. Gunter’s interview is about 10 minutes long, and it begins 22 minutes into the episode.

Tony Flick, Principal at Fyrm Associates and Justin Morehouse, speaking for himself, (not his company,) discuss what will happen as the smart meters “goes social.”  Smart grid proponents are promoting the idea of networking the smart grid with social networking accounts

Speaking of the smart grid, this story says Maryland public utilities regulators sent Baltimore’s power company back to the drawing board last month, with a rejection of its smart grid plan.  The public objection, as in most cases, was based on cost to ratepayers rather than any security or privacy issues.

Our take on this week’s news

Top story -  soldier charged with theft of secret DOD files

Meanwhile, Congresswoman Jane Harmon has open, unencrypted WiFi at her home. (p.s. she’s a senior member of the Homeland Security Committee, and Chair of its Intelligence and Terrorism Risk Assessment Subcommittee)

Automakers working with silicon valley to create “connected car”

NSA Perfect Citizen – Big Brother has arrived.

Swiss Bank security guy steals customer data… offers it to tax authorities.

Survey- ex employees and IT staff are snooping on business

Game publisher Blizzard announces a real ID program for World of Warcraft forum…. No more screen names. But the market spoke, and the company withdrew the plan.

Airport body scanners will be the primary security check at U.S. airports.

Data Security Podcast Episode 79, Nov 16 2009

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* The odds of unknowingly logging onto an ‘evil twin’ of your online banking site is increasing due to new broadband hazards.

* A revised Google Book Settlement was submitted to the courts . It doesn’t address privacy at all.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 79 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 79 of the Data Security Podcast

* Program note about this week’s Conversation:  Ira will have an extended, technical conversation with Pedro Bustamante, Senior Security Researcher with PandaSecurity.  Ira and Pedro will discuss web drive-by downloads and other security issues in a special interview segment that will appear in a separate posting later this week. You can listen to the segment by streaming on this site, on iTunes, or other RSS feeds you use to listen to the Data Security Podcast.

* Tales From The Dark Web: What if you typed in your bank’s web address, but unknown to you, you were taken to an evil twin of your bank, controlled by cyber criminals? Well, the odds of that happening is increasing, due to Domain Name System (DNS)  issues in a significant number of broadband modems and routers.  Many other attacks can use these DNS flaws. Hat tip to the coverage by Robert McMillan of the IDG News Service.

* From Our Take on The News:  Airport security in Saint Louis hassled one guy for half an hour, because he was carrying $4,700 in a cash box, which he placed on the x-ray conveyor belt and subjected to TSA scrutiny, as is required for all carry-on cargo. The money was connected with his (legal) job with Campaign for Liberty. The guy recorded the abusive inquisition on his iPhone. The ACLU sued the TSA. Now the airport security rules have changed. Read the coverage in The Washington Times.

* From Our Take on The News:  A flaw in Adobe Flash has a huge impact on web usage, especially those businesses that use Google Gmail/Google Apps/PHP Discussions, and sites the scores of sites that allow the upload of information to the site.  Mike Bailey, an expert on web application security, has an excellent infosec write up at the Foreground Security blog.  Faster read in Computerworld.

*  From The Wrap:  Revised Google Book Settlement was submitted to the court late Friday night. It doesn’t address privacy at all, even after EFF and other parties submitted a legal brief outlining legitimate fears that Google can track, and is likely to share individual book search information with law enforcement and anyone else who issues a subpoena. Google will retain book-search details, right down to page number and how long you lingered there, for every book you search. Read this account of the revised settlement.

Data Security Podcast Episode 73, Oct 11 2009

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Major patching in store this week, due in part to flaws revealed this summer in Las Vegas?

* A fresh look at a Zeus banking attack counter-measure

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 73 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 73 of the Data Security Podcast

* Conversation:  Ira takes a new look at a counter-measure for the latest wave of Zeus banking attacks in his conversation with Steven Dispensa, CTO of PhoneFactor.

* Tales From The Dark Web: It’s like clockwork…two months after security events BlackHat and Defcon every summer in Las Vegas, we see a surge in patches for attacks that were highlighted at these events.  Microsoft Security Bulletin Advance Notification for October 13th 2009. Security Advisory for Adobe Reader and Acrobat for October 13th 2009, including the CVE number.

* From Our Take on The News:  Danger Will Robinson! Danger!  Update on Danger’s Sidekick Massive Data Loss.  Read the FAQ for tips on trying to salvage your data.

* From Our Take on The News:  Computer Network Denial Of Service Denial

* From Our Take on The News: Twitter shuts down legit security researcher, Mikko Hypponen.  Reports from his blog here, and an update here.

Twitter Shuts Legit Down Security Researcher's Account

Data Security Podcast Episode 68, Sep 01 2009

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* New attacks against business bank accounts…. an earth-shaking recommendation from the banking industry.

* Hackers say they are gearing up for winter attacks – according to a survey of hackers at DefCon 2009.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 68 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 68 of the Data Security Podcast

*  Ira talks with Michael Hamel, Chief Security Architect, with Tufin Technologies, about the survey of hackers he crafted for DefCon 2009. We cover:  Hackers Take a Break This Summer Before Winter Hacking Spike, and importantly, counter-measures to get prepared.

* Tales From The Dark Web: New attacks against business bank accounts…. an earth-shaking recommendation from the banking industry.

* From the News:   WPA WiFi encryption can now be cracked in one minute, according to new research.  Terms in the story:

WPA:  Wi-Fi Protected Access

WPA -TKIP: WPA with Temporal Key Integrity Protocol for encryption

WPA-AES:  WPA with Advanced Encryption Standard for encryption

WPA2:  Second Generation WPA encryption

WEP:  Wired Equivalent Privacy

Take-Away: WPA-TKIP and WEP is bad, um-kay? WPA-AES and WPA2 is good, um-kay?

* From the News:  Federal Web Site Collects Data on Stimulus. We report: Whose minding the security of the data?

* From the News:  Stealth-Laptop Bag

Stealth Laptop Case

Wrap Up Story:    Is Federal InfoSec License Key To ‘Net Control?

Data Security Podcast Episode 65 – Aug 9 2009

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* More DefCon17 Coverage: How safe are Cloud Computing applications?

* Melissa Hathaway is leaving her White House job as top cyber security official, why is the main stream press not spending time on this story?

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 65 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 64 of the Data Security Podcast

* Tales From The Dark Web: Ira and Samantha talk with the team from Sensepost about Cloud Computing Security

*From the News: The site we mention that was able to successfully repel the attacks last week against Twitter/Facebook/LiveJournal: Fotik

* From the News:  A 20 year old man attacks the communication system of the Chicago Transit Authority, and the Chicago Loop.  And here’s the announcement about the federal homeland security grant to CTA for bomb-sniffing dogs and other physical security measures.  Wow… think transportation officials might have their eye on the wrong ball?

The Chicago Loop

Data Security Podcast – Special DefCon Coverage

The Data Security Podcast went to DefCon this past weekend. DefCon is the world’s largest hacker conference.  We have team coverage in Episode 64, scheduled to post in the next 24 hours.  Coverage will include:

-> Can you really trust an SSL Encryption Certificate?

-> Is YOUR web site on the list vulnerable to common cross site attack?

-> Is YOUR tax return sitting out there on the Internet, readable with zero hacking skills?

-> Breaching the new “personal WiFi” hot spots, is it child’s play?

All this, and more, on the next Data Security Podcast with Ira Victor and Samantha Stone

Data Security Podcast Episode 63 – July 27 2009

30 minutes each week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* iPhone Security. Is that an oxymoron?

* Google Chrome Browser uses sandboxing for security.  We talk to a security engineer that says his firm has built a better sandbox.

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 30 minutes.

–> Stream, subscribe or download Episode 63 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 63 of the Data Security Podcast

* Conversation: Ira talks with Matt Hite, an engineer with Check Point security, about sandbox security software,  and how they are trying to leapfrog the sandbox security software included in Google’s Chrome Browser.

* Tales From The Dark Web:  iPhone Security. Is that an oxymoron? Take a look at this video by Jonathan Zdziarksi from the extensive write-up in at Wired.

* Tales From The Dark Web: Finjan’s Malicious Code Research Center (MCRC) has detected yet another case of a 0-day attack “in the wild”. This time, hackers are exploiting a vulnerability (CVE-2009-1862) in Adobe Acrobat/Reader and Flash player. By exploiting this vulnerability, the hackers can download and execute malicious code on the victim’s PC. Patch due from Adobe on July 31, 2009. Get ready now to roll out the patch(es).

* From the News: Advance notification by Microsoft for emergency patches for release tomorrow, July 28th, 2009. Get ready now to roll out the patch(es).

* From the News:  Exposed: Repair Shops Hack Your Laptops.

* Wrap: Ira will be traveling to DefCon, the World’s Largest Hacker Event, this weekend. DefCon is held in Las Vegas, Nevada. Ira will be tweeting from the show, you can follow his comments at his Twitter site, http://twitter.iravictor.net . If you plan to attend DefCon, follow his tweets,  find him, and say hello.

* Correction:  When Ira spoke about iPhone security, he did not credit Jonathan Zdziarski for the comments about screen captures and keylogging. We apologize for the mistake.

Data Security Podcast Episode 61 – July 14 2009

30 minutes each week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* A double whammy…. two critical zero day attacks hit users of Microsoft products.

* A non-profit security group has a plan to fight web drive-by downloads.

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:

This week’s show is 28.5 minutes

–> Stream, subscribe or download Episode 61 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 61 of the Data Security Podcast

* Conversation:  StopBadware.org is a non-profit security group with a plan to fight web drive-by downloads. We spoke with Maxim Weinstein, the Executive director of the project. They will help you if your site is blacklisted, and they are looking for help from the security community in uncovering and fighting web drive-by downloads.

* Tales From The Dark Web: Two Zero Day Attacks in the news this week-

ActiveX  Video Flaw.  Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution. Option 1, apply the work around in the Microsoft Advisory, or upgrade all systems to Microsoft Internet Explorer 8. This Zero Day impacts users of Windows XP and Windows 2003 running IE6 or IE7. UPDATE: Microsoft’s “patch tuesday” (monthly patch cycle by Microsoft) includes a fix for this issue

Microsoft Office. Read the detailed SANS Internet Storm Center Alert: Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution.  There is a long list of Windows products impacted by this flaw. Be sure to go through the Microsoft Advisory.

* From The News: Does Google Know Too Much About You?  Read the details in Ian Paul’s story in PCWorld.

* From The News: Point; at Foxnews: Wireless Cybercriminals Target Clueless Vacationers.  Counter Point;  Summer Time, and Wireless Fear Mongering Is in the Air by Glenn Fleishman at WifiNetNews.

A non-profit security group has a plan to fight web drive-by downloads. That’s in our interview segment later in the show.

Data Security Podcast Episode 55 – June 01 2009

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program – Polymorphic drive-by download attack targets tens of thousands of legit business and government web sites. SSL can be used for good or evil, find out how to tell the difference. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Dan Proch, with Netronome about SSL security. Secure Socket Layer can be used for good or evil. We talk about how to detect the difference. Learn more with white papers and webinars by Netronome.

–> Tales From The Dark Web: Polymorphic drive-by download attack targets the visitors of tens of thousands of legit business and government web sites. The attack is slipping past AV, and exploits desktop vulnerabilities. Read more about it in the Websense blog posting, and a article at TheRegister.com .

–> From The News: Dutch Researchers expose potential vulnerabilities in NXP MIFARE RFID Smart Cards. Billions of these cards are in use for transit fares and building access control. Here is an excellent proof of concept video of how to attack these systems:

–> From The News:  Read  Maribel Lopez detailed report comparing the security of Blackberry, iPhone and Windows Mobile .

–> From The News: The White House is planning major cyber security intervention. Here is official video on the topic from the White House: