Archive for EFF

Data Security Podcast Episode 57 – June 15 2009

Posted in Breach, Business Continuity, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities, web server security with tags , , , , , on June 14, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • Is Al-Qaida getting funding by stealing minutes from business phone systems?
  • $10,000 was paid out to the security researchers that uncovered the flaws in StrongWebMail. Could your email be vulnerable to that same attack?  A conversation with  StrongWebMail’s top executive.
  • EXCLUSIVE – New proof of concept browser sniffer hack that does NOT use scripting attacks.
  • Plus, our take on this week’s news.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)


This week’s show is 32 minutes long

–> Stream, subscribe or download Episode 57 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–>  A simple way to listen to the show from with stricter firewalls:  Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

Show Notes for Episode 57 of the Data Security Podcast

  • Ira has a conversation with Darren Berkovitz, COO of StrongWebMail.com and Telesign.com, about why he offered $10,000 to anyone who could break into the StrongWebMail system.
  • Tales From The Dark Web: The US Justice Department files indictments against three suspected terror suspects. They are charged with stealing business phone minutes, illegally re-selling those minutes, and using the proceeds to fund Al-Qaida terror activities.
  • From The News: EXCLUSIVE TO THE DATA SECURITY PODCAST, Brendon Boshell a web developer has created a unique remote browser sniffer that does NOT use the highly common, and easily blocked, scripting attacks. This is his proof of concept, but his site only explains part of the approach. We explain more in the show.
  • From The News: Hawaii sends woman to jail for using her medical records access to post HIV-AIDS patient’s medical information on MySpace.
  • From The News: The Las Vegas Review Journal got a visit from the Feds after publishing this story … with a subpeona demanding the identities of newspaper readers who posted comments.

Data Security Podcast Episode 55 – June 01 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities, web server security with tags , , , , , , , , , , on June 1, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program – Polymorphic drive-by download attack targets tens of thousands of legit business and government web sites. SSL can be used for good or evil, find out how to tell the difference. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Dan Proch, with Netronome about SSL security. Secure Socket Layer can be used for good or evil. We talk about how to detect the difference. Learn more with white papers and webinars by Netronome.

–> Tales From The Dark Web: Polymorphic drive-by download attack targets the visitors of tens of thousands of legit business and government web sites. The attack is slipping past AV, and exploits desktop vulnerabilities. Read more about it in the Websense blog posting, and a article at TheRegister.com .

–> From The News: Dutch Researchers expose potential vulnerabilities in NXP MIFARE RFID Smart Cards. Billions of these cards are in use for transit fares and building access control. Here is an excellent proof of concept video of how to attack these systems:

–> From The News:  Read  Maribel Lopez detailed report comparing the security of Blackberry, iPhone and Windows Mobile .

–> From The News: The White House is planning major cyber security intervention. Here is official video on the topic from the White House:

Data Security Podcast Episode 51 – May 04 2009

Posted in Breach, Business Continuity, Conference Coverage, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Podcast, Vulnerabilities with tags , , , , , , on May 4, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program – Swing Flu IT Security Tactics; A work around for the latest Adobe PDF Zero-day; And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.  Tune in or subscribe via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 51 of The Data Security Podcast

-From The News: FTC delays full enforcement of it’s Red Flag Rules

-From The News: WRAL Report, Mom says Patriot Act stripped son of due process

-From the News: A fresh attack against Twitter.

-> Tales From The Dark Web: Another Adobe PDF Zero-Day

-> Ira has a conversation with Ed Cohen, VP, Corporate Development at SonicWall on IT Security planning in the event of a second wave of Swind Flu. SonicWall offers an ebook on the top trends in teleworking, and a white paper on the cost savings from teleworking.

-> Wrap-up: Ira enjoyed using the Bracktron Grip-It to hold his smartphone and listen to podcasts and other internet content when he drove from Nevada to the RSA Security Conference in San Francisco. Ira reports that it is highly adjustable, so it can accommodate a variety of devices. The Grip-It keeps devices hands free, and at eye-level. No drilling required, and it can be removed from the dash when parking to help keep away interested theives. He reports that it was stable at highway speeds, and in the sweeepers.

Bracketron Grip-It vent mount for smartphones, MP3 players, and GPS devices

Bracketron Grip-It vent mount for smartphones, MP3 players, and GPS devices

Data Security Podcast Episode 48 – Apr 13 2009

Posted in Breach, criminal forensics, darkweb, Legislation, Podcast, Vulnerabilities, web server security with tags , , , , , , , , on April 12, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Twitter worm a case study in web app security; Will Congress give sweeping cyber authority to the White House?  And our take on the news.

–> Stream, subscribe or download Episode 48 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 48 of The Data Security Podcast

-From The News: Patch those third party apps, not just the OS! That’s the takeaway from the latest edition of The Microsoft Security Intelligence Report.

- From The News: IRS to Boost Oversight of Security, Accuracy of E-Filings, as posted in the Washington Post

- From The News: FTC’s attempt to fight fraud with the so-called “Red Flags Rules” Here is a link to the FTC’s How-To Guide for Business. Physicians are on the list of many types of business that need to comply.

-Tales From The Dark Web: We covered XSS and web application security. OWASP is an excellent resource for free, standards-based web application security information.

-Conversation:  Ira speaks with Lee Tien of the Electronic Frontier Foundation. Read more about the Cybersecurity Bill of 2009, including a link to the EFF blog posting on the issue.

- Wrap up:  HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily Twitter Hack)

Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?

Posted in Uncategorized with tags , , , on April 11, 2009 by datasecurityblog

The Cybersecurity Act of 2009 was just introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). This bill, if passed, could result in sweeping changes in how IT professionals do their job.

There is a provision within this bill that would require the licensure of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control.

I am member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure:  communcations, financial services, health care, agriculture, transportation, education, utilites, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chuztpah.

The movement to pass laws to regulate IT security professionals at the state level has passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigator’s lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, does there appear to groundswell of support to for the government to license IT professionals.

In the very next episode of the Data Security Podcast (episode 48), we are scheduled to air an interview with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern, is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government to authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Last month, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (”NCSC)”. He said that his job was being stripped of staff and funding. What, about this bill did Rod Beckström know, and when did he know it?

We will keep following this bill, and this story, on the Data Security Podcast. You can also follow updates that EFF is posting on their blog. Read the Cybersecurity Act of 2009, and a summary of the bill.

Follow

Get every new post delivered to your Inbox.

Join 1,064 other followers