Archive for endpoints

Data Security Podcast Episode 61 – July 14 2009

Posted in Announcements, Breach, darkweb, Podcast, Vulnerabilities, web server security on July 14, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* A double whammy: two critical zero-day attacks hit users of Microsoft products.

* A non-profit security group has a plan to fight web drive-by downloads.

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:


This week’s show is 28.5 minutes

–> Stream, subscribe or download Episode 61 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall; get the super fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 61 of the Data Security Podcast

* Conversation:  StopBadware.org is a non-profit security group with a plan to fight web drive-by downloads. We spoke with Maxim Weinstein, the Executive director of the project. They will help you if your site is blacklisted, and they are looking for help from the security community in uncovering and fighting web drive-by downloads.

* Tales From The Dark Web: Two Zero Day Attacks in the news this week-

ActiveX Video Flaw. Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution. Option 1: apply the workaround in the Microsoft Advisory (setting the kill bits for the control), or upgrade all systems to Microsoft Internet Explorer 8. This zero day impacts users of Windows XP and Windows Server 2003 running IE6 or IE7. UPDATE: Microsoft’s “Patch Tuesday” (Microsoft’s monthly patch cycle) includes a fix for this issue.

Microsoft Office. Read the detailed SANS Internet Storm Center Alert: Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution.  There is a long list of Windows products impacted by this flaw. Be sure to go through the Microsoft Advisory.

* From The News: Does Google Know Too Much About You?  Read the details in Ian Paul’s story in PCWorld.

* From The News: Point; at Foxnews: Wireless Cybercriminals Target Clueless Vacationers.  Counter Point;  Summer Time, and Wireless Fear Mongering Is in the Air by Glenn Fleishman at WifiNetNews.

A non-profit security group has a plan to fight web drive-by downloads. That’s in our interview segment later in the show.

TJMaxx Agrees “Leadership Role” In Data Security

Posted in Announcements, Breach, criminal forensics, darkweb, ediscovery, Legislation, Vulnerabilities, web server security on June 24, 2009 by datasecurityblog

Large US retailer TJMaxx today announced that it has settled with a multi-state group of 41 Attorneys General, resolving the States’ investigations relating to the criminal intrusions into TJMaxx’s computer system announced by TJMaxx over two years ago.

Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies (the owner of TJMaxx) stated, “This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime.”

Mr. Naylor continued, “The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world.”

What has not been announced are the specifics of what TJMaxx, or the states, will do to take a leadership role in exploring new technologies and approaches to improving data security.

Here are some suggestions:

1. Make protecting information a core function for organizations of all sizes. Too often, data security is treated as “an IT task.” In many organizations today, data security is just a subset of the IT department, and it falls to the CTO/CIO/MIS manager to strike the balance between ease of access and security. The Chief Information Security Officer should instead report to the CFO or CEO and bring them actionable information about risks, together with the options to mitigate those risks. Striking the balance between ease of use and security is the role of the non-technical manager, not the head of IT.

2. Educate businesses that the PCI standard is a MINIMUM standard, not a bar or goal to be reached “one day.”

3. Educate businesses on ISO-27k, OWASP, NIST, and other standards that can help protect information.

4. The culture in security and business is not to do PR about specific security measures. Make an exception. TJMaxx should use its bully pulpit: deploy, and then get the word out about, advanced web application scanning, data encryption, defenses against web drive-by downloads, two-factor authentication, wireless security, and open source.

5. Responsible disclosure. Today, it is almost impossible to alert a business when it has a security flaw. Retailers and other businesses must provide an easy way for “good guy” security researchers to report a security issue when they discover one.

Almost every state has data security laws. The money that goes to the states should be used to better educate managers and decision makers about protecting personally identifiable information, and about the list above.

According to press reports, 40 states are participating in this settlement agreement. Those states are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, and Wisconsin. The District of Columbia is also a party to the settlement.

If TJMaxx is serious about playing a leadership role in data security, we hope to hear from them about what they will do. The Data Security Podcast has reached out to TJMaxx and requested an interview for the audio program. We will let you know their response.

Data Security Podcast Episode 58 – June 22 2009

Posted in Breach, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security on June 22, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • The vast majority of malware-infected web sites are legitimate sites that have been secretly hijacked. How would you know if your site was on that list?
  • Your GPS can now tell you where red light cameras, photo radar and DUI checkpoints are. Some local governments aren’t happy about this. We’ll talk to the CEO of the firm providing the data.
  • Plus, Apple’s PR department calls us back; find out where information security was on their priority list.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)


This week’s show is 26.5 minutes long

–> Stream, subscribe or download Episode 58 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

Show Notes for Episode 58 of the Data Security Podcast

  • Ira has a conversation with Joe Scott, the CEO and Founder of PhantomAlert.com. This service allows you to use your GPS and the power of social networks to get early warnings of the locations of photo radar, red light cameras, DUI checkpoints, and more.
  • From The News: Apple calls us back. They don’t want to talk about security, tune in to find out what they wanted to talk about.
  • From The News:  Due to some traveling, we will not have our take on this week’s news. Our analysis segment will return next week.
  • Wrap: New regulations proposed on GPS use in a moving vehicle.

Data Security Podcast Episode 55 – June 01 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities, web server security on June 1, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – A polymorphic drive-by download attack targets tens of thousands of legitimate business and government web sites. SSL can be used for good or evil; find out how to tell the difference. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Dan Proch, with Netronome about SSL security. Secure Socket Layer can be used for good or evil. We talk about how to detect the difference. Learn more with white papers and webinars by Netronome.

–> Tales From The Dark Web: A polymorphic drive-by download attack targets the visitors of tens of thousands of legitimate business and government web sites. The attack is slipping past AV and exploits desktop vulnerabilities. Read more about it in the Websense blog posting and an article at TheRegister.com.

–> From The News: Dutch researchers expose potential vulnerabilities in NXP MIFARE RFID smart cards. Billions of these cards are in use for transit fares and building access control. Here is an excellent proof-of-concept video of how to attack these systems.

–> From The News: Read Maribel Lopez’s detailed report comparing the security of BlackBerry, iPhone and Windows Mobile.

–> From The News: The White House is planning a major cyber security intervention. Here is the official video on the topic from the White House.

Data Security Podcast Episode 54 – May 24 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities on May 24, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Does that shiny new computer come pre-installed with malware? A new project fights viruses in home PCs FROM the cloud. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Pedro Bustamante, Security Researcher Advisor of Panda, about the testing of a cloud based anti-virus for home PC users.  Check out the blog mentioned in the show at: http://blog.cloudantivirus.com .

Privacy advocates have launched a campaign against whole body imaging in U.S. airports

–> Tales From The Dark Web: Does that shiny new computer come pre-installed with malware?

–> From The News: The Fight Against Whole Body Imaging at US Airports. We were afraid nobody was going to object to this!

After a terrifyingly silent public response to news that TSA workers at six major American airports are using whole body imaging technology (otherwise known as “naked pictures”) of airline passengers, CNN reports this week that privacy advocates have launched a campaign against the machines. You can read the petition here against the “virtual strip search” of citizens by Homeland Security.

–> From The News: 9 Month Old Critical Java Vuln. Still Not Patched in Mac OS X

–> From The News: C. Harwick’s Thrica.com blog posting on potentially harmful privacy issues in the Safari 4 beta.

–> Wrap Up: Massachusetts Supreme Judicial Court Tosses Out Warrant in Boston College Case, Says No Probable Cause Existed

Data Security Podcast Episode 53 – May 18 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities, web server security on May 17, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – One web malware variant overtakes all others; smart cards INSIDE MiniSD for two-factor auth via cell phone. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

Combining smart cards and memory on a MiniSD for two factor ID

–> Ira has a conversation with William Holmes, of Go Trust. They have developed technology to merge smart cards with MiniSD memory. This technology can be used to make rather smart two-factor authentication. Go Trust is looking for people that want to develop applications that leverage this new security technology.

–> Tales From The Dark Web: According to Graham Cluley’s blog at Sophos, the malicious JSRedir-R script has been found to be the biggest malware threat on the web, at least for the next 15 minutes…

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information.  A new entry was added this week, and we welcome your contributions.

–> From The News: The Federal Computer Week story,  Homeland Security Information Network suffers intrusions.

–> From The News: U.S. attorney’s office tells employees not to log on to Drudge Report, as reported by Jonathan Martin at POLITICO.com .

Data Security Podcast Episode 50 – Apr 27 2009

Posted in Breach, Conference Coverage, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities on April 26, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – RSA Security confab report; a new way to protect against piracy: two-factor authentication. And, our take on this week’s news.

–> Stream, subscribe or download Episode 50 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.  Tune in or subscribe via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 50 of The Data Security Podcast

-From The News: Your tax dollars at work… paying a non-PCI-compliant company to process your tax dollars. Here’s a copy of Uncle Sam’s contract with RBS WorldPay, which announced a major data breach in December 2008, and which Visa has declared to be non-compliant.

- From The News: Rogue WiFi hotspots at RSA Security, according to scans by AirPatrol.

-> RSA Security confab links: Yubico, BehavioSec, NetworkIntercept, MokaFive, AlertEnterprises.

Paraben CEO Amber Schroader shows us Paraben’s Wireless StrongHold Bag at RSA San Francisco

-Tales From The Dark Web: How a cybergang operates a network of 1.9 million infected computers.

-Conversation: Ira talks two factor authentication for software, music and movies with Stina Ehrensvärd of Yubico.

Data Security Podcast Episode 42 – Mar 02 2009

Posted in Breach, criminal forensics, Podcast, web server security on March 1, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Poor infosec leads to a Presidential security incident; Hall of Cyber Shame: states post info about delinquent taxpayers; and the week’s news.

–> Stream, subscribe or download Episode 42 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 42 of The Data Security Podcast

-From The News:  Consortium of US Federal Cybersecurity Experts Establishes Baseline Standard of Due Care for Cybersecurity – The Top Twenty Most Critical Controls. See this SANS Link for more, and to add in your comments to the standard. Article on the topic in Federal Computer Week that was mentioned in this segment of the program.

President Obama takes off from the South Lawn of the White House on his first flight aboard Marine One.

-From The News: Poor data security at a defence contractor leads to a Presidential security incident involving sensitive information, including Marine One’s entire blueprints and avionics package. Kudos to the peer-to-peer security team at Tiversa for discovering the breach.

-From The News: When people are afraid of losing their job, ethics sometimes goes out the window. See the report at http://www.cyber-ark.com/constants/white-papers.asp . Scroll down to find the link titled: The Global Recession and its Effect on Work Ethics. (Free registration is required; no integrity validation of field info appears to be in place. Is that you Thomas_Jefferson@nsa.gov downloading the report?)

-From The News: Why we don’t live in Michigan, reason #775. As if Michigan residents don’t have enough to contend with as they watch their primary industry go down for the count, Governor Jennifer Granholm wants to humiliate delinquent taxpayers by posting their identities online. Hey Gov, with your people suffering job loss, bankruptcies and foreclosures, one would think you’d want to preserve whatever dignity they have left. (P.S. There are 18 states that brag that this “cybershame” method results in tax collections. Probably some identity thefts too, since addresses and other personal information are there for the world to see.)

- Conversation: Ira Victor talks with Bill Greeves, IT Director for Roanoke County, VA, about MuniGovCon’09 – A Virtual Conference on Web2.0 taking place in Second Life on April 10, 2009 from 9:00 AM – 1:00 PM PST. Here is the main site: MuniGov.org

-Wrap-Up: After hearing about EasyVPN on the Data Security Podcast, Peter Nikolaidis posted this blog entry: Comodo’s EasyVPN Landing Page is an Attack Site? Comodo responds with this very open and candid mea culpa.

Next Week: Ira reports from IT Security World in Orlando Florida.

P2P Usage Leads To Presidential Security Breach

Posted in Breach on March 1, 2009 by datasecurityblog

Pittsburgh TV Station WPXI is reporting that Security Company Tiversa discovered engineering and communications information about the Marine One Chopper fleet on an Iranian Computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO of Tiversa, said that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to its original source, which appears to be a defence contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defence contractor had a file sharing program installed on its network, the same network that contained highly sensitive information on Marine One.

Boback said that someone from the company most likely downloaded a file-sharing program, typically used to share music and movie files, not realizing the potential problems.

Iran is not the only country that appears to be accessing this information through file-sharing programs. Boback said that they have seen the files accessed by systems in Pakistan, Yemen, Qatar and China.

If this is what passes for information security in matters of national defence, just wait until the Feds start mandating the digitizing of everyone’s medical records.

Boback’s team should get kudos for their investigative work. Boback notified the government immediately and said appropriate steps are being taken.

Pennsylvania Congressman Jason Altmire will ask Congress to investigate how to prevent this incident from happening again. Tough questions need to be asked, although too often these Congressional hearings don’t lead to serious changes.

This is all the more reason for  SANS’ new Consensus Audit Guidelines (CAG) to be taken seriously. One of the goals of that program is to deal with national security-related data breaches.

At this point, we don’t know what logging mechanism is in place at this contractor. Logging is a part of the CAG, and one would have assumed that a good logging mechanism would have detected some of the peer-to-peer traffic before the incident got out of hand. Maybe the contractor has “logging in name only” (LINO), something I have seen first hand.

And, it’s important to point out that among the layers of security in the CAG that need to be added to many networks is the right kind of data loss prevention (DLP).

I have seen a lot of vendors lately pitching what I call single-port DLP solutions, many of which only watch one port. Even more solutions only block based upon pre-determined dictionaries of credit card numbers, Social Security numbers, or HIPAA data. They point these DLP solutions at the mail server, or only monitor port 80 for web traffic.

Based upon what we know about this incident, one of the layers of security that is needed is a solution that fingerprints the important files in that business unit by hashing “slivers” of those files. DLP should then be pointed at all 65,535 TCP and UDP ports, so that leakage of any of that data can be spotted on any port and any protocol. Even with a file sharing program on the network, the right DLP solution could have caught the data before it ended up on servers in the Middle East and Asia, provided the transfer was not encrypted end to end; inspection-based controls only see what they can read, which is why they belong alongside egress filtering and logging rather than in place of them.
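The “sliver” fingerprinting described above, as an added example that is not code from the post or from any DLP vendor: it hashes every overlapping eight-word window of a constructed sample document, keeps only the digests, and checks outbound payloads against them regardless of the port they leave on. The document text, the payloads, the window size and the alert threshold are all assumptions made for the demo.

```python
"""Chunk-fingerprint DLP check that ignores port and protocol.

Added example, not from the Data Security Podcast post. The sample
document, payloads, SHINGLE_WORDS and ALERT_FRACTION are constructed
assumptions for the demo.
"""
import hashlib
import re
from typing import Dict, Set, Tuple

SHINGLE_WORDS = 8        # words per "sliver"; assumption, tune for recall vs. noise
ALERT_FRACTION = 0.05    # alert once this share of a file's slivers is seen; assumption


def tokenize(text: str) -> list:
    """Lowercase and keep only alphanumeric runs, so a reflowed, re-quoted
    or re-encoded copy of the same passage yields the same slivers."""
    return re.findall(r"[a-z0-9]+", text.lower())


def sliver_hashes(text: str, k: int = SHINGLE_WORDS) -> Set[bytes]:
    """Hash every overlapping k-word window. The sensor stores only these
    truncated digests, never the sensitive text itself."""
    words = tokenize(text)
    digests = set()
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k]).encode()
        digests.add(hashlib.sha256(window).digest()[:8])
    return digests


def build_index(documents: Dict[str, str]) -> Dict[str, Set[bytes]]:
    """Fingerprint each file a business unit marks as sensitive."""
    return {name: sliver_hashes(text) for name, text in documents.items()}


def scan_payload(payload: bytes, index: Dict[str, Set[bytes]],
                 port: int, proto: str) -> dict:
    """Compare one outbound payload with the fingerprint index.

    Port and protocol are recorded for the alert but play no part in the
    decision: the same bytes trip the same alert on 25, 80 or 6881. A
    payload the sensor cannot read as text (an encrypted P2P transfer,
    say) simply yields no slivers, which is the limit of this control.
    """
    seen = sliver_hashes(payload.decode("utf-8", errors="ignore"))
    hits: Dict[str, Tuple[int, int]] = {}
    alert = False
    for name, fingerprints in index.items():
        matched = len(seen & fingerprints)
        total = len(fingerprints)
        if matched:
            hits[name] = (matched, total)
        if total and matched / total >= ALERT_FRACTION:
            alert = True
    return {"alert": alert, "port": port, "proto": proto, "hits": hits}


# Constructed sample document; the wording is invented for the demo.
SENSITIVE_DOCS = {
    "avionics-package.txt": (
        "Avionics package revision four. The flight control computer receives "
        "sensor input over a dual redundant data bus and forwards attitude data "
        "to the primary display unit. Maintenance access requires the service "
        "key stored in the secure compartment behind panel seven. Radio suite "
        "channel assignments are listed in appendix B of the communications binder."
    ),
}

# Constructed outbound payloads: a P2P piece carrying an excerpt, the same
# excerpt in a mail body, and an ordinary HTTP request.
P2P_PIECE = (
    b"piece 17 of 240 the flight control computer receives sensor input over a "
    b"dual redundant data bus and forwards attitude data to the primary display unit"
)
SMTP_BODY = b"FYI: " + P2P_PIECE[len(b"piece 17 of 240 "):]
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def demo() -> list:
    """Run the three payloads through the sensor; port is irrelevant to the verdict."""
    index = build_index(SENSITIVE_DOCS)
    return [
        scan_payload(P2P_PIECE, index, 6881, "tcp"),
        scan_payload(SMTP_BODY, index, 25, "tcp"),
        scan_payload(HTTP_REQUEST, index, 80, "tcp"),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The P2P piece and the mail body each match 15 of the document’s 46 slivers and both alert; the HTTP request matches none. Commercial products do the same thing with rolling hashes over raw bytes rather than word windows, which also catches binary formats, and they pair the sensor with egress filtering because anything carried inside an encrypted P2P session never reaches the matcher.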

By the time you read this, the Marine One story will be all over the mainstream press. The public is going to be mad, and scared. It’s time for information security professionals to stand up and let public policy makers know that there are solutions to these challenges, and that now is the time to (finally) take those solutions seriously.

Data Security Podcast Episode 41 – Feb 23 2009

Posted in criminal forensics, darkweb, Podcast, Vulnerabilities on February 22, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Conficker sequel hits hard; demand for computer forensics training soars, SANS Institute fills the gaps; plus, this week’s news.

–> Stream, subscribe or download Episode 41 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 41

-From The News: Adobe PDF zero day. We suggest that you delete Adobe PDF Reader and install a non-Adobe PDF reader. Try PdfReaders.com and the LostInTechnology.com blog for alternatives to Adobe PDF readers. Read details on the threat at the Shadowserver.org site, including how to disable JavaScript in Adobe PDF Reader. Here are the instructions for a GPO to disable Adobe PDF Reader JavaScript.

-From The News: Nigerian 419 scams are more complex than you might think. One example, from the Salt Lake Tribune: Nigerian web scam bilked Utah out of $2.5M. And there is this excellent article at 419Eater.com that includes an analysis of some of the variations and motivations of these “poor people who are just trying to get by” when they steal and defraud innocent people of millions of dollars/euros/pounds/yen.

From 419Eater.com Counter-Scam Site

- Tales From The Dark Web:  Conficker / Downadup strikes back….a newer, stronger variant is out. See details in this blog posting by Ira Victor.

- Conversation: Ira Victor talks with Rob Lee, computer forensics Grand Poobah of The SANS Institute computer forensics program , and the SANS Forensic Blog.
